Docstoc

Irs Form 1096 Templates

Document Sample
Irs Form 1096 Templates Powered By Docstoc
					                                                 CCE
  CCE ID        CCE Description
                                              Parameters



             /export/home should be
             configured on an
             appropriate filesystem
CCE-5847-9   logical volume                logical volume
             /var should be configured
             on an appropriate
CCE-5424-7   filesystem logical volume     logical volume
             /opt should be configured
             on an appropriate
CCE-5710-9   filesystem logical volume     logical volume
             The shell for the root
             account should be located
             on the appropriate
CCE-5662-2   filesystem                    filesystem

             Core dump size limits         Size (0 to disable
CCE-5317-3   should be set appropriately   core dumps)
             The read-only SNMP
             community string should be
CCE-5384-3   set appropriately.            string
             The read/write SNMP
             community string should be
CCE-5723-2   set appropriately.            string
             Password policy should
             ban or allow usernames or
             UIDs in passwords as
CCE-5634-1   appropriate                   ban/allow

             Password policy should
             ban or allow words found in
CCE-5352-0   a dictionary as appropriate. ban/allow

             Password policy should
             enforce the correct amount number of special
CCE-5848-7   of special characters      characters
             Password policy should
             enforce or not enforce the
             requirement to have mixed
             case passwords as
CCE-5443-7   appropriate.               enforce/not enforce
             The minimum password
             age should be set as
CCE-5664-8   appropriate                     number of days
             The minimum required
             password length should be       number of
CCE-5804-0   set as appropriate              characters
             Password history should be
             saved for an appropriate
             number of password              number of password
CCE-4858-7   changes                         changes
             The number of consecutive
             failed login attempts
             required to trigger a lockout   number of
             should be set as                consecutive failed
CCE-5775-2   appropriate                     login attempts
             Login access to accounts
             without passwords should
             be enabled or disabled as
CCE-5761-2   appropriate                     enabled/disabled
             New users should be
             required or not required to
             change their password on
CCE-5841-2   first login as appropriate      required/not required
             Access to single-user
             mode (maintainence mode)
             should require the root
             password or not as
CCE-5858-6   appropriate                     required/not required
             The delay between failed
             logins should be set as
CCE-5078-1   appropriate                     number of seconds

             All files should be owned       existing account
             by an existing account or       required / existing
CCE-5715-8   not as appropriate.             account not required
             All files should be owned       existing group
             by an existing group or not     required / existing
CCE-5684-6   as appropriate.                 group not required

             The console login banner
CCE-5244-9   should be set appropriately. banner text or null

             The SSH login banner
CCE-5402-3   should be set appropriately. banner text or null

             The telnet login banner
CCE-5622-6   should be set appropriately. banner text or null

             The ftp login banner should
CCE-5843-8   be set appropriately.       banner text or null
             The graphical login banner
CCE-5842-0   should be set appropriately.    banner text or null
             Accounts other than root
             should be allowed to have
             the UID 0 or not as
CCE-5560-8   appropriate                     allowed/not allowed
             Accounts other than root
             and locked system
             accounts should be
             allowed to have a GID of 0
CCE-4873-6   or not as appropriate           allowed/not allowed
             Each account should be
             assigned a unique UID or
CCE-5187-0   not as appropriate              unique/not unique
             The ftp account should
CCE-5765-3   exist or not as appropriate     exist/not exist
             Login accounts should
             include an appropriate
             GECOS identifier or no
CCE-4884-3   GECOS identifier                GECOS value, null
             The screen lock should
             activate after an
             appropriate period of
CCE-5381-9   inactivity                      number of minutes
             File permissions should be
             set appropriately for all
CCE-5645-7   shell executables.              permissions
             Remote (serial) consoles
             should be enabled or
CCE-5597-0   disabled as appropriate.        enabled/disabled
             Root logins should be
             restricted to the console or    restricted/not
CCE-5676-2   not as appropriate.             restricted
             .netrc files should exist or
             not as appropriate for all
CCE-5733-1   users.                          exist/not exist
             .rhosts files should exist or
             not as appropriate for all
CCE-5702-6   users.                          exist/not exist
             .shosts files should exist or
             not as appropriate for all
CCE-5076-5   users.                          exist/not exist
             The /etc/hosts.equiv file
             should exist or not as
CCE-5442-9   appropriate.                    exist/not exist
             The use of NIS special
             characters (+ or -) in the
             first field of the /etc/passwd
             file should be allowed or
CCE-5640-8   disallowed as appropriate. allowed/not allowed

             The use of NIS special
             characters (+ or -) in the
             first field of the /etc/shadow
             file should be allowed or
CCE-4893-4   disallowed as appropriate.       allowed/not allowed
             The use of NIS special
             characters (+ or -) in the
             first field of the /etc/group
             file should be allowed or
CCE-5024-5   disallowed as appropriate.       allowed/not allowed
             The /etc/shells file should
CCE-5742-2   exist or not as appropriate      exist/not exist
             Shells referenced in
             /etc/passwd should be
             included in /etc/shells or
CCE-5777-8   not as appropriate               included/not included
             Groups referenced in
             /etc/passwd should be
             included in /etc/group or
CCE-5605-1   not as appropriate.              included/not included
             The home directory for the
             root account should be set
CCE-5750-5   appropriately.                   path
             The home directory for
             each user account should
CCE-5199-5   be set appropriately.            path
             Home directories
             referenced in /etc/passwd
             should exist or not as
CCE-5310-8   appropriate                      exist/not exist
             All device files should be
             located inside an
CCE-5327-2   appropriate directory            path
             The ntpd service should be
             enabled or disabled as
CCE-4900-7   appropriate.                     enabled/disabled

             The Network Time Protocol
             (ntp) synchronization
             server should be set
CCE-5675-4   appropriately.            timeserver
             All logon attempts should
             be logged or not logged as
CCE-5147-4   appropriate                     logged/not logged
             All su (switch user) activity
             should be logged or not as
CCE-5724-0   appropriate                     logged/not logged
             Filesystem
             logging/journaling should
             be performed or not as          performed/not
CCE-5614-3   appropriate                     performed
             Automount should be
             enabled or disabled as
CCE-5834-7   appropriate                     enabled/disabled
             Source-routed packets
             should be accepted or
CCE-5745-5   rejected as appropriate.        accepted/rejected
             Response to ICMP
             timestamp requests should
             be enabled or disabled as
CCE-5587-1   appropriate                     enabled/disabled
             Response to ICMP
             timestamp broadcast
             requests should be
             enabled or disabled as
CCE-5525-1   appropriate                     enabled/disabled
             Response to ICMP echo
             (ping) requests should be
             enabled or disabled as
CCE-4930-4   appropriate                     enabled/disabled
             Executable stack should be
             enabled or disabled as
CCE-4901-5   appropriate                     enabled/disabled

             The default gateway should
CCE-5017-9   be set appropriately.           IP address/disabled
             The inetd service should be
             enabled or disabled as
CCE-5347-0   appropriate.                    enabled/disabled
             echo service should be
             enabled or disabled as
CCE-5193-8   appropriate                     enabled/disabled
             netstat service should be
             enabled or disabled as
CCE-5725-7   appropriate                     enabled/disabled
             rcp service should be
             enabled or disabled as
CCE-5801-6   appropriate                     enabled/disabled
             chargen service should be
             enabled or disabled as
CCE-5506-1   appropriate                     enabled/disabled
             finger service should be
             enabled or disabled as
CCE-5791-9   appropriate                 enabled/disabled
             tftpd service should be
             enabled or disabled as
CCE-5743-0   appropriate                 enabled/disabled
             walld service should be
             enabled or disabled as
CCE-5773-7   appropriate                 enabled/disabled
             rstatd service should be
             enabled or disabled as
CCE-5461-9   appropriate                 enabled/disabled
             sprayd service should be
             enabled or disabled as
CCE-4905-6   appropriate                 enabled/disabled
             rusersd service should be
             enabled or disabled as
CCE-5463-5   appropriate                 enabled/disabled
             rlogin service should be
             enabled or disabled as
CCE-5542-6   appropriate                 enabled/disabled
             rsh service should be
             enabled or disabled as
CCE-5431-2   appropriate                 enabled/disabled
             ftp service should be
             enabled or disabled as
CCE-5780-2   appropriate                 enabled/disabled
             telnet service should be
             enabled or disabled as
CCE-5872-7   appropriate                 enabled/disabled
CCE-4909-8   DEPRECATED.
             inn service should be
             enabled or disabled as
CCE-5343-9   appropriate                 enabled/disabled
             uucp service should be
             enabled or disabled as
CCE-5611-9   appropriate                 enabled/disabled
             rexec service should be
             enabled or disabled as
CCE-5598-8   appropriate                 enabled/disabled
             inetd logging should be
             enabled or disabled as
CCE-5550-9   appropriate                 enabled/disabled
             font-service should be
             enabled or disabled as
CCE-4911-4   appropriate                 enabled/disabled
             imap2 service should be
             enabled or disabled as
CCE-4926-2   appropriate                 enabled/disabled
             pop3 service should be
             enabled or disabled as
CCE-4913-0   appropriate                   enabled/disabled
             ident service should be
             enabled or disabled as
CCE-5681-2   appropriate                   enabled/disabled
             rexd service should be
             enabled or disabled as
CCE-5368-6   appropriate                   enabled/disabled
             daytime service should be
             enabled or disabled as
CCE-5549-1   appropriate                   enabled/disabled
             dtspc (cde-spc) service
             should be enabled or
CCE-5144-1   disabled as appropriate       enabled/disabled
             rquotad service should be
             enabled or disabled as
CCE-5223-3   appropriate                   enabled/disabled
             cmsd service should be
             enabled or disabled as
CCE-5738-0   appropriate                   enabled/disabled
             tooltalk service should be
             enabled or disabled as
CCE-5456-9   appropriate                   enabled/disabled
             xdmcp service should be
             enabled or disabled as
CCE-4918-9   appropriate                   enabled/disabled
             discard service should be
             enabled or disabled as
CCE-5798-4   appropriate                   enabled/disabled
CCE-4923-9   DEPRECATED.
             vino-server service should
             be enabled or disabled as
CCE-5917-0   appropriate                   enabled/disabled
             The bind service should be
             enabled or disabled as
CCE-4934-6   appropriate.                  enabled/disabled
             The version string reported
             by the bind service should
             be configured
CCE-5535-0   appropriately.                string
             SSH Protocol v1 should be
             enabled or disabled as
CCE-5117-7   appropriate                   enabled/disabled
             TCP_WRAPPERS should
             be enabled or disabled as
CCE-5690-3   appropriate                   enabled/disabled
             SNMP version 1 should be
             enabled or disabled as
CCE-5852-9   appropriate                   enabled/disabled
             The nfsd service should be
             enabled or disabled as
CCE-5068-2   appropriate                   enabled/disabled
             The mountd service should
             be enabled or disabled as
CCE-5569-9   appropriate                   enabled/disabled
             The statd service should be
             enabled or disabled as
CCE-5806-5   appropriate                   enabled/disabled
             The lockd service should
             be enabled or disabled as
CCE-5882-6   appropriate                   enabled/disabled
             NFS should be configured
             to respond or not as
             appropriate to client
             requests that do not
CCE-5414-8   include a user id .           respond/not respond
             NFS should be configured
             to respond or not as
             appropriate to client
             requests that do not
             originate from a privileged
CCE-5348-8   port.                         respond/not respond
             NFS server support for the
             AUTH_NONE
             authentication mechanism
             should be enabled or
CCE-5511-1   disabled as appropriate.      enabled/disabled
             NFS server support for the
             AUTH_UNIX authentication
             mechanism should be
             enabled or disabled as
CCE-5480-9   appropriate.                  enabled/disabled
             NFS server support for the
             AUTH_DES authentication
             mechanism should be
             enabled or disabled as
CCE-4957-7   appropriate.                  enabled/disabled
             NFS server support for the
             AUTH_KERB
             authentication mechanism
             should be enabled or
CCE-4958-5   disabled as appropriate.      enabled/disabled
             The read-only (ro) option
             should be enabled or
             disabled as appropriate for
CCE-5922-0   all NFS exports.              enabled/disabled
             The nosuid option should
             be enabled or disabled for
             all NFS mounts as
CCE-5790-1   appropriate                    enabled/disabled
             The nosgid option should
             be enabled or disabled for
             all NFS mounts as
CCE-5189-6   appropriate                    enabled/disabled
             Sendmail should be
             enabled or disabled as
CCE-5876-8   appropriate                    enabled/disabled

             The sendmail banner
CCE-4959-3   should be set appropriately.   string
             The decode sendmail alias
             should be enabled or
CCE-5115-1   disabled as appropriate.       enabled/disabled
             .forward files should be
             allowed or disallowed as
CCE-5445-2   appropriate for all users      allow/disallow
             Programs executed
             through the aliases file
             should be owned by an
CCE-4960-1   appropriate user               user
             Programs executed
             through the aliases file
             should reside a directory
             with an appropriate user
CCE-5802-4   owner                          user
             Sendmail vrfy command
             should be allowed or not as
CCE-5212-6   appropriate                    allow/disallow
             Sendmail expn command
             should be allowed or not as
CCE-5291-0   appropriate                    allow/disallow
             Sendmail should be
             configured with an
CCE-5741-4   appropriate logging level      logging level
             The sendmail help
             command should be
             allowed or not as
CCE-4967-6   appropriate                    allow/disallow
             NIS should be enabled or
CCE-5783-6   disabled as appropriate        enabled/disabled
             NIS+ server should operate
             at an appropriate security
CCE-4975-9   level                          security level
             X-Windows should be
             enabled or disabled as
CCE-5138-3   appropriate                    enabled/disabled
             Authorized X-clients should
             be listed or not in the
CCE-5711-7   X*.hosts file as appropriate   listed/not listed
             X-Windows should write
             .Xauthority files to users'
             home directories or not as
CCE-4984-1   appropriate                    write/not write
             X11 forwarding via SSH
             should be enabled or
CCE-5975-8   disabled as appropriate.       enabled/disabled
             Samba should be enabled
CCE-5931-1   or disabled as appropriate     enabled/disabled
             Samba 'hosts allow' option
             should be configured with
             an appropriate set of
CCE-4994-0   networks                       list of networks
             Samba 'security option'
             option should be set as
CCE-5923-8   appropriate
             Samba 'encrypt' passwords
             option should be set as
CCE-5939-4   appropriate                    yes/no
             Samba 'smb passwd file'
             option should be set to an
             appropriate password file
CCE-5891-7   or no password file            file/nothing
             IPv6 should be enabled or
CCE-5234-0   disabled as appropriate        enabled/disabled
             The "at" utility directory
             permissions should be set
CCE-5767-9   as appropriate                 permissions

             at.allow file permissions
CCE-5846-1   should be set appropriately permissions

             at.deny file permissions
CCE-5991-5   should be set appropriately permissions

             Cron directory permissions
CCE-5705-9   should be set appropriately permissions
             Crontab directory
             permissions should be set
CCE-5678-8   appropriately               permissions

             Cron log file permissions
CCE-5942-8   should be set appropriately permissions

             cron.allow file permissions
CCE-5770-3   should be set appropriately permissions
             cron.deny file permissions
CCE-5280-3   should be set appropriately permissions

             Crontab file permissions
CCE-5896-6   should be set appropriately permissions

             /dev/kmem file permissions
CCE-5474-2   should be set appropriately permissions

             /dev/mem file permissions
CCE-5363-7   should be set appropriately permissions

             /dev/null file permissions
CCE-5566-5   should be set appropriately permissions

             resolv.conf file permissions
CCE-5851-1   should be set appropriately    permissions
             /etc/named.conf file
             permissions should be set
CCE-5821-4   appropriately                  permissions
             File permissions should be
             set appropriately for all
CCE-5755-4   user home directories.         permissions
             /etc/exports file
             permissions should be set
CCE-5807-3   appropriately                  permissions

             /usr/bin/at file permissions
CCE-5759-6   should be set appropriately permissions
             /usr/bin/rdist file
             permissions should be set
CCE-5979-0   appropriately                permissions
             /usr/sbin/sync file
             permissions should be set
CCE-5228-2   appropriately                permissions

             Superuser account home
             directories' permissions
CCE-5951-9   should be set appropriately permissions
             /etc/samba/smb.conf file
             permissions should be set
CCE-5981-6   appropriately               permissions
             smbpassword executable
             permissions should be set
CCE-5668-9   appropriately               permissions

             Aliases file permissions
CCE-5010-4   should be set appropriately permissions
             File permissions should be
             set as appropriate for the
             log file configured to
             capture critical sendmail
CCE-5666-3   messages.                  permissions
             All files executed through
             /etc/aliases file entries
             should have file
             permissions set
CCE-5012-0   appropriately              permissions

             /bin/csh file permissions
CCE-5796-8   should be set appropriately permissions

             /bin/jsh file permissions
CCE-5747-1   should be set appropriately permissions

             /bin/ksh file permissions
CCE-5849-5   should be set appropriately permissions
             The /bin/rsh file should
CCE-5893-3   exist or not as appropriate exist/not exist

             /bin/sh file permissions
CCE-5734-9   should be set appropriately permissions

             /bin/bash file permissions
CCE-5862-8   should be set appropriately permissions

             /sbin/csh file permissions
CCE-5954-3   should be set appropriately permissions

             /sbin/jsh file permissions
CCE-5027-8   should be set appropriately permissions

             /sbin/ksh file permissions
CCE-5206-8   should be set appropriately permissions
             The /sbin/rsh file should
CCE-5907-1   exist or not as appropriate exist/not exist

             /sbin/sh file permissions
CCE-5040-1   should be set appropriately permissions

             /sbin/bash file permissions
CCE-5049-2   should be set appropriately permissions
             /usr/bin/csh file
             permissions should be set
CCE-5056-7   appropriately               permissions

             /usr/bin/jsh file permissions
CCE-6031-9   should be set appropriately permissions
             /usr/bin/ksh file
             permissions should be set
CCE-6004-6   appropriately                permissions
             The /usr/bin/rsh file should
CCE-5974-1   exist or not as appropriate exist/not exist

             /usr/bin/sh file permissions
CCE-5863-6   should be set appropriately permissions
             /usr/bin/bash file
             permissions should be set
CCE-5815-6   appropriately                permissions
             snmpd.conf file
             permissions should be set
CCE-5955-0   appropriately                permissions

             /tmp file permissions
CCE-6052-5   should be set appropriately permissions

             /usr/tmp file permissions
CCE-6021-0   should be set appropriately permissions
             traceroute executable file
             permissions should be set
CCE-5272-0   appropriately                permissions
             .Xauthority file permissions
             should be set appropriately
CCE-5884-2   for all users.               permissions

             /etc/aliases file permissions
CCE-6023-6   should be set appropriately permissions
             /etc/cron.d/at.allow file
             permissions should be set
CCE-5349-6   appropriately                 permissions
             /etc/cron.d/cron.allow file
             permissions should be set
CCE-6050-9   appropriately                 permissions

             /etc/csh file permissions
CCE-5833-9   should be set appropriately   permissions
             /etc/default/* file
             permissions should be set
CCE-5803-2   appropriately                 permissions
             /etc/default/login file
             permissions should be set
CCE-5820-6   appropriately                 permissions
             The /etc/ftpusers file
             should exist or not as
CCE-5397-5   appropriate                   exist/not exist
             /etc/host.lpd file
             permissions should be set
CCE-5226-6   appropriately                 permissions
             /etc/hostname* file
             permissions should be set
CCE-5903-0   appropriately                 permissions

             /etc/hosts file permissions
CCE-5970-9   should be set appropriately permissions
             /etc/inetd.conf file
             permissions should be set
CCE-5930-3   appropriately               permissions

             /etc/issue file permissions
CCE-5698-6   should be set appropriately permissions

             /etc/jsh file permissions
CCE-5641-6   should be set appropriately permissions

             /etc/ksh file permissions
CCE-5909-7   should be set appropriately permissions
             /etc/mail/aliases file
             permissions should be set
CCE-5985-7   appropriately               permissions

             /etc/motd file permissions
CCE-5350-4   should be set appropriately   permissions
             /etc/netconfig file
             permissions should be set
CCE-5988-1   appropriately                 permissions
             /etc/notrouter file
             permissions should be set
CCE-5817-2   appropriately                 permissions
             /etc/pam.conf file
             permissions should be set
CCE-5231-6   appropriately                 permissions
             /etc/passwd file
             permissions should be set
CCE-5323-1   appropriately                 permissions
             The /etc/rsh file should
CCE-5526-9   exist or not as appropriate   exist/not exist
             /etc/security file
             permissions should be set
CCE-5631-7   appropriately                 permissions
             /etc/services file
             permissions should be set
CCE-5728-1   appropriately                 permissions

             /etc/sh file permissions
CCE-5512-9   should be set appropriately permissions
             /etc/shadow file
             permissions should be set
CCE-5074-0   appropriately               permissions
             /etc/syslog.conf file
             permissions should be set
CCE-5808-1   appropriately                 permissions
CCE-5075-7   DEPRECATED.

             /etc/fstab file permissions
CCE-5932-9   should be set appropriately   permissions
CCE-5825-5   DEPRECATED.
             /var/adm/loginlog file
             permissions should be set
CCE-5279-5   appropriately                 permissions
             /var/adm/messages file
             permissions should be set
CCE-5984-0   appropriately                 permissions
             /var/adm/sulog file
             permissions should be set
CCE-5656-4   appropriately                 permissions
             /var/adm/utmp file
             permissions should be set
CCE-5736-4   appropriately                 permissions
             /var/adm/wtmp file
             permissions should be set
CCE-6062-4   appropriately                 permissions
             /var/adm/authlog file
             permissions should be set
CCE-5453-6   appropriately                 permissions
             /var/adm/syslog file
             permissions should be set
CCE-6048-3   appropriately                 permissions

             /var/mail file permissions
CCE-5832-1   should be set appropriately permissions

             /var/tmp file permissions
CCE-6017-8   should be set appropriately   permissions
             /usr/lib/pt_chmod file
             permissions should be set
CCE-5986-5   appropriately                 permissions
             /usr/lib/embedded_us file
             permissions should be set
CCE-5875-0   appropriately                 permissions
             /usr/lib/sendmail file
             permissions should be set
CCE-5977-4   appropriately                 permissions
             /usr/kerberos/bin/rsh file
             permissions should be set
CCE-5627-5   appropriately                 permissions
             /var/spool/mail file
             permissions should be set
CCE-5455-1   appropriately                 permissions
             smbpassword file
             permissions should be set
CCE-5077-3   appropriately                permissions
             At directory should be
             owned by an appropriate
CCE-5695-2   user                         list of users
             At directory should be
             owned by an appropriate
CCE-5646-5   group                        list of groups
             at.allow file should be
             owned by an appropriate
CCE-5161-5   user                         list of users
             at.allow file should be
             owned by an appropriate
CCE-5254-8   group                        list of groups
             at.deny file should be
             owned by an appropriate
CCE-5853-7   user                         list of users
             at.deny file should be
             owned by an appropriate
CCE-5632-5   group                        list of groups
             Cron directories should be
             owned by an appropriate
CCE-5319-9   user                         list of users
             Cron directories should be
             owned by an appropriate
CCE-5412-2   group                        list of groups
             Crontab directories should
             be owned by an
CCE-5082-3   appropriate user             list of users
             Crontab directories should
             be owned by an
CCE-5754-7   appropriate group            list of groups
             cron.allow file should be
             owned by an appropriate
CCE-6022-8   user                         list of users
             cron.allow file should be
             owned by an appropriate
CCE-5868-5   group                        list of groups

             cron.deny should be owned
CCE-5961-8   by an appropriate user       list of users
             cron.deny data should be
             owned by an appropriate
CCE-5837-0   group                        list of groups
             crontab files should be
             owned by an appropriate
CCE-5929-5   user                         list of users
             crontab files should be
             owned by an appropriate
CCE-5085-6   group                        list of groups
             /etc/resolv.conf file should
             be owned by an
CCE-5919-6   appropriate user               list of users
             /etc/resolv.conf file should
             be owned by an
CCE-5888-3   appropriate group              list of groups
             /etc/named.boot file should
             be owned by an
CCE-5941-0   appropriate user               list of users
             /etc/named.boot file should
             be owned by an
CCE-5910-5   appropriate group              list of groups
             /etc/named.conf file should
             be owned by an
CCE-5822-2   appropriate user               list of users
             /etc/named.conf file should
             be owned by an
CCE-5663-0   appropriate group              list of groups
             Each user home directory
             should be owned by an
CCE-5086-4   appropriate user.              user
             Each user home directory
             should be owned by an
CCE-6007-9   appropriate group.             group
             inetd.conf file should be
             owned by an appropriate
CCE-5088-0   user                           user
             inetd.conf file should be
             owned by an appropriate
CCE-5732-3   group                          group
             /etc/exports should be
             owned by an appropriate
CCE-5326-4   user                           list of users
             /etc/exports should be
             owned by an appropriate
CCE-5296-9   group                          list of groups
             Exported files and
             directories should be
             owned by an appropriate
CCE-5283-7   user                           list of users
             Exported files and
             directories should be
             owned by an appropriate
CCE-5428-8   group                          list of groups
             /etc/services file should be
             owned by an appropriate
CCE-5626-7   user                           list of users
             /etc/services file should be
             owned by an appropriate
CCE-5957-6   group                          list of groups
             /etc/notrouter file should be
             owned by an appropriate
CCE-5740-6   user                            list of users
             /etc/notrouter file should be
             owned by an appropriate
CCE-5090-6   group                           list of groups
             /etc/samba/smb.conf file
             should be owned by an
CCE-6086-3   appropriate user                list of users
             /etc/samba/smb.conf file
             should be owned by an
CCE-6055-8   appropriate group               list of groups
             smbpasswd executable
             should be owned by an
CCE-6024-4   appropriate user                list of users
             smbpasswd executable
             should be owned by an
CCE-5839-6   appropriate group               list of groups
             aliases file should be
             owned by an appropriate
CCE-5091-4   user                            list of users
             aliases file should be
             owned by an appropriate
CCE-5497-3   group                           list of groups
             The log file configured to
             capture critical sendmail
             messages should be
             owned by the appropriate
CCE-6029-3   user.                           list of users
             The log file configured to
             capture critical sendmail
             messages should be
             owned by the appropriate
CCE-5116-9   group.                          list of groups
             Programs executed
             through aliases file entries
             should be owned by an
CCE-5154-0   appropriate user                list of users
             Programs executed
             through aliases file entries
             should be owned by an
CCE-6013-7   appropriate group               list of groups

             Shell files should be owned
CCE-5999-8   by an appropriate user      list of users

             Shell files should be owned
CCE-6003-8   by an appropriate group     list of groups
             snmpd.conf file should be
             owned by an appropriate
CCE-6096-2   user                            list of users
             snmpd.conf file should be
             owned by an appropriate
CCE-6107-7   group                           list of groups
             /etc/syslog.conf file should
             be owned by an
CCE-5171-4   appropriate user                list of users
             /etc/syslog.conf file should
             be owned by an
CCE-5688-7   appropriate group               list of groups
             traceroute executable
             should be owned by an
CCE-5185-4   appropriate user                list of users
             traceroute executable
             should be owned by an
CCE-5671-3   appropriate group               list of groups
             /usr/lib/sendmail file should
             be owned by an
CCE-5706-7   appropriate user                list of users
             /usr/lib/sendmail file should
             be owned by an
CCE-6177-0   appropriate group               list of groups
             /etc/passwd file should be
             owned by an appropriate
CCE-5860-2   user                            list of users
             /etc/passwd file should be
             owned by an appropriate
CCE-6146-5   group                           list of groups
             /etc/shadow file should be
             owned by an appropriate
CCE-5992-3   user                            list of users
             /etc/shadow file should be
             owned by an appropriate
CCE-5615-0   group                           list of groups
             smbpasswd file should be
             owned by an appropriate
CCE-5580-6   user                            list of users
             smbpasswd file should be
             owned by an appropriate
CCE-5191-2   group                           list of groups
             Environmental variable
             PATH for superuser
             accounts should or should
             not contain world-writable
CCE-6088-9   files as appropriate            should/should not
             Environmental variable
             PATH for superuser
             accounts should not
             contain the current
             directory as the first or last
CCE-6044-2   entry                          should/should not
             The current working
             directory should or should
             not be added to the
             environmental variable
             PATH by global
             initialization files as
CCE-5195-3   appropriate                    should/should not
             The current working
             directory should or should
             not be added to the
             environmental variable
             PATH by local initialization
CCE-6012-9   files as appropriate           should/should not
CCE-5361-1   DEPRECATED.
             The current working
             directory should or should
             not be added to the
             environmental variable
             PATH by run control scripts
CCE-5204-3   as appropriate                 should/should not
             The system umask should
CCE-6087-1   be set appropriately           umask
             The user umask should be
CCE-6056-6   set appropriately              umask
             The cron.allow file should
             be configured with the set
             of users permitted to use
             the cron facility as
CCE-5816-4   appropriate.                   list of users
             The cron.deny file should
             be configured with the set
             of users not permitted to
             use the cron facility as
CCE-5785-1   appropriate.                   list of users
             Cron logging should be
             enabled or disabled as
CCE-5661-4   appropriate                    enabled/disabled
             The at.allow file should be
             configured with the set of
             users permitted to use the
CCE-5877-6   at facility as appropriate.    list of users
             The at.deny file should be
             configured with the set of
             users not permitted to use
             the at facility as
CCE-5600-2   appropriate.                   list of users
             /etc/security/audit/config
             file permissions should be
CCE-5489-0   set appropriately              permissions
             /etc/security/audit/events
             file permissions should be
CCE-6066-5   set appropriately              permissions
             /etc/security/audit/objects
             file permissions should be
CCE-6084-8   set appropriately              permissions
             /usr/lib/trcload file
             permissions should be set
CCE-5819-8   appropriately                  permissions
             /usr/lib/semutil file
             permissions should be set
CCE-5648-1   appropriately                  permissions
             /etc/security/audit/config
             file should be owned by an
CCE-5205-0   appropriate user               list of users
             /etc/security/audit/events
             file should be owned by an
CCE-5548-3   appropriate user               list of users
             /etc/security/audit/objects
             file should be owned by an
CCE-6085-5   appropriate user               list of users
             /usr/lib/trcload file should
             be owned by an
CCE-5926-1   appropriate user               list of users
             /usr/lib/semutil file should
             be owned by an
CCE-5224-1   appropriate user               list of users
             /etc/security/audit/config
             file should be owned by an
CCE-6037-6   appropriate group              list of groups
             /etc/security/audit/events
             file should be owned by an
CCE-6011-1   appropriate group              list of groups
             /etc/security/audit/objects
             file should be owned by an
CCE-5980-8   appropriate group              list of groups
             /usr/lib/trcload file should
             be owned by an
CCE-6103-6   appropriate group              list of groups
             /usr/lib/semutil file should
             be owned by an
CCE-5945-1   appropriate group              list of groups
             The authentication
             mechanism (SYSTEM
             attribute) should be set    authentication
CCE-6079-8   appropriately for each user system
             Trusted Computing Base
             should be installed or not
CCE-6158-0   as appropriate              installed/not installed

             Auditing should be enabled
             or disabled as appropriate
CCE-5484-1   in runcontrol scripts         enabled/disabled
             BIN mode auditing should
             be enabled or disabled as
CCE-5378-5   appropriate                   enabled/disabled
             Accounts should be
             present or absent from the
             audit config file as
CCE-5235-7   appropriate                   present/absent
             System logons should be
             audited or not as
CCE-5913-9   appropriate                   audited/not audited
             System logoffs should be
             audited or not as
CCE-5993-1   appropriate                   audited/not audited
             Password changes should
             be audited or not as
CCE-5693-7   appropriate                   audited/not audited

             su usage should be audited
CCE-6230-7   or not as appropriate      audited/not audited
             Creation/modification of
             superuser groups should
             be audited or not as
CCE-5697-8   appropriate                audited/not audited

             Startup/shutdown of audit
             functions should be audited
CCE-6197-8   or not as appropriate         audited/not audited
             Certificate revocation
             should be audited or not as
CCE-5889-1   appropriate                   audited/not audited
             Remote access from
             outside the corporate
             network should be audited
CCE-6109-3   or not as appropriate         audited/not audited
             Use of chown command
             should be audited or not as
CCE-5242-3   appropriate                   audited/not audited
             File permissions of the rcp
             binary should be set
CCE-6213-3   correctly                      permissions
             File permissions of the
             rlogin binary should be set
CCE-5680-4   correctly                      permissions
             File permissions of the
             rlogind binary should be set
CCE-5591-3   correctly                      permissions
             File permissions of the rsh
             binary should be set
CCE-5543-4   correctly                      permissions
             File permissions of the
             rshd binary should be set
CCE-5934-5   correctly                      permissions
             File permissions of the tftp
             binary should be set
CCE-6009-5   correctly                      permissions
             File permissions of the
             tftpd binary should be set
CCE-5996-4   correctly                      permissions
             Global initialization files
             should allow or deny write
             access to the terminal as
CCE-6135-8   appropriate                    allow/deny
             Netrc should be configured
             with an appropriate set of
CCE-5963-4   services                       list of services
             Change of file ownership
             should be audited or not as
CCE-6104-4   appropriate                    audited/not audited
             Use of chmod command
             should be audited or not as
CCE-5324-9   appropriate                    audited/not audited
             Certificate creation should
             be audited or not as
CCE-6170-5   appropriate                    audited/not audited
             Certificate deletion should
             be audited or not as
CCE-5243-1   appropriate                    audited/not audited
             Certificate retrieval should
             be audited or not as
CCE-6016-0   appropriate                    audited/not audited
             Startup or shutdown of the
             audit process should be
             audited or not as
CCE-6174-7   appropriate                    audited/not audited
             Use of chgrp should be
             audited or not as
CCE-5245-6   appropriate                    audited/not audited
             Use of mkgroup should be
             audited or not as
CCE-5253-0   appropriate              audited/not audited
             Use of rmgroup should be
             audited or not as
CCE-6189-5   appropriate              audited/not audited

             Use of change user
             functions should be audited
CCE-6035-0   or not as appropriate       audited/not audited
             Terminal logoffs should be
             audited or not as
CCE-6100-2   appropriate                 audited/not audited
             Exit function usage should
             be audited or not as
CCE-6157-2   appropriate                 audited/not audited

             Hard core dump size limits Size (0 to disable
CCE-6156-4   should be set appropriately core dumps)
             Remote root logins via
             SSH should be allowed or
CCE-5751-3   not as appropriate.         allowed/not allowed
                                         Internal Revenue Service Basic
                                         UNIX Security Requirements (IRS
              CCE Technical Mechanisms   BUSR)
                                         http://www.irs.gov/irm/part10/ch03
                                         s08.html




via fstab                                10.8.10.4.2.1 (5)


via fstab                                10.8.10.4.2.1 (5)


via fstab                                10.8.10.4.2.1 (5)




via /etc/passwd                          10.8.10.4.2.1 (6)

via /etc/security/limits
via ulimit                               10.8.10.4.4 (3)


via /etc/snmp.conf                       10.8.10.5.1 (1) c)


via /etc/snmp.conf                       10.8.10.5.1 (1) c)




via /etc/security/user                   10.8.10.5.1 (2) a)




via /etc/security/user                   10.8.10.5.1 (2) a)




via /etc/security/user                   10.8.10.5.1 (2) a)




via /etc/security/user                   10.8.10.5.1 (2) a)
via /etc/security/user        10.8.10.5.1 (2) b)


via /etc/security/user        10.8.10.5.1 (2) c)




via /etc/security/user        10.8.10.5.1 (2) d)




via /etc/security/user        10.8.10.5.1 (2) e)


via passwd
via /etc/shadow               10.8.10.5.1 (2) f)




via /etc/security/passwd      10.8.10.5.1 (2) g)




                              10.8.10.5.1 (3)


via /etc/security/user        10.8.10.5.1 (5)




via chown                     10.8.10.5.2 (3)

via chgrp
via chown                     10.8.10.5.2 (3)

via /etc/security/login.cfg
via /etc/motd                 10.8.10.5.2 (5) a)


via sshd.conf                 10.8.10.5.2 (5) b)


                              10.8.10.5.2 (5) c)


                              10.8.10.5.2 (5) d)
                     10.8.10.5.2 (5) e)


via passwd
via /etc/passwd      10.8.10.5.2.1 (2) a)




via passwd
via /etc/passwd      10.8.10.5.2.1 (2) b)


via /etc/passwd      10.8.10.5.2.4 (3)

via /etc/passwd      10.8.10.5.2.4 (9)




via /etc/passwd      10.8.10.5.2.4.1 (1)


via Xscreensaver
via dtsession        10.8.10.5.2.5 (1)


via chmod            10.8.10.5.2.6 (1)


via BIOS             10.8.10.5.2.6 (3)


/etc/default/login   10.8.10.5.2.6 (4)


filesystem           10.8.10.5.2.6 (6)


filesystem           10.8.10.5.2.6 (6)


filesystem           10.8.10.5.2.6 (6)


filesystem           10.8.10.5.2.6 (6)
Text editor      10.8.10.5.2.6 (7)




Text editor      10.8.10.5.2.6 (7)




Text editor      10.8.10.5.2.6 (10)

Text editor      10.8.10.5.2.6 (11)




/etc/shells      10.8.10.5.2.6 (12)




/etc/group       10.8.10.5.2.6 (15)


/etc/passwd      10.8.10.5.2.6 (16)


/etc/passwd      10.8.10.5.2.6 (17)




filesystem       10.8.10.5.2.6 (18)


filesystem       10.8.10.5.2.6 (24)


via RC scripts   10.8.10.5.3 (3)




ntpd.conf
Audit subsystem               10.8.10.5.3 (4)


Audit subsystem               10.8.10.5.3 (5)




Audit subsystem               10.8.10.5.3 (6)


                              10.8.10.5.4.1 (12)


                              10.8.10.5.4.1 (2) a)




                              10.8.10.5.4.1 (2) c)




                              10.8.10.5.4.1 (2) d)




                              10.8.10.5.4.1 (2) e)


                              10.8.10.5.4.1 (3)


via /etc/default/route.conf   10.8.10.5.4.1 (4)


via RC scripts                10.8.10.5.4.1 (5)

via inetd
via inetd.conf                10.8.10.5.4.1 (11) #1

via inetd
via inetd.conf                10.8.10.5.4.1 (11) #2

via inetd
via inetd.conf                10.8.10.5.4.1 (11) #3

via inetd
via inetd.conf                10.8.10.5.4.1 (11) #4
via inetd
via inetd.conf   10.8.10.5.4.1 (11) #5

via inetd
via inetd.conf   10.8.10.5.4.1 (11) #6

via inetd
via inetd.conf   10.8.10.5.4.1 (11) #7

via inetd
via inetd.conf   10.8.10.5.4.1 (11) #8

via inetd
via inetd.conf   10.8.10.5.4.1 (11) #9

via inetd
via inetd.conf   10.8.10.5.4.1 (11) #10

via inetd
via inetd.conf   10.8.10.5.4.1 (11) #11

via inetd
via inetd.conf   10.8.10.5.4.1 (11) #12

via inetd
via inetd.conf   10.8.10.5.4.1 (11) #13

via inetd
via inetd.conf   10.8.10.5.4.1 (11) #14


via inetd
via inetd.conf   10.8.10.5.4.1 (11) #16

via inetd
via inetd.conf   10.8.10.5.4.1 (11) #17

via inetd
via inetd.conf   10.8.10.5.4.1 (11) #18

via inetd
via inetd.conf   10.8.10.5.4.1 (11) #19

via inetd
via inetd.conf   10.8.10.5.4.1 (11) #20

via inetd
via inetd.conf   10.8.10.5.4.1 (11) #21
via inetd
via inetd.conf        10.8.10.5.4.1 (11) #22

via inetd
via inetd.conf        10.8.10.5.4.1 (11) #23

via inetd
via inetd.conf        10.8.10.5.4.1 (11) #24

via inetd
via inetd.conf        10.8.10.5.4.1 (11) #26

via inetd
via inetd.conf        10.8.10.5.4.1 (11) #27

via inetd
via inetd.conf        10.8.10.5.4.1 (11) #28

via inetd
via inetd.conf        10.8.10.5.4.1 (11) #29

via inetd
via inetd.conf        10.8.10.5.4.1 (11) #30

via inetd
via inetd.conf        10.8.10.5.4.1 (11) #31

via inetd
via inetd.conf        10.8.10.5.4.1 (11) #32


via inetd
via inetd.conf        10.8.10.5.4.1 (11) #34


via RC scripts        10.8.10.5.4.1.1 (2)




via /etc/named.conf   10.8.10.5.4.1.1 (5)


/etc/ssh/ssh_config   10.8.10.5.4.1.2 (2)


via inetd.conf        10.8.10.5.4.1.3 (1)


                      10.8.10.5.4.1.4 (1)
via RC scripts     10.8.10.5.4.1.5 (1)


via RC scripts     10.8.10.5.4.1.5 (1)


via RC scripts     10.8.10.5.4.1.5 (1)


via RC scripts     10.8.10.5.4.1.5 (1)




                   10.8.10.5.4.1.5 (1) a)




                   10.8.10.5.4.1.5 (1) a)




                   10.8.10.5.4.1.5 (1) f)




                   10.8.10.5.4.1.5 (1) f)




                   10.8.10.5.4.1.5 (1) f)




                   10.8.10.5.4.1.5 (1) f)




via /etc/exports   10.8.10.5.4.1.5 (1) g)
via /etc/fstab                   10.8.10.5.4.1.5 (1) i)




via /etc/fstab                   10.8.10.5.4.1.5 (1) i)


via RC scripts                   10.8.10.5.4.2.2 (1)


via /etc/mail/sendmail.cf        10.8.10.5.4.2.2 (3)

via /etc/aliases
via /usr/lib/aliases             10.8.10.5.4.2.2 (4) c)


via rm                           10.8.10.5.4.2.2 (4) e)




via chown                        10.8.10.5.4.2.2 (4) f)




via chown                        10.8.10.5.4.2.2 (4) f)


via /etc/mail/sendmail.cf        10.8.10.5.4.2.2 (4) g)


via /etc/mail/sendmail.cf        10.8.10.5.4.2.2 (4) h)


via /etc/mail/sendmail.cf        10.8.10.5.4.2.2 (4) i)




via /etc/mail/sendmail.cf        10.8.10.5.4.2.2 (4) k)

via RC scripts                   10.8.10.5.4.2.3 (1)

via NIS+
via RC scripts                   10.8.10.5.4.2.3 (1) b)

via Xwindows
via /etc/inittab vi RC scripts   10.8.10.5.4.2.4 (1)
via /etc/X*.hosts   10.8.10.5.4.2.4 (2) b)

via xdm
via gdm
via kdm             10.8.10.5.4.2.4 (2) d)


via sshd_config     10.8.10.5.4.2.4 (2) f)
via smbd
via RC scripts      10.8.10.5.4.2.6 (1)


via smbd
via smb.conf        10.8.10.5.4.2.6 (3) a)

via smbd
via smb.conf        10.8.10.5.4.2.6 (3) b)

via smbd
via smb.conf        10.8.10.5.4.2.6 (3) c)


via smbd
via smb.conf        10.8.10.5.4.2.6 (3) d)

via SMIT            10.8.10.5.4.3 (1)


via chmod           10.8.10-1 A.1 1) #1


via chmod           10.8.10-1 A.1 1) #2


via chmod           10.8.10-1 A.1 1) #2


via chmod           10.8.10-1 A.1 1) #5


via chmod           10.8.10-1 A.1 1) #5


via chmod           10.8.10-1 A.1 1) #6


via chmod           10.8.10-1 A.1 1) #7
via chmod   10.8.10-1 A.1 1) #7


via chmod   10.8.10-1 A.1 1) #8


via chmod   10.8.10-1 A.1 1) #9


via chmod   10.8.10-1 A.1 1) #10


via chmod   10.8.10-1 A.1 1) #11


via chmod   10.8.10-1 A.1 1) #13


via chmod   10.8.10-1 A.1 1) #14


via chmod   10.8.10-1 A.1 1) #21


via chmod   10.8.10-1 A.1 1) #23


via chmod   10.8.10-1 A.1 1) #25


via chmod   10.8.10-1 A.1 1) #26


via chmod   10.8.10-1 A.1 1) #27




via chmod   10.8.10-1 A.1 1) #29


via chmod   10.8.10-1 A.1 1) #31


via chmod   10.8.10-1 A.1 1) #32


via chmod   10.8.10-1 A.1 1) #34
via chmod        10.8.10-1 A.1 1) #35




via chmod        10.8.10-1 A.1 1) #36


via chmod        10.8.10-1 A.1 1) #37


via chmod        10.8.10-1 A.1 1) #38


via chmod        10.8.10-1 A.1 1) #39

via filesystem   10.8.10-1 A.1 1) #40


via chmod        10.8.10-1 A.1 1) #41


via chmod        10.8.10-1 A.1 1) #42


via chmod        10.8.10-1 A.1 1) #43


via chmod        10.8.10-1 A.1 1) #44


via chmod        10.8.10-1 A.1 1) #45

via filesystem   10.8.10-1 A.1 1) #46


via chmod        10.8.10-1 A.1 1) #47


via chmod        10.8.10-1 A.1 1) #48


via chmod        10.8.10-1 A.1 1) #49


via chmod        10.8.10-1 A.1 1) #50
via chmod        10.8.10-1 A.1 1) #51

via filesystem   10.8.10-1 A.1 1) #52


via chmod        10.8.10-1 A.1 1) #53


via chmod        10.8.10-1 A.1 1) #54


via chmod        10.8.10-1 A.1 1) #56


via chmod        10.8.10-1 A.1 1) #57


via chmod        10.8.10-1 A.1 1) #58


via chmod        10.8.10-1 A.1 1) #59


via chmod        10.8.10-1 A.1 1) #60


via chmod        10.8.10-1 A.1 1) #61


via chmod        10.8.10-1 A.1 1) #62


via chmod        10.8.10-1 A.1 1) #63


via chmod        10.8.10-1 A.1 1) #64


via chmod        10.8.10-1 A.1 1) #65


via chmod        10.8.10-1 A.1 1) #66


via filesystem   10.8.10-1 A.1 1) #69


via chmod        10.8.10-1 A.1 1) #70
via chmod        10.8.10-1 A.1 1) #71


via chmod        10.8.10-1 A.1 1) #72


via chmod        10.8.10-1 A.1 1) #73


via chmod        10.8.10-1 A.1 1) #75


via chmod        10.8.10-1 A.1 1) #76


via chmod        10.8.10-1 A.1 1) #77


via chmod        10.8.10-1 A.1 1) #78


via chmod        10.8.10-1 A.1 1) #79


via chmod        10.8.10-1 A.1 1) #80


via chmod        10.8.10-1 A.1 1) #81


via chmod        10.8.10-1 A.1 1) #82


via chmod        10.8.10-1 A.1 1) #83

via filesystem   10.8.10-1 A.1 1) #84


via chmod        10.8.10-1 A.1 1) #85


via chmod        10.8.10-1 A.1 1) #86


via chmod        10.8.10-1 A.1 1) #87


via chmod        10.8.10-1 A.1 1) #88
via chmod   10.8.10-1 A.1 1) #89




via chmod   10.8.10-1 A.1 1) #91




via chmod   10.8.10-1 A.1 1) #93


via chmod   10.8.10-1 A.1 1) #94


via chmod   10.8.10-1 A.1 1) #95


via chmod   10.8.10-1 A.1 1) #96


via chmod   10.8.10-1 A.1 1) #97


via chmod   10.8.10-1 A.1 1) #98


via chmod   10.8.10-1 A.1 1) #99


via chmod   10.8.10-1 A.1 1) #100


via chmod   10.8.10-1 A.1 1) #101


via chmod   10.8.10-1 A.1 1) #103


via chmod   10.8.10-1 A.1 1) #104


via chmod   10.8.10-1 A.1 1) #105


via chmod   10.8.10-1 A.1 1) #107


via chmod   10.8.10-1 A.1 1) #108
via chmod   10.8.10-1 A.1 1) #109


via chown   10.8.10-1 A.1 2) #1

via chgrp
via chown   10.8.10-1 A.1 2) #1


via chown   10.8.10-1 A.1 2) #2

via chgrp
via chown   10.8.10-1 A.1 2) #2


via chown   10.8.10-1 A.1 2) #2

via chgrp
via chown   10.8.10-1 A.1 2) #2


via chown   10.8.10-1 A.1 2) #4

via chgrp
via chown   10.8.10-1 A.1 2) #4


via chown   10.8.10-1 A.1 2) #4

via chgrp
via chown   10.8.10-1 A.1 2) #4


via chown   10.8.10-1 A.1 2) #5

via chgrp
via chown   10.8.10-1 A.1 2) #5


via chown   10.8.10-1 A.1 2) #5

via chgrp
via chown   10.8.10-1 A.1 2) #5


via chown   10.8.10-1 A.1 2) #6

via chgrp
via chown   10.8.10-1 A.1 2) #6
via chown   10.8.10-1 A.1 2) #7

via chgrp
via chown   10.8.10-1 A.1 2) #7


via chown   10.8.10-1 A.1 2) #7

via chgrp
via chown   10.8.10-1 A.1 2) #7


via chown   10.8.10-1 A.1 2) #7

via chgrp
via chown   10.8.10-1 A.1 2) #7


via chown   10.8.10-1 A.1 2) #11

via chgrp
via chown   10.8.10-1 A.1 2) #11


via chown   10.8.10-1 A.1 2) #12

via chgrp
via chown   10.8.10-1 A.1 2) #12


via chown   10.8.10-1 A.1 2) #13

via chgrp
via chown   10.8.10-1 A.1 2) #13




via chown   10.8.10-1 A.1 2) #14


via chgrp
via chown   10.8.10-1 A.1 2) #14


via chown   10.8.10-1 A.1 2) #16

via chgrp
via chown   10.8.10-1 A.1 2) #16
via chown   10.8.10-1 A.1 2) #18

via chgrp
via chown   10.8.10-1 A.1 2) #18


via chown   10.8.10-1 A.1 2) #21

via chgrp
via chown   10.8.10-1 A.1 2) #21


via chown   10.8.10-1 A.1 2) #22

via chgrp
via chown   10.8.10-1 A.1 2) #22


via chown   10.8.10-1 A.1 2) #24

via chgrp
via chown   10.8.10-1 A.1 2) #24




via chown   10.8.10-1 A.1 2) #25




via chgrp
via chown   10.8.10-1 A.1 2) #25




via chown   10.8.10-1 A.1 2) #26


via chgrp
via chown   10.8.10-1 A.1 2) #26


via chown   10.8.10-1 A.1 2) #27

via chgrp
via chown   10.8.10-1 A.1 2) #27
via chown     10.8.10-1 A.1 2) #29

via chgrp
via chown     10.8.10-1 A.1 2) #29


via chown     10.8.10-1 A.1 2) #30

via chgrp
via chown     10.8.10-1 A.1 2) #30


via chown     10.8.10-1 A.1 2) #31

via chgrp
via chown     10.8.10-1 A.1 2) #31


via chown     10.8.10-1 A.1 2) #32

via chgrp
via chown     10.8.10-1 A.1 2) #32


via chown     10.8.10-1 A.1 2) #35

via chgrp
via chown     10.8.10-1 A.1 2) #35


via chown     10.8.10-1 A.1 2) #36

via chgrp
via chown     10.8.10-1 A.1 2) #36


via chown     10.8.10-1 A.1 2) #37

via chgrp
via chown     10.8.10-1 A.1 2) #37




via chmod
via profile   10.8.10-1 A.2 1) #1
via local init files    10.8.10-1 A.2 1) #2




via local init files    10.8.10-1 A.2 1) #3




via local init files    10.8.10-1 A.2 1) #4




                        10.8.10-1 A.2 1) #7

via global init files   10.8.10-1 A.2 1) #8

via local init files    10.8.10-1 A.2 1) #8




Text editor




Text editor


                        10.8.10-1 A.3 4)




Text editor
Text editor


via chmod     10.8.10-5 E.1 1) #1


via chmod     10.8.10-5 E.1 1) #2


via chmod     10.8.10-5 E.1 1) #3


via chmod     10.8.10-5 E.1 1) #5


via chmod     10.8.10-5 E.1 1) #6


via chown     10.8.10-5 E.1 1) #1

via chgrp
via chown     10.8.10-5 E.1 1) #2


via chown     10.8.10-5 E.1 1) #3


via chown     10.8.10-5 E.1 1) #5


via chown     10.8.10-5 E.1 1) #6


via chown     10.8.10-5 E.1 1) #1

via chgrp
via chown     10.8.10-5 E.1 1) #2

via chgrp
via chown     10.8.10-5 E.1 1) #3

via chgrp
via chown     10.8.10-5 E.1 1) #5

via chgrp
via chown     10.8.10-5 E.1 1) #6
via /etc/security/user           10.8.10-5 E.1 2)


via /etc/security/user           10.8.10-5 E.2 1)


via /etc/inittab
via RC scripts                   10.8.10-5 E.3 1)


via /etc/security/audit/config   10.8.10-5 E.3 2)




via /etc/security/audit/config   10.8.10-5 E.3 3)


via /etc/security/audit/config   10.8.10-5 E.3 4) #1


via /etc/security/audit/config   10.8.10-5 E.3 4) #2


via /etc/security/audit/config   10.8.10-5 E.3 4) #3


via /etc/security/audit/config   10.8.10-5 E.3 4) #4




via /etc/security/audit/config   10.8.10-5 E.3 4) #5




via /etc/security/audit/config   10.8.10-5 E.3 4) #9


via /etc/security/audit/config   10.8.10-5 E.3 4) #10




via /etc/security/audit/config   10.8.10-5 E.3 4) #11


via /etc/security/audit/config   10.8.10-5 E.3 4) #13
via chmod                        10.8.10-5 E.4 1)


via chmod                        10.8.10-5 E.4 1)


via chmod                        10.8.10-5 E.4 1)


via chmod                        10.8.10-5 E.4 1)


via chmod                        10.8.10-5 E.4 1)


via chmod                        10.8.10-5 E.4 1)


via chmod                        10.8.10-5 E.4 1)




via global init files            10.8.10-5 E.5 1) #1


via /etc/security/sysck.cfg      10.8.10-5 E.4 1)


via /etc/security/audit/config   10.8.10-5 E.3 4) #13


via /etc/security/audit/config   10.8.10-5 E.3 4) #13


via /etc/security/audit/config   10.8.10-5 E.3 4) #10


via /etc/security/audit/config   10.8.10-5 E.3 4) #10


via /etc/security/audit/config   10.8.10-5 E.3 4) #10




via /etc/security/audit/config   10.8.10-5 E.3 4) #9


via /etc/security/audit/config   10.8.10-5 E.3 4) #5
via /etc/security/audit/config    10.8.10-5 E.3 4) #5


via /etc/security/audit/config    10.8.10-5 E.3 4) #5




via /etc/security/audit/config    10.8.10-5 E.3 4) #4


via /etc/security/audit/config    10.8.10-5 E.3 4) #2


via /etc/security/audit/config    10.8.10-5 E.3 4) #2


via /etc/security/limits ulimit   10.8.10.4.4 (3)


via /etc/ssh/sshd_config          10.8.10.5.2.6 (4)
                                                 CCE
  CCE ID        CCE Description
                                              Parameters



             /export/home should be
             configured on an
             appropriate filesystem
CCE-5435-3   logical volume                logical volume
             /var should be configured
             on an appropriate
CCE-6030-1   filesystem logical volume     logical volume
             /opt should be configured
             on an appropriate
CCE-5936-0   filesystem logical volume     logical volume
             The shell for the root
             account should be located
             on the appropriate
CCE-6122-6   filesystem                    filesystem

             Core dump size limits         Size (0 to disable
CCE-6091-3   should be set appropriately   core dumps)
             The read-only SNMP
             community string should be
CCE-6249-7   set appropriately.            string
             The read/write SNMP
             community string should be
CCE-6095-4   set appropriately.            string
             Password policy should
             ban or allow usernames or
             UIDs in passwords as
CCE-6108-5   appropriate                   ban/allow

             Password policy should
             ban or allow words found in
CCE-5812-3   a dictionary as appropriate. ban/allow

             Password policy should
             enforce the correct amount number of special
CCE-6161-4   of special characters      characters
             Password policy should
             enforce or not enforce the
             requirement to have mixed
             case passwords as
CCE-6172-1   appropriate.               enforce/not enforce
             The minimum password
             age should be set as
CCE-5639-0   appropriate                     number of days
             The minimum required
             password length should be       number of
CCE-6163-0   set as appropriate              characters
             Password history should be
             saved for an appropriate
             number of password              number of password
CCE-5982-4   changes                         changes
             The number of consecutive
             failed login attempts
             required to trigger a lockout   number of
             should be set as                consecutive failed
CCE-5956-8   appropriate                     login attempts
             Login access to accounts
             without passwords should
             be enabled or disabled as
CCE-6219-0   appropriate                     enabled/disabled
             New users should be
             required or not required to
             change their password on
CCE-5925-3   first login as appropriate      required/not required
             Access to single-user
             mode (maintainence mode)
             should require the root
             password or not as
CCE-6140-8   appropriate                     required/not required
             The delay between failed
             logins should be set as
CCE-6180-4   appropriate                     number of seconds

             All files should be owned       existing account
             by an existing account or       required / existing
CCE-6114-3   not as appropriate.             account not required
             All files should be owned       existing group
             by an existing group or not     required / existing
CCE-6120-0   as appropriate.                 group not required

             The console login banner
CCE-6094-7   should be set appropriately. banner text or null

             The SSH login banner
CCE-5561-6   should be set appropriately. banner text or null

             The telnet login banner
CCE-5583-0   should be set appropriately. banner text or null

             The ftp login banner should
CCE-5552-5   be set appropriately.       banner text or null
             The graphical login banner
CCE-5255-5   should be set appropriately.    banner text or null
             Accounts other than root
             should be allowed to have
             the UID 0 or not as
CCE-6043-4   appropriate                     allowed/not allowed
             Accounts other than root
             and locked system
             accounts should be
             allowed to have a GID of 0
CCE-6117-6   or not as appropriate           allowed/not allowed
             Each account should be
             assigned a unique UID or
CCE-5883-4   not as appropriate              unique/not unique
             The ftp account should
CCE-5261-3   exist or not as appropriate     exist/not exist
             Login accounts should
             include an appropriate
             GECOS identifier or no
CCE-5495-7   GECOS identifier                GECOS value, null
             The screen lock should
             activate after an
             appropriate period of
CCE-5949-3   inactivity                      number of minutes
             File permissions should be
             set appropriately for all
CCE-6147-3   shell executables.              permissions
             Remote (serial) consoles
             should be enabled or
CCE-6182-0   disabled as appropriate.        enabled/disabled
             Root logins should be
             restricted to the console or    restricted/not
CCE-5764-6   not as appropriate.             restricted
             .netrc files should exist or
             not as appropriate for all
CCE-6151-5   users.                          exist/not exist
             .rhosts files should exist or
             not as appropriate for all
CCE-5516-0   users.                          exist/not exist
             .shosts files should exist or
             not as appropriate for all
CCE-6089-7   users.                          exist/not exist
             The /etc/hosts.equiv file
             should exist or not as
CCE-5873-5   appropriate.                    exist/not exist
             The /etc/shells file should
CCE-6186-1   exist or not as appropriate     exist/not exist
             Shells referenced in
             /etc/passwd should be
             included in /etc/shells or
CCE-6191-1   not as appropriate               included/not included

             The use of NIS special
             characters (+ or -) in the
             first field of the /etc/passwd
             file should be allowed or
CCE-8640-5   disallowed as appropriate. allowed/not allowed

             The use of NIS special
             characters (+ or -) in the
             first field of the /etc/shadow
             file should be allowed or
CCE-8240-4   disallowed as appropriate.       allowed/not allowed
             The use of NIS special
             characters (+ or -) in the
             first field of the /etc/group
             file should be allowed or
CCE-8631-4   disallowed as appropriate.       allowed/not allowed
             Groups referenced in
             /etc/passwd should be
             included in /etc/group or
CCE-6208-3   not as appropriate.              included/not included
             The home directory for the
             root account should be set
CCE-5265-4   appropriately.                   path
             The home directory for
             each user account should
CCE-6133-3   be set appropriately.            path
             Home directories
             referenced in /etc/passwd
             should exist or not as
CCE-5797-6   appropriate                      exist/not exist
             All device files should be
             located inside an
CCE-5886-7   appropriate path                 path
             The ntpd service should be
             enabled or disabled as
CCE-5762-0   appropriate.                     enabled/disabled

             The Network Time Protocol
             (ntp) synchronization
             server should be set
CCE-5987-3   appropriately.            timeserver

             The default gateway should
CCE-5828-9   be set appropriately.      IP address/disabled
             The inetd service should be
             enabled or disabled as
CCE-5927-9   appropriate.                  enabled/disabled
             echo service should be
             enabled or disabled as
CCE-6143-2   appropriate                   enabled/disabled
             netstat service should be
             enabled or disabled as
CCE-6054-1   appropriate                   enabled/disabled
             rcp service should be
             enabled or disabled as
CCE-6010-3   appropriate                   enabled/disabled
             chargen service should be
             enabled or disabled as
CCE-5460-1   appropriate                   enabled/disabled
             finger service should be
             enabled or disabled as
CCE-5618-4   appropriate                   enabled/disabled
             tftpd service should be
             enabled or disabled as
CCE-5838-8   appropriate                   enabled/disabled
             walld service should be
             enabled or disabled as
CCE-5878-4   appropriate                   enabled/disabled
             rstatd service should be
             enabled or disabled as
CCE-5266-2   appropriate                   enabled/disabled
             sprayd service should be
             enabled or disabled as
CCE-6138-2   appropriate                   enabled/disabled
             rusersd service should be
             enabled or disabled as
CCE-6057-4   appropriate                   enabled/disabled
             rlogin service should be
             enabled or disabled as
CCE-5885-9   appropriate                   enabled/disabled
             rsh service should be
             enabled or disabled as
CCE-5978-2   appropriate                   enabled/disabled
             ftp service should be
             enabled or disabled as
CCE-5607-7   appropriate                   enabled/disabled
             telnet service should be
             enabled or disabled as
CCE-6075-6   appropriate                   enabled/disabled
CCE-6232-3   DEPRECATED.
             inn service should be
             enabled or disabled as
CCE-6171-3   appropriate                   enabled/disabled
             uucp service should be
             enabled or disabled as
CCE-5638-2   appropriate                  enabled/disabled
             rexec service should be
             enabled or disabled as
CCE-6175-4   appropriate                  enabled/disabled
             font-service should be
             enabled or disabled as
CCE-6144-0   appropriate                  enabled/disabled
             imap2 service should be
             enabled or disabled as
CCE-5763-8   appropriate                  enabled/disabled
             pop3 service should be
             enabled or disabled as
CCE-5856-0   appropriate                  enabled/disabled
             ident service should be
             enabled or disabled as
CCE-6081-4   appropriate                  enabled/disabled
             rexd service should be
             enabled or disabled as
CCE-6093-9   appropriate                  enabled/disabled
             daytime service should be
             enabled or disabled as
CCE-6173-9   appropriate                  enabled/disabled
             dtspc (cde-spc) service
             should be enabled or
CCE-5287-8   disabled as appropriate      enabled/disabled
             rquotad service should be
             enabled or disabled as
CCE-6070-7   appropriate                  enabled/disabled
             cmsd service should be
             enabled or disabled as
CCE-6026-9   appropriate                  enabled/disabled
             tooltalk service should be
             enabled or disabled as
CCE-6166-3   appropriate                  enabled/disabled
             xdmcp service should be
             enabled or disabled as
CCE-5867-7   appropriate                  enabled/disabled
             discard service should be
             enabled or disabled as
CCE-5810-7   appropriate                  enabled/disabled
CCE-5898-2   DEPRECATED.
             vino-server service should
             be enabled or disabled as
CCE-5713-3   appropriate                  enabled/disabled
             The bind service should be
             enabled or disabled as
CCE-5994-9   appropriate.                 enabled/disabled
             The version string reported
             by the bind service should
             be configured
CCE-6215-8   appropriately.                 string
             The nfsd service should be
             enabled or disabled as
CCE-5937-8   appropriate                    enabled/disabled
             The mountd service should
             be enabled or disabled as
CCE-5303-3   appropriate                    enabled/disabled
             The statd service should be
             enabled or disabled as
CCE-6223-2   appropriate                    enabled/disabled
             The lockd service should
             be enabled or disabled as
CCE-6069-9   appropriate                    enabled/disabled
             NFS should be configured
             with appropriate
CCE-5320-7   authentication methods         list of auth methods
             The read-only (ro) option
             should be enabled or
             disabled as appropriate for
CCE-5593-9   all NFS exports.               enabled/disabled
             The nosuid option should
             be enabled or disabled for
             all NFS mounts as
CCE-6256-2   appropriate                    enabled/disabled
             The nosgid option should
             be enabled or disabled for
             all NFS mounts as
CCE-5596-2   appropriate                    enabled/disabled
             Sendmail should be
             enabled or disabled as
CCE-6234-9   appropriate                    enabled/disabled

             The sendmail banner
CCE-6185-3   should be set appropriately.   string
             The decode sendmail alias
             should be enabled or
CCE-6000-4   disabled as appropriate.       enabled/disabled
             .forward files should be
             allowed or disallowed as
CCE-5551-7   appropriate for all users      allow/disallow
             Programs executed
             through the aliases file
             should be owned by an
CCE-6018-6   appropriate user               user
             Programs executed
             through the aliases file
             should reside a directory
             with an appropriate user
CCE-6141-6   owner                          user
             Sendmail vrfy command
             should be allowed or not as
CCE-6233-1   appropriate                    allow/disallow
             Sendmail expn command
             should be allowed or not as
CCE-5288-6   appropriate                    allow/disallow
             Sendmail should be
             configured with an
CCE-6113-5   appropriate logging level      logging level
             Sendmail help command
             should be allowed or not as
CCE-6047-5   appropriate                    allow/disallow
             NIS+ server should operate
             at an appropriate security
CCE-6214-1   level                          security level
             X-Windows should be
             enabled or disabled as
CCE-6051-7   appropriate                    enabled/disabled

             Authorized X-clients should
             be listed or not in the
CCE-5756-2   X*.hosts file as appropriate   listed/not listed
             X-Windows should write
             .Xauthority files to users'
             home directories or not as
CCE-5769-5   appropriate                    write/not write
             X11 forwarding via SSH
             should be enabled or
CCE-5976-6   disabled as appropriate.       enabled/disabled
             Samba should be enabled
CCE-5438-7   or disabled as appropriate     enabled/disabled
             Samba 'hosts allow' option
             should be configured with
             an appropriate set of
CCE-6227-3   networks                       list of networks
             Samba 'security option'
             option should be set as
CCE-5290-2   appropriate
             Samba 'encrypt' passwords
             option should be set as
CCE-6192-9   appropriate                    yes/no
             Samba 'smb passwd file'
             option should be set to an
             appropriate password file
CCE-6165-5   or no password file            file/nothing
             IPv6 should be enabled or
CCE-6262-0   disabled as appropriate     enabled/disabled

             /dev/kmem file permissions
CCE-6134-1   should be set appropriately permissions

             /dev/mem file permissions
CCE-5315-7   should be set appropriately permissions

             /dev/null file permissions
CCE-5912-1   should be set appropriately permissions

             resolv.conf file permissions
CCE-6128-3   should be set appropriately permissions
             /etc/named.conf file
             permissions should be set
CCE-5322-3   appropriately                permissions

             /usr/bin/at file permissions
CCE-6231-5   should be set appropriately permissions
             /usr/bin/rdist file
             permissions should be set
CCE-6082-2   appropriately                permissions
             /usr/sbin/sync file
             permissions should be set
CCE-6121-8   appropriately                permissions

             Superuser account home
             directories' permissions
CCE-5452-8   should be set appropriately permissions
             /etc/samba/smb.conf file
             permissions should be set
CCE-6280-2   appropriately               permissions
             smbpassword executable
             permissions should be set
CCE-5332-2   appropriately               permissions

             Aliases file permissions
CCE-5782-8   should be set appropriately permissions
             File permissions should be
             set as appropriate for the
             log file configured to
             capture critical sendmail
CCE-5861-0   messages.                   permissions
             All files executed through
             /etc/aliases file entries
             should have file
             permissions set
CCE-6248-9   appropriately               permissions
             /bin/csh file permissions
CCE-5592-1   should be set appropriately permissions

             /bin/jsh file permissions
CCE-5336-3   should be set appropriately permissions

             /bin/ksh file permissions
CCE-6205-9   should be set appropriately permissions
             The /bin/rsh file should
CCE-6298-4   exist or not as appropriate exist/not exist

             /bin/sh file permissions
CCE-6331-3   should be set appropriately permissions

             /bin/bash file permissions
CCE-6300-8   should be set appropriately permissions

             /sbin/csh file permissions
CCE-5938-6   should be set appropriately permissions

             /sbin/jsh file permissions
CCE-6027-7   should be set appropriately permissions

             /sbin/ksh file permissions
CCE-5864-4   should be set appropriately permissions
             The /sbin/rsh file should
CCE-5757-0   exist or not as appropriate exist/not exist

             /sbin/sh file permissions
CCE-6207-5   should be set appropriately permissions

             /sbin/bash file permissions
CCE-5973-3   should be set appropriately permissions
             /usr/bin/csh file
             permissions should be set
CCE-5341-3   appropriately               permissions

             /usr/bin/jsh file permissions
CCE-6291-9   should be set appropriately permissions
             /usr/bin/ksh file
             permissions should be set
CCE-6306-5   appropriately                 permissions
             The /usr/bin/rsh file should
CCE-5358-7   exist or not as appropriate exist/not exist

             /usr/bin/sh file permissions
CCE-6310-7   should be set appropriately permissions
             snmpd.conf file
             permissions should be set
CCE-5904-8   appropriately                 permissions

             /tmp file permissions
CCE-6217-4   should be set appropriately permissions

             /usr/tmp file permissions
CCE-5494-0   should be set appropriately permissions
             .Xauthority file permissions
             should be set appropriately
CCE-6221-6   for all users.               permissions

             /etc/aliases file permissions
CCE-6314-9   should be set appropriately permissions
             /etc/cron.d/at.allow file
             permissions should be set
CCE-6327-1   appropriately                 permissions
             /etc/cron.d/cron.allow file
             permissions should be set
CCE-6032-7   appropriately                 permissions

             /etc/csh file permissions
CCE-5915-4   should be set appropriately   permissions
             /etc/default/* file
             permissions should be set
CCE-5990-7   appropriately                 permissions
             /etc/default/login file
             permissions should be set
CCE-6320-6   appropriately                 permissions
             The /etc/ftpusers file
             should exist or not as
CCE-6236-4   appropriate                   exist/not exist
             /etc/host.lpd file
             permissions should be set
CCE-5950-1   appropriately                 permissions
             /etc/hostname* file
             permissions should be set
CCE-5362-9   appropriately                 permissions

             /etc/hosts file permissions
CCE-6068-1   should be set appropriately permissions
             /etc/inetd.conf file
             permissions should be set
CCE-6271-1   appropriately               permissions

             /etc/issue file permissions
CCE-6301-6   should be set appropriately permissions

             /etc/jsh file permissions
CCE-6275-2   should be set appropriately permissions
             /etc/ksh file permissions
CCE-6319-8   should be set appropriately permissions
             /etc/mail/aliases file
             permissions should be set
CCE-5649-9   appropriately               permissions

             /etc/motd file permissions
CCE-5870-1   should be set appropriately   permissions
             /etc/netconfig file
             permissions should be set
CCE-6274-5   appropriately                 permissions
             /etc/notrouter file
             permissions should be set
CCE-5372-8   appropriately                 permissions
             /etc/pam.conf file
             permissions should be set
CCE-5439-5   appropriately                 permissions
             /etc/passwd file
             permissions should be set
CCE-5601-0   appropriately                 permissions
             The /etc/rsh file should
CCE-6302-4   exist or not as appropriate   exist/not exist
             /etc/security file
             permissions should be set
CCE-5570-7   appropriately                 permissions
             /etc/services file
             permissions should be set
CCE-6020-2   appropriately                 permissions

             /etc/sh file permissions
CCE-5760-4   should be set appropriately permissions
             /etc/shadow file
             permissions should be set
CCE-5899-0   appropriately               permissions
             /etc/syslog.conf file
             permissions should be set
CCE-6225-7   appropriately               permissions
CCE-6242-2   DEPRECATED.

             /etc/fstab file permissions
CCE-6083-0   should be set appropriately permissions
CCE-5683-8   DEPRECATED.
             /var/adm/loginlog file
             permissions should be set
CCE-5933-7   appropriately               permissions
             /var/adm/messages file
             permissions should be set
CCE-6149-9   appropriately               permissions
             /var/adm/sulog file
             permissions should be set
CCE-6039-2   appropriately                 permissions
             /var/adm/utmp file
             permissions should be set
CCE-5655-6   appropriately                 permissions
             /var/adm/wtmp file
             permissions should be set
CCE-5854-5   appropriately                 permissions
             /var/adm/authlog file
             permissions should be set
CCE-6349-5   appropriately                 permissions
             /var/adm/syslog file
             permissions should be set
CCE-6067-3   appropriately                 permissions

             /var/mail file permissions
CCE-5388-4   should be set appropriately permissions

             /var/tmp file permissions
CCE-5691-1   should be set appropriately   permissions
             /usr/lib/pt_chmod file
             permissions should be set
CCE-5502-0   appropriately                 permissions
             /usr/lib/embedded_us file
             permissions should be set
CCE-5682-0   appropriately                 permissions
             /usr/lib/sendmail file
             permissions should be set
CCE-6259-6   appropriately                 permissions
             /usr/kerberos/bin/rsh file
             permissions should be set
CCE-6210-9   appropriately                 permissions
             /var/spool/mail file
             permissions should be set
CCE-5871-9   appropriately                 permissions
             smbpassword file
             permissions should be set
CCE-5840-4   appropriately                 permissions
             System files should be
             owned by an appropriate
CCE-6353-7   user                          list of users
             System files should be
             owned by an appropriate
CCE-5393-4   group                         list of groups
             Default/skeleton dot files
             should be owned by an
CCE-5399-1   appropriate user              list of users
             Default/skeleton dot files
             should be owned by an
CCE-6179-6   appropriate group             list of groups
             Global initialization files
             should be owned by an
CCE-6272-9   appropriate user                list of users
             Global initialization files
             should be owned by an
CCE-5403-1   appropriate group               list of groups
             Home directories should be
             owned by an appropriate
CCE-5746-3   user                            list of users
             Home directories should be
             owned by an appropriate
CCE-5465-0   group                           list of groups
             inetd.conf file should be
             owned by an appropriate
CCE-5729-9   user                            list of users
             inetd.conf file should be
             owned by an appropriate
CCE-5433-8   group                           list of groups
             /etc/services file should be
             owned by an appropriate
CCE-5879-2   user                            list of users
             /etc/services file should be
             owned by an appropriate
CCE-5447-8   group                           list of groups
             /etc/notrouter file should be
             owned by an appropriate
CCE-6046-7   user                            list of users
             /etc/notrouter file should be
             owned by an appropriate
CCE-5473-4   group                           list of groups
CCE-5404-9   DEPRECATED.
CCE-6254-7   DEPRECATED.
             /etc/passwd file should be
             owned by an appropriate
CCE-5425-4   user                            list of users
             /etc/passwd file should be
             owned by an appropriate
CCE-6372-7   group                           list of groups
             /etc/shadow file should be
             owned by an appropriate
CCE-6283-6   user                            list of users
             /etc/shadow file should be
             owned by an appropriate
CCE-6001-2   group                           list of groups
             Environmental variable
             PATH for superuser
             accounts should or should
             not contain world-writable
CCE-5451-0   files as appropriate            should/should not
             Environmental variable
             PATH for superuser
             accounts should not
             contain the current
             directory as the first or last
CCE-5467-6   entry                          should/should not

             The current directory
             should or should not be
             added to the environmental
             variable PATH by global
             initialization files as
CCE-6455-0   appropriate                      should/should not
             The current directory
             should or should not be
             added to the environmental
             variable PATH by local
             initialization files as
CCE-5486-6   appropriate                      should/should not
CCE-6337-0   DEPRECATED.
             The system umask should
CCE-6289-3   be set appropriately             umask
             The user umask should be
CCE-6451-9   set appropriately                umask
CCE-6042-6   DEPRECATED.
             /etc/rc.config.d/auditing file
             should be owned by an
CCE-5556-6   appropriate user                 list of users
CCE-5887-5   DEPRECATED.
             /etc/init.d file should be
             owned by an appropriate
CCE-5962-6   user                             list of users
             /etc/hosts.lpd file should be
             owned by an appropriate
CCE-6365-1   user                             list of users
CCE-6211-7   DEPRECATED.
             /etc/rc.config.d/auditing file
             should be owned by an
CCE-5491-6   appropriate group                list of groups
CCE-6313-1   DEPRECATED.
             /etc/init.d file should be
             owned by an appropriate
CCE-6159-8   group                            list of groups
             /etc/hosts.lpd file should be
             owned by an appropriate
CCE-6065-7   group                            list of groups
CCE-6251-3   DEPRECATED.
             /etc/rc.config.d/auditing file
             permissions should be set
CCE-6290-1   appropriately                    permissions
             DEPRECATED in favor of
             CCE-8638-9, CCE-8647-0,
CCE-6360-2   and CCE-8187-7.
             /etc/auto.master file should
             be owned by an
CCE-8638-9   appropriate user             list of users
             /etc/auto.misc file should
             be owned by an
CCE-8647-0   appropriate user             list of users
             /etc/auto.net file should be
             owned by an appropriate
CCE-8187-7   user                         list of users

             /etc/init.d file permissions
CCE-5504-6   should be set appropriately permissions
             /etc/hosts.lpd file
             permissions should be set
CCE-5517-8   appropriately                permissions
CCE-6076-4   DEPRECATED.

             Auditing should be enabled
             or disabled for user
CCE-6292-7   accounts as appropriate       enabled/disabled
             Auditing should be enabled
             or disabled at boot time as
CCE-6203-4   appropriate                   enabled/disabled
             System logons should be
             audited or not as
CCE-5794-3   appropriate                   audited/not audited
             System logoffs should be
             audited or not as
CCE-6168-9   appropriate                   audited/not audited
             Password changes should
             be audited or not as
CCE-6014-5   appropriate                   audited/not audited

             su usage should be audited
CCE-5983-2   or not as appropriate          audited/not audited
             Creation/modification of
             superuser groups should
             be audited or not as
CCE-5859-4   appropriate                    audited/not audited
             Clearing of the audit log file
             should be audited or not as
CCE-6326-3   appropriate                    audited/not audited

             Startup/shutdown of audit
             functions should be audited
CCE-5894-1   or not as appropriate       audited/not audited
             Use of
             identification/authorization
             mechanisms should be
             audited or not as
CCE-6110-1   appropriate                    audited/not audited
             Remote access from
             outside the corporate
             network should be audited
CCE-6423-8   or not as appropriate          audited/not audited
             Change of
             permissions/privileges
             should be audited or not as
CCE-6454-3   appropriate                    audited/not audited
             Global initialization files
             should allow or deny write
             access to the terminal as
CCE-6282-8   appropriate                    allow/deny
             PRI audit file should be
CCE-6317-2   specified appropriately        file and path
             SEC audit file should be
CCE-5660-6   specified appropriately        file and path

             FileSpaceSwitch should be percentage of free
CCE-6348-7   set to an appropriate value space

             Wakeup switchpoint
             frequency should be set to
CCE-5774-5   an appropriate time interval number of minutes
             Warning messages
             switchpoint distance should
             be set to an appropriate     switchpoint distance
CCE-5731-5   value                        integer

             Hard core dump size limits Size (0 to disable
CCE-6444-4   should be set appropriately core dumps)
             Root logins should be
             allowed or not as
             appropriate from SSH
CCE-5940-2   consoles                    allowed/not allowed
                                         Internal Revenue Service Basic
                                         UNIX Security Requirements (IRS
              CCE Technical Mechanisms   BUSR)
                                         http://www.irs.gov/irm/part10/ch03
                                         s08.html




via fstab                                10.8.10.4.2.1 (5)


via fstab                                10.8.10.4.2.1 (5)


via fstab                                10.8.10.4.2.1 (5)




via /etc/passwd                          10.8.10.4.2.1 (6)

via /etc/security/limits
via ulimit                               10.8.10.4.4 (3)


via /etc/snmp.conf                       10.8.10.5.1 (1) c)


via /etc/snmp.conf                       10.8.10.5.1 (1) c)




                                         10.8.10.5.1 a)




via /etc/security/user                   10.8.10.5.1 (2) a)




via /etc/security/user                   10.8.10.5.1 (2) a)




via /etc/security/user                   10.8.10.5.1 (2) a)
via /etc/security/user        10.8.10.5.1 (2) b)


via /etc/security/user        10.8.10.5.1 (2) c)




via /etc/security/user        10.8.10.5.1 (2) d)




via /etc/security/user        10.8.10.5.1 (2) e)


via passwd
via /etc/shadow               10.8.10.5.1 (2) f)




via /etc/security/passwd      10.8.10.5.1 (2) g)




                              10.8.10.5.1 (3)


                              10.8.10.5.1 (5)




via chown                     10.8.10.5.2 (3)

via chgrp
via chown                     10.8.10.5.2 (3)

via /etc/security/login.cfg
via /etc/motd                 10.8.10.5.2 (5) a)


via sshd.conf                 10.8.10.5.2 (5) b)


via telnetd                   10.8.10.5.2 (5) c)


                              10.8.10.5.2 (5) d)
via Xwindows       10.8.10.5.2 (5) e)


via passwd
via /etc/passwd    10.8.10.5.2.1 (2) a)




via passwd
via /etc/passwd    10.8.10.5.2.1 (2) b)


via /etc/passwd    10.8.10.5.2.4 (3)

via /etc/passwd    10.8.10.5.2.4 (9)




via /etc/passwd    10.8.10.5.2.4.1 (1)


via Xscreensaver
via dtsession      10.8.10.5.2.5 (1)


via chmod          10.8.10.5.2.6 (1)


via inittab        10.8.10.5.2.6 (3)


                   10.8.10.5.2.6 (4)


via filesystem     10.8.10.5.2.6 (6)


via filesystem     10.8.10.5.2.6 (6)


via filesystem     10.8.10.5.2.6 (6)


via filesystem     10.8.10.5.2.6 (6)

via /etc/shells    10.8.10.5.2.6 (11)
via /etc/shells               10.8.10.5.2.6 (12)




via Text editor               10.8.10.5.2.6 (7)




via Text editor               10.8.10.5.2.6 (7)




via Text editor               10.8.10.5.2.6 (7)




via /etc/group                10.8.10.5.2.6 (15)


via /etc/passwd               10.8.10.5.2.6 (16)
via /etc/passwd
via /usr/sbin/useradd
via /etc/default/useradd      10.8.10.5.2.6 (17)




via filesystem                10.8.10.5.2.6 (18)


via filesystem                10.8.10.5.2.6 (24)


via RC scripts                10.8.10.5.3 (3)




via ntpd.conf

via /etc/default/route.conf
via /etc/gated.conf           10.8.10.5.4.1 (4)
via RC scripts   10.8.10.5.4.1 (5)

via inetd
via inetd.conf   10.8.10.5.4.1 (11) #1

via inetd
via inetd.conf   10.8.10.5.4.1 (11) #2

via inetd
via inetd.conf   10.8.10.5.4.1 (11) #3

via inetd
via inetd.conf   10.8.10.5.4.1 (11) #4

via inetd
via inetd.conf   10.8.10.5.4.1 (11) #5

via inetd
via inetd.conf   10.8.10.5.4.1 (11) #6

via inetd
via inetd.conf   10.8.10.5.4.1 (11) #7

via inetd
via inetd.conf   10.8.10.5.4.1 (11) #8

via inetd
via inetd.conf   10.8.10.5.4.1 (11) #9

via inetd
via inetd.conf   10.8.10.5.4.1 (11) #10

via inetd
via inetd.conf   10.8.10.5.4.1 (11) #11

via inetd
via inetd.conf   10.8.10.5.4.1 (11) #12

via inetd
via inetd.conf   10.8.10.5.4.1 (11) #13

via inetd
via inetd.conf   10.8.10.5.4.1 (11) #14


via inetd
via inetd.conf   10.8.10.5.4.1 (11) #16
via inetd
via inetd.conf   10.8.10.5.4.1 (11) #17

via inetd
via inetd.conf   10.8.10.5.4.1 (11) #18

via inetd
via inetd.conf   10.8.10.5.4.1 (11) #20

via inetd
via inetd.conf   10.8.10.5.4.1 (11) #21

via inetd
via inetd.conf   10.8.10.5.4.1 (11) #22

via inetd
via inetd.conf   10.8.10.5.4.1 (11) #23

via inetd
via inetd.conf   10.8.10.5.4.1 (11) #24

via inetd
via inetd.conf   10.8.10.5.4.1 (11) #26

via inetd
via inetd.conf   10.8.10.5.4.1 (11) #27

via inetd
via inetd.conf   10.8.10.5.4.1 (11) #28

via inetd
via inetd.conf   10.8.10.5.4.1 (11) #29

via inetd
via inetd.conf   10.8.10.5.4.1 (11) #30

via inetd
via inetd.conf   10.8.10.5.4.1 (11) #31

via inetd
via inetd.conf   10.8.10.5.4.1 (11) #32


via inetd
via inetd.conf   10.8.10.5.4.1 (11) #34

via inetd
via inetd.conf   10.8.10.5.4.1.1 (2)
via /etc/named.conf         10.8.10.5.4.1.1 (5)


via RC scripts              10.8.10.5.4.1.5 (1)


via RC scripts              10.8.10.5.4.1.5 (1)


via RC scripts              10.8.10.5.4.1.5 (1)


via RC scripts              10.8.10.5.4.1.5 (1)

via NFSvia
via /etc/exports            10.8.10.5.4.1.5 (1) f)




via /etc/exports            10.8.10.5.4.1.5 (1) g)




via /etc/fstab              10.8.10.5.4.1.5 (1) i)




via /etc/fstab              10.8.10.5.4.1.5 (1) i)

via inetd
via RC scripts              10.8.10.5.4.2.2 (1)


via /etc/mail/sendmail.cf   10.8.10.5.4.2.2 (3)

via /etc/aliases
via /usr/lib/aliases        10.8.10.5.4.2.2 (4) c)


via rm                      10.8.10.5.4.2.2 (4) e)




via chown                   10.8.10.5.4.2.2 (4) f)
via chown                   10.8.10.5.4.2.2 (4) f)


via /etc/mail/sendmail.cf   10.8.10.5.4.2.2 (4) g)


via /etc/mail/sendmail.cf   10.8.10.5.4.2.2 (4) h)


via /etc/mail/sendmail.cf   10.8.10.5.4.2.2 (4) i)

via sendmail
via /etc/mail/sendmail.cf   10.8.10.5.4.2.2 (4) k)


via NIS+                    10.8.10.5.4.2.3 (1) b)


via Xwindows                10.8.10.5.4.2.4 (1)




via /etc/X*.hosts           10.8.10.5.4.2.4 (2) b)

via xdm
via gdm
via kdm                     10.8.10.5.4.2.4 (2) d)


via sshd_config             10.8.10.5.4.2.4 (2) f)
via smbd
via RC scripts              10.8.10.5.4.2.6 (1)


via smbd
via smb.conf                10.8.10.5.4.2.6 (3) a)

via smbd
via smb.conf                10.8.10.5.4.2.6 (3) b)

via smbd
via smb.conf                10.8.10.5.4.2.6 (3) c)


via smbd
via smb.conf                10.8.10.5.4.2.6 (3) d)
via ifconfig   10.8.10.5.4.3 (1)


via chmod      10.8.10-1 A.1 1) #9


via chmod      10.8.10-1 A.1 1) #10


via chmod      10.8.10-1 A.1 1) #11


via chmod      10.8.10-1 A.1 1) #13


via chmod      10.8.10-1 A.1 1) #14


via chmod      10.8.10-1 A.1 1) #25


via chmod      10.8.10-1 A.1 1) #26


via chmod      10.8.10-1 A.1 1) #27




via chmod      10.8.10-1 A.1 1) #29


via chmod      10.8.10-1 A.1 1) #31


via chmod      10.8.10-1 A.1 1) #32


via chmod      10.8.10-1 A.1 1) #34




via chmod      10.8.10-1 A.1 1) #35




via chmod      10.8.10-1 A.1 1) #36
via chmod        10.8.10-1 A.1 1) #37


via chmod        10.8.10-1 A.1 1) #38


via chmod        10.8.10-1 A.1 1) #39

via filesystem   10.8.10-1 A.1 1) #40


via chmod        10.8.10-1 A.1 1) #41


via chmod        10.8.10-1 A.1 1) #42


via chmod        10.8.10-1 A.1 1) #43


via chmod        10.8.10-1 A.1 1) #44


via chmod        10.8.10-1 A.1 1) #45

via filesystem   10.8.10-1 A.1 1) #46


via chmod        10.8.10-1 A.1 1) #47


via chmod        10.8.10-1 A.1 1) #48


via chmod        10.8.10-1 A.1 1) #49


via chmod        10.8.10-1 A.1 1) #50


via chmod        10.8.10-1 A.1 1) #51

via filesystem   10.8.10-1 A.1 1) #52


via chmod        10.8.10-1 A.1 1) #53
via chmod        10.8.10-1 A.1 1) #56


via chmod        10.8.10-1 A.1 1) #57


via chmod        10.8.10-1 A.1 1) #58


via chmod        10.8.10-1 A.1 1) #60


via chmod        10.8.10-1 A.1 1) #61


via chmod        10.8.10-1 A.1 1) #62


via chmod        10.8.10-1 A.1 1) #63


via chmod        10.8.10-1 A.1 1) #64


via chmod        10.8.10-1 A.1 1) #65


via chmod        10.8.10-1 A.1 1) #66


via filesystem   10.8.10-1 A.1 1) #69


via chmod        10.8.10-1 A.1 1) #70


via chmod        10.8.10-1 A.1 1) #71


via chmod        10.8.10-1 A.1 1) #72


via chmod        10.8.10-1 A.1 1) #73


via chmod        10.8.10-1 A.1 1) #75


via chmod        10.8.10-1 A.1 1) #76
via chmod        10.8.10-1 A.1 1) #77


via chmod        10.8.10-1 A.1 1) #78


via chmod        10.8.10-1 A.1 1) #79


via chmod        10.8.10-1 A.1 1) #80


via chmod        10.8.10-1 A.1 1) #81


via chmod        10.8.10-1 A.1 1) #82


via chmod        10.8.10-1 A.1 1) #83

via filesystem   10.8.10-1 A.1 1) #84


via chmod        10.8.10-1 A.1 1) #85


via chmod        10.8.10-1 A.1 1) #86


via chmod        10.8.10-1 A.1 1) #87


via chmod        10.8.10-1 A.1 1) #88


via chmod        10.8.10-1 A.1 1) #89




via chmod        10.8.10-1 A.1 1) #91




via chmod        10.8.10-1 A.1 1) #93


via chmod        10.8.10-1 A.1 1) #94
via chmod   10.8.10-1 A.1 1) #95


via chmod   10.8.10-1 A.1 1) #96


via chmod   10.8.10-1 A.1 1) #97


via chmod   10.8.10-1 A.1 1) #98


via chmod   10.8.10-1 A.1 1) #99


via chmod   10.8.10-1 A.1 1) #100


via chmod   10.8.10-1 A.1 1) #101


via chmod   10.8.10-1 A.1 1) #103


via chmod   10.8.10-1 A.1 1) #104


via chmod   10.8.10-1 A.1 1) #105


via chmod   10.8.10-1 A.1 1) #107


via chmod   10.8.10-1 A.1 1) #108


via chmod   10.8.10-1 A.1 1) #109


via chown   10.8.10-1 A.1 2) #8

via chgrp
via chown   10.8.10-1 A.1 2) #8


via chown   10.8.10-1 A.1 2) #9

via chgrp
via chown   10.8.10-1 A.1 2) #9
via chown     10.8.10-1 A.1 2) #10

via chgrp
via chown     10.8.10-1 A.1 2) #10


via chown     10.8.10-1 A.1 2) #11

via chgrp
via chown     10.8.10-1 A.1 2) #11


via chown     10.8.10-1 A.1 2) #12

via chgrp
via chown     10.8.10-1 A.1 2) #12


via chown     10.8.10-1 A.1 2) #16

via chgrp
via chown     10.8.10-1 A.1 2) #16


via chown     10.8.10-1 A.1 2) #18

via chgrp
via chown     10.8.10-1 A.1 2) #18




via chown     10.8.10-1 A.1 2) #35

via chgrp
via chown     10.8.10-1 A.1 2) #35


via chown     10.8.10-1 A.1 2) #36

via chgrp
via chown     10.8.10-1 A.1 2) #36




via chmod
via profile   10.8.10-1 A.2 1) #1
via local init files    10.8.10-1 A.2 1) #2




via local init files    10.8.10-1 A.2 1) #3




via local init files    10.8.10-1 A.2 1) #4


via global init files   10.8.10-1 A.2 1) #8

via local init files    10.8.10-1 A.2 1) #8




via chown               10.8.10-4 D.1 1) #2




via chown               10.8.10-4 D.1 1) #5


via chown               10.8.10-4 D.1 1) #6


via chgrp
via chown               10.8.10-4 D.1 1) #2


via chgrp
via chown               10.8.10-4 D.1 1) #5

via chgrp
via chown               10.8.10-4 D.1 1) #6




via chmod               10.8.10-4 D.1 1) #2
via chown                       10.8.10-3 C.1 1) #9


via chown                       10.8.10-3 C.1 1) #9


via chown                       10.8.10-3 C.1 1) #9


via chmod                       10.8.10-4 D.1 1) #5


via chmod                       10.8.10-4 D.1 1) #6




via /tcb/files/auth/*           10.8.10-4 D.3 1)


via /etc/rc.config.d/auditing   10.8.10-4 D.3 2)


via /etc/rc.config.d/auditing   10.8.10-4 D.3 3) #1


via /etc/rc.config.d/auditing   10.8.10-4 D.3 3) #2


via /etc/rc.config.d/auditing   10.8.10-4 D.3 3) #3


via /etc/rc.config.d/auditing   10.8.10-4 D.3 3) #4




via /etc/rc.config.d/auditing   10.8.10-4 D.3 3) #5


via /etc/rc.config.d/auditing   10.8.10-4 D.3 3) #8




via /etc/rc.config.d/auditing   10.8.10-4 D.3 3) #9
via /etc/rc.config.d/auditing   10.8.10-4 D.3 3) #10




via /etc/rc.config.d/auditing   10.8.10-4 D.3 3) #11




via /etc/rc.config.d/auditing   10.8.10-4 D.3 3) #13




via global init files           10.8.10-4 D.4 1) #1

via /etc/rc.config.d/auditing   10.8.10-4 D.3 2)

via /etc/rc.config.d/auditing   10.8.10-4 D.3 2)


via /etc/rc.config.d/auditing   10.8.10-4 D.3 2)




via /etc/rc.config.d/auditing   10.8.10-4 D.3 2)




via /etc/rc.config.d/auditing   10.8.10-4 D.3 2)

via /etc/security/limits
via ulimit                      10.8.10.4.4 (3)




                                10.8.10.5.2.6 (4)
                                              CCE
  CCE ID        CCE Description
                                           Parameters




             The "Security Zones: Use
             Only Machine Settings"
             setting should be
CCE-4017-0   configured correctly.       (1) enabled/disabled




             Internet Explorer
             Processes (Restrict
CCE-3924-8   ActiveX Install)            (1) enabled/disabled



             The "Security Zones: Do
             Not Allow Users to
             Add/Delete Sites" setting
             should be configured
CCE-3929-7   correctly.                  (1) enabled/disabled



             The "Disable Periodic
             Check For Internet
             Explorer Software
             Updates" setting should be
CCE-3576-6   configured correctly.      (1) enabled/disabled
             Internet Explorer
             Processes (Zone Elevation
CCE-4043-6   Protection)               enabled/disabled




             The "Internet Explorer
             Processes (Consistent
             MIME Handling)" setting
             should be configured
CCE-4047-7   correctly.                  enabled/disabled


             The "Allow Software to Run
             or Install Even if the
             Signature is Invalid" setting
             should be configured
CCE-3941-2   correctly.                    enabled/disabled
             The "Internet Explorer
             Processes (MK Protocol)"
             setting should be
CCE-3338-1   configured correctly.        (1) enabled/disabled




             The "Disable Software
             Update Shell Notifications
             on Program Launch"
             setting should be
CCE-4118-6   configured correctly.        (1) enabled/disabled
             The "Internet Explorer
             Processes (Restrict File
             Download)" setting should
CCE-4122-8   be configured correctly.       enabled/disabled


             The "Disable Automatic
             Install of Internet Explorer
             Components" setting
             should be configured
CCE-3518-8   correctly.                     (1) enabled/disabled




             The "Make Proxy Settings
             Per-Machine (Rather Then
             Per-User)" setting should  (1) number of proxy
CCE-3201-1   be configured correctly.  settings

             The "Do Not Allow Users to
             enable or Disable Add-
             Ons" setting should be
CCE-3744-0   configured correctly.      enabled/disabled



             The "Turn Off Crash
             Detection" setting should
CCE-3894-3   be configured correctly.       enabled/disabled
             The "Internet Explorer
             Processes (Scripted
             Window Security
             Restrictions)" setting
             should be configured
CCE-4162-4   correctly.                 enabled/disabled




             The "Security Zones: Do
             Not Allow Users to Change
             Policies" setting should be
CCE-3933-9   configured correctly.       (1) enabled/disabled




             The "Internet Explorer
             Processes (MIME Sniffing)"
             setting should be
CCE-4149-1   configured correctly.      enabled/disabled

             The "Check for Signature
             on Downloaded Programs"
             setting should be
CCE-4026-1   configured correctly.    enabled/disabled
             The "Do Not Allow
             Resetting Internet Explorer
             Settings" setting should be
CCE-4171-5   configured correctly.         enabled/disabled
             The "Allow cut, copy, or
             paste operations from the
             clipboard via script" setting
             should be configured
             correctly for the Internet
CCE-4109-5   Zone.                         enabled/disabled


             The "Turn Off First- Run
             Opt-In" setting should be
             configured correctly for the
CCE-3378-7   Internet Zone.               enabled/disabled


             The "Web Browser
             Applications" setting should
             be configured correctly for
CCE-4131-9   the Internet Zone.           enabled/disabled

             The "Allow cut, copy, or
             paste operations from the
             clipboard via script" setting
             should be configured
             correctly for the Restricted
CCE-4013-9   Sites Zone.                   enabled/disabled


             The "Turn Off First- Run
             Opt-In" setting should be
             configured correctly for the
CCE-4153-3   Restricted Sites Zone.       enabled/disabled


             The "Web Browser
             Applications" setting should
             be configured correctly for
CCE-4052-7   the Restricted Sites Zone. enabled/disabled


             The "Intranet Sites: Include
             all network paths (UNCs)"
             setting should be
CCE-4175-6   configured correctly.        enabled/disabled
             The "Disable the Advanced
             Page" setting should be
CCE-3695-4   configured correctly.     enabled/disabled


             The "Disable the Privacy
             Page" setting should be
CCE-3777-0   configured correctly.       enabled/disabled


             The "Disable the Security
             Page" setting should be
CCE-3433-0   configured correctly.       enabled/disabled

             The "Prevent Ignoing
             Certificate Errors" setting
             should be configured
CCE-4199-6   correctly.                  enabled/disabled
             The "Turn Off changing the
             URL to be displayed for
             checking updates to
             Internet Explorer and
             Internet Tools" setting
             should be configured
CCE-3204-5   correctly.                  enabled/disabled



             The "Turn Off Configuring
             the Update Check Interval
             (In Days)" setting should be
CCE-4098-0   configured correctly.        enabled/disabled



             The "Add-on List" setting
             should be configured
CCE-3741-6   correctly.                  enabled/disabled

             The "Deny all add-ons
             unless specifically allowed
             in the Add-on List" setting
             should be configured
CCE-3997-4   correctly.                  enabled/disabled
             The "Disable "Configuring
             History"" setting should be
CCE-4001-4   configured correctly.       enabled/disabled

             The "Disable Changing
             Automatic Configuration
             Settings" setting should be
CCE-4147-5   configured correctly.       enabled/disabled



             The "Disable Changing
             Connection Settings"
             setting should be
CCE-4059-2   configured correctly.      enabled/disabled

             The "Disable Changing
             Proxy Settings" setting
             should be configured
CCE-3935-4   correctly.                 enabled/disabled

             The "Disable Showing the
             Splash Screen" setting
             should be configured
CCE-3706-9   correctly.                 enabled/disabled

             The "Prevent "Fix settings"
             Functionality" setting
             should be configured
CCE-3975-0   correctly.                  enabled/disabled
             The "Prevent participation
             in the Customer
             Experience Improvement
             Programs" setting should
CCE-3993-3   be configured correctly.    enabled/disabled

             The "Prevent performance
             of First Run Customize
             settings" setting should be
CCE-3207-8   configured correctly.       enabled/disabled

             The "Prevent the deletation
             of temporary internet files
             and cookies" setting should
CCE-4073-3   be configured correctly.    enabled/disabled
             The "Turn off "Delete
             Browsing History"
             functionality" setting should
CCE-3615-2   be configured correctly.      enabled/disabled

             The "Turn off Managing
             Phishing Filter" setting
             should be configured
CCE-3866-1   correctly.                   enabled/disabled

             The "Turn off the Security
             Settings Check feature"
             setting should be
CCE-3875-2   configured correctly.        enabled/disabled

             The "Allow Active Content
             from CD's to Run on User
             Machine" setting should be
CCE-4174-9   configured correctly.      enabled/disabled

             The "Enable third-party
             browser extensions" setting
             should be configured
CCE-4192-1   correctly.                  enabled/disabled

             The "Automatically Check
             for Internet Explorer
             Updates" setting should be
CCE-3584-0   configured correctly.      enabled/disabled


             The "Check for Server
             Certificate Revocation"
             setting should be
CCE-3976-8   configured correctly.        enabled/disabled

             The "Access data sources
             across domains" setting
             should be configured
             correctly for the Internet enabled/disabled/pro
CCE-3853-9   Zone.                      mpt

             The "Drag and drop or
             copy and paste files"
             setting should be
             configured correctly for the enabled/disabled/pro
CCE-3998-2   Internet Zone.               mpt
             The "Font download"
             setting should be
             configured correctly for the enabled/disabled/pro
CCE-3888-5   Internet Zone.               mpt


             The "Installation of desktop
             items" setting should be
             configured correctly for the enabled/disabled/pro
CCE-3906-5   Internet Zone.                mpt
             The "Allow script-initiated
             windows without size or
             position constraints" setting
             should be configured
             correctly for the Internet
CCE-4099-8   Zone.                         enabled/disabled


             The "Allow Scriptlets"
             setting should be
             configured correctly for the enabled/disabled/pro
CCE-3601-2   Internet Zone.               mpt

             The "Allow status bar
             updates via script" setting
             should be configured
             correctly for the Internet
CCE-3249-0   Zone.                         enabled/disabled

             The "Automatic prompting
             for file downloads" setting
             should be configured
             correctly for the Internet
CCE-4139-2   Zone.                         enabled/disabled

             The "Download signed
             ActiveX controls" setting
             should be configured
             correctly for the Internet    enabled/disabled/pro
CCE-3927-1   Zone.                         mpt

             The "Download unsigned
             ActiveX controls" setting
             should be configured
             correctly for the Internet    enabled/disabled/pro
CCE-3945-3   Zone.                         mpt
             The "Initialize and script
             ActiveX controls not
             marked as safe for
             scripting" setting should be
             configured correctly for the enabled/disabled/pro
CCE-4068-3   Internet Zone.               mpt



             The "Java permissions"
             setting should be            Custom/Disable
             configured correctly for the Java/High safety/Low
CCE-3963-6   Internet Zone.               safety/Medium safety

             The "Launching programs
             and files in an IFRAME"
             setting should be
             configured correctly for the enabled/disabled/pro
CCE-4104-6   Internet Zone.               mpt

                                         Anonymous
                                         logon/Automatic
                                         logon only in Intranet
                                         zone/Automatic
                                         logon with current
                                         user name and
             The "Logon" setting should password/Prompt for
             be configured correctly for user name and
CCE-3623-6   the Internet Zone.          password


             The "Loose XAML" setting
             should be configured
             correctly for the Internet enabled/disabled/pro
CCE-3751-5   Zone.                      mpt

             The "Navigate sub-frames
             across different domains"
             setting should be
             configured correctly for the enabled/disabled/pro
CCE-4143-4   Internet Zone.               mpt

             The "Open files based on
             content, not file extension"
             setting should be
             configured correctly for the
CCE-4161-6   Internet Zone.               enabled/disabled
             The "Software channel
             permissions" setting should
             be configured correctly for High safety/low
CCE-3553-5   the Internet Zone.          safety/medium safety


             The "Use Pop-up Blocker"
             setting should be
             configured correctly for the
CCE-3619-4   Internet Zone.               enabled/disabled


             The "Userdata persistence"
             setting should be
             configured correctly for the
CCE-3914-9   Internet Zone.               enabled/disabled
             The "Web sites in less
             privileged Web content
             zones can navigate into
             this zone" setting should be
             configured correctly for the enabled/disabled/pro
CCE-3570-9   Internet Zone.               mpt


             The "XPS documents"
             setting should be
             configured correctly for the enabled/disabled/pro
CCE-3843-0   Internet Zone.               mpt


             The "Display mixed
             content" setting should be
             configured correctly for the enabled/disabled/pro
CCE-3984-2   Internet Zone.               mpt


             The "Display mixed
             content" setting should be
             configured correctly for the enabled/disabled/pro
CCE-3989-1   Intranet Zone.               mpt

             The "Display mixed
             content" setting should be
             configured correctly for the
             Locked Down Intranet         enabled/disabled/pro
CCE-4121-0   Zone.                        mpt
             The "Display mixed
             content" setting should be
             configured correctly for the enabled/disabled/pro
CCE-4138-4   Local Machine Zone.          mpt

             The "Display mixed
             content" setting should be
             configured correctly for the
             Locked Down Local            enabled/disabled/pro
CCE-4028-7   Machine Zone.                mpt

             The "Access data sources
             across domains" setting
             should be configured
             correctly for the Restricted enabled/disabled/pro
CCE-3905-7   Sites Zone.                  mpt


             The "Active scripting"
             setting should be
             configured correctly for the enabled/disabled/pro
CCE-4050-1   Restricted Sites Zone.       mpt


             The "Binary and script
             behaviors" setting should     Administrator
             be configured correctly for   approved/enabled/di
CCE-4196-2   the Restricted Sites Zone.    sabled

             The "Drag and drop or
             copy and paste files"
             setting should be
             configured correctly for the enabled/disabled/pro
CCE-3337-3   Restricted Sites Zone.       mpt


             The "File download" setting
             should be configured
             correctly for the Restricted
CCE-4150-9   Sites Zone.                  enabled/disabled


             The "Font download"
             setting should be
             configured correctly for the enabled/disabled/pro
CCE-4062-6   Restricted Sites Zone.       mpt
             The "Installation of desktop
             items" setting should be
             configured correctly for the enabled/disabled/pro
CCE-4079-0   Restricted Sites Zone.       mpt


             The "Allow META
             REFRESH" setting should
             be configured correctly for
CCE-4084-0   the Restricted Sites Zone.    enabled/disabled

             The "Allow script-initiated
             windows without size or
             position constraints" setting
             should be configured
             correctly for the Restricted
CCE-4119-4   Sites Zone.                   enabled/disabled


             The "Allow Scriptlets"
             setting should be
             configured correctly for the enabled/disabled/pro
CCE-3639-2   Restricted Sites Zone.       mpt

             The "Allow status bar
             updates via script" setting
             should be configured
             correctly for the Restricted
CCE-4031-1   Sites Zone.                  enabled/disabled

             The "Automatic prompting
             for file downloads" setting
             should be configured
             correctly for the Restricted
CCE-4053-5   Sites Zone.                  enabled/disabled

             The "Download signed
             ActiveX controls" setting
             should be configured
             correctly for the Restricted enabled/disabled/pro
CCE-4057-6   Sites Zone.                  mpt

             The "Download unsigned
             ActiveX controls" setting
             should be configured
             correctly for the Restricted enabled/disabled/pro
CCE-3564-2   Sites Zone.                  mpt
             The "Initialize and script
             ActiveX controls not
             marked as safe for
             scripting" setting should be
             configured correctly for the enabled/disabled/pro
CCE-4101-2   Restricted Sites Zone.       mpt



             The "Java permissions"
             setting should be            Custom/Disable
             configured correctly for the Java/High safety/Low
CCE-3996-6   Restricted Sites Zone.       safety/Medium safety

             The "Launching programs
             and files in an IFRAME"
             setting should be
             configured correctly for the enabled/disabled/pro
CCE-4066-7   Restricted Sites Zone.       mpt

                                         Anonymous
                                         logon/Automatic
                                         logon only in Intranet
                                         zone/Automatic
                                         logon with current
                                         user name and
             The "Logon" setting should password/Prompt for
             be configured correctly for user name and
CCE-3696-2   the Restricted Sites Zone. password


             The "Loose XAML" setting
             should be configured
             correctly for the Restricted enabled/disabled/pro
CCE-3590-7   Sites Zone.                  mpt

             The "Navigate sub-frames
             across different domains"
             setting should be
             configured correctly for the enabled/disabled/pro
CCE-4110-3   Restricted Sites Zone.       mpt

             The "Open files based on
             content, not file extension"
             setting should be
             configured correctly for the
CCE-4132-7   Restricted Sites Zone.       enabled/disabled
             The "Run components not
             signed with Authenticode"
             setting should be
             configured correctly for the enabled/disabled/pro
CCE-3400-9   Restricted Sites Zone.       mpt

             The "Run components
             signed with Authenticode"
             setting should be
             configured correctly for the enabled/disabled/pro
CCE-4158-2   Restricted Sites Zone.       mpt


             The "Run ActiveX controls
             and plugins" setting should Administrator
             be configured correctly for approved/enabled/di
CCE-4163-2   the Restricted Sites Zone. sabled/prompt

             The "Script ActiveX
             controls marked safe for
             scripting" setting should be
             configured correctly for the enabled/disabled/pro
CCE-4202-8   Restricted Sites Zone.       mpt


             The "Scripting of Java
             applets" setting should be
             configured correctly for the enabled/disabled/pro
CCE-3216-9   Restricted Sites Zone.       mpt


             The "Software channel
             permissions" setting should
             be configured correctly for High safety/low
CCE-3855-4   the Restricted Sites Zone. safety/medium safety


             The "Use Pop-up Blocker"
             setting should be
             configured correctly for the
CCE-4018-8   Restricted Sites Zone.       enabled/disabled


             The "Userdata persistence"
             setting should be
             configured correctly for the
CCE-4040-2   Restricted Sites Zone.       enabled/disabled
             The "Web sites in less
             privileged Web content
             zones can navigate into
             this zone" setting should be
             configured correctly for the enabled/disabled/pro
CCE-4215-0   Restricted Sites Zone.       mpt


             The "XPS documents"
             setting should be
             configured correctly for the enabled/disabled/pro
CCE-3991-7   Restricted Sites Zone.       mpt


             The "Display mixed
             content" setting should be
             configured correctly for the enabled/disabled/pro
CCE-3264-9   Restricted Sites Zone.       mpt


             The "Display mixed
             content" setting should be
             configured correctly for the enabled/disabled/pro
CCE-4087-3   Trusted Sites Zone.          mpt

             The "Display mixed
             content" setting should be
             configured correctly for the
             Locked Down Trusted          enabled/disabled/pro
CCE-4232-5   Sites Zone.                  mpt


             The "Enable Native
             XMLHttp Support" setting
             should be configured
CCE-4259-8   correctly.                   enabled/disabled
             The "Turn on the auto-
             complete feature for user
             names and passwords on
             form" setting should be
CCE-3647-5   configured correctly.        enabled/disabled
             The "Allow Install On
             Demand (Internet
             Explorer)" setting should be
CCE-3677-2   configured correctly.        enabled/disabled

             The "Turn off page
             transitions" setting should
CCE-4056-8   be configured correctly.      enabled/disabled
             The "Disable
             AutoComplete for forms"
             setting should be
CCE-4246-5   configured correctly.           enabled/disabled
             The "Disable Save this
             program to disk option"
             setting should be
CCE-4214-3   configured correctly.           enabled/disabled
             The "Disable changing
             certificate settings" setting
             should be configured
CCE-3606-1   correctly.                      enabled/disabled
             The "Disable external
             branding of Internet
             Explorer" setting should be
CCE-4237-4   configured correctly.           enabled/disabled
             The "Configure Outlook
             Express" setting should be
CCE-3275-5   configured correctly            enabled/disabled
             The "Turn on the Internet
             Connection Wizard Auto
             Detect" setting should be
CCE-4036-0   configured correctly.           enabled/disabled
             The "Disable Internet
             Connection wizard" setting
             should be configured
CCE-3825-7   correctly.                      enabled/disabled
             The "Disable the Reset
             Web Settings feature"
             should be configured
CCE-4226-7   correctly.                      enabled/disabled

             The "Disable Downloading
             Of Site Subscription
             Content" setting should be
CCE-4120-2   configured correctly.           enabled/disabled
             The "Disable Adding
             Schedules For Offline
             Pages" setting should be
CCE-4248-1   configured correctly.           enabled/disabled
             The "Disable Adding
             Channels" setting should
CCE-3389-4   be configured correctly.        enabled/disabled
             The "Disable Editing And
             Creating Of Schedule
             Groups" setting should be
CCE-3645-9   configured correctly.           enabled/disabled
             The "Disable All Scheduled
             Offline Pages" setting
             should be configured
CCE-3940-4   correctly.                      enabled/disabled
             The "Disable Editing
             Schedules For Offline
             Pages" setting should be
CCE-3821-6   configured correctly.      enabled/disabled

             The "Disable Channel User
             Interface Completely"
             setting should be
CCE-3742-4   configured correctly.     enabled/disabled
             The "Disable Removing
             Channels" setting should
CCE-4261-4   be configured correctly.  enabled/disabled
             The "Disable Removing
             Schedules For Offline
             Pages" setting should be
CCE-4190-5   configured correctly.     enabled/disabled

             The "Disable Offline Page
             Hit Logging" setting should
CCE-4208-5   be configured correctly.    enabled/disabled



             The "Java permissions"
             setting should be
             configured correctly for the Custom/Disable
             Locked Down Intranet         Java/High safety/Low
CCE-3754-9   Zone.                        safety/Medium safety



             The "Java permissions"
             setting should be            Custom/Disable
             configured correctly for the Java/High safety/Low
CCE-3891-9   Local Machine Zone.          safety/Medium safety



             The "Java permissions"
             setting should be
             configured correctly for the Custom/Disable
             Locked Down Local            Java/High safety/Low
CCE-4160-8   Machine Zone.                safety/Medium safety


             Computer-wide, rather than
             per-user, assignment of
             sites to zones for Internet
             Explorer should be enabled enabled, disabled, or
CCE-4763-9   or disabled as appropriate. not configured
             The "Turn on Protected
             Mode" setting should be
             configured correctly for the
CCE-4643-3   Internet Zone.               enabled/disabled



             The "Java permissions"
             setting should be              Custom/Disable
             configured correctly for the   Java/High safety/Low
CCE-4652-4   Intranet Zone.                 safety/Medium safety
             The "Download signed
             ActiveX controls" setting
             should be configured
             correctly for the Locked-      enabled/disabled/pro
CCE-4793-6   Down Internet Zone.            mpt



             The "Java permissions"
             setting should be
             configured correctly for the Custom/Disable
             Locked Down Internet         Java/High safety/Low
CCE-4692-0   Zone.                        safety/Medium safety



             The "Java permissions"
             setting should be
             configured correctly for the   Custom/Disable
             Locked Down Restricted         Java/High safety/Low
CCE-3902-4   Sites Zone.                    safety/Medium safety
             The "Allow status bar
             updates via script" setting
             should be configured
             correctly for the Locked-
CCE-4546-8   Down Trusted Sites Zone.       enabled/disabled



             The "Java permissions"
             setting should be
             configured correctly for the Custom/Disable
             Locked Down Trusted          Java/High safety/Low
CCE-4564-1   Sites Zone.                  safety/Medium safety


             The "Turn on Protected
             Mode" setting should be
             configured correctly for the
CCE-3909-9   Restricted Sites Zone.       enabled/disabled
             The "Java permissions"
             setting should be            Custom/Disable
             configured correctly for the Java/High safety/Low
CCE-4845-4   Trusted Sites Zone.          safety/Medium safety
                                                                 Old v4 CCE
             CCE Technical Mechanisms
                                                                      ID



HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windo
ws\CurrentVersion\Internet Settings\Use_HKLM_only Local
Internet Options: GPO Settings:[Computer Configuration |
User Configuration]/Network/Internet Explorer, Registry
Keys:[HKLM |
HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\I
nternet Settings\Security_HKLM_only                              CCE-5

HKLM\Software\Policies\Microsoft\Internet
Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIV
EXINSTALL!(Reserved),
HKLM\Software\Policies\Microsoft\Internet
Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIV
EXINSTALL!explorer.exe, HKLM\Software\Policies\Local
Internet Options: GPO Settings:[Computer Configuration |
User Configuration]/Network/Internet Explorer/Internet Control
Panel/Security Features/Restrict ActiveX Install, Registry
Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet
Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIV
EXINSTALL\(Reserved), [HKLM |
HKCU]\Software\Policies\Microsoft\Internet
Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIV
EXINSTALL\explorer.exe, [HKLM |
HKCU]\Software\Policies\Microsoft\Internet
Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIV
EXINSTALL\iexplore.exe                                           CCE-119

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windo
ws\CurrentVersion\Internet Settings\Security_Zones_Map_Edit
Local Internet Options: GPO Settings:[Computer Configuration
| User Configuration]/Network/Internet Explorer, Registry
Keys:[HKLM |
HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\I
nternet Settings\Security_zones_map_edit                         CCE-146


HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet
Explorer\InfoDelivery\Restrictions\NoUpdateCheck Local
Internet Options: GPO Settings:[Computer Configuration |
User Configuration]/Network/Internet Explorer, Registry
Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet
Explorer\Infodelivery\Restrictions\NoUpdateCheck                 CCE-212
HKLM\Software\Policies\Microsoft\Internet
Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION
!(Reserved), HKLM\Software\Policies\Microsoft\Internet
Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION
!explorer.exe, HKLM\Software\Policies\Microsoft\Internet,Local
Internet Options: GPO Settings:[Computer Configuration |
User Configuration]/Network/Internet Explorer/Internet Control
Panel/Security Features/Protection From Zone Elevation,
Registry Keys:[HKLM |
HKCU]\Software\Policies\Microsoft\Internet
Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION
\(Reserved), [HKLM |
HKCU]\Software\Policies\Microsoft\Internet
Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION
\explorer.exe, [HKLM |
HKCU]\Software\Policies\Microsoft\Internet
Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION
\iexplore.exe                                                    CCE-347
HKLM\Software\Policies\Microsoft\Internet
Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING!(
Reserved), HKLM\Software\Policies\Microsoft\Internet
Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING!
explorer.exe, HKLM\Software\Policies\Microsoft\Internet
E,Local Internet Options: GPO Settings:[Computer
Configuration | User Configuration]/Network/Internet
Explorer/Internet Control Panel/Security Features/Binary
Behavior Security Restriction, Registry Keys:[HKLM |
HKCU]\Software\Policies\Microsoft\Internet
Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING\(
Reserved), [HKLM |
HKCU]\Software\Policies\Microsoft\Internet
Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING\
explorer.exe, [HKLM |
HKCU]\Software\Policies\Microsoft\Internet
Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING\i
explore.exe                                                      CCE-382
HKLM\Software\Policies\Microsoft\Internet
Explorer\Download!RunInvalidSignatures,Local Internet
Options: GPO Settings:[Computer Configuration | User
Configuration]/Network/Internet Explorer/Internet Control
Panel/Advanced Page , Registry Keys:[HKLM |
HKCU]\Software\Policies\Microsoft\Internet
Explorer\Download\RunInvalidSignatures                           CCE-449
HKLM\Software\Policies\Microsoft\Internet
Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PRO
TOCOL!(Reserved),
HKLM\Software\Policies\Microsoft\Internet
Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PRO
TOCOL!explorer.exe, HKLM\Software\Policies\Microsoft,Local
Internet Options: GPO Settings:[Computer Configuration |
User Configuration]/Network/Internet Explorer/Internet Control
Panel/Security Features/MK Protocol Security Restriction,
Registry Keys:[HKLM |
HKCU]\Software\Policies\Microsoft\Internet
Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PRO
TOCOL\(Reserved), [HKLM |
HKCU]\Software\Policies\Microsoft\Internet
Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PRO
TOCOL\explorer.exe, [HKLM |
HKCU]\Software\Policies\Microsoft\Internet
Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PRO
TOCOL\iexplore.exe                                               CCE-591


HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curre
ntVersion\Policies\Explorer\NoMSAppLogo5ChannelNotify,Loc
al Internet Options: GPO Settings:[Computer Configuration |
User Configuration]/Network/Internet Explorer/Internet Control
Panel/Security Features/Restrict File Download, Registry
Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet
Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILED
OWNLOAD\(Reserved), [HKLM |
HKCU]\Software\Policies\Microsoft\Internet
Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILED
OWNLOAD\explorer.exe, [HKLM |
HKCU]\Software\Policies\Microsoft\Internet
Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILED
OWNLOAD\iexplore.exe                                             CCE-622
HKLM\Software\Policies\Microsoft\Internet
Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILED
OWNLOAD!(Reserved),
HKLM\Software\Policies\Microsoft\Internet
Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILED
OWNLOAD!explorer.exe, Local Internet Options: GPO
Settings:[Computer Configuration | User
Configuration]/Network/Internet Explorer/Internet Control
Panel/Security Features/Restrict File Download, Registry
Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet
Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILED
OWNLOAD\(Reserved), [HKLM |
HKCU]\Software\Policies\Microsoft\Internet
Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILED
OWNLOAD\explorer.exe, [HKLM |
HKCU]\Software\Policies\Microsoft\Internet
Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILED
OWNLOAD\iexplore.exe                                           CCE-668

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet
Explorer\InfoDelivery\Restrictions\NoJITSetup,Local Internet
Options: GPO Settings:[Computer Configuration | User
Configuration]/Network/Internet Explorer, Registry
Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet
Explorer\Infodelivery\Restrictions\NoJITSetup                  CCE-684

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windo
ws\CurrentVersion\Internet
Settings\ProxySettingsPerUser,Local Internet Options: GPO
Settings:[Computer Configuration | User
Configuration]/Network/Internet Explorer, Registry
Keys:[HKLM |
HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\I
nternet Settings\ProxySettingsPerUser                          CCE-693

Local Internet Options: GPO Settings:[Computer Configuration
| User Configuration]/Network/Internet Explorer, Registry
Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet
Explorer\Restrictions\NoExtensionManagement                    CCE-708
HKLM\Software\Policies\Microsoft\Internet
Explorer\Restrictions!NoCrashDetection,Local Internet
Options: GPO Settings:[Computer Configuration | User
Configuration]/Network/Internet Explorer, Registry
Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet
Explorer\Restrictions\NoCrashDetection                         CCE-753
HKLM\Software\Policies\Microsoft\Internet
Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRI
CTIONS!(Reserved),
HKLM\Software\Policies\Microsoft\Internet
Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRI
CTIONS!explorer.exe, Local Internet Options: GPO
Settings:[Computer Configuration | User
Configuration]/Network/Internet Explorer/Internet Control
Panel/Security Features/Scripted Window Security
Restrictions, Registry Keys:[HKLM |
HKCU]\Software\Policies\Microsoft\Internet
Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRI
CTIONS\(Reserved), [HKLM |
HKCU]\Software\Policies\Microsoft\Internet
Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRI
CTIONS\explorer.exe, [HKLM |
HKCU]\Software\Policies\Microsoft\Internet
Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRI
CTIONS\iexplore.exe                                            CCE-827

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windo
ws\CurrentVersion\Internet
Settings\Security_options_edit,Local Internet Options: GPO
Settings:[Computer Configuration | User
Configuration]/Network/Internet Explorer, Registry
Keys:[HKLM |
HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\I
nternet Settings\Security_options_edit                         CCE-833

HKLM\Software\Policies\Microsoft\Internet
Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING!(
Reserved), HKLM\Software\Policies\Microsoft\Internet
Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING!e
xplorer.exe, Local Internet Options: GPO Settings:[Computer
Configuration | User Configuration]/Network/Internet
Explorer/Internet Control Panel/Security Features/Mime
Sniffing Safety Feature, Registry Keys:[HKLM |
HKCU]\Software\Policies\Microsoft\Internet
Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING\(
Reserved), [HKLM |
HKCU]\Software\Policies\Microsoft\Internet
Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING\e
xplorer.exe, [HKLM |
HKCU]\Software\Policies\Microsoft\Internet
Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING\ie
xplore.exe                                                     CCE-985
Local Internet Options: GPO Settings:[Computer Configuration
| User Configuration]/Network/Internet Explorer/Internet
Control Panel/Advanced Page , Registry Keys:[HKLM |
HKCU]\Software\Policies\Microsoft\Internet
Explorer\Download\CheckExeSignatures                           CCE-1025
Local Internet Options: GPO Settings:[Computer Configuration
| User Configuration]/Network/Internet Explorer/Internet
Control Panel/Advanced Page , Registry Keys:[HKLM |
HKCU]\Software\Policies\Microsoft\Internet Explorer\Control
Panel\DisableRIED                                              CCE-42
Local Internet Options: GPO Settings:[Computer Configuration
| User Configuration]/Network/Internet Explorer/Internet
Control Panel/Security Page/Internet Zone, Registry
Keys:[HKLM |
HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\I
nternet Settings\Zones\3\1407                                  CCE-49
Local Internet Options: GPO Settings:[Computer Configuration
| User Configuration]/Network/Internet Explorer/Internet
Control Panel/Security Page/Internet Zone, Registry
Keys:[HKLM |
HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\I
nternet Settings\Zones\3\1208                                  CCE-863
Local Internet Options: GPO Settings:[Computer Configuration
| User Configuration]/Network/Internet Explorer/Internet
Control Panel/Security Page/Internet Zone, Registry
Keys:[HKLM |
HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\I
nternet Settings\Zones\3\2400                                  CCE-286

Local Internet Options: GPO Settings:[Computer Configuration
| User Configuration]/Network/Internet Explorer/Internet
Control Panel/Security Page/Restricted Sites Zone, Registry
Keys:[HKLM |
HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\I
nternet Settings\Zones\4\1407                                  CCE-1031
Local Internet Options: GPO Settings:[Computer Configuration
| User Configuration]/Network/Internet Explorer/Internet
Control Panel/Security Page/Restricted Sites Zone, Registry
Keys:[HKLM |
HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\I
nternet Settings\Zones\4\1208                                  CCE-200
Local Internet Options: GPO Settings:[Computer Configuration
| User Configuration]/Network/Internet Explorer/Internet
Control Panel/Security Page/Restricted Sites Zone, Registry
Keys:[HKLM |
HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\I
nternet Settings\Zones\4\2400                                  CCE-51

Local Internet Options: GPO Settings:[Computer Configuration
| User Configuration]/Network/Internet Explorer/Internet
Control Panel/Security Page, Registry Keys:[HKLM |
HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\I
nternet Settings\ZoneMap\UNCAsIntranet                         CCE-876
Local Internet Options: GPO Settings:[Computer Configuration
| User Configuration]/Network/Internet Explorer/Internet
Control Panel, Registry Keys:[HKLM |
HKCU]\Software\Policies\Microsoft\Internet Explorer\Control
Panel\AdvancedTab                                              CCE-810
Local Internet Options: GPO Settings:[Computer Configuration
| User Configuration]/Network/Internet Explorer/Internet
Control Panel, Registry Keys:[HKLM |
HKCU]\Software\Policies\Microsoft\Internet Explorer\Control
Panel\PrivacyTab                                               CCE-811
Local Internet Options: GPO Settings:[Computer Configuration
| User Configuration]/Network/Internet Explorer/Internet
Control Panel, Registry Keys:[HKLM |
HKCU]\Software\Policies\Microsoft\Internet Explorer\Control
Panel\SecurityTab                                              CCE-595
Local Internet Options: GPO Settings:[Computer Configuration
| User Configuration]/Network/Internet Explorer/Internet
Control Panel, Registry Keys:[HKLM |
HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\I
nternet Settings\PreventIgnoreCertErrors                       CCE-938
Local Internet Options: GPO Settings:[Computer Configuration
| User Configuration]/Network/Internet Explorer/Internet
Control Panel/Internet Settings/Component Updates/Periodic
Check for Updates to Internet Explorer and Internet Tools,
Registry Keys:[HKLM |
HKCU]\Software\Policies\Microsoft\Internet
Explorer\Main\Update_Check_Page                                CCE-946
Local Internet Options: GPO Settings:[Computer Configuration
| User Configuration]/Network/Internet Explorer/Internet
Control Panel/Internet Settings/Component Updates/Periodic
Check for Updates to Internet Explorer and Internet Tools,
Registry Keys:[HKLM |
HKCU]\Software\Policies\Microsoft\Internet
Explorer\Main\Update_Check_Interval                            CCE-237
Local Internet Options: GPO Settings:[Computer Configuration
| User Configuration]/Network/Internet Explorer/Internet
Control Panel/Security Features/Add-on Management,
Registry Keys:[HKLM |
HKCU]\Software\Microsoft\Windows\CurrentVersion\Policies\E
xt\ListBox_Support_CLSID                                       CCE-541
Local Internet Options: GPO Settings:[Computer Configuration
| User Configuration]/Network/Internet Explorer/Internet
Control Panel/Security Features/Add-on Management,
Registry Keys:[HKLM |
HKCU]\Software\Microsoft\Windows\CurrentVersion\Policies\E
xt\RestrictToList                                              CCE-911
Local Internet Options: GPO Settings:[Computer Configuration
| User Configuration]/Network/Internet Explorer, Registry
Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet
Explorer\Control Panel\History, [HKLM |
HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\I
nternet Settings\Url History\DaysToKeep                        CCE-66

Local Internet Options: GPO Settings:[Computer Configuration
| User Configuration]/Network/Internet Explorer, Registry
Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet
Explorer\Control Panel\Autoconfig                              CCE-471

Local Internet Options: GPO Settings:[Computer Configuration
| User Configuration]/Network/Internet Explorer, Registry
Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet
Explorer\Control Panel\Connection Settings, [HKLM |
HKCU]\Software\Policies\Microsoft\Internet Explorer\Control
Panel\Connwiz Admin Lock                                       CCE-611

Local Internet Options: GPO Settings:[Computer Configuration
| User Configuration]/Network/Internet Explorer, Registry
Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet
Explorer\Control Panel\Proxy                                   CCE-62

Local Internet Options: GPO Settings:[Computer Configuration
| User Configuration]/Network/Internet Explorer, Registry
Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet
Explorer\Infodelivery\Restrictions\NoSplash                    CCE-556

Local Internet Options: GPO Settings:[Computer Configuration
| User Configuration]/Network/Internet Explorer, Registry
Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet
Explorer\Security\DisableFixSecuritySettings                   CCE-948

Local Internet Options: GPO Settings:[Computer Configuration
| User Configuration]/Network/Internet Explorer, Registry
Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet
Explorer\SQM\DisableCustomerImprovementProgram                 CCE-495

Local Internet Options: GPO Settings:[Computer Configuration
| User Configuration]/Network/Internet Explorer, Registry
Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet
Explorer\Main\DisableFirstRunCustomize                         CCE-1006

Local Internet Options: GPO Settings:[Computer Configuration
| User Configuration]/Network/Internet Explorer, Registry
Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet
Explorer\Control Panel\Settings                                CCE-909
Local Internet Options: GPO Settings:[Computer Configuration
| User Configuration]/Network/Internet Explorer, Registry
Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet
Explorer\Control Panel\DisableDeleteBrowsingHistory            CCE-1010

Local Internet Options: GPO Settings:[Computer Configuration
| User Configuration]/Network/Internet Explorer, Registry
Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet
Explorer\PhishingFilter\Enabled                                CCE-1032

Local Internet Options: GPO Settings:[Computer Configuration
| User Configuration]/Network/Internet Explorer, Registry
Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet
Explorer\Security\DisableSecuritySettingsCheck                 CCE-1054
Local Internet Options: GPO Settings:[Computer Configuration
| User Configuration]/Network/Internet Explorer/Internet
Control Panel/Advanced Page , Registry Keys:[HKLM |
HKCU]\Software\Policies\Microsoft\Internet
Explorer\Main\FeatureControl\FEATURE_LOCAL                     CCE-964
Local Internet Options: GPO Settings:[Computer Configuration
| User Configuration]/Network/Internet Explorer/Internet
Control Panel/Advanced Page , Registry Keys:[HKLM |
HKCU]\Software\Policies\Microsoft\Internet
Explorer\Main\Enable Browser Extensions                        CCE-598
Local Internet Options: GPO Settings:[Computer Configuration
| User Configuration]/Network/Internet Explorer/Internet
Control Panel/Advanced Page , Registry Keys:[HKLM |
HKCU]\Software\Policies\Microsoft\Internet
Explorer\Main\NoUpdateCheck                                    CCE-1008

Local Internet Options: GPO Settings:[Computer Configuration
| User Configuration]/Network/Internet Explorer/Internet
Control Panel/Advanced Page , Registry Keys:[HKLM |
HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\I
nternet Settings\CertificateRevocation                         CCE-690
Local Internet Options: GPO Settings:[Computer Configuration
| User Configuration]/Network/Internet Explorer/Internet
Control Panel/Security Page/Internet Zone, Registry
Keys:[HKLM |
HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\I
nternet Settings\Zones\3\1406                                  CCE-47
Local Internet Options: GPO Settings:[Computer Configuration
| User Configuration]/Network/Internet Explorer/Internet
Control Panel/Security Page/Internet Zone, Registry
Keys:[HKLM |
HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\I
nternet Settings\Zones\3\1802                                  CCE-685
Local Internet Options: GPO Settings:[Computer Configuration
| User Configuration]/Network/Internet Explorer/Internet
Control Panel/Security Page/Internet Zone, Registry
Keys:[HKLM |
HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\I
nternet Settings\Zones\3\1604                                  CCE-491
Local Internet Options: GPO Settings:[Computer Configuration
| User Configuration]/Network/Internet Explorer/Internet
Control Panel/Security Page/Internet Zone, Registry
Keys:[HKLM |
HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\I
nternet Settings\Zones\3\1800                                  CCE-355
Local Internet Options: GPO Settings:[Computer Configuration
| User Configuration]/Network/Internet Explorer/Internet
Control Panel/Security Page/Internet Zone, Registry
Keys:[HKLM |
HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\I
nternet Settings\Zones\3\2102                                  CCE-280
Local Internet Options: GPO Settings:[Computer Configuration
| User Configuration]/Network/Internet Explorer/Internet
Control Panel/Security Page/Internet Zone, Registry
Keys:[HKLM |
HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\I
nternet Settings\Zones\3\1209                                  CCE-439
Local Internet Options: GPO Settings:[Computer Configuration
| User Configuration]/Network/Internet Explorer/Internet
Control Panel/Security Page/Internet Zone, Registry
Keys:[HKLM |
HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\I
nternet Settings\Zones\3\2103                                  CCE-914
Local Internet Options: GPO Settings:[Computer Configuration
| User Configuration]/Network/Internet Explorer/Internet
Control Panel/Security Page/Internet Zone, Registry
Keys:[HKLM |
HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\I
nternet Settings\Zones\3\2200                                  CCE-16
Local Internet Options: GPO Settings:[Computer Configuration
| User Configuration]/Network/Internet Explorer/Internet
Control Panel/Security Page/Internet Zone, Registry
Keys:[HKLM |
HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\I
nternet Settings\Zones\3\1001                                  CCE-1013
Local Internet Options: GPO Settings:[Computer Configuration
| User Configuration]/Network/Internet Explorer/Internet
Control Panel/Security Page/Internet Zone, Registry
Keys:[HKLM |
HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\I
nternet Settings\Zones\3\1004                                  CCE-176
Local Internet Options: GPO Settings:[Computer Configuration
| User Configuration]/Network/Internet Explorer/Internet
Control Panel/Security Page/Internet Zone, Registry
Keys:[HKLM |
HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\I
nternet Settings\Zones\3\1201                                  CCE-586

Local Internet Options: GPO Settings:[Computer Configuration
| User Configuration]/Administrative Templates/Windows
Components/Internet Explorer/Internet Control Panel/Security
Page/Internet Zone, Registry Keys:[HKLM |
HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\I
nternet Settings\Zones\3\1C00                                  CCE-132
Local Internet Options: GPO Settings:[Computer Configuration
| User Configuration]/Network/Internet Explorer/Internet
Control Panel/Security Page/Internet Zone, Registry
Keys:[HKLM |
HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\I
nternet Settings\Zones\3\1804                                  CCE-689




Local Internet Options: GPO Settings:[Computer Configuration
| User Configuration]/Network/Internet Explorer/Internet
Control Panel/Security Page/Internet Zone, Registry
Keys:[HKLM |
HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\I
nternet Settings\Zones\3\1A00                                  CCE-720
Local Internet Options: GPO Settings:[Computer Configuration
| User Configuration]/Network/Internet Explorer/Internet
Control Panel/Security Page/Internet Zone, Registry
Keys:[HKLM |
HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\I
nternet Settings\Zones\3\2402                                  CCE-126
Local Internet Options: GPO Settings:[Computer Configuration
| User Configuration]/Network/Internet Explorer/Internet
Control Panel/Security Page/Internet Zone, Registry
Keys:[HKLM |
HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\I
nternet Settings\Zones\3\1607                                  CCE-245
Local Internet Options: GPO Settings:[Computer Configuration
| User Configuration]/Network/Internet Explorer/Internet
Control Panel/Security Page/Internet Zone, Registry
Keys:[HKLM |
HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\I
nternet Settings\Zones\3\2100                                  CCE-910
Local Internet Options: GPO Settings:[Computer Configuration
| User Configuration]/Network/Internet Explorer/Internet
Control Panel/Security Page/Internet Zone, Registry
Keys:[HKLM |
HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\I
nternet Settings\Zones\3\1E05                                  CCE-359
Local Internet Options: GPO Settings:[Computer Configuration
| User Configuration]/Network/Internet Explorer/Internet
Control Panel/Security Page/Internet Zone, Registry
Keys:[HKLM |
HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\I
nternet Settings\Zones\3\1809                                  CCE-1002
Local Internet Options: GPO Settings:[Computer Configuration
| User Configuration]/Network/Internet Explorer/Internet
Control Panel/Security Page/Internet Zone, Registry
Keys:[HKLM |
HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\I
nternet Settings\Zones\3\1606                                  CCE-425
Local Internet Options: GPO Settings:[Computer Configuration
| User Configuration]/Network/Internet Explorer/Internet
Control Panel/Security Page/Internet Zone, Registry
Keys:[HKLM |
HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\I
nternet Settings\Zones\3\2101                                  CCE-724
Local Internet Options: GPO Settings:[Computer Configuration
| User Configuration]/Network/Internet Explorer/Internet
Control Panel/Security Page/Internet Zone, Registry
Keys:[HKLM |
HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\I
nternet Settings\Zones\3\2401                                  CCE-1015
Local Internet Options: GPO Settings:[Computer Configuration
| User Configuration]/Network/Internet Explorer/Internet
Control Panel/Security Page/Locked-Down Internet Zone,
Registry Keys:[HKLM |
HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\I
nternet Settings\Zones\3\1609                                  CCE-878
Local Internet Options: GPO Settings:[Computer Configuration
| User Configuration]/Network/Internet Explorer/Internet
Control Panel/Security Page/Intranet Zone, Registry
Keys:[HKLM |
HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\I
nternet Settings\Zones\1\1609                                  CCE-288
Local Internet Options: GPO Settings:[Computer Configuration
| User Configuration]/Network/Internet Explorer/Internet
Control Panel/Security Page/Locked-Down Intranet Zone,
Registry Keys:[HKLM |
HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\I
nternet Settings\Lockdown_Zones\1\1609                         CCE-552
Local Internet Options: GPO Settings:[Computer Configuration
| User Configuration]/Network/Internet Explorer/Internet
Control Panel/Security Page/Local Machine Zone, Registry
Keys:[HKLM |
HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\I
nternet Settings\Zones\0\1609                                  CCE-473
Local Internet Options: GPO Settings:[Computer Configuration
| User Configuration]/Network/Internet Explorer/Internet
Control Panel/Security Page/Locked-Down Local Machine
Zone, Registry Keys:[HKLM |
HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\I
nternet Settings\Lockdown_Zones\0\1609                         CCE-239
Local Internet Options: GPO Settings:[Computer Configuration
| User Configuration]/Network/Internet Explorer/Internet
Control Panel/Security Page/Restricted Sites Zone, Registry
Keys:[HKLM |
HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\I
nternet Settings\Zones\4\1406                                  CCE-636
Local Internet Options: GPO Settings:[Computer Configuration
| User Configuration]/Network/Internet Explorer/Internet
Control Panel/Security Page/Restricted Sites Zone, Registry
Keys:[HKLM |
HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\I
nternet Settings\Zones\4\1400                                  CCE-292
Local Internet Options: GPO Settings:[Computer Configuration
| User Configuration]/Network/Internet Explorer/Internet
Control Panel/Security Page/Restricted Sites Zone, Registry
Keys:[HKLM |
HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\I
nternet Settings\Zones\4\2000                                  CCE-178
Local Internet Options: GPO Settings:[Computer Configuration
| User Configuration]/Network/Internet Explorer/Internet
Control Panel/Security Page/Restricted Sites Zone, Registry
Keys:[HKLM |
HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\I
nternet Settings\Zones\4\1802                                  CCE-41
Local Internet Options: GPO Settings:[Computer Configuration
| User Configuration]/Network/Internet Explorer/Internet
Control Panel/Security Page/Restricted Sites Zone, Registry
Keys:[HKLM |
HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\I
nternet Settings\Zones\4\1803                                  CCE-970
Local Internet Options: GPO Settings:[Computer Configuration
| User Configuration]/Network/Internet Explorer/Internet
Control Panel/Security Page/Restricted Sites Zone, Registry
Keys:[HKLM |
HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\I
nternet Settings\Zones\4\1604                                  CCE-882
Local Internet Options: GPO Settings:[Computer Configuration
| User Configuration]/Network/Internet Explorer/Internet
Control Panel/Security Page/Restricted Sites Zone, Registry
Keys:[HKLM |
HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\I
nternet Settings\Zones\4\1800                                  CCE-763
Local Internet Options: GPO Settings:[Computer Configuration
| User Configuration]/Network/Internet Explorer/Internet
Control Panel/Security Page/Restricted Sites Zone, Registry
Keys:[HKLM |
HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\I
nternet Settings\Zones\4\1608                                  CCE-680

Local Internet Options: GPO Settings:[Computer Configuration
| User Configuration]/Network/Internet Explorer/Internet
Control Panel/Security Page/Restricted Sites Zone, Registry
Keys:[HKLM |
HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\I
nternet Settings\Zones\4\2102                                  CCE-208
Local Internet Options: GPO Settings:[Computer Configuration
| User Configuration]/Network/Internet Explorer/Internet
Control Panel/Security Page/Restricted Sites Zone, Registry
Keys:[HKLM |
HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\I
nternet Settings\Zones\4\1209                                  CCE-838
Local Internet Options: GPO Settings:[Computer Configuration
| User Configuration]/Network/Internet Explorer/Internet
Control Panel/Security Page/Restricted Sites Zone, Registry
Keys:[HKLM |
HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\I
nternet Settings\Zones\4\1001                                  CCE-129
Local Internet Options: GPO Settings:[Computer Configuration
| User Configuration]/Network/Internet Explorer/Internet
Control Panel/Security Page/Restricted Sites Zone, Registry
Keys:[HKLM |
HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\I
nternet Settings\Zones\4\2200                                  CCE-175
Local Internet Options: GPO Settings:[Computer Configuration
| User Configuration]/Network/Internet Explorer/Internet
Control Panel/Security Page/Restricted Sites Zone, Registry
Keys:[HKLM |
HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\I
nternet Settings\Zones\4\1001                                  CCE-52
Local Internet Options: GPO Settings:[Computer Configuration
| User Configuration]/Network/Internet Explorer/Internet
Control Panel/Security Page/Restricted Sites Zone, Registry
Keys:[HKLM |
HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\I
nternet Settings\Zones\4\1004                                  CCE-1012
Local Internet Options: GPO Settings:[Computer Configuration
| User Configuration]/Network/Internet Explorer/Internet
Control Panel/Security Page/Restricted Sites Zone, Registry
Keys:[HKLM |
HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\I
nternet Settings\Zones\4\1201                                  CCE-26

Local Internet Options: GPO Settings:[Computer Configuration
| User Configuration]/Administrative Templates/Windows
Components/Internet Explorer/Internet Control Panel/Security
Page/Restricted Sites Zone, Registry Keys:[HKLM |
HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\I
nternet Settings\Zones\4\1C00                                  CCE-925
Local Internet Options: GPO Settings:[Computer Configuration
| User Configuration]/Network/Internet Explorer/Internet
Control Panel/Security Page/Restricted Sites Zone, Registry
Keys:[HKLM |
HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\I
nternet Settings\Zones\4\1804                                  CCE-339




Local Internet Options: GPO Settings:[Computer Configuration
| User Configuration]/Network/Internet Explorer/Internet
Control Panel/Security Page/Restricted Sites Zone, Registry
Keys:[HKLM |
HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\I
nternet Settings\Zones\4\1A00                                  CCE-128
Local Internet Options: GPO Settings:[Computer Configuration
| User Configuration]/Network/Internet Explorer/Internet
Control Panel/Security Page/Restricted Sites Zone, Registry
Keys:[HKLM |
HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\I
nternet Settings\Zones\4\2402                                  CCE-639
Local Internet Options: GPO Settings:[Computer Configuration
| User Configuration]/Network/Internet Explorer/Internet
Control Panel/Security Page/Restricted Sites Zone, Registry
Keys:[HKLM |
HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\I
nternet Settings\Zones\4\1607                                  CCE-995
Local Internet Options: GPO Settings:[Computer Configuration
| User Configuration]/Network/Internet Explorer/Internet
Control Panel/Security Page/Restricted Sites Zone, Registry
Keys:[HKLM |
HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\I
nternet Settings\Zones\4\2100                                  CCE-409
Local Internet Options: GPO Settings:[Computer Configuration
| User Configuration]/Network/Internet Explorer/Internet
Control Panel/Security Page/Restricted Sites Zone, Registry
Keys:[HKLM |
HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\I
nternet Settings\Zones\4\2004                                  CCE-678
Local Internet Options: GPO Settings:[Computer Configuration
| User Configuration]/Network/Internet Explorer/Internet
Control Panel/Security Page/Restricted Sites Zone, Registry
Keys:[HKLM |
HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\I
nternet Settings\Zones\4\2001                                  CCE-563
Local Internet Options: GPO Settings:[Computer Configuration
| User Configuration]/Network/Internet Explorer/Internet
Control Panel/Security Page/Restricted Sites Zone, Registry
Keys:[HKLM |
HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\I
nternet Settings\Zones\4\1200                                  CCE-841
Local Internet Options: GPO Settings:[Computer Configuration
| User Configuration]/Network/Internet Explorer/Internet
Control Panel/Security Page/Restricted Sites Zone, Registry
Keys:[HKLM |
HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\I
nternet Settings\Zones\4\1405                                  CCE-973
Local Internet Options: GPO Settings:[Computer Configuration
| User Configuration]/Network/Internet Explorer/Internet
Control Panel/Security Page/Restricted Sites Zone, Registry
Keys:[HKLM |
HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\I
nternet Settings\Zones\4\1402                                  CCE-1000
Local Internet Options: GPO Settings:[Computer Configuration
| User Configuration]/Network/Internet Explorer/Internet
Control Panel/Security Page/Restricted Sites Zone, Registry
Keys:[HKLM |
HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\I
nternet Settings\Zones\4\1E05                                  CCE-520
Local Internet Options: GPO Settings:[Computer Configuration
| User Configuration]/Network/Internet Explorer/Internet
Control Panel/Security Page/Restricted Sites Zone, Registry
Keys:[HKLM |
HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\I
nternet Settings\Zones\4\1809                                  CCE-660
Local Internet Options: GPO Settings:[Computer Configuration
| User Configuration]/Network/Internet Explorer/Internet
Control Panel/Security Page/Restricted Sites Zone, Registry
Keys:[HKLM |
HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\I
nternet Settings\Zones\4\1606                                  CCE-28
Local Internet Options: GPO Settings:[Computer Configuration
| User Configuration]/Network/Internet Explorer/Internet
Control Panel/Security Page/Restricted Sites Zone, Registry
Keys:[HKLM |
HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\I
nternet Settings\Zones\4\2101                                  CCE-698
Local Internet Options: GPO Settings:[Computer Configuration
| User Configuration]/Network/Internet Explorer/Internet
Control Panel/Security Page/Restricted Sites Zone, Registry
Keys:[HKLM |
HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\I
nternet Settings\Zones\4\2401                                  CCE-460
Local Internet Options: GPO Settings:[Computer Configuration
| User Configuration]/Network/Internet Explorer/Internet
Control Panel/Security Page/Locked-Down Restricted Sites
Zone, Registry Keys:[HKLM |
HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\I
nternet Settings\Lockdown_Zones\4\1609                         CCE-30
Local Internet Options: GPO Settings:[Computer Configuration
| User Configuration]/Network/Internet Explorer/Internet
Control Panel/Security Page/Trusted Sites Zone, Registry
Keys:[HKLM |
HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\I
nternet Settings\Zones\2\1609                                  CCE-31
Local Internet Options: GPO Settings:[Computer Configuration
| User Configuration]/Network/Internet Explorer/Internet
Control Panel/Security Page/Locked-Down Trusted Sites
Zone, Registry Keys:[HKLM |
HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\I
nternet Settings\Lockdown_Zones\2\1609                         CCE-666

Local Internet Options: GPO Settings:[Computer Configuration
| User Configuration]/Network/Internet Explorer/Internet
Control Panel/Security Features, Registry Keys:[HKLM |
HKCU]\Software\Policies\Microsoft\Internet
Explorer\Main\XMLHTTP                                          CCE-528

HKCU\Software\Policies\Microsoft\Internet
Explorer\Main!FormSuggest Passwords,
HKCU\Software\Policies\Microsoft\Internet Explorer\Control
Panel\FormSuggest Passwords                                    CCE-721


HKCU\Software\Policies\Microsoft\Internet
Explorer\Main!NoJITSetup                                       CCE-69


HKCU\Software\Policies\Microsoft\Internet
Explorer\Main!Page_Transitions                                 CCE-71
HKCU\Software\Policies\Microsoft\Internet Explorer\Main!Use
FormSuggest, HKCU\Software\Policies\Microsoft\Internet
Explorer\Control Panel!FormSuggest                            CCE-478


HKCU\Software\Policies\Microsoft\Internet
Explorer\Restrictions!NoSelectDownloadDir                     CCE-412


HKCU\Software\Policies\Microsoft\Internet Explorer\Control
Panel!Certificates                                            CCE-1037


HKCU\Software\Policies\Microsoft\Internet
Explorer\Restrictions!NoExternalBranding                      CCE-1051

HKCU\Software\Microsoft\Outlook
Express!BlockExeAttachments                                   CCE-963


HKCU\Software\Policies\Microsoft\Internet Connection
Wizard!DisableICW                                             CCE-258


HKCU\Software\Policies\Microsoft\Internet Explorer\Control
Panel!Connwiz Admin Lock                                      CCE-769


HKCU\Software\Policies\Microsoft\Internet Explorer\Control
Panel!ResetWebSettings                                        CCE-625



HKCU\Software\Policies\Microsoft\Internet
Explorer\Infodelivery\Restrictions\NoSubscriptionContent      CCE-74


HKCU\Software\Policies\Microsoft\Internet
Explorer\Infodelivery\Restrictions\NoAddingSubscriptions      CCE-122

HKCU\Software\Policies\Microsoft\Internet
Explorer\Infodelivery\Restrictions\NoAddingChannels           CCE-716


HKCU\Software\Policies\Microsoft\Internet
Explorer\Infodelivery\Restrictions\NoEditingScheduleGroups    CCE-610


HKCU\Software\Policies\Microsoft\Internet
Explorer\Infodelivery\Restrictions\NoScheduledUpdates         CCE-619
HKCU\Software\Policies\Microsoft\Internet
Explorer\Infodelivery\Restrictions\NoEditingSubscriptions      CCE-373



HKCU\Software\Policies\Microsoft\Internet
Explorer\Infodelivery\Restrictions\NoChannelUI                 CCE-298

HKCU\Software\Policies\Microsoft\Internet
Explorer\Infodelivery\Restrictions\NoRemovingChannels          CCE-1069


HKCU\Software\Policies\Microsoft\Internet
Explorer\Infodelivery\Restrictions\NoRemovingSubscriptions     CCE-615


HKCU\Software\Policies\Microsoft\Internet
Explorer\Infodelivery\Restrictions\NoChannelLogging            CCE-1003

Local Internet Options: GPO Settings:[Computer Configuration
| User Configuration]/Administrative Templates/Windows
Components/Internet Explorer/Internet Control Panel/Security
Page/Locked-Down Intranet Zone/Java permissions, Registry
Keys:[HKLM |
HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\I
nternet Settings\Lockdown_Zones\1\1C00                         CCE-320
Local Internet Options: GPO Settings:[Computer Configuration
| User Configuration]/Administrative Templates/Windows
Components/Internet Explorer/Internet Control Panel/Security
Page/Local Machine Zone/Java permissions, Registry
Keys:[HKLM |
HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\I
nternet Settings\Zones\0\1C00                                  CCE-138

Local Internet Options: GPO Settings:[Computer Configuration
| User Configuration]/Administrative Templates/Windows
Components/Internet Explorer/Internet Control Panel/Security
Page/Locked-Down Local Machine Zone/Java permissions,
Registry Keys:[HKLM |
HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\I
nternet Settings\Lockdown_Zones\0\1C00                         CCE-1045




GPO Setting: Computer Configuration\Administrative
Templates\Windows Components\Internet Explorer\Internet
Control Panel\Security Page\Site to Zone Assignment List       CCE-1005
GPO Setting: Computer Configuration\Administrative
Templates\Windows Components\Internet Explorer\Internet
Control Panel\Security Page\Internet Zone\Turn on Protected
Mode                                                           CCE-281

Local Internet Options: GPO Settings:[Computer Configuration
| User Configuration]/Administrative Templates/Windows
Components/Internet Explorer/Internet Control Panel/Security
Page/Intranet Zone/Java permissions, Registry Keys:[HKLM |
HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\I
nternet Settings\Zones\1\1C00                                  CCE-218

GPO Settings:[Computer Configuration | User
Configuration]/Network/Internet Explorer/Internet Control
Panel/Security Page/Locked-Down Internet Zone\Download
signed ActiveX controls                                        CCE-308

Local Internet Options: GPO Settings:[Computer Configuration
| User Configuration]/Administrative Templates/Windows
Components/Internet Explorer/Internet Control Panel/Security
Page/Locked-Down Internet Zone/Java permissions, Registry
Keys:[HKLM |
HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\I
nternet Settings\Lockdown_Zones\3\1C00                         CCE-781

Local Internet Options: GPO Settings:[Computer Configuration
| User Configuration]/Administrative Templates/Windows
Components/Internet Explorer/Internet Control Panel/Security
Page/Locked-Down Restricted Sites Zone/Java permissions,
Registry Keys:[HKLM |
HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\I
nternet Settings\Lockdown_Zones\4\1C00                         CCE-1088

GPO Settings:[Computer Configuration | User
Configuration]/Network/Internet Explorer/Internet Control
Panel/Security Page/Locked-Down Trusted Sites Zone\Allow
status bar updates via script                                  CCE-1147

Local Internet Options: GPO Settings:[Computer Configuration
| User Configuration]/Administrative Templates/Windows
Components/Internet Explorer/Internet Control Panel/Security
Page/Locked-Down Trusted Sites Zone/Java permissions,
Registry Keys:[HKLM |
HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\I
nternet Settings\Lockdown_Zones\2\1C00                         CCE-140
(1) GPO Setting: Computer Configuration\Administrative
Templates\Windows Components\Internet Explorer\Internet
Control Panel\Security Page\Restricted Sites Zone\Turn on
Protected Mode (2) Registry
Keys:[HKLM|HKCU]\Software\Policies\Microsoft\Windows\Curr
entVersion\Internet Settings\Zones\4\2500                      CCE-1211
Local Internet Options: GPO Settings:[Computer Configuration
| User Configuration]/Administrative Templates/Windows
Components/Internet Explorer/Internet Control Panel/Security
Page/Trusted Sites Zone/Java permissions, Registry
Keys:[HKLM |
HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\I
nternet Settings\Zones\2\1C00                                  CCE-675
  NIST SCAP Microsoft Internet    NIST SCAP Microsoft Internet Explorer
Explorer Version 7.0 OVAL(SCAP- Version 7.0 XCCDF (SCAP-IE7-XCCDF-Beta-
     IE7-OVAL-Beta-v3.xml)                      v3.xml




oval:org.mitre.oval:def:1277,   UseOnlyMachineSettings-LocalComputer,
oval:org.mitre.oval:def:2050    UseOnlyMachineSettings-LocalComputer-Disabled




oval:org.mitre.oval:def:658     IEProcesses-RestrictActiveXInstall-LocalComputer




oval:org.mitre.oval:def:1400    DoNotAllowUsersAddDeleteSites-LocalComputer




                                DisablePeriodicCheckForIESoftwareUpdates-
oval:org.mitre.oval:def:1357    LocalComputer
oval:org.mitre.oval:def:620




oval:org.mitre.oval:def:884    IEProcesses-ConsistentMimeHandling-LocalComputer



                               AllowSoftwareRunInstallSignatureInvalid-
                               LocalComputer,
oval:org.mitre.oval:def:680,   AllowSoftwareToRununOrInstallEvenIfSignatureInvalid-
oval:org.mitre.oval:def:1392   LocalUser
                               IEProcesses-MKProtocolSecurityRestriction-
oval:org.mitre.oval:def:617    LocalComputer




                               DisableSoftwareUpdateShellNotifications-
oval:org.mitre.oval:def:1188   LocalComputer
oval:org.mitre.oval:def:320     IEProcesses-RestrictFileDownload-LocalComputer




                                DisableAutomaticInstallOfIEComponents-
oval:org.mitre.oval:def:1198    LocalComputer




oval:org.mitre.oval:def:1181    MakeProxySettingsPerMachine-LocalComputer


oval:org.mitre.oval:def:1380,   DoNotAllowUsersEnableDisableAddOns-
oval:org.mitre.oval:def:1358,   LocalComputer,
oval:org.mitre.oval:def:1694    DoNotAllowUsersEnableDisableAddOns-LocalUser




oval:org.mitre.oval:def:487     TurnOffCrashDetection-LocalComputer
                               IEProcesses-ScriptedWindowSecurityRestrictions-
oval:org.mitre.oval:def:465    LocalComputer




oval:org.mitre.oval:def:1404   DoNotAllowUsersChangePolicies-LocalComputer




                               IEProcesses-MimeSniffingSafetyFeature-
oval:org.mitre.oval:def:317    LocalComputer




oval:org.mitre.oval:def:395    CheckSignatureDownloadedPrograms-LocalComputer
oval:org.mitre.oval:def:583    DoNotAllowResettingIESettings-LocalComputer


                               AllowCutCopyPasteOperationsFromClipboardViaScript-
                               InternetZone-LocalComputer,
oval:org.mitre.oval:def:506,   AllowCutCopyPasteOperationsFromClipboardViaScript-
oval:org.mitre.oval:def:533    InternetZone-LocalUser




oval:org.mitre.oval:def:1119   TurnOffFirst-RunOpt-In-InternetZone-LocalComputer




oval:org.mitre.oval:def:242    WebBrowserApplications-InternetZone-LocalComputer



                               AllowCutCopyPasteOperationsFromClipboardViaScript-
                               RestrictedSitesZone-LocalComputer,
oval:org.mitre.oval:def:249,   AllowCutCopyPasteOperationsFromClipboardViaScript-
oval:org.mitre.oval:def:1393   RestrictedSitesZone-LocalUser




                               TurnOffFirst-RunOpt-In-RestrictedSitesZone-
oval:org.mitre.oval:def:621    LocalComputer




                               WebBrowserApplications-RestrictedSitesZone-
oval:org.mitre.oval:def:580    LocalComputer




oval:org.mitre.oval:def:559,   IncludeAllNetworkPaths-LocalComputer,
oval:org.mitre.oval:def:1370   IncludeAllNetworkPaths-LocalUser
oval:org.mitre.oval:def:934,   DisableTheAdvancedPage-LocalComputer,
oval:org.mitre.oval:def:660    DisableTheAdvancedPage-LocalUser




oval:org.mitre.oval:def:1111   DisableThePrivacyPage-LocalComputer



oval:org.mitre.oval:def:672,   DisableTheSecurityPage-LocalComputer,
oval:org.mitre.oval:def:601    DisableTheSecurityPage-LocalUser



oval:org.mitre.oval:def:655,   PreventIgnoingCertificateErrors-LocalComputer,
oval:org.mitre.oval:def:1129   PreventIgnoingCertificateErrors-LocalUser




oval:org.mitre.oval:def:715    TurnOffChangingURLDisplay-LocalComputer




                               TurnOffConfiguringUpdateCheckInterval-
oval:org.mitre.oval:def:1187   LocalComputer




oval:org.mitre.oval:def:626    AddOnList-LocalComputer




oval:org.mitre.oval:def:1278   DenyAllAddOns-LocalComputer
oval:org.mitre.oval:def:757,    DisableConfiguringHistory-LocalComputer,
oval:org.mitre.oval:def:1365    DisableConfiguringHistory-LocalUser

                                DisableChangingAutomaticConfigurationSettings-
                                LocalComputer,
oval:org.mitre.oval:def:1285,   DisableChangingAutomaticConfigurationSettings-
oval:org.mitre.oval:def:613     LocalUser




oval:org.mitre.oval:def:355,    DisableChangingConnectionSettings-LocalComputer,
oval:org.mitre.oval:def:1128    DisableChangingConnectionSettings-LocalUser



oval:org.mitre.oval:def:398,    DisableChangingProxySettings-LocalComputer,
oval:org.mitre.oval:def:635     DisableChangingProxySettings-LocalUser




oval:org.mitre.oval:def:1164    DisableShowingSplashScreen-LocalComputer



oval:org.mitre.oval:def:448,    PreventFixSettingsFunctionality-LocalComputer,
oval:org.mitre.oval:def:640     PreventFixSettingsFunctionality-LocalUser

                                PreventParticipationInCustomerExperienceImprovement
                                Programs-LocalComputer,
oval:org.mitre.oval:def:1171,   PreventParticipationInCustomerExperienceImprovement
oval:org.mitre.oval:def:1391    Programs-LocalUser



                                PreventPerformanceOfFirstRunCustomizeSettings-
oval:org.mitre.oval:def:1322    LocalComputer



oval:org.mitre.oval:def:1382,   PerventDeletationOfTempInternetFiles-LocalComputer,
oval:org.mitre.oval:def:703     PerventDeletationOfTempInternetFiles-LocalUser
                                TurnOffDeleteBrowsingHistoryFunctionality-
oval:org.mitre.oval:def:458,    LocalComputer,
oval:org.mitre.oval:def:1474    TurnOffDeleteBrowsingHistoryFunctionality-LocalUser




oval:org.mitre.oval:def:501     TurnOffManagingPhishingFilter-LocalComputer



oval:org.mitre.oval:def:916,    TurnOffSecuritySettingsCheckFeature-LocalComputer,
oval:org.mitre.oval:def:1034    TurnOffSecuritySettingsCheckFeature-LocalUser




oval:org.mitre.oval:def:400     AllowActiveContentFromCD-LocalComputer




oval:org.mitre.oval:def:110     AllowThird-PartyBrowserExtensions-LocalComputer



oval:org.mitre.oval:def:656,    AutomaticallyCheckIEUpdates-LocalComputer,
oval:org.mitre.oval:def:1360    AutomaticallyCheckForIEUpdates-LocalUser




oval:org.mitre.oval:def:172,    CheckServerCertificateRevocation-LocalComputer,
oval:org.mitre.oval:def:1502    CheckForServerCertificateRevocation-LocalUser



                                AccessDataSourcesAcrossDomains-InternetZone-
oval:org.mitre.oval:def:674,    LocalComputer, AccessDataSourcesAcrossDomains-
oval:org.mitre.oval:def:650     InternetZone-LocalUser



                                AllowDragDropOrCopyPasteFiles-InternetZone-
oval:org.mitre.oval:def:1083,   LocalComputer, AllowDragDropOrCopyPasteFiles-
oval:org.mitre.oval:def:547     InternetZone-LocalUser
oval:org.mitre.oval:def:524,    AllowFontDownloads-InternetZone-LocalComputer,
oval:org.mitre.oval:def:659     AllowFontDownloads-InternetZone-LocalUser



                                AllowInstallationOfDesktopItems-InternetZone-
oval:org.mitre.oval:def:223,    LocalComputer, AllowInstallationOfDesktopItems-
oval:org.mitre.oval:def:541     InternetZone-LocalUser


                                AllowScriptInitiatedWindowsWithoutSizeOrPositionCons
                                traints-InternetZone-LocalComputer,
oval:org.mitre.oval:def:589,    AllowScriptInitiatedWindowsWithoutSizeOrPositionCons
oval:org.mitre.oval:def:1476    traints-InternetZone-LocalUser




oval:org.mitre.oval:def:1043    AllowScriptlets-InternetZone-LocalComputer



                                AllowStatusBarUpdatesViaScript-InternetZone-
oval:org.mitre.oval:def:226,    LocalComputer, AllowStatusBarUpdatesViaScript-
oval:org.mitre.oval:def:1208    InternetZone-LocalUser



                                AutomaticPromptingFileDownloads-InternetZone-
oval:org.mitre.oval:def:1113,   LocalComputer, AutomaticPromptingFileDownloads-
oval:org.mitre.oval:def:562     InternetZone-LocalUser



                                DownloadSignedActiveXControls-InternetZone-
oval:org.mitre.oval:def:1199,   LocalComputer, DownloadSignedActiveXControls-
oval:org.mitre.oval:def:546     InternetZone-LocalUser



                                DownloadUnsignedActiveXControls-InternetZone-
oval:org.mitre.oval:def:391,    LocalComputer, DownloadUnsignedActiveXControls-
oval:org.mitre.oval:def:1200    InternetZone-LocalUser
                                InitializeScriptActiveXControlsNotMarkedAsSafe-
                                InternetZone-LocalComputer, JavaPermissions-
                                InternetZone-LocalComputer,
oval:org.mitre.oval:def:1040,   InitializeScriptActiveXControlsNotMarkedAsSafe-
oval:org.mitre.oval:def:739     InternetZone-LocalUser




oval:org.mitre.oval:def:1174,
oval:org.mitre.oval:def:725     JavaPermissions-InternetZone-LocalUser


                                LaunchingApplicationsAndFilesInIFRAME-InternetZone-
                                LocalComputer,
oval:org.mitre.oval:def:611,    LaunchingApplicationsAndFilesInIFRAME-InternetZone-
oval:org.mitre.oval:def:1487    LocalUser




oval:org.mitre.oval:def:691,    LogonOptions-InternetZone-LocalComputer,
oval:org.mitre.oval:def:1123    LogonOptions-InternetZone-LocalUser




oval:org.mitre.oval:def:240     LooseXAMLFiles-InternetZone-LocalComputer



                                NavigateSub-framesAcrossDifferentDomains-
oval:org.mitre.oval:def:612,    InternetZone-LocalComputer, NavigateSub-
oval:org.mitre.oval:def:1394    framesAcrossDifferentDomains-InternetZone-LocalUser



                                OpenFilesBasedOnContent-InternetZone-
oval:org.mitre.oval:def:953,    LocalComputer, OpenFilesBasedOnContent-
oval:org.mitre.oval:def:1300    InternetZone-LocalUser
                                SoftwareChannelPermissions-InternetZone-
oval:org.mitre.oval:def:302,    LocalComputer, SoftwareChannelPermissions-
oval:org.mitre.oval:def:1398    InternetZone-LocalUser




oval:org.mitre.oval:def:1179,   UsePop-upBlocker-InternetZone-LocalComputer,
oval:org.mitre.oval:def:558     UsePop-upBlocker-InternetZone-LocalUser




oval:org.mitre.oval:def:1108    UserdataPersistence-InternetZone-LocalComputer


                                WebSitesInLessPrivilegedWebContentZonesCanNaviga
                                teIntoThisZone-InternetZone-LocalComputer,
oval:org.mitre.oval:def:265,    WebSitesInLessPrivilegedWebContentZonesCanNaviga
oval:org.mitre.oval:def:1432    teIntoThisZone-InternetZone-LocalUser




oval:org.mitre.oval:def:628     XPSFiles-InternetZone-LocalComputer




                                DisplayMixedContent-LockedDownInternetZone-
oval:org.mitre.oval:def:245     LocalComputer




oval:org.mitre.oval:def:1166    DisplayMixedContent-IntranetZone-LocalComputer




                                DisplayMixedContent-LockedDownIntranetZone-
oval:org.mitre.oval:def:247     LocalComputer
                                DisplayMixedContent-LocalMachineZone-
oval:org.mitre.oval:def:383     LocalComputer




                                DisplayMixedContent-LockedDownLocalMachineZone-
oval:org.mitre.oval:def:418     LocalComputer


                                AccessDataSourcesAcrossDomains-
                                RestrictedSitesZone-LocalComputer,
oval:org.mitre.oval:def:652,    AccessDataSourcesAcrossDomains-
oval:org.mitre.oval:def:750     RestrictedSitesZone-LocalUser



                                AllowActiveScripting-RestrictedSitesZone-
oval:org.mitre.oval:def:293,    LocalComputer, AllowActiveScripting-
oval:org.mitre.oval:def:561     RestrictedSitesZone-LocalUser



                                AllowBinaryAndScriptBehaviors-RestrictedSitesZone-
oval:org.mitre.oval:def:365,    LocalComputer, AllowBinaryAndScriptBehaviors-
oval:org.mitre.oval:def:1314    RestrictedSitesZone-LocalUser



                                AllowDragDropOrCopyPasteFiles-RestrictedSitesZone-
oval:org.mitre.oval:def:498,    LocalComputer, AllowDragDropOrCopyPasteFiles-
oval:org.mitre.oval:def:1465    RestrictedSitesZone-LocalUser



                                AllowFileDownloads-RestrictedSitesZone-
oval:org.mitre.oval:def:1184,   LocalComputer, AllowFileDownloads-
oval:org.mitre.oval:def:1318    RestrictedSitesZone-LocalUser



                                AllowFontDownloads-RestrictedSitesZone-
oval:org.mitre.oval:def:1109,   LocalComputer, AllowFontDownloads-
oval:org.mitre.oval:def:1410    RestrictedSitesZone-LocalUser
                                AllowInstallationOfDesktopItems-RestrictedSitesZone-
oval:org.mitre.oval:def:251,    LocalComputer, AllowInstallationOfDesktopItems-
oval:org.mitre.oval:def:1257    RestrictedSitesZone-LocalUser



                                AllowMETAREFRESH-RestrictedSitesZone-
oval:org.mitre.oval:def:1218,   LocalComputer, AllowMETAREFRESH-
oval:org.mitre.oval:def:1270    RestrictedSitesZone-LocalUser



                                AllowScriptInitiatedWindowsWithoutSizeOrPositionCons
                                traints-RestrictedSitesZone-LocalComputer,
oval:org.mitre.oval:def:1234,   AllowScriptInitiatedWindowsWithoutSizeOrPositionCons
oval:org.mitre.oval:def:574     traints-RestrictedSitesZone-LocalUser




oval:org.mitre.oval:def:1217    AllowScriptlets-RestrictedSitesZone-LocalComputer



                                AllowStatusBarUpdatesViaScript-RestrictedSitesZone-
oval:org.mitre.oval:def:378,    LocalComputer, AllowStatusBarUpdatesViaScript-
oval:org.mitre.oval:def:1320    RestrictedSitesZone-LocalUser



                                AutomaticPromptingFileDownloads-RestrictedSitesZone-
oval:org.mitre.oval:def:252,    LocalComputer, AutomaticPromptingFileDownloads-
oval:org.mitre.oval:def:1312    RestrictedSitesZone-LocalUser



                                DownloadSignedActiveXControls-RestrictedSitesZone-
oval:org.mitre.oval:def:1019,   LocalComputer, DownloadSignedActiveXControls-
oval:org.mitre.oval:def:1389    RestrictedSitesZone-LocalUser


                                DownloadUnsignedActiveXControls-
                                RestrictedSitesZone-LocalComputer,
oval:org.mitre.oval:def:949,    DownloadUnsignedActiveXControls-
oval:org.mitre.oval:def:579     RestrictedSitesZone-LocalUser
                                InitializeScriptActiveXControlsNotMarkedAsSafe-
                                RestrictedSitesZone-LocalComputer,
oval:org.mitre.oval:def:273,    InitializeScriptActiveXControlsNotMarkedAsSafe-
oval:org.mitre.oval:def:1342    RestrictedSitesZone-LocalUser




oval:org.mitre.oval:def:824,    JavaPermissions-RestrictedSitesZone-LocalComputer,
oval:org.mitre.oval:def:732     JavaPermissions-RestrictedSitesZone-LocalUser


                                LaunchingApplicationsAndFilesInIFRAME-
                                RestrictedSitesZone-LocalComputer,
oval:org.mitre.oval:def:274,    LaunchingApplicationsAndFilesInIFRAME-
oval:org.mitre.oval:def:1223    RestrictedSitesZone-LocalUser




oval:org.mitre.oval:def:326,    LogonOptions-RestrictedSitesZone-LocalComputer,
oval:org.mitre.oval:def:1378    LogonOptions-RestrictedSitesZone-LocalUser




oval:org.mitre.oval:def:275     LooseXAMLFiles-RestrictedSitesZone-LocalComputer


                                NavigateSub-framesAcrossDifferentDomains-
                                RestrictedSitesZone-LocalComputer, NavigateSub-
oval:org.mitre.oval:def:1229,   framesAcrossDifferentDomains-RestrictedSitesZone-
oval:org.mitre.oval:def:1292    LocalUser



                                OpenFilesBasedOnContent-RestrictedSitesZone-
oval:org.mitre.oval:def:706,    LocalComputer, OpenFilesBasedOnContent-
oval:org.mitre.oval:def:1421    RestrictedSitesZone-LocalUser
                                RunNETFrameworkReliantComponentsNotSignedWith
                                Authenticode-RestrictedSitesZone-LocalComputer,
oval:org.mitre.oval:def:329,    RunNETFrameworkReliantComponentsNotSignedWith
oval:org.mitre.oval:def:599     Authenticode-RestrictedSitesZone-LocalUser


                                RunNETFrameworkReliantComponentsSignedWithAuth
                                enticode-RestrictedSitesZone-LocalComputer,
oval:org.mitre.oval:def:276,    RunNETFrameworkReliantComponentsSignedWithAuth
oval:org.mitre.oval:def:1428    enticode-RestrictedSitesZone-LocalUser



                                RunActiveXControlsAndPlugins-RestrictedSitesZone-
oval:org.mitre.oval:def:571,    LocalComputer, RunActiveXControlsAndPlugins-
oval:org.mitre.oval:def:1594    RestrictedSitesZone-LocalUser


                                ScriptActiveXControlsMarkedSafeForScripting-
                                RestrictedSitesZone-LocalComputer,
oval:org.mitre.oval:def:602,    ScriptActiveXControlsMarkedSafeForScripting-
oval:org.mitre.oval:def:1274    RestrictedSitesZone-LocalUser



                                ScriptingOfJavaApplets-RestrictedSitesZone-
oval:org.mitre.oval:def:280,    LocalComputer, ScriptingOfJavaApplets-
oval:org.mitre.oval:def:641     RestrictedSitesZone-LocalUser



                                SoftwareChannelPermissions-RestrictedSitesZone-
oval:org.mitre.oval:def:290,    LocalComputer, SoftwareChannelPermissions-
oval:org.mitre.oval:def:1214    RestrictedSitesZone-LocalUser



                                UsePop-upBlocker-RestrictedSitesZone-
oval:org.mitre.oval:def:1100,   LocalComputer, UsePop-upBlocker-
oval:org.mitre.oval:def:1286    RestrictedSitesZone-LocalUser




                                UserdataPersistence-RestrictedSitesZone-
oval:org.mitre.oval:def:300     LocalComputer
                                WebSitesInLessPrivilegedWebContentZonesCanNaviga
                                teIntoThisZone-RestrictedSitesZone-LocalComputer,
oval:org.mitre.oval:def:1219,   WebSitesInLessPrivilegedWebContentZonesCanNaviga
oval:org.mitre.oval:def:1243    teIntoThisZone-RestrictedSitesZone-LocalUser




oval:org.mitre.oval:def:1176    XPSFiles-RestrictedSitesZone-LocalComputer




                                DisplayMixedContent-LockedDownRestrictedSitesZone-
oval:org.mitre.oval:def:314     LocalComputer




oval:org.mitre.oval:def:1153    DisplayMixedContent-TrustedSitesZone-LocalComputer




                                DisplayMixedContent-LockedDownTrustedSitesZone-
oval:org.mitre.oval:def:1183    LocalComputer




oval:org.mitre.oval:def:338     EnableNativeXMLHttpSupport-LocalComputer




oval:org.mitre.oval:def:645     DisableSaveThisProgramToDiskOption-LocalUser



oval:org.mitre.oval:def:523     AllowInstallOnDemandIE-LocalUser



oval:org.mitre.oval:def:1206    TurnOffPageTransitions-LocalUser
oval:org.mitre.oval:def:1516   DisableAutoCompleteForForms-LocalUser



oval:org.mitre.oval:def:505    AllowInstallOnDemandIE-LocalUser



oval:org.mitre.oval:def:1362   DisableChangingCertificateSettings-LocalUser



oval:org.mitre.oval:def:1384   DisableExternalBrandingOfIE-LocalUser


oval:org.mitre.oval:def:1238   ConfigureOutlookExpress-LocalUser



oval:org.mitre.oval:def:604    InternetConnectionWizardSettings-LocalUser



oval:org.mitre.oval:def:1355   DisableInternetConnectionWizard-LocalUser



oval:org.mitre.oval:def:1437   DisableResetWebSettingsFeature-LocalUser



                               DisableDownloadingOfSiteSubscriptionContent-
oval:org.mitre.oval:def:1080   LocalUser



oval:org.mitre.oval:def:1293   DisableAddingSchedulesForOfflinePages-LocalUser


oval:org.mitre.oval:def:1383   DisableAddingChannels-LocalUser


                               DisableEditingAndCreatingOfScheduleGroups-
oval:org.mitre.oval:def:1397   LocalUser



oval:org.mitre.oval:def:1501   DisableAllScheduledOfflinePages-LocalUser
oval:org.mitre.oval:def:1565   DisableEditingSchedulesForOfflinePages-LocalUser




oval:org.mitre.oval:def:1782   DisableChannelUserInterfaceCompletely-LocalUser


oval:org.mitre.oval:def:1801   DisableRemovingChannels-LocalUser



oval:org.mitre.oval:def:1954   DisableRemovingSchedulesForOfflinePages-LocalUser



oval:org.mitre.oval:def:2026   DisableOfflinePageHitLogging-LocalUser




                               JavaPermissions-LockedDownIntranetZone-
oval:org.mitre.oval:def:2039   LocalComputer




oval:org.mitre.oval:def:1422   JavaPermissions-LocalMachineZone-LocalComputer




                               JavaPermissions-LockedDownLocalMachineZone-
oval:org.mitre.oval:def:1986   LocalComputer
   FDCC IE7 XCCDF (fdcc-
                                        FDCC IE7 OVAL (fdcc-
     accepted-content-
                                          accepted-content-
     20080110\fdcc-ie7-
                                      20080110\fdcc-ie7-oval.xml
        xccdf.xml)




use_only_machine_settings_local_co
mputer                             oval:gov.nist.fdcc.ie7:def:1277




IEProcesses_RestrictActiveXInstall_
LocalComputer                       oval:gov.nist.fdcc.ie7:def:658




DoNotAllowUsersAddDeleteSites_Lo
calComputer                      oval:gov.nist.fdcc.ie7:def:1400




DisablePeriodicCheckForIESoftware
Updates_LocalComputer             oval:gov.nist.fdcc.ie7:def:1357
IEProcesses_ProtectionFromZoneEl
evation_LocalComputer            oval:gov.nist.fdcc.ie7:def:620




IEProcesses_ConsistentMimeHandli
ng_LocalComputer                 oval:gov.nist.fdcc.ie7:def:884




AllowSoftwareRunInstallSignatureInv
alid_LocalComputer                  oval:gov.nist.fdcc.ie7:def:680
IEProcesses_MKProtocolSecurityRe
striction_LocalComputer          oval:gov.nist.fdcc.ie7:def:617




DisableSoftwareUpdateShellNotificati
ons_LocalComputer                    oval:gov.nist.fdcc.ie7:def:1188
IEProcesses_RestrictFileDownload_
LocalComputer                     oval:gov.nist.fdcc.ie7:def:320




DisableAutomaticInstallOfIECompon
ents_LocalComputer                oval:gov.nist.fdcc.ie7:def:1198




MakeProxySettingsPerMachine_Loca
lComputer                        oval:gov.nist.fdcc.ie7:def:1181



DoNotAllowUsersEnableDisableAdd
Ons_LocalComputer                   oval:gov.nist.fdcc.ie7:def:1694




TurnOffCrashDetection_LocalCompu
ter                              oval:gov.nist.fdcc.ie7:def:487
IEProcesses_ScriptedWindowSecurit
yRestrictions_LocalComputer       oval:gov.nist.fdcc.ie7:def:465




DoNotAllowUsersChangePolicies_Lo
calComputer                      oval:gov.nist.fdcc.ie7:def:1404




IEProcesses_MimeSniffingSafetyFea
ture_LocalComputer                oval:gov.nist.fdcc.ie7:def:317



CheckSignatureDownloadedProgram
s_LocalComputer                 oval:gov.nist.fdcc.ie7:def:395
DoNotAllowResettingIESettings_Loc
alComputer                        oval:gov.nist.fdcc.ie7:def:583



allow_cut_copy_paste_operations_fr
om_clipboard_via_script_internet_zo
ne_local_computer                   oval:gov.nist.fdcc.ie7:def:506




TurnOffFirstRunOptIn_InternetZone_
LocalComputer                      oval:gov.nist.fdcc.ie7:def:1119




WebBrowserApplications_InternetZo
ne_LocalComputer                  oval:gov.nist.fdcc.ie7:def:242




AllowCutCopyPasteOperationsFrom
ClipboardViaScript_RestrictedSitesZ
one_LocalComputer                   oval:gov.nist.fdcc.ie7:def:249




TurnOffFirstRunOptIn_RestrictedSite
sZone_LocalComputer                 oval:gov.nist.fdcc.ie7:def:621




WebBrowserApplications_Restricted
SitesZone_LocalComputer           oval:gov.nist.fdcc.ie7:def:580




include_all_network_paths_local_co
mputer                               oval:gov.nist.fdcc.ie7:def:559
prevent_ignoring_certificate_errors_l
ocal_computer                         oval:gov.nist.fdcc.ie7:def:655




TurnOffChangingURLDisplay_LocalC
omputer                          oval:gov.nist.fdcc.ie7:def:715




TurnOffConfiguringUpdateCheckInter
val_LocalComputer                  oval:gov.nist.fdcc.ie7:def:1187
DisableConfiguringHistory_LocalCom
puter                              oval:gov.nist.fdcc.ie7:def:757



DisableChangingAutomaticConfigurat
ionSettings_LocalComputer          oval:gov.nist.fdcc.ie7:def:1285




DisableShowingSplashScreen_Local
Computer                         oval:gov.nist.fdcc.ie7:def:1164




PreventParticipationInCustomerExpe
rienceImprovementPrograms_LocalC
omputer                            oval:gov.nist.fdcc.ie7:def:1171



PreventPerformanceOfFirstRunCusto
mizeSettings_LocalComputer        oval:gov.nist.fdcc.ie7:def:1322
TurnOffDeleteBrowsingHistoryFuncti
onality_LocalComputer              oval:gov.nist.fdcc.ie7:def:458



TurnOffManagingPhishingFilter_Loca
lComputer                          oval:gov.nist.fdcc.ie7:def:501



TurnOffSecuritySettingsCheckFeatur
e_LocalComputer                    oval:gov.nist.fdcc.ie7:def:916



AllowActiveContentFromCD_LocalCo
mputer                           oval:gov.nist.fdcc.ie7:def:400


AllowThird-
PartyBrowserExtensions_LocalComp
uter                             oval:gov.nist.fdcc.ie7:def:110



AutomaticallyCheckIEUpdates_Local
Computer                          oval:gov.nist.fdcc.ie7:def:656




CheckServerCertificateRevocation_L
ocalComputer                       oval:gov.nist.fdcc.ie7:def:172




access_data_sources_across_domai
ns_internet_zone_local_computer  oval:gov.nist.fdcc.ie7:def:674




AllowDragDropOrCopyPasteFiles_Int
ernetZone_LocalComputer           oval:gov.nist.fdcc.ie7:def:1083
AllowFontDownloads_InternetZone_L
ocalComputer                      oval:gov.nist.fdcc.ie7:def:524




AllowInstallationOfDesktopItems_Inte
rnetZone_LocalComputer               oval:gov.nist.fdcc.ie7:def:223



AllowScriptInitiatedWindowsWithoutS
izeOrPositionConstraints_InternetZon
e_LocalComputer                      oval:gov.nist.fdcc.ie7:def:589




allow_scriptlets_internet_zone_local_
computer                              oval:gov.nist.fdcc.ie7:def:1043




allow_status_bar_updates_via_script
_internet_zone_local_computer       oval:gov.nist.fdcc.ie7:def:226




AutomaticPromptingFileDownloads_I
nternetZone_LocalComputer         oval:gov.nist.fdcc.ie7:def:1113




download_signed_activex_controls_I
nternetZone_LocalComputer          oval:gov.nist.fdcc.ie7:def:1199




DownloadUnsignedActiveXControls_I
nternetZone_LocalComputer         oval:gov.nist.fdcc.ie7:def:391
InitializeScriptActiveXControlsNotMar
kedAsSafe_InternetZone_LocalCom
puter                                 oval:gov.nist.fdcc.ie7:def:1040




java_permissions_internet_zone_loc
al_computer                        oval:gov.nist.fdcc.ie7:def:1174




LaunchingApplicationsAndFilesInIFR
AME_InternetZone_LocalComputer oval:gov.nist.fdcc.ie7:def:611




LogonOptions_InternetZone_LocalCo
mputer                            oval:gov.nist.fdcc.ie7:def:691




LooseXAMLFiles_InternetZone_Loca
lComputer                        oval:gov.nist.fdcc.ie7:def:240



navigate_sub_frames_across_differe
nt_domains_Internet_zone_local_co
mputer                             oval:gov.nist.fdcc.ie7:def:612




OpenFilesBasedOnContent_Internet
Zone_LocalComputer               oval:gov.nist.fdcc.ie7:def:953
SoftwareChannelPermissions_Intern
etZone_LocalComputer              oval:gov.nist.fdcc.ie7:def:302



UsePop-
upBlocker_InternetZone_LocalComp
uter                             oval:gov.nist.fdcc.ie7:def:1179




UserdataPersistence_InternetZone_L
ocalComputer                       oval:gov.nist.fdcc.ie7:def:1108



WebSitesInLessPrivilegedWebConte
ntZonesCanNavigateIntoThisZone_In
ternetZone_LocalComputer          oval:gov.nist.fdcc.ie7:def:265




display_mixed_content_locked_down
_internet_zone_local_computer     oval:gov.nist.fdcc.ie7:def:245




display_mixed_content_intranet_zon
e_local_computer                   oval:gov.nist.fdcc.ie7:def:1166



display_mixed_content-
LockedDownintranet_zone_local_co
mputer                              oval:gov.nist.fdcc.ie7:def:247
display_mixed_content-
local_machine_zone_local_computer oval:gov.nist.fdcc.ie7:def:383



display_mixed_content-
LockedDownlocal_machine_zone_lo
cal_computer                    oval:gov.nist.fdcc.ie7:def:418




AccessDataSourcesAcrossDomains_
RestrictedSitesZone_LocalComputer oval:gov.nist.fdcc.ie7:def:652




AllowActiveScripting_RestrictedSites
Zone_LocalComputer                   oval:gov.nist.fdcc.ie7:def:293




AllowBinaryAndScriptBehaviors_Rest
rictedSitesZone_LocalComputer      oval:gov.nist.fdcc.ie7:def:365




AllowDragDropOrCopyPasteFiles_Re
strictedSitesZone_LocalComputer  oval:gov.nist.fdcc.ie7:def:498




AllowFileDownloads_RestrictedSites
Zone_LocalComputer                 oval:gov.nist.fdcc.ie7:def:1184




AllowFontDownloads_RestrictedSites
Zone_LocalComputer                 oval:gov.nist.fdcc.ie7:def:1109
AllowInstallationOfDesktopItems_Re
strictedSitesZone_LocalComputer    oval:gov.nist.fdcc.ie7:def:251




AllowMETAREFRESH_RestrictedSit
esZone_LocalComputer           oval:gov.nist.fdcc.ie7:def:1218




AllowScriptInitiatedWindowsWithoutS
izeOrPositionConstraints_Restricted
SitesZone_LocalComputer             oval:gov.nist.fdcc.ie7:def:1234




AllowStatusBarUpdatesViaScript_Re
strictedSitesZone_LocalComputer   oval:gov.nist.fdcc.ie7:def:378




AutomaticPromptingFileDownloads_
RestrictedSitesZone_LocalComputer oval:gov.nist.fdcc.ie7:def:252




download_signed_activex_controls_
RestrictedSitesZone_LocalComputer oval:gov.nist.fdcc.ie7:def:1019




DownloadUnsignedActiveXControls_
RestrictedSitesZone_LocalComputer oval:gov.nist.fdcc.ie7:def:949
InitializeScriptActiveXControlsNotMar
kedAsSafe_RestrictedSitesZone_Loc
alComputer                            oval:gov.nist.fdcc.ie7:def:273




java_permissions_RestrictedSitesZo
ne_LocalComputer                   oval:gov.nist.fdcc.ie7:def:824



LaunchingApplicationsAndFilesInIFR
AME_RestrictedSitesZone_LocalCo
mputer                             oval:gov.nist.fdcc.ie7:def:274




LogonOptions_RestrictedSitesZone_
LocalComputer                     oval:gov.nist.fdcc.ie7:def:326




LooseXAMLFiles_RestrictedSitesZon
e_LocalComputer                   oval:gov.nist.fdcc.ie7:def:275



NavigateSub-
framesAcrossDifferentDomains_Rest
rictedSitesZone_LocalComputer     oval:gov.nist.fdcc.ie7:def:1229




OpenFilesBasedOnContent_Restrict
edSitesZone_LocalComputer        oval:gov.nist.fdcc.ie7:def:706
RunNETFrameworkReliantCompone
ntsNotSignedWithAuthenticode_Rest
rictedSitesZone_LocalComputer     oval:gov.nist.fdcc.ie7:def:329



RunNETFrameworkReliantCompone
ntsSignedWithAuthenticode_Restrict
edSitesZone_LocalComputer          oval:gov.nist.fdcc.ie7:def:276




RunActiveXControlsAndPlugins_Rest
rictedSitesZone_LocalComputer     oval:gov.nist.fdcc.ie7:def:571



ScriptActiveXControlsMarkedSafeFor
Scripting_RestrictedSitesZone_Local
Computer                            oval:gov.nist.fdcc.ie7:def:602




ScriptingOfJavaApplets_RestrictedSit
esZone_LocalComputer                 oval:gov.nist.fdcc.ie7:def:280




SoftwareChannelPermissions_Restri
ctedSitesZone_LocalComputer       oval:gov.nist.fdcc.ie7:def:290



UsePop-
upBlocker_RestrictedSitesZone_Loc
alComputer                        oval:gov.nist.fdcc.ie7:def:1100




UserdataPersistence_RestrictedSites
Zone_LocalComputer                  oval:gov.nist.fdcc.ie7:def:300
WebSitesInLessPrivilegedWebConte
ntZonesCanNavigateIntoThisZone_R
estrictedSitesZone_LocalComputer oval:gov.nist.fdcc.ie7:def:1219




display_mixed_content-
LockedDownRestrictedSitesZone_Lo
calComputer                      oval:gov.nist.fdcc.ie7:def:314




display_mixed_content_trusted_sites
_zone_local_computer                oval:gov.nist.fdcc.ie7:def:1153




display_mixed_content_LockedDown
trusted_sites_zone_local_computer oval:gov.nist.fdcc.ie7:def:1183




EnableNativeXMLHttpSupport_Local
Computer                         oval:gov.nist.fdcc.ie7:def:338



TurnOnAutoCompleteFeatureForUse
rNamesAndPasswords_LocalUser    oval:gov.nist.fdcc.ie7:def:645


allow_install_on_demand_ie_local_c
omputer                            oval:gov.nist.fdcc.ie7:def:9999



TurnOffPageTransitions_LocalUser     oval:gov.nist.fdcc.ie7:def:1206
DisableAutoCompleteForForms_Loc
alUser                          oval:gov.nist.fdcc.ie7:def:1516




DisableExternalBrandingOfIE_LocalU
ser                                oval:gov.nist.fdcc.ie7:def:1384

configure_outlook_express_local_us
er                                 oval:gov.nist.fdcc.ie7:def:1238


TurnOnInternetConnectionWizardAut
oDetect_LocalUser                 oval:gov.nist.fdcc.ie7:def:604


DisableInternetConnectionWizard_Lo
calUser                            oval:gov.nist.fdcc.ie7:def:1355


DisableResetWebSettingsFeature_L
ocalUser                         oval:gov.nist.fdcc.ie7:def:1437
java_permissions_LockedDownintran
et_zone_local_computer            oval:gov.nist.fdcc.ie7:def:2039




java_permissions_local_machine_zo
ne_local_computer                 oval:gov.nist.fdcc.ie7:def:1422




java_permissions_LockedDownlocal
_machine_zone_local_computer     oval:gov.nist.fdcc.ie7:def:1986




site_to_zone_assignment_list_local_
computer                            oval:gov.nist.fdcc.ie7:def:9998
TurnOnProtectedMode_InternetZone
_LocalComputer                   oval:gov.nist.fdcc.ie7:def:111999




java_permissions_intranet_zone_loc
al_computer                        oval:gov.nist.fdcc.ie7:def:1883


download_signed_activex_controls_l
ocked_down_internet_zone_local_co
mputer                             oval:gov.nist.fdcc.ie7:def:24599




java_permissions_locked_down_inter
net_zone_local_computer            oval:gov.nist.fdcc.ie7:def:1419




java_permissions_LockedDownRestr
ictedSitesZone_LocalComputer     oval:gov.nist.fdcc.ie7:def:1753


AllowStatusBarUpdatesViaScript_Loc
kedDowntrusted_sites_zone_local_c
omputer                            oval:gov.nist.fdcc.ie7:def:118399




java_permissions_LockedDowntruste
d_sites_zone_local_computer       oval:gov.nist.fdcc.ie7:def:1699




TurnOnProtectedMode_RestrictedSit
esZone_LocalComputer              oval:gov.nist.fdcc.ie7:def:62199
java_permissions_trusted_sites_zon
e_local_computer                   oval:gov.nist.fdcc.ie7:def:1379
                                                 CCE
  CCE ID       CCE Description
                                              Parameters




            The "Disable VBA for
            Office applications" setting
            should be configured
CCE-116-4   correctly.                   enabled/disabled




                                            1 = Do not prompt | 4
                                            = Prompt user to use
            The "ActiveX Control            control defaults | 6 =
            Initialization:" setting should Prompt user to use
CCE-908-4   be configured correctly.        persisted data

            The "Enable Customer
            Experience Improvement
            Program" setting should be
CCE-184-2   configured correctly.      enabled/disabled

            The "Enable Customer
            Experience Improvement
            Program" setting should be
CCE-276-6   configured correctly.      enabled/disabled
                                       0 = Never show
                                       online content or
                                       entry points | 1 =
                                       Search only offline
                                       content whenever
                                       available | 2 =
            The "Online content        Search online
            options" setting should be content whenever
CCE-967-0   configured correctly.      available
                                        1 = No Security
                                        checks for macros |
                                        2 = Trust Bar
                                        warning for all
                                        macros | 3 = Trust
                                        Bar warning for
                                        digitally signed
            The "VBA Macro Warning macros only | 4 = No
            Settings" setting should be Warnings for all
            configured correctly for    macros but disable
CCE-427-5   Access 2007.                all macros

                                        1 = No Security
                                        checks for macros |
                                        2 = Trust Bar
                                        warning for all
                                        macros | 3 = Trust
                                        Bar warning for
                                        digitally signed
            The "VBA Macro Warning macros only | 4 = No
            Settings" setting should be Warnings for all
            configured correctly for    macros but disable
CCE-649-4   Excel 2007.                 all macros




            The "Trust access to Visual
            Basic Project" setting
            should be configured
            correctly for Excel 2007
CCE-862-3   and 2003.                   enabled/disabled
                                        1 = No Security
                                        checks for macros |
                                        2 = Trust Bar
                                        warning for all
                                        macros | 3 = Trust
                                        Bar warning for
                                        digitally signed
            The "VBA Macro Warning macros only | 4 = No
            Settings" setting should be Warnings for all
            configured correctly for    macros but disable
CCE-567-8   PowerPoint 2007.            all macros

            The "Trust access to Visual
            Basic Project" setting
            should be configured
            correctly for PowerPoint
CCE-68-7    2007.                       enabled/disabled

            The "Disable Remember
            Passwords" setting should
            be configured correctly for
CCE-537-1   Outlook 2007.               enabled/disabled
                                        0 = Trust all or use
                                        Exchange settings if
                                        present | 1 = Trust
                                        all loaded and
                                        installed COM
            The "Configure Add-In       addins | 2 = Do
            Trust Level" setting should NOT trust loaded
            be configured correctly for and installed COM
CCE-786-4   Outlook 2007.               addins
            DEPRECATED in favor of
CCE-937-3   CCE-537-1.



            The "Minimum encryption
            settings" setting should be
CCE-13-3    configured correctly.       enabled/disabled

            The "Do not check e-mail
            address against address of
            certificates being using"
            setting should be
CCE-316-0   configured correctly.      enabled/disabled
            The "Send all signed
            messages as clear signed
            messages" setting should
CCE-14-1    be configured correctly.   enabled/disabled

            The "Request an S/MIME
            receipt for all S/MIME
            signed messages" setting
            should be configured
CCE-153-7   correctly.                 enabled/disabled




            The "Do not display
            'Publish to GAL' button"
            setting should be
CCE-345-9   configured correctly.      enabled/disabled




                                       0 = Let user decide if
                                       they want to be
                                       warned | 1 = Always
                                       warn about invalid
            The "Signature Warning"    signatures | 2 =
            setting should be          Never warn about
CCE-700-5   configured correctly.      invalid signatures
            The "Enable Cryptography
            Icons" setting should be
CCE-695-7   configured correctly.    enabled/disabled


                                        0 = Use system
                                        Default | 1 = When
            The "Retrieving CRLs        online always
            (Certificate Revocation     retreive the CRL | 2
            Lists)" setting should be   = Never retreive the
CCE-395-4   configured correctly.       CRL
                                        1 = No Security
                                        checks for macros |
                                        2 = Trust Bar
                                        warning for all
                                        macros | 3 = Trust
                                        Bar warning for
                                        digitally signed
            The "VBA Macro Warning macros only | 4 = No
            Settings" setting should be Warnings for all
            configured correctly for    macros but disable
CCE-659-3   Word 2007.                  all macros




            The "Trust access to Visual
            Basic Project" setting
            should be configured
            correctly for Word 2007
CCE-703-9   and 2003.                   enabled/disabled
             The "Warn before printing,
             saving or sending a file that
             contains tracked changes
             or comments" setting
             should be configured
CCE-173-5    correctly.                    enabled/disabled

             The "Block updates from
             the Office Update Site from
             applying" setting should be
CCE-784-9    configured correctly.          enabled/disabled
             The "Underline hyperlinks"     enabled/disabled
             setting should be
             configured correctly for
CCE-1395-3   Access 2007.
             The "Number of                 enabled/disabled
             documents in the Recent
             Documents list (0-9)"
             setting should be
             configured correctly for
CCE-1137-9   Access 2007.
             The "Disable Trust Bar         enabled/disabled
             Notification for unsigned
             application add-ins" setting
             should be configured
             correctly for Access 2007.
CCE-1423-3
             The "Disable all application enabled/disabled
             add-ins" setting should be
             configured correctly for
             Access 2007.
CCE-1238-5
             The "Require that            enabled/disabled
             application add-ins are
             signed by Trusted
             Publisher" setting should
             be configured correctly for
CCE-1476-1   Access 2007.
             The "Disable all trusted     enabled/disabled
             locations" setting should be
             configured correctly for
             Access 2007.

CCE-1520-6
             The "Allow Trusted            enabled/disabled
             Locations not on the
             computer" setting should
             be configured correctly for
             Access 2007.

CCE-780-7
             The "Modal Trust Decision enabled/disabled
             Only" setting should be
             configured correctly for
             Access 2007.

CCE-1214-6
             The "Disable commands"        enabled/disabled
             setting should be
             configured correctly for
             Access 2007.
CCE-1370-6
             The "Disable commands -       enabled/disabled
             Office Button | E-Mail"
             setting should be
             configured correctly for
             Access 2007.
CCE-1268-2
             The "Disable commands - enabled/disabled
             Office Button | Access
             Options | Customize | All
             Commands | Insert
             Hyperlink" setting should
             be configured correctly for
CCE-1400-1   Access 2007.
             The "Disable commands - enabled/disabled
             Database Tools | Database
             Tools | Encrypt with
             Password" setting should
             be configured correctly for
             Access 2007.
CCE-1440-7
             The "Disable commands - enabled/disabled
             Database Tools |
             Administer | Users and
             Permission | User and
             Group Permissions" setting
             should be configured
             correctly for Access 2007.
CCE-581-9
             The "Disable commands -       enabled/disabled
             Database Tools |
             Administer | Users and
             Permissions | User and
             Group Accounts" setting
             should be configured
             correctly for Access 2007.
CCE-1480-3
             The "Disable commands -       enabled/disabled
             Database Tools |
             Administer | Users and
             Permission | User-Level
             Security Wizard..." setting
             should be configured
             correctly for Access 2007.
CCE-1489-4
             The "Disable commands - enabled/disabled
             Database Tools | Database
             Tools | Encode/Decode
             Database" setting should
             be configured correctly for
             Access 2007.
CCE-1392-0
             The "Disable commands - enabled/disabled
             Database Tools | Macro |
             Visual Basic" setting should
             be configured correctly for
             Access 2007.
CCE-1414-2
             The "Disable commands - enabled/disabled
             Database Tools | Macro |
             Run Macro" setting should
             be configured correctly for
             Access 2007.
CCE-1418-3
             The "Database Tools |        enabled/disabled
             Macro | Convert Macros to
             Visual Basic" setting should
             be configured correctly for
             Access 2007.
CCE-1405-0
             The "Database Tools |         enabled/disabled
             Macro | Create Shortcut
             Menu from Macro" setting
             should be configured
             correctly for Access 2007.
CCE-1550-3
             The "Disable shortcut keys" enabled/disabled
             setting should be
             configured correctly for
             Access 2007.
CCE-1075-1
             The "Disable commands - enabled/disabled
             Ctrl+K (Office Button |
             Access Options |
             Customize | All Commands
             | Insert Hyperlinks)" setting
             should be configured
             correctly for Access 2007.

CCE-709-6
             The "Disable commands - enabled/disabled
             Alt+F11 (Database Tools |
             Macro | Visual Basic)"
             setting should be
             configured correctly for
CCE-1502-4   Access 2007.
             The "Default file format    enabled/disabled
             (Access 2007 | Access
             2002-2003)" setting should
             be configured correctly for
             Access 2007.
CCE-1260-9
             The "Do not prompt to        enabled/disabled
             convert older databases"
             setting should be
             configured correctly for
CCE-1510-7   Access 2007.
             The "Internet and network enabled/disabled
             paths as hyperlinks" setting
             should be configured
             correctly for Excel 2007.

CCE-1532-1
             The "Save Excel files as   enabled/disabled
             (Excel Workbook (*.xlsx) |
             Excel Macro-Enabled
             Workbook (*.xlsm) | Excel
             Binary Workbook (*.xlsb) |
             Web Page (*.htm; *.html) |
             Excel 97-2003 Workbook
             (*.xls) | Excel 5.0/95
             Workbook (*.xls))" setting
             should be configured
             correctly for Excel 2007.
CCE-1039-7
             The "Disable                enabled/disabled
             AutoRepublish" setting
             should be configured
CCE-1295-5   correctly for Excel 2007.
             The "AutoRepublish          enabled/disabled
             Warning Alert (Always
             show the alert before
             publishing | Never show the
             alert before publishing)"
             setting should be
             configured correctly for
CCE-1334-2   Excel 2007.
             The "Determine whether to enabled/disabled
             force encrypted macros to
             be scanned in Microsoft
             Excel Open XML
             workbooks" setting should
             be configured correctly
CCE-1308-6
             The "Force file extension to enabled/disabled
             match file type (Allow
             different | Allow different,
             but warn | Always match
             file type)" setting should be
             configured correctly for
CCE-616-3    Excel 2007.
             The "Store macro in           enabled/disabled
             Personal Macro Workbook
             by default" setting should
             be configured correctly
CCE-1246-8
             The "Disable all application enabled/disabled
             add-ins" setting should be
             configured correctly for
             Excel 2007.
CCE-1251-8
             The "Require that            enabled/disabled
             application add-ins are
             signed by Trusted
             Publisher" setting should
             be configured correctly for
CCE-1524-8   Excel 2007.
             The "Disable Trust Bar       enabled/disabled
             Notification for unsigned
             application add-ins" setting
             should be configured
             correctly for Excel 2007.
CCE-1422-5
             The "Allow Trusted            enabled/disabled
             Locations not on the
             computer" setting should
             be configured correctly for
             Excel 2007.
CCE-1444-9
             The "Disable all trusted     enabled/disabled
             locations" setting should be
             configured correctly for
             Excel 2007.
CCE-1449-8
             The "Ignore other             enabled/disabled
             applications " setting
             should be configured
             correctly for Excel 2007.
CCE-1471-2
             The "Ask to update          enabled/disabled
             automatic links" setting
             should be configured
CCE-1119-7   correctly for Excel 2007.
             The "Number of              enabled/disabled
             documents in the Recent
             Documents list (0-17)"
             setting should be
             configured correctly for
CCE-1378-9   Excel 2007.
             The "Save any additional    enabled/disabled
             data necessary to maintain
             formulas" setting should be
             configured correctly for
             Excel 2007.
CCE-1277-3
             The "Load pictures from       enabled/disabled
             Web pages not created in
             Excel" setting should be
             configured correctly for
CCE-1464-7   Excel 2007.
             The "Do not show data         enabled/disabled
             extraction options when
             opening corrupt
             workbooks" setting should
             be configured correctly for
CCE-1094-2   Excel 2007.
             The "Assume structured        enabled/disabled
             storage format of workbook
             is intact when recovering
             data" setting should be
             configured correctly for
CCE-1129-6   Excel 2007.
             The "Corrupt formula          enabled/disabled
             conversion (Convert
             unrecoverable references
             to: values | #REF or
             #NAME)" setting should be
             configured correctly for
CCE-1389-6   Excel 2007.
             The "Connection File          enabled/disabled
             Locations" setting should
             be configured correctly for
             Excel 2007.
CCE-1433-2
             The "Automatic Query        enabled/disabled
             Refresh (Prompt for all
             workbooks | Do not prompt;
             do not allow auto refresh |
             Do not prompt; allow auto
             refresh)" setting should be
             configured correctly for
             Excel 2007.
CCE-1323-5
             The "Disable commands"        enabled/disabled
             setting should be
             configured correctly for
             Excel 2007.
CCE-1469-6
             The "Disable commands - enabled/disabled
             Office Button | Excel
             Options | Customize | All
             Commands | Save as Web
             Page" setting should be
             configured correctly for
CCE-1473-8   Excel 2007.
             The "Disable commands - enabled/disabled
             Office Button | Excel
             Options | Customize | All
             Commands | Web Page
             Preview" setting should be
             configured correctly for
CCE-1499-3   Excel 2007.
             The "Disable commands - enabled/disabled
             Office Button | Send |
             Email" setting should be
             configured correctly for
             Excel 2007.
CCE-1024-9
             The "Disable commands -       enabled/disabled
             Insert | Links | Hyperlink"
             setting should be
             configured correctly for
             Excel 2007.
CCE-1530-5
             The "Disable commands - enabled/disabled
             Review | Changes | Protect
             Sheet" setting should be
             configured correctly for
             Excel 2007.
CCE-1120-5
             The "Disable commands - enabled/disabled
             Review | Changes | Protect
             Workbook" setting should
             be configured correctly for
             Excel 2007.
CCE-1252-6
             The "Disable commands - enabled/disabled
             Review | Changes | Protect
             and Share Workbook"
             setting should be
             configured correctly for
CCE-1151-0   Excel 2007.
             The "Disable commands - enabled/disabled
             View | Macros | Macros"
             setting should be
             configured correctly for
             Excel 2007.
CCE-1301-1
             The "Disable commands - enabled/disabled
             Developer | Code | Macros"
             setting should be
             configured correctly for
             Excel 2007.
CCE-1310-2
             The "Disable commands - enabled/disabled
             Developer | Code | Record
             Macro" setting should be
             configured correctly for
             Excel 2007.
CCE-1213-8
             The "Disable commands - enabled/disabled
             Developer | Code | Macro
             Security" setting should be
             configured correctly for
             Excel 2007.
CCE-1362-3
             The "Disable commands -     enabled/disabled
             Developer | Code | Visual
             Basic" setting should be
             configured correctly for
             Excel 2007.
CCE-1156-9
             The "Disable commands - enabled/disabled
             Office Button | Excel
             Options | Customize | All
             Commands | Document
             Location" setting should be
             configured correctly for
CCE-1429-0   Excel 2007.
             The "Disable shortcut keys" enabled/disabled
             setting should be
             configured correctly for
             Excel 2007.
CCE-1182-5
             The "Disable shortcut keys - enabled/disabled
             Ctrl+K (Insert | Links |
             Hyperlink)" setting should
             be configured correctly for
             Excel 2007.
CCE-1525-5
             The "Disable shortcut keys - enabled/disabled
             Alt+F8 (Developer | Code |
             Macros)" setting should be
             configured correctly for
             Excel 2007.
CCE-1547-9
             The "Disable shortcut keys - enabled/disabled
             Alt+F11 (Developer | Code
             | Visual Basic)" setting
             should be configured
             correctly for Excel 2007.
CCE-1300-3
             The "Block opening of pre- enabled/disabled
             release versions of file
             formats new to Excel 2007"
             setting should be
             configured correctly for
CCE-1331-8   Excel 2007.
             The "Block opening of         enabled/disabled
             Open XML file types"
             setting should be
             configured correctly for
CCE-1468-8   Excel 2007.
             The "Block opening of         enabled/disabled
             Binary 12 file types" setting
             should be configured
             correctly for Excel 2007.
CCE-1490-2
             The "Block opening of        enabled/disabled
             Binary file types" setting
             should be configured
             correctly for Excel 2007.
CCE-1512-3
             The "Block opening of Html enabled/disabled
             and Xmlss files types"
             setting should be
             configured correctly for
CCE-1543-8   Excel 2007.
             The "Block opening of Xml enabled/disabled
             file types" setting should be
             configured correctly for
             Excel 2007.
CCE-1195-7
             The "Block opening of DIF enabled/disabled
             and SYLK file types" setting
             should be configured
             correctly for Excel 2007.
CCE-554-6
             The "Block opening of Text enabled/disabled
             file types" setting should be
             configured correctly for
             Excel 2007.
CCE-1415-9
             The "Block opening of Xll      enabled/disabled
             file type" setting should be
             configured correctly for
             Excel 2007.
CCE-1437-3
             The "Block saving of Open enabled/disabled
             Xml file types" setting
             should be configured
             correctly for Excel 2007.
CCE-1446-4
             The "Block saving of         enabled/disabled
             Binary12 file types" setting
             should be configured
             correctly for Excel 2007.
CCE-1098-3
             The "Block saving of Binary enabled/disabled
             file types" setting should be
             configured correctly for
             Excel 2007.
CCE-562-9
             The "Block saving of Html      enabled/disabled
             and Xmlss file types"
             setting should be
             configured correctly for
CCE-1507-3   Excel 2007.
             The "Block saving Xml file     enabled/disabled
             types" setting should be
             configured correctly for
             Excel 2007.
CCE-1406-8
             The "Block saving DIF and enabled/disabled
             SYLK file types" setting
             should be configured
             correctly for Excel 2007.
CCE-573-6
             The "Block saving of Text enabled/disabled
             file types" setting should be
             configured correctly for
             Excel 2007.
CCE-1336-7
             The "Locally cache network enabled/disabled
             file storages" setting should
             be configured correctly for
             Excel 2007.
CCE-1230-2
             The "Locally cache          enabled/disabled
             PivotTable reports" setting
             should be configured
             correctly for Excel 2007.
CCE-1375-5
             The "OLAP PivotTable           enabled/disabled
             User Defined Function
             (UDF) security setting
             (Allow ALL UDFs | Allow
             safe UDFs only | Allow NO
             UDFs)" setting should be
             configured correctly for
CCE-1380-5   Excel 2007.
             The "Recognize                 enabled/disabled
             SmartTags" setting should
             be configured correctly for
CCE-1376-3   Excel 2007.
             The "Number of                 enabled/disabled
             documents in the Recent
             Documents list (0 - 9)"
             setting should be
             configured correctly for
CCE-1398-7   InfoPath 2007.
             The "Offline Mode status       enabled/disabled
             (Disabled | Enabled,
             InfoPath in Offline Mode |
             Enabled, InfoPath not in
             Offline Mode)" setting
             should be configured
             correctly for InfoPath 2007.
CCE-569-4
             The "Disable commands"         enabled/disabled
             setting should be
             configured correctly for
             InfoPath 2007.
CCE-1065-2
             The "Disable commands -        enabled/disabled
             File | Print" setting should
             be configured correctly for
             InfoPath 2007.
CCE-1361-5
             The "Disable commands -       enabled/disabled
             File | Send to Mail
             Recipient" setting should
             be configured correctly for
             InfoPath 2007.
CCE-1096-7
             The "Disable commands - enabled/disabled
             File | Open from
             SharePoint Site" setting
             should be configured
             correctly for InfoPath 2007.
CCE-1391-2
             The "Disable commands - enabled/disabled
             File | Print Preview" setting
             should be configured
             correctly for InfoPath 2007.

CCE-1519-8
             The "Disable commands - enabled/disabled
             File | Page Setup" setting
             should be configured
             correctly for InfoPath 2007.

CCE-1523-0
             The "Disable commands -       enabled/disabled
             Insert | Hyperlinks..."
             setting should be
             configured correctly for
             InfoPath 2007.
CCE-1171-8
             The "Disable commands -       enabled/disabled
             Tools | Set Language"
             setting should be
             configured correctly for
             InfoPath 2007.
CCE-1457-1
             The "Disable commands -       enabled/disabled
             Tools | Customize..."
             setting should be
             configured correctly for
             InfoPath 2007.
CCE-1426-6
             The "Disable commands - enabled/disabled
             Tools | Options..." setting
             should be configured
             correctly for InfoPath 2007.

CCE-805-2
             The "Disable commands -       enabled/disabled
             Help | Microsoft Office
             Online" setting should be
             configured correctly for
             InfoPath 2007.
CCE-1453-0
             The "Disable commands - enabled/disabled
             Office Diagnostics" setting
             should be configured
             correctly for InfoPath 2007.

CCE-1351-6
             The "Disable commands -       enabled/disabled
             Help | Activate Product..."
             setting should be
             configured correctly for
             InfoPath 2007.
CCE-620-5
             The "Disable commands - enabled/disabled
             Print Default" setting
             should be configured
             correctly for InfoPath 2007.
CCE-1017-3
             The "Disable shortcut keys" enabled/disabled
             setting should be
             configured correctly for
             InfoPath 2007.
CCE-1021-5
             The "Disable shortcut keys - enabled/disabled
             Print Shortcut (Ctrl+P)"
             setting should be
             configured correctly for
             InfoPath 2007.
CCE-1299-7
             The "Disable shortcut keys - enabled/disabled
             Insert Hyperlink Shortcut
             (Ctrl+K)" setting should be
             configured correctly for
             InfoPath 2007.
CCE-1197-3
             The "Control behavior for enabled/disabled
             Windows SharePoint
             Services gradual upgrade
             (Allow redirections to any
             location | Allow redirections
             to Intranet only | Block all
             redirections)" setting
             should be configured
             correctly for InfoPath 2007.

CCE-704-7
             The "Disable opening of      enabled/disabled
             solutions from the Internet
             security zone" setting
             should be configured
             correctly for InfoPath 2007.
CCE-1105-6
             The "Disable fully trusted   enabled/disabled
             solutions full access to
             computer" setting should
             be configured correctly for
`            InfoPath 2007.
             The "Allow the use of        enabled/disabled
             ActiveX Custom Controls in
             InfoPath forms" setting
             should be configured
             correctly for InfoPath 2007.
CCE-761-7
             The "Run forms in            enabled/disabled
             restricted mode if they do
             not specify a publish
             location and use only
             features introduced before
             InfoPath 2003 SP1" setting
             should be configured
             correctly for InfoPath 2007.
CCE-739-3
             The "Allow file types as        enabled/disabled
             attachments to forms"
             setting should be
             configured correctly for
CCE-1259-1   InfoPath 2007.
             The "Block specific file        enabled/disabled
             types as attachments to
             forms" setting should be
             configured correctly for
CCE-1267-4   InfoPath 2007.
             The "Prevent users from         enabled/disabled
             allowing unsafe file types to
             be attached to forms"
             setting should be
             configured correctly for
CCE-1060-3   InfoPath 2007.
             The "Display a warning that     enabled/disabled
             a form is digitally signed"
             setting should be
             configured correctly for
CCE-955-5    InfoPath 2007.
             The "Control behavior     enabled/disabled
             when opening forms in the
             Internet security zone
             (Block | Prompt | Allow)"
             setting should be
             configured correctly for
CCE-1479-5   InfoPath 2007.
             The "Control behavior     enabled/disabled
             when opening forms in the
             Intranet security zone
             (Block | Prompt | Allow)"
             setting should be
             configured correctly for
CCE-1360-7   InfoPath 2007.
             The "Control behavior     enabled/disabled
             when opening forms in the
             Local Machine security
             zone (Block | Prompt |
             Allow)" setting should be
             configured correctly for
             InfoPath 2007.
CCE-1386-2
             The "Control behavior        enabled/disabled
             when opening forms in the
             Trusted Site security zone
             (Block | Prompt | Allow)"
             setting should be
             configured correctly for
CCE-893-8    InfoPath 2007.
             The "Beaconing UI for        enabled/disabled
             forms opened in InfoPath
             (Never show beaconing UI
             | Always show beaconing
             UI | Show UI if Form
             Template is from Internet
             Zone)" setting should be
             configured correctly for
CCE-1290-6   InfoPath 2007.
             The "Beaconing UI for        enabled/disabled
             forms opened in InfoPath
             Editor ActiveX (Never show
             beaconing UI | Always
             show beaconing UI | Show
             UI if Form Template is from
             Internet Zone)" setting
             should be configured
             correctly for InfoPath 2007.
CCE-1381-3
             The "Disable all application enabled/disabled
             add-ins" setting should be
             configured correctly for
             InfoPath 2007.
CCE-1135-3
             The "Require that            enabled/disabled
             application add-ins are
             signed by Trusted
             Publisher" setting should
             be configured correctly for
CCE-1157-7   InfoPath 2007.
             The "Disable Trust Bar       enabled/disabled
             Notification for unsigned
             application add-ins" setting
             should be configured
             correctly for InfoPath 2007.
CCE-1434-0
             The "Control behavior       enabled/disabled
             when opening InfoPath e-
             mail forms containing code
             or script (Run without
             prompting | Prompt before
             running | Never run)"
             setting should be
             configured correctly for
CCE-1315-1   InfoPath 2007.
             The "Disable sending form enabled/disabled
             template with e-mail forms"
             setting should be
             configured correctly for
             InfoPath 2007.
CCE-1210-4
             The "Disable dynamic        enabled/disabled
             caching of the form
             template in InfoPath e-mail
             forms" setting should be
             configured correctly for
             InfoPath 2007.
CCE-1236-9
             The "Disable sending        enabled/disabled
             InfoPath 2003 Forms as e-
             mail forms" setting should
             be configured correctly for
             InfoPath 2007.
CCE-884-7
             The "Disable e-mail forms enabled/disabled
             running in restricted
             security level" setting
             should be configured
             correctly for InfoPath 2007.
CCE-1518-0
             The "Disable e-mail forms enabled/disabled
             from the Internet security
             zone" setting should be
             configured correctly for
CCE-1170-0   InfoPath 2007.
             The "Disable e-mail forms enabled/disabled
             from the Intranet security
             zone" setting should be
             configured correctly for
CCE-1316-9   InfoPath 2007.
             The "Disable e-mail forms enabled/disabled
             from the Full Trust security
             zone" setting should be
             configured correctly for
             InfoPath 2007.
CCE-1567-7
             The "Disable InfoPath e-     enabled/disabled
             mail forms in Outlook"
             setting should be
             configured correctly for
CCE-1265-8   InfoPath 2007.
             The "Information Rights      enabled/disabled
             Management" setting
             should be configured
             correctly for InfoPath 2007.
CCE-1538-8
             The "Custom code" setting enabled/disabled
             should be configured
             correctly for InfoPath 2007.
CCE-1564-4
             The "Email Forms           enabled/disabled
             Beaconing UI (Never show
             UI | Always show UI | Show
             UI if XSN is in Internet
             Zone)" setting should be
             configured correctly for
             InfoPath 2007.
CCE-1212-0
             The "Disable user           enabled/disabled
             customization of Quick
             Access Toolbar via UI"
             setting should be
             configured correctly
CCE-1344-1
             The "Disable user           enabled/disabled
             customization of Quick
             Access Toolbar via UI -
             Disallow in Word" setting
             should be configured
CCE-723-7    correctly
             The "Disable user            enabled/disabled
             customization of Quick
             Access Toolbar via UI -
             Disallow in Excel" setting
             should be configured
CCE-1384-7   correctly
             The "Disable user            enabled/disabled
             customization of Quick
             Access Toolbar via UI -
             Disallow in PowerPoint"
             setting should be
             configured correctly
CCE-1159-3
             The "Disable user            enabled/disabled
             customization of Quick
             Access Toolbar via UI -
             Disallow in Access" setting
             should be configured
CCE-1146-0   correctly
             The "Disable user            enabled/disabled
             customization of Quick
             Access Toolbar via UI -
             Disallow in Outlook" setting
             should be configured
CCE-1542-0   correctly
             The "Disable all user        enabled/disabled
             customization of Quick
             Access Toolbar" setting
             should be configured
             correctly
CCE-582-7
             The "Disable all user      enabled/disabled
             customization of Quick
             Access Toolbar - Disallow
             in Word" setting should be
             configured correctly
CCE-1291-4
             The "Disable all user       enabled/disabled
             customization of Quick
             Access Toolbar - Disallow
             in Excel" setting should be
             configured correctly
CCE-1326-8
             The "Disable all user        enabled/disabled
             customization of Quick
             Access Toolbar - Disallow
             in PowerPoint" setting
             should be configured
CCE-1330-0   correctly
             The "Disable all user        enabled/disabled
             customization of Quick
             Access Toolbar - Disallow
             in Access" setting should
             be configured correctly
CCE-1335-9
             The "Disable all user        enabled/disabled
             customization of Quick
             Access Toolbar - Disallow
             in Outlook" setting should
             be configured correctly
CCE-1229-4
             The "Disable UI extending    enabled/disabled
             from documents and
             templates" setting should
             be configured correctly

CCE-630-4
             The "Disable UI extending    enabled/disabled
             from documents and
             templates - Disallow in
             Word" setting should be
             configured correctly
CCE-1154-4
             The "Disable UI extending    enabled/disabled
             from documents and
             templates - Disallow in
             Excel" setting should be
             configured correctly
CCE-1410-0
             The "Disable UI extending enabled/disabled
             from documents and
             templates - Disallow in
             PowerPoint" setting should
             be configured correctly
CCE-1432-4
             The "Disable UI extending    enabled/disabled
             from documents and
             templates - Disallow in
             Access" setting should be
             configured correctly
CCE-1198-1
             The "Disable UI extending enabled/disabled
             from documents and
             templates - Disallow in
             Outlook" setting should be
             configured correctly
CCE-929-0
             The "Recognize smart tags enabled/disabled
             in Excel" setting should be
             configured correctly


CCE-1074-4
             The "Disable Clip Art and enabled/disabled
             Media downloads from the
             client and from Office
             Online website" setting
             should be configured
CCE-1458-9   correctly
             The "Disable template      enabled/disabled
             downloads from the client
             and from Office Online
             website" setting should be
             configured correctly
CCE-1233-6
             The "Disable access to     enabled/disabled
             updates, add-ins, and
             patches on the Office
             Online website" setting
             should be configured
CCE-1379-7   correctly
             The "Prevents users from enabled/disabled
             uploading document
             templates to the Office
             Online community." setting
             should be configured
CCE-1401-9   correctly
             The "Disable training      enabled/disabled
             practice downloads from
             the Office Online website"
             setting should be
             configured correctly
CCE-1528-9
             The "Disable customer-      enabled/disabled
             submitted templates
             downloads from Office
             Online" setting should be
             configured correctly
CCE-1533-9
             The "Open Office            enabled/disabled
             documents as read/write
             while browsing" setting
             should be configured
             correctly
CCE-646-0
             The "Rely on VML for        enabled/disabled
             displaying graphics in
             browsers" setting should be
             configured correctly

CCE-1438-1
             The "Allow PNG as an           enabled/disabled
             output format" setting
             should be configured
             correctly
CCE-711-2
             The "Improve Proofing          enabled/disabled
             Tools" setting should be
             configured correctly

CCE-1292-2
             The "Disable Opt-in Wizard
             on first run" setting should
             be configured correctly.

CCE-1615-4                                  enabled/disabled
             The "Microsoft Office          enabled/disabled
             Online" setting should be
CCE-1191-6   configured correctly
             The "Disable Password      enabled/disabled
             Caching" setting should be
             configured correctly
CCE-1587-5
             The "Disable all Trust Bar     enabled/disabled
             notifications for security
             issues" setting should be
             configured correctly
CCE-1486-0
             The "Protect document     enabled/disabled
             metadata for rights
             managed Office Open XML
             Files" setting should be
CCE-1508-1   configured correctly
             The "Protect document     enabled/disabled
             metadata for password
             protected files." setting
             should be configured
CCE-1640-2   correctly
             The "Encryption type for  enabled/disabled
             password protected Office
             Open XML files" setting
             should be configured
CCE-1539-6   correctly
             The "Encryption type for    enabled/disabled
             password protected Office
             97-2003 files" setting
             should be configured
CCE-1561-0   correctly
             The "Load Controls in       enabled/disabled
             Forms3 (1 | 2 | 3 | 4)"
             setting should be
CCE-1068-6   configured correctly
             The "Automation Security enabled/disabled
             (Disable macros by default
             | Use application macro
             security level | Macros
             enabled)" setting should be
             configured correctly



CCE-1574-3
             The "Prevent Word and    enabled/disabled
             Excel from loading
             managed code extensions"
             setting should be
             configured correctly
CCE-1239-3
             The "Disable hyperlink      enabled/disabled
             warnings" setting should be
             configured correctly
CCE-1623-8
             The "Disable password to enabled/disabled
             open UI" setting should be
             configured correctly
CCE-1083-5
             The "Download Office        enabled/disabled
             Controls" setting should be
             configured correctly
CCE-1343-3
             The "Disable All ActiveX"   enabled/disabled
             setting should be
             configured correctly
CCE-1242-7
             The "Allow mix of policy    enabled/disabled
             and user locations" setting
             should be configured
             correctly
CCE-770-8
             The "Disable Smart          enabled/disabled
             Document's use of
             manifests" setting should
             be configured correctly
CCE-903-5
             The "Completely disable    enabled/disabled
             the Smart Documents
             feature in Word and Excel"
             setting should be
             configured correctly
CCE-1555-2
             The "Disable Internet Fax    enabled/disabled
             feature" setting should be
             configured correctly

CCE-1061-1
             The "Prevent users from      enabled/disabled
             changing permissions on
             rights managed content"
             setting should be
             configured correctly
CCE-1603-0
             The "Allow users with         enabled/disabled
             earlier versions of Office to
             read with browsers..."
             setting should be
             configured correctly
CCE-1612-1
             The "Always require users enabled/disabled
             to connect to verify
             permission" setting should
             be configured correctly
CCE-1493-6
             The "Always expand         enabled/disabled
             groups in Office when
             restricting permission for
             documents" setting should
             be configured correctly
CCE-1409-2
             The "Never allow users to enabled/disabled
             specify groups when
             restricting permission for
             documents" setting should
             be configured correctly
CCE-1589-1
             The "Disable Microsoft     enabled/disabled
             Passport service for
             content with restricted
             permission" setting should
             be configured correctly
CCE-1237-7
             The "Do not allow users to enabled/disabled
             upgrade Information Rights
             Management configuration"
             setting should be
             configured correctly
CCE-1404-3
             The "Key Usage Filtering"     enabled/disabled
             setting should be
CCE-1396-1   configured correctly
             The "EKU filtering" setting   enabled/disabled
             should be configured
             correctly
CCE-1167-6
             The "Legacy format            enabled/disabled
             signatures" setting should
             be configured correctly
CCE-1585-9
             The "Suppress Office       enabled/disabled
             Signing Providers (Enable
             Western and East Asian |
             Suppress default Western |
             Suppress default East
             Asian | Suppress both
             Western and East Asian)"
             setting should be
             configured correctly
CCE-1572-7
             The "Suppress external        enabled/disabled
             signature services menu
             item" setting should be
             configured correctly
CCE-1220-3
             The "Disable Check For        enabled/disabled
             Solutions" setting should
             be configured correctly
CCE-1634-5
             The "Disable inclusion of     enabled/disabled
             document properties in
             PDF and XPS output"
             setting should be
             configured correctly
CCE-1643-6
             The "Disable Document         enabled/disabled
             Information Panel" setting
             should be configured
             correctly
CCE-1546-1
             The "Document              enabled/disabled
             Information Panel
             Beaconing UI (Never show
             UI | Always show UI | Show
             UI if XSN is in Internet
             Zone)" setting should be
             configured correctly
CCE-1505-7
             The "Disable the Office     enabled/disabled
             client from polling the
             Office server for published
             links" setting should be
CCE-1545-3   configured correctly
             The "Block opening of pre- enabled/disabled
             release versions of file
             formats new to Word 2007
             through the Compatibility
             Pack for the 2007 Office
             system and Word 2007
             Open XML/Word 97-2003
             Format Converter" setting
             should be configured
             correctly
CCE-1549-5
             The "Block opening of pre- enabled/disabled
             release versions of file
             formats new to Excel 2007
             through the Compatibility
             Pack for the 2007 Office
             system and Excel 2007
             Converter" setting should
             be configured correctly
CCE-1431-6
             The "Block opening of pre- enabled/disabled
             release versions of file
             formats new to PowerPoint
             2007 through the
             Compatibility Pack for the
             2007 Office system and
             PowerPoint 2007
             Converter" setting should
CCE-1594-1   be configured correctly
             The "Control Blogging        enabled/disabled
             (Enabled | Only SharePoint
             blogs allowed | All blogging
             disabled)" setting should be
             configured correctly
CCE-1241-9
             The "Enable Smart         enabled/disabled
             Resume" setting should be
             configured correctly

CCE-1607-1
             The "Do not upload media    enabled/disabled
             files" setting should be
             configured correctly
CCE-752-6
             The "Disable hyperlinks to enabled/disabled
             web templates in File | New
             and task panes" setting
             should be configured
CCE-1166-8   correctly
             The "Prevent access to      enabled/disabled
             Web-based file storage"
             setting should be
             configured correctly
CCE-654-4
             The "Do not allow          enabled/disabled
             attachment previewing in
             Outlook" setting should be
             configured correctly for
CCE-1192-4   Outlook 2007.
             The "Read e-mail as plain enabled/disabled
             text" setting should be
             configured correctly for
             Outlook 2007.
CCE-791-4
             The "Read signed e-mail       enabled/disabled
             as plain text" setting should
             be configured correctly for
             Outlook 2007.
CCE-1456-3
             The "Prevent publishing to enabled/disabled
             Office Online" setting
             should be configured
             correctly for Outlook 2007.


CCE-1478-7
             The "Prevent publishing to enabled/disabled
             a DAV server" setting
             should be configured
             correctly for Outlook 2007.


CCE-1368-0
             The "Restrict level of       enabled/disabled
             calendar details users can
             publish (All options are
             available | Disables 'Full
             details' | Disables 'Full
             details' and 'Limited
             details')" setting should be
             configured correctly for
             Outlook 2007.
CCE-1641-0
             The "Access to published      enabled/disabled
             calendars" setting should
             be configured correctly for
             Outlook 2007.


CCE-1266-6
             The "Restrict upload          enabled/disabled
             method" setting should be
             configured correctly for
             Outlook 2007.


CCE-1399-5
             The "Hide Junk Mail UI"       enabled/disabled
             setting should be
             configured correctly for
             Outlook 2007.
CCE-1187-4
             The "Junk E-mail             enabled/disabled
             protection level (No
             Protection, Low, High,
             Trusted Lists Only)" setting
             should be configured
             correctly for Outlook 2007.
CCE-1588-3
             The "Trust E-mail from      enabled/disabled
             Contacts" setting should be
             configured correctly for
             Outlook 2007.
CCE-1117-1
             The "Add e-mail recipients enabled/disabled
             to users' Safe Senders
             Lists" setting should be
             configured correctly for
             Outlook 2007.
CCE-1130-4
             The "Dial-up options"         enabled/disabled
             setting should be
             configured correctly for
             Outlook 2007.
CCE-1093-4
             The "Dial-up options -      enabled/disabled
             Warn before switching dial-
             up connection" setting
             should be configured
             correctly for Outlook 2007.
CCE-1599-0
             The "Dial-up options -      enabled/disabled
             Hang up when finished
             sending, receiving, or
             updating" setting should be
             configured correctly for
CCE-1621-2   Outlook 2007.
             The "Dial-up options -      enabled/disabled
             Automatically dial during a
             background Send/Receive"
             setting should be
             configured correctly for
             Outlook 2007.
CCE-1269-0
             The "Do not allow creating, enabled/disabled
             replying, or forwarding
             signatures for e-mail
             messages" setting should
             be configured correctly for
             Outlook 2007.
CCE-1419-1
             The "Send copy of pictures enabled/disabled
             with HTML messages
             instead of reference to
             Internet location" setting
             should be configured
             correctly for Outlook 2007.
CCE-1551-1
             The "Outlook Rich Text     enabled/disabled
             options (Convert to HTML |
             Convert to Plain Text
             format | Send Using
             Outlook Rich Text format)"
             setting should be
             configured correctly for
CCE-655-1    Outlook 2007.
             The "Plain text options"   enabled/disabled
             setting should be
             configured correctly for
             Outlook 2007.
CCE-1592-5
             The "Plain text options -     enabled/disabled
             Encode attachments in
             UUENCODE format when
             sending a plain text
             message" setting should
             be configured correctly for
CCE-1614-7   Outlook 2007.
             The "Set message format        enabled/disabled
             (HTML | Rich Text | Plain
             Text)" setting should be
             configured correctly for
             Outlook 2007.
CCE-1526-3
             The "Make Outlook the          enabled/disabled
             default program for E-mail,
             Contacts, and Calendar"
             setting should be
             configured correctly for
CCE-1111-4   Outlook 2007.
             The "Do not allow folders in   enabled/disabled
             non-default stores to be set
             as folder home pages"
             setting should be
             configured correctly for
CCE-1494-4   Outlook 2007.
             The "Use Unicode format        enabled/disabled
             when dragging e-mail
             message to file system"
             setting should be
             configured correctly for
CCE-1287-2   Outlook 2007.
             The "Do not allow Outlook      enabled/disabled
             object model scripts to run
             for shared folders" setting
             should be configured
             correctly for Outlook 2007.
CCE-1529-7
             The "Do not allow Outlook enabled/disabled
             object model scripts to run
             for public folders" setting
             should be configured
             correctly for Outlook 2007.
CCE-1560-2
             The "Set maximum level of enabled/disabled
             online status on a person
             name (Do not allow | Allow
             everywhere except To and
             CC field | Allow
             everywhere)" setting
             should be configured
             correctly for Outlook 2007.
CCE-1596-6
             The "Display online status enabled/disabled
             on a person name (Never |
             Everywhere except To and
             CC field | Everywhere)"
             setting should be
             configured correctly for
             Outlook 2007.
CCE-1604-8
             The "Turn off Enable the  enabled/disabled
             Person Names Smart Tag
             option" setting should be
             configured correctly for
             Outlook 2007.
CCE-1648-5
             The "Outlook Security       enabled/disabled
             Mode (Outlook Default
             Security | Use Security
             Form from 'Outlook
             Security Settings' Public
             Folder | Use Security Form
             from 'Outlook 10 Security
             Settings' Public Folder |
             Use Outlook Security
             Group Policy)" setting
             should be configured
             correctly for Outlook 2007.
CCE-1516-4
             The "Display Level 1        enabled/disabled
             attachments" setting
             should be configured
             correctly for Outlook 2007.
CCE-1296-3
             The "Allow users to demote enabled/disabled
             attachments to Level 2"
             setting should be
             configured correctly for
             Outlook 2007.
CCE-1388-8
             The "Do not prompt about enabled/disabled
             Level 1 attachments when
             sending an item" setting
             should be configured
             correctly for Outlook 2007.
CCE-1652-7
             The "Do not prompt about enabled/disabled
             Level 1 attachments when
             closing an item" setting
             should be configured
             correctly for Outlook 2007.
CCE-1569-3
             The "Allow in-place         enabled/disabled
             activation of embedded
             OLE objects" setting
             should be configured
             correctly for Outlook 2007.
CCE-1459-7
             The "Display OLE package enabled/disabled
             objects" setting should be
             configured correctly for
             Outlook 2007.
CCE-1608-9
             The "Add file extensions to enabled/disabled
             block as Level 1" setting
             should be configured
             correctly for Outlook 2007.
CCE-1617-0
             The "Remove file             enabled/disabled
             extensions blocked as
             Level 1" setting should be
             configured correctly for
             Outlook 2007.
CCE-1631-1
             The "Add file extensions to enabled/disabled
             block as Level 2" setting
             should be configured
             correctly for Outlook 2007.
CCE-1155-1
             The "Remove file             enabled/disabled
             extensions blocked as
             Level 2" setting should be
             configured correctly for
             Outlook 2007.
CCE-1556-0
             The "Allow scripts in one- enabled/disabled
             off Outlook forms" setting
             should be configured
             correctly for Outlook 2007.
CCE-1595-8
             The "Set Outlook object      enabled/disabled
             model Custom Actions
             execution prompt (Prompt
             User | Automatically
             Approve | Automatically
             Deny | Prompt user based
             on computer security)"
             setting should be
             configured correctly for
             Outlook 2007.
CCE-1436-5
             The "Set control            enabled/disabled
             ItemProperty prompt
             (Prompt User |
             Automatically Approve |
             Automatically Deny |
             Prompt user based on
             computer security)" setting
             should be configured
CCE-1586-7   correctly
             The "Configure Outlook      enabled/disabled
             object model prompt when
             sending mail (Prompt User
             | Automatically Approve |
             Automatically Deny |
             Prompt user based on
             computer security)" setting
             should be configured
             correctly for Outlook 2007.

CCE-1590-9
             The "Configure Outlook      enabled/disabled
             object model prompt when
             accessing an address book
             (Prompt User |
             Automatically Approve |
             Automatically Deny |
             Prompt user based on
             computer security)" setting
             should be configured
             correctly for Outlook 2007.
CCE-1004-1
             The "Configure Outlook      enabled/disabled
             object model prompt when
             reading address
             information (Prompt User |
             Automatically Approve |
             Automatically Deny |
             Prompt user based on
             computer security)" setting
             should be configured
             correctly for Outlook 2007.
CCE-1273-2
             The "Configure Outlook      enabled/disabled
             object model prompt when
             responding to meeting and
             task requests (Prompt User
             | Automatically Approve |
             Automatically Deny |
             Prompt user based on
             computer security)" setting
             should be configured
             correctly for Outlook 2007.

CCE-1172-6
             The "Configure Outlook    enabled/disabled
             object model prompt when
             executing Save As (Prompt
             User | Automatically
             Approve | Automatically
             Deny | Prompt user based
             on computer security)"
             setting should be
             configured correctly for
             Outlook 2007.
CCE-1568-5
             The "Configure Outlook      enabled/disabled
             object model prompt When
             accessing the Formula
             property of a UserProperty
             object (Prompt User |
             Automatically Approve |
             Automatically Deny |
             Prompt user based on
             computer security)" setting
             should be configured
             correctly for Outlook 2007.

CCE-1573-5
             The "Configure Outlook      enabled/disabled
             object model prompt when
             accessing address
             information via
             UserProperties.Find
             (Prompt User |
             Automatically Approve |
             Automatically Deny |
             Prompt user based on
             computer security)" setting
             should be configured
             correctly for Outlook 2007.
CCE-1454-8
             The "Required Certificate enabled/disabled
             Authority" setting should be
             configured correctly for
CCE-1498-5   Outlook 2007.
             The "S/MIME                  enabled/disabled
             interoperability with
             external clients: (Handle
             internally | Handle
             externally | Handle if
             possible)" setting should be
             configured correctly for
CCE-1630-3   Outlook 2007.
             The "Always use Rich Text enabled/disabled
             formatting in S/MIME
             messages" setting should
             be configured correctly for
             Outlook 2007.
CCE-1626-1
             The "S/MIME password        enabled/disabled
             settings" setting should be
             configured correctly for
             Outlook 2007.
CCE-1163-5
             The "S/MIME password        enabled/disabled
             settings - Default S/MIME
             password time (minutes):
             (0 - 2147483647)" setting
             should be configured
             correctly for Outlook 2007.
CCE-1445-6
             The "S/MIME password        enabled/disabled
             settings - Maximum
             S/MIME password time
             (minutes): (0 -
             2147483647)" setting
             should be configured
             correctly for Outlook 2007.
CCE-1582-6
             The "Message Formats"       enabled/disabled
             setting should be
             configured correctly for
CCE-1357-3   Outlook 2007.
             The "Message Formats -      enabled/disabled
             Support the following
             message formats: (S/MIME
             | Exchange | Fortezza |
             S/MIME and Exchange |
             S/MIME and Fortezza |
             Exchange and Fortezza |
             S/MIME, Exchange, and
             Fortezza)" setting should
             be configured correctly for
             Outlook 2007.
CCE-1132-0
             2007: The "Do not provide enabled/disabled
             Continue option on
             Encryption warning dialog
             boxes" setting should be
             configured correctly for
             Outlook 2007. 2003: The
             "Disable Continue button
             on all Encryption warning
             dialogs" setting should be
             configured correctly.
CCE-1511-5
             The "Run in FIPS            enabled/disabled
             compliant mode" setting
             should be configured
             correctly for Outlook 2007.
CCE-1018-1
             The "Encrypt all e-mail        enabled/disabled
             messages" setting should
             be configured correctly for
             Outlook 2007 and 2003.




CCE-1181-7
             The "Sign all e-mail           enabled/disabled
             messages" setting should
             be configured correctly for
             Outlook 2007.
CCE-1639-4
             The "URL for S/MIME            enabled/disabled
             certificates" setting should
             be configured correctly for
             Outlook 2007.
CCE-677-5
             The "Ensure all S/MIME        enabled/disabled
             signed messages have a
             label" setting should be
             configured correctly for
CCE-687-4    Outlook 2007.
             The "S/MIME receipt           enabled/disabled
             requests (Open message if
             receipt can't be sent | Don't
             open message if receipt
             can't be sent | Always
             prompt before sending
             receipt | Never send
             S/MIME )" setting should
             be configured correctly for
             Outlook 2007.
CCE-1613-9
             The "Fortezza certificate     enabled/disabled
             policies" setting should be
             configured correctly for
CCE-1402-7   Outlook 2007.
             The "Require SuiteB           enabled/disabled
             algorithms for S/MIME
             operations" setting should
             be configured correctly for
             Outlook 2007.
CCE-1658-4
             The "Missing CRLs" setting enabled/disabled
             should be configured
             correctly for Outlook 2007.
CCE-1662-6
             The "Missing CRLs -          enabled/disabled
             Indicate a missing CRL as
             a(n): (warning | error)"
             setting should be
             configured correctly for
CCE-1080-1   Outlook 2007.
             The "Missing root            enabled/disabled
             certificates" setting should
             be configured correctly for
             Outlook 2007.
CCE-1076-9
             The "Missing root             enabled/disabled
             certificates - Indicate a
             missing root certificate as
             a(n): (neither error nor
             warning | warning | error)"
             setting should be
             configured correctly for
CCE-1636-0   Outlook 2007.
             The "Promote Level 2        enabled/disabled
             errors as errors, not
             warnings" setting should be
             configured correctly for
CCE-943-1    Outlook 2007.
             The "Attachment Secure      enabled/disabled
             Temporary Folder" setting
             should be configured
             correctly for Outlook 2007.
CCE-1591-7
             The "Display pictures and enabled/disabled
             external content in HTML e-
             mail" setting should be
             configured correctly for
             Outlook 2007.
CCE-1133-8
             The "Automatically          enabled/disabled
             download content for e-
             mail from people in Safe
             Senders and Safe
             Recipients Lists" setting
             should be configured
             correctly for Outlook 2007.
CCE-725-2
             The "Do not permit          enabled/disabled
             download of content from
             safe zones" setting should
             be configured correctly for
             Outlook 2007.
CCE-1347-4
             The "Block Trusted Zones" enabled/disabled
             setting should be
             configured correctly for
             Outlook 2007.
CCE-1475-3
             The "Include Internet in    enabled/disabled
             Safe Zones for Automatic
             Picture Download" setting
             should be configured
             correctly for Outlook 2007.
CCE-1497-7
             The "Include Intranet in    enabled/disabled
             Safe Zones for Automatic
             Picture Download" setting
             should be configured
             correctly for Outlook 2007.
CCE-1501-6
             The "Security setting for   enabled/disabled
             macros (Always warn |
             Never warn, disable all |
             Warn for signed, disable
             unsigned | No security
             check)" setting should be
             configured correctly for
CCE-1030-6   Outlook 2007.
             The "Enable links in e-mail enabled/disabled
             messages" setting should
             be configured correctly for
             Outlook 2007.
CCE-1052-0
             The "Apply macro security enabled/disabled
             settings to macros, add-
             ins, and SmartTags"
             setting should be
             configured correctly for
             Outlook 2007.
CCE-1462-1
             The "Automatically          enabled/disabled
             configure profile based on
             Active Directory Primary
             SMTP address" setting
             should be configured
             correctly for Outlook 2007.
CCE-1281-5
             The "Do not allow users to enabled/disabled
             change permissions on
             folders" setting should be
             configured correctly for
             Outlook 2007.
CCE-1303-7
             The "Enable RPC               enabled/disabled
             encryption" setting should
             be configured correctly for
             Outlook 2007.
CCE-1082-7
             The "Authentication with    enabled/disabled
             Exchange Server
             (Kerberos/NTLM Password
             Authentication | Kerberos
             Password Authentication |
             NTLM Password
             Authentication)" setting
             should be configured
             correctly for Outlook 2007.

CCE-1712-9
             The "Synchronize Outlook      enabled/disabled
             RSS Feeds with Common
             Feed List" setting should
             be configured correctly for
             Outlook 2007.
CCE-1131-2
             The "Turn off RSS feature" enabled/disabled
             setting should be
             configured correctly for
             Outlook 2007.
CCE-1620-4
             The "Automatically          enabled/disabled
             download enclosures"
             setting should be
             configured correctly for
CCE-1541-2   Outlook 2007.
             The "Download full text of enabled/disabled
             articles as HTML
             attachments" setting
             should be configured
             correctly for Outlook 2007.
CCE-1311-0
             The "Automatically            enabled/disabled
             download attachments"
             setting should be
             configured correctly for
             Outlook 2007.
CCE-1682-4
             The "Do not include         enabled/disabled
             Internet Calendar
             integration in Outlook"
             setting should be
             configured correctly for
CCE-1461-3   Outlook 2007.
             The "Disable user entries enabled/disabled
             to server list (Publish
             default, allow others |
             Publish default, disallow
             others)" setting should be
             configured correctly for
CCE-1041-3   Outlook 2007.
             The "Do not expand          enabled/disabled
             distribution lists" setting
             should be configured
             correctly for Outlook 2007.
CCE-1565-1
             The "Save files in this       enabled/disabled
             format (PowerPoint
             Presentation (*.pptx) |
             PowerPoint Macro-Enabled
             Presentation (*.pptm) |
             PowerPoint 97-2003
             Presentation (*.ppt))"
             setting should be
             configured correctly for
CCE-1719-4   PowerPoint 2007.
             The "Number of                enabled/disabled
             documents in the Recent
             Documents list (0 - 50)"
             setting should be
             configured correctly for
CCE-1477-9   PowerPoint 2007.
             The "Determine whether to     enabled/disabled
             force encrypted macros to
             be scanned in Microsoft
             PowerPoint Open XML
             presentations" setting
             should be configured
             correctly for PowerPoint
CCE-1142-9   2007.
             The "Run Programs             enabled/disabled
             (disable (don't run any
             programs) | enable (prompt
             user before running) |
             enable all (run without
             prompting))" setting should
             be configured correctly for
             PowerPoint 2007.
CCE-1649-3
             The "Make hidden markup enabled/disabled
             visible" setting should be
             configured correctly for
             PowerPoint 2007.
CCE-1279-9
             The "Unblock automatic     enabled/disabled
             download of linked images"
             setting should be
             configured correctly for
             PowerPoint 2007.
CCE-1451-4
             The "Disable all application enabled/disabled
             add-ins" setting should be
             configured correctly for
             PowerPoint 2007.

CCE-1204-7
             The "Require that            enabled/disabled
             application add-ins are
             signed by Trusted
             Publisher" setting should
             be configured correctly for
CCE-1107-2   PowerPoint 2007.
             The "Disable Trust Bar       enabled/disabled
             Notification for unsigned
             application add-ins" setting
             should be configured
             correctly for PowerPoint
CCE-743-5    2007.
             The "Allow Trusted           enabled/disabled
             Locations not on the
             computer" setting should
             be configured correctly for
             PowerPoint 2007.
CCE-747-6
             The "Disable all trusted     enabled/disabled
             locations" setting should be
             configured correctly for
             PowerPoint 2007.

CCE-782-3
             The "Disable commands"        enabled/disabled
             setting should be
             configured correctly for
             PowerPoint 2007.
CCE-1327-6
             The "Disable commands - enabled/disabled
             Office Button | PowerPoint
             Options | Customize | All
             Commands | Web Page
             Preview" setting should be
             configured correctly for
             PowerPoint 2007.
CCE-1723-6
             The "Disable commands -       enabled/disabled
             Office Button | Send |
             Email" setting should be
             configured correctly for
             PowerPoint 2007.
CCE-1366-4
             The "Disable commands -       enabled/disabled
             Insert | Links | Hyperlink"
             setting should be
             configured correctly for
             PowerPoint 2007.
CCE-1679-0
             The "Disable commands -       enabled/disabled
             Review | Proofing |
             Language" setting should
             be configured correctly for
             PowerPoint 2007.
CCE-1173-4
             The "Disable commands -       enabled/disabled
             View | Macros | Macros"
             setting should be
             configured correctly for
             PowerPoint 2007.
CCE-1714-5
             The "Disable commands - enabled/disabled
             Developer | Code | Macros"
             setting should be
             configured correctly for
             PowerPoint 2007.
CCE-1485-2
             The "Disable commands - enabled/disabled
             Developer | Code | Macro
             Security" setting should be
             configured correctly for
             PowerPoint 2007.
CCE-1687-3
             The "Disable commands -       enabled/disabled
             Developer | Code | Visual
             Basic" setting should be
             configured correctly for
             PowerPoint 2007.
CCE-1709-5
             The "Disable commands - enabled/disabled
             Office Button | PowerPoint
             Options | Customize | All
             Commands | Document
             Location" setting should be
             configured correctly for
             PowerPoint 2007.
CCE-1463-9
             The "Disable commands -       enabled/disabled
             Disable shortcut keys"
             setting should be
             configured correctly for
             PowerPoint 2007.
CCE-1467-0
             The "Disable commands -       enabled/disabled
             Ctrl+K (Insert | Links |
             Hyperlink)" setting should
             be configured correctly for
             PowerPoint 2007.
CCE-1740-0
             The "Disable commands - enabled/disabled
             Alt+F8 (Developer | Code |
             Macros)" setting should be
             configured correctly for
             PowerPoint 2007.
CCE-1780-6
             The "Disable commands - enabled/disabled
             Alt+F11 (Developer | Code
             | Visual Basic)" setting
             should be configured
             correctly for PowerPoint
CCE-1661-8   2007.
             The "Block opening of pre- enabled/disabled
             release versions of file
             formats new to PowerPoint
             2007" setting should be
             configured correctly for
             PowerPoint 2007.
CCE-1688-1
             The "Block opening of         enabled/disabled
             Open Xml files types"
             setting should be
             configured correctly for
CCE-1701-2   PowerPoint 2007.
             The "Block opening of         enabled/disabled
             Binary file types" setting
             should be configured
             correctly for PowerPoint
CCE-1348-2   2007.
             The "Block opening of Html enabled/disabled
             file types" setting should be
             configured correctly for
             PowerPoint 2007.
CCE-1644-4
             The "Block opening of       enabled/disabled
             Outlines" setting should be
             configured correctly for
             PowerPoint 2007.
CCE-1194-0
             The "Block opening of       enabled/disabled
             Converters" setting should
             be configured correctly for
             PowerPoint 2007.
CCE-1216-1
             The "Block saving of Open enabled/disabled
             Xml file types" setting
             should be configured
             correctly for PowerPoint
CCE-1506-5   2007.
             The "Block saving of Binary enabled/disabled
             file types" setting should be
             configured correctly for
             PowerPoint 2007.
CCE-1136-1
             The "Block saving of Html enabled/disabled
             file types" setting should be
             configured correctly for
             PowerPoint 2007.
CCE-1766-5
             The "Block saving of        enabled/disabled
             Outlines" setting should be
             configured correctly for
             PowerPoint 2007.
CCE-1180-9
             The "Block saving of       enabled/disabled
             GraphicFilters" setting
             should be configured
             correctly for PowerPoint
CCE-1722-8   2007.
             The "Disable Slide Update" enabled/disabled
             setting should be
             configured correctly for
             PowerPoint 2007.
CCE-1731-9
             The "Hidden text" setting   enabled/disabled
             should be configured
             correctly for Word 2007.
CCE-885-4
             The "Save files in this        enabled/disabled
             format (Word document
             (*.docx) | Single Files Web
             Page (*.mht) | Web Page
             (*.htm; *.html) | Web Page,
             Filtered (*.htm, *.html) |
             Rich Text Format (*.rtf) |
             Plain Text (*.txt) | Word
             6.0/95 (*.doc) | Word
             6.0/95 - Chinese
             (Simplified) (*.doc) | Word
             6.0/95 - Chinese
             (Traditional) (*.doc) | Word
             6.0/95 - Japanese (*.doc) |
             Word 6.0/95 - Korean
             (*.doc) | Word 97-2002 &
             6.0/95 - RTF | Word 5.1 for
             Macintosh (*.mcw) | Word
             5.0 for Macintosh (*.mcw) |
             Word 2.x for Windows
             (*.doc) | Works 4.0 for
             Windows (*.wps) |
             WordPerfect 5.x for
             Windows (*.doc) |
             WordPerfect 5.1 for DOS
             (*.doc) | Word 2007 Macro
             Enabled Document
             (*.docm) | Word 2007
             Macro Free Template
             (*.dotx) | Word 2007 Macro
             Enabled Template (*.dotm)
CCE-1656-8   | Word 97 - 2003
             Document (*.doc) | Word
             The "Number of                 enabled/disabled
             documents in the Recent
             Documents list (0-50)"
             setting should be
             configured correctly for
CCE-1537-0   Word 2007.
             The "Update automatic          enabled/disabled
             links at Open" setting
             should be configured
CCE-1249-2   correctly for Word 2007.
             The "Save smart tags in e-     enabled/disabled
             mail" setting should be
             configured correctly for
CCE-1509-9   Word 2007.
             The "Determine whether to enabled/disabled
             force encrypted macros to
             be scanned in Microsoft
             Word Open XML
             documents" setting should
             be configured correctly for
CCE-1280-7   Word 2007.
             The "Disable all application enabled/disabled
             add-ins" setting should be
             configured correctly for
             Word 2007.
CCE-1681-6
             The "Require that            enabled/disabled
             application add-ins are
             signed by Trusted
             Publisher" setting should
             be configured correctly for
CCE-1562-8   Word 2007.
             The "Disable Trust Bar       enabled/disabled
             Notification for unsigned
             application add-ins" setting
             should be configured
             correctly for Word 2007.
CCE-1333-4
             The "Allow Trusted            enabled/disabled
             Locations not on the
             computer" setting should
             be configured correctly for
             Word 2007.
CCE-1355-7
             The "Disable all trusted     enabled/disabled
             locations" setting should be
             configured correctly for
             Word 2007.
CCE-1637-8
             The "Disable commands"        enabled/disabled
             setting should be
             configured correctly for
             Word 2007.
CCE-1659-2
             The "Disable commands - enabled/disabled
             Office Button | Word
             Options | Customize | All
             Commands | Save As Web
             Page" setting should be
             configured correctly for
CCE-1329-2   Word 2007.
             The "Disable commands - enabled/disabled
             Office Button | Word
             Options | Customize | All
             Commands | Web Page
             Preview" setting should be
             configured correctly for
CCE-1632-9   Word 2007.
             The "Disable commands - enabled/disabled
             Office Button | Send |
             Email" setting should be
             configured correctly for
             Word 2007.
CCE-1425-8
             The "Disable commands -       enabled/disabled
             Insert | Links | Hyperlink"
             setting should be
             configured correctly for
             Word 2007.
CCE-1196-5
             The "Disable commands -       enabled/disabled
             Review | Protect | Protect
             Document" setting should
             be configured correctly for
             Word 2007.
CCE-936-5
             The "Disable commands -       enabled/disabled
             View | Macros | Macros"
             setting should be
             configured correctly for
             Word 2007.
CCE-1354-0
             The "Disable commands - enabled/disabled
             Developer | Code | Macros"
             setting should be
             configured correctly for
             Word 2007.
CCE-1125-4
             The "Disable commands - enabled/disabled
             Developer | Code | Record
             Macro" setting should be
             configured correctly for
             Word 2007.
CCE-1742-6
             The "Disable commands - enabled/disabled
             Developer | Code | Macro
             Security" setting should be
             configured correctly for
             Word 2007.
CCE-1782-2
             The "Disable commands -     enabled/disabled
             Developer | Code | Visual
             Basic" setting should be
             configured correctly for
             Word 2007.
CCE-1306-0
             The "Disable commands - enabled/disabled
             Developer | Templates |
             Document Template"
             setting should be
             configured correctly for
CCE-1548-7   Word 2007.
             The "Disable shortcut keys" enabled/disabled
             setting should be
             configured correctly for
             Word 2007.
CCE-1716-0
             The "Disable shortcut keys - enabled/disabled
             Ctrl+F (Home | Editing |
             Find)" setting should be
             configured correctly for
             Word 2007.
CCE-1597-4
             The "Disable shortcut keys - enabled/disabled
             Ctrl+K (Insert | Links |
             Hyperlink)" setting should
             be configured correctly for
             Word 2007.
CCE-1689-9
             The "Disable shortcut keys - enabled/disabled
             Alt+F8 (Developer | Code |
             Macros)" setting should be
             configured correctly for
             Word 2007.
CCE-1570-1
             The "Disable shortcut keys - enabled/disabled
             Alt+F11 (Developer | Code
             | Visual Basic)" setting
             should be configured
             correctly for Word 2007.
CCE-1720-2
             The "Block opening of pre- enabled/disabled
             release versions of file
             formats new to Word 2007"
             setting should be
             configured correctly for
CCE-1746-7   Word 2007.
             The "Block opening of      enabled/disabled
             Open XML file types"
             setting should be
             configured correctly for
CCE-1504-0   Word 2007.
             The "Block opening of          enabled/disabled
             Binary file types" setting
             should be configured
             correctly for Word 2007.
CCE-1654-3
             The "Block opening of          enabled/disabled
             HTML file types" setting
             should be configured
             correctly for Word 2007.
CCE-1160-1
             The "Block opening of         enabled/disabled
             Word 2003 XML file types"
             setting should be
             configured correctly for
CCE-958-9    Word 2007.
             The "Block opening of RTF enabled/disabled
             file types" setting should be
             configured correctly for
             Word 2007.
CCE-1579-2
             The "Block open             enabled/disabled
             Converters" setting should
             be configured correctly for
             Word 2007.
CCE-984-5
             The "Block opening of Text enabled/disabled
             file types" setting should be
             configured correctly for
             Word 2007.
CCE-1072-8
             The "Block opening of          enabled/disabled
             Internal file types" setting
             should be configured
             correctly for Word 2007.
CCE-1503-2
             The "Block opening of files enabled/disabled
             before version" setting
             should be configured
             correctly for Word 2007.
CCE-1371-4
             The "Block saving of Open enabled/disabled
             XML file types" setting
             should be configured
             correctly for Word 2007.
CCE-1019-9
             The "Block saving of Binary enabled/disabled
             file types" setting should be
             configured correctly for
             Word 2007.
CCE-1684-0
             The "Block saving of HTML enabled/disabled
             file types" setting should be
             configured correctly for
             Word 2007.
CCE-1675-8
             The "Block saving of Word enabled/disabled
             2003 XML file types"
             setting should be
             configured correctly for
CCE-1200-5   Word 2007.
             The "Block saving of RTF enabled/disabled
             file types" setting should be
             configured correctly for
             Word 2007.
CCE-1741-8
             The "Block saving of        enabled/disabled
             Converters" setting should
             be configured correctly for
             Word 2007.
CCE-1231-0
             The "Block saving of Text enabled/disabled
             file types" setting should be
             configured correctly for
             Word 2007.
CCE-1755-8

             The InfoPath APTCA         enabled/disabled
             Assembly Whitelist setting
             should be configured
             correctly.

CCE-1169-2
             The Windows Internet       enabled/disabled
             Explorer Feature Control
             Opt-In (None |
             InfoPath.exe, Document
             Information Panel and
             Workflow forms |
             InfoPath.exe, Document
             Information Panel,
             Workflow forms and 3rd
             Party Hosting) setting
             should be configured
CCE-1735-0   correctly.
             The InfoPath APTCA         enabled/disabled
             Assembly Whitelist
             Enforcement setting should
             be configured correctly.

CCE-1739-2
             The Disable Package        enabled/disabled
             Repair setting should be
             configured correctly.

CCE-933-2
             The Disable user name      enabled/disabled
             and password setting
             should be configured
             correctly.


CCE-1563-6
             The Disable user name      enabled/disabled
             and password - excel.exe
             setting should be
             configured correctly.


CCE-1215-3
             The Disable user name      enabled/disabled
             and password -
             powerpnt.exe setting
             should be configured
             correctly.

CCE-1484-5
             The Disable user name      enabled/disabled
             and password -
             pptview.exe setting should
             be configured correctly.


CCE-1629-5
             The Disable user name      enabled/disabled
             and password -
             winword.exe setting should
             be configured correctly.


CCE-1762-4
             The Disable user name      enabled/disabled
             and password - outlook.exe
             setting should be
             configured correctly.


CCE-1660-0
             The Disable user name        enabled/disabled
             and password -
             spDesign.exe setting
             should be configured
             correctly.

CCE-1057-9
             The Disable user name        enabled/disabled
             and password -
             msaccess.exe setting
             should be configured
             correctly.

CCE-1285-6
             The Bind to object setting   enabled/disabled
             should be configured
             correctly.


CCE-1669-1
             The Bind to object -        enabled/disabled
             excel.exe setting should be
             configured correctly.


CCE-1691-5
             The Bind to object -         enabled/disabled
             powerpnt.exe setting
             should be configured
             correctly.

CCE-1338-3
             The Bind to object -       enabled/disabled
             pptview.exe setting should
             be configured correctly.


CCE-1717-8
             The Bind to object -       enabled/disabled
             winword.exe setting should
             be configured correctly.


CCE-1488-6
             The Bind to object -         enabled/disabled
             outlook.exe setting should
             be configured correctly.


CCE-1638-6
             The Bind to object -         enabled/disabled
             spDesign.exe setting
             should be configured
             correctly.

CCE-1647-7
             The Bind to object -         enabled/disabled
             msaccess.exe setting
             should be configured
             correctly.

CCE-1294-8
             The Saved from URL           enabled/disabled
             setting should be
             configured correctly.


CCE-1193-2
             The Saved from URL -        enabled/disabled
             excel.exe setting should be
             configured correctly.


CCE-1352-4
             The Saved from URL -         enabled/disabled
             powerpnt.exe setting
             should be configured
             correctly.

CCE-928-2
             The Saved from URL -       enabled/disabled
             pptview.exe setting should
             be configured correctly.


CCE-1576-8
             The Saved from URL -       enabled/disabled
             pptview.exe setting should
             be configured correctly.


CCE-1100-7
             The Saved from URL -         enabled/disabled
             outlook.exe setting should
             be configured correctly.


CCE-1232-8
             The Saved from URL -         enabled/disabled
             spDesign.exe setting
             should be configured
             correctly.

CCE-1774-9
             The Saved from URL -         enabled/disabled
             msaccess.exe setting
             should be configured
             correctly.

CCE-906-8
             The Navigate URL setting     enabled/disabled
             should be configured
             correctly.


CCE-1034-8
             The Navigate URL -          enabled/disabled
             excel.exe setting should be
             configured correctly.


CCE-1435-7
             The Navigate URL -           enabled/disabled
             powerpnt.exe setting
             should be configured
             correctly.

CCE-1708-7
             The Navigate URL -         enabled/disabled
             pptview.exe setting should
             be configured correctly.


CCE-808-6
             The Navigate URL -         enabled/disabled
             winword.exe setting should
             be configured correctly.


CCE-1650-1
             The Navigate URL -           enabled/disabled
             outlook.exe setting should
             be configured correctly.


CCE-1223-7
             The Navigate URL -           enabled/disabled
             spDesign.exe setting
             should be configured
             correctly.

CCE-1764-0
             The Navigate URL -           enabled/disabled
             msaccess.exe setting
             should be configured
             correctly.

CCE-1769-9
             The Block popups setting     enabled/disabled
             should be configured
             correctly.


CCE-1152-8
             The Block popups -          enabled/disabled
             excel.exe setting should be
             configured correctly.


CCE-1566-9
             The Block popups -           enabled/disabled
             powerpnt.exe setting
             should be configured
             correctly.

CCE-1077-7
             The Block popups -         enabled/disabled
             pptview.exe setting should
             be configured correctly.


CCE-1606-3
             The Block popups -         enabled/disabled
             winword.exe setting should
             be configured correctly.


CCE-1738-4
             The Block popups -           enabled/disabled
             outlook.exe setting should
             be configured correctly.


CCE-1262-5
             The Block popups -           enabled/disabled
             spDesign.exe setting
             should be configured
             correctly.

CCE-1663-4
             The Block popups -           enabled/disabled
             msaccess.exe setting
             should be configured
             correctly.

CCE-1544-6




             The "Prevent users from
             customizing attachment
             security settings" setting
             should be configured
CCE-1443-1   correctly.                   enabled/disabled




             The "Access: Macro
             Security Level" setting      1 = Enabled - Low | 2
             should be configured         = Enabled - Medium
CCE-1161-9   correctly.                   | 3 = Enabled - High




             The "Access: Trust all
             installed add – ins and
             templates" setting should    0 = Enabled | 1 =
CCE-1421-7   be configured correctly.     Disabled




             The "Excel: Macro Security 1 = Enabled - Low | 2
             Level" setting should be   = Enabled - Medium
CCE-1571-9   configured correctly.      | 3 = Enabled - High
             The "Excel: Trust all
             installed add – ins and
             templates" setting should    0 = Enabled | 1 =
CCE-1721-0   be configured correctly.     Disabled




             The "Outlook: Macro
             Security Level" setting      1 = Enabled - Low | 2
             should be configured         = Enabled - Medium
CCE-1602-2   correctly.                   | 3 = Enabled - High

             The "Outlook: Trust all
             installed add-ins and
             templates" setting should   0 = Enabled | 1 =
CCE-1624-6   be configured correctly.    Disabled
                                         0 = Uses default
                                         administrative
                                         settings | 1 = Look
                                         in the Outlook
                                         Security Settings
                                         folder | 2 = Look in
             The "Outlook virus security the Outlook 10
             settings" setting should be Security Settings
CCE-1522-2   configured correctly.       folder

                                         0 = Open message if
                                         receipt can't be sent |
                                         1 = Always prompt
                                         before sending
                                         receipt | 2 = Never
                                         send S/MIME
             The "S/MIME receipt         receipts | 3 = Don't
             requests" setting should be open message if
CCE-1183-3   configured correctly.       receipt can't be sent




             The "PowerPoint: Macro
             Security Level" setting      1 = Enabled - Low | 2
             should be configured         = Enabled - Medium
CCE-1611-3   correctly.                   | 3 = Enabled - High
             The "PowerPoint: Trust all
             installed add – ins and
             templates" setting should    0 = Enabled | 1 =
CCE-1633-7   be configured correctly.     Disabled

             The "Publisher: Macro
             Security Level" setting      1 = Enabled - Low | 2
             should be configured         = Enabled - Medium
CCE-822-7    correctly.                   | 3 = Enabled - High


             The "Publisher: Trust all
             installed add–ins and
             templates" setting should    0 = Enabled | 1 =
CCE-1734-3   be configured correctly.     Disabled




             The "Word: Macro Security 1 = Enabled - Low | 2
             Level" setting should be  = Enabled - Medium
CCE-1628-7   configured correctly.     | 3 = Enabled - High




             The "Word: Trust all
             installed add–ins and
             templates" setting should    0 = Enabled | 1 =
CCE-1761-6   be configured correctly.     Disabled

             The "Store random number
             to improve merge
             accuracy" setting should be 0 = Enabled | 1 =
CCE-1302-9   configured correctly.       Disabled

             The "Prevent Users from
             Changing Office Encryption
             Settings" setting should be 0 = Disabled | 1 =
CCE-1307-8   configured correctly.       Enabled
             The "Disable Update
             Diagnostics" setting should (1) 0 = Disabled | 1 =
CCE-4277-0   be configured correctly.    Enabled

                                           (1) 0 = Enabled
                                           (Load only Outlook
                                           Controls) | 1 =
                                           Enabled (Allows only
             The "Allow Active X One       Safe Controls) | 2 =
             Off Forms" setting should     Enabled (Allows all
             be configured correctly for   ActiveX Controls)
CCE-4280-4   Outlook 2007.

             The "Allow access to e-
             mail attachments" setting
             should be configured        (1) 0 = Disabled | 1 =
CCE-4283-8   correctly for Outlook 2007. Enabled

             The "Do not automatically
             sign replies" setting should
             be configured correctly for 0 = Disabled | 1 =
CCE-5276-1   Outlook 2007.                Enabled

             The "Prompt user to
             choose security settings if
             default settings fail" setting
             should be configured           (1) 0 = Disabled | 1 =
CCE-4440-4   correctly for Outlook 2007. Enabled
                                                                 Old v4 CCE
             CCE Technical Mechanisms
                                                                      ID




2007: GPO Settings:Computer Configuration / Administrative
Templates / Classic Administrative Templates / Microsoft
Office 2007 System / Security Settings , Registry Keys:
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Office\1
2.0\Common\VbaOff 2003: (1) Computer
Configuration\Administrative Templates\Microsoft Office
2003\Security Settings\Disable VBA for Office applications (2)
HKLM\Software\Policies\Microsoft\Office\11.0\Common -
VbaOff (3) User Configuration\Administrative
Templates\Microsoft Office 2003\Security Settings\Disable
VBA for Office applications (4)
HKCU\Software\Policies\Microsoft\Office\11.0\Common -
VbaOff                                                           CCE-116
2007: GPO Settings:User Configuration / Administrative
Templates / Classic Administrative Templates / Microsoft
Office 2007 system / Security /ActiveX Control
InitializationSettings , Registry Keys:
HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\C
ommon\Security\UFIControls 2003: (1) User
Configuration\Administrative Templates\Microsoft Office
2003\Security Settings\ActiveX Control Initialization (2)
HKCU\Software\Policies\Microsoft\Office\Common\Security -
UFIControls                                                      CCE-908
GPO Settings:User Configuration / Administrative Templates /
Classic Administrative Templates / Microsoft Office 2007 /
Privacy / Trust Center , Registry Keys:
HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\1
2.0\Common\QMEnable                                              CCE-184
GPO Settings:User Configuration / Administrative Templates /
Classic Administrative Templates / Microsoft Office 2007 /
Privacy / Trust Center , Registry Keys:
HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\1
2.0\Common\UpdateReliabilityData                                 CCE-276



GPO Settings:User Configuration / Administrative Templates /
Classic Administrative Templates / Microsoft Office 2007
system / Tools / Options / General / Service Options / Online
Content , Registry Keys:
HKEY_CURRENT_USER\Softtware\Polices\Microsoft\Office\1
2.0\Common\Internet\UseOnlineContent                             CCE-967
GPO Settings:User Configuration / Administrative Templates /
Classic Administrative Templates / Microsoft Office Access
2007 / Application Settings / Security / Trust Center , Registry
Keys:
HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\1
2.0\Access\Security\VBAWarnings                                    CCE-427




2007: GPO Settings:User Configuration / Administrative
Templates / Classic Administrative Templates / Microsoft
Office Excel 2007 / Excel Options / Security / Trust Center ,
Registry Keys:
HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\1
2.0\Excel\Security\VBAWarnings                                     CCE-649
2007GPO Settings:User Configuration / Administrative
Templates / Classic Administrative Templates / Microsoft
Office Excel 2007 / Excel Options / Security / Trust Center ,
Registry Keys:
HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\1
2.0\Excel\Security\AccessVBOM 2003: (1) Computer
Configuration\Administrative Templates\Microsoft Office
2003\Security Settings\Excel: Trust access to Visual Basic
Project (2)
HKLM\Software\Policies\Microsoft\Office\11.0\Excel\Security -
AccessVBOM (3) User Configuration\Administrative
Templates\Microsoft Office Excel
2003\Tools\Macros\Security\Trust access to Visual Basic
Project (4)
HKCU\Software\Policies\Microsoft\Office\11.0\Excel\Security -
AccessVBOM                                                         CCE-862
GPO Settings:User Configuration / Administrative Templates /
Classic Administrative Templates / Microsoft Office
PowerPoint 2007 / PowerPoint Options / Security / Trust
Center , Registry Keys:
HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\1
2.0\PowerPoint\Security\VBAWarnings                            CCE-567
GPO Settings:User Configuration / Administrative Templates /
Classic Administrative Templates / Microsoft Office
PowerPoint 2007 / PowerPoint Options / Security / Trust
Center , Registry Keys:
HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\1
2.0\PowerPoint\Security\AccessVBOM                             CCE-68
(1) User Configuration\Administrative Templates\Classic
Administrative Templates\Microsoft Office Outlook
2007\Security\Disable Remember Passwords (2)
HKCU\Software\Policies\Microsoft\Office\12.0\Outlook\Securit
y\EnableRememberPwd                                            CCE-537




(1) User Configuration\Administrative Templates\Classic
Administrative Templates\Microsoft Office Outlook
2007\Security\Configure Add-In Trust Level (2)
HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\1
2.0\Outlook\Security\AddinTrust                                CCE-786

                                                               CCE-937

GPO Settings:User Configuration / Administrative Templates /
Classic Administrative Templates / Microsoft Office Outlook
2007 / Security / Cryptography , Registry Keys:
HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\1
2.0\Outlook\Security\MinEncKey                                 CCE-13

GPO Settings:User Configuration / Administrative Templates /
Classic Administrative Templates / Microsoft Office Outlook
2007 / Security / Cryptography , Registry Keys:
HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\1
2.0\Outlook\Security\SupressNameChecks                         CCE-316
2007: GPO Settings:User Configuration / Administrative
Templates / Classic Administrative Templates / Microsoft
Office Outlook 2007 / Security / Cryptography , Registry Keys:
HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\1
2.0\Outlook\Security\ClearSign 2003: (1) User
Configuration\Administrative Templates\Microsoft Office
Outlook 2003\Tools\Options\Security\Cryptography\Send all
signed messages as clear signed messages (2)
HKCU\Software\Policies\Microsoft\Office\11.0\Outlook\Securit
y - ClearSign                                                     CCE-14

GPO Settings:User Configuration / Administrative Templates /
Classic Administrative Templates / Microsoft Office Outlook
2007 / Security / Cryptography , Registry Keys:
HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\1
2.0\Outlook\Security\RequestSecureReceipt                         CCE-153


2007: GPO Settings:User Configuration / Administrative
Templates / Classic Administrative Templates / Microsoft
Office Outlook 2007 / Security / Cryptography , Registry Keys:
HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\1
2.0\Outlook\Security\PublishToGalDisabled 2003: (1) User
Configuration\Administrative Templates\Microsoft Office
Outlook 2003\Tools\Options\Security\Cryptography\Disable
'Publish to GAL' button (2)
HKCU\Software\Policies\Microsoft\office\11.0\outlook\Security -
PublishToGalDisabled                                              CCE-345


2007: GPO Settings:User Configuration / Administrative
Templates / Classic Administrative Templates / Microsoft
Office Outlook 2007 / Security / Cryptography , Registry Keys:
HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\1
2.0\Outlook\Security\WarnAboutInvalid 2003: (1) User
Configuration\Administrative Templates\Microsoft Office
Outlook 2003\Tools\Options\Security\Cryptography\Signature
Warning (2)
HKCU\Software\Policies\Microsoft\Office\11.0\Outlook\Securit
y - WarnAboutInvalid                                              CCE-700
2007: GPO Settings:User Configuration / Administrative
Templates / Classic Administrative Templates / Microsoft
Office Outlook 2007 / Security / Cryptography , Registry Keys:
HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\1
2.0\Outlook\Security\ConvertSMIMEBlobSignedIcons 2003:
(1) User Configuration\Administrative Templates\Microsoft
Office Outlook
2003\Tools\Options\Security\Cryptography\Enable
cryptography icons (2)
HKCU\Software\Policies\Microsoft\Office\11.0\Outlook\Securit
y - ConvertSMIMEBlobSignedIcons                                  CCE-695


GPO Settings:User Configuration / Administrative Templates /
Classic Administrative Templates / Microsoft Office Outlook
2007 / Security / Cryptography / Signature Status Dialog Box ,
Registry Keys:
HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\1
2.0\Outlook\Security\UseCRLChasing                               CCE-395




GPO Settings:User Configuration / Administrative Templates /
Classic Administrative Templates / Microsoft Office Word
2007 / Word Options / Security / Trust Center , Registry Keys:
HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\1
2.0\Word\Security\VBAWarnings                                    CCE-659
2007: GPO Settings:User Configuration / Administrative
Templates / Classic Administrative Templates / Microsoft
Office Word 2007 / Word Options / Security / Trust Center ,
Registry Keys:
HKEY_CURRENT_USER\Software\Policies\Policies\Microsoft\
Office\12.0\Word\Security\AccessVBOM 2003: (1) Computer
Configuration\Administrative Templates\Microsoft Office
2003\Security Settings\Word: Trust access to Visual Basic
Project (2)
HKLM\Software\Policies\Microsoft\Office\11.0\Word\Security -
AccessVBOM (3) User Configuration\Administrative
Templates\Microsoft Office Word
2003\Tools\Macro\Security\Trust access to Visual Basic
Project (4)
HKCU\Software\Policies\Microsoft\Office\11.0\Word\Security -
AccessVBOM                                                       CCE-703
(1) Computer Configuration\Administrative Templates\Classic
Administrative Templates (ADM)\Microsoft Office Word
2007\Word Options\Security\Warn before printing, saving or
sending a file that contains tracked changes or comments (2)
HKLM\Software\Policies\Microsoft\Office\12.0\Word\Security\T
rusted Locations\fWarnRevisions_1805_1                           CCE-173
GPO Settings:User Configuration / Administrative Templates /
Classic Administrative Templates / Microsoft Office 2007 /
Miscellaneous , Registry Keys:
HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\C
ommon\OfficeUpdate\BlockUpdates                                  CCE-784
(1) User Configuration\Administrative Templates\Microsoft
Office Access 2007\Application Settings\Web
Options\General\Underline hyperlinks (2)
Software\Policies\Microsoft\Office\12.0\Access\Internet          CCE-1395
(1) User Configuration\Administrative Templates\Microsoft
Office Access 2007\Application
Settings\General\General\Number of documents in the Recent
Documents list (0-9) (2)
Software\Policies\Microsoft\Office\12.0\Access\Settings
                                                                 CCE-1137
(1) User Configuration\Administrative Templates\Microsoft
Office Access 2007\Application Settings\Security\Trust
Center\Disable Trust Bar Notification for unsigned application
add-ins (2)
Software\Policies\Microsoft\Office\12.0\Access\Security
                                                                 CCE-1423
(1) User Configuration\Administrative Templates\Microsoft
Office Access 2007\Application Settings\Security\Trust
Center\Disable all application add-ins (2)
Software\Policies\Microsoft\Office\12.0\Access\Security
                                                                 CCE-1238
(1) User Configuration\Administrative Templates\Microsoft
Office Access 2007\Application Settings\Security\Trust
Center\Require that application add-ins are signed by Trusted
Publisher (2)
Software\Policies\Microsoft\Office\12.0\Access\Security
                                                                 CCE-1476
(1) User Configuration\Administrative Templates\Microsoft
Office Access 2007\Application Settings\Security\Trust
Center\Trusted LocationsDisable all trusted locations (2)
Software\Policies\Microsoft\Office\12.0\Access\Security\Truste
d Locations
                                                                 CCE-1520
(1) User Configuration\Administrative Templates\Microsoft
Office Access 2007\Application Settings\Security\Trust
Center\Trusted Locations\Allow Trusted Locations not on the
computer (2)
Software\Policies\Microsoft\Office\12.0\Access\Security\Truste
d Locations
                                                                 CCE-780
(1) User Configuration\Administrative Templates\Microsoft
Office Access 2007\Application Settings\Security\Trust
Center\Trusted Locations\Modal Trust Decision Only (2)
Software\Policies\Microsoft\Office\12.0\Access\Security\Truste
d Locations
                                                                 CCE-1214
(1) User Configuration\Administrative Templates\Microsoft
Office Access 2007\Disable items in user
interface\Predefined\Disable commands (2)
Software\Policies\Microsoft\Office\12.0\Access\DisabledCmdB
arItemsCheckBoxes                                                CCE-1370
(1) User Configuration\Administrative Templates\Microsoft
Office Access 2007\Disable items in user
interface\Predefined\Disable commands - Office Button | E-
Mail (2)
Software\Policies\Microsoft\Office\12.0\Access\DisabledCmdB
arItemsCheckBoxes                                                CCE-1268
(1) User Configuration\Administrative Templates\Microsoft
Office Access 2007\Disable items in user
interface\Predefined\Disable commands - Office Button |
Access Options | Customize | All Commands | Insert Hyperlink
(2)
Software\Policies\Microsoft\Office\12.0\Access\DisabledCmdB
arItemsCheckBoxes                                                CCE-1400
(1) User Configuration\Administrative Templates\Microsoft
Office Access 2007\Disable items in user
interface\Predefined\Disable commands - Database Tools |
Database Tools | Encrypt with Password (2)
Software\Policies\Microsoft\Office\12.0\Access\DisabledCmdB
arItemsCheckBoxes
                                                                 CCE-1440
(1) User Configuration\Administrative Templates\Microsoft
Office Access 2007\Disable items in user
interface\Predefined\Disable commands - Database Tools |
Administer | Users and Permission | User and Group
Permissions (2)
Software\Policies\Microsoft\Office\12.0\Access\DisabledCmdB
arItemsCheckBoxes
                                                                 CCE-581
(1) User Configuration\Administrative Templates\Microsoft
Office Access 2007\Disable items in user
interface\Predefined\Disable commands - Database Tools |
Administer | Users and Permissions | User and Group
Accounts (2)
Software\Policies\Microsoft\Office\12.0\Access\DisabledCmdB
arItemsCheckBoxes
                                                                CCE-1480
(1) User Configuration\Administrative Templates\Microsoft
Office Access 2007\Disable items in user
interface\Predefined\Disable commands - Database Tools |
Administer | Users and Permission | User-Level Security
Wizard... (2)
Software\Policies\Microsoft\Office\12.0\Access\DisabledCmdB
arItemsCheckBoxes
                                                                CCE-1489
(1) User Configuration\Administrative Templates\Microsoft
Office Access 2007\Disable items in user
interface\Predefined\Disable commands - Database Tools |
Database Tools | Encode/Decode Database (2)
Software\Policies\Microsoft\Office\12.0\Access\DisabledCmdB
arItemsCheckBoxes
                                                                CCE-1392
(1) User Configuration\Administrative Templates\Microsoft
Office Access 2007\Disable items in user
interface\Predefined\Disable commands - Database Tools |
Macro | Visual Basic (2)
Software\Policies\Microsoft\Office\12.0\Access\DisabledCmdB
arItemsCheckBoxes                                               CCE-1414
(1) User Configuration\Administrative Templates\Microsoft
Office Access 2007\Disable items in user
interface\Predefined\Disable commands - Database Tools |
Macro | Run Macro (2)
Software\Policies\Microsoft\Office\12.0\Access\DisabledCmdB
arItemsCheckBoxes                                               CCE-1418
(1) User Configuration\Administrative Templates\Microsoft
Office Access 2007\Disable items in user
interface\Predefined\Database Tools | Macro | Convert Macros
to Visual Basic (2)
Software\Policies\Microsoft\Office\12.0\Access\DisabledCmdB
arItemsCheckBoxes                                               CCE-1405
(1) User Configuration\Administrative Templates\Microsoft
Office Access 2007\Disable items in user
interface\Predefined\Database Tools | Macro | Create Shortcut
Menu from Macro (2)
Software\Policies\Microsoft\Office\12.0\Access\DisabledCmdB
arItemsCheckBoxes                                               CCE-1550
(1) User Configuration\Administrative Templates\Microsoft
Office Access 2007\Disable items in user
interface\Predefined\Disable shortcut keys (2)
Software\Policies\Microsoft\Office\12.0\Access\DisabledShortc
utKeysCheckBoxes                                                CCE-1075
(1) User Configuration\Administrative Templates\Microsoft
Office Access 2007\Disable items in user
interface\Predefined\Disable commands - Ctrl+K (Office
Button | Access Options | Customize | All Commands | Insert
Hyperlinks) (2)
Software\Policies\Microsoft\Office\12.0\Access\DisabledShortc
utKeysCheckBoxes

                                                                CCE-709
(1) User Configuration\Administrative Templates\Microsoft
Office Access 2007\Disable items in user
interface\Predefined\Disable commands - Alt+F11 (Database
Tools | Macro | Visual Basic) (2)
Software\Policies\Microsoft\Office\12.0\Access\DisabledShortc
utKeysCheckBoxes                                                CCE-1502
(1) User Configuration\Administrative Templates\Microsoft
Office Access 2007\Miscellaneous\Default file format (Access
2007 | Access 2002-2003) (2)
Software\Policies\Microsoft\Office\12.0\Access\Settings

                                                                CCE-1260
(1) User Configuration\Administrative Templates\Microsoft
Office Access 2007\Miscellaneous\Do not prompt to convert
older databases (2)
Software\Policies\Microsoft\Office\12.0\Access\Settings
                                                                CCE-1510
(1) User Configuration\Administrative Templates\Microsoft
Office Excel 2007\Excel Options\Proofing\Autocorrect
Options\Internet and network paths as hyperlinks (2)
Software\Policies\Microsoft\Office\12.0\Excel\Options

                                                                CCE-1532
(1) User Configuration\Administrative Templates\Microsoft
Office Excel 2007\Excel Options\Save\Save Excel files as
(Excel Workbook (*.xlsx) | Excel Macro-Enabled Workbook
(*.xlsm) | Excel Binary Workbook (*.xlsb) | Web Page (*.htm;
*.html) | Excel 97-2003 Workbook (*.xls) | Excel 5.0/95
Workbook (*.xls)) (2)
Software\Policies\Microsoft\Office\12.0\Excel\Options




                                                                CCE-1039
(1) User Configuration\Administrative Templates\Microsoft
Office Excel 2007\Excel Options\Save\Disable AutoRepublish
(2) Software\Policies\Microsoft\Office\12.0\Excel\Options
                                                                CCE-1295
(1) User Configuration\Administrative Templates\Microsoft
Office Excel 2007\Excel Options\Save\AutoRepublish Warning
Alert (Always show the alert before publishing | Never show
the alert before publishing) (2)
Software\Policies\Microsoft\Office\12.0\Excel\Options


                                                                    CCE-1334
(1) User Configuration\Administrative Templates\Microsoft
Office Excel 2007\Excel Options\Security\Determine whether
to force encrypted macros to be scanned in Microsoft Excel
Open XML workbooks (2)
Software\Policies\Microsoft\Office\12.0\Excel\Security

                                                                    CCE-1308
(1) User Configuration\Administrative Templates\Microsoft
Office Excel 2007\Excel Options\Security\Force file extension
to match file type (Allow different | Allow different, but warn |
Always match file type) (2)
Software\Policies\Microsoft\Office\12.0\Excel\Security

                                                                    CCE-616
(1) User Configuration\Administrative Templates\Microsoft
Office Excel 2007\Excel Options\Security\Trust Center\Store
macro in Personal Macro Workbook by default (2)
Software\Policies\Microsoft\Office\12.0\Excel\Security
                                                                    CCE-1246
(1) User Configuration\Administrative Templates\Microsoft
Office Excel 2007\Excel Options\Security\Trust Center\Disable
all application add-ins (2)
Software\Policies\Microsoft\Office\12.0\Excel\Security
                                                                    CCE-1251
(1) User Configuration\Administrative Templates\Microsoft
Office Excel 2007\Excel Options\Security\Trust
Center\Require that application add-ins are signed by Trusted
Publisher (2)
Software\Policies\Microsoft\Office\12.0\Excel\Security
                                                                    CCE-1524
(1) User Configuration\Administrative Templates\Microsoft
Office Excel 2007\Excel Options\Security\Trust Center\Disable
Trust Bar Notification for unsigned application add-ins (2)
Software\Policies\Microsoft\Office\12.0\Excel\Security

                                                                    CCE-1422
(1) User Configuration\Administrative Templates\Microsoft
Office Excel 2007\Excel Options\Security\Trust Center\Trusted
LocationsAllow Trusted Locations not on the computer (2)
Software\Policies\Microsoft\Office\12.0\Excel\Security\Trusted
Locations
                                                                    CCE-1444
(1) User Configuration\Administrative Templates\Microsoft
Office Excel 2007\Excel Options\Security\Trust Center\Trusted
LocationsDisable all trusted locations (2)
Software\Policies\Microsoft\Office\12.0\Excel\Security\Trusted
Locations                                                        CCE-1449
(1) User Configuration\Administrative Templates\Microsoft
Office Excel 2007\Excel Options\Advanced\Ignore other
applications (2)
Software\Policies\Microsoft\Office\12.0\Excel\Options\BinaryO
ptions                                                           CCE-1471
(1) User Configuration\Administrative Templates\Microsoft
Office Excel 2007\Excel Options\Advanced\Ask to update
automatic links (2)
Software\Policies\Microsoft\Office\12.0\Excel\Options            CCE-1119
(1) User Configuration\Administrative Templates\Microsoft
Office Excel 2007\Excel Options\Advanced\Number of
documents in the Recent Documents list (0-17) (2)
Software\Policies\Microsoft\Office\12.0\Excel\File MRU

                                                                 CCE-1378
(1) User Configuration\Administrative Templates\Microsoft
Office Excel 2007\Excel Options\Advanced\Web
Options…\GeneralSave any additional data necessary to
maintain formulas (2)
Software\Policies\Microsoft\Office\12.0\Excel\Internet
                                                                 CCE-1277
(1) User Configuration\Administrative Templates\Microsoft
Office Excel 2007\Excel Options\Advanced\Web
Options…\GeneralLoad pictures from Web pages not created
in Excel (2)
Software\Policies\Microsoft\Office\12.0\Excel\Internet           CCE-1464
(1) User Configuration\Administrative Templates\Microsoft
Office Excel 2007\Data Recovery\Do not show data extraction
options when opening corrupt workbooks (2)
Software\Policies\Microsoft\Office\12.0\Excel\Options

                                                                 CCE-1094
(1) User Configuration\Administrative Templates\Microsoft
Office Excel 2007\Data Recovery\Assume structured storage
format of workbook is intact when recovering data (2)
Software\Policies\Microsoft\Office\12.0\Excel\Options

                                                                 CCE-1129
(1) User Configuration\Administrative Templates\Microsoft
Office Excel 2007\Data Recovery\Corrupt formula conversion
(Convert unrecoverable references to: values | #REF or
#NAME) (2)
Software\Policies\Microsoft\Office\12.0\Excel\Options

                                                                 CCE-1389
(1) User Configuration\Administrative Templates\Microsoft
Office Excel 2007\Data Access Security\Connection File
Locations (2)
Software\Policies\Microsoft\Office\Common\Server
Links\Published                                                 CCE-1433
(1) User Configuration\Administrative Templates\Microsoft
Office Excel 2007\Data Access Security\Automatic Query
Refresh (Prompt for all workbooks | Do not prompt; do not
allow auto refresh | Do not prompt; allow auto refresh) (2)
Software\Policies\Microsoft\Office\Common\Server
Links\Published


                                                                CCE-1323
(1) User Configuration\Administrative Templates\Microsoft
Office Excel 2007\Disable items in user
interface\Predefined\Disable commands (2)
Software\Policies\Microsoft\Office\12.0\Excel\DisabledCmdBar
ItemsCheckBoxes                                                 CCE-1469
(1) User Configuration\Administrative Templates\Microsoft
Office Excel 2007\Disable items in user
interface\Predefined\Disable commands - Office Button | Excel
Options | Customize | All Commands | Save as Web Page (2)
Software\Policies\Microsoft\Office\12.0\Excel\DisabledCmdBar
ItemsCheckBoxes
                                                                CCE-1473
(1) User Configuration\Administrative Templates\Microsoft
Office Excel 2007\Disable items in user
interface\Predefined\Disable commands - Office Button | Excel
Options | Customize | All Commands | Web Page Preview (2)
Software\Policies\Microsoft\Office\12.0\Excel\DisabledCmdBar
ItemsCheckBoxes
                                                                CCE-1499
(1) User Configuration\Administrative Templates\Microsoft
Office Excel 2007\Disable items in user
interface\Predefined\Disable commands - Office Button | Send
| Email (2)
Software\Policies\Microsoft\Office\12.0\Excel\DisabledCmdBar
ItemsCheckBoxes                                                 CCE-1024
(1) User Configuration\Administrative Templates\Microsoft
Office Excel 2007\Disable items in user
interface\Predefined\Disable commands - Insert | Links |
Hyperlink (2)
Software\Policies\Microsoft\Office\12.0\Excel\DisabledCmdBar
ItemsCheckBoxes                                                 CCE-1530
(1) User Configuration\Administrative Templates\Microsoft
Office Excel 2007\Disable items in user
interface\Predefined\Disable commands - Review | Changes |
Protect Sheet (2)
Software\Policies\Microsoft\Office\12.0\Excel\DisabledCmdBar
ItemsCheckBoxes                                                 CCE-1120
(1) User Configuration\Administrative Templates\Microsoft
Office Excel 2007\Disable items in user
interface\Predefined\Disable commands - Review | Changes |
Protect Workbook (2)
Software\Policies\Microsoft\Office\12.0\Excel\DisabledCmdBar
ItemsCheckBoxes                                                 CCE-1252
(1) User Configuration\Administrative Templates\Microsoft
Office Excel 2007\Disable items in user
interface\Predefined\Disable commands - Review | Changes |
Protect and Share Workbook (2)
Software\Policies\Microsoft\Office\12.0\Excel\DisabledCmdBar
ItemsCheckBoxes                                                 CCE-1151
(1) User Configuration\Administrative Templates\Microsoft
Office Excel 2007\Disable items in user
interface\Predefined\Disable commands - View | Macros |
Macros (2)
Software\Policies\Microsoft\Office\12.0\Excel\DisabledCmdBar
ItemsCheckBoxes                                                 CCE-1301
(1) User Configuration\Administrative Templates\Microsoft
Office Excel 2007\Disable items in user
interface\Predefined\Disable commands - Developer | Code |
Macros (2)
Software\Policies\Microsoft\Office\12.0\Excel\DisabledCmdBar
ItemsCheckBoxes                                                 CCE-1310
(1) User Configuration\Administrative Templates\Microsoft
Office Excel 2007\Disable items in user
interface\Predefined\Disable commands - Developer | Code |
Record Macro (2)
Software\Policies\Microsoft\Office\12.0\Excel\DisabledCmdBar
ItemsCheckBoxes                                                 CCE-1213
(1) User Configuration\Administrative Templates\Microsoft
Office Excel 2007\Disable items in user
interface\Predefined\Disable commands - Developer | Code |
Macro Security (2)
Software\Policies\Microsoft\Office\12.0\Excel\DisabledCmdBar
ItemsCheckBoxes                                                 CCE-1362
(1) User Configuration\Administrative Templates\Microsoft
Office Excel 2007\Disable items in user
interface\Predefined\Disable commands - Developer | Code |
Visual Basic (2)
Software\Policies\Microsoft\Office\12.0\Excel\DisabledCmdBar
ItemsCheckBoxes                                                 CCE-1156
(1) User Configuration\Administrative Templates\Microsoft
Office Excel 2007\Disable items in user
interface\Predefined\Disable commands - Office Button | Excel
Options | Customize | All Commands | Document Location (2)
Software\Policies\Microsoft\Office\12.0\Excel\DisabledCmdBar
ItemsCheckBoxes
                                                                CCE-1429
(1) User Configuration\Administrative Templates\Microsoft
Office Excel 2007\Disable items in user
interface\Predefined\Disable shortcut keys (2)
Software\Policies\Microsoft\Office\12.0\Excel\DisabledShortcut
KeysCheckBoxes                                                   CCE-1182
(1) User Configuration\Administrative Templates\Microsoft
Office Excel 2007\Disable items in user
interface\Predefined\Disable shortcut keys - Ctrl+K (Insert |
Links | Hyperlink) (2)
Software\Policies\Microsoft\Office\12.0\Excel\DisabledShortcut
KeysCheckBoxes                                                   CCE-1525
(1) User Configuration\Administrative Templates\Microsoft
Office Excel 2007\Disable items in user
interface\Predefined\Disable shortcut keys - Alt+F8 (Developer
| Code | Macros) (2)
Software\Policies\Microsoft\Office\12.0\Excel\DisabledShortcut
KeysCheckBoxes                                                   CCE-1547
(1) User Configuration\Administrative Templates\Microsoft
Office Excel 2007\Disable items in user
interface\Predefined\Disable shortcut keys - Alt+F11
(Developer | Code | Visual Basic) (2)
Software\Policies\Microsoft\Office\12.0\Excel\DisabledShortcut
KeysCheckBoxes                                                   CCE-1300
(1) User Configuration\Administrative Templates\Microsoft
Office Excel 2007\Block file formats\Open\Block opening of
pre-release versions of file formats new to Excel 2007 (2)
Software\Policies\Microsoft\Office\12.0\Excel\Security\FileOpe
nBlock
                                                                 CCE-1331
(1) User Configuration\Administrative Templates\Microsoft
Office Excel 2007\Block file formats\Open\Block opening of
Open XML file types (2)
Software\Policies\Microsoft\Office\12.0\Excel\Security\FileOpe
nBlock                                                           CCE-1468
(1) User Configuration\Administrative Templates\Microsoft
Office Excel 2007\Block file formats\Open\Block opening of
Binary 12 file types (2)
Software\Policies\Microsoft\Office\12.0\Excel\Security\FileOpe
nBlock                                                           CCE-1490
(1) User Configuration\Administrative Templates\Microsoft
Office Excel 2007\Block file formats\Open\Block opening of
Binary file types (2)
Software\Policies\Microsoft\Office\12.0\Excel\Security\FileOpe
nBlock                                                           CCE-1512
(1) User Configuration\Administrative Templates\Microsoft
Office Excel 2007\Block file formats\Open\Block opening of
Html and Xmlss files types (2)
Software\Policies\Microsoft\Office\12.0\Excel\Security\FileOpe
nBlock                                                           CCE-1543
(1) User Configuration\Administrative Templates\Microsoft
Office Excel 2007\Block file formats\Open\Block opening of
Xml file types (2)
Software\Policies\Microsoft\Office\12.0\Excel\Security\FileOpe
nBlock                                                           CCE-1195
(1) User Configuration\Administrative Templates\Microsoft
Office Excel 2007\Block file formats\Open\Block opening of
DIF and SYLK file types (2)
Software\Policies\Microsoft\Office\12.0\Excel\Security\FileOpe
nBlock                                                           CCE-554
(1) User Configuration\Administrative Templates\Microsoft
Office Excel 2007\Block file formats\Open\Block opening of
Text file types (2)
Software\Policies\Microsoft\Office\12.0\Excel\Security\FileOpe
nBlock                                                           CCE-1415
(1) User Configuration\Administrative Templates\Microsoft
Office Excel 2007\Block file formats\Open\Block opening of Xll
file type (2)
Software\Policies\Microsoft\Office\12.0\Excel\Security\FileOpe
nBlock                                                           CCE-1437
(1) User Configuration\Administrative Templates\Microsoft
Office Excel 2007\Block file formats\Save\Block saving of
Open Xml file types (2)
Software\Policies\Microsoft\Office\12.0\Excel\Security\FileSav
eBlock                                                           CCE-1446
(1) User Configuration\Administrative Templates\Microsoft
Office Excel 2007\Block file formats\Save\Block saving of
Binary12 file types (2)
Software\Policies\Microsoft\Office\12.0\Excel\Security\FileSav
eBlock                                                           CCE-1098
(1) User Configuration\Administrative Templates\Microsoft
Office Excel 2007\Block file formats\Save\Block saving of
Binary file types (2)
Software\Policies\Microsoft\Office\12.0\Excel\Security\FileSav
eBlock                                                           CCE-562
(1) User Configuration\Administrative Templates\Microsoft
Office Excel 2007\Block file formats\Save\Block saving of Html
and Xmlss file types (2)
Software\Policies\Microsoft\Office\12.0\Excel\Security\FileSav
eBlock                                                           CCE-1507
(1) User Configuration\Administrative Templates\Microsoft
Office Excel 2007\Block file formats\Save\Block saving Xml
file types (2)
Software\Policies\Microsoft\Office\12.0\Excel\Security\FileSav
eBlock                                                           CCE-1406
(1) User Configuration\Administrative Templates\Microsoft
Office Excel 2007\Block file formats\Save\Block saving DIF
and SYLK file types (2)
Software\Policies\Microsoft\Office\12.0\Excel\Security\FileSav
eBlock                                                           CCE-573
(1) User Configuration\Administrative Templates\Microsoft
Office Excel 2007\Block file formats\Save\Block saving of Text
file types (2)
Software\Policies\Microsoft\Office\12.0\Excel\Security\FileSav
eBlock                                                            CCE-1336
(1) User Configuration\Administrative Templates\Microsoft
Office Excel 2007\Miscellaneous\Locally cache network file
storages (2)
Software\Policies\Microsoft\Office\12.0\Excel\Options
                                                                  CCE-1230
(1) User Configuration\Administrative Templates\Microsoft
Office Excel 2007\Miscellaneous\Locally cache PivotTable
reports (2)
Software\Policies\Microsoft\Office\12.0\Excel\Options
                                                                  CCE-1375
(1) User Configuration\Administrative Templates\Microsoft
Office Excel 2007\Miscellaneous\OLAP PivotTable User
Defined Function (UDF) security setting (Allow ALL UDFs |
Allow safe UDFs only | Allow NO UDFs) (2)
Software\Policies\Microsoft\Office\12.0\Excel\Options


                                                                  CCE-1380
(1) User Configuration\Administrative Templates\Microsoft
Office Excel 2007\Miscellaneous\Recognize SmartTags (2)
Software\Policies\Microsoft\Office\12.0\Excel\Options
                                                                  CCE-1376
(1) User Configuration\Administrative Templates\Microsoft
Office InfoPath 2007\Tools | Options\General\Number of
documents in the Recent Documents list (0 - 9) (2)
Software\Policies\Microsoft\Office\12.0\InfoPath

                                                                  CCE-1398
(1) User Configuration\Administrative Templates\Microsoft
Office InfoPath 2007\Tools | Options\Advanced\Offline\Offline
Mode status (Disabled | Enabled, InfoPath in Offline Mode |
Enabled, InfoPath not in Offline Mode) (2)
Software\Policies\Microsoft\Office\12.0\InfoPath\Editor\Offline


                                                                  CCE-569
(1) User Configuration\Administrative Templates\Microsoft
Office InfoPath 2007\Disable items in user
interface\Predefined\Disable commands (2)
Software\Policies\Microsoft\Office\12.0\InfoPath\DisabledCmd
BarItemsCheckBoxes                                                CCE-1065
(1) User Configuration\Administrative Templates\Microsoft
Office InfoPath 2007\Disable items in user
interface\Predefined\Disable commands - File | Print (2)
Software\Policies\Microsoft\Office\12.0\InfoPath\DisabledCmd
BarItemsCheckBoxes                                                CCE-1361
(1) User Configuration\Administrative Templates\Microsoft
Office InfoPath 2007\Disable items in user
interface\Predefined\Disable commands - File | Send to Mail
Recipient (2)
Software\Policies\Microsoft\Office\12.0\InfoPath\DisabledCmd
BarItemsCheckBoxes                                               CCE-1096
(1) User Configuration\Administrative Templates\Microsoft
Office InfoPath 2007\Disable items in user
interface\Predefined\Disable commands - File | Open from
SharePoint Site (2)
Software\Policies\Microsoft\Office\12.0\InfoPath\DisabledCmd
BarItemsCheckBoxes                                               CCE-1391
(1) User Configuration\Administrative Templates\Microsoft
Office InfoPath 2007\Disable items in user
interface\Predefined\Disable commands - File | Print Preview
(2)
Software\Policies\Microsoft\Office\12.0\InfoPath\DisabledCmd
BarItemsCheckBoxes                                               CCE-1519
(1) User Configuration\Administrative Templates\Microsoft
Office InfoPath 2007\Disable items in user
interface\Predefined\Disable commands - File | Page Setup
(2)
Software\Policies\Microsoft\Office\12.0\InfoPath\DisabledCmd
BarItemsCheckBoxes                                               CCE-1523
(1) User Configuration\Administrative Templates\Microsoft
Office InfoPath 2007\Disable items in user
interface\Predefined\Disable commands - Insert | Hyperlinks...
(2)
Software\Policies\Microsoft\Office\12.0\InfoPath\DisabledCmd
BarItemsCheckBoxes                                               CCE-1171
(1) User Configuration\Administrative Templates\Microsoft
Office InfoPath 2007\Disable items in user
interface\Predefined\Disable commands - Tools | Set
Language (2)
Software\Policies\Microsoft\Office\12.0\InfoPath\DisabledCmd
BarItemsCheckBoxes                                               CCE-1457
(1) User Configuration\Administrative Templates\Microsoft
Office InfoPath 2007\Disable items in user
interface\Predefined\Disable commands - Tools | Customize...
(2)
Software\Policies\Microsoft\Office\12.0\InfoPath\DisabledCmd
BarItemsCheckBoxes                                               CCE-1426
(1) User Configuration\Administrative Templates\Microsoft
Office InfoPath 2007\Disable items in user
interface\Predefined\Disable commands - Tools | Options... (2)
Software\Policies\Microsoft\Office\12.0\InfoPath\DisabledCmd
BarItemsCheckBoxes
                                                                 CCE-805
(1) User Configuration\Administrative Templates\Microsoft
Office InfoPath 2007\Disable items in user
interface\Predefined\Disable commands - Help | Microsoft
Office Online (2)
Software\Policies\Microsoft\Office\12.0\InfoPath\DisabledCmd
BarItemsCheckBoxes                                               CCE-1453
(1) User Configuration\Administrative Templates\Microsoft
Office InfoPath 2007\Disable items in user
interface\Predefined\Disable commands - Office Diagnostics
(2)
Software\Policies\Microsoft\Office\12.0\InfoPath\DisabledCmd
BarItemsCheckBoxes                                               CCE-1351
(1) User Configuration\Administrative Templates\Microsoft
Office InfoPath 2007\Disable items in user
interface\Predefined\Disable commands - Help | Activate
Product... (2)
Software\Policies\Microsoft\Office\12.0\InfoPath\DisabledCmd
BarItemsCheckBoxes                                               CCE-620
(1) User Configuration\Administrative Templates\Microsoft
Office InfoPath 2007\Disable items in user
interface\Predefined\Disable commands - Print Default (2)
Software\Policies\Microsoft\Office\12.0\InfoPath\DisabledCmd
BarItemsCheckBoxes                                               CCE-1017
(1) User Configuration\Administrative Templates\Microsoft
Office InfoPath 2007\Disable items in user
interface\Predefined\Disable shortcut keys (2)
Software\Policies\Microsoft\Office\12.0\InfoPath\DisabledShort
cutKeysCheckBoxes                                                CCE-1021
(1) User Configuration\Administrative Templates\Microsoft
Office InfoPath 2007\Disable items in user
interface\Predefined\Disable shortcut keys - Print Shortcut
(Ctrl+P) (2)
Software\Policies\Microsoft\Office\12.0\InfoPath\DisabledShort
cutKeysCheckBoxes                                                CCE-1299
(1) User Configuration\Administrative Templates\Microsoft
Office InfoPath 2007\Disable items in user
interface\Predefined\Disable shortcut keys - Insert Hyperlink
Shortcut (Ctrl+K) (2)
Software\Policies\Microsoft\Office\12.0\InfoPath\DisabledShort
cutKeysCheckBoxes                                                CCE-1197
(1) User Configuration\Administrative Templates\Microsoft
Office InfoPath 2007\Security\Control behavior for Windows
SharePoint Services gradual upgrade (Allow redirections to
any location | Allow redirections to Intranet only | Block all
redirections) (2)
Software\Policies\Microsoft\Office\12.0\InfoPath\Security




                                                                 CCE-704
(1) User Configuration\Administrative Templates\Microsoft
Office InfoPath 2007\Security\Disable opening of solutions
from the Internet security zone (2)
Software\Policies\Microsoft\Office\12.0\InfoPath\Security

                                                                     CCE-1105
(1) User Configuration\Administrative Templates\Microsoft
Office InfoPath 2007\Security\Disable fully trusted solutions full
access to computer (2)
Software\Policies\Microsoft\Office\12.0\InfoPath\Security
                                                                     CCE-1114
(1) User Configuration\Administrative Templates\Microsoft
Office InfoPath 2007\Security\Allow the use of ActiveX Custom
Controls in InfoPath forms (2)
Software\Policies\Microsoft\Office\12.0\InfoPath

                                                                     CCE-761
(1) User Configuration\Administrative Templates\Microsoft
Office InfoPath 2007\Security\Run forms in restricted mode if
they do not specify a publish location and use only features
introduced before InfoPath 2003 SP1 (2)
Software\Policies\Microsoft\Office\12.0\InfoPath\Security



                                                                     CCE-739
(1) User Configuration\Administrative Templates\Microsoft
Office InfoPath 2007\Security\Allow file types as attachments
to forms (2)
Software\Policies\Microsoft\Office\12.0\InfoPath\Security
                                                                     CCE-1259
(1) User Configuration\Administrative Templates\Microsoft
Office InfoPath 2007\Security\Block specific file types as
attachments to forms (2)
Software\Policies\Microsoft\Office\12.0\InfoPath\Security
                                                                     CCE-1267
(1) User Configuration\Administrative Templates\Microsoft
Office InfoPath 2007\Security\Prevent users from allowing
unsafe file types to be attached to forms (2)
Software\Policies\Microsoft\Office\12.0\InfoPath\Security

                                                                     CCE-1060
(1) User Configuration\Administrative Templates\Microsoft
Office InfoPath 2007\Security\Display a warning that a form is
digitally signed (2)
Software\Policies\Microsoft\Office\12.0\InfoPath\Security
                                                                     CCE-955
(1) User Configuration\Administrative Templates\Microsoft
Office InfoPath 2007\Security\Control behavior when opening
forms in the Internet security zone (Block | Prompt | Allow) (2)
Software\Policies\Microsoft\Office\12.0\InfoPath\Open
Behaviors

                                                                   CCE-1479
(1) User Configuration\Administrative Templates\Microsoft
Office InfoPath 2007\Security\Control behavior when opening
forms in the Intranet security zone (Block | Prompt | Allow) (2)
Software\Policies\Microsoft\Office\12.0\InfoPath\Open
Behaviors

                                                                   CCE-1360
(1) User Configuration\Administrative Templates\Microsoft
Office InfoPath 2007\Security\Control behavior when opening
forms in the Local Machine security zone (Block | Prompt |
Allow) (2)
Software\Policies\Microsoft\Office\12.0\InfoPath\Open
Behaviors

                                                                   CCE-1386
(1) User Configuration\Administrative Templates\Microsoft
Office InfoPath 2007\Security\Control behavior when opening
forms in the Trusted Site security zone (Block | Prompt | Allow)
(2) Software\Policies\Microsoft\Office\12.0\InfoPath\Open
Behaviors

                                                                   CCE-893
(1) User Configuration\Administrative Templates\Microsoft
Office InfoPath 2007\Security\Beaconing UI for forms opened
in InfoPath (Never show beaconing UI | Always show
beaconing UI | Show UI if Form Template is from Internet
Zone) (2)
Software\Policies\Microsoft\Office\12.0\InfoPath\Security


                                                                   CCE-1290
(1) User Configuration\Administrative Templates\Microsoft
Office InfoPath 2007\Security\Beaconing UI for forms opened
in InfoPath Editor ActiveX (Never show beaconing UI | Always
show beaconing UI | Show UI if Form Template is from
Internet Zone) (2)
Software\Policies\Microsoft\Office\12.0\InfoPath\Security



                                                                   CCE-1381
(1) User Configuration\Administrative Templates\Microsoft
Office InfoPath 2007\Security\Trust Center\Disable all
application add-ins (2)
Software\Policies\Microsoft\Office\12.0\InfoPath\Security
                                                                  CCE-1135
(1) User Configuration\Administrative Templates\Microsoft
Office InfoPath 2007\Security\Trust Center\Require that
application add-ins are signed by Trusted Publisher (2)
Software\Policies\Microsoft\Office\12.0\InfoPath\Security

                                                                  CCE-1157
(1) User Configuration\Administrative Templates\Microsoft
Office InfoPath 2007\Security\Trust Center\Disable Trust Bar
Notification for unsigned application add-ins (2)
Software\Policies\Microsoft\Office\12.0\InfoPath\Security

                                                                  CCE-1434
(1) User Configuration\Administrative Templates\Microsoft
Office InfoPath 2007\Disable items in user interface\Control
behavior when opening InfoPath e-mail forms containing code
or script (Run without prompting | Prompt before running |
Never run) (2)
Software\Policies\Microsoft\Office\12.0\InfoPath\Security


                                                                  CCE-1315
(1) User Configuration\Administrative Templates\Microsoft
Office InfoPath 2007\Disable items in user interface\Disable
sending form template with e-mail forms (2)
Software\Policies\Microsoft\Office\12.0\InfoPath\Deployment

                                                                  CCE-1210
(1) User Configuration\Administrative Templates\Microsoft
Office InfoPath 2007\Disable items in user interface\Disable
dynamic caching of the form template in InfoPath e-mail forms
(2)
Software\Policies\Microsoft\Office\12.0\InfoPath\Deployment

                                                                  CCE-1236
(1) User Configuration\Administrative Templates\Microsoft
Office InfoPath 2007\Disable items in user interface\Disable
sending InfoPath 2003 Forms as e-mail forms (2)
Software\Policies\Microsoft\Office\12.0\InfoPath

                                                                  CCE-884
(1) User Configuration\Administrative Templates\Microsoft
Office InfoPath 2007\Disable items in user interface\Disable e-
mail forms running in restricted security level (2)
Software\Policies\Microsoft\Office\12.0\InfoPath\Security

                                                                  CCE-1518
(1) User Configuration\Administrative Templates\Microsoft
Office InfoPath 2007\Disable items in user interface\Disable e-
mail forms from the Internet security zone (2)
Software\Policies\Microsoft\Office\12.0\InfoPath\Security
                                                                  CCE-1170
(1) User Configuration\Administrative Templates\Microsoft
Office InfoPath 2007\Disable items in user interface\Disable e-
mail forms from the Intranet security zone (2)
Software\Policies\Microsoft\Office\12.0\InfoPath\Security
                                                                  CCE-1316
(1) User Configuration\Administrative Templates\Microsoft
Office InfoPath 2007\Disable items in user interface\Disable e-
mail forms from the Full Trust security zone (2)
Software\Policies\Microsoft\Office\12.0\InfoPath\Security

                                                                  CCE-1567
(1) User Configuration\Administrative Templates\Microsoft
Office InfoPath 2007\Disable items in user interface\Disable
InfoPath e-mail forms in Outlook (2)
Software\Policies\Microsoft\Office\12.0\Outlook\Options\Mail
                                                                  CCE-1265
(1) User Configuration\Administrative Templates\Microsoft
Office InfoPath 2007\Restricted Features\Information Rights
Management (2)
Software\Policies\Microsoft\Office\12.0\InfoPath\Designer\Rest
rictedFeatures                                                    CCE-1538
(1) User Configuration\Administrative Templates\Microsoft
Office InfoPath 2007\Restricted Features\Custom code (2)
Software\Policies\Microsoft\Office\12.0\InfoPath\Designer\Rest
rictedFeatures                                                    CCE-1564
(1) User Configuration\Administrative Templates\Microsoft
Office InfoPath 2007\Miscellaneous\Email Forms Beaconing
UI (Never show UI | Always show UI | Show UI if XSN is in
Internet Zone) (2)
Software\Policies\Microsoft\Office\12.0\InfoPath\Security


                                                                  CCE-1212
(1) User Configuration\Administrative Templates\Microsoft
Office 2007 system\Global Options\Customize\Disable user
customization of Quick Access Toolbar via UI (2)
Software\Policies\Microsoft\Office\12.0\Common\Toolbars

                                                                  CCE-1344
(1) User Configuration\Administrative Templates\Microsoft
Office 2007 system\Global Options\Customize\Disable user
customization of Quick Access Toolbar via UI - Disallow in
Word (2)
Software\Policies\Microsoft\Office\12.0\Common\Toolbars
                                                                  CCE-723
(1) User Configuration\Administrative Templates\Microsoft
Office 2007 system\Global Options\Customize\Disable user
customization of Quick Access Toolbar via UI - Disallow in
Excel (2)
Software\Policies\Microsoft\Office\12.0\Common\Toolbars
                                                                CCE-1384
(1) User Configuration\Administrative Templates\Microsoft
Office 2007 system\Global Options\Customize\Disable user
customization of Quick Access Toolbar via UI - Disallow in
PowerPoint (2)
Software\Policies\Microsoft\Office\12.0\Common\Toolbars

                                                                CCE-1159
(1) User Configuration\Administrative Templates\Microsoft
Office 2007 system\Global Options\Customize\Disable user
customization of Quick Access Toolbar via UI - Disallow in
Access (2)
Software\Policies\Microsoft\Office\12.0\Common\Toolbars
                                                                CCE-1146
(1) User Configuration\Administrative Templates\Microsoft
Office 2007 system\Global Options\Customize\Disable user
customization of Quick Access Toolbar via UI - Disallow in
Outlook (2)
Software\Policies\Microsoft\Office\12.0\Common\Toolbars
                                                                CCE-1542
(1) User Configuration\Administrative Templates\Microsoft
Office 2007 system\Global Options\Customize\Disable all user
customization of Quick Access Toolbar (2)
Software\Policies\Microsoft\Office\12.0\Common\Toolbars

                                                                CCE-582
(1) User Configuration\Administrative Templates\Microsoft
Office 2007 system\Global Options\Customize\Disable all user
customization of Quick Access Toolbar - Disallow in Word (2)
Software\Policies\Microsoft\Office\12.0\Common\Toolbars

                                                                CCE-1291
(1) User Configuration\Administrative Templates\Microsoft
Office 2007 system\Global Options\Customize\Disable all user
customization of Quick Access Toolbar - Disallow in Excel (2)
Software\Policies\Microsoft\Office\12.0\Common\Toolbars

                                                                CCE-1326
(1) User Configuration\Administrative Templates\Microsoft
Office 2007 system\Global Options\Customize\Disable all user
customization of Quick Access Toolbar - Disallow in
PowerPoint (2)
Software\Policies\Microsoft\Office\12.0\Common\Toolbars
                                                                CCE-1330
(1) User Configuration\Administrative Templates\Microsoft
Office 2007 system\Global Options\Customize\Disable all user
customization of Quick Access Toolbar - Disallow in Access
(2) Software\Policies\Microsoft\Office\12.0\Common\Toolbars

                                                               CCE-1335
(1) User Configuration\Administrative Templates\Microsoft
Office 2007 system\Global Options\Customize\Disable all user
customization of Quick Access Toolbar - Disallow in Outlook
(2) Software\Policies\Microsoft\Office\12.0\Common\Toolbars

                                                               CCE-1229
(1) User Configuration\Administrative Templates\Microsoft
Office 2007 system\Global Options\Customize\Disable UI
extending from documents and templates (2)
Software\Policies\Microsoft\Office\12.0\Common\Toolbars

                                                               CCE-630
(1) User Configuration\Administrative Templates\Microsoft
Office 2007 system\Global Options\Customize\Disable UI
extending from documents and templates - Disallow in Word
(2) Software\Policies\Microsoft\Office\12.0\Common\Toolbars

                                                               CCE-1154
(1) User Configuration\Administrative Templates\Microsoft
Office 2007 system\Global Options\Customize\Disable UI
extending from documents and templates - Disallow in Excel
(2) Software\Policies\Microsoft\Office\12.0\Common\Toolbars

                                                               CCE-1410
(1) User Configuration\Administrative Templates\Microsoft
Office 2007 system\Global Options\Customize\Disable UI
extending from documents and templates - Disallow in
PowerPoint (2)
Software\Policies\Microsoft\Office\12.0\Common\Toolbars
                                                               CCE-1432
(1) User Configuration\Administrative Templates\Microsoft
Office 2007 system\Global Options\Customize\Disable UI
extending from documents and templates - Disallow in Access
(2) Software\Policies\Microsoft\Office\12.0\Common\Toolbars

                                                               CCE-1198
(1) User Configuration\Administrative Templates\Microsoft
Office 2007 system\Global Options\Customize\Disable UI
extending from documents and templates - Disallow in
Outlook (2)
Software\Policies\Microsoft\Office\12.0\Common\Toolbars
                                                               CCE-929
(1) User Configuration\Administrative Templates\Microsoft
Office 2007 system\Tools | AutoCorrect Options... (Excel,
Word, PowerPoint and Access)\Recognize smart tags in Excel
(2) Software\Policies\Microsoft\Office\12.0\Excel\Options

                                                                 CCE-1074
(1) User Configuration\Administrative Templates\Microsoft
Office 2007 system\Tools | Options | General | Web
Options...\Disable Clip Art and Media downloads from the
client and from Office Online website (2)
Software\Policies\Microsoft\Office\12.0\Common\Internet
                                                                 CCE-1458
(1) User Configuration\Administrative Templates\Microsoft
Office 2007 system\Tools | Options | General | Web
Options...\Disable template downloads from the client and
from Office Online website (2)
Software\Policies\Microsoft\Office\12.0\Common\Internet
                                                                 CCE-1233
(1) User Configuration\Administrative Templates\Microsoft
Office 2007 system\Tools | Options | General | Web
Options...\Disable access to updates, add-ins, and patches on
the Office Online website (2)
Software\Policies\Microsoft\Office\12.0\Common\Internet
                                                                 CCE-1379
(1) User Configuration\Administrative Templates\Microsoft
Office 2007 system\Tools | Options | General | Web
Options...\Prevents users from uploading document templates
to the Office Online community. (2)
Software\Policies\Microsoft\Office\12.0\Common\Internet
                                                                 CCE-1401
(1) User Configuration\Administrative Templates\Microsoft
Office 2007 system\Tools | Options | General | Web
Options...\Disable training practice downloads from the Office
Online website (2)
Software\Policies\Microsoft\Office\12.0\Common\Internet
                                                                 CCE-1528
(1) User Configuration\Administrative Templates\Microsoft
Office 2007 system\Tools | Options | General | Web
Options...\Disable customer-submitted templates downloads
from Office Online (2)
Software\Policies\Microsoft\Office\12.0\Common\Internet
                                                                 CCE-1533
(1) User Configuration\Administrative Templates\Microsoft
Office 2007 system\Tools | Options | General | Web
Options...\Files\Open Office documents as read/write while
browsing (2)
Software\Policies\Microsoft\Office\12.0\Common\Internet
                                                                 CCE-646
(1) User Configuration\Administrative Templates\Microsoft
Office 2007 system\Tools | Options | General | Web
Options...\Browsers\Rely on VML for displaying graphics in
browsers (2)
Software\Policies\Microsoft\Office\12.0\Common\Internet
                                                                CCE-1438
(1) User Configuration\Administrative Templates\Microsoft
Office 2007 system\Tools | Options | General | Web
Options...\Browsers\Allow PNG as an output format (2)
Software\Policies\Microsoft\Office\12.0\Common\Internet
                                                                CCE-711
(1) User Configuration\Administrative Templates\Microsoft
Office 2007 system\Tools | Options | Spelling\Proofing Data
Collection\Improve Proofing Tools (2)
Software\Policies\Microsoft\Office\12.0\Common\PTWatson
                                                                CCE-1292
(1) User Configuration\Administrative Templates\Classic
Administrative Templates\Microsoft Office 2007\Privacy \Trust
Center\Disable Opt-in Wizard on first run (2)
HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\1
2.0\Common\QMEnable                                             CCE-1615
(1) User Configuration\Administrative Templates\Microsoft
Office 2007 system\Help\Microsoft Office Online (2)
Software\Policies\Microsoft\Office\12.0\Common\Internet         CCE-1191
(1) User Configuration\Administrative Templates\Microsoft
Office 2007 system\Security Settings\Disable Password
Caching (2)
Software\Policies\Microsoft\Office\12.0\Common\Security         CCE-1587
(1) User Configuration\Administrative Templates\Microsoft
Office 2007 system\Security Settings\Disable all Trust Bar
notifications for security issues (2)
Software\Policies\Microsoft\Office\12.0\Common\TrustCenter
                                                                CCE-1486
(1) User Configuration\Administrative Templates\Microsoft
Office 2007 system\Security Settings\Protect document
metadata for rights managed Office Open XML Files (2)
Software\Policies\Microsoft\Office\12.0\Common\Security
                                                                CCE-1508
(1) User Configuration\Administrative Templates\Microsoft
Office 2007 system\Security Settings\Protect document
metadata for password protected files. (2)
Software\Policies\Microsoft\Office\12.0\Common\Security
                                                                CCE-1640
(1) User Configuration\Administrative Templates\Microsoft
Office 2007 system\Security Settings\Encryption type for
password protected Office Open XML files (2)
Software\Policies\Microsoft\Office\12.0\Common\Security
                                                                CCE-1539
(1) User Configuration\Administrative Templates\Microsoft
Office 2007 system\Security Settings\Encryption type for
password protected Office 97-2003 files (2)
Software\Policies\Microsoft\Office\12.0\Common\Security
                                                                CCE-1561
(1) User Configuration\Administrative Templates\Microsoft
Office 2007 system\Security Settings\Load Controls in Forms3
(1 | 2 | 3 | 4) (2) Software\Policies\Microsoft\VBA\Security
                                                                CCE-1068
2007: (1) User Configuration\Administrative
Templates\Microsoft Office 2007 system\Security
Settings\Automation Security (Disable macros by default | Use
application macro security level | Macros enabled) (2)
Software\Policies\Microsoft\Office\Common\Security 2003: (1)
Computer Configuration\Administrative Templates\Microsoft
Office 2003\Security Settings\Automation Security (2)
HKLM\Software\Policies\Microsoft\Office\11.0\Common\Securi
ty - AutomationSecurity
                                                                CCE-1574
(1) User Configuration\Administrative Templates\Microsoft
Office 2007 system\Security Settings\Prevent Word and Excel
from loading managed code extensions (2)
Software\Policies\Microsoft\Office\Common\Smart Tag

                                                                CCE-1239
(1) User Configuration\Administrative Templates\Microsoft
Office 2007 system\Security Settings\Disable hyperlink
warnings (2)
Software\Policies\Microsoft\Office\12.0\Common\Security         CCE-1623
(1) User Configuration\Administrative Templates\Microsoft
Office 2007 system\Security Settings\Disable password to
open UI (2)
Software\Policies\Microsoft\Office\12.0\Common\Security         CCE-1083
(1) User Configuration\Administrative Templates\Microsoft
Office 2007 system\Security Settings\Download Office
Controls (2)
Software\Policies\Microsoft\Office\12.0\Common\Internet         CCE-1343
(1) User Configuration\Administrative Templates\Microsoft
Office 2007 system\Security Settings\Disable All ActiveX (2)
Software\Policies\Microsoft\Office\Common\Security
                                                                CCE-1242
(1) User Configuration\Administrative Templates\Microsoft
Office 2007 system\Security Settings\Trust Center\Allow mix
of policy and user locations (2)
Software\Policies\Microsoft\Office\12.0\Common\Security\Trus
ted Locations                                                   CCE-770
(1) User Configuration\Administrative Templates\Microsoft
Office 2007 system\Smart Documents (Word, Excel)\Disable
Smart Document's use of manifests (2)
Software\Policies\Microsoft\Office\Common\Smart Tag
                                                                CCE-903
(1) User Configuration\Administrative Templates\Microsoft
Office 2007 system\Smart Documents (Word,
Excel)\Completely disable the Smart Documents feature in
Word and Excel (2)
Software\Policies\Microsoft\Office\Common\Smart Tag
                                                                     CCE-1555
(1) User Configuration\Administrative Templates\Microsoft
Office 2007 system\Services\Fax\Disable Internet Fax feature
(2)
Software\Policies\Microsoft\Office\12.0\Common\Services\Fax
                                                                     CCE-1061
(1) User Configuration\Administrative Templates\Microsoft
Office 2007 system\Manage Restricted Permissions\Prevent
users from changing permissions on rights managed content
(2) Software\Policies\Microsoft\Office\12.0\Common\DRM

                                                                     CCE-1603
(1) User Configuration\Administrative Templates\Microsoft
Office 2007 system\Manage Restricted Permissions\Allow
users with earlier versions of Office to read with browsers... (2)
Software\Policies\Microsoft\Office\12.0\Common\DRM

                                                                     CCE-1612
(1) User Configuration\Administrative Templates\Microsoft
Office 2007 system\Manage Restricted Permissions\Always
require users to connect to verify permission (2)
Software\Policies\Microsoft\Office\12.0\Common\DRM
                                                                     CCE-1493
(1) User Configuration\Administrative Templates\Microsoft
Office 2007 system\Manage Restricted Permissions\Always
expand groups in Office when restricting permission for
documents (2)
Software\Policies\Microsoft\Office\12.0\Common\DRM\AutoEx
pandDls                                                              CCE-1409
(1) User Configuration\Administrative Templates\Microsoft
Office 2007 system\Manage Restricted Permissions\Never
allow users to specify groups when restricting permission for
documents (2)
Software\Policies\Microsoft\Office\12.0\Common\DRM
                                                                     CCE-1589
(1) User Configuration\Administrative Templates\Microsoft
Office 2007 system\Manage Restricted Permissions\Disable
Microsoft Passport service for content with restricted
permission (2)
Software\Policies\Microsoft\Office\12.0\Common\DRM
                                                                     CCE-1237
(1) User Configuration\Administrative Templates\Microsoft
Office 2007 system\Manage Restricted Permissions\Do not
allow users to upgrade Information Rights Management
configuration (2)
Software\Policies\Microsoft\Office\12.0\Common\DRM
                                                                     CCE-1404
(1) User Configuration\Administrative Templates\Microsoft
Office 2007 system\Signing\Key Usage Filtering (2)
Software\Policies\Microsoft\Office\12.0\Common\General         CCE-1396
(1) User Configuration\Administrative Templates\Microsoft
Office 2007 system\Signing\EKU filtering (2)
Software\Policies\Microsoft\Office\12.0\Common\Signatures
                                                               CCE-1167
(1) User Configuration\Administrative Templates\Microsoft
Office 2007 system\Signing\Legacy format signatures (2)
Software\Policies\Microsoft\Office\12.0\Common\Signatures
                                                               CCE-1585
(1) User Configuration\Administrative Templates\Microsoft
Office 2007 system\Signing\Suppress Office Signing Providers
(Enable Western and East Asian | Suppress default Western |
Suppress default East Asian | Suppress both Western and
East Asian) (2)
Software\Policies\Microsoft\Office\12.0\Common\Signatures



                                                               CCE-1572
(1) User Configuration\Administrative Templates\Microsoft
Office 2007 system\Signing\Suppress external signature
services menu item (2)
Software\Policies\Microsoft\Office\12.0\Common\Signatures
                                                               CCE-1220
(1) User Configuration\Administrative Templates\Microsoft
Office 2007 system\Office Diagnostics\Disable Check For
Solutions (2)
Software\Policies\Microsoft\Office\Common\OffDiag              CCE-1634
(1) User Configuration\Administrative Templates\Microsoft
Office 2007 system\Microsoft Save As PDF and XPS add-
ins\Disable inclusion of document properties in PDF and XPS
output (2)
Software\Policies\Microsoft\Office\12.0\Common\FixedFormat
                                                               CCE-1643
(1) User Configuration\Administrative Templates\Microsoft
Office 2007 system\Document Information Panel\Disable
Document Information Panel (2)
Software\Policies\Microsoft\Office\12.0\Common\DocumentInf
ormationPanel                                                  CCE-1546
(1) User Configuration\Administrative Templates\Microsoft
Office 2007 system\Document Information Panel\Document
Information Panel Beaconing UI (Never show UI | Always
show UI | Show UI if XSN is in Internet Zone) (2)
Software\Policies\Microsoft\Office\12.0\Common\DocumentInf
ormationPanel

                                                               CCE-1505
(1) User Configuration\Administrative Templates\Microsoft
Office 2007 system\Server Settings\Disable the Office client
from polling the Office server for published links (2)
Software\Policies\Microsoft\Office\12.0\Common\Portal
                                                                  CCE-1545
(1) User Configuration\Administrative Templates\Microsoft
Office 2007 system\Office 2007 Converters\Block opening of
pre-release versions of file formats new to Word 2007 through
the Compatibility Pack for the 2007 Office system and Word
2007 Open XML/Word 97-2003 Format Converter (2)
Software\Policies\Microsoft\Office\12.0\Word\Security\FileOpe
nBlock



                                                                  CCE-1549
(1) User Configuration\Administrative Templates\Microsoft
Office 2007 system\Office 2007 Converters\Block opening of
pre-release versions of file formats new to Excel 2007 through
the Compatibility Pack for the 2007 Office system and Excel
2007 Converter (2)
Software\Policies\Microsoft\Office\12.0\Excel\Security\FileOpe
nBlock

                                                                  CCE-1431
(1) User Configuration\Administrative Templates\Microsoft
Office 2007 system\Office 2007 Converters\Block opening of
pre-release versions of file formats new to PowerPoint 2007
through the Compatibility Pack for the 2007 Office system and
PowerPoint 2007 Converter (2)
Software\Policies\Microsoft\Office\12.0\PowerPoint\Security\Fil
eOpenBlock

                                                                  CCE-1594
(1) User Configuration\Administrative Templates\Microsoft
Office 2007 system\Miscellaneous\Control Blogging (Enabled |
Only SharePoint blogs allowed | All blogging disabled) (2)
Software\Policies\Microsoft\Office\12.0\Common\Blog

                                                                  CCE-1241
(1) User Configuration\Administrative Templates\Microsoft
Office 2007 system\Miscellaneous\Enable Smart Resume (2)
Software\Policies\Microsoft\Office\12.0\Common\Restore
Workspace
                                                                  CCE-1607
(1) User Configuration\Administrative Templates\Microsoft
Office 2007 system\Miscellaneous\Do not upload media files
(2) Software\Policies\Microsoft\Office\12.0\Common\Internet
                                                                  CCE-752
(1) User Configuration\Administrative Templates\Microsoft
Office 2007 system\Miscellaneous\Disable hyperlinks to web
templates in File | New and task panes (2)
Software\Policies\Microsoft\Office\12.0\Common\Internet
                                                                   CCE-1166
(1) User Configuration\Administrative Templates\Microsoft
Office 2007 system\Miscellaneous\Prevent access to Web-
based file storage (2)
Software\Policies\Microsoft\Office\12.0\Common\WebServices
                                                                   CCE-654
(1) User Configuration\Administrative Templates\Microsoft
Office Outlook 2007\Tools | Options...\Preferences\E-mail
Options\Do not allow attachment previewing in Outlook (2)
Software\Policies\Microsoft\Office\12.0\Outlook\Preferences
                                                                   CCE-1192
(1) User Configuration\Administrative Templates\Microsoft
Office Outlook 2007\Tools | Options...\Preferences\E-mail
Options\Read e-mail as plain text (2)
Software\Policies\Microsoft\Office\12.0\Outlook\Options\Mail
                                                                   CCE-791
(1) User Configuration\Administrative Templates\Microsoft
Office Outlook 2007\Tools | Options...\Preferences\E-mail
Options\Read signed e-mail as plain text (2)
Software\Policies\Microsoft\Office\12.0\Outlook\Options\Mail
                                                                   CCE-1456
(1) User Configuration\Administrative Templates\Microsoft
Office Outlook 2007\Tools | Options...\Preferences\Calendar
Options\Microsoft Office Online Sharing ServicePrevent
publishing to Office Online (2)
Software\Policies\Microsoft\Office\12.0\Outlook\Options\PubC
al
                                                                   CCE-1478
(1) User Configuration\Administrative Templates\Microsoft
Office Outlook 2007\Tools | Options...\Preferences\Calendar
Options\Microsoft Office Online Sharing ServicePrevent
publishing to a DAV server (2)
Software\Policies\Microsoft\Office\12.0\Outlook\Options\PubC
al
                                                                   CCE-1368
(1) User Configuration\Administrative Templates\Microsoft
Office Outlook 2007\Tools | Options...\Preferences\Calendar
Options\Microsoft Office Online Sharing ServiceRestrict level
of calendar details users can publish (All options are available
| Disables 'Full details' | Disables 'Full details' and 'Limited
details') (2)
Software\Policies\Microsoft\Office\12.0\Outlook\Options\PubC
al

                                                                   CCE-1641
(1) User Configuration\Administrative Templates\Microsoft
Office Outlook 2007\Tools | Options...\Preferences\Calendar
Options\Microsoft Office Online Sharing ServiceAccess to
published calendars (2)
Software\Policies\Microsoft\Office\12.0\Outlook\Options\PubC
al
                                                               CCE-1266
(1) User Configuration\Administrative Templates\Microsoft
Office Outlook 2007\Tools | Options...\Preferences\Calendar
Options\Microsoft Office Online Sharing ServiceRestrict
upload method (2)
Software\Policies\Microsoft\Office\12.0\Outlook\Options\PubC
al
                                                               CCE-1399
(1) User Configuration\Administrative Templates\Microsoft
Office Outlook 2007\Tools | Options...\Preferences\Junk E-
mail\Hide Junk Mail UI (2)
Software\Policies\Microsoft\Office\12.0\Outlook
                                                               CCE-1187
(1) User Configuration\Administrative Templates\Microsoft
Office Outlook 2007\Tools | Options...\Preferences\Junk E-
mail\Junk E-mail protection level (No Protection, Low, High,
Trusted Lists Only) (2)
Software\Policies\Microsoft\Office\12.0\Outlook\Options\Mail

                                                               CCE-1588
(1) User Configuration\Administrative Templates\Microsoft
Office Outlook 2007\Tools | Options...\Preferences\Junk E-
mail\Trust E-mail from Contacts (2)
Software\Policies\Microsoft\Office\12.0\Outlook\Options\Mail
                                                               CCE-1117
(1) User Configuration\Administrative Templates\Microsoft
Office Outlook 2007\Tools | Options...\Preferences\Junk E-
mail\Add e-mail recipients to users' Safe Senders Lists (2)
Software\Policies\Microsoft\Office\12.0\Outlook\Options\Mail

                                                               CCE-1130
(1) User Configuration\Administrative Templates\Microsoft
Office Outlook 2007\Tools | Options...\Mail Setup\Dial-up
options (2)
Software\Policies\Microsoft\Office\12.0\Outlook\Options\Mail
                                                               CCE-1093
(1) User Configuration\Administrative Templates\Microsoft
Office Outlook 2007\Tools | Options...\Mail Setup\Dial-up
options - Warn before switching dial-up connection (2)
Software\Policies\Microsoft\Office\12.0\Outlook\Options\Mail

                                                               CCE-1599
(1) User Configuration\Administrative Templates\Microsoft
Office Outlook 2007\Tools | Options...\Mail Setup\Dial-up
options - Hang up when finished sending, receiving, or
updating (2)
Software\Policies\Microsoft\Office\12.0\Outlook\Options\Mail
                                                                CCE-1621
(1) User Configuration\Administrative Templates\Microsoft
Office Outlook 2007\Tools | Options...\Mail Setup\Dial-up
options - Automatically dial during a background Send/Receive
(2)
Software\Policies\Microsoft\Office\12.0\Outlook\Options\Mail

                                                                CCE-1269
(1) User Configuration\Administrative Templates\Microsoft
Office Outlook 2007\Tools | Options...\Mail Format\Do not
allow creating, replying, or forwarding signatures for e-mail
messages (2)
Software\Policies\Microsoft\Office\12.0\Common\MailSettings

                                                                CCE-1419
(1) User Configuration\Administrative Templates\Microsoft
Office Outlook 2007\Tools | Options...\Mail Format\Internet
Formatting\Send copy of pictures with HTML messages
instead of reference to Internet location (2)
Software\Policies\Microsoft\Office\12.0\Outlook\Options\Mail

                                                                CCE-1551
(1) User Configuration\Administrative Templates\Microsoft
Office Outlook 2007\Tools | Options...\Mail Format\Internet
Formatting\Outlook Rich Text options (Convert to HTML |
Convert to Plain Text format | Send Using Outlook Rich Text
format) (2)
Software\Policies\Microsoft\Office\12.0\Outlook\Options\Mail

                                                                CCE-655
(1) User Configuration\Administrative Templates\Microsoft
Office Outlook 2007\Tools | Options...\Mail Format\Internet
Formatting\Plain text options (2)
Software\Policies\Microsoft\Office\12.0\Outlook\Options\Mail
                                                                CCE-1592
(1) User Configuration\Administrative Templates\Microsoft
Office Outlook 2007\Tools | Options...\Mail Format\Internet
Formatting\Plain text options - Encode attachments in
UUENCODE format when sending a plain text message (2)
Software\Policies\Microsoft\Office\12.0\Outlook\Options\Mail

                                                                CCE-1614
(1) User Configuration\Administrative Templates\Microsoft
Office Outlook 2007\Tools | Options...\Mail Format\Internet
Formatting\Message FormatSet message format (HTML | Rich
Text | Plain Text) (2)
Software\Policies\Microsoft\Office\12.0\Outlook\Options\Mail
                                                                   CCE-1526
(1) User Configuration\Administrative Templates\Microsoft
Office Outlook 2007\Tools | Options...\Other\Make Outlook the
default program for E-mail, Contacts, and Calendar (2)
software\policies\microsoft\office\12.0\outlook\options\general

                                                                   CCE-1111
(1) User Configuration\Administrative Templates\Microsoft
Office Outlook 2007\Tools | Options...\Other\Advanced\Do not
allow folders in non-default stores to be set as folder home
pages (2)
Software\Policies\Microsoft\Office\12.0\Outlook\Security
                                                                   CCE-1494
(1) User Configuration\Administrative Templates\Microsoft
Office Outlook 2007\Tools | Options...\Other\Advanced\Use
Unicode format when dragging e-mail message to file system
(2)
Software\Policies\Microsoft\Office\12.0\Outlook\Options\Gener
al                                                                 CCE-1287
(1) User Configuration\Administrative Templates\Microsoft
Office Outlook 2007\Tools | Options...\Other\Advanced\Do not
allow Outlook object model scripts to run for shared folders (2)
Software\Policies\Microsoft\Office\12.0\Outlook\Security

                                                                   CCE-1529
(1) User Configuration\Administrative Templates\Microsoft
Office Outlook 2007\Tools | Options...\Other\Advanced\Do not
allow Outlook object model scripts to run for public folders (2)
Software\Policies\Microsoft\Office\12.0\Outlook\Security

                                                                   CCE-1560
(1) User Configuration\Administrative Templates\Microsoft
Office Outlook 2007\Tools | Options...\Other\Person
Names\Set maximum level of online status on a person name
(Do not allow | Allow everywhere except To and CC field |
Allow everywhere) (2)
Software\Policies\Microsoft\Office\12.0\Outlook\IM


                                                                   CCE-1596
(1) User Configuration\Administrative Templates\Microsoft
Office Outlook 2007\Tools | Options...\Other\Person
Names\Display online status on a person name (Never |
Everywhere except To and CC field | Everywhere) (2)
Software\Policies\Microsoft\Office\12.0\Outlook\IM


                                                                CCE-1604
(1) User Configuration\Administrative Templates\Microsoft
Office Outlook 2007\Tools | Options...\Other\Person
Names\Turn off Enable the Person Names Smart Tag option
(2) Software\Policies\Microsoft\Office\12.0\Outlook\IM

                                                                CCE-1648
(1) User Configuration\Administrative Templates\Microsoft
Office Outlook 2007\Security\Security Form Settings\Outlook
Security Mode (Outlook Default Security | Use Security Form
from 'Outlook Security Settings' Public Folder | Use Security
Form from 'Outlook 10 Security Settings' Public Folder | Use
Outlook Security Group Policy) (2)
Software\Policies\Microsoft\Office\12.0\Outlook\Security




                                                                CCE-1516
(1) User Configuration\Administrative Templates\Microsoft
Office Outlook 2007\Security\Security Form
Settings\Attachment Security\Display Level 1 attachments (2)
Software\Policies\Microsoft\Office\12.0\Outlook\Security
                                                                CCE-1296
(1) User Configuration\Administrative Templates\Microsoft
Office Outlook 2007\Security\Security Form
Settings\Attachment Security\Allow users to demote
attachments to Level 2 (2)
Software\Policies\Microsoft\Office\12.0\Outlook\Security
                                                                CCE-1388
(1) User Configuration\Administrative Templates\Microsoft
Office Outlook 2007\Security\Security Form
Settings\Attachment Security\Do not prompt about Level 1
attachments when sending an item (2)
Software\Policies\Microsoft\Office\12.0\Outlook\Security
                                                                CCE-1652
(1) User Configuration\Administrative Templates\Microsoft
Office Outlook 2007\Security\Security Form
Settings\Attachment Security\Do not prompt about Level 1
attachments when closing an item (2)
Software\Policies\Microsoft\Office\12.0\Outlook\Security
                                                                CCE-1569
(1) User Configuration\Administrative Templates\Microsoft
Office Outlook 2007\Security\Security Form
Settings\Attachment Security\Allow in-place activation of
embedded OLE objects (2)
Software\Policies\Microsoft\Office\12.0\Outlook\Security
                                                               CCE-1459
(1) User Configuration\Administrative Templates\Microsoft
Office Outlook 2007\Security\Security Form
Settings\Attachment Security\Display OLE package objects (2)
Software\Policies\Microsoft\Office\12.0\Outlook\Security
                                                               CCE-1608
(1) User Configuration\Administrative Templates\Microsoft
Office Outlook 2007\Security\Security Form
Settings\Attachment Security\Add file extensions to block as
Level 1 (2)
Software\Policies\Microsoft\Office\12.0\Outlook\Security       CCE-1617
(1) User Configuration\Administrative Templates\Microsoft
Office Outlook 2007\Security\Security Form
Settings\Attachment Security\Remove file extensions blocked
as Level 1 (2)
Software\Policies\Microsoft\Office\12.0\Outlook\Security
                                                               CCE-1631
(1) User Configuration\Administrative Templates\Microsoft
Office Outlook 2007\Security\Security Form
Settings\Attachment Security\Add file extensions to block as
Level 2 (2)
Software\Policies\Microsoft\Office\12.0\Outlook\Security       CCE-1155
(1) User Configuration\Administrative Templates\Microsoft
Office Outlook 2007\Security\Security Form
Settings\Attachment Security\Remove file extensions blocked
as Level 2 (2)
Software\Policies\Microsoft\Office\12.0\Outlook\Security
                                                               CCE-1556
(1) User Configuration\Administrative Templates\Microsoft
Office Outlook 2007\Security\Security Form Settings\Custom
Form Security\Allow scripts in one-off Outlook forms (2)
Software\Policies\Microsoft\Office\12.0\Outlook\Security
                                                               CCE-1595
(1) User Configuration\Administrative Templates\Microsoft
Office Outlook 2007\Security\Security Form Settings\Custom
Form Security\Set Outlook object model Custom Actions
execution prompt (Prompt User | Automatically Approve |
Automatically Deny | Prompt user based on computer security)
(2) Software\Policies\Microsoft\Office\12.0\Outlook\Security




                                                               CCE-1436
(1) User Configuration\Administrative Templates\Microsoft
Office Outlook 2007\Security\Security Form Settings\Custom
Form Security\Set control ItemProperty prompt (Prompt User |
Automatically Approve | Automatically Deny | Prompt user
based on computer security) (2)
Software\Policies\Microsoft\Office\12.0\Outlook\Security


                                                               CCE-1586
(1) User Configuration\Administrative Templates\Microsoft
Office Outlook 2007\Security\Security Form
Settings\Programmatic Security\Configure Outlook object
model prompt when sending mail (Prompt User | Automatically
Approve | Automatically Deny | Prompt user based on
computer security) (2)
Software\Policies\Microsoft\Office\12.0\Outlook\Security



                                                               CCE-1590
(1) User Configuration\Administrative Templates\Microsoft
Office Outlook 2007\Security\Security Form
Settings\Programmatic Security\Configure Outlook object
model prompt when accessing an address book (Prompt User
| Automatically Approve | Automatically Deny | Prompt user
based on computer security) (2)
Software\Policies\Microsoft\Office\12.0\Outlook\Security



                                                               CCE-1004
(1) User Configuration\Administrative Templates\Microsoft
Office Outlook 2007\Security\Security Form
Settings\Programmatic Security\Configure Outlook object
model prompt when reading address information (Prompt User
| Automatically Approve | Automatically Deny | Prompt user
based on computer security) (2)
Software\Policies\Microsoft\Office\12.0\Outlook\Security



                                                               CCE-1273
(1) User Configuration\Administrative Templates\Microsoft
Office Outlook 2007\Security\Security Form
Settings\Programmatic Security\Configure Outlook object
model prompt when responding to meeting and task requests
(Prompt User | Automatically Approve | Automatically Deny |
Prompt user based on computer security) (2)
Software\Policies\Microsoft\Office\12.0\Outlook\Security




                                                               CCE-1172
(1) User Configuration\Administrative Templates\Microsoft
Office Outlook 2007\Security\Security Form
Settings\Programmatic Security\Configure Outlook object
model prompt when executing Save As (Prompt User |
Automatically Approve | Automatically Deny | Prompt user
based on computer security) (2)
Software\Policies\Microsoft\Office\12.0\Outlook\Security



                                                               CCE-1568
(1) User Configuration\Administrative Templates\Microsoft
Office Outlook 2007\Security\Security Form
Settings\Programmatic Security\Configure Outlook object
model prompt When accessing the Formula property of a
UserProperty object (Prompt User | Automatically Approve |
Automatically Deny | Prompt user based on computer security)
(2) Software\Policies\Microsoft\Office\12.0\Outlook\Security




                                                               CCE-1573
(1) User Configuration\Administrative Templates\Microsoft
Office Outlook 2007\Security\Security Form
Settings\Programmatic Security\Configure Outlook object
model prompt when accessing address information via
UserProperties.Find (Prompt User | Automatically Approve |
Automatically Deny | Prompt user based on computer security)
(2) Software\Policies\Microsoft\Office\12.0\Outlook\Security




                                                               CCE-1454
(1) User Configuration\Administrative Templates\Microsoft
Office Outlook 2007\Security\Cryptography\Required
Certificate Authority (2)
Software\Policies\Microsoft\Office\12.0\Outlook\Security              CCE-1498
(1) User Configuration\Administrative Templates\Microsoft
Office Outlook 2007\Security\Cryptography\S/MIME
interoperability with external clients: (Handle internally | Handle
externally | Handle if possible) (2)
Software\Policies\Microsoft\Office\12.0\Outlook\Security


                                                                      CCE-1630
(1) User Configuration\Administrative Templates\Microsoft
Office Outlook 2007\Security\Cryptography\Always use Rich
Text formatting in S/MIME messages (2)
Software\Policies\Microsoft\Office\12.0\Outlook\Security

                                                                      CCE-1626
(1) User Configuration\Administrative Templates\Microsoft
Office Outlook 2007\Security\Cryptography\S/MIME password
settings (2)
Software\Policies\Microsoft\Cryptography\Defaults\Provider\Mi
crosoft Exchange Cryptographic Provider v1.0                          CCE-1163
(1) User Configuration\Administrative Templates\Microsoft
Office Outlook 2007\Security\Cryptography\S/MIME password
settings - Default S/MIME password time (minutes): (0 -
2147483647) (2)
Software\Policies\Microsoft\Cryptography\Defaults\Provider\Mi
crosoft Exchange Cryptographic Provider v1.0
                                                                      CCE-1445
(1) User Configuration\Administrative Templates\Microsoft
Office Outlook 2007\Security\Cryptography\S/MIME password
settings - Maximum S/MIME password time (minutes): (0 -
2147483647) (2)
Software\Policies\Microsoft\Cryptography\Defaults\Provider\Mi
crosoft Exchange Cryptographic Provider v1.0

                                                                      CCE-1582
(1) User Configuration\Administrative Templates\Microsoft
Office Outlook 2007\Security\Cryptography\Message Formats
(2) Software\Policies\Microsoft\Office\12.0\Outlook\Security
                                                                      CCE-1357
(1) User Configuration\Administrative Templates\Microsoft
Office Outlook 2007\Security\Cryptography\Message Formats -
Support the following message formats: (S/MIME | Exchange |
Fortezza | S/MIME and Exchange | S/MIME and Fortezza |
Exchange and Fortezza | S/MIME, Exchange, and Fortezza)
(2) Software\Policies\Microsoft\Office\12.0\Outlook\Security




                                                                  CCE-1132
2007: (1) User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Security\Cryptography\Do not provide Continue option on
Encryption warning dialog boxes (2)
Software\Policies\Microsoft\Office\12.0\Outlook\Security 2003:
(1) User Configuration\Administrative Templates\Microsoft
Office Outlook
2003\Tools\Options\Security\Cryptography\Disable Continue
button on all Encryption warning dialogs (2)
HKCU\Software\Policies\Microsoft\office\11.0\outlook\Security -
DisableContinue                                                   CCE-1511
(1) User Configuration\Administrative Templates\Microsoft
Office Outlook 2007\Security\Cryptography\Run in FIPS
compliant mode (2)
Software\Policies\Microsoft\Office\12.0\Outlook\Security
                                                                  CCE-1018
2007: (1) User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Security\Cryptography\Encrypt all e-mail messages (2)
Software\Policies\Microsoft\Office\12.0\Outlook\Security 2003:
(1) User Configuration\Administrative Templates\Microsoft
Office Outlook
2003\Tools\Options\Security\Cryptography\Encrypt all e-mail
messages (2)
HKCU\Software\Policies\Microsoft\Office\11.0\Outlook\Securit
y - AlwaysEncrypt
                                                                  CCE-1181
(1) User Configuration\Administrative Templates\Microsoft
Office Outlook 2007\Security\Cryptography\Sign all e-mail
messages (2)
Software\Policies\Microsoft\Office\12.0\Outlook\Security
                                                                  CCE-1639
(1) User Configuration\Administrative Templates\Microsoft
Office Outlook 2007\Security\Cryptography\URL for S/MIME
certificates (2)
Software\Policies\Microsoft\Office\12.0\Outlook\Security
                                                                  CCE-677
(1) User Configuration\Administrative Templates\Microsoft
Office Outlook 2007\Security\Cryptography\Ensure all S/MIME
signed messages have a label (2)
Software\Policies\Microsoft\Office\12.0\Outlook\Security
                                                                     CCE-687
(1) User Configuration\Administrative Templates\Microsoft
Office Outlook 2007\Security\Cryptography\S/MIME receipt
requests (Open message if receipt can't be sent | Don't open
message if receipt can't be sent | Always prompt before
sending receipt | Never send S/MIME ) (2)
Software\Policies\Microsoft\Office\12.0\Outlook\Security




                                                                     CCE-1613
(1) User Configuration\Administrative Templates\Microsoft
Office Outlook 2007\Security\Cryptography\Fortezza certificate
policies (2)
Software\Policies\Microsoft\Office\12.0\Outlook\Security             CCE-1402
(1) User Configuration\Administrative Templates\Microsoft
Office Outlook 2007\Security\Cryptography\Require SuiteB
algorithms for S/MIME operations (2)
Software\Policies\Microsoft\Office\12.0\Outlook\Security

                                                                     CCE-1658
(1) User Configuration\Administrative Templates\Microsoft
Office Outlook 2007\Security\Cryptography\Signature Status
dialog box\Missing CRLs (2)
Software\Policies\Microsoft\Office\12.0\Outlook\Security             CCE-1662
(1) User Configuration\Administrative Templates\Microsoft
Office Outlook 2007\Security\Cryptography\Signature Status
dialog box\Missing CRLs - Indicate a missing CRL as a(n):
(warning | error) (2)
Software\Policies\Microsoft\Office\12.0\Outlook\Security
                                                                     CCE-1080
(1) User Configuration\Administrative Templates\Microsoft
Office Outlook 2007\Security\Cryptography\Signature Status
dialog box\Missing root certificates (2)
Software\Policies\Microsoft\Office\12.0\Outlook\Security
                                                                     CCE-1076
(1) User Configuration\Administrative Templates\Microsoft
Office Outlook 2007\Security\Cryptography\Signature Status
dialog box\Missing root certificates - Indicate a missing root
certificate as a(n): (neither error nor warning | warning | error)
(2) Software\Policies\Microsoft\Office\12.0\Outlook\Security


                                                                     CCE-1636
(1) User Configuration\Administrative Templates\Microsoft
Office Outlook 2007\Security\Cryptography\Signature Status
dialog box\Promote Level 2 errors as errors, not warnings (2)
Software\Policies\Microsoft\Office\12.0\Outlook\Security
                                                                CCE-943
(1) User Configuration\Administrative Templates\Microsoft
Office Outlook 2007\Security\Cryptography\Signature Status
dialog box\Attachment Secure Temporary Folder (2)
Software\Policies\Microsoft\Office\12.0\Outlook\Security
                                                                CCE-1591
(1) User Configuration\Administrative Templates\Microsoft
Office Outlook 2007\Security\Automatic Picture Download
Settings\Display pictures and external content in HTML e-mail
(2)
Software\Policies\Microsoft\Office\12.0\Outlook\Options\Mail
                                                                CCE-1133
(1) User Configuration\Administrative Templates\Microsoft
Office Outlook 2007\Security\Automatic Picture Download
Settings\Automatically download content for e-mail from
people in Safe Senders and Safe Recipients Lists (2)
Software\Policies\Microsoft\Office\12.0\Outlook\Options\Mail


                                                                CCE-725
(1) User Configuration\Administrative Templates\Microsoft
Office Outlook 2007\Security\Automatic Picture Download
Settings\Do not permit download of content from safe zones
(2)
Software\Policies\Microsoft\Office\12.0\Outlook\Options\Mail
                                                                CCE-1347
(1) User Configuration\Administrative Templates\Microsoft
Office Outlook 2007\Security\Automatic Picture Download
Settings\Block Trusted Zones (2)
Software\Policies\Microsoft\Office\12.0\Outlook\Options\Mail
                                                                CCE-1475
(1) User Configuration\Administrative Templates\Microsoft
Office Outlook 2007\Security\Automatic Picture Download
Settings\Include Internet in Safe Zones for Automatic Picture
Download (2)
Software\Policies\Microsoft\Office\12.0\Outlook\Options\Mail
                                                                CCE-1497
(1) User Configuration\Administrative Templates\Microsoft
Office Outlook 2007\Security\Automatic Picture Download
Settings\Include Intranet in Safe Zones for Automatic Picture
Download (2)
Software\Policies\Microsoft\Office\12.0\Outlook\Options\Mail
                                                                CCE-1501
(1) User Configuration\Administrative Templates\Microsoft
Office Outlook 2007\Security\Trust Center\Security setting for
macros (Always warn | Never warn, disable all | Warn for
signed, disable unsigned | No security check) (2)
Software\Policies\Microsoft\Office\12.0\Outlook\Security


                                                                 CCE-1030
(1) User Configuration\Administrative Templates\Microsoft
Office Outlook 2007\Security\Trust Center\Enable links in e-
mail messages (2)
Software\Policies\Microsoft\Office\12.0\Outlook\Options\Mail
                                                                 CCE-1052
(1) User Configuration\Administrative Templates\Microsoft
Office Outlook 2007\Security\Trust Center\Apply macro
security settings to macros, add-ins, and SmartTags (2)
Software\Policies\Microsoft\Office\12.0\Outlook\Security


                                                                 CCE-1462
(1) User Configuration\Administrative Templates\Microsoft
Office Outlook 2007\Tools | Account
Settings\Exchange\Automatically configure profile based on
Active Directory Primary SMTP address (2)
Software\Policies\Microsoft\Office\12.0\Outlook\AutoDiscover

                                                                 CCE-1281
(1) User Configuration\Administrative Templates\Microsoft
Office Outlook 2007\Tools | Account Settings\Exchange\Do
not allow users to change permissions on folders (2)
Software\Policies\Microsoft\Office\12.0\Outlook\Options\Folder
s
                                                                 CCE-1303
(1) User Configuration\Administrative Templates\Microsoft
Office Outlook 2007\Tools | Account
Settings\Exchange\Enable RPC encryption (2)
Software\Policies\Microsoft\Office\12.0\Outlook\RPC
                                                                 CCE-1082
(1) User Configuration\Administrative Templates\Microsoft
Office Outlook 2007\Tools | Account
Settings\Exchange\Authentication with Exchange Server
(Kerberos/NTLM Password Authentication | Kerberos
Password Authentication | NTLM Password Authentication) (2)
Software\Policies\Microsoft\Office\12.0\Outlook\Security




                                                                 CCE-1712
(1) User Configuration\Administrative Templates\Microsoft
Office Outlook 2007\Tools | Account Settings\RSS
Feeds\Synchronize Outlook RSS Feeds with Common Feed
List (2)
Software\Policies\Microsoft\Office\12.0\Outlook\Options\RSS
                                                                   CCE-1131
(1) User Configuration\Administrative Templates\Microsoft
Office Outlook 2007\Tools | Account Settings\RSS Feeds\Turn
off RSS feature (2)
Software\Policies\Microsoft\Office\12.0\Outlook\Options\RSS
                                                                   CCE-1620
(1) User Configuration\Administrative Templates\Microsoft
Office Outlook 2007\Tools | Account Settings\RSS
Feeds\Automatically download enclosures (2)
Software\Policies\Microsoft\Office\12.0\Outlook\Options\RSS
                                                                   CCE-1541
(1) User Configuration\Administrative Templates\Microsoft
Office Outlook 2007\Tools | Account Settings\RSS
Feeds\Download full text of articles as HTML attachments (2)
Software\Policies\Microsoft\Office\12.0\Outlook\Options\RSS

                                                                   CCE-1311
(1) User Configuration\Administrative Templates\Microsoft
Office Outlook 2007\Tools | Account Settings\Internet
Calendars\Automatically download attachments (2)
Software\Policies\Microsoft\Office\12.0\Outlook\Options\WebC
al
                                                                   CCE-1682
(1) User Configuration\Administrative Templates\Microsoft
Office Outlook 2007\Tools | Account Settings\Internet
Calendars\Do not include Internet Calendar integration in
Outlook (2)
Software\Policies\Microsoft\Office\12.0\Outlook\Options\WebC
al                                                                 CCE-1461
(1) User Configuration\Administrative Templates\Microsoft
Office Outlook 2007\Meeting Workspace\Disable user entries
to server list (Publish default, allow others | Publish default,
disallow others) (2)
Software\Policies\Microsoft\Office\12.0\Meetings\Profile

                                                                   CCE-1041
(1) User Configuration\Administrative Templates\Microsoft
Office Outlook 2007\Miscellaneous\Do not expand distribution
lists (2)
Software\Policies\Microsoft\Office\12.0\Outlook\Options\Mail
                                                                   CCE-1565
(1) User Configuration\Administrative Templates\Microsoft
Office PowerPoint 2007\PowerPoint Options\Save\Save files
in this format (PowerPoint Presentation (*.pptx) | PowerPoint
Macro-Enabled Presentation (*.pptm) | PowerPoint 97-2003
Presentation (*.ppt)) (2)
Software\Policies\Microsoft\Office\12.0\PowerPoint\Options



                                                                 CCE-1719
(1) User Configuration\Administrative Templates\Microsoft
Office PowerPoint 2007\PowerPoint
Options\Advanced\Number of documents in the Recent
Documents list (0 - 50) (2)
Software\Policies\Microsoft\Office\12.0\PowerPoint\File MRU
                                                                 CCE-1477
(1) User Configuration\Administrative Templates\Microsoft
Office PowerPoint 2007\PowerPoint
Options\Security\Determine whether to force encrypted
macros to be scanned in Microsoft PowerPoint Open XML
presentations (2)
Software\Policies\Microsoft\Office\12.0\PowerPoint\Security

                                                                 CCE-1142
(1) User Configuration\Administrative Templates\Microsoft
Office PowerPoint 2007\PowerPoint Options\Security\Run
Programs (disable (don't run any programs) | enable (prompt
user before running) | enable all (run without prompting)) (2)
Software\Policies\Microsoft\Office\12.0\PowerPoint\Security



                                                                 CCE-1649
(1) User Configuration\Administrative Templates\Microsoft
Office PowerPoint 2007\PowerPoint Options\Security\Make
hidden markup visible (2)
Software\Policies\Microsoft\Office\12.0\PowerPoint\Security
                                                                 CCE-1279
(1) User Configuration\Administrative Templates\Microsoft
Office PowerPoint 2007\PowerPoint Options\Security\Unblock
automatic download of linked images (2)
Software\Policies\Microsoft\Office\12.0\PowerPoint\Security

                                                                 CCE-1451
(1) User Configuration\Administrative Templates\Microsoft
Office PowerPoint 2007\PowerPoint Options\Security\Trust
Center\Disable all application add-ins (2)
Software\Policies\Microsoft\Office\12.0\PowerPoint\Security

                                                                 CCE-1204
(1) User Configuration\Administrative Templates\Microsoft
Office PowerPoint 2007\PowerPoint Options\Security\Trust
Center\Require that application add-ins are signed by Trusted
Publisher (2)
Software\Policies\Microsoft\Office\12.0\PowerPoint\Security
                                                                 CCE-1107
(1) User Configuration\Administrative Templates\Microsoft
Office PowerPoint 2007\PowerPoint Options\Security\Trust
Center\Disable Trust Bar Notification for unsigned application
add-ins (2)
Software\Policies\Microsoft\Office\12.0\PowerPoint\Security
                                                                 CCE-743
(1) User Configuration\Administrative Templates\Microsoft
Office PowerPoint 2007\PowerPoint Options\Security\Trust
Center\Trusted LocationsAllow Trusted Locations not on the
computer (2)
Software\Policies\Microsoft\Office\12.0\PowerPoint\Security\Tr
usted Locations                                                  CCE-747
(1) User Configuration\Administrative Templates\Microsoft
Office PowerPoint 2007\PowerPoint Options\Security\Trust
Center\Trusted LocationsDisable all trusted locations (2)
Software\Policies\Microsoft\Office\12.0\PowerPoint\Security\Tr
usted Locations
                                                                 CCE-782
(1) User Configuration\Administrative Templates\Microsoft
Office PowerPoint 2007\Disable items in user
interface\Predefined\Disable commands (2)
Software\Policies\Microsoft\Office\12.0\PowerPoint\DisabledC
mdBarItemsCheckBoxes                                             CCE-1327
(1) User Configuration\Administrative Templates\Microsoft
Office PowerPoint 2007\Disable items in user
interface\Predefined\Disable commands - Office Button |
PowerPoint Options | Customize | All Commands | Web Page
Preview (2)
Software\Policies\Microsoft\Office\12.0\PowerPoint\DisabledC
mdBarItemsCheckBoxes
                                                                 CCE-1723
(1) User Configuration\Administrative Templates\Microsoft
Office PowerPoint 2007\Disable items in user
interface\Predefined\Disable commands - Office Button | Send
| Email (2)
Software\Policies\Microsoft\Office\12.0\PowerPoint\DisabledC
mdBarItemsCheckBoxes                                             CCE-1366
(1) User Configuration\Administrative Templates\Microsoft
Office PowerPoint 2007\Disable items in user
interface\Predefined\Disable commands - Insert | Links |
Hyperlink (2)
Software\Policies\Microsoft\Office\12.0\PowerPoint\DisabledC
mdBarItemsCheckBoxes                                             CCE-1679
(1) User Configuration\Administrative Templates\Microsoft
Office PowerPoint 2007\Disable items in user
interface\Predefined\Disable commands - Review | Proofing |
Language (2)
Software\Policies\Microsoft\Office\12.0\PowerPoint\DisabledC
mdBarItemsCheckBoxes                                             CCE-1173
(1) User Configuration\Administrative Templates\Microsoft
Office PowerPoint 2007\Disable items in user
interface\Predefined\Disable commands - View | Macros |
Macros (2)
Software\Policies\Microsoft\Office\12.0\PowerPoint\DisabledC
mdBarItemsCheckBoxes                                             CCE-1714
(1) User Configuration\Administrative Templates\Microsoft
Office PowerPoint 2007\Disable items in user
interface\Predefined\Disable commands - Developer | Code |
Macros (2)
Software\Policies\Microsoft\Office\12.0\PowerPoint\DisabledC
mdBarItemsCheckBoxes                                             CCE-1485
(1) User Configuration\Administrative Templates\Microsoft
Office PowerPoint 2007\Disable items in user
interface\Predefined\Disable commands - Developer | Code |
Macro Security (2)
Software\Policies\Microsoft\Office\12.0\PowerPoint\DisabledC
mdBarItemsCheckBoxes                                             CCE-1687
(1) User Configuration\Administrative Templates\Microsoft
Office PowerPoint 2007\Disable items in user
interface\Predefined\Disable commands - Developer | Code |
Visual Basic (2)
Software\Policies\Microsoft\Office\12.0\PowerPoint\DisabledC
mdBarItemsCheckBoxes                                             CCE-1709
(1) User Configuration\Administrative Templates\Microsoft
Office PowerPoint 2007\Disable items in user
interface\Predefined\Disable commands - Office Button |
PowerPoint Options | Customize | All Commands | Document
Location (2)
Software\Policies\Microsoft\Office\12.0\PowerPoint\DisabledC
mdBarItemsCheckBoxes
                                                                 CCE-1463
(1) User Configuration\Administrative Templates\Microsoft
Office PowerPoint 2007\Disable items in user
interface\Predefined\Disable commands - Disable shortcut
keys (2)
Software\Policies\Microsoft\Office\12.0\PowerPoint\DisabledS
hortcutKeysCheckBoxes                                            CCE-1467
(1) User Configuration\Administrative Templates\Microsoft
Office PowerPoint 2007\Disable items in user
interface\Predefined\Disable commands - Ctrl+K (Insert | Links
| Hyperlink) (2)
Software\Policies\Microsoft\Office\12.0\PowerPoint\DisabledS
hortcutKeysCheckBoxes                                            CCE-1740
(1) User Configuration\Administrative Templates\Microsoft
Office PowerPoint 2007\Disable items in user
interface\Predefined\Disable commands - Alt+F8 (Developer |
Code | Macros) (2)
Software\Policies\Microsoft\Office\12.0\PowerPoint\DisabledS
hortcutKeysCheckBoxes                                             CCE-1780
(1) User Configuration\Administrative Templates\Microsoft
Office PowerPoint 2007\Disable items in user
interface\Predefined\Disable commands - Alt+F11 (Developer
| Code | Visual Basic) (2)
Software\Policies\Microsoft\Office\12.0\PowerPoint\DisabledS
hortcutKeysCheckBoxes                                             CCE-1661
(1) User Configuration\Administrative Templates\Microsoft
Office PowerPoint 2007\Block file formats\Open\Block opening
of pre-release versions of file formats new to PowerPoint 2007
(2)
Software\Policies\Microsoft\Office\12.0\PowerPoint\Security\Fil
eOpenBlock
                                                                  CCE-1688
(1) User Configuration\Administrative Templates\Microsoft
Office PowerPoint 2007\Block file formats\Open\Block opening
of Open Xml files types (2)
Software\Policies\Microsoft\Office\12.0\PowerPoint\Security\Fil
eOpenBlock                                                        CCE-1701
(1) User Configuration\Administrative Templates\Microsoft
Office PowerPoint 2007\Block file formats\Open\Block opening
of Binary file types (2)
Software\Policies\Microsoft\Office\12.0\PowerPoint\Security\Fil
eOpenBlock                                                        CCE-1348
(1) User Configuration\Administrative Templates\Microsoft
Office PowerPoint 2007\Block file formats\Open\Block opening
of Html file types (2)
Software\Policies\Microsoft\Office\12.0\PowerPoint\Security\Fil
eOpenBlock                                                        CCE-1644
(1) User Configuration\Administrative Templates\Microsoft
Office PowerPoint 2007\Block file formats\Open\Block opening
of Outlines (2)
Software\Policies\Microsoft\Office\12.0\PowerPoint\Security\Fil
eOpenBlock                                                        CCE-1194
(1) User Configuration\Administrative Templates\Microsoft
Office PowerPoint 2007\Block file formats\Open\Block opening
of Converters (2)
Software\Policies\Microsoft\Office\12.0\PowerPoint\Security\Fil
eOpenBlock                                                        CCE-1216
(1) User Configuration\Administrative Templates\Microsoft
Office PowerPoint 2007\Block file formats\Save\Block saving
of Open Xml file types (2)
Software\Policies\Microsoft\Office\12.0\PowerPoint\Security\Fil
eSaveBlock                                                        CCE-1506
(1) User Configuration\Administrative Templates\Microsoft
Office PowerPoint 2007\Block file formats\Save\Block saving
of Binary file types (2)
Software\Policies\Microsoft\Office\12.0\PowerPoint\Security\Fil
eSaveBlock                                                        CCE-1136
(1) User Configuration\Administrative Templates\Microsoft
Office PowerPoint 2007\Block file formats\Save\Block saving
of Html file types (2)
Software\Policies\Microsoft\Office\12.0\PowerPoint\Security\Fil
eSaveBlock                                                        CCE-1766
(1) User Configuration\Administrative Templates\Microsoft
Office PowerPoint 2007\Block file formats\Save\Block saving
of Outlines (2)
Software\Policies\Microsoft\Office\12.0\PowerPoint\Security\Fil
eSaveBlock                                                        CCE-1180
(1) User Configuration\Administrative Templates\Microsoft
Office PowerPoint 2007\Block file formats\Save\Block saving
of GraphicFilters (2)
Software\Policies\Microsoft\Office\12.0\PowerPoint\Security\Fil
eSaveBlock                                                        CCE-1722
(1) User Configuration\Administrative Templates\Microsoft
Office PowerPoint 2007\Block file
formats\Miscellaneous\Disable Slide Update (2)
Software\Policies\Microsoft\Office\12.0\PowerPoint\slide
libraries                                                         CCE-1731
(1) User Configuration\Administrative Templates\Microsoft
Office Word 2007\Word Options\Display\Hidden text (2)
Software\Policies\Microsoft\Office\12.0\Word\Options\vpref
                                                                  CCE-885
(1) User Configuration\Administrative Templates\Microsoft
Office Word 2007\Word Options\Save\Save files in this format
(Word document (*.docx) | Single Files Web Page (*.mht) |
Web Page (*.htm; *.html) | Web Page, Filtered (*.htm, *.html) |
Rich Text Format (*.rtf) | Plain Text (*.txt) | Word 6.0/95
(*.doc) | Word 6.0/95 - Chinese (Simplified) (*.doc) | Word
6.0/95 - Chinese (Traditional) (*.doc) | Word 6.0/95 - Japanese
(*.doc) | Word 6.0/95 - Korean (*.doc) | Word 97-2002 & 6.0/95
- RTF | Word 5.1 for Macintosh (*.mcw) | Word 5.0 for
Macintosh (*.mcw) | Word 2.x for Windows (*.doc) | Works 4.0
for Windows (*.wps) | WordPerfect 5.x for Windows (*.doc) |
WordPerfect 5.1 for DOS (*.doc) | Word 2007 Macro Enabled
Document (*.docm) | Word 2007 Macro Free Template
(*.dotx) | Word 2007 Macro Enabled Template (*.dotm) | Word
97 - 2003 Document (*.doc) | Word 97 - 2003 Template (*.dot)
| Flat XML Document (*.xml)) (2)
Software\Policies\Microsoft\Office\12.0\Word\Options




                                                                  CCE-1656
(1) User Configuration\Administrative Templates\Microsoft
Office Word 2007\Word Options\Advanced\Number of
documents in the Recent Documents list (0-50) (2)
Software\Policies\Microsoft\Office\12.0\Word\File MRU

                                                                  CCE-1537
(1) User Configuration\Administrative Templates\Microsoft
Office Word 2007\Word Options\Advanced\Update automatic
links at Open (2)
Software\Policies\Microsoft\Office\12.0\Word\Options              CCE-1249
(1) User Configuration\Administrative Templates\Microsoft
Office Word 2007\Word Options\Advanced\E-mail
Options\Save smart tags in e-mail (2)
Software\Policies\Microsoft\Office\12.0\Word\Options\vpref        CCE-1509
(1) User Configuration\Administrative Templates\Microsoft
Office Word 2007\Word Options\Security\Trust
Center\Determine whether to force encrypted macros to be
scanned in Microsoft Word Open XML documents (2)
Software\Policies\Microsoft\Office\12.0\Word\Security

                                                                CCE-1280
(1) User Configuration\Administrative Templates\Microsoft
Office Word 2007\Word Options\Security\Trust Center\Disable
all application add-ins (2)
Software\Policies\Microsoft\Office\12.0\Word\Security
                                                                CCE-1681
(1) User Configuration\Administrative Templates\Microsoft
Office Word 2007\Word Options\Security\Trust
Center\Require that application add-ins are signed by Trusted
Publisher (2)
Software\Policies\Microsoft\Office\12.0\Word\Security
                                                                CCE-1562
(1) User Configuration\Administrative Templates\Microsoft
Office Word 2007\Word Options\Security\Trust Center\Disable
Trust Bar Notification for unsigned application add-ins (2)
Software\Policies\Microsoft\Office\12.0\Word\Security

                                                                CCE-1333
(1) User Configuration\Administrative Templates\Microsoft
Office Word 2007\Word Options\Security\Trust Center\Trusted
LocationsAllow Trusted Locations not on the computer (2)
Software\Policies\Microsoft\Office\12.0\Word\Security\Trusted
Locations
                                                                CCE-1355
(1) User Configuration\Administrative Templates\Microsoft
Office Word 2007\Word Options\Security\Trust Center\Trusted
LocationsDisable all trusted locations (2)
Software\Policies\Microsoft\Office\12.0\Word\Security\Trusted
Locations                                                       CCE-1637
(1) User Configuration\Administrative Templates\Microsoft
Office Word 2007\Disable items in user
interface\Predefined\Disable commands (2)
Software\Policies\Microsoft\Office\12.0\Word\DisabledCmdBar
ItemsCheckBoxes                                                 CCE-1659
(1) User Configuration\Administrative Templates\Microsoft
Office Word 2007\Disable items in user
interface\Predefined\Disable commands - Office Button | Word
Options | Customize | All Commands | Save As Web Page (2)
Software\Policies\Microsoft\Office\12.0\Word\DisabledCmdBar
ItemsCheckBoxes
                                                                CCE-1329
(1) User Configuration\Administrative Templates\Microsoft
Office Word 2007\Disable items in user
interface\Predefined\Disable commands - Office Button | Word
Options | Customize | All Commands | Web Page Preview (2)
Software\Policies\Microsoft\Office\12.0\Word\DisabledCmdBar
ItemsCheckBoxes
                                                               CCE-1632
(1) User Configuration\Administrative Templates\Microsoft
Office Word 2007\Disable items in user
interface\Predefined\Disable commands - Office Button | Send
| Email (2)
Software\Policies\Microsoft\Office\12.0\Word\DisabledCmdBar
ItemsCheckBoxes                                                CCE-1425
(1) User Configuration\Administrative Templates\Microsoft
Office Word 2007\Disable items in user
interface\Predefined\Disable commands - Insert | Links |
Hyperlink (2)
Software\Policies\Microsoft\Office\12.0\Word\DisabledCmdBar
ItemsCheckBoxes                                                CCE-1196
(1) User Configuration\Administrative Templates\Microsoft
Office Word 2007\Disable items in user
interface\Predefined\Disable commands - Review | Protect |
Protect Document (2)
Software\Policies\Microsoft\Office\12.0\Word\DisabledCmdBar
ItemsCheckBoxes                                                CCE-936
(1) User Configuration\Administrative Templates\Microsoft
Office Word 2007\Disable items in user
interface\Predefined\Disable commands - View | Macros |
Macros (2)
Software\Policies\Microsoft\Office\12.0\Word\DisabledCmdBar
ItemsCheckBoxes                                                CCE-1354
(1) User Configuration\Administrative Templates\Microsoft
Office Word 2007\Disable items in user
interface\Predefined\Disable commands - Developer | Code |
Macros (2)
Software\Policies\Microsoft\Office\12.0\Word\DisabledCmdBar
ItemsCheckBoxes                                                CCE-1125
(1) User Configuration\Administrative Templates\Microsoft
Office Word 2007\Disable items in user
interface\Predefined\Disable commands - Developer | Code |
Record Macro (2)
Software\Policies\Microsoft\Office\12.0\Word\DisabledCmdBar
ItemsCheckBoxes                                                CCE-1742
(1) User Configuration\Administrative Templates\Microsoft
Office Word 2007\Disable items in user
interface\Predefined\Disable commands - Developer | Code |
Macro Security (2)
Software\Policies\Microsoft\Office\12.0\Word\DisabledCmdBar
ItemsCheckBoxes                                                CCE-1782
(1) User Configuration\Administrative Templates\Microsoft
Office Word 2007\Disable items in user
interface\Predefined\Disable commands - Developer | Code |
Visual Basic (2)
Software\Policies\Microsoft\Office\12.0\Word\DisabledCmdBar
ItemsCheckBoxes                                                  CCE-1306
(1) User Configuration\Administrative Templates\Microsoft
Office Word 2007\Disable items in user
interface\Predefined\Disable commands - Developer |
Templates | Document Template (2)
Software\Policies\Microsoft\Office\12.0\Word\DisabledCmdBar
ItemsCheckBoxes                                                  CCE-1548
(1) User Configuration\Administrative Templates\Microsoft
Office Word 2007\Disable items in user
interface\Predefined\Disable shortcut keys (2)
Software\Policies\Microsoft\Office\12.0\Word\DisabledShortcut
KeysCheckBoxes                                                   CCE-1716
(1) User Configuration\Administrative Templates\Microsoft
Office Word 2007\Disable items in user
interface\Predefined\Disable shortcut keys - Ctrl+F (Home |
Editing | Find) (2)
Software\Policies\Microsoft\Office\12.0\Word\DisabledShortcut
KeysCheckBoxes                                                   CCE-1597
(1) User Configuration\Administrative Templates\Microsoft
Office Word 2007\Disable items in user
interface\Predefined\Disable shortcut keys - Ctrl+K (Insert |
Links | Hyperlink) (2)
Software\Policies\Microsoft\Office\12.0\Word\DisabledShortcut
KeysCheckBoxes                                                   CCE-1689
(1) User Configuration\Administrative Templates\Microsoft
Office Word 2007\Disable items in user
interface\Predefined\Disable shortcut keys - Alt+F8 (Developer
| Code | Macros) (2)
Software\Policies\Microsoft\Office\12.0\Word\DisabledShortcut
KeysCheckBoxes                                                   CCE-1570
(1) User Configuration\Administrative Templates\Microsoft
Office Word 2007\Disable items in user
interface\Predefined\Disable shortcut keys - Alt+F11
(Developer | Code | Visual Basic) (2)
Software\Policies\Microsoft\Office\12.0\Word\DisabledShortcut
KeysCheckBoxes                                                   CCE-1720
(1) User Configuration\Administrative Templates\Microsoft
Office Word 2007\Block file formats\Open\Block opening of
pre-release versions of file formats new to Word 2007 (2)
Software\Policies\Microsoft\Office\12.0\Word\Security\FileOpe
nBlock
                                                                 CCE-1746
(1) User Configuration\Administrative Templates\Microsoft
Office Word 2007\Block file formats\Open\Block opening of
Open XML file types (2)
Software\Policies\Microsoft\Office\12.0\Word\Security\FileOpe
nBlock                                                           CCE-1504
(1) User Configuration\Administrative Templates\Microsoft
Office Word 2007\Block file formats\Open\Block opening of
Binary file types (2)
Software\Policies\Microsoft\Office\12.0\Word\Security\FileOpe
nBlock                                                          CCE-1654
(1) User Configuration\Administrative Templates\Microsoft
Office Word 2007\Block file formats\Open\Block opening of
HTML file types (2)
Software\Policies\Microsoft\Office\12.0\Word\Security\FileOpe
nBlock                                                          CCE-1160
(1) User Configuration\Administrative Templates\Microsoft
Office Word 2007\Block file formats\Open\Block opening of
Word 2003 XML file types (2)
Software\Policies\Microsoft\Office\12.0\Word\Security\FileOpe
nBlock                                                          CCE-958
(1) User Configuration\Administrative Templates\Microsoft
Office Word 2007\Block file formats\Open\Block opening of
RTF file types (2)
Software\Policies\Microsoft\Office\12.0\Word\Security\FileOpe
nBlock                                                          CCE-1579
(1) User Configuration\Administrative Templates\Microsoft
Office Word 2007\Block file formats\Open\Block open
Converters (2)
Software\Policies\Microsoft\Office\12.0\Word\Security\FileOpe
nBlock                                                          CCE-984
(1) User Configuration\Administrative Templates\Microsoft
Office Word 2007\Block file formats\Open\Block opening of
Text file types (2)
Software\Policies\Microsoft\Office\12.0\Word\Security\FileOpe
nBlock                                                          CCE-1072
(1) User Configuration\Administrative Templates\Microsoft
Office Word 2007\Block file formats\Open\Block opening of
Internal file types (2)
Software\Policies\Microsoft\Office\12.0\Word\Security\FileOpe
nBlock                                                          CCE-1503
(1) User Configuration\Administrative Templates\Microsoft
Office Word 2007\Block file formats\Open\Block opening of
files before version (2)
Software\Policies\Microsoft\Office\12.0\Word\Security\FileOpe
nBlock                                                          CCE-1371
(1) User Configuration\Administrative Templates\Microsoft
Office Word 2007\Block file formats\Save\Block saving of
Open XML file types (2)
Software\Policies\Microsoft\Office\12.0\Word\Security\FileSav
eBlock                                                          CCE-1019
(1) User Configuration\Administrative Templates\Microsoft
Office Word 2007\Block file formats\Save\Block saving of
Binary file types (2)
Software\Policies\Microsoft\Office\12.0\Word\Security\FileSav
eBlock                                                          CCE-1684
(1) User Configuration\Administrative Templates\Microsoft
Office Word 2007\Block file formats\Save\Block saving of
HTML file types (2)
Software\Policies\Microsoft\Office\12.0\Word\Security\FileSav
eBlock                                                          CCE-1675
(1) User Configuration\Administrative Templates\Microsoft
Office Word 2007\Block file formats\Save\Block saving of
Word 2003 XML file types (2)
Software\Policies\Microsoft\Office\12.0\Word\Security\FileSav
eBlock                                                          CCE-1200
(1) User Configuration\Administrative Templates\Microsoft
Office Word 2007\Block file formats\Save\Block saving of RTF
file types (2)
Software\Policies\Microsoft\Office\12.0\Word\Security\FileSav
eBlock                                                          CCE-1741
(1) User Configuration\Administrative Templates\Microsoft
Office Word 2007\Block file formats\Save\Block saving of
Converters (2)
Software\Policies\Microsoft\Office\12.0\Word\Security\FileSav
eBlock                                                          CCE-1231
(1) User Configuration\Administrative Templates\Microsoft
Office Word 2007\Block file formats\Save\Block saving of Text
file types (2)
Software\Policies\Microsoft\Office\12.0\Word\Security\FileSav
eBlock                                                          CCE-1755

(1) Computer Configuration\Administrative
Templates\Microsoft Office InfoPath 2007
(Machine)\Security\InfoPath APTCA Assembly Whitelist (2)
Software\Policies\Microsoft\Office\12.0\InfoPath\Security\APT
CA
                                                                CCE-1169
(1) Computer Configuration\Administrative
Templates\Microsoft Office InfoPath 2007
(Machine)\Security\Windows Internet Explorer Feature Control
Opt-In (None | InfoPath.exe, Document Information Panel and
Workflow forms | InfoPath.exe, Document Information Panel,
Workflow forms and 3rd Party Hosting) (2)
Software\Policies\Microsoft\Office\12.0\InfoPath\Security




                                                                CCE-1735
(1) Computer Configuration\Administrative
Templates\Microsoft Office InfoPath 2007
(Machine)\Security\InfoPath APTCA Assembly Whitelist
Enforcement (2)
Software\Policies\Microsoft\Office\12.0\InfoPath\Security
                                                                CCE-1739
(1) Computer Configuration\Administrative
Templates\Microsoft Office 2007 system (Machine)\Security
Settings\Disable Package Repair (2)
Software\Policies\Microsoft\Office\12.0\Common\OpenXMLFo
rmat                                                        CCE-933
(1) Computer Configuration\Administrative
Templates\Microsoft Office 2007 system (Machine)\Security
Settings\IE Security\Disable user name and password (2)
Software\Policies\Microsoft\Internet
Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME
_PASSWORD_DISABLE
                                                            CCE-1563
(1) Computer Configuration\Administrative
Templates\Microsoft Office 2007 system (Machine)\Security
Settings\IE Security\Disable user name and password -
excel.exe (2) Software\Policies\Microsoft\Internet
Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME
_PASSWORD_DISABLE
                                                            CCE-1215
(1) Computer Configuration\Administrative
Templates\Microsoft Office 2007 system (Machine)\Security
Settings\IE Security\Disable user name and password -
powerpnt.exe (2) Software\Policies\Microsoft\Internet
Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME
_PASSWORD_DISABLE
                                                            CCE-1484
(1) Computer Configuration\Administrative
Templates\Microsoft Office 2007 system (Machine)\Security
Settings\IE Security\Disable user name and password -
pptview.exe (2) Software\Policies\Microsoft\Internet
Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME
_PASSWORD_DISABLE
                                                            CCE-1629
(1) Computer Configuration\Administrative
Templates\Microsoft Office 2007 system (Machine)\Security
Settings\IE Security\Disable user name and password -
winword.exe (2) Software\Policies\Microsoft\Internet
Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME
_PASSWORD_DISABLE
                                                            CCE-1762
(1) Computer Configuration\Administrative
Templates\Microsoft Office 2007 system (Machine)\Security
Settings\IE Security\Disable user name and password -
outlook.exe (2) Software\Policies\Microsoft\Internet
Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME
_PASSWORD_DISABLE
                                                            CCE-1660
(1) Computer Configuration\Administrative
Templates\Microsoft Office 2007 system (Machine)\Security
Settings\IE Security\Disable user name and password -
spDesign.exe (2) Software\Policies\Microsoft\Internet
Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME
_PASSWORD_DISABLE
                                                            CCE-1057
(1) Computer Configuration\Administrative
Templates\Microsoft Office 2007 system (Machine)\Security
Settings\IE Security\Disable user name and password -
msaccess.exe (2) Software\Policies\Microsoft\Internet
Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME
_PASSWORD_DISABLE
                                                            CCE-1285
(1) Computer Configuration\Administrative
Templates\Microsoft Office 2007 system (Machine)\Security
Settings\IE Security\Bind to object (2)
Software\Policies\Microsoft\Internet
Explorer\Main\FeatureControl\FEATURE_SAFE_BINDTOOBJ
ECT                                                         CCE-1669
(1) Computer Configuration\Administrative
Templates\Microsoft Office 2007 system (Machine)\Security
Settings\IE Security\Bind to object - excel.exe (2)
Software\Policies\Microsoft\Internet
Explorer\Main\FeatureControl\FEATURE_SAFE_BINDTOOBJ
ECT                                                         CCE-1691
(1) Computer Configuration\Administrative
Templates\Microsoft Office 2007 system (Machine)\Security
Settings\IE Security\Bind to object - powerpnt.exe (2)
Software\Policies\Microsoft\Internet
Explorer\Main\FeatureControl\FEATURE_SAFE_BINDTOOBJ
ECT                                                         CCE-1338
(1) Computer Configuration\Administrative
Templates\Microsoft Office 2007 system (Machine)\Security
Settings\IE Security\Bind to object - pptview.exe (2)
Software\Policies\Microsoft\Internet
Explorer\Main\FeatureControl\FEATURE_SAFE_BINDTOOBJ
ECT                                                         CCE-1717
(1) Computer Configuration\Administrative
Templates\Microsoft Office 2007 system (Machine)\Security
Settings\IE Security\Bind to object - winword.exe (2)
Software\Policies\Microsoft\Internet
Explorer\Main\FeatureControl\FEATURE_SAFE_BINDTOOBJ
ECT                                                         CCE-1488
(1) Computer Configuration\Administrative
Templates\Microsoft Office 2007 system (Machine)\Security
Settings\IE Security\Bind to object - outlook.exe (2)
Software\Policies\Microsoft\Internet
Explorer\Main\FeatureControl\FEATURE_SAFE_BINDTOOBJ
ECT                                                         CCE-1638
(1) Computer Configuration\Administrative
Templates\Microsoft Office 2007 system (Machine)\Security
Settings\IE Security\Bind to object - spDesign.exe (2)
Software\Policies\Microsoft\Internet
Explorer\Main\FeatureControl\FEATURE_SAFE_BINDTOOBJ
ECT                                                         CCE-1647
(1) Computer Configuration\Administrative
Templates\Microsoft Office 2007 system (Machine)\Security
Settings\IE Security\Bind to object - msaccess.exe (2)
Software\Policies\Microsoft\Internet
Explorer\Main\FeatureControl\FEATURE_SAFE_BINDTOOBJ
ECT                                                         CCE-1294
(1) Computer Configuration\Administrative
Templates\Microsoft Office 2007 system (Machine)\Security
Settings\IE Security\Saved from URL (2)
Software\Policies\Microsoft\Internet
Explorer\Main\FeatureControl\FEATURE_UNC_SAVEDFILEC
HECK                                                        CCE-1193
(1) Computer Configuration\Administrative
Templates\Microsoft Office 2007 system (Machine)\Security
Settings\IE Security\Saved from URL - excel.exe (2)
Software\Policies\Microsoft\Internet
Explorer\Main\FeatureControl\FEATURE_UNC_SAVEDFILEC
HECK                                                        CCE-1352
(1) Computer Configuration\Administrative
Templates\Microsoft Office 2007 system (Machine)\Security
Settings\IE Security\Saved from URL - powerpnt.exe (2)
Software\Policies\Microsoft\Internet
Explorer\Main\FeatureControl\FEATURE_UNC_SAVEDFILEC
HECK                                                        CCE-928
(1) Computer Configuration\Administrative
Templates\Microsoft Office 2007 system (Machine)\Security
Settings\IE Security\Saved from URL - pptview.exe (2)
Software\Policies\Microsoft\Internet
Explorer\Main\FeatureControl\FEATURE_UNC_SAVEDFILEC
HECK                                                        CCE-1576
(1) Computer Configuration\Administrative
Templates\Microsoft Office 2007 system (Machine)\Security
Settings\IE Security\Saved from URL - winword.exe (2)
Software\Policies\Microsoft\Internet
Explorer\Main\FeatureControl\FEATURE_UNC_SAVEDFILEC
HECK                                                        CCE-1100
(1) Computer Configuration\Administrative
Templates\Microsoft Office 2007 system (Machine)\Security
Settings\IE Security\Saved from URL - outlook.exe (2)
Software\Policies\Microsoft\Internet
Explorer\Main\FeatureControl\FEATURE_UNC_SAVEDFILEC
HECK                                                        CCE-1232
(1) Computer Configuration\Administrative
Templates\Microsoft Office 2007 system (Machine)\Security
Settings\IE Security\Saved from URL - spDesign.exe (2)
Software\Policies\Microsoft\Internet
Explorer\Main\FeatureControl\FEATURE_UNC_SAVEDFILEC
HECK                                                        CCE-1774
(1) Computer Configuration\Administrative
Templates\Microsoft Office 2007 system (Machine)\Security
Settings\IE Security\Saved from URL - msaccess.exe (2)
Software\Policies\Microsoft\Internet
Explorer\Main\FeatureControl\FEATURE_UNC_SAVEDFILEC
HECK                                                        CCE-906
(1) Computer Configuration\Administrative
Templates\Microsoft Office 2007 system (Machine)\Security
Settings\IE Security\Navigate URL (2)
Software\Policies\Microsoft\Internet
Explorer\Main\FeatureControl\FEATURE_VALIDATE_NAVIG
ATE_URL                                                     CCE-1034
(1) Computer Configuration\Administrative
Templates\Microsoft Office 2007 system (Machine)\Security
Settings\IE Security\Navigate URL - excel.exe (2)
Software\Policies\Microsoft\Internet
Explorer\Main\FeatureControl\FEATURE_VALIDATE_NAVIG
ATE_URL                                                     CCE-1435
(1) Computer Configuration\Administrative
Templates\Microsoft Office 2007 system (Machine)\Security
Settings\IE Security\Navigate URL - powerpnt.exe (2)
Software\Policies\Microsoft\Internet
Explorer\Main\FeatureControl\FEATURE_VALIDATE_NAVIG
ATE_URL                                                     CCE-1708
(1) Computer Configuration\Administrative
Templates\Microsoft Office 2007 system (Machine)\Security
Settings\IE Security\Navigate URL - pptview.exe (2)
Software\Policies\Microsoft\Internet
Explorer\Main\FeatureControl\FEATURE_VALIDATE_NAVIG
ATE_URL                                                     CCE-808
(1) Computer Configuration\Administrative
Templates\Microsoft Office 2007 system (Machine)\Security
Settings\IE Security\Navigate URL - winword.exe (2)
Software\Policies\Microsoft\Internet
Explorer\Main\FeatureControl\FEATURE_VALIDATE_NAVIG
ATE_URL                                                     CCE-1650
(1) Computer Configuration\Administrative
Templates\Microsoft Office 2007 system (Machine)\Security
Settings\IE Security\Navigate URL - outlook.exe (2)
Software\Policies\Microsoft\Internet
Explorer\Main\FeatureControl\FEATURE_VALIDATE_NAVIG
ATE_URL                                                     CCE-1223
(1) Computer Configuration\Administrative
Templates\Microsoft Office 2007 system (Machine)\Security
Settings\IE Security\Navigate URL - spDesign.exe (2)
Software\Policies\Microsoft\Internet
Explorer\Main\FeatureControl\FEATURE_VALIDATE_NAVIG
ATE_URL                                                     CCE-1764
(1) Computer Configuration\Administrative
Templates\Microsoft Office 2007 system (Machine)\Security
Settings\IE Security\Navigate URL - msaccess.exe (2)
Software\Policies\Microsoft\Internet
Explorer\Main\FeatureControl\FEATURE_VALIDATE_NAVIG
ATE_URL                                                     CCE-1769
(1) Computer Configuration\Administrative
Templates\Microsoft Office 2007 system (Machine)\Security
Settings\IE Security\Block popups (2)
Software\Policies\Microsoft\Internet
Explorer\Main\FeatureControl\FEATURE_WEBOC_POPUPM
ANAGEMENT                                                   CCE-1152
(1) Computer Configuration\Administrative
Templates\Microsoft Office 2007 system (Machine)\Security
Settings\IE Security\Block popups - excel.exe (2)
Software\Policies\Microsoft\Internet
Explorer\Main\FeatureControl\FEATURE_WEBOC_POPUPM
ANAGEMENT                                                   CCE-1566
(1) Computer Configuration\Administrative
Templates\Microsoft Office 2007 system (Machine)\Security
Settings\IE Security\Block popups - powerpnt.exe (2)
Software\Policies\Microsoft\Internet
Explorer\Main\FeatureControl\FEATURE_WEBOC_POPUPM
ANAGEMENT                                                   CCE-1077
(1) Computer Configuration\Administrative
Templates\Microsoft Office 2007 system (Machine)\Security
Settings\IE Security\Block popups - pptview.exe (2)
Software\Policies\Microsoft\Internet
Explorer\Main\FeatureControl\FEATURE_WEBOC_POPUPM
ANAGEMENT                                                   CCE-1606
(1) Computer Configuration\Administrative
Templates\Microsoft Office 2007 system (Machine)\Security
Settings\IE Security\Block popups - winword.exe (2)
Software\Policies\Microsoft\Internet
Explorer\Main\FeatureControl\FEATURE_WEBOC_POPUPM
ANAGEMENT                                                   CCE-1738
(1) Computer Configuration\Administrative
Templates\Microsoft Office 2007 system (Machine)\Security
Settings\IE Security\Block popups - outlook.exe (2)
Software\Policies\Microsoft\Internet
Explorer\Main\FeatureControl\FEATURE_WEBOC_POPUPM
ANAGEMENT                                                   CCE-1262
(1) Computer Configuration\Administrative
Templates\Microsoft Office 2007 system (Machine)\Security
Settings\IE Security\Block popups - spDesign.exe (2)
Software\Policies\Microsoft\Internet
Explorer\Main\FeatureControl\FEATURE_WEBOC_POPUPM
ANAGEMENT                                                         CCE-1663
(1) Computer Configuration\Administrative
Templates\Microsoft Office 2007 system (Machine)\Security
Settings\IE Security\Block popups - msaccess.exe (2)
Software\Policies\Microsoft\Internet
Explorer\Main\FeatureControl\FEATURE_WEBOC_POPUPM
ANAGEMENT                                                         CCE-1544


(1) User Configuration\Administrative Templates\Microsoft
Office Outlook 2007\Security\Prevent users from customizing
attachment security settings (2) User
Configuration\Administrative Templates\Classic Administrative
Templates\Microsoft Office Outlook 2007\Security\Prevent
users from customizing attachment security settings (3)
HKCU\Software\Policies\Microsoft\Office\12.0\Outlook -
DisallowAttachmentCustomization                                   CCE-1443
(1) Computer Configuration\Administrative
Templates\Microsoft Office 2003\Security Settings\Access:
Macro Security Leve (2)
HKLM\Software\Policies\Microsoft\Office\11.0\Access\Security
- Level (3) User Configuration\Administrative
Templates\Microsoft Office Access
2003\Tools\Macros\Security\Security level (4)
HKCU\Software\Policies\Microsoft\Office\11.0\Access\Security
- Level                                                           CCE-1161

(1) Computer Configuration\Administrative
Templates\Microsoft Office 2003\Security Settings\Access:
Trust all installed add – ins and templates (2)
HKLM\Software\Policies\Microsoft\Office\11.0\Access\Security
- DontTrustInstalledFiles (3) User Configuration\Administrative
Templates\Microsoft Office Access
2003\Tools\Macros\Security\Trust all installed add-ins and
templates (4)
HKCU\Software\Policies\Microsoft\Office\11.0\Access\Security
- DontTrustInstalledFiles                                         CCE-1421
(1) Computer Configuration\Administrative
Templates\Microsoft Office 2003\Security Settings\Excel:
Macro Security Level (2)
HKLM\Software\Policies\Microsoft\Office\11.0\Excel\Security -
Level(3) User Configuration\Administrative
Templates\Microsoft Office Excel
2003\Tools\Macros\Security\Security level (4)
HKCU\Software\Policies\Microsoft\Office\11.0\Excel\Security -
Level                                                             CCE-1571
(1) Computer Configuration\Administrative
Templates\Microsoft Office 2003\Security Settings\Excel:
Trust all installed add – ins and templates (2)
HKLM\Software\Policies\Microsoft\Office\11.0\Excel\Security -
DontTrustInstalledFiles (3) User Configuration\Administrative
Templates\Microsoft Office Excel
2003\Tools\Macros\Security\Trust all installed add-ins and
templates (4)
HKCU\Software\Policies\Microsoft\Office\11.0\Excel\Security -
DontTrustInstalledFiles                                         CCE-1721
(1) Computer Configuration\Administrative
Templates\Microsoft Office 2003\Security Settings\Outlook:
Macro Security Level (2)
HKLM\Software\Policies\Microsoft\Office\11.0\Outlook\Securit
y - Level (3) User Configuration\Administrative
Templates\Microsoft Office Outlook
2003\Tools\Macros\Security\Security Level (4)
HKCU\Software\Policies\Microsoft\Office\11.0\Outlook -
Security\Level                                                  CCE-1602
(1) User Configuration\Administrative Templates\Microsoft
Office Outlook 2003\Tools\Macros\Security\Outlook: Trust all
installed add-ins and templates (2)
HKCU\Software\Policies\Microsoft\Office\11.0\Outlook\Securit
y - DontTrustInstalledFiles                                     CCE-1624




(1) User Configuration\Administrative Templates\Microsoft
Office Outlook 2003\Tools\Options\Security\Outlook virus
security settings (2)
HKCU\Software\Policies\Microsoft\Security -
CheckAdminSettings                                              CCE-1522




(1) User Configuration\Administrative Templates\Microsoft
Office Outlook
2003\Tools\Options\Security\Cryptography\S/MIME receipt
requests (2)
HKCU\Software\Policies\Microsoft\Office\11.0\Outlook\Securit
y - RespondToReceiptRequests                                    CCE-1183
(1) Computer Configuration\Administrative
Templates\Microsoft Office 2003\Security
Settings\PowerPoint: Macro Security Level (2)
HKLM\Software\Policies\Microsoft\Office\11.0\PowerPoint\Sec
urity - Level (3) User Configuration\Administrative
Templates\Microsoft Office PowerPoint
2003\Tools\Macro\Security\Security Level (4)
HKCU\Software\Policies\Microsoft\Office\11.0\PowerPoint -
Security\Level                                                  CCE-1611
(1) Computer Configuration\Administrative
Templates\Microsoft Office 2003\Security
Settings\PowerPoint: Trust all installed add – ins and
templates (2)
HKLM\Software\Policies\Microsoft\Office\11.0\PowerPoint\Sec
urity - DontTrustInstalledFiles (3) User
Configuration\Administrative Templates\Microsoft Office
PowerPoint 2003\Tools\Macro\Security\Trust all installed add
– ins and templates (4)
HKCU\Software\Policies\Microsoft\Office\11.0\PowerPoint\Sec
urity - DontTrustInstalledFiles                                 CCE-1633
(1) Computer Configuration\Administrative
Templates\Microsoft Office 2003\Security Settings\Publisher:
Macro Security Level (2)
HKLM\Software\Policies\Microsoft\Office\11.0\Publisher\Securi
ty - Level                                                      CCE-822

(1) Computer Configuration\Administrative
Templates\Microsoft Office 2003\Security Settings\Publisher:
Trust all installed add–ins and templates (2)
HKLM\Software\Policies\Microsoft\Office\11.0\Publisher\Securi
ty - DontTrustInstalledFiles                                    CCE-1734
(1) Computer Configuration\Administrative
Templates\Microsoft Office 2003\Security Settings\Word:
Macro Security Level (2)
HKLM\Software\Policies\Microsoft\Office\11.0\Word\Security -
Level (3) User Configuration\Administrative
Templates\Microsoft Office Word
2003\Tools\Macro\Security\Security Level (4)
HKCU\Software\Policies\Microsoft\Office\11.0\Word -
Security\Level                                                  CCE-1628
(1) Computer Configuration\Administrative
Templates\Microsoft Office 2003\Security Settings\Word:
Trust all installed add–ins and templates (2)
HKLM\Software\Policies\Microsoft\Office\11.0\Word\Security -
DontTrustInstalledFiles (3) User Configuration\Administrative
Templates\Microsoft Office Word
2003\Tools\Macro\Security\Trust all installed add – ins and
templates (4)
HKCU\Software\Policies\Microsoft\Office\11.0\Word\Security -
DontTrustInstalledFiles                                         CCE-1761
(1) User Configuration\Administrative Templates\Microsoft
Office Word 2003\Tools\Options\Security\Store random
number to improve merge accuracy (2)
HKCU\Software\Policies\Microsoft\Office\11.0\Word\Options\v
pref - fDontSaveRSID_1804_1                                     CCE-1302
(1) User Configuration\Administrative Templates\Microsoft
Office 2003\Security Settings\Prevent Users from Changing
Office Encryption Settings (2)
HKCU\Software\Policies\Microsoft\Office\11.0\Common\Securi
ty - DisableCustomEncryption                                    CCE-1307
(1)Computer Configuration\Administrative Templates\Classic
Administrative Templates (ADM)\Microsoft Office 2007
system\Office Diagnostics\Disable Update Diagnostics (2)
HKLM\Software\Policies\Microsoft\Office\Common\OffDiag\Dis
ableOffDiagnostics




(1) User Configuration\Administrative Templates\Classic
Administrative Templates\Microsoft Office Outlook
2007\Security\Allow Active X One Off Forms (2)
HKCU\Software\Policies\Microsoft\Office\12.0\Outlook\Securit
y\AllowActiveXOneOffForms
(1) User Configuration\Administrative Templates\Classic
Administrative Templates\Microsoft Office Outlook
2007\Security\Allow access to e-mail attachments (2)
HKCU\Software\Policies\Microsoft\Office\12.0\Outlook\Securit
y\Level1Add
(1) User Configuration\Administrative Templates\Classic
Administrative Templates\Microsoft Office Outlook
2007\Security\Do not automatically sign replies (2)
HKCU\Software\Policies\Microsoft\Office\12.0\Outlook\Securit
y\NoSignOnReply
(1) User Configuration\Administrative Templates\Classic
Administrative Templates\Microsoft Office Outlook
2007\Security\Prompt user to choose security settings if
default settings fail (2)
HKCU\Software\Policies\Microsoft\Office\12.0\Outlook\Securit
y\ForceDefaultProfile
                                                 Microsoft Office 2007
     Microsoft Threats and                    Recommendations (Security
    Countermeasures guide                       Settings for Office 2007
                                                  Applications.xlsx)


                                            User Configuration\Administrative
                                            Templates\Microsoft Office 2007
                                            system\Security Settings\Disable VBA
                                            for Office applications, Computer
                                            Configuration\Administrative
                                            Templates\Microsoft Office 2007 system
                                            (Machine)\Security Settings\Disable
                                            VBA for Office applications



Table 1.124. Disable VBA for Office
applications, Table 2.5. Disable VBA for
Office applications
                                            User Configuration\Administrative
                                            Templates\Microsoft Office 2007
                                            system\Security Settings\ActiveX
                                            Control Initialization (1 | 2 | 3 | 4 | 5 | 6)




Table 1.3. ActiveX Control Initialization
                                        User Configuration\Administrative
                                        Templates\Microsoft Office 2007
                                        system\Privacy\Trust Center\Enable
Table 1.148. Enable Customer            Customer Experience Improvement
Experience Improvement Program          Program
                                        User Configuration\Administrative
                                        Templates\Microsoft Office 2007
                                        system\Privacy\Trust
Table 1.23. Automatically receive small Center\Automatically receive small
updates to improve reliability          updates to improve reliability
                                        User Configuration\Administrative
                                        Templates\Microsoft Office 2007
                                        system\Tools | Options | General |
                                        Service Options...\Online
                                        Content\Online content options (Never
                                        show online content or entry points |
                                        Search only offline content whenever
                                        available | Search online content
Table 1.179. Online content options     whenever available)
                                      User Configuration\Administrative
                                      Templates\Microsoft Office Access
                                      2007\Application Settings\Security\Trust
                                      Center\VBA Macro Warning Settings
                                      (Trust Bar warning for all macros | Trust
                                      Bar warning for digitally signed macros
                                      only (unsigned macros will be disabled) |
                                      No Warnings for all macros but disable
                                      all macros | No Security checks for
                                      macros (Not recommended, code in all
                                      documents can run))
Table 1.234. VBA Macro Warning
Settings
                                      User Configuration\Administrative
                                      Templates\Microsoft Office Excel
                                      2007\Excel Options\Security\Trust
                                      Center\VBA Macro Warning Settings
                                      (Trust Bar warning for all macros | Trust
                                      Bar warning for digitally signed macros
                                      only (unsigned macros will be disabled) |
                                      No Warnings for all macros but disable
                                      all macros | No Security checks for
                                      macros (Not recommended, code in all
Table 1.234. VBA Macro Warning        documents can run))
Settings
                                      User Configuration\Administrative
                                      Templates\Microsoft Office Excel
                                      2007\Excel Options\Security\Trust
                                      Center\Trust access to Visual Basic
                                      Project




Table 1.225. Trust access to Visual
Basic Project
                                          User Configuration\Administrative
                                          Templates\Microsoft Office PowerPoint
                                          2007\PowerPoint Options\Security\Trust
                                          Center\VBA Macro Warning Settings
                                          (Trust Bar warning for all macros | Trust
                                          Bar warning for digitally signed macros
                                          only (unsigned macros will be disabled) |
                                          No Warnings for all macros but disable
                                          all macros | No Security checks for
                                          macros (Not recommended, code in all
                                          documents can run))
Table 1.234. VBA Macro Warning
Settings
                                          User Configuration\Administrative
                                          Templates\Microsoft Office PowerPoint
                                          2007\PowerPoint Options\Security\Trust
                                          Center\Trust access to Visual Basic
Table 1.225. Trust access to Visual       Project
Basic Project
                                          User Configuration\Administrative
                                          Templates\Classic Administrative
                                          Templates\Microsoft Office Outlook
                                          2007\Security\Disable Remember
                                          Passwords
                                          User Configuration\Administrative
                                          Templates\Classic Administrative
                                          Templates\Microsoft Office Outlook
                                          2007\Security\Configure Add-In Trust
                                          Level



Table 1.72. Configure trusted add-ins


                                          User Configuration\Administrative
                                          Templates\Microsoft Office Outlook
                                          2007\Security\Cryptography\Minimum
                                          encryption settings
Table 1.173. Minimum encryption
settings
                                          User Configuration\Administrative
                                          Templates\Microsoft Office Outlook
                                          2007\Security\Cryptography\Do not
Table 1.134. Do not check e-mail          check e-mail address against address
address against address of certificates   of certificates being used
being using
                                          User Configuration\Administrative
                                          Templates\Microsoft Office Outlook
                                          2007\Security\Cryptography\Send all
                                          signed messages as clear signed
                                          messages




Table 1.214. Send all signed messages
as clear signed messages
                                          User Configuration\Administrative
                                          Templates\Microsoft Office Outlook
                                          2007\Security\Cryptography\Request an
                                          S/MIME receipt for all S/MIME signed
Table 1.198. Request an S/MIME            messages
receipt for all S/MIME signed messages
                                          User Configuration\Administrative
                                          Templates\Microsoft Office Outlook
                                          2007\Security\Cryptography\Do not
                                          display 'Publish to GAL' button




Table 1.135. Do not display 'Publish to
GAL' button
                                          User Configuration\Administrative
                                          Templates\Microsoft Office Outlook
                                          2007\Security\Cryptography\Signature
                                          Warning (Let user decide if they want to
                                          be warned | Always warn about invalid
                                          signatures | Never warn about invalid
                                          signatures)




Table 1.220. Signature Warning
                                      User Configuration\Administrative
                                      Templates\Microsoft Office Outlook
                                      2007\Security\Cryptography\Enable
                                      Cryptography Icons




                                      User Configuration\Administrative
                                      Templates\Microsoft Office Outlook
                                      2007\Security\Cryptography\Signature
                                      Status dialog box\Retrieving CRLs
                                      (Certificate Revocation Lists) (Use
                                      system Default | When online always
Table 1.204. Retrieving CRLs          retreive the CRL | Never retreive the
(Certificate Revocation Lists)        CRL)
                                      User Configuration\Administrative
                                      Templates\Microsoft Office Word
                                      2007\Word Options\Security\Trust
                                      Center\VBA Macro Warning Settings
                                      (Trust Bar warning for all macros | Trust
                                      Bar warning for digitally signed macros
                                      only (unsigned macros will be disabled) |
                                      No Warnings for all macros but disable
                                      all macros | No )
Table 1.234. VBA Macro Warning
Settings
                                      User Configuration\Administrative
                                      Templates\Microsoft Office Word
                                      2007\Word Options\Security\Trust
                                      Center\Trust access to Visual Basic
                                      Project




Table 1.225. Trust access to Visual
Basic Project
                                           Computer Configuration\Administrative
                                           Templates\Classic Administrative
                                           Templates (ADM)\Microsoft Office Word
                                           2007\Word Options\Security\Warn
                                           before printing, saving or sending a file
                                           that contains tracked changes or
                                           comments
                                           User Configuration\Administrative
                                           Templates\Microsoft Office 2007
                                           system\Miscellaneous\Block updates
Table 1.64. Block updates from the         from the Office Update Site from
Office Update Site from applying           applying
Table 1.230. Underline hyperlinks          User Configuration\Administrative
                                           Templates\Microsoft Office Access
                                           2007\Application Settings\Web
                                           Options\General\Underline hyperlinks
                                           User Configuration\Administrative
                                           Templates\Microsoft Office Access
                                           2007\Application
                                           Settings\General\General\Number of
                                           documents in the Recent Documents list
                                           (0-9)
Table 1.120. Disable Trust Bar             User Configuration\Administrative
Notification for unsigned application add- Templates\Microsoft Office Access
ins                                        2007\Application Settings\Security\Trust
                                           Center\Disable Trust Bar Notification for
                                           unsigned application add-ins

Table 1.87. Disable all application add-   User Configuration\Administrative
ins                                        Templates\Microsoft Office Access
                                           2007\Application Settings\Security\Trust
                                           Center\Disable all application add-ins

Table 1.200. Require that application   User Configuration\Administrative
add-ins are signed by Trusted Publisher Templates\Microsoft Office Access
                                        2007\Application Settings\Security\Trust
                                        Center\Require that application add-ins
                                        are signed by Trusted Publisher

Table 1.89. Disable all trusted locations User Configuration\Administrative
                                          Templates\Microsoft Office Access
                                          2007\Application Settings\Security\Trust
                                          Center\Trusted Locations\Disable all
                                          trusted locations
Table 1.11. Allow Trusted Locations not User Configuration\Administrative
on the computer                         Templates\Microsoft Office Access
                                        2007\Application Settings\Security\Trust
                                        Center\Trusted Locations\Allow Trusted
                                        Locations not on the computer


Table 1.176. Modal Trust Decision Only User Configuration\Administrative
                                       Templates\Microsoft Office Access
                                       2007\Application Settings\Security\Trust
                                       Center\Trusted Locations\Modal Trust
                                       Decision Only

Table 1.94. Disable commands            User Configuration\Administrative
                                        Templates\Microsoft Office Access
                                        2007\Disable items in user
                                        interface\Predefined\Disable commands

Table 1.94. Disable commands            User Configuration\Administrative
                                        Templates\Microsoft Office Access
                                        2007\Disable items in user
                                        interface\Predefined\Disable commands
                                        - Office Button | E-Mail

Table 1.94. Disable commands            User Configuration\Administrative
                                        Templates\Microsoft Office Access
                                        2007\Disable items in user
                                        interface\Predefined\Disable commands
                                        - Office Button | Access Options |
                                        Customize | All Commands | Insert
                                        Hyperlink
Table 1.94. Disable commands            User Configuration\Administrative
                                        Templates\Microsoft Office Access
                                        2007\Disable items in user
                                        interface\Predefined\Disable commands
                                        - Database Tools | Database Tools |
                                        Encrypt with Password

Table 1.94. Disable commands            User Configuration\Administrative
                                        Templates\Microsoft Office Access
                                        2007\Disable items in user
                                        interface\Predefined\Disable commands
                                        - Database Tools | Administer | Users
                                        and Permission | User and Group
                                        Permissions
Table 1.94. Disable commands         User Configuration\Administrative
                                     Templates\Microsoft Office Access
                                     2007\Disable items in user
                                     interface\Predefined\Disable commands
                                     - Database Tools | Administer | Users
                                     and Permissions | User and Group
                                     Accounts

Table 1.94. Disable commands         User Configuration\Administrative
                                     Templates\Microsoft Office Access
                                     2007\Disable items in user
                                     interface\Predefined\Disable commands
                                     - Database Tools | Administer | Users
                                     and Permission | User-Level Security
                                     Wizard...

Table 1.94. Disable commands         User Configuration\Administrative
                                     Templates\Microsoft Office Access
                                     2007\Disable items in user
                                     interface\Predefined\Disable commands
                                     - Database Tools | Database Tools |
                                     Encode/Decode Database

Table 1.94. Disable commands         User Configuration\Administrative
                                     Templates\Microsoft Office Access
                                     2007\Disable items in user
                                     interface\Predefined\Disable commands
                                     - Database Tools | Macro | Visual Basic

Table 1.94. Disable commands         User Configuration\Administrative
                                     Templates\Microsoft Office Access
                                     2007\Disable items in user
                                     interface\Predefined\Disable commands
                                     - Database Tools | Macro | Run Macro

                                     User Configuration\Administrative
                                     Templates\Microsoft Office Access
                                     2007\Disable items in user
                                     interface\Predefined\Database Tools |
                                     Macro | Convert Macros to Visual Basic

                                     User Configuration\Administrative
                                     Templates\Microsoft Office Access
                                     2007\Disable items in user
                                     interface\Predefined\Database Tools |
                                     Macro | Create Shortcut Menu from
                                     Macro
Table 1.114. Disable shortcut keys   User Configuration\Administrative
                                     Templates\Microsoft Office Access
                                     2007\Disable items in user
                                     interface\Predefined\Disable shortcut
                                     keys
Table 1.114. Disable shortcut keys       User Configuration\Administrative
                                         Templates\Microsoft Office Access
                                         2007\Disable items in user
                                         interface\Predefined\Disable commands
                                         - Ctrl+K (Office Button | Access Options
                                         | Customize | All Commands | Insert
                                         Hyperlinks)


Table 1.114. Disable shortcut keys       User Configuration\Administrative
                                         Templates\Microsoft Office Access
                                         2007\Disable items in user
                                         interface\Predefined\Disable commands
                                         - Alt+F11 (Database Tools | Macro |
                                         Visual Basic)
Table 1.80. Default file format          User Configuration\Administrative
                                         Templates\Microsoft Office Access
                                         2007\Miscellaneous\Default file format
                                         (Access 2007 | Access 2002-2003)


Table 1.141. Do not prompt to convert    User Configuration\Administrative
older databases                          Templates\Microsoft Office Access
                                         2007\Miscellaneous\Do not prompt to
                                         convert older databases

Table 1.164. Internet and network paths User Configuration\Administrative
as hyperlinks                           Templates\Microsoft Office Excel
                                        2007\Excel
                                        Options\Proofing\Autocorrect
                                        Options\Internet and network paths as
                                        hyperlinks
Table 1.211. Save Excel files as        User Configuration\Administrative
                                        Templates\Microsoft Office Excel
                                        2007\Excel Options\Save\Save Excel
                                        files as (Excel Workbook (*.xlsx) | Excel
                                        Macro-Enabled Workbook (*.xlsm) |
                                        Excel Binary Workbook (*.xlsb) | Web
                                        Page (*.htm; *.html) | Excel 97-2003
                                        Workbook (*.xls) | Excel 5.0/95
                                        Workbook (*.xls))



Table 1.91. Disable AutoRepublish        User Configuration\Administrative
                                         Templates\Microsoft Office Excel
                                         2007\Excel Options\Save\Disable
                                         AutoRepublish
Table 1.25. AutoRepublish Warning          User Configuration\Administrative
Alert                                      Templates\Microsoft Office Excel
                                           2007\Excel
                                           Options\Save\AutoRepublish Warning
                                           Alert (Always show the alert before
                                           publishing | Never show the alert before
                                           publishing)

Table 1.81. Determine whether to force User Configuration\Administrative
encrypted macros to be scanned in      Templates\Microsoft Office Excel
Microsoft Excel Open XML workbooks 2007\Excel Options\Security\Determine
                                       whether to force encrypted macros to be
                                       scanned in Microsoft Excel Open XML
                                       workbooks

Table 1.155. Force file extension to       User Configuration\Administrative
match file type                            Templates\Microsoft Office Excel
                                           2007\Excel Options\Security\Force file
                                           extension to match file type (Allow
                                           different | Allow different, but warn |
                                           Always match file type)

Table 1.221. Store macro in Personal       User Configuration\Administrative
Macro Workbook by default                  Templates\Microsoft Office Excel
                                           2007\Excel Options\Security\Trust
                                           Center\Store macro in Personal Macro
                                           Workbook by default
Table 1.87. Disable all application add-   User Configuration\Administrative
ins                                        Templates\Microsoft Office Excel
                                           2007\Excel Options\Security\Trust
                                           Center\Disable all application add-ins

Table 1.200. Require that application   User Configuration\Administrative
add-ins are signed by Trusted Publisher Templates\Microsoft Office Excel
                                        2007\Excel Options\Security\Trust
                                        Center\Require that application add-ins
                                        are signed by Trusted Publisher

Table 1.120. Disable Trust Bar             User Configuration\Administrative
Notification for unsigned application add- Templates\Microsoft Office Excel
ins                                        2007\Excel Options\Security\Trust
                                           Center\Disable Trust Bar Notification for
                                           unsigned application add-ins

Table 1.11. Allow Trusted Locations not User Configuration\Administrative
on the computer                         Templates\Microsoft Office Excel
                                        2007\Excel Options\Security\Trust
                                        Center\Trusted LocationsAllow Trusted
                                        Locations not on the computer
Table 1.89. Disable all trusted locations User Configuration\Administrative
                                          Templates\Microsoft Office Excel
                                          2007\Excel Options\Security\Trust
                                          Center\Trusted LocationsDisable all
                                          trusted locations
Table 1.159. Ignore other applications    User Configuration\Administrative
                                          Templates\Microsoft Office Excel
                                          2007\Excel Options\Advanced\Ignore
                                          other applications

Table 1.17. Ask to update automatic     User Configuration\Administrative
links                                   Templates\Microsoft Office Excel
                                        2007\Excel Options\Advanced\Ask to
                                        update automatic links
                                        User Configuration\Administrative
                                        Templates\Microsoft Office Excel
                                        2007\Excel Options\Advanced\Number
                                        of documents in the Recent Documents
                                        list (0-17)

Table 1.210. Save any additional data   User Configuration\Administrative
necessary to maintain formulas          Templates\Microsoft Office Excel
                                        2007\Excel Options\Advanced\Web
                                        Options…\GeneralSave any additional
                                        data necessary to maintain formulas

Table 1.169. Load pictures from Web     User Configuration\Administrative
pages not created in Excel              Templates\Microsoft Office Excel
                                        2007\Excel Options\Advanced\Web
                                        Options…\GeneralLoad pictures from
                                        Web pages not created in Excel
Table 1.143. Do not show data           User Configuration\Administrative
extraction options when opening corrupt Templates\Microsoft Office Excel
workbooks                               2007\Data Recovery\Do not show data
                                        extraction options when opening corrupt
                                        workbooks

                                        User Configuration\Administrative
                                        Templates\Microsoft Office Excel
                                        2007\Data Recovery\Assume structured
                                        storage format of workbook is intact
                                        when recovering data

                                        User Configuration\Administrative
                                        Templates\Microsoft Office Excel
                                        2007\Data Recovery\Corrupt formula
                                        conversion (Convert unrecoverable
                                        references to: values | #REF or #NAME)
User Configuration\Administrative
Templates\Microsoft Office Excel
2007\Data Access Security\Connection
File Locations

User Configuration\Administrative
Templates\Microsoft Office Excel
2007\Data Access Security\Automatic
Query Refresh (Prompt for all
workbooks | Do not prompt; do not allow
auto refresh | Do not prompt; allow auto
refresh)


User Configuration\Administrative
Templates\Microsoft Office Excel
2007\Disable items in user
interface\Predefined\Disable commands

User Configuration\Administrative
Templates\Microsoft Office Excel
2007\Disable items in user
interface\Predefined\Disable commands
- Office Button | Excel Options |
Customize | All Commands | Save as
Web Page
User Configuration\Administrative
Templates\Microsoft Office Excel
2007\Disable items in user
interface\Predefined\Disable commands
- Office Button | Excel Options |
Customize | All Commands | Web Page
Preview
User Configuration\Administrative
Templates\Microsoft Office Excel
2007\Disable items in user
interface\Predefined\Disable commands
- Office Button | Send | Email

User Configuration\Administrative
Templates\Microsoft Office Excel
2007\Disable items in user
interface\Predefined\Disable commands
- Insert | Links | Hyperlink

User Configuration\Administrative
Templates\Microsoft Office Excel
2007\Disable items in user
interface\Predefined\Disable commands
- Review | Changes | Protect Sheet
User Configuration\Administrative
Templates\Microsoft Office Excel
2007\Disable items in user
interface\Predefined\Disable commands
- Review | Changes | Protect Workbook

User Configuration\Administrative
Templates\Microsoft Office Excel
2007\Disable items in user
interface\Predefined\Disable commands
- Review | Changes | Protect and Share
Workbook
User Configuration\Administrative
Templates\Microsoft Office Excel
2007\Disable items in user
interface\Predefined\Disable commands
- View | Macros | Macros

User Configuration\Administrative
Templates\Microsoft Office Excel
2007\Disable items in user
interface\Predefined\Disable commands
- Developer | Code | Macros

User Configuration\Administrative
Templates\Microsoft Office Excel
2007\Disable items in user
interface\Predefined\Disable commands
- Developer | Code | Record Macro

User Configuration\Administrative
Templates\Microsoft Office Excel
2007\Disable items in user
interface\Predefined\Disable commands
- Developer | Code | Macro Security

User Configuration\Administrative
Templates\Microsoft Office Excel
2007\Disable items in user
interface\Predefined\Disable commands
- Developer | Code | Visual Basic

User Configuration\Administrative
Templates\Microsoft Office Excel
2007\Disable items in user
interface\Predefined\Disable commands
- Office Button | Excel Options |
Customize | All Commands | Document
Location
Table 1.114. Disable shortcut keys       User Configuration\Administrative
                                         Templates\Microsoft Office Excel
                                         2007\Disable items in user
                                         interface\Predefined\Disable shortcut
                                         keys
Table 1.114. Disable shortcut keys       User Configuration\Administrative
                                         Templates\Microsoft Office Excel
                                         2007\Disable items in user
                                         interface\Predefined\Disable shortcut
                                         keys - Ctrl+K (Insert | Links | Hyperlink)

Table 1.114. Disable shortcut keys       User Configuration\Administrative
                                         Templates\Microsoft Office Excel
                                         2007\Disable items in user
                                         interface\Predefined\Disable shortcut
                                         keys - Alt+F8 (Developer | Code |
                                         Macros)
Table 1.114. Disable shortcut keys       User Configuration\Administrative
                                         Templates\Microsoft Office Excel
                                         2007\Disable items in user
                                         interface\Predefined\Disable shortcut
                                         keys - Alt+F11 (Developer | Code |
                                         Visual Basic)
Table 1.34. Block opening of files       User Configuration\Administrative
created by pre-release versions of Excel Templates\Microsoft Office Excel
2007                                     2007\Block file formats\Open\Block
                                         opening of pre-release versions of file
                                         formats new to Excel 2007

Table 1.38. Block opening of Open XML User Configuration\Administrative
file types                            Templates\Microsoft Office Excel
                                      2007\Block file formats\Open\Block
                                      opening of Open XML file types

Table 1.29. Block opening of Binary 12   User Configuration\Administrative
file types                               Templates\Microsoft Office Excel
                                         2007\Block file formats\Open\Block
                                         opening of Binary 12 file types

Table 1.30. Block opening of Binary file User Configuration\Administrative
types                                    Templates\Microsoft Office Excel
                                         2007\Block file formats\Open\Block
                                         opening of Binary file types

Table 1.35. Block opening of Html and    User Configuration\Administrative
Xmlss files types                        Templates\Microsoft Office Excel
                                         2007\Block file formats\Open\Block
                                         opening of Html and Xmlss files types
Table 1.49. Block opening of Xml file    User Configuration\Administrative
types                                    Templates\Microsoft Office Excel
                                         2007\Block file formats\Open\Block
                                         opening of Xml file types

Table 1.32. Block opening of DIF and     User Configuration\Administrative
SYLK file types                          Templates\Microsoft Office Excel
                                         2007\Block file formats\Open\Block
                                         opening of DIF and SYLK file types

Table 1.46. Block opening of Text file   User Configuration\Administrative
types                                    Templates\Microsoft Office Excel
                                         2007\Block file formats\Open\Block
                                         opening of Text file types

Table 1.48. Block opening of Xll file type User Configuration\Administrative
                                           Templates\Microsoft Office Excel
                                           2007\Block file formats\Open\Block
                                           opening of Xll file type

Table 1.57. Block saving of Open Xml     User Configuration\Administrative
file types                               Templates\Microsoft Office Excel
                                         2007\Block file formats\Save\Block
                                         saving of Open Xml file types

Table 1.52. Block saving of Binary12 file User Configuration\Administrative
types                                     Templates\Microsoft Office Excel
                                          2007\Block file formats\Save\Block
                                          saving of Binary12 file types

                                         User Configuration\Administrative
                                         Templates\Microsoft Office Excel
                                         2007\Block file formats\Save\Block
                                         saving of Binary file types

Table 1.55. Block saving of Html and     User Configuration\Administrative
Xmlss file types                         Templates\Microsoft Office Excel
                                         2007\Block file formats\Save\Block
                                         saving of Html and Xmlss file types

                                         User Configuration\Administrative
                                         Templates\Microsoft Office Excel
                                         2007\Block file formats\Save\Block
                                         saving Xml file types

Table 1.50. Block saving DIF and SYLK User Configuration\Administrative
file types                            Templates\Microsoft Office Excel
                                      2007\Block file formats\Save\Block
                                      saving DIF and SYLK file types
Table 1.60. Block saving of Text file   User Configuration\Administrative
types                                   Templates\Microsoft Office Excel
                                        2007\Block file formats\Save\Block
                                        saving of Text file types

                                        User Configuration\Administrative
                                        Templates\Microsoft Office Excel
                                        2007\Miscellaneous\Locally cache
                                        network file storages

                                        User Configuration\Administrative
                                        Templates\Microsoft Office Excel
                                        2007\Miscellaneous\Locally cache
                                        PivotTable reports

                                        User Configuration\Administrative
                                        Templates\Microsoft Office Excel
                                        2007\Miscellaneous\OLAP PivotTable
                                        User Defined Function (UDF) security
                                        setting (Allow ALL UDFs | Allow safe
                                        UDFs only | Allow NO UDFs)


                                        User Configuration\Administrative
                                        Templates\Microsoft Office Excel
                                        2007\Miscellaneous\Recognize
                                        SmartTags
                                        User Configuration\Administrative
                                        Templates\Microsoft Office InfoPath
                                        2007\Tools | Options\General\Number
                                        of documents in the Recent Documents
                                        list (0 - 9)

Table 1.178. Offline Mode status        User Configuration\Administrative
                                        Templates\Microsoft Office InfoPath
                                        2007\Tools |
                                        Options\Advanced\Offline\Offline Mode
                                        status (Disabled | Enabled, InfoPath in
                                        Offline Mode | Enabled, InfoPath not in
                                        Offline Mode)

Table 1.94. Disable commands            User Configuration\Administrative
                                        Templates\Microsoft Office InfoPath
                                        2007\Disable items in user
                                        interface\Predefined\Disable commands

Table 1.94. Disable commands            User Configuration\Administrative
                                        Templates\Microsoft Office InfoPath
                                        2007\Disable items in user
                                        interface\Predefined\Disable commands
                                        - File | Print
Table 1.94. Disable commands   User Configuration\Administrative
                               Templates\Microsoft Office InfoPath
                               2007\Disable items in user
                               interface\Predefined\Disable commands
                               - File | Send to Mail Recipient

Table 1.94. Disable commands   User Configuration\Administrative
                               Templates\Microsoft Office InfoPath
                               2007\Disable items in user
                               interface\Predefined\Disable commands
                               - File | Open from SharePoint Site

Table 1.94. Disable commands   User Configuration\Administrative
                               Templates\Microsoft Office InfoPath
                               2007\Disable items in user
                               interface\Predefined\Disable commands
                               - File | Print Preview

Table 1.94. Disable commands   User Configuration\Administrative
                               Templates\Microsoft Office InfoPath
                               2007\Disable items in user
                               interface\Predefined\Disable commands
                               - File | Page Setup

Table 1.94. Disable commands   User Configuration\Administrative
                               Templates\Microsoft Office InfoPath
                               2007\Disable items in user
                               interface\Predefined\Disable commands
                               - Insert | Hyperlinks...

Table 1.94. Disable commands   User Configuration\Administrative
                               Templates\Microsoft Office InfoPath
                               2007\Disable items in user
                               interface\Predefined\Disable commands
                               - Tools | Set Language

Table 1.94. Disable commands   User Configuration\Administrative
                               Templates\Microsoft Office InfoPath
                               2007\Disable items in user
                               interface\Predefined\Disable commands
                               - Tools | Customize...

Table 1.94. Disable commands   User Configuration\Administrative
                               Templates\Microsoft Office InfoPath
                               2007\Disable items in user
                               interface\Predefined\Disable commands
                               - Tools | Options...
Table 1.94. Disable commands          User Configuration\Administrative
                                      Templates\Microsoft Office InfoPath
                                      2007\Disable items in user
                                      interface\Predefined\Disable commands
                                      - Help | Microsoft Office Online

Table 1.94. Disable commands          User Configuration\Administrative
                                      Templates\Microsoft Office InfoPath
                                      2007\Disable items in user
                                      interface\Predefined\Disable commands
                                      - Office Diagnostics

Table 1.94. Disable commands          User Configuration\Administrative
                                      Templates\Microsoft Office InfoPath
                                      2007\Disable items in user
                                      interface\Predefined\Disable commands
                                      - Help | Activate Product...

Table 1.94. Disable commands          User Configuration\Administrative
                                      Templates\Microsoft Office InfoPath
                                      2007\Disable items in user
                                      interface\Predefined\Disable commands
                                      - Print Default
Table 1.114. Disable shortcut keys    User Configuration\Administrative
                                      Templates\Microsoft Office InfoPath
                                      2007\Disable items in user
                                      interface\Predefined\Disable shortcut
                                      keys
Table 1.114. Disable shortcut keys    User Configuration\Administrative
                                      Templates\Microsoft Office InfoPath
                                      2007\Disable items in user
                                      interface\Predefined\Disable shortcut
                                      keys - Print Shortcut (Ctrl+P)

Table 1.114. Disable shortcut keys    User Configuration\Administrative
                                      Templates\Microsoft Office InfoPath
                                      2007\Disable items in user
                                      interface\Predefined\Disable shortcut
                                      keys - Insert Hyperlink Shortcut (Ctrl+K)

Table 1.73. Control behavior for      User Configuration\Administrative
Windows SharePoint Services gradual   Templates\Microsoft Office InfoPath
upgrade                               2007\Security\Control behavior for
                                      Windows SharePoint Services gradual
                                      upgrade (Allow redirections to any
                                      location | Allow redirections to Intranet
                                      only | Block all redirections)
Table 1.109. Disable opening of           User Configuration\Administrative
solutions from the Internet security zone Templates\Microsoft Office InfoPath
                                          2007\Security\Disable opening of
                                          solutions from the Internet security zone


Table 1.102. Disable fully trusted         User Configuration\Administrative
solutions full access to computer          Templates\Microsoft Office InfoPath
                                           2007\Security\Disable fully trusted
                                           solutions full access to computer

                                           User Configuration\Administrative
                                           Templates\Microsoft Office InfoPath
                                           2007\Security\Allow the use of ActiveX
                                           Custom Controls in InfoPath forms


                                           User Configuration\Administrative
                                           Templates\Microsoft Office InfoPath
                                           2007\Security\Run forms in restricted
                                           mode if they do not specify a publish
                                           location and use only features
                                           introduced before InfoPath 2003 SP1



Table 1.7. Allow file types as             User Configuration\Administrative
attachments to forms                       Templates\Microsoft Office InfoPath
                                           2007\Security\Allow file types as
                                           attachments to forms

Table 1.62. Block specific file types as   User Configuration\Administrative
attachments to forms                       Templates\Microsoft Office InfoPath
                                           2007\Security\Block specific file types
                                           as attachments to forms

Table 1.186. Prevent users from           User Configuration\Administrative
allowing unsafe file types to be attached Templates\Microsoft Office InfoPath
to forms                                  2007\Security\Prevent users from
                                          allowing unsafe file types to be attached
                                          to forms

                                           User Configuration\Administrative
                                           Templates\Microsoft Office InfoPath
                                           2007\Security\Display a warning that a
                                           form is digitally signed
Table 1.74. Control behavior when        User Configuration\Administrative
opening forms in the Internet security   Templates\Microsoft Office InfoPath
zone                                     2007\Security\Control behavior when
                                         opening forms in the Internet security
                                         zone (Block | Prompt | Allow)


Table 1.75. Control behavior when        User Configuration\Administrative
opening forms in the Intranet security   Templates\Microsoft Office InfoPath
zone                                     2007\Security\Control behavior when
                                         opening forms in the Intranet security
                                         zone (Block | Prompt | Allow)


                                         User Configuration\Administrative
                                         Templates\Microsoft Office InfoPath
                                         2007\Security\Control behavior when
                                         opening forms in the Local Machine
                                         security zone (Block | Prompt | Allow)



Table 1.76. Control behavior when        User Configuration\Administrative
opening forms in the Trusted Site        Templates\Microsoft Office InfoPath
security zone                            2007\Security\Control behavior when
                                         opening forms in the Trusted Site
                                         security zone (Block | Prompt | Allow)


Table 1.26. Beaconing UI for forms       User Configuration\Administrative
opened in InfoPath                       Templates\Microsoft Office InfoPath
                                         2007\Security\Beaconing UI for forms
                                         opened in InfoPath (Never show
                                         beaconing UI | Always show beaconing
                                         UI | Show UI if Form Template is from
                                         Internet Zone)


Table 1.27. Beaconing UI for forms       User Configuration\Administrative
opened in InfoPath Editor ActiveX        Templates\Microsoft Office InfoPath
                                         2007\Security\Beaconing UI for forms
                                         opened in InfoPath Editor ActiveX
                                         (Never show beaconing UI | Always
                                         show beaconing UI | Show UI if Form
                                         Template is from Internet Zone)
Table 1.87. Disable all application add-   User Configuration\Administrative
ins                                        Templates\Microsoft Office InfoPath
                                           2007\Security\Trust Center\Disable all
                                           application add-ins

Table 1.200. Require that application   User Configuration\Administrative
add-ins are signed by Trusted Publisher Templates\Microsoft Office InfoPath
                                        2007\Security\Trust Center\Require that
                                        application add-ins are signed by
                                        Trusted Publisher

Table 1.120. Disable Trust Bar             User Configuration\Administrative
Notification for unsigned application add- Templates\Microsoft Office InfoPath
ins                                        2007\Security\Trust Center\Disable
                                           Trust Bar Notification for unsigned
                                           application add-ins

Table 1.77. Control behavior when          User Configuration\Administrative
opening InfoPath e-mail forms              Templates\Microsoft Office InfoPath
containing code or script                  2007\Disable items in user
                                           interface\Control behavior when opening
                                           InfoPath e-mail forms containing code
                                           or script (Run without prompting |
                                           Prompt before running | Never run)


Table 1.112. Disable sending form          User Configuration\Administrative
template with e-mail forms                 Templates\Microsoft Office InfoPath
                                           2007\Disable items in user
                                           interface\Disable sending form template
                                           with e-mail forms

Table 1.97. Disable dynamic caching of User Configuration\Administrative
the form template in InfoPath e-mail   Templates\Microsoft Office InfoPath
forms                                  2007\Disable items in user
                                       interface\Disable dynamic caching of
                                       the form template in InfoPath e-mail
                                       forms

Table 1.113. Disable sending InfoPath      User Configuration\Administrative
2003 Forms as e-mail forms                 Templates\Microsoft Office InfoPath
                                           2007\Disable items in user
                                           interface\Disable sending InfoPath 2003
                                           Forms as e-mail forms

Table 1.101. Disable e-mail forms          User Configuration\Administrative
running in restricted security level       Templates\Microsoft Office InfoPath
                                           2007\Disable items in user
                                           interface\Disable e-mail forms running in
                                           restricted security level
Table 1.99. Disable e-mail forms from    User Configuration\Administrative
the Internet security zone               Templates\Microsoft Office InfoPath
                                         2007\Disable items in user
                                         interface\Disable e-mail forms from the
                                         Internet security zone
Table 1.100. Disable e-mail forms from   User Configuration\Administrative
the Intranet security zone               Templates\Microsoft Office InfoPath
                                         2007\Disable items in user
                                         interface\Disable e-mail forms from the
                                         Intranet security zone
Table 1.98. Disable e-mail forms from    User Configuration\Administrative
the Full Trust security zone             Templates\Microsoft Office InfoPath
                                         2007\Disable items in user
                                         interface\Disable e-mail forms from the
                                         Full Trust security zone

Table 1.106. Disable InfoPath e-mail     User Configuration\Administrative
forms in Outlook                         Templates\Microsoft Office InfoPath
                                         2007\Disable items in user
                                         interface\Disable InfoPath e-mail forms
                                         in Outlook
Table 1.163. Information Rights          User Configuration\Administrative
Management                               Templates\Microsoft Office InfoPath
                                         2007\Restricted Features\Information
                                         Rights Management

Table 1.79. Custom code                  User Configuration\Administrative
                                         Templates\Microsoft Office InfoPath
                                         2007\Restricted Features\Custom code

Table 1.147. Email Forms Beaconing UI User Configuration\Administrative
                                      Templates\Microsoft Office InfoPath
                                      2007\Miscellaneous\Email Forms
                                      Beaconing UI (Never show UI | Always
                                      show UI | Show UI if XSN is in Internet
                                      Zone)


Table 1.122. Disable user customization User Configuration\Administrative
of Quick Access Toolbar via UI          Templates\Microsoft Office 2007
                                        system\Global
                                        Options\Customize\Disable user
                                        customization of Quick Access Toolbar
                                        via UI
Table 1.122. Disable user customization User Configuration\Administrative
of Quick Access Toolbar via UI          Templates\Microsoft Office 2007
                                        system\Global
                                        Options\Customize\Disable user
                                        customization of Quick Access Toolbar
                                        via UI - Disallow in Word
Table 1.122. Disable user customization User Configuration\Administrative
of Quick Access Toolbar via UI          Templates\Microsoft Office 2007
                                        system\Global
                                        Options\Customize\Disable user
                                        customization of Quick Access Toolbar
                                        via UI - Disallow in Excel
Table 1.122. Disable user customization User Configuration\Administrative
of Quick Access Toolbar via UI          Templates\Microsoft Office 2007
                                        system\Global
                                        Options\Customize\Disable user
                                        customization of Quick Access Toolbar
                                        via UI - Disallow in PowerPoint

Table 1.122. Disable user customization User Configuration\Administrative
of Quick Access Toolbar via UI          Templates\Microsoft Office 2007
                                        system\Global
                                        Options\Customize\Disable user
                                        customization of Quick Access Toolbar
                                        via UI - Disallow in Access
Table 1.122. Disable user customization User Configuration\Administrative
of Quick Access Toolbar via UI          Templates\Microsoft Office 2007
                                        system\Global
                                        Options\Customize\Disable user
                                        customization of Quick Access Toolbar
                                        via UI - Disallow in Outlook
Table 1.90. Disable all user            User Configuration\Administrative
customization of Quick Access Toolbar Templates\Microsoft Office 2007
                                        system\Global
                                        Options\Customize\Disable all user
                                        customization of Quick Access Toolbar

Table 1.90. Disable all user            User Configuration\Administrative
customization of Quick Access Toolbar   Templates\Microsoft Office 2007
                                        system\Global
                                        Options\Customize\Disable all user
                                        customization of Quick Access Toolbar -
                                        Disallow in Word
Table 1.90. Disable all user            User Configuration\Administrative
customization of Quick Access Toolbar   Templates\Microsoft Office 2007
                                        system\Global
                                        Options\Customize\Disable all user
                                        customization of Quick Access Toolbar -
                                        Disallow in Excel
Table 1.90. Disable all user            User Configuration\Administrative
customization of Quick Access Toolbar   Templates\Microsoft Office 2007
                                        system\Global
                                        Options\Customize\Disable all user
                                        customization of Quick Access Toolbar -
                                        Disallow in PowerPoint
Table 1.90. Disable all user           User Configuration\Administrative
customization of Quick Access Toolbar  Templates\Microsoft Office 2007
                                       system\Global
                                       Options\Customize\Disable all user
                                       customization of Quick Access Toolbar -
                                       Disallow in Access
Table 1.90. Disable all user           User Configuration\Administrative
customization of Quick Access Toolbar Templates\Microsoft Office 2007
                                       system\Global
                                       Options\Customize\Disable all user
                                       customization of Quick Access Toolbar -
                                       Disallow in Outlook
Table 1.121. Disable UI extending from User Configuration\Administrative
documents and templates                Templates\Microsoft Office 2007
                                       system\Global
                                       Options\Customize\Disable UI extending
                                       from documents and templates

Table 1.121. Disable UI extending from User Configuration\Administrative
documents and templates                Templates\Microsoft Office 2007
                                       system\Global
                                       Options\Customize\Disable UI extending
                                       from documents and templates -
                                       Disallow in Word
Table 1.121. Disable UI extending from User Configuration\Administrative
documents and templates                Templates\Microsoft Office 2007
                                       system\Global
                                       Options\Customize\Disable UI extending
                                       from documents and templates -
                                       Disallow in Excel
Table 1.121. Disable UI extending from User Configuration\Administrative
documents and templates                Templates\Microsoft Office 2007
                                       system\Global
                                       Options\Customize\Disable UI extending
                                       from documents and templates -
                                       Disallow in PowerPoint
Table 1.121. Disable UI extending from User Configuration\Administrative
documents and templates                Templates\Microsoft Office 2007
                                       system\Global
                                       Options\Customize\Disable UI extending
                                       from documents and templates -
                                       Disallow in Access
Table 1.121. Disable UI extending from User Configuration\Administrative
documents and templates                Templates\Microsoft Office 2007
                                       system\Global
                                       Options\Customize\Disable UI extending
                                       from documents and templates -
                                       Disallow in Outlook
Table 1.194. Recognize smart tags in     User Configuration\Administrative
Excel                                    Templates\Microsoft Office 2007
                                         system\Tools | AutoCorrect Options...
                                         (Excel, Word, PowerPoint and
                                         Access)\Recognize smart tags in Excel

Table 1.93. Disable Clip Art and Media User Configuration\Administrative
downloads from the client and from     Templates\Microsoft Office 2007
Office Online website                  system\Tools | Options | General | Web
                                       Options...\Disable Clip Art and Media
                                       downloads from the client and from
                                       Office Online website
Table 1.117. Disable template          User Configuration\Administrative
downloads from the client and from     Templates\Microsoft Office 2007
Office Online website                  system\Tools | Options | General | Web
                                       Options...\Disable template downloads
                                       from the client and from Office Online
                                       website
Table 1.85. Disable access to updates, User Configuration\Administrative
add-ins, and patches on the Office     Templates\Microsoft Office 2007
Online website                         system\Tools | Options | General | Web
                                       Options...\Disable access to updates,
                                       add-ins, and patches on the Office
                                       Online website
Table 1.188. Prevents users from       User Configuration\Administrative
uploading document templates to the    Templates\Microsoft Office 2007
Office Online community                system\Tools | Options | General | Web
                                       Options...\Prevents users from
                                       uploading document templates to the
                                       Office Online community.
Table 1.119. Disable training practice User Configuration\Administrative
downloads from the Office Online       Templates\Microsoft Office 2007
website                                system\Tools | Options | General | Web
                                       Options...\Disable training practice
                                       downloads from the Office Online
                                       website
Table 1.95. Disable customer-submitted User Configuration\Administrative
templates downloads from Office Online Templates\Microsoft Office 2007
                                       system\Tools | Options | General | Web
                                       Options...\Disable customer-submitted
                                       templates downloads from Office Online

Table 1.180. Open Office documents as User Configuration\Administrative
read/write while browsing             Templates\Microsoft Office 2007
                                      system\Tools | Options | General | Web
                                      Options...\Files\Open Office documents
                                      as read/write while browsing
Table 1.195. Rely on VML for displaying User Configuration\Administrative
graphics in browsers                    Templates\Microsoft Office 2007
                                        system\Tools | Options | General | Web
                                        Options...\Browsers\Rely on VML for
                                        displaying graphics in browsers

Table 1.9. Allow PNG as an output       User Configuration\Administrative
format                                  Templates\Microsoft Office 2007
                                        system\Tools | Options | General | Web
                                        Options...\Browsers\Allow PNG as an
                                        output format
Table 1.160. Improve Proofing Tools     User Configuration\Administrative
                                        Templates\Microsoft Office 2007
                                        system\Tools | Options |
                                        Spelling\Proofing Data
                                        Collection\Improve Proofing Tools
                                        User Configuration\Administrative
                                        Templates\Microsoft Office 2007
                                        system\Privacy\Trust Center\Disable
Table 1.110. Disable Opt-in Wizard on   Opt-in Wizard on first run
first run
                                        User Configuration\Administrative
                                        Templates\Microsoft Office 2007
                                        system\Help\Microsoft Office Online
                                        User Configuration\Administrative
                                        Templates\Microsoft Office 2007
                                        system\Security Settings\Disable
                                        Password Caching
Table 1.88. Disable all Trust Bar       User Configuration\Administrative
notifications for security issues       Templates\Microsoft Office 2007
                                        system\Security Settings\Disable all
                                        Trust Bar notifications for security
                                        issues
Table 1.191. Protect document           User Configuration\Administrative
metadata for rights managed Office      Templates\Microsoft Office 2007
Open XML Files                          system\Security Settings\Protect
                                        document metadata for rights managed
                                        Office Open XML Files
Table 1.190. Protect document           User Configuration\Administrative
metadata for password protected files   Templates\Microsoft Office 2007
                                        system\Security Settings\Protect
                                        document metadata for password
                                        protected files.
Table 1.153. Encryption type for        User Configuration\Administrative
password protected Office Open XML      Templates\Microsoft Office 2007
files                                   system\Security Settings\Encryption
                                        type for password protected Office
                                        Open XML files
Table 1.152. Encryption type for        User Configuration\Administrative
password protected Office 97-2003 files Templates\Microsoft Office 2007
                                        system\Security Settings\Encryption
                                        type for password protected Office 97-
                                        2003 files
Table 1.168. Load Controls in Forms3    User Configuration\Administrative
                                        Templates\Microsoft Office 2007
                                        system\Security Settings\Load Controls
                                        in Forms3 (1 | 2 | 3 | 4)
Table 1.24. Automation Security         User Configuration\Administrative
                                        Templates\Microsoft Office 2007
                                        system\Security Settings\Automation
                                        Security (Disable macros by default |
                                        Use application macro security level |
                                        Macros enabled)




                                       User Configuration\Administrative
                                       Templates\Microsoft Office 2007
                                       system\Security Settings\Prevent Word
                                       and Excel from loading managed code
                                       extensions

Table 1.103. Disable hyperlink warnings User Configuration\Administrative
                                        Templates\Microsoft Office 2007
                                        system\Security Settings\Disable
                                        hyperlink warnings
Table 1.111. Disable password to open User Configuration\Administrative
UI                                      Templates\Microsoft Office 2007
                                        system\Security Settings\Disable
                                        password to open UI
                                        User Configuration\Administrative
                                        Templates\Microsoft Office 2007
                                        system\Security Settings\Download
                                        Office Controls
Table 1.86. Disable All ActiveX         User Configuration\Administrative
                                        Templates\Microsoft Office 2007
                                        system\Security Settings\Disable All
                                        ActiveX
Table 1.8. Allow mix of policy and user User Configuration\Administrative
locations                               Templates\Microsoft Office 2007
                                        system\Security Settings\Trust
                                        Center\Allow mix of policy and user
                                        locations
Table 1.116. Disable Smart Document's User Configuration\Administrative
use of manifests                        Templates\Microsoft Office 2007
                                        system\Smart Documents (Word,
                                        Excel)\Disable Smart Document's use of
                                        manifests
                                       User Configuration\Administrative
                                       Templates\Microsoft Office 2007
                                       system\Smart Documents (Word,
                                       Excel)\Completely disable the Smart
                                       Documents feature in Word and Excel

Table 1.107. Disable Internet Fax      User Configuration\Administrative
feature                                Templates\Microsoft Office 2007
                                       system\Services\Fax\Disable Internet
                                       Fax feature

Table 1.187. Prevent users from         User Configuration\Administrative
changing permissions on rights          Templates\Microsoft Office 2007
managed content                         system\Manage Restricted
                                        Permissions\Prevent users from
                                        changing permissions on rights
                                        managed content
Table 1.13. Allow users with earlier    User Configuration\Administrative
versions of Office to read with         Templates\Microsoft Office 2007
browsers…                               system\Manage Restricted
                                        Permissions\Allow users with earlier
                                        versions of Office to read with
                                        browsers...
Table 1.15. Always require users to     User Configuration\Administrative
connect to verify permission            Templates\Microsoft Office 2007
                                        system\Manage Restricted
                                        Permissions\Always require users to
                                        connect to verify permission
Table 1.14. Always expand groups in     User Configuration\Administrative
Office when restricting permission for  Templates\Microsoft Office 2007
documents                               system\Manage Restricted
                                        Permissions\Always expand groups in
                                        Office when restricting permission for
                                        documents
Table 1.177. Never allow users to       User Configuration\Administrative
specify groups when restricting         Templates\Microsoft Office 2007
permission for documents                system\Manage Restricted
                                        Permissions\Never allow users to
                                        specify groups when restricting
                                        permission for documents
Table 1.108. Disable Microsoft Passport User Configuration\Administrative
service for content with restricted     Templates\Microsoft Office 2007
permission                              system\Manage Restricted
                                        Permissions\Disable Microsoft Passport
                                        service for content with restricted
                                        permission
                                        User Configuration\Administrative
                                        Templates\Microsoft Office 2007
                                        system\Manage Restricted
                                        Permissions\Do not allow users to
                                        upgrade Information Rights
                                        Management configuration
Table 1.166. Key Usage Filtering        User Configuration\Administrative
                                        Templates\Microsoft Office 2007
                                        system\Signing\Key Usage Filtering
Table 1.146. EKU filtering              User Configuration\Administrative
                                        Templates\Microsoft Office 2007
                                        system\Signing\EKU filtering

Table 1.167. Legacy format signatures   User Configuration\Administrative
                                        Templates\Microsoft Office 2007
                                        system\Signing\Legacy format
                                        signatures
Table 1.223. Suppress Office Signing    User Configuration\Administrative
Providers                               Templates\Microsoft Office 2007
                                        system\Signing\Suppress Office Signing
                                        Providers (Enable Western and East
                                        Asian | Suppress default Western |
                                        Suppress default East Asian | Suppress
                                        both Western and East Asian)



Table 1.222. Suppress external          User Configuration\Administrative
signature services menu item            Templates\Microsoft Office 2007
                                        system\Signing\Suppress external
                                        signature services menu item

Table 1.92. Disable Check For Solutions User Configuration\Administrative
                                        Templates\Microsoft Office 2007
                                        system\Office Diagnostics\Disable
                                        Check For Solutions
Table 1.105. Disable inclusion of       User Configuration\Administrative
document properties in PDF and XPS      Templates\Microsoft Office 2007
output                                  system\Microsoft Save As PDF and
                                        XPS add-ins\Disable inclusion of
                                        document properties in PDF and XPS
                                        output
Table 1.96. Disable Document            User Configuration\Administrative
Information Panel                       Templates\Microsoft Office 2007
                                        system\Document Information
                                        Panel\Disable Document Information
                                        Panel
Table 1.144. Document Information       User Configuration\Administrative
Panel Beaconing UI                      Templates\Microsoft Office 2007
                                        system\Document Information
                                        Panel\Document Information Panel
                                        Beaconing UI (Never show UI | Always
                                        show UI | Show UI if XSN is in Internet
                                        Zone)
Table 1.118. Disable the Office client    User Configuration\Administrative
from polling the Office server for        Templates\Microsoft Office 2007
published links                           system\Server Settings\Disable the
                                          Office client from polling the Office
                                          server for published links
Table 1.44. Block opening of pre-         User Configuration\Administrative
release versions of file formats new to   Templates\Microsoft Office 2007
Word 2007 through the Compatibility       system\Office 2007 Converters\Block
Pack for the 2007 Office system and       opening of pre-release versions of file
Word 2007 Open XML/Word 97-2003           formats new to Word 2007 through the
Format Converter                          Compatibility Pack for the 2007 Office
                                          system and Word 2007 Open
                                          XML/Word 97-2003 Format Converter



Table 1.40. Block opening of pre-         User Configuration\Administrative
release versions of file formats new to   Templates\Microsoft Office 2007
Excel 2007 through the Compatibility      system\Office 2007 Converters\Block
Pack for the 2007 Office system and       opening of pre-release versions of file
Excel 2007 Converter                      formats new to Excel 2007 through the
                                          Compatibility Pack for the 2007 Office
                                          system and Excel 2007 Converter


Table 1.42. Block opening of pre-         User Configuration\Administrative
release versions of file formats new to   Templates\Microsoft Office 2007
PowerPoint 2007 through the               system\Office 2007 Converters\Block
Compatibility Pack for the 2007 Office    opening of pre-release versions of file
system and PowerPoint 2007 Converter      formats new to PowerPoint 2007
                                          through the Compatibility Pack for the
                                          2007 Office system and PowerPoint
                                          2007 Converter

Table 1.78. Control blogging              User Configuration\Administrative
                                          Templates\Microsoft Office 2007
                                          system\Miscellaneous\Control Blogging
                                          (Enabled | Only SharePoint blogs
                                          allowed | All blogging disabled)

                                          User Configuration\Administrative
                                          Templates\Microsoft Office 2007
                                          system\Miscellaneous\Enable Smart
                                          Resume

                                          User Configuration\Administrative
                                          Templates\Microsoft Office 2007
                                          system\Miscellaneous\Do not upload
                                          media files
Table 1.104. Disable hyperlinks to web    User Configuration\Administrative
templates from the client and from        Templates\Microsoft Office 2007
Office Online website                     system\Miscellaneous\Disable
                                          hyperlinks to web templates in File |
                                          New and task panes
                                          User Configuration\Administrative
                                          Templates\Microsoft Office 2007
                                          system\Miscellaneous\Prevent access
                                          to Web-based file storage

Table 1.128. Do not allow attachment      User Configuration\Administrative
previewing in Outlook                     Templates\Microsoft Office Outlook
                                          2007\Tools | Options...\Preferences\E-
                                          mail Options\Do not allow attachment
                                          previewing in Outlook
Table 1.192. Read e-mail as plain text    User Configuration\Administrative
                                          Templates\Microsoft Office Outlook
                                          2007\Tools | Options...\Preferences\E-
                                          mail Options\Read e-mail as plain text

Table 1.193. Read signed e-mail as        User Configuration\Administrative
plain text                                Templates\Microsoft Office Outlook
                                          2007\Tools | Options...\Preferences\E-
                                          mail Options\Read signed e-mail as
                                          plain text
Table 1.185. Prevent publishing to        User Configuration\Administrative
Office Online                             Templates\Microsoft Office Outlook
                                          2007\Tools |
                                          Options...\Preferences\Calendar
                                          Options\Microsoft Office Online Sharing
                                          ServicePrevent publishing to Office
                                          Online
Table 1.184. Prevent publishing to a      User Configuration\Administrative
DAV server                                Templates\Microsoft Office Outlook
                                          2007\Tools |
                                          Options...\Preferences\Calendar
                                          Options\Microsoft Office Online Sharing
                                          ServicePrevent publishing to a DAV
                                          server
                                          User Configuration\Administrative
                                          Templates\Microsoft Office Outlook
                                          2007\Tools |
                                          Options...\Preferences\Calendar
                                          Options\Microsoft Office Online Sharing
                                          ServiceRestrict level of calendar details
                                          users can publish (All options are
                                          available | Disables 'Full details' |
Table 1.202. Restrict level of calendar   Disables 'Full details' and 'Limited
details users can publish                 details')
Table 1.1. Access to published            User Configuration\Administrative
calendars                                 Templates\Microsoft Office Outlook
                                          2007\Tools |
                                          Options...\Preferences\Calendar
                                          Options\Microsoft Office Online Sharing
                                          ServiceAccess to published calendars

Table 1.203. Restrict upload method       User Configuration\Administrative
                                          Templates\Microsoft Office Outlook
                                          2007\Tools |
                                          Options...\Preferences\Calendar
                                          Options\Microsoft Office Online Sharing
                                          ServiceRestrict upload method

Table 1.158. Hide Junk Mail UI            User Configuration\Administrative
                                          Templates\Microsoft Office Outlook
                                          2007\Tools |
                                          Options...\Preferences\Junk E-mail\Hide
                                          Junk Mail UI
Table 1.165. Junk E-mail protection       User Configuration\Administrative
level                                     Templates\Microsoft Office Outlook
                                          2007\Tools |
                                          Options...\Preferences\Junk E-mail\Junk
                                          E-mail protection level (No Protection,
                                          Low, High, Trusted Lists Only)

Table 1.226. Trust E-mail from Contacts User Configuration\Administrative
                                           Templates\Microsoft Office Outlook
                                           2007\Tools |
                                           Options...\Preferences\Junk E-
                                           mail\Trust E-mail from Contacts
                                           Safe Senders Lists
Table 1.4. Add e-mail recipients to users' User Configuration\Administrative
                                           Templates\Microsoft Office Outlook
                                           2007\Tools |
                                           Options...\Preferences\Junk E-mail\Add
                                           e-mail recipients to users' Safe Senders
                                           Lists
Table 1.84. Dial-up options                User Configuration\Administrative
                                           Templates\Microsoft Office Outlook
                                           2007\Tools | Options...\Mail Setup\Dial-
                                           up options

Table 1.84. Dial-up options               User Configuration\Administrative
                                          Templates\Microsoft Office Outlook
                                          2007\Tools | Options...\Mail Setup\Dial-
                                          up options - Warn before switching dial-
                                          up connection
Table 1.84. Dial-up options              User Configuration\Administrative
                                         Templates\Microsoft Office Outlook
                                         2007\Tools | Options...\Mail Setup\Dial-
                                         up options - Hang up when finished
                                         sending, receiving, or updating

Table 1.84. Dial-up options              User Configuration\Administrative
                                         Templates\Microsoft Office Outlook
                                         2007\Tools | Options...\Mail Setup\Dial-
                                         up options - Automatically dial during a
                                         background Send/Receive


Table 1.129. Do not allow creating,       User Configuration\Administrative
replying, or forwarding signatures for e- Templates\Microsoft Office Outlook
mail messages                             2007\Tools | Options...\Mail Format\Do
                                          not allow creating, replying, or
                                          forwarding signatures for e-mail
                                          messages

                                         User Configuration\Administrative
                                         Templates\Microsoft Office Outlook
                                         2007\Tools | Options...\Mail
                                         Format\Internet Formatting\Send copy
                                         of pictures with HTML messages
                                         instead of reference to Internet location

Table 1.181. Outlook Rich Text options   User Configuration\Administrative
                                         Templates\Microsoft Office Outlook
                                         2007\Tools | Options...\Mail
                                         Format\Internet Formatting\Outlook
                                         Rich Text options (Convert to HTML |
                                         Convert to Plain Text format | Send
                                         Using Outlook Rich Text format)

Table 1.183. Plain text options          User Configuration\Administrative
                                         Templates\Microsoft Office Outlook
                                         2007\Tools | Options...\Mail
                                         Format\Internet Formatting\Plain text
                                         options
Table 1.183. Plain text options          User Configuration\Administrative
                                         Templates\Microsoft Office Outlook
                                         2007\Tools | Options...\Mail
                                         Format\Internet Formatting\Plain text
                                         options - Encode attachments in
                                         UUENCODE format when sending a
                                         plain text message
Table 1.217. Set message format           User Configuration\Administrative
                                          Templates\Microsoft Office Outlook
                                          2007\Tools | Options...\Mail
                                          Format\Internet Formatting\Message
                                          FormatSet message format (HTML |
                                          Rich Text | Plain Text)
Table 1.171. Make Outlook the default     User Configuration\Administrative
program for E-mail, Contacts, and         Templates\Microsoft Office Outlook
Calendar                                  2007\Tools | Options...\Other\Make
                                          Outlook the default program for E-mail,
                                          Contacts, and Calendar

Table 1.130. Do not allow folders in non- User Configuration\Administrative
default stores to be set as folder home Templates\Microsoft Office Outlook
pages                                     2007\Tools |
                                          Options...\Other\Advanced\Do not allow
                                          folders in non-default stores to be set as
                                          folder home pages
Table 1.233. Use Unicode format when User Configuration\Administrative
dragging e-mail message to file system Templates\Microsoft Office Outlook
                                          2007\Tools |
                                          Options...\Other\Advanced\Use Unicode
                                          format when dragging e-mail message
                                          to file system
Table 1.132. Do not allow Outlook         User Configuration\Administrative
object model scripts to run for shared    Templates\Microsoft Office Outlook
folders                                   2007\Tools |
                                          Options...\Other\Advanced\Do not allow
                                          Outlook object model scripts to run for
                                          shared folders
Table 1.131. Do not allow Outlook         User Configuration\Administrative
object model scripts to run for public    Templates\Microsoft Office Outlook
folders                                   2007\Tools |
                                          Options...\Other\Advanced\Do not allow
                                          Outlook object model scripts to run for
                                          public folders
Table 1.216. Set maximum level of         User Configuration\Administrative
online status on a person name            Templates\Microsoft Office Outlook
                                          2007\Tools | Options...\Other\Person
                                          Names\Set maximum level of online
                                          status on a person name (Do not allow |
                                          Allow everywhere except To and CC
                                          field | Allow everywhere)
Table 1.126. Display online status on a   User Configuration\Administrative
person name                               Templates\Microsoft Office Outlook
                                          2007\Tools | Options...\Other\Person
                                          Names\Display online status on a
                                          person name (Never | Everywhere
                                          except To and CC field | Everywhere)


Table 1.227. Turn off Enable the Person User Configuration\Administrative
Names Smart Tag option                  Templates\Microsoft Office Outlook
                                        2007\Tools | Options...\Other\Person
                                        Names\Turn off Enable the Person
                                        Names Smart Tag option

Table 1.182. Outlook Security Mode        User Configuration\Administrative
                                          Templates\Microsoft Office Outlook
                                          2007\Security\Security Form
                                          Settings\Outlook Security Mode
                                          (Outlook Default Security | Use Security
                                          Form from 'Outlook Security Settings'
                                          Public Folder | Use Security Form from
                                          'Outlook 10 Security Settings' Public
                                          Folder | Use Outlook Security Group
                                          Policy)



Table 1.125. Display Level 1              User Configuration\Administrative
attachments                               Templates\Microsoft Office Outlook
                                          2007\Security\Security Form
                                          Settings\Attachment Security\Display
                                          Level 1 attachments
Table 1.12. Allow users to demote         User Configuration\Administrative
attachments to Level 2                    Templates\Microsoft Office Outlook
                                          2007\Security\Security Form
                                          Settings\Attachment Security\Allow
                                          users to demote attachments to Level 2

Table 1.140. Do not prompt about Level User Configuration\Administrative
1 attachments when sending an item     Templates\Microsoft Office Outlook
                                       2007\Security\Security Form
                                       Settings\Attachment Security\Do not
                                       prompt about Level 1 attachments when
                                       sending an item
Table 1.139. Do not prompt about Level User Configuration\Administrative
1 attachments when closing an item     Templates\Microsoft Office Outlook
                                       2007\Security\Security Form
                                       Settings\Attachment Security\Do not
                                       prompt about Level 1 attachments when
                                       closing an item
                                           User Configuration\Administrative
                                           Templates\Microsoft Office Outlook
                                           2007\Security\Security Form
                                           Settings\Attachment Security\Allow in-
                                           place activation of embedded OLE
                                           objects
                                           User Configuration\Administrative
                                           Templates\Microsoft Office Outlook
                                           2007\Security\Security Form
                                           Settings\Attachment Security\Display
                                           OLE package objects
                                            Level 1
Table 1.5. Add file extensions to block as User Configuration\Administrative
                                           Templates\Microsoft Office Outlook
                                           2007\Security\Security Form
                                           Settings\Attachment Security\Add file
                                           extensions to block as Level 1
Table 1.196. Remove file extensions        User Configuration\Administrative
blocked as Level 1                         Templates\Microsoft Office Outlook
                                           2007\Security\Security Form
                                           Settings\Attachment Security\Remove
                                           file extensions blocked as Level 1

                                            Level 2
Table 1.6. Add file extensions to block as User Configuration\Administrative
                                           Templates\Microsoft Office Outlook
                                           2007\Security\Security Form
                                           Settings\Attachment Security\Add file
                                           extensions to block as Level 2
Table 1.197. Remove file extensions        User Configuration\Administrative
blocked as Level 2                         Templates\Microsoft Office Outlook
                                           2007\Security\Security Form
                                           Settings\Attachment Security\Remove
                                           file extensions blocked as Level 2

Table 1.10. Allow scripts in one-off      User Configuration\Administrative
Outlook forms                             Templates\Microsoft Office Outlook
                                          2007\Security\Security Form
                                          Settings\Custom Form Security\Allow
                                          scripts in one-off Outlook forms
Table 1.218. Set Outlook object model     User Configuration\Administrative
Custom Actions execution prompt           Templates\Microsoft Office Outlook
                                          2007\Security\Security Form
                                          Settings\Custom Form Security\Set
                                          Outlook object model Custom Actions
                                          execution prompt (Prompt User |
                                          Automatically Approve | Automatically
                                          Deny | Prompt user based on computer
                                          security)
Table 1.215. Set control ItemProperty   User Configuration\Administrative
prompt                                  Templates\Microsoft Office Outlook
                                        2007\Security\Security Form
                                        Settings\Custom Form Security\Set
                                        control ItemProperty prompt (Prompt
                                        User | Automatically Approve |
                                        Automatically Deny | Prompt user based
                                        on computer security)

Table 1.71. Configure Outlook object    User Configuration\Administrative
model prompt when sending mail          Templates\Microsoft Office Outlook
                                        2007\Security\Security Form
                                        Settings\Programmatic
                                        Security\Configure Outlook object model
                                        prompt when sending mail (Prompt User
                                        | Automatically Approve | Automatically
                                        Deny | Prompt user based on computer
                                        security)


Table 1.65. Configure Outlook object    User Configuration\Administrative
model prompt when accessing an          Templates\Microsoft Office Outlook
address book                            2007\Security\Security Form
                                        Settings\Programmatic
                                        Security\Configure Outlook object model
                                        prompt when accessing an address
                                        book (Prompt User | Automatically
                                        Approve | Automatically Deny | Prompt
                                        user based on computer security)


Table 1.69. Configure Outlook object    User Configuration\Administrative
model prompt when reading address       Templates\Microsoft Office Outlook
information                             2007\Security\Security Form
                                        Settings\Programmatic
                                        Security\Configure Outlook object model
                                        prompt when reading address
                                        information (Prompt User | Automatically
                                        Approve | Automatically Deny | Prompt
                                        user based on computer security)
Table 1.70. Configure Outlook object   User Configuration\Administrative
model prompt when responding to        Templates\Microsoft Office Outlook
meeting and task requests              2007\Security\Security Form
                                       Settings\Programmatic
                                       Security\Configure Outlook object model
                                       prompt when responding to meeting and
                                       task requests (Prompt User |
                                       Automatically Approve | Automatically
                                       Deny | Prompt user based on computer
                                       security)


Table 1.68. Configure Outlook object User Configuration\Administrative
model prompt when executing Save As Templates\Microsoft Office Outlook
                                     2007\Security\Security Form
                                     Settings\Programmatic
                                     Security\Configure Outlook object model
                                     prompt when executing Save As
                                     (Prompt User | Automatically Approve |
                                     Automatically Deny | Prompt user based
                                     on computer security)


Table 1.67. Configure Outlook object   User Configuration\Administrative
model prompt When accessing the        Templates\Microsoft Office Outlook
Formula property of a UserProperty     2007\Security\Security Form
object                                 Settings\Programmatic
                                       Security\Configure Outlook object model
                                       prompt When accessing the Formula
                                       property of a UserProperty object
                                       (Prompt User | Automatically Approve |
                                       Automatically Deny | Prompt user based
                                       on computer security)



Table 1.66. Configure Outlook object User Configuration\Administrative
model prompt when accessing address Templates\Microsoft Office Outlook
information via UserProperties.Find  2007\Security\Security Form
                                     Settings\Programmatic
                                     Security\Configure Outlook object model
                                     prompt when accessing address
                                     information via UserProperties.Find
                                     (Prompt User | Automatically Approve |
                                     Automatically Deny | Prompt user based
                                     on computer security)
Table 1.201. Required Certificate      User Configuration\Administrative
Authority                              Templates\Microsoft Office Outlook
                                       2007\Security\Cryptography\Required
                                       Certificate Authority
Table 1.207. S/MIME interoperability   User Configuration\Administrative
with external clients:                 Templates\Microsoft Office Outlook
                                       2007\Security\Cryptography\S/MIME
                                       interoperability with external clients:
                                       (Handle internally | Handle externally |
                                       Handle if possible)


                                       User Configuration\Administrative
                                       Templates\Microsoft Office Outlook
                                       2007\Security\Cryptography\Always use
                                       Rich Text formatting in S/MIME
                                       messages

Table 1.208. S/MIME password settings User Configuration\Administrative
                                      Templates\Microsoft Office Outlook
                                      2007\Security\Cryptography\S/MIME
                                      password settings

Table 1.208. S/MIME password settings User Configuration\Administrative
                                      Templates\Microsoft Office Outlook
                                      2007\Security\Cryptography\S/MIME
                                      password settings - Default S/MIME
                                      password time (minutes): (0 -
                                      2147483647)

Table 1.208. S/MIME password settings User Configuration\Administrative
                                      Templates\Microsoft Office Outlook
                                      2007\Security\Cryptography\S/MIME
                                      password settings - Maximum S/MIME
                                      password time (minutes): (0 -
                                      2147483647)


Table 1.172. Message Formats           User Configuration\Administrative
                                       Templates\Microsoft Office Outlook
                                       2007\Security\Cryptography\Message
                                       Formats
Table 1.172. Message Formats            User Configuration\Administrative
                                        Templates\Microsoft Office Outlook
                                        2007\Security\Cryptography\Message
                                        Formats - Support the following
                                        message formats: (S/MIME | Exchange |
                                        Fortezza | S/MIME and Exchange |
                                        S/MIME and Fortezza | Exchange and
                                        Fortezza | S/MIME, Exchange, and
                                        Fortezza)



Table 1.142. Do not provide Continue    User Configuration\Administrative
option on Encryption warning dialog     Templates\Microsoft Office Outlook
boxes                                   2007\Security\Cryptography\Do not
                                        provide Continue option on Encryption
                                        warning dialog boxes




Table 1.205. Run in FIPS compliant      User Configuration\Administrative
mode                                    Templates\Microsoft Office Outlook
                                        2007\Security\Cryptography\Run in
                                        FIPS compliant mode

Table 1.151. Encrypt all e-mail         User Configuration\Administrative
messages                                Templates\Microsoft Office Outlook
                                        2007\Security\Cryptography\Encrypt all
                                        e-mail messages




Table 1.219. Sign all e-mail messages   User Configuration\Administrative
                                        Templates\Microsoft Office Outlook
                                        2007\Security\Cryptography\Sign all e-
                                        mail messages

Table 1.232. URL for S/MIME             User Configuration\Administrative
certificates                            Templates\Microsoft Office Outlook
                                        2007\Security\Cryptography\URL for
                                        S/MIME certificates
Table 1.154. Ensure all S/MIME signed User Configuration\Administrative
messages have a label                 Templates\Microsoft Office Outlook
                                      2007\Security\Cryptography\Ensure all
                                      S/MIME signed messages have a label

Table 1.209. S/MIME receipt requests     User Configuration\Administrative
                                         Templates\Microsoft Office Outlook
                                         2007\Security\Cryptography\S/MIME
                                         receipt requests (Open message if
                                         receipt can't be sent | Don't open
                                         message if receipt can't be sent |
                                         Always prompt before sending receipt |
                                         Never send S/MIME )



Table 1.156. Fortezza certificate policies User Configuration\Administrative
                                           Templates\Microsoft Office Outlook
                                           2007\Security\Cryptography\Fortezza
                                           certificate policies
Table 1.199. Require SuiteB algorithms User Configuration\Administrative
for S/MIME operations                      Templates\Microsoft Office Outlook
                                           2007\Security\Cryptography\Require
                                           SuiteB algorithms for S/MIME
                                           operations

Table 1.174. Missing CRLs                User Configuration\Administrative
                                         Templates\Microsoft Office Outlook
                                         2007\Security\Cryptography\Signature
                                         Status dialog box\Missing CRLs
Table 1.174. Missing CRLs                User Configuration\Administrative
                                         Templates\Microsoft Office Outlook
                                         2007\Security\Cryptography\Signature
                                         Status dialog box\Missing CRLs -
                                         Indicate a missing CRL as a(n):
                                         (warning | error)
Table 1.175. Missing root certificates   User Configuration\Administrative
                                         Templates\Microsoft Office Outlook
                                         2007\Security\Cryptography\Signature
                                         Status dialog box\Missing root
                                         certificates
Table 1.175. Missing root certificates   User Configuration\Administrative
                                         Templates\Microsoft Office Outlook
                                         2007\Security\Cryptography\Signature
                                         Status dialog box\Missing root
                                         certificates - Indicate a missing root
                                         certificate as a(n): (neither error nor
                                         warning | warning | error)
Table 1.189. Promote Level 2 errors as User Configuration\Administrative
errors, not warnings                   Templates\Microsoft Office Outlook
                                       2007\Security\Cryptography\Signature
                                       Status dialog box\Promote Level 2
                                       errors as errors, not warnings
Table 1.18. Attachment Secure          User Configuration\Administrative
Temporary Folder                       Templates\Microsoft Office Outlook
                                       2007\Security\Cryptography\Signature
                                       Status dialog box\Attachment Secure
                                       Temporary Folder
Table 1.127. Display pictures and      User Configuration\Administrative
external content in HTML e-mail        Templates\Microsoft Office Outlook
                                       2007\Security\Automatic Picture
                                       Download Settings\Display pictures and
                                       external content in HTML e-mail

Table 1.22. Automatically download       User Configuration\Administrative
content for e-mail from people in Safe   Templates\Microsoft Office Outlook
Senders and Safe Recipients Lists        2007\Security\Automatic Picture
                                         Download Settings\Automatically
                                         download content for e-mail from people
                                         in Safe Senders and Safe Recipients
                                         Lists

Table 1.138. Do not permit download of User Configuration\Administrative
content from safe zones                Templates\Microsoft Office Outlook
                                       2007\Security\Automatic Picture
                                       Download Settings\Do not permit
                                       download of content from safe zones

Table 1.63. Block Trusted Zones          User Configuration\Administrative
                                         Templates\Microsoft Office Outlook
                                         2007\Security\Automatic Picture
                                         Download Settings\Block Trusted Zones

Table 1.161. Include Internet in Safe    User Configuration\Administrative
Zones for Automatic Picture Download     Templates\Microsoft Office Outlook
                                         2007\Security\Automatic Picture
                                         Download Settings\Include Internet in
                                         Safe Zones for Automatic Picture
                                         Download
Table 1.162. Include Intranet in Safe    User Configuration\Administrative
Zones for Automatic Picture Download     Templates\Microsoft Office Outlook
                                         2007\Security\Automatic Picture
                                         Download Settings\Include Intranet in
                                         Safe Zones for Automatic Picture
                                         Download
Table 1.213. Security setting for macros User Configuration\Administrative
                                         Templates\Microsoft Office Outlook
                                         2007\Security\Trust Center\Security
                                         setting for macros (Always warn | Never
                                         warn, disable all | Warn for signed,
                                         disable unsigned | No security check)


Table 1.149. Enable links in e-mail     User Configuration\Administrative
messages                                Templates\Microsoft Office Outlook
                                        2007\Security\Trust Center\Enable links
                                        in e-mail messages

Table 1.16. Apply macro security        User Configuration\Administrative
settings to macros, add-ins, and        Templates\Microsoft Office Outlook
SmartTags                               2007\Security\Trust Center\Apply macro
                                        security settings to macros, add-ins, and
                                        SmartTags


Table 1.20. Automatically configure     User Configuration\Administrative
profile based on Active Directory       Templates\Microsoft Office Outlook
Primary SMTP address                    2007\Tools | Account
                                        Settings\Exchange\Automatically
                                        configure profile based on Active
                                        Directory Primary SMTP address

Table 1.133. Do not allow users to      User Configuration\Administrative
change permissions on folders           Templates\Microsoft Office Outlook
                                        2007\Tools | Account
                                        Settings\Exchange\Do not allow users to
                                        change permissions on folders

Table 1.150. Enable RPC encryption      User Configuration\Administrative
                                        Templates\Microsoft Office Outlook
                                        2007\Tools | Account
                                        Settings\Exchange\Enable RPC
                                        encryption
Table 1.19. Authentication with         User Configuration\Administrative
Exchange Server                         Templates\Microsoft Office Outlook
                                        2007\Tools | Account
                                        Settings\Exchange\Authentication with
                                        Exchange Server (Kerberos/NTLM
                                        Password Authentication | Kerberos
                                        Password Authentication | NTLM
                                        Password Authentication)
Table 1.224. Synchronize Outlook RSS User Configuration\Administrative
Feeds with Common Feed List          Templates\Microsoft Office Outlook
                                     2007\Tools | Account Settings\RSS
                                     Feeds\Synchronize Outlook RSS Feeds
                                     with Common Feed List

Table 1.228. Turn off RSS feature      User Configuration\Administrative
                                       Templates\Microsoft Office Outlook
                                       2007\Tools | Account Settings\RSS
                                       Feeds\Turn off RSS feature

                                       User Configuration\Administrative
                                       Templates\Microsoft Office Outlook
                                       2007\Tools | Account Settings\RSS
                                       Feeds\Automatically download
                                       enclosures
Table 1.145. Download full text of     User Configuration\Administrative
articles as HTML attachments           Templates\Microsoft Office Outlook
                                       2007\Tools | Account Settings\RSS
                                       Feeds\Download full text of articles as
                                       HTML attachments

Table 1.21. Automatically download     User Configuration\Administrative
attachments                            Templates\Microsoft Office Outlook
                                       2007\Tools | Account Settings\Internet
                                       Calendars\Automatically download
                                       attachments

Table 1.137. Do not include Internet   User Configuration\Administrative
Calendar integration in Outlook        Templates\Microsoft Office Outlook
                                       2007\Tools | Account Settings\Internet
                                       Calendars\Do not include Internet
                                       Calendar integration in Outlook

Table 1.123. Disable user entries to   User Configuration\Administrative
server list                            Templates\Microsoft Office Outlook
                                       2007\Meeting Workspace\Disable user
                                       entries to server list (Publish default,
                                       allow others | Publish default, disallow
                                       others)

Table 1.136. Do not expand distribution User Configuration\Administrative
lists                                   Templates\Microsoft Office Outlook
                                        2007\Miscellaneous\Do not expand
                                        distribution lists
Table 1.212. Save files in this format     User Configuration\Administrative
                                           Templates\Microsoft Office PowerPoint
                                           2007\PowerPoint Options\Save\Save
                                           files in this format (PowerPoint
                                           Presentation (*.pptx) | PowerPoint
                                           Macro-Enabled Presentation (*.pptm) |
                                           PowerPoint 97-2003 Presentation
                                           (*.ppt))


                                       User Configuration\Administrative
                                       Templates\Microsoft Office PowerPoint
                                       2007\PowerPoint
                                       Options\Advanced\Number of
                                       documents in the Recent Documents list
                                       (0 - 50)
Table 1.82. Determine whether to force User Configuration\Administrative
encrypted macros to be scanned in      Templates\Microsoft Office PowerPoint
Microsoft PowerPoint Open XML          2007\PowerPoint
presentations                          Options\Security\Determine whether to
                                       force encrypted macros to be scanned
                                       in Microsoft PowerPoint Open XML
                                       presentations

Table 1.206. Run Programs                  User Configuration\Administrative
                                           Templates\Microsoft Office PowerPoint
                                           2007\PowerPoint Options\Security\Run
                                           Programs (disable (don't run any
                                           programs) | enable (prompt user before
                                           running) | enable all (run without
                                           prompting))


Table 1.170. Make hidden markup            User Configuration\Administrative
visible                                    Templates\Microsoft Office PowerPoint
                                           2007\PowerPoint Options\Security\Make
                                           hidden markup visible

Table 1.229. Unblock automatic             User Configuration\Administrative
download of linked images                  Templates\Microsoft Office PowerPoint
                                           2007\PowerPoint
                                           Options\Security\Unblock automatic
                                           download of linked images

Table 1.87. Disable all application add-   User Configuration\Administrative
ins                                        Templates\Microsoft Office PowerPoint
                                           2007\PowerPoint Options\Security\Trust
                                           Center\Disable all application add-ins
Table 1.200. Require that application   User Configuration\Administrative
add-ins are signed by Trusted Publisher Templates\Microsoft Office PowerPoint
                                        2007\PowerPoint Options\Security\Trust
                                        Center\Require that application add-ins
                                        are signed by Trusted Publisher

Table 1.120. Disable Trust Bar             User Configuration\Administrative
Notification for unsigned application add- Templates\Microsoft Office PowerPoint
ins                                        2007\PowerPoint Options\Security\Trust
                                           Center\Disable Trust Bar Notification for
                                           unsigned application add-ins

Table 1.11. Allow Trusted Locations not User Configuration\Administrative
on the computer                         Templates\Microsoft Office PowerPoint
                                        2007\PowerPoint Options\Security\Trust
                                        Center\Trusted LocationsAllow Trusted
                                        Locations not on the computer

Table 1.89. Disable all trusted locations User Configuration\Administrative
                                          Templates\Microsoft Office PowerPoint
                                          2007\PowerPoint Options\Security\Trust
                                          Center\Trusted LocationsDisable all
                                          trusted locations

Table 1.94. Disable commands              User Configuration\Administrative
                                          Templates\Microsoft Office PowerPoint
                                          2007\Disable items in user
                                          interface\Predefined\Disable commands

Table 1.94. Disable commands              User Configuration\Administrative
                                          Templates\Microsoft Office PowerPoint
                                          2007\Disable items in user
                                          interface\Predefined\Disable commands
                                          - Office Button | PowerPoint Options |
                                          Customize | All Commands | Web Page
                                          Preview

Table 1.94. Disable commands              User Configuration\Administrative
                                          Templates\Microsoft Office PowerPoint
                                          2007\Disable items in user
                                          interface\Predefined\Disable commands
                                          - Office Button | Send | Email

Table 1.94. Disable commands              User Configuration\Administrative
                                          Templates\Microsoft Office PowerPoint
                                          2007\Disable items in user
                                          interface\Predefined\Disable commands
                                          - Insert | Links | Hyperlink
Table 1.94. Disable commands          User Configuration\Administrative
                                      Templates\Microsoft Office PowerPoint
                                      2007\Disable items in user
                                      interface\Predefined\Disable commands
                                      - Review | Proofing | Language

Table 1.94. Disable commands          User Configuration\Administrative
                                      Templates\Microsoft Office PowerPoint
                                      2007\Disable items in user
                                      interface\Predefined\Disable commands
                                      - View | Macros | Macros

Table 1.94. Disable commands          User Configuration\Administrative
                                      Templates\Microsoft Office PowerPoint
                                      2007\Disable items in user
                                      interface\Predefined\Disable commands
                                      - Developer | Code | Macros

Table 1.94. Disable commands          User Configuration\Administrative
                                      Templates\Microsoft Office PowerPoint
                                      2007\Disable items in user
                                      interface\Predefined\Disable commands
                                      - Developer | Code | Macro Security

Table 1.94. Disable commands          User Configuration\Administrative
                                      Templates\Microsoft Office PowerPoint
                                      2007\Disable items in user
                                      interface\Predefined\Disable commands
                                      - Developer | Code | Visual Basic

Table 1.94. Disable commands          User Configuration\Administrative
                                      Templates\Microsoft Office PowerPoint
                                      2007\Disable items in user
                                      interface\Predefined\Disable commands
                                      - Office Button | PowerPoint Options |
                                      Customize | All Commands | Document
                                      Location

Table 1.94. Disable commands, Table   User Configuration\Administrative
1.114. Disable shortcut keys          Templates\Microsoft Office PowerPoint
                                      2007\Disable items in user
                                      interface\Predefined\Disable commands
                                      - Disable shortcut keys

Table 1.94. Disable commands, Table   User Configuration\Administrative
1.114. Disable shortcut keys          Templates\Microsoft Office PowerPoint
                                      2007\Disable items in user
                                      interface\Predefined\Disable commands
                                      - Ctrl+K (Insert | Links | Hyperlink)
Table 1.94. Disable commands, Table       User Configuration\Administrative
1.114. Disable shortcut keys              Templates\Microsoft Office PowerPoint
                                          2007\Disable items in user
                                          interface\Predefined\Disable commands
                                          - Alt+F8 (Developer | Code | Macros)

Table 1.94. Disable commands, Table       User Configuration\Administrative
1.114. Disable shortcut keys              Templates\Microsoft Office PowerPoint
                                          2007\Disable items in user
                                          interface\Predefined\Disable commands
                                          - Alt+F11 (Developer | Code | Visual
                                          Basic)
Table 1.41. Block opening of pre-         User Configuration\Administrative
release versions of file formats new to   Templates\Microsoft Office PowerPoint
PowerPoint 2007                           2007\Block file formats\Open\Block
                                          opening of pre-release versions of file
                                          formats new to PowerPoint 2007


Table 1.38. Block opening of Open XML User Configuration\Administrative
file types                            Templates\Microsoft Office PowerPoint
                                      2007\Block file formats\Open\Block
                                      opening of Open Xml files types

Table 1.30. Block opening of Binary file User Configuration\Administrative
types                                    Templates\Microsoft Office PowerPoint
                                         2007\Block file formats\Open\Block
                                         opening of Binary file types

Table 1.36. Block opening of HTML file    User Configuration\Administrative
types                                     Templates\Microsoft Office PowerPoint
                                          2007\Block file formats\Open\Block
                                          opening of Html file types

Table 1.39. Block opening of Outlines     User Configuration\Administrative
                                          Templates\Microsoft Office PowerPoint
                                          2007\Block file formats\Open\Block
                                          opening of Outlines

Table 1.31. Block opening of Converters User Configuration\Administrative
                                        Templates\Microsoft Office PowerPoint
                                        2007\Block file formats\Open\Block
                                        opening of Converters

Table 1.57. Block saving of Open Xml      User Configuration\Administrative
file types                                Templates\Microsoft Office PowerPoint
                                          2007\Block file formats\Save\Block
                                          saving of Open Xml file types
Table 1.51. Block saving of Binary file   User Configuration\Administrative
types                                     Templates\Microsoft Office PowerPoint
                                          2007\Block file formats\Save\Block
                                          saving of Binary file types

Table 1.56. Block saving of HTML file     User Configuration\Administrative
types                                     Templates\Microsoft Office PowerPoint
                                          2007\Block file formats\Save\Block
                                          saving of Html file types

Table 1.58. Block saving of Outlines      User Configuration\Administrative
                                          Templates\Microsoft Office PowerPoint
                                          2007\Block file formats\Save\Block
                                          saving of Outlines

Table 1.54. Block saving of               User Configuration\Administrative
GraphicFilters                            Templates\Microsoft Office PowerPoint
                                          2007\Block file formats\Save\Block
                                          saving of GraphicFilters

Table 1.115. Disable Slide Update         User Configuration\Administrative
                                          Templates\Microsoft Office PowerPoint
                                          2007\Block file
                                          formats\Miscellaneous\Disable Slide
                                          Update
Table 1.157. Hidden text                  User Configuration\Administrative
                                          Templates\Microsoft Office Word
                                          2007\Word Options\Display\Hidden text
Table 1.212. Save files in this format   User Configuration\Administrative
                                         Templates\Microsoft Office Word
                                         2007\Word Options\Save\Save files in
                                         this format (Word document (*.docx) |
                                         Single Files Web Page (*.mht) | Web
                                         Page (*.htm; *.html) | Web Page,
                                         Filtered (*.htm, *.html) | Rich Text
                                         Format (*.rtf) | Plain Text (*.txt) | Word
                                         6.0/95 (*.doc) | Word 6.0/95 - Chinese
                                         (Simplified) (*.doc) | Word 6.0/95 -
                                         Chinese (Traditional) (*.doc) | Word
                                         6.0/95 - Japanese (*.doc) | Word 6.0/95 -
                                         Korean (*.doc) | Word 97-2002 & 6.0/95 -
                                         RTF | Word 5.1 for Macintosh (*.mcw) |
                                         Word 5.0 for Macintosh (*.mcw) | Word
                                         2.x for Windows (*.doc) | Works 4.0 for
                                         Windows (*.wps) | WordPerfect 5.x for
                                         Windows (*.doc) | WordPerfect 5.1 for
                                         DOS (*.doc) | Word 2007 Macro
                                         Enabled Document (*.docm) | Word
                                         2007 Macro Free Template (*.dotx) |
                                         Word 2007 Macro Enabled Template
                                         (*.dotm) | Word 97 - 2003 Document
                                         (*.doc) | Word 97 - 2003 Template
                                         (*.dot) | Flat XML Document (*.xml))




                                         User Configuration\Administrative
                                         Templates\Microsoft Office Word
                                         2007\Word Options\Advanced\Number
                                         of documents in the Recent Documents
                                         list (0-50)

Table 1.231. Update automatic links at   User Configuration\Administrative
Open                                     Templates\Microsoft Office Word
                                         2007\Word Options\Advanced\Update
                                         automatic links at Open
                                         User Configuration\Administrative
                                         Templates\Microsoft Office Word
                                         2007\Word Options\Advanced\E-mail
                                         Options\Save smart tags in e-mail
Table 1.83. Determine whether to force User Configuration\Administrative
encrypted macros to be scanned in      Templates\Microsoft Office Word
Microsoft Word Open XML documents 2007\Word Options\Security\Trust
                                       Center\Determine whether to force
                                       encrypted macros to be scanned in
                                       Microsoft Word Open XML documents

Table 1.87. Disable all application add-   User Configuration\Administrative
ins                                        Templates\Microsoft Office Word
                                           2007\Word Options\Security\Trust
                                           Center\Disable all application add-ins

Table 1.200. Require that application   User Configuration\Administrative
add-ins are signed by Trusted Publisher Templates\Microsoft Office Word
                                        2007\Word Options\Security\Trust
                                        Center\Require that application add-ins
                                        are signed by Trusted Publisher

Table 1.120. Disable Trust Bar             User Configuration\Administrative
Notification for unsigned application add- Templates\Microsoft Office Word
ins                                        2007\Word Options\Security\Trust
                                           Center\Disable Trust Bar Notification for
                                           unsigned application add-ins

Table 1.11. Allow Trusted Locations not User Configuration\Administrative
on the computer                         Templates\Microsoft Office Word
                                        2007\Word Options\Security\Trust
                                        Center\Trusted LocationsAllow Trusted
                                        Locations not on the computer

Table 1.89. Disable all trusted locations User Configuration\Administrative
                                          Templates\Microsoft Office Word
                                          2007\Word Options\Security\Trust
                                          Center\Trusted LocationsDisable all
                                          trusted locations
Table 1.94. Disable commands              User Configuration\Administrative
                                          Templates\Microsoft Office Word
                                          2007\Disable items in user
                                          interface\Predefined\Disable commands

Table 1.94. Disable commands               User Configuration\Administrative
                                           Templates\Microsoft Office Word
                                           2007\Disable items in user
                                           interface\Predefined\Disable commands
                                           - Office Button | Word Options |
                                           Customize | All Commands | Save As
                                           Web Page
Table 1.94. Disable commands   User Configuration\Administrative
                               Templates\Microsoft Office Word
                               2007\Disable items in user
                               interface\Predefined\Disable commands
                               - Office Button | Word Options |
                               Customize | All Commands | Web Page
                               Preview
Table 1.94. Disable commands   User Configuration\Administrative
                               Templates\Microsoft Office Word
                               2007\Disable items in user
                               interface\Predefined\Disable commands
                               - Office Button | Send | Email

Table 1.94. Disable commands   User Configuration\Administrative
                               Templates\Microsoft Office Word
                               2007\Disable items in user
                               interface\Predefined\Disable commands
                               - Insert | Links | Hyperlink

Table 1.94. Disable commands   User Configuration\Administrative
                               Templates\Microsoft Office Word
                               2007\Disable items in user
                               interface\Predefined\Disable commands
                               - Review | Protect | Protect Document

Table 1.94. Disable commands   User Configuration\Administrative
                               Templates\Microsoft Office Word
                               2007\Disable items in user
                               interface\Predefined\Disable commands
                               - View | Macros | Macros

Table 1.94. Disable commands   User Configuration\Administrative
                               Templates\Microsoft Office Word
                               2007\Disable items in user
                               interface\Predefined\Disable commands
                               - Developer | Code | Macros

Table 1.94. Disable commands   User Configuration\Administrative
                               Templates\Microsoft Office Word
                               2007\Disable items in user
                               interface\Predefined\Disable commands
                               - Developer | Code | Record Macro

Table 1.94. Disable commands   User Configuration\Administrative
                               Templates\Microsoft Office Word
                               2007\Disable items in user
                               interface\Predefined\Disable commands
                               - Developer | Code | Macro Security
Table 1.94. Disable commands              User Configuration\Administrative
                                          Templates\Microsoft Office Word
                                          2007\Disable items in user
                                          interface\Predefined\Disable commands
                                          - Developer | Code | Visual Basic

Table 1.94. Disable commands              User Configuration\Administrative
                                          Templates\Microsoft Office Word
                                          2007\Disable items in user
                                          interface\Predefined\Disable commands
                                          - Developer | Templates | Document
                                          Template
Table 1.114. Disable shortcut keys        User Configuration\Administrative
                                          Templates\Microsoft Office Word
                                          2007\Disable items in user
                                          interface\Predefined\Disable shortcut
                                          keys
Table 1.114. Disable shortcut keys        User Configuration\Administrative
                                          Templates\Microsoft Office Word
                                          2007\Disable items in user
                                          interface\Predefined\Disable shortcut
                                          keys - Ctrl+F (Home | Editing | Find)

Table 1.114. Disable shortcut keys        User Configuration\Administrative
                                          Templates\Microsoft Office Word
                                          2007\Disable items in user
                                          interface\Predefined\Disable shortcut
                                          keys - Ctrl+K (Insert | Links | Hyperlink)

Table 1.114. Disable shortcut keys        User Configuration\Administrative
                                          Templates\Microsoft Office Word
                                          2007\Disable items in user
                                          interface\Predefined\Disable shortcut
                                          keys - Alt+F8 (Developer | Code |
                                          Macros)
Table 1.114. Disable shortcut keys        User Configuration\Administrative
                                          Templates\Microsoft Office Word
                                          2007\Disable items in user
                                          interface\Predefined\Disable shortcut
                                          keys - Alt+F11 (Developer | Code |
                                          Visual Basic)
Table 1.43. Block opening of pre-         User Configuration\Administrative
release versions of file formats new to   Templates\Microsoft Office Word
Word 2007                                 2007\Block file formats\Open\Block
                                          opening of pre-release versions of file
                                          formats new to Word 2007

Table 1.38. Block opening of Open XML User Configuration\Administrative
file types                            Templates\Microsoft Office Word
                                      2007\Block file formats\Open\Block
                                      opening of Open XML file types
Table 1.30. Block opening of Binary file User Configuration\Administrative
types                                    Templates\Microsoft Office Word
                                         2007\Block file formats\Open\Block
                                         opening of Binary file types

Table 1.36. Block opening of HTML file    User Configuration\Administrative
types                                     Templates\Microsoft Office Word
                                          2007\Block file formats\Open\Block
                                          opening of HTML file types

Table 1.47. Block opening of Word 2003 User Configuration\Administrative
XML file types                         Templates\Microsoft Office Word
                                       2007\Block file formats\Open\Block
                                       opening of Word 2003 XML file types

Table 1.45. Block opening of RTF file     User Configuration\Administrative
types                                     Templates\Microsoft Office Word
                                          2007\Block file formats\Open\Block
                                          opening of RTF file types

Table 1.28. Block open Converters         User Configuration\Administrative
                                          Templates\Microsoft Office Word
                                          2007\Block file formats\Open\Block
                                          open Converters

Table 1.46. Block opening of Text file    User Configuration\Administrative
types                                     Templates\Microsoft Office Word
                                          2007\Block file formats\Open\Block
                                          opening of Text file types

Table 1.37. Block opening of Internal file User Configuration\Administrative
types                                      Templates\Microsoft Office Word
                                           2007\Block file formats\Open\Block
                                           opening of Internal file types

Table 1.33. Block opening of files before User Configuration\Administrative
version                                   Templates\Microsoft Office Word
                                          2007\Block file formats\Open\Block
                                          opening of files before version

Table 1.57. Block saving of Open Xml      User Configuration\Administrative
file types                                Templates\Microsoft Office Word
                                          2007\Block file formats\Save\Block
                                          saving of Open XML file types

Table 1.51. Block saving of Binary file   User Configuration\Administrative
types                                     Templates\Microsoft Office Word
                                          2007\Block file formats\Save\Block
                                          saving of Binary file types
Table 1.56. Block saving of HTML file    User Configuration\Administrative
types                                    Templates\Microsoft Office Word
                                         2007\Block file formats\Save\Block
                                         saving of HTML file types

Table 1.61. Block saving of Word 2003    User Configuration\Administrative
XML file types                           Templates\Microsoft Office Word
                                         2007\Block file formats\Save\Block
                                         saving of Word 2003 XML file types

Table 1.59. Block saving of RTF file     User Configuration\Administrative
types                                    Templates\Microsoft Office Word
                                         2007\Block file formats\Save\Block
                                         saving of RTF file types

Table 1.53. Block saving of Converters   User Configuration\Administrative
                                         Templates\Microsoft Office Word
                                         2007\Block file formats\Save\Block
                                         saving of Converters

Table 1.60. Block saving of Text file    User Configuration\Administrative
types                                    Templates\Microsoft Office Word
                                         2007\Block file formats\Save\Block
                                         saving of Text file types


Table 2.6. InfoPath APTCA Assembly       Computer Configuration\Administrative
allowable list                           Templates\Microsoft Office InfoPath
                                         2007 (Machine)\Security\InfoPath
                                         APTCA Assembly Whitelist


                                         Computer Configuration\Administrative
                                         Templates\Microsoft Office InfoPath
                                         2007 (Machine)\Security\Windows
                                         Internet Explorer Feature Control Opt-In
                                         (None | InfoPath.exe, Document
                                         Information Panel and Workflow forms |
                                         InfoPath.exe, Document Information
                                         Panel, Workflow forms and 3rd Party
                                         Hosting)



Table 2.7. InfoPath APTCA Assembly       Computer Configuration\Administrative
Allowable List Enforcement               Templates\Microsoft Office InfoPath
                                         2007 (Machine)\Security\InfoPath
                                         APTCA Assembly Whitelist
                                         Enforcement
Table 2.3. Disable Package Repair   Computer Configuration\Administrative
                                    Templates\Microsoft Office 2007 system
                                    (Machine)\Security Settings\Disable
                                    Package Repair

Table 2.4. Disable user name and    Computer Configuration\Administrative
password                            Templates\Microsoft Office 2007 system
                                    (Machine)\Security Settings\IE
                                    Security\Disable user name and
                                    password


Table 2.4. Disable user name and    Computer Configuration\Administrative
password                            Templates\Microsoft Office 2007 system
                                    (Machine)\Security Settings\IE
                                    Security\Disable user name and
                                    password - excel.exe


Table 2.4. Disable user name and    Computer Configuration\Administrative
password                            Templates\Microsoft Office 2007 system
                                    (Machine)\Security Settings\IE
                                    Security\Disable user name and
                                    password - powerpnt.exe


Table 2.4. Disable user name and    Computer Configuration\Administrative
password                            Templates\Microsoft Office 2007 system
                                    (Machine)\Security Settings\IE
                                    Security\Disable user name and
                                    password - pptview.exe


Table 2.4. Disable user name and    Computer Configuration\Administrative
password                            Templates\Microsoft Office 2007 system
                                    (Machine)\Security Settings\IE
                                    Security\Disable user name and
                                    password - winword.exe


Table 2.4. Disable user name and    Computer Configuration\Administrative
password                            Templates\Microsoft Office 2007 system
                                    (Machine)\Security Settings\IE
                                    Security\Disable user name and
                                    password - outlook.exe
Table 2.4. Disable user name and   Computer Configuration\Administrative
password                           Templates\Microsoft Office 2007 system
                                   (Machine)\Security Settings\IE
                                   Security\Disable user name and
                                   password - spDesign.exe


Table 2.4. Disable user name and   Computer Configuration\Administrative
password                           Templates\Microsoft Office 2007 system
                                   (Machine)\Security Settings\IE
                                   Security\Disable user name and
                                   password - msaccess.exe


Table 2.1. Bind to object          Computer Configuration\Administrative
                                   Templates\Microsoft Office 2007 system
                                   (Machine)\Security Settings\IE
                                   Security\Bind to object


Table 2.1. Bind to object          Computer Configuration\Administrative
                                   Templates\Microsoft Office 2007 system
                                   (Machine)\Security Settings\IE
                                   Security\Bind to object - excel.exe


Table 2.1. Bind to object          Computer Configuration\Administrative
                                   Templates\Microsoft Office 2007 system
                                   (Machine)\Security Settings\IE
                                   Security\Bind to object - powerpnt.exe


Table 2.1. Bind to object          Computer Configuration\Administrative
                                   Templates\Microsoft Office 2007 system
                                   (Machine)\Security Settings\IE
                                   Security\Bind to object - pptview.exe


Table 2.1. Bind to object          Computer Configuration\Administrative
                                   Templates\Microsoft Office 2007 system
                                   (Machine)\Security Settings\IE
                                   Security\Bind to object - winword.exe


Table 2.1. Bind to object          Computer Configuration\Administrative
                                   Templates\Microsoft Office 2007 system
                                   (Machine)\Security Settings\IE
                                   Security\Bind to object - outlook.exe
Table 2.1. Bind to object   Computer Configuration\Administrative
                            Templates\Microsoft Office 2007 system
                            (Machine)\Security Settings\IE
                            Security\Bind to object - spDesign.exe


Table 2.1. Bind to object   Computer Configuration\Administrative
                            Templates\Microsoft Office 2007 system
                            (Machine)\Security Settings\IE
                            Security\Bind to object - msaccess.exe


Table 2.9. Saved from URL   Computer Configuration\Administrative
                            Templates\Microsoft Office 2007 system
                            (Machine)\Security Settings\IE
                            Security\Saved from URL


Table 2.9. Saved from URL   Computer Configuration\Administrative
                            Templates\Microsoft Office 2007 system
                            (Machine)\Security Settings\IE
                            Security\Saved from URL - excel.exe


Table 2.9. Saved from URL   Computer Configuration\Administrative
                            Templates\Microsoft Office 2007 system
                            (Machine)\Security Settings\IE
                            Security\Saved from URL -
                            powerpnt.exe

Table 2.9. Saved from URL   Computer Configuration\Administrative
                            Templates\Microsoft Office 2007 system
                            (Machine)\Security Settings\IE
                            Security\Saved from URL - pptview.exe


Table 2.9. Saved from URL   Computer Configuration\Administrative
                            Templates\Microsoft Office 2007 system
                            (Machine)\Security Settings\IE
                            Security\Saved from URL - winword.exe


Table 2.9. Saved from URL   Computer Configuration\Administrative
                            Templates\Microsoft Office 2007 system
                            (Machine)\Security Settings\IE
                            Security\Saved from URL - outlook.exe
Table 2.9. Saved from URL   Computer Configuration\Administrative
                            Templates\Microsoft Office 2007 system
                            (Machine)\Security Settings\IE
                            Security\Saved from URL -
                            spDesign.exe

Table 2.9. Saved from URL   Computer Configuration\Administrative
                            Templates\Microsoft Office 2007 system
                            (Machine)\Security Settings\IE
                            Security\Saved from URL -
                            msaccess.exe

Table 2.8. Navigate URL     Computer Configuration\Administrative
                            Templates\Microsoft Office 2007 system
                            (Machine)\Security Settings\IE
                            Security\Navigate URL


Table 2.8. Navigate URL     Computer Configuration\Administrative
                            Templates\Microsoft Office 2007 system
                            (Machine)\Security Settings\IE
                            Security\Navigate URL - excel.exe


Table 2.8. Navigate URL     Computer Configuration\Administrative
                            Templates\Microsoft Office 2007 system
                            (Machine)\Security Settings\IE
                            Security\Navigate URL - powerpnt.exe


Table 2.8. Navigate URL     Computer Configuration\Administrative
                            Templates\Microsoft Office 2007 system
                            (Machine)\Security Settings\IE
                            Security\Navigate URL - pptview.exe


Table 2.8. Navigate URL     Computer Configuration\Administrative
                            Templates\Microsoft Office 2007 system
                            (Machine)\Security Settings\IE
                            Security\Navigate URL - winword.exe


Table 2.8. Navigate URL     Computer Configuration\Administrative
                            Templates\Microsoft Office 2007 system
                            (Machine)\Security Settings\IE
                            Security\Navigate URL - outlook.exe
Table 2.8. Navigate URL   Computer Configuration\Administrative
                          Templates\Microsoft Office 2007 system
                          (Machine)\Security Settings\IE
                          Security\Navigate URL - spDesign.exe


Table 2.8. Navigate URL   Computer Configuration\Administrative
                          Templates\Microsoft Office 2007 system
                          (Machine)\Security Settings\IE
                          Security\Navigate URL - msaccess.exe


Table 2.2. Block popups   Computer Configuration\Administrative
                          Templates\Microsoft Office 2007 system
                          (Machine)\Security Settings\IE
                          Security\Block popups


Table 2.2. Block popups   Computer Configuration\Administrative
                          Templates\Microsoft Office 2007 system
                          (Machine)\Security Settings\IE
                          Security\Block popups - excel.exe


Table 2.2. Block popups   Computer Configuration\Administrative
                          Templates\Microsoft Office 2007 system
                          (Machine)\Security Settings\IE
                          Security\Block popups - powerpnt.exe


Table 2.2. Block popups   Computer Configuration\Administrative
                          Templates\Microsoft Office 2007 system
                          (Machine)\Security Settings\IE
                          Security\Block popups - pptview.exe


Table 2.2. Block popups   Computer Configuration\Administrative
                          Templates\Microsoft Office 2007 system
                          (Machine)\Security Settings\IE
                          Security\Block popups - winword.exe


Table 2.2. Block popups   Computer Configuration\Administrative
                          Templates\Microsoft Office 2007 system
                          (Machine)\Security Settings\IE
                          Security\Block popups - outlook.exe
Table 2.2. Block popups   Computer Configuration\Administrative
                          Templates\Microsoft Office 2007 system
                          (Machine)\Security Settings\IE
                          Security\Block popups - spDesign.exe


Table 2.2. Block popups   Computer Configuration\Administrative
                          Templates\Microsoft Office 2007 system
                          (Machine)\Security Settings\IE
                          Security\Block popups - msaccess.exe




                          User Configuration\Administrative
                          Templates\Classic Administrative
                          Templates\Microsoft Office Outlook
                          2007\Security\Prevent users from
                          customizing attachment security
                          settings
Computer Configuration\Administrative
Templates\Classic Administrative
Templates (ADM)\Microsoft Office 2007
system\Office Diagnostics\Disable
Update Diagnostics




User Configuration\Administrative
Templates\Classic Administrative
Templates\Microsoft Office Outlook
2007\Security\Allow Active X One Off
Forms
User Configuration\Administrative
Templates\Classic Administrative
Templates\Microsoft Office Outlook
2007\Security\Allow access to e-mail
attachments
User Configuration\Administrative
Templates\Classic Administrative
Templates\Microsoft Office Outlook
2007\Security\Do not automatically sign
replies

User Configuration\Administrative
Templates\Classic Administrative
Templates\Microsoft Office Outlook
2007\Security\Prompt user to choose
security settings if default settings fail
                            NIST SCAP
  NIST SCAP Microsoft
                          Microsoft Office
Office 2007 OVAL (SCAP-
                        2007 XCCDF (SCAP-
 Office2007-OVAL-Beta-
                        Office2007-XCCDF-
         v1.xml)
                           Beta-v1.xml )




                               DisableVBAForOfficeAppl
oval:org.mitre.oval:def:771    ications




                               ActiveXControlInitializatio
oval:org.mitre.oval:def:814    n



                               EnableCustomerExperien
oval:org.mitre.oval:def:829    ceImprovementProgram


                               AutomaticallyReceiveSma
                               llUpdatesToImproveRelia
oval:org.mitre.oval:def:1473   bility




oval:org.mitre.oval:def:1302   OnlineContentOptions
                               VBAMacroWarningSettin
oval:org.mitre.oval:def:1403   gs-Access




                               VBAMacroWarningSettin
oval:org.mitre.oval:def:649    gs-Excel




                               TrustAccessToVisualBasi
oval:org.mitre.oval:def:1560   cProject-Excel
                               VBAMacroWarningSettin
oval:org.mitre.oval:def:654    gs-PowerPoint




                               TrustAccessToVisualBasi
oval:org.mitre.oval:def:665    cProject-PowerPoint



                               DisableRememberPassw
oval:org.mitre.oval:def:1298   ord




                               ConfigureAddInTrustLeve
oval:org.mitre.oval:def:1390   l




                               MinimumEncryptionSettin
oval:org.mitre.oval:def:661    gs



                               DoNotCheckEmailAddres
                               sAgainstAddressOfCertifi
oval:org.mitre.oval:def:1399   catesBeingUsed
                               SendAllSignedMessages
oval:org.mitre.oval:def:1388   AsClearSignedMessages



                               RequestAnSMIMEReceipt
                               ForAllSMIMESignedMess
oval:org.mitre.oval:def:705    ages




                               DoNotDisplayPublishToG
oval:org.mitre.oval:def:741    ALButton




oval:org.mitre.oval:def:756    SignatureWarning
oval:org.mitre.oval:def:1716   EnableCryptographyIcons




oval:org.mitre.oval:def:1700   RetrievingCRLs




                               VBMacroWarningSettings-
oval:org.mitre.oval:def:1350   Word




                               TrustAccessToVisualBasi
oval:org.mitre.oval:def:1713   cProject-Word
                               WarnBeforePrintingSavin
                               gOrSendingAFileThatCon
                               tainsTrackedChangesOr
oval:org.mitre.oval:def:788    Comments


                               BlockUpdatesFromTheOf
                               ficeUpdateSiteFromApplyi
oval:org.mitre.oval:def:1755   ng
                                                 CCE
  CCE ID        CCE Description
                                              Parameters



             /export/home should be
             configured on an
             appropriate filesystem
CCE-5658-0   partition                     partition
             /var should be configured
             on an appropriate
CCE-6235-6   filesystem partition          partition
             /opt should be configured
             on an appropriate
CCE-6315-6   filesystem partition          partition
             The shell for the root
             account should be located
             on the appropriate
CCE-5947-7   filesystem                    filesystem

             Core dump size limits         Size (0 to disable
CCE-5546-7   should be set appropriately   core dumps)
             The read-only SNMP
             community string should be
CCE-6294-3   set appropriately.            string
             The read/write SNMP
             community string should be
CCE-6136-6   set appropriately.            string
             Password policy should
             ban or allow usernames or
             UIDs in passwords as
CCE-6105-1   appropriate                   ban/allow

             Password policy should
             ban or allow words found in
CCE-6263-8   a dictionary as appropriate. ban/allow

             Password policy should
             enforce the correct amount number of special
CCE-6448-5   of special characters      characters
             Password policy should
             enforce or not enforce the
             requirement to have mixed
             case passwords as
CCE-6417-0   appropriate.               enforce/not enforce
             The minimum password
             age should be set as
CCE-6078-0   appropriate                     number of days
             The minimum required
             password length should be       number of
CCE-5906-3   set as appropriate              characters
             Password history should be
             saved for an appropriate
             number of password              number of password
CCE-6045-9   changes                         changes
             The number of consecutive
             failed login attempts
             required to trigger a lockout   number of
             should be set as                consecutive failed
CCE-5997-2   appropriate                     login attempts
             Login access to accounts
             without passwords should
             be enabled or disabled as
CCE-6358-6   appropriate                     enabled/disabled
             New users should be
             required or not required to
             change their password on
CCE-6375-0   first login as appropriate      required/not required
             Access to single-user
             mode (maintainence mode)
             should require the root
             password or not as
CCE-6080-6   appropriate                     required/not required

             All files should be owned       existing account
             by an existing account or       required / existing
CCE-6366-9   not as appropriate.             account not required
             All files should be owned       existing group
             by an existing group or not     required / existing
CCE-6441-0   as appropriate.                 group not required

             The console login banner
CCE-5644-0   should be set appropriately. banner text or null

             The SSH login banner
CCE-5784-4   should be set appropriately. banner text or null

             The telnet login banner
CCE-6502-9   should be set appropriately. banner text or null

             The ftp login banner should
CCE-6440-2   be set appropriately.       banner text or null

             The graphical login banner
CCE-6286-9   should be set appropriately. banner text or null
             Accounts other than root
             should be allowed to have
             the UID 0 or not as
CCE-6472-5   appropriate                     allowed/not allowed
             Accounts other than root
             and locked system
             accounts should be
             allowed to have a GID of 0
CCE-6387-5   or not as appropriate           allowed/not allowed
             Each account should be
             assigned a unique UID or
CCE-6224-0   not as appropriate              unique/not unique
             The ftp account should
CCE-6515-1   exist or not as appropriate     exist/not exist
             Login accounts should
             include an appropriate
             GECOS identifier or no
CCE-6343-8   GECOS identifier                GECOS value, null
             The screen lock should
             activate after an
             appropriate period of
CCE-5527-7   inactivity                      number of minutes
             File permissions should be
             set appropriately for all
CCE-5855-2   shell executables.              permissions
             Remote (serial) consoles
             should be enabled or
CCE-6058-2   disabled as appropriate.        enabled/disabled
             Root logins should be
             restricted to the console or    restricted/not
CCE-8432-7   not as appropriate.             restricted
             .netrc files should exist or
             not as appropriate for all
CCE-6430-3   users.                          exist/not exist
             .rhosts files should exist or
             not as appropriate for all
CCE-6522-7   users.                          exist/not exist
             .shosts files should exist or
             not as appropriate for all
CCE-6346-1   users.                          exist/not exist
             The /etc/hosts.equiv file
             should exist or not as
CCE-6504-5   appropriate.                    exist/not exist

             The use of NIS special
             characters (+ or -) in the
             first field of the /etc/passwd
             file should be allowed or
CCE-8667-8   disallowed as appropriate. allowed/not allowed
             The use of NIS special
             characters (+ or -) in the
             first field of the /etc/shadow
             file should be allowed or
CCE-8543-1   disallowed as appropriate.       allowed/not allowed
             The use of NIS special
             characters (+ or -) in the
             first field of the /etc/group
             file should be allowed or
CCE-8658-7   disallowed as appropriate.       allowed/not allowed
             Groups referenced in
             /etc/passwd should be
             included in /etc/group or
CCE-6184-6   not as appropriate.              included/not included
             The home directory for the
             root account should be set
CCE-6413-9   appropriately.                   path
             The home directory for
             each user account should
CCE-6284-4   be set appropriately.            path
             Home directories
             referenced in /etc/passwd
             should exist or not as
CCE-5628-3   appropriate                      exist/not exist
             All device files should be
             located inside an
CCE-5730-7   appropriate path                 path
             The ntpd service should be
             enabled or disabled as
CCE-6476-6   appropriate.                     enabled/disabled

             The Network Time Protocol
             (ntp) synchronization
             server should be set
CCE-6318-0   appropriately.            timeserver

             The default gateway should       GATEWAY=<IP
CCE-6335-4   be set appropriately.            address>/disabled
             The xinetd service should
             be enabled or disabled as
CCE-6450-1   appropriate.                     enabled/disabled
             echo service should be
             enabled or disabled as
CCE-6150-7   appropriate                      enabled/disabled
             netstat service should be
             enabled or disabled as
CCE-6414-7   appropriate                      enabled/disabled
             rcp service should be
             enabled or disabled as
CCE-6493-1   appropriate                 enabled/disabled
             chargen service should be
             enabled or disabled as
CCE-6277-8   appropriate                 enabled/disabled
             finger service should be
             enabled or disabled as
CCE-5545-9   appropriate                 enabled/disabled
             tftpd service should be
             enabled or disabled as
CCE-6202-6   appropriate                 enabled/disabled
             walld service should be
             enabled or disabled as
CCE-6354-5   appropriate                 enabled/disabled
             rstatd service should be
             enabled or disabled as
CCE-6200-0   appropriate                 enabled/disabled
             sprayd service should be
             enabled or disabled as
CCE-6028-5   appropriate                 enabled/disabled
             rusersd service should be
             enabled or disabled as
CCE-6415-4   appropriate                 enabled/disabled
             rlogin service should be
             enabled or disabled as
CCE-6393-3   appropriate                 enabled/disabled
             rsh service should be
             enabled or disabled as
CCE-6296-8   appropriate                 enabled/disabled
             ftp service should be
             enabled or disabled as
CCE-6499-8   appropriate                 enabled/disabled
             telnet service should be
             enabled or disabled as
CCE-6204-2   appropriate                 enabled/disabled
CCE-6238-0   DEPRECATED.
             inn service should be
             enabled or disabled as
CCE-5562-4   appropriate                 enabled/disabled
             uucp service should be
             enabled or disabled as
CCE-6520-1   appropriate                 enabled/disabled
             rexec service should be
             enabled or disabled as
CCE-6220-8   appropriate                 enabled/disabled
             font-service should be
             enabled or disabled as
CCE-6049-1   appropriate                 enabled/disabled
             imap2 service should be
             enabled or disabled as
CCE-6458-4   appropriate                   enabled/disabled
             pop3 service should be
             enabled or disabled as
CCE-6427-9   appropriate                   enabled/disabled
             ident service should be
             enabled or disabled as
CCE-6554-0   appropriate                   enabled/disabled
             rexd service should be
             enabled or disabled as
CCE-6422-0   appropriate                   enabled/disabled
             daytime service should be
             enabled or disabled as
CCE-6369-3   appropriate                   enabled/disabled
             dtspc (cde-spc) service
             should be enabled or
CCE-6523-5   disabled as appropriate       enabled/disabled
             rquotad service should be
             enabled or disabled as
CCE-5836-2   appropriate                   enabled/disabled
             cmsd service should be
             enabled or disabled as
CCE-6426-1   appropriate                   enabled/disabled
             tooltalk service should be
             enabled or disabled as
CCE-5567-3   appropriate                   enabled/disabled
CCE-6293-5   DEPRECATED.
             discard service should be
             enabled or disabled as
CCE-5575-6   appropriate                   enabled/disabled
CCE-6270-3   DEPRECATED.
             vino-server service should
             be enabled or disabled as
CCE-6508-6   appropriate                   enabled/disabled
             The bind service should be
             enabled or disabled as
CCE-6507-8   appropriate.                  enabled/disabled
             The version string reported
             by the bind service should
             be configured
CCE-5576-4   appropriately.                string
             The nfsd service should be
             enabled or disabled as
CCE-6243-0   appropriate                   enabled/disabled
             The mountd service should
             be enabled or disabled as
CCE-6468-3   appropriate                   enabled/disabled
             The statd service should be
             enabled or disabled as
CCE-5918-8   appropriate                   enabled/disabled
             The lockd service should
             be enabled or disabled as
CCE-6303-2   appropriate                    enabled/disabled
             NFS should be configured
             with appropriate
CCE-5669-7   authentication methods         list of auth methods
             The read-only (ro) option
             should be enabled or
             disabled as appropriate for
CCE-5809-9   all NFS exports.               enabled/disabled
             The nosuid option should
             be enabled or disabled for
             all NFS mounts as
CCE-6514-4   appropriate                    enabled/disabled
             The nosgid option should
             be enabled or disabled for
             all NFS mounts as
CCE-6462-6   appropriate                    enabled/disabled
             Sendmail should be
             enabled or disabled as
CCE-6250-5   appropriate                    enabled/disabled

             The sendmail banner
CCE-6466-7   should be set appropriately.   string
             The decode sendmail alias
             should be enabled or
CCE-6483-2   disabled as appropriate.       enabled/disabled
             .forward files should be
             allowed or disallowed as
CCE-6408-9   appropriate for all users      allow/disallow
             Programs executed
             through the aliases file
             should be owned by an
CCE-6560-7   appropriate user               user
             Programs executed
             through the aliases file
             should reside a directory
             with an appropriate user
CCE-6247-1   owner                          user
             Sendmail vrfy command
             should be allowed or not as
CCE-5714-1   appropriate                    allow/disallow
             Sendmail expn command
             should be allowed or not as
CCE-6357-8   appropriate                    allow/disallow
             Sendmail should be
             configured with an
CCE-5584-8   appropriate logging level      logging level
             Sendmail help command
             should be allowed or not as
CCE-6118-4   appropriate                 allow/disallow
             NIS+ server should operate
             at an appropriate security
CCE-6431-1   level                       security level
             X-Windows should be
             enabled or disabled as
CCE-6524-3   appropriate                 enabled/disabled

             Authorized X-clients should
             be listed or not in the
CCE-6435-2   X*.hosts file as appropriate   listed/not listed
             X-Windows should write
             .Xauthority files to users'
             home directories or not as
CCE-6510-2   appropriate                    write/not write
             X11 forwarding via SSH
             should be enabled or
CCE-6558-1   disabled as appropriate.       enabled/disabled
             Samba should be enabled
CCE-6025-1   or disabled as appropriate     enabled/disabled
             Samba 'hosts allow' option
             should be configured with
             an appropriate set of
CCE-5748-9   networks                       list of networks
             Samba 'security option'
             option should be set as
CCE-6373-5   appropriate
             Samba 'encrypt' passwords
             option should be set as
CCE-5620-0   appropriate                    yes/no
             Samba 'smb passwd file'
             option should be set to an
             appropriate password file
CCE-6268-7   or no password file            file/nothing
             IPv6 should be enabled or
CCE-6501-1   disabled as appropriate        enabled/disabled

             /dev/kmem file permissions
CCE-6206-7   should be set appropriately permissions

             /dev/mem file permissions
CCE-6602-7   should be set appropriately permissions

             /dev/null file permissions
CCE-6571-4   should be set appropriately permissions

             resolv.conf file permissions
CCE-6583-9   should be set appropriately permissions
             /etc/named.conf file
             permissions should be set
CCE-6552-4   appropriately                permissions

             /usr/bin/at file permissions
CCE-6363-6   should be set appropriately permissions
             /usr/bin/rdist file
             permissions should be set
CCE-5623-4   appropriately                permissions
             /usr/sbin/sync file
             permissions should be set
CCE-5995-6   appropriately                permissions

             Superuser account home
             directories' permissions
CCE-6572-2   should be set appropriately permissions
             /etc/samba/smb.conf file
             permissions should be set
CCE-5964-2   appropriately               permissions
             smbpassword executable
             permissions should be set
CCE-6559-9   appropriately               permissions

             Aliases file permissions
CCE-5968-3   should be set appropriately permissions
             File permissions should be
             set as appropriate for the
             log file configured to
             capture critical sendmail
CCE-6527-6   messages.                   permissions
             All files executed through
             /etc/aliases file entries
             should have file
             permissions set
CCE-6245-5   appropriately               permissions

             /bin/csh file permissions
CCE-6384-2   should be set appropriately permissions

             /bin/jsh file permissions
CCE-6371-9   should be set appropriately permissions

             /bin/ksh file permissions
CCE-6252-1   should be set appropriately permissions
             The /bin/rsh file should
CCE-6463-4   exist or not as appropriate exist/not exist

             /bin/sh file permissions
CCE-6437-8   should be set appropriately permissions
             /bin/bash file permissions
CCE-5952-7   should be set appropriately permissions

             /sbin/csh file permissions
CCE-5921-2   should be set appropriately permissions

             /sbin/jsh file permissions
CCE-6564-9   should be set appropriately permissions

             /sbin/ksh file permissions
CCE-6388-3   should be set appropriately permissions
             The /sbin/rsh file should
CCE-5636-6   exist or not as appropriate exist/not exist

             /sbin/sh file permissions
CCE-6130-9   should be set appropriately permissions

             /sbin/bash file permissions
CCE-6443-6   should be set appropriately permissions
             /usr/bin/csh file
             permissions should be set
CCE-6535-9   appropriately               permissions

             /usr/bin/jsh file permissions
CCE-5944-4   should be set appropriately permissions
             /usr/bin/ksh file
             permissions should be set
CCE-5650-7   appropriately                 permissions
             The /usr/bin/rsh file should
CCE-6548-2   exist or not as appropriate exist/not exist

             /usr/bin/sh file permissions
CCE-6253-9   should be set appropriately permissions
             /usr/bin/bash file
             permissions should be set
CCE-6240-6   appropriately                permissions
             snmpd.conf file
             permissions should be set
CCE-6531-8   appropriately                permissions

             /tmp file permissions
CCE-6460-0   should be set appropriately permissions

             /usr/tmp file permissions
CCE-5905-5   should be set appropriately permissions
             .Xauthority file permissions
             should be set appropriately
CCE-6002-0   for all users.               permissions
             /etc/aliases file permissions
CCE-6333-9   should be set appropriately permissions
             /etc/cron.d/at.allow file
             permissions should be set
CCE-6099-6   appropriately                 permissions
             /etc/cron.d/cron.allow file
             permissions should be set
CCE-6332-1   appropriately                 permissions

             /etc/csh file permissions
CCE-6473-3   should be set appropriately   permissions
             /etc/default/* file
             permissions should be set
CCE-6442-8   appropriately                 permissions
             /etc/default/login file
             permissions should be set
CCE-6129-1   appropriately                 permissions
             The /etc/ftpusers file
             should exist or not as
CCE-6539-1   appropriate                   exist/not exist
             /etc/host.lpd file
             permissions should be set
CCE-6257-0   appropriately                 permissions
             /etc/hostname* file
             permissions should be set
CCE-6607-6   appropriately                 permissions

             /etc/hosts file permissions
CCE-6576-3   should be set appropriately permissions
             /etc/xinetd.conf file
             permissions should be set
CCE-5651-5   appropriately               permissions

             /etc/issue file permissions
CCE-6475-8   should be set appropriately permissions

             /etc/jsh file permissions
CCE-6281-0   should be set appropriately permissions

             /etc/ksh file permissions
CCE-6355-2   should be set appropriately permissions
             /etc/mail/aliases file
             permissions should be set
CCE-6540-9   appropriately               permissions

             /etc/motd file permissions
CCE-6241-4   should be set appropriately permissions
             /etc/netconfig file
             permissions should be set
CCE-6509-4   appropriately               permissions
             /etc/notrouter file
             permissions should be set
CCE-5835-4   appropriately                 permissions
             /etc/pam.conf file
             permissions should be set
CCE-6553-2   appropriately                 permissions
             /etc/passwd file
             permissions should be set
CCE-6190-3   appropriately                 permissions
             The /etc/rsh file should
CCE-6269-5   exist or not as appropriate   exist/not exist
             /etc/security file
             permissions should be set
CCE-6410-5   appropriately                 permissions
             /etc/services file
             permissions should be set
CCE-6625-8   appropriately                 permissions

             /etc/sh file permissions
CCE-6599-5   should be set appropriately permissions
             /etc/shadow file
             permissions should be set
CCE-5735-6   appropriately               permissions
             /etc/syslog.conf file
             permissions should be set
CCE-5652-3   appropriately               permissions
CCE-6477-4   DEPRECATED.

             /etc/fstab file permissions
CCE-6569-8   should be set appropriately   permissions
CCE-6649-8   DEPRECATED.
             /var/adm/loginlog file
             permissions should be set
CCE-5911-3   appropriately                 permissions
             /var/adm/messages file
             permissions should be set
CCE-6488-1   appropriately                 permissions
             /var/adm/sulog file
             permissions should be set
CCE-6395-8   appropriately                 permissions
             /var/adm/utmp file
             permissions should be set
CCE-6492-3   appropriately                 permissions
             /var/adm/wtmp file
             permissions should be set
CCE-5654-9   appropriately                 permissions
             /var/adm/authlog file
             permissions should be set
CCE-6586-2   appropriately                 permissions
             /var/adm/syslog file
             permissions should be set
CCE-6309-9   appropriately                 permissions

             /var/mail file permissions
CCE-6402-2   should be set appropriately permissions

             /var/tmp file permissions
CCE-6401-4   should be set appropriately   permissions
             /usr/lib/pt_chmod file
             permissions should be set
CCE-6370-1   appropriately                 permissions
             /usr/lib/embedded_us file
             permissions should be set
CCE-5811-5   appropriately                 permissions
             /usr/lib/sendmail file
             permissions should be set
CCE-6265-3   appropriately                 permissions
             /usr/kerberos/bin/rsh file
             permissions should be set
CCE-6591-2   appropriately                 permissions
             /var/spool/mail file
             permissions should be set
CCE-6608-4   appropriately                 permissions
             smbpassword file
             permissions should be set
CCE-6344-6   appropriately                 permissions
             System files should be
             owned by an appropriate
CCE-6471-7   user                          list of users
             System files should be
             owned by an appropriate
CCE-6061-6   group                         list of groups
             Default/skeleton dot files
             should be owned by an
CCE-5890-9   appropriate user              list of users
             Default/skeleton dot files
             should be owned by an
CCE-5657-2   appropriate group             list of groups
             Global initialization files
             should be owned by an
CCE-6545-8   appropriate user              list of users
             Global initialization files
             should be owned by an
CCE-6516-9   appropriate group             list of groups
             Home directories should be
             owned by an appropriate
CCE-6362-8   user                          list of users
             Home directories should be
             owned by an appropriate
CCE-6587-0   group                         list of groups
             inetd.conf file should be
             owned by an appropriate
CCE-5850-3   user                             list of users
             xinetd.conf file should be
             owned by an appropriate
CCE-6551-6   group                            list of groups
             /etc/services file should be
             owned by an appropriate
CCE-6397-4   user                             list of users
             /etc/services file should be
             owned by an appropriate
CCE-6555-7   group                            list of groups
             /etc/notrouter file should be
             owned by an appropriate
CCE-6621-7   user                             list of users
             /etc/notrouter file should be
             owned by an appropriate
CCE-6396-6   group                            list of groups
CCE-6352-9   DEPRECATED.
CCE-5969-1   DEPRECATED.
             /etc/passwd file should be
             owned by an appropriate
CCE-5673-9   user                             list of users
             /etc/passwd file should be
             owned by an appropriate
CCE-5824-8   group                            list of groups
             /etc/shadow file should be
             owned by an appropriate
CCE-5685-3   user                             list of users
             /etc/shadow file should be
             owned by an appropriate
CCE-5946-9   group                            list of groups
             Environmental variable
             PATH for superuser
             accounts should or should
             not contain world-writable
CCE-5694-5   files as appropriate             should/should not
             Environmental variable
             PATH for superuser
             accounts should not
             contain the current
             directory as the first or last
CCE-6421-2   entry                            should/should not

             The current directory
             should or should not be
             added to the environmental
             variable PATH by global
             initialization files as
CCE-6642-3   appropriate                should/should not
             The current directory
             should or should not be
             added to the environmental
             variable PATH by local
             initialization files as
CCE-6425-3   appropriate                    should/should not
             Local initialization files
             should allow or deny
             access to the terminal as
CCE-5699-4   appropriate                    allow/deny
             The system umask should
CCE-5959-2   be set appropriately           umask
             The user umask should be
CCE-6116-8   set appropriately              umask
             Login to privileged
             accounts should be
             allowed or denied as
CCE-6336-2   appropriate                    allow/deny

             /etc/init.d file permissions
CCE-6102-8   should be set appropriately    permissions
             /boot/grub/grub.conf file
             permissions should be set
CCE-6679-5   appropriately                  permissions
             /boot/grub/grub.conf file
             should be owned by an
CCE-6653-0   appropriate user               list of users
             /boot/grub/grub.conf file
             should be owned by an
CCE-6432-9   appropriate group              list of groups
             /etc/lilo.conf file
             permissions should be set
CCE-6512-8   appropriately                  permissions
             /etc/login.access file
             permissions should be set
CCE-6212-5   appropriately                  permissions
             /etc/security/access.conf
             file permissions should be
CCE-6229-9   set appropriately              permissions
             /etc/sysctl.conf file
             permissions should be set
CCE-5700-0   appropriately                  permissions
             /etc/securetty file
             permissions should be set
CCE-6389-1   appropriately                  permissions
             /etc/audit/auditd.conf file
             permissions should be set
CCE-6698-5   appropriately                  permissions
             audit.rules file permissions
CCE-6420-4   should be set appropriately     permissions
             DEPRECATED in favor of
             CCE-8569-6, CCE-7990-5,
CCE-5953-5   and CCE-8624-9.
             /etc/auto.master file should
             be owned by an
CCE-8569-6   appropriate user                list of users
             /etc/auto.misc file should
             be owned by an
CCE-7990-5   appropriate user                list of users
             /etc/auto.net file should be
             owned by an appropriate
CCE-8624-9   user                            list of users
             /etc/lilo.conf file should be
             owned by an appropriate
CCE-6547-4   user                            list of users
             /etc/login.access file should
             be owned by an
CCE-5704-2   appropriate user                list of users
             /etc/security/access.conf
             file should be owned by an
CCE-6525-0   appropriate user                list of users
             /etc/sysctl.conf file should
             be owned by an
CCE-6115-0   appropriate user                list of users
             /etc/securetty file should be
             owned by an appropriate
CCE-6383-4   user                            list of users
             /etc/audit/auditd.conf file
             should be owned by an
CCE-5716-6   appropriate user                list of users
             audit.rules file should be
             owned by an appropriate
CCE-6631-6   user                            list of users
             DEPRECATED in favor of
             CCE-8335-2, CCE-8498-8,
CCE-6596-1   and CCE-8383-2.
             /etc/auto.master file should
             be owned by an
CCE-8335-2   appropriate user                list of users
             /etc/auto.misc file should
             be owned by an
CCE-8498-8   appropriate user                list of users
             /etc/auto.net file should be
             owned by an appropriate
CCE-8383-2   user                            list of users
             /etc/lilo.conf file should be
             owned by an appropriate
CCE-6675-3   group                           list of groups
             /etc/login.access file should
             be owned by an
CCE-6195-2   appropriate group               list of groups
             /etc/security/access.conf
             file should be owned by an
CCE-5900-6   appropriate group               list of groups
             /etc/sysctl.conf file should
             be owned by an
CCE-6304-0   appropriate group               list of groups
             /etc/securetty file should be
             owned by an appropriate
CCE-5720-8   group                           list of groups
             /etc/audit/auditd.conf file
             should be owned by an
CCE-5726-5   appropriate group               list of groups
             audit.rules file should be
             owned by an appropriate
CCE-6376-8   group                           list of groups
             DEPRECATED in favor of
             CCE-8347-7 CCE-8526-6,
CCE-6222-4   and CCE-8369-1.
             /etc/auto.master file should
             be owned by an
CCE-8347-7   appropriate group               list of users
             /etc/auto.misc file should
             be owned by an
CCE-8526-6   appropriate group               list of users
             /etc/auto.net file should be
             owned by an appropriate
CCE-8369-1   group                           list of users
             Access controls through
             login.access and
             access.conf should be set
             for non-superusers or not
CCE-6424-6   as appropriate                  set/not set
             Global initialization files
             should allow or deny write
             access to the terminal as
CCE-6312-3   appropriate                     allow/deny
             Ctrl-Alt-Delete should be
             enabled or disabled as
CCE-6528-4   appropriate                     enabled/disabled
             An appropriate bootloader
CCE-6691-0   should be used                  list of bootloaders

             GRUB should be
             configured with a password password/no
CCE-6519-3   or not as appropriate      passwor
             LILO should be configured
             with a password or not as      password/no
CCE-6594-6   appropriate                    password
             System should be
             configured to boot and
             appropriate set of operating   list of operating
CCE-8118-2   systems                        systems
             The primary filesystem
             partition should be using an
CCE-5972-5   appropriate filesystem         list of filesystems
             The ugidd daemon should
             be enabled or disabled as
CCE-6364-4   appropriate                    enabled/disabled
             NFS insecure locks should
             be enabled or disabled as
CCE-5813-1   appropriate                    enabled/disabled
             X server audit level should
CCE-5752-1   be set appropriately           audit level
             X server timeout should be
CCE-5753-9   set appropriately              number of minutes
             X server ac should be
             enabled or disabled as
CCE-6297-6   appropriate                    enabled/disabled
             X server core should be
             enabled or disabled as
CCE-6671-2   appropriate                    enabled/disabled
             X server nolock should be
             enabled or disabled as
CCE-6538-3   appropriate                    enabled/disabled
             PAM console should be
             enabled or disabled as
CCE-6486-5   appropriate                    enabled/disabled
             shutdown account should
             be present or not as
CCE-6644-9   appropriate                    present/absent
             halt account should be
             present or not as
CCE-6706-6   appropriate                    present/absent
             games account should be
             present or not as
CCE-6617-5   appropriate                    present/absent
             operator account should be
             present or not as
CCE-5758-8   appropriate                    present/absent
             Auditing should be enabled
             or disabled at boot time as
CCE-6041-8   appropriate                    enabled/disabled
             System logons should be
             audited or not as
CCE-6715-7   appropriate                    audited/not audited
             System logoffs should be
             audited or not as
CCE-6666-2   appropriate              audited/not audited
             Password changes should
             be audited or not as
CCE-6530-0   appropriate              audited/not audited

             su usage should be audited
CCE-5772-9   or not as appropriate          audited/not audited
             Creation of superuser
             groups should be audited
CCE-6759-5   or not as appropriate          audited/not audited
             Clearing of the audit log file
             should be audited or not as
CCE-5778-6   appropriate                    audited/not audited

             Startup/shutdown of audit
             functions should be audited
CCE-6628-2   or not as appropriate          audited/not audited
             Use of
             identification/authorization
             mechanisms should be
             audited or not as
CCE-6470-9   appropriate                    audited/not audited
             Remote access from
             outside the corporate
             network should be audited
CCE-6597-9   or not as appropriate          audited/not audited
             Change of
             permissions/privileges
             should be audited or not as
CCE-6566-4   appropriate                    audited/not audited
             Modification of superuser
             groups should be audited
CCE-6727-2   or not as appropriate          audited/not audited
             Sudo usage should be
             audited or not as
CCE-6692-8   appropriate                    audited/not audited

             Hard core dump size limits Size (0 to disable
CCE-6124-2   should be set appropriately core dumps)
                                         Internal Revenue Service Basic UNIX
                                         Security Requirements (IRS BUSR)
              CCE Technical Mechanisms   http://www.irs.gov/irm/part10/ch03s08.ht
                                         ml




via fstab                                10.8.10.4.2.1 (5)


via fstab                                10.8.10.4.2.1 (5)


via fstab                                10.8.10.4.2.1 (5)




via /etc/passwd                          10.8.10.4.2.1 (6)

via /etc/security/limits
via ulimit                               10.8.10.4.4 (3)

via /etc/snmp.conf
via /etc/snmp/snmpd.conf                 10.8.10.5.1 (1) c)


via /etc/snmp/snmpd.conf                 10.8.10.5.1 (1) c)




via PAM                                  10.8.10.5.1 (2) a)




via PAM                                  10.8.10.5.1 (2) a)




via PAM                                  10.8.10.5.1 (2) a)




via PAM                                  10.8.10.5.1 (2) a)
via /etc/login.defs        10.8.10.5.1 (2) b)


via /etc/login.defs        10.8.10.5.1 (2) c)




via PAM                    10.8.10.5.1 (2) d)




via PAM                    10.8.10.5.1 (2) e)


via passwd
via /etc/shadow            10.8.10.5.1 (2) f)




via /etc/security/passwd   10.8.10.5.1 (2) g)




via grub                   10.8.10.5.1 (3)




via chown                  10.8.10.5.2 (3)


via chgrp via chown        10.8.10.5.2 (3)


via /etc/motd              10.8.10.5.2 (5) a)

via /etc/ssh/sshd_config
via /etc/motd              10.8.10.5.2 (5) b)


via /etc/motd              10.8.10.5.2 (5) c)


                           10.8.10.5.2 (5) d)


via Xwindows               10.8.10.5.2 (5) e)
via passwd
via /etc/passwd               10.8.10.5.2.1 (2) a)




via passwd
via /etc/passwd               10.8.10.5.2.1 (2) b)


via /etc/passwd               10.8.10.5.2.4 (3)

via /etc/passwd               10.8.10.5.2.4 (9)




via /etc/passwd               10.8.10.5.2.4.1 (1)

via xscreensaver
via dtsession
via /etc/pam.d/xscreensaver   10.8.10.5.2.5 (1)


via chmod                     10.8.10.5.2.6 (1)

via inittab
via /sbin/agetty              10.8.10.5.2.6 (3)


via /etc/securetty            10.8.10.5.2.6 (4)


via filesystem                10.8.10.5.2.6 (6)


via filesystem                10.8.10.5.2.6 (6)


via filesystem                10.8.10.5.2.6 (6)


via filesystem                10.8.10.5.2.6 (6)




via Text editor               10.8.10.5.2.6 (7)
via Text editor               10.8.10.5.2.6 (7)




via Text editor               10.8.10.5.2.6 (7)




via /etc/group                10.8.10.5.2.6 (15)


via /etc/passwd               10.8.10.5.2.6 (16)
via /etc/passwd
via /usr/sbin/useradd
via /etc/default/useradd      10.8.10.5.2.6 (17)




via filesystem                10.8.10.5.2.6 (18)


via filesystem                10.8.10.5.2.6 (24)


via RC scripts                10.8.10.5.3 (3)




via /etc/sysconfig/ntpd

via /etc/default/route.conf
via /etc/sysconfig/network    10.8.10.5.4.1 (4)


via RC scripts                10.8.10.5.4.1 (5)


via xinetd                    10.8.10.5.4.1 (11) #1


via xinetd                    10.8.10.5.4.1 (11) #2
via xinetd   10.8.10.5.4.1 (11) #3


via xinetd   10.8.10.5.4.1 (11) #4


via xinetd   10.8.10.5.4.1 (11) #5


via xinetd   10.8.10.5.4.1 (11) #6


via xinetd   10.8.10.5.4.1 (11) #7


via xinetd   10.8.10.5.4.1 (11) #8


via xinetd   10.8.10.5.4.1 (11) #9


via xinetd   10.8.10.5.4.1 (11) #10


via xinetd   10.8.10.5.4.1 (11) #11


via xinetd   10.8.10.5.4.1 (11) #12


via xinetd   10.8.10.5.4.1 (11) #13


via xinetd   10.8.10.5.4.1 (11) #14




via xinetd   10.8.10.5.4.1 (11) #16


via xinetd   10.8.10.5.4.1 (11) #17


via xinetd   10.8.10.5.4.1 (11) #18


via xinetd   10.8.10.5.4.1 (11) #20
via xinetd            10.8.10.5.4.1 (11) #21


via xinetd            10.8.10.5.4.1 (11) #22


via xinetd            10.8.10.5.4.1 (11) #23


via xinetd            10.8.10.5.4.1 (11) #24


via xinetd            10.8.10.5.4.1 (11) #26


via xinetd            10.8.10.5.4.1 (11) #27


via xinetd            10.8.10.5.4.1 (11) #28


via xinetd            10.8.10.5.4.1 (11) #29


via xinetd            10.8.10.5.4.1 (11) #30




via xinetd            10.8.10.5.4.1 (11) #32




via xinetd            10.8.10.5.4.1 (11) #34


via xinetd            10.8.10.5.4.1.1 (2)




via /etc/named.conf   10.8.10.5.4.1.1 (5)


via RC scripts        10.8.10.5.4.1.5 (1)


via RC scripts        10.8.10.5.4.1.5 (1)


via RC scripts        10.8.10.5.4.1.5 (1)
via RC scripts              10.8.10.5.4.1.5 (1)

via NFS
via /etc/exports            10.8.10.5.4.1.5 (1) f)




via /etc/exports            10.8.10.5.4.1.5 (1) g)




via /etc/fstab              10.8.10.5.4.1.5 (1) i)




via /etc/fstab              10.8.10.5.4.1.5 (1) i)

via inetd
via RC scripts              10.8.10.5.4.2.2 (1)


via /etc/mail/sendmail.cf   10.8.10.5.4.2.2 (3)

via /etc/aliases
via /usr/lib/aliases        10.8.10.5.4.2.2 (4) c)


via rm                      10.8.10.5.4.2.2 (4) e)




via chown                   10.8.10.5.4.2.2 (4) f)




via chown                   10.8.10.5.4.2.2 (4) f)


via /etc/mail/sendmail.cf   10.8.10.5.4.2.2 (4) g)


via /etc/mail/sendmail.cf   10.8.10.5.4.2.2 (4) h)


via /etc/mail/sendmail.cf   10.8.10.5.4.2.2 (4) i)
via sendmailvia /etc/mail/sendmail.cf   10.8.10.5.4.2.2 (4) k)


via NIS+                                10.8.10.5.4.2.3 (1) b)


via Xwindows                            10.8.10.5.4.2.4 (1)




via /etc/X*.hosts                       10.8.10.5.4.2.4 (2) b)

via xdm
via gdm
via kdm                                 10.8.10.5.4.2.4 (2) d)


via sshd_config                         10.8.10.5.4.2.4 (2) f)
via smbd
via RC scripts                          10.8.10.5.4.2.6 (1)


via smbd
via smb.conf                            10.8.10.5.4.2.6 (3) a)

via smbd
via smb.conf                            10.8.10.5.4.2.6 (3) b)

via smbd
via smb.conf                            10.8.10.5.4.2.6 (3) c)


via smbd
via smb.conf                            10.8.10.5.4.2.6 (3) d)

via ifconfig                            10.8.10.5.4.3 (1)


via chmod                               10.8.10-1 A.1 1) #9


via chmod                               10.8.10-1 A.1 1) #10


via chmod                               10.8.10-1 A.1 1) #11


via chmod                               10.8.10-1 A.1 1) #13
via chmod        10.8.10-1 A.1 1) #14


via chmod        10.8.10-1 A.1 1) #25


via chmod        10.8.10-1 A.1 1) #26


via chmod        10.8.10-1 A.1 1) #27




via chmod        10.8.10-1 A.1 1) #29


via chmod        10.8.10-1 A.1 1) #31


via chmod        10.8.10-1 A.1 1) #32


via chmod        10.8.10-1 A.1 1) #34




via chmod        10.8.10-1 A.1 1) #35




via chmod        10.8.10-1 A.1 1) #36


via chmod        10.8.10-1 A.1 1) #37


via chmod        10.8.10-1 A.1 1) #38


via chmod        10.8.10-1 A.1 1) #39

via filesystem   10.8.10-1 A.1 1) #40


via chmod        10.8.10-1 A.1 1) #41
via chmod        10.8.10-1 A.1 1) #42


via chmod        10.8.10-1 A.1 1) #43


via chmod        10.8.10-1 A.1 1) #44


via chmod        10.8.10-1 A.1 1) #45

via filesystem   10.8.10-1 A.1 1) #46


via chmod        10.8.10-1 A.1 1) #47


via chmod        10.8.10-1 A.1 1) #48


via chmod        10.8.10-1 A.1 1) #49


via chmod        10.8.10-1 A.1 1) #50


via chmod        10.8.10-1 A.1 1) #51

via filesystem   10.8.10-1 A.1 1) #52


via chmod        10.8.10-1 A.1 1) #53


via chmod        10.8.10-1 A.1 1) #54


via chmod        10.8.10-1 A.1 1) #56


via chmod        10.8.10-1 A.1 1) #57


via chmod        10.8.10-1 A.1 1) #58


via chmod        10.8.10-1 A.1 1) #60
via chmod        10.8.10-1 A.1 1) #61


via chmod        10.8.10-1 A.1 1) #62


via chmod        10.8.10-1 A.1 1) #63


via chmod        10.8.10-1 A.1 1) #64


via chmod        10.8.10-1 A.1 1) #65


via chmod        10.8.10-1 A.1 1) #66


via filesystem   10.8.10-1 A.1 1) #69


via chmod        10.8.10-1 A.1 1) #70


via chmod        10.8.10-1 A.1 1) #71


via chmod        10.8.10-1 A.1 1) #72


via chmod        10.8.10-1 A.1 1) #73


via chmod        10.8.10-1 A.1 1) #75


via chmod        10.8.10-1 A.1 1) #76


via chmod        10.8.10-1 A.1 1) #77


via chmod        10.8.10-1 A.1 1) #78


via chmod        10.8.10-1 A.1 1) #79


via chmod        10.8.10-1 A.1 1) #80
via chmod        10.8.10-1 A.1 1) #81


via chmod        10.8.10-1 A.1 1) #82


via chmod        10.8.10-1 A.1 1) #83

via filesystem   10.8.10-1 A.1 1) #84


via chmod        10.8.10-1 A.1 1) #85


via chmod        10.8.10-1 A.1 1) #86


via chmod        10.8.10-1 A.1 1) #87


via chmod        10.8.10-1 A.1 1) #88


via chmod        10.8.10-1 A.1 1) #89




via chmod        10.8.10-1 A.1 1) #91




via chmod        10.8.10-1 A.1 1) #93


via chmod        10.8.10-1 A.1 1) #94


via chmod        10.8.10-1 A.1 1) #95


via chmod        10.8.10-1 A.1 1) #96


via chmod        10.8.10-1 A.1 1) #97


via chmod        10.8.10-1 A.1 1) #98
via chmod   10.8.10-1 A.1 1) #99


via chmod   10.8.10-1 A.1 1) #100


via chmod   10.8.10-1 A.1 1) #101


via chmod   10.8.10-1 A.1 1) #103


via chmod   10.8.10-1 A.1 1) #104


via chmod   10.8.10-1 A.1 1) #105


via chmod   10.8.10-1 A.1 1) #107


via chmod   10.8.10-1 A.1 1) #108


via chmod   10.8.10-1 A.1 1) #109


via chown   10.8.10-1 A.1 2) #8

via chgrp
via chown   10.8.10-1 A.1 2) #8


via chown   10.8.10-1 A.1 2) #9

via chgrp
via chown   10.8.10-1 A.1 2) #9


via chown   10.8.10-1 A.1 2) #10

via chgrp
via chown   10.8.10-1 A.1 2) #10


via chown   10.8.10-1 A.1 2) #11

via chgrp
via chown   10.8.10-1 A.1 2) #11
via chown              10.8.10-1 A.1 2) #12

via chgrp
via chown              10.8.10-1 A.1 2) #12


via chown              10.8.10-1 A.1 2) #16

via chgrp
via chown              10.8.10-1 A.1 2) #16


via chown              10.8.10-1 A.1 2) #18

via chgrp
via chown              10.8.10-1 A.1 2) #18




via chown              10.8.10-1 A.1 2) #35

via chgrp
via chown              10.8.10-1 A.1 2) #35


via chown              10.8.10-1 A.1 2) #36

via chgrp
via chown              10.8.10-1 A.1 2) #36




via chmod
via profile            10.8.10-1 A.2 1) #1




via local init files   10.8.10-1 A.2 1) #2




via local init files   10.8.10-1 A.2 1) #3
via local init files    10.8.10-1 A.2 1) #4




via local init files    10.8.10-1 A.2 1) #6

via global init files   10.8.10-1 A.2 1) #8

via local init files    10.8.10-1 A.2 1) #8




via PAM                 10.8.10.5.2.4 (2)


via chmod               10.8.10-1 A.1 1) #74


via chmod               10.8.10-3 C.1 1) #1


via chown               10.8.10-3 C.1 1) #1

via chgrp
via chown               10.8.10-3 C.1 1) #1


via chmod               10.8.10-3 C.1 1) #2


via chmod               10.8.10-3 C.1 1) #3


via chmod               10.8.10-3 C.1 1) #3


via chmod               10.8.10-3 C.1 1) #4


via chmod               10.8.10-3 C.1 1) #5


via chmod               10.8.10-3 C.1 1) #6
via chmod   10.8.10-3 C.1 1) #7




via chown   10.8.10-3 C.1 1) #9


via chown   10.8.10-3 C.1 1) #9


via chown   10.8.10-3 C.1 1) #9


via chown   10.8.10-3 C.1 1) #2


via chown   10.8.10-3 C.1 1) #3


via chown   10.8.10-3 C.1 1) #3


via chown   10.8.10-3 C.1 1) #4


via chown   10.8.10-3 C.1 1) #5


via chown   10.8.10-3 C.1 1) #6


via chown   10.8.10-3 C.1 1) #7




via chown   10.8.10-3 C.1 1) #9


via chown   10.8.10-3 C.1 1) #9


via chown   10.8.10-3 C.1 1) #9

via chgrp
via chown   10.8.10-3 C.1 1) #2
via chgrp
via chown                        10.8.10-3 C.1 1) #3

via chgrp
via chown                        10.8.10-3 C.1 1) #3

via chgrp
via chown                        10.8.10-3 C.1 1) #4

via chgrp
via chown                        10.8.10-3 C.1 1) #5

via chgrp
via chown                        10.8.10-3 C.1 1) #6

via chgrp
via chown                        10.8.10-3 C.1 1) #7




via chown                        10.8.10-3 C.1 1) #9


via chown                        10.8.10-3 C.1 1) #9


via chown                        10.8.10-3 C.1 1) #9




via /etc/login.access
via /etc/security/acccess.conf   10.8.10-3 C.1.1 1)




via global init files            10.8.10-3 C.2 1) #1


via /etc/inittab                 10.8.10-3 C.3 1)

via bootloader                   10.8.10-3 C.3.2 2)




via /boot/grub/menu.lst          10.8.10-3 C.3.2 3)
                          10.8.10-3 C.3.2 4)




via /boot/grub/menu.lst   10.8.10-3 C.3.2 5)


via /etc/fstab            10.8.10-3 C.4 1)


via rpc.ugidd             10.8.10-3 C.4.1 1)


via /etc/exports          10.8.10-3 C.4.1 3)

via                       10.8.10-3 C.5.1 1)

via RC 5 scripts          10.8.10-3 C.5.1 1)


via RC 5 scripts          10.8.10-3 C.5.1 2)


via RC 5 scripts          10.8.10-3 C.5.1 2)


via RC 5 scripts          10.8.10-3 C.5.1 2)


via PAM                   10.8.10-3 C.5.2 1)


via /etc/passwd           10.8.10-3 C.6 1)


via /etc/passwd           10.8.10-3 C.6 1)


via /etc/passwd           10.8.10-3 C.6 2)


via /etc/passwd           10.8.10-3 C.6 2)


via init files            10.8.10-3 C.7 1)


via syslog                10.8.10-3 C.7 2) #1
via syslog                    10.8.10-3 C.7 2) #2


via syslog                    10.8.10-3 C.7 2) #3


via syslog                    10.8.10-3 C.7 2) #4


via syslog                    10.8.10-3 C.7 2) #5


                              10.8.10-3 C.7 2) #8




via syslog                    10.8.10-3 C.7 2) #9




via syslog                    10.8.10-3 C.7 2) #10




via syslog                    10.8.10-3 C.7 2) #11




via syslog                    10.8.10-3 C.7 2) #13


via syslog                    10.8.10-3 C.7 2) #5


via syslog                    10.8.10-3 C.7 2) #4


/etc/security/limits ulimit   10.8.10.4.4 (3)
                                                   CCE
  CCE ID        CCE Description
                                                Parameters



             The rhnsd service should        enabled / disabled
             be enabled or disabled as
CCE-3416-5   appropriate.
                                             enabled / disabled
             The yum-updatesd service
             should be enabled or
CCE-4218-4   disabled as appropriate.
             The AIDE package should         installed / uninstalled
             be installed or not as
CCE-4209-3   appropriate
             The nodev option should         enabled / disabled
             be enabled or disabled as
             appropriate for all non-root
CCE-4249-9   partitions.
             The nodev option should         enabled / disabled
             be enabled or disabled as
             appropriate for all
CCE-3522-0   removable media.
             The noexec option should        enabled / disabled
             be enabled or disabled as
             appropriate for all
CCE-4275-4   removable media.
             The nosuid option should        enabled / disabled
             be enabled or disabled as
             appropriate for all
CCE-4042-8   removable media.
             Console device ownership        root-only / not root-
             should be restricted to root-   only
CCE-3685-5   only as appropriate.
             The USB device support          loaded / not loaded
             module should be loaded
CCE-4187-1   or not as appropriate
                                        installed / uninstalled
             The USB device support
             module should be installed
CCE-4006-3   or not as appropriate
             USB kernel support should enabled / disabled
             be enabled or disabled as
CCE-4173-1   appropriate.
             The ability to boot from   enabled / disabled
             USB devices should be
             enabled or disabled as
CCE-3944-6   appropriate
             The autofs service should      enabled / disabled
             be enabled or disabled as
CCE-4072-5   appropriate.
                                            enabled / disabled
             The GNOME automounter
             (gnome-volume-manager)
             should be enabled or
CCE-4231-7   disabled as appropriate
             The /etc/shadow file should    group
             be owned by the
CCE-3988-3   appropriate group.
             The /etc/group file should     group
             be owned by the
CCE-3883-6   appropriate group.
             The /etc/group file should     user
             be owned by the
CCE-3276-3   appropriate user.
             File permissions for           permissions
             /etc/gshadow should be set
CCE-3932-1   correctly.
             The /etc/gshadow file          group
             should be owned by the
CCE-4064-2   appropriate group.
             The /etc/gshadow file          user
             should be owned by the
CCE-4210-1   appropriate user.
             The /etc/shadow file should    user
             be owned by the
CCE-3918-0   appropriate user.
             File permissions for           permissions
             /etc/passwd should be set
CCE-3566-7   correctly.
             The /etc/passwd file should    user
             be owned by the
CCE-3958-6   appropriate user.
             File permissions for           permissions
             /etc/group should be set
CCE-3967-7   correctly.
             The /etc/passwd file should    group
             be owned by the
CCE-3495-9   appropriate group.
             File permissions for           permissions
             /etc/shadow should be set
CCE-4130-1   correctly.
             The sticky bit should be set   set / not set
             or not set as appropriate
             for all world-writable
CCE-3399-3   directories.
             The world-write permission     enabled / disabled
             should be enabled or
             disabled as appropriate for
CCE-3795-2   all files.
             The sgid bit should be set   set / not set
             or not set as appropriate
CCE-4178-0   for all files.
             The suid bit should be set   set / not set
             or not set as appropriate
CCE-3324-1   for all files.
             All files should be owned    user / none
CCE-4223-4   by a user as appropriate
             All files should be owned    group / none
CCE-3573-3   by a group as appropriate
             The daemon umask should      permissions mask
             be set as appropriate
CCE-4220-0
             Core dumps for all users     enabled / disabled
             should be enabled or
CCE-4225-9   disabled as appropriate
             Core dumps for setuid        enabled / disabled
             programs should be
             enabled or disabled as
CCE-4247-3   appropriate
             ExecShield randomized        enabled / disabled
             placement of virtual
             memory regions should be
             enabled or disabled as
CCE-4146-7   appropriate
             ExecShield should be         enabled / disabled
             enabled or disabled as
CCE-4168-1   appropriate
             Kernel support for the       enabled / disabled
             XD/NX processor feature
             should be enabled or
CCE-4172-3   disabled as appropriate
             The XD/NX processor          enabled / disabled
             feature should be enabled
             or disabled as appropriate
CCE-4177-2   in the BIOS
             Logins through the           enabled/disabled
             specified virtual console
             interface should be
             enabled or disabled as
CCE-3820-8   appropriate
             Logins through the           enabled/disabled
             specified virtual console
             device should be enabled
CCE-3485-0   or disabled as appropriate
             Logins through the primary   enabled/disabled
             console device should be
             enabled or disabled as
CCE-4111-1   appropriate
             Login prompts on serial    enabled/disabled
             ports should be enabled or
             disabled as appropriate.
CCE-4256-4
             Command access to the      enabled/disabled
             root account should be
             enabled or disabled as
CCE-4274-7   appropriate.
             Sudo privileges should     grant/reject
             granted or rejected to the
             wheel group as appropriate
CCE-4044-4
             Login access to non-root      enabled/disabled
             system accounts should be
             enabled or disabled as
CCE-3987-5   appropriate
             Login access to accounts      enabled/disabled
             without passwords should
             be enabled or disabled as
CCE-4238-2   appropriate
             Anonymous root logins are     enabled/disabled
             enabled or disabled as
CCE-4009-7   appropriate
             The password minimum          length of password
             length should be set
CCE-4154-1   appropriately
             The "minimum password         number of days
             age" policy should meet
CCE-4180-6   minimum requirements.
             The "maximum password         number of days
             age" policy should meet
CCE-4092-3   minimum requirements.
             The password warn age         number of days
             should be set appropriately
CCE-4097-2
             NIS file inclusions should
             be set appropriately in the
CCE-4114-5   /etc/passwd file
             The password strength         password strength
             should meet minimum
CCE-3762-2   requirements
             The "account lockout
             threshold" policy should
             meet minimum
CCE-3410-8   requirements.                 number of attempts
             The /usr/sbin/userhelper      group
             file should be owned by the
CCE-4185-5   appropriate group.
             File permissions for          permissions
             /usr/sbin/userhelper should
CCE-3952-9   be set correctly.
             The PATH variable should path
             be set correctly for user
CCE-3301-9   root
             File permissions should be permissions
             set correctly for the home
             directories for all user
CCE-4090-7   accounts.
                                          umask
             The default umask for all
             users should be set
CCE-3844-8   correctly for the bash shell
             The default umask for all
             users should be set
CCE-4227-5   correctly for the csh shell
             The default umask for all
             users should be set
CCE-3870-3   correctly
             The /etc/grub.conf file      user
             should be owned by the
CCE-4144-2   appropriate user.
             File permissions for         permissions
             /etc/grub.conf should be
CCE-3923-0   set correctly.
             The grub boot loader         password
             should have password
             protection enabled or
CCE-3818-2   disabled as appropriate
             The /etc/grub.conf file      group
             should be owned by the
CCE-4197-0   appropriate group.
             The requirement for a        enabled/disabled
             password to boot into
             single-user mode should
CCE-4241-6   be configured correctly.
             The ability for users to     enabled/disabled
             perform interactive startups
             should be enabled or
             disabled as appropriate.
CCE-4245-7
             The idle time-out value for   number of minutes
             the default /bin/tcsh shell
             should meet the minimum
CCE-3689-7   requirements.
             The idle time-out value for   number of minutes
             the default /bin/bash shell
             should meet the minimum
CCE-3707-7   requirements.
             The allowed period of         number of minutes
             inactivity gnome desktop
             lockout should be
CCE-3315-9   configured correctly.
             The vlock package should number of minutes
             be installed or not as
CCE-3910-7   appropriate
             The system login banner       banner text
             text should be set correctly.
CCE-4060-0
             The direct gnome login     banner text/xml
             warning banner should be
CCE-4188-9   set correctly.
             SELinux should be enabled enforcing /
             or disabled as appropriate permissive / disabled
CCE-3977-6
             The SELinux state should      enforcing /
             be set appropriately.         permissive / disabled
CCE-3999-0
             The SELinux policy should targeted / strict / mls
             be set appropriately.
CCE-3624-4
                                           enabled / disabled
             The setroubleshoot service
             should be enabled or
CCE-4254-9   disabled as appropriate.
             The setroubleshoot            installed / uninstalled
             package should be
             installed or uninstalled as
CCE-4148-3   appropriate.
             The mcstrans service          enabled / disabled
             should be enabled or
CCE-3668-1   disabled as appropriate.
             The restorecond service       enabled / disabled
             should be enabled or
CCE-4129-3   disabled as appropriate.
             The default setting for
             sending ICMP redirects
             should be enabled or
             disabled for network
CCE-4151-7   interfaces as appropriate.    enabled / disabled
             Sending ICMP redirects
             should be enabled or
             disabled for all interfaces
CCE-4155-8   as appropriate.               enabled / disabled
             IP forwarding should be
             enabled or disabled as
CCE-3561-8   appropriate.                  enabled / disabled
             Accepting "secure" ICMP
             redirects (those from
             gateways listed in the
             default gateways list)
             should be enabled or
             disabled for all interfaces
CCE-3472-8   as appropriate.               enabled / disabled
             Accepting ICMP redirects
             should be enabled or
             disabled for all interfaces
CCE-4217-6   as appropriate.               enabled / disabled
             Ignoring bogus ICMP
             responses to broadcasts
             should be enabled or
CCE-4133-5   disabled as appropriate.      enabled / disabled
             Sending TCP syncookies
             should be enabled or
CCE-4265-5   disabled as appropriate.      enabled / disabled
             Ignoring ICMP echo
             requests (pings) sent to
             broadcast / multicast
             addresses should be
             enabled or disabled as
CCE-3644-2   appropriate.                  enabled / disabled
             The default setting for
             accepting ICMP redirects
             should be enabled or
             disabled for network
CCE-4186-3   interfaces as appropriate.    enabled / disabled
             Performing source
             validation by reverse path
             should be enabled or
             disabled for all interfaces
CCE-4080-8   as appropriate.               enabled / disabled
             The default setting for
             accepting "secure" ICMP
             redirects (those from
             gateways listed in the
             default gateways list)
             should be enabled or
             disabled for network
CCE-3339-9   interfaces as appropriate.    enabled / disabled
             Logging of "martian"
             packets (those with
             impossible addresses)
             should be enabled or
             disabled for all interfaces
CCE-4320-8   as appropriate.               enabled / disabled
             The default setting for
             performing source
             validation by reverse path
             should be enabled or
             disabled for network
CCE-3840-6   interfaces as appropriate.    enabled / disabled
             The default setting for
             accepting source routed
             packets should be enabled
             or disabled for network
             interfaces as appropriate.
CCE-4091-5                                  enabled / disabled
             Accepting source routed
             packets should be enabled
             or disabled for all interfaces
CCE-4236-6   as appropriate.                enabled / disabled
             All wireless devices should enabled / disabled
             be enabled or disabled in
             the BIOS as appropriate.
CCE-3628-5
             All wireless interfaces        enabled / disabled
             should be enabled or
CCE-4276-2   disabled as appropriate.
             Device drivers for wireless    included / excluded
             devices should be included
             or excluded from the kernel
CCE-4170-7   as appropriate.
             Automatic loading of the       enabled / disabled
             IPv6 kernel module should
             be enabled or disabled as
CCE-3562-6   appropriate.
             Global IPv6 initialization     enabled / disabled
             should be enabled or
CCE-3377-9   disabled as appropriate.
             IPv6 configuration should      enabled / disabled
             be enabled or disabled as
             appropriate for all
CCE-4296-0   interfaces.
             The default setting for IPv6   enabled / disabled
             configuration should be
             enabled or disabled for
             network interfaces as
CCE-3381-1   appropriate.
             Accepting IPv6 router          enabled / disabled
             advertisements should be
             enabled or disabled as
             appropriate for all network
CCE-4269-7   interfaces.
             The default setting for        enabled / disabled
             accepting IPv6 router
             advertisements should be
             enabled or disabled for
             network interfaces as
CCE-4291-1   appropriate.
             Accepting redirects from       enabled / disabled
             IPv6 routers should be
             enabled or disabled as
             appropriate for all network
CCE-4313-3   interfaces.
             The default setting for        enabled / disabled
             accepting redirects from
             IPv6 routers should be
             enabled or disabled for
             network interfaces as
CCE-4198-8   appropriate.
             IPv6 privacy extensions        disabled / lightweight
             should be configured           / rfc3041 (alias yes)
             appropriately for all
CCE-3842-2   interfaces.
             The default setting for        enabled / disabled
             accepting router
             preference via IPv6 router
             advertisement should be
             enabled or disabled for
             network interfaces as
CCE-4221-8   appropriate.
             The default number of          number
             global unicast IPv6
             addresses allowed per
             network interface should be
CCE-4137-6   set appropriately.
             The default number of IPv6     number
             router solicitations for
             network interfaces to send
             should be set appropriately.
CCE-4159-0
             The default number of IPv6 number
             duplicate address detection
             solicitations for network
             interfaces to send per
             configured address should
             be set appropriately.
CCE-3895-0
             The default setting for        enabled / disabled
             autoconfiguring network
             interfaces using prefix
             information in IPv6 router
             advertisements should be
             enabled or disabled as
CCE-4287-9   appropriate.
             The default setting for       enabled / disabled
             accepting prefix
             information via IPv6 router
             advertisement should be
             enabled or disabled for
             network interfaces as
CCE-4058-4   appropriate.
             The default setting for       enabled / disabled
             accepting a default router
             via IPv6 router
             advertisement should be
             enabled or disabled for
             network interfaces as
CCE-4128-5   appropriate.
             The ip6tables service         enabled / disabled
             should be enabled or
CCE-4167-3   disabled as appropriate.
             The iptables service should   enabled / disabled
             be enabled or disabled as
CCE-4189-7   appropriate.
             The syslog service should     enabled / disabled
             be enabled or disabled as
CCE-3679-8   appropriate.
             All syslog log files should   group
             be owned by the
CCE-3701-0   appropriate group.
             File permissions for all      permissions
             syslog log files should be
CCE-4233-3   set correctly.
             All syslog log files should   user
             be owned by the
CCE-4366-1   appropriate user.
             Syslog logs should be sent    sent / not sent
             to a remote loghost or not
CCE-4260-6   as appropriate
             Syslogd should accept         accept / reject
             remote messages or not as
CCE-3382-9   appropriate
             The logrotate (syslog         enabled / disabled
             rotater) service should be
             enabled or disabled as
CCE-4182-2   appropriate.
             The logwatch service          enabled / disabled
             should be enabled or
CCE-4323-2   disabled as appropriate
             The auditd service should     enabled / disabled
             be enabled or disabled as
CCE-4292-9   appropriate.
             The inetd service should be   enabled / disabled
             enabled or disabled as
CCE-4234-1   appropriate.
             The xinetd service should enabled / disabled
             be enabled or disabled as
CCE-4252-3   appropriate.
             The inetd package should installed / uninstalled
             be installed or uninstalled
CCE-4023-8   as appropriate.
             The xinetd package should installed / uninstalled
             be installed or uninstalled
             as appropriate.
CCE-4164-0
             The telnet service should enabled / disabled
             be enabled or disabled as
CCE-3390-2   appropriate.
             The telnet-server package installed / uninstalled
             should be installed or
             uninstalled as appropriate.
CCE-4330-7
             The rcp service should be     enabled / disabled
             enabled or disabled as
CCE-3974-3   appropriate.
             The rsh service should be     enabled / disabled
             enabled or disabled as
CCE-4141-8   appropriate.
             The rlogin service should     enabled / disabled
             be enabled or disabled as
CCE-3537-8   appropriate.
             The rsh package should be     installed / uninstalled
             installed or uninstalled as
CCE-4308-3   appropriate.
             The ypbind service should     enabled / disabled
             be enabled or disabled as
CCE-3705-1   appropriate.
             The ypserv package should     installed / uninstalled
             be installed or uninstalled
             as appropriate.
CCE-4348-9
             The tftp service should be enabled / disabled
             enabled or disabled as
CCE-4273-9   appropriate.
             The tftp-server package     installed / uninstalled
             should be installed or
             uninstalled as appropriate.
CCE-3916-4
             The firstboot service
             should be enabled or
CCE-3412-4   disabled as appropriate.  enabled / disabled
             The gpm service should be enabled / disabled
             enabled or disabled as
CCE-4229-1   appropriate.
             The irqbalance service    enabled / disabled
             should be enabled or
CCE-4123-6   disabled as appropriate.
             The isdn service should be    enabled / disabled
             enabled or disabled as
CCE-4286-1   appropriate.
             The kdump service should      enabled / disabled
             be enabled or disabled as
CCE-3425-6   appropriate.
             The kudzu service should      enabled / disabled
             be enabled or disabled as
CCE-4211-9   appropriate.
             The mdmonitor service         enabled / disabled
             should be enabled or
CCE-3854-7   disabled as appropriate.
             The microcode_ctl service     enabled / disabled
             should be enabled or
             disabled as appropriate.
CCE-4356-2
             The network service should    enabled / disabled
             be enabled or disabled as
CCE-4369-5   appropriate.
             The pcscd service should      enabled / disabled
             be enabled or disabled as
CCE-4100-4   appropriate.
             The smartd service should     enabled / disabled
             be enabled or disabled as
CCE-3455-3   appropriate.
             The readahead_early           enabled / disabled
             service should be enabled
             or disabled as appropriate.
CCE-4421-4
             The readahead_later         enabled / disabled
             service should be enabled
             or disabled as appropriate.
CCE-4302-6
             The messagebus service        enabled / disabled
             should be enabled or
CCE-3822-4   disabled as appropriate.
             The haldaemon service         enabled / disabled
             should be enabled or
CCE-4364-6   disabled as appropriate.
             The bluetooth service         enabled / disabled
             should be enabled or
CCE-4355-4   disabled as appropriate.
             The hidd service should be    enabled / disabled
             enabled or disabled as
CCE-4377-8   appropriate.
             The apmd service should       enabled / disabled
             be enabled or disabled as
CCE-4289-5   appropriate.
             The acpid service should      enabled / disabled
             be enabled or disabled as
CCE-4298-6   appropriate.
             The cpuspeed service           enabled / disabled
             should be enabled or
CCE-4051-9   disabled as appropriate.
             The crond service should       enabled / disabled
             be enabled or disabled as
CCE-4324-0   appropriate.
             The anacron service            enabled / disabled
             should be enabled or
CCE-4406-5   disabled as appropriate.
             The anacron package            installed / uninstalled
             should be installed or
             uninstalled as appropriate.
CCE-4428-9
             The /etc/cron.monthly file     group
             should be owned by the
CCE-4322-4   appropriate group.
             File permissions for           permissions
             /etc/cron.daily should be
CCE-4450-3   set correctly.
             The /etc/cron.weekly file      group
             should be owned by the
CCE-4331-5   appropriate group.
             The /etc/crontab file should   user
             be owned by the
CCE-3851-3   appropriate user.
             The /etc/anacrontab file       user
             should be owned by the
CCE-4379-4   appropriate user.
             File permissions for           permissions
             /etc/crontab should be set
CCE-4388-5   correctly.
             The /etc/cron.hourly file      group
             should be owned by the
CCE-4054-3   appropriate group.
             The /etc/cron.monthly file     user
             should be owned by the
CCE-4441-2   appropriate user.
             The /etc/cron.d file should    group
             be owned by the
CCE-4212-7   appropriate group.
             The /etc/cron.d file should    user
             be owned by the
CCE-4380-2   appropriate user.
             The /etc/cron.weekly file      user
             should be owned by the
CCE-3833-1   appropriate user.
             The /etc/anacrontab file       group
             should be owned by the
CCE-3604-6   appropriate group.
             File permissions for           permissions
             /etc/cron.hourly should be
CCE-4106-1   set correctly.
             The /etc/cron.hourly file      user
             should be owned by the
CCE-3983-4   appropriate user.
             The /etc/crontab file should   group
             be owned by the
CCE-3626-9   appropriate group.
             The /etc/cron.daily file       user
             should be owned by the
CCE-4022-0   appropriate user.
             File permissions for           permissions
             /etc/anacrontab should be
CCE-4304-2   set correctly.
             File permissions for           permissions
             /etc/cron.weekly should be
CCE-4203-6   set correctly.
             File permissions for           permissions
             /etc/cron.monthly should be
CCE-4251-5   set correctly.
             The /etc/cron.daily file       group
             should be owned by the
CCE-3481-9   appropriate group.
             File permissions for           permissions
             /etc/cron.d should be set
CCE-4250-7   correctly.
             The sshd service should be     enabled / disabled
             enabled or disabled as
CCE-4268-9   appropriate.
             SSH should be installed or     installed / uninstalled
             uninstalled as appropriate
CCE-4272-1
             Inbound connections to the allow / deny
             ssh port should be allowed
             or denied as appropriate
CCE-4295-2
                                          permitted / not
             SSH version 1 protocol       permitted
             support should be enabled
CCE-4325-7   or disabled as appropriate.
             The SSH idle timout          integer (seconds)
             interval should be set to an
CCE-3845-5   appropriate value
             Emulation of the rsh         enabled / disabled
             command through the ssh
             server should be enabled
             or disabled as appropriate
CCE-4475-0
             SSH host-based                 enabled / disabled
             authentication should be
             enabled or disabled as
CCE-4370-3   appropriate
             Root login via SSH should    enabled / disabled
             be enabled or disabled as
CCE-4387-7   appropriate
             Remote connections from      enabled / disabled
             accounts with empty
             passwords should be
             enabled or disabled as
CCE-3660-8   appropriate
             SSH warning banner           enabled / disabled
             should be enabled or
CCE-4431-3   disabled as appropriate
             X Windows should be          enabled / disabled
             enabled or disabled at
             system boot as appropriate
CCE-4462-8
             X Windows should be          installed/removed
             installed or removed as
CCE-4422-2   appropriate
             DEPRECTATED in favor of
CCE-4303-4   CCE-4448-7
             The xfs service should be    enabled / disabled
             enabled or disabled as
CCE-4448-7   appropriate.
             X Windows System             enabled / disabled
             Listening for remote
             connections should be
             enabled or disabled as
CCE-4074-1   appropriate
             Warning banners for gui      enabled / disabled
             login users should be
             enabled or disabled as
CCE-3717-6   appropriate
             The avahi-daemon service     enabled / disabled
             should be enabled or
CCE-4365-3   disabled as appropriate.
             The Avahi daemon should      serve / not serve
             be configured to serve via
CCE-4136-8   Ipv6 or not as appropriate
             The Avahi daemon should      serve / not serve
             be configured to serve via
CCE-4409-9   Ipv4 or not as appropriate
             Avahi should be configured   accept / reject
             to accept packets with a
             TTL field not equal to 255
             or not as appropriate
CCE-4426-3
             Avahi should be configured allow / disallow
             to allow other stacks from
             binding to port 5353 or not
             as appropriate
CCE-4193-9
             Avahi publishing of local      enabled / disabled
             information should be
             enabled or disabled as
CCE-4444-6   appropriate
             Avahi publishing of local      enabled / disabled
             information by user
             applications should be
             enabled or disabled as
CCE-4352-1   appropriate
             Avahi publishing of            enabled / disabled
             hardware information
             should be enabled or
CCE-4433-9   disabled as appropriate
             Avahi publishing of            enabled / disabled
             workstation name should
             be enabled or disabled as
CCE-4451-1   appropriate
             Avahi publishing of IP         enabled / disabled
             addresses should be
             enabled or disabled as
CCE-4341-4   appropriate
             Avahi publishing of domain     enabled / disabled
             name should be enabled or
             disabled as appropriate
CCE-4358-8
             The cups service should be enabled / disabled
             enabled or disabled as
CCE-4112-9   appropriate.
             CUPS service should be      enabled/disabled
             enabled or disabled as
CCE-3755-6   appropriate
             Firewall access to printing enabled / disabled
             service should be enabled
             or disabled as appropriate
CCE-3649-1
             Remote print browsing          enabled / disabled
             should be enabled or
CCE-4420-6   disabled as appropriate
             CUPS should be allowed or      allow / deny
             denied the ability to listen
             for Incoming printer
CCE-4407-3   information as appropriate
             The hplip service should be    enabled / disabled
             enabled or disabled as
CCE-4425-5   appropriate.
             The dhcp client service        enabled / disabled
             should be enabled or
             disabled as appropriate for
CCE-4191-3   each interface.
             The dhcpd service should       enabled / disabled
             be enabled or disabled as
CCE-4336-4   appropriate.
             The dhcp package should installed / uninstalled
             be installed or uninstalled
CCE-4464-4   as appropriate.
             The dynamic DNS feature enabled / disabled
             of the DHCP server should
             be enabled or disabled as
CCE-4257-2   appropriate
             DHCPDECLINE messages accepted / denied
             should be accepted or
             denied by the DHCP server
             as appropriate
CCE-4403-2
             BOOTP queries should be accepted / denied
             accepted or denied by the
             DHCP server as
CCE-4345-5   appropriate
             Domain name server         sent / not sent
             information should be sent
             or not sent by the DHCP
             server as appropriate.
CCE-3724-2
             Default routers should be sent / not sent
             sent or not sent by the
             DHCP server as
CCE-4243-2   appropriate.
             Domain name should be     sent / not sent
             sent or not sent by the
             DHCP server as
CCE-4389-3   appropriate.
             NIS domain should be sent sent / not sent
             or not sent by the DHCP
             server as appropriate.
CCE-3913-1
             NIS servers should be sent sent / not sent
             or not sent by the DHCP
             server as appropriate.
CCE-4169-9
             Time offset should be sent sent / not sent
             or not sent by the DHCP
             server as appropriate.
CCE-4318-2
             NTP servers should be      sent / not sent
             sent or not sent by the
             DHCP server as
CCE-4319-0   appropriate.
             dhcpd logging should be    enabled / disabled
             enabled or disabled as
CCE-3733-3   appropriate.
             The ntpd service should be enabled / disabled
             enabled or disabled as
CCE-4376-0   appropriate.
             Network access to ntpd        allow / deny
             should be allowed or
CCE-4134-3   denied as appropriate
             A remote NTP Server for       ip address
             time synchronization
             should be specified or not
CCE-4385-1   as appropriate
             OpenNTPD should be            installed / uninstalled
             installed or uninstalled as
CCE-4032-9   appropriate
             The ntp daemon should be      enabled / disabled
             enabled or disabled as
CCE-4424-8   appropriate
             The ntp daemon                local ntp server
             synchronization server
             should be set appropriately
CCE-3487-6
             The sendmail service        enabled / disabled
             should be enabled or
CCE-4416-4   disabled as appropriate.
             The listening sendmail      enabled / disabled
             daemon should be enabled
             or disabled as appropriate.
CCE-4293-7
             The ldap service should be enabled / disabled
             enabled or disabled as
CCE-3501-4   appropriate.
                                            permissions
             File permissions for
             /etc/pki/tls/CA/cacert.pem
CCE-4360-4   should be set correctly.
                                            permissions
             File permissions for
             /etc/pki/tls/ldap/serverkey.p
CCE-4378-6   em should be set correctly.
             The /etc/pki/tls/ldap file     user
             should be owned by the
CCE-4492-5   appropriate user.
                                            permissions
             File permissions for
             /etc/pki/tls/ldap/servercert.p
CCE-4263-0   em should be set correctly.
                                            user
             The
             /etc/pki/tls/ldap/serverkey.p
             em file should be owned by
CCE-3502-2   the appropriate user.
             The                            user
             /etc/pki/tls/CA/cacert.pem
             file should be owned by the
CCE-4449-5   appropriate user.
             File permissions for           permissions
             /etc/pki/tls/ldap should be
CCE-4361-2   set correctly.
             The                            group
             /etc/pki/tls/CA/cacert.pem
             file should be owned by the
CCE-4427-1   appropriate group.
                                            group
             The
             /etc/pki/tls/ldap/serverkey.p
             em file should be owned by
CCE-4321-6   the appropriate group.
             The /etc/pki/tls/ldap file     group
             should be owned by the
CCE-4339-8   appropriate group.
                                            user
             The
             /etc/pki/tls/ldap/servercert.p
             em file should be owned by
CCE-4105-3   the appropriate user.
                                            group
             The
             /etc/pki/tls/ldap/servercert.p
             em file should be owned by
CCE-3718-4   the appropriate group.
             The /var/lib/ldap/* files      group
             should be owned by the
CCE-4484-2   appropriate group.
             The /var/lib/ldap/* files      user
             should be owned by the
CCE-4502-1   appropriate user.
             The nfslock service should enabled / disabled
             be enabled or disabled as
CCE-4396-8   appropriate.
             The rpcgssd service should enabled / disabled
             be enabled or disabled as
CCE-3535-2   appropriate.
             The rpcidmapd service          enabled / disabled
             should be enabled or
CCE-3568-3   disabled as appropriate.
             The netfs service should       enabled / disabled
             be enabled or disabled as
CCE-4533-6   appropriate.
             The portmap service            enabled / disabled
             should be enabled or
CCE-4550-0   disabled as appropriate.
             The lockd service should       static / dynamic
             be configured to use a
             static port or a dynamic
             portmapper port for TCP as
CCE-4559-1   appropriate
             The statd service should be   static / dynamic
             configured to use an
             outgoing static port or an
             outgoing dynamic
             portmapper port as
CCE-4015-4   appropriate
             The statd service should be   static / dynamic
             configured to use a static
             port or a dynamic
             portmapper port as
CCE-3667-3   appropriate
             The lockd service should      static / dynamic
             be configured to use a
             static port or a dynamic
             portmapper port for UDP
CCE-4310-9   as appropriate
             The mountd service should     static / dynamic
             be configured to use a
             static port or a dynamic
             portmapper port as
CCE-4438-8   appropriate
             The rquotad service should    static / dynamic
             be configured to use a
             static port or a dynamic
             portmapper port as
CCE-3579-0   appropriate
             The nfs service should be     enabled / disabled
             enabled or disabled as
CCE-4473-5   appropriate
             The rpcsvcgssd service        enabled / disabled
             should be enabled or
CCE-4491-7   disabled as appropriate
             The nodev option should       enabled / disabled
             be enabled or disabled for
             all NFS mounts as
CCE-4368-7   appropriate
             The nosuid option should      enabled / disabled
             be enabled or disabled for
             all NFS mounts as
CCE-4024-6   appropriate
             The noexec option should      enabled / disabled
             be enabled or disabled for
             all NFS mounts as
CCE-4526-0   appropriate
             Root squashing should be      enabled / disabled
             enabled or disabled as
             appropriate for all NFS
CCE-4544-3   shares
             Restriction of NFS clients    enabled / disabled
             to privileged ports should
             be enabled or disabled as
CCE-4465-1   appropriate
             Write access to NFS           enabled / disabled
             shares should be enabled
CCE-4350-5   or disabled as appropriate
             The named service should      enabled / disabled
             be enabled or disabled as
CCE-3578-2   appropriate.
             The bind package should       installed / uninstalled
             be installed or uninstalled
CCE-4219-2   as appropriate.
             The                           group
             /var/named/chroot/etc/nam
             ed.conf file should be
             owned by the appropriate
CCE-3985-9   group.
             File permissions for          permissions
             /var/named/chroot/etc/nam
             ed.conf should be set
CCE-4487-5   correctly.
             The                           user
             /var/named/chroot/etc/nam
             ed.conf file should be
             owned by the appropriate
CCE-4258-0   user.
             LDAP's dynamic updates        enabled / disabled
             feature should be enabled
CCE-4399-2   or disabled as appropriate
             The vsftpd service should     enabled / disabled
             be enabled or disabled as
CCE-3919-8   appropriate.
             Logging of vsftpd             enabled / disabled
             transactions should be
             enabled or disabled as
CCE-4549-2   appropriate
             A warning banner for all      enabled / disabled
             FTP users should be
             enabled or disabled as
CCE-4554-2   appropriate
             Local user login to the       enabled / disabled
             vsftpd service should be
             enabled or disabled as
CCE-4443-8   appropriate
             File uploads via vsftpd       enabled / disabled
             should be enabled or
CCE-4461-0   disabled as appropriate
             The httpd service should      enabled / disabled
             be enabled or disabled as
CCE-4338-0   appropriate.
             The httpd package should      installed / uninstalled
             be installed or uninstalled
CCE-4514-6   as appropriate.
             The apache 2 server       installed / uninstalled
             software should be
             installed or removed as
CCE-4346-3   appropriate
             The apache2 server's      text
             ServerTokens value should
             be set appropriately
CCE-4474-3
             The apache2 server's
             ServerSignature value
             should be set appropriately
CCE-3756-4
             File permissions for           permissions
             /etc/httpd/conf should be
CCE-4509-6   set correctly.
             File permissions for           permissions
             /etc/httpd/conf/* should be
CCE-4386-9   set correctly.
             File permissions for           permissions
             /usr/sbin/httpd should be
CCE-4029-5   set correctly.
             The /etc/httpd/conf/* files
             should be owned by the
CCE-3581-6   appropriate group.
             File permissions for           permissions
             /var/log/httpd should be set
CCE-4574-0   correctly.
             The dovecot service should     enabled / disabled
             be enabled or disabled as
CCE-3847-1   appropriate.
             The dovecot package            installed / uninstalled
             should be installed or
             uninstalled as appropriate.
CCE-4239-0
             Dovecot should be              support / not support
             configured to support the
             imaps protocol or not as
CCE-4384-4   necessary
             Dovecot should be              support / not support
             configured to support the
             pop3s protocol or not as
CCE-3887-7   necessary
             Dovecot should be              support / not support
             configured to support the
             pop3 protocol or not as
CCE-4530-2   necessary
             Dovecot should be              support / not support
             configured to support the
             imap protocol or not as
CCE-4547-6   necessary
             Dovecot plaintext          enabled / disabled
             authentication of clients
             should be enabled or
CCE-4552-6   disabled as necessary
             The Dovecot option to drop enabled / disabled
             privileges to user before
             executing mail process
             should be enabled or not
             as appropriate
CCE-4371-1
             The Dovecot option to         enabled / disabled
             spawn a new login process
             per connection should be
             enabled or not as
CCE-4410-7   appropriate
             The smb service should be     enabled / disabled
             enabled or disabled as
CCE-4551-8   appropriate.
             The squid service should      enabled / disabled
             be enabled or disabled as
CCE-4556-7   appropriate.
             The squid package should      installed / uninstalled
             be installed or uninstalled
             as appropriate.
CCE-4076-6
             The Squid option to force     enabled / disabled
             FTP passive connections
             should be enabled or not
CCE-4454-5   as appropriate
             The Squid max request         data length
             HTTP header length should
             be set to an appropriate
CCE-4353-9   value
             The Squid option to check     enabled / disabled
             for RFC compliant
             hostnames should be
             enabled or not as
CCE-4503-9   appropriate
             The Squid option to ignore    enabled / disabled
             unknown nameservers
             should be enabled or not
             as appropriate
CCE-3585-7
             The Squid max reply HTTP data length
             header length should be
             set to an appropriate value
CCE-4419-8
             The Squid EUID should be user
             set to an appropriate user
CCE-3692-1
             The Squid option to       enabled / disabled
             perform FTP sanity checks
             should be enabled or not
             as appropriate
CCE-4459-4
             The Squid GUID should be group
             set to an appropriate group
CCE-4476-8
             The Squid option to show enabled / disabled
             proxy client IP addresses in
             HTTP headers should be
             enabled or disabled as
CCE-4181-4   appropriate
             The Squid option to log      enabled / disabled
             HTTP MIME headers
             should be enabled or
CCE-4577-3   disabled as appropriate
             The Squid option to allow enabled / disabled
             underscores in hostnames
             should be enabled or
             disabled as appropriate
CCE-4344-8
             The Squid option to         enabled / disabled
             suppress the httpd version
             string should be enabled or
             disabled as appropriate
CCE-4494-1
             Squid should be configured allow / deny
             to allow gss-http traffic or
             not as appropriate
CCE-4511-2
             Squid should be configured allow / deny
             to allow https traffic or not
             as appropriate
CCE-4529-4
             Squid should be configured allow / deny
             to allow wais traffic or not
             as appropriate
CCE-3610-3
             Squid should be configured allow / deny
             to allow multiling http traffic
             or not as appropriate
CCE-4466-9
             Squid should be configured allow / deny
             to allow http traffic or not as
             appropriate
CCE-4607-8
             Squid should be configured allow / deny
             to allow ftp traffic or not as
             appropriate
CCE-4255-6
             Squid should be configured allow / deny
             to allow gopher traffic or
             not as appropriate
CCE-4127-7
             Squid should be configured allow / deny
             to allow filemaker traffic or
             not as appropriate
CCE-4519-5
             Squid proxy access to       allow / deny
             localhost should be allowed
             or denied as appropriate
CCE-4413-1
             Squid should be configured allow / deny
             to allow http-mgmt traffic or
             not as appropriate
CCE-4373-7
             The snmpd service should enabled / disabled
             be enabled or disabled as
CCE-3765-5   appropriate.
             The net-smtp package        installed / uninstalled
             should be installed or
             uninstalled as appropriate.
CCE-4404-0
                                                       NSA "Guide to the
                                                     Secure Configuration of
                 CCE Technical Mechanisms
                                                       Red Hat Enterprise
                                                       Linux 5" (Section)


via chkconfig                                        2.1.2.2


via chkconfig                                        2.1.2.3.2



via yum                                              2.1.3.1.1


via /etc/fstab                                       2.2.1.1



via /etc/fstab                                       2.2.1.2



via /etc/fstab                                       2.2.1.2



via /etc/fstab                                       2.2.1.2



via /etc/security/console.perms.d/50-default.perms   2.2.2.1


via /etc/modprobe.conf                               2.2.2.2.1


via kernel                                           2.2.2.2.2



via /etc/grub.conf                                   2.2.2.2.3


via BIOS                                             2.2.2.2.4
via chkconfig   2.2.2.3


via gconf       2.2.2.4




via chown       2.2.3.1


via chown       2.2.3.1


via chown       2.2.3.1


via chmod       2.2.3.1


via chown       2.2.3.1


via chown       2.2.3.1


via chown       2.2.3.1


via chmod       2.2.3.1


via chown       2.2.3.1


via chmod       2.2.3.1


via chown       2.2.3.1


via chmod       2.2.3.1


via chmod       2.2.3.2



via chmod       2.2.3.3
via chmod                                2.2.3.4


via chmod                                2.2.3.4


via chown                                2.2.3.5

via chgrp                                2.2.3.5

via /etc/sysconfig/init                  2.2.4.1


via /etc/security/limits.conf            2.2.4.2


via sysctl - fs.suid_dumpable            2.2.4.2



via sysctl - kernel.randomize_va_space   2.2.4.3




via sysctl - kernel.exec-shield          2.2.4.3


via kernel-PAE                           2.2.4.4.2



via BIOS                                 2.2.4.4.3



via /etc/securetty                       2.3.1.1




via /etc/securetty                       2.3.1.1



via /etc/securetty                       2.3.1.1
via /etc/securetty    2.3.1.1



via pam               2.3.1.2



vi /etc/sudoers       2.3.1.3



via /etc/passwd       2.3.1.4



via /etc/shadow       2.3.1.5



via /etc/passwd       2.3.1.6


via /etc/login.defs   2.3.1.7


via /etc/login.defs   2.3.1.7


via /etc/login.defs   2.3.1.7


via /etc/login.defs   2.3.1.7


                      2.3.1.8


via PAM               2.3.3.1


via PAM               2.3.3.2



via chgrp             2.3.3.4


via chmod             2.3.3.4
                          2.3.4.1


                          2.3.4.2



umask                     2.3.4.4



                          2.3.4.4


                          2.3.4.4


via chown                 2.3.5.2


via chmod                 2.3.5.2


via /etc/grub.conf        2.3.5.2



via chown                 2.3.5.2


via /etc/inittab          2.3.5.3



via /etc/sysconfig/init   2.3.5.4




via autolockout           2.3.5.5



via /etc/profile.d        2.3.5.5



via gconftool-2           2.3.5.6.1
via gconftool-2                                     2.3.5.6.1


via /etc/issue                                      2.3.7.1


via RHEL.xml                                        2.3.7.2


via /etc/selinux/config                             2.4.2


via /etc/selinux/config                             2.4.2


via /etc/selinux/config                             2.4.2


via chkconfig                                       2.4.3.1



via yum                                             2.4.3.1



via chkconfig                                       2.4.3.2


via chkconfig                                       2.4.3.3


via sysctl - net.ipv4.conf.default.send_redirects   2.5.1.1




via sysctl - net.ipv4.conf.all.send_redirects       2.5.1.1



via sysctl - net.ipv4.ip_forward                    2.5.1.1


via sysctl - net.ipv4.conf.all.secure_redirects     2.5.1.2
via sysctl - net.ipv4.conf.all.accept_redirects          2.5.1.2



via sysctl - net.ipv4.icmp_ignore_bogus_error_messages   2.5.1.2



via sysctl - net.ipv4.tcp_syncookies                     2.5.1.2


via sysctl - net.ipv4.icmp_echo_ignore_broadcasts        2.5.1.2




via sysctl - net.ipv4.conf.default.accept_redirects      2.5.1.2




via sysctl - net.ipv4.conf.all.rp_filter                 2.5.1.2




via sysctl - net.ipv4.conf.default.secure_redirects      2.5.1.2




via sysctl - net.ipv4.conf.all.log_martians              2.5.1.2




via sysctl - net.ipv4.conf.default.rp_filter             2.5.1.2
via sysctl - net.ipv4.conf.default.accept_source_route             2.5.1.2




via sysctl - net.ipv4.conf.all.accept_source_route                 2.5.1.2



via BIOS menus                                                     2.5.2.2.1



via ifconfig                                                       2.5.2.2.2


via modprobe                                                       2.5.2.2.3



via /etc/modprobe.conf                                             2.5.3.1.1



via /etc/sysconfig/network                                         2.5.3.1.2


via IPV6INIT in /etc/sysconfig/network-scripts/ifcfg-<interface>   2.5.3.1.2



via /etc/sysconfig/network                                         2.5.3.1.2




via sysctl -w net.ipv6.conf.default.accept_ra=1                    2.5.3.2.1




via IPV6_AUTOCONF in /etc/sysconfig/network                        2.5.3.2.1
via sysctl -w net.ipv6.conf.default.accept_redirects=1      2.5.3.2.1




via IPV6_AUTOCONF in /etc/sysconfig/network                 2.5.3.2.1




via IPV6_PRIVACY in /etc/sysconfig/network-scripts/ifcfg-   2.5.3.2.3
<interface>


via sysctl - net.ipv6.conf.default.accept_ra_rtr_pref       2.5.3.2.5




via sysctl - net.ipv6.conf.default.max_addresses            2.5.3.2.5




via sysctl - net.ipv6.conf.default.router_solicitations     2.5.3.2.5




via sysctl - net.ipv6.conf.default.dad_transmits            2.5.3.2.5




via sysctl - net.ipv6.conf.default.autoconf                 2.5.3.2.5
via sysctl - net.ipv6.conf.default.accept_ra_pinfo    2.5.3.2.5




via sysctl - net.ipv6.conf.default.accept_ra_defrtr   2.5.3.2.5




via chkconfig                                         2.5.5.1


via chkconfig                                         2.5.5.1


via chkconfig                                         2.6.1


via chown                                             2.6.1.2


via chmod                                             2.6.1.2


via chown                                             2.6.1.2


via /etc/syslog.conf                                  2.6.1.3


via /etc/sysconfig/syslog                             2.6.1.4


via cron                                              2.6.1.5



via cron                                              2.6.1.6


via chkconfig                                         2.6.2.1


via chkconfig                                         3.2.1
via chkconfig   3.2.1


via yum         3.2.1


via yum         3.2.1



via chkconfig   3.2.2


via yum         3.2.2



via chkconfig   3.2.3.1


via chkconfig   3.2.3.1


via chkconfig   3.2.3.1


via yum         3.2.3.1


via chkconfig   3.2.4


via yum         3.2.4



via chkconfig   3.2.5


via yum         3.2.5



via chkconfig   3.3.1


via chkconfig   3.3.2


via chkconfig   3.3.3
via chkconfig   3.3.4


via chkconfig   3.3.5


via chkconfig   3.3.6


via chkconfig   3.3.7


via chkconfig   3.3.8



via chkconfig   3.3.9


via chkconfig   3.3.10


via chkconfig   3.3.11


via chkconfig   3.3.12



via chkconfig   3.3.12



via chkconfig   3.3.13.1


via chkconfig   3.3.13.2


via chkconfig   3.3.14.1


via chkconfig   3.3.14.2


via chkconfig   3.3.15.1


via chkconfig   3.3.15.2
via chkconfig   3.3.15.3


via chkconfig   3.4


via chkconfig   3.4.1


via yum         3.4.1



via chown       3.4.2


via chmod       3.4.2


via chown       3.4.2


via chown       3.4.2


via chown       3.4.2


via chmod       3.4.2


via chown       3.4.2


via chown       3.4.2


via chown       3.4.2


via chown       3.4.2


via chown       3.4.2


via chown       3.4.2


via chmod       3.4.2
via chown                  3.4.2


via chown                  3.4.2


via chown                  3.4.2


via chmod                  3.4.2


via chmod                  3.4.2


via chmod                  3.4.2


via chown                  3.4.2


via chmod                  3.4.2


via chkconfig              3.5.1.1


via yum                    3.5.1.1


/etc/sysconfig/iptables    3.5.1.2



via /etc/ssh/sshd_config   3.5.2.1



via /etc/ssh/sshd_config   3.5.2.3


via /etc/ssh/sshd_config   3.5.2.4




via /etc/ssh/sshd_config   3.5.2.5
via /etc/ssh/sshd_config           3.5.2.6


via /etc/ssh/sshd_config           3.5.2.7




via /etc/ssh/sshd_config           3.5.2.8


via /etc/inittab                   3.6.1.1



via yum                            3.6.1.2




via chkconfig                      3.6.1.3.1


via /etc/X11/xinit/xserverrc       3.6.1.3.2




via /etc/gdm/custom.conf           3.6.2.1



via chkconfig                      3.7.1.1


via /etc/avahi/avahi-daemon.conf   3.7.2.1


via /etc/avahi/avahi-daemon.conf   3.7.2.1


via /etc/avahi/avahi-daemon.conf   3.7.2.2




via /etc/avahi/avahi-daemon.conf   3.7.2.3
via /etc/avahi/avahi-daemon.conf                 3.7.2.4



via /etc/avahi/avahi-daemon.conf                 3.7.2.5




via /etc/avahi/avahi-daemon.conf                 3.7.2.5



via /etc/avahi/avahi-daemon.conf                 3.7.2.5



via /etc/avahi/avahi-daemon.conf                 3.7.2.5



via /etc/avahi/avahi-daemon.conf                 3.7.2.5



via chkconfig                                    3.8.1


via chkconfig                                    3.8.1


via /etc/sysconfig/iptables                      3.8.2



via /etc/cups/cupsd.conf                         3.8.3.1.1


via /etc/cups/cupsd.conf                         3.8.3.1.1



via chkconfig                                    3.8.4.1


via /etc/sysconfig/network-scripts/ifcfg-IFACE   3.9.1



via chkconfig                                    3.9.3
via yum                3.9.3


via /etc/dhcpd.conf    3.9.4.1



via /etc/dhcpd.conf    3.9.4.2




via /etc/dhcpd.conf    3.9.4.3



via /etc/dhcpd.conf    3.9.4.4




via /etc/dhcpd.conf    3.9.4.4



via /etc/dhcpd.conf    3.9.4.4



via /etc/dhcpd.conf    3.9.4.4



via /etc/dhcpd.conf    3.9.4.4



via /etc/dhcpd.conf    3.9.4.4



via /etc/dhcpd.conf    3.9.4.4



via /etc/syslog.conf   3.9.4.5


via chkconfig          3.10.2.2.1
via /etc/ntp.conf              3.10.2.2.2


via /etc/ntp.conf              3.10.2.2.3



via openntpd package           3.10.3.1


via /etc/rc.local              3.10.3.2.1


via /usr/local/etc/ntpd.conf   3.10.3.2.2



via chkconfig                  3.11


via /etc/sysconfig/sendmail    3.11.2.1



via chkconfig                  3.12.3.1


via chmod                      3.12.3.4.2



via chmod                      3.12.3.4.2



via chown                      3.12.3.4.2


via chmod                      3.12.3.4.2



via chown                      3.12.3.4.2




via chown                      3.12.3.4.2
via chmod                3.12.3.4.2


via chown                3.12.3.4.2



via chown                3.12.3.4.2




via chown                3.12.3.4.2


via chown                3.12.3.4.2




via chown                3.12.3.4.2




via chown                3.12.3.7


via chown                3.12.3.7


via chkconfig            3.13.1.1


via chkconfig            3.13.1.1


via chkconfig            3.13.1.1


via chkconfig            3.13.1.2


via chkconfig            3.13.1.3


via /etc/sysconfig/nfs   3.13.2.3
via /etc/sysconfig/nfs   3.13.2.3




via /etc/sysconfig/nfs   3.13.2.3




via /etc/sysconfig/nfs   3.13.2.3




via /etc/sysconfig/nfs   3.13.2.3




via /etc/sysconfig/nfs   3.13.2.3




via chkconfig            3.13.3.1


via chkconfig            3.13.3.1


via /etc/fstab           3.13.3.2



via /etc/fstab           3.13.3.2



via /etc/fstab           3.13.3.2



via /etc/exports         3.13.4.1.2



via /etc/exports         3.13.4.1.3
via /etc/exports       3.13.4.1.4


via chkconfig          3.14.1


via yum                3.14.1


via chown              3.14.3.2




via chmod              3.14.3.2



via chown              3.14.3.2




via /etc/named.conf    3.14.4.5


via chkconfig          3.15.1


via /etc/vsftpd.conf   3.15.3.1



via /etc/vsftpd.conf   3.15.3.2



via /etc/vsftpd.conf   3.15.3.3.1



via /etc/vsftpd.conf   3.15.3.4


via chkconfig          3.16.1


via yum                3.16.1
via yum                          3.16.2.1



via /etc/httpd/conf/httpd.conf   3.16.3.1



via /etc/httpd/conf/httpd.conf   3.16.3.1



via chmod                        3.16.5.1


via chmod                        3.16.5.1


via chmod                        3.16.5.1


via chgrp                        3.16.5.1


via chmod                        3.16.5.1


via chkconfig                    3.17.1


via yum                          3.17.1



via /etc/dovecot.conf            3.17.2.1



via /etc/dovecot.conf            3.17.2.1



via /etc/dovecot.conf            3.17.2.1



via /etc/dovecot.conf            3.17.2.1
via /etc/dovecot.conf       3.17.2.2.4



via /etc/dovecot.conf       3.17.2.3




via /etc/dovecot.conf       3.17.2.3




via chkconfig               3.18.1


via chkconfig               3.19.1


via yum                     3.19.1



via /etc/squid/squid.conf   3.19.2.2



via /etc/squid/squid.conf   3.19.2.2



via /etc/squid/squid.conf   3.19.2.2




via /etc/squid/squid.conf   3.19.2.2




via /etc/squid/squid.conf   3.19.2.2



via /etc/squid/squid.conf   3.19.2.2
via /etc/squid/squid.conf   3.19.2.2




via /etc/squid/squid.conf   3.19.2.2


via /etc/squid/squid.conf   3.19.2.3




via /etc/squid/squid.conf   3.19.2.3



via /etc/squid/squid.conf   3.19.2.3




via /etc/squid/squid.conf   3.19.2.3




via /etc/squid/squid.conf   3.19.2.5



via /etc/squid/squid.conf   3.19.2.5



via /etc/squid/squid.conf   3.19.2.5



via /etc/squid/squid.conf   3.19.2.5



via /etc/squid/squid.conf   3.19.2.5



via /etc/squid/squid.conf   3.19.2.5
via /etc/squid/squid.conf   3.19.2.5



via /etc/squid/squid.conf   3.19.2.5



via /etc/squid/squid.conf   3.19.2.5



via /etc/squid/squid.conf   3.19.2.5



via chkconfig               3.20.1


via yum                     3.20.1
  NSA "Guide to the
Secure Configuration of
                        Old "Unix-CCE-
  Red Hat Enterprise
                         DRAFT-2" ID
       Linux 5"
(Recommended Value)

disabled

                      CCE-U-203
disabled


                      CCE-U-203
installed


enabled



enabled


                      Similar to CCE-U-170
enabled


                      Similar to CCE-U-170
enabled               CCE-U-170



root-only


not loaded


uninstalled



disabled


disabled
disabled

           CCE-U-203
disabled



           CCE-U-203
root

           CCE-U-23
root

           CCE-U-202
root

           CCE-U-201
400

           CCE-U-200
root

           CCE-U-202
root

           CCE-U-201
root

           CCE-U-22
644

           CCE-U-19
root

           CCE-U-20
644

           CCE-U-200
root

           CCE-U-21
400

           CCE-U-24
set        CCE-U-171



disabled


           CCE-U-24
not set


not set


user

group

027


disabled


disabled



enabled




enabled


enabled



enabled



enabled



           CCE-U-200
enabled


           CCE-U-200
enabled


           CCE-U-200
enabled


            CCE-U-155
enabled


            CCE-U-15
granted


            CCE-U-200
disabled


            CCE-U-200
disabled


            CCE-U-200
disabled

            CCE-U-200
8

            CCE-U-200
7

            CCE-U-7
180

            CCE-U-8
8

            CCE-U-200


            CCE-U-200
???

            CCE-U-200
???


            CCE-U-4
usergroup

            CCE-U-202
4710        CCE-U-200
???

            CCE-U-26
g-w,o-rwx


            CCE-U-162
077


            CCE-U-31
077

            CCE-U-31
077

            CCE-U-31
root

            CCE-U-201
600

            CCE-U-200
???



root

            CCE-U-202
enabled


            CCE-U-1
disabled




10



10



10


            CCE-U-6
enabled


enforcing


targeted


disabled


              CCE-U-203
uninstalled



disabled

              CCE-U-203
enabled       CCE-U-203


disabled




disabled



disabled

              CCE-U-134
disabled
disabled



enabled



enabled


enabled




disabled




enabled




disabled




enabled




enabled
disabled




disabled



disabled



disabled


excluded



disabled



disabled


disabled



disabled




disabled




disabled
disabled




disabled




rfc3041



disabled




1




0




0




disabled
disabled




disabled




enabled    CCE-U-203


enabled    CCE-U-203


enabled    CCE-U-203


root

           CCE-U-202?
600

           CCE-U-200?
root

           CCE-U-201?
sent


accept

           CCE-U-131
enabled


           CCE-U-203
disabled

           CCE-U-203
enabled

           CCE-U-203
disabled   CCE-U-72
disabled      CCE-U-73


uninstalled


uninstalled



disabled      CCE-U-104


uninstalled



disabled      CCE-U-203


disabled      CCE-U-83


disabled      CCE-U-82


uninstalled


disabled      CCE-U-203


uninstalled



disabled      CCE-U-118


uninstalled



disabled

              CCE-U-203
disabled      CCE-U-203


enabled       CCE-U-203
disabled   CCE-U-203


disabled   CCE-U-203


disabled   CCE-U-203


disabled   CCE-U-203


disabled   CCE-U-203



enabled    CCE-U-203


disabled   CCE-U-203


enabled    CCE-U-203


disabled   CCE-U-203



disabled   CCE-U-203



disabled   CCE-U-203


disabled   CCE-U-203


disabled   CCE-U-203


disabled   CCE-U-203


disabled   CCE-U-203


enabled    CCE-U-203
enabled       CCE-U-203


enabled       CCE-U-203


disabled      CCE-U-203


uninstalled



root

              CCE-U-202
700

              CCE-U-200
root

              CCE-U-202
root

              CCE-U-201
root

              CCE-U-201
600

              CCE-U-200
root

              CCE-U-202
root

              CCE-U-201
root

              CCE-U-202
root

              CCE-U-201
root

              CCE-U-201
root

              CCE-U-202
700

              CCE-U-200
root

                CCE-U-201
root

                CCE-U-202
root

                CCE-U-201
600

                CCE-U-200
700

                CCE-U-200
700

                CCE-U-200
root

                CCE-U-202
700

                CCE-U-200
disabled        CCE-U-203


uninstalled


disabled



not permitted


                CCE-U-132
no suggestion


disabled




disabled
disabled


disabled




enabled


disabled



uninstalled




disabled        CCE-U-203


disabled




enabled



disabled        CCE-U-203


no suggestion


no suggestion


reject




disallow
disabled



disabled




disabled



disabled



disabled



disabled



disabled   CCE-U-203


disabled


disabled



disabled


deny



disabled   CCE-U-203


disabled   CCE-U-203



disabled   CCE-U-203
uninstalled


disabled



denied




denied



not sent




not sent



not sent



not sent



not sent



not sent



not sent



enabled


disabled      CCE-U-203
deny


no suggestion



no suggestion


enabled


ntp server



enabled         CCE-U-203


disabled        CCE-U-203



disabled        CCE-U-203


644


                CCE-U-200
755


                CCE-U-200
root

                CCE-U-201
755


                CCE-U-200
root



                CCE-U-201
root


                CCE-U-201
755

           CCE-U-200
root


           CCE-U-202
ldap



           CCE-U-202
root

           CCE-U-202
root



           CCE-U-201
ldap



           CCE-U-202
root

           CCE-U-202
ldap

           CCE-U-201
disabled   CCE-U-203


disabled   CCE-U-203


disabled   CCE-U-203


disabled   CCE-U-203


disabled   CCE-U-203


static
static




static




static




static




static




disabled


disabled


enabled



enabled



enabled



enabled



disabled
disabled


disabled      CCE-U-203


uninstalled


root



              CCE-U-202
644


              CCE-U-200
root



              CCE-U-201
disabled


disabled      CCE-U-203


enabled



enabled



disabled



disabled


disabled      CCE-U-203


uninstalled
installed



Prod



Off



750

              CCE-U-200
640

              CCE-U-200
511

              CCE-U-200
apache

              CCE-U-202
750

              CCE-U-200
disabled      CCE-U-203


uninstalled



not support



not support



not support



not support
disabled



enabled




enabled




disabled      CCE-U-203


disabled      CCE-U-160


uninstalled



enabled



20kb



enabled




enabled




20kb



squid
enabled




squid


disabled




enabled



disabled




enabled




deny



allow



deny



deny



allow



allow
deny



deny



deny



deny



disabled      CCE-U-203


uninstalled
                                                 CCE
  CCE ID        CCE Description
                                              Parameters



             /export/home should be
             configured on an
             appropriate filesystem
CCE-5943-6   partition                     partition
             /var should be configured
             on an appropriate
CCE-6771-0   filesystem partition          partition
             /opt should be configured
             on an appropriate
CCE-6723-1   filesystem partition          partition
             The shell for the root
             account should be located
             on the appropriate
CCE-6505-2   filesystem                    filesystem

             Core dump size limits         Size (0 to disable
CCE-6725-6   should be set appropriately   core dumps)
             The read-only SNMP
             community string should be
CCE-5779-4   set appropriately.            string
             The read/write SNMP
             community string should be
CCE-6193-7   set appropriately.            string
CCE-6162-2   DEPRECATED.

             Password policy should
             ban or allow words found in
CCE-6074-9   a dictionary as appropriate. ban/allow

             Password policy should
             enforce the correct amount    number of special
CCE-6382-6   of special characters         characters
             Password policy should
             enforce or not enforce the
             requirement to have mixed
             case passwords as
CCE-6228-1   appropriate.                  enforce/not enforce
             The minimum password
             age should be set as
CCE-6386-7   appropriate                   number of days
             The minimum required
             password length should be       number of
CCE-5781-0   set as appropriate              characters
             Password history should be
             saved for an appropriate
             number of password              number of password
CCE-6529-2   changes                         changes
             The number of consecutive
             failed login attempts
             required to trigger a lockout   number of
             should be set as                consecutive failed
CCE-6106-9   appropriate                     login attempts
             Login access to accounts
             without passwords should
             be enabled or disabled as
CCE-5787-7   appropriate                     enabled/disabled
             New users should be
             required or not required to
             change their password on
CCE-5989-9   first login as appropriate      required/not required
             Access to single-user
             mode (maintainence mode)
             should require the root
             password or not as
CCE-6694-4   appropriate                     required/not required
             The delay between failed
             logins should be set as
CCE-6711-6   appropriate                     number of seconds

             All files should be owned       existing account
             by an existing account or       required / existing
CCE-6178-8   not as appropriate.             account not required
             All files should be owned       existing group
             by an existing group or not     required / existing
CCE-6015-2   as appropriate.                 group not required

             The console login banner
CCE-6398-2   should be set appropriately. banner text or null

             The SSH login banner
CCE-5869-3   should be set appropriately. banner text or null

             The telnet login banner
CCE-6774-4   should be set appropriately. banner text or null

             The ftp login banner should
CCE-6616-7   be set appropriately.       banner text or null

             The graphical login banner
CCE-5792-7   should be set appropriately. banner text or null
             Accounts other than root
             should be allowed to have
             the UID 0 or not as
CCE-6590-4   appropriate                     allowed/not allowed
             Accounts other than root
             and locked system
             accounts should be
             allowed to have a GID of 0
CCE-6436-0   or not as appropriate           allowed/not allowed
             Each account should be
             assigned a unique UID or
CCE-5827-1   not as appropriate              unique/not unique
             The ftp account should
CCE-6779-3   exist or not as appropriate     exist/not exist
             Login accounts should
             include an appropriate
             GECOS identifier or no
CCE-6735-5   GECOS identifier                GECOS value, null
             The screen lock should
             activate after an
             appropriate period of
CCE-6532-6   inactivity                      number of minutes
             File permissions should be
             set appropriately for all
CCE-6739-7   shell executables.              permissions
             Remote (serial) consoles
             should be enabled or
CCE-6316-4   disabled as appropriate.        enabled/disabled
             Root logins should be
             restricted to the console or    restricted/not
CCE-5793-5   not as appropriate.             restricted
             .netrc files should exist or
             not as appropriate for all
CCE-6676-1   users.                          exist/not exist
             .rhosts files should exist or
             not as appropriate for all
CCE-6707-4   users.                          exist/not exist
             .shosts files should exist or
             not as appropriate for all
CCE-6266-1   users.                          exist/not exist
             The /etc/hosts.equiv file
             should exist or not as
CCE-6487-3   appropriate.                    exist/not exist

             The use of NIS special
             characters (+ or -) in the
             first field of the /etc/passwd
             file should be allowed or
CCE-6521-9   disallowed as appropriate. allowed/not allowed
             The use of NIS special
             characters (+ or -) in the
             first field of the /etc/shadow
             file should be allowed or
CCE-5865-1   disallowed as appropriate.       allowed/not allowed
             The use of NIS special
             characters (+ or -) in the
             first field of the /etc/group
             file should be allowed or
CCE-6239-8   disallowed as appropriate.       allowed/not allowed
             The /etc/shells file should
CCE-6556-5   exist or not as appropriate      exist/not exist
             Shells referenced in
             /etc/passwd should be
             included in /etc/shells or
CCE-5795-0   not as appropriate               included/not included
             Groups referenced in
             /etc/passwd should be
             included in /etc/group or
CCE-6772-8   not as appropriate.              included/not included
             The home directory for the
             root account should be set
CCE-6662-1   appropriately.                   path
             The home directory for
             each user account should
CCE-5814-9   be set appropriately.            path
             Home directories
             referenced in /etc/passwd
             should exist or not as
CCE-6496-4   appropriate                      exist/not exist
             All device files should be
             located inside an
CCE-6716-5   appropriate path                 path
             The ntpd service should be
             enabled or disabled as
CCE-6627-4   appropriate.                     enabled/disabled

             The Network Time Protocol
             (ntp) synchronization
             server should be set
CCE-5971-7   appropriately.                timeserver
             All logon attempts should
             be logged or not logged as
CCE-6808-0   appropriate                   logged/not logged
             All su (switch user) activity
             should be logged or not as
CCE-5966-7   appropriate                   logged/not logged
             Filesystem
             logging/journaling should
             be performed or not as        performed/not
CCE-6812-2   appropriate                   performed
             Automount should be
             enabled or disabled as
CCE-6160-6   appropriate                   enabled/disabled
             Source-routed packets
             should be accepted or
CCE-6781-9   rejected as appropriate.      accepted/rejected
             Response to ICMP
             timestamp requests should
             be enabled or disabled as
CCE-5818-0   appropriate                   enabled/disabled
             Response to ICMP
             timestamp broadcast
             requests should be
             enabled or disabled as
CCE-6164-8   appropriate                   enabled/disabled
             Response to ICMP echo
             (ping) requests should be
             enabled or disabled as
CCE-5823-0   appropriate                   enabled/disabled
             Executable stack should be
             enabled or disabled as
CCE-6574-8   appropriate                   enabled/disabled

             The default gateway should
CCE-6340-4   be set appropriately.         IP address/disabled
             The inetd service should be
             enabled or disabled as
CCE-5826-3   appropriate.                  enabled/disabled
             echo service should be
             enabled or disabled as
CCE-6720-7   appropriate                   enabled/disabled
             netstat service should be
             enabled or disabled as
CCE-6795-9   appropriate                   enabled/disabled
             rcp service should be
             enabled or disabled as
CCE-6623-3   appropriate                   enabled/disabled
             chargen service should be
             enabled or disabled as
CCE-6288-5   appropriate                   enabled/disabled
             finger service should be
             enabled or disabled as
CCE-6755-3   appropriate                   enabled/disabled
             tftpd service should be
             enabled or disabled as
CCE-5831-3   appropriate                   enabled/disabled
             walld service should be
             enabled or disabled as
CCE-6478-2   appropriate                 enabled/disabled
             rstatd service should be
             enabled or disabled as
CCE-6821-3   appropriate                 enabled/disabled
             sprayd service should be
             enabled or disabled as
CCE-6482-4   appropriate                 enabled/disabled
             rusersd service should be
             enabled or disabled as
CCE-6543-3   appropriate                 enabled/disabled
             rlogin service should be
             enabled or disabled as
CCE-6636-5   appropriate                 enabled/disabled
             rsh service should be
             enabled or disabled as
CCE-6418-8   appropriate                 enabled/disabled
             ftp service should be
             enabled or disabled as
CCE-6119-2   appropriate                 enabled/disabled
             telnet service should be
             enabled or disabled as
CCE-6634-0   appropriate                 enabled/disabled
CCE-6339-6   DEPRECATED.
             inn service should be
             enabled or disabled as
CCE-6823-9   appropriate                 enabled/disabled
             uucp service should be
             enabled or disabled as
CCE-5845-3   appropriate                 enabled/disabled
             rexec service should be
             enabled or disabled as
CCE-6806-4   appropriate                 enabled/disabled
             inetd logging should be
             enabled or disabled as
CCE-6325-5   appropriate                 enabled/disabled
             font-service should be
             enabled or disabled as
CCE-5920-4   appropriate                 enabled/disabled
             imap2 service should be
             enabled or disabled as
CCE-6766-0   appropriate                 enabled/disabled
             pop3 service should be
             enabled or disabled as
CCE-6614-2   appropriate                 enabled/disabled
             ident service should be
             enabled or disabled as
CCE-6728-0   appropriate                 enabled/disabled
             rexd service should be
             enabled or disabled as
CCE-6494-9   appropriate                   enabled/disabled
             sadmin service should be
             enabled or disabled as
CCE-6834-6   appropriate                   enabled/disabled
             daytime service should be
             enabled or disabled as
CCE-6777-7   appropriate                   enabled/disabled
             dtspc (cde-spc) service
             should be enabled or
CCE-6305-7   disabled as appropriate       enabled/disabled
             rquotad service should be
             enabled or disabled as
CCE-6776-9   appropriate                   enabled/disabled
             cmsd service should be
             enabled or disabled as
CCE-5857-8   appropriate                   enabled/disabled
             tooltalk service should be
             enabled or disabled as
CCE-6154-9   appropriate                   enabled/disabled
             xdmcp service should be
             enabled or disabled as
CCE-6334-7   appropriate                   enabled/disabled
             discard service should be
             enabled or disabled as
CCE-6810-6   appropriate                   enabled/disabled
CCE-6639-9   DEPRECATED.
             vino-server service should
             be enabled or disabled as
CCE-5965-9   appropriate                   enabled/disabled
             The bind service should be
             enabled or disabled as
CCE-6484-0   appropriate.                  enabled/disabled
             The version string reported
             by the bind service should
             be configured
CCE-6704-1   appropriately.                string
             SSH Protocol v1 should be
             enabled or disabled as
CCE-5866-9   appropriate                   enabled/disabled
             TCP_WRAPPERS should
             be enabled or disabled as
CCE-6682-9   appropriate                   enabled/disabled
             SNMP version 1 should be
             enabled or disabled as
CCE-6651-4   appropriate                   enabled/disabled
             The nfsd service should be
             enabled or disabled as
CCE-6686-0   appropriate                   enabled/disabled
             The mountd service should
             be enabled or disabled as
CCE-6655-5   appropriate                    enabled/disabled
             The statd service should be
             enabled or disabled as
CCE-6754-6   appropriate                    enabled/disabled
             The lockd service should
             be enabled or disabled as
CCE-6345-3   appropriate                    enabled/disabled
             NFS should be configured
             to respond or not as
             appropriate to client
             requests that do not
CCE-6816-3   include a user id .            respond/not respond
             NFS should be configured
             to respond or not as
             appropriate to client
             requests that do not
             originate from a privileged
CCE-6842-9   port.                          respond/not respond
             NFS should be configured
             with appropriate
CCE-6807-2   authentication methods         list of auth methods
             The read-only (ro) option
             should be enabled or
             disabled as appropriate for
CCE-6573-0   all NFS exports.               enabled/disabled
             The nosuid option should
             be enabled or disabled for
             all NFS mounts as
CCE-5874-3   appropriate                    enabled/disabled
             Sendmail should be
             enabled or disabled as
CCE-6775-1   appropriate                    enabled/disabled

             The sendmail banner
CCE-6537-5   should be set appropriately.   string
             The decode sendmail alias
             should be enabled or
CCE-6740-5   disabled as appropriate.       enabled/disabled
             .forward files should be
             allowed or disallowed as
CCE-6874-2   appropriate for all users      allow/disallow
             Programs executed
             through the aliases file
             should be owned by an
CCE-6843-7   appropriate user               user
             Programs executed
             through the aliases file
             should reside a directory
             with an appropriate user
CCE-6654-8   owner                          user
             Sendmail vrfy command
             should be allowed or not as
CCE-6063-2   appropriate                    allow/disallow
             Sendmail expn command
             should be allowed or not as
CCE-6526-8   appropriate                    allow/disallow
             Sendmail should be
             configured with an
CCE-5880-0   appropriate logging level      logging level
             Sendmail help command
             should be allowed or not as
CCE-6756-1   appropriate                    allow/disallow
             NIS+ server should operate
             at an appropriate security
CCE-6853-6   level                          security level
             X-Windows should be
             enabled or disabled as
CCE-6513-6   appropriate                    enabled/disabled

             Authorized X-clients should
             be listed or not in the
CCE-6588-8   X*.hosts file as appropriate   listed/not listed
             X-Windows should write
             .Xauthority files to users'
             home directories or not as
CCE-5914-7   appropriate                    write/not write
             X11 forwarding via SSH
             should be enabled or
CCE-5881-8   disabled as appropriate.       enabled/disabled
             Samba should be enabled
CCE-6169-7   or disabled as appropriate     enabled/disabled
             Samba 'hosts allow' option
             should be configured with
             an appropriate set of
CCE-6811-4   networks                       list of networks
             Samba 'security option'
             option should be set as
CCE-6763-7   appropriate
             Samba 'encrypt' passwords
             option should be set as
CCE-6605-0   appropriate                    yes/no
             Samba 'smb passwd file'
             option should be set to an
             appropriate password file
CCE-6749-6   or no password file            file/nothing
             IPv6 should be enabled or
CCE-6216-6   disabled as appropriate        enabled/disabled
             The "at" utility directory
             permissions should be set
CCE-6467-5   as appropriate                 permissions

             at.allow file permissions
CCE-6687-8   should be set appropriately permissions

             at.deny file permissions
CCE-6657-1   should be set appropriately permissions

             Cron directory permissions
CCE-6097-0   should be set appropriately permissions
             Crontab directory
             permissions should be set
CCE-6784-3   appropriately               permissions

             Cron log file permissions
CCE-6498-0   should be set appropriately permissions

             cron.allow file permissions
CCE-6533-4   should be set appropriately permissions

             cron.deny file permissions
CCE-6736-3   should be set appropriately permissions

             Crontab file permissions
CCE-6652-2   should be set appropriately permissions

             /dev/kmem file permissions
CCE-6832-0   should be set appropriately permissions

             /dev/mem file permissions
CCE-6445-1   should be set appropriately permissions

             /dev/null file permissions
CCE-6356-0   should be set appropriately permissions

             resolv.conf file permissions
CCE-5892-5   should be set appropriately    permissions
             /etc/named.conf file
             permissions should be set
CCE-5895-8   appropriately                  permissions
             File permissions should be
             set appropriately for all
CCE-6033-5   user home directories.         permissions
             /etc/exports file
             permissions should be set
CCE-6377-6   appropriately                  permissions
             /usr/bin/at file permissions
CCE-6751-2   should be set appropriately permissions
             /usr/bin/rdist file
             permissions should be set
CCE-6848-6   appropriately                permissions
             /usr/sbin/sync file
             permissions should be set
CCE-6883-3   appropriately                permissions

             Superuser account home
             directories' permissions
CCE-6724-9   should be set appropriately permissions
             /etc/samba/smb.conf file
             permissions should be set
CCE-6663-9   appropriately               permissions
             smbpassword executable
             permissions should be set
CCE-6570-6   appropriately               permissions

             Aliases file permissions
CCE-6667-0   should be set appropriately permissions
             File permissions should be
             set as appropriate for the
             log file configured to
             capture critical sendmail
CCE-5897-4   messages.                   permissions
             All files executed through
             /etc/aliases file entries
             should have file
             permissions set
CCE-6380-0   appropriately               permissions

             /bin/csh file permissions
CCE-5901-4   should be set appropriately permissions

             /bin/jsh file permissions
CCE-6142-4   should be set appropriately permissions

             /bin/ksh file permissions
CCE-5902-2   should be set appropriately permissions
             The /bin/rsh file should
CCE-6544-1   exist or not as appropriate exist/not exist

             /bin/sh file permissions
CCE-6830-4   should be set appropriately permissions

             /bin/bash file permissions
CCE-6407-1   should be set appropriately permissions
             /sbin/csh file permissions
CCE-6693-6   should be set appropriately permissions

             /sbin/jsh file permissions
CCE-6750-4   should be set appropriately permissions

             /sbin/ksh file permissions
CCE-6719-9   should be set appropriately permissions
             The /sbin/rsh file should
CCE-6506-0   exist or not as appropriate exist/not exist

             /sbin/sh file permissions
CCE-6598-7   should be set appropriately permissions

             /sbin/bash file permissions
CCE-6593-8   should be set appropriately permissions
             /usr/bin/csh file
             permissions should be set
CCE-6188-7   appropriately               permissions

             /usr/bin/jsh file permissions
CCE-6034-3   should be set appropriately permissions
             /usr/bin/ksh file
             permissions should be set
CCE-6664-7   appropriately                 permissions
             The /usr/bin/rsh file should
CCE-6131-7   exist or not as appropriate exist/not exist

             /usr/bin/sh file permissions
CCE-6897-3   should be set appropriately permissions
             /usr/bin/bash file
             permissions should be set
CCE-6884-1   appropriately                permissions
             snmpd.conf file
             permissions should be set
CCE-6584-7   appropriately                permissions

             /tmp file permissions
CCE-6879-1   should be set appropriately permissions

             /usr/tmp file permissions
CCE-6461-8   should be set appropriately permissions
             traceroute executable file
             permissions should be set
CCE-6742-1   appropriately                permissions
             .Xauthority file permissions
             should be set appropriately
CCE-6839-5   for all users.               permissions
             /etc/aliases file permissions
CCE-6773-6   should be set appropriately permissions
             /etc/cron.d/at.allow file
             permissions should be set
CCE-6429-5   appropriately                 permissions
             /etc/cron.d/cron.allow file
             permissions should be set
CCE-6901-3   appropriately                 permissions

             /etc/csh file permissions
CCE-5908-9   should be set appropriately permissions
             /etc/default/* file
             permissions should be set
CCE-6875-9   appropriately               permissions
             /etc/default/login file
             permissions should be set
CCE-6347-9   appropriately               permissions

             /etc/dfs file permissions
CCE-5916-2   should be set appropriately permissions

             /etc/fs file permissions
CCE-6714-0   should be set appropriately   permissions
             The /etc/ftpusers file
             should exist or not as
CCE-5924-6   appropriate                   exist/not exist
             /etc/host.lpd file
             permissions should be set
CCE-6814-8   appropriately                 permissions
             /etc/hostname* file
             permissions should be set
CCE-6801-5   appropriately                 permissions

             /etc/hosts file permissions
CCE-6695-1   should be set appropriately permissions
             /etc/inetd.conf file
             permissions should be set
CCE-6893-2   appropriately               permissions

             /etc/issue file permissions
CCE-6722-3   should be set appropriately permissions

             /etc/jsh file permissions
CCE-5928-7   should be set appropriately permissions

             /etc/ksh file permissions
CCE-6857-7   should be set appropriately permissions
             /etc/mail/aliases file
             permissions should be set
CCE-5935-2   appropriately               permissions
             /etc/motd file permissions
CCE-6849-4   should be set appropriately    permissions
             /etc/netconfig file
             permissions should be set
CCE-5948-5   appropriately                  permissions
             /etc/notrouter file
             permissions should be set
CCE-5958-4   appropriately                  permissions
             /etc/pam.conf file
             permissions should be set
CCE-6788-4   appropriately                  permissions
             /etc/passwd file
             permissions should be set
CCE-6757-9   appropriately                  permissions
             The /etc/rsh file should
CCE-6669-6   exist or not as appropriate    exist/not exist
             /etc/security file
             permissions should be set
CCE-6872-6   appropriately                  permissions
             /etc/services file
             permissions should be set
CCE-6889-0   appropriately                  permissions

             /etc/sh file permissions
CCE-6717-3   should be set appropriately permissions
             /etc/shadow file
             permissions should be set
CCE-6827-0   appropriately               permissions
             /etc/syslog.conf file
             permissions should be set
CCE-6464-2   appropriately               permissions

             /etc/ufs file permissions
CCE-5960-0   should be set appropriately permissions

             /etc/vfstab file permissions
CCE-6809-8   should be set appropriately    permissions
             /etc/vold.conf file
             permissions should be set
CCE-5967-5   appropriately                  permissions
             /var/adm/loginlog file
             permissions should be set
CCE-6385-9   appropriately                  permissions
             /var/adm/messages file
             permissions should be set
CCE-6005-3   appropriately                  permissions
             /var/adm/sulog file
             permissions should be set
CCE-6226-5   appropriately                  permissions
             /var/adm/utmp file
             permissions should be set
CCE-6137-4   appropriately                 permissions
             /var/adm/wtmp file
             permissions should be set
CCE-6732-2   appropriately                 permissions
             /var/adm/authlog file
             permissions should be set
CCE-6789-2   appropriately                 permissions
             /var/adm/syslog file
             permissions should be set
CCE-6855-1   appropriately                 permissions

             /var/mail file permissions
CCE-6824-7   should be set appropriately permissions

             /var/tmp file permissions
CCE-6965-8   should be set appropriately   permissions
             /usr/lib/pt_chmod file
             permissions should be set
CCE-6916-1   appropriately                 permissions
             /usr/lib/embedded_us file
             permissions should be set
CCE-6745-4   appropriately                 permissions
             /usr/lib/sendmail file
             permissions should be set
CCE-6295-0   appropriately                 permissions
             /usr/kerberos/bin/rsh file
             permissions should be set
CCE-6123-4   appropriately                 permissions
             /var/spool/mail file
             permissions should be set
CCE-6449-3   appropriately                 permissions
             smbpassword file
             permissions should be set
CCE-6718-1   appropriately                 permissions
             At directory should be
             owned by an appropriate
CCE-6815-5   user                          list of users
             At directory should be
             owned by an appropriate
CCE-6967-4   group                         list of groups
             at.allow file should be
             owned by an appropriate
CCE-6403-0   user                          list of users
             at.allow file should be
             owned by an appropriate
CCE-6747-0   group                         list of groups
             at.deny file should be
             owned by an appropriate
CCE-6909-6   user                          list of users
             at.deny file should be
             owned by an appropriate
CCE-6125-9   group                          list of groups
             Cron directories should be
             owned by an appropriate
CCE-6878-3   user                           list of users
             Cron directories should be
             owned by an appropriate
CCE-5998-0   group                          list of groups
             Crontab directories should
             be owned by an
CCE-6971-6   appropriate user               list of users
             Crontab directories should
             be owned by an
CCE-6613-4   appropriate group              list of groups
             cron.allow file should be
             owned by an appropriate
CCE-6006-1   user                           list of users
             cron.allow file should be
             owned by an appropriate
CCE-6589-6   group                          list of groups

             cron.deny should be owned
CCE-6201-8   by an appropriate user         list of users
             cron.deny data should be
             owned by an appropriate
CCE-6866-8   group                          list of groups
             crontab files should be
             owned by an appropriate
CCE-6791-8   user                           list of users
             crontab files should be
             owned by an appropriate
CCE-6008-7   group                          list of groups
             /etc/resolv.conf file should
             be owned by an
CCE-6907-0   appropriate user               list of users
             /etc/resolv.conf file should
             be owned by an
CCE-6374-3   appropriate group              list of groups
             /etc/named.boot file should
             be owned by an
CCE-6938-5   appropriate user               list of users
             /etc/named.boot file should
             be owned by an
CCE-6019-4   appropriate group              list of groups
             /etc/named.conf file should
             be owned by an
CCE-6825-4   appropriate user               list of users
             /etc/named.conf file should
             be owned by an
CCE-6922-9   appropriate group              list of groups
CCE-6770-2   DEPRECATED.
CCE-6863-5   DEPRECATED.
CCE-6036-8   DEPRECATED.
CCE-6994-8   DEPRECATED.
CCE-6946-8   DEPRECATED.
CCE-6963-3   DEPRECATED.
CCE-6822-1   DEPRECATED.
CCE-6962-5   DEPRECATED.
             Each user home directory
             should be owned by an
CCE-6416-2   appropriate user.               list of users
             Each user home directory
             should be owned by an
CCE-6244-8   appropriate group.              list of groups
             inetd.conf file should be
             owned by an appropriate
CCE-6958-3   user                            list of users
             inetd.conf file should be
             owned by an appropriate
CCE-6038-4   group                           list of groups
             /etc/exports should be
             owned by an appropriate
CCE-6804-9   user                            list of users
             /etc/exports should be
             owned by an appropriate
CCE-6518-5   user                            list of groups
             Exported files and
             directories should be
             owned by an appropriate
CCE-6989-8   user                            list of users
             Exported files and
             directories should be
             owned by an appropriate
CCE-6896-5   user                            list of groups
CCE-6209-1   DEPRECATED.
CCE-6997-1   DEPRECATED.
CCE-6838-7   DEPRECATED.
CCE-6790-0   DEPRECATED.
CCE-6982-3   DEPRECATED.
CCE-6968-2   DEPRECATED.
             /etc/services file should be
             owned by an appropriate
CCE-6986-4   user                            list of users
             /etc/services file should be
             owned by an appropriate
CCE-6942-7   group                           list of groups
CCE-6726-4   DEPRECATED.
CCE-6924-5   DEPRECATED.
             /etc/notrouter file should be
             owned by an appropriate
CCE-6769-4   user                            list of users
             /etc/notrouter file should be
             owned by an appropriate
CCE-6796-7   group                           list of groups
CCE-6637-3   DEPRECATED.
CCE-7018-5   DEPRECATED.
             /etc/samba/smb.conf file
             should be owned by an
CCE-6987-2   appropriate user                list of users
             /etc/samba/smb.conf file
             should be owned by an
CCE-6798-3   appropriate group               list of groups
             smbpasswd executable
             should be owned by an
CCE-6705-8   appropriate user                list of users
             smbpasswd executable
             should be owned by an
CCE-6930-2   appropriate group               list of groups
CCE-6819-7   DEPRECATED.
CCE-6647-2   DEPRECATED.
CCE-6974-0   DEPRECATED.
CCE-6898-1   DEPRECATED.
             Programs executed
             through aliases file entries
             should be owned by an
CCE-6854-4   appropriate user                list of groups
             Programs executed
             through aliases file entries
             should be owned by an
CCE-6678-7   appropriate group               list of users
CCE-6914-6   DEPRECATED.
CCE-6446-9   DEPRECATED.
CCE-7006-0   DEPRECATED.
             snmpd.conf file should be
             owned by an appropriate
CCE-6350-3   user                            list of users
             snmpd.conf file should be
             owned by an appropriate
CCE-6261-2   group                           list of groups
             /etc/syslog.conf file should
             be owned by an
CCE-6040-0   appropriate user                list of users
             /etc/syslog.conf file should
             be owned by an
CCE-6859-3   appropriate group               list of groups
             traceroute executable
             should be owned by an
CCE-6701-7   appropriate user                list of users
             traceroute executable
             should be owned by an
CCE-6802-3   appropriate group               list of groups
             /usr/lib/sendmail file should
             be owned by an
CCE-6098-8   appropriate user                 list of users
             /usr/lib/sendmail file should
             be owned by an
CCE-6053-3   appropriate group                list of groups
             /etc/passwd file should be
             owned by an appropriate
CCE-6700-9   user                             list of users
             /etc/passwd file should be
             owned by an appropriate
CCE-6943-5   group                            list of groups
             /etc/shadow file should be
             owned by an appropriate
CCE-6890-8   user                             list of users
             /etc/shadow file should be
             owned by an appropriate
CCE-6660-5   group                            list of groups
             smbpasswd file should be
             owned by an appropriate
CCE-6059-0   user                             list of users
             smbpasswd file should be
             owned by an appropriate
CCE-6648-0   group                            list of groups
             Environmental variable
             PATH for superuser
             accounts should or should
             not contain world-writable
CCE-6060-8   files as appropriate             should/should not
             Environmental variable
             PATH for superuser
             accounts should not
             contain the current
             directory as the first or last
CCE-6681-1   entry                            should/should not
             The current wokring
             directory should or should
             not be added to the
             environmental variable
             PATH by global
             initialization files as
CCE-6709-0   appropriate                  should/should not
             The current working
             directory should or should
             not be added to the
             environmental variable
             PATH by local initialization
CCE-6934-4   files as appropriate         should/should not
CCE-6762-9   DEPRECATED.
             The current directory
             should or should not be
             added to the environmental
             variable PATH by run
             control scripts as
CCE-6064-0   appropriate                    should/should not
             The system umask should
CCE-6748-8   be set appropriately           umask
             The user umask should be
CCE-6906-2   set appropriately              umask
CCE-6611-8   DEPRECATED.
CCE-7061-5   DEPRECATED.
CCE-6831-2   DEPRECATED.
CCE-6818-9   DEPRECATED.
             The cron.allow file should
             be configured with the set
             of users permitted to use
             the cron facility as
CCE-8393-1   appropriate.                   list of users
             The cron.deny file should
             be configured with the set
             of users not permitted to
             use the cron facility as
CCE-7925-1   appropriate.                   list of users
             Cron logging should be
             enabled or disabled as
CCE-7771-9   appropriate                    enabled/disabled
             The at.allow file should be
             configured with the set of
             users permitted to use the
CCE-7961-6   at facility as appropriate.    list of users
             The at.deny file should be
             configured with the set of
             users not permitted to use
             the at facility as
CCE-7674-5   appropriate.                   list of users

             /etc/init.d file permissions
CCE-6071-5   should be set appropriately    permissions
             /usr/aset/userlist file
             permissions should be set
CCE-6246-3   appropriately                  permissions
             /etc/rmmount.conf file
             permissions should be set
CCE-6072-3   appropriately                  permissions
             /var/log/pamlog file
             permissions should be set
CCE-6964-1   appropriately                  permissions
             /etc/security/audit_control
             file permissions should be
CCE-6073-1   set appropriately                permissions
             /etc/security/audit_class file
             permissions should be set
CCE-6846-0   appropriately                    permissions
             /etc/security/audit_event
             file permissions should be
CCE-6155-6   set appropriately                permissions
             /usr/aset/userlist file
             permissions should be set
CCE-6873-4   appropriately                    permissions
             /etc/auto_* file should be
             owned by an appropriate
CCE-6404-8   user                             list of users
             /etc/auto.master file should
             be owned by an
CCE-8457-4   appropriate user                 list of users
             /etc/auto.misc file should
             be owned by an
CCE-7984-8   appropriate user                 list of users
             /etc/auto.net file should be
             owned by an appropriate
CCE-7800-6   user                             list of users
             /etc/rmmount.conf file
             should be owned by an
CCE-6858-5   appropriate user                 list of users
             /var/log/pamlog file should
             be owned by an
CCE-7002-9   appropriate user                 list of users
             /etc/security/audit_control
             file should be owned by an
CCE-6329-7   appropriate user                 list of users
             /etc/security/audit_class file
             should be owned by an
CCE-6941-9   appropriate user                 list of users
             /etc/security/audit_event
             file should be owned by an
CCE-6954-2   appropriate user                 list of users
             DEPRECATED in favor of
             CCE-8338-6, CCE-8428-5,
CCE-6782-7   and CCE-8539-9.
             /etc/auto.master file should
             be owned by an
CCE-8338-6   appropriate group                list of users
             /etc/auto.misc file should
             be owned by an
CCE-8428-5   appropriate group                list of users
             /etc/auto.net file should be
             owned by an appropriate
CCE-8539-9   group                            list of users
             /usr/aset/userlist file should
             be owned by an
CCE-7050-8   appropriate group                list of groups
             /etc/rmmount.conf file
             should be owned by an
CCE-7019-3   appropriate group                list of groups
             /var/log/pamlog file should
             be owned by an
CCE-6112-7   appropriate group                list of groups
             /etc/security/audit_control
             file should be owned by an
CCE-6786-8   appropriate group                list of groups
             /etc/security/audit_class file
             should be owned by an
CCE-6381-8   appropriate group                list of groups
             /etc/security/audit_event
             file should be owned by an
CCE-6411-3   appropriate group                list of groups
             DEPRECATED in favor of
             CCE-8399-8, CCE-8304-8,
CCE-6882-5   and CCE-8642-1.
             /etc/auto.master file should
             be owned by an
CCE-8399-8   appropriate group                list of users
             /etc/auto.misc file should
             be owned by an
CCE-8304-8   appropriate group                list of users
             /etc/auto.net file should be
             owned by an appropriate
CCE-8642-1   group                            list of users
CCE-7068-0   DEPRECATED.
CCE-6851-0   DEPRECATED.
             Generic PAM
             authentication should be
             enabled or disabled as
CCE-7072-2   appropriate                      enabled/disabled
             rsh auth should be allowed
             or disallowed by PAM as
CCE-6077-2   appropriate                      allowed/not allowed
             rlogin auth should be
             allowed by pam.d or not as
CCE-6917-9   appropriate                      allowed/not allowed
             PAM access to
             /dev/console should be
             logged at an appropriate
             level or not logged as
CCE-6090-5   appropriate                      logging level
             PAM should be logged at
CCE-7055-7   an appropriate level             logging level
             /usr/aset/masters/uid_alias
             es should contain an
             appropriate listing of
CCE-6871-8   aliases                        list of aliases
             The Solaris Automated
             Security Enhancement
             Tool (ASET) tune.low file
             should exist or not as
CCE-6412-1   appropriate                    exist/not exist
             The Solaris Automated
             Security Enhancement
             Tool (ASET) tune.med file
             should exist or not as
CCE-6092-1   appropriate                    exist/not exist
             The Solaris Automated
             Security Enhancement
             Tool (ASET) tune.high file
             should exist or not as
CCE-6828-8   appropriate                    exist/not exist
             The uid_aliases file should
CCE-6361-0   exist or not as appropriate    exist/not exist
             The low security directory
             list should be set
CCE-7044-1   appropriately                  directory list
             The medium security
             directory list should be set
CCE-6409-7   appropriately                  directory list
             The high security directory
             list should be set
CCE-6797-5   appropriately                  directory list
             The ASET periodic
             schedule setting should be
CCE-6391-7   set appropriately              schedule stanza

             The UID aliases pointer
CCE-7015-1   should be set appropriately file
             Users should be listed in
             the ASET userlist file or not
CCE-6359-4   as appropriate                list of users

             ASET should check NIS+
CCE-6456-8   tables or not as appropriate enabled/disabled

             EEPROM security mode
CCE-6101-0   should be set appropriately security mode

             EEPROM warning banner
CCE-6931-0   should be set appropriately banner text
             The noexec_user_stack
             parameter should be set or
CCE-6199-4   not as appropriate         set/not set
             The
             no_exec_user_stack_log
             parameter should be set or
CCE-6433-7   not as appropriate         enabled/disabled

             The default login console
CCE-6887-4   should be set appropriately path to console
             Default sleeptime should
CCE-6111-9   be set appropriately        number of minutes
             Default number of allowed
             retries should be set
CCE-6368-5   appropriately               number of retries

             The default number of
             syslog failed logins retried
CCE-6273-7   should be set appropriately number of retries
             Default su console should
CCE-6126-7   be set appropriately         path to console

             auditing should be logged
CCE-6127-5   to an appropriate directory   path to log
             login and logout events (lo
             class) should be audited or
CCE-6351-1   not as appropriate            audited/not audited
CCE-6699-3   DEPRECATED.
             Non attributable events (na
             class) should be audited or
CCE-6915-3   not as appropriate            audited/not audited
             The free space threshold to
             warn at should be set         percentage of
CCE-6132-5   appropriately                 filesystem
CCE-6888-2   DEPRECATED.
CCE-6923-7   DEPRECATED.
CCE-6500-3   DEPRECATED.
             Password changes should
             be audited or not as
CCE-6703-3   appropriate                   audited/not audited

             su usage should be audited
CCE-6752-0   or not as appropriate          audited/not audited
             Creation/modification of
             superuser groups should
             be audited or not as
CCE-6862-7   appropriate                    audited/not audited
             Clearing of the audit log file
             should be audited or not as
CCE-6139-0   appropriate                    audited/not audited
             Use of
             identification/authorization
             mechanisms should be
             audited or not as
CCE-7088-8   appropriate                    audited/not audited
             chmod command should
             be audited or not as
CCE-7040-9   appropriate                    audited/not audited
             The user audit file should
             contain an appropriate set
CCE-6577-1   of never-audit flags           set of allowed flags
             The /var/log/authlog log
             should be enabled or
CCE-6419-6   disabled as appropriate        enabled/disabled
             The /var/log/syslog log
             should be enabled or
CCE-6167-1   disabled as appropriate        enabled/disabled
             The /var/adm/messages
             log should be enabled or
CCE-6638-1   disabled as appropriate        enabled/disabled
             The /var/adm/sulog log
             should be enabled or
CCE-6145-7   disabled as appropriate        enabled/disabled
             The /var/adm/utmp[x] log
             should be enabled or
CCE-6894-0   disabled as appropriate        enabled/disabled
             The /var/adm/wtmp[x] log
             should be enabled or
CCE-7079-7   disabled as appropriate        enabled/disabled
             The /var/adm/sshlog log
             should be enabled or
CCE-6674-6   disabled as appropriate        enabled/disabled
             The /var/log/pamlog log
             should be enabled or
CCE-6457-6   disabled as appropriate        enabled/disabled
             Unsuccessful login attemps
             should be logged or not as
CCE-7039-1   appropriate                    logged/not logged

             su usage should be audited
CCE-7051-6   or not as appropriate          audited/not audited
             auth usage should be
             audited or not as
CCE-6629-0   appropriate                    audited/not audited
             /var directory should be
             owned by an appropriate
CCE-6497-2   user                           list of users
             /var/log directory should be
             owned by an appropriate
CCE-7135-7   user                           list of users
             /var/adm directory should
             be owned by an
CCE-6840-3   appropriate user              list of users
CCE-6996-3   DEPRECATED.
             BSM auditing should be
             enabled or disabled as
CCE-6948-4   appropriate                   enabled/disabled
CCE-6900-5   DEPRECATED.
CCE-6542-5   DEPRECATED.
CCE-6278-6   DEPRECATED.
             The serial port listener
             should be enabled or
CCE-6546-6   disabled as appropriate       enabled/disabled
             The TCP max connection
             limit should be set           max number of
CCE-6626-6   appropriately                 connections

             The TCP abort interval
CCE-7075-5   should be set appropriately   limit
             Forwarding of directed
             broadcasts should be
             enabled or disabled as
CCE-6612-6   appropriate                   enabled/disabled
             Response to echo (ping)
             request broadcasts should
             be enabled or disabled as
CCE-6330-5   appropriate                   enabled/disabled
             Response to ICMP
             timestamp requests should
             be enabled or disabled as
CCE-6826-2   appropriate                   enabled/disabled
             Response to ICMP
             timestamp broadcast
             requests should be
             enabled or disabled as
CCE-7042-5   appropriate                   enabled/disabled
             Response to mask
             addresses should be
             enabled or disabled as
CCE-6993-0   appropriate                   enabled/disabled

             ARP cleanup interval
CCE-6918-7   should be set appropriately interval
             ARP IRE interval should be
CCE-7121-7   set appropriately           interval
             IP redirects should be
             followed or ignored as
CCE-7077-1   appropriate                 follow/ignore
             Sending of IP redirects
             should be enabled or
CCE-7090-4   disabled as appropriate        enabled/disabled
             Forwarding of source
             routed packets should be
             enabled or disabled as
CCE-6561-5   appropriate                    enabled/disabled
             IP forwarding should be
             enabled or disabled as
CCE-6970-8   appropriate                    enabled/disabled
             Strict destination
             multihoming should be
             enabled or disabled as
CCE-6279-4   appropriate                    enabled/disabled
             Forwarding of source
             routed IPv6 packets should
             be enabled or disabled as
CCE-7001-1   appropriate                    enabled/disabled
             IPv6 forwarding should be
             enabled or disabled as
CCE-6940-1   appropriate                    enabled/disabled
             TCP reverse source routes
             should be enabled or
CCE-7032-6   disabled as appropriate        enabled/disabled
             Routing should be enabled
CCE-6534-2   or disabled as appropriate     enabled/disabled

             Caching of the RBAC
             prof_attr should be enabled
CCE-6148-1   or disabled as appropriate     enabled/disabled
             Multicast route assignment
             should be enabled or
CCE-6978-1   disabled as appropriate        enabled/disabled
             Print services through inetd
             should be enabled or
CCE-6744-7   disabled as appropriate        enabled/disabled
             NFS server logging should
             be enabled or disabled as
CCE-7070-6   appropriate                    enabled/disabled
             Global initialization files
             should allow or deny write
             access to the terminal as
CCE-6836-1   appropriate                    allow/deny
CCE-7074-8   DEPRECATED.
CCE-7012-8   DEPRECATED.
             Caching of the RBAC
             exec_attr should be
             enabled or disabled as
CCE-7041-7   appropriate                    enabled/disabled
             Caching of the RBAC
             user_attr should be
             enabled or disabled as
CCE-7116-7   appropriate                   enabled/disabled
             The chmod command
             system call should be
             audited or not as
CCE-8477-2   appropriate                   audited/not audited
             The chown system call
             should be audited or not as
CCE-7027-6   appropriate                   audited/not audited
             The fchmod system call
             should be audited or not as
CCE-6618-3   appropriate                   audited/not audited
             The fchown system call
             should be audited or not as
CCE-6680-3   appropriate                   audited/not audited
             The lchown system call
             should be audited or not as
CCE-6152-3   appropriate                   audited/not audited
             The setgroups system call
             should be audited or not as
CCE-6153-1   appropriate                   audited/not audited
             The setpgrp system call
             should be audited or not as
CCE-6658-9   appropriate                   audited/not audited
             The setreuid system call
             should be audited or not as
CCE-6908-8   appropriate                   audited/not audited
             The setregid system call
             should be audited or not as
CCE-7124-1   appropriate                   audited/not audited
             The setegid system call
             should be audited or not as
CCE-6761-1   appropriate                   audited/not audited
             The seteuid system call
             should be audited or not as
CCE-6176-2   appropriate                   audited/not audited
             System ftp logoffs should
             be audited or not as
CCE-6181-2   appropriate                   audited/not audited
             System telnet logons
             should be audited or not as
CCE-6183-8   appropriate                   audited/not audited
             System ssh logons should
             be audited or not as
CCE-6447-7   appropriate                   audited/not audited
             System rlogin logons
             should be audited or not as
CCE-7099-5   appropriate                   audited/not audited
             System rshd logons should
             be audited or not as
CCE-6187-9   appropriate                   audited/not audited
             System rexecd logons
             should be audited or not as
CCE-6622-5   appropriate                   audited/not audited
             System rexd logons should
             be audited or not as
CCE-7182-9   appropriate                   audited/not audited
             System ftp logons should
             be audited or not as
CCE-7151-4   appropriate                   audited/not audited
             rlogin auth should be
             allowed or disallowed by
CCE-7122-5   PAM as appropriate            allowed/not allowed
             rlogin auth should be
             allowed by pam.d or not as
CCE-7091-2   appropriate                   allowed/not allowed

             Hard core dump size limits Size (0 to disable
CCE-6937-7   should be set appropriately core dumps)
             Root logins should be
             allowed or not as
             appropriate from SSH
CCE-6844-5   consoles                    allowed/not allowed
                                         Internal Revenue Service Basic
                                         UNIX Security Requirements (IRS
              CCE Technical Mechanisms   BUSR)
                                         http://www.irs.gov/irm/part10/ch03
                                         s08.html




via fstab                                10.8.10.4.2.1 (5)


via fstab                                10.8.10.4.2.1 (5)


via fstab                                10.8.10.4.2.1 (5)




via /etc/passwd                          10.8.10.4.2.1 (6)

via /etc/security/limits
via ulimit                               10.8.10.4.4 (3)


via /etc/snmp/conf/snmpd.conf            10.8.10.5.1 (1) c)


via /etc/snmp/conf/snmpd.conf            10.8.10.5.1 (1) c)




via /etc/default/passwd                  10.8.10.5.1 (2) a)




via /etc/default/passwd                  10.8.10.5.1 (2) a)




via /etc/default/passwd                  10.8.10.5.1 (2) a)


via /etc/default/passwd                  10.8.10.5.1 (2) b)
via /etc/default/passwd       10.8.10.5.1 (2) c)




via /etc/default/passwd       10.8.10.5.1 (2) d)




via /etc/default/passwd       10.8.10.5.1 (2) e)


via passwd
via /etc/shadow               10.8.10.5.1 (2) f)




via /etc/security/passwd      10.8.10.5.1 (2) g)




                              10.8.10.5.1 (3)


                              10.8.10.5.1 (5)




via chown                     10.8.10.5.2 (3)

via chgrp
via chown                     10.8.10.5.2 (3)

via /etc/security/login.cfg
via /etc/motd                 10.8.10.5.2 (5) a)


via sshd_config               10.8.10.5.2 (5) b)


via /etc/default/telnetd      10.8.10.5.2 (5) c)


                              10.8.10.5.2 (5) d)


via Xwindows                  10.8.10.5.2 (5) e)
via passwd
via /etc/passwd          10.8.10.5.2.1 (2) a)


via passwd
via /etc/passwd
via /etc/group           10.8.10.5.2.1 (2) b)


via /etc/passwd          10.8.10.5.2.4 (3)

via /etc/passwd          10.8.10.5.2.4 (9)




via /etc/passwd          10.8.10.5.2.4.1 (1)


via Xscreensaver
via dtsession            10.8.10.5.2.5 (1)


via chmod                10.8.10.5.2.6 (1)


                         10.8.10.5.2.6 (3)


via /etc/default/login   10.8.10.5.2.6 (4)


via filesystem           10.8.10.5.2.6 (6)


via filesystem           10.8.10.5.2.6 (6)


via filesystem           10.8.10.5.2.6 (6)


via filesystem           10.8.10.5.2.6 (6)




via Text editor          10.8.10.5.2.6 (7)
via Text editor    10.8.10.5.2.6 (7)




via Text editor    10.8.10.5.2.6 (7)

via /etc/shells    10.8.10.5.2.6 (11)




via /etc/shells    10.8.10.5.2.6 (12)




via /etc/group     10.8.10.5.2.6 (15)


via /etc/passwd    10.8.10.5.2.6 (16)


via /etc/passwd    10.8.10.5.2.6 (17)




via filesystem     10.8.10.5.2.6 (18)


via filesystem     10.8.10.5.2.6 (24)


via RC scripts     10.8.10.5.3 (3)




via D64ntpd.conf


                   10.8.10.5.3 (4)


                   10.8.10.5.3 (5)
                              10.8.10.5.3 (6)


                              10.8.10.5.4.1 (12)


                              10.8.10.5.4.1 (2) a)




                              10.8.10.5.4.1 (2) c)




                              10.8.10.5.4.1 (2) d)




                              10.8.10.5.4.1 (2) e)


                              10.8.10.5.4.1 (3)


via /etc/default/route.conf   10.8.10.5.4.1 (4)


via RC scripts                10.8.10.5.4.1 (5)

via inetd
via inetd.conf                10.8.10.5.4.1 (11) #1

via inetd
via inetd.conf                10.8.10.5.4.1 (11) #2

via inetd
via inetd.conf                10.8.10.5.4.1 (11) #3

via inetd
via inetd.conf                10.8.10.5.4.1 (11) #4

via inetd
via inetd.conf                10.8.10.5.4.1 (11) #5

via inetd
via inetd.conf                10.8.10.5.4.1 (11) #6
via inetd
via inetd.conf   10.8.10.5.4.1 (11) #7

via inetd
via inetd.conf   10.8.10.5.4.1 (11) #8

via inetd
via inetd.conf   10.8.10.5.4.1 (11) #9

via inetd
via inetd.conf   10.8.10.5.4.1 (11) #10

via inetd
via inetd.conf   10.8.10.5.4.1 (11) #11

via inetd
via inetd.conf   10.8.10.5.4.1 (11) #12

via inetd
via inetd.conf   10.8.10.5.4.1 (11) #13

via inetd
via inetd.conf   10.8.10.5.4.1 (11) #14


via inetd
via inetd.conf   10.8.10.5.4.1 (11) #16

via inetd
via inetd.conf   10.8.10.5.4.1 (11) #17

via inetd
via inetd.conf   10.8.10.5.4.1 (11) #18


                 10.8.10.5.4.1 (11) #19

via inetd
via inetd.conf   10.8.10.5.4.1 (11) #20

via inetd
via inetd.conf   10.8.10.5.4.1 (11) #21

via inetd
via inetd.conf   10.8.10.5.4.1 (11) #22

via inetd
via inetd.conf   10.8.10.5.4.1 (11) #23
via inetd
via inetd.conf        10.8.10.5.4.1 (11) #24

via inetd
via inetd.conf        10.8.10.5.4.1 (11) #25

via inetd
via inetd.conf        10.8.10.5.4.1 (11) #26

via inetd
via inetd.conf        10.8.10.5.4.1 (11) #27

via inetd
via inetd.conf        10.8.10.5.4.1 (11) #28

via inetd
via inetd.conf        10.8.10.5.4.1 (11) #29

via inetd
via inetd.conf        10.8.10.5.4.1 (11) #30

via inetd
via inetd.conf        10.8.10.5.4.1 (11) #31

via inetd
via inetd.conf        10.8.10.5.4.1 (11) #32


via inetd
via inetd.conf        10.8.10.5.4.1 (11) #34

via inetd
via inetd.conf        10.8.10.5.4.1.1 (2)




via /etc/named.conf   10.8.10.5.4.1.1 (5)


                      10.8.10.5.4.1.2 (2)

via inetadm
via svccfg            10.8.10.5.4.1.3 (1)


                      10.8.10.5.4.1.4 (1)


via RC scripts        10.8.10.5.4.1.5 (1)
via RC scripts              10.8.10.5.4.1.5 (1)


via RC scripts              10.8.10.5.4.1.5 (1)


via RC scripts              10.8.10.5.4.1.5 (1)




                            10.8.10.5.4.1.5 (1) a)




                            10.8.10.5.4.1.5 (1) a)

via NFS
via /etc/exports            10.8.10.5.4.1.5 (1) f)




via /etc/exports            10.8.10.5.4.1.5 (1) g)




via /etc/fstab              10.8.10.5.4.1.5 (1) i)

via inetd
via RC scripts              10.8.10.5.4.2.2 (1)


via /etc/mail/sendmail.cf   10.8.10.5.4.2.2 (3)

via /etc/aliases
via /usr/lib/aliases        10.8.10.5.4.2.2 (4) c)


via rm                      10.8.10.5.4.2.2 (4) e)




via chown                   10.8.10.5.4.2.2 (4) f)
via chown                   10.8.10.5.4.2.2 (4) f)


via /etc/mail/sendmail.cf   10.8.10.5.4.2.2 (4) g)


via /etc/mail/sendmail.cf   10.8.10.5.4.2.2 (4) h)


via /etc/mail/sendmail.cf   10.8.10.5.4.2.2 (4) i)

via sendmail
via /etc/mail/sendmail.cf   10.8.10.5.4.2.2 (4) k)


via NIS+                    10.8.10.5.4.2.3 (1) b)


via Xwindows                10.8.10.5.4.2.4 (1)




via /etc/X*.hosts           10.8.10.5.4.2.4 (2) b)

via xdm
via gdm
via kdm                     10.8.10.5.4.2.4 (2) d)


via sshd_config             10.8.10.5.4.2.4 (2) f)
via smbd
via RC scripts              10.8.10.5.4.2.6 (1)


via smbd
via smb.conf                10.8.10.5.4.2.6 (3) a)

via smbd
via smb.conf                10.8.10.5.4.2.6 (3) b)

via smbd
via smb.conf                10.8.10.5.4.2.6 (3) c)


via smbd
via smb.conf                10.8.10.5.4.2.6 (3) d)
via ifconfig   10.8.10.5.4.3 (1)


via chmod      10.8.10-1 A.1 1) #1


via chmod      10.8.10-1 A.1 1) #2


via chmod      10.8.10-1 A.1 1) #2


via chmod      10.8.10-1 A.1 1) #5


via chmod      10.8.10-1 A.1 1) #5


via chmod      10.8.10-1 A.1 1) #6


via chmod      10.8.10-1 A.1 1) #7


via chmod      10.8.10-1 A.1 1) #7


via chmod      10.8.10-1 A.1 1) #8


via chmod      10.8.10-1 A.1 1) #9


via chmod      10.8.10-1 A.1 1) #10


via chmod      10.8.10-1 A.1 1) #11


via chmod      10.8.10-1 A.1 1) #13


via chmod      10.8.10-1 A.1 1) #14


via chmod      10.8.10-1 A.1 1) #21


via chmod      10.8.10-1 A.1 1) #23
via chmod        10.8.10-1 A.1 1) #25


via chmod        10.8.10-1 A.1 1) #26


via chmod        10.8.10-1 A.1 1) #27




via chmod        10.8.10-1 A.1 1) #29


via chmod        10.8.10-1 A.1 1) #31


via chmod        10.8.10-1 A.1 1) #32


via chmod        10.8.10-1 A.1 1) #34




via chmod        10.8.10-1 A.1 1) #35




via chmod        10.8.10-1 A.1 1) #36


via chmod        10.8.10-1 A.1 1) #37


via chmod        10.8.10-1 A.1 1) #38


via chmod        10.8.10-1 A.1 1) #39

via filesystem   10.8.10-1 A.1 1) #40


via chmod        10.8.10-1 A.1 1) #41


via chmod        10.8.10-1 A.1 1) #42
via chmod        10.8.10-1 A.1 1) #43


via chmod        10.8.10-1 A.1 1) #44


via chmod        10.8.10-1 A.1 1) #45

via filesystem   10.8.10-1 A.1 1) #46


via chmod        10.8.10-1 A.1 1) #47


via chmod        10.8.10-1 A.1 1) #48


via chmod        10.8.10-1 A.1 1) #49


via chmod        10.8.10-1 A.1 1) #50


via chmod        10.8.10-1 A.1 1) #51

via filesystem   10.8.10-1 A.1 1) #52


via chmod        10.8.10-1 A.1 1) #53


via chmod        10.8.10-1 A.1 1) #54


via chmod        10.8.10-1 A.1 1) #56


via chmod        10.8.10-1 A.1 1) #57


via chmod        10.8.10-1 A.1 1) #58


via chmod        10.8.10-1 A.1 1) #59


via chmod        10.8.10-1 A.1 1) #60
via chmod        10.8.10-1 A.1 1) #61


via chmod        10.8.10-1 A.1 1) #62


via chmod        10.8.10-1 A.1 1) #63


via chmod        10.8.10-1 A.1 1) #64


via chmod        10.8.10-1 A.1 1) #65


via chmod        10.8.10-1 A.1 1) #66


via chmod        10.8.10-1 A.1 1) #67


via chmod        10.8.10-1 A.1 1) #68


via filesystem   10.8.10-1 A.1 1) #69


via chmod        10.8.10-1 A.1 1) #70


via chmod        10.8.10-1 A.1 1) #71


via chmod        10.8.10-1 A.1 1) #72


via chmod        10.8.10-1 A.1 1) #73


via chmod        10.8.10-1 A.1 1) #75


via chmod        10.8.10-1 A.1 1) #76


via chmod        10.8.10-1 A.1 1) #77


via chmod        10.8.10-1 A.1 1) #78
via chmod        10.8.10-1 A.1 1) #79


via chmod        10.8.10-1 A.1 1) #80


via chmod        10.8.10-1 A.1 1) #81


via chmod        10.8.10-1 A.1 1) #82


via chmod        10.8.10-1 A.1 1) #83

via filesystem   10.8.10-1 A.1 1) #84


via chmod        10.8.10-1 A.1 1) #85


via chmod        10.8.10-1 A.1 1) #86


via chmod        10.8.10-1 A.1 1) #87


via chmod        10.8.10-1 A.1 1) #88


via chmod        10.8.10-1 A.1 1) #89


via chmod        10.8.10-1 A.1 1) #90


via chmod        10.8.10-1 A.1 1) #91


via chmod        10.8.10-1 A.1 1) #92


via chmod        10.8.10-1 A.1 1) #93


via chmod        10.8.10-1 A.1 1) #94


via chmod        10.8.10-1 A.1 1) #95
via chmod   10.8.10-1 A.1 1) #96


via chmod   10.8.10-1 A.1 1) #97


via chmod   10.8.10-1 A.1 1) #98


via chmod   10.8.10-1 A.1 1) #99


via chmod   10.8.10-1 A.1 1) #100


via chmod   10.8.10-1 A.1 1) #101


via chmod   10.8.10-1 A.1 1) #103


via chmod   10.8.10-1 A.1 1) #104


via chmod   10.8.10-1 A.1 1) #105


via chmod   10.8.10-1 A.1 1) #107


via chmod   10.8.10-1 A.1 1) #108


via chmod   10.8.10-1 A.1 1) #109


via chown   10.8.10-1 A.1 2) #1

via chgrp
via chown   10.8.10-1 A.1 2) #1


via chown   10.8.10-1 A.1 2) #2

via chgrp
via chown   10.8.10-1 A.1 2) #2


via chown   10.8.10-1 A.1 2) #2
via chgrp
via chown   10.8.10-1 A.1 2) #2


via chown   10.8.10-1 A.1 2) #4

via chgrp
via chown   10.8.10-1 A.1 2) #4


via chown   10.8.10-1 A.1 2) #4

via chgrp
via chown   10.8.10-1 A.1 2) #4


via chown   10.8.10-1 A.1 2) #5

via chgrp
via chown   10.8.10-1 A.1 2) #5


via chown   10.8.10-1 A.1 2) #5

via chgrp
via chown   10.8.10-1 A.1 2) #5


via chown   10.8.10-1 A.1 2) #6

via chgrp
via chown   10.8.10-1 A.1 2) #6


via chown   10.8.10-1 A.1 2) #7

via chgrp
via chown   10.8.10-1 A.1 2) #7


via chown   10.8.10-1 A.1 2) #7

via chgrp
via chown   10.8.10-1 A.1 2) #7


via chown   10.8.10-1 A.1 2) #7

via chgrp
via chown   10.8.10-1 A.1 2) #7
via chown   10.8.10-1 A.1 2) #11

via chgrp
via chown   10.8.10-1 A.1 2) #11


via chown   10.8.10-1 A.1 2) #12

via chgrp
via chown   10.8.10-1 A.1 2) #12


via chown   10.8.10-1 A.1 2) #13

via chgrp
via chown   10.8.10-1 A.1 2) #13




via chown   10.8.10-1 A.1 2) #14


via chgrp
via chown   10.8.10-1 A.1 2) #14




via chown   10.8.10-1 A.1 2) #16

via chgrp
via chown   10.8.10-1 A.1 2) #16




via chown   10.8.10-1 A.1 2) #18
via chgrp
via chown   10.8.10-1 A.1 2) #18




via chown   10.8.10-1 A.1 2) #21

via chgrp
via chown   10.8.10-1 A.1 2) #21


via chown   10.8.10-1 A.1 2) #22

via chgrp
via chown   10.8.10-1 A.1 2) #22




via chgrp
via chown   10.8.10-1 A.1 2) #26




via chown   10.8.10-1 A.1 2) #27




via chown   10.8.10-1 A.1 2) #29

via chgrp
via chown   10.8.10-1 A.1 2) #29


via chown   10.8.10-1 A.1 2) #30

via chgrp
via chown   10.8.10-1 A.1 2) #30


via chown   10.8.10-1 A.1 2) #31

via chgrp
via chown   10.8.10-1 A.1 2) #31
via chown              10.8.10-1 A.1 2) #32

via chgrp
via chown              10.8.10-1 A.1 2) #32


via chown              10.8.10-1 A.1 2) #35

via chgrp
via chown              10.8.10-1 A.1 2) #35


via chown              10.8.10-1 A.1 2) #36

via chgrp
via chown              10.8.10-1 A.1 2) #36


via chown              10.8.10-1 A.1 2) #37

via chgrp
via chown              10.8.10-1 A.1 2) #37




via chmod
via profile            10.8.10-1 A.2 1) #1




via local init files   10.8.10-1 A.2 1) #2




via local init files   10.8.10-1 A.2 1) #3




via local init files   10.8.10-1 A.2 1) #4
                        10.8.10-1 A.2 1) #7

via global init files   10.8.10-1 A.2 1) #8

via local init files    10.8.10-1 A.2 1) #8




Text editor




Text editor


                        10.8.10-1 A.3 4)




Text editor




Text editor


via chmod               10.8.10-1 A.1 1) #74


via chmod               10.8.10-2 B.1 1) #1


via chmod               10.8.10-2 B.1 1) #3


via chmod               10.8.10-2 B.1 1) #4
via chmod   10.8.10-2 B.1 1) #5


via chmod   10.8.10-2 B.1 1) #6


via chmod   10.8.10-2 B.1 1) #7


via chmod   10.8.10-2 B.1 1) #8


via chown   10.8.10-2 B.1 1) #1


via chown   10.8.10-3 C.1 1) #9


via chown   10.8.10-3 C.1 1) #9


via chown   10.8.10-3 C.1 1) #9


via chown   10.8.10-2 B.1 1) #3


via chown   10.8.10-2 B.1 1) #4


via chown   10.8.10-2 B.1 1) #5


via chown   10.8.10-2 B.1 1) #6


via chown   10.8.10-2 B.1 1) #7




via chown   10.8.10-3 C.1 1) #9


via chown   10.8.10-3 C.1 1) #9


via chown   10.8.10-3 C.1 1) #9
via chgrp
via chown              10.8.10-2 B.1 1) #1

via chgrp
via chown              10.8.10-2 B.1 1) #3

via chgrp
via chown              10.8.10-2 B.1 1) #4

via chgrp
via chown              10.8.10-2 B.1 1) #5

via chgrp
via chown              10.8.10-2 B.1 1) #6

via chgrp
via chown              10.8.10-2 B.1 1) #7




via chown              10.8.10-3 C.1 1) #9


via chown              10.8.10-3 C.1 1) #9


via chown              10.8.10-3 C.1 1) #9




via PAM                10.8.10-2 B.2.1 1)


via /etc/pam.conf      10.8.10-2 B.2.1 2) a)


via /etc/pam.d         10.8.10-2 B.2.1 2) b)




via /etc/syslog.conf   10.8.10-2 B.2.1 3)

via /etc/syslog.conf   10.8.10-2 B.2.1 3)
via /usr/aset/masters/uid_aliases   10.8.10-2 B.2.2 1)




via filesystem                      10.8.10-2 B.2.2 2)




via filesystem                      10.8.10-2 B.2.2 2)




via filesystem                      10.8.10-2 B.2.2 2)

via filesystem                      10.8.10-2 B.2.2 2)


via /usr/aset/asetenv               10.8.10-2 B.2.2 3)


via /usr/aset/asetenv               10.8.10-2 B.2.2 3)


via /usr/aset/asetenv               10.8.10-2 B.2.2 3)


via /usr/aset/asetenv               10.8.10-2 B.2.2 3)


via /usr/aset/asetenv               10.8.10-2 B.2.2 3)


via /usr/aset/userlist              10.8.10-2 B.2.2 4)


via /usr/aset/asetenv               10.8.10-2 B.2.2 5)


via EEPROM                          10.8.10-2 B.3 2)


via EEPROM                          10.8.10-2 B.3 3)
via /etc/system                                     10.8.10-2 B.4 1)




via /etc/system                                     10.8.10-2 B.4 1)


via /etc/default/login                              10.8.10-2 B.4 2)

via /etc/default/login                              10.8.10-2 B.4 2)


via /etc/default/login                              10.8.10-2 B.4 2)




via /etc/default/login                              10.8.10-2 B.4 2)

via /etc/default/su                                 10.8.10-2 B.4 3)


via "dir" flag in /etc/security/audit_control       10.8.10-2 B.5 1) a)


via "lo" flag in /etc/security/audit_control        10.8.10-2 B.5 1) b)




via "na" flag in /etc/security/audit_control        10.8.10-2 B.5 1) c)


via "minfree" flag in /etc/security/audit_control   10.8.10-2 B.5 1) d)




via /etc/security/audit_event                       10.8.10-2 B.5 4) #3


via /etc/security/audit_event                       10.8.10-2 B.5 4) #4




via /etc/security/audit_event                       10.8.10-2 B.5 4) #5


via /etc/security/audit_event                       10.8.10-2 B.5 4) #8
via /etc/security/audit_event   10.8.10-2 B.5 4) #10


via /etc/security/audit_event   10.8.10-2 B.5 4) #13


via /etc/security/audit_user    10.8.10-2 B.5 5)


via /etc/syslog.conf            10.8.10-2 B.5 6)


via /etc/syslog.conf            10.8.10-2 B.5 6)


via /etc/syslog.conf            10.8.10-2 B.5 6)


via /etc/syslog.conf            10.8.10-2 B.5 6)


via /etc/syslog.conf            10.8.10-2 B.5 6)


via /etc/syslog.conf            10.8.10-2 B.5 6)


via /etc/syslog.conf            10.8.10-2 B.5 6)


via /etc/syslog.conf            10.8.10-2 B.5 6)


via /var/adm/loginlog           10.8.10-2 B.5 7)


via /etc/syslog.conf            10.8.10-2 B.5 8)


via /etc/syslog.conf            10.8.10-2 B.5 9)


via chown                       10.8.10-2 B.5 11)


via chown                       10.8.10-2 B.5 11)
via chown                                                           10.8.10-2 B.5 11)




via /etc/security/bsmconv                                           10.8.10-2 B.5.2 2)




via /etc/inittab                                                    10.8.10-2 B.6 1)


via the tcp_conn_req_max value set with the ndd utility             10.8.10-2 B.6 3)


via the tcp_ip_abort_interval value set with the ndd utility        10.8.10-2 B.6 3)


via the ip_forward_directed_broadcasts value set with the ndd
utility                                                             10.8.10-2 B.6 3)


via the ip_respond_to_echo_broadcast value set with the ndd
utility                                                             10.8.10-2 B.6 3)




via the ip_respond_to_timestamp value set with the ndd utility      10.8.10-2 B.6 3)




via the ip_respond_to_timestamp_broadcast value set with the
ndd utility                                                         10.8.10-2 B.6 3)


via the ip_respond_to_address_mask_broadcast value set
with the ndd utility                                                10.8.10-2 B.6 3)


via the arp_cleanup_interval value value set with the ndd utility   10.8.10-2 B.6 3)
via the ip_ire_arp_interval value set with the ndd utility
/etc/rc2.d/S70ndd-security                                          10.8.10-2 B.6 3)

via the ip_ignore_redirect and ip6_ignore_redirect values set
with the ndd utility                                                10.8.10-2 B.6 3)
via the ip_send_redirects value set with the ndd utility           10.8.10-2 B.6 3)




via the ip_forward_src_routed set with the ndd utility             10.8.10-2 B.6 3)


via the ip_forwarding value set with the ndd utility               10.8.10-2 B.6 3)




via the ip_strict_dst_multihoming value set with the ndd utility   10.8.10-2 B.6 3)




via the ip6_forward_src_routed value set with the ndd utility      10.8.10-2 B.6 3)


via the ip6_forwarding value set with the ndd utility              10.8.10-2 B.6 3)


via the tcp_rev_src_routes value set with the ndd utility          10.8.10-2 B.6 3)

via /etc/notrouter                                                 10.8.10-2 B.6 4)




via /etc/nscd.conf                                                 10.8.10-2 B.6 6)


via /etc/init.d/inetsvc                                            10.8.10-2 B.6 7)


via /etc/inetd.conf                                                10.8.10-2 B.6.1 1)


via /etc/dfs/dfstab                                                10.8.10-2 B.6.3 1)




via global init files                                              10.8.10-2 B.8 1) #1




via /etc/nscd.conf                                                 10.8.10-2 B.6 6)
via /etc/nscd.conf              10.8.10-2 B.6 6)




via /etc/security/audit_event   10.8.10-2 B.5 4) #13


via /etc/security/audit_event   10.8.10-2 B.5 4) #13


via /etc/security/audit_event   10.8.10-2 B.5 4) #13


via /etc/security/audit_event   10.8.10-2 B.5 4) #13


via /etc/security/audit_event   10.8.10-2 B.5 4) #13


via /etc/security/audit_event   10.8.10-2 B.5 4) #13


via /etc/security/audit_event   10.8.10-2 B.5 4) #13


via /etc/security/audit_event   10.8.10-2 B.5 4) #13


via /etc/security/audit_event   10.8.10-2 B.5 4) #13


via /etc/security/audit_event   10.8.10-2 B.5 4) #13


via /etc/security/audit_event   10.8.10-2 B.5 4) #13


via /etc/security/audit_event   10.8.10-2 B.5 4) #2


via /etc/security/audit_event   10.8.10-2 B.5 4) #1


via /etc/security/audit_event   10.8.10-2 B.5 4) #1


via /etc/security/audit_event   10.8.10-2 B.5 4) #1
via /etc/security/audit_event   10.8.10-2 B.5 4) #1


via /etc/security/audit_event   10.8.10-2 B.5 4) #1


via /etc/security/audit_event   10.8.10-2 B.5 4) #1


via /etc/security/audit_event   10.8.10-2 B.5 4) #1


via /etc/pam.conf               10.8.10-2 B.2.1 2) a)


via /etc/pam.d                  10.8.10-2 B.2.1 2) b)

/etc/security/limits
ulimit                          10.8.10.4.4 (3)




                                10.8.10.5.2.6 (4)
                                                 CCE
  CCE ID        CCE Description
                                              Parameters



             /export/home should be
             configured on an
             appropriate filesystem
CCE-7173-8   partition                     partition
             /var should be configured
             on an appropriate
CCE-6194-5   filesystem partition          partition
             /opt should be configured
             on an appropriate
CCE-6995-5   filesystem partition          partition
             The shell for the root
             account should be located
             on the appropriate
CCE-6632-4   filesystem                    filesystem

             Core dump size limits         Size (0 to disable
CCE-6196-0   should be set appropriately   core dumps)
             The read-only SNMP
             community string should be
CCE-6981-5   set appropriately.            string
             The read/write SNMP
             community string should be
CCE-6951-8   set appropriately.            string
CCE-7167-0   DEPRECATED.

             Password policy should
             ban or allow words found in
CCE-6919-5   a dictionary as appropriate. ban/allow

             Password policy should
             enforce the correct amount    number of special
CCE-6198-6   of special characters         characters
             Password policy should
             enforce or not enforce the
             requirement to have mixed
             case passwords as
CCE-7049-0   appropriate.                  enforce/not enforce
             The minimum password
             age should be set as
CCE-7146-4   appropriate                   number of days
             The minimum required
             password length should be       number of
CCE-7080-5   set as appropriate              characters
             Password history should be
             saved for an appropriate
             number of password              number of password
CCE-7086-2   changes                         changes
             The number of consecutive
             failed login attempts
             required to trigger a lockout   number of
             should be set as                consecutive failed
CCE-6434-5   appropriate                     login attempts
             Login access to accounts
             without passwords should
             be enabled or disabled as
CCE-7196-9   appropriate                     enabled/disabled
             New users should be
             required or not required to
             change their password on
CCE-7024-3   first login as appropriate      required/not required
             Access to single-user
             mode (maintainence mode)
             should require the root
             password or not as
CCE-7104-3   appropriate                     required/not required
             The delay between failed
             logins should be set as
CCE-7028-4   appropriate                     number of seconds

             All files should be owned       existing account
             by an existing account or       required / existing
CCE-7108-4   not as appropriate.             account not required
             All files should be owned       existing group
             by an existing group or not     required / existing
CCE-6323-0   as appropriate.                 group not required

             The console login banner
CCE-6218-2   should be set appropriately. banner text or null

             The SSH login banner
CCE-7066-4   should be set appropriately. banner text or null

             The telnet login banner
CCE-6903-9   should be set appropriately. banner text or null

             The ftp login banner should
CCE-6837-9   be set appropriately.       banner text or null

             The graphical login banner
CCE-6683-7   should be set appropriately. banner text or null
             Accounts other than root
             should be allowed to have
             the UID 0 or not as
CCE-6841-1   appropriate                     allowed/not allowed
             Accounts other than root
             and locked system
             accounts should be
             allowed to have a GID of 0
CCE-7185-2   or not as appropriate           allowed/not allowed
             Each account should be
             assigned a unique UID or
CCE-6255-4   not as appropriate              unique/not unique
             The ftp account should
CCE-6688-6   exist or not as appropriate     exist/not exist
             Login accounts should
             include an appropriate
             GECOS identifier or no
CCE-7164-7   GECOS identifier                GECOS value, null
             The screen lock should
             activate after an
             appropriate period of
CCE-6926-0   inactivity                      number of minutes
             File permissions should be
             set appropriately for all
CCE-6895-7   shell executables.              permissions
             Remote (serial) consoles
             should be enabled or
CCE-7245-4   disabled as appropriate.        enabled/disabled
             Root logins should be
             restricted to the console or    restricted/not
CCE-7232-2   not as appropriate.             restricted
             .netrc files should exist or
             not as appropriate for all
CCE-6311-5   users.                          exist/not exist
             .rhosts files should exist or
             not as appropriate for all
CCE-6976-5   users.                          exist/not exist
             .shosts files should exist or
             not as appropriate for all
CCE-7157-1   users.                          exist/not exist
             The /etc/hosts.equiv file
             should exist or not as
CCE-6712-4   appropriate.                    exist/not exist

             The use of NIS special
             characters (+ or -) in the
             first field of the /etc/passwd
             file should be allowed or
CCE-7183-7   disallowed as appropriate. set of allowed values
             The use of NIS special
             characters (+ or -) in the
             first field of the /etc/shadow
             file should be allowed or
CCE-7117-5   disallowed as appropriate.       set of allowed values
             The use of NIS special
             characters (+ or -) in the
             first field of the /etc/group
             file should be allowed or
CCE-7152-2   disallowed as appropriate.       set of allowed values
             The /etc/shells file should
CCE-7214-0   exist or not as appropriate      exist/not exist
             Shells referenced in
             /etc/passwd should be
             included in /etc/shells or
CCE-6258-8   not as appropriate               included/not included
             Groups referenced in
             /etc/passwd should be
             included in /etc/group or
CCE-6536-7   not as appropriate.              included/not included
             The home directory for the
             root account should be set
CCE-6324-8   appropriately.                   path
             The home directory for
             each user account should
CCE-7258-7   be set appropriately.            path
             Home directories
             referenced in /etc/passwd
             should exist or not as
CCE-6260-4   appropriate                      exist/not exist
             All device files should be
             located inside an
CCE-7119-1   appropriate path                 path
             The ntpd service should be
             enabled or disabled as
CCE-7105-0   appropriate.                     enabled/disabled

             The Network Time Protocol
             (ntp) synchronization
             server should be set
CCE-6264-6   appropriately.                timeserver
             All logon attempts should
             be logged or not logged as
CCE-7201-7   appropriate                   logged/not logged
             All su (switch user) activity
             should be logged or not as
CCE-6902-1   appropriate                   logged/not logged
             Filesystem
             logging/journaling should
             be performed or not as        performed/not
CCE-7186-0   appropriate                   performed
             Automount should be
             enabled or disabled as
CCE-6267-9   appropriate                   enabled/disabled
             Source-routed packets
             should be accepted or
CCE-6276-0   rejected as appropriate.      accepted/rejected
             Response to ICMP
             timestamp requests should
             be enabled or disabled as
CCE-6885-8   appropriate                   enabled/disabled
             Response to ICMP
             timestamp broadcast
             requests should be
             enabled or disabled as
CCE-6485-7   appropriate                   enabled/disabled
             Response to ICMP echo
             (ping) requests should be
             enabled or disabled as
CCE-7017-7   appropriate                   enabled/disabled
             Executable stack should be
             enabled or disabled as
CCE-6285-1   appropriate                   enabled/disabled

             The default gateway should
CCE-7053-2   be set appropriately.         IP address/disabled
             The inetd service should be
             enabled or disabled as
CCE-6713-2   appropriate.                  enabled/disabled
             echo service should be
             enabled or disabled as
CCE-6541-7   appropriate                   enabled/disabled
             netstat service should be
             enabled or disabled as
CCE-6585-4   appropriate                   enabled/disabled
             rcp service should be
             enabled or disabled as
CCE-6287-7   appropriate                   enabled/disabled
             chargen service should be
             enabled or disabled as
CCE-7156-3   appropriate                   enabled/disabled
             finger service should be
             enabled or disabled as
CCE-7045-8   appropriate                   enabled/disabled
             tftpd service should be
             enabled or disabled as
CCE-6746-2   appropriate                   enabled/disabled
             walld service should be
             enabled or disabled as
CCE-7137-3   appropriate                 enabled/disabled
             rstatd service should be
             enabled or disabled as
CCE-7234-8   appropriate                 enabled/disabled
             sprayd service should be
             enabled or disabled as
CCE-6299-2   appropriate                 enabled/disabled
             rusersd service should be
             enabled or disabled as
CCE-6307-3   appropriate                 enabled/disabled
             rlogin service should be
             enabled or disabled as
CCE-6567-2   appropriate                 enabled/disabled
             rsh service should be
             enabled or disabled as
CCE-7098-7   appropriate                 enabled/disabled
             ftp service should be
             enabled or disabled as
CCE-7067-2   appropriate                 enabled/disabled
             telnet service should be
             enabled or disabled as
CCE-7005-2   appropriate                 enabled/disabled
CCE-4909-8   DEPRECATED.
             inn service should be
             enabled or disabled as
CCE-6630-8   appropriate                 enabled/disabled
             uucp service should be
             enabled or disabled as
CCE-7145-6   appropriate                 enabled/disabled
             rexec service should be
             enabled or disabled as
CCE-6308-1   appropriate                 enabled/disabled
             inetd logging should be
             enabled or disabled as
CCE-6803-1   appropriate                 enabled/disabled
             font-service should be
             enabled or disabled as
CCE-6604-3   appropriate                 enabled/disabled
             imap2 service should be
             enabled or disabled as
CCE-7058-1   appropriate                 enabled/disabled
             pop3 service should be
             enabled or disabled as
CCE-7274-4   appropriate                 enabled/disabled
             ident service should be
             enabled or disabled as
CCE-7149-8   appropriate                 enabled/disabled
             rexd service should be
             enabled or disabled as
CCE-7118-3   appropriate                   enabled/disabled
             sadmin service should be
             enabled or disabled as
CCE-6650-6   appropriate                   enabled/disabled
             daytime service should be
             enabled or disabled as
CCE-7153-0   appropriate                   enabled/disabled
             dtspc (cde-spc) service
             should be enabled or
CCE-7307-2   disabled as appropriate       enabled/disabled
             rquotad service should be
             enabled or disabled as
CCE-6945-0   appropriate                   enabled/disabled
             cmsd service should be
             enabled or disabled as
CCE-6685-2   appropriate                   enabled/disabled
             tooltalk service should be
             enabled or disabled as
CCE-7059-9   appropriate                   enabled/disabled
             xdmcp service should be
             enabled or disabled as
CCE-7275-1   appropriate                   enabled/disabled
             discard service should be
             enabled or disabled as
CCE-7249-6   appropriate                   enabled/disabled
CCE-4923-9   DEPRECATED.
             vino-server service should
             be enabled or disabled as
CCE-7089-6   appropriate                   enabled/disabled
             The bind service should be
             enabled or disabled as
CCE-6603-5   appropriate.                  enabled/disabled
             The version string reported
             by the bind service should
             be configured
CCE-6947-6   appropriately.                string
             SSH Protocol v1 should be
             enabled or disabled as
CCE-7172-0   appropriate                   enabled/disabled
             TCP_WRAPPERS should
             be enabled or disabled as
CCE-6321-4   appropriate                   enabled/disabled
             SNMP version 1 should be
             enabled or disabled as
CCE-6322-2   appropriate                   enabled/disabled
             The nfsd service should be
             enabled or disabled as
CCE-7189-4   appropriate                   enabled/disabled
             The mountd service should
             be enabled or disabled as
CCE-7154-8   appropriate                    enabled/disabled
             The statd service should be
             enabled or disabled as
CCE-6595-3   appropriate                    enabled/disabled
             The lockd service should
             be enabled or disabled as
CCE-7031-8   appropriate                    enabled/disabled
             NFS should be configured
             to respond or not as
             appropriate to client
             requests that do not
CCE-8602-5   include a user id .            respond/not respond
             NFS should be configured
             to respond or not as
             appropriate to client
             requests that do not
             originate from a privileged
CCE-6877-5   port                           respond/not respond
             NFS should be configured
             with appropriate
CCE-7097-9   authentication methods         list of auth methods
             The read-only (ro) option
             should be enabled or
             disabled as appropriate for
CCE-7220-7   all NFS exports.               enabled/disabled
             The nosuid option should
             be enabled or disabled for
             all NFS mounts as
CCE-7062-3   appropriate                    enabled/disabled
             Sendmail should be
             enabled or disabled as
CCE-6453-5   appropriate                    enabled/disabled

             The sendmail banner
CCE-7299-1   should be set appropriately.   string
             The decode sendmail alias
             should be enabled or
CCE-6643-1   disabled as appropriate.       enabled/disabled
             .forward files should be
             allowed or disallowed as
CCE-6328-9   appropriate for all users      allow/disallow
             Programs executed
             through the aliases file
             should be owned by an
CCE-6338-8   appropriate user               user
             Programs executed
             through the aliases file
             should reside a directory
             with an appropriate user
CCE-7158-9   owner                          user
             Sendmail vrfy command
             should be allowed or not as
CCE-6489-9   appropriate                    allow/disallow
             Sendmail expn command
             should be allowed or not as
CCE-7317-1   appropriate                    allow/disallow
             Sendmail should be
             configured with an
CCE-7096-1   appropriate logging level      logging level
             Sendmail help command
             should be allowed or not as
CCE-6696-9   appropriate                    allow/disallow
             DEPRECTATED in favor of
             CCE-8421-0 and CCE-
CCE-7193-6   8330-3
             NIS clinent should be
             enabled or disabled as
CCE-8421-0   appropriate                    enabled/disabled
             NIS server should be
             enabled or disabled as
CCE-8330-3   appropriate                    enabled/disabled
             NIS+ server should operate
             at an appropriate security
CCE-7290-0   level                          security level
             X-Windows should be
             enabled or disabled as
CCE-7259-5   appropriate                    enabled/disabled

             Authorized X-clients should
             be listed or not in the
CCE-7038-3   X*.hosts file as appropriate   listed/not listed
             X-Windows should write
             .Xauthority files to users'
             home directories or not as
CCE-7228-0   appropriate                    write/not write
             X11 forwarding via SSH
             should be enabled or
CCE-7197-7   disabled as appropriate.       enabled/disabled
             Samba should be enabled
CCE-7230-6   or disabled as appropriate     enabled/disabled
             Samba 'hosts allow' option
             should be configured with
             an appropriate set of
CCE-6557-3   networks                       list of networks
             Samba 'security option'
             option should be set as
CCE-6961-7   appropriate
             Samba 'encrypt' passwords
             option should be set as
CCE-6341-2   appropriate                  yes/no
             Samba 'smb passwd file'
             option should be set to an
             appropriate password file
CCE-7264-5   or no password file          file/nothing
             IPv6 should be enabled or
CCE-6783-5   disabled as appropriate      enabled/disabled
             The "at" utility directory
             permissions should be set
CCE-6342-0   as appropriate               permissions

             at.allow file permissions
CCE-7251-2   should be set appropriately permissions

             at.deny file permissions
CCE-6367-7   should be set appropriately permissions

             Cron directory permissions
CCE-7215-7   should be set appropriately permissions
             Crontab directory
             permissions should be set
CCE-7336-1   appropriately               permissions

             Cron log file permissions
CCE-6428-7   should be set appropriately permissions

             cron.allow file permissions
CCE-7194-4   should be set appropriately permissions

             cron.deny file permissions
CCE-7181-1   should be set appropriately permissions

             Crontab file permissions
CCE-7120-9   should be set appropriately permissions

             /dev/kmem file permissions
CCE-7150-6   should be set appropriately permissions

             /dev/mem file permissions
CCE-6378-4   should be set appropriately permissions

             /dev/null file permissions
CCE-7029-2   should be set appropriately permissions

             resolv.conf file permissions
CCE-7231-4   should be set appropriately permissions
             /etc/named.conf file
             permissions should be set
CCE-7179-5   appropriately              permissions
             File permissions should be
             set appropriately for all
CCE-6491-5   user home directories.     permissions
             /etc/exports file
             permissions should be set
CCE-7337-9   appropriately              permissions

             /usr/bin/at file permissions
CCE-6668-8   should be set appropriately permissions
             /usr/bin/rdist file
             permissions should be set
CCE-6936-9   appropriately                permissions
             /usr/sbin/sync file
             permissions should be set
CCE-7174-6   appropriately                permissions

             Superuser account home
             directories' permissions
CCE-7063-1   should be set appropriately permissions
             /etc/samba/smb.conf file
             permissions should be set
CCE-7248-8   appropriately               permissions
             smbpassword executable
             permissions should be set
CCE-7218-1   appropriately               permissions

             Aliases file permissions
CCE-7376-7   should be set appropriately permissions
             File permissions should be
             set as appropriate for the
             log file configured to
             capture critical sendmail
CCE-7217-3   messages.                   permissions
             All files executed through
             /etc/aliases file entries
             should have file
             permissions set
CCE-7109-2   appropriately               permissions

             /bin/csh file permissions
CCE-6933-6   should be set appropriately permissions

             /bin/jsh file permissions
CCE-7136-5   should be set appropriately permissions

             /bin/ksh file permissions
CCE-7171-2   should be set appropriately permissions
             The /bin/rsh file should
CCE-7250-4   exist or not as appropriate   exist/not exist

             /bin/sh file permissions
CCE-7267-8   should be set appropriately permissions

             /bin/bash file permissions
CCE-7003-7   should be set appropriately permissions

             /sbin/csh file permissions
CCE-7329-6   should be set appropriately permissions

             /sbin/jsh file permissions
CCE-6721-5   should be set appropriately permissions

             /sbin/ksh file permissions
CCE-6672-0   should be set appropriately permissions
             The /sbin/rsh file should
CCE-7309-8   exist or not as appropriate exist/not exist

             /sbin/sh file permissions
CCE-7278-5   should be set appropriately permissions

             /sbin/bash file permissions
CCE-7353-6   should be set appropriately permissions
             /usr/bin/csh file
             permissions should be set
CCE-7269-4   appropriately               permissions

             /usr/bin/jsh file permissions
CCE-6490-7   should be set appropriately permissions
             /usr/bin/ksh file
             permissions should be set
CCE-7286-8   appropriately                 permissions
             The /usr/bin/rsh file should
CCE-7348-6   exist or not as appropriate exist/not exist

             /usr/bin/sh file permissions
CCE-7176-1   should be set appropriately permissions
             /usr/bin/bash file
             permissions should be set
CCE-6379-2   appropriately                permissions
             snmpd.conf file
             permissions should be set
CCE-7292-6   appropriately                permissions

             /tmp file permissions
CCE-7243-9   should be set appropriately permissions
             /usr/tmp file permissions
CCE-7355-1   should be set appropriately permissions
             traceroute executable file
             permissions should be set
CCE-7095-3   appropriately                permissions
             .Xauthority file permissions
             should be set appropriately
CCE-7113-4   for all users.               permissions

             /etc/aliases file permissions
CCE-6439-4   should be set appropriately permissions
             /etc/cron.d/at.allow file
             permissions should be set
CCE-7144-9   appropriately                 permissions
             /etc/cron.d/cron.allow file
             permissions should be set
CCE-6927-8   appropriately                 permissions

             /etc/csh file permissions
CCE-6645-6   should be set appropriately permissions
             /etc/default/* file
             permissions should be set
CCE-6768-6   appropriately               permissions
             /etc/default/login file
             permissions should be set
CCE-6861-9   appropriately               permissions

             /etc/dfs file permissions
CCE-6835-3   should be set appropriately permissions

             /etc/fs file permissions
CCE-7293-4   should be set appropriately   permissions
             The /etc/ftpusers file
             should exist or not as
CCE-6624-1   appropriate                   exist/not exist
             /etc/host.lpd file
             permissions should be set
CCE-6950-0   appropriately                 permissions
             /etc/hostname* file
             permissions should be set
CCE-6610-0   appropriately                 permissions

             /etc/hosts file permissions
CCE-7187-8   should be set appropriately permissions
             /etc/inetd.conf file
             permissions should be set
CCE-6953-4   appropriately               permissions

             /etc/issue file permissions
CCE-6390-9   should be set appropriately permissions
             /etc/jsh file permissions
CCE-7008-6   should be set appropriately permissions

             /etc/ksh file permissions
CCE-7184-5   should be set appropriately permissions
             /etc/mail/aliases file
             permissions should be set
CCE-6392-5   appropriately               permissions

             /etc/motd file permissions
CCE-6615-9   should be set appropriately   permissions
             /etc/netconfig file
             permissions should be set
CCE-7087-0   appropriately                 permissions
             /etc/notrouter file
             permissions should be set
CCE-6805-6   appropriately                 permissions
             /etc/pam.conf file
             permissions should be set
CCE-7069-8   appropriately                 permissions
             /etc/passwd file
             permissions should be set
CCE-6399-0   appropriately                 permissions
             The /etc/rsh file should
CCE-7289-2   exist or not as appropriate   exist/not exist
             /etc/security file
             permissions should be set
CCE-6778-5   appropriately                 permissions
             /etc/services file
             permissions should be set
CCE-6394-1   appropriately                 permissions

             /etc/sh file permissions
CCE-7022-7   should be set appropriately permissions
             /etc/shadow file
             permissions should be set
CCE-6991-4   appropriately               permissions
             /etc/syslog.conf file
             permissions should be set
CCE-6733-0   appropriately               permissions

             /etc/ufs file permissions
CCE-6562-3   should be set appropriately permissions

             /etc/vfstab file permissions
CCE-7011-0   should be set appropriately permissions
             /etc/vold.conf file
             permissions should be set
CCE-6400-6   appropriately                permissions
             /var/adm/loginlog file
             permissions should be set
CCE-7272-8   appropriately                 permissions
             /var/adm/messages file
             permissions should be set
CCE-7347-8   appropriately                 permissions
             /var/adm/sulog file
             permissions should be set
CCE-6990-6   appropriately                 permissions
             /var/adm/utmp file
             permissions should be set
CCE-7210-8   appropriately                 permissions
             /var/adm/wtmp file
             permissions should be set
CCE-7240-5   appropriately                 permissions
             /var/adm/authlog file
             permissions should be set
CCE-6928-6   appropriately                 permissions
             /var/adm/syslog file
             permissions should be set
CCE-7020-1   appropriately                 permissions

             /var/mail file permissions
CCE-7159-7   should be set appropriately permissions

             /var/tmp file permissions
CCE-7397-3   should be set appropriately   permissions
             /usr/lib/pt_chmod file
             permissions should be set
CCE-7273-6   appropriately                 permissions
             /usr/lib/embedded_us file
             permissions should be set
CCE-7366-8   appropriately                 permissions
             /usr/lib/sendmail file
             permissions should be set
CCE-7340-3   appropriately                 permissions
             /usr/kerberos/bin/rsh file
             permissions should be set
CCE-7101-9   appropriately                 permissions
             /var/spool/mail file
             permissions should be set
CCE-7207-4   appropriately                 permissions
             smbpassword file
             permissions should be set
CCE-7326-2   appropriately                 permissions
             At directory should be
             owned by an appropriate
CCE-6405-5   user                          list of users
             At directory should be
             owned by an appropriate
CCE-7393-2   group                         list of groups
             at.allow file should be
             owned by an appropriate
CCE-7203-3   user                           list of users
             at.allow file should be
             owned by an appropriate
CCE-6767-8   group                          list of groups
             at.deny file should be
             owned by an appropriate
CCE-6860-1   user                           list of users
             at.deny file should be
             owned by an appropriate
CCE-6452-7   group                          list of groups
             Cron directories should be
             owned by an appropriate
CCE-7378-3   user                           list of users
             Cron directories should be
             owned by an appropriate
CCE-7161-3   group                          list of groups
             Crontab directories should
             be owned by an
CCE-7236-3   appropriate user               list of users
             Crontab directories should
             be owned by an
CCE-7351-0   appropriate group              list of groups
             cron.allow file should be
             owned by an appropriate
CCE-6601-9   user                           list of users
             cron.allow file should be
             owned by an appropriate
CCE-6580-5   group                          list of groups

             cron.deny should be owned
CCE-7225-6   by an appropriate user         list of users
             cron.deny data should be
             owned by an appropriate
CCE-7305-6   group                          list of groups
             crontab files should be
             owned by an appropriate
CCE-7283-5   user                           list of users
             crontab files should be
             owned by an appropriate
CCE-6670-4   group                          list of groups
             /etc/resolv.conf file should
             be owned by an
CCE-7115-9   appropriate user               list of users
             /etc/resolv.conf file should
             be owned by an
CCE-7400-5   appropriate group              list of groups
             /etc/named.boot file should
             be owned by an
CCE-7242-1   appropriate user               list of users
             /etc/named.boot file should
             be owned by an
CCE-7304-9   appropriate group             list of groups
             /etc/named.conf file should
             be owned by an
CCE-7092-0   appropriate user              list of users
             /etc/named.conf file should
             be owned by an
CCE-7308-0   appropriate group             list of groups
CCE-7306-4   DEPRECATED.
CCE-7398-1   DEPRECATED.
CCE-6459-2   DEPRECATED.
CCE-7035-9   DEPRECATED.
CCE-7110-0   DEPRECATED.
CCE-7440-1   DEPRECATED.
CCE-7453-4   DEPRECATED.
CCE-7052-4   DEPRECATED.
             Each user home directory
             should be owned by an
CCE-7457-5   appropriate user.             list of users
             Each user home directory
             should be owned by an
CCE-7268-6   appropriate group.            list of groups
             inetd.conf file should be
             owned by an appropriate
CCE-7237-1   user                          list of users
             inetd.conf file should be
             owned by an appropriate
CCE-7147-2   group                         list of groups
             /etc/exports should be
             owned by an appropriate
CCE-7363-5   user                          list of users
             /etc/exports should be
             owned by an appropriate
CCE-6737-1   group                         list of groups
             Exported files and
             directories should be
             owned by an appropriate
CCE-7459-1   user                          list of users
             Exported files and
             directories should be
             owned by an appropriate
CCE-8359-2   group                         list of groups
CCE-7434-4   DEPRECATED.
CCE-7276-9   DEPRECATED.
CCE-7064-9   DEPRECATED.
CCE-7407-0   DEPRECATED.
CCE-7359-3   DEPRECATED.
CCE-7280-1   DEPRECATED.
             /etc/services file should be
             owned by an appropriate
CCE-6469-1   user                            list of users
             /etc/services file should be
             owned by an appropriate
CCE-6474-1   group                           list of groups
CCE-6729-8   DEPRECATED.
CCE-7430-2   DEPRECATED.
             /etc/notrouter file should be
             owned by an appropriate
CCE-7358-5   user                            list of users
             /etc/notrouter file should be
             owned by an appropriate
CCE-7438-5   group                           list of groups
CCE-7262-9   DEPRECATED.
CCE-6479-0   DEPRECATED.
             /etc/samba/smb.conf file
             should be owned by an
CCE-7125-8   appropriate user                list of users
             /etc/samba/smb.conf file
             should be owned by an
CCE-7282-7   appropriate group               list of groups
             smbpasswd executable
             should be owned by an
CCE-7471-6   appropriate user                list of users
             smbpasswd executable
             should be owned by an
CCE-7441-9   appropriate group               list of groups
CCE-6850-2   DEPRECATED.
CCE-6480-8   DEPRECATED.
CCE-7071-4   DEPRECATED.
CCE-7296-7   DEPRECATED.
             Programs executed
             through aliases file entries
             should be owned by an
CCE-6886-6   appropriate user                list of users
             Programs executed
             through aliases file entries
             should be owned by an
CCE-7401-3   appropriate group               list of groups
CCE-7368-4   DEPRECATED.
CCE-7352-8   DEPRECATED.
CCE-7056-5   DEPRECATED.
             snmpd.conf file should be
             owned by an appropriate
CCE-7460-9   user                            list of users
             snmpd.conf file should be
             owned by an appropriate
CCE-6481-6   group                           list of groups
             /etc/syslog.conf file should
             be owned by an
CCE-7241-3   appropriate user                 list of users
             /etc/syslog.conf file should
             be owned by an
CCE-7404-7   appropriate group                list of groups
             traceroute executable
             should be owned by an
CCE-6495-6   appropriate user                 list of users
             traceroute executable
             should be owned by an
CCE-6633-2   appropriate group                list of groups
             /usr/lib/sendmail file should
             be owned by an
CCE-7461-7   appropriate user                 list of users
             /usr/lib/sendmail file should
             be owned by an
CCE-7078-9   appropriate group                list of groups
             /etc/passwd file should be
             owned by an appropriate
CCE-7300-7   user                             list of users
             /etc/passwd file should be
             owned by an appropriate
CCE-7270-2   group                            list of groups
             /etc/shadow file should be
             owned by an appropriate
CCE-7076-3   user                             list of users
             /etc/shadow file should be
             owned by an appropriate
CCE-6904-7   group                            list of groups
             smbpasswd file should be
             owned by an appropriate
CCE-6983-1   user                             list of users
             smbpasswd file should be
             owned by an appropriate
CCE-7247-0   group                            list of groups
             Environmental variable
             PATH for superuser
             accounts should or should
             not contain world-writable
CCE-7238-9   files as appropriate             should/should not
             Environmental variable
             PATH for superuser
             accounts should not
             contain the current
             directory as the first or last
CCE-7375-9   entry                            should/should not
             The current wokring
             directory should or should
             not be added to the
             environmental variable
             PATH by global
             initialization files as
CCE-7458-3   appropriate                    should/should not
             The current working
             directory should or should
             not be added to the
             environmental variable
             PATH by local initialization
CCE-7155-5   files as appropriate           should/should not
CCE-7481-5   DEPRECATED.
             The current directory
             should or should not be
             added to the environmental
             variable PATH by run
             control scripts as
CCE-7331-2   appropriate                    should/should not
             The system umask should
CCE-7361-9   be set appropriately           umask
             The user umask should be
CCE-6921-1   set appropriately              umask
             DEPRECATED in favor of
CCE-6503-7   CCE-7736-2.
             DEPRECATED in favor of
CCE-7060-7   CCE-8221-4.
             DEPRECATED in favor of
CCE-7497-1   CCE-7736-2.
             DEPRECATED in favor of
CCE-6787-6   CCE-8221-4.
             The cron.allow file should
             be configured with the set
             of users permitted to use
             the cron facility as
CCE-7736-2   appropriate.                   list of users
             The cron.deny file should
             be configured with the set
             of users not permitted to
             use the cron facility as
CCE-8221-4   appropriate.                   list of users
             Cron logging should be
             enabled or disabled as
CCE-6998-9   appropriate                    enabled/disabled
             DEPRECATED in favor of
CCE-7206-6   CCE-8171-1.
             DEPRECATED in favor of
CCE-7345-2   CCE-7839-4.
             The at.allow file should be
             configured with the set of
             users permitted to use the
CCE-8171-1   at facility as appropriate.      list of users
             The at.deny file should be
             configured with the set of
             users not permitted to use
             the at facility as
CCE-7839-4   appropriate.                     list of users

             /etc/init.d file permissions
CCE-6697-7   should be set appropriately      permissions
             /usr/aset/userlist file
             permissions should be set
CCE-7010-2   appropriately                    permissions
             /etc/rmmount.conf file
             permissions should be set
CCE-7424-5   appropriately                    permissions
             /var/log/pamlog file
             permissions should be set
CCE-6511-0   appropriately                    permissions
             /etc/security/audit_control
             file permissions should be
CCE-6517-7   set appropriately                permissions
             /etc/security/audit_class file
             permissions should be set
CCE-6549-0   appropriately                    permissions
             /etc/security/audit_event
             file permissions should be
CCE-6550-8   set appropriately                permissions
             /usr/aset/userlist file
             permissions should be set
CCE-6880-9   appropriately                    permissions
             DEPRECATED in favor of
             CE-8488-9, CCE-8494-7
CCE-7470-8   and CCE-8314-7.
             /etc/auto.master file should
             be owned by an
CCE-8488-9   appropriate user                 list of users
             /etc/auto.misc file should
             be owned by an
CCE-8494-7   appropriate user                 list of users
             /etc/auto.net file should be
             owned by an appropriate
CCE-8314-7   user                             list of users
             /etc/rmmount.conf file
             should be owned by an
CCE-7380-9   appropriate user                 list of users
             /var/log/pamlog file should
             be owned by an
CCE-6582-1   appropriate user                 list of users
             /etc/security/audit_control
             file should be owned by an
CCE-7406-2   appropriate user                 list of users
             /etc/security/audit_class file
             should be owned by an
CCE-7190-2   appropriate user                 list of users
             /etc/security/audit_event
             file should be owned by an
CCE-7265-2   appropriate user                 list of users
CCE-6563-1   DEPRECATED.
             /usr/aset/userlist file should
             be owned by an
CCE-6565-6   appropriate group                list of groups
             /etc/rmmount.conf file
             should be owned by an
CCE-7223-1   appropriate group                list of groups
             /var/log/pamlog file should
             be owned by an
CCE-7394-0   appropriate group                list of groups
             /etc/security/audit_control
             file should be owned by an
CCE-7222-3   appropriate group                list of groups
             /etc/security/audit_class file
             should be owned by an
CCE-7553-1   appropriate group                list of groups
             /etc/security/audit_event
             file should be owned by an
CCE-7444-3   appropriate group                list of groups

             DEPRECATED in favor of
             CCE-8665-2, CCE-7766-9,
CCE-6568-0   CCE-8264-4.
             /etc/auto.master file should
             be owned by an
CCE-8665-2   appropriate group                list of users
             /etc/auto.misc file should
             be owned by an
CCE-7766-9   appropriate group                list of users
             /etc/auto.net file should be
             owned by an appropriate
CCE-8264-4   group                            list of users
CCE-6575-5   DEPRECATED.
CCE-7025-0   DEPRECATED.
             Generic PAM
             authentication should be
             enabled or disabled as
CCE-7126-6   appropriate                      enabled/disabled
             rsh auth should be allowed
             or disallowed by PAM as
CCE-7491-4   appropriate                      allowed/not allowed
             rlogin auth should be
             allowed by pam.d or not as
CCE-7482-3   appropriate                    allowed/not allowed
             PAM access to
             /dev/console should be
             logged at an appropriate
             level or not logged as
CCE-7244-7   appropriate                    logging level
             PAM should be logged at
CCE-7323-9   an appropriate level           logging level
             /usr/aset/masters/uid_alias
             es should contain an
             appropriate listing of
CCE-7420-3   aliases                        list of aliases
             The Solaris Automated
             Security Enhancement
             Tool (ASET) tune.low file
             should exist or not as
CCE-7341-1   appropriate                    exist/not exist
             The Solaris Automated
             Security Enhancement
             Tool (ASET) tune.med file
             should exist or not as
CCE-7169-6   appropriate                    exist/not exist
             The Solaris Automated
             Security Enhancement
             Tool (ASET) tune.high file
             should exist or not as
CCE-6935-1   appropriate                    exist/not exist
             The uid_aliases file should
CCE-7548-1   exist or not as appropriate    exist/not exist
             The low security directory
             list should be set
CCE-7486-4   appropriately                  directory list
             The medium security
             directory list should be set
CCE-6891-6   appropriately                  directory list
             The high security directory
             list should be set
CCE-7468-2   appropriately                  directory list
             The ASET periodic
             schedule setting should be
CCE-7310-6   set appropriately              schedule stanza

             The UID aliases pointer
CCE-7344-5   should be set appropriately file
             Users should be listed in
             the ASET userlist file or not
CCE-7547-3   as appropriate                list of users
             ASET should check NIS+
CCE-7563-0   tables or not as appropriate enabled/disabled

             EEPROM security mode
CCE-7514-3   should be set appropriately security mode

             EEPROM warning banner
CCE-7127-4   should be set appropriately banner text
             The noexec_user_stack
             flag should be set on the
             user stack or not as
CCE-7016-9   appropriate                 set/not set
             Attempted stack eploit
             logging should be enabled
CCE-6579-7   or disabled as appropriate enabled/disabled

             The default login console
CCE-7141-5   should be set appropriately path to console
             Default sleeptime should
CCE-6581-3   be set appropriately        number of minutes
             Default number of allowed
             retries should be set
CCE-7188-6   appropriately               number of retries

             The default number of
             syslog failed logins retried
CCE-7315-5   should be set appropriately number of retries
             Default su console should
CCE-7302-3   be set appropriately         path to console

             auditing should be logged
CCE-7542-4   to an appropriate directory path to log
             login and logout events (lo
             class) should be audited or
CCE-7009-4   not as appropriate          audited/not audited
CCE-7445-0   DEPRECATED.

             Non attributable events (na
             class) should be audited or
CCE-6977-3   not as appropriate          audited/not audited
             The free space threshold to
             warn at should be set       percentage of
CCE-7577-0   appropriately               filesystem
CCE-6600-1   DEPRECATED.
             DEPRECATED in favor of
CCE-7437-7   CCE-7009-4.
             DEPRECATED in favor of
CCE-7388-2   CCE-7009-4.
             Password changes should
             be audited or not as
CCE-7586-1   appropriate             audited/not audited

             su usage should be audited
CCE-6899-9   or not as appropriate            audited/not audited
             Creation/modification of
             superuser groups should
             be audited or not as
CCE-6868-4   appropriate                      audited/not audited
             Clearing of the audit log file
             should be audited or not as
CCE-7483-1   appropriate                      audited/not audited
             Use of
             identification/authorization
             mechanisms should be
             audited or not as
CCE-7580-4   appropriate                      audited/not audited
             chmod command should
             be audited or not as
CCE-6606-8   appropriate                      audited/not audited
             The user audit file should
             contain an appropriate set
CCE-6929-4   of never-audit flags             set of allowed flags
             The /var/log/authlog log
             should be enabled or
CCE-6793-4   disabled as appropriate          enabled/disabled
             The /var/log/syslog log
             should be enabled or
CCE-7559-8   disabled as appropriate          enabled/disabled
             The /var/adm/messages
             log should be enabled or
CCE-7510-1   disabled as appropriate          enabled/disabled
             The /var/adm/sulog log
             should be enabled or
CCE-7399-9   disabled as appropriate          enabled/disabled
             The /var/adm/utmp[x] log
             should be enabled or
CCE-7501-0   disabled as appropriate          enabled/disabled
             The /var/adm/wtmp[x] log
             should be enabled or
CCE-6609-2   disabled as appropriate          enabled/disabled
             The /var/adm/sshlog log
             should be enabled or
CCE-6619-1   disabled as appropriate          enabled/disabled
             The /var/log/pamlog log
             should be enabled or
CCE-6730-6   disabled as appropriate          enabled/disabled
             DEPRECATED in favor of
CCE-6910-4   CCE-7009-4.
             su usage should be audited
CCE-7254-6   or not as appropriate          audited/not audited
             auth usage should be
             audited or not as
CCE-6690-2   appropriate                    audited/not audited
             /var directory should be
             owned by an appropriate
CCE-7474-0   user                           list of users
             /var/log directory should be
             owned by an appropriate
CCE-7320-5   user                           list of users
             /var/adm directory should
             be owned by an
CCE-7584-6   appropriate user               list of users
CCE-7412-0   DEPRECATED.
             BSM auditing should be
             enabled or disabled as
CCE-7492-2   appropriate                    enabled/disabled
CCE-7515-0   DEPRECATED.
CCE-7216-5   DEPRECATED.
CCE-7436-9   DEPRECATED.
CCE-7312-2   DEPRECATED.
             The TCP max connection
             limit should be set            max number of
CCE-7533-3   appropriately                  connections

             The TCP abort interval
CCE-6620-9   should be set appropriately    limit
             Forwarding of directed
             broadcasts should be
             enabled or disabled as
CCE-7503-6   appropriate                    enabled/disabled
             Response to echo (ping)
             request broadcasts should
             be enabled or disabled as
CCE-6640-7   appropriate                    enabled/disabled
             Response to ICMP
             timestamp requests should
             be enabled or disabled as
CCE-7130-8   appropriate                    enabled/disabled
             Response to ICMP
             timestamp broadcast
             requests should be
             enabled or disabled as
CCE-7496-3   appropriate                    enabled/disabled
             Response to mask
             addresses should be
             enabled or disabled as
CCE-6741-3   appropriate                    enabled/disabled
             ARP cleanup interval
CCE-7335-3   should be set appropriately    interval
             ARP IRE interval should be
CCE-7432-8   set appropriately              interval
             IP redirects should be
             followed or ignored as
CCE-7449-2   appropriate                    follow/ignore
             Sending of IP redirects
             should be enabled or
CCE-7414-6   disabled as appropriate        enabled/disabled
             Forwarding of source
             routed packets should be
             enabled or disabled as
CCE-6641-5   appropriate                    enabled/disabled
             IP forwarding should be
             enabled or disabled as
CCE-6646-4   appropriate                    enabled/disabled
             Strict destination
             multihoming should be
             enabled or disabled as
CCE-6865-0   appropriate                    enabled/disabled
             Forwarding of source
             routed IPv6 packets should
             be enabled or disabled as
CCE-7626-5   appropriate                    enabled/disabled
             IPv6 forwarding should be
             enabled or disabled as
CCE-7107-6   appropriate                    enabled/disabled
             TCP reverse source routes
             should be enabled or
CCE-7488-0   disabled as appropriate        enabled/disabled
             Routing should be enabled
CCE-6656-3   or disabled as appropriate     enabled/disabled

             Caching of the RBAC
             prof_attr should be enabled
CCE-7653-9   or disabled as appropriate     enabled/disabled
             Multicast route assignment
             should be enabled or
CCE-7057-3   disabled as appropriate        enabled/disabled
             Print services through inetd
             should be enabled or
CCE-7405-4   disabled as appropriate        enabled/disabled
             NFS server logging should
             be enabled or disabled as
CCE-7000-3   appropriate                    enabled/disabled
             Global initialization files
             should allow or deny write
             access to the terminal as
CCE-6876-7   appropriate                   allow/deny
CCE-7343-7   DEPRECATED.
CCE-7607-5   DEPRECATED.
             Caching of the RBAC
             exec_attr should be
             enabled or disabled as
CCE-7581-2   appropriate                   enabled/disabled
             Caching of the RBAC
             user_attr should be
             enabled or disabled as
CCE-6673-8   appropriate                   enabled/disabled

             The chmod system call
             should be audited or not as
CCE-8236-2   appropriate                   audited/not audited
             The chown system call
             should be audited or not as
CCE-6659-7   appropriate                   audited/not audited
             The fchmod system call
             should be audited or not as
CCE-6661-3   appropriate                   audited/not audited
             The fchown system call
             should be audited or not as
CCE-7590-3   appropriate                   audited/not audited
             The lchown system call
             should be audited or not as
CCE-6665-4   appropriate                   audited/not audited
             The setgroups system call
             should be audited or not as
CCE-7493-0   appropriate                   audited/not audited
             The setpgrp system call
             should be audited or not as
CCE-7277-7   appropriate                   audited/not audited
             The setreuid system call
             should be audited or not as
CCE-6677-9   appropriate                   audited/not audited
             The setregid system call
             should be audited or not as
CCE-7526-7   appropriate                   audited/not audited
             The setegid system call
             should be audited or not as
CCE-7253-8   appropriate                   audited/not audited
             The seteuid system call
             should be audited or not as
CCE-6702-5   appropriate                   audited/not audited
             System ftp logoffs should
             be audited or not as
CCE-7603-4   appropriate                   audited/not audited
             System telnet logons
             should be audited or not as
CCE-6684-5   appropriate                   audited/not audited
             System ssh logons should
             be audited or not as
CCE-7390-8   appropriate                   audited/not audited
             System rlogin logons
             should be audited or not as
CCE-7178-7   appropriate                   audited/not audited
             System rshd logons should
             be audited or not as
CCE-7381-7   appropriate                   audited/not audited
             System rexecd logons
             should be audited or not as
CCE-7521-8   appropriate                   audited/not audited
             System rexd logons should
             be audited or not as
CCE-7350-2   appropriate                   audited/not audited
             System ftp logons should
             be audited or not as
CCE-7588-7   appropriate                   audited/not audited
             rlogin auth should be
             allowed or disallowed by
CCE-7103-5   PAM as appropriate            allowed/not allowed
             rlogin auth should be
             allowed by pam.d or not as
CCE-6944-3   appropriate                   allowed/not allowed

             Hard core dump size limits Size (0 to disable
CCE-7568-9   should be set appropriately core dumps)
             Root logins should be
             allowed or not as
             appropriate from SSH
CCE-7665-3   consoles                    allowed/not allowed
                                         Internal Revenue Service Basic
                                         UNIX Security Requirements (IRS
              CCE Technical Mechanisms   BUSR)
                                         http://www.irs.gov/irm/part10/ch03
                                         s08.html




via fstab                                10.8.10.4.2.1 (5)


via fstab                                10.8.10.4.2.1 (5)


via fstab                                10.8.10.4.2.1 (5)




via /etc/passwd                          10.8.10.4.2.1 (6)

via /etc/security/limits
via ulimit                               10.8.10.4.4 (3)


via /etc/snmp/conf/snmpd.conf            10.8.10.5.1 (1) c)


via /etc/snmp/conf/snmpd.conf            10.8.10.5.1 (1) c)




via /etc/default/passwd                  10.8.10.5.1 (2) a)




via /etc/default/passwd                  10.8.10.5.1 (2) a)




via /etc/default/passwd                  10.8.10.5.1 (2) a)


via /etc/default/passwd                  10.8.10.5.1 (2) b)
via /etc/default/passwd       10.8.10.5.1 (2) c)




via /etc/default/passwd       10.8.10.5.1 (2) d)




via /etc/default/passwd       10.8.10.5.1 (2) e)


via passwd
via /etc/shadow               10.8.10.5.1 (2) f)




via /etc/security/passwd      10.8.10.5.1 (2) g)




                              10.8.10.5.1 (3)


                              10.8.10.5.1 (5)




via chown                     10.8.10.5.2 (3)

via chgrp
via chown                     10.8.10.5.2 (3)

via /etc/security/login.cfg
via /etc/motd                 10.8.10.5.2 (5) a)


via sshd_config               10.8.10.5.2 (5) b)


via /etc/default/telnetd      10.8.10.5.2 (5) c)


                              10.8.10.5.2 (5) d)


via Xwindows                  10.8.10.5.2 (5) e)
via passwd
via /etc/passwd          10.8.10.5.2.1 (2) a)


via passwd
via /etc/passwd
via /etc/group           10.8.10.5.2.1 (2) b)


via /etc/passwd          10.8.10.5.2.4 (3)

via /etc/passwd          10.8.10.5.2.4 (9)




via /etc/passwd          10.8.10.5.2.4.1 (1)


via Xscreensaver
via dtsession            10.8.10.5.2.5 (1)


via chmod                10.8.10.5.2.6 (1)


via BIOS                 10.8.10.5.2.6 (3)


via /etc/default/login   10.8.10.5.2.6 (4)


via filesystem           10.8.10.5.2.6 (6)


via filesystem           10.8.10.5.2.6 (6)


via filesystem           10.8.10.5.2.6 (6)


via filesystem           10.8.10.5.2.6 (6)




via Text editor          10.8.10.5.2.6 (7)
via Text editor   10.8.10.5.2.6 (7)




via Text editor   10.8.10.5.2.6 (7)

via /etc/shells   10.8.10.5.2.6 (11)




via /etc/shells   10.8.10.5.2.6 (12)




via /etc/group    10.8.10.5.2.6 (15)


via /etc/passwd   10.8.10.5.2.6 (16)


via /etc/passwd   10.8.10.5.2.6 (17)




via filesystem    10.8.10.5.2.6 (18)


via filesystem    10.8.10.5.2.6 (24)


via RC scripts    10.8.10.5.3 (3)




via ntpd.conf


                  10.8.10.5.3 (4)


                  10.8.10.5.3 (5)
                              10.8.10.5.3 (6)


                              10.8.10.5.4.1 (12)


                              10.8.10.5.4.1 (2) a)




                              10.8.10.5.4.1 (2) c)




                              10.8.10.5.4.1 (2) d)




                              10.8.10.5.4.1 (2) e)


                              10.8.10.5.4.1 (3)


via /etc/default/route.conf   10.8.10.5.4.1 (4)


via RC scripts                10.8.10.5.4.1 (5)

via inetd
via inetd.conf                10.8.10.5.4.1 (11) #1

via inetd
via inetd.conf                10.8.10.5.4.1 (11) #2

via inetd
via inetd.conf                10.8.10.5.4.1 (11) #3

via inetd
via inetd.conf                10.8.10.5.4.1 (11) #4

via inetd
via inetd.conf                10.8.10.5.4.1 (11) #5

via inetd
via inetd.conf                10.8.10.5.4.1 (11) #6
via inetd
via inetd.conf   10.8.10.5.4.1 (11) #7

via inetd
via inetd.conf   10.8.10.5.4.1 (11) #8

via inetd
via inetd.conf   10.8.10.5.4.1 (11) #9

via inetd
via inetd.conf   10.8.10.5.4.1 (11) #10

via inetd
via inetd.conf   10.8.10.5.4.1 (11) #11

via inetd
via inetd.conf   10.8.10.5.4.1 (11) #12

via inetd
via inetd.conf   10.8.10.5.4.1 (11) #13

via inetd
via inetd.conf   10.8.10.5.4.1 (11) #14


via inetd
via inetd.conf   10.8.10.5.4.1 (11) #16

via inetd
via inetd.conf   10.8.10.5.4.1 (11) #17

via inetd
via inetd.conf   10.8.10.5.4.1 (11) #18


                 10.8.10.5.4.1 (11) #19

via inetd
via inetd.conf   10.8.10.5.4.1 (11) #20

via inetd
via inetd.conf   10.8.10.5.4.1 (11) #21

via inetd
via inetd.conf   10.8.10.5.4.1 (11) #22

via inetd
via inetd.conf   10.8.10.5.4.1 (11) #23
via inetd
via inetd.conf   10.8.10.5.4.1 (11) #24

via inetd
via inetd.conf   10.8.10.5.4.1 (11) #25

via inetd
via inetd.conf   10.8.10.5.4.1 (11) #26

via inetd
via inetd.conf   10.8.10.5.4.1 (11) #27

via inetd
via inetd.conf   10.8.10.5.4.1 (11) #28

via inetd
via inetd.conf   10.8.10.5.4.1 (11) #29

via inetd
via inetd.conf   10.8.10.5.4.1 (11) #30

via inetd
via inetd.conf   10.8.10.5.4.1 (11) #31

via inetd
via inetd.conf   10.8.10.5.4.1 (11) #32


via inetd
via inetd.conf   10.8.10.5.4.1 (11) #34

via inetd
via inetd.conf   10.8.10.5.4.1.1 (2)


via inetd
via inetd.conf   10.8.10.5.4.1.1 (5)


                 10.8.10.5.4.1.2 (2)

via inetd
via inetd.conf   10.8.10.5.4.1.3 (1)


                 10.8.10.5.4.1.4 (1)


via RC scripts   10.8.10.5.4.1.5 (1)
via RC scripts              10.8.10.5.4.1.5 (1)


via RC scripts              10.8.10.5.4.1.5 (1)


via RC scripts              10.8.10.5.4.1.5 (1)




                            10.8.10.5.4.1.5 (1) a)




                            10.8.10.5.4.1.5 (1) a)

via NFS
via /etc/exports            10.8.10.5.4.1.5 (1) f)




via /etc/exports            10.8.10.5.4.1.5 (1) g)




via /etc/fstab              10.8.10.5.4.1.5 (1) i)


via RC scripts              10.8.10.5.4.2.2 (1)


via /etc/mail/sendmail.cf   10.8.10.5.4.2.2 (3)

via /etc/aliases
via /usr/lib/aliases        10.8.10.5.4.2.2 (4) c)


via rm                      10.8.10.5.4.2.2 (4) e)




via chown                   10.8.10.5.4.2.2 (4) f)
via chown                   10.8.10.5.4.2.2 (4) f)


via /etc/mail/sendmail.cf   10.8.10.5.4.2.2 (4) g)


via /etc/mail/sendmail.cf   10.8.10.5.4.2.2 (4) h)


via /etc/mail/sendmail.cf   10.8.10.5.4.2.2 (4) i)

via sendmail
via /etc/mail/sendmail.cf   10.8.10.5.4.2.2 (4) k)




via RC scripts              10.8.10.5.4.2.3 (1)


via RC scripts              10.8.10.5.4.2.3 (1)


via NIS+                    10.8.10.5.4.2.3 (1) b)


via Xwindows                10.8.10.5.4.2.4 (1)




via /etc/X*.hosts           10.8.10.5.4.2.4 (2) b)

via xdm
via gdm
via kdm                     10.8.10.5.4.2.4 (2) d)


via sshd_config             10.8.10.5.4.2.4 (2) f)
via smbd
via RC scripts              10.8.10.5.4.2.6 (1)


via smbd
via smb.conf                10.8.10.5.4.2.6 (3) a)
via smbd
via smb.conf   10.8.10.5.4.2.6 (3) b)

via smbd
via smb.conf   10.8.10.5.4.2.6 (3) c)


via smbd
via smb.conf   10.8.10.5.4.2.6 (3) d)

via ifconfig   10.8.10.5.4.3 (1)


via chmod      10.8.10-1 A.1 1) #1


via chmod      10.8.10-1 A.1 1) #2


via chmod      10.8.10-1 A.1 1) #2


via chmod      10.8.10-1 A.1 1) #5


via chmod      10.8.10-1 A.1 1) #5


via chmod      10.8.10-1 A.1 1) #6


via chmod      10.8.10-1 A.1 1) #7


via chmod      10.8.10-1 A.1 1) #7


via chmod      10.8.10-1 A.1 1) #8


via chmod      10.8.10-1 A.1 1) #9


via chmod      10.8.10-1 A.1 1) #10


via chmod      10.8.10-1 A.1 1) #11


via chmod      10.8.10-1 A.1 1) #13
via chmod   10.8.10-1 A.1 1) #14


via chmod   10.8.10-1 A.1 1) #21


via chmod   10.8.10-1 A.1 1) #23


via chmod   10.8.10-1 A.1 1) #25


via chmod   10.8.10-1 A.1 1) #26


via chmod   10.8.10-1 A.1 1) #27




via chmod   10.8.10-1 A.1 1) #29


via chmod   10.8.10-1 A.1 1) #31


via chmod   10.8.10-1 A.1 1) #32


via chmod   10.8.10-1 A.1 1) #34




via chmod   10.8.10-1 A.1 1) #35




via chmod   10.8.10-1 A.1 1) #36


via chmod   10.8.10-1 A.1 1) #37


via chmod   10.8.10-1 A.1 1) #38


via chmod   10.8.10-1 A.1 1) #39
via filesystem   10.8.10-1 A.1 1) #40


via chmod        10.8.10-1 A.1 1) #41


via chmod        10.8.10-1 A.1 1) #42


via chmod        10.8.10-1 A.1 1) #43


via chmod        10.8.10-1 A.1 1) #44


via chmod        10.8.10-1 A.1 1) #45

via filesystem   10.8.10-1 A.1 1) #46


via chmod        10.8.10-1 A.1 1) #47


via chmod        10.8.10-1 A.1 1) #48


via chmod        10.8.10-1 A.1 1) #49


via chmod        10.8.10-1 A.1 1) #50


via chmod        10.8.10-1 A.1 1) #51

via filesystem   10.8.10-1 A.1 1) #52


via chmod        10.8.10-1 A.1 1) #53


via chmod        10.8.10-1 A.1 1) #54


via chmod        10.8.10-1 A.1 1) #56


via chmod        10.8.10-1 A.1 1) #57
via chmod        10.8.10-1 A.1 1) #58


via chmod        10.8.10-1 A.1 1) #59


via chmod        10.8.10-1 A.1 1) #60


via chmod        10.8.10-1 A.1 1) #61


via chmod        10.8.10-1 A.1 1) #62


via chmod        10.8.10-1 A.1 1) #63


via chmod        10.8.10-1 A.1 1) #64


via chmod        10.8.10-1 A.1 1) #65


via chmod        10.8.10-1 A.1 1) #66


via chmod        10.8.10-1 A.1 1) #67


via chmod        10.8.10-1 A.1 1) #68


via filesystem   10.8.10-1 A.1 1) #69


via chmod        10.8.10-1 A.1 1) #70


via chmod        10.8.10-1 A.1 1) #71


via chmod        10.8.10-1 A.1 1) #72


via chmod        10.8.10-1 A.1 1) #73


via chmod        10.8.10-1 A.1 1) #75
via chmod        10.8.10-1 A.1 1) #76


via chmod        10.8.10-1 A.1 1) #77


via chmod        10.8.10-1 A.1 1) #78


via chmod        10.8.10-1 A.1 1) #79


via chmod        10.8.10-1 A.1 1) #80


via chmod        10.8.10-1 A.1 1) #81


via chmod        10.8.10-1 A.1 1) #82


via chmod        10.8.10-1 A.1 1) #83

via filesystem   10.8.10-1 A.1 1) #84


via chmod        10.8.10-1 A.1 1) #85


via chmod        10.8.10-1 A.1 1) #86


via chmod        10.8.10-1 A.1 1) #87


via chmod        10.8.10-1 A.1 1) #88


via chmod        10.8.10-1 A.1 1) #89


via chmod        10.8.10-1 A.1 1) #90


via chmod        10.8.10-1 A.1 1) #91


via chmod        10.8.10-1 A.1 1) #92
via chmod   10.8.10-1 A.1 1) #93


via chmod   10.8.10-1 A.1 1) #94


via chmod   10.8.10-1 A.1 1) #95


via chmod   10.8.10-1 A.1 1) #96


via chmod   10.8.10-1 A.1 1) #97


via chmod   10.8.10-1 A.1 1) #98


via chmod   10.8.10-1 A.1 1) #99


via chmod   10.8.10-1 A.1 1) #100


via chmod   10.8.10-1 A.1 1) #101


via chmod   10.8.10-1 A.1 1) #103


via chmod   10.8.10-1 A.1 1) #104


via chmod   10.8.10-1 A.1 1) #105


via chmod   10.8.10-1 A.1 1) #107


via chmod   10.8.10-1 A.1 1) #108


via chmod   10.8.10-1 A.1 1) #109


via chown   10.8.10-1 A.1 2) #1

via chgrp
via chown   10.8.10-1 A.1 2) #1
via chown   10.8.10-1 A.1 2) #2

via chgrp
via chown   10.8.10-1 A.1 2) #2


via chown   10.8.10-1 A.1 2) #2

via chgrp
via chown   10.8.10-1 A.1 2) #2


via chown   10.8.10-1 A.1 2) #4

via chgrp
via chown   10.8.10-1 A.1 2) #4


via chown   10.8.10-1 A.1 2) #4

via chgrp
via chown   10.8.10-1 A.1 2) #4


via chown   10.8.10-1 A.1 2) #5

via chgrp
via chown   10.8.10-1 A.1 2) #5


via chown   10.8.10-1 A.1 2) #5

via chgrp
via chown   10.8.10-1 A.1 2) #5


via chown   10.8.10-1 A.1 2) #6

via chgrp
via chown   10.8.10-1 A.1 2) #6


via chown   10.8.10-1 A.1 2) #7

via chgrp
via chown   10.8.10-1 A.1 2) #7


via chown   10.8.10-1 A.1 2) #7
via chgrp
via chown   10.8.10-1 A.1 2) #7


via chown   10.8.10-1 A.1 2) #7

via chgrp
via chown   10.8.10-1 A.1 2) #7




via chown   10.8.10-1 A.1 2) #11

via chgrp
via chown   10.8.10-1 A.1 2) #11


via chown   10.8.10-1 A.1 2) #12

via chgrp
via chown   10.8.10-1 A.1 2) #12


via chown   10.8.10-1 A.1 2) #13

via chgrp
via chown   10.8.10-1 A.1 2) #13




via chown   10.8.10-1 A.1 2) #14


via chgrp
via chown   10.8.10-1 A.1 2) #14
via chown   10.8.10-1 A.1 2) #16

via chgrp
via chown   10.8.10-1 A.1 2) #16




via chown   10.8.10-1 A.1 2) #18

via chgrp
via chown   10.8.10-1 A.1 2) #18




via chown   10.8.10-1 A.1 2) #21

via chgrp
via chown   10.8.10-1 A.1 2) #21


via chown   10.8.10-1 A.1 2) #22

via chgrp
via chown   10.8.10-1 A.1 2) #22




via chown   10.8.10-1 A.1 2) #26


via chgrp
via chown   10.8.10-1 A.1 2) #26




via chown   10.8.10-1 A.1 2) #29

via chgrp
via chown   10.8.10-1 A.1 2) #29
via chown              10.8.10-1 A.1 2) #30

via chgrp
via chown              10.8.10-1 A.1 2) #30


via chown              10.8.10-1 A.1 2) #31

via chgrp
via chown              10.8.10-1 A.1 2) #31


via chown              10.8.10-1 A.1 2) #32


via chgrp via chown    10.8.10-1 A.1 2) #32


via chown              10.8.10-1 A.1 2) #35

via chgrp
via chown              10.8.10-1 A.1 2) #35


via chown              10.8.10-1 A.1 2) #36

via chgrp
via chown              10.8.10-1 A.1 2) #36


via chown              10.8.10-1 A.1 2) #37

via chgrp
via chown              10.8.10-1 A.1 2) #37




via chmod
via profile            10.8.10-1 A.2 1) #1




via local init files   10.8.10-1 A.2 1) #2
via local init files    10.8.10-1 A.2 1) #3




via local init files    10.8.10-1 A.2 1) #4




                        10.8.10-1 A.2 1) #7

via global init files   10.8.10-1 A.2 1) #8

via local init files    10.8.10-1 A.2 1) #8




via Text editor




via Text editor


                        10.8.10-1 A.3 4)
via Text editor




via Text editor


via chmod         10.8.10-1 A.1 1) #74


via chmod         10.8.10-2 B.1 1) #1


via chmod         10.8.10-2 B.1 1) #3


via chmod         10.8.10-2 B.1 1) #4


via chmod         10.8.10-2 B.1 1) #5


via chmod         10.8.10-2 B.1 1) #6


via chmod         10.8.10-2 B.1 1) #7


via chmod         10.8.10-2 B.1 1) #8




via chown         10.8.10-3 C.1 1) #9


via chown         10.8.10-3 C.1 1) #9


via chown         10.8.10-3 C.1 1) #9


via chown         10.8.10-2 B.1 1) #3


via chown         10.8.10-2 B.1 1) #4
via chown           10.8.10-2 B.1 1) #5


via chown           10.8.10-2 B.1 1) #6


via chown           10.8.10-2 B.1 1) #7


via chgrp
via chown           10.8.10-2 B.1 1) #1

via chgrp
via chown           10.8.10-2 B.1 1) #3

via chgrp
via chown           10.8.10-2 B.1 1) #4

via chgrp
via chown           10.8.10-2 B.1 1) #5

via chgrp
via chown           10.8.10-2 B.1 1) #6

via chgrp
via chown           10.8.10-2 B.1 1) #7




via chown           10.8.10-3 C.1 1) #9


via chown           10.8.10-3 C.1 1) #9


via chown           10.8.10-3 C.1 1) #9




via PAM             10.8.10-2 B.2.1 1)


via /etc/pam.conf   10.8.10-2 B.2.1 2) a)
via /etc/pam.d                      10.8.10-2 B.2.1 2) b)




via /etc/syslog.conf                10.8.10-2 B.2.1 3)

via /etc/syslog.conf                10.8.10-2 B.2.1 3)




via /usr/aset/masters/uid_aliases   10.8.10-2 B.2.2 1)




via filesystem                      10.8.10-2 B.2.2 2)




via filesystem                      10.8.10-2 B.2.2 2)




via filesystem                      10.8.10-2 B.2.2 2)

via filesystem                      10.8.10-2 B.2.2 2)


via asetenv                         10.8.10-2 B.2.2 3)


via asetenv                         10.8.10-2 B.2.2 3)


via asetenv                         10.8.10-2 B.2.2 3)


via asetenv                         10.8.10-2 B.2.2 3)


via asetenv                         10.8.10-2 B.2.2 3)


via /usr/aset/userlist              10.8.10-2 B.2.2 4)
via asetenv                                         10.8.10-2 B.2.2 5)


via EEPROM                                          10.8.10-2 B.3 2)


via EEPROM                                          10.8.10-2 B.3 3)




via /etc/system                                     10.8.10-2 B.4 1)


via /etc/system                                     10.8.10-2 B.4 1)


via /etc/default/login                              10.8.10-2 B.4 2)

via /etc/default/login                              10.8.10-2 B.4 2)


via /etc/default/login                              10.8.10-2 B.4 2)




via /etc/default/login                              10.8.10-2 B.4 2)

via /etc/default/su                                 10.8.10-2 B.4 3)


via "dir" flag in /etc/security/audit_control       10.8.10-2 B.5 1) a)


via "lo" flag in /etc/security/audit_control        10.8.10-2 B.5 1) b)




via "na" flag in /etc/security/audit_control        10.8.10-2 B.5 1) c)


via "minfree" flag in /etc/security/audit_control   10.8.10-2 B.5 1) d)
via /etc/security/audit_event   10.8.10-2 B.5 4) #3


via /etc/security/audit_event   10.8.10-2 B.5 4) #4




via /etc/security/audit_event   10.8.10-2 B.5 4) #5


via /etc/security/audit_event   10.8.10-2 B.5 4) #8




via /etc/security/audit_event   10.8.10-2 B.5 4) #10


via /etc/security/audit_event   10.8.10-2 B.5 4) #13


via /etc/security/audit_user    10.8.10-2 B.5 5)


via /etc/syslog.conf            10.8.10-2 B.5 6)


via /etc/syslog.conf            10.8.10-2 B.5 6)


via /etc/syslog.conf            10.8.10-2 B.5 6)


via /etc/syslog.conf            10.8.10-2 B.5 6)


via /etc/syslog.conf            10.8.10-2 B.5 6)


via /etc/syslog.conf            10.8.10-2 B.5 6)


via /etc/syslog.conf            10.8.10-2 B.5 6)


via /etc/syslog.conf            10.8.10-2 B.5 6)
via /etc/syslog.conf                                             10.8.10-2 B.5 8)


via /etc/syslog.conf                                             10.8.10-2 B.5 9)


via chown                                                        10.8.10-2 B.5 11)


via chown                                                        10.8.10-2 B.5 11)


via chown                                                        10.8.10-2 B.5 11)




via /etc/security/bsmconv                                        10.8.10-2 B.5.2 2)




via the tcp_conn_req_max value set with the ndd utility          10.8.10-2 B.6 3)


via the tcp_ip_abort_interval value set with the ndd utility     10.8.10-2 B.6 3)


via the ip_forward_directed_broadcasts value set with the ndd
utility                                                          10.8.10-2 B.6 3)


via the ip_respond_to_echo_broadcast value set with the ndd
utility                                                          10.8.10-2 B.6 3)




via the ip_respond_to_timestamp value set with the ndd utility   10.8.10-2 B.6 3)




via the ip_respond_to_timestamp_broadcast value set with the
ndd utility                                                      10.8.10-2 B.6 3)


via the ip_respond_to_address_mask_broadcast value set
with the ndd utility                                             10.8.10-2 B.6 3)
via the arp_cleanup_interval value value set with the ndd          10.8.10-2 B.6 3)

via the ip_ire_arp_interval value set with the ndd utility         10.8.10-2 B.6 3)

via the ip_ignore_redirect and ip6_ignore_redirect values set
with the ndd utility                                               10.8.10-2 B.6 3)


via the ip_send_redirects value set with the ndd utility           10.8.10-2 B.6 3)




via the ip_forward_src_routed set with the ndd utility             10.8.10-2 B.6 3)


via the ip_forwarding value set with the ndd utility               10.8.10-2 B.6 3)




via the ip_strict_dst_multihoming value set with the ndd utility   10.8.10-2 B.6 3)




via the ip6_forward_src_routed value set with the ndd utility      10.8.10-2 B.6 3)


via the ip6_forwarding value set with the ndd utility              10.8.10-2 B.6 3)


via the tcp_rev_src_routes value set with the ndd utility          10.8.10-2 B.6 3)

via /etc/notrouter                                                 10.8.10-2 B.6 4)




via /etc/nscd.conf                                                 10.8.10-2 B.6 6)


via /etc/init.d/inetsvc                                            10.8.10-2 B.6 7)


via /etc/inetd.conf                                                10.8.10-2 B.6.1 1)


via /etc/dfs/dfstab                                                10.8.10-2 B.6.3 1)
via global init files           10.8.10-2 B.8 1) #1




via /etc/nscd.conf              10.8.10-2 B.6 6)




via /etc/nscd.conf              10.8.10-2 B.6 6)




via /etc/security/audit_event   10.8.10-2 B.5 4) #13


via /etc/security/audit_event   10.8.10-2 B.5 4) #13


via /etc/security/audit_event   10.8.10-2 B.5 4) #13


via /etc/security/audit_event   10.8.10-2 B.5 4) #13


via /etc/security/audit_event   10.8.10-2 B.5 4) #13


via /etc/security/audit_event   10.8.10-2 B.5 4) #13


via /etc/security/audit_event   10.8.10-2 B.5 4) #13


via /etc/security/audit_event   10.8.10-2 B.5 4) #13


via /etc/security/audit_event   10.8.10-2 B.5 4) #13


via /etc/security/audit_event   10.8.10-2 B.5 4) #13


via /etc/security/audit_event   10.8.10-2 B.5 4) #13
via /etc/security/audit_event   10.8.10-2 B.5 4) #2


via /etc/security/audit_event   10.8.10-2 B.5 4) #1


via /etc/security/audit_event   10.8.10-2 B.5 4) #1


via /etc/security/audit_event   10.8.10-2 B.5 4) #1


via /etc/security/audit_event   10.8.10-2 B.5 4) #1


via /etc/security/audit_event   10.8.10-2 B.5 4) #1


via /etc/security/audit_event   10.8.10-2 B.5 4) #1


via /etc/security/audit_event   10.8.10-2 B.5 4) #1


via /etc/pam.conf               10.8.10-2 B.2.1 2) a)


via /etc/pam.d                  10.8.10-2 B.2.1 2) b)


/etc/security/limits ulimit     10.8.10.4.4 (3)




                                10.8.10.5.2.6 (4)
                                                 CCE
  CCE ID       CCE Description
                                              Parameters



             The tooltalk service should
             be enabled or disabled as     enabled / disabled /
CCE-4508-8   appropriate                   offline
             The calendar manager
             should be enabled or          enabled / disabled /
CCE-4327-3   disabled as appropriate.      offline
             The GNOME logon service
             should be enabled or          enabled / disabled /
CCE-4468-5   disabled as appropriate       offline
             The CDE logon service
             should be enabled or          enabled / disabled /
CCE-4512-0   disabled as appropriate.      offline
             The sendmail services
             should be enabled or          enabled / disabled /
CCE-4375-2   disabled as appropriate.      offline
             The web console should be
             enabled or disabled as        enabled / disabled /
CCE-4393-5   appropriate.                  offline
             The WBEM services
             should be enabled or          enabled / disabled /
CCE-3662-4   disabled as appropriate.      offline

             The BSD line printer
             protocol should be enabled    enabled / disabled /
CCE-4442-0   or disabled as appropriate.   offline
             The keyserv service should
             be enabled or disabled as     enabled / disabled /
CCE-4596-3   appropriate.                  offline
             The NIS server daemon
             should be enabled or          enabled / disabled /
CCE-4486-7   disabled as appropriate       offline
             The NIS passwd daemon
             should be enabled or          enabled / disabled /
CCE-4362-0   disabled as appropriate       offline
             The NIS update daemon
             should be enabled or          enabled / disabled /
CCE-3622-8   disabled as appropriate       offline
             The NIS xfr daemon should
             be enabled or disabled as     enabled / disabled /
CCE-4299-4   appropriate                   offline
             The NIS client daemons
             should be enabled or          enabled / disabled /
CCE-4592-2   disabled as appropriate       offline
             The nisplus daemons
             should be enabled or          enabled / disabled /
CCE-4614-4   disabled as appropriate       offline
             The ldap cache manager
             should be enabled or          enabled / disabled /
CCE-4279-6   disabled as appropriate       offline
             The Kerberos TGT
             Expiration warning should
             be enabled or disabled as     enabled / disabled /
CCE-4557-5   appropriate                   offline
             The Generic Security
             Service daemons should
             be enabled or disabled as     enabled / disabled /
CCE-4588-0   appropriate                   offline
             The volfs service should be
             enabled or disabled as        enabled / disabled /
CCE-4354-7   appropriate                   offline
             The smserver service
             should be enabled or          enabled / disabled /
CCE-4240-8   disabled as appropriate       offline
             The Samba smbd service
             should be enabled or          enabled / disabled /
CCE-4517-9   disabled as approriate        offline
             The Samba nmbd service
             should be enabled or          enabled / disabled /
CCE-4284-6   disabled as approriate        offline
             The automount daemon
             should be enabled or          enabled / disabled /
CCE-4429-7   disabled as appropriate       offline
             The apache web servicer
             should be enabled or          enabled / disabled /
CCE-4306-7   disabled as appropriate       offline
             The mpxio-upgrade service
             should be enabled or          enabled / disabled /
CCE-4499-0   disabled as appropriate       offline
             The metainit service
             (Solaris 10 <= 11/06)
             should be enabled or          enabled / disabled /
CCE-4266-3   disabled as appropriate       offline
             The mdmonitor service
             (Solaris 10 <= 11/06)
             should be enabled or          enabled / disabled /
CCE-4411-5   disabled as appropriate       offline
             The volume manager GUI
             mdcomm service should be
             enabled or disabled as        enabled / disabled /
CCE-4305-9   appropriate                   offline
             The meta service should
             be enabled or disabled as     enabled / disabled /
CCE-4477-6   appropriate                   offline
             The metaed service should
             be enabled or disabled as     enabled / disabled /
CCE-3650-9   appropriate                   offline
             The metamh service
             should be enabled or          enabled / disabled /
CCE-4571-6   disabled as appropriate       offline

             The local rpc port mapping
             service should be enabled enabled / disabled /
CCE-3950-3   or disabled as appropriate offline

             The Kerberos kadmind
             service should be enabled enabled / disabled /
CCE-4470-1   or disabled as appropriate. offline

             The Kerberos krb5kdc
             service should be enabled enabled / disabled /
CCE-4598-9   or disabled as appropriate. offline

             The Kerberos kpropd
             service should be enabled enabled / disabled /
CCE-4620-1   or disabled as appropriate. offline

             The Kerberos ktkt_warnd
             service should be enabled     enabled / disabled /
CCE-4333-1   or disabled as appropriate.   offline
             NFS server functionality
             should be enabled or          enabled / disabled /
CCE-3857-0   disabled as appropriate.      offline
             NFS client functionality
             should be enabled or          enabled / disabled /
CCE-4359-6   disabled as appropriate.      offline
             The telnet service should
             be enabled or disabled as     enabled / disabled /
CCE-4615-1   appropriate.                  offline
             The FTP service should be
             enabled or disabled as        enabled / disabled /
CCE-4007-1   appropriate.                  offline
             The BOOTP service should
             be enabled or disabled as     enabled / disabled /
CCE-3901-6   appropriate.                  offline
             The RARP service should
             be enabled or disabled as     enabled / disabled /
CCE-4553-4   appropriate.                  offline
             The DHCP server
             functionality should be
             enabled or disabled as        enabled / disabled /
CCE-4584-9   appropriate.                  offline
             The DNS server
             functionality should be
             enabled or disabled as        enabled / disabled /
CCE-4611-0   appropriate.                  offline
             The TFTP server
             functionality should be
             configured and enabled or     enabled / disabled /
CCE-3655-8   disabled as appropriate.      offline
             The BSD print spooler
             should enabled or disabled    enabled / disabled /
CCE-4541-9   as appropriate.               offline
             The Solaris print server
             functionality should be
             enabled or disabled as        enabled / disabled /
CCE-4483-4   appropriate.                  offline
             The IPP listener should be
             enabled or disabled as        enabled / disabled /
CCE-3663-2   appropriate.                  offline
             The SNMP service should
             be enabled or disabled as     enabled / disabled /
CCE-4037-8   appropriate.                  offline
             The read-only SNMP
             community string should be
CCE-4540-1   set appropriately.            string

             TCP Wrappers should be
             enabled or disabled as
CCE-4434-7   appropriate for all services. enabled / disabled

             The core dump directory
CCE-4570-8   owner should be restricted.   user
             The core dump directory
             group owner should be
CCE-4478-4   restricted.                   group
             File permissions for the
             core dump directory should
CCE-4623-5   be set correctly.             permissions
             Core dumps should be
             enabled/disabled as
CCE-4522-9   appropriate                   enabled/disabled
             Kernel stack protection
             should be enabled or
CCE-4297-8   disabled as appropriate.      enabled/disabled
             Strong TCP Sequence
             numbers should be
             enabled or disabled as
CCE-4548-4   appropriate.                  enabled/disabled
             IPv4 source route
             forwarding should be
             enabled or disabled as
CCE-4566-6   appropriate.                  enabled/disabled
             IPv6 source route
             forwarding should be
             enabled or disabled as
CCE-4439-6   appropriate.                  enabled/disabled
             Reverse source routed
             packets should be enabled
CCE-4456-0   or disabled as appropriate.    enabled/disabled
             Forwarding broadcasts
             should be enabled or
CCE-4602-9   disabled as appropriate.       enabled/disabled
             Unestablished tcp
             connection queue should
CCE-3752-3   be set appropriately.          numeral
             Established tcp connection
             queue should be set
CCE-4417-2   appropriately.                 numeral

             Respond to ICMP
             timestamp request should
CCE-4311-7   be enabled or disabled.   enabled/disabled
             Respond to ICMP
             broadcast timestamp
             request should be enabled
CCE-4562-5   or disabled.              enabled/disabled

             Respond to ICMP netmask
             request should be enabled
CCE-4082-4   or disabled as appropriate. enabled/disabled
             Respond to ICMP echo
             broadcast request should
             be enabled or disabled as
CCE-3681-4   appropriate.                enabled/disabled
             The ARP cache cleanup
             interval should be set
CCE-4642-5   appropriately.              numeral

             The ARP IRE scan rate
CCE-4532-8   should be set appropriately.   numeral
             The IPv4 ICMP redirect
             should be enabled or
CCE-4624-3   disabled                       enabled/disabled
             The IPv6 ICMP redirect
             should be enabled or
CCE-4518-7   disabled as appropriate.       enabled/disabled
             Extended TCP reserved
             ports should be set            list of ports above
CCE-4676-3   appropriately.                 1023
             IPv4 strict multihoming
             should be enabled or
CCE-3699-6   disabled as appropriate.       enabled/disabled
             IPv6 strict multihoming
             should be enabled or
CCE-4575-7   disabled as appropriate.       enabled/disabled
             ICMPv4 redirects should
             be enabled or disabled as
CCE-4593-0   appropriate.                  enabled/disabled
             ICMPv6 redirects should
             be enabled or disabled as
CCE-4095-6   appropriate.                  enabled/disabled
             IP forwarding should
             enabled or disabled as
CCE-3684-8   appropriate.                  enabled/disabled
             IP routing should be
             enabled or disabled as
CCE-4288-7   appropriate.                  enabled/disabled
             inetd tracing should be
CCE-4671-4   enabled as appropriate.       enabled / disabled
             The logging option for the
             ftp service should be
             enabled or disabled as
CCE-4455-2   appropriate.                  enabled / disabled

             The daemon debug log file
CCE-4397-6   owner should be restricted.   user
             The daemon debug log file
             permissions should be set
CCE-4415-6   appropriately.                permissions
             The daemon debug log file
             group owner should be
CCE-4560-9   restricted.                   group
             The debug logging option
             for daemons should be
             enabled or disabled as
CCE-4582-3   appropriate.                  enabled / disabled
             Capture of syslog AUTH
             Messages should be
             enabled or disabled as
CCE-3979-2   appropriate                   enabled / disabled
             The loginlog file owner
CCE-4124-4   should be restricted.         user
             The loginlog file
             permissions should be set
CCE-4626-8   appropriately.                permissions

             The loginlog file group
CCE-4635-9   owner should be restricted. group
             Capture of failed login
             attempts should be
             enabled or disabled as
CCE-3930-5   appropriate                 enabled / disabled
             The threshold of syslog
             logging of failed login
             attempts should be
CCE-4309-1   configured correctly.       numeric value
             Cron logging should be
             enabled or disabled as
CCE-4591-4   appropriate.                     enabled / disabled
             Cron log file owner should
CCE-4490-9   be restricted                    user
             Cron log file group owner
CCE-4683-9   should be restricted             group

             Cron log file permissions
CCE-4472-7   should be set appropriately permissions
             System Accounting should
             be enabled or disabled as
CCE-3992-5   appropriate                 enabled / disabled

             The system accounting file
CCE-4481-8   owner should be restricted.      user
             The systems accounting
             file group owner should be
CCE-4630-0   restricted.                      group
             The system accounting file
             permissions should be set
CCE-4542-7   appropriately.                   permissions
             Kernel level auditing should
             be enabled or disabled as
CCE-4675-5   appropriate                      enabled / disabled
             Kernel level auditing for
             login/logout should be
             enabled or disabled as           successfull/unsucces
CCE-4679-7   appropriate                      full
             Kernel level auditing for
             administrative actions
             should be enabled or             successfull/unsucces
CCE-4075-8   disabled as appropriate          full
             Kernel level auditing for file
             attribute modification
             should be enabled or             successfull/unsucces
CCE-4600-3   disabled as appropriate          full
             Kernel level auditing for
             process start/stop should
             be enabled or disabled as        successfull/unsucces
CCE-4498-2   appropriate                      full
             Kernel level auditing for
             process modify should be
             enabled or disabled as           successfull/unsucces
CCE-4401-6   appropriate                      full
             Kernel level auditing for
             processes should be
             enabled or disabled as           successfull/unsucces
CCE-4337-2   appropriate                      full
             Kernel level auditing for
             exec should be enabled or        successfull/unsucces
CCE-4606-0   disabled as appropriate          full
             Kernel level auditing for
             root login/logout should be
             enabled or disabled as         successfull/unsucces
CCE-4610-2   appropriate                    full
             Audit log file ownership
CCE-4126-9   should be restricted.          user
             Audit log file group
             ownership should be
CCE-4633-4   restricted.                    group
             Audit log permissions
CCE-4527-8   should be restricted.          permissions

             The daemon user's umask
CCE-4672-2   should be set appropriately.   string
             The setuid option should
             be enabled or disabled on
             removable media as
CCE-4315-8   appropriate.                   string
             The pkgchk utility should
             be used to verify
             ownership, group
             ownership, and access
             permissions for installed      list of packages, or
CCE-3760-6   packages as appropriate.       all packages
             The pkgchk utility should
             be used to force default
             settings for ownership,
             group ownership, and
             access permissions for
             installed packages as          list of packages, or
CCE-4312-5   appropriate.                   all packages
             The sticky bit should be
             enabled or disabled as
             appropriate for all world-
CCE-4721-7   writable directories.          enabled / disabled

             World-writable files should
             be found and examined for
CCE-4351-3   appropriateness.             permissions
             setgid files should be found
             and examined for
CCE-4743-1   appropriateness              permissions
             setuid files should be found
             and examined for
CCE-4281-2   appropriateness              permissions
             Unowned files should be
             found and removed or
             given to a valid user as
CCE-4660-7   appropriate.
             Files with extended
             attributes should be found
             and handled as
CCE-4682-1   appropriate.
             Serial port login prompts
             should be enabled or
CCE-4435-4   disabled as appropriate.      enabled/disabled
             Access to secure RPC for
             the 'nobody' user should be
             enabled or disabled as
CCE-4576-5   appropriate.                  string
             SSH version 2 protocol
             should be enabled or
CCE-4726-6   disabled as appropriate.      string
             SSH X11 forwarding
             should be enabled or
CCE-4638-3   disabled as appropriate.      string yes/no
             SSH maximum number of
             retries for authentication
             should be set as
CCE-4748-0   appropriate.                  numeral
             SSH maximum number or
             retries for authentication
             log should be set as
CCE-4395-0   appropriate.                  numeral

             SSH integration with
             .rhosts should be enabled
CCE-4030-3   or disabled as appropriate.   string yes/no
             SSH integration with
             .rhosts/hosts.equiv should
             be enabled or disabled as
CCE-4655-7   appropriate.                  string yes/no
             SSH Rhosts RSA
             Authentication should be
             enabled or disabled as
CCE-3946-1   appropriate.                  string yes/no
             Root login via SSH should
             be enabled or disabled as
CCE-4713-4   appropriate.                  string yes/no

             SSH should be configured
             to enable or disable empty
CCE-4708-4   passwords as appropriate. string yes/no
             The SSH banner should be
             enabled or disabled as
CCE-4603-7   appropriate.               uncomment string
             PAM Rhosts support
             should be enabled or
CCE-4021-2   disabled.                  enabled/disabled
             The ftpusers file should
             restrict the root account as
CCE-4678-9   appropriate.                   enabled/disabled
             The ftpusers file should
             restrict the daemon
CCE-4695-3   account as appropriate.        enabled/disabled
             The ftpusers file should
             restrict the bin account as
CCE-4510-4   appropriate.                   enabled/disabled
             The ftpusers file should
             restrict the sys account as
CCE-4157-4   appropriate.                   enabled/disabled
             The ftpusers file should
             restrict the adm account as
CCE-4677-1   appropriate.                   enabled/disabled
             The ftpusers file should
             restrict the lp account as
CCE-4179-8   appropriate.                   enabled/disabled
             The ftpusers file should
             restrict the uucp account
CCE-4589-8   as appropriate.                enabled/disabled
             The ftpusers file should
             restrict the smmsp account
CCE-4113-7   as appropriate.                enabled/disabled
             The ftpusers file should
             restrict the listen account
CCE-4739-9   as appropriate.                enabled/disabled
             The ftpusers file should
             restrict the gdm account as
CCE-4135-0   appropriate.                   enabled/disabled
             The ftpusers file should
             restrict the webservd
CCE-3768-9   account as appropriate.        enabled/disabled
             The ftpusers file should
             restrict the nobody account
CCE-3782-0   as appropriate.                enabled/disabled
             The ftpusers file should
             restrict the noaccess
CCE-4347-1   account as appropriate.        enabled/disabled
             The ftpusers file should
             restrict the nobody4
CCE-4497-4   account as appropriate.        enabled/disabled

             The failed login delay
CCE-4432-1   should be set appropriately. number of seconds

             The default CDE
             screenlock timeout should
CCE-4705-0   be set appropriately.          number of minutes
             The default GNOME
             screenlock timeout should
CCE-4723-3   be set appropriately.           number of minutes
             The GNOME screenlock
             should be enabled or
CCE-4622-7   disabled as appropriate.        boolean true/false
             Use of the cron.allow file
             should be enabled or
CCE-4644-1   disabled as appropriate         enabled/disabled
             Use of the at.allow file
             should be enabled or
CCE-4543-5   disabled as appropriate         enabled/disabled
             The /etc/cron.d/cron.allow
             file should be owned by the
CCE-4437-0   appropriate user.               user
             The /etc/cron.d/cron.allow
             file should be owned by the
CCE-4706-8   appropriate group.              group
             File permissions for the
             /etc/cron.d/cron.allow file
             should be configured
CCE-4693-8   correctly.                      permissions
             File permissions for the
             /etc/cron.d/at.allow file
             should be configured
CCE-4710-0   correctly.                      permissions
             The /etc/cron.d/at.allow file
             should be owned by the
CCE-4230-9   appropriate user.               user
             The /etc/cron.d/at.allow file
             should be owned by the
CCE-4445-3   appropriate group.              group
             The ability to login as root
             directly should be
CCE-4458-6   configured correctly.           enabled/disabled
             The "account lockout
             threshold" policy should
             meet minimum
CCE-4102-0   requirements.                   number of retries
             Account lockout should be
             enabled or disabled as
CCE-4754-8   appropriate.                    yes/no
             The eeprom security mode
             should be configured
CCE-4648-2   appropriately.                  none/full/command
             The grub menu password
             protection should be
             enabled or disabled as
CCE-3826-5   appropriate.                    password
             The daemon account
             should be locked or          locked / unlocked /
CCE-4525-2   unlocked as appropriate.     non-login
             The bin account should be
             locked or unlocked as        locked / unlocked /
CCE-4657-3   appropriate.                 non-login
             The shell for the bin
             account should be
CCE-4661-5   assigned appropriately.      path
             The nuucp account should
             be locked or unlocked as     locked / unlocked /
CCE-4807-4   appropriate.                 non-login
             The shell for the nuucp
             account should be
CCE-4701-9   assigned appropriately.      path
             The smmsp account
             should be locked or          locked / unlocked /
CCE-4669-8   unlocked as appropriate.     non-login
             The shell for the smmsp
             account should be
CCE-4436-2   assigned appropriately.      path
             The listen account should
             be locked or unlocked as     locked / unlocked /
CCE-4815-7   appropriate.                 non-login
             The shell for the listen
             account should be
CCE-4696-1   assigned appropriately.      path
             The gdm account should
             be locked or unlocked as     locked / unlocked /
CCE-4216-8   appropriate.                 non-login
             The shell for the gdm
             account should be
CCE-4758-9   assigned appropriately.      path
             The webservd account
             should be locked or          locked / unlocked /
CCE-4621-9   unlocked as appropriate.     non-login
             The shell for the webservd
             account should be
CCE-4515-3   assigned appropriately.      path
             The nobody account
             should be locked or          locked / unlocked /
CCE-4282-0   unlocked as appropriate.     non-login
             The shell for the nobody
             account should be
CCE-4802-5   assigned appropriately.      path
             The noaccess account
             should be locked or          locked / unlocked /
CCE-4806-6   unlocked as appropriate.     non-login

             The shell for the noaccess
             account should be
CCE-4471-9   assigned appropriately.    path
             The nobody4 account
             should be locked or            locked / unlocked /
CCE-4617-7   unlocked as appropriate.       non-login
             The shell for the nobody4
             account should be
CCE-4418-0   assigned appropriately.        path
             The sys account should be
             locked or unlocked as          locked / unlocked /
CCE-4810-8   appropriate.                   non-login
             The adm account should
             be locked or unlocked as       locked / unlocked /
CCE-3955-2   appropriate.                   non-login
             The shell for the adm
             account should be
CCE-3834-9   assigned appropriately.        path
             The lp account should be
             locked or unlocked as          locked / unlocked /
CCE-4408-1   appropriate.                   non-login
             The shell for the lp account
             should be assigned
CCE-4536-9   appropriately.                 path
             The uucp account should
             be locked or unlocked as       locked / unlocked /
CCE-4809-0   appropriate.                   non-login
             The shell for the uucp
             account should be
CCE-3841-4   assigned appropriately.        path
             All user login accounts with
             empty passwords should
             be locked or unlocked as       locked / unlocked /
CCE-4724-1   appropriate.                   non-login
             The "minimum password
             age" policy should meet
CCE-4367-9   minimum requirements.          numeral
             The "maximum password
             age" policy should meet
CCE-4165-7   minimum requirements.          numeral
             The password expiration
             warning time should be set
CCE-4836-3   appropriately                  numeral
             The strong password
             PASSLENGTH value
             should meet minimum
CCE-4625-0   requirements                   numeral
             The strong password
             NAMECHECK value
             should meet minimum
CCE-4770-4   requirements                   yes/no
             The strong password
             HISTORY value should
             meet minimum
CCE-4563-3   requirements                   numeral
             The strong password
             MINDIFF value should
             meet minimum
CCE-4832-2   requirements                 numeral
             The strong password
             MINALPHA value should
             meet minimum
CCE-4572-4   requirements                 numeral
             The strong password
             MINUPPER value should
             meet minimum
CCE-4480-0   requirements                 numeral
             The strong password
             MINLOWER value should
             meet minimum
CCE-4731-6   requirements                 numeral
             The strong password
             MINNONALPHA value
             should meet minimum
CCE-4753-0   requirements                 numeral
             The strong password
             MAXREPEATS value
             should meet minimum
CCE-4775-3   requirements                 numeral
             The strong password
             WHITESPACE value
             should meet minimum
CCE-3856-2   requirements                 yes / no
             The strong password
             DICTIONDBDIR value
             should be configured
CCE-4402-4   correctly                    path

             The strong password
             DICTIONLIST value should
CCE-4670-6   be configured correctly      path
             No Legacy "+" entries in
             passwd, shadow, and
             group files should be
CCE-4314-1   verified to be appropriate   file list
             No UID 0 Accounts exist
             other than root should be
CCE-4816-5   verified to be appropriate   account list
             Default group for root
             account should be
CCE-4834-8   configured correctly         group
             The home directory of the
             root user should be set
CCE-4728-2   correctly.                   path
             The PATH for the root user        1) Set of directories
             should be configured              to include 2) Set of
CCE-4631-8   correctly.                        directories to exclude
             File permissions should be
             set correctly for the home
             directories for all user
CCE-4538-5   accounts.                         permissions
             File permissions should be
             set correctly for user
CCE-4561-7   configuration files.              permissions

             File permissions should be
CCE-4578-1   set correctly for .netrc files.   permissions
             Presence of .rhost files
             should be checked to be
CCE-4843-9   appropriate                       true/false
             The default umask should
CCE-4737-3   be configured correctly.          permissions mask
             The default umask for ftp
             users should be set
CCE-3897-6   appropriately.                    permissions mask
             The default setting for all
             users to allow terminal
             messages via the mesg
             utility should be configured
CCE-4746-4   correctly.                        enabled / disabled
             General login services
             should display a banner as
             appropriate before
CCE-4760-5   authentication.                   banner text
             General login services
             should display a banner as
             appropriate after
CCE-4301-8   authentication.                   banner text
             CDE should display a
             banner as appropriate
CCE-4698-7   before authentication.            banner text
             GNOME should display a
             banner as appropriate
CCE-4222-6   before authentication.            banner text
             The FTP service should
             display a banner as
             appropriate before
CCE-4103-8   authentication.                   banner text

             The telnet service banner
CCE-4870-2   should be set appropriately. banner text

             The power-on banner
CCE-4896-7   should be set appropriately. banner text
             The sendmail greeting
CCE-4663-1   should be set appropriately. string
                                                 CIS Solaris 10
             CCE Technical Mechanisms           Benchmark v4.0
                                                   (Section)




(1) via svcadm                          2.2.1


(1) via svcadm                          2.2.2


(1) via svcadm                          2.2.3


(1) via svcadm                          2.2.3


(1) via svcadm                          2.2.4


(1) via svcadm                          2.2.5


(1) via svcadm                          2.2.6



(1) via svcadm                          2.2.7


(1) via svcadm                          2.3.1


via svcadm                              2.3.2


via svcadm                              2.3.2


via svcadm                              2.3.2


via svcadm                              2.3.2


via svcadm                              2.3.3
via svcadm                                                  2.3.4


via svcadm                                                  2.3.5



via svcadm                                                  2.3.6



via svcadm                                                  2.3.7


via svcadm                                                  2.3.8


via svcadm                                                  2.3.8
(1) Solaris 10 <= 11/06 /etc/init.d/samba stop, mv
/etc/sfw/smb.conf /etc/sfw/smb.conf.CIS (2) Solaris 10 >=
8/07via svcadm                                              2.3.9
(1) Solaris 10 <= 11/06 /etc/init.d/samba stop, mv
/etc/sfw/smb.conf /etc/sfw/smb.conf.CIS (2) Solaris 10 >=
8/07via svcadm                                              2.3.9


via svcadm                                                  2.3.10


via svcadm                                                  2.3.11


via svcadm                                                  2.3.12



via svcadm                                                  2.3.12



via svcadm                                                  2.3.12



via svcadm                                                  2.3.13


via svcadm                                                  2.3.13
via svcadm        2.3.13


via svcadm        2.3.13



via svcadm        2.3.14



via svcadm        2.4.1



via svcadm        2.4.1



via svcadm        2.4.1



via svcadm        2.4.1


/etc/dfs/dfstab   2.4.2


/etc/vfstab       2.4.3


via svcadm        2.4.4


via svcadm        2.4.5


via svcadm        2.4.6


via svcadm        2.4.7



via svcadm        2.4.8



via svcadm        2.4.9
/etc/inetd.conf                    2.4.10


via inetadm and svcadm             2.4.11



via svcadm                         2.4.11


via svcadm                         2.4.11


via svcadm                         2.4.12


/etc/snmp/conf/snmpd.conf          2.4.12



via inetadm -M                     2.5


/var/core                          3.1


/var/core                          3.1


/var/core                          3.1


/etc/coreadm.conf                  3.1


/etc/system                        3.2



/etc/default/inetinit              3.3



/lib/svc/method/cis_netconfig.sh   3.4



/lib/svc/method/cis_netconfig.sh   3.4
/lib/svc/method/cis_netconfig.sh   3.4


/lib/svc/method/cis_netconfig.sh   3.4


/lib/svc/method/cis_netconfig.sh   3.4


/lib/svc/method/cis_netconfig.sh   3.4



/lib/svc/method/cis_netconfig.sh   3.4



/lib/svc/method/cis_netconfig.sh   3.4



/lib/svc/method/cis_netconfig.sh   3.4



/lib/svc/method/cis_netconfig.sh   3.4


/lib/svc/method/cis_netconfig.sh   3.4


/lib/svc/method/cis_netconfig.sh   3.4


/lib/svc/method/cis_netconfig.sh   3.4


/lib/svc/method/cis_netconfig.sh   3.4


/lib/svc/method/cis_netconfig.sh   3.4


/lib/svc/method/cis_netconfig.sh   3.4


/lib/svc/method/cis_netconfig.sh   3.4
/lib/svc/method/cis_netconfig.sh   3.4


/lib/svc/method/cis_netconfig.sh   3.4


via routeadm                       3.5


via routeadm                       3.5

via inetadm -M                     4.1



via inetadm -m                     4.2


/var/log/connlog                   4.3


/var/log/connlog                   4.3


/var/log/connlog                   4.3



/etc/syslog.conf                   4.3



/etc/syslog.conf                   4.4

/var/adm/loginlog                  4.5


/var/adm/loginlog                  4.5


/var/adm/loginlog                  4.5



/var/adm/loginlog                  4.5



/etc/default/login                 4.6
/etc/default/cron                              4.7

/var/cron/log                                  4.7

/var/cron/log                                  4.7


/var/cron/log                                  4.7


via svcadm enable –r svc:/system/sar:default   4.8


/var/adm/sa/*                                  4.8


/var/adm/sa/*                                  4.8


/var/adm/sa/*                                  4.8


via /etc/security/bsmconv                      4.9



/etc/security/audit_control                    4.9



/etc/security/audit_control                    4.9



/etc/security/audit_control                    4.9



/etc/security/audit_control                    4.9



/etc/security/audit_control                    4.9



/etc/security/audit_control                    4.9


/etc/security/audit_control                    4.9
/etc/security/audit_user   4.9

/var/audit/*               4.9


/var/audit/*               4.9

/var/audit/*               4.9


/etc/default/init          5.1



/etc/rmmount.conf          5.2




via pkgchk                 5.3




via pkgchk -f              5.3



via chmod                  5.4



                           5.5


                           5.6.1


                           5.6.2



via chown or rm            5.7
                       5.8


via pmadm              6.1



/etc/default/keyserv   6.2


/etc/ssh/sshd_config   6.3


/etc/ssh/sshd_config   6.3



/etc/ssh/sshd_config   6.3



/etc/ssh/sshd_config   6.3



/etc/ssh/sshd_config   6.3



/etc/ssh/sshd_config   6.3



/etc/ssh/sshd_config   6.3


/etc/ssh/sshd_config   6.3



/etc/ssh/sshd_config   6.3


/etc/ssh/sshd_config   6.3


/etc/pam.conf          6.4
/etc/ftpd/ftpusers               6.5


/etc/ftpd/ftpusers               6.5


/etc/ftpd/ftpusers               6.5


/etc/ftpd/ftpusers               6.5


/etc/ftpd/ftpusers               6.5


/etc/ftpd/ftpusers               6.5


/etc/ftpd/ftpusers               6.5


/etc/ftpd/ftpusers               6.5


/etc/ftpd/ftpusers               6.5


/etc/ftpd/ftpusers               6.5


/etc/ftpd/ftpusers               6.5


/etc/ftpd/ftpusers               6.5


/etc/ftpd/ftpusers               6.5


/etc/ftpd/ftpusers               6.5


/etc/default/login               6.6



/usr/dt/config/*/sys.resources   6.7
/usr/openwin/lib/app-defaults/Xscreensaver              6.8


/usr/openwin/lib/app-defaults/Xscreensaver              6.8


/etc/cron.d/cron.allow                                  6.9


/etc/cron.d/at.allow                                    6.9


/etc/cron.d/cron.allow                                  6.9


/etc/cron.d/cron.allow                                  6.9



/etc/cron.d/cron.allow                                  6.9



/etc/cron.d/at.allow                                    6.9


/etc/cron.d/at.allow                                    6.9


/etc/cron.d/at.allow                                    6.9


/etc/default/login                                      6.1



/etc/default/login                                      6.11


/etc/security/policy.conf                               6.11


via eeprom at OS command line or setenv at ok> prompt   6.12



vi grub> prompt md5cyrpt command                        6.13
via passwd         7.1


via passwd         7.1


via passmgmt       7.1


via passwd         7.1


via passmgmt       7.1


via passwd         7.1


via passmgmt       7.1


via passwd         7.1


via passmgmt       7.1


via passwd         7.1


via passmgmt       7.1


via passwd         7.1


via passmgmt       7.1


via passwd         7.1


via passmgmt       7.1

               s
via passwd         7.1



via passmgmt       7.1
via passwd                                                      7.1


via passmgmt                                                    7.1


via passwd                                                      7.1


via passwd                                                      7.1


via passmgmt                                                    7.1


via passwd                                                      7.1


via passmgmt                                                    7.1


via passwd                                                      7.1


via passmgmt                                                    7.1



via passwd                                                      7.2


Use the set-user-password-reqs.fin Finish script                7.3


Use the set-user-password-reqs.fin Finish script                7.3


Use the set-user-password-reqs.fin Finish script                7.3


Use the set-user-password-reqs.fin, set-strict-password-
checks.fin and the enable-password-history.fin Finish scripts   7.4


Use the set-user-password-reqs.fin, set-strict-password-
checks.fin and the enable-password-history.fin Finish scripts   7.4


Use the set-user-password-reqs.fin, set-strict-password-
checks.fin and the enable-password-history.fin Finish scripts   7.4
Use the set-user-password-reqs.fin, set-strict-password-
checks.fin and the enable-password-history.fin Finish scripts   7.4


Use the set-user-password-reqs.fin, set-strict-password-
checks.fin and the enable-password-history.fin Finish scripts   7.4


Use the set-user-password-reqs.fin, set-strict-password-
checks.fin and the enable-password-history.fin Finish scripts   7.4


Use the set-user-password-reqs.fin, set-strict-password-
checks.fin and the enable-password-history.fin Finish scripts   7.4


Use the set-user-password-reqs.fin, set-strict-password-
checks.fin and the enable-password-history.fin Finish scripts   7.4


Use the set-user-password-reqs.fin, set-strict-password-
checks.fin and the enable-password-history.fin Finish scripts   7.4


Use the set-user-password-reqs.fin, set-strict-password-
checks.fin and the enable-password-history.fin Finish scripts   7.4


Use the set-user-password-reqs.fin, set-strict-password-
checks.fin and the enable-password-history.fin Finish scripts   7.4


Use the set-user-password-reqs.fin, set-strict-password-
checks.fin and the enable-password-history.fin Finish scripts   7.4



Use the check-include-nis-map.aud Audit script.                 7.5


Use the check-uids-unique.aud Audit script                      7,6


Use the set-root-group.fin Finish script                        7.7


Use the set-root-home-dir.fin Finish script                     7.8
Use the check-root-path.aud Audit script                       7.9



Use the check-home-permissions.aud Audit script.               7.1


Use the check-hidden-files.aud Audit script                    7.11


Use the check-netrc-files.aud Audit script                     7.12


Use the print-rhosts.aud Audit script                          7.13

Use the set-user-umask.fin Finish script                       7.14


Use the set-ftpd-umask.fin Finish script.                      7.15




Use the disable-mesg.fin Finish script                         7.16



/etc/issue                                                     8.1



/etc/motd                                                      8.1.1


/usr/dt/config/*/Xresources                                    8.2


/etc/X11/gdm/gdm.conf                                          8.3



/etc/ftpd/banner.msg                                           8.4


/etc/default/telnetd                                           8.5

via the 'eeprom oem-banner=' command (provide a string after
the =) then the "eeprom oem-banner\?=true" command             8.6
via the "O SmtpGreetingMessage" setting in
/etc/mail/sendmail.cf                        8.7
    CIS Solaris 10   Old "Unix-
   Benchmark v4.0   CCE-DRAFT-
(Recommended Value)    2" ID




disabled


disabled


disabled            CCE-U-120


disabled            CCE-U-120


disabled


disabled


disabled



disabled


disabled            CCE-U-203


disabled


disabled


disabled


disabled


disabled
disabled


disabled



disabled



disabled


disabled


disabled


disabled   CCE-U-142


disabled   CCE-U-142


disabled


disabled


disabled



disabled



disabled



disabled


disabled
disabled


disabled



disabled



disabled



disabled



disabled



disabled


disabled


disabled


disabled   CCE-U-104


disabled   CCE-U-103


disabled


disabled



disabled



disabled
disabled   CCE-U-118


disabled



disabled


disabled


disabled


disabled   CCE-U-122



enabled


root       CCE-U-65


root       CCE-U-66


700        CCE-U-67


disabled


enabled    CCE-U-68



2          CCE-U-70



disabled



disabled
disabled


disabled


4096


1024



disabled



disabled



disabled



disabled


60000


60000


enabled


enabled


6112


enabled


enabled
disabled


disabled


disabled


disabled

enabled    CCE-U-80



enabled    CCE-U-113


root


600


root



enabled



enabled    CCE-U-2

root


600


sys



enabled    CCE-U-2



0          CCE-U-2
enabled   CCE-U-38

root

root


600


enabled


sys


sys


600


enabled



enabled



enabled



enabled



enabled



enabled



enabled


enabled
enabled

root


root

600


at least 022



disabled       CCE-U-170




all packages




enabled        CCE-U-171
disabled   CCE-U-155



disabled   CCE-U-161


enabled    CCE-U-132


disabled



5



0



yes



no



no


no



no


enabled


disabled   CCE-U-28
disabled   CCE-U-105


disabled   CCE-U-108


disabled   CCE-U-108


disabled   CCE-U-108


disabled   CCE-U-108


disabled   CCE-U-108


disabled   CCE-U-108


disabled   CCE-U-108


disabled   CCE-U-108


disabled   CCE-U-108


disabled   CCE-U-108


disabled   CCE-U-108


disabled   CCE-U-108


disabled   CCE-U-108


4          CCE-U-5



10         CCE-U-158
10


           TRUE


root              CCE-U-32


null              CCE-U-47


root              CCE-U-40


root              CCE-U-41



400               CCE-U-36



400               CCE-U-51


root              CCE-U-54


root              CCE-U-55


disabled          CCE-U-15



3                 CCE-U-4


yes


command



enabled
Locked           CCE-U-174


Locked           CCE-U-175


/usr/bin/false


Locked           CCE-U-180


/usr/bin/false


Locked           CCE-U-181


/usr/bin/false


Locked           CCE-U-182


/usr/bin/false


Locked


/usr/bin/false


Locked


/usr/bin/false


Locked           CCE-U-183


/usr/bin/false


Locked           CCE-U-184



/usr/bin/false
Locked           CCE-U-185


/usr/bin/false


Non-login        CCE-U-176


Non-login        CCE-U-177


/usr/bin/false


Non-login        CCE-U-178


/usr/bin/false


Non-login        CCE-U-179


/usr/bin/false



Locked


7 days           CCE-U-7


91 days          CCE-U-8


28 days



8



yes



10               CCE-U-10
3



2



1



1



1



0



yes



/var/passwd



=/usr/share/lib/dict/words



None


None


GID 0


/root                        CCE-U-11
                                  CCE-U-13
Exclude '.' and any writeable directories



IAW site policy                CCE-U-162


IAW site policy


IAW site policy


dependent upon 6.4

77                             CCE-U-31


77                             CCE-U-115




enabled                        CCE-U-25




empty string, ""
mailer ready (string)   CCE-U-97
                                                  CCE
  CCE ID        CCE Description
                                               Parameters



             The "reset account lockout
             counter after" policy should
             meet minimum                   (1) number of
CCE-2715-1   requirements.                  minutes
             The "account lockout
             duration" policy should
             meet minimum                   (1) number of
CCE-2363-0   requirements.                  minutes
             The "account lockout
             threshold" policy should
             meet minimum                    (1) number of
CCE-3177-3   requirements.                  attempts
             Auditing of "account logon"
             events on success should
             be enabled or disabled as
CCE-2820-9   appropriate..                  enabled/disabled
             Auditing of "account logon"
             events on failure should be
             enabled or disabled as
CCE-3089-0   appropriate..                  enabled/disabled

             Auditing of "account
             management" events on
             success should be enabled
CCE-3234-2   or disabled as appropriate.. enabled/disabled

             Auditing of "account
             management" events on
             failure should be enabled
CCE-3287-0   or disabled as appropriate.. enabled/disabled

             Auditing of "directory
             service access" events on
             success should be enabled
CCE-3041-1   or disabled as appropriate.. enabled/disabled

             Auditing of "directory
             service access" events on
             failure should be enabled
CCE-3309-2   or disabled as appropriate.. enabled/disabled
             Auditing of "logon" events
             on success should be
             enabled or disabled as
CCE-3076-7   appropriate..                  enabled/disabled
             Auditing of "logon" events
             on failure should be
             enabled or disabled as
CCE-2970-2   appropriate..                  enabled/disabled

             Auditing of "object access"
             events on success should
             be enabled or disabled as
CCE-2724-3   appropriate..               enabled/disabled
             Auditing of "object access"
             events on failure should be
             enabled or disabled as
CCE-3243-3   appropriate..               enabled/disabled

             Auditing of "policy change"
             events on success should
             be enabled or disabled as
CCE-2746-6   appropriate..                  enabled/disabled
             Auditing of "policy change"
             events on failure should be
             enabled or disabled as
CCE-2653-4   appropriate..                  enabled/disabled
             Auditing of "privilege use"
             events on success should
             be enabled or disabled as
CCE-2322-6   appropriate..                  enabled/disabled
             Auditing of "privilege use"
             events on failure should be
             enabled or disabled as
CCE-3257-3   appropriate..                  enabled/disabled

             Auditing of "process
             tracking" events on
             success should be enabled
CCE-3024-7   or disabled as appropriate..   enabled/disabled
             Auditing of "process
             tracking" events on failure
             should be enabled or
CCE-2927-2   disabled as appropriate..      enabled/disabled
             Auditing of "system" events
             on success should be
             enabled or disabled as
CCE-2953-8   appropriate..                  enabled/disabled
             Auditing of "system" events
             on failure should be
             enabled or disabled as
CCE-3222-7   appropriate..                  enabled/disabled
             The "restrict guest access
             to application log" policy
CCE-3121-1   should be set correctly.      (1) enabled/disabled


             The application log
             maximum size should be
CCE-3015-5   configured correctly..        (1) size of file



             The "when maximum log
             size is reached" property
             should be set correctly for
CCE-2905-8   the Application log.          type of retention

             The "restrict guest access
             to security log" policy
CCE-2659-1   should be set correctly.      (1) enabled/disabled


             The security log maximum
             size should be configured
CCE-3302-7   correctly..                   (1) size of file



             The "when maximum log
             size is reached" property
             should be set correctly for
CCE-3196-3   the Security log.             type of retention

             The "restrict guest access
             to system log" policy
CCE-2839-9   should be set correctly.      (1) enabled/disabled


             The system log maximum
             size should be configured
CCE-3165-8   correctly.                    (1) size of file



             The "when maximum log
             size is reached" property
             should be set correctly for
CCE-2931-4   the System log.               type of retention
             The "maximum password
             age" policy should meet
CCE-2967-8   minimum requirements.         (1) number of days
             The "minimum password
             age" policy should meet
CCE-3240-9   minimum requirements.        (1) number of days

             The "minimum password
             length" policy should meet
CCE-2883-7   minimum requirements.        (1) number of days
             The "password must meet
             complexity requirments"
             policy should be set
CCE-3033-8   correctly.                   (1) enabled/disabled

             The "enforce password        (1) number of
             history" policy should meet passwords
CCE-2323-4   minimum requirements.       remembered

             The "store password using
             reversible encryption for all
             users in the domain" policy
CCE-3311-8   should be set correctly.      (1) enabled/disabled

             The startup type of the       (1)
             Messenger service should     disabled/manual/aut
CCE-3316-7   be correct.                  omatic
             The startup type of the
             NetMeeting Remote             (1)
             Desktop Sharing service      disabled/manual/aut
CCE-3082-5   should be correct.           omatic
             The behavior surrounding
             Anonymous users' abiliity
             to display lists of SAM      (1)
             accounts and shares          restricted/unrestricte
CCE-3232-6   should be correct.           d
             The behavior surrounding
             Anonymous users' abiliity
             to display lists of SAM      (1)
             accounts should be           restricted/unrestricte
CCE-3272-2   correct.                     d
             The behavior surrounding
             Anonymous SID/Name
             translation should be
CCE-2339-0   correct.                     (1) enabled/disabled

             Use of the built-in Guest
             account