Oval Office Template - Excel

CCE ID       Old v4 CCE Id   CCE Description   CCE Parameters
CCE-4017-0   CCE-5           The "Security Zones: Use Only Machine Settings" setting should be configured correctly.   (1) enabled/disabled
CCE-3924-8   CCE-119         Internet Explorer Processes (Restrict ActiveX Install)   (1) enabled/disabled
CCE-3929-7   CCE-146         The "Security Zones: Do Not Allow Users to Add/Delete Sites" setting should be configured correctly.   (1) enabled/disabled
CCE-3576-6   CCE-212         The "Disable Periodic Check For Internet Explorer Software Updates" setting should be configured correctly.   (1) enabled/disabled
CCE-4043-6   CCE-347         Internet Explorer Processes (Zone Elevation Protection)   enabled/disabled
CCE-4047-7   CCE-382         The "Internet Explorer Processes (Consistent MIME Handling)" setting should be configured correctly.   enabled/disabled
CCE-3941-2   CCE-449         The "Allow Software to Run or Install Even if the Signature is Invalid" setting should be configured correctly.   enabled/disabled
CCE-3338-1   CCE-591         The "Internet Explorer Processes (MK Protocol)" setting should be configured correctly.   (1) enabled/disabled
CCE-4118-6   CCE-622         The "Disable Software Update Shell Notifications on Program Launch" setting should be configured correctly.   (1) enabled/disabled
CCE-4122-8   CCE-668         The "Internet Explorer Processes (Restrict File Download)" setting should be configured correctly.   enabled/disabled
CCE-3518-8   CCE-684         The "Disable Automatic Install of Internet Explorer Components" setting should be configured correctly.   (1) enabled/disabled
CCE-3201-1   CCE-693         The "Make Proxy Settings Per-Machine (Rather Than Per-User)" setting should be configured correctly.   (1) number of proxy settings
CCE-3744-0   CCE-708         The "Do Not Allow Users to enable or Disable Add-Ons" setting should be configured correctly.   enabled/disabled
CCE-3894-3   CCE-753         The "Turn Off Crash Detection" setting should be configured correctly.   enabled/disabled
CCE-4162-4   CCE-827         The "Internet Explorer Processes (Scripted Window Security Restrictions)" setting should be configured correctly.   enabled/disabled
CCE-3933-9   CCE-833         The "Security Zones: Do Not Allow Users to Change Policies" setting should be configured correctly.   (1) enabled/disabled
CCE-4149-1   CCE-985         The "Internet Explorer Processes (MIME Sniffing)" setting should be configured correctly.   enabled/disabled
CCE-4026-1   CCE-1025        The "Check for Signature on Downloaded Programs" setting should be configured correctly.   enabled/disabled
CCE-4171-5   CCE-42          The "Do Not Allow Resetting Internet Explorer Settings" setting should be configured correctly.   enabled/disabled
CCE-4109-5   CCE-49          The "Allow cut, copy, or paste operations from the clipboard via script" setting should be configured correctly for the Internet Zone.   enabled/disabled
CCE-3378-7   CCE-863         The "Turn Off First-Run Opt-In" setting should be configured correctly for the Internet Zone.   enabled/disabled
CCE-4131-9   CCE-286         The "Web Browser Applications" setting should be configured correctly for the Internet Zone.   enabled/disabled
CCE-4013-9   CCE-1031        The "Allow cut, copy, or paste operations from the clipboard via script" setting should be configured correctly for the Restricted Sites Zone.   enabled/disabled
CCE-4153-3   CCE-200         The "Turn Off First-Run Opt-In" setting should be configured correctly for the Restricted Sites Zone.   enabled/disabled
CCE-4052-7   CCE-51          The "Web Browser Applications" setting should be configured correctly for the Restricted Sites Zone.   enabled/disabled
CCE-4175-6   CCE-876         The "Intranet Sites: Include all network paths (UNCs)" setting should be configured correctly.   enabled/disabled
CCE-3695-4   CCE-810         The "Disable the Advanced Page" setting should be configured correctly.   enabled/disabled
CCE-3777-0   CCE-811         The "Disable the Privacy Page" setting should be configured correctly.   enabled/disabled
CCE-3433-0   CCE-595         The "Disable the Security Page" setting should be configured correctly.   enabled/disabled
CCE-4199-6   CCE-938         The "Prevent Ignoring Certificate Errors" setting should be configured correctly.   enabled/disabled
CCE-3204-5   CCE-946         The "Turn Off changing the URL to be displayed for checking updates to Internet Explorer and Internet Tools" setting should be configured correctly.   enabled/disabled
CCE-4098-0   CCE-237         The "Turn Off Configuring the Update Check Interval (In Days)" setting should be configured correctly.   enabled/disabled
CCE-3741-6   CCE-541         The "Add-on List" setting should be configured correctly.   enabled/disabled
CCE-3997-4   CCE-911         The "Deny all add-ons unless specifically allowed in the Add-on List" setting should be configured correctly.   enabled/disabled
CCE-4001-4   CCE-66          The "Disable "Configuring History"" setting should be configured correctly.   enabled/disabled
CCE-4147-5   CCE-471         The "Disable Changing Automatic Configuration Settings" setting should be configured correctly.   enabled/disabled
CCE-4059-2   CCE-611         The "Disable Changing Connection Settings" setting should be configured correctly.   enabled/disabled
CCE-3935-4   CCE-62          The "Disable Changing Proxy Settings" setting should be configured correctly.   enabled/disabled
CCE-3706-9   CCE-556         The "Disable Showing the Splash Screen" setting should be configured correctly.   enabled/disabled
CCE-3975-0   CCE-948         The "Prevent "Fix settings" Functionality" setting should be configured correctly.   enabled/disabled
CCE-3993-3   CCE-495         The "Prevent participation in the Customer Experience Improvement Programs" setting should be configured correctly.   enabled/disabled
CCE-3207-8   CCE-1006        The "Prevent performance of First Run Customize settings" setting should be configured correctly.   enabled/disabled
CCE-4073-3   CCE-909         The "Prevent the deletion of temporary internet files and cookies" setting should be configured correctly.   enabled/disabled
CCE-3615-2   CCE-1010        The "Turn off "Delete Browsing History" functionality" setting should be configured correctly.   enabled/disabled
CCE-3866-1   CCE-1032        The "Turn off Managing Phishing Filter" setting should be configured correctly.   enabled/disabled
CCE-3875-2   CCE-1054        The "Turn off the Security Settings Check feature" setting should be configured correctly.   enabled/disabled
CCE-4174-9   CCE-964         The "Allow Active Content from CD's to Run on User Machine" setting should be configured correctly.   enabled/disabled
CCE-4192-1   CCE-598         The "Enable third-party browser extensions" setting should be configured correctly.   enabled/disabled
CCE-3584-0   CCE-1008        The "Automatically Check for Internet Explorer Updates" setting should be configured correctly.   enabled/disabled
CCE-3976-8   CCE-690         The "Check for Server Certificate Revocation" setting should be configured correctly.   enabled/disabled
CCE-3853-9   CCE-47          The "Access data sources across domains" setting should be configured correctly for the Internet Zone.   enabled/disabled/prompt
CCE-3998-2   CCE-685         The "Drag and drop or copy and paste files" setting should be configured correctly for the Internet Zone.   enabled/disabled/prompt
CCE-3888-5   CCE-491         The "Font download" setting should be configured correctly for the Internet Zone.   enabled/disabled/prompt
CCE-3906-5   CCE-355         The "Installation of desktop items" setting should be configured correctly for the Internet Zone.   enabled/disabled/prompt
CCE-4099-8   CCE-280         The "Allow script-initiated windows without size or position constraints" setting should be configured correctly for the Internet Zone.   enabled/disabled
CCE-3601-2   CCE-439         The "Allow Scriptlets" setting should be configured correctly for the Internet Zone.   enabled/disabled/prompt
CCE-3249-0   CCE-914         The "Allow status bar updates via script" setting should be configured correctly for the Internet Zone.   enabled/disabled
CCE-4139-2   CCE-16          The "Automatic prompting for file downloads" setting should be configured correctly for the Internet Zone.   enabled/disabled
CCE-3927-1   CCE-1013        The "Download signed ActiveX controls" setting should be configured correctly for the Internet Zone.   enabled/disabled/prompt
CCE-3945-3   CCE-176         The "Download unsigned ActiveX controls" setting should be configured correctly for the Internet Zone.   enabled/disabled/prompt
CCE-4068-3   CCE-586         The "Initialize and script ActiveX controls not marked as safe for scripting" setting should be configured correctly for the Internet Zone.   enabled/disabled/prompt
CCE-3963-6   CCE-132         The "Java permissions" setting should be configured correctly for the Internet Zone.   Custom/Disable Java/High safety/Low safety/Medium safety
CCE-4104-6   CCE-689         The "Launching programs and files in an IFRAME" setting should be configured correctly for the Internet Zone.   enabled/disabled/prompt
CCE-3623-6   CCE-720         The "Logon" setting should be configured correctly for the Internet Zone.   Anonymous logon/Automatic logon only in Intranet zone/Automatic logon with current user name and password/Prompt for user name and password
CCE-3751-5   CCE-126         The "Loose XAML" setting should be configured correctly for the Internet Zone.   enabled/disabled/prompt
CCE-4143-4   CCE-245         The "Navigate sub-frames across different domains" setting should be configured correctly for the Internet Zone.   enabled/disabled/prompt
CCE-4161-6   CCE-910         The "Open files based on content, not file extension" setting should be configured correctly for the Internet Zone.   enabled/disabled
CCE-3553-5   CCE-359         The "Software channel permissions" setting should be configured correctly for the Internet Zone.   High safety/low safety/medium safety
CCE-3619-4   CCE-1002        The "Use Pop-up Blocker" setting should be configured correctly for the Internet Zone.   enabled/disabled
CCE-3914-9   CCE-425         The "Userdata persistence" setting should be configured correctly for the Internet Zone.   enabled/disabled
CCE-3570-9   CCE-724         The "Web sites in less privileged Web content zones can navigate into this zone" setting should be configured correctly for the Internet Zone.   enabled/disabled/prompt
CCE-3843-0   CCE-1015        The "XPS documents" setting should be configured correctly for the Internet Zone.   enabled/disabled/prompt
CCE-3984-2   CCE-878         The "Display mixed content" setting should be configured correctly for the Internet Zone.   enabled/disabled/prompt
CCE-3989-1   CCE-288         The "Display mixed content" setting should be configured correctly for the Intranet Zone.   enabled/disabled/prompt
CCE-4121-0   CCE-552         The "Display mixed content" setting should be configured correctly for the Locked Down Intranet Zone.   enabled/disabled/prompt
CCE-4138-4   CCE-473         The "Display mixed content" setting should be configured correctly for the Local Machine Zone.   enabled/disabled/prompt
CCE-4028-7   CCE-239         The "Display mixed content" setting should be configured correctly for the Locked Down Local Machine Zone.   enabled/disabled/prompt
CCE-3905-7   CCE-636         The "Access data sources across domains" setting should be configured correctly for the Restricted Sites Zone.   enabled/disabled/prompt
CCE-4050-1   CCE-292         The "Active scripting" setting should be configured correctly for the Restricted Sites Zone.   enabled/disabled/prompt
CCE-4196-2   CCE-178         The "Binary and script behaviors" setting should be configured correctly for the Restricted Sites Zone.   Administrator approved/enabled/disabled
CCE-3337-3   CCE-41          The "Drag and drop or copy and paste files" setting should be configured correctly for the Restricted Sites Zone.   enabled/disabled/prompt
CCE-4150-9   CCE-970         The "File download" setting should be configured correctly for the Restricted Sites Zone.   enabled/disabled
CCE-4062-6   CCE-882         The "Font download" setting should be configured correctly for the Restricted Sites Zone.   enabled/disabled/prompt
CCE-4079-0   CCE-763         The "Installation of desktop items" setting should be configured correctly for the Restricted Sites Zone.   enabled/disabled/prompt
CCE-4084-0   CCE-680         The "Allow META REFRESH" setting should be configured correctly for the Restricted Sites Zone.   enabled/disabled
CCE-4119-4   CCE-208         The "Allow script-initiated windows without size or position constraints" setting should be configured correctly for the Restricted Sites Zone.   enabled/disabled
CCE-3639-2   CCE-838         The "Allow Scriptlets" setting should be configured correctly for the Restricted Sites Zone.   enabled/disabled/prompt
CCE-4031-1   CCE-129         The "Allow status bar updates via script" setting should be configured correctly for the Restricted Sites Zone.   enabled/disabled
CCE-4053-5   CCE-175         The "Automatic prompting for file downloads" setting should be configured correctly for the Restricted Sites Zone.   enabled/disabled
CCE-4057-6   CCE-52          The "Download signed ActiveX controls" setting should be configured correctly for the Restricted Sites Zone.   enabled/disabled/prompt
CCE-3564-2   CCE-1012        The "Download unsigned ActiveX controls" setting should be configured correctly for the Restricted Sites Zone.   enabled/disabled/prompt
CCE-4101-2   CCE-26          The "Initialize and script ActiveX controls not marked as safe for scripting" setting should be configured correctly for the Restricted Sites Zone.   enabled/disabled/prompt
CCE-3996-6   CCE-925         The "Java permissions" setting should be configured correctly for the Restricted Sites Zone.   Custom/Disable Java/High safety/Low safety/Medium safety
CCE-4066-7   CCE-339         The "Launching programs and files in an IFRAME" setting should be configured correctly for the Restricted Sites Zone.   enabled/disabled/prompt
CCE-3696-2   CCE-128         The "Logon" setting should be configured correctly for the Restricted Sites Zone.   Anonymous logon/Automatic logon only in Intranet zone/Automatic logon with current user name and password/Prompt for user name and password
CCE-3590-7   CCE-639         The "Loose XAML" setting should be configured correctly for the Restricted Sites Zone.   enabled/disabled/prompt
CCE-4110-3   CCE-995         The "Navigate sub-frames across different domains" setting should be configured correctly for the Restricted Sites Zone.   enabled/disabled/prompt
CCE-4132-7   CCE-409         The "Open files based on content, not file extension" setting should be configured correctly for the Restricted Sites Zone.   enabled/disabled
CCE-3400-9   CCE-678         The "Run components not signed with Authenticode" setting should be configured correctly for the Restricted Sites Zone.   enabled/disabled/prompt
CCE-4158-2   CCE-563         The "Run components signed with Authenticode" setting should be configured correctly for the Restricted Sites Zone.   enabled/disabled/prompt
CCE-4163-2   CCE-841         The "Run ActiveX controls and plugins" setting should be configured correctly for the Restricted Sites Zone.   Administrator approved/enabled/disabled/prompt
CCE-4202-8   CCE-973         The "Script ActiveX controls marked safe for scripting" setting should be configured correctly for the Restricted Sites Zone.   enabled/disabled/prompt
CCE-3216-9   CCE-1000        The "Scripting of Java applets" setting should be configured correctly for the Restricted Sites Zone.   enabled/disabled/prompt
CCE-3855-4   CCE-520         The "Software channel permissions" setting should be configured correctly for the Restricted Sites Zone.   High safety/low safety/medium safety
CCE-4018-8   CCE-660         The "Use Pop-up Blocker" setting should be configured correctly for the Restricted Sites Zone.   enabled/disabled
CCE-4040-2   CCE-28          The "Userdata persistence" setting should be configured correctly for the Restricted Sites Zone.   enabled/disabled
CCE-4215-0   CCE-698         The "Web sites in less privileged Web content zones can navigate into this zone" setting should be configured correctly for the Restricted Sites Zone.   enabled/disabled/prompt
CCE-3991-7   CCE-460         The "XPS documents" setting should be configured correctly for the Restricted Sites Zone.   enabled/disabled/prompt
CCE-3264-9   CCE-30          The "Display mixed content" setting should be configured correctly for the Restricted Sites Zone.   enabled/disabled/prompt
CCE-4087-3   CCE-31          The "Display mixed content" setting should be configured correctly for the Trusted Sites Zone.   enabled/disabled/prompt
CCE-4232-5   CCE-666         The "Display mixed content" setting should be configured correctly for the Locked Down Trusted Sites Zone.   enabled/disabled/prompt
CCE-4259-8   CCE-528         The "Enable Native XMLHttp Support" setting should be configured correctly.   enabled/disabled
CCE-3647-5   CCE-721         The "Turn on the auto-complete feature for user names and passwords on form" setting should be configured correctly.   enabled/disabled
CCE-3677-2   CCE-69          The "Allow Install On Demand (Internet Explorer)" setting should be configured correctly.   enabled/disabled
CCE-4056-8   CCE-71          The "Turn off page transitions" setting should be configured correctly.   enabled/disabled
CCE-4246-5   CCE-478         The "Disable AutoComplete for forms" setting should be configured correctly.   enabled/disabled
CCE-4214-3   CCE-412         The "Disable Save this program to disk option" setting should be configured correctly.   enabled/disabled
CCE-3606-1   CCE-1037        The "Disable changing certificate settings" setting should be configured correctly.   enabled/disabled
CCE-4237-4   CCE-1051        The "Disable external branding of Internet Explorer" setting should be configured correctly.   enabled/disabled
CCE-3275-5   CCE-963         The "Configure Outlook Express" setting should be configured correctly.   enabled/disabled
CCE-4036-0   CCE-258         The "Turn on the Internet Connection Wizard Auto Detect" setting should be configured correctly.   enabled/disabled
CCE-3825-7   CCE-769         The "Disable Internet Connection wizard" setting should be configured correctly.   enabled/disabled
CCE-4226-7   CCE-625         The "Disable the Reset Web Settings feature" should be configured correctly.   enabled/disabled
CCE-4120-2   CCE-74          The "Disable Downloading Of Site Subscription Content" setting should be configured correctly.   enabled/disabled
CCE-4248-1   CCE-122         The "Disable Adding Schedules For Offline Pages" setting should be configured correctly.   enabled/disabled
CCE-3389-4   CCE-716         The "Disable Adding Channels" setting should be configured correctly.   enabled/disabled
CCE-3645-9   CCE-610         The "Disable Editing And Creating Of Schedule Groups" setting should be configured correctly.   enabled/disabled
CCE-3940-4   CCE-619         The "Disable All Scheduled Offline Pages" setting should be configured correctly.   enabled/disabled
CCE-3821-6   CCE-373         The "Disable Editing Schedules For Offline Pages" setting should be configured correctly.   enabled/disabled
CCE-3742-4   CCE-298         The "Disable Channel User Interface Completely" setting should be configured correctly.   enabled/disabled
CCE-4261-4   CCE-1069        The "Disable Removing Channels" setting should be configured correctly.   enabled/disabled
CCE-4190-5   CCE-615         The "Disable Removing Schedules For Offline Pages" setting should be configured correctly.   enabled/disabled
CCE-4208-5   CCE-1003        The "Disable Offline Page Hit Logging" setting should be configured correctly.   enabled/disabled
CCE-3754-9   CCE-320    The "Java permissions" setting should be configured correctly for the Locked Down Intranet Zone.   Custom/Disable Java/High safety/Low safety/Medium safety
CCE-3891-9   CCE-138    The "Java permissions" setting should be configured correctly for the Local Machine Zone.   Custom/Disable Java/High safety/Low safety/Medium safety
CCE-4160-8   CCE-1045   The "Java permissions" setting should be configured correctly for the Locked Down Local Machine Zone.   Custom/Disable Java/High safety/Low safety/Medium safety
CCE-4763-9   CCE-1005   Computer-wide, rather than per-user, assignment of sites to zones for Internet Explorer should be enabled or disabled as appropriate.   enabled, disabled, or not configured
CCE-4643-3   CCE-281    The "Turn on Protected Mode" setting should be configured correctly for the Internet Zone.   enabled/disabled
CCE-4652-4   CCE-218    The "Java permissions" setting should be configured correctly for the Intranet Zone.   Custom/Disable Java/High safety/Low safety/Medium safety
CCE-4793-6   CCE-308    The "Download signed ActiveX controls" setting should be configured correctly for the Locked-Down Internet Zone.   enabled/disabled/prompt
CCE-4692-0   CCE-781    The "Java permissions" setting should be configured correctly for the Locked Down Internet Zone.   Custom/Disable Java/High safety/Low safety/Medium safety
CCE-3902-4   CCE-1088   The "Java permissions" setting should be configured correctly for the Locked Down Restricted Sites Zone.   Custom/Disable Java/High safety/Low safety/Medium safety
CCE-4546-8   CCE-1147   The "Allow status bar updates via script" setting should be configured correctly for the Locked-Down Trusted Sites Zone.   enabled/disabled
CCE-4564-1   CCE-140    The "Java permissions" setting should be configured correctly for the Locked Down Trusted Sites Zone.   Custom/Disable Java/High safety/Low safety/Medium safety
CCE-3909-9   CCE-1211   The "Turn on Protected Mode" setting should be configured correctly for the Restricted Sites Zone.   enabled/disabled
CCE-4845-4   CCE-675    The "Java permissions" setting should be configured correctly for the Trusted Sites Zone.   Custom/Disable Java/High safety/Low safety/Medium safety

CCE Technical Mechanisms                                         NIST SCAP Microsoft Internet Explorer Version 7.0 OVAL (SCAP-IE7-OVAL-Beta-v3.xml)


HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windo
ws\CurrentVersion\Internet Settings\Use_HKLM_only Local
Internet Options: GPO Settings:[Computer Configuration |
User Configuration]/Network/Internet Explorer, Registry
Keys:[HKLM |
HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\I       oval:org.mitre.oval:def:1277,
nternet Settings\Security_HKLM_only                              oval:org.mitre.oval:def:2050

HKLM\Software\Policies\Microsoft\Internet
Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIV
EXINSTALL!(Reserved),
HKLM\Software\Policies\Microsoft\Internet
Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIV
EXINSTALL!explorer.exe, HKLM\Software\Policies\Local
Internet Options: GPO Settings:[Computer Configuration |
User Configuration]/Network/Internet Explorer/Internet Control
Panel/Security Features/Restrict ActiveX Install, Registry
Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet
Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIV
EXINSTALL\(Reserved), [HKLM |
HKCU]\Software\Policies\Microsoft\Internet
Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIV
EXINSTALL\explorer.exe, [HKLM |
HKCU]\Software\Policies\Microsoft\Internet
Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIV
EXINSTALL\iexplore.exe                                           oval:org.mitre.oval:def:658
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windo
ws\CurrentVersion\Internet
Settings\Security_Zones_Map_Edit Local Internet Options:
GPO Settings:[Computer Configuration | User
Configuration]/Network/Internet Explorer, Registry
Keys:[HKLM |
HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\I
nternet Settings\Security_zones_map_edit                         oval:org.mitre.oval:def:1400


HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet
 Explorer\InfoDelivery\Restrictions\NoUpdateCheck Local
Internet Options: GPO Settings:[Computer Configuration |
User Configuration]/Network/Internet Explorer, Registry
Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet
Explorer\Infodelivery\Restrictions\NoUpdateCheck                 oval:org.mitre.oval:def:1357
HKLM\Software\Policies\Microsoft\Internet
Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION
!(Reserved), HKLM\Software\Policies\Microsoft\Internet
Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION
!explorer.exe,
HKLM\Software\Policies\Microsoft\Internet,Local Internet
Options: GPO Settings:[Computer Configuration | User
Configuration]/Network/Internet Explorer/Internet Control
Panel/Security Features/Protection From Zone Elevation,
Registry Keys:[HKLM |
HKCU]\Software\Policies\Microsoft\Internet
Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION
\(Reserved), [HKLM |
HKCU]\Software\Policies\Microsoft\Internet
Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION
\explorer.exe, [HKLM |
HKCU]\Software\Policies\Microsoft\Internet
Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION
\iexplore.exe                                               oval:org.mitre.oval:def:620

HKLM\Software\Policies\Microsoft\Internet
Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING!(
Reserved), HKLM\Software\Policies\Microsoft\Internet
Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING!
explorer.exe, HKLM\Software\Policies\Microsoft\Internet
E,Local Internet Options: GPO Settings:[Computer
Configuration | User Configuration]/Network/Internet
Explorer/Internet Control Panel/Security Features/Binary
Behavior Security Restriction, Registry Keys:[HKLM |
HKCU]\Software\Policies\Microsoft\Internet
Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING\(
Reserved), [HKLM |
HKCU]\Software\Policies\Microsoft\Internet
Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING\
explorer.exe, [HKLM |
HKCU]\Software\Policies\Microsoft\Internet
Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING\i
explore.exe                                                 oval:org.mitre.oval:def:884
HKLM\Software\Policies\Microsoft\Internet
Explorer\Download!RunInvalidSignatures,Local Internet
Options: GPO Settings:[Computer Configuration | User
Configuration]/Network/Internet Explorer/Internet Control
Panel/Advanced Page , Registry Keys:[HKLM |
HKCU]\Software\Policies\Microsoft\Internet                  oval:org.mitre.oval:def:680,
Explorer\Download\RunInvalidSignatures                      oval:org.mitre.oval:def:1392
HKLM\Software\Policies\Microsoft\Internet
Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PRO
TOCOL!(Reserved),
HKLM\Software\Policies\Microsoft\Internet
Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PRO
TOCOL!explorer.exe,
HKLM\Software\Policies\Microsoft,Local Internet Options:
GPO Settings:[Computer Configuration | User
Configuration]/Network/Internet Explorer/Internet Control
Panel/Security Features/MK Protocol Security Restriction,
Registry Keys:[HKLM |
HKCU]\Software\Policies\Microsoft\Internet
Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PRO
TOCOL\(Reserved), [HKLM |
HKCU]\Software\Policies\Microsoft\Internet
Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PRO
TOCOL\explorer.exe, [HKLM |
HKCU]\Software\Policies\Microsoft\Internet
Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PRO
TOCOL\iexplore.exe                                               oval:org.mitre.oval:def:617


HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curre
ntVersion\Policies\Explorer\NoMSAppLogo5ChannelNotify,Loc
al Internet Options: GPO Settings:[Computer Configuration |
User Configuration]/Network/Internet Explorer/Internet Control
Panel/Security Features/Restrict File Download, Registry
Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet
Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILED
OWNLOAD\(Reserved), [HKLM |
HKCU]\Software\Policies\Microsoft\Internet
Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILED
OWNLOAD\explorer.exe, [HKLM |
HKCU]\Software\Policies\Microsoft\Internet
Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILED
OWNLOAD\iexplore.exe                                             oval:org.mitre.oval:def:1188
HKLM\Software\Policies\Microsoft\Internet
Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILED
OWNLOAD!(Reserved),
HKLM\Software\Policies\Microsoft\Internet
Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILED
OWNLOAD!explorer.exe, Local Internet Options: GPO
Settings:[Computer Configuration | User
Configuration]/Network/Internet Explorer/Internet Control
Panel/Security Features/Restrict File Download, Registry
Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet
Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILED
OWNLOAD\(Reserved), [HKLM |
HKCU]\Software\Policies\Microsoft\Internet
Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILED
OWNLOAD\explorer.exe, [HKLM |
HKCU]\Software\Policies\Microsoft\Internet
Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILED
OWNLOAD\iexplore.exe                                             oval:org.mitre.oval:def:320

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet
Explorer\InfoDelivery\Restrictions\NoJITSetup,Local Internet
Options: GPO Settings:[Computer Configuration | User
Configuration]/Network/Internet Explorer, Registry
Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet
Explorer\Infodelivery\Restrictions\NoJITSetup                    oval:org.mitre.oval:def:1198

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windo
ws\CurrentVersion\Internet
Settings\ProxySettingsPerUser,Local Internet Options: GPO
Settings:[Computer Configuration | User
Configuration]/Network/Internet Explorer, Registry
Keys:[HKLM |
HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\I
nternet Settings\ProxySettingsPerUser                            oval:org.mitre.oval:def:1181
Local Internet Options: GPO Settings:[Computer
Configuration | User Configuration]/Network/Internet Explorer,
Registry Keys:[HKLM |                                            oval:org.mitre.oval:def:1380,
HKCU]\Software\Policies\Microsoft\Internet                       oval:org.mitre.oval:def:1358,
Explorer\Restrictions\NoExtensionManagement                      oval:org.mitre.oval:def:1694
HKLM\Software\Policies\Microsoft\Internet
Explorer\Restrictions!NoCrashDetection,Local Internet
Options: GPO Settings:[Computer Configuration | User
Configuration]/Network/Internet Explorer, Registry
Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet
Explorer\Restrictions\NoCrashDetection                           oval:org.mitre.oval:def:487
HKLM\Software\Policies\Microsoft\Internet
Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRI
CTIONS!(Reserved),
HKLM\Software\Policies\Microsoft\Internet
Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRI
CTIONS!explorer.exe, Local Internet Options: GPO
Settings:[Computer Configuration | User
Configuration]/Network/Internet Explorer/Internet Control
Panel/Security Features/Scripted Window Security
Restrictions, Registry Keys:[HKLM |
HKCU]\Software\Policies\Microsoft\Internet
Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRI
CTIONS\(Reserved), [HKLM |
HKCU]\Software\Policies\Microsoft\Internet
Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRI
CTIONS\explorer.exe, [HKLM |
HKCU]\Software\Policies\Microsoft\Internet
Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRI
CTIONS\iexplore.exe                                           oval:org.mitre.oval:def:465

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windo
ws\CurrentVersion\Internet
Settings\Security_options_edit,Local Internet Options: GPO
Settings:[Computer Configuration | User
Configuration]/Network/Internet Explorer, Registry
Keys:[HKLM |
HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\I
nternet Settings\Security_options_edit                        oval:org.mitre.oval:def:1404

HKLM\Software\Policies\Microsoft\Internet
Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING!(
Reserved), HKLM\Software\Policies\Microsoft\Internet
Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING!e
xplorer.exe, Local Internet Options: GPO Settings:[Computer
Configuration | User Configuration]/Network/Internet
Explorer/Internet Control Panel/Security Features/Mime
Sniffing Safety Feature, Registry Keys:[HKLM |
HKCU]\Software\Policies\Microsoft\Internet
Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING\(
Reserved), [HKLM |
HKCU]\Software\Policies\Microsoft\Internet
Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING\e
xplorer.exe, [HKLM |
HKCU]\Software\Policies\Microsoft\Internet
Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING\ie
xplore.exe                                                    oval:org.mitre.oval:def:317
Local Internet Options: GPO Settings:[Computer
Configuration | User Configuration]/Network/Internet
Explorer/Internet Control Panel/Advanced Page , Registry
Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet
Explorer\Download\CheckExeSignatures                          oval:org.mitre.oval:def:395
Local Internet Options: GPO Settings:[Computer
Configuration | User Configuration]/Network/Internet
Explorer/Internet Control Panel/Advanced Page , Registry
Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet
Explorer\Control Panel\DisableRIED                               oval:org.mitre.oval:def:583
Local Internet Options: GPO Settings:[Computer
Configuration | User Configuration]/Network/Internet
Explorer/Internet Control Panel/Security Page/Internet Zone,
Registry Keys:[HKLM |
HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\I       oval:org.mitre.oval:def:506,
nternet Settings\Zones\3\1407                                    oval:org.mitre.oval:def:533
Local Internet Options: GPO Settings:[Computer
Configuration | User Configuration]/Network/Internet
Explorer/Internet Control Panel/Security Page/Internet Zone,
Registry Keys:[HKLM |
HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\I
nternet Settings\Zones\3\1208                                    oval:org.mitre.oval:def:1119
Local Internet Options: GPO Settings:[Computer
Configuration | User Configuration]/Network/Internet
Explorer/Internet Control Panel/Security Page/Internet Zone,
Registry Keys:[HKLM |
HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\I
nternet Settings\Zones\3\2400                                    oval:org.mitre.oval:def:242

Local Internet Options: GPO Settings:[Computer
Configuration | User Configuration]/Network/Internet
Explorer/Internet Control Panel/Security Page/Restricted Sites
Zone, Registry Keys:[HKLM |
HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\I       oval:org.mitre.oval:def:249,
nternet Settings\Zones\4\1407                                    oval:org.mitre.oval:def:1393
Local Internet Options: GPO Settings:[Computer
Configuration | User Configuration]/Network/Internet
Explorer/Internet Control Panel/Security Page/Restricted Sites
Zone, Registry Keys:[HKLM |
HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\I
nternet Settings\Zones\4\1208                                    oval:org.mitre.oval:def:621
Local Internet Options: GPO Settings:[Computer
Configuration | User Configuration]/Network/Internet
Explorer/Internet Control Panel/Security Page/Restricted Sites
Zone, Registry Keys:[HKLM |
HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\I
nternet Settings\Zones\4\2400                                    oval:org.mitre.oval:def:580
Local Internet Options: GPO Settings:[Computer
Configuration | User Configuration]/Network/Internet
Explorer/Internet Control Panel/Security Page, Registry
Keys:[HKLM |
HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\I       oval:org.mitre.oval:def:559,
nternet Settings\ZoneMap\UNCAsIntranet                           oval:org.mitre.oval:def:1370
Local Internet Options: GPO Settings:[Computer
Configuration | User Configuration]/Network/Internet
Explorer/Internet Control Panel, Registry Keys:[HKLM |
HKCU]\Software\Policies\Microsoft\Internet Explorer\Control   oval:org.mitre.oval:def:934,
Panel\AdvancedTab                                             oval:org.mitre.oval:def:660
Local Internet Options: GPO Settings:[Computer
Configuration | User Configuration]/Network/Internet
Explorer/Internet Control Panel, Registry Keys:[HKLM |
HKCU]\Software\Policies\Microsoft\Internet Explorer\Control
Panel\PrivacyTab                                              oval:org.mitre.oval:def:1111
Local Internet Options: GPO Settings:[Computer
Configuration | User Configuration]/Network/Internet
Explorer/Internet Control Panel, Registry Keys:[HKLM |
HKCU]\Software\Policies\Microsoft\Internet Explorer\Control   oval:org.mitre.oval:def:672,
Panel\SecurityTab                                             oval:org.mitre.oval:def:601
Local Internet Options: GPO Settings:[Computer
Configuration | User Configuration]/Network/Internet
Explorer/Internet Control Panel, Registry Keys:[HKLM |
HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\I    oval:org.mitre.oval:def:655,
nternet Settings\PreventIgnoreCertErrors                      oval:org.mitre.oval:def:1129
Local Internet Options: GPO Settings:[Computer
Configuration | User Configuration]/Network/Internet
Explorer/Internet Control Panel/Internet Settings/Component
Updates/Periodic Check for Updates to Internet Explorer and
Internet Tools, Registry Keys:[HKLM |
HKCU]\Software\Policies\Microsoft\Internet
Explorer\Main\Update_Check_Page                               oval:org.mitre.oval:def:715
Local Internet Options: GPO Settings:[Computer
Configuration | User Configuration]/Network/Internet
Explorer/Internet Control Panel/Internet Settings/Component
Updates/Periodic Check for Updates to Internet Explorer and
Internet Tools, Registry Keys:[HKLM |
HKCU]\Software\Policies\Microsoft\Internet
Explorer\Main\Update_Check_Interval                           oval:org.mitre.oval:def:1187
Local Internet Options: GPO Settings:[Computer
Configuration | User Configuration]/Network/Internet
Explorer/Internet Control Panel/Security Features/Add-on
Management, Registry Keys:[HKLM |
HKCU]\Software\Microsoft\Windows\CurrentVersion\Policies\E
xt\ListBox_Support_CLSID                                      oval:org.mitre.oval:def:626
Local Internet Options: GPO Settings:[Computer
Configuration | User Configuration]/Network/Internet
Explorer/Internet Control Panel/Security Features/Add-on
Management, Registry Keys:[HKLM |
HKCU]\Software\Microsoft\Windows\CurrentVersion\Policies\E
xt\RestrictToList                                             oval:org.mitre.oval:def:1278
Local Internet Options: GPO Settings:[Computer
Configuration | User Configuration]/Network/Internet Explorer,
Registry Keys:[HKLM |
HKCU]\Software\Policies\Microsoft\Internet Explorer\Control
Panel\History, [HKLM |
HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\I       oval:org.mitre.oval:def:757,
nternet Settings\Url History\DaysToKeep                          oval:org.mitre.oval:def:1365
Local Internet Options: GPO Settings:[Computer
Configuration | User Configuration]/Network/Internet Explorer,
Registry Keys:[HKLM |
HKCU]\Software\Policies\Microsoft\Internet Explorer\Control      oval:org.mitre.oval:def:1285,
Panel\Autoconfig                                                 oval:org.mitre.oval:def:613
Local Internet Options: GPO Settings:[Computer
Configuration | User Configuration]/Network/Internet Explorer,
Registry Keys:[HKLM |
HKCU]\Software\Policies\Microsoft\Internet Explorer\Control
Panel\Connection Settings, [HKLM |
HKCU]\Software\Policies\Microsoft\Internet Explorer\Control      oval:org.mitre.oval:def:355,
Panel\Connwiz Admin Lock                                         oval:org.mitre.oval:def:1128
Local Internet Options: GPO Settings:[Computer
Configuration | User Configuration]/Network/Internet Explorer,
Registry Keys:[HKLM |
HKCU]\Software\Policies\Microsoft\Internet Explorer\Control      oval:org.mitre.oval:def:398,
Panel\Proxy                                                      oval:org.mitre.oval:def:635
Local Internet Options: GPO Settings:[Computer
Configuration | User Configuration]/Network/Internet Explorer,
Registry Keys:[HKLM |
HKCU]\Software\Policies\Microsoft\Internet
Explorer\Infodelivery\Restrictions\NoSplash                      oval:org.mitre.oval:def:1164
Local Internet Options: GPO Settings:[Computer
Configuration | User Configuration]/Network/Internet Explorer,
Registry Keys:[HKLM |
HKCU]\Software\Policies\Microsoft\Internet                       oval:org.mitre.oval:def:448,
Explorer\Security\DisableFixSecuritySettings                     oval:org.mitre.oval:def:640

Local Internet Options: GPO Settings:[Computer
Configuration | User Configuration]/Network/Internet Explorer,
Registry Keys:[HKLM |
HKCU]\Software\Policies\Microsoft\Internet                       oval:org.mitre.oval:def:1171,
Explorer\SQM\DisableCustomerImprovementProgram                   oval:org.mitre.oval:def:1391
Local Internet Options: GPO Settings:[Computer
Configuration | User Configuration]/Network/Internet Explorer,
Registry Keys:[HKLM |
HKCU]\Software\Policies\Microsoft\Internet
Explorer\Main\DisableFirstRunCustomize                           oval:org.mitre.oval:def:1322
Local Internet Options: GPO Settings:[Computer
Configuration | User Configuration]/Network/Internet Explorer,
Registry Keys:[HKLM |
HKCU]\Software\Policies\Microsoft\Internet Explorer\Control      oval:org.mitre.oval:def:1382,
Panel\Settings                                                   oval:org.mitre.oval:def:703
Local Internet Options: GPO Settings:[Computer
Configuration | User Configuration]/Network/Internet Explorer,
Registry Keys:[HKLM |
HKCU]\Software\Policies\Microsoft\Internet Explorer\Control      oval:org.mitre.oval:def:458,
Panel\DisableDeleteBrowsingHistory                               oval:org.mitre.oval:def:1474
Local Internet Options: GPO Settings:[Computer
Configuration | User Configuration]/Network/Internet Explorer,
Registry Keys:[HKLM |
HKCU]\Software\Policies\Microsoft\Internet
Explorer\PhishingFilter\Enabled                                  oval:org.mitre.oval:def:501
Local Internet Options: GPO Settings:[Computer
Configuration | User Configuration]/Network/Internet Explorer,
Registry Keys:[HKLM |
HKCU]\Software\Policies\Microsoft\Internet                       oval:org.mitre.oval:def:916,
Explorer\Security\DisableSecuritySettingsCheck                   oval:org.mitre.oval:def:1034
Local Internet Options: GPO Settings:[Computer
Configuration | User Configuration]/Network/Internet
Explorer/Internet Control Panel/Advanced Page , Registry
Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet
Explorer\Main\FeatureControl\FEATURE_LOCAL                       oval:org.mitre.oval:def:400
Local Internet Options: GPO Settings:[Computer
Configuration | User Configuration]/Network/Internet
Explorer/Internet Control Panel/Advanced Page , Registry
Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet
Explorer\Main\Enable Browser Extensions                          oval:org.mitre.oval:def:110
Local Internet Options: GPO Settings:[Computer
Configuration | User Configuration]/Network/Internet
Explorer/Internet Control Panel/Advanced Page , Registry
Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet          oval:org.mitre.oval:def:656,
Explorer\Main\NoUpdateCheck                                      oval:org.mitre.oval:def:1360
Local Internet Options: GPO Settings:[Computer
Configuration | User Configuration]/Network/Internet
Explorer/Internet Control Panel/Advanced Page , Registry
Keys:[HKLM |
HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\I       oval:org.mitre.oval:def:172,
nternet Settings\CertificateRevocation                           oval:org.mitre.oval:def:1502
Local Internet Options: GPO Settings:[Computer
Configuration | User Configuration]/Network/Internet
Explorer/Internet Control Panel/Security Page/Internet Zone,
Registry Keys:[HKLM |
HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\I       oval:org.mitre.oval:def:674,
nternet Settings\Zones\3\1406                                    oval:org.mitre.oval:def:650
Local Internet Options: GPO Settings:[Computer
Configuration | User Configuration]/Network/Internet
Explorer/Internet Control Panel/Security Page/Internet Zone,
Registry Keys:[HKLM |
HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\I       oval:org.mitre.oval:def:1083,
nternet Settings\Zones\3\1802                                    oval:org.mitre.oval:def:547
Local Internet Options: GPO Settings:[Computer
Configuration | User Configuration]/Network/Internet
Explorer/Internet Control Panel/Security Page/Internet Zone,
Registry Keys:[HKLM |
HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\I     oval:org.mitre.oval:def:524,
nternet Settings\Zones\3\1604                                  oval:org.mitre.oval:def:659
Local Internet Options: GPO Settings:[Computer
Configuration | User Configuration]/Network/Internet
Explorer/Internet Control Panel/Security Page/Internet Zone,
Registry Keys:[HKLM |
HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\I     oval:org.mitre.oval:def:223,
nternet Settings\Zones\3\1800                                  oval:org.mitre.oval:def:541

Local Internet Options: GPO Settings:[Computer
Configuration | User Configuration]/Network/Internet
Explorer/Internet Control Panel/Security Page/Internet Zone,
Registry Keys:[HKLM |
HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\I     oval:org.mitre.oval:def:589,
nternet Settings\Zones\3\2102                                  oval:org.mitre.oval:def:1476
Local Internet Options: GPO Settings:[Computer
Configuration | User Configuration]/Network/Internet
Explorer/Internet Control Panel/Security Page/Internet Zone,
Registry Keys:[HKLM |
HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\I
nternet Settings\Zones\3\1209                                  oval:org.mitre.oval:def:1043
Local Internet Options: GPO Settings:[Computer
Configuration | User Configuration]/Network/Internet
Explorer/Internet Control Panel/Security Page/Internet Zone,
Registry Keys:[HKLM |
HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\I     oval:org.mitre.oval:def:226,
nternet Settings\Zones\3\2103                                  oval:org.mitre.oval:def:1208
Local Internet Options: GPO Settings:[Computer
Configuration | User Configuration]/Network/Internet
Explorer/Internet Control Panel/Security Page/Internet Zone,
Registry Keys:[HKLM |
HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\I     oval:org.mitre.oval:def:1113,
nternet Settings\Zones\3\2200                                  oval:org.mitre.oval:def:562
Local Internet Options: GPO Settings:[Computer
Configuration | User Configuration]/Network/Internet
Explorer/Internet Control Panel/Security Page/Internet Zone,
Registry Keys:[HKLM |
HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\I     oval:org.mitre.oval:def:1199,
nternet Settings\Zones\3\1001                                  oval:org.mitre.oval:def:546
Local Internet Options: GPO Settings:[Computer
Configuration | User Configuration]/Network/Internet
Explorer/Internet Control Panel/Security Page/Internet Zone,
Registry Keys:[HKLM |
HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\I     oval:org.mitre.oval:def:391,
nternet Settings\Zones\3\1004                                  oval:org.mitre.oval:def:1200
Local Internet Options: GPO Settings:[Computer
Configuration | User Configuration]/Network/Internet
Explorer/Internet Control Panel/Security Page/Internet Zone,
Registry Keys:[HKLM |
HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\I     oval:org.mitre.oval:def:1040,
nternet Settings\Zones\3\1201                                  oval:org.mitre.oval:def:739
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1C00    oval:org.mitre.oval:def:1174, oval:org.mitre.oval:def:725
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Internet Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1804    oval:org.mitre.oval:def:611, oval:org.mitre.oval:def:1487
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Internet Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1A00    oval:org.mitre.oval:def:691, oval:org.mitre.oval:def:1123
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Internet Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2402    oval:org.mitre.oval:def:240
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Internet Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1607    oval:org.mitre.oval:def:612, oval:org.mitre.oval:def:1394
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Internet Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2100    oval:org.mitre.oval:def:953, oval:org.mitre.oval:def:1300
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Internet Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1E05    oval:org.mitre.oval:def:302, oval:org.mitre.oval:def:1398
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Internet Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1809    oval:org.mitre.oval:def:1179, oval:org.mitre.oval:def:558
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Internet Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1606    oval:org.mitre.oval:def:1108
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Internet Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2101    oval:org.mitre.oval:def:265, oval:org.mitre.oval:def:1432
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Internet Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2401    oval:org.mitre.oval:def:628
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1609    oval:org.mitre.oval:def:245
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\1609    oval:org.mitre.oval:def:1166
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\1609    oval:org.mitre.oval:def:247
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1609    oval:org.mitre.oval:def:383
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\1609    oval:org.mitre.oval:def:418
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1406    oval:org.mitre.oval:def:652, oval:org.mitre.oval:def:750
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1400    oval:org.mitre.oval:def:293, oval:org.mitre.oval:def:561
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2000    oval:org.mitre.oval:def:365, oval:org.mitre.oval:def:1314
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1802    oval:org.mitre.oval:def:498, oval:org.mitre.oval:def:1465
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1803    oval:org.mitre.oval:def:1184, oval:org.mitre.oval:def:1318
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1604    oval:org.mitre.oval:def:1109, oval:org.mitre.oval:def:1410
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1800    oval:org.mitre.oval:def:251, oval:org.mitre.oval:def:1257
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1608    oval:org.mitre.oval:def:1218, oval:org.mitre.oval:def:1270
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2102    oval:org.mitre.oval:def:1234, oval:org.mitre.oval:def:574
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1209    oval:org.mitre.oval:def:1217
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1001    oval:org.mitre.oval:def:378, oval:org.mitre.oval:def:1320
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2200    oval:org.mitre.oval:def:252, oval:org.mitre.oval:def:1312
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1001    oval:org.mitre.oval:def:1019, oval:org.mitre.oval:def:1389
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1004    oval:org.mitre.oval:def:949, oval:org.mitre.oval:def:579
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1201    oval:org.mitre.oval:def:273, oval:org.mitre.oval:def:1342
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1C00    oval:org.mitre.oval:def:824, oval:org.mitre.oval:def:732
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1804    oval:org.mitre.oval:def:274, oval:org.mitre.oval:def:1223




Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1A00    oval:org.mitre.oval:def:326, oval:org.mitre.oval:def:1378
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2402    oval:org.mitre.oval:def:275
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1607    oval:org.mitre.oval:def:1229, oval:org.mitre.oval:def:1292
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2100    oval:org.mitre.oval:def:706, oval:org.mitre.oval:def:1421
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2004    oval:org.mitre.oval:def:329, oval:org.mitre.oval:def:599
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2001    oval:org.mitre.oval:def:276, oval:org.mitre.oval:def:1428
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1200    oval:org.mitre.oval:def:571, oval:org.mitre.oval:def:1594
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1405    oval:org.mitre.oval:def:602, oval:org.mitre.oval:def:1274
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1402    oval:org.mitre.oval:def:280, oval:org.mitre.oval:def:641
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1E05    oval:org.mitre.oval:def:290, oval:org.mitre.oval:def:1214
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1809    oval:org.mitre.oval:def:1100, oval:org.mitre.oval:def:1286
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1606    oval:org.mitre.oval:def:300
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2101    oval:org.mitre.oval:def:1219, oval:org.mitre.oval:def:1243
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2401    oval:org.mitre.oval:def:1176
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\1609    oval:org.mitre.oval:def:314
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\1609    oval:org.mitre.oval:def:1153
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\1609    oval:org.mitre.oval:def:1183

Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Features, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\XMLHTTP    oval:org.mitre.oval:def:338
HKCU\Software\Policies\Microsoft\Internet Explorer\Main!FormSuggest Passwords, HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\FormSuggest Passwords    oval:org.mitre.oval:def:645
HKCU\Software\Policies\Microsoft\Internet Explorer\Main!NoJITSetup    oval:org.mitre.oval:def:523
HKCU\Software\Policies\Microsoft\Internet Explorer\Main!Page_Transitions    oval:org.mitre.oval:def:1206
HKCU\Software\Policies\Microsoft\Internet Explorer\Main!Use FormSuggest, HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel!FormSuggest    oval:org.mitre.oval:def:1516
HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions!NoSelectDownloadDir    oval:org.mitre.oval:def:505
HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel!Certificates    oval:org.mitre.oval:def:1362
HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions!NoExternalBranding    oval:org.mitre.oval:def:1384
HKCU\Software\Microsoft\Outlook Express!BlockExeAttachments    oval:org.mitre.oval:def:1238
HKCU\Software\Policies\Microsoft\Internet Connection Wizard!DisableICW    oval:org.mitre.oval:def:604
HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel!Connwiz Admin Lock    oval:org.mitre.oval:def:1355
HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel!ResetWebSettings    oval:org.mitre.oval:def:1437
HKCU\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\NoSubscriptionContent    oval:org.mitre.oval:def:1080
HKCU\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\NoAddingSubscriptions    oval:org.mitre.oval:def:1293
HKCU\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\NoAddingChannels    oval:org.mitre.oval:def:1383
HKCU\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\NoEditingScheduleGroups    oval:org.mitre.oval:def:1397
HKCU\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\NoScheduledUpdates    oval:org.mitre.oval:def:1501
HKCU\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\NoEditingSubscriptions    oval:org.mitre.oval:def:1565
HKCU\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\NoChannelUI    oval:org.mitre.oval:def:1782
HKCU\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\NoRemovingChannels    oval:org.mitre.oval:def:1801
HKCU\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\NoRemovingSubscriptions    oval:org.mitre.oval:def:1954
HKCU\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\NoChannelLogging    oval:org.mitre.oval:def:2026

Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone/Java permissions, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\1C00    oval:org.mitre.oval:def:2039
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone/Java permissions, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1C00    oval:org.mitre.oval:def:1422
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone/Java permissions, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\1C00    oval:org.mitre.oval:def:1986




GPO Setting: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Site to Zone Assignment List
GPO Setting: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone\Turn on Protected Mode
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone/Java permissions, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\1C00
GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone\Download signed ActiveX controls
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone/Java permissions, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\1C00
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone/Java permissions, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\1C00
GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone\Allow status bar updates via script
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone/Java permissions, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\1C00
(1) GPO Setting: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone\Turn on Protected Mode (2) Registry Keys:[HKLM|HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone/Java permissions, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\1C00
NIST SCAP Microsoft Internet Explorer Version 7.0 XCCDF (SCAP-IE7-XCCDF-Beta-v3.xml)    FDCC IE7 XCCDF (fdcc-accepted-content-20080110\fdcc-ie7-xccdf.xml)




UseOnlyMachineSettings-LocalComputer, UseOnlyMachineSettings-LocalComputer-Disabled    use_only_machine_settings_local_computer
IEProcesses-RestrictActiveXInstall-LocalComputer    IEProcesses_RestrictActiveXInstall_LocalComputer
DoNotAllowUsersAddDeleteSites-LocalComputer    DoNotAllowUsersAddDeleteSites_LocalComputer
DisablePeriodicCheckForIESoftwareUpdates-LocalComputer    DisablePeriodicCheckForIESoftwareUpdates_LocalComputer
                                                     IEProcesses_ProtectionFromZoneElevation_LocalComputer
IEProcesses-ConsistentMimeHandling-LocalComputer    IEProcesses_ConsistentMimeHandling_LocalComputer
AllowSoftwareRunInstallSignatureInvalid-LocalComputer, AllowSoftwareToRununOrInstallEvenIfSignatureInvalid-LocalUser    AllowSoftwareRunInstallSignatureInvalid_LocalComputer
IEProcesses-MKProtocolSecurityRestriction-LocalComputer    IEProcesses_MKProtocolSecurityRestriction_LocalComputer
DisableSoftwareUpdateShellNotifications-LocalComputer    DisableSoftwareUpdateShellNotifications_LocalComputer
IEProcesses-RestrictFileDownload-LocalComputer    IEProcesses_RestrictFileDownload_LocalComputer
DisableAutomaticInstallOfIEComponents-LocalComputer    DisableAutomaticInstallOfIEComponents_LocalComputer
MakeProxySettingsPerMachine-LocalComputer    MakeProxySettingsPerMachine_LocalComputer
DoNotAllowUsersEnableDisableAddOns-LocalComputer, DoNotAllowUsersEnableDisableAddOns-LocalUser    DoNotAllowUsersEnableDisableAddOns_LocalComputer
TurnOffCrashDetection-LocalComputer    TurnOffCrashDetection_LocalComputer
IEProcesses-ScriptedWindowSecurityRestrictions-LocalComputer    IEProcesses_ScriptedWindowSecurityRestrictions_LocalComputer
DoNotAllowUsersChangePolicies-LocalComputer    DoNotAllowUsersChangePolicies_LocalComputer
IEProcesses-MimeSniffingSafetyFeature-LocalComputer    IEProcesses_MimeSniffingSafetyFeature_LocalComputer
CheckSignatureDownloadedPrograms-LocalComputer    CheckSignatureDownloadedPrograms_LocalComputer
DoNotAllowResettingIESettings-LocalComputer    DoNotAllowResettingIESettings_LocalComputer


AllowCutCopyPasteOperationsFromClipboardViaScript-InternetZone-LocalComputer, AllowCutCopyPasteOperationsFromClipboardViaScript-InternetZone-LocalUser    allow_cut_copy_paste_operations_from_clipboard_via_script_internet_zone_local_computer
TurnOffFirst-RunOpt-In-InternetZone-LocalComputer    TurnOffFirstRunOptIn_InternetZone_LocalComputer
WebBrowserApplications-InternetZone-LocalComputer    WebBrowserApplications_InternetZone_LocalComputer
AllowCutCopyPasteOperationsFromClipboardViaScript-RestrictedSitesZone-LocalComputer, AllowCutCopyPasteOperationsFromClipboardViaScript-RestrictedSitesZone-LocalUser    AllowCutCopyPasteOperationsFromClipboardViaScript_RestrictedSitesZone_LocalComputer
TurnOffFirst-RunOpt-In-RestrictedSitesZone-LocalComputer    TurnOffFirstRunOptIn_RestrictedSitesZone_LocalComputer
WebBrowserApplications-RestrictedSitesZone-LocalComputer    WebBrowserApplications_RestrictedSitesZone_LocalComputer
IncludeAllNetworkPaths-LocalComputer, IncludeAllNetworkPaths-LocalUser    include_all_network_paths_local_computer
DisableTheAdvancedPage-LocalComputer, DisableTheAdvancedPage-LocalUser
DisableThePrivacyPage-LocalComputer
DisableTheSecurityPage-LocalComputer, DisableTheSecurityPage-LocalUser
PreventIgnoingCertificateErrors-LocalComputer, PreventIgnoingCertificateErrors-LocalUser    prevent_ignoring_certificate_errors_local_computer
TurnOffChangingURLDisplay-LocalComputer    TurnOffChangingURLDisplay_LocalComputer
TurnOffConfiguringUpdateCheckInterval-LocalComputer    TurnOffConfiguringUpdateCheckInterval_LocalComputer
AddOnList-LocalComputer
DenyAllAddOns-LocalComputer
DisableConfiguringHistory-LocalComputer, DisableConfiguringHistory-LocalUser    DisableConfiguringHistory_LocalComputer

DisableChangingAutomaticConfigurationSettings-LocalComputer, DisableChangingAutomaticConfigurationSettings-LocalUser    DisableChangingAutomaticConfigurationSettings_LocalComputer
DisableChangingConnectionSettings-LocalComputer, DisableChangingConnectionSettings-LocalUser
DisableChangingProxySettings-LocalComputer, DisableChangingProxySettings-LocalUser
DisableShowingSplashScreen-LocalComputer    DisableShowingSplashScreen_LocalComputer
PreventFixSettingsFunctionality-LocalComputer, PreventFixSettingsFunctionality-LocalUser
PreventParticipationInCustomerExperienceImprovementPrograms-LocalComputer, PreventParticipationInCustomerExperienceImprovementPrograms-LocalUser    PreventParticipationInCustomerExperienceImprovementPrograms_LocalComputer
PreventPerformanceOfFirstRunCustomizeSettings-LocalComputer    PreventPerformanceOfFirstRunCustomizeSettings_LocalComputer
PerventDeletationOfTempInternetFiles-LocalComputer, PerventDeletationOfTempInternetFiles-LocalUser
TurnOffDeleteBrowsingHistoryFunctionality-LocalComputer, TurnOffDeleteBrowsingHistoryFunctionality-LocalUser    TurnOffDeleteBrowsingHistoryFunctionality_LocalComputer
TurnOffManagingPhishingFilter-LocalComputer    TurnOffManagingPhishingFilter_LocalComputer
TurnOffSecuritySettingsCheckFeature-LocalComputer, TurnOffSecuritySettingsCheckFeature-LocalUser    TurnOffSecuritySettingsCheckFeature_LocalComputer
AllowActiveContentFromCD-LocalComputer    AllowActiveContentFromCD_LocalComputer
AllowThird-PartyBrowserExtensions-LocalComputer    AllowThird-PartyBrowserExtensions_LocalComputer
AutomaticallyCheckIEUpdates-LocalComputer, AutomaticallyCheckForIEUpdates-LocalUser    AutomaticallyCheckIEUpdates_LocalComputer
CheckServerCertificateRevocation-LocalComputer, CheckForServerCertificateRevocation-LocalUser    CheckServerCertificateRevocation_LocalComputer



AccessDataSourcesAcrossDomains-InternetZone-LocalComputer, AccessDataSourcesAcrossDomains-InternetZone-LocalUser    access_data_sources_across_domains_internet_zone_local_computer
AllowDragDropOrCopyPasteFiles-InternetZone-LocalComputer, AllowDragDropOrCopyPasteFiles-InternetZone-LocalUser    AllowDragDropOrCopyPasteFiles_InternetZone_LocalComputer
AllowFontDownloads-InternetZone-LocalComputer, AllowFontDownloads-InternetZone-LocalUser    AllowFontDownloads_InternetZone_LocalComputer
AllowInstallationOfDesktopItems-InternetZone-LocalComputer, AllowInstallationOfDesktopItems-InternetZone-LocalUser    AllowInstallationOfDesktopItems_InternetZone_LocalComputer
AllowScriptInitiatedWindowsWithoutSizeOrPositionConstraints-InternetZone-LocalComputer, AllowScriptInitiatedWindowsWithoutSizeOrPositionConstraints-InternetZone-LocalUser    AllowScriptInitiatedWindowsWithoutSizeOrPositionConstraints_InternetZone_LocalComputer
AllowScriptlets-InternetZone-LocalComputer    allow_scriptlets_internet_zone_local_computer
AllowStatusBarUpdatesViaScript-InternetZone-LocalComputer, AllowStatusBarUpdatesViaScript-InternetZone-LocalUser    allow_status_bar_updates_via_script_internet_zone_local_computer
AutomaticPromptingFileDownloads-InternetZone-LocalComputer, AutomaticPromptingFileDownloads-InternetZone-LocalUser    AutomaticPromptingFileDownloads_InternetZone_LocalComputer
DownloadSignedActiveXControls-InternetZone-LocalComputer, DownloadSignedActiveXControls-InternetZone-LocalUser    download_signed_activex_controls_InternetZone_LocalComputer
DownloadUnsignedActiveXControls-InternetZone-LocalComputer, DownloadUnsignedActiveXControls-InternetZone-LocalUser    DownloadUnsignedActiveXControls_InternetZone_LocalComputer
InitializeScriptActiveXControlsNotMarkedAsSafe-
InternetZone-LocalComputer, JavaPermissions-
InternetZone-LocalComputer,                         InitializeScriptActiveXControlsNotMar
InitializeScriptActiveXControlsNotMarkedAsSafe-     kedAsSafe_InternetZone_LocalCom
InternetZone-LocalUser                              puter




                                                    java_permissions_internet_zone_loc
JavaPermissions-InternetZone-LocalUser              al_computer


LaunchingApplicationsAndFilesInIFRAME-InternetZone-
LocalComputer,
LaunchingApplicationsAndFilesInIFRAME-InternetZone- LaunchingApplicationsAndFilesInIFR
LocalUser                                           AME_InternetZone_LocalComputer




LogonOptions-InternetZone-LocalComputer,            LogonOptions_InternetZone_LocalCo
LogonOptions-InternetZone-LocalUser                 mputer




                                                    LooseXAMLFiles_InternetZone_Loca
LooseXAMLFiles-InternetZone-LocalComputer           lComputer



NavigateSub-framesAcrossDifferentDomains-           navigate_sub_frames_across_differe
InternetZone-LocalComputer, NavigateSub-            nt_domains_Internet_zone_local_co
framesAcrossDifferentDomains-InternetZone-LocalUser mputer



OpenFilesBasedOnContent-InternetZone-
LocalComputer, OpenFilesBasedOnContent-             OpenFilesBasedOnContent_Internet
InternetZone-LocalUser                              Zone_LocalComputer
SoftwareChannelPermissions-InternetZone-
LocalComputer, SoftwareChannelPermissions-       SoftwareChannelPermissions_Intern
InternetZone-LocalUser                           etZone_LocalComputer



                                                 UsePop-
UsePop-upBlocker-InternetZone-LocalComputer,     upBlocker_InternetZone_LocalComp
UsePop-upBlocker-InternetZone-LocalUser          uter




                                                 UserdataPersistence_InternetZone_L
UserdataPersistence-InternetZone-LocalComputer   ocalComputer


WebSitesInLessPrivilegedWebContentZonesCanNaviga
teIntoThisZone-InternetZone-LocalComputer,       WebSitesInLessPrivilegedWebConte
WebSitesInLessPrivilegedWebContentZonesCanNaviga ntZonesCanNavigateIntoThisZone_In
teIntoThisZone-InternetZone-LocalUser            ternetZone_LocalComputer




XPSFiles-InternetZone-LocalComputer




DisplayMixedContent-LockedDownInternetZone-LocalComputer    display_mixed_content_locked_down_internet_zone_local_computer
DisplayMixedContent-IntranetZone-LocalComputer    display_mixed_content_intranet_zone_local_computer
DisplayMixedContent-LockedDownIntranetZone-LocalComputer    display_mixed_content-LockedDownintranet_zone_local_computer
DisplayMixedContent-LocalMachineZone-LocalComputer    display_mixed_content-local_machine_zone_local_computer
DisplayMixedContent-LockedDownLocalMachineZone-LocalComputer    display_mixed_content-LockedDownlocal_machine_zone_local_computer


AccessDataSourcesAcrossDomains-RestrictedSitesZone-LocalComputer, AccessDataSourcesAcrossDomains-RestrictedSitesZone-LocalUser    AccessDataSourcesAcrossDomains_RestrictedSitesZone_LocalComputer
AllowActiveScripting-RestrictedSitesZone-LocalComputer, AllowActiveScripting-RestrictedSitesZone-LocalUser    AllowActiveScripting_RestrictedSitesZone_LocalComputer
AllowBinaryAndScriptBehaviors-RestrictedSitesZone-LocalComputer, AllowBinaryAndScriptBehaviors-RestrictedSitesZone-LocalUser    AllowBinaryAndScriptBehaviors_RestrictedSitesZone_LocalComputer
AllowDragDropOrCopyPasteFiles-RestrictedSitesZone-LocalComputer, AllowDragDropOrCopyPasteFiles-RestrictedSitesZone-LocalUser    AllowDragDropOrCopyPasteFiles_RestrictedSitesZone_LocalComputer
AllowFileDownloads-RestrictedSitesZone-LocalComputer, AllowFileDownloads-RestrictedSitesZone-LocalUser    AllowFileDownloads_RestrictedSitesZone_LocalComputer
AllowFontDownloads-RestrictedSitesZone-LocalComputer, AllowFontDownloads-RestrictedSitesZone-LocalUser    AllowFontDownloads_RestrictedSitesZone_LocalComputer
AllowInstallationOfDesktopItems-RestrictedSitesZone-LocalComputer, AllowInstallationOfDesktopItems-RestrictedSitesZone-LocalUser    AllowInstallationOfDesktopItems_RestrictedSitesZone_LocalComputer
AllowMETAREFRESH-RestrictedSitesZone-LocalComputer, AllowMETAREFRESH-RestrictedSitesZone-LocalUser    AllowMETAREFRESH_RestrictedSitesZone_LocalComputer
AllowScriptInitiatedWindowsWithoutSizeOrPositionConstraints-RestrictedSitesZone-LocalComputer, AllowScriptInitiatedWindowsWithoutSizeOrPositionConstraints-RestrictedSitesZone-LocalUser    AllowScriptInitiatedWindowsWithoutSizeOrPositionConstraints_RestrictedSitesZone_LocalComputer
AllowScriptlets-RestrictedSitesZone-LocalComputer
AllowStatusBarUpdatesViaScript-RestrictedSitesZone-LocalComputer, AllowStatusBarUpdatesViaScript-RestrictedSitesZone-LocalUser    AllowStatusBarUpdatesViaScript_RestrictedSitesZone_LocalComputer
AutomaticPromptingFileDownloads-RestrictedSitesZone-LocalComputer, AutomaticPromptingFileDownloads-RestrictedSitesZone-LocalUser    AutomaticPromptingFileDownloads_RestrictedSitesZone_LocalComputer
DownloadSignedActiveXControls-RestrictedSitesZone-LocalComputer, DownloadSignedActiveXControls-RestrictedSitesZone-LocalUser    download_signed_activex_controls_RestrictedSitesZone_LocalComputer
DownloadUnsignedActiveXControls-RestrictedSitesZone-LocalComputer, DownloadUnsignedActiveXControls-RestrictedSitesZone-LocalUser    DownloadUnsignedActiveXControls_RestrictedSitesZone_LocalComputer
InitializeScriptActiveXControlsNotMarkedAsSafe-RestrictedSitesZone-LocalComputer, InitializeScriptActiveXControlsNotMarkedAsSafe-RestrictedSitesZone-LocalUser    InitializeScriptActiveXControlsNotMarkedAsSafe_RestrictedSitesZone_LocalComputer
JavaPermissions-RestrictedSitesZone-LocalComputer, JavaPermissions-RestrictedSitesZone-LocalUser    java_permissions_RestrictedSitesZone_LocalComputer
LaunchingApplicationsAndFilesInIFRAME-RestrictedSitesZone-LocalComputer, LaunchingApplicationsAndFilesInIFRAME-RestrictedSitesZone-LocalUser    LaunchingApplicationsAndFilesInIFRAME_RestrictedSitesZone_LocalComputer
LogonOptions-RestrictedSitesZone-LocalComputer, LogonOptions-RestrictedSitesZone-LocalUser    LogonOptions_RestrictedSitesZone_LocalComputer
LooseXAMLFiles-RestrictedSitesZone-LocalComputer    LooseXAMLFiles_RestrictedSitesZone_LocalComputer
NavigateSub-framesAcrossDifferentDomains-RestrictedSitesZone-LocalComputer, NavigateSub-framesAcrossDifferentDomains-RestrictedSitesZone-LocalUser    NavigateSub-framesAcrossDifferentDomains_RestrictedSitesZone_LocalComputer
OpenFilesBasedOnContent-RestrictedSitesZone-LocalComputer, OpenFilesBasedOnContent-RestrictedSitesZone-LocalUser    OpenFilesBasedOnContent_RestrictedSitesZone_LocalComputer
RunNETFrameworkReliantComponentsNotSignedWithAuthenticode-RestrictedSitesZone-LocalComputer, RunNETFrameworkReliantComponentsNotSignedWithAuthenticode-RestrictedSitesZone-LocalUser    RunNETFrameworkReliantComponentsNotSignedWithAuthenticode_RestrictedSitesZone_LocalComputer
RunNETFrameworkReliantComponentsSignedWithAuthenticode-RestrictedSitesZone-LocalComputer, RunNETFrameworkReliantComponentsSignedWithAuthenticode-RestrictedSitesZone-LocalUser    RunNETFrameworkReliantComponentsSignedWithAuthenticode_RestrictedSitesZone_LocalComputer
RunActiveXControlsAndPlugins-RestrictedSitesZone-LocalComputer, RunActiveXControlsAndPlugins-RestrictedSitesZone-LocalUser    RunActiveXControlsAndPlugins_RestrictedSitesZone_LocalComputer
ScriptActiveXControlsMarkedSafeForScripting-RestrictedSitesZone-LocalComputer, ScriptActiveXControlsMarkedSafeForScripting-RestrictedSitesZone-LocalUser    ScriptActiveXControlsMarkedSafeForScripting_RestrictedSitesZone_LocalComputer
ScriptingOfJavaApplets-RestrictedSitesZone-LocalComputer, ScriptingOfJavaApplets-RestrictedSitesZone-LocalUser    ScriptingOfJavaApplets_RestrictedSitesZone_LocalComputer
SoftwareChannelPermissions-RestrictedSitesZone-LocalComputer, SoftwareChannelPermissions-RestrictedSitesZone-LocalUser    SoftwareChannelPermissions_RestrictedSitesZone_LocalComputer
UsePop-upBlocker-RestrictedSitesZone-LocalComputer, UsePop-upBlocker-RestrictedSitesZone-LocalUser    UsePop-upBlocker_RestrictedSitesZone_LocalComputer
UserdataPersistence-RestrictedSitesZone-LocalComputer    UserdataPersistence_RestrictedSitesZone_LocalComputer
WebSitesInLessPrivilegedWebContentZonesCanNavigateIntoThisZone-RestrictedSitesZone-LocalComputer, WebSitesInLessPrivilegedWebContentZonesCanNavigateIntoThisZone-RestrictedSitesZone-LocalUser    WebSitesInLessPrivilegedWebContentZonesCanNavigateIntoThisZone_RestrictedSitesZone_LocalComputer
XPSFiles-RestrictedSitesZone-LocalComputer



DisplayMixedContent-LockedDownRestrictedSitesZone-LocalComputer    display_mixed_content-LockedDownRestrictedSitesZone_LocalComputer
DisplayMixedContent-TrustedSitesZone-LocalComputer    display_mixed_content_trusted_sites_zone_local_computer
DisplayMixedContent-LockedDownTrustedSitesZone-LocalComputer    display_mixed_content_LockedDowntrusted_sites_zone_local_computer
EnableNativeXMLHttpSupport-LocalComputer    EnableNativeXMLHttpSupport_LocalComputer
DisableSaveThisProgramToDiskOption-LocalUser    TurnOnAutoCompleteFeatureForUserNamesAndPasswords_LocalUser
AllowInstallOnDemandIE-LocalUser    allow_install_on_demand_ie_local_computer
TurnOffPageTransitions-LocalUser    TurnOffPageTransitions_LocalUser
DisableAutoCompleteForForms-LocalUser    DisableAutoCompleteForForms_LocalUser
AllowInstallOnDemandIE-LocalUser
DisableChangingCertificateSettings-LocalUser
DisableExternalBrandingOfIE-LocalUser    DisableExternalBrandingOfIE_LocalUser
ConfigureOutlookExpress-LocalUser    configure_outlook_express_local_user
InternetConnectionWizardSettings-LocalUser    TurnOnInternetConnectionWizardAutoDetect_LocalUser
DisableInternetConnectionWizard-LocalUser    DisableInternetConnectionWizard_LocalUser
DisableResetWebSettingsFeature-LocalUser    DisableResetWebSettingsFeature_LocalUser
DisableDownloadingOfSiteSubscriptionContent-LocalUser
DisableAddingSchedulesForOfflinePages-LocalUser
DisableAddingChannels-LocalUser
DisableEditingAndCreatingOfScheduleGroups-LocalUser
DisableAllScheduledOfflinePages-LocalUser
DisableEditingSchedulesForOfflinePages-LocalUser
DisableChannelUserInterfaceCompletely-LocalUser
DisableRemovingChannels-LocalUser
DisableRemovingSchedulesForOfflinePages-LocalUser
DisableOfflinePageHitLogging-LocalUser
JavaPermissions-LockedDownIntranetZone-LocalComputer    java_permissions_LockedDownintranet_zone_local_computer
JavaPermissions-LocalMachineZone-LocalComputer    java_permissions_local_machine_zone_local_computer
JavaPermissions-LockedDownLocalMachineZone-LocalComputer    java_permissions_LockedDownlocal_machine_zone_local_computer
                                                    site_to_zone_assignment_list_local_computer
TurnOnProtectedMode_InternetZone_LocalComputer
java_permissions_intranet_zone_local_computer
download_signed_activex_controls_locked_down_internet_zone_local_computer
java_permissions_locked_down_internet_zone_local_computer
java_permissions_LockedDownRestrictedSitesZone_LocalComputer
AllowStatusBarUpdatesViaScript_LockedDowntrusted_sites_zone_local_computer
java_permissions_LockedDowntrusted_sites_zone_local_computer
TurnOnProtectedMode_RestrictedSitesZone_LocalComputer
java_permissions_trusted_sites_zone_local_computer
FDCC IE7 OVAL (fdcc-accepted-content-20080110\fdcc-ie7-oval.xml)




CCE ID   Old v4 CCE Id   CCE Description   CCE Parameters




CCE-116-4   CCE-116   The "Disable VBA for Office applications" setting should be configured correctly.   enabled/disabled
CCE-908-4   CCE-908   The "ActiveX Control Initialization:" setting should be configured correctly.   1 = Do not prompt | 4 = Prompt user to use control defaults | 6 = Prompt user to use persisted data
CCE-184-2   CCE-184   The "Enable Customer Experience Improvement Program" setting should be configured correctly.   enabled/disabled
CCE-276-6   CCE-276   The "Enable Customer Experience Improvement Program" setting should be configured correctly.   enabled/disabled
CCE-967-0   CCE-967   The "Online content options" setting should be configured correctly.   0 = Never show online content or entry points | 1 = Search only offline content whenever available | 2 = Search online content whenever available
CCE-427-5   CCE-427   The "VBA Macro Warning Settings" setting should be configured correctly for Access 2007.   1 = No Security checks for macros | 2 = Trust Bar warning for all macros | 3 = Trust Bar warning for digitally signed macros only | 4 = No Warnings for all macros but disable all macros
CCE-649-4   CCE-649   The "VBA Macro Warning Settings" setting should be configured correctly for Excel 2007.   1 = No Security checks for macros | 2 = Trust Bar warning for all macros | 3 = Trust Bar warning for digitally signed macros only | 4 = No Warnings for all macros but disable all macros
CCE-862-3   CCE-862   The "Trust access to Visual Basic Project" setting should be configured correctly for Excel 2007 and 2003.   enabled/disabled
CCE-567-8   CCE-567   The "VBA Macro Warning Settings" setting should be configured correctly for PowerPoint 2007.   1 = No Security checks for macros | 2 = Trust Bar warning for all macros | 3 = Trust Bar warning for digitally signed macros only | 4 = No Warnings for all macros but disable all macros
CCE-68-7   CCE-68   The "Trust access to Visual Basic Project" setting should be configured correctly for PowerPoint 2007.   enabled/disabled
CCE-537-1   CCE-537   The "Disable Remember Password" setting should be configured correctly.   enabled/disabled

CCE-786-4   CCE-786   The "Configure Add-In Trust Level" setting should be configured correctly.   0 = Trust all or use Exchange settings if present | 1 = Trust all loaded and installed COM addins | 2 = Do NOT trust loaded and installed COM addins
CCE-937-3   CCE-937   The "Disable 'Remember password' for Internet e-mail accounts" setting should be configured correctly.   enabled/disabled
CCE-13-3   CCE-13   The "Minimum encryption settings" setting should be configured correctly.   enabled/disabled
CCE-316-0   CCE-316   The "Do not check e-mail address against address of certificates being using" setting should be configured correctly.   enabled/disabled
CCE-14-1   CCE-14   The "Send all signed messages as clear signed messages" setting should be configured correctly.   enabled/disabled
CCE-153-7   CCE-153   The "Request an S/MIME receipt for all S/MIME signed messages" setting should be configured correctly.   enabled/disabled
CCE-345-9   CCE-345   The "Do not display 'Publish to GAL' button" setting should be configured correctly.   enabled/disabled
CCE-700-5   CCE-700   The "Signature Warning" setting should be configured correctly.   0 = Let user decide if they want to be warned | 1 = Always warn about invalid signatures | 2 = Never warn about invalid signatures
CCE-695-7   CCE-695   The "Enable Cryptography Icons" setting should be configured correctly.   enabled/disabled
CCE-395-4   CCE-395   The "Retrieving CRLs (Certificate Revocation Lists)" setting should be configured correctly.   0 = Use system Default | 1 = When online always retrieve the CRL | 2 = Never retrieve the CRL
CCE-659-3   CCE-659   The "VBA Macro Warning Settings" setting should be configured correctly for Word 2007.   1 = No Security checks for macros | 2 = Trust Bar warning for all macros | 3 = Trust Bar warning for digitally signed macros only | 4 = No Warnings for all macros but disable all macros
CCE-703-9   CCE-703   The "Trust access to Visual Basic Project" setting should be configured correctly for Word 2007 and 2003.   enabled/disabled
CCE-173-5   CCE-173   The "Warn before printing, saving or sending a file that contains tracked changes or comments" setting should be configured correctly.   enabled/disabled
CCE-784-9   CCE-784   The "Block updates from the Office Update Site from applying" setting should be configured correctly.   enabled/disabled
CCE-1395-3   CCE-1395   The "Underline hyperlinks" setting should be configured correctly for Access 2007.   enabled/disabled
CCE-1137-9   CCE-1137   The "Number of documents in the Recent Documents list (0-9)" setting should be configured correctly for Access 2007.   enabled/disabled
CCE-1423-3   CCE-1423   The "Disable Trust Bar Notification for unsigned application add-ins" setting should be configured correctly for Access 2007.   enabled/disabled
CCE-1238-5   CCE-1238   The "Disable all application add-ins" setting should be configured correctly for Access 2007.   enabled/disabled
CCE-1476-1   CCE-1476   The "Require that application add-ins are signed by Trusted Publisher" setting should be configured correctly for Access 2007.   enabled/disabled
CCE-1520-6   CCE-1520   The "Disable all trusted locations" setting should be configured correctly for Access 2007.   enabled/disabled
CCE-780-7   CCE-780   The "Allow Trusted Locations not on the computer" setting should be configured correctly for Access 2007.   enabled/disabled
CCE-1214-6   CCE-1214   The "Modal Trust Decision Only" setting should be configured correctly for Access 2007.   enabled/disabled
CCE-1370-6   CCE-1370   The "Disable commands" setting should be configured correctly for Access 2007.   enabled/disabled
CCE-1268-2   CCE-1268   The "Disable commands - Office Button | E-Mail" setting should be configured correctly for Access 2007.   enabled/disabled
CCE-1400-1   CCE-1400   The "Disable commands - Office Button | Access Options | Customize | All Commands | Insert Hyperlink" setting should be configured correctly for Access 2007.   enabled/disabled
CCE-1440-7   CCE-1440   The "Disable commands - Database Tools | Database Tools | Encrypt with Password" setting should be configured correctly for Access 2007.   enabled/disabled
CCE-581-9   CCE-581   The "Disable commands - Database Tools | Administer | Users and Permission | User and Group Permissions" setting should be configured correctly for Access 2007.   enabled/disabled
CCE-1480-3   CCE-1480   The "Disable commands - Database Tools | Administer | Users and Permissions | User and Group Accounts" setting should be configured correctly for Access 2007.   enabled/disabled
CCE-1489-4   CCE-1489   The "Disable commands - Database Tools | Administer | Users and Permission | User-Level Security Wizard..." setting should be configured correctly for Access 2007.   enabled/disabled
CCE-1392-0   CCE-1392   The "Disable commands - Database Tools | Database Tools | Encode/Decode Database" setting should be configured correctly for Access 2007.   enabled/disabled
CCE-1414-2   CCE-1414   The "Disable commands - Database Tools | Macro | Visual Basic" setting should be configured correctly for Access 2007.   enabled/disabled
                        The "Disable commands -       enabled/disabled
                        Database Tools | Macro |
                        Run Macro" setting should
                        be configured correctly for
                        Access 2007.
CCE-1418-3   CCE-1418
                        The "Database Tools |      enabled/disabled
                        Macro | Convert Macros to
                        Visual Basic" setting
                        should be configured
                        correctly for Access 2007.
CCE-1405-0   CCE-1405
                        The "Database Tools |         enabled/disabled
                        Macro | Create Shortcut
                        Menu from Macro" setting
                        should be configured
                        correctly for Access 2007.
CCE-1550-3   CCE-1550
                        The "Disable shortcut         enabled/disabled
                        keys" setting should be
                        configured correctly for
                        Access 2007.
CCE-1075-1   CCE-1075
                        The "Disable commands -       enabled/disabled
                        Ctrl+K (Office Button |
                        Access Options |
                        Customize | All
                        Commands | Insert
                        Hyperlinks)" setting should
                        be configured correctly for
                        Access 2007.
CCE-709-6    CCE-709
                        The "Disable commands -       enabled/disabled
                        Alt+F11 (Database Tools |
                        Macro | Visual Basic)"
                        setting should be
                        configured correctly for
CCE-1502-4   CCE-1502   Access 2007.
                        The "Default file format    enabled/disabled
                        (Access 2007 | Access
                        2002-2003)" setting should
                        be configured correctly for
                        Access 2007.
CCE-1260-9   CCE-1260
                        The "Do not prompt to       enabled/disabled
                        convert older databases"
                        setting should be
                        configured correctly for
CCE-1510-7   CCE-1510   Access 2007.
                        The "Internet and network   enabled/disabled
                        paths as hyperlinks"
                        setting should be
                        configured correctly for
                        Excel 2007.
CCE-1532-1   CCE-1532
                        The "Save Excel files as   enabled/disabled
                        (Excel Workbook (*.xlsx) |
                        Excel Macro-Enabled
                        Workbook (*.xlsm) | Excel
                        Binary Workbook (*.xlsb) |
                        Web Page (*.htm; *.html) |
                        Excel 97-2003 Workbook
                        (*.xls) | Excel 5.0/95
                        Workbook (*.xls))" setting
                        should be configured
                        correctly for Excel 2007.
CCE-1039-7   CCE-1039
                        The "Disable                enabled/disabled
                        AutoRepublish" setting
                        should be configured
CCE-1295-5   CCE-1295   correctly for Excel 2007.
                        The "AutoRepublish          enabled/disabled
                        Warning Alert (Always
                        show the alert before
                        publishing | Never show
                        the alert before
                        publishing)" setting should
                        be configured correctly for
CCE-1334-2   CCE-1334   Excel 2007.
                        The "Determine whether to     enabled/disabled
                        force encrypted macros to
                        be scanned in Microsoft
                        Excel Open XML
                        workbooks" setting should
                        be configured correctly
CCE-1308-6   CCE-1308
                        The "Force file extension     enabled/disabled
                        to match file type (Allow
                        different | Allow different,
                        but warn | Always match
                        file type)" setting should be
                        configured correctly for
CCE-616-3    CCE-616    Excel 2007.
                        The "Store macro in           enabled/disabled
                        Personal Macro Workbook
                        by default" setting should
                        be configured correctly
CCE-1246-8   CCE-1246
                        The "Disable all             enabled/disabled
                        application add-ins" setting
                        should be configured
                        correctly for Excel 2007.
CCE-1251-8   CCE-1251
                        The "Require that            enabled/disabled
                        application add-ins are
                        signed by Trusted
                        Publisher" setting should
                        be configured correctly for
CCE-1524-8   CCE-1524   Excel 2007.
                        The "Disable Trust Bar       enabled/disabled
                        Notification for unsigned
                        application add-ins" setting
                        should be configured
                        correctly for Excel 2007.
CCE-1422-5   CCE-1422
                        The "Allow Trusted            enabled/disabled
                        Locations not on the
                        computer" setting should
                        be configured correctly for
                        Excel 2007.
CCE-1444-9   CCE-1444
                        The "Disable all trusted      enabled/disabled
                        locations" setting should
                        be configured correctly for
                        Excel 2007.
CCE-1449-8   CCE-1449
                        The "Ignore other             enabled/disabled
                        applications" setting
                        should be configured
                        correctly for Excel 2007.
CCE-1471-2   CCE-1471
                        The "Ask to update          enabled/disabled
                        automatic links" setting
                        should be configured
CCE-1119-7   CCE-1119   correctly for Excel 2007.
                        The "Number of              enabled/disabled
                        documents in the Recent
                        Documents list (0-17)"
                        setting should be
                        configured correctly for
CCE-1378-9   CCE-1378   Excel 2007.
                        The "Save any additional    enabled/disabled
                        data necessary to maintain
                        formulas" setting should
                        be configured correctly for
                        Excel 2007.
CCE-1277-3   CCE-1277
                        The "Load pictures from       enabled/disabled
                        Web pages not created in
                        Excel" setting should be
                        configured correctly for
CCE-1464-7   CCE-1464   Excel 2007.
                        The "Do not show data         enabled/disabled
                        extraction options when
                        opening corrupt
                        workbooks" setting should
                        be configured correctly for
CCE-1094-2   CCE-1094   Excel 2007.
                        The "Assume structured        enabled/disabled
                        storage format of
                        workbook is intact when
                        recovering data" setting
                        should be configured
CCE-1129-6   CCE-1129   correctly for Excel 2007.
                        The "Corrupt formula          enabled/disabled
                        conversion (Convert
                        unrecoverable references
                        to: values | #REF or
                        #NAME)" setting should be
                        configured correctly for
CCE-1389-6   CCE-1389   Excel 2007.
                        The "Connection File          enabled/disabled
                        Locations" setting should
                        be configured correctly for
                        Excel 2007.
CCE-1433-2   CCE-1433
                        The "Automatic Query         enabled/disabled
                        Refresh (Prompt for all
                        workbooks | Do not
                        prompt; do not allow auto
                        refresh | Do not prompt;
                        allow auto refresh)" setting
                        should be configured
                        correctly for Excel 2007.
CCE-1323-5   CCE-1323
                        The "Disable commands"        enabled/disabled
                        setting should be
                        configured correctly for
                        Excel 2007.
CCE-1469-6   CCE-1469
                        The "Disable commands -       enabled/disabled
                        Office Button | Excel
                        Options | Customize | All
                        Commands | Save as Web
                        Page" setting should be
                        configured correctly for
CCE-1473-8   CCE-1473   Excel 2007.
                        The "Disable commands -       enabled/disabled
                        Office Button | Excel
                        Options | Customize | All
                        Commands | Web Page
                        Preview" setting should be
                        configured correctly for
CCE-1499-3   CCE-1499   Excel 2007.
                        The "Disable commands -       enabled/disabled
                        Office Button | Send |
                        Email" setting should be
                        configured correctly for
                        Excel 2007.
CCE-1024-9   CCE-1024
                        The "Disable commands -       enabled/disabled
                        Insert | Links | Hyperlink"
                        setting should be
                        configured correctly for
                        Excel 2007.
CCE-1530-5   CCE-1530
                        The "Disable commands -       enabled/disabled
                        Review | Changes |
                        Protect Sheet" setting
                        should be configured
                        correctly for Excel 2007.
CCE-1120-5   CCE-1120
                        The "Disable commands -       enabled/disabled
                        Review | Changes |
                        Protect Workbook" setting
                        should be configured
                        correctly for Excel 2007.
CCE-1252-6   CCE-1252
                        The "Disable commands -       enabled/disabled
                        Review | Changes |
                        Protect and Share
                        Workbook" setting should
                        be configured correctly for
CCE-1151-0   CCE-1151   Excel 2007.
                        The "Disable commands -       enabled/disabled
                        View | Macros | Macros"
                        setting should be
                        configured correctly for
                        Excel 2007.
CCE-1301-1   CCE-1301
                        The "Disable commands -       enabled/disabled
                        Developer | Code |
                        Macros" setting should be
                        configured correctly for
                        Excel 2007.
CCE-1310-2   CCE-1310
                        The "Disable commands -       enabled/disabled
                        Developer | Code | Record
                        Macro" setting should be
                        configured correctly for
                        Excel 2007.
CCE-1213-8   CCE-1213
                        The "Disable commands -       enabled/disabled
                        Developer | Code | Macro
                        Security" setting should be
                        configured correctly for
                        Excel 2007.
CCE-1362-3   CCE-1362
                        The "Disable commands -       enabled/disabled
                        Developer | Code | Visual
                        Basic" setting should be
                        configured correctly for
                        Excel 2007.
CCE-1156-9   CCE-1156
                        The "Disable commands -       enabled/disabled
                        Office Button | Excel
                        Options | Customize | All
                        Commands | Document
                        Location" setting should be
                        configured correctly for
CCE-1429-0   CCE-1429   Excel 2007.
                        The "Disable shortcut           enabled/disabled
                        keys" setting should be
                        configured correctly for
                        Excel 2007.
CCE-1182-5   CCE-1182
                        The "Disable shortcut keys    enabled/disabled
                        - Ctrl+K (Insert | Links |
                        Hyperlink)" setting should
                        be configured correctly for
                        Excel 2007.
CCE-1525-5   CCE-1525
                        The "Disable shortcut keys    enabled/disabled
                        - Alt+F8 (Developer | Code
                        | Macros)" setting should
                        be configured correctly for
                        Excel 2007.
CCE-1547-9   CCE-1547
                        The "Disable shortcut keys      enabled/disabled
                        - Alt+F11 (Developer |
                        Code | Visual Basic)"
                        setting should be
                        configured correctly for
CCE-1300-3   CCE-1300   Excel 2007.
                        The "Block opening of pre-      enabled/disabled
                        release versions of file
                        formats new to Excel
                        2007" setting should be
                        configured correctly for
CCE-1331-8   CCE-1331   Excel 2007.
                        The "Block opening of           enabled/disabled
                        Open XML file types"
                        setting should be
                        configured correctly for
CCE-1468-8   CCE-1468   Excel 2007.
                        The "Block opening of           enabled/disabled
                        Binary 12 file types" setting
                        should be configured
                        correctly for Excel 2007.
CCE-1490-2   CCE-1490
                        The "Block opening of           enabled/disabled
                        Binary file types" setting
                        should be configured
                        correctly for Excel 2007.
CCE-1512-3   CCE-1512
                        The "Block opening of           enabled/disabled
                        Html and Xmlss files
                        types" setting should be
                        configured correctly for
CCE-1543-8   CCE-1543   Excel 2007.
                        The "Block opening of Xml     enabled/disabled
                        file types" setting should
                        be configured correctly for
                        Excel 2007.
CCE-1195-7   CCE-1195
                        The "Block opening of DIF     enabled/disabled
                        and SYLK file types"
                        setting should be
                        configured correctly for
CCE-554-6    CCE-554    Excel 2007.
                        The "Block opening of     enabled/disabled
                        Text file types" setting
                        should be configured
                        correctly for Excel 2007.
CCE-1415-9   CCE-1415
                        The "Block opening of Xll      enabled/disabled
                        file type" setting should be
                        configured correctly for
                        Excel 2007.
CCE-1437-3   CCE-1437
                        The "Block saving of Open     enabled/disabled
                        Xml file types" setting
                        should be configured
                        correctly for Excel 2007.
CCE-1446-4   CCE-1446
                        The "Block saving of         enabled/disabled
                        Binary12 file types" setting
                        should be configured
                        correctly for Excel 2007.
CCE-1098-3   CCE-1098
                        The "Block saving of           enabled/disabled
                        Binary file types" setting
                        should be configured
                        correctly for Excel 2007.
CCE-562-9    CCE-562
                        The "Block saving of Html      enabled/disabled
                        and Xmlss file types"
                        setting should be
                        configured correctly for
CCE-1507-3   CCE-1507   Excel 2007.
                        The "Block saving Xml file     enabled/disabled
                        types" setting should be
                        configured correctly for
                        Excel 2007.
CCE-1406-8   CCE-1406
                        The "Block saving DIF and     enabled/disabled
                        SYLK file types" setting
                        should be configured
                        correctly for Excel 2007.
CCE-573-6    CCE-573
                        The "Block saving of Text      enabled/disabled
                        file types" setting should
                        be configured correctly for
                        Excel 2007.
CCE-1336-7   CCE-1336
                        The "Locally cache          enabled/disabled
                        network file storages"
                        setting should be
                        configured correctly for
CCE-1230-2   CCE-1230   Excel 2007.
                        The "Locally cache          enabled/disabled
                        PivotTable reports" setting
                        should be configured
                        correctly for Excel 2007.
CCE-1375-5   CCE-1375
                        The "OLAP PivotTable           enabled/disabled
                        User Defined Function
                        (UDF) security setting
                        (Allow ALL UDFs | Allow
                        safe UDFs only | Allow NO
                        UDFs)" setting should be
                        configured correctly for
CCE-1380-5   CCE-1380   Excel 2007.
                        The "Recognize                 enabled/disabled
                        SmartTags" setting should
                        be configured correctly for
CCE-1376-3   CCE-1376   Excel 2007.
                        The "Number of                 enabled/disabled
                        documents in the Recent
                        Documents list (0 - 9)"
                        setting should be
                        configured correctly for
CCE-1398-7   CCE-1398   InfoPath 2007.
                        The "Offline Mode status       enabled/disabled
                        (Disabled | Enabled,
                        InfoPath in Offline Mode |
                        Enabled, InfoPath not in
                        Offline Mode)" setting
                        should be configured
                        correctly for InfoPath 2007.
CCE-569-4    CCE-569
                        The "Disable commands"         enabled/disabled
                        setting should be
                        configured correctly for
                        InfoPath 2007.
CCE-1065-2   CCE-1065
                        The "Disable commands -        enabled/disabled
                        File | Print" setting should
                        be configured correctly for
                        InfoPath 2007.
CCE-1361-5   CCE-1361
                        The "Disable commands -       enabled/disabled
                        File | Send to Mail
                        Recipient" setting should
                        be configured correctly for
                        InfoPath 2007.
CCE-1096-7   CCE-1096
                        The "Disable commands -       enabled/disabled
                        File | Open from
                        SharePoint Site" setting
                        should be configured
                        correctly for InfoPath 2007.
CCE-1391-2   CCE-1391
                        The "Disable commands -       enabled/disabled
                        File | Print Preview" setting
                        should be configured
                        correctly for InfoPath 2007.

CCE-1519-8   CCE-1519
                        The "Disable commands -       enabled/disabled
                        File | Page Setup" setting
                        should be configured
                        correctly for InfoPath 2007.

CCE-1523-0   CCE-1523
                        The "Disable commands -       enabled/disabled
                        Insert | Hyperlinks..."
                        setting should be
                        configured correctly for
                        InfoPath 2007.
CCE-1171-8   CCE-1171
                        The "Disable commands -       enabled/disabled
                        Tools | Set Language"
                        setting should be
                        configured correctly for
                        InfoPath 2007.
CCE-1457-1   CCE-1457
                        The "Disable commands -       enabled/disabled
                        Tools | Customize..."
                        setting should be
                        configured correctly for
                        InfoPath 2007.
CCE-1426-6   CCE-1426
                        The "Disable commands -       enabled/disabled
                        Tools | Options..." setting
                        should be configured
                        correctly for InfoPath 2007.

CCE-805-2    CCE-805
                        The "Disable commands -       enabled/disabled
                        Help | Microsoft Office
                        Online" setting should be
                        configured correctly for
                        InfoPath 2007.
CCE-1453-0   CCE-1453
                        The "Disable commands -       enabled/disabled
                        Office Diagnostics" setting
                        should be configured
                        correctly for InfoPath 2007.

CCE-1351-6   CCE-1351
                        The "Disable commands -       enabled/disabled
                        Help | Activate Product..."
                        setting should be
                        configured correctly for
                        InfoPath 2007.
CCE-620-5    CCE-620
                        The "Disable commands -       enabled/disabled
                        Print Default" setting
                        should be configured
                        correctly for InfoPath 2007.
CCE-1017-3   CCE-1017
                        The "Disable shortcut         enabled/disabled
                        keys" setting should be
                        configured correctly for
                        InfoPath 2007.
CCE-1021-5   CCE-1021
                        The "Disable shortcut keys    enabled/disabled
                        - Print Shortcut (Ctrl+P)"
                        setting should be
                        configured correctly for
                        InfoPath 2007.
CCE-1299-7   CCE-1299
                        The "Disable shortcut keys    enabled/disabled
                        - Insert Hyperlink Shortcut
                        (Ctrl+K)" setting should be
                        configured correctly for
                        InfoPath 2007.
CCE-1197-3   CCE-1197
                        The "Control behavior for     enabled/disabled
                        Windows SharePoint
                        Services gradual upgrade
                        (Allow redirections to any
                        location | Allow
                        redirections to Intranet
                        only | Block all
                        redirections)" setting
                        should be configured
                        correctly for InfoPath 2007.
CCE-704-7    CCE-704
                        The "Disable opening of      enabled/disabled
                        solutions from the Internet
                        security zone" setting
                        should be configured
                        correctly for InfoPath 2007.
CCE-1105-6   CCE-1105
                        The "Disable fully trusted   enabled/disabled
                        solutions full access to
                        computer" setting should
                        be configured correctly for
             CCE-1114   InfoPath 2007.
                        The "Allow the use of        enabled/disabled
                        ActiveX Custom Controls
                        in InfoPath forms" setting
                        should be configured
                        correctly for InfoPath 2007.
CCE-761-7    CCE-761
                        The "Run forms in            enabled/disabled
                        restricted mode if they do
                        not specify a publish
                        location and use only
                        features introduced before
                        InfoPath 2003 SP1" setting
                        should be configured
                        correctly for InfoPath 2007.
CCE-739-3    CCE-739
                        The "Allow file types as     enabled/disabled
                        attachments to forms"
                        setting should be
                        configured correctly for
CCE-1259-1   CCE-1259   InfoPath 2007.
                        The "Block specific file     enabled/disabled
                        types as attachments to
                        forms" setting should be
                        configured correctly for
CCE-1267-4   CCE-1267   InfoPath 2007.
                        The "Prevent users from      enabled/disabled
                        allowing unsafe file types
                        to be attached to forms"
                        setting should be
                        configured correctly for
CCE-1060-3   CCE-1060   InfoPath 2007.
                        The "Display a warning       enabled/disabled
                        that a form is digitally
                        signed" setting should be
                        configured correctly for
CCE-955-5    CCE-955    InfoPath 2007.
                        The "Control behavior     enabled/disabled
                        when opening forms in the
                        Internet security zone
                        (Block | Prompt | Allow)"
                        setting should be
                        configured correctly for
CCE-1479-5   CCE-1479   InfoPath 2007.
                        The "Control behavior     enabled/disabled
                        when opening forms in the
                        Intranet security zone
                        (Block | Prompt | Allow)"
                        setting should be
                        configured correctly for
CCE-1360-7   CCE-1360   InfoPath 2007.
                        The "Control behavior     enabled/disabled
                        when opening forms in the
                        Local Machine security
                        zone (Block | Prompt |
                        Allow)" setting should be
                        configured correctly for
                        InfoPath 2007.
CCE-1386-2   CCE-1386
                        The "Control behavior      enabled/disabled
                        when opening forms in the
                        Trusted Site security zone
                        (Block | Prompt | Allow)"
                        setting should be
                        configured correctly for
CCE-893-8    CCE-893    InfoPath 2007.
                        The "Beaconing UI for      enabled/disabled
                        forms opened in InfoPath
                        (Never show beaconing UI
                        | Always show beaconing
                        UI | Show UI if Form
                        Template is from Internet
                        Zone)" setting should be
                        configured correctly for
                        InfoPath 2007.
CCE-1290-6   CCE-1290
                        The "Beaconing UI for     enabled/disabled
                        forms opened in InfoPath
                        Editor ActiveX (Never
                        show beaconing UI |
                        Always show beaconing UI
                        | Show UI if Form
                        Template is from Internet
                        Zone)" setting should be
                        configured correctly for
CCE-1381-3   CCE-1381   InfoPath 2007.
                        The "Disable all             enabled/disabled
                        application add-ins" setting
                        should be configured
                        correctly for InfoPath 2007.
CCE-1135-3   CCE-1135
                        The "Require that            enabled/disabled
                        application add-ins are
                        signed by Trusted
                        Publisher" setting should
                        be configured correctly for
CCE-1157-7   CCE-1157   InfoPath 2007.
                        The "Disable Trust Bar       enabled/disabled
                        Notification for unsigned
                        application add-ins" setting
                        should be configured
                        correctly for InfoPath 2007.
CCE-1434-0   CCE-1434
                        The "Control behavior      enabled/disabled
                        when opening InfoPath e-
                        mail forms containing code
                        or script (Run without
                        prompting | Prompt before
                        running | Never run)"
                        setting should be
                        configured correctly for
                        InfoPath 2007.
CCE-1315-1   CCE-1315
                        The "Disable sending form enabled/disabled
                        template with e-mail
                        forms" setting should be
                        configured correctly for
                        InfoPath 2007.
CCE-1210-4   CCE-1210
                        The "Disable dynamic        enabled/disabled
                        caching of the form
                        template in InfoPath e-mail
                        forms" setting should be
                        configured correctly for
                        InfoPath 2007.
CCE-1236-9   CCE-1236
                        The "Disable sending        enabled/disabled
                        InfoPath 2003 Forms as e-
                        mail forms" setting should
                        be configured correctly for
                        InfoPath 2007.
CCE-884-7    CCE-884
                        The "Disable e-mail forms enabled/disabled
                        running in restricted
                        security level" setting
                        should be configured
                        correctly for InfoPath 2007.
CCE-1518-0   CCE-1518
                        The "Disable e-mail forms    enabled/disabled
                        from the Internet security
                        zone" setting should be
                        configured correctly for
                        InfoPath 2007.
CCE-1170-0   CCE-1170
                        The "Disable e-mail forms    enabled/disabled
                        from the Intranet security
                        zone" setting should be
                        configured correctly for
                        InfoPath 2007.
CCE-1316-9   CCE-1316
                        The "Disable e-mail forms enabled/disabled
                        from the Full Trust security
                        zone" setting should be
                        configured correctly for
                        InfoPath 2007.
CCE-1567-7   CCE-1567
                        The "Disable InfoPath e-     enabled/disabled
                        mail forms in Outlook"
                        setting should be
                        configured correctly for
CCE-1265-8   CCE-1265   InfoPath 2007.
                        The "Information Rights      enabled/disabled
                        Management" setting
                        should be configured
                        correctly for InfoPath 2007.
CCE-1538-8   CCE-1538
                        The "Custom code" setting enabled/disabled
                        should be configured
                        correctly for InfoPath 2007.
CCE-1564-4   CCE-1564
                        The "Email Forms             enabled/disabled
                        Beaconing UI (Never show
                        UI | Always show UI |
                        Show UI if XSN is in
                        Internet Zone)" setting
                        should be configured
                        correctly for InfoPath 2007.
CCE-1212-0   CCE-1212
                        The "Disable user            enabled/disabled
                        customization of Quick
                        Access Toolbar via UI"
                        setting should be
                        configured correctly
CCE-1344-1   CCE-1344
                        The "Disable user            enabled/disabled
                        customization of Quick
                        Access Toolbar via UI -
                        Disallow in Word" setting
                        should be configured
CCE-723-7    CCE-723    correctly
                        The "Disable user            enabled/disabled
                        customization of Quick
                        Access Toolbar via UI -
                        Disallow in Excel" setting
                        should be configured
CCE-1384-7   CCE-1384   correctly
                        The "Disable user            enabled/disabled
                        customization of Quick
                        Access Toolbar via UI -
                        Disallow in PowerPoint"
                        setting should be
                        configured correctly
CCE-1159-3   CCE-1159
                        The "Disable user           enabled/disabled
                        customization of Quick
                        Access Toolbar via UI -
                        Disallow in Access" setting
                        should be configured
CCE-1146-0   CCE-1146   correctly
                        The "Disable user           enabled/disabled
                        customization of Quick
                        Access Toolbar via UI -
                        Disallow in Outlook"
                        setting should be
CCE-1542-0   CCE-1542   configured correctly
                        The "Disable all user       enabled/disabled
                        customization of Quick
                        Access Toolbar" setting
                        should be configured
                        correctly
CCE-582-7    CCE-582
                        The "Disable all user      enabled/disabled
                        customization of Quick
                        Access Toolbar - Disallow
                        in Word" setting should be
                        configured correctly
CCE-1291-4   CCE-1291
                        The "Disable all user       enabled/disabled
                        customization of Quick
                        Access Toolbar - Disallow
                        in Excel" setting should be
                        configured correctly
CCE-1326-8   CCE-1326
                        The "Disable all user        enabled/disabled
                        customization of Quick
                        Access Toolbar - Disallow
                        in PowerPoint" setting
                        should be configured
CCE-1330-0   CCE-1330   correctly
                        The "Disable all user        enabled/disabled
                        customization of Quick
                        Access Toolbar - Disallow
                        in Access" setting should
                        be configured correctly
CCE-1335-9   CCE-1335
                        The "Disable all user        enabled/disabled
                        customization of Quick
                        Access Toolbar - Disallow
                        in Outlook" setting should
                        be configured correctly
CCE-1229-4   CCE-1229
                        The "Disable UI extending    enabled/disabled
                        from documents and
                        templates" setting should
                        be configured correctly

CCE-630-4    CCE-630
                        The "Disable UI extending    enabled/disabled
                        from documents and
                        templates - Disallow in
                        Word" setting should be
                        configured correctly
CCE-1154-4   CCE-1154
                        The "Disable UI extending    enabled/disabled
                        from documents and
                        templates - Disallow in
                        Excel" setting should be
                        configured correctly
CCE-1410-0   CCE-1410
                        The "Disable UI extending enabled/disabled
                        from documents and
                        templates - Disallow in
                        PowerPoint" setting should
                        be configured correctly

CCE-1432-4   CCE-1432
                        The "Disable UI extending    enabled/disabled
                        from documents and
                        templates - Disallow in
                        Access" setting should be
                        configured correctly
CCE-1198-1   CCE-1198
                        The "Disable UI extending enabled/disabled
                        from documents and
                        templates - Disallow in
                        Outlook" setting should be
                        configured correctly
CCE-929-0    CCE-929
                        The "Recognize smart        enabled/disabled
                        tags in Excel" setting
                        should be configured
                        correctly

CCE-1074-4   CCE-1074
                        The "Disable Clip Art and enabled/disabled
                        Media downloads from the
                        client and from Office
                        Online website" setting
                        should be configured
CCE-1458-9   CCE-1458   correctly
                        The "Disable template      enabled/disabled
                        downloads from the client
                        and from Office Online
                        website" setting should be
                        configured correctly
CCE-1233-6   CCE-1233
                        The "Disable access to     enabled/disabled
                        updates, add-ins, and
                        patches on the Office
                        Online website" setting
                        should be configured
CCE-1379-7   CCE-1379   correctly
                        The "Prevents users from enabled/disabled
                        uploading document
                        templates to the Office
                        Online community." setting
                        should be configured
CCE-1401-9   CCE-1401   correctly
                        The "Disable training      enabled/disabled
                        practice downloads from
                        the Office Online website"
                        setting should be
                        configured correctly
CCE-1528-9   CCE-1528
                        The "Disable customer-      enabled/disabled
                        submitted templates
                        downloads from Office
                        Online" setting should be
                        configured correctly
CCE-1533-9   CCE-1533
                        The "Open Office            enabled/disabled
                        documents as read/write
                        while browsing" setting
                        should be configured
                        correctly
CCE-646-0    CCE-646
                        The "Rely on VML for           enabled/disabled
                        displaying graphics in
                        browsers" setting should
                        be configured correctly

CCE-1438-1   CCE-1438
                        The "Allow PNG as an           enabled/disabled
                        output format" setting
                        should be configured
                        correctly
CCE-711-2    CCE-711
                        The "Improve Proofing          enabled/disabled
                        Tools" setting should be
                        configured correctly

CCE-1292-2   CCE-1292
                        The "Disable Opt-in            enabled/disabled
                        Wizard on first run" setting
                        should be configured
                        correctly.
CCE-1615-4   CCE-1615
                        The "Microsoft Office          enabled/disabled
                        Online" setting should be
CCE-1191-6   CCE-1191   configured correctly
                        The "Disable Password      enabled/disabled
                        Caching" setting should be
                        configured correctly
CCE-1587-5   CCE-1587
                        The "Disable all Trust Bar     enabled/disabled
                        notifications for security
                        issues" setting should be
                        configured correctly
CCE-1486-0   CCE-1486
                        The "Protect document          enabled/disabled
                        metadata for rights
                        managed Office Open
                        XML Files" setting should
                        be configured correctly
CCE-1508-1   CCE-1508
                        The "Protect document     enabled/disabled
                        metadata for password
                        protected files." setting
                        should be configured
CCE-1640-2   CCE-1640   correctly
                        The "Encryption type for  enabled/disabled
                        password protected Office
                        Open XML files" setting
                        should be configured
CCE-1539-6   CCE-1539   correctly
                        The "Encryption type for   enabled/disabled
                        password protected Office
                        97-2003 files" setting
                        should be configured
CCE-1561-0   CCE-1561   correctly
                        The "Load Controls in      enabled/disabled
                        Forms3 (1 | 2 | 3 | 4)"
                        setting should be
CCE-1068-6   CCE-1068   configured correctly
                        The "Automation Security enabled/disabled
                        (Disable macros by default
                        | Use application macro
                        security level | Macros
                        enabled)" setting should
                        be configured correctly
CCE-1574-3   CCE-1574
                        The "Prevent Word and        enabled/disabled
                        Excel from loading
                        managed code
                        extensions" setting should
                        be configured correctly
CCE-1239-3   CCE-1239
                        The "Disable hyperlink       enabled/disabled
                        warnings" setting should
                        be configured correctly
CCE-1623-8   CCE-1623
                        The "Disable password to enabled/disabled
                        open UI" setting should be
                        configured correctly
CCE-1083-5   CCE-1083
                        The "Download Office        enabled/disabled
                        Controls" setting should be
                        configured correctly
CCE-1343-3   CCE-1343
                        The "Disable All ActiveX"    enabled/disabled
                        setting should be
                        configured correctly
CCE-1242-7   CCE-1242
                        The "Allow mix of policy    enabled/disabled
                        and user locations" setting
                        should be configured
                        correctly
CCE-770-8    CCE-770
                        The "Disable Smart           enabled/disabled
                        Document's use of
                        manifests" setting should
                        be configured correctly
CCE-903-5    CCE-903
                        The "Completely disable    enabled/disabled
                        the Smart Documents
                        feature in Word and Excel"
                        setting should be
                        configured correctly
CCE-1555-2   CCE-1555
                        The "Disable Internet Fax    enabled/disabled
                        feature" setting should be
                        configured correctly

CCE-1061-1   CCE-1061
                        The "Prevent users from      enabled/disabled
                        changing permissions on
                        rights managed content"
                        setting should be
                        configured correctly
CCE-1603-0   CCE-1603
                        The "Allow users with         enabled/disabled
                        earlier versions of Office to
                        read with browsers..."
                        setting should be
                        configured correctly
CCE-1612-1   CCE-1612
                        The "Always require users enabled/disabled
                        to connect to verify
                        permission" setting should
                        be configured correctly
CCE-1493-6   CCE-1493
                        The "Always expand         enabled/disabled
                        groups in Office when
                        restricting permission for
                        documents" setting should
                        be configured correctly
CCE-1409-2   CCE-1409
                        The "Never allow users to enabled/disabled
                        specify groups when
                        restricting permission for
                        documents" setting should
                        be configured correctly
CCE-1589-1   CCE-1589
                        The "Disable Microsoft     enabled/disabled
                        Passport service for
                        content with restricted
                        permission" setting should
                        be configured correctly
CCE-1237-7   CCE-1237
                        The "Do not allow users to enabled/disabled
                        upgrade Information
                        Rights Management
                        configuration" setting
                        should be configured
CCE-1404-3   CCE-1404   correctly
                        The "Key Usage Filtering"     enabled/disabled
                        setting should be
CCE-1396-1   CCE-1396   configured correctly
                        The "EKU filtering" setting   enabled/disabled
                        should be configured
                        correctly
CCE-1167-6   CCE-1167
                        The "Legacy format            enabled/disabled
                        signatures" setting should
                        be configured correctly
CCE-1585-9   CCE-1585
                        The "Suppress Office          enabled/disabled
                        Signing Providers (Enable
                        Western and East Asian |
                        Suppress default Western
                        | Suppress default East
                        Asian | Suppress both
                        Western and East Asian)"
                        setting should be
                        configured correctly
CCE-1572-7   CCE-1572
                        The "Suppress external        enabled/disabled
                        signature services menu
                        item" setting should be
                        configured correctly
CCE-1220-3   CCE-1220
                        The "Disable Check For        enabled/disabled
                        Solutions" setting should
                        be configured correctly
CCE-1634-5   CCE-1634
                        The "Disable inclusion of     enabled/disabled
                        document properties in
                        PDF and XPS output"
                        setting should be
                        configured correctly
CCE-1643-6   CCE-1643
                        The "Disable Document         enabled/disabled
                        Information Panel" setting
                        should be configured
                        correctly
CCE-1546-1   CCE-1546
                        The "Document            enabled/disabled
                        Information Panel
                        Beaconing UI (Never show
                        UI | Always show UI |
                        Show UI if XSN is in
                        Internet Zone)" setting
                        should be configured
CCE-1505-7   CCE-1505   correctly
                        The "Disable the Office     enabled/disabled
                        client from polling the
                        Office server for published
                        links" setting should be
                        configured correctly
CCE-1545-3   CCE-1545
                        The "Block opening of pre- enabled/disabled
                        release versions of file
                        formats new to Word 2007
                        through the Compatibility
                        Pack for the 2007 Office
                        system and Word 2007
                        Open XML/Word 97-2003
                        Format Converter" setting
                        should be configured
                        correctly
CCE-1549-5   CCE-1549
                        The "Block opening of pre- enabled/disabled
                        release versions of file
                        formats new to Excel 2007
                        through the Compatibility
                        Pack for the 2007 Office
                        system and Excel 2007
                        Converter" setting should
                        be configured correctly
CCE-1431-6   CCE-1431
                        The "Block opening of pre- enabled/disabled
                        release versions of file
                        formats new to PowerPoint
                        2007 through the
                        Compatibility Pack for the
                        2007 Office system and
                        PowerPoint 2007
                        Converter" setting should
                        be configured correctly
CCE-1594-1   CCE-1594
                        The "Control Blogging      enabled/disabled
                        (Enabled | Only
                        SharePoint blogs allowed |
                        All blogging disabled)"
                        setting should be
CCE-1241-9   CCE-1241   configured correctly
                        The "Enable Smart          enabled/disabled
                        Resume" setting should be
                        configured correctly

CCE-1607-1   CCE-1607
                        The "Do not upload media   enabled/disabled
                        files" setting should be
                        configured correctly
CCE-752-6    CCE-752
                        The "Disable hyperlinks to   enabled/disabled
                        web templates in File |
                        New and task panes"
                        setting should be
CCE-1166-8   CCE-1166   configured correctly
                        The "Prevent access to       enabled/disabled
                        Web-based file storage"
                        setting should be
                        configured correctly
CCE-654-4    CCE-654
                        The "Do not allow          enabled/disabled
                        attachment previewing in
                        Outlook" setting should be
                        configured correctly for
                        Outlook 2007.
CCE-1192-4   CCE-1192
                        The "Read e-mail as plain    enabled/disabled
                        text" setting should be
                        configured correctly for
                        Outlook 2007.
CCE-791-4    CCE-791
                        The "Read signed e-mail     enabled/disabled
                        as plain text" setting
                        should be configured
                        correctly for Outlook 2007.

CCE-1456-3   CCE-1456
                        The "Prevent publishing to enabled/disabled
                        Office Online" setting
                        should be configured
                        correctly for Outlook 2007.
CCE-1478-7   CCE-1478
                        The "Prevent publishing to enabled/disabled
                        a DAV server" setting
                        should be configured
                        correctly for Outlook 2007.
CCE-1368-0   CCE-1368
                        The "Restrict level of       enabled/disabled
                        calendar details users can
                        publish (All options are
                        available | Disables 'Full
                        details' | Disables 'Full
                        details' and 'Limited
                        details')" setting should be
                        configured correctly for
                        Outlook 2007.
CCE-1641-0   CCE-1641
                        The "Access to published      enabled/disabled
                        calendars" setting should
                        be configured correctly for
                        Outlook 2007.
CCE-1266-6   CCE-1266
                        The "Restrict upload          enabled/disabled
                        method" setting should be
                        configured correctly for
                        Outlook 2007.
CCE-1399-5   CCE-1399
                        The "Hide Junk Mail UI"       enabled/disabled
                        setting should be
                        configured correctly for
                        Outlook 2007.
CCE-1187-4   CCE-1187
                        The "Junk E-mail             enabled/disabled
                        protection level (No
                        Protection, Low, High,
                        Trusted Lists Only)" setting
                        should be configured
                        correctly for Outlook 2007.
CCE-1588-3   CCE-1588
                        The "Trust E-mail from        enabled/disabled
                        Contacts" setting should
                        be configured correctly for
                        Outlook 2007.
CCE-1117-1   CCE-1117
                        The "Add e-mail recipients enabled/disabled
                        to users' Safe Senders
                        Lists" setting should be
                        configured correctly for
                        Outlook 2007.
CCE-1130-4   CCE-1130
                        The "Dial-up options"         enabled/disabled
                        setting should be
                        configured correctly for
                        Outlook 2007.
CCE-1093-4   CCE-1093
                        The "Dial-up options -      enabled/disabled
                        Warn before switching dial-
                        up connection" setting
                        should be configured
                        correctly for Outlook 2007.
CCE-1599-0   CCE-1599
                        The "Dial-up options -      enabled/disabled
                        Hang up when finished
                        sending, receiving, or
                        updating" setting should
                        be configured correctly for
CCE-1621-2   CCE-1621   Outlook 2007.
                        The "Dial-up options -      enabled/disabled
                        Automatically dial during a
                        background
                        Send/Receive" setting
                        should be configured
                        correctly for Outlook 2007.
CCE-1269-0   CCE-1269
                        The "Do not allow creating, enabled/disabled
                        replying, or forwarding
                        signatures for e-mail
                        messages" setting should
                        be configured correctly for
                        Outlook 2007.
CCE-1419-1   CCE-1419
                        The "Send copy of pictures enabled/disabled
                        with HTML messages
                        instead of reference to
                        Internet location" setting
                        should be configured
                        correctly for Outlook 2007.
CCE-1551-1   CCE-1551
                        The "Outlook Rich Text     enabled/disabled
                        options (Convert to HTML
                        | Convert to Plain Text
                        format | Send Using
                        Outlook Rich Text format)"
                        setting should be
                        configured correctly for
CCE-655-1    CCE-655    Outlook 2007.
                        The "Plain text options"   enabled/disabled
                        setting should be
                        configured correctly for
                        Outlook 2007.
CCE-1592-5   CCE-1592
                        The "Plain text options -     enabled/disabled
                        Encode attachments in
                        UUENCODE format when
                        sending a plain text
                        message" setting should
                        be configured correctly for
                        Outlook 2007.
CCE-1614-7   CCE-1614
                        The "Set message format       enabled/disabled
                        (HTML | Rich Text | Plain
                        Text)" setting should be
                        configured correctly for
                        Outlook 2007.
CCE-1526-3   CCE-1526
                        The "Make Outlook the         enabled/disabled
                        default program for E-mail,
                        Contacts, and Calendar"
                        setting should be
                        configured correctly for
CCE-1111-4   CCE-1111   Outlook 2007.
                        The "Do not allow folders     enabled/disabled
                        in non-default stores to be
                        set as folder home pages"
                        setting should be
                        configured correctly for
CCE-1494-4   CCE-1494   Outlook 2007.
                        The "Use Unicode format       enabled/disabled
                        when dragging e-mail
                        message to file system"
                        setting should be
                        configured correctly for
CCE-1287-2   CCE-1287   Outlook 2007.
                        The "Do not allow Outlook     enabled/disabled
                        object model scripts to run
                        for shared folders" setting
                        should be configured
                        correctly for Outlook 2007.
CCE-1529-7   CCE-1529
CCE-1560-2   CCE-1560   The "Do not allow Outlook object model scripts to run for public folders" setting should be configured correctly for Outlook 2007.   enabled/disabled
CCE-1596-6   CCE-1596   The "Set maximum level of online status on a person name (Do not allow | Allow everywhere except To and CC field | Allow everywhere)" setting should be configured correctly for Outlook 2007.   enabled/disabled
CCE-1604-8   CCE-1604   The "Display online status on a person name (Never | Everywhere except To and CC field | Everywhere)" setting should be configured correctly for Outlook 2007.   enabled/disabled
CCE-1648-5   CCE-1648   The "Turn off Enable the Person Names Smart Tag option" setting should be configured correctly for Outlook 2007.   enabled/disabled
CCE-1516-4   CCE-1516   The "Outlook Security Mode (Outlook Default Security | Use Security Form from 'Outlook Security Settings' Public Folder | Use Security Form from 'Outlook 10 Security Settings' Public Folder | Use Outlook Security Group Policy)" setting should be configured correctly for Outlook 2007.   enabled/disabled
CCE-1296-3   CCE-1296   The "Display Level 1 attachments" setting should be configured correctly for Outlook 2007.   enabled/disabled
CCE-1388-8   CCE-1388   The "Allow users to demote attachments to Level 2" setting should be configured correctly for Outlook 2007.   enabled/disabled
CCE-1652-7   CCE-1652   The "Do not prompt about Level 1 attachments when sending an item" setting should be configured correctly for Outlook 2007.   enabled/disabled
CCE-1569-3   CCE-1569   The "Do not prompt about Level 1 attachments when closing an item" setting should be configured correctly for Outlook 2007.   enabled/disabled
CCE-1459-7   CCE-1459   The "Allow in-place activation of embedded OLE objects" setting should be configured correctly for Outlook 2007.   enabled/disabled
CCE-1608-9   CCE-1608   The "Display OLE package objects" setting should be configured correctly for Outlook 2007.   enabled/disabled
CCE-1617-0   CCE-1617   The "Add file extensions to block as Level 1" setting should be configured correctly for Outlook 2007.   enabled/disabled
CCE-1631-1   CCE-1631   The "Remove file extensions blocked as Level 1" setting should be configured correctly for Outlook 2007.   enabled/disabled
CCE-1155-1   CCE-1155   The "Add file extensions to block as Level 2" setting should be configured correctly for Outlook 2007.   enabled/disabled
CCE-1556-0   CCE-1556   The "Remove file extensions blocked as Level 2" setting should be configured correctly for Outlook 2007.   enabled/disabled
CCE-1595-8   CCE-1595   The "Allow scripts in one-off Outlook forms" setting should be configured correctly for Outlook 2007.   enabled/disabled
CCE-1436-5   CCE-1436   The "Set Outlook object model Custom Actions execution prompt (Prompt User | Automatically Approve | Automatically Deny | Prompt user based on computer security)" setting should be configured correctly for Outlook 2007.   enabled/disabled
CCE-1586-7   CCE-1586   The "Set control ItemProperty prompt (Prompt User | Automatically Approve | Automatically Deny | Prompt user based on computer security)" setting should be configured correctly   enabled/disabled
CCE-1590-9   CCE-1590   The "Configure Outlook object model prompt when sending mail (Prompt User | Automatically Approve | Automatically Deny | Prompt user based on computer security)" setting should be configured correctly for Outlook 2007.   enabled/disabled
CCE-1004-1   CCE-1004   The "Configure Outlook object model prompt when accessing an address book (Prompt User | Automatically Approve | Automatically Deny | Prompt user based on computer security)" setting should be configured correctly for Outlook 2007.   enabled/disabled
CCE-1273-2   CCE-1273   The "Configure Outlook object model prompt when reading address information (Prompt User | Automatically Approve | Automatically Deny | Prompt user based on computer security)" setting should be configured correctly for Outlook 2007.   enabled/disabled
CCE-1172-6   CCE-1172   The "Configure Outlook object model prompt when responding to meeting and task requests (Prompt User | Automatically Approve | Automatically Deny | Prompt user based on computer security)" setting should be configured correctly for Outlook 2007.   enabled/disabled
CCE-1568-5   CCE-1568   The "Configure Outlook object model prompt when executing Save As (Prompt User | Automatically Approve | Automatically Deny | Prompt user based on computer security)" setting should be configured correctly for Outlook 2007.   enabled/disabled
CCE-1573-5   CCE-1573   The "Configure Outlook object model prompt When accessing the Formula property of a UserProperty object (Prompt User | Automatically Approve | Automatically Deny | Prompt user based on computer security)" setting should be configured correctly for Outlook 2007.   enabled/disabled
CCE-1454-8   CCE-1454   The "Configure Outlook object model prompt when accessing address information via UserProperties.Find (Prompt User | Automatically Approve | Automatically Deny | Prompt user based on computer security)" setting should be configured correctly for Outlook 2007.   enabled/disabled
CCE-1498-5   CCE-1498   The "Required Certificate Authority" setting should be configured correctly for Outlook 2007.   enabled/disabled
CCE-1630-3   CCE-1630   The "S/MIME interoperability with external clients: (Handle internally | Handle externally | Handle if possible)" setting should be configured correctly for Outlook 2007.   enabled/disabled
CCE-1626-1   CCE-1626   The "Always use Rich Text formatting in S/MIME messages" setting should be configured correctly for Outlook 2007.   enabled/disabled
CCE-1163-5   CCE-1163   The "S/MIME password settings" setting should be configured correctly for Outlook 2007.   enabled/disabled
CCE-1445-6   CCE-1445   The "S/MIME password settings - Default S/MIME password time (minutes): (0 - 2147483647)" setting should be configured correctly for Outlook 2007.   enabled/disabled
CCE-1582-6   CCE-1582   The "S/MIME password settings - Maximum S/MIME password time (minutes): (0 - 2147483647)" setting should be configured correctly for Outlook 2007.   enabled/disabled
CCE-1357-3   CCE-1357   The "Message Formats" setting should be configured correctly for Outlook 2007.   enabled/disabled
CCE-1132-0   CCE-1132   The "Message Formats - Support the following message formats: (S/MIME | Exchange | Fortezza | S/MIME and Exchange | S/MIME and Fortezza | Exchange and Fortezza | S/MIME, Exchange, and Fortezza)" setting should be configured correctly for Outlook 2007.   enabled/disabled
CCE-1511-5   CCE-1511   2007: The "Do not provide Continue option on Encryption warning dialog boxes" setting should be configured correctly for Outlook 2007. 2003: The "Disable Continue button on all Encryption warning dialogs" setting should be configured correctly.   enabled/disabled
CCE-1018-1   CCE-1018   The "Run in FIPS compliant mode" setting should be configured correctly for Outlook 2007.   enabled/disabled
CCE-1181-7   CCE-1181   The "Encrypt all e-mail messages" setting should be configured correctly for Outlook 2007 and 2003.   enabled/disabled
CCE-1639-4   CCE-1639   The "Sign all e-mail messages" setting should be configured correctly for Outlook 2007.   enabled/disabled
CCE-677-5   CCE-677   The "URL for S/MIME certificates" setting should be configured correctly for Outlook 2007.   enabled/disabled
CCE-687-4   CCE-687   The "Ensure all S/MIME signed messages have a label" setting should be configured correctly for Outlook 2007.   enabled/disabled
CCE-1613-9   CCE-1613   The "S/MIME receipt requests (Open message if receipt can't be sent | Don't open message if receipt can't be sent | Always prompt before sending receipt | Never send S/MIME )" setting should be configured correctly for Outlook 2007.   enabled/disabled
CCE-1402-7   CCE-1402   The "Fortezza certificate policies" setting should be configured correctly for Outlook 2007.   enabled/disabled
CCE-1658-4   CCE-1658   The "Require SuiteB algorithms for S/MIME operations" setting should be configured correctly for Outlook 2007.   enabled/disabled
CCE-1662-6   CCE-1662   The "Missing CRLs" setting should be configured correctly for Outlook 2007.   enabled/disabled
CCE-1080-1   CCE-1080   The "Missing CRLs - Indicate a missing CRL as a(n): (warning | error)" setting should be configured correctly for Outlook 2007.   enabled/disabled
CCE-1076-9   CCE-1076   The "Missing root certificates" setting should be configured correctly for Outlook 2007.   enabled/disabled
CCE-1636-0   CCE-1636   The "Missing root certificates - Indicate a missing root certificate as a(n): (neither error nor warning | warning | error)" setting should be configured correctly for Outlook 2007.   enabled/disabled
CCE-943-1   CCE-943   The "Promote Level 2 errors as errors, not warnings" setting should be configured correctly for Outlook 2007.   enabled/disabled
CCE-1591-7   CCE-1591   The "Attachment Secure Temporary Folder" setting should be configured correctly for Outlook 2007.   enabled/disabled
CCE-1133-8   CCE-1133   The "Display pictures and external content in HTML e-mail" setting should be configured correctly for Outlook 2007.   enabled/disabled
CCE-725-2   CCE-725   The "Automatically download content for e-mail from people in Safe Senders and Safe Recipients Lists" setting should be configured correctly for Outlook 2007.   enabled/disabled
CCE-1347-4   CCE-1347   The "Do not permit download of content from safe zones" setting should be configured correctly for Outlook 2007.   enabled/disabled
CCE-1475-3   CCE-1475   The "Block Trusted Zones" setting should be configured correctly for Outlook 2007.   enabled/disabled
CCE-1497-7   CCE-1497   The "Include Internet in Safe Zones for Automatic Picture Download" setting should be configured correctly for Outlook 2007.   enabled/disabled
CCE-1501-6   CCE-1501   The "Include Intranet in Safe Zones for Automatic Picture Download" setting should be configured correctly for Outlook 2007.   enabled/disabled
CCE-1030-6   CCE-1030   The "Security setting for macros (Always warn | Never warn, disable all | Warn for signed, disable unsigned | No security check)" setting should be configured correctly for Outlook 2007.   enabled/disabled
CCE-1052-0   CCE-1052   The "Enable links in e-mail messages" setting should be configured correctly for Outlook 2007.   enabled/disabled
CCE-1462-1   CCE-1462   The "Apply macro security settings to macros, add-ins, and SmartTags" setting should be configured correctly for Outlook 2007.   enabled/disabled
CCE-1281-5   CCE-1281   The "Automatically configure profile based on Active Directory Primary SMTP address" setting should be configured correctly for Outlook 2007.   enabled/disabled
CCE-1303-7   CCE-1303   The "Do not allow users to change permissions on folders" setting should be configured correctly for Outlook 2007.   enabled/disabled
CCE-1082-7   CCE-1082   The "Enable RPC encryption" setting should be configured correctly for Outlook 2007.   enabled/disabled
CCE-1712-9   CCE-1712   The "Authentication with Exchange Server (Kerberos/NTLM Password Authentication | Kerberos Password Authentication | NTLM Password Authentication)" setting should be configured correctly for Outlook 2007.   enabled/disabled
CCE-1131-2   CCE-1131   The "Synchronize Outlook RSS Feeds with Common Feed List" setting should be configured correctly for Outlook 2007.   enabled/disabled
CCE-1620-4   CCE-1620   The "Turn off RSS feature" setting should be configured correctly for Outlook 2007.   enabled/disabled
CCE-1541-2   CCE-1541   The "Automatically download enclosures" setting should be configured correctly for Outlook 2007.   enabled/disabled
CCE-1311-0   CCE-1311   The "Download full text of articles as HTML attachments" setting should be configured correctly for Outlook 2007.   enabled/disabled
CCE-1682-4   CCE-1682   The "Automatically download attachments" setting should be configured correctly for Outlook 2007.   enabled/disabled
CCE-1461-3   CCE-1461   The "Do not include Internet Calendar integration in Outlook" setting should be configured correctly for Outlook 2007.   enabled/disabled
CCE-1041-3   CCE-1041   The "Disable user entries to server list (Publish default, allow others | Publish default, disallow others)" setting should be configured correctly for Outlook 2007.   enabled/disabled
CCE-1565-1   CCE-1565   The "Do not expand distribution lists" setting should be configured correctly for Outlook 2007.   enabled/disabled
CCE-1719-4   CCE-1719   The "Save files in this format (PowerPoint Presentation (*.pptx) | PowerPoint Macro-Enabled Presentation (*.pptm) | PowerPoint 97-2003 Presentation (*.ppt))" setting should be configured correctly for PowerPoint 2007.   enabled/disabled
CCE-1477-9   CCE-1477   The "Number of documents in the Recent Documents list (0 - 50)" setting should be configured correctly for PowerPoint 2007.   enabled/disabled
CCE-1142-9   CCE-1142   The "Determine whether to force encrypted macros to be scanned in Microsoft PowerPoint Open XML presentations" setting should be configured correctly for PowerPoint 2007.   enabled/disabled
CCE-1649-3   CCE-1649   The "Run Programs (disable (don't run any programs) | enable (prompt user before running) | enable all (run without prompting))" setting should be configured correctly for PowerPoint 2007.   enabled/disabled
CCE-1279-9   CCE-1279   The "Make hidden markup visible" setting should be configured correctly for PowerPoint 2007.   enabled/disabled
CCE-1451-4   CCE-1451   The "Unblock automatic download of linked images" setting should be configured correctly for PowerPoint 2007.   enabled/disabled
CCE-1204-7   CCE-1204   The "Disable all application add-ins" setting should be configured correctly for PowerPoint 2007.   enabled/disabled
CCE-1107-2   CCE-1107   The "Require that application add-ins are signed by Trusted Publisher" setting should be configured correctly for PowerPoint 2007.   enabled/disabled
CCE-743-5   CCE-743   The "Disable Trust Bar Notification for unsigned application add-ins" setting should be configured correctly for PowerPoint 2007.   enabled/disabled
CCE-747-6   CCE-747   The "Allow Trusted Locations not on the computer" setting should be configured correctly for PowerPoint 2007.   enabled/disabled
CCE-782-3   CCE-782   The "Disable all trusted locations" setting should be configured correctly for PowerPoint 2007.   enabled/disabled
CCE-1327-6   CCE-1327   The "Disable commands" setting should be configured correctly for PowerPoint 2007.   enabled/disabled
CCE-1723-6   CCE-1723   The "Disable commands - Office Button | PowerPoint Options | Customize | All Commands | Web Page Preview" setting should be configured correctly for PowerPoint 2007.   enabled/disabled
CCE-1366-4   CCE-1366   The "Disable commands - Office Button | Send | Email" setting should be configured correctly for PowerPoint 2007.   enabled/disabled
CCE-1679-0   CCE-1679   The "Disable commands - Insert | Links | Hyperlink" setting should be configured correctly for PowerPoint 2007.   enabled/disabled
CCE-1173-4   CCE-1173   The "Disable commands - Review | Proofing | Language" setting should be configured correctly for PowerPoint 2007.   enabled/disabled
CCE-1714-5   CCE-1714   The "Disable commands - View | Macros | Macros" setting should be configured correctly for PowerPoint 2007.   enabled/disabled
CCE-1485-2   CCE-1485   The "Disable commands - Developer | Code | Macros" setting should be configured correctly for PowerPoint 2007.   enabled/disabled
CCE-1687-3   CCE-1687   The "Disable commands - Developer | Code | Macro Security" setting should be configured correctly for PowerPoint 2007.   enabled/disabled
CCE-1709-5   CCE-1709   The "Disable commands - Developer | Code | Visual Basic" setting should be configured correctly for PowerPoint 2007.   enabled/disabled
CCE-1463-9   CCE-1463   The "Disable commands - Office Button | PowerPoint Options | Customize | All Commands | Document Location" setting should be configured correctly for PowerPoint 2007.   enabled/disabled
CCE-1467-0   CCE-1467   The "Disable commands - Disable shortcut keys" setting should be configured correctly for PowerPoint 2007.   enabled/disabled
CCE-1740-0   CCE-1740   The "Disable commands - Ctrl+K (Insert | Links | Hyperlink)" setting should be configured correctly for PowerPoint 2007.   enabled/disabled
CCE-1780-6   CCE-1780   The "Disable commands - Alt+F8 (Developer | Code | Macros)" setting should be configured correctly for PowerPoint 2007.   enabled/disabled
CCE-1661-8   CCE-1661   The "Disable commands - Alt+F11 (Developer | Code | Visual Basic)" setting should be configured correctly for PowerPoint 2007.   enabled/disabled
CCE-1688-1   CCE-1688   The "Block opening of pre-release versions of file formats new to PowerPoint 2007" setting should be configured correctly for PowerPoint 2007.   enabled/disabled
CCE-1701-2   CCE-1701   The "Block opening of Open Xml files types" setting should be configured correctly for PowerPoint 2007.   enabled/disabled
CCE-1348-2   CCE-1348   The "Block opening of Binary file types" setting should be configured correctly for PowerPoint 2007.   enabled/disabled
CCE-1644-4   CCE-1644   The "Block opening of Html file types" setting should be configured correctly for PowerPoint 2007.   enabled/disabled
CCE-1194-0   CCE-1194   The "Block opening of Outlines" setting should be configured correctly for PowerPoint 2007.   enabled/disabled
CCE-1216-1   CCE-1216   The "Block opening of Converters" setting should be configured correctly for PowerPoint 2007.   enabled/disabled
CCE-1506-5   CCE-1506   The "Block saving of Open Xml file types" setting should be configured correctly for PowerPoint 2007.   enabled/disabled
CCE-1136-1   CCE-1136   The "Block saving of Binary file types" setting should be configured correctly for PowerPoint 2007.   enabled/disabled
CCE-1766-5   CCE-1766   The "Block saving of Html file types" setting should be configured correctly for PowerPoint 2007.   enabled/disabled
CCE-1180-9   CCE-1180   The "Block saving of Outlines" setting should be configured correctly for PowerPoint 2007.   enabled/disabled
CCE-1722-8   CCE-1722   The "Block saving of GraphicFilters" setting should be configured correctly for PowerPoint 2007.   enabled/disabled
CCE-1731-9   CCE-1731   The "Disable Slide Update" setting should be configured correctly for PowerPoint 2007.   enabled/disabled
CCE-885-4   CCE-885   The "Hidden text" setting should be configured correctly for Word 2007.   enabled/disabled
CCE-1656-8   CCE-1656   The "Save files in this format (Word document (*.docx) | Single Files Web Page (*.mht) | Web Page (*.htm; *.html) | Web Page, Filtered (*.htm, *.html) | Rich Text Format (*.rtf) | Plain Text (*.txt) | Word 6.0/95 (*.doc) | Word 6.0/95 - Chinese (Simplified) (*.doc) | Word 6.0/95 - Chinese (Traditional) (*.doc) | Word 6.0/95 - Japanese (*.doc) | Word 6.0/95 - Korean (*.doc) | Word 97-2002 & 6.0/95 - RTF | Word 5.1 for Macintosh (*.mcw) | Word 5.0 for Macintosh (*.mcw) | Word 2.x for Windows (*.doc) | Works 4.0 for Windows (*.wps) | WordPerfect 5.x for Windows (*.doc) | WordPerfect 5.1 for DOS (*.doc) | Word 2007 Macro Enabled Document (*.docm) | Word 2007 Macro Free Template (*.dotx) | Word 2007 Macro Enabled Template (*.dotm) | Word 97 - 2003 Document (*.doc) | Word   enabled/disabled
CCE-1537-0   CCE-1537   The "Number of documents in the Recent Documents list (0-50)" setting should be configured correctly for Word 2007.   enabled/disabled
CCE-1249-2   CCE-1249   The "Update automatic links at Open" setting should be configured correctly for Word 2007.   enabled/disabled
CCE-1509-9   CCE-1509   The "Save smart tags in e-mail" setting should be configured correctly for Word 2007.   enabled/disabled
CCE-1280-7   CCE-1280   The "Determine whether to force encrypted macros to be scanned in Microsoft Word Open XML documents" setting should be configured correctly for Word 2007.   enabled/disabled
                        The "Disable all             enabled/disabled
                        application add-ins" setting
                        should be configured
                        correctly for Word 2007.
CCE-1681-6   CCE-1681
                        The "Require that            enabled/disabled
                        application add-ins are
                        signed by Trusted
                        Publisher" setting should
                        be configured correctly for
CCE-1562-8   CCE-1562   Word 2007.
                        The "Disable Trust Bar       enabled/disabled
                        Notification for unsigned
                        application add-ins" setting
                        should be configured
                        correctly for Word 2007.
CCE-1333-4   CCE-1333
                        The "Allow Trusted            enabled/disabled
                        Locations not on the
                        computer" setting should
                        be configured correctly for
                        Word 2007.
CCE-1355-7   CCE-1355
                        The "Disable all trusted      enabled/disabled
                        locations" setting should
                        be configured correctly for
                        Word 2007.
CCE-1637-8   CCE-1637
                        The "Disable commands"        enabled/disabled
                        setting should be
                        configured correctly for
                        Word 2007.
CCE-1659-2   CCE-1659
                        The "Disable commands -       enabled/disabled
                        Office Button | Word
                        Options | Customize | All
                        Commands | Save As
                        Web Page" setting should
                        be configured correctly for
CCE-1329-2   CCE-1329   Word 2007.
                        The "Disable commands - enabled/disabled
                        Office Button | Word
                        Options | Customize | All
                        Commands | Web Page
                        Preview" setting should be
                        configured correctly for
CCE-1632-9   CCE-1632   Word 2007.
                        The "Disable commands - enabled/disabled
                        Office Button | Send |
                        Email" setting should be
                        configured correctly for
                        Word 2007.
CCE-1425-8   CCE-1425
                        The "Disable commands -       enabled/disabled
                        Insert | Links | Hyperlink"
                        setting should be
                        configured correctly for
                        Word 2007.
CCE-1196-5   CCE-1196
                        The "Disable commands -       enabled/disabled
                        Review | Protect | Protect
                        Document" setting should
                        be configured correctly for
                        Word 2007.
CCE-936-5    CCE-936
                        The "Disable commands -       enabled/disabled
                        View | Macros | Macros"
                        setting should be
                        configured correctly for
                        Word 2007.
CCE-1354-0   CCE-1354
                        The "Disable commands -       enabled/disabled
                        Developer | Code |
                        Macros" setting should be
                        configured correctly for
                        Word 2007.
CCE-1125-4   CCE-1125
                        The "Disable commands - enabled/disabled
                        Developer | Code | Record
                        Macro" setting should be
                        configured correctly for
                        Word 2007.
CCE-1742-6   CCE-1742
                        The "Disable commands - enabled/disabled
                        Developer | Code | Macro
                        Security" setting should be
                        configured correctly for
                        Word 2007.
CCE-1782-2   CCE-1782
                        The "Disable commands -     enabled/disabled
                        Developer | Code | Visual
                        Basic" setting should be
                        configured correctly for
                        Word 2007.
CCE-1306-0   CCE-1306
                        The "Disable commands -     enabled/disabled
                        Developer | Templates |
                        Document Template"
                        setting should be
                        configured correctly for
CCE-1548-7   CCE-1548   Word 2007.
                        The "Disable shortcut       enabled/disabled
                        keys" setting should be
                        configured correctly for
                        Word 2007.
CCE-1716-0   CCE-1716
                        The "Disable shortcut keys enabled/disabled
                        - Ctrl+F (Home | Editing |
                        Find)" setting should be
                        configured correctly for
                        Word 2007.
CCE-1597-4   CCE-1597
                        The "Disable shortcut keys enabled/disabled
                        - Ctrl+K (Insert | Links |
                        Hyperlink)" setting should
                        be configured correctly for
                        Word 2007.
CCE-1689-9   CCE-1689
                        The "Disable shortcut keys enabled/disabled
                        - Alt+F8 (Developer | Code
                        | Macros)" setting should
                        be configured correctly for
                        Word 2007.
CCE-1570-1   CCE-1570
                        The "Disable shortcut keys enabled/disabled
                        - Alt+F11 (Developer |
                        Code | Visual Basic)"
                        setting should be
                        configured correctly for
CCE-1720-2   CCE-1720   Word 2007.
                        The "Block opening of pre- enabled/disabled
                        release versions of file
                        formats new to Word
                        2007" setting should be
                        configured correctly for
CCE-1746-7   CCE-1746   Word 2007.
                        The "Block opening of      enabled/disabled
                        Open XML file types"
                        setting should be
                        configured correctly for
CCE-1504-0   CCE-1504   Word 2007.
                        The "Block opening of          enabled/disabled
                        Binary file types" setting
                        should be configured
                        correctly for Word 2007.
CCE-1654-3   CCE-1654
                        The "Block opening of          enabled/disabled
                        HTML file types" setting
                        should be configured
                        correctly for Word 2007.
CCE-1160-1   CCE-1160
                        The "Block opening of     enabled/disabled
                        Word 2003 XML file types"
                        setting should be
                        configured correctly for
CCE-958-9    CCE-958    Word 2007.
                        The "Block opening of     enabled/disabled
                        RTF file types" setting
                        should be configured
                        correctly for Word 2007.
CCE-1579-2   CCE-1579
                        The "Block open             enabled/disabled
                        Converters" setting should
                        be configured correctly for
                        Word 2007.
CCE-984-5    CCE-984
                        The "Block opening of          enabled/disabled
                        Text file types" setting
                        should be configured
                        correctly for Word 2007.
CCE-1072-8   CCE-1072
                        The "Block opening of          enabled/disabled
                        Internal file types" setting
                        should be configured
                        correctly for Word 2007.
CCE-1503-2   CCE-1503
                        The "Block opening of files enabled/disabled
                        before version" setting
                        should be configured
                        correctly for Word 2007.
CCE-1371-4   CCE-1371
                        The "Block saving of Open enabled/disabled
                        XML file types" setting
                        should be configured
                        correctly for Word 2007.
CCE-1019-9   CCE-1019
                        The "Block saving of           enabled/disabled
                        Binary file types" setting
                        should be configured
                        correctly for Word 2007.
CCE-1684-0   CCE-1684
                        The "Block saving of          enabled/disabled
                        HTML file types" setting
                        should be configured
                        correctly for Word 2007.
CCE-1675-8   CCE-1675
                        The "Block saving of Word enabled/disabled
                        2003 XML file types"
                        setting should be
                        configured correctly for
CCE-1200-5   CCE-1200   Word 2007.
                        The "Block saving of RTF enabled/disabled
                        file types" setting should
                        be configured correctly for
                        Word 2007.
CCE-1741-8   CCE-1741
                        The "Block saving of        enabled/disabled
                        Converters" setting should
                        be configured correctly for
                        Word 2007.
CCE-1231-0   CCE-1231
                        The "Block saving of Text     enabled/disabled
                        file types" setting should
                        be configured correctly for
                        Word 2007.
CCE-1755-8   CCE-1755

CCE-1169-2   CCE-1169   The InfoPath APTCA Assembly Whitelist setting should be configured correctly.   enabled/disabled
CCE-1735-0   CCE-1735   The Windows Internet Explorer Feature Control Opt-In (None | InfoPath.exe, Document Inform   enabled/disabled
CCE-1739-2   CCE-1739   The InfoPath APTCA Assembly Whitelist Enforcement setting should be configured correctly.   enabled/disabled
CCE-933-2    CCE-933    The Disable Package Repair setting should be configured correctly.   enabled/disabled
CCE-1563-6   CCE-1563   The Disable user name and password setting should be configured correctly.   enabled/disabled
CCE-1215-3   CCE-1215   The Disable user name and password - excel.exe setting should be configured correctly.   enabled/disabled
CCE-1484-5   CCE-1484   The Disable user name and password - powerpnt.exe setting should be configured correctly.   enabled/disabled
CCE-1629-5   CCE-1629   The Disable user name and password - pptview.exe setting should be configured correctly.   enabled/disabled
CCE-1762-4   CCE-1762   The Disable user name and password - winword.exe setting should be configured correctly.   enabled/disabled
CCE-1660-0   CCE-1660   The Disable user name and password - outlook.exe setting should be configured correctly.   enabled/disabled
CCE-1057-9   CCE-1057   The Disable user name and password - spDesign.exe setting should be configured correctly.   enabled/disabled
CCE-1285-6   CCE-1285   The Disable user name and password - msaccess.exe setting should be configured correctly.   enabled/disabled
CCE-1669-1   CCE-1669   The Bind to object setting should be configured correctly.   enabled/disabled
CCE-1691-5   CCE-1691   The Bind to object - excel.exe setting should be configured correctly.   enabled/disabled
CCE-1338-3   CCE-1338   The Bind to object - powerpnt.exe setting should be configured correctly.   enabled/disabled
CCE-1717-8   CCE-1717   The Bind to object - pptview.exe setting should be configured correctly.   enabled/disabled
CCE-1488-6   CCE-1488   The Bind to object - winword.exe setting should be configured correctly.   enabled/disabled
CCE-1638-6   CCE-1638   The Bind to object - outlook.exe setting should be configured correctly.   enabled/disabled
CCE-1647-7   CCE-1647   The Bind to object - spDesign.exe setting should be configured correctly.   enabled/disabled
CCE-1294-8   CCE-1294   The Bind to object - msaccess.exe setting should be configured correctly.   enabled/disabled
CCE-1193-2   CCE-1193   The Saved from URL setting should be configured correctly.   enabled/disabled
CCE-1352-4   CCE-1352   The Saved from URL - excel.exe setting should be configured correctly.   enabled/disabled
CCE-928-2    CCE-928    The Saved from URL - powerpnt.exe setting should be configured correctly.   enabled/disabled
CCE-1576-8   CCE-1576   The Saved from URL - pptview.exe setting should be configured correctly.   enabled/disabled
CCE-1100-7   CCE-1100   The Saved from URL - pptview.exe setting should be configured correctly.   enabled/disabled
CCE-1232-8   CCE-1232   The Saved from URL - outlook.exe setting should be configured correctly.   enabled/disabled
CCE-1774-9   CCE-1774   The Saved from URL - spDesign.exe setting should be configured correctly.   enabled/disabled
CCE-906-8    CCE-906    The Saved from URL - msaccess.exe setting should be configured correctly.   enabled/disabled
CCE-1034-8   CCE-1034   The Navigate URL setting should be configured correctly.   enabled/disabled
CCE-1435-7   CCE-1435   The Navigate URL - excel.exe setting should be configured correctly.   enabled/disabled
CCE-1708-7   CCE-1708   The Navigate URL - powerpnt.exe setting should be configured correctly.   enabled/disabled
CCE-808-6    CCE-808    The Navigate URL - pptview.exe setting should be configured correctly.   enabled/disabled
CCE-1650-1   CCE-1650   The Navigate URL - winword.exe setting should be configured correctly.   enabled/disabled
CCE-1223-7   CCE-1223   The Navigate URL - outlook.exe setting should be configured correctly.   enabled/disabled
CCE-1764-0   CCE-1764   The Navigate URL - spDesign.exe setting should be configured correctly.   enabled/disabled
CCE-1769-9   CCE-1769   The Navigate URL - msaccess.exe setting should be configured correctly.   enabled/disabled
CCE-1152-8   CCE-1152   The Block popups setting should be configured correctly.   enabled/disabled
CCE-1566-9   CCE-1566   The Block popups - excel.exe setting should be configured correctly.   enabled/disabled
CCE-1077-7   CCE-1077   The Block popups - powerpnt.exe setting should be configured correctly.   enabled/disabled
CCE-1606-3   CCE-1606   The Block popups - pptview.exe setting should be configured correctly.   enabled/disabled
CCE-1738-4   CCE-1738   The Block popups - winword.exe setting should be configured correctly.   enabled/disabled
CCE-1262-5   CCE-1262   The Block popups - outlook.exe setting should be configured correctly.   enabled/disabled
CCE-1663-4   CCE-1663   The Block popups - spDesign.exe setting should be configured correctly.   enabled/disabled
CCE-1544-6   CCE-1544   The Block popups - msaccess.exe setting should be configured correctly.   enabled/disabled

                        The "Prevent users from
                        customizing attachment
                        security settings" setting
                        should be configured
CCE-1443-1   CCE-1443   correctly.                   1 = Enabled




                        The "Access: Macro           1 = Enabled - Low |
                        Security Level" setting      2 = Enabled -
                        should be configured         Medium | 3 =
CCE-1161-9   CCE-1161   correctly.                   Enabled - High




                        The "Access: Trust all
                        installed add-ins and
                        templates" setting should    0 = Enabled | 1 =
CCE-1421-7   CCE-1421   be configured correctly.     Disabled




                        The "Excel: Macro            1 = Enabled - Low |
                        Security Level" setting      2 = Enabled -
                        should be configured         Medium | 3 =
CCE-1571-9   CCE-1571   correctly.                   Enabled - High
                        The "Excel: Trust all
                        installed add-ins and
                        templates" setting should   0 = Enabled | 1 =
CCE-1721-0   CCE-1721   be configured correctly.    Disabled




                        The "Outlook: Macro         1 = Enabled - Low |
                        Security Level" setting     2 = Enabled -
                        should be configured        Medium | 3 =
CCE-1602-2   CCE-1602   correctly.                  Enabled - High

                        The "Outlook: Trust all
                        installed add-ins and
                        templates" setting should   0 = Enabled | 1 =
CCE-1624-6   CCE-1624   be configured correctly.    Disabled

                                                    0 = Uses default
                                                    administrative
                                                    settings | 1 = Look
                                                    in the Outlook
                                                    Security Settings
                                                    folder | 2 = Look in
                        The "Outlook virus security the Outlook 10
                        settings" setting should be Security Settings
CCE-1522-2   CCE-1522   configured correctly.       folder

                                                    0 = Open message
                                                    if receipt can't be
                                                    sent | 1 = Always
                                                    prompt before
                                                    sending receipt | 2 =
                                                    Never send S/MIME
                        The "S/MIME receipt         receipts | 3 = Don't
                        requests" setting should    open message if
CCE-1183-3   CCE-1183   be configured correctly.    receipt can't be sent
                        The "PowerPoint: Macro       1 = Enabled - Low |
                        Security Level" setting      2 = Enabled -
                        should be configured         Medium | 3 =
CCE-1611-3   CCE-1611   correctly.                   Enabled - High




                        The "PowerPoint: Trust all
                        installed add-ins and
                        templates" setting should    0 = Enabled | 1 =
CCE-1633-7   CCE-1633   be configured correctly.     Disabled

                        The "Publisher: Macro        1 = Enabled - Low |
                        Security Level" setting      2 = Enabled -
                        should be configured         Medium | 3 =
CCE-822-7    CCE-822    correctly.                   Enabled - High


                        The "Publisher: Trust all
                        installed add-ins and
                        templates" setting should    0 = Enabled | 1 =
CCE-1734-3   CCE-1734   be configured correctly.     Disabled




                        The "Word: Macro             1 = Enabled - Low |
                        Security Level" setting      2 = Enabled -
                        should be configured         Medium | 3 =
CCE-1628-7   CCE-1628   correctly.                   Enabled - High




                        The "Word: Trust all
                        installed add-ins and
                        templates" setting should    0 = Enabled | 1 =
CCE-1761-6   CCE-1761   be configured correctly.     Disabled
                        The "Store random
                        number to improve merge
                        accuracy" setting should   0 = Enabled | 1 =
CCE-1302-9   CCE-1302   be configured correctly.   Disabled
                        The "Prevent Users from
                        Changing Office
                        Encryption Settings"
                        setting should be          0 = Disabled | 1 =
CCE-1307-8   CCE-1307   configured correctly.      Enabled
CCE Technical Mechanisms                                         Microsoft Threats and Countermeasures guide




2007: GPO Settings: Computer Configuration / Administrative Templates / Classic Administrative Templates / Microsoft Office 2007 System / Security Settings, Registry Keys: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Office\12.0\Common\VbaOff
2003: (1) Computer Configuration\Administrative Templates\Microsoft Office 2003\Security Settings\Disable VBA for Office applications (2) HKLM\Software\Policies\Microsoft\Office\11.0\Common - VbaOff (3) User Configuration\Administrative Templates\Microsoft Office 2003\Security Settings\Disable VBA for Office applications (4) HKCU\Software\Policies\Microsoft\Office\11.0\Common - VbaOff
                                                                 Table 1.124. Disable VBA for Office applications, Table 2.5. Disable VBA for Office applications

2007: GPO Settings: User Configuration / Administrative Templates / Classic Administrative Templates / Microsoft Office 2007 system / Security / ActiveX Control InitializationSettings, Registry Keys: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\Common\Security\UFIControls
2003: (1) User Configuration\Administrative Templates\Microsoft Office 2003\Security Settings\ActiveX Control Initialization (2) HKCU\Software\Policies\Microsoft\Office\Common\Security - UFIControls
                                                                 Table 1.3. ActiveX Control Initialization

GPO Settings: User Configuration / Administrative Templates / Classic Administrative Templates / Microsoft Office 2007 / Privacy / Trust Center, Registry Keys: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Common\QMEnable
                                                                 Table 1.148. Enable Customer Experience Improvement Program

GPO Settings: User Configuration / Administrative Templates / Classic Administrative Templates / Microsoft Office 2007 / Privacy / Trust Center, Registry Keys: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Common\UpdateReliabilityData
                                                                 Table 1.23. Automatically receive small updates to improve reliability

GPO Settings: User Configuration / Administrative Templates / Classic Administrative Templates / Microsoft Office 2007 system / Tools / Options / General / Service Options / Online Content, Registry Keys: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Common\Internet\UseOnlineContent
                                                                 Table 1.179. Online content options




GPO Settings: User Configuration / Administrative Templates / Classic Administrative Templates / Microsoft Office Access 2007 / Application Settings / Security / Trust Center, Registry Keys: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Access\Security\VBAWarnings
                                                                 Table 1.234. VBA Macro Warning Settings




2007: GPO Settings: User Configuration / Administrative Templates / Classic Administrative Templates / Microsoft Office Excel 2007 / Excel Options / Security / Trust Center, Registry Keys: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Excel\Security\VBAWarnings
                                                                 Table 1.234. VBA Macro Warning Settings

2007: GPO Settings: User Configuration / Administrative Templates / Classic Administrative Templates / Microsoft Office Excel 2007 / Excel Options / Security / Trust Center, Registry Keys: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Excel\Security\AccessVBOM
2003: (1) Computer Configuration\Administrative Templates\Microsoft Office 2003\Security Settings\Excel: Trust access to Visual Basic Project (2) HKLM\Software\Policies\Microsoft\Office\11.0\Excel\Security - AccessVBOM (3) User Configuration\Administrative Templates\Microsoft Office Excel 2003\Tools\Macros\Security\Trust access to Visual Basic Project (4) HKCU\Software\Policies\Microsoft\Office\11.0\Excel\Security - AccessVBOM
                                                                 Table 1.225. Trust access to Visual Basic Project

GPO Settings: User Configuration / Administrative Templates / Classic Administrative Templates / Microsoft Office PowerPoint 2007 / PowerPoint Options / Security / Trust Center, Registry Keys: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\PowerPoint\Security\VBAWarnings
                                                                 Table 1.234. VBA Macro Warning Settings

GPO Settings: User Configuration / Administrative Templates / Classic Administrative Templates / Microsoft Office PowerPoint 2007 / PowerPoint Options / Security / Trust Center, Registry Keys: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\PowerPoint\Security\AccessVBOM
                                                                 Table 1.225. Trust access to Visual Basic Project
GPO Settings: User Configuration / Administrative Templates / Classic Administrative Templates / Microsoft Office Outlook 2007 / Security, Registry Keys: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Outlook\Security\EnableRememberPwd

2007: GPO Settings: User Configuration / Administrative Templates / Classic Administrative Templates / Microsoft Office Outlook 2007 / Security, Registry Keys: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Outlook\Security\AddinTrust
2003: (1) User Configuration\Administrative Templates\Microsoft Office Outlook 2003\Tools\Options\Security\Configure Add-In Trust Level (2) HKCU\Software\Policies\Microsoft\Office\11.0\Outlook\Security - AddinTrust
                                                                 Table 1.72. Configure trusted add-ins

GPO Settings: User Configuration / Administrative Templates / Classic Administrative Templates / Microsoft Office Outlook 2007 / Security, Registry Keys: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Outlook\Security\EnableRememberPwd

GPO Settings: User Configuration / Administrative Templates / Classic Administrative Templates / Microsoft Office Outlook 2007 / Security / Cryptography, Registry Keys: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Outlook\Security\MinEncKey
                                                                 Table 1.173. Minimum encryption settings

GPO Settings: User Configuration / Administrative Templates / Classic Administrative Templates / Microsoft Office Outlook 2007 / Security / Cryptography, Registry Keys: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Outlook\Security\SupressNameChecks
Table 1.134. Do not check e-mail address against address of certificates being used

2007: GPO Settings: User Configuration / Administrative Templates / Classic Administrative Templates / Microsoft Office Outlook 2007 / Security / Cryptography, Registry Keys: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Outlook\Security\ClearSign 2003: (1) User Configuration\Administrative Templates\Microsoft Office Outlook 2003\Tools\Options\Security\Cryptography\Send all signed messages as clear signed messages (2) HKCU\Software\Policies\Microsoft\Office\11.0\Outlook\Security - ClearSign
Table 1.214. Send all signed messages as clear signed messages

GPO Settings: User Configuration / Administrative Templates / Classic Administrative Templates / Microsoft Office Outlook 2007 / Security / Cryptography, Registry Keys: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Outlook\Security\RequestSecureReceipt
Table 1.198. Request an S/MIME receipt for all S/MIME signed messages

2007: GPO Settings: User Configuration / Administrative Templates / Classic Administrative Templates / Microsoft Office Outlook 2007 / Security / Cryptography, Registry Keys: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Outlook\Security\PublishToGalDisabled 2003: (1) User Configuration\Administrative Templates\Microsoft Office Outlook 2003\Tools\Options\Security\Cryptography\Disable 'Publish to GAL' button (2) HKCU\Software\Policies\Microsoft\office\11.0\outlook\Security - PublishToGalDisabled
Table 1.135. Do not display 'Publish to GAL' button

2007: GPO Settings: User Configuration / Administrative Templates / Classic Administrative Templates / Microsoft Office Outlook 2007 / Security / Cryptography, Registry Keys: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Outlook\Security\WarnAboutInvalid 2003: (1) User Configuration\Administrative Templates\Microsoft Office Outlook 2003\Tools\Options\Security\Cryptography\Signature Warning (2) HKCU\Software\Policies\Microsoft\Office\11.0\Outlook\Security - WarnAboutInvalid
Table 1.220. Signature Warning

2007: GPO Settings: User Configuration / Administrative Templates / Classic Administrative Templates / Microsoft Office Outlook 2007 / Security / Cryptography, Registry Keys: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Outlook\Security\ConvertSMIMEBlobSignedIcons 2003: (1) User Configuration\Administrative Templates\Microsoft Office Outlook 2003\Tools\Options\Security\Cryptography\Enable cryptography icons (2) HKCU\Software\Policies\Microsoft\Office\11.0\Outlook\Security - ConvertSMIMEBlobSignedIcons

GPO Settings: User Configuration / Administrative Templates / Classic Administrative Templates / Microsoft Office Outlook 2007 / Security / Cryptography / Signature Status Dialog Box, Registry Keys: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Outlook\Security\UseCRLChasing
Table 1.204. Retrieving CRLs (Certificate Revocation Lists)




GPO Settings: User Configuration / Administrative Templates / Classic Administrative Templates / Microsoft Office Word 2007 / Word Options / Security / Trust Center, Registry Keys: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Word\Security\VBAWarnings
Table 1.234. VBA Macro Warning Settings

2007: GPO Settings: User Configuration / Administrative Templates / Classic Administrative Templates / Microsoft Office Word 2007 / Word Options / Security / Trust Center, Registry Keys: HKEY_CURRENT_USER\Software\Policies\Policies\Microsoft\Office\12.0\Word\Security\AccessVBOM 2003: (1) Computer Configuration\Administrative Templates\Microsoft Office 2003\Security Settings\Word: Trust access to Visual Basic Project (2) HKLM\Software\Policies\Microsoft\Office\11.0\Word\Security - AccessVBOM (3) User Configuration\Administrative Templates\Microsoft Office Word 2003\Tools\Macro\Security\Trust access to Visual Basic Project (4) HKCU\Software\Policies\Microsoft\Office\11.0\Word\Security - AccessVBOM
Table 1.225. Trust access to Visual Basic Project

2007: GPO Settings: User Configuration / Administrative Templates / Classic Administrative Templates / Microsoft Office Word 2007 / Word Options / Security, Registry Keys: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Word\Options\vpref\fWarnRevisions_1805_1 2003: (1) User Configuration\Administrative Templates\Microsoft Office Word 2003\Tools\Options\Security\Warn before printing or saving or sending a file that contains tracked changes or comments (2) HKCU\Software\Policies\Microsoft\Office\11.0\Word\Options\vpre

GPO Settings: User Configuration / Administrative Templates / Classic Administrative Templates / Microsoft Office 2007 / Miscellaneous, Registry Keys: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\Common\OfficeUpdate\BlockUpdates
Table 1.64. Block updates from the Office Update Site from applying

(1) User Configuration\Administrative Templates\Microsoft Office Access 2007\Application Settings\Web Options\General\Underline hyperlinks (2) Software\Policies\Microsoft\Office\12.0\Access\Internet
Table 1.230. Underline hyperlinks

(1) User Configuration\Administrative Templates\Microsoft Office Access 2007\Application Settings\General\General\Number of documents in the Recent Documents list (0-9) (2) Software\Policies\Microsoft\Office\12.0\Access\Settings

(1) User Configuration\Administrative Templates\Microsoft Office Access 2007\Application Settings\Security\Trust Center\Disable Trust Bar Notification for unsigned application add-ins (2) Software\Policies\Microsoft\Office\12.0\Access\Security
Table 1.120. Disable Trust Bar Notification for unsigned application add-ins

(1) User Configuration\Administrative Templates\Microsoft Office Access 2007\Application Settings\Security\Trust Center\Disable all application add-ins (2) Software\Policies\Microsoft\Office\12.0\Access\Security
Table 1.87. Disable all application add-ins

(1) User Configuration\Administrative Templates\Microsoft Office Access 2007\Application Settings\Security\Trust Center\Require that application add-ins are signed by Trusted Publisher (2) Software\Policies\Microsoft\Office\12.0\Access\Security
Table 1.200. Require that application add-ins are signed by Trusted Publisher

(1) User Configuration\Administrative Templates\Microsoft Office Access 2007\Application Settings\Security\Trust Center\Trusted Locations\Disable all trusted locations (2) Software\Policies\Microsoft\Office\12.0\Access\Security\Trusted Locations
Table 1.89. Disable all trusted locations

(1) User Configuration\Administrative Templates\Microsoft Office Access 2007\Application Settings\Security\Trust Center\Trusted Locations\Allow Trusted Locations not on the computer (2) Software\Policies\Microsoft\Office\12.0\Access\Security\Trusted Locations
Table 1.11. Allow Trusted Locations not on the computer

(1) User Configuration\Administrative Templates\Microsoft Office Access 2007\Application Settings\Security\Trust Center\Trusted Locations\Modal Trust Decision Only (2) Software\Policies\Microsoft\Office\12.0\Access\Security\Trusted Locations
Table 1.176. Modal Trust Decision Only

(1) User Configuration\Administrative Templates\Microsoft Office Access 2007\Disable items in user interface\Predefined\Disable commands (2) Software\Policies\Microsoft\Office\12.0\Access\DisabledCmdBarItemsCheckBoxes
Table 1.94. Disable commands

(1) User Configuration\Administrative Templates\Microsoft Office Access 2007\Disable items in user interface\Predefined\Disable commands - Office Button | E-Mail (2) Software\Policies\Microsoft\Office\12.0\Access\DisabledCmdBarItemsCheckBoxes
Table 1.94. Disable commands

(1) User Configuration\Administrative Templates\Microsoft Office Access 2007\Disable items in user interface\Predefined\Disable commands - Office Button | Access Options | Customize | All Commands | Insert Hyperlink (2) Software\Policies\Microsoft\Office\12.0\Access\DisabledCmdBarItemsCheckBoxes
Table 1.94. Disable commands

(1) User Configuration\Administrative Templates\Microsoft Office Access 2007\Disable items in user interface\Predefined\Disable commands - Database Tools | Database Tools | Encrypt with Password (2) Software\Policies\Microsoft\Office\12.0\Access\DisabledCmdBarItemsCheckBoxes
Table 1.94. Disable commands

(1) User Configuration\Administrative Templates\Microsoft Office Access 2007\Disable items in user interface\Predefined\Disable commands - Database Tools | Administer | Users and Permission | User and Group Permissions (2) Software\Policies\Microsoft\Office\12.0\Access\DisabledCmdBarItemsCheckBoxes
Table 1.94. Disable commands

(1) User Configuration\Administrative Templates\Microsoft Office Access 2007\Disable items in user interface\Predefined\Disable commands - Database Tools | Administer | Users and Permissions | User and Group Accounts (2) Software\Policies\Microsoft\Office\12.0\Access\DisabledCmdBarItemsCheckBoxes
Table 1.94. Disable commands

(1) User Configuration\Administrative Templates\Microsoft Office Access 2007\Disable items in user interface\Predefined\Disable commands - Database Tools | Administer | Users and Permission | User-Level Security Wizard... (2) Software\Policies\Microsoft\Office\12.0\Access\DisabledCmdBarItemsCheckBoxes
Table 1.94. Disable commands

(1) User Configuration\Administrative Templates\Microsoft Office Access 2007\Disable items in user interface\Predefined\Disable commands - Database Tools | Database Tools | Encode/Decode Database (2) Software\Policies\Microsoft\Office\12.0\Access\DisabledCmdBarItemsCheckBoxes
Table 1.94. Disable commands

(1) User Configuration\Administrative Templates\Microsoft Office Access 2007\Disable items in user interface\Predefined\Disable commands - Database Tools | Macro | Visual Basic (2) Software\Policies\Microsoft\Office\12.0\Access\DisabledCmdBarItemsCheckBoxes
Table 1.94. Disable commands

(1) User Configuration\Administrative Templates\Microsoft Office Access 2007\Disable items in user interface\Predefined\Disable commands - Database Tools | Macro | Run Macro (2) Software\Policies\Microsoft\Office\12.0\Access\DisabledCmdBarItemsCheckBoxes
Table 1.94. Disable commands

(1) User Configuration\Administrative Templates\Microsoft Office Access 2007\Disable items in user interface\Predefined\Database Tools | Macro | Convert Macros to Visual Basic (2) Software\Policies\Microsoft\Office\12.0\Access\DisabledCmdBarItemsCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office Access 2007\Disable items in user interface\Predefined\Database Tools | Macro | Create Shortcut Menu from Macro (2) Software\Policies\Microsoft\Office\12.0\Access\DisabledCmdBarItemsCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office Access 2007\Disable items in user interface\Predefined\Disable shortcut keys (2) Software\Policies\Microsoft\Office\12.0\Access\DisabledShortcutKeysCheckBoxes
Table 1.114. Disable shortcut keys

(1) User Configuration\Administrative Templates\Microsoft Office Access 2007\Disable items in user interface\Predefined\Disable commands - Ctrl+K (Office Button | Access Options | Customize | All Commands | Insert Hyperlinks) (2) Software\Policies\Microsoft\Office\12.0\Access\DisabledShortcutKeysCheckBoxes
Table 1.114. Disable shortcut keys

(1) User Configuration\Administrative Templates\Microsoft Office Access 2007\Disable items in user interface\Predefined\Disable commands - Alt+F11 (Database Tools | Macro | Visual Basic) (2) Software\Policies\Microsoft\Office\12.0\Access\DisabledShortcutKeysCheckBoxes
Table 1.114. Disable shortcut keys

(1) User Configuration\Administrative Templates\Microsoft Office Access 2007\Miscellaneous\Default file format (Access 2007 | Access 2002-2003) (2) Software\Policies\Microsoft\Office\12.0\Access\Settings
Table 1.80. Default file format

(1) User Configuration\Administrative Templates\Microsoft Office Access 2007\Miscellaneous\Do not prompt to convert older databases (2) Software\Policies\Microsoft\Office\12.0\Access\Settings
Table 1.141. Do not prompt to convert older databases

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Proofing\Autocorrect Options\Internet and network paths as hyperlinks (2) Software\Policies\Microsoft\Office\12.0\Excel\Options
Table 1.164. Internet and network paths as hyperlinks

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Save\Save Excel files as (Excel Workbook (*.xlsx) | Excel Macro-Enabled Workbook (*.xlsm) | Excel Binary Workbook (*.xlsb) | Web Page (*.htm; *.html) | Excel 97-2003 Workbook (*.xls) | Excel 5.0/95 Workbook (*.xls)) (2) Software\Policies\Microsoft\Office\12.0\Excel\Options
Table 1.211. Save Excel files as

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Save\Disable AutoRepublish (2) Software\Policies\Microsoft\Office\12.0\Excel\Options
Table 1.91. Disable AutoRepublish

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Save\AutoRepublish Warning Alert (Always show the alert before publishing | Never show the alert before publishing) (2) Software\Policies\Microsoft\Office\12.0\Excel\Options
Table 1.25. AutoRepublish Warning Alert

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Security\Determine whether to force encrypted macros to be scanned in Microsoft Excel Open XML workbooks (2) Software\Policies\Microsoft\Office\12.0\Excel\Security
Table 1.81. Determine whether to force encrypted macros to be scanned in Microsoft Excel Open XML workbooks

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Security\Force file extension to match file type (Allow different | Allow different, but warn | Always match file type) (2) Software\Policies\Microsoft\Office\12.0\Excel\Security
Table 1.155. Force file extension to match file type

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Security\Trust Center\Store macro in Personal Macro Workbook by default (2) Software\Policies\Microsoft\Office\12.0\Excel\Security
Table 1.221. Store macro in Personal Macro Workbook by default

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Security\Trust Center\Disable all application add-ins (2) Software\Policies\Microsoft\Office\12.0\Excel\Security
Table 1.87. Disable all application add-ins

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Security\Trust Center\Require that application add-ins are signed by Trusted Publisher (2) Software\Policies\Microsoft\Office\12.0\Excel\Security
Table 1.200. Require that application add-ins are signed by Trusted Publisher

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Security\Trust Center\Disable Trust Bar Notification for unsigned application add-ins (2) Software\Policies\Microsoft\Office\12.0\Excel\Security
Table 1.120. Disable Trust Bar Notification for unsigned application add-ins

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Security\Trust Center\Trusted Locations\Allow Trusted Locations not on the computer (2) Software\Policies\Microsoft\Office\12.0\Excel\Security\Trusted Locations
Table 1.11. Allow Trusted Locations not on the computer

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Security\Trust Center\Trusted Locations\Disable all trusted locations (2) Software\Policies\Microsoft\Office\12.0\Excel\Security\Trusted Locations
Table 1.89. Disable all trusted locations

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Advanced\Ignore other applications (2) Software\Policies\Microsoft\Office\12.0\Excel\Options\BinaryOptions
Table 1.159. Ignore other applications

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Advanced\Ask to update automatic links (2) Software\Policies\Microsoft\Office\12.0\Excel\Options
Table 1.17. Ask to update automatic links

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Advanced\Number of documents in the Recent Documents list (0-17) (2) Software\Policies\Microsoft\Office\12.0\Excel\File MRU


(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Advanced\Web Options…\General\Save any additional data necessary to maintain formulas (2) Software\Policies\Microsoft\Office\12.0\Excel\Internet
Table 1.210. Save any additional data necessary to maintain formulas

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Advanced\Web Options…\General\Load pictures from Web pages not created in Excel (2) Software\Policies\Microsoft\Office\12.0\Excel\Internet
Table 1.169. Load pictures from Web pages not created in Excel

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Data Recovery\Do not show data extraction options when opening corrupt workbooks (2) Software\Policies\Microsoft\Office\12.0\Excel\Options
Table 1.143. Do not show data extraction options when opening corrupt workbooks

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Data Recovery\Assume structured storage format of workbook is intact when recovering data (2) Software\Policies\Microsoft\Office\12.0\Excel\Options

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Data Recovery\Corrupt formula conversion (Convert unrecoverable references to: values | #REF or #NAME) (2) Software\Policies\Microsoft\Office\12.0\Excel\Options

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Data Access Security\Connection File Locations (2) Software\Policies\Microsoft\Office\Common\Server Links\Published

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Data Access Security\Automatic Query Refresh (Prompt for all workbooks | Do not prompt; do not allow auto refresh | Do not prompt; allow auto refresh) (2) Software\Policies\Microsoft\Office\Common\Server Links\Published



(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable commands (2) Software\Policies\Microsoft\Office\12.0\Excel\DisabledCmdBarItemsCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable commands - Office Button | Excel Options | Customize | All Commands | Save as Web Page (2) Software\Policies\Microsoft\Office\12.0\Excel\DisabledCmdBarItemsCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable commands - Office Button | Excel Options | Customize | All Commands | Web Page Preview (2) Software\Policies\Microsoft\Office\12.0\Excel\DisabledCmdBarItemsCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable commands - Office Button | Send | Email (2) Software\Policies\Microsoft\Office\12.0\Excel\DisabledCmdBarItemsCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable commands - Insert | Links | Hyperlink (2) Software\Policies\Microsoft\Office\12.0\Excel\DisabledCmdBarItemsCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable commands - Review | Changes | Protect Sheet (2) Software\Policies\Microsoft\Office\12.0\Excel\DisabledCmdBarItemsCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable commands - Review | Changes | Protect Workbook (2) Software\Policies\Microsoft\Office\12.0\Excel\DisabledCmdBarItemsCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable commands - Review | Changes | Protect and Share Workbook (2) Software\Policies\Microsoft\Office\12.0\Excel\DisabledCmdBarItemsCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable commands - View | Macros | Macros (2) Software\Policies\Microsoft\Office\12.0\Excel\DisabledCmdBarItemsCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable commands - Developer | Code | Macros (2) Software\Policies\Microsoft\Office\12.0\Excel\DisabledCmdBarItemsCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable commands - Developer | Code | Record Macro (2) Software\Policies\Microsoft\Office\12.0\Excel\DisabledCmdBarItemsCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable commands - Developer | Code | Macro Security (2) Software\Policies\Microsoft\Office\12.0\Excel\DisabledCmdBarItemsCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable commands - Developer | Code | Visual Basic (2) Software\Policies\Microsoft\Office\12.0\Excel\DisabledCmdBarItemsCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable commands - Office Button | Excel Options | Customize | All Commands | Document Location (2) Software\Policies\Microsoft\Office\12.0\Excel\DisabledCmdBarItemsCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable shortcut keys (2) Software\Policies\Microsoft\Office\12.0\Excel\DisabledShortcutKeysCheckBoxes
Table 1.114. Disable shortcut keys

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable shortcut keys - Ctrl+K (Insert | Links | Hyperlink) (2) Software\Policies\Microsoft\Office\12.0\Excel\DisabledShortcutKeysCheckBoxes
Table 1.114. Disable shortcut keys

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable shortcut keys - Alt+F8 (Developer | Code | Macros) (2) Software\Policies\Microsoft\Office\12.0\Excel\DisabledShortcutKeysCheckBoxes
Table 1.114. Disable shortcut keys

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable shortcut keys - Alt+F11 (Developer | Code | Visual Basic) (2) Software\Policies\Microsoft\Office\12.0\Excel\DisabledShortcutKeysCheckBoxes
Table 1.114. Disable shortcut keys

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Block file formats\Open\Block opening of pre-release versions of file formats new to Excel 2007 (2) Software\Policies\Microsoft\Office\12.0\Excel\Security\FileOpenBlock
Table 1.34. Block opening of files created by pre-release versions of Excel 2007

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Block file formats\Open\Block opening of Open XML file types (2) Software\Policies\Microsoft\Office\12.0\Excel\Security\FileOpenBlock
Table 1.38. Block opening of Open XML file types

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Block file formats\Open\Block opening of Binary 12 file types (2) Software\Policies\Microsoft\Office\12.0\Excel\Security\FileOpenBlock
Table 1.29. Block opening of Binary 12 file types

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Block file formats\Open\Block opening of Binary file types (2) Software\Policies\Microsoft\Office\12.0\Excel\Security\FileOpenBlock
Table 1.30. Block opening of Binary file types

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Block file formats\Open\Block opening of Html and Xmlss files types (2) Software\Policies\Microsoft\Office\12.0\Excel\Security\FileOpenBlock
Table 1.35. Block opening of Html and Xmlss files types

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Block file formats\Open\Block opening of Xml file types (2) Software\Policies\Microsoft\Office\12.0\Excel\Security\FileOpenBlock
Table 1.49. Block opening of Xml file types

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Block file formats\Open\Block opening of DIF and SYLK file types (2) Software\Policies\Microsoft\Office\12.0\Excel\Security\FileOpenBlock
Table 1.32. Block opening of DIF and SYLK file types

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Block file formats\Open\Block opening of Text file types (2) Software\Policies\Microsoft\Office\12.0\Excel\Security\FileOpenBlock
Table 1.46. Block opening of Text file types

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Block file formats\Open\Block opening of Xll file type (2) Software\Policies\Microsoft\Office\12.0\Excel\Security\FileOpenBlock
Table 1.48. Block opening of Xll file type

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Block file formats\Save\Block saving of Open Xml file types (2) Software\Policies\Microsoft\Office\12.0\Excel\Security\FileSaveBlock
Table 1.57. Block saving of Open Xml file types

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Block file formats\Save\Block saving of Binary12 file types (2) Software\Policies\Microsoft\Office\12.0\Excel\Security\FileSaveBlock
Table 1.52. Block saving of Binary12 file types

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Block file formats\Save\Block saving of Binary file types (2) Software\Policies\Microsoft\Office\12.0\Excel\Security\FileSaveBlock

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Block file formats\Save\Block saving of Html and Xmlss file types (2) Software\Policies\Microsoft\Office\12.0\Excel\Security\FileSaveBlock
Table 1.55. Block saving of Html and Xmlss file types

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Block file formats\Save\Block saving Xml file types (2) Software\Policies\Microsoft\Office\12.0\Excel\Security\FileSaveBlock

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Block file formats\Save\Block saving DIF and SYLK file types (2) Software\Policies\Microsoft\Office\12.0\Excel\Security\FileSaveBlock
Table 1.50. Block saving DIF and SYLK file types

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Block file formats\Save\Block saving of Text file types (2) Software\Policies\Microsoft\Office\12.0\Excel\Security\FileSaveBlock
Table 1.60. Block saving of Text file types

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Miscellaneous\Locally cache network file storages (2) Software\Policies\Microsoft\Office\12.0\Excel\Options

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Miscellaneous\Locally cache PivotTable reports (2) Software\Policies\Microsoft\Office\12.0\Excel\Options

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Miscellaneous\OLAP PivotTable User Defined Function (UDF) security setting (Allow ALL UDFs | Allow safe UDFs only | Allow NO UDFs) (2) Software\Policies\Microsoft\Office\12.0\Excel\Options

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Miscellaneous\Recognize SmartTags (2) Software\Policies\Microsoft\Office\12.0\Excel\Options

(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Tools | Options\General\Number of documents in the Recent Documents list (0 - 9) (2) Software\Policies\Microsoft\Office\12.0\InfoPath

(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Tools | Options\Advanced\Offline\Offline Mode status (Disabled | Enabled, InfoPath in Offline Mode | Enabled, InfoPath not in Offline Mode) (2) Software\Policies\Microsoft\Office\12.0\InfoPath\Editor\Offline
Table 1.178. Offline Mode status



(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Predefined\Disable commands (2) Software\Policies\Microsoft\Office\12.0\InfoPath\DisabledCmdBarItemsCheckBoxes
Table 1.94. Disable commands

(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Predefined\Disable commands - File | Print (2) Software\Policies\Microsoft\Office\12.0\InfoPath\DisabledCmdBarItemsCheckBoxes
Table 1.94. Disable commands

(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Predefined\Disable commands - File | Send to Mail Recipient (2) Software\Policies\Microsoft\Office\12.0\InfoPath\DisabledCmdBarItemsCheckBoxes
Table 1.94. Disable commands

(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Predefined\Disable commands - File | Open from SharePoint Site (2) Software\Policies\Microsoft\Office\12.0\InfoPath\DisabledCmdBarItemsCheckBoxes
Table 1.94. Disable commands

(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Predefined\Disable commands - File | Print Preview (2) Software\Policies\Microsoft\Office\12.0\InfoPath\DisabledCmdBarItemsCheckBoxes
Table 1.94. Disable commands

(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Predefined\Disable commands - File | Page Setup (2) Software\Policies\Microsoft\Office\12.0\InfoPath\DisabledCmdBarItemsCheckBoxes
Table 1.94. Disable commands

(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Predefined\Disable commands - Insert | Hyperlinks... (2) Software\Policies\Microsoft\Office\12.0\InfoPath\DisabledCmdBarItemsCheckBoxes
Table 1.94. Disable commands

(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Predefined\Disable commands - Tools | Set Language (2) Software\Policies\Microsoft\Office\12.0\InfoPath\DisabledCmdBarItemsCheckBoxes
Table 1.94. Disable commands

(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Predefined\Disable commands - Tools | Customize... (2) Software\Policies\Microsoft\Office\12.0\InfoPath\DisabledCmdBarItemsCheckBoxes
Table 1.94. Disable commands

(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Predefined\Disable commands - Tools | Options... (2) Software\Policies\Microsoft\Office\12.0\InfoPath\DisabledCmdBarItemsCheckBoxes
Table 1.94. Disable commands

(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Predefined\Disable commands - Help | Microsoft Office Online (2) Software\Policies\Microsoft\Office\12.0\InfoPath\DisabledCmdBarItemsCheckBoxes
Table 1.94. Disable commands

(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Predefined\Disable commands - Office Diagnostics (2) Software\Policies\Microsoft\Office\12.0\InfoPath\DisabledCmdBarItemsCheckBoxes
Table 1.94. Disable commands

(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Predefined\Disable commands - Help | Activate Product... (2) Software\Policies\Microsoft\Office\12.0\InfoPath\DisabledCmdBarItemsCheckBoxes
Table 1.94. Disable commands

(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Predefined\Disable commands - Print Default (2) Software\Policies\Microsoft\Office\12.0\InfoPath\DisabledCmdBarItemsCheckBoxes
Table 1.94. Disable commands

(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Predefined\Disable shortcut keys (2) Software\Policies\Microsoft\Office\12.0\InfoPath\DisabledShortcutKeysCheckBoxes
Table 1.114. Disable shortcut keys

(1) User Configuration\Administrative Templates\Microsoft        Table 1.114. Disable shortcut keys
Office InfoPath 2007\Disable items in user
interface\Predefined\Disable shortcut keys - Print Shortcut
(Ctrl+P) (2)
Software\Policies\Microsoft\Office\12.0\InfoPath\DisabledShort
cutKeysCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft        Table 1.114. Disable shortcut keys
Office InfoPath 2007\Disable items in user
interface\Predefined\Disable shortcut keys - Insert Hyperlink
Shortcut (Ctrl+K) (2)
Software\Policies\Microsoft\Office\12.0\InfoPath\DisabledShort
cutKeysCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft        Table 1.73. Control behavior for
Office InfoPath 2007\Security\Control behavior for Windows       Windows SharePoint Services gradual
SharePoint Services gradual upgrade (Allow redirections to       upgrade
any location | Allow redirections to Intranet only | Block all
redirections) (2)
Software\Policies\Microsoft\Office\12.0\InfoPath\Security
(1) User Configuration\Administrative Templates\Microsoft        Table 1.109. Disable opening of
Office InfoPath 2007\Security\Disable opening of solutions       solutions from the Internet security zone
from the Internet security zone (2)
Software\Policies\Microsoft\Office\12.0\InfoPath\Security


(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Disable fully trusted solutions full access to computer
(2) Software\Policies\Microsoft\Office\12.0\InfoPath\Security
Table 1.102. Disable fully trusted solutions full access to computer

(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Allow the use of ActiveX Custom Controls in InfoPath forms
(2) Software\Policies\Microsoft\Office\12.0\InfoPath

(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Run forms in restricted mode if they do not specify a publish location and use only features introduced before InfoPath 2003 SP1
(2) Software\Policies\Microsoft\Office\12.0\InfoPath\Security

(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Allow file types as attachments to forms
(2) Software\Policies\Microsoft\Office\12.0\InfoPath\Security
Table 1.7. Allow file types as attachments to forms

(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Block specific file types as attachments to forms
(2) Software\Policies\Microsoft\Office\12.0\InfoPath\Security
Table 1.62. Block specific file types as attachments to forms

(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Prevent users from allowing unsafe file types to be attached to forms
(2) Software\Policies\Microsoft\Office\12.0\InfoPath\Security
Table 1.186. Prevent users from allowing unsafe file types to be attached to forms

(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Display a warning that a form is digitally signed
(2) Software\Policies\Microsoft\Office\12.0\InfoPath\Security

(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Control behavior when opening forms in the Internet security zone (Block | Prompt | Allow)
(2) Software\Policies\Microsoft\Office\12.0\InfoPath\Open Behaviors
Table 1.74. Control behavior when opening forms in the Internet security zone

(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Control behavior when opening forms in the Intranet security zone (Block | Prompt | Allow)
(2) Software\Policies\Microsoft\Office\12.0\InfoPath\Open Behaviors
Table 1.75. Control behavior when opening forms in the Intranet security zone

(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Control behavior when opening forms in the Local Machine security zone (Block | Prompt | Allow)
(2) Software\Policies\Microsoft\Office\12.0\InfoPath\Open Behaviors

(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Control behavior when opening forms in the Trusted Site security zone (Block | Prompt | Allow)
(2) Software\Policies\Microsoft\Office\12.0\InfoPath\Open Behaviors
Table 1.76. Control behavior when opening forms in the Trusted Site security zone

(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Beaconing UI for forms opened in InfoPath (Never show beaconing UI | Always show beaconing UI | Show UI if Form Template is from Internet Zone)
(2) Software\Policies\Microsoft\Office\12.0\InfoPath\Security
Table 1.26. Beaconing UI for forms opened in InfoPath

(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Beaconing UI for forms opened in InfoPath Editor ActiveX (Never show beaconing UI | Always show beaconing UI | Show UI if Form Template is from Internet Zone)
(2) Software\Policies\Microsoft\Office\12.0\InfoPath\Security
Table 1.27. Beaconing UI for forms opened in InfoPath Editor ActiveX

(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Trust Center\Disable all application add-ins
(2) Software\Policies\Microsoft\Office\12.0\InfoPath\Security
Table 1.87. Disable all application add-ins

(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Trust Center\Require that application add-ins are signed by Trusted Publisher
(2) Software\Policies\Microsoft\Office\12.0\InfoPath\Security
Table 1.200. Require that application add-ins are signed by Trusted Publisher

(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Trust Center\Disable Trust Bar Notification for unsigned application add-ins
(2) Software\Policies\Microsoft\Office\12.0\InfoPath\Security
Table 1.120. Disable Trust Bar Notification for unsigned application add-ins

(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Control behavior when opening InfoPath e-mail forms containing code or script (Run without prompting | Prompt before running | Never run)
(2) Software\Policies\Microsoft\Office\12.0\InfoPath\Security
Table 1.77. Control behavior when opening InfoPath e-mail forms containing code or script




(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Disable sending form template with e-mail forms
(2) Software\Policies\Microsoft\Office\12.0\InfoPath\Deployment
Table 1.112. Disable sending form template with e-mail forms

(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Disable dynamic caching of the form template in InfoPath e-mail forms
(2) Software\Policies\Microsoft\Office\12.0\InfoPath\Deployment
Table 1.97. Disable dynamic caching of the form template in InfoPath e-mail forms

(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Disable sending InfoPath 2003 Forms as e-mail forms
(2) Software\Policies\Microsoft\Office\12.0\InfoPath
Table 1.113. Disable sending InfoPath 2003 Forms as e-mail forms

(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Disable e-mail forms running in restricted security level
(2) Software\Policies\Microsoft\Office\12.0\InfoPath\Security
Table 1.101. Disable e-mail forms running in restricted security level

(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Disable e-mail forms from the Internet security zone
(2) Software\Policies\Microsoft\Office\12.0\InfoPath\Security
Table 1.99. Disable e-mail forms from the Internet security zone

(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Disable e-mail forms from the Intranet security zone
(2) Software\Policies\Microsoft\Office\12.0\InfoPath\Security
Table 1.100. Disable e-mail forms from the Intranet security zone

(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Disable e-mail forms from the Full Trust security zone
(2) Software\Policies\Microsoft\Office\12.0\InfoPath\Security
Table 1.98. Disable e-mail forms from the Full Trust security zone

(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Disable InfoPath e-mail forms in Outlook
(2) Software\Policies\Microsoft\Office\12.0\Outlook\Options\Mail
Table 1.106. Disable InfoPath e-mail forms in Outlook

(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Restricted Features\Information Rights Management
(2) Software\Policies\Microsoft\Office\12.0\InfoPath\Designer\RestrictedFeatures
Table 1.163. Information Rights Management

(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Restricted Features\Custom code
(2) Software\Policies\Microsoft\Office\12.0\InfoPath\Designer\RestrictedFeatures
Table 1.79. Custom code

(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Miscellaneous\Email Forms Beaconing UI (Never show UI | Always show UI | Show UI if XSN is in Internet Zone)
(2) Software\Policies\Microsoft\Office\12.0\InfoPath\Security
Table 1.147. Email Forms Beaconing UI



(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable user customization of Quick Access Toolbar via UI
(2) Software\Policies\Microsoft\Office\12.0\Common\Toolbars
Table 1.122. Disable user customization of Quick Access Toolbar via UI

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable user customization of Quick Access Toolbar via UI - Disallow in Word
(2) Software\Policies\Microsoft\Office\12.0\Common\Toolbars
Table 1.122. Disable user customization of Quick Access Toolbar via UI

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable user customization of Quick Access Toolbar via UI - Disallow in Excel
(2) Software\Policies\Microsoft\Office\12.0\Common\Toolbars
Table 1.122. Disable user customization of Quick Access Toolbar via UI

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable user customization of Quick Access Toolbar via UI - Disallow in PowerPoint
(2) Software\Policies\Microsoft\Office\12.0\Common\Toolbars
Table 1.122. Disable user customization of Quick Access Toolbar via UI

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable user customization of Quick Access Toolbar via UI - Disallow in Access
(2) Software\Policies\Microsoft\Office\12.0\Common\Toolbars
Table 1.122. Disable user customization of Quick Access Toolbar via UI

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable user customization of Quick Access Toolbar via UI - Disallow in Outlook
(2) Software\Policies\Microsoft\Office\12.0\Common\Toolbars
Table 1.122. Disable user customization of Quick Access Toolbar via UI

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable all user customization of Quick Access Toolbar
(2) Software\Policies\Microsoft\Office\12.0\Common\Toolbars
Table 1.90. Disable all user customization of Quick Access Toolbar

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable all user customization of Quick Access Toolbar - Disallow in Word
(2) Software\Policies\Microsoft\Office\12.0\Common\Toolbars
Table 1.90. Disable all user customization of Quick Access Toolbar

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable all user customization of Quick Access Toolbar - Disallow in Excel
(2) Software\Policies\Microsoft\Office\12.0\Common\Toolbars
Table 1.90. Disable all user customization of Quick Access Toolbar

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable all user customization of Quick Access Toolbar - Disallow in PowerPoint
(2) Software\Policies\Microsoft\Office\12.0\Common\Toolbars
Table 1.90. Disable all user customization of Quick Access Toolbar

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable all user customization of Quick Access Toolbar - Disallow in Access
(2) Software\Policies\Microsoft\Office\12.0\Common\Toolbars
Table 1.90. Disable all user customization of Quick Access Toolbar

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable all user customization of Quick Access Toolbar - Disallow in Outlook
(2) Software\Policies\Microsoft\Office\12.0\Common\Toolbars
Table 1.90. Disable all user customization of Quick Access Toolbar

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable UI extending from documents and templates
(2) Software\Policies\Microsoft\Office\12.0\Common\Toolbars
Table 1.121. Disable UI extending from documents and templates

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable UI extending from documents and templates - Disallow in Word
(2) Software\Policies\Microsoft\Office\12.0\Common\Toolbars
Table 1.121. Disable UI extending from documents and templates

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable UI extending from documents and templates - Disallow in Excel
(2) Software\Policies\Microsoft\Office\12.0\Common\Toolbars
Table 1.121. Disable UI extending from documents and templates

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable UI extending from documents and templates - Disallow in PowerPoint
(2) Software\Policies\Microsoft\Office\12.0\Common\Toolbars
Table 1.121. Disable UI extending from documents and templates

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable UI extending from documents and templates - Disallow in Access
(2) Software\Policies\Microsoft\Office\12.0\Common\Toolbars
Table 1.121. Disable UI extending from documents and templates

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable UI extending from documents and templates - Disallow in Outlook
(2) Software\Policies\Microsoft\Office\12.0\Common\Toolbars
Table 1.121. Disable UI extending from documents and templates

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Tools | AutoCorrect Options... (Excel, Word, PowerPoint and Access)\Recognize smart tags in Excel
(2) Software\Policies\Microsoft\Office\12.0\Excel\Options
Table 1.194. Recognize smart tags in Excel

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Tools | Options | General | Web Options...\Disable Clip Art and Media downloads from the client and from Office Online website
(2) Software\Policies\Microsoft\Office\12.0\Common\Internet
Table 1.93. Disable Clip Art and Media downloads from the client and from Office Online website

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Tools | Options | General | Web Options...\Disable template downloads from the client and from Office Online website
(2) Software\Policies\Microsoft\Office\12.0\Common\Internet
Table 1.117. Disable template downloads from the client and from Office Online website

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Tools | Options | General | Web Options...\Disable access to updates, add-ins, and patches on the Office Online website
(2) Software\Policies\Microsoft\Office\12.0\Common\Internet
Table 1.85. Disable access to updates, add-ins, and patches on the Office Online website

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Tools | Options | General | Web Options...\Prevents users from uploading document templates to the Office Online community.
(2) Software\Policies\Microsoft\Office\12.0\Common\Internet
Table 1.188. Prevents users from uploading document templates to the Office Online community

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Tools | Options | General | Web Options...\Disable training practice downloads from the Office Online website
(2) Software\Policies\Microsoft\Office\12.0\Common\Internet
Table 1.119. Disable training practice downloads from the Office Online website

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Tools | Options | General | Web Options...\Disable customer-submitted templates downloads from Office Online
(2) Software\Policies\Microsoft\Office\12.0\Common\Internet
Table 1.95. Disable customer-submitted templates downloads from Office Online

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Tools | Options | General | Web Options...\Files\Open Office documents as read/write while browsing
(2) Software\Policies\Microsoft\Office\12.0\Common\Internet
Table 1.180. Open Office documents as read/write while browsing

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Tools | Options | General | Web Options...\Browsers\Rely on VML for displaying graphics in browsers
(2) Software\Policies\Microsoft\Office\12.0\Common\Internet
Table 1.195. Rely on VML for displaying graphics in browsers

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Tools | Options | General | Web Options...\Browsers\Allow PNG as an output format
(2) Software\Policies\Microsoft\Office\12.0\Common\Internet
Table 1.9. Allow PNG as an output format

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Tools | Options | Spelling\Proofing Data Collection\Improve Proofing Tools
(2) Software\Policies\Microsoft\Office\12.0\Common\PTWatson
Table 1.160. Improve Proofing Tools

(1) User Configuration\Administrative Templates\Classic Administrative Templates\Microsoft Office 2007\Privacy \Trust Center\Disable Opt-in Wizard on first run
(2) HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Common\QMEnable
Table 1.110. Disable Opt-in Wizard on first run

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Help\Microsoft Office Online
(2) Software\Policies\Microsoft\Office\12.0\Common\Internet

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Security Settings\Disable Password Caching
(2) Software\Policies\Microsoft\Office\12.0\Common\Security

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Security Settings\Disable all Trust Bar notifications for security issues
(2) Software\Policies\Microsoft\Office\12.0\Common\TrustCenter
Table 1.88. Disable all Trust Bar notifications for security issues

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Security Settings\Protect document metadata for rights managed Office Open XML Files
(2) Software\Policies\Microsoft\Office\12.0\Common\Security
Table 1.191. Protect document metadata for rights managed Office Open XML Files

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Security Settings\Protect document metadata for password protected files.
(2) Software\Policies\Microsoft\Office\12.0\Common\Security
Table 1.190. Protect document metadata for password protected files

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Security Settings\Encryption type for password protected Office Open XML files
(2) Software\Policies\Microsoft\Office\12.0\Common\Security
Table 1.153. Encryption type for password protected Office Open XML files

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Security Settings\Encryption type for password protected Office 97-2003 files
(2) Software\Policies\Microsoft\Office\12.0\Common\Security
Table 1.152. Encryption type for password protected Office 97-2003 files

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Security Settings\Load Controls in Forms3 (1 | 2 | 3 | 4)
(2) Software\Policies\Microsoft\VBA\Security
Table 1.168. Load Controls in Forms3

2007:
(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Security Settings\Automation Security (Disable macros by default | Use application macro security level | Macros enabled)
(2) Software\Policies\Microsoft\Office\Common\Security
2003:
(1) Computer Configuration\Administrative Templates\Microsoft Office 2003\Security Settings\Automation Security
(2) HKLM\Software\Policies\Microsoft\Office\11.0\Common\Security - AutomationSecurity
Table 1.24. Automation Security

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Security Settings\Prevent Word and Excel from loading managed code extensions
(2) Software\Policies\Microsoft\Office\Common\Smart Tag

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Security Settings\Disable hyperlink warnings
(2) Software\Policies\Microsoft\Office\12.0\Common\Security
Table 1.103. Disable hyperlink warnings

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Security Settings\Disable password to open UI
(2) Software\Policies\Microsoft\Office\12.0\Common\Security
Table 1.111. Disable password to open UI

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Security Settings\Download Office Controls
(2) Software\Policies\Microsoft\Office\12.0\Common\Internet

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Security Settings\Disable All ActiveX
(2) Software\Policies\Microsoft\Office\Common\Security
Table 1.86. Disable All ActiveX

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Security Settings\Trust Center\Allow mix of policy and user locations
(2) Software\Policies\Microsoft\Office\12.0\Common\Security\Trusted Locations
Table 1.8. Allow mix of policy and user locations

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Smart Documents (Word, Excel)\Disable Smart Document's use of manifests
(2) Software\Policies\Microsoft\Office\Common\Smart Tag
Table 1.116. Disable Smart Document's use of manifests

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Smart Documents (Word, Excel)\Completely disable the Smart Documents feature in Word and Excel
(2) Software\Policies\Microsoft\Office\Common\Smart Tag

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Services\Fax\Disable Internet Fax feature
(2) Software\Policies\Microsoft\Office\12.0\Common\Services\Fax
Table 1.107. Disable Internet Fax feature

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Manage Restricted Permissions\Prevent users from changing permissions on rights managed content
(2) Software\Policies\Microsoft\Office\12.0\Common\DRM
Table 1.187. Prevent users from changing permissions on rights managed content

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Manage Restricted Permissions\Allow users with earlier versions of Office to read with browsers...
(2) Software\Policies\Microsoft\Office\12.0\Common\DRM
Table 1.13. Allow users with earlier versions of Office to read with browsers…

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Manage Restricted Permissions\Always require users to connect to verify permission
(2) Software\Policies\Microsoft\Office\12.0\Common\DRM
Table 1.15. Always require users to connect to verify permission

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Manage Restricted Permissions\Always expand groups in Office when restricting permission for documents
(2) Software\Policies\Microsoft\Office\12.0\Common\DRM\AutoExpandDls
Table 1.14. Always expand groups in Office when restricting permission for documents

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Manage Restricted Permissions\Never allow users to specify groups when restricting permission for documents
(2) Software\Policies\Microsoft\Office\12.0\Common\DRM
Table 1.177. Never allow users to specify groups when restricting permission for documents

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Manage Restricted Permissions\Disable Microsoft Passport service for content with restricted permission
(2) Software\Policies\Microsoft\Office\12.0\Common\DRM
Table 1.108. Disable Microsoft Passport service for content with restricted permission

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Manage Restricted Permissions\Do not allow users to upgrade Information Rights Management configuration
(2) Software\Policies\Microsoft\Office\12.0\Common\DRM

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Signing\Key Usage Filtering
(2) Software\Policies\Microsoft\Office\12.0\Common\General
Table 1.166. Key Usage Filtering

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Signing\EKU filtering
(2) Software\Policies\Microsoft\Office\12.0\Common\Signatures
Table 1.146. EKU filtering

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Signing\Legacy format signatures
(2) Software\Policies\Microsoft\Office\12.0\Common\Signatures
Table 1.167. Legacy format signatures

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Signing\Suppress Office Signing Providers (Enable Western and East Asian | Suppress default Western | Suppress default East Asian | Suppress both Western and East Asian)
(2) Software\Policies\Microsoft\Office\12.0\Common\Signatures
Table 1.223. Suppress Office Signing Providers

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Signing\Suppress external signature services menu item
(2) Software\Policies\Microsoft\Office\12.0\Common\Signatures
Table 1.222. Suppress external signature services menu item

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Office Diagnostics\Disable Check For Solutions
(2) Software\Policies\Microsoft\Office\Common\OffDiag
Table 1.92. Disable Check For Solutions

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Microsoft Save As PDF and XPS add-ins\Disable inclusion of document properties in PDF and XPS output
(2) Software\Policies\Microsoft\Office\12.0\Common\FixedFormat
Table 1.105. Disable inclusion of document properties in PDF and XPS output

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Document Information Panel\Disable Document Information Panel
(2) Software\Policies\Microsoft\Office\12.0\Common\DocumentInformationPanel
Table 1.96. Disable Document Information Panel

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Document Information Panel\Document Information Panel Beaconing UI (Never show UI | Always show UI | Show UI if XSN is in Internet Zone)
(2) Software\Policies\Microsoft\Office\12.0\Common\DocumentInformationPanel
Table 1.144. Document Information Panel Beaconing UI

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Server Settings\Disable the Office client from polling the Office server for published links
(2) Software\Policies\Microsoft\Office\12.0\Common\Portal
Table 1.118. Disable the Office client from polling the Office server for published links


(1) User Configuration\Administrative Templates\Microsoft         Table 1.44. Block opening of pre-
Office 2007 system\Office 2007 Converters\Block opening of        release versions of file formats new to
pre-release versions of file formats new to Word 2007 through     Word 2007 through the Compatibility
the Compatibility Pack for the 2007 Office system and Word        Pack for the 2007 Office system and
2007 Open XML/Word 97-2003 Format Converter (2)                   Word 2007 Open XML/Word 97-2003
Software\Policies\Microsoft\Office\12.0\Word\Security\FileOpe     Format Converter
nBlock




(1) User Configuration\Administrative Templates\Microsoft         Table 1.40. Block opening of pre-
Office 2007 system\Office 2007 Converters\Block opening of        release versions of file formats new to
pre-release versions of file formats new to Excel 2007 through    Excel 2007 through the Compatibility
the Compatibility Pack for the 2007 Office system and Excel       Pack for the 2007 Office system and
2007 Converter (2)                                                Excel 2007 Converter
Software\Policies\Microsoft\Office\12.0\Excel\Security\FileOpenBlock


(1) User Configuration\Administrative Templates\Microsoft         Table 1.42. Block opening of pre-
Office 2007 system\Office 2007 Converters\Block opening of        release versions of file formats new to
pre-release versions of file formats new to PowerPoint 2007       PowerPoint 2007 through the
through the Compatibility Pack for the 2007 Office system and     Compatibility Pack for the 2007 Office
PowerPoint 2007 Converter (2)                                     system and PowerPoint 2007 Converter
Software\Policies\Microsoft\Office\12.0\PowerPoint\Security\FileOpenBlock



(1) User Configuration\Administrative Templates\Microsoft         Table 1.78. Control blogging
Office 2007 system\Miscellaneous\Control Blogging (Enabled
| Only SharePoint blogs allowed | All blogging disabled) (2)
Software\Policies\Microsoft\Office\12.0\Common\Blog


(1) User Configuration\Administrative Templates\Microsoft
Office 2007 system\Miscellaneous\Enable Smart Resume (2)
Software\Policies\Microsoft\Office\12.0\Common\Restore
Workspace

(1) User Configuration\Administrative Templates\Microsoft
Office 2007 system\Miscellaneous\Do not upload media files
(2) Software\Policies\Microsoft\Office\12.0\Common\Internet
(1) User Configuration\Administrative Templates\Microsoft          Table 1.104. Disable hyperlinks to web
Office 2007 system\Miscellaneous\Disable hyperlinks to web         templates from the client and from
templates in File | New and task panes (2)                         Office Online website
Software\Policies\Microsoft\Office\12.0\Common\Internet

(1) User Configuration\Administrative Templates\Microsoft
Office 2007 system\Miscellaneous\Prevent access to Web-
based file storage (2)
Software\Policies\Microsoft\Office\12.0\Common\WebServices

(1) User Configuration\Administrative Templates\Microsoft          Table 1.128. Do not allow attachment
Office Outlook 2007\Tools | Options...\Preferences\E-mail          previewing in Outlook
Options\Do not allow attachment previewing in Outlook (2)
Software\Policies\Microsoft\Office\12.0\Outlook\Preferences


(1) User Configuration\Administrative Templates\Microsoft          Table 1.192. Read e-mail as plain text
Office Outlook 2007\Tools | Options...\Preferences\E-mail
Options\Read e-mail as plain text (2)
Software\Policies\Microsoft\Office\12.0\Outlook\Options\Mail

(1) User Configuration\Administrative Templates\Microsoft          Table 1.193. Read signed e-mail as
Office Outlook 2007\Tools | Options...\Preferences\E-mail          plain text
Options\Read signed e-mail as plain text (2)
Software\Policies\Microsoft\Office\12.0\Outlook\Options\Mail


(1) User Configuration\Administrative Templates\Microsoft          Table 1.185. Prevent publishing to
Office Outlook 2007\Tools | Options...\Preferences\Calendar        Office Online
Options\Microsoft Office Online Sharing Service\Prevent
publishing to Office Online (2)
Software\Policies\Microsoft\Office\12.0\Outlook\Options\PubCal

(1) User Configuration\Administrative Templates\Microsoft          Table 1.184. Prevent publishing to a
Office Outlook 2007\Tools | Options...\Preferences\Calendar        DAV server
Options\Microsoft Office Online Sharing Service\Prevent
publishing to a DAV server (2)
Software\Policies\Microsoft\Office\12.0\Outlook\Options\PubCal

(1) User Configuration\Administrative Templates\Microsoft          Table 1.202. Restrict level of calendar
Office Outlook 2007\Tools | Options...\Preferences\Calendar        details users can publish
Options\Microsoft Office Online Sharing Service\Restrict level
of calendar details users can publish (All options are available
| Disables 'Full details' | Disables 'Full details' and 'Limited
details') (2)
Software\Policies\Microsoft\Office\12.0\Outlook\Options\PubCal
(1) User Configuration\Administrative Templates\Microsoft      Table 1.1. Access to published
Office Outlook 2007\Tools | Options...\Preferences\Calendar    calendars
Options\Microsoft Office Online Sharing Service\Access to
published calendars (2)
Software\Policies\Microsoft\Office\12.0\Outlook\Options\PubCal

(1) User Configuration\Administrative Templates\Microsoft      Table 1.203. Restrict upload method
Office Outlook 2007\Tools | Options...\Preferences\Calendar
Options\Microsoft Office Online Sharing Service\Restrict
upload method (2)
Software\Policies\Microsoft\Office\12.0\Outlook\Options\PubCal

(1) User Configuration\Administrative Templates\Microsoft      Table 1.158. Hide Junk Mail UI
Office Outlook 2007\Tools | Options...\Preferences\Junk E-
mail\Hide Junk Mail UI (2)
Software\Policies\Microsoft\Office\12.0\Outlook

(1) User Configuration\Administrative Templates\Microsoft      Table 1.165. Junk E-mail protection
Office Outlook 2007\Tools | Options...\Preferences\Junk E-     level
mail\Junk E-mail protection level (No Protection, Low, High,
Trusted Lists Only) (2)
Software\Policies\Microsoft\Office\12.0\Outlook\Options\Mail


(1) User Configuration\Administrative Templates\Microsoft      Table 1.226. Trust E-mail from Contacts
Office Outlook 2007\Tools | Options...\Preferences\Junk E-
mail\Trust E-mail from Contacts (2)
Software\Policies\Microsoft\Office\12.0\Outlook\Options\Mail

(1) User Configuration\Administrative Templates\Microsoft      Table 1.4. Add e-mail recipients to users' Safe Senders List
Office Outlook 2007\Tools | Options...\Preferences\Junk E-
mail\Add e-mail recipients to users' Safe Senders Lists (2)
Software\Policies\Microsoft\Office\12.0\Outlook\Options\Mail


(1) User Configuration\Administrative Templates\Microsoft      Table 1.84. Dial-up options
Office Outlook 2007\Tools | Options...\Mail Setup\Dial-up
options (2)
Software\Policies\Microsoft\Office\12.0\Outlook\Options\Mail

(1) User Configuration\Administrative Templates\Microsoft      Table 1.84. Dial-up options
Office Outlook 2007\Tools | Options...\Mail Setup\Dial-up
options - Warn before switching dial-up connection (2)
Software\Policies\Microsoft\Office\12.0\Outlook\Options\Mail
(1) User Configuration\Administrative Templates\Microsoft       Table 1.84. Dial-up options
Office Outlook 2007\Tools | Options...\Mail Setup\Dial-up
options - Hang up when finished sending, receiving, or
updating (2)
Software\Policies\Microsoft\Office\12.0\Outlook\Options\Mail

(1) User Configuration\Administrative Templates\Microsoft       Table 1.84. Dial-up options
Office Outlook 2007\Tools | Options...\Mail Setup\Dial-up
options - Automatically dial during a background
Send/Receive (2)
Software\Policies\Microsoft\Office\12.0\Outlook\Options\Mail


(1) User Configuration\Administrative Templates\Microsoft       Table 1.129. Do not allow creating,
Office Outlook 2007\Tools | Options...\Mail Format\Do not       replying, or forwarding signatures for e-
allow creating, replying, or forwarding signatures for e-mail   mail messages
messages (2)
Software\Policies\Microsoft\Office\12.0\Common\MailSettings


(1) User Configuration\Administrative Templates\Microsoft
Office Outlook 2007\Tools | Options...\Mail Format\Internet
Formatting\Send copy of pictures with HTML messages
instead of reference to Internet location (2)
Software\Policies\Microsoft\Office\12.0\Outlook\Options\Mail


(1) User Configuration\Administrative Templates\Microsoft       Table 1.181. Outlook Rich Text options
Office Outlook 2007\Tools | Options...\Mail Format\Internet
Formatting\Outlook Rich Text options (Convert to HTML |
Convert to Plain Text format | Send Using Outlook Rich Text
format) (2)
Software\Policies\Microsoft\Office\12.0\Outlook\Options\Mail


(1) User Configuration\Administrative Templates\Microsoft       Table 1.183. Plain text options
Office Outlook 2007\Tools | Options...\Mail Format\Internet
Formatting\Plain text options (2)
Software\Policies\Microsoft\Office\12.0\Outlook\Options\Mail

(1) User Configuration\Administrative Templates\Microsoft       Table 1.183. Plain text options
Office Outlook 2007\Tools | Options...\Mail Format\Internet
Formatting\Plain text options - Encode attachments in
UUENCODE format when sending a plain text message (2)
Software\Policies\Microsoft\Office\12.0\Outlook\Options\Mail
(1) User Configuration\Administrative Templates\Microsoft          Table 1.217. Set message format
Office Outlook 2007\Tools | Options...\Mail Format\Internet
Formatting\Message Format\Set message format (HTML |
Rich Text | Plain Text) (2)
Software\Policies\Microsoft\Office\12.0\Outlook\Options\Mail

(1) User Configuration\Administrative Templates\Microsoft          Table 1.171. Make Outlook the default
Office Outlook 2007\Tools | Options...\Other\Make Outlook          program for E-mail, Contacts, and
the default program for E-mail, Contacts, and Calendar (2)         Calendar
software\policies\microsoft\office\12.0\outlook\options\general


(1) User Configuration\Administrative Templates\Microsoft          Table 1.130. Do not allow folders in non-
Office Outlook 2007\Tools | Options...\Other\Advanced\Do not       default stores to be set as folder home
allow folders in non-default stores to be set as folder home       pages
pages (2)
Software\Policies\Microsoft\Office\12.0\Outlook\Security

(1) User Configuration\Administrative Templates\Microsoft          Table 1.233. Use Unicode format when
Office Outlook 2007\Tools | Options...\Other\Advanced\Use          dragging e-mail message to file system
Unicode format when dragging e-mail message to file system
(2)
Software\Policies\Microsoft\Office\12.0\Outlook\Options\General
(1) User Configuration\Administrative Templates\Microsoft          Table 1.132. Do not allow Outlook
Office Outlook 2007\Tools | Options...\Other\Advanced\Do not       object model scripts to run for shared
allow Outlook object model scripts to run for shared folders       folders
(2) Software\Policies\Microsoft\Office\12.0\Outlook\Security


(1) User Configuration\Administrative Templates\Microsoft          Table 1.131. Do not allow Outlook
Office Outlook 2007\Tools | Options...\Other\Advanced\Do not       object model scripts to run for public
allow Outlook object model scripts to run for public folders (2)   folders
Software\Policies\Microsoft\Office\12.0\Outlook\Security


(1) User Configuration\Administrative Templates\Microsoft          Table 1.216. Set maximum level of
Office Outlook 2007\Tools | Options...\Other\Person                online status on a person name
Names\Set maximum level of online status on a person name
(Do not allow | Allow everywhere except To and CC field |
Allow everywhere) (2)
Software\Policies\Microsoft\Office\12.0\Outlook\IM
(1) User Configuration\Administrative Templates\Microsoft       Table 1.126. Display online status on a
Office Outlook 2007\Tools | Options...\Other\Person             person name
Names\Display online status on a person name (Never |
Everywhere except To and CC field | Everywhere) (2)
Software\Policies\Microsoft\Office\12.0\Outlook\IM



(1) User Configuration\Administrative Templates\Microsoft       Table 1.227. Turn off Enable the
Office Outlook 2007\Tools | Options...\Other\Person             Person Names Smart Tag option
Names\Turn off Enable the Person Names Smart Tag option
(2) Software\Policies\Microsoft\Office\12.0\Outlook\IM


(1) User Configuration\Administrative Templates\Microsoft       Table 1.182. Outlook Security Mode
Office Outlook 2007\Security\Security Form Settings\Outlook
Security Mode (Outlook Default Security | Use Security Form
from 'Outlook Security Settings' Public Folder | Use Security
Form from 'Outlook 10 Security Settings' Public Folder | Use
Outlook Security Group Policy) (2)
Software\Policies\Microsoft\Office\12.0\Outlook\Security




(1) User Configuration\Administrative Templates\Microsoft       Table 1.125. Display Level 1
Office Outlook 2007\Security\Security Form                      attachments
Settings\Attachment Security\Display Level 1 attachments (2)
Software\Policies\Microsoft\Office\12.0\Outlook\Security

(1) User Configuration\Administrative Templates\Microsoft       Table 1.12. Allow users to demote
Office Outlook 2007\Security\Security Form                      attachments to Level 2
Settings\Attachment Security\Allow users to demote
attachments to Level 2 (2)
Software\Policies\Microsoft\Office\12.0\Outlook\Security

(1) User Configuration\Administrative Templates\Microsoft       Table 1.140. Do not prompt about Level
Office Outlook 2007\Security\Security Form                      1 attachments when sending an item
Settings\Attachment Security\Do not prompt about Level 1
attachments when sending an item (2)
Software\Policies\Microsoft\Office\12.0\Outlook\Security


(1) User Configuration\Administrative Templates\Microsoft       Table 1.139. Do not prompt about Level
Office Outlook 2007\Security\Security Form                      1 attachments when closing an item
Settings\Attachment Security\Do not prompt about Level 1
attachments when closing an item (2)
Software\Policies\Microsoft\Office\12.0\Outlook\Security
(1) User Configuration\Administrative Templates\Microsoft
Office Outlook 2007\Security\Security Form
Settings\Attachment Security\Allow in-place activation of
embedded OLE objects (2)
Software\Policies\Microsoft\Office\12.0\Outlook\Security

(1) User Configuration\Administrative Templates\Microsoft
Office Outlook 2007\Security\Security Form
Settings\Attachment Security\Display OLE package objects
(2) Software\Policies\Microsoft\Office\12.0\Outlook\Security


(1) User Configuration\Administrative Templates\Microsoft      Table 1.5. Add file extensions to block as Level 1
Office Outlook 2007\Security\Security Form
Settings\Attachment Security\Add file extensions to block as
Level 1 (2)
Software\Policies\Microsoft\Office\12.0\Outlook\Security
(1) User Configuration\Administrative Templates\Microsoft      Table 1.196. Remove file extensions
Office Outlook 2007\Security\Security Form                     blocked as Level 1
Settings\Attachment Security\Remove file extensions blocked
as Level 1 (2)
Software\Policies\Microsoft\Office\12.0\Outlook\Security

(1) User Configuration\Administrative Templates\Microsoft      Table 1.6. Add file extensions to block as Level 2
Office Outlook 2007\Security\Security Form
Settings\Attachment Security\Add file extensions to block as
Level 2 (2)
Software\Policies\Microsoft\Office\12.0\Outlook\Security
(1) User Configuration\Administrative Templates\Microsoft      Table 1.197. Remove file extensions
Office Outlook 2007\Security\Security Form                     blocked as Level 2
Settings\Attachment Security\Remove file extensions blocked
as Level 2 (2)
Software\Policies\Microsoft\Office\12.0\Outlook\Security

(1) User Configuration\Administrative Templates\Microsoft      Table 1.10. Allow scripts in one-off
Office Outlook 2007\Security\Security Form Settings\Custom     Outlook forms
Form Security\Allow scripts in one-off Outlook forms (2)
Software\Policies\Microsoft\Office\12.0\Outlook\Security


(1) User Configuration\Administrative Templates\Microsoft      Table 1.218. Set Outlook object model
Office Outlook 2007\Security\Security Form Settings\Custom     Custom Actions execution prompt
Form Security\Set Outlook object model Custom Actions
execution prompt (Prompt User | Automatically Approve |
Automatically Deny | Prompt user based on computer
security) (2)
Software\Policies\Microsoft\Office\12.0\Outlook\Security
(1) User Configuration\Administrative Templates\Microsoft      Table 1.215. Set control ItemProperty
Office Outlook 2007\Security\Security Form Settings\Custom     prompt
Form Security\Set control ItemProperty prompt (Prompt User |
Automatically Approve | Automatically Deny | Prompt user
based on computer security) (2)
Software\Policies\Microsoft\Office\12.0\Outlook\Security



(1) User Configuration\Administrative Templates\Microsoft      Table 1.71. Configure Outlook object
Office Outlook 2007\Security\Security Form                     model prompt when sending mail
Settings\Programmatic Security\Configure Outlook object
model prompt when sending mail (Prompt User |
Automatically Approve | Automatically Deny | Prompt user
based on computer security) (2)
Software\Policies\Microsoft\Office\12.0\Outlook\Security




(1) User Configuration\Administrative Templates\Microsoft      Table 1.65. Configure Outlook object
Office Outlook 2007\Security\Security Form                     model prompt when accessing an
Settings\Programmatic Security\Configure Outlook object        address book
model prompt when accessing an address book (Prompt User
| Automatically Approve | Automatically Deny | Prompt user
based on computer security) (2)
Software\Policies\Microsoft\Office\12.0\Outlook\Security




(1) User Configuration\Administrative Templates\Microsoft      Table 1.69. Configure Outlook object
Office Outlook 2007\Security\Security Form                     model prompt when reading address
Settings\Programmatic Security\Configure Outlook object        information
model prompt when reading address information (Prompt
User | Automatically Approve | Automatically Deny | Prompt
user based on computer security) (2)
Software\Policies\Microsoft\Office\12.0\Outlook\Security
(1) User Configuration\Administrative Templates\Microsoft     Table 1.70. Configure Outlook object
Office Outlook 2007\Security\Security Form                    model prompt when responding to
Settings\Programmatic Security\Configure Outlook object       meeting and task requests
model prompt when responding to meeting and task requests
(Prompt User | Automatically Approve | Automatically Deny |
Prompt user based on computer security) (2)
Software\Policies\Microsoft\Office\12.0\Outlook\Security




(1) User Configuration\Administrative Templates\Microsoft     Table 1.68. Configure Outlook object
Office Outlook 2007\Security\Security Form                    model prompt when executing Save As
Settings\Programmatic Security\Configure Outlook object
model prompt when executing Save As (Prompt User |
Automatically Approve | Automatically Deny | Prompt user
based on computer security) (2)
Software\Policies\Microsoft\Office\12.0\Outlook\Security




(1) User Configuration\Administrative Templates\Microsoft     Table 1.67. Configure Outlook object
Office Outlook 2007\Security\Security Form                    model prompt When accessing the
Settings\Programmatic Security\Configure Outlook object       Formula property of a UserProperty
model prompt When accessing the Formula property of a         object
UserProperty object (Prompt User | Automatically Approve |
Automatically Deny | Prompt user based on computer
security) (2)
Software\Policies\Microsoft\Office\12.0\Outlook\Security




(1) User Configuration\Administrative Templates\Microsoft     Table 1.66. Configure Outlook object
Office Outlook 2007\Security\Security Form                    model prompt when accessing address
Settings\Programmatic Security\Configure Outlook object       information via UserProperties.Find
model prompt when accessing address information via
UserProperties.Find (Prompt User | Automatically Approve |
Automatically Deny | Prompt user based on computer
security) (2)
Software\Policies\Microsoft\Office\12.0\Outlook\Security
(1) User Configuration\Administrative Templates\Microsoft       Table 1.201. Required Certificate
Office Outlook 2007\Security\Cryptography\Required              Authority
Certificate Authority (2)
Software\Policies\Microsoft\Office\12.0\Outlook\Security
(1) User Configuration\Administrative Templates\Microsoft       Table 1.207. S/MIME interoperability
Office Outlook 2007\Security\Cryptography\S/MIME                with external clients:
interoperability with external clients: (Handle internally |
Handle externally | Handle if possible) (2)
Software\Policies\Microsoft\Office\12.0\Outlook\Security



(1) User Configuration\Administrative Templates\Microsoft
Office Outlook 2007\Security\Cryptography\Always use Rich
Text formatting in S/MIME messages (2)
Software\Policies\Microsoft\Office\12.0\Outlook\Security


(1) User Configuration\Administrative Templates\Microsoft       Table 1.208. S/MIME password settings
Office Outlook 2007\Security\Cryptography\S/MIME password
settings (2)
Software\Policies\Microsoft\Cryptography\Defaults\Provider\Microsoft Exchange Cryptographic Provider v1.0
(1) User Configuration\Administrative Templates\Microsoft       Table 1.208. S/MIME password settings
Office Outlook 2007\Security\Cryptography\S/MIME password
settings - Default S/MIME password time (minutes): (0 -
2147483647) (2)
Software\Policies\Microsoft\Cryptography\Defaults\Provider\Microsoft Exchange Cryptographic Provider v1.0


(1) User Configuration\Administrative Templates\Microsoft       Table 1.208. S/MIME password settings
Office Outlook 2007\Security\Cryptography\S/MIME password
settings - Maximum S/MIME password time (minutes): (0 -
2147483647) (2)
Software\Policies\Microsoft\Cryptography\Defaults\Provider\Microsoft Exchange Cryptographic Provider v1.0


(1) User Configuration\Administrative Templates\Microsoft       Table 1.172. Message Formats
Office Outlook 2007\Security\Cryptography\Message Formats
(2) Software\Policies\Microsoft\Office\12.0\Outlook\Security
(1) User Configuration\Administrative Templates\Microsoft       Table 1.172. Message Formats
Office Outlook 2007\Security\Cryptography\Message Formats
- Support the following message formats: (S/MIME |
Exchange | Fortezza | S/MIME and Exchange | S/MIME and
Fortezza | Exchange and Fortezza | S/MIME, Exchange, and
Fortezza) (2)
Software\Policies\Microsoft\Office\12.0\Outlook\Security




2007: (1) User Configuration\Administrative                     Table 1.142. Do not provide Continue
Templates\Microsoft Office Outlook                              option on Encryption warning dialog
2007\Security\Cryptography\Do not provide Continue option       boxes
on Encryption warning dialog boxes (2)
Software\Policies\Microsoft\Office\12.0\Outlook\Security
2003: (1) User Configuration\Administrative
Templates\Microsoft Office Outlook
2003\Tools\Options\Security\Cryptography\Disable Continue
button on all Encryption warning dialogs (2)
HKCU\Software\Policies\Microsoft\office\11.0\outlook\Security
- DisableContinue
(1) User Configuration\Administrative Templates\Microsoft       Table 1.205. Run in FIPS compliant
Office Outlook 2007\Security\Cryptography\Run in FIPS           mode
compliant mode (2)
Software\Policies\Microsoft\Office\12.0\Outlook\Security

2007: (1) User Configuration\Administrative                     Table 1.151. Encrypt all e-mail
Templates\Microsoft Office Outlook                              messages
2007\Security\Cryptography\Encrypt all e-mail messages (2)
Software\Policies\Microsoft\Office\12.0\Outlook\Security
2003: (1) User Configuration\Administrative
Templates\Microsoft Office Outlook
2003\Tools\Options\Security\Cryptography\Encrypt all e-mail
messages (2)
HKCU\Software\Policies\Microsoft\Office\11.0\Outlook\Security - AlwaysEncrypt

(1) User Configuration\Administrative Templates\Microsoft       Table 1.219. Sign all e-mail messages
Office Outlook 2007\Security\Cryptography\Sign all e-mail
messages (2)
Software\Policies\Microsoft\Office\12.0\Outlook\Security

(1) User Configuration\Administrative Templates\Microsoft       Table 1.232. URL for S/MIME
Office Outlook 2007\Security\Cryptography\URL for S/MIME        certificates
certificates (2)
Software\Policies\Microsoft\Office\12.0\Outlook\Security
(1) User Configuration\Administrative Templates\Microsoft            Table 1.154. Ensure all S/MIME signed
Office Outlook 2007\Security\Cryptography\Ensure all S/MIME          messages have a label
signed messages have a label (2)
Software\Policies\Microsoft\Office\12.0\Outlook\Security

(1) User Configuration\Administrative Templates\Microsoft            Table 1.209. S/MIME receipt requests
Office Outlook 2007\Security\Cryptography\S/MIME receipt
requests (Open message if receipt can't be sent | Don't open
message if receipt can't be sent | Always prompt before
sending receipt | Never send S/MIME ) (2)
Software\Policies\Microsoft\Office\12.0\Outlook\Security




(1) User Configuration\Administrative Templates\Microsoft            Table 1.156. Fortezza certificate policies
Office Outlook 2007\Security\Cryptography\Fortezza
certificate policies (2)
Software\Policies\Microsoft\Office\12.0\Outlook\Security
(1) User Configuration\Administrative Templates\Microsoft            Table 1.199. Require SuiteB algorithms
Office Outlook 2007\Security\Cryptography\Require SuiteB             for S/MIME operations
algorithms for S/MIME operations (2)
Software\Policies\Microsoft\Office\12.0\Outlook\Security


(1) User Configuration\Administrative Templates\Microsoft            Table 1.174. Missing CRLs
Office Outlook 2007\Security\Cryptography\Signature Status
dialog box\Missing CRLs (2)
Software\Policies\Microsoft\Office\12.0\Outlook\Security
(1) User Configuration\Administrative Templates\Microsoft            Table 1.174. Missing CRLs
Office Outlook 2007\Security\Cryptography\Signature Status
dialog box\Missing CRLs - Indicate a missing CRL as a(n):
(warning | error) (2)
Software\Policies\Microsoft\Office\12.0\Outlook\Security

(1) User Configuration\Administrative Templates\Microsoft            Table 1.175. Missing root certificates
Office Outlook 2007\Security\Cryptography\Signature Status
dialog box\Missing root certificates (2)
Software\Policies\Microsoft\Office\12.0\Outlook\Security

(1) User Configuration\Administrative Templates\Microsoft            Table 1.175. Missing root certificates
Office Outlook 2007\Security\Cryptography\Signature Status
dialog box\Missing root certificates - Indicate a missing root
certificate as a(n): (neither error nor warning | warning | error)
(2) Software\Policies\Microsoft\Office\12.0\Outlook\Security
(1) User Configuration\Administrative Templates\Microsoft       Table 1.189. Promote Level 2 errors as
Office Outlook 2007\Security\Cryptography\Signature Status      errors, not warnings
dialog box\Promote Level 2 errors as errors, not warnings (2)
Software\Policies\Microsoft\Office\12.0\Outlook\Security

(1) User Configuration\Administrative Templates\Microsoft       Table 1.18. Attachment Secure
Office Outlook 2007\Security\Cryptography\Signature Status      Temporary Folder
dialog box\Attachment Secure Temporary Folder (2)
Software\Policies\Microsoft\Office\12.0\Outlook\Security

(1) User Configuration\Administrative Templates\Microsoft       Table 1.127. Display pictures and
Office Outlook 2007\Security\Automatic Picture Download         external content in HTML e-mail
Settings\Display pictures and external content in HTML e-mail
(2)
Software\Policies\Microsoft\Office\12.0\Outlook\Options\Mail

(1) User Configuration\Administrative Templates\Microsoft       Table 1.22. Automatically download
Office Outlook 2007\Security\Automatic Picture Download         content for e-mail from people in Safe
Settings\Automatically download content for e-mail from         Senders and Safe Recipients Lists
people in Safe Senders and Safe Recipients Lists (2)
Software\Policies\Microsoft\Office\12.0\Outlook\Options\Mail



(1) User Configuration\Administrative Templates\Microsoft       Table 1.138. Do not permit download of
Office Outlook 2007\Security\Automatic Picture Download         content from safe zones
Settings\Do not permit download of content from safe zones
(2)
Software\Policies\Microsoft\Office\12.0\Outlook\Options\Mail

(1) User Configuration\Administrative Templates\Microsoft       Table 1.63. Block Trusted Zones
Office Outlook 2007\Security\Automatic Picture Download
Settings\Block Trusted Zones (2)
Software\Policies\Microsoft\Office\12.0\Outlook\Options\Mail

(1) User Configuration\Administrative Templates\Microsoft       Table 1.161. Include Internet in Safe
Office Outlook 2007\Security\Automatic Picture Download         Zones for Automatic Picture Download
Settings\Include Internet in Safe Zones for Automatic Picture
Download (2)
Software\Policies\Microsoft\Office\12.0\Outlook\Options\Mail


(1) User Configuration\Administrative Templates\Microsoft       Table 1.162. Include Intranet in Safe
Office Outlook 2007\Security\Automatic Picture Download         Zones for Automatic Picture Download
Settings\Include Intranet in Safe Zones for Automatic Picture
Download (2)
Software\Policies\Microsoft\Office\12.0\Outlook\Options\Mail
(1) User Configuration\Administrative Templates\Microsoft        Table 1.213. Security setting for macros
Office Outlook 2007\Security\Trust Center\Security setting for
macros (Always warn | Never warn, disable all | Warn for
signed, disable unsigned | No security check) (2)
Software\Policies\Microsoft\Office\12.0\Outlook\Security



(1) User Configuration\Administrative Templates\Microsoft        Table 1.149. Enable links in e-mail
Office Outlook 2007\Security\Trust Center\Enable links in e-     messages
mail messages (2)
Software\Policies\Microsoft\Office\12.0\Outlook\Options\Mail

(1) User Configuration\Administrative Templates\Microsoft        Table 1.16. Apply macro security
Office Outlook 2007\Security\Trust Center\Apply macro            settings to macros, add-ins, and
security settings to macros, add-ins, and SmartTags (2)          SmartTags
Software\Policies\Microsoft\Office\12.0\Outlook\Security



(1) User Configuration\Administrative Templates\Microsoft        Table 1.20. Automatically configure
Office Outlook 2007\Tools | Account                              profile based on Active Directory
Settings\Exchange\Automatically configure profile based on       Primary SMTP address
Active Directory Primary SMTP address (2)
Software\Policies\Microsoft\Office\12.0\Outlook\AutoDiscover


(1) User Configuration\Administrative Templates\Microsoft        Table 1.133. Do not allow users to
Office Outlook 2007\Tools | Account Settings\Exchange\Do         change permissions on folders
not allow users to change permissions on folders (2)
Software\Policies\Microsoft\Office\12.0\Outlook\Options\Folders

(1) User Configuration\Administrative Templates\Microsoft        Table 1.150. Enable RPC encryption
Office Outlook 2007\Tools | Account
Settings\Exchange\Enable RPC encryption (2)
Software\Policies\Microsoft\Office\12.0\Outlook\RPC

(1) User Configuration\Administrative Templates\Microsoft        Table 1.19. Authentication with
Office Outlook 2007\Tools | Account                              Exchange Server
Settings\Exchange\Authentication with Exchange Server
(Kerberos/NTLM Password Authentication | Kerberos
Password Authentication | NTLM Password Authentication)
(2) Software\Policies\Microsoft\Office\12.0\Outlook\Security
(1) User Configuration\Administrative Templates\Microsoft          Table 1.224. Synchronize Outlook RSS
Office Outlook 2007\Tools | Account Settings\RSS                   Feeds with Common Feed List
Feeds\Synchronize Outlook RSS Feeds with Common Feed
List (2)
Software\Policies\Microsoft\Office\12.0\Outlook\Options\RSS

(1) User Configuration\Administrative Templates\Microsoft          Table 1.228. Turn off RSS feature
Office Outlook 2007\Tools | Account Settings\RSS
Feeds\Turn off RSS feature (2)
Software\Policies\Microsoft\Office\12.0\Outlook\Options\RSS

(1) User Configuration\Administrative Templates\Microsoft
Office Outlook 2007\Tools | Account Settings\RSS
Feeds\Automatically download enclosures (2)
Software\Policies\Microsoft\Office\12.0\Outlook\Options\RSS

(1) User Configuration\Administrative Templates\Microsoft          Table 1.145. Download full text of
Office Outlook 2007\Tools | Account Settings\RSS                   articles as HTML attachments
Feeds\Download full text of articles as HTML attachments (2)
Software\Policies\Microsoft\Office\12.0\Outlook\Options\RSS


(1) User Configuration\Administrative Templates\Microsoft          Table 1.21. Automatically download
Office Outlook 2007\Tools | Account Settings\Internet              attachments
Calendars\Automatically download attachments (2)
Software\Policies\Microsoft\Office\12.0\Outlook\Options\WebCal

(1) User Configuration\Administrative Templates\Microsoft          Table 1.137. Do not include Internet
Office Outlook 2007\Tools | Account Settings\Internet              Calendar integration in Outlook
Calendars\Do not include Internet Calendar integration in
Outlook (2)
Software\Policies\Microsoft\Office\12.0\Outlook\Options\WebCal
(1) User Configuration\Administrative Templates\Microsoft          Table 1.123. Disable user entries to
Office Outlook 2007\Meeting Workspace\Disable user entries         server list
to server list (Publish default, allow others | Publish default,
disallow others) (2)
Software\Policies\Microsoft\Office\12.0\Meetings\Profile


(1) User Configuration\Administrative Templates\Microsoft          Table 1.136. Do not expand distribution
Office Outlook 2007\Miscellaneous\Do not expand distribution       lists
lists (2)
Software\Policies\Microsoft\Office\12.0\Outlook\Options\Mail
(1) User Configuration\Administrative Templates\Microsoft        Table 1.212. Save files in this format
Office PowerPoint 2007\PowerPoint Options\Save\Save files
in this format (PowerPoint Presentation (*.pptx) | PowerPoint
Macro-Enabled Presentation (*.pptm) | PowerPoint 97-2003
Presentation (*.ppt)) (2)
Software\Policies\Microsoft\Office\12.0\PowerPoint\Options




(1) User Configuration\Administrative Templates\Microsoft
Office PowerPoint 2007\PowerPoint
Options\Advanced\Number of documents in the Recent
Documents list (0 - 50) (2)
Software\Policies\Microsoft\Office\12.0\PowerPoint\File MRU

(1) User Configuration\Administrative Templates\Microsoft        Table 1.82. Determine whether to force
Office PowerPoint 2007\PowerPoint                                encrypted macros to be scanned in
Options\Security\Determine whether to force encrypted            Microsoft PowerPoint Open XML
macros to be scanned in Microsoft PowerPoint Open XML            presentations
presentations (2)
Software\Policies\Microsoft\Office\12.0\PowerPoint\Security



(1) User Configuration\Administrative Templates\Microsoft        Table 1.206. Run Programs
Office PowerPoint 2007\PowerPoint Options\Security\Run
Programs (disable (don't run any programs) | enable (prompt
user before running) | enable all (run without prompting)) (2)
Software\Policies\Microsoft\Office\12.0\PowerPoint\Security




(1) User Configuration\Administrative Templates\Microsoft        Table 1.170. Make hidden markup
Office PowerPoint 2007\PowerPoint Options\Security\Make          visible
hidden markup visible (2)
Software\Policies\Microsoft\Office\12.0\PowerPoint\Security

(1) User Configuration\Administrative Templates\Microsoft        Table 1.229. Unblock automatic
Office PowerPoint 2007\PowerPoint Options\Security\Unblock       download of linked images
automatic download of linked images (2)
Software\Policies\Microsoft\Office\12.0\PowerPoint\Security


(1) User Configuration\Administrative Templates\Microsoft        Table 1.87. Disable all application add-
Office PowerPoint 2007\PowerPoint Options\Security\Trust         ins
Center\Disable all application add-ins (2)
Software\Policies\Microsoft\Office\12.0\PowerPoint\Security
(1) User Configuration\Administrative Templates\Microsoft        Table 1.200. Require that application
Office PowerPoint 2007\PowerPoint Options\Security\Trust         add-ins are signed by Trusted Publisher
Center\Require that application add-ins are signed by Trusted
Publisher (2)
Software\Policies\Microsoft\Office\12.0\PowerPoint\Security

(1) User Configuration\Administrative Templates\Microsoft        Table 1.120. Disable Trust Bar
Office PowerPoint 2007\PowerPoint Options\Security\Trust         Notification for unsigned application
Center\Disable Trust Bar Notification for unsigned application   add-ins
add-ins (2)
Software\Policies\Microsoft\Office\12.0\PowerPoint\Security

(1) User Configuration\Administrative Templates\Microsoft        Table 1.11. Allow Trusted Locations not
Office PowerPoint 2007\PowerPoint Options\Security\Trust         on the computer
Center\Trusted Locations\Allow Trusted Locations not on the
computer (2)
Software\Policies\Microsoft\Office\12.0\PowerPoint\Security\Trusted Locations

(1) User Configuration\Administrative Templates\Microsoft        Table 1.89. Disable all trusted locations
Office PowerPoint 2007\PowerPoint Options\Security\Trust
Center\Trusted Locations\Disable all trusted locations (2)
Software\Policies\Microsoft\Office\12.0\PowerPoint\Security\Trusted Locations

(1) User Configuration\Administrative Templates\Microsoft        Table 1.94. Disable commands
Office PowerPoint 2007\Disable items in user
interface\Predefined\Disable commands (2)
Software\Policies\Microsoft\Office\12.0\PowerPoint\DisabledCmdBarItemsCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft        Table 1.94. Disable commands
Office PowerPoint 2007\Disable items in user
interface\Predefined\Disable commands - Office Button |
PowerPoint Options | Customize | All Commands | Web Page
Preview (2)
Software\Policies\Microsoft\Office\12.0\PowerPoint\DisabledCmdBarItemsCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft        Table 1.94. Disable commands
Office PowerPoint 2007\Disable items in user
interface\Predefined\Disable commands - Office Button |
Send | Email (2)
Software\Policies\Microsoft\Office\12.0\PowerPoint\DisabledCmdBarItemsCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft        Table 1.94. Disable commands
Office PowerPoint 2007\Disable items in user
interface\Predefined\Disable commands - Insert | Links |
Hyperlink (2)
Software\Policies\Microsoft\Office\12.0\PowerPoint\DisabledCmdBarItemsCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft      Table 1.94. Disable commands
Office PowerPoint 2007\Disable items in user
interface\Predefined\Disable commands - Review | Proofing |
Language (2)
Software\Policies\Microsoft\Office\12.0\PowerPoint\DisabledCmdBarItemsCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft      Table 1.94. Disable commands
Office PowerPoint 2007\Disable items in user
interface\Predefined\Disable commands - View | Macros |
Macros (2)
Software\Policies\Microsoft\Office\12.0\PowerPoint\DisabledCmdBarItemsCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft      Table 1.94. Disable commands
Office PowerPoint 2007\Disable items in user
interface\Predefined\Disable commands - Developer | Code |
Macros (2)
Software\Policies\Microsoft\Office\12.0\PowerPoint\DisabledCmdBarItemsCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft      Table 1.94. Disable commands
Office PowerPoint 2007\Disable items in user
interface\Predefined\Disable commands - Developer | Code |
Macro Security (2)
Software\Policies\Microsoft\Office\12.0\PowerPoint\DisabledCmdBarItemsCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft      Table 1.94. Disable commands
Office PowerPoint 2007\Disable items in user
interface\Predefined\Disable commands - Developer | Code |
Visual Basic (2)
Software\Policies\Microsoft\Office\12.0\PowerPoint\DisabledCmdBarItemsCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft      Table 1.94. Disable commands
Office PowerPoint 2007\Disable items in user
interface\Predefined\Disable commands - Office Button |
PowerPoint Options | Customize | All Commands | Document
Location (2)
Software\Policies\Microsoft\Office\12.0\PowerPoint\DisabledCmdBarItemsCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft      Table 1.94. Disable commands, Table
Office PowerPoint 2007\Disable items in user                   1.114. Disable shortcut keys
interface\Predefined\Disable commands - Disable shortcut
keys (2)
Software\Policies\Microsoft\Office\12.0\PowerPoint\DisabledShortcutKeysCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft      Table 1.94. Disable commands, Table
Office PowerPoint 2007\Disable items in user                   1.114. Disable shortcut keys
interface\Predefined\Disable commands - Ctrl+K (Insert |
Links | Hyperlink) (2)
Software\Policies\Microsoft\Office\12.0\PowerPoint\DisabledShortcutKeysCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft         Table 1.94. Disable commands, Table
Office PowerPoint 2007\Disable items in user                      1.114. Disable shortcut keys
interface\Predefined\Disable commands - Alt+F8 (Developer |
Code | Macros) (2)
Software\Policies\Microsoft\Office\12.0\PowerPoint\DisabledShortcutKeysCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft         Table 1.94. Disable commands, Table
Office PowerPoint 2007\Disable items in user                      1.114. Disable shortcut keys
interface\Predefined\Disable commands - Alt+F11 (Developer
| Code | Visual Basic) (2)
Software\Policies\Microsoft\Office\12.0\PowerPoint\DisabledShortcutKeysCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft         Table 1.41. Block opening of pre-
Office PowerPoint 2007\Block file formats\Open\Block              release versions of file formats new to
opening of pre-release versions of file formats new to            PowerPoint 2007
PowerPoint 2007 (2)
Software\Policies\Microsoft\Office\12.0\PowerPoint\Security\FileOpenBlock

(1) User Configuration\Administrative Templates\Microsoft         Table 1.38. Block opening of Open
Office PowerPoint 2007\Block file formats\Open\Block              XML file types
opening of Open Xml files types (2)
Software\Policies\Microsoft\Office\12.0\PowerPoint\Security\FileOpenBlock
(1) User Configuration\Administrative Templates\Microsoft         Table 1.30. Block opening of Binary file
Office PowerPoint 2007\Block file formats\Open\Block              types
opening of Binary file types (2)
Software\Policies\Microsoft\Office\12.0\PowerPoint\Security\FileOpenBlock
(1) User Configuration\Administrative Templates\Microsoft         Table 1.36. Block opening of HTML file
Office PowerPoint 2007\Block file formats\Open\Block              types
opening of Html file types (2)
Software\Policies\Microsoft\Office\12.0\PowerPoint\Security\FileOpenBlock
(1) User Configuration\Administrative Templates\Microsoft         Table 1.39. Block opening of Outlines
Office PowerPoint 2007\Block file formats\Open\Block
opening of Outlines (2)
Software\Policies\Microsoft\Office\12.0\PowerPoint\Security\FileOpenBlock
(1) User Configuration\Administrative Templates\Microsoft         Table 1.31. Block opening of Converters
Office PowerPoint 2007\Block file formats\Open\Block
opening of Converters (2)
Software\Policies\Microsoft\Office\12.0\PowerPoint\Security\FileOpenBlock
(1) User Configuration\Administrative Templates\Microsoft         Table 1.57. Block saving of Open Xml
Office PowerPoint 2007\Block file formats\Save\Block saving       file types
of Open Xml file types (2)
Software\Policies\Microsoft\Office\12.0\PowerPoint\Security\FileSaveBlock
(1) User Configuration\Administrative Templates\Microsoft         Table 1.51. Block saving of Binary file
Office PowerPoint 2007\Block file formats\Save\Block saving       types
of Binary file types (2)
Software\Policies\Microsoft\Office\12.0\PowerPoint\Security\FileSaveBlock
(1) User Configuration\Administrative Templates\Microsoft         Table 1.56. Block saving of HTML file
Office PowerPoint 2007\Block file formats\Save\Block saving       types
of Html file types (2)
Software\Policies\Microsoft\Office\12.0\PowerPoint\Security\FileSaveBlock
(1) User Configuration\Administrative Templates\Microsoft         Table 1.58. Block saving of Outlines
Office PowerPoint 2007\Block file formats\Save\Block saving
of Outlines (2)
Software\Policies\Microsoft\Office\12.0\PowerPoint\Security\FileSaveBlock
(1) User Configuration\Administrative Templates\Microsoft         Table 1.54. Block saving of
Office PowerPoint 2007\Block file formats\Save\Block saving       GraphicFilters
of GraphicFilters (2)
Software\Policies\Microsoft\Office\12.0\PowerPoint\Security\FileSaveBlock
(1) User Configuration\Administrative Templates\Microsoft         Table 1.115. Disable Slide Update
Office PowerPoint 2007\Block file
formats\Miscellaneous\Disable Slide Update (2)
Software\Policies\Microsoft\Office\12.0\PowerPoint\slide libraries
(1) User Configuration\Administrative Templates\Microsoft         Table 1.157. Hidden text
Office Word 2007\Word Options\Display\Hidden text (2)
Software\Policies\Microsoft\Office\12.0\Word\Options\vpref
(1) User Configuration\Administrative Templates\Microsoft         Table 1.212. Save files in this format
Office Word 2007\Word Options\Save\Save files in this format
(Word document (*.docx) | Single Files Web Page (*.mht) |
Web Page (*.htm; *.html) | Web Page, Filtered (*.htm, *.html) |
Rich Text Format (*.rtf) | Plain Text (*.txt) | Word 6.0/95
(*.doc) | Word 6.0/95 - Chinese (Simplified) (*.doc) | Word
6.0/95 - Chinese (Traditional) (*.doc) | Word 6.0/95 -
Japanese (*.doc) | Word 6.0/95 - Korean (*.doc) | Word 97-
2002 & 6.0/95 - RTF | Word 5.1 for Macintosh (*.mcw) | Word
5.0 for Macintosh (*.mcw) | Word 2.x for Windows (*.doc) |
Works 4.0 for Windows (*.wps) | WordPerfect 5.x for
Windows (*.doc) | WordPerfect 5.1 for DOS (*.doc) | Word
2007 Macro Enabled Document (*.docm) | Word 2007 Macro
Free Template (*.dotx) | Word 2007 Macro Enabled Template
(*.dotm) | Word 97 - 2003 Document (*.doc) | Word 97 - 2003
Template (*.dot) | Flat XML Document (*.xml)) (2)
Software\Policies\Microsoft\Office\12.0\Word\Options




(1) User Configuration\Administrative Templates\Microsoft
Office Word 2007\Word Options\Advanced\Number of
documents in the Recent Documents list (0-50) (2)
Software\Policies\Microsoft\Office\12.0\Word\File MRU


(1) User Configuration\Administrative Templates\Microsoft         Table 1.231. Update automatic links at
Office Word 2007\Word Options\Advanced\Update automatic           Open
links at Open (2)
Software\Policies\Microsoft\Office\12.0\Word\Options

(1) User Configuration\Administrative Templates\Microsoft
Office Word 2007\Word Options\Advanced\E-mail
Options\Save smart tags in e-mail (2)
Software\Policies\Microsoft\Office\12.0\Word\Options\vpref
(1) User Configuration\Administrative Templates\Microsoft        Table 1.83. Determine whether to force
Office Word 2007\Word Options\Security\Trust                     encrypted macros to be scanned in
Center\Determine whether to force encrypted macros to be         Microsoft Word Open XML documents
scanned in Microsoft Word Open XML documents (2)
Software\Policies\Microsoft\Office\12.0\Word\Security


(1) User Configuration\Administrative Templates\Microsoft        Table 1.87. Disable all application add-
Office Word 2007\Word Options\Security\Trust                     ins
Center\Disable all application add-ins (2)
Software\Policies\Microsoft\Office\12.0\Word\Security

(1) User Configuration\Administrative Templates\Microsoft        Table 1.200. Require that application
Office Word 2007\Word Options\Security\Trust                     add-ins are signed by Trusted Publisher
Center\Require that application add-ins are signed by Trusted
Publisher (2)
Software\Policies\Microsoft\Office\12.0\Word\Security

(1) User Configuration\Administrative Templates\Microsoft        Table 1.120. Disable Trust Bar
Office Word 2007\Word Options\Security\Trust                     Notification for unsigned application
Center\Disable Trust Bar Notification for unsigned application   add-ins
add-ins (2)
Software\Policies\Microsoft\Office\12.0\Word\Security

(1) User Configuration\Administrative Templates\Microsoft        Table 1.11. Allow Trusted Locations not
Office Word 2007\Word Options\Security\Trust                     on the computer
Center\Trusted Locations\Allow Trusted Locations not on the
computer (2)
Software\Policies\Microsoft\Office\12.0\Word\Security\Trusted Locations
(1) User Configuration\Administrative Templates\Microsoft        Table 1.89. Disable all trusted locations
Office Word 2007\Word Options\Security\Trust
Center\Trusted Locations\Disable all trusted locations (2)
Software\Policies\Microsoft\Office\12.0\Word\Security\Trusted Locations
(1) User Configuration\Administrative Templates\Microsoft        Table 1.94. Disable commands
Office Word 2007\Disable items in user
interface\Predefined\Disable commands (2)
Software\Policies\Microsoft\Office\12.0\Word\DisabledCmdBarItemsCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft        Table 1.94. Disable commands
Office Word 2007\Disable items in user
interface\Predefined\Disable commands - Office Button |
Word Options | Customize | All Commands | Save As Web
Page (2)
Software\Policies\Microsoft\Office\12.0\Word\DisabledCmdBarItemsCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft     Table 1.94. Disable commands
Office Word 2007\Disable items in user
interface\Predefined\Disable commands - Office Button |
Word Options | Customize | All Commands | Web Page
Preview (2)
Software\Policies\Microsoft\Office\12.0\Word\DisabledCmdBarItemsCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft     Table 1.94. Disable commands
Office Word 2007\Disable items in user
interface\Predefined\Disable commands - Office Button |
Send | Email (2)
Software\Policies\Microsoft\Office\12.0\Word\DisabledCmdBarItemsCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft     Table 1.94. Disable commands
Office Word 2007\Disable items in user
interface\Predefined\Disable commands - Insert | Links |
Hyperlink (2)
Software\Policies\Microsoft\Office\12.0\Word\DisabledCmdBarItemsCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft     Table 1.94. Disable commands
Office Word 2007\Disable items in user
interface\Predefined\Disable commands - Review | Protect |
Protect Document (2)
Software\Policies\Microsoft\Office\12.0\Word\DisabledCmdBarItemsCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft     Table 1.94. Disable commands
Office Word 2007\Disable items in user
interface\Predefined\Disable commands - View | Macros |
Macros (2)
Software\Policies\Microsoft\Office\12.0\Word\DisabledCmdBarItemsCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft     Table 1.94. Disable commands
Office Word 2007\Disable items in user
interface\Predefined\Disable commands - Developer | Code |
Macros (2)
Software\Policies\Microsoft\Office\12.0\Word\DisabledCmdBarItemsCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft     Table 1.94. Disable commands
Office Word 2007\Disable items in user
interface\Predefined\Disable commands - Developer | Code |
Record Macro (2)
Software\Policies\Microsoft\Office\12.0\Word\DisabledCmdBarItemsCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft     Table 1.94. Disable commands
Office Word 2007\Disable items in user
interface\Predefined\Disable commands - Developer | Code |
Macro Security (2)
Software\Policies\Microsoft\Office\12.0\Word\DisabledCmdBarItemsCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft       Table 1.94. Disable commands
Office Word 2007\Disable items in user
interface\Predefined\Disable commands - Developer | Code |
Visual Basic (2)
Software\Policies\Microsoft\Office\12.0\Word\DisabledCmdBarItemsCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft       Table 1.94. Disable commands
Office Word 2007\Disable items in user
interface\Predefined\Disable commands - Developer |
Templates | Document Template (2)
Software\Policies\Microsoft\Office\12.0\Word\DisabledCmdBarItemsCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft       Table 1.114. Disable shortcut keys
Office Word 2007\Disable items in user
interface\Predefined\Disable shortcut keys (2)
Software\Policies\Microsoft\Office\12.0\Word\DisabledShortcutKeysCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft       Table 1.114. Disable shortcut keys
Office Word 2007\Disable items in user
interface\Predefined\Disable shortcut keys - Ctrl+F (Home |
Editing | Find) (2)
Software\Policies\Microsoft\Office\12.0\Word\DisabledShortcutKeysCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft       Table 1.114. Disable shortcut keys
Office Word 2007\Disable items in user
interface\Predefined\Disable shortcut keys - Ctrl+K (Insert |
Links | Hyperlink) (2)
Software\Policies\Microsoft\Office\12.0\Word\DisabledShortcutKeysCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft       Table 1.114. Disable shortcut keys
Office Word 2007\Disable items in user
interface\Predefined\Disable shortcut keys - Alt+F8
(Developer | Code | Macros) (2)
Software\Policies\Microsoft\Office\12.0\Word\DisabledShortcutKeysCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft       Table 1.114. Disable shortcut keys
Office Word 2007\Disable items in user
interface\Predefined\Disable shortcut keys - Alt+F11
(Developer | Code | Visual Basic) (2)
Software\Policies\Microsoft\Office\12.0\Word\DisabledShortcutKeysCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft       Table 1.43. Block opening of pre-
Office Word 2007\Block file formats\Open\Block opening of       release versions of file formats new to
pre-release versions of file formats new to Word 2007 (2)       Word 2007
Software\Policies\Microsoft\Office\12.0\Word\Security\FileOpenBlock

(1) User Configuration\Administrative Templates\Microsoft       Table 1.38. Block opening of Open
Office Word 2007\Block file formats\Open\Block opening of       XML file types
Open XML file types (2)
Software\Policies\Microsoft\Office\12.0\Word\Security\FileOpenBlock
(1) User Configuration\Administrative Templates\Microsoft       Table 1.30. Block opening of Binary file
Office Word 2007\Block file formats\Open\Block opening of       types
Binary file types (2)
Software\Policies\Microsoft\Office\12.0\Word\Security\FileOpenBlock
(1) User Configuration\Administrative Templates\Microsoft       Table 1.36. Block opening of HTML file
Office Word 2007\Block file formats\Open\Block opening of       types
HTML file types (2)
Software\Policies\Microsoft\Office\12.0\Word\Security\FileOpenBlock
(1) User Configuration\Administrative Templates\Microsoft       Table 1.47. Block opening of Word
Office Word 2007\Block file formats\Open\Block opening of       2003 XML file types
Word 2003 XML file types (2)
Software\Policies\Microsoft\Office\12.0\Word\Security\FileOpenBlock
(1) User Configuration\Administrative Templates\Microsoft       Table 1.45. Block opening of RTF file
Office Word 2007\Block file formats\Open\Block opening of       types
RTF file types (2)
Software\Policies\Microsoft\Office\12.0\Word\Security\FileOpenBlock
(1) User Configuration\Administrative Templates\Microsoft       Table 1.28. Block open Converters
Office Word 2007\Block file formats\Open\Block open
Converters (2)
Software\Policies\Microsoft\Office\12.0\Word\Security\FileOpenBlock
(1) User Configuration\Administrative Templates\Microsoft       Table 1.46. Block opening of Text file
Office Word 2007\Block file formats\Open\Block opening of       types
Text file types (2)
Software\Policies\Microsoft\Office\12.0\Word\Security\FileOpenBlock
(1) User Configuration\Administrative Templates\Microsoft       Table 1.37. Block opening of Internal
Office Word 2007\Block file formats\Open\Block opening of       file types
Internal file types (2)
Software\Policies\Microsoft\Office\12.0\Word\Security\FileOpenBlock
(1) User Configuration\Administrative Templates\Microsoft       Table 1.33. Block opening of files
Office Word 2007\Block file formats\Open\Block opening of       before version
files before version (2)
Software\Policies\Microsoft\Office\12.0\Word\Security\FileOpenBlock
(1) User Configuration\Administrative Templates\Microsoft       Table 1.57. Block saving of Open Xml
Office Word 2007\Block file formats\Save\Block saving of        file types
Open XML file types (2)
Software\Policies\Microsoft\Office\12.0\Word\Security\FileSaveBlock
(1) User Configuration\Administrative Templates\Microsoft       Table 1.51. Block saving of Binary file
Office Word 2007\Block file formats\Save\Block saving of        types
Binary file types (2)
Software\Policies\Microsoft\Office\12.0\Word\Security\FileSaveBlock
(1) User Configuration\Administrative Templates\Microsoft       Table 1.56. Block saving of HTML file
Office Word 2007\Block file formats\Save\Block saving of        types
HTML file types (2)
Software\Policies\Microsoft\Office\12.0\Word\Security\FileSaveBlock
(1) User Configuration\Administrative Templates\Microsoft       Table 1.61. Block saving of Word 2003
Office Word 2007\Block file formats\Save\Block saving of        XML file types
Word 2003 XML file types (2)
Software\Policies\Microsoft\Office\12.0\Word\Security\FileSaveBlock
(1) User Configuration\Administrative Templates\Microsoft       Table 1.59. Block saving of RTF file
Office Word 2007\Block file formats\Save\Block saving of        types
RTF file types (2)
Software\Policies\Microsoft\Office\12.0\Word\Security\FileSaveBlock
(1) User Configuration\Administrative Templates\Microsoft       Table 1.53. Block saving of Converters
Office Word 2007\Block file formats\Save\Block saving of
Converters (2)
Software\Policies\Microsoft\Office\12.0\Word\Security\FileSaveBlock
(1) User Configuration\Administrative Templates\Microsoft       Table 1.60. Block saving of Text file
Office Word 2007\Block file formats\Save\Block saving of        types
Text file types (2)
Software\Policies\Microsoft\Office\12.0\Word\Security\FileSaveBlock

(1) Computer Configuration\Administrative                       Table 2.6. InfoPath APTCA Assembly
Templates\Microsoft Office InfoPath 2007                        allowable list
(Machine)\Security\InfoPath APTCA Assembly Whitelist (2)
Software\Policies\Microsoft\Office\12.0\InfoPath\Security\APTCA

(1) Computer Configuration\Administrative
Templates\Microsoft Office InfoPath 2007
(Machine)\Security\Windows Internet Explorer Feature
Control Opt-In (None | InfoPath.exe, Document Information
Panel and Workflow forms | InfoPath.exe, Document
Information Panel, Workflow forms and 3rd Party Hosting) (2)
Software\Policies\Microsoft\Office\12.0\InfoPath\Security



(1) Computer Configuration\Administrative                       Table 2.7. InfoPath APTCA Assembly
Templates\Microsoft Office InfoPath 2007                        Allowable List Enforcement
(Machine)\Security\InfoPath APTCA Assembly Whitelist
Enforcement (2)
Software\Policies\Microsoft\Office\12.0\InfoPath\Security
(1) Computer Configuration\Administrative                   Table 2.3. Disable Package Repair
Templates\Microsoft Office 2007 system (Machine)\Security
Settings\Disable Package Repair (2)
Software\Policies\Microsoft\Office\12.0\Common\OpenXMLFormat
(1) Computer Configuration\Administrative                   Table 2.4. Disable user name and
Templates\Microsoft Office 2007 system (Machine)\Security   password
Settings\IE Security\Disable user name and password (2)
Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE

(1) Computer Configuration\Administrative                   Table 2.4. Disable user name and
Templates\Microsoft Office 2007 system (Machine)\Security   password
Settings\IE Security\Disable user name and password -
excel.exe (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE

(1) Computer Configuration\Administrative                   Table 2.4. Disable user name and
Templates\Microsoft Office 2007 system (Machine)\Security   password
Settings\IE Security\Disable user name and password -
powerpnt.exe (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE

(1) Computer Configuration\Administrative                   Table 2.4. Disable user name and
Templates\Microsoft Office 2007 system (Machine)\Security   password
Settings\IE Security\Disable user name and password -
pptview.exe (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE

(1) Computer Configuration\Administrative                   Table 2.4. Disable user name and
Templates\Microsoft Office 2007 system (Machine)\Security   password
Settings\IE Security\Disable user name and password -
winword.exe (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE

(1) Computer Configuration\Administrative                   Table 2.4. Disable user name and
Templates\Microsoft Office 2007 system (Machine)\Security   password
Settings\IE Security\Disable user name and password -
outlook.exe (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE
(1) Computer Configuration\Administrative                   Table 2.4. Disable user name and
Templates\Microsoft Office 2007 system (Machine)\Security   password
Settings\IE Security\Disable user name and password -
spDesign.exe (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE

(1) Computer Configuration\Administrative                   Table 2.4. Disable user name and
Templates\Microsoft Office 2007 system (Machine)\Security   password
Settings\IE Security\Disable user name and password -
msaccess.exe (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE

(1) Computer Configuration\Administrative                   Table 2.1. Bind to object
Templates\Microsoft Office 2007 system (Machine)\Security
Settings\IE Security\Bind to object (2)
Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SAFE_BINDTOOBJECT
(1) Computer Configuration\Administrative                   Table 2.1. Bind to object
Templates\Microsoft Office 2007 system (Machine)\Security
Settings\IE Security\Bind to object - excel.exe (2)
Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SAFE_BINDTOOBJECT
(1) Computer Configuration\Administrative                   Table 2.1. Bind to object
Templates\Microsoft Office 2007 system (Machine)\Security
Settings\IE Security\Bind to object - powerpnt.exe (2)
Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SAFE_BINDTOOBJECT
(1) Computer Configuration\Administrative                   Table 2.1. Bind to object
Templates\Microsoft Office 2007 system (Machine)\Security
Settings\IE Security\Bind to object - pptview.exe (2)
Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SAFE_BINDTOOBJECT
(1) Computer Configuration\Administrative                   Table 2.1. Bind to object
Templates\Microsoft Office 2007 system (Machine)\Security
Settings\IE Security\Bind to object - winword.exe (2)
Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SAFE_BINDTOOBJECT
(1) Computer Configuration\Administrative                   Table 2.1. Bind to object
Templates\Microsoft Office 2007 system (Machine)\Security
Settings\IE Security\Bind to object - outlook.exe (2)
Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SAFE_BINDTOOBJECT
(1) Computer Configuration\Administrative                   Table 2.1. Bind to object
Templates\Microsoft Office 2007 system (Machine)\Security
Settings\IE Security\Bind to object - spDesign.exe (2)
Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SAFE_BINDTOOBJECT
(1) Computer Configuration\Administrative                   Table 2.1. Bind to object
Templates\Microsoft Office 2007 system (Machine)\Security
Settings\IE Security\Bind to object - msaccess.exe (2)
Software\Policies\Microsoft\Internet
Explorer\Main\FeatureControl\FEATURE_SAFE_BINDTOOBJ
ECT

(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Saved from URL
(2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_UNC_SAVEDFILECHECK
    Table 2.9. Saved from URL

(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Saved from URL - excel.exe
(2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_UNC_SAVEDFILECHECK
    Table 2.9. Saved from URL

(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Saved from URL - powerpnt.exe
(2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_UNC_SAVEDFILECHECK
    Table 2.9. Saved from URL

(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Saved from URL - pptview.exe
(2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_UNC_SAVEDFILECHECK
    Table 2.9. Saved from URL

(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Saved from URL - winword.exe
(2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_UNC_SAVEDFILECHECK
    Table 2.9. Saved from URL

(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Saved from URL - outlook.exe
(2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_UNC_SAVEDFILECHECK
    Table 2.9. Saved from URL

(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Saved from URL - spDesign.exe
(2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_UNC_SAVEDFILECHECK
    Table 2.9. Saved from URL

(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Saved from URL - msaccess.exe
(2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_UNC_SAVEDFILECHECK
    Table 2.9. Saved from URL

(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Navigate URL
(2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_VALIDATE_NAVIGATE_URL
    Table 2.8. Navigate URL

(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Navigate URL - excel.exe
(2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_VALIDATE_NAVIGATE_URL
    Table 2.8. Navigate URL

(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Navigate URL - powerpnt.exe
(2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_VALIDATE_NAVIGATE_URL
    Table 2.8. Navigate URL

(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Navigate URL - pptview.exe
(2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_VALIDATE_NAVIGATE_URL
    Table 2.8. Navigate URL

(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Navigate URL - winword.exe
(2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_VALIDATE_NAVIGATE_URL
    Table 2.8. Navigate URL

(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Navigate URL - outlook.exe
(2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_VALIDATE_NAVIGATE_URL
    Table 2.8. Navigate URL

(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Navigate URL - spDesign.exe
(2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_VALIDATE_NAVIGATE_URL
    Table 2.8. Navigate URL

(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Navigate URL - msaccess.exe
(2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_VALIDATE_NAVIGATE_URL
    Table 2.8. Navigate URL

(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Block popups
(2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_POPUPMANAGEMENT
    Table 2.2. Block popups

(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Block popups - excel.exe
(2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_POPUPMANAGEMENT
    Table 2.2. Block popups

(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Block popups - powerpnt.exe
(2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_POPUPMANAGEMENT
    Table 2.2. Block popups

(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Block popups - pptview.exe
(2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_POPUPMANAGEMENT
    Table 2.2. Block popups

(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Block popups - winword.exe
(2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_POPUPMANAGEMENT
    Table 2.2. Block popups

(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Block popups - outlook.exe
(2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_POPUPMANAGEMENT
    Table 2.2. Block popups

(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Block popups - spDesign.exe
(2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_POPUPMANAGEMENT
    Table 2.2. Block popups

(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Block popups - msaccess.exe
(2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_POPUPMANAGEMENT
    Table 2.2. Block popups

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Prevent users from customizing attachment security settings
(2) HKCU\Software\Policies\Microsoft\Office\12.0\Outlook - DisallowAttachmentCustomization

(1) Computer Configuration\Administrative Templates\Microsoft Office 2003\Security Settings\Access: Macro Security Level
(2) HKLM\Software\Policies\Microsoft\Office\11.0\Access\Security - Level
(3) User Configuration\Administrative Templates\Microsoft Office Access 2003\Tools\Macros\Security\Security level
(4) HKCU\Software\Policies\Microsoft\Office\11.0\Access\Security - Level

(1) Computer Configuration\Administrative Templates\Microsoft Office 2003\Security Settings\Access: Trust all installed add-ins and templates
(2) HKLM\Software\Policies\Microsoft\Office\11.0\Access\Security - DontTrustInstalledFiles
(3) User Configuration\Administrative Templates\Microsoft Office Access 2003\Tools\Macros\Security\Trust all installed add-ins and templates
(4) HKCU\Software\Policies\Microsoft\Office\11.0\Access\Security - DontTrustInstalledFiles

(1) Computer Configuration\Administrative Templates\Microsoft Office 2003\Security Settings\Excel: Macro Security Level
(2) HKLM\Software\Policies\Microsoft\Office\11.0\Excel\Security - Level
(3) User Configuration\Administrative Templates\Microsoft Office Excel 2003\Tools\Macros\Security\Security level
(4) HKCU\Software\Policies\Microsoft\Office\11.0\Excel\Security - Level

(1) Computer Configuration\Administrative Templates\Microsoft Office 2003\Security Settings\Excel: Trust all installed add-ins and templates
(2) HKLM\Software\Policies\Microsoft\Office\11.0\Excel\Security - DontTrustInstalledFiles
(3) User Configuration\Administrative Templates\Microsoft Office Excel 2003\Tools\Macros\Security\Trust all installed add-ins and templates
(4) HKCU\Software\Policies\Microsoft\Office\11.0\Excel\Security - DontTrustInstalledFiles

(1) Computer Configuration\Administrative Templates\Microsoft Office 2003\Security Settings\Outlook: Macro Security Level
(2) HKLM\Software\Policies\Microsoft\Office\11.0\Outlook\Security - Level
(3) User Configuration\Administrative Templates\Microsoft Office Outlook 2003\Tools\Macros\Security\Security Level
(4) HKCU\Software\Policies\Microsoft\Office\11.0\Outlook - Security\Level

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2003\Tools\Macros\Security\Outlook: Trust all installed add-ins and templates
(2) HKCU\Software\Policies\Microsoft\Office\11.0\Outlook\Security - DontTrustInstalledFiles

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2003\Tools\Options\Security\Outlook virus security settings
(2) HKCU\Software\Policies\Microsoft\Security - CheckAdminSettings

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2003\Tools\Options\Security\Cryptography\S/MIME receipt requests
(2) HKCU\Software\Policies\Microsoft\Office\11.0\Outlook\Security - RespondToReceiptRequests

(1) Computer Configuration\Administrative Templates\Microsoft Office 2003\Security Settings\PowerPoint: Macro Security Level
(2) HKLM\Software\Policies\Microsoft\Office\11.0\PowerPoint\Security - Level
(3) User Configuration\Administrative Templates\Microsoft Office PowerPoint 2003\Tools\Macro\Security\Security Level
(4) HKCU\Software\Policies\Microsoft\Office\11.0\PowerPoint - Security\Level

(1) Computer Configuration\Administrative Templates\Microsoft Office 2003\Security Settings\PowerPoint: Trust all installed add-ins and templates
(2) HKLM\Software\Policies\Microsoft\Office\11.0\PowerPoint\Security - DontTrustInstalledFiles
(3) User Configuration\Administrative Templates\Microsoft Office PowerPoint 2003\Tools\Macro\Security\Trust all installed add-ins and templates
(4) HKCU\Software\Policies\Microsoft\Office\11.0\PowerPoint\Security - DontTrustInstalledFiles

(1) Computer Configuration\Administrative Templates\Microsoft Office 2003\Security Settings\Publisher: Macro Security Level
(2) HKLM\Software\Policies\Microsoft\Office\11.0\Publisher\Security - Level

(1) Computer Configuration\Administrative Templates\Microsoft Office 2003\Security Settings\Publisher: Trust all installed add-ins and templates
(2) HKLM\Software\Policies\Microsoft\Office\11.0\Publisher\Security - DontTrustInstalledFiles

(1) Computer Configuration\Administrative Templates\Microsoft Office 2003\Security Settings\Word: Macro Security Level
(2) HKLM\Software\Policies\Microsoft\Office\11.0\Word\Security - Level
(3) User Configuration\Administrative Templates\Microsoft Office Word 2003\Tools\Macro\Security\Security Level
(4) HKCU\Software\Policies\Microsoft\Office\11.0\Word - Security\Level

(1) Computer Configuration\Administrative Templates\Microsoft Office 2003\Security Settings\Word: Trust all installed add-ins and templates
(2) HKLM\Software\Policies\Microsoft\Office\11.0\Word\Security - DontTrustInstalledFiles
(3) User Configuration\Administrative Templates\Microsoft Office Word 2003\Tools\Macro\Security\Trust all installed add-ins and templates
(4) HKCU\Software\Policies\Microsoft\Office\11.0\Word\Security - DontTrustInstalledFiles

(1) User Configuration\Administrative Templates\Microsoft Office Word 2003\Tools\Options\Security\Store random number to improve merge accuracy
(2) HKCU\Software\Policies\Microsoft\Office\11.0\Word\Options\vpref - fDontSaveRSID_1804_1

(1) User Configuration\Administrative Templates\Microsoft Office 2003\Security Settings\Prevent Users from Changing Office Encryption Settings
(2) HKCU\Software\Policies\Microsoft\Office\11.0\Common\Security - DisableCustomEncryption

Microsoft Office 2007 Recommendations (Security Settings for Office 2007 Applications.xlsx)
    NIST SCAP Microsoft Office 2007 OVAL (SCAP-Office2007-OVAL-Beta-v1.xml)    NIST SCAP Microsoft Office 2007 XCCDF (SCAP-Office2007-XCCDF-Beta-v1.xml)

User Configuration\Administrative Templates\Microsoft Office 2007 system\Security Settings\Disable VBA for Office applications, Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\Disable VBA for Office applications
    oval:org.mitre.oval:def:771    DisableVBAForOfficeApplications

User Configuration\Administrative Templates\Microsoft Office 2007 system\Security Settings\ActiveX Control Initialization (1 | 2 | 3 | 4 | 5 | 6)
    oval:org.mitre.oval:def:814    ActiveXControlInitialization

User Configuration\Administrative Templates\Microsoft Office 2007 system\Privacy\Trust Center\Enable Customer Experience Improvement Program
    oval:org.mitre.oval:def:829    EnableCustomerExperienceImprovementProgram

User Configuration\Administrative Templates\Microsoft Office 2007 system\Privacy\Trust Center\Automatically receive small updates to improve reliability
    oval:org.mitre.oval:def:1473    AutomaticallyReceiveSmallUpdatesToImproveReliability

User Configuration\Administrative Templates\Microsoft Office 2007 system\Tools | Options | General | Service Options...\Online Content\Online content options (Never show online content or entry points | Search only offline content whenever available | Search online content whenever available)
    oval:org.mitre.oval:def:1302    OnlineContentOptions

User Configuration\Administrative Templates\Microsoft Office Access 2007\Application Settings\Security\Trust Center\VBA Macro Warning Settings (Trust Bar warning for all macros | Trust Bar warning for digitally signed macros only (unsigned macros will be disabled) | No Warnings for all macros but disable all macros | No Security checks for macros (Not recommended, code in all documents can run))
    oval:org.mitre.oval:def:1403    VBAMacroWarningSettings-Access

User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Security\Trust Center\VBA Macro Warning Settings (Trust Bar warning for all macros | Trust Bar warning for digitally signed macros only (unsigned macros will be disabled) | No Warnings for all macros but disable all macros | No Security checks for macros (Not recommended, code in all documents can run))
    oval:org.mitre.oval:def:649    VBAMacroWarningSettings-Excel

User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Security\Trust Center\Trust access to Visual Basic Project
    oval:org.mitre.oval:def:1560    TrustAccessToVisualBasicProject-Excel

User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\PowerPoint Options\Security\Trust Center\VBA Macro Warning Settings (Trust Bar warning for all macros | Trust Bar warning for digitally signed macros only (unsigned macros will be disabled) | No Warnings for all macros but disable all macros | No Security checks for macros (Not recommended, code in all documents can run))
    oval:org.mitre.oval:def:654    VBAMacroWarningSettings-PowerPoint

User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\PowerPoint Options\Security\Trust Center\Trust access to Visual Basic Project
    oval:org.mitre.oval:def:665    TrustAccessToVisualBasicProject-PowerPoint

    oval:org.mitre.oval:def:1298    DisableRememberPassword

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Programmatic Security\Trusted Add-ins\Configure trusted add-ins
    oval:org.mitre.oval:def:1390    ConfigureAddInTrustLevel

    oval:org.mitre.oval:def:1232    DisableRememberPasswordForInternetEmailAccounts

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Minimum encryption settings
    oval:org.mitre.oval:def:661    MinimumEncryptionSettings

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Do not check e-mail address against address of certificates being used
    oval:org.mitre.oval:def:1399    DoNotCheckEmailAddressAgainstAddressOfCertificatesBeingUsed

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Send all signed messages as clear signed messages
    oval:org.mitre.oval:def:1388    SendAllSignedMessagesAsClearSignedMessages

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Request an S/MIME receipt for all S/MIME signed messages
    oval:org.mitre.oval:def:705    RequestAnSMIMEReceiptForAllSMIMESignedMessages

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Do not display 'Publish to GAL' button
    oval:org.mitre.oval:def:741    DoNotDisplayPublishToGALButton

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Signature Warning (Let user decide if they want to be warned | Always warn about invalid signatures | Never warn about invalid signatures)
    oval:org.mitre.oval:def:756    SignatureWarning

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Enable Cryptography Icons
    oval:org.mitre.oval:def:1716    EnableCryptographyIcons

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Signature Status dialog box\Retrieving CRLs (Certificate Revocation Lists) (Use system Default | When online always retreive the CRL | Never retreive the CRL)
    oval:org.mitre.oval:def:1700    RetrievingCRLs

User Configuration\Administrative Templates\Microsoft Office Word 2007\Word Options\Security\Trust Center\VBA Macro Warning Settings (Trust Bar warning for all macros | Trust Bar warning for digitally signed macros only (unsigned macros will be disabled) | No Warnings for all macros but disable all macros | No )
    oval:org.mitre.oval:def:1350    VBMacroWarningSettings-Word

User Configuration\Administrative Templates\Microsoft Office Word 2007\Word Options\Security\Trust Center\Trust access to Visual Basic Project
    oval:org.mitre.oval:def:1713    TrustAccessToVisualBasicProject-Word

    oval:org.mitre.oval:def:788    WarnBeforePrintingSavingOrSendingAFileThatContainsTrackedChangesOrComments

User Configuration\Administrative Templates\Microsoft Office 2007 system\Miscellaneous\Block updates from the Office Update Site from applying
    oval:org.mitre.oval:def:1755    BlockUpdatesFromTheOfficeUpdateSiteFromApplying

User Configuration\Administrative Templates\Microsoft Office Access 2007\Application Settings\Web Options\General\Underline hyperlinks
User Configuration\Administrative Templates\Microsoft Office Access 2007\Application Settings\General\General\Number of documents in the Recent Documents list (0-9)
User Configuration\Administrative Templates\Microsoft Office Access 2007\Application Settings\Security\Trust Center\Disable Trust Bar Notification for unsigned application add-ins
User Configuration\Administrative Templates\Microsoft Office Access 2007\Application Settings\Security\Trust Center\Disable all application add-ins
User Configuration\Administrative Templates\Microsoft Office Access 2007\Application Settings\Security\Trust Center\Require that application add-ins are signed by Trusted Publisher
User Configuration\Administrative Templates\Microsoft Office Access 2007\Application Settings\Security\Trust Center\Trusted Locations\Disable all trusted locations
User Configuration\Administrative Templates\Microsoft Office Access 2007\Application Settings\Security\Trust Center\Trusted Locations\Allow Trusted Locations not on the computer
User Configuration\Administrative Templates\Microsoft Office Access 2007\Application Settings\Security\Trust Center\Trusted Locations\Modal Trust Decision Only
User Configuration\Administrative Templates\Microsoft Office Access 2007\Disable items in user interface\Predefined\Disable commands
User Configuration\Administrative Templates\Microsoft Office Access 2007\Disable items in user interface\Predefined\Disable commands - Office Button | E-Mail
User Configuration\Administrative Templates\Microsoft Office Access 2007\Disable items in user interface\Predefined\Disable commands - Office Button | Access Options | Customize | All Commands | Insert Hyperlink
User Configuration\Administrative Templates\Microsoft Office Access 2007\Disable items in user interface\Predefined\Disable commands - Database Tools | Database Tools | Encrypt with Password
User Configuration\Administrative Templates\Microsoft Office Access 2007\Disable items in user interface\Predefined\Disable commands - Database Tools | Administer | Users and Permission | User and Group Permissions
User Configuration\Administrative Templates\Microsoft Office Access 2007\Disable items in user interface\Predefined\Disable commands - Database Tools | Administer | Users and Permissions | User and Group Accounts
User Configuration\Administrative Templates\Microsoft Office Access 2007\Disable items in user interface\Predefined\Disable commands - Database Tools | Administer | Users and Permission | User-Level Security Wizard...
User Configuration\Administrative Templates\Microsoft Office Access 2007\Disable items in user interface\Predefined\Disable commands - Database Tools | Database Tools | Encode/Decode Database
User Configuration\Administrative Templates\Microsoft Office Access 2007\Disable items in user interface\Predefined\Disable commands - Database Tools | Macro | Visual Basic
User Configuration\Administrative Templates\Microsoft Office Access 2007\Disable items in user interface\Predefined\Disable commands - Database Tools | Macro | Run Macro
User Configuration\Administrative Templates\Microsoft Office Access 2007\Disable items in user interface\Predefined\Database Tools | Macro | Convert Macros to Visual Basic
User Configuration\Administrative Templates\Microsoft Office Access 2007\Disable items in user interface\Predefined\Database Tools | Macro | Create Shortcut Menu from Macro
User Configuration\Administrative Templates\Microsoft Office Access 2007\Disable items in user interface\Predefined\Disable shortcut keys
User Configuration\Administrative Templates\Microsoft Office Access 2007\Disable items in user interface\Predefined\Disable commands - Ctrl+K (Office Button | Access Options | Customize | All Commands | Insert Hyperlinks)
User Configuration\Administrative Templates\Microsoft Office Access 2007\Disable items in user interface\Predefined\Disable commands - Alt+F11 (Database Tools | Macro | Visual Basic)
User Configuration\Administrative Templates\Microsoft Office Access 2007\Miscellaneous\Default file format (Access 2007 | Access 2002-2003)
User Configuration\Administrative Templates\Microsoft Office Access 2007\Miscellaneous\Do not prompt to convert older databases

User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Proofing\Autocorrect Options\Internet and network paths as hyperlinks
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Save\Save Excel files as (Excel Workbook (*.xlsx) | Excel Macro-Enabled Workbook (*.xlsm) | Excel Binary Workbook (*.xlsb) | Web Page (*.htm; *.html) | Excel 97-2003 Workbook (*.xls) | Excel 5.0/95 Workbook (*.xls))
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Save\Disable AutoRepublish
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Save\AutoRepublish Warning Alert (Always show the alert before publishing | Never show the alert before publishing)
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Security\Determine whether to force encrypted macros to be scanned in Microsoft Excel Open XML workbooks
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Security\Force file extension to match file type (Allow different | Allow different, but warn | Always match file type)
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Security\Trust Center\Store macro in Personal Macro Workbook by default
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Security\Trust Center\Disable all application add-ins
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Security\Trust Center\Require that application add-ins are signed by Trusted Publisher
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Security\Trust Center\Disable Trust Bar Notification for unsigned application add-ins
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Security\Trust Center\Trusted Locations\Allow Trusted Locations not on the computer
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Security\Trust Center\Trusted Locations\Disable all trusted locations
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Advanced\Ignore other applications
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Advanced\Ask to update automatic links
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Advanced\Number of documents in the Recent Documents list (0-17)
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Advanced\Web Options…\General\Save any additional data necessary to maintain formulas
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Advanced\Web Options…\General\Load pictures from Web pages not created in Excel
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Data Recovery\Do not show data extraction options when opening corrupt workbooks
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Data Recovery\Assume structured storage format of workbook is intact when recovering data
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Data Recovery\Corrupt formula conversion (Convert unrecoverable references to: values | #REF or #NAME)
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Data Access Security\Connection File Locations
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Data Access Security\Automatic Query Refresh (Prompt for all workbooks | Do not prompt; do not allow auto refresh | Do not prompt; allow auto refresh)


User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable commands
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable commands - Office Button | Excel Options | Customize | All Commands | Save as Web Page
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable commands - Office Button | Excel Options | Customize | All Commands | Web Page Preview
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable commands - Office Button | Send | Email
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable commands - Insert | Links | Hyperlink
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable commands - Review | Changes | Protect Sheet
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable commands - Review | Changes | Protect Workbook
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable commands - Review | Changes | Protect and Share Workbook
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable commands - View | Macros | Macros
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable commands - Developer | Code | Macros
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable commands - Developer | Code | Record Macro
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable commands - Developer | Code | Macro Security
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable commands - Developer | Code | Visual Basic
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable commands - Office Button | Excel Options | Customize | All Commands | Document Location
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable shortcut keys
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable shortcut keys - Ctrl+K (Insert | Links | Hyperlink)
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable shortcut keys - Alt+F8 (Developer | Code | Macros)
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable shortcut keys - Alt+F11 (Developer | Code | Visual Basic)
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Block file formats\Open\Block opening of pre-release versions of file formats new to Excel 2007
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Block file formats\Open\Block opening of Open XML file types
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Block file formats\Open\Block opening of Binary 12 file types
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Block file formats\Open\Block opening of Binary file types

User Configuration\Administrative
Templates\Microsoft Office Excel
2007\Block file formats\Open\Block
opening of Html and Xmlss files types
User Configuration\Administrative
Templates\Microsoft Office Excel
2007\Block file formats\Open\Block
opening of Xml file types

User Configuration\Administrative
Templates\Microsoft Office Excel
2007\Block file formats\Open\Block
opening of DIF and SYLK file types

User Configuration\Administrative
Templates\Microsoft Office Excel
2007\Block file formats\Open\Block
opening of Text file types

User Configuration\Administrative
Templates\Microsoft Office Excel
2007\Block file formats\Open\Block
opening of Xll file type

User Configuration\Administrative
Templates\Microsoft Office Excel
2007\Block file formats\Save\Block
saving of Open Xml file types

User Configuration\Administrative
Templates\Microsoft Office Excel
2007\Block file formats\Save\Block
saving of Binary12 file types

User Configuration\Administrative
Templates\Microsoft Office Excel
2007\Block file formats\Save\Block
saving of Binary file types

User Configuration\Administrative
Templates\Microsoft Office Excel
2007\Block file formats\Save\Block
saving of Html and Xmlss file types

User Configuration\Administrative
Templates\Microsoft Office Excel
2007\Block file formats\Save\Block
saving Xml file types

User Configuration\Administrative
Templates\Microsoft Office Excel
2007\Block file formats\Save\Block
saving DIF and SYLK file types
User Configuration\Administrative
Templates\Microsoft Office Excel
2007\Block file formats\Save\Block
saving of Text file types

User Configuration\Administrative
Templates\Microsoft Office Excel
2007\Miscellaneous\Locally cache
network file storages

User Configuration\Administrative
Templates\Microsoft Office Excel
2007\Miscellaneous\Locally cache
PivotTable reports

User Configuration\Administrative
Templates\Microsoft Office Excel
2007\Miscellaneous\OLAP PivotTable
User Defined Function (UDF) security
setting (Allow ALL UDFs | Allow safe
UDFs only | Allow NO UDFs)


User Configuration\Administrative
Templates\Microsoft Office Excel
2007\Miscellaneous\Recognize
SmartTags
User Configuration\Administrative
Templates\Microsoft Office InfoPath
2007\Tools | Options\General\Number
of documents in the Recent Documents
list (0 - 9)

User Configuration\Administrative
Templates\Microsoft Office InfoPath
2007\Tools |
Options\Advanced\Offline\Offline Mode
status (Disabled | Enabled, InfoPath in
Offline Mode | Enabled, InfoPath not in
Offline Mode)

User Configuration\Administrative
Templates\Microsoft Office InfoPath
2007\Disable items in user
interface\Predefined\Disable commands

User Configuration\Administrative
Templates\Microsoft Office InfoPath
2007\Disable items in user
interface\Predefined\Disable
commands - File | Print
User Configuration\Administrative
Templates\Microsoft Office InfoPath
2007\Disable items in user
interface\Predefined\Disable
commands - File | Send to Mail
Recipient
User Configuration\Administrative
Templates\Microsoft Office InfoPath
2007\Disable items in user
interface\Predefined\Disable
commands - File | Open from
SharePoint Site
User Configuration\Administrative
Templates\Microsoft Office InfoPath
2007\Disable items in user
interface\Predefined\Disable
commands - File | Print Preview

User Configuration\Administrative
Templates\Microsoft Office InfoPath
2007\Disable items in user
interface\Predefined\Disable
commands - File | Page Setup

User Configuration\Administrative
Templates\Microsoft Office InfoPath
2007\Disable items in user
interface\Predefined\Disable
commands - Insert | Hyperlinks...

User Configuration\Administrative
Templates\Microsoft Office InfoPath
2007\Disable items in user
interface\Predefined\Disable
commands - Tools | Set Language

User Configuration\Administrative
Templates\Microsoft Office InfoPath
2007\Disable items in user
interface\Predefined\Disable
commands - Tools | Customize...

User Configuration\Administrative
Templates\Microsoft Office InfoPath
2007\Disable items in user
interface\Predefined\Disable
commands - Tools | Options...
User Configuration\Administrative
Templates\Microsoft Office InfoPath
2007\Disable items in user
interface\Predefined\Disable
commands - Help | Microsoft Office
Online
User Configuration\Administrative
Templates\Microsoft Office InfoPath
2007\Disable items in user
interface\Predefined\Disable
commands - Office Diagnostics

User Configuration\Administrative
Templates\Microsoft Office InfoPath
2007\Disable items in user
interface\Predefined\Disable
commands - Help | Activate Product...

User Configuration\Administrative
Templates\Microsoft Office InfoPath
2007\Disable items in user
interface\Predefined\Disable
commands - Print Default
User Configuration\Administrative
Templates\Microsoft Office InfoPath
2007\Disable items in user
interface\Predefined\Disable shortcut
keys
User Configuration\Administrative
Templates\Microsoft Office InfoPath
2007\Disable items in user
interface\Predefined\Disable shortcut
keys - Print Shortcut (Ctrl+P)

User Configuration\Administrative
Templates\Microsoft Office InfoPath
2007\Disable items in user
interface\Predefined\Disable shortcut
keys - Insert Hyperlink Shortcut (Ctrl+K)

User Configuration\Administrative
Templates\Microsoft Office InfoPath
2007\Security\Control behavior for
Windows SharePoint Services gradual
upgrade (Allow redirections to any
location | Allow redirections to Intranet
only | Block all redirections)
User Configuration\Administrative
Templates\Microsoft Office InfoPath
2007\Security\Disable opening of
solutions from the Internet security zone


User Configuration\Administrative
Templates\Microsoft Office InfoPath
2007\Security\Disable fully trusted
solutions full access to computer

User Configuration\Administrative
Templates\Microsoft Office InfoPath
2007\Security\Allow the use of ActiveX
Custom Controls in InfoPath forms


User Configuration\Administrative
Templates\Microsoft Office InfoPath
2007\Security\Run forms in restricted
mode if they do not specify a publish
location and use only features
introduced before InfoPath 2003 SP1



User Configuration\Administrative
Templates\Microsoft Office InfoPath
2007\Security\Allow file types as
attachments to forms

User Configuration\Administrative
Templates\Microsoft Office InfoPath
2007\Security\Block specific file types
as attachments to forms

User Configuration\Administrative
Templates\Microsoft Office InfoPath
2007\Security\Prevent users from
allowing unsafe file types to be
attached to forms

User Configuration\Administrative
Templates\Microsoft Office InfoPath
2007\Security\Display a warning that a
form is digitally signed
User Configuration\Administrative
Templates\Microsoft Office InfoPath
2007\Security\Control behavior when
opening forms in the Internet security
zone (Block | Prompt | Allow)


User Configuration\Administrative
Templates\Microsoft Office InfoPath
2007\Security\Control behavior when
opening forms in the Intranet security
zone (Block | Prompt | Allow)


User Configuration\Administrative
Templates\Microsoft Office InfoPath
2007\Security\Control behavior when
opening forms in the Local Machine
security zone (Block | Prompt | Allow)



User Configuration\Administrative
Templates\Microsoft Office InfoPath
2007\Security\Control behavior when
opening forms in the Trusted Site
security zone (Block | Prompt | Allow)


User Configuration\Administrative
Templates\Microsoft Office InfoPath
2007\Security\Beaconing UI for forms
opened in InfoPath (Never show
beaconing UI | Always show beaconing
UI | Show UI if Form Template is from
Internet Zone)



User Configuration\Administrative
Templates\Microsoft Office InfoPath
2007\Security\Beaconing UI for forms
opened in InfoPath Editor ActiveX
(Never show beaconing UI | Always
show beaconing UI | Show UI if Form
Template is from Internet Zone)
User Configuration\Administrative
Templates\Microsoft Office InfoPath
2007\Security\Trust Center\Disable all
application add-ins

User Configuration\Administrative
Templates\Microsoft Office InfoPath
2007\Security\Trust Center\Require that
application add-ins are signed by
Trusted Publisher

User Configuration\Administrative
Templates\Microsoft Office InfoPath
2007\Security\Trust Center\Disable
Trust Bar Notification for unsigned
application add-ins

User Configuration\Administrative
Templates\Microsoft Office InfoPath
2007\Disable items in user
interface\Control behavior when
opening InfoPath e-mail forms
containing code or script (Run without
prompting | Prompt before running |
Never run)


User Configuration\Administrative
Templates\Microsoft Office InfoPath
2007\Disable items in user
interface\Disable sending form template
with e-mail forms

User Configuration\Administrative
Templates\Microsoft Office InfoPath
2007\Disable items in user
interface\Disable dynamic caching of
the form template in InfoPath e-mail
forms

User Configuration\Administrative
Templates\Microsoft Office InfoPath
2007\Disable items in user
interface\Disable sending InfoPath
2003 Forms as e-mail forms

User Configuration\Administrative
Templates\Microsoft Office InfoPath
2007\Disable items in user
interface\Disable e-mail forms running
in restricted security level
User Configuration\Administrative
Templates\Microsoft Office InfoPath
2007\Disable items in user
interface\Disable e-mail forms from the
Internet security zone

User Configuration\Administrative
Templates\Microsoft Office InfoPath
2007\Disable items in user
interface\Disable e-mail forms from the
Intranet security zone

User Configuration\Administrative
Templates\Microsoft Office InfoPath
2007\Disable items in user
interface\Disable e-mail forms from the
Full Trust security zone

User Configuration\Administrative
Templates\Microsoft Office InfoPath
2007\Disable items in user
interface\Disable InfoPath e-mail forms
in Outlook
User Configuration\Administrative
Templates\Microsoft Office InfoPath
2007\Restricted Features\Information
Rights Management

User Configuration\Administrative
Templates\Microsoft Office InfoPath
2007\Restricted Features\Custom code

User Configuration\Administrative
Templates\Microsoft Office InfoPath
2007\Miscellaneous\Email Forms
Beaconing UI (Never show UI | Always
show UI | Show UI if XSN is in Internet
Zone)


User Configuration\Administrative
Templates\Microsoft Office 2007
system\Global
Options\Customize\Disable user
customization of Quick Access Toolbar
via UI
User Configuration\Administrative
Templates\Microsoft Office 2007
system\Global
Options\Customize\Disable user
customization of Quick Access Toolbar
via UI - Disallow in Word
User Configuration\Administrative
Templates\Microsoft Office 2007
system\Global
Options\Customize\Disable user
customization of Quick Access Toolbar
via UI - Disallow in Excel
User Configuration\Administrative
Templates\Microsoft Office 2007
system\Global
Options\Customize\Disable user
customization of Quick Access Toolbar
via UI - Disallow in PowerPoint

User Configuration\Administrative
Templates\Microsoft Office 2007
system\Global
Options\Customize\Disable user
customization of Quick Access Toolbar
via UI - Disallow in Access
User Configuration\Administrative
Templates\Microsoft Office 2007
system\Global
Options\Customize\Disable user
customization of Quick Access Toolbar
via UI - Disallow in Outlook
User Configuration\Administrative
Templates\Microsoft Office 2007
system\Global
Options\Customize\Disable all user
customization of Quick Access Toolbar

User Configuration\Administrative
Templates\Microsoft Office 2007
system\Global
Options\Customize\Disable all user
customization of Quick Access Toolbar -
 Disallow in Word
User Configuration\Administrative
Templates\Microsoft Office 2007
system\Global
Options\Customize\Disable all user
customization of Quick Access Toolbar -
 Disallow in Excel
User Configuration\Administrative
Templates\Microsoft Office 2007
system\Global
Options\Customize\Disable all user
customization of Quick Access Toolbar -
 Disallow in PowerPoint
User Configuration\Administrative
Templates\Microsoft Office 2007
system\Global
Options\Customize\Disable all user
customization of Quick Access Toolbar -
 Disallow in Access
User Configuration\Administrative
Templates\Microsoft Office 2007
system\Global
Options\Customize\Disable all user
customization of Quick Access Toolbar -
 Disallow in Outlook
User Configuration\Administrative
Templates\Microsoft Office 2007
system\Global
Options\Customize\Disable UI
extending from documents and
templates
User Configuration\Administrative
Templates\Microsoft Office 2007
system\Global
Options\Customize\Disable UI
extending from documents and
templates - Disallow in Word
User Configuration\Administrative
Templates\Microsoft Office 2007
system\Global
Options\Customize\Disable UI
extending from documents and
templates - Disallow in Excel
User Configuration\Administrative
Templates\Microsoft Office 2007
system\Global
Options\Customize\Disable UI
extending from documents and
templates - Disallow in PowerPoint

User Configuration\Administrative
Templates\Microsoft Office 2007
system\Global
Options\Customize\Disable UI
extending from documents and
templates - Disallow in Access
User Configuration\Administrative
Templates\Microsoft Office 2007
system\Global
Options\Customize\Disable UI
extending from documents and
templates - Disallow in Outlook
User Configuration\Administrative
Templates\Microsoft Office 2007
system\Tools | AutoCorrect Options...
(Excel, Word, PowerPoint and
Access)\Recognize smart tags in Excel

User Configuration\Administrative
Templates\Microsoft Office 2007
system\Tools | Options | General | Web
Options...\Disable Clip Art and Media
downloads from the client and from
Office Online website
User Configuration\Administrative
Templates\Microsoft Office 2007
system\Tools | Options | General | Web
Options...\Disable template downloads
from the client and from Office Online
website
User Configuration\Administrative
Templates\Microsoft Office 2007
system\Tools | Options | General | Web
Options...\Disable access to updates,
add-ins, and patches on the Office
Online website
User Configuration\Administrative
Templates\Microsoft Office 2007
system\Tools | Options | General | Web
Options...\Prevents users from
uploading document templates to the
Office Online community.
User Configuration\Administrative
Templates\Microsoft Office 2007
system\Tools | Options | General | Web
Options...\Disable training practice
downloads from the Office Online
website
User Configuration\Administrative
Templates\Microsoft Office 2007
system\Tools | Options | General | Web
Options...\Disable customer-submitted
templates downloads from Office Online

User Configuration\Administrative
Templates\Microsoft Office 2007
system\Tools | Options | General | Web
Options...\Files\Open Office documents
as read/write while browsing
User Configuration\Administrative
Templates\Microsoft Office 2007
system\Tools | Options | General | Web
Options...\Browsers\Rely on VML for
displaying graphics in browsers

User Configuration\Administrative
Templates\Microsoft Office 2007
system\Tools | Options | General | Web
Options...\Browsers\Allow PNG as an
output format
User Configuration\Administrative
Templates\Microsoft Office 2007
system\Tools | Options |
Spelling\Proofing Data
Collection\Improve Proofing Tools
User Configuration\Administrative
Templates\Microsoft Office 2007
system\Privacy\Trust Center\Disable
Opt-in Wizard on first run

User Configuration\Administrative
Templates\Microsoft Office 2007
system\Help\Microsoft Office Online
User Configuration\Administrative
Templates\Microsoft Office 2007
system\Security Settings\Disable
Password Caching
User Configuration\Administrative
Templates\Microsoft Office 2007
system\Security Settings\Disable all
Trust Bar notifications for security
issues
User Configuration\Administrative
Templates\Microsoft Office 2007
system\Security Settings\Protect
document metadata for rights managed
Office Open XML Files

User Configuration\Administrative
Templates\Microsoft Office 2007
system\Security Settings\Protect
document metadata for password
protected files.
User Configuration\Administrative
Templates\Microsoft Office 2007
system\Security Settings\Encryption
type for password protected Office
Open XML files
User Configuration\Administrative
Templates\Microsoft Office 2007
system\Security Settings\Encryption
type for password protected Office 97-
2003 files
User Configuration\Administrative
Templates\Microsoft Office 2007
system\Security Settings\Load Controls
in Forms3 (1 | 2 | 3 | 4)
User Configuration\Administrative
Templates\Microsoft Office 2007
system\Security Settings\Automation
Security (Disable macros by default |
Use application macro security level |
Macros enabled)




User Configuration\Administrative
Templates\Microsoft Office 2007
system\Security Settings\Prevent Word
and Excel from loading managed code
extensions

User Configuration\Administrative
Templates\Microsoft Office 2007
system\Security Settings\Disable
hyperlink warnings
User Configuration\Administrative
Templates\Microsoft Office 2007
system\Security Settings\Disable
password to open UI
User Configuration\Administrative
Templates\Microsoft Office 2007
system\Security Settings\Download
Office Controls
User Configuration\Administrative
Templates\Microsoft Office 2007
system\Security Settings\Disable All
ActiveX
User Configuration\Administrative
Templates\Microsoft Office 2007
system\Security Settings\Trust
Center\Allow mix of policy and user
locations
User Configuration\Administrative
Templates\Microsoft Office 2007
system\Smart Documents (Word,
Excel)\Disable Smart Document's use
of manifests
User Configuration\Administrative
Templates\Microsoft Office 2007
system\Smart Documents (Word,
Excel)\Completely disable the Smart
Documents feature in Word and Excel

User Configuration\Administrative
Templates\Microsoft Office 2007
system\Services\Fax\Disable Internet
Fax feature

User Configuration\Administrative
Templates\Microsoft Office 2007
system\Manage Restricted
Permissions\Prevent users from
changing permissions on rights
managed content
User Configuration\Administrative
Templates\Microsoft Office 2007
system\Manage Restricted
Permissions\Allow users with earlier
versions of Office to read with
browsers...
User Configuration\Administrative
Templates\Microsoft Office 2007
system\Manage Restricted
Permissions\Always require users to
connect to verify permission
User Configuration\Administrative
Templates\Microsoft Office 2007
system\Manage Restricted
Permissions\Always expand groups in
Office when restricting permission for
documents
User Configuration\Administrative
Templates\Microsoft Office 2007
system\Manage Restricted
Permissions\Never allow users to
specify groups when restricting
permission for documents
User Configuration\Administrative
Templates\Microsoft Office 2007
system\Manage Restricted
Permissions\Disable Microsoft Passport
service for content with restricted
permission
User Configuration\Administrative
Templates\Microsoft Office 2007
system\Manage Restricted
Permissions\Do not allow users to
upgrade Information Rights
Management configuration
User Configuration\Administrative
Templates\Microsoft Office 2007
system\Signing\Key Usage Filtering
User Configuration\Administrative
Templates\Microsoft Office 2007
system\Signing\EKU filtering

User Configuration\Administrative
Templates\Microsoft Office 2007
system\Signing\Legacy format
signatures
User Configuration\Administrative
Templates\Microsoft Office 2007
system\Signing\Suppress Office
Signing Providers (Enable Western and
East Asian | Suppress default Western |
Suppress default East Asian | Suppress
both Western and East Asian)



User Configuration\Administrative
Templates\Microsoft Office 2007
system\Signing\Suppress external
signature services menu item

User Configuration\Administrative
Templates\Microsoft Office 2007
system\Office Diagnostics\Disable
Check For Solutions
User Configuration\Administrative
Templates\Microsoft Office 2007
system\Microsoft Save As PDF and
XPS add-ins\Disable inclusion of
document properties in PDF and XPS
output
User Configuration\Administrative
Templates\Microsoft Office 2007
system\Document Information
Panel\Disable Document Information
Panel
User Configuration\Administrative
Templates\Microsoft Office 2007
system\Document Information
Panel\Document Information Panel
Beaconing UI (Never show UI | Always
show UI | Show UI if XSN is in Internet
Zone)
User Configuration\Administrative
Templates\Microsoft Office 2007
system\Server Settings\Disable the
Office client from polling the Office
server for published links

User Configuration\Administrative
Templates\Microsoft Office 2007
system\Office 2007 Converters\Block
opening of pre-release versions of file
formats new to Word 2007 through the
Compatibility Pack for the 2007 Office
system and Word 2007 Open
XML/Word 97-2003 Format Converter



User Configuration\Administrative
Templates\Microsoft Office 2007
system\Office 2007 Converters\Block
opening of pre-release versions of file
formats new to Excel 2007 through the
Compatibility Pack for the 2007 Office
system and Excel 2007 Converter


User Configuration\Administrative
Templates\Microsoft Office 2007
system\Office 2007 Converters\Block
opening of pre-release versions of file
formats new to PowerPoint 2007
through the Compatibility Pack for the
2007 Office system and PowerPoint
2007 Converter


User Configuration\Administrative
Templates\Microsoft Office 2007
system\Miscellaneous\Control Blogging
(Enabled | Only SharePoint blogs
allowed | All blogging disabled)

User Configuration\Administrative
Templates\Microsoft Office 2007
system\Miscellaneous\Enable Smart
Resume

User Configuration\Administrative
Templates\Microsoft Office 2007
system\Miscellaneous\Do not upload
media files
User Configuration\Administrative
Templates\Microsoft Office 2007
system\Miscellaneous\Disable
hyperlinks to web templates in File |
New and task panes
User Configuration\Administrative
Templates\Microsoft Office 2007
system\Miscellaneous\Prevent access
to Web-based file storage

User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Tools | Options...\Preferences\E-
mail Options\Do not allow attachment
previewing in Outlook

User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Tools | Options...\Preferences\E-
mail Options\Read e-mail as plain text

User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Tools | Options...\Preferences\E-
mail Options\Read signed e-mail as
plain text

User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Tools |
Options...\Preferences\Calendar
Options\Microsoft Office Online Sharing
Service\Prevent publishing to Office
Online
User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Tools |
Options...\Preferences\Calendar
Options\Microsoft Office Online Sharing
Service\Prevent publishing to a DAV
server
User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Tools |
Options...\Preferences\Calendar
Options\Microsoft Office Online Sharing
Service\Restrict level of calendar details
users can publish (All options are
available | Disables 'Full details' |
Disables 'Full details' and 'Limited
details')
User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Tools |
Options...\Preferences\Calendar
Options\Microsoft Office Online Sharing
Service\Access to published calendars

User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Tools |
Options...\Preferences\Calendar
Options\Microsoft Office Online Sharing
Service\Restrict upload method

User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Tools |
Options...\Preferences\Junk E-
mail\Hide Junk Mail UI
User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Tools |
Options...\Preferences\Junk E-
mail\Junk E-mail protection level (No
Protection, Low, High, Trusted Lists
Only)
User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Tools |
Options...\Preferences\Junk E-
mail\Trust E-mail from Contacts
User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Tools |
Options...\Preferences\Junk E-mail\Add
e-mail recipients to users' Safe
Senders Lists
User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Tools | Options...\Mail Setup\Dial-
up options

User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Tools | Options...\Mail Setup\Dial-
up options - Warn before switching dial-
up connection
User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Tools | Options...\Mail Setup\Dial-
up options - Hang up when finished
sending, receiving, or updating

User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Tools | Options...\Mail Setup\Dial-
up options - Automatically dial during a
background Send/Receive


User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Tools | Options...\Mail Format\Do
not allow creating, replying, or
forwarding signatures for e-mail
messages

User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Tools | Options...\Mail
Format\Internet Formatting\Send copy
of pictures with HTML messages
instead of reference to Internet location

User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Tools | Options...\Mail
Format\Internet Formatting\Outlook
Rich Text options (Convert to HTML |
Convert to Plain Text format | Send
Using Outlook Rich Text format)

User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Tools | Options...\Mail
Format\Internet Formatting\Plain text
options
User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Tools | Options...\Mail
Format\Internet Formatting\Plain text
options - Encode attachments in
UUENCODE format when sending a
plain text message
User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Tools | Options...\Mail
Format\Internet Formatting\Message
Format\Set message format (HTML |
Rich Text | Plain Text)
User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Tools | Options...\Other\Make
Outlook the default program for E-mail,
Contacts, and Calendar

User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Tools |
Options...\Other\Advanced\Do not allow
folders in non-default stores to be set
as folder home pages
User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Tools |
Options...\Other\Advanced\Use
Unicode format when dragging e-mail
message to file system
User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Tools |
Options...\Other\Advanced\Do not allow
Outlook object model scripts to run for
shared folders
User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Tools |
Options...\Other\Advanced\Do not allow
Outlook object model scripts to run for
public folders
User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Tools | Options...\Other\Person
Names\Set maximum level of online
status on a person name (Do not allow |
Allow everywhere except To and CC
field | Allow everywhere)
User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Tools | Options...\Other\Person
Names\Display online status on a
person name (Never | Everywhere
except To and CC field | Everywhere)


User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Tools | Options...\Other\Person
Names\Turn off Enable the Person
Names Smart Tag option

User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Security\Security Form
Settings\Outlook Security Mode
(Outlook Default Security | Use Security
Form from 'Outlook Security Settings'
Public Folder | Use Security Form from
'Outlook 10 Security Settings' Public
Folder | Use Outlook Security Group
Policy)



User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Security\Security Form
Settings\Attachment Security\Display
Level 1 attachments
User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Security\Security Form
Settings\Attachment Security\Allow
users to demote attachments to Level 2

User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Security\Security Form
Settings\Attachment Security\Do not
prompt about Level 1 attachments
when sending an item

User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Security\Security Form
Settings\Attachment Security\Do not
prompt about Level 1 attachments
when closing an item
User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Security\Security Form
Settings\Attachment Security\Allow in-
place activation of embedded OLE
objects
User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Security\Security Form
Settings\Attachment Security\Display
OLE package objects

User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Security\Security Form
Settings\Attachment Security\Add file
extensions to block as Level 1
User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Security\Security Form
Settings\Attachment Security\Remove
file extensions blocked as Level 1

User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Security\Security Form
Settings\Attachment Security\Add file
extensions to block as Level 2
User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Security\Security Form
Settings\Attachment Security\Remove
file extensions blocked as Level 2

User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Security\Security Form
Settings\Custom Form Security\Allow
scripts in one-off Outlook forms

User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Security\Security Form
Settings\Custom Form Security\Set
Outlook object model Custom Actions
execution prompt (Prompt User |
Automatically Approve | Automatically
Deny | Prompt user based on computer
security)
User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Security\Security Form
Settings\Custom Form Security\Set
control ItemProperty prompt (Prompt
User | Automatically Approve |
Automatically Deny | Prompt user
based on computer security)

User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Security\Security Form
Settings\Programmatic
Security\Configure Outlook object
model prompt when sending mail
(Prompt User | Automatically Approve |
Automatically Deny | Prompt user
based on computer security)


User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Security\Security Form
Settings\Programmatic
Security\Configure Outlook object
model prompt when accessing an
address book (Prompt User |
Automatically Approve | Automatically
Deny | Prompt user based on computer
security)

User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Security\Security Form
Settings\Programmatic
Security\Configure Outlook object
model prompt when reading address
information (Prompt User |
Automatically Approve | Automatically
Deny | Prompt user based on computer
security)
User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Security\Security Form
Settings\Programmatic
Security\Configure Outlook object
model prompt when responding to
meeting and task requests (Prompt
User | Automatically Approve |
Automatically Deny | Prompt user
based on computer security)


User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Security\Security Form
Settings\Programmatic
Security\Configure Outlook object
model prompt when executing Save As
(Prompt User | Automatically Approve |
Automatically Deny | Prompt user
based on computer security)


User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Security\Security Form
Settings\Programmatic
Security\Configure Outlook object
model prompt When accessing the
Formula property of a UserProperty
object (Prompt User | Automatically
Approve | Automatically Deny | Prompt
user based on computer security)



User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Security\Security Form
Settings\Programmatic
Security\Configure Outlook object
model prompt when accessing address
information via UserProperties.Find
(Prompt User | Automatically Approve |
Automatically Deny | Prompt user
based on computer security)
User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Security\Cryptography\Required
Certificate Authority
User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Security\Cryptography\S/MIME
interoperability with external clients:
(Handle internally | Handle externally |
Handle if possible)


User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Security\Cryptography\Always use
Rich Text formatting in S/MIME
messages

User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Security\Cryptography\S/MIME
password settings

User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Security\Cryptography\S/MIME
password settings - Default S/MIME
password time (minutes): (0 -
2147483647)


User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Security\Cryptography\S/MIME
password settings - Maximum S/MIME
password time (minutes): (0 -
2147483647)


User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Security\Cryptography\Message
Formats
User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Security\Cryptography\Message
Formats - Support the following
message formats: (S/MIME | Exchange
| Fortezza | S/MIME and Exchange |
S/MIME and Fortezza | Exchange and
Fortezza | S/MIME, Exchange, and
Fortezza)



User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Security\Cryptography\Do not
provide Continue option on Encryption
warning dialog boxes




User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Security\Cryptography\Run in
FIPS compliant mode

User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Security\Cryptography\Encrypt all
e-mail messages




User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Security\Cryptography\Sign all e-
mail messages

User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Security\Cryptography\URL for
S/MIME certificates
User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Security\Cryptography\Ensure all
S/MIME signed messages have a label

User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Security\Cryptography\S/MIME
receipt requests (Open message if
receipt can't be sent | Don't open
message if receipt can't be sent |
Always prompt before sending receipt |
Never send S/MIME )



User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Security\Cryptography\Fortezza
certificate policies
User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Security\Cryptography\Require
SuiteB algorithms for S/MIME
operations

User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Security\Cryptography\Signature
Status dialog box\Missing CRLs
User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Security\Cryptography\Signature
Status dialog box\Missing CRLs -
Indicate a missing CRL as a(n):
(warning | error)
User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Security\Cryptography\Signature
Status dialog box\Missing root
certificates
User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Security\Cryptography\Signature
Status dialog box\Missing root
certificates - Indicate a missing root
certificate as a(n): (neither error nor
warning | warning | error)
User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Security\Cryptography\Signature
Status dialog box\Promote Level 2
errors as errors, not warnings
User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Security\Cryptography\Signature
Status dialog box\Attachment Secure
Temporary Folder
User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Security\Automatic Picture
Download Settings\Display pictures and
external content in HTML e-mail

User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Security\Automatic Picture
Download Settings\Automatically
download content for e-mail from
people in Safe Senders and Safe
Recipients Lists

User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Security\Automatic Picture
Download Settings\Do not permit
download of content from safe zones

User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Security\Automatic Picture
Download Settings\Block Trusted Zones

User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Security\Automatic Picture
Download Settings\Include Internet in
Safe Zones for Automatic Picture
Download

User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Security\Automatic Picture
Download Settings\Include Intranet in
Safe Zones for Automatic Picture
Download
User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Security\Trust Center\Security
setting for macros (Always warn | Never
warn, disable all | Warn for signed,
disable unsigned | No security check)


User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Security\Trust Center\Enable links
in e-mail messages

User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Security\Trust Center\Apply
macro security settings to macros, add-
ins, and SmartTags


User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Tools | Account
Settings\Exchange\Automatically
configure profile based on Active
Directory Primary SMTP address

User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Tools | Account
Settings\Exchange\Do not allow users
to change permissions on folders

User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Tools | Account
Settings\Exchange\Enable RPC
encryption
User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Tools | Account
Settings\Exchange\Authentication with
Exchange Server (Kerberos/NTLM
Password Authentication | Kerberos
Password Authentication | NTLM
Password Authentication)
User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Tools | Account Settings\RSS
Feeds\Synchronize Outlook RSS Feeds
with Common Feed List

User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Tools | Account Settings\RSS
Feeds\Turn off RSS feature

User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Tools | Account Settings\RSS
Feeds\Automatically download
enclosures
User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Tools | Account Settings\RSS
Feeds\Download full text of articles as
HTML attachments

User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Tools | Account Settings\Internet
Calendars\Automatically download
attachments

User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Tools | Account Settings\Internet
Calendars\Do not include Internet
Calendar integration in Outlook

User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Meeting Workspace\Disable user
entries to server list (Publish default,
allow others | Publish default, disallow
others)

User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Miscellaneous\Do not expand
distribution lists
User Configuration\Administrative
Templates\Microsoft Office PowerPoint
2007\PowerPoint Options\Save\Save
files in this format (PowerPoint
Presentation (*.pptx) | PowerPoint
Macro-Enabled Presentation (*.pptm) |
PowerPoint 97-2003 Presentation
(*.ppt))


User Configuration\Administrative
Templates\Microsoft Office PowerPoint
2007\PowerPoint
Options\Advanced\Number of
documents in the Recent Documents
list (0 - 50)
User Configuration\Administrative
Templates\Microsoft Office PowerPoint
2007\PowerPoint
Options\Security\Determine whether to
force encrypted macros to be scanned
in Microsoft PowerPoint Open XML
presentations


User Configuration\Administrative
Templates\Microsoft Office PowerPoint
2007\PowerPoint Options\Security\Run
Programs (disable (don't run any
programs) | enable (prompt user before
running) | enable all (run without
prompting))


User Configuration\Administrative
Templates\Microsoft Office PowerPoint
2007\PowerPoint
Options\Security\Make hidden markup
visible
User Configuration\Administrative
Templates\Microsoft Office PowerPoint
2007\PowerPoint
Options\Security\Unblock automatic
download of linked images

User Configuration\Administrative
Templates\Microsoft Office PowerPoint
2007\PowerPoint
Options\Security\Trust Center\Disable
all application add-ins
User Configuration\Administrative
Templates\Microsoft Office PowerPoint
2007\PowerPoint
Options\Security\Trust Center\Require
that application add-ins are signed by
Trusted Publisher
User Configuration\Administrative
Templates\Microsoft Office PowerPoint
2007\PowerPoint
Options\Security\Trust Center\Disable
Trust Bar Notification for unsigned
application add-ins
User Configuration\Administrative
Templates\Microsoft Office PowerPoint
2007\PowerPoint
Options\Security\Trust Center\Trusted
Locations\Allow Trusted Locations not
on the computer

User Configuration\Administrative
Templates\Microsoft Office PowerPoint
2007\PowerPoint
Options\Security\Trust Center\Trusted
Locations\Disable all trusted locations

User Configuration\Administrative
Templates\Microsoft Office PowerPoint
2007\Disable items in user
interface\Predefined\Disable commands

User Configuration\Administrative
Templates\Microsoft Office PowerPoint
2007\Disable items in user
interface\Predefined\Disable
commands - Office Button | PowerPoint
Options | Customize | All Commands |
Web Page Preview

User Configuration\Administrative
Templates\Microsoft Office PowerPoint
2007\Disable items in user
interface\Predefined\Disable
commands - Office Button | Send |
Email
User Configuration\Administrative
Templates\Microsoft Office PowerPoint
2007\Disable items in user
interface\Predefined\Disable
commands - Insert | Links | Hyperlink
User Configuration\Administrative
Templates\Microsoft Office PowerPoint
2007\Disable items in user
interface\Predefined\Disable
commands - Review | Proofing |
Language
User Configuration\Administrative
Templates\Microsoft Office PowerPoint
2007\Disable items in user
interface\Predefined\Disable
commands - View | Macros | Macros

User Configuration\Administrative
Templates\Microsoft Office PowerPoint
2007\Disable items in user
interface\Predefined\Disable
commands - Developer | Code | Macros

User Configuration\Administrative
Templates\Microsoft Office PowerPoint
2007\Disable items in user
interface\Predefined\Disable
commands - Developer | Code | Macro
Security
User Configuration\Administrative
Templates\Microsoft Office PowerPoint
2007\Disable items in user
interface\Predefined\Disable
commands - Developer | Code | Visual
Basic
User Configuration\Administrative
Templates\Microsoft Office PowerPoint
2007\Disable items in user
interface\Predefined\Disable
commands - Office Button | PowerPoint
Options | Customize | All Commands |
Document Location

User Configuration\Administrative
Templates\Microsoft Office PowerPoint
2007\Disable items in user
interface\Predefined\Disable
commands - Disable shortcut keys

User Configuration\Administrative
Templates\Microsoft Office PowerPoint
2007\Disable items in user
interface\Predefined\Disable
commands - Ctrl+K (Insert | Links |
Hyperlink)
User Configuration\Administrative
Templates\Microsoft Office PowerPoint
2007\Disable items in user
interface\Predefined\Disable
commands - Alt+F8 (Developer | Code |
Macros)
User Configuration\Administrative
Templates\Microsoft Office PowerPoint
2007\Disable items in user
interface\Predefined\Disable
commands - Alt+F11 (Developer | Code
| Visual Basic)
User Configuration\Administrative
Templates\Microsoft Office PowerPoint
2007\Block file formats\Open\Block
opening of pre-release versions of file
formats new to PowerPoint 2007


User Configuration\Administrative
Templates\Microsoft Office PowerPoint
2007\Block file formats\Open\Block
opening of Open Xml files types

User Configuration\Administrative
Templates\Microsoft Office PowerPoint
2007\Block file formats\Open\Block
opening of Binary file types

User Configuration\Administrative
Templates\Microsoft Office PowerPoint
2007\Block file formats\Open\Block
opening of Html file types

User Configuration\Administrative
Templates\Microsoft Office PowerPoint
2007\Block file formats\Open\Block
opening of Outlines

User Configuration\Administrative
Templates\Microsoft Office PowerPoint
2007\Block file formats\Open\Block
opening of Converters

User Configuration\Administrative
Templates\Microsoft Office PowerPoint
2007\Block file formats\Save\Block
saving of Open Xml file types
User Configuration\Administrative
Templates\Microsoft Office PowerPoint
2007\Block file formats\Save\Block
saving of Binary file types

User Configuration\Administrative
Templates\Microsoft Office PowerPoint
2007\Block file formats\Save\Block
saving of Html file types

User Configuration\Administrative
Templates\Microsoft Office PowerPoint
2007\Block file formats\Save\Block
saving of Outlines

User Configuration\Administrative
Templates\Microsoft Office PowerPoint
2007\Block file formats\Save\Block
saving of GraphicFilters

User Configuration\Administrative
Templates\Microsoft Office PowerPoint
2007\Block file
formats\Miscellaneous\Disable Slide
Update
User Configuration\Administrative
Templates\Microsoft Office Word
2007\Word Options\Display\Hidden text
User Configuration\Administrative
Templates\Microsoft Office Word
2007\Word Options\Save\Save files in
this format (Word document (*.docx) |
Single Files Web Page (*.mht) | Web
Page (*.htm; *.html) | Web Page,
Filtered (*.htm, *.html) | Rich Text
Format (*.rtf) | Plain Text (*.txt) | Word
6.0/95 (*.doc) | Word 6.0/95 - Chinese
(Simplified) (*.doc) | Word 6.0/95 -
Chinese (Traditional) (*.doc) | Word
6.0/95 - Japanese (*.doc) | Word 6.0/95
- Korean (*.doc) | Word 97-2002 &
6.0/95 - RTF | Word 5.1 for Macintosh
(*.mcw) | Word 5.0 for Macintosh
(*.mcw) | Word 2.x for Windows (*.doc)
| Works 4.0 for Windows (*.wps) |
WordPerfect 5.x for Windows (*.doc) |
WordPerfect 5.1 for DOS (*.doc) |
Word 2007 Macro Enabled Document
(*.docm) | Word 2007 Macro Free
Template (*.dotx) | Word 2007 Macro
Enabled Template (*.dotm) | Word 97 -
2003 Document (*.doc) | Word 97 -
2003 Template (*.dot) | Flat XML
Document (*.xml))




User Configuration\Administrative
Templates\Microsoft Office Word
2007\Word Options\Advanced\Number
of documents in the Recent Documents
list (0-50)

User Configuration\Administrative
Templates\Microsoft Office Word
2007\Word Options\Advanced\Update
automatic links at Open

User Configuration\Administrative
Templates\Microsoft Office Word
2007\Word Options\Advanced\E-mail
Options\Save smart tags in e-mail
User Configuration\Administrative
Templates\Microsoft Office Word
2007\Word Options\Security\Trust
Center\Determine whether to force
encrypted macros to be scanned in
Microsoft Word Open XML documents

User Configuration\Administrative
Templates\Microsoft Office Word
2007\Word Options\Security\Trust
Center\Disable all application add-ins

User Configuration\Administrative
Templates\Microsoft Office Word
2007\Word Options\Security\Trust
Center\Require that application add-ins
are signed by Trusted Publisher

User Configuration\Administrative
Templates\Microsoft Office Word
2007\Word Options\Security\Trust
Center\Disable Trust Bar Notification
for unsigned application add-ins

User Configuration\Administrative
Templates\Microsoft Office Word
2007\Word Options\Security\Trust
Center\Trusted Locations\Allow Trusted
Locations not on the computer

User Configuration\Administrative
Templates\Microsoft Office Word
2007\Word Options\Security\Trust
Center\Trusted Locations\Disable all
trusted locations
User Configuration\Administrative
Templates\Microsoft Office Word
2007\Disable items in user
interface\Predefined\Disable commands

User Configuration\Administrative
Templates\Microsoft Office Word
2007\Disable items in user
interface\Predefined\Disable
commands - Office Button | Word
Options | Customize | All Commands |
Save As Web Page
User Configuration\Administrative
Templates\Microsoft Office Word
2007\Disable items in user
interface\Predefined\Disable
commands - Office Button | Word
Options | Customize | All Commands |
Web Page Preview
User Configuration\Administrative
Templates\Microsoft Office Word
2007\Disable items in user
interface\Predefined\Disable
commands - Office Button | Send |
Email
User Configuration\Administrative
Templates\Microsoft Office Word
2007\Disable items in user
interface\Predefined\Disable
commands - Insert | Links | Hyperlink

User Configuration\Administrative
Templates\Microsoft Office Word
2007\Disable items in user
interface\Predefined\Disable
commands - Review | Protect | Protect
Document
User Configuration\Administrative
Templates\Microsoft Office Word
2007\Disable items in user
interface\Predefined\Disable
commands - View | Macros | Macros

User Configuration\Administrative
Templates\Microsoft Office Word
2007\Disable items in user
interface\Predefined\Disable
commands - Developer | Code | Macros

User Configuration\Administrative
Templates\Microsoft Office Word
2007\Disable items in user
interface\Predefined\Disable
commands - Developer | Code | Record
Macro
User Configuration\Administrative
Templates\Microsoft Office Word
2007\Disable items in user
interface\Predefined\Disable
commands - Developer | Code | Macro
Security
User Configuration\Administrative
Templates\Microsoft Office Word
2007\Disable items in user
interface\Predefined\Disable
commands - Developer | Code | Visual
Basic
User Configuration\Administrative
Templates\Microsoft Office Word
2007\Disable items in user
interface\Predefined\Disable
commands - Developer | Templates |
Document Template
User Configuration\Administrative
Templates\Microsoft Office Word
2007\Disable items in user
interface\Predefined\Disable shortcut
keys
User Configuration\Administrative
Templates\Microsoft Office Word
2007\Disable items in user
interface\Predefined\Disable shortcut
keys - Ctrl+F (Home | Editing | Find)

User Configuration\Administrative
Templates\Microsoft Office Word
2007\Disable items in user
interface\Predefined\Disable shortcut
keys - Ctrl+K (Insert | Links | Hyperlink)

User Configuration\Administrative
Templates\Microsoft Office Word
2007\Disable items in user
interface\Predefined\Disable shortcut
keys - Alt+F8 (Developer | Code |
Macros)
User Configuration\Administrative
Templates\Microsoft Office Word
2007\Disable items in user
interface\Predefined\Disable shortcut
keys - Alt+F11 (Developer | Code |
Visual Basic)
User Configuration\Administrative
Templates\Microsoft Office Word
2007\Block file formats\Open\Block
opening of pre-release versions of file
formats new to Word 2007

User Configuration\Administrative
Templates\Microsoft Office Word
2007\Block file formats\Open\Block
opening of Open XML file types
User Configuration\Administrative
Templates\Microsoft Office Word
2007\Block file formats\Open\Block
opening of Binary file types

User Configuration\Administrative
Templates\Microsoft Office Word
2007\Block file formats\Open\Block
opening of HTML file types

User Configuration\Administrative
Templates\Microsoft Office Word
2007\Block file formats\Open\Block
opening of Word 2003 XML file types

User Configuration\Administrative
Templates\Microsoft Office Word
2007\Block file formats\Open\Block
opening of RTF file types

User Configuration\Administrative
Templates\Microsoft Office Word
2007\Block file formats\Open\Block
open Converters

User Configuration\Administrative
Templates\Microsoft Office Word
2007\Block file formats\Open\Block
opening of Text file types

User Configuration\Administrative
Templates\Microsoft Office Word
2007\Block file formats\Open\Block
opening of Internal file types

User Configuration\Administrative
Templates\Microsoft Office Word
2007\Block file formats\Open\Block
opening of files before version

User Configuration\Administrative
Templates\Microsoft Office Word
2007\Block file formats\Save\Block
saving of Open XML file types

User Configuration\Administrative
Templates\Microsoft Office Word
2007\Block file formats\Save\Block
saving of Binary file types
User Configuration\Administrative
Templates\Microsoft Office Word
2007\Block file formats\Save\Block
saving of HTML file types

User Configuration\Administrative
Templates\Microsoft Office Word
2007\Block file formats\Save\Block
saving of Word 2003 XML file types

User Configuration\Administrative
Templates\Microsoft Office Word
2007\Block file formats\Save\Block
saving of RTF file types

User Configuration\Administrative
Templates\Microsoft Office Word
2007\Block file formats\Save\Block
saving of Converters

User Configuration\Administrative
Templates\Microsoft Office Word
2007\Block file formats\Save\Block
saving of Text file types


Computer Configuration\Administrative
Templates\Microsoft Office InfoPath
2007 (Machine)\Security\InfoPath
APTCA Assembly Whitelist


Computer Configuration\Administrative
Templates\Microsoft Office InfoPath
2007 (Machine)\Security\Windows
Internet Explorer Feature Control Opt-
In (None | InfoPath.exe, Document
Information Panel and Workflow forms |
InfoPath.exe, Document Information
Panel, Workflow forms and 3rd Party
Hosting)

Computer Configuration\Administrative
Templates\Microsoft Office InfoPath
2007 (Machine)\Security\InfoPath
APTCA Assembly Whitelist
Enforcement
Computer Configuration\Administrative
Templates\Microsoft Office 2007
system (Machine)\Security
Settings\Disable Package Repair

Computer Configuration\Administrative
Templates\Microsoft Office 2007
system (Machine)\Security Settings\IE
Security\Disable user name and
password


Computer Configuration\Administrative
Templates\Microsoft Office 2007
system (Machine)\Security Settings\IE
Security\Disable user name and
password - excel.exe


Computer Configuration\Administrative
Templates\Microsoft Office 2007
system (Machine)\Security Settings\IE
Security\Disable user name and
password - powerpnt.exe


Computer Configuration\Administrative
Templates\Microsoft Office 2007
system (Machine)\Security Settings\IE
Security\Disable user name and
password - pptview.exe


Computer Configuration\Administrative
Templates\Microsoft Office 2007
system (Machine)\Security Settings\IE
Security\Disable user name and
password - winword.exe


Computer Configuration\Administrative
Templates\Microsoft Office 2007
system (Machine)\Security Settings\IE
Security\Disable user name and
password - outlook.exe
Computer Configuration\Administrative
Templates\Microsoft Office 2007
system (Machine)\Security Settings\IE
Security\Disable user name and
password - spDesign.exe


Computer Configuration\Administrative
Templates\Microsoft Office 2007
system (Machine)\Security Settings\IE
Security\Disable user name and
password - msaccess.exe


Computer Configuration\Administrative
Templates\Microsoft Office 2007
system (Machine)\Security Settings\IE
Security\Bind to object


Computer Configuration\Administrative
Templates\Microsoft Office 2007
system (Machine)\Security Settings\IE
Security\Bind to object - excel.exe


Computer Configuration\Administrative
Templates\Microsoft Office 2007
system (Machine)\Security Settings\IE
Security\Bind to object - powerpnt.exe


Computer Configuration\Administrative
Templates\Microsoft Office 2007
system (Machine)\Security Settings\IE
Security\Bind to object - pptview.exe


Computer Configuration\Administrative
Templates\Microsoft Office 2007
system (Machine)\Security Settings\IE
Security\Bind to object - winword.exe


Computer Configuration\Administrative
Templates\Microsoft Office 2007
system (Machine)\Security Settings\IE
Security\Bind to object - outlook.exe
Computer Configuration\Administrative
Templates\Microsoft Office 2007
system (Machine)\Security Settings\IE
Security\Bind to object - spDesign.exe


Computer Configuration\Administrative
Templates\Microsoft Office 2007
system (Machine)\Security Settings\IE
Security\Bind to object - msaccess.exe


Computer Configuration\Administrative
Templates\Microsoft Office 2007
system (Machine)\Security Settings\IE
Security\Saved from URL


Computer Configuration\Administrative
Templates\Microsoft Office 2007
system (Machine)\Security Settings\IE
Security\Saved from URL - excel.exe


Computer Configuration\Administrative
Templates\Microsoft Office 2007
system (Machine)\Security Settings\IE
Security\Saved from URL -
powerpnt.exe

Computer Configuration\Administrative
Templates\Microsoft Office 2007
system (Machine)\Security Settings\IE
Security\Saved from URL - pptview.exe


Computer Configuration\Administrative
Templates\Microsoft Office 2007
system (Machine)\Security Settings\IE
Security\Saved from URL - winword.exe


Computer Configuration\Administrative
Templates\Microsoft Office 2007
system (Machine)\Security Settings\IE
Security\Saved from URL - outlook.exe
Computer Configuration\Administrative
Templates\Microsoft Office 2007
system (Machine)\Security Settings\IE
Security\Saved from URL -
spDesign.exe

Computer Configuration\Administrative
Templates\Microsoft Office 2007
system (Machine)\Security Settings\IE
Security\Saved from URL -
msaccess.exe

Computer Configuration\Administrative
Templates\Microsoft Office 2007
system (Machine)\Security Settings\IE
Security\Navigate URL


Computer Configuration\Administrative
Templates\Microsoft Office 2007
system (Machine)\Security Settings\IE
Security\Navigate URL - excel.exe


Computer Configuration\Administrative
Templates\Microsoft Office 2007
system (Machine)\Security Settings\IE
Security\Navigate URL - powerpnt.exe


Computer Configuration\Administrative
Templates\Microsoft Office 2007
system (Machine)\Security Settings\IE
Security\Navigate URL - pptview.exe


Computer Configuration\Administrative
Templates\Microsoft Office 2007
system (Machine)\Security Settings\IE
Security\Navigate URL - winword.exe


Computer Configuration\Administrative
Templates\Microsoft Office 2007
system (Machine)\Security Settings\IE
Security\Navigate URL - outlook.exe
Computer Configuration\Administrative
Templates\Microsoft Office 2007
system (Machine)\Security Settings\IE
Security\Navigate URL - spDesign.exe


Computer Configuration\Administrative
Templates\Microsoft Office 2007
system (Machine)\Security Settings\IE
Security\Navigate URL - msaccess.exe


Computer Configuration\Administrative
Templates\Microsoft Office 2007
system (Machine)\Security Settings\IE
Security\Block popups


Computer Configuration\Administrative
Templates\Microsoft Office 2007
system (Machine)\Security Settings\IE
Security\Block popups - excel.exe


Computer Configuration\Administrative
Templates\Microsoft Office 2007
system (Machine)\Security Settings\IE
Security\Block popups - powerpnt.exe


Computer Configuration\Administrative
Templates\Microsoft Office 2007
system (Machine)\Security Settings\IE
Security\Block popups - pptview.exe


Computer Configuration\Administrative
Templates\Microsoft Office 2007
system (Machine)\Security Settings\IE
Security\Block popups - winword.exe


Computer Configuration\Administrative
Templates\Microsoft Office 2007
system (Machine)\Security Settings\IE
Security\Block popups - outlook.exe
Computer Configuration\Administrative
Templates\Microsoft Office 2007
system (Machine)\Security Settings\IE
Security\Block popups - spDesign.exe


Computer Configuration\Administrative
Templates\Microsoft Office 2007
system (Machine)\Security Settings\IE
Security\Block popups - msaccess.exe
CCE ID       CCE Description   CCE Parameters
CCE-3416-5   The rhnsd service should be enabled or disabled as appropriate.   enabled / disabled
CCE-4218-4   The yum-updatesd service should be enabled or disabled as appropriate.   enabled / disabled
CCE-4209-3   The AIDE package should be installed or not as appropriate   installed / uninstalled
CCE-4249-9   The nodev option should be enabled or disabled as appropriate for all non-root partitions.   enabled / disabled
CCE-3522-0   The nodev option should be enabled or disabled as appropriate for all removable media.   enabled / disabled
CCE-4275-4   The noexec option should be enabled or disabled as appropriate for all removable media.   enabled / disabled
CCE-4042-8   The nosuid option should be enabled or disabled as appropriate for all removable media.   enabled / disabled
CCE-3685-5   Console device ownership should be restricted to root-only as appropriate.   root-only / not root-only
CCE-4187-1   The USB device support module should be loaded or not as appropriate   loaded / not loaded
CCE-4006-3   The USB device support module should be installed or not as appropriate   installed / uninstalled
CCE-4173-1   USB kernel support should be enabled or disabled as appropriate.   enabled / disabled
CCE-3944-6   The ability to boot from USB devices should be enabled or disabled as appropriate   enabled / disabled
CCE-4072-5   The autofs service should be enabled or disabled as appropriate.   enabled / disabled
CCE-4231-7   The GNOME automounter (gnome-volume-manager) should be enabled or disabled as appropriate   enabled / disabled
CCE-3988-3   The /etc/shadow file should be owned by the appropriate group.   group
CCE-3883-6   The /etc/group file should be owned by the appropriate group.   group
CCE-3276-3   The /etc/group file should be owned by the appropriate user.   user
CCE-3932-1   File permissions for /etc/gshadow should be set correctly.   permissions
CCE-4064-2   The /etc/gshadow file should be owned by the appropriate group.   group
CCE-4210-1   The /etc/gshadow file should be owned by the appropriate user.   user
CCE-3918-0   The /etc/shadow file should be owned by the appropriate user.   user
CCE-3566-7   File permissions for /etc/passwd should be set correctly.   permissions
CCE-3958-6   The /etc/passwd file should be owned by the appropriate user.   user
CCE-3967-7   File permissions for /etc/group should be set correctly.   permissions
CCE-3495-9   The /etc/passwd file should be owned by the appropriate group.   group
CCE-4130-1   File permissions for /etc/shadow should be set correctly.   permissions
CCE-3399-3   The sticky bit should be set or not set as appropriate for all world-writable directories.   set / not set
CCE-3795-2   The world-write permission should be enabled or disabled as appropriate for all files.   enabled / disabled
CCE-4178-0   The sgid bit should be set or not set as appropriate for all files.   set / not set
CCE-3324-1   The suid bit should be set or not set as appropriate for all files.   set / not set
CCE-4223-4   All files should be owned by a user as appropriate   user / none
CCE-3573-3   All files should be owned by a group as appropriate   group / none
CCE-4220-0   The daemon umask should be set as appropriate   permissions mask
CCE-4225-9   Core dumps for all users should be enabled or disabled as appropriate   enabled / disabled
CCE-4247-3   Core dumps for setuid programs should be enabled or disabled as appropriate   enabled / disabled
CCE-4146-7   ExecShield randomized placement of virtual memory regions should be enabled or disabled as appropriate   enabled / disabled
CCE-4168-1   ExecShield should be enabled or disabled as appropriate   enabled / disabled
CCE-4172-3   Kernel support for the XD/NX processor feature should be enabled or disabled as appropriate   enabled / disabled
CCE-4177-2   The XD/NX processor feature should be enabled or disabled as appropriate in the BIOS   enabled / disabled
CCE-3820-8   Logins through the specified virtual console interface should be enabled or disabled as appropriate   enabled/disabled
CCE-3485-0   Logins through the specified virtual console device should be enabled or disabled as appropriate   enabled/disabled
CCE-4111-1   Logins through the primary console device should be enabled or disabled as appropriate   enabled/disabled
CCE-4256-4   Login prompts on serial ports should be enabled or disabled as appropriate.   enabled/disabled
CCE-4274-7   Command access to the root account should be enabled or disabled as appropriate.   enabled/disabled
CCE-4044-4   Sudo privileges should be granted or rejected to the wheel group as appropriate   grant/reject
CCE-3987-5   Login access to non-root system accounts should be enabled or disabled as appropriate   enabled/disabled
CCE-4238-2   Login access to accounts without passwords should be enabled or disabled as appropriate   enabled/disabled
CCE-4009-7   Anonymous root logins are enabled or disabled as appropriate   enabled/disabled
CCE-4154-1   The password minimum length should be set appropriately   length of password
CCE-4180-6   The "minimum password age" policy should meet minimum requirements.   number of days
CCE-4092-3   The "maximum password age" policy should meet minimum requirements.   number of days
CCE-4097-2   The password warn age should be set appropriately   number of days
CCE-4114-5   NIS file inclusions should be set appropriately in the /etc/passwd file
CCE-3762-2   The password strength should meet minimum requirements   password strength
CCE-3410-8   The "account lockout threshold" policy should meet minimum requirements.   number of attempts
CCE-4185-5   The /usr/sbin/userhelper file should be owned by the appropriate group.   group
CCE-3952-9   File permissions for /usr/sbin/userhelper should be set correctly.   permissions
CCE-3301-9   The PATH variable should be set correctly for user root   path
CCE-4090-7   File permissions should be set correctly for the home directories for all user accounts.   permissions
CCE-3844-8   The default umask for all users should be set correctly for the bash shell   umask
CCE-4227-5   The default umask for all users should be set correctly for the csh shell
CCE-3870-3   The default umask for all users should be set correctly
CCE-4144-2   The /etc/grub.conf file should be owned by the appropriate user.   user
CCE-3923-0   File permissions for /etc/grub.conf should be set correctly.   permissions
CCE-3818-2   The grub boot loader should have password protection enabled or disabled as appropriate   password
CCE-4197-0   The /etc/grub.conf file should be owned by the appropriate group.   group
CCE-4241-6   The requirement for a password to boot into single-user mode should be configured correctly.   enabled/disabled
CCE-4245-7   The ability for users to perform interactive startups should be enabled or disabled as appropriate.   enabled/disabled
CCE-3689-7   The idle time-out value for the default /bin/tcsh shell should meet the minimum requirements.   number of minutes
CCE-3707-7   The idle time-out value for the default /bin/bash shell should meet the minimum requirements.   number of minutes
CCE-3315-9   The allowed period of inactivity gnome desktop lockout should be configured correctly.   number of minutes
CCE-3910-7   The vlock package should be installed or not as appropriate   number of minutes
CCE-4060-0   The system login banner text should be set correctly.   banner text
CCE-4188-9   The direct gnome login warning banner should be set correctly.   banner text/xml
CCE-3977-6   SELinux should be enabled or disabled as appropriate   enforcing / permissive / disabled
CCE-3999-0   The SELinux state should be set appropriately.   enforcing / permissive / disabled
CCE-3624-4   The SELinux policy should be set appropriately.   targeted / strict / mls
CCE-4254-9   The setroubleshoot service should be enabled or disabled as appropriate.   enabled / disabled
CCE-4148-3   The setroubleshoot package should be installed or uninstalled as appropriate.   installed / uninstalled
CCE-3668-1   The mcstrans service should be enabled or disabled as appropriate.   enabled / disabled
CCE-4129-3   The restorecond service should be enabled or disabled as appropriate.   enabled / disabled
CCE-4151-7   The default setting for sending ICMP redirects should be enabled or disabled for network interfaces as appropriate.   enabled / disabled
CCE-4155-8   Sending ICMP redirects should be enabled or disabled for all interfaces as appropriate.   enabled / disabled
CCE-3561-8   IP forwarding should be enabled or disabled as appropriate.   enabled / disabled
CCE-3472-8   Accepting "secure" ICMP redirects (those from gateways listed in the default gateways list) should be enabled or disabled for all interfaces as appropriate.   enabled / disabled
CCE-4217-6   Accepting ICMP redirects should be enabled or disabled for all interfaces as appropriate.   enabled / disabled
CCE-4133-5   Ignoring bogus ICMP responses to broadcasts should be enabled or disabled as appropriate.   enabled / disabled
CCE-4265-5   Sending TCP syncookies should be enabled or disabled as appropriate.   enabled / disabled
CCE-3644-2   Ignoring ICMP echo requests (pings) sent to broadcast / multicast addresses should be enabled or disabled as appropriate.   enabled / disabled
CCE-4186-3   The default setting for accepting ICMP redirects should be enabled or disabled for network interfaces as appropriate.   enabled / disabled
CCE-4080-8   Performing source validation by reverse path should be enabled or disabled for all interfaces as appropriate.   enabled / disabled
CCE-3339-9   The default setting for accepting "secure" ICMP redirects (those from gateways listed in the default gateways list) should be enabled or disabled for network interfaces as appropriate.   enabled / disabled
CCE-4320-8   Logging of "martian" packets (those with impossible addresses) should be enabled or disabled for all interfaces as appropriate.   enabled / disabled
CCE-3840-6   The default setting for performing source validation by reverse path should be enabled or disabled for network interfaces as appropriate.   enabled / disabled
CCE-4091-5   The default setting for accepting source routed packets should be enabled or disabled for network interfaces as appropriate.   enabled / disabled
CCE-4236-6   Accepting source routed packets should be enabled or disabled for all interfaces as appropriate.   enabled / disabled
CCE-3628-5   All wireless devices should be enabled or disabled in the BIOS as appropriate.   enabled / disabled
CCE-4276-2   All wireless interfaces should be enabled or disabled as appropriate.   enabled / disabled
CCE-4170-7   Device drivers for wireless devices should be included or excluded from the kernel as appropriate.   included / excluded
CCE-3562-6   Automatic loading of the IPv6 kernel module should be enabled or disabled as appropriate.   enabled / disabled
CCE-3377-9   Global IPv6 initialization should be enabled or disabled as appropriate.   enabled / disabled
CCE-4296-0   IPv6 configuration should be enabled or disabled as appropriate for all interfaces.   enabled / disabled
CCE-3381-1   The default setting for IPv6 configuration should be enabled or disabled for network interfaces as appropriate.   enabled / disabled
CCE-4269-7   Accepting IPv6 router advertisements should be enabled or disabled as appropriate for all network interfaces.   enabled / disabled
CCE-4291-1   The default setting for accepting IPv6 router advertisements should be enabled or disabled for network interfaces as appropriate.   enabled / disabled
CCE-4313-3   Accepting redirects from IPv6 routers should be enabled or disabled as appropriate for all network interfaces.   enabled / disabled
CCE-4198-8   The default setting for accepting redirects from IPv6 routers should be enabled or disabled for network interfaces as appropriate.   enabled / disabled
CCE-3842-2   IPv6 privacy extensions should be configured appropriately for all interfaces.   disabled / lightweight / rfc3041 (alias yes)
CCE-4221-8   The default setting for accepting router preference via IPv6 router advertisement should be enabled or disabled for network interfaces as appropriate.   enabled / disabled
CCE-4137-6   The default number of global unicast IPv6 addresses allowed per network interface should be set appropriately.   number
CCE-4159-0   The default number of IPv6 router solicitations for network interfaces to send should be set appropriately.   number
CCE-3895-0   The default number of IPv6 duplicate address detection solicitations for network interfaces to send per configured address should be set appropriately.   number
CCE-4287-9   The default setting for autoconfiguring network interfaces using prefix information in IPv6 router advertisements should be enabled or disabled as appropriate.   enabled / disabled
CCE-4058-4   The default setting for accepting prefix information via IPv6 router advertisement should be enabled or disabled for network interfaces as appropriate.   enabled / disabled
CCE-4128-5   The default setting for accepting a default router via IPv6 router advertisement should be enabled or disabled for network interfaces as appropriate.   enabled / disabled
CCE-4167-3   The ip6tables service should be enabled or disabled as appropriate.   enabled / disabled
CCE-4189-7   The iptables service should be enabled or disabled as appropriate.   enabled / disabled
CCE-3679-8   The syslog service should be enabled or disabled as appropriate.   enabled / disabled
CCE-3701-0   All syslog log files should be owned by the appropriate group.   group
CCE-4233-3   File permissions for all syslog log files should be set correctly.   permissions
CCE-4366-1   All syslog log files should be owned by the appropriate user.   user
CCE-4260-6   Syslog logs should be sent to a remote loghost or not as appropriate   sent / not sent
CCE-3382-9   Syslogd should accept remote messages or not as appropriate   accept / reject
CCE-4182-2   The logrotate (syslog rotater) service should be enabled or disabled as appropriate.   enabled / disabled
CCE-4323-2   The logwatch service should be enabled or disabled as appropriate   enabled / disabled
CCE-4292-9   The auditd service should be enabled or disabled as appropriate.   enabled / disabled
CCE-4234-1   The inetd service should be enabled or disabled as appropriate.   enabled / disabled
CCE-4252-3   The xinetd service should be enabled or disabled as appropriate.   enabled / disabled
CCE-4023-8   The inetd package should be installed or uninstalled as appropriate.   installed / uninstalled
CCE-4164-0   The xinetd package should be installed or uninstalled as appropriate.   installed / uninstalled
CCE-3390-2   The telnet service should be enabled or disabled as appropriate.   enabled / disabled
CCE-4330-7   The telnet-server package should be installed or uninstalled as appropriate.   installed / uninstalled
CCE-3974-3   The rcp service should be enabled or disabled as appropriate.   enabled / disabled
CCE-4141-8   The rsh service should be enabled or disabled as appropriate.   enabled / disabled
CCE-3537-8   The rlogin service should be enabled or disabled as appropriate.   enabled / disabled
CCE-4308-3   The rsh package should be installed or uninstalled as appropriate.   installed / uninstalled
CCE-3705-1   The ypbind service should be enabled or disabled as appropriate.   enabled / disabled
CCE-4348-9   The ypserv package should be installed or uninstalled as appropriate.   installed / uninstalled
CCE-4273-9   The tftp service should be enabled or disabled as appropriate.   enabled / disabled
CCE-3916-4   The tftp-server package should be installed or uninstalled as appropriate.   installed / uninstalled
CCE-3412-4   The firstboot service should be enabled or disabled as appropriate.   enabled / disabled
CCE-4229-1   The gpm service should be enabled or disabled as appropriate.   enabled / disabled
CCE-4123-6   The irqbalance service should be enabled or disabled as appropriate.   enabled / disabled
CCE-4286-1   The isdn service should be enabled or disabled as appropriate.   enabled / disabled
CCE-3425-6   The kdump service should be enabled or disabled as appropriate.   enabled / disabled
CCE-4211-9   The kudzu service should be enabled or disabled as appropriate.   enabled / disabled
CCE-3854-7   The mdmonitor service should be enabled or disabled as appropriate.   enabled / disabled
CCE-4356-2   The microcode_ctl service should be enabled or disabled as appropriate.   enabled / disabled
CCE-4369-5   The network service should be enabled or disabled as appropriate.   enabled / disabled
CCE-4100-4   The pcscd service should be enabled or disabled as appropriate.   enabled / disabled
CCE-3455-3   The smartd service should be enabled or disabled as appropriate.   enabled / disabled
CCE-4421-4   The readahead_early service should be enabled or disabled as appropriate.   enabled / disabled
CCE-4302-6   The readahead_later service should be enabled or disabled as appropriate.   enabled / disabled
CCE-3822-4   The messagebus service should be enabled or disabled as appropriate.   enabled / disabled
CCE-4364-6   The haldaemon service should be enabled or disabled as appropriate.   enabled / disabled
CCE-4355-4   The bluetooth service should be enabled or disabled as appropriate.   enabled / disabled
CCE-4377-8   The hidd service should be enabled or disabled as appropriate.   enabled / disabled
CCE-4289-5   The apmd service should be enabled or disabled as appropriate.   enabled / disabled
CCE-4298-6   The acpid service should be enabled or disabled as appropriate.   enabled / disabled
CCE-4051-9   The cpuspeed service should be enabled or disabled as appropriate.   enabled / disabled
CCE-4324-0   The crond service should be enabled or disabled as appropriate.   enabled / disabled
CCE-4406-5   The anacron service should be enabled or disabled as appropriate.   enabled / disabled
CCE-4428-9   The anacron package should be installed or uninstalled as appropriate.   installed / uninstalled
CCE-4322-4   The /etc/cron.monthly file should be owned by the appropriate group.   group
CCE-4450-3   File permissions for /etc/cron.daily should be set correctly.   permissions
CCE-4331-5   The /etc/cron.weekly file should be owned by the appropriate group.   group
CCE-3851-3   The /etc/crontab file should be owned by the appropriate user.   user
CCE-4379-4   The /etc/anacrontab file should be owned by the appropriate user.   user
CCE-4388-5   File permissions for /etc/crontab should be set correctly.   permissions
CCE-4054-3   The /etc/cron.hourly file should be owned by the appropriate group.   group
CCE-4441-2   The /etc/cron.monthly file should be owned by the appropriate user.   user
CCE-4212-7   The /etc/cron.d file should be owned by the appropriate group.   group
CCE-4380-2   The /etc/cron.d file should be owned by the appropriate user.   user
CCE-3833-1   The /etc/cron.weekly file should be owned by the appropriate user.   user
CCE-3604-6   The /etc/anacrontab file should be owned by the appropriate group.   group
CCE-4106-1   File permissions for /etc/cron.hourly should be set correctly.   permissions
CCE-3983-4   The /etc/cron.hourly file should be owned by the appropriate user.   user
CCE-3626-9   The /etc/crontab file should be owned by the appropriate group.   group
CCE-4022-0   The /etc/cron.daily file should be owned by the appropriate user.   user
CCE-4304-2   File permissions for /etc/anacrontab should be set correctly.   permissions
CCE-4203-6   File permissions for /etc/cron.weekly should be set correctly.   permissions
CCE-4251-5   File permissions for /etc/cron.monthly should be set correctly.   permissions
CCE-3481-9   The /etc/cron.daily file should be owned by the appropriate group.   group
CCE-4250-7   File permissions for /etc/cron.d should be set correctly.   permissions
CCE-4268-9   The sshd service should be enabled or disabled as appropriate.   enabled / disabled
CCE-4272-1   SSH should be installed or uninstalled as appropriate   installed / uninstalled
CCE-4295-2   Inbound connections to the ssh port should be allowed or denied as appropriate   allow / deny
CCE-4325-7   SSH version 1 protocol support should be enabled or disabled as appropriate.   permitted / not permitted
CCE-3845-5   The SSH idle timeout interval should be set to an appropriate value   integer (seconds)
CCE-4475-0   Emulation of the rsh command through the ssh server should be enabled or disabled as appropriate   enabled / disabled
CCE-4370-3   SSH host-based authentication should be enabled or disabled as appropriate   enabled / disabled
CCE-4387-7   Root login via SSH should be enabled or disabled as appropriate   enabled / disabled
CCE-3660-8   Remote connections from accounts with empty passwords should be enabled or disabled as appropriate   enabled / disabled
CCE-4431-3   SSH warning banner should be enabled or disabled as appropriate   enabled / disabled
CCE-4462-8   X Windows should be enabled or disabled at system boot as appropriate   enabled / disabled
CCE-4422-2   X Windows should be installed or removed as appropriate   installed/removed
CCE-4303-4   X Font Server should be enabled or disabled as appropriate   enabled / disabled
CCE-4448-7   The xfs service should be enabled or disabled as appropriate.   enabled / disabled
CCE-4074-1   X Windows System Listening for remote connections should be enabled or disabled as appropriate   enabled / disabled
CCE-3717-6   Warning banners for gui login users should be enabled or disabled as appropriate   enabled / disabled
CCE-4365-3   The avahi-daemon service should be enabled or disabled as appropriate.   enabled / disabled
CCE-4136-8   The Avahi daemon should be configured to serve via IPv6 or not as appropriate   serve / not serve
CCE-4409-9   The Avahi daemon should be configured to serve via IPv4 or not as appropriate   serve / not serve
CCE-4426-3   Avahi should be configured to accept packets with a TTL field not equal to 255 or not as appropriate   accept / reject
CCE-4193-9   Avahi should be configured to allow other stacks from binding to port 5353 or not as appropriate   allow / disallow
CCE-4444-6   Avahi publishing of local information should be enabled or disabled as appropriate   enabled / disabled
CCE-4352-1   Avahi publishing of local information by user applications should be enabled or disabled as appropriate   enabled / disabled
CCE-4433-9   Avahi publishing of hardware information should be enabled or disabled as appropriate   enabled / disabled
CCE-4451-1   Avahi publishing of workstation name should be enabled or disabled as appropriate   enabled / disabled
CCE-4341-4   Avahi publishing of IP addresses should be enabled or disabled as appropriate   enabled / disabled
CCE-4358-8   Avahi publishing of domain name should be enabled or disabled as appropriate   enabled / disabled
CCE-4112-9   The cups service should be enabled or disabled as appropriate.   enabled / disabled
CCE-3755-6   CUPS service should be enabled or disabled as appropriate   enabled/disabled
CCE-3649-1   Firewall access to printing service should be enabled or disabled as appropriate   enabled / disabled
CCE-4420-6   Remote print browsing should be enabled or disabled as appropriate   enabled / disabled
CCE-4407-3   CUPS should be allowed or denied the ability to listen for incoming printer information as appropriate   allow / deny
CCE-4425-5   The hplip service should be enabled or disabled as appropriate.   enabled / disabled
CCE-4191-3   The dhcp client service should be enabled or disabled as appropriate for each interface.   enabled / disabled
CCE-4336-4   The dhcpd service should be enabled or disabled as appropriate.   enabled / disabled
CCE-4464-4   The dhcp package should be installed or uninstalled as appropriate.   installed / uninstalled
CCE-4257-2   The dynamic DNS feature of the DHCP server should be enabled or disabled as appropriate   enabled / disabled
CCE-4403-2   DHCPDECLINE messages should be accepted or denied by the DHCP server as appropriate   accepted / denied
CCE-4345-5   BOOTP queries should be accepted or denied by the DHCP server as appropriate   accepted / denied
CCE-3724-2   Domain name server information should be sent or not sent by the DHCP server as appropriate.   sent / not sent
CCE-4243-2   Default routers should be sent or not sent by the DHCP server as appropriate.   sent / not sent
CCE-4389-3   Domain name should be sent or not sent by the DHCP server as appropriate.   sent / not sent
CCE-3913-1   NIS domain should be sent or not sent by the DHCP server as appropriate.   sent / not sent
CCE-4169-9   NIS servers should be sent or not sent by the DHCP server as appropriate.   sent / not sent
CCE-4318-2   Time offset should be sent or not sent by the DHCP server as appropriate.   sent / not sent
CCE-4319-0   NTP servers should be sent or not sent by the DHCP server as appropriate.   sent / not sent
CCE-3733-3   dhcpd logging should be enabled or disabled as appropriate.   enabled / disabled
CCE-4376-0   The ntpd service should be enabled or disabled as appropriate.   enabled / disabled
CCE-4134-3   Network access to ntpd should be allowed or denied as appropriate   allow / deny
CCE-4385-1   A remote NTP Server for time synchronization should be specified or not as appropriate   ip address
CCE-4032-9   OpenNTPD should be installed or uninstalled as appropriate   installed / uninstalled
CCE-4424-8   The ntp daemon should be enabled or disabled as appropriate   enabled / disabled
CCE-3487-6   The ntp daemon synchronization server should be set appropriately   local ntp server
CCE-4416-4   The sendmail service should be enabled or disabled as appropriate.   enabled / disabled
CCE-4293-7   The listening sendmail daemon should be enabled or disabled as appropriate.   enabled / disabled
CCE-3501-4   The ldap service should be enabled or disabled as appropriate.   enabled / disabled
                                            permissions
             File permissions for
             /etc/pki/tls/CA/cacert.pem
CCE-4360-4   should be set correctly.
                                            permissions
             File permissions for
             /etc/pki/tls/ldap/serverkey.pem
CCE-4378-6   should be set correctly.
             The /etc/pki/tls/ldap file     user
             should be owned by the
CCE-4492-5   appropriate user.
                                            permissions
             File permissions for
             /etc/pki/tls/ldap/servercert.pem
CCE-4263-0   should be set correctly.
                                            user
             The
             /etc/pki/tls/ldap/serverkey.pem
             file should be owned
CCE-3502-2   by the appropriate user.
             The                            user
             /etc/pki/tls/CA/cacert.pem
             file should be owned by
CCE-4449-5   the appropriate user.
             File permissions for           permissions
             /etc/pki/tls/ldap should be
CCE-4361-2   set correctly.
             The                            group
             /etc/pki/tls/CA/cacert.pem
             file should be owned by
CCE-4427-1   the appropriate group.
                                            group
             The
             /etc/pki/tls/ldap/serverkey.pem
             file should be owned
CCE-4321-6   by the appropriate group.
             The /etc/pki/tls/ldap file     group
             should be owned by the
CCE-4339-8   appropriate group.
                                            user
             The
             /etc/pki/tls/ldap/servercert.pem
             file should be owned
CCE-4105-3   by the appropriate user.
                                            group
             The
             /etc/pki/tls/ldap/servercert.pem
             file should be owned
CCE-3718-4   by the appropriate group.
             The /var/lib/ldap/* files      group
             should be owned by the
CCE-4484-2   appropriate group.
             The /var/lib/ldap/* files      user
             should be owned by the
CCE-4502-1   appropriate user.
             The nfslock service should enabled / disabled
             be enabled or disabled as
CCE-4396-8   appropriate.
             The rpcgssd service            enabled / disabled
             should be enabled or
CCE-3535-2   disabled as appropriate.
             The rpcidmapd service          enabled / disabled
             should be enabled or
CCE-3568-3   disabled as appropriate.
             The netfs service should       enabled / disabled
             be enabled or disabled as
CCE-4533-6   appropriate.
             The portmap service          enabled / disabled
             should be enabled or
CCE-4550-0   disabled as appropriate.
             The lockd service should     static / dynamic
             be configured to use a
             static port or a dynamic
             portmapper port for TCP
CCE-4559-1   as appropriate
             The statd service should     static / dynamic
             be configured to use an
             outgoing static port or an
             outgoing dynamic
             portmapper port as
CCE-4015-4   appropriate
             The statd service should     static / dynamic
             be configured to use a
             static port or a dynamic
             portmapper port as
CCE-3667-3   appropriate
             The lockd service should     static / dynamic
             be configured to use a
             static port or a dynamic
             portmapper port for UDP
CCE-4310-9   as appropriate
             The mountd service           static / dynamic
             should be configured to
             use a static port or a
             dynamic portmapper port
CCE-4438-8   as appropriate
             The rquotad service          static / dynamic
             should be configured to
             use a static port or a
             dynamic portmapper port
CCE-3579-0   as appropriate
             The nfs service should be    enabled / disabled
             enabled or disabled as
CCE-4473-5   appropriate
             The rpcsvcgssd service       enabled / disabled
             should be enabled or
CCE-4491-7   disabled as appropriate
             The nodev option should      enabled / disabled
             be enabled or disabled for
             all NFS mounts as
CCE-4368-7   appropriate
             The nosuid option should     enabled / disabled
             be enabled or disabled for
             all NFS mounts as
CCE-4024-6   appropriate
             The noexec option should     enabled / disabled
             be enabled or disabled for
             all NFS mounts as
CCE-4526-0   appropriate
             Root squashing should be     enabled / disabled
             enabled or disabled as
             appropriate for all NFS
CCE-4544-3   shares
             Restriction of NFS clients   enabled / disabled
             to privileged ports should
             be enabled or disabled as
CCE-4465-1   appropriate
             Write access to NFS          enabled / disabled
             shares should be enabled
             or disabled as appropriate
CCE-4350-5
             The named service should enabled / disabled
             be enabled or disabled as
CCE-3578-2   appropriate.
             The bind package should installed / uninstalled
             be installed or uninstalled
             as appropriate.
CCE-4219-2
             The                          group
             /var/named/chroot/etc/named.conf
             file should be
             owned by the appropriate
CCE-3985-9   group.
             File permissions for         permissions
             /var/named/chroot/etc/named.conf
             should be set
CCE-4487-5   correctly.
             The                          user
             /var/named/chroot/etc/named.conf
             file should be
             owned by the appropriate
CCE-4258-0   user.
             LDAP's dynamic updates       enabled / disabled
             feature should be enabled
             or disabled as appropriate
CCE-4399-2
             The vsftpd service should    enabled / disabled
             be enabled or disabled as
CCE-3919-8   appropriate.
             Logging of vsftpd            enabled / disabled
             transactions should be
             enabled or disabled as
CCE-4549-2   appropriate
             A warning banner for all     enabled / disabled
             FTP users should be
             enabled or disabled as
CCE-4554-2   appropriate
             Local user login to the      enabled / disabled
             vsftpd service should be
             enabled or disabled as
CCE-4443-8   appropriate
             File uploads via vsftpd       enabled / disabled
             should be enabled or
CCE-4461-0   disabled as appropriate
             The httpd service should      enabled / disabled
             be enabled or disabled as
CCE-4338-0   appropriate.
             The httpd package should      installed / uninstalled
             be installed or uninstalled
             as appropriate.
CCE-4514-6
             The apache 2 server         installed / uninstalled
             software should be
             installed or removed as
CCE-4346-3   appropriate
             The apache2 server's        text
             ServerTokens value
             should be set appropriately
CCE-4474-3
             The apache2 server's
             ServerSignature value
             should be set appropriately
CCE-3756-4
             File permissions for          permissions
             /etc/httpd/conf should be
CCE-4509-6   set correctly.
             File permissions for          permissions
             /etc/httpd/conf/* should be
CCE-4386-9   set correctly.
             File permissions for          permissions
             /usr/sbin/httpd should be
CCE-4029-5   set correctly.
             The /etc/httpd/conf/* files
             should be owned by the
CCE-3581-6   appropriate group.
             File permissions for          permissions
             /var/log/httpd should be
CCE-4574-0   set correctly.
             The dovecot service           enabled / disabled
             should be enabled or
CCE-3847-1   disabled as appropriate.
             The dovecot package           installed / uninstalled
             should be installed or
             uninstalled as appropriate.
CCE-4239-0
             Dovecot should be             support / not support
             configured to support the
             imaps protocol or not as
CCE-4384-4   necessary
             Dovecot should be             support / not support
             configured to support the
             pop3s protocol or not as
CCE-3887-7   necessary
             Dovecot should be             support / not support
             configured to support the
             pop3 protocol or not as
CCE-4530-2   necessary
             Dovecot should be             support / not support
             configured to support the
             imap protocol or not as
CCE-4547-6   necessary
             Dovecot plaintext             enabled / disabled
             authentication of clients
             should be enabled or
CCE-4552-6   disabled as necessary
             The Dovecot option to         enabled / disabled
             drop privileges to user
             before executing mail
             process should be enabled
             or not as appropriate
CCE-4371-1
             The Dovecot option to         enabled / disabled
             spawn a new login
             process per connection
             should be enabled or not
CCE-4410-7   as appropriate
             The smb service should        enabled / disabled
             be enabled or disabled as
CCE-4551-8   appropriate.
             The squid service should      enabled / disabled
             be enabled or disabled as
CCE-4556-7   appropriate.
             The squid package should      installed / uninstalled
             be installed or uninstalled
             as appropriate.
CCE-4076-6
             The Squid option to force     enabled / disabled
             FTP passive connections
             should be enabled or not
CCE-4454-5   as appropriate
             The Squid max request         data length
             HTTP header length
             should be set to an
CCE-4353-9   appropriate value
             The Squid option to check     enabled / disabled
             for RFC compliant
             hostnames should be
             enabled or not as
CCE-4503-9   appropriate
             The Squid option to ignore    enabled / disabled
             unknown nameservers
             should be enabled or not
             as appropriate
CCE-3585-7
             The Squid max reply        data length
             HTTP header length
             should be set to an
CCE-4419-8   appropriate value
             The Squid EUID should be user
             set to an appropriate user
CCE-3692-1
             The Squid option to       enabled / disabled
             perform FTP sanity checks
             should be enabled or not
             as appropriate
CCE-4459-4
             The Squid GUID should be group
             set to an appropriate group
CCE-4476-8
             The Squid option to show        enabled / disabled
             proxy client IP addresses
             in HTTP headers should
             be enabled or disabled as
             appropriate
CCE-4181-4
             The Squid option to log   enabled / disabled
             HTTP MIME headers
             should be enabled or
CCE-4577-3   disabled as appropriate
             The Squid option to allow enabled / disabled
             underscores in hostnames
             should be enabled or
             disabled as appropriate
CCE-4344-8
             The Squid option to        enabled / disabled
             suppress the httpd version
             string should be enabled
             or disabled as appropriate
CCE-4494-1
             Squid should be               allow / deny
             configured to allow gss-
             http traffic or not as
CCE-4511-2   appropriate
             Squid should be               allow / deny
             configured to allow https
             traffic or not as appropriate
CCE-4529-4
             Squid should be               allow / deny
             configured to allow wais
             traffic or not as appropriate
CCE-3610-3
             Squid should be                 allow / deny
             configured to allow
             multiling http traffic or not
CCE-4466-9   as appropriate
             Squid should be               allow / deny
             configured to allow http
             traffic or not as appropriate
CCE-4607-8
             Squid should be               allow / deny
             configured to allow ftp
             traffic or not as appropriate
CCE-4255-6
             Squid should be               allow / deny
             configured to allow gopher
             traffic or not as appropriate
CCE-4127-7
             Squid should be               allow / deny
             configured to allow
             filemaker traffic or not as
CCE-4519-5   appropriate
             Squid proxy access to         allow / deny
             localhost should be
             allowed or denied as
CCE-4413-1   appropriate
             Squid should be               allow / deny
             configured to allow http-
             mgmt traffic or not as
CCE-4373-7   appropriate
             The snmpd service should      enabled / disabled
             be enabled or disabled as
CCE-3765-5   appropriate.
             The net-smtp package          installed / uninstalled
             should be installed or
             uninstalled as appropriate.
CCE-4404-0
CCE Technical Mechanisms                             NSA "Guide to the Secure Configuration of Red Hat Enterprise Linux 5" (Section)


via chkconfig                                        2.1.2.2


via chkconfig                                        2.1.2.3.2



via yum                                              2.1.3.1.1


via /etc/fstab                                       2.2.1.1



via /etc/fstab                                       2.2.1.2



via /etc/fstab                                       2.2.1.2



                                                     2.2.1.2



via /etc/security/console.perms.d/50-default.perms   2.2.2.1



via /etc/modprobe.conf                               2.2.2.2.1


via kernel                                           2.2.2.2.2



via /etc/grub.conf                                   2.2.2.2.3
via BIOS        2.2.2.2.4



via chkconfig   2.2.2.3


via gconf       2.2.2.4




via chown       2.2.3.1


via chown       2.2.3.1


via chown       2.2.3.1


via chmod       2.2.3.1


via chown       2.2.3.1


via chown       2.2.3.1


via chown       2.2.3.1


via chmod       2.2.3.1


via chown       2.2.3.1


via chmod       2.2.3.1


via chown       2.2.3.1


via chmod       2.2.3.1


via chmod       2.2.3.2
via chmod                                2.2.3.3



via chmod                                2.2.3.4


via chmod                                2.2.3.4


via chown                                2.2.3.5

via chgrp                                2.2.3.5

via /etc/sysconfig/init                  2.2.4.1


via /etc/security/limits.conf            2.2.4.2


via sysctl - fs.suid_dumpable            2.2.4.2



via sysctl - kernel.randomize_va_space   2.2.4.3




via sysctl - kernel.exec-shield          2.2.4.3


via kernel-PAE                           2.2.4.4.2



via BIOS                                 2.2.4.4.3



via /etc/securetty                       2.3.1.1




via /etc/securetty                       2.3.1.1
via /etc/securetty    2.3.1.1



via /etc/securetty    2.3.1.1



via pam               2.3.1.2



vi /etc/sudoers       2.3.1.3



via /etc/passwd       2.3.1.4



via /etc/shadow       2.3.1.5




via /etc/passwd       2.3.1.6


via /etc/login.defs   2.3.1.7


via /etc/login.defs   2.3.1.7


via /etc/login.defs   2.3.1.7



via /etc/login.defs   2.3.1.7


                      2.3.1.8


via PAM               2.3.3.1


via PAM               2.3.3.2
via chgrp                 2.3.3.4


via chmod                 2.3.3.4


                          2.3.4.1


                          2.3.4.2



umask                     2.3.4.4



                          2.3.4.4


                          2.3.4.4


via chown                 2.3.5.2


via chmod                 2.3.5.2


via /etc/grub.conf        2.3.5.2



via chown                 2.3.5.2


via /etc/inittab          2.3.5.3



via /etc/sysconfig/init   2.3.5.4




via autolockout           2.3.5.5
via /etc/profile.d                                  2.3.5.5



via gconftool-2                                     2.3.5.6.1



via gconftool-2                                     2.3.5.6.1


via /etc/issue                                      2.3.7.1


via RHEL.xml                                        2.3.7.2


via /etc/selinux/config                             2.4.2


via /etc/selinux/config                             2.4.2


via /etc/selinux/config                             2.4.2


via chkconfig                                       2.4.3.1



via yum                                             2.4.3.1



via chkconfig                                       2.4.3.2


via chkconfig                                       2.4.3.3


via sysctl - net.ipv4.conf.default.send_redirects   2.5.1.1




via sysctl - net.ipv4.conf.all.send_redirects       2.5.1.1



via sysctl - net.ipv4.ip_forward                    2.5.1.1
via sysctl - net.ipv4.conf.all.secure_redirects          2.5.1.2




via sysctl - net.ipv4.conf.all.accept_redirects          2.5.1.2




via sysctl - net.ipv4.icmp_ignore_bogus_error_messages   2.5.1.2



via sysctl - net.ipv4.tcp_syncookies                     2.5.1.2



via sysctl - net.ipv4.icmp_echo_ignore_broadcasts        2.5.1.2




via sysctl - net.ipv4.conf.default.accept_redirects      2.5.1.2




via sysctl - net.ipv4.conf.all.rp_filter                 2.5.1.2




via sysctl - net.ipv4.conf.default.secure_redirects      2.5.1.2




via sysctl - net.ipv4.conf.all.log_martians              2.5.1.2
via sysctl - net.ipv4.conf.default.rp_filter                       2.5.1.2




via sysctl - net.ipv4.conf.default.accept_source_route             2.5.1.2




via sysctl - net.ipv4.conf.all.accept_source_route                 2.5.1.2




via BIOS menus                                                     2.5.2.2.1



via ifconfig                                                       2.5.2.2.2


via modprobe                                                       2.5.2.2.3




via /etc/modprobe.conf                                             2.5.3.1.1



via /etc/sysconfig/network                                         2.5.3.1.2


via IPV6INIT in /etc/sysconfig/network-scripts/ifcfg-<interface>   2.5.3.1.2



via /etc/sysconfig/network                                         2.5.3.1.2




(1) via sysctl (2) via IPV6_AUTOCONF in                            2.5.3.2.1
/etc/sysconfig/network
(1) via sysctl (2) via IPV6_AUTOCONF in                     2.5.3.2.1
/etc/sysconfig/network




(1) via sysctl (2) via IPV6_AUTOCONF in                     2.5.3.2.1
/etc/sysconfig/network



(1) via sysctl (2) via IPV6_AUTOCONF in                     2.5.3.2.1
/etc/sysconfig/network




via IPV6_PRIVACY in /etc/sysconfig/network-scripts/ifcfg-<interface>   2.5.3.2.3


via sysctl - net.ipv6.conf.default.accept_ra_rtr_pref       2.5.3.2.5




via sysctl - net.ipv6.conf.default.max_addresses            2.5.3.2.5




via sysctl - net.ipv6.conf.default.router_solicitations     2.5.3.2.5




via sysctl - net.ipv6.conf.default.dad_transmits            2.5.3.2.5




via sysctl - net.ipv6.conf.default.autoconf                 2.5.3.2.5
via sysctl - net.ipv6.conf.default.accept_ra_pinfo    2.5.3.2.5




via sysctl - net.ipv6.conf.default.accept_ra_defrtr   2.5.3.2.5




via chkconfig                                         2.5.5.1


via chkconfig                                         2.5.5.1


via chkconfig                                         2.6.1


via chown                                             2.6.1.2


via chmod                                             2.6.1.2


via chown                                             2.6.1.2


via /etc/syslog.conf                                  2.6.1.3


via /etc/sysconfig/syslog                             2.6.1.4


via cron                                              2.6.1.5



via cron                                              2.6.1.6


via chkconfig                                         2.6.2.1


via chkconfig                                         3.2.1
via chkconfig   3.2.1


via yum         3.2.1



via yum         3.2.1



via chkconfig   3.2.2


via yum         3.2.2



via chkconfig   3.2.3.1


via chkconfig   3.2.3.1


via chkconfig   3.2.3.1


via yum         3.2.3.1



via chkconfig   3.2.4


via yum         3.2.4



via chkconfig   3.2.5


via yum         3.2.5



via chkconfig   3.3.1


via chkconfig   3.3.2
via chkconfig   3.3.3


via chkconfig   3.3.4


via chkconfig   3.3.5


via chkconfig   3.3.6


via chkconfig   3.3.7


via chkconfig   3.3.8



via chkconfig   3.3.9


via chkconfig   3.3.10


via chkconfig   3.3.11


via chkconfig   3.3.12



via chkconfig   3.3.12



via chkconfig   3.3.13.1


via chkconfig   3.3.13.2


via chkconfig   3.3.14.1


via chkconfig   3.3.14.2


via chkconfig   3.3.15.1
via chkconfig   3.3.15.2


via chkconfig   3.3.15.3


via chkconfig   3.4


via chkconfig   3.4.1


via yum         3.4.1



via chown       3.4.2


via chmod       3.4.2


via chown       3.4.2


via chown       3.4.2


via chown       3.4.2


via chmod       3.4.2


via chown       3.4.2


via chown       3.4.2


via chown       3.4.2


via chown       3.4.2


via chown       3.4.2


via chown       3.4.2
via chmod                      3.4.2


via chown                      3.4.2


via chown                      3.4.2
via chown                      3.4.2


via chmod                      3.4.2


via chmod                      3.4.2


via chmod                      3.4.2


via chown                      3.4.2


via chmod                      3.4.2


via chkconfig                  3.5.1.1


via yum                        3.5.1.1


/etc/sysconfig/iptables        3.5.1.2



via /etc/ssh/sshd_config       3.5.2.1



via /etc/ssh/sshd_config       3.5.2.3


via /etc/ssh/sshd_config       3.5.2.4
via /etc/ssh/sshd_config           3.5.2.5



via /etc/ssh/sshd_config           3.5.2.6


via /etc/ssh/sshd_config           3.5.2.7




via /etc/ssh/sshd_config           3.5.2.8


via /etc/inittab                   3.6.1.1



via yum                            3.6.1.2


via chkconfig                      3.6.1.3.1


via chkconfig                      3.6.1.3.1


via /etc/X11/xinit/xserverrc       3.6.1.3.2




via /etc/gdm/custom.conf           3.6.2.1



via chkconfig                      3.7.1.1



via /etc/avahi/avahi-daemon.conf   3.7.2.1



via /etc/avahi/avahi-daemon.conf   3.7.2.1
via /etc/avahi/avahi-daemon.conf   3.7.2.2




via /etc/avahi/avahi-daemon.conf   3.7.2.3




via /etc/avahi/avahi-daemon.conf   3.7.2.4



via /etc/avahi/avahi-daemon.conf   3.7.2.5




via /etc/avahi/avahi-daemon.conf   3.7.2.5



via /etc/avahi/avahi-daemon.conf   3.7.2.5



via /etc/avahi/avahi-daemon.conf   3.7.2.5



via /etc/avahi/avahi-daemon.conf   3.7.2.5



via chkconfig                      3.8.1


via chkconfig                      3.8.1


via /etc/sysconfig/iptables        3.8.2



via /etc/cups/cupsd.conf           3.8.3.1.1


via /etc/cups/cupsd.conf           3.8.3.1.1
via chkconfig                                    3.8.4.1


via /etc/sysconfig/network-scripts/ifcfg-IFACE   3.9.1



via chkconfig                                    3.9.3


via yum                                          3.9.3



via /etc/dhcpd.conf                              3.9.4.1



via /etc/dhcpd.conf                              3.9.4.2




via /etc/dhcpd.conf                              3.9.4.3



via /etc/dhcpd.conf                              3.9.4.4




via /etc/dhcpd.conf                              3.9.4.4



via /etc/dhcpd.conf                              3.9.4.4



via /etc/dhcpd.conf                              3.9.4.4



via /etc/dhcpd.conf                              3.9.4.4



via /etc/dhcpd.conf                              3.9.4.4
via /etc/dhcpd.conf            3.9.4.4



via /etc/syslog.conf           3.9.4.5


via chkconfig                  3.10.2.2.1


via /etc/ntp.conf              3.10.2.2.2


via /etc/ntp.conf              3.10.2.2.3



via openntpd package           3.10.3.1


via /etc/rc.local              3.10.3.2.1


via /usr/local/etc/ntpd.conf   3.10.3.2.2



via chkconfig                  3.11


via /etc/sysconfig/sendmail    3.11.2.1



via chkconfig                  3.12.3.1


via chmod                      3.12.3.4.2



via chmod                      3.12.3.4.2



via chown                      3.12.3.4.2


via chmod                      3.12.3.4.2
via chown       3.12.3.4.2




via chown       3.12.3.4.2



via chmod       3.12.3.4.2


via chown       3.12.3.4.2



via chown       3.12.3.4.2




via chown       3.12.3.4.2


via chown       3.12.3.4.2




via chown       3.12.3.4.2




via chown       3.12.3.7


via chown       3.12.3.7


via chkconfig   3.13.1.1


via chkconfig   3.13.1.1


via chkconfig   3.13.1.1


via chkconfig   3.13.1.2
via chkconfig            3.13.1.3


via /etc/sysconfig/nfs   3.13.2.3




via /etc/sysconfig/nfs   3.13.2.3




via /etc/sysconfig/nfs   3.13.2.3




via /etc/sysconfig/nfs   3.13.2.3




via /etc/sysconfig/nfs   3.13.2.3




via /etc/sysconfig/nfs   3.13.2.3




via chkconfig            3.13.3.1


via chkconfig            3.13.3.1


via /etc/fstab           3.13.3.2



via /etc/fstab           3.13.3.2



via /etc/fstab           3.13.3.2
via /etc/exports       3.13.4.1.2



via /etc/exports       3.13.4.1.3



via /etc/exports       3.13.4.1.4



via chkconfig          3.14.1


via yum                3.14.1



via chown              3.14.3.2




via chmod              3.14.3.2



via chown              3.14.3.2




via /etc/named.conf    3.14.4.5



via chkconfig          3.15.1


via /etc/vsftpd.conf   3.15.3.1



via /etc/vsftpd.conf   3.15.3.2



via /etc/vsftpd.conf   3.15.3.3.1
via /etc/vsftpd.conf             3.15.3.4


via chkconfig                    3.16.1


via yum                          3.16.1



via yum                          3.16.2.1



via /etc/httpd/conf/httpd.conf   3.16.3.1



via /etc/httpd/conf/httpd.conf   3.16.3.1



via chmod                        3.16.5.1


via chmod                        3.16.5.1


via chmod                        3.16.5.1


via chgrp                        3.16.5.1


via chmod                        3.16.5.1


via chkconfig                    3.17.1


via yum                          3.17.1



via /etc/dovecot.conf            3.17.2.1



via /etc/dovecot.conf            3.17.2.1
via /etc/dovecot.conf       3.17.2.1



via /etc/dovecot.conf       3.17.2.1



via /etc/dovecot.conf       3.17.2.2.4



via /etc/dovecot.conf       3.17.2.3




via /etc/dovecot.conf       3.17.2.3




via chkconfig               3.18.1


via chkconfig               3.19.1


via yum                     3.19.1



via /etc/squid/squid.conf   3.19.2.2



via /etc/squid/squid.conf   3.19.2.2



via /etc/squid/squid.conf   3.19.2.2




via /etc/squid/squid.conf   3.19.2.2
via /etc/squid/squid.conf   3.19.2.2



via /etc/squid/squid.conf   3.19.2.2


via /etc/squid/squid.conf   3.19.2.2




via /etc/squid/squid.conf   3.19.2.2


via /etc/squid/squid.conf   3.19.2.3




via /etc/squid/squid.conf   3.19.2.3



via /etc/squid/squid.conf   3.19.2.3




via /etc/squid/squid.conf   3.19.2.3




via /etc/squid/squid.conf   3.19.2.5



via /etc/squid/squid.conf   3.19.2.5



via /etc/squid/squid.conf   3.19.2.5



via /etc/squid/squid.conf   3.19.2.5
via /etc/squid/squid.conf   3.19.2.5



via /etc/squid/squid.conf   3.19.2.5



via /etc/squid/squid.conf   3.19.2.5



via /etc/squid/squid.conf   3.19.2.5



via /etc/squid/squid.conf   3.19.2.5



via /etc/squid/squid.conf   3.19.2.5



via chkconfig               3.20.1


via yum                     3.20.1
NSA "Guide to the Secure Configuration of Red Hat Enterprise Linux 5" (Recommended Value)   Old "Unix-CCE-DRAFT-2" ID

disabled

                         CCE-U-203
disabled


                         CCE-U-203
installed


enabled



enabled


                         Similar to CCE-U-170
enabled


                         Similar to CCE-U-170
enabled                  CCE-U-170



root-only



not loaded


uninstalled



disabled
disabled



disabled

           CCE-U-203
disabled



           CCE-U-203
root

           CCE-U-23
root

           CCE-U-202
root

           CCE-U-201
400

           CCE-U-200
root

           CCE-U-202
root

           CCE-U-201
root

           CCE-U-22
644

           CCE-U-19
root

           CCE-U-20
644

           CCE-U-200
root

           CCE-U-21
400

           CCE-U-24
set        CCE-U-171
disabled


           CCE-U-24
not set


not set


user

group

027


disabled


disabled



enabled




enabled


enabled



enabled



enabled



           CCE-U-200
enabled


           CCE-U-200
enabled


           CCE-U-200
enabled


           CCE-U-155
enabled


           CCE-U-15
granted


           CCE-U-200
disabled


           CCE-U-200
disabled



           CCE-U-200
disabled

           CCE-U-200
8

           CCE-U-200
7

           CCE-U-7
180


           CCE-U-8
8

           CCE-U-200


           CCE-U-200
???

           CCE-U-200
???


           CCE-U-4
usergroup

            CCE-U-202
4710        CCE-U-200


???

            CCE-U-26
g-w,o-rwx


            CCE-U-162
077


            CCE-U-31
077

            CCE-U-31
077

            CCE-U-31
root

            CCE-U-201
600

            CCE-U-200
???



root

            CCE-U-202
enabled


            CCE-U-1
disabled




10
10



10


              CCE-U-6




enabled


enforcing


targeted


disabled


              CCE-U-203
uninstalled



disabled

              CCE-U-203
enabled       CCE-U-203


disabled




disabled



disabled

              CCE-U-134
disabled




disabled




enabled



enabled



enabled




disabled




enabled




disabled




enabled
enabled




disabled




disabled




disabled



disabled


excluded




disabled



disabled


disabled



disabled




disabled
disabled




disabled




disabled




rfc3041



disabled




1




0




0




disabled
disabled




disabled




enabled    CCE-U-203


enabled    CCE-U-203


enabled    CCE-U-203


root

           CCE-U-202?
600

           CCE-U-200?
root

           CCE-U-201?
sent


accept

           CCE-U-131
enabled


           CCE-U-203
disabled

           CCE-U-203
enabled

           CCE-U-203
disabled   CCE-U-72
disabled      CCE-U-73


uninstalled



uninstalled



disabled      CCE-U-104


uninstalled



disabled      CCE-U-203


disabled      CCE-U-83


disabled      CCE-U-82


uninstalled



disabled      CCE-U-203


uninstalled



disabled      CCE-U-118


uninstalled



disabled

              CCE-U-203
disabled      CCE-U-203
enabled    CCE-U-203


disabled   CCE-U-203


disabled   CCE-U-203


disabled   CCE-U-203


disabled   CCE-U-203


disabled   CCE-U-203



enabled    CCE-U-203


disabled   CCE-U-203


enabled    CCE-U-203


disabled   CCE-U-203



disabled   CCE-U-203



disabled   CCE-U-203


disabled   CCE-U-203


disabled   CCE-U-203


disabled   CCE-U-203


disabled   CCE-U-203
enabled       CCE-U-203


enabled       CCE-U-203


enabled       CCE-U-203


disabled      CCE-U-203


uninstalled



root

              CCE-U-202
700

              CCE-U-200
root

              CCE-U-202
root

              CCE-U-201
root

              CCE-U-201
600

              CCE-U-200
root

              CCE-U-202
root

              CCE-U-201
root

              CCE-U-202
root

              CCE-U-201
root

              CCE-U-201
root

              CCE-U-202
700

                CCE-U-200
root

                CCE-U-201
root

                CCE-U-202
root

                CCE-U-201
600

                CCE-U-200
700

                CCE-U-200
700

                CCE-U-200
root

                CCE-U-202
700

                CCE-U-200
disabled        CCE-U-203


uninstalled


disabled



not permitted


                CCE-U-132
no suggestion


disabled
disabled



disabled


disabled




enabled


disabled



uninstalled


disabled


disabled        CCE-U-203


disabled




enabled



disabled        CCE-U-203



no suggestion



no suggestion
reject




disallow




disabled



disabled




disabled



disabled



disabled



disabled



disabled   CCE-U-203


disabled


disabled



disabled


deny
disabled      CCE-U-203


disabled      CCE-U-203



disabled      CCE-U-203


uninstalled



disabled



denied




denied



not sent




not sent



not sent



not sent



not sent



not sent
not sent



enabled


disabled        CCE-U-203


deny


no suggestion



no suggestion


enabled


ntp server



enabled         CCE-U-203


disabled        CCE-U-203



disabled        CCE-U-203


644


                CCE-U-200
755


                CCE-U-200
root

                CCE-U-201
755


                CCE-U-200
root



           CCE-U-201
root


           CCE-U-201
755

           CCE-U-200
root


           CCE-U-202
ldap



           CCE-U-202
root

           CCE-U-202
root



           CCE-U-201
ldap



           CCE-U-202
root

           CCE-U-202
ldap

           CCE-U-201
disabled   CCE-U-203


disabled   CCE-U-203


disabled   CCE-U-203


disabled   CCE-U-203
disabled   CCE-U-203


static




static




static




static




static




static




disabled


disabled


enabled



enabled



enabled
enabled



disabled



disabled



disabled      CCE-U-203


uninstalled



root



              CCE-U-202
644


              CCE-U-200
root



              CCE-U-201
disabled



disabled      CCE-U-203


enabled



enabled



disabled
disabled


disabled      CCE-U-203


uninstalled



installed



Prod



Off



750

              CCE-U-200
640

              CCE-U-200
511

              CCE-U-200
apache

              CCE-U-202
750

              CCE-U-200
disabled      CCE-U-203


uninstalled



not support



not support
not support



not support



disabled



enabled




enabled




disabled      CCE-U-203


disabled      CCE-U-160


uninstalled



enabled



20kb



enabled




enabled
20kb



squid


enabled




squid


disabled




enabled



disabled




enabled




deny



allow



deny



deny
allow



allow



deny



deny



deny



deny



disabled      CCE-U-203


uninstalled
CCE ID       CCE Description   CCE Parameters
CCE-4508-8   The tooltalk service should be enabled or disabled as appropriate   enabled / disabled / offline
CCE-4327-3   The calendar manager should be enabled or disabled as appropriate.   enabled / disabled / offline
CCE-4468-5   The GNOME logon service should be enabled or disabled as appropriate   enabled / disabled / offline
CCE-4512-0   The CDE logon service should be enabled or disabled as appropriate.   enabled / disabled / offline
CCE-4375-2   The sendmail services should be enabled or disabled as appropriate.   enabled / disabled / offline
CCE-4393-5   The web console should be enabled or disabled as appropriate.   enabled / disabled / offline
CCE-3662-4   The WBEM services should be enabled or disabled as appropriate.   enabled / disabled / offline
CCE-4442-0   The BSD line printer protocol should be enabled or disabled as appropriate.   enabled / disabled / offline
CCE-4596-3   The keyserv service should be enabled or disabled as appropriate.   enabled / disabled / offline
CCE-4486-7   The NIS server daemon should be enabled or disabled as appropriate   enabled / disabled / offline
CCE-4362-0   The NIS passwd daemon should be enabled or disabled as appropriate   enabled / disabled / offline
CCE-3622-8   The NIS update daemon should be enabled or disabled as appropriate   enabled / disabled / offline
CCE-4299-4   The NIS xfr daemon should be enabled or disabled as appropriate   enabled / disabled / offline
CCE-4592-2   The NIS client daemons should be enabled or disabled as appropriate   enabled / disabled / offline
CCE-4614-4   The nisplus daemons should be enabled or disabled as appropriate   enabled / disabled / offline
CCE-4279-6   The ldap cache manager should be enabled or disabled as appropriate   enabled / disabled / offline
CCE-4557-5   The Kerberos TGT Expiration warning should be enabled or disabled as appropriate   enabled / disabled / offline
CCE-4588-0   The Generic Security Service daemons should be enabled or disabled as appropriate   enabled / disabled / offline
CCE-4354-7   The volfs service should be enabled or disabled as appropriate   enabled / disabled / offline
CCE-4240-8   The smserver service should be enabled or disabled as appropriate   enabled / disabled / offline

CCE-4517-9   The Samba smbd service should be enabled or disabled as appropriate   enabled / disabled / offline
CCE-4284-6   The Samba nmbd service should be enabled or disabled as appropriate   enabled / disabled / offline
CCE-4429-7   The automount daemon should be enabled or disabled as appropriate   enabled / disabled / offline
CCE-4306-7   The apache web server should be enabled or disabled as appropriate   enabled / disabled / offline
CCE-4499-0   The mpxio-upgrade service should be enabled or disabled as appropriate   enabled / disabled / offline
CCE-4266-3   The metainit service (Solaris 10 <= 11/06) should be enabled or disabled as appropriate   enabled / disabled / offline
CCE-4411-5   The mdmonitor service (Solaris 10 <= 11/06) should be enabled or disabled as appropriate   enabled / disabled / offline
CCE-4305-9   The volume manager GUI mdcomm service should be enabled or disabled as appropriate   enabled / disabled / offline
CCE-4477-6   The meta service should be enabled or disabled as appropriate   enabled / disabled / offline
CCE-3650-9   The metaed service should be enabled or disabled as appropriate   enabled / disabled / offline
CCE-4571-6   The metamh service should be enabled or disabled as appropriate   enabled / disabled / offline
CCE-3950-3   The local rpc port mapping service should be enabled or disabled as appropriate   enabled / disabled / offline
CCE-4470-1   The Kerberos kadmind service should be enabled or disabled as appropriate.   enabled / disabled / offline
CCE-4598-9   The Kerberos krb5kdc service should be enabled or disabled as appropriate.   enabled / disabled / offline
CCE-4620-1   The Kerberos kpropd service should be enabled or disabled as appropriate.   enabled / disabled / offline
CCE-4333-1   The Kerberos ktkt_warnd service should be enabled or disabled as appropriate.   enabled / disabled / offline
CCE-3857-0   NFS server functionality should be enabled or disabled as appropriate.   enabled / disabled / offline
CCE-4359-6   NFS client functionality should be enabled or disabled as appropriate.   enabled / disabled / offline
CCE-4615-1   The telnet service should be enabled or disabled as appropriate.   enabled / disabled / offline
CCE-4007-1   The FTP service should be enabled or disabled as appropriate.   enabled / disabled / offline
CCE-3901-6   The BOOTP service should be enabled or disabled as appropriate.   enabled / disabled / offline
CCE-4553-4   The RARP service should be enabled or disabled as appropriate.   enabled / disabled / offline
CCE-4584-9   The DHCP server functionality should be enabled or disabled as appropriate.   enabled / disabled / offline
CCE-4611-0   The DNS server functionality should be enabled or disabled as appropriate.   enabled / disabled / offline
CCE-3655-8   The TFTP server functionality should be configured and enabled or disabled as appropriate.   enabled / disabled / offline
CCE-4541-9   The BSD print spooler should be enabled or disabled as appropriate.   enabled / disabled / offline
CCE-4483-4   The Solaris print server functionality should be enabled or disabled as appropriate.   enabled / disabled / offline
CCE-3663-2   The IPP listener should be enabled or disabled as appropriate.   enabled / disabled / offline
CCE-4037-8   The SNMP service should be enabled or disabled as appropriate.   enabled / disabled / offline
CCE-4540-1   The read-only SNMP community string should be set appropriately.   string
CCE-4434-7   TCP Wrappers should be enabled or disabled as appropriate for all services.   enabled / disabled

CCE-4570-8   The core dump directory owner should be restricted.   user
CCE-4478-4   The core dump directory group owner should be restricted.   group
CCE-4623-5   File permissions for the core dump directory should be set correctly.   permissions
CCE-4522-9   Core dumps should be enabled/disabled as appropriate   enabled/disabled
CCE-4297-8   Kernel stack protection should be enabled or disabled as appropriate.   enabled/disabled
CCE-4548-4   Strong TCP Sequence numbers should be enabled or disabled as appropriate.   enabled/disabled
CCE-4566-6   IPv4 source route forwarding should be enabled or disabled as appropriate.   enabled/disabled
CCE-4439-6   IPv6 source route forwarding should be enabled or disabled as appropriate.   enabled/disabled
CCE-4456-0   Reverse source routed packets should be enabled or disabled as appropriate.   enabled/disabled
CCE-4602-9   Forwarding broadcasts should be enabled or disabled as appropriate.   enabled/disabled
CCE-3752-3   Unestablished tcp connection queue should be set appropriately.   numeral
CCE-4417-2   Established tcp connection queue should be set appropriately.   numeral
CCE-4311-7   Respond to ICMP timestamp request should be enabled or disabled.   enabled/disabled
CCE-4562-5   Respond to ICMP broadcast timestamp request should be enabled or disabled.   enabled/disabled
CCE-4082-4   Respond to ICMP netmask request should be enabled or disabled as appropriate.   enabled/disabled
CCE-3681-4   Respond to ICMP echo broadcast request should be enabled or disabled as appropriate.   enabled/disabled
CCE-4642-5   The ARP cache cleanup interval should be set appropriately.   numeral
CCE-4532-8   The ARP IRE scan rate should be set appropriately.   numeral
CCE-4624-3   The IPv4 ICMP redirect should be enabled or disabled   enabled/disabled
CCE-4518-7   The IPv6 ICMP redirect should be enabled or disabled as appropriate.   enabled/disabled
CCE-4676-3   Extended TCP reserved ports should be set appropriately.   list of ports above 1023
CCE-3699-6   IPv4 strict multihoming should be enabled or disabled as appropriate.   enabled/disabled
CCE-4575-7   IPv6 strict multihoming should be enabled or disabled as appropriate.   enabled/disabled
CCE-4593-0   ICMPv4 redirects should be enabled or disabled as appropriate.   enabled/disabled
CCE-4095-6   ICMPv6 redirects should be enabled or disabled as appropriate.   enabled/disabled
CCE-3684-8   IP forwarding should be enabled or disabled as appropriate.   enabled/disabled
CCE-4288-7   IP routing should be enabled or disabled as appropriate.   enabled/disabled
CCE-4671-4   inetd tracing should be enabled as appropriate.   enabled / disabled
CCE-4455-2   The logging option for the ftp service should be enabled or disabled as appropriate.   enabled / disabled
CCE-4397-6   The daemon debug log file owner should be restricted.   user
CCE-4415-6   The daemon debug log file permissions should be set appropriately.   permissions
CCE-4560-9   The daemon debug log file group owner should be restricted.   group
CCE-4582-3   The debug logging option for daemons should be enabled or disabled as appropriate.   enabled / disabled
CCE-3979-2   Capture of syslog AUTH Messages should be enabled or disabled as appropriate   enabled / disabled
CCE-4124-4   The loginlog file owner should be restricted.   user
CCE-4626-8   The loginlog file permissions should be set appropriately.   permissions
CCE-4635-9   The loginlog file group owner should be restricted.   group
CCE-3930-5   Capture of failed login attempts should be enabled or disabled as appropriate   enabled / disabled
CCE-4309-1   The threshold of syslog logging of failed login attempts should be configured correctly.   numeric value
CCE-4591-4   Cron logging should be enabled or disabled as appropriate.   enabled / disabled
CCE-4490-9   Cron log file owner should be restricted   user
CCE-4683-9   Cron log file group owner should be restricted   group
CCE-4472-7   Cron log file permissions should be set appropriately   permissions
CCE-3992-5   System Accounting should be enabled or disabled as appropriate   enabled / disabled

CCE-4481-8   The system accounting file owner should be restricted.   user
CCE-4630-0   The systems accounting file group owner should be restricted.   group
CCE-4542-7   The system accounting file permissions should be set appropriately.   permissions
CCE-4675-5   Kernel level auditing should be enabled or disabled as appropriate   enabled / disabled
CCE-4679-7   Kernel level auditing for login/logout should be enabled or disabled as appropriate   successful/unsuccessful
CCE-4075-8   Kernel level auditing for administrative actions should be enabled or disabled as appropriate   successful/unsuccessful
CCE-4600-3   Kernel level auditing for file attribute modification should be enabled or disabled as appropriate   successful/unsuccessful
CCE-4498-2   Kernel level auditing for process start/stop should be enabled or disabled as appropriate   successful/unsuccessful
CCE-4401-6   Kernel level auditing for process modify should be enabled or disabled as appropriate   successful/unsuccessful
CCE-4337-2   Kernel level auditing for processes should be enabled or disabled as appropriate   successful/unsuccessful
CCE-4606-0   Kernel level auditing for exec should be enabled or disabled as appropriate   successful/unsuccessful
CCE-4610-2   Kernel level auditing for root login/logout should be enabled or disabled as appropriate   successful/unsuccessful
CCE-4126-9   Audit log file ownership should be restricted.   user
CCE-4633-4   Audit log file group ownership should be restricted.   group
CCE-4527-8   Audit log permissions should be restricted.   permissions

CCE-4672-2   The daemon user's umask should be set appropriately.   string
CCE-4315-8   The setuid option should be enabled or disabled on removable media as appropriate.   string
CCE-3760-6   The pkgchk utility should be used to verify ownership, group ownership, and access permissions for installed packages as appropriate.   list of packages, or all packages
CCE-4312-5   The pkgchk utility should be used to force default settings for ownership, group ownership, and access permissions for installed packages as appropriate.   list of packages, or all packages
CCE-4721-7   The sticky bit should be enabled or disabled as appropriate for all world-writable directories.   enabled / disabled
CCE-4351-3   World-writable files should be found and examined for appropriateness.   permissions
CCE-4743-1   setgid files should be found and examined for appropriateness   permissions
CCE-4281-2   setuid files should be found and examined for appropriateness   permissions
CCE-4660-7   Unowned files should be found and removed or given to a valid user as appropriate.
CCE-4682-1   Files with extended attributes should be found and handled as appropriate.
CCE-4435-4   Serial port login prompts should be enabled or disabled as appropriate.   enabled/disabled
CCE-4576-5   Access to secure RPC for the 'nobody' user should be enabled or disabled as appropriate.   string
CCE-4726-6   SSH version 2 protocol should be enabled or disabled as appropriate.   string
CCE-4638-3   SSH X11 forwarding should be enabled or disabled as appropriate.   string yes/no
CCE-4748-0   SSH maximum number of retries for authentication should be set as appropriate.   numeral
CCE-4395-0   SSH maximum number of retries for authentication log should be set as appropriate.   numeral
CCE-4030-3   SSH integration with .rhosts should be enabled or disabled as appropriate.   string yes/no
CCE-4655-7   SSH integration with .rhosts/hosts.equiv should be enabled or disabled as appropriate.   string yes/no
CCE-3946-1   SSH Rhosts RSA Authentication should be enabled or disabled as appropriate.   string yes/no
CCE-4713-4   Root login via SSH should be enabled or disabled as appropriate.   string yes/no
CCE-4708-4   SSH should be configured to enable or disable empty passwords as appropriate.   string yes/no
CCE-4603-7   The SSH banner should be enabled or disabled as appropriate.   uncomment string
CCE-4021-2   PAM Rhosts support should be enabled or disabled.   enabled/disabled
CCE-4678-9   The ftpusers file should restrict the root account as appropriate.   enabled/disabled
CCE-4695-3   The ftpusers file should restrict the daemon account as appropriate.   enabled/disabled
CCE-4510-4   The ftpusers file should restrict the bin account as appropriate.   enabled/disabled
CCE-4157-4   The ftpusers file should restrict the sys account as appropriate.   enabled/disabled
CCE-4677-1   The ftpusers file should restrict the adm account as appropriate.   enabled/disabled
CCE-4179-8   The ftpusers file should restrict the lp account as appropriate.   enabled/disabled
CCE-4589-8   The ftpusers file should restrict the uucp account as appropriate.   enabled/disabled
CCE-4113-7   The ftpusers file should restrict the smmsp account as appropriate.   enabled/disabled
CCE-4739-9   The ftpusers file should restrict the listen account as appropriate.   enabled/disabled
CCE-4135-0   The ftpusers file should restrict the gdm account as appropriate.   enabled/disabled
CCE-3768-9   The ftpusers file should restrict the webservd account as appropriate.   enabled/disabled
CCE-3782-0   The ftpusers file should restrict the nobody account as appropriate.   enabled/disabled
CCE-4347-1   The ftpusers file should restrict the noaccess account as appropriate.   enabled/disabled
CCE-4497-4   The ftpusers file should restrict the nobody4 account as appropriate.   enabled/disabled
CCE-4432-1   The failed login delay should be set appropriately.   number of seconds
CCE-4705-0   The default CDE screenlock timeout should be set appropriately.   number of minutes
CCE-4723-3   The default GNOME screenlock timeout should be set appropriately.   number of minutes
CCE-4622-7   The GNOME screenlock should be enabled or disabled as appropriate.   boolean true/false
CCE-4644-1   Use of the cron.allow file should be enabled or disabled as appropriate   enabled/disabled
CCE-4543-5   Use of the at.allow file should be enabled or disabled as appropriate   enabled/disabled
CCE-4437-0   The /etc/cron.d/cron.allow file should be owned by the appropriate user.   user
CCE-4706-8   The /etc/cron.d/cron.allow file should be owned by the appropriate group.   group
CCE-4693-8   File permissions for the /etc/cron.d/cron.allow file should be configured correctly.   permissions
CCE-4710-0   File permissions for the /etc/cron.d/at.allow file should be configured correctly.   permissions
CCE-4230-9   The /etc/cron.d/at.allow file should be owned by the appropriate user.   user
CCE-4445-3   The /etc/cron.d/at.allow file should be owned by the appropriate group.   group
CCE-4458-6   The ability to login as root directly should be configured correctly.   enabled/disabled
CCE-4102-0   The "account lockout threshold" policy should meet minimum requirements.   number of retries
CCE-4754-8   Account lockout should be enabled or disabled as appropriate.   yes/no
CCE-4648-2   The eeprom security mode should be configured appropriately.   none/full/command
CCE-3826-5   The grub menu password protection should be enabled or disabled as appropriate.   password
CCE-4525-2   The daemon account should be locked or unlocked as appropriate.   locked / unlocked / non-login
CCE-4657-3   The bin account should be locked or unlocked as appropriate.   locked / unlocked / non-login
CCE-4661-5   The shell for the bin account should be assigned appropriately.   path
CCE-4807-4   The nuucp account should be locked or unlocked as appropriate.   locked / unlocked / non-login
CCE-4701-9   The shell for the nuucp account should be assigned appropriately.   path
CCE-4669-8   The smmsp account should be locked or unlocked as appropriate.   locked / unlocked / non-login
CCE-4436-2   The shell for the smmsp account should be assigned appropriately.   path
CCE-4815-7   The listen account should be locked or unlocked as appropriate.   locked / unlocked / non-login
CCE-4696-1   The shell for the listen account should be assigned appropriately.   path
CCE-4216-8   The gdm account should be locked or unlocked as appropriate.   locked / unlocked / non-login
CCE-4758-9   The shell for the gdm account should be assigned appropriately.   path
CCE-4621-9   The webservd account should be locked or unlocked as appropriate.   locked / unlocked / non-login
CCE-4515-3   The shell for the webservd account should be assigned appropriately.   path
CCE-4282-0   The nobody account should be locked or unlocked as appropriate.   locked / unlocked / non-login
CCE-4802-5   The shell for the nobody account should be assigned appropriately.   path
CCE-4806-6   The noaccess account should be locked or unlocked as appropriate.   locked / unlocked / non-login
CCE-4471-9   The shell for the noaccess account should be assigned appropriately.   path
CCE-4617-7   The nobody4 account should be locked or unlocked as appropriate.   locked / unlocked / non-login
CCE-4418-0   The shell for the nobody4 account should be assigned appropriately.   path
CCE-4810-8   The sys account should be locked or unlocked as appropriate.   locked / unlocked / non-login
CCE-3955-2   The adm account should be locked or unlocked as appropriate.   locked / unlocked / non-login
CCE-3834-9   The shell for the adm account should be assigned appropriately.   path
CCE-4408-1   The lp account should be locked or unlocked as appropriate.   locked / unlocked / non-login
CCE-4536-9   The shell for the lp account should be assigned appropriately.   path
CCE-4809-0   The uucp account should be locked or unlocked as appropriate.   locked / unlocked / non-login
CCE-3841-4   The shell for the uucp account should be assigned appropriately.   path
CCE-4724-1   All user login accounts with empty passwords should be locked or unlocked as appropriate.   locked / unlocked / non-login
CCE-4367-9   The "minimum password age" policy should meet minimum requirements.   numeral
CCE-4165-7   The "maximum password age" policy should meet minimum requirements.   numeral
CCE-4836-3   The password expiration warning time should be set appropriately   numeral
CCE-4625-0   The strong password PASSLENGTH value should meet minimum requirements   numeral
CCE-4770-4   The strong password NAMECHECK value should meet minimum requirements   yes/no
CCE-4563-3   The strong password HISTORY value should meet minimum requirements   numeral
CCE-4832-2   The strong password MINDIFF value should meet minimum requirements   numeral
CCE-4572-4   The strong password MINALPHA value should meet minimum requirements   numeral
CCE-4480-0   The strong password MINUPPER value should meet minimum requirements   numeral
             The strong password
             MINLOWER value should
             meet minimum
CCE-4731-6   requirements                 numeral
             The strong password
             MINNONALPHA value
             should meet minimum
CCE-4753-0   requirements                 numeral
             The strong password
             MAXREPEATS value
             should meet minimum
CCE-4775-3   requirements                 numeral
             The strong password
             WHITESPACE value
             should meet minimum
CCE-3856-2   requirements                 yes / no
             The strong password
             DICTIONDBDIR value
             should be configured
CCE-4402-4   correctly                    path
             The strong password
             DICTIONLIST value
             should be configured
CCE-4670-6   correctly                    path
             No Legacy "+" entries in
             passwd, shadow, and
             group files should be
CCE-4314-1   verified to be appropriate     file list
             No UID 0 Accounts exist
             other than root should be
CCE-4816-5   verified to be appropriate     account list
             Default group for root
             account should be
CCE-4834-8   configured correctly           group
             The home directory of the
             root user should be set
CCE-4728-2   correctly.                     path


             The PATH for the root          1) Set of directories
             user should be configured      to include 2) Set of
CCE-4631-8   correctly.                     directories to exclude
             File permissions should be
             set correctly for the home
             directories for all user
CCE-4538-5   accounts.                      permissions
             File permissions should be
             set correctly for user
CCE-4561-7   configuration files.           permissions

             File permissions should be
CCE-4578-1   set correctly for .netrc files. permissions
             Presence of .rhost files
             should be checked to be
CCE-4843-9   appropriate                     true/false

             The default umask should
CCE-4737-3   be configured correctly.       permissions mask
             The default umask for ftp
             users should be set
CCE-3897-6   appropriately.                 permissions mask
             The default setting for all
             users to allow terminal
             messages via the mesg
             utility should be configured
CCE-4746-4   correctly.                     enabled / disabled
             General login services
             should display a banner as
             appropriate before
CCE-4760-5   authentication.                banner text
             General login services
             should display a banner as
             appropriate after
CCE-4301-8   authentication.                banner text
             CDE should display a
             banner as appropriate
CCE-4698-7   before authentication.       banner text
             GNOME should display a
             banner as appropriate
CCE-4222-6   before authentication.       banner text
             The FTP service should
             display a banner as
             appropriate before
CCE-4103-8   authentication.              banner text

             The telnet service banner
CCE-4870-2   should be set appropriately. banner text

             The power-on banner
CCE-4896-7   should be set appropriately. banner text

             The sendmail greeting
CCE-4663-1   should be set appropriately. string
                                             CIS Solaris 10
             CCE Technical Mechanisms       Benchmark v4.0
                                                (Section)




(1) via svcadm                          2.2.1


(1) via svcadm                          2.2.2



(1) via svcadm                          2.2.3


(1) via svcadm                          2.2.3


(1) via svcadm                          2.2.4


(1) via svcadm                          2.2.5


(1) via svcadm                          2.2.6



(1) via svcadm                          2.2.7


(1) via svcadm                          2.3.1


via svcadm                              2.3.2


via svcadm                              2.3.2


via svcadm                              2.3.2


via svcadm                              2.3.2
via svcadm                                                  2.3.3


via svcadm                                                  2.3.4


via svcadm                                                  2.3.5



via svcadm                                                  2.3.6



via svcadm                                                  2.3.7


via svcadm                                                  2.3.8


via svcadm                                                  2.3.8

(1) Solaris 10 <= 11/06 /etc/init.d/samba stop, mv
/etc/sfw/smb.conf /etc/sfw/smb.conf.CIS (2) Solaris 10 >=
8/07 via svcadm                                             2.3.9

(1) Solaris 10 <= 11/06 /etc/init.d/samba stop, mv
/etc/sfw/smb.conf /etc/sfw/smb.conf.CIS (2) Solaris 10 >=
8/07 via svcadm                                             2.3.9


via svcadm                                                  2.3.10


via svcadm                                                  2.3.11



via svcadm                                                  2.3.12



via svcadm                                                  2.3.12



via svcadm                                                  2.3.12
via svcadm        2.3.13


via svcadm        2.3.13


via svcadm        2.3.13


via svcadm        2.3.13



via svcadm        2.3.14



via svcadm        2.4.1



via svcadm        2.4.1



via svcadm        2.4.1



via svcadm        2.4.1


/etc/dfs/dfstab   2.4.2


/etc/vfstab       2.4.3


via svcadm        2.4.4


via svcadm        2.4.5


via svcadm        2.4.6


via svcadm        2.4.7
via svcadm                  2.4.8



via svcadm                  2.4.9




/etc/inetd.conf             2.4.10


via inetadm and svcadm      2.4.11



via svcadm                  2.4.11


via svcadm                  2.4.11


via svcadm                  2.4.12


/etc/snmp/conf/snmpd.conf   2.4.12



via inetadm -M              2.5


/var/core                   3.1


/var/core                   3.1


/var/core                   3.1


/etc/coreadm.conf           3.1


/etc/system                 3.2



/etc/default/inetinit       3.3
/lib/svc/method/cis_netconfig.sh   3.4



/lib/svc/method/cis_netconfig.sh   3.4



/lib/svc/method/cis_netconfig.sh   3.4


/lib/svc/method/cis_netconfig.sh   3.4


/lib/svc/method/cis_netconfig.sh   3.4


/lib/svc/method/cis_netconfig.sh   3.4



/lib/svc/method/cis_netconfig.sh   3.4



/lib/svc/method/cis_netconfig.sh   3.4



/lib/svc/method/cis_netconfig.sh   3.4



/lib/svc/method/cis_netconfig.sh   3.4


/lib/svc/method/cis_netconfig.sh   3.4


/lib/svc/method/cis_netconfig.sh   3.4


/lib/svc/method/cis_netconfig.sh   3.4


/lib/svc/method/cis_netconfig.sh   3.4


/lib/svc/method/cis_netconfig.sh   3.4
/lib/svc/method/cis_netconfig.sh   3.4


/lib/svc/method/cis_netconfig.sh   3.4


/lib/svc/method/cis_netconfig.sh   3.4


/lib/svc/method/cis_netconfig.sh   3.4


via routeadm                       3.5


via routeadm                       3.5

via inetadm -M                     4.1



via inetadm -m                     4.2


/var/log/connlog                   4.3


/var/log/connlog                   4.3


/var/log/connlog                   4.3



/etc/syslog.conf                   4.3



/etc/syslog.conf                   4.4

/var/adm/loginlog                  4.5


/var/adm/loginlog                  4.5


/var/adm/loginlog                  4.5
/var/adm/loginlog                              4.5



/etc/default/login                             4.6


/etc/default/cron                              4.7

/var/cron/log                                  4.7

/var/cron/log                                  4.7


/var/cron/log                                  4.7


via svcadm enable -r svc:/system/sar:default   4.8


/var/adm/sa/*                                  4.8


/var/adm/sa/*                                  4.8


/var/adm/sa/*                                  4.8


via /etc/security/bsmconv                      4.9



/etc/security/audit_control                    4.9



/etc/security/audit_control                    4.9



/etc/security/audit_control                    4.9



/etc/security/audit_control                    4.9
/etc/security/audit_control   4.9



/etc/security/audit_control   4.9


/etc/security/audit_control   4.9



/etc/security/audit_user      4.9

/var/audit/*                  4.9


/var/audit/*                  4.9

/var/audit/*                  4.9


/etc/default/init             5.1



/etc/rmmount.conf             5.2




via pkgchk                    5.3




via pkgchk -f                 5.3



via chmod                     5.4



                              5.5
                       5.6.1


                       5.6.2



via chown or rm        5.7



                       5.8


via pmadm              6.1



/etc/default/keyserv   6.2


/etc/ssh/sshd_config   6.3


/etc/ssh/sshd_config   6.3



/etc/ssh/sshd_config   6.3



/etc/ssh/sshd_config   6.3



/etc/ssh/sshd_config   6.3



/etc/ssh/sshd_config   6.3



/etc/ssh/sshd_config   6.3


/etc/ssh/sshd_config   6.3
/etc/ssh/sshd_config   6.3


/etc/ssh/sshd_config   6.3


/etc/pam.conf          6.4


/etc/ftpd/ftpusers     6.5


/etc/ftpd/ftpusers     6.5


/etc/ftpd/ftpusers     6.5


/etc/ftpd/ftpusers     6.5


/etc/ftpd/ftpusers     6.5


/etc/ftpd/ftpusers     6.5


/etc/ftpd/ftpusers     6.5


/etc/ftpd/ftpusers     6.5


/etc/ftpd/ftpusers     6.5


/etc/ftpd/ftpusers     6.5


/etc/ftpd/ftpusers     6.5


/etc/ftpd/ftpusers     6.5


/etc/ftpd/ftpusers     6.5
/etc/ftpd/ftpusers                           6.5


/etc/default/login                           6.6



/usr/dt/config/*/sys.resources               6.7



/usr/openwin/lib/app-defaults/Xscreensaver   6.8


/usr/openwin/lib/app-defaults/Xscreensaver   6.8


/etc/cron.d/cron.allow                       6.9


/etc/cron.d/at.allow                         6.9



/etc/cron.d/cron.allow                       6.9



/etc/cron.d/cron.allow                       6.9



/etc/cron.d/cron.allow                       6.9



/etc/cron.d/at.allow                         6.9


/etc/cron.d/at.allow                         6.9


/etc/cron.d/at.allow                         6.9


/etc/default/login                           6.1



/etc/default/login                           6.11
/etc/security/policy.conf                               6.11


via eeprom at OS command line or setenv at ok> prompt   6.12



via grub> prompt md5crypt command                       6.13


via passwd                                              7.1


via passwd                                              7.1


via passmgmt                                            7.1


via passwd                                              7.1


via passmgmt                                            7.1


via passwd                                              7.1


via passmgmt                                            7.1


via passwd                                              7.1


via passmgmt                                            7.1


via passwd                                              7.1


via passmgmt                                            7.1


via passwd                                              7.1



via passmgmt                                            7.1
via passwd                                             7.1


via passmgmt                                           7.1

via passwd                                             7.1



via passmgmt                                           7.1


via passwd                                             7.1


via passmgmt                                           7.1


via passwd                                             7.1


via passwd                                             7.1


via passmgmt                                           7.1


via passwd                                             7.1


via passmgmt                                           7.1


via passwd                                             7.1


via passmgmt                                           7.1



via passwd                                             7.2


Use the set-user-password-reqs.fin Finish script       7.3



Use the set-user-password-reqs.fin Finish script       7.3
Use the set-user-password-reqs.fin Finish script                7.3


Use the set-user-password-reqs.fin, set-strict-password-
checks.fin and the enable-password-history.fin Finish scripts   7.4


Use the set-user-password-reqs.fin, set-strict-password-
checks.fin and the enable-password-history.fin Finish scripts   7.4


Use the set-user-password-reqs.fin, set-strict-password-
checks.fin and the enable-password-history.fin Finish scripts   7.4


Use the set-user-password-reqs.fin, set-strict-password-
checks.fin and the enable-password-history.fin Finish scripts   7.4


Use the set-user-password-reqs.fin, set-strict-password-
checks.fin and the enable-password-history.fin Finish scripts   7.4


Use the set-user-password-reqs.fin, set-strict-password-
checks.fin and the enable-password-history.fin Finish scripts   7.4


Use the set-user-password-reqs.fin, set-strict-password-
checks.fin and the enable-password-history.fin Finish scripts   7.4


Use the set-user-password-reqs.fin, set-strict-password-
checks.fin and the enable-password-history.fin Finish scripts   7.4


Use the set-user-password-reqs.fin, set-strict-password-
checks.fin and the enable-password-history.fin Finish scripts   7.4


Use the set-user-password-reqs.fin, set-strict-password-
checks.fin and the enable-password-history.fin Finish scripts   7.4


Use the set-user-password-reqs.fin, set-strict-password-
checks.fin and the enable-password-history.fin Finish scripts   7.4


Use the set-user-password-reqs.fin, set-strict-password-
checks.fin and the enable-password-history.fin Finish scripts   7.4
Use the check-include-nis-map.aud Audit script.    7.5


Use the check-uids-unique.aud Audit script         7.6


Use the set-root-group.fin Finish script           7.7


Use the set-root-home-dir.fin Finish script        7.8




Use the check-root-path.aud Audit script           7.9



Use the check-home-permissions.aud Audit script.   7.1


Use the check-hidden-files.aud Audit script        7.11


Use the check-netrc-files.aud Audit script         7.12


Use the print-rhosts.aud Audit script              7.13


Use the set-user-umask.fin Finish script           7.14


Use the set-ftpd-umask.fin Finish script.          7.15




Use the disable-mesg.fin Finish script             7.16



/etc/issue                                         8.1



/etc/motd                                          8.1.1
/usr/dt/config/*/Xresources                                8.2


/etc/X11/gdm/gdm.conf                                      8.3



/etc/ftpd/banner.msg                                       8.4


/etc/default/telnetd                                       8.5

via the 'eeprom oem-banner=' command (provide a string
after the =) then the "eeprom oem-banner\?=true" command   8.6

via the "O SmtpGreetingMessage" setting in
/etc/mail/sendmail.cf                                      8.7
    CIS Solaris 10   Old "Unix-
   Benchmark v4.0      CCE-
(Recommended Value) DRAFT-2" ID




disabled


disabled



disabled            CCE-U-120


disabled            CCE-U-120


disabled


disabled


disabled



disabled


disabled            CCE-U-203


disabled


disabled


disabled


disabled
disabled


disabled


disabled



disabled



disabled


disabled


disabled



disabled   CCE-U-142



disabled   CCE-U-142


disabled


disabled



disabled



disabled



disabled
disabled


disabled


disabled


disabled



disabled



disabled



disabled



disabled



disabled


disabled


disabled


disabled   CCE-U-104


disabled   CCE-U-103


disabled


disabled
disabled



disabled




disabled   CCE-U-118


disabled



disabled


disabled


disabled


disabled   CCE-U-122



enabled


root       CCE-U-65


root       CCE-U-66


700        CCE-U-67


disabled


enabled    CCE-U-68



2          CCE-U-70
disabled



disabled



disabled


disabled


4096


1024



disabled



disabled



disabled



disabled


60000


60000


enabled


enabled


6112
enabled


enabled


disabled


disabled


disabled


disabled

enabled    CCE-U-80



enabled    CCE-U-113


root


600


root



enabled



enabled    CCE-U-2

root


600


sys
enabled   CCE-U-2



0         CCE-U-2


enabled   CCE-U-38

root

root


600


enabled


sys


sys


600


enabled



enabled



enabled



enabled



enabled
enabled



enabled


enabled



enabled

root


root

600


at least 022



disabled       CCE-U-170




all packages




enabled        CCE-U-171
disabled   CCE-U-155



disabled   CCE-U-161


enabled    CCE-U-132


disabled



5



0



yes



no



no


no
no


enabled


disabled   CCE-U-28


disabled   CCE-U-105


disabled   CCE-U-108


disabled   CCE-U-108


disabled   CCE-U-108


disabled   CCE-U-108


disabled   CCE-U-108


disabled   CCE-U-108


disabled   CCE-U-108


disabled   CCE-U-108


disabled   CCE-U-108


disabled   CCE-U-108


disabled   CCE-U-108


disabled   CCE-U-108
disabled          CCE-U-108


4                 CCE-U-5



10                CCE-U-158



10


           TRUE


root              CCE-U-32


null              CCE-U-47



root              CCE-U-40



root              CCE-U-41



400               CCE-U-36



400               CCE-U-51


root              CCE-U-54


root              CCE-U-55


disabled          CCE-U-15



3                 CCE-U-4
yes


command



enabled


Locked           CCE-U-174


Locked           CCE-U-175


/usr/bin/false


Locked           CCE-U-180


/usr/bin/false


Locked           CCE-U-181


/usr/bin/false


Locked           CCE-U-182


/usr/bin/false


Locked


/usr/bin/false


Locked



/usr/bin/false
Locked           CCE-U-183


/usr/bin/false


Locked           CCE-U-184



/usr/bin/false


Locked           CCE-U-185


/usr/bin/false


Non-login        CCE-U-176


Non-login        CCE-U-177


/usr/bin/false


Non-login        CCE-U-178


/usr/bin/false


Non-login        CCE-U-179


/usr/bin/false



Locked


7 days           CCE-U-7



91 days          CCE-U-8
28 days



8



yes



10                           CCE-U-10



3



2



1



1



1



0



yes



/var/passwd



=/usr/share/lib/dict/words
None


None


GID 0


/root                          CCE-U-11




                                  CCE-U-13
Exclude '.' and any writeable directories



IAW site policy                CCE-U-162


IAW site policy


IAW site policy


dependent upon 6.4


77                             CCE-U-31


77                             CCE-U-115




enabled                        CCE-U-25
empty string, ""




mailer ready (string)   CCE-U-97
               Old v4                                     CCE
  CCE ID                   CCE Description
               CCE Id                                  Parameters



                        The "reset account lockout
                        counter after" policy
                        should meet minimum         (1) number of
CCE-2715-1   CCE-733    requirements.              minutes
                        The "account lockout
                        duration" policy should
                        meet minimum                (1) number of
CCE-2363-0   CCE-980    requirements.              minutes
                        The "account lockout
                        threshold" policy should
                        meet minimum                (1) number of
CCE-3177-3   CCE-658    requirements.              attempts

                        Auditing of "account logon"
                        events on success should
                        be enabled or disabled as
CCE-2820-9   CCE-2628   appropriate.                enabled/disabled
                        Auditing of "account logon"
                        events on failure should be
                        enabled or disabled as
CCE-3089-0   CCE-2543   appropriate.                enabled/disabled
                        Auditing of "account
                        management" events on
                        success should be
                        enabled or disabled as
CCE-3234-2   CCE-2000   appropriate.                enabled/disabled

                        Auditing of "account
                        management" events on
                        failure should be enabled
CCE-3287-0   CCE-1646   or disabled as appropriate.  enabled/disabled
                        Auditing of "directory
                        service access" events on
                        success should be
                        enabled or disabled as
CCE-3041-1   CCE-2118   appropriate.                 enabled/disabled

                        Auditing of "directory
                        service access" events on
                        failure should be enabled
CCE-3309-2   CCE-2390   or disabled as appropriate.  enabled/disabled
                        Auditing of "logon" events
                        on success should be
                        enabled or disabled as
CCE-3076-7   CCE-1686   appropriate.                  enabled/disabled
                        Auditing of "logon" events
                        on failure should be
                        enabled or disabled as
CCE-2970-2   CCE-1744   appropriate.                  enabled/disabled

                        Auditing of "object access"
                        events on success should
                        be enabled or disabled as
CCE-2724-3   CCE-2640   appropriate.                enabled/disabled
                        Auditing of "object access"
                        events on failure should be
                        enabled or disabled as
CCE-3243-3   CCE-1991   appropriate.                enabled/disabled

                        Auditing of "policy change"
                        events on success should
                        be enabled or disabled as
CCE-2746-6   CCE-2412   appropriate.                  enabled/disabled
                        Auditing of "policy change"
                        events on failure should be
                        enabled or disabled as
CCE-2653-4   CCE-2347   appropriate.                  enabled/disabled
                        Auditing of "privilege use"
                        events on success should
                        be enabled or disabled as
CCE-2322-6   CCE-2431   appropriate.                  enabled/disabled
                        Auditing of "privilege use"
                        events on failure should be
                        enabled or disabled as
CCE-3257-3   CCE-2584   appropriate.                  enabled/disabled
                        Auditing of "process
                        tracking" events on
                        success should be
                        enabled or disabled as
CCE-3024-7   CCE-2529   appropriate.                  enabled/disabled

                        Auditing of "process
                        tracking" events on failure
                        should be enabled or
CCE-2927-2   CCE-2617   disabled as appropriate.    enabled/disabled
                        Auditing of "system"
                        events on success should
                        be enabled or disabled as
CCE-2953-8   CCE-2420   appropriate.                enabled/disabled
                        Auditing of "system"
                        events on failure should be
                        enabled or disabled as
CCE-3222-7   CCE-1680   appropriate.                enabled/disabled
                       The "restrict guest access
                       to application log" policy
CCE-3121-1   CCE-299   should be set correctly.      (1) enabled/disabled

                       The application log
                       maximum size should be
CCE-3015-5   CCE-185   configured correctly.         (1) size of file
                       The "when maximum log
                       size is reached" property
                       should be set correctly for
CCE-2905-8   CCE-285   the Application log.          type of retention

                       The "restrict guest access
                       to security log" policy
CCE-2659-1   CCE-462   should be set correctly.      (1) enabled/disabled

                       The security log maximum
                       size should be configured
CCE-3302-7   CCE-757   correctly.                    (1) size of file
                       The "when maximum log
                       size is reached" property
                       should be set correctly for
CCE-3196-3   CCE-523   the Security log.             type of retention

                       The "restrict guest access
                       to system log" policy
CCE-2839-9   CCE-726   should be set correctly.      (1) enabled/disabled

                       The system log maximum
                       size should be configured
CCE-3165-8   CCE-735   correctly.                    (1) size of file
                       The "when maximum log
                       size is reached" property
                       should be set correctly for
CCE-2931-4   CCE-664   the System log.               type of retention

                       The "maximum password
                       age" policy should meet
CCE-2967-8   CCE-871   minimum requirements.         (1) number of days
                       The "minimum password
                       age" policy should meet
CCE-3240-9   CCE-324   minimum requirements.         (1) number of days

                       The "minimum password
                       length" policy should meet
CCE-2883-7   CCE-100   minimum requirements.         (1) number of days
                       The "password must meet
                       complexity requirements"
                       policy should be set
CCE-3033-8   CCE-633   correctly.                    (1) enabled/disabled
                       The "enforce password        (1) number of
                       history" policy should meet passwords
CCE-2323-4   CCE-60    minimum requirements.       remembered

                       The "store password using
                       reversible encryption for all
                       users in the domain" policy
CCE-3311-8   CCE-479   should be set correctly.      (1) enabled/disabled

                       The startup type of the        (1)
                       Messenger service should      disabled/manual/aut
CCE-3316-7   CCE-729   be correct.                   omatic
                       The startup type of the
                       NetMeeting Remote              (1)
                       Desktop Sharing service       disabled/manual/aut
CCE-3082-5   CCE-232   should be correct.            omatic
                       The behavior surrounding
                       Anonymous users' ability
                       to display lists of SAM       (1)
                       accounts and shares           restricted/unrestricte
CCE-3232-6   CCE-195   should be correct.            d
                       The behavior surrounding
                       Anonymous users' ability
                       to display lists of SAM       (1)
                       accounts should be            restricted/unrestricte
CCE-3272-2   CCE-318   correct.                      d
                       The behavior surrounding
                       Anonymous SID/Name
                       translation should be
CCE-2339-0   CCE-953   correct.                      (1) enabled/disabled

                       Use of the built-in Guest
                       account should be enabled
CCE-3248-2   CCE-332   or disabled as appropriate.   (1) enabled/disabled
                       Use of the built-in
                       Administrator account
                       should be enabled or
CCE-3032-0   CCE-499   disabled as appropriate.      (1) enabled/disabled
                       The "Message title for
                       users attempting to log on"
                       policy should be set
CCE-3314-2   CCE-23    correctly.                    (1) text caption
                       The "Message text for
                       users attempting to log on"
                       policy should be set
CCE-3336-5   CCE-829   correctly.                    (1) text statement

                       Automatic Logon should
CCE-3072-6   CCE-283   be properly configured.       (1) enabled/disabled
                       Autoplay on all Drive
                       Types should be properly
CCE-2719-3   CCE-44    configured.                  (1) enabled/disabled

                       ICMP Redirects should be
CCE-3239-1   CCE-150   properly configured.         (1) enabled/ignored

                       IP Source Routing should
CCE-3261-5   CCE-564   be properly configured.      (1) enabled/disabled

                       IRDP should be properly
CCE-3279-7   CCE-952   configured.                (1) enabled/disabled
                       Display Last User Name in
                       Logon Screen should be
CCE-3173-2   CCE-65    properly configured.       (1) enabled/disabled
                       System availability to
                       Master Browser should be
CCE-3067-6   CCE-139   properly configured.       (1) available/hidden
                       TCP/IP Dead Gateway
                       Detection should be
CCE-3120-3   CCE-897   properly configured.       (1) enabled/disabled
                       The TCP/IP KeepAlive
                       Time should be set         (1) number of
CCE-3142-7   CCE-188   correctly.                 milliseconds
                       TCP/IP NetBIOS Name
                       Release on Request
                       Prevented should be
CCE-2785-4   CCE-817   properly configured.       (1) enabled/disabled
                       TCP/IP SYN Flood Attack
                       Protection should be
CCE-2679-9   CCE-284   properly configured.       (1) enabled/disabled
                       Security Audit log warning
                       level should be properly
CCE-3181-5   CCE-125   configured.                (1) warning level
                       Safe DLL Search Mode
                       should be properly
CCE-3199-7   CCE-271   configured.                (1) enabled/disabled
                       The built-in Administrator
                       account should be
CCE-2714-4   CCE-438   correctly named.           (1) valid names

                       The built-in Guest account
CCE-2359-8   CCE-834   should be correctly named.   (1) valid names
                       The amount of idle time
                       required before
                       disconnecting a session      (1) number of
CCE-2519-7   CCE-222   should be set correctly.     minutes
                       The "Audit the access of
                       global system objects"
                       policy should be set
CCE-3285-4   CCE-2     correctly.                   (1) enabled/disabled
                       The "Audit the use of
                       backup and restore
                       privilege" policy should be
CCE-3303-5   CCE-905   set correctly.                (1) enabled/disabled
                       The "Disable
                       CTRL+ALT+Delete
                       Requirement for Logon"
                       policy should be set
CCE-3307-6   CCE-133   correctly.                    (1) enabled/disabled

                       The "Prevent Users from
                       Installing Printer Drivers"
                       policy should be set
CCE-3325-8   CCE-402   correctly.                    (1) enabled/disabled

                       The "Restrict CD-ROM
                       Access to Locally Logged-
                       On User Only" policy
CCE-2858-9   CCE-565   should be set correctly.      (1) enabled/disabled

                       The "Restrict Floppy
                       Access to Locally Logged-
                       On User Only" policy
CCE-3168-2   CCE-463   should be set correctly.   (1) enabled/disabled
                       The "Secure Channel:
                       Require Strong (Windows
                       2000 or later) Session
                       Key" policy should be set
CCE-3212-8   CCE-417   correctly.                 (1) enabled/disabled
                       The "Send Unencrypted
                       Password to Connect to
                       Third-Party SMB Servers"
                       policy should be set
CCE-2838-1   CCE-228   correctly.                 (1) enabled/disabled
                       The "Users Prompted to
                       Change Password Before
                       Expiration" policy should  (1) number of days
CCE-3230-0   CCE-814   be set correctly.         prior to expiration

                       The "Shut Down system
                       immediately if unable to
                       log security audits" policy
CCE-3001-5   CCE-92    should be set correctly.      (1) enabled/disabled
                       The "Digitally Sign Client
                       Communication (Always)"
                       policy should be set
CCE-3252-4   CCE-576   correctly.                    (1) enabled/disabled
                       The "Digitally Sign Client
                       Communication (When
                       Possible)" policy should be
CCE-2380-4   CCE-519   set correctly.                (1) enabled/disabled
                       The "Digitally Sign Server
                       Communication (Always)"
                       policy should be set
CCE-3023-9   CCE-171   correctly.                    (1) enabled/disabled
                       The "Digitally Sign Server
                       Communication (When
                       Possible)" policy should be
CCE-3164-1   CCE-104   set correctly.                (1) enabled/disabled

                       The "Number of Previous
                       Logons to Cache" policy      (1) number of
CCE-2376-2   CCE-773   should be set correctly.    logons
                       The "Allowed to Format
                       and Eject Removable
                       NTFS Media" policy
CCE-3225-0   CCE-919   should be set correctly.     (1) Group(s)
                       The "Secure Channel:
                       Digitally Encrypt or Sign
                       Secure Channel Data
                       (Always)" policy should be
CCE-3330-8   CCE-549   set correctly.               (1) enabled/disabled
                       The "Secure Channel:
                       Digitally Encrypt Secure
                       Channel Data (When
                       Possible)" policy should be
CCE-2467-9   CCE-161   set correctly.               (1) enabled/disabled
                       The "Secure Channel:
                       Digitally Sign Secure
                       Channel Data (When
                       Possible)" policy should be
CCE-3233-4   CCE-918   set correctly.               (1) enabled/disabled

                       The "Smart Card Removal
                       Behavior" policy should be
CCE-3251-6   CCE-443   set correctly.                (1) behavior

                       The "Prevent System
                       Maintenance of Computer
                       Account Password" policy
CCE-3255-7   CCE-831   should be set correctly.      (1) enabled/disabled

                       The "Limit local account
                       use of blank passwords to
                       console logon only" policy
CCE-2398-6   CCE-533   should be set correctly.   (1) enabled/disabled

                       The "Allow undock without
                       having to logon" policy
CCE-3326-6   CCE-186   should be set correctly.      (1) enabled/disabled
                       The "Maximum machine
                       account password age"
                       policy should be set
CCE-3075-9   CCE-194   correctly.                   (1) enabled/disabled

                       The "Require Domain
                       Controller authentication to
                       unlock workstation" policy
CCE-3220-1   CCE-374   should be set correctly.     (1) enabled/disabled
                       The "Disconnect clients
                       when logon hours expire"
                       policy should be set
CCE-3361-3   CCE-278   correctly.                   (1) enabled/disabled
                       The "Do not allow storage
                       of credentials or .NET
                       Passports" policy should
CCE-3379-5   CCE-542   be set correctly.            (1) enabled/disabled

                       The "Let Everyone
                       permissions apply to
                       anonymous users" policy
CCE-2457-0   CCE-18    should be set correctly.     (1) enabled/disabled
                       The "Named Pipes that
                       can be accessed
                       anonymously" policy
CCE-3380-3   CCE-136   should be set correctly.     (1) enabled/disabled

                       The "Remotely accessible
                       registry paths" policy
CCE-2825-8   CCE-189   should be set correctly.     (1) set of paths
                       The "Shares that can be
                       accessed anonymously"
                       policy should be set
CCE-3349-8   CCE-942   correctly.                   (1) set of shares
                       The "Sharing and security
                       model for local accounts"
                       policy should be set         (1) Classic/Guest
CCE-3367-0   CCE-343   correctly.                   only
                       The "Do not store LAN
                       Manager hash value on
                       next password change"
                       policy should be set
CCE-3138-5   CCE-233   correctly.                   (1) enabled/disabled

                       The "Force logoff when
                       logon hours expire" policy
CCE-3283-9   CCE-775   should be set correctly.     (1) enabled/disabled
                       The "Current user
                       screensaver timeout"
                       policy should be set
CCE-3050-2   CCE-830   correctly.                   (1) time in seconds
                       The "Always Prompt Client
                       for Password upon
                       Connection" policy should
                       be set correctly for
CCE-3429-8   CCE-855   Terminal Services.             (1) enabled/disabled

                       The "Allow Solicited
                       Remote Assistance" policy
                       should be set correctly for
CCE-3323-3   CCE-859   Terminal Services.             (1) enabled/disabled

                       The "Allow Unsolicited
                       Remote Assistance" policy
                       should be set correctly for
CCE-3217-7   CCE-434   Terminal Services.             (1) enabled/disabled
                       The "Configure Automatic
                       Updates" should be set
CCE-3358-9   CCE-306   correctly

                       The "Do not adjust default
                       option to 'Install Updates
                       and Shut Down' in Shut
                       Down Windows dialog
CCE-3345-6   CCE-989   box" should be set correctly

                       The "Do not display 'Install
                       Updates and Shut Down'
                       option in Shut Down
                       Windows dialog box"
CCE-3363-9   CCE-1     should be set correctly
                       The "No auto-restart for
                       scheduled Automatic
CCE-2462-0   CCE-641   Updates installations
                       The "Reschedule
                       Automatic Updates
                       scheduled installations"
CCE-2852-2   CCE-804   should be set correctly
                       The "DCOM: Machine
                       access Restrictions in
                       Security Descriptor
                       Definition Language
                       (SDDL) syntax" setting
                       should be configured
CCE-3371-2   CCE-458   correctly.
                       The "DCOM: Machine
                       Launch Restrictions in the
                       Security Descriptor
                       Definition Language
                       (SDDL) syntax" security
                       option should be set
CCE-3266-4   CCE-740   correctly.
                       The "Display user
                       information when the
                       session is locked" setting
                       should be configured
CCE-3411-6   CCE-22    correctly.
                       The "Interactive logon:
                       Require smart card" setting
                       should be configured
CCE-2772-2   CCE-828   correctly.                 enabled/disabled

                       The "Network access:
                       Restrict anonymous
                       access to named pipes
                       and shares" setting should
CCE-3292-0   CCE-638   be configured correctly.

                       MSS:(TCPMaxConnectRes
                       ponseRetransmission)
                       SYN-ACK retransmissions
                       when a connection request     (1) number of
CCE-3459-5   CCE-577   is not acknowledged           seconds
                       MSS:(TCPMaxDataRetran
                       smissions) How many
                       times unacknowledged          (1) number of
CCE-3460-3   CCE-872   data is retransmitted         seconds
                       MSS:
                       (NtfsDisable8dot3NameCr
                       eation) Enable the
                       computer to stop
                       generating 8.3 style
CCE-3244-1   CCE-511   filenames.                    (1) reg_dword
                       RPC Endpoint Mapper
                       Client Authentication (SP2
CCE-3394-4   CCE-145   only)                         (1) enabled/disabled
                       Restrictions for
                       Unauthenticated RPC
CCE-3160-9   CCE-423   clients (SP2 only)            (1) enabled/disabled
                       Domain Profile: Protect all
                       network connections (SP2
CCE-3054-4   CCE-806   only)                         (1) enabled/disabled

                       Domain Profile: Do not
CCE-3187-2   CCE-969   allow exceptions (SP2 only) (1) enabled/disabled

                       Domain Profile: Allow local
CCE-3405-8   CCE-502   program exceptions          (1) enabled/disabled


                                                     (1) enabled/disabled
                       Domain Profile: Allow         (2) subnets for
CCE-3158-3   CCE-771   remote administration         internal support only
                       Domain Profile: Allow file
                       and printer sharing
CCE-3431-4   CCE-555   exception (SP2 only)           (1) enabled/disabled


                       Domain Profile: Allow          (1) enabled/disabled
                       Remote Desktop                 (2) subnets for
CCE-3458-7   CCE-832   exception (SP2 only)           internal support only
                       Domain Profile: Allow
                       UPnP framework
CCE-2964-5   CCE-590   exception (SP2 only)           (1) enabled/disabled
                       The "Windows Firewall:
                       Prohibit notifications"
                       setting should be
                       configured correctly for the
CCE-3365-4   CCE-762   Domain Profile.                (1) enabled/disabled


                       The "Log Dropped
                       Packets" option for the
                       Windows Firewall should
                       be configured correctly for
CCE-3260-7   CCE-251   the Domain Profile.            (1) enabled/disabled




                       The log file path and name
                       for the Windows Firewall
                       should be configured
                       correctly for the Domain
CCE-2533-8   CCE-793   Profile.                   (1) File path


                       The log file size limit for
                       the Windows Firewall
                       should be configured
                       correctly for the Domain
CCE-3299-5   CCE-57    Profile.                       (1) Size limit (KB)

                       The "Log Successful
                       Connections" option for
                       the Windows Firewall
                       should be configured
                       correctly for the Domain
CCE-3414-0   CCE-617   Profile.                       (1) enabled/disabled
                       Unicast response to
                       multicast or broadcast
                       requests should be
                       enabled or disabled as
                       appropriate for the Domain
CCE-3436-3   CCE-696   Profile.                   (1) enabled/disabled

                       Domain Profile: Define
CCE-3202-9   CCE-114   port exceptions (SP2 only) (1) enabled/disabled

                       Domain Profile: Allow local
CCE-3180-7   CCE-370   port exceptions (SP2 only) (1) enabled/disabled
                       Standard Profile: Protect
                       all network connections
CCE-3329-0   CCE-273   (SP2 only)                  (1) enabled/disabled

                       Standard Profile: Do not
CCE-3347-2   CCE-440   allow exceptions (SP2 only) (1) enabled/disabled
                       Standard Profile: Allow
                       local program exceptions
CCE-3334-0   CCE-352   (SP2 only)                  (1) enabled/disabled
                       Standard Profile: Allow
                       remote administration
CCE-3352-2   CCE-467   exception (SP2 only)        (1) enabled/disabled


                       Standard Profile: Allow file
                       and printer sharing
CCE-3369-6   CCE-626   exception (SP2 only)           (1) enabled/disabled
                       Standard Profile: Allow
                       Remote Desktop
CCE-3387-8   CCE-354   exception (SP2 only)           (1) enabled/disabled
                       Standard Profile: Allow
                       UPnP framework
CCE-3268-0   CCE-266   exception (SP2 only)           (1) enabled/disabled
                       The "Windows Firewall:
                       Prohibit notifications"
                       setting should be
                       configured correctly for the
CCE-3409-0   CCE-901   Standard Profile.              (1) enabled/disabled
                       Unicast response to
                       multicast or broadcast
                       requests should be
                       enabled or disabled as
                       appropriate for the
CCE-3440-5   CCE-632   Standard Profile.              (1) enabled/disabled

                       Standard Profile: Define
CCE-3462-9   CCE-196   port exceptions (SP2 only) (1) enabled/disabled
                       Standard Profile: Allow
                       local port exceptions (SP2
CCE-3356-3   CCE-77    only)                      (1) enabled/disabled
                       Domain Profile - Inbound
CCE-2999-1   CCE-249   Connections



                       Domain Profile - Outbound
CCE-3439-7   CCE-485   Connections




                       Domain Profile - Apply
CCE-3457-9   CCE-400   Local Firewall Rules




                       Domain Profile - Apply
                       Local Connection Security
CCE-2977-7   CCE-584   Rules



                       Private Profile - Firewall
CCE-3373-8   CCE-7     State



                       Private Profile - Inbound
CCE-3395-1   CCE-29    Connections



                       Private Profile - Outbound
CCE-3166-6   CCE-32    Connections

                       User notifications when a
                       program is blocked from
                       receiving inbound
                       connections by Windows
                       Firewall should be enabled
                       or disabled as appropriate yes/no/not
CCE-3417-3   CCE-38    for the Private Profile.   configured
                       Unicast response to
                       multicast or broadcast
                       requests should be
                       enabled or disabled as
                       appropriate for the Private
CCE-2924-9   CCE-70    Profile.                      enabled/disabled




                       Private Profile - Apply
CCE-3360-5   CCE-117   Local Firewall Rules




                       Private Profile - Apply
                       Local Connection Security
CCE-2854-8   CCE-199   Rules



                       Public Profile - Firewall
CCE-3246-6   CCE-295   State



                       Public Profile - Inbound
CCE-3263-1   CCE-338   Connections




                       Public Profile - Outbound
CCE-3351-4   CCE-342   Connections

                       User notifications when a
                       program is blocked from
                       receiving inbound
                       connections by Windows
                       Firewall should be enabled
                       or disabled as appropriate yes/no/not
CCE-2998-3   CCE-390   for the Public Profile.    configured

                       Unicast response to
                       multicast or broadcast
                       requests should be
                       enabled or disabled as
                       appropriate for the Public
CCE-2641-9   CCE-414   Profile.                      enabled/disabled
                       Public Profile - Apply Local
CCE-2650-0   CCE-421   Firewall Rules




                       Public Profile - Apply Local
CCE-3426-4   CCE-437   Connection Security Rules



                       Logon - Do not process
CCE-3320-9   CCE-503   the legacy run list



                       Logon - Do not process
CCE-3086-6   CCE-583   the run once list




                       Group Policy - Registry
CCE-3452-0   CCE-584   policy processing

                       Turn off Internet download
                       for Web publishing and
CCE-3364-7   CCE-691   online ordering wizards
                       Turn off the Windows
                       Messenger Customer
                       Experience Improvement
CCE-3259-9   CCE-722   Program

                       Turn off Search
                       Companion content file
CCE-2778-9   CCE-818   updates



CCE-3421-5   CCE-852   Turn off printing over HTTP


                       Turn off downloading of
CCE-2754-0   CCE-887   print drivers over HTTP
                       Turn off Windows Update
CCE-3278-9   CCE-927   device driver searching


                       Enumerate administrator
CCE-2471-1   CCE-935   accounts on elevation


                       Require trusted path for
CCE-3310-0   CCE-255   credential entry


                       Deny all add-ons unless
                       specifically allowed in the
CCE-3327-4   CCE-466   Add-on List
                       The "Do not allow
                       passwords to be saved"
                       setting should be
                       configured correctly for
CCE-2975-1   CCE-976   Terminal Services.


                       The "Do not allow drive
                       redirection" setting should
                       be configured correctly for
CCE-2874-6   CCE-648   Terminal Services.

                       Access to registry editing
CCE-3415-7   CCE-405   tools is set correctly.
                       Prompt for password on
                       resume from
                       hibernate/suspend is set
CCE-3169-0   CCE-509   correctly.

                       Do not preserve zone
                       information in file
CCE-3437-1   CCE-12    attachments is set correctly.


                       Hide mechanisms to
                       remove zone information
CCE-2979-3   CCE-58    is set correctly.

                       Notify antivirus programs
                       when opening attachments
CCE-3300-1   CCE-372   is set correctly.

                       Outlook Express
                       attachment blocking is set
CCE-3305-0   CCE-886   correctly.
                        Audit: Force audit policy
                        subcategory settings are
CCE-3450-4   CCE-111    set correctly.

                        The "Log Access For
                        Setup Log" setting should
CCE-3102-1   CCE-1044   be configured correctly.      enabled/disabled
                        The startup type of the
                        Windows Search service
                        should be configured
CCE-3388-6   CCE-84     correctly.                    enabled/disabled
                        The startup type of
                        Microsoft Peer-to-Peer
                        Networking Services
                        should be configured
CCE-3270-6   CCE-86     correctly.                    enabled/disabled
                        The "Prohibit Access of
                        the Windows Connect
                        Now Wizards" setting
                        should be configured
CCE-3045-2   CCE-629    correctly.                    enabled/disabled
                        The "Allow remote access
                        to the PnP interface"
                        setting should be
CCE-3331-6   CCE-593    configured correctly.         enabled/disabled
                        The "Do not create system
                        restore point when new
                        device driver installed"
                        setting should be
CCE-3464-5   CCE-849    configured correctly.         enabled/disabled
                        The "Do not send a
                        Windows Error Report
                        when a generic driver is
                        installed on a device"
                        setting should be
CCE-3468-6   CCE-571    configured correctly.         enabled/disabled
                        The "Turn Off Access to
                        All Windows Update
                        Feature" setting should be
CCE-3362-1   CCE-91     configured correctly.         enabled/disabled
                        The "Turn Off Automatic
                        Root Certificates Update"
                        setting should be
CCE-3454-6   CCE-858    configured correctly.         enabled/disabled
                        The "Turn Off Event Viewer
                        'Events.asp' Links" setting
                        should be configured
CCE-3348-0   CCE-263    correctly.                    enabled/disabled
                        The "Turn Off Handwriting
                        Recognition Error
                        Reporting" setting should
CCE-2868-8   CCE-430    be configured correctly.  enabled/disabled
                        The "Turn Off Help and
                        Support Center "Did You
                        Know?" Content" setting
                        should be configured
CCE-2877-9   CCE-756    correctly.                enabled/disabled
                        The "Turn Off Help and
                        Support Center Microsoft
                        Knowledge Base Search"
                        setting should be
CCE-3406-6   CCE-1029   configured correctly.     enabled/disabled

                        The "Turn Off Internet
                        Connection Wizard if URL
                        Connection is Referring to
                        Microsoft.com" setting
                        should be configured
CCE-3432-2   CCE-1055   correctly.                    enabled/disabled
                        The "Turn Off Internet File
                        Association Service"
                        setting should be
CCE-2697-1   CCE-1064   configured correctly.         enabled/disabled
                        The "Turn Off Registration
                        if URL Connection is
                        Referring to
                        Microsoft.com" setting
                        should be configured
CCE-3093-2   CCE-88     correctly.                    enabled/disabled
                        The "Turn Off the 'Order
                        Prints' Picture Task"
                        setting should be
CCE-3115-3   CCE-375    configured correctly.         enabled/disabled
                        The "Turn off the 'Publish
                        to Web' task for files and
                        folders" setting should be
CCE-2477-8   CCE-1009   configured correctly.         enabled/disabled
                        The "Turn Off Windows
                        Movie Maker Automatic
                        Codec Downloads" setting
                        should be configured
CCE-3403-3   CCE-1040   correctly.                    enabled/disabled
                        The "Turn Off Windows
                        Movie Maker Online Web
                        Links" setting should be
CCE-3297-9   CCE-1062   configured correctly.         enabled/disabled
                        The "Turn Off Windows
                        Movie Maker Saving to
                        Online Video Hosting
                        Provider" setting should be
CCE-3385-2   CCE-93     configured correctly.         enabled/disabled
                        The "Don't Display the
                        Getting Started Welcome
                        Screen at Logon" setting
                        should be configured
CCE-2781-3   CCE-1020   correctly.                    enabled/disabled
                        The "Turn off Windows
                        Startup Sound" setting
                        should be configured
CCE-2922-3   CCE-681    correctly.                    enabled/disabled
                        The "Require a Password
                        when a Computer Wakes
                        (On Battery)" setting
                        should be configured
CCE-2821-7   CCE-346    correctly.                    enabled/disabled

                        The "Require a Password
                        when a Computer Wakes
                        (Plugged)" setting should
CCE-3469-4   CCE-1011   be configured correctly.      enabled/disabled
                        The "Allow only Vista or
                        later connections" setting
                        should be configured
CCE-2742-5   CCE-1007   correctly.                    enabled/disabled
                        The "Customization
                        Warning Messages"
                        setting should be
CCE-2887-8   CCE-923    configured correctly.         enabled/disabled
                        The "Turn on bandwidth
                        optimization" setting
                        should be configured
CCE-3407-4   CCE-1056   correctly.                    enabled/disabled
                        The "Turn on session
                        logging" setting should be
CCE-3271-4   CCE-835    configured correctly.         enabled/disabled

                        The "Prevent IIS
                        Installation" setting should
CCE-3288-8   CCE-474    be configured correctly.     enabled/disabled
                        The "Turn off Active Help"
                        setting should be
CCE-3434-8   CCE-557    configured correctly.        enabled/disabled
                        The "Turn off Untrusted
                        Content" setting should be
CCE-3046-0   CCE-95     configured correctly.        enabled/disabled
                        The "Turn off downloading
                        of enclosures" setting
                        should be configured
CCE-3477-7   CCE-767    correctly.                   enabled/disabled
                        The "Allow indexing of
                        encrypted files" setting
                        should be configured
CCE-3376-1   CCE-1049   correctly.                   enabled/disabled
                        The "Prevent indexing
                        uncached Exchange
                        folders" setting should be
CCE-3143-5   CCE-1058   configured correctly.        enabled/disabled
                        The "Turn off Windows
                        Calendar" setting should
CCE-2914-0   CCE-441    be configured correctly.     enabled/disabled
                        The "Allow Corporate
                        redirection of Customer
                        Experience Improvement
                        uploads" setting should be
CCE-3178-1   CCE-97     configured correctly.        enabled/disabled
                        The "Turn off Windows
                        Defender" setting should
CCE-3209-4   CCE-728    be configured correctly.     enabled/disabled

                        The "Turn off Heap
                        termination on corruption"
                        setting should be
CCE-2962-9   CCE-384    configured correctly.      enabled/disabled
                        The "Turn off shell
                        protocol protected mode"
                        setting should be
CCE-3125-2   CCE-480    configured correctly.      enabled/disabled
                        The "Prohibit non-
                        administrators from
                        applying vendor signed
                        updates" setting should be
CCE-3398-5   CCE-612    configured correctly.      enabled/disabled

                        The "Report Logon Server
                        Not Available During User
                        logon" setting should be
CCE-3341-5   CCE-392    configured correctly.     enabled/disabled
                        The "Turn off the
                        communities features"
                        setting should be
CCE-2521-3   CCE-96     configured correctly.     enabled/disabled
                        The "Turn off Windows
                        Mail application" setting
                        should be configured
CCE-2525-4   CCE-331    correctly.                enabled/disabled
                        The "Prevent Windows
                        Media DRM Internet
                        Access" setting should be
CCE-3486-8   CCE-1089   configured correctly.         enabled/disabled
                        The "Turn off Windows
                        Meeting Space" setting
                        should be configured
CCE-2557-7   CCE-992    correctly.                    enabled/disabled
                        The "Turn on Windows
                        Meeting Space auditing"
                        setting should be
CCE-3328-2   CCE-105    configured correctly.         enabled/disabled

                        The "Disable unpacking
                        and installation of gadgets
                        that are not digitally
                        signed" setting should be
CCE-3456-1   CCE-297    configured correctly.         enabled/disabled
                        The "Override the More
                        Gadgets Link" setting
                        should be configured
CCE-3214-4   CCE-702    correctly.                    enabled/disabled

                        The "Turn Off User
                        Installed Windows Sidebar
                        Gadgets" setting should be
CCE-3500-6   CCE-644    configured correctly.      enabled/disabled
                        The "Do not allow Digital
                        Locker to run" setting
                        should be configured
CCE-3482-7   CCE-1747   correctly.                 enabled/disabled

                        The "Turn Off
                        Downloading of Game
                        Information" setting should
CCE-2755-7   CCE-1778   be configured correctly.    enabled/disabled
                        The "IPv6 Block of
                        Protocols 41" setting
                        should be configured
CCE-2865-4   CCE-1795   correctly.                  enabled/disabled

                        The "IPv6 Block of UDP
                        3544" setting should be
CCE-3508-9   CCE-1293   configured correctly.         enabled/disabled
                        The "Enforce user logon
                        restrictions" policy should
CCE-4662-3   CCE-227    be set correctly.             (1) enabled/disabled
                        The "Maximum Service
                        Ticket Lifetime" policy       (1) number of
CCE-4666-4   CCE-6      should be set correctly.      minutes
                        The "Maximum User
                        Ticket Lifetime" policy
CCE-3936-2   CCE-37     should be set correctly.     (1) number of hours
                        The "Maximum User
                        Renewal Lifetime" policy
CCE-4755-5   CCE-33     should be set correctly.     (1) number of days
                        The "Maximum tolerance
                        for computer clock
                        synchronization" policy      (1) number of
CCE-4702-7   CCE-588    should be set correctly.     minutes
                        TCP/IP PMTU Discovery
                        should be properly
CCE-3949-5   CCE-998    configured.                  (1) enabled/disabled
                        Kerberos and RSVP
                        Traffic Protected by IPSec
                        should be properly
CCE-4904-9   CCE-501    configured.                  (1) enabled/disabled
                        The "Remotely accessible
                        registry paths and
                        subpaths" policy should be
CCE-4781-1   CCE-1185   set correctly.               set of paths
                        The "LAN Manager
                        Authentication Level"
                        policy should be set          (1) authentication
CCE-4922-1   CCE-719    correctly.                   level

                        The "LDAP client signing
                        requirements" policy
CCE-4940-3   CCE-732    should be set correctly.     (1) enabled/disabled
                        The "Minimum session
                        security for NTLM SSP
                        based clients" policy
CCE-4583-1   CCE-674    should be set correctly.     (1) enabled/disabled
                        The "Minimum session
                        security for NTLM SSP
                        based servers" policy
CCE-4213-5   CCE-766    should be set correctly.     (1) enabled/disabled
                        The "Recovery Console:
                        Allow Automatic
                        Administrative Logon"
                        policy should be set
CCE-4107-9   CCE-410    correctly.                   (1) enabled/disabled
                        The "Recovery Console:
                        Allow Floppy Copy and
                        Access to All Drives and
                        All Folders" policy should
CCE-3953-7   CCE-76     be set correctly.            (1) enabled/disabled
                        The "Allow System to be
                        Shut Down Without Having
                        to Log On" policy should
CCE-3954-5   CCE-224    be set correctly.            (1) enabled/disabled
                        The "Clear Virtual Memory
                        Pagefile at shutdown"
                        policy should be set
CCE-3969-3   CCE-422    correctly.                    (1) enabled/disabled
                        The "Use FIPS compliant
                        algorithms for encryption,
                        hashing, and signing"
                        policy should be set
CCE-4774-6   CCE-55     correctly.                    (1) enabled/disabled
                        The "Require Case
                        Insensitivity for Non-
                        Windows Subsystems"
                        policy should be set
CCE-4841-3   CCE-300    correctly.                    (1) enabled/disabled
                        The "Strengthen Default
                        Permissions of Global
                        System Objects" policy
CCE-4011-3   CCE-508    should be set correctly.      (1) enabled/disabled
                        The "User Account
                        Control: Admin Approval
                        Mode for the Built-in
                        Administrator account"
                        setting should be
CCE-4955-1   CCE-1078   configured correctly.         enabled/disabled
                        The "Behavior of the
                        elevation prompt for
                        administrators in Admin       Prompt for
                        Approval Mode" setting        consent/Prompt for
                        should be configured          credentials/
CCE-4016-2   CCE-1063   correctly.                    Automatically deny
                        The "Behavior of the
                        elevation prompt for
                        standard users" setting       Prompt for
                        should be configured          credentials/
CCE-4969-2   CCE-1067   correctly.                    Automatically deny
                        The "User Account
                        Control: Detect application
                        installations and prompt
                        for elevation" setting
                        should be configured
CCE-4612-8   CCE-1128   correctly.                    enabled/disabled
                        The "User Account
                        Control: Only elevate
                        executables that are
                        signed and validated"
                        setting should be
CCE-5004-7   CCE-1104   configured correctly.         enabled/disabled
                        The "User Account
                        Control: Only elevate
                        UIAccess applications that
                        are installed in secure
                        locations" setting should
CCE-4020-4   CCE-986    be configured correctly.       enabled/disabled
                        The "User Account
                        Control: Run all
                        administrators in Admin
                        Approval Mode" setting
                        should be configured
CCE-4907-2   CCE-1050   correctly.                     enabled/disabled
                        The "User Account
                        Control: Switch to the
                        secure desktop when
                        prompting for elevation"
                        setting should be
CCE-4925-4   CCE-230    configured correctly.          enabled/disabled
                        The "User Account
                        Control: Virtualize file and
                        registry write failures to
                        per-user locations" setting
                        should be configured
CCE-4194-7   CCE-673    correctly.                     enabled/disabled

                        The "access this computer
                        from the network" user
                        right should be assigned to
CCE-4334-9   CCE-532    the correct accounts.       (1) set of accounts
                        The "act as part of the
                        operating system" user
                        right should be assigned to
CCE-4088-1   CCE-162    the correct accounts.       (1) set of accounts

                        The "adjust memory
                        quotas for a process" user
                        right should be assigned to
CCE-4854-6   CCE-807    the correct accounts.          (1) set of accounts
                        The "log on locally" user
                        right should be assigned to
CCE-4872-8   CCE-965    the correct accounts.          (1) set of accounts
                        The "allow logon through
                        Terminal Services" user
                        right should be assigned to
CCE-4264-8   CCE-883    the correct accounts.          (1) set of accounts
                        The "back up files and
                        directories" user right
                        should be assigned to the
CCE-4827-2   CCE-931    correct accounts.              (1) set of accounts
                       The "bypass traverse
                       checking" user right
                       should be assigned to the
CCE-4973-4   CCE-376   correct accounts.            (1) set of accounts
                       The "change the system
                       time" user right should be
                       assigned to the correct
CCE-4863-7   CCE-799   accounts.                    (1) set of accounts
                       The "Change the time
                       zone" user right should be
                       assigned to the
CCE-5008-8   CCE-470   appropriate accounts.        list of accounts
                       The "create a pagefile"
                       user right should be
                       assigned to the correct
CCE-4757-1   CCE-895   accounts.                    (1) set of accounts
                       The "Create a token
                       object" user right should
                       be assigned to the correct
CCE-4902-3   CCE-926   accounts.                    (1) set of accounts
                       The "Create global
                       objects" user right should
                       be assigned to the correct
CCE-4792-8   CCE-383   accounts.                    (1) set of accounts
                       The "create permanent
                       shared objects" user right
                       should be assigned to the
CCE-4184-8   CCE-335   correct accounts.            (1) set of accounts
                       The "debug programs"
                       user right should be
                       assigned to the correct
CCE-4687-0   CCE-842   accounts.                    (1) set of accounts
                       The "deny access to this
                       computer from the
                       network" user right should
                       be assigned to the correct
CCE-4704-3   CCE-898   accounts.                    (1) set of accounts
                       The "deny logon as a
                       batch job" user right
                       should be assigned to the
CCE-4722-5   CCE-165   correct accounts.            (1) set of accounts
                       The "deny logon as a
                       service" user right should
                       be assigned to the correct
CCE-4867-8   CCE-597   accounts.                    (1) set of accounts
                       The "deny logon locally"
                       user right should be
                       assigned to the correct
CCE-4889-2   CCE-64    accounts.                    (1) set of accounts
                        The "deny logon through
                        Terminal Services" user
                        right should be assigned to
CCE-4656-5   CCE-108    the correct accounts.       (1) set of accounts

                        The "force shutdown from
                        a remote system" user
                        right should be assigned to
CCE-4673-0   CCE-754    the correct accounts.       (1) set of accounts
                        The "generate security
                        audits" user right should
                        be assigned to the correct
CCE-4488-3   CCE-939    accounts.                   (1) set of accounts

                        The "Impersonate a client
                        after authentication" user
                        right should be assigned to
CCE-4382-8   CCE-304    the correct accounts.         (1) set of accounts
                        The "Increase a Process
                        Working Set" setting
                        should be configured          Set of users or
CCE-4651-6   CCE-1027   correctly.                    groups
                        The "increase scheduling
                        priority" user right should
                        be assigned to the correct
CCE-4796-9   CCE-349    accounts.                     (1) set of accounts
                        The "load and unload
                        device drivers" user right
                        should be assigned to the
CCE-4034-5   CCE-860    correct accounts.             (1) set of accounts
                        The "lock pages in
                        memory" user right should
                        be assigned to the correct
CCE-4317-4   CCE-749    accounts.                     (1) set of accounts
                        The "log on as a batch job"
                        user right should be
                        assigned to the correct
CCE-4083-2   CCE-177    accounts.                     (1) set of accounts
                        The "log on as a service"
                        user right should be
                        assigned to the correct
CCE-4038-6   CCE-216    accounts.                     (1) set of accounts
                        The "manage auditing and
                        security log" user right
                        should be assigned to the
CCE-4046-9   CCE-850    correct accounts.             (1) set of accounts
                        The "Modify an object
                        label" user right should be
                        assigned to the
CCE-4285-3   CCE-1023   appropriate accounts.         list of accounts
                       The "modify firmware
                       environment values" user
                       right should be assigned to
CCE-4048-5   CCE-17    the correct accounts.          (1) set of accounts
                       The "perform volume
                       maintenance tasks" user
                       right should be assigned to
CCE-4071-7   CCE-314   the correct accounts.          (1) set of accounts
                       The "profile single
                       process" user right should
                       be assigned to the correct
CCE-4962-7   CCE-260   accounts.                      (1) set of accounts
                       The "profile system
                       performance" user right
                       should be assigned to the
CCE-4618-5   CCE-599   correct accounts.              (1) set of accounts

                       The "remove computer
                       from docking station" user
                       right should be assigned to
CCE-4861-1   CCE-656   the correct accounts.          (1) set of accounts
                       The "replace a process-
                       level token" user right
                       should be assigned to the
CCE-4372-9   CCE-667   correct accounts.              (1) set of accounts
                       The "restore files and
                       directories" user right
                       should be assigned to the
CCE-4948-6   CCE-553   correct accounts.              (1) set of accounts
                       The "shut down the
                       system" user right should
                       be assigned to the correct
CCE-4569-0   CCE-839   accounts.                      (1) set of accounts

                       The "synchronize directory
                       service data" user right
                       should be assigned to the
CCE-4970-0   CCE-381   correct accounts.              (1) set of accounts

                       The "take ownership of
                       files or other objects" user
                       right should be assigned to
CCE-4988-2   CCE-492   the correct accounts.           (1) set of accounts
                       The required permissions       (1) set of accounts
                       for the WLAN AutoConfig        (2) list of
                       service should be              permissions (3)
CCE-4627-6   CCE-957   assigned.                      applicability
                        Internet Explorer
                        Processes (Zone Elevation
CCE-4992-4   CCE-347    Protection)                 enabled/disabled
                        The "Turn on Responder
                        (RSPNDR) driver" setting
                        should be configured
                        correctly for the domain
CCE-4077-4   CCE-1134   profile.                    enabled/disabled
                        Installation and
                        Configuration of Network
                        Bridge on the DNS
                        Domain Network should
CCE-4152-5   CCE-896    be properly configured.     (1) enabled/disabled
                        The "Prohibit use of
                        Internet Connection
                        Firewall on your DNS
                        domain network" setting
                        should be configured
CCE-5020-3   CCE-241    correctly.                  enabled/disabled
                        The startup type of the
                        Internet Connection         (1)
                        Sharing service should be   disabled/manual/
CCE-4078-2   CCE-672    correct.                    automatic
                        The "Configuration of
                        wireless settings using
                        Windows Connect Now"
                        setting should be
                        configured correctly for
                        Wireless Connect Now
CCE-5061-7   CCE-734    over Ethernet (UPnP).       enabled/disabled
                       The "Internet Explorer
                       Maintenance Policy
                       Processing - Allow
                       processing across a slow
                       network connection"
                       setting should be
CCE-4081-6   CCE-365   configured correctly.          enabled/disabled
                       The "Enable Error
                       Reporting" policy should
CCE-4694-6   CCE-592   be set correctly.              (1) enabled/disabled

                       Use Classic Logon should
CCE-4813-2   CCE-231   be properly configured.        (1) logon type

                       The 'Approved Installation
                       Sites for ActiveX Controls'
                       security mechanism
                       should be enabled or
CCE-4579-9   CCE-836   disabled as appropriate.       enabled/disabled
                       The setup log maximum
                       size should be configured
CCE-4086-5   CCE-262   correctly.                     (1) Size limit (KB)


                       The "Do not allow drive
                       redirection" setting should
                       be configured correctly for
CCE-4501-3   CCE-648   Terminal Services.

                       The "Set Client connection
                       Encryption Level" policy
                       should be set correctly for
CCE-4866-0   CCE-397   Terminal Services.             (1) encryption level
                       The "Set time limit for
                       disconnected sessions"
                       policy should be set
                       correctly for Terminal          (1) Time Limit
CCE-5007-0   CCE-920   Services.                      (minutes)
                       The "Set time limit for idle
                       sessions" policy should be
                       set correctly for Terminal      (1) Time limit
CCE-4267-1   CCE-123   Services.                      (minutes)
                       Computer-wide, rather
                       than per-user, use of
                       Microsoft Spynet
                       Reporting for Windows
                       Defender should be
                       enabled or disabled as         enabled, disabled,
CCE-4761-3   CCE-312   appropriate.                   or not configured
                        The "Disable Logging"
                        setting should be
CCE-4915-5   CCE-959    configured correctly.          enabled/disabled
                        The "Disable Windows
                        Error Reporting" setting
                        should be configured
CCE-5034-4   CCE-803    correctly.                     enabled/disabled


                        The "Display Error
                        Notification" setting should
CCE-4919-7   CCE-259    be configured correctly.     enabled/disabled
                        The "Do not send
                        additional data" setting
                        should be configured
CCE-4089-9   CCE-798    correctly.                   enabled/disabled
                        The "Set Safe for
                        Scripting" policy should be
CCE-4991-6   CCE-261    set correctly.                (1) enabled/disabled

                        The "Enable User Control
                        Over Installs" policy should
CCE-4629-2   CCE-415    be set correctly.              (1) enabled/disabled
                        The "Do Not Show First
                        Use Dialog Boxes" setting
                        for Windows Media Player
                        should be configured
CCE-4405-7   CCE-1140   correctly.                     enabled/disabled
                        The "Disable Media Player
                        for automatic updates"
                        policy should be set
CCE-4898-3   CCE-455    correctly.                     (1) enabled/disabled
                        The "Prevent Desktop
                        Shortcut Creation" setting
                        for Windows Media Player
                        should be configured
CCE-5052-6   CCE-313    correctly.                     enabled/disabled

                        The "Do Not Automatically
                        Start Windows
                        Messenger" policy should
CCE-4797-7   CCE-309    be set correctly.              (1) enabled/disabled

                        The "Current user
                        screensaver secure" policy
CCE-4290-3   CCE-949    should be set correctly.    (1) enabled/disabled
                        The "Prevent users from
                        sharing files within their
                        profile" setting should be
CCE-5070-8   CCE-1144   configured correctly.      enabled/disabled
                        Auditing of "Account
                        Management: Application
                        Group Management"
                        events on success should
                        be enabled or disabled as
CCE-4938-7   CCE-801    appropriate.                enabled/disabled

                        Auditing of "Account
                        Management: Application
                        Group Management"
                        events on failure should be
                        enabled or disabled as
CCE-4700-1   CCE-1016   appropriate.                enabled/disabled
                        Auditing of "Account
                        Management: Computer
                        Account Management"
                        events on success should
                        be enabled or disabled as
CCE-4093-1   CCE-1070   appropriate.                enabled/disabled
                        Auditing of "Account
                        Management: Computer
                        Account Management"
                        events on failure should be
                        enabled or disabled as
CCE-4228-3   CCE-840    appropriate.                enabled/disabled

                        Auditing of "Account
                        Management: Distribution
                        Group Management"
                        events on success should
                        be enabled or disabled as
CCE-4115-2   CCE-515    appropriate.                enabled/disabled

                        Auditing of "Account
                        Management: Distribution
                        Group Management"
                        events on failure should be
                        enabled or disabled as
CCE-4140-0   CCE-1048   appropriate.                enabled/disabled

                        Auditing of "Account
                        Management: Other
                        Account Management
                        Events" events on success
                        should be enabled or
CCE-4916-3   CCE-206    disabled as appropriate.  enabled/disabled
                        Auditing of "Account
                        Management: Other
                        Account Management
                        Events" events on failure
                        should be enabled or
CCE-4783-7   CCE-1202   disabled as appropriate.      enabled/disabled
                        Auditing of "Account
                        Management: Security
                        Group Management"
                        events on success should
                        be enabled or disabled as
CCE-5048-4   CCE-1118   appropriate.                  enabled/disabled
                        Auditing of "Account
                        Management: Security
                        Group Management"
                        events on failure should be
                        enabled or disabled as
CCE-4142-6   CCE-369    appropriate.                  enabled/disabled
                        Auditing of "Account
                        Management: User
                        Account Management"
                        events on success should
                        be enabled or disabled as
CCE-4833-0   CCE-1043   appropriate.                  enabled/disabled
                        Auditing of "Account
                        Management: User
                        Account Management"
                        events on failure should be
                        enabled or disabled as
CCE-5097-1   CCE-924    appropriate.                  enabled/disabled

                        Auditing of "Detailed
                        Tracking: DPAPI Activity"
                        events on success should
                        be enabled or disabled as
CCE-5000-5   CCE-1413   appropriate.                enabled/disabled
                        Auditing of "Detailed
                        Tracking: DPAPI Activity"
                        events on failure should be
                        enabled or disabled as
CCE-4493-3   CCE-699    appropriate.                enabled/disabled
                        Auditing of "Detailed
                        Tracking: Process
                        Creation" events on
                        success should be
                        enabled or disabled as
CCE-4166-5   CCE-913    appropriate.                enabled/disabled
                        Auditing of "Detailed
                        Tracking: Process
                        Creation" events on failure
                        should be enabled or
CCE-5094-8   CCE-1079   disabled as appropriate.    enabled/disabled
                        Auditing of "Detailed
                        Tracking: Process
                        Termination" events on
                        success should be
                        enabled or disabled as
CCE-4869-4   CCE-416    appropriate.                enabled/disabled

                        Auditing of "Detailed
                        Tracking: Process
                        Termination" events on
                        failure should be enabled
CCE-4363-8   CCE-1250   or disabled as appropriate.   enabled/disabled
                        Auditing of "Detailed
                        Tracking: RPC Events"
                        events on success should
                        be enabled or disabled as
CCE-4891-8   CCE-1219   appropriate.                  enabled/disabled
                        Auditing of "Detailed
                        Tracking: RPC Events"
                        events on failure should be
                        enabled or disabled as
CCE-4759-7   CCE-1365   appropriate.                  enabled/disabled
                        Auditing of "DS Access:
                        Detailed Directory Service
                        Replication" events on
                        success should be
                        enabled or disabled as
CCE-5023-7   CCE-207    appropriate.                  enabled/disabled

                        Auditing of "DS Access:
                        Detailed Directory Service
                        Replication" events on
                        failure should be enabled
CCE-4658-1   CCE-1186   or disabled as appropriate. enabled/disabled

                        Auditing of "DS Access:
                        Directory Service Access"
                        events on success should
                        be enabled or disabled as
CCE-5028-6   CCE-1199   appropriate.                  enabled/disabled

                        Auditing of "DS Access:
                        Directory Service Access"
                        events on failure should be
                        enabled or disabled as
CCE-4931-2   CCE-459    appropriate.                enabled/disabled
                        Auditing of "DS Access:
                        Directory Service
                        Changes" events on
                        success should be
                        enabled or disabled as
CCE-5067-4   CCE-317    appropriate.                 enabled/disabled

                        Auditing of "DS Access:
                        Directory Service
                        Changes" events on failure
                        should be enabled or
CCE-4808-2   CCE-982    disabled as appropriate.   enabled/disabled
                        Auditing of "DS Access:
                        Directory Service
                        Replication" events on
                        success should be
                        enabled or disabled as
CCE-5089-8   CCE-881    appropriate.               enabled/disabled

                        Auditing of "DS Access:
                        Directory Service
                        Replication" events on
                        failure should be enabled
CCE-4176-4   CCE-247    or disabled as appropriate. enabled/disabled

                        Auditing of "Logon/Logoff:
                        Account Lockout" events
                        on success should be
                        enabled or disabled as
CCE-4342-2   CCE-1264   appropriate.                 enabled/disabled

                        Auditing of "Logon/Logoff:
                        Account Lockout" events
                        on failure should be
                        enabled or disabled as
CCE-4857-9   CCE-1282   appropriate.                 enabled/disabled

                        Auditing of "Logon/Logoff:
                        IPsec Extended Mode"
                        events on success should
                        be enabled or disabled as
CCE-5011-2   CCE-1028   appropriate.                 enabled/disabled

                        Auditing of "Logon/Logoff:
                        IPsec Extended Mode"
                        events on failure should be
                        enabled or disabled as
CCE-4505-4   CCE-362    appropriate.                enabled/disabled
                        Auditing of "Logon/Logoff:
                        IPsec Main Mode" events
                        on success should be
                        enabled or disabled as
CCE-5016-1   CCE-1207   appropriate.                 enabled/disabled

                        Auditing of "Logon/Logoff:
                        IPsec Main Mode" events
                        on failure should be
                        enabled or disabled as
CCE-4650-8   CCE-351    appropriate.                 enabled/disabled

                        Auditing of "Logon/Logoff:
                        IPsec Quick Mode" events
                        on success should be
                        enabled or disabled as
CCE-5038-5   CCE-1257   appropriate.               enabled/disabled

                        Auditing of "Logon/Logoff:
                        IPsec Quick Mode" events
                        on failure should be
                        enabled or disabled as
CCE-4928-8   CCE-1274   appropriate.               enabled/disabled

                        Auditing of "Logon/Logoff:
                        Logoff" events on success
                        should be enabled or
CCE-4703-5   CCE-493    disabled as appropriate.   enabled/disabled

                        Auditing of "Logon/Logoff:
                        Logoff" events on failure
                        should be enabled or
CCE-4183-0   CCE-996    disabled as appropriate.     enabled/disabled

                        Auditing of "Logon/Logoff:
                        Logon" events on success
                        should be enabled or
CCE-5018-7   CCE-1284   disabled as appropriate.   enabled/disabled

                        Auditing of "Logon/Logoff:
                        Logon" events on failure
                        should be enabled or
CCE-4423-0   CCE-1097   disabled as appropriate.     enabled/disabled

                        Auditing of "Logon/Logoff:
                        Other Logon/Logoff
                        Events" events on success
                        should be enabled or
CCE-5163-1   CCE-378    disabled as appropriate.   enabled/disabled
                        Auditing of "Logon/Logoff:
                        Other Logon/Logoff
                        Events" events on failure
                        should be enabled or
CCE-5066-6   CCE-1208   disabled as appropriate.     enabled/disabled

                        Auditing of "Logon/Logoff:
                        Special Logon" events on
                        success should be
                        enabled or disabled as
CCE-4956-9   CCE-371    appropriate.                 enabled/disabled

                        Auditing of "Logon/Logoff:
                        Special Logon" events on
                        failure should be enabled
CCE-4824-9   CCE-1038   or disabled as appropriate. enabled/disabled
                        Auditing of "Object
                        Access: Application
                        Generated" events on
                        success should be
                        enabled or disabled as
CCE-5084-9   CCE-1322   appropriate.                enabled/disabled

                        Auditing of "Object
                        Access: Application
                        Generated" events on
                        failure should be enabled
CCE-4829-8   CCE-379    or disabled as appropriate. enabled/disabled
                        Auditing of "Object
                        Access: Certification
                        Services" events on
                        success should be
                        enabled or disabled as
CCE-4714-2   CCE-1345   appropriate.                enabled/disabled

                        Auditing of "Object
                        Access: Certification
                        Services" events on failure
                        should be enabled or
CCE-4868-6   CCE-1261   disabled as appropriate.    enabled/disabled
                        Auditing of "Object
                        Access: File Share" events
                        on success should be
                        enabled or disabled as
CCE-4200-2   CCE-1372   appropriate.                enabled/disabled
                        Auditing of "Object
                        Access: File Share" events
                        on failure should be
                        enabled or disabled as
CCE-5145-8   CCE-1033   appropriate.                enabled/disabled
                        Auditing of "Object
                        Access: File System"
                        events on success should
                        be enabled or disabled as
CCE-4921-3   CCE-1085   appropriate.                enabled/disabled
                        Auditing of "Object
                        Access: File System"
                        events on failure should be
                        enabled or disabled as
CCE-5039-3   CCE-1340   appropriate.                enabled/disabled
                        Auditing of "Object
                        Access: Filtering Platform
                        Connection" events on
                        success should be
                        enabled or disabled as
CCE-4568-2   CCE-717    appropriate.                enabled/disabled

                        Auditing of "Object
                        Access: Filtering Platform
                        Connection" events on
                        failure should be enabled
CCE-5079-9   CCE-744    or disabled as appropriate. enabled/disabled
                        Auditing of "Object
                        Access: Filtering Platform
                        Packet Drop" events on
                        success should be
                        enabled or disabled as
CCE-4947-8   CCE-385    appropriate.                enabled/disabled

                        Auditing of "Object
                        Access: Filtering Platform
                        Packet Drop" events on
                        failure should be enabled
CCE-4335-6   CCE-589    or disabled as appropriate. enabled/disabled
                        Auditing of "Object
                        Access: Handle
                        Manipulation" events on
                        success should be
                        enabled or disabled as
CCE-4828-0   CCE-1363   appropriate.                enabled/disabled

                        Auditing of "Object
                        Access: Handle
                        Manipulation" events on
                        failure should be enabled
CCE-4965-0   CCE-1244   or disabled as appropriate. enabled/disabled
                        Auditing of "Object
                        Access: Kernel Object"
                        events on success should
                        be enabled or disabled as
CCE-4996-5   CCE-1288   appropriate.                enabled/disabled
                        Auditing of "Object
                        Access: Kernel Object"
                        events on failure should be
                        enabled or disabled as
CCE-4885-0   CCE-1305   appropriate.                enabled/disabled
                        Auditing of "Object
                        Access: Other Object
                        Access Events" events on
                        success should be
                        enabled or disabled as
CCE-5132-6   CCE-642    appropriate.                enabled/disabled

                        Auditing of "Object
                        Access: Other Object
                        Access Events" events on
                        failure should be enabled
CCE-4691-2   CCE-1026   or disabled as appropriate.   enabled/disabled
                        Auditing of "Object
                        Access: Registry" events
                        on success should be
                        enabled or disabled as
CCE-4594-8   CCE-1138   appropriate.                  enabled/disabled
                        Auditing of "Object
                        Access: Registry" events
                        on failure should be
                        enabled or disabled as
CCE-5087-2   CCE-1283   appropriate.                  enabled/disabled
                        Auditing of "Object
                        Access: SAM" events on
                        success should be
                        enabled or disabled as
CCE-4616-9   CCE-446    appropriate.                  enabled/disabled

                        Auditing of "Object
                        Access: SAM" events on
                        failure should be enabled
CCE-4982-5   CCE-451    or disabled as appropriate. enabled/disabled
                        Auditing of "Policy
                        Change: Audit Policy
                        Change" events on
                        success should be
                        enabled or disabled as
CCE-4201-0   CCE-1110   appropriate.                enabled/disabled

                        Auditing of "Policy
                        Change: Audit Policy
                        Change" events on failure
                        should be enabled or
CCE-5137-5   CCE-991    disabled as appropriate.      enabled/disabled
                        Auditing of "Policy
                        Change: Authentication
                        Policy Change" events on
                        success should be
                        enabled or disabled as
CCE-4877-7   CCE-388    appropriate.               enabled/disabled

                        Auditing of "Policy
                        Change: Authentication
                        Policy Change" events on
                        failure should be enabled
CCE-4516-1   CCE-180    or disabled as appropriate. enabled/disabled
                        Auditing of "Policy
                        Change: Authorization
                        Policy Change" events on
                        success should be
                        enabled or disabled as
CCE-5172-2   CCE-187    appropriate.                enabled/disabled

                        Auditing of "Policy
                        Change: Authorization
                        Policy Change" events on
                        failure should be enabled
CCE-5058-3   CCE-448    or disabled as appropriate. enabled/disabled
                        Auditing of "Policy
                        Change: Filtering Platform
                        Policy Change" events on
                        success should be
                        enabled or disabled as
CCE-5177-1   CCE-1042   appropriate.                enabled/disabled

                        Auditing of "Policy
                        Change: Filtering Platform
                        Policy Change" events on
                        failure should be enabled
CCE-4939-5   CCE-1112   or disabled as appropriate. enabled/disabled
                        Auditing of "Policy
                        Change: MPSSVC Rule-
                        Level Policy Change"
                        events on success should
                        be enabled or disabled as
CCE-5181-3   CCE-203    appropriate.                enabled/disabled
                        Auditing of "Policy
                        Change: MPSSVC Rule-
                        Level Policy Change"
                        events on failure should be
                        enabled or disabled as
CCE-4204-4   CCE-879    appropriate.                enabled/disabled
                        Auditing of "Policy
                        Change: Other Policy
                        Change Events" events on
                        success should be
                        enabled or disabled as
CCE-4479-2   CCE-205    appropriate.             enabled/disabled

                        Auditing of "Policy
                        Change: Other Policy
                        Change Events" events on
                        failure should be enabled
CCE-4995-7   CCE-787    or disabled as appropriate. enabled/disabled

                        Auditing of "Privilege Use:
                        Non Sensitive Privilege
                        Use" events on success
                        should be enabled or
CCE-5114-4   CCE-391    disabled as appropriate.      enabled/disabled

                        Auditing of "Privilege Use:
                        Non Sensitive Privilege
                        Use" events on failure
                        should be enabled or
CCE-4990-8   CCE-404    disabled as appropriate.      enabled/disabled

                        Auditing of "Privilege Use:
                        Other Privilege Use
                        Events" events on success
                        should be enabled or
CCE-5131-8   CCE-1203   disabled as appropriate.      enabled/disabled
                        Auditing of "Privilege Use:
                        Privilege Use: Other
                        Privilege Use Events"
                        events on failure should be
                        enabled or disabled as
CCE-4205-1   CCE-406    appropriate.                  enabled/disabled
                        Auditing of "Privilege Use:
                        Sensitive Privilege Use"
                        events on success should
                        be enabled or disabled as
CCE-4300-0   CCE-488    appropriate.                  enabled/disabled
                        Auditing of "Privilege Use:
                        Sensitive Privilege Use"
                        events on failure should be
                        enabled or disabled as
CCE-4734-0   CCE-1258   appropriate.                  enabled/disabled

                        Auditing of "System: Ipsec
                        Driver" events on success
                        should be enabled or
CCE-4976-7   CCE-1177   disabled as appropriate.   enabled/disabled
                        Auditing of "System: Ipsec
                        Driver" events on failure
                        should be enabled or
CCE-4879-3   CCE-1314   disabled as appropriate.   enabled/disabled
                        Auditing of "System: Other
                        System Events" events on
                        success should be
                        enabled or disabled as
CCE-4998-1   CCE-1332   appropriate.               enabled/disabled

                        Auditing of "System: Other
                        System Events" events on
                        failure should be enabled
CCE-4883-5   CCE-337    or disabled as appropriate.   enabled/disabled
                        Auditing of "System:
                        Security State Change"
                        events on success should
                        be enabled or disabled as
CCE-4535-1   CCE-1121   appropriate.                  enabled/disabled
                        Auditing of "System:
                        Security State Change"
                        events on failure should be
                        enabled or disabled as
CCE-5157-3   CCE-1139   appropriate.                  enabled/disabled
                        Auditing of "System:
                        Security System
                        Extension" events on
                        success should be
                        enabled or disabled as
CCE-5170-6   CCE-1270   appropriate.                  enabled/disabled

                        Auditing of "System:
                        Security System
                        Extension" events on
                        failure should be enabled
CCE-4910-6   CCE-1102   or disabled as appropriate. enabled/disabled
                        Auditing of "System:
                        System Integrity" events
                        on success should be
                        enabled or disabled as
CCE-5047-6   CCE-856    appropriate.                enabled/disabled
                        Auditing of "System:
                        System Integrity" events
                        on failure should be
                        enabled or disabled as
CCE-4822-3   CCE-336    appropriate.                enabled/disabled
                        User notifications when a
                        program is blocked from
                        receiving inbound
                        connections by Windows
                        Firewall should be enabled
                        or disabled as appropriate
CCE-4941-1   CCE-1047   for the Domain Profile.       yes/no/not configured


                        The "Log Dropped
                        Packets" option for the
                        Windows Firewall should
                        be configured correctly for
CCE-4597-1   CCE-325    the Private Profile.          (1) enabled/disabled




                        The "Log Successful
                        Connections" option for
                        the Windows Firewall
                        should be configured
                        correctly for the Private
CCE-4963-5   CCE-327    Profile.                      enabled/disabled




                        The log file path and name
                        for the Windows Firewall
                        should be configured
                        correctly for the Private
CCE-4206-9   CCE-999    Profile.                   (1) File path




                        The log file size limit for
                        the Windows Firewall
                        should be configured
                        correctly for the Private
CCE-4207-7   CCE-1091   Profile.                      (1) Size limit (KB)
                        The "Log Dropped
                        Packets" option for the
                        Windows Firewall should
                        be configured correctly for
CCE-4507-0   CCE-1165   the Public Profile.           (1) enabled/disabled




                        The "Log Successful
                        Connections" option for
                        the Windows Firewall
                        should be configured
                        correctly for the Public
CCE-5128-4   CCE-534    Profile.                      enabled/disabled




                        The log file path and name
                        for the Windows Firewall
                        should be configured
                        correctly for the Public
CCE-4639-1   CCE-1263   Profile.                   (1) File path




                        The log file size limit for
                        the Windows Firewall
                        should be configured
                        correctly for the Public
CCE-4278-8   CCE-1313   Profile.                      (1) Size limit (KB)
                        The ISATAP tunneling
                        protocol for IPv6 should be
                        enabled or disabled as
CCE-5146-6   CCE-1227   appropriate.                  enabled/disabled
                        The 6to4 tunneling
                        protocol for IPv6 should be
                        enabled or disabled as
CCE-5036-9   CCE-1036   appropriate.                  enabled/disabled
                        The Teredo tunneling
                        protocol for IPv6 should be
                        enabled or disabled as
CCE-4811-6   CCE-1148   appropriate.                  enabled/disabled
                        The "Turn off Help
                        Experience Improvement
                        Program" setting should
CCE-5239-9   CCE-174    be configured correctly.   enabled/disabled

                        The "Turn off Help
                        Ratings" setting should be
CCE-4851-2   CCE-1109   configured correctly.       enabled/disabled
                        The "Create Symbolic
                        Links" user right should be
                        assigned to the
CCE-4294-5   CCE-1176   appropriate accounts.       list of accounts
CCE Technical Mechanisms               NIST SCAP Windows Vista XCCDF (SCAP-WinVista-XCCDF.xml rev 2007-02-06)




(1) defined by Local or Group Policy   reset-account-lockout-counter




(1) defined by Local or Group Policy   account-lockout-duration




(1) defined by Local or Group Policy   account-lockout-threshold




(1) defined by Local or Group Policy   audit-account-logon-events




(1) defined by Local or Group Policy   audit-account-logon-events




(1) defined by Local or Group Policy   audit-account-management




(1) defined by Local or Group Policy   audit-account-management




(1) defined by Local or Group Policy   audit-directory-services-access




(1) defined by Local or Group Policy   audit-directory-services-access
(1) defined by Local or Group Policy   audit-logon-events




(1) defined by Local or Group Policy   audit-logon-events




(1) defined by Local or Group Policy   audit-object-access




(1) defined by Local or Group Policy   audit-object-access




(1) defined by Local or Group Policy   audit-policy-change




(1) defined by Local or Group Policy   audit-policy-change




(1) defined by Local or Group Policy   audit-privilege-use




(1) defined by Local or Group Policy   audit-privilege-use




(1) defined by Local or Group Policy   audit-process-tracking




(1) defined by Local or Group Policy   audit-process-tracking




(1) defined by Local or Group Policy   audit-system-events




(1) defined by Local or Group Policy   audit-system-events
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\RestrictGuestAccess (2) defined by Group Policy   Prevent-Guest-Application-Log-Access

(1) defined by the Windows Event Log (2) defined by Group Policy (3) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\MaxSize   Maximum-Application-Log-Size

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\Retention (2) defined by Group Policy   Retention-Method-For-Application-Log

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security\RestrictGuestAccess (2) defined by Group Policy   Prevent-Guest-Security-Log-Access

(1) defined by the Windows Event Log (2) defined by Group Policy (3) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security\MaxSize   Maximum-Security-Log-Size

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\Retention (2) defined by Group Policy   Retention-Method-For-Security-Log

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\RestrictGuestAccess (2) defined by Group Policy   Prevent-Guest-System-Log-Access

(1) defined by the Windows Event Log (2) defined by Group Policy (3) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\MaxSize   Maximum-System-Log-Size

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\Retention (2) defined by Group Policy   Retention-Method-For-System-Log




(1) defined by Local or Group Policy                            maximum-password-age



(1) defined by Local or Group Policy                            minimum-password-age




(1) defined by Local or Group Policy                            minimum-password-length




(1) defined by Local or Group Policy                            password-complexity
(1) defined by Local or Group Policy                            enforce-password-history




 (1) defined by Local or Group Policy                           reversible-password-encryption
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy   Do-not-allow-Windows-Messenger-to-be-run

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mnmsrvc\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy   Disable-remote-Desktop-Sharing

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymous (2) defined by Local or Group Policy   do-not-allow-anonymous-enumeration-sam-accounts-shares

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM (2) defined by Local or Group Policy   do-not-allow-anonymous-enumeration-sam

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AnonymousNameLookup (2) defined by Local or Group   Anonymous-SID-Name-Translation




(1) Local Users and Groups MMC                                  guest-account-status




 (1) Local Users and Groups MMC                                 administrator-account-status
(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption (2) defined by Local or Group Policy   message-title-users-attempting-logon

(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText (2) defined by Local or Group Policy   message-text-users-attempting-logon

(1) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon   enable-automatic-logon

(1) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun   Turn-off-Autoplay, no-drive-type-auto-run

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableICMPRedirect   enable-icmp-redirect

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DisableIPSourceRouting   disable-ip-source-routing

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\PerformRouterDiscovery   perform-router-discovery

(1) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DontDisplayLastUserName   do-not-display-last-user-name

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Lanmanserver\Parameters\Hidden   hide-system-from-browse-list

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableDeadGWDetect   enable-dead-gw-detect

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\KeepAliveTime   keep-alive-time

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netbt\Parameters\NoNameReleaseOnDemand   no-name-release-on-demand

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\SynAttackProtect   syn-attack-protect

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog\Security\WarningLevel   warning-level

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Session Manager\SafeDllSearchMode   safe-dll-search-mode



(1) defined by Local or Group Policy                        rename-administrator



 (1) defined by Local or Group Policy                       rename-guest
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\AutoDisconnect (2) defined by Local or Group Policy   amount-of-idle-time-required-before-suspending-session

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\AuditBaseObjects (2) defined by Local or Group Policy   audit-access-global-system-objects

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\FullPrivilegeAuditing (2) defined by Local or Group Policy   audit-use-backup-restore-privilege

(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD (2) defined by Local or Group Policy   do-not-require-ctrlaltdel

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers\AddPrinterDrivers (2) defined by Local or Group Policy   prevent-users-installing-printers

(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateCDRoms (2) defined by Local or Group Policy   restrict-cdrom-access-local-users-only

(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateFloppies (2) defined by Local or Group Policy   restrict-floppy-access-local-users-only

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireStrongKey (2) defined by Local or Group Policy   require-strong-session-key

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnablePlainTextPassword (2) defined by Local or Group Policy   send-unencrypted-password-to-third-party-smb-servers

(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\PasswordExpiryWarning (2) defined by Local or Group Policy   prompt-user-to-change-password-before-expiration

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\CrashOnAuditFail (2) defined by Local or Group Policy   shutdown-system-unable-log-audits

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\RequireSecuritySignature (2) defined by Local or Group Policy   digitally-sign-communications-client-always

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnableSecuritySignature (2) defined by Local or Group Policy   digitally-sign-communications-client-server-agrees

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature (2) defined by Local or Group Policy   digitally-sign-communications-server-always

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature (2) defined by Local or Group Policy   digitally-sign-communications-server-client-agrees

(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount (2) defined by Local or Group Policy   number-of-previous-logons-to-cache

(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateDASD (2) defined by Local or Group Policy   allow-format-eject-removable-media

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal (2) defined by Local or Group Policy   digitally-encrypt-or-sign-secure-channel-data-always

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SealSecureChannel (2) defined by Local or Group Policy   digitally-encrypt-secure-channel-data-when-possible

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SignSecureChannel (2) defined by Local or Group Policy   digitally-sign-secure-channel-data-when-possible

(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ScRemoveOption (2) defined by Local or Group Policy   smart-card-removal-behaviour

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange (2) defined by Local or Group Policy   disable-machine-account-password-changes

 (1)
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\
Lsa\LimitBlankPasswordUse (2) defined by Local or Group
Policy                                                     limit-blank-password-use
 (1)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curre
ntVersion\Policies\System\UndockWithoutLogon (2) defined
by Local or Group Policy                                   allow-undock-no-logon
 (1)
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services
\Netlogon\Parameters\MaximumPasswordAge (2) defined by
Local or Group Policy                                         maximum-machine-account-password-age



 (1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
NT\CurrentVersion\Winlogon\ForceUnlockLogon (2) defined       require-domain-controller-authentication-to-
by Local or Group Policy                                      unlock
 (1)
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services
\LanManServer\Parameters\EnableForcedLogoff (2) defined
by Local or Group Policy                                      disconnect-client-when-logon-hours-expire

 (1)
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\          do-not-allow-storage-credentials-net-
Lsa\DisableDomainCreds (2) defined by Local or Group Policy   passports-network-authn

 (1)
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\
Lsa\EveryoneIncludesAnonymous (2) defined by Local or         let-everyone-permissions-apply-to-
Group Policy                                                  anonymous-users
 (1)
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services
\LanManServer\Parameters\NullSessionPipes (2) defined by
Local or Group Policy                                         named-pipes-accessed-anonymously
 (1)
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\          Remotely-accessible-registry-paths,
SecurePipeServers\Winreg\AllowedPathsHKLM (2) defined         Remotely-accessible-registry-paths-and-sub-
by Local or Group Policy                                      paths
 (1)
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services
\LanManServer\Parameters\NullSessionShares (2) defined by     Shares-that-can-be-accessed-anonymously --
Local or Group Policy                                         NOTE: COMMENTED OUT

 (1)
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\          Sharing-and-security-model-for-local-
Lsa\ForceGuest (2) defined by Local or Group Policy           accounts



 (1)
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\          Do-not-store-LAN-Manager-hash-value-on-
Lsa\NoLMHash (2) defined by Local or Group Policy             next-password-change




(1) defined by Local or Group Policy                          Force-logoff-when-logon-hours-expire



(1) HKEY_CURRENT_USER\Control
Panel\Desktop\ScreenSaveTimeOut                               screen-saver-grace-period
(1)
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windo   Always-prompt-client-for-password-upon-
ws NT\Terminal Services\fPromptForPassword             connection



(1)
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windo
ws NT\Terminal Services\fAllowToGetHelp                Solicited-Remote-Assistance



(1)
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windo
ws NT\Terminal Services\fAllowUnsolicited              Offer-Remote-Assistance



                                                       Configure-Automatic-Updates




                                                       Do-not-adjust-default-option-to-Install-
                                                       Updates-and-Shut-Down




                                                       Do-not-display-Install-Updates-and-Shut-
                                                       Down

                                                       No-auto-restart-for-scheduled-Automatic-
                                                       Updates-installations



                                                       Reschedule-Automatic-Updates-scheduled-
                                                       installations




                                                       MachineAccessRestrictions




                                                       MachineLaunchRestrictions
(1)
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\S
ystem\SCForceOption
                                                             Require-Smart-Card




                                                             Restrict-anonymous-access-to-Named-Pipes-
                                                             and-Shares




HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services         tcp-max-connect-response-
\Tcpip\Parameters\TcpMaxConnectResponseRetransmissions       retransmissions


HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services
\Tcpip\Parameters\TcpMaxDataRetransmissions                  tcp-max-data-retransmissions




HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\
FileSystem\NtfsDisable8dot3NameCreation                      ntfs-disable-8dot3-name-creation

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Wi
ndows NT\RPC\EnableAuthEpResolution                          RPC-Endpoint-Mapper-Client-Authentication

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Wi
ndows NT\RPC\RestrictRemoteClients                           Restrictions-for-Unauthenticated-RPC-clients
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic
es\SharedAccess\Parameters\FirewallPolicy\DomainProfile\En   Domain-Profile-Firewall-Protect-All-Network-
ableFirewall                                                 Connections, Domain-Profile-Firewall-State
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic
es\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Do   Domain-Profile-Firewall-Do-Not-Allow-
NotAllowExceptions                                           Exceptions
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic
es\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Au   Domain-Profile-Firewall-Allow-Local-Program-
thorizedApplications\AllowUserPrefMerge                      Exceptions



HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic
es\SharedAccess\Parameters\FirewallPolicy\DomainProfile\En   Domain-Profile-Firewall-Allow-Inbound-
abled                                                        Remote-Administration-Exception
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic
es\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Se    Domain-Profile-Firewall-Allow-Inbound-File-
rvices\FileAndPrint\Enabled                                   And-Printer-Sharing-Exception



HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic
es\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Se    Domain-Profile-Firewall-Allow-Inbound-
rvices\RemoteDesktop\Enabled                                  Remote-Desktop-Exceptions
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic
es\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Se    Domain-Profile-Firewall-Allow-Inbound-UPnP-
rvices\UPnPFramework\Enabled                                  Framework-Exceptions



HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic            Domain-Profile-Firewall-Prohibit-
es\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Di    Notifications, Domain-Profile-Display-
sableNotifications                                            Notification
(1)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic
es\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Lo
gging\LogDroppedPackets (2) Computer
Configuration\Administrative Templates\Network\Network
Connections\Windows Firewall\Domain Profile\Windows
Firewall: Allow Logging - Log Dropped Packets


(1)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic
es\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Lo
gging\LogFilePath (2) Computer Configuration\Administrative
Templates\Network\Network Connections\Windows
Firewall\Domain Profile\Windows Firewall: Allow Logging -
Log file path and name (3) Computer Configuration\Windows
Settings\Security Settings\Windows Firewall with Advanced
Security\Windows Firewall with Advanced Security\Windows
Firewall Properties\Domain Profile Tab\Logging\Name
(1)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic
es\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Lo
gging\LogFileSize (2) Computer Configuration\Administrative
Templates\Network\Network Connections\Windows
Firewall\Domain Profile\Windows Firewall: Allow Logging -
Size limit (KB)
(1)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic
es\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Lo
gging\LogSuccessfulConnections (2) Computer
Configuration\Administrative Templates\Network\Network
Connections\Windows Firewall\Domain Profile\Windows
Firewall: Allow Logging - Log successful connections
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic            Domain-Profile-Firewall-Prohibit-Unicast-
es\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Di    Response, Domain-Profile-Allow-Unicast-
sableUnicastResponsesToMulticastBroadcast                     Response
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic
es\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Gl    Domain-Profile-Firewall-Define-Inbound-Port-
oballyOpenPorts                                               Exceptions
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic
es\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Gl    Domain-Profile-Firewall-Allow-Local-Port-
oballyOpenPorts\AllowUserPrefMerge                            Exceptions
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic
es\SharedAccess\Parameters\FirewallPolicy\StandardProfile\E   Standard-Profile-Firewall-Protect-All-Network-
nableFirewall                                                 Connections
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic
es\SharedAccess\Parameters\FirewallPolicy\StandardProfile\D   Standard-Profile-Firewall-Do-Not-Allow-
oNotAllowExceptions                                           Exceptions
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic
es\SharedAccess\Parameters\FirewallPolicy\StandardProfile\A   Standard-Profile-Firewall-Define-Inbound-
uthorizedApplications\AllowUserPrefMerge                      Program-Exceptions
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic
es\SharedAccess\Parameters\FirewallPolicy\StandardProfile\S   Standard-Profile-Firewall-Allow-Inbound-
ervices\RemoteDesktop                                         Remote-Administration-Exception

                                                              Standard-Profile-Firewall-Allow-Inbound-File-
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic            And-Printer-Sharing-Exception,Standard-
es\SharedAccess\Parameters\FirewallPolicy\StandardProfile\S   Profile-Firewall-Allow-Inbound-File-And-
ervices\RemoteDesktop\Enabled                                 Printer-Sharing-Exceptions
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic
es\SharedAccess\Parameters\FirewallPolicy\StandardProfile\S   Standard-Profile-Firewall-Allow-Inbound-
ervices\RemoteDesktop\Enabled                                 Remote-Desktop-Exceptions
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic
es\SharedAccess\Parameters\FirewallPolicy\StandardProfile\S   Standard-Profile-Firewall-Allow-Inbound-
ervices\UPnPFramework\Enabled                                 UPnP-Framework-Exceptions



HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic
es\SharedAccess\Parameters\FirewallPolicy\StandardProfile\D   Standard-Profile-Firewall-Prohibit-
isableNotifications                                           Notifications




HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic
es\SharedAccess\Parameters\FirewallPolicy\StandardProfile\D   Standard-Profile-Firewall-Prohibit-Unicast-
isableUnicastResponsesToMulticastBroadcast                    Response
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic
es\SharedAccess\Parameters\FirewallPolicy\StandardProfile\    Standard-Profile-Firewall-Define-Inbound-
GloballyOpenPorts                                             Port-Exceptions
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic
es\SharedAccess\Parameters\FirewallPolicy\StandardProfile\    Standard-Profile-Firewall-Allow-Local-Port-
GloballyOpenPorts\AllowUserPrefMerge                          Exceptions
(1)Computer Configuration\Windows Settings\Security
Settings\Windows Firewall with Advanced Security\Windows
Firewall Properties\Domain Profile\Inbound Connections
Tab\(2)HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Micro
soft\WindowsFirewall\DomainProfile\DefaultInboundAction    Domain-Profile-Inbound-Connections
(1)Computer Configuration\Windows Settings\Security
Settings\Windows Firewall with Advanced Security\Windows
Firewall Properties\Domain Profile
(2)HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\
WindowsFirewall\DomainProfile\DefaultOutboundAction        Domain-Profile-Outbound-Connections

(1)Computer Configuration\Windows Settings\Security
Settings\Windows Firewall with Advanced Security\Windows
Firewall Properties\Domain Profile\Customized Settings
(2)HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\         Domain-Profile-Apply-Local-Firewall-
WindowsFirewall\DomainProfile\AllowLocalPolicyMerge        Rules


(1)Computer Configuration\Windows Settings\Security
Settings\Windows Firewall with Advanced Security\Windows
Firewall Properties\Domain Profile\Customized Settings
(2)HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\         Domain-Profile-Apply-Local-Connection-
WindowsFirewall\DomainProfile\AllowLocalIPsecPolicyMerge   Security-Rules
(1)Computer Configuration\Windows Settings\Security
Settings\Windows Firewall with Advanced Security\Windows
Firewall Properties\Private Profile
(2)HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\
WindowsFirewall\PrivateProfile\EnableFirewall              Private-Profile-Firewall-State
(1)Computer Configuration\Windows Settings\Security
Settings\Windows Firewall with Advanced Security\Windows
Firewall Properties\Private Profile
(2)HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\
WindowsFirewall\PrivateProfile\DefaultInboundAction        Private-Profile-Inbound-Connections
(1)Computer Configuration\Windows Settings\Security
Settings\Windows Firewall with Advanced Security\Windows
Firewall Properties\Private Profile
(2)HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\
WindowsFirewall\PrivateProfile\DefaultOutboundAction       Private-Profile-Outbound-Connections



(1)Computer Configuration\Windows Settings\Security
Settings\Windows Firewall with Advanced Security\Windows
Firewall Properties\Private Profile\Customized Settings
(2)HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\
WindowsFirewall\PrivateProfile\DisableNotifications        Private-Profile-Display-Notification
(1)Computer Configuration\Windows Settings\Security
Settings\Windows Firewall with Advanced Security\Windows
Firewall Properties\Private Profile\Customized Settings
(2)HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\
WindowsFirewall\PrivateProfile\DisableUnicastResponsesToM
ulticastBroadcast                                           Private-Profile-Allow-Unicast-Response

(1)Computer Configuration\Windows Settings\Security
Settings\Windows Firewall with Advanced Security\Windows
Firewall Properties\Private Profile\Customized Settings
(2)HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\
WindowsFirewall\PrivateProfile\AllowLocalPolicyMerge        Private-Profile-Apply-Local-Firewall-Rules


(1)Computer Configuration\Windows Settings\Security
Settings\Windows Firewall with Advanced Security\Windows
Firewall Properties\Private Profile\Customized Settings
(2)HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\          Private-Profile-Apply-Local-Connection-
WindowsFirewall\PrivateProfile\AllowLocalIPsecPolicyMerge   Security-Rules
(1)Computer Configuration\Windows Settings\Security
Settings\Windows Firewall with Advanced Security\Windows
Firewall Properties\Public Profile
(2)HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\
WindowsFirewall\PublicProfile\EnableFirewall                Public-Profile-Firewall-State
(1)Computer Configuration\Windows Settings\Security
Settings\Windows Firewall with Advanced Security\Windows
Firewall Properties\Public Profile
(2)HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\
WindowsFirewall\PublicProfile\DefaultInboundAction          Public-Profile-Inbound-Connections

(1)Computer Configuration\Windows Settings\Security
Settings\Windows Firewall with Advanced Security\Windows
Firewall Properties\Public Profile\Customized Settings
(2)HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\
WindowsFirewall\PublicProfile\DefaultOutboundAction         Public-Profile-Outbound-Connections



(1)Computer Configuration\Windows Settings\Security
Settings\Windows Firewall with Advanced Security\Windows
Firewall Properties\Public Profile\Customized Settings
(2)HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\
WindowsFirewall\PublicProfile\DisableNotifications          Public-Profile-Display-Notification

(1)Computer Configuration\Windows Settings\Security
Settings\Windows Firewall with Advanced Security\Windows
Firewall Properties\Public Profile\Customized Settings
(2)HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\
WindowsFirewall\PublicProfile\DisableUnicastResponsesToM
ulticastBroadcast                                           Public-Profile-Allow-Unicast-Response
(1)Computer Configuration\Windows Settings\Security
Settings\Windows Firewall with Advanced Security\Windows
Firewall Properties\Public Profile\Customized Settings
(2)HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\
WindowsFirewall\PublicProfile\AllowLocalPolicyMerge          Public-Profile-Apply-Local-Firewall-Rules


(1)Computer Configuration\Windows Settings\Security
Settings\Windows Firewall with Advanced Security\Windows
Firewall Properties\Public Profile\Customized Settings
(2)HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\           Public-Profile-Apply-Local-Connection-
WindowsFirewall\PublicProfile\AllowLocalIPsecPolicyMerge     Security-Rules

(1) Computer Configuration\Administrative
Templates\System\Logon
(2)HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
\CurrentVersion\Policies\Explorer\DisableLocalMachineRun     Do-Not-Process-Legacy-Run-List
(1) Computer Configuration\Administrative
Templates\System\Logon
(2)HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
\CurrentVersion\Policies\Explorer\DisableLocalMachineRunOn
ce                                                           Do-Not-Process-Run-Once-List
(1) Computer Configuration\Administrative
Templates\System\Group Policy
(2)HKLM\Software\Policies\Microsoft\Windows\Group
Policy\{35378EAC-683F-11D2-A89A-
00C04FBBCFA2}!NoBackgroundPolicy,
HKLM\Software\Policies\Microsoft\Windows\Group
Policy\{35378EAC-683F-11D2-A89A-
00C04FBBCFA2}!NoGPOListChanges                               Registry-Policy-Processing
(1) Computer Configuration\Administrative
Templates\System\Internet Communication Settings
(2)HKLM\Software\Microsoft\Windows\CurrentVersion\Policies   Turn-off-Internet-download-for-Web-
\Explorer!NoWebServices                                      publishing-and-online-ordering-wizards

(1) Computer Configuration\Administrative                    Turn-off-the-Windows-Messenger-
Templates\System\Internet Communication Settings             Customer-Experience-Improvement-
(2)HKLM\Software\Policies\Microsoft\Messenger\Client!CEIP    Program
(1) Computer Configuration\Administrative
Templates\System\Internet Communication Settings
(2)HKLM\Software\Policies\Microsoft\SearchCompanion!Disab    Turn-off-Search-Companion-content-file-
leContentFileUpdates                                         updates
(1) Computer Configuration\Administrative
Templates\System\Internet Communication Settings
(2)HKLM\Software\Policies\Microsoft\Windows
NT\Printers!DisableHTTPPrinting                              Turn-off-printing-over-HTTP
(1) Computer Configuration\Administrative
Templates\System\Internet Communication Settings
(2)HKLM\Software\Policies\Microsoft\Windows                  Turn-off-downloading-of-print-drivers-
NT\Printers!DisableWebPnPDownload                            over-HTTP
(1) Computer Configuration\Administrative
Templates\System\Internet Communication Settings
(2)HKLM\Software\Policies\Microsoft\Windows\DriverSearchin   Turn-off-Windows-Update-device-driver-
g!DontSearchWindowsUpdate                                    searching
(1) Computer Configuration\Administrative
Templates\System\Credential User Interface
(2)HKCU\Software\Microsoft\Windows\CurrentVersion\Policies   Enumerate-administrator-accounts-on-
\CredUI\EnumerateAdministrators                              elevation
(1) Computer Configuration\Administrative
Templates\System\Credential User Interface
(2)HKCU\Software\Microsoft\Windows\CurrentVersion\Policies
\CredUI\EnableSecureCredentialPrompting                      Require-trusted-path-for-credential-entry
(1) Computer Configuration\Administrative
Templates\Windows Components\Internet Explorer\Security
Features\Add-on Management
(2)HKLM\Software\Microsoft\Windows\CurrentVersion\Policies   Deny-all-add-ons-unless-specifically-
\Ext!RestrictToList                                          allowed-in-the-Add-on-List
(1) Computer Configuration\Administrative
Templates\Windows Components\Terminal Services\Remote
Desktop Connection
(2)HKLM\SOFTWARE\Policies\Microsoft\Windows
NT\DisablePasswordSaving                                     Do-not-allow-passwords-to-be-saved

(1) Computer Configuration\Administrative
Templates\Windows Components\Terminal
Services\Terminal Server\Device and Resource Redirection
(2)HKLM\SOFTWARE\Policies\Microsoft\Windows
NT\Terminal Services!fDisableCdm                             Do-not-allow-drive-redirection
(1) User Configuration\Administrative Templates\System
(2)HKEY_CURRENT_USER\Software\Microsoft\Windows\Cur
rentVersion\Policies\System\DisableRegistryTools
(1) User Configuration\Administrative
Templates\System\Power Management
(2)HKEY_CURRENT_USER\Software\Policies\Microsoft\Wind        Prompt-for-password-on-resume-from-
ows\System\Power\PromptPasswordOnResume                      hibernate-suspend
(1) User Configuration\Administrative
Templates\System\Attachment Manager
(2)HKEY_CURRENT_USER\Software\Microsoft\Windows\Cur          Do-not-preserve-zone-information-in-file-
rentVersion\Policies\Attachments\SaveZoneInformation         attachments

(1) User Configuration\Administrative
Templates\System\Attachment Manager
(2)HKEY_CURRENT_USER\Software\Microsoft\Windows\Cur          Hide-mechanisms-to-remove-zone-
rentVersion\Policies\Attachments\HideZoneInfoOnProperties    information
(1) User Configuration\Administrative
Templates\System\Attachment Manager
(2)HKEY_CURRENT_USER\Software\Microsoft\Windows\Cur          Notify-antivirus-programs-when-opening-
rentVersion\Policies\Attachments\ScanWithAntiVirus           attachments
(1) User Configuration\Administrative Templates\Windows
Components\Internet Explorer
(2)HKEY_CURRENT_USER\Software\Microsoft\Outlook
Express\BlockExeAttachments
(1) Computer Configuration\Windows Settings\Security
Settings\Local Policies\Security Options
(2)HKEY_LOCAL_MACHINE\System\Currentcontrolset\Contro
l\Lsa\SCENoApplyLegacyAuditPolicy                            override-audit-policy-settings


(2)HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Win
dows\EventLog\Setup\ChannelAccess                            Log-Access-For-Setup-Log


(2)HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Ser
vices\Eventlog\Application\Windows Search Service\Start      Windows-Search



(2)HKEY_LOCAL_MACHINE\Software\policies\Microsoft\Peer       Turn-Off-Microsoft-Peer-to-Peer-
net\Disabled                                                 Networking-Services



(2)HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Win        Prohibit-Access-of-the-Windows-
dows\WCN\UI\DisableWcnUi                                     Connect-Now-Wizards


(2)HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Win        Allow-remote-access-to-the-PnP-
dows\DeviceInstall\Settings\AllowRemoteRPC                   interface


                                                             Do-not-create-system-restore-
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windo         point-when-new-device-driver-
ws\DeviceInstall\Settings\DisableSystemRestore               installed



(2)HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Win        Do-not-send-Windows-Error-
dows\DeviceInstall\Settings\DisableSendGenericDriverNotFou   Report-when-generic-driver-is-
ndToWER                                                      installed-on-device


(2)HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Win        Turn-Off-Access-to-All-Windows-
dows\WindowsUpdate\DisableWindowsUpdateAccess                Update-Feature


(2)HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Syst       Turn-Off-Automatic-Root-
emCertificates\AuthRoot\DisableRootAutoUpdate                Certificates-Update


(2)HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Even       Turn-Off-Event-Views-Events.asp-
tViewer\MicrosoftEventVwrDisableLinks                        Links
(2)HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Win
dows\HandwritingErrorReports\PreventHandwritingErrorRepor   Turn-Off-Handwriting-Reconition-
ts                                                          Error-Reporting



(2)HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\PCH       Turn-Off-Help-and-Support-Center-
ealth\HelpSvc\Headlines                                     Did-you-Know-Content



(2)HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\PCH       Turn-Off-Help-and-Support-Center-
ealth\HelpSvc\MicrosoftKBSearchs                            Microsoft-Knowledge-Base-Search




                                                            Turn-Off-Internet-Connection-
(2)HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Win       Wizard-if-URL-Connection-is-
dows\Internet Connection Wizard\ExitOnMSICW                 Referring-to-Microsoft.com


(2)HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Cur        Turn-Off-Internet-File-Association-
rentVersion\Policies\Explorer\NoInternetOpenWith            Service



                                                            Turn-Off-Registration-if-URL-
(2)HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Win       Connection-is-Referring-to-
dows\Registration Wizard Control\NoRegistration             Microsoft.com


(2)HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Cur        Turn-Off-the-Order-Prints-Picture-
rentVersion\Policies\Explorer\NoOnlinePrintsWizard          Task

(2)[HKEY_LOCAL_MACHINE | HKEY_CURRENT_USER]
\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Expl    Turn-off-the-Publish-to-Web-task-
orer\NoPublishingWizard                                     for-files-and-folders



(2)HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Win       Turn-Off-Windows-Movies-Maker-
dowsMovieMaker\CodecDownload                                Automatic-Codec-Downloads


(2)HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Win       Turn-Off-Windows-Movie-Maker-
dowsMovieMaker\WebHelp                                      Online-Web-Links
                                                         Turn-Off-Windows-Movie-Maker-
(2)HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Win    Saving-to-Online-Video-Hosting-
dowsMovieMaker\WebPublish                                Provider



(2)HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Cur     Do-Not-Display-the-Getting-
rentVersion\Policies\Explorer\NoWelcomeScreen            Started-Welcome-Screen-at-Logon


(2)HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Cur
rentVersion\Policies\System\DisableStartupSound          Turn-off-Windows-Startup-Sound


(2)HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Pow
er\PowerSettings\0e796bdb-100d-47d6-a2d5-                Require-a-Password-when-a-
f7d2daa51f51\DCSettingIndex                              Computer-Wakes-On-Battery


(2)HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Pow
er\PowerSettings\0e796bdb-100d-47d6-a2d5-                Require-a-Password-when-a-
f7d2daa51f51\ACSettingIndex                              Computer-Wakes-Plugged


(2)HKEY_LOCAL_MACHINE\Software\policies\Microsoft\Wind   Allow-only-Vista-or-later-
ows NT\Terminal Services\CreateEncryptedOnlyTickets      connections


(2)HKEY_LOCAL_MACHINE\Software\policies\Microsoft\Wind
ows NT\Terminal Services\UseCustomMessages               Customization-Warning-Messages


(2)HKEY_LOCAL_MACHINE\Software\policies\Microsoft\Wind
ows NT\Terminal Services\UseBandwidthOptimization        Turn-on-bandwidth-optimization

(2)HKEY_LOCAL_MACHINE\Software\policies\Microsoft\Wind
ows NT\Terminal Services\LoggingEnabled                  Turn-on-session-logging


(2)HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Win
dows NT\IIS\PreventIISInstall                            Prevent-IIS-Installation

(2)HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Assi
stance\Client\1.0\NoActiveHelp                           Turn-Off-Active-Help

(2)HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Assi
stance\Client\1.0\NoUntrustedContent                     Turn-Off-Untrusted-Content
(2)HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Inter
net Explorer\Feeds\DisableEnclosureDownload                   Turn-off-downloading-enclosures

(2) HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search\AllowIndexingEncryptedStoresOrItems    Allow-indexing-of-encrypted-files

(2) HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search\PreventIndexingUncachedExchangeFolders    Prevent-indexing-uncached-Exchange-folders

(2) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Windows\TurnOffWinCal    Turn-off-Windows-Calendar

(2) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SQMClient\CorporateSQMURL    Allow-Corporate-Redirection-Customer-Experience-Improvement-Program-Uploads

(2) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\DisableAntiSpyware    Turn-off-Windows-Defender

(2) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Explorer\NoHeapTerminationOnCorruption    Turn-off-heap-termination-corruption

(2) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\PreXPSP2ShellProtocolBehavior    Turn-off-shell-protocol-protected-mode



(2) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer\DisableLUAPatching    Prohibit-Non-Administrators-applying-vendorpatches

(2) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ReportControllerMissing    Report-logon-server-not-available-during-user-logon

(2) HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Mail\DisableCommunities    Turn-off-communication-features

(2) HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Mail\ManualLaunchAllowed    Turn-off-windows-mail-app

(2) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WMDRM\DisableOnline    Prevent-Windows-Media-DRM-Internet-Access

(2) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Windows Collaboration\TurnOffWindowsCollaboration    Turn-off-windows-meeting-space

(2) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Windows Collaboration\TurnOnWindowsCollaborationAuditing    Turn-on-windows-meeting-space-auditing



(2) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Windows\Sidebar\TurnOffUnsignedGadgets    Disable-unpacking-installation-gadgets-not-digitally-signed

(2) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Windows\Sidebar\OverrideMoreGadgetsLink    Override-more-gadgets-Lnk

(2) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Windows\Sidebar\TurnOffUserInstalledGadgets    Turn-off-user-installed-windows-sidebar-gidgets

Computer Configuration\Administrative Templates\Windows Components\Digital Locker    do_not_allow_digital_locker_to_run_var

Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Components\Game Explorer    turn_off_downloading_of_game_information

Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Outbound Rules    ipv6_block_protocols_41

Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Outbound Rules    ipv6_block_udp_3544
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnablePMTUDiscovery

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPSEC\NoDefaultExempt

GPO Setting: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Remotely accessible registry paths and subpaths

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\LMCompatibilityLevel (2) defined by Local or Group Policy

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP\LDAPClientIntegrity (2) defined by Local or Group Policy

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinClientSec (2) defined by Local or Group Policy

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinServerSec (2) defined by Local or Group Policy


(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SecurityLevel (2) defined by Local or Group Policy

(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SetCommand (2) defined by Local or Group Policy

(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ShutdownWithoutLogon (2) defined by Local or Group Policy

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown (2) defined by Local or Group Policy

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy (2) defined by Local or Group Policy

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel\ObCaseInsensitive (2) defined by Local or Group Policy

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\ProtectionMode (2) defined by Local or Group Policy


GPO Setting: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Admin Approval Mode for the Built-in Administrator account

GPO Setting: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode

GPO Setting: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Behavior of the elevation prompt for standard users

GPO Setting: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Detect application installations and prompt for elevation

GPO Setting: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Only elevate executables that are signed and validated

GPO Setting: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Only elevate UIAccess applications that are installed in secure locations

GPO Setting: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Run all administrators in Admin Approval Mode

GPO Setting: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Switch to the secure desktop when prompting for elevation

GPO Setting: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Virtualize file and registry write failures to per-user locations



(1) defined by the SeNetworkLogonRight setting in Local or Group Policy

(1) defined by the SeTcbPrivilege setting in Local or Group Policy

(1) defined by the SeIncreaseQuotaPrivilege setting in Local or Group Policy

(1) defined by the SeInteractiveLogonRight setting in Local or Group Policy

(1) defined by the SeRemoteInteractiveLogonRight setting in Local or Group Policy

(1) defined by the SeBackupPrivilege setting in Local or Group Policy

(1) defined by the SeChangeNotifyPrivilege setting in Local or Group Policy

(1) defined by the SeSystemTimePrivilege setting in Local or Group Policy

GPO Setting: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Change the time zone

(1) defined by the SeCreatePagefilePrivilege setting in Local or Group Policy

(1) defined by the SeCreateTokenPrivilege setting in Local or Group Policy

(1) defined by the SeCreatePermanentPrivilege setting in Local or Group Policy

(1) defined by the SeDebugPrivilege setting in Local or Group Policy

(1) defined by the SeDenyNetworkLogonRight setting in Local or Group Policy

(1) defined by the SeDenyBatchLogonRight setting in Local or Group Policy

(1) defined by the SeDenyServiceLogonRight setting in Local or Group Policy

(1) defined by the SeDenyInteractiveLogonRight setting in Local or Group Policy

(1) defined by the SeDenyRemoteInteractiveLogonRight setting in Local or Group Policy

(1) defined by the SeRemoteShutdownPrivilege setting in Local or Group Policy

(1) defined by the SeAuditPrivilege setting in Local or Group Policy




GPO Setting: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Increase a process working set

(1) defined by the SeIncreaseBasePriorityPrivilege setting in Local or Group Policy

(1) defined by the SeLoadDriverPrivilege setting in Local or Group Policy

(1) defined by the SeLockMemoryPrivilege setting in Local or Group Policy

(1) defined by the SeBatchLogonRight setting in Local or Group Policy

(1) defined by the SeServiceLogonRight setting in Local or Group Policy

(1) defined by the SeSecurityPrivilege setting in Local or Group Policy

GPO Setting: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Modify an object label
(1) defined by the SeSystemEnvironmentPrivilege setting in Local or Group Policy

(1) defined by the SeManageVolumePrivilege setting in Local or Group Policy

(1) defined by the SeProfileSingleProcessPrivilege setting in Local or Group Policy

(1) defined by the SeSystemProfilePrivilege setting in Local or Group Policy

(1) defined by the SeUndockPrivilege setting in Local or Group Policy

(1) defined by the SeAssignPrimaryTokenPrivilege setting in Local or Group Policy

(1) defined by the SeRestorePrivilege setting in Local or Group Policy

(1) defined by the SeShutdownPrivilege setting in Local or Group Policy

(1) defined by the SeSynchAgentPrivilege setting in Local or Group Policy

(1) defined by the SeTakeOwnershipPrivilege setting in Local or Group Policy

(1) defined by the object's DACL (2) defined through group policy
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION!(Reserved), HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION!explorer.exe, HKLM\Software\Policies\Microsoft\Internet,Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Features/Protection From Zone Elevation, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION\(Reserved), [HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION\explorer.exe, [HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION\iexplore.exe


GPO Setting: Computer Configuration\Administrative Templates\Network\Link-Layer Topology Discovery\Turn on Responder (RSPNDR) driver

(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Network Connections\NC_AllowNetBridge_NLA

GPO Setting: Computer Configuration\Administrative Templates\Network\Network Connections\Prohibit use of Internet Connection Firewall on your DNS domain network

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy

GPO Setting: Computer Configuration\Administrative Templates\Network\Windows Connect Now\Configuration of wireless settings using Windows Connect Now

GPO Setting: Computer Configuration\Administrative Templates\System\Group Policy\Internet Explorer Maintenance Policy Processing

(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\PCHealth\ErrorReporting\DoReport

(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\system\LogonType



GPO Setting: Computer Configuration\Administrative Templates\Windows Components\ActiveX Installer Service\Approved Installation Sites for ActiveX Controls

GPO Setting: Computer Configuration\Administrative Templates\Windows Components\Event Log Service\Setup\Maximum Log Size (KB)

(1) Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Terminal Server\Device and Resource Redirection (2) HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!fDisableCdm

(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\MinEncryptionLevel

(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\MaxDisconnectionTime

(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\MaxIdleTime




GPO Setting: Computer Configuration\Administrative Templates\Windows Components\Windows Defender\Configure Microsoft Spynet Reporting

GPO Setting: Computer Configuration\Administrative Templates\Windows Components\Windows Error Reporting\Disable Logging

GPO Setting: Computer Configuration\Administrative Templates\Windows Components\Windows Error Reporting\Disable Windows Error Reporting

GPO Settings: Computer Configuration\Administrative Templates\System\Error Reporting\Display Error Notification, Computer Configuration\Administrative Templates\Windows Components\Windows Error Reporting\Display Error Notification

GPO Setting: Computer Configuration\Administrative Templates\Windows Components\Windows Error Reporting\Do not send additional data

(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer\SafeForScripting\

(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer\EnableUserControl

GPO Setting: Computer Configuration\Administrative Templates\Windows Components\Windows Media Player\Do Not Show First Use Dialog Boxes

(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsMediaPlayer\DisableAutoupdate

GPO Setting: Computer Configuration\Administrative Templates\Windows Components\Windows Media Player\Prevent Desktop Shortcut Creation

(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Messenger\Client\PreventAutoRun

(1) HKEY_CURRENT_USER\Control Panel\Desktop\ScreenSaverIsSecure

GPO Setting: User Configuration\Administrative Templates\Windows Components\Network Sharing\Prevent users from sharing files within their profiles
(1) via auditpol




(1) via auditpol




(1) via auditpol




(1) via auditpol




(1) via auditpol




(1) via auditpol




(1) via auditpol
(1) via auditpol




(1) via auditpol




(1) via auditpol




(1) via auditpol




(1) via auditpol




(1) via auditpol




(1) via auditpol




(1) via auditpol
(1) via auditpol




(1) via auditpol




(1) via auditpol




(1) via auditpol




(1) via auditpol




(1) via auditpol




(1) via auditpol




(1) via auditpol




(1) via auditpol
(1) via auditpol




(1) via auditpol




(1) via auditpol




(1) via auditpol




(1) via auditpol




(1) via auditpol




(1) via auditpol




(1) via auditpol
(1) via auditpol




(1) via auditpol




(1) via auditpol




(1) via auditpol




(1) via auditpol




(1) via auditpol




(1) via auditpol




(1) via auditpol




(1) via auditpol
(1) via auditpol




(1) via auditpol




(1) via auditpol




(1) via auditpol




(1) via auditpol




(1) via auditpol




(1) via auditpol




(1) via auditpol




(1) via auditpol
(1) via auditpol




(1) via auditpol




(1) via auditpol




(1) via auditpol




(1) via auditpol




(1) via auditpol




(1) via auditpol




(1) via auditpol




(1) via auditpol
(1) via auditpol




(1) via auditpol




(1) via auditpol




(1) via auditpol




(1) via auditpol




(1) via auditpol




(1) via auditpol




(1) via auditpol




(1) via auditpol
(1) via auditpol




(1) via auditpol




(1) via auditpol




(1) via auditpol




(1) via auditpol




(1) via auditpol




(1) via auditpol




(1) via auditpol
(1) via auditpol




(1) via auditpol




(1) via auditpol




(1) via auditpol




(1) via auditpol




(1) via auditpol




(1) via auditpol




(1) via auditpol




(1) via auditpol
(1) via auditpol




(1) via auditpol




(1) via auditpol




(1) via auditpol




(1) via auditpol




(1) via auditpol




(1) via auditpol




(1) via auditpol




(1) via auditpol
GPO Setting: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Domain Profile Tab\Settings\Firewall settings\Display a notification

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PrivateProfile\Logging\LogDroppedPackets (2) Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Private Profile\Windows Firewall: Allow Logging - Log Dropped Packets

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PrivateProfile\Logging\LogSuccessfulConnections (2) Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Private Profile\Windows Firewall: Allow Logging - Log successful connections (3) Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Private Profile Tab\Logging\Logged successful connections


(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PrivateProfile\Logging\LogFilePath (2) Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Private Profile\Windows Firewall: Allow Logging - Log file path and name (3) Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Private Profile Tab\Logging\Name

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PrivateProfile\Logging\LogFileSize (2) Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Private Profile Tab\Logging\Size limit (KB)
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging\LogDroppedPackets (2) Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Public Profile\Windows Firewall: Allow Logging - Log Dropped Packets

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging\LogSuccessfulConnections (2) Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Public Profile\Windows Firewall: Allow Logging - Log successful connections (3) Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Public Profile Tab\Logging\Logged successful connections


(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging\LogFilePath (2) Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Public Profile\Windows Firewall: Allow Logging - Log file path and name (3) Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Public Profile Tab\Logging\Name

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging\LogFileSize (2) Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Public Profile Tab\Logging\Size limit (KB)

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tcpip6\Parameters\DisableComponents

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tcpip6\Parameters\DisableComponents

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tcpip6\Parameters\DisableComponents

GPO Setting: User Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off Help Experience Improvement Program

GPO Setting: User Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off Help Ratings

GPO Setting: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Create Symbolic Links
NIST SCAP Windows Vista OVAL (SCAP-WinVista-OVAL.xml rev 2007-02-06)    FDCC Windows Vista XCCDF (fdcc-accepted-content-20080110\fdcc-winvista-xccdf.xml)




oval:com.secure-elements.oval:def:6009   account_lockout_reset_counter



oval:com.secure-elements.oval:def:6007   account_lockout_duration



oval:com.secure-elements.oval:def:6008   account_lockout_threshold




oval:com.secure-elements.oval:def:6010   audit_account_logon_events



oval:com.secure-elements.oval:def:6010   audit_account_logon_events




oval:com.secure-elements.oval:def:6011   audit_account_management




oval:com.secure-elements.oval:def:6011   audit_account_management




oval:com.secure-elements.oval:def:6012   audit_directory_service_access




oval:com.secure-elements.oval:def:6012   audit_directory_service_access
oval:com.secure-elements.oval:def:6013   audit_logon_events



oval:com.secure-elements.oval:def:6013   audit_logon_events




oval:com.secure-elements.oval:def:6014   audit_object_access



oval:com.secure-elements.oval:def:6014   audit_object_access




oval:com.secure-elements.oval:def:6015   audit_policy_change



oval:com.secure-elements.oval:def:6015   audit_policy_change



oval:com.secure-elements.oval:def:6016   audit_privilege_use



oval:com.secure-elements.oval:def:6016   audit_privilege_use




oval:com.secure-elements.oval:def:6017   audit_process_tracking




oval:com.secure-elements.oval:def:6017   audit_process_tracking



oval:com.secure-elements.oval:def:6018   audit_system_events



oval:com.secure-elements.oval:def:6018   audit_system_events
oval:com.secure-elements.oval:def:6509



oval:com.secure-elements.oval:def:6506   maximum_application_log_size



oval:com.secure-elements.oval:def:6512



oval:com.secure-elements.oval:def:6511



oval:com.secure-elements.oval:def:6507   maximum_security_log_size



oval:com.secure-elements.oval:def:6513



oval:com.secure-elements.oval:def:6510



oval:com.secure-elements.oval:def:6508   maximum_system_log_size



oval:com.secure-elements.oval:def:6514



oval:com.secure-elements.oval:def:6002   password-maximum_age


oval:com.secure-elements.oval:def:6003   password-minimum-age



oval:com.secure-elements.oval:def:6006   password-minimum-length



oval:com.secure-elements.oval:def:6004   password_complexity
oval:com.secure-elements.oval:def:6001   password_enforce_history




oval:com.secure-elements.oval:def:6005   password_reversible_encryption



oval:com.secure-elements.oval:def:6601   do_not_allow_windows_messenger_to_be_run



oval:com.secure-elements.oval:def:6595   Disable-remote-Desktop-Sharing



oval:com.secure-elements.oval:def:6071   do-not-allow-anonymous-enumeration-sam-accounts-shares




oval:com.secure-elements.oval:def:6070   do-not-allow-anonymous-enumeration-sam



                                         anonymous_sid_name_translation



oval:com.secure-elements.oval:def:6020   guest-account-status



oval:com.secure-elements.oval:def:6019



oval:com.secure-elements.oval:def:6042   message-title-users-attempting-logon



oval:com.secure-elements.oval:def:6041   message-text-users-attempting-logon


oval:com.secure-elements.oval:def:6054   enable-automatic-logon
oval:com.secure-elements.oval:def:6574, oval:com.secure-elements.oval:def:6060    turn_off_autoplay


oval:com.secure-elements.oval:def:6057    enable-icmp-redirect


oval:com.secure-elements.oval:def:6055    disable-ip-source-routing


oval:com.secure-elements.oval:def:6063    perform-router-discovery


oval:com.secure-elements.oval:def:6039    do-not-display-last-user-name


oval:com.secure-elements.oval:def:6058    hide-system-from-browse-list


oval:com.secure-elements.oval:def:6056    enable-dead-gw-detect


oval:com.secure-elements.oval:def:6059    keep-alive-time



oval:com.secure-elements.oval:def:6061    no-name-release-on-demand


oval:com.secure-elements.oval:def:6066    syn-attack-protect


oval:com.secure-elements.oval:def:6069    warning-level


oval:com.secure-elements.oval:def:6064    safe-dll-search-mode


oval:com.secure-elements.oval:def:6022    rename-administrator


oval:com.secure-elements.oval:def:6023    rename-guest


oval:com.secure-elements.oval:def:6050    amount-of-idle-time-required-before-suspending-session



oval:com.secure-elements.oval:def:6024    audit-access-global-system-objects
oval:com.secure-elements.oval:def:6025   audit-use-backup-restore-privilege




oval:com.secure-elements.oval:def:6040   do-not-require-ctrlaltdel




oval:com.secure-elements.oval:def:6030   prevent-users-installing-printers




oval:com.secure-elements.oval:def:6031   restrict-cdrom-access-local-users-only




oval:com.secure-elements.oval:def:6032   restrict-floppy-access-local-users-only




oval:com.secure-elements.oval:def:6038   require-strong-session-key



oval:com.secure-elements.oval:def:6049   send-unencrypted-password-to-third-party-smb-servers

oval:com.secure-elements.oval:def:6044   prompt-user-to-change-password-before-expiration




oval:com.secure-elements.oval:def:6027   shutdown-system-unable-log-audits



oval:com.secure-elements.oval:def:6047   digitally-sign-communications-client-always


oval:com.secure-elements.oval:def:6048   digitally-sign-communications-client-server-agrees

oval:com.secure-elements.oval:def:6051   digitally-sign-communications-server-always

oval:com.secure-elements.oval:def:6052   digitally-sign-communications-server-client-agrees



oval:com.secure-elements.oval:def:6043   number-of-previous-logons-to-cache



oval:com.secure-elements.oval:def:6029   allow-format-eject-removable-media



oval:com.secure-elements.oval:def:6034   digitally-encrypt-or-sign-secure-channel-data-always

oval:com.secure-elements.oval:def:6033   digitally-encrypt-secure-channel-data-when-possible




oval:com.secure-elements.oval:def:6035   digitally-sign-secure-channel-data-when-possible



oval:com.secure-elements.oval:def:6046   smart-card-removal-behaviour




oval:com.secure-elements.oval:def:6036   disable-machine-account-password-changes




oval:com.secure-elements.oval:def:6021   limit-blank-password-use



oval:com.secure-elements.oval:def:6028   allow-undock-no-logon
oval:com.secure-elements.oval:def:6037   maximum_machine-account-password-age




oval:com.secure-elements.oval:def:6045   require-domain-controller-authentication-to-unlock



oval:com.secure-elements.oval:def:6053   disconnect-client-when-logon-hours-expire


oval:com.secure-elements.oval:def:6072   do-not-allow-storage-credentials-net-passports-network-authn

oval:com.secure-elements.oval:def:6073   let-everyone-permissions-apply-to-anonymous-users



oval:com.secure-elements.oval:def:6074   named-pipes-accessed-anonymously

oval:com.secure-elements.oval:def:6075, oval:com.secure-elements.oval:def:6076   Remotely-accessible-registry-paths



                                         Shares-that-can-be-accessed-anonymously



oval:com.secure-elements.oval:def:6079   Sharing-and-security-model-for-local-accounts



oval:com.secure-elements.oval:def:6080   Do-not-store-LAN-Manager-hash-value-on-next-password-change



oval:com.secure-elements.oval:def:6081   Force-logoff-when-logon-hours-expire



oval:com.secure-elements.oval:def:6065   screen_save_timeout
oval:com.secure-elements.oval:def:6599   Always-prompt-client-for-password-upon-connection




oval:com.secure-elements.oval:def:6564   solicited_remote_assistance




oval:com.secure-elements.oval:def:6563   offer_remote_assistance


oval:com.secure-elements.oval:def:6604




oval:com.secure-elements.oval:def:6603




oval:com.secure-elements.oval:def:6602


oval:com.secure-elements.oval:def:6605



oval:com.secure-elements.oval:def:6606




                                         MachineAccessRestrictions




                                         MachineLaunchRestrictions
oval:com.secure-elements.oval:def:6082




oval:com.secure-elements.oval:def:6077    Restrict-anonymous-access-to-Named-Pipes-and-Shares




oval:com.secure-elements.oval:def:6067    tcp-max-connect-response-retransmissions



oval:com.secure-elements.oval:def:6068    tcp-max-data-retransmissions




oval:com.secure-elements.oval:def:6062    ntfs-disable-8dot3-name-creation


oval:com.secure-elements.oval:def:6566    rpc_endpoint_mapper_client_authentication


oval:com.secure-elements.oval:def:6565    restrictions_for_unauthenticated_rpc_clients

oval:com.secure-elements.oval:def:6547, oval:com.secure-elements.oval:def:6515


oval:com.secure-elements.oval:def:6544


oval:com.secure-elements.oval:def:6541




oval:com.secure-elements.oval:def:6537
oval:com.secure-elements.oval:def:6536




oval:com.secure-elements.oval:def:6538


oval:com.secure-elements.oval:def:6539



oval:com.secure-elements.oval:def:6545, oval:com.secure-elements.oval:def:6518

oval:com.secure-elements.oval:def:6546, oval:com.secure-elements.oval:def:6519


oval:com.secure-elements.oval:def:6542


oval:com.secure-elements.oval:def:6540


oval:com.secure-elements.oval:def:6559


oval:com.secure-elements.oval:def:6556


oval:com.secure-elements.oval:def:6555


oval:com.secure-elements.oval:def:6549


oval:com.secure-elements.oval:def:6548, oval:com.secure-elements.oval:def:6553


oval:com.secure-elements.oval:def:6550


oval:com.secure-elements.oval:def:6551




oval:com.secure-elements.oval:def:6557




oval:com.secure-elements.oval:def:6558


oval:com.secure-elements.oval:def:6554


oval:com.secure-elements.oval:def:6552
oval:com.secure-elements.oval:def:6516




oval:com.secure-elements.oval:def:6517




oval:com.secure-elements.oval:def:6520




oval:com.secure-elements.oval:def:6521




oval:com.secure-elements.oval:def:6522




oval:com.secure-elements.oval:def:6523




oval:com.secure-elements.oval:def:6524




oval:com.secure-elements.oval:def:6525
oval:com.secure-elements.oval:def:6526




oval:com.secure-elements.oval:def:6527




oval:com.secure-elements.oval:def:6528




oval:com.secure-elements.oval:def:6529




oval:com.secure-elements.oval:def:6530




oval:com.secure-elements.oval:def:6531




oval:com.secure-elements.oval:def:6532




oval:com.secure-elements.oval:def:6533
oval:com.secure-elements.oval:def:6534




oval:com.secure-elements.oval:def:6535




oval:com.secure-elements.oval:def:6560




oval:com.secure-elements.oval:def:6561   do_not_process_run_once_list




oval:com.secure-elements.oval:def:6562


oval:com.secure-elements.oval:def:6568   Turn-off-Internet-download-for-Web-publishing-and-online-ordering-wizards

oval:com.secure-elements.oval:def:6569   Turn-off-the-Windows-Messenger-Customer-Experience-Improvement-Program



oval:com.secure-elements.oval:def:6570   Turn-off-Search-Companion-content-file-updates



oval:com.secure-elements.oval:def:6571   Turn-off-printing-over-HTTP



oval:com.secure-elements.oval:def:6572   turn_off_downloading_of_print_drivers_over_http
oval:com.secure-elements.oval:def:6573   Turn-off-Windows-Update-device-driver-searching



oval:com.secure-elements.oval:def:6575   enumerate_administrator_accounts_on_elevation



oval:com.secure-elements.oval:def:6576




oval:com.secure-elements.oval:def:6594




oval:com.secure-elements.oval:def:6596   Do-not-allow-passwords-to-be-saved




oval:com.secure-elements.oval:def:6598


oval:com.secure-elements.oval:def:6500


oval:com.secure-elements.oval:def:6714   prompt_for_password_on_resume_from_hibernate_suspend


oval:com.secure-elements.oval:def:6502   do_not_preserve_zone_information_in_file_attachments




oval:com.secure-elements.oval:def:6503   hide_mechanisms_to_remove_zone_information


oval:com.secure-elements.oval:def:6504   notify_antivirus_programs_when_opening_attachments



oval:com.secure-elements.oval:def:6505
oval:com.secure-elements.oval:def:6026   override-audit-policy-settings



oval:com.secure-elements.oval:def:6701



oval:com.secure-elements.oval:def:6148



oval:com.secure-elements.oval:def:6662   turn_off_microsoft_peer_to_peer_networking_services



oval:com.secure-elements.oval:def:6665   prohibit_access_of_the_windows_connect_now_wizards



oval:com.secure-elements.oval:def:6667   allow_remote_access_to_the_pnp_interface



oval:com.secure-elements.oval:def:6668   do_not_create_system_restore_point_when_new_device_driver_installed




oval:com.secure-elements.oval:def:6669   do_not_send_windows_error_report_when_generic_driver_is_installed_on_device



oval:com.secure-elements.oval:def:6673



oval:com.secure-elements.oval:def:6674   turn_off_automatic_root_certificates_update



oval:com.secure-elements.oval:def:6675   turn_off_event_views_events.asp_links
oval:com.secure-elements.oval:def:6676   turn_off_handwriting_reconition_error_reporting




oval:com.secure-elements.oval:def:6677




oval:com.secure-elements.oval:def:6678




oval:com.secure-elements.oval:def:6679   turn_off_internet_connection_wizard_if_url_connection_is_referring_to_microsoft.com



oval:com.secure-elements.oval:def:6680   Turn-Off-Internet-File-Association-Service




oval:com.secure-elements.oval:def:6681   Turn-Off-Registration-if-URL-Connection-is-Referring-to-Microsoft.com



oval:com.secure-elements.oval:def:6682   Turn-Off-the-Order-Prints-Picture-Task


oval:com.secure-elements.oval:def:6567   Turn-off-the-Publish-to-Web-task-for-files-and-folders



oval:com.secure-elements.oval:def:6696   Turn-Off-Windows-Movies-Maker-Automatic-Codec-Downloads


oval:com.secure-elements.oval:def:6684   Turn-Off-Windows-Movie-Maker-Online-Web-Links
oval:com.secure-elements.oval:def:6697   Turn-Off-Windows-Movie-Maker-Saving-to-Online-Video-Hosting-Provider



oval:com.secure-elements.oval:def:6687   Do-Not-Display-the-Getting-Started-Welcome-Screen-at-Logon



oval:com.secure-elements.oval:def:6688   Turn-off-Windows-Startup-Sound



oval:com.secure-elements.oval:def:6689   Require-a-Password-when-a-Computer-Wakes-On-Battery



oval:com.secure-elements.oval:def:6690   Require-a-Password-when-a-Computer-Wakes-Plugged



oval:com.secure-elements.oval:def:6691



oval:com.secure-elements.oval:def:6692



oval:com.secure-elements.oval:def:6693


oval:com.secure-elements.oval:def:6694   turn_on_session_logging



oval:com.secure-elements.oval:def:6107   Prevent-IIS-Installation


oval:com.secure-elements.oval:def:6108


oval:com.secure-elements.oval:def:6109   turn_off_untrusted_content
oval:com.secure-elements.oval:def:6110   turn_off_downloading_enclosures



oval:com.secure-elements.oval:def:6704   Allow-indexing-of-encrypted-files



oval:com.secure-elements.oval:def:6705   Prevent-indexing-uncached-Exchange-folders


oval:com.secure-elements.oval:def:6111




oval:com.secure-elements.oval:def:6112


oval:com.secure-elements.oval:def:6113




oval:com.secure-elements.oval:def:6118   turn_off_heap_termination_corruption



oval:com.secure-elements.oval:def:6119   turn_off_shell_protocol_protected_mode



oval:com.secure-elements.oval:def:6122   prohibit_non_administrators_install_signed_updates



oval:com.secure-elements.oval:def:6123   report_logon_server_not_available_during_user_logon



oval:com.secure-elements.oval:def:6124   turn_off_communities_features



oval:com.secure-elements.oval:def:6125   turn_off_windows_mail_app
oval:com.secure-elements.oval:def:6126      prevent_windows_media_drm_internet_access



oval:com.secure-elements.oval:def:6127      turn_off_windows_meeting_space



oval:com.secure-elements.oval:def:6128




oval:com.secure-elements.oval:def:6129      disable_unpacking_installation_gadgets_not_digitally_signed



oval:com.secure-elements.oval:def:6130      override_more_gadgets_lnk




oval:com.secure-elements.oval:def:6131      turn_off_user_installed_windows_sidebar_gidgets



oval:gov.nist.fdcc.vista:def:6698           do_not_allow_digital_locker_to_run




oval:gov.nist.fdcc.vista:def:6703           turn_off_downloading_of_game_information



oval:gov.nist.fdcc.vistafirewall:def:6491



oval:gov.nist.fdcc.vistafirewall:def:6492


                                            kerberos-enforce-user-logon-restrictions


                                            kerberos_maximum_lifetime_service_ticket
kerberos_maximum_lifetime_user_ticket


kerberos_maximum_lifetime_user_ticket_renewal


kerberos_maximum_tolerance_computer_clock_synchronization


allow-automatic-detection-mtu-size



enable-nodefaultexempt-IPSec-Filtering


Remotely-accessible-registry-paths-and-sub-paths



Lan-manager-authentication-level



LDAP-client-signing-requirements



minimum-session-security-ntlm-ssp-based-clients


minimum-session-security-ntlm-ssp-based-servers




recovery-console-allow-administrative-logon



recovery-console-allow-floppy-copy-access-all-drives-folders


shutdown-allow-system-shutdown-without-having-logon
shutdown-clear-virtual-memory-page




system-cryptography-use-fips-compliant-alorithm




system-objects-require-case-insesitivity


system-objects-strengthen-default-permissions-internal-system-objects




admin_approval_mode




behavior_elevation_prompt_administrators




behavior_elevation_prompt_standard_users




detect_application_installations_prompt_elevation




only_elevate_executables_signed_validated
only_elevate_uiaccess_applications




run_administrators_admin_approval_mode




switch_secure_desktop_prompting_elevation




virtualize_write_failures_per_user_locations




Access-Computer-From-Network-Administrators



Act-As-Part-Of-Operating-System-None



Adjust-Memory-Quotas-Administrators-LocalService-NetworkService


Allow-Log-On-Locally-Administrators-Users


Allow-Log-On-Through-Terminal-Services-Administrators-RemoteDesktopUsers



Back-Up-Files-And-Directories-Administrators
Bypass-Traverse-Checking-Administrators_Users_LocalService_NetworkService


Change-System-Time-LocalService-Administrators


Change-Time-Zone-Administrators_Users_LocalService



Create-Pagefile-Administrators



Create-Token-Object-None


Create-Global-Objects-Administrators-SERVICE-LocalService-NetworkService



Create-Permanent-Shared-Objects-None



Debug-Programs-None




Deny-Access-From-Network-Guests



Deny-Logon-As-Batch-Job-Guests



deny_logon_as_service_none



Deny-Logon-Locally-Guests
Deny-Logon-Through-Terminal-Services-Guest



Force-Shutdown-From-Remote-System-Administrators


Generate-Security-Audits-LocalService-NetworkService


Impersonate-Client-After-Authentication-Administrators-SERVICE-LocalService-NetworkService


Increase-Process-Working-Set-Administrators_LocalService



Increase-Scheduling-Priority-Administrators



Load-And-Unload-Device-Drivers-Administrators



Lock-Pages-In-Memory-None



Log-On-As-Batch-Job-None



Log-On-As-Service-None


Manage-Auditing-And-Security-Log-Administrators



Modify-Object-Label-None
Modify-Firmware-Environment-Values-Administrators


Perform-Volume-Maintenance-Tasks-Administrators



Profile-Single-Process-Administrators



Profile-System-Performance-Administrators



Remove-Computer-From-Docking-Station-Administrators-Users


Replace-Process-Level-Token-NetworkService-LocalService



Restore-Files-And-Directories-Administrators



Shut-Down-System-Administrators-Users




Synchronize-Directory-Service-Data-None




Take-Ownership-Of-Files-Administrators



wlan_autoconfig
turn_on_mapper_io_lltdio_driver




turn_on_responder_rspndr_driver




prohibit_installation_network_bridge




prohibit_internet_connection_firewall



prohibit_internet_connection_sharing




configuration_of_wireless_settings_using_windows_connect_now
internet_explorer_maintenance_policy_processing_enabled


turn_off_windows_error_reporting


Always-Use-Classic-Logon




approved_installation_sites_for_activex_controls


maximum_setup_log_size




Do-not-allow-drive-redirection




Set-client-connection-encryption-level




set_timelimit_for_disconnected_sessions


set_timelimit_for_active_but_idle_terminal_services_sessions




configure_ms_spynet_reporting
disable_logging



disable_windows_error_reporting




display_error_notification



do_not_send_additional_data

disable_ie_security_prompt_windows_installer_scripts



enable_user_control_over_installs




do_not_show_first_use_dialog_boxes



prevent_automatic_updates




prevent_desktop_shortcut_creation



do_not_automatically_start_windows_messenger_initially



password_protect_the_screen_saver


prevent_users_from_sharing_files_within_their_profile
application-group-management




application-group-management




computer-account-management




computer-account-management




distribution-group-management




distribution-group-management




other-account-management-events
other-account-management-events




security-group-management




security-group-management




user-account-management




user-account-management




dpapi-activity




dpapi-activity




process-creation
process-creation




process-termination




process-termination




rpc-events




rpc-events




detailed-directory-service-replication




detailed-directory-service-replication




directory-service-access




directory-service-access
directory-service-changes




directory-service-changes




directory-service-replication




directory-service-replication




account-lockout




account-lockout




ipsec-extended-mode




ipsec-extended-mode
ipsec-main-mode




ipsec-main-mode




ipsec-quick-mode




ipsec-quick-mode




logoff




logoff




logon




logon




other-logon-logoff-events
other-logon-logoff-events




special-logon




special-logon




application-generated




application-generated




certification-services




certification-services




file-share




file-share
file-system




file-system




filtering-platform-connection




filtering-platform-connection




filtering-platform-packet-drop




filtering-platform-packet-drop




handle-manipulation




handle-manipulation




kernel-object
kernel-object




other-object-access-events




other-object-access-events




registry




registry




sam




sam




policy_change_audit




policy_change_audit
authentication-policy-change




authentication-policy-change




authorization-policy-change




authorization-policy-change




filtering-platform-policy-change




filtering-platform-policy-change




mpssvc-rule-level-policy-change




mpssvc-rule-level-policy-change
other-policy-change-events




other-policy-change-events




non-sensitive-privilege-use




non-sensitive-privilege-use




other-privilege-use-events




other-privilege-use-events




sensitive-privilege-use




sensitive-privilege-use




ipsec-driver
ipsec-driver




other-system-events




other-system-events




security-state-change




security-state-change




security-system-extension




security-system-extension




system-integrity




system-integrity
disable_isatap_teredo_6to4_tunneling_protocols



disable_isatap_teredo_6to4_tunneling_protocols



disable_isatap_teredo_6to4_tunneling_protocols
turn_off_help_experience_improvement_program



turn_off_help_ratings



TBD
FDCC Windows Vista OVAL (fdcc-accepted-content-20080110\fdcc-winvista-oval.xml)
FDCC Windows Vista Firewall XCCDF (fdcc-accepted-content-20080110\fdcc-vistafirewall-xccdf.xml)




oval:gov.nist.fdcc.vista:def:6009



oval:gov.nist.fdcc.vista:def:6007



oval:gov.nist.fdcc.vista:def:6008




oval:gov.nist.fdcc.vista:def:27



oval:gov.nist.fdcc.vista:def:27




oval:gov.nist.fdcc.vista:def:29




oval:gov.nist.fdcc.vista:def:29




oval:gov.nist.fdcc.vista:def:30




oval:gov.nist.fdcc.vista:def:30
oval:gov.nist.fdcc.vista:def:32



oval:gov.nist.fdcc.vista:def:32




oval:gov.nist.fdcc.vista:def:34



oval:gov.nist.fdcc.vista:def:34




oval:gov.nist.fdcc.vista:def:35



oval:gov.nist.fdcc.vista:def:35



oval:gov.nist.fdcc.vista:def:36



oval:gov.nist.fdcc.vista:def:36




oval:gov.nist.fdcc.vista:def:40




oval:gov.nist.fdcc.vista:def:40



oval:gov.nist.fdcc.vista:def:37



oval:gov.nist.fdcc.vista:def:37
oval:gov.nist.fdcc.vista:def:197




oval:gov.nist.fdcc.vista:def:198




oval:gov.nist.fdcc.vista:def:199




oval:gov.nist.fdcc.vista:def:6002


oval:gov.nist.fdcc.vista:def:6003



oval:gov.nist.fdcc.vista:def:6006



oval:gov.nist.fdcc.vista:def:6004
oval:gov.nist.fdcc.vista:def:6001




oval:gov.nist.fdcc.vista:def:6005



oval:gov.nist.fdcc.vista:def:6601



oval:gov.nist.fdcc.vista:def:6595




oval:gov.nist.fdcc.vista:def:6071




oval:gov.nist.fdcc.vista:def:6070



oval:gov.nist.fdcc.vista:def:6106



oval:gov.nist.fdcc.vista:def:6020




oval:gov.nist.fdcc.vista:def:6042



oval:gov.nist.fdcc.vista:def:6041


oval:gov.nist.fdcc.vista:def:6054
oval:gov.nist.fdcc.vista:def:6574


oval:gov.nist.fdcc.vista:def:6057


oval:gov.nist.fdcc.vista:def:6055


oval:gov.nist.fdcc.vista:def:6063


oval:gov.nist.fdcc.vista:def:6039


oval:gov.nist.fdcc.vista:def:6058


oval:gov.nist.fdcc.vista:def:6056


oval:gov.nist.fdcc.vista:def:6059



oval:gov.nist.fdcc.vista:def:6061


oval:gov.nist.fdcc.vista:def:6066


oval:gov.nist.fdcc.vista:def:6069


oval:gov.nist.fdcc.vista:def:6064


oval:gov.nist.fdcc.vista:def:6022


oval:gov.nist.fdcc.vista:def:6023



oval:gov.nist.fdcc.vista:def:6050



oval:gov.nist.fdcc.vista:def:6024
oval:gov.nist.fdcc.vista:def:6025




oval:gov.nist.fdcc.vista:def:6040




oval:gov.nist.fdcc.vista:def:6030




oval:gov.nist.fdcc.vista:def:6031




oval:gov.nist.fdcc.vista:def:6032




oval:gov.nist.fdcc.vista:def:6038




oval:gov.nist.fdcc.vista:def:6049



oval:gov.nist.fdcc.vista:def:6044




oval:gov.nist.fdcc.vista:def:6027



oval:gov.nist.fdcc.vista:def:6047



oval:gov.nist.fdcc.vista:def:6048
oval:gov.nist.fdcc.vista:def:6051



oval:gov.nist.fdcc.vista:def:6052



oval:gov.nist.fdcc.vista:def:6043



oval:gov.nist.fdcc.vista:def:6029




oval:gov.nist.fdcc.vista:def:6034




oval:gov.nist.fdcc.vista:def:6033




oval:gov.nist.fdcc.vista:def:6035



oval:gov.nist.fdcc.vista:def:6046




oval:gov.nist.fdcc.vista:def:6036




oval:gov.nist.fdcc.vista:def:6021



oval:gov.nist.fdcc.vista:def:6028
oval:gov.nist.fdcc.vista:def:6037




oval:gov.nist.fdcc.vista:def:6045



oval:gov.nist.fdcc.vista:def:6053



oval:gov.nist.fdcc.vista:def:6072




oval:gov.nist.fdcc.vista:def:6073



oval:gov.nist.fdcc.vista:def:6074



oval:gov.nist.fdcc.vista:def:6075



oval:gov.nist.fdcc.vista:def:60771



oval:gov.nist.fdcc.vista:def:6079




oval:gov.nist.fdcc.vista:def:6080



oval:gov.nist.fdcc.vista:def:6081



oval:gov.nist.fdcc.vista:def:6708
oval:gov.nist.fdcc.vista:def:6599




oval:gov.nist.fdcc.vista:def:6564




oval:gov.nist.fdcc.vista:def:6563




oval:gov.nist.fdcc.vista:def:608243




oval:gov.nist.fdcc.vista:def:608244
oval:gov.nist.fdcc.vista:def:6077




oval:gov.nist.fdcc.vista:def:6067



oval:gov.nist.fdcc.vista:def:6068




oval:gov.nist.fdcc.vista:def:6062


oval:gov.nist.fdcc.vista:def:6566


oval:gov.nist.fdcc.vista:def:6565


                                    domain_profile_firewall_state
domain_profile_log_dropped_packets




domain_profile_name




domain_profile_size_limit




domain_profile_logged_successful_connections
domain_profile_allow_unicast_response
domain_profile_inbound_connections




domain_profile_outbound_connections




domain_profile_apply_local_firewall_rules




private_profile_firewall_state




private_profile_inbound_connections




private_profile_outbound_connections




private_profile_display_notification
private_profile_allow_unicast_response




private_profile_apply_local_firewall_rules




private_profile_apply_local_connection_security_rules




public_profile_firewall_state




public_profile_inbound_connections




public_profile_outbound_connections




public_profile_display_notification




public_profile_allow_unicast_response
                                    public_profile_apply_local_firewall_rules




                                    public_profile_apply_local_connection_security_rules




oval:gov.nist.fdcc.vista:def:6561




oval:gov.nist.fdcc.vista:def:6568



oval:gov.nist.fdcc.vista:def:6569



oval:gov.nist.fdcc.vista:def:6570



oval:gov.nist.fdcc.vista:def:6571



oval:gov.nist.fdcc.vista:def:6572
oval:gov.nist.fdcc.vista:def:6573



oval:gov.nist.fdcc.vista:def:6575




oval:gov.nist.fdcc.vista:def:6596




oval:gov.nist.fdcc.vista:def:6714



oval:gov.nist.fdcc.vista:def:6502




oval:gov.nist.fdcc.vista:def:6503



oval:gov.nist.fdcc.vista:def:6504
oval:gov.nist.fdcc.vista:def:6026




oval:gov.nist.fdcc.vista:def:6662




oval:gov.nist.fdcc.vista:def:6666



oval:gov.nist.fdcc.vista:def:6667




oval:gov.nist.fdcc.vista:def:6668




oval:gov.nist.fdcc.vista:def:6669




oval:gov.nist.fdcc.vista:def:6674



oval:gov.nist.fdcc.vista:def:6675
oval:gov.nist.fdcc.vista:def:6676




oval:gov.nist.fdcc.vista:def:6679



oval:gov.nist.fdcc.vista:def:6680




oval:gov.nist.fdcc.vista:def:6681



oval:gov.nist.fdcc.vista:def:6682



oval:gov.nist.fdcc.vista:def:6567




oval:gov.nist.fdcc.vista:def:6696



oval:gov.nist.fdcc.vista:def:6684
oval:gov.nist.fdcc.vista:def:6697




oval:gov.nist.fdcc.vista:def:6687



oval:gov.nist.fdcc.vista:def:6688




oval:gov.nist.fdcc.vista:def:6689




oval:gov.nist.fdcc.vista:def:6690




oval:gov.nist.fdcc.vista:def:6694



oval:gov.nist.fdcc.vista:def:6107




oval:gov.nist.fdcc.vista:def:6109
oval:gov.nist.fdcc.vista:def:6110



oval:gov.nist.fdcc.vista:def:6704



oval:gov.nist.fdcc.vista:def:6705




oval:gov.nist.fdcc.vista:def:6118



oval:gov.nist.fdcc.vista:def:6119




oval:gov.nist.fdcc.vista:def:6122




oval:gov.nist.fdcc.vista:def:6123



oval:gov.nist.fdcc.vista:def:6124



oval:gov.nist.fdcc.vista:def:6125
oval:gov.nist.fdcc.vista:def:6126



oval:gov.nist.fdcc.vista:def:6127




oval:gov.nist.fdcc.vista:def:6129



oval:gov.nist.fdcc.vista:def:6130




oval:gov.nist.fdcc.vista:def:6131



oval:gov.nist.fdcc.vista:def:6698




oval:gov.nist.fdcc.vista:def:6703



                                      ipv6_block_protocols_41



                                      ipv6_block_udp_3544


oval:gov.nist.fdcc.vista:def:987651


oval:gov.nist.fdcc.vista:def:987652
oval:gov.nist.fdcc.vista:def:987653


oval:gov.nist.fdcc.vista:def:987654



oval:gov.nist.fdcc.vista:def:987655


oval:gov.nist.fdcc.vista:def:407



oval:gov.nist.fdcc.vista:def:116



oval:gov.nist.fdcc.vista:def:6076



oval:gov.nist.fdcc.vista:def:6094



oval:gov.nist.fdcc.vista:def:6095



oval:gov.nist.fdcc.vista:def:6096



oval:gov.nist.fdcc.vista:def:6097




oval:gov.nist.fdcc.vista:def:6098




oval:gov.nist.fdcc.vista:def:6099



oval:gov.nist.fdcc.vista:def:6100
oval:gov.nist.fdcc.vista:def:6101




oval:gov.nist.fdcc.vista:def:6102




oval:gov.nist.fdcc.vista:def:6104



oval:gov.nist.fdcc.vista:def:6105




oval:gov.nist.fdcc.vista:def:8081




oval:gov.nist.fdcc.vista:def:8082




oval:gov.nist.fdcc.vista:def:8083




oval:gov.nist.fdcc.vista:def:8084




oval:gov.nist.fdcc.vista:def:8085
oval:gov.nist.fdcc.vista:def:8086




oval:gov.nist.fdcc.vista:def:8087




oval:gov.nist.fdcc.vista:def:8088




oval:gov.nist.fdcc.vista:def:8089




oval:gov.nist.fdcc.vista:def:6607



oval:gov.nist.fdcc.vista:def:6609




oval:gov.nist.fdcc.vista:def:6612


oval:gov.nist.fdcc.vista:def:6613



oval:gov.nist.fdcc.vista:def:6616



oval:gov.nist.fdcc.vista:def:6617
oval:gov.nist.fdcc.vista:def:6621



oval:gov.nist.fdcc.vista:def:6623



oval:gov.nist.fdcc.vista:def:662381



oval:gov.nist.fdcc.vista:def:6624



oval:gov.nist.fdcc.vista:def:6625



oval:gov.nist.fdcc.vista:def:6626



oval:gov.nist.fdcc.vista:def:6627



oval:gov.nist.fdcc.vista:def:6628




oval:gov.nist.fdcc.vista:def:6630



oval:gov.nist.fdcc.vista:def:6631



oval:gov.nist.fdcc.vista:def:6633



oval:gov.nist.fdcc.vista:def:6634
oval:gov.nist.fdcc.vista:def:6636




oval:gov.nist.fdcc.vista:def:6638



oval:gov.nist.fdcc.vista:def:6639




oval:gov.nist.fdcc.vista:def:6640



oval:gov.nist.fdcc.vista:def:662391



oval:gov.nist.fdcc.vista:def:6641



oval:gov.nist.fdcc.vista:def:6642



oval:gov.nist.fdcc.vista:def:6643



oval:gov.nist.fdcc.vista:def:6644



oval:gov.nist.fdcc.vista:def:6647



oval:gov.nist.fdcc.vista:def:6648



oval:gov.nist.fdcc.vista:def:662371
oval:gov.nist.fdcc.vista:def:6649



oval:gov.nist.fdcc.vista:def:6650



oval:gov.nist.fdcc.vista:def:6651



oval:gov.nist.fdcc.vista:def:6652




oval:gov.nist.fdcc.vista:def:6653



oval:gov.nist.fdcc.vista:def:6654



oval:gov.nist.fdcc.vista:def:6655



oval:gov.nist.fdcc.vista:def:6657




oval:gov.nist.fdcc.vista:def:6658




oval:gov.nist.fdcc.vista:def:6659



oval:gov.nist.fdcc.vista:def:61481
oval:gov.nist.fdcc.vista:def:6660




oval:gov.nist.fdcc.vista:def:6661




oval:gov.nist.fdcc.vista:def:3366991




oval:gov.nist.fdcc.vista:def:3366992



oval:gov.nist.fdcc.vista:def:3366993




oval:gov.nist.fdcc.vista:def:6665
oval:gov.nist.fdcc.vista:def:6671


oval:gov.nist.fdcc.vista:def:6683


oval:gov.nist.fdcc.vista:def:6686




oval:gov.nist.fdcc.vista:def:6695


oval:gov.nist.fdcc.vista:def:19898




oval:gov.nist.fdcc.vista:def:6598




oval:gov.nist.fdcc.vista:def:6600




oval:gov.nist.fdcc.vista:def:6726



oval:gov.nist.fdcc.vista:def:6725




oval:gov.nist.fdcc.vista:def:6727
oval:gov.nist.fdcc.vista:def:6114



oval:gov.nist.fdcc.vista:def:6115




oval:gov.nist.fdcc.vista:def:3366994



oval:gov.nist.fdcc.vista:def:6117


oval:gov.nist.fdcc.vista:def:6120



oval:gov.nist.fdcc.vista:def:6121




oval:gov.nist.fdcc.vista:def:612261221



oval:gov.nist.fdcc.vista:def:612261222




oval:gov.nist.fdcc.vista:def:612261223




oval:gov.nist.fdcc.vista:def:612261224



oval:gov.nist.fdcc.vista:def:6707



oval:gov.nist.fdcc.vista:def:6715
oval:gov.nist.fdcc.vista:def:8001




oval:gov.nist.fdcc.vista:def:8001




oval:gov.nist.fdcc.vista:def:8002




oval:gov.nist.fdcc.vista:def:8002




oval:gov.nist.fdcc.vista:def:8003




oval:gov.nist.fdcc.vista:def:8003




oval:gov.nist.fdcc.vista:def:8004
oval:gov.nist.fdcc.vista:def:8004




oval:gov.nist.fdcc.vista:def:8005




oval:gov.nist.fdcc.vista:def:8005




oval:gov.nist.fdcc.vista:def:8006




oval:gov.nist.fdcc.vista:def:8006




oval:gov.nist.fdcc.vista:def:8007




oval:gov.nist.fdcc.vista:def:8007




oval:gov.nist.fdcc.vista:def:8008
oval:gov.nist.fdcc.vista:def:8008




oval:gov.nist.fdcc.vista:def:8009




oval:gov.nist.fdcc.vista:def:8009




oval:gov.nist.fdcc.vista:def:8010




oval:gov.nist.fdcc.vista:def:8010




oval:gov.nist.fdcc.vista:def:8011




oval:gov.nist.fdcc.vista:def:8011




oval:gov.nist.fdcc.vista:def:8012




oval:gov.nist.fdcc.vista:def:8012
oval:gov.nist.fdcc.vista:def:8013




oval:gov.nist.fdcc.vista:def:8013




oval:gov.nist.fdcc.vista:def:8014




oval:gov.nist.fdcc.vista:def:8014




oval:gov.nist.fdcc.vista:def:8015




oval:gov.nist.fdcc.vista:def:8015




oval:gov.nist.fdcc.vista:def:8016




oval:gov.nist.fdcc.vista:def:8016
oval:gov.nist.fdcc.vista:def:8017




oval:gov.nist.fdcc.vista:def:8017




oval:gov.nist.fdcc.vista:def:8018




oval:gov.nist.fdcc.vista:def:8018




oval:gov.nist.fdcc.vista:def:8019




oval:gov.nist.fdcc.vista:def:8019




oval:gov.nist.fdcc.vista:def:8020




oval:gov.nist.fdcc.vista:def:8020




oval:gov.nist.fdcc.vista:def:8021
oval:gov.nist.fdcc.vista:def:8021




oval:gov.nist.fdcc.vista:def:8022




oval:gov.nist.fdcc.vista:def:8022




oval:gov.nist.fdcc.vista:def:8023




oval:gov.nist.fdcc.vista:def:8023




oval:gov.nist.fdcc.vista:def:8024




oval:gov.nist.fdcc.vista:def:8024




oval:gov.nist.fdcc.vista:def:8025




oval:gov.nist.fdcc.vista:def:8025
oval:gov.nist.fdcc.vista:def:8026




oval:gov.nist.fdcc.vista:def:8026




oval:gov.nist.fdcc.vista:def:8027




oval:gov.nist.fdcc.vista:def:8027




oval:gov.nist.fdcc.vista:def:8028




oval:gov.nist.fdcc.vista:def:8028




oval:gov.nist.fdcc.vista:def:8029




oval:gov.nist.fdcc.vista:def:8029




oval:gov.nist.fdcc.vista:def:8030
oval:gov.nist.fdcc.vista:def:8030




oval:gov.nist.fdcc.vista:def:8031




oval:gov.nist.fdcc.vista:def:8031




oval:gov.nist.fdcc.vista:def:8032




oval:gov.nist.fdcc.vista:def:8032




oval:gov.nist.fdcc.vista:def:8033




oval:gov.nist.fdcc.vista:def:8033




oval:gov.nist.fdcc.vista:def:8034




oval:gov.nist.fdcc.vista:def:8034
oval:gov.nist.fdcc.vista:def:8035




oval:gov.nist.fdcc.vista:def:8035




oval:gov.nist.fdcc.vista:def:8036




oval:gov.nist.fdcc.vista:def:8036




oval:gov.nist.fdcc.vista:def:8037




oval:gov.nist.fdcc.vista:def:8037




oval:gov.nist.fdcc.vista:def:8038




oval:gov.nist.fdcc.vista:def:8038
oval:gov.nist.fdcc.vista:def:8039




oval:gov.nist.fdcc.vista:def:8039




oval:gov.nist.fdcc.vista:def:8040




oval:gov.nist.fdcc.vista:def:8040




oval:gov.nist.fdcc.vista:def:8041




oval:gov.nist.fdcc.vista:def:8041




oval:gov.nist.fdcc.vista:def:8042




oval:gov.nist.fdcc.vista:def:8042




oval:gov.nist.fdcc.vista:def:8043
oval:gov.nist.fdcc.vista:def:8043




oval:gov.nist.fdcc.vista:def:8044




oval:gov.nist.fdcc.vista:def:8044




oval:gov.nist.fdcc.vista:def:8045




oval:gov.nist.fdcc.vista:def:8045




oval:gov.nist.fdcc.vista:def:8046




oval:gov.nist.fdcc.vista:def:8046




oval:gov.nist.fdcc.vista:def:8047




oval:gov.nist.fdcc.vista:def:8047
domain_profile_display_notification




private_profile_log_dropped_packets




private_profile_logged_successful_connections




private_profile_name




private_profile_size_limit
                                       public_profile_log_dropped_packets




                                       public_profile_logged_successful_connections




                                       public_profile_name




                                       public_profile_size_limit



oval:gov.nist.fdcc.vista:def:6566666



oval:gov.nist.fdcc.vista:def:6566666



oval:gov.nist.fdcc.vista:def:6566666
oval:gov.nist.fdcc.vista:def:8091



oval:gov.nist.fdcc.vista:def:8090



TBD
FDCC Windows Vista Firewall OVAL (fdcc-accepted-content-20080110\fdcc-vistafirewall-oval.xml)
oval:gov.nist.fdcc.vistafirewall:def:6515
oval:gov.nist.fdcc.vistafirewall:def:6401




oval:gov.nist.fdcc.vistafirewall:def:6403




oval:gov.nist.fdcc.vistafirewall:def:6404




oval:gov.nist.fdcc.vistafirewall:def:6402
oval:gov.nist.fdcc.vistafirewall:def:6519
oval:gov.nist.fdcc.vistafirewall:def:6516




oval:gov.nist.fdcc.vistafirewall:def:6517




oval:gov.nist.fdcc.vistafirewall:def:6520




oval:gov.nist.fdcc.vistafirewall:def:6522




oval:gov.nist.fdcc.vistafirewall:def:6523




oval:gov.nist.fdcc.vistafirewall:def:6524




oval:gov.nist.fdcc.vistafirewall:def:6525
oval:gov.nist.fdcc.vistafirewall:def:6526




oval:gov.nist.fdcc.vistafirewall:def:6527




oval:gov.nist.fdcc.vistafirewall:def:6528




oval:gov.nist.fdcc.vistafirewall:def:6529




oval:gov.nist.fdcc.vistafirewall:def:6530




oval:gov.nist.fdcc.vistafirewall:def:6531




oval:gov.nist.fdcc.vistafirewall:def:6532




oval:gov.nist.fdcc.vistafirewall:def:6533
oval:gov.nist.fdcc.vistafirewall:def:6534




oval:gov.nist.fdcc.vistafirewall:def:6535
oval:gov.nist.fdcc.vistafirewall:def:6491



oval:gov.nist.fdcc.vistafirewall:def:6492
oval:gov.nist.fdcc.vistafirewall:def:6518




oval:gov.nist.fdcc.vistafirewall:def:6411




oval:gov.nist.fdcc.vistafirewall:def:6412




oval:gov.nist.fdcc.vistafirewall:def:6413




oval:gov.nist.fdcc.vistafirewall:def:6414
oval:gov.nist.fdcc.vistafirewall:def:6421




oval:gov.nist.fdcc.vistafirewall:def:6422




oval:gov.nist.fdcc.vistafirewall:def:6423




oval:gov.nist.fdcc.vistafirewall:def:6424
CCE ID       Old v4 CCE Id   CCE Description   CCE Parameters

CCE-3062-7   CCE-898         The "deny access to this computer from the network" user right should be assigned to the correct accounts.   (1) set of accounts
CCE-3322-5   CCE-532         The "access this computer from the network" user right should be assigned to the correct accounts.   (1) set of accounts
CCE-3490-0   CCE-162         The "act as part of the operating system" user right should be assigned to the correct accounts.   (1) set of accounts
CCE-2869-6   CCE-931         The "back up files and directories" user right should be assigned to the correct accounts.   (1) set of accounts
CCE-3375-3   CCE-376         The "bypass traverse checking" user right should be assigned to the correct accounts.   (1) set of accounts
CCE-3397-7   CCE-799         The "change the system time" user right should be assigned to the correct accounts.   (1) set of accounts
CCE-3538-6   CCE-895         The "create a pagefile" user right should be assigned to the correct accounts.   (1) set of accounts
CCE-3498-3   CCE-926         The "Create a token object" user right should be assigned to the correct accounts.   (1) set of accounts
CCE-3269-8   CCE-335         The "create permanent shared objects" user right should be assigned to the correct accounts.   (1) set of accounts
CCE-2576-7   CCE-842         The "debug programs" user right should be assigned to the correct accounts.   (1) set of accounts
CCE-3359-7   CCE-754         The "force shutdown from a remote system" user right should be assigned to the correct accounts.   (1) set of accounts
CCE-3491-8   CCE-939         The "generate security audits" user right should be assigned to the correct accounts.   (1) set of accounts
CCE-3147-6   CCE-807         The "adjust memory quotas for a process" user right should be assigned to the correct accounts.   (1) set of accounts
CCE-3539-4   CCE-349         The "increase scheduling priority" user right should be assigned to the correct accounts.   (1) set of accounts
CCE-3293-8   CCE-860         The "load and unload device drivers" user right should be assigned to the correct accounts.   (1) set of accounts
CCE-2936-3   CCE-749         The "lock pages in memory" user right should be assigned to the correct accounts.   (1) set of accounts
CCE-3191-4   CCE-177         The "log on as a batch job" user right should be assigned to the correct accounts.   (1) set of accounts
CCE-3332-4   CCE-216         The "log on as a service" user right should be assigned to the correct accounts.   (1) set of accounts
CCE-3557-6   CCE-965         The "log on locally" user right should be assigned to the correct accounts.   (1) set of accounts
CCE-3575-8   CCE-850         The "manage auditing and security log" user right should be assigned to the correct accounts.   (1) set of accounts


                       The "modify firmware
                       environment values" user
                       right should be assigned to
CCE-3218-5   CCE-17    the correct accounts.       (1) set of accounts

                       The "profile single
                       process" user right should
                       be assigned to the correct
CCE-2861-3   CCE-260   accounts.                    (1) set of accounts

                       The "profile system
                       performance" user right
                       should be assigned to the
CCE-3002-3   CCE-599   correct accounts.            (1) set of accounts




                       The "remove computer
                       from docking station" user
                       right should be assigned to
CCE-2663-3   CCE-656   the correct accounts.       (1) set of accounts


                       The "replace a process-
                       level token" user right
                       should be assigned to the
CCE-3447-0   CCE-667   correct accounts.            (1) set of accounts
                       The "restore files and
                       directories" user right
                       should be assigned to the
CCE-3465-2   CCE-553   correct accounts.            (1) set of accounts




                       The "shut down the
                       system" user right should
                       be assigned to the correct
CCE-3346-4   CCE-839   accounts.                    (1) set of accounts




                       The "take ownership of
                       files or other objects" user
                       right should be assigned to
CCE-2848-0   CCE-492   the correct accounts.        (1) set of accounts


                       The "synchronize directory
                       service data" user right
                       should be assigned to the
CCE-3368-8   CCE-381   correct accounts.            (1) set of accounts

                       The "deny logon locally"
                       user right should be
                       assigned to the correct
CCE-3531-1   CCE-64    accounts.                    (1) set of accounts

                       The "enable computer and
                       user accounts to be
                       trusted for delegation"
                       user right should be
                       assigned to the correct
CCE-3473-6   CCE-15    accounts.                    (1) set of accounts

                       The "add workstations to
                       domain" user right should
                       be assigned to the correct
CCE-3354-8   CCE-183   accounts.                    (1) set of accounts
                        The "allow logon through
                        Terminal Services" user
                        right should be assigned to
CCE-3499-1   CCE-883    the correct accounts.       (1) set of accounts


                        The "deny logon as a
                        batch job" user right
                        should be assigned to the
CCE-2649-2   CCE-165    correct accounts.            (1) set of accounts
                        The "deny logon as a
                        service" user right should
                        be assigned to the correct
CCE-3543-6   CCE-597    accounts.                    (1) set of accounts



                        The "deny logon through
                        Terminal Services" user
                        right should be assigned to
CCE-3438-9   CCE-108    the correct accounts.       (1) set of accounts


                        The "perform volume
                        maintenance tasks" user
                        right should be assigned to
CCE-3319-1   CCE-314    the correct accounts.       (1) set of accounts

                        The "reset account lockout
                        counter after" policy
                        should meet minimum        (1) number of
CCE-3574-1   CCE-733    requirements.              minutes
                        The "account lockout
                        duration" policy should
                        meet minimum               (1) number of
CCE-2627-8   CCE-980    requirements.              minutes

                        The "account lockout
                        threshold" policy should
                        meet minimum                  (1) number of
CCE-3551-9   CCE-658    requirements.                attempts

                        Auditing of "account logon"
                        events on success should
                        be enabled or disabled as
CCE-3321-7   CCE-2628   appropriate.                enabled/disabled
                        Auditing of "account logon"
                        events on failure should be
                        enabled or disabled as
CCE-3467-8   CCE-2543   appropriate.                enabled/disabled
                        Auditing of "account
                        management" events on
                        success should be
                        enabled or disabled as
CCE-3427-2   CCE-2000   appropriate.                  enabled/disabled

                        Auditing of "account
                        management" events on
                        failure should be enabled
CCE-3449-6   CCE-1646   or disabled as appropriate.  enabled/disabled
                        Auditing of "directory
                        service access" events on
                        success should be
                        enabled or disabled as
CCE-2827-4   CCE-2118   appropriate.                 enabled/disabled

                        Auditing of "directory
                        service access" events on
                        failure should be enabled
CCE-3101-3   CCE-2390   or disabled as appropriate.  enabled/disabled
                        Auditing of "logon" events
                        on success should be
                        enabled or disabled as
CCE-3603-8   CCE-1686   appropriate.                 enabled/disabled
                        Auditing of "logon" events
                        on failure should be
                        enabled or disabled as
CCE-3391-0   CCE-1744   appropriate.                 enabled/disabled

                        Auditing of "object access"
                        events on success should
                        be enabled or disabled as
CCE-3286-2   CCE-2640   appropriate.                enabled/disabled
                        Auditing of "object access"
                        events on failure should be
                        enabled or disabled as
CCE-3290-4   CCE-1991   appropriate.                enabled/disabled

                        Auditing of "policy change"
                        events on success should
                        be enabled or disabled as
CCE-3546-9   CCE-2412   appropriate.                enabled/disabled
                        Auditing of "policy change"
                        events on failure should be
                        enabled or disabled as
CCE-3312-6   CCE-2347   appropriate.                enabled/disabled

                        Auditing of "privilege use"
                        events on success should
                        be enabled or disabled as
CCE-3211-0   CCE-2431   appropriate.                  enabled/disabled
                        Auditing of "privilege use"
                        events on failure should be
                        enabled or disabled as
CCE-3383-7   CCE-2584   appropriate.                enabled/disabled
                        Auditing of "process
                        tracking" events on
                        success should be
                        enabled or disabled as
CCE-3510-5   CCE-2529   appropriate.                enabled/disabled

                        Auditing of "process
                        tracking" events on failure
                        should be enabled or
CCE-3453-8   CCE-2617   disabled as appropriate.    enabled/disabled
                        Auditing of "system"
                        events on success should
                        be enabled or disabled as
CCE-3594-9   CCE-2420   appropriate.                enabled/disabled
                        Auditing of "system"
                        events on failure should be
                        enabled or disabled as
CCE-3611-1   CCE-1680   appropriate.                enabled/disabled


                        The "Allow System to be
                        Shut Down Without Having
                        to Log On" policy should
CCE-2884-5   CCE-396    be set correctly.        (1) enabled/disabled



                        The "restrict guest access
                        to application log" policy
CCE-3281-3   CCE-299    should be set correctly.     (1) enabled/disabled


                        The application log
                        maximum size should be
CCE-3550-1   CCE-185    configured correctly.        (1) size of file
                        If the Application log's
                        retention method is set to
                        "Overwrite events by
                        days," an appropriate
                        value should be set for the
                        number of days' logs to
CCE-3567-5   CCE-951    keep.                       (1) number of days



                        The "restrict guest access
                        to security log" policy
CCE-2946-2   CCE-462    should be set correctly.     (1) enabled/disabled
                       The security log maximum
                       size should be configured
CCE-3343-1   CCE-757   correctly.                    (1) size of file


                       The "when maximum log
                       size is reached" property
                       should be set correctly for
CCE-3484-3   CCE-523   the Security log.            type of retention
                       If the Security log's
                       retention method is set to
                       "Overwrite events by
                       days," an appropriate
                       value should be set for the
                       number of days' logs to
CCE-3127-8   CCE-682   keep.                       (1) number of days



                       The "restrict guest access
                       to system log" policy
CCE-3488-4   CCE-726   should be set correctly.      (1) enabled/disabled


                       The system log maximum
                       size should be configured
CCE-3506-3   CCE-735   correctly.                    (1) size of file

                       The "when maximum log
                       size is reached" property
                       should be set correctly for
CCE-3422-3   CCE-664   the System log.               type of retention

                       If the System log's
                       retention method is set to
                       "Overwrite events by
                       days," an appropriate
                       value should be set for the
                       number of days' logs to
CCE-3512-1   CCE-210   keep.                       (1) number of days

                       The "maximum password
                       age" policy should meet
CCE-3530-3   CCE-871   minimum requirements.         (1) number of days

                       The "minimum password
                       age" policy should meet
CCE-3548-5   CCE-324   minimum requirements.         (1) number of days
                       The "minimum password
                       length" policy should meet
CCE-3424-9   CCE-100   minimum requirements.        (1) number of days

                       The "password must meet
                       complexity requirements"
                       policy should be set
CCE-3442-1   CCE-633   correctly.                   (1) enabled/disabled


                       The "enforce password        (1) number of
                       history" policy should meet passwords
CCE-3446-2   CCE-60    minimum requirements.       remembered

                       The "store password using
                       reversible encryption for all
                       users in the domain" policy
CCE-2644-3   CCE-479   should be set correctly.      (1) enabled/disabled


                       The startup type of the
                       Alerter service should be
CCE-3635-0   CCE-487   correct.                     (1) disabled/manual/automatic



                       The startup type of the
                       Automatic Update service
CCE-2671-6   CCE-496   should be correct.           (1) disabled/manual/automatic

                       The startup type of the
                       Background Intelligent
                       Transfer Service (BITS)
CCE-3200-3   CCE-148   service should be correct.   (1) disabled/manual/automatic


                       The startup type of the
                       ClipBook service should
CCE-3350-6   CCE-954   be correct.                  (1) disabled/manual/automatic


                       The startup type of the Fax
CCE-3565-9   CCE-78    service should be correct.   (1) disabled/manual/automatic


                       The startup type of the
                       FTP Publishing service
CCE-3582-4   CCE-712   should be correct.           (1) disabled/manual/automatic
                       The startup type of the IIS
                       Admin service should be
CCE-3353-0   CCE-311   correct.                     (1) disabled/manual/automatic


                       The startup type of the
                       Indexing service should be
CCE-3618-6   CCE-738   correct.                     (1) disabled/manual/automatic


                       The startup type of the
                       Messenger service should
CCE-3494-2   CCE-729   be correct.                  (1) disabled/manual/automatic


                       The startup type of the
                       .NET Framework service
CCE-3640-0   CCE-650   should be correct.           (1) disabled/manual/automatic

                       The startup type of the
                       NetMeeting Remote
                       Desktop Sharing service
CCE-2909-0   CCE-232   should be correct.           (1) disabled/manual/automatic
                       The startup type of the
                       Print Services for Unix
CCE-3552-7   CCE-857   service should be correct.   (1) disabled/manual/automatic

                       The startup type of the
                       Remote Access Auto
                       connection Manager
CCE-3428-0   CCE-267   service should be correct.   (1) disabled/manual/automatic

                       The startup type of the
                       Remote Desktop Help
                       Session Manager service
CCE-3556-8   CCE-663   should be correct.           (1) disabled/manual/automatic



                       The startup type of the
                       Internet Connection
                       Sharing service should be
CCE-2678-1   CCE-672   correct.                     (1) disabled/manual/automatic


                       The startup type of the
                       Remote Registry service
CCE-3612-9   CCE-73    should be correct.           (1) disabled/manual/automatic
                       The startup type of the
                       Routing and Remote
                       Access service should be
CCE-3621-0   CCE-223   correct.                     (1) disabled/manual/automatic


                       The startup type of the
                       Remote Shell service
CCE-3602-0   CCE-522   should be correct.           (1) disabled/manual/automatic


                       The startup type of the
                       Simple TCP/IP service
CCE-3497-5   CCE-531   should be correct.           (1) disabled/manual/automatic



                       The startup type of the
                       Simple Mail Transport
                       Protocol (SMTP) service
CCE-3386-0   CCE-870   should be correct.           (1) disabled/manual/automatic




                       The startup type of the
                       SNMP Service service
CCE-3532-9   CCE-975   should be correct.           (1) disabled/manual/automatic




                       The startup type of the
                       SNMP Trap Service
CCE-3536-0   CCE-892   service should be correct.   (1) disabled/manual/automatic


                       The startup type of the
                       SSDP Discovery service
CCE-3541-0   CCE-940   should be correct.           (1) disabled/manual/automatic


                       The startup type of the
                       Task Scheduler service
CCE-3558-4   CCE-40    should be correct.           (1) disabled/manual/automatic


                       The startup type of the
                       Telnet service should be
CCE-3078-3   CCE-75    correct.                     (1) disabled/manual/automatic
                       The startup type of the
                       Terminal Services service
CCE-2832-4   CCE-974   should be correct.           (1) disabled/manual/automatic

                       The startup type of the
                       Universal Plug and Play
                       Device Host (UPnP)
CCE-3475-1   CCE-608   service should be correct.   (1) disabled/manual/automatic

                       The startup type of the
                       World Wide Web
                       Publishing service should
CCE-3492-6   CCE-758   be correct.                  (1) disabled/manual/automatic



                       The startup type of the
                       Automatic Update service
CCE-3633-5   CCE-559   should be correct.           (1) disabled/manual/automatic

                       The startup type of the
                       Background Intelligent
                       Transfer Service (BITS)
CCE-3638-4   CCE-445   service should be correct.   (1) disabled/manual/automatic
                       The startup type of the
                       Print Services for Unix
CCE-3175-7   CCE-115   service should be correct.   (1) disabled/manual/automatic
                       The correct service
                       permissions for the Alerter    (1) set of accounts
                       service should be             (2) list of
CCE-2695-5   CCE-669   assigned.                     permissions

                       The correct service
                       permissions for the            (1) set of accounts
                       Automatic Updates service     (2) list of
CCE-3637-6   CCE-889   should be assigned.           permissions
                       The correct service
                       permissions for the            (1) set of accounts
                       ClipBook service should       (2) list of
CCE-3642-6   CCE-476   be assigned.                  permissions
                       The correct service
                       permissions for the Fax        (1) set of accounts
                       service should be             (2) list of
CCE-3664-0   CCE-87    assigned.                     permissions
                       The correct service
                       permissions for the FTP        (1) set of accounts
                       Publishing service should     (2) list of
CCE-3435-5   CCE-4     be assigned.                  permissions
                       The correct service
                       permissions for the IIS        (1) set of accounts
                       Admin service should be       (2) list of
CCE-3580-8   CCE-792   assigned.                     permissions
                       The correct service
                       permissions for the            (1) set of accounts
                       Indexing service should be    (2) list of
CCE-3474-4   CCE-444   assigned.                     permissions
                       The correct service
                       permissions for the            (1) set of accounts
                       Messenger service should      (2) list of
CCE-3496-7   CCE-79    be assigned.                  permissions
                       The correct service
                       permissions for the            (1) set of accounts
                       NetMeeting service should     (2) list of
CCE-3483-5   CCE-21    be assigned.                  permissions
                       The correct service
                       permissions for the Printer    (1) set of accounts
                       service should be             (2) list of
CCE-3254-0   CCE-109   assigned.                     permissions
                       The startup type of the
                       Remote Access Auto
                       connection Manager
CCE-3523-8   CCE-157   service should be correct.   (1) disabled/manual/automatic
                       The correct service
                       permissions for the
                       Remote Desktop Help            (1) set of accounts
                       Session Manager service       (2) list of
CCE-3673-1   CCE-915   should be assigned.           permissions
                       The correct service
                       permissions for the            (1) set of accounts
                       Remote Registry service       (2) list of
CCE-3193-0   CCE-219   should be assigned.           permissions
                       The correct service
                       permissions for the SMTP       (1) set of accounts
                       service should be             (2) list of
CCE-3461-1   CCE-426   assigned.                     permissions
                       The correct service
                       permissions for the SNMP       (1) set of accounts
                       service should be             (2) list of
CCE-3355-5   CCE-56    assigned.                     permissions
                       The correct service
                       permissions for the SNMP       (1) set of accounts
                       Trap service should be        (2) list of
CCE-2687-2   CCE-521   assigned.                     permissions
                       The correct service
                       permissions for the Telnet     (1) set of accounts
                       service should be             (2) list of
CCE-3583-2   CCE-944   assigned.                     permissions
                       The correct service
                       permissions for the            (1) set of accounts
                       Terminal Services service     (2) list of
CCE-3226-8   CCE-605   should be assigned.           permissions

                       The correct service
                       permissions for the WWW (1) set of accounts
                       Publishing service should (2) list of
CCE-3569-1   CCE-143   be assigned.              permissions




                       The behavior surrounding
                       Anonymous users' ability
                       to display lists of SAM
                       accounts and shares
CCE-3591-5   CCE-195   should be correct.            (1) restricted/unrestricted


                       The behavior surrounding
                       Anonymous users' ability
                       to display lists of SAM
                       accounts should be
CCE-3631-9   CCE-318   correct.                      (1) restricted/unrestricted



                       The behavior surrounding
                       Anonymous SID/Name
                       translation should be
CCE-3402-5   CCE-953   correct.                      (1) enabled/disabled
                       The "Anonymous access
                       to the security event log"
                       policy should be set           (1) exist/not exist
CCE-3525-3   CCE-653   correctly.                    (2) enabled/disabled

                       Use of the built-in Guest
                       account should be enabled
CCE-2908-2   CCE-332   or disabled as appropriate. (1) enabled/disabled




                       The "Message title for
                       users attempting to log on"
                       policy should be set
CCE-2790-4   CCE-23    correctly.                    (1) text caption
                       The "Message text for
                       users attempting to log on"
                       policy should be set
CCE-3672-3   CCE-829   correctly.                    (1) text statement




                       Automatic Logon should
CCE-3690-5   CCE-283   be properly configured.       (1) enabled/disabled




                       Autoplay on all Drive
                       Types should be properly
CCE-3597-2   CCE-44    configured.                   (1) enabled/disabled




                       ICMP Redirects should be
CCE-3725-9   CCE-150   properly configured.          (1) enabled/ignored




                       IP Source Routing should
CCE-3227-6   CCE-564   be properly configured.       (1) enabled/disabled
                       IRDP should be properly
CCE-3509-7   CCE-952   configured.                 (1) enabled/disabled




                       Display Last User Name in
                       Logon Screen should be
CCE-3527-9   CCE-65    properly configured.        (1) enabled/disabled




                       TCP/IP Dead Gateway
                       Detection should be
CCE-2919-9   CCE-897   properly configured.        (1) enabled/disabled




                       The TCP/IP KeepAlive
                       Time should be set          (1) number of
CCE-2812-6   CCE-188   correctly.                  milliseconds




                       TCP/IP NetBIOS Name
                       Release on Request
                       Prevented should be
CCE-2817-5   CCE-817   properly configured.        (1) enabled/disabled



                       TCP/IP PMTU Discovery
                       should be properly
CCE-3739-0   CCE-998   configured.                 (1) enabled/disabled


                       TCP/IP SYN Flood Attack
                       Protection should be
CCE-3616-0   CCE-284   properly configured.        (1) enabled/disabled
                       Disable saving of dial-up
                       passwords should be
CCE-3757-2   CCE-156   properly configured.        (1) enabled/disabled
                       The "Secure Channel:
                       Digitally Encrypt Secure
                       Channel Data (When
                       Possible)" policy should be
CCE-3796-0   CCE-601   set correctly.                (1) enabled/disabled

                       The "Secure Channel:
                       Digitally Sign Secure
                       Channel Data (When
                       Possible)" policy should be
CCE-3514-7   CCE-614   set correctly.                (1) enabled/disabled




                       Safe DLL Search Mode
                       should be properly
CCE-3778-8   CCE-271   configured.                   (1) enabled/disabled

                       Always Wait for the
                       Network at Computer
                       Startup and Logon should
CCE-3549-3   CCE-707   be properly configured.       (1) enabled/disabled


                       Background Refresh of
                       Group Policy should be
CCE-3298-7   CCE-50    properly configured.          (1) enabled/disabled
                       Installation and
                       Configuration of Network
                       Bridge on the DNS
                       Domain Network should
CCE-3443-9   CCE-896   be properly configured.       (1) enabled/disabled
                       Disallow Installation of
                       Printers Using Kernel-
                       mode Drivers should be
CCE-3708-5   CCE-574   properly configured.          (1) enabled/disabled



                       The "Allow Server
                       Operators to Schedule
                       Tasks" policy should be
CCE-3479-3   CCE-257   set correctly.                (1) enabled/disabled
                       The built-in Administrator
                       account should be
CCE-2853-0   CCE-438   correctly named.              (1) valid names

                       The built-in Guest account
CCE-3743-2   CCE-834   should be correctly named. (1) valid names
                       The amount of idle time
                       required before
                       disconnecting a session       (1) number of
CCE-3761-4   CCE-222   should be set correctly.      minutes

                       The "Audit the access of
                       global system objects"
                       policy should be set
CCE-3774-7   CCE-2     correctly.                    (1) enabled/disabled

                       The "Audit the use of
                       backup and restore
                       privilege" policy should be
CCE-3814-1   CCE-905   set correctly.                (1) enabled/disabled


                       The "Disable
                       CTRL+ALT+Delete
                       Requirement for Logon"
                       policy should be set
CCE-3060-1   CCE-133   correctly.                    (1) enabled/disabled




                       The "LAN Manager
                       Authentication Level"
                       policy should be set           (1) authentication
CCE-3703-6   CCE-719   correctly.                    level


                       The "Prevent Users from
                       Installing Printer Drivers"
                       policy should be set
CCE-3769-7   CCE-402   correctly.                    (1) enabled/disabled


                       The "Recovery Console:
                       Allow Automatic
                       Administrative Logon"
                       policy should be set
CCE-3659-0   CCE-410   correctly.                    (1) enabled/disabled
                       The "Recovery Console:
                       Allow Floppy Copy and
                       Access to All Drives and
                       All Folders" policy should
CCE-3676-4   CCE-76    be set correctly.            (1) enabled/disabled

                       The "Restrict CD-ROM
                       Access to Locally Logged-
                       On User Only" policy
CCE-3694-7   CCE-565   should be set correctly.     (1) enabled/disabled

                       The "Restrict Floppy
                       Access to Locally Logged-
                       On User Only" policy
CCE-2822-5   CCE-463   should be set correctly.     (1) enabled/disabled



                       The "Strengthen Default
                       Permissions of Global
                       System Objects" policy
CCE-2963-7   CCE-508   should be set correctly.     (1) enabled/disabled



                       The "Secure Channel:
                       Require Strong (Windows
                       2000 or later) Session
                       Key" policy should be set
CCE-3478-5   CCE-417   correctly.                   (1) enabled/disabled



                       The "Send Unencrypted
                       Password to Connect to
                       Third-Party SMB Servers"
                       policy should be set
CCE-2870-4   CCE-228   correctly.                   (1) enabled/disabled
                       The "Unsigned Driver
                       Installation Behavior"
                       policy should be set
CCE-3787-9   CCE-413   correctly.                   (1) behavior



                       The "Users Prompted to
                       Change Password Before
                       Expiration" policy should     (1) number of days
CCE-3804-2   CCE-814   be set correctly.            prior to expiration
                       The "Shut Down system
                       immediately if unable to
                       log security audits" policy
CCE-3430-6   CCE-92    should be set correctly.      (1) enabled/disabled



                       The "Allow System to be
                       Shut Down Without Having
                       to Log On" policy should
CCE-3448-8   CCE-224   be set correctly.        (1) enabled/disabled



                       The "Clear Virtual Memory
                       Pagefile at shutdown"
                       policy should be set
CCE-3593-1   CCE-422   correctly.                    (1) enabled/disabled



                       The "Digitally Sign Client
                       Communication (Always)"
                       policy should be set
CCE-3652-5   CCE-576   correctly.                    (1) enabled/disabled



                       The "Digitally Sign Server
                       Communication (Always)"
                       policy should be set
CCE-3295-3   CCE-171   correctly.                    (1) enabled/disabled



                       The "Digitally Sign Server
                       Communication (When
                       Possible)" policy should be
CCE-3189-8   CCE-104   set correctly.                (1) enabled/disabled




                       The "Number of Previous
                       Logons to Cache" policy       (1) number of
CCE-3709-3   CCE-773   should be set correctly.      logons


                       The "Allowed to Format
                       and Eject Removable
                       NTFS Media" policy
CCE-3586-5   CCE-919   should be set correctly.      (1) Group(s)
                       The "Secure Channel:
                       Digitally Encrypt or Sign
                       Secure Channel Data
                       (Always)" policy should be
CCE-3731-7   CCE-549   set correctly.                (1) enabled/disabled


                       The "Secure Channel:
                       Digitally Encrypt Secure
                       Channel Data (When
                       Possible)" policy should be
CCE-3370-4   CCE-161   set correctly.                (1) enabled/disabled


                       The "Secure Channel:
                       Digitally Sign Secure
                       Channel Data (When
                       Possible)" policy should be
CCE-3511-3   CCE-918   set correctly.                (1) enabled/disabled


                       The "Smart Card Removal
                       Behavior" policy should be
CCE-3674-9   CCE-443   set correctly.                (1) behavior




                       The "Use FIPS compliant
                       algorithms for encryption,
                       hashing, and signing"
                       policy should be set
CCE-3441-3   CCE-55    correctly.                    (1) enabled/disabled




                       The "Default owner for
                       objects created by
                       members of the
                       Administrators group"
                       policy should be set
CCE-2947-0   CCE-575   correctly.                    (1) enabled/disabled



                       The "Require Case
                       Insensitivity for Non-
                       Windows Subsystems"
                       policy should be set
CCE-3714-3   CCE-300   correctly.                    (1) enabled/disabled
                       The "Limit local account
                       use of blank passwords to
                       console logon only" policy
CCE-3357-1   CCE-533   should be set correctly.   (1) enabled/disabled



                       The "Allow undock without
                       having to logon" policy
CCE-3613-7   CCE-186   should be set correctly.    (1) enabled/disabled



                       The "LDAP server signing
                       requirements" policy
CCE-3801-8   CCE-710   should be set correctly.    (1) enabled/disabled




                       The "LDAP client signing
                       requirements" policy
CCE-2819-1   CCE-732   should be set correctly.    (1) enabled/disabled



                       The "Refuse machine
                       account password
                       change" policy should be
CCE-3605-3   CCE-490   set correctly.              (1) enabled/disabled


                       The "Maximum machine
                       account password age"
                       policy should be set
CCE-2984-3   CCE-194   correctly.                  (1) enabled/disabled




                       The "Require Domain
                       Controller authentication to
                       unlock workstation" policy
CCE-3504-8   CCE-374   should be set correctly.     (1) enabled/disabled



                       The "Disconnect clients
                       when logon hours expire"
                       policy should be set
CCE-3773-9   CCE-278   correctly.                  (1) enabled/disabled
                       The "Do not allow storage
                       of credentials or .NET
                       Passports" policy should
CCE-3420-7   CCE-542   be set correctly.           (1) enabled/disabled




                       The "Let Everyone
                       permissions apply to
                       anonymous users" policy
CCE-3817-4   CCE-18    should be set correctly.    (1) enabled/disabled




                       The "Named Pipes that
                       can be accessed
                       anonymously" policy
CCE-3711-9   CCE-136   should be set correctly.    (1) enabled/disabled




                       The "Remotely accessible
                       registry paths" policy
CCE-3729-1   CCE-189   should be set correctly.    (1) set of paths



                       The "Shares that can be
                       accessed anonymously"
                       policy should be set
CCE-3592-3   CCE-942   correctly.                  (1) set of shares
                       The "Sharing and security
                       model for local accounts"
                       policy should be set         (1) Classic/Guest
CCE-3112-0   CCE-343   correctly.                   only



                       The "Do not store LAN
                       Manager hash value on
                       next password change"
                       policy should be set
CCE-3632-7   CCE-233   correctly.                   (1) enabled/disabled




                       The "Force logoff when
                       logon hours expire" policy
CCE-3719-2   CCE-775   should be set correctly.     (1) enabled/disabled




                       The "Minimum session
                       security for NTLM SSP
                       based clients" policy
CCE-3614-5   CCE-674   should be set correctly.     (1) enabled/disabled




                       The "Minimum session
                       security for NTLM SSP
                       based servers" policy
CCE-3759-8   CCE-766   should be set correctly.     (1) enabled/disabled
                       The "Current user
                       screensaver" policy should
CCE-3526-1   CCE-764   be set correctly.            (1) enabled/disabled
                       The "Current user
                       screensaver timeout"
                       policy should be set
CCE-3764-8   CCE-830   correctly.                   (1) time in seconds

                       The "Current user
                       screensaver secure" policy
CCE-3781-2   CCE-949   should be set correctly.   (1) enabled/disabled

                       The "Current user
                       screensaver active" policy
CCE-3799-4   CCE-742   should be set correctly.     (1) enabled/disabled
                       The "Default user
                       screensaver timeout"
                       policy should be set
CCE-3693-9   CCE-517   correctly.                   (1) time in seconds

                       The "Default user
                       screensaver secure" policy
CCE-3698-8   CCE-433   should be set correctly.   (1) enabled/disabled

                       The "Default user
                       screensaver active" policy
CCE-3715-0   CCE-103   should be set correctly.     (1) enabled/disabled
                       The "Current user
                       screensaver" policy should
CCE-3609-5   CCE-54    be set correctly.            (1) enabled/disabled
                       The "Current user
                       screensaver timeout"
                       policy should be set
CCE-3253-2   CCE-221   correctly.                   (1) time in seconds

                       The "Current user
                       screensaver secure" policy
CCE-2900-9   CCE-235   should be set correctly.   (1) enabled/disabled

                       The "Current user
                       screensaver active" policy
CCE-3671-5   CCE-287   should be set correctly.     (1) enabled/disabled




                       The "password protect the
                       screen saver" setting
                       should be configured
CCE-3182-3   CCE-442   correctly.                (1) enabled/disabled
                       The "Screen Saver              (1) enabled/disabled
                       timeout" should be set         (2) number of
CCE-3534-5   CCE-481   correctly.                     seconds

                       The "Always Install with
                       Elevated Privileges" policy
CCE-3794-5   CCE-736   should be set correctly.       (1) enabled/disabled

                       The "Enable User Control
                       Over Installs" policy should
CCE-3547-7   CCE-415   be set correctly.              (1) enabled/disabled
                       The "Enable User to
                       Browse for Source While
                       Elevated" policy should be
CCE-3190-6   CCE-794   set correctly.                 (1) enabled/disabled
                       The "Enable User to Use
                       Media Source While
                       Elevated" policy should be
CCE-3587-3   CCE-107   set correctly.                 (1) enabled/disabled
                       The "Allow Administrator
                       to Install from Terminal
                       Services Session" policy
CCE-2837-3   CCE-256   should be set correctly.       (1) enabled/disabled

                       The "Enable User to Patch
                       Elevated Products" policy
CCE-3803-4   CCE-662   should be set correctly.       (1) enabled/disabled

                       The "Cache Transforms in
                       Secure Location" policy
CCE-3702-8   CCE-424   should be set correctly.       (1) enabled/disabled
                       The "Disable Media Player
                       for automatic updates"
                       policy should be set
CCE-3720-0   CCE-455   correctly.                     (1) enabled/disabled
                       The "Prevent Codec
                       Download" policy should
                       be set correctly for
CCE-2863-9   CCE-124   Windows Media Player.          (1) enabled/disabled




                       Internet access for
                       Windows Messenger
                       should be configured
CCE-3636-8   CCE-525   correctly.                     (1) enabled/disabled
                       The "Do Not Allow
                       Windows Messenger to be
                       Run" policy should be set
CCE-3658-2   CCE-802   correctly.                     (1) enabled/disabled
                       The "Do Not Automatically
                       Start Windows
                       Messenger" policy should
CCE-3306-8   CCE-309   be set correctly.             (1) enabled/disabled
                       The "Hide Property Pages"
                       policy should be set
                       correctly for the Task
CCE-3728-3   CCE-785   Scheduler.                    (1) enabled/disabled
                       The "Prohibit New Task
                       Creation" policy should be
                       set correctly for the Task
CCE-3746-5   CCE-578   Scheduler.                    (1) enabled/disabled
                       The "Limit Users to One
                       Remote Session" policy
                       should be set correctly for
CCE-3654-1   CCE-507   Terminal Services.            (1) enabled/disabled
                       The "Limit Number of
                       Connections" policy should     (1) Maximum
                       be set correctly for          number of
CCE-3786-1   CCE-80    Terminal Services.            connections allowed

                       The "Do Not Allow New
                       Client Connections" policy
                       should be set correctly for
CCE-3790-3   CCE-401   Terminal Services.            (1) enabled/disabled
                       The "Do Not Allow Local
                       Administrators to
                       Customize Permissions"
                       policy should be set
                       correctly for Terminal
CCE-3808-3   CCE-824   Services.                     (1) enabled/disabled
                       The "Remote Control
                       Settings" policy should be
                       set correctly for Terminal
CCE-3848-9   CCE-190   Services.                     (1) enabled/disabled
                       The "Always Prompt Client
                       for Password upon
                       Connection" policy should
                       be set correctly for
CCE-3666-5   CCE-855   Terminal Services.            (1) enabled/disabled

                       The "Set Client connection
                       Encryption Level" policy
                       should be set correctly for
CCE-3812-5   CCE-397   Terminal Services.            (1) encryption level

                       The "Do not Use Temp
                       folders per Session" policy
                       should be set correctly for
CCE-3710-1   CCE-670   Terminal Services.            (1) enabled/disabled
                       The "Do not Delete Temp
                       folder on exit" policy
                       should be set correctly for
CCE-3627-7   CCE-961   Terminal Services.            (1) enabled/disabled
                       The "Set time limit for
                       disconnected sessions"
                       policy should be set
                       correctly for Terminal        (1) Time Limit
CCE-2875-3   CCE-920   Services.                    (minutes)
                       The "Set time limit for idle
                       sessions" policy should be
                       set correctly for Terminal    (1) Time limit
CCE-3665-7   CCE-123   Services.                    (minutes)
                       The "Allow Reconnection
                       from Original Client Only"
                       policy should be set
                       correctly for Terminal
CCE-3683-0   CCE-524   Services.                     (1) enabled/disabled
                       The "Terminate session
                       when time limits are
                       reached" policy should be
                       set correctly for Terminal
CCE-3577-4   CCE-568   Services.                     (1) enabled/disabled
                       The "Enable Keep-Alive
                       Messages" policy should
                       be set correctly for
CCE-3828-1   CCE-705   Terminal Services.            (1) enabled/disabled

                       The "Allow Solicited
                       Remote Assistance" policy
                       should be set correctly for
CCE-3599-8   CCE-859   Terminal Services.            (1) enabled/disabled

                       The "Allow Unsolicited
                       Remote Assistance" policy
                       should be set correctly for
CCE-3617-8   CCE-434   Terminal Services.            (1) enabled/disabled

                       The "Enable Error
                       Reporting" policy should
CCE-3758-0   CCE-592   be set correctly.             (1) enabled/disabled
                       The "Enforce user logon
                       restrictions" policy should
CCE-3700-2   CCE-227   be set correctly.             (1) enabled/disabled
                       The "Maximum Service
                       Ticket Lifetime" policy       (1) number of
CCE-3237-5   CCE-6     should be set correctly.      minutes
                       The "Maximum User
                       Ticket Lifetime" policy
CCE-3625-1   CCE-37    should be set correctly.      (1) number of hours
                       The "Maximum tolerance
                       for computer clock
                       synchronization" policy        (1) number of
CCE-3396-9   CCE-588   should be set correctly.       minutes

                       Removable storage should
                       have correct permissions
CCE-3788-7   CCE-420   set
                       The "Allow automatic
                       updates immediate
                       installation" should be set
CCE-3806-7   CCE-861   correctly
                       The "Automatic Updates
                       detection frequency"
CCE-3608-7   CCE-244   should be set correctly
                       The "Configure Automatic
                       Updates" should be set
CCE-3740-8   CCE-306   correctly
                       The "No auto-restart for
                       scheduled Automatic
CCE-3277-1   CCE-641   Updates installations"
                       The "Reschedule
                       Automatic Updates
                       scheduled installations"
CCE-3661-6   CCE-804   should be set correctly




                       The "Specify intranet
                       Microsoft update service
                       location" should be set
CCE-3730-9   CCE-932   correctly

                       MSS:
                       TCPMaxPortsExhausted,
                       How many dropped
                       connect requests to initiate
CCE-3250-8   CCE-418   SYN attack protection.




                       The "Security Zones: Use
                       Only Machine Settings"
                       setting should be
CCE-3413-2   CCE-5     configured correctly.          (1) enabled/disabled
                       The "Security Zones: Do
                       Not Allow Users to
                       Add/Delete Sites" setting
                       should be configured
CCE-3039-5   CCE-146   correctly.                     (1) enabled/disabled




                       The "Disable Periodic
                       Check For Internet
                       Explorer Software
                       Updates" setting should be
CCE-3810-9   CCE-212   configured correctly.      (1) enabled/disabled




                       The "Disable Software
                       Update Shell Notifications
                       on Program Launch"
                       setting should be
CCE-3832-3   CCE-622   configured correctly.          (1) enabled/disabled


                       The "Disable Automatic
                       Install of Internet Explorer
                       Components" setting
                       should be configured
CCE-3598-0   CCE-684   correctly.                     (1) enabled/disabled




                       The "Make Proxy Settings
                       Per-Machine (Rather Than
                       Per-User)" setting should  (1) number of proxy
CCE-3713-5   CCE-693   be configured correctly.  settings
                       The "Security Zones: Do
                       Not Allow Users to
                       Change Policies" setting
                       should be configured
CCE-3480-1   CCE-833   correctly.                 (1) enabled/disabled
CCE Technical Mechanisms                                        Microsoft Security Guide for Windows Server 2003



                                                                Table 3.28 Deny access to this
                                                                computer from the network:
                                                                ANONYMOUS LOGON; Built-in
                                                                Administrator, Guests;
                                                                Support_388945a0; Guest; all
                                                                NON-Operating System service
                                                                accounts (Legacy Client,
(1) defined by the SeDenyNetworkLogonRight setting in           Enterprise Client, and High
Local or Group Policy                                           Security)
                                                                Table 4.2 Access this computer
                                                                from the network:
                                                                Administrators, Authenticated
                                                                Users, Enterprise Domain
                                                                Controllers (High Security);
(1) defined by the SeNetworkLogonRight setting in Local or      Legacy Client and Enterprise
Group Policy                                                    Client are not defined
                                                                Table 3.21 Act as part of the
                                                                operating system: Not defined
                                                                (Legacy Client and Enterprise
                                                                Client); revoke all security
(1) defined by the SeTcbPrivilege setting in Local or Group     groups and accounts (High
Policy                                                          Security)



(1) defined by the SeBackupPrivilege setting in Local or
Group Policy                                                    ….



(1) defined by the SeChangeNotifyPrivilege setting in Local
or Group Policy                                                 ….

                                                                Table 3.26 Change the system
                                                                time: Administrators and Power
                                                                Users (default); Administrators
                                                                (High Security); Legacy client
(1) defined by the SeSystemTimePrivilege setting in Local or    and Enterprise Client are not
Group Policy                                                    defined



(1) defined by the SeCreatePagefilePrivilege setting in Local
or Group Policy                                                 ….
(1) defined by the SeCreateTokenPrivilege setting in Local or
Group Policy                                                    ….



(1) defined by the SeCreatePermanentPrivilege setting in
Local or Group Policy                                           ….

                                                                Table 3.27 Debug programs:
                                                                Administrators (default); Revoke
                                                                all security groups and accounts
(1) defined by the SeDebugPrivilege setting in Local or Group   (Legacy Client, Enterprise client
Policy                                                          and High Security)

                                                                Table 3.32 Force shutdown from
                                                                a remote system: Administrators
                                                                (High Security): Legacy client
(1) defined by the SeRemoteShutdownPrivilege setting in         and Enterprise Client are not
Local or Group Policy                                           defined
                                                                Table 3.33 Generate security
                                                                audits: Network Service, Local
                                                                Service (High Security): Legacy
(1) defined by the SeAuditPrivilege setting in Local or Group   Client and Enterprise Client are
Policy                                                          not defined


                                                                Table 3.23 Adjust memory
                                                                quotas for a process:
                                                                Administrators, Network Service,
                                                                Local Service (High Security);
(1) defined by the SeIncreaseQuotaPrivilege setting in Local    Legacy client and Enterprise
or Group Policy                                                 Client are not defined



                                                                Table 3.35 Increase scheduling
                                                                priority: Administrators (High
(1) defined by the SeIncreaseBasePriorityPrivilege setting in   Security): Legacy Client and
Local or Group Policy                                           Enterprise Client are not defined
                                                                Table 3.36 Load and unload
                                                                device drivers: Administrators
                                                                (High Security): Legacy Client
(1) defined by the SeLoadDriverPrivilege setting in Local or    and Enterprise Client are not
Group Policy                                                    defined

                                                                Table 3.37 Lock pages in
                                                                memory: Administrators (High
(1) defined by the SeLockMemoryPrivilege setting in Local or    Security): Legacy Client and
Group Policy                                                    Enterprise Client are not defined
                                                                 Table 3.38 Log on as a batch
                                                                 job: Support_388945a0, Local
                                                                 Service (Default); Revoke all
                                                                 security groups and accounts
                                                                 (High Security); Legacy Client
(1) defined by the SeBatchLogonRight setting in Local or         and Enterprise Client are not
Group Policy                                                     defined



(1) defined by the SeServiceLogonRight setting in Local or
Group Policy                                                     ….

                                                                 Table 4.4 Allow log on locally:
                                                                 Administrators (Legacy client,
(1) defined by the SeInteractiveLogonRight setting in Local or   Enterprise Client, and High
Group Policy                                                     Security)

                                                                 Table 3.39 Manage auditing and
                                                                 security log: Administrators
                                                                 (High Security); Legacy Client
(1) defined by the SeSecurityPrivilege setting in Local or       and Enterprise Client are not
Group Policy                                                     defined

                                                                 Table 3.40 Modify firmware
                                                                 environment values:
                                                                 Administrators (High Security);
(1) defined by the SeSystemEnvironmentPrivilege setting in       Legacy client and Enterprise
Local or Group Policy                                            Client are not defined

                                                                 Table 3.42 Profile single
                                                                 process: Administrators (High
(1) defined by the SeProfileSingleProcessPrivilege setting in    Security); Legacy Client and
Local or Group Policy                                            Enterprise Client are not defined
                                                                 Table 3.43 Profile system
                                                                 performance: Administrators
                                                                 (High Security); Legacy client
(1) defined by the SeSystemProfilePrivilege setting in Local     and Enterprise Client are not
or Group Policy                                                  defined



                                                                 Table 3.44 Remove computer
                                                                 from docking station:
                                                                 Administrators, Power Users
                                                                 (Default)/Administrators (High
(1) defined by the SeUndockPrivilege setting in Local or         Security); Legacy client and
Group Policy                                                     Enterprise Client are not defined

                                                                 Table 3.45 Replace a process
                                                                 level token: Local Service,
                                                                 Network Service (High Security);
(1) defined the SeAssignPrimaryTokenPrivilege setting in by      Legacy Client and Enterprise
Local or Group Policy                                            Client are not defined
                                                               Table 3.46 Restore files and
                                                               directories: Administrators and
                                                               Backup Operators
                                                               (Default)/Administrators (High
(1) defined the SeRestorePrivilege setting in by Local or      Security); Legacy Client and
Group Policy                                                   Enterprise Client are not defined



                                                               Table 3.47 Shut down the
                                                               system: Backup Operators,
                                                               Power Users and Administrators
                                                               (Default)/Administrators (High
(1) defined the SeShutdownPrivilege setting in by Local or     Security); Legacy Client and
Group Policy                                                   Enterprise Client are not defined




                                                               Table 3.49 Take ownership of
                                                               files or other objects:
                                                               Administrators (High Security);
(1) defined the SeTakeOwnershipPrivilege setting in by Local   Legacy Client and Enterprise
or Group Policy                                                Client are not defined
                                                               Table 3.48 Synchronize
                                                               directory service data: Revoke
                                                               all security groups and accounts
                                                               (High Security); legacy client
(1) defined the SeSynchAgentPrivilege setting in by Local or   and Enterprise Client are not
Group Policy                                                   defined




(1) defined the SeDenyInteractiveLogonRight setting in by
Local or Group Policy                                          ….



                                                               Table 4.7 Enable computer and
                                                               user accounts to be trusted for
                                                               delegation: Administrators (High
(1) defined the SeEnableDelegationPrivilege setting in by      Security); Legacy client and
Local or Group Policy                                          Enterprise Client are not defined

                                                               Table 3.22 Add workstations to
                                                               domain: Administrators (High
(1) defined the SeMachineAccountPrivilege setting in by        Security); Legacy Client and
Local or Group Policy                                          Enterprise Client are not defined
                                                              Table 3.25 Allow log on
                                                              through Terminal Services:
                                                              Administrators (High
                                                              Security); Administrators and
                                                              Remote Desktop Users
(1) defined the SeRemoteInteractiveLogonRight setting in by   (Legacy Client and Enterprise
Local or Group Policy                                         Client)

                                                              Table 4.18 Deny log on as a
                                                              batch job: Support_388945a0
                                                              and Guest (Legacy Client,
(1) defined the SeDenyBatchLogonRight setting in by Local     Enterprise Client, and High
or Group Policy                                               Security)



(1) defined the SeDenyServiceLogonRight setting in by Local
or Group Policy                                               ….

                                                              Table 4.18 Deny log on through
                                                              Terminal Services: Built-in
                                                              Administrator; all NON-operating
                                                              system service accounts
(1) defined the SeDenyRemoteInteractiveLogonRight setting     (Legacy Client, Enterprise
in by Local or Group Policy                                   Client, and High Security)

                                                              Table 3.41 Perform volume
                                                              maintenance tasks:
                                                              Administrators (High Security);
(1) defined the SeManageVolumePrivilege setting in by Local   Legacy client and Enterprise
or Group Policy                                               Client are not defined
                                                              Table 2.11 Reset account
                                                              lockout counter after: 30
                                                              minutes; 15 minutes (High
                                                              Security); 30 minutes (Legacy
(1) defined by Local or Group Policy                          Client and Enterprise Client)
                                                              Table 2.9 Account lockout
                                                              duration: 15 minutes (High
                                                              Security); 30 minutes (Legacy
(1) defined by Local or Group Policy                          Client and Enterprise Client)
                                                              Table 2.10 Account lockout
                                                              threshold: 50 invalid login
                                                              attempts (Legacy Client and
                                                              Enterprise Client); 10 invalid
(1) defined by Local or Group Policy                          login attempts (High Security)


                                                              Table 3.2 Audit account logon
                                                              events: Success/Failure (Legacy
                                                              Client, Enterprise Client, and
(1) defined by Local or Group Policy                          High Security)
                                                              Table 3.2 Audit account logon
                                                              events: Success/Failure (Legacy
                                                              Client, Enterprise Client, and
(1) defined by Local or Group Policy                          High Security)
                                       Table 3.4 Audit account
                                       management: Success/Failure
                                       (Legacy Client, Enterprise
(1) defined by Local or Group Policy   Client, and High Security)


                                       Table 3.4 Audit account
                                       management: Success/Failure
                                       (Legacy Client, Enterprise
(1) defined by Local or Group Policy   Client, and High Security)


                                       Table 3.6 Audit directory service
                                       access: Success/Failure
                                       (Legacy Client, Enterprise
(1) defined by Local or Group Policy   Client, and High Security)


                                       Table 3.6 Audit directory service
                                       access: Success/Failure
                                       (Legacy Client, Enterprise
(1) defined by Local or Group Policy   Client, and High Security)
                                       Table 3.8 Audit logon events:
                                       Success/Failure (Legacy Client,
                                       Enterprise Client, and High
(1) defined by Local or Group Policy   Security)
                                       Table 3.8 Audit logon events:
                                       Success/Failure (Legacy Client,
                                       Enterprise Client, and High
(1) defined by Local or Group Policy   Security)


                                       Table 3.10 Audit object access:
                                       Success/Failure (Legacy Client,
                                       Enterprise Client, and High
(1) defined by Local or Group Policy   Security)
                                       Table 3.10 Audit object access:
                                       Success/Failure (Legacy Client,
                                       Enterprise Client, and High
(1) defined by Local or Group Policy   Security)


                                       Table 3.12 Audit policy change:
                                       Success (legacy client,
                                       Enterprise Client, and High
(1) defined by Local or Group Policy   Security)
                                       Table 3.12 Audit policy change:
                                       Success (legacy client,
                                       Enterprise Client, and High
(1) defined by Local or Group Policy   Security)

                                       Table 3.14 Audit privilege use:
                                       Success/Failure (High Security);
                                       No Auditing (Legacy Client);
(1) defined by Local or Group Policy   Failure (Enterprise Client)
                                                             Table 3.14 Audit privilege use:
                                                             Success/Failure (High Security);
                                                             No Auditing (Legacy Client);
(1) defined by Local or Group Policy                         Failure (Enterprise Client)




(1) defined by Local or Group Policy                         ….




(1) defined by Local or Group Policy                         ….
                                                             Table 3.18 Audit system events:
                                                             Success (Legacy Client,
                                                             Enterprise Client, and High
(1) defined by Local or Group Policy                         Security)
                                                             Table 3.18 Audit system events:
                                                             Success (Legacy Client,
                                                             Enterprise Client, and High
(1) defined by Local or Group Policy                         Security)

                                                             Table 3.102 Shutdown: Allow
                                                             system to be shut down without
                                                             having to log on: Disabled
                                                             (Legacy Client, Enterprise
(1) defined by Local or Group Policy                         Client, and High Security)

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\RestrictGuestAccess (2) defined by Group Policy    ….
(1) defined by the Windows Event Log (2) defined by Group Policy (3) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\MaxSize    Table 3.110 Maximum application log size: 16,384 KB (Legacy Client, Enterprise Client, and High Security)




                                                             Table 3.116 Retention method
                                                             for application log: As needed
                                                             (Legacy Client, Enterprise
                                                             Client, and High Security)

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security\RestrictGuestAccess (2) defined by Group Policy    ….
(1) defined by the Windows Event Log (2) defined by Group Policy (3) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security\MaxSize    Table 3.111 Maximum security log size: 81,920 KB (Legacy Client, Enterprise Client, and High Security)



(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\Retention (2) defined by Group Policy




                                                                Table 3.117 Retention method
                                                                for security log: As needed
                                                                (Legacy Client, Enterprise
                                                                Client, and High Security)

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\RestrictGuestAccess (2) defined by Group Policy
(1) defined by the Windows Event Log (2) defined by Group Policy (3) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\MaxSize    Table 3.112 Maximum system log size: 16,384 KB (Legacy Client, Enterprise Client, and High Security)


(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\Retention (2) defined by Group Policy




                                                                3.118 Retention method for
                                                                system log: As needed
                                                                (Legacy Client, Enterprise
                                                                Client, and High Security)
                                                                Table 2.4 Maximum password
                                                                age: 42 days (Legacy Client,
                                                                Enterprise Client, and High
(1) defined by Local or Group Policy                            Security)
                                                                Table 2.5 Minimum password
                                                                age: 2 days (Legacy Client,
                                                                Enterprise Client, and High
(1) defined by Local or Group Policy                            Security)
                                                                    Table 2.6 Minimum password
                                                                    length: 12 characters (High
                                                                    Security); 8 characters (Legacy
(1) defined by Local or Group Policy                                Client and Enterprise Client)
                                                                    Table 2.7 Password must meet
                                                                    complexity requirements:
                                                                    Enabled (Legacy Client,
                                                                    Enterprise Client, and High
(1) defined by Local or Group Policy                                Security)
                                                                    Table 2.3 Enforce password
                                                                    history: 24 passwords
                                                                    remembered (Legacy Client,
                                                                    Enterprise Client, and High
(1) defined by Local or Group Policy                                Security)


                                                                    Table 2.8 Store password using
                                                                    reversible encryption: Disabled
                                                                    (Legacy Client, Enterprise
(1) defined by Local or Group Policy                                Client, and High Security)
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Alerter\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy    Table 3.119 Alerter Service: Disabled (Legacy Client, Enterprise Client, and High Security)


(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate (2) defined by the Services Administrative Tool (3) defined by Group Policy    Table 3.123 Automatic updates service: Automatic (Legacy Client, Enterprise Client, and High Security)
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy    Table 3.124 Background Intelligent Transfer Service: Manual (Legacy Client, Enterprise Client, and High Security)
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ClipSrv\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy    Table 3.127 Clipbook service: Disabled (Legacy Client, Enterprise Client, and High Security)
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Fax\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy    Table 3.143 Fax Service: Not installed (default); Disabled (Legacy Client, Enterprise Client, and High Security)
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSFTPSVC\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy    Table 3.146 FTP Publishing Service: Not installed (default); Disabled (Legacy Client, Enterprise Client, and High Security)
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IISADMIN\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy    Table 3.151 IIS Admin Service: Not installed (default); Disabled (Legacy Client, Enterprise Client, and High Security)
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CiSvc\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy    Table 3.153 Indexing Service: Disabled (Legacy Client, Enterprise Client, and High Security)
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy    Table 3.167 Messenger Service: Disabled (Legacy Client, Enterprise Client, and High Security)
(1) defined by the Services Administrative Tool (2) defined by Group Policy    Table 3.172 .NET Framework Support Service: Not installed (default); Disabled (Legacy Client, Enterprise Client, and High Security)
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mnmsrvc\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy    Table 3.174 NetMeeting Remote Desktop Sharing: Disabled (Legacy Client, Enterprise Client, and High Security)

(1) defined by the Services Administrative Tool (2) defined by Group Policy    ….
(1) defined by the Services Administrative Tool (2) defined by Group Policy    Table 3.187 Remote Access Auto Connection Manager: Manual (default); Disabled (Legacy Client, Enterprise Client, and High Security)
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RDSessMgr\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy    Table 3.190 Remote Desktop Help Session Manager: Manual (default); Disabled (Legacy Client, Enterprise Client, and High Security)



(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy    ….
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy    Table 3.194 Remote Registry Service: Automatic (Legacy Client, Enterprise Client, and High Security)
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy    Table 3.201 Routing and Remote Access Service: Disabled (Legacy Client, Enterprise Client, and High Security)
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RshSvc\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy    ….
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SIMPTCP\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy    Table 3.208 Simple TCP/IP Services: Not installed (default); Disabled (Legacy Client, Enterprise Client, and High Security)



(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SMTPSVC\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy    Table 3.207 Simple Mail Transport Protocol (SMTP): Not installed (default); Disabled (Legacy Client, Enterprise Client, and High Security)


(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy    Table 3.211 SNMP Service: Not installed (default); Disabled (Legacy Client, Enterprise Client, and High Security)


(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMPTRAP\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy    Table 3.212 SNMP Trap Service: Not installed (default); Disabled (Legacy Client, Enterprise Client, and High Security)




(1) defined by the Services Administrative Tool (2) defined by Group Policy    ….
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy    Table 3.216 Task Scheduler: Automatic (default); Disabled (Legacy Client, Enterprise Client, and High Security)
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy    Table 3.220 Telnet Service: Disabled (Legacy Client, Enterprise Client, and High Security)
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy    Table 3.221 Terminal Services: Manual (default); Automatic (Legacy Client, Enterprise Client, and High Security)
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\upnphost\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy    Table 3.182 Plug and Play: Automatic (Legacy Client, Enterprise Client, and High Security)
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy    Table 3.245 World Wide Web Publishing Service: Not installed (default); Disabled (Legacy Client, Enterprise Client, and High Security)


(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate (2) defined by the Services Administrative Tool (3) defined by Group Policy    Table 11.3 Automatic Update Service: Disabled
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy    Table 11.4 Background Intelligent Transfer Service: Disabled
(1) defined by the Services Administrative Tool (2) defined by Group Policy    ….
(1) set via Security Templates (2) defined by Group Policy    Table 3.119 Alerter Service: Disabled (Legacy Client, Enterprise Client, and High Security)


(1) set via Security Templates (2) defined by Group Policy    Table 3.123 Automatic Updates Service: Automatic (Legacy Client, Enterprise Client, and High Security)




(1) set via Security Templates (2) defined by Group Policy    ….
(1) set via Security Templates (2) defined by Group Policy    ….
(1) set via Security Templates (2) defined by Group Policy    ….
(1) set via Security Templates (2) defined by Group Policy    ….
(1) set via Security Templates (2) defined by Group Policy    ….
(1) set via Security Templates (2) defined by Group Policy    ….
(1) set via Security Templates (2) defined by Group Policy    ….
(1) set via Security Templates (2) defined by Group Policy    ….
(1) defined by the Services Administrative Tool (2) defined by Group Policy    ….
(1) set via Security Templates (2) defined by Group Policy    ….
(1) set via Security Templates (2) defined by Group Policy    ….
(1) set via Security Templates (2) defined by Group Policy    ….
(1) set via Security Templates (2) defined by Group Policy    ….
(1) set via Security Templates (2) defined by Group Policy    ….
(1) set via Security Templates (2) defined by Group Policy    ….
(1) set via Security Templates (2) defined by Group Policy    ….
(1) set via Security Templates (2) defined by Group Policy    ….




(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymous (2) defined by Local or Group Policy    3.86 Network Access: Do not allow anonymous enumeration of SAM accounts and shares: Enabled (Legacy Client, Enterprise Client, and High Security)



(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM (2) defined by Local or Group Policy    3.85 Network Access: Do not allow anonymous enumeration of SAM accounts: Enabled (Legacy Client, Enterprise Client, and High Security)




(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AnonymousNameLookup (2) defined by Local or Group    Table 2.13 Network Access: Allow anonymous SID/NAME translation: Disabled

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security    ….




(1) Local Users and Groups MMC                                 ….

(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption (2) defined by Local or Group Policy    Table 3.73 Interactive logon: Message title for users attempting to log on: "It is an offense to continue without proper authorization" (Legacy Client, Enterprise Client, and High Security)
(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText (2) defined by Local or Group Policy    Table 3.72 Interactive logon: Message text for users attempting to log on: "This system is restricted to authorized users. Individuals attempting unauthorized access will be prosecuted. If unauthorized, terminate access now! Clicking on OK indicates your acceptance of the information in the background." (Legacy Client, Enterprise Client, and High Security)




(1) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon    ….




(1) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun    ….



(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableICMPRedirect    ….




(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DisableIPSourceRouting    ….
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\PerformRouterDiscovery    ….




(1) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DontDisplayLastUserName    Table 3.70 Interactive logon: Do not display last user name: Disabled (default); Enabled (Legacy Client, Enterprise Client, and High Security)



(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableDeadGWDetect    Table 3.246 Security Consideration for Network Attack: EnableDeadGWDetect = 0 (Legacy Client, Enterprise Client, and High Security)

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\KeepAliveTime    Table 3.246 Security Consideration for Network Attacks: KeepAliveTime = 300,000 (Legacy Client, Enterprise Client, and High Security)




(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netbt\Parameters\NoNameReleaseOnDemand    Table 3.248 Configure NetBIOS Name Release Security: Allow the computer to ignore NetBIOS name release requests except from WINS server: NoNameReleaseOnDemand = 1 (Legacy Client, Enterprise Client, and High Security)

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnablePMTUDiscovery    Table 3.246 Security Consideration for Network Attacks: EnablePMTUDiscovery = 0 (Legacy Client, Enterprise Client, and High Security)
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\SynAttackProtect    Table 3.246 Security Consideration for Network Attacks: SynAttackProtect = 1 (Legacy Client, Enterprise Client, and High Security)
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters\DisableSavePassword    ….
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SealSecureChannel (2) defined by Local or Group Policy    Table 3.64 Domain member: Digitally encrypt or sign secure channel data (always): Enabled (High Security); Disabled (Legacy Client and Enterprise Client)
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SignSecureChannel (2) defined by Local or Group Policy    Table 3.65 Domain member: Digitally encrypt or sign secure channel data (when possible): Enabled (Legacy Client, Enterprise Client, and High Security)



(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Session Manager\SafeDllSearchMode    Table 3.253 Enable Safe DLL Search Order: Enable Safe DLL search mode (recommended): SafeDllSearchMode = 1 (Legacy Client, Enterprise Client, and High Security)


(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon\SyncForegroundPolicy    ….

(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Policies\system\DisableBkGndGroupPolicy    ….

(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Network Connections\NC_AllowNetBridge_NLA    ….

(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\KMPrintersAreBlocked    ….


(1) defined by Local or Group Policy    Table 3.61 Domain controller: Allow server operators to schedule tasks: Not Defined (default); Disabled (Legacy Client, Enterprise Client, and High Security)



(1) defined by Local or Group Policy                       ….



(1) defined by Local or Group Policy                       ….
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\AutoDisconnect (2) defined by Local or Group Policy    Table 3.81 Microsoft network server: Amount of idle time required before suspending session: 15 minutes (Legacy Client, Enterprise Client, and High Security)
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\AuditBaseObjects (2) defined by Local or Group Policy    Table 3.52 Audit: Audit the access of global system objects: Disabled (Legacy Client, Enterprise Client, and High Security)
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\FullPrivilegeAuditing (2) defined by Local or Group Policy    Table 3.53 Audit: Audit the use of backup and restore privilege: Disabled (Legacy Client, Enterprise Client, and High Security)



(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD (2) defined by Local or Group Policy    Table 3.71 Interactive logon: Do not require CTRL+ALT+DEL: Disabled (Legacy Client, Enterprise Client, and High Security)




(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\LMCompatibilityLevel (2) defined by Local or Group Policy    Table 3.96 Network security: LAN Manager authentication level: Send NTLM response only (default); Send NTLMv2 response only\refuse LM & NTLM (High Security); Send NTLMv2 responses only (Legacy Client and Enterprise Client)
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers\AddPrinterDrivers (2) defined by Local or Group Policy    Table 3.57 Devices: Prevent users from installing printer drivers: Enabled (Legacy Client, Enterprise Client, and High Security)



(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SecurityLevel (2) defined by Local or Group Policy    Table 3.100 Recovery console: Allow automatic administrative logon: Disabled (Legacy Client, Enterprise Client, and High Security)
(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SetCommand (2) defined by Local or Group Policy    Table 3.101 Recovery console: Allow floppy copy and access to all drives and all folders: Disabled (High Security); Enabled (Legacy Client and Enterprise Client)


(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateCDRoms (2) defined by Local or Group Policy    ….


(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateFloppies (2) defined by Local or Group Policy    Table 10.2 Devices: Restrict floppy access to locally logged-on user only: Enabled (Enterprise Client)

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\ProtectionMode (2) defined by Local or Group Policy    Table 3.108 System objects: Strengthen default permissions of internal system objects: Enabled (Legacy Client, Enterprise Client, and High Security)



(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireStrongKey (2) defined by Local or Group Policy    Table 3.69 Domain member: Require strong (W2K or later) session key: Disabled (default); Enabled (Legacy Client, Enterprise Client, and High Security)



(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnablePlainTextPassword (2) defined by Local or Group Policy    Table 3.80 Microsoft network client: Send unencrypted password to third-party SMB servers: Disabled (Legacy Client, Enterprise Client, and High Security)



(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Driver Signing\Policy (2) defined by Local or Group Policy    ….


(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\PasswordExpiryWarning (2) defined by Local or Group Policy    Table 3.75 Interactive logon: Prompt user to change password before expiration: 14 days (Legacy Client, Enterprise Client, and High Security)
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\CrashOnAuditFail (2) defined by Local or Group Policy    Table 3.54 Audit: Shut down system immediately if unable to log security audits: Disabled (Legacy Client and Enterprise Client); Enabled (High Security)



(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ShutdownWithoutLogon (2) defined by Local or Group Policy    Table 3.102 Shutdown: Allow system to be shut down without having to log on: Disabled (Legacy Client, Enterprise Client, and High Security)

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown (2) defined by Local or Group Policy    Table 3.103 Shutdown: Clear virtual memory page file: Disabled (Legacy Client and Enterprise Client); Enabled (High Security)


(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\RequireSecuritySignature (2) defined by Local or Group Policy    ….

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature (2) defined by Local or Group Policy    ….

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature (2) defined by Local or Group Policy    ….


(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount (2) defined by Local or Group Policy    Table 3.74 Interactive logon: Number of previous logons to cache: 1 (Legacy Client); 0 (Enterprise Client and High Security)

(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateDASD (2) defined by Local or Group Policy    Table 3.56 Devices: Allowed to format and eject removable media: Administrators (Legacy Client, Enterprise Client, and High Security)
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal (2) defined by Local or Group Policy    Table 3.64 Domain member: Digitally encrypt or sign secure channel data: Enabled (High Security); disabled (Legacy Client and Enterprise Client)



(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SealSecureChannel (2) defined by Local or Group Policy    Table 3.65 Domain member: Digitally encrypt secure channel data (when possible): Enabled (Legacy Client, Enterprise Client, and High Security)



(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SignSecureChannel (2) defined by Local or Group Policy    Table 3.66 Domain member: Digitally sign secure channel data (when possible): Enabled (Legacy Client, Enterprise Client, and High Security)
(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ScRemoveOption (2) defined by Local or Group Policy    Table 3.77 Interactive logon: Smart card removal behavior: Lock Workstation (Enterprise Client and High Security); Legacy Client is not defined


(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy (2) defined by Local or Group Policy    Table 3.105 System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing: Disabled (Legacy Client, Enterprise Client, and High Security)


(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\NoDefaultAdminOwner (2) defined by Local or Group Policy    Table 3.106 System objects: Default owner for objects created by members of the Administrators group: Administrators group (default); Object creator (Legacy Client, Enterprise Client, and High Security)



(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel\ObCaseInsensitive (2) defined by Local or Group Policy    Table 3.107 System objects: Require case insensitivity for non-Windows subsystems: Enabled (Legacy Client, Enterprise Client, and High Security)
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse (2) defined by Local or Group Policy    Table 3.51 Accounts: Limit local account use of blank passwords to console logon only: Enabled (Legacy Client, Enterprise Client, and High Security)


(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\UndockWithoutLogon (2) defined by Local or Group Policy    Table 3.55 Devices: Allow undock without having to log on: Enabled (default); Disabled (Legacy Client, Enterprise Client, and High Security)
(1) defined by Local or Group Policy    Table 3.62 Domain controller: LDAP server signing requirements: Not Defined (Legacy Client and Enterprise Client); Require signing (High Security)


(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP\LDAPClientIntegrity (2) defined by Local or Group Policy    Table 3.97 Network security: LDAP client signing requirements: Negotiate signing (Legacy Client, Enterprise Client, and High Security)


(1) defined by Local or Group Policy    Table 3.63 Domain controller: Refuse machine account password changes: Not Defined (default); Disabled (Legacy Client, Enterprise Client, and High Security)

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\MaximumPasswordAge (2) defined by Local or Group Policy    Table 3.68 Domain member: Maximum machine account password age: 30 days (Legacy Client, Enterprise Client, and High Security)




(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ForceUnlockLogon (2) defined by Local or Group Policy    Table 3.76 Interactive logon: Require domain controller authentication to unlock workstation: Disabled (default); Enabled (Legacy Client, Enterprise Client, and High Security)



(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableForcedLogoff (2) defined by Local or Group Policy    Table 3.84 Microsoft network server: Disconnect clients when logon hours expire: Enabled (Legacy Client, Enterprise Client, and High Security)
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\DisableDomainCreds (2) defined by Local or Group Policy    Table 3.87 Network access: Do not allow storage of credentials or .NET Passports for network authentications: Disabled (default); Enabled (Legacy Client, Enterprise Client, and High Security)




(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous (2) defined by Local or Group Policy    Table 3.88 Network access: Let Everyone permissions apply to anonymous users: Disabled (Legacy Client, Enterprise Client, and High Security)




(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionPipes (2) defined by Local or Group Policy    Table 3.89 Network access: Named Pipes that can be accessed anonymously: None (Legacy Client, Enterprise Client, and High Security)




(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPathsHKLM (2) defined by Local or Group Policy    Table 3.90 Network access: Remotely accessible registry paths: System\currentControlSet\Control\Products Options; System\CurrentControlSet\Control\server Applications; Software\Microsoft\Windows NT\CurrentVersion (Legacy Client, Enterprise Client, and High Security)



(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionShares (2) defined by Local or Group Policy    Table 3.93 Network Access: Shares that can be accessed anonymously: None (Legacy Client, Enterprise Client, and High Security)
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\ForceGuest (2) defined by Local or Group Policy    Table 3.94 Network Access: Sharing and security model for local accounts: Classic - local users authenticate as themselves (Legacy Client, Enterprise Client, and High Security)



(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash (2) defined by Local or Group Policy    Table 3.95 Network Security: Do not store LAN Manager hash value on next password change: Enabled (Legacy Client, Enterprise Client, and High Security)



(1) defined by Local or Group Policy    Table 2.14 Network Security: Force Logoff when logon hours expire: Disabled (default); Enabled (Legacy Client, Enterprise Client, and High Security)




                                                       Table 3.98 Network Security:
(1)                                                    Minimum session security for
                                                       NTLM SSP based clients: No
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\
                                                       minimum (Legacy Client);
Lsa\MSV1_0\NTLMMinClientSec (2) defined by Local or    Enabled all settings (Enterprise
Group Policy                                           Client and High Security)




                                                       Table 3.99 Network Security:
(1)                                                    Minimum session security for
                                                       NTLM SSP based servers: No
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\
                                                       minimum (Legacy Client);
Lsa\MSV1_0\NTLMMinServerSec (2) defined by Local or    Enabled all settings (Enterprise
Group Policy                                           Client and High Security)

(1) HKEY_CURRENT_USER\Control
Panel\Desktop\SCRNSAVE.EXE                             ….
(1) HKEY_CURRENT_USER\Control
Panel\Desktop\ScreenSaveTimeOut                        ….


(1) HKEY_CURRENT_USER\Control
Panel\Desktop\ScreenSaverIsSecure                      ….


(1) HKEY_CURRENT_USER\Control
Panel\Desktop\ScreenSaveActive                         ….


(1) HKEY_USERS\.DEFAULT\Control
Panel\Desktop\ScreenSaveTimeOut                        ….



(1) HKEY_USERS\.DEFAULT\Control
Panel\Desktop\ScreenSaverIsSecure                      ….



(1) HKEY_USERS\.DEFAULT\Control
Panel\Desktop\ScreenSaveActive                         ….

(1) HKEY_CURRENT_USER\Control
Panel\Desktop\SCRNSAVE.EXE                             ….


(1) HKEY_CURRENT_USER\Control
Panel\Desktop\ScreenSaveTimeOut                        ….



(1) HKEY_CURRENT_USER\Control
Panel\Desktop\ScreenSaverIsSecure                      ….



(1) HKEY_CURRENT_USER\Control
Panel\Desktop\ScreenSaveActive                         ….


                                                       Table 3.251 Make screensaver
                                                       password protection immediate:
                                                       the time in seconds before the
                                                       screen saver grace period
GPO path: User Configuration\Administrative            expires: 0 (Legacy Client,
Templates\Control Panel\Display\Password protect the   Enterprise Client, and High
screen saver                                           Security)
GPO path: User Configuration\Administrative
Templates\Control Panel\Display\Screen Saver timeout    ….

(1)
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Window
s\Installer\AlwaysInstallElevated                       ….

(1)
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Window
s\Installer\EnableUserControl                           ….

(1)
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Window
s\Installer\AllowLockDownBrowse                         ….

(1)
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Window
s\Installer\AllowLockDownMedia                          ….

(1)
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Window
s\Installer\EnableAdminTSRemote                         ….

(1)
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Window
s\Installer\AllowLockDownPatch                          ….

(1)
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Window
s\Installer\TransformSecure                             ….

(1)
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Window
sMediaPlayer\DisableAutoupdate                          ….

(1)
HKEY_CURRENT_USER\Software\Policies\Microsoft\Window
sMediaPlayer\PreventCodecDownload                       ….
 (1)
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Messen
ger\Client\{9b017612-c9f1-11d2-8d9f-
0000f875c541}\Disabled (2)
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Messen
gerService                                              ….
                                                        Table 3.167 Messenger:
(1)
                                                        Disabled (Legacy Client,
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Messen   Enterprise Client, and High
ger\Client\PreventRun                                   Security)
(1)
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Messen
ger\Client\PreventAutoRun                               ….

(1)
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windo
ws\Task Scheduler5.0\Property Pages                     ….

(1)
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windo
ws\Task Scheduler5.0\Task Creation

(1)
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Window
s NT\Terminal Services\fSingleSessionPerUser            ….

(1)
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Window
s NT\Terminal Services\MaxInstanceCount                 ….


(1)
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Window
s NT\Terminal Services\fDenyTSConnections               ….




(1)
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Window
s NT\Terminal Services\fWritableTSCCPermTab             ….

(1)
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windo
ws NT\Terminal Services\Shadow                          ….


(1)
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Window
s NT\Terminal Services\fPromptForPassword               ….


                                                        Table 3.255 Set client
(1)
                                                        connection encryption level:
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Window   High (Legacy Client, Enterprise
s NT\Terminal Services\MinEncryptionLevel               Client, and High Security)


(1)
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Window
s NT\Terminal Services\PerSessionTempDir                ….
(1)
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Window
s NT\Terminal Services\DeleteTempDirsOnExit             ….


(1)
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Window
s NT\Terminal Services\MaxDisconnectionTime             ….

(1)
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Window
s NT\Terminal Services\MaxIdleTime                      ….


(1)
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Window
s NT\Terminal Services\fReconnectSame                   ….


(1)
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Window
s NT\Terminal Services\fResetBroken                     ….

(1)
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Window
s NT\Terminal Services\KeepAliveEnable                  ….


(1)
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Window
s NT\Terminal Services\fAllowToGetHelp                  ….


(1)
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Window
s NT\Terminal Services\fAllowUnsolicited                ….
                                                        Table 3.257 Error Reporting:
(1)
                                                        Disabled (Legacy Client,
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\PCHeal   Enterprise Client, and High
th\ErrorReporting\DoReport                              Security)



                                                        ….



                                                        ….



                                                        ….
                                                             ….
                                                             Table 3.199 Removable
                                                             Storage: Disabled (Legacy
                                                             Client, Enterprise Client, and
                                                             High Security)


                                                             Table 11.3 Automatic
                                                             Updates: Disabled

                                                             Table 11.3 Automatic
                                                             Updates: Disabled

                                                             Table 11.3 Automatic
                                                             Updates: Disabled

                                                             Table 11.3 Automatic
                                                             Updates: Disabled


                                                             Table 11.3 Automatic
                                                             Updates: Disabled




                                                             ….




HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services
\Tcpip\Parameters\TCPMaxPortsExhausted

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Window
s\CurrentVersion\Internet Settings\Use_HKLM_only Local
Internet Options: GPO Settings:[Computer Configuration |
User Configuration]/Network/Internet Explorer, Registry
Keys:[HKLM |
HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\I
nternet Settings\Security_HKLM_only                          ….
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Window
s\CurrentVersion\Internet Settings\Security_Zones_Map_Edit
Local Internet Options: GPO Settings:[Computer
Configuration | User Configuration]/Network/Internet Explorer,
Registry Keys:[HKLM |
HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\I
nternet Settings\Security_zones_map_edit                         ….



HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet
Explorer\InfoDelivery\Restrictions\NoUpdateCheck Local
Internet Options: GPO Settings:[Computer Configuration |
User Configuration]/Network/Internet Explorer, Registry
Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet
Explorer\Infodelivery\Restrictions\NoUpdateCheck                 ….


HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curre
ntVersion\Policies\Explorer\NoMSAppLogo5ChannelNotify,Loc
al Internet Options: GPO Settings:[Computer Configuration |
User Configuration]/Network/Internet Explorer/Internet Control
Panel/Security Features/Restrict File Download, Registry
Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet
Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILED
OWNLOAD\(Reserved), [HKLM |
HKCU]\Software\Policies\Microsoft\Internet
Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILED
OWNLOAD\explorer.exe, [HKLM |
HKCU]\Software\Policies\Microsoft\Internet
Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILED
OWNLOAD\iexplore.exe                                             ….
 (1)
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet
 Explorer\InfoDelivery\Restrictions\NoJITSetup,Local Internet
Options: GPO Settings:[Computer Configuration | User
Configuration]/Network/Internet Explorer, Registry
Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet
Explorer\Infodelivery\Restrictions\NoJITSetup                    ….
 (1)
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windo
ws\CurrentVersion\Internet
Settings\ProxySettingsPerUser,Local Internet Options: GPO
Settings:[Computer Configuration | User
Configuration]/Network/Internet Explorer, Registry
Keys:[HKLM |
HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\I
nternet Settings\ProxySettingsPerUser                            ….
 (1)
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windo
ws\CurrentVersion\Internet
Settings\Security_options_edit,Local Internet Options: GPO
Settings:[Computer Configuration | User
Configuration]/Network/Internet Explorer, Registry
Keys:[HKLM |
HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\I
nternet Settings\Security_options_edit                       ….
     Center for Internet
     Security Windows                      DISA Stig for Windows 2003
        Server 2003




4.2.15 Deny access to this
computer from the network
(minimum): Not Defined                ….



4.2.1 Access this computer from the
network: Not Defined;                 5.1 User Rights: (4.015: CAT I) Built-in Guest
Administrators, Authenticated         account, Everyone group, guests group, and
Users, Enterprise Domain              Domain Guests group DO NOT have the right to
Controllers (Specialized Security)    "access this computer from the network"




                                      5.1 User Rights: (4.009: CAT I) Individual and
4.2.2 Act as part of the operating    group accounts DO NOT have the right to "act
system: none                          as part of the operating system"



4.2.36 Backup files and directories:
Administrators (Specialized Security) ….



4.2.8 Bypass traverse checking: Not
Defined                             ….




4.2.9 Change the system time:
Administrators                        ….



4.2.10 Create a pagefile:
Administrators (Specialized Security) ….
4.2.11 Create a token object: None   ….



4.2.13 Create permanent shared
objects: None                        ….




4.2.14 Debug Programs: None          ….




4.2.21 Force shutdown from a
remote system: Administrators
(Specialized Security)               ….



4.2.22 Generate security audits:
Local Service, Network Service
(Specialized Security)               ….




4.2.4 Adjust memory quotas for a
process: Network Service, Local
Service, Administrators (Specialized
Security)                            ….




4.2.24 Increase scheduling priority:
Administrators (Specialized Security) ….




4.2.25 Load and unload device
drivers: Administrators              ….




4.2.26 Lock pages in memory:
Administrators (Specialized Security) ….
4.2.27 Log on as a batch job: None   ….



4.2.28 Log on as a service: Not
Defined                              ….

                                     5.1 User rights: (4.026: CAT II) Built-in Guest
                                     account, guests group, and Domain guests
4.2.5 Allow log on locally:          group, HelpAssistant, and Support_388945a0
Administrators                       are assigned the right to DENY log on locally




4.2.29 Manage auditing and
security log: Administrators
(Specialized Security)               ….




4.2.30 Modify firmware environment
values: Administrators (Specialized
Security)                           ….




4.2.32 Profile single process:
Administrators (Specialized Security) ….




4.2.33 Profile system performance:
Administrators (Specialized Security) ….




4.2.34 Remove computer from
docking station: Administrators
(Specialized Security)               ….




4.2.35 Replace a process level
token: Network Service, Local
Service                              ….
4.2.36 Restore files and directories:
Administrators (Specialized Security) ….




4.2.37 Shut down the system:
Administrators (Enterprise,
Specialized Security)                ….




4.2.39 Take ownership of file or
other objects: Administrators        ….




4.2.38 Synchronize directory
service data: None                   ….

                                     5.1 User rights: (4.026: CAT II) Built-in Guest
                                     account, guests group, and Domain guests
4.2.18 Deny logon locally: Not       group, HelpAssistant, and Support_388945a0
Defined                              are assigned the right to DENY log on locally




4.2.20 enable computer and user
accounts to be trusted for
delegation: None                     ….



4.2.3 Add workstations to domain:
Not Defined; None (Specialized
Security)                            ….
                                  5.1 User Rights: (4.040: CAT I) No one has
                                  the right to allow logon through Terminal
4.2.6 Allow logon through         Services unless the machine is performing
terminal services: Administrators the role of a Terminal Server




4.2.16 Deny logon as a batch job:
Not Defined                          ….



4.2.17 Deny logon as a service: Not
Defined                             ….



                                   5.1 User Rights: (4.041: CAT II) The Everyone
                                   group is assigned the right to deny logon
                                   through Terminal Services unless the machine
4.2.19 Deny logon through Terminal is performing the role of a Terminal Server,
Services: Not Defined              then the Guests group is assigned




4.2.31 Perform volume
maintenance tasks: Administrators    5.4.5.1 [AP] User Rights Assignments: Perform
(Specialized Security)               Volume Maintenance Tasks: Administrators




2.2.3.3 Reset Account Lockout        5.4.2.2 [A] Bad Logon Counter Reset: 15
After: 15 minutes                    minutes


                                     4.5.3 Password Policy (4.004: CAT II) The
2.2.3.1 Account Lockout Duration:    Account Lockout duration set to 15 minutes or
15 minutes                           more


2.2.3.2 Account Lockout Threshold:   4.5.3 Password Policy (4.002: CAT II) The
15 attempts; 10 attempts             Account Lockout Threshold will be set to 3 or
(Specialized Security)               less




2.2.1.1 Audit Account Logon
Events: Success/Failure              ….



2.2.1.1 Audit Account Logon
Events: Success/Failure              ….
2.2.1.2 Audit Account Management:
Success/Failure                   ….




2.2.1.2 Audit Account Management:
Success/Failure                   ….




2.2.1.3 Audit Directory Service    6.4 System Audit Settings: Audit directory
Access: Not Defined                service access: Not Defined




2.2.1.3 Audit Directory Service    6.4 System Audit Settings: Audit directory
Access: Not Defined                service access: Not Defined



2.2.1.4 Audit Logon Events:        6.4 System Audit Settings: Audit logon events:
Success and Failure                Success, Failure



2.2.1.4 Audit Logon Events:        6.4 System Audit Settings: Audit logon events:
Success and Failure                Success, Failure




2.2.1.5 Audit Object Access:
Success/Failure                    ….



2.2.1.5 Audit Object Access:
Success/Failure                    ….




2.2.1.6 Audit Policy Change:       6.4 System Audit Settings: Audit policy change:
Success                            Success, Failure



2.2.1.6 Audit Policy Change:       6.4 System Audit Settings: Audit policy change:
Success                            Success, Failure




2.2.1.7 Audit Privilege Use: Not   6.4 System Audit Settings: Audit privilege use:
Defined                            Failure
2.2.1.7 Audit Privilege Use: Not    6.4 System Audit Settings: Audit privilege use:
Defined                             Failure




                                    6.4 System Audit Settings: Audit process
….                                  tracking: Not Defined




                                    6.4 System Audit Settings: Audit process
….                                  tracking: Not Defined



2.2.1.9 Audit System Events:        6.4 System Audit Settings: Audit system events:
Success                             Success, Failure



2.2.1.9 Audit System Events:        6.4 System Audit Settings: Audit system events:
Success                             Success, Failure




….                                  ….




2.2.4.1.2 Restrict Guest Access:
Enabled                             ….




2.2.4.1.1 Maximum Event Log Size:   5.4.7.1 [A] Event Log Sizes: Maximum
16MB                                application log size: 16384 kilobytes




                                    5.4.7.3 [AP] Preserving Security Events:
2.2.4.1.3 Log Retention Method:     Retention method for application log: Do not
Not Defined                         overwrite events (clear log manually)




2.2.4.2.2 Restrict Guest Access:
Enabled                             3.5 [M] Access to Security Event Log: Auditors
                                    5.4.7.1 [A] Event Log Sizes: Maximum security
                                    log size: 16384 kilobytes




                                    6.2 Audit Log Requirements: (5.002: CAT II)
….                                  minimum of 81920KB




2.2.4.2.3 Log Retention Method:
Not Defined                         ….



                                    5.4.7.2 [A] Restrict Event Log Access Over
2.2.4.3.2 Restrict Guest Access:    Network: Prevent local guests group from
Enabled                             accessing security log: Enabled




2.2.4.3.1 Maximum Event Log Size:   5.4.7.1 [A] Event Log Sizes: Maximum system
16MB                                log size: 16384 kilobytes




                                    6.2 Audit Log Requirements: (5.002: CAT II)
….                                  minimum of 81920KB




….                                  ….



2.1.2 Maximum Password Age: 90      4.5.3 Password Policy: (4.011: CAT II)
Days                                Maximum password age is set to 90 days or less


2.2.2.1 Minimum Password Age: 1     4.5.3 Password Policy: (4.012: CAT II) Minimum
day                                 password age is set to 1 day or more
2.2.2.3 Minimum Password Length:
8 characters; 12 characters        5.4.1.3 [AP] Minimum Password Length: 8
(Specialized Security)             characters


                                   5.4.1.5 [M] Enable strong Password Filtering:
2.2.2.4 Password Complexity:       Password must meet complexity requirements:
Enabled                            Enabled




2.2.2.5 Password History: 24       5.4.1.4 [A] Password Uniqueness: Enforce
passwords remembered               password history: 24 passwords




2.2.2.6 Store Passwords Using      5.4.1.6 [M] Disable Reversible Password
Reversible Encryption: Disabled    Encryption: Disabled




4.1.1 Alerter: Disabled            ….




                                   7.6.1 Automatic Updates Service: Disable if not
….                                 needed




                                   7.6.2 Background Intelligent Transfer Service
….                                 (BITS): Disable if not needed




4.1.3 Clipbook: Disabled           ….




4.1.4 Fax Service: Disabled        ….




4.1.7 FTP Publishing Service:
Disabled                           7.6.3 FTP Service: Disabled
4.1.10 IIS Admin Service: Disabled   ….




4.1.11 Indexing Service: Disabled    ….




4.1.13 Messenger: Disabled           8.3.4 Windows Messenger: Disabled

                                     8.4.3 .NET Framework: (5.069: CAT II) the
                                     .NET Framework is not active on the system
                                     unless it only supports locally developed .NET
….                                   applications




4.1.15 NetMeeting Remote Desktop 7.6.4 NetMeeting Remote Desktop Sharing
Sharing: Disabled                Service: (5.063: CAT II) Disabled


                                     7.6.5 Print Services for Unix: (5.026: CAT II)
….                                   Remove if not required




4.1.20 Remote Access Auto            7.6.7 Remote Access Auto Connection
Connection Manager: Disabled         Manager Service: (5.064: CAT II) Disabled




4.1.23 Remote Desktop Help           7.6.8 Remote Desktop Help Session Manager:
Session Manager: Disabled            (5.065: CAT II) Disabled




                                     8.3.9.1 Internet Connection Sharing: (3.085:
                                     CAT II) Prohibit use of Internet Connection
                                     Sharing on your DNS domain networks is
….                                   Enabled




4.1.26 Remote Registry Service:
Disabled (Specialized Security)      7.6.9 Remote Registry Service: Disabled
                               7.6.11 Routing and Remote Access Service:
….                             (5.067: CAT II) Disabled if not required


                               7.6.10 Remote Shell Service: (5.008: CAT II)
                               Service is removed by typing instsrv rshsvc
….                             remove at the command prompt




                               7.6.16 Telnet Servers: (5.010: CAT II) Simple
….                             TCP/IP services are disabled




4.1.31 Simple Mail Transfer
Protocol: Disabled             ….




4.1.32 Simple Network
Management Protocol Service:   7.6.13 SNMP Service: (5.026: CAT II) SNMP is
Disabled                       disabled if not required




4.1.33 Simple Network
Management Protocol Trap:
Disabled                       ….




                               7.6.14 Simple Service Discovery Protocol
….                             (SSDP) Service: (5.019: CAT I) Disabled




                               7.6.15 Task Scheduler Service: (5.009: CAT II)
….                             Disabled




4.1.35 Telnet: Disabled        ….
                                     7.6.17 Terminal Services: (5.020: CAT I)
4.1.36 Terminal Services: Disabled   Disabled on machines that are not performing
(Specialized Security)               as Terminal Servers




….                                   ….




4.1.39 World Wide Web Publishing
Services: Disabled                   ….




                                     7.6.1 Automatic Updates Service: Disable if not
….                                   needed




                                     7.6.2 Background Intelligent Transfer Service
….                                   (BITS): Disable if not needed


                                     7.6.5 Print Services for Unix: (5.026: CAT II)
….                                   Remove if not required




4.1.1. Alerter: Disabled             ….




….                                   ….




4.1.3 Clipbook: Disabled             ….




4.1.4 Fax Service: Disabled          ….



4.1.7 FTP Publishing Service:
Disabled                             ….
4.1.10 IIS Admin Service: Disabled   ….




4.1.11 Indexing Service: Disabled    ….




4.1.13 Messenger: Disabled           ….



4.1.15 NetMeeting Remote Desktop
Sharing: Disabled                ….



4.1.19 Print Spooler: Disabled
(Specialized Security)               ….



4.1.20 Remote Access Auto            7.6.7 Remote Access Auto Connection
Connection Manager: Disabled         Manager Service: (5.064: CAT II) Disabled




4.1.23 Remote Desktop Help
Session Manager: Disabled            ….



4.1.26 Remote Registry Service:
Disabled (Specialized Security)      ….



4.1.31 Simple Mail Transfer
Protocol: Disabled                   ….


4.1.32 Simple Network
Management Protocol Service:
Disabled                             ….


4.1.33 Simple Network
Management Protocol Trap:
Disabled                             ….




4.1.35 Telnet: Disabled              ….
4.1.36 Terminal Services: Disabled
(Specialized Security)               ….




4.1.39 World Wide Web Publishing
Services: Disabled                   ….




3.1.3 Network Access: Do not
allow anonymous enumeration          5.4.6.53 [AP] Restrict Anonymous Network
of SAM accounts and shares:          Shares: Network Access: Do not allow
Enabled (Enterprise and              anonymous enumeration of SAM accounts:
Specialized Security)                Enabled




….                                   ….




3.1.1 Network Access: Allow
Anonymous SID/Name Translation:      5.4.6.52 Network Access: Allow anonymous
Disabled (Specialized Security)      SID/Name translation: Disabled




….                                   3.5 [M] Access to Security Event Log: Auditors



                                     5.2 Windows Server 2003 Built-in Accounts:
….                                   (4.048: CAT II) Disabled




3.2.1.27 Interactive Logon:          5.4.6.22 [AP] Display Legal Notice: Interactive
Message Title for Users Attempting   Logon: Message title for users attempting to log
to Log On: <Custom or DoJ            on: US Department of Defense Warning
Approved>                            Statement
3.2.1.26 Interactive Logon:
Message Text for Users Attempting
to Log On: <Custom or DoJ               5.4.6.22 Interactive Logon: Message text for
Approved>                               users attempting to log on




                                        5.4.6.38 [A] Disable Administrator Automatic
….                                      Logon: Disabled




                                        5.4.6.47 [A] Disable Media Autoplay: MSS:
                                        Disable Autorun on all drives: 255, disable
….                                      Autorun for all drives




                                        5.4.6.41 [A] ICMP Redirects: MSS:
                                        (EnableICMPRedirect) Allow ICMP redirects to
….                                      override OSPF generated routes: Disabled




3.2.1.69 MSS: IP Source Routing
protection level: Highest Protection,   5.4.6.39 MSS: DisableIPSourceRouting, IP
source routing is automatically         source routing packet spoofing: Highest
disabled                                protection, source routing is completely disabled
3.2.1.74 MSS: Allow IRDP to detect
and configure DefaultGateway
addresses: Disabled                  ….




3.2.1.24 Interactive Logon: Do Not
Display Last User Name: Enabled      ….




3.2.1.70 MSS: Allow automatic        5.4.6.40 [A] Detection of Dead Gateways: MSS:
detection of dead network            (EnableDeadGWDetect) Allow automatic
gateways: Disabled                   detection of dead network gateways: Disabled




3.2.1.82 MSS: How often keepalive
packets are sent in milliseconds:    5.4.6.49 MSS: How often keepalive packets are
300000                               sent in milliseconds: 300000




3.2.1.73 MSS: Allow the computer     5.4.6.42 [A] NetBIOS Name Release: MSS:
to ignore NetBIOS name release       (NoNameReleaseOnDemand) Allow computer
requests except from WINS            to ignore NetBIOS name release requests
servers: Enabled                     except from WINS Servers: Enabled



3.2.1.72 MSS:
EnablePMTUDiscovery, Allow
automatic detection of MTU size:
Enabled (Specialized Security)       ….



                                     5.4.6.44 MSS (SynAttackProtect) Syn attack
                                     protection level: Connections time out sooner if
                                     a SYN attack is detected


                                     5.4.6.6 ConGp: Prevent the dial-up password
….                                   from being saved: Enabled
3.2.1.19 Domain Member: Digitally   5.4.6.16 [A] Encryption of Secure Channel
Encrypt Secure Channel Data         Traffic: Domain Member: Digitally encrypt
(When Possible): Enabled            secure channel data (when possible): Enabled




3.2.1.20 Domain Member: Digitally   5.4.6.17: [A] Signing of Secure Channel Traffic:
Sign Secure Channel Data (When      Domain Member: Digitally sign secure channel
Possible): Enabled                  data (when possible): Enabled




3.2.1.80 MSS: Enable Safe DLL       5.4.6.48 [A] Safe DLL Search Mode: MSS:
search mode: Enabled                Enable Safe DLL search mode: Enabled




                                    8.3.5 Always wait for the network at computer
….                                  startup: Enabled


                                    8.3.6 Group Policy: (3.080: CAT II) Turn off
                                    background refresh of Group Policy is set to
….                                  Disabled


                                    8.3.9.2 Network Bridge: (3.086: CAT II) The
                                    setting Prohibit installation and configuration of
                                    network Bridge on your DNS domain network is
….                                  set to Enabled
                                    8.3.10 Installation of Printers Using Kernel-
                                    mode Drivers: (3.087: CAT II) the setting
                                    Disallow installation of printers using kernel-
….                                  mode drivers is set to Enabled




3.2.1.15 Domain Controller: Allow   5.4.6.12 [A] Server Operators Scheduling
Server Operators to Schedule        Tasks: Domain Controller: Allow server operators
Tasks: Disabled                     to schedule tasks: Disabled

                                    5.4.6.3 Accounts: Rename administrator
….                                  account: Should not be Administrator

                                    5.4.6.4 Account: Rename guest account: Any
….                                  value other than 'Guest'
                                     5.4.6.30[A] Idle Time Before Suspending a
                                     Session: Microsoft Network Server: Amount of
                                     idle time required before suspending a session:
                                     15 minutes



                                     5.4.7.76 [A] Global System Object Permission
3.2.1.6 Audit: Audit the access of   Strength: System objects: Strengthen default
global system objects: Not Defined   permissions of internal system objects: Enabled



3.2.1.7 Audit: Audit the use of
backup and restore privilege: Not
Defined                              ….




                                     5.4.6.21 [A] CTRL+ALT+DEL Security Attention
                                     Sequence: Interactive Logon: Do not require
….                                   CTRL+ALT+DEL: Disabled




3.2.1.50 Network Security: LAN
Manager Authentication Level:
Send NTLMv2 (Legacy), Send           5.4.6.64 [AP] LanMan Compatible Password
NTLMv2, refuse LM (Enterprise),      Option Not Properly Set: Network Security: LAN
Send NTLMv2, refuse LM and           Manager authentication level: Send NTLMv2
NTLM (Specialized Security)          response only/refuse LM & NTLM




3.2.1.11 Devices: Prevent users      5.4.6.9 [A] Secure Print Driver Installation:
from installing printer drivers:     Devices: Prevent users from installing printer
Enabled                              drivers: Enabled




3.2.1.54 Recovery Console: Allow     5.4.6.68 [A] Recovery Console - Automatic
Automatic Administrative Logon:      Logon: Allow automatic administrative logon:
Disabled                             Disabled
3.2.1.55 Recovery Console: Allow      5.4.6.69 [A] Recovery Console - Set Command:
Floppy Copy and Access to All         Recovery console: Allow floppy copy and
Drives and All Folders: Not Defined   access to all drives and folders: Disabled



3.2.1.12 Devices: Restrict CD-ROM
Access to Locally Logged-On User
Only: Not Defined                 ….



3.2.1.13 Devices: Restrict Floppy     5.4.6.10 [A] Secure Removable Media: Devices:
Access to Locally Logged-On User      Restrict floppy access to locally logged-on user
only: Not Defined                     only: Enabled




3.2.1.62 System Objects:              5.4.6.76 [A] Global System Object Permission
Strengthen default permissions of     Strength: System Objects: Strengthen default
internal system objects: Enabled      permissions of internal system objects: Enabled




                                      5.4.6.20 [AP] Strong Session Key
3.2.1.23 Domain Member: Require       (WIN2K/W2K3 Native Domains): Domain
Strong (Windows 2000 or later)        Member: Require Strong (Windows 2000 or
Session Key: Not Defined              later) Session Key: Enabled




3.2.1.35 Microsoft Network Client:
Send Unencrypted Password to
Connect to Third-Party SMB Server: 5.4.6.29 [A] Unencrypted Passwords to 3rd
Disabled                           party SMB Servers: Disabled


3.2.1.14 Devices: Unsigned driver
installation behavior: "Warn, but