Windows 10 Report

521
2157
2682
80.43
31
0

Hardening Settings

Table Of Contents

Click the link(s) below for quick access to a report section.

Benchmark Details

CIS Benchmarks-

This section contains the CIS Benchmark results.

Registry Settings/Group Policies-

IdTaskMessageStatus
1.1.6(L1) Ensure 'Relax minimum password length limits' is set to 'Enabled'CompliantTrue
2.3.1.2(L1) Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts'CompliantTrue
2.3.1.4(L1) Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled'CompliantTrue
2.3.2.1(L1) Ensure 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' is set to 'Enabled'CompliantTrue
2.3.2.2(L1) Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled'CompliantTrue
2.3.4.1(L1) Ensure 'Devices: Allowed to format and eject removable media' is set to 'Administrators and Interactive Users'CompliantTrue
2.3.4.2(L2) Ensure 'Devices: Prevent users from installing printer drivers' is set to 'Enabled'CompliantTrue
2.3.6.1(L1) Ensure 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'Enabled'CompliantTrue
2.3.6.2(L1) Ensure 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'Enabled'CompliantTrue
2.3.6.3(L1) Ensure 'Domain member: Digitally sign secure channel data (when possible)' is set to 'Enabled'CompliantTrue
2.3.6.4(L1) Ensure 'Domain member: Disable machine account password changes' is set to 'Disabled'CompliantTrue
2.3.6.5(L1) Ensure 'Domain member: Maximum machine account password age' is set to '30 or fewer days, but not 0'CompliantTrue
2.3.6.6(L1) Ensure 'Domain member: Require strong (Windows 2000 or later) session key' is set to 'Enabled'CompliantTrue
2.3.7.1(L1) Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled'CompliantTrue
2.3.7.2(L1) Ensure 'Interactive logon: Don't display last signed-in' is set to 'Enabled'CompliantTrue
2.3.7.3(BL) Ensure 'Interactive logon: Machine account lockout threshold' is set to '10 or fewer invalid logon attempts, but not 0'CompliantTrue
2.3.7.4(L1) Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0'CompliantTrue
2.3.7.5(L1) Configure 'Interactive logon: Message text for users attempting to log on'CompliantTrue
2.3.7.6(L1) Configure 'Interactive logon: Message title for users attempting to log on'CompliantTrue
2.3.7.7(L2) Ensure 'Interactive logon: Number of previous logons to cache (in case domain controller is not available)' is set to '4 or fewer logon(s)'CompliantTrue
2.3.7.8(L1) Ensure 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days'CompliantTrue
2.3.7.9(L1) Ensure 'Interactive logon: Smart card removal behavior' is set to 'Lock Workstation' or higherCompliantTrue
2.3.8.1(L1) Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled'CompliantTrue
2.3.8.2(L1) Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled'CompliantTrue
2.3.8.3(L1) Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled'CompliantTrue
2.3.9.1(L1) Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s)'CompliantTrue
2.3.9.2(L1) Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled'CompliantTrue
2.3.9.3(L1) Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled'CompliantTrue
2.3.9.4(L1) Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled'CompliantTrue
2.3.9.5(L1) Ensure 'Microsoft network server: Server SPN target name validation level' is set to 'Accept if provided by client' or higherCompliantTrue
2.3.10.1(L1) Ensure 'Network access: Allow anonymous SID/Name translation' is set to 'Disabled'Registry value not found.False
2.3.10.2(L1) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled'CompliantTrue
2.3.10.3(L1) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is set to 'Enabled'CompliantTrue
2.3.10.4(L1) Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled'CompliantTrue
2.3.10.5(L1) Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled'CompliantTrue
2.3.10.6(L1) Ensure 'Network access: Named Pipes that can be accessed anonymously' is set to 'None'CompliantTrue
2.3.10.7(L1) Ensure 'Network access: Remotely accessible registry paths' is configuredCompliantTrue
2.3.10.8(L1) Ensure 'Network access: Remotely accessible registry paths and sub-paths' is configuredCompliantTrue
2.3.10.9(L1) Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled'CompliantTrue
2.3.10.10(L1) Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow'CompliantTrue
2.3.10.11(L1) Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None'CompliantTrue
2.3.10.12(L1) Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves'CompliantTrue
2.3.11.1(L1) Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled'CompliantTrue
2.3.11.2(L1) Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled'CompliantTrue
2.3.11.3(L1) Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'CompliantTrue
2.3.11.4(L1) Ensure 'Network security: Configure encryption types allowed for Kerberos' is set to 'AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types'CompliantTrue
2.3.11.5(L1) Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled'CompliantTrue
2.3.11.7(L1) Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only. Refuse LM&NTLM'CompliantTrue
2.3.11.8(L1) Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signing' or higherCompliantTrue
2.3.11.9(L1) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to 'Require NTLMv2 session security, Require 128-bit encryption'CompliantTrue
2.3.11.10(L1) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to 'Require NTLMv2 session security, Require 128-bit encryption'CompliantTrue
2.3.14.1(L2) Ensure 'System cryptography: Force strong key protection for user keys stored on the computer' is set to 'User is prompted when the key is first used' or higherCompliantTrue
2.3.15.1(L1) Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled'CompliantTrue
2.3.15.2(L1) Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled'CompliantTrue
2.3.17.1(L1) Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled'CompliantTrue
2.3.17.2(L1) Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure desktop'CompliantTrue
2.3.17.3(L1) Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Automatically deny elevation requests'Registry value is '3'. Expected: 0False
2.3.17.4(L1) Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled'CompliantTrue
2.3.17.5(L1) Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled'CompliantTrue
2.3.17.6(L1) Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled'CompliantTrue
2.3.17.7(L1) Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled'CompliantTrue
2.3.17.8(L1) Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled'CompliantTrue
5.1(L2) Ensure 'Bluetooth Audio Gateway Service (BTAGService)' is set to 'Disabled'Registry value is '3'. Expected: 4False
5.2(L2) Ensure 'Bluetooth Support Service (bthserv)' is set to 'Disabled'Registry value is '3'. Expected: 4False
5.3(L1) Ensure 'Computer Browser (Browser)' is set to 'Disabled' or 'Not Installed'CompliantTrue
5.4(L2) Ensure 'Downloaded Maps Manager (MapsBroker)' is set to 'Disabled'CompliantTrue
5.5(L2) Ensure 'Geolocation Service (lfsvc)' is set to 'Disabled'CompliantTrue
5.6(L1) Ensure 'IIS Admin Service (IISADMIN)' is set to 'Disabled' or 'Not Installed'CompliantTrue
5.7(L1) Ensure 'Infrared monitor service (irmon)' is set to 'Disabled' or 'Not Installed'CompliantTrue
5.8(L1) Ensure 'Internet Connection Sharing (ICS) (SharedAccess)' is set to 'Disabled'CompliantTrue
5.9(L2) Ensure 'Link-Layer Topology Discovery Mapper (lltdsvc)' is set to 'Disabled'CompliantTrue
5.10(L1) Ensure 'LxssManager (LxssManager)' is set to 'Disabled' or 'Not Installed'CompliantTrue
5.11(L1) Ensure 'Microsoft FTP Service (FTPSVC)' is set to 'Disabled' or 'Not Installed'CompliantTrue
5.12(L2) Ensure 'Microsoft iSCSI Initiator Service (MSiSCSI)' is set to 'Disabled'CompliantTrue
5.13(L1) Ensure 'OpenSSH SSH Server (sshd)' is set to 'Disabled' or 'Not Installed'CompliantTrue
5.14(L2) Ensure 'Peer Name Resolution Protocol (PNRPsvc)' is set to 'Disabled'CompliantTrue
5.15(L2) Ensure 'Peer Networking Grouping (p2psvc)' is set to 'Disabled'CompliantTrue
5.16(L2) Ensure 'Peer Networking Identity Manager (p2pimsvc)' is set to 'Disabled'CompliantTrue
5.17(L2) Ensure 'PNRP Machine Name Publication Service (PNRPAutoReg)' is set to 'Disabled'CompliantTrue
5.18(L2) Ensure 'Print Spooler (Spooler)' is set to 'Disabled'Registry value is '2'. Expected: 4False
5.19(L2) Ensure 'Problem Reports and Solutions Control Panel Support (wercplsupport)' is set to 'Disabled'CompliantTrue
5.20(L2) Ensure 'Remote Access Auto Connection Manager (RasAuto)' is set to 'Disabled'CompliantTrue
5.21(L2) Ensure 'Remote Desktop Configuration (SessionEnv)' is set to 'Disabled'CompliantTrue
5.22(L2) Ensure 'Remote Desktop Services (TermService)' is set to 'Disabled'CompliantTrue
5.23(L2) Ensure 'Remote Desktop Services UserMode Port Redirector (UmRdpService)' is set to 'Disabled'CompliantTrue
5.24(L1) Ensure 'Remote Procedure Call (RPC) Locator (RpcLocator)' is set to 'Disabled'CompliantTrue
5.25(L2) Ensure 'Remote Registry (RemoteRegistry)' is set to 'Disabled'CompliantTrue
5.26(L1) Ensure 'Routing and Remote Access (RemoteAccess)' is set to 'Disabled'CompliantTrue
5.27(L2) Ensure 'Server (LanmanServer)' is set to 'Disabled'CompliantTrue
5.28(L1) Ensure 'Simple TCP/IP Services (simptcp)' is set to 'Disabled' or 'Not Installed'CompliantTrue
5.29(L2) Ensure 'SNMP Service (SNMP)' is set to 'Disabled' or 'Not Installed'CompliantTrue
5.30(L1) Ensure 'Special Administration Console Helper (sacsvr)' is set to 'Disabled' or 'Not Installed'CompliantTrue
5.31(L1) Ensure 'SSDP Discovery (SSDPSRV)' is set to 'Disabled'CompliantTrue
5.32(L1) Ensure 'UPnP Device Host (upnphost)' is set to 'Disabled'CompliantTrue
5.33(L1) Ensure 'Web Management Service (WMSvc)' is set to 'Disabled' or 'Not Installed'CompliantTrue
5.34(L2) Ensure 'Windows Error Reporting Service (WerSvc)' is set to 'Disabled'CompliantTrue
5.35(L2) Ensure 'Windows Event Collector (Wecsvc)' is set to 'Disabled'CompliantTrue
5.36(L1) Ensure 'Windows Media Player Network Sharing Service (WMPNetworkSvc)' is set to 'Disabled' or 'Not Installed'CompliantTrue
5.37(L1) Ensure 'Windows Mobile Hotspot Service (icssvc)' is set to 'Disabled'CompliantTrue
5.38(L2) Ensure 'Windows Push Notifications System Service (WpnService)' is set to 'Disabled'CompliantTrue
5.39(L2) Ensure 'Windows PushToInstall Service (PushToInstall)' is set to 'Disabled'CompliantTrue
5.40(L2) Ensure 'Windows Remote Management (WS-Management) (WinRM)' is set to 'Disabled'Registry value is '2'. Expected: 4False
5.41(L1) Ensure 'World Wide Web Publishing Service (W3SVC)' is set to 'Disabled' or 'Not Installed'CompliantTrue
5.42(L1) Ensure 'Xbox Accessory Management Service (XboxGipSvc)' is set to 'Disabled'CompliantTrue
5.43(L1) Ensure 'Xbox Live Auth Manager (XblAuthManager)' is set to 'Disabled'CompliantTrue
5.44(L1) Ensure 'Xbox Live Game Save (XblGameSave)' is set to 'Disabled'CompliantTrue
5.45(L1) Ensure 'Xbox Live Networking Service (XboxNetApiSvc)' is set to 'Disabled'CompliantTrue
9.1.1(L1) Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On (recommended)'CompliantTrue
9.1.2(L1) Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)'CompliantTrue
9.1.3(L1) Ensure 'Windows Firewall: Domain: Outbound connections' is set to 'Allow (default)'Registry value is '0'. Expected: 1False
9.1.4(L1) Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No'CompliantTrue
9.1.5(L1) Ensure 'Windows Firewall: Domain: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\domainfw.log'CompliantTrue
9.1.6(L1) Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16,384 KB or greater'Registry key not found.False
9.1.7(L1) Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes'Registry key not found.False
9.1.8(L1) Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes'Registry key not found.False
9.2.1(L1) Ensure 'Windows Firewall: Private: Firewall state' is set to 'On (recommended)'CompliantTrue
9.2.2(L1) Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)'CompliantTrue
9.2.3(L1) Ensure 'Windows Firewall: Private: Outbound connections' is set to 'Allow (default)'Registry value is '0'. Expected: 1False
9.2.4(L1) Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No'CompliantTrue
9.2.5(L1) Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\privatefw.log'CompliantTrue
9.2.6(L1) Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16,384 KB or greater'Registry key not found.False
9.2.7(L1) Ensure 'Windows Firewall: Private: Logging: Log dropped packets' is set to 'Yes'Registry key not found.False
9.2.8(L1) Ensure 'Windows Firewall: Private: Logging: Log successful connections' is set to 'Yes'Registry key not found.False
9.3.1(L1) Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)'CompliantTrue
9.3.2(L1) Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)'CompliantTrue
9.3.3(L1) Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow (default)'Registry value is '0'. Expected: 1False
9.3.4(L1) Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'No'CompliantTrue
9.3.5(L1) Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No'CompliantTrue
9.3.6(L1) Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No'CompliantTrue
9.3.7(L1) Ensure 'Windows Firewall: Public: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\publicfw.log'CompliantTrue
9.3.8(L1) Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16,384 KB or greater'CompliantTrue
9.3.9(L1) Ensure 'Windows Firewall: Public: Logging: Log dropped packets' is set to 'Yes'CompliantTrue
9.3.10(L1) Ensure 'Windows Firewall: Public: Logging: Log successful connections' is set to 'Yes'CompliantTrue
18.1.1.1(L1) Ensure 'Prevent enabling lock screen camera' is set to 'Enabled'CompliantTrue
18.1.1.2(L1) Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled'CompliantTrue
18.1.2.2(L1) Ensure 'Allow users to enable online speech recognition services' is set to 'Disabled'CompliantTrue
18.1.3(L2) Ensure 'Allow Online Tips' is set to 'Disabled'CompliantTrue
18.2.2(L1) Ensure 'Do not allow password expiration time longer than required by policy' is set to 'Enabled'CompliantTrue
18.2.3(L1) Ensure 'Enable Local Admin Password Management' is set to 'Enabled'CompliantTrue
18.2.4(L1) Ensure 'Password Settings: Password Complexity' is set to 'Enabled: Large letters + small letters + numbers + special characters'CompliantTrue
18.2.5(L1) Ensure 'Password Settings: Password Length' is set to 'Enabled: 15 or more'CompliantTrue
18.2.6(L1) Ensure 'Password Settings: Password Age (Days)' is set to 'Enabled: 30 or fewer'CompliantTrue
18.3.1(L1) Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled'CompliantTrue
18.3.2(L1) Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver (recommended)'CompliantTrue
18.3.3(L1) Ensure 'Configure SMB v1 server' is set to 'Disabled'CompliantTrue
18.3.4(L1) Ensure 'Enable Structured Exception Handling Overwrite Protection (SEHOP)' is set to 'Enabled'CompliantTrue
18.3.5(L1) Ensure 'Limits print driver installation to Administrators' is set to 'Enabled' (Automated)CompliantTrue
18.3.6(L1) Set 'NetBIOS node type' to 'P-node' (Ensure NetBT Parameter 'NodeType' is set to '0x2 (2)')CompliantTrue
18.3.7(L1) Ensure 'WDigest Authentication' is set to 'Disabled'CompliantTrue
18.4.1(L1) Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled'CompliantTrue
18.4.2(L1) Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'CompliantTrue
18.4.3(L1) Ensure 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'CompliantTrue
18.4.4(L2) Ensure 'MSS: (DisableSavePassword) Prevent the dial-up password from being saved' is set to 'Enabled'CompliantTrue
18.4.5(L1) Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled'CompliantTrue
18.4.6(L2) Ensure 'MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds' is set to 'Enabled: 300,000 or 5 minutes (recommended)'CompliantTrue
18.4.7(L1) Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled'CompliantTrue
18.4.8(L2) Ensure 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)' is set to 'Disabled'CompliantTrue
18.4.9(L1) Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' is set to 'Enabled'CompliantTrue
18.4.10(L1) Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' is set to 'Enabled: 5 or fewer seconds'CompliantTrue
18.4.11(L2) Ensure 'MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'CompliantTrue
18.4.12(L2) Ensure 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'CompliantTrue
18.4.13(L1) Ensure 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' is set to 'Enabled: 90% or less'CompliantTrue
18.5.4.1(L1) Ensure 'Configure DNS over HTTPS (DoH) name resolution' is set to 'Enabled: Allow DoH' or higherCompliantTrue
18.5.4.2(L1) Ensure 'Turn off multicast name resolution' is set to 'Enabled'CompliantTrue
18.5.5.1(L2) Ensure 'Enable Font Providers' is set to 'Disabled'CompliantTrue
18.5.8.1(L1) Ensure 'Enable insecure guest logons' is set to 'Disabled'CompliantTrue
18.5.9.1 A(L2) Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled' (Domain)CompliantTrue
18.5.9.1 B(L2) Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled' (Public)CompliantTrue
18.5.9.1 C(L2) Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled' (EnableLLTDIO),CompliantTrue
18.5.9.1 D(L2) Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled' (Private)CompliantTrue
18.5.9.2 A(L2) Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled' (AllowRspndrOnDomain)CompliantTrue
18.5.9.2 B(L2) Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled' (AllowRspndrOnPublicNet)CompliantTrue
18.5.9.2 C(L2) Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled' (EnableRspndr)CompliantTrue
18.5.9.2 D(L2) Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled' (ProhibitRspndrOnPrivateNet)CompliantTrue
18.5.10.2(L2) Ensure 'Turn off Microsoft Peer-to-Peer Networking Services' is set to 'Enabled'CompliantTrue
18.5.11.2(L1) Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled'CompliantTrue
18.5.11.3(L1) Ensure 'Prohibit use of Internet Connection Sharing on your DNS domain network' is set to 'Enabled'CompliantTrue
18.5.11.4(L1) Ensure 'Require domain users to elevate when setting a network's location' is set to 'Enabled'CompliantTrue
18.5.14.1 A(L1) Ensure 'Hardened UNC Paths' is set to 'Enabled, with "Require Mutual Authentication" and "Require Integrity" set for all NETLOGON and SYSVOL shares'CompliantTrue
18.5.14.1 B(L1) Ensure 'Hardened UNC Paths' is set to 'Enabled, with "Require Mutual Authentication" and "Require Integrity" set for all NETLOGON and SYSVOL shares'CompliantTrue
18.5.19.2.1(L2) Disable IPv6 (Ensure TCPIP6 Parameter 'DisabledComponents' is set to '0xff (255)')CompliantTrue
18.5.20.1(L2) Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled'CompliantTrue
18.5.20.2(L2) Ensure 'Prohibit access of the Windows Connect Now wizards' is set to 'Enabled'CompliantTrue
18.5.21.1(L1) Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to 'Enabled: 3 = Prevent Wi-Fi when on Ethernet'Registry value not found.False
18.5.21.2(L1) Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled'CompliantTrue
18.5.23.2.1(L1) Ensure 'Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services' is set to 'Disabled'CompliantTrue
18.6.1(L1) Ensure 'Allow Print Spooler to accept client connections' is set to 'Disabled'CompliantTrue
18.6.2(L1) Ensure 'Point and Print Restrictions: When installing drivers for a new connection' is set to 'Enabled: Show warning and elevation prompt'CompliantTrue
18.6.3(L1) Ensure 'Point and Print Restrictions: When updating drivers for an existing connection' is set to 'Enabled: Show warning and elevation prompt'CompliantTrue
18.7.1.1(L2) Ensure 'Turn off notifications network usage' is set to 'Enabled'CompliantTrue
18.8.3.1(L1) Ensure 'Include command line in process creation events' is set to 'Enabled'CompliantTrue
18.8.4.1(L1) Ensure 'Encryption Oracle Remediation' is set to 'Enabled: Force Updated Clients'CompliantTrue
18.8.4.2(L1) Ensure 'Remote host allows delegation of non-exportable credentials' is set to 'Enabled'CompliantTrue
18.8.5.1(NG) Ensure 'Turn On Virtualization Based Security' is set to 'Enabled'CompliantTrue
18.8.5.2(NG) Ensure 'Turn On Virtualization Based Security: Select Platform Security Level' is set to 'Secure Boot and DMA Protection'CompliantTrue
18.8.5.3(NG) Ensure 'Turn On Virtualization Based Security: Virtualization Based Protection of Code Integrity' is set to 'Enabled with UEFI lock'CompliantTrue
18.8.5.4(NG) Ensure 'Turn On Virtualization Based Security: Require UEFI Memory Attributes Table' is set to 'True (checked)'CompliantTrue
18.8.5.5(NG) Ensure 'Turn On Virtualization Based Security: Credential Guard Configuration' is set to 'Enabled with UEFI lock'CompliantTrue
18.8.5.6(NG) Ensure 'Turn On Virtualization Based Security: Secure Launch Configuration' is set to 'Enabled'CompliantTrue
18.8.7.1.1(BL) Ensure 'Prevent installation of devices that match any of these device IDs' is set to 'Enabled'Registry value not found.False
18.8.7.1.2(BL) Ensure 'Prevent installation of devices that match any of these device IDs: Prevent installation of devices that match any of these device IDs' is set to 'PCI\CC_0C0A'CompliantTrue
18.8.7.1.3(BL) Ensure 'Prevent installation of devices that match any of these device IDs: Also apply to matching devices that are already installed.' is set to 'True' (checked)Registry value not found.False
18.8.7.1.4(BL) Ensure 'Prevent installation of devices using drivers that match these device setup classes' is set to 'Enabled'CompliantTrue
18.8.7.1.5(BL) Ensure 'Prevent installation of devices using drivers that match these device setup classes: Prevent installation of devices using drivers for these device setup' is set to 'IEEE 1394 device setup classes'CompliantTrue
18.8.7.1.6(BL) Ensure 'Prevent installation of devices using drivers that match these device setup classes: Also apply to matching devices that are already installed.' is set to 'True' (checked)CompliantTrue
18.8.7.2(L1) Ensure 'Prevent device metadata retrieval from the Internet' is set to 'Enabled' (Automated)CompliantTrue
18.8.14.1(L1) Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical'CompliantTrue
18.8.21.2(L1) Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE'CompliantTrue
18.8.21.3(L1) Ensure 'Configure registry policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE'CompliantTrue
18.8.21.4(L1) Ensure 'Continue experiences on this device' is set to 'Disabled'CompliantTrue
18.8.21.5(L1) Ensure 'Turn off background refresh of Group Policy' is set to 'Disabled'CompliantTrue
18.8.22.1.1(L2) Ensure 'Turn off access to the Store' is set to 'Enabled'CompliantTrue
18.8.22.1.2(L1) Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'CompliantTrue
18.8.22.1.3(L2) Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled'CompliantTrue
18.8.22.1.4(L2) Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'CompliantTrue
18.8.22.1.5(L2) Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'CompliantTrue
18.8.22.1.6(L1) Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'CompliantTrue
18.8.22.1.7(L2) Ensure 'Turn off printing over HTTP' is set to 'Enabled'CompliantTrue
18.8.22.1.8(L2) Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'CompliantTrue
18.8.22.1.9(L2) Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'CompliantTrue
18.8.22.1.10(L2) Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled'CompliantTrue
18.8.22.1.11(L2) Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled'CompliantTrue
18.8.22.1.12(L2) Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'CompliantTrue
18.8.22.1.13(L2) Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'CompliantTrue
18.8.22.1.14 A(L2) Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'CompliantTrue
18.8.22.1.14 B(L2) Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'Registry value is '0'. Expected: x == 1False
18.8.25.1 A(L2) Ensure 'Support device authentication using certificate' is set to 'Enabled: Automatic' (DevicePKInitBehavior)CompliantTrue
18.8.25.1 B(L2) Ensure 'Support device authentication using certificate' is set to 'Enabled: Automatic' (DevicePKInitEnabled)CompliantTrue
18.8.26.1(BL) Ensure 'Enumeration policy for external devices incompatible with Kernel DMA Protection' is set to 'Enabled: Block All'CompliantTrue
18.8.27.1(L2) Ensure 'Disallow copying of user input methods to the system account for sign-in' is set to 'Enabled'CompliantTrue
18.8.28.1(L1) Ensure 'Block user from showing account details on sign-in' is set to 'Enabled'CompliantTrue
18.8.28.2(L1) Ensure 'Do not display network selection UI' is set to 'Enabled'CompliantTrue
18.8.28.3(L1) Ensure 'Do not enumerate connected users on domain-joined computers' is set to 'Enabled'CompliantTrue
18.8.28.4(L1) Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled'CompliantTrue
18.8.28.5(L1) Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled'CompliantTrue
18.8.28.6(L1) Ensure 'Turn off picture password sign-in' is set to 'Enabled'CompliantTrue
18.8.28.7(L1) Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled'CompliantTrue
18.8.31.1(L2) Ensure 'Allow Clipboard synchronization across devices' is set to 'Disabled'CompliantTrue
18.8.31.2(L2) Ensure 'Allow upload of User Activities' is set to 'Disabled'CompliantTrue
18.8.34.6.1(L1) Ensure 'Allow network connectivity during connected-standby (on battery)' is set to 'Disabled'CompliantTrue
18.8.34.6.2(L1) Ensure 'Allow network connectivity during connected-standby (plugged in)' is set to 'Disabled'CompliantTrue
18.8.34.6.3(BL) Ensure 'Allow standby states (S1-S3) when sleeping (on battery)' is set to 'Disabled'CompliantTrue
18.8.34.6.4(BL) Ensure 'Allow standby states (S1-S3) when sleeping (plugged in)' is set to 'Disabled'CompliantTrue
18.8.34.6.5(L1) Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled'CompliantTrue
18.8.34.6.6(L1) Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled'CompliantTrue
18.8.36.1(L1) Ensure 'Configure Offer Remote Assistance' is set to 'Disabled'CompliantTrue
18.8.36.2(L1) Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled'CompliantTrue
18.8.37.1(L1) Ensure 'Enable RPC Endpoint Mapper Client Authentication' is set to 'Enabled'CompliantTrue
18.8.37.2(L1) Ensure 'Restrict Unauthenticated RPC clients' is set to 'Enabled: Authenticated'CompliantTrue
18.8.48.5.1(L2) Ensure 'Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider' is set to 'Disabled'CompliantTrue
18.8.48.11.1(L2) Ensure 'Enable/Disable PerfTrack' is set to 'Disabled'CompliantTrue
18.8.50.1(L2) Ensure 'Turn off the advertising ID' is set to 'Enabled'CompliantTrue
18.8.53.1.1(L2) Ensure 'Enable Windows NTP Client' is set to 'Enabled'CompliantTrue
18.8.53.1.2(L2) Ensure 'Enable Windows NTP Server' is set to 'Disabled'CompliantTrue
18.9.4.1(L2) Ensure 'Allow a Windows app to share application data between users' is set to 'Disabled'CompliantTrue
18.9.4.2(L1) Ensure 'Prevent non-admin users from installing packaged Windows apps' is set to 'Enabled'CompliantTrue
18.9.5.1(L1) Ensure 'Let Windows apps activate with voice while the system is locked' is set to 'Enabled: Force Deny'CompliantTrue
18.9.6.1(L1) Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled'CompliantTrue
18.9.6.2(L2) Ensure 'Block launching Universal Windows apps with Windows Runtime API access from hosted content.' is set to 'Enabled'CompliantTrue
18.9.8.1(L1) Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled'CompliantTrue
18.9.8.2(L1) Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands'CompliantTrue
18.9.8.3(L1) Ensure 'Turn off Autoplay' is set to 'Enabled: All drives'CompliantTrue
18.9.10.1.1(L1) Ensure 'Configure enhanced anti-spoofing' is set to 'Enabled'CompliantTrue
18.9.11.1.1(BL) Ensure 'Allow access to BitLocker-protected fixed data drives from earlier versions of Windows' is set to 'Disabled'CompliantTrue
18.9.11.1.2(BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered' is set to 'Enabled'CompliantTrue
18.9.11.1.3(BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Allow data recovery agent' is set to 'Enabled: True'CompliantTrue
18.9.11.1.4(BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Recovery Password' is set to 'Enabled: Allow 48-digit recovery password'CompliantTrue
18.9.11.1.5(BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Recovery Key' is set to 'Enabled: Allow 256-bit recovery key'CompliantTrue
18.9.11.1.6(BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Omit recovery options from the BitLocker setup wizard' is set to 'Enabled: True'CompliantTrue
18.9.11.1.7(BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Save BitLocker recovery information to AD DS for fixed data drives' is set to 'Enabled: False'CompliantTrue
18.9.11.1.8(BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Configure storage of BitLocker recovery information to AD DS' is set to 'Enabled: Backup recovery passwords and key packages'CompliantTrue
18.9.11.1.9(BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Do not enable BitLocker until recovery information is stored to AD DS for fixed data drives' is set to 'Enabled: False'CompliantTrue
18.9.11.1.10(BL) Ensure 'Configure use of hardware-based encryption for fixed data drives' is set to 'Disabled'CompliantTrue
18.9.11.1.11(BL) Ensure 'Configure use of passwords for fixed data drives' is set to 'Disabled'CompliantTrue
18.9.11.1.12(BL) Ensure 'Configure use of smart cards on fixed data drives' is set to 'Enabled'CompliantTrue
18.9.11.1.13(BL) Ensure 'Configure use of smart cards on fixed data drives: Require use of smart cards on fixed data drives' is set to 'Enabled: True'CompliantTrue
18.9.11.2.1(BL) Ensure 'Allow enhanced PINs for startup' is set to 'Enabled'CompliantTrue
18.9.11.2.2(BL) Ensure 'Allow Secure Boot for integrity validation' is set to 'Enabled'CompliantTrue
18.9.11.2.3(BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered' is set to 'Enabled'CompliantTrue
18.9.11.2.4(BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Allow data recovery agent' is set to 'Enabled: False'CompliantTrue
18.9.11.2.5(BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Recovery Password' is set to 'Enabled: Require 48-digit recovery password'CompliantTrue
18.9.11.2.6(BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Recovery Key' is set to 'Enabled: Do not allow 256-bit recovery key'CompliantTrue
18.9.11.2.7(BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Omit recovery options from the BitLocker setup wizard' is set to 'Enabled: True'CompliantTrue
18.9.11.2.8(BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Save BitLocker recovery information to AD DS for operating system drives' is set to 'Enabled: True'CompliantTrue
18.9.11.2.9(BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Configure storage of BitLocker recovery information to AD DS:' is set to 'Enabled: Store recovery passwords and key packages'CompliantTrue
18.9.11.2.10(BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Do not enable BitLocker until recovery information is stored to AD DS for operating system drives' is set to 'Enabled: True'CompliantTrue
18.9.11.2.11(BL) Ensure 'Configure use of hardware-based encryption for operating system drives' is set to 'Disabled'CompliantTrue
18.9.11.2.12(BL) Ensure 'Configure use of passwords for operating system drives' is set to 'Disabled'CompliantTrue
18.9.11.2.13(BL) Ensure 'Require additional authentication at startup' is set to 'Enabled'CompliantTrue
18.9.11.2.14(BL) Ensure 'Require additional authentication at startup: Allow BitLocker without a compatible TPM' is set to 'Enabled: False'CompliantTrue
18.9.11.3.1(BL) Ensure 'Allow access to BitLocker-protected removable data drives from earlier versions of Windows' is set to 'Disabled'CompliantTrue
18.9.11.3.2(BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered' is set to 'Enabled'Registry value not found.False
18.9.11.3.3(BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered: Allow data recovery agent' is set to 'Enabled: True'CompliantTrue
18.9.11.3.4(BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered: Recovery Password' is set to 'Enabled: Do not allow 48-digit recovery password'Registry value not found.False
18.9.11.3.5(BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered: Recovery Key' is set to 'Enabled: Do not allow 256-bit recovery key'CompliantTrue
18.9.11.3.6(BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered: Omit recovery options from the BitLocker setup wizard' is set to 'Enabled: True'CompliantTrue
18.9.11.3.7(BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered: Save BitLocker recovery information to AD DS for removable data drives' is set to 'Enabled: False'CompliantTrue
18.9.11.3.8(BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered: Configure storage of BitLocker recovery information to AD DS:' is set to 'Enabled: Backup recovery passwords and key packages'CompliantTrue
18.9.11.3.9(BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered: Do not enable BitLocker until recovery information is stored to AD DS for removable data drives' is set to 'Enabled: False'CompliantTrue
18.9.11.3.10(BL) Ensure 'Configure use of hardware-based encryption for removable data drives' is set to 'Disabled'CompliantTrue
18.9.11.3.11(BL) Ensure 'Configure use of passwords for removable data drives' is set to 'Disabled'Registry value not found.False
18.9.11.3.12(BL) Ensure 'Configure use of smart cards on removable data drives' is set to 'Enabled'CompliantTrue
18.9.11.3.13(BL) Ensure 'Configure use of smart cards on removable data drives: Require use of smart cards on removable data drives' is set to 'Enabled: True'CompliantTrue
18.9.11.3.14(BL) Ensure 'Deny write access to removable drives not protected by BitLocker' is set to 'Enabled'CompliantTrue
18.9.11.3.15(BL) Ensure 'Deny write access to removable drives not protected by BitLocker: Do not allow write access to devices configured in another organization' is set to 'Enabled: False'CompliantTrue
18.9.11.4(BL) Ensure 'Disable new DMA devices when this computer is locked' is set to 'Enabled'CompliantTrue
18.9.12.1(L2) Ensure 'Allow Use of Camera' is set to 'Disabled'Registry value is '1'. Expected: 0False
18.9.14.1(L1) Ensure 'Turn off cloud consumer account state content' is set to 'Enabled'CompliantTrue
18.9.14.2(L2) Ensure 'Turn off cloud optimized content' is set to 'Enabled'CompliantTrue
18.9.14.3(L1) Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled'CompliantTrue
18.9.15.1(L1) Ensure 'Require pin for pairing' is set to 'Enabled: First Time' OR 'Enabled: Always'CompliantTrue
18.9.16.1(L1) Ensure 'Do not display the password reveal button' is set to 'Enabled'CompliantTrue
18.9.16.2(L1) Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled'CompliantTrue
18.9.16.3(L1) Ensure 'Prevent the use of security questions for local accounts' is set to 'Enabled'CompliantTrue
18.9.17.1(L1) Ensure 'Allow Telemetry' is set to 'Enabled: 0 - Security [Enterprise Only]' or 'Enabled: 1 - Basic'CompliantTrue
18.9.17.2(L2) Ensure 'Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service' is set to 'Enabled: Disable Authenticated Proxy usage'CompliantTrue
18.9.17.3(L1) Ensure 'Disable OneSettings Downloads' is enabled.CompliantTrue
18.9.17.4(L1) Ensure 'Do not show feedback notifications' is set to 'Enabled'CompliantTrue
18.9.17.5(L1) Ensure 'Enable OneSettings Auditing' is set to 'EnabledCompliantTrue
18.9.17.6(L1) Ensure 'Limit Diagnostic Log Collection' is set to 'Enabled'CompliantTrue
18.9.17.7(L1) Ensure 'Limit Dump Collection' is set to 'Enabled'CompliantTrue
18.9.17.8(L1) Ensure 'Toggle user control over Insider builds' is set to 'Disabled'CompliantTrue
18.9.18.1(L1) Ensure 'Download Mode' is NOT set to 'Enabled: Internet'CompliantTrue
18.9.27.1.1(L1) Ensure 'Application: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'CompliantTrue
18.9.27.1.2(L1) Ensure 'Application: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'CompliantTrue
18.9.27.2.1(L1) Ensure 'Security: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'CompliantTrue
18.9.27.2.2(L1) Ensure 'Security: Specify the maximum log file size (KB)' is set to 'Enabled: 196,608 or greater'CompliantTrue
18.9.27.3.1(L1) Ensure 'Setup: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'CompliantTrue
18.9.27.3.2(L1) Ensure 'Setup: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'CompliantTrue
18.9.27.4.1(L1) Ensure 'System: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'CompliantTrue
18.9.27.4.2(L1) Ensure 'System: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'CompliantTrue
18.9.31.2(L1) Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled'CompliantTrue
18.9.31.3(L1) Ensure 'Turn off heap termination on corruption' is set to 'Disabled'CompliantTrue
18.9.31.4(L1) Ensure 'Turn off shell protocol protected mode' is set to 'Disabled'CompliantTrue
18.9.36.1(L1) Ensure 'Prevent the computer from joining a homegroup' set to 'Enabled'.CompliantTrue
18.9.41.1(L2) Ensure 'Turn off location' is set to 'Enabled'CompliantTrue
18.9.45.1(L2) Ensure 'Allow Message Service Cloud Sync' is set to 'Disabled'CompliantTrue
18.9.46.1(L1) Ensure 'Block all consumer Microsoft account user authentication' is set to 'Enabled'CompliantTrue
18.9.47.4.1(L1) Ensure 'Configure local setting override for reporting to Microsoft MAPS' is set to 'Disabled'CompliantTrue
18.9.47.4.2(L2) Ensure 'Join Microsoft MAPS' is set to 'Disabled'CompliantTrue
18.9.47.5.1.1(L1) Ensure 'Configure Attack Surface Reduction rules' is set to 'Enabled'CompliantTrue
18.9.47.5.1.2 A(L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office communication application from creating child processes)CompliantTrue
18.9.47.5.1.2 B(L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from creating executable content)CompliantTrue
18.9.47.5.1.2 C(L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block execution of potentially obfuscated scripts)CompliantTrue
18.9.47.5.1.2 D(L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from injecting code into other processes)CompliantTrue
18.9.47.5.1.2 E(L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Adobe Reader from creating child processes)CompliantTrue
18.9.47.5.1.2 F(L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Win32 API calls from Office macro)CompliantTrue
18.9.47.5.1.2 G(L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block credential stealing from the Windows local security authority subsystem (lsass.exe))CompliantTrue
18.9.47.5.1.2 H(L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block untrusted and unsigned processes that run from USB)CompliantTrue
18.9.47.5.1.2 I(L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block executable content from email client and webmail)CompliantTrue
18.9.47.5.1.2 J(L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block JavaScript or VBScript from launching downloaded executable content)CompliantTrue
18.9.47.5.1.2 K(L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from creating child processes)CompliantTrue
18.9.47.5.1.2 L(L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block persistence through WMI event subscription)CompliantTrue
18.9.47.5.3.1(L1) Ensure 'Prevent users and apps from accessing dangerous websites' is set to 'Enabled: Block'CompliantTrue
18.9.47.6.1(L2) Ensure 'Enable file hash computation feature' is set to 'Enabled'CompliantTrue
18.9.47.9.1(L1) Ensure 'Scan all downloaded files and attachments' is set to 'Enabled'CompliantTrue
18.9.47.9.2(L1) Ensure 'Turn off real-time protection' is set to 'Disabled'CompliantTrue
18.9.47.9.3(L1) Ensure 'Turn on behavior monitoring' is set to 'Enabled'CompliantTrue
18.9.47.9.4(L1) Ensure 'Turn on script scanning' is set to 'Enabled'CompliantTrue
18.9.47.11.1(L2) Ensure 'Configure Watson events' is set to 'Disabled'CompliantTrue
18.9.47.12.1(L1) Ensure 'Scan removable drives' is set to 'Enabled'CompliantTrue
18.9.47.12.2(L1) Ensure 'Turn on e-mail scanning' is set to 'Enabled'CompliantTrue
18.9.47.15(L1) Ensure 'Configure detection for potentially unwanted applications' is set to 'Enabled: Block'CompliantTrue
18.9.47.16(L1) Ensure 'Turn off Windows Defender AntiVirus' is set to 'Disabled'CompliantTrue
18.9.48.1(NG) Ensure 'Allow auditing events in Windows Defender Application Guard' is set to 'Enabled'CompliantTrue
18.9.48.2(NG) Ensure 'Allow camera and microphone access in Windows Defender Application Guard' is set to 'Disabled'CompliantTrue
18.9.48.3(NG) Ensure 'Allow data persistence for Windows Defender Application Guard' is set to 'Disabled'CompliantTrue
18.9.48.4(NG) Ensure 'Allow files to download and save to the host operating system from Windows Defender Application Guard' is set to 'Disabled'CompliantTrue
18.9.48.5(NG) Ensure 'Configure Windows Defender Application Guard clipboard settings: Clipboard behavior setting' is set to 'Enabled: Enable clipboard operation from an isolated session to the host'CompliantTrue
18.9.48.6(NG) Ensure 'Turn on Windows Defender Application Guard in Enterprise Mode' is set to 'Enabled: 1'CompliantTrue
18.9.57.1(L2) Ensure 'Enable news and interests on the taskbar' is set to 'Disabled'CompliantTrue
18.9.58.1(L1) Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled'Registry key not found.False
18.9.64.1(L2) Ensure 'Turn off Push To Install service' is set to 'Enabled'CompliantTrue
18.9.65.2.2(L1) Ensure 'Do not allow passwords to be saved' is set to 'Enabled'CompliantTrue
18.9.65.3.2.1(L2) Ensure 'Allow users to connect remotely by using Remote Desktop Services' set to 'Disabled'.CompliantTrue
18.9.65.3.3.1(L2) Ensure 'Allow UI Automation redirection' is set to 'Disabled'CompliantTrue
18.9.65.3.3.2(L2) Ensure 'Do not allow COM port redirection' is set to 'Enabled'CompliantTrue
18.9.65.3.3.3(L1) Ensure 'Do not allow drive redirection' is set to 'Enabled'CompliantTrue
18.9.65.3.3.4(L2) Ensure 'Do not allow location redirection' is set to 'Enabled'CompliantTrue
18.9.65.3.3.5(L2) Ensure 'Do not allow LPT port redirection' is set to 'Enabled'CompliantTrue
18.9.65.3.3.6(L2) Ensure 'Do not allow supported Plug and Play device redirection' is set to 'Enabled'CompliantTrue
18.9.65.3.9.1(L1) Ensure 'Always prompt for password upon connection' is set to 'Enabled'CompliantTrue
18.9.65.3.9.2(L1) Ensure 'Require secure RPC communication' is set to 'Enabled'CompliantTrue
18.9.65.3.9.3(L1) Ensure 'Require use of specific security layer for remote (RDP) connections' is set to 'Enabled: SSL'CompliantTrue
18.9.65.3.9.4(L1) Ensure 'Require user authentication for remote connections by using Network Level Authentication' is set to 'Enabled'CompliantTrue
18.9.65.3.9.5(L1) Ensure 'Set client connection encryption level' is set to 'Enabled: High Level'CompliantTrue
18.9.65.3.10.1(L2) Ensure 'Set time limit for active but idle Remote Desktop Services sessions' is set to 'Enabled: 15 minutes or less'CompliantTrue
18.9.65.3.10.2(L2) Ensure 'Set time limit for disconnected sessions' is set to 'Enabled: 1 minute'CompliantTrue
18.9.65.3.11.1(L1) Ensure 'Do not delete temp folders upon exit' is set to 'Disabled'CompliantTrue
18.9.66.1(L1) Ensure 'Prevent downloading of enclosures' is set to 'Enabled'CompliantTrue
18.9.67.2(L2) Ensure 'Allow Cloud Search' is set to 'Enabled: Disable Cloud Search'CompliantTrue
18.9.67.3(L1) Ensure 'Allow Cortana' is set to 'Disabled'CompliantTrue
18.9.67.4(L1) Ensure 'Allow Cortana above lock screen' is set to 'Disabled'CompliantTrue
18.9.67.5(L1) Ensure 'Allow indexing of encrypted files' is set to 'Disabled'CompliantTrue
18.9.67.6(L1) Ensure 'Allow search and Cortana to use location' is set to 'Disabled'CompliantTrue
18.9.72.1(L2) Ensure 'Turn off KMS Client Online AVS Validation' is set to 'Enabled'CompliantTrue
18.9.75.1(L2) Ensure 'Disable all apps from Microsoft Store' is set to 'Disabled'Registry value not found.False
18.9.75.2(L1) Ensure 'Only display the private store within the Microsoft Store' is set to 'Enabled'CompliantTrue
18.9.75.3(L1) Ensure 'Turn off Automatic Download and Install of updates' is set to 'Disabled'CompliantTrue
18.9.75.4(L1) Ensure 'Turn off the offer to update to the latest version of Windows' is set to 'Enabled'CompliantTrue
18.9.75.5(L2) Ensure 'Turn off the Store application' is set to 'Enabled'CompliantTrue
18.9.81.1(L1) Ensure 'Allow widgets' is set to 'Disabled'CompliantTrue
18.9.85.1.1 A(L1) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent bypass'CompliantTrue
18.9.85.1.1 B(L1) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent bypass' (ShellSmartScreenLevel)CompliantTrue
18.9.85.2.1(L1) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled'CompliantTrue
18.9.85.2.2(L1) Ensure 'Prevent bypassing Windows Defender SmartScreen prompts for sites' is set to 'Enabled' (PreventOverride).CompliantTrue
18.9.87.1(L1) Ensure 'Enables or disables Windows Game Recording and Broadcasting' is set to 'Disabled'CompliantTrue
18.9.89.1(L2) Ensure 'Allow suggested apps in Windows Ink Workspace' is set to 'Disabled'CompliantTrue
18.9.89.2(L1) Ensure 'Allow Windows Ink Workspace' is set to 'Enabled: On, but disallow access above lock' OR 'Disabled' but not 'Enabled: On'CompliantTrue
18.9.90.1(L1) Ensure 'Allow user control over installs' is set to 'Disabled'CompliantTrue
18.9.90.2(L1) Ensure 'Always install with elevated privileges' is set to 'Disabled' (LocalMachine)CompliantTrue
18.9.90.3(L2) Ensure 'Prevent Internet Explorer security prompt for Windows Installer scripts' is set to 'Disabled'CompliantTrue
18.9.91.1(L1) Ensure 'Sign-in last interactive user automatically after a system-initiated restart' is set to 'Disabled'CompliantTrue
18.9.100.1(L1) Ensure 'Turn on PowerShell Script Block Logging' is set to 'Enabled'.CompliantTrue
18.9.100.2(L1) Ensure 'Turn on PowerShell Transcription' is set to 'Disabled'CompliantTrue
18.9.102.1.1(L1) Ensure 'Allow Basic authentication' is set to 'Disabled'CompliantTrue
18.9.102.1.2(L1) Ensure 'Allow unencrypted traffic' is set to 'Disabled'CompliantTrue
18.9.102.1.3(L1) Ensure 'Disallow Digest authentication' is set to 'Enabled'CompliantTrue
18.9.102.2.1(L1) Ensure 'Allow Basic authentication' is set to 'Disabled'CompliantTrue
18.9.102.2.2(L2) Ensure 'Allow remote server management through WinRM' is set to 'Disabled'Registry value not found.False
18.9.102.2.3(L1) Ensure 'Allow unencrypted traffic' is set to 'Disabled'CompliantTrue
18.9.102.2.4(L1) Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled'CompliantTrue
18.9.103.1(L2) Ensure 'Allow Remote Shell Access' is set to 'Disabled'Registry value is '1'. Expected: 0False
18.9.104.1(L1) Ensure 'Allow clipboard sharing with Windows Sandbox' is set to 'Disabled'CompliantTrue
18.9.104.2(L1) Ensure 'Allow networking in Windows Sandbox' is set to 'Disabled'CompliantTrue
18.9.105.2.1(L1) Ensure 'Prevent users from modifying settings' is set to 'Enabled'CompliantTrue
18.9.108.1.1(L1) Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled'CompliantTrue
18.9.108.2.1(L1) Ensure 'Configure Automatic Updates' is set to 'Enabled'CompliantTrue
18.9.108.2.2(L1) Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day'CompliantTrue
18.9.108.2.3(L1) Ensure 'Remove access to "Pause updates" feature' is set to 'Enabled'CompliantTrue
18.9.108.4.1(L1) Ensure 'Manage preview builds' is set to 'Disabled' (Automated)Registry value is '0'. Expected: 1False
18.9.108.4.2 A(L1) Ensure 'Select when Preview Builds and Feature Updates are received' is set to 'Enabled: Semi-Annual Channel, 180 or more days'CompliantTrue
18.9.108.4.2 B(L1) Ensure 'Select when Preview Builds and Feature Updates are received' is set to 'Enabled: Semi-Annual Channel, 180 or more days' (DeferFeatureUpdatesPeriodInDays)CompliantTrue
18.9.108.4.3 A(L1) Ensure 'Select when Quality Updates are received' is set to 'Enabled: 0 days'. (DeferQualityUpdates)CompliantTrue
18.9.108.4.3 B(L1) Ensure 'Select when Quality Updates are received' is set to 'Enabled: 0 days' (DeferQualityUpdatesPeriodInDays)CompliantTrue
19.7.8.5(L1) Ensure 'Turn off Spotlight collection on Desktop' is set to 'Enabled'Registry value not found.False

User Rights Assignment-

IdTaskMessageStatus
2.2.1(L1) Ensure 'Access Credential Manager as a trusted caller' is set to 'No One'CompliantTrue
2.2.2(L1) Ensure 'Access this computer from the network' is set to 'Administrators, Remote Desktop Users'The user right 'SeNetworkLogonRight' contains following unexpected users: BUILTIN\Users, BUILTIN\Backup Operators The user 'SeNetworkLogonRight' setting does not contain the following users: BUILTIN\Remote Desktop UsersFalse
2.2.3(L1) Ensure 'Act as part of the operating system' is set to 'No One'CompliantTrue
2.2.4(L1) Ensure 'Adjust memory quotas for a process' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE'CompliantTrue
2.2.5(L1) Ensure 'Allow log on locally' is set to 'Administrators, Users'CompliantTrue
2.2.6(L1) Ensure 'Allow log on through Remote Desktop Services' is set to 'Administrators, Remote Desktop Users'CompliantTrue
2.2.7(L1) Ensure 'Back up files and directories' is set to 'Administrators'CompliantTrue
2.2.8(L1) Ensure 'Change the system time' is set to 'Administrators, LOCAL SERVICE'CompliantTrue
2.2.9(L1) Ensure 'Change the time zone' is set to 'Administrators, LOCAL SERVICE, Users'CompliantTrue
2.2.10(L1) Ensure 'Create a pagefile' is set to 'Administrators'CompliantTrue
2.2.11(L1) Ensure 'Create a token object' is set to 'No One'CompliantTrue
2.2.12(L1) Ensure 'Create global objects' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'CompliantTrue
2.2.13(L1) Ensure 'Create permanent shared objects' is set to 'No One'CompliantTrue
2.2.14 A(L1) Ensure 'Create symbolic links' is set to 'Administrators, NT VIRTUAL MACHINE\Virtual Machines' [Hyper-V-Feature installed]The user 'SeCreateSymbolicLinkPrivilege' setting does not contain the following users: NT VIRTUAL MACHINE\Virtual MachinesFalse
2.2.14 B(L1) Configure 'Create symbolic links' (when Hyper-V feature is NOT installed)Hyper-V installed. Please refer to the corresponding benchmark when Hyper-V is installed.None
2.2.15(L1) Ensure 'Debug programs' is set to 'Administrators'The user 'SeDebugPrivilege' setting does not contain the following users: BUILTIN\AdministratorsFalse
2.2.16(L1) Ensure 'Deny access to this computer from the network' to include 'Guests, Local account'CompliantTrue
2.2.17(L1) Ensure 'Deny log on as a batch job' to include 'Guests'CompliantTrue
2.2.18(L1) Ensure 'Deny log on as a service' to include 'Guests'CompliantTrue
2.2.19(L1) Ensure 'Deny log on locally' to include 'Guests'CompliantTrue
2.2.20(L1) Ensure 'Deny log on through Remote Desktop Services' to include 'Guests, Local account'CompliantTrue
2.2.21(L1) Ensure 'Enable computer and user accounts to be trusted for delegation' is set to 'No One'CompliantTrue
2.2.22(L1) Ensure 'Force shutdown from a remote system' is set to 'Administrators'CompliantTrue
2.2.23(L1) Ensure 'Generate security audits' is set to 'LOCAL SERVICE, NETWORK SERVICE' [ADFS-ROLE NOT installed]CompliantTrue
2.2.24(L1) Ensure 'Impersonate a client after authentication' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE' [IIS Role NOT installed]CompliantTrue
2.2.25(L1) Ensure 'Increase scheduling priority' is set to 'Administrators, Window Manager\Window Manager Group'CompliantTrue
2.2.26(L1) Ensure 'Load and unload device drivers' is set to 'Administrators'CompliantTrue
2.2.27(L1) Ensure 'Lock pages in memory' is set to 'No One'CompliantTrue
2.2.28(L2) Ensure 'Log on as a batch job' is set to 'Administrators'CompliantTrue
2.2.29(L2) Configure 'Log on as a service' [Hyper-V-Feature NOT installed]The user right 'SeServiceLogonRight' contains following unexpected users: DESKTOP-UTMU75K\SQLServer2005SQLBrowserUser$DESKTOP-UTMU75K, NT SERVICE\ALL SERVICES, NT SERVICE\SQLTELEMETRY, NT SERVICE\SQLSERVERAGENT, NT SERVICE\MSSQLSERVER, NT VIRTUAL MACHINE\Virtual MachinesFalse
2.2.30(L1) Ensure 'Manage auditing and security log' is set to 'Administrators'CompliantTrue
2.2.31(L1) Ensure 'Modify an object label' is set to 'No One'CompliantTrue
2.2.32(L1) Ensure 'Modify firmware environment values' is set to 'Administrators'CompliantTrue
2.2.33(L1) Ensure 'Perform volume maintenance tasks' is set to 'Administrators'CompliantTrue
2.2.34(L1) Ensure 'Profile single process' is set to 'Administrators'CompliantTrue
2.2.35(L1) Ensure 'Profile system performance' is set to 'Administrators, NT SERVICE\WdiServiceHost'CompliantTrue
2.2.36(L1) Ensure 'Replace a process level token' is set to 'LOCAL SERVICE, NETWORK SERVICE'CompliantTrue
2.2.37(L1) Ensure 'Restore files and directories' is set to 'Administrators'CompliantTrue
2.2.38(L1) Ensure 'Shut down the system' is set to 'Administrators, Users'CompliantTrue
2.2.39(L1) Ensure 'Take ownership of files or other objects' is set to 'Administrators'CompliantTrue

Account Policies-

IdTaskMessageStatus
1.1.1(L1) Ensure 'Enforce password history' is set to '24 or more password(s)'CompliantTrue
1.1.2(L1) Ensure 'Maximum password age' is set to '365 or fewer days, but not 0'CompliantTrue
1.1.3(L1) Ensure 'Minimum password age' is set to '1 or more day(s)'CompliantTrue
1.1.4(L1) Ensure 'Minimum password length' is set to '14 or more character(s)'CompliantTrue
1.1.5(L1) Ensure 'Password must meet complexity requirements' is set to 'Enabled'CompliantTrue
1.1.7(L1) Ensure 'Store passwords using reversible encryption' is set to 'Disabled'CompliantTrue
1.2.1(L1) Ensure 'Account lockout duration' is set to '15 or more minute(s)'CompliantTrue
1.2.2(L1) Ensure 'Account lockout threshold' is set to '5 or fewer invalid logon attempt(s), but not 0'CompliantTrue
1.2.3(L1) Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)'CompliantTrue

Advanced Audit Policy Configuration-

IdTaskMessageStatus
17.1.1(L1) Ensure 'Audit Credential Validation' is set to 'Success and Failure'CompliantTrue
17.2.1(L1) Ensure 'Audit Application Group Management' is set to 'Success and Failure'CompliantTrue
17.2.2(L1) Ensure 'Audit Security Group Management' is set to include 'Success'CompliantTrue
17.2.3(L1) Ensure 'Audit User Account Management' is set to 'Success and Failure'CompliantTrue
17.3.1(L1) Ensure 'Audit PNP Activity' is set to include 'Success'CompliantTrue
17.3.2(L1) Ensure 'Audit Process Creation' is set to include 'Success'CompliantTrue
17.5.1(L1) Ensure 'Audit Account Lockout' is set to include 'Failure'CompliantTrue
17.5.2(L1) Ensure 'Audit Group Membership' is set to include 'Success'CompliantTrue
17.5.3(L1) Ensure 'Audit Logoff' is set to include 'Success'CompliantTrue
17.5.4(L1) Ensure 'Audit Logon' is set to 'Success and Failure'CompliantTrue
17.5.5(L1) Ensure 'Audit Other Logon/Logoff Events' is set to 'Success and Failure'CompliantTrue
17.5.6(L1) Ensure 'Audit Special Logon' is set to include 'Success'CompliantTrue
17.6.1(L1) Ensure 'Audit Detailed File Share' is set to include 'Failure'CompliantTrue
17.6.2(L1) Ensure 'Audit File Share' is set to 'Success and Failure'CompliantTrue
17.6.3(L1) Ensure 'Audit Other Object Access Events' is set to 'Success and Failure'CompliantTrue
17.6.4(L1) Ensure 'Audit Removable Storage' is set to 'Success and Failure'CompliantTrue
17.7.1(L1) Ensure 'Audit Audit Policy Change' is set to include 'Success'CompliantTrue
17.7.2(L1) Ensure 'Audit Authentication Policy Change' is set to include 'Success'CompliantTrue
17.7.3(L1) Ensure 'Audit Authorization Policy Change' is set to include 'Success'CompliantTrue
17.7.4(L1) Ensure 'Audit MPSSVC Rule-Level Policy Change' is set to 'Success and Failure'CompliantTrue
17.7.5(L1) Ensure 'Audit Other Policy Change Events' is set to include 'Failure'CompliantTrue
17.8.1(L1) Ensure 'Audit Sensitive Privilege Use' is set to 'Success and Failure'CompliantTrue
17.9.1(L1) Ensure 'Audit IPsec Driver' is set to 'Success and Failure'CompliantTrue
17.9.2(L1) Ensure 'Audit Other System Events' is set to 'Success and Failure'CompliantTrue
17.9.3(L1) Ensure 'Audit Security State Change' is set to include 'Success'CompliantTrue
17.9.4(L1) Ensure 'Audit Security System Extension' is set to include 'Success'CompliantTrue
17.9.5(L1) Ensure 'Audit System Integrity' is set to 'Success and Failure'CompliantTrue

DISA Recommendations-

This section contains the DISA STIG results.

Registry Settings/Group Policies-

IdTaskMessageStatus
WN10-CC-000310Users must be prevented from changing installation options.CompliantTrue
WN10-CC-000315The Windows Installer Always install with elevated privileges must be disabled.CompliantTrue
WN10-CC-000320Users must be notified if a web-based program attempts to install software.CompliantTrue
WN10-CC-000325Automatically signing in the last interactive user after a system-initiated restart must be disabled.CompliantTrue
WN10-CC-000330The Windows Remote Management (WinRM) client must not use Basic authentication.CompliantTrue
WN10-CC-000335The Windows Remote Management (WinRM) client must not allow unencrypted traffic.CompliantTrue
WN10-CC-000340The Windows Remote Management (WinRM) client must not use Digest authentication.CompliantTrue
WN10-CC-000345The Windows Remote Management (WinRM) service must not use Basic authentication.CompliantTrue
WN10-CC-000350The Windows Remote Management (WinRM) service must not allow unencrypted traffic.CompliantTrue
WN10-CC-000355The Windows Remote Management (WinRM) service must not store RunAs credentials.CompliantTrue
WN10-AU-000500The Application event log size must be configured to 32768 KB or greater.CompliantTrue
WN10-AU-000505The Security event log size must be configured to 1024000 KB or greater.Registry value is '196608'. Expected: 1024000False
WN10-AU-000510The System event log size must be configured to 32768 KB or greater.CompliantTrue
WN10-CC-000005Camera access from the lock screen must be disabled.CompliantTrue
WN10-CC-000010The display of slide shows on the lock screen must be disabled.CompliantTrue
WN10-CC-000020IPv6 source routing must be configured to highest protection.CompliantTrue
WN10-CC-000025The system must be configured to prevent IP source routing.CompliantTrue
WN10-CC-000030The system must be configured to prevent Internet Control Message Protocol (ICMP) redirects from overriding Open Shortest Path First (OSPF) generated routes.CompliantTrue
WN10-CC-000035The system must be configured to ignore NetBIOS name release requests except from WINS servers.CompliantTrue
WN10-CC-000040Insecure logons to an SMB server must be disabled.CompliantTrue
WN10-CC-000055Simultaneous connections to the Internet or a Windows domain must be limited.Registry value not found.False
WN10-CC-000060Connections to non-domain networks when connected to a domain authenticated network must be blocked.CompliantTrue
WN10-CC-000065Wi-Fi Sense must be disabled.CompliantTrue
WN10-CC-000037Local administrator accounts must have their privileged token filtered to prevent elevated privileges from being used over the network on domain systems.CompliantTrue
WN10-CC-000085Early Launch Antimalware, Boot-Start Driver Initialization Policy must prevent boot drivers identified as bad.Registry value is '3'. Expected: 8False
WN10-CC-000090Group Policy objects must be reprocessed even if they have not changed.CompliantTrue
WN10-CC-000100Downloading print driver packages over HTTP must be prevented.CompliantTrue
WN10-SO-000015Local accounts with blank passwords must be restricted to prevent access from the network.CompliantTrue
WN10-CC-000105Web publishing and online ordering wizards must be prevented from downloading a list of providers.CompliantTrue
WN10-CC-000110Printing over HTTP must be prevented.CompliantTrue
WN10-CC-000115Systems must at least attempt device authentication using certificates.CompliantTrue
WN10-CC-000120The network selection user interface (UI) must not be displayed on the logon screen.CompliantTrue
WN10-CC-000130Local users on domain-joined computers must not be enumerated.CompliantTrue
WN10-SO-000030Audit policy using subcategories must be enabled.CompliantTrue
WN10-SO-000035Outgoing secure channel traffic must be encrypted or signed.CompliantTrue
WN10-SO-000040Outgoing secure channel traffic must be encrypted when possible.CompliantTrue
WN10-CC-000145Users must be prompted for a password on resume from sleep (on battery).CompliantTrue
WN10-SO-000045Outgoing secure channel traffic must be signed when possible.CompliantTrue
WN10-CC-000150The user must be prompted for a password on resume from sleep (plugged in).CompliantTrue
WN10-CC-000155Solicited Remote Assistance must not be allowed.CompliantTrue
WN10-SO-000050The computer account password must not be prevented from being reset.CompliantTrue
WN10-CC-000165Unauthenticated RPC clients must be restricted from connecting to the RPC server.CompliantTrue
WN10-CC-000170The setting to allow Microsoft accounts to be optional for modern style apps must be enabled.CompliantTrue
WN10-CC-000175The Application Compatibility Program Inventory must be prevented from collecting data and sending the information to Microsoft.Registry key not found.False
WN10-SO-000060The system must be configured to require a strong session key.CompliantTrue
WN10-CC-000180Autoplay must be turned off for non-volume devices.CompliantTrue
WN10-SO-000070The machine inactivity limit must be set to 15 minutes, locking the system with the screensaver.CompliantTrue
WN10-CC-000185The default autorun behavior must be configured to prevent autorun commands.CompliantTrue
WN10-CC-000190Autoplay must be disabled for all drives.CompliantTrue
WN10-CC-000195Enhanced anti-spoofing for facial recognition must be enabled on Window 10.CompliantTrue
WN10-CC-000200Administrator accounts must not be enumerated during elevation.CompliantTrue
WN10-CC-000215Explorer Data Execution Prevention must be enabled.CompliantTrue
WN10-CC-000220Turning off File Explorer heap termination on corruption must be disabled.CompliantTrue
WN10-CC-000225File Explorer shell protocol must run in protected mode.CompliantTrue
WN10-SO-000095The Smart Card removal option must be configured to Force Logoff or Lock Workstation.CompliantTrue
WN10-CC-000230Users must not be allowed to ignore Windows Defender SmartScreen filter warnings for malicious websites in Microsoft Edge.CompliantTrue
WN10-CC-000235Users must not be allowed to ignore Windows Defender SmartScreen filter warnings for unverified files in Microsoft Edge.CompliantTrue
WN10-SO-000100The Windows SMB client must be configured to always perform SMB packet signing.CompliantTrue
WN10-CC-000240InPrivate browsing in Microsoft Edge must be disabled.CompliantTrue
WN10-SO-000105The Windows SMB client must be enabled to perform SMB packet signing when possible.CompliantTrue
WN10-SO-000110Unencrypted passwords must not be sent to third-party SMB Servers.CompliantTrue
WN10-CC-000250The Windows Defender SmartScreen filter for Microsoft Edge must be enabled.CompliantTrue
WN10-CC-000255The use of a hardware security device with Windows Hello for Business must be enabled.Registry key not found.False
WN10-SO-000120The Windows SMB server must be configured to always perform SMB packet signing.CompliantTrue
WN10-CC-000260Windows 10 must be configured to require a minimum pin length of six characters or greater.Registry key not found.False
WN10-SO-000125The Windows SMB server must perform SMB packet signing when possible.CompliantTrue
WN10-CC-000270Passwords must not be saved in the Remote Desktop Client.CompliantTrue
WN10-CC-000275Local drives must be prevented from sharing with Remote Desktop Session Hosts.CompliantTrue
WN10-CC-000280Remote Desktop Services must always prompt a client for passwords upon connection.CompliantTrue
WN10-CC-000285The Remote Desktop Session Host must require secure RPC communications.CompliantTrue
WN10-CC-000290Remote Desktop Services must be configured with the client connection encryption set to the required level.CompliantTrue
WN10-CC-000295Attachments must be prevented from being downloaded from RSS feeds.CompliantTrue
WN10-SO-000145Anonymous enumeration of SAM accounts must not be allowed.CompliantTrue
WN10-CC-000300Basic authentication for RSS feeds over HTTP must not be used.CompliantTrue
WN10-SO-000150Anonymous enumeration of shares must be restricted.CompliantTrue
WN10-CC-000305Indexing of encrypted files must be turned off.CompliantTrue
WN10-SO-000160The system must be configured to prevent anonymous users from having the same rights as the Everyone group.CompliantTrue
WN10-SO-000165Anonymous access to Named Pipes and Shares must be restricted.CompliantTrue
WN10-SO-000175Services using Local System that use Negotiate when reverting to NTLM authentication must use the computer identity vs. authenticating anonymously.CompliantTrue
WN10-SO-000180NTLM must be prevented from falling back to a Null session.CompliantTrue
WN10-SO-000185PKU2U authentication using online identities must be prevented.CompliantTrue
WN10-SO-000190Kerberos encryption types must be configured to prevent the use of DES and RC4 encryption suites.CompliantTrue
WN10-SO-000195The system must be configured to prevent the storage of the LAN Manager hash of passwords.CompliantTrue
WN10-SO-000205The LanMan authentication level must be set to send NTLMv2 response only, and to refuse LM and NTLM.CompliantTrue
WN10-SO-000210The system must be configured to the required LDAP client signing level.CompliantTrue
WN10-SO-000215The system must be configured to meet the minimum session security requirement for NTLM SSP based clients.CompliantTrue
WN10-SO-000220The system must be configured to meet the minimum session security requirement for NTLM SSP based servers.CompliantTrue
WN10-SO-000230The system must be configured to use FIPS-compliant algorithms for encryption, hashing, and signing.Registry value is '0'. Expected: 1False
WN10-SO-000240The default permissions of global system objects must be increased.CompliantTrue
WN10-SO-000245User Account Control approval mode for the built-in Administrator must be enabled.CompliantTrue
WN10-SO-000250User Account Control must, at minimum, prompt administrators for consent on the secure desktop.CompliantTrue
WN10-SO-000255User Account Control must automatically deny elevation requests for standard users.Registry value is '3'. Expected: 0False
WN10-SO-000260User Account Control must be configured to detect application installations and prompt for elevation.CompliantTrue
WN10-SO-000265User Account Control must only elevate UIAccess applications that are installed in secure locations.CompliantTrue
WN10-SO-000270User Account Control must run all administrators in Admin Approval Mode, enabling UAC.CompliantTrue
WN10-SO-000275User Account Control must virtualize file and registry write failures to per-user locations.CompliantTrue
WN10-UC-000015Toast notifications to the lock screen must be turned off.Registry key not found.False
WN10-UC-000020Zone information must be preserved when saving attachments.Registry key not found.False
WN10-CC-000066Command line data must be included in process creation events.CompliantTrue
WN10-CC-000326PowerShell script block logging must be enabled.CompliantTrue
WN10-00-000150Structured Exception Handling Overwrite Protection (SEHOP) must be enabled.CompliantTrue
WN10-CC-000038WDigest Authentication must be disabled.CompliantTrue
WN10-CC-000044Internet connection sharing must be disabled.CompliantTrue
WN10-CC-000197Microsoft consumer experiences must be turned off.CompliantTrue
WN10-CC-000228Windows 10 must be configured to prevent Microsoft Edge browser data from being cleared on exit.Registry key not found.False
WN10-CC-000252Windows 10 must be configured to disable Windows Game Recording and Broadcasting.CompliantTrue
WN10-CC-000068Windows 10 must be configured to enable Remote host allows delegation of non-exportable credentials.CompliantTrue
WN10-00-000165The Server Message Block (SMB) v1 protocol must be disabled on the SMB server.CompliantTrue
WN10-UC-000005The use of personal accounts for OneDrive synchronization must be disabled.Registry key not found.False
WN10-CC-000238Windows 10 must be configured to prevent certificate error overrides in Microsoft Edge.CompliantTrue
WN10-CC-000204If Enhanced diagnostic data is enabled it must be limited to the minimum required to support Windows Analytics.Registry value not found.False

User Rights Assignment-

IdTaskMessageStatus
WN10-UR-000005The Access Credential Manager as a trusted caller user right must not be assigned to any groups or accounts.CompliantTrue
WN10-UR-000010The Access this computer from the network user right must only be assigned to the Administrators and Remote Desktop Users groups.The user right 'SeNetworkLogonRight' contains following unexpected users: BUILTIN\Users, BUILTIN\Backup Operators The user 'SeNetworkLogonRight' setting does not contain the following users: BUILTIN\Remote Desktop UsersFalse
WN10-UR-000015The Act as part of the operating system user right must not be assigned to any groups or accounts.CompliantTrue
WN10-UR-000025The Allow log on locally user right must only be assigned to the Administrators and Users groups.CompliantTrue
WN10-UR-000030The Back up files and directories user right must only be assigned to the Administrators group.CompliantTrue
WN10-UR-000035The Change the system time user right must only be assigned to Administrators and Local Service.CompliantTrue
WN10-UR-000040The Create a pagefile user right must only be assigned to the Administrators group.CompliantTrue
WN10-UR-000045The Create a token object user right must not be assigned to any groups or accounts.CompliantTrue
WN10-UR-000050The Create global objects user right must only be assigned to Administrators, Service, Local Service, and Network Service.CompliantTrue
WN10-UR-000055The Create permanent shared objects user right must not be assigned to any groups or accounts.CompliantTrue
WN10-UR-000065The Debug programs user right must only be assigned to the Administrators group.The user 'SeDebugPrivilege' setting does not contain the following users: BUILTIN\AdministratorsFalse
WN10-UR-000070 MWThe Deny access to this computer from the network user right on workstations must be configured to prevent access from highly privileged domain accounts and local accounts on domain systems and unauthenticated access on all systems.The user 'SeDenyNetworkLogonRight' setting does not contain the following users: FB-PRO\Enterprise Admins, FB-PRO\Domain AdminsFalse
WN10-UR-000070 SWThe Deny access to this computer from the network user right on workstations must be configured to prevent access from highly privileged domain accounts and local accounts on domain systems and unauthenticated access on all systems.Not applicable. This audit applies only to StandaloneWorkstation.None
WN10-UR-000075 MWThe Deny log on as a batch job user right on domain-joined workstations must be configured to prevent access from highly privileged domain accounts.The user 'SeDenyBatchLogonRight' setting does not contain the following users: FB-PRO\Enterprise Admins, FB-PRO\Domain AdminsFalse
WN10-UR-000080 MWThe Deny log on as a service user right on domain-joined workstations must be configured to prevent access from highly privileged domain accounts.The user 'SeDenyServiceLogonRight' setting does not contain the following users: FB-PRO\Enterprise Admins, FB-PRO\Domain AdminsFalse
WN10-UR-000085 MWThe Deny log on locally user right on workstations must be configured to prevent access from highly privileged domain accounts on domain systems and unauthenticated access on all systems.The user 'SeDenyInteractiveLogonRight' setting does not contain the following users: FB-PRO\Enterprise Admins, FB-PRO\Domain AdminsFalse
WN10-UR-000085 SWThe Deny log on locally user right on workstations must be configured to prevent access from highly privileged domain accounts on domain systems and unauthenticated access on all systems.Not applicable. This audit applies only to StandaloneWorkstation.None
WN10-UR-000090 MWThe Deny log on through Remote Desktop Services user right on workstations must at a minimum be configured to prevent access from highly privileged domain accounts and local accounts on domain systems and unauthenticated access on all systems.The user 'SeDenyRemoteInteractiveLogonRight' setting does not contain the following users: FB-PRO\Enterprise Admins, FB-PRO\Domain AdminsFalse
WN10-UR-000090 SWThe Deny log on through Remote Desktop Services user right on workstations must at a minimum be configured to prevent access from highly privileged domain accounts and local accounts on domain systems and unauthenticated access on all systems.Not applicable. This audit applies only to StandaloneWorkstation.None
WN10-UR-000100The Force shutdown from a remote system user right must only be assigned to the Administrators group.CompliantTrue
WN10-UR-000105The Generate security audits user right must only be assigned to Local Service and Network Service.CompliantTrue
WN10-UR-000110The Impersonate a client after authentication user right must only be assigned to Administrators, Service, Local Service, and Network Service.CompliantTrue
WN10-UR-000115The Increase scheduling priority user right must only be assigned to the Administrators group.The user right 'SeIncreaseBasePriorityPrivilege' contains following unexpected users: Window Manager\Window Manager GroupFalse
WN10-UR-000120The Load and unload device drivers user right must only be assigned to the Administrators group.CompliantTrue
WN10-UR-000125The Lock pages in memory user right must not be assigned to any groups or accounts.CompliantTrue
WN10-UR-000130The Manage auditing and security log user right must only be assigned to the Administrators group.CompliantTrue
WN10-UR-000140The Modify firmware environment values user right must only be assigned to the Administrators group.CompliantTrue
WN10-UR-000145The Perform volume maintenance tasks user right must only be assigned to the Administrators group.CompliantTrue
WN10-UR-000150The Profile single process user right must only be assigned to the Administrators group.CompliantTrue
WN10-UR-000160The Restore files and directories user right must only be assigned to the Administrators group.CompliantTrue
WN10-UR-000165The Take ownership of files or other objects user right must only be assigned to the Administrators group.CompliantTrue

Account Policies-

IdTaskMessageStatus
WN10-AC-000005Windows 10 account lockout duration must be configured to 15 minutes or greater.CompliantTrue
WN10-AC-000010The number of allowed bad logon attempts must be configured to 3 or less.'LockoutBadCount' currently set to: 5. Expected: x <= 3 and x != 0False
WN10-AC-000015The period of time before the bad logon counter is reset must be configured to 15 minutes.CompliantTrue
WN10-AC-000020The password history must be configured to 24 passwords remembered.CompliantTrue
WN10-AC-000025The maximum password age must be configured to 60 days or less.'MaximumPasswordAge' currently set to: 120. Expected: x <= 60False
WN10-AC-000030The minimum password age must be configured to at least 1 day.CompliantTrue
WN10-AC-000035Passwords must, at a minimum, be 14 characters.CompliantTrue
WN10-AC-000040The built-in Microsoft password complexity filter must be enabled.CompliantTrue
WN10-AC-000045Reversible password encryption must be disabled.CompliantTrue

Windows Features-

IdTaskMessageStatus
WN10-00-000100Internet Information System (IIS) or its subcomponents must not be installed on a workstation.CompliantTrue
WN10-00-000110Simple TCP/IP Services must not be installed on the system.CompliantTrue
WN10-00-000115The Telnet Client must not be installed on the system.CompliantTrue
WN10-00-000120The TFTP Client must not be installed on the system.CompliantTrue

File System Permissions-

IdTaskMessageStatus
WN10-AU-000515Permissions for the Application event log must prevent access by non-privileged accounts.CompliantTrue
WN10-AU-000520Permissions for the Security event log must prevent access by non-privileged accounts.CompliantTrue
WN10-AU-000525Permissions for the System event log must prevent access by non-privileged accounts.CompliantTrue

Registry Permissions-

IdTaskMessageStatus
WN10-RG-000005 ADefault permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained.CompliantTrue
WN10-RG-000005 BDefault permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained.Unexpected 'S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681' with access 'ReadKey'False
WN10-RG-000005 CDefault permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained.Unexpected 'S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681' with access 'ReadKey'False

CyberGovAu Benchmarks-

This section contains the CyberGovAu Benchmark results.

Registry Settings/Group Policies-

IdTaskMessageStatus
1909.01Ensure 'Deploy Windows Defender Application Control' is set to 'Enabled'Registry value not found.False
1909.02.1Ensure 'Turn On Virtualization Based Security' is set to 'Enabled'CompliantTrue
1909.02.2Ensure 'Turn On Virtualization Based Security' is set to 'Enabled'CompliantTrue
1909.03.1Ensure 'Configure Attack Surface Reduction rules' is set to 'Enabled'CompliantTrue
1909.03.2Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block executable content from email client and webmail)CompliantTrue
1909.03.3Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from creating child processes)CompliantTrue
1909.03.4Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from creating executable content)CompliantTrue
1909.03.5Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from injecting code into other processes)CompliantTrue
1909.03.6Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block JavaScript or VBScript from launching downloaded executable content)CompliantTrue
1909.03.7Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block execution of potentially obfuscated scripts)CompliantTrue
1909.03.8Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Win32 API calls from Office macro)CompliantTrue
1909.03.9Ensure 'Configure Attack Surface Reduction rules' is configured (Block executable files from running unless they meet a prevalence, age, or trusted list criterion).Registry value not found.False
1909.03.10Ensure 'Configure Attack Surface Reduction rules' is configured (Use advanced protection against ransomware).Registry value is '0'. Expected: 1False
1909.03.11Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block credential stealing from the Windows local security authority subsystem (lsass.exe))CompliantTrue
1909.03.12Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block process creations originating from PSExec and WMI commands)Registry value not found.False
1909.03.13Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block untrusted and unsigned processes that run from USB)CompliantTrue
1909.03.14Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office communication application from creating child processes)CompliantTrue
1909.03.15Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Adobe Reader from creating child processes)CompliantTrue
1909.03.16Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block persistence through WMI event subscription)CompliantTrue
1909.04Ensure 'WDigest Authentication' is set to 'Disabled'Registry value is '0'. Expected: 1False
1909.05.1Ensure 'Turn On Virtualization Based Security' is set to 'Enabled'CompliantTrue
1909.05.2Ensure 'Turn On Virtualization Based Security' is set to 'Enabled'CompliantTrue
1909.05.3Ensure 'Turn On Virtualization Based Security' is set to 'Enabled'CompliantTrue
1909.06.1Ensure 'Configure allowed applications' is set to 'Enabled'Registry key not found.False
1909.06.2Ensure 'Configure allowed applications' is set to 'Enabled'Registry key not found.False
1909.07.1Ensure 'Configure Controlled folder access' is set to 'Enabled'Registry key not found.False
1909.07.2Ensure 'Configure Controlled folder access' is set to 'Enabled'Registry key not found.False
1909.08.1Ensure 'Configure protected folders' is set to 'Enabled'Registry key not found.False
1909.08.2Ensure 'Configure protected folders' is set to 'Enabled'Registry key not found.False
1909.09Ensure 'Do not display network selection UI' is set to 'Enabled'CompliantTrue
1909.10Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled'CompliantTrue
1909.11Ensure 'Do not display the password reveal button' is set to 'Enabled'CompliantTrue
1909.12Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled'Registry value not found.False
1909.13Ensure 'Require trusted path for credential entry' is set to 'Enabled'Registry value not found.False
1909.14Ensure 'Prevent the use of security questions for local accounts' is set to 'Enabled'CompliantTrue
1909.15Ensure 'Disable or enable software Secure Attention Sequence' is set to 'Disabled'Registry value not found.False
1909.16Ensure 'Sign-in last interactive user automatically after a system-initiated restart' is set to 'Disabled'CompliantTrue
1909.17Ensure 'Require Ctrl-Alt-Del' is set to 'Disabled'Registry key not found.False
1909.18.1Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled'Registry value is '3'. Expected: 1False
1909.19.1Ensure 'Use a common set of exploit protection settings' is set to 'Enabled'Registry key not found.False
1909.20Ensure 'Prevent users from modifying settings' is set to 'Enabled'CompliantTrue
1909.21Ensure 'Turn off Data Execution Prevention' is set to 'Disabled'Registry value not found.False
1909.22Ensure 'Enable Structured Exception Handling Overwrite Protection (SEHOP)' is set to 'Enabled'CompliantTrue
1909.23Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled'CompliantTrue
1909.24Ensure 'Allow Adobe Flash' is set to 'Disabled'CompliantTrue
1909.25Ensure 'Allow Developer Tools' is set to 'Disabled'Registry key not found.False
1909.27Ensure 'Configure Password Manager' is set to 'Disabled'CompliantTrue
1909.28Ensure 'Configure Pop-up Blocker' is set to 'Enabled'CompliantTrue
1909.30Ensure 'Prevent access to the about:flags page in Microsoft Edge' is set to 'Enabled'CompliantTrue
1909.31Ensure 'Prevent bypassing Windows Defender SmartScreen prompts for files' is set to 'Enabled'CompliantTrue
1909.34Ensure 'Turn on Microsoft Defender Application Guard in Managed Mode' is set to 'Enabled'CompliantTrue
1909.36Ensure 'Prevent bypassing Windows Defender SmartScreen prompts for sites' is set to 'Enabled'CompliantTrue
1909.37Ensure 'Allow Automatic Updates immediate installation' is set to 'Enabled'Registry value not found.False
1909.38.1Ensure 'Configure Automatic Updates' is set to 'Enabled'CompliantTrue
1909.38.2Ensure 'Configure Automatic Updates' is set to 'Enabled'Registry value not found.False
1909.38.3Ensure 'Configure Automatic Updates' is set to 'Enabled'CompliantTrue
1909.38.4Ensure 'Configure Automatic Updates' is set to 'Enabled'Registry value not found.False
1909.39Ensure 'Do not include drivers with Windows Updates' is set to 'Disabled'Registry value not found.False
1909.40Ensure 'Enabling Windows Update Power Management to automatically wake up the system to install scheduled updates' is set to 'Enabled'Registry value not found.False
1909.41Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled'CompliantTrue
1909.42Ensure 'Remove access to use all Windows Update features' is set to 'Disabled'Registry key not found.False
1909.43Ensure 'Turn on recommended updates via Automatic Updates' is set to 'Enabled'Registry value not found.False
1909.44.1Ensure 'Specify intranet Microsoft update service location' is set to 'Enabled'Registry value not found.False
1909.44.2Ensure 'Specify intranet Microsoft update service location' is set to 'Enabled'Registry value not found.False
1909.45Ensure 'Turn off picture password sign-in' is set to 'Enabled'CompliantTrue
1909.46Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled'CompliantTrue
1909.47Ensure 'Maximum configurable password age' is set to '365 days'Registry value not found.False
1909.48Ensure 'Minimum password length' is set to '14 characters'Registry key not found.False
1909.49Ensure 'Password must meet complexity requirements' is set to 'Enabled'Registry key not found.False
1909.50Ensure 'Standard User Lockout Duration' is set to '0'Registry value not found.False
1909.51Ensure 'Standard User Individual Lockout Threshold' is set to '5'Registry value not found.False
1909.52Ensure 'Enable insecure guest logons' is set to 'Disabled'CompliantTrue
1909.53Ensure 'Turn off Microsoft Defender Antivirus' is set to 'Disabled'CompliantTrue
1909.54Ensure 'Configure local setting override for reporting to Microsoft MAPS' is set to 'Disabled'CompliantTrue
1909.55Ensure 'Configure the 'Block at First Sight' feature' is set to 'Enabled'Registry value not found.False
1909.56.2Ensure 'Join Microsoft MAPS' is set to 'Enabled'Registry value is '0'. Expected: 2False
1909.57Ensure 'Send file samples when further analysis is required' is set to 'Enabled'Registry value is '2'. Expected: 1False
1909.58Ensure 'Configure extended cloud check' is set to 'Enabled' and set to '50'Registry value not found.False
1909.59Ensure 'Select cloud protection level' is set to 'Enabled'Registry value not found.False
1909.60Ensure 'Configure removal of items from Quarantine folder' is set to 'Disabled'Registry key not found.False
1909.61Ensure 'Scan all downloaded files and attachments' is set to 'Enabled'Registry key not found.False
1909.63Ensure 'Turn on behavior monitoring' is set to 'Enabled'CompliantTrue
1909.64Ensure 'Turn on process scanning whenever real-time protection is enabled' is set to 'Enabled'Registry key not found.False
1909.65Ensure 'Allow users to pause scan' is set to 'Disabled'Registry key not found.False
1909.66Ensure 'Check for the latest virus and spyware definitions before running a scheduled scan' is set to 'Enabled'Registry key not found.False
1909.67Ensure 'Scan archive files' is set to 'Enabled'Registry value not found.False
1909.68Ensure 'Scan packed executables' is set to 'Enabled'Registry key not found.False
1909.69Ensure 'Scan removable drives' is set to 'Enabled'CompliantTrue
1909.70Ensure 'Turn on e-mail scanning' is set to 'Enabled'CompliantTrue
1909.71Ensure 'Turn on heuristics' is set to 'Enabled'Registry key not found.False
1909.72Ensure 'Do not preserve zone information in file attachments' is set to 'Disabled'Registry key not found.False
1909.73Ensure 'Hide mechanisms to remove zone information' is set to 'Enabled'Registry key not found.False
1909.74Ensure 'Include command line in process creation events' is set to 'Enabled'CompliantTrue
1909.75Ensure 'Specify the maximum log file size (KB)' is set to '65536'Registry value is '32768'. Expected: 65536False
1909.76Ensure 'Specify the maximum log file size (KB)' is set to '2097152'Registry value is '196608'. Expected: 2097152False
1909.77Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled'CompliantTrue
1909.78Ensure 'Set the default behavior for AutoRun' is set to 'Enabled'CompliantTrue
1909.79Ensure 'Turn off Autoplay' is set to 'Enabled'CompliantTrue
1909.80Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled'CompliantTrue
1909.81Ensure 'Prohibit use of Internet Connection Sharing on your DNS domain network' is set to 'Enabled'CompliantTrue
1909.82Ensure 'Route all traffic through the internal network' is set to 'Enabled'Registry key not found.False
1909.83Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled'CompliantTrue
1909.84Ensure 'Remove CD Burning features' is set to 'Enabled'Registry key not found.False
1909.85Ensure 'Prevent access to the command prompt' is set to 'Enabled'Registry key not found.False
1909.86.1Ensure 'Prevent installation of devices that match any of these device IDs' is set to 'Enabled'Registry value not found.False
1909.86.2Ensure 'Prevent installation of devices that match any of these device IDs' is set to 'Enabled'Registry value not found.False
1909.86.3Ensure 'Prevent installation of devices that match any of these device IDs' is set to 'Enabled'Registry value not found.False
1909.86.4Ensure 'Prevent installation of devices that match any of these device IDs' is set to 'Enabled'Registry value not found.False
1909.87.1Ensure 'Prevent installation of devices using drivers that match these device setup classes' is set to 'Enabled'CompliantTrue
1909.87.2Ensure 'Prevent installation of devices using drivers that match these device setup classes' is set to 'Enabled'Registry value not found.False
1909.87.3Ensure 'Prevent installation of devices using drivers that match these device setup classes' is set to 'Enabled'CompliantTrue
1909.88Ensure 'All Removable Storage classes: Deny all access' is set to 'Enabled'Registry key not found.False
1909.89Ensure 'CD and DVD: Deny execute access' is set to 'Enabled'Registry key not found.False
1909.90Ensure 'CD and DVD: Deny write access' is set to 'Enabled'Registry key not found.False
1909.91Ensure 'Custom Classes: Deny read access' is set to 'Disabled'Registry key not found.False
1909.92Ensure 'Custom Classes: Deny write access' is set to 'Enabled'Registry key not found.False
1909.93Ensure 'Floppy Drives: Deny execute access' is set to 'Enabled'Registry key not found.False
1909.94Ensure 'Floppy Drives: Deny read access' is set to 'Disabled'Registry key not found.False
1909.95Ensure 'Floppy Drives: Deny write access' is set to 'Enabled'Registry key not found.False
1909.96Ensure 'Removable Disks: Deny execute access' is set to 'Enabled'Registry key not found.False
1909.97Ensure 'Removable Disks: Deny read access' is set to 'Disabled'Registry key not found.False
1909.98Ensure 'Removable Disks: Deny write access' is set to 'Enabled'Registry key not found.False
1909.99Ensure 'Tape Drives: Deny execute access' is set to 'Enabled'Registry key not found.False
1909.100Ensure 'Tape Drives: Deny read access' is set to 'Disabled'Registry key not found.False
1909.101Ensure 'Tape Drives: Deny write access' is set to 'Enabled'Registry key not found.False
1909.102Ensure 'WPD Devices: Deny read access' is set to 'Disabled'Registry key not found.False
1909.103Ensure 'WPD Devices: Deny write access' is set to 'Enabled'Registry key not found.False
1909.104Ensure 'Prevent the computer from joining a homegroup' is set to 'Enabled'CompliantTrue
1909.105Ensure 'Prevent users from sharing files within their profile.' is set to 'Enabled'Registry key not found.False
1909.106.1Ensure 'Hardened UNC Paths' is set to 'Enabled'Registry value not found.False
1909.106.2Ensure 'Hardened UNC Paths' is set to 'Enabled'Registry value not found.False
1909.107Ensure 'Configure registry policy processing' is set to 'Enabled'Registry key not found.False
1909.108Ensure 'Turn off background refresh of Group Policy' is set to 'Disabled'CompliantTrue
1909.109Ensure 'Turn off Local Group Policy Objects processing' is set to 'Enabled'Registry value not found.False
1909.110.1Ensure 'Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)' is set to 'Enabled'Registry value not found.False
1909.110.2Ensure 'Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)' is set to 'Enabled'Registry value not found.False
1909.110.3Ensure 'Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)' is set to 'Enabled'Registry value not found.False
1909.111Ensure 'Disable new DMA devices when this computer is locked' is set to 'Enabled'CompliantTrue
1909.112.1Ensure 'Choose how BitLocker-protected fixed drives can be recovered' is set to 'Enabled'CompliantTrue
1909.112.2Ensure 'Choose how BitLocker-protected fixed drives can be recovered' is set to 'Enabled'CompliantTrue
1909.112.3Ensure 'Choose how BitLocker-protected fixed drives can be recovered' is set to 'Enabled'CompliantTrue
1909.112.4Ensure 'Choose how BitLocker-protected fixed drives can be recovered' is set to 'Enabled'Registry value is '0'. Expected: 1False
1909.112.5Ensure 'Choose how BitLocker-protected fixed drives can be recovered' is set to 'Enabled'CompliantTrue
1909.112.6Ensure 'Choose how BitLocker-protected fixed drives can be recovered' is set to 'Enabled'Registry value is '0'. Expected: 1False
1909.113.1Ensure 'Configure use of passwords for fixed data drives' is set to 'Enabled'Registry value is '0'. Expected: 1False
1909.113.2Ensure 'Configure use of passwords for fixed data drives' is set to 'Enabled'Registry value not found.False
1909.113.3Ensure 'Configure use of passwords for fixed data drives' is set to 'Enabled'Registry value not found.False
1909.113.4Ensure 'Configure use of passwords for fixed data drives' is set to 'Enabled'Registry value not found.False
1909.114Ensure 'Deny write access to fixed drives not protected by BitLocker' is set to 'Enabled'Registry value not found.False
1909.115Ensure 'Enforce drive encryption type on fixed data drives' is set to 'Enabled' and 'Full encryption'Registry value not found.False
1909.116Ensure 'Allow devices compliant with InstantGo or HSTI to opt out of pre-boot PIN.' is set to 'Disabled'Registry value not found.False
1909.117Ensure 'Allow enhanced PINs for startup' is set to 'Enabled'CompliantTrue
1909.118Ensure 'Allow network unlock at startup' is set to 'Enabled'Registry value not found.False
1909.119Ensure 'Allow Secure Boot for integrity validation' is set to 'Enabled'CompliantTrue
1909.120.1Ensure 'Choose how BitLocker-protected operating system drives can be recovered' is set to 'Enabled'CompliantTrue
1909.120.2Ensure 'Choose how BitLocker-protected operating system drives can be recovered' is set to 'Enabled'Registry value is '0'. Expected: 1False
1909.120.3Ensure 'Choose how BitLocker-protected operating system drives can be recovered' is set to 'Enabled'CompliantTrue
1909.120.4Ensure 'Choose how BitLocker-protected operating system drives can be recovered' is set to 'Enabled'CompliantTrue
1909.120.5Ensure 'Choose how BitLocker-protected operating system drives can be recovered' is set to 'Enabled'CompliantTrue
1909.120.6Ensure 'Choose how BitLocker-protected operating system drives can be recovered' is set to 'Enabled'CompliantTrue
1909.121Ensure 'Configure minimum PIN length for startup' is set to 'Enabled'Registry value not found.False
1909.122.1Ensure 'Configure use of passwords for operating system drives' is set to 'Enabled'Registry value is '0'. Expected: 1False
1909.122.2Ensure 'Configure use of passwords for operating system drives' is set to 'Enabled'Registry value not found.False
1909.122.3Ensure 'Configure use of passwords for operating system drives' is set to 'Enabled'Registry value not found.False
1909.123Ensure 'Disallow standard users from changing the PIN or password' is set to 'Disabled'Registry value not found.False
1909.124Ensure 'Enforce drive encryption type on operating system drives' is set to 'Enabled'Registry value not found.False
1909.125.1Ensure 'Require additional authentication at startup' is set to 'Enabled'CompliantTrue
1909.125.2Ensure 'Require additional authentication at startup' is set to 'Enabled'Registry value is '0'. Expected: 1False
1909.125.3Ensure 'Require additional authentication at startup' is set to 'Enabled'Registry value not found.False
1909.125.4Ensure 'Require additional authentication at startup' is set to 'Enabled'Registry value not found.False
1909.125.5Ensure 'Require additional authentication at startup' is set to 'Enabled'Registry value not found.False
1909.125.6Ensure 'Require additional authentication at startup' is set to 'Enabled'Registry value not found.False
1909.126Ensure 'Reset platform validation data after BitLocker recovery' is set to 'Enabled'Registry value not found.False
1909.127.1Ensure 'Choose how BitLocker-protected removable drives can be recovered' is set to 'Enabled'Registry value not found.False
1909.127.2Ensure 'Choose how BitLocker-protected removable drives can be recovered' is set to 'Enabled'CompliantTrue
1909.127.3Ensure 'Choose how BitLocker-protected removable drives can be recovered' is set to 'Enabled'Registry value not found.False
1909.127.4Ensure 'Choose how BitLocker-protected removable drives can be recovered' is set to 'Enabled'Registry value is '0'. Expected: 2False
1909.127.5Ensure 'Choose how BitLocker-protected removable drives can be recovered' is set to 'Enabled'CompliantTrue
1909.127.6Ensure 'Choose how BitLocker-protected removable drives can be recovered' is set to 'Enabled'Registry value is '0'. Expected: 1False
1909.127.7Ensure 'Choose how BitLocker-protected removable drives can be recovered' is set to 'Enabled'CompliantTrue
1909.127.8Ensure 'Choose how BitLocker-protected removable drives can be recovered' is set to 'Enabled'Registry value is '0'. Expected: 1False
1909.128.1Ensure 'Configure use of passwords for removable data drives' is set to 'Enabled'Registry value not found.False
1909.128.2Ensure 'Configure use of passwords for removable data drives' is set to 'Enabled'Registry value not found.False
1909.128.3Ensure 'Configure use of passwords for removable data drives' is set to 'Enabled'Registry value not found.False
1909.128.4Ensure 'Configure use of passwords for removable data drives' is set to 'Enabled'Registry value not found.False
1909.129.1Ensure 'Control use of BitLocker on removable drives' is set to 'Enabled'Registry value not found.False
1909.129.2Ensure 'Control use of BitLocker on removable drives' is set to 'Enabled'Registry value not found.False
1909.130Ensure 'Deny write access to removable drives not protected by BitLocker' is set to 'Enabled'Registry value not found.False
1909.131Ensure 'Enforce drive encryption type on removable data drives' is set to 'Enabled'Registry value not found.False
1909.132.1Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled'CompliantTrue
1909.132.2Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled'CompliantTrue
1909.133Ensure 'Allow user control over installs' is set to 'Disabled'CompliantTrue
1909.135Ensure 'Always install with elevated privileges' is set to 'Disabled'CompliantTrue
1909.136Ensure 'Do not process the legacy run list' is set to 'Enabled'Registry value not found.False
1909.137Ensure 'Do not process the run once list' is set to 'Enabled'Registry value not found.False
1909.138Ensure 'Run these programs at user logon' is set to 'Disabled'Registry key not found.False
1909.139Ensure 'Block all consumer Microsoft account user authentication' is set to 'Enabled'CompliantTrue
1909.140Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled'Registry key not found.False
1909.141Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled'CompliantTrue
1909.142Ensure 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled'CompliantTrue
1909.143Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled'CompliantTrue
1909.144Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled'CompliantTrue
1909.145Ensure 'Allow standby states (S1-S3) when sleeping (on battery)' is set to 'Disabled'Registry value not found.False
1909.145Ensure 'Allow standby states (S1-S3) when sleeping (plugged in)' is set to 'Disabled'Registry key not found.False
1909.146Ensure 'Require a Password When a Computer Wakes (On Battery)' is set to 'Enabled'Registry key not found.False
1909.147Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled'Registry key not found.False
1909.148Ensure 'Specify the system hibernate timeout (on battery)' is set to 'Enabled'Registry key not found.False
1909.149Ensure 'Specify the system hibernate timeout (plugged in)' is set to 'Enabled'Registry key not found.False
1909.150Ensure 'Specify the system sleep timeout (on battery)' is set to 'Enabled'Registry key not found.False
1909.151Ensure 'Specify the system sleep timeout (plugged in)' is set to 'Enabled'Registry key not found.False
1909.152Ensure 'Specify the unattended sleep timeout (plugged in)' is set to 'Enabled'Registry key not found.False
1909.153Ensure 'Specify the unattended sleep timeout (plugged in)' is set to 'Enabled' and '0 seconds'Registry key not found.False
1909.154Ensure 'Turn off hybrid sleep (on battery)' is set to 'Enabled'Registry key not found.False
1909.155Ensure 'Turn off hybrid sleep (plugged in)' is set to 'Enabled'Registry key not found.False
1909.156Ensure 'Show hibernate in the power options menu' is set to 'Disabled'Registry value not found.False
1909.157Ensure 'Show sleep in the power options menu' is set to 'Disabled'Registry value not found.False
1909.158Ensure 'Turn on PowerShell Script Block Logging' is set to 'Enabled'CompliantTrue
1909.159.1Ensure 'Turn on Script Execution' is set to 'Enabled'Registry value not found.False
1909.159.2Ensure 'Turn on Script Execution' is set to 'Enabled'Registry value not found.False
1909.160Ensure 'Prevent access to registry editing tools' is set to 'Enabled'Registry key not found.False
1909.161Ensure 'Configure Offer Remote Assistance' is set to 'Disabled'CompliantTrue
1909.162Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled'CompliantTrue
1909.163Ensure 'Allow users to connect remotely by using Remote Desktop Services' is set to 'Disabled'CompliantTrue
1909.164Ensure 'Remote host allows delegation of non-exportable credentials' is set to 'Enabled'CompliantTrue
1909.165Ensure 'Configure server authentication for client' is set to 'Enabled'Registry value not found.False
1909.166Ensure 'Do not allow passwords to be saved' is set to 'Enabled'CompliantTrue
1909.168Ensure 'Deny logoff of an administrator logged in to the console session' is set to 'Enabled'Registry value not found.False
1909.169Ensure 'Do not allow Clipboard redirection' is set to 'Enabled'Registry value not found.False
1909.170Ensure 'Do not allow drive redirection' is set to 'Enabled'CompliantTrue
1909.171Ensure 'Always prompt for password upon connection' is set to 'Enabled'CompliantTrue
1909.172Ensure 'Do not allow local administrators to customize permissions' is set to 'Enabled'Registry value not found.False
1909.173Ensure 'Require secure RPC communication' is set to 'Enabled'CompliantTrue
1909.174Ensure 'Require use of specific security layer for remote (RDP) connections' is set to 'Enabled'CompliantTrue
1909.175Ensure 'Require user authentication for remote connections by using Network Level Authentication' is set to 'Enabled'CompliantTrue
1909.176Ensure 'Set client connection encryption level' is set to 'Enabled'CompliantTrue
1909.177Ensure 'Restrict Unauthenticated RPC clients' is set to 'Enabled'CompliantTrue
1909.178Ensure 'Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider' is set to 'Disabled'CompliantTrue
1909.179Ensure 'Turn off Inventory Collector' is set to 'Enabled'Registry key not found.False
1909.180Ensure 'Turn off Steps Recorder' is set to 'Enabled'Registry key not found.False
1909.181Ensure 'Allow Telemetry' is set to 'Enabled'CompliantTrue
1909.182.1Ensure 'Configure Corporate Windows Error Reporting' is set to 'Enabled'Registry value not found.False
1909.182.2Ensure 'Configure Corporate Windows Error Reporting' is set to 'Enabled'Registry value not found.False
1909.182.3Ensure 'Configure Corporate Windows Error Reporting' is set to 'Enabled'Registry value not found.False
1909.183Ensure 'Turn off multicast name resolution' is set to 'Enabled'CompliantTrue
1909.184Ensure 'Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services' is set to 'Disabled'CompliantTrue
1909.185Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled'CompliantTrue
1909.186Ensure 'Turn off heap termination on corruption' is set to 'Disabled'CompliantTrue
1909.187Ensure 'Turn off shell protocol protected mode' is set to 'Disabled'CompliantTrue
1909.188Ensure 'Prevent downloading of enclosures' is set to 'Enabled'CompliantTrue
1909.189Ensure 'Allow indexing of encrypted files' is set to 'Disabled'CompliantTrue
1909.190Ensure 'Enables or disables Windows Game Recording and Broadcasting' is set to 'Disabled'CompliantTrue
1909.191Ensure 'Configure SMB v1 client driver' is set to 'Enabled'CompliantTrue
1909.192Ensure 'Configure SMB v1 server' is set to 'Disabled'CompliantTrue
1909.193Ensure 'Prevent enabling lock screen camera' is set to 'Enabled'CompliantTrue
1909.194Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled'CompliantTrue
1909.195Ensure 'Allow users to select when a password is required when resuming from connected standby' is set to 'Disabled'Registry value not found.False
1909.196Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled'CompliantTrue
1909.197Ensure 'Show lock in the user tile menu' is set to 'Enabled'Registry value not found.False
1909.198Ensure 'Allow Windows Ink Workspace' is set to 'Enabled'Registry value is '0'. Expected: 1False
1909.199Ensure 'Enable screen saver' is set to 'Enabled'Registry key not found.False
1909.199Ensure 'Password protect the screen saver' is set to 'Enabled'Registry key not found.False
1909.200Ensure 'Screen saver timeout' is set to 'Enabled'Registry key not found.False
1909.201Ensure 'Turn off toast notifications on the lock screen' is set to 'Enabled'Registry key not found.False
1909.202Ensure 'Do not suggest third-party content in Windows spotlight' is set to 'Enabled'Registry value not found.False
1909.203Ensure 'Do not allow Sound Recorder to run' is set to 'Enabled'Registry key not found.False
1909.204Ensure 'Allow Basic authentication' is set to 'Disabled'CompliantTrue
1909.205Ensure 'Disallow Digest authentication' is set to 'Enabled'CompliantTrue
1909.206Ensure 'Allow Basic authentication' is set to 'Disabled'CompliantTrue
1909.207Ensure 'Allow unencrypted traffic' is set to 'Disabled'CompliantTrue
1909.208Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled'CompliantTrue
1909.209Ensure 'Allow Remote Shell Access' is set to 'Disabled'Registry value is '1'. Expected: 0False
1909.210Ensure 'Allow Cortana' is set to 'Disabled'CompliantTrue
1909.211Ensure 'Don't search the web or display web results in Search' is set to 'Enabled'Registry value not found.False
1909.212Ensure 'Windows To Go Default Startup Options' is set to 'Disabled'Registry key not found.False
1909.213Ensure 'Remove Security tab' is set to 'Enabled'Registry key not found.False
1909.214Ensure 'Turn off location scripting' is set to 'Enabled'Registry value not found.False
1909.215Ensure 'Turn off location' is set to 'Enabled'Registry key not found.False
1909.216Ensure 'Turn off Windows Location Provider' is set to 'Enabled'Registry value not found.False
1909.217Ensure 'Turn off access to the Store' is set to 'Enabled'CompliantTrue
1909.218Ensure 'Turn off the Store application' is set to 'Enabled'CompliantTrue
1909.219Ensure 'Determine if interactive users can generate Resultant Set of Policy data' is set to 'Enabled'Registry value not found.False
1909.220Ensure 'Interactive logon: Number of previous logons to cache (in case domain controller is not available)' is set to '4 or fewer logon(s)'CompliantTrue
1909.222Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled'CompliantTrue
1909.223Ensure 'User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop' is set to 'Disabled'CompliantTrue
1909.224(L1) Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure desktop'CompliantTrue
1909.225(L1) Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Automatically deny elevation requests'Registry value is '3'. Expected: 0False
1909.226(L1) Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled'CompliantTrue
1909.227Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled'CompliantTrue
1909.228Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled'CompliantTrue
1909.229Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled'CompliantTrue
1909.230Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled'CompliantTrue
1909.231Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled'CompliantTrue
1909.233Ensure 'Network access: Allow anonymous SID/Name translation' is set to 'Disabled'Registry value not found.False
1909.234Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled'CompliantTrue
1909.235Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is set to 'Enabled'CompliantTrue
1909.236Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled'CompliantTrue
1909.237Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled'CompliantTrue
1909.238Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow'CompliantTrue
1909.239Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled'CompliantTrue
1909.240Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled'CompliantTrue
1909.243Ensure 'System: Specify the maximum log file size (KB)' is set to 'Enabled: 65536 or less'CompliantTrue
1909.260Ensure 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' is set to 'Enabled'CompliantTrue
1909.262Ensure 'CD and DVD: Deny read access' is set to 'Disabled'Registry key not found.False
1909.263Ensure 'Interactive logon: Machine account lockout threshold' is set to '10 or fewer invalid logon attempts, but not 0'CompliantTrue
1909.264Ensure 'Devices: Prevent users from installing printer drivers' is set to 'Enabled'CompliantTrue
1909.265Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts'CompliantTrue
1909.266Ensure 'Network security: Configure encryption types allowed for Kerberos' is set to 'AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types'CompliantTrue
1909.267Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only. Refuse LM&NTLM'CompliantTrue
1909.268Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to 'Require NTLMv2 session security, Require 128-bit encryption'CompliantTrue
1909.269Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to 'Require NTLMv2 session security, Require 128-bit encryption'CompliantTrue
1909.270Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled'CompliantTrue
1909.275Ensure 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'Enabled'CompliantTrue
1909.276Ensure 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'Enabled'CompliantTrue
1909.277Ensure 'Domain member: Digitally sign secure channel data (when possible)' is set to 'Enabled'CompliantTrue
1909.278Ensure 'Domain member: Require strong (Windows 2000 or later) session key' is set to 'Enabled'CompliantTrue
1909.279Ensure 'Domain member: Disable machine account password changes' is set to 'Disabled'CompliantTrue
1909.280Ensure 'Domain member: Maximum machine account password age' is set to '30 or fewer days, but not 0'CompliantTrue
1909.281Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'CompliantTrue
1909.282Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled'CompliantTrue
1909.283Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signing' or higherCompliantTrue
1909.284Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled'CompliantTrue
1909.285Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled'CompliantTrue
1909.288Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled'CompliantTrue
1909.289Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled'CompliantTrue
1909.290Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s)'CompliantTrue
1909.291Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled'CompliantTrue
1909.292Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled'CompliantTrue
1909.293Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0'CompliantTrue
1909.296Ensure 'System cryptography: Force strong key protection for user keys stored on the computer' is set to 'User is prompted when the key is first used' or higherCompliantTrue
1909.314Ensure 'Allow download restrictions' is set to 'Enabled'Registry value is '1'. Expected: 2False
1909.315Ensure 'Configure Do Not Track' is set to 'Enabled'Registry value not found.False
1909.316Ensure 'Control the mode of DNS-over-HTTPS' is set to 'Enabled'Registry value not found.False
1909.317Ensure 'Control where Developer Tools can be used' is set to 'Enabled'Registry value not found.False
1909.318Ensure 'DNS interception checks enabled' is set to 'Disabled'Registry value not found.False
1909.319Ensure 'Default pop-up window setting' is set to 'Enabled'Registry value not found.False
1909.320Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled'Registry value not found.False
1909.321Ensure 'Prevent bypassing of Microsoft Defender SmartScreen warnings about downloads' is set to 'Enabled'CompliantTrue
1909.322Ensure 'Prevent users and apps from accessing dangerous websites' is set to 'Enabled'CompliantTrue
1909.323Ensure 'Use the Enterprise Mode IE website list' is set to 'Enabled'Registry key not found.False
1909.324Ensure 'Send all sites not included in the Enterprise Mode Site List to Microsoft Edge.' is set to 'Enabled'Registry key not found.False

User Rights Assignment-

IdTaskMessageStatus
1909.241Ensure 'Access this computer from the network' is set to 'Administrators, Remote Desktop Users'The user right 'SeNetworkLogonRight' contains following unexpected users: BUILTIN\Users, BUILTIN\Backup Operators The user 'SeNetworkLogonRight' setting does not contain the following users: BUILTIN\Remote Desktop UsersFalse
1909.242Ensure 'Deny access to this computer from the network' to include 'Guests, Local account'The user 'SeDenyNetworkLogonRight' setting does not contain the following users: LOCALFalse
1909.244Ensure 'Manage auditing and security log' is set to 'Administrators'CompliantTrue
1909.271Ensure 'Allow log on through Remote Desktop Services' is set to 'Administrators, Remote Desktop Users'CompliantTrue
1909.273(L1) Ensure 'Allow log on through Remote Desktop Services' is set to 'Remote Desktop Users'The user right 'SeRemoteInteractiveLogonRight' contains following unexpected users: BUILTIN\AdministratorsFalse
1909.274Ensure 'Deny log on through Remote Desktop Services' to include 'Guests, Local account'CompliantTrue
1909.294Ensure 'Back up files and directories' is set to 'Administrators'CompliantTrue
1909.295Ensure 'Restore files and directories' is set to 'Administrators'CompliantTrue
1909.297Ensure 'Access Credential Manager as a trusted caller' is set to 'No One'CompliantTrue
1909.298Ensure 'Act as part of the operating system' is set to 'No One'CompliantTrue
1909.299Ensure 'Allow log on locally' is set to 'Administrators, Users'CompliantTrue
1909.300Ensure 'Create a pagefile' is set to 'Administrators'CompliantTrue
1909.301Ensure 'Create a token object' is set to 'No One'CompliantTrue
1909.302Ensure 'Create global objects' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'CompliantTrue
1909.303Ensure 'Create permanent shared objects' is set to 'No One'CompliantTrue
1909.304Ensure 'Debug programs' is set to 'Administrators'The user 'SeDebugPrivilege' setting does not contain the following users: BUILTIN\AdministratorsFalse
1909.305Ensure 'Enable computer and user accounts to be trusted for delegation' is set to 'No One'CompliantTrue
1909.306Ensure 'Force shutdown from a remote system' is set to 'Administrators'CompliantTrue
1909.307Ensure 'Impersonate a client after authentication' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'CompliantTrue
1909.308Ensure 'Load and unload device drivers' is set to 'Administrators'CompliantTrue
1909.309Ensure 'Lock pages in memory' is set to 'No One'CompliantTrue
1909.310Ensure 'Modify firmware environment values' is set to 'Administrators'CompliantTrue
1909.311Ensure 'Perform volume maintenance tasks' is set to 'Administrators'CompliantTrue
1909.312Ensure 'Profile single process' is set to 'Administrators'CompliantTrue
1909.313Ensure 'Take ownership of files or other objects' is set to 'Administrators'CompliantTrue

Account Policies-

IdTaskMessageStatus
1909.232Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)'CompliantTrue

Advanced Audit Policy Configuration-

IdTaskMessageStatus
1909.245Ensure 'Audit Computer Account Management' is set to 'Success and Failure'Set to: No AuditingFalse
1909.246Ensure 'Audit Other Account Management Events' is set to 'Success and Failure'Set to: No AuditingFalse
1909.247Ensure 'Audit Security Group Management' is set to 'Success and Failure'Set to: SuccessFalse
1909.248Ensure 'Audit User Account Management' is set to 'Success and Failure'CompliantTrue
1909.249Ensure 'Audit Process Creation' is set to 'Success'CompliantTrue
1909.250Ensure 'Audit Account Lockout' is set to include 'Failure'CompliantTrue
1909.251Ensure 'Audit Group Membership' is set to include 'Success'CompliantTrue
1909.252Ensure 'Audit Logoff' is set to include 'Success'CompliantTrue
1909.253Ensure 'Audit Logon' is set to 'Success and Failure'CompliantTrue
1909.254Ensure 'Audit Other Logon/Logoff Events' is set to 'Success and Failure'CompliantTrue
1909.255Ensure 'Audit Special Logon' is set to include 'Success and Failure'Set to: SuccessFalse
1909.256Ensure 'Audit File Share' is set to 'Success and Failure'CompliantTrue
1909.257Ensure 'Audit Other Object Access Events' is set to 'Success and Failure'CompliantTrue
1909.258Ensure 'Audit Audit Policy Change' is set to include 'Success'CompliantTrue
1909.259Ensure 'Audit Other Policy Change Events' is set to include 'Failure'CompliantTrue

Microsoft Benchmarks-

This section contains the Microsoft Benchmark results.

Registry Settings/Group Policies-

IdTaskMessageStatus
Registry-001Set registry value 'PUAProtection' to 1.CompliantTrue
Registry-002Set registry value 'MpCloudBlockLevel' to 2.Registry value not found.False
Registry-003Ensure 'Scan all downloaded files and attachments' is set to 'Enabled'.CompliantTrue
Registry-004Ensure 'Turn off real-time protection' is set to 'Disabled'.CompliantTrue
Registry-005Ensure 'Scan removable drives' is set to 'Enabled'.CompliantTrue
Registry-006Ensure 'Send file samples when further analysis is required' is set to 'Send safe samples'.Registry value is '2'. Expected: 1False
Registry-007Ensure 'Join Microsoft MAPS' is set to 'Advanced MAPS'.Registry value is '0'. Expected: 2False
Registry-008Ensure 'Configure the 'Block at First Sight' feature' is set to 'Enabled'.Registry value not found.False
Registry-009Set registry value 'ExploitGuard_ASR_Rules' to 1.CompliantTrue
Registry-010Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from injecting code into other processes)CompliantTrue
Registry-011Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from creating executable content)CompliantTrue
Registry-012Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from creating child processes)CompliantTrue
Registry-013Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Win32 API calls from Office macro)CompliantTrue
Registry-014Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block execution of potentially obfuscated scripts)CompliantTrue
Registry-015Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block JavaScript or VBScript from launching downloaded executable content)CompliantTrue
Registry-016Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block executable content from email client and webmail)CompliantTrue
Registry-017Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block credential stealing from the Windows local security authority subsystem (lsass.exe))CompliantTrue
Registry-018Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block untrusted and unsigned processes that run from USB)CompliantTrue
Registry-019Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office communication application from creating child processes)CompliantTrue
Registry-020Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Adobe Reader from creating child processes)CompliantTrue
Registry-021Ensure 'Configure Attack Surface Reduction rules' is configured (Use advanced protection against ransomware)Registry value is '0'. Expected: 1False
Registry-022Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block persistence through WMI event subscription)CompliantTrue
Registry-023Set registry value 'EnableNetworkProtection' to 1.CompliantTrue
Registry-024Ensure 'Turn On Virtualization Based Security' is set to 'Enabled'.CompliantTrue
Registry-025Ensure 'Turn On Virtualization Based Security' is set to 'Secure Boot'.CompliantTrue
Registry-026Ensure 'Turn On Virtualization Based Security' is set to 'Enabled with UEFI lock'.CompliantTrue
Registry-027Set registry value 'HVCIMATRequired' to 1.CompliantTrue
Registry-028Ensure 'Turn On Virtualization Based Security' is set to 'Enabled with UEFI lock'.CompliantTrue
Registry-029Set registry value 'ConfigureSystemGuardLaunch' to 1.CompliantTrue
Registry-031Set registry value 'UseEnhancedPin' to 1.CompliantTrue
Registry-032Set registry value 'RDVDenyCrossOrg' to 0.CompliantTrue
Registry-033Set registry value 'DisableExternalDMAUnderLock' to 1.CompliantTrue
Registry-034Set registry value 'DCSettingIndex' to 0.CompliantTrue
Registry-035Set registry value 'ACSettingIndex' to 0.CompliantTrue
Registry-036Set registry value 'DenyDeviceClasses' to 1.CompliantTrue
Registry-037Set registry value 'DenyDeviceClassesRetroactive' to 1.CompliantTrue
Registry-038Set registry value '1' to {d48179be-ec20-11d1-b6b8-00c04fa372a7}.CompliantTrue
Registry-039Ensure 'Deny write access to removable drives not protected by BitLocker' is set to 'Enabled'.CompliantTrue
Registry-040Set registry value 'AutoConnectAllowedOEM' to 0.CompliantTrue
Registry-041Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled'.CompliantTrue
Registry-042Ensure 'Turn off Autoplay' is set to 'All drives'.CompliantTrue
Registry-043Set registry value 'NoWebServices' to 1.CompliantTrue
Registry-044Ensure 'Set the default behavior for AutoRun' is set to 'Do not execute any autorun commands'.CompliantTrue
Registry-045Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled'.CompliantTrue
Registry-046Ensure 'Sign-in last interactive user automatically after a system-initiated restart' is set to 'Disabled'.CompliantTrue
Registry-047Set registry value 'LocalAccountTokenFilterPolicy' to 0.CompliantTrue
Registry-048Set registry value 'AllowEncryptionOracle' to 0.CompliantTrue
Registry-049Set registry value 'EnhancedAntiSpoofing' to 1.CompliantTrue
Registry-050Ensure 'Prevent downloading of enclosures' is set to 'Enabled'.CompliantTrue
Registry-051Set registry value 'PreventCertErrorOverrides' to 1.CompliantTrue
Registry-052Set registry value 'FormSuggest Passwords' to no.CompliantTrue
Registry-053Set registry value 'EnabledV9' to 1.CompliantTrue
Registry-054Set registry value 'PreventOverride' to 1.CompliantTrue
Registry-055Set registry value 'PreventOverrideAppRepUnknown' to 1.CompliantTrue
Registry-056Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled'.CompliantTrue
Registry-057Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled'.CompliantTrue
Registry-058Set registry value 'LetAppsActivateWithVoiceAboveLock' to 2.CompliantTrue
Registry-059Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled'.CompliantTrue
Registry-060Set registry value 'AllowProtectedCreds' to 1.CompliantTrue
Registry-061Ensure 'Specify the maximum log file size (KB)' is set to '32768'.CompliantTrue
Registry-062Ensure 'Specify the maximum log file size (KB)' is set to '196608'.CompliantTrue
Registry-063Ensure 'Specify the maximum log file size (KB)' is set to '32768'.CompliantTrue
Registry-064Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled'.CompliantTrue
Registry-065Set registry value 'AllowGameDVR' to 0.CompliantTrue
Registry-066Ensure 'Configure registry policy processing' is set to '0'.CompliantTrue
Registry-067Ensure 'Configure registry policy processing' is set to '0'.CompliantTrue
Registry-068Set registry value 'AlwaysInstallElevated' to 0.CompliantTrue
Registry-069Ensure 'Allow user control over installs' is set to 'Disabled'.CompliantTrue
Registry-070Set registry value 'DeviceEnumerationPolicy' to 0.CompliantTrue
Registry-071Ensure 'Enable insecure guest logons' is set to 'Disabled'.CompliantTrue
Registry-072Ensure 'Prohibit use of Internet Connection Sharing on your DNS domain network' is set to 'Enabled'.CompliantTrue
Registry-073Set registry value '\\*\SYSVOL' to RequireMutualAuthentication=1, RequireIntegrity=1.CompliantTrue
Registry-074Set registry value '\\*\NETLOGON' to RequireMutualAuthentication=1, RequireIntegrity=1.CompliantTrue
Registry-075Set registry value 'NoLockScreenCamera' to 1.CompliantTrue
Registry-076Set registry value 'NoLockScreenSlideshow' to 1.CompliantTrue
Registry-077Ensure 'Turn on PowerShell Script Block Logging' is set to 'Enabled'. (EnableScriptBlockLogging)CompliantTrue
Registry-078Ensure 'Turn on PowerShell Script Block Logging' is not set. (EnableScriptBlockInvocationLogging)Registry value not found.False
Registry-079Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled'.CompliantTrue
Registry-080Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled'.CompliantTrue
Registry-081Ensure 'Configure Windows SmartScreen' is set to 'Enabled'.CompliantTrue
Registry-082Set registry value 'ShellSmartScreenLevel' to Block.CompliantTrue
Registry-083Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled'.CompliantTrue
Registry-084Set registry value 'AllowIndexingEncryptedStoresOrItems' to 0.CompliantTrue
Registry-085Ensure 'Disallow Digest authentication' is set to 'Enabled'.CompliantTrue
Registry-086Ensure 'Allow unencrypted traffic' is set to 'Disabled'.CompliantTrue
Registry-087Ensure 'Allow Basic authentication' is set to 'Disabled'.CompliantTrue
Registry-088Ensure 'Allow unencrypted traffic' is set to 'Disabled'.CompliantTrue
Registry-089Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled'.CompliantTrue
Registry-090Ensure 'Allow Basic authentication' is set to 'Disabled'.CompliantTrue
Registry-091Ensure 'Turn off multicast name resolution' is set to 'Enabled'.CompliantTrue
Registry-092Set registry value 'DisableWebPnPDownload' to 1.CompliantTrue
Registry-093Ensure 'Restrict Unauthenticated RPC clients' is set to 'Authenticated'.CompliantTrue
Registry-094Solicited Remote Assistance - Set method for sending email invitations to 'Simple MAPI'Compliant. Registry value not found.True
Registry-095Configure Solicited Remote Assistance to disabled.CompliantTrue
Registry-096Configure Solicited Remote Assistance - Allow helpers to only view the computer.Compliant. Registry value not found.True
Registry-097Set registry value 'MaxTicketExpiry' to .Compliant. Registry value not found.True
Registry-098Set registry value 'MaxTicketExpiryUnits' to .Compliant. Registry value not found.True
Registry-099Set registry value 'MinEncryptionLevel' to 3.CompliantTrue
Registry-100Set registry value 'fPromptForPassword' to 1.CompliantTrue
Registry-101Set registry value 'fDisableCdm' to 1.CompliantTrue
Registry-102Set registry value 'DisablePasswordSaving' to 1.CompliantTrue
Registry-103Set registry value 'fEncryptRPCTraffic' to 1.CompliantTrue
Registry-104Set registry value 'PolicyVersion' to 538.Registry value not found.False
Registry-105Domain: Set registry value 'DefaultOutboundAction' to 0.CompliantTrue
Registry-106Domain: Set registry value 'DisableNotifications' to 1.CompliantTrue
Registry-107Domain: Set registry value 'EnableFirewall' to 1.CompliantTrue
Registry-108Domain: Set registry value 'DefaultInboundAction' to 1.CompliantTrue
Registry-109Domain: Set registry value 'LogDroppedPackets' to 1.CompliantTrue
Registry-110Domain: Set registry value 'LogFileSize' to 16384.CompliantTrue
Registry-111Domain: Set registry value 'LogSuccessfulConnections' to 1.CompliantTrue
Registry-112Private: Set registry value 'EnableFirewall' to 1.CompliantTrue
Registry-113Private: Set registry value 'DisableNotifications' to 1.CompliantTrue
Registry-114Private: Set registry value 'DefaultInboundAction' to 1.CompliantTrue
Registry-115Private: Set registry value 'DefaultOutboundAction' to 0.Registry value is '0'. Expected: 1False
Registry-116Private: Set registry value 'LogSuccessfulConnections' to 1.CompliantTrue
Registry-117Private: Set registry value 'LogDroppedPackets' to 1.CompliantTrue
Registry-118Private: Set registry value 'LogFileSize' to 16384.CompliantTrue
Registry-119Public: Set registry value 'DefaultOutboundAction' to 0.Registry value is '0'. Expected: 1False
Registry-120Public: Set registry value 'EnableFirewall' to 1.CompliantTrue
Registry-121Public: Set registry value 'DisableNotifications' to 1.CompliantTrue
Registry-122Public: Set registry value 'AllowLocalIPsecPolicyMerge' to 0.CompliantTrue
Registry-123Public: Set registry value 'AllowLocalPolicyMerge' to 0.CompliantTrue
Registry-124Public: Set registry value 'DefaultInboundAction' to 1.CompliantTrue
Registry-125Public: Set registry value 'LogFileSize' to 16384.Registry key not found.False
Registry-126Public: Set registry value 'LogDroppedPackets' to 1.CompliantTrue
Registry-127Public: Set registry value 'LogSuccessfulConnections' to 1.CompliantTrue
Registry-128Ensure 'Allow Windows Ink Workspace' is set to 'On, but disallow access above lock'.Registry value is '0'. Expected: 1False
Registry-129Set registry value 'AdmPwdEnabled' to 1.CompliantTrue
Registry-130Ensure 'WDigest Authentication (disabling may require KB2871997)' is set to 'Disabled'.CompliantTrue
Registry-131Ensure 'Enable Structured Exception Handling Overwrite Protection (SEHOP)' is set to 'Enabled'.CompliantTrue
Registry-132Set registry value 'DriverLoadPolicy' to 3.CompliantTrue
Registry-133Ensure 'Configure SMB v1 server' is set to 'Disabled'.CompliantTrue
Registry-134Ensure 'Configure SMB v1 client driver' is set to 'Disable driver (recommended)'.CompliantTrue
Registry-135Set registry value 'NoNameReleaseOnDemand' to 1.CompliantTrue
Registry-136Set registry value 'NodeType' to 2.CompliantTrue
Registry-137Set registry value 'EnableICMPRedirect' to 0.CompliantTrue
Registry-138Set registry value 'DisableIPSourceRouting' to 2.CompliantTrue
Registry-139Set registry value 'DisableIPSourceRouting' to 2.CompliantTrue
Registry-140Set registry value 'ScRemoveOption' to 1.CompliantTrue
Registry-141Set registry value 'InactivityTimeoutSecs' to 900.CompliantTrue
Registry-142Set registry value 'NoLMHash' to 1.CompliantTrue
Registry-143Set registry value 'EnablePlainTextPassword' to 0.CompliantTrue
Registry-144Set registry value 'LimitBlankPasswordUse' to 1.CompliantTrue
Registry-145Set registry value 'RestrictAnonymousSAM' to 1.CompliantTrue
Registry-146Set registry value 'RestrictAnonymous' to 1.CompliantTrue
Registry-147Set registry value 'RestrictNullSessAccess' to 1.CompliantTrue
Registry-148Set registry value 'SCENoApplyLegacyAuditPolicy' to 1.CompliantTrue
Registry-149Set registry value 'NTLMMinClientSec' to 537395200.CompliantTrue
Registry-150Set registry value 'LmCompatibilityLevel' to 5.CompliantTrue
Registry-151Set registry value 'allownullsessionfallback' to 0.CompliantTrue
Registry-152Set registry value 'NTLMMinServerSec' to 537395200.CompliantTrue
Registry-153Set registry value 'requirestrongkey' to 1.CompliantTrue
Registry-154Set registry value 'RequireSecuritySignature' to 1.CompliantTrue
Registry-155Set registry value 'sealsecurechannel' to 1.CompliantTrue
Registry-156Set registry value 'requiresignorseal' to 1.CompliantTrue
Registry-157Set registry value 'signsecurechannel' to 1.CompliantTrue
Registry-158Set registry value 'requiresecuritysignature' to 1.CompliantTrue
Registry-159Set registry value 'ProtectionMode' to 1.CompliantTrue
Registry-160Set registry value 'ConsentPromptBehaviorAdmin' to 2.CompliantTrue
Registry-161Set registry value 'EnableSecureUIAPaths' to 1.CompliantTrue
Registry-162Set registry value 'EnableLUA' to 1.CompliantTrue
Registry-163Set registry value 'ConsentPromptBehaviorUser' to 0.Registry value is '3'. Expected: 0False
Registry-164Set registry value 'EnableInstallerDetection' to 1.CompliantTrue
Registry-165Set registry value 'FilterAdministratorToken' to 1.CompliantTrue
Registry-166Set registry value 'EnableVirtualization' to 1.CompliantTrue
Registry-167Set registry value 'LDAPClientIntegrity' to 1.CompliantTrue
Registry-168Set registry value 'RestrictRemoteSAM' to O:BAG:BAD:(A;;RC;;;BA).CompliantTrue
Registry-223Ensure 'Do not suggest third-party content in Windows spotlight' is set to 'Enabled'.Registry value not found.False
Registry-224Set registry value 'NoToastApplicationNotificationOnLockScreen' to 1.Registry key not found.False
Registry-225Set registry value 'FormSuggest Passwords' to 1.Registry key not found.False
Registry-226Ensure 'Turn on the auto-complete feature for user names and passwords on forms' is set to 'no'.Registry key not found.False
Registry-227Set registry value 'FormSuggest Passwords' to no.Registry key not found.False
Registry-228Ensure 'Remove "Run this time" button for outdated ActiveX controls in Internet Explorer ' is set to 'Enabled'.Registry value not found.False
Registry-229Ensure 'Turn off blocking of outdated ActiveX controls for Internet Explorer' is set to 'Disabled'.Registry value not found.False
Registry-230Ensure 'Allow software to run or install even if the signature is invalid' is set to 'Disabled'.CompliantTrue
Registry-231Set registry value 'CheckExeSignatures' to yes.CompliantTrue
Registry-232Ensure 'Turn on 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows' is set to 'Enabled'.CompliantTrue
Registry-233Ensure 'Do not allow ActiveX controls to run in Protected Mode when Enhanced Protected Mode is enabled' is set to 'Enabled'.CompliantTrue
Registry-234Set registry value 'Isolation' to PMEM.CompliantTrue
Registry-235Set registry value '(Reserved)' to 1.Registry value not found.False
Registry-236Set registry value 'iexplore.exe' to 1.Registry value not found.False
Registry-237Set registry value 'explorer.exe' to 1.Registry value not found.False
Registry-238Set registry value 'explorer.exe' to 1.CompliantTrue
Registry-239Set registry value 'iexplore.exe' to 1.Registry value not found.False
Registry-240Set registry value '(Reserved)' to 1.Registry value not found.False
Registry-241Set registry value 'explorer.exe' to 1.CompliantTrue
Registry-242Set registry value 'iexplore.exe' to 1.Registry value not found.False
Registry-243Set registry value '(Reserved)' to 1.Registry value not found.False
Registry-244Set registry value '(Reserved)' to 1.Registry value not found.False
Registry-245Set registry value 'explorer.exe' to 1.Registry value not found.False
Registry-246Set registry value 'iexplore.exe' to 1.Registry value not found.False
Registry-247Set registry value '(Reserved)' to 1.Registry value not found.False
Registry-248Set registry value 'iexplore.exe' to 1.Registry value not found.False
Registry-249Set registry value 'explorer.exe' to 1.Registry value not found.False
Registry-250Set registry value '(Reserved)' to 1.Registry value not found.False
Registry-251Set registry value 'iexplore.exe' to 1.Registry value not found.False
Registry-252Set registry value 'explorer.exe' to 1.CompliantTrue
Registry-253Set registry value 'iexplore.exe' to 1.Registry value not found.False
Registry-254Set registry value '(Reserved)' to 1.CompliantTrue
Registry-255Set registry value 'explorer.exe' to 1.Registry value not found.False
Registry-256Set registry value '(Reserved)' to 1.Registry value not found.False
Registry-257Set registry value 'explorer.exe' to 1.CompliantTrue
Registry-258Set registry value 'iexplore.exe' to 1.Registry value not found.False
Registry-259Set registry value 'PreventOverrideAppRepUnknown' to 1.CompliantTrue
Registry-260Set registry value 'PreventOverride' to 1.CompliantTrue
Registry-261Ensure 'Prevent managing SmartScreen Filter' is set to 'On'.Registry value not found.False
Registry-262Set registry value 'NoCrashDetection' to 1.CompliantTrue
Registry-263Ensure 'Turn off the Security Settings Check feature' is set to 'Disabled'.CompliantTrue
Registry-264Ensure 'Prevent per-user installation of ActiveX controls' is set to 'Enabled'.CompliantTrue
Registry-265Ensure 'Specify use of ActiveX Installer Service for installation of ActiveX controls' is set to 'Enabled'.CompliantTrue
Registry-266Set registry value 'Security_zones_map_edit' to 1.CompliantTrue
Registry-267Set registry value 'Security_options_edit' to 1.CompliantTrue
Registry-268Set registry value 'Security_HKLM_only' to 1.CompliantTrue
Registry-269Ensure 'Check for server certificate revocation' is set to 'Enabled'.CompliantTrue
Registry-270Ensure 'Prevent ignoring certificate errors' is set to 'Enabled'.CompliantTrue
Registry-271Set registry value 'WarnOnBadCertRecving' to 1.CompliantTrue
Registry-272Ensure 'Allow fallback to SSL 3.0 (Internet Explorer)' is set to 'No Sites'.Registry value not found.False
Registry-273Ensure 'Turn off encryption support' is set to 'Use TLS 1.1 and TLS 1.2'.CompliantTrue
Registry-274Ensure 'Java permissions' is set to 'Disable Java'.CompliantTrue
Registry-275Ensure 'Java permissions' is set to 'Disable Java'.CompliantTrue
Registry-276Ensure 'Java permissions' is set to 'Disable Java'.CompliantTrue
Registry-277Ensure 'Turn on SmartScreen Filter scan' is set to 'Enable'.CompliantTrue
Registry-278Ensure 'Turn on SmartScreen Filter scan' is set to 'Enable'.CompliantTrue
Registry-279Ensure 'Java permissions' is set to 'Disable Java'.CompliantTrue
Registry-280Ensure 'Intranet Sites: Include all network paths (UNCs)' is set to 'Disabled'.CompliantTrue
Registry-281Ensure 'Java permissions' is set to 'Disable Java'.CompliantTrue
Registry-282Ensure 'Don't run antimalware programs against ActiveX controls' is set to 'Disable'.CompliantTrue
Registry-283Ensure 'Don't run antimalware programs against ActiveX controls' is set to 'Disable'.CompliantTrue
Registry-284Ensure 'Initialize and script ActiveX controls not marked as safe' is set to 'Disable'.CompliantTrue
Registry-285Ensure 'Java permissions' is set to 'High safety'.CompliantTrue
Registry-286Ensure 'Java permissions' is set to 'High safety'.CompliantTrue
Registry-287Ensure 'Don't run antimalware programs against ActiveX controls' is set to 'Disable'.CompliantTrue
Registry-288Ensure 'Initialize and script ActiveX controls not marked as safe' is set to 'Disable'.CompliantTrue
Registry-289Ensure 'Run .NET Framework-reliant components signed with Authenticode' is set to 'Disable'.CompliantTrue
Registry-290Ensure 'Allow script-initiated windows without size or position constraints' is set to 'Disable'.CompliantTrue
Registry-291Ensure 'Allow drag and drop or copy and paste files' is set to 'Disable'.CompliantTrue
Registry-292Ensure 'Include local path when user is uploading files to a server' is set to 'Disable'.CompliantTrue
Registry-293Ensure 'Initialize and script ActiveX controls not marked as safe' is set to 'Disable'.CompliantTrue
Registry-294Ensure 'Access data sources across domains' is set to 'Disable'.CompliantTrue
Registry-295Ensure 'Launching applications and files in an IFRAME' is set to 'Disable'.CompliantTrue
Registry-296Ensure 'Automatic prompting for file downloads' is set to 'Disable'.CompliantTrue
Registry-297Ensure 'Allow scriptlets' is set to 'Disable'.CompliantTrue
Registry-298Ensure 'Allow scripting of Internet Explorer WebBrowser controls' is set to 'Disable'.CompliantTrue
Registry-299Ensure 'Use Pop-up Blocker' is set to 'Enable'.CompliantTrue
Registry-300Ensure 'Turn on Protected Mode' is set to 'Enable'.CompliantTrue
Registry-301Ensure 'Allow updates to status bar via script' is set to 'Disable'.Registry value is '0'. Expected: 3False
Registry-302Ensure 'Userdata persistence' is set to 'Disable'.CompliantTrue
Registry-303Ensure 'Allow loading of XAML files' is set to 'Disable'.CompliantTrue
Registry-304Ensure 'Run .NET Framework-reliant components not signed with Authenticode' is set to 'Disable'.CompliantTrue
Registry-305Ensure 'Java permissions' is set to 'Disable Java'.CompliantTrue
Registry-306Ensure 'Download signed ActiveX controls' is set to 'Disable'.CompliantTrue
Registry-307Ensure 'Logon options' is set to 'Prompt for user name and password'.CompliantTrue
Registry-308Ensure 'Enable dragging of content from different domains within a window' is set to 'Disable'.CompliantTrue
Registry-309Ensure 'Download unsigned ActiveX controls' is set to 'Disable'.CompliantTrue
Registry-310Ensure 'Allow only approved domains to use ActiveX controls without prompt' is set to 'Enable'.CompliantTrue
Registry-311Ensure 'Allow cut, copy or paste operations from the clipboard via script' is set to 'Disable'.CompliantTrue
Registry-312Ensure 'Turn on Cross-Site Scripting Filter' is set to 'Enable'.CompliantTrue
Registry-313Ensure 'Don't run antimalware programs against ActiveX controls' is set to 'Disable'.CompliantTrue
Registry-314Ensure 'Navigate windows and frames across different domains' is set to 'Disable'.CompliantTrue
Registry-315Ensure 'Enable dragging of content from different domains across windows' is set to 'Disable'.CompliantTrue
Registry-316Ensure 'Web sites in less privileged Web content zones can navigate into this zone' is set to 'Disable'.CompliantTrue
Registry-317Ensure 'Turn on SmartScreen Filter scan' is set to 'Enable'.Registry value not found.False
Registry-318Ensure 'Show security warning for potentially unsafe files' is set to 'Prompt'.Registry value is '3'. Expected: 1False
Registry-319Ensure 'Allow only approved domains to use the TDC ActiveX control' is set to 'Enable'.Registry value not found.False
Registry-320Set registry value '140C' to 3. (Zones\3)Registry value not found.False
Registry-321Ensure 'Allow META REFRESH' is set to 'Disable'.CompliantTrue
Registry-322Ensure 'Initialize and script ActiveX controls not marked as safe' is set to 'Disable'.CompliantTrue
Registry-323Ensure 'Download signed ActiveX controls' is set to 'Disable'.CompliantTrue
Registry-324Ensure 'Navigate windows and frames across different domains' is set to 'Disable'.CompliantTrue
Registry-325Ensure 'Allow only approved domains to use ActiveX controls without prompt' is set to 'Enable'.CompliantTrue
Registry-326Ensure 'Use Pop-up Blocker' is set to 'Enable'.CompliantTrue
Registry-327Ensure 'Download unsigned ActiveX controls' is set to 'Disable'.CompliantTrue
Registry-328Ensure 'Userdata persistence' is set to 'Disable'.CompliantTrue
Registry-329Ensure 'Allow cut, copy or paste operations from the clipboard via script' is set to 'Disable'.CompliantTrue
Registry-330Ensure 'Include local path when user is uploading files to a server' is set to 'Disable'.CompliantTrue
Registry-331Ensure 'Access data sources across domains' is set to 'Disable'.CompliantTrue
Registry-332Ensure 'Allow script-initiated windows without size or position constraints' is set to 'Disable'.CompliantTrue
Registry-333Ensure 'Run .NET Framework-reliant components not signed with Authenticode' is set to 'Disable'.CompliantTrue
Registry-334Ensure 'Automatic prompting for file downloads' is set to 'Disable'.CompliantTrue
Registry-335Ensure 'Allow binary and script behaviors' is set to 'Disable'.CompliantTrue
Registry-336Ensure 'Scripting of Java applets' is set to 'Disable'.CompliantTrue
Registry-337Ensure 'Allow file downloads' is set to 'Disable'.CompliantTrue
Registry-338Ensure 'Allow loading of XAML files' is set to 'Disable'.CompliantTrue
Registry-339Ensure 'Allow active scripting' is set to 'Disable'.CompliantTrue
Registry-340Ensure 'Logon options' is set to 'Anonymous logon'.CompliantTrue
Registry-341Ensure 'Run .NET Framework-reliant components signed with Authenticode' is set to 'Disable'.CompliantTrue
Registry-342Ensure 'Turn on Protected Mode' is set to 'Enable'.CompliantTrue
Registry-343Ensure 'Turn on Cross-Site Scripting Filter' is set to 'Enable'.CompliantTrue
Registry-344Ensure 'Java permissions' is set to 'Disable Java'.CompliantTrue
Registry-345Ensure 'Allow scriptlets' is set to 'Disable'.CompliantTrue
Registry-346Ensure 'Don't run antimalware programs against ActiveX controls' is set to 'Disable'.CompliantTrue
Registry-347Ensure 'Allow scripting of Internet Explorer WebBrowser controls' is set to 'Disable'.CompliantTrue
Registry-348Ensure 'Enable dragging of content from different domains within a window' is set to 'Disable'.CompliantTrue
Registry-349Ensure 'Allow drag and drop or copy and paste files' is set to 'Disable'.CompliantTrue
Registry-350Ensure 'Allow updates to status bar via script' is set to 'Disable'.Registry value is '0'. Expected: 3False
Registry-351Ensure 'Enable dragging of content from different domains across windows' is set to 'Disable'.CompliantTrue
Registry-352Ensure 'Script ActiveX controls marked safe for scripting' is set to 'Disable'.CompliantTrue
Registry-353Ensure 'Web sites in less privileged Web content zones can navigate into this zone' is set to 'Disable'.CompliantTrue
Registry-354Ensure 'Turn on SmartScreen Filter scan' is set to 'Enable'.CompliantTrue
Registry-355Ensure 'Run ActiveX controls and plugins' is set to 'Disable'.CompliantTrue
Registry-356Ensure 'Launching applications and files in an IFRAME' is set to 'Disable'.CompliantTrue
Registry-357Ensure 'Show security warning for potentially unsafe files' is set to 'Disable'.Registry value is '1'. Expected: 3False
Registry-358Ensure 'Allow only approved domains to use the TDC ActiveX control' is set to 'Enable'.Registry value not found.False
Registry-359Set registry value '140C' to 3. (Zones\4)Registry value not found.False

User Rights Assignment-

IdTaskMessageStatus
UserRight-170Ensure 'SeSecurityPrivilege' is set to 'S-1-5-32-544'CompliantTrue
UserRight-171Ensure 'SeRestorePrivilege' is set to 'S-1-5-32-544'CompliantTrue
UserRight-172Ensure 'SeTakeOwnershipPrivilege' is set to 'S-1-5-32-544'CompliantTrue
UserRight-173Ensure 'SeBackupPrivilege' is set to 'S-1-5-32-544'CompliantTrue
UserRight-174Ensure 'SeDenyRemoteInteractiveLogonRight' is set to 'S-1-5-113'CompliantTrue
UserRight-175Ensure 'SeCreatePermanentPrivilege' is set to ''CompliantTrue
UserRight-176Ensure 'SeManageVolumePrivilege' is set to 'S-1-5-32-544'CompliantTrue
UserRight-177Ensure 'SeLoadDriverPrivilege' is set to 'S-1-5-32-544'CompliantTrue
UserRight-178Ensure 'SeLockMemoryPrivilege' is set to ''CompliantTrue
UserRight-179Ensure 'SeDenyNetworkLogonRight' is set to 'S-1-5-113'CompliantTrue
UserRight-180Ensure 'SeNetworkLogonRight' is set to 'S-1-5-32-544, S-1-5-32-555'The user right 'SeNetworkLogonRight' contains following unexpected users: BUILTIN\Users, BUILTIN\Backup Operators The user 'SeNetworkLogonRight' setting does not contain the following users: BUILTIN\Remote Desktop UsersFalse
UserRight-181Ensure 'SeImpersonatePrivilege' is set to 'S-1-5-32-544, S-1-5-6, S-1-5-19, S-1-5-20'CompliantTrue
UserRight-182Ensure 'SeCreateTokenPrivilege' is set to ''CompliantTrue
UserRight-183Ensure 'SeCreateGlobalPrivilege' is set to 'S-1-5-32-544, S-1-5-6, S-1-5-19, S-1-5-20'CompliantTrue
UserRight-184Ensure 'SeSystemEnvironmentPrivilege' is set to 'S-1-5-32-544'CompliantTrue
UserRight-185Ensure 'SeCreatePagefilePrivilege' is set to 'S-1-5-32-544'CompliantTrue
UserRight-186Ensure 'SeInteractiveLogonRight' is set to 'S-1-5-32-544, S-1-5-32-545'CompliantTrue
UserRight-187Ensure 'SeRemoteShutdownPrivilege' is set to 'S-1-5-32-544'CompliantTrue
UserRight-188Ensure 'SeDebugPrivilege' is set to 'S-1-5-32-544'The user 'SeDebugPrivilege' setting does not contain the following users: BUILTIN\AdministratorsFalse
UserRight-189Ensure 'SeTrustedCredManAccessPrivilege' is set to ''CompliantTrue
UserRight-190Ensure 'SeProfileSingleProcessPrivilege' is set to 'S-1-5-32-544'CompliantTrue
UserRight-191Ensure 'SeTcbPrivilege' is set to ''CompliantTrue
UserRight-192Ensure 'SeEnableDelegationPrivilege' is set to ''CompliantTrue

Account Policies-

IdTaskMessageStatus
AccountPolicy-216Ensure 'MinimumPasswordLength' is set to '14'.CompliantTrue
AccountPolicy-217Ensure 'PasswordComplexity' is set to '1'.CompliantTrue
AccountPolicy-218Ensure 'PasswordHistorySize' is set to '24'.CompliantTrue
AccountPolicy-219Ensure 'LockoutBadCount' is set to '10'.CompliantTrue
AccountPolicy-220Ensure 'ResetLockoutCount' is set to '15'.CompliantTrue
AccountPolicy-221Ensure 'LockoutDuration' is set to '15'.CompliantTrue
AccountPolicy-222Ensure 'ClearTextPassword' is set to '0'.CompliantTrue

Advanced Audit Policy Configuration-

IdTaskMessageStatus
AuditPolicy-193Ensure 'Credential Validation' is set to 'Success' and is set to 'Failure'.CompliantTrue
AuditPolicy-194Ensure 'Security Group Management' is set to 'Success'.CompliantTrue
AuditPolicy-195Ensure 'User Account Management' is set to 'Success' and is set to 'Failure'.CompliantTrue
AuditPolicy-196Ensure 'Plug and Play Events' is set to 'Success'.CompliantTrue
AuditPolicy-197Ensure 'Process Creation' is set to 'Success'.CompliantTrue
AuditPolicy-198Ensure 'Account Lockout' is set to 'Failure'.CompliantTrue
AuditPolicy-199Ensure 'Group Membership' is set to 'Success'.CompliantTrue
AuditPolicy-200Ensure 'Logon' is set to 'Success' and is set to 'Failure'.CompliantTrue
AuditPolicy-201Ensure 'Other Logon/Logoff Events' is set to 'Success' and is set to 'Failure'.CompliantTrue
AuditPolicy-202Ensure 'Special Logon' is set to 'Success'.CompliantTrue
AuditPolicy-203Ensure 'Detailed File Share' is set to 'Failure'.CompliantTrue
AuditPolicy-204Ensure 'File Share' is set to 'Success' and is set to 'Failure'.CompliantTrue
AuditPolicy-205Ensure 'Other Object Access Events' is set to 'Success' and is set to 'Failure'.CompliantTrue
AuditPolicy-206Ensure 'Removable Storage' is set to 'Success' and is set to 'Failure'.CompliantTrue
AuditPolicy-207Ensure 'Audit Policy Change' is set to 'Success'.CompliantTrue
AuditPolicy-208Ensure 'Authentication Policy Change' is set to 'Success'.CompliantTrue
AuditPolicy-209Ensure 'MPSSVC Rule-Level Policy Change' is set to 'Success' and is set to 'Failure'.CompliantTrue
AuditPolicy-210Ensure 'Other Policy Change Events' is set to 'Failure'.CompliantTrue
AuditPolicy-211Ensure 'Sensitive Privilege Use' is set to 'Success' and is set to 'Failure'.CompliantTrue
AuditPolicy-212Ensure 'Other System Events' is set to 'Success' and is set to 'Failure'.CompliantTrue
AuditPolicy-213Ensure 'Security State Change' is set to 'Success'.CompliantTrue
AuditPolicy-214Ensure 'Security System Extension' is set to 'Success'.CompliantTrue
AuditPolicy-215Ensure 'System Integrity' is set to 'Success' and is set to 'Failure'.CompliantTrue

BSI Benchmarks SiSyPHuS Logging-

This section contains the BSI Benchmark results.

Registry Settings/Group Policies-

IdTaskMessageStatus
4.1.1Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled'CompliantTrue
4.1.2Ensure 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' is set to 'Enabled'CompliantTrue
4.2.1.1Ensure 'Windows Firewall: Domain: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\domainfw.log'CompliantTrue
4.2.1.2Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16,384 KB or greater'CompliantTrue
4.2.1.3Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes'Registry key not found.False
4.2.1.4Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes'CompliantTrue
4.2.2.1Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\privatefw.log'CompliantTrue
4.2.2.2Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16,384 KB or greater'CompliantTrue
4.2.2.3Ensure 'Windows Firewall: Private: Logging: Log dropped packets' is set to 'Yes'CompliantTrue
4.2.2.4Ensure 'Windows Firewall: Private: Logging: Log successful connections' is set to 'Yes'CompliantTrue
4.2.3.1Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No'CompliantTrue
4.2.3.2Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No'CompliantTrue
4.2.3.3Ensure 'Windows Firewall: Public: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\publicfw.log'CompliantTrue
4.2.3.4Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16,384 KB or greater'CompliantTrue
4.3.1.1Ensure 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' is set to 'Enabled: 90% or less'CompliantTrue
4.3.2.1.1Ensure 'Application: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'CompliantTrue
4.3.2.1.2Ensure 'Application: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'CompliantTrue
4.3.2.2.1Ensure 'Setup: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'CompliantTrue
4.3.2.2.2Ensure 'Setup: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'CompliantTrue
4.3.2.3.1Ensure 'Security: Specify the maximum log file size (KB)' is set to 'Enabled: 196,608 or greater'CompliantTrue
4.3.2.3.2Ensure 'Security: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'CompliantTrue
4.3.2.4.1Ensure 'System: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'CompliantTrue
4.3.2.4.2Ensure 'System: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'CompliantTrue
4.3.3.1Ensure 'Include command line in process creation events' is set to 'Disabled'Registry value is '1'. Expected: 0False
4.3.4.2Ensure 'Turn on PowerShell Script Block Logging' is set to 'Disabled'Registry value is '1'. Expected: 0False
4.3.4.3Ensure 'Turn on PowerShell Transcription' is set to 'Disabled'CompliantTrue

Advanced Audit Policy Configuration-

IdTaskMessageStatus
5.1.1.1Ensure 'Audit Credential Validation' is set to 'Success and Failure'CompliantTrue
5.1.1.2Ensure 'Audit User Account Management' is set to 'Success and Failure'CompliantTrue
5.1.1.3Ensure 'Audit Account Lockout' is set to include 'Failure'CompliantTrue
5.1.1.4Ensure 'Audit Group Membership' is set to include 'Success'CompliantTrue
5.1.1.5Ensure 'Audit Logoff' is set to include 'Success'CompliantTrue
5.1.1.6Ensure 'Audit Logon' is set to 'Success and Failure'CompliantTrue
5.1.1.7Ensure 'Audit Other Logon/Logoff Events' is set to 'Success and Failure'CompliantTrue
5.1.1.8Ensure 'Audit Special Logon' is set to include 'Success'CompliantTrue
5.2.1.1Ensure 'Audit Other System Events' is set to 'Success and Failure'CompliantTrue
5.2.1.2Ensure 'Audit Security State Change' is set to include 'Success'CompliantTrue
5.2.1.3Ensure 'Audit Security System Extension' is set to include 'Success'CompliantTrue
5.2.1.4Ensure 'Audit System Integrity' is set to 'Success and Failure'CompliantTrue
5.2.1.5Ensure 'Audit File Share' is set to 'Success and Failure'CompliantTrue
5.2.1.6Ensure 'Audit Detailed File Share' is set to include 'Failure'CompliantTrue
5.2.1.7Ensure 'Audit Other Object Access Events' is set to 'Success and Failure'CompliantTrue
5.2.1.8Ensure 'Audit Removable Storage' is set to 'Success and Failure'CompliantTrue
5.2.1.9Ensure 'Audit PNP Activity' is set to include 'Success'CompliantTrue
5.3.1.1Ensure 'Audit Security Group Management' is set to include 'Success'CompliantTrue
5.3.1.2Ensure 'Audit Audit Policy Change' is set to include 'Success'CompliantTrue
5.3.1.3Ensure 'Audit Authentication Policy Change' is set to include 'Success'CompliantTrue
5.3.1.4Ensure 'Audit Authorization Policy Change' is set to include 'Success'CompliantTrue
5.3.1.5Ensure 'Audit MPSSVC Rule-Level Policy Change' is set to 'Success and Failure'CompliantTrue
5.3.1.6Ensure 'Audit Other Policy Change Events' is set to include 'Failure'CompliantTrue
5.5.1.1Ensure 'Audit Process Creation' is set to include 'Success'CompliantTrue
5.5.1.2Ensure 'Audit Sensitive Privilege Use' is set to 'Success and Failure'CompliantTrue

BSI Benchmarks SiSyPHuS HD-

This section contains the BSI Benchmark results.

Registry Settings/Group Policies-

IdTaskMessageStatus
1(ND, NE) Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled'. CompliantTrue
2(ND, NE) Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver.CompliantTrue
3(ND, NE) Ensure 'Configure SMB v1 server' is set to 'Disabled'.CompliantTrue
4(ND, NE) Ensure 'Enable Structured Exception Handling OverwriteProtection (SEHOP)' is set to 'Enabled'.CompliantTrue
5(ND, NE) Ensure 'WDigest Authentication' is set to 'Disabled'.CompliantTrue
7(ND, NE) Ensure 'MSS: (EnableDeadGWDetect) Allow automatic detection of dead network gateways (could lead to DoS)' is set to 'Disabled'.Registry value not found.False
8(ND, NE) Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon(not recommended)' is set to 'Disabled'.CompliantTrue
9(ND, NE) Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routingprotection level (protects against packet spoofing)' is set to 'Enabled:Highest protection, source routing is completely disabled'.CompliantTrue
10(ND, NE) Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled:Highest protection, source routing is completely disabled'.CompliantTrue
11(HD) Ensure 'MSS: (DisableSavePassword) Prevent the dial-up password from being saved' is set to 'Enabled'.CompliantTrue
12(ND, NE) Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled'.CompliantTrue
13(HD) Ensure 'MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds' is set to 'Enabled: 300,000 or 5 minutes (recommended)'.CompliantTrue
14(ND, NE) Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled'.CompliantTrue
15(HD) Ensure 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)' is set to 'Disabled'.CompliantTrue
16(ND, NE) Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' is set to 'Enabled'.CompliantTrue
17(ND, NE) Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' is set to 'Enabled: 5 or fewer seconds'CompliantTrue
18(HD) Ensure 'MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'.CompliantTrue
19(HD) Ensure 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3.CompliantTrue
20(ND, NE) Ensure 'Turn off multicast name resolution' is set to 'Enabled'.CompliantTrue
21(ND, NE) Ensure 'NetBIOS node type' is set to 'P-node'.CompliantTrue
22(ND, NE) Ensure 'Enable insecure guest logons' is set to 'Disabled'.CompliantTrue
23(HD) Ensure 'Turn off Microsoft Peer-to-Peer Networking Services' is set to 'Enabled'CompliantTrue
24_1(ND, NE) Ensure 'Hardened UNC Paths' is set to "Require Mutual Authentication=1, "Require Integrity=1" for the value names "\\*\NETLOGON" und "\\*\SYSVOL".CompliantTrue
24_2(ND, NE) Ensure 'Hardened UNC Paths' is set to "Require Mutual Authentication=1, "Require Integrity=1" for the value names "\\*\NETLOGON" und "\\*\SYSVOL".CompliantTrue
25(ND) Ensure 'Require domain users to elevate when setting a network's location' is set to 'Enabled'.CompliantTrue
26(ND) Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled'. CompliantTrue
27(ND) Ensure 'Prohibit use of Internet Connection Sharing on your DNS domain network' is set to 'Enabled'.CompliantTrue
28(HD) Ensure 'Enable Font Providers' is set to 'Disabled'. CompliantTrue
29(HD) Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled'.CompliantTrue
30(HD) Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled'. CompliantTrue
31(HD) Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled'.CompliantTrue
32(HD) Ensure 'Prohibit access of the Windows Connect Now wizards' is set to 'Enabled'.CompliantTrue
33(ND, NE) Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to the value 'Enabled: 1 = Minimize the number of simultaneous connections'.Registry value not found.False
34(ND) Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled' CompliantTrue
35(ND, NE) Ensure 'Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services' is set to 'Disabled'.CompliantTrue
36(HD) Ensure 'Turn off notifications network usage' is set to 'Enabled'.CompliantTrue
37(ND, NE) Ensure 'Turn off toast notifications on the lock screen' is set to 'Enabled'. Registry value not found.False
38(HD) Ensure 'Turn off Help Experience Improvement Program' is set to 'Enabled'.Registry key not found.False
39(ND, NE) Ensure 'Turn off picture password sign-in' is set to 'Enabled'. CompliantTrue
40(ND, NE) Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled'. CompliantTrue
41(ND, NE) Ensure 'Block user from showing account details on signin' is set to 'Enabled'.CompliantTrue
42(ND) Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled'.CompliantTrue
43(ND) Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled'.CompliantTrue
44(ND, NE) Ensure 'Do not display network selection UI' is set to 'Enabled'.CompliantTrue
45(ND) Ensure 'Do not enumerate connected users on domain-joined computers' is set to 'Enabled'.CompliantTrue
46(ND, NE) Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical'.CompliantTrue
47(HD) Ensure 'Turn off the advertising ID' is set to 'Enabled'.CompliantTrue
48(HD) Ensure 'Allow upload of User Activities' is set to 'Disabled'.CompliantTrue
49(HD) Ensure 'Allow Clipboard synchronization across devices' is set to 'Disabled'.CompliantTrue
50(ND, NE) Ensure 'Encryption Oracle Remediation' is set to 'Enabled: Force Updated Clients'.CompliantTrue
51(ND) Ensure 'Remote host allows delegation of non-exportable credentials' is set to 'Enabled'.CompliantTrue
52(ND, NE) Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled' .CompliantTrue
53(ND, NE) Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled'.CompliantTrue
54(ND, NE) Ensure 'Allow network connectivity during connected-standby (on battery)' is set to 'Disabled'.CompliantTrue
55(ND, NE) Ensure 'Allow network connectivity during connected-standby (plugged in)' is set to 'Disabled'.CompliantTrue
56(ND, NE) Ensure 'Allow standby states (S1-S3) when sleeping (on battery)' is set to 'Disabled'.CompliantTrue
57(ND, NE) Ensure 'Allow standby states (S1-S3) when sleeping (plugged in)' is set to 'Disabled'.CompliantTrue
58(HD) Ensure 'Disallow copying of user input methods to the system account for sign-in' is set to 'Enabled'.CompliantTrue
59(ND, NE) Ensure 'Prevent installation of devices that match any of these device IDs' is configured.Registry value not found.False
60(ND, NE) Ensure 'Prevent installation of devices using drivers that match these device setup classes' is configured.CompliantTrue
61(ND, NE) Ensure 'Continue experiences on this device' is set to 'Disabled'.CompliantTrue
62(ND) Ensure 'Turn off background refresh of Group Policy' is set to 'Disabled'.CompliantTrue
63(ND) Ensure 'Configure registry policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE'. CompliantTrue
64(ND) Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE'.CompliantTrue
65(ND) Ensure 'Configure security policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled'.Registry key not found.False
66(HD) Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled'.CompliantTrue
67(HD) Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled'.CompliantTrue
68(ND, NE) Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'.CompliantTrue
69(HD) Ensure 'Turn off printing over HTTP' is set to 'Enabled'.CompliantTrue
70(HD) Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'.Registry key not found.False
71(HD) Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled'.CompliantTrue
72(HD) Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'. CompliantTrue
73(HD) Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'.CompliantTrue
74(ND, NE) Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'.CompliantTrue
75(HD) Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'. CompliantTrue
76(HD) Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'.CompliantTrue
77(HD) Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'. CompliantTrue
78(HD) Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'. CompliantTrue
79(HD) Ensure 'Turn off access to the Store' is set to 'Enabled'.CompliantTrue
80(HD) Ensure 'Support device authentication using certificate' is set to 'Enabled: Automatic'.CompliantTrue
81(ND, NE) Ensure 'Enumeration policy for external devices incompatible with Kernel DMA Protection' is set to 'Enabled: Block All'.CompliantTrue
82(HD) Ensure 'Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider' is set to 'Disabled' .CompliantTrue
83(HD) Ensure 'Enable/Disable PerfTrack' is set to 'Disabled'.CompliantTrue
84(ND, NE) Ensure 'Restrict Unauthenticated RPC clients' is set to 'Enabled: Authenticated' .CompliantTrue
85(ND, NE) Ensure 'Enable RPC Endpoint Mapper Client Authentication' is set to 'Enabled'. CompliantTrue
86(ND, NE) Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled'.CompliantTrue
87(ND, NE) Ensure 'Configure Offer Remote Assistance' is set to 'Disabled'.CompliantTrue
88(ND, NE) Ensure 'Ignore the default list of blocked TPM commands' is set to 'Disabled'.Registry key not found.False
89(ND, NE) Ensure 'Standard User Lockout Duration' is set to '30 minutes'.Registry value not found.False
90(ND, NE) Ensure 'Standard User Total Lockout Threshold' is set to '5'.Registry value not found.False
91(HD) Ensure 'Enable Windows NTP Client' is set to 'Enabled'. Registry key not found.False
92(HD) Ensure 'Enable Windows NTP Server' is set to 'Disabled'.Registry key not found.False
93(HD) Ensure 'Allow Online Tips' is set to 'Disabled'.CompliantTrue
94(ND, NE) Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled'.CompliantTrue
95(ND, NE) Ensure 'Prevent enabling lock screen camera' is set to 'Enabled'.CompliantTrue
96(ND, NE) Ensure 'Force specific screen saver: Screen saver executable name' is set to 'Enabled: scrnsave.scr'.Registry key not found.False
97(ND, NE) Ensure 'Enable screen saver' is set to 'Enabled'.Registry key not found.False
98(ND, NE) Ensure 'Password protect the screen saver' is set to 'Enabled'.Registry key not found.False
99(ND, NE) Ensure 'Screen saver timeout' is set to 'Enabled: 900 seconds or fewer, but not 0'.Registry key not found.False
100_1(ND, NE) Ensure 'Turn off automatic learning' is set to 'Enabled' for ImplicitTextCollection.Registry value not found.False
100_2(ND, NE) Ensure 'Turn off automatic learning' is set to 'Enabled' for ImplicitInkCollection.Registry value not found.False
101(ND, NE) Ensure 'Allow users to enable online speech recognition services' is set to 'Disabled'.CompliantTrue
102(ND, NE) Ensure 'Notify antivirus programs when opening attachments' is set to 'Enabled'. Registry key not found.False
103(ND, NE) Ensure 'Do not preserve zone information in file attachments' is set to 'Disabled'.Registry key not found.False
104(HD) Ensure 'Block launching Universal Windows apps with Windows Runtime API access from hosted content.' is set to 'Enabled'. CompliantTrue
105(ND) Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled'.CompliantTrue
106(ND, NE) Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled'.CompliantTrue
107(ND, NE) Ensure 'Do not display the password reveal button' is set to 'Enabled'.CompliantTrue
108(HD) Ensure 'Allow a Windows app to share application data between users' is set to 'Disabled'. CompliantTrue
109(ND, NE) Ensure 'Configure enhanced anti-spoofing' is set to 'Enabled'.CompliantTrue
110(HD) Ensure 'Turn off all Windows spotlight features' is set to 'Enabled'. Registry value not found.False
111(HD) Ensure 'Do not use diagnostic data for tailored experiences' is set to 'Enabled'.Registry value not found.False
112(ND, NE) Ensure 'Do not suggest third-party content in Windows spotlight' is set to 'Enabled'.Registry value not found.False
113(ND, NE) Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled'.CompliantTrue
114(ND, NE) Ensure 'Configure Windows spotlight on lock screen' is set to Disabled'.Registry value not found.False
115(ND, NE) Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled'.CompliantTrue
116(ND, NE) Ensure 'Turn off shell protocol protected mode' is set to 'Disabled'.CompliantTrue
117(ND, NE) Ensure 'Turn off heap termination on corruption' is set to 'Disabled'.CompliantTrue
118(ND, NE) Ensure 'Toggle user control over Insider builds' is set to 'Disabled'.CompliantTrue
119(ND, NE) Ensure 'Do not show feedback notifications' is set to 'Enabled'.CompliantTrue
120(ND, NE) Ensure 'Allow Telemetry' is set to 'Enabled: 0 – Security [Enterprise Only]'.CompliantTrue
121(ND, NE) Ensure 'Allow device name to be sent in Windows diagnostic data' is set to 'Disabled'.Registry value not found.False
122(HD) Ensure 'Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service' is set to 'Enabled: Disable Authenticated Proxy usage'. CompliantTrue
123(HD) Ensure 'Allow Use of Camera' is set to 'Disabled'.Registry value is '1'. Expected: 0False
124(ND, NE) Ensure 'Block all consumer Microsoft account user authentication' is set to 'Enabled'.CompliantTrue
125(HD) Ensure 'Allow Message Service Cloud Sync' is set to 'Disabled'.CompliantTrue
126(ND, NE) Ensure 'Prevent users from sharing files within their profile.' is set to 'Enabled'.Registry key not found.False
127(ND, NE) Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled'.Registry key not found.False
128(HD) Ensure 'Turn off location' is set to 'Enabled'.CompliantTrue
129(HD) Ensure 'Turn off Push To Install service' is set to 'Enabled'.CompliantTrue
130(HD) Ensure 'Do not allow COM port redirection' is set to 'Enabled'.CompliantTrue
131(ND, NE) Ensure 'Do not allow drive redirection' is set to 'Enabled'.CompliantTrue
132(HD) Ensure 'Do not allow LPT port redirection' is set to 'Enabled'.CompliantTrue
133(HD) Ensure 'Do not allow supported Plug and Play device redirection' is set to 'Enabled'. CompliantTrue
134(ND, NE) Ensure 'Always prompt for password upon connection' is set to 'Enabled'.CompliantTrue
135(ND, NE) Ensure 'Require user authentication for remote connections by using Network Level Authentication' is set to 'Enabled'. CompliantTrue
136(ND, NE) Ensure 'Require secure RPC communication' is set to 'Enabled'.CompliantTrue
137(ND, NE) Ensure 'Set client connection encryption level' is set to 'Enabled: High Level'.CompliantTrue
138(ND, NE) Ensure 'Require use of specific security layer for remote (RDP) connections' is set to 'Enabled: SSL'. CompliantTrue
139(ND, NE) Ensure 'End session when time limits are reached' is set to 'Enabled'.Registry key not found.False
140(HD) Ensure 'Set time limit for active but idle Remote Desktop Services sessions' is set to 'Enabled: 15 minutes or less'. CompliantTrue
141(HD) Ensure 'Set time limit for disconnected sessions' is set to 'Enabled: 1 minute'.CompliantTrue
142(ND, NE) Ensure 'Do not use temporary folders per session' is set to 'Disabled'.Registry value not found.False
143(ND, NE) Ensure 'Do not delete temp folders upon exit' is set to 'Disabled'. CompliantTrue
144(HD) Ensure 'Allow users to connect remotely by using Remote Desktop Services' is set to 'Disabled'. CompliantTrue
145(ND, NE) Ensure 'Do not allow passwords to be saved' is set to 'Enabled'.CompliantTrue
146(ND, NE) Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled'CompliantTrue
147(ND, NE) Ensure 'Turn off Autoplay' is set to 'Enabled: All drives'.CompliantTrue
148(ND, NE) Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands'. CompliantTrue
149(ND, NE) Ensure 'Prevent downloading of enclosures' is set to 'Enabled'.CompliantTrue
150(HD) Ensure 'Turn off KMS Client Online AVS Validation' is set to 'Enabled'. CompliantTrue
151(HD) Ensure 'Disable all apps from Microsoft Store' is set to 'Enabled'.Registry value not found.False
152(ND, NE) Ensure 'Turn off Automatic Download and Install of updates' is set to 'Disabled'. CompliantTrue
153(ND, NE) Ensure 'Turn off the offer to update to the latest version of Windows' is set to 'Enabled'.CompliantTrue
154(HD) Ensure 'Only display the private store within the Microsoft Store' is set to 'Enabled'.CompliantTrue
155(HD) Ensure 'Turn off the Store application' is set to 'Enabled'.CompliantTrue
156(HD) Ensure 'Allow Cloud Search' is set to 'Enabled: Disable Cloud Search'.CompliantTrue
157(ND, NE) Ensure 'Allow search and Cortana to use location' is set to 'Disabled'.CompliantTrue
158(ND, NE) Ensure 'Allow indexing of encrypted files' is set to 'Disabled'.CompliantTrue
159(ND, NE) Ensure 'Improve inking and typing recognition' is set to 'Disabled'. Registry key not found.False
160(ND, NE) Ensure 'Download Mode' is set to 'Enabled: Simple (99)' .Registry value is '0'. Expected: 99False
161(ND, NE) Ensure 'Require pin for pairing' is set to 'Enabled: Always'. CompliantTrue
162(ND, NE) Ensure 'Configure detection for potentially unwanted applications' is set to 'Enabled: Block'.CompliantTrue
163(ND, NE) Ensure 'Turn off Windows Defender Antivirus' is set to 'Disabled'.CompliantTrue
164(ND, NE) Ensure 'Configure Watson events' is set to 'Disabled'.CompliantTrue
165(ND, NE) Ensure 'Turn on behavior monitoring' is set to 'Enabled'.CompliantTrue
166(HD) Ensure 'Join Microsoft MAPS' is set to 'Disabled'.CompliantTrue
167(ND, NE) Ensure 'Configure local setting override for reporting to Microsoft MAPS' is set to 'Disabled'.CompliantTrue
168(ND, NE) Ensure 'Turn on e-mail scanning' is set to 'Enabled'.CompliantTrue
169(ND, NE) Ensure 'Scan removable drives' is set to 'Enabled'.CompliantTrue
170(ND, NE) Ensure 'Prevent users and apps from accessing dangerous websites' is set to 'Enabled: Block'.CompliantTrue
171(ND, NE) Ensure 'Configure Attack Surface Reduction rules' is set to 'Enabled'.CompliantTrue
172_1(ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office communication application from creating child processes)CompliantTrue
172_2(ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from creating executable content)CompliantTrue
172_3(ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block execution of potentially obfuscated scripts)CompliantTrue
172_4(ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from injecting code into other processes)CompliantTrue
172_5(ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Adobe Reader from creating child processes)CompliantTrue
172_6(ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Win32 API calls from Office macro)CompliantTrue
172_7(ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block credential stealing from the Windows local security authority subsystem (lsass.exe))CompliantTrue
172_8(ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block untrusted and unsigned processes that run from USB)CompliantTrue
172_9(ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block executable content from email client and webmail)CompliantTrue
172_10(ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block JavaScript or VBScript from launching downloaded executable content)CompliantTrue
172_11(ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from creating child processes)CompliantTrue
173(ND, NE) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent bypass'. CompliantTrue
174(ND, NE) Ensure 'Prevent bypassing Windows Defender SmartScreen prompts for sites' is set to 'Enabled'.CompliantTrue
175(ND, NE) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled'.CompliantTrue
176(HD) Ensure 'Allow suggested apps in Windows Ink Workspace' is set to 'Disabled'.CompliantTrue
177(ND, NE) Ensure 'Allow Windows Ink Workspace' is set to 'Enabled: On, but disallow access above lock' OR 'Disabled'.CompliantTrue
178(ND, NE) Ensure 'Allow user control over installs' is set to 'Disabled'.CompliantTrue
179(HD) Ensure 'Prevent Internet Explorer security prompt for Windows Installer scripts' is set to 'Disabled'.CompliantTrue
180(ND, NE) Ensure 'Always install with elevated privileges' is set to 'Disabled' on local_machine.CompliantTrue
181(ND, NE) Ensure 'Always install with elevated privileges' is set to 'Disabled' on current_user.Registry key not found.False
182(HD) Ensure 'Prevent Codec Download' is set to 'Enabled'.Registry key not found.False
184(HD) Ensure 'Turn on Script Execution' is set to 'Enabled: Allow only signed scripts'. Registry key not found.False
185(ND, NE) Ensure 'Configure Automatic Updates' is set to 'Enabled: 4 Auto download and schedule the install'. CompliantTrue
186(ND, NE) Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day'. CompliantTrue
187(ND, NE) Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled'.CompliantTrue
188(ND, NE) Ensure 'Remove access to "Pause updates" feature' is set to 'Enabled'.CompliantTrue
189(ND, NE) Ensure 'Sign-in last interactive user automatically after a system-initiated restart' is set to 'Disabled'. CompliantTrue
190(HD) Ensure 'Allow Remote Shell Access' is set to 'Disabled'.Registry value is '1'. Expected: 0False
191(ND, NE) Ensure 'Allow Basic authentication' is set to 'Disabled'.CompliantTrue
192(ND, NE) Ensure 'Disallow Digest authentication' is set to 'Enabled'. CompliantTrue
193(ND, NE) Ensure 'Allow unencrypted traffic' is set to 'Disabled'. CompliantTrue
194(ND, NE) Ensure 'Allow Basic authentication' is set to 'Disabled'.CompliantTrue
195(HD) Ensure 'Allow remote server management through WinRM' is set to 'Disabled'.Registry value not found.False
196(ND, NE) Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled'.CompliantTrue
197(ND, NE) Ensure 'Allow unencrypted traffic' is set to 'Disabled'. CompliantTrue
198(ND, NE) Ensure 'Prevent users from modifying settings' is set to 'Enabled'.CompliantTrue
199(ND, NE) Ensure 'Enables or disables Windows Game Recording and Broadcasting' is set to 'Disabled'.CompliantTrue
209(ND, NE) Configure 'Interactive logon: Message title for users attempting to log on'.CompliantTrue
210(ND, NE) Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled'.CompliantTrue
211(ND, NE) Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled'. CompliantTrue
212(ND, NE) Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled'. CompliantTrue
213(ND, NE) Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled'.CompliantTrue
214(ND, NE) Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled'.CompliantTrue
215(ND, NE) Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled'. CompliantTrue
216(ND, NE) Ensure 'User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop' is set to 'Disabled'.CompliantTrue
217(ND, NE) Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure desktop'.CompliantTrue
218(ND, NE) Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Prompt for credentials on the secure desktop'.Registry value is '3'. Expected: 1False
219(ND) Ensure 'Domain member: Disable machine account password changes' is set to 'Disabled'.CompliantTrue
220(ND) Ensure 'Domain member: Digitally sign secure channel data (when possible)' is set to 'Enabled'.CompliantTrue
221(ND) Ensure 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'Enabled'. CompliantTrue
222(ND) Ensure 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'Enabled'. CompliantTrue
223(ND) Ensure 'Domain member: Maximum machine account password age' is set to '30 or fewer days, but not 0'. CompliantTrue
224(ND) Ensure 'Domain member: Require strong (Windows 2000 or later) session key' is set to 'Enabled'.CompliantTrue
225(HD) Ensure 'Devices: Prevent users from installing printer drivers' is set to 'Enabled'.CompliantTrue
226(ND, NE) Ensure 'Devices: Allowed to format and eject removable media' is set to 'Administrators and Interactive Users'.CompliantTrue
227(ND, NE) Ensure 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days'.CompliantTrue
228(HD) Ensure 'Interactive logon: Number of previous logons to cache (in case domain controller is not available)' is set to '4 or fewer logon(s)'.CompliantTrue
229 Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0'. CompliantTrue
230(ND, NE) Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled'.CompliantTrue
231(ND, NE) Configure 'Interactive logon: Message text for users attempting to log on'.CompliantTrue
232(ND) Ensure 'Interactive logon: Machine account lockout threshold' is set to '10 or fewer invalid logon attempts, but not 0'. CompliantTrue
233(ND) Ensure 'Interactive logon: Smart card removal behavior' is set to 'Lock Workstation' or higher.CompliantTrue
234(ND, NE) Ensure 'Interactive logon: Don't display last signed-in' is setto 'Enabled'.CompliantTrue
239(ND, NE) Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled'. CompliantTrue
240(ND, NE) Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts'.CompliantTrue
241(ND, NE) Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled'.CompliantTrue
242(ND, NE) Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled'.CompliantTrue
243(ND, NE) Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled'.CompliantTrue
244(ND, NE) Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled'.CompliantTrue
245(ND, NE) Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled'.CompliantTrue
246(ND, NE) Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled'. CompliantTrue
247(ND, NE) Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s)'. CompliantTrue
248(ND) Ensure 'Microsoft network server: Server SPN target name validation level' is set to 'Accept if provided by client' or higher.CompliantTrue
250(HD) Ensure 'Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers' is set to 'Deny all'.Registry value not found.False
251(HD) Ensure 'Network security: Restrict NTLM: Incoming NTLM traffic' is set to 'Deny all accounts'.Registry value not found.False
252(ND) Ensure 'Network security: Configure encryption types allowed for Kerberos' is set to 'AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types'.CompliantTrue
253(ND, NE) Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled'.CompliantTrue
254(ND, NE) Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only'.CompliantTrue
255(ND, NE) Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'.CompliantTrue
256(ND, NE) Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled'. CompliantTrue
257(ND) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to 'Require NTLMv2 session security, Require 128-bit encryption'. CompliantTrue
258(ND) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to 'Require NTLMv2 session security, Require 128-bit encryption'.CompliantTrue
259(ND) Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signing' or higher.CompliantTrue
260(ND, NE) Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled'.CompliantTrue
261(ND, NE) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled'.CompliantTrue
262(ND) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is set to 'Enabled'.CompliantTrue
263(ND) Ensure 'Network access: Allow anonymous SID/Name translation' is set to 'Disabled'.Registry value not found.False
264(ND, NE) Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled'.CompliantTrue
265(ND, NE) Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow'.CompliantTrue
266(ND) Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled'. CompliantTrue
267(ND, NE) Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None'.CompliantTrue
268(ND, NE) Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves'. CompliantTrue
269(ND, NE) Ensure 'Network access: Named Pipes that can be accessed anonymously' is set to 'None'. CompliantTrue
270(ND, NE) Configure 'Network access: Remotely accessible registry paths and sub-paths'.CompliantTrue
271(ND, NE) Configure 'Network access: Remotely accessible registry paths'.CompliantTrue
272(ND, NE) Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled'. CompliantTrue
273(HD) Ensure 'System settings: Optional subsystems' is set to 'None'. CompliantTrue
274(HD) Ensure 'System cryptography: Force strong key protection for user keys stored on the computer' is set to 'User is prompted when the key is first used'.CompliantTrue
275(ND, NE) Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled'. CompliantTrue
276(ND, NE) Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled'.CompliantTrue
316(HD) Ensure 'Remote Desktop Services UserMode Port Redirector (UmRdpService)' is set to 'Disabled'.CompliantTrue
317(ND, NE) Ensure 'Connected User Experiences and Telemetry' is set to 'Disabled'.Registry value not found.False
318(HD) Ensure 'Bluetooth Audio Gateway Service (BTAGService)' is set to 'Disabled'.Registry value is '3'. Expected: 4False
319(HD) Ensure 'Bluetooth Support Service (bthserv)' is set to 'Disabled'.Registry value is '3'. Expected: 4False
320(ND, NE) Ensure 'Computer Browser (Browser)' is set to 'Disabled' or 'Not Installed'.CompliantTrue
321(NE, ND) Ensure 'Internet Connection Sharing (ICS) (SharedAccess)' is set to 'Disabled'.CompliantTrue
322(HD) Ensure 'Geolocation Service (lfsvc)' is set to 'Disabled'.CompliantTrue
323(ND, NE) Ensure 'IIS Admin Service (IISADMIN)' is set to 'Disabled' or 'Not Installed'.CompliantTrue
324(NE, ND) Ensure 'Infrared monitor service (irmon)' is set to 'Disabled'.CompliantTrue
325(HD) Ensure 'Remote Desktop Configuration (SessionEnv)' is set to 'Disabled'.CompliantTrue
326(ND, NE) Ensure 'LxssManager (LxssManager)' is set to 'Disabled' or 'Not Installed'.CompliantTrue
327(HD) Ensure 'Downloaded Maps Manager (MapsBroker)' is set to 'Disabled'.CompliantTrue
328(ND, NE) Ensure 'Microsoft FTP Service (FTPSVC)' is set to 'Disabled' or 'Not Installed'.CompliantTrue
329(HD) Ensure 'Microsoft iSCSI Initiator Service (MSiSCSI)' is set to 'Disabled'.CompliantTrue
330(HD) Ensure 'Microsoft Store Install Service (InstallService)' is set to 'Disabled'.Registry value is '3'. Expected: 4False
331(ND, NE) Ensure 'OpenSSH SSH Server (sshd)' is set to 'Disabled' or 'Not Installed'.CompliantTrue
332(HD) Ensure 'Peer Name Resolution Protocol (PNRPsvc)' is set to 'Disabled'.CompliantTrue
333(HD) Ensure 'Peer Networking Grouping (p2psvc)' is set to 'Disabled'.CompliantTrue
334(HD) Ensure 'Peer Networking Identity Manager (p2pimsvc)' is set to 'Disabled'.CompliantTrue
335(HD) Ensure 'PNRP Machine Name Publication Service (PNRPAutoReg)' is set to 'Disabled'. CompliantTrue
336(HD) Ensure 'Remote Desktop Services (TermService)' is set to 'Disabled'.CompliantTrue
337(HD) Ensure 'Remote Registry (RemoteRegistry)' is set to 'Disabled'.CompliantTrue
338(ND, NE) Ensure 'Routing and Remote Access (RemoteAccess)' is set to 'Disabled'.CompliantTrue
339(ND, NE) Ensure 'Remote Procedure Call (RPC) Locator (RpcLocator)' is set to 'Disabled'.CompliantTrue
340(HD) Ensure 'Server (LanmanServer)' is set to 'Disabled'.CompliantTrue
341(ND, NE) Ensure 'Simple TCP/IP Services (simptcp)' is set to 'Disabled' or 'Not Installed'.CompliantTrue
342(HD) Ensure 'SNMP Service (SNMP)' is set to 'Disabled' or 'Not Installed'.CompliantTrue
343(ND, NE) Ensure 'SSDP Discovery (SSDPSRV)' is set to 'Disabled'.CompliantTrue
344(HD) Ensure 'Problem Reports and Solutions Control Panel Support (wercplsupport)' is set to 'Disabled'.CompliantTrue
345(ND, NE) Ensure 'UPnP Device Host (upnphost)' is set to 'Disabled'. CompliantTrue
346(HD) Ensure 'Link-Layer Topology Discovery Mapper (lltdsvc)' is set to 'Disabled'.CompliantTrue
347(HD) Ensure 'Remote Access Auto Connection Manager (RasAuto)' is set to 'Disabled'.CompliantTrue
348(ND, NE) Ensure 'Web Management Service (WMSvc)' is set to 'Disabled' or 'Not Installed'.CompliantTrue
349(ND, NE) Ensure 'Windows Media Player Network Sharing Service (WMPNetworkSvc)' is set to 'Disabled'.CompliantTrue
350(HD) Ensure 'Windows PushToInstall Service (PushToInstall)' is set to 'Disabled'.CompliantTrue
351(HD) Ensure 'Windows Mobile Hotspot Service (icssvc)' is set to 'Disabled'. CompliantTrue
352(HD) Ensure 'Windows Event Collector (Wecsvc)' is set to 'Disabled'. CompliantTrue
353(HD) Ensure 'Windows Error Reporting Service (WerSvc)' is set to 'Disabled'.CompliantTrue
354(HD) Ensure 'Windows Push Notifications System Service (WpnService)' is set to 'Disabled'. CompliantTrue
355(HD) Ensure 'Windows Remote Management (WS-Management) (WinRM)' is set to 'Disabled'.Registry value is '2'. Expected: 4False
356(ND, NE) Ensure 'World Wide Web Publishing Service (W3SVC)' is set to 'Disabled' or 'Not Installed'.CompliantTrue
357(ND, NE) Ensure 'Xbox Accessory Management Service (XboxGipSvc)' is set to 'Disabled'.CompliantTrue
358(ND, NE) Ensure 'Xbox Live Auth Manager (XblAuthManager)' is set to 'Disabled'.CompliantTrue
359(ND, NE) Ensure 'Xbox Live Networking Service (XboxNetApiSvc)' is set to 'Disabled'.CompliantTrue
360(ND, NE) Ensure 'Xbox Live Game Save (XblGameSave)' is set to 'Disabled'.CompliantTrue
361(ND) Ensure 'Windows Firewall: Domain: Outbound connections' is set to 'Allow (default)'.CompliantTrue
362(ND) Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No'.CompliantTrue
363(ND) Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)'.CompliantTrue
364(ND) Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On (recommended)'.CompliantTrue
365(ND, NE) Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow (default)' .Registry value is '0'. Expected: 1False
366(ND, NE) Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'No'.CompliantTrue
367(ND, NE) Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)'.CompliantTrue
368(ND, NE) Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)'.CompliantTrue
369(ND, NE) Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No'.CompliantTrue
370(ND, NE) Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No'.CompliantTrue
371(ND, NE) Ensure 'Windows Firewall: Private: Outbound connections' is set to 'Allow (default)'.Registry value is '0'. Expected: 1False
372(ND, NE) Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No'.CompliantTrue
373(ND, NE) Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)'.CompliantTrue
374(ND, NE) Ensure 'Windows Firewall: Private: Firewall state' is set to 'On (recommended)'.CompliantTrue

User Rights Assignment-

IdTaskMessageStatus
277(ND, NE) Ensure 'Change the system time' is set to 'Administrators, LOCAL SERVICE'.CompliantTrue
278(ND, NE) Ensure 'Change the time zone' is set to 'Administrators, LOCAL SERVICE, Users'.CompliantTrue
279(ND, NE) Ensure 'Increase scheduling priority' is set to 'Administrators, Window Manager\Window Manager Group'. CompliantTrue
280(ND, NE) Ensure 'Deny log on as a batch job' to include 'ANONYMOUS LOGON, Guests'.The user 'SeDenyBatchLogonRight' setting does not contain the following users: NT AUTHORITY\ANONYMOUS LOGONFalse
281(HD) Configure 'Log on as a service'. [Hyper-V-Feature NOT installed]The user right 'SeServiceLogonRight' contains following unexpected users: DESKTOP-UTMU75K\SQLServer2005SQLBrowserUser$DESKTOP-UTMU75K, NT SERVICE\ALL SERVICES, NT SERVICE\SQLTELEMETRY, NT SERVICE\SQLSERVERAGENT, NT SERVICE\MSSQLSERVER, NT VIRTUAL MACHINE\Virtual MachinesFalse
282(ND, NE) Ensure 'Deny log on as a service' to include 'ANONYMOUS LOGON, Guests'.The user 'SeDenyServiceLogonRight' setting does not contain the following users: NT AUTHORITY\ANONYMOUS LOGONFalse
283(HD) Ensure 'Log on as a batch job' is set to 'Administrators'.CompliantTrue
284(ND) Ensure 'Deny log on through Remote Desktop Services' to include 'ANONYMOUS LOGON, Guests, Local account'.The user right 'SeDenyRemoteInteractiveLogonRight' contains following unexpected users: NT AUTHORITY\Local account (S-1-5-113) The user right 'SeDenyRemoteInteractiveLogonRight' setting does not contain the following users: NT AUTHORITY\ANONYMOUS LOGON (S-1-5-7), LOCAL (S-1-2-0)False
285(ND, NE) Ensure 'Allow log on through Remote Desktop Services' is set to 'Administrators, Remote Desktop Users'. CompliantTrue
286(ND, NE) Ensure 'Impersonate a client after authentication' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'. CompliantTrue
287(ND, NE) Ensure 'Adjust memory quotas for a process' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE'. CompliantTrue
288(ND, NE) Ensure 'Access Credential Manager as a trusted caller' is set to 'No One'.CompliantTrue
289(ND, NE) Ensure 'Access this computer from the network' is set to 'Administrators, Remote Desktop Users'. The user right 'SeNetworkLogonRight' contains following unexpected users: BUILTIN\Users, BUILTIN\Backup Operators The user 'SeNetworkLogonRight' setting does not contain the following users: BUILTIN\Remote Desktop UsersFalse
290(ND, NE) Ensure 'Debug programs' is set to 'Administrators'.The user 'SeDebugPrivilege' setting does not contain the following users: BUILTIN\AdministratorsFalse
291(ND, NE) Ensure 'Perform volume maintenance tasks' is set to 'Administrators'.CompliantTrue
292(ND, NE) Ensure 'Act as part of the operating system' is set to 'No One'.CompliantTrue
293(ND) Ensure 'Enable computer and user accounts to be trusted for delegation' is set to 'No One'.CompliantTrue
294(ND, NE) Ensure 'Replace a process level token' is set to 'LOCAL SERVICE, NETWORK SERVICE'.CompliantTrue
295(ND, NE) Ensure 'Create a pagefile' is set to 'Administrators'.CompliantTrue
296(ND, NE) Ensure 'Profile system performance' is set to 'Administrators, NT SERVICE\WdiServiceHost'. CompliantTrue
297(ND, NE) Ensure 'Profile single process' is set to 'Administrators'.CompliantTrue
298(ND, NE) Ensure 'Create a token object' is set to 'No One'.CompliantTrue
299(ND, NE) Ensure 'Create global objects' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'.CompliantTrue
300(ND, NE) Ensure 'Create symbolic links' is set to 'Administrators'.CompliantTrue
301(ND, NE) Ensure 'Create permanent shared objects' is set to 'No One'. CompliantTrue
302(ND, NE) Ensure 'Force shutdown from a remote system' is set to 'Administrators'.CompliantTrue
303(ND, NE) Ensure 'Generate security audits' is set to 'LOCAL SERVICE, NETWORK SERVICE'.CompliantTrue
304(ND, NE) Ensure 'Shut down the system' is set to 'Administrators, Users'.CompliantTrue
305(ND, NE) Ensure 'Load and unload device drivers' is set to 'Administrators'.CompliantTrue
306(ND, NE) Ensure 'Deny log on locally' to include 'ANONYMOUS LOGON, Guests'. The user 'SeDenyInteractiveLogonRight' setting does not contain the following users: NT AUTHORITY\ANONYMOUS LOGONFalse
307(ND, NE) Ensure 'Allow log on locally' is set to 'Administrators, Users'. CompliantTrue
308(ND, NE) Ensure 'Back up files and directories' is set to 'Administrators'.CompliantTrue
309(ND, NE) Ensure 'Lock pages in memory' is set to 'No One'.CompliantTrue
310(ND, NE) Ensure 'Take ownership of files or other objects' is set to 'Administrators' .CompliantTrue
311(ND, NE) Ensure 'Modify firmware environment values' is set to 'Administrators'. CompliantTrue
312(ND, NE) Ensure 'Modify an object label' is set to 'No One'.CompliantTrue
313(ND, NE) Ensure 'Manage auditing and security log' is set to 'Administrators'.CompliantTrue
314(ND, NE) Ensure 'Restore files and directories' is set to 'Administrators'. CompliantTrue
315(ND, NE) Ensure 'Deny access to this computer from the network' to include 'ANONYMOUS LOGON, Guest, Local account'. The user 'SeDenyNetworkLogonRight' setting does not contain the following users: NT AUTHORITY\ANONYMOUS LOGON, LOCALFalse

Account Policies-

IdTaskMessageStatus
200(ND, NE) Ensure 'Store passwords using reversible encryption' is set to 'Disabled'.CompliantTrue
201(ND, NE) Ensure 'Password must meet complexity requirements' is set to 'Enabled'.CompliantTrue
202(ND, NE) Ensure 'Enforce password history' is set to '24 or more password(s)'.CompliantTrue
203(ND, NE) Ensure 'Maximum password age' is set to '365 or fewer days, but not 0'.CompliantTrue
204(ND, NE) Ensure 'Minimum password length' is set to '14 or more character(s)'.CompliantTrue
205(ND, NE) Ensure 'Minimum password age' is set to '1 or more day(s)' .CompliantTrue
206(ND) Ensure 'Account lockout duration' is set to '15 or more minute(s)'.CompliantTrue
207(ND) Ensure 'Account lockout threshold' is set to '10 or fewer invalid logon attempt(s), but not 0'.CompliantTrue
208(ND) Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)'. CompliantTrue

Security Options-

IdTaskMessageStatus
235(ND, NE) Configure 'Accounts: Rename administrator account'.CompliantTrue
236(ND, NE) Ensure 'Accounts: Administrator account status' is set to 'Disabled'.CompliantTrue
237(ND, NE) Ensure 'Accounts: Guest account status' is set to 'Disabled'. CompliantTrue
238(ND, NE) Configure 'Accounts: Rename guest account'.CompliantTrue
249(ND) Ensure 'Network security: Force logoff when logon hours expire' is set to 'Enabled'.CompliantTrue

BSI Benchmarks SiSyPHuS ND-

This section contains the BSI Benchmark results.

Registry Settings/Group Policies-

IdTaskMessageStatus
1(ND, NE) Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled'. CompliantTrue
2(ND, NE) Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver.CompliantTrue
3(ND, NE) Ensure 'Configure SMB v1 server' is set to 'Disabled'.CompliantTrue
4(ND, NE) Ensure 'Enable Structured Exception Handling OverwriteProtection (SEHOP)' is set to 'Enabled'.CompliantTrue
5(ND, NE) Ensure 'WDigest Authentication' is set to 'Disabled'.CompliantTrue
6(ND, NE) Ensure 'LSA Protection' is set to 'Enabled'.Registry value not found.False
7(ND, NE) Ensure 'MSS: (EnableDeadGWDetect) Allow automatic detection of dead network gateways (could lead to DoS)' is set to 'Disabled'.Registry value not found.False
8(ND, NE) Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon(not recommended)' is set to 'Disabled'.CompliantTrue
9(ND, NE) Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routingprotection level (protects against packet spoofing)' is set to 'Enabled:Highest protection, source routing is completely disabled'.CompliantTrue
10(ND, NE) Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routingprotection level (protects against packet spoofing)' is set to 'Enabled:Highest protection, source routing is completely disabled'.CompliantTrue
12(ND, NE) Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects tooverride OSPF generated routes' is set to 'Disabled'.CompliantTrue
14(ND, NE) Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled'.CompliantTrue
16(ND, NE) Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' is set to 'Enabled'.CompliantTrue
17(ND, NE) Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' is set to 'Enabled: 5 or fewer seconds'.CompliantTrue
20(ND, NE) Ensure 'Turn off multicast name resolution' is set to 'Enabled'.CompliantTrue
21(ND, NE) Ensure 'NetBIOS node type' is set to 'P-node'.CompliantTrue
22(ND, NE) Ensure 'Enable insecure guest logons' is set to 'Disabled'.CompliantTrue
24_1(ND, NE) Ensure 'Hardened UNC Paths' is set to "Require Mutual Authentication=1, "Require Integrity=1" for the value names "\\*\NETLOGON" und "\\*\SYSVOL".CompliantTrue
24_2(ND, NE) Ensure 'Hardened UNC Paths' is set to "Require Mutual Authentication=1, "Require Integrity=1" for the value names "\\*\NETLOGON" und "\\*\SYSVOL".CompliantTrue
25(ND) Ensure 'Require domain users to elevate when setting a network's location' is set to 'Enabled'.CompliantTrue
26(ND) Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled'. CompliantTrue
27(ND) Ensure 'Prohibit use of Internet Connection Sharing on your DNS domain network' is set to 'Enabled'.CompliantTrue
33(ND, NE) Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to the value 'Enabled: 1 = Minimize the number of simultaneous connections'.Registry value not found.False
34(ND) Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled' CompliantTrue
35(ND, NE) Ensure 'Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services' is set to 'Disabled'.CompliantTrue
37(ND, NE) Ensure 'Turn off toast notifications on the lock screen' is set to 'Enabled'. Registry value not found.False
39(ND, NE) Ensure 'Turn off picture password sign-in' is set to 'Enabled'. CompliantTrue
40(ND, NE) Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled'. CompliantTrue
41(ND, NE) Ensure 'Block user from showing account details on signin' is set to 'Enabled'.CompliantTrue
42(ND) Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled'.CompliantTrue
43(ND) Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled'.CompliantTrue
44(ND, NE) Ensure 'Do not display network selection UI' is set to 'Enabled'.CompliantTrue
45(ND) Ensure 'Do not enumerate connected users on domain-joined computers' is set to 'Enabled'.CompliantTrue
46(ND, NE) Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical'.CompliantTrue
50(ND, NE) Ensure 'Encryption Oracle Remediation' is set to 'Enabled: Force Updated Clients'.CompliantTrue
51(ND) Ensure 'Remote host allows delegation of non-exportable credentials' is set to 'Enabled'.CompliantTrue
52(ND, NE) Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled' .CompliantTrue
53(ND, NE) Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled'.CompliantTrue
54(ND, NE) Ensure 'Allow network connectivity during connected-standby (on battery)' is set to 'Disabled'.CompliantTrue
55(ND, NE) Ensure 'Allow network connectivity during connected-standby (plugged in)' is set to 'Disabled'.CompliantTrue
56(ND, NE) Ensure 'Allow standby states (S1-S3) when sleeping (on battery)' is set to 'Disabled'.CompliantTrue
57(ND, NE) Ensure 'Allow standby states (S1-S3) when sleeping (plugged in)' is set to 'Disabled'.CompliantTrue
59(ND, NE) Ensure 'Prevent installation of devices that match any of these device IDs' is configured.Registry value not found.False
60(ND, NE) Ensure 'Prevent installation of devices using drivers that match these device setup classes' is configured.CompliantTrue
61(ND, NE) Ensure 'Continue experiences on this device' is set to 'Disabled'.CompliantTrue
62(ND) Ensure 'Turn off background refresh of Group Policy' is set to 'Disabled'.CompliantTrue
63(ND) Ensure 'Configure registry policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE'. CompliantTrue
64(ND) Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE'.CompliantTrue
65(ND) Ensure 'Configure security policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled'.Registry key not found.False
68(ND, NE) Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'.CompliantTrue
74(ND, NE) Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'.CompliantTrue
81(ND, NE) Ensure 'Enumeration policy for external devices incompatible with Kernel DMA Protection' is set to 'Enabled: Block All'.CompliantTrue
84(ND, NE) Ensure 'Restrict Unauthenticated RPC clients' is set to 'Enabled: Authenticated' .CompliantTrue
85(ND, NE) Ensure 'Enable RPC Endpoint Mapper Client Authentication' is set to 'Enabled'. CompliantTrue
86(ND, NE) Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled'.CompliantTrue
87(ND, NE) Ensure 'Configure Offer Remote Assistance' is set to 'Disabled'.CompliantTrue
88(ND, NE) Ensure 'Ignore the default list of blocked TPM commands' is set to 'Disabled'.Registry key not found.False
89(ND, NE) Ensure 'Standard User Lockout Duration' is set to '30 minutes'.Registry value not found.False
90(ND, NE) Ensure 'Standard User Total Lockout Threshold' is set to '5'.Registry value not found.False
94(ND, NE) Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled'.CompliantTrue
95(ND, NE) Ensure 'Prevent enabling lock screen camera' is set to 'Enabled'.CompliantTrue
96(ND, NE) Ensure 'Force specific screen saver: Screen saver executable name' is set to 'Enabled: scrnsave.scr'.Registry key not found.False
97(ND, NE) Ensure 'Enable screen saver' is set to 'Enabled'.Registry key not found.False
98(ND, NE) Ensure 'Password protect the screen saver' is set to 'Enabled'.Registry key not found.False
99(ND, NE) Ensure 'Screen saver timeout' is set to 'Enabled: 900 seconds or fewer, but not 0'.Registry key not found.False
100_1(ND, NE) Ensure 'Turn off automatic learning' is set to 'Enabled' for ImplicitTextCollection.Registry value not found.False
100_2(ND, NE) Ensure 'Turn off automatic learning' is set to 'Enabled' for ImplicitInkCollection.Registry value not found.False
101(ND, NE) Ensure 'Allow users to enable online speech recognition services' is set to 'Disabled'.CompliantTrue
102(ND, NE) Ensure 'Notify antivirus programs when opening attachments' is set to 'Enabled'. Registry key not found.False
103(ND, NE) Ensure 'Do not preserve zone information in file attachments' is set to 'Disabled'.Registry key not found.False
105(ND) Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled'.CompliantTrue
106(ND, NE) Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled'.CompliantTrue
107(ND, NE) Ensure 'Do not display the password reveal button' is set to 'Enabled'.CompliantTrue
109(ND, NE) Ensure 'Configure enhanced anti-spoofing' is set to 'Enabled'.CompliantTrue
112(ND, NE) Ensure 'Do not suggest third-party content in Windows spotlight' is set to 'Enabled'.Registry value not found.False
113(ND, NE) Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled'.CompliantTrue
114(ND, NE) Ensure 'Configure Windows spotlight on lock screen' is set to Disabled'.Registry value not found.False
115(ND, NE) Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled'.CompliantTrue
116(ND, NE) Ensure 'Turn off shell protocol protected mode' is set to 'Disabled'.CompliantTrue
117(ND, NE) Ensure 'Turn off heap termination on corruption' is set to 'Disabled'.CompliantTrue
118(ND, NE) Ensure 'Toggle user control over Insider builds' is set to 'Disabled'.CompliantTrue
119(ND, NE) Ensure 'Do not show feedback notifications' is set to 'Enabled'.CompliantTrue
120(ND, NE) Ensure 'Allow Telemetry' is set to 'Enabled: 0 – Security [Enterprise Only]'.CompliantTrue
121(ND, NE) Ensure 'Allow device name to be sent in Windows diagnostic data' is set to 'Disabled'.Registry value not found.False
124(ND, NE) Ensure 'Block all consumer Microsoft account user authentication' is set to 'Enabled'.CompliantTrue
126(ND, NE) Ensure 'Prevent users from sharing files within their profile.' is set to 'Enabled'.Registry key not found.False
127(ND, NE) Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled'.Registry key not found.False
131(ND, NE) Ensure 'Do not allow drive redirection' is set to 'Enabled'.CompliantTrue
134(ND, NE) Ensure 'Always prompt for password upon connection' is set to 'Enabled'.CompliantTrue
135(ND, NE) Ensure 'Require user authentication for remote connections by using Network Level Authentication' is set to 'Enabled'. CompliantTrue
136(ND, NE) Ensure 'Require secure RPC communication' is set to 'Enabled'.CompliantTrue
137(ND, NE) Ensure 'Set client connection encryption level' is set to 'Enabled: High Level'.CompliantTrue
138(ND, NE) Ensure 'Require use of specific security layer for remote (RDP) connections' is set to 'Enabled: SSL'. CompliantTrue
139(ND, NE) Ensure 'End session when time limits are reached' is set to 'Enabled'.Registry key not found.False
142(ND, NE) Ensure 'Do not use temporary folders per session' is set to 'Disabled'.Registry value not found.False
143(ND, NE) Ensure 'Do not delete temp folders upon exit' is set to 'Disabled'. CompliantTrue
145(ND, NE) Ensure 'Do not allow passwords to be saved' is set to 'Enabled'.CompliantTrue
146(ND, NE) Ensure 'Disallow Autoplay for non-volume devices' is set to'Enabled'.CompliantTrue
147(ND, NE) Ensure 'Turn off Autoplay' is set to 'Enabled: All drives'.CompliantTrue
148(ND, NE) Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands'. CompliantTrue
149(ND, NE) Ensure 'Prevent downloading of enclosures' is set to 'Enabled'.CompliantTrue
152(ND, NE) Ensure 'Turn off Automatic Download and Install of updates' is set to 'Disabled'. CompliantTrue
153(ND, NE) Ensure 'Turn off the offer to update to the latest version of Windows' is set to 'Enabled'.CompliantTrue
157(ND, NE) Ensure 'Allow search and Cortana to use location' is set to 'Disabled'.CompliantTrue
158(ND, NE) Ensure 'Allow indexing of encrypted files' is set to 'Disabled'.CompliantTrue
159(ND, NE) Ensure 'Improve inking and typing recognition' is set to 'Disabled'. Registry key not found.False
160(ND, NE) Ensure 'Download Mode' is set to 'Enabled: Simple (99)' .Registry value is '0'. Expected: 99False
161(ND, NE) Ensure 'Require pin for pairing' is set to 'Enabled: Always'. CompliantTrue
162(ND, NE) Ensure 'Configure detection for potentially unwanted applications' is set to 'Enabled: Block'.CompliantTrue
163(ND, NE) Ensure 'Turn off Windows Defender Antivirus' is set to 'Disabled'.CompliantTrue
164(ND, NE) Ensure 'Configure Watson events' is set to 'Disabled'.CompliantTrue
165(ND, NE) Ensure 'Turn on behavior monitoring' is set to 'Enabled'.CompliantTrue
167(ND, NE) Ensure 'Configure local setting override for reporting to Microsoft MAPS' is set to 'Disabled'.CompliantTrue
168(ND, NE) Ensure 'Turn on e-mail scanning' is set to 'Enabled'.CompliantTrue
169(ND, NE) Ensure 'Scan removable drives' is set to 'Enabled'.CompliantTrue
170(ND, NE) Ensure 'Prevent users and apps from accessing dangerous websites' is set to 'Enabled: Block'.CompliantTrue
171(ND, NE) Ensure 'Configure Attack Surface Reduction rules' is set to 'Enabled'.CompliantTrue
172_1(ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is 'configured'.CompliantTrue
172_2(ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from creating executable content)CompliantTrue
172_3(ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block execution of potentially obfuscated scripts)CompliantTrue
172_4(ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from injecting code into other processes)CompliantTrue
172_5(ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Adobe Reader from creating child processes)CompliantTrue
172_6(ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Win32 API calls from Office macro)CompliantTrue
172_7(ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block credential stealing from the Windows local security authority subsystem (lsass.exe))CompliantTrue
172_8(ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block untrusted and unsigned processes that run from USB)CompliantTrue
172_9(ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block executable content from email client and webmail)CompliantTrue
172_10(ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block JavaScript or VBScript from launching downloaded executable content)CompliantTrue
172_11(ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from creating child processes)CompliantTrue
173(ND, NE) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent bypass'. CompliantTrue
174(ND, NE) Ensure 'Prevent bypassing Windows Defender SmartScreen prompts for sites' is set to 'Enabled'.CompliantTrue
175(ND, NE) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled'.CompliantTrue
177(ND, NE) Ensure 'Allow Windows Ink Workspace' is set to 'Enabled: On, but disallow access above lock' OR 'Disabled'.CompliantTrue
178(ND, NE) Ensure 'Allow user control over installs' is set to 'Disabled'.CompliantTrue
180(ND, NE) Ensure 'Always install with elevated privileges' is set to 'Disabled' on current_user on local_machine.CompliantTrue
181(ND, NE) Ensure 'Always install with elevated privileges' is set to 'Disabled' on current_user.Registry key not found.False
183(ND, NE) Ensure 'Turn on Script Execution' is set to 'Enabled: Allow local scripts and remote signed scripts'.Registry key not found.False
185(ND, NE) Ensure 'Configure Automatic Updates' is set to 'Enabled: 4 Auto download and schedule the install'. CompliantTrue
186(ND, NE) Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day'. CompliantTrue
187(ND, NE) Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled'.CompliantTrue
188(ND, NE) Ensure 'Remove access to "Pause updates" feature' is set to 'Enabled'.CompliantTrue
189(ND, NE) Ensure 'Sign-in last interactive user automatically after a system-initiated restart' is set to 'Disabled'. CompliantTrue
191(ND, NE) Ensure 'Allow Basic authentication' is set to 'Disabled'.CompliantTrue
192(ND, NE) Ensure 'Disallow Digest authentication' is set to 'Enabled'. CompliantTrue
193(ND, NE) Ensure 'Allow unencrypted traffic' is set to 'Disabled'. CompliantTrue
194(ND, NE) Ensure 'Allow Basic authentication' is set to 'Disabled'.CompliantTrue
196(ND, NE) Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled'.CompliantTrue
197(ND, NE) Ensure 'Allow unencrypted traffic' is set to 'Disabled'. CompliantTrue
198(ND, NE) Ensure 'Prevent users from modifying settings' is set to 'Enabled'.CompliantTrue
199(ND, NE) Ensure 'Enables or disables Windows Game Recording and Broadcasting' is set to 'Disabled'.CompliantTrue
209(ND, NE) Configure 'Interactive logon: Message title for users attempting to log on'.CompliantTrue
210(ND, NE) Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled'.CompliantTrue
211(ND, NE) Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled'. CompliantTrue
212(ND, NE) Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled'. CompliantTrue
213(ND, NE) Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled'.CompliantTrue
214(ND, NE) Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled'.CompliantTrue
215(ND, NE) Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled'. CompliantTrue
216(ND, NE) Ensure 'User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop' is set to 'Disabled'.CompliantTrue
217(ND, NE) Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure desktop'.CompliantTrue
218(ND, NE) Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Prompt for credentials on the secure desktop'.Registry value is '3'. Expected: 1False
219(ND) Ensure 'Domain member: Disable machine account password changes' is set to 'Disabled'.CompliantTrue
220(ND) Ensure 'Domain member: Digitally sign secure channel data(when possible)' is set to 'Enabled'.CompliantTrue
221(ND) Ensure 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'Enabled'. CompliantTrue
222(ND) Ensure 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'Enabled'. CompliantTrue
223(ND) Ensure 'Domain member: Maximum machine account password age' is set to '30 or fewer days, but not 0'. CompliantTrue
224(ND) Ensure 'Domain member: Require strong (Windows 2000 or later) session key' is set to 'Enabled'.CompliantTrue
226(ND, NE) Ensure 'Devices: Allowed to format and eject removable media' is set to 'Administrators and Interactive Users'.CompliantTrue
227(ND, NE) Ensure 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days'.CompliantTrue
229 Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0'. CompliantTrue
230(ND, NE) Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled'.CompliantTrue
231(ND, NE) Configure 'Interactive logon: Message text for users attempting to log on'.CompliantTrue
232(ND) Ensure 'Interactive logon: Machine account lockout threshold' is set to '10 or fewer invalid logon attempts, but not 0'. CompliantTrue
233(ND) Ensure 'Interactive logon: Smart card removal behavior' is set to 'Lock Workstation' or higher.CompliantTrue
234(ND, NE) Ensure 'Interactive logon: Don't display last signed-in' is setto 'Enabled'.CompliantTrue
239(ND, NE) Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled'. CompliantTrue
240(ND, NE) Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts'.CompliantTrue
241(ND, NE) Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled'.CompliantTrue
242(ND, NE) Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled'.CompliantTrue
243(ND, NE) Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled'.CompliantTrue
244(ND, NE) Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled'.CompliantTrue
245(ND, NE) Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled'.CompliantTrue
246(ND, NE) Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled'. CompliantTrue
247(ND, NE) Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s)'. CompliantTrue
248(ND) Ensure 'Microsoft network server: Server SPN target name validation level' is set to 'Accept if provided by client' or higher.CompliantTrue
252(ND) Ensure 'Network security: Configure encryption types allowed for Kerberos' is set to 'AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types'.CompliantTrue
253(ND, NE) Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled'.CompliantTrue
254(ND, NE) Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only'.CompliantTrue
255(ND, NE) Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'.CompliantTrue
256(ND, NE) Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled'. CompliantTrue
257(ND) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to 'Require NTLMv2 session security, Require 128-bit encryption'. CompliantTrue
258(ND) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to 'Require NTLMv2 session security, Require 128-bit encryption'.CompliantTrue
259(ND) Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signing' or higher.CompliantTrue
260(ND, NE) Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled'.CompliantTrue
261(ND, NE) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled'.CompliantTrue
262(ND) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is set to 'Enabled'.CompliantTrue
263(ND) Ensure 'Network access: Allow anonymous SID/Name translation' is set to 'Disabled'.Registry value not found.False
264(ND, NE) Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled'.CompliantTrue
265(ND, NE) Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow'.CompliantTrue
266(ND) Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled'. CompliantTrue
267(ND, NE) Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None'.CompliantTrue
268(ND, NE) Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves'. CompliantTrue
269(ND, NE) Ensure 'Network access: Named Pipes that can be accessed anonymously' is set to 'None'. CompliantTrue
270(ND, NE) Configure 'Network access: Remotely accessible registry paths and sub-paths'.CompliantTrue
271(ND, NE) Configure 'Network access: Remotely accessible registry paths'.CompliantTrue
272(ND, NE) Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled'. CompliantTrue
275(ND, NE) Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled'. CompliantTrue
276(ND, NE) Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled'.CompliantTrue
317(ND, NE) Ensure 'Connected User Experiences and Telemetry' is set to 'Disabled'.Registry value not found.False
320(ND, NE) Ensure 'Computer Browser (Browser)' is set to 'Disabled' or 'Not Installed'.CompliantTrue
321(NE, ND) Ensure 'Internet Connection Sharing (ICS) (SharedAccess)' is set to 'Disabled'.CompliantTrue
323(ND, NE) Ensure 'IIS Admin Service (IISADMIN)' is set to 'Disabled' or 'Not Installed'.CompliantTrue
324(NE, ND) Ensure 'Infrared monitor service (irmon)' is set to 'Disabled'.CompliantTrue
326(ND, NE) Ensure 'LxssManager (LxssManager)' is set to 'Disabled' or 'Not Installed'.CompliantTrue
328(ND, NE) Ensure 'Microsoft FTP Service (FTPSVC)' is set to 'Disabled' or 'Not Installed'.CompliantTrue
331(ND, NE) Ensure 'OpenSSH SSH Server (sshd)' is set to 'Disabled' or 'Not Installed'.CompliantTrue
338(ND, NE) Ensure 'Routing and Remote Access (RemoteAccess)' is set to 'Disabled'.CompliantTrue
339(ND, NE) Ensure 'Remote Procedure Call (RPC) Locator (RpcLocator)' is set to 'Disabled'.CompliantTrue
341(ND, NE) Ensure 'Simple TCP/IP Services (simptcp)' is set to 'Disabled' or 'Not Installed'.CompliantTrue
343(ND, NE) Ensure 'SSDP Discovery (SSDPSRV)' is set to 'Disabled'.CompliantTrue
345(ND, NE) Ensure 'UPnP Device Host (upnphost)' is set to 'Disabled'. CompliantTrue
348(ND, NE) Ensure 'Web Management Service (WMSvc)' is set to 'Disabled' or 'Not Installed'.CompliantTrue
349(ND, NE) Ensure 'Windows Media Player Network Sharing Service (WMPNetworkSvc)' is set to 'Disabled'.CompliantTrue
351(HD) Ensure 'Windows Mobile Hotspot Service (icssvc)' is set to 'Disabled'. CompliantTrue
356(ND, NE) Ensure 'World Wide Web Publishing Service (W3SVC)' is set to 'Disabled' or 'Not Installed'.CompliantTrue
357(ND, NE) Ensure 'Xbox Accessory Management Service (XboxGipSvc)' is set to 'Disabled'.CompliantTrue
358(ND, NE) Ensure 'Xbox Live Auth Manager (XblAuthManager)' is set to 'Disabled'.CompliantTrue
359(ND, NE) Ensure 'Xbox Live Networking Service (XboxNetApiSvc)' is set to 'Disabled'.CompliantTrue
360(ND, NE) Ensure 'Xbox Live Game Save (XblGameSave)' is set to 'Disabled'.CompliantTrue
361(ND) Ensure 'Windows Firewall: Domain: Outbound connections' is set to 'Allow (default)'.CompliantTrue
362(ND) Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No'.CompliantTrue
363(ND) Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)'.CompliantTrue
364(ND) Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On (recommended)'.CompliantTrue
365(ND, NE) Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow (default)' .Registry value is '0'. Expected: 1False
366(ND, NE) Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'No'.CompliantTrue
367(ND, NE) Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)'.CompliantTrue
368(ND, NE) Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)'.CompliantTrue
369(ND, NE) Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No'.CompliantTrue
370(ND, NE) Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No'.CompliantTrue
371(ND, NE) Ensure 'Windows Firewall: Private: Outbound connections' is set to 'Allow (default)'.Registry value is '0'. Expected: 1False
372(ND, NE) Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No'.CompliantTrue
373(ND, NE) Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)'.CompliantTrue
374(ND, NE) Ensure 'Windows Firewall: Private: Firewall state' is set to 'On (recommended)'.CompliantTrue

User Rights Assignment-

IdTaskMessageStatus
277(ND, NE) Ensure 'Change the system time' is set to 'Administrators, LOCAL SERVICE'.CompliantTrue
278(ND, NE) Ensure 'Change the time zone' is set to 'Administrators, LOCAL SERVICE, Users'.CompliantTrue
279(ND, NE) Ensure 'Increase scheduling priority' is set to 'Administrators, Window Manager\Window Manager Group'.CompliantTrue
280(ND, NE) Ensure 'Deny log on as a batch job' to include 'ANONYMOUS LOGON, Guests'.The user 'SeDenyBatchLogonRight' setting does not contain the following users: NT AUTHORITY\ANONYMOUS LOGONFalse
282(ND, NE) Ensure 'Deny log on as a service' to include 'ANONYMOUS LOGON, Guests'.The user 'SeDenyServiceLogonRight' setting does not contain the following users: NT AUTHORITY\ANONYMOUS LOGONFalse
284(ND) Ensure 'Deny log on through Remote Desktop Services' to include 'ANONYMOUS LOGON, Guests, Local account'.The user right 'SeDenyRemoteInteractiveLogonRight' contains following unexpected users: NT AUTHORITY\Local account (S-1-5-113) The user right 'SeDenyRemoteInteractiveLogonRight' setting does not contain the following users: NT AUTHORITY\ANONYMOUS LOGON (S-1-5-7), LOCAL (S-1-2-0)False
285(ND, NE) Ensure 'Allow log on through Remote Desktop Services' is set to 'Administrators, Remote Desktop Users'. CompliantTrue
286(ND, NE) Ensure 'Impersonate a client after authentication' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'. CompliantTrue
287(ND, NE) Ensure 'Adjust memory quotas for a process' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE'.CompliantTrue
288(ND, NE) Ensure 'Access Credential Manager as a trusted caller' is set to 'No One'.CompliantTrue
289(ND, NE) Ensure 'Access this computer from the network' is set to 'Administrators, Remote Desktop Users'. The user right 'SeNetworkLogonRight' contains following unexpected users: BUILTIN\Users, BUILTIN\Backup Operators The user 'SeNetworkLogonRight' setting does not contain the following users: BUILTIN\Remote Desktop UsersFalse
290(ND, NE) Ensure 'Debug programs' is set to 'Administrators'.The user 'SeDebugPrivilege' setting does not contain the following users: BUILTIN\AdministratorsFalse
291(ND, NE) Ensure 'Perform volume maintenance tasks' is set to 'Administrators'.CompliantTrue
292(ND, NE) Ensure 'Act as part of the operating system' is set to 'No One'.CompliantTrue
293(ND) Ensure 'Enable computer and user accounts to be trusted for delegation' is set to 'No One'.CompliantTrue
294(ND, NE) Ensure 'Replace a process level token' is set to 'LOCAL SERVICE, NETWORK SERVICE'.CompliantTrue
295(ND, NE) Ensure 'Create a pagefile' is set to 'Administrators'.CompliantTrue
296(ND, NE) Ensure 'Profile system performance' is set to 'Administrators, NT SERVICE\WdiServiceHost'. CompliantTrue
297(ND, NE) Ensure 'Profile single process' is set to 'Administrators'.CompliantTrue
298(ND, NE) Ensure 'Create a token object' is set to 'No One'.CompliantTrue
299(ND, NE) Ensure 'Create global objects' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'.CompliantTrue
300(ND, NE) Ensure 'Create symbolic links' is set to 'Administrators'.CompliantTrue
301(ND, NE) Ensure 'Create permanent shared objects' is set to 'No One'. CompliantTrue
302(ND, NE) Ensure 'Force shutdown from a remote system' is set to 'Administrators'.CompliantTrue
303(ND, NE) Ensure 'Generate security audits' is set to 'LOCAL SERVICE, NETWORK SERVICE'.CompliantTrue
304(ND, NE) Ensure 'Shut down the system' is set to 'Administrators, Users'.CompliantTrue
305(ND, NE) Ensure 'Load and unload device drivers' is set to 'Administrators'.CompliantTrue
306(ND, NE) Ensure 'Deny log on locally' to include 'ANONYMOUS LOGON, Guests'.The user 'SeDenyInteractiveLogonRight' setting does not contain the following users: NT AUTHORITY\ANONYMOUS LOGONFalse
307(ND, NE) Ensure 'Allow log on locally' is set to 'Administrators, Users'. CompliantTrue
308(ND, NE) Ensure 'Back up files and directories' is set to 'Administrators'.CompliantTrue
309(ND, NE) Ensure 'Lock pages in memory' is set to 'No One'.CompliantTrue
310(ND, NE) Ensure 'Take ownership of files or other objects' is set to 'Administrators' .CompliantTrue
311(ND, NE) Ensure 'Modify firmware environment values' is set to 'Administrators'. CompliantTrue
312(ND, NE) Ensure 'Modify an object label' is set to 'No One'.CompliantTrue
313(ND, NE) Ensure 'Manage auditing and security log' is set to 'Administrators'.CompliantTrue
314(ND, NE) Ensure 'Restore files and directories' is set to 'Administrators'. CompliantTrue
315(ND, NE) Ensure 'Deny access to this computer from the network' to include 'ANONYMOUS LOGON, Guest, Local account'. The user 'SeDenyNetworkLogonRight' setting does not contain the following users: NT AUTHORITY\ANONYMOUS LOGON, LOCALFalse

Account Policies-

IdTaskMessageStatus
200(ND, NE) Ensure 'Store passwords using reversible encryption' is set to 'Disabled'.CompliantTrue
201(ND, NE) Ensure 'Password must meet complexity requirements' is set to 'Enabled'.CompliantTrue
202(ND, NE) Ensure 'Enforce password history' is set to '24 or more password(s)'.CompliantTrue
203(ND, NE) Ensure 'Maximum password age' is set to '365 or fewer days, but not 0'.CompliantTrue
204(ND, NE) Ensure 'Minimum password length' is set to '14 or more character(s)'.CompliantTrue
205(ND, NE) Ensure 'Minimum password age' is set to '1 or more day(s)' .CompliantTrue
206(ND) Ensure 'Account lockout duration' is set to '15 or more minute(s)'.CompliantTrue
207(ND) Ensure 'Account lockout threshold' is set to '10 or fewer invalid logon attempt(s), but not 0'.CompliantTrue
208(ND) Ensure 'Reset account lockout counter after' is set to '15 ormore minute(s)'. CompliantTrue

Security Options-

IdTaskMessageStatus
235(ND, NE) Configure 'Accounts: Rename administrator account'.CompliantTrue
236(ND, NE) Ensure 'Accounts: Administrator account status' is set to 'Disabled'.CompliantTrue
237(ND, NE) Ensure 'Accounts: Guest account status' is set to 'Disabled'. CompliantTrue
238(ND, NE) Configure 'Accounts: Rename guest account'.CompliantTrue
249(ND) Ensure 'Network security: Force logoff when logon hours expire' is set to 'Enabled'.CompliantTrue

BSI Benchmarks SiSyPHuS NE-

This section contains the BSI Benchmark results.

Registry Settings/Group Policies-

IdTaskMessageStatus
1(ND, NE) Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled'. CompliantTrue
2(ND, NE) Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver.CompliantTrue
3(ND, NE) Ensure 'Configure SMB v1 server' is set to 'Disabled'.CompliantTrue
4(ND, NE) Ensure 'Enable Structured Exception Handling Overwrite Protection (SEHOP)' is set to 'Enabled'.CompliantTrue
5(ND, NE) Ensure 'WDigest Authentication' is set to 'Disabled'.CompliantTrue
6(ND, NE) Ensure 'LSA Protection' is set to 'Enabled'.Registry value not found.False
7(ND, NE) Ensure 'MSS: (EnableDeadGWDetect) Allow automatic detection of dead network gateways (could lead to DoS)' is set to 'Disabled'.Registry value not found.False
8(ND, NE) Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon(not recommended)' is set to 'Disabled'.CompliantTrue
9(ND, NE) Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'.CompliantTrue
10(ND, NE) Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'.CompliantTrue
12(ND, NE) Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled'.CompliantTrue
14(ND, NE) Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled'.CompliantTrue
16(ND, NE) Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' is set to 'Enabled'.CompliantTrue
17(ND, NE) Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' is set to 'Enabled: 5 or fewer seconds'.CompliantTrue
20(ND, NE) Ensure 'Turn off multicast name resolution' is set to 'Enabled'.CompliantTrue
21(ND, NE) Ensure 'NetBIOS node type' is set to 'P-node'.CompliantTrue
22(ND, NE) Ensure 'Enable insecure guest logons' is set to 'Disabled'.CompliantTrue
24_1(ND, NE) Ensure 'Hardened UNC Paths' is set to "Require Mutual Authentication=1, "Require Integrity=1" for the value names "\\*\NETLOGON" und "\\*\SYSVOL".CompliantTrue
24_2(ND, NE) Ensure 'Hardened UNC Paths' is set to "Require Mutual Authentication=1, "Require Integrity=1" for the value names "\\*\NETLOGON" und "\\*\SYSVOL".CompliantTrue
33(ND, NE) Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to the value 'Enabled: 1 = Minimize the number of simultaneous connections'.Registry value not found.False
34(ND) Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled' CompliantTrue
35(ND, NE) Ensure 'Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services' is set to 'Disabled'.CompliantTrue
37(ND, NE) Ensure 'Turn off toast notifications on the lock screen' is set to 'Enabled'. Registry value not found.False
39(ND, NE) Ensure 'Turn off picture password sign-in' is set to 'Enabled'. CompliantTrue
40(ND, NE) Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled'. CompliantTrue
41(ND, NE) Ensure 'Block user from showing account details on signin' is set to 'Enabled'.CompliantTrue
44(ND, NE) Ensure 'Do not display network selection UI' is set to 'Enabled'.CompliantTrue
46(ND, NE) Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical'.CompliantTrue
50(ND, NE) Ensure 'Encryption Oracle Remediation' is set to 'Enabled: Force Updated Clients'.CompliantTrue
52(ND, NE) Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled' .CompliantTrue
53(ND, NE) Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled'.CompliantTrue
54(ND, NE) Ensure 'Allow network connectivity during connected-standby (on battery)' is set to 'Disabled'.CompliantTrue
55(ND, NE) Ensure 'Allow network connectivity during connected-standby (plugged in)' is set to 'Disabled'.CompliantTrue
56(ND, NE) Ensure 'Allow standby states (S1-S3) when sleeping (on battery)' is set to 'Disabled'.CompliantTrue
57(ND, NE) Ensure 'Allow standby states (S1-S3) when sleeping (plugged in)' is set to 'Disabled'.CompliantTrue
59(ND, NE) Ensure 'Prevent installation of devices that match any of these device IDs' is configured.Registry value not found.False
60(ND, NE) Ensure 'Prevent installation of devices using drivers that match these device setup classes' is configured.CompliantTrue
61(ND, NE) Ensure 'Continue experiences on this device' is set to 'Disabled'.CompliantTrue
68(ND, NE) Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'.CompliantTrue
74(ND, NE) Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'.CompliantTrue
81(ND, NE) Ensure 'Enumeration policy for external devices incompatible with Kernel DMA Protection' is set to 'Enabled: Block All'.CompliantTrue
84(ND, NE) Ensure 'Restrict Unauthenticated RPC clients' is set to 'Enabled: Authenticated' .CompliantTrue
85(ND, NE) Ensure 'Enable RPC Endpoint Mapper Client Authentication' is set to 'Enabled'. CompliantTrue
86(ND, NE) Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled'.CompliantTrue
87(ND, NE) Ensure 'Configure Offer Remote Assistance' is set to 'Disabled'.CompliantTrue
88(ND, NE) Ensure 'Ignore the default list of blocked TPM commands' is set to 'Disabled'.Registry key not found.False
89(ND, NE) Ensure 'Standard User Lockout Duration' is set to '30 minutes'.Registry value not found.False
90(ND, NE) Ensure 'Standard User Total Lockout Threshold' is set to '5'.Registry value not found.False
94(ND, NE) Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled'.CompliantTrue
95(ND, NE) Ensure 'Prevent enabling lock screen camera' is set to 'Enabled'.CompliantTrue
96(ND, NE) Ensure 'Force specific screen saver: Screen saver executable name' is set to 'Enabled: scrnsave.scr'.Registry key not found.False
97(ND, NE) Ensure 'Enable screen saver' is set to 'Enabled'.Registry key not found.False
98(ND, NE) Ensure 'Password protect the screen saver' is set to 'Enabled'.Registry key not found.False
99(ND, NE) Ensure 'Screen saver timeout' is set to 'Enabled: 900 seconds or fewer, but not 0'.Registry key not found.False
100_1(ND, NE) Ensure 'Turn off automatic learning' is set to 'Enabled' for ImplicitTextCollection.Registry value not found.False
100_2(ND, NE) Ensure 'Turn off automatic learning' is set to 'Enabled' for ImplicitInkCollection.Registry value not found.False
101(ND, NE) Ensure 'Allow users to enable online speech recognition services' is set to 'Disabled'.CompliantTrue
102(ND, NE) Ensure 'Notify antivirus programs when opening attachments' is set to 'Enabled'. Registry key not found.False
103(ND, NE) Ensure 'Do not preserve zone information in file attachments' is set to 'Disabled'.Registry key not found.False
106(ND, NE) Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled'.CompliantTrue
107(ND, NE) Ensure 'Do not display the password reveal button' is set to 'Enabled'.CompliantTrue
109(ND, NE) Ensure 'Configure enhanced anti-spoofing' is set to 'Enabled'.CompliantTrue
112(ND, NE) Ensure 'Do not suggest third-party content in Windows spotlight' is set to 'Enabled'.Registry value not found.False
113(ND, NE) Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled'.CompliantTrue
114(ND, NE) Ensure 'Configure Windows spotlight on lock screen' is set to Disabled'.Registry value not found.False
115(ND, NE) Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled'.CompliantTrue
116(ND, NE) Ensure 'Turn off shell protocol protected mode' is set to 'Disabled'.CompliantTrue
117(ND, NE) Ensure 'Turn off heap termination on corruption' is set to 'Disabled'.CompliantTrue
118(ND, NE) Ensure 'Toggle user control over Insider builds' is set to 'Disabled'.CompliantTrue
119(ND, NE) Ensure 'Do not show feedback notifications' is set to 'Enabled'.CompliantTrue
120(ND, NE) Ensure 'Allow Telemetry' is set to 'Enabled: 0 – Security [Enterprise Only]'.CompliantTrue
121(ND, NE) Ensure 'Allow device name to be sent in Windows diagnostic data' is set to 'Disabled'.Registry value not found.False
124(ND, NE) Ensure 'Block all consumer Microsoft account user authentication' is set to 'Enabled'.CompliantTrue
126(ND, NE) Ensure 'Prevent users from sharing files within their profile.' is set to 'Enabled'.Registry key not found.False
127(ND, NE) Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled'.Registry key not found.False
131(ND, NE) Ensure 'Do not allow drive redirection' is set to 'Enabled'.CompliantTrue
134(ND, NE) Ensure 'Always prompt for password upon connection' is set to 'Enabled'.CompliantTrue
135(ND, NE) Ensure 'Require user authentication for remote connections by using Network Level Authentication' is set to 'Enabled'. CompliantTrue
136(ND, NE) Ensure 'Require secure RPC communication' is set to 'Enabled'.CompliantTrue
137(ND, NE) Ensure 'Set client connection encryption level' is set to 'Enabled: High Level'.CompliantTrue
138(ND, NE) Ensure 'Require use of specific security layer for remote (RDP) connections' is set to 'Enabled: SSL'. CompliantTrue
139(ND, NE) Ensure 'End session when time limits are reached' is set to 'Enabled'.Registry key not found.False
142(ND, NE) Ensure 'Do not use temporary folders per session' is set to 'Disabled'.Registry value not found.False
143(ND, NE) Ensure 'Do not delete temp folders upon exit' is set to 'Disabled'. CompliantTrue
145(ND, NE) Ensure 'Do not allow passwords to be saved' is set to 'Enabled'.CompliantTrue
146(ND, NE) Ensure 'Disallow Autoplay for non-volume devices' is set to'Enabled'.CompliantTrue
147(ND, NE) Ensure 'Turn off Autoplay' is set to 'Enabled: All drives'.CompliantTrue
148(ND, NE) Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands'. CompliantTrue
149(ND, NE) Ensure 'Prevent downloading of enclosures' is set to 'Enabled'.CompliantTrue
152(ND, NE) Ensure 'Turn off Automatic Download and Install of updates' is set to 'Disabled'. CompliantTrue
153(ND, NE) Ensure 'Turn off the offer to update to the latest version of Windows' is set to 'Enabled'.CompliantTrue
157(ND, NE) Ensure 'Allow search and Cortana to use location' is set to 'Disabled'.CompliantTrue
158(ND, NE) Ensure 'Allow indexing of encrypted files' is set to 'Disabled'.CompliantTrue
159(ND, NE) Ensure 'Improve inking and typing recognition' is set to 'Disabled'. Registry key not found.False
160(ND, NE) Ensure 'Download Mode' is set to 'Enabled: Simple (99)' .Registry value is '0'. Expected: 99False
161(ND, NE) Ensure 'Require pin for pairing' is set to 'Enabled: Always'. CompliantTrue
162(ND, NE) Ensure 'Configure detection for potentially unwanted applications' is set to 'Enabled: Block'.CompliantTrue
163(ND, NE) Ensure 'Turn off Windows Defender Antivirus' is set to 'Disabled'.CompliantTrue
164(ND, NE) Ensure 'Configure Watson events' is set to 'Disabled'.CompliantTrue
165(ND, NE) Ensure 'Turn on behavior monitoring' is set to 'Enabled'.CompliantTrue
167(ND, NE) Ensure 'Configure local setting override for reporting to Microsoft MAPS' is set to 'Disabled'.CompliantTrue
168(ND, NE) Ensure 'Turn on e-mail scanning' is set to 'Enabled'.CompliantTrue
169(ND, NE) Ensure 'Scan removable drives' is set to 'Enabled'.CompliantTrue
170(ND, NE) Ensure 'Prevent users and apps from accessing dangerous websites' is set to 'Enabled: Block'.CompliantTrue
171(ND, NE) Ensure 'Configure Attack Surface Reduction rules' is set to 'Enabled'.CompliantTrue
172_1(ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office communication application from creating child processes)CompliantTrue
172_2(ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from creating executable content)CompliantTrue
172_3(ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block execution of potentially obfuscated scripts)CompliantTrue
172_4(ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from injecting code into other processes)CompliantTrue
172_5(ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Adobe Reader from creating child processes)CompliantTrue
172_6(ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Win32 API calls from Office macro)CompliantTrue
172_7(ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block credential stealing from the Windows local security authority subsystem (lsass.exe))CompliantTrue
172_8(ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block untrusted and unsigned processes that run from USB)CompliantTrue
172_9(ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block executable content from email client and webmail)CompliantTrue
172_10(ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block JavaScript or VBScript from launching downloaded executable content)CompliantTrue
172_11(ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from creating child processes)CompliantTrue
173(ND, NE) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent bypass'. CompliantTrue
174(ND, NE) Ensure 'Prevent bypassing Windows Defender SmartScreen prompts for sites' is set to 'Enabled'.CompliantTrue
175(ND, NE) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled'.CompliantTrue
177(ND, NE) Ensure 'Allow Windows Ink Workspace' is set to 'Enabled: On, but disallow access above lock' OR 'Disabled'.CompliantTrue
178(ND, NE) Ensure 'Allow user control over installs' is set to 'Disabled'.CompliantTrue
180(ND, NE) Ensure 'Always install with elevated privileges' is set to 'Disabled' on local_machine.CompliantTrue
181(ND, NE) Ensure 'Always install with elevated privileges' is set to 'Disabled' on current_user.Registry key not found.False
183(ND, NE) Ensure 'Turn on Script Execution' is set to 'Enabled: Allow local scripts and remote signed scripts'.Registry key not found.False
185(ND, NE) Ensure 'Configure Automatic Updates' is set to 'Enabled: 4 Auto download and schedule the install'. CompliantTrue
186(ND, NE) Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day'. CompliantTrue
187(ND, NE) Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled'.CompliantTrue
188(ND, NE) Ensure 'Remove access to "Pause updates" feature' is set to 'Enabled'.CompliantTrue
189(ND, NE) Ensure 'Sign-in last interactive user automatically after a system-initiated restart' is set to 'Disabled'. CompliantTrue
191(ND, NE) Ensure 'Allow Basic authentication' is set to 'Disabled'.CompliantTrue
192(ND, NE) Ensure 'Disallow Digest authentication' is set to 'Enabled'. CompliantTrue
193(ND, NE) Ensure 'Allow unencrypted traffic' is set to 'Disabled'. CompliantTrue
194(ND, NE) Ensure 'Allow Basic authentication' is set to 'Disabled'.CompliantTrue
196(ND, NE) Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled'.CompliantTrue
197(ND, NE) Ensure 'Allow unencrypted traffic' is set to 'Disabled'. CompliantTrue
198(ND, NE) Ensure 'Prevent users from modifying settings' is set to 'Enabled'.CompliantTrue
199(ND, NE) Ensure 'Enables or disables Windows Game Recording and Broadcasting' is set to 'Disabled'.CompliantTrue
209(ND, NE) Configure 'Interactive logon: Message title for users attempting to log on'.CompliantTrue
210(ND, NE) Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled'.CompliantTrue
211(ND, NE) Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled'. CompliantTrue
212(ND, NE) Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled'. CompliantTrue
213(ND, NE) Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled'.CompliantTrue
214(ND, NE) Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled'.CompliantTrue
215(ND, NE) Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled'. CompliantTrue
216(ND, NE) Ensure 'User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop' is set to 'Disabled'.CompliantTrue
217(ND, NE) Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure desktop'.CompliantTrue
218(ND, NE) Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Prompt for credentials on the secure desktop'.Registry value is '3'. Expected: 1False
226(ND, NE) Ensure 'Devices: Allowed to format and eject removable media' is set to 'Administrators and Interactive Users'.CompliantTrue
227(ND, NE) Ensure 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days'.CompliantTrue
229 Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0'. CompliantTrue
230(ND, NE) Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled'.CompliantTrue
231(ND, NE) Configure 'Interactive logon: Message text for users attempting to log on'.CompliantTrue
234(ND, NE) Ensure 'Interactive logon: Don't display last signed-in' is setto 'Enabled'.CompliantTrue
239(ND, NE) Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled'. CompliantTrue
240(ND, NE) Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts'.CompliantTrue
241(ND, NE) Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled'.CompliantTrue
242(ND, NE) Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled'.CompliantTrue
243(ND, NE) Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled'.CompliantTrue
244(ND, NE) Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled'.CompliantTrue
245(ND, NE) Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled'.CompliantTrue
246(ND, NE) Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled'. CompliantTrue
247(ND, NE) Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s)'. CompliantTrue
252(ND) Ensure 'Network security: Configure encryption types allowed for Kerberos' is set to 'AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types'.CompliantTrue
253(ND, NE) Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled'.CompliantTrue
254(ND, NE) Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only'.CompliantTrue
255(ND, NE) Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'.CompliantTrue
256(ND, NE) Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled'. CompliantTrue
257(ND) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to 'Require NTLMv2 session security, Require 128-bit encryption'. CompliantTrue
258(ND) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to 'Require NTLMv2 session security, Require 128-bit encryption'.CompliantTrue
259(ND) Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signing' or higher.CompliantTrue
260(ND, NE) Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled'.CompliantTrue
261(ND, NE) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled'.CompliantTrue
262(ND) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is set to 'Enabled'.CompliantTrue
263(ND) Ensure 'Network access: Allow anonymous SID/Name translation' is set to 'Disabled'.Registry value not found.False
264(ND, NE) Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled'.CompliantTrue
265(ND, NE) Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow'.CompliantTrue
266(ND) Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled'. CompliantTrue
267(ND, NE) Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None'.CompliantTrue
268(ND, NE) Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves'. CompliantTrue
269(ND, NE) Ensure 'Network access: Named Pipes that can be accessed anonymously' is set to 'None'. CompliantTrue
270(ND, NE) Configure 'Network access: Remotely accessible registry paths and sub-paths'.CompliantTrue
271(ND, NE) Configure 'Network access: Remotely accessible registry paths'.CompliantTrue
272(ND, NE) Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled'. CompliantTrue
275(ND, NE) Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled'. CompliantTrue
276(ND, NE) Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled'.CompliantTrue
317(ND, NE) Ensure 'Connected User Experiences and Telemetry' is set to 'Disabled'.Registry value not found.False
320(ND, NE) Ensure 'Computer Browser (Browser)' is set to 'Disabled' or 'Not Installed'.CompliantTrue
321(NE, ND) Ensure 'Internet Connection Sharing (ICS) (SharedAccess)' is set to 'Disabled'.CompliantTrue
323(ND, NE) Ensure 'IIS Admin Service (IISADMIN)' is set to 'Disabled' or 'Not Installed'.CompliantTrue
324(NE, ND) Ensure 'Infrared monitor service (irmon)' is set to 'Disabled'.CompliantTrue
326(ND, NE) Ensure 'LxssManager (LxssManager)' is set to 'Disabled' or 'Not Installed'.CompliantTrue
328(ND, NE) Ensure 'Microsoft FTP Service (FTPSVC)' is set to 'Disabled' or 'Not Installed'.CompliantTrue
331(ND, NE) Ensure 'OpenSSH SSH Server (sshd)' is set to 'Disabled' or 'Not Installed'.CompliantTrue
338(ND, NE) Ensure 'Routing and Remote Access (RemoteAccess)' is set to 'Disabled'.CompliantTrue
339(ND, NE) Ensure 'Remote Procedure Call (RPC) Locator (RpcLocator)' is set to 'Disabled'.CompliantTrue
341(ND, NE) Ensure 'Simple TCP/IP Services (simptcp)' is set to 'Disabled' or 'Not Installed'.CompliantTrue
343(ND, NE) Ensure 'SSDP Discovery (SSDPSRV)' is set to 'Disabled'.CompliantTrue
345(ND, NE) Ensure 'UPnP Device Host (upnphost)' is set to 'Disabled'. CompliantTrue
348(ND, NE) Ensure 'Web Management Service (WMSvc)' is set to 'Disabled' or 'Not Installed'.CompliantTrue
349(ND, NE) Ensure 'Windows Media Player Network Sharing Service (WMPNetworkSvc)' is set to 'Disabled'.CompliantTrue
351(HD) Ensure 'Windows Mobile Hotspot Service (icssvc)' is set to 'Disabled'. CompliantTrue
356(ND, NE) Ensure 'World Wide Web Publishing Service (W3SVC)' is set to 'Disabled' or 'Not Installed'.CompliantTrue
357(ND, NE) Ensure 'Xbox Accessory Management Service (XboxGipSvc)' is set to 'Disabled'.CompliantTrue
358(ND, NE) Ensure 'Xbox Live Auth Manager (XblAuthManager)' is set to 'Disabled'.CompliantTrue
359(ND, NE) Ensure 'Xbox Live Networking Service (XboxNetApiSvc)' is set to 'Disabled'.CompliantTrue
360(ND, NE) Ensure 'Xbox Live Game Save (XblGameSave)' is set to 'Disabled'.CompliantTrue
365(ND, NE) Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow (default)' .Registry value is '0'. Expected: 1False
366(ND, NE) Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'No'.CompliantTrue
367(ND, NE) Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)'.CompliantTrue
368(ND, NE) Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)'.CompliantTrue
369(ND, NE) Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No'.CompliantTrue
370(ND, NE) Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No'.CompliantTrue
371(ND, NE) Ensure 'Windows Firewall: Private: Outbound connections' is set to 'Allow (default)'.Registry value is '0'. Expected: 1False
372(ND, NE) Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No'.CompliantTrue
373(ND, NE) Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)'.CompliantTrue
374(ND, NE) Ensure 'Windows Firewall: Private: Firewall state' is set to 'On (recommended)'.CompliantTrue

User Rights Assignment-

IdTaskMessageStatus
277(ND, NE) Ensure 'Change the system time' is set to 'Administrators, LOCAL SERVICE'.CompliantTrue
278(ND, NE) Ensure 'Change the time zone' is set to 'Administrators, LOCAL SERVICE, Users'.CompliantTrue
279(ND, NE) Ensure 'Increase scheduling priority' is set to 'Administrators, Window Manager\Window Manager Group'.CompliantTrue
280(ND, NE) Ensure 'Deny log on as a batch job' to include 'ANONYMOUS LOGON, Guests'.The user 'SeDenyBatchLogonRight' setting does not contain the following users: NT AUTHORITY\ANONYMOUS LOGONFalse
282(ND, NE) Ensure 'Deny log on as a service' to include 'ANONYMOUS LOGON, Guests'.The user 'SeDenyServiceLogonRight' setting does not contain the following users: NT AUTHORITY\ANONYMOUS LOGONFalse
284(ND) Ensure 'Deny log on through Remote Desktop Services' to include 'ANONYMOUS LOGON, Guests, Local account'.The user right 'SeDenyRemoteInteractiveLogonRight' contains following unexpected users: NT AUTHORITY\Local account (S-1-5-113) The user right 'SeDenyRemoteInteractiveLogonRight' setting does not contain the following users: NT AUTHORITY\ANONYMOUS LOGON (S-1-5-7), LOCAL (S-1-2-0)False
285(ND, NE) Ensure 'Allow log on through Remote Desktop Services' is set to 'Administrators, Remote Desktop Users'. CompliantTrue
286(ND, NE) Ensure 'Impersonate a client after authentication' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'. CompliantTrue
287(ND, NE) Ensure 'Adjust memory quotas for a process' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE'.CompliantTrue
288(ND, NE) Ensure 'Access Credential Manager as a trusted caller' is set to 'No One'.CompliantTrue
289(ND, NE) Ensure 'Access this computer from the network' is set to 'Administrators, Remote Desktop Users'. The user right 'SeNetworkLogonRight' contains following unexpected users: BUILTIN\Users, BUILTIN\Backup Operators The user 'SeNetworkLogonRight' setting does not contain the following users: BUILTIN\Remote Desktop UsersFalse
290(ND, NE) Ensure 'Debug programs' is set to 'Administrators'.The user 'SeDebugPrivilege' setting does not contain the following users: BUILTIN\AdministratorsFalse
291(ND, NE) Ensure 'Perform volume maintenance tasks' is set to 'Administrators'.CompliantTrue
292(ND, NE) Ensure 'Act as part of the operating system' is set to 'No One'.CompliantTrue
294(ND, NE) Ensure 'Replace a process level token' is set to 'LOCAL SERVICE, NETWORK SERVICE'.CompliantTrue
295(ND, NE) Ensure 'Create a pagefile' is set to 'Administrators'.CompliantTrue
296(ND, NE) Ensure 'Profile system performance' is set to 'Administrators, NT SERVICE\WdiServiceHost'. CompliantTrue
297(ND, NE) Ensure 'Profile single process' is set to 'Administrators'.CompliantTrue
298(ND, NE) Ensure 'Create a token object' is set to 'No One'.CompliantTrue
299(ND, NE) Ensure 'Create global objects' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'.CompliantTrue
300(ND, NE) Ensure 'Create symbolic links' is set to 'Administrators'.CompliantTrue
301(ND, NE) Ensure 'Create permanent shared objects' is set to 'No One'. CompliantTrue
302(ND, NE) Ensure 'Force shutdown from a remote system' is set to 'Administrators'.CompliantTrue
303(ND, NE) Ensure 'Generate security audits' is set to 'LOCAL SERVICE, NETWORK SERVICE'.CompliantTrue
304(ND, NE) Ensure 'Shut down the system' is set to 'Administrators, Users'.CompliantTrue
305(ND, NE) Ensure 'Load and unload device drivers' is set to 'Administrators'.CompliantTrue
306(ND, NE) Ensure 'Deny log on locally' to include 'ANONYMOUS LOGON, Guests'.The user 'SeDenyInteractiveLogonRight' setting does not contain the following users: NT AUTHORITY\ANONYMOUS LOGONFalse
307(ND, NE) Ensure 'Allow log on locally' is set to 'Administrators, Users'. CompliantTrue
308(ND, NE) Ensure 'Back up files and directories' is set to 'Administrators'.CompliantTrue
309(ND, NE) Ensure 'Lock pages in memory' is set to 'No One'.CompliantTrue
310(ND, NE) Ensure 'Take ownership of files or other objects' is set to 'Administrators' .CompliantTrue
311(ND, NE) Ensure 'Modify firmware environment values' is set to 'Administrators'. CompliantTrue
312(ND, NE) Ensure 'Modify an object label' is set to 'No One'.CompliantTrue
313(ND, NE) Ensure 'Manage auditing and security log' is set to 'Administrators'.CompliantTrue
314(ND, NE) Ensure 'Restore files and directories' is set to 'Administrators'. CompliantTrue
315(ND, NE) Ensure 'Deny access to this computer from the network' to include 'ANONYMOUS LOGON, Guest, Local account'. The user 'SeDenyNetworkLogonRight' setting does not contain the following users: NT AUTHORITY\ANONYMOUS LOGON, LOCALFalse

Account Policies-

IdTaskMessageStatus
200(ND, NE) Ensure 'Store passwords using reversible encryption' is set to 'Disabled'.CompliantTrue
201(ND, NE) Ensure 'Password must meet complexity requirements' is set to 'Enabled'.CompliantTrue
202(ND, NE) Ensure 'Enforce password history' is set to '24 or more password(s)'.CompliantTrue
203(ND, NE) Ensure 'Maximum password age' is set to '365 or fewer days, but not 0'.CompliantTrue
204(ND, NE) Ensure 'Minimum password length' is set to '14 or more character(s)'.CompliantTrue
205(ND, NE) Ensure 'Minimum password age' is set to '1 or more day(s)' .CompliantTrue

Security Options-

IdTaskMessageStatus
235(ND, NE) Configure 'Accounts: Rename administrator account'.CompliantTrue
236(ND, NE) Ensure 'Accounts: Administrator account status' is set to 'Disabled'.CompliantTrue
237(ND, NE) Ensure 'Accounts: Guest account status' is set to 'Disabled'. CompliantTrue
238(ND, NE) Configure 'Accounts: Rename guest account'.CompliantTrue

BSI Benchmarks SiSyPHus-BSI-

This section contains the BSI Benchmark results.

Registry Settings/Group Policies-

IdTaskMessageStatus
3.1.1 AConfiguration of the lowest possible telemetry-level (Enterprise Windows 10)CompliantTrue
3.1.1 BConfiguration of the lowest possible telemetry-level (Non-Enterprise Windows 10)Registry value is '0'. Expected: 1False
3.1.2.1Deactivation of the telemetry service and ETW-sessions - disable service DiagTrackCompliantTrue
3.1.2.2Deactivation of the telemetry service and ETW-sessions - disable service Autologger-Diatrack-ListenerCompliantTrue
3.1.3.1.1Deactivation of telemetry according to Microsoft - Disable Windows Update ServiceRegistry value is '3'. Expected: 4False
3.1.3.1.2Deactivation of telemetry according to Microsoft - Cloud-Based-Protection: disable MAPSCompliantTrue
3.1.3.1.3Deactivation of telemetry according to Microsoft - Cloud-Based-Protection: never send sample filesCompliantTrue

BSI Benchmarks SiSyPHus-BSI Bundespolizei-

This section contains the BSI Benchmark results.

Registry Settings/Group Policies-

IdTaskMessageStatus
0003 Ensure 'Configure Automatic Updates' is set to 4Registry value not found.False
0004 Ensure 'Configure Automatic Updates' is set to 'Every Day'CompliantTrue
0005 Ensure 'Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'CompliantTrue
0006 Ensure 'Specify the maximum log file size (KB)' is set to 'Enabled: 32768'CompliantTrue
0032Ensure 'Setup: Specify the maximum log file size (KB)' is set to 32768.Registry key not found.False
0037Ensure 'Allow enhanced PINs for startup' is set 'Enabled'.CompliantTrue
0038Ensure 'Allow Secure Boot for integrity validation' is set 'Enabled'.CompliantTrue
0039Ensure 'Allow Secure Boot for integrity validation' is set 'Enabled'.Registry value not found.False
0040Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set 'Disabled'.CompliantTrue
0041Ensure 'Allow user control over installs' is set 'Disabled'.CompliantTrue
0043Ensure 'Enable Windows NTP Client' is set to 'Enabled'CompliantTrue
0065Ensure 'Enumerate administrator accounts on elevation' is set 'Disabled'.Registry value not found.False
0101 Ensure 'Restrict Unauthenticated RPC clients' is set 'Enabled'CompliantTrue
0109Ensure 'Allow Telemetry' is set to 0.CompliantTrue
0110Ensure 'Do not show feedback notifications' is set to 1.CompliantTrue
0111Ensure 'Turn on MSDT interactive communication with support provider' is set to 'Disabled'.CompliantTrue
0112Ensure 'Toggle user control over Insider builds' is set to 'Disabled'.CompliantTrue
0113Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled'.CompliantTrue
0114Ensure 'Turn off location' is set to 'Enabled'.CompliantTrue
0115Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled'.CompliantTrue
0116Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'.CompliantTrue
0117Ensure 'Turn off the Windows Customer Experience program' is set to 'Enabled'.Registry value is '0'. Expected: 1False
0118Ensure 'Turn off the Windows Error Reporting' is set to 'Enabled'.CompliantTrue
0119Ensure 'Windows Game Recording and Broadcasting' is set to 'Disabled'.CompliantTrue
0121Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled'.CompliantTrue
0122Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled'.Registry key not found.False
0123Ensure 'Prevent using Localhost IP address for WebRTC' is set to 'Enabled'.CompliantTrue
0131Ensure 'Allow a Windows app to share application data between users' is set to 'Disabled'.CompliantTrue
0132Ensure 'Allow indexing of encrypted files' is set to 'Disabled'.CompliantTrue
0133Ensure 'Allow InPrivate browsing' is set to 'Disabled'.CompliantTrue
0135Ensure 'Allow Standby States (S1-S3) When Sleeping (On Battery)' is set to 'Disabled'.CompliantTrue
0136Ensure 'Allow Standby States (S1-S3) When Sleeping (Plugged In)' is set to 'Disabled'.CompliantTrue
0137Ensure 'Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services' is set to 'Disabled'.CompliantTrue
0138Ensure 'Always install with elevated privileges ' is set to 'Disabled'.CompliantTrue
0139Ensure 'Always prompt for password upon connection' is set to 'Enabled'.CompliantTrue
0140Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled'.Registry value is '3'. Expected: 1False
0141Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled'.CompliantTrue
0142Ensure 'Configure Offer Remote Assistance' is set to 'Disabled'.CompliantTrue
0143Ensure 'Configure Password Manager' is set to 'Disabled'.Registry value not found.False
0144Ensure 'Configure Pop-up Blocker' is set to 'Enabled'.CompliantTrue
0145Ensure 'Configure registry policy processing' is set to 'Do not apply during periodic background processing (False)'.CompliantTrue
0146Ensure 'Configure registry policy processing' is set to 'Process even if the Group Policy objects have not changed (False)'.Registry value is '0'. Expected: 1False
0147Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled'.CompliantTrue
0148Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled'.CompliantTrue
0149Ensure 'Disallow copying of user input methods to the system account for sign-in ' is set to 'Enabled'.CompliantTrue
0150Ensure 'Do not allow password expiration time longer than required by policy' is set to 'Enabled'.CompliantTrue
0151Ensure 'Do not allow passwords to be saved' is set to 'Enabled'.CompliantTrue
0152Ensure 'Do not allow supported Plug and Play device redirection' is set to 'Enabled'.CompliantTrue
0153Ensure 'Do not delete temp folders upon exit' set to 'Disabled'.Registry value is '1'. Expected: 0False
0154Ensure 'Do not display network selection UI' set to 'Enabled'.CompliantTrue
0155Ensure 'Do not enumerate connected users on domain-joined computers' set to 'Enabled'.CompliantTrue
0156Ensure 'Enable insecure guest logons' set to 'Disabled'.CompliantTrue
0157Ensure 'Enable local admin password management' set to 'Enabled'.CompliantTrue
0158Ensure 'Enable RPC Endpoint Mapper Client Authentication' set to 'Enabled'.CompliantTrue
0159Ensure 'Enable screen saver' set to 'Enabled'.Registry key not found.False
0160Ensure 'Enable Windows NTP Server' set to 'Disabled'.CompliantTrue
0161Ensure 'Enable/Disable PerfTrack' set to 'Disabled'.CompliantTrue
0163Ensure 'Enumerate local users on domain-joined computers' set to 'Disabled'.CompliantTrue
0164Ensure 'Include command line in process creation events' set to 'Disabled'.Registry key not found.False
0165Ensure 'Let Windows apps access account information' set to 'Enabled:Force Deny'.Registry value not found.False
0166Ensure 'Let Windows apps access call history' set to 'Enabled:Force Deny'.Registry value not found.False
0167Ensure 'Let Windows apps access contacts' set to 'Enabled:Force Deny'.Registry value not found.False
0168Ensure 'Let Windows apps access email' set to 'Enabled:Force Deny'.Registry value not found.False
0169Ensure 'Let Windows apps access location' set to 'Enabled:Force Deny'.Registry value not found.False
0170Ensure 'Let Windows apps access messaging' set to 'Enabled:Force Deny'.Registry value not found.False
0171Ensure 'Let Windows apps access motion' set to 'Enabled:Force Deny'.Registry value not found.False
0172Ensure 'Let Windows apps access notifications' set to 'Enabled:Force Deny'.Registry value not found.False
0173Ensure 'Let Windows apps access the calendar' set to 'Enabled:Force Deny'.Registry value not found.False
0174Ensure 'Let Windows apps access the camera' set to 'Enabled:Force Deny'.Registry value not found.False
0175Ensure 'Let Windows apps access the microphone' set to 'Enabled:Force Deny'.Registry value not found.False
0176Ensure 'Let Windows apps access trusted devices' set to 'Enabled:Force Deny'.Registry value not found.False
0177Ensure 'Let Windows apps control radios' set to 'Enabled:Force Deny'.Registry value not found.False
0178Ensure 'Let Windows apps make phone calls' set to 'Enabled:Force Deny'.Registry value not found.False
0179Ensure 'Let Windows apps sync with devices' set to 'Enabled:Force Deny'.Registry value not found.False
0185Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' set to 'Enabled'.Registry value not found.False
0209Ensure 'Prevent downloading of enclosures' set to 'Enabled'.CompliantTrue
0210Ensure 'Prevent enabling lock screen camera' set to 'Enabled'.CompliantTrue
0211Ensure 'Prevent enabling lock screen slide show' set to 'Enabled'.CompliantTrue
0212Ensure 'Prevent installation of devices that match any of these device IDs' set to 'Enabled'.Registry value not found.False
0213Ensure 'Prevent installation of devices using drivers that match these device setup classes' set to 'Enabled'.CompliantTrue
0214Ensure 'Prevent Internet Explorer security prompt for Windows Installer scripts' set to 'Disabled'.CompliantTrue
0215Ensure 'Prevent the computer from joining a homegroup' set to 'Enalbed'.CompliantTrue
0216Ensure 'Prohibit access of the Windows Connect Now wizards' set to 'Enalbed'.CompliantTrue
0217Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' set to 'Enalbed'.CompliantTrue
0218Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' set to 'Enalbed'.Registry value is '0'. Expected: 1False
0220Ensure 'Require a password when a computer wakes (on battery)' set to 'Enalbed'.CompliantTrue
0221Ensure 'Require a password when a computer wakes (plugged in)' set to 'Enalbed'.CompliantTrue
0222Ensure 'Require additional authentication at startup' set to 'Enalbed'.CompliantTrue
0223Ensure 'Require domain users to elevate when setting a network's location' set to 'Enalbed'.CompliantTrue
0224Ensure 'Set the default behavior for AutoRun' set to 'Enalbed: Do not execute any autorun commands'.CompliantTrue
0225Ensure 'Sign-in last interactive user automatically after a system-initiated restart' set to 'Disabled'.CompliantTrue
0229Ensure 'Turn off background refresh of Group Policy' set to 'Disabled'.CompliantTrue
0230Ensure 'Turn off Data Execution Prevention for Explorer' set to 'Disabled'.CompliantTrue
0231Ensure 'Turn off downloading of print drivers over HTTP' set to 'Enabled'.CompliantTrue
0232Ensure 'Turn off handwriting personalization data sharing' set to 'Enabled'.CompliantTrue
0233Ensure 'Turn off handwriting recognition error reporting' set to 'Enabled'.CompliantTrue
0234Ensure 'Turn off heap termination on corruption' set to 'Disabled'.CompliantTrue
0235Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' set to 'Enabled'.CompliantTrue
0236Ensure 'Turn off Internet download for Web publishing and online ordering wizards' set to 'Enabled'.CompliantTrue
0237Ensure 'Turn off Microsoft Peer-to-Peer Networking Services' set to 'Enabled'.CompliantTrue
0238Ensure 'Turn off picture password sign-in' set to 'Enabled'.CompliantTrue
0239Ensure 'Turn off printing over HTTP' set to 'Enabled'.CompliantTrue
0240Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' set to 'Enabled'.CompliantTrue
0241Ensure 'Turn off Search Companion content file updates' set to 'Enabled'.CompliantTrue
0242Ensure 'Turn off shell protocol protected mode' set to 'Disabled'.CompliantTrue
0243Ensure 'Turn off the 'Order Prints' picture task' set to 'Enabled'.CompliantTrue
0244Ensure 'Turn off the 'Publish to Web' task for files and folders' set to 'Enabled'.CompliantTrue
0245Ensure 'Turn on convenience PIN sign-in' set to 'Disabled'.CompliantTrue
0246Ensure 'Turn on Mapper I/O (LLTDIO) driver' set to 'Disabled'.CompliantTrue
0247Ensure 'Turn on Responder (RSPNDR) driver' set to 'Disabled'.CompliantTrue
0248Ensure 'Turn On Virtualization Based Security' set to 'Enabled: Block untrusted fonts and log events'.CompliantTrue
0249Ensure 'Untrusted Font Blocking' set to 'Enabled'.Registry key not found.False
0250Ensure 'Configure enhanced anti-spoofing' set to 'Enabled'.CompliantTrue
0251Ensure 'WDigest Authentication' set to 'Enabled'.Registry value is '0'. Expected: 1False
0253Ensure 'Windows Firewall: Domain: Apply local firewall rules' set to 'Disabled'.CompliantTrue
0254Ensure 'Windows Firewall: Domain: Display a notification' set to 'Disabled'.CompliantTrue
0279Ensure 'Windows Firewall: Domain: Logging: Name' set to '%windir%\system32\logfiles\firewall\domainfirewall.log'.CompliantTrue
0280Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' set to '16,384'.Registry key not found.False
0281Ensure 'Windows Firewall: Public: Outbound connections' set to 'Allow'.Registry value is '0'. Expected: 1False
0282Ensure 'Block launching Windows Store apps with Windows RuntimeAPIaccessfromhostedcontent' set to 'Enabled'.CompliantTrue
0283Ensure 'Turn off KMS Client Online AVS Validation' set to 'Enabled'.CompliantTrue
0284Ensure 'Do not display the password reveal button' set to 'Enabled'.CompliantTrue
0285Ensure 'Join Microsoft MAPS' set to 'Disabled'.Registry value not found.False
0286Ensure 'Configure search suggestions in Address bar' set to 'Disabled'.CompliantTrue
0287Ensure 'Configure Windows SmartScreen' set to 'Enabled: Require approval from an administrator before running downloaded unknown software'.Registry value is '1'. Expected: 2False
0288Ensure 'Don't allow SmartScreen Filter warning overrides for unverified files' set to 'Enabled'.CompliantTrue
0289Ensure 'Don't allow SmartScreen Filter warning overrides' set to 'Enabled'.CompliantTrue
0290Ensure 'Prevent managing SmartScreen Filter' set to 'Enabled: On'.Registry value not found.False
0291Ensure 'Prevent managing SmartScreen Filter' set to 'Enabled: On'.CompliantTrue
0292Ensure 'Turn on SmartScreen Filter scan' set to 'Enabled'.CompliantTrue
0293Ensure 'Allow Cortana' set to 'Disabled'.CompliantTrue
0294Ensure 'Allow search and Cortana to use location' set to 'Disabled'.CompliantTrue
0295Ensure 'Disable all apps from Microsoft Store' set to 'Enabled'.Registry value not found.False
0296Ensure 'Disable pre-release features or settings' set to 'Disabled'.Registry value not found.False
0297Ensure 'Turn off access to the Store' set to 'Enabled'.CompliantTrue
0298Ensure 'Turn off Automatic Download and Install of updates' set to 'Enabled'.Registry value is '4'. Expected: 2False
0299Ensure 'Turn off the offer to update to the latest version of Windows' set to 'Enabled'.CompliantTrue
0300Ensure 'Turn off the Store application' set to 'Enabled'.CompliantTrue
0301Ensure 'Allow Basic authentication' set to 'Disabled'.CompliantTrue
0302Ensure 'Allow unencrypted traffic' set to 'Disabled'.CompliantTrue
0304Ensure 'Allow Remote Shell Access' set to 'Disabled'.Registry value is '1'. Expected: 0False
0306Ensure 'Allow users to connect remotely by using Remote Desktop Services' set to 'Disabled'.CompliantTrue
0307Ensure 'Disallow Digest authentication' set to 'Enabled'.CompliantTrue
0308Ensure 'Disallow WinRM from storing RunAs credentials' set to 'Enabled'.CompliantTrue
0309Ensure 'Do not allow COM port redirection' set to 'Enabled'.CompliantTrue
0310Ensure 'Do not allow drive redirection' set to 'Enabled'.CompliantTrue
0311Ensure 'Do not allow LPT port redirection' set to 'Enabled'.CompliantTrue
0312Ensure 'Do not use temporary folders per session' set to 'Disabled'.Registry value not found.False
0313Ensure 'Apply UAC restrictions to local accounts on network logons' set to 'Enabled'.CompliantTrue
0323Ensure 'Allow access to BitLocker-protected fixed data drives from earlier versions of Windows' set to 'Disabled'.Registry value is ''. Expected: False
0324Ensure 'Allow access to BitLocker-protected removable data drives from earlier versions of Windows' set to 'Disabled'.Registry value is ''. Expected: False
0325Ensure 'Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)' set to 'XTS-AES 256-bit'.Registry value not found.False
0328Ensure 'Choose how BitLocker-protected fixed drives can be recovered' set to 'Enabled'.CompliantTrue
0329Ensure 'Choose how BitLocker-protected operating system drives can be recovered' set to 'Enabled'.CompliantTrue
0330Ensure 'Choose how BitLocker-protected removable drives can be recovered' set to 'Enabled'.Registry value not found.False
0331Ensure 'Configure minimum PIN length for startup' set to 'Enabled' and 'minimum characters' set to 10.Registry value not found.False
0332Ensure 'Configure use of hardware-based encryption for fixed data drives' set to 'Enabled'.Registry value is '0'. Expected: 1False
0333Ensure 'Configure use of hardware-based encryption for operating system drives' set to 'Enabled'.Registry value is '0'. Expected: 1False
0334Ensure 'Configure use of hardware-based encryption for removable data drives' set to 'Enabled'.Registry value is '0'. Expected: 1False
0335Ensure 'Configure use of passwords for fixed data drives' set to 'Disabled'.CompliantTrue
0336Ensure 'Configure use of passwords for operating system drives' set to 'Disabled'.CompliantTrue
0337Ensure 'Configure use of passwords for removable data drives' set to 'Disabled'.Registry value not found.False
0338Ensure 'Configure use of smart cards on fixed data drives' set to 'Enabled'.CompliantTrue
0339Ensure 'Configure use of smart cards on removable data drives' set to 'Enabled'.CompliantTrue
0340Ensure 'Deny write access to removable drives not protected by BitLocker' set to 'Enabled'.CompliantTrue
0342Ensure 'Choose how BitLocker-protected fixed drives can be recovered' set to 'Save BitLocker recovery information to AD DS for fixed data drives'.CompliantTrue
0343Ensure 'Choose how BitLocker-protected operating system drives can be recovered' set to 'Save BitLocker recovery information to AD DS for operating system drives'.CompliantTrue
0344Ensure 'Choose how BitLocker-protected removable drives can be recovered' set to 'Save BitLocker recovery information to AD DS for removable data drives'.CompliantTrue
0345Ensure 'Require additional authentication at startup' set to 'Do not allow startup key and PIN with TPM'.Registry value not found.False
0346Ensure 'Choose how BitLocker-protected fixed drives can be recovered' set to 'Allow data recovery agent'.CompliantTrue
0347Ensure 'Choose how BitLocker-protected operating system drives can be recovered' set to 'Allow data recovery agent'.CompliantTrue
0348Ensure 'Choose how BitLocker-protected removable drives can be recovered' set to 'Allow data recovery agent'.CompliantTrue
0349Ensure 'Configure use of hardware-based encryption for fixed data drives' set to 'Use BitLocker software-based encryption when hardware encryption is not available'.CompliantTrue
0350Ensure 'Configure use of hardware-based encryption for operating system drives' set to 'Use BitLocker software-based encryption when hardware encryption is not available'.CompliantTrue
0351Ensure 'Configure use of hardware-based encryption for removable data drives' set to 'Use BitLocker software-based encryption when hardware encryption is not available'.CompliantTrue
0352Ensure 'Configure use of smart cards on fixed data drives' set to 'Require use of smart cards on fixed data drives'.CompliantTrue
0353Ensure 'Configure use of smart cards on removable data drives' set to 'Require use of smart cards on removable data drives'.CompliantTrue
0354Ensure 'Deny write access to removable drives not protected by BitLocker' set to 'Do not allow write access to devices configured in another organization'.Registry value is '0'. Expected: 1False
0355Ensure 'Password Settings' set to 'Large letters + small letters + numbers + specials'.CompliantTrue
0358Ensure 'Require additional authentication at startup' set to 'Allow BitLocker without a compatible TPM'.CompliantTrue
0359Ensure 'Choose how BitLocker-protected operating system drives can be recovered' set to 'Omit recovery options from the BitLocker setup wizard'.CompliantTrue
0360Ensure 'Choose how BitLocker-protected fixed drives can be recovered' set to 'Omit recovery options from the BitLocker setup wizard (Test)'.CompliantTrue
0361Ensure 'Choose how BitLocker-protected removable drives can be recovered' set to 'Omit recovery options from the BitLocker setup wizard (True)'.CompliantTrue
0362Ensure 'Require additional authentication at startup' set to 'Do not allow startup key with TPM'.Registry value not found.False
0363Ensure 'Choose how BitLocker-protected fixed drives can be recovered' set to 'Allow 48-digit recovery password'.CompliantTrue
0364Ensure 'Choose how BitLocker-protected operating system drives can be recovered' set to 'Require 48-digit recovery password '.Registry value is '2'. Expected: 1False
0365Ensure 'Choose how BitLocker-protected removable drives can be recovered' set to 'Do not allow 48-digit recovery password'.Registry value not found.False
0366Ensure 'Configure use of hardware-based encryption for fixed data drives' set to 'Restrict encryption algorithms and cipher suites allowed for hardware-based encryption'.CompliantTrue
0367Ensure 'Configure use of hardware-based encryption for operating system drives' set to 'Restrict encryption algorithms and cipher suites allowed for hardware-based encryption (False)'.CompliantTrue
0368Ensure 'Configure use of hardware-based encryption for removable data drives' set to 'Restrict encryption algorithms and cipher suites allowed for hardware-based encryption (False)'.CompliantTrue
0369Ensure 'Configure use of hardware-based encryption for removable data drives' set to 'Password Length' and set to greater or equal 15.CompliantTrue
0370Ensure 'Prevent installation of devices that match any of these device IDs' set to 'Also apply to matching devices that are already installed. (True) '.Registry value not found.False
0371Ensure 'Prevent installation of devices using drivers that match these device setup classes' set to 'Also apply to matching devices that are already installed. (True) '.CompliantTrue
0372Ensure 'Require additional authentication at startup' set to 'Do not allow TPM'.Registry value not found.False
0373Ensure 'Choose how BitLocker-protected removable drives can be recovered' set to 'Do not enable BitLocker until recovery information is stored to AD DS for removable data drives (False)'.CompliantTrue
0374Ensure 'Choose how BitLocker-protected operating system drives can be recovered' set to 'Do not enable BitLocker until recovery information is stored to AD DS for operating system drives (Enabled)'.CompliantTrue
0375Ensure 'Choose how BitLocker-protected fixed drives can be recovered' set to 'Backup recovery passwords and key packages'.CompliantTrue
0376Ensure 'Choose how BitLocker-protected operating system drives can be recovered' set to 'Store recovery passwords and key packages'.CompliantTrue
0377Ensure 'Choose how BitLocker-protected removable drives can be recovered' set to 'Backup recovery passwords and key packages'.CompliantTrue
0378Ensure 'Choose how BitLocker-protected operating system drives can be recovered' set to 'Do not allow 256-bit recovery key'.CompliantTrue
0380Ensure 'Choose how BitLocker-protected removable drives can be recovered' set to 'Do not allow 256-bit recovery key'.CompliantTrue
0384Ensure 'Password Age' set to less or equal 42.Registry value is '10'. Expected: 42False
0385Ensure 'Require additional authentication at startup' set to 'Require startup PIN with TPM'.Registry value not found.False
0386Ensure 'Turn on PowerShell Transcription' set to 'Disabled'.CompliantTrue
0387Ensure 'Turn on PowerShell Script Block Logging' set to 'Enabled'.CompliantTrue
0388Ensure 'Require secure RPC communication' set to 'Enabled'.CompliantTrue
0389Ensure 'Set client connection encryption level' set to 'Enabled: High Level'.CompliantTrue
0390Ensure 'Set time limit for active but idle Remote Desktop Services sessions' set to 'Enabled: 5 minutes'.Registry value is '900000'. Expected: 300000False
0391Ensure 'Set time limit for disconnected sessions' set to 'Enabled: 1 minute'.CompliantTrue

User Rights Assignment-

IdTaskMessageStatus
0044 Ensure 'SeTrustedCredManAccessPrivilege' is set to 'Enabled'The user 'SeTrustedCredManAccessPrivilege' setting does not contain the following users: NULL SIDFalse
0045 Ensure 'SeNetworkLogonRight' is set to 'Administrator, Users'The user right 'SeNetworkLogonRight' contains following unexpected users: BUILTIN\Backup OperatorsFalse
0046 Ensure 'SeTcbPrivilege' is set to 'None'The user 'SeTcbPrivilege' setting does not contain the following users: NULL SIDFalse
0047 Ensure 'Adjust memory quotas for a process' set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE'CompliantTrue
0048 Ensure 'Allow log on locally' set to 'Administrators, Users'CompliantTrue
0049 Ensure 'SeBackupPrivilege' is set to 'Administrator'CompliantTrue
0050 Ensure 'SeSystemtimePrivilege' is set to 'Administrator, LOCAL SERVICE'CompliantTrue
0051 Ensure 'SeTimeZonePrivilege' is set to 'Administrator, LOCAL SERVICE'The user right 'SeTimeZonePrivilege' contains following unexpected users: BUILTIN\UsersFalse
0052 Ensure 'SeCreatePagefilePrivilege' is set to 'Administrator, LOCAL SERVICE'The user 'SeCreatePagefilePrivilege' setting does not contain the following users: NT AUTHORITY\LOCAL SERVICEFalse
0053 Ensure 'SeCreateTokenPrivilege' is set to 'None'The user 'SeCreateTokenPrivilege' setting does not contain the following users: NULL SIDFalse
0054 Ensure 'SeCreateGlobalPrivilege' is set to 'Administrator, SERVICE, LOCAL SERVICE, NETWORK SERVICE'CompliantTrue
0055 Ensure 'SeCreatePermanentPrivilege' is set to 'None'The user 'SeCreatePermanentPrivilege' setting does not contain the following users: NULL SIDFalse
0056 Ensure 'SeCreateSymbolicLinkPrivilege' is set to 'Administrator'CompliantTrue
0057 Ensure 'SeDebugPrivilege' is set to 'Administrator'The user 'SeDebugPrivilege' setting does not contain the following users: BUILTIN\AdministratorsFalse
0064 Ensure 'SeEnableDelegationPrivilege' is set to 'None'The user 'SeEnableDelegationPrivilege' setting does not contain the following users: NULL SIDFalse
0066 Ensure 'SeRemoteShutdownPrivilege' is set to 'Administrator'CompliantTrue
0067 Ensure 'SeAuditPrivilege' is set to 'LOCAL SERVICE, NETWORK SERVICE'CompliantTrue
0068 Ensure 'SeImpersonatePrivilege' is set to 'Administrator, LOCAL SERVICE, NETWORK SERVICE'The user right 'SeImpersonatePrivilege' contains following unexpected users: NT AUTHORITY\SERVICEFalse
0069 Ensure 'SeIncreaseBasePriorityPrivilege' is set to 'Administrator'The user right 'SeIncreaseBasePriorityPrivilege' contains following unexpected users: Window Manager\Window Manager GroupFalse
0085 Ensure 'SeRelabelPrivilege' is set to 'None'The user 'SeRelabelPrivilege' setting does not contain the following users: NULL SIDFalse
0086 Ensure 'SeSystemEnvironmentPrivilege' is set to 'Administrator'CompliantTrue
0087 Ensure 'SeManageVolumePrivilege' is set to 'Administrator'CompliantTrue
0088 Ensure 'SeProfileSingleProcessPrivilege' is set to 'Administrator'CompliantTrue
0089 Ensure 'SeSystemProfilePrivilege' is set to 'Administrator, NT SERVICE/WdiServiceHost'CompliantTrue
0090 Ensure 'SeRestorePrivilege' is set to 'Administrator'CompliantTrue
0091 Ensure 'SeShutdownPrivilege' is set to 'Administrator, Users'CompliantTrue
0094 Ensure 'SeTakeOwnershipPrivilege' is set to 'Administrator'CompliantTrue
0104 Ensure 'SeDenyNetworkLogonRight' is set to 'Local account, Guest'CompliantTrue
0105 Ensure 'SeDenyBatchLogonRight' is set to 'Guest'CompliantTrue
0106 Ensure 'SeDenyServiceLogonRight' is set to 'Guest'CompliantTrue
0107 Ensure 'SeDenyInteractiveLogonRight' is set to 'Guest'CompliantTrue
0108 Ensure 'SeDenyRemoteInteractiveLogonRight' is set to 'Local account, Guest'CompliantTrue
0180 Ensure 'Load and unload device drivers' is set to 'Administrator'CompliantTrue
0181 Ensure 'Lock pages in memory' is set to 'No one'The user 'SeLockMemoryPrivilege' setting does not contain the following users: NULL SIDFalse
0182 Ensure 'Log on as a batch job' is set to 'Administrator'CompliantTrue
0183 Ensure 'Log on as a service' is set to 'No one'The user right 'SeServiceLogonRight' contains following unexpected users: DESKTOP-UTMU75K\SQLServer2005SQLBrowserUser$DESKTOP-UTMU75K, NT SERVICE\ALL SERVICES, NT SERVICE\SQLTELEMETRY, NT SERVICE\SQLSERVERAGENT, NT SERVICE\MSSQLSERVER, NT VIRTUAL MACHINE\Virtual Machines The user 'SeServiceLogonRight' setting does not contain the following users: NULL SIDFalse
0184 Ensure 'Manage auditing and security log' is set to 'Administrator'CompliantTrue
0219 Ensure 'Replace a process level token' is set to 'Local Service, Network Service'CompliantTrue
0303 Ensure 'Allow log on through Remote Desktop Services' is set to 'Remote Desktop User'The user right 'SeRemoteInteractiveLogonRight' contains following unexpected users: BUILTIN\AdministratorsFalse

Account Policies-

IdTaskMessageStatus
0001 Ensure 'Maximum password age' is set to between 1 and 42'MaximumPasswordAge' currently set to: 120. Expected: x <= 42 and x >= 1False
0002 Ensure 'Password must meet complexity requirements' is set to 'Enabled'CompliantTrue
0100 Ensure 'Reset account lockout counter after' is set greater or equal 15CompliantTrue
0102 Ensure 'Account lockout duration' is set to '15 or more minute(s)'CompliantTrue
0103Ensure 'Account lockout threshold' is set greater or equal 1 and less or equal 10CompliantTrue
0162 Ensure 'Enforce password history' is set greater or equal 24CompliantTrue
0186 Ensure 'Minimum password age' is set to greater or equal 1CompliantTrue
0187 Ensure 'Minimum password length' is set to greater or equal 14CompliantTrue

Advanced Audit Policy Configuration-

IdTaskMessageStatus
0008 Ensure 'Audit Application Group Management' is set to 'Success and Failure'CompliantTrue
0011 Ensure 'Audit Other Account Management Events' is set to 'Success and Failure'Set to: No AuditingFalse
0012 Ensure 'Audit Security Group Management' is set to 'SuccessAndFailure'Set to: SuccessFalse
0013 Ensure 'Audit account management' is set to 'SuccessAndFailure'CompliantTrue
0014 Ensure 'Advanced security audit policy settings' is set to 'SuccessAndNotFailure'Set to: SuccessFalse
0015 Ensure 'Audit Process Creation' is set to 'SuccessAndNotFailure'Set to: SuccessFalse
0016 Ensure 'Audit Other Logon/Logoff Events' is set to 'SuccessAndFailure'CompliantTrue
0017 Ensure 'Audit Account Lockout' is set to 'SuccessAndNotFailure'Set to: FailureFalse
0018 Ensure 'How to track users logon/logoff' is set to 'SuccessAndNotFailure'CompliantTrue
0019 Ensure 'Audit Policy: Logon-Logoff: Logon' is set to 'SuccessAndFailure'CompliantTrue
0020 Ensure 'Audit Policy: Logon-Logoff: Special Logon' is set to 'Enabled'CompliantTrue
0021 Ensure 'Audit Policy: Object Access:Removable Storage' is set to 'SuccessAndFailure'CompliantTrue
0022 Ensure 'Audit Policy: Policy Change: Audit Policy Change' is set to 'SuccessAndFailure'Set to: SuccessFalse
0023 Ensure 'Audit Policy: Policy Change: Authentication Policy Change' is set to 'SuccessAndFailure'Set to: SuccessFalse
0025 Ensure 'Audit Policy: System: IPsecDriver' is set to 'SuccessAndFailure'CompliantTrue
0026 Ensure 'Audit Policy: System: OtherSystem Events' is set to 'SuccessAndFailure'CompliantTrue
0027 Ensure 'Audit Policy: System: Security State Change' is set to 'SuccessAndFailure'Set to: SuccessFalse
0028 Ensure 'Audit Policy: System: Security System Extension' is set to 'SuccessAndFailure'Set to: SuccessFalse
0029 Ensure 'Audit Policy: System: System Integrity' is set to 'SuccessAndFailure'CompliantTrue

Benchmark Compliance

Generated by the ATAPAuditor Module Version 5.2 by FB Pro GmbH. Get it in the Audit Test Automation Package.

Does your system show low benchmark compliance? Check out our hardening solutions.

Based on:

  • CIS Microsoft Windows 10 Enterprise Release 21H1 Benchmark, Version: 1.12.0, Date: 2022-02-15
  • DISA Windows 10 Security Technical Implementation Guide, Version: V1R16, Date: 2019-10-25
  • CYBERGOVAU Hardening Microsoft Windows 10 version 21H1 Workstations, Version: 10.2020, Date 2020-10-01
  • Microsoft Security baseline (FINAL) for Windows 10, Version: 21H1, Date: 2021-05-18
  • BSI SiM-08202 Client unter Windows 10, Version: 1, Date: 2017-09-13
  • Configuration Recommendations for Hardening of Windows 10 Using Built-in Functionalities: Version 1.3, Date: 2021-05-03

This report was generated on 12/07/2022 10:37:18 on DESKTOP-UTMU75K.fb-pro.com with ATAPHtmlReport version 1.8.

Current Risk Score on tested System:

For further information, please head to the tab "Risk Score".

Severity

Quantity

Critical
High
Medium
Low
Critical
High
Medium
Low

A total of 2682 tests have been executed.

  1. True 2157 test(s) ≙ 80.43%
  2. False 521 test(s) ≙ 19.43%
  3. Warning 0 test(s) ≙ 0.00%
  4. None 4 test(s) ≙ 0.15%
  5. Error 0 test(s) ≙ 0.00%

CIS Benchmarks

A total of 512 tests have been executed in section CIS Benchmarks.

  1. True 478 test(s) ≙ 93.36%
  2. False 33 test(s) ≙ 6.45%
  3. Warning 0 test(s) ≙ 0.00%
  4. None 1 test(s) ≙ 0.20%
  5. Error 0 test(s) ≙ 0.00%

DISA Recommendations

A total of 161 tests have been executed in section DISA Recommendations.

  1. True 133 test(s) ≙ 82.61%
  2. False 25 test(s) ≙ 15.53%
  3. Warning 0 test(s) ≙ 0.00%
  4. None 3 test(s) ≙ 1.86%
  5. Error 0 test(s) ≙ 0.00%

CyberGovAu Benchmarks

A total of 381 tests have been executed in section CyberGovAu Benchmarks.

  1. True 196 test(s) ≙ 51.44%
  2. False 185 test(s) ≙ 48.56%
  3. Warning 0 test(s) ≙ 0.00%
  4. None 0 test(s) ≙ 0.00%
  5. Error 0 test(s) ≙ 0.00%

Microsoft Benchmarks

A total of 357 tests have been executed in section Microsoft Benchmarks.

  1. True 306 test(s) ≙ 85.71%
  2. False 51 test(s) ≙ 14.29%
  3. Warning 0 test(s) ≙ 0.00%
  4. None 0 test(s) ≙ 0.00%
  5. Error 0 test(s) ≙ 0.00%

BSI Benchmarks SiSyPHuS Logging

A total of 51 tests have been executed in section BSI Benchmarks SiSyPHuS Logging.

  1. True 48 test(s) ≙ 94.12%
  2. False 3 test(s) ≙ 5.88%
  3. Warning 0 test(s) ≙ 0.00%
  4. None 0 test(s) ≙ 0.00%
  5. Error 0 test(s) ≙ 0.00%

BSI Benchmarks SiSyPHuS HD

A total of 384 tests have been executed in section BSI Benchmarks SiSyPHuS HD.

  1. True 327 test(s) ≙ 85.16%
  2. False 57 test(s) ≙ 14.84%
  3. Warning 0 test(s) ≙ 0.00%
  4. None 0 test(s) ≙ 0.00%
  5. Error 0 test(s) ≙ 0.00%

BSI Benchmarks SiSyPHuS ND

A total of 292 tests have been executed in section BSI Benchmarks SiSyPHuS ND.

  1. True 252 test(s) ≙ 86.30%
  2. False 40 test(s) ≙ 13.70%
  3. Warning 0 test(s) ≙ 0.00%
  4. None 0 test(s) ≙ 0.00%
  5. Error 0 test(s) ≙ 0.00%

BSI Benchmarks SiSyPHuS NE

A total of 262 tests have been executed in section BSI Benchmarks SiSyPHuS NE.

  1. True 223 test(s) ≙ 85.11%
  2. False 39 test(s) ≙ 14.89%
  3. Warning 0 test(s) ≙ 0.00%
  4. None 0 test(s) ≙ 0.00%
  5. Error 0 test(s) ≙ 0.00%

BSI Benchmarks SiSyPHus-BSI

A total of 7 tests have been executed in section BSI Benchmarks SiSyPHus-BSI.

  1. True 5 test(s) ≙ 71.43%
  2. False 2 test(s) ≙ 28.57%
  3. Warning 0 test(s) ≙ 0.00%
  4. None 0 test(s) ≙ 0.00%
  5. Error 0 test(s) ≙ 0.00%

BSI Benchmarks SiSyPHus-BSI Bundespolizei

A total of 275 tests have been executed in section BSI Benchmarks SiSyPHus-BSI Bundespolizei.

  1. True 189 test(s) ≙ 68.73%
  2. False 86 test(s) ≙ 31.27%
  3. Warning 0 test(s) ≙ 0.00%
  4. None 0 test(s) ≙ 0.00%
  5. Error 0 test(s) ≙ 0.00%

Security Base Data

System information

HostnameDESKTOP-UTMU75K.fb-pro.com
Domain roleMember Workstation
Operating SystemMicrosoft Windows 10 Pro
Build NumberVersion 21H2 (Build 19044.2251)
Installation LanguageEnglish (United States)
System Uptime0:02:03:14
Free disk space40.4 GB
Free physical memory24.8% (5.1 GB / 20.7 GB)

Table Of Contents

Click the link(s) below for quick access to a report section.

Security Base Data Details

Security Base Data-

Platform Security-

IdTaskMessageStatus
SBD-001Ensure the system is booting in 'UEFI' mode.CompliantTrue
SBD-002Ensure the system is using SecureBoot.CompliantTrue
SBD-003Ensure the TPM Chip is 'present'.CompliantTrue
SBD-004Ensure the TPM Chip is 'ready'.CompliantTrue
SBD-005Ensure the TPM Chip is 'enabled'.CompliantTrue
SBD-006Ensure the TPM Chip is 'activated'.CompliantTrue
SBD-007Ensure the TPM Chip is 'owned'.CompliantTrue
SBD-008Ensure the TPM Chip is implementing specification version 2.0 or higher.CompliantTrue

Windows Base Security-

IdTaskMessageStatus
SBD-009Get amount of active local users on system.CompliantTrue
SBD-010Get amount of users and groups in administrators group on system.Amount of entries: 2; True
SBD-011Ensure the status of the Bitlocker service is 'Running'.CompliantTrue
SBD-012Ensure that Bitlocker is activated on all volumes.Bitlocker is not activated on all volumes.False
SBD-013Ensure the status of the Windows Defender service is 'Running'.CompliantTrue
SBD-014Ensure Windows Defender Application Guard is enabled.Windows Defender Application Guard is not enabled.False
SBD-015Ensure the Windows Firewall is enabled on all profiles.CompliantTrue
SBD-016Check if the last successful search for updates was in the past 24 hours.CompliantTrue
SBD-017Check if the last successful installation of updates was in the past 5 days.CompliantTrue
SBD-018Ensure Virtualization Based Security is enabled and running.CompliantTrue
SBD-019Ensure Hypervisor-protected Code Integrity (HVCI) is running.CompliantTrue
SBD-020Ensure Credential Guard is running.CompliantTrue
SBD-021Ensure Attack Surface Reduction (ASR) rules are enabled.Compliant (12 rules enabled). For more information on ASR rules, check corresponding benchmarks.True

PowerShell Security-

IdTaskMessageStatus
SBD-022Ensure PowerShell Version is set to version 5 or higher.CompliantTrue
SBD-023Ensure PowerShell Version 2 is uninstalled.PowerShell Version 2 is supported.False
SBD-024Ensure PowerShell is set to configured to use Constrained Language.Language Mode is not set to 'Constrained Language'. Current configuration: FullLanguageFalse
SBD-025Ensure Execution policy is set to set to AllSigned / RemoteSigned.CompliantTrue
SBD-026Ensure PowerShell Commandline Audting is set to 'Enabled'.CompliantTrue
SBD-027Ensure PowerShell Module Logging is set to 'Enabled'.PowerShell Module Logging is not set to 'Enabled'.False
SBD-028Ensure PowerShell ScriptBlockLogging is set to 'Enabled'.CompliantTrue
SBD-029Ensure PowerShell ScriptBlockInvocationLogging is set to 'Enabled'.PowerShell ScriptBlockInvocationLogging is not set to 'Enabled'.False
SBD-030Ensure PowerShell Transcripting is set to 'Enabled'.PowerShell Transcripting is not set to 'Enabled'.False
SBD-031Ensure PowerShell InvocationHeader is set to 'Enabled'.PowerShell InvocationHeader is not set to 'Enabled'.False
SBD-032Ensure PowerShell ProtectedEventLogging is set to set to 'Enabled'.PowerShell ProtectedEventLogging is not set to 'Enabled'.False
SBD-033Ensure .NET Framework version supports PowerShell Version 2 is uninstalled.CompliantTrue

Connectivity Security-

IdTaskMessageStatus
SBD-034Ensure system is configured to deny remote access via Terminal Services.CompliantTrue
SBD-035Ensure system is configured to prevent RDP service.CompliantTrue
SBD-036Ensure NTLM Session Server Security settings are configured.CompliantTrue
SBD-037Ensure WinFW Service is running.CompliantTrue
SBD-038Ensure NetBios is set to 'Disabled'.NetBios is 'Enabled'.False
SBD-039Ensure SMBv1 is set to 'Disabled'.CompliantTrue

Application Control-

IdTaskMessageStatus
SBD-040Ensure Windows Defender Application Control (WDAC) is available.Only supported on Windows 10 Enterprise.None
SBD-041Ensure Windows Defender Application ID Service is running.AppLocker is not running. Currently: StoppedFalse

Risk Score

To get a quick overview of how risky the tested system is, the Risk Score is used. This is made up of the areas "Severity" and "Quantity". The higher risk is used as the overall risk.

Current Risk Score on tested System:

Severity

Quantity

Critical
High
Medium
Low
Critical
High
Medium
Low

Risk Score Calculation

The calculation of the Risk Score is based on the set of compliant rules at the quantity level and also at the severity level.

Compliance to Benchmarks (Quantity)Risk Assessment
More than 80%Low
Between 65% and 80%Medium
Between 50% and 65%High
Less than 50%Critical
Compliance to Benchmarks (Severity)Risk Assessment
All critical settings compliantLow
1 or more incompliant setting(s)Critical

Table Of Severity Rules

-
IdTaskStatusSeverity
1.1.7(L1) Ensure 'Store passwords using reversible encryption' is set to 'Disabled'True

Critical

2.2.38(L1) Ensure 'Manage auditing and security log' is set to 'Administrators' (MS only)None

Critical

2.3.5.2(L1) Ensure 'Domain controller: LDAP server signing requirements' is set to 'Require signing' (DC only)None

Critical

2.3.11.4(L1) Ensure 'Network security: Configure encryption types allowed for Kerberos' is set to 'AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types'True

Critical

2.3.11.5(L1) Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled'True

Critical

7.9 A(L1) Ensure RC4 Cipher Suites is Disabled (RC4 40/128)True

Critical

7.9 B(L1) Ensure RC4 Cipher Suites is Disabled (RC4 56/128)True

Critical

7.9 C(L1) Ensure RC4 Cipher Suites is Disabled (RC4 64/128)True

Critical

7.9 D(L1) Ensure RC4 Cipher Suites is Disabled (RC4 128/128)True

Critical

9.1.7(L1) Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes'True

Critical

9.1.8(L1) Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes'True

Critical

18.3.3(L1) Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver'True

Critical

18.3.3(L1) Ensure 'Configure SMB v1 server' is set to 'Disabled'True

Critical

18.3.6(L1) Ensure 'WDigest Authentication' is set to 'Disabled'True

Critical

18.6.2(L1) Ensure 'Point and Print Restrictions: When installing drivers for a new connection' is set to 'Enabled: Show warning and elevation prompt'True

Critical

18.6.3(L1) Ensure 'Point and Print Restrictions: When updating drivers for an existing connection' is set to 'Enabled: Show warning and elevation prompt'True

Critical

18.9.47.9.2(L1) Ensure 'Turn off real-time protection' is set to 'Disabled'True

Critical

18.9.47.5.1.2 A(L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office communication application from creating child processes)True

Critical

18.9.47.5.1.2 B(L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from creating executable content)True

Critical

18.9.47.5.1.2 C(L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block execution of potentially obfuscated scripts)True

Critical

18.9.47.5.1.2 D(L1) Ensure 'Configure Attack Surface Reduction rules: Block Office applications from injecting code into other processes' is configuredTrue

Critical

18.9.47.5.1.2 E(L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Adobe Reader from creating child processes)True

Critical

18.9.47.5.1.2 F(L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Win32 API calls from Office macro)True

Critical

18.9.47.5.1.2 G(L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block credential stealing from the Windows local security authority subsystem (lsass.exe))True

Critical

18.9.47.5.1.2 H(L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block untrusted and unsigned processes that run from USB)True

Critical

18.9.47.5.1.2 I(L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block executable content from email client and webmail)True

Critical

18.9.47.5.1.2 J(L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block JavaScript or VBScript from launching downloaded executable content)True

Critical

18.9.47.5.1.2 K(L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from creating child processes)True

Critical

18.9.47.5.1.2 L(L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block persistence through WMI event subscription)True

Critical

18.9.58.3.10.1(L2) Ensure 'Set time limit for active but idle Remote Desktop Services sessions' is set to 'Enabled: 15 minutes or less'True

Critical

18.9.58.3.10.2(L2) Ensure 'Set time limit for disconnected sessions' is set to 'Enabled: 1 minute'True

Critical

About us

What makes FB Pro GmbH different

What do we want?

Protect our customers' data and information - and thus implicitly contribute to the safe use of the Internet.

How do we achieve this?

We implement in-depth IT security for our customers. And we always do so in a state-of-the-art, efficient and automated manner.

Check out our hardening solution

Check out our Audit Report Tool here