This report was generated on 01/17/2022 14:01:24 on DESKTOP-UTMU75K.fb-pro.com with TAPHtmlReport version 1.8.
| Hostname | DESKTOP-UTMU75K.fb-pro.com |
|---|---|
| Build Number | 19043 |
| Free disk space(GB) | 100.1 |
| Free physical memory (GB) | 4.972 |
| Operating System | Microsoft Windows 10 Pro |
| Installation Language | English (United States) |
Summary
A total of 1250 tests have been executed.
- True 994 test(s) ≙ 79.52%
- False 256 test(s) ≙ 20.48%
- Warning 0 test(s) ≙ 0.00%
- None 0 test(s) ≙ 0.00%
- Error 0 test(s) ≙ 0.00%
BSI Benchmarks SiSyPHuS Logging
A total of 51 tests have been executed in section BSI Benchmarks SiSyPHuS Logging.
- True 51 test(s) ≙ 100.00%
- False 0 test(s) ≙ 0.00%
- Warning 0 test(s) ≙ 0.00%
- None 0 test(s) ≙ 0.00%
- Error 0 test(s) ≙ 0.00%
BSI Benchmarks SiSyPHuS HD
A total of 379 tests have been executed in section BSI Benchmarks SiSyPHuS HD.
- True 313 test(s) ≙ 82.59%
- False 66 test(s) ≙ 17.41%
- Warning 0 test(s) ≙ 0.00%
- None 0 test(s) ≙ 0.00%
- Error 0 test(s) ≙ 0.00%
BSI Benchmarks SiSyPHuS ND
A total of 287 tests have been executed in section BSI Benchmarks SiSyPHuS ND.
- True 240 test(s) ≙ 83.62%
- False 47 test(s) ≙ 16.38%
- Warning 0 test(s) ≙ 0.00%
- None 0 test(s) ≙ 0.00%
- Error 0 test(s) ≙ 0.00%
BSI Benchmarks SiSyPHuS NE
A total of 258 tests have been executed in section BSI Benchmarks SiSyPHuS NE.
- True 212 test(s) ≙ 82.17%
- False 46 test(s) ≙ 17.83%
- Warning 0 test(s) ≙ 0.00%
- None 0 test(s) ≙ 0.00%
- Error 0 test(s) ≙ 0.00%
BSI Benchmarks SiM-08202 - BPOL
A total of 275 tests have been executed in section BSI Benchmarks SiM-08202 - BPOL.
- True 178 test(s) ≙ 64.73%
- False 97 test(s) ≙ 35.27%
- Warning 0 test(s) ≙ 0.00%
- None 0 test(s) ≙ 0.00%
- Error 0 test(s) ≙ 0.00%
BSI Benchmarks SiSyPHuS Logging
This section contains the BSI Benchmark results.
Registry Settings/Group Policies
| Id | Task | Message | Status |
|---|---|---|---|
| 4.1.1 | Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled' | Compliant | True |
| 4.1.2 | Ensure 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' is set to 'Enabled' | Compliant | True |
| 4.2.1.1 | Ensure 'Windows Firewall: Domain: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\domainfw.log' | Compliant | True |
| 4.2.1.2 | Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16,384 KB or greater' | Compliant | True |
| 4.2.1.3 | Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes' | Compliant | True |
| 4.2.1.4 | Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes' | Compliant | True |
| 4.2.2.1 | Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\privatefw.log' | Compliant | True |
| 4.2.2.2 | Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16,384 KB or greater' | Compliant | True |
| 4.2.2.3 | Ensure 'Windows Firewall: Private: Logging: Log dropped packets' is set to 'Yes' | Compliant | True |
| 4.2.2.4 | Ensure 'Windows Firewall: Private: Logging: Log successful connections' is set to 'Yes' | Compliant | True |
| 4.2.3.1 | Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No' | Compliant | True |
| 4.2.3.2 | Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No' | Compliant | True |
| 4.2.3.3 | Ensure 'Windows Firewall: Public: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\publicfw.log' | Compliant | True |
| 4.2.3.4 | Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16,384 KB or greater' | Compliant | True |
| 4.3.1.1 | Ensure 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' is set to 'Enabled: 90% or less' | Compliant | True |
| 4.3.2.1.1 | Ensure 'Application: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater' | Compliant | True |
| 4.3.2.1.2 | Ensure 'Application: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' | Compliant | True |
| 4.3.2.2.1 | Ensure 'Setup: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater' | Compliant | True |
| 4.3.2.2.2 | Ensure 'Setup: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' | Compliant | True |
| 4.3.2.3.1 | Ensure 'Security: Specify the maximum log file size (KB)' is set to 'Enabled: 196,608 or greater' | Compliant | True |
| 4.3.2.3.2 | Ensure 'Security: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' | Compliant | True |
| 4.3.2.4.1 | Ensure 'System: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater' | Compliant | True |
| 4.3.2.4.2 | Ensure 'System: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' | Compliant | True |
| 4.3.3.1 | Ensure 'Include command line in process creation events' is set to 'Disabled' | Compliant | True |
| 4.3.4.2 | Ensure 'Turn on PowerShell Script Block Logging' is set to 'Disabled' | Compliant | True |
| 4.3.4.3 | Ensure 'Turn on PowerShell Transcription' is set to 'Disabled' | Compliant | True |
Advanced Audit Policy Configuration
| Id | Task | Message | Status |
|---|---|---|---|
| 5.1.1.1 | Ensure 'Audit Credential Validation' is set to 'Success and Failure' | Compliant | True |
| 5.1.1.2 | Ensure 'Audit User Account Management' is set to 'Success and Failure' | Compliant | True |
| 5.1.1.3 | Ensure 'Audit Account Lockout' is set to include 'Failure' | Compliant | True |
| 5.1.1.4 | Ensure 'Audit Group Membership' is set to include 'Success' | Compliant | True |
| 5.1.1.5 | Ensure 'Audit Logoff' is set to include 'Success' | Compliant | True |
| 5.1.1.6 | Ensure 'Audit Logon' is set to 'Success and Failure' | Compliant | True |
| 5.1.1.7 | Ensure 'Audit Other Logon/Logoff Events' is set to 'Success and Failure' | Compliant | True |
| 5.1.1.8 | Ensure 'Audit Special Logon' is set to include 'Success' | Compliant | True |
| 5.2.1.1 | Ensure 'Audit Other System Events' is set to 'Success and Failure' | Compliant | True |
| 5.2.1.2 | Ensure 'Audit Security State Change' is set to include 'Success' | Compliant | True |
| 5.2.1.3 | Ensure 'Audit Security System Extension' is set to include 'Success' | Compliant | True |
| 5.2.1.4 | Ensure 'Audit System Integrity' is set to 'Success and Failure' | Compliant | True |
| 5.2.1.5 | Ensure 'Audit File Share' is set to 'Success and Failure' | Compliant | True |
| 5.2.1.6 | Ensure 'Audit Detailed File Share' is set to include 'Failure' | Compliant | True |
| 5.2.1.7 | Ensure 'Audit Other Object Access Events' is set to 'Success and Failure' | Compliant | True |
| 5.2.1.8 | Ensure 'Audit Removable Storage' is set to 'Success and Failure' | Compliant | True |
| 5.2.1.9 | Ensure 'Audit PNP Activity' is set to include 'Success' | Compliant | True |
| 5.3.1.1 | Ensure 'Audit Security Group Management' is set to include 'Success' | Compliant | True |
| 5.3.1.2 | Ensure 'Audit Audit Policy Change' is set to include 'Success' | Compliant | True |
| 5.3.1.3 | Ensure 'Audit Authentication Policy Change' is set to include 'Success' | Compliant | True |
| 5.3.1.4 | Ensure 'Audit Authorization Policy Change' is set to include 'Success' | Compliant | True |
| 5.3.1.5 | Ensure 'Audit MPSSVC Rule-Level Policy Change' is set to 'Success and Failure' | Compliant | True |
| 5.3.1.6 | Ensure 'Audit Other Policy Change Events' is set to include 'Failure' | Compliant | True |
| 5.5.1.1 | Ensure 'Audit Process Creation' is set to include 'Success' | Compliant | True |
| 5.5.1.2 | Ensure 'Audit Sensitive Privilege Use' is set to 'Success and Failure' | Compliant | True |
BSI Benchmarks SiSyPHuS HD
This section contains the BSI Benchmark results.
Registry Settings/Group Policies
| Id | Task | Message | Status |
|---|---|---|---|
| 1 | (ND, NE) Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled'. | Compliant | True |
| 2 | (ND, NE) Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver'. | Compliant | True |
| 3 | (ND, NE) Ensure 'Configure SMB v1 server' is set to 'Disabled'. | Compliant | True |
| 4 | (ND, NE) Ensure 'Enable Structured Exception Handling Overwrite Protection (SEHOP)' is set to 'Enabled'. | Compliant | True |
| 5 | (ND, NE) Ensure 'WDigest Authentication' is set to 'Disabled'. | Compliant | True |
| 7 | (ND, NE) Ensure 'MSS: (EnableDeadGWDetect) Allow automatic detection of dead network gateways (could lead to DoS)' is set to 'Disabled'. | Registry value not found. | False |
| 8 | (ND, NE) Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled'. | Compliant | True |
| 9 | (ND, NE) Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'. | Compliant | True |
| 10 | (ND, NE) Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'. | Compliant | True |
| 11 | (HD) Ensure 'MSS: (DisableSavePassword) Prevent the dial-up password from being saved' is set to 'Enabled'. | Compliant | True |
| 12 | (ND, NE) Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled'. | Compliant | True |
| 13 | (HD) Ensure 'MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds' is set to 'Enabled: 300,000 or 5 minutes (recommended)'. | Compliant | True |
| 14 | (ND, NE) Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled'. | Compliant | True |
| 15 | (HD) Ensure 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)' is set to 'Disabled'. | Compliant | True |
| 16 | (ND, NE) Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' is set to 'Enabled'. | Compliant | True |
| 17 | (ND, NE) Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' is set to 'Enabled: 5 or fewer seconds'. | Compliant | True |
| 18 | (HD) Ensure 'MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'. | Compliant | True |
| 19 | (HD) Ensure 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'. | Compliant | True |
| 20 | (ND, NE) Ensure 'Turn off multicast name resolution' is set to 'Enabled'. | Compliant | True |
| 21 | (ND, NE) Ensure 'NetBIOS node type' is set to 'P-node'. | Compliant | True |
| 22 | (ND, NE) Ensure 'Enable insecure guest logons' is set to 'Disabled'. | Compliant | True |
| 23 | (HD) Ensure 'Turn off Microsoft Peer-to-Peer Networking Services' is set to 'Enabled'. | Compliant | True |
| 24_1 | (ND, NE) Ensure 'Hardened UNC Paths' is set to "Require Mutual Authentication=1", "Require Integrity=1" for the value names "\\*\NETLOGON" and "\\*\SYSVOL". | Compliant | True |
| 24_2 | (ND, NE) Ensure 'Hardened UNC Paths' is set to "Require Mutual Authentication=1", "Require Integrity=1" for the value names "\\*\NETLOGON" and "\\*\SYSVOL". | Compliant | True |
| 25 | (ND) Ensure 'Require domain users to elevate when setting a network's location' is set to 'Enabled'. | Compliant | True |
| 26 | (ND) Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled'. | Compliant | True |
| 27 | (ND) Ensure 'Prohibit use of Internet Connection Sharing on your DNS domain network' is set to 'Enabled'. | Compliant | True |
| 28 | (HD) Ensure 'Enable Font Providers' is set to 'Disabled'. | Compliant | True |
| 29 | (HD) Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled'. | Compliant | True |
| 30 | (HD) Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled'. | Compliant | True |
| 31 | (HD) Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled'. | Compliant | True |
| 32 | (HD) Ensure 'Prohibit access of the Windows Connect Now wizards' is set to 'Enabled'. | Compliant | True |
| 33 | (ND, NE) Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to the value 'Enabled: 1 = Minimize the number of simultaneous connections'. | Registry value not found. | False |
| 34 | (ND) Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled'. | Compliant | True |
| 35 | (ND, NE) Ensure 'Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services' is set to 'Disabled'. | Compliant | True |
| 36 | (HD) Ensure 'Turn off notifications network usage' is set to 'Enabled'. | Compliant | True |
| 37 | (ND, NE) Ensure 'Turn off toast notifications on the lock screen' is set to 'Enabled'. | Registry value not found. | False |
| 38 | (HD) Ensure 'Turn off Help Experience Improvement Program' is set to 'Enabled'. | Registry key not found. | False |
| 39 | (ND, NE) Ensure 'Turn off picture password sign-in' is set to 'Enabled'. | Compliant | True |
| 40 | (ND, NE) Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled'. | Compliant | True |
| 41 | (ND, NE) Ensure 'Block user from showing account details on signin' is set to 'Enabled'. | Compliant | True |
| 42 | (ND) Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled'. | Compliant | True |
| 43 | (ND) Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled'. | Compliant | True |
| 44 | (ND, NE) Ensure 'Do not display network selection UI' is set to 'Enabled'. | Compliant | True |
| 45 | (ND) Ensure 'Do not enumerate connected users on domain-joined computers' is set to 'Enabled'. | Compliant | True |
| 46 | (ND, NE) Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical'. | Compliant | True |
| 47 | (HD) Ensure 'Turn off the advertising ID' is set to 'Enabled'. | Compliant | True |
| 48 | (HD) Ensure 'Allow upload of User Activities' is set to 'Disabled'. | Compliant | True |
| 49 | (HD) Ensure 'Allow Clipboard synchronization across devices' is set to 'Disabled'. | Compliant | True |
| 50 | (ND, NE) Ensure 'Encryption Oracle Remediation' is set to 'Enabled: Force Updated Clients'. | Compliant | True |
| 51 | (ND) Ensure 'Remote host allows delegation of non-exportable credentials' is set to 'Enabled'. | Compliant | True |
| 52 | (ND, NE) Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled'. | Compliant | True |
| 53 | (ND, NE) Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled'. | Compliant | True |
| 54 | (ND, NE) Ensure 'Allow network connectivity during connected-standby (on battery)' is set to 'Disabled'. | Compliant | True |
| 55 | (ND, NE) Ensure 'Allow network connectivity during connected-standby (plugged in)' is set to 'Disabled'. | Compliant | True |
| 56 | (ND, NE) Ensure 'Allow standby states (S1-S3) when sleeping (on battery)' is set to 'Disabled'. | Compliant | True |
| 57 | (ND, NE) Ensure 'Allow standby states (S1-S3) when sleeping (plugged in)' is set to 'Disabled'. | Compliant | True |
| 58 | (HD) Ensure 'Disallow copying of user input methods to the system account for sign-in' is set to 'Enabled'. | Compliant | True |
| 59 | (ND, NE) Ensure 'Prevent installation of devices that match any of these device IDs' is configured. | Registry value not found. | False |
| 60 | (ND, NE) Ensure 'Prevent installation of devices using drivers that match these device setup classes' is configured. | Compliant | True |
| 61 | (ND, NE) Ensure 'Continue experiences on this device' is set to 'Disabled'. | Compliant | True |
| 62 | (ND) Ensure 'Turn off background refresh of Group Policy' is set to 'Disabled'. | Compliant | True |
| 63 | (ND) Ensure 'Configure registry policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE'. | Compliant | True |
| 64 | (ND) Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE'. | Compliant | True |
| 65 | (ND) Ensure 'Configure security policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled'. | Registry key not found. | False |
| 66 | (HD) Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled'. | Compliant | True |
| 67 | (HD) Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled'. | Compliant | True |
| 68 | (ND, NE) Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'. | Compliant | True |
| 69 | (HD) Ensure 'Turn off printing over HTTP' is set to 'Enabled'. | Compliant | True |
| 70 | (HD) Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'. | Registry key not found. | False |
| 71 | (HD) Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled'. | Compliant | True |
| 72 | (HD) Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'. | Compliant | True |
| 73 | (HD) Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'. | Compliant | True |
| 74 | (ND, NE) Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'. | Compliant | True |
| 75 | (HD) Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'. | Compliant | True |
| 76 | (HD) Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'. | Compliant | True |
| 77 | (HD) Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'. | Compliant | True |
| 78 | (HD) Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'. | Compliant | True |
| 79 | (HD) Ensure 'Turn off access to the Store' is set to 'Enabled'. | Compliant | True |
| 80 | (HD) Ensure 'Support device authentication using certificate' is set to 'Enabled: Automatic'. | Compliant | True |
| 81 | (ND, NE) Ensure 'Enumeration policy for external devices incompatible with Kernel DMA Protection' is set to 'Enabled: Block All'. | Compliant | True |
| 82 | (HD) Ensure 'Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider' is set to 'Disabled'. | Compliant | True |
| 83 | (HD) Ensure 'Enable/Disable PerfTrack' is set to 'Disabled'. | Compliant | True |
| 84 | (ND, NE) Ensure 'Restrict Unauthenticated RPC clients' is set to 'Enabled: Authenticated'. | Compliant | True |
| 85 | (ND, NE) Ensure 'Enable RPC Endpoint Mapper Client Authentication' is set to 'Enabled'. | Compliant | True |
| 86 | (ND, NE) Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled'. | Compliant | True |
| 87 | (ND, NE) Ensure 'Configure Offer Remote Assistance' is set to 'Disabled'. | Compliant | True |
| 88 | (ND, NE) Ensure 'Ignore the default list of blocked TPM commands' is set to 'Disabled'. | Registry key not found. | False |
| 89 | (ND, NE) Ensure 'Standard User Lockout Duration' is set to '30 minutes'. | Registry value not found. | False |
| 90 | (ND, NE) Ensure 'Standard User Total Lockout Threshold' is set to '5'. | Registry value not found. | False |
| 91 | (HD) Ensure 'Enable Windows NTP Client' is set to 'Enabled'. | Registry key not found. | False |
| 92 | (HD) Ensure 'Enable Windows NTP Server' is set to 'Disabled'. | Registry key not found. | False |
| 93 | (HD) Ensure 'Allow Online Tips' is set to 'Disabled'. | Compliant | True |
| 94 | (ND, NE) Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled'. | Compliant | True |
| 95 | (ND, NE) Ensure 'Prevent enabling lock screen camera' is set to 'Enabled'. | Compliant | True |
| 96 | (ND, NE) Ensure 'Force specific screen saver: Screen saver executable name' is set to 'Enabled: scrnsave.scr'. | Registry key not found. | False |
| 97 | (ND, NE) Ensure 'Enable screen saver' is set to 'Enabled'. | Registry key not found. | False |
| 98 | (ND, NE) Ensure 'Password protect the screen saver' is set to 'Enabled'. | Registry key not found. | False |
| 99 | (ND, NE) Ensure 'Screen saver timeout' is set to 'Enabled: 900 seconds or fewer, but not 0'. | Registry key not found. | False |
| 100_1 | (ND, NE) Ensure 'Turn off automatic learning' is set to 'Enabled'. | Registry value not found. | False |
| 100_2 | (ND, NE) Ensure 'Turn off automatic learning' is set to 'Enabled'. | Registry value not found. | False |
| 101 | (ND, NE) Ensure 'Allow users to enable online speech recognition services' is set to 'Disabled'. | Compliant | True |
| 102 | (ND, NE) Ensure 'Notify antivirus programs when opening attachments' is set to 'Enabled'. | Registry key not found. | False |
| 103 | (ND, NE) Ensure 'Do not preserve zone information in file attachments' is set to 'Disabled'. | Registry key not found. | False |
| 104 | (HD) Ensure 'Block launching Universal Windows apps with Windows Runtime API access from hosted content.' is set to 'Enabled'. | Compliant | True |
| 105 | (ND) Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled'. | Compliant | True |
| 106 | (ND, NE) Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled'. | Compliant | True |
| 107 | (ND, NE) Ensure 'Do not display the password reveal button' is set to 'Enabled'. | Compliant | True |
| 108 | (HD) Ensure 'Allow a Windows app to share application data between users' is set to 'Disabled'. | Compliant | True |
| 109 | (ND, NE) Ensure 'Configure enhanced anti-spoofing' is set to 'Enabled'. | Compliant | True |
| 110 | (HD) Ensure 'Turn off all Windows spotlight features' is set to 'Enabled'. | Registry value not found. | False |
| 111 | (HD) Ensure 'Do not use diagnostic data for tailored experiences' is set to 'Enabled'. | Registry value not found. | False |
| 112 | (ND, NE) Ensure 'Do not suggest third-party content in Windows spotlight' is set to 'Enabled'. | Registry value not found. | False |
| 113 | (ND, NE) Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled'. | Compliant | True |
| 114 | (ND, NE) Ensure 'Configure Windows spotlight on lock screen' is set to 'Disabled'. | Registry value not found. | False |
| 115 | (ND, NE) Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled'. | Compliant | True |
| 116 | (ND, NE) Ensure 'Turn off shell protocol protected mode' is set to 'Disabled'. | Compliant | True |
| 117 | (ND, NE) Ensure 'Turn off heap termination on corruption' is set to 'Disabled'. | Compliant | True |
| 118 | (ND, NE) Ensure 'Toggle user control over Insider builds' is set to 'Disabled'. | Compliant | True |
| 119 | (ND, NE) Ensure 'Do not show feedback notifications' is set to 'Enabled'. | Compliant | True |
| 120 | (ND, NE) Ensure 'Allow Telemetry' is set to 'Enabled: 0 – Security [Enterprise Only]'. | Compliant | True |
| 121 | (ND, NE) Ensure 'Allow device name to be sent in Windows diagnostic data' is set to 'Disabled'. | Registry value not found. | False |
| 122 | (HD) Ensure 'Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service' is set to 'Enabled: Disable Authenticated Proxy usage'. | Compliant | True |
| 123 | (HD) Ensure 'Allow Use of Camera' is set to 'Disabled'. | Registry value is '1'. Expected: 0 | False |
| 124 | (ND, NE) Ensure 'Block all consumer Microsoft account user authentication' is set to 'Enabled'. | Compliant | True |
| 125 | (HD) Ensure 'Allow Message Service Cloud Sync' is set to 'Disabled'. | Compliant | True |
| 126 | (ND, NE) Ensure 'Prevent users from sharing files within their profile.' is set to 'Enabled'. | Registry key not found. | False |
| 127 | (ND, NE) Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled'. | Registry key not found. | False |
| 128 | (HD) Ensure 'Turn off location' is set to 'Enabled'. | Compliant | True |
| 129 | (HD) Ensure 'Turn off Push To Install service' is set to 'Enabled'. | Compliant | True |
| 130 | (HD) Ensure 'Do not allow COM port redirection' is set to 'Enabled'. | Compliant | True |
| 131 | (ND, NE) Ensure 'Do not allow drive redirection' is set to 'Enabled'. | Compliant | True |
| 132 | (HD) Ensure 'Do not allow LPT port redirection' is set to 'Enabled'. | Compliant | True |
| 133 | (HD) Ensure 'Do not allow supported Plug and Play device redirection' is set to 'Enabled'. | Compliant | True |
| 134 | (ND, NE) Ensure 'Always prompt for password upon connection' is set to 'Enabled'. | Compliant | True |
| 135 | (ND, NE) Ensure 'Require user authentication for remote connections by using Network Level Authentication' is set to 'Enabled'. | Compliant | True |
| 136 | (ND, NE) Ensure 'Require secure RPC communication' is set to 'Enabled'. | Compliant | True |
| 137 | (ND, NE) Ensure 'Set client connection encryption level' is set to 'Enabled: High Level'. | Compliant | True |
| 138 | (ND, NE) Ensure 'Require use of specific security layer for remote (RDP) connections' is set to 'Enabled: SSL'. | Compliant | True |
| 139 | (ND, NE) Ensure 'End session when time limits are reached' is set to 'Enabled'. | Registry key not found. | False |
| 140 | (HD) Ensure 'Set time limit for active but idle Remote Desktop Services sessions' is set to 'Enabled: 15 minutes or less'. | Compliant | True |
| 141 | (HD) Ensure 'Set time limit for disconnected sessions' is set to 'Enabled: 1 minute'. | Compliant | True |
| 142 | (ND, NE) Ensure 'Do not use temporary folders per session' is set to 'Disabled'. | Registry value not found. | False |
| 143 | (ND, NE) Ensure 'Do not delete temp folders upon exit' is set to 'Disabled'. | Compliant | True |
| 144 | (HD) Ensure 'Allow users to connect remotely by using Remote Desktop Services' is set to 'Disabled'. | Compliant | True |
| 145 | (ND, NE) Ensure 'Do not allow passwords to be saved' is set to 'Enabled'. | Compliant | True |
| 146 | (ND, NE) Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled'. | Compliant | True |
| 147 | (ND, NE) Ensure 'Turn off Autoplay' is set to 'Enabled: All drives'. | Compliant | True |
| 148 | (ND, NE) Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands'. | Compliant | True |
| 149 | (ND, NE) Ensure 'Prevent downloading of enclosures' is set to 'Enabled'. | Compliant | True |
| 150 | (HD) Ensure 'Turn off KMS Client Online AVS Validation' is set to 'Enabled'. | Compliant | True |
| 151 | (HD) Ensure 'Disable all apps from Microsoft Store' is set to 'Disabled'. | Registry value not found. | False |
| 152 | (ND, NE) Ensure 'Turn off Automatic Download and Install of updates' is set to 'Disabled'. | Compliant | True |
| 153 | (ND, NE) Ensure 'Turn off the offer to update to the latest version of Windows' is set to 'Enabled'. | Compliant | True |
| 154 | (HD) Ensure 'Only display the private store within the Microsoft Store' is set to 'Enabled'. | Compliant | True |
| 155 | (HD) Ensure 'Turn off the Store application' is set to 'Enabled'. | Compliant | True |
| 156 | (HD) Ensure 'Allow Cloud Search' is set to 'Enabled: Disable Cloud Search'. | Compliant | True |
| 157 | (ND, NE) Ensure 'Allow search and Cortana to use location' is set to 'Disabled'. | Compliant | True |
| 158 | (ND, NE) Ensure 'Allow indexing of encrypted files' is set to 'Disabled'. | Compliant | True |
| 159 | (ND, NE) Ensure 'Improve inking and typing recognition' is set to 'Disabled'. | Registry key not found. | False |
| 160 | (ND, NE) Ensure 'Download Mode' is set to 'Enabled: Simple (99)'. | Registry value is '1'. Expected: 99 | False |
| 161 | (ND, NE) Ensure 'Require pin for pairing' is set to 'Enabled: Always'. | Compliant | True |
| 162 | (ND, NE) Ensure 'Configure detection for potentially unwanted applications' is set to 'Enabled: Block'. | Compliant | True |
| 163 | (ND, NE) Ensure 'Turn off Windows Defender Antivirus' is set to 'Disabled'. | Compliant | True |
| 164 | (ND, NE) Ensure 'Configure Watson events' is set to 'Disabled'. | Compliant | True |
| 165 | (ND, NE) Ensure 'Turn on behavior monitoring' is set to 'Enabled'. | Compliant | True |
| 166 | (HD) Ensure 'Join Microsoft MAPS' is set to 'Disabled'. | Compliant | True |
| 167 | (ND, NE) Ensure 'Configure local setting override for reporting to Microsoft MAPS' is set to 'Disabled'. | Compliant | True |
| 168 | (ND, NE) Ensure 'Turn on e-mail scanning' is set to 'Enabled'. | Compliant | True |
| 169 | (ND, NE) Ensure 'Scan removable drives' is set to 'Enabled'. | Compliant | True |
| 170 | (ND, NE) Ensure 'Prevent users and apps from accessing dangerous websites' is set to 'Enabled: Block'. | Compliant | True |
| 171 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules' is set to 'Enabled'. | Compliant | True |
| 172_1 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is 'configured'. | Compliant | True |
| 172_2 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is 'configured'. | Compliant | True |
| 172_3 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is 'configured'. | Compliant | True |
| 172_4 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is 'configured'. | Compliant | True |
| 172_5 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is 'configured'. | Compliant | True |
| 172_6 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is 'configured'. | Compliant | True |
| 172_7 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is 'configured'. | Compliant | True |
| 172_8 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is 'configured'. | Compliant | True |
| 172_9 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is 'configured'. | Compliant | True |
| 172_10 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is 'configured'. | Compliant | True |
| 172_11 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is 'configured'. | Compliant | True |
| 173 | (ND, NE) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent bypass'. | Compliant | True |
| 174 | (ND, NE) Ensure 'Prevent bypassing Windows Defender SmartScreen prompts for sites' is set to 'Enabled'. | Compliant | True |
| 175 | (ND, NE) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled'. | Compliant | True |
| 176 | (HD) Ensure 'Allow suggested apps in Windows Ink Workspace' is set to 'Disabled'. | Compliant | True |
| 177 | (ND, NE) Ensure 'Allow Windows Ink Workspace' is set to 'Enabled: On, but disallow access above lock' OR 'Disabled'. | Compliant | True |
| 178 | (ND, NE) Ensure 'Allow user control over installs' is set to 'Disabled'. | Compliant | True |
| 179 | (HD) Ensure 'Prevent Internet Explorer security prompt for Windows Installer scripts' is set to 'Disabled'. | Compliant | True |
| 180 | (ND, NE) Ensure 'Always install with elevated privileges' is set to 'Disabled'. | Compliant | True |
| 181 | (ND, NE) Ensure 'Always install with elevated privileges' is set to 'Disabled'. | Registry key not found. | False |
| 182 | (HD) Ensure 'Prevent Codec Download' is set to 'Enabled'. | Registry key not found. | False |
| 184 | (HD) Ensure 'Turn on Script Execution' is set to 'Enabled: Allow only signed scripts'. | Registry key not found. | False |
| 185 | (ND, NE) Ensure 'Configure Automatic Updates' is set to 'Enabled: 4 Auto download and schedule the install'. | Compliant | True |
| 186 | (ND, NE) Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day'. | Compliant | True |
| 187 | (ND, NE) Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled'. | Compliant | True |
| 188 | (ND, NE) Ensure 'Remove access to "Pause updates" feature' is set to 'Enabled'. | Compliant | True |
| 189 | (ND, NE) Ensure 'Sign-in last interactive user automatically after a system-initiated restart' is set to 'Disabled'. | Compliant | True |
| 190 | (HD) Ensure 'Allow Remote Shell Access' is set to 'Disabled'. | Registry value is '1'. Expected: 0 | False |
| 191 | (ND, NE) Ensure 'Allow Basic authentication' is set to 'Disabled'. | Compliant | True |
| 192 | (ND, NE) Ensure 'Disallow Digest authentication' is set to 'Enabled'. | Compliant | True |
| 193 | (ND, NE) Ensure 'Allow unencrypted traffic' is set to 'Disabled'. | Compliant | True |
| 194 | (ND, NE) Ensure 'Allow Basic authentication' is set to 'Disabled'. | Compliant | True |
| 195 | (HD) Ensure 'Allow remote server management through WinRM' is set to 'Disabled'. | Registry value not found. | False |
| 196 | (ND, NE) Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled'. | Compliant | True |
| 197 | (ND, NE) Ensure 'Allow unencrypted traffic' is set to 'Disabled'. | Compliant | True |
| 198 | (ND, NE) Ensure 'Prevent users from modifying settings' is set to 'Enabled'. | Compliant | True |
| 199 | (ND, NE) Ensure 'Enables or disables Windows Game Recording and Broadcasting' is set to 'Disabled'. | Compliant | True |
| 209 | (ND, NE) Configure 'Interactive logon: Message title for users attempting to log on'. | Compliant | True |
| 210 | (ND, NE) Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled'. | Compliant | True |
| 211 | (ND, NE) Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled'. | Compliant | True |
| 212 | (ND, NE) Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled'. | Compliant | True |
| 213 | (ND, NE) Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled'. | Compliant | True |
| 214 | (ND, NE) Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled'. | Compliant | True |
| 215 | (ND, NE) Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled'. | Compliant | True |
| 216 | (ND, NE) Ensure 'User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop' is set to 'Disabled'. | Compliant | True |
| 217 | (ND, NE) Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure desktop'. | Compliant | True |
| 218 | (ND, NE) Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Prompt for credentials on the secure desktop'. | Registry value is '3'. Expected: 1 | False |
| 219 | (ND) Ensure 'Domain member: Disable machine account password changes' is set to 'Disabled'. | Compliant | True |
| 220 | (ND) Ensure 'Domain member: Digitally sign secure channel data (when possible)' is set to 'Enabled'. | Compliant | True |
| 221 | (ND) Ensure 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'Enabled'. | Compliant | True |
| 222 | (ND) Ensure 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'Enabled'. | Compliant | True |
| 223 | (ND) Ensure 'Domain member: Maximum machine account password age' is set to '30 or fewer days, but not 0'. | Compliant | True |
| 224 | (ND) Ensure 'Domain member: Require strong (Windows 2000 or later) session key' is set to 'Enabled'. | Compliant | True |
| 225 | (HD) Ensure 'Devices: Prevent users from installing printer drivers' is set to 'Enabled'. | Compliant | True |
| 226 | (ND, NE) Ensure 'Devices: Allowed to format and eject removable media' is set to 'Administrators and Interactive Users'. | Compliant | True |
| 227 | (ND, NE) Ensure 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days'. | Compliant | True |
| 228 | (HD) Ensure 'Interactive logon: Number of previous logons to cache (in case domain controller is not available)' is set to '4 or fewer logon(s)'. | Compliant | True |
| 229 | Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0'. | Compliant | True |
| 230 | (ND, NE) Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled'. | Compliant | True |
| 231 | (ND, NE) Configure 'Interactive logon: Message text for users attempting to log on'. | Compliant | True |
| 232 | (ND) Ensure 'Interactive logon: Machine account lockout threshold' is set to '10 or fewer invalid logon attempts, but not 0'. | Compliant | True |
| 233 | (ND) Ensure 'Interactive logon: Smart card removal behavior' is set to 'Lock Workstation' or higher. | Compliant | True |
| 234 | (ND, NE) Ensure 'Interactive logon: Don't display last signed-in' is set to 'Enabled'. | Compliant | True |
| 239 | (ND, NE) Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled'. | Compliant | True |
| 240 | (ND, NE) Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts'. | Compliant | True |
| 241 | (ND, NE) Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled'. | Registry value is '0'. Expected: 1 | False |
| 242 | (ND, NE) Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled'. | Compliant | True |
| 243 | (ND, NE) Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled'. | Compliant | True |
| 244 | (ND, NE) Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled'. | Compliant | True |
| 245 | (ND, NE) Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled'. | Registry value is '0'. Expected: 1 | False |
| 246 | (ND, NE) Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled'. | Registry value is '0'. Expected: 1 | False |
| 247 | (ND, NE) Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s)'. | Compliant | True |
| 248 | (ND) Ensure 'Microsoft network server: Server SPN target name validation level' is set to 'Accept if provided by client' or higher. | Compliant | True |
| 250 | (HD) Ensure 'Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers' is set to 'Deny all'. | Registry value not found. | False |
| 251 | (HD) Ensure 'Network security: Restrict NTLM: Incoming NTLM traffic' is set to 'Deny all accounts'. | Registry value not found. | False |
| 252 | (ND) Ensure 'Network security: Configure encryption types allowed for Kerberos' is set to 'AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types'. | Compliant | True |
| 253 | (ND, NE) Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled'. | Compliant | True |
| 254 | (ND, NE) Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only'. | Compliant | True |
| 255 | (ND, NE) Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'. | Compliant | True |
| 256 | (ND, NE) Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled'. | Compliant | True |
| 257 | (ND) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to 'Require NTLMv2 session security, Require 128-bit encryption'. | Compliant | True |
| 258 | (ND) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to 'Require NTLMv2 session security, Require 128-bit encryption'. | Compliant | True |
| 259 | (ND) Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signing' or higher. | Compliant | True |
| 260 | (ND, NE) Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled'. | Compliant | True |
| 261 | (ND, NE) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled'. | Compliant | True |
| 262 | (ND) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is set to 'Enabled'. | Compliant | True |
| 263 | (ND) Ensure 'Network access: Allow anonymous SID/Name translation' is set to 'Disabled'. | Registry value not found. | False |
| 264 | (ND, NE) Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled'. | Compliant | True |
| 265 | (ND, NE) Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow'. | Compliant | True |
| 266 | (ND) Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled'. | Compliant | True |
| 267 | (ND, NE) Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None'. | Compliant | True |
| 268 | (ND, NE) Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves'. | Compliant | True |
| 269 | (ND, NE) Ensure 'Network access: Named Pipes that can be accessed anonymously' is set to 'None'. | Compliant | True |
| 270 | (ND, NE) Configure 'Network access: Remotely accessible registry paths and sub-paths'. | Compliant | True |
| 271 | (ND, NE) Configure 'Network access: Remotely accessible registry paths'. | Compliant | True |
| 272 | (ND, NE) Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled'. | Compliant | True |
| 273 | (HD) Ensure 'System settings: Optional subsystems' is set to 'None'. | Registry value is ''. Expected: | False |
| 274 | (HD) Ensure 'System cryptography: Force strong key protection for user keys stored on the computer' is set to 'User is prompted when the key is first used'. | Compliant | True |
| 275 | (ND, NE) Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled'. | Compliant | True |
| 276 | (ND, NE) Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled'. | Compliant | True |
| 316 | (HD) Ensure 'Remote Desktop Services UserMode Port Redirector (UmRdpService)' is set to 'Disabled'. | Compliant | True |
| 317 | (ND, NE) Ensure 'Connected User Experiences and Telemetry' is set to 'Disabled'. | Registry value not found. | False |
| 318 | (HD) Ensure 'Bluetooth Audio Gateway Service (BTAGService)' is set to 'Disabled'. | Registry value is '3'. Expected: 4 | False |
| 319 | (HD) Ensure 'Bluetooth Support Service (bthserv)' is set to 'Disabled'. | Registry value is '3'. Expected: 4 | False |
| 320 | (ND, NE) Ensure 'Computer Browser (Browser)' is set to 'Disabled' or 'Not Installed'. | Compliant | True |
| 321 | (NE, ND) Ensure 'Internet Connection Sharing (ICS) (SharedAccess)' is set to 'Disabled'. | Compliant | True |
| 322 | (HD) Ensure 'Geolocation Service (lfsvc)' is set to 'Disabled'. | Compliant | True |
| 323 | (ND, NE) Ensure 'IIS Admin Service (IISADMIN)' is set to 'Disabled' or 'Not Installed'. | Compliant | True |
| 324 | (NE, ND) Ensure 'Infrared monitor service (irmon)' is set to 'Disabled'. | Compliant | True |
| 325 | (HD) Ensure 'Remote Desktop Configuration (SessionEnv)' is set to 'Disabled'. | Compliant | True |
| 326 | (ND, NE) Ensure 'LxssManager (LxssManager)' is set to 'Disabled' or 'Not Installed'. | Compliant | True |
| 327 | (HD) Ensure 'Downloaded Maps Manager (MapsBroker)' is set to 'Disabled'. | Compliant | True |
| 328 | (ND, NE) Ensure 'Microsoft FTP Service (FTPSVC)' is set to 'Disabled' or 'Not Installed'. | Compliant | True |
| 329 | (HD) Ensure 'Microsoft iSCSI Initiator Service (MSiSCSI)' is set to 'Disabled'. | Compliant | True |
| 330 | (HD) Ensure 'Microsoft Store Install Service (InstallService)' is set to 'Disabled'. | Registry value is '3'. Expected: 4 | False |
| 331 | (ND, NE) Ensure 'OpenSSH SSH Server (sshd)' is set to 'Disabled' or 'Not Installed'. | Compliant | True |
| 332 | (HD) Ensure 'Peer Name Resolution Protocol (PNRPsvc)' is set to 'Disabled'. | Compliant | True |
| 333 | (HD) Ensure 'Peer Networking Grouping (p2psvc)' is set to 'Disabled'. | Compliant | True |
| 334 | (HD) Ensure 'Peer Networking Identity Manager (p2pimsvc)' is set to 'Disabled'. | Compliant | True |
| 335 | (HD) Ensure 'PNRP Machine Name Publication Service (PNRPAutoReg)' is set to 'Disabled'. | Compliant | True |
| 336 | (HD) Ensure 'Remote Desktop Services (TermService)' is set to 'Disabled'. | Compliant | True |
| 337 | (HD) Ensure 'Remote Registry (RemoteRegistry)' is set to 'Disabled'. | Compliant | True |
| 338 | (ND, NE) Ensure 'Routing and Remote Access (RemoteAccess)' is set to 'Disabled'. | Compliant | True |
| 339 | (ND, NE) Ensure 'Remote Procedure Call (RPC) Locator (RpcLocator)' is set to 'Disabled'. | Compliant | True |
| 340 | (HD) Ensure 'Server (LanmanServer)' is set to 'Disabled'. | Compliant | True |
| 341 | (ND, NE) Ensure 'Simple TCP/IP Services (simptcp)' is set to 'Disabled' or 'Not Installed'. | Compliant | True |
| 342 | (HD) Ensure 'SNMP Service (SNMP)' is set to 'Disabled' or 'Not Installed'. | Compliant | True |
| 343 | (ND, NE) Ensure 'SSDP Discovery (SSDPSRV)' is set to 'Disabled'. | Compliant | True |
| 344 | (HD) Ensure 'Problem Reports and Solutions Control Panel Support (wercplsupport)' is set to 'Disabled'. | Compliant | True |
| 345 | (ND, NE) Ensure 'UPnP Device Host (upnphost)' is set to 'Disabled'. | Compliant | True |
| 346 | (HD) Ensure 'Link-Layer Topology Discovery Mapper (lltdsvc)' is set to 'Disabled'. | Compliant | True |
| 347 | (HD) Ensure 'Remote Access Auto Connection Manager (RasAuto)' is set to 'Disabled'. | Compliant | True |
| 348 | (ND, NE) Ensure 'Web Management Service (WMSvc)' is set to 'Disabled' or 'Not Installed'. | Compliant | True |
| 349 | (ND, NE) Ensure 'Windows Media Player Network Sharing Service (WMPNetworkSvc)' is set to 'Disabled'. | Compliant | True |
| 350 | (HD) Ensure 'Windows PushToInstall Service (PushToInstall)' is set to 'Disabled'. | Compliant | True |
| 351 | (HD) Ensure 'Windows Mobile Hotspot Service (icssvc)' is set to 'Disabled'. | Compliant | True |
| 352 | (HD) Ensure 'Windows Event Collector (Wecsvc)' is set to 'Disabled'. | Compliant | True |
| 353 | (HD) Ensure 'Windows Error Reporting Service (WerSvc)' is set to 'Disabled'. | Compliant | True |
| 354 | (HD) Ensure 'Windows Push Notifications System Service (WpnService)' is set to 'Disabled'. | Compliant | True |
| 355 | (HD) Ensure 'Windows Remote Management (WS-Management) (WinRM)' is set to 'Disabled'. | Registry value is '2'. Expected: 4 | False |
| 356 | (ND, NE) Ensure 'World Wide Web Publishing Service (W3SVC)' is set to 'Disabled' or 'Not Installed'. | Compliant | True |
| 357 | (ND, NE) Ensure 'Xbox Accessory Management Service (XboxGipSvc)' is set to 'Disabled'. | Compliant | True |
| 358 | (ND, NE) Ensure 'Xbox Live Auth Manager (XblAuthManager)' is set to 'Disabled'. | Compliant | True |
| 359 | (ND, NE) Ensure 'Xbox Live Networking Service (XboxNetApiSvc)' is set to 'Disabled'. | Compliant | True |
| 360 | (ND, NE) Ensure 'Xbox Live Game Save (XblGameSave)' is set to 'Disabled'. | Compliant | True |
| 361 | (ND) Ensure 'Windows Firewall: Domain: Outbound connections' is set to 'Allow (default)'. | Compliant | True |
| 362 | (ND) Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No'. | Compliant | True |
| 363 | (ND) Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)'. | Compliant | True |
| 364 | (ND) Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On (recommended)'. | Compliant | True |
| 365 | (ND, NE) Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow (default)'. | Compliant | True |
| 366 | (ND, NE) Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'No'. | Compliant | True |
| 367 | (ND, NE) Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)'. | Compliant | True |
| 368 | (ND, NE) Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)'. | Compliant | True |
| 369 | (ND, NE) Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No'. | Compliant | True |
| 370 | (ND, NE) Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No'. | Compliant | True |
| 371 | (ND, NE) Ensure 'Windows Firewall: Private: Outbound connections' is set to 'Allow (default)'. | Compliant | True |
| 372 | (ND, NE) Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No'. | Compliant | True |
| 373 | (ND, NE) Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)'. | Compliant | True |
| 374 | (ND, NE) Ensure 'Windows Firewall: Private: Firewall state' is set to 'On (recommended)'. | Compliant | True |
User Rights Assignment
| Id | Task | Message | Status |
|---|---|---|---|
| 277 | (ND, NE) Ensure 'Change the system time' is set to 'Administrators, LOCAL SERVICE'. | Compliant | True |
| 278 | (ND, NE) Ensure 'Change the time zone' is set to 'Administrators, LOCAL SERVICE, Users'. | Compliant | True |
| 279 | (ND, NE) Ensure 'Increase scheduling priority' is set to 'Administrators, Window Manager\Window Manager Group'. | Compliant | True |
| 280 | (ND, NE) Ensure 'Deny log on as a batch job' to include 'ANONYMOUS LOGON, Guests'. | The user 'SeDenyBatchLogonRight' setting does not contain the following users: NT AUTHORITY\ANONYMOUS LOGON | False |
| 281 | (HD) Configure 'Log on as a service'. | The user right 'SeServiceLogonRight' contains following unexpected users: DESKTOP-UTMU75K\SQLServer2005SQLBrowserUser$DESKTOP-UTMU75K, NT SERVICE\ALL SERVICES, NT SERVICE\SQLTELEMETRY, NT SERVICE\SQLSERVERAGENT, NT SERVICE\MSSQLSERVER, NT VIRTUAL MACHINE\Virtual Machines | False |
| 282 | (ND, NE) Ensure 'Deny log on as a service' to include 'ANONYMOUS LOGON, Guests'. | The user 'SeDenyServiceLogonRight' setting does not contain the following users: NT AUTHORITY\ANONYMOUS LOGON | False |
| 283 | (HD) Ensure 'Log on as a batch job' is set to 'Administrators'. | The user right 'SeBatchLogonRight' contains following unexpected users: BUILTIN\Backup Operators, BUILTIN\Performance Log Users | False |
| 284 | (ND) Ensure 'Deny log on through Remote Desktop Services' to include 'ANONYMOUS LOGON, Guests, Local account'. | The user right 'SeDenyRemoteInteractiveLogonRight' contains following unexpected users: NT AUTHORITY\Local account The user 'SeDenyRemoteInteractiveLogonRight' setting does not contain the following users: NT AUTHORITY\ANONYMOUS LOGON, LOCAL | False |
| 285 | (ND, NE) Ensure 'Allow log on through Remote Desktop Services' is set to 'Administrators, Remote Desktop Users'. | Compliant | True |
| 286 | (ND, NE) Ensure 'Impersonate a client after authentication' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'. | Compliant | True |
| 287 | (ND, NE) Ensure 'Adjust memory quotas for a process' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE'. | The user right 'SeIncreaseQuotaPrivilege' contains following unexpected users: NT SERVICE\SQLSERVERAGENT, NT SERVICE\MSSQLSERVER | False |
| 288 | (ND, NE) Ensure 'Access Credential Manager as a trusted caller' is set to 'No One'. | Compliant | True |
| 289 | (ND, NE) Ensure 'Access this computer from the network' is set to 'Administrators, Remote Desktop Users'. | The user right 'SeNetworkLogonRight' contains following unexpected users: BUILTIN\Users, BUILTIN\Backup Operators The user 'SeNetworkLogonRight' setting does not contain the following users: BUILTIN\Remote Desktop Users | False |
| 290 | (ND, NE) Ensure 'Debug programs' is set to 'Administrators'. | Compliant | True |
| 291 | (ND, NE) Ensure 'Perform volume maintenance tasks' is set to 'Administrators'. | Compliant | True |
| 292 | (ND, NE) Ensure 'Act as part of the operating system' is set to 'No One'. | Compliant | True |
| 293 | (ND) Ensure 'Enable computer and user accounts to be trusted for delegation' is set to 'No One'. | Compliant | True |
| 294 | (ND, NE) Ensure 'Replace a process level token' is set to 'LOCAL SERVICE, NETWORK SERVICE'. | The user right 'SeAssignPrimaryTokenPrivilege' contains following unexpected users: NT SERVICE\SQLSERVERAGENT, NT SERVICE\MSSQLSERVER | False |
| 295 | (ND, NE) Ensure 'Create a pagefile' is set to 'Administrators'. | Compliant | True |
| 296 | (ND, NE) Ensure 'Profile system performance' is set to 'Administrators, NT SERVICE\WdiServiceHost'. | Compliant | True |
| 297 | (ND, NE) Ensure 'Profile single process' is set to 'Administrators'. | Compliant | True |
| 298 | (ND, NE) Ensure 'Create a token object' is set to 'No One'. | Compliant | True |
| 299 | (ND, NE) Ensure 'Create global objects' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'. | Compliant | True |
| 300 | (ND, NE) Ensure 'Create symbolic links' is set to 'Administrators'. | The user right 'SeCreateSymbolicLinkPrivilege' contains following unexpected users: NT VIRTUAL MACHINE\Virtual Machines | False |
| 301 | (ND, NE) Ensure 'Create permanent shared objects' is set to 'No One'. | Compliant | True |
| 302 | (ND, NE) Ensure 'Force shutdown from a remote system' is set to 'Administrators'. | Compliant | True |
| 303 | (ND, NE) Ensure 'Generate security audits' is set to 'LOCAL SERVICE, NETWORK SERVICE'. | Compliant | True |
| 304 | (ND, NE) Ensure 'Shut down the system' is set to 'Administrators, Users'. | The user right 'SeShutdownPrivilege' contains following unexpected users: BUILTIN\Backup Operators | False |
| 305 | (ND, NE) Ensure 'Load and unload device drivers' is set to 'Administrators'. | Compliant | True |
| 306 | (ND, NE) Ensure 'Deny log on locally' to include 'ANONYMOUS LOGON, Guests'. | The user 'SeDenyInteractiveLogonRight' setting does not contain the following users: NT AUTHORITY\ANONYMOUS LOGON | False |
| 307 | (ND, NE) Ensure 'Allow log on locally' is set to 'Administrators, Users'. | The user right 'SeInteractiveLogonRight' contains following unexpected users: DESKTOP-UTMU75K\OldGuest, BUILTIN\Backup Operators | False |
| 308 | (ND, NE) Ensure 'Back up files and directories' is set to 'Administrators'. | The user right 'SeBackupPrivilege' contains following unexpected users: BUILTIN\Backup Operators | False |
| 309 | (ND, NE) Ensure 'Lock pages in memory' is set to 'No One'. | Compliant | True |
| 310 | (ND, NE) Ensure 'Take ownership of files or other objects' is set to 'Administrators'. | Compliant | True |
| 311 | (ND, NE) Ensure 'Modify firmware environment values' is set to 'Administrators'. | Compliant | True |
| 312 | (ND, NE) Ensure 'Modify an object label' is set to 'No One'. | Compliant | True |
| 313 | (ND, NE) Ensure 'Manage auditing and security log' is set to 'Administrators'. | Compliant | True |
| 314 | (ND, NE) Ensure 'Restore files and directories' is set to 'Administrators'. | The user right 'SeRestorePrivilege' contains following unexpected users: BUILTIN\Backup Operators | False |
| 315 | (ND, NE) Ensure 'Deny access to this computer from the network' to include 'ANONYMOUS LOGON, Guest, Local account'. | The user 'SeDenyNetworkLogonRight' setting does not contain the following users: NT AUTHORITY\ANONYMOUS LOGON | False |
Account Policies
| Id | Task | Message | Status |
|---|---|---|---|
| 200 | (ND, NE) Ensure 'Store passwords using reversible encryption' is set to 'Disabled'. | Compliant | True |
| 201 | (ND, NE) Ensure 'Password must meet complexity requirements' is set to 'Enabled'. | Compliant | True |
| 202 | (ND, NE) Ensure 'Enforce password history' is set to '24 or more password(s)'. | Compliant | True |
| 203 | (ND, NE) Ensure 'Maximum password age' is set to '365 or fewer days, but not 0'. | Compliant | True |
| 204 | (ND, NE) Ensure 'Minimum password length' is set to '14 or more character(s)'. | Compliant | True |
| 205 | (ND, NE) Ensure 'Minimum password age' is set to '1 or more day(s)'. | Compliant | True |
| 206 | (ND) Ensure 'Account lockout duration' is set to '15 or more minute(s)'. | Compliant | True |
| 207 | (ND) Ensure 'Account lockout threshold' is set to '10 or fewer invalid logon attempt(s), but not 0'. | Compliant | True |
| 208 | (ND) Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)'. | Compliant | True |
BSI Benchmarks SiSyPHuS ND
This section contains the BSI Benchmark results.
Registry Settings/Group Policies
| Id | Task | Message | Status |
|---|---|---|---|
| 1 | (ND, NE) Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled'. | Compliant | True |
| 2 | (ND, NE) Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver'. | Compliant | True |
| 3 | (ND, NE) Ensure 'Configure SMB v1 server' is set to 'Disabled'. | Compliant | True |
| 4 | (ND, NE) Ensure 'Enable Structured Exception Handling Overwrite Protection (SEHOP)' is set to 'Enabled'. | Compliant | True |
| 5 | (ND, NE) Ensure 'WDigest Authentication' is set to 'Disabled'. | Compliant | True |
| 6 | (ND, NE) Ensure 'LSA Protection' is set to 'Enabled'. | Registry value not found. | False |
| 7 | (ND, NE) Ensure 'MSS: (EnableDeadGWDetect) Allow automatic detection of dead network gateways (could lead to DoS)' is set to 'Disabled'. | Registry value not found. | False |
| 8 | (ND, NE) Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled'. | Compliant | True |
| 9 | (ND, NE) Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'. | Compliant | True |
| 10 | (ND, NE) Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'. | Compliant | True |
| 12 | (ND, NE) Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled'. | Compliant | True |
| 14 | (ND, NE) Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled'. | Compliant | True |
| 16 | (ND, NE) Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' is set to 'Enabled'. | Compliant | True |
| 17 | (ND, NE) Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' is set to 'Enabled: 5 or fewer seconds'. | Compliant | True |
| 20 | (ND, NE) Ensure 'Turn off multicast name resolution' is set to 'Enabled'. | Compliant | True |
| 21 | (ND, NE) Ensure 'NetBIOS node type' is set to 'P-node'. | Compliant | True |
| 22 | (ND, NE) Ensure 'Enable insecure guest logons' is set to 'Disabled'. | Compliant | True |
| 24_1 | (ND, NE) Ensure 'Hardened UNC Paths' is set to "Require Mutual Authentication=1", "Require Integrity=1" for the value names "\\*\NETLOGON" and "\\*\SYSVOL". | Compliant | True |
| 24_2 | (ND, NE) Ensure 'Hardened UNC Paths' is set to "Require Mutual Authentication=1", "Require Integrity=1" for the value names "\\*\NETLOGON" and "\\*\SYSVOL". | Compliant | True |
| 25 | (ND) Ensure 'Require domain users to elevate when setting a network's location' is set to 'Enabled'. | Compliant | True |
| 26 | (ND) Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled'. | Compliant | True |
| 27 | (ND) Ensure 'Prohibit use of Internet Connection Sharing on your DNS domain network' is set to 'Enabled'. | Compliant | True |
| 33 | (ND, NE) Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to the value 'Enabled: 1 = Minimize the number of simultaneous connections'. | Registry value not found. | False |
| 34 | (ND) Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled'. | Compliant | True |
| 35 | (ND, NE) Ensure 'Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services' is set to 'Disabled'. | Compliant | True |
| 37 | (ND, NE) Ensure 'Turn off toast notifications on the lock screen' is set to 'Enabled'. | Registry value not found. | False |
| 39 | (ND, NE) Ensure 'Turn off picture password sign-in' is set to 'Enabled'. | Compliant | True |
| 40 | (ND, NE) Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled'. | Compliant | True |
| 41 | (ND, NE) Ensure 'Block user from showing account details on sign-in' is set to 'Enabled'. | Compliant | True |
| 42 | (ND) Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled'. | Compliant | True |
| 43 | (ND) Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled'. | Compliant | True |
| 44 | (ND, NE) Ensure 'Do not display network selection UI' is set to 'Enabled'. | Compliant | True |
| 45 | (ND) Ensure 'Do not enumerate connected users on domain-joined computers' is set to 'Enabled'. | Compliant | True |
| 46 | (ND, NE) Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical'. | Compliant | True |
| 50 | (ND, NE) Ensure 'Encryption Oracle Remediation' is set to 'Enabled: Force Updated Clients'. | Compliant | True |
| 51 | (ND) Ensure 'Remote host allows delegation of non-exportable credentials' is set to 'Enabled'. | Compliant | True |
| 52 | (ND, NE) Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled'. | Compliant | True |
| 53 | (ND, NE) Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled'. | Compliant | True |
| 54 | (ND, NE) Ensure 'Allow network connectivity during connected-standby (on battery)' is set to 'Disabled'. | Compliant | True |
| 55 | (ND, NE) Ensure 'Allow network connectivity during connected-standby (plugged in)' is set to 'Disabled'. | Compliant | True |
| 56 | (ND, NE) Ensure 'Allow standby states (S1-S3) when sleeping (on battery)' is set to 'Disabled'. | Compliant | True |
| 57 | (ND, NE) Ensure 'Allow standby states (S1-S3) when sleeping (plugged in)' is set to 'Disabled'. | Compliant | True |
| 59 | (ND, NE) Ensure 'Prevent installation of devices that match any of these device IDs' is configured. | Registry value not found. | False |
| 60 | (ND, NE) Ensure 'Prevent installation of devices using drivers that match these device setup classes' is configured. | Compliant | True |
| 61 | (ND, NE) Ensure 'Continue experiences on this device' is set to 'Disabled'. | Compliant | True |
| 62 | (ND) Ensure 'Turn off background refresh of Group Policy' is set to 'Disabled'. | Compliant | True |
| 63 | (ND) Ensure 'Configure registry policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE'. | Compliant | True |
| 64 | (ND) Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE'. | Compliant | True |
| 65 | (ND) Ensure 'Configure security policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled'. | Registry key not found. | False |
| 68 | (ND, NE) Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'. | Compliant | True |
| 74 | (ND, NE) Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'. | Compliant | True |
| 81 | (ND, NE) Ensure 'Enumeration policy for external devices incompatible with Kernel DMA Protection' is set to 'Enabled: Block All'. | Compliant | True |
| 84 | (ND, NE) Ensure 'Restrict Unauthenticated RPC clients' is set to 'Enabled: Authenticated'. | Compliant | True |
| 85 | (ND, NE) Ensure 'Enable RPC Endpoint Mapper Client Authentication' is set to 'Enabled'. | Compliant | True |
| 86 | (ND, NE) Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled'. | Compliant | True |
| 87 | (ND, NE) Ensure 'Configure Offer Remote Assistance' is set to 'Disabled'. | Compliant | True |
| 88 | (ND, NE) Ensure 'Ignore the default list of blocked TPM commands' is set to 'Disabled'. | Registry key not found. | False |
| 89 | (ND, NE) Ensure 'Standard User Lockout Duration' is set to '30 minutes'. | Registry value not found. | False |
| 90 | (ND, NE) Ensure 'Standard User Total Lockout Threshold' is set to '5'. | Registry value not found. | False |
| 94 | (ND, NE) Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled'. | Compliant | True |
| 95 | (ND, NE) Ensure 'Prevent enabling lock screen camera' is set to 'Enabled'. | Compliant | True |
| 96 | (ND, NE) Ensure 'Force specific screen saver: Screen saver executable name' is set to 'Enabled: scrnsave.scr'. | Registry key not found. | False |
| 97 | (ND, NE) Ensure 'Enable screen saver' is set to 'Enabled'. | Registry key not found. | False |
| 98 | (ND, NE) Ensure 'Password protect the screen saver' is set to 'Enabled'. | Registry key not found. | False |
| 99 | (ND, NE) Ensure 'Screen saver timeout' is set to 'Enabled: 900 seconds or fewer, but not 0'. | Registry key not found. | False |
| 100_1 | (ND, NE) Ensure 'Turn off automatic learning' is set to 'Enabled'. | Registry value not found. | False |
| 100_2 | (ND, NE) Ensure 'Turn off automatic learning' is set to 'Enabled'. | Registry value not found. | False |
| 101 | (ND, NE) Ensure 'Allow users to enable online speech recognition services' is set to 'Disabled'. | Compliant | True |
| 102 | (ND, NE) Ensure 'Notify antivirus programs when opening attachments' is set to 'Enabled'. | Registry key not found. | False |
| 103 | (ND, NE) Ensure 'Do not preserve zone information in file attachments' is set to 'Disabled'. | Registry key not found. | False |
| 105 | (ND) Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled'. | Compliant | True |
| 106 | (ND, NE) Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled'. | Compliant | True |
| 107 | (ND, NE) Ensure 'Do not display the password reveal button' is set to 'Enabled'. | Compliant | True |
| 109 | (ND, NE) Ensure 'Configure enhanced anti-spoofing' is set to 'Enabled'. | Compliant | True |
| 112 | (ND, NE) Ensure 'Do not suggest third-party content in Windows spotlight' is set to 'Enabled'. | Registry value not found. | False |
| 113 | (ND, NE) Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled'. | Compliant | True |
| 114 | (ND, NE) Ensure 'Configure Windows spotlight on lock screen' is set to 'Disabled'. | Registry value not found. | False |
| 115 | (ND, NE) Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled'. | Compliant | True |
| 116 | (ND, NE) Ensure 'Turn off shell protocol protected mode' is set to 'Disabled'. | Compliant | True |
| 117 | (ND, NE) Ensure 'Turn off heap termination on corruption' is set to 'Disabled'. | Compliant | True |
| 118 | (ND, NE) Ensure 'Toggle user control over Insider builds' is set to 'Disabled'. | Compliant | True |
| 119 | (ND, NE) Ensure 'Do not show feedback notifications' is set to 'Enabled'. | Compliant | True |
| 120 | (ND, NE) Ensure 'Allow Telemetry' is set to 'Enabled: 0 – Security [Enterprise Only]'. | Compliant | True |
| 121 | (ND, NE) Ensure 'Allow device name to be sent in Windows diagnostic data' is set to 'Disabled'. | Registry value not found. | False |
| 124 | (ND, NE) Ensure 'Block all consumer Microsoft account user authentication' is set to 'Enabled'. | Compliant | True |
| 126 | (ND, NE) Ensure 'Prevent users from sharing files within their profile.' is set to 'Enabled'. | Registry key not found. | False |
| 127 | (ND, NE) Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled'. | Registry key not found. | False |
| 131 | (ND, NE) Ensure 'Do not allow drive redirection' is set to 'Enabled'. | Compliant | True |
| 134 | (ND, NE) Ensure 'Always prompt for password upon connection' is set to 'Enabled'. | Compliant | True |
| 135 | (ND, NE) Ensure 'Require user authentication for remote connections by using Network Level Authentication' is set to 'Enabled'. | Compliant | True |
| 136 | (ND, NE) Ensure 'Require secure RPC communication' is set to 'Enabled'. | Compliant | True |
| 137 | (ND, NE) Ensure 'Set client connection encryption level' is set to 'Enabled: High Level'. | Compliant | True |
| 138 | (ND, NE) Ensure 'Require use of specific security layer for remote (RDP) connections' is set to 'Enabled: SSL'. | Compliant | True |
| 139 | (ND, NE) Ensure 'End session when time limits are reached' is set to 'Enabled'. | Registry key not found. | False |
| 142 | (ND, NE) Ensure 'Do not use temporary folders per session' is set to 'Disabled'. | Registry value not found. | False |
| 143 | (ND, NE) Ensure 'Do not delete temp folders upon exit' is set to 'Disabled'. | Compliant | True |
| 145 | (ND, NE) Ensure 'Do not allow passwords to be saved' is set to 'Enabled'. | Compliant | True |
| 146 | (ND, NE) Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled'. | Compliant | True |
| 147 | (ND, NE) Ensure 'Turn off Autoplay' is set to 'Enabled: All drives'. | Compliant | True |
| 148 | (ND, NE) Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands'. | Compliant | True |
| 149 | (ND, NE) Ensure 'Prevent downloading of enclosures' is set to 'Enabled'. | Compliant | True |
| 152 | (ND, NE) Ensure 'Turn off Automatic Download and Install of updates' is set to 'Disabled'. | Compliant | True |
| 153 | (ND, NE) Ensure 'Turn off the offer to update to the latest version of Windows' is set to 'Enabled'. | Compliant | True |
| 157 | (ND, NE) Ensure 'Allow search and Cortana to use location' is set to 'Disabled'. | Compliant | True |
| 158 | (ND, NE) Ensure 'Allow indexing of encrypted files' is set to 'Disabled'. | Compliant | True |
| 159 | (ND, NE) Ensure 'Improve inking and typing recognition' is set to 'Disabled'. | Registry key not found. | False |
| 160 | (ND, NE) Ensure 'Download Mode' is set to 'Enabled: Simple (99)'. | Registry value is '1'. Expected: 99 | False |
| 161 | (ND, NE) Ensure 'Require pin for pairing' is set to 'Enabled: Always'. | Compliant | True |
| 162 | (ND, NE) Ensure 'Configure detection for potentially unwanted applications' is set to 'Enabled: Block'. | Compliant | True |
| 163 | (ND, NE) Ensure 'Turn off Windows Defender Antivirus' is set to 'Disabled'. | Compliant | True |
| 164 | (ND, NE) Ensure 'Configure Watson events' is set to 'Disabled'. | Compliant | True |
| 165 | (ND, NE) Ensure 'Turn on behavior monitoring' is set to 'Enabled'. | Compliant | True |
| 167 | (ND, NE) Ensure 'Configure local setting override for reporting to Microsoft MAPS' is set to 'Disabled'. | Compliant | True |
| 168 | (ND, NE) Ensure 'Turn on e-mail scanning' is set to 'Enabled'. | Compliant | True |
| 169 | (ND, NE) Ensure 'Scan removable drives' is set to 'Enabled'. | Compliant | True |
| 170 | (ND, NE) Ensure 'Prevent users and apps from accessing dangerous websites' is set to 'Enabled: Block'. | Compliant | True |
| 171 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules' is set to 'Enabled'. | Compliant | True |
| 172_1 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is 'configured'. | Compliant | True |
| 172_2 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is 'configured'. | Compliant | True |
| 172_3 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is 'configured'. | Compliant | True |
| 172_4 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is 'configured'. | Compliant | True |
| 172_5 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is 'configured'. | Compliant | True |
| 172_6 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is 'configured'. | Compliant | True |
| 172_7 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is 'configured'. | Compliant | True |
| 172_8 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is 'configured'. | Compliant | True |
| 172_9 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is 'configured'. | Compliant | True |
| 172_10 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is 'configured'. | Compliant | True |
| 172_11 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is 'configured'. | Compliant | True |
| 173 | (ND, NE) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent bypass'. | Compliant | True |
| 174 | (ND, NE) Ensure 'Prevent bypassing Windows Defender SmartScreen prompts for sites' is set to 'Enabled'. | Compliant | True |
| 175 | (ND, NE) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled'. | Compliant | True |
| 177 | (ND, NE) Ensure 'Allow Windows Ink Workspace' is set to 'Enabled: On, but disallow access above lock' OR 'Disabled'. | Compliant | True |
| 178 | (ND, NE) Ensure 'Allow user control over installs' is set to 'Disabled'. | Compliant | True |
| 180 | (ND, NE) Ensure 'Always install with elevated privileges' is set to 'Disabled'. | Compliant | True |
| 181 | (ND, NE) Ensure 'Always install with elevated privileges' is set to 'Disabled'. | Registry key not found. | False |
| 183 | (ND, NE) Ensure 'Turn on Script Execution' is set to 'Enabled: Allow local scripts and remote signed scripts'. | Registry key not found. | False |
| 185 | (ND, NE) Ensure 'Configure Automatic Updates' is set to 'Enabled: 4 Auto download and schedule the install'. | Compliant | True |
| 186 | (ND, NE) Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day'. | Compliant | True |
| 187 | (ND, NE) Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled'. | Compliant | True |
| 188 | (ND, NE) Ensure 'Remove access to "Pause updates" feature' is set to 'Enabled'. | Compliant | True |
| 189 | (ND, NE) Ensure 'Sign-in last interactive user automatically after a system-initiated restart' is set to 'Disabled'. | Compliant | True |
| 191 | (ND, NE) Ensure 'Allow Basic authentication' is set to 'Disabled'. | Compliant | True |
| 192 | (ND, NE) Ensure 'Disallow Digest authentication' is set to 'Enabled'. | Compliant | True |
| 193 | (ND, NE) Ensure 'Allow unencrypted traffic' is set to 'Disabled'. | Compliant | True |
| 194 | (ND, NE) Ensure 'Allow Basic authentication' is set to 'Disabled'. | Compliant | True |
| 196 | (ND, NE) Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled'. | Compliant | True |
| 197 | (ND, NE) Ensure 'Allow unencrypted traffic' is set to 'Disabled'. | Compliant | True |
| 198 | (ND, NE) Ensure 'Prevent users from modifying settings' is set to 'Enabled'. | Compliant | True |
| 199 | (ND, NE) Ensure 'Enables or disables Windows Game Recording and Broadcasting' is set to 'Disabled'. | Compliant | True |
| 209 | (ND, NE) Configure 'Interactive logon: Message title for users attempting to log on'. | Compliant | True |
| 210 | (ND, NE) Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled'. | Compliant | True |
| 211 | (ND, NE) Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled'. | Compliant | True |
| 212 | (ND, NE) Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled'. | Compliant | True |
| 213 | (ND, NE) Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled'. | Compliant | True |
| 214 | (ND, NE) Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled'. | Compliant | True |
| 215 | (ND, NE) Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled'. | Compliant | True |
| 216 | (ND, NE) Ensure 'User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop' is set to 'Disabled'. | Compliant | True |
| 217 | (ND, NE) Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure desktop'. | Compliant | True |
| 218 | (ND, NE) Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Prompt for credentials on the secure desktop'. | Registry value is '3'. Expected: 1 | False |
| 219 | (ND) Ensure 'Domain member: Disable machine account password changes' is set to 'Disabled'. | Compliant | True |
| 220 | (ND) Ensure 'Domain member: Digitally sign secure channel data (when possible)' is set to 'Enabled'. | Compliant | True |
| 221 | (ND) Ensure 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'Enabled'. | Compliant | True |
| 222 | (ND) Ensure 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'Enabled'. | Compliant | True |
| 223 | (ND) Ensure 'Domain member: Maximum machine account password age' is set to '30 or fewer days, but not 0'. | Compliant | True |
| 224 | (ND) Ensure 'Domain member: Require strong (Windows 2000 or later) session key' is set to 'Enabled'. | Compliant | True |
| 226 | (ND, NE) Ensure 'Devices: Allowed to format and eject removable media' is set to 'Administrators and Interactive Users'. | Compliant | True |
| 227 | (ND, NE) Ensure 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days'. | Compliant | True |
| 229 | Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0'. | Compliant | True |
| 230 | (ND, NE) Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled'. | Compliant | True |
| 231 | (ND, NE) Configure 'Interactive logon: Message text for users attempting to log on'. | Compliant | True |
| 232 | (ND) Ensure 'Interactive logon: Machine account lockout threshold' is set to '10 or fewer invalid logon attempts, but not 0'. | Compliant | True |
| 233 | (ND) Ensure 'Interactive logon: Smart card removal behavior' is set to 'Lock Workstation' or higher. | Compliant | True |
| 234 | (ND, NE) Ensure 'Interactive logon: Don't display last signed-in' is set to 'Enabled'. | Compliant | True |
| 239 | (ND, NE) Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled'. | Compliant | True |
| 240 | (ND, NE) Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts'. | Compliant | True |
| 241 | (ND, NE) Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled'. | Registry value is '0'. Expected: 1 | False |
| 242 | (ND, NE) Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled'. | Compliant | True |
| 243 | (ND, NE) Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled'. | Compliant | True |
| 244 | (ND, NE) Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled'. | Compliant | True |
| 245 | (ND, NE) Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled'. | Registry value is '0'. Expected: 1 | False |
| 246 | (ND, NE) Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled'. | Registry value is '0'. Expected: 1 | False |
| 247 | (ND, NE) Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s)'. | Compliant | True |
| 248 | (ND) Ensure 'Microsoft network server: Server SPN target name validation level' is set to 'Accept if provided by client' or higher. | Compliant | True |
| 252 | (ND) Ensure 'Network security: Configure encryption types allowed for Kerberos' is set to 'AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types'. | Compliant | True |
| 253 | (ND, NE) Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled'. | Compliant | True |
| 254 | (ND, NE) Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only'. | Compliant | True |
| 255 | (ND, NE) Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'. | Compliant | True |
| 256 | (ND, NE) Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled'. | Compliant | True |
| 257 | (ND) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to 'Require NTLMv2 session security, Require 128-bit encryption'. | Compliant | True |
| 258 | (ND) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to 'Require NTLMv2 session security, Require 128-bit encryption'. | Compliant | True |
| 259 | (ND) Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signing' or higher. | Compliant | True |
| 260 | (ND, NE) Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled'. | Compliant | True |
| 261 | (ND, NE) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled'. | Compliant | True |
| 262 | (ND) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is set to 'Enabled'. | Compliant | True |
| 263 | (ND) Ensure 'Network access: Allow anonymous SID/Name translation' is set to 'Disabled'. | Registry value not found. | False |
| 264 | (ND, NE) Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled'. | Compliant | True |
| 265 | (ND, NE) Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow'. | Compliant | True |
| 266 | (ND) Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled'. | Compliant | True |
| 267 | (ND, NE) Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None'. | Compliant | True |
| 268 | (ND, NE) Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves'. | Compliant | True |
| 269 | (ND, NE) Ensure 'Network access: Named Pipes that can be accessed anonymously' is set to 'None'. | Compliant | True |
| 270 | (ND, NE) Configure 'Network access: Remotely accessible registry paths and sub-paths'. | Compliant | True |
| 271 | (ND, NE) Configure 'Network access: Remotely accessible registry paths'. | Compliant | True |
| 272 | (ND, NE) Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled'. | Compliant | True |
| 275 | (ND, NE) Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled'. | Compliant | True |
| 276 | (ND, NE) Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled'. | Compliant | True |
| 317 | (ND, NE) Ensure 'Connected User Experiences and Telemetry' is set to 'Disabled'. | Registry value not found. | False |
| 320 | (ND, NE) Ensure 'Computer Browser (Browser)' is set to 'Disabled' or 'Not Installed'. | Compliant | True |
| 321 | (NE, ND) Ensure 'Internet Connection Sharing (ICS) (SharedAccess)' is set to 'Disabled'. | Compliant | True |
| 323 | (ND, NE) Ensure 'IIS Admin Service (IISADMIN)' is set to 'Disabled' or 'Not Installed'. | Compliant | True |
| 324 | (NE, ND) Ensure 'Infrared monitor service (irmon)' is set to 'Disabled'. | Compliant | True |
| 326 | (ND, NE) Ensure 'LxssManager (LxssManager)' is set to 'Disabled' or 'Not Installed'. | Compliant | True |
| 328 | (ND, NE) Ensure 'Microsoft FTP Service (FTPSVC)' is set to 'Disabled' or 'Not Installed'. | Compliant | True |
| 331 | (ND, NE) Ensure 'OpenSSH SSH Server (sshd)' is set to 'Disabled' or 'Not Installed'. | Compliant | True |
| 338 | (ND, NE) Ensure 'Routing and Remote Access (RemoteAccess)' is set to 'Disabled'. | Compliant | True |
| 339 | (ND, NE) Ensure 'Remote Procedure Call (RPC) Locator (RpcLocator)' is set to 'Disabled'. | Compliant | True |
| 341 | (ND, NE) Ensure 'Simple TCP/IP Services (simptcp)' is set to 'Disabled' or 'Not Installed'. | Compliant | True |
| 343 | (ND, NE) Ensure 'SSDP Discovery (SSDPSRV)' is set to 'Disabled'. | Compliant | True |
| 345 | (ND, NE) Ensure 'UPnP Device Host (upnphost)' is set to 'Disabled'. | Compliant | True |
| 348 | (ND, NE) Ensure 'Web Management Service (WMSvc)' is set to 'Disabled' or 'Not Installed'. | Compliant | True |
| 349 | (ND, NE) Ensure 'Windows Media Player Network Sharing Service (WMPNetworkSvc)' is set to 'Disabled'. | Compliant | True |
| 351 | (HD) Ensure 'Windows Mobile Hotspot Service (icssvc)' is set to 'Disabled'. | Compliant | True |
| 356 | (ND, NE) Ensure 'World Wide Web Publishing Service (W3SVC)' is set to 'Disabled' or 'Not Installed'. | Compliant | True |
| 357 | (ND, NE) Ensure 'Xbox Accessory Management Service (XboxGipSvc)' is set to 'Disabled'. | Compliant | True |
| 358 | (ND, NE) Ensure 'Xbox Live Auth Manager (XblAuthManager)' is set to 'Disabled'. | Compliant | True |
| 359 | (ND, NE) Ensure 'Xbox Live Networking Service (XboxNetApiSvc)' is set to 'Disabled'. | Compliant | True |
| 360 | (ND, NE) Ensure 'Xbox Live Game Save (XblGameSave)' is set to 'Disabled'. | Compliant | True |
| 361 | (ND) Ensure 'Windows Firewall: Domain: Outbound connections' is set to 'Allow (default)'. | Compliant | True |
| 362 | (ND) Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No'. | Compliant | True |
| 363 | (ND) Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)'. | Compliant | True |
| 364 | (ND) Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On (recommended)'. | Compliant | True |
| 365 | (ND, NE) Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow (default)'. | Compliant | True |
| 366 | (ND, NE) Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'No'. | Compliant | True |
| 367 | (ND, NE) Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)'. | Compliant | True |
| 368 | (ND, NE) Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)'. | Compliant | True |
| 369 | (ND, NE) Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No'. | Compliant | True |
| 370 | (ND, NE) Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No'. | Compliant | True |
| 371 | (ND, NE) Ensure 'Windows Firewall: Private: Outbound connections' is set to 'Allow (default)'. | Compliant | True |
| 372 | (ND, NE) Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No'. | Compliant | True |
| 373 | (ND, NE) Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)'. | Compliant | True |
| 374 | (ND, NE) Ensure 'Windows Firewall: Private: Firewall state' is set to 'On (recommended)'. | Compliant | True |
User Rights Assignment
| Id | Task | Message | Status |
|---|---|---|---|
| 277 | (ND, NE) Ensure 'Change the system time' is set to 'Administrators, LOCAL SERVICE'. | Compliant | True |
| 278 | (ND, NE) Ensure 'Change the time zone' is set to 'Administrators, LOCAL SERVICE, Users'. | Compliant | True |
| 279 | (ND, NE) Ensure 'Increase scheduling priority' is set to 'Administrators, Window Manager\Window Manager Group'. | Compliant | True |
| 280 | (ND, NE) Ensure 'Deny log on as a batch job' to include 'ANONYMOUS LOGON, Guests'. | The user 'SeDenyBatchLogonRight' setting does not contain the following users: NT AUTHORITY\ANONYMOUS LOGON | False |
| 282 | (ND, NE) Ensure 'Deny log on as a service' to include 'ANONYMOUS LOGON, Guests'. | The user 'SeDenyServiceLogonRight' setting does not contain the following users: NT AUTHORITY\ANONYMOUS LOGON | False |
| 284 | (ND) Ensure 'Deny log on through Remote Desktop Services' to include 'ANONYMOUS LOGON, Guests, Local account'. | The user right 'SeDenyRemoteInteractiveLogonRight' contains following unexpected users: NT AUTHORITY\Local account. The user 'SeDenyRemoteInteractiveLogonRight' setting does not contain the following users: NT AUTHORITY\ANONYMOUS LOGON, LOCAL | False |
| 285 | (ND, NE) Ensure 'Allow log on through Remote Desktop Services' is set to 'Administrators, Remote Desktop Users'. | Compliant | True |
| 286 | (ND, NE) Ensure 'Impersonate a client after authentication' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'. | Compliant | True |
| 287 | (ND, NE) Ensure 'Adjust memory quotas for a process' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE'. | The user right 'SeIncreaseQuotaPrivilege' contains following unexpected users: NT SERVICE\SQLSERVERAGENT, NT SERVICE\MSSQLSERVER | False |
| 288 | (ND, NE) Ensure 'Access Credential Manager as a trusted caller' is set to 'No One'. | Compliant | True |
| 289 | (ND, NE) Ensure 'Access this computer from the network' is set to 'Administrators, Remote Desktop Users'. | The user right 'SeNetworkLogonRight' contains following unexpected users: BUILTIN\Users, BUILTIN\Backup Operators. The user 'SeNetworkLogonRight' setting does not contain the following users: BUILTIN\Remote Desktop Users | False |
| 290 | (ND, NE) Ensure 'Debug programs' is set to 'Administrators'. | Compliant | True |
| 291 | (ND, NE) Ensure 'Perform volume maintenance tasks' is set to 'Administrators'. | Compliant | True |
| 292 | (ND, NE) Ensure 'Act as part of the operating system' is set to 'No One'. | Compliant | True |
| 293 | (ND) Ensure 'Enable computer and user accounts to be trusted for delegation' is set to 'No One'. | Compliant | True |
| 294 | (ND, NE) Ensure 'Replace a process level token' is set to 'LOCAL SERVICE, NETWORK SERVICE'. | The user right 'SeAssignPrimaryTokenPrivilege' contains following unexpected users: NT SERVICE\SQLSERVERAGENT, NT SERVICE\MSSQLSERVER | False |
| 295 | (ND, NE) Ensure 'Create a pagefile' is set to 'Administrators'. | Compliant | True |
| 296 | (ND, NE) Ensure 'Profile system performance' is set to 'Administrators, NT SERVICE\WdiServiceHost'. | Compliant | True |
| 297 | (ND, NE) Ensure 'Profile single process' is set to 'Administrators'. | Compliant | True |
| 298 | (ND, NE) Ensure 'Create a token object' is set to 'No One'. | Compliant | True |
| 299 | (ND, NE) Ensure 'Create global objects' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'. | Compliant | True |
| 300 | (ND, NE) Ensure 'Create symbolic links' is set to 'Administrators'. | The user right 'SeCreateSymbolicLinkPrivilege' contains following unexpected users: NT VIRTUAL MACHINE\Virtual Machines | False |
| 301 | (ND, NE) Ensure 'Create permanent shared objects' is set to 'No One'. | Compliant | True |
| 302 | (ND, NE) Ensure 'Force shutdown from a remote system' is set to 'Administrators'. | Compliant | True |
| 303 | (ND, NE) Ensure 'Generate security audits' is set to 'LOCAL SERVICE, NETWORK SERVICE'. | Compliant | True |
| 304 | (ND, NE) Ensure 'Shut down the system' is set to 'Administrators, Users'. | The user right 'SeShutdownPrivilege' contains following unexpected users: BUILTIN\Backup Operators | False |
| 305 | (ND, NE) Ensure 'Load and unload device drivers' is set to 'Administrators'. | Compliant | True |
| 306 | (ND, NE) Ensure 'Deny log on locally' to include 'ANONYMOUS LOGON, Guests'. | The user 'SeDenyInteractiveLogonRight' setting does not contain the following users: NT AUTHORITY\ANONYMOUS LOGON | False |
| 307 | (ND, NE) Ensure 'Allow log on locally' is set to 'Administrators, Users'. | The user right 'SeInteractiveLogonRight' contains following unexpected users: DESKTOP-UTMU75K\OldGuest, BUILTIN\Backup Operators | False |
| 308 | (ND, NE) Ensure 'Back up files and directories' is set to 'Administrators'. | The user right 'SeBackupPrivilege' contains following unexpected users: BUILTIN\Backup Operators | False |
| 309 | (ND, NE) Ensure 'Lock pages in memory' is set to 'No One'. | Compliant | True |
| 310 | (ND, NE) Ensure 'Take ownership of files or other objects' is set to 'Administrators'. | Compliant | True |
| 311 | (ND, NE) Ensure 'Modify firmware environment values' is set to 'Administrators'. | Compliant | True |
| 312 | (ND, NE) Ensure 'Modify an object label' is set to 'No One'. | Compliant | True |
| 313 | (ND, NE) Ensure 'Manage auditing and security log' is set to 'Administrators'. | Compliant | True |
| 314 | (ND, NE) Ensure 'Restore files and directories' is set to 'Administrators'. | The user right 'SeRestorePrivilege' contains following unexpected users: BUILTIN\Backup Operators | False |
| 315 | (ND, NE) Ensure 'Deny access to this computer from the network' to include 'ANONYMOUS LOGON, Guest, Local account'. | The user 'SeDenyNetworkLogonRight' setting does not contain the following users: NT AUTHORITY\ANONYMOUS LOGON | False |
Account Policies
| Id | Task | Message | Status |
|---|---|---|---|
| 200 | (ND, NE) Ensure 'Store passwords using reversible encryption' is set to 'Disabled'. | Compliant | True |
| 201 | (ND, NE) Ensure 'Password must meet complexity requirements' is set to 'Enabled'. | Compliant | True |
| 202 | (ND, NE) Ensure 'Enforce password history' is set to '24 or more password(s)'. | Compliant | True |
| 203 | (ND, NE) Ensure 'Maximum password age' is set to '365 or fewer days, but not 0'. | Compliant | True |
| 204 | (ND, NE) Ensure 'Minimum password length' is set to '14 or more character(s)'. | Compliant | True |
| 205 | (ND, NE) Ensure 'Minimum password age' is set to '1 or more day(s)'. | Compliant | True |
| 206 | (ND) Ensure 'Account lockout duration' is set to '15 or more minute(s)'. | Compliant | True |
| 207 | (ND) Ensure 'Account lockout threshold' is set to '10 or fewer invalid logon attempt(s), but not 0'. | Compliant | True |
| 208 | (ND) Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)'. | Compliant | True |
BSI Benchmarks SiSyPHuS NE
This section contains the BSI Benchmark results.
Registry Settings/Group Policies
| Id | Task | Message | Status |
|---|---|---|---|
| 1 | (ND, NE) Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled'. | Compliant | True |
| 2 | (ND, NE) Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver'. | Compliant | True |
| 3 | (ND, NE) Ensure 'Configure SMB v1 server' is set to 'Disabled'. | Compliant | True |
| 4 | (ND, NE) Ensure 'Enable Structured Exception Handling Overwrite Protection (SEHOP)' is set to 'Enabled'. | Compliant | True |
| 5 | (ND, NE) Ensure 'WDigest Authentication' is set to 'Disabled'. | Compliant | True |
| 6 | (ND, NE) Ensure 'LSA Protection' is set to 'Enabled'. | Registry value not found. | False |
| 7 | (ND, NE) Ensure 'MSS: (EnableDeadGWDetect) Allow automatic detection of dead network gateways (could lead to DoS)' is set to 'Disabled'. | Registry value not found. | False |
| 8 | (ND, NE) Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon(not recommended)' is set to 'Disabled'. | Compliant | True |
| 9 | (ND, NE) Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'. | Compliant | True |
| 10 | (ND, NE) Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'. | Compliant | True |
| 12 | (ND, NE) Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled'. | Compliant | True |
| 14 | (ND, NE) Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled'. | Compliant | True |
| 16 | (ND, NE) Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' is set to 'Enabled'. | Compliant | True |
| 17 | (ND, NE) Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' is set to 'Enabled: 5 or fewer seconds'. | Compliant | True |
| 20 | (ND, NE) Ensure 'Turn off multicast name resolution' is set to 'Enabled'. | Compliant | True |
| 21 | (ND, NE) Ensure 'NetBIOS node type' is set to 'P-node'. | Compliant | True |
| 22 | (ND, NE) Ensure 'Enable insecure guest logons' is set to 'Disabled'. | Compliant | True |
| 24_1 | (ND, NE) Ensure 'Hardened UNC Paths' is set to "Require Mutual Authentication=1", "Require Integrity=1" for the value names "\\*\NETLOGON" and "\\*\SYSVOL". | Compliant | True |
| 24_2 | (ND, NE) Ensure 'Hardened UNC Paths' is set to "Require Mutual Authentication=1", "Require Integrity=1" for the value names "\\*\NETLOGON" and "\\*\SYSVOL". | Compliant | True |
| 33 | (ND, NE) Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to the value 'Enabled: 1 = Minimize the number of simultaneous connections'. | Registry value not found. | False |
| 34 | (ND) Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled'. | Compliant | True |
| 35 | (ND, NE) Ensure 'Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services' is set to 'Disabled'. | Compliant | True |
| 37 | (ND, NE) Ensure 'Turn off toast notifications on the lock screen' is set to 'Enabled'. | Registry value not found. | False |
| 39 | (ND, NE) Ensure 'Turn off picture password sign-in' is set to 'Enabled'. | Compliant | True |
| 40 | (ND, NE) Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled'. | Compliant | True |
| 41 | (ND, NE) Ensure 'Block user from showing account details on signin' is set to 'Enabled'. | Compliant | True |
| 44 | (ND, NE) Ensure 'Do not display network selection UI' is set to 'Enabled'. | Compliant | True |
| 46 | (ND, NE) Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical'. | Compliant | True |
| 50 | (ND, NE) Ensure 'Encryption Oracle Remediation' is set to 'Enabled: Force Updated Clients'. | Compliant | True |
| 52 | (ND, NE) Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled'. | Compliant | True |
| 53 | (ND, NE) Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled'. | Compliant | True |
| 54 | (ND, NE) Ensure 'Allow network connectivity during connected-standby (on battery)' is set to 'Disabled'. | Compliant | True |
| 55 | (ND, NE) Ensure 'Allow network connectivity during connected-standby (plugged in)' is set to 'Disabled'. | Compliant | True |
| 56 | (ND, NE) Ensure 'Allow standby states (S1-S3) when sleeping (on battery)' is set to 'Disabled'. | Compliant | True |
| 57 | (ND, NE) Ensure 'Allow standby states (S1-S3) when sleeping (plugged in)' is set to 'Disabled'. | Compliant | True |
| 59 | (ND, NE) Ensure 'Prevent installation of devices that match any of these device IDs' is configured. | Registry value not found. | False |
| 60 | (ND, NE) Ensure 'Prevent installation of devices using drivers that match these device setup classes' is configured. | Compliant | True |
| 61 | (ND, NE) Ensure 'Continue experiences on this device' is set to 'Disabled'. | Compliant | True |
| 68 | (ND, NE) Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'. | Compliant | True |
| 74 | (ND, NE) Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'. | Compliant | True |
| 81 | (ND, NE) Ensure 'Enumeration policy for external devices incompatible with Kernel DMA Protection' is set to 'Enabled: Block All'. | Compliant | True |
| 84 | (ND, NE) Ensure 'Restrict Unauthenticated RPC clients' is set to 'Enabled: Authenticated'. | Compliant | True |
| 85 | (ND, NE) Ensure 'Enable RPC Endpoint Mapper Client Authentication' is set to 'Enabled'. | Compliant | True |
| 86 | (ND, NE) Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled'. | Compliant | True |
| 87 | (ND, NE) Ensure 'Configure Offer Remote Assistance' is set to 'Disabled'. | Compliant | True |
| 88 | (ND, NE) Ensure 'Ignore the default list of blocked TPM commands' is set to 'Disabled'. | Registry key not found. | False |
| 89 | (ND, NE) Ensure 'Standard User Lockout Duration' is set to '30 minutes'. | Registry value not found. | False |
| 90 | (ND, NE) Ensure 'Standard User Total Lockout Threshold' is set to '5'. | Registry value not found. | False |
| 94 | (ND, NE) Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled'. | Compliant | True |
| 95 | (ND, NE) Ensure 'Prevent enabling lock screen camera' is set to 'Enabled'. | Compliant | True |
| 96 | (ND, NE) Ensure 'Force specific screen saver: Screen saver executable name' is set to 'Enabled: scrnsave.scr'. | Registry key not found. | False |
| 97 | (ND, NE) Ensure 'Enable screen saver' is set to 'Enabled'. | Registry key not found. | False |
| 98 | (ND, NE) Ensure 'Password protect the screen saver' is set to 'Enabled'. | Registry key not found. | False |
| 99 | (ND, NE) Ensure 'Screen saver timeout' is set to 'Enabled: 900 seconds or fewer, but not 0'. | Registry key not found. | False |
| 100_1 | (ND, NE) Ensure 'Turn off automatic learning' is set to 'Enabled'. | Registry value not found. | False |
| 100_2 | (ND, NE) Ensure 'Turn off automatic learning' is set to 'Enabled'. | Registry value not found. | False |
| 101 | (ND, NE) Ensure 'Allow users to enable online speech recognition services' is set to 'Disabled'. | Compliant | True |
| 102 | (ND, NE) Ensure 'Notify antivirus programs when opening attachments' is set to 'Enabled'. | Registry key not found. | False |
| 103 | (ND, NE) Ensure 'Do not preserve zone information in file attachments' is set to 'Disabled'. | Registry key not found. | False |
| 106 | (ND, NE) Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled'. | Compliant | True |
| 107 | (ND, NE) Ensure 'Do not display the password reveal button' is set to 'Enabled'. | Compliant | True |
| 109 | (ND, NE) Ensure 'Configure enhanced anti-spoofing' is set to 'Enabled'. | Compliant | True |
| 112 | (ND, NE) Ensure 'Do not suggest third-party content in Windows spotlight' is set to 'Enabled'. | Registry value not found. | False |
| 113 | (ND, NE) Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled'. | Compliant | True |
| 114 | (ND, NE) Ensure 'Configure Windows spotlight on lock screen' is set to 'Disabled'. | Registry value not found. | False |
| 115 | (ND, NE) Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled'. | Compliant | True |
| 116 | (ND, NE) Ensure 'Turn off shell protocol protected mode' is set to 'Disabled'. | Compliant | True |
| 117 | (ND, NE) Ensure 'Turn off heap termination on corruption' is set to 'Disabled'. | Compliant | True |
| 118 | (ND, NE) Ensure 'Toggle user control over Insider builds' is set to 'Disabled'. | Compliant | True |
| 119 | (ND, NE) Ensure 'Do not show feedback notifications' is set to 'Enabled'. | Compliant | True |
| 120 | (ND, NE) Ensure 'Allow Telemetry' is set to 'Enabled: 0 – Security [Enterprise Only]'. | Compliant | True |
| 121 | (ND, NE) Ensure 'Allow device name to be sent in Windows diagnostic data' is set to 'Disabled'. | Registry value not found. | False |
| 124 | (ND, NE) Ensure 'Block all consumer Microsoft account user authentication' is set to 'Enabled'. | Compliant | True |
| 126 | (ND, NE) Ensure 'Prevent users from sharing files within their profile.' is set to 'Enabled'. | Registry key not found. | False |
| 127 | (ND, NE) Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled'. | Registry key not found. | False |
| 131 | (ND, NE) Ensure 'Do not allow drive redirection' is set to 'Enabled'. | Compliant | True |
| 134 | (ND, NE) Ensure 'Always prompt for password upon connection' is set to 'Enabled'. | Compliant | True |
| 135 | (ND, NE) Ensure 'Require user authentication for remote connections by using Network Level Authentication' is set to 'Enabled'. | Compliant | True |
| 136 | (ND, NE) Ensure 'Require secure RPC communication' is set to 'Enabled'. | Compliant | True |
| 137 | (ND, NE) Ensure 'Set client connection encryption level' is set to 'Enabled: High Level'. | Compliant | True |
| 138 | (ND, NE) Ensure 'Require use of specific security layer for remote (RDP) connections' is set to 'Enabled: SSL'. | Compliant | True |
| 139 | (ND, NE) Ensure 'End session when time limits are reached' is set to 'Enabled'. | Registry key not found. | False |
| 142 | (ND, NE) Ensure 'Do not use temporary folders per session' is set to 'Disabled'. | Registry value not found. | False |
| 143 | (ND, NE) Ensure 'Do not delete temp folders upon exit' is set to 'Disabled'. | Compliant | True |
| 145 | (ND, NE) Ensure 'Do not allow passwords to be saved' is set to 'Enabled'. | Compliant | True |
| 146 | (ND, NE) Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled'. | Compliant | True |
| 147 | (ND, NE) Ensure 'Turn off Autoplay' is set to 'Enabled: All drives'. | Compliant | True |
| 148 | (ND, NE) Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands'. | Compliant | True |
| 149 | (ND, NE) Ensure 'Prevent downloading of enclosures' is set to 'Enabled'. | Compliant | True |
| 152 | (ND, NE) Ensure 'Turn off Automatic Download and Install of updates' is set to 'Disabled'. | Compliant | True |
| 153 | (ND, NE) Ensure 'Turn off the offer to update to the latest version of Windows' is set to 'Enabled'. | Compliant | True |
| 157 | (ND, NE) Ensure 'Allow search and Cortana to use location' is set to 'Disabled'. | Compliant | True |
| 158 | (ND, NE) Ensure 'Allow indexing of encrypted files' is set to 'Disabled'. | Compliant | True |
| 159 | (ND, NE) Ensure 'Improve inking and typing recognition' is set to 'Disabled'. | Registry key not found. | False |
| 160 | (ND, NE) Ensure 'Download Mode' is set to 'Enabled: Simple (99)'. | Registry value is '1'. Expected: 99 | False |
| 161 | (ND, NE) Ensure 'Require pin for pairing' is set to 'Enabled: Always'. | Compliant | True |
| 162 | (ND, NE) Ensure 'Configure detection for potentially unwanted applications' is set to 'Enabled: Block'. | Compliant | True |
| 163 | (ND, NE) Ensure 'Turn off Windows Defender Antivirus' is set to 'Disabled'. | Compliant | True |
| 164 | (ND, NE) Ensure 'Configure Watson events' is set to 'Disabled'. | Compliant | True |
| 165 | (ND, NE) Ensure 'Turn on behavior monitoring' is set to 'Enabled'. | Compliant | True |
| 167 | (ND, NE) Ensure 'Configure local setting override for reporting to Microsoft MAPS' is set to 'Disabled'. | Compliant | True |
| 168 | (ND, NE) Ensure 'Turn on e-mail scanning' is set to 'Enabled'. | Compliant | True |
| 169 | (ND, NE) Ensure 'Scan removable drives' is set to 'Enabled'. | Compliant | True |
| 170 | (ND, NE) Ensure 'Prevent users and apps from accessing dangerous websites' is set to 'Enabled: Block'. | Compliant | True |
| 171 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules' is set to 'Enabled'. | Compliant | True |
| 172_1 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is 'configured'. | Compliant | True |
| 172_2 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is 'configured'. | Compliant | True |
| 172_3 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is 'configured'. | Compliant | True |
| 172_4 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is 'configured'. | Compliant | True |
| 172_5 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is 'configured'. | Compliant | True |
| 172_6 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is 'configured'. | Compliant | True |
| 172_7 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is 'configured'. | Compliant | True |
| 172_8 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is 'configured'. | Compliant | True |
| 172_9 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is 'configured'. | Compliant | True |
| 172_10 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is 'configured'. | Compliant | True |
| 172_11 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is 'configured'. | Compliant | True |
| 173 | (ND, NE) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent bypass'. | Compliant | True |
| 174 | (ND, NE) Ensure 'Prevent bypassing Windows Defender SmartScreen prompts for sites' is set to 'Enabled'. | Compliant | True |
| 175 | (ND, NE) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled'. | Compliant | True |
| 177 | (ND, NE) Ensure 'Allow Windows Ink Workspace' is set to 'Enabled: On, but disallow access above lock' OR 'Disabled'. | Compliant | True |
| 178 | (ND, NE) Ensure 'Allow user control over installs' is set to 'Disabled'. | Compliant | True |
| 180 | (ND, NE) Ensure 'Always install with elevated privileges' is set to 'Disabled'. | Compliant | True |
| 181 | (ND, NE) Ensure 'Always install with elevated privileges' is set to 'Disabled'. | Registry key not found. | False |
| 183 | (ND, NE) Ensure 'Turn on Script Execution' is set to 'Enabled: Allow local scripts and remote signed scripts'. | Registry key not found. | False |
| 185 | (ND, NE) Ensure 'Configure Automatic Updates' is set to 'Enabled: 4 Auto download and schedule the install'. | Compliant | True |
| 186 | (ND, NE) Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day'. | Compliant | True |
| 187 | (ND, NE) Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled'. | Compliant | True |
| 188 | (ND, NE) Ensure 'Remove access to "Pause updates" feature' is set to 'Enabled'. | Compliant | True |
| 189 | (ND, NE) Ensure 'Sign-in last interactive user automatically after a system-initiated restart' is set to 'Disabled'. | Compliant | True |
| 191 | (ND, NE) Ensure 'Allow Basic authentication' is set to 'Disabled'. | Compliant | True |
| 192 | (ND, NE) Ensure 'Disallow Digest authentication' is set to 'Enabled'. | Compliant | True |
| 193 | (ND, NE) Ensure 'Allow unencrypted traffic' is set to 'Disabled'. | Compliant | True |
| 194 | (ND, NE) Ensure 'Allow Basic authentication' is set to 'Disabled'. | Compliant | True |
| 196 | (ND, NE) Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled'. | Compliant | True |
| 197 | (ND, NE) Ensure 'Allow unencrypted traffic' is set to 'Disabled'. | Compliant | True |
| 198 | (ND, NE) Ensure 'Prevent users from modifying settings' is set to 'Enabled'. | Compliant | True |
| 199 | (ND, NE) Ensure 'Enables or disables Windows Game Recording and Broadcasting' is set to 'Disabled'. | Compliant | True |
| 209 | (ND, NE) Configure 'Interactive logon: Message title for users attempting to log on'. | Compliant | True |
| 210 | (ND, NE) Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled'. | Compliant | True |
| 211 | (ND, NE) Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled'. | Compliant | True |
| 212 | (ND, NE) Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled'. | Compliant | True |
| 213 | (ND, NE) Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled'. | Compliant | True |
| 214 | (ND, NE) Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled'. | Compliant | True |
| 215 | (ND, NE) Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled'. | Compliant | True |
| 216 | (ND, NE) Ensure 'User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop' is set to 'Disabled'. | Compliant | True |
| 217 | (ND, NE) Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure desktop'. | Compliant | True |
| 218 | (ND, NE) Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Prompt for credentials on the secure desktop'. | Registry value is '3'. Expected: 1 | False |
| 226 | (ND, NE) Ensure 'Devices: Allowed to format and eject removable media' is set to 'Administrators and Interactive Users'. | Compliant | True |
| 227 | (ND, NE) Ensure 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days'. | Compliant | True |
| 229 | Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0'. | Compliant | True |
| 230 | (ND, NE) Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled'. | Compliant | True |
| 231 | (ND, NE) Configure 'Interactive logon: Message text for users attempting to log on'. | Compliant | True |
| 234 | (ND, NE) Ensure 'Interactive logon: Don't display last signed-in' is set to 'Enabled'. | Compliant | True |
| 239 | (ND, NE) Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled'. | Compliant | True |
| 240 | (ND, NE) Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts'. | Compliant | True |
| 241 | (ND, NE) Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled'. | Registry value is '0'. Expected: 1 | False |
| 242 | (ND, NE) Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled'. | Compliant | True |
| 243 | (ND, NE) Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled'. | Compliant | True |
| 244 | (ND, NE) Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled'. | Compliant | True |
| 245 | (ND, NE) Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled'. | Registry value is '0'. Expected: 1 | False |
| 246 | (ND, NE) Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled'. | Registry value is '0'. Expected: 1 | False |
| 247 | (ND, NE) Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s)'. | Compliant | True |
| 252 | (ND) Ensure 'Network security: Configure encryption types allowed for Kerberos' is set to 'AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types'. | Compliant | True |
| 253 | (ND, NE) Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled'. | Compliant | True |
| 254 | (ND, NE) Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only'. | Compliant | True |
| 255 | (ND, NE) Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'. | Compliant | True |
| 256 | (ND, NE) Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled'. | Compliant | True |
| 257 | (ND) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to 'Require NTLMv2 session security, Require 128-bit encryption'. | Compliant | True |
| 258 | (ND) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to 'Require NTLMv2 session security, Require 128-bit encryption'. | Compliant | True |
| 259 | (ND) Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signing' or higher. | Compliant | True |
| 260 | (ND, NE) Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled'. | Compliant | True |
| 261 | (ND, NE) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled'. | Compliant | True |
| 262 | (ND) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is set to 'Enabled'. | Compliant | True |
| 263 | (ND) Ensure 'Network access: Allow anonymous SID/Name translation' is set to 'Disabled'. | Registry value not found. | False |
| 264 | (ND, NE) Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled'. | Compliant | True |
| 265 | (ND, NE) Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow'. | Compliant | True |
| 266 | (ND) Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled'. | Compliant | True |
| 267 | (ND, NE) Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None'. | Compliant | True |
| 268 | (ND, NE) Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves'. | Compliant | True |
| 269 | (ND, NE) Ensure 'Network access: Named Pipes that can be accessed anonymously' is set to 'None'. | Compliant | True |
| 270 | (ND, NE) Configure 'Network access: Remotely accessible registry paths and sub-paths'. | Compliant | True |
| 271 | (ND, NE) Configure 'Network access: Remotely accessible registry paths'. | Compliant | True |
| 272 | (ND, NE) Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled'. | Compliant | True |
| 275 | (ND, NE) Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled'. | Compliant | True |
| 276 | (ND, NE) Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled'. | Compliant | True |
| 317 | (ND, NE) Ensure 'Connected User Experiences and Telemetry' is set to 'Disabled'. | Registry value not found. | False |
| 320 | (ND, NE) Ensure 'Computer Browser (Browser)' is set to 'Disabled' or 'Not Installed'. | Compliant | True |
| 321 | (NE, ND) Ensure 'Internet Connection Sharing (ICS) (SharedAccess)' is set to 'Disabled'. | Compliant | True |
| 323 | (ND, NE) Ensure 'IIS Admin Service (IISADMIN)' is set to 'Disabled' or 'Not Installed'. | Compliant | True |
| 324 | (NE, ND) Ensure 'Infrared monitor service (irmon)' is set to 'Disabled'. | Compliant | True |
| 326 | (ND, NE) Ensure 'LxssManager (LxssManager)' is set to 'Disabled' or 'Not Installed'. | Compliant | True |
| 328 | (ND, NE) Ensure 'Microsoft FTP Service (FTPSVC)' is set to 'Disabled' or 'Not Installed'. | Compliant | True |
| 331 | (ND, NE) Ensure 'OpenSSH SSH Server (sshd)' is set to 'Disabled' or 'Not Installed'. | Compliant | True |
| 338 | (ND, NE) Ensure 'Routing and Remote Access (RemoteAccess)' is set to 'Disabled'. | Compliant | True |
| 339 | (ND, NE) Ensure 'Remote Procedure Call (RPC) Locator (RpcLocator)' is set to 'Disabled'. | Compliant | True |
| 341 | (ND, NE) Ensure 'Simple TCP/IP Services (simptcp)' is set to 'Disabled' or 'Not Installed'. | Compliant | True |
| 343 | (ND, NE) Ensure 'SSDP Discovery (SSDPSRV)' is set to 'Disabled'. | Compliant | True |
| 345 | (ND, NE) Ensure 'UPnP Device Host (upnphost)' is set to 'Disabled'. | Compliant | True |
| 348 | (ND, NE) Ensure 'Web Management Service (WMSvc)' is set to 'Disabled' or 'Not Installed'. | Compliant | True |
| 349 | (ND, NE) Ensure 'Windows Media Player Network Sharing Service (WMPNetworkSvc)' is set to 'Disabled'. | Compliant | True |
| 351 | (HD) Ensure 'Windows Mobile Hotspot Service (icssvc)' is set to 'Disabled'. | Compliant | True |
| 356 | (ND, NE) Ensure 'World Wide Web Publishing Service (W3SVC)' is set to 'Disabled' or 'Not Installed'. | Compliant | True |
| 357 | (ND, NE) Ensure 'Xbox Accessory Management Service (XboxGipSvc)' is set to 'Disabled'. | Compliant | True |
| 358 | (ND, NE) Ensure 'Xbox Live Auth Manager (XblAuthManager)' is set to 'Disabled'. | Compliant | True |
| 359 | (ND, NE) Ensure 'Xbox Live Networking Service (XboxNetApiSvc)' is set to 'Disabled'. | Compliant | True |
| 360 | (ND, NE) Ensure 'Xbox Live Game Save (XblGameSave)' is set to 'Disabled'. | Compliant | True |
| 365 | (ND, NE) Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow (default)'. | Compliant | True |
| 366 | (ND, NE) Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'No'. | Compliant | True |
| 367 | (ND, NE) Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)'. | Compliant | True |
| 368 | (ND, NE) Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)'. | Compliant | True |
| 369 | (ND, NE) Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No'. | Compliant | True |
| 370 | (ND, NE) Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No'. | Compliant | True |
| 371 | (ND, NE) Ensure 'Windows Firewall: Private: Outbound connections' is set to 'Allow (default)'. | Compliant | True |
| 372 | (ND, NE) Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No'. | Compliant | True |
| 373 | (ND, NE) Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)'. | Compliant | True |
| 374 | (ND, NE) Ensure 'Windows Firewall: Private: Firewall state' is set to 'On (recommended)'. | Compliant | True |
User Rights Assignment
| Id | Task | Message | Status |
|---|---|---|---|
| 277 | (ND, NE) Ensure 'Change the system time' is set to 'Administrators, LOCAL SERVICE'. | Compliant | True |
| 278 | (ND, NE) Ensure 'Change the time zone' is set to 'Administrators, LOCAL SERVICE, Users'. | Compliant | True |
| 279 | (ND, NE) Ensure 'Increase scheduling priority' is set to 'Administrators, Window Manager\Window Manager Group'. | Compliant | True |
| 280 | (ND, NE) Ensure 'Deny log on as a batch job' to include 'ANONYMOUS LOGON, Guests'. | The user 'SeDenyBatchLogonRight' setting does not contain the following users: NT AUTHORITY\ANONYMOUS LOGON | False |
| 282 | (ND, NE) Ensure 'Deny log on as a service' to include 'ANONYMOUS LOGON, Guests'. | The user 'SeDenyServiceLogonRight' setting does not contain the following users: NT AUTHORITY\ANONYMOUS LOGON | False |
| 284 | (ND) Ensure 'Deny log on through Remote Desktop Services' to include 'ANONYMOUS LOGON, Guests, Local account'. | The user right 'SeDenyRemoteInteractiveLogonRight' contains following unexpected users: NT AUTHORITY\Local account; The user 'SeDenyRemoteInteractiveLogonRight' setting does not contain the following users: NT AUTHORITY\ANONYMOUS LOGON, LOCAL | False |
| 285 | (ND, NE) Ensure 'Allow log on through Remote Desktop Services' is set to 'Administrators, Remote Desktop Users'. | Compliant | True |
| 286 | (ND, NE) Ensure 'Impersonate a client after authentication' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'. | Compliant | True |
| 287 | (ND, NE) Ensure 'Adjust memory quotas for a process' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE'. | The user right 'SeIncreaseQuotaPrivilege' contains following unexpected users: NT SERVICE\SQLSERVERAGENT, NT SERVICE\MSSQLSERVER | False |
| 288 | (ND, NE) Ensure 'Access Credential Manager as a trusted caller' is set to 'No One'. | Compliant | True |
| 289 | (ND, NE) Ensure 'Access this computer from the network' is set to 'Administrators, Remote Desktop Users'. | The user right 'SeNetworkLogonRight' contains following unexpected users: BUILTIN\Users, BUILTIN\Backup Operators; The user 'SeNetworkLogonRight' setting does not contain the following users: BUILTIN\Remote Desktop Users | False |
| 290 | (ND, NE) Ensure 'Debug programs' is set to 'Administrators'. | Compliant | True |
| 291 | (ND, NE) Ensure 'Perform volume maintenance tasks' is set to 'Administrators'. | Compliant | True |
| 292 | (ND, NE) Ensure 'Act as part of the operating system' is set to 'No One'. | Compliant | True |
| 294 | (ND, NE) Ensure 'Replace a process level token' is set to 'LOCAL SERVICE, NETWORK SERVICE'. | The user right 'SeAssignPrimaryTokenPrivilege' contains following unexpected users: NT SERVICE\SQLSERVERAGENT, NT SERVICE\MSSQLSERVER | False |
| 295 | (ND, NE) Ensure 'Create a pagefile' is set to 'Administrators'. | Compliant | True |
| 296 | (ND, NE) Ensure 'Profile system performance' is set to 'Administrators, NT SERVICE\WdiServiceHost'. | Compliant | True |
| 297 | (ND, NE) Ensure 'Profile single process' is set to 'Administrators'. | Compliant | True |
| 298 | (ND, NE) Ensure 'Create a token object' is set to 'No One'. | Compliant | True |
| 299 | (ND, NE) Ensure 'Create global objects' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'. | Compliant | True |
| 300 | (ND, NE) Ensure 'Create symbolic links' is set to 'Administrators'. | The user right 'SeCreateSymbolicLinkPrivilege' contains following unexpected users: NT VIRTUAL MACHINE\Virtual Machines | False |
| 301 | (ND, NE) Ensure 'Create permanent shared objects' is set to 'No One'. | Compliant | True |
| 302 | (ND, NE) Ensure 'Force shutdown from a remote system' is set to 'Administrators'. | Compliant | True |
| 303 | (ND, NE) Ensure 'Generate security audits' is set to 'LOCAL SERVICE, NETWORK SERVICE'. | Compliant | True |
| 304 | (ND, NE) Ensure 'Shut down the system' is set to 'Administrators, Users'. | The user right 'SeShutdownPrivilege' contains following unexpected users: BUILTIN\Backup Operators | False |
| 305 | (ND, NE) Ensure 'Load and unload device drivers' is set to 'Administrators'. | Compliant | True |
| 306 | (ND, NE) Ensure 'Deny log on locally' to include 'ANONYMOUS LOGON, Guests'. | The user 'SeDenyInteractiveLogonRight' setting does not contain the following users: NT AUTHORITY\ANONYMOUS LOGON | False |
| 307 | (ND, NE) Ensure 'Allow log on locally' is set to 'Administrators, Users'. | The user right 'SeInteractiveLogonRight' contains following unexpected users: DESKTOP-UTMU75K\OldGuest, BUILTIN\Backup Operators | False |
| 308 | (ND, NE) Ensure 'Back up files and directories' is set to 'Administrators'. | The user right 'SeBackupPrivilege' contains following unexpected users: BUILTIN\Backup Operators | False |
| 309 | (ND, NE) Ensure 'Lock pages in memory' is set to 'No One'. | Compliant | True |
| 310 | (ND, NE) Ensure 'Take ownership of files or other objects' is set to 'Administrators'. | Compliant | True |
| 311 | (ND, NE) Ensure 'Modify firmware environment values' is set to 'Administrators'. | Compliant | True |
| 312 | (ND, NE) Ensure 'Modify an object label' is set to 'No One'. | Compliant | True |
| 313 | (ND, NE) Ensure 'Manage auditing and security log' is set to 'Administrators'. | Compliant | True |
| 314 | (ND, NE) Ensure 'Restore files and directories' is set to 'Administrators'. | The user right 'SeRestorePrivilege' contains following unexpected users: BUILTIN\Backup Operators | False |
| 315 | (ND, NE) Ensure 'Deny access to this computer from the network' to include 'ANONYMOUS LOGON, Guest, Local account'. | The user 'SeDenyNetworkLogonRight' setting does not contain the following users: NT AUTHORITY\ANONYMOUS LOGON | False |
Account Policies
| Id | Task | Message | Status |
|---|---|---|---|
| 200 | (ND, NE) Ensure 'Store passwords using reversible encryption' is set to 'Disabled'. | Compliant | True |
| 201 | (ND, NE) Ensure 'Password must meet complexity requirements' is set to 'Enabled'. | Compliant | True |
| 202 | (ND, NE) Ensure 'Enforce password history' is set to '24 or more password(s)'. | Compliant | True |
| 203 | (ND, NE) Ensure 'Maximum password age' is set to '365 or fewer days, but not 0'. | Compliant | True |
| 204 | (ND, NE) Ensure 'Minimum password length' is set to '14 or more character(s)'. | Compliant | True |
| 205 | (ND, NE) Ensure 'Minimum password age' is set to '1 or more day(s)'. | Compliant | True |
BSI Benchmarks SiM-08202 - BPOL
This section contains the BSI Benchmark results.
Registry Settings/Group Policies
| Id | Task | Message | Status |
|---|---|---|---|
| 0003 | Ensure 'Configure Automatic Updates' is set to 4 | Registry value not found. | False |
| 0004 | Ensure 'Configure Automatic Updates' is set to 'Every Day' | Compliant | True |
| 0005 | Ensure 'Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' | Compliant | True |
| 0006 | Ensure 'Specify the maximum log file size (KB)' is set to 'Enabled: 32768' | Compliant | True |
| 0032 | Ensure 'Setup: Specify the maximum log file size (KB)' is set to 32768. | Registry key not found. | False |
| 0037 | Ensure 'Allow enhanced PINs for startup' is set 'Enabled'. | Compliant | True |
| 0038 | Ensure 'Allow Secure Boot for integrity validation' is set 'Enabled'. | Compliant | True |
| 0039 | Ensure 'Allow Secure Boot for integrity validation' is set 'Enabled'. | Registry value not found. | False |
| 0040 | Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set 'Disabled'. | Compliant | True |
| 0041 | Ensure 'Allow user control over installs' is set 'Disabled'. | Compliant | True |
| 0043 | Ensure 'Enable Windows NTP Client' is set to 'Enabled' | Compliant | True |
| 0065 | Ensure 'Enumerate administrator accounts on elevation' is set 'Disabled'. | Registry value not found. | False |
| 0101 | Ensure 'Restrict Unauthenticated RPC clients' is set 'Enabled' | Compliant | True |
| 0109 | Ensure 'Allow Telemetry' is set to 0. | Registry value is '1'. Expected: 0 | False |
| 0110 | Ensure 'Do not show feedback notifications' is set to 1. | Compliant | True |
| 0111 | Ensure 'Turn on MSDT interactive communication with support provider' is set to 'Disabled'. | Compliant | True |
| 0112 | Ensure 'Toggle user control over Insider builds' is set to 'Disabled'. | Compliant | True |
| 0113 | Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled'. | Compliant | True |
| 0114 | Ensure 'Turn off location' is set to 'Enabled'. | Compliant | True |
| 0115 | Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled'. | Compliant | True |
| 0116 | Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'. | Compliant | True |
| 0117 | Ensure 'Turn off the Windows Customer Experience program' is set to 'Enabled'. | Registry value is '0'. Expected: 1 | False |
| 0118 | Ensure 'Turn off the Windows Error Reporting' is set to 'Enabled'. | Compliant | True |
| 0119 | Ensure 'Windows Game Recording and Broadcasting' is set to 'Disabled'. | Compliant | True |
| 82020121 | Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled'. | Compliant | True |
| 0122 | Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled'. | Registry key not found. | False |
| 0123 | Ensure 'Prevent using Localhost IP address for WebRTC' is set to 'Enabled'. | Compliant | True |
| 0131 | Ensure 'Allow a Windows app to share application data between users' is set to 'Disabled'. | Compliant | True |
| 0132 | Ensure 'Allow indexing of encrypted files' is set to 'Disabled'. | Compliant | True |
| 0133 | Ensure 'Allow InPrivate browsing' is set to 'Disabled'. | Compliant | True |
| 0135 | Ensure 'Allow Standby States (S1-S3) When Sleeping (On Battery)' is set to 'Disabled'. | Compliant | True |
| 0136 | Ensure 'Allow Standby States (S1-S3) When Sleeping (Plugged In)' is set to 'Disabled'. | Compliant | True |
| 0137 | Ensure 'Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services' is set to 'Disabled'. | Compliant | True |
| 0138 | Ensure 'Always install with elevated privileges' is set to 'Disabled'. | Compliant | True |
| 0139 | Ensure 'Always prompt for password upon connection' is set to 'Enabled'. | Compliant | True |
| 0140 | Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled'. | Registry value is '3'. Expected: 1 | False |
| 0141 | Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled'. | Compliant | True |
| 0142 | Ensure 'Configure Offer Remote Assistance' is set to 'Disabled'. | Compliant | True |
| 0143 | Ensure 'Configure Password Manager' is set to 'Disabled'. | Registry value not found. | False |
| 0144 | Ensure 'Configure Pop-up Blocker' is set to 'Enabled'. | Compliant | True |
| 0145 | Ensure 'Configure registry policy processing' is set to 'Do not apply during periodic background processing (False)'. | Compliant | True |
| 0146 | Ensure 'Configure registry policy processing' is set to 'Process even if the Group Policy objects have not changed (False)'. | Registry value is '0'. Expected: 1 | False |
| 0147 | Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled'. | Compliant | True |
| 0148 | Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled'. | Registry value is '1'. Expected: 0 | False |
| 0149 | Ensure 'Disallow copying of user input methods to the system account for sign-in' is set to 'Enabled'. | Compliant | True |
| 0150 | Ensure 'Do not allow password expiration time longer than required by policy' is set to 'Enabled'. | Compliant | True |
| 0151 | Ensure 'Do not allow passwords to be saved' is set to 'Enabled'. | Compliant | True |
| 0152 | Ensure 'Do not allow supported Plug and Play device redirection' is set to 'Enabled'. | Compliant | True |
| 0153 | Ensure 'Do not delete temp folders upon exit' set to 'Disabled'. | Registry value is '1'. Expected: 0 | False |
| 0154 | Ensure 'Do not display network selection UI' set to 'Enabled'. | Compliant | True |
| 0155 | Ensure 'Do not enumerate connected users on domain-joined computers' set to 'Enabled'. | Compliant | True |
| 0156 | Ensure 'Enable insecure guest logons' set to 'Disabled'. | Compliant | True |
| 0157 | Ensure 'Enable local admin password management' set to 'Enabled'. | Compliant | True |
| 0158 | Ensure 'Enable RPC Endpoint Mapper Client Authentication' set to 'Enabled'. | Compliant | True |
| 0159 | Ensure 'Enable screen saver' set to 'Enabled'. | Registry key not found. | False |
| 0160 | Ensure 'Enable Windows NTP Server' set to 'Disabled'. | Compliant | True |
| 0161 | Ensure 'Enable/Disable PerfTrack' set to 'Disabled'. | Compliant | True |
| 0163 | Ensure 'Enumerate local users on domain-joined computers' set to 'Disabled'. | Compliant | True |
| 0164 | Ensure 'Include command line in process creation events' set to 'Disabled'. | Registry key not found. | False |
| 0165 | Ensure 'Let Windows apps access account information' set to 'Enabled:Force Deny'. | Registry value not found. | False |
| 0166 | Ensure 'Let Windows apps access call history' set to 'Enabled:Force Deny'. | Registry value not found. | False |
| 0167 | Ensure 'Let Windows apps access contacts' set to 'Enabled:Force Deny'. | Registry value not found. | False |
| 0168 | Ensure 'Let Windows apps access email' set to 'Enabled:Force Deny'. | Registry value not found. | False |
| 0169 | Ensure 'Let Windows apps access location' set to 'Enabled:Force Deny'. | Registry value not found. | False |
| 0170 | Ensure 'Let Windows apps access messaging' set to 'Enabled:Force Deny'. | Registry value not found. | False |
| 0171 | Ensure 'Let Windows apps access motion' set to 'Enabled:Force Deny'. | Registry value not found. | False |
| 0172 | Ensure 'Let Windows apps access notifications' set to 'Enabled:Force Deny'. | Registry value not found. | False |
| 0173 | Ensure 'Let Windows apps access the calendar' set to 'Enabled:Force Deny'. | Registry value not found. | False |
| 0174 | Ensure 'Let Windows apps access the camera' set to 'Enabled:Force Deny'. | Registry value not found. | False |
| 0175 | Ensure 'Let Windows apps access the microphone' set to 'Enabled:Force Deny'. | Registry value not found. | False |
| 0176 | Ensure 'Let Windows apps access trusted devices' set to 'Enabled:Force Deny'. | Registry value not found. | False |
| 0177 | Ensure 'Let Windows apps control radios' set to 'Enabled:Force Deny'. | Registry value not found. | False |
| 0178 | Ensure 'Let Windows apps make phone calls' set to 'Enabled:Force Deny'. | Registry value not found. | False |
| 0179 | Ensure 'Let Windows apps sync with devices' set to 'Enabled:Force Deny'. | Registry value not found. | False |
| 0185 | Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' set to 'Enabled'. | Registry value not found. | False |
| 0209 | Ensure 'Prevent downloading of enclosures' set to 'Enabled'. | Compliant | True |
| 0210 | Ensure 'Prevent enabling lock screen camera' set to 'Enabled'. | Compliant | True |
| 0211 | Ensure 'Prevent enabling lock screen slide show' set to 'Enabled'. | Compliant | True |
| 0212 | Ensure 'Prevent installation of devices that match any of these device IDs' set to 'Enabled'. | Registry value not found. | False |
| 0213 | Ensure 'Prevent installation of devices using drivers that match these device setup classes' set to 'Enabled'. | Compliant | True |
| 0214 | Ensure 'Prevent Internet Explorer security prompt for Windows Installer scripts' set to 'Disabled'. | Compliant | True |
| 0215 | Ensure 'Prevent the computer from joining a homegroup' set to 'Enabled'. | Compliant | True |
| 0216 | Ensure 'Prohibit access of the Windows Connect Now wizards' set to 'Enabled'. | Compliant | True |
| 0217 | Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' set to 'Enabled'. | Compliant | True |
| 0218 | Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' set to 'Enabled'. | Registry value is '0'. Expected: 1 | False |
| 0220 | Ensure 'Require a password when a computer wakes (on battery)' set to 'Enabled'. | Compliant | True |
| 0221 | Ensure 'Require a password when a computer wakes (plugged in)' set to 'Enabled'. | Compliant | True |
| 0222 | Ensure 'Require additional authentication at startup' set to 'Enabled'. | Compliant | True |
| 0223 | Ensure 'Require domain users to elevate when setting a network's location' set to 'Enabled'. | Compliant | True |
| 0224 | Ensure 'Set the default behavior for AutoRun' set to 'Enabled: Do not execute any autorun commands'. | Compliant | True |
| 0225 | Ensure 'Sign-in last interactive user automatically after a system-initiated restart' set to 'Disabled'. | Compliant | True |
| 0229 | Ensure 'Turn off background refresh of Group Policy' set to 'Disabled'. | Compliant | True |
| 0230 | Ensure 'Turn off Data Execution Prevention for Explorer' set to 'Disabled'. | Compliant | True |
| 0231 | Ensure 'Turn off downloading of print drivers over HTTP' set to 'Enabled'. | Compliant | True |
| 0232 | Ensure 'Turn off handwriting personalization data sharing' set to 'Enabled'. | Compliant | True |
| 0233 | Ensure 'Turn off handwriting recognition error reporting' set to 'Enabled'. | Compliant | True |
| 0234 | Ensure 'Turn off heap termination on corruption' set to 'Disabled'. | Compliant | True |
| 0235 | Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' set to 'Enabled'. | Compliant | True |
| 0236 | Ensure 'Turn off Internet download for Web publishing and online ordering wizards' set to 'Enabled'. | Compliant | True |
| 0237 | Ensure 'Turn off Microsoft Peer-to-Peer Networking Services' set to 'Enabled'. | Compliant | True |
| 0238 | Ensure 'Turn off picture password sign-in' set to 'Enabled'. | Compliant | True |
| 0239 | Ensure 'Turn off printing over HTTP' set to 'Enabled'. | Compliant | True |
| 0240 | Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' set to 'Enabled'. | Compliant | True |
| 0241 | Ensure 'Turn off Search Companion content file updates' set to 'Enabled'. | Compliant | True |
| 0242 | Ensure 'Turn off shell protocol protected mode' set to 'Disabled'. | Compliant | True |
| 0243 | Ensure 'Turn off the 'Order Prints' picture task' set to 'Enabled'. | Compliant | True |
| 0244 | Ensure 'Turn off the 'Publish to Web' task for files and folders' set to 'Enabled'. | Compliant | True |
| 0245 | Ensure 'Turn on convenience PIN sign-in' set to 'Disabled'. | Compliant | True |
| 0246 | Ensure 'Turn on Mapper I/O (LLTDIO) driver' set to 'Disabled'. | Compliant | True |
| 0247 | Ensure 'Turn on Responder (RSPNDR) driver' set to 'Disabled'. | Compliant | True |
| 0248 | Ensure 'Turn On Virtualization Based Security' set to 'Enabled: Block untrusted fonts and log events'. | Compliant | True |
| 0249 | Ensure 'Untrusted Font Blocking' set to 'Enabled'. | Registry key not found. | False |
| 0250 | Ensure 'Configure enhanced anti-spoofing' set to 'Enabled'. | Compliant | True |
| 0251 | Ensure 'WDigest Authentication' set to 'Enabled'. | Registry value is '0'. Expected: 1 | False |
| 0253 | Ensure 'Windows Firewall: Domain: Apply local firewall rules' set to 'Disabled'. | Registry value not found. | False |
| 0254 | Ensure 'Windows Firewall: Domain: Display a notification' set to 'Disabled'. | Registry value is '1'. Expected: 0 | False |
| 0279 | Ensure 'Windows Firewall: Domain: Logging: Name' set to '%windir%\system32\logfiles\firewall\domainfirewall.log'. | Registry value is '%SystemRoot%\System32\logfiles\firewall\domainfw.log'. Expected: %windir%\system32\logfiles\firewall\domainfirewall.log | False |
| 0280 | Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' set to '16,384'. | Compliant | True |
| 0281 | Ensure 'Windows Firewall: Public: Outbound connections' set to 'Allow'. | Registry value is '0'. Expected: 1 | False |
| 0282 | Ensure 'Block launching Windows Store apps with Windows Runtime API access from hosted content' set to 'Enabled'. | Compliant | True |
| 0283 | Ensure 'Turn off KMS Client Online AVS Validation' set to 'Enabled'. | Compliant | True |
| 0284 | Ensure 'Do not display the password reveal button' set to 'Enabled'. | Compliant | True |
| 0285 | Ensure 'Join Microsoft MAPS' set to 'Disabled'. | Registry value not found. | False |
| 0286 | Ensure 'Configure search suggestions in Address bar' set to 'Disabled'. | Compliant | True |
| 0287 | Ensure 'Configure Windows SmartScreen' set to 'Enabled: Require approval from an administrator before running downloaded unknown software'. | Registry value is '1'. Expected: 2 | False |
| 0288 | Ensure 'Don't allow SmartScreen Filter warning overrides for unverified files' set to 'Enabled'. | Compliant | True |
| 0289 | Ensure 'Don't allow SmartScreen Filter warning overrides' set to 'Enabled'. | Compliant | True |
| 0290 | Ensure 'Prevent managing SmartScreen Filter' set to 'Enabled: On'. | Registry value not found. | False |
| 0291 | Ensure 'Prevent managing SmartScreen Filter' set to 'Enabled: On'. | Compliant | True |
| 0292 | Ensure 'Turn on SmartScreen Filter scan' set to 'Enabled'. | Compliant | True |
| 0293 | Ensure 'Allow Cortana' set to 'Disabled'. | Compliant | True |
| 0294 | Ensure 'Allow search and Cortana to use location' set to 'Disabled'. | Compliant | True |
| 0295 | Ensure 'Disable all apps from Microsoft Store' set to 'Enabled'. | Registry value not found. | False |
| 0296 | Ensure 'Disable pre-release features or settings' set to 'Disabled'. | Registry value not found. | False |
| 0297 | Ensure 'Turn off access to the Store' set to 'Enabled'. | Compliant | True |
| 0298 | Ensure 'Turn off Automatic Download and Install of updates' set to 'Enabled'. | Registry value is '4'. Expected: 2 | False |
| 0299 | Ensure 'Turn off the offer to update to the latest version of Windows' set to 'Enabled'. | Compliant | True |
| 0300 | Ensure 'Turn off the Store application' set to 'Enabled'. | Compliant | True |
| 0301 | Ensure 'Allow Basic authentication' set to 'Disabled'. | Compliant | True |
| 0302 | Ensure 'Allow unencrypted traffic' set to 'Disabled'. | Compliant | True |
| 0304 | Ensure 'Allow Remote Shell Access' set to 'Disabled'. | Registry value is '1'. Expected: 0 | False |
| 0306 | Ensure 'Allow users to connect remotely by using Remote Desktop Services' set to 'Disabled'. | Compliant | True |
| 0307 | Ensure 'Disallow Digest authentication' set to 'Enabled'. | Compliant | True |
| 0308 | Ensure 'Disallow WinRM from storing RunAs credentials' set to 'Enabled'. | Compliant | True |
| 0309 | Ensure 'Do not allow COM port redirection' set to 'Enabled'. | Compliant | True |
| 0310 | Ensure 'Do not allow drive redirection' set to 'Enabled'. | Compliant | True |
| 0311 | Ensure 'Do not allow LPT port redirection' set to 'Enabled'. | Compliant | True |
| 0312 | Ensure 'Do not use temporary folders per session' set to 'Disabled'. | Registry value not found. | False |
| 0313 | Ensure 'Apply UAC restrictions to local accounts on network logons' set to 'Enabled'. | Compliant | True |
| 0323 | Ensure 'Allow access to BitLocker-protected fixed data drives from earlier versions of Windows' set to 'Disabled'. | Registry value is ' | False |
| 0324 | Ensure 'Allow access to BitLocker-protected removable data drives from earlier versions of Windows' set to 'Disabled'. | Registry value is ' | False |
| 0325 | Ensure 'Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)' set to 'XTS-AES 256-bit'. | Registry value not found. | False |
| 0328 | Ensure 'Choose how BitLocker-protected fixed drives can be recovered' set to 'Enabled'. | Compliant | True |
| 0329 | Ensure 'Choose how BitLocker-protected operating system drives can be recovered' set to 'Enabled'. | Compliant | True |
| 0330 | Ensure 'Choose how BitLocker-protected removable drives can be recovered' set to 'Enabled'. | Registry value not found. | False |
| 0331 | Ensure 'Configure minimum PIN length for startup' set to 'Enabled' and 'minimum characters' set to 10. | Registry value not found. | False |
| 0332 | Ensure 'Configure use of hardware-based encryption for fixed data drives' set to 'Enabled'. | Compliant | True |
| 0333 | Ensure 'Configure use of hardware-based encryption for operating system drives' set to 'Enabled'. | Compliant | True |
| 0334 | Ensure 'Configure use of hardware-based encryption for removable data drives' set to 'Enabled'. | Compliant | True |
| 0335 | Ensure 'Configure use of passwords for fixed data drives' set to 'Disabled'. | Compliant | True |
| 0336 | Ensure 'Configure use of passwords for operating system drives' set to 'Disabled'. | Compliant | True |
| 0337 | Ensure 'Configure use of passwords for removable data drives' set to 'Disabled'. | Registry value not found. | False |
| 0338 | Ensure 'Configure use of smart cards on fixed data drives' set to 'Enabled'. | Compliant | True |
| 0339 | Ensure 'Configure use of smart cards on removable data drives' set to 'Enabled'. | Compliant | True |
| 0340 | Ensure 'Deny write access to removable drives not protected by BitLocker' set to 'Enabled'. | Compliant | True |
| 82020342 | Ensure 'Choose how BitLocker-protected fixed drives can be recovered' set to 'Save BitLocker recovery information to AD DS for fixed data drives'. | Compliant | True |
| 0343 | Ensure 'Choose how BitLocker-protected operating system drives can be recovered' set to 'Save BitLocker recovery information to AD DS for operating system drives'. | Compliant | True |
| 0344 | Ensure 'Choose how BitLocker-protected removable drives can be recovered' set to 'Save BitLocker recovery information to AD DS for removable data drives'. | Compliant | True |
| 0345 | Ensure 'Require additional authentication at startup' set to 'Do not allow startup key and PIN with TPM'. | Registry value not found. | False |
| 0346 | Ensure 'Choose how BitLocker-protected fixed drives can be recovered' set to 'Allow data recovery agent'. | Compliant | True |
| 0347 | Ensure 'Choose how BitLocker-protected operating system drives can be recovered' set to 'Allow data recovery agent'. | Compliant | True |
| 0348 | Ensure 'Choose how BitLocker-protected removable drives can be recovered' set to 'Allow data recovery agent'. | Compliant | True |
| 0349 | Ensure 'Configure use of hardware-based encryption for fixed data drives' set to 'Use BitLocker software-based encryption when hardware encryption is not available'. | Compliant | True |
| 0350 | Ensure 'Configure use of hardware-based encryption for operating system drives' set to 'Use BitLocker software-based encryption when hardware encryption is not available'. | Compliant | True |
| 0351 | Ensure 'Configure use of hardware-based encryption for removable data drives' set to 'Use BitLocker software-based encryption when hardware encryption is not available'. | Compliant | True |
| 0352 | Ensure 'Configure use of smart cards on fixed data drives' set to 'Require use of smart cards on fixed data drives'. | Compliant | True |
| 0353 | Ensure 'Configure use of smart cards on removable data drives' set to 'Require use of smart cards on removable data drives'. | Compliant | True |
| 0354 | Ensure 'Deny write access to removable drives not protected by BitLocker' set to 'Do not allow write access to devices configured in another organization'. | Registry value is '0'. Expected: 1 | False |
| 0355 | Ensure 'Password Settings' set to 'Large letters + small letters + numbers + specials'. | Compliant | True |
| 0358 | Ensure 'Require additional authentication at startup' set to 'Allow BitLocker without a compatible TPM'. | Compliant | True |
| 0359 | Ensure 'Choose how BitLocker-protected operating system drives can be recovered' set to 'Omit recovery options from the BitLocker setup wizard'. | Compliant | True |
| 0360 | Ensure 'Choose how BitLocker-protected fixed drives can be recovered' set to 'Omit recovery options from the BitLocker setup wizard (Test)'. | Compliant | True |
| 0361 | Ensure 'Choose how BitLocker-protected removable drives can be recovered' set to 'Omit recovery options from the BitLocker setup wizard (True)'. | Compliant | True |
| 0362 | Ensure 'Require additional authentication at startup' set to 'Do not allow startup key with TPM'. | Registry value not found. | False |
| 0363 | Ensure 'Choose how BitLocker-protected fixed drives can be recovered' set to 'Allow 48-digit recovery password'. | Compliant | True |
| 0364 | Ensure 'Choose how BitLocker-protected operating system drives can be recovered' set to 'Require 48-digit recovery password'. | Registry value is '2'. Expected: 1 | False |
| 0365 | Ensure 'Choose how BitLocker-protected removable drives can be recovered' set to 'Do not allow 48-digit recovery password'. | Registry value not found. | False |
| 0366 | Ensure 'Configure use of hardware-based encryption for fixed data drives' set to 'Restrict encryption algorithms and cipher suites allowed for hardware-based encryption'. | Compliant | True |
| 0367 | Ensure 'Configure use of hardware-based encryption for operating system drives' set to 'Restrict encryption algorithms and cipher suites allowed for hardware-based encryption (False)'. | Compliant | True |
| 0368 | Ensure 'Configure use of hardware-based encryption for removable data drives' set to 'Restrict encryption algorithms and cipher suites allowed for hardware-based encryption (False)'. | Compliant | True |
| 0369 | Ensure 'Configure use of hardware-based encryption for removable data drives' set to 'Password Length' and set to greater or equal 15. | Registry value is '14'. Expected: x >= 15 | False |
| 0370 | Ensure 'Prevent installation of devices that match any of these device IDs' set to 'Also apply to matching devices that are already installed. (True)'. | Registry value not found. | False |
| 0371 | Ensure 'Prevent installation of devices using drivers that match these device setup classes' set to 'Also apply to matching devices that are already installed. (True)'. | Compliant | True |
| 0372 | Ensure 'Require additional authentication at startup' set to 'Do not allow TPM'. | Registry value not found. | False |
| 0373 | Ensure 'Choose how BitLocker-protected removable drives can be recovered' set to 'Do not enable BitLocker until recovery information is stored to AD DS for removable data drives (False)'. | Compliant | True |
| 0374 | Ensure 'Choose how BitLocker-protected operating system drives can be recovered' set to 'Do not enable BitLocker until recovery information is stored to AD DS for operating system drives (Enabled)'. | Compliant | True |
| 0375 | Ensure 'Choose how BitLocker-protected fixed drives can be recovered' set to 'Backup recovery passwords and key packages'. | Compliant | True |
| 0376 | Ensure 'Choose how BitLocker-protected operating system drives can be recovered' set to 'Store recovery passwords and key packages'. | Compliant | True |
| 0377 | Ensure 'Choose how BitLocker-protected removable drives can be recovered' set to 'Backup recovery passwords and key packages'. | Compliant | True |
| 0378 | Ensure 'Choose how BitLocker-protected operating system drives can be recovered' set to 'Do not allow 256-bit recovery key'. | Compliant | True |
| 0380 | Ensure 'Choose how BitLocker-protected removable drives can be recovered' set to 'Do not allow 256-bit recovery key'. | Compliant | True |
| 0384 | Ensure 'Password Age' set to less or equal 42. | Registry value is '20'. Expected: 42 | False |
| 0385 | Ensure 'Require additional authentication at startup' set to 'Require startup PIN with TPM'. | Registry value not found. | False |
| 0386 | Ensure 'Turn on PowerShell Transcription' set to 'Disabled'. | Compliant | True |
| 0387 | Ensure 'Turn on PowerShell Script Block Logging' set to 'Enabled'. | Registry value is '0'. Expected: 1 | False |
| 0388 | Ensure 'Require secure RPC communication' set to 'Enabled'. | Compliant | True |
| 0389 | Ensure 'Set client connection encryption level' set to 'Enabled: High Level'. | Compliant | True |
| 0390 | Ensure 'Set time limit for active but idle Remote Desktop Services sessions' set to 'Enabled: 5 minutes'. | Registry value is '900000'. Expected: 300000 | False |
| 0391 | Ensure 'Set time limit for disconnected sessions' set to 'Enabled: 1 minute'. | Compliant | True |
User Rights Assignment
| Id | Task | Message | Status |
|---|---|---|---|
| 0044 | Ensure 'SeTrustedCredManAccessPrivilege' is set to 'Enabled' | The user 'SeTrustedCredManAccessPrivilege' setting does not contain the following users: NULL SID | False |
| 0045 | Ensure 'SeNetworkLogonRight' is set to 'Administrator, Users' | The user right 'SeNetworkLogonRight' contains following unexpected users: BUILTIN\Backup Operators | False |
| 0046 | Ensure 'SeTcbPrivilege' is set to 'None' | The user 'SeTcbPrivilege' setting does not contain the following users: NULL SID | False |
| 0047 | Ensure 'Adjust memory quotas for a process' set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE' | The user right 'SeIncreaseQuotaPrivilege' contains following unexpected users: NT SERVICE\SQLSERVERAGENT, NT SERVICE\MSSQLSERVER | False |
| 0048 | Ensure 'Allow log on locally' set to 'Administrators, Users' | The user right 'SeInteractiveLogonRight' contains following unexpected users: DESKTOP-UTMU75K\OldGuest, BUILTIN\Backup Operators | False |
| 0049 | Ensure 'SeBackupPrivilege' is set to 'Administrator' | The user right 'SeBackupPrivilege' contains following unexpected users: BUILTIN\Backup Operators | False |
| 0050 | Ensure 'SeSystemtimePrivilege' is set to 'Administrator, LOCAL SERVICE' | Compliant | True |
| 0051 | Ensure 'SeTimeZonePrivilege' is set to 'Administrator, LOCAL SERVICE' | The user right 'SeTimeZonePrivilege' contains following unexpected users: BUILTIN\Users | False |
| 0052 | Ensure 'SeCreatePagefilePrivilege' is set to 'Administrator, LOCAL SERVICE' | The user 'SeCreatePagefilePrivilege' setting does not contain the following users: NT AUTHORITY\LOCAL SERVICE | False |
| 0053 | Ensure 'SeCreateTokenPrivilege' is set to 'None' | The user 'SeCreateTokenPrivilege' setting does not contain the following users: NULL SID | False |
| 0054 | Ensure 'SeCreateGlobalPrivilege' is set to 'Administrator, SERVICE, LOCAL SERVICE, NETWORK SERVICE' | Compliant | True |
| 0055 | Ensure 'SeCreatePermanentPrivilege' is set to 'None' | The user 'SeCreatePermanentPrivilege' setting does not contain the following users: NULL SID | False |
| 0056 | Ensure 'SeCreateSymbolicLinkPrivilege' is set to 'Administrator' | The user right 'SeCreateSymbolicLinkPrivilege' contains following unexpected users: NT VIRTUAL MACHINE\Virtual Machines | False |
| 0057 | Ensure 'SeDebugPrivilege' is set to 'Administrator' | Compliant | True |
| 0064 | Ensure 'SeEnableDelegationPrivilege' is set to 'None' | The user 'SeEnableDelegationPrivilege' setting does not contain the following users: NULL SID | False |
| 0066 | Ensure 'SeRemoteShutdownPrivilege' is set to 'Administrator' | Compliant | True |
| 0067 | Ensure 'SeAuditPrivilege' is set to 'LOCAL SERVICE, NETWORK SERVICE' | Compliant | True |
| 0068 | Ensure 'SeImpersonatePrivilege' is set to 'Administrator, LOCAL SERVICE, NETWORK SERVICE' | The user right 'SeImpersonatePrivilege' contains following unexpected users: NT AUTHORITY\SERVICE | False |
| 0069 | Ensure 'SeIncreaseBasePriorityPrivilege' is set to 'Administrator' | The user right 'SeIncreaseBasePriorityPrivilege' contains following unexpected users: Window Manager\Window Manager Group | False |
| 0085 | Ensure 'SeRelabelPrivilege' is set to 'None' | The user 'SeRelabelPrivilege' setting does not contain the following users: NULL SID | False |
| 0086 | Ensure 'SeSystemEnvironmentPrivilege' is set to 'Administrator' | Compliant | True |
| 0087 | Ensure 'SeManageVolumePrivilege' is set to 'Administrator' | Compliant | True |
| 0088 | Ensure 'SeProfileSingleProcessPrivilege' is set to 'Administrator' | Compliant | True |
| 0089 | Ensure 'SeSystemProfilePrivilege' is set to 'Administrator, NT SERVICE\WdiServiceHost' | Compliant | True |
| 0090 | Ensure 'SeRestorePrivilege' is set to 'Administrator' | The user right 'SeRestorePrivilege' contains the following unexpected users: BUILTIN\Backup Operators | False |
| 0091 | Ensure 'SeShutdownPrivilege' is set to 'Administrator, Users' | The user right 'SeShutdownPrivilege' contains the following unexpected users: BUILTIN\Backup Operators | False |
| 0094 | Ensure 'SeTakeOwnershipPrivilege' is set to 'Administrator' | Compliant | True |
| 0104 | Ensure 'SeDenyNetworkLogonRight' is set to 'Local account, Guest' | The user right 'SeDenyNetworkLogonRight' contains the following unexpected users: LOCAL; the user right 'SeDenyNetworkLogonRight' setting does not contain the following users: NT AUTHORITY\Local account | False |
| 0105 | Ensure 'SeDenyBatchLogonRight' is set to 'Guest' | Compliant | True |
| 0106 | Ensure 'SeDenyServiceLogonRight' is set to 'Guest' | Compliant | True |
| 0107 | Ensure 'SeDenyInteractiveLogonRight' is set to 'Guest' | Compliant | True |
| 0108 | Ensure 'SeDenyRemoteInteractiveLogonRight' is set to 'Local account, Guest' | Compliant | True |
| 0180 | Ensure 'Load and unload device drivers' is set to 'Administrator' | Compliant | True |
| 0181 | Ensure 'Lock pages in memory' is set to 'No one' | The user right 'SeLockMemoryPrivilege' setting does not contain the following users: NULL SID | False |
| 0182 | Ensure 'Log on as a batch job' is set to 'Administrator' | The user right 'SeBatchLogonRight' contains the following unexpected users: BUILTIN\Backup Operators, BUILTIN\Performance Log Users | False |
| 0183 | Ensure 'Log on as a service' is set to 'No one' | The user right 'SeServiceLogonRight' contains the following unexpected users: DESKTOP-UTMU75K\SQLServer2005SQLBrowserUser$DESKTOP-UTMU75K, NT SERVICE\ALL SERVICES, NT SERVICE\SQLTELEMETRY, NT SERVICE\SQLSERVERAGENT, NT SERVICE\MSSQLSERVER, NT VIRTUAL MACHINE\Virtual Machines; the user right 'SeServiceLogonRight' setting does not contain the following users: NULL SID | False |
| 0184 | Ensure 'Manage auditing and security log' is set to 'Administrator' | Compliant | True |
| 0219 | Ensure 'Replace a process level token' is set to 'Local Service, Network Service' | The user right 'SeAssignPrimaryTokenPrivilege' contains the following unexpected users: NT SERVICE\SQLSERVERAGENT, NT SERVICE\MSSQLSERVER | False |
| 0303 | Ensure 'Allow log on through Remote Desktop Services' is set to 'Remote Desktop User' | The user right 'SeRemoteInteractiveLogonRight' contains the following unexpected users: BUILTIN\Administrators | False |
Account Policies
| Id | Task | Message | Status |
|---|---|---|---|
| 0001 | Ensure 'Maximum password age' is set to between 1 and 42 | 'MaximumPasswordAge' currently set to: 60. Expected: x <= 42 and x >= 1 | False |
| 0002 | Ensure 'Password must meet complexity requirements' is set to 'Enabled' | Compliant | True |
| 0100 | Ensure 'Reset account lockout counter after' is set greater or equal 15 | Compliant | True |
| 0102 | Ensure 'Account lockout duration' is set to '15 or more minute(s)' | Compliant | True |
| 0103 | Ensure 'Account lockout threshold' is set greater or equal 1 and less or equal 10 | Compliant | True |
| 0162 | Ensure 'Enforce password history' is set greater or equal 24 | Compliant | True |
| 0186 | Ensure 'Minimum password age' is set to greater or equal 1 | Compliant | True |
| 0187 | Ensure 'Minimum password length' is set to greater or equal 14 | Compliant | True |
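The User Rights Assignment and Account Policies results above can be reproduced on the audited host without the reporting tool. The following PowerShell script is an added example, not TAPHtmlReport or BSI benchmark code: it exports the effective local security policy with secedit, resolves the SIDs in the [Privilege Rights] section to account names, and compares a handful of rights and password settings from the two tables against the expected values stated in the check names. The expected account lists, the checked keys and the temporary file name are assumptions taken from the table rows; an empty list stands for 'None'. Where the report flags a missing NULL SID for a 'None' check, secedit simply omits the key, which the script treats as an empty assignment.

```powershell
# Added example (not TAPHtmlReport code): re-check a few User Rights Assignment
# and Account Policies rows by exporting the local security policy with secedit.
# Run from an elevated PowerShell session on the audited host.

$inf = Join-Path $env:TEMP 'secpol-export.inf'   # temporary export file (assumption)
secedit /export /cfg $inf /areas USER_RIGHTS SECURITYPOLICY | Out-Null

# Parse the INI-style export into @{ Section = @{ Key = Value } }.
function Read-SeceditExport([string]$Path) {
    $data = @{}; $section = $null
    foreach ($line in Get-Content -Path $Path) {
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; $data[$section] = @{}; continue }
        if ($section -and $line -match '^\s*([^=]+?)\s*=\s*(.*)$') { $data[$section][$Matches[1]] = $Matches[2] }
    }
    return $data
}

# secedit writes principals as '*S-1-5-...'; resolve them to DOMAIN\Name where possible.
function ConvertTo-AccountName([string]$Entry) {
    $s = $Entry.TrimStart('*')
    if ($s -notmatch '^S-1-') { return $s }
    try { (New-Object System.Security.Principal.SecurityIdentifier($s)).Translate([System.Security.Principal.NTAccount]).Value }
    catch { $s }   # unresolvable SID (orphaned account): report the raw SID so it is not silently dropped
}

# Expected assignments from the table above (English account names assumed); @() means 'None'.
$expectedRights = [ordered]@{
    'SeTimeZonePrivilege'           = @('BUILTIN\Administrators', 'NT AUTHORITY\LOCAL SERVICE')
    'SeCreateTokenPrivilege'        = @()
    'SeRestorePrivilege'            = @('BUILTIN\Administrators')
    'SeImpersonatePrivilege'        = @('BUILTIN\Administrators', 'NT AUTHORITY\LOCAL SERVICE', 'NT AUTHORITY\NETWORK SERVICE')
    'SeRemoteInteractiveLogonRight' = @('BUILTIN\Remote Desktop Users')
}

$policy = Read-SeceditExport $inf
$rights = $policy['Privilege Rights']

foreach ($right in $expectedRights.Keys) {
    $actual = @()
    if ($rights.ContainsKey($right) -and $rights[$right]) {
        $actual = $rights[$right].Split(',') | ForEach-Object { ConvertTo-AccountName $_.Trim() }
    }
    # Both directions matter: extra members are an exposure, missing members usually break a service.
    $unexpected = $actual | Where-Object { $_ -notin $expectedRights[$right] }
    $missing    = $expectedRights[$right] | Where-Object { $_ -notin $actual }
    $status = if (-not $unexpected -and -not $missing) { 'True' } else { 'False' }
    "{0,-32} {1,-5} unexpected: [{2}] missing: [{3}]" -f $right, $status, ($unexpected -join ', '), ($missing -join ', ')
}

# Account Policies live under [System Access]; the ranges mirror the table above.
# Note that secedit reports 'password never expires' as MaximumPasswordAge = -1, which the 1..42 range rejects.
$sa = $policy['System Access']
$passwordChecks = @(
    @{ Key = 'MaximumPasswordAge';    Test = { param($v) $v -ge 1 -and $v -le 42 } }
    @{ Key = 'MinimumPasswordLength'; Test = { param($v) $v -ge 14 } }
    @{ Key = 'PasswordHistorySize';   Test = { param($v) $v -ge 24 } }
    @{ Key = 'LockoutBadCount';       Test = { param($v) $v -ge 1 -and $v -le 10 } }
)
foreach ($c in $passwordChecks) {
    $v = [int]$sa[$c.Key]
    "{0,-32} {1,-5} currently: {2}" -f $c.Key, $(if (& $c.Test $v) { 'True' } else { 'False' }), $v
}
Remove-Item $inf -Force
```

The export reflects the effective policy, including settings pushed by Group Policy, so a finding such as BUILTIN\Backup Operators holding SeRestorePrivilege has to be corrected in the GPO that grants it; a local `secedit /configure` is overwritten at the next policy refresh. The comparison is done on resolved names and therefore assumes an English installation like the one in this report; on a localized system compare the SIDs instead.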
Advanced Audit Policy Configuration
| Id | Task | Message | Status |
|---|---|---|---|
| 0008 | Ensure 'Audit Application Group Management' is set to 'Success and Failure' | Compliant | True |
| 0011 | Ensure 'Audit Other Account Management Events' is set to 'Success and Failure' | Set to: No Auditing | False |
| 0012 | Ensure 'Audit Security Group Management' is set to 'SuccessAndFailure' | Set to: Success | False |
| 0013 | Ensure 'Audit account management' is set to 'SuccessAndFailure' | Compliant | True |
| 0014 | Ensure 'Advanced security audit policy settings' is set to 'SuccessAndNotFailure' | Set to: Success | False |
| 0015 | Ensure 'Audit Process Creation' is set to 'SuccessAndNotFailure' | Set to: Success | False |
| 0016 | Ensure 'Audit Other Logon/Logoff Events' is set to 'SuccessAndFailure' | Compliant | True |
| 0017 | Ensure 'Audit Account Lockout' is set to 'SuccessAndNotFailure' | Set to: Failure | False |
| 0018 | Ensure 'How to track users logon/logoff' is set to 'SuccessAndNotFailure' | Compliant | True |
| 0019 | Ensure 'Audit Policy: Logon-Logoff: Logon' is set to 'SuccessAndFailure' | Compliant | True |
| 0020 | Ensure 'Audit Policy: Logon-Logoff: Special Logon' is set to 'Enabled' | Compliant | True |
| 0021 | Ensure 'Audit Policy: Object Access:Removable Storage' is set to 'SuccessAndFailure' | Compliant | True |
| 0022 | Ensure 'Audit Policy: Policy Change: Audit Policy Change' is set to 'SuccessAndFailure' | Set to: Success | False |
| 0023 | Ensure 'Audit Policy: Policy Change: Authentication Policy Change' is set to 'SuccessAndFailure' | Set to: Success | False |
| 0025 | Ensure 'Audit Policy: System: IPsecDriver' is set to 'SuccessAndFailure' | Compliant | True |
| 0026 | Ensure 'Audit Policy: System: OtherSystem Events' is set to 'SuccessAndFailure' | Compliant | True |
| 0027 | Ensure 'Audit Policy: System: Security State Change' is set to 'SuccessAndFailure' | Set to: Success | False |
| 0028 | Ensure 'Audit Policy: System: Security System Extension' is set to 'SuccessAndFailure' | Set to: Success | False |
| 0029 | Ensure 'Audit Policy: System: System Integrity' is set to 'SuccessAndFailure' | Compliant | True |
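The audit subcategories above can be read back with auditpol, which is also the tool used to correct them. The following PowerShell script is an added example, not TAPHtmlReport or benchmark code: it dumps the effective audit policy as CSV, compares the subcategories whose expected value in the table is 'Success and Failure' against it, and prints (rather than runs) the `auditpol /set` command for each non-compliant row. The subcategory names are auditpol's own; the expected-value list is an assumption taken from the table rows and does not cover the rows whose expected value the report spells 'SuccessAndNotFailure'.

```powershell
# Added example (not TAPHtmlReport code): re-check Advanced Audit Policy rows with
# auditpol and print the remediation command for each non-compliant subcategory.
# Run from an elevated PowerShell session on the audited host.

# Expected settings, using auditpol's own wording, for subcategories in the table above (assumption).
$expected = [ordered]@{
    'Other Account Management Events' = 'Success and Failure'
    'Security Group Management'       = 'Success and Failure'
    'Audit Policy Change'             = 'Success and Failure'
    'Authentication Policy Change'    = 'Success and Failure'
    'Security State Change'           = 'Success and Failure'
    'Security System Extension'       = 'Success and Failure'
    'System Integrity'                = 'Success and Failure'
    'Logon'                           = 'Success and Failure'
    'Removable Storage'               = 'Success and Failure'
}

# auditpol /r emits CSV with the columns
# Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
function Get-EffectiveAuditPolicy {
    $csv = auditpol /get /category:* /r | Where-Object { $_.Trim() }   # drop blank lines before parsing
    $table = @{}
    foreach ($row in ($csv | ConvertFrom-Csv)) { $table[$row.Subcategory] = $row.'Inclusion Setting' }
    return $table
}

# Turn an expected value into the /success and /failure switches that auditpol /set takes.
function Get-AuditpolSetCommand([string]$Subcategory, [string]$Setting) {
    $success = if ($Setting -match 'Success') { 'enable' } else { 'disable' }
    $failure = if ($Setting -match 'Failure') { 'enable' } else { 'disable' }
    return "auditpol /set /subcategory:`"$Subcategory`" /success:$success /failure:$failure"
}

$actual = Get-EffectiveAuditPolicy
$fixes = @()
foreach ($sub in $expected.Keys) {
    # A subcategory absent from the dump is not being audited at all.
    $have = if ($actual.ContainsKey($sub)) { $actual[$sub] } else { 'No Auditing' }
    $ok = $have -eq $expected[$sub]
    "{0,-34} expected: {1,-19} set to: {2,-19} {3}" -f $sub, $expected[$sub], $have, $(if ($ok) { 'True' } else { 'False' })
    if (-not $ok) { $fixes += Get-AuditpolSetCommand $sub $expected[$sub] }
}

# Printed, not executed: on a domain-joined host the GPO-delivered audit policy
# wins at the next refresh, so the fix belongs in the GPO rather than on the box.
if ($fixes) { "`nRemediation commands:"; $fixes }
```

For a row such as 'Audit Policy Change' currently set to Success only, the script prints `auditpol /set /subcategory:"Audit Policy Change" /success:enable /failure:enable`. Failure auditing on the Policy Change and System subcategories is what records a denied attempt to change the audit configuration or to load a security package, which is why the benchmark asks for both halves.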