Settings Overview
Table Of Content
Click the link(s) below for quick access to a report section.
CIS Recommendations-↑
This section contains all CIS recommendations
Registry Settings/Group Policies-↑
| Id | Task | Message | Status |
|---|---|---|---|
| 1.1.1 | (L1) Ensure 'Enable curtaining of remote access hosts' is set to 'Disabled' | Compliant | True |
| 1.1.2 | (L1) Ensure 'Allow gnubby authentication for remote access hosts' is set to 'Disabled'. | Compliant | True |
| 1.1.3 | (L1) Ensure 'Allow remote users to interact with elevated windows in remote assistance sessions' is set to 'Disabled' | Compliant | True |
| 1.2 | (L1) Ensure 'Continue running background apps when Google Chrome is closed' is set to 'Disabled' | Compliant | True |
| 1.3 | (L1) Ensure 'Ask where to save each file before downloading' is set to 'Enabled' | Compliant | True |
| 1.4 | (L1) Ensure 'Disable saving browser history' is set to 'Disabled' | Compliant | True |
| 1.5 | (L1) Ensure 'Enable HTTP/0.9 support on non-default ports' is set to 'Disabled' | Compliant | True |
| 1.6 | (L1) Ensure 'Enable component updates in Google Chrome' is set to 'Enabled' | Compliant | True |
| 1.7 | (L1) Ensure 'Enable deprecated web platform features for a limited time' is set to 'Disabled' | Compliant. Registry key not found. | True |
| 1.8 | (L1) Ensure 'Enable third party software injection blocking' is set to 'Enabled' | Compliant | True |
| 1.9 | (L1) Ensure 'Extend Flash content setting to all content' is set to 'Disabled' | Compliant | True |
| 1.10 | (L1) Ensure 'Suppress the unsupported OS warning' is set to 'Disabled' | Compliant | True |
| 1.11 | (L1) Ensure 'Whether online OCSP/CRL checks are performed' is set to 'Disabled' | Compliant | True |
| 1.12 | (L1) Ensure 'Allow WebDriver to Override Incompatible Policies' is set to 'Disabled' | Compliant | True |
| 1.13 | (L1) Ensure 'Control SafeSites adult content filtering' is set to 'Enabled' with value 'Do not filter sites for adult content' specified | Compliant | True |
| 1.14 | (L1) Ensure 'Origins or hostname patterns for which restrictions on insecure origins should not apply' is set to 'Disabled' | Compliant. Registry key not found. | True |
| 1.15 | (L1) Ensure 'Disable Certificate Transparency enforcement for a list of Legacy Certificate Authorities' is set to 'Disabled' | Compliant. Registry key not found. | True |
| 1.16 | (L1) Ensure 'Disable Certificate Transparency enforcement for a list of URLs' is set to 'Disabled' | Compliant. Registry key not found. | True |
| 1.17 | (L1) Ensure 'Disable Certificate Transparency enforcement for a list of subjectPublicKeyInfo hashes' is set to 'Disabled' | Compliant. Registry key not found. | True |
| 2.1 | (L1) Ensure 'Default Flash Setting' is set to 'Enabled' (Click to Play) | Compliant | True |
| 2.2 | (L2) Ensure 'Default notification setting' is set to 'Enabled' with 'Do not allow any site to show desktop notifications' | Compliant | True |
| 2.3 | (L2) Ensure 'Control use of the Web Bluetooth API' is set to 'Enabled' with 'Do not allow any site to request access to Bluetooth devices via the Web Bluetooth API' | Compliant | True |
| 2.4 | (L2) Ensure 'Control use of the WebUSB API' is set to 'Enabled' with 'Do not allow any site to request access to USB devices via the WebUSB API' | Compliant | True |
| 2.5 | (L1) Ensure 'Configure extension installation blacklist' is set to 'Enabled' ("*" for all extensions) | Compliant | True |
| 2.6.1 | (L1) Ensure 'Configure allowed app/extension types' is set to 'Enabled' with the values 'extension' specified | Compliant | True |
| 2.6.2 | (L1) Ensure 'Configure allowed app/extension types' is set to 'Enabled' with the value 'hosted_app'specified | Compliant | True |
| 2.6.3 | (L1) Ensure 'Configure allowed app/extension types' is set to 'Enabled' with the value 'platform_app' specified | Compliant | True |
| 2.6.4 | (L1) Ensure 'Configure allowed app/extension types' is set to 'Enabled' with the value 'theme'specified | Compliant | True |
| 2.7 | (L2) Ensure 'Configure native messaging blacklist' is set to 'Enabled' ("*" for all messaging applications) | Compliant | True |
| 2.8 | (L1) Ensure 'Enable saving passwords to the password manager' is Configured | Compliant | True |
| 2.9 | (L1) Ensure 'Supported authentication schemes' is set to 'Enabled' (ntlm, negotiate) | Compliant | True |
| 2.10 | (L1) Ensure 'Choose how to specify proxy server settings' is not set to 'Enabled' with 'Auto detect proxy settings' | Compliant | True |
| 2.11 | (L1) Ensure 'Allow running plugins that are outdated' is set to 'Disabled' | Compliant | True |
| 2.12 | (L1) Ensure 'Enable Google Cloud Print Proxy' is set to 'Disabled' | Compliant | True |
| 2.13 | (L1) Ensure 'Enable Site Isolation for every site' is set to 'Enabled' | Compliant | True |
| 2.14 | (L1) Ensure 'Allow download restrictions' is set to 'Enabled' with 'Block dangerous downloads' specified. | Compliant | True |
| 2.15 | (L1) Ensure 'Disable proceeding from the Safe Browsing warning page' is set to 'Enabled' | Compliant | True |
| 2.16 | (L1) Ensure 'Notify a user that a browser relaunch or device restart is recommended or required' is set to 'Enabled' with 'Show a recurring prompt to the user indication that a relaunch is required' specified | Compliant | True |
| 2.17 | (L1) Ensure 'Set the time period for update notifications' is set to 'Enabled' with '86400000' (1 day) specified | Compliant | True |
| 2.18 | (L2) Ensure 'Whether online OCSP/CRL checks are required for local trust anchors' is set to 'Enabled' | Compliant | True |
| 2.19 | (L1) Ensure 'Enable Chrome Cleanup on Windows' is Configured | Compliant | True |
| 2.20 | (L2) Ensure 'Use built-in DNS client' is set to 'Disabled' | Compliant | True |
| 2.21 | (L1) Ensure 'Update policy override' is set to 'Enabled' with 'Always allow updates (recommended)' or 'Automatic silent updates' specified | Compliant | True |
| 3.1 | (L2) Ensure 'Default cookies setting' is set to 'Enabled' (Keep cookies for the duration of the session) | Compliant | True |
| 3.2 | (L1) Ensure 'Default geolocation setting' is set to 'Enabled' with 'Do not allow any site to track the users' physical location' | Compliant | True |
| 3.3 | (L1) Ensure 'Enable Google Cast' is set to 'Disabled' | Compliant | True |
| 3.4 | (L1) Ensure 'Block third party cookies' is set to 'Enabled' | Compliant | True |
| 3.5 | (L1) Ensure 'Enable reporting of usage and crash-related data' is set to 'Disabled' | Compliant | True |
| 3.6 | (L1) Ensure 'Control how Chrome Cleanup reports data to Google' is set to 'Disabled' | Compliant | True |
| 3.7 | (L1) Ensure 'Browser sign in settings' is set to 'Enabled' with 'Disabled browser sign-in' specified | Compliant | True |
| 3.8 | (L1) Ensure 'Enable Translate' is set to 'Disabled' | Compliant | True |
| 3.9 | (L1) Ensure 'Enable network prediction' is set to 'Enabled' with 'Do not predict actions on any network connection' selected | Compliant | True |
| 3.10 | (L1) Ensure 'Enable search suggestions' is set to 'Disabled' | Compliant | True |
| 3.11 | (L1) Ensure 'Enable or disable spell checking web service' is set to 'Disabled' | Compliant | True |
| 3.12 | (L1) Ensure 'Enable alternate error pages' is set to 'Disabled' | Compliant | True |
| 3.13 | (L1) Ensure 'Disable synchronization of data with Google' is set to 'Enabled' | Compliant | True |
| 3.14 | (L1) Ensure 'Enable Safe Browsing for trusted sources' is set to 'Disabled' | Compliant | True |
| 3.15 | (L1) Ensure 'Enable URL-keyed anonymized data collection' is set to 'Disabled' | Compliant | True |
| 3.16 | (L1) Ensure 'Enable deleting browser and download history' is set to 'Disabled' | Compliant | True |
| 4.1.1 | (L1) Ensure 'Enable firewall traversal from remote access host' is set to 'Disabled' | Compliant | True |
| 4.1.2 | (L1) Ensure 'Enable or disable PIN-less authentication for remote access hosts' is set to 'Disabled' | Compliant | True |
| 4.1.3 | (L1) Ensure 'Enable the use of relay servers by the remote access host' is set to 'Disabled'. | Compliant | True |
| 4.1.4 | (L1) Ensure 'Configure the required domain names for remote access clients' is set to 'Enabled' with a domain defined | Compliant | True |
| 5.1 | (L1) Ensure 'Enable submission of documents to Google Cloud print' is set to 'Disabled' | Compliant | True |
| 5.2 | (L1) Ensure 'Import saved passwords from default browser on first run' is set to 'Disabled' | Compliant | True |
| 5.3 | (L1) Ensure 'Enable AutoFill for credit cards' is set to 'Disabled' | Compliant | True |
| 5.4 | (L1) Ensure 'Enable AutoFill for addresses' is set to 'Disabled' | Compliant | True |
DISA Recommendations-↑
This section contains all DISA recommendations
Registry Settings/Group Policies-↑
| Id | Task | Message | Status |
|---|---|---|---|
| DTBC-0001 | Firewall traversal from remote host must be disabled. | Compliant | True |
| DTBC-0003 | Sites ability for showing desktop notifications must be disabled. | Compliant | True |
| DTBC-0004 | Sites ability to show pop-ups must be disabled. | Registry value not found. | False |
| DTBC-0002 | Site tracking users location must be disabled. | Compliant | True |
| DTBC-0005 | Extensions installation must be blacklisted by default. | Compliant | True |
| DTBC-0006 | Extensions that are approved for use must be whitelisted. | Registry key not found. | False |
| DTBC-0009 | Default search provider must be enabled. | Registry value not found. | False |
| DTBC-0011 | The Password Manager must be disabled. | Registry value is '1'. Expected: 0 | False |
| DTBC-0013 | The running of outdated plugins must be disabled. | Compliant | True |
| DTBC-0015 | Third party cookies must be blocked. | Compliant | True |
| DTBC-0017 | Background processing must be disabled. | Compliant | True |
| DTBC-0019 | 3D Graphics APIs must be disabled. (Note: If 3D APIs are required by mission, this is not a finding.) | Registry value not found. | False |
| DTBC-0020 | Google Data Synchronization must be disabled. | Compliant | True |
| DTBC-0021 | The URL protocol schema javascript must be disabled. | Registry key not found. | False |
| DTBC-0023 | Cloud print sharing must be disabled. | Compliant | True |
| DTBC-0025 | Network prediction must be disabled. | Compliant | True |
| DTBC-0026 | Metrics reporting to Google must be disabled. (Note: This policy will only display in the chrome://policy tab on domain joined systems. On standalone systems, the policy will not display.) | Compliant | True |
| DTBC-0027 | Search suggestions must be disabled. | Compliant | True |
| DTBC-0029 | Importing of saved passwords must be disabled. | Compliant | True |
| DTBC-0030 | Incognito mode must be disabled. | Registry value not found. | False |
| DTBC-0037 | Online revocation checks must be done. | Registry value is '0'. Expected: 1 | False |
| DTBC-0038 | Safe Browsing must be enabled. | Registry value not found. | False |
| DTBC-0039 | Browser history must be saved. | Compliant | True |
| DTBC-0040 | Default behavior must block webpages from automatically running plugins. | Compliant | True |
| DTBC-0051 | URLs must be whitelisted for plugin use | Registry value not found. | False |
| DTBC-0052 | Deletion of browser history must be disabled. | Compliant | True |
| DTBC-0053 | Prompt for download location must be enabled. | Compliant | True |
| DTBC-0064 | Autoplay must be disabled. | Registry value not found. | False |
| DTBC-0056 | Chrome must be configured to allow only TLS. | Registry value not found. | False |
| DTBC-0057 | Safe Browsing Extended Reporting must be disabled. | Registry value not found. | False |
| DTBC-0058 | WebUSB must be disabled. | Compliant | True |
| DTBC-0060 | Chrome Cleanup must be disabled. | Registry value is '1'. Expected: 0 | False |
| DTBC-0061 | Chrome Cleanup reporting must be disabled. | Compliant | True |
| DTBC-0063 | Google Cast must be disabled. | Compliant | True |
| DTBC-0066 | Anonymized data collection must be disabled. | Compliant | True |
| DTBC-0067 | Collection of WebRTC event logs must be disabled. | Registry value not found. | False |
Benchmark Compliance
Generated by the ATAPAuditor Module Version 5.1 by FB Pro GmbH. Get it in the Audit Test Automation Package. Are you seeing a lot of red sections? Check out our hardening solutions.
Based on:
- CIS Google Chrome Benchmark, Version: 2.0.0, Date: 2019-05-17
- DISA Google Chrome Security Technical Implementation Guide, Version: V1R15, Date: 2019-01-28
This report was generated on 09/02/2022 13:43:23 on DESKTOP-UTMU75K.fb-pro.com with ATAPHtmlReport version 1.8.
System information
| Hostname | DESKTOP-UTMU75K.fb-pro.com |
|---|---|
| Domain role | Member Workstation |
| Operating System | Microsoft Windows 10 Pro |
| Build Number | 19044 |
| Installation Language | English (United States) |
| Free disk space (GB) | 29.1 |
| Free physical memory (GB) | 13.8% (2.7 GB / 19.7 GB) |
Current Risk Score on tested System: N/A
Risk Score calculation implemented for Microsoft Windows OS for now.
Severity
Quantity
Critical
High
Medium
Low
Critical
High
Medium
Low
A total of 103 tests have been executed.
- True 88 test(s) ≙ 85.44%
- False 15 test(s) ≙ 14.56%
- Warning 0 test(s) ≙ 0.00%
- None 0 test(s) ≙ 0.00%
- Error 0 test(s) ≙ 0.00%
CIS Recommendations
A total of 67 tests have been executed in section CIS Recommendations.
- True 67 test(s) ≙ 100.00%
- False 0 test(s) ≙ 0.00%
- Warning 0 test(s) ≙ 0.00%
- None 0 test(s) ≙ 0.00%
- Error 0 test(s) ≙ 0.00%
DISA Recommendations
A total of 36 tests have been executed in section DISA Recommendations.
- True 21 test(s) ≙ 58.33%
- False 15 test(s) ≙ 41.67%
- Warning 0 test(s) ≙ 0.00%
- None 0 test(s) ≙ 0.00%
- Error 0 test(s) ≙ 0.00%
Risk Score
To get a quick overview of how risky the tested system is, the Risk Score is used. This is made up of the areas "Severity" and "Quantity". The higher risk is used as the overall risk.
Current Risk Score on tested System:
Severity
Quantity
Critical
High
Medium
Low
Critical
High
Medium
Low
Risk Score Calculation
The calculation of the Risk Score is based on the set of compliant rules at the quantity level and also at the severity level.
| Compliance to Benchmarks (Quantity) | Risk Assessment |
|---|---|
| 85% < X | Low |
| 70% < X < 85% | Medium |
| 55% < X < 70% | High |
| X < 55% | Critical |
| Compliance to Benchmarks (Severity) | Risk Assessment |
|---|---|
| X = 0 | Low |
| X > 1 | Critical |
Severity Compliance
-| Id | Task | Status |
|---|---|---|
| 18.6.3 | (L1) Ensure 'Point and Print Restrictions: When updating drivers for an existing connection' is set to 'Enabled: Show warning and elevation prompt' | False |
| 18.9.47.9.2 | (L1) Ensure 'Turn off real-time protection' is set to 'Disabled' | False |
| 18.3.6 | (L1) Ensure 'WDigest Authentication' is set to 'Disabled' | True |
| 18.9.47.5.1.2 A | (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office communication application from creating child processes) | True |
| 18.9.47.5.1.2 B | (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from creating executable content) | True |
| 18.9.47.5.1.2 C | (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block execution of potentially obfuscated scripts) | True |
| 18.9.47.5.1.2 D | (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from injecting code into other processes) | True |
| 18.9.47.5.1.2 E | (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Adobe Reader from creating child processes) | True |
| 18.9.47.5.1.2 F | (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Win32 API calls from Office macro) | True |
| 18.9.47.5.1.2 G | (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block credential stealing from the Windows local security authority subsystem (lsass.exe)) | True |
| 18.9.47.5.1.2 H | (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block untrusted and unsigned processes that run from USB) | True |
| 18.9.47.5.1.2 I | (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block executable content from email client and webmail) | True |
| 18.9.47.5.1.2 J | (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block JavaScript or VBScript from launching downloaded executable content) | True |
| 18.9.47.5.1.2 K | (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from creating child processes) | True |
| 18.9.47.5.1.2 L | (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block persistence through WMI event subscription) | False |
| 7.9 A | (L1) Ensure RC4 Cipher Suites is Disabled (RC4 40/128) | True |
| 7.9 B | (L1) Ensure RC4 Cipher Suites is Disabled (RC4 56/128) | True |
| 7.9 C | (L1) Ensure RC4 Cipher Suites is Disabled (RC4 64/128) | True |
| 7.9 D | (L1) Ensure RC4 Cipher Suites is Disabled (RC4 128/128) | True |
| 1.1.7 | (L1) Ensure 'Store passwords using reversible encryption' is set to 'Disabled' | True |
| 2.3.11.4 | (L1) Ensure 'Network security: Configure encryption types allowed for Kerberos' is set to 'AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types' | True |
| 2.3.11.5 | (L1) Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled' | True |
| 18.6.2 | (L1) Ensure 'Point and Print Restrictions: When installing drivers for a new connection' is set to 'Enabled: Show warning and elevation prompt' | False |
| 18.3.3 | (L1) Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver' | True |
| 18.3.3 | (L1) Ensure 'Configure SMB v1 server' is set to 'Disabled' | True |
| 18.9.58.3.10.1 | (L2) Ensure 'Set time limit for active but idle Remote Desktop Services sessions' is set to 'Enabled: 15 minutes or less' | True |
| 18.9.58.3.10.2 | (L2) Ensure 'Set time limit for disconnected sessions' is set to 'Enabled: 1 minute' | True |
| 2.3.5.2 | (L1) Ensure 'Domain controller: LDAP server signing requirements' is set to 'Require signing' (DC only) | False |
| 9.1.7 | (L1) Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes' | True |
| 9.1.8 | (L1) Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes' | True |
| 2.2.38 | (L1) Ensure 'Manage auditing and security log' is set to 'Administrators' (MS only) | True |
| 3.1.1_1 | Configuration of the lowest possible telemetry-level (Enterprise Windows 10) | True |
| 3.1.1_2 | Configuration of the lowest possible telemetry-level (Non-Enterprise Windows 10) | None |
| 3.1.2.1 | Deactivation of the telemetry service and ETW-sessions - disable service DiagTrack | True |
| 3.1.2.2 | Deactivation of the telemetry service and ETW-sessions - disable service Autologger-Diatrack-Listener | True |
| 3.1.3.1.1 | Deactivation of telemetry according to Microsoft - Windows Update | False |
| 3.1.3.1.2 | Deactivation of telemetry according to Microsoft - Cloud-Based-Protection: disable MAPS | True |
| 3.1.3.1.3 | Deactivation of telemetry according to Microsoft - Cloud-Based-Protection: never send sample files | True |
About us
What makes FB Pro GmbH different
What do we want?
Protect our customers' data and information - and thus implicitly contribute to the safe use of the Internet.
How we achieve this?
We implement in-depth IT security for our customers. And we always do so in a state-of-the-art, efficient and automated manner.
Check out our hardening solution
Check out our Audit Report Tool here
