255
1030
1286
80.09
32
5
Settings Overview
Table Of Content
Click the link(s) below for quick access to a report section.
- General Benchmarks
- BSI Benchmarks SiSyPHuS Logging
- BSI Benchmarks SiSyPHuS HD
- BSI Benchmarks SiSyPHuS ND
- BSI Benchmarks SiSyPHuS NE
- BSI Benchmarks SiM-08202 - BPOL
General Benchmarks-↑
This section contains general benchmarks
Security Base Data-↑
This section contains basic recommendations for a secure Microsoft Windows configuration.
| Id | Task | Message | Status |
|---|---|---|---|
| SBD-001 | Ensure the system is booting in 'UEFI' mode. | Compliant | True |
| SBD-002 | Ensure the system is using SecureBoot. | Compliant | True |
| SBD-003 | Ensure the TPM Chip is 'present'. | Compliant | True |
| SBD-004 | Ensure the TPM Chip is 'ready'. | Compliant | True |
| SBD-005 | Ensure the TPM Chip is 'enabled'. | Compliant | True |
| SBD-006 | Ensure the TPM Chip is 'activated'. | Compliant | True |
| SBD-007 | Ensure the TPM Chip is 'owned'. | Compliant | True |
| SBD-008 | Ensure the TPM Chip is implementing specification version 2.0 or higher. | Compliant | True |
| SBD-009 | Get the count of local users on the system. | System has 6 or more local users. | False |
| SBD-010 | Get the count of admin users on the system. | System has 6 or more admin users. | False |
| SBD-011 | Ensure the status of the Bitlocker service is 'Running'. | Compliant | True |
| SBD-012 | Ensure that Bitlocker is activated on all volumes. | Bitlocker is not activated on all volumes. | False |
| SBD-013 | Ensure the status of the Windows Defender service is 'Running'. | Compliant | True |
| SBD-014 | Ensure the status of the Microsoft Defender for Endpoint service is 'Running'. | Service is not 'Running' (More info). | False |
| SBD-015 | Ensure the Windows Firewall is enabled on all profiles. | Compliant | True |
| SBD-016 | Check if the last successful search for updates was in the past 24 hours. | Compliant | True |
| SBD-017 | Check if the last successful installation of updates was in the past 5 days. | Compliant | True |
| SBD-018 | Ensure Virtualization Based Security is enabled and running. | Compliant | True |
| SBD-019 | Ensure Hypervisor-protected Code Integrity (HVCI) is running. | Compliant | True |
| SBD-020 | Ensure Credential Guard is running. | Compliant | True |
| SBD-021 | Ensure the Attack Surface Reduction (ASR) rules are enabled. | 11 ASR rules are activated. For more information on the ASR rules, check corresponding benchmarks. | Warning |
| SBD-022 | Ensure Windows Defender Application Guard is enabled. | Windows Defender Application Guard is not enabled. | False |
BSI Benchmarks SiSyPHuS Logging-↑
This section contains the BSI Benchmark results.
Registry Settings/Group Policies-↑
| Id | Task | Message | Status |
|---|---|---|---|
| 4.1.1 | Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled' | Compliant | True |
| 4.1.2 | Ensure 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' is set to 'Enabled' | Compliant | True |
| 4.2.1.1 | Ensure 'Windows Firewall: Domain: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\domainfw.log' | Compliant | True |
| 4.2.1.2 | Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16,384 KB or greater' | Compliant | True |
| 4.2.1.3 | Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes' | Compliant | True |
| 4.2.1.4 | Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes' | Compliant | True |
| 4.2.2.1 | Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\privatefw.log' | Compliant | True |
| 4.2.2.2 | Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16,384 KB or greater' | Compliant | True |
| 4.2.2.3 | Ensure 'Windows Firewall: Private: Logging: Log dropped packets' is set to 'Yes' | Compliant | True |
| 4.2.2.4 | Ensure 'Windows Firewall: Private: Logging: Log successful connections' is set to 'Yes' | Compliant | True |
| 4.2.3.1 | Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No' | Compliant | True |
| 4.2.3.2 | Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No' | Compliant | True |
| 4.2.3.3 | Ensure 'Windows Firewall: Public: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\publicfw.log' | Compliant | True |
| 4.2.3.4 | Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16,384 KB or greater' | Compliant | True |
| 4.3.1.1 | Ensure 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' is set to 'Enabled: 90% or less' | Compliant | True |
| 4.3.2.1.1 | Ensure 'Application: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater' | Compliant | True |
| 4.3.2.1.2 | Ensure 'Application: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' | Compliant | True |
| 4.3.2.2.1 | Ensure 'Setup: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater' | Compliant | True |
| 4.3.2.2.2 | Ensure 'Setup: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' | Compliant | True |
| 4.3.2.3.1 | Ensure 'Security: Specify the maximum log file size (KB)' is set to 'Enabled: 196,608 or greater' | Compliant | True |
| 4.3.2.3.2 | Ensure 'Security: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' | Compliant | True |
| 4.3.2.4.1 | Ensure 'System: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater' | Compliant | True |
| 4.3.2.4.2 | Ensure 'System: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' | Compliant | True |
| 4.3.3.1 | Ensure 'Include command line in process creation events' is set to 'Disabled' | Compliant | True |
| 4.3.4.2 | Ensure 'Turn on PowerShell Script Block Logging' is set to 'Disabled' | Compliant | True |
| 4.3.4.3 | Ensure 'Turn on PowerShell Transcription' is set to 'Disabled' | Compliant | True |
Advanced Audit Policy Configuration-↑
| Id | Task | Message | Status |
|---|---|---|---|
| 5.1.1.1 | Ensure 'Audit Credential Validation' is set to 'Success and Failure' | Compliant | True |
| 5.1.1.2 | Ensure 'Audit User Account Management' is set to 'Success and Failure' | Compliant | True |
| 5.1.1.3 | Ensure 'Audit Account Lockout' is set to include 'Failure' | Compliant | True |
| 5.1.1.4 | Ensure 'Audit Group Membership' is set to include 'Success' | Compliant | True |
| 5.1.1.5 | Ensure 'Audit Logoff' is set to include 'Success' | Compliant | True |
| 5.1.1.6 | Ensure 'Audit Logon' is set to 'Success and Failure' | Compliant | True |
| 5.1.1.7 | Ensure 'Audit Other Logon/Logoff Events' is set to 'Success and Failure' | Compliant | True |
| 5.1.1.8 | Ensure 'Audit Special Logon' is set to include 'Success' | Compliant | True |
| 5.2.1.1 | Ensure 'Audit Other System Events' is set to 'Success and Failure' | Compliant | True |
| 5.2.1.2 | Ensure 'Audit Security State Change' is set to include 'Success' | Compliant | True |
| 5.2.1.3 | Ensure 'Audit Security System Extension' is set to include 'Success' | Compliant | True |
| 5.2.1.4 | Ensure 'Audit System Integrity' is set to 'Success and Failure' | Compliant | True |
| 5.2.1.5 | Ensure 'Audit File Share' is set to 'Success and Failure' | Compliant | True |
| 5.2.1.6 | Ensure 'Audit Detailed File Share' is set to include 'Failure' | Compliant | True |
| 5.2.1.7 | Ensure 'Audit Other Object Access Events' is set to 'Success and Failure' | Compliant | True |
| 5.2.1.8 | Ensure 'Audit Removable Storage' is set to 'Success and Failure' | Compliant | True |
| 5.2.1.9 | Ensure 'Audit PNP Activity' is set to include 'Success' | Compliant | True |
| 5.3.1.1 | Ensure 'Audit Security Group Management' is set to include 'Success' | Compliant | True |
| 5.3.1.2 | Ensure 'Audit Audit Policy Change' is set to include 'Success' | Compliant | True |
| 5.3.1.3 | Ensure 'Audit Authentication Policy Change' is set to include 'Success' | Compliant | True |
| 5.3.1.4 | Ensure 'Audit Authorization Policy Change' is set to include 'Success' | Compliant | True |
| 5.3.1.5 | Ensure 'Audit MPSSVC Rule-Level Policy Change' is set to 'Success and Failure' | Compliant | True |
| 5.3.1.6 | Ensure 'Audit Other Policy Change Events' is set to include 'Failure' | Compliant | True |
| 5.5.1.1 | Ensure 'Audit Process Creation' is set to include 'Success' | Compliant | True |
| 5.5.1.2 | Ensure 'Audit Sensitive Privilege Use' is set to 'Success and Failure' | Compliant | True |
BSI Benchmarks SiSyPHuS HD-↑
This section contains the BSI Benchmark results.
Registry Settings/Group Policies-↑
| Id | Task | Message | Status |
|---|---|---|---|
| 1 | (ND, NE) Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled'. | Compliant | True |
| 2 | (ND, NE) Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver. | Compliant | True |
| 3 | (ND, NE) Ensure 'Configure SMB v1 server' is set to 'Disabled'. | Compliant | True |
| 4 | (ND, NE) Ensure 'Enable Structured Exception Handling OverwriteProtection (SEHOP)' is set to 'Enabled'. | Compliant | True |
| 5 | (ND, NE) Ensure 'WDigest Authentication' is set to 'Disabled'. | Compliant | True |
| 7 | (ND, NE) Ensure 'MSS: (EnableDeadGWDetect) Allow automatic detection of dead network gateways (could lead to DoS)' is set to 'Disabled'. | Registry value not found. | False |
| 8 | (ND, NE) Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon(not recommended)' is set to 'Disabled'. | Compliant | True |
| 9 | (ND, NE) Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routingprotection level (protects against packet spoofing)' is set to 'Enabled:Highest protection, source routing is completely disabled'. | Compliant | True |
| 10 | (ND, NE) Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled:Highest protection, source routing is completely disabled'. | Compliant | True |
| 11 | (HD) Ensure 'MSS: (DisableSavePassword) Prevent the dial-up password from being saved' is set to 'Enabled'. | Compliant | True |
| 12 | (ND, NE) Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled'. | Compliant | True |
| 13 | (HD) Ensure 'MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds' is set to 'Enabled: 300,000 or 5 minutes (recommended)'. | Compliant | True |
| 14 | (ND, NE) Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled'. | Compliant | True |
| 15 | (HD) Ensure 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)' is set to 'Disabled'. | Compliant | True |
| 16 | (ND, NE) Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' is set to 'Enabled'. | Compliant | True |
| 17 | (ND, NE) Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' is set to 'Enabled: 5 or fewer seconds' | Compliant | True |
| 18 | (HD) Ensure 'MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'. | Compliant | True |
| 19 | (HD) Ensure 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3. | Compliant | True |
| 20 | (ND, NE) Ensure 'Turn off multicast name resolution' is set to 'Enabled'. | Compliant | True |
| 21 | (ND, NE) Ensure 'NetBIOS node type' is set to 'P-node'. | Compliant | True |
| 22 | (ND, NE) Ensure 'Enable insecure guest logons' is set to 'Disabled'. | Compliant | True |
| 23 | (HD) Ensure 'Turn off Microsoft Peer-to-Peer Networking Services' is set to 'Enabled' | Compliant | True |
| 24_1 | (ND, NE) Ensure 'Hardened UNC Paths' is set to "Require Mutual Authentication=1, "Require Integrity=1" for the value names "\\*\NETLOGON" und "\\*\SYSVOL". | Compliant | True |
| 24_2 | (ND, NE) Ensure 'Hardened UNC Paths' is set to "Require Mutual Authentication=1, "Require Integrity=1" for the value names "\\*\NETLOGON" und "\\*\SYSVOL". | Compliant | True |
| 25 | (ND) Ensure 'Require domain users to elevate when setting a network's location' is set to 'Enabled'. | Compliant | True |
| 26 | (ND) Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled'. | Compliant | True |
| 27 | (ND) Ensure 'Prohibit use of Internet Connection Sharing on your DNS domain network' is set to 'Enabled'. | Compliant | True |
| 28 | (HD) Ensure 'Enable Font Providers' is set to 'Disabled'. | Compliant | True |
| 29 | (HD) Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled'. | Compliant | True |
| 30 | (HD) Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled'. | Compliant | True |
| 31 | (HD) Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled'. | Compliant | True |
| 32 | (HD) Ensure 'Prohibit access of the Windows Connect Now wizards' is set to 'Enabled'. | Compliant | True |
| 33 | (ND, NE) Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to the value 'Enabled: 1 = Minimize the number of simultaneous connections'. | Registry value not found. | False |
| 34 | (ND) Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled' | Compliant | True |
| 35 | (ND, NE) Ensure 'Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services' is set to 'Disabled'. | Compliant | True |
| 36 | (HD) Ensure 'Turn off notifications network usage' is set to 'Enabled'. | Compliant | True |
| 37 | (ND, NE) Ensure 'Turn off toast notifications on the lock screen' is set to 'Enabled'. | Registry value not found. | False |
| 38 | (HD) Ensure 'Turn off Help Experience Improvement Program' is set to 'Enabled'. | Registry key not found. | False |
| 39 | (ND, NE) Ensure 'Turn off picture password sign-in' is set to 'Enabled'. | Compliant | True |
| 40 | (ND, NE) Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled'. | Compliant | True |
| 41 | (ND, NE) Ensure 'Block user from showing account details on signin' is set to 'Enabled'. | Compliant | True |
| 42 | (ND) Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled'. | Compliant | True |
| 43 | (ND) Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled'. | Compliant | True |
| 44 | (ND, NE) Ensure 'Do not display network selection UI' is set to 'Enabled'. | Compliant | True |
| 45 | (ND) Ensure 'Do not enumerate connected users on domain-joined computers' is set to 'Enabled'. | Compliant | True |
| 46 | (ND, NE) Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical'. | Compliant | True |
| 47 | (HD) Ensure 'Turn off the advertising ID' is set to 'Enabled'. | Compliant | True |
| 48 | (HD) Ensure 'Allow upload of User Activities' is set to 'Disabled'. | Compliant | True |
| 49 | (HD) Ensure 'Allow Clipboard synchronization across devices' is set to 'Disabled'. | Compliant | True |
| 50 | (ND, NE) Ensure 'Encryption Oracle Remediation' is set to 'Enabled: Force Updated Clients'. | Compliant | True |
| 51 | (ND) Ensure 'Remote host allows delegation of non-exportable credentials' is set to 'Enabled'. | Compliant | True |
| 52 | (ND, NE) Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled' . | Compliant | True |
| 53 | (ND, NE) Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled'. | Compliant | True |
| 54 | (ND, NE) Ensure 'Allow network connectivity during connected-standby (on battery)' is set to 'Disabled'. | Compliant | True |
| 55 | (ND, NE) Ensure 'Allow network connectivity during connected-standby (plugged in)' is set to 'Disabled'. | Compliant | True |
| 56 | (ND, NE) Ensure 'Allow standby states (S1-S3) when sleeping (on battery)' is set to 'Disabled'. | Compliant | True |
| 57 | (ND, NE) Ensure 'Allow standby states (S1-S3) when sleeping (plugged in)' is set to 'Disabled'. | Compliant | True |
| 58 | (HD) Ensure 'Disallow copying of user input methods to the system account for sign-in' is set to 'Enabled'. | Compliant | True |
| 59 | (ND, NE) Ensure 'Prevent installation of devices that match any of these device IDs' is configured. | Registry value not found. | False |
| 60 | (ND, NE) Ensure 'Prevent installation of devices using drivers that match these device setup classes' is configured. | Compliant | True |
| 61 | (ND, NE) Ensure 'Continue experiences on this device' is set to 'Disabled'. | Compliant | True |
| 62 | (ND) Ensure 'Turn off background refresh of Group Policy' is set to 'Disabled'. | Compliant | True |
| 63 | (ND) Ensure 'Configure registry policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE'. | Compliant | True |
| 64 | (ND) Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE'. | Compliant | True |
| 65 | (ND) Ensure 'Configure security policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled'. | Registry key not found. | False |
| 66 | (HD) Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled'. | Compliant | True |
| 67 | (HD) Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled'. | Compliant | True |
| 68 | (ND, NE) Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'. | Compliant | True |
| 69 | (HD) Ensure 'Turn off printing over HTTP' is set to 'Enabled'. | Compliant | True |
| 70 | (HD) Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'. | Registry key not found. | False |
| 71 | (HD) Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled'. | Compliant | True |
| 72 | (HD) Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'. | Compliant | True |
| 73 | (HD) Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'. | Compliant | True |
| 74 | (ND, NE) Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'. | Compliant | True |
| 75 | (HD) Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'. | Compliant | True |
| 76 | (HD) Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'. | Compliant | True |
| 77 | (HD) Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'. | Compliant | True |
| 78 | (HD) Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'. | Compliant | True |
| 79 | (HD) Ensure 'Turn off access to the Store' is set to 'Enabled'. | Compliant | True |
| 80 | (HD) Ensure 'Support device authentication using certificate' is set to 'Enabled: Automatic'. | Compliant | True |
| 81 | (ND, NE) Ensure 'Enumeration policy for external devices incompatible with Kernel DMA Protection' is set to 'Enabled: Block All'. | Compliant | True |
| 82 | (HD) Ensure 'Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider' is set to 'Disabled' . | Compliant | True |
| 83 | (HD) Ensure 'Enable/Disable PerfTrack' is set to 'Disabled'. | Compliant | True |
| 84 | (ND, NE) Ensure 'Restrict Unauthenticated RPC clients' is set to 'Enabled: Authenticated' . | Compliant | True |
| 85 | (ND, NE) Ensure 'Enable RPC Endpoint Mapper Client Authentication' is set to 'Enabled'. | Compliant | True |
| 86 | (ND, NE) Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled'. | Compliant | True |
| 87 | (ND, NE) Ensure 'Configure Offer Remote Assistance' is set to 'Disabled'. | Compliant | True |
| 88 | (ND, NE) Ensure 'Ignore the default list of blocked TPM commands' is set to 'Disabled'. | Registry key not found. | False |
| 89 | (ND, NE) Ensure 'Standard User Lockout Duration' is set to '30 minutes'. | Registry value not found. | False |
| 90 | (ND, NE) Ensure 'Standard User Total Lockout Threshold' is set to '5'. | Registry value not found. | False |
| 91 | (HD) Ensure 'Enable Windows NTP Client' is set to 'Enabled'. | Registry key not found. | False |
| 92 | (HD) Ensure 'Enable Windows NTP Server' is set to 'Disabled'. | Registry key not found. | False |
| 93 | (HD) Ensure 'Allow Online Tips' is set to 'Disabled'. | Compliant | True |
| 94 | (ND, NE) Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled'. | Compliant | True |
| 95 | (ND, NE) Ensure 'Prevent enabling lock screen camera' is set to 'Enabled'. | Compliant | True |
| 96 | (ND, NE) Ensure 'Force specific screen saver: Screen saver executable name' is set to 'Enabled: scrnsave.scr'. | Registry key not found. | False |
| 97 | (ND, NE) Ensure 'Enable screen saver' is set to 'Enabled'. | Registry key not found. | False |
| 98 | (ND, NE) Ensure 'Password protect the screen saver' is set to 'Enabled'. | Registry key not found. | False |
| 99 | (ND, NE) Ensure 'Screen saver timeout' is set to 'Enabled: 900 seconds or fewer, but not 0'. | Registry key not found. | False |
| 100_1 | (ND, NE) Ensure 'Turn off automatic learning' is set to 'Enabled' for ImplicitTextCollection. | Registry value not found. | False |
| 100_2 | (ND, NE) Ensure 'Turn off automatic learning' is set to 'Enabled' for ImplicitInkCollection. | Registry value not found. | False |
| 101 | (ND, NE) Ensure 'Allow users to enable online speech recognition services' is set to 'Disabled'. | Compliant | True |
| 102 | (ND, NE) Ensure 'Notify antivirus programs when opening attachments' is set to 'Enabled'. | Registry key not found. | False |
| 103 | (ND, NE) Ensure 'Do not preserve zone information in file attachments' is set to 'Disabled'. | Registry key not found. | False |
| 104 | (HD) Ensure 'Block launching Universal Windows apps with Windows Runtime API access from hosted content.' is set to 'Enabled'. | Compliant | True |
| 105 | (ND) Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled'. | Compliant | True |
| 106 | (ND, NE) Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled'. | Compliant | True |
| 107 | (ND, NE) Ensure 'Do not display the password reveal button' is set to 'Enabled'. | Compliant | True |
| 108 | (HD) Ensure 'Allow a Windows app to share application data between users' is set to 'Disabled'. | Compliant | True |
| 109 | (ND, NE) Ensure 'Configure enhanced anti-spoofing' is set to 'Enabled'. | Compliant | True |
| 110 | (HD) Ensure 'Turn off all Windows spotlight features' is set to 'Enabled'. | Registry value not found. | False |
| 111 | (HD) Ensure 'Do not use diagnostic data for tailored experiences' is set to 'Enabled'. | Registry value not found. | False |
| 112 | (ND, NE) Ensure 'Do not suggest third-party content in Windows spotlight' is set to 'Enabled'. | Registry value not found. | False |
| 113 | (ND, NE) Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled'. | Compliant | True |
| 114 | (ND, NE) Ensure 'Configure Windows spotlight on lock screen' is set to Disabled'. | Registry value not found. | False |
| 115 | (ND, NE) Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled'. | Compliant | True |
| 116 | (ND, NE) Ensure 'Turn off shell protocol protected mode' is set to 'Disabled'. | Compliant | True |
| 117 | (ND, NE) Ensure 'Turn off heap termination on corruption' is set to 'Disabled'. | Compliant | True |
| 118 | (ND, NE) Ensure 'Toggle user control over Insider builds' is set to 'Disabled'. | Compliant | True |
| 119 | (ND, NE) Ensure 'Do not show feedback notifications' is set to 'Enabled'. | Compliant | True |
| 120 | (ND, NE) Ensure 'Allow Telemetry' is set to 'Enabled: 0 – Security [Enterprise Only]'. | Compliant | True |
| 121 | (ND, NE) Ensure 'Allow device name to be sent in Windows diagnostic data' is set to 'Disabled'. | Registry value not found. | False |
| 122 | (HD) Ensure 'Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service' is set to 'Enabled: Disable Authenticated Proxy usage'. | Compliant | True |
| 123 | (HD) Ensure 'Allow Use of Camera' is set to 'Disabled'. | Registry value is '1'. Expected: 0 | False |
| 124 | (ND, NE) Ensure 'Block all consumer Microsoft account user authentication' is set to 'Enabled'. | Compliant | True |
| 125 | (HD) Ensure 'Allow Message Service Cloud Sync' is set to 'Disabled'. | Compliant | True |
| 126 | (ND, NE) Ensure 'Prevent users from sharing files within their profile.' is set to 'Enabled'. | Registry key not found. | False |
| 127 | (ND, NE) Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled'. | Registry key not found. | False |
| 128 | (HD) Ensure 'Turn off location' is set to 'Enabled'. | Compliant | True |
| 129 | (HD) Ensure 'Turn off Push To Install service' is set to 'Enabled'. | Compliant | True |
| 130 | (HD) Ensure 'Do not allow COM port redirection' is set to 'Enabled'. | Compliant | True |
| 131 | (ND, NE) Ensure 'Do not allow drive redirection' is set to 'Enabled'. | Compliant | True |
| 132 | (HD) Ensure 'Do not allow LPT port redirection' is set to 'Enabled'. | Compliant | True |
| 133 | (HD) Ensure 'Do not allow supported Plug and Play device redirection' is set to 'Enabled'. | Compliant | True |
| 134 | (ND, NE) Ensure 'Always prompt for password upon connection' is set to 'Enabled'. | Compliant | True |
| 135 | (ND, NE) Ensure 'Require user authentication for remote connections by using Network Level Authentication' is set to 'Enabled'. | Compliant | True |
| 136 | (ND, NE) Ensure 'Require secure RPC communication' is set to 'Enabled'. | Compliant | True |
| 137 | (ND, NE) Ensure 'Set client connection encryption level' is set to 'Enabled: High Level'. | Compliant | True |
| 138 | (ND, NE) Ensure 'Require use of specific security layer for remote (RDP) connections' is set to 'Enabled: SSL'. | Compliant | True |
| 139 | (ND, NE) Ensure 'End session when time limits are reached' is set to 'Enabled'. | Registry key not found. | False |
| 140 | (HD) Ensure 'Set time limit for active but idle Remote Desktop Services sessions' is set to 'Enabled: 15 minutes or less'. | Compliant | True |
| 141 | (HD) Ensure 'Set time limit for disconnected sessions' is set to 'Enabled: 1 minute'. | Compliant | True |
| 142 | (ND, NE) Ensure 'Do not use temporary folders per session' is set to 'Disabled'. | Registry value not found. | False |
| 143 | (ND, NE) Ensure 'Do not delete temp folders upon exit' is set to 'Disabled'. | Compliant | True |
| 144 | (HD) Ensure 'Allow users to connect remotely by using Remote Desktop Services' is set to 'Disabled'. | Compliant | True |
| 145 | (ND, NE) Ensure 'Do not allow passwords to be saved' is set to 'Enabled'. | Compliant | True |
| 146 | (ND, NE) Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled' | Compliant | True |
| 147 | (ND, NE) Ensure 'Turn off Autoplay' is set to 'Enabled: All drives'. | Compliant | True |
| 148 | (ND, NE) Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands'. | Compliant | True |
| 149 | (ND, NE) Ensure 'Prevent downloading of enclosures' is set to 'Enabled'. | Compliant | True |
| 150 | (HD) Ensure 'Turn off KMS Client Online AVS Validation' is set to 'Enabled'. | Compliant | True |
| 151 | (HD) Ensure 'Disable all apps from Microsoft Store' is set to 'Enabled'. | Registry value not found. | False |
| 152 | (ND, NE) Ensure 'Turn off Automatic Download and Install of updates' is set to 'Disabled'. | Compliant | True |
| 153 | (ND, NE) Ensure 'Turn off the offer to update to the latest version of Windows' is set to 'Enabled'. | Compliant | True |
| 154 | (HD) Ensure 'Only display the private store within the Microsoft Store' is set to 'Enabled'. | Compliant | True |
| 155 | (HD) Ensure 'Turn off the Store application' is set to 'Enabled'. | Compliant | True |
| 156 | (HD) Ensure 'Allow Cloud Search' is set to 'Enabled: Disable Cloud Search'. | Compliant | True |
| 157 | (ND, NE) Ensure 'Allow search and Cortana to use location' is set to 'Disabled'. | Compliant | True |
| 158 | (ND, NE) Ensure 'Allow indexing of encrypted files' is set to 'Disabled'. | Compliant | True |
| 159 | (ND, NE) Ensure 'Improve inking and typing recognition' is set to 'Disabled'. | Registry key not found. | False |
| 160 | (ND, NE) Ensure 'Download Mode' is set to 'Enabled: Simple (99)' . | Registry value is '1'. Expected: 99 | False |
| 161 | (ND, NE) Ensure 'Require pin for pairing' is set to 'Enabled: Always'. | Compliant | True |
| 162 | (ND, NE) Ensure 'Configure detection for potentially unwanted applications' is set to 'Enabled: Block'. | Compliant | True |
| 163 | (ND, NE) Ensure 'Turn off Windows Defender Antivirus' is set to 'Disabled'. | Compliant | True |
| 164 | (ND, NE) Ensure 'Configure Watson events' is set to 'Disabled'. | Compliant | True |
| 165 | (ND, NE) Ensure 'Turn on behavior monitoring' is set to 'Enabled'. | Compliant | True |
| 166 | (HD) Ensure 'Join Microsoft MAPS' is set to 'Disabled'. | Compliant | True |
| 167 | (ND, NE) Ensure 'Configure local setting override for reporting to Microsoft MAPS' is set to 'Disabled'. | Compliant | True |
| 168 | (ND, NE) Ensure 'Turn on e-mail scanning' is set to 'Enabled'. | Compliant | True |
| 169 | (ND, NE) Ensure 'Scan removable drives' is set to 'Enabled'. | Compliant | True |
| 170 | (ND, NE) Ensure 'Prevent users and apps from accessing dangerous websites' is set to 'Enabled: Block'. | Compliant | True |
| 171 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules' is set to 'Enabled'. | Registry value not found. | False |
| 172_1 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office communication application from creating child processes) | Compliant | True |
| 172_2 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from creating executable content) | Compliant | True |
| 172_3 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block execution of potentially obfuscated scripts) | Compliant | True |
| 172_4 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from injecting code into other processes) | Compliant | True |
| 172_5 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Adobe Reader from creating child processes) | Compliant | True |
| 172_6 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Win32 API calls from Office macro) | Compliant | True |
| 172_7 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block credential stealing from the Windows local security authority subsystem (lsass.exe)) | Compliant | True |
| 172_8 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block untrusted and unsigned processes that run from USB) | Compliant | True |
| 172_9 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block executable content from email client and webmail) | Compliant | True |
| 172_10 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block JavaScript or VBScript from launching downloaded executable content) | Compliant | True |
| 172_11 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from creating child processes) | Compliant | True |
| 173 | (ND, NE) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent bypass'. | Compliant | True |
| 174 | (ND, NE) Ensure 'Prevent bypassing Windows Defender SmartScreen prompts for sites' is set to 'Enabled'. | Compliant | True |
| 175 | (ND, NE) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled'. | Compliant | True |
| 176 | (HD) Ensure 'Allow suggested apps in Windows Ink Workspace' is set to 'Disabled'. | Compliant | True |
| 177 | (ND, NE) Ensure 'Allow Windows Ink Workspace' is set to 'Enabled: On, but disallow access above lock' OR 'Disabled'. | Compliant | True |
| 178 | (ND, NE) Ensure 'Allow user control over installs' is set to 'Disabled'. | Compliant | True |
| 179 | (HD) Ensure 'Prevent Internet Explorer security prompt for Windows Installer scripts' is set to 'Disabled'. | Compliant | True |
| 180 | (ND, NE) Ensure 'Always install with elevated privileges' is set to 'Disabled' on local_machine. | Compliant | True |
| 181 | (ND, NE) Ensure 'Always install with elevated privileges' is set to 'Disabled' on current_user. | Registry key not found. | False |
| 182 | (HD) Ensure 'Prevent Codec Download' is set to 'Enabled'. | Registry key not found. | False |
| 184 | (HD) Ensure 'Turn on Script Execution' is set to 'Enabled: Allow only signed scripts'. | Registry key not found. | False |
| 185 | (ND, NE) Ensure 'Configure Automatic Updates' is set to 'Enabled: 4 Auto download and schedule the install'. | Compliant | True |
| 186 | (ND, NE) Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day'. | Compliant | True |
| 187 | (ND, NE) Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled'. | Compliant | True |
| 188 | (ND, NE) Ensure 'Remove access to "Pause updates" feature' is set to 'Enabled'. | Compliant | True |
| 189 | (ND, NE) Ensure 'Sign-in last interactive user automatically after a system-initiated restart' is set to 'Disabled'. | Compliant | True |
| 190 | (HD) Ensure 'Allow Remote Shell Access' is set to 'Disabled'. | Registry value is '1'. Expected: 0 | False |
| 191 | (ND, NE) Ensure 'Allow Basic authentication' is set to 'Disabled'. | Compliant | True |
| 192 | (ND, NE) Ensure 'Disallow Digest authentication' is set to 'Enabled'. | Compliant | True |
| 193 | (ND, NE) Ensure 'Allow unencrypted traffic' is set to 'Disabled'. | Compliant | True |
| 194 | (ND, NE) Ensure 'Allow Basic authentication' is set to 'Disabled'. | Compliant | True |
| 195 | (HD) Ensure 'Allow remote server management through WinRM' is set to 'Disabled'. | Registry value not found. | False |
| 196 | (ND, NE) Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled'. | Compliant | True |
| 197 | (ND, NE) Ensure 'Allow unencrypted traffic' is set to 'Disabled'. | Compliant | True |
| 198 | (ND, NE) Ensure 'Prevent users from modifying settings' is set to 'Enabled'. | Compliant | True |
| 199 | (ND, NE) Ensure 'Enables or disables Windows Game Recording and Broadcasting' is set to 'Disabled'. | Compliant | True |
| 209 | (ND, NE) Configure 'Interactive logon: Message title for users attempting to log on'. | Compliant | True |
| 210 | (ND, NE) Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled'. | Compliant | True |
| 211 | (ND, NE) Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled'. | Compliant | True |
| 212 | (ND, NE) Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled'. | Compliant | True |
| 213 | (ND, NE) Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled'. | Compliant | True |
| 214 | (ND, NE) Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled'. | Compliant | True |
| 215 | (ND, NE) Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled'. | Compliant | True |
| 216 | (ND, NE) Ensure 'User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop' is set to 'Disabled'. | Compliant | True |
| 217 | (ND, NE) Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure desktop'. | Compliant | True |
| 218 | (ND, NE) Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Prompt for credentials on the secure desktop'. | Registry value is '3'. Expected: 1 | False |
| 219 | (ND) Ensure 'Domain member: Disable machine account password changes' is set to 'Disabled'. | Compliant | True |
| 220 | (ND) Ensure 'Domain member: Digitally sign secure channel data (when possible)' is set to 'Enabled'. | Compliant | True |
| 221 | (ND) Ensure 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'Enabled'. | Compliant | True |
| 222 | (ND) Ensure 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'Enabled'. | Compliant | True |
| 223 | (ND) Ensure 'Domain member: Maximum machine account password age' is set to '30 or fewer days, but not 0'. | Compliant | True |
| 224 | (ND) Ensure 'Domain member: Require strong (Windows 2000 or later) session key' is set to 'Enabled'. | Compliant | True |
| 225 | (HD) Ensure 'Devices: Prevent users from installing printer drivers' is set to 'Enabled'. | Compliant | True |
| 226 | (ND, NE) Ensure 'Devices: Allowed to format and eject removable media' is set to 'Administrators and Interactive Users'. | Compliant | True |
| 227 | (ND, NE) Ensure 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days'. | Compliant | True |
| 228 | (HD) Ensure 'Interactive logon: Number of previous logons to cache (in case domain controller is not available)' is set to '4 or fewer logon(s)'. | Compliant | True |
| 229 | Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0'. | Compliant | True |
| 230 | (ND, NE) Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled'. | Compliant | True |
| 231 | (ND, NE) Configure 'Interactive logon: Message text for users attempting to log on'. | Compliant | True |
| 232 | (ND) Ensure 'Interactive logon: Machine account lockout threshold' is set to '10 or fewer invalid logon attempts, but not 0'. | Compliant | True |
| 233 | (ND) Ensure 'Interactive logon: Smart card removal behavior' is set to 'Lock Workstation' or higher. | Compliant | True |
| 234 | (ND, NE) Ensure 'Interactive logon: Don't display last signed-in' is setto 'Enabled'. | Compliant | True |
| 239 | (ND, NE) Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled'. | Compliant | True |
| 240 | (ND, NE) Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts'. | Compliant | True |
| 241 | (ND, NE) Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled'. | Registry value is '0'. Expected: 1 | False |
| 242 | (ND, NE) Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled'. | Compliant | True |
| 243 | (ND, NE) Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled'. | Compliant | True |
| 244 | (ND, NE) Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled'. | Compliant | True |
| 245 | (ND, NE) Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled'. | Registry value is '0'. Expected: 1 | False |
| 246 | (ND, NE) Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled'. | Registry value is '0'. Expected: 1 | False |
| 247 | (ND, NE) Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s)'. | Compliant | True |
| 248 | (ND) Ensure 'Microsoft network server: Server SPN target name validation level' is set to 'Accept if provided by client' or higher. | Compliant | True |
| 250 | (HD) Ensure 'Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers' is set to 'Deny all'. | Registry value not found. | False |
| 251 | (HD) Ensure 'Network security: Restrict NTLM: Incoming NTLM traffic' is set to 'Deny all accounts'. | Registry value not found. | False |
| 252 | (ND) Ensure 'Network security: Configure encryption types allowed for Kerberos' is set to 'AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types'. | Compliant | True |
| 253 | (ND, NE) Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled'. | Compliant | True |
| 254 | (ND, NE) Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only'. | Compliant | True |
| 255 | (ND, NE) Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'. | Compliant | True |
| 256 | (ND, NE) Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled'. | Compliant | True |
| 257 | (ND) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to 'Require NTLMv2 session security, Require 128-bit encryption'. | Compliant | True |
| 258 | (ND) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to 'Require NTLMv2 session security, Require 128-bit encryption'. | Compliant | True |
| 259 | (ND) Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signing' or higher. | Compliant | True |
| 260 | (ND, NE) Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled'. | Compliant | True |
| 261 | (ND, NE) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled'. | Compliant | True |
| 262 | (ND) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is set to 'Enabled'. | Compliant | True |
| 263 | (ND) Ensure 'Network access: Allow anonymous SID/Name translation' is set to 'Disabled'. | Registry value not found. | False |
| 264 | (ND, NE) Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled'. | Compliant | True |
| 265 | (ND, NE) Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow'. | Compliant | True |
| 266 | (ND) Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled'. | Compliant | True |
| 267 | (ND, NE) Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None'. | Compliant | True |
| 268 | (ND, NE) Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves'. | Compliant | True |
| 269 | (ND, NE) Ensure 'Network access: Named Pipes that can be accessed anonymously' is set to 'None'. | Compliant | True |
| 270 | (ND, NE) Configure 'Network access: Remotely accessible registry paths and sub-paths'. | Compliant | True |
| 271 | (ND, NE) Configure 'Network access: Remotely accessible registry paths'. | Compliant | True |
| 272 | (ND, NE) Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled'. | Compliant | True |
| 273 | (HD) Ensure 'System settings: Optional subsystems' is set to 'None'. | Compliant | True |
| 274 | (HD) Ensure 'System cryptography: Force strong key protection for user keys stored on the computer' is set to 'User is prompted when the key is first used'. | Compliant | True |
| 275 | (ND, NE) Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled'. | Compliant | True |
| 276 | (ND, NE) Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled'. | Compliant | True |
| 316 | (HD) Ensure 'Remote Desktop Services UserMode Port Redirector (UmRdpService)' is set to 'Disabled'. | Compliant | True |
| 317 | (ND, NE) Ensure 'Connected User Experiences and Telemetry' is set to 'Disabled'. | Registry value not found. | False |
| 318 | (HD) Ensure 'Bluetooth Audio Gateway Service (BTAGService)' is set to 'Disabled'. | Registry value is '3'. Expected: 4 | False |
| 319 | (HD) Ensure 'Bluetooth Support Service (bthserv)' is set to 'Disabled'. | Registry value is '3'. Expected: 4 | False |
| 320 | (ND, NE) Ensure 'Computer Browser (Browser)' is set to 'Disabled' or 'Not Installed'. | Compliant | True |
| 321 | (NE, ND) Ensure 'Internet Connection Sharing (ICS) (SharedAccess)' is set to 'Disabled'. | Compliant | True |
| 322 | (HD) Ensure 'Geolocation Service (lfsvc)' is set to 'Disabled'. | Compliant | True |
| 323 | (ND, NE) Ensure 'IIS Admin Service (IISADMIN)' is set to 'Disabled' or 'Not Installed'. | Compliant | True |
| 324 | (NE, ND) Ensure 'Infrared monitor service (irmon)' is set to 'Disabled'. | Compliant | True |
| 325 | (HD) Ensure 'Remote Desktop Configuration (SessionEnv)' is set to 'Disabled'. | Compliant | True |
| 326 | (ND, NE) Ensure 'LxssManager (LxssManager)' is set to 'Disabled' or 'Not Installed'. | Compliant | True |
| 327 | (HD) Ensure 'Downloaded Maps Manager (MapsBroker)' is set to 'Disabled'. | Compliant | True |
| 328 | (ND, NE) Ensure 'Microsoft FTP Service (FTPSVC)' is set to 'Disabled' or 'Not Installed'. | Compliant | True |
| 329 | (HD) Ensure 'Microsoft iSCSI Initiator Service (MSiSCSI)' is set to 'Disabled'. | Compliant | True |
| 330 | (HD) Ensure 'Microsoft Store Install Service (InstallService)' is set to 'Disabled'. | Registry value is '3'. Expected: 4 | False |
| 331 | (ND, NE) Ensure 'OpenSSH SSH Server (sshd)' is set to 'Disabled' or 'Not Installed'. | Compliant | True |
| 332 | (HD) Ensure 'Peer Name Resolution Protocol (PNRPsvc)' is set to 'Disabled'. | Compliant | True |
| 333 | (HD) Ensure 'Peer Networking Grouping (p2psvc)' is set to 'Disabled'. | Compliant | True |
| 334 | (HD) Ensure 'Peer Networking Identity Manager (p2pimsvc)' is set to 'Disabled'. | Compliant | True |
| 335 | (HD) Ensure 'PNRP Machine Name Publication Service (PNRPAutoReg)' is set to 'Disabled'. | Compliant | True |
| 336 | (HD) Ensure 'Remote Desktop Services (TermService)' is set to 'Disabled'. | Compliant | True |
| 337 | (HD) Ensure 'Remote Registry (RemoteRegistry)' is set to 'Disabled'. | Compliant | True |
| 338 | (ND, NE) Ensure 'Routing and Remote Access (RemoteAccess)' is set to 'Disabled'. | Compliant | True |
| 339 | (ND, NE) Ensure 'Remote Procedure Call (RPC) Locator (RpcLocator)' is set to 'Disabled'. | Compliant | True |
| 340 | (HD) Ensure 'Server (LanmanServer)' is set to 'Disabled'. | Compliant | True |
| 341 | (ND, NE) Ensure 'Simple TCP/IP Services (simptcp)' is set to 'Disabled' or 'Not Installed'. | Compliant | True |
| 342 | (HD) Ensure 'SNMP Service (SNMP)' is set to 'Disabled' or 'Not Installed'. | Compliant | True |
| 343 | (ND, NE) Ensure 'SSDP Discovery (SSDPSRV)' is set to 'Disabled'. | Compliant | True |
| 344 | (HD) Ensure 'Problem Reports and Solutions Control Panel Support (wercplsupport)' is set to 'Disabled'. | Compliant | True |
| 345 | (ND, NE) Ensure 'UPnP Device Host (upnphost)' is set to 'Disabled'. | Compliant | True |
| 346 | (HD) Ensure 'Link-Layer Topology Discovery Mapper (lltdsvc)' is set to 'Disabled'. | Compliant | True |
| 347 | (HD) Ensure 'Remote Access Auto Connection Manager (RasAuto)' is set to 'Disabled'. | Compliant | True |
| 348 | (ND, NE) Ensure 'Web Management Service (WMSvc)' is set to 'Disabled' or 'Not Installed'. | Compliant | True |
| 349 | (ND, NE) Ensure 'Windows Media Player Network Sharing Service (WMPNetworkSvc)' is set to 'Disabled'. | Compliant | True |
| 350 | (HD) Ensure 'Windows PushToInstall Service (PushToInstall)' is set to 'Disabled'. | Compliant | True |
| 351 | (HD) Ensure 'Windows Mobile Hotspot Service (icssvc)' is set to 'Disabled'. | Compliant | True |
| 352 | (HD) Ensure 'Windows Event Collector (Wecsvc)' is set to 'Disabled'. | Compliant | True |
| 353 | (HD) Ensure 'Windows Error Reporting Service (WerSvc)' is set to 'Disabled'. | Compliant | True |
| 354 | (HD) Ensure 'Windows Push Notifications System Service (WpnService)' is set to 'Disabled'. | Compliant | True |
| 355 | (HD) Ensure 'Windows Remote Management (WS-Management) (WinRM)' is set to 'Disabled'. | Registry value is '2'. Expected: 4 | False |
| 356 | (ND, NE) Ensure 'World Wide Web Publishing Service (W3SVC)' is set to 'Disabled' or 'Not Installed'. | Compliant | True |
| 357 | (ND, NE) Ensure 'Xbox Accessory Management Service (XboxGipSvc)' is set to 'Disabled'. | Compliant | True |
| 358 | (ND, NE) Ensure 'Xbox Live Auth Manager (XblAuthManager)' is set to 'Disabled'. | Compliant | True |
| 359 | (ND, NE) Ensure 'Xbox Live Networking Service (XboxNetApiSvc)' is set to 'Disabled'. | Compliant | True |
| 360 | (ND, NE) Ensure 'Xbox Live Game Save (XblGameSave)' is set to 'Disabled'. | Compliant | True |
| 361 | (ND) Ensure 'Windows Firewall: Domain: Outbound connections' is set to 'Allow (default)'. | Compliant | True |
| 362 | (ND) Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No'. | Compliant | True |
| 363 | (ND) Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)'. | Compliant | True |
| 364 | (ND) Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On (recommended)'. | Compliant | True |
| 365 | (ND, NE) Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow (default)' . | Compliant | True |
| 366 | (ND, NE) Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'No'. | Compliant | True |
| 367 | (ND, NE) Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)'. | Compliant | True |
| 368 | (ND, NE) Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)'. | Compliant | True |
| 369 | (ND, NE) Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No'. | Compliant | True |
| 370 | (ND, NE) Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No'. | Compliant | True |
| 371 | (ND, NE) Ensure 'Windows Firewall: Private: Outbound connections' is set to 'Allow (default)'. | Compliant | True |
| 372 | (ND, NE) Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No'. | Compliant | True |
| 373 | (ND, NE) Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)'. | Compliant | True |
| 374 | (ND, NE) Ensure 'Windows Firewall: Private: Firewall state' is set to 'On (recommended)'. | Compliant | True |
User Rights Assignment-↑
| Id | Task | Message | Status |
|---|---|---|---|
| 277 | (ND, NE) Ensure 'Change the system time' is set to 'Administrators, LOCAL SERVICE'. | Compliant | True |
| 278 | (ND, NE) Ensure 'Change the time zone' is set to 'Administrators, LOCAL SERVICE, Users'. | Compliant | True |
| 279 | (ND, NE) Ensure 'Increase scheduling priority' is set to 'Administrators, Window Manager\Window Manager Group'. | Compliant | True |
| 280 | (ND, NE) Ensure 'Deny log on as a batch job' to include 'ANONYMOUS LOGON, Guests'. | The user 'SeDenyBatchLogonRight' setting does not contain the following users: NT AUTHORITY\ANONYMOUS LOGON | False |
| 281 | (HD) Configure 'Log on as a service'. | The user right 'SeServiceLogonRight' contains following unexpected users: DESKTOP-UTMU75K\SQLServer2005SQLBrowserUser$DESKTOP-UTMU75K, NT SERVICE\ALL SERVICES, NT SERVICE\SQLTELEMETRY, NT SERVICE\SQLSERVERAGENT, NT SERVICE\MSSQLSERVER, NT VIRTUAL MACHINE\Virtual Machines | False |
| 282 | (ND, NE) Ensure 'Deny log on as a service' to include 'ANONYMOUS LOGON, Guests'. | The user 'SeDenyServiceLogonRight' setting does not contain the following users: NT AUTHORITY\ANONYMOUS LOGON | False |
| 283 | (HD) Ensure 'Log on as a batch job' is set to 'Administrators'. | The user right 'SeBatchLogonRight' contains following unexpected users: BUILTIN\Backup Operators, BUILTIN\Performance Log Users | False |
| 284 | (ND) Ensure 'Deny log on through Remote Desktop Services' to include 'ANONYMOUS LOGON, Guests, Local account'. | The user right 'SeDenyRemoteInteractiveLogonRight' contains following unexpected users: NT AUTHORITY\Local account (S-1-5-113) The user right 'SeDenyRemoteInteractiveLogonRight' setting does not contain the following users: NT AUTHORITY\ANONYMOUS LOGON (S-1-5-7), LOCAL (S-1-2-0) | False |
| 285 | (ND, NE) Ensure 'Allow log on through Remote Desktop Services' is set to 'Administrators, Remote Desktop Users'. | Compliant | True |
| 286 | (ND, NE) Ensure 'Impersonate a client after authentication' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'. | Compliant | True |
| 287 | (ND, NE) Ensure 'Adjust memory quotas for a process' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE'. | The user right 'SeIncreaseQuotaPrivilege' contains following unexpected users: NT SERVICE\SQLSERVERAGENT, NT SERVICE\MSSQLSERVER | False |
| 288 | (ND, NE) Ensure 'Access Credential Manager as a trusted caller' is set to 'No One'. | Compliant | True |
| 289 | (ND, NE) Ensure 'Access this computer from the network' is set to 'Administrators, Remote Desktop Users'. | The user right 'SeNetworkLogonRight' contains following unexpected users: BUILTIN\Users, BUILTIN\Backup Operators The user 'SeNetworkLogonRight' setting does not contain the following users: BUILTIN\Remote Desktop Users | False |
| 290 | (ND, NE) Ensure 'Debug programs' is set to 'Administrators'. | Compliant | True |
| 291 | (ND, NE) Ensure 'Perform volume maintenance tasks' is set to 'Administrators'. | Compliant | True |
| 292 | (ND, NE) Ensure 'Act as part of the operating system' is set to 'No One'. | Compliant | True |
| 293 | (ND) Ensure 'Enable computer and user accounts to be trusted for delegation' is set to 'No One'. | Compliant | True |
| 294 | (ND, NE) Ensure 'Replace a process level token' is set to 'LOCAL SERVICE, NETWORK SERVICE'. | The user right 'SeAssignPrimaryTokenPrivilege' contains following unexpected users: NT SERVICE\SQLSERVERAGENT, NT SERVICE\MSSQLSERVER | False |
| 295 | (ND, NE) Ensure 'Create a pagefile' is set to 'Administrators'. | Compliant | True |
| 296 | (ND, NE) Ensure 'Profile system performance' is set to 'Administrators, NT SERVICE\WdiServiceHost'. | Compliant | True |
| 297 | (ND, NE) Ensure 'Profile single process' is set to 'Administrators'. | Compliant | True |
| 298 | (ND, NE) Ensure 'Create a token object' is set to 'No One'. | Compliant | True |
| 299 | (ND, NE) Ensure 'Create global objects' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'. | Compliant | True |
| 300 | (ND, NE) Ensure 'Create symbolic links' is set to 'Administrators'. | The user right 'SeCreateSymbolicLinkPrivilege' contains following unexpected users: NT VIRTUAL MACHINE\Virtual Machines | False |
| 301 | (ND, NE) Ensure 'Create permanent shared objects' is set to 'No One'. | Compliant | True |
| 302 | (ND, NE) Ensure 'Force shutdown from a remote system' is set to 'Administrators'. | Compliant | True |
| 303 | (ND, NE) Ensure 'Generate security audits' is set to 'LOCAL SERVICE, NETWORK SERVICE'. | Compliant | True |
| 304 | (ND, NE) Ensure 'Shut down the system' is set to 'Administrators, Users'. | The user right 'SeShutdownPrivilege' contains following unexpected users: BUILTIN\Backup Operators | False |
| 305 | (ND, NE) Ensure 'Load and unload device drivers' is set to 'Administrators'. | Compliant | True |
| 306 | (ND, NE) Ensure 'Deny log on locally' to include 'ANONYMOUS LOGON, Guests'. | The user 'SeDenyInteractiveLogonRight' setting does not contain the following users: NT AUTHORITY\ANONYMOUS LOGON | False |
| 307 | (ND, NE) Ensure 'Allow log on locally' is set to 'Administrators, Users'. | The user right 'SeInteractiveLogonRight' contains following unexpected users: DESKTOP-UTMU75K\OldGuest, BUILTIN\Backup Operators | False |
| 308 | (ND, NE) Ensure 'Back up files and directories' is set to 'Administrators'. | The user right 'SeBackupPrivilege' contains following unexpected users: BUILTIN\Backup Operators | False |
| 309 | (ND, NE) Ensure 'Lock pages in memory' is set to 'No One'. | Compliant | True |
| 310 | (ND, NE) Ensure 'Take ownership of files or other objects' is set to 'Administrators' . | Compliant | True |
| 311 | (ND, NE) Ensure 'Modify firmware environment values' is set to 'Administrators'. | Compliant | True |
| 312 | (ND, NE) Ensure 'Modify an object label' is set to 'No One'. | Compliant | True |
| 313 | (ND, NE) Ensure 'Manage auditing and security log' is set to 'Administrators'. | Compliant | True |
| 314 | (ND, NE) Ensure 'Restore files and directories' is set to 'Administrators'. | The user right 'SeRestorePrivilege' contains following unexpected users: BUILTIN\Backup Operators | False |
| 315 | (ND, NE) Ensure 'Deny access to this computer from the network' to include 'ANONYMOUS LOGON, Guest, Local account'. | The user 'SeDenyNetworkLogonRight' setting does not contain the following users: NT AUTHORITY\ANONYMOUS LOGON | False |
Account Policies-↑
| Id | Task | Message | Status |
|---|---|---|---|
| 200 | (ND, NE) Ensure 'Store passwords using reversible encryption' is set to 'Disabled'. | Compliant | True |
| 201 | (ND, NE) Ensure 'Password must meet complexity requirements' is set to 'Enabled'. | Compliant | True |
| 202 | (ND, NE) Ensure 'Enforce password history' is set to '24 or more password(s)'. | Compliant | True |
| 203 | (ND, NE) Ensure 'Maximum password age' is set to '365 or fewer days, but not 0'. | Compliant | True |
| 204 | (ND, NE) Ensure 'Minimum password length' is set to '14 or more character(s)'. | Compliant | True |
| 205 | (ND, NE) Ensure 'Minimum password age' is set to '1 or more day(s)' . | Compliant | True |
| 206 | (ND) Ensure 'Account lockout duration' is set to '15 or more minute(s)'. | Compliant | True |
| 207 | (ND) Ensure 'Account lockout threshold' is set to '10 or fewer invalid logon attempt(s), but not 0'. | Compliant | True |
| 208 | (ND) Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)'. | Compliant | True |
Security Options-↑
| Id | Task | Message | Status |
|---|---|---|---|
| 235 | (ND, NE) Configure 'Accounts: Rename administrator account'. | Compliant | True |
| 236 | (ND, NE) Ensure 'Accounts: Administrator account status' is set to 'Disabled'. | Compliant | True |
| 237 | (ND, NE) Ensure 'Accounts: Guest account status' is set to 'Disabled'. | Compliant | True |
| 238 | (ND, NE) Configure 'Accounts: Rename guest account'. | Compliant | True |
| 249 | (ND) Ensure 'Network security: Force logoff when logon hours expire' is set to 'Enabled'. | Compliant | True |
BSI Benchmarks SiSyPHuS ND-↑
This section contains the BSI Benchmark results.
Registry Settings/Group Policies-↑
| Id | Task | Message | Status |
|---|---|---|---|
| 1 | (ND, NE) Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled'. | Compliant | True |
| 2 | (ND, NE) Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver. | Compliant | True |
| 3 | (ND, NE) Ensure 'Configure SMB v1 server' is set to 'Disabled'. | Compliant | True |
| 4 | (ND, NE) Ensure 'Enable Structured Exception Handling OverwriteProtection (SEHOP)' is set to 'Enabled'. | Compliant | True |
| 5 | (ND, NE) Ensure 'WDigest Authentication' is set to 'Disabled'. | Compliant | True |
| 6 | (ND, NE) Ensure 'LSA Protection' is set to 'Enabled'. | Registry value not found. | False |
| 7 | (ND, NE) Ensure 'MSS: (EnableDeadGWDetect) Allow automatic detection of dead network gateways (could lead to DoS)' is set to 'Disabled'. | Registry value not found. | False |
| 8 | (ND, NE) Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon(not recommended)' is set to 'Disabled'. | Compliant | True |
| 9 | (ND, NE) Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routingprotection level (protects against packet spoofing)' is set to 'Enabled:Highest protection, source routing is completely disabled'. | Compliant | True |
| 10 | (ND, NE) Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routingprotection level (protects against packet spoofing)' is set to 'Enabled:Highest protection, source routing is completely disabled'. | Compliant | True |
| 12 | (ND, NE) Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects tooverride OSPF generated routes' is set to 'Disabled'. | Compliant | True |
| 14 | (ND, NE) Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled'. | Compliant | True |
| 16 | (ND, NE) Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' is set to 'Enabled'. | Compliant | True |
| 17 | (ND, NE) Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' is set to 'Enabled: 5 or fewer seconds'. | Compliant | True |
| 20 | (ND, NE) Ensure 'Turn off multicast name resolution' is set to 'Enabled'. | Compliant | True |
| 21 | (ND, NE) Ensure 'NetBIOS node type' is set to 'P-node'. | Compliant | True |
| 22 | (ND, NE) Ensure 'Enable insecure guest logons' is set to 'Disabled'. | Compliant | True |
| 24_1 | (ND, NE) Ensure 'Hardened UNC Paths' is set to "Require Mutual Authentication=1, "Require Integrity=1" for the value names "\\*\NETLOGON" und "\\*\SYSVOL". | Compliant | True |
| 24_2 | (ND, NE) Ensure 'Hardened UNC Paths' is set to "Require Mutual Authentication=1, "Require Integrity=1" for the value names "\\*\NETLOGON" und "\\*\SYSVOL". | Compliant | True |
| 25 | (ND) Ensure 'Require domain users to elevate when setting a network's location' is set to 'Enabled'. | Compliant | True |
| 26 | (ND) Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled'. | Compliant | True |
| 27 | (ND) Ensure 'Prohibit use of Internet Connection Sharing on your DNS domain network' is set to 'Enabled'. | Compliant | True |
| 33 | (ND, NE) Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to the value 'Enabled: 1 = Minimize the number of simultaneous connections'. | Registry value not found. | False |
| 34 | (ND) Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled' | Compliant | True |
| 35 | (ND, NE) Ensure 'Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services' is set to 'Disabled'. | Compliant | True |
| 37 | (ND, NE) Ensure 'Turn off toast notifications on the lock screen' is set to 'Enabled'. | Registry value not found. | False |
| 39 | (ND, NE) Ensure 'Turn off picture password sign-in' is set to 'Enabled'. | Compliant | True |
| 40 | (ND, NE) Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled'. | Compliant | True |
| 41 | (ND, NE) Ensure 'Block user from showing account details on signin' is set to 'Enabled'. | Compliant | True |
| 42 | (ND) Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled'. | Compliant | True |
| 43 | (ND) Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled'. | Compliant | True |
| 44 | (ND, NE) Ensure 'Do not display network selection UI' is set to 'Enabled'. | Compliant | True |
| 45 | (ND) Ensure 'Do not enumerate connected users on domain-joined computers' is set to 'Enabled'. | Compliant | True |
| 46 | (ND, NE) Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical'. | Compliant | True |
| 50 | (ND, NE) Ensure 'Encryption Oracle Remediation' is set to 'Enabled: Force Updated Clients'. | Compliant | True |
| 51 | (ND) Ensure 'Remote host allows delegation of non-exportable credentials' is set to 'Enabled'. | Compliant | True |
| 52 | (ND, NE) Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled' . | Compliant | True |
| 53 | (ND, NE) Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled'. | Compliant | True |
| 54 | (ND, NE) Ensure 'Allow network connectivity during connected-standby (on battery)' is set to 'Disabled'. | Compliant | True |
| 55 | (ND, NE) Ensure 'Allow network connectivity during connected-standby (plugged in)' is set to 'Disabled'. | Compliant | True |
| 56 | (ND, NE) Ensure 'Allow standby states (S1-S3) when sleeping (on battery)' is set to 'Disabled'. | Compliant | True |
| 57 | (ND, NE) Ensure 'Allow standby states (S1-S3) when sleeping (plugged in)' is set to 'Disabled'. | Compliant | True |
| 59 | (ND, NE) Ensure 'Prevent installation of devices that match any of these device IDs' is configured. | Registry value not found. | False |
| 60 | (ND, NE) Ensure 'Prevent installation of devices using drivers that match these device setup classes' is configured. | Compliant | True |
| 61 | (ND, NE) Ensure 'Continue experiences on this device' is set to 'Disabled'. | Compliant | True |
| 62 | (ND) Ensure 'Turn off background refresh of Group Policy' is set to 'Disabled'. | Compliant | True |
| 63 | (ND) Ensure 'Configure registry policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE'. | Compliant | True |
| 64 | (ND) Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE'. | Compliant | True |
| 65 | (ND) Ensure 'Configure security policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled'. | Registry key not found. | False |
| 68 | (ND, NE) Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'. | Compliant | True |
| 74 | (ND, NE) Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'. | Compliant | True |
| 81 | (ND, NE) Ensure 'Enumeration policy for external devices incompatible with Kernel DMA Protection' is set to 'Enabled: Block All'. | Compliant | True |
| 84 | (ND, NE) Ensure 'Restrict Unauthenticated RPC clients' is set to 'Enabled: Authenticated' . | Compliant | True |
| 85 | (ND, NE) Ensure 'Enable RPC Endpoint Mapper Client Authentication' is set to 'Enabled'. | Compliant | True |
| 86 | (ND, NE) Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled'. | Compliant | True |
| 87 | (ND, NE) Ensure 'Configure Offer Remote Assistance' is set to 'Disabled'. | Compliant | True |
| 88 | (ND, NE) Ensure 'Ignore the default list of blocked TPM commands' is set to 'Disabled'. | Registry key not found. | False |
| 89 | (ND, NE) Ensure 'Standard User Lockout Duration' is set to '30 minutes'. | Registry value not found. | False |
| 90 | (ND, NE) Ensure 'Standard User Total Lockout Threshold' is set to '5'. | Registry value not found. | False |
| 94 | (ND, NE) Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled'. | Compliant | True |
| 95 | (ND, NE) Ensure 'Prevent enabling lock screen camera' is set to 'Enabled'. | Compliant | True |
| 96 | (ND, NE) Ensure 'Force specific screen saver: Screen saver executable name' is set to 'Enabled: scrnsave.scr'. | Registry key not found. | False |
| 97 | (ND, NE) Ensure 'Enable screen saver' is set to 'Enabled'. | Registry key not found. | False |
| 98 | (ND, NE) Ensure 'Password protect the screen saver' is set to 'Enabled'. | Registry key not found. | False |
| 99 | (ND, NE) Ensure 'Screen saver timeout' is set to 'Enabled: 900 seconds or fewer, but not 0'. | Registry key not found. | False |
| 100_1 | (ND, NE) Ensure 'Turn off automatic learning' is set to 'Enabled' for ImplicitTextCollection. | Registry value not found. | False |
| 100_2 | (ND, NE) Ensure 'Turn off automatic learning' is set to 'Enabled' for ImplicitInkCollection. | Registry value not found. | False |
| 101 | (ND, NE) Ensure 'Allow users to enable online speech recognition services' is set to 'Disabled'. | Compliant | True |
| 102 | (ND, NE) Ensure 'Notify antivirus programs when opening attachments' is set to 'Enabled'. | Registry key not found. | False |
| 103 | (ND, NE) Ensure 'Do not preserve zone information in file attachments' is set to 'Disabled'. | Registry key not found. | False |
| 105 | (ND) Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled'. | Compliant | True |
| 106 | (ND, NE) Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled'. | Compliant | True |
| 107 | (ND, NE) Ensure 'Do not display the password reveal button' is set to 'Enabled'. | Compliant | True |
| 109 | (ND, NE) Ensure 'Configure enhanced anti-spoofing' is set to 'Enabled'. | Compliant | True |
| 112 | (ND, NE) Ensure 'Do not suggest third-party content in Windows spotlight' is set to 'Enabled'. | Registry value not found. | False |
| 113 | (ND, NE) Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled'. | Compliant | True |
| 114 | (ND, NE) Ensure 'Configure Windows spotlight on lock screen' is set to Disabled'. | Registry value not found. | False |
| 115 | (ND, NE) Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled'. | Compliant | True |
| 116 | (ND, NE) Ensure 'Turn off shell protocol protected mode' is set to 'Disabled'. | Compliant | True |
| 117 | (ND, NE) Ensure 'Turn off heap termination on corruption' is set to 'Disabled'. | Compliant | True |
| 118 | (ND, NE) Ensure 'Toggle user control over Insider builds' is set to 'Disabled'. | Compliant | True |
| 119 | (ND, NE) Ensure 'Do not show feedback notifications' is set to 'Enabled'. | Compliant | True |
| 120 | (ND, NE) Ensure 'Allow Telemetry' is set to 'Enabled: 0 – Security [Enterprise Only]'. | Compliant | True |
| 121 | (ND, NE) Ensure 'Allow device name to be sent in Windows diagnostic data' is set to 'Disabled'. | Registry value not found. | False |
| 124 | (ND, NE) Ensure 'Block all consumer Microsoft account user authentication' is set to 'Enabled'. | Compliant | True |
| 126 | (ND, NE) Ensure 'Prevent users from sharing files within their profile.' is set to 'Enabled'. | Registry key not found. | False |
| 127 | (ND, NE) Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled'. | Registry key not found. | False |
| 131 | (ND, NE) Ensure 'Do not allow drive redirection' is set to 'Enabled'. | Compliant | True |
| 134 | (ND, NE) Ensure 'Always prompt for password upon connection' is set to 'Enabled'. | Compliant | True |
| 135 | (ND, NE) Ensure 'Require user authentication for remote connections by using Network Level Authentication' is set to 'Enabled'. | Compliant | True |
| 136 | (ND, NE) Ensure 'Require secure RPC communication' is set to 'Enabled'. | Compliant | True |
| 137 | (ND, NE) Ensure 'Set client connection encryption level' is set to 'Enabled: High Level'. | Compliant | True |
| 138 | (ND, NE) Ensure 'Require use of specific security layer for remote (RDP) connections' is set to 'Enabled: SSL'. | Compliant | True |
| 139 | (ND, NE) Ensure 'End session when time limits are reached' is set to 'Enabled'. | Registry key not found. | False |
| 142 | (ND, NE) Ensure 'Do not use temporary folders per session' is set to 'Disabled'. | Registry value not found. | False |
| 143 | (ND, NE) Ensure 'Do not delete temp folders upon exit' is set to 'Disabled'. | Compliant | True |
| 145 | (ND, NE) Ensure 'Do not allow passwords to be saved' is set to 'Enabled'. | Compliant | True |
| 146 | (ND, NE) Ensure 'Disallow Autoplay for non-volume devices' is set to'Enabled'. | Compliant | True |
| 147 | (ND, NE) Ensure 'Turn off Autoplay' is set to 'Enabled: All drives'. | Compliant | True |
| 148 | (ND, NE) Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands'. | Compliant | True |
| 149 | (ND, NE) Ensure 'Prevent downloading of enclosures' is set to 'Enabled'. | Compliant | True |
| 152 | (ND, NE) Ensure 'Turn off Automatic Download and Install of updates' is set to 'Disabled'. | Compliant | True |
| 153 | (ND, NE) Ensure 'Turn off the offer to update to the latest version of Windows' is set to 'Enabled'. | Compliant | True |
| 157 | (ND, NE) Ensure 'Allow search and Cortana to use location' is set to 'Disabled'. | Compliant | True |
| 158 | (ND, NE) Ensure 'Allow indexing of encrypted files' is set to 'Disabled'. | Compliant | True |
| 159 | (ND, NE) Ensure 'Improve inking and typing recognition' is set to 'Disabled'. | Registry key not found. | False |
| 160 | (ND, NE) Ensure 'Download Mode' is set to 'Enabled: Simple (99)' . | Registry value is '1'. Expected: 99 | False |
| 161 | (ND, NE) Ensure 'Require pin for pairing' is set to 'Enabled: Always'. | Compliant | True |
| 162 | (ND, NE) Ensure 'Configure detection for potentially unwanted applications' is set to 'Enabled: Block'. | Compliant | True |
| 163 | (ND, NE) Ensure 'Turn off Windows Defender Antivirus' is set to 'Disabled'. | Compliant | True |
| 164 | (ND, NE) Ensure 'Configure Watson events' is set to 'Disabled'. | Compliant | True |
| 165 | (ND, NE) Ensure 'Turn on behavior monitoring' is set to 'Enabled'. | Compliant | True |
| 167 | (ND, NE) Ensure 'Configure local setting override for reporting to Microsoft MAPS' is set to 'Disabled'. | Compliant | True |
| 168 | (ND, NE) Ensure 'Turn on e-mail scanning' is set to 'Enabled'. | Compliant | True |
| 169 | (ND, NE) Ensure 'Scan removable drives' is set to 'Enabled'. | Compliant | True |
| 170 | (ND, NE) Ensure 'Prevent users and apps from accessing dangerous websites' is set to 'Enabled: Block'. | Compliant | True |
| 171 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules' is set to 'Enabled'. | Registry value not found. | False |
| 172_1 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is 'configured'. | Compliant | True |
| 172_2 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from creating executable content) | Compliant | True |
| 172_3 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block execution of potentially obfuscated scripts) | Compliant | True |
| 172_4 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from injecting code into other processes) | Compliant | True |
| 172_5 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Adobe Reader from creating child processes) | Compliant | True |
| 172_6 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Win32 API calls from Office macro) | Compliant | True |
| 172_7 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block credential stealing from the Windows local security authority subsystem (lsass.exe)) | Compliant | True |
| 172_8 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block untrusted and unsigned processes that run from USB) | Compliant | True |
| 172_9 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block executable content from email client and webmail) | Compliant | True |
| 172_10 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block JavaScript or VBScript from launching downloaded executable content) | Compliant | True |
| 172_11 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from creating child processes) | Compliant | True |
| 173 | (ND, NE) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent bypass'. | Compliant | True |
| 174 | (ND, NE) Ensure 'Prevent bypassing Windows Defender SmartScreen prompts for sites' is set to 'Enabled'. | Compliant | True |
| 175 | (ND, NE) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled'. | Compliant | True |
| 177 | (ND, NE) Ensure 'Allow Windows Ink Workspace' is set to 'Enabled: On, but disallow access above lock' OR 'Disabled'. | Compliant | True |
| 178 | (ND, NE) Ensure 'Allow user control over installs' is set to 'Disabled'. | Compliant | True |
| 180 | (ND, NE) Ensure 'Always install with elevated privileges' is set to 'Disabled' on current_user on local_machine. | Compliant | True |
| 181 | (ND, NE) Ensure 'Always install with elevated privileges' is set to 'Disabled' on current_user. | Registry key not found. | False |
| 183 | (ND, NE) Ensure 'Turn on Script Execution' is set to 'Enabled: Allow local scripts and remote signed scripts'. | Registry key not found. | False |
| 185 | (ND, NE) Ensure 'Configure Automatic Updates' is set to 'Enabled: 4 Auto download and schedule the install'. | Compliant | True |
| 186 | (ND, NE) Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day'. | Compliant | True |
| 187 | (ND, NE) Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled'. | Compliant | True |
| 188 | (ND, NE) Ensure 'Remove access to "Pause updates" feature' is set to 'Enabled'. | Compliant | True |
| 189 | (ND, NE) Ensure 'Sign-in last interactive user automatically after a system-initiated restart' is set to 'Disabled'. | Compliant | True |
| 191 | (ND, NE) Ensure 'Allow Basic authentication' is set to 'Disabled'. | Compliant | True |
| 192 | (ND, NE) Ensure 'Disallow Digest authentication' is set to 'Enabled'. | Compliant | True |
| 193 | (ND, NE) Ensure 'Allow unencrypted traffic' is set to 'Disabled'. | Compliant | True |
| 194 | (ND, NE) Ensure 'Allow Basic authentication' is set to 'Disabled'. | Compliant | True |
| 196 | (ND, NE) Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled'. | Compliant | True |
| 197 | (ND, NE) Ensure 'Allow unencrypted traffic' is set to 'Disabled'. | Compliant | True |
| 198 | (ND, NE) Ensure 'Prevent users from modifying settings' is set to 'Enabled'. | Compliant | True |
| 199 | (ND, NE) Ensure 'Enables or disables Windows Game Recording and Broadcasting' is set to 'Disabled'. | Compliant | True |
| 209 | (ND, NE) Configure 'Interactive logon: Message title for users attempting to log on'. | Compliant | True |
| 210 | (ND, NE) Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled'. | Compliant | True |
| 211 | (ND, NE) Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled'. | Compliant | True |
| 212 | (ND, NE) Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled'. | Compliant | True |
| 213 | (ND, NE) Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled'. | Compliant | True |
| 214 | (ND, NE) Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled'. | Compliant | True |
| 215 | (ND, NE) Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled'. | Compliant | True |
| 216 | (ND, NE) Ensure 'User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop' is set to 'Disabled'. | Compliant | True |
| 217 | (ND, NE) Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure desktop'. | Compliant | True |
| 218 | (ND, NE) Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Prompt for credentials on the secure desktop'. | Registry value is '3'. Expected: 1 | False |
| 219 | (ND) Ensure 'Domain member: Disable machine account password changes' is set to 'Disabled'. | Compliant | True |
| 220 | (ND) Ensure 'Domain member: Digitally sign secure channel data(when possible)' is set to 'Enabled'. | Compliant | True |
| 221 | (ND) Ensure 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'Enabled'. | Compliant | True |
| 222 | (ND) Ensure 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'Enabled'. | Compliant | True |
| 223 | (ND) Ensure 'Domain member: Maximum machine account password age' is set to '30 or fewer days, but not 0'. | Compliant | True |
| 224 | (ND) Ensure 'Domain member: Require strong (Windows 2000 or later) session key' is set to 'Enabled'. | Compliant | True |
| 226 | (ND, NE) Ensure 'Devices: Allowed to format and eject removable media' is set to 'Administrators and Interactive Users'. | Compliant | True |
| 227 | (ND, NE) Ensure 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days'. | Compliant | True |
| 229 | Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0'. | Compliant | True |
| 230 | (ND, NE) Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled'. | Compliant | True |
| 231 | (ND, NE) Configure 'Interactive logon: Message text for users attempting to log on'. | Compliant | True |
| 232 | (ND) Ensure 'Interactive logon: Machine account lockout threshold' is set to '10 or fewer invalid logon attempts, but not 0'. | Compliant | True |
| 233 | (ND) Ensure 'Interactive logon: Smart card removal behavior' is set to 'Lock Workstation' or higher. | Compliant | True |
| 234 | (ND, NE) Ensure 'Interactive logon: Don't display last signed-in' is setto 'Enabled'. | Compliant | True |
| 239 | (ND, NE) Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled'. | Compliant | True |
| 240 | (ND, NE) Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts'. | Compliant | True |
| 241 | (ND, NE) Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled'. | Registry value is '0'. Expected: 1 | False |
| 242 | (ND, NE) Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled'. | Compliant | True |
| 243 | (ND, NE) Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled'. | Compliant | True |
| 244 | (ND, NE) Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled'. | Compliant | True |
| 245 | (ND, NE) Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled'. | Registry value is '0'. Expected: 1 | False |
| 246 | (ND, NE) Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled'. | Registry value is '0'. Expected: 1 | False |
| 247 | (ND, NE) Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s)'. | Compliant | True |
| 248 | (ND) Ensure 'Microsoft network server: Server SPN target name validation level' is set to 'Accept if provided by client' or higher. | Compliant | True |
| 252 | (ND) Ensure 'Network security: Configure encryption types allowed for Kerberos' is set to 'AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types'. | Compliant | True |
| 253 | (ND, NE) Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled'. | Compliant | True |
| 254 | (ND, NE) Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only'. | Compliant | True |
| 255 | (ND, NE) Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'. | Compliant | True |
| 256 | (ND, NE) Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled'. | Compliant | True |
| 257 | (ND) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to 'Require NTLMv2 session security, Require 128-bit encryption'. | Compliant | True |
| 258 | (ND) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to 'Require NTLMv2 session security, Require 128-bit encryption'. | Compliant | True |
| 259 | (ND) Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signing' or higher. | Compliant | True |
| 260 | (ND, NE) Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled'. | Compliant | True |
| 261 | (ND, NE) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled'. | Compliant | True |
| 262 | (ND) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is set to 'Enabled'. | Compliant | True |
| 263 | (ND) Ensure 'Network access: Allow anonymous SID/Name translation' is set to 'Disabled'. | Registry value not found. | False |
| 264 | (ND, NE) Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled'. | Compliant | True |
| 265 | (ND, NE) Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow'. | Compliant | True |
| 266 | (ND) Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled'. | Compliant | True |
| 267 | (ND, NE) Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None'. | Compliant | True |
| 268 | (ND, NE) Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves'. | Compliant | True |
| 269 | (ND, NE) Ensure 'Network access: Named Pipes that can be accessed anonymously' is set to 'None'. | Compliant | True |
| 270 | (ND, NE) Configure 'Network access: Remotely accessible registry paths and sub-paths'. | Compliant | True |
| 271 | (ND, NE) Configure 'Network access: Remotely accessible registry paths'. | Compliant | True |
| 272 | (ND, NE) Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled'. | Compliant | True |
| 275 | (ND, NE) Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled'. | Compliant | True |
| 276 | (ND, NE) Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled'. | Compliant | True |
| 317 | (ND, NE) Ensure 'Connected User Experiences and Telemetry' is set to 'Disabled'. | Registry value not found. | False |
| 320 | (ND, NE) Ensure 'Computer Browser (Browser)' is set to 'Disabled' or 'Not Installed'. | Compliant | True |
| 321 | (NE, ND) Ensure 'Internet Connection Sharing (ICS) (SharedAccess)' is set to 'Disabled'. | Compliant | True |
| 323 | (ND, NE) Ensure 'IIS Admin Service (IISADMIN)' is set to 'Disabled' or 'Not Installed'. | Compliant | True |
| 324 | (NE, ND) Ensure 'Infrared monitor service (irmon)' is set to 'Disabled'. | Compliant | True |
| 326 | (ND, NE) Ensure 'LxssManager (LxssManager)' is set to 'Disabled' or 'Not Installed'. | Compliant | True |
| 328 | (ND, NE) Ensure 'Microsoft FTP Service (FTPSVC)' is set to 'Disabled' or 'Not Installed'. | Compliant | True |
| 331 | (ND, NE) Ensure 'OpenSSH SSH Server (sshd)' is set to 'Disabled' or 'Not Installed'. | Compliant | True |
| 338 | (ND, NE) Ensure 'Routing and Remote Access (RemoteAccess)' is set to 'Disabled'. | Compliant | True |
| 339 | (ND, NE) Ensure 'Remote Procedure Call (RPC) Locator (RpcLocator)' is set to 'Disabled'. | Compliant | True |
| 341 | (ND, NE) Ensure 'Simple TCP/IP Services (simptcp)' is set to 'Disabled' or 'Not Installed'. | Compliant | True |
| 343 | (ND, NE) Ensure 'SSDP Discovery (SSDPSRV)' is set to 'Disabled'. | Compliant | True |
| 345 | (ND, NE) Ensure 'UPnP Device Host (upnphost)' is set to 'Disabled'. | Compliant | True |
| 348 | (ND, NE) Ensure 'Web Management Service (WMSvc)' is set to 'Disabled' or 'Not Installed'. | Compliant | True |
| 349 | (ND, NE) Ensure 'Windows Media Player Network Sharing Service (WMPNetworkSvc)' is set to 'Disabled'. | Compliant | True |
| 351 | (HD) Ensure 'Windows Mobile Hotspot Service (icssvc)' is set to 'Disabled'. | Compliant | True |
| 356 | (ND, NE) Ensure 'World Wide Web Publishing Service (W3SVC)' is set to 'Disabled' or 'Not Installed'. | Compliant | True |
| 357 | (ND, NE) Ensure 'Xbox Accessory Management Service (XboxGipSvc)' is set to 'Disabled'. | Compliant | True |
| 358 | (ND, NE) Ensure 'Xbox Live Auth Manager (XblAuthManager)' is set to 'Disabled'. | Compliant | True |
| 359 | (ND, NE) Ensure 'Xbox Live Networking Service (XboxNetApiSvc)' is set to 'Disabled'. | Compliant | True |
| 360 | (ND, NE) Ensure 'Xbox Live Game Save (XblGameSave)' is set to 'Disabled'. | Compliant | True |
| 361 | (ND) Ensure 'Windows Firewall: Domain: Outbound connections' is set to 'Allow (default)'. | Compliant | True |
| 362 | (ND) Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No'. | Compliant | True |
| 363 | (ND) Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)'. | Compliant | True |
| 364 | (ND) Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On (recommended)'. | Compliant | True |
| 365 | (ND, NE) Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow (default)' . | Compliant | True |
| 366 | (ND, NE) Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'No'. | Compliant | True |
| 367 | (ND, NE) Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)'. | Compliant | True |
| 368 | (ND, NE) Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)'. | Compliant | True |
| 369 | (ND, NE) Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No'. | Compliant | True |
| 370 | (ND, NE) Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No'. | Compliant | True |
| 371 | (ND, NE) Ensure 'Windows Firewall: Private: Outbound connections' is set to 'Allow (default)'. | Compliant | True |
| 372 | (ND, NE) Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No'. | Compliant | True |
| 373 | (ND, NE) Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)'. | Compliant | True |
| 374 | (ND, NE) Ensure 'Windows Firewall: Private: Firewall state' is set to 'On (recommended)'. | Compliant | True |
User Rights Assignment-↑
| Id | Task | Message | Status |
|---|---|---|---|
| 277 | (ND, NE) Ensure 'Change the system time' is set to 'Administrators, LOCAL SERVICE'. | Compliant | True |
| 278 | (ND, NE) Ensure 'Change the time zone' is set to 'Administrators, LOCAL SERVICE, Users'. | Compliant | True |
| 279 | (ND, NE) Ensure 'Increase scheduling priority' is set to 'Administrators, Window Manager\Window Manager Group'. | Compliant | True |
| 280 | (ND, NE) Ensure 'Deny log on as a batch job' to include 'ANONYMOUS LOGON, Guests'. | The user 'SeDenyBatchLogonRight' setting does not contain the following users: NT AUTHORITY\ANONYMOUS LOGON | False |
| 282 | (ND, NE) Ensure 'Deny log on as a service' to include 'ANONYMOUS LOGON, Guests'. | The user 'SeDenyServiceLogonRight' setting does not contain the following users: NT AUTHORITY\ANONYMOUS LOGON | False |
| 284 | (ND) Ensure 'Deny log on through Remote Desktop Services' to include 'ANONYMOUS LOGON, Guests, Local account'. | The user right 'SeDenyRemoteInteractiveLogonRight' contains following unexpected users: NT AUTHORITY\Local account (S-1-5-113) The user right 'SeDenyRemoteInteractiveLogonRight' setting does not contain the following users: NT AUTHORITY\ANONYMOUS LOGON (S-1-5-7), LOCAL (S-1-2-0) | False |
| 285 | (ND, NE) Ensure 'Allow log on through Remote Desktop Services' is set to 'Administrators, Remote Desktop Users'. | Compliant | True |
| 286 | (ND, NE) Ensure 'Impersonate a client after authentication' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'. | Compliant | True |
| 287 | (ND, NE) Ensure 'Adjust memory quotas for a process' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE'. | The user right 'SeIncreaseQuotaPrivilege' contains following unexpected users: NT SERVICE\SQLSERVERAGENT, NT SERVICE\MSSQLSERVER | False |
| 288 | (ND, NE) Ensure 'Access Credential Manager as a trusted caller' is set to 'No One'. | Compliant | True |
| 289 | (ND, NE) Ensure 'Access this computer from the network' is set to 'Administrators, Remote Desktop Users'. | The user right 'SeNetworkLogonRight' contains following unexpected users: BUILTIN\Users, BUILTIN\Backup Operators The user 'SeNetworkLogonRight' setting does not contain the following users: BUILTIN\Remote Desktop Users | False |
| 290 | (ND, NE) Ensure 'Debug programs' is set to 'Administrators'. | Compliant | True |
| 291 | (ND, NE) Ensure 'Perform volume maintenance tasks' is set to 'Administrators'. | Compliant | True |
| 292 | (ND, NE) Ensure 'Act as part of the operating system' is set to 'No One'. | Compliant | True |
| 293 | (ND) Ensure 'Enable computer and user accounts to be trusted for delegation' is set to 'No One'. | Compliant | True |
| 294 | (ND, NE) Ensure 'Replace a process level token' is set to 'LOCAL SERVICE, NETWORK SERVICE'. | The user right 'SeAssignPrimaryTokenPrivilege' contains following unexpected users: NT SERVICE\SQLSERVERAGENT, NT SERVICE\MSSQLSERVER | False |
| 295 | (ND, NE) Ensure 'Create a pagefile' is set to 'Administrators'. | Compliant | True |
| 296 | (ND, NE) Ensure 'Profile system performance' is set to 'Administrators, NT SERVICE\WdiServiceHost'. | Compliant | True |
| 297 | (ND, NE) Ensure 'Profile single process' is set to 'Administrators'. | Compliant | True |
| 298 | (ND, NE) Ensure 'Create a token object' is set to 'No One'. | Compliant | True |
| 299 | (ND, NE) Ensure 'Create global objects' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'. | Compliant | True |
| 300 | (ND, NE) Ensure 'Create symbolic links' is set to 'Administrators'. | The user right 'SeCreateSymbolicLinkPrivilege' contains following unexpected users: NT VIRTUAL MACHINE\Virtual Machines | False |
| 301 | (ND, NE) Ensure 'Create permanent shared objects' is set to 'No One'. | Compliant | True |
| 302 | (ND, NE) Ensure 'Force shutdown from a remote system' is set to 'Administrators'. | Compliant | True |
| 303 | (ND, NE) Ensure 'Generate security audits' is set to 'LOCAL SERVICE, NETWORK SERVICE'. | Compliant | True |
| 304 | (ND, NE) Ensure 'Shut down the system' is set to 'Administrators, Users'. | The user right 'SeShutdownPrivilege' contains following unexpected users: BUILTIN\Backup Operators | False |
| 305 | (ND, NE) Ensure 'Load and unload device drivers' is set to 'Administrators'. | Compliant | True |
| 306 | (ND, NE) Ensure 'Deny log on locally' to include 'ANONYMOUS LOGON, Guests'. | The user 'SeDenyInteractiveLogonRight' setting does not contain the following users: NT AUTHORITY\ANONYMOUS LOGON | False |
| 307 | (ND, NE) Ensure 'Allow log on locally' is set to 'Administrators, Users'. | The user right 'SeInteractiveLogonRight' contains following unexpected users: DESKTOP-UTMU75K\OldGuest, BUILTIN\Backup Operators | False |
| 308 | (ND, NE) Ensure 'Back up files and directories' is set to 'Administrators'. | The user right 'SeBackupPrivilege' contains following unexpected users: BUILTIN\Backup Operators | False |
| 309 | (ND, NE) Ensure 'Lock pages in memory' is set to 'No One'. | Compliant | True |
| 310 | (ND, NE) Ensure 'Take ownership of files or other objects' is set to 'Administrators' . | Compliant | True |
| 311 | (ND, NE) Ensure 'Modify firmware environment values' is set to 'Administrators'. | Compliant | True |
| 312 | (ND, NE) Ensure 'Modify an object label' is set to 'No One'. | Compliant | True |
| 313 | (ND, NE) Ensure 'Manage auditing and security log' is set to 'Administrators'. | Compliant | True |
| 314 | (ND, NE) Ensure 'Restore files and directories' is set to 'Administrators'. | The user right 'SeRestorePrivilege' contains following unexpected users: BUILTIN\Backup Operators | False |
| 315 | (ND, NE) Ensure 'Deny access to this computer from the network' to include 'ANONYMOUS LOGON, Guest, Local account'. | The user 'SeDenyNetworkLogonRight' setting does not contain the following users: NT AUTHORITY\ANONYMOUS LOGON | False |
Account Policies-↑
| Id | Task | Message | Status |
|---|---|---|---|
| 200 | (ND, NE) Ensure 'Store passwords using reversible encryption' is set to 'Disabled'. | Compliant | True |
| 201 | (ND, NE) Ensure 'Password must meet complexity requirements' is set to 'Enabled'. | Compliant | True |
| 202 | (ND, NE) Ensure 'Enforce password history' is set to '24 or more password(s)'. | Compliant | True |
| 203 | (ND, NE) Ensure 'Maximum password age' is set to '365 or fewer days, but not 0'. | Compliant | True |
| 204 | (ND, NE) Ensure 'Minimum password length' is set to '14 or more character(s)'. | Compliant | True |
| 205 | (ND, NE) Ensure 'Minimum password age' is set to '1 or more day(s)' . | Compliant | True |
| 206 | (ND) Ensure 'Account lockout duration' is set to '15 or more minute(s)'. | Compliant | True |
| 207 | (ND) Ensure 'Account lockout threshold' is set to '10 or fewer invalid logon attempt(s), but not 0'. | Compliant | True |
| 208 | (ND) Ensure 'Reset account lockout counter after' is set to '15 ormore minute(s)'. | Compliant | True |
Security Options-↑
| Id | Task | Message | Status |
|---|---|---|---|
| 235 | (ND, NE) Configure 'Accounts: Rename administrator account'. | Compliant | True |
| 236 | (ND, NE) Ensure 'Accounts: Administrator account status' is set to 'Disabled'. | Compliant | True |
| 237 | (ND, NE) Ensure 'Accounts: Guest account status' is set to 'Disabled'. | Compliant | True |
| 238 | (ND, NE) Configure 'Accounts: Rename guest account'. | Compliant | True |
| 249 | (ND) Ensure 'Network security: Force logoff when logon hours expire' is set to 'Enabled'. | Compliant | True |
BSI Benchmarks SiSyPHuS NE-↑
This section contains the BSI Benchmark results.
Registry Settings/Group Policies-↑
| Id | Task | Message | Status |
|---|---|---|---|
| 1 | (ND, NE) Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled'. | Compliant | True |
| 2 | (ND, NE) Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver. | Compliant | True |
| 3 | (ND, NE) Ensure 'Configure SMB v1 server' is set to 'Disabled'. | Compliant | True |
| 4 | (ND, NE) Ensure 'Enable Structured Exception Handling Overwrite Protection (SEHOP)' is set to 'Enabled'. | Compliant | True |
| 5 | (ND, NE) Ensure 'WDigest Authentication' is set to 'Disabled'. | Compliant | True |
| 6 | (ND, NE) Ensure 'LSA Protection' is set to 'Enabled'. | Registry value not found. | False |
| 7 | (ND, NE) Ensure 'MSS: (EnableDeadGWDetect) Allow automatic detection of dead network gateways (could lead to DoS)' is set to 'Disabled'. | Registry value not found. | False |
| 8 | (ND, NE) Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon(not recommended)' is set to 'Disabled'. | Compliant | True |
| 9 | (ND, NE) Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'. | Compliant | True |
| 10 | (ND, NE) Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'. | Compliant | True |
| 12 | (ND, NE) Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled'. | Compliant | True |
| 14 | (ND, NE) Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled'. | Compliant | True |
| 16 | (ND, NE) Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' is set to 'Enabled'. | Compliant | True |
| 17 | (ND, NE) Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' is set to 'Enabled: 5 or fewer seconds'. | Compliant | True |
| 20 | (ND, NE) Ensure 'Turn off multicast name resolution' is set to 'Enabled'. | Compliant | True |
| 21 | (ND, NE) Ensure 'NetBIOS node type' is set to 'P-node'. | Compliant | True |
| 22 | (ND, NE) Ensure 'Enable insecure guest logons' is set to 'Disabled'. | Compliant | True |
| 24_1 | (ND, NE) Ensure 'Hardened UNC Paths' is set to "Require Mutual Authentication=1, "Require Integrity=1" for the value names "\\*\NETLOGON" und "\\*\SYSVOL". | Compliant | True |
| 24_2 | (ND, NE) Ensure 'Hardened UNC Paths' is set to "Require Mutual Authentication=1, "Require Integrity=1" for the value names "\\*\NETLOGON" und "\\*\SYSVOL". | Compliant | True |
| 33 | (ND, NE) Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to the value 'Enabled: 1 = Minimize the number of simultaneous connections'. | Registry value not found. | False |
| 34 | (ND) Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled' | Compliant | True |
| 35 | (ND, NE) Ensure 'Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services' is set to 'Disabled'. | Compliant | True |
| 37 | (ND, NE) Ensure 'Turn off toast notifications on the lock screen' is set to 'Enabled'. | Registry value not found. | False |
| 39 | (ND, NE) Ensure 'Turn off picture password sign-in' is set to 'Enabled'. | Compliant | True |
| 40 | (ND, NE) Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled'. | Compliant | True |
| 41 | (ND, NE) Ensure 'Block user from showing account details on signin' is set to 'Enabled'. | Compliant | True |
| 44 | (ND, NE) Ensure 'Do not display network selection UI' is set to 'Enabled'. | Compliant | True |
| 46 | (ND, NE) Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical'. | Compliant | True |
| 50 | (ND, NE) Ensure 'Encryption Oracle Remediation' is set to 'Enabled: Force Updated Clients'. | Compliant | True |
| 52 | (ND, NE) Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled' . | Compliant | True |
| 53 | (ND, NE) Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled'. | Compliant | True |
| 54 | (ND, NE) Ensure 'Allow network connectivity during connected-standby (on battery)' is set to 'Disabled'. | Compliant | True |
| 55 | (ND, NE) Ensure 'Allow network connectivity during connected-standby (plugged in)' is set to 'Disabled'. | Compliant | True |
| 56 | (ND, NE) Ensure 'Allow standby states (S1-S3) when sleeping (on battery)' is set to 'Disabled'. | Compliant | True |
| 57 | (ND, NE) Ensure 'Allow standby states (S1-S3) when sleeping (plugged in)' is set to 'Disabled'. | Compliant | True |
| 59 | (ND, NE) Ensure 'Prevent installation of devices that match any of these device IDs' is configured. | Registry value not found. | False |
| 60 | (ND, NE) Ensure 'Prevent installation of devices using drivers that match these device setup classes' is configured. | Compliant | True |
| 61 | (ND, NE) Ensure 'Continue experiences on this device' is set to 'Disabled'. | Compliant | True |
| 68 | (ND, NE) Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'. | Compliant | True |
| 74 | (ND, NE) Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'. | Compliant | True |
| 81 | (ND, NE) Ensure 'Enumeration policy for external devices incompatible with Kernel DMA Protection' is set to 'Enabled: Block All'. | Compliant | True |
| 84 | (ND, NE) Ensure 'Restrict Unauthenticated RPC clients' is set to 'Enabled: Authenticated' . | Compliant | True |
| 85 | (ND, NE) Ensure 'Enable RPC Endpoint Mapper Client Authentication' is set to 'Enabled'. | Compliant | True |
| 86 | (ND, NE) Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled'. | Compliant | True |
| 87 | (ND, NE) Ensure 'Configure Offer Remote Assistance' is set to 'Disabled'. | Compliant | True |
| 88 | (ND, NE) Ensure 'Ignore the default list of blocked TPM commands' is set to 'Disabled'. | Registry key not found. | False |
| 89 | (ND, NE) Ensure 'Standard User Lockout Duration' is set to '30 minutes'. | Registry value not found. | False |
| 90 | (ND, NE) Ensure 'Standard User Total Lockout Threshold' is set to '5'. | Registry value not found. | False |
| 94 | (ND, NE) Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled'. | Compliant | True |
| 95 | (ND, NE) Ensure 'Prevent enabling lock screen camera' is set to 'Enabled'. | Compliant | True |
| 96 | (ND, NE) Ensure 'Force specific screen saver: Screen saver executable name' is set to 'Enabled: scrnsave.scr'. | Registry key not found. | False |
| 97 | (ND, NE) Ensure 'Enable screen saver' is set to 'Enabled'. | Registry key not found. | False |
| 98 | (ND, NE) Ensure 'Password protect the screen saver' is set to 'Enabled'. | Registry key not found. | False |
| 99 | (ND, NE) Ensure 'Screen saver timeout' is set to 'Enabled: 900 seconds or fewer, but not 0'. | Registry key not found. | False |
| 100_1 | (ND, NE) Ensure 'Turn off automatic learning' is set to 'Enabled' for ImplicitTextCollection. | Registry value not found. | False |
| 100_2 | (ND, NE) Ensure 'Turn off automatic learning' is set to 'Enabled' for ImplicitInkCollection. | Registry value not found. | False |
| 101 | (ND, NE) Ensure 'Allow users to enable online speech recognition services' is set to 'Disabled'. | Compliant | True |
| 102 | (ND, NE) Ensure 'Notify antivirus programs when opening attachments' is set to 'Enabled'. | Registry key not found. | False |
| 103 | (ND, NE) Ensure 'Do not preserve zone information in file attachments' is set to 'Disabled'. | Registry key not found. | False |
| 106 | (ND, NE) Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled'. | Compliant | True |
| 107 | (ND, NE) Ensure 'Do not display the password reveal button' is set to 'Enabled'. | Compliant | True |
| 109 | (ND, NE) Ensure 'Configure enhanced anti-spoofing' is set to 'Enabled'. | Compliant | True |
| 112 | (ND, NE) Ensure 'Do not suggest third-party content in Windows spotlight' is set to 'Enabled'. | Registry value not found. | False |
| 113 | (ND, NE) Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled'. | Compliant | True |
| 114 | (ND, NE) Ensure 'Configure Windows spotlight on lock screen' is set to Disabled'. | Registry value not found. | False |
| 115 | (ND, NE) Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled'. | Compliant | True |
| 116 | (ND, NE) Ensure 'Turn off shell protocol protected mode' is set to 'Disabled'. | Compliant | True |
| 117 | (ND, NE) Ensure 'Turn off heap termination on corruption' is set to 'Disabled'. | Compliant | True |
| 118 | (ND, NE) Ensure 'Toggle user control over Insider builds' is set to 'Disabled'. | Compliant | True |
| 119 | (ND, NE) Ensure 'Do not show feedback notifications' is set to 'Enabled'. | Compliant | True |
| 120 | (ND, NE) Ensure 'Allow Telemetry' is set to 'Enabled: 0 – Security [Enterprise Only]'. | Compliant | True |
| 121 | (ND, NE) Ensure 'Allow device name to be sent in Windows diagnostic data' is set to 'Disabled'. | Registry value not found. | False |
| 124 | (ND, NE) Ensure 'Block all consumer Microsoft account user authentication' is set to 'Enabled'. | Compliant | True |
| 126 | (ND, NE) Ensure 'Prevent users from sharing files within their profile.' is set to 'Enabled'. | Registry key not found. | False |
| 127 | (ND, NE) Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled'. | Registry key not found. | False |
| 131 | (ND, NE) Ensure 'Do not allow drive redirection' is set to 'Enabled'. | Compliant | True |
| 134 | (ND, NE) Ensure 'Always prompt for password upon connection' is set to 'Enabled'. | Compliant | True |
| 135 | (ND, NE) Ensure 'Require user authentication for remote connections by using Network Level Authentication' is set to 'Enabled'. | Compliant | True |
| 136 | (ND, NE) Ensure 'Require secure RPC communication' is set to 'Enabled'. | Compliant | True |
| 137 | (ND, NE) Ensure 'Set client connection encryption level' is set to 'Enabled: High Level'. | Compliant | True |
| 138 | (ND, NE) Ensure 'Require use of specific security layer for remote (RDP) connections' is set to 'Enabled: SSL'. | Compliant | True |
| 139 | (ND, NE) Ensure 'End session when time limits are reached' is set to 'Enabled'. | Registry key not found. | False |
| 142 | (ND, NE) Ensure 'Do not use temporary folders per session' is set to 'Disabled'. | Registry value not found. | False |
| 143 | (ND, NE) Ensure 'Do not delete temp folders upon exit' is set to 'Disabled'. | Compliant | True |
| 145 | (ND, NE) Ensure 'Do not allow passwords to be saved' is set to 'Enabled'. | Compliant | True |
| 146 | (ND, NE) Ensure 'Disallow Autoplay for non-volume devices' is set to'Enabled'. | Compliant | True |
| 147 | (ND, NE) Ensure 'Turn off Autoplay' is set to 'Enabled: All drives'. | Compliant | True |
| 148 | (ND, NE) Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands'. | Compliant | True |
| 149 | (ND, NE) Ensure 'Prevent downloading of enclosures' is set to 'Enabled'. | Compliant | True |
| 152 | (ND, NE) Ensure 'Turn off Automatic Download and Install of updates' is set to 'Disabled'. | Compliant | True |
| 153 | (ND, NE) Ensure 'Turn off the offer to update to the latest version of Windows' is set to 'Enabled'. | Compliant | True |
| 157 | (ND, NE) Ensure 'Allow search and Cortana to use location' is set to 'Disabled'. | Compliant | True |
| 158 | (ND, NE) Ensure 'Allow indexing of encrypted files' is set to 'Disabled'. | Compliant | True |
| 159 | (ND, NE) Ensure 'Improve inking and typing recognition' is set to 'Disabled'. | Registry key not found. | False |
| 160 | (ND, NE) Ensure 'Download Mode' is set to 'Enabled: Simple (99)' . | Registry value is '1'. Expected: 99 | False |
| 161 | (ND, NE) Ensure 'Require pin for pairing' is set to 'Enabled: Always'. | Compliant | True |
| 162 | (ND, NE) Ensure 'Configure detection for potentially unwanted applications' is set to 'Enabled: Block'. | Compliant | True |
| 163 | (ND, NE) Ensure 'Turn off Windows Defender Antivirus' is set to 'Disabled'. | Compliant | True |
| 164 | (ND, NE) Ensure 'Configure Watson events' is set to 'Disabled'. | Compliant | True |
| 165 | (ND, NE) Ensure 'Turn on behavior monitoring' is set to 'Enabled'. | Compliant | True |
| 167 | (ND, NE) Ensure 'Configure local setting override for reporting to Microsoft MAPS' is set to 'Disabled'. | Compliant | True |
| 168 | (ND, NE) Ensure 'Turn on e-mail scanning' is set to 'Enabled'. | Compliant | True |
| 169 | (ND, NE) Ensure 'Scan removable drives' is set to 'Enabled'. | Compliant | True |
| 170 | (ND, NE) Ensure 'Prevent users and apps from accessing dangerous websites' is set to 'Enabled: Block'. | Compliant | True |
| 171 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules' is set to 'Enabled'. | Registry value not found. | False |
| 172_1 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office communication application from creating child processes) | Compliant | True |
| 172_2 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from creating executable content) | Compliant | True |
| 172_3 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block execution of potentially obfuscated scripts) | Compliant | True |
| 172_4 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from injecting code into other processes) | Compliant | True |
| 172_5 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Adobe Reader from creating child processes) | Compliant | True |
| 172_6 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Win32 API calls from Office macro) | Compliant | True |
| 172_7 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block credential stealing from the Windows local security authority subsystem (lsass.exe)) | Compliant | True |
| 172_8 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block untrusted and unsigned processes that run from USB) | Compliant | True |
| 172_9 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block executable content from email client and webmail) | Compliant | True |
| 172_10 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block JavaScript or VBScript from launching downloaded executable content) | Compliant | True |
| 172_11 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from creating child processes) | Compliant | True |
| 173 | (ND, NE) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent bypass'. | Compliant | True |
| 174 | (ND, NE) Ensure 'Prevent bypassing Windows Defender SmartScreen prompts for sites' is set to 'Enabled'. | Compliant | True |
| 175 | (ND, NE) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled'. | Compliant | True |
| 177 | (ND, NE) Ensure 'Allow Windows Ink Workspace' is set to 'Enabled: On, but disallow access above lock' OR 'Disabled'. | Compliant | True |
| 178 | (ND, NE) Ensure 'Allow user control over installs' is set to 'Disabled'. | Compliant | True |
| 180 | (ND, NE) Ensure 'Always install with elevated privileges' is set to 'Disabled' on local_machine. | Compliant | True |
| 181 | (ND, NE) Ensure 'Always install with elevated privileges' is set to 'Disabled' on current_user. | Registry key not found. | False |
| 183 | (ND, NE) Ensure 'Turn on Script Execution' is set to 'Enabled: Allow local scripts and remote signed scripts'. | Registry key not found. | False |
| 185 | (ND, NE) Ensure 'Configure Automatic Updates' is set to 'Enabled: 4 Auto download and schedule the install'. | Compliant | True |
| 186 | (ND, NE) Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day'. | Compliant | True |
| 187 | (ND, NE) Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled'. | Compliant | True |
| 188 | (ND, NE) Ensure 'Remove access to "Pause updates" feature' is set to 'Enabled'. | Compliant | True |
| 189 | (ND, NE) Ensure 'Sign-in last interactive user automatically after a system-initiated restart' is set to 'Disabled'. | Compliant | True |
| 191 | (ND, NE) Ensure 'Allow Basic authentication' is set to 'Disabled'. | Compliant | True |
| 192 | (ND, NE) Ensure 'Disallow Digest authentication' is set to 'Enabled'. | Compliant | True |
| 193 | (ND, NE) Ensure 'Allow unencrypted traffic' is set to 'Disabled'. | Compliant | True |
| 194 | (ND, NE) Ensure 'Allow Basic authentication' is set to 'Disabled'. | Compliant | True |
| 196 | (ND, NE) Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled'. | Compliant | True |
| 197 | (ND, NE) Ensure 'Allow unencrypted traffic' is set to 'Disabled'. | Compliant | True |
| 198 | (ND, NE) Ensure 'Prevent users from modifying settings' is set to 'Enabled'. | Compliant | True |
| 199 | (ND, NE) Ensure 'Enables or disables Windows Game Recording and Broadcasting' is set to 'Disabled'. | Compliant | True |
| 209 | (ND, NE) Configure 'Interactive logon: Message title for users attempting to log on'. | Compliant | True |
| 210 | (ND, NE) Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled'. | Compliant | True |
| 211 | (ND, NE) Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled'. | Compliant | True |
| 212 | (ND, NE) Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled'. | Compliant | True |
| 213 | (ND, NE) Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled'. | Compliant | True |
| 214 | (ND, NE) Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled'. | Compliant | True |
| 215 | (ND, NE) Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled'. | Compliant | True |
| 216 | (ND, NE) Ensure 'User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop' is set to 'Disabled'. | Compliant | True |
| 217 | (ND, NE) Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure desktop'. | Compliant | True |
| 218 | (ND, NE) Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Prompt for credentials on the secure desktop'. | Registry value is '3'. Expected: 1 | False |
| 226 | (ND, NE) Ensure 'Devices: Allowed to format and eject removable media' is set to 'Administrators and Interactive Users'. | Compliant | True |
| 227 | (ND, NE) Ensure 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days'. | Compliant | True |
| 229 | Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0'. | Compliant | True |
| 230 | (ND, NE) Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled'. | Compliant | True |
| 231 | (ND, NE) Configure 'Interactive logon: Message text for users attempting to log on'. | Compliant | True |
| 234 | (ND, NE) Ensure 'Interactive logon: Don't display last signed-in' is setto 'Enabled'. | Compliant | True |
| 239 | (ND, NE) Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled'. | Compliant | True |
| 240 | (ND, NE) Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts'. | Compliant | True |
| 241 | (ND, NE) Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled'. | Registry value is '0'. Expected: 1 | False |
| 242 | (ND, NE) Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled'. | Compliant | True |
| 243 | (ND, NE) Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled'. | Compliant | True |
| 244 | (ND, NE) Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled'. | Compliant | True |
| 245 | (ND, NE) Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled'. | Registry value is '0'. Expected: 1 | False |
| 246 | (ND, NE) Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled'. | Registry value is '0'. Expected: 1 | False |
| 247 | (ND, NE) Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s)'. | Compliant | True |
| 252 | (ND) Ensure 'Network security: Configure encryption types allowed for Kerberos' is set to 'AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types'. | Compliant | True |
| 253 | (ND, NE) Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled'. | Compliant | True |
| 254 | (ND, NE) Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only'. | Compliant | True |
| 255 | (ND, NE) Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'. | Compliant | True |
| 256 | (ND, NE) Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled'. | Compliant | True |
| 257 | (ND) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to 'Require NTLMv2 session security, Require 128-bit encryption'. | Compliant | True |
| 258 | (ND) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to 'Require NTLMv2 session security, Require 128-bit encryption'. | Compliant | True |
| 259 | (ND) Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signing' or higher. | Compliant | True |
| 260 | (ND, NE) Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled'. | Compliant | True |
| 261 | (ND, NE) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled'. | Compliant | True |
| 262 | (ND) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is set to 'Enabled'. | Compliant | True |
| 263 | (ND) Ensure 'Network access: Allow anonymous SID/Name translation' is set to 'Disabled'. | Registry value not found. | False |
| 264 | (ND, NE) Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled'. | Compliant | True |
| 265 | (ND, NE) Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow'. | Compliant | True |
| 266 | (ND) Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled'. | Compliant | True |
| 267 | (ND, NE) Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None'. | Compliant | True |
| 268 | (ND, NE) Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves'. | Compliant | True |
| 269 | (ND, NE) Ensure 'Network access: Named Pipes that can be accessed anonymously' is set to 'None'. | Compliant | True |
| 270 | (ND, NE) Configure 'Network access: Remotely accessible registry paths and sub-paths'. | Compliant | True |
| 271 | (ND, NE) Configure 'Network access: Remotely accessible registry paths'. | Compliant | True |
| 272 | (ND, NE) Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled'. | Compliant | True |
| 275 | (ND, NE) Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled'. | Compliant | True |
| 276 | (ND, NE) Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled'. | Compliant | True |
| 317 | (ND, NE) Ensure 'Connected User Experiences and Telemetry' is set to 'Disabled'. | Registry value not found. | False |
| 320 | (ND, NE) Ensure 'Computer Browser (Browser)' is set to 'Disabled' or 'Not Installed'. | Compliant | True |
| 321 | (NE, ND) Ensure 'Internet Connection Sharing (ICS) (SharedAccess)' is set to 'Disabled'. | Compliant | True |
| 323 | (ND, NE) Ensure 'IIS Admin Service (IISADMIN)' is set to 'Disabled' or 'Not Installed'. | Compliant | True |
| 324 | (NE, ND) Ensure 'Infrared monitor service (irmon)' is set to 'Disabled'. | Compliant | True |
| 326 | (ND, NE) Ensure 'LxssManager (LxssManager)' is set to 'Disabled' or 'Not Installed'. | Compliant | True |
| 328 | (ND, NE) Ensure 'Microsoft FTP Service (FTPSVC)' is set to 'Disabled' or 'Not Installed'. | Compliant | True |
| 331 | (ND, NE) Ensure 'OpenSSH SSH Server (sshd)' is set to 'Disabled' or 'Not Installed'. | Compliant | True |
| 338 | (ND, NE) Ensure 'Routing and Remote Access (RemoteAccess)' is set to 'Disabled'. | Compliant | True |
| 339 | (ND, NE) Ensure 'Remote Procedure Call (RPC) Locator (RpcLocator)' is set to 'Disabled'. | Compliant | True |
| 341 | (ND, NE) Ensure 'Simple TCP/IP Services (simptcp)' is set to 'Disabled' or 'Not Installed'. | Compliant | True |
| 343 | (ND, NE) Ensure 'SSDP Discovery (SSDPSRV)' is set to 'Disabled'. | Compliant | True |
| 345 | (ND, NE) Ensure 'UPnP Device Host (upnphost)' is set to 'Disabled'. | Compliant | True |
| 348 | (ND, NE) Ensure 'Web Management Service (WMSvc)' is set to 'Disabled' or 'Not Installed'. | Compliant | True |
| 349 | (ND, NE) Ensure 'Windows Media Player Network Sharing Service (WMPNetworkSvc)' is set to 'Disabled'. | Compliant | True |
| 351 | (HD) Ensure 'Windows Mobile Hotspot Service (icssvc)' is set to 'Disabled'. | Compliant | True |
| 356 | (ND, NE) Ensure 'World Wide Web Publishing Service (W3SVC)' is set to 'Disabled' or 'Not Installed'. | Compliant | True |
| 357 | (ND, NE) Ensure 'Xbox Accessory Management Service (XboxGipSvc)' is set to 'Disabled'. | Compliant | True |
| 358 | (ND, NE) Ensure 'Xbox Live Auth Manager (XblAuthManager)' is set to 'Disabled'. | Compliant | True |
| 359 | (ND, NE) Ensure 'Xbox Live Networking Service (XboxNetApiSvc)' is set to 'Disabled'. | Compliant | True |
| 360 | (ND, NE) Ensure 'Xbox Live Game Save (XblGameSave)' is set to 'Disabled'. | Compliant | True |
| 365 | (ND, NE) Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow (default)' . | Compliant | True |
| 366 | (ND, NE) Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'No'. | Compliant | True |
| 367 | (ND, NE) Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)'. | Compliant | True |
| 368 | (ND, NE) Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)'. | Compliant | True |
| 369 | (ND, NE) Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No'. | Compliant | True |
| 370 | (ND, NE) Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No'. | Compliant | True |
| 371 | (ND, NE) Ensure 'Windows Firewall: Private: Outbound connections' is set to 'Allow (default)'. | Compliant | True |
| 372 | (ND, NE) Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No'. | Compliant | True |
| 373 | (ND, NE) Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)'. | Compliant | True |
| 374 | (ND, NE) Ensure 'Windows Firewall: Private: Firewall state' is set to 'On (recommended)'. | Compliant | True |
User Rights Assignment-↑
| Id | Task | Message | Status |
|---|---|---|---|
| 277 | (ND, NE) Ensure 'Change the system time' is set to 'Administrators, LOCAL SERVICE'. | Compliant | True |
| 278 | (ND, NE) Ensure 'Change the time zone' is set to 'Administrators, LOCAL SERVICE, Users'. | Compliant | True |
| 279 | (ND, NE) Ensure 'Increase scheduling priority' is set to 'Administrators, Window Manager\Window Manager Group'. | Compliant | True |
| 280 | (ND, NE) Ensure 'Deny log on as a batch job' to include 'ANONYMOUS LOGON, Guests'. | The user 'SeDenyBatchLogonRight' setting does not contain the following users: NT AUTHORITY\ANONYMOUS LOGON | False |
| 282 | (ND, NE) Ensure 'Deny log on as a service' to include 'ANONYMOUS LOGON, Guests'. | The user 'SeDenyServiceLogonRight' setting does not contain the following users: NT AUTHORITY\ANONYMOUS LOGON | False |
| 284 | (ND) Ensure 'Deny log on through Remote Desktop Services' to include 'ANONYMOUS LOGON, Guests, Local account'. | The user right 'SeDenyRemoteInteractiveLogonRight' contains following unexpected users: NT AUTHORITY\Local account (S-1-5-113) The user right 'SeDenyRemoteInteractiveLogonRight' setting does not contain the following users: NT AUTHORITY\ANONYMOUS LOGON (S-1-5-7), LOCAL (S-1-2-0) | False |
| 285 | (ND, NE) Ensure 'Allow log on through Remote Desktop Services' is set to 'Administrators, Remote Desktop Users'. | Compliant | True |
| 286 | (ND, NE) Ensure 'Impersonate a client after authentication' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'. | Compliant | True |
| 287 | (ND, NE) Ensure 'Adjust memory quotas for a process' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE'. | The user right 'SeIncreaseQuotaPrivilege' contains following unexpected users: NT SERVICE\SQLSERVERAGENT, NT SERVICE\MSSQLSERVER | False |
| 288 | (ND, NE) Ensure 'Access Credential Manager as a trusted caller' is set to 'No One'. | Compliant | True |
| 289 | (ND, NE) Ensure 'Access this computer from the network' is set to 'Administrators, Remote Desktop Users'. | The user right 'SeNetworkLogonRight' contains following unexpected users: BUILTIN\Users, BUILTIN\Backup Operators The user 'SeNetworkLogonRight' setting does not contain the following users: BUILTIN\Remote Desktop Users | False |
| 290 | (ND, NE) Ensure 'Debug programs' is set to 'Administrators'. | Compliant | True |
| 291 | (ND, NE) Ensure 'Perform volume maintenance tasks' is set to 'Administrators'. | Compliant | True |
| 292 | (ND, NE) Ensure 'Act as part of the operating system' is set to 'No One'. | Compliant | True |
| 294 | (ND, NE) Ensure 'Replace a process level token' is set to 'LOCAL SERVICE, NETWORK SERVICE'. | The user right 'SeAssignPrimaryTokenPrivilege' contains following unexpected users: NT SERVICE\SQLSERVERAGENT, NT SERVICE\MSSQLSERVER | False |
| 295 | (ND, NE) Ensure 'Create a pagefile' is set to 'Administrators'. | Compliant | True |
| 296 | (ND, NE) Ensure 'Profile system performance' is set to 'Administrators, NT SERVICE\WdiServiceHost'. | Compliant | True |
| 297 | (ND, NE) Ensure 'Profile single process' is set to 'Administrators'. | Compliant | True |
| 298 | (ND, NE) Ensure 'Create a token object' is set to 'No One'. | Compliant | True |
| 299 | (ND, NE) Ensure 'Create global objects' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'. | Compliant | True |
| 300 | (ND, NE) Ensure 'Create symbolic links' is set to 'Administrators'. | The user right 'SeCreateSymbolicLinkPrivilege' contains following unexpected users: NT VIRTUAL MACHINE\Virtual Machines | False |
| 301 | (ND, NE) Ensure 'Create permanent shared objects' is set to 'No One'. | Compliant | True |
| 302 | (ND, NE) Ensure 'Force shutdown from a remote system' is set to 'Administrators'. | Compliant | True |
| 303 | (ND, NE) Ensure 'Generate security audits' is set to 'LOCAL SERVICE, NETWORK SERVICE'. | Compliant | True |
| 304 | (ND, NE) Ensure 'Shut down the system' is set to 'Administrators, Users'. | The user right 'SeShutdownPrivilege' contains following unexpected users: BUILTIN\Backup Operators | False |
| 305 | (ND, NE) Ensure 'Load and unload device drivers' is set to 'Administrators'. | Compliant | True |
| 306 | (ND, NE) Ensure 'Deny log on locally' to include 'ANONYMOUS LOGON, Guests'. | The user 'SeDenyInteractiveLogonRight' setting does not contain the following users: NT AUTHORITY\ANONYMOUS LOGON | False |
| 307 | (ND, NE) Ensure 'Allow log on locally' is set to 'Administrators, Users'. | The user right 'SeInteractiveLogonRight' contains following unexpected users: DESKTOP-UTMU75K\OldGuest, BUILTIN\Backup Operators | False |
| 308 | (ND, NE) Ensure 'Back up files and directories' is set to 'Administrators'. | The user right 'SeBackupPrivilege' contains following unexpected users: BUILTIN\Backup Operators | False |
| 309 | (ND, NE) Ensure 'Lock pages in memory' is set to 'No One'. | Compliant | True |
| 310 | (ND, NE) Ensure 'Take ownership of files or other objects' is set to 'Administrators' . | Compliant | True |
| 311 | (ND, NE) Ensure 'Modify firmware environment values' is set to 'Administrators'. | Compliant | True |
| 312 | (ND, NE) Ensure 'Modify an object label' is set to 'No One'. | Compliant | True |
| 313 | (ND, NE) Ensure 'Manage auditing and security log' is set to 'Administrators'. | Compliant | True |
| 314 | (ND, NE) Ensure 'Restore files and directories' is set to 'Administrators'. | The user right 'SeRestorePrivilege' contains following unexpected users: BUILTIN\Backup Operators | False |
| 315 | (ND, NE) Ensure 'Deny access to this computer from the network' to include 'ANONYMOUS LOGON, Guest, Local account'. | The user 'SeDenyNetworkLogonRight' setting does not contain the following users: NT AUTHORITY\ANONYMOUS LOGON | False |
Account Policies-↑
| Id | Task | Message | Status |
|---|---|---|---|
| 200 | (ND, NE) Ensure 'Store passwords using reversible encryption' is set to 'Disabled'. | Compliant | True |
| 201 | (ND, NE) Ensure 'Password must meet complexity requirements' is set to 'Enabled'. | Compliant | True |
| 202 | (ND, NE) Ensure 'Enforce password history' is set to '24 or more password(s)'. | Compliant | True |
| 203 | (ND, NE) Ensure 'Maximum password age' is set to '365 or fewer days, but not 0'. | Compliant | True |
| 204 | (ND, NE) Ensure 'Minimum password length' is set to '14 or more character(s)'. | Compliant | True |
| 205 | (ND, NE) Ensure 'Minimum password age' is set to '1 or more day(s)' . | Compliant | True |
Security Options-↑
| Id | Task | Message | Status |
|---|---|---|---|
| 235 | (ND, NE) Configure 'Accounts: Rename administrator account'. | Compliant | True |
| 236 | (ND, NE) Ensure 'Accounts: Administrator account status' is set to 'Disabled'. | Compliant | True |
| 237 | (ND, NE) Ensure 'Accounts: Guest account status' is set to 'Disabled'. | Compliant | True |
| 238 | (ND, NE) Configure 'Accounts: Rename guest account'. | Compliant | True |
BSI Benchmarks SiM-08202 - BPOL-↑
This section contains the BSI Benchmark results.
Registry Settings/Group Policies-↑
| Id | Task | Message | Status |
|---|---|---|---|
| 0003 | Ensure 'Configure Automatic Updates' is set to 4 | Registry value not found. | False |
| 0004 | Ensure 'Configure Automatic Updates' is set to 'Every Day' | Compliant | True |
| 0005 | Ensure 'Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' | Compliant | True |
| 0006 | Ensure 'Specify the maximum log file size (KB)' is set to 'Enabled: 32768' | Compliant | True |
| 0032 | Ensure 'Setup: Specify the maximum log file size (KB)' is set to 32768. | Registry key not found. | False |
| 0037 | Ensure 'Allow enhanced PINs for startup' is set 'Enabled'. | Compliant | True |
| 0038 | Ensure 'Allow Secure Boot for integrity validation' is set 'Enabled'. | Compliant | True |
| 0039 | Ensure 'Allow Secure Boot for integrity validation' is set 'Enabled'. | Registry value not found. | False |
| 0040 | Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set 'Disabled'. | Compliant | True |
| 0041 | Ensure 'Allow user control over installs' is set 'Disabled'. | Compliant | True |
| 0043 | Ensure 'Enable Windows NTP Client' is set to 'Enabled' | Compliant | True |
| 0065 | Ensure 'Enumerate administrator accounts on elevation' is set 'Disabled'. | Registry value not found. | False |
| 0101 | Ensure 'Restrict Unauthenticated RPC clients' is set 'Enabled' | Compliant | True |
| 0109 | Ensure 'Allow Telemetry' is set to 0. | Registry value is '1'. Expected: 0 | False |
| 0110 | Ensure 'Do not show feedback notifications' is set to 1. | Compliant | True |
| 0111 | Ensure 'Turn on MSDT interactive communication with support provider' is set to 'Disabled'. | Compliant | True |
| 0112 | Ensure 'Toggle user control over Insider builds' is set to 'Disabled'. | Compliant | True |
| 0113 | Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled'. | Compliant | True |
| 0114 | Ensure 'Turn off location' is set to 'Enabled'. | Compliant | True |
| 0115 | Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled'. | Compliant | True |
| 0116 | Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'. | Compliant | True |
| 0117 | Ensure 'Turn off the Windows Customer Experience program' is set to 'Enabled'. | Registry value is '0'. Expected: 1 | False |
| 0118 | Ensure 'Turn off the Windows Error Reporting' is set to 'Enabled'. | Compliant | True |
| 0119 | Ensure 'Windows Game Recording and Broadcasting' is set to 'Disabled'. | Compliant | True |
| 82020121 | Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled'. | Compliant | True |
| 0122 | Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled'. | Registry key not found. | False |
| 0123 | Ensure 'Prevent using Localhost IP address for WebRTC' is set to 'Enabled'. | Compliant | True |
| 0131 | Ensure 'Allow a Windows app to share application data between users' is set to 'Disabled'. | Compliant | True |
| 0132 | Ensure 'Allow indexing of encrypted files' is set to 'Disabled'. | Compliant | True |
| 0133 | Ensure 'Allow InPrivate browsing' is set to 'Disabled'. | Compliant | True |
| 0135 | Ensure 'Allow Standby States (S1-S3) When Sleeping (On Battery)' is set to 'Disabled'. | Compliant | True |
| 0136 | Ensure 'Allow Standby States (S1-S3) When Sleeping (Plugged In)' is set to 'Disabled'. | Compliant | True |
| 0137 | Ensure 'Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services' is set to 'Disabled'. | Compliant | True |
| 0138 | Ensure 'Always install with elevated privileges ' is set to 'Disabled'. | Compliant | True |
| 0139 | Ensure 'Always prompt for password upon connection' is set to 'Enabled'. | Compliant | True |
| 0140 | Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled'. | Registry value is '3'. Expected: 1 | False |
| 0141 | Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled'. | Compliant | True |
| 0142 | Ensure 'Configure Offer Remote Assistance' is set to 'Disabled'. | Compliant | True |
| 0143 | Ensure 'Configure Password Manager' is set to 'Disabled'. | Registry value not found. | False |
| 0144 | Ensure 'Configure Pop-up Blocker' is set to 'Enabled'. | Compliant | True |
| 0145 | Ensure 'Configure registry policy processing' is set to 'Do not apply during periodic background processing (False)'. | Compliant | True |
| 0146 | Ensure 'Configure registry policy processing' is set to 'Process even if the Group Policy objects have not changed (False)'. | Registry value is '0'. Expected: 1 | False |
| 0147 | Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled'. | Compliant | True |
| 0148 | Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled'. | Registry value is '1'. Expected: 0 | False |
| 0149 | Ensure 'Disallow copying of user input methods to the system account for sign-in ' is set to 'Enabled'. | Compliant | True |
| 0150 | Ensure 'Do not allow password expiration time longer than required by policy' is set to 'Enabled'. | Registry value not found. | False |
| 0151 | Ensure 'Do not allow passwords to be saved' is set to 'Enabled'. | Compliant | True |
| 0152 | Ensure 'Do not allow supported Plug and Play device redirection' is set to 'Enabled'. | Compliant | True |
| 0153 | Ensure 'Do not delete temp folders upon exit' set to 'Disabled'. | Registry value is '1'. Expected: 0 | False |
| 0154 | Ensure 'Do not display network selection UI' set to 'Enabled'. | Compliant | True |
| 0155 | Ensure 'Do not enumerate connected users on domain-joined computers' set to 'Enabled'. | Compliant | True |
| 0156 | Ensure 'Enable insecure guest logons' set to 'Disabled'. | Compliant | True |
| 0157 | Ensure 'Enable local admin password management' set to 'Enabled'. | Compliant | True |
| 0158 | Ensure 'Enable RPC Endpoint Mapper Client Authentication' set to 'Enabled'. | Compliant | True |
| 0159 | Ensure 'Enable screen saver' set to 'Enabled'. | Registry key not found. | False |
| 0160 | Ensure 'Enable Windows NTP Server' set to 'Disabled'. | Compliant | True |
| 0161 | Ensure 'Enable/Disable PerfTrack' set to 'Disabled'. | Compliant | True |
| 0163 | Ensure 'Enumerate local users on domain-joined computers' set to 'Disabled'. | Compliant | True |
| 0164 | Ensure 'Include command line in process creation events' set to 'Disabled'. | Registry key not found. | False |
| 0165 | Ensure 'Let Windows apps access account information' set to 'Enabled:Force Deny'. | Registry value not found. | False |
| 0166 | Ensure 'Let Windows apps access call history' set to 'Enabled:Force Deny'. | Registry value not found. | False |
| 0167 | Ensure 'Let Windows apps access contacts' set to 'Enabled:Force Deny'. | Registry value not found. | False |
| 0168 | Ensure 'Let Windows apps access email' set to 'Enabled:Force Deny'. | Registry value not found. | False |
| 0169 | Ensure 'Let Windows apps access location' set to 'Enabled:Force Deny'. | Registry value not found. | False |
| 0170 | Ensure 'Let Windows apps access messaging' set to 'Enabled:Force Deny'. | Registry value not found. | False |
| 0171 | Ensure 'Let Windows apps access motion' set to 'Enabled:Force Deny'. | Registry value not found. | False |
| 0172 | Ensure 'Let Windows apps access notifications' set to 'Enabled:Force Deny'. | Registry value not found. | False |
| 0173 | Ensure 'Let Windows apps access the calendar' set to 'Enabled:Force Deny'. | Registry value not found. | False |
| 0174 | Ensure 'Let Windows apps access the camera' set to 'Enabled:Force Deny'. | Registry value not found. | False |
| 0175 | Ensure 'Let Windows apps access the microphone' set to 'Enabled:Force Deny'. | Registry value not found. | False |
| 0176 | Ensure 'Let Windows apps access trusted devices' set to 'Enabled:Force Deny'. | Registry value not found. | False |
| 0177 | Ensure 'Let Windows apps control radios' set to 'Enabled:Force Deny'. | Registry value not found. | False |
| 0178 | Ensure 'Let Windows apps make phone calls' set to 'Enabled:Force Deny'. | Registry value not found. | False |
| 0179 | Ensure 'Let Windows apps sync with devices' set to 'Enabled:Force Deny'. | Registry value not found. | False |
| 0185 | Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' set to 'Enabled'. | Registry value not found. | False |
| 0209 | Ensure 'Prevent downloading of enclosures' set to 'Enabled'. | Compliant | True |
| 0210 | Ensure 'Prevent enabling lock screen camera' set to 'Enabled'. | Compliant | True |
| 0211 | Ensure 'Prevent enabling lock screen slide show' set to 'Enabled'. | Compliant | True |
| 0212 | Ensure 'Prevent installation of devices that match any of these device IDs' set to 'Enabled'. | Registry value not found. | False |
| 0213 | Ensure 'Prevent installation of devices using drivers that match these device setup classes' set to 'Enabled'. | Compliant | True |
| 0214 | Ensure 'Prevent Internet Explorer security prompt for Windows Installer scripts' set to 'Disabled'. | Compliant | True |
| 0215 | Ensure 'Prevent the computer from joining a homegroup' set to 'Enalbed'. | Compliant | True |
| 0216 | Ensure 'Prohibit access of the Windows Connect Now wizards' set to 'Enalbed'. | Compliant | True |
| 0217 | Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' set to 'Enalbed'. | Compliant | True |
| 0218 | Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' set to 'Enalbed'. | Registry value is '0'. Expected: 1 | False |
| 0220 | Ensure 'Require a password when a computer wakes (on battery)' set to 'Enalbed'. | Compliant | True |
| 0221 | Ensure 'Require a password when a computer wakes (plugged in)' set to 'Enalbed'. | Compliant | True |
| 0222 | Ensure 'Require additional authentication at startup' set to 'Enalbed'. | Compliant | True |
| 0223 | Ensure 'Require domain users to elevate when setting a network's location' set to 'Enalbed'. | Compliant | True |
| 0224 | Ensure 'Set the default behavior for AutoRun' set to 'Enalbed: Do not execute any autorun commands'. | Compliant | True |
| 0225 | Ensure 'Sign-in last interactive user automatically after a system-initiated restart' set to 'Disabled'. | Compliant | True |
| 0229 | Ensure 'Turn off background refresh of Group Policy' set to 'Disabled'. | Compliant | True |
| 0230 | Ensure 'Turn off Data Execution Prevention for Explorer' set to 'Disabled'. | Compliant | True |
| 0231 | Ensure 'Turn off downloading of print drivers over HTTP' set to 'Enabled'. | Compliant | True |
| 0232 | Ensure 'Turn off handwriting personalization data sharing' set to 'Enabled'. | Compliant | True |
| 0233 | Ensure 'Turn off handwriting recognition error reporting' set to 'Enabled'. | Compliant | True |
| 0234 | Ensure 'Turn off heap termination on corruption' set to 'Disabled'. | Compliant | True |
| 0235 | Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' set to 'Enabled'. | Compliant | True |
| 0236 | Ensure 'Turn off Internet download for Web publishing and online ordering wizards' set to 'Enabled'. | Compliant | True |
| 0237 | Ensure 'Turn off Microsoft Peer-to-Peer Networking Services' set to 'Enabled'. | Compliant | True |
| 0238 | Ensure 'Turn off picture password sign-in' set to 'Enabled'. | Compliant | True |
| 0239 | Ensure 'Turn off printing over HTTP' set to 'Enabled'. | Compliant | True |
| 0240 | Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' set to 'Enabled'. | Compliant | True |
| 0241 | Ensure 'Turn off Search Companion content file updates' set to 'Enabled'. | Compliant | True |
| 0242 | Ensure 'Turn off shell protocol protected mode' set to 'Disabled'. | Compliant | True |
| 0243 | Ensure 'Turn off the 'Order Prints' picture task' set to 'Enabled'. | Compliant | True |
| 0244 | Ensure 'Turn off the 'Publish to Web' task for files and folders' set to 'Enabled'. | Compliant | True |
| 0245 | Ensure 'Turn on convenience PIN sign-in' set to 'Disabled'. | Compliant | True |
| 0246 | Ensure 'Turn on Mapper I/O (LLTDIO) driver' set to 'Disabled'. | Compliant | True |
| 0247 | Ensure 'Turn on Responder (RSPNDR) driver' set to 'Disabled'. | Compliant | True |
| 0248 | Ensure 'Turn On Virtualization Based Security' set to 'Enabled: Block untrusted fonts and log events'. | Compliant | True |
| 0249 | Ensure 'Untrusted Font Blocking' set to 'Enabled'. | Registry key not found. | False |
| 0250 | Ensure 'Configure enhanced anti-spoofing' set to 'Enabled'. | Compliant | True |
| 0251 | Ensure 'WDigest Authentication' set to 'Enabled'. | Registry value is '0'. Expected: 1 | False |
| 0253 | Ensure 'Windows Firewall: Domain: Apply local firewall rules' set to 'Disabled'. | Registry value not found. | False |
| 0254 | Ensure 'Windows Firewall: Domain: Display a notification' set to 'Disabled'. | Registry value is '1'. Expected: 0 | False |
| 0279 | Ensure 'Windows Firewall: Domain: Logging: Name' set to '%windir%\system32\logfiles\firewall\domainfirewall.log'. | Registry value is '%SystemRoot%\System32\logfiles\firewall\domainfw.log'. Expected: %windir%\system32\logfiles\firewall\domainfirewall.log | False |
| 0280 | Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' set to '16,384'. | Compliant | True |
| 0281 | Ensure 'Windows Firewall: Public: Outbound connections' set to 'Allow'. | Registry value is '0'. Expected: 1 | False |
| 0282 | Ensure 'Block launching Windows Store apps with Windows RuntimeAPIaccessfromhostedcontent' set to 'Enabled'. | Compliant | True |
| 0283 | Ensure 'Turn off KMS Client Online AVS Validation' set to 'Enabled'. | Compliant | True |
| 0284 | Ensure 'Do not display the password reveal button' set to 'Enabled'. | Compliant | True |
| 0285 | Ensure 'Join Microsoft MAPS' set to 'Disabled'. | Registry value not found. | False |
| 0286 | Ensure 'Configure search suggestions in Address bar' set to 'Disabled'. | Compliant | True |
| 0287 | Ensure 'Configure Windows SmartScreen' set to 'Enabled: Require approval from an administrator before running downloaded unknown software'. | Registry value is '1'. Expected: 2 | False |
| 0288 | Ensure 'Don't allow SmartScreen Filter warning overrides for unverified files' set to 'Enabled'. | Compliant | True |
| 0289 | Ensure 'Don't allow SmartScreen Filter warning overrides' set to 'Enabled'. | Compliant | True |
| 0290 | Ensure 'Prevent managing SmartScreen Filter' set to 'Enabled: On'. | Registry value not found. | False |
| 0291 | Ensure 'Prevent managing SmartScreen Filter' set to 'Enabled: On'. | Compliant | True |
| 0292 | Ensure 'Turn on SmartScreen Filter scan' set to 'Enabled'. | Compliant | True |
| 0293 | Ensure 'Allow Cortana' set to 'Disabled'. | Compliant | True |
| 0294 | Ensure 'Allow search and Cortana to use location' set to 'Disabled'. | Compliant | True |
| 0295 | Ensure 'Disable all apps from Microsoft Store' set to 'Enabled'. | Registry value not found. | False |
| 0296 | Ensure 'Disable pre-release features or settings' set to 'Disabled'. | Registry value not found. | False |
| 0297 | Ensure 'Turn off access to the Store' set to 'Enabled'. | Compliant | True |
| 0298 | Ensure 'Turn off Automatic Download and Install of updates' set to 'Enabled'. | Registry value is '4'. Expected: 2 | False |
| 0299 | Ensure 'Turn off the offer to update to the latest version of Windows' set to 'Enabled'. | Compliant | True |
| 0300 | Ensure 'Turn off the Store application' set to 'Enabled'. | Compliant | True |
| 0301 | Ensure 'Allow Basic authentication' set to 'Disabled'. | Compliant | True |
| 0302 | Ensure 'Allow unencrypted traffic' set to 'Disabled'. | Compliant | True |
| 0304 | Ensure 'Allow Remote Shell Access' set to 'Disabled'. | Registry value is '1'. Expected: 0 | False |
| 0306 | Ensure 'Allow users to connect remotely by using Remote Desktop Services' set to 'Disabled'. | Compliant | True |
| 0307 | Ensure 'Disallow Digest authentication' set to 'Enabled'. | Compliant | True |
| 0308 | Ensure 'Disallow WinRM from storing RunAs credentials' set to 'Enabled'. | Compliant | True |
| 0309 | Ensure 'Do not allow COM port redirection' set to 'Enabled'. | Compliant | True |
| 0310 | Ensure 'Do not allow drive redirection' set to 'Enabled'. | Compliant | True |
| 0311 | Ensure 'Do not allow LPT port redirection' set to 'Enabled'. | Compliant | True |
| 0312 | Ensure 'Do not use temporary folders per session' set to 'Disabled'. | Registry value not found. | False |
| 0313 | Ensure 'Apply UAC restrictions to local accounts on network logons' set to 'Enabled'. | Compliant | True |
| 0323 | Ensure 'Allow access to BitLocker-protected fixed data drives from earlier versions of Windows' set to 'Disabled'. | Compliant | True |
| 0324 | Ensure 'Allow access to BitLocker-protected removable data drives from earlier versions of Windows' set to 'Disabled'. | Compliant | True |
| 0325 | Ensure 'Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)' set to 'XTS-AES 256-bit'. | Registry value not found. | False |
| 0328 | Ensure 'Choose how BitLocker-protected fixed drives can be recovered' set to 'Enabled'. | Compliant | True |
| 0329 | Ensure 'Choose how BitLocker-protected operating system drives can be recovered' set to 'Enabled'. | Compliant | True |
| 0330 | Ensure 'Choose how BitLocker-protected removable drives can be recovered' set to 'Enabled'. | Registry value not found. | False |
| 0331 | Ensure 'Configure minimum PIN length for startup' set to 'Enabled' and 'minimum characters' set to 10. | Registry value not found. | False |
| 0332 | Ensure 'Configure use of hardware-based encryption for fixed data drives' set to 'Enabled'. | Compliant | True |
| 0333 | Ensure 'Configure use of hardware-based encryption for operating system drives' set to 'Enabled'. | Compliant | True |
| 0334 | Ensure 'Configure use of hardware-based encryption for removable data drives' set to 'Enabled'. | Compliant | True |
| 0335 | Ensure 'Configure use of passwords for fixed data drives' set to 'Disabled'. | Compliant | True |
| 0336 | Ensure 'Configure use of passwords for operating system drives' set to 'Disabled'. | Compliant | True |
| 0337 | Ensure 'Configure use of passwords for removable data drives' set to 'Disabled'. | Registry value not found. | False |
| 0338 | Ensure 'Configure use of smart cards on fixed data drives' set to 'Enabled'. | Compliant | True |
| 0339 | Ensure 'Configure use of smart cards on removable data drives' set to 'Enabled'. | Compliant | True |
| 0340 | Ensure 'Deny write access to removable drives not protected by BitLocker' set to 'Enabled'. | Compliant | True |
| 82020342 | Ensure 'Choose how BitLocker-protected fixed drives can be recovered' set to 'Save BitLocker recovery information to AD DS for fixed data drives'. | Compliant | True |
| 0343 | Ensure 'Choose how BitLocker-protected operating system drives can be recovered' set to 'Save BitLocker recovery information to AD DS for operating system drives'. | Compliant | True |
| 0344 | Ensure 'Choose how BitLocker-protected removable drives can be recovered' set to 'Save BitLocker recovery information to AD DS for removable data drives'. | Compliant | True |
| 0345 | Ensure 'Require additional authentication at startup' set to 'Do not allow startup key and PIN with TPM'. | Registry value not found. | False |
| 0346 | Ensure 'Choose how BitLocker-protected fixed drives can be recovered' set to 'Allow data recovery agent'. | Compliant | True |
| 0347 | Ensure 'Choose how BitLocker-protected operating system drives can be recovered' set to 'Allow data recovery agent'. | Compliant | True |
| 0348 | Ensure 'Choose how BitLocker-protected removable drives can be recovered' set to 'Allow data recovery agent'. | Compliant | True |
| 0349 | Ensure 'Configure use of hardware-based encryption for fixed data drives' set to 'Use BitLocker software-based encryption when hardware encryption is not available'. | Compliant | True |
| 0350 | Ensure 'Configure use of hardware-based encryption for operating system drives' set to 'Use BitLocker software-based encryption when hardware encryption is not available'. | Compliant | True |
| 0351 | Ensure 'Configure use of hardware-based encryption for removable data drives' set to 'Use BitLocker software-based encryption when hardware encryption is not available'. | Compliant | True |
| 0352 | Ensure 'Configure use of smart cards on fixed data drives' set to 'Require use of smart cards on fixed data drives'. | Compliant | True |
| 0353 | Ensure 'Configure use of smart cards on removable data drives' set to 'Require use of smart cards on removable data drives'. | Compliant | True |
| 0354 | Ensure 'Deny write access to removable drives not protected by BitLocker' set to 'Do not allow write access to devices configured in another organization'. | Registry value is '0'. Expected: 1 | False |
| 0355 | Ensure 'Password Settings' set to 'Large letters + small letters + numbers + specials'. | Compliant | True |
| 0358 | Ensure 'Require additional authentication at startup' set to 'Allow BitLocker without a compatible TPM'. | Compliant | True |
| 0359 | Ensure 'Choose how BitLocker-protected operating system drives can be recovered' set to 'Omit recovery options from the BitLocker setup wizard'. | Compliant | True |
| 0360 | Ensure 'Choose how BitLocker-protected fixed drives can be recovered' set to 'Omit recovery options from the BitLocker setup wizard (Test)'. | Compliant | True |
| 0361 | Ensure 'Choose how BitLocker-protected removable drives can be recovered' set to 'Omit recovery options from the BitLocker setup wizard (True)'. | Compliant | True |
| 0362 | Ensure 'Require additional authentication at startup' set to 'Do not allow startup key with TPM'. | Registry value not found. | False |
| 0363 | Ensure 'Choose how BitLocker-protected fixed drives can be recovered' set to 'Allow 48-digit recovery password'. | Compliant | True |
| 0364 | Ensure 'Choose how BitLocker-protected operating system drives can be recovered' set to 'Require 48-digit recovery password '. | Registry value is '2'. Expected: 1 | False |
| 0365 | Ensure 'Choose how BitLocker-protected removable drives can be recovered' set to 'Do not allow 48-digit recovery password'. | Registry value not found. | False |
| 0366 | Ensure 'Configure use of hardware-based encryption for fixed data drives' set to 'Restrict encryption algorithms and cipher suites allowed for hardware-based encryption'. | Compliant | True |
| 0367 | Ensure 'Configure use of hardware-based encryption for operating system drives' set to 'Restrict encryption algorithms and cipher suites allowed for hardware-based encryption (False)'. | Compliant | True |
| 0368 | Ensure 'Configure use of hardware-based encryption for removable data drives' set to 'Restrict encryption algorithms and cipher suites allowed for hardware-based encryption (False)'. | Compliant | True |
| 0369 | Ensure 'Configure use of hardware-based encryption for removable data drives' set to 'Password Length' and set to greater or equal 15. | Registry value is '14'. Expected: x >= 15 | False |
| 0370 | Ensure 'Prevent installation of devices that match any of these device IDs' set to 'Also apply to matching devices that are already installed. (True) '. | Registry value not found. | False |
| 0371 | Ensure 'Prevent installation of devices using drivers that match these device setup classes' set to 'Also apply to matching devices that are already installed. (True) '. | Compliant | True |
| 0372 | Ensure 'Require additional authentication at startup' set to 'Do not allow TPM'. | Registry value not found. | False |
| 0373 | Ensure 'Choose how BitLocker-protected removable drives can be recovered' set to 'Do not enable BitLocker until recovery information is stored to AD DS for removable data drives (False)'. | Compliant | True |
| 0374 | Ensure 'Choose how BitLocker-protected operating system drives can be recovered' set to 'Do not enable BitLocker until recovery information is stored to AD DS for operating system drives (Enabled)'. | Compliant | True |
| 0375 | Ensure 'Choose how BitLocker-protected fixed drives can be recovered' set to 'Backup recovery passwords and key packages'. | Compliant | True |
| 0376 | Ensure 'Choose how BitLocker-protected operating system drives can be recovered' set to 'Store recovery passwords and key packages'. | Compliant | True |
| 0377 | Ensure 'Choose how BitLocker-protected removable drives can be recovered' set to 'Backup recovery passwords and key packages'. | Compliant | True |
| 0378 | Ensure 'Choose how BitLocker-protected operating system drives can be recovered' set to 'Do not allow 256-bit recovery key'. | Compliant | True |
| 0380 | Ensure 'Choose how BitLocker-protected removable drives can be recovered' set to 'Do not allow 256-bit recovery key'. | Compliant | True |
| 0384 | Ensure 'Password Age' set to less or equal 42. | Registry value is '10'. Expected: 42 | False |
| 0385 | Ensure 'Require additional authentication at startup' set to 'Require startup PIN with TPM'. | Registry value not found. | False |
| 0386 | Ensure 'Turn on PowerShell Transcription' set to 'Disabled'. | Compliant | True |
| 0387 | Ensure 'Turn on PowerShell Script Block Logging' set to 'Enabled'. | Registry value is '0'. Expected: 1 | False |
| 0388 | Ensure 'Require secure RPC communication' set to 'Enabled'. | Compliant | True |
| 0389 | Ensure 'Set client connection encryption level' set to 'Enabled: High Level'. | Compliant | True |
| 0390 | Ensure 'Set time limit for active but idle Remote Desktop Services sessions' set to 'Enabled: 5 minutes'. | Registry value is '900000'. Expected: 300000 | False |
| 0391 | Ensure 'Set time limit for disconnected sessions' set to 'Enabled: 1 minute'. | Compliant | True |
User Rights Assignment-↑
| Id | Task | Message | Status |
|---|---|---|---|
| 0044 | Ensure 'SeTrustedCredManAccessPrivilege' is set to 'Enabled' | Compliant | True |
| 0045 | Ensure 'SeNetworkLogonRight' is set to 'Administrator, Users' | The user right 'SeNetworkLogonRight' contains following unexpected users: BUILTIN\Backup Operators | False |
| 0046 | Ensure 'SeTcbPrivilege' is set to 'None' | Compliant | True |
| 0047 | Ensure ’Adjust memory quotas for a process’ set to ’Administrators, LOCAL SERVICE, NETWORK SERVICE’ | The user right 'SeIncreaseQuotaPrivilege' contains following unexpected users: NT SERVICE\SQLSERVERAGENT, NT SERVICE\MSSQLSERVER | False |
| 0048 | Ensure 'Allow log on locally' set to 'Administrators, Users' | The user right 'SeInteractiveLogonRight' contains following unexpected users: DESKTOP-UTMU75K\OldGuest, BUILTIN\Backup Operators | False |
| 0049 | Ensure 'SeBackupPrivilege' is set to 'Administrator' | The user right 'SeBackupPrivilege' contains following unexpected users: BUILTIN\Backup Operators | False |
| 0050 | Ensure 'SeSystemtimePrivilege' is set to 'Administrator, LOCAL SERVICE' | Compliant | True |
| 0051 | Ensure 'SeTimeZonePrivilege' is set to 'Administrator, LOCAL SERVICE' | The user right 'SeTimeZonePrivilege' contains following unexpected users: BUILTIN\Users | False |
| 0052 | Ensure 'SeCreatePagefilePrivilege' is set to 'Administrator, LOCAL SERVICE' | The user 'SeCreatePagefilePrivilege' setting does not contain the following users: NT AUTHORITY\LOCAL SERVICE | False |
| 0053 | Ensure 'SeCreateTokenPrivilege' is set to 'None' | Compliant | True |
| 0054 | Ensure 'SeCreateGlobalPrivilege' is set to 'Administrator, SERVICE, LOCAL SERVICE, NETWORK SERVICE' | Compliant | True |
| 0055 | Ensure 'SeCreatePermanentPrivilege' is set to 'None' | Compliant | True |
| 0056 | Ensure 'SeCreateSymbolicLinkPrivilege' is set to 'Administrator' | The user right 'SeCreateSymbolicLinkPrivilege' contains following unexpected users: NT VIRTUAL MACHINE\Virtual Machines | False |
| 0057 | Ensure 'SeDebugPrivilege' is set to 'Administrator' | Compliant | True |
| 0064 | Ensure 'SeEnableDelegationPrivilege' is set to 'None' | Compliant | True |
| 0066 | Ensure 'SeRemoteShutdownPrivilege' is set to 'Administrator' | Compliant | True |
| 0067 | Ensure 'SeAuditPrivilege' is set to 'LOCAL SERVICE, NETWORK SERVICE' | Compliant | True |
| 0068 | Ensure 'SeImpersonatePrivilege' is set to 'Administrator, LOCAL SERVICE, NETWORK SERVICE' | The user right 'SeImpersonatePrivilege' contains following unexpected users: NT AUTHORITY\SERVICE | False |
| 0069 | Ensure 'SeIncreaseBasePriorityPrivilege' is set to 'Administrator' | The user right 'SeIncreaseBasePriorityPrivilege' contains following unexpected users: Window Manager\Window Manager Group | False |
| 0085 | Ensure 'SeRelabelPrivilege' is set to 'None' | Compliant | True |
| 0086 | Ensure 'SeSystemEnvironmentPrivilege' is set to 'Administrator' | Compliant | True |
| 0087 | Ensure 'SeManageVolumePrivilege' is set to 'Administrator' | Compliant | True |
| 0088 | Ensure 'SeProfileSingleProcessPrivilege' is set to 'Administrator' | Compliant | True |
| 0089 | Ensure 'SeSystemProfilePrivilege' is set to 'Administrator, NT SERVICE/WdiServiceHost' | Compliant | True |
| 0090 | Ensure 'SeRestorePrivilege' is set to 'Administrator' | The user right 'SeRestorePrivilege' contains following unexpected users: BUILTIN\Backup Operators | False |
| 0091 | Ensure 'SeShutdownPrivilege' is set to 'Administrator, Users' | The user right 'SeShutdownPrivilege' contains following unexpected users: BUILTIN\Backup Operators | False |
| 0094 | Ensure 'SeTakeOwnershipPrivilege' is set to 'Administrator' | Compliant | True |
| 0104 | Ensure 'SeDenyNetworkLogonRight' is set to 'Local account, Guest' | The user right 'SeDenyNetworkLogonRight' contains following unexpected users: LOCAL The user 'SeDenyNetworkLogonRight' setting does not contain the following users: NT AUTHORITY\Local account | False |
| 0105 | Ensure 'SeDenyBatchLogonRight' is set to 'Guest' | Compliant | True |
| 0106 | Ensure 'SeDenyServiceLogonRight' is set to 'Guest' | Compliant | True |
| 0107 | Ensure 'SeDenyInteractiveLogonRight' is set to 'Guest' | Compliant | True |
| 0108 | Ensure 'SeDenyRemoteInteractiveLogonRight' is set to 'Local account, Guest' | Compliant | True |
| 0180 | Ensure 'Load and unload device drivers' is set to 'Administrator' | Compliant | True |
| 0181 | Ensure 'Lock pages in memory' is set to 'No one' | Compliant | True |
| 0182 | Ensure 'Log on as a batch job' is set to 'Administrator' | The user right 'SeBatchLogonRight' contains following unexpected users: BUILTIN\Backup Operators, BUILTIN\Performance Log Users | False |
| 0183 | Ensure 'Log on as a service' is set to 'No one' | The user right 'SeServiceLogonRight' contains following unexpected users: DESKTOP-UTMU75K\SQLServer2005SQLBrowserUser$DESKTOP-UTMU75K, NT SERVICE\ALL SERVICES, NT SERVICE\SQLTELEMETRY, NT SERVICE\SQLSERVERAGENT, NT SERVICE\MSSQLSERVER, NT VIRTUAL MACHINE\Virtual Machines | False |
| 0184 | Ensure 'Manage auditing and security log' is set to 'Administrator' | Compliant | True |
| 0219 | Ensure 'Replace a process level token' is set to 'Local Service, Network Service' | The user right 'SeAssignPrimaryTokenPrivilege' contains following unexpected users: NT SERVICE\SQLSERVERAGENT, NT SERVICE\MSSQLSERVER | False |
| 0303 | Ensure 'Allow log on through Remote Desktop Services' is set to 'Remote Desktop User' | The user right 'SeRemoteInteractiveLogonRight' contains following unexpected users: BUILTIN\Administrators | False |
Account Policies-↑
| Id | Task | Message | Status |
|---|---|---|---|
| 0001 | Ensure 'Maximum password age' is set to between 1 and 42 | 'MaximumPasswordAge' currently set to: 60. Expected: x <= 42 and x >= 1 | False |
| 0002 | Ensure 'Password must meet complexity requirements' is set to 'Enabled' | Compliant | True |
| 0100 | Ensure 'Reset account lockout counter after' is set greater or equal 15 | Compliant | True |
| 0102 | Ensure 'Account lockout duration' is set to '15 or more minute(s)' | Compliant | True |
| 0103 | Ensure 'Account lockout threshold' is set greater or equal 1 and less or equal 10 | Compliant | True |
| 0162 | Ensure 'Enforce password history' is set greater or equal 24 | Compliant | True |
| 0186 | Ensure 'Minimum password age' is set to greater or equal 1 | Compliant | True |
| 0187 | Ensure 'Minimum password length' is set to greater or equal 14 | Compliant | True |
Advanced Audit Policy Configuration-↑
| Id | Task | Message | Status |
|---|---|---|---|
| 0008 | Ensure 'Audit Application Group Management' is set to 'Success and Failure' | Compliant | True |
| 0011 | Ensure 'Audit Other Account Management Events' is set to 'Success and Failure' | Set to: No Auditing | False |
| 0012 | Ensure 'Audit Security Group Management' is set to 'SuccessAndFailure' | Set to: Success | False |
| 0013 | Ensure 'Audit account management' is set to 'SuccessAndFailure' | Compliant | True |
| 0014 | Ensure 'Advanced security audit policy settings' is set to 'SuccessAndNotFailure' | Set to: Success | False |
| 0015 | Ensure 'Audit Process Creation' is set to 'SuccessAndNotFailure' | Set to: Success | False |
| 0016 | Ensure 'Audit Other Logon/Logoff Events' is set to 'SuccessAndFailure' | Compliant | True |
| 0017 | Ensure 'Audit Account Lockout' is set to 'SuccessAndNotFailure' | Set to: Failure | False |
| 0018 | Ensure 'How to track users logon/logoff' is set to 'SuccessAndNotFailure' | Compliant | True |
| 0019 | Ensure 'Audit Policy: Logon-Logoff: Logon' is set to 'SuccessAndFailure' | Compliant | True |
| 0020 | Ensure 'Audit Policy: Logon-Logoff: Special Logon' is set to 'Enabled' | Compliant | True |
| 0021 | Ensure 'Audit Policy: Object Access:Removable Storage' is set to 'SuccessAndFailure' | Compliant | True |
| 0022 | Ensure 'Audit Policy: Policy Change: Audit Policy Change' is set to 'SuccessAndFailure' | Set to: Success | False |
| 0023 | Ensure 'Audit Policy: Policy Change: Authentication Policy Change' is set to 'SuccessAndFailure' | Set to: Success | False |
| 0025 | Ensure 'Audit Policy: System: IPsecDriver' is set to 'SuccessAndFailure' | Compliant | True |
| 0026 | Ensure 'Audit Policy: System: OtherSystem Events' is set to 'SuccessAndFailure' | Compliant | True |
| 0027 | Ensure 'Audit Policy: System: Security State Change' is set to 'SuccessAndFailure' | Set to: Success | False |
| 0028 | Ensure 'Audit Policy: System: Security System Extension' is set to 'SuccessAndFailure' | Set to: Success | False |
| 0029 | Ensure 'Audit Policy: System: System Integrity' is set to 'SuccessAndFailure' | Compliant | True |
Benchmark Compliance
Generated by the ATAPAuditor Module Version 5.2 by FB Pro GmbH. Get it in the Audit Test Automation Package. Does your system show low benchmark compliance? Check out our hardening solutions.
Based on:
- BSI SiM-08202 Client unter Windows 10, Version: 1, Date: 2017-09-13
- Configuration Recommendations for Hardening of Windows 10 Using Built-in Functionalities: Version 1.3, Date: 2021-05-03
This report was generated on 09/05/2022 13:50:04 on DESKTOP-UTMU75K.fb-pro.com with ATAPHtmlReport version 1.8.
System information
| Hostname | DESKTOP-UTMU75K.fb-pro.com |
|---|---|
| Domain role | Member Workstation |
| Operating System | Microsoft Windows 10 Pro |
| Build Number | 19044 |
| Installation Language | English (United States) |
| Free disk space (GB) | 40.2 |
| Free physical memory (GB) | 3.2% (0.7 GB / 22.8 GB) |
Current Risk Score on tested System:
For further information, please head to the tab "Risk Score".
Severity
Quantity
Critical
High
Medium
Low
Critical
High
Medium
Low
A total of 1286 tests have been executed.
- True 1030 test(s) ≙ 80.09%
- False 255 test(s) ≙ 19.83%
- Warning 1 test(s) ≙ 0.08%
- None 0 test(s) ≙ 0.00%
- Error 0 test(s) ≙ 0.00%
General Benchmarks
A total of 22 tests have been executed in section General Benchmarks.
- True 16 test(s) ≙ 72.73%
- False 5 test(s) ≙ 22.73%
- Warning 1 test(s) ≙ 4.55%
- None 0 test(s) ≙ 0.00%
- Error 0 test(s) ≙ 0.00%
BSI Benchmarks SiSyPHuS Logging
A total of 51 tests have been executed in section BSI Benchmarks SiSyPHuS Logging.
- True 51 test(s) ≙ 100.00%
- False 0 test(s) ≙ 0.00%
- Warning 0 test(s) ≙ 0.00%
- None 0 test(s) ≙ 0.00%
- Error 0 test(s) ≙ 0.00%
BSI Benchmarks SiSyPHuS HD
A total of 384 tests have been executed in section BSI Benchmarks SiSyPHuS HD.
- True 318 test(s) ≙ 82.81%
- False 66 test(s) ≙ 17.19%
- Warning 0 test(s) ≙ 0.00%
- None 0 test(s) ≙ 0.00%
- Error 0 test(s) ≙ 0.00%
BSI Benchmarks SiSyPHuS ND
A total of 292 tests have been executed in section BSI Benchmarks SiSyPHuS ND.
- True 244 test(s) ≙ 83.56%
- False 48 test(s) ≙ 16.44%
- Warning 0 test(s) ≙ 0.00%
- None 0 test(s) ≙ 0.00%
- Error 0 test(s) ≙ 0.00%
BSI Benchmarks SiSyPHuS NE
A total of 262 tests have been executed in section BSI Benchmarks SiSyPHuS NE.
- True 215 test(s) ≙ 82.06%
- False 47 test(s) ≙ 17.94%
- Warning 0 test(s) ≙ 0.00%
- None 0 test(s) ≙ 0.00%
- Error 0 test(s) ≙ 0.00%
BSI Benchmarks SiM-08202 - BPOL
A total of 275 tests have been executed in section BSI Benchmarks SiM-08202 - BPOL.
- True 186 test(s) ≙ 67.64%
- False 89 test(s) ≙ 32.36%
- Warning 0 test(s) ≙ 0.00%
- None 0 test(s) ≙ 0.00%
- Error 0 test(s) ≙ 0.00%
Risk Score
To get a quick overview of how risky the tested system is, the Risk Score is used. This is made up of the areas "Severity" and "Quantity". The higher risk is used as the overall risk.
Current Risk Score on tested System:
Severity
Quantity
Critical
High
Medium
Low
Critical
High
Medium
Low
Risk Score Calculation
The calculation of the Risk Score is based on the set of compliant rules at the quantity level and also at the severity level.
| Compliance to Benchmarks (Quantity) | Risk Assessment |
|---|---|
| More than 85% | Low |
| Between 70% and 85% | Medium |
| Between 55% and 70% | High |
| Less than 55% | Critical |
| Compliance to Benchmarks (Severity) | Risk Assessment |
|---|---|
| All critical settings compliant | Low |
| 1 or more incompliant setting(s) | Critical |
Severity Compliance
-| Id | Task | Status |
|---|---|---|
| 1.1.7 | (L1) Ensure 'Store passwords using reversible encryption' is set to 'Disabled' | True |
| 2.2.38 | (L1) Ensure 'Manage auditing and security log' is set to 'Administrators' (MS only) | True |
| 2.3.5.2 | (L1) Ensure 'Domain controller: LDAP server signing requirements' is set to 'Require signing' (DC only) | None |
| 2.3.11.4 | (L1) Ensure 'Network security: Configure encryption types allowed for Kerberos' is set to 'AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types' | True |
| 2.3.11.5 | (L1) Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled' | True |
| 7.9 A | (L1) Ensure RC4 Cipher Suites is Disabled (RC4 40/128) | True |
| 7.9 B | (L1) Ensure RC4 Cipher Suites is Disabled (RC4 56/128) | True |
| 7.9 C | (L1) Ensure RC4 Cipher Suites is Disabled (RC4 64/128) | True |
| 7.9 D | (L1) Ensure RC4 Cipher Suites is Disabled (RC4 128/128) | True |
| 9.1.7 | (L1) Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes' | True |
| 9.1.8 | (L1) Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes' | True |
| 18.3.3 | (L1) Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver' | True |
| 18.3.3 | (L1) Ensure 'Configure SMB v1 server' is set to 'Disabled' | True |
| 18.3.6 | (L1) Ensure 'WDigest Authentication' is set to 'Disabled' | True |
| 18.6.2 | (L1) Ensure 'Point and Print Restrictions: When installing drivers for a new connection' is set to 'Enabled: Show warning and elevation prompt' | False |
| 18.6.3 | (L1) Ensure 'Point and Print Restrictions: When updating drivers for an existing connection' is set to 'Enabled: Show warning and elevation prompt' | False |
| 18.9.47.9.2 | (L1) Ensure 'Turn off real-time protection' is set to 'Disabled' | False |
| 18.9.47.5.1.2 A | (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office communication application from creating child processes) | True |
| 18.9.47.5.1.2 B | (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from creating executable content) | True |
| 18.9.47.5.1.2 C | (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block execution of potentially obfuscated scripts) | True |
| 18.9.47.5.1.2 D | (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from injecting code into other processes) | True |
| 18.9.47.5.1.2 E | (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Adobe Reader from creating child processes) | True |
| 18.9.47.5.1.2 F | (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Win32 API calls from Office macro) | True |
| 18.9.47.5.1.2 G | (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block credential stealing from the Windows local security authority subsystem (lsass.exe)) | True |
| 18.9.47.5.1.2 H | (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block untrusted and unsigned processes that run from USB) | True |
| 18.9.47.5.1.2 I | (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block executable content from email client and webmail) | True |
| 18.9.47.5.1.2 J | (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block JavaScript or VBScript from launching downloaded executable content) | True |
| 18.9.47.5.1.2 K | (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from creating child processes) | True |
| 18.9.47.5.1.2 L | (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block persistence through WMI event subscription) | False |
| 18.9.48.11 | Ensure 'Prevent bypassing Windows Defender SmartScreen prompts for files' is set to 'Enabled' | True |
| 18.9.58.3.10.1 | (L2) Ensure 'Set time limit for active but idle Remote Desktop Services sessions' is set to 'Enabled: 15 minutes or less' | True |
| 18.9.58.3.10.2 | (L2) Ensure 'Set time limit for disconnected sessions' is set to 'Enabled: 1 minute' | True |
About us
What makes FB Pro GmbH different
What do we want?
Protect our customers' data and information - and thus implicitly contribute to the safe use of the Internet.
How we achieve this?
We implement in-depth IT security for our customers. And we always do so in a state-of-the-art, efficient and automated manner.
Check out our hardening solution
Check out our Audit Report Tool here
