CCE to NIST 800 53 Chapter CCE Summary RONLAB - · PDF fileCCE-8591-0 - The time in seconds before the screen saver grace period expires (ScreenSaverGracePeriod) ... Chapter CCE Summary
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Chapter CCE SummaryCCE to NIST 800 53April 18, 2013 at 5:53am EDT[cody]Confidential: The following report contains confidential information. Do not distribute, email, fax,or transfer via any electronic mechanism unless it has been approved by the recipient company'ssecurity policy. All copies and backups of this document should be saved on protected storage at alltimes. Do not share any of the information contained within this report with anyone unless they areauthorized to view the information. Violating any of the previous instructions is grounds for termination.
CCE-10591-6 - Use Classic Logon should be properly configured.
CCE-10661-7 - The startup type of the Bluetooth service should be correct.
CCE-9985-3 - The 'Allow users to connect remotely using Remote Desktop Services' setting should be configured correctly.
CCE-9136-3 - The 'Account lockout threshold' setting should be configured correctly.
CCE-9960-6 - Unsolicited offers of remote assistance (aka the 'Offer Remote Assistance' setting) should be automatically rejected or passed to the logged-on userfor confirmation as appropriate.
CCE-9107-4 - The 'Allow log on through Remote Desktop Services' user right should be assigned to the appropriate accounts.
CCE-10763-1 - The startup type of the NetMeeting Remote Desktop Sharing service should be correct.
CCE-10608-8 - The "Set time limit for idle sessions" policy should be set correctly for Terminal Services.
CCE-10103-0 - The 'Always prompt for password upon connection' setting should be configured correctly.
CCE-9407-8 - The 'Act as part of the operating system' user right should be assigned to the appropriate accounts.
CCE-9879-8 - The "Configuration of wireless settings using Windows Connect Now" setting should be configured correctly for Wireless Connect Now over Ethernet(UPnP).
CCE-10051-1 - The screen saver should be enabled or disabled as appropriate for the current user.
CCE-10148-5 - The 'Screen Saver timeout' setting should be configured correctly.
CCE-9274-2 - The 'Deny log on through Remote Desktop Services' user right should be assigned to the appropriate accounts.
CCE-9406-0 - The 'Microsoft network server: Amount of idle time required before suspending session' setting should be configured correctly.
CCE-8807-0 - The 'Recovery console: Allow automatic administrative logon' setting should be configured correctly.
CCE-8945-8 - The 'Recovery console: Allow floppy copy and access to all drives and all folders' setting should be configured correctly.
CCE-9938-2 - The 'Enumerate administrator accounts on elevation' setting should be configured correctly.
CCE-8936-7 - The 'Network access: Let Everyone permissions apply to anonymous users' setting should be configured correctly.
CCE-9449-0 - The 'Interactive logon: Do not display last user name' setting should be configured correctly.
CCE-10359-8 - The "Require domain users to elevate when setting a network's location" setting should be configured correctly.
CCE-8467-3 - The 'Impersonate a client after authentication' user right should be assigned to the appropriate accounts.
CCE-8811-2 - The 'User Account Control: Admin Approval Mode for the Built-in Administrator account' setting should be configured correctly.
CCE-10154-3 - The 'Do not process the run once list' setting should be configured correctly.
CCE-8813-8 - The 'User Account Control: Behavior of the elevation prompt for standard users' setting should be configured correctly.
CCE-9907-7 - The "Report Logon Server Not Available During User logon" setting should be configured correctly.
CCE-8958-1 - The 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' setting should be configured correctly.
CCE-9218-9 - The 'Network access: Named Pipes that can be accessed anonymously' setting should be configured correctly.
CCE-9418-5 - The 'Accounts: Limit local account use of blank passwords to console logon only' setting should be configured correctly.
CCE-9801-2 - The 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' setting should be configured correctly.
CCE-9938-2 - The 'Enumerate administrator accounts on elevation' setting should be configured correctly.
CCE-9985-3 - The 'Allow users to connect remotely using Remote Desktop Services' setting should be configured correctly.
CCE-9189-2 - The 'User Account Control: Run all administrators in Admin Approval Mode' setting should be configured correctly.
CCE-9215-5 - The 'Create a token object' user right should be assigned to the appropriate accounts.
CCE-8655-3 - The 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' setting should be configured correctly.
CCE-9156-1 - The 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' setting should be configured correctly.
CCE-9199-1 - The 'Accounts: Administrator account status' setting should be configured correctly.
CCE-9212-2 - The 'Deny log on as a batch job' user right should be assigned to the appropriate accounts.
CCE-8714-8 - The 'Accounts: Guest account status' setting should be configured correctly.
CCE-9185-0 - The 'Create a pagefile' user right should be assigned to the appropriate accounts.
CCE-10051-1 - The screen saver should be enabled or disabled as appropriate for the current user.
CCE-8999-5 - The 'Increase scheduling priority' user right should be assigned to the appropriate accounts.
CCE-9253-6 - The 'Access this computer from the network' user right should be assigned to the appropriate accounts.
CCE-9344-3 - The 'Microsoft network client: Digitally sign communications (if server agrees)' setting should be configured correctly.
CCE-9616-4 - The 'User Account Control: Detect application installations and prompt for elevation' setting should be configured correctly.
CCE-8818-7 - The 'Interactive logon: Require Domain Controller authentication to unlock workstation' setting should be configured correctly.
CCE-9021-7 - The 'User Account Control: Only elevate executables that are signed and validated' setting should be configured correctly.
CCE-9534-9 - The 'Require message integrity' option for the 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' settingshould be enabled or disabled as appropriate.
CCE-9098-5 - The 'Deny log on as a service' user right should be assigned to the appropriate accounts.
CCE-9406-0 - The 'Microsoft network server: Amount of idle time required before suspending session' setting should be configured correctly.
CCE-10769-8 - The "Allow remote access to the PnP interface" setting should be configured correctly.
CCE-9456-5 - The 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default)' setting should beconfigured correctly.
CCE-8937-5 - The 'Network security: Do not store LAN Manager hash value on next password change' setting should be configured correctly.
CCE-8475-6 - The 'Perform volume maintenance tasks' user right should be assigned to the appropriate accounts.
CCE-9496-1 - The 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' setting should be configured correctly.
CCE-9123-1 - The 'Domain member: Maximum machine account password age' setting should be configured correctly.
CCE-9014-2 - The 'Shut down the system' user right should be assigned to the appropriate accounts.
CCE-8817-9 - The 'User Account Control: Virtualize file and registry write failures to per-user locations' setting should be configured correctly.
CCE-8414-5 - The 'Bypass traverse checking' user right should be assigned to the appropriate accounts.
CCE-8513-4 - The 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' setting should be configured correctly.
CCE-9121-5 - The 'Network access: Remotely accessible registry paths' setting should be configured correctly.
CCE-9301-3 - The 'User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop' setting should be configured correctly.
CCE-9068-8 - The 'Adjust memory quotas for a process' user right should be assigned to the appropriate accounts.
CCE-9193-4 - The 'Maximum password age' setting should be configured correctly.
CCE-8825-2 - The 'Microsoft network server: Digitally sign communications (if client agrees)' setting should be configured correctly.
CCE-8487-1 - The 'Interactive logon: Number of previous logons to cache (in case domain controller is not available)' setting should be configured correctly.
CCE-9395-5 - The 'User Account Control: Switch to the secure desktop when prompting for elevation' setting should be configured correctly.
CCE-9487-0 - The 'MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted (3 recommended, 5 is default)' setting shouldbe configured correctly.
CCE-9358-3 - The 'Microsoft network server: Disconnect clients when logon hours expire' setting should be configured correctly.
CCE-9149-6 - The 'Modify an object label' user right should be assigned to the appropriate accounts.
CCE-9531-5 - The 'Network access: Allow anonymous SID/Name translation' setting should be configured correctly.
CCE-9342-7 - The 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' setting should be configured correctly.
CCE-8431-9 - The 'Create global objects' user right should be assigned to the appropriate accounts.
CCE-8583-7 - The 'Debug programs' user right should be assigned to the appropriate accounts.
CCE-9458-1 - The 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)' setting should be configuredcorrectly.
CCE-9067-0 - The 'Interactive logon: Smart card removal behavior' setting should be configured correctly.
CCE-9345-0 - The 'Allow log on locally' user right should be assigned to the appropriate accounts.
CCE-9249-4 - The 'Network access: Do not allow anonymous enumeration of SAM accounts' setting should be configured correctly.
CCE-8806-2 - The 'Network security: LAN Manager authentication level' setting should be configured correctly.
CCE-9317-9 - The 'Interactive logon: Do not require CTRL+ALT+DEL' setting should be configured correctly.
CCE-10509-8 - The "Route all traffic through the internal network" setting should be configured correctly.
CCE-9348-4 - The 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' setting should be configured correctly.
CCE-9426-8 - The 'MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds' setting should be configured correctly.
CCE-9501-8 - The 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' setting should be configuredcorrectly.
CCE-8560-5 - The 'MSS: (Hidden) Hide Computer From the Browse List (not recommended except for highly secure environments)' setting should be configuredcorrectly.
CCE-9439-1 - The 'MSS: (NoDefaultExempt) Configure IPSec exemptions for various types of network traffic.' setting should be configured correctly.
CCE-8562-1 - The 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' setting shouldbe configured correctly.
CCE-10661-7 - The startup type of the Bluetooth service should be correct.
CCE-9801-2 - The 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' setting should be configured correctly.
CCE-9189-2 - The 'User Account Control: Run all administrators in Admin Approval Mode' setting should be configured correctly.
CCE-8817-9 - The 'User Account Control: Virtualize file and registry write failures to per-user locations' setting should be configured correctly.
CCE-9199-1 - The 'Accounts: Administrator account status' setting should be configured correctly.
CCE-9616-4 - The 'User Account Control: Detect application installations and prompt for elevation' setting should be configured correctly.
CCE-9301-3 - The 'User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop' setting should be configured correctly.
CCE-9021-7 - The 'User Account Control: Only elevate executables that are signed and validated' setting should be configured correctly.
CCE-10644-3 - The "Prevent users from sharing files within their profile" setting should be configured correctly.
CCE-9395-5 - The 'User Account Control: Switch to the secure desktop when prompting for elevation' setting should be configured correctly.
CCE-9235-3 - Auditing of 'Policy Change: Audit Policy Change' events on failure should be enabled or disabled as appropriate.
CCE-9811-1 - Auditing of 'Object Access: File System' events on failure should be enabled or disabled as appropriate.
CCE-9213-0 - Auditing of 'Logon-Logoff: Logon' events on failure should be enabled or disabled as appropriate.
CCE-10156-8 - The 'Maximum Log Size (KB)' setting should be configured correctly for the system log.
CCE-8789-0 - The 'Audit: Audit the use of Backup and Restore privilege' setting should be configured correctly.
CCE-10157-6 - The Windows Error Reporting "Disable Logging" setting should be configured correctly.
CCE-9432-6 - The 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' setting should be configuredcorrectly.
CCE-9718-8 - Auditing of 'Account Logon: Credential Validation' events on failure should be enabled or disabled as appropriate.
CCE-9925-9 - Auditing of 'System: IPsec Driver' events on success should be enabled or disabled as appropriate.
CCE-9194-2 - Auditing of 'System: System Integrity' events on failure should be enabled or disabled as appropriate.
CCE-9521-6 - Auditing of 'Logon-Logoff: Special Logon' events on failure should be enabled or disabled as appropriate.
CCE-9562-0 - Auditing of 'Detailed Tracking: Process Creation' events on success should be enabled or disabled as appropriate.
CCE-9725-3 - Auditing of 'Account Logon: Credential Validation' events on success should be enabled or disabled as appropriate.
CCE-9603-2 - The 'Maximum Log Size (KB)' setting should be configured correctly for the application log.
CCE-9763-4 - Auditing of 'Logon-Logoff: Special Logon' events on success should be enabled or disabled as appropriate.
CCE-9668-5 - Auditing of 'Account Management: Other Account Management Events' events on failure should be enabled or disabled as appropriate.
CCE-10021-4 - Auditing of 'Policy Change: Audit Policy Change' events on success should be enabled or disabled as appropriate.
CCE-10014-9 - Auditing of 'Policy Change: Authentication Policy Change' events on failure should be enabled or disabled as appropriate.
CCE-9179-3 - Auditing of 'System: Security State Change' events on failure should be enabled or disabled as appropriate.
CCE-9223-9 - The 'Manage auditing and security log' user right should be assigned to the appropriate accounts.
CCE-9260-1 - The 'Store passwords using reversible encryption' setting should be configured correctly.
CCE-9501-8 - The 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' setting should be configuredcorrectly.
CCE-10856-3 - The "Do not delete temp folder upon exit" setting should be configured correctly.
CCE Mapping Summary
Plugin Plugin Name Severity Total
1000202CCE-10856-3:Do not delete temp foldersupon exit
High 1
Plugin Plugin Name Severity Total
1000109
CCE-9501-8:MSS: (WarningLevel)Percentage threshold for the security eventlog at which the system will generate awarning
CCE-9783-2 - The "Turn on Mapper I/O (LLTDIO) Driver" setting should be configured correctly.
CCE-10183-2 - The 'Prevent the computer from joining a homegroup' setting should be configured correctly.
CCE-8460-8 - The 'Create symbolic links' user right should be assigned to the appropriate accounts.
CCE-10602-1 - The "Disable Media Player for automatic updates" policy should be set correctly.
CCE-9156-1 - The 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' setting should be configured correctly.
CCE-10181-6 - The 'RPC Endpoint Mapper Client Authentication' setting should be configured correctly.
CCE-9866-5 - The "Prevent indexing uncached Exchange folders" setting should be configured correctly.
CCE-9864-0 - The "Do not use temporary folders per session" setting should be configured correctly.
CCE-8714-8 - The 'Accounts: Guest account status' setting should be configured correctly.
CCE-10051-1 - The screen saver should be enabled or disabled as appropriate for the current user.
CCE-9253-6 - The 'Access this computer from the network' user right should be assigned to the appropriate accounts.
CCE-8818-7 - The 'Interactive logon: Require Domain Controller authentication to unlock workstation' setting should be configured correctly.
CCE-10295-4 - The "Turn off Help Ratings" setting should be configured correctly.
CCE-9040-7 - The 'Microsoft network server: Digitally sign communications (always)' setting should be configured correctly.
CCE-10311-9 - The startup type of the Parantal Controls service should be correct.
CCE-9098-5 - The 'Deny log on as a service' user right should be assigned to the appropriate accounts.
CCE-9406-0 - The 'Microsoft network server: Amount of idle time required before suspending session' setting should be configured correctly.
CCE-10787-0 - The "Turn off Program Inventory" setting should be configured correctly.
CCE-9358-3 - The 'Microsoft network server: Disconnect clients when logon hours expire' setting should be configured correctly.
CCE-9487-0 - The 'MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted (3 recommended, 5 is default)' setting shouldbe configured correctly.
CCE-10591-6 - Use Classic Logon should be properly configured.
CCE-9496-1 - The 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' setting should be configured correctly.
CCE-9014-2 - The 'Shut down the system' user right should be assigned to the appropriate accounts.
CCE-10160-0 - The "Turn Off Registration if URL Connection is Referring to Microsoft.com" setting should be configured correctly.
CCE-9908-5 - The "Prevent Windows Media DRM Internet Access" setting should be configured correctly.
CCE-10496-8 - The "Allow indexing of encrypted files" setting should be configured correctly.
CCE-8973-0 - The 'Interactive logon: Message text for users attempting to log on' setting should be configured correctly.
CCE-9823-6 - The "Turn Off the 'Order Prints' Picture Task" setting should be configured correctly.
CCE-10130-3 - The "ISATAP State" setting for IPv6 should be configured correctly.
CCE-10219-4 - The "Enable/Disable PerfTrack" setting should be configured correctly.
CCE-10103-0 - The 'Always prompt for password upon connection' setting should be configured correctly.
CCE-10553-6 - The "Do not create system restore point when new device driver installed" setting should be configured correctly.
CCE-9319-5 - The 'System objects: Require case insensitivity for non-Windows subsystems' setting should be configured correctly.
CCE-9193-4 - The 'Maximum password age' setting should be configured correctly.
CCE-9375-7 - The 'Domain member: Digitally sign secure channel data (when possible)' setting should be configured correctly.
CCE-10699-7 - The startup type of the Media Center Extenders service should be correct.
CCE-8740-3 - The 'Interactive logon: Message title for users attempting to log on' setting should be configured correctly.
CCE-8431-9 - The 'Create global objects' user right should be assigned to the appropriate accounts.
CCE-9229-6 - The built-in Guest account should be correctly named.
CCE-9396-3 - The 'Restrictions for Unauthenticated RPC clients' setting should be configured correctly.
CCE-9458-1 - The 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)' setting should be configuredcorrectly.
CCE-9048-0 - The 'Increase a process working set' user right should be assigned to the appropriate accounts.
CCE-9254-4 - The 'Create permanent shared objects' user right should be assigned to the appropriate accounts.
CCE-9026-6 - The 'Devices: Prevent users from installing printer drivers' setting should be configured correctly.
CCE-9418-5 - The 'Accounts: Limit local account use of blank passwords to console logon only' setting should be configured correctly.
CCE-10764-9 - The "IP HTTPS" state setting should be configured correctly.
CCE-10140-2 - The 'Turn off Search Companion content file updates' setting should be configured correctly.
CCE-8732-0 - The 'Replace a process level token' user right should be assigned to the appropriate accounts.
CCE-9985-3 - The 'Allow users to connect remotely using Remote Desktop Services' setting should be configured correctly.
CCE-9215-5 - The 'Create a token object' user right should be assigned to the appropriate accounts.
CCE-10811-8 - The "Disable unpacking and installation of gadgets that are not digitally signed" setting should be configured correctly.
CCE-8655-3 - The 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' setting should be configured correctly.
CCE-10059-4 - The "Turn on Responder (RSPNDR) Driver" setting should be configured correctly.
CCE-10500-7 - The "Configure Windows NTP Client\NtpServer" setting should be configured correctly.
CCE-9212-2 - The 'Deny log on as a batch job' user right should be assigned to the appropriate accounts.
CCE-9868-1 - The "Configure Microsoft SpyNet Reporting" setting should be configured correctly.
CCE-9185-0 - The 'Create a pagefile' user right should be assigned to the appropriate accounts.
CCE-8999-5 - The 'Increase scheduling priority' user right should be assigned to the appropriate accounts.
CCE-9344-3 - The 'Microsoft network client: Digitally sign communications (if server agrees)' setting should be configured correctly.
CCE-9534-9 - The 'Require message integrity' option for the 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' settingshould be enabled or disabled as appropriate.
CCE-8484-8 - The built-in Administrator account should be correctly named.
CCE-10769-8 - The "Allow remote access to the PnP interface" setting should be configured correctly.
CCE-10759-9 - The "Do not allow Digital Locker to run" setting should be configured correctly.
CCE-9067-0 - The 'Interactive logon: Smart card removal behavior' setting should be configured correctly.
CCE-8937-5 - The 'Network security: Do not store LAN Manager hash value on next password change' setting should be configured correctly.
CCE-8475-6 - The 'Perform volume maintenance tasks' user right should be assigned to the appropriate accounts.
CCE-9123-1 - The 'Domain member: Maximum machine account password age' setting should be configured correctly.
CCE-10623-7 - The "Turn off shell protocol protected mode" setting should be configured correctly.
CCE-9506-7 - User-intiated solicitations for remote assistance (aka the 'Solicited Remote Assistance' setting) should be enabled or disabled as appropriate.
CCE-9910-1 - The startup type of the Homegroup Provider service should be correct.
CCE-8912-8 - The "enforce password history" policy should meet minimum requirements.
CCE-8513-4 - The 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' setting should be configured correctly.
CCE-9857-4 - The "Override the More Gadgets Link" setting should be configured correctly.
CCE-10655-9 - The "Turn off Autoplay for non-volume devices" setting should be configured correctly.
CCE-9121-5 - The 'Network access: Remotely accessible registry paths' setting should be configured correctly.
CCE-9456-5 - The 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default)' setting should beconfigured correctly.
CCE-10606-2 - The "Troubleshooting: Allow user to access online troubleshooting content on Microsoft servers from the Troubleshooting Control Panel (via WindowsOnline Troubleshooting Service - WOTS)" setting should be configured correctly.
CCE-10692-2 - The "Do Not Show First Use Dialog Boxes" setting for Windows Media Player should be configured correctly.
CCE-9643-8 - The 'Turn off the "Publish to Web" task for files and folders' setting should be configured correctly.
CCE-8487-1 - The 'Interactive logon: Number of previous logons to cache (in case domain controller is not available)' setting should be configured correctly.
CCE-9419-3 - The 'Profile system performance' user right should be assigned to the appropriate accounts.
CCE-9531-5 - The 'Network access: Allow anonymous SID/Name translation' setting should be configured correctly.
CCE-10165-9 - The "Prevent device metadata retrieval from internet" setting should be configured correctly.
CCE-10166-7 - The 'Do not preserve zone information in file attachments' setting should be configured correctly.
CCE-9730-3 - The 'Password protect the screen saver' setting should be configured correctly.
CCE-9464-9 - The 'Do not display 'Install Updates and Shut Down' option in Shut Down Windows dialog box' setting should be configured correctly.
CCE-9684-2 - The 'Hide mechanisms to remove zone information' setting should be configured correctly.
CCE-9191-8 - The 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' setting should be configured correctly.
CCE-9783-2 - The "Turn on Mapper I/O (LLTDIO) Driver" setting should be configured correctly.
CCE-10591-6 - Use Classic Logon should be properly configured.
CCE-9496-1 - The 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' setting should be configured correctly.
CCE-10183-2 - The 'Prevent the computer from joining a homegroup' setting should be configured correctly.
CCE-8460-8 - The 'Create symbolic links' user right should be assigned to the appropriate accounts.
CCE-9014-2 - The 'Shut down the system' user right should be assigned to the appropriate accounts.
CCE-9196-7 - The 'Network access: Shares that can be accessed anonymously' setting should be configured correctly.
CCE-9908-5 - The "Prevent Windows Media DRM Internet Access" setting should be configured correctly.
CCE-9156-1 - The 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' setting should be configured correctly.
CCE-8714-8 - The 'Accounts: Guest account status' setting should be configured correctly.
CCE-10051-1 - The screen saver should be enabled or disabled as appropriate for the current user.
CCE-8818-7 - The 'Interactive logon: Require Domain Controller authentication to unlock workstation' setting should be configured correctly.
CCE-10311-9 - The startup type of the Parantal Controls service should be correct.
CCE-9406-0 - The 'Microsoft network server: Amount of idle time required before suspending session' setting should be configured correctly.
CCE-8612-4 - The 'Change the system time' user right should be assigned to the appropriate accounts.
CCE-9768-3 - The 'Network security: LDAP client signing requirements' setting should be configured correctly.
CCE-9528-1 - The 'Turn off Autoplay' setting should be configured correctly.
CCE-9487-0 - The 'MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted (3 recommended, 5 is default)' setting shouldbe configured correctly.
CCE-9358-3 - The 'Microsoft network server: Disconnect clients when logon hours expire' setting should be configured correctly.
CCE-10527-0 - The default behavior for AutoRun should be properly configured.
CCE-9418-5 - The 'Accounts: Limit local account use of blank passwords to console logon only' setting should be configured correctly.
CCE-8732-0 - The 'Replace a process level token' user right should be assigned to the appropriate accounts.
CCE-8804-7 - The 'Network security: Allow LocalSystem NULL session fallback' setting should be configured correctly.
CCE-8655-3 - The 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' setting should be configured correctly.
CCE-8973-0 - The 'Interactive logon: Message text for users attempting to log on' setting should be configured correctly.
CCE-10059-4 - The "Turn on Responder (RSPNDR) Driver" setting should be configured correctly.
CCE-10130-3 - The "ISATAP State" setting for IPv6 should be configured correctly.
CCE-8423-6 - The 'Change the time zone' user right should be assigned to the appropriate accounts.
CCE-9096-9 - The 'Network security: Allow Local System to use computer identity for NTLM' setting should be configured correctly.
CCE-10763-1 - The startup type of the NetMeeting Remote Desktop Sharing service should be correct.
CCE-9770-9 - The 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' setting should be configured correctly.
CCE-10219-4 - The "Enable/Disable PerfTrack" setting should be configured correctly.
CCE-10103-0 - The 'Always prompt for password upon connection' setting should be configured correctly.
CCE-10500-7 - The "Configure Windows NTP Client\NtpServer" setting should be configured correctly.
CCE-9344-3 - The 'Microsoft network client: Digitally sign communications (if server agrees)' setting should be configured correctly.
CCE-9193-4 - The 'Maximum password age' setting should be configured correctly.
CCE-9503-4 - The 'Network access: Sharing and security model for local accounts' setting should be configured correctly.
CCE-9540-6 - The 'Network access: Restrict anonymous access to Named Pipes and Shares' setting should be configured correctly.
CCE-9456-5 - The 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default)' setting should beconfigured correctly.
CCE-8945-8 - The 'Recovery console: Allow floppy copy and access to all drives and all folders' setting should be configured correctly.
CCE-8740-3 - The 'Interactive logon: Message title for users attempting to log on' setting should be configured correctly.
CCE-9458-1 - The 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)' setting should be configuredcorrectly.
CCE-9067-0 - The 'Interactive logon: Smart card removal behavior' setting should be configured correctly.
CCE-9249-4 - The 'Network access: Do not allow anonymous enumeration of SAM accounts' setting should be configured correctly.
CCE-8937-5 - The 'Network security: Do not store LAN Manager hash value on next password change' setting should be configured correctly.
CCE-10661-7 - The startup type of the Bluetooth service should be correct.
CCE-9123-1 - The 'Domain member: Maximum machine account password age' setting should be configured correctly.
CCE-8513-4 - The 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' setting should be configured correctly.
CCE-10655-9 - The "Turn off Autoplay for non-volume devices" setting should be configured correctly.
CCE-8825-2 - The 'Microsoft network server: Digitally sign communications (if client agrees)' setting should be configured correctly.
CCE-10759-9 - The "Do not allow Digital Locker to run" setting should be configured correctly.
CCE-8487-1 - The 'Interactive logon: Number of previous logons to cache (in case domain controller is not available)' setting should be configured correctly.
CCE-10438-0 - The startup type of Microsoft Peer-to-Peer Networking Services should be configured correctly.
CCE-9386-4 - The 'Network access: Remotely accessible registry paths and sub-paths' setting should be configured correctly.
CCE-9736-0 - The 'Require message integrity' option for the 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers'setting should be enabled or disabled as appropriate.
CCE-9531-5 - The 'Network access: Allow anonymous SID/Name translation' setting should be configured correctly.
CCE-10778-9 - The "Prohibit Access of the Windows Connect Now Wizards" setting should be configured correctly.
CCE-9707-1 - The 'Shutdown: Allow system to be shut down without having to log on' setting should be configured correctly.
CCE-9317-9 - The 'Interactive logon: Do not require CTRL+ALT+DEL' setting should be configured correctly.
IA-2 - Identification and Authentication (Organizational Users)
Tenable Network Security 83
IA-2 - Identification and Authentication(Organizational Users)
CCE-8804-7 - The 'Network security: Allow LocalSystem NULL session fallback' setting should be configured correctly.
CCE-9196-7 - The 'Network access: Shares that can be accessed anonymously' setting should be configured correctly.
CCE-9096-9 - The 'Network security: Allow Local System to use computer identity for NTLM' setting should be configured correctly.
CCE-9407-8 - The 'Act as part of the operating system' user right should be assigned to the appropriate accounts.
CCE-9770-9 - The 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' setting should be configured correctly.
CCE-9239-5 - The 'Deny log on locally' user right should be assigned to the appropriate accounts.
CCE-8936-7 - The 'Network access: Let Everyone permissions apply to anonymous users' setting should be configured correctly.
CCE-9503-4 - The 'Network access: Sharing and security model for local accounts' setting should be configured correctly.
CCE-9672-7 - The 'No auto-restart with logged on users for scheduled automatic updates installations' setting should be configured correctly.
CCE-8807-0 - The 'Recovery console: Allow automatic administrative logon' setting should be configured correctly.
CCE-8811-2 - The 'User Account Control: Admin Approval Mode for the Built-in Administrator account' setting should be configured correctly.
CCE-8813-8 - The 'User Account Control: Behavior of the elevation prompt for standard users' setting should be configured correctly.
CCE-9342-7 - The 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' setting should be configured correctly.
CCE-9244-5 - The 'Deny access to this computer from the network' user right should be assigned to the appropriate accounts.
CCE-9218-9 - The 'Network access: Named Pipes that can be accessed anonymously' setting should be configured correctly.
CCE-8958-1 - The 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' setting should be configured correctly.
CCE-8654-6 - The 'Network access: Do not allow storage of passwords and credentials for network authentication' setting should be configured correctly.
CCE-9249-4 - The 'Network access: Do not allow anonymous enumeration of SAM accounts' setting should be configured correctly.
CCE Mapping Summary
Plugin Plugin Name Severity Total
1000069CCE-8654-6:Network access: Do not allowstorage of passwords and credentials fornetwork authentication
High 1
Plugin Plugin Name Severity Total
1000067CCE-9249-4:Network access: Do not allowanonymous enumeration of SAM accounts
CCE-9375-7 - The 'Domain member: Digitally sign secure channel data (when possible)' setting should be configured correctly.
CCE-10606-2 - The "Troubleshooting: Allow user to access online troubleshooting content on Microsoft servers from the Troubleshooting Control Panel (via WindowsOnline Troubleshooting Service - WOTS)" setting should be configured correctly.
CCE-9953-1 - Installation and Configuration of Network Bridge on the DNS Domain Network should be properly configured.
CCE-9387-2 - The 'Domain member: Require strong (Windows 2000 or later) session key' setting should be configured correctly.
CCE Mapping Summary
Plugin Plugin Name Severity Total
1000176
CCE-10606-2:Troubleshooting: allow userto access online troubleshooting content onMicrosoft server from the troubleshootingcontrol panel
High 1
Plugin Plugin Name Severity Total
1000136CCE-9953-1:Prohibit installation andconfiguration of Network Bridge on yourDNS domain network
High 1
Plugin Plugin Name Severity Total
1000050CCE-9387-2:Domain member: Requirestrong (Windows 2000 or later) session key
Info 1
Plugin Plugin Name Severity Total
1000047CCE-9375-7:Domain member: Digitally signsecure channel data (when possible)
CCE-9418-5 - The 'Accounts: Limit local account use of blank passwords to console logon only' setting should be configured correctly.
CCE-8937-5 - The 'Network security: Do not store LAN Manager hash value on next password change' setting should be configured correctly.
CCE-9496-1 - The 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' setting should be configured correctly.
CCE-9123-1 - The 'Domain member: Maximum machine account password age' setting should be configured correctly.
CCE-9348-4 - The 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' setting should be configured correctly.
CCE-8655-3 - The 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' setting should be configured correctly.
CCE-8973-0 - The 'Interactive logon: Message text for users attempting to log on' setting should be configured correctly.
CCE-9426-8 - The 'MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds' setting should be configured correctly.
CCE-8513-4 - The 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' setting should be configured correctly.
CCE-8714-8 - The 'Accounts: Guest account status' setting should be configured correctly.
CCE-8818-7 - The 'Interactive logon: Require Domain Controller authentication to unlock workstation' setting should be configured correctly.
CCE-9193-4 - The 'Maximum password age' setting should be configured correctly.
CCE-8825-2 - The 'Microsoft network server: Digitally sign communications (if client agrees)' setting should be configured correctly.
CCE-9456-5 - The 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default)' setting should beconfigured correctly.
CCE-8487-1 - The 'Interactive logon: Number of previous logons to cache (in case domain controller is not available)' setting should be configured correctly.
CCE-9501-8 - The 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' setting should be configuredcorrectly.
CCE-8740-3 - The 'Interactive logon: Message title for users attempting to log on' setting should be configured correctly.
CCE-9487-0 - The 'MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted (3 recommended, 5 is default)' setting shouldbe configured correctly.
CCE-9358-3 - The 'Microsoft network server: Disconnect clients when logon hours expire' setting should be configured correctly.
CCE-9458-1 - The 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)' setting should be configuredcorrectly.
CCE-9067-0 - The 'Interactive logon: Smart card removal behavior' setting should be configured correctly.
CCE-9342-7 - The 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' setting should be configured correctly.
CCE-9026-6 - The 'Devices: Prevent users from installing printer drivers' setting should be configured correctly.
CCE-8562-1 - The 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' setting shouldbe configured correctly.
CCE-8560-5 - The 'MSS: (Hidden) Hide Computer From the Browse List (not recommended except for highly secure environments)' setting should be configuredcorrectly.
CCE-9317-9 - The 'Interactive logon: Do not require CTRL+ALT+DEL' setting should be configured correctly.
CCE Mapping Summary
Plugin Plugin Name Severity Total
1000238CCE-8560-5:MSS: (Hidden) Hide computerfrom the browse list (Not Recommendedexcept for highly secure environments)
High 1
Plugin Plugin Name Severity Total
1000052CCE-9317-9:Interactive logon: Do notrequire CTRL+ALT+DEL
CCE-9559-6 - The 'Turn off the Windows Messenger Customer Experience Improvement Program' setting should be configured correctly.
CCE-9842-6 - The "Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider" setting should be configured correctly.
CCE-10266-5 - The "6to4 State" setting should be configured correctly.
CCE-9953-1 - Installation and Configuration of Network Bridge on the DNS Domain Network should be properly configured.
CCE Mapping Summary
Plugin Plugin Name Severity Total
1000175CCE-9842-6:Microsoft support diagnostictool: turn on msdt interactive communicationwith support provider
High 1
Plugin Plugin Name Severity Total
1000164CCE-9559-6:Turn off the WindowsMessenger Customer ExperienceImprovement Program
High 1
Plugin Plugin Name Severity Total
1000139 CCE-10266-5:6to4 State High 1
Plugin Plugin Name Severity Total
1000136CCE-9953-1:Prohibit installation andconfiguration of Network Bridge on yourDNS domain network
CCE-10441-4 - The "Enable Error Reporting" policy should be set correctly.
CCE-10602-1 - The "Disable Media Player for automatic updates" policy should be set correctly.
CCE-10824-1 - The Windows Error Reporting "Do not send additional data" setting should be configured correctly.
CCE-10709-4 - The Windows Error Reporting "Display Error Notification" setting should be configured correctly.
CCE-10205-3 - The 'Reschedule Automatic Updates scheduled installations' setting should be enabled or disabled as appropriate.
CCE-9403-7 - Automatic Updates should be enabled or disabled as appropriate.
CCE-10782-1 - The "Extend Point and Print connection to search Windows Update and use alternate connection if needed" setting should be configured correctly.
CCE-10137-8 - The "Prevent Windows Anytime Upgrade from running" setting should be configured correctly.
CCE-10645-0 - The "Turn Off Handwriting Reconition Error Reporting" setting should be configured correctly.
CCE-9901-0 - The "Do not send a Windows Error Report when a generic driver is installed on a device" setting should be configured correctly.
CCE-9914-3 - The "Disable Windows Error Reporting" setting should be configured correctly.
CCE-10658-3 - The "Turn off handwriting personalization data sharing" setting should be configured correctly.
CCE-9464-9 - The 'Do not display 'Install Updates and Shut Down' option in Shut Down Windows dialog box' setting should be configured correctly.