CIS Microsoft Windows XP Benchmark v3.1.0 (03 Dec 2013) Security Configuration Recommendations Mapped to IEC/TR 80001-2-2 Security Capabilities
15 October 2014
The complete CIS Microsoft Windows XP Benchmark v3.1.0 is freely available for download at: https://benchmarks.cisecurity.org/downloads/show-single/?file=winxp.310
To provide comments/feedback or to learn more about and/or join other CIS/MDISS benchmark mapping efforts in support of healthcare security, please contact: [email protected]
CENTER FOR INTERNET SECURITY (“CIS”) SECURITY BENCHMARKS LICENSE
CIS PROVIDES ACCESS TO CERTAIN OF ITS “PUBLICLY AVAILABLE WORK PRODUCTS” (AS DEFINED HEREIN) THROUGH THE TERMS OF THIS LICENSE; ANY USE OF A PUBLICLY AVAILABLE WORK PRODUCT OTHER THAN AS AUTHORIZED UNDER THIS LICENSE IS PROHIBITED. BY EXERCISING ANY OF THE RIGHTS PROVIDED HEREIN FOR ANY PUBLICLY AVAILABLE WORK PRODUCT, YOU ACCEPT AND AGREE TO BE BOUND BY THE TERMS OF THIS LICENSE. TO THE EXTENT THIS LICENSE MAY BE CONSIDERED A CONTRACT, CIS GRANTS YOU THE RIGHTS CONTAINED HEREIN IN CONSIDERATION OF YOUR ACCEPTANCE OF SUCH TERMS AND CONDITIONS.
1. Definitions:
“PUBLICLY AVAILABLE WORK PRODUCT” means each of the consensus-based information security resources, including documents, metrics, suggestions and recommendations produced and made available for public use by CIS in Portable Document Format (PDF).
“You” means an individual or entity exercising rights under this License who has not previously violated the terms of this License with respect to any PUBLICLY AVAILABLE WORK PRODUCT, or who has received permission from CIS to exercise rights under this License despite a previous violation. Anyone exercising rights under this License in a manner that will be used by others in an entity, does so on behalf of that entity and the entity will be bound by its terms.
“Reproduce” means to make copies of any PUBLICLY AVAILABLE WORK PRODUCT by any means including without limitation by photocopying or storage in digital form or other electronic medium.
“Distribute” means to share or make available a copy of any PUBLICLY AVAILABLE WORK PRODUCT (1) within Your organization, including any subsidiaries, parents or other affiliated organizations, and (2) to persons or entities outside Your organization, in each case subject to the terms and conditions of this License.
2. License Grant:
Subject to the terms and conditions of this License, CIS hereby grants You a worldwide, royalty-free, non-exclusive, perpetual license to exercise the rights in any PUBLICLY AVAILABLE WORK PRODUCT as set forth below:
• Download, read and/or use each of the PUBLICLY AVAILABLE WORK PRODUCTs,
• Reproduce one or more copies of any PUBLICLY AVAILABLE WORK PRODUCT, and/or
• Distribute any PUBLICLY AVAILABLE WORK PRODUCT.
3. Restrictions:
3.1 Intellectual Property and Rights Reserved. You are not acquiring any title or ownership rights in or to any PUBLICLY AVAILABLE WORK PRODUCT, and full title and all ownership rights to the PUBLICLY AVAILABLE WORK PRODUCTs remain the exclusive property of CIS. All rights to the PUBLICLY AVAILABLE WORK PRODUCTs not expressly granted in this License are hereby reserved.
3.2 You acknowledge and agree that you may not: (1) sublicense any PUBLICLY AVAILABLE WORK PRODUCT; (2) Distribute, re-Distribute, sell, rent, lease or otherwise transfer or exploit any rights to any PUBLICLY AVAILABLE WORK PRODUCT in a manner that is primarily intended for or directed toward commercial advantage or monetary compensation; (3) distort, mutilate, modify or take other derogatory action in relation to any PUBLICLY AVAILABLE WORK PRODUCT that would be prejudicial to CIS’s reputation; (4) remove or alter the copy of this License or any other proprietary notice(s) included in any PUBLICLY AVAILABLE WORK PRODUCT; (5) represent or claim a particular level of compliance or consistency with any PUBLICLY AVAILABLE WORK PRODUCT; or (6) facilitate or otherwise aid other individuals or entities in violating this License.
3.3 Each time You Distribute a PUBLICLY AVAILABLE WORK PRODUCT, CIS offers to the recipient a license to the PUBLICLY AVAILABLE WORK PRODUCT under the same terms and conditions as the license granted to You under this License.
4. Representations, Warranties and Disclaimers:
4.1 PUBLICLY AVAILABLE WORK PRODUCTs Provided As Is. CIS is providing the PUBLICLY AVAILABLE WORK PRODUCTs “as is” and “as available” without: (1) any representations, warranties, or covenants of any kind whatsoever (including the absence of any warranty) regarding: (a) the effect or lack of effect of any PUBLICLY AVAILABLE WORK PRODUCT on the operation or the security of any network, system, device, hardware, software, or any component of any of them, and (b) the accuracy, utility, reliability, timeliness, or completeness of any PUBLICLY AVAILABLE WORK PRODUCT; or (2) the responsibility to make or notify You of any corrections, updates, upgrades, or fixes made to any PUBLICLY AVAILABLE WORK PRODUCT.
4.2 Your Responsibility to Evaluate Risks. You acknowledge and agree that: (1) no network, system, device, hardware, software, or component can be made fully secure; (2) You have the sole responsibility to evaluate the risks and benefits of the PUBLICLY AVAILABLE WORK PRODUCTs to Your particular circumstances and requirements; and (3) CIS is not assuming any of the liabilities associated with Your use of any or all of the PUBLICLY AVAILABLE WORK PRODUCTs.
4.3 CIS Liability. You acknowledge and agree that neither CIS nor any of its employees, officers, directors, agents or other service providers has or will have any liability to You whatsoever (whether based in contract, tort, strict liability or otherwise) for any direct, indirect, incidental, consequential or special damages that arise out of or are connected in any way, directly or indirectly, with Your use of any PUBLICLY AVAILABLE WORK PRODUCT.
4.4 Indemnification. You agree to indemnify, defend, and hold CIS and all of CIS's employees, officers, directors, agents and other service providers harmless from and against any liabilities, costs, and expenses (including reasonable attorneys’ fees) incurred by any of them in connection with Your violation of this License.
5. Termination. This License and the rights granted hereunder will terminate automatically upon any breach by You of the terms of this License. Sections 1, 3, 4, 5 and 6 will survive termination of this License.
6. Miscellaneous:
6.1 Jurisdiction. You acknowledge and agree that: (1) this License will be governed by and construed in accordance with the laws of the State of New York, without regard for conflicts of law principles; (2) any action at law or in equity arising out of or relating to this License shall be filed only in the courts located in the State of New York; and (3) You hereby consent and submit to the personal jurisdiction of such courts for the purposes of litigating any such action.
6.2 U.S. Export Control and Sanctions Laws. Regarding Your use of the PUBLICLY AVAILABLE WORK PRODUCTs with any non-U.S. entity or country, You acknowledge that it is Your responsibility to understand and abide by all U.S. sanctions and export control laws as set from time to time by the U.S. Bureau of Industry and Security (BIS) and the U.S. Office of Foreign Assets Control (OFAC).
6.3 Partial Invalidity. If any provision of this License is invalid or unenforceable under applicable law, it shall not affect the validity or enforceability of the remainder of the terms of this License, and without further action by the parties to this License, such provision shall be reformed to the minimum extent necessary to make sure the provision is valid and enforceable.
6.4 Waiver and Consent. No term or provision of this License shall be deemed waived and no breach consented to unless such waiver or consent is in writing and signed by the party to be charged with such waiver or consent.
6.5 Entire Agreement. This License constitutes the entire agreement between the parties with respect to the PUBLICLY AVAILABLE WORK PRODUCTs licensed herein. There are no understandings, agreements or representations with respect to the PUBLICLY AVAILABLE WORK PRODUCTs not specified herein. CIS shall not be bound by any additional provisions that may appear in any communication from You. This License may not be modified without the mutual written agreement of CIS and You.
Table of Contents
Background, Description and Purpose of the Joint Effort Resulting in this Security Mapping
1. Complete Mapping of All CIS Microsoft Windows XP Benchmark v3.1.0 Recommendations to All Applicable IEC/TR 80001-2-2 Security Capabilities
    Table: Total CIS Benchmark Recommendations that Map to Each Applicable IEC/TR 80001-2-2 Security Capability
    Graph: Total CIS Benchmark Recommendations that Map to Each Applicable IEC/TR 80001-2-2 Security Capability
2. Mapping of CIS Microsoft Windows XP Benchmark v3.1.0 Recommendations by Each Applicable IEC/TR 80001-2-2 Security Capability
    Configuration of security features (CNFS)
    Data backup and disaster recovery (DTBK)
    Person authentication (PAUT)
    Transmission integrity (TXIG)
3. Mapping of Scored (Only) CIS Microsoft Windows XP Benchmark v3.1.0 Recommendations to All Applicable IEC/TR 80001-2-2 Security Capabilities
    Table: Total Scored CIS Benchmark Recommendations that Map to Each Applicable IEC/TR 80001-2-2 Security Capability
    Graph: Total Scored CIS Benchmark Recommendations that Map to Each Applicable IEC/TR 80001-2-2 Security Capability
Background, Description and Purpose of the Joint Effort Resulting in this Security Mapping

In August 2013, the Center for Internet Security (CIS) launched a new initiative to develop security configuration guidelines, or benchmarks, for networked medical devices and issued a request for information (RFI) to invite participation. CIS has been helping to build consensus on secure configuration settings across a wide range of information technologies for well over a decade. CIS is now bringing that experience and its industry best practice standards to add value to the cybersecurity of medical devices and healthcare systems, in whatever way possible and without duplicating existing or previous efforts.

Soon after the RFI was issued, CIS began coordinating with the Medical Device Innovation, Safety and Security Consortium (MDISS). MDISS is an established leader in the medical device security and safety space, and MDISS agreed to co-lead this initiative. The Council on CyberSecurity (CCS) also came on board in support of this effort, as well as other organizations including Albany Medical College, the Association for the Advancement of Medical Instrumentation (AAMI), the College of Healthcare Information Management Executives (CHIME), Underwriters Laboratories (UL), Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) and many other partners.

This CIS and MDISS-led initiative has included many interactive workshops where subject matter experts from healthcare delivery organizations (HDOs), medical device manufacturers, cybersecurity consultancies and government entities have engaged to identify critical cybersecurity challenges faced by all members of the medical device ecosystem. Various cyber risks and potential mitigations, as well as which entities should be responsible for addressing them, were shared in an open and honest communications environment.

The ideas generated from the workshops and from additional collaboration and consensus-based review and feedback have resulted in two initial resources being made publicly available for free reference and use. One of those resources is this mapping of security configuration recommendations in the CIS Microsoft Windows XP Benchmark v3.1.0 to supported Security Capabilities (e.g. “Automatic Logoff,” “Authorization,” “Audit Controls”) prescribed within Part 2-2: Guidance for the disclosure and communication of medical device security needs, risks and controls, which is a Technical Report (TR) within the International Electrotechnical Commission’s (IEC) 80001-1 standard, Application of Risk Management for IT-Networks Incorporating Medical Devices. A similar mapping between IEC/TR 80001-2-2’s Security Capabilities and the CIS Microsoft Windows 7 Benchmark v2.1.0 is the other, first-to-be-published resource resulting from this consensus-based effort.

Implementation of applicable CIS benchmark security configuration recommendations, which do not negatively impact patient safety or device effectiveness within an intended use environment, may further reduce cybersecurity risk to a medical device.

The Healthcare Information and Management Systems Society (HIMSS)/National Electrical Manufacturers Association’s (NEMA) Manufacturer Disclosure Statement for Medical Device Security (MDS2) form also includes a series of questions specifically based on and grouped by each of the IEC/TR 80001-2-2 Security Capabilities. An HDO may leverage the HIMSS/NEMA MDS2 form by requesting that a device manufacturer from which it is considering procuring one or more medical devices address the form’s Security Capability-based questions for the device(s).
This mapping could be leveraged by HDOs as a supplement to the MDS2 form to further inquire into whether or not a medical device(s) with some form of a Microsoft Windows XP operating system (OS) installed also complies with the IEC/TR 80001-2-2 Security Capabilities-mapped configuration recommendations of the CIS Microsoft Windows XP Benchmark v3.1.0 provided here. And wherever the OS may not be so configured, the HDO could ask the device manufacturer for the rationale supporting such exceptions to determine if they are based on competing needs to ensure patient safety and/or device effectiveness. An HDO could also use this guidance post-procurement to ask a medical device manufacturer(s) if configuration setting updates can be made to any Windows XP-based medical device(s) already deployed in order to meet the minimum due diligence level of security prescribed by the CIS Microsoft Windows XP Benchmark v3.1.0.

This guide maps the CIS Microsoft Windows XP Benchmark v3.1.0 to the applicable Security Capabilities contained in IEC/TR 80001-2-2, but in effect it is really three mappings in one. The first section maps each security configuration recommendation according to the same hierarchical structure of the full CIS Benchmark, which is laid out according to the user interface view in Microsoft’s Group Policy Editor. The next part provides the CIS Benchmark recommendations that map to each applicable IEC/TR 80001-2-2 Security Capability, with the exception of “System and Application Hardening (SAHD),” which is supported by every Benchmark recommendation. The final component of this guide again presents the mapping according to the format of the full CIS Benchmark for Windows XP but only includes those recommendations that are “Scored” in the Benchmark. Most configuration recommendations in a CIS Benchmark are “Scored;” however, there are a small number that are “Not Scored,” which essentially are those Benchmark recommendations that still add security value but for which the exact settings are organizational environment-specific and therefore a particular setting cannot be generally prescribed. Assessed system/application conformance to a CIS Benchmark is based only on compliance with “Scored” Benchmark recommendations.

This voluntary guidance is meant to serve only as a reference document to aid both HDOs and medical device manufacturers. It supports the additional hardening of Microsoft Windows XP OS-based medical devices by providing the associated CIS benchmark-prescribed mitigations for potential configuration-based vulnerabilities within that OS. A key element of this guidance is that because it maps setting recommendations from the CIS Benchmark for Windows XP Professional, it is intended for use only with medical devices that are built on some form of the Windows XP OS—full Windows XP Professional, which is licensed specifically for use in embedded systems such as medical devices, or one of the componentized forms of Windows XP Embedded (e.g. Windows XP Embedded Service Pack 3, Windows Embedded Standard 2009). Because Windows XP Embedded is a componentized OS, there may be any number of available components of Windows XP that are not included within a medical device if they are not needed to support the functionality and intended use of the device.
This capability to build a version of Windows XP that only includes OS components that are needed and none that are not reduces the total OS footprint, which improves OS security right from the outset by minimizing the available attack surface. Therefore, for devices running on a Windows XP Embedded OS there may be many security configuration recommendations within this benchmark that simply do not apply because the features or services they address were specifically not included in the Windows XP Embedded image by the medical device manufacturer during development. For any medical device(s) with Windows XP Embedded or some components of Windows XP Embedded installed, it is essential for the individual(s) responsible for the security, administration, updating and/or servicing of such device(s) to know and understand which components of Windows XP Embedded are included in the OS image in order to determine which sections/groupings of security configuration recommendations within the CIS Benchmark for Windows XP would and would not apply.
The Way Forward…

Again, this mapping and the guide also being released at this time based on the CIS Microsoft Windows 7 Benchmark v2.1.0 are the first of such documents to be published, but if the reception by those in the medical device/healthcare industry is positive and they would like to see other such mappings, then CIS and MDISS—as well as any other prospective partners that would like to join this effort—will look to create other such mapping resources. There are currently over 90 supported CIS Benchmarks so there are many possible candidates for follow-on mappings to the IEC/TR 80001-2-2 Security Capabilities, including CIS Benchmarks for Microsoft Windows 8 and 8.1, as well as for many types of UNIX/Linux operating systems and even mobile devices such as Google Android and Apple iOS.

CIS and MDISS also welcome and appreciate as much constructive feedback on these two initial mappings as possible so that the security value of these resources can be improved going forward. (Please provide comments to [email protected].) All other related ideas are also welcome, such as the development of example use cases for various medical devices (e.g. MRI, CT Scanner, portable ultrasound, patient monitoring device) that leverage OSs such as Microsoft Windows XP and Windows 7 or embedded versions derived from them and utilized across multiple intended use environments. And by examining newer OSs with support lives running well into the future such as Microsoft Windows 8/8.1 for embedded devices and their componentized embedded versions, the value proposition of such resources is much more likely to be available earlier on in, and even before, the medical device development process. Such mappings could aid in OS configuration decisions as early as possible in the development lifecycle and prior to submission for FDA certification and the follow-on sales cycle and associated pilot testing, etc.
1. Complete Mapping of All CIS Microsoft Windows XP Benchmark v3.1.0 Recommendations to All Applicable IEC/TR 80001-2-2 Security Capabilities

Complete details on Description, Rationale and Impact for each security configuration recommendation are contained in the full CIS Microsoft Windows XP Benchmark v3.1.0, available at: https://benchmarks.cisecurity.org/downloads/show-single/?file=winxp.310

Table columns: CCE-ID; CIS MS Win XP Pro Benchmark v3.1.0 Recommendation #; CIS Benchmark Section Title; CIS Benchmark Remediation Procedure; CIS Benchmark Audit Procedure; Scored or Not Scored?; IEC/TR 80001-2-2 Security Capabilities (ALOF, AUDT, AUTH, CNFS, CSUP, DTBK, MLDP, NAUT, PAUT, SAHD, TXCF, TXIG)

1 Computer Configuration
1.1 Windows Settings
1.1.1 Security Settings
1.1.1.1 Local Policies
1.1.1.1.1 User Rights Assignment

1.1.1.1.1.1 Configure 'Deny log on through Terminal Services'
CCE-ID: CCE-2814-2
Scored or Not Scored? Not Scored
Security Capabilities marked: X X
Remediation Procedure: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny log on through Terminal Services
Audit Procedure: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization.

1.1.1.1.1.2 Set 'Allow log on locally' to 'Administrators, Users'
CCE-ID: CCE-2829-0
Scored or Not Scored? Scored
Security Capabilities marked: X X
Remediation Procedure: To implement the recommended configuration state, set the following Group Policy setting to Administrators, Users.
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Allow log on locally
Audit Procedure: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.

1.1.1.1.1.3 Set 'Debug programs' to 'Administrators'
CCE-ID: CCE-2864-7
Scored or Not Scored? Scored
Security Capabilities marked: X X
Remediation Procedure: To implement the recommended configuration state, set the following Group Policy setting to Administrators.
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Debug programs
Audit Procedure: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.

1.1.1.1.1.4 Configure 'Log on as a service'
CCE-ID: CCE-2948-8
Scored or Not Scored? Not Scored
Security Capabilities marked: X X
Remediation Procedure: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Log on as a service
Audit Procedure: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization.

1.1.1.1.1.5 Set 'Perform volume maintenance tasks' to 'Administrators'
CCE-ID: CCE-2960-3
Scored or Not Scored? Scored
Security Capabilities marked: X X
Remediation Procedure: To implement the recommended configuration state, set the following Group Policy setting to Administrators.
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Perform volume maintenance tasks
Audit Procedure: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.

1.1.1.1.1.6 Set 'Bypass traverse checking' to 'Administrators, Users, Local Service, Network Service'
CCE-ID: CCE-2806-8
Scored or Not Scored? Scored
Security Capabilities marked: X X
Remediation Procedure: To implement the recommended configuration state, set the following Group Policy setting to Administrators, Users, Local Service, Network Service.
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Bypass traverse checking
Audit Procedure: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.

1.1.1.1.1.7 Configure 'Log on as a batch job'
CCE-ID: CCE-2882-9
Scored or Not Scored? Not Scored
Security Capabilities marked: X X
Remediation Procedure: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Log on as a batch job
Audit Procedure: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization.

1.1.1.1.1.8 Configure 'Add workstations to domain'
CCE-ID: CCE-2374-7
Scored or Not Scored? Not Scored
Security Capabilities marked: X X
Remediation Procedure: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Add workstations to domain
Audit Procedure: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization.

1.1.1.1.1.9 Set 'Modify firmware environment values' to 'Administrators'
CCE-ID: CCE-2657-5
Scored or Not Scored? Scored
Security Capabilities marked: X X
Remediation Procedure: To implement the recommended configuration state, set the following Group Policy setting to Administrators.
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Modify firmware environment values
Audit Procedure: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.

1.1.1.1.1.10 Set 'Enable computer and user accounts to be trusted for delegation' to 'No One'
CCE-ID: CCE-2982-7
Scored or Not Scored? Scored
Security Capabilities marked: X X
Remediation Procedure: To implement the recommended configuration state, set the following Group Policy setting to No One.
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Enable computer and user accounts to be trusted for delegation
Audit Procedure: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.

1.1.1.1.1.11 Set 'Deny log on as a batch job' to 'Guests, Support_388945a0'
CCE-ID: CCE-2898-5
Scored or Not Scored? Scored
Security Capabilities marked: X X
Remediation Procedure: To implement the recommended configuration state, set the following Group Policy setting to Guests, Support_388945a0.
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny log on as a batch job
Audit Procedure: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.

1.1.1.1.1.12 Configure 'Deny log on as a service'
CCE-ID: CCE-2792-0
Scored or Not Scored? Not Scored
Security Capabilities marked: X X
Remediation Procedure: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny log on as a service
Audit Procedure: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization.

1.1.1.1.1.13 Set 'Adjust memory quotas for a process' to 'Administrators, Local Service, Network Service'
CCE-ID: CCE-2547-8
Scored or Not Scored? Scored
Security Capabilities marked: X X
Remediation Procedure: To implement the recommended configuration state, set the following Group Policy setting to Administrators, Local Service, Network Service.
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Adjust memory quotas for a process
Audit Procedure: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
1.1.1.1.1.14 Configure 'Create permanent shared objects' X X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
!Computer ConfigurationWindows SettingsSecurity SettingsLocal PoliciesUser Rights AssignmentCreate permanent shared objects
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization.
CCE-1969-5
1.1.1.1.1.15 Set 'Shut down the system' to 'Administrators, Users' X X Scored To implement the recommended configuration state, set the following Group Policy setting to Administrators, Users.
!Computer ConfigurationWindows SettingsSecurity SettingsLocal PoliciesUser Rights AssignmentShut down the system
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2366-3
1.1.1.1.1.16 Configure 'Back up files and directories' X X X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
!Computer ConfigurationWindows SettingsSecurity SettingsLocal PoliciesUser Rights AssignmentBack up files and directories
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization.
CCE-2299-6
1.1.1.1.1.17 Configure 'Restore files and directories' X X X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
!Computer ConfigurationWindows SettingsSecurity SettingsLocal PoliciesUser Rights AssignmentRestore files and directories
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization.
CCE-2847-2
1.1.1.1.1.18 Set 'Take ownership of files or other objects' to 'Administrators'
X X Scored To implement the recommended configuration state, set the following Group Policy setting to Administrators.
!Computer ConfigurationWindows SettingsSecurity SettingsLocal PoliciesUser Rights AssignmentTake ownership of files or other objects
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2021-4
1.1.1.1.1.19 Set 'Profile system performance' to 'Administrators' X X Scored To implement the recommended configuration state, set the following Group Policy setting to Administrators.
!Computer ConfigurationWindows SettingsSecurity SettingsLocal PoliciesUser Rights AssignmentProfile system performance
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2675-7
1.1.1.1.1.20 Configure 'Create a token object' X X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Create a token object
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization.
CCE-2791-2
IEC/TR 80001-2-2 Security Capabilities: ALOF, AUDT, AUTH, CNFS, CSUP, DTBK, MLDP, NAUT, PAUT, SAHD, TXCF, TXIG
CIS MS Win XP Pro Benchmark v3.1.0: Recommendation #, CIS Benchmark Section Title, Scored or Not Scored?, CIS Benchmark Remediation Procedure, CIS Benchmark Audit Procedure, CCE-ID
1.1.1.1.1.21 Set 'Increase scheduling priority' to 'Administrators' X X Scored To implement the recommended configuration state, set the following Group Policy setting to Administrators.
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Increase scheduling priority
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2944-7
1.1.1.1.1.22 Set 'Manage auditing and security log' to 'Administrators' X X X Scored To implement the recommended configuration state, set the following Group Policy setting to Administrators.
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Manage auditing and security log
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2247-5
1.1.1.1.1.23 Set 'Deny log on locally' to 'Guests, Support_388945a0' X X Scored To implement the recommended configuration state, set the following Group Policy setting to Guests, Support_388945a0.
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny log on locally
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2700-3
1.1.1.1.1.24 Set 'Create a pagefile' to 'Administrators' X X Scored To implement the recommended configuration state, set the following Group Policy setting to Administrators.
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Create a pagefile
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2786-2
1.1.1.1.1.25 Set 'Access this computer from the network' to 'Users, Administrators'
X X Scored To implement the recommended configuration state, set the following Group Policy setting to Users, Administrators.
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Access this computer from the network
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2379-6
1.1.1.1.1.26 Set 'Lock pages in memory' to 'No One' X X Scored To implement the recommended configuration state, set the following Group Policy setting to No One.
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Lock pages in memory
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2609-6
1.1.1.1.1.27 Set 'Deny access to this computer from the network' to 'Support_388945a0, Guests'
X X Scored To implement the recommended configuration state, set the following Group Policy setting to Support_388945a0, Guests.
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny access to this computer from the network
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-1978-6
1.1.1.1.1.28 Set 'Generate security audits' to 'Local Service, Network Service'
X X X Scored To implement the recommended configuration state, set the following Group Policy setting to Local Service, Network Service.
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Generate security audits
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2767-2
1.1.1.1.1.29 Configure 'Allow log on through Terminal Services' X X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Allow log on through Terminal Services
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization.
CCE-3004-9
1.1.1.1.1.30 Set 'Impersonate a client after authentication' to 'Administrators, SERVICE, Local Service, Network Service'
X X X Scored To implement the recommended configuration state, set the following Group Policy setting to Administrators, SERVICE, Local Service, Network Service.
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Impersonate a client after authentication
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2737-5
1.1.1.1.1.31 Set 'Replace a process level token' to 'Local Service, Network Service'
X X Scored To implement the recommended configuration state, set the following Group Policy setting to Local Service, Network Service.
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Replace a process level token
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2860-5
1.1.1.1.1.32 Set 'Load and unload device drivers' to 'Administrators' X X Scored To implement the recommended configuration state, set the following Group Policy setting to Administrators.
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Load and unload device drivers
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2446-3
1.1.1.1.1.33 Set 'Act as part of the operating system' to 'No One' X X Scored To implement the recommended configuration state, set the following Group Policy setting to No One.
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Act as part of the operating system
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2167-5
1.1.1.1.1.34 Configure 'Create global objects' X X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Create global objects
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization.
CCE-3107-0
1.1.1.1.1.35 Configure 'Profile single process' X X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Profile single process
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization.
CCE-2807-6
1.1.1.1.1.36 Set 'Force shutdown from a remote system' to 'Administrators'
X X Scored To implement the recommended configuration state, set the following Group Policy setting to Administrators.
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Force shutdown from a remote system
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2886-0
1.1.1.1.1.37 Set 'Change the system time' to 'Administrators' X X Scored To implement the recommended configuration state, set the following Group Policy setting to Administrators.
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Change the system time
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2846-4
1.1.1.1.2 Security Options
1.1.1.1.2.1 Configure 'Domain controller: LDAP server signing requirements' X X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
1.1.1.1.2.2 Set 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' to 'Require message integrity,Require message confidentiality,Require NTLMv2 session security,Require 128-bit encryption'
X X X X Scored To implement the recommended configuration state, set the following Group Policy setting to 537395248.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Minimum session security for NTLM SSP based (including secure RPC) servers
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.1.1.1.2.3 Configure 'Network access: Restrict anonymous access to Named Pipes and Shares'
X X X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Restrict anonymous access to Named Pipes and Shares
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
1.1.1.1.2.4 Configure 'System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies'
X X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
1.1.1.1.2.5 Configure 'System cryptography: Force strong key protection for user keys stored on the computer'
X X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\System cryptography: Force strong key protection for user keys stored on the computer
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
1.1.1.1.2.6 Set 'Domain member: Digitally encrypt or sign secure channel data (always)' to 'Enabled'
X X X X Scored To implement the recommended configuration state, set the following Group Policy setting to 1.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Domain member: Digitally encrypt or sign secure channel data (always)
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.1.1.1.2.10 Configure 'Audit: Audit the use of Backup and Restore privilege'
X X X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Audit: Audit the use of Backup and Restore privilege
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
1.1.1.1.2.11 Set 'Accounts: Administrator account status' to 'Disabled' X X Scored To implement the recommended configuration state, set the following Group Policy setting to 0.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Accounts: Administrator account status
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2943-9
1.1.1.1.2.12 Set 'Microsoft network client: Digitally sign communications (always)' to 'Enabled'
X X Scored To implement the recommended configuration state, set the following Group Policy setting to 1.
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.1.1.1.2.13 Set 'Network access: Let Everyone permissions apply to anonymous users' to 'Disabled'
X X Scored To implement the recommended configuration state, set the following Group Policy setting to 0.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Let Everyone permissions apply to anonymous users
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.1.1.1.2.14 Set 'Interactive logon: Do not require CTRL+ALT+DEL' to 'Disabled'
X X X Scored To implement the recommended configuration state, set the following Group Policy setting to 0.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Do not require CTRL+ALT+DEL
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.1.1.1.2.16 Set 'Network access: Do not allow anonymous enumeration of SAM accounts' to 'Enabled'
X X Scored To implement the recommended configuration state, set the following Group Policy setting to 1.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Do not allow anonymous enumeration of SAM accounts
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.1.1.1.2.18 Set 'Domain member: Maximum machine account password age' to '30'
X X Scored To implement the recommended configuration state, set the following Group Policy setting to 30.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Domain member: Maximum machine account password age
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-3018-9
1.1.1.1.2.19 Configure 'System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing'
X X X X Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.1.1.1.2.21 Set 'Interactive logon: Number of previous logons to cache (in case domain controller is not available)' to '2'
X X Scored To implement the recommended configuration state, set the following Group Policy setting to 2.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Number of previous logons to cache (in case domain controller is not available)
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.1.1.1.2.23 Set 'Network access: Sharing and security model for local accounts' to 'Classic - local users authenticate as themselves'
X X X Scored To implement the recommended configuration state, set the following Group Policy setting to 0.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Sharing and security model for local accounts
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2973-6
1.1.1.1.2.25 Configure 'MSS: (SynAttackProtect) Syn attack protection level (protects against DoS)'
X X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\MSS: (SynAttackProtect) Syn attack protection level (protects against DoS)
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
1.1.1.1.2.26 Set 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' to 'Enabled'
X X Scored To implement the recommended configuration state, set the following Group Policy setting to 1.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Do not allow anonymous enumeration of SAM accounts and shares
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.1.1.1.2.27 Configure 'Domain controller: Allow server operators to schedule tasks'
X X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Domain controller: Allow server operators to schedule tasks
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
1.1.1.1.2.28 Set 'Network access: Shares that can be accessed anonymously' to 'comcfg dfs$'
X X X Scored To implement the recommended configuration state, set the following Group Policy setting to comcfg dfs$.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Shares that can be accessed anonymously
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.1.1.1.2.30 Configure 'MSS: (DisableSavePassword) Prevent the dial-up password from being saved (recommended)'
X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\MSS: (DisableSavePassword) Prevent the dial-up password from being saved (recommended)
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
1.1.1.1.2.31 Set 'Network access: Remotely accessible registry paths and sub-paths' as recommended
X X Scored To implement the recommended configuration state, set the following Group Policy setting to:
System\CurrentControlSet\Control\ProductOptions
System\CurrentControlSet\Control\Print\Printers
System\CurrentControlSet\Control\Server Applications
System\CurrentControlSet\Services\Eventlog
Software\Microsoft\OLAP Server
Software\Microsoft\Windows NT\CurrentVersion
System\CurrentControlSet\Control\ContentIndex
System\CurrentControlSet\Control\Terminal Server
System\CurrentControlSet\Control\Terminal Server\UserConfig
System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.1.1.1.2.32 Set 'Microsoft network server: Amount of idle time required before suspending session' to '15'
X X Scored To implement the recommended configuration state, set the following Group Policy setting to 15.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network server: Amount of idle time required before suspending session
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.1.1.1.2.33 Configure 'Audit: Audit the access of global system objects' X X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Audit: Audit the access of global system objects
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
1.1.1.1.2.34 Set 'Shutdown: Clear virtual memory pagefile' to 'Disabled' X Scored To implement the recommended configuration state, set the following Group Policy setting to 0.
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.1.1.1.2.35 Set 'Accounts: Limit local account use of blank passwords to console logon only' to 'Enabled'
X X Scored To implement the recommended configuration state, set the following Group Policy setting to 1.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Accounts: Limit local account use of blank passwords to console logon only
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.1.1.1.2.37 Set 'System objects: Default owner for objects created by members of the Administrators group' to 'Object creator'
X Scored To implement the recommended configuration state, set the following Group Policy setting to 1.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\System objects: Default owner for objects created by members of the Administrators group
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.1.1.1.2.38 Set 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' to 'Highest protection, source routing is completely disabled'
X Scored To implement the recommended configuration state, set the following Group Policy setting to 2.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.1.1.1.2.40 Set 'Interactive logon: Do not display last user name' to 'Enabled'
X Scored To implement the recommended configuration state, set the following Group Policy setting to 1.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Do not display last user name
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.1.1.1.2.41 Configure 'Network access: Named Pipes that can be accessed anonymously'
X X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Named Pipes that can be accessed anonymously
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
1.1.1.1.2.42 Configure 'Network security: Force logoff when logon hours expire'
X X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Force logoff when logon hours expire
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization.
CCE-3139-3
1.1.1.1.2.43 Set 'Interactive logon: Smart card removal behavior' to 'Lock Workstation'
X X X Scored To implement the recommended configuration state, set the following Group Policy setting to 1.
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.1.1.1.2.44 Set 'Network security: Do not store LAN Manager hash value on next password change' to 'Enabled'
X X Scored To implement the recommended configuration state, set the following Group Policy setting to 1.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Do not store LAN Manager hash value on next password change
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.1.1.1.2.45 Set 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' to 'Require message integrity,Require message confidentiality,Require NTLMv2 session security,Require 128-bit encryption'
X X X X Scored To implement the recommended configuration state, set the following Group Policy setting to 537395248.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Minimum session security for NTLM SSP based (including secure RPC) clients
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.1.1.1.2.47 Configure 'MSS: (TcpMaxConnectResponseRetransmissions) SYN-ACK retransmissions when a connection request is not acknowledged'
X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\MSS: (TcpMaxConnectResponseRetransmissions) SYN-ACK retransmissions when a connection request is not acknowledged
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
1.1.1.1.2.48 Set 'Network access: Do not allow storage of credentials or .NET Passports for network authentication' to 'Enabled'
X X Scored To implement the recommended configuration state, set the following Group Policy setting to 1.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Do not allow storage of credentials or .NET Passports for network authentication
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.1.1.1.2.50 Set 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' to '90'
X X Scored To implement the recommended configuration state, set the following Group Policy setting to 90.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
X X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
1.1.1.1.2.52 Configure 'Interactive logon: Message title for users attempting to log on'
X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Message title for users attempting to log on
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
1.1.1.1.2.53 Configure 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default)'
X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default)
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
1.1.1.1.2.54 Set 'Accounts: Guest account status' to 'Disabled' X X Scored To implement the recommended configuration state, set the following Group Policy setting to 0.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Accounts: Guest account status
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-3040-3
1.1.1.1.2.55 Set 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' to 'Enabled'
X Scored To implement the recommended configuration state, set the following Group Policy setting to 1.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.1.1.1.2.57 Set 'Devices: Allowed to format and eject removable media' to 'Administrators and Interactive Users'
X X Scored To implement the recommended configuration state, set the following Group Policy setting to 2.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Devices: Allowed to format and eject removable media
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.1.1.1.2.58 Configure 'Recovery console: Allow floppy copy and access to all drives and all folders'
X X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Recovery console: Allow floppy copy and access to all drives and all folders
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
1.1.1.1.2.59 Configure 'Interactive logon: Message text for users attempting to log on'
X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Message text for users attempting to log on
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
1.1.1.1.2.60 Set 'Audit: Shut down system immediately if unable to log security audits' to 'Disabled'
X X Scored To implement the recommended configuration state, set the following Group Policy setting to 0.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Audit: Shut down system immediately if unable to log security audits
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.1.1.1.2.62 Configure 'Interactive logon: Require smart card' X X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
1.1.1.1.2.63 Set 'System objects: Require case insensitivity for non-Windows subsystems' to 'Enabled'
X Scored To implement the recommended configuration state, set the following Group Policy setting to 1.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\System objects: Require case insensitivity for non-Windows subsystems
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.1.1.1.2.64 Set 'Interactive logon: Prompt user to change password before expiration' to '14'
X X X Scored To implement the recommended configuration state, set the following Group Policy setting to 14.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Prompt user to change password before expiration
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.1.1.1.2.66 Set 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' to '0'
X X Scored To implement the recommended configuration state, set the following Group Policy setting to 0.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.1.1.1.2.67 Configure 'Shutdown: Allow system to be shut down without having to log on'
X X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Shutdown: Allow system to be shut down without having to log on
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2867-0
1.1.1.1.3.2 Configure 'Audit object access' X X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization.
CCE-2259-0
1.1.1.1.3.3 Configure 'Audit directory service access' X X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit directory service access
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization.
CCE-2933-0
1.1.1.1.3.4 Set 'Audit process tracking' to 'No Auditing' X X Scored To implement the recommended configuration state, set the following Group Policy setting to No Auditing.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit process tracking
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2816-7
1.1.1.1.3.5 Set 'Audit privilege use' to 'Failure' X X Scored To implement the recommended configuration state, set the following Group Policy setting to Failure.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit privilege use
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2913-2
IEC/TR 80001-2-2 Security Capabilities: ALOF, AUDT, AUTH, CNFS, CSUP, DTBK, MLDP, NAUT, PAUT, SAHD, TXCF, TXIG
CCE-ID
CIS MS Win XP Pro Benchmark v3.1.0
1.1.1.1.3.6 Set 'Audit account management' to 'Success, Failure' X X Scored To implement the recommended configuration state, set the following Group Policy setting to Success, Failure.
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2902-5
1.1.1.1.3.7 Set 'Audit policy change' to 'Success' X X Scored To implement the recommended configuration state, set the following Group Policy setting to Success.
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2971-0
1.1.1.1.3.8 Set 'Audit system events' to 'Success' X X Scored To implement the recommended configuration state, set the following Group Policy setting to Success.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit system events
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2878-7
1.1.1.1.3.9 Set 'Audit logon events' to 'Success, Failure' X X Scored To implement the recommended configuration state, set the following Group Policy setting to Success, Failure.
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2904-1
1.1.1.2.2 Configure 'Retain application log' X X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization.
CCE-3019-7
1.1.1.2.3 Configure 'Retain security log' X X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization.
CCE-2966-0
1.1.1.2.4 Configure 'Retain system log' X X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Windows Settings\Security Settings\Event Log\Retain system log
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization.
CCE-2050-3
1.1.1.2.5 Set 'Maximum system log size' to '16384' X X Scored To implement the recommended configuration state, set the following Group Policy setting to 16384.
Computer Configuration\Windows Settings\Security Settings\Event Log\Maximum system log size
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-3006-4
1.1.1.2.6 Set 'Prevent local guests group from accessing security log' to 'Enabled'
X X X Scored To implement the recommended configuration state, set the following Group Policy setting to True.
Computer Configuration\Windows Settings\Security Settings\Event Log\Prevent local guests group from accessing security log
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2794-6
1.1.1.2.7 Set 'Retention method for security log' to 'Overwrites events as needed'
X X Scored To implement the recommended configuration state, set the following Group Policy setting to WhenNeeded.
Computer Configuration\Windows Settings\Security Settings\Event Log\Retention method for security log
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2336-6
1.1.1.2.8 Set 'Retention method for application log' to 'Overwrites events as needed'
X X Scored To implement the recommended configuration state, set the following Group Policy setting to WhenNeeded.
Computer Configuration\Windows Settings\Security Settings\Event Log\Retention method for application log
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-3014-8
1.1.1.2.9 Set 'Maximum security log size' to '81920' X X Scored To implement the recommended configuration state, set the following Group Policy setting to 81920.
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
1.1.1.3.2 Configure 'Human Interface Device Access' X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
1.1.1.3.3 Configure 'Distributed Link Tracking Client' X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Windows Settings\Security Settings\System Services\Distributed Link Tracking Client
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
1.1.1.3.4 Configure 'Telephony' X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
1.1.1.3.5 Configure 'Network Connections' X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
1.1.1.3.6 Configure 'SNMP Trap' X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
1.1.1.3.7 Configure 'Distributed Transaction Coordinator' X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
1.1.1.3.8 Configure 'WMI Performance Adapter' X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.1.1.3.10 Configure 'Microsoft Software Shadow Copy Provider' X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
1.1.1.3.11 Configure 'Workstation' X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
1.1.1.3.12 Configure 'Remote Access Auto Connection Manager' X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Windows Settings\Security Settings\System Services\Remote Access Auto Connection Manager
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
1.1.1.3.13 Configure 'Print Spooler' X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
1.1.1.3.14 Configure 'Performance Logs & Alerts' X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
1.1.1.3.15 Configure 'TCP/IP NetBIOS Helper' X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
1.1.1.3.16 Configure 'Background Intelligent Transfer Service' X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Windows Settings\Security Settings\System Services\Background Intelligent Transfer Service
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
1.1.1.3.17 Configure 'Netlogon' X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
1.1.1.3.18 Configure 'Remote Access Connection Manager' X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
1.1.1.3.19 Configure 'Network Location Awareness (NLA)' X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
1.1.1.3.20 Configure 'DHCP Client' X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
1.1.1.3.21 Configure 'Plug and Play' X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Windows Settings\Security Settings\System Services\Plug and Play
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
1.1.1.3.22 Configure 'COM+ System Application' X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Windows Settings\Security Settings\System Services\COM+ System Application
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
1.1.1.3.23 Configure 'Windows Time' X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Windows Settings\Security Settings\System Services\Windows Time
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
1.1.1.3.24 Configure 'Smart Card' X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
1.1.1.3.25 Set 'Routing and Remote Access' to 'Disabled' X Scored To implement the recommended configuration state, set the following Group Policy setting to 4.
Computer Configuration\Windows Settings\Security Settings\System Services\Routing and Remote Access
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.1.1.3.26 Configure 'IPSEC Services' X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
1.1.1.3.27 Configure 'COM+ Event System' X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Windows Settings\Security Settings\System Services\COM+ Event System
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
1.1.1.3.28 Configure 'Security Accounts Manager' X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
1.1.1.3.29 Configure 'DCOM Server Process Launcher' X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Windows Settings\Security Settings\System Services\DCOM Server Process Launcher
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
1.1.1.3.30 Configure 'Internet Connection Sharing (ICS)' X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
1.1.1.3.31 Configure 'Application Management' X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
1.1.1.3.32 Configure 'Windows Management Instrumentation' X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.1.1.3.34 Configure 'System Event Notification Service' X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Windows Settings\Security Settings\System Services\System Event Notification Service
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
1.1.1.3.35 Configure 'Volume Shadow Copy' X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
1.1.1.3.36 Configure 'Windows Audio' X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
1.1.1.3.37 Configure 'Cryptographic Services' X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.1.1.3.39 Configure 'Windows Installer' X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
1.1.1.3.40 Configure 'Server' X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
1.1.1.3.41 Configure 'Application Layer Gateway Service' X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Windows Settings\Security Settings\System Services\Application Layer Gateway Service
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
1.1.1.3.42 Configure 'DNS Client' X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
1.1.1.4 Account Policies
1.1.1.4.1 Password Policy
1.1.1.4.1.1 Set 'Password must meet complexity requirements' to 'Enabled' X X Scored To implement the recommended configuration state, set the following Group Policy setting to True.
Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\Password must meet complexity requirements
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2735-9
1.1.1.4.1.2 Set 'Minimum password length' to '14' X X Scored To implement the recommended configuration state, set the following Group Policy setting to 14.
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2981-9
1.1.1.4.1.3 Set 'Enforce password history' to '24' X X Scored To implement the recommended configuration state, set the following Group Policy setting to 24.
Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\Enforce password history
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2994-2
1.1.1.4.1.4 Set 'Maximum password age' to '60' or less X X Scored To implement the recommended configuration state, set the following Group Policy setting to 60 or less.
Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\Maximum password age
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2920-7
1.1.1.4.1.5 Set 'Store passwords using reversible encryption' to 'Disabled'
X X Scored To implement the recommended configuration state, set the following Group Policy setting to False.
Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\Store passwords using reversible encryption
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2889-4
1.1.1.4.1.6 Set 'Minimum password age' to '1' or higher X X Scored To implement the recommended configuration state, set the following Group Policy setting to 1 or higher.
Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\Minimum password age
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2439-8
1.1.1.4.2 Account Lockout Policy
1.1.1.4.2.1 Set 'Account lockout threshold' to '50' or less X X Scored To implement the recommended configuration state, set the following Group Policy setting to 50 or less.
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2986-8
1.1.1.4.2.2 Set 'Reset account lockout counter after' to '15' or higher X X Scored To implement the recommended configuration state, set the following Group Policy setting to 15 or higher.
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2466-1
1.1.1.4.2.3 Set 'Account lockout duration' to '15' or higher X X Scored To implement the recommended configuration state, set the following Group Policy setting to 15 or higher.
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2928-0
1.2 Administrative Templates
1.2.1 Network
1.2.1.1 Network Connections
1.2.1.1.1 Windows Profile
1.2.1.1.1.1 Standard Profile
1.2.1.1.1.1.1 Set 'Windows Firewall: Allow ICMP exceptions' to 'Disabled' X X Scored To implement the recommended configuration state, set the following Group Policy setting to Disabled.
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.2.1.1.1.1.3 Configure 'Windows Firewall: Prohibit notifications' X X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
1.2.1.1.1.1.4 Set 'Windows Firewall: Prohibit unicast response to multicast or broadcast requests' to 'Enabled'
X X Scored To implement the recommended configuration state, set the following Group Policy setting to Enabled.
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile\Windows Firewall: Prohibit unicast response to multicast or broadcast requests
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.2.1.1.1.1.6 Configure 'Windows Firewall: Do not allow exceptions' X X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile\Windows Firewall: Do not allow exceptions
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.2.1.1.1.1.8 Set 'Windows Firewall: Allow local port exceptions' to 'Disabled'
X X Scored To implement the recommended configuration state, set the following Group Policy setting to Disabled.
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile\Windows Firewall: Allow local port exceptions
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.2.1.1.1.1.9 Configure 'Windows Firewall: Define inbound port exceptions'
X X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
1.2.1.1.1.1.10 Configure 'Windows Firewall: Define inbound program exceptions'
X X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.2.1.1.1.1.13 Configure 'Windows Firewall: Allow local program exceptions'
X X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile\Windows Firewall: Allow local program exceptions
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
1.2.1.1.1.2 Domain Profile
1.2.1.1.1.2.1 Set 'Windows Firewall: Allow ICMP exceptions' to 'Disabled' X X Scored To implement the recommended configuration state, set the following Group Policy setting to Disabled.
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.2.1.1.1.2.2 Set 'Windows Firewall: Allow local program exceptions' to 'Disabled'
X X Scored To implement the recommended configuration state, set the following Group Policy setting to Disabled.
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile\Windows Firewall: Allow local program exceptions
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.2.1.1.1.2.4 Configure 'Windows Firewall: Define inbound port exceptions'
X X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
1.2.1.1.1.2.5 Configure 'Windows Firewall: Define inbound program exceptions'
X X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
1.2.1.1.1.2.6 Configure 'Windows Firewall: Prohibit notifications' X X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
1.2.1.1.1.2.7 Set 'Windows Firewall: Prohibit unicast response to multicast or broadcast requests' to 'Enabled'
X X Scored To implement the recommended configuration state, set the following Group Policy setting to Enabled.
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile\Windows Firewall: Prohibit unicast response to multicast or broadcast requests
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.2.1.1.1.2.9 Configure 'Windows Firewall: Do not allow exceptions' X X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile\Windows Firewall: Do not allow exceptions
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.2.1.1.1.2.13 Set 'Windows Firewall: Allow local port exceptions' to 'Disabled'
X X Scored To implement the recommended configuration state, set the following Group Policy setting to Disabled.
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile\Windows Firewall: Allow local port exceptions
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.2.2 System
1.2.2.1 Remote Procedure Call
1.2.2.1.1 Set 'Restrictions for Unauthenticated RPC clients' to 'Enabled:Authenticated' X X Scored To implement the recommended configuration state, set the following Group Policy setting to Enabled. Then set the available option to Authenticated.
Computer Configuration\Administrative Templates\System\Remote Procedure Call\Restrictions for Unauthenticated RPC clients
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.2.2.2.2 Set 'Process even if the Group Policy objects have not changed' to 'True'
X Scored To implement the recommended configuration state, set the following Group Policy setting to 0.
Computer Configuration\Administrative Templates\System\Group Policy:Process even if the Group Policy objects have not changed
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.2.2.2.3 Set 'Do not apply during periodic background processing' to 'False'
X Scored To implement the recommended configuration state, set the following Group Policy setting to 0.
Computer Configuration\Administrative Templates\System\Group Policy:Do not apply during periodic background processing
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.2.2.3.2 Set 'Offer Remote Assistance' to 'Disabled' X Scored To implement the recommended configuration state, set the following Group Policy setting to Disabled.
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.2.2.4 Internet Communication Management
1.2.2.4.1 Internet Communication settings
1.2.2.4.1.1 Set 'Turn off downloading of print drivers over HTTP' to 'Enabled' X Scored To implement the recommended configuration state, set the following Group Policy setting to Enabled.
Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off downloading of print drivers over HTTP
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.2.2.4.1.2 Set 'Turn off Windows Update device driver searching' to 'Enabled'
X Scored To implement the recommended configuration state, set the following Group Policy setting to Enabled.
Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off Windows Update device driver searching
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.2.2.4.1.3 Set 'Turn off the "Publish to Web" task for files and folders' to 'Enabled'
X Scored To implement the recommended configuration state, set the following Group Policy setting to Enabled.
Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off the "Publish to Web" task for files and folders
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.2.2.4.1.4 Set 'Turn off Internet download for Web publishing and online ordering wizards' to 'Enabled'
X Scored To implement the recommended configuration state, set the following Group Policy setting to Enabled.
Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off Internet download for Web publishing and online ordering wizards
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.2.2.4.1.5 Set 'Turn off printing over HTTP' to 'Enabled' X Scored To implement the recommended configuration state, set the following Group Policy setting to Enabled.
Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off printing over HTTP
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.2.2.4.1.6 Set 'Turn off the Windows Messenger Customer Experience Improvement Program' to 'Enabled'
X Scored To implement the recommended configuration state, set the following Group Policy setting to Enabled.
Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off the Windows Messenger Customer Experience Improvement Program
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.2.2.4.1.7 Set 'Turn off Search Companion content file updates' to 'Enabled'
X Scored To implement the recommended configuration state, set the following Group Policy setting to Enabled.
Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off Search Companion content file updates
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.2.2.5 Logon
1.2.2.5.1 Configure 'Do not process the legacy run list' X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Administrative Templates\System\Logon\Do not process the legacy run list
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
1.2.2.5.2 Configure 'Do not process the run once list' X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Administrative Templates\System\Logon\Do not process the run once list
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.2.3.1.3 Set 'No auto-restart with logged on users for scheduled automatic updates installations' to 'Disabled'
X X Scored To implement the recommended configuration state, set the following Group Policy setting to Disabled.
Computer Configuration\Administrative Templates\Windows Components\Windows Update\No auto-restart with logged on users for scheduled automatic updates installations
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.2.3.1.4 Set 'Do not display 'Install Updates and Shut Down' option in Shut Down Windows dialog box' to 'Disabled'
X X Scored To implement the recommended configuration state, set the following Group Policy setting to Disabled.
Computer Configuration\Administrative Templates\Windows Components\Windows Update\Do not display 'Install Updates and Shut Down' option in Shut Down Windows dialog box
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.2.3.1.5 Set 'Do not adjust default option to 'Install Updates and Shut Down' in Shut Down Windows dialog box' to 'Disabled'
X X Scored To implement the recommended configuration state, set the following Group Policy setting to Disabled.
Computer Configuration\Administrative Templates\Windows Components\Windows Update\Do not adjust default option to 'Install Updates and Shut Down' in Shut Down Windows dialog box
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.2.3.1.6 Configure 'Specify intranet Microsoft update service location'
X X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Administrative Templates\Windows Components\Windows Update\Specify intranet Microsoft update service location
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
1.2.3.1.7 Configure 'Set the intranet statistics server' X X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Administrative Templates\Windows Components\Windows Update:Set the intranet statistics server
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
1.2.3.1.8 Configure 'Set the intranet update service for detecting updates'
X X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Administrative Templates\Windows Components\Windows Update:Set the intranet update service for detecting updates
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
1.2.3.2 Windows Installer
1.2.3.2.1 Set 'Always install with elevated privileges' to 'Disabled' X Scored To implement the recommended configuration state, set the following Group Policy setting to Disabled.
Computer Configuration\Administrative Templates\Windows Components\Windows Installer\Always install with elevated privileges
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.2.3.3 Remote Desktop Services
1.2.3.3.1 Remote Desktop Connection Client
1.2.3.3.1.1 Set 'Do not allow passwords to be saved' to 'Enabled' X Scored To implement the recommended configuration state, set the following Group Policy setting to Enabled.
Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Connection Client\Do not allow passwords to be saved
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.2.3.3.2 Remote Desktop Session Host
1.2.3.3.2.1 Connections
1.2.3.3.2.1.1 Configure 'Allow users to connect remotely using Remote Desktop Services' X X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections\Allow users to connect remotely using Remote Desktop Services
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
1.2.3.3.2.2 Device and Resource Redirection
1.2.3.3.2.2.1 Set 'Do not allow drive redirection' to 'Enabled' X Scored To implement the recommended configuration state, set the following Group Policy setting to Enabled.
Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection\Do not allow drive redirection
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.2.3.3.2.3 Security
1.2.3.3.2.3.1 Set 'Always prompt for password upon connection' to 'Enabled' X X Scored To implement the recommended configuration state, set the following Group Policy setting to Enabled.
Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security\Always prompt for password upon connection
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.2.3.3.2.3.2 Set 'Set client connection encryption level' to 'Enabled:High Level'
X X Scored To implement the recommended configuration state, set the following Group Policy setting to Enabled. Then set the available option to High Level.
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.2.3.4 AutoPlay Policies
1.2.3.4.1 Set 'Turn off Autoplay' to 'Enabled:All drives' X X Scored To implement the recommended configuration state, set the following Group Policy setting to Enabled. Then set the available option to All drives.
Computer Configuration\Administrative Templates\Windows Components\AutoPlay Policies\Turn off Autoplay
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.2.3.5 Windows Error Reporting
1.2.3.5.1 Advanced Error Reporting Settings
1.2.3.5.1.1 Set 'Report operating system errors' to 'Enabled' X Scored To implement the recommended configuration state, set the following Group Policy setting to Enabled.
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.2.3.5.1.2 Set 'Display Error Notification' to 'Disabled' X Scored To implement the recommended configuration state, set the following Group Policy setting to Disabled.
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.2.3.7 Windows Messenger
1.2.3.7.1 Set 'Do not allow Windows Messenger to be run' to 'Enabled' X Scored To implement the recommended configuration state, set the following Group Policy setting to Enabled.
Computer Configuration\Administrative Templates\Windows Components\Windows Messenger\Do not allow Windows Messenger to be run
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
2 User Configuration
2.1 Administrative Templates
2.1.1 System
2.1.1.1 Power Management
2.1.1.1.1 Set 'Prompt for password on resume from hibernate / suspend' to 'Enabled' X X Scored To implement the recommended configuration state, set the following Group Policy setting to Enabled.
User Configuration\Administrative Templates\System\Power Management\Prompt for password on resume from hibernate / suspend
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
2.1.1.1.2 Configure 'Prevent access to registry editing tools' X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
User Configuration\Administrative Templates\System\Prevent access to registry editing tools
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
!HKEY_USER:Not Configured
CCE-8326-1
2.1.2.1.2 Configure 'Remove CD Burning features' X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
User Configuration\Administrative Templates\Windows Components\Windows Explorer\Remove CD Burning features
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
!HKEY_USER:Not Configured
CCE-8374-1
2.1.2.2 Attachment Manager
2.1.2.2.1 Set 'Hide mechanisms to remove zone information' to 'Enabled' X X Scored To implement the recommended configuration state, set the following Group Policy setting to Enabled.
User Configuration\Administrative Templates\Windows Components\Attachment Manager\Hide mechanisms to remove zone information
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
2.1.2.2.2 Set 'Notify antivirus programs when opening attachments' to 'Enabled'
X X Scored To implement the recommended configuration state, set the following Group Policy setting to Enabled.
User Configuration\Administrative Templates\Windows Components\Attachment Manager\Notify antivirus programs when opening attachments
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
2.1.2.2.3 Set 'Do not preserve zone information in file attachments' to 'Disabled'
X X Scored To implement the recommended configuration state, set the following Group Policy setting to Disabled.
User Configuration\Administrative Templates\Windows Components\Attachment Manager\Do not preserve zone information in file attachments
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
Recommendation #; CIS Benchmark Section Title; CIS Benchmark Remediation Procedure; CIS Benchmark Audit Procedure; Scored or Not Scored?
2.1.3.1.2 Set 'Password protect the screen saver' to 'Enabled' X X Scored To implement the recommended configuration state, set the following Group Policy setting to Enabled.
User Configuration\Administrative Templates\Control Panel\Personalization\Password protect the screen saver
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
2.1.3.1.3 Set 'Enable screen saver' to 'Enabled' X X Scored To implement the recommended configuration state, set the following Group Policy setting to Enabled.
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
2.1.3.1.4 Set 'Force specific screen saver' to 'Enabled:scrnsave.scr' X X Scored To implement the recommended configuration state, set the following Group Policy setting to Enabled. Then set the available option to scrnsave.scr.
User Configuration\Administrative Templates\Control Panel\Personalization\Force specific screen saver
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
Total CIS Benchmark Recommendations that Map to Each Applicable IEC/TR 80001-2-2 Security Capability
General Notes/Comments on CIS Microsoft Windows XP Benchmark v3.1.0 Mapping to Each Security Capability
ALOF Automatic logoff 8 Benchmark recommendations on setting screen saver, logon hours, session timeout, etc.
AUDT Audit controls 27 All audit-related items in Benchmark
AUTH Authorization 55 All user rights and "anonymous can/cannot do x" recommendations in Benchmark
CNFS Configuration of security features 37 Firewall, logon as a service, etc. Benchmark settings
CSUP Cyber security product upgrades 8 All Windows-update related items in Benchmark
DTBK Data backup and disaster recovery 5 User rights related to file and backup
MLDP Malware detection/protection 6 IE Benchmark-smartscreen
NAUT Node authentication 12 All authentication-related controls, but not password storage-related controls, as that is a security feature, not directly part of authentication of a person/node. Includes NTLM-related items
PAUT Person authentication 24 All authentication-related controls, but not password storage-related controls, as that is a security feature, not directly part of authentication of a person/node. Includes NTLM-related items
SAHD System and Application Hardening 249 Everything in the Benchmark maps to this Security Capability
TXCF Transmission confidentiality 8 All the SSP RPC crypto items
TXIG Transmission integrity 12 All the SSP RPC signing items
DIDT HEALTH DATA de-identification N/A
EMRG Emergency access N/A
IGAU HEALTH DATA integrity and authenticity N/A File permissions
PLOK Physical locks on device N/A
RDMP Third-party components in product lifecycle roadmaps N/A See related CIS Benchmarks, as applicable
SGUD Security guides N/A
STCF HEALTH DATA storage confidentiality N/A
IEC/TR 80001-2-2 Security Capability
Automatic logoff (ALOF)
Alignment Total 8
1.1.1.1.2 Security Options
1.1.1.1.2.32 Set 'Microsoft network server: Amount of idle time required before suspending session' to '15' X Scored To implement the recommended configuration state, set the following Group Policy setting to 15.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network server: Amount of idle time required before suspending session
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.1.1.1.2.42 Configure 'Network security: Force logoff when logon hours expire'
X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Force logoff when logon hours expire
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization.
X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
1.1.1.1.2.66 Set 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' to '0'
X Scored To implement the recommended configuration state, set the following Group Policy setting to 0.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
2.1.3.1.2 Set 'Password protect the screen saver' to 'Enabled' X Scored To implement the recommended configuration state, set the following Group Policy setting to Enabled.
User Configuration\Administrative Templates\Control Panel\Personalization\Password protect the screen saver
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
Complete details on Description, Rationale and Impact for each security configuration recommendation are contained in the full CIS Microsoft Windows XP Benchmark v3.1.0, available at: https://benchmarks.cisecurity.org/downloads/show-single/?file=winxp.310
CIS MS Win XP Pro Benchmark v3.1.0
2.1.3.1.3 Set 'Enable screen saver' to 'Enabled' X Scored To implement the recommended configuration state, set the following Group Policy setting to Enabled.
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
2.1.3.1.4 Set 'Force specific screen saver' to 'Enabled:scrnsave.scr' X Scored To implement the recommended configuration state, set the following Group Policy setting to Enabled. Then set the available option to scrnsave.scr.
User Configuration\Administrative Templates\Control Panel\Personalization\Force specific screen saver
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.1.1.1.1 User Rights Assignment
1.1.1.1.1.22 Set 'Manage auditing and security log' to 'Administrators' X Scored To implement the recommended configuration state, set the following Group Policy setting to Administrators.
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Manage auditing and security log
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2247-5
1.1.1.1.1.28 Set 'Generate security audits' to 'Local Service, Network Service'
X Scored To implement the recommended configuration state, set the following Group Policy setting to Local Service, Network Service.
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Generate security audits
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2767-2
1.1.1.1.2 Security Options
1.1.1.1.2.10 Configure 'Audit: Audit the use of Backup and Restore privilege' X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Audit: Audit the use of Backup and Restore privilege
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
1.1.1.1.2.33 Configure 'Audit: Audit the access of global system objects' X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Audit: Audit the access of global system objects
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
1.1.1.1.2.50 Set 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' to '90'
X Scored To implement the recommended configuration state, set the following Group Policy setting to 90.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.1.1.1.2.60 Set 'Audit: Shut down system immediately if unable to log security audits' to 'Disabled'
X Scored To implement the recommended configuration state, set the following Group Policy setting to 0.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Audit: Shut down system immediately if unable to log security audits
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
IEC/TR 80001-2-2 Security Capability
Audit controls (AUDT)
1.1.1.1.3 Audit Policy
1.1.1.1.3.1 Set 'Audit account logon events' to 'Success, Failure' X Scored To implement the recommended configuration state, set the following Group Policy setting to Success, Failure.
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2867-0
1.1.1.1.3.2 Configure 'Audit object access' X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization.
CCE-2259-0
1.1.1.1.3.3 Configure 'Audit directory service access' X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit directory service access
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization.
CCE-2933-0
1.1.1.1.3.4 Set 'Audit process tracking' to 'No Auditing' X Scored To implement the recommended configuration state, set the following Group Policy setting to No Auditing.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit process tracking
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2816-7
1.1.1.1.3.5 Set 'Audit privilege use' to 'Failure' X Scored To implement the recommended configuration state, set the following Group Policy setting to Failure.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit privilege use
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2913-2
1.1.1.1.3.6 Set 'Audit account management' to 'Success, Failure' X Scored To implement the recommended configuration state, set the following Group Policy setting to Success, Failure.
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2902-5
1.1.1.1.3.7 Set 'Audit policy change' to 'Success' X Scored To implement the recommended configuration state, set the following Group Policy setting to Success.
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2971-0
1.1.1.1.3.8 Set 'Audit system events' to 'Success' X Scored To implement the recommended configuration state, set the following Group Policy setting to Success.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit system events
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2878-7
1.1.1.1.3.9 Set 'Audit logon events' to 'Success, Failure' X Scored To implement the recommended configuration state, set the following Group Policy setting to Success, Failure.
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2904-1
1.1.1.2.2 Configure 'Retain application log' X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization.
CCE-3019-7
1.1.1.2.3 Configure 'Retain security log' X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization.
CCE-2966-0
1.1.1.2.4 Configure 'Retain system log' X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Windows Settings\Security Settings\Event Log\Retain system log
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization.
CCE-2050-3
1.1.1.2.5 Set 'Maximum system log size' to '16384' X Scored To implement the recommended configuration state, set the following Group Policy setting to 16384.
Computer Configuration\Windows Settings\Security Settings\Event Log\Maximum system log size
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-3006-4
1.1.1.2.6 Set 'Prevent local guests group from accessing security log' to 'Enabled'
X Scored To implement the recommended configuration state, set the following Group Policy setting to True.
Computer Configuration\Windows Settings\Security Settings\Event Log\Prevent local guests group from accessing security log
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2794-6
1.1.1.2.7 Set 'Retention method for security log' to 'Overwrites events as needed'
X Scored To implement the recommended configuration state, set the following Group Policy setting to WhenNeeded.
Computer Configuration\Windows Settings\Security Settings\Event Log\Retention method for security log
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2336-6
1.1.1.2.8 Set 'Retention method for application log' to 'Overwrites events as needed'
X Scored To implement the recommended configuration state, set the following Group Policy setting to WhenNeeded.
Computer Configuration\Windows Settings\Security Settings\Event Log\Retention method for application log
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-3014-8
1.1.1.2.9 Set 'Maximum security log size' to '81920' X Scored To implement the recommended configuration state, set the following Group Policy setting to 81920.
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2693-0
1.1.1.2.10 Set 'Prevent local guests group from accessing application log' to 'Enabled'
X Scored To implement the recommended configuration state, set the following Group Policy setting to True.
Computer Configuration\Windows Settings\Security Settings\Event Log\Prevent local guests group from accessing application log
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2116-2
1.1.1.2.11 Set 'Prevent local guests group from accessing system log' to 'Enabled'
X Scored To implement the recommended configuration state, set the following Group Policy setting to True.
Computer Configuration\Windows Settings\Security Settings\Event Log\Prevent local guests group from accessing system log
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2345-7
1.1.1.2.12 Set 'Retention method for system log' to 'Overwrites events as needed'
X Scored To implement the recommended configuration state, set the following Group Policy setting to WhenNeeded.
Computer Configuration\Windows Settings\Security Settings\Event Log\Retention method for system log
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2777-1
IEC/TR 80001-2-2 Security Capability
Authorization (AUTH)
Alignment Total 55
1.1.1.1.1 User Rights Assignment
1.1.1.1.1.1 Configure 'Deny log on through Terminal Services' X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny log on through Terminal Services
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization.
CCE-2814-2
1.1.1.1.1.2 Set 'Allow log on locally' to 'Administrators, Users' X Scored To implement the recommended configuration state, set the following Group Policy setting to Administrators, Users.
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Allow log on locally
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2829-0
1.1.1.1.1.3 Set 'Debug programs' to 'Administrators' X Scored To implement the recommended configuration state, set the following Group Policy setting to Administrators.
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Debug programs
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2864-7
1.1.1.1.1.4 Configure 'Log on as a service' X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Log on as a service
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization.
CCE-2948-8
1.1.1.1.1.5 Set 'Perform volume maintenance tasks' to 'Administrators' X Scored To implement the recommended configuration state, set the following Group Policy setting to Administrators.
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Perform volume maintenance tasks
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2960-3
1.1.1.1.1.6 Set 'Bypass traverse checking' to 'Administrators, Users, Local Service, Network Service'
X Scored To implement the recommended configuration state, set the following Group Policy setting to Administrators, Users, Local Service, Network Service.
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Bypass traverse checking
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2806-8
1.1.1.1.1.7 Configure 'Log on as a batch job' X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Log on as a batch job
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization.
CCE-2882-9
1.1.1.1.1.8 Configure 'Add workstations to domain' X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Add workstations to domain
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization.
CCE-2374-7
1.1.1.1.1.9 Set 'Modify firmware environment values' to 'Administrators' X Scored To implement the recommended configuration state, set the following Group Policy setting to Administrators.
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Modify firmware environment values
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2657-5
1.1.1.1.1.10 Set 'Enable computer and user accounts to be trusted for delegation' to 'No One'
X Scored To implement the recommended configuration state, set the following Group Policy setting to No One.
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Enable computer and user accounts to be trusted for delegation
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2982-7
1.1.1.1.1.11 Set 'Deny log on as a batch job' to 'Guests, Support_388945a0'
X Scored To implement the recommended configuration state, set the following Group Policy setting to Guests, Support_388945a0.
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny log on as a batch job
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2898-5
1.1.1.1.1.12 Configure 'Deny log on as a service' X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny log on as a service
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization.
CCE-2792-0
1.1.1.1.1.13 Set 'Adjust memory quotas for a process' to 'Administrators, Local Service, Network Service'
X Scored To implement the recommended configuration state, set the following Group Policy setting to Administrators, Local Service, Network Service.
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Adjust memory quotas for a process
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2547-8
1.1.1.1.1.14 Configure 'Create permanent shared objects' X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Create permanent shared objects
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization.
CCE-1969-5
1.1.1.1.1.15 Set 'Shut down the system' to 'Administrators, Users' X Scored To implement the recommended configuration state, set the following Group Policy setting to Administrators, Users.
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Shut down the system
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2366-3
1.1.1.1.1.16 Configure 'Back up files and directories' X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Back up files and directories
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization.
CCE-2299-6
1.1.1.1.1.17 Configure 'Restore files and directories' X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Restore files and directories
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization.
CCE-2847-2
1.1.1.1.1.18 Set 'Take ownership of files or other objects' to 'Administrators'
X Scored To implement the recommended configuration state, set the following Group Policy setting to Administrators.
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Take ownership of files or other objects
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2021-4
1.1.1.1.1.19 Set 'Profile system performance' to 'Administrators' X Scored To implement the recommended configuration state, set the following Group Policy setting to Administrators.
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Profile system performance
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2675-7
1.1.1.1.1.20 Configure 'Create a token object' X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Create a token object
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization.
CCE-2791-2
1.1.1.1.1.21 Set 'Increase scheduling priority' to 'Administrators' X Scored To implement the recommended configuration state, set the following Group Policy setting to Administrators.
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Increase scheduling priority
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2944-7
IEC/TR 80001-2-2 Security Capability
Authorization (AUTH)
CCE-ID
Scored or Not Scored?
1.1.1.1.1.22 Set 'Manage auditing and security log' to 'Administrators' X Scored To implement the recommended configuration state, set the following Group Policy setting to Administrators.
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Manage auditing and security log
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2247-5
1.1.1.1.1.23 Set 'Deny log on locally' to 'Guests, Support_388945a0' X Scored To implement the recommended configuration state, set the following Group Policy setting to Guests, Support_388945a0.
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny log on locally
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2700-3
1.1.1.1.1.24 Set 'Create a pagefile' to 'Administrators' X Scored To implement the recommended configuration state, set the following Group Policy setting to Administrators.
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Create a pagefile
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2786-2
1.1.1.1.1.25 Set 'Access this computer from the network' to 'Users, Administrators'
X Scored To implement the recommended configuration state, set the following Group Policy setting to Users, Administrators.
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Access this computer from the network
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2379-6
1.1.1.1.1.26 Set 'Lock pages in memory' to 'No One' X Scored To implement the recommended configuration state, set the following Group Policy setting to No One.
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Lock pages in memory
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2609-6
1.1.1.1.1.27 Set 'Deny access to this computer from the network' to 'Support_388945a0, Guests'
X Scored To implement the recommended configuration state, set the following Group Policy setting to Support_388945a0, Guests.
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny access to this computer from the network
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-1978-6
1.1.1.1.1.28 Set 'Generate security audits' to 'Local Service, Network Service'
X Scored To implement the recommended configuration state, set the following Group Policy setting to Local Service, Network Service.
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Generate security audits
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2767-2
1.1.1.1.1.29 Configure 'Allow log on through Terminal Services' X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Allow log on through Terminal Services
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization.
CCE-3004-9
1.1.1.1.1.30 Set 'Impersonate a client after authentication' to 'Administrators, SERVICE, Local Service, Network Service'
X Scored To implement the recommended configuration state, set the following Group Policy setting to Administrators, SERVICE, Local Service, Network Service.
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Impersonate a client after authentication
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2737-5
1.1.1.1.1.31 Set 'Replace a process level token' to 'Local Service, Network Service'
X Scored To implement the recommended configuration state, set the following Group Policy setting to Local Service, Network Service.
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Replace a process level token
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2860-5
1.1.1.1.1.32 Set 'Load and unload device drivers' to 'Administrators' X Scored To implement the recommended configuration state, set the following Group Policy setting to Administrators.
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Load and unload device drivers
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2446-3
1.1.1.1.1.33 Set 'Act as part of the operating system' to 'No One' X Scored To implement the recommended configuration state, set the following Group Policy setting to No One.
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Act as part of the operating system
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2167-5
1.1.1.1.1.34 Configure 'Create global objects' X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Create global objects
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization.
CCE-3107-0
1.1.1.1.1.35 Configure 'Profile single process' X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Profile single process
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization.
CCE-2807-6
1.1.1.1.1.36 Set 'Force shutdown from a remote system' to 'Administrators'
X Scored To implement the recommended configuration state, set the following Group Policy setting to Administrators.
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Force shutdown from a remote system
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2886-0
1.1.1.1.1.37 Set 'Change the system time' to 'Administrators' X Scored To implement the recommended configuration state, set the following Group Policy setting to Administrators.
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Change the system time
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2846-4
1.1.1.1.2 Security Options
1.1.1.1.2.3 Configure 'Network access: Restrict anonymous access to Named Pipes and Shares'
X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Restrict anonymous access to Named Pipes and Shares
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
1.1.1.1.2.11 Set 'Accounts: Administrator account status' to 'Disabled' X Scored To implement the recommended configuration state, set the following Group Policy setting to 0.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Accounts: Administrator account status
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2943-9
1.1.1.1.2.13 Set 'Network access: Let Everyone permissions apply to anonymous users' to 'Disabled'
X Scored To implement the recommended configuration state, set the following Group Policy setting to 0.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Let Everyone permissions apply to anonymous users
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.1.1.1.2.16 Set 'Network access: Do not allow anonymous enumeration of SAM accounts' to 'Enabled'
X Scored To implement the recommended configuration state, set the following Group Policy setting to 1.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Do not allow anonymous enumeration of SAM accounts
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.1.1.1.2.23 Set 'Network access: Sharing and security model for local accounts' to 'Classic - local users authenticate as themselves'
X Scored To implement the recommended configuration state, set the following Group Policy setting to 0.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Sharing and security model for local accounts
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2973-6
1.1.1.1.2.26 Set 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' to 'Enabled'
X Scored To implement the recommended configuration state, set the following Group Policy setting to 1.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Do not allow anonymous enumeration of SAM accounts and shares
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.1.1.1.2.27 Configure 'Domain controller: Allow server operators to schedule tasks'
X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Domain controller: Allow server operators to schedule tasks
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
1.1.1.1.2.28 Set 'Network access: Shares that can be accessed anonymously' to 'comcfg dfs$'
X Scored To implement the recommended configuration state, set the following Group Policy setting to comcfg dfs$.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Shares that can be accessed anonymously
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.1.1.1.2.31 Set 'Network access: Remotely accessible registry paths and sub-paths' as recommended
X Scored To implement the recommended configuration state, set the following Group Policy setting to:
System\CurrentControlSet\Control\ProductOptions
System\CurrentControlSet\Control\Print\Printers
System\CurrentControlSet\Control\Server Applications
System\CurrentControlSet\Services\Eventlog
Software\Microsoft\OLAP Server
Software\Microsoft\Windows NT\CurrentVersion
System\CurrentControlSet\Control\ContentIndex
System\CurrentControlSet\Control\Terminal Server
System\CurrentControlSet\Control\Terminal Server\UserConfig
System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.1.1.1.2.41 Configure 'Network access: Named Pipes that can be accessed anonymously'
X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Named Pipes that can be accessed anonymously
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.1.1.1.2.57 Set 'Devices: Allowed to format and eject removable media' to 'Administrators and Interactive Users'
X Scored To implement the recommended configuration state, set the following Group Policy setting to 2.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Devices: Allowed to format and eject removable media
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.1.1.1.2.67 Configure 'Shutdown: Allow system to be shut down without having to log on'
X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Shutdown: Allow system to be shut down without having to log on
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
1.1.1.2 Event Log
1.1.1.2.6 Set 'Prevent local guests group from accessing security log' to 'Enabled'
X Scored To implement the recommended configuration state, set the following Group Policy setting to True.
Computer Configuration\Windows Settings\Security Settings\Event Log\Prevent local guests group from accessing security log
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2794-6
1.1.1.2.10 Set 'Prevent local guests group from accessing application log' to 'Enabled'
X Scored To implement the recommended configuration state, set the following Group Policy setting to True.
Computer Configuration\Windows Settings\Security Settings\Event Log\Prevent local guests group from accessing application log
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2116-2
1.1.1.2.11 Set 'Prevent local guests group from accessing system log' to 'Enabled'
X Scored To implement the recommended configuration state, set the following Group Policy setting to True.
Computer Configuration\Windows Settings\Security Settings\Event Log\Prevent local guests group from accessing system log
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2345-7
1.2.3.3.2.1 Connections
1.2.3.3.2.1.1 Configure 'Allow users to connect remotely using Remote Desktop Services'
X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections\Allow users to connect remotely using Remote Desktop Services
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
1.1.1.1.2 Security Options
1.1.1.1.2.5 Configure 'System cryptography: Force strong key protection for user keys stored on the computer'
X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\System cryptography: Force strong key protection for user keys stored on the computer
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
1.1.1.1.2.14 Set 'Interactive logon: Do not require CTRL+ALT+DEL' to 'Disabled'
X Scored To implement the recommended configuration state, set the following Group Policy setting to 0.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Do not require CTRL+ALT+DEL
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.1.1.1.2.19 Configure 'System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing'
X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.1.1.1.2.25 Configure 'MSS: (SynAttackProtect) Syn attack protection level (protects against DoS)'
X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\MSS: (SynAttackProtect) Syn attack protection level (protects against DoS)
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
IEC/TR 80001-2-2 Security Capability
Configuration of security features (CNFS)
CCE-ID
Scored or Not Scored?
1.1.1.1.2.43 Set 'Interactive logon: Smart card removal behavior' to 'Lock Workstation'
X Scored To implement the recommended configuration state, set the following Group Policy setting to 1.
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.1.1.1.2.44 Set 'Network security: Do not store LAN Manager hash value on next password change' to 'Enabled'
X Scored To implement the recommended configuration state, set the following Group Policy setting to 1.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Do not store LAN Manager hash value on next password change
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.1.1.1.2.48 Set 'Network access: Do not allow storage of credentials or .NET Passports for network authentication' to 'Enabled'
X Scored To implement the recommended configuration state, set the following Group Policy setting to 1.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Do not allow storage of credentials or .NET Passports for network authentication
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.1.1.1.2.64 Set 'Interactive logon: Prompt user to change password before expiration' to '14'
X Scored To implement the recommended configuration state, set the following Group Policy setting to 14.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Prompt user to change password before expiration
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.1.1.4.1 Password Policy
1.1.1.4.1.5 Set 'Store passwords using reversible encryption' to 'Disabled'
X Scored To implement the recommended configuration state, set the following Group Policy setting to False.
Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\Store passwords using reversible encryption
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2889-4
1.2.1.1.1.1 Standard Profile
1.2.1.1.1.1.1 Set 'Windows Firewall: Allow ICMP exceptions' to 'Disabled' X Scored To implement the recommended configuration state, set the following Group Policy setting to Disabled.
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.2.1.1.1.1.2 Set 'Windows Firewall: Allow inbound Remote Desktop exceptions' to 'Disabled'
X Scored To implement the recommended configuration state, set the following Group Policy setting to Disabled.
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.2.1.1.1.1.3 Configure 'Windows Firewall: Prohibit notifications' X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
1.2.1.1.1.1.4 Set 'Windows Firewall: Prohibit unicast response to multicast or broadcast requests' to 'Enabled'
X Scored To implement the recommended configuration state, set the following Group Policy setting to Enabled.
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile\Windows Firewall: Prohibit unicast response to multicast or broadcast requests
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.2.1.1.1.1.6 Configure 'Windows Firewall: Do not allow exceptions' X unscored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile\Windows Firewall: Do not allow exceptions
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.2.1.1.1.1.8 Set 'Windows Firewall: Allow local port exceptions' to 'Disabled'
X Scored To implement the recommended configuration state, set the following Group Policy setting to Disabled.
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile\Windows Firewall: Allow local port exceptions
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.2.1.1.1.1.9 Configure 'Windows Firewall: Define inbound port exceptions'
X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
1.2.1.1.1.1.10 Configure 'Windows Firewall: Define inbound program exceptions'
X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.2.1.1.1.1.13 Configure 'Windows Firewall: Allow local program exceptions'
X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile\Windows Firewall: Allow local program exceptions
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
Complete details on Description, Rationale and Impact for each security configuration recommendation are contained in the full CIS Microsoft Windows XP Benchmark v3.1.0, available at: https://benchmarks.cisecurity.org/downloads/show-single/?file=winxp.310
CIS MS Win XP Pro Benchmark v3.1.0
Recommendation # | CIS Benchmark Section Title | CIS Benchmark Remediation Procedure | CIS Benchmark Audit Procedure
1.2.1.1.1.2 Domain Profile
1.2.1.1.1.2.1 Set 'Windows Firewall: Allow ICMP exceptions' to 'Disabled'
X Scored To implement the recommended configuration state, set the following Group Policy setting to Disabled.
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.2.1.1.1.2.2 Set 'Windows Firewall: Allow local program exceptions' to 'Disabled'
X Scored To implement the recommended configuration state, set the following Group Policy setting to Disabled.
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile\Windows Firewall: Allow local program exceptions
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.2.1.1.1.2.4 Configure 'Windows Firewall: Define inbound port exceptions'
X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
1.2.1.1.1.2.5 Configure 'Windows Firewall: Define inbound program exceptions'
X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
1.2.1.1.1.2.6 Configure 'Windows Firewall: Prohibit notifications'
X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
1.2.1.1.1.2.7 Set 'Windows Firewall: Prohibit unicast response to multicast or broadcast requests' to 'Enabled'
X Scored To implement the recommended configuration state, set the following Group Policy setting to Enabled.
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile\Windows Firewall: Prohibit unicast response to multicast or broadcast requests
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.2.1.1.1.2.9 Configure 'Windows Firewall: Do not allow exceptions'
X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile\Windows Firewall: Do not allow exceptions
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.2.1.1.1.2.13 Set 'Windows Firewall: Allow local port exceptions' to 'Disabled'
X Scored To implement the recommended configuration state, set the following Group Policy setting to Disabled.
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile\Windows Firewall: Allow local port exceptions
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.2.3.1.3 Set 'No auto-restart with logged on users for scheduled automatic updates installations' to 'Disabled'
X Scored To implement the recommended configuration state, set the following Group Policy setting to Disabled.
Computer Configuration\Administrative Templates\Windows Components\Windows Update\No auto-restart with logged on users for scheduled automatic updates installations
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.2.3.1.4 Set 'Do not display 'Install Updates and Shut Down' option in Shut Down Windows dialog box' to 'Disabled'
X Scored To implement the recommended configuration state, set the following Group Policy setting to Disabled.
Computer Configuration\Administrative Templates\Windows Components\Windows Update\Do not display 'Install Updates and Shut Down' option in Shut Down Windows dialog box
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.2.3.1.5 Set 'Do not adjust default option to 'Install Updates and Shut Down' in Shut Down Windows dialog box' to 'Disabled'
X Scored To implement the recommended configuration state, set the following Group Policy setting to Disabled.
Computer Configuration\Administrative Templates\Windows Components\Windows Update\Do not adjust default option to 'Install Updates and Shut Down' in Shut Down Windows dialog box
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.2.3.1.6 Configure 'Specify intranet Microsoft update service location'
X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Administrative Templates\Windows Components\Windows Update\Specify intranet Microsoft update service location
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
IEC/TR 80001-2-2 Security Capability
Cyber security product upgrades (CSUP)
1.2.3.1.7 Configure 'Set the intranet statistics server'
X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Administrative Templates\Windows Components\Windows Update:Set the intranet statistics server
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
1.2.3.1.8 Configure 'Set the intranet update service for detecting updates'
X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Administrative Templates\Windows Components\Windows Update:Set the intranet update service for detecting updates
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
1.1.1.1.1 User Rights Assignment
1.1.1.1.1.16 Configure 'Back up files and directories'
X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Back up files and directories
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization.
CCE-2299-6
1.1.1.1.1.17 Configure 'Restore files and directories'
X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Restore files and directories
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization.
CCE-2847-2
1.1.1.1.2 Security Options
1.1.1.1.2.10 Configure 'Audit: Audit the use of Backup and Restore privilege'
X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Audit: Audit the use of Backup and Restore privilege
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
1.1.1.1.2.58 Configure 'Recovery console: Allow floppy copy and access to all drives and all folders'
X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Recovery console: Allow floppy copy and access to all drives and all folders
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
IEC/TR 80001-2-2 Security Capability
Malware detection/protection (MLDP)
Alignment Total 6
1.1.1.1.2 Security Options
1.1.1.1.2.4 Configure 'System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies'
X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.2.3.4 AutoPlay Policies
1.2.3.4.1 Set 'Turn off Autoplay' to 'Enabled:All drives'
X Scored To implement the recommended configuration state, set the following Group Policy setting to Enabled. Then set the available option to All drives.
Computer Configuration\Administrative Templates\Windows Components\AutoPlay Policies\Turn off Autoplay
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
2.1.2.2 Attachment Manager
2.1.2.2.1 Set 'Hide mechanisms to remove zone information' to 'Enabled'
X Scored To implement the recommended configuration state, set the following Group Policy setting to Enabled.
User Configuration\Administrative Templates\Windows Components\Attachment Manager\Hide mechanisms to remove zone information
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
2.1.2.2.2 Set 'Notify antivirus programs when opening attachments' to 'Enabled'
X Scored To implement the recommended configuration state, set the following Group Policy setting to Enabled.
User Configuration\Administrative Templates\Windows Components\Attachment Manager\Notify antivirus programs when opening attachments
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
2.1.2.2.3 Set 'Do not preserve zone information in file attachments' to 'Disabled'
X Scored To implement the recommended configuration state, set the following Group Policy setting to Disabled.
User Configuration\Administrative Templates\Windows Components\Attachment Manager\Do not preserve zone information in file attachments
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
IEC/TR 80001-2-2 Security Capability
Node authentication (NAUT)
Alignment Total 12
1.1.1.1.2 Security Options
1.1.1.1.2.2 Set 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' to 'Require message integrity, Require message confidentiality, Require NTLMv2 session security, Require 128-bit encryption'
X Scored To implement the recommended configuration state, set the following Group Policy setting to 537395248.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Minimum session security for NTLM SSP based (including secure RPC) servers
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.1.1.1.2.6 Set 'Domain member: Digitally encrypt or sign secure channel data (always)' to 'Enabled'
X Scored To implement the recommended configuration state, set the following Group Policy setting to 1.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Domain member: Digitally encrypt or sign secure channel data (always)
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.1.1.1.2.22 Set 'Domain member: Disable machine account password changes' to 'Disabled'
X Scored To implement the recommended configuration state, set the following Group Policy setting to 0.
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.1.1.1.2.45 Set 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' to 'Require message integrity, Require message confidentiality, Require NTLMv2 session security, Require 128-bit encryption'
X Scored To implement the recommended configuration state, set the following Group Policy setting to 537395248.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Minimum session security for NTLM SSP based (including secure RPC) clients
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
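The value 537395248 prescribed for both NTLM SSP minimum session security settings (servers and clients) is a bitmask of the four requirements named in the setting title. The following is an added example, not part of the CIS benchmark, that decodes an observed value and reports which requirements are missing; the individual bit values are the NTLMSSP negotiate flags and are an assumption not stated on this page, and the sample values are constructed.

```python
"""Decode the NTLM SSP minimum-session-security bitmask (added example)."""

# Bit values of the four requirements named in the setting title.
# Assumption: these are the NTLMSSP negotiate flags the policy stores
# together as one DWORD; they are not listed in the mapping document.
FLAGS = {
    0x00000010: "Require message integrity",
    0x00000020: "Require message confidentiality",
    0x00080000: "Require NTLMv2 session security",
    0x20000000: "Require 128-bit encryption",
}

# Value prescribed by the benchmark for both the client and server settings.
BENCHMARK_VALUE = 537395248


def decode(value):
    """Return the requirement names whose bits are set in value."""
    return [name for bit, name in sorted(FLAGS.items()) if value & bit]


def audit(value, required=BENCHMARK_VALUE):
    """Compare an observed DWORD with the required mask.

    A host is compliant when every required bit is present. Bits outside
    the four known flags are reported so a mistyped value is not missed.
    """
    known = 0
    for bit in FLAGS:
        known |= bit
    missing = required & ~value
    return {
        "compliant": missing == 0,
        "enabled": decode(value),
        "missing": decode(missing),
        "unknown_bits": value & ~known & 0xFFFFFFFF,
    }


if __name__ == "__main__":
    # Constructed sample values, as they might be read during an audit.
    samples = {
        "benchmark": 537395248,
        "ntlmv2+128 only": 0x20080000,
        "not configured": 0,
    }
    for label, val in samples.items():
        result = audit(val)
        print(f"{label:16} 0x{val:08X} compliant={result['compliant']}")
        for name in result["missing"]:
            print(f"    missing: {name}")
```
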
1.2.2.1 Remote Procedure Call
1.2.2.1.1 Set 'Restrictions for Unauthenticated RPC clients' to 'Enabled:Authenticated'
X Scored To implement the recommended configuration state, set the following Group Policy setting to Enabled. Then set the available option to Authenticated.
Computer Configuration\Administrative Templates\System\Remote Procedure Call\Restrictions for Unauthenticated RPC clients
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.1.1.1.1 User Rights Assignment
1.1.1.1.1.30 Set 'Impersonate a client after authentication' to 'Administrators, SERVICE, Local Service, Network Service'
X Scored To implement the recommended configuration state, set the following Group Policy setting to Administrators, SERVICE, Local Service, Network Service.
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Impersonate a client after authentication
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2737-5
1.1.1.1.2 Security Options
1.1.1.1.2.3 Configure 'Network access: Restrict anonymous access to Named Pipes and Shares'
X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Restrict anonymous access to Named Pipes and Shares
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.1.1.1.2.14 Set 'Interactive logon: Do not require CTRL+ALT+DEL' to 'Disabled'
X Scored To implement the recommended configuration state, set the following Group Policy setting to 0.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Do not require CTRL+ALT+DEL
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.1.1.1.2.21 Set 'Interactive logon: Number of previous logons to cache (in case domain controller is not available)' to '2'
X Scored To implement the recommended configuration state, set the following Group Policy setting to 2.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Number of previous logons to cache (in case domain controller is not available)
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.1.1.1.2.23 Set 'Network access: Sharing and security model for local accounts' to 'Classic - local users authenticate as themselves'
X Scored To implement the recommended configuration state, set the following Group Policy setting to 0.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Sharing and security model for local accounts
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
IEC/TR 80001-2-2 Security Capability
Person authentication (PAUT)
1.1.1.1.2.28 Set 'Network access: Shares that can be accessed anonymously' to 'comcfg dfs$'
X Scored To implement the recommended configuration state, set the following Group Policy setting to comcfg dfs$.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Shares that can be accessed anonymously
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.1.1.1.2.35 Set 'Accounts: Limit local account use of blank passwords to console logon only' to 'Enabled'
X Scored To implement the recommended configuration state, set the following Group Policy setting to 1.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Accounts: Limit local account use of blank passwords to console logon only
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.1.1.1.2.54 Set 'Accounts: Guest account status' to 'Disabled'
X Scored To implement the recommended configuration state, set the following Group Policy setting to 0.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Accounts: Guest account status
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-3040-3
1.1.1.1.2.62 Configure 'Interactive logon: Require smart card'
X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
1.1.1.1.2.64 Set 'Interactive logon: Prompt user to change password before expiration' to '14'
X Scored To implement the recommended configuration state, set the following Group Policy setting to 14.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Prompt user to change password before expiration
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.1.1.1.2.68 Set 'Recovery console: Allow automatic administrative logon' to 'Disabled'
X Scored To implement the recommended configuration state, set the following Group Policy setting to 0.
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.1.1.4.1 Password Policy
1.1.1.4.1.1 Set 'Password must meet complexity requirements' to 'Enabled'
X Scored To implement the recommended configuration state, set the following Group Policy setting to True.
Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\Password must meet complexity requirements
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2735-9
1.1.1.4.1.2 Set 'Minimum password length' to '14'
X Scored To implement the recommended configuration state, set the following Group Policy setting to 14.
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2981-9
1.1.1.4.1.3 Set 'Enforce password history' to '24'
X Scored To implement the recommended configuration state, set the following Group Policy setting to 24.
Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\Enforce password history
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2994-2
1.1.1.4.1.4 Set 'Maximum password age' to '60' or less
X Scored To implement the recommended configuration state, set the following Group Policy setting to 60 or less.
Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\Maximum password age
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2920-7
1.1.1.4.1.6 Set 'Minimum password age' to '1' or higher
X Scored To implement the recommended configuration state, set the following Group Policy setting to 1 or higher.
Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\Minimum password age
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2439-8
1.1.1.4.2 Account Lockout Policy
1.1.1.4.2.1 Set 'Account lockout threshold' to '50' or less
X Scored To implement the recommended configuration state, set the following Group Policy setting to 50 or less.
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2986-8
1.1.1.4.2.2 Set 'Reset account lockout counter after' to '15' or higher
X Scored To implement the recommended configuration state, set the following Group Policy setting to 15 or higher.
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2466-1
1.1.1.4.2.3 Set 'Account lockout duration' to '15' or higher
X Scored To implement the recommended configuration state, set the following Group Policy setting to 15 or higher.
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2928-0
1.2.3.3.2.3 Security
1.2.3.3.2.3.1 Set 'Always prompt for password upon connection' to 'Enabled'
X Scored To implement the recommended configuration state, set the following Group Policy setting to Enabled.
Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security\Always prompt for password upon connection
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
2.1.1.1 Power Management
2.1.1.1.1 Set 'Prompt for password on resume from hibernate / suspend' to 'Enabled'
X Scored To implement the recommended configuration state, set the following Group Policy setting to Enabled.
User Configuration\Administrative Templates\System\Power Management\Prompt for password on resume from hibernate / suspend
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.1.1.1.2 Security Options
1.1.1.1.2.2 Set 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' to 'Require message integrity,Require message confidentiality,Require NTLMv2 session security,Require 128-bit encryption'
X Scored To implement the recommended configuration state, set the following Group Policy setting to 537395248.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Minimum session security for NTLM SSP based (including secure RPC) servers
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.1.1.1.2.6 Set 'Domain member: Digitally encrypt or sign secure channel data (always)' to 'Enabled'
X Scored To implement the recommended configuration state, set the following Group Policy setting to 1.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Domain member: Digitally encrypt or sign secure channel data (always)
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.1.1.1.2.19 Configure 'System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing'
X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
IEC/TR 80001-2-2 Security Capability
Transmission confidentiality (TXCF)
CCE-ID
1.1.1.1.2.45 Set 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' to 'Require message integrity,Require message confidentiality,Require NTLMv2 session security,Require 128-bit encryption'
X Scored To implement the recommended configuration state, set the following Group Policy setting to 537395248.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Minimum session security for NTLM SSP based (including secure RPC) clients
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
1.1.1.1.2.2 Set 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' to 'Require message integrity,Require message confidentiality,Require NTLMv2 session security,Require 128-bit encryption'
X Scored To implement the recommended configuration state, set the following Group Policy setting to 537395248.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Minimum session security for NTLM SSP based (including secure RPC) servers
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.1.1.1.2.6 Set 'Domain member: Digitally encrypt or sign secure channel data (always)' to 'Enabled'
X Scored To implement the recommended configuration state, set the following Group Policy setting to 1.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Domain member: Digitally encrypt or sign secure channel data (always)
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
IEC/TR 80001-2-2 Security Capability
Transmission integrity (TXIG)
CCE-ID
1.1.1.1.2.19 Configure 'System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing'
X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.1.1.1.2.45 Set 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' to 'Require message integrity,Require message confidentiality,Require NTLMv2 session security,Require 128-bit encryption'
X Scored To implement the recommended configuration state, set the following Group Policy setting to 537395248.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Minimum session security for NTLM SSP based (including secure RPC) clients
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1 Computer Configuration
1.1 Windows Settings
1.1.1 Security Settings
1.1.1.1 Local Policies
1.1.1.1.1 User Rights Assignment
1.1.1.1.1.2 Set 'Allow log on locally' to 'Administrators, Users' X X Scored To implement the recommended configuration state, set the following Group Policy setting to Administrators, Users.
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Allow log on locally
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2829-0
1.1.1.1.1.3 Set 'Debug programs' to 'Administrators' X X Scored To implement the recommended configuration state, set the following Group Policy setting to Administrators.
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Debug programs
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2864-7
1.1.1.1.1.5 Set 'Perform volume maintenance tasks' to 'Administrators' X X Scored To implement the recommended configuration state, set the following Group Policy setting to Administrators.
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Perform volume maintenance tasks
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2960-3
1.1.1.1.1.6 Set 'Bypass traverse checking' to 'Administrators, Users, Local Service, Network Service'
X X Scored To implement the recommended configuration state, set the following Group Policy setting to Administrators, Users, Local Service, Network Service.
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Bypass traverse checking
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2806-8
1.1.1.1.1.9 Set 'Modify firmware environment values' to 'Administrators' X X Scored To implement the recommended configuration state, set the following Group Policy setting to Administrators.
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Modify firmware environment values
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2657-5
1.1.1.1.1.10 Set 'Enable computer and user accounts to be trusted for delegation' to 'No One'
X X Scored To implement the recommended configuration state, set the following Group Policy setting to No One.
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Enable computer and user accounts to be trusted for delegation
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2982-7
3. Mapping of Scored (Only) CIS Microsoft Windows XP Benchmark v3.1.0 Recommendations to All Applicable IEC/TR 80001-2-2 Security Capabilities
1.1.1.1.1.11 Set 'Deny log on as a batch job' to 'Guests, Support_388945a0'
X X Scored To implement the recommended configuration state, set the following Group Policy setting to Guests, Support_388945a0.
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny log on as a batch job
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2898-5
1.1.1.1.1.13 Set 'Adjust memory quotas for a process' to 'Administrators, Local Service, Network Service'
X X Scored To implement the recommended configuration state, set the following Group Policy setting to Administrators, Local Service, Network Service.
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Adjust memory quotas for a process
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2547-8
1.1.1.1.1.15 Set 'Shut down the system' to 'Administrators, Users' X X Scored To implement the recommended configuration state, set the following Group Policy setting to Administrators, Users.
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Shut down the system
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2366-3
1.1.1.1.1.18 Set 'Take ownership of files or other objects' to 'Administrators'
X X Scored To implement the recommended configuration state, set the following Group Policy setting to Administrators.
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Take ownership of files or other objects
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2021-4
1.1.1.1.1.19 Set 'Profile system performance' to 'Administrators' X X Scored To implement the recommended configuration state, set the following Group Policy setting to Administrators.
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Profile system performance
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2675-7
1.1.1.1.1.21 Set 'Increase scheduling priority' to 'Administrators' X X Scored To implement the recommended configuration state, set the following Group Policy setting to Administrators.
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Increase scheduling priority
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2944-7
1.1.1.1.1.22 Set 'Manage auditing and security log' to 'Administrators' X X X Scored To implement the recommended configuration state, set the following Group Policy setting to Administrators.
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Manage auditing and security log
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2247-5
1.1.1.1.1.23 Set 'Deny log on locally' to 'Guests, Support_388945a0' X X Scored To implement the recommended configuration state, set the following Group Policy setting to Guests, Support_388945a0.
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny log on locally
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
1.1.1.1.1.24 Set 'Create a pagefile' to 'Administrators' X X Scored To implement the recommended configuration state, set the following Group Policy setting to Administrators.
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Create a pagefile
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2786-2
1.1.1.1.1.25 Set 'Access this computer from the network' to 'Users, Administrators'
X X Scored To implement the recommended configuration state, set the following Group Policy setting to Users, Administrators.
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Access this computer from the network
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2379-6
1.1.1.1.1.26 Set 'Lock pages in memory' to 'No One' X X Scored To implement the recommended configuration state, set the following Group Policy setting to No One.
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Lock pages in memory
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2609-6
1.1.1.1.1.27 Set 'Deny access to this computer from the network' to 'Support_388945a0, Guests'
X X Scored To implement the recommended configuration state, set the following Group Policy setting to Support_388945a0, Guests.
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny access to this computer from the network
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-1978-6
1.1.1.1.1.28 Set 'Generate security audits' to 'Local Service, Network Service'
X X X Scored To implement the recommended configuration state, set the following Group Policy setting to Local Service, Network Service.
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Generate security audits
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2767-2
1.1.1.1.1.30 Set 'Impersonate a client after authentication' to 'Administrators, SERVICE, Local Service, Network Service'
X X X Scored To implement the recommended configuration state, set the following Group Policy setting to Administrators, SERVICE, Local Service, Network Service.
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Impersonate a client after authentication
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2737-5
1.1.1.1.1.31 Set 'Replace a process level token' to 'Local Service, Network Service'
X X Scored To implement the recommended configuration state, set the following Group Policy setting to Local Service, Network Service.
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Replace a process level token
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
1.1.1.1.1.32 Set 'Load and unload device drivers' to 'Administrators' X X Scored To implement the recommended configuration state, set the following Group Policy setting to Administrators.
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Load and unload device drivers
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2446-3
1.1.1.1.1.33 Set 'Act as part of the operating system' to 'No One' X X Scored To implement the recommended configuration state, set the following Group Policy setting to No One.
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Act as part of the operating system
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2167-5
1.1.1.1.1.36 Set 'Force shutdown from a remote system' to 'Administrators'
X X Scored To implement the recommended configuration state, set the following Group Policy setting to Administrators.
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Force shutdown from a remote system
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2886-0
1.1.1.1.1.37 Set 'Change the system time' to 'Administrators' X X Scored To implement the recommended configuration state, set the following Group Policy setting to Administrators.
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Change the system time
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2846-4
1.1.1.1.2 Security Options
1.1.1.1.2.2 Set 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' to 'Require message integrity,Require message confidentiality,Require NTLMv2 session security,Require 128-bit encryption'
X X X X Scored To implement the recommended configuration state, set the following Group Policy setting to 537395248.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Minimum session security for NTLM SSP based (including secure RPC) servers
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.1.1.1.2.6 Set 'Domain member: Digitally encrypt or sign secure channel data (always)' to 'Enabled'
X X X X Scored To implement the recommended configuration state, set the following Group Policy setting to 1.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Domain member: Digitally encrypt or sign secure channel data (always)
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.1.1.1.2.11 Set 'Accounts: Administrator account status' to 'Disabled' X X Scored To implement the recommended configuration state, set the following Group Policy setting to 0.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Accounts: Administrator account status
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2943-9
1.1.1.1.2.12 Set 'Microsoft network client: Digitally sign communications (always)' to 'Enabled'
X X Scored To implement the recommended configuration state, set the following Group Policy setting to 1.
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.1.1.1.2.13 Set 'Network access: Let Everyone permissions apply to anonymous users' to 'Disabled'
X X Scored To implement the recommended configuration state, set the following Group Policy setting to 0.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Let Everyone permissions apply to anonymous users
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.1.1.1.2.14 Set 'Interactive logon: Do not require CTRL+ALT+DEL' to 'Disabled'
X X X Scored To implement the recommended configuration state, set the following Group Policy setting to 0.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Do not require CTRL+ALT+DEL
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.1.1.1.2.16 Set 'Network access: Do not allow anonymous enumeration of SAM accounts' to 'Enabled'
X X Scored To implement the recommended configuration state, set the following Group Policy setting to 1.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Do not allow anonymous enumeration of SAM accounts
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.1.1.1.2.18 Set 'Domain member: Maximum machine account password age' to '30'
X X Scored To implement the recommended configuration state, set the following Group Policy setting to 30.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Domain member: Maximum machine account password age
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-3018-9
1.1.1.1.2.19 Configure 'System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing'
X X X X Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.1.1.1.2.21 Set 'Interactive logon: Number of previous logons to cache (in case domain controller is not available)' to '2'
X X Scored To implement the recommended configuration state, set the following Group Policy setting to 2.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Number of previous logons to cache (in case domain controller is not available)
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.1.1.1.2.23 Set 'Network access: Sharing and security model for local accounts' to 'Classic - local users authenticate as themselves'
X X X Scored To implement the recommended configuration state, set the following Group Policy setting to 0.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Sharing and security model for local accounts
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2973-6
1.1.1.1.2.26 Set 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' to 'Enabled'
X X Scored To implement the recommended configuration state, set the following Group Policy setting to 1.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Do not allow anonymous enumeration of SAM accounts and shares
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.1.1.1.2.28 Set 'Network access: Shares that can be accessed anonymously' to 'comcfg dfs$'
X X X Scored To implement the recommended configuration state, set the following Group Policy setting to comcfg dfs$.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Shares that can be accessed anonymously
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.1.1.1.2.31 Set 'Network access: Remotely accessible registry paths and sub-paths' as recommended
X X Scored To implement the recommended configuration state, set the following Group Policy setting to System\CurrentControlSet\Control\ProductOptions, System\CurrentControlSet\Control\Print\Printers, System\CurrentControlSet\Control\Server Applications, System\CurrentControlSet\Services\Eventlog, Software\Microsoft\OLAP Server, Software\Microsoft\Windows NT\CurrentVersion, System\CurrentControlSet\Control\ContentIndex, System\CurrentControlSet\Control\Terminal Server, System\CurrentControlSet\Control\Terminal Server\UserConfig, System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration.
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.1.1.1.2.32 Set 'Microsoft network server: Amount of idle time required before suspending session' to '15'
X X Scored To implement the recommended configuration state, set the following Group Policy setting to 15.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network server: Amount of idle time required before suspending session
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.1.1.1.2.34 Set 'Shutdown: Clear virtual memory pagefile' to 'Disabled' X Scored To implement the recommended configuration state, set the following Group Policy setting to 0.
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.1.1.1.2.35 Set 'Accounts: Limit local account use of blank passwords to console logon only' to 'Enabled'
X X Scored To implement the recommended configuration state, set the following Group Policy setting to 1.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Accounts: Limit local account use of blank passwords to console logon only
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.1.1.1.2.37 Set 'System objects: Default owner for objects created by members of the Administrators group' to 'Object creator'
X Scored To implement the recommended configuration state, set the following Group Policy setting to 1.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\System objects: Default owner for objects created by members of the Administrators group
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.1.1.1.2.38 Set 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' to 'Highest protection, source routing is completely disabled'
X Scored To implement the recommended configuration state, set the following Group Policy setting to 2.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.1.1.1.2.40 Set 'Interactive logon: Do not display last user name' to 'Enabled'
X Scored To implement the recommended configuration state, set the following Group Policy setting to 1.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Do not display last user name
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.1.1.1.2.44 Set 'Network security: Do not store LAN Manager hash value on next password change' to 'Enabled'
X X Scored To implement the recommended configuration state, set the following Group Policy setting to 1.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Do not store LAN Manager hash value on next password change
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.1.1.1.2.45 Set 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' to 'Require message integrity,Require message confidentiality,Require NTLMv2 session security,Require 128-bit encryption'
X X X X Scored To implement the recommended configuration state, set the following Group Policy setting to 537395248.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Minimum session security for NTLM SSP based (including secure RPC) clients
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
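The value 537395248 in recommendation 1.1.1.1.2.45 is a bitmask of the four named requirements. The following added example (not part of the CIS benchmark) decodes such a value and reports which requirements are missing; the bit assignments are the NTLMSSP negotiate flags Windows uses for this setting, and the sample values are constructed.

```python
"""Added example: decode the 'Minimum session security for NTLM SSP' DWORD."""

# Bit assignments Windows uses for this policy (NTLMSSP negotiate flags).
FLAGS = {
    0x00000010: "Require message integrity",
    0x00000020: "Require message confidentiality",
    0x00080000: "Require NTLMv2 session security",
    0x20000000: "Require 128-bit encryption",
}
RECOMMENDED = 537395248  # value given in recommendation 1.1.1.1.2.45


def decode(value):
    """Return (names of the requirements set, bits matching no known flag)."""
    names = [name for bit, name in FLAGS.items() if value & bit]
    unknown = value & ~sum(FLAGS)
    return names, unknown


def missing(value, required=RECOMMENDED):
    """Requirements present in `required` but absent from `value`."""
    have, _ = decode(value)
    want, _ = decode(required)
    return [name for name in want if name not in have]


def compliant(value, required=RECOMMENDED):
    """Extra bits do not weaken the setting; only missing ones fail."""
    return value & required == required


if __name__ == "__main__":
    # Constructed sample values an auditor might read back from a host.
    for sample in (0, 524288, 536870912, 537395248):
        names, unknown = decode(sample)
        status = "OK" if compliant(sample) else "FAIL"
        print(f"{sample:>10} (0x{sample:08X}) {status}")
        for name in names:
            print(f"             set:     {name}")
        for name in missing(sample):
            print(f"             missing: {name}")
        if unknown:
            print(f"             unknown bits: 0x{unknown:08X}")
```
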
1.1.1.1.2.48 Set 'Network access: Do not allow storage of credentials or .NET Passports for network authentication' to 'Enabled'
X X Scored To implement the recommended configuration state, set the following Group Policy setting to 1.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Do not allow storage of credentials or .NET Passports for network authentication
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.1.1.1.2.50 Set 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' to '90'
X X Scored To implement the recommended configuration state, set the following Group Policy setting to 90.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.1.1.1.2.54 Set 'Accounts: Guest account status' to 'Disabled' X X Scored To implement the recommended configuration state, set the following Group Policy setting to 0.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Accounts: Guest account status
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-3040-3
1.1.1.1.2.55 Set 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' to 'Enabled'
X Scored To implement the recommended configuration state, set the following Group Policy setting to 1.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.1.1.1.2.57 Set 'Devices: Allowed to format and eject removable media' to 'Administrators and Interactive Users'
X X Scored To implement the recommended configuration state, set the following Group Policy setting to 2.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Devices: Allowed to format and eject removable media
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.1.1.1.2.60 Set 'Audit: Shut down system immediately if unable to log security audits' to 'Disabled'
X X Scored To implement the recommended configuration state, set the following Group Policy setting to 0.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Audit: Shut down system immediately if unable to log security audits
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.1.1.1.2.63 Set 'System objects: Require case insensitivity for non-Windows subsystems' to 'Enabled'
X Scored To implement the recommended configuration state, set the following Group Policy setting to 1.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\System objects: Require case insensitivity for non-Windows subsystems
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.1.1.1.2.64 Set 'Interactive logon: Prompt user to change password before expiration' to '14'
X X X Scored To implement the recommended configuration state, set the following Group Policy setting to 14.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Prompt user to change password before expiration
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.1.1.1.2.66 Set 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' to '0'
X X Scored To implement the recommended configuration state, set the following Group Policy setting to 0.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.1.1.1.3 Audit Policy
1.1.1.1.3.4 Set 'Audit process tracking' to 'No Auditing'
X X Scored To implement the recommended configuration state, set the following Group Policy setting to No Auditing.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit process tracking
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2816-7
1.1.1.1.3.5 Set 'Audit privilege use' to 'Failure' X X Scored To implement the recommended configuration state, set the following Group Policy setting to Failure.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit privilege use
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2913-2
1.1.1.1.3.6 Set 'Audit account management' to 'Success, Failure' X X Scored To implement the recommended configuration state, set the following Group Policy setting to Success, Failure.
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2902-5
1.1.1.1.3.7 Set 'Audit policy change' to 'Success' X X Scored To implement the recommended configuration state, set the following Group Policy setting to Success.
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2971-0
1.1.1.1.3.8 Set 'Audit system events' to 'Success' X X Scored To implement the recommended configuration state, set the following Group Policy setting to Success.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit system events
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
1.1.1.1.3.9 Set 'Audit logon events' to 'Success, Failure' X X Scored To implement the recommended configuration state, set the following Group Policy setting to Success, Failure.
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2904-1
1.1.1.2.5 Set 'Maximum system log size' to '16384' X X Scored To implement the recommended configuration state, set the following Group Policy setting to 16384.
Computer Configuration\Windows Settings\Security Settings\Event Log\Maximum system log size
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-3006-4
1.1.1.2.6 Set 'Prevent local guests group from accessing security log' to 'Enabled'
X X X Scored To implement the recommended configuration state, set the following Group Policy setting to True.
Computer Configuration\Windows Settings\Security Settings\Event Log\Prevent local guests group from accessing security log
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2794-6
1.1.1.2.7 Set 'Retention method for security log' to 'Overwrites events as needed'
X X Scored To implement the recommended configuration state, set the following Group Policy setting to WhenNeeded.
Computer Configuration\Windows Settings\Security Settings\Event Log\Retention method for security log
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2336-6
1.1.1.2.8 Set 'Retention method for application log' to 'Overwrites events as needed'
X X Scored To implement the recommended configuration state, set the following Group Policy setting to WhenNeeded.
Computer Configuration\Windows Settings\Security Settings\Event Log\Retention method for application log
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-3014-8
1.1.1.2.9 Set 'Maximum security log size' to '81920' X X Scored To implement the recommended configuration state, set the following Group Policy setting to 81920.
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.1.1.3.25 Set 'Routing and Remote Access' to 'Disabled' X Scored To implement the recommended configuration state, set the following Group Policy setting to 4.
Computer Configuration\Windows Settings\Security Settings\System Services\Routing and Remote Access
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.1.1.4.1.2 Set 'Minimum password length' to '14' X X Scored To implement the recommended configuration state, set the following Group Policy setting to 14.
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2981-9
1.1.1.4.1.3 Set 'Enforce password history' to '24' X X Scored To implement the recommended configuration state, set the following Group Policy setting to 24.
Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\Enforce password history
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2994-2
1.1.1.4.1.4 Set 'Maximum password age' to '60' or less X X Scored To implement the recommended configuration state, set the following Group Policy setting to 60 or less.
Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\Maximum password age
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2920-7
1.1.1.4.1.5 Set 'Store passwords using reversible encryption' to 'Disabled'
X X Scored To implement the recommended configuration state, set the following Group Policy setting to False.
Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\Store passwords using reversible encryption
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2889-4
1.1.1.4.1.6 Set 'Minimum password age' to '1' or higher X X Scored To implement the recommended configuration state, set the following Group Policy setting to 1 or higher.
Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\Minimum password age
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2439-8
1.1.1.4.2 Account Lockout Policy
1.1.1.4.2.1 Set 'Account lockout threshold' to '50' or less
X X Scored To implement the recommended configuration state, set the following Group Policy setting to 50 or less.
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2986-8
1.1.1.4.2.2 Set 'Reset account lockout counter after' to '15' or higher X X Scored To implement the recommended configuration state, set the following Group Policy setting to 15 or higher.
1.1.1.4.2.3 Set 'Account lockout duration' to '15' or higher X X Scored To implement the recommended configuration state, set the following Group Policy setting to 15 or higher.
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2928-0
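The audit policy, password policy and account lockout recommendations above can also be confirmed offline from a security template exported with `secedit /export`. The following added example (not part of the CIS benchmark) parses such an export and applies the values listed in this document; the sample export is constructed, and treating `MaximumPasswordAge = -1` (never expires) and `LockoutBadCount = 0` (lockout disabled) as failures is an assumption of this example rather than wording from the benchmark.

```python
"""Added example: check a secedit export against the values in this document."""

# Constructed sample. Real exports are UTF-16; decode the file before parsing.
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = -1
MinimumPasswordLength = 8
PasswordHistorySize = 24
LockoutBadCount = 0
ClearTextPassword = 0
[Event Audit]
AuditSystemEvents = 1
AuditLogonEvents = 1
AuditPrivilegeUse = 2
AuditPolicyChange = 1
AuditAccountManage = 3
AuditProcessTracking = 0
"""

# [Event Audit] encoding: 0 No Auditing, 1 Success, 2 Failure, 3 Success, Failure
CHECKS = [
    # (section, key, expected as worded in this document, predicate)
    ("System Access", "MinimumPasswordLength", "14", lambda v: v == 14),
    ("System Access", "PasswordHistorySize", "24", lambda v: v == 24),
    # -1 means "never expires" and would slip through a bare "<= 60" test.
    ("System Access", "MaximumPasswordAge", "60 or less", lambda v: 1 <= v <= 60),
    ("System Access", "MinimumPasswordAge", "1 or higher", lambda v: v >= 1),
    ("System Access", "ClearTextPassword", "Disabled", lambda v: v == 0),
    # 0 disables lockout and would slip through a bare "<= 50" test.
    ("System Access", "LockoutBadCount", "50 or less", lambda v: 1 <= v <= 50),
    ("System Access", "ResetLockoutCount", "15 or higher", lambda v: v >= 15),
    ("System Access", "LockoutDuration", "15 or higher", lambda v: v >= 15),
    ("Event Audit", "AuditProcessTracking", "No Auditing", lambda v: v == 0),
    ("Event Audit", "AuditPrivilegeUse", "Failure", lambda v: v == 2),
    ("Event Audit", "AuditAccountManage", "Success, Failure", lambda v: v == 3),
    ("Event Audit", "AuditPolicyChange", "Success", lambda v: v == 1),
    ("Event Audit", "AuditSystemEvents", "Success", lambda v: v == 1),
    ("Event Audit", "AuditLogonEvents", "Success, Failure", lambda v: v == 3),
]


def parse_inf(text):
    """Parse '[Section]' / 'Key = Value' lines into {section: {key: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return sections


def to_int(value):
    try:
        return int(value)
    except (TypeError, ValueError):
        return None


def audit(text):
    """Return [(key, actual or None, expected, passed)] for every check."""
    sections = parse_inf(text)
    results = []
    for section, key, expected, ok in CHECKS:
        value = to_int(sections.get(section, {}).get(key))
        results.append((key, value, expected, value is not None and ok(value)))
    return results


def failures(text):
    """Map each failing key to the value found (None when the key is absent)."""
    return {key: value for key, value, _, passed in audit(text) if not passed}


if __name__ == "__main__":
    for key, value, expected, passed in audit(SAMPLE_EXPORT):
        shown = "absent" if value is None else value
        print(f"{'PASS' if passed else 'FAIL'}  {key} = {shown} (expected {expected})")
```

A key that is absent from the export is reported as a failure so that a missing lockout counter or duration is not mistaken for a pass.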
1.2 Administrative Templates
1.2.1 Network
1.2.1.1 Network Connections
1.2.1.1.1 Windows Profile
1.2.1.1.1.1 Standard Profile
1.2.1.1.1.1.1 Set 'Windows Firewall: Allow ICMP exceptions' to 'Disabled'
X X Scored To implement the recommended configuration state, set the following Group Policy setting to Disabled.
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.2.1.1.1.1.4 Set 'Windows Firewall: Prohibit unicast response to multicast or broadcast requests' to 'Enabled'
X X Scored To implement the recommended configuration state, set the following Group Policy setting to Enabled.
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile\Windows Firewall: Prohibit unicast response to multicast or broadcast requests
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.2.1.1.1.1.8 Set 'Windows Firewall: Allow local port exceptions' to 'Disabled'
X X Scored To implement the recommended configuration state, set the following Group Policy setting to Disabled.
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile\Windows Firewall: Allow local port exceptions
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.2.1.1.1.2 Domain Profile
1.2.1.1.1.2.1 Set 'Windows Firewall: Allow ICMP exceptions' to 'Disabled'
X X Scored To implement the recommended configuration state, set the following Group Policy setting to Disabled.
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.2.1.1.1.2.2 Set 'Windows Firewall: Allow local program exceptions' to 'Disabled'
X X Scored To implement the recommended configuration state, set the following Group Policy setting to Disabled.
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile\Windows Firewall: Allow local program exceptions
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.2.1.1.1.2.7 Set 'Windows Firewall: Prohibit unicast response to multicast or broadcast requests' to 'Enabled'
X X Scored To implement the recommended configuration state, set the following Group Policy setting to Enabled.
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile\Windows Firewall: Prohibit unicast response to multicast or broadcast requests
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.2.1.1.1.2.13 Set 'Windows Firewall: Allow local port exceptions' to 'Disabled'
X X Scored To implement the recommended configuration state, set the following Group Policy setting to Disabled.
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile\Windows Firewall: Allow local port exceptions
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.2.2 System
1.2.2.1 Remote Procedure Call
1.2.2.1.1 Set 'Restrictions for Unauthenticated RPC clients' to 'Enabled:Authenticated'
X X Scored To implement the recommended configuration state, set the following Group Policy setting to Enabled. Then set the available option to Authenticated.
Computer Configuration\Administrative Templates\System\Remote Procedure Call\Restrictions for Unauthenticated RPC clients
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.2.2.2.2 Set 'Process even if the Group Policy objects have not changed' to 'True'
X Scored To implement the recommended configuration state, set the following Group Policy setting to 0.
Computer Configuration\Administrative Templates\System\Group Policy:Process even if the Group Policy objects have not changed
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.2.2.2.3 Set 'Do not apply during periodic background processing' to 'False'
X Scored To implement the recommended configuration state, set the following Group Policy setting to 0.
Computer Configuration\Administrative Templates\System\Group Policy:Do not apply during periodic background processing
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.2.2.3.2 Set 'Offer Remote Assistance' to 'Disabled' X Scored To implement the recommended configuration state, set the following Group Policy setting to Disabled.
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.2.2.4 Internet Communication Management
1.2.2.4.1 Internet Communication settings
1.2.2.4.1.1 Set 'Turn off downloading of print drivers over HTTP' to 'Enabled'
X Scored To implement the recommended configuration state, set the following Group Policy setting to Enabled.
Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off downloading of print drivers over HTTP
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.2.2.4.1.2 Set 'Turn off Windows Update device driver searching' to 'Enabled'
X Scored To implement the recommended configuration state, set the following Group Policy setting to Enabled.
Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off Windows Update device driver searching
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.2.2.4.1.3 Set 'Turn off the "Publish to Web" task for files and folders' to 'Enabled'
X Scored To implement the recommended configuration state, set the following Group Policy setting to Enabled.
Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off the "Publish to Web" task for files and folders
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.2.2.4.1.4 Set 'Turn off Internet download for Web publishing and online ordering wizards' to 'Enabled'
X Scored To implement the recommended configuration state, set the following Group Policy setting to Enabled.
Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off Internet download for Web publishing and online ordering wizards
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.2.2.4.1.5 Set 'Turn off printing over HTTP' to 'Enabled' X Scored To implement the recommended configuration state, set the following Group Policy setting to Enabled.
Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off printing over HTTP
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.2.2.4.1.6 Set 'Turn off the Windows Messenger Customer Experience Improvement Program' to 'Enabled'
X Scored To implement the recommended configuration state, set the following Group Policy setting to Enabled.
Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off the Windows Messenger Customer Experience Improvement Program
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.2.2.4.1.7 Set 'Turn off Search Companion content file updates' to 'Enabled'
X Scored To implement the recommended configuration state, set the following Group Policy setting to Enabled.
Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off Search Companion content file updates
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.2.3.1.3 Set 'No auto-restart with logged on users for scheduled automatic updates installations' to 'Disabled'
X X Scored To implement the recommended configuration state, set the following Group Policy setting to Disabled.
Computer Configuration\Administrative Templates\Windows Components\Windows Update\No auto-restart with logged on users for scheduled automatic updates installations
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.2.3.1.4 Set 'Do not display 'Install Updates and Shut Down' option in Shut Down Windows dialog box' to 'Disabled'
X X Scored To implement the recommended configuration state, set the following Group Policy setting to Disabled.
Computer Configuration\Administrative Templates\Windows Components\Windows Update\Do not display 'Install Updates and Shut Down' option in Shut Down Windows dialog box
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.2.3.1.5 Set 'Do not adjust default option to 'Install Updates and Shut Down' in Shut Down Windows dialog box' to 'Disabled'
X X Scored To implement the recommended configuration state, set the following Group Policy setting to Disabled.
Computer Configuration\Administrative Templates\Windows Components\Windows Update\Do not adjust default option to 'Install Updates and Shut Down' in Shut Down Windows dialog box
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.2.3.2 Windows Installer
1.2.3.2.1 Set 'Always install with elevated privileges' to 'Disabled'
X Scored To implement the recommended configuration state, set the following Group Policy setting to Disabled.
Computer Configuration\Administrative Templates\Windows Components\Windows Installer\Always install with elevated privileges
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.2.3.3 Remote Desktop Services
1.2.3.3.1 Remote Desktop Connection Client
1.2.3.3.1.1 Set 'Do not allow passwords to be saved' to 'Enabled'
X Scored To implement the recommended configuration state, set the following Group Policy setting to Enabled.
Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Connection Client\Do not allow passwords to be saved
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.2.3.3.2 Remote Desktop Session Host
1.2.3.3.2.1 Connections
1.2.3.3.2.2 Device and Resource Redirection
1.2.3.3.2.2.1 Set 'Do not allow drive redirection' to 'Enabled'
X Scored To implement the recommended configuration state, set the following Group Policy setting to Enabled.
Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection\Do not allow drive redirection
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.2.3.3.2.3 Security
1.2.3.3.2.3.1 Set 'Always prompt for password upon connection' to 'Enabled'
X X Scored
To implement the recommended configuration state, set the following Group Policy setting to Enabled.
Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security\Always prompt for password upon connection
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.2.3.3.2.3.2 Set 'Set client connection encryption level' to 'Enabled:High Level'
X X Scored
To implement the recommended configuration state, set the following Group Policy setting to Enabled. Then set the available option to High Level.
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.2.3.4 AutoPlay Policies
1.2.3.4.1 Set 'Turn off Autoplay' to 'Enabled:All drives'
X X Scored
To implement the recommended configuration state, set the following Group Policy setting to Enabled. Then set the available option to All drives.
Computer Configuration\Administrative Templates\Windows Components\AutoPlay Policies\Turn off Autoplay
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.2.3.5 Windows Error Reporting
1.2.3.5.1 Advanced Error Reporting Settings
1.2.3.5.1.1 Set 'Report operating system errors' to 'Enabled'
X Scored
To implement the recommended configuration state, set the following Group Policy setting to Enabled.
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.2.3.5.1.2 Set 'Display Error Notification' to 'Disabled'
X Scored
To implement the recommended configuration state, set the following Group Policy setting to Disabled.
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
1.2.3.7 Windows Messenger
1.2.3.7.1 Set 'Do not allow Windows Messenger to be run' to 'Enabled'
X Scored
To implement the recommended configuration state, set the following Group Policy setting to Enabled.
Computer Configuration\Administrative Templates\Windows Components\Windows Messenger\Do not allow Windows Messenger to be run
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
2 User Configuration
2.1 Administrative Templates
2.1.1 System
2.1.1.1 Power Management
2.1.1.1.1 Set 'Prompt for password on resume from hibernate / suspend' to 'Enabled'
X X Scored
To implement the recommended configuration state, set the following Group Policy setting to Enabled.
User Configuration\Administrative Templates\System\Power Management\Prompt for password on resume from hibernate / suspend
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
2.1.2 Windows Components
2.1.2.1 Windows Explorer
2.1.2.2 Attachment Manager
2.1.2.2.1 Set 'Hide mechanisms to remove zone information' to 'Enabled'
X X Scored
To implement the recommended configuration state, set the following Group Policy setting to Enabled.
User Configuration\Administrative Templates\Windows Components\Attachment Manager\Hide mechanisms to remove zone information
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
2.1.2.2.2 Set 'Notify antivirus programs when opening attachments' to 'Enabled'
X X Scored
To implement the recommended configuration state, set the following Group Policy setting to Enabled.
User Configuration\Administrative Templates\Windows Components\Attachment Manager\Notify antivirus programs when opening attachments
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
2.1.2.2.3 Set 'Do not preserve zone information in file attachments' to 'Disabled'
X X Scored
To implement the recommended configuration state, set the following Group Policy setting to Disabled.
User Configuration\Administrative Templates\Windows Components\Attachment Manager\Do not preserve zone information in file attachments
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
2.1.3.1.2 Set 'Password protect the screen saver' to 'Enabled'
X X Scored
To implement the recommended configuration state, set the following Group Policy setting to Enabled.
User Configuration\Administrative Templates\Control Panel\Personalization\Password protect the screen saver
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
2.1.3.1.3 Set 'Enable screen saver' to 'Enabled'
X X Scored
To implement the recommended configuration state, set the following Group Policy setting to Enabled.
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
2.1.3.1.4 Set 'Force specific screen saver' to 'Enabled:scrnsave.scr'
X X Scored
To implement the recommended configuration state, set the following Group Policy setting to Enabled. Then set the available option to scrnsave.scr.
User Configuration\Administrative Templates\Control Panel\Personalization\Force specific screen saver
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
General Notes/Comments on CIS Microsoft Windows XP Benchmark v3.1.0 Mapping to Each Security Capability
ALOF | Automatic logoff | 6 | Benchmark recommendations on setting screen saver, logon hours, session timeout, etc.
AUDT | Audit controls | 19 | All audit-related items in Benchmark
AUTH | Authorization | 38 | All user rights and "anonymous can/cannot do x" recommendations in Benchmark
CNFS | Configuration of security features | 26 | Firewall, logon as a service, etc. Benchmark settings
CSUP | Cyber security product upgrades | 5 | All Windows-update related items in Benchmark
DTBK | Data backup and disaster recovery | 1 | User rights related to file and backup
MLDP | Malware detection/protection | 5 | IE Benchmark-smartscreen
NAUT | Node authentication | 12 | All authentication-related controls, but not password storage-related controls, as that is a security feature, not directly part of authentication of a person/node. Includes NTLM-related items
PAUT | Person authentication | 22 | All authentication-related controls, but not password storage-related controls, as that is a security feature, not directly part of authentication of a person/node. Includes NTLM-related items
SAHD | System and Application Hardening | 156 | Everything in the Benchmark maps to this Security Capability
TXCF | Transmission confidentiality | 8 | All the SSP RPC crypto items
TXIG | Transmission integrity | 11 | All the SSP RPC signing items
General Notes/Comments on CIS Microsoft Windows XP Benchmark v3.1.0 Mapping to Each Security Capability
DIDT | HEALTH DATA de-identification | N/A
EMRG | Emergency access | N/A
IGAU | HEALTH DATA integrity and authenticity | N/A | File permissions
PLOK | Physical locks on device | N/A
RDMP | Third-party components in product lifecycle roadmaps | N/A | See related CIS Benchmarks, as applicable
SGUD | Security guides | N/A
STCF | HEALTH DATA storage confidentiality | N/A
Total Scored CIS Benchmark Recommendations that Map to Each Applicable IEC/TR 80001-2-2 Security Capability