Software Development Matrix and a Business Continuity Plan (BCP) that addresses the mission needs and systems for recovery of the whole enterprise after a cyberattack event.
Requirements: 9 pages
Business Continuity Plan
To help ease the concerns of the CISO and other executive officials tied into cyber operations, the chief technology officer (CTO) is asking for processes and procedures regarding exposed systems. You created a security baseline of your nation team's (AUSTRALIA) systems in Project 1, and that is a necessary part of determining mission priorities and identifying critical systems in the event of a cyber incident. You have also completed several steps that provide an assessment of the software development life cycle, including a development matrix.
Now you will create an 8- to 10-page Business Continuity Plan (BCP) that addresses the mission needs and systems for recovery of the whole enterprise after a cyberattack event. The CISO will use this BCP to identify current systems, the timelines for bringing them back online, and the sequence of events that occurs when the plan is deployed. Make sure that all citations are in proper APA format.
Refer to the following documents to assist you in creating the final portion of the BCP:
· Your team’s security baseline from Project 1
· Contingency Planning Guide for Federal Information Systems for examples of what to include in your BCP
· Best Practices for Creating a BCP
Consider and include the following as you develop your BCP:
· The BCP should include the software development life cycle assessment and the software development matrix you completed in prior steps.
· The BCP should describe the normal operation standards, practices, and procedures for operating systems, including critical systems. Develop standard operating procedures based on what the team identifies as the most critical to least critical to continue business operations. Included in the standard operating procedures and best security engineering practices should be operating system fundamentals, operating system security, management of patches, and operating system protections.
· All partner nations at the summit have indicated that an ad hoc wireless network may be used. The nations' CISOs will have to distinguish rogue access points from authorized ones, taking into account the authorized service set identifiers (SSIDs). These considerations must be included in the BCP.
· Limit the scope to communications systems.
· The BCP should be tailored to recover from a ransomware attack. Include leadership decision-making options for payouts in such currencies as Bitcoin, which uses blockchain technology. Based on the recent outbreaks of ransomware attacks, identify key components of the given topology and describe how a ransomware incident would be contained or identified if an event occurred inside the given topology. What are the network security threats for a ransomware attack? Include these vectors as scenarios in the BCP and address remediation paths.
· The BCP should also include an incident response plan with IR flows for DDoS, malware, and insider threats. If the plan has to be executed, the identified parties will follow this documentation, so it must make the communication channels, the flow of information, and the triggers clear enough that no breakdown occurs.
Develop Software Development Matrix Template
Now that you have completed an assessment of the software development life cycle, you will research open source, commercial, and internally developed software methodologies available to the organization to fulfill future software assurance needs and expectations. You will use this information to develop your one-page Software Development Matrix, a component of the BCP.
Using this software development matrix template, develop and submit a matrix that compares and contrasts open-source, commercial, and internally developed software development methodologies. Evaluate each alternative to help inform your final recommendation. Consider cost, software assurance needs and expectations, software assurance objectives, and the merits of a software assurance coding and development plan. This matrix will provide options to be considered for evaluation of maintenance in the next step and will also be used in your final project briefing, with a look at improving the process for the future. Commit to accurate and complete findings for a fully accountable final project briefing.
In addition to the BCP, the matrix will be included in the cyber operations and risk management briefing, which you develop later in the project. At this point, you should have several of the components of the BCP to submit in the next step of the project.
Software Development Matrix (template)

Software Development Methodology | Pros | Cons | Software Assurance Concerns
Waterfall Model | | |
Prototype Model | | |
Agile Software Development | | |
Rapid Application Development | | |
Dynamic Systems Development | | |
Spiral Model | | |
Extreme Programming | | |
Feature-Driven Development | | |
Joint Application Development | | |
Lean Development | | |
Rational Unified Process | | |
Scrum Development | | |
SECURITY BASELINE REPORT
Security Baseline Report
Table of Contents
Attribution Report
Network Security Checklist
System Security Risk Vulnerability
Security Baseline
Network Forensics Considerations
Appendix A
References
Attribution Report
Nation-states have formed different alliances and cooperative arrangements for information and intelligence sharing over the years. One alliance that has proved effective is the Five Eyes (FVEY) Alliance, through which the United States, United Kingdom, Australia, Canada, and New Zealand collect, analyze, and share signals intelligence while agreeing not to act as adversaries to one another (Mansfield, 2017). Under this agreement, intelligence is gathered about specific individuals and groups and stored in the FVEY database to protect communication networks and prevent exploitation in member countries from foreign and domestic sources.
From an Australian perspective, the federal government has passed various Acts, statutes, and policies to ensure telecommunications, network, and information security. Among these are the Privacy Act 1988, the Telecommunications Act 1997, the Intelligence Services Act 2001, and the Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015 (Australian Government Federal Register of Legislation, 2015).
Bad actors, from domestic criminals to nation states, constantly try to infiltrate the information systems of economies for different motives, so every state must remain alert to attackers. Accordingly, the host of the FVEY summit has provided the IP addresses of potential attackers to member countries so that attacks from these sources can be averted. Team Australia has investigated these IP addresses and established their sources, owners, and other relevant information in order to make better decisions about the network infrastructure the Australian Team will build.
The IP addresses given to the Australian Team are found below:
7.26.42.136
222.215.134.15
190.142.94.44
85.209.52.248
113.245.133.236
174.73.217.102
17.158.163.43
161.234.248.208
82.196.6.46
16.106.9.38
207.88.46.144
209.183.236.40
46.3.152.107
203.96.22.39
Team Australia has determined that the registered owners of these addresses are located in Venezuela, China, the United States, the Netherlands, Russia, Germany, and New Zealand. To gather thorough and accurate information about the IP addresses, our team used tools such as ip2nation, AlienVault, NordVPN IP Address Lookup, and GeoTEK IP Checker. Note that WHOIS and geolocation lookups return the registrant of the address block, not necessarily the party operating the host: several entries below are hosting providers or consumer ISPs (for example, Digital Ocean and Cox Communications) whose address space is used by many unrelated tenants, so a match on those addresses is weaker evidence of who is behind the traffic than a match on a single-organization allocation. The following information was gathered from analyzing the IP addresses:
IP Address | Location | Name/Owner | Other Information
7.26.42.136 | United States | DoD Network Information Center | 3990 E. Broad Street, Columbus, OH 43218
190.142.94.44 | Venezuela | Corporacion Telemic C.A. | Av. Los Leones con Av. Caroni, 25133, Centro Empresarial Caracas, Piso 1
113.245.133.236 | China | Chinanet Hunan Province Network | No. 31, Jingrong Street, Beijing, 100032
17.158.163.43 | United States | Apple – WWNET | 20400 Stevens Creek Blvd., City Center Bldg 3, Cupertino, CA 95014
82.196.6.46 | Netherlands | Digital Ocean LLC | 101 Ave of the Americas, 2nd Floor, New York, NY 10013
207.88.46.144 | United States | MCI Communication/Verizon | 22001 Loudoun County Pkwy, Ashburn
46.3.152.107 | Russia | Dom Tehniki Ltd | Nizhegorodskaya street 11-66, 109029, Moscow
222.215.134.15 | China | Chinanet Sichuan Province Network | A12, Xin-Jie-Kou-Wai Street, Beijing 100088, CN
85.209.52.248 | Germany | Georg Kroeber | Egerstrasse 2, 65205 Wiesbaden
174.73.217.102 | United States | Cox Communication | 1400 Lake Hearn Dr., Atlanta, GA
161.234.248.208 | Venezuela | Telephonica Venezolana | Rambla Republica de Mexico 6125, Montevideo 11400, UY
16.106.9.38 | United States | Hewlett Packard | 3000 Hanover Street, Palo Alto, CA
209.183.236.40 | United States | Atlantech Online | 1010 Wayne Ave., Suite 630, Silver Spring, MD
203.96.22.39 | New Zealand | ACTRIX Networks | PO Box 11-410, Wellington
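The table above is only useful operationally if the addresses are turned into a watchlist and matched against the summit network's connection logs. The following Python is an added example, not part of the report; it uses the report's fourteen addresses but the firewall log format, the log lines themselves, the shared-tenancy classification of registrants, and the widened CIDR used in the test are all constructed assumptions. It shows the practitioner's two habits that the table alone does not: matching by network rather than by string (so a hit can later be widened to a whole allocation confirmed in WHOIS), and carrying a confidence label so that a hit from a hosting provider's range is not treated the same as a hit from a single-organization block.

```python
import ipaddress
import re

# The 14 addresses from the Attribution Report table, keyed to the registrant
# recorded there.
FLAGGED = {
    "7.26.42.136": "DoD Network Information Center",
    "222.215.134.15": "Chinanet Sichuan Province Network",
    "190.142.94.44": "Corporacion Telemic C.A.",
    "85.209.52.248": "Georg Kroeber",
    "113.245.133.236": "Chinanet Hunan Province Network",
    "174.73.217.102": "Cox Communication",
    "17.158.163.43": "Apple - WWNET",
    "161.234.248.208": "Telephonica Venezolana",
    "82.196.6.46": "Digital Ocean LLC",
    "16.106.9.38": "Hewlett Packard",
    "207.88.46.144": "MCI Communication/Verizon",
    "209.183.236.40": "Atlantech Online",
    "46.3.152.107": "Dom Tehniki Ltd",
    "203.96.22.39": "ACTRIX Networks",
}

# Registrants whose address space is shared by many unrelated tenants (hosting
# providers and ISPs). This classification is an assumption made for the example.
SHARED_TENANCY = {
    "Digital Ocean LLC", "Cox Communication", "Chinanet Sichuan Province Network",
    "Chinanet Hunan Province Network", "Telephonica Venezolana",
    "Corporacion Telemic C.A.", "Atlantech Online", "ACTRIX Networks",
    "MCI Communication/Verizon",
}

# Constructed firewall log in an assumed "<ts> <action> src= dst= dport=" format.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z ACCEPT src=82.196.6.46 dst=10.10.1.5 dport=443
2024-05-01T09:00:07Z ACCEPT src=198.51.100.17 dst=10.10.1.5 dport=443
2024-05-01T09:01:13Z DROP src=46.3.152.107 dst=10.10.1.5 dport=22
2024-05-01T09:02:40Z ACCEPT src=7.26.42.136 dst=10.10.2.9 dport=25
2024-05-01T09:03:02Z ACCEPT src=82.196.6.99 dst=10.10.1.5 dport=443
not a log line
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ACCEPT|DROP) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)


def build_watchlist(flagged, widen=None):
    """Convert flagged addresses to networks. `widen` maps an address to the
    CIDR of its allocation once the analyst has confirmed it in WHOIS; without
    it each entry is a /32 host route."""
    widen = widen or {}
    watchlist = []
    for addr, registrant in flagged.items():
        net = ipaddress.ip_network(widen.get(addr, addr), strict=False)
        confidence = "low" if registrant in SHARED_TENANCY else "high"
        watchlist.append((net, registrant, confidence))
    return watchlist


def parse_line(line):
    """Return the fields of one log line, or None for lines in another format."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def match_log(lines, watchlist):
    """Return one hit per log line whose source falls inside a watched network."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        try:
            src = ipaddress.ip_address(rec["src"])
        except ValueError:
            continue
        for net, registrant, confidence in watchlist:
            if src in net:
                hits.append({"ts": rec["ts"], "src": str(src), "action": rec["action"],
                             "dport": rec["dport"], "registrant": registrant,
                             "confidence": confidence})
                break
    return hits


if __name__ == "__main__":
    for hit in match_log(SAMPLE_LOG.splitlines(), build_watchlist(FLAGGED)):
        print(f"{hit['ts']} {hit['src']:>16} -> :{hit['dport']} {hit['action']:6} "
              f"{hit['registrant']} [{hit['confidence']} confidence]")
```

Run as-is, the script reports three hits (Digital Ocean at low confidence, Dom Tehniki and the DoD NIC at high confidence); the fifth log line, a neighbouring address in the same range, is only caught once the analyst widens the Digital Ocean entry to the allocation.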
Network Security Checklist
Network security enables a safe and productive work environment by preventing unauthorized access to sensitive data and defending against other information security threats. Network infrastructure should therefore be secured to ensure the confidentiality, integrity, and availability of information to the appropriate individuals for its intended purpose. Network security risks continuously evolve and pose a persistent threat to vital information resources; deploying wireless network devices without encryption, for instance, leaves a network susceptible to attack. According to Best (2021), network-connected devices and applications carry security risks that give attackers the opportunity to steal sensitive data, and a robust practice such as a network security checklist helps protect the network from cyberattacks. A network security checklist is intended to evaluate an organization's network security practices against best practice by identifying the potential threats associated with the network and verifying that the controls mitigating those threats are in place. In the checklist below, each item is recorded as Yes, In Progress, No, or N/A.
Firewall (Yes / In Progress / No / N/A)
· The organization should have a firewall or equivalent control to prevent unwanted access to its internal network and devices.
· The default password on the firewall device should be changed to a strong, unique password.
· Use stateful packet inspection on the firewall, and enable anti-spoofing (ingress) filtering so that packets arriving on the external interface with internal or reserved source addresses are dropped. Together these limit IP address spoofing and some denial-of-service (DoS) traffic, although volumetric DoS still requires upstream mitigation.
· Ensure that inbound connections from external IP addresses terminate only in the DMZ and are never permitted directly into the LAN.
· Configure the firewall to block incoming access to unused ports (default-deny inbound).
· Review the firewall policies for potential security risks periodically.
· Make sure the firewall firmware and software are regularly updated.
IT Security Policy (Yes / In Progress / No / N/A)
· A network acceptable use policy that outlines the rules, rights, and obligations of all employees, contractors, and vendors requesting access to network resources.
· Conduct penetration testing to extend the vulnerability assessment.
· Establish comprehensive onboarding and off-boarding procedures for all employees.
· Implement a BYOD policy and use Mobile Device Management (MDM) to enforce it.
· Create cybersecurity awareness training programs for all employees and conduct phishing simulations to test employee preparedness against attacks.
· Develop an incident response plan to be followed in the event of a data breach.
User Account Management (Yes / In Progress / No / N/A)
· All unnecessary user, guest, or admin accounts should be removed or disabled.
· Create a unique user account and username for each person; no shared accounts.
· All user accounts and permissions should be subject to a documented approval procedure and reviewed periodically.
Password Security (Yes / In Progress / No / N/A)
· Establish a password security policy.
· Implement and enforce the use of strong passwords for all authorized users.
· Screen all passwords against a list of known compromised passwords at creation and reset time.
· Implement multi-factor authentication (MFA), at minimum two-factor authentication (2FA), for all remote and privileged access.
LAN Security (Yes / In Progress / No / N/A)
· Ensure that wireless network security is configured appropriately, including the wireless security protocols in use.
· Disable Wi-Fi Protected Setup (WPS) on all wireless devices.
· Maintain an inventory of all networking equipment, including each device's name, type, location, serial number, service tag, and other pertinent information.
· Ensure that all wireless devices on the network use WPA2 (or WPA3 where supported) encryption; never WEP or open networks.
· Develop and implement a security policy for remote access.
· Use virtual private networks (VPNs) for remote access.
· Disable switch ports that are not being used by any device.
· Disable Universal Plug and Play (UPnP).
Software Patch Management (Yes / In Progress / No / N/A)
· Configure patch management so that operating system and security updates are downloaded and installed at a scheduled time.
· Ensure that firmware, updates, patches, and upgrades are downloaded from reputable sources and that their signatures or hashes are verified before installation.
· Remove unsupported software from any device capable of connecting to the internet.
· Use a patch management tool to control and streamline the process.
Antivirus and Malware Protection (Yes / In Progress / No / N/A)
· Antivirus and anti-malware software should be installed on all computers and mobile devices that can access the internet.
· Anti-malware and antivirus software should be configured to perform routine scans of all files and to block connections to malicious content.
· Antivirus and anti-malware signatures must be updated at least daily.
Additional Requirements (Yes / In Progress / No / N/A)
· Implement a Data Loss Prevention (DLP) solution to protect critical information.
· Encrypt all sensitive data stored on every device.
· Unless authorized by the organization, employees should not use file-sharing or cloud-storage services.
· Unless otherwise permitted, employees should not access personal social media accounts from any company-issued or networked device.
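The Password Security item "screen all passwords against a list of compromised passwords" is usually done with a range query so that the password, or even its full hash, never leaves the client. The following Python is an added example and not part of the checklist; the five-entry breach corpus and the 14-character minimum are constructed assumptions standing in for a real compromised-password feed and the organization's real policy. Both sides of the exchange are simulated: the service buckets breached SHA-1 hashes by their first five hex characters and answers a prefix with every suffix in that bucket, and the client matches its own suffix locally.

```python
import hashlib
from collections import defaultdict

# Constructed stand-in for a compromised-password feed; a real deployment
# would load hundreds of millions of SHA-1 hashes, not five plaintexts.
BREACHED_PASSWORDS = ["password", "123456", "qwerty", "Summer2023!", "letmein"]

MIN_LENGTH = 14  # assumed policy value; take the real one from the password policy


def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(passwords):
    """Service side: bucket breached hashes by their first five hex characters."""
    index = defaultdict(list)
    for pw in passwords:
        digest = sha1_hex(pw)
        index[digest[:5]].append(digest[5:])
    return index


def range_query(index, prefix):
    """Service side: answer a 5-character prefix with every matching suffix.
    The service never learns the full hash, so it cannot tell which password
    (if any) the client is checking."""
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly five hex characters")
    return list(index.get(prefix.upper(), []))


def is_compromised(password, index):
    """Client side: hash locally, send only the prefix, match the suffix locally."""
    digest = sha1_hex(password)
    return digest[5:] in range_query(index, digest[:5])


def check_password(password, index, min_length=MIN_LENGTH):
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if is_compromised(password, index):
        problems.append("appears in the compromised-password corpus")
    return problems


if __name__ == "__main__":
    idx = build_range_index(BREACHED_PASSWORDS)
    for candidate in ["Summer2023!", "correct horse battery staple 42"]:
        print(candidate, "->", check_password(candidate, idx) or "OK")
```

The screening belongs at account creation and password reset, not only at login; a password that was fine when set can appear in a later breach, so a periodic re-screen of stored hashes against new feed releases is the usual complement.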
System Security Risk Vulnerability
The goal of a system security risk and vulnerability assessment is to determine threats, risks, and weaknesses and to put comprehensive security procedures in place to protect critical information assets. Attendees at the Global Economic Summit must assess information security risks and vulnerabilities because attackers can exploit any flaw in the system to mount an attack that, if successful, could be catastrophic. System risk assessment, according to Cobb (n.d.), helps an organization understand the risks related to its information infrastructure while identifying the assets most susceptible to cyberattack. In addition, the analysis and identification of security risks help stakeholders and security experts put mitigation and preventive measures in place against risks and threats to the system infrastructure.
Generally, the results of a vulnerability assessment do not by themselves prevent security incidents or improve an organization's security posture; they help by pointing out where improvements can be made (ISACA, 2017). One of the primary purposes of the assessment is to categorize identified risks by likelihood and severity in order to ascertain the potential impact of each vulnerability, for instance by assigning severity ratings such as critical, high, medium, and low based on discoverability, exploitability, and reproducibility rather than on past occurrences alone. Risk and vulnerability assessment results are therefore weighed carefully when choosing and implementing security controls and countermeasures to protect critical system assets.
Attack Vectors
Critical information systems are prime targets for attackers, who employ various attack vectors to exploit the system's vulnerabilities. Attackers constantly scan for potential entry points into systems and networks. Attack vectors generally exist because of vulnerabilities or security holes in hardware or software, or because of the human element (Shachklett, 2021). An attack vector is the path or technique an unauthorized individual uses to gain access to a network or computer system before launching a malicious attack; attackers leverage attack vectors to exploit system vulnerabilities, steal credentials, or cause a data breach. Common attack vectors include malicious web links, email attachments, pop-up windows, and instant messages that impersonate a trusted contact.
Understanding attack vector patterns is crucial in designing a practical mitigation approach to prevent or minimize attacks. Attacks are commonly divided into passive and active (UMGC, n.d.). In a passive attack the attacker gathers information about the target, for example by sniffing network traffic or eavesdropping on unencrypted sessions, without altering system data or resources. In an active attack the attacker interacts directly with the target system and acts against its weaknesses; phishing emails, denial-of-service (DoS) attacks, brute-force attacks, and malware (including keystroke loggers, whose installation is an active compromise even though they then record input silently) are examples.
The Common Attack Pattern Enumeration and Classification (CAPEC) framework is also worth exploring. CAPEC provides a catalogue of common attack patterns that helps defenders understand how attackers exploit vulnerabilities in applications and other cyber-enabled capabilities (Capec.mitre.org, n.d.). CAPEC was established under the US Department of Homeland Security's Software Assurance program, and is maintained by MITRE, to create a standard mechanism for identifying, analyzing, refining, and sharing attack patterns among the cybersecurity community.
Threats to Authentication and Credentials
Authentication and credential threats affect the process of verifying a legitimate user's identity before granting access to a system, application, or computing resource. Authentication is verifying a subject's claimed identity before granting access to information on a system, while a credential is the information about a subject that is used in the authentication procedure: passwords, usernames, public key certificates, personal identification numbers (PINs), and biometric factors are all types of credential. According to Thomas (2021), the volume of authentication attacks in the threat landscape is increasing because attackers waste no time exploiting vulnerabilities to gain access to systems and user accounts in order to delete data or steal critical data such as personally identifiable information (PII) and protected health information (PHI). The most common threats to authentication and credentials are described below.
Brute Force Attacks
A brute force attack is a common type of cyberattack in which an attacker uses an automated trial-and-error process, online against a login interface or offline against captured password hashes, to guess a login, password, or cryptographic key and gain access to a system. Simple brute force attacks, dictionary attacks, hybrid brute force attacks, reverse brute force attacks (one common password tried against many accounts, also called password spraying), and credential stuffing (reuse of credentials leaked from other breaches) are the most common variants. Although brute force is a relatively old technique, it remains easy, dependable, and popular, because attackers can seed it with information collected about their target. Attackers also target weak points in the authentication path, such as exposed Remote Desktop Protocol (RDP) services (Magnusson, 2022). Defences work on both sides. On the server: rate limiting, account lockout or progressive delays after repeated failures, multi-factor authentication, and storing passwords with a salted, deliberately slow hash so that offline guessing is expensive. On the user side: long unique passwords, avoidance of common passwords, and use of a password manager.
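The server-side controls above depend on noticing the burst of failures in time, and on telling a single-account brute force apart from a password spray that spreads its attempts over many accounts to stay under per-account lockout thresholds. The following Python is an added example, not part of the report: a sliding-window detector run over a constructed authentication log (the "<timestamp> FAIL|OK user= src=" format and every line in it are assumptions), with thresholds chosen for illustration. It also flags the case a responder cares about most, a successful login from a source that had just been flagged.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed authentication log in an assumed "<ts> <FAIL|OK> user= src=" format.
SAMPLE_AUTH_LOG = """\
2024-05-01T09:00:01Z FAIL user=admin src=203.0.113.9
2024-05-01T09:00:03Z FAIL user=admin src=203.0.113.9
2024-05-01T09:00:05Z FAIL user=admin src=203.0.113.9
2024-05-01T09:00:06Z OK user=alice src=198.51.100.7
2024-05-01T09:00:08Z FAIL user=admin src=203.0.113.9
2024-05-01T09:00:10Z FAIL user=admin src=203.0.113.9
2024-05-01T09:00:12Z OK user=admin src=203.0.113.9
2024-05-01T09:05:00Z FAIL user=alice src=192.0.2.50
2024-05-01T09:05:01Z FAIL user=bob src=192.0.2.50
2024-05-01T09:05:02Z FAIL user=carol src=192.0.2.50
2024-05-01T09:05:03Z FAIL user=dave src=192.0.2.50
2024-05-01T09:05:04Z FAIL user=erin src=192.0.2.50
2024-05-01T10:00:00Z FAIL user=alice src=198.51.100.7
2024-05-01T10:02:00Z FAIL user=alice src=198.51.100.7
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<result>FAIL|OK) user=(?P<user>\S+) src=(?P<src>\S+)$")


def parse_line(line):
    """Return the parsed record, or None for a line that does not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
    return rec


def detect(lines, window_s=60, fail_threshold=5, spray_users=3):
    """Sliding-window detector. Returns (kind, src, user, ts) alerts:
    BRUTE_FORCE         >= fail_threshold failures from one source within window_s
    PASSWORD_SPRAY      the same, but spread over >= spray_users distinct accounts
    SUCCESS_AFTER_BURST a successful login from a source that was already flagged
    """
    recent = defaultdict(deque)  # src -> (time, user) of failures inside the window
    flagged = set()
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        src = rec["src"]
        if rec["result"] == "OK":
            if src in flagged:
                alerts.append(("SUCCESS_AFTER_BURST", src, rec["user"], rec["ts"]))
            continue
        window = recent[src]
        window.append((rec["time"], rec["user"]))
        # Drop failures older than the window; the newest entry always stays.
        while (rec["time"] - window[0][0]).total_seconds() > window_s:
            window.popleft()
        if len(window) >= fail_threshold and src not in flagged:
            users = {user for _, user in window}
            kind = "PASSWORD_SPRAY" if len(users) >= spray_users else "BRUTE_FORCE"
            alerts.append((kind, src, rec["user"], rec["ts"]))
            flagged.add(src)
    return alerts


def sources_to_block(alerts):
    """Sources the rate-limit or lockout control should act on."""
    return sorted({src for kind, src, _, _ in alerts if kind != "SUCCESS_AFTER_BURST"})


if __name__ == "__main__":
    for alert in detect(SAMPLE_AUTH_LOG.splitlines()):
        print(alert)
```

Note that the two failures from 198.51.100.7 are two minutes apart and never trip the 60-second window, which is the intended behaviour: the window and threshold are tuned so that a user fumbling a password is not locked out while a scripted attacker is. Per-source blocking is also why a password spray is worth separating from a plain brute force: the spray leaves each account below its own lockout threshold, so only a source-level view catches it.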
Man-In-The-Middle Attacks
In a Man-in-the-Middle (MitM) attack the attacker positions themselves between two communicating parties, for example by intercepting an insecure network connection with a rogue device that imitates a legitimate Wi-Fi access point, so that traffic passes through the attacker, who can read and alter it. Once in that position the attacker can carry out session hijacking, IP and DNS spoofing, eavesdropping, email hijacking, ARP cache poisoning, and SSL/TLS hijacking or stripping (Fortinet, n.d.). Attackers generally exploit weaknesses in the network, in internet protocols, or in browser security to intercept legitimate communications, and may deliver a malicious software update containing malware to steal credentials. Countermeasures include end-to-end encryption with certificate validation on all communication channels (with HSTS so that browsers refuse a downgrade to plain HTTP), multifactor authentication for system access, encrypted DNS, protection against ARP spoofing such as dynamic ARP inspection on managed switches, and a zero-trust posture in which no network segment is assumed to be safe.
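ARP cache poisoning is the variant most relevant to the summit's ad hoc wireless and LAN segments, and it is also the easiest to detect from a host's own view of the network. The following Python is an added example and not part of the report: it compares ARP-table snapshots against the gateway binding recorded in the equipment inventory the checklist calls for. The gateway address, the MAC addresses, and both snapshots are constructed. The switch-side control (dynamic ARP inspection) is the real fix; this is the host-side check that tells you it has failed.

```python
from collections import defaultdict

# Expected gateway binding from the asset inventory (constructed values).
KNOWN_GATEWAYS = {"10.10.1.1": "aa:bb:cc:00:00:01"}

# Two constructed ARP-table snapshots in "ip mac" form. In the second, the
# host 10.10.1.77 has started answering for the gateway address as well.
SNAPSHOT_CLEAN = """
10.10.1.1   aa:bb:cc:00:00:01
10.10.1.5   aa:bb:cc:00:00:05
10.10.1.77  aa:bb:cc:00:00:99
"""
SNAPSHOT_POISONED = """
10.10.1.1   AA:BB:CC:00:00:99
10.10.1.5   aa:bb:cc:00:00:05
10.10.1.77  aa:bb:cc:00:00:99
"""


def parse_arp_table(text):
    """Parse 'ip mac' lines into a dict; MACs are normalised to lower case."""
    bindings = {}
    for line in text.strip().splitlines():
        ip, mac = line.split()
        bindings[ip] = mac.lower()
    return bindings


def detect_arp_spoof(known_gateways, snapshots):
    """Return (snapshot_index, kind, subject, detail) alerts for two signs of
    poisoning: a gateway whose MAC differs from the inventory, and one MAC
    that claims a gateway address and another host's address at the same time."""
    alerts = []
    gateway_ips = set(known_gateways)
    for index, table in enumerate(snapshots):
        for ip, expected in known_gateways.items():
            seen = table.get(ip)
            if seen is not None and seen != expected.lower():
                alerts.append((index, "GATEWAY_MAC_CHANGED", ip, seen))
        by_mac = defaultdict(set)
        for ip, mac in table.items():
            by_mac[mac].add(ip)
        for mac, ips in by_mac.items():
            if len(ips) > 1 and ips & gateway_ips:
                alerts.append((index, "MAC_CLAIMS_GATEWAY_AND_HOST", mac, sorted(ips)))
    return alerts


if __name__ == "__main__":
    snaps = [parse_arp_table(SNAPSHOT_CLEAN), parse_arp_table(SNAPSHOT_POISONED)]
    for alert in detect_arp_spoof(KNOWN_GATEWAYS, snaps):
        print(alert)
```

A single changed gateway MAC can also be a legitimate hardware replacement, so the alert should be reconciled with the inventory before the host is treated as compromised; the second signal, one MAC answering for both the gateway and a workstation address, has no benign explanation on a normal segment.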
Structured Query Language (SQL) Attacks
In a Structured Query Language (SQL) injection attack, an attacker supplies input that is incorporated into a query so that it is executed as SQL by the underlying database, allowing the attacker to read or modify data they should not have access to. Depending on the privileges of the database account, an attacker can impersonate other users, expose, modify, or destroy data, or render it inaccessible. According to Magnusson (2022), SQL injection can defeat authentication directly: a login form that builds its query from the username and password fields can be made to return a valid row without a valid password, and a vulnerable query anywhere in the application can be used to read the credential table. The primary defence is to use parameterized (prepared) statements so that user-supplied data is passed to the database as values and is never interpreted as part of the SQL statement. A web application firewall (WAF) can additionally filter known malicious SQL patterns, but it is a secondary control, not a substitute.
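The authentication bypass described above, shown as an added example that is not part of the report, with the vulnerable query beside its parameterized form. The user table, the single account, and the payloads are constructed; SQLite's in-memory database is used so the example runs offline, and bare SHA-256 stands in for the salted slow hash a real system would use.

```python
import hashlib
import sqlite3


def hash_pw(password):
    # Demo hashing only: production code stores passwords with a salted slow
    # hash (argon2, bcrypt, scrypt), not bare SHA-256.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def make_db():
    """In-memory SQLite database with one constructed account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)", ("alice", hash_pw("correct horse")))
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    # Attacker-controlled text is spliced into the statement, so a quote
    # character and a comment marker in `username` change the query's meaning:
    # "alice' --" turns the password check into a comment.
    query = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password_hash = '" + hash_pw(password) + "'"
    )
    return conn.execute(query).fetchone() is not None


def login_parameterized(conn, username, password):
    # The placeholders are bound as values by the driver; the same input is
    # compared literally against the username column and matches nothing.
    query = "SELECT username FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(query, (username, hash_pw(password))).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    for name, fn in [("vulnerable", login_vulnerable), ("parameterized", login_parameterized)]:
        print(name, "honest login:", fn(db, "alice", "correct horse"))
        print(name, "injected   :", fn(db, "alice' --", "anything"))
        print(name, "tautology  :", fn(db, "' OR 1=1 --", "anything"))
```

The tautology payload (`' OR 1=1 --`) returns the first row of the table, which is why an injectable login often hands the attacker the first account created, typically the administrator. Escaping quotes in application code is not a substitute for parameters: it has to be correct for every database dialect and every encoding, and one missed path is enough.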
Social Engineering
Social engineering is a popular tactic that relies on human interaction and emotion to earn people's confidence before exploiting it. Cybercriminals use social engineering to trick and manipulate victims into granting access to sensitive information or systems. According to Rosencrance and Bacon (2021), attackers often employ social engineering as the first step in a larger effort to infiltrate a system, since it is frequently easier to target people than network or system weaknesses. Social engineering takes many forms, including baiting, whaling, vishing, pretexting, dumpster diving, quid pro quo, and tailgating; phishing, however, is the most prevalent form and the one that most directly threatens credentials.
In a phishing attack, the attacker exploits human error to steal credentials or spread malware through email attachments or links to malicious websites. For example, the attacker sends the victim an email while posing as a well-known contact; the email contains a link to a fake website that requests the victim's login information, such as username and password. Because social engineering attacks take many different forms, a layered defence is needed: technical measures such as email filtering, firewalls, anti-malware, and access management policies limit what an attacker gains, phishing-resistant MFA reduces what a stolen password is worth, and regular staff awareness training reduces the chance of the initial click.
Significance of Public-Key Infrastructure (PKI)
Public Key Infrastructure (PKI) is essential to secure communication protocols and information technology systems. It offers a mechanism for authenticating the identity of the individuals, organizations, and systems involved in online communication and for protecting the confidentiality and integrity of data communicated over the internet. According to Fruhlinger (2020), PKI is based on public-key cryptography, in which each party holds a key pair: the public key is distributed openly and used to encrypt to the holder or to verify the holder's signatures, while the private key is kept secret and used to decrypt or sign. The value of PKI may be understood by examining the challenges it addresses. One of the most significant obstacles to internet communication is verifying that the party you are communicating with is who they claim to be; this is authentication. PKI provides a scalable authentication method by binding a public key to an identity in a digital certificate that is signed by a trusted third party, the certificate authority (CA).
PKI enables not only authentication but also encryption, which protects sensitive information while it is in transit over the network: data is converted into ciphertext that can be read only by the holder of the corresponding key, which prevents eavesdropping and makes it much harder for attackers to access critical data. Finally, PKI provides integrity and non-repudiation: a digital signature, generated with the sender's private key over a hash of the message, lets the recipient verify with the sender's public key that the data has not been altered and that it originated from the holder of that private key. Overall, PKI is a critical component of modern secure communication systems, providing authentication, encryption, integrity, and non-repudiation for digital interactions and sensitive data. Its weak points are operational rather than mathematical: a compromised or mis-issued CA certificate, an unrevoked certificate for a stolen private key, or a client that skips certificate validation undermines every guarantee above, so certificate lifecycle management and revocation checking belong in the baseline.
Leapfrogging Across Network
Leapfrogging, also called pivoting, is an attack technique in which an attacker compromises one network or system and uses its trust relationships and connectivity to reach other, better-protected systems and their sensitive information. As organizations adopt more complex and interconnected technology, these attacks are becoming more prevalent, because the attacker bypasses the target's perimeter controls by entering through a connected party. Afolabi (2022) notes that threat actors often first gain access to a trusted third party's network, typically a Managed Security Service Provider (MSSP), and then move from it into the networks of the provider's customers. Organizations should deploy network segmentation, least-privilege access for third-party connections, encryption, firewalls, and intrusion detection systems to limit lateral movement, and must continually evaluate and upgrade their security systems to keep up with emerging threats and technology.
Privilege Escalation
Privilege escalation in a cyberattack, either horizontal (to another account at the same level) or vertical (to a higher level such as administrator or root), refers to the process by which an attacker gains increasing levels of access to a target system or to more sensitive data, leading to a more severe or widespread breach. The objective is to achieve a greater degree of control within the target system so that the attacker can carry out more destructive actions, such as data theft, service interruption, or malware distribution. Attackers use credential exploitation, system misconfiguration, system vulnerabilities, and social engineering to escalate privileges (Cynet, n.d.).
Once an attacker has administrative access to a sensitive system, the consequences may be devastating. Enforcing least privilege (no routine use of administrative accounts), keeping systems patched, and implementing holistic security solutions such as endpoint detection and network analytics to detect unusual activity help manage and protect network resources against these attacks.
Security Baseline
Establishing a security baseline for information technology systems helps ensure that the technology infrastructure is properly secured against possible threats, such as those discussed in the vulnerability assessment section. According to the National Institute of Standards and Technology (NIST), a security baseline is a set of minimum security controls for information systems, established through information security strategic planning activities to address one or more specified security categorizations (2012). That is not to say that systems cannot be secured further, but at the very least the security controls must meet the ones established in the baseline analysis. Security analysts continuously scan their infrastructure and compare the current state of the systems with the established baseline to ensure those security controls are always met. These system integrity checks help administrators determine a system's trustworthiness, whether data has been changed or damaged, and whether technical and operational conditions are being met (System Integrity Checks, 2023). The security controls vary with the importance of the asset to the organization. An asset is anything of value to an organization, from physical infrastructure to the data used by the Australian government, as seen in the Cyber Policy Matrix (see Appendix A). Like many other countries, the Australian government carries out many operations necessary for the country's daily functioning.
Communication and data sharing between nations are essential to relationship building between countries, but equally important is securing the data and communication channels used so that sensitive data does not fall into the wrong hands. Today technology is deeply rooted in these operations and has become an essential part of their infrastructure. While it has simplified many processes, it has also brought security risks ranging from cyberattacks to legal concerns. To address these concerns, the Australian government has provided policies, processes, and standards that guide how its information technology systems are secured. The Cyber Policy Matrix briefly discusses these policies, processes, and standards, with most of the information drawn from documents published by the Australian Cyber Security Centre (ACSC), such as the Strategies to Mitigate Cyber Security Incidents, the Essential Eight Maturity Model, and the Information Security Manual. Using the information from the Attribution Report, Cyber Policy Matrix, Network Security Checklist, System Security Risk Vulnerability section, and the documents mentioned above, a baseline profile will be established to ensure the IT infrastructure of the Australian government is adequately secured. This baseline will also be used to analyze the security of the newly established network communications used during the Global Economic Summit.
Establishing a Security Baseline
To establish this baseline, all the available information will be compiled and analyzed to develop a set of security rules to include in the baseline profile. These rules are what the current condition of the systems will be compared against to ensure they are being met and communications are secured. Analyzing the internet protocol (IP) addresses in the Attribution Report yielded information about possible threat actors. This information was further analyzed to document common tactics and tools employed by these threats, in order to understand better how bad actors exploit vulnerabilities and gain control of systems. Additionally, the Network Security Checklist will aid security administrators in checking that the appropriate physical and logical security controls are in place. The infrastructure is then analyzed for vulnerabilities, and a risk assessment report is completed. The System Security Risk Vulnerability section covers the importance of conducting risk and vulnerability assessments and the common attack vectors that will be mitigated by employing the proper controls.
Furthermore, to gain a broader understanding of the network's vulnerabilities, a network scan will be conducted using industry-standard tools, such as Nessus, to identify existing vulnerabilities and mitigation strategies. Another important document for the security of the Australian government's technology systems and communications within the Global Economic Summit is the Cyber Policy Matrix (see Appendix A). This matrix briefly discusses Australia's policies and laws regarding cybersecurity management and technology. Most of the information presented in the matrix has been compiled from the Australian Cyber Security Centre (ACSC) publications on protecting against cyber threats. This is important because administrators must develop a communication network for the summit that is not only secure but abides by all applicable laws and policies established in these publications. These include following the best practices discussed in the Strategies to Mitigate Cyber Security Incidents, the Essential Eight Maturity Model, and the Information Security Manual, as well as the Privacy Act 1988, the Telecommunications (Interception and Access) Act 1979, the Intelligence Services Act 2001, the Security of Critical Infrastructure Act 2018 (Cth), and any other applicable laws or regulations.
Creating the Baseline Profile
Using all the previously compiled information and the OpenSCAP Workbench tool, a baseline profile was created that meets compliance with the required security controls, laws, and policies. This baseline will then be used to analyze the network infrastructure.
OpenSCAP Workbench is a graphical user interface tool that allows users to create a profile with specified security rules and then use the profile to conduct compliance scans on a single local or remote system. Users can then perform remediation of the system in accordance with the given profile (OpenSCAP, n.d.). Aside from using the framework provided by the ACSC, security practices drawn from the American National Institute of Standards and Technology (NIST) are used, when needed, to supplement the security of network communications. A profile provided by NIST was used to create the baseline. This profile was customized for compliance with the Australian Government’s information assurance needs. Figure 1 below shows the OpenSCAP Workbench and the customized profile.
Figure 1. OpenSCAP Workbench
Changes to the original profile were made to ensure accuracy with the requirements outlined in the Network Security Checklist. Examples, as seen in figures 2 and 3 below, include changing password policies to meet compliance with the password security requirements.
Figure 2. Changing the Minimum Password Age requirements.
Figure 3. Changing the Account Lockout Counter to meet requirements.
A complete list of the profile’s rules, together with the original profile obtained from NIST, can be found in Appendix A.
With this profile created, systems can be scanned for compliance with all the required security controls. Any vulnerabilities or non-compliance will be mitigated following a risk assessment and vulnerability management plan. Aside from scanning, OpenSCAP can also produce auditing reports for sharing with stakeholders to make future decisions on security controls.
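The compliance scan and the audit report described above leave a machine-readable XCCDF results file behind. The following is an added example (not part of the original report or of the OpenSCAP project) that reads such a file, computes a pass rate over the rules that actually applied, and lists the failing rules by severity so they can be fed into the vulnerability management process. The results XML embedded below is a constructed miniature with invented rule ids and titles; the element names and the `http://checklists.nist.gov/xccdf/1.2` namespace are those of the XCCDF 1.2 format that OpenSCAP writes.

```python
"""Summarise an OpenSCAP (XCCDF 1.2) results file for a compliance report.

Added example, not from the original report or from OpenSCAP. SAMPLE_RESULTS is
a constructed miniature of a results file; rule ids and titles are invented.
"""
import xml.etree.ElementTree as ET
from collections import Counter

XCCDF_NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}

# Constructed sample results (not real scan output): four rules, one TestResult.
SAMPLE_RESULTS = """<?xml version="1.0" encoding="UTF-8"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark_baseline">
  <Rule id="xccdf_example_rule_min_password_age" severity="medium">
    <title>Set minimum password age</title>
  </Rule>
  <Rule id="xccdf_example_rule_lockout_threshold" severity="high">
    <title>Set account lockout threshold</title>
  </Rule>
  <Rule id="xccdf_example_rule_remote_assistance" severity="medium">
    <title>Disable Remote Assistance</title>
  </Rule>
  <Rule id="xccdf_example_rule_bluetooth" severity="low">
    <title>Disable Bluetooth</title>
  </Rule>
  <TestResult id="xccdf_example_testresult_001" start-time="2023-02-01T10:00:00" end-time="2023-02-01T10:02:00">
    <rule-result idref="xccdf_example_rule_min_password_age" severity="medium"><result>pass</result></rule-result>
    <rule-result idref="xccdf_example_rule_lockout_threshold" severity="high"><result>fail</result></rule-result>
    <rule-result idref="xccdf_example_rule_remote_assistance" severity="medium"><result>fail</result></rule-result>
    <rule-result idref="xccdf_example_rule_bluetooth" severity="low"><result>notapplicable</result></rule-result>
  </TestResult>
</Benchmark>
"""


def parse_results(xml_text):
    """Return a list of (rule_id, title, severity, result) tuples from an XCCDF results document."""
    root = ET.fromstring(xml_text)
    titles = {}
    for rule in root.iter("{%s}Rule" % XCCDF_NS["x"]):
        title = rule.find("x:title", XCCDF_NS)
        titles[rule.get("id")] = title.text if title is not None else rule.get("id")
    rows = []
    for rr in root.iter("{%s}rule-result" % XCCDF_NS["x"]):
        rid = rr.get("idref")
        result = rr.find("x:result", XCCDF_NS).text
        rows.append((rid, titles.get(rid, rid), rr.get("severity", "unknown"), result))
    return rows


def compliance_summary(rows):
    """Count outcomes and compute the pass rate over the rules that applied.

    XCCDF results other than pass/fail (notapplicable, notchecked, error, ...)
    are kept in the counts but left out of the denominator, so they neither
    inflate nor deflate the compliance figure reported to stakeholders.
    """
    counts = Counter(result for _, _, _, result in rows)
    applicable = counts["pass"] + counts["fail"]
    rate = round(100.0 * counts["pass"] / applicable, 1) if applicable else 0.0
    return {"counts": dict(counts), "applicable": applicable, "pass_rate": rate}


SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2, "unknown": 3}


def failing_rules(rows):
    """Failed rules, highest severity first, as the remediation backlog."""
    fails = [r for r in rows if r[3] == "fail"]
    return sorted(fails, key=lambda r: (SEVERITY_ORDER.get(r[2], 3), r[0]))


if __name__ == "__main__":
    rows = parse_results(SAMPLE_RESULTS)
    summary = compliance_summary(rows)
    print("Pass rate: %.1f%% over %d applicable rules" % (summary["pass_rate"], summary["applicable"]))
    for rid, title, sev, _ in failing_rules(rows):
        print("FAIL [%s] %s (%s)" % (sev, title, rid))
```

On a real system the input would be the file written by `oscap xccdf eval --results`; the same functions apply because the element names above are the standard ones.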
Vulnerability Management Process
A well-established vulnerability management process aids with standardizing vulnerability mitigation, so systems are not exposed to attacks. Scanning systems and identifying vulnerabilities is just half of the process. These vulnerabilities need to be prioritized and remediated as soon as possible to reduce the attack surface. Using the four-step vulnerability management process outlined below will strengthen the communication systems used in the summit and make sure the underlying technologies are secured.
· Asset & Vulnerability Discovery – using Nessus to scan the network will allow the discovery of assets and any vulnerabilities. Nessus performs in-depth scans and can identify more vulnerabilities when compared to other scanners.
· Vulnerability and Risk Prioritization – the scan output not only lists vulnerabilities but also categorizes them by their Common Vulnerability Scoring System (CVSS) score. Administrators and stakeholders can use this information to make an informed decision as to which vulnerabilities to prioritize for patching.
· Patch Management – Nessus can query a variety of patch management solutions and verify whether patches are installed on managed systems (Dunn, 2016). Additionally, creating a patch management policy will help identify which vulnerabilities will be patched first, under what circumstances, and how the process will be documented to maintain accountability.
· Remediation, Validation, and Exception Tracking – Nessus also suggests remediations for the vulnerabilities it finds. It will also be used to continuously monitor the systems and maintain accountability.
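The prioritization and patch management steps above turn scanner output into an ordered remediation list with due dates. The following is an added example (not from the original report or from Tenable) that does this over a constructed CSV stand-in for a scanner export: findings are banded by the CVSS v3 qualitative ratings (Critical 9.0–10.0, High 7.0–8.9, Medium 4.0–6.9, Low 0.1–3.9), ordered by score with exploit availability and internet exposure as tie-breakers, assigned a due date from an assumed patch-window policy, and grouped per plugin so one patch job covers every affected host. The hosts, plugin ids, scores and patch windows are invented for illustration.

```python
"""Prioritise scan findings by CVSS score and a patch-window policy.

Added example, not from the original report or from Tenable. SAMPLE_CSV is a
constructed stand-in for a scanner export; hosts, plugin ids and scores are
invented. PATCH_WINDOW_DAYS is an assumed policy, not one stated in the report.
"""
import csv
import io
from datetime import date, timedelta

# Constructed sample export (not real Nessus output).
SAMPLE_CSV = """host,plugin_id,name,cvss3_base,exploit_available,internet_facing
10.0.0.5,900001,Outdated TLS library,7.5,true,true
10.0.0.5,900002,Missing OS security update,9.8,true,false
10.0.0.12,900003,Weak SMB signing configuration,5.3,false,false
10.0.0.12,900002,Missing OS security update,9.8,true,true
10.0.0.20,900004,Informational banner disclosure,0.0,false,true
10.0.0.21,900005,Default SNMP community string,8.6,false,false
"""

# Assumed patch windows per severity band (days after the scan); None = no deadline.
PATCH_WINDOW_DAYS = {"Critical": 2, "High": 14, "Medium": 30, "Low": 90, "None": None}
SCAN_DATE = date(2023, 2, 1)  # constructed scan date for the sample


def cvss_severity(score):
    """Map a CVSS v3 base score to its qualitative rating."""
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def load_findings(csv_text):
    """Parse the export, converting numeric and boolean columns and adding the band."""
    findings = []
    for rec in csv.DictReader(io.StringIO(csv_text)):
        rec["cvss3_base"] = float(rec["cvss3_base"])
        rec["exploit_available"] = rec["exploit_available"] == "true"
        rec["internet_facing"] = rec["internet_facing"] == "true"
        rec["severity"] = cvss_severity(rec["cvss3_base"])
        findings.append(rec)
    return findings


def priority_key(f):
    """Higher CVSS first; ties broken by known exploit, then internet exposure, then host."""
    return (-f["cvss3_base"], not f["exploit_available"], not f["internet_facing"], f["host"])


def prioritise(findings, scan_date=SCAN_DATE):
    """Return findings sorted for remediation, each with a due date from the policy."""
    ordered = sorted(findings, key=priority_key)
    for f in ordered:
        days = PATCH_WINDOW_DAYS[f["severity"]]
        f["due"] = (scan_date + timedelta(days=days)).isoformat() if days is not None else "n/a"
    return ordered


def hosts_by_plugin(findings):
    """Group affected hosts per plugin so a single patch job covers all of them."""
    groups = {}
    for f in findings:
        groups.setdefault(f["plugin_id"], set()).add(f["host"])
    return groups


if __name__ == "__main__":
    ordered = prioritise(load_findings(SAMPLE_CSV))
    for f in ordered:
        print(f["due"], f["severity"].ljust(8), f["cvss3_base"], f["host"], f["name"])
    for plugin, hosts in hosts_by_plugin(ordered).items():
        print(plugin, sorted(hosts))
```

The due date is the point where a finding becomes an exception to track; recording it alongside the finding is what gives the accountability the patch management policy asks for.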
Network Forensics Considerations
No system is perfectly secure. Vulnerabilities will always exist, and the goal of scanning the infrastructure to identify vulnerabilities and harden the systems is to reduce the attack surface and minimize the possibility of an attack. Nevertheless, if an attacker is successful, considerations must be made to respond to the attack and conduct the proper investigation swiftly. Network forensics is a specific type of forensic investigation that most commonly deals with the acquisition, processing, analysis, reporting, and safekeeping of network resources (servers, workstations, printers, hubs/switches/routers) and the travel of information through network ports (Network Forensics, 2023). In the event of a compromise, a forensic examiner will identify the seriousness of the compromise and collect and analyze the appropriate data in a forensically sound manner to make sense of what occurred. This data may include data found in system registries, memory, caches, logs, network states, connections, running times and active processes, and data acquisition of all unencrypted data (2023). Various hardware and software security appliances are already in place to monitor network traffic for suspicious traffic and connections. These appliances include firewalls, intrusion detection systems (IDS), and intrusion prevention systems (IPS). The systems operate based on the rules established for secure network communications, such as closing all ports except the ones needed for communications, denying access to specified IP addresses (i.e., the ones in the Attribution Report), allowing access only to specified applications and webpages, etc. These tools leverage threat intelligence and other information to determine malicious activity within network traffic, applications, system behavior, and more. The security baseline also aids in identifying abnormal behavior and suspicious traffic. Since communication at the summit between the participating countries is of utmost importance, network procedures must be established in case communications are compromised. NIST defines network traffic as computer network communications carried over a wired or wireless network between hosts (Kent, Chevalier, Grance, & Dang, 2006). Most network communication relies on the TCP/IP model. However, the fundamentals of network forensics can also be applied to other types of network traffic. TCP/IP uses a four-layer approach for communications. A brief overview of the layers can be found below (Kent, Chevalier, Grance, & Dang, 2006):
· Application – rather than the applications themselves, this layer deals with the protocols such applications use. Examples include HTTP, FTP, DNS, SMTP, etc., and their encrypted counterparts.
· Transport – provides connection-oriented (TCP) or connectionless (UDP) services for transporting application layer services within a network.
· Internet Protocol (Network layer) – this layer deals with IP addresses and is responsible for the addressing and routing of data.
· Hardware – the hardware layer involves the network’s physical components, including cables, routers, switches, and network interface cards (NIC).
As a forensic examiner, understanding what occurs at every layer provides valuable knowledge that aids in conducting thorough investigations and finding relevant artifacts. For example, since every NIC has a unique Media Access Control (MAC) address, the network traffic can be analyzed to find the source MAC address of suspicious traffic. Note that multiple IP addresses can map to a single MAC address. Analysis of the network layer can help identify suspicious IP addresses during a compromise. Additionally, analyzing the communication ports might yield information about the targeted application or service. Examiners may use this information to then gather log data and other information from relevant data sources. These data sources may include firewalls, routers, IDS, IPS, remote access servers, security event management (SEM) software, DHCP servers, packet analyzers (i.e., Wireshark), and network forensic analysis tools. Examiners must also account for technical issues commonly found during the collection of network traffic. Some of these issues are discussed by Kent, Chevalier, Grance, and Dang (2006) and include:
· Data storage – accounting for the collection of network traffic can be complex, especially in a large environment such as the Global Economic Summit, where large volumes of network activity occur. Since storage capacity might impede data collection, examiners must dictate when and what data should be collected.
· Encrypted Traffic – security is paramount when various countries communicate and share sensitive data; therefore, encryption must be used to secure communication. However, this is also detrimental to forensic examinations, since the contents of encrypted traffic cannot be analyzed. NIST recommends placing a data source where it can see the decrypted traffic, i.e., placing an IDS before a VPN to detect suspicious traffic. Furthermore, the authors recommend establishing policies that specify the appropriate use of traffic encryption technologies so that security controls such as IDS sensors can monitor the contents of traffic that does not need to be, or should not be, encrypted.
· Services Running on Unknown Ports – network security appliances should be configured to block all unused ports and alert on connections using unknown server ports. Furthermore, configuring appliances to perform protocol analysis, monitoring traffic flow, and configuring protocol analyzers can help identify suspicious traffic.
· Alternate Access Point – attackers often leverage access points to connect to the network and avoid detection by security appliances. Limiting access points at the summit is a mitigating strategy for this issue.
· Monitoring Failure – as stated before, no system is perfect, and failures are bound to happen. Redundancy is vital to mitigate this problem. Having various appliances monitoring traffic at various levels can help with this. Examples include using network-based firewalls and a host-based firewall for security and logging.
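The layer overview above, the note that several IP addresses can sit behind one MAC address, and the "services running on unknown ports" issue all come down to reading the same fields out of a captured frame. The following is an added example (not part of the original report) that decodes constructed Ethernet II / IPv4 / TCP or UDP frames layer by layer, groups the source IP addresses seen per source MAC, and flags flows whose destination port is not on an approved service list. The MAC and IP addresses, ports and the allowlist are invented for illustration; only the frame layouts are the real ones.

```python
"""Decode frames layer by layer and flag traffic to unexpected server ports.

Added example, not from the original report. SAMPLE_FRAMES are constructed
with struct (no capture file needed); addresses, ports and the allowlist are
invented. Only Ethernet II / IPv4 / TCP or UDP are handled, which is enough
to show what each TCP/IP layer contributes to an investigation.
"""
import struct
from collections import defaultdict

ETHERTYPE_IPV4 = 0x0800
PROTO_TCP, PROTO_UDP = 6, 17


def mac_str(raw):
    return ":".join("%02x" % b for b in raw)


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def decode_frame(frame):
    """Return hardware, internet and transport layer fields of one frame."""
    # Hardware layer: Ethernet II header is dst MAC (6), src MAC (6), EtherType (2).
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    info = {"src_mac": mac_str(src_mac), "dst_mac": mac_str(dst_mac), "ethertype": ethertype}
    if ethertype != ETHERTYPE_IPV4:
        return info
    # Internet layer: fixed 20-byte IPv4 header, header length from the IHL nibble.
    ip = frame[14:]
    ver_ihl, _tos, _total_len, _ident, _flags, _ttl, proto, _csum, src_ip, dst_ip = struct.unpack(
        "!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4  # options, if present, push the payload past 20 bytes
    info.update({"src_ip": ip_str(src_ip), "dst_ip": ip_str(dst_ip), "proto": proto})
    # Transport layer: TCP and UDP both start with 16-bit source and destination ports.
    if proto in (PROTO_TCP, PROTO_UDP):
        src_port, dst_port = struct.unpack("!HH", ip[ihl:ihl + 4])
        info.update({"src_port": src_port, "dst_port": dst_port})
    return info


def build_frame(src_mac, dst_mac, src_ip, dst_ip, proto, src_port, dst_port):
    """Construct a minimal frame for the sample (constructed data, not a real capture)."""
    eth = struct.pack("!6s6sH", bytes.fromhex(dst_mac.replace(":", "")),
                      bytes.fromhex(src_mac.replace(":", "")), ETHERTYPE_IPV4)
    l4 = struct.pack("!HH", src_port, dst_port) + b"\x00" * 16  # ports plus padding
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64, proto, 0,
                     bytes(int(o) for o in src_ip.split(".")), bytes(int(o) for o in dst_ip.split(".")))
    return eth + ip + l4


def ips_per_mac(decoded):
    """Source IPs seen behind each source MAC; several per MAC is normal for a router or VM host."""
    mapping = defaultdict(set)
    for d in decoded:
        if "src_ip" in d:
            mapping[d["src_mac"]].add(d["src_ip"])
    return {mac: sorted(ips) for mac, ips in mapping.items()}


def unknown_server_ports(decoded, allowed_ports):
    """Flows whose destination port is not on the approved service list, for alerting."""
    return [(d["src_ip"], d["dst_ip"], d["dst_port"]) for d in decoded
            if "dst_port" in d and d["dst_port"] not in allowed_ports]


# Constructed frames: one gateway MAC forwarding for two internal IPs, plus one odd port.
SAMPLE_FRAMES = [
    build_frame("02:00:00:aa:bb:01", "02:00:00:aa:bb:ff", "10.0.0.5", "10.0.0.50", PROTO_TCP, 51000, 443),
    build_frame("02:00:00:aa:bb:01", "02:00:00:aa:bb:ff", "10.0.0.12", "10.0.0.50", PROTO_TCP, 51001, 443),
    build_frame("02:00:00:aa:bb:02", "02:00:00:aa:bb:ff", "10.0.0.20", "10.0.0.51", PROTO_UDP, 53000, 53),
    build_frame("02:00:00:aa:bb:02", "02:00:00:aa:bb:ff", "10.0.0.20", "10.0.0.52", PROTO_TCP, 53001, 8081),
]
ALLOWED_SERVER_PORTS = {53, 443}  # assumed approved services for this example

if __name__ == "__main__":
    decoded = [decode_frame(f) for f in SAMPLE_FRAMES]
    print(ips_per_mac(decoded))
    print(unknown_server_ports(decoded, ALLOWED_SERVER_PORTS))
```

The same decode applied to real captures is where the MAC-to-IP and port observations in the paragraph above come from; the allowlist check is the simplest form of the "alert on connections using unknown server ports" control.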
Making sense of what occurred can often be challenging for an examiner. An in-depth understanding of the network infrastructure at the summit is critical to quickly identifying relevant data sources and beginning the forensic process. Knowing the fundamentals of network communications and their underlying technologies is essential to answering questions about how, when, where, why, what, and possibly who. Additionally, understanding issues such as the ones discussed above helps in knowing the limitations that an examiner may face during the investigation’s collection, preservation, processing, analysis, and reporting phases. Forensics can be a challenge in a significant event such as the Global Economic Summit, where every nation has its communication infrastructure, security, and policies. Nations must be prepared to collaborate and share information in case of a compromise involving other countries at the summit.
Appendix A
References
Afolabi, O. (2022, December 26). Island hopping attacks: What they are and how to protect yourself. MUO. Retrieved February 1, 2023, from https://www.makeuseof.com/what-are-island-hopping-attacks/
Australian Government Federal Register of Legislation. (2015). Telecommunications (Interception and Access) Amendment (Data Retention) Act of 2015. Retrieved from https://www.legislation.gov.au/Details/C2015A00039
Best, A. (2021, August 11). The quick and essential network security checklist for 2023. Inspired eLearning. Retrieved January 30, 2023, from https://inspiredelearning.com/blog/network-security-checklist/
Capec.mitre.org. (n.d.). Common attack pattern enumeration and classification. CAPEC. Retrieved February 1, 2023, from https://capec.mitre.org/about/
Cobb, M. (2022, November 10). How to perform a cybersecurity risk assessment in 5 steps. TechTarget Security. Retrieved February 1, 2023, from https://www.techtarget.com/searchsecurity/tip/How-to-perform-a-cybersecurity-risk-assessment-step-by-step
Cynet.com. (2023, January 6). Understanding privilege escalation and 5 common attack techniques. Cynet. Retrieved February 1, 2023, from https://www.cynet.com/network-attacks/privilege-escalation/
Dunn, S. (2016, August 24). Patch management overview. Retrieved from https://www.tenable.com/sc-dashboards/patch-management-overview
Fortinet. (n.d.). What is a man-in-the-middle (MITM) attack? Fortinet. Retrieved February 1, 2023, from https://www.fortinet.com/resources/cyberglossary/man-in-the-middle-attack
Fruhlinger, J. (2020, May 29). What is PKI? And how it secures just about everything online. CSO Online. Retrieved February 1, 2023, from https://www.csoonline.com/article/3400836/what-is-pki-and-how-it-secures-just-about-everything-online.html
GeoTek. (2023). IP Checker. https://ipinfo.info/html/ip_checker.php
ISACA. (2017). Security vulnerability assessment. Retrieved February 1, 2023, from https://www.datasqlvisionary.com/wp-content/uploads/2018/06/Security-Vulnerability-Assessment
Kent, K., Chevalier, S., Grance, T., & Dang, H. (2006, August). Guide to integrating forensic techniques into incident response. National Institute of Standards and Technology. Retrieved from https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-86
Magnusson, A. (2022, December 9). What is a brute force attack? Types, examples & prevention. StrongDM. Retrieved February 1, 2023, from https://www.strongdm.com/blog/brute-force-attack
Mansfield, H. (2017, April 1). Using VPNs to protect your Internet privacy. https://haroldmansfield.com/using-a-vpn-to-protect-your-internet-privacy/
Network Forensics. (2023). UMGC. Retrieved from https://leocontent.umgc.edu/content/scor/uncurated/cyb/2215-cyb670/learning-topic-list/network-forensics.html?ou=722363
NIST. (2012, September). Information Security. Retrieved from https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1
NordVPN. (2023). IP Address Lookup. https://nordvpn.com/ip-lookup/
OpenSCAP. (n.d.). SCAP workbench. Retrieved from
Pempal.org. (n.d.). Network Security Audit Checklist. Pempal. Retrieved January 30, 2023, from https://www.pempal.org/
Shacklett, M. E. (2021, April 13). What is attack vector? TechTarget Security. Retrieved February 1, 2023, from https://www.techtarget.com/searchsecurity/definition/attack-vector
Subedi, H. (2019, November 1). The ultimate network security checklist. Jones IT | Managed IT Services, IT Support, IT Consulting. Retrieved January 30, 2023, from https://www.itjones.com/blogs/2019/11/1/the-ultimate-network-security-checklist
System Integrity Checks. (2023). UMGC. Retrieved from https://leocontent.umgc.edu/content/scor/uncurated/cyb/2215-cyb670/learning-resource-list/system-integrity-checks.html?ou=722363
Thomas. (2021, September 2). The different types of authentication attacks: What you can do to protect yourself. Spam Auditor Blog. Retrieved February 1, 2023, from https://spamauditor.org/2021/09/the-different-types-of-authentication-attacks-what-you-can-do-to-protect-yourself/
CYBER POLICY MATRIX
Columns: Cyber Elements | Information Security | Information Technology | Operations | Business | Legal | Audit | Human Resources | Leadership Positions
Governance
Corporations Act 2001. It imposes duties on directors to exercise their powers and duties with care and diligence. A director who ignores the real possibility of an incident may be liable for failing to exercise their duties with care and diligence.
The Australian Signals Directorate (ASD) provides information security recommendations and support to organizations.
The Australian Cyber Security Centre (ACSC) is the Australian Government’s primary agency for cyber security operational matters at the national level.
The Essential Eight is an Australian Cybersecurity framework developed by the Australian Signals Directorate (ASD)
The Privacy Act (Cth), the Crimes Act 1914 (Cth), the Security of Critical Infrastructure Act 2018 (Cth), the Code (Cth), and the Telecommunications (Interception and Access) Act 1979 (Cth).
The Joint Committee of Public Accounts and Audit suggested that the Australian Signals Directorate (ASD) and the Attorney-General’s Department (AGD) report annually to Parliament on the nation’s cyber security posture.
Most employees want HR to take a bigger role when it comes to cybersecurity. HR should come down harder on individuals who are the cause of a breach. In a survey of 500 IT professionals, 68% said that the best way to reduce breaches is for HR to offer more training.
The Hon Richard Marles MP, Deputy Prime Minister and Minister for Defence.
Policies, Processes, Standards
The Protective Security Policy Framework (PSPF) assists Australian Government organizations in protecting their people, information, and assets domestically and internationally. (PSPF Policy 9)
The Information Security Manual (ISM) is intended to provide an outline of a cyber security framework that an organization can use in conjunction with its risk management framework to safeguard its systems and data from cyber threats.
The Information Security Manual (ISM) provides organizations with principles and practical guidance on how an organisation can protect their systems and data from cyber threats. The guidelines cover governance, physical security, personnel security, and information and communications technology security matters.
The PSPF represents better practices for corporate Commonwealth entities and wholly-owned Commonwealth companies under the PGPA Act of 2013.
The Archives Act, the Privacy Act, and the Telecommunications (Interception and Access) Act.
Most employees want HR to take a bigger role when it comes to cybersecurity. HR should come down harder on individuals who are the cause of a breach. In a survey of 500 IT professionals, 68% said that the best way to reduce breaches is for HR to offer more training.
The Hon Clare O’Neil MP, Minister for Home Affairs and Minister for Cyber Security.
Strategy
Australia’s Cyber Security Strategy 2020
The Australian Government Information Security Manual (ISM).
The Australian Government Information Security Manual (ISM). Additionally, the Strategies to Mitigate Targeted Cyber Intrusions – Mitigation Details publication provides information to assist organizations with mitigating cyber security incidents caused by a wide range of threats (Australian Cyber Security Centre, 2017).
The Intelligence Services Act 2001 (ISA).
Most employees want HR to take a bigger role when it comes to cybersecurity. HR should come down harder on individuals who are the cause of a breach. In a survey of 500 IT professionals, 68% said that the best way to reduce breaches is for HR to offer more training.
The Hon Clare O’Neil MP, Minister for Home Affairs and Minister for Cyber Security.
Risk Management
The Cyber Incident Management Arrangements (CIMA) for Australian governments aim to reduce the scope, impact, and severity of national cyber incidents on all Australians.
The Australian Government Information Security Manual (ISM) outlines a risk management approach to protect systems and information from cyber risks.
The Australian Government Information Security Manual (ISM) outlines a risk management approach to protect systems and information from cyber threats. The risk management framework offered in the manual is based on data from the Australian Cyber Security Centre and the Australian Signals Directorate.
Prudential Standard CPS 234
The Australian Prudential Regulation Authority (APRA)
Most employees want HR to take a bigger role when it comes to cybersecurity. HR should come down harder on individuals who are the cause of a breach. In a survey of 500 IT professionals, 68% said that the best way to reduce breaches is for HR to offer more training.
Ms Rachel Noble PSM, Director-General of the Australian Signals Directorate.
Risk Assessment–Execution
The Australian Cyber Security Centre (ACSC) collaborates with the private and public sectors to share information on threats and increase resilience.
The Essential Eight Maturity Assessment Process
Section 7(e) of the Intelligence Services Act 2001
NA
Asset Security
(Information Security Manual) Control: ISM-1633; Revision: 0; specifies that system owners establish the type, value, and security objectives for each system based on an analysis of the impact of a breach.
(Information Security Manual) Control: ISM-1634; Revision: 1; states that system owners select controls for each system and tailor them to achieve desired security objectives.
The Information Security Manual (ISM) outlines different guidelines to help protect assets on a physical level, using a defence-in-depth approach, as well as on the logical level.
(Information Security Manual) Security Control: 1504; Revision: 1; states that multi-factor authentication is used by an organisation’s users if they authenticate to their organisation’s internet-facing services.
(Information Security Manual) Control: ISM-1587; Revision: 0; system owners report the security status of each system to its authorizing officer at least annually.
Information Security Management
The Australian Cyber Security Centre (ACSC) provides cyber security information, advice, and assistance to all Australians.
The Essential Eight Maturity Model.
Ms Abigail Bradshaw CSC, Head, Australian Cyber Security Centre.
Communications and Network
The PSPF Policy 9 states that access to networks, operating systems, applications, and sensitive or classified information that is processed, stored, or communicated is controlled through a clear understanding of the information held on such systems.
(Information Security Manual) Security Control: 1381; Revision: 2; states that all dedicated administrator workstations used for privileged tasks are prevented from communicating with assets not related to administrative activities.
(Information Security Manual) Security Control: 0520 states that network access controls are implemented on networks to prevent the connection of unauthorized network devices.
The Australian Security of Critical Infrastructure Act of 2018 (SOCI Act) aims to safeguard Australian infrastructures against cyberattacks.
Identity and Access Management
The Australian Cyber Security Centre (ACSC) utilizes cyber security principles to better understand how to protect systems and data. The Protect Principle 12 states that multiple techniques are used to identify and authenticate personnel to systems, applications and data repositories.
The Protect Principle 1 specifies that systems and applications are administered in a secure and accountable manner.
The Protect Principle 10 states that only trusted and vetted personnel are granted access to systems, applications, and organizational data.
Protect Principle 2 specifies that systems and applications are delivered and supported by trusted suppliers.
Protect Principle 11 states that personnel are granted the minimum access to systems, applications, and organizational resources required for their duties.
Security Architecture
The Protective Security Policy Framework (PSPF) Policy 11: Robust ICT systems describes safeguarding information and communication technology (ICT) systems to ensure the secure and uninterrupted performance of government activities.
(Information Security Manual) Control: ISM-1739; Revision: 0, states that a system’s security architecture is approved prior to the development of the system.
An organization’s ICT systems should be resilient to the failure of security controls. When designing systems, the concept of defense-in-depth should be considered, particularly where control failures have occurred in the past (ACSC).
Security Technology
The Australian Cyber Security Centre (ACSC) relies on gateway security mechanisms to separate different security domains by allowing only authorized data to flow from one security domain to another.
The controls implemented in a gateway should be designed to reduce or eliminate the attack surface associated with the flow of data entering and leaving a security domain.
As specified by the Australian Cyber Security Centre (ACSC), a Commonwealth entity needs to consider its obligations, including the strategies outlined in the PSPF, the PGPA Act, and the ISM.
Security Engineering
Security of Critical Infrastructure Act 2018. It seeks to respond to technological changes that have increased the cyber connectivity of critical infrastructure.
Security Development
(Information Security Manual) Security Control: 0042; Revision: 5; states that system administration processes, and supporting system administration procedures, are developed and implemented.
(Information Security Manual) Security Control: 1617; Revision: 0; Updated: Oct-20; states that the CISO regularly reviews and updates their organisation’s cyber security program to ensure its relevance in addressing cyber threats and harnessing business and cyber security opportunities.
Operations and Service Delivery
(Information Security Manual) Security Control: 0408 specifies that systems have a logon banner that requires users to acknowledge and accept their security responsibilities before access is granted.
Project Management
(Information Security Manual) Security Control: 0246; Revision: 3; Updated: Sep-18; specifies that an emanation security threat assessment is sought as early as possible in a project’s life cycle, as emanation security controls can have significant cost implications.
(Information Security Manual) Security Control: 1478; Revision: 1; states that the CISO oversees their organisation’s cyber security program and ensures their organisation’s compliance with cyber security policy, standards, regulations and legislation.
(Information Security Manual) Security Control: 0726; Revision: 2; states that the CISO coordinates security risk management activities between cyber security and business teams.
Audit, Review, Monitoring
(Information Security Manual) Control: ISM-1610; Revision: 0; states that ICT equipment, with the exception of high assurance ICT equipment, is labelled with protective markings reflecting its sensitivity or classification.
Incident Response
(Information Security Manual) Control: ISM-0576; Revision: 9; states that an incident management policy, and associated incident response plan, are developed, implemented, and maintained.
(Information Security Manual) Control: ISM-1610; Revision: 0; states that a method of emergency access to systems is documented and tested at least once when initially implemented and each time fundamental information technology infrastructure changes occur.
(Information Security Manual) Control: ISM-0140; Revision: 6; states that all cyber security incidents are reported to the Australian Cyber Security Centre (ACSC).
The Australian Cyber Security Centre (ACSC) provides advice and guidance to business and government entities on how to respond to and report cybersecurity incidents.
Section 30CD of the Security Legislation Amendment (Critical Infrastructure Protection) Act 2022 states that an entity responsible for a system of national significance must adopt and maintain an incident response plan for cybersecurity incidents.
Legal and Regulatory
The Protective Security Policy Framework (PSPF) gives Australian Government organizations the ability to secure their people, information, and assets.
The Center for Internet Security (CIS) Controls are a collection of security initiatives meant to defend systems from typical cyber-attacks.
Businesses must implement an information security management system and comply with standards such as ISO/IEC 27001, ISO/IEC 38500, the GDPR, the Australian Privacy Act 1988, and the Essential Eight.
The Australian Signals Directorate’s (ASD) designated functions under section 7(1)(ca) of the Intelligence Services Act 2001; the Archives Act 1983, the Privacy Act 1988, and the Telecommunications (Interception and Access) Act 1979.
Data Acquisition, Preservation, Analysis, Transfer
(Information Security Manual) Security Control: 0347; Revision: 5; specifies that when transferring data manually between two systems belonging to different security domains, write-once media is used unless the destination system has a mechanism through which read-only access can be ensured.
References
Asd.gov.au. (n.d.). Leadership. Australian Signals Directorate. Retrieved January 24, 2023, from https://www.asd.gov.au/about/leadership
Cyber.gov.au. (2021, December). Information security manual. Australian Cyber Security Centre. Retrieved January 24, 2023, from https://www.cyber.gov.au/sites/default/files/2021-12/ISM%20December%202021%20Changes%20%28December%202021%29
Iclg.com. (2023, November). Cybersecurity laws and regulations Australia 2023. Retrieved from http://iclg.com/
Kost, E. (2023, January 5). Essential eight compliance guide (updated for 2023). UpGuard. Retrieved January 24, 2023, from https://www.upguard.com/blog/essential-eight
Kost, E. (2023, January 5). Top 10 Australian cybersecurity frameworks in 2023. UpGuard. Retrieved January 24, 2023, from https://www.upguard.com/blog/australian-cybersecurity-frameworks#toc-0
Miralis, D., Gibson, P., & Ceic, J. (n.d.). Cybersecurity laws and regulations report 2023 Australia. International Comparative Legal Guides International Business Reports. Retrieved January 24, 2023, from https://iclg.com/practice-areas/cybersecurity-laws-and-regulations/australia
Muncaster, P. (2015, September 15). Most employees want HR to take a bigger role in cybersecurity. Retrieved January 26, 2023, from https://www.infosecurity-magazine.com/news/most-employees-want-hr-take-bigger/
Protectivesecurity.gov.au. (2021, June 25). Policies. Protective Security Policy Framework. Retrieved January 24, 2023, from https://www.protectivesecurity.gov.au/policies
scap_gov.nist_USGCB-Windows-7.xml
USGCB: Guidance for Securing Microsoft Windows 7 Systems
This guide has been created to assist IT professionals in effectively securing systems running Microsoft Windows 7. Do not attempt to implement any of the settings in this guide without first testing them in a non-operational environment. NIST assumes no responsibility whatsoever for its use by other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic. NIST would appreciate acknowledgement if the document and template are used.
The Federal CIO Council created the Technology Information Subcommittee (TIS) at the direction of OMB to govern, among other federal activities, the FDCC initiative. The TIS, based on federal agency input, selects platforms and applications for federal implementation. The TIS also is the Change Control Board (CCB) for configuration settings. As stated in the Federal CIO Council Memo to federal agencies, “The USGCB settings replace the Federal Desktop Core Configuration (FDCC) settings and provide the recommended security baselines for Information Technology products widely deployed across the agencies.”
Trademark Information
Microsoft, Windows, Windows 7, Windows XP, Windows Vista, Internet Explorer, and Windows Firewall are either registered trademarks or trademarks of Microsoft Corporation in the United States and other countries. All other names are registered trademarks or trademarks of their respective companies.
National Institute of Standards and Technology
SP 800-68
Automatic Updates are not Enabled
IPv6 Network Protocol is not Enabled
Windows Error Reporting is not Enabled
Remote Assistance is not Enabled
Remote Desktop Services is not Enabled
Bluetooth is not Enabled
v2.0.5.1
National Institute of Standards and Technology
http://alpha.nist.gov
United States Government Configuration Baseline 2.0.5.1
This profile represents guidance outlined in United States Government Configuration Baseline for desktop systems with Microsoft Windows 7 installed.
Introduction
This guide has been created to assist federal agencies in effectively
securing systems with Microsoft Windows 7 based on OMB US Government Configuration
Baseline (USGCB) recommendations. Under the direction of OMB
and in collaboration with DHS, DISA, NSA, USAF, and Microsoft, NIST has provided
the following baseline to help agencies test, implement, and deploy the Microsoft
Windows 7 USGCB baseline. The USGCB is an OMB-mandated security
configuration. Please refer to the USGCB home page for
additional information: http://usgcb.nist.gov/
Security Guide Development
In today’s computing environment, the security of all computing resources,
from network infrastructure devices to users’ desktop computers, is essential.
There are many threats to users’ computers, ranging from remotely launched network
service exploits to malware spread through e-mails, Web sites, and file downloads.
Increasing the security of individual computers protects them from these threats
and reduces the likelihood that a system will be compromised or that data will be
disclosed to unauthorized parties. Effective and well-tested security
configurations mean that less time and money are spent eradicating malware,
restoring systems from backups, and reinstalling operating systems and
applications. In addition, having stronger host security increases network
security (e.g., home, business, government, the Internet); for example, most
distributed denial of service attacks against networks use large numbers of
compromised hosts. The goal of this guide is to provide security
configuration guidance to the users and system administrators of Microsoft Windows
7 systems. This advice can be adapted to any environment, from individual SOHO
installations to large geographically diverse organizations. Although the guide is
primarily targeted toward business environments and Windows 7 Enterprise Edition,
some of the guidance is also appropriate for other Windows 7 editions. This guide
draws on a large body of vendor knowledge and government and security community
experience gained over many years of securing computer systems. This
section of the guide is based largely on the steps proposed in NIST’s FISMA
Implementation Project for achieving more secure information systems. Sections 2.1
and 2.2 address the need to categorize information and information systems. Each
Windows 7 system can be classified as having one of three roles; each system can
also be classified according to the potential impact caused by security breaches.
Section 2.3 describes threats and provides examples of security controls that can
mitigate threats. Section 2.4 outlines the primary types of environments for
information systems – SOHO, Enterprise, Specialized Security-Limited
Functionality, and Legacy – and ties each environment to typical threat categories
and security controls. Section 2.5 provides a brief overview of the implementation
of the security controls and the importance of performing functionality and
security testing. Finally, Section 2.6 discusses the need to monitor the security
controls and maintain the system. Figure 2-1 shows the six facets of Windows 7
security that are covered in Sections 2.1 through 2.6.
Windows 7 System Roles and Requirements
Windows 7 security should take into account the role that the system
plays. For the purposes of this guide, Windows 7 systems can be divided into
three roles: inward-facing, outward-facing, and mobile.

Inward-Facing: An inward-facing Windows 7 system is typically a user
workstation on the interior of a network that is not directly accessible
from the Internet. Physical access is also generally limited in some manner
(e.g., only employees have access to the work area). In many environments,
inward-facing systems share a common hardware and software configuration
because they are centrally deployed and managed (e.g., Microsoft domains,
Novell networks). Because an inward-facing system is usually in the same
environment all the time (e.g., desktop on the corporate local area network
[LAN]), the threats against the system do not change quickly. In general,
inward-facing systems are relatively easy to secure, compared to
outward-facing and mobile systems.

Outward-Facing: An outward-facing Windows 7 system is one that is directly
connected to the Internet. The classic example is a home computer that
connects to the Internet through dial-up or broadband access. Such a system
is susceptible to scans, probes, and attacks launched against it by remote
attackers. It typically does not have the layers of protection that an
inward-facing system has, such as network firewalls and intrusion detection
systems. Outward-facing systems are often at high risk of compromise because
they have relatively high security needs, yet are typically administered by
users with little or no security knowledge. Also, threats against
outward-facing systems may change quickly since anyone can attempt to attack
them at any time.

Mobile: A system with a mobile role typically moves between a variety of
environments and physical locations. For network connectivity, this system
might use both traditional wired methods (e.g., Ethernet, dialup) and
wireless methods (e.g., IEEE 802.11). The mobility of the system makes it
more difficult to manage centrally. It also exposes the system to a wider
variety of threat environments; for example, in a single day the system
might be in a home environment, an office environment, a wireless network
hotspot, and a hotel room. An additional threat is the loss or theft of the
system. This could lead to loss of productivity at a minimum, but could also
include the disclosure of confidential information or the possible opening
of a back door into the organization if remote access is not properly
secured.
Security Categorization of Information and Information Systems
This section discusses the most significant security features
inherited from previous Windows versions: Kerberos, smart card support,
Internet Connection Sharing, Internet Protocol Security, and Encrypting File
System. For each security feature, the section includes a brief description,
an analysis of the security impact of each feature, and general
recommendations for when the feature should or should not be used. It is
outside the scope of this document to cover the features in great depth, so
pointers to resources with additional information are provided as
needed. The classic model for information security defines three
objectives of security: maintaining confidentiality, integrity, and
availability. Confidentiality refers to protecting information from being
accessed by unauthorized parties. Integrity refers to ensuring the
authenticity of information, that is, that information is not altered and
that the source of the information is genuine. Availability means that information is
accessible by authorized users. Each objective addresses a different aspect
of providing protection for information. Determining how strongly a
system needs to be protected is based largely on the type of information
that the system processes and stores. For example, a system containing
medical records probably needs much stronger protection than a computer only
used for viewing publicly released documents. This is not to imply that the
second system does not need protection; every system needs to be protected,
but the level of protection may vary based on the value of the system and
its data. To establish a standard for determining the security category of a
system, NIST created Federal Information Processing Standards (FIPS)
Publication (PUB) 199, Standards for Security Categorization of Federal
Information and Information Systems. FIPS PUB 199 establishes three security
categories (low, moderate, and high) based on the potential impact of a
security breach involving a particular system. The FIPS PUB 199 definitions
for each category are as follows:

The potential impact is LOW if the loss of confidentiality, integrity, or
availability could be expected to have a limited adverse effect on
organizational operations, organizational assets, or individuals. A limited
adverse effect means that, for example, the loss of confidentiality,
integrity, or availability might (i) cause a degradation in mission
capability to an extent and duration that the organization is able to
perform its primary functions, but the effectiveness of the functions is
noticeably reduced; (ii) result in minor damage to organizational assets;
(iii) result in minor financial loss; or (iv) result in minor harm to
individuals.

The potential impact is MODERATE if the loss of confidentiality, integrity,
or availability could be expected to have a serious adverse effect on
organizational operations, organizational assets, or individuals. A serious
adverse effect means that, for example, the loss of confidentiality,
integrity, or availability might (i) cause a significant degradation in
mission capability to an extent and duration that the organization is able
to perform its primary functions, but the effectiveness of the functions is
significantly reduced; (ii) result in significant damage to organizational
assets; (iii) result in significant financial loss; or (iv) result in
significant harm to individuals that does not involve loss of life or
serious life threatening injuries.

The potential impact is HIGH if the loss of confidentiality, integrity, or
availability could be expected to have a severe or catastrophic adverse
effect on organizational operations, organizational assets, or individuals.
A severe or catastrophic adverse effect means that, for example, the loss of
confidentiality, integrity, or availability might (i) cause a severe
degradation in or loss of mission capability to an extent and duration that
the organization is not able to perform one or more of its primary
functions; (ii) result in major damage to organizational assets; (iii)
result in major financial loss; or (iv) result in severe or catastrophic
harm to individuals involving loss of life or serious life threatening
injuries.

Each system should be protected based on the
potential impact to the system of a loss of confidentiality, integrity, or
availability. Protection measures (otherwise known as security controls)
tend to fall into two categories. First, security weaknesses in the system
need to be resolved. For example, if a system has a known vulnerability that
attackers could exploit, the system should be patched so that the
vulnerability is removed or mitigated. Second, the system should offer only
the required functionality to each authorized user, so that no one can use
functions that are not necessary. This principle is known as least
privilege. Limiting functionality and resolving security weaknesses have a
common goal: give attackers as few opportunities as possible to breach a
system. Although each system should ideally be made as secure as
possible, this is generally not feasible because the system needs to meet
the functional requirements of the system’s users. Another common problem
with security controls is that they often make systems less convenient or
more difficult to use. When usability is an issue, many users will attempt
to circumvent security controls; for example, if passwords must be long and
complex, users may write them down. Balancing security, functionality, and
usability is often a challenge. This guide attempts to strike a proper
balance and make recommendations that provide a reasonably secure solution
while offering the functionality and usability that users
require. Another fundamental principle endorsed by this guide is
using multiple layers of security. For example, a host may be protected from
external attack by several controls, including a network-based firewall, a
host-based firewall, and OS patching. The motivation for having multiple
layers is that if one layer fails or otherwise cannot counteract a certain
threat, other layers might prevent the threat from successfully breaching
the system. A combination of network-based and host-based controls is
generally most effective at providing consistent protection for
systems. NIST SP 800-53, Recommended Security Controls for Federal
Information Systems, proposes minimum baseline management, operational, and
technical security controls for information systems. These controls are to
be implemented based on the security categorizations proposed by FIPS 199,
as described earlier in this section. This guidance should assist agencies
in meeting baseline requirements for Windows 7 Enterprise systems deployed
in their environments.
Baseline Security Controls and Threat Analysis Refinement
To secure a system, it is essential first to define the threats that
need to be mitigated. This knowledge of threats is also key to understanding
the reasons the various configuration options have been chosen in this
guide. Most threats against data and resources are possible because of
mistakes: either bugs in operating system and application software that
create exploitable vulnerabilities, or errors made by users and
administrators. Threats may involve intentional actors (e.g., an attacker
who wants to access credit cards on a system) or unintentional actors (e.g.,
an administrator who forgets to disable user accounts of a terminated
employee). Threats can be local, such as a disgruntled employee, or remote,
such as an attacker in another country. The following sections describe each
major threat category, list possible controls, provide examples of threats,
and summarize the potential impact of the threat. The list of threats is not
exhaustive; it simply represents the major threat categories that were
considered during the selection of the security controls as described in
this guide. Organizations should conduct risk assessments to identify the
specific threats against their systems and determine the effectiveness of
existing security controls in counteracting the threats, then perform risk
mitigation to decide what additional measures (if any) should be
implemented. This section has described various types of local and
remote threats that can negatively impact systems. The possible controls
listed for the threats are primarily technical, as are the controls
discussed throughout this document. However, it is important to further
reduce the risks of operating a Windows 7 system by also using management
and operational controls. Examples of important operational controls are
restricting physical access to a system; performing contingency planning,
backing up the system, storing the backups in a safe and secure location,
and testing the backups regularly; and monitoring Microsoft mailing lists
for relevant security bulletins. Management controls could include
developing policies regarding Windows 7 system security and creating a plan
for maintaining Windows 7 systems. By selecting and implementing management,
operational, and technical controls for Windows 7, organizations can better
mitigate the threats that Windows 7 systems may face. Another
reason to use multiple types of controls is to provide better security in
situations where one or more controls are circumvented or otherwise
violated. This may be done not only by attackers, but also by authorized
users with no malicious intent. For example, taping a list of passwords to a
monitor for convenience may nullify controls designed to prevent
unauthorized local access to that system. Establishing a policy against
writing down passwords (management control), educating users on the dangers
of password exposure (operational control), and performing periodic physical
audits to identify posted passwords (operational control) may all be helpful
in reducing the risks posed by writing down
Local Threats
Local threats either require physical access to the system or
logical access to the system (e.g., an authorized user account). Local
threats are grouped into three categories: boot process, unauthorized
local access, and privilege escalation.
Boot Process
Threat: An
unauthorized individual boots a computer from
third-party media (e.g., removable drives, Universal
Serial Bus [USB] token storage devices). This could
permit the attacker to circumvent operating system
(OS) security measures and gain unauthorized access
to information.
Examples:
While traveling, an employee misplaces a
laptop, and the party that acquires it tries to
see what sensitive data it contains.
A disgruntled employee boots a computer
off third-party media to circumvent other security
controls so the employee can access sensitive
files (e.g., confidential data stored locally,
local password file).
Impact:
Unauthorized parties could cause a loss of
confidentiality, integrity, and
availability.
Possible Controls:
Implement physical security measures
(e.g., locked doors, badge access) to restrict
access to equipment.
Enable a strong and difficult-to-guess
password for the Basic Input Output System (BIOS),
and configure the BIOS to boot the system from the
local hard drive only, assuming that the case
containing the OS and data is physically secure.
This will help protect the data unless the hard
drive is removed from the computer.
Secure local files via encryption to
prevent access to data in the event the physical
media is placed in another computer.
Unauthorized Local Access
Threat: An
individual who is not permitted to access a system
gains local access.
Examples:
A visitor to a company sits down at an
unattended computer and logs in by guessing a weak
password for a default user account.
A former employee gains physical access
to facilities and uses old credentials to log in
and gain access to company resources.
Impact: Because the
unauthorized person is masquerading as an authorized
user, this could cause a loss of confidentiality and
integrity; if the user has administrative rights,
this could also cause a loss of
availability.
Possible Controls:
Require valid username and password
authentication before allowing any access to
system resources, and enable a password-protected
screen saver. These actions help to prevent an
attacker from walking up to a computer and
immediately gaining access.
Enable a logon banner containing a
warning of the possible legal consequences of
misuse.
Implement a password policy to enforce
stronger passwords, so that it is more difficult
for an attacker to guess passwords.
Do not use or reuse a single password
across multiple accounts; for example, the
password for a personal free e-mail account should
not be the same as that used to gain access to the
Windows 7 host.
Establish and enforce a checkout policy
for departing employees that includes the
immediate disabling of their user
accounts.
Physically secure removable storage
devices and media, such as CD-ROMs, that contain
valuable information. An individual who gains
access to a workspace may find it easier to take
removable media than attempt to get user-level
access on a system.
Privilege Escalation
Threat: An
authorized user with normal user-level rights
escalates the account’s privileges to gain
administrator-level access.
Examples:
A user takes advantage of a
vulnerability in a service to gain
administrator-level privileges and access another
user’s files.
A user guesses the password for an
administrator-level account, gains full access to
the system, and disables several security
controls.
Impact: Because the
user is gaining full privileges on the system, this
could cause a loss of confidentiality, integrity,
and availability.
Possible Controls:
Restrict access to all
administrator-level accounts and administrative
tools, configuration files, and settings. Use
strong, difficult-to-guess passwords for all
administrator-level accounts. Do not use the
domain administrator accounts from
non-administrative client hosts. These actions
will make it more difficult for users to escalate
their privileges.
Disable unused local services.
Vulnerabilities in these services may permit users
to escalate their privileges.
Install application and OS updates
(e.g., hotfixes, service packs, patches). These
updates will resolve system vulnerabilities,
reducing the number of attack vectors that can be
used.
Encrypt sensitive data. Even
administrator-level access would not permit a user
to access data in encrypted files.
Remote Threats
Unlike local threats, remote threats do not require physical or
logical access to the system. The categories of remote threats
described in this section are network services, data disclosure, and
malicious payloads.
Network Services
Threat: Remote
attackers exploit vulnerable network services on a
system. This includes gaining unauthorized access to
services and data, and causing a denial of service
(DoS) condition.
Examples:
A worm searches for systems with an
unsecured service listening on a particular port,
and then uses the service to gain full control of
the system.
An attacker gains access to a system
through a service that did not require
authentication.
An attacker impersonates a user by
taking advantage of a weak remote access
protocol.
Impact: Depending
on the type of network service that is being
exploited, this could cause a loss of
confidentiality, integrity, and
availability.
Possible Controls:
Disable unused services. This provides
attackers with fewer chances to breach the
system.
Test and install application and OS
updates (e.g., hotfixes, service packs, patches).
These updates will resolve system software
vulnerabilities, reducing the number of attack
vectors that can be used.
Require strong authentication before
allowing access to the service. Implement a
password policy to enforce stronger passwords that
are harder to guess. Establish and enforce a
checkout policy for departing employees that
includes the immediate disabling of their user
accounts. These actions help to ensure that only
authorized users can access each
service.
Do not use weak remote access protocols
and applications; instead, use only accepted,
industry standard strong protocols (e.g., Internet
Protocol Security [IPsec], Secure Shell [SSH],
Transport Layer Security [TLS]) for accessing and
maintaining systems remotely.
Use firewalls or packet filters to
restrict access to each service to the authorized
hosts only. This prevents unauthorized hosts from
gaining access to the services and also prevents
worms from propagating from one host to other
hosts on the network.
Enable logon banners containing a
warning of the possible legal consequences of
misuse.
Data Disclosure
Threat: A third
party intercepts confidential data sent over a
network.
Examples:
On a nonswitched network, a third party
is running a network monitoring utility. When a
legitimate user transmits a file in an insecure
manner, the third party captures the file and
accesses its data.
An attacker intercepts usernames and
passwords sent in plaintext over a local network
segment.
Impact: The
interception of data could lead to a loss of
confidentiality. If authentication data (e.g.,
passwords) are intercepted, it could cause a loss of
confidentiality and integrity, and possibly a loss
of availability, if the intercepted credentials have
administrator-level privileges.
Possible Controls:
Use switched networks, which make it
more difficult to sniff packets.
Use a secure user identification and
authentication system, such as NT LanManager
version 2 (NTLMv2) or Kerberos. Section 3.2.1
contains a discussion of the choices that
Windows 7 provides.
Encrypt network communications or
application data through the use of various
protocols (e.g., TLS, IPsec, SSH). This protects
the data from being accessed by a third
party.
Malicious Payloads
Threat: Malicious
payloads such as viruses, worms, Trojan horses, and
active content attack systems through many vectors.
End users of the system may accidentally trigger
malicious payloads.
Examples:
A user visits a Web site and downloads a
free game that includes a Trojan horse. When the
user installs the game on her computer, the Trojan
horse is also installed, which compromises the
system.
A user with administrative-level
privileges surfs the Web and accidentally visits a
malicious Web site, which successfully infects the
user’s system.
A user installs and operates
peer-to-peer (P2P) file sharing software to
download music files, and the P2P software
installs spyware programs onto the
system.
A user opens and executes a payload that
was attached to a spam or spoofed
message.
Impact: Malware
often gains full administrative-level privileges to
the system, or inadvertently crashes the system.
Malware may cause a loss of confidentiality,
integrity, and availability.
Possible Controls:
Educate users on avoiding malware
infections, and make them aware of local policy
regarding the use of potential transmission
methods such as instant messaging (IM) software
and P2P file sharing services. Users who are
familiar with the techniques for spreading malware
should be less likely to infect their
systems.
Use antivirus software and spyware
detection and removal utilities as an automated
way of preventing most infections and detecting
the infections that were not prevented.
Use e-mail clients that support spam
filtering, which automatically detects and quarantines
messages that are known to be spam or have the
same characteristics as typical spam.
Do not install or use non-approved
applications (e.g., P2P, IM) to connect to unknown
servers. Educate users regarding the potential
impact caused by the use of P2P, IM, and other
untrusted software applications.
Operate the system on a daily basis with
a limited user account. Only use
administrator-level accounts when needed for
specific maintenance tasks. Many instances of
malware cannot successfully infect a system unless
the current user has administrative
privileges.
Configure server and client software
such as e-mail servers and clients, Web proxy
servers and clients, and productivity applications
to reduce exposure to malware. For example, email
servers and clients could be configured to block
e-mail attachments with certain file extensions.
This should help to reduce the likelihood of
infections.
Configure systems, particularly in
specialized security-limited functionality
environments, so that the default file
associations prevent automatic execution of active
content files (e.g., Java, JavaScript,
ActiveX).
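Several of the host-level controls listed in the threat sections above (a logon banner, a password-protected screen saver, disabled Remote Assistance and Remote Desktop, automatic updates, the host firewall, and stopping unused services) can be verified on a Windows 7 host. The read-only PowerShell audit below is an added example and is not part of the NIST guide or the USGCB content; the registry locations, the expected values, and the `bthserv` service name are my assumptions about where Windows stores these settings, and the USGCB SCAP content remains the authoritative source for the required values.

```powershell
# Added example (not NIST/USGCB content): read-only audit of several host
# controls discussed above on a Windows 7 system. The registry locations,
# expected values and the 'bthserv' service name are assumptions about where
# Windows stores these settings; the USGCB SCAP content remains authoritative.
# Works in PowerShell 2.0 or later. Nothing on the host is modified.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Return $null when the key or value is absent instead of throwing, so a
    # missing policy shows up as a FAIL with '<not set>' rather than an error.
    if (-not (Test-Path -Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }
    return $item.$Name
}

# Each check names the control and the threat category it mitigates, how the
# current value is read, and the predicate the value must satisfy to pass.
# A value that is absent fails every numeric predicate ($null -eq 0 is false),
# which is the intended outcome: the control is not being enforced by policy.
$Checks = @(
    @{ Control = 'Logon banner caption set (Unauthorized Local Access)'
       Read    = { Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 'LegalNoticeCaption' }
       Pass    = { param($v) [string]::IsNullOrEmpty($v) -eq $false } },
    @{ Control = 'Logon banner text set (Unauthorized Local Access)'
       Read    = { Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 'LegalNoticeText' }
       Pass    = { param($v) [string]::IsNullOrEmpty($v) -eq $false } },
    @{ Control = 'Screen saver password protected by policy (Unauthorized Local Access)'
       Read    = { Get-RegValue 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop' 'ScreenSaverIsSecure' }
       Pass    = { param($v) "$v" -eq '1' } },
    @{ Control = 'Remote Assistance not enabled (Network Services)'
       Read    = { Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Remote Assistance' 'fAllowToGetHelp' }
       Pass    = { param($v) $v -eq 0 } },
    @{ Control = 'Remote Desktop connections denied (Network Services)'
       Read    = { Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' 'fDenyTSConnections' }
       Pass    = { param($v) $v -eq 1 } },
    @{ Control = 'Automatic Updates enforced by policy (Privilege Escalation, Network Services)'
       Read    = { Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' 'NoAutoUpdate' }
       Pass    = { param($v) $v -eq 0 } },
    @{ Control = 'Windows Firewall on for the domain profile (Network Services)'
       Read    = { Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile' 'EnableFirewall' }
       Pass    = { param($v) $v -eq 1 } },
    @{ Control = 'Bluetooth Support Service (bthserv) not running (unused local service)'
       # An absent service also passes: there is nothing to disable.
       Read    = { $s = Get-Service -Name 'bthserv' -ErrorAction SilentlyContinue; if ($s) { "$($s.Status)" } else { $null } }
       Pass    = { param($v) $v -ne 'Running' } }
)

function Invoke-BaselineAudit {
    param([object[]]$Checks)
    foreach ($c in $Checks) {
        $actual  = & $c.Read
        $ok      = & $c.Pass $actual
        $shown   = '<not set>'
        if ($actual -ne $null) { $shown = "$actual" }
        $verdict = 'FAIL'
        if ($ok) { $verdict = 'PASS' }
        New-Object PSObject -Property @{
            Result  = $verdict
            Control = $c.Control
            Actual  = $shown
        }
    }
}

$Report = @(Invoke-BaselineAudit -Checks $Checks)
$Report | Format-Table -Property Result, Control, Actual -AutoSize
$Failed = @($Report | Where-Object { $_.Result -eq 'FAIL' }).Count
Write-Output ('{0} of {1} checks failed' -f $Failed, $Report.Count)
```

A FAIL on a policy-backed value means the setting is not enforced centrally, even if a local user has configured it by hand; compare the failing rows against the corresponding USGCB rules before changing anything.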
Environments and Security Controls Documentation
This section describes the types of environments in which a Windows 7
host may be deployed – SOHO, enterprise, and custom – as described in the
NIST Security Configuration Checklists Program for IT Products. The two
typical custom environments for Windows 7 are specialized security-limited
functionality, which is for systems at high risk of attack or data exposure,
with security taking precedence over functionality, and legacy, which is
intended for situations in which the Windows 7 system has special needs that
do not fit into the other profiles, such as a requirement for backward
compatibility with legacy applications or servers. Each environment
description also summarizes the primary threats and controls that are
typically part of the environment. In addition to documenting controls,
every environment should have other various security-related documentation,
such as acceptable use policies and security awareness materials, that
affects configuration and usage of systems and applications. The last part
of this section lists some common types of security-related
documentation.
SOHO
SOHO, sometimes called standalone, describes small, informal
computer installations that are used for home or business purposes.
SOHO encompasses a variety of small-scale environments and devices,
ranging from laptops, mobile devices, and home computers, to
telecommuting systems located on broadband networks, to small
businesses and small branch offices of a company. Figure 2-2 shows a
typical SOHO network architecture. Historically, SOHO environments are
the least secured and most trusting. Generally, the individuals
performing SOHO system administration are less knowledgeable about
security. This often results in environments that are less secure than
they need to be because the focus is generally on functionality and
ease of use. A SOHO system might not use any security software (e.g.,
antivirus software, personal firewall). In some instances, there are
no network-based controls such as firewalls, so SOHO systems may be
directly exposed to external attacks. Therefore, SOHO environments are
frequently targeted for exploitation, not necessarily to acquire
information, but more commonly to be used for attacking other
computers, or incidentally as collateral damage from the propagation
of a worm. Because the primary threats in SOHO environments are
external, and SOHO computers generally have less restrictive security
policies than enterprise or specialized security-limited functionality
computers, they tend to be most vulnerable to attacks from remote
threat categories. (Although remote threats are the primary concern
for SOHO environments, it is still important to protect against other
threats.) SOHO systems are typically threatened by attacks against
network services and by malicious payloads (e.g., viruses, worms).
These attacks are most likely to affect availability (e.g., crashing
the system, consuming all network bandwidth, breaking functionality)
but may also affect integrity (e.g., infecting data files) and
confidentiality (e.g., providing remote access to sensitive data,
e-mailing data files to others). SOHO security is improving
with the proliferation of small, inexpensive, hardware-based firewall
routers that protect to some degree the SOHO machines behind them. The
adoption of personal firewalls (e.g., BlackICE, ZoneAlarm, Windows
Firewall) is also helping to better secure SOHO environments. Another
key to SOHO security is strengthening the hosts on the SOHO network by
patching vulnerabilities and altering settings to restrict unneeded
functionality.
Enterprise
The enterprise environment, also known as a managed
environment, is typically comprised of large organizational systems
with defined, organized suites of hardware and software
configurations, usually consisting of centrally managed workstations
and servers protected from threats on the Internet with firewalls and
other network security devices. Figure 2-3 shows a typical enterprise
network architecture. Enterprise environments generally have a group
dedicated to supporting users and providing security. The combination
of structure and skilled staff allows better security practices to be
implemented during initial system deployment and in ongoing support
and maintenance. Enterprise installations typically use a domain model
to effectively manage a variety of settings and allow the sharing of
resources (e.g., file servers, printers). The enterprise can enable
only the services needed for normal business operations, with other
possible avenues of exploit removed or disabled. Authentication,
account, and policy management can be administered centrally to
maintain a consistent security posture across an
organization. The enterprise environment is more restrictive
and provides less functionality than the SOHO environment. Managed
environments typically have better control on the flow of various
types of traffic, such as filtering traffic based on protocols and
ports at the enterprise’s connections with external networks. Because
of the supported and largely homogeneous nature of the enterprise
environment, it is typically easier to use more functionally
restrictive settings than it is in SOHO environments. Enterprise
environments also tend to implement several layers of defense (e.g.,
firewalls, antivirus servers, intrusion detection systems, patch
management systems, e-mail filtering), which provides greater
protection for systems. In many enterprise environments,
interoperability with legacy systems may not be a major requirement,
further facilitating the use of more restrictive settings. In an
enterprise environment, this guide should be used by advanced users
and system administrators. The enterprise environment settings
correspond to an enterprise security posture that will protect the
information in a moderate risk environment. In the enterprise
environment, systems are typically susceptible to local and remote
threats. In fact, threats often encompass all the categories of
threats defined in Section 2.3. Local attacks, such as unauthorized
usage of another user’s workstation, most often lead to a loss of
confidentiality (e.g., unauthorized access to data) but may also lead
to a loss of integrity (e.g., data modification) or availability
(e.g., theft of a system). Remote threats may be posed not only by
attackers outside the organization, but also by internal users who are
attacking other internal systems across the organization’s network.
Most security breaches caused by remote threats involve malicious
payloads sent by external parties, such as viruses and worms acquired
via e-mail or infected Web sites. Threats against network services
also occur. Both malicious payloads and network service attacks are most likely to affect
availability (e.g., crashing the system, consuming all network
bandwidth, breaking functionality) but may also affect integrity
(e.g., infecting data files) and confidentiality (e.g., providing
remote access to sensitive data). Data disclosure threats tend to come
from internal parties who are monitoring traffic on local networks,
and they primarily affect confidentiality.
Specialized Security-Limited Functionality
A specialized security-limited functionality environment is any
environment, networked or standalone, that is at high risk of attack
or data exposure. Figure 2-4 shows examples of systems that are often
found in specialized security-limited functionality environments,
including outward-facing Web, e-mail, and DNS servers, and firewalls.
Typically, providing sufficiently strong protection for these systems
involves a significant reduction in system functionality. It assumes
systems have limited or specialized functionality in a highly
threatened environment such as an outward facing firewall or public
Web server, or whose data content or mission purpose is of such value
that aggressive trade-offs in favor of security outweigh the potential
negative consequences to other useful system attributes such as legacy
applications or interoperability with other systems. The specialized
security-limited functionality environment encompasses computers that
contain highly confidential information (e.g., personnel records,
medical records, financial information) and perform vital
organizational functions (e.g., accounting, payroll processing, air
traffic control). These computers might be targeted by third parties
for exploitation, but also might be targeted by trusted parties inside
the organization. A specialized security-limited
functionality environment could be a subset of a SOHO or enterprise
environment. For example, three desktops in an enterprise environment
that hold confidential employee data could be thought of as a
specialized security-limited functionality environment within an
enterprise environment. In addition, a laptop used by a mobile worker
might be a specialized security-limited functionality environment
within a SOHO environment. A specialized security-limited
functionality environment might also be a self-contained environment
outside any other environment, for instance a government security
installation dealing in sensitive data. Systems in
specialized security-limited functionality environments face the same
threats as systems in enterprise environments. Threats from both
insiders and external parties are a concern. Because of the risks and
possible consequences of a compromise in a specialized
security-limited functionality environment, it usually has the most
functionally restrictive and secure configuration. The suggested
configuration is complex and provides the greatest protection at the
expense of ease of use, functionality, and remote system management.
In a specialized security-limited functionality environment, this
guide is targeted at experienced security specialists and seasoned
system administrators who understand the impact of implementing these
strict requirements.
Legacy
A legacy environment contains older systems or applications
that use outdated communication mechanisms. This most often occurs
when machines operating in a legacy environment need more open
security settings so they can communicate to the appropriate
resources. For example, a system may need to use services and
applications that require insecure authentication mechanisms such as
null user sessions or open pipes. Because of these special needs, the
system does not fit into any of the standard environments; therefore,
it should be classified as a legacy environment system. Legacy
environments may exist within SOHO and enterprise environments, and in
rare cases within specialized security-limited functionality
environments as well. Depending on the situation, a legacy environment
may face any combination of internal and external threats. The
potential impact of the threats should be determined by considering
the threats that the system faces (as described in the previous three
sections) and then considering what additional risk the system has
because of the legacy accommodations.
Security Documentation
An organization typically has many documents related to the
security of Windows 7 systems. Foremost among the documents is a
Windows 7 security configuration guide that specifies how Windows 7
systems should be configured and secured. As mentioned in Section 2.2,
NIST SP 800-53 proposes management, operational, and technical
security controls for systems, each of which should have associated
documentation. In addition to documenting procedures for implementing
and maintaining various controls, every environment should also have
other security-related policies and documentation that affect the
configuration, maintenance, and usage of systems and applications.
Examples of such documents are as follows:
Rules of behavior and acceptable use policy
Configuration management policy, plan, and procedures
Authorization to connect to the network
IT contingency plans
Security awareness and training for end users and administrators.
Implementation and Testing of Security Controls
Implementing security controls can be a daunting task. As described
in Section 2.2, many security controls have a negative impact on system
functionality and usability. In some cases, a security control can even have
a negative impact on other security controls. For example, installing a
patch could inadvertently break another patch, or enabling a firewall could
inadvertently block antivirus software from automatically updating its
signatures or disrupt patch management software, remote management software
and other security and maintenance-related utilities. Therefore, it is
important to perform testing for all security controls to determine what
impact they have on system security, functionality, and usability, and to
take appropriate steps to address any significant issues. As
described in Section 5, NIST has compiled a set of security templates, as
well as additional recommendations for security-related configuration
changes. The controls proposed in this guide and the NIST Windows 7 security
templates are consistent with the FISMA controls, as discussed in Section
2.2. The NIST template for Specialized Security-Limited Functionality
environments represents the consensus settings from CIS, DISA, Microsoft,
NIST, NSA, and USAF; the other NIST templates are based on Microsoft’s
templates and recommendations. Although the guidance presented in
this document has undergone considerable testing, every system is unique, so
it is certainly possible for certain settings to cause unexpected problems.
System administrators should perform their own testing, especially for the
applications used by their organizations, to identify any functionality or
usability problems before the guidance is deployed throughout organizations.
It is also critical to confirm that the desired security settings have been
implemented properly and are working as expected. See Section 4.4 for
information on tools that can identify security-related misconfigurations
and vulnerabilities on Windows 7 systems.
Monitoring and Maintenance
Every system needs to be monitored and maintained on a regular basis
so that security issues can be identified and mitigated promptly, reducing
the likelihood of a security breach. However, no matter how carefully
systems are monitored and maintained, incidents may still occur, so
organizations should be prepared to respond to them. Depending on the
environment, some preventative actions may be partially or fully automated.
Guidance on performing various monitoring and maintenance activities is
provided in subsequent sections of this document or other NIST publications.
Recommended actions include the following:
Subscribing to and monitoring various vulnerability notification mailing lists (e.g., Microsoft Security Notification Service)
Acquiring and installing software updates (e.g., OS and application patches, antivirus signatures)
Monitoring event logs to identify problems and suspicious activity
Providing remote system administration and assistance
Monitoring changes to OS and software settings
Protecting and sanitizing media
Responding promptly to suspected incidents
Assessing the security posture of the system through vulnerability assessments
Disabling unneeded user accounts and deleting accounts that have been disabled for some time
Maintaining system, peripheral, and accessory hardware (periodically and as needed), and logging all hardware maintenance activities.
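Two of the routine checks listed above (monitoring the event log for suspicious activity, and finding disabled accounts that are candidates for deletion), as an added PowerShell example for a Windows 7 host; this is not code from the NIST guide. The 24-hour window, the failure threshold of 10 and the 90-day age are assumed values for illustration.

```powershell
# Added example, not part of the NIST guide: two of the routine checks listed
# above, written for a Windows 7 host and run from an elevated PowerShell
# prompt. The 24-hour window, the failure threshold of 10 and the 90-day age
# are assumed values for illustration, not figures from the guide.

function Get-FailedLogonSummary {
    param([int]$Hours = 24, [int]$Threshold = 10)
    $since = (Get-Date).AddHours(-$Hours)
    # Event ID 4625 = "An account failed to log on" in the Windows 7 Security log.
    # ReplacementStrings positions used: 5 = target user name, 10 = logon type,
    # 13 = workstation name, 19 = source IP address.
    $events = @(Get-EventLog -LogName Security -InstanceId 4625 -After $since `
        -ErrorAction SilentlyContinue)
    $events |
        Group-Object { $_.ReplacementStrings[5] + '|' + $_.ReplacementStrings[19] } |
        Where-Object { $_.Count -ge $Threshold } |
        ForEach-Object {
            $first = $_.Group[0]
            $last = @($_.Group | Sort-Object TimeGenerated)[-1]
            New-Object PSObject -Property @{
                Account     = $first.ReplacementStrings[5]
                SourceIP    = $first.ReplacementStrings[19]
                Workstation = $first.ReplacementStrings[13]
                LogonType   = $first.ReplacementStrings[10]
                Failures    = $_.Count
                LastSeen    = $last.TimeGenerated
            }
        }
}

function Get-StaleLocalAccounts {
    param([int]$MaxIdleDays = 90)
    # Local accounts are read through the WinNT ADSI provider, since Windows 7
    # has no Get-LocalUser cmdlet. Windows does not record when an account was
    # disabled, so time since last logon stands in for the age of a disabled account.
    $computer = [ADSI]"WinNT://$env:COMPUTERNAME,computer"
    $users = $computer.Children | Where-Object { $_.SchemaClassName -eq 'user' }
    foreach ($u in $users) {
        $flags = [int]$u.UserFlags.Value
        $disabled = ($flags -band 0x2) -ne 0          # ADS_UF_ACCOUNTDISABLE
        $lastLogin = $null
        try { $lastLogin = [datetime]$u.LastLogin.Value } catch { }  # throws if never logged on
        $idleDays = $null
        if ($lastLogin) { $idleDays = ((Get-Date) - $lastLogin).Days }
        $candidate = $disabled -and (($lastLogin -eq $null) -or ($idleDays -gt $MaxIdleDays))
        New-Object PSObject -Property @{
            Name            = [string]$u.Name.Value
            Disabled        = $disabled
            LastLogin       = $lastLogin
            IdleDays        = $idleDays
            DeleteCandidate = $candidate
        }
    }
}

Get-FailedLogonSummary -Hours 24 -Threshold 10 |
    Select-Object Account, SourceIP, Workstation, LogonType, Failures, LastSeen |
    Format-Table -AutoSize
Get-StaleLocalAccounts -MaxIdleDays 90 |
    Select-Object Name, Disabled, LastLogin, IdleDays, DeleteCandidate |
    Format-Table -AutoSize
```

Both functions only report; deleting an account or acting on a burst of failed logons stays a documented change under the organization's procedures.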
Summary of Recommendations
Protect each system based on the potential impact to the
system of a loss of confidentiality, integrity, or
availability.
Reduce the opportunities that attackers have to breach a
system by resolving security weaknesses and limiting
functionality according to the principle of least
privilege.
Select security controls that provide a reasonably secure
solution while supporting the functionality and usability that
users require.
Use multiple layers of security so that if one layer fails
or otherwise cannot counteract a certain threat, other layers
might prevent the threat from successfully breaching the
system.
Conduct risk assessments to identify threats against systems
and determine the effectiveness of existing security controls in
counteracting the threats. Perform risk mitigation to decide
what additional measures (if any) should be
implemented.
Document procedures for implementing and maintaining
security controls. Maintain other security-related policies and
documentation that affect the configuration, maintenance, and
usage of systems and applications, such as acceptable use
policy, configuration management policy, and IT contingency
plans.
Test all security controls, including the settings in the
NIST security templates, to determine what impact they have on
system security, functionality, and usability. Take appropriate
steps to address any significant issues before applying the
controls to production systems.
Monitor and maintain systems on a regular basis so that
security issues can be identified and mitigated promptly.
Actions include acquiring and installing software updates,
monitoring event logs, providing remote system administration
and assistance, monitoring changes to OS and software settings,
protecting and sanitizing media, responding promptly to
suspected incidents, performing vulnerability assessments,
disabling and deleting unused user accounts, and maintaining
hardware.
Windows 7 Security Components Overview
This section presents an overview of the various security features offered
by the Windows 7 Enterprise operating system (OS). Many of the components have
been inherited from earlier versions of Windows, often with improvements and
enhancements. Windows 7 also includes several new security features. This guide
provides general descriptions of most of these features, with pointers or links to
more detailed information whenever possible.
New Features in Windows 7
Windows 7 comes with several new security features. Each new security
feature is briefly described below, and most also include a reference to a
Microsoft Web page that contains more detailed information. This section
also includes an analysis of the security impact of each feature and general
recommendations for when the feature should or should not be used. The new
security features in Windows 7 are as follows:
Security Features Inherited from Earlier Windows Versions
This section discusses the most significant security features
inherited from previous Windows versions: Kerberos, smart card support,
Internet Protocol Security, Encrypting File System, Windows Firewall,
BitLocker Drive Encryption, Windows Defender, and User Account Control
(UAC). For each security feature, the section includes a brief description,
an analysis of the security impact of each feature, and general
recommendations for when the feature should or should not be used. It is
outside the scope of this document to cover the features in great depth, so
pointers to resources with additional information are provided as
needed.
Kerberos
In a domain, Windows 7 provides support for MIT Kerberos v.5
authentication, as defined in Internet Engineering Task Force (IETF)
Request for Comment (RFC) 1510. The Kerberos protocol is composed of
three subprotocols: Authentication Service (AS) Exchange,
Ticket-Granting Service (TGS) Exchange, and Client/Server (CS)
Exchange. The Kerberos v.5 standard can be used only in pure Windows
domain environments. Windows domain members use Kerberos as the
default network client/server authentication protocol, replacing the
older and less secure NTLM and LanManager (LM) authentication methods.
The older methods are still supported to allow legacy Windows clients
to authenticate to a Windows domain environment. Windows 7 standalone
workstations and members of NT domains do not use Kerberos to perform
local authentication; they use the traditional NTLM. Because Kerberos
provides stronger protection for logon credentials than older
authentication methods, it should be used whenever possible. NIST
recommends disabling LM and NTLM v1 in specialized security-limited
functionality environments, and disabling LM in all other
environments.
Smart Card Support
In the past, interactive logon meant an ability to authenticate
a user to a network by using a form of a shared credential, such as a
hashed password. Windows 7 supports public-key interactive logon by
using an X.509 v.3 certificate stored on a smart card. (This can be
used only to log on to domain accounts, not local accounts, unless
third party software has replaced the built-in Graphical
Identification and Authentication [GINA].) Instead of a password, the
user types a personal identification number (PIN) to the GINA, and the
PIN authenticates the user to the card. This process is fully
integrated with the Microsoft implementation of Kerberos. Smart
card-based authentication is appropriate for specialized
security-limited functionality environments in which strong
authentication is required, and one-factor authentication (username
and password) is insufficient. Smart cards provide two-factor
authentication, because users must possess the physical smart card and
must know the PIN. If smart cards or other types of authentication
tokens are being used, the organization should have a policy and
procedures in place to educate users on properly using tokens (e.g.,
not sharing them with other users) and protecting them (e.g.,
immediately reporting a lost or stolen token).
Internet Protocol Security
Windows 7 includes an implementation of the IETF Internet
Protocol Security (IPsec) standard called Windows IP Security. It
provides network-level support for confidentiality and integrity.
Confidentiality is achieved by encrypting packets, which prevents
unauthorized parties from gaining access to data as it passes over
networks. Integrity is supported by calculating a hash for each packet
based partially on a secret key shared by the sender and receiver, and
sending the hash in the packet. The recipient will recalculate the
hash, and if it matches the original hash, then the packet was not
altered in transit. Windows IP Security also offers packet filtering
capabilities, such as limiting traffic based on the source or
destination IP address. Windows IP Security provides a solution for
protecting data traversing public networks (e.g., the Internet) and
for protecting sensitive data on private networks (e.g., an enterprise
LAN). It is also commonly used to protect wireless network
communications in enterprise and SOHO environments. Using Windows IP
Security in conjunction with a personal firewall such as Windows
Firewall can provide protection against network-based attacks by
limiting both inbound and outbound packets.
Encrypting File System
The Encrypting File System (EFS) provides users a method to
transparently encrypt or decrypt files and folders residing on an
NTFS-formatted volume. In addition, EFS now maintains encryption
persistence, which means that any file or folder that has been
designated as encrypted will remain encrypted when moved to another
NTFS-formatted filesystem. Files are still transmitted unencrypted
across the network (except when Web Distributed Authoring and
Versioning [WebDAV] is used, which will transmit encrypted files
across networks), so users should transfer the files through a
separate encrypting protocol, such as TLS or IPsec. EFS is best used
to provide local encryption for files and is particularly useful for
laptops and other systems at high risk of physical
attack.
Windows Firewall
Windows Firewall is a stateful personal firewall. When properly
configured, it limits the access that other computers have to the
Windows 7 machine through the network. This significantly reduces the
exposure of the machine to network-based attacks such as the Blaster
worm. Windows Firewall can also be used to protect shares when a
mobile computer is used outside its normal secure and trusted
environment, or to protect access to network shares on an untrusted
network. Domain administrators can disable the use of Windows Firewall
through Group Policy, but this is generally not recommended unless it
is interfering with required functionality or a third party firewall
is already in use. Administrators can also use Group Policy to set any
Windows Firewall configuration option. Windows Firewall can add
another layer to a network security model in enterprise and
specialized security-limited functionality environments, and it is
sometimes the only layer of network defense in SOHO
environments.
BitLocker Drive Encryption
BitLocker helps keep everything from documents to passwords
safer by encrypting the entire drive that Windows and your data reside
on. Once BitLocker is turned on, any file you save on that drive is
encrypted automatically. BitLocker To Go, a new feature of Windows
7, gives the lockdown treatment to easily misplaced portable storage
devices like USB flash drives and external hard drives.
Windows Defender
Windows Defender is software that helps protect your computer
against pop-ups, slow performance, and security threats caused by
spyware and other unwanted software by detecting and removing known
spyware from your computer. Windows Defender features Real-Time
Protection, a monitoring system that recommends actions against
spyware when it’s detected, minimizes interruptions, and helps you
stay productive. Windows Defender does not perform the functions
normally associated with an anti-virus application.
User Account Control
User Account Control (UAC) is a security component first
introduced in Windows Vista. UAC enables users to perform common tasks
as non-administrators, called standard users in Windows 7, and as
administrators without having to switch users, log off, or use Run As.
A standard user account is synonymous with a non-administrative user
account in Windows. User accounts that are members of the local
Administrators group will run most applications as a standard user. By
separating user and administrator functions while enabling
productivity, UAC is an important enhancement for Windows
7.
Summary of Recommendations
Disable LM and NTLM v1 in specialized security-limited
functionality environments.
Use Kerberos authentication whenever possible.
As appropriate, use Smart Cards or another multifactor
authentication method.
As appropriate, use Windows IP Security to protect data
traversing public networks and sensitive data on private
networks.
Use EFS to protect confidential data.
Use host-based firewalls on systems.
Consider implementing BitLocker Drive Encryption on systems
that store sensitive data. This is particularly important for
mobile systems and systems that may not be physically
secure.
Utilize an anti-spyware product to protect system
integrity.
Enable User Account Control to help ensure the principle of
least privilege while enabling productivity.
Installation, Backup, and Patching
This section of the guide contains advice on performing Windows 7
installations, and backing up and patching Windows 7 systems. It discusses the
risks of installing a new system on a network and the factors to consider when
partitioning Windows 7 hard drives. It also describes various installation
techniques and provides pointers to more information on performing them. Another
important topic is the ability of Windows 7 to back up and restore data and system
configuration information. This section also discusses how to update existing
systems through Microsoft Update and other means to ensure that they are running
the latest service packs and hotfixes. Advice is also presented on identifying
missing patches and security misconfigurations on systems. Organizations
should have sound configuration management policies that govern changes made to
operating systems and applications, such as applying patches to an operating
system or modifying application configuration settings to provide greater
security. Configuration management policies should also address the initial
installation of the operating system, the installation of each application, and
the roles, responsibilities, and processes for performing and documenting system
changes caused by upgrades, patches, and other methods of
modification.
Performing a New Installation
This guide assumes that a new Windows 7 installation is being
performed from scratch. If an administrator or user is upgrading an existing
Windows installation, some of the advice in this guide may be inappropriate
and could possibly cause problems. Because a machine is unsecured and very
vulnerable to exploitation through the network during installation, it is
recommended that all installations and initial patching be done with the
computer disconnected from any network. If a computer must be connected to a
network, then it is recommended that the network be isolated and strongly
protected (e.g., shielded by a firewall on a trusted network segment) to
minimize exposure to any network attacks during installation. If possible,
the latest service pack and security patches should be downloaded from
Microsoft’s Web site, archived to read-only media, such as CD-ROMs, and kept
physically secure.
Partitioning Advice
One of the major decisions during installation is how to
partition hard drives. The primary consideration is how large the disk
drive is; for example, partitioning is not recommended for drives
under 6 gigabytes (GB). For larger drives, the following factors
should be considered:
How large is the drive?
How many physical drives does the machine have?
If the system only has one drive, is there a desire to logically separate the OS and applications from data? An example of the benefit of this is that if the OS needs to be upgraded or reinstalled, the data can easily be preserved.
What is the purpose of this computer? For example, if a computer will be used to share files within a workgroup, it may be useful to have a separate partition for the file share.
Is there a need for redundancy (e.g., mirroring a data partition onto a second drive)?
Windows 7 provides a feature known as dynamic disks. On a
dynamic disk, partition sizes can be changed as needed. For example,
an administrator could create an OS and applications partition and a
data partition on a large drive, leaving much of the drive space
available for future allocation. As needed, the administrator can use
the free space to create new partitions and to expand the existing
partitions. This provides considerable flexibility for future growth.
Users are cautioned that, as with any other feature, dynamic disks
should be tested before deploying them on production
systems. Another important consideration during installation
is which type of filesystem to use for each partition. NIST recommends
using NTFS for each partition unless there is a particular need to use
another type of filesystem. Section 7.1 contains more information on
NTFS and other filesystem options.
Installation Methods
There are several ways to perform Windows 7 installations. This
section covers three primary methods: local installations, cloning
through Sysprep, and the Remote Installation Services
(RIS).
Local Installation
The local installation approach refers to traditional
methods of installing Windows, such as using a Microsoft CD.
This is effective only for installing a small number of
computers at a time because it requires user attention
throughout the installation. When installing Windows 7 from a
CD, follow the default steps, except for the following:
For the Network Setting configuration, select Custom and disable all network clients, services, and protocols that are not required. Although this will help to limit the computer’s exposure to network-based attacks, consider the implications of disabling each service because this may inadvertently break required functionality (e.g., connecting to remote servers and printers). See Section 7.5 for more information on network clients, services, and protocols. Consider disabling the following services:
  Client for Microsoft Networks (most users will require this service)
  Client Service for NetWare
  File and Printer Sharing for Microsoft Networks
  QoS Packet Scheduler
  NWLink IPX/SPX/NetBIOS Compatible Transport Protocol
If possible, assign an Internet Protocol (IP) address, default gateway, and domain name system (DNS) server.
Even if the computer will be joining a domain, choose to be in only a workgroup, and change the workgroup name to something other than the default of WORKGROUP.
Set all environment-specific settings, such as the time zone.
When the installation prompts for accounts to be
added, only one account should be added initially. Other
accounts can always be added later once the system is fully
patched and configured. By default, the account created during
the installation and the built-in Administrator account both
belong to the Administrators group. After the initial
post-installation boot, assign both accounts strong passwords.
The next task is to install the latest service pack and
hotfixes. Only after the machine has been brought up to current
patch levels should it be connected to a regular network. Then,
the networking configuration can be changed, such as joining the
workstation to a domain, or assigning a workgroup to enable
sharing of workgroup resources (e.g., shared directories,
printers). Other services that were disabled during installation
can be enabled if needed. It is also helpful to scan through the
list of installed Windows components, determine which
applications and utilities (e.g., Internet games) are not
needed, and remove them.
Sysprep
Sysprep is a tool that permits an image from a single
Windows 7 computer installation, known as a gold system, to be
cloned onto multiple systems in conjunction with a cloning
software program such as Symantec Ghost or cloning hardware.
This technique reduces user involvement in the installation
process to approximately 5 to 10 minutes at the start of the
installation. The Sysprep approach has several benefits. Because
the standard image can be created with a strong security
configuration, Sysprep reduces the possibility of human error
during the installation process. In addition, the Windows 7
installation occurs more quickly with Sysprep. This is
beneficial not only for building new systems, but also for
reinstalling and reconfiguring the operating system and
applications much more quickly when needed – for example, as a
result of hardware failure or a virus infection. In preparing
the “gold” image for Sysprep, the same guidelines used for a
local installation should be used, with the addition of enabling
any needed services and patching the system. It is also
important to physically secure image media so that it is not
inadvertently or purposely altered.
Remote Installation Services
The Remote Installation Services (RIS) allow a computer
to be booted from the network and then to automatically install
an instance of Windows 7. RIS can be configured to perform
either a completely automated and unattended installation with
RISetup, or one that requires minimal user attendance (similar
to the Sysprep tool) with RIPrep. Several hardware and software
dependencies exist; therefore, Microsoft’s documentation on the
tool should be consulted for detailed instructions regarding how
to configure this installation method. The RIS method
has the same advantages as Sysprep. RIS has the additional
advantage that the machine being installed does not need direct
access to the physical install media (e.g., a CD-ROM).
This can be ideal in a specialized security-limited
functionality environment in which machines might not have
CD-ROM drives. The primary disadvantage of RIS is that the
machine must be connected to a network while it is being
installed. This could open up a window of opportunity to exploit
a security weakness before installation is
completed.
Backing Up Systems
To increase the availability of data in case of a system failure or
data corruption caused by a power failure or other event, Windows 7 has
built-in capabilities to back up and restore data and systems. Users run the
Backup and Restore Center, which automates most of the processes. For
example, during a backup the user is presented with several options,
including backing up the current user’s files and settings, backing up all
users’ files and settings, and backing up the whole system. This allows the
user to back up data and systems without having to manually indicate which
files and directories should be backed up, if the user’s files are where the
backup program expects them to be. To open the Backup and Restore center,
perform the following steps:
Open the Control Panel and select ‘Backup or restore your files’.
If this is your first time using the center, select ‘Set up backup’.
The Backup and Restore Center is used to both back up and restore
files. It is very important to verify periodically that backups and restores
can be performed successfully; backing up a system regularly may not be
beneficial if the backups are corrupt or the wrong files are being backed
up, for example. Organizations should have policies and procedures that
address the entire backup and recovery process, as well as the protection
and storage of backup media and recovery disks. Because backups may contain
sensitive user data as well as system configuration and security information
(e.g., passwords), backup media should be properly protected to prevent
unauthorized access. Besides the backup wizards and utilities
provided by Windows 7, there are also various third-party utilities for
backing up and restoring files and systems. It is important to verify that
the third-party software can properly back up and restore Windows 7 specific
resources, such as the Windows registry and EFS-encrypted files and folders.
Windows 7’s built-in utilities also use the Volume Shadow Copy Service (VSS)
when possible, which allows them to create consistent backups of files that
are in use. Third-party backup utilities used on Windows 7 systems should
likewise be VSS-aware or have some other sound mechanism for handling open files.
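The following PowerShell script is an added example and is not part of the original guide: it performs the periodic backup check recommended above by reading the backup versions that Windows Backup (through wbadmin.exe, the command-line front end to the same engine the Backup and Restore Center uses) has created on a Windows 7 host, flagging a backup that is too old or that lists no volumes, and shows how to start an ad-hoc backup. The wbadmin output line formats, the seven-day limit and the E: backup target are assumptions to be adjusted locally.

```powershell
# Added example, not from the original guide. Requires an elevated prompt on
# Windows 7 Professional/Enterprise/Ultimate (wbadmin.exe is not available on
# Home editions). Assumed: 'wbadmin get versions' prints one "Backup time:" and
# one "Version identifier:" line per backup, dates in the current culture's format.

function Get-WindowsBackupVersions {
    # Parse 'wbadmin get versions' into objects with a Time and a VersionId.
    $versions = @()
    $current  = $null
    foreach ($line in (& wbadmin.exe get versions 2>&1)) {
        if ($line -match '^Backup time:\s*(.+?)\s*$') {
            $time    = [DateTime]::Parse($Matches[1], [Globalization.CultureInfo]::CurrentCulture)
            $current = New-Object PSObject -Property @{ Time = $time; VersionId = $null }
            $versions += $current
        } elseif ($current -ne $null -and $line -match '^Version identifier:\s*(\S+)') {
            $current.VersionId = $Matches[1]
        }
    }
    return $versions
}

function Test-WindowsBackup {
    # Report whether the newest backup is recent enough and actually contains a volume.
    param([int]$MaxAgeDays = 7)   # assumed freshness limit
    $latest = Get-WindowsBackupVersions | Sort-Object Time -Descending | Select-Object -First 1
    if ($latest -eq $null) { return 'FAIL: no Windows Backup versions exist on this host' }
    $ageDays = [Math]::Floor(((Get-Date) - $latest.Time).TotalDays)
    if ($ageDays -gt $MaxAgeDays) {
        return "FAIL: newest backup $($latest.VersionId) is $ageDays days old (limit $MaxAgeDays)"
    }
    # 'wbadmin get items' lists what is recoverable from that version; a listing
    # without any volume means the backup selections are wrong, not merely stale.
    $items = & wbadmin.exe get items ('-version:' + $latest.VersionId) 2>&1
    if (-not ($items | Where-Object { $_ -match 'Volume' })) {
        return "WARN: backup $($latest.VersionId) contains no volumes; check what is being backed up"
    }
    return "OK: backup $($latest.VersionId) from $($latest.Time) is $ageDays days old"
}

function Start-SystemBackup {
    # Start an immediate backup of C: plus all critical volumes to the given target,
    # e.g. a removable drive that is stored off-line afterwards (E: is a placeholder).
    param([string]$Target = 'E:')
    & wbadmin.exe start backup ('-backupTarget:' + $Target) '-include:C:' '-allCritical' '-quiet'
}

Test-WindowsBackup
```

Run it from an elevated PowerShell prompt. Because the backup target holds a full copy of the system, including the registry hives that carry password hashes, protect the backup drive with the same access controls as the system itself, as the text above recommends.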
Updating Existing Systems
Host security – securing a given computer – has become increasingly
important. As such, it is essential to keep a host up to current patch
levels to eliminate known vulnerabilities and weaknesses. In conjunction
with antivirus software and a personal firewall, patching goes a long way to
securing a host against outside attacks and exploitation. Microsoft provides
two mechanisms for distributing security updates: Automatic Updates and
individual patch distribution. In smaller environments, either method may be
sufficient for keeping systems current with patches. Other environments
typically have a software change management control process or a patch
management program that tests patches before deploying them; distribution
may then occur through a local Windows Server Update Services (WSUS)
server (WUS, Windows Update Services, was the pre-release name of WSUS)
or through a third-party configuration
management tool. This section discusses Automatic Updates as well as patch
management considerations for managed environments. This section also
defines the types of updates that Microsoft typically
provides.
Update Notification
As described later in this section, it is possible to configure
Windows 7 systems to download critical updates automatically. However,
this still leaves other updates that can only be downloaded manually.
Therefore, it is important for Windows 7 system administrators to be
notified of new updates that Microsoft releases. The Microsoft
Security Notification Service is a mailing list that notifies
subscribers of new security issues and the availability of all types
of Microsoft updates. Microsoft security bulletins are also available
online from the TechNet Security Resource Center. Individual bulletins
are issued for each new vulnerability and are incorporated into
monthly bulletins that list the vulnerabilities and potential severity
(e.g., critical, important, moderate). Each bulletin provides guidance
regarding under what circumstances the suggested mitigation strategy
(e.g., patch) should be applied.
Microsoft Update Types
Microsoft releases updated code for Windows 7-related security
issues through three mechanisms: hotfixes, security rollups, and
service packs. A hotfix is a patch that fixes a specific problem.
When a new vulnerability is discovered in Windows 7 or a
Microsoft application (e.g., Internet Explorer), Microsoft
develops a hotfix that will resolve the problem. Hotfixes
are released on an individual basis as needed. Hotfixes
should be applied as soon as practical for vulnerabilities
that are likely to be exploited. (Whenever possible,
hotfixes should first be tested on a nonproduction system
to ensure that they do not inadvertently break
functionality or introduce a new security problem by
invalidating a previously configured security
control.) A security rollup is a collection of several hotfixes.
The security rollup makes the same cumulative changes to
the system that would be performed if each hotfix were
installed separately. However, it is easier to download
and install a single security rollup than 10 hotfixes.
Microsoft releases security rollups on occasion when
merited. Security rollups are most useful for updating
existing systems that have not been maintained and for
patching new systems. A service pack (SP) is a major upgrade to the
operating system that resolves dozens of functional and
security problems and often introduces some new features
or makes significant configuration changes to systems.
Service packs incorporate most previously released
hotfixes, so once an SP has been applied to a system,
there is no need to install the hotfixes that were
included in the service pack. Service packs are released
on a periodic basis. Because SPs often make major changes
to the operating system, organizations should test the SP
thoroughly before deploying it in production. In SOHO
environments, the best approach is to delay installation
of the SP for at least a few weeks so that early adopters
can identify any bugs or issues. However, if the SP
provides a fix for a major security issue, and the fix is
not available through hotfixes, it may be less risky to
install the SP immediately than to let the system remain
unpatched.
Automatic Updates
One facility that is available to patch systems with little to
no user intervention is the Automatic Updates feature. When enabled,
it will automatically check the Microsoft update servers for OS and
Microsoft application updates, including service packs, security
roll-ups, and hotfixes, as well as updated hardware drivers. Automatic
Updates has a prioritization feature that ensures the most critical
security updates are installed before less important
updates. Automatic Updates provides four configuration
options to users:
· Install updates automatically
· Download updates but let me choose whether to install them
· Check for updates but let me choose whether to download and install them
· Never check for updates
The following options are also configurable:
· The day and time to install updates, if Install updates automatically is selected
· Give me recommended updates the same way I receive important updates
· Allow all users to install updates on the computer
· Give me updates for Microsoft products and check for new optional Microsoft software when I update Windows
· Show me detailed notifications when new Microsoft software is available
Generally, it is best to configure the system to download
updates automatically, unless bandwidth usage is a concern. For
example, downloading patches could adversely affect the functionality
of a computer that is connected to the Internet on a slow link. In
this case, it would be preferable for Automatic Updates to be
configured to notify the user that new patches are available. The user
should then make arrangements to download the patch at the next time
when the computer is not needed for normal functionality. Choosing
whether to install updates automatically or prompt the user is
dependent upon the situation. If the user is likely to ignore the
notifications, then it may be more effective to install the updates on
a schedule. If the system is in use at unpredictable days and times,
then it may be difficult to set a schedule that will not interfere
with system usage. Another issue to consider is that many updates
require the system to be rebooted before the update takes effect.
Windows 7 offers an Install updates and
shutdown option as part of its Shut Down dialog
box, which may be helpful in reminding users to launch the update
installation process. It is highly recommended that the
Automatic Updates service be enabled to keep the OS and key Microsoft
applications (e.g., Internet Explorer, Outlook Express) fully patched.
To enable Automatic Updates, perform the following steps:
1. Click the Start menu and select Control Panel.
2. Select System and Security.
3. Under Windows Update, select Turn Automatic Updating On or Off.
4. Choose the appropriate selection in the drop-down list (such as Download updates for me, but let me choose when to install them).
5. Configure additional options as desired.
6. Click OK to apply the settings.
A user can also force the system to check for available
updates by selecting Windows Update from the Start
menu. Some organizations do not want the latest updates
applied immediately to their Windows systems. For example, in a
managed environment it may be undesirable for hotfixes to be deployed
to production systems until they have been tested by Windows
administrators and security administrators. In addition, in large
environments, many systems may need to download the same hotfix
simultaneously. This could cause a serious impact on network
bandwidth. Organizations with such concerns often establish a local
WSUS update server that contains approved updates or implement
another method of patch management. The Automatic Updates feature on
Windows 7 systems should then be configured to point to the local
update server. Note that WSUS on its own distributes only Microsoft
updates; third-party software updates require a local publishing tool
(such as System Center Updates Publisher) or a separate patch management product.
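As an added example (not from the original guide), the PowerShell script below reads the Automatic Updates configuration that the Control Panel steps above set, as expressed in the Windows Update policy registry keys, and shows how a managed environment points clients at a local WSUS server. The registry paths and value names are the documented locations written by the "Configure Automatic Updates" and "Specify intranet Microsoft update service location" Group Policy settings; the WSUS URL is a placeholder.

```powershell
# Added example, not from the original guide. Run elevated. The WSUS URL passed
# to Set-WsusClientPolicy is a placeholder for the organization's own server.

$WUPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AUPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'

function Get-AutomaticUpdatesPolicy {
    # Report the policy-enforced Automatic Updates mode in the Control Panel's wording.
    $auOptionNames = @{
        2 = 'Check for updates but let me choose whether to download and install them'
        3 = 'Download updates but let me choose whether to install them'
        4 = 'Install updates automatically (on the scheduled day and time)'
        5 = 'Allow local administrators to choose the setting'
    }
    $au = Get-ItemProperty -Path $AUPolicy -ErrorAction SilentlyContinue
    $wu = Get-ItemProperty -Path $WUPolicy -ErrorAction SilentlyContinue
    if ($au -and $au.NoAutoUpdate -eq 1) { $mode = 'Never check for updates' }
    elseif ($au -and $au.AUOptions)      { $mode = $auOptionNames[[int]$au.AUOptions] }
    else                                  { $mode = 'Not set by policy; the Control Panel setting applies' }
    $day = $null; $hour = $null; $server = $null
    # ScheduledInstallDay: 0 = every day, 1 = Sunday .. 7 = Saturday; ScheduledInstallTime: 0-23
    if ($au) { $day = $au.ScheduledInstallDay; $hour = $au.ScheduledInstallTime }
    if ($wu) { $server = $wu.WUServer }
    New-Object PSObject -Property @{
        Mode = $mode; ScheduledDay = $day; ScheduledHour = $hour
        UsesLocalServer = [bool]($au -and $au.UseWUServer -eq 1); Server = $server
    }
}

function Set-WsusClientPolicy {
    # Point the Automatic Updates client at an internal WSUS server, keep automatic
    # download on, and let administrators decide when approved updates are installed.
    param(
        [Parameter(Mandatory=$true)][string]$WsusUrl,   # e.g. https://wsus.example.local:8531 (placeholder)
        [ValidateSet(2,3,4)][int]$AUOptions = 3,
        [ValidateRange(0,7)][int]$InstallDay = 0,
        [ValidateRange(0,23)][int]$InstallHour = 3
    )
    foreach ($key in $WUPolicy, $AUPolicy) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    }
    Set-ItemProperty -Path $WUPolicy -Name WUServer       -Value $WsusUrl -Type String
    Set-ItemProperty -Path $WUPolicy -Name WUStatusServer -Value $WsusUrl -Type String
    Set-ItemProperty -Path $AUPolicy -Name UseWUServer    -Value 1          -Type DWord
    Set-ItemProperty -Path $AUPolicy -Name NoAutoUpdate   -Value 0          -Type DWord
    Set-ItemProperty -Path $AUPolicy -Name AUOptions      -Value $AUOptions -Type DWord
    Set-ItemProperty -Path $AUPolicy -Name ScheduledInstallDay  -Value $InstallDay  -Type DWord
    Set-ItemProperty -Path $AUPolicy -Name ScheduledInstallTime -Value $InstallHour -Type DWord
    # The Windows Update Agent reads policy when it starts; restart it and force a
    # detection cycle so the client registers with the new server immediately.
    Restart-Service -Name wuauserv
    & wuauclt.exe /resetauthorization /detectnow
}

Get-AutomaticUpdatesPolicy | Format-List
```

Values under HKLM\SOFTWARE\Policies take precedence over the Control Panel setting and grey it out, which is what a managed environment wants. Prefer an https:// WSUS URL: the client trusts the server for the list of updates it should install, so a plain-HTTP WSUS connection on a hostile network can be intercepted.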
Patching in Managed Environments
Enterprise and specialized security-limited functionality
environments, especially those that are considered managed
environments, should have a patch management program that is
responsible for acquiring, testing, and verifying each patch, then
arranging for its distribution to systems throughout the organization.
NIST SP 800-40 version 2, Creating a Patch and Vulnerability
Management Program, provides in-depth advice on establishing patching
processes and testing and applying patches. For each patch that is
released, the patch management team should research the associated
vulnerabilities and prioritize the patch appropriately. It is not
uncommon for several patches to be released in a relatively short
time, and typically one or two of the patches are much more important
to the organization than the others. Each patch should be tested with
system configurations that are representative of the organization’s
systems. Once the team determines that the patch is suitable for
deployment, the patch needs to be distributed through automated or
manual means for installation on all appropriate systems. (There are
several third-party applications available for patch management and
distribution, which support many types of platforms and offer
functionality that supports enterprise requirements.) Finally, the
team needs to check systems periodically to confirm that the patch has
been installed on each system, and to take actions to ensure that
missing patches are applied. Microsoft offers the following
command-line tools that may be helpful in hotfix deployment:
· The qchain.exe tool allows multiple hotfixes to be installed at one time, instead of installing a hotfix, rebooting, then installing another hotfix.
· The qfecheck.exe tool can be used to track and verify installed hotfixes.
Both tools date from the Windows 2000/XP era. Windows 7 updates are
delivered as .msu packages installed by wusa.exe; several can be chained
in one pass by running each with the /quiet /norestart switches and
rebooting once at the end, and installed updates can be listed with the
Get-HotFix PowerShell cmdlet or wmic qfe list.
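To support the periodic verification step described above, the following PowerShell script is an added example (not from the original guide) that checks a list of hosts for a set of required updates with Get-HotFix and installs a batch of .msu packages with a single deferred reboot. Host names and KB numbers are placeholders (KB976932 is Windows 7 SP1); remote queries need administrator rights and WMI access on each host.

```powershell
# Added example, not from the original guide. Get-HotFix reads the
# Win32_QuickFixEngineering class, which lists updates installed through the
# Windows servicing stack (OS updates, not application updates such as Office).
# Host names and KB numbers below are placeholders.

function Test-RequiredUpdates {
    # For each host, report the service pack level and which required KBs are missing.
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME),
        [string[]]$RequiredKB   = @('KB976932')     # placeholder list; KB976932 = Windows 7 SP1
    )
    foreach ($computer in $ComputerName) {
        try {
            $installed = @(Get-HotFix -ComputerName $computer -ErrorAction Stop |
                           ForEach-Object { $_.HotFixID })
            $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $computer -ErrorAction Stop
        } catch {
            New-Object PSObject -Property @{
                Computer = $computer; ServicePack = $null; Missing = $null
                Status = "UNREACHABLE: $($_.Exception.Message)"
            }
            continue
        }
        $missing = @($RequiredKB | Where-Object { $installed -notcontains $_ })
        if ($missing.Count -gt 0) { $status = 'NONCOMPLIANT' } else { $status = 'COMPLIANT' }
        New-Object PSObject -Property @{
            Computer = $computer; ServicePack = $os.CSDVersion
            Missing = ($missing -join ', '); Status = $status
        }
    }
}

function Install-UpdatePackages {
    # Install several .msu packages in one pass with a single reboot at the end
    # (the Windows 7 equivalent of qchain.exe). Returns $true if a reboot is needed.
    param([Parameter(Mandatory=$true)][string[]]$Path)
    $rebootNeeded = $false
    foreach ($msu in $Path) {
        $proc = Start-Process -FilePath wusa.exe -ArgumentList "`"$msu`" /quiet /norestart" -Wait -PassThru
        switch ($proc.ExitCode) {
            0       { }                                   # installed
            3010    { $rebootNeeded = $true }             # ERROR_SUCCESS_REBOOT_REQUIRED
            2359302 { }                                   # WU_S_ALREADY_INSTALLED (0x240006)
            default { Write-Warning "$msu failed with exit code $($proc.ExitCode)" }
        }
    }
    return $rebootNeeded
}

Test-RequiredUpdates | Format-Table Computer, ServicePack, Missing, Status -AutoSize
```

Win32_QuickFixEngineering only lists updates installed through the Windows servicing stack, so application updates (Office, third-party products) still need MBSA or WSUS reporting; treat this as a quick compliance check rather than a complete inventory.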
Identifying Security Issues
Host security is largely dependent upon staying up to date with
security patches as well as identifying and remediating other security
weaknesses. The Microsoft Baseline Security Analyzer (MBSA) is a utility
that can scan the local computer and remote computers to identify security
issues. MBSA must have local administrator-level access on each computer
that it is scanning. MBSA offers both graphical user interface (GUI) and
command-line interfaces. MBSA can identify which updates are missing from
the operating system and common Microsoft applications (e.g., Internet
Explorer, Media Player, Internet Information Services [IIS], Exchange
Server, Structured Query Language [SQL] Server) on each system. For the
operating system and a few applications (e.g., Internet Explorer, IIS, SQL
Server, Office), it can also identify other security issues, such as
insecure configurations and settings. MBSA only identifies the problems; it
has no ability to change settings or download and install updates onto
systems. The methods discussed in Section 4.3 should be used to download and
apply patches. Individual systems can also monitor their own
security state and alert users of potential problems. Windows 7 offers the
Action Center (the successor of the Windows Security Center found in
earlier Windows versions), which is a service that can be configured to
monitor the state of the system’s firewall (either Windows Firewall or a
third-party firewall) and antivirus software, as well as the settings for
Automatic Updates. Action Center can generate alerts if the
firewall, antivirus software, or Automatic Updates feature is not enabled,
and also if certain major configuration settings are insecure, such as not
setting antivirus software to perform real-time scanning, and not setting
Automatic Updates to download and install updates automatically. Action
Center can monitor several types of third-party firewall and
antivirus software. Action Center is most helpful in SOHO
environments, so that users can monitor the security state of their systems.
In an enterprise environment, systems might be updated through methods other
than Automatic Updates, and the status of systems’ firewalls and antivirus
software might already be monitored centrally.
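The MBSA command-line scan, as an added example (not from the original guide): the PowerShell script below runs mbsacli.exe against a list of hosts with the offline update catalog, so it can be used on a network that is isolated from Microsoft's servers, and extracts the missing updates from the report MBSA writes under %USERPROFILE%\SecurityScans. The install path, the catalog location, the target names and the UpdateData/IsInstalled element and attribute names of the report are assumptions; compare with one of your own reports before relying on the parse.

```powershell
# Added example, not from the original guide. Assumed: MBSA 2.x installed in its
# default location, wsusscn2.cab copied next to this script, and reports that
# contain UpdateData elements with IsInstalled/KBID/BulletinID/Severity attributes
# and a Title child, as MBSA 2.x XML reports do. Target names are placeholders.

$MbsaCli   = Join-Path $env:ProgramFiles 'Microsoft Baseline Security Analyzer 2\mbsacli.exe'
$Catalog   = Join-Path (Get-Location) 'wsusscn2.cab'
$ReportDir = Join-Path $env:USERPROFILE 'SecurityScans'   # where mbsacli stores its .mbsa reports

function Invoke-MbsaUpdateScan {
    # Scan each target for missing security updates and return one object per
    # missing update. /nd and /nvc stop MBSA from contacting Microsoft, /catalog
    # names the offline catalog, /n skips the non-update checks, and /o sets the
    # report file name. MBSA needs local administrator rights on every target.
    param([string[]]$Target = @($env:COMPUTERNAME))
    foreach ($t in $Target) {
        & $MbsaCli /nd /nvc /catalog $Catalog /n 'Password+IIS+SQL' /target $t /o $t | Out-Null
        $report = Join-Path $ReportDir "$t.mbsa"
        if (-not (Test-Path $report)) { Write-Warning "no report produced for $t"; continue }
        $xml = New-Object Xml.XmlDocument
        $xml.Load($report)
        foreach ($u in $xml.SelectNodes("//UpdateData[@IsInstalled='false']")) {
            New-Object PSObject -Property @{
                Computer = $t
                KB       = $u.GetAttribute('KBID')
                Bulletin = $u.GetAttribute('BulletinID')
                Severity = $u.GetAttribute('Severity')
                Title    = $u.Title                # child element, exposed by the XML adapter
            }
        }
    }
}

Invoke-MbsaUpdateScan | Sort-Object Severity | Format-Table Computer, KB, Bulletin, Severity, Title -AutoSize
```

Add /u and /p (or run under an account that is a local administrator on every target) when scanning remote hosts, and keep wsusscn2.cab current: an offline scan is only as complete as the catalog it was given.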
Summary of Recommendations
Use the recommendations presented in this guide only on new
Windows 7 systems, not systems upgraded from previous versions
of Windows. For upgraded systems, some of the advice in this
guide may be inappropriate and could possibly cause
problems.
Have sound configuration management policies that govern
changes made to operating systems and applications, such as
applying patches and modifying configuration
settings.
Until a new system has been fully installed and patched,
either keep it disconnected from all networks, or connect it to
an isolated, strongly protected network.
Use NTFS for each hard drive partition unless there is a
particular need to use another type of filesystem.
Disable all network clients, services, and protocols that
are not required.
Assign strong passwords to the built-in administrator
account and the user account created during
installation.
Keep systems up to current patch levels to eliminate known
vulnerabilities and weaknesses.
Use MBSA or other similar utilities on a regular basis to
identify patch status issues.
USGCB Security Settings
This section lists the specific controls that the USGCB for Windows 7
requires to be implemented. Most of the settings in this section can
be configured manually using the Local Security Policy MMC snap-in
(secpol.msc); on domain-joined systems the same settings are delivered
through Group Policy, and a domain policy overrides the local one.
Account Policies Group
This section includes both account lockout and password policy settings
GPO
Computer Configuration\Windows Settings\Security Settings\Account Policies
Account Lockout Policy Settings
Attackers often attempt to gain access to user accounts by
guessing passwords. Windows 7 can be configured to lock out (disable)
an account when too many failed login attempts occur for a single user
account in a certain time period. The following account lockout
parameters are set in the NIST templates (see below).
One of the main challenges in setting account policies is balancing security,
functionality, and usability. For example, locking out user accounts
after only a few failed logon attempts in a long time period may make
it more difficult to gain unauthorized access to accounts by guessing
passwords, but may also sharply increase the number of calls to the
help desk to unlock accounts accidentally locked by failed attempts
from legitimate users. This could also cause more users to write down
their passwords or choose easier-to-remember passwords. Organizations
should carefully think out such issues before setting Windows 7
account policies.
GPO
Computer Configuration\Windows Settings\Security
Settings\Account Policies\Account Lockout Policy
Account Lockout Duration
The amount of time in seconds that an account is locked
before it is automatically unlocked by the system. 15 minutes =
900 seconds. A value of 0 means that an administrator must unlock
the account.
Template value: 900 (selectable values: 0, 900, 3600, 86400)
Account Lockout Threshold
The maximum number of failed attempts that can occur
before the account is locked out.
Template value: 50 (selectable values: 3, 5, 10, 50)
Reset Account Lockout Counter After
The time period in seconds to be used with the lockout
threshold value. For example, if the threshold is set to 10
attempts and the reset period is set to 15 minutes, then if more
than 10 failed login attempts occur with a single user account
within a 15-minute period, the account will be locked out. 15
minutes = 900 seconds.
Template value: 900 (selectable values: 900, 3600, 86400)
Account Lockout Duration
This value specifies how long the user account should be locked out. This is often set to a low but substantial value (e.g., 15 minutes), for two reasons. First, a legitimate user who is accidentally locked out only has to wait 15 minutes to regain access, instead of asking an administrator to unlock the account. Second, an attacker who is guessing passwords using brute force methods will only be able to try a small number of passwords at a time, then wait 15 minutes before trying any more. This greatly reduces the chances that the brute force attack will be successful. Bear in mind that any lockout policy also lets an attacker who can reach the logon interface deliberately lock legitimate users out by submitting bad passwords for their accounts; a short automatic unlock limits that denial of service, whereas a value of 0 (administrator must unlock) makes it worse.
GPO
Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policy
CCE-9308-8
Account Lockout Threshold
The threshold value specifies the maximum number of failed attempts that can occur before the account is locked out.
GPO
Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policy
CCE-9136-3
Reset Account Lockout Counter After
This specifies the time period to be used with the lockout threshold value. For example, if the threshold is set to 10 attempts and the reset period is set to 15 minutes, then if more than 10 failed login attempts occur with a single user account within a 15-minute period, the account will be locked out.
GPO
Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policy
CCE-9400-3
Password Policy Settings
In addition to educating users regarding the selection and use
of good passwords, it is also important to set password parameters so
that passwords are sufficiently strong. This reduces the likelihood of
an attacker guessing or cracking passwords to gain unauthorized access
to the system. As described in Section 3.2.1, NIST recommends the
use of NTLM v2 or Kerberos instead of LM or NTLM v1 for
authentication. The following parameters are specified in the NIST
templates:
GPO
Computer Configuration\Windows Settings\Security
Settings\Account Policies\Password Policy
Enforce Password History
The number of passwords remembered.
Template value: 24 (selectable values: 5, 24)
Maximum Password Age
The maximum age in seconds before a password expires (90
days = 7776000 seconds; 60 days = 5184000 seconds).
Template value: 7776000 (selectable values: 5184000, 7776000)
Minimum Password Age
The minimum age in seconds before a password may be
changed. 1 day = 86400 seconds.
Template value: 86400 (selectable values: 86400, 172800, 432000)
Minimum Password Length
The minimum number of characters required for a
password.
Template value: 14 (selectable values: 8, 9, 12, 14, 15)
Enforce Password Complexity
This value determines whether Windows 7 applies its
minimum-strength password filter. 1 = enabled.
Template value: 1 (selectable values: 0, 1)
Store Passwords Using Reversible Encryption
This value determines whether Windows 7 stores passwords in a
reversible (decryptable) form instead of as a one-way hash. 1 =
enabled (reversible storage on); this should be 0 unless a legacy
authentication protocol requires it.
Template value: 0 (selectable values: 0, 1)
Enforce Password History
This setting determines how many old passwords the system will remember for each account. Users will be prevented from reusing any of the old passwords. For example, if this is set to 24, then the system will not allow users to reuse any of their last 24 passwords. Old passwords may have been compromised, or an attacker may have taken a long time to crack encrypted passwords. Reusing an old password could inadvertently give attackers access to the system.
GPO
Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy
CCE-8912-8
Maximum Password Age
This forces users to change their passwords regularly. The lower this value is set, the more likely users will be to choose poor passwords that are easier for them to remember (e.g., Mypasswd1, Mypasswd2, Mypasswd3). The higher this value is set, the more likely the password will be compromised and used by unauthorized parties.
GPO
Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy
CCE-9193-4
Minimum Password Age
This setting requires users to wait for a certain number of days before changing their password again. The setting prevents a user from changing a password when it reaches the maximum age and then immediately changing it back to the previous password. Unfortunately, this setting also prevents users who inadvertently reveal a new password to others from changing it immediately without administrator intervention.
GPO
Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy
CCE-9330-2
Minimum Password Length
This setting specifies the minimum length of a password in characters. The rationale behind this setting is that longer passwords are more difficult to guess and crack than shorter passwords. The downside is that longer passwords are often more difficult for users to remember. Organizations that want to set a relatively large minimum password length should encourage their users to use passphrases, which may be easier to remember than conventional passwords.
GPO
Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy
CCE-9357-5
Password Complexity
Like the Minimum Password Length setting, this setting makes it more difficult to guess or crack passwords. Enabling this setting implements complexity requirements including not having the user account name in the password and using a mixture of character types, including upper case and lower case letters, digits, and special characters such as punctuation marks.
GPO
Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy
CCE-9370-8
Reversible Password Encryption
If this setting is enabled, passwords will be stored in a decryptable format, putting them at higher risk of compromise. This setting should be disabled unless it is needed to support a legacy authentication protocol, such as Challenge Handshake Authentication Protocol (CHAP).
GPO
Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy
CCE-9260-1
Local Policies Group
This section includes legacy audit policy settings, user rights assignment policy settings, and security options policy settings.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies
Audit Policy Settings
Windows 7 includes powerful system auditing capabilities. The
purpose of auditing is to record certain types of actions to a log, so
that system administrators can review the logs and detect unauthorized
activity. Audit logs may also be helpful when investigating a security
incident that has occurred. As shown in Table 6-1, system auditing is
available for logon events, account management, directory service
access, object access, policy change, privilege use, process tracking,
and system events. Each audit policy category can be configured to
record successful events, failed events, both successful and failed
events, or neither. Section 7.3 describes how file auditing can be
configured, as well as how the Event Viewer can be used to review log
entries.
GPO
Computer Configuration\Windows Settings\Security
Settings\Local Policies\Audit Policy
User Rights Assignments
The NIST security templates specify which groups (e.g.,
Administrators, Users) have certain user rights. The goal is for each
group to have only the necessary rights, and for users to only belong
to the necessary groups. This is the principle of least privilege,
described previously in Section 2.2. Examples of user rights that can
be specified are as follows:
· Accessing the system remotely and locally
· Performing backups
· Changing the time and date on the system
· Managing the logs
· Shutting down the system
GPO
Computer Configuration\Windows Settings\Security
Settings\Local Policies\User Rights Assignment
Access This Computer From The Network
Verify that the user right ‘Access This Computer From The Network’ has been granted appropriately (Administrators only). Note: restricting this right can break IPsec; see Microsoft Knowledge Base article 823659 for further guidance.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
CCE-9253-6
Act As Part Of The Operating System
Verify that the user right ‘Act As Part Of The Operating System’ has been granted appropriately. (No One)
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
CCE-9407-8
Adjust Memory Quotas For A Process
Verify that the user right ‘Adjust Memory Quotas For A Process’ has been granted appropriately.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
CCE-9068-8
Log On Locally
Verify that the user right ‘Allow Log On Locally’ has been granted appropriately.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
CCE-9345-0
Log On Through Terminal Services
Verify that the user right ‘Allow Log On Through Terminal Services’ has been granted appropriately.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
CCE-9107-4
Back Up Files and Directories
Verify that the user right ‘Back Up Files and Directories’ has been granted appropriately.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
CCE-9389-8
Bypass Traverse Checking
Verify that the user right ‘Bypass Traverse Checking’ has been granted appropriately.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
CCE-8414-5
Change the System Time
Verify that the user right ‘Change the System Time’ has been granted appropriately.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
CCE-8612-4
Change the time zone
The “Change the time zone” user right should be assigned to the appropriate accounts.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
CCE-8423-6
Create A Pagefile
Verify that the user right ‘Create A Pagefile’ has been granted appropriately.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
CCE-9185-0
Create A Token Object
Verify that the user right ‘Create A Token Object’ has been granted appropriately.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
CCE-9215-5
Create Global Objects
Verify that the user right ‘Create Global Objects’ has been granted appropriately.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
CCE-8431-9
Create Permanent Shared Objects
Verify that the user right ‘Create Permanent Shared Objects’ has been granted appropriately.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
CCE-9254-4
Create Symbolic Links
Verify that the user right ‘Create Symbolic Links’ has been granted appropriately.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
CCE-8460-8
Debug Programs
Verify that the user right ‘Debug Programs’ has been granted appropriately.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
CCE-8583-7
Deny Access To This Computer From The Network
Verify that the user right ‘Deny Access To This Computer From The Network’ has been granted appropriately.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
CCE-9244-5
Deny Logon As A Batch Job
Verify that the user right ‘Deny Logon As A Batch Job’ has been granted appropriately.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
CCE-9212-2
Deny Logon As A Service
Verify that the user right ‘Deny Logon As A Service’ has been granted appropriately.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
CCE-9098-5
Deny Logon Locally
Verify that the user right ‘Deny Logon Locally’ has been granted appropriately.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
CCE-9239-5
Deny Logon Through Remote Desktop Services
Verify that the user right ‘Deny Logon Through Remote Desktop Services’ has been granted appropriately.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
CCE-9274-2
Force Shutdown From A Remote System
Verify that the user right ‘Force Shutdown From A Remote System’ has been granted appropriately.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
CCE-9336-9
Generate Security Audits
Verify that the user right ‘Generate Security Audits’ has been granted appropriately.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
CCE-9226-2
Impersonate a Client After Authentication
Verify that the user right ‘Impersonate a Client After Authentication’ has been granted appropriately.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
CCE-8467-3
Increase a Process Working Set
The “Increase a Process Working Set” setting should be configured correctly.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
CCE-9048-0
Increase Scheduling Priority
Verify that the user right ‘Increase Scheduling Priority’ has been granted appropriately.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
CCE-8999-5
Load And Unload Device Drivers
Verify that the user right ‘Load And Unload Device Drivers’ has been granted appropriately.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
CCE-9135-5
Lock Pages In Memory
Verify that the user right ‘Lock Pages In Memory’ has been granted appropriately.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
CCE-9289-0
Log On As A Batch Job
Verify that the user right ‘Log On As A Batch Job’ has been granted appropriately.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
CCE-9320-3
Log On As A Service
Verify that the user right ‘Log On As A Service’ has been granted appropriately.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
CCE-9461-5
Manage Auditing And Security Log
Verify that the user right ‘Manage Auditing And Security Log’ has been granted appropriately.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
CCE-9223-9
Modify an object label
The “Modify an object label” user right should be assigned to the appropriate accounts.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
CCE-9149-6
Modify Firmware Environment Values
Verify that the user right ‘Modify Firmware Environment Values’ has been granted appropriately.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
CCE-9417-7
Perform Volume Maintenance Tasks
Verify that the user right ‘Perform Volume Maintenance Tasks’ has been granted appropriately.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
CCE-8475-6
Profile Single Process
Verify that the user right ‘Profile Single Process’ has been granted appropriately.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
CCE-9388-0
Profile System Performance
Verify that the user right ‘Profile System Performance’ has been granted appropriately.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
CCE-9419-3
Remove Computer From Docking Station
Verify that the user right ‘Remove Computer From Docking Station’ has been granted appropriately.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
CCE-9326-0
Replace A Process Level Token
Verify that the user right ‘Replace A Process Level Token’ has been granted appropriately.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
CCE-8732-0
Restore Files And Directories
Verify that the user right ‘Restore Files And Directories’ has been granted appropriately.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
CCE-9124-9
Shut Down The System
Verify that the user right ‘Shut Down The System’ has been granted appropriately.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
CCE-9014-2
Take Ownership Of Files Or Other Objects
Verify that the user right ‘Take Ownership Of Files Or Other Objects’ has been granted appropriately.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
CCE-9309-6
Security Options Settings
Besides the Local Security Policy settings mentioned earlier in this section, additional settings called Security Options can be modified to achieve greater security than the default settings provide. The NIST templates specify values for dozens of such settings. Examples of the types of settings available are as follows:
· Limiting the use of blank passwords
· Renaming the default Administrator and Guest accounts
· Restricting remote access to floppy and CD-ROM drives
· Encrypting secure channel data in a domain
· Securing the interactive logon screen (e.g., not showing the previous user’s account name, displaying a warning banner, prompting users to change passwords before they expire)
· Restricting which types of network access may be performed
· Specifying which types of authentication may be used (e.g., NTLM v2)
The Security Options settings can also be accessed and adjusted manually by performing the following steps:
· From the Start menu, choose Control Panel.
· Select Administrative Tools, and then choose Local Security Policy.
· Expand Local Policies and select Security Options. The right pane lists the security options and indicates the current setting for each.
· Make any necessary changes by double-clicking on the appropriate security option, modifying the setting, and clicking OK to save the change.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
Each Security Options setting below is listed with its description, the value the baseline specifies, and the values the setting accepts.
Accounts: Administrator account status
The Administrator account status is enabled to allow the administrator to perform configuration control of the system.
Baseline value: 0 (possible values: 0, 1)

Accounts: Guest account status
This value defines the desired status of the built-in Guest account. 0 = disabled; 1 = enabled.
Baseline value: 0 (possible values: 0, 1)

Accounts: Limit local account use to blank passwords to console logon only
This value defines the desired status of limiting the use of blank passwords. 1 = enabled; 0 = disabled.
Baseline value: 1 (possible values: 0, 1)

Audit: Audit the use of Backup and Restore privilege
Controls the ability to audit the use of all user privileges, including Backup and Restore. If this policy is disabled, certain user rights will not be audited even if the “Audit privilege use” audit policy is enabled.
Baseline value: 0 (possible values: 0, 1)

Audit: Audit the access of global system objects
Controls the ability to audit access of global system objects. When this setting is enabled, system objects such as mutexes, events, semaphores, and DOS devices are created with a default system access control list (SACL).
Baseline value: 0 (possible values: 0, 1)

Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings
Baseline value: 1 (possible values: 0, 1)

Audit: Shut down system immediately if unable to log security audits
If events cannot be written to the security log, the system is halted immediately. If the system halts as a result of a full log, an administrator must log on to the system and clear the log.
Baseline value: 0 (possible values: 0, 1)

Devices: Prevent users from installing printer drivers
Defines who is allowed to add and to delete printer drivers on the local system. 1 = enabled; 0 = disabled.
Baseline value: 0 (possible values: 0, 1)

Devices: Restrict CD-ROM access to locally logged-on user only
This value determines if access to the CD-ROM drive is restricted to locally logged-on users. 1 = restricted.
Baseline value: 0 (possible values: 0, 1)

Devices: Restrict floppy access to locally logged-on user only
This value determines if access to the floppy drive is restricted to locally logged-on users. 1 = restricted.
Baseline value: 0 (possible values: 0, 1)

Domain member: Digitally encrypt secure channel data (when possible)
Requests sent on the secure channel are authenticated, and sensitive information (such as passwords) is encrypted, but not all information is encrypted. If this policy is enabled, outgoing secure channel traffic should be encrypted.
Baseline value: 1 (possible values: 0, 1)

Domain member: Disable machine account password changes
Computer account passwords are changed automatically every seven days. Enabling this policy to disable automatic password changes can make the system more vulnerable to malicious access. Frequent password changes can be a significant safeguard for your system. If this policy is disabled, a new password for the computer account will be generated every week.
Baseline value: 0 (possible values: 0, 1)

Domain member: Maximum machine account password age
This setting controls the maximum password age that a machine account may have.
Baseline value: 30 (possible values: 7, 30)

Domain member: Require strong session key
This setting controls the required strength of a session key.
Baseline value: 1 (possible values: 0, 1)

Interactive logon: Do not display last user name
This setting determines whether the name of the last user to log on to the computer will be displayed in the Windows logon dialog box.
Baseline value: 1 (possible values: 0, 1)

Interactive logon: Do not require CTRL+ALT+DEL
Disabling the Ctrl+Alt+Del security attention sequence can compromise system security. Because only Windows responds to the Ctrl+Alt+Del security sequence, you can be assured that any passwords you enter following that sequence are sent only to Windows. If you eliminate the sequence requirement, malicious programs can request and receive your Windows password. Disabling this sequence also suppresses a custom logon banner. 0 = disabled.
Baseline value: 0 (possible values: 0, 1)

Interactive logon: Message text for users attempting to log on
Specifies a text message that is displayed to users when they log on. This text is often used for legal reasons, for example, to warn users about the ramifications of misusing company information or to warn them that their actions may be audited.
Baseline value: .+ (any non-empty text; possible values: .+)

Interactive logon: Message title for users attempting to log on
The logon banner should be titled with a warning label containing the name of the owning organization.
Baseline value: .+ (any non-empty text; possible values: .+)

Interactive logon: Number of previous logons to cache (in case domain controller is not available)
Defines the number of last logon credentials cached for users who log on interactively to a system.
Baseline value: 2 (possible values: 0, 1, 2, 5, 10)

Interactive logon: Prompt user to change password before expiration
This setting configures the system to display a warning to users telling them how many days are left before their password expires.
Baseline value: 14 (possible values: 14)

Interactive logon: Require Domain Controller authentication to unlock workstation
This setting controls the behavior of the system when you attempt to unlock the workstation. If this setting is enabled, the system will pass the credentials to the domain controller (if in a domain) for authentication before allowing the system to be unlocked.
Baseline value: 0 (possible values: 0, 1)

Interactive logon: Smart card removal behavior
This value determines the desired behavior when a smart card is removed. 0 = no action; 1 = lock workstation; 2 = force logoff.
Baseline value: 1 (possible values: 0, 1, 2)

Microsoft network client: Digitally sign communications (always)
This check verifies that the client policy is set to always sign packets.
Baseline value: 0 (possible values: 0, 1)

Microsoft network client: Digitally sign communications (if server agrees)
This check verifies that the client policy is set to sign packets if the server agrees.
Baseline value: 1 (possible values: 0, 1)

Microsoft network client: Send unencrypted password to third-party SMB servers
Some non-Microsoft SMB servers only support unencrypted (plain text) password authentication. Sending plain text passwords across the network when authenticating to an SMB server reduces the overall security of the environment. Check with the vendor of the SMB server to see if there is a way to support encrypted password authentication.
Baseline value: 0 (possible values: 0, 1)

Microsoft network server: Amount of idle time required before suspending session
Administrators should use this setting to control when a computer disconnects an inactive SMB session. If client activity resumes, the session is automatically reestablished.
Baseline value: 15 (possible values: 15)

Microsoft network server: Digitally sign communications (always)
This check verifies that the server policy is set to always sign packets.
Baseline value: 1 (possible values: 0, 1)

Microsoft network server: Digitally sign communications (if client agrees)
This check verifies that the server policy is set to sign packets if the client agrees.
Baseline value: 1 (possible values: 0, 1)

Microsoft network server: Disconnect clients when logon hours expire
Users should not be permitted to remain logged on to the network after they have exceeded their permitted logon hours. In many cases, this indicates that a user forgot to log off before leaving for the day. However, it may also indicate that a user is attempting unauthorized access at a time when the system may be less closely monitored.
Baseline value: 1 (possible values: 0, 1)

Network security: Minimum session security for NTLM SSP based (including secure RPC) clients
Baseline value: 537395200 (possible values: 537395200)

Network security: Minimum session security for NTLM SSP based (including secure RPC) servers
Baseline value: 537395200 (possible values: 537395200)

Network access: Allow anonymous SID/name translation
This policy setting determines whether an anonymous user can request security identifier (SID) attributes for another user.
If this policy is enabled, an anonymous user can request the SID attribute for another user. An anonymous user with knowledge of an administrator’s SID could contact a computer that has this policy enabled and use the SID to get the administrator’s name. This setting affects both the SID-to-name translation and the name-to-SID translation.
If this policy setting is disabled, an anonymous user cannot request the SID attribute for another user.
Default on workstations and member servers: Disabled.
Default on domain controllers running Windows Server 2008 or later: Disabled.
Default on domain controllers running Windows Server 2003 R2 or earlier: Enabled.
Baseline value: 0 (possible values: 0, 1)

Network access: Do not allow anonymous enumeration of SAM accounts
This security setting determines what additional permissions will be granted for anonymous connections to the computer.
Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares. This is convenient, for example, when an administrator wants to grant access to users in a trusted domain that does not maintain a reciprocal trust.
This security option allows additional restrictions to be placed on anonymous connections as follows:
· Enabled: Do not allow enumeration of SAM accounts. This option replaces Everyone with Authenticated Users in the security permissions for resources.
· Disabled: No additional restrictions. Rely on default permissions.
Default on workstations: Enabled.
Default on servers: Disabled.
Important: This policy has no impact on domain controllers.
Baseline value: 1 (possible values: 0, 1)

Network access: Do not allow anonymous enumeration of SAM accounts and shares
This security setting determines whether anonymous enumeration of SAM accounts and shares is allowed.
Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares. This is convenient, for example, when an administrator wants to grant access to users in a trusted domain that does not maintain a reciprocal trust. If you do not want to allow anonymous enumeration of SAM accounts and shares, then enable this policy.
Default: Disabled.
Baseline value: 1 (possible values: 0, 1)

Network access: Do not allow storage of credentials or .NET Passports for network authentication
Baseline value: 1 (possible values: 0, 1)

Network access: Let Everyone permissions apply to anonymous users
Baseline value: 0 (possible values: 0, 1)

Network access: Restrict anonymous access to Named Pipes and Shares
Baseline value: 1 (possible values: 0, 1)

Network access: Sharing and security model for local accounts
Baseline value: 0 (possible values: 0, 1)

Network security: Do not store LAN Manager hash value on next password change
Baseline value: 1 (possible values: 0, 1)

Network security: Force logoff when logon hours expire
Baseline value: 0 (possible values: 0, 1)

Network security: LAN Manager authentication level
Baseline value: 5 (possible values: 0, 1, 2, 3, 4, 5)

Network security: LDAP client signing requirements
Baseline value: 1 (possible values: 0, 1, 2)

Recovery console: Allow automatic administrative logon
Baseline value: 0 (possible values: 0, 1)

Recovery console: Allow floppy copy and access to all drives and all folders
Baseline value: 0 (possible values: 0, 1)

Domain member: Digitally encrypt or sign secure channel data (always)
Requests sent on the secure channel are authenticated, and sensitive information (such as passwords) is encrypted or signed. If this policy is enabled, outgoing secure channel traffic should be encrypted.
Baseline value: 1 (possible values: 0, 1)

Domain member: Digitally sign secure channel data (when possible)
Requests sent on the secure channel are authenticated, and sensitive information (such as passwords) is encrypted, but the channel is not integrity checked. If this policy is enabled, all outgoing secure channel traffic should be signed.
Baseline value: 1 (possible values: 0, 1)

Shutdown: Allow system to be shut down without having to log on
Baseline value: 0 (possible values: 0, 1)

Shutdown: Clear virtual memory pagefile
Baseline value: 1 (possible values: 0, 1)

System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing
Baseline value: 0 (possible values: 0, 1)

System objects: Require case insensitivity for non-Windows subsystems
Baseline value: 0 (possible values: 0, 1)

System objects: Strengthen default permissions of internal system objects
Baseline value: 1 (possible values: 0, 1)

User Account Control: Admin Approval Mode for the built-in Administrator account
This security setting determines the behavior of Admin Approval Mode for the built-in Administrator account.
Baseline value: 0 (possible values: 0, 1)

User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode
This security setting determines the behavior of the elevation prompt for administrators.
Baseline value: 4 (possible values: 0, 1, 2, 3, 4, 5)

User Account Control: Behavior of the elevation prompt for standard users
This security setting determines the behavior of the elevation prompt for standard users.
Baseline value: 1 (possible values: 0, 1, 3)

User Account Control: Detect application installations and prompt for elevation
This security setting determines the behavior of application installation detection for the computer.
Baseline value: 0 (possible values: 0, 1)

User Account Control: Only elevate executables that are signed and validated
This security setting will enforce public key infrastructure (PKI) signature checks on any interactive application that requests elevation of privilege. Enterprise administrators can control which administrative applications are allowed through the certificates in the local computer’s Trusted Publishers certificate store.
Baseline value: 0 (possible values: 0, 1)

User Account Control: Only elevate UIAccess applications that are installed in secure locations
This security setting will enforce the requirement that applications requesting to be run with a UIAccess integrity level must reside in a secure location on the file system.
Baseline value: 0 (possible values: 0, 1)

User Account Control: Run all administrators in Admin Approval Mode
This security setting determines the behavior of all UAC policies for the entire system.
Baseline value: 0 (possible values: 0, 1)

User Account Control: Switch to the secure desktop when prompting for elevation
This security setting determines whether the elevation prompt appears on the interactive user’s desktop or the secure desktop.
Baseline value: 0 (possible values: 0, 1)

User Account Control: Virtualize file and registry write failures to per-user locations
This security setting enables the redirection of application write failures to defined locations in both the registry and file system. This feature mitigates those applications that historically ran as administrator and wrote runtime application data to protected locations (%ProgramFiles%, %Windir%, %Windir%\system32, or HKLM\Software\…). Virtualization facilitates the running of applications that historically failed to run as standard user because of application write failures.
Baseline value: 0 (possible values: 0, 1)
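As an added example (not from the NIST guide or this baseline), the following PowerShell script audits the local Security Options against the baseline values tabulated above by parsing a secedit export; the mapping from each Security Option to its backing registry value is my own and is not listed on the page, and the sample export embedded in the script is constructed so that it runs without a live system.

```powershell
# Added example: compare a secedit export with the baseline values above.
# Baseline: registry value (as named in a secedit .inf export) -> expected value.
# The registry names are my own mapping of the Security Options; the expected
# values are the baseline values from the table.
$Baseline = [ordered]@{
    # Accounts: Limit local account use to blank passwords to console logon only = 1
    'MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse'                  = '1'
    # Network security: Do not store LAN Manager hash value on next password change = 1
    'MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash'                               = '1'
    # Network security: LAN Manager authentication level = 5 (NTLMv2 only; refuse LM and NTLM)
    'MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel'                   = '5'
    # Network access: Do not allow anonymous enumeration of SAM accounts (and shares) = 1
    'MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM'                   = '1'
    'MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous'                      = '1'
    # Network access: Let Everyone permissions apply to anonymous users = 0
    'MACHINE\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous'              = '0'
    # Network security: Minimum session security for NTLM SSP clients/servers = 537395200
    'MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinClientSec'                = '537395200'
    'MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinServerSec'                = '537395200'
    # Domain member: Digitally encrypt or sign secure channel data (always) = 1
    'MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal'     = '1'
    # Domain member: Disable machine account password changes = 0; maximum password age = 30
    'MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange' = '0'
    'MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\MaximumPasswordAge'    = '30'
    # Microsoft network client: Send unencrypted password to third-party SMB servers = 0
    'MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnablePlainTextPassword' = '0'
    # Interactive logon: Do not display last user name = 1; Do not require CTRL+ALT+DEL = 0
    'MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName' = '1'
    'MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD'        = '0'
    # Interactive logon: Number of previous logons to cache = 2 (stored as REG_SZ)
    'MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount'     = '2'
}

function ConvertFrom-SeceditExport {
    # Parse the [Registry Values] section of a secedit export into a hashtable
    # of registry value name -> data. Lines have the form <name>=<type>,<data>,
    # where type 4 = REG_DWORD, 1 = REG_SZ (data quoted), 7 = REG_MULTI_SZ.
    param([Parameter(Mandatory)][string[]]$Lines)
    $values = @{}
    $inSection = $false
    foreach ($line in $Lines) {
        $text = $line.Trim()
        if ($text -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Registry Values'); continue }
        if (-not $inSection -or $text -eq '' -or $text.StartsWith(';')) { continue }
        $name, $rest = $text -split '=', 2
        if ($rest -notmatch '^\d+,(.*)$') { continue }   # skip anything that is not type,data
        $values[$name] = $Matches[1].Trim('"')
    }
    return $values
}

function Test-SecurityOptions {
    # One PASS/FAIL row per baseline setting; a value missing from the export is a FAIL.
    param([Parameter(Mandatory)][hashtable]$Actual, [Parameter(Mandatory)]$Expected)
    foreach ($key in $Expected.Keys) {
        $have = if ($Actual.ContainsKey($key)) { $Actual[$key] } else { '<not set>' }
        $status = if ($have -eq $Expected[$key]) { 'PASS' } else { 'FAIL' }
        [pscustomobject]@{
            Setting  = $key.Substring($key.LastIndexOf('\') + 1)
            Expected = $Expected[$key]
            Actual   = $have
            Status   = $status
        }
    }
}

# Constructed sample export (not from a real host) with two deliberate deviations:
# LM hashes are still stored (NoLMHash=0) and the LAN Manager level is 3 instead of 5.
# For a live check run:  secedit /export /cfg "$env:TEMP\secpol.inf"
# and pass (Get-Content "$env:TEMP\secpol.inf") in place of $SampleExport.
$SampleExport = @'
[Unicode]
Unicode=yes
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,3
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinClientSec=4,537395200
MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinServerSec=4,537395200
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal=4,1
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange=4,0
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\MaximumPasswordAge=4,30
MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnablePlainTextPassword=4,0
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName=4,1
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD=4,0
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount=1,"2"
[Version]
signature="$CHICAGO$"
Revision=1
'@ -split "`r?`n"

$report = Test-SecurityOptions -Actual (ConvertFrom-SeceditExport -Lines $SampleExport) -Expected $Baseline
$report | Format-Table -AutoSize
$failed = @($report | Where-Object Status -eq 'FAIL')
Write-Output ("{0} of {1} Security Options deviate from the baseline" -f $failed.Count, $report.Count)
```

Run against the constructed sample, the report marks NoLMHash and LmCompatibilityLevel as FAIL and every other setting as PASS; the same script can be scheduled after a rebuild to confirm a recovered system has returned to the baseline.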
Accounts: Administrator account status
The Administrator account status is enabled to allow the administrator to perform configuration control of the system.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-9199-1
Accounts: Guest account status
A system faces an increased vulnerability threat if the built-in guest account is not disabled. This account is a known account that exists on all Windows systems and cannot be deleted. This account is initialized during the installation of the operating system with no password assigned. This account is a member of the Everyone user group and has all the rights and permissions associated with that group, which could subsequently provide access to system resources to anonymous users. Ensure the built-in guest account is disabled.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-8714-8
Accounts: Limit local account use to blank passwords to console logon only
In Windows 7, accounts with null or blank passwords can only be used to log on at the physical system’s logon screen. This means that accounts with blank or null passwords cannot be used over networks or with the secondary logon service (RunAs). This feature prevents attackers and malware from gaining remote access through blank passwords. Section 6 contains information on other recommended password settings.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-9418-5
Accounts: Rename administrator account
The Administrator account is created by default when installing Windows 7, but is disabled. Associating the Administrator SID with a different name may thwart a potential hacker who is targeting the built-in Administrator account.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-8484-8
Accounts: Rename guest account
The Guest account is created by default when installing Windows 7, but is disabled. Associating the Guest SID with a different name may thwart a potential hacker who is targeting the built-in Guest account.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-9229-6
Audit: Audit the access of global system objects
Controls the ability to audit access of global systems objects. When this setting is enabled, system objects such as mutexes, events, semaphores, and DOS devices, are created with a default system access control list (SACL).
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-9150-4
Audit: Audit the use of Backup and Restore privilege
Controls the ability to audit the use of all user privileges, including Backup and Restore. If this policy is disabled, certain user rights will not be audited even if “Audit privilege use” audit policy is enabled.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-8789-0
Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings
Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-9432-6
Devices: Prevent users from installing printer drivers
This setting determines who is allowed to install a printer driver as part of adding a network printer.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-9026-6
Devices: Restrict CD-ROM access to locally logged-on user only
Removable media devices (CD-ROM) are readable by others on the network if they are not properly configured. A process can remain running in the background after a user logs off, thereby permitting access to the media while another user is logged on to the system.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-9304-7
Devices: Restrict floppy access to locally logged-on user only
Removable media devices (floppy disks) are readable by others on the network if they are not properly configured. A process can remain running in the background after a user logs off, thereby permitting access to the media while another user is logged on to the system.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-9440-9
Domain member: Digitally encrypt or sign secure channel data (always)
Domain member: Digitally encrypt or sign secure channel data (always). Requests sent on the secure channel are authenticated, and sensitive information (such as passwords) is encrypted or signed. If this policy is enabled, outgoing secure channel traffic should be encrypted.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-8974-8
Domain member: Digitally encrypt secure channel data (when possible)
Requests sent on the secure channel are authenticated, and sensitive information (such as passwords) is encrypted, but not all information is encrypted. If this policy is enabled, outgoing secure channel traffic should be encrypted.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-9251-0
Domain member: Digitally sign secure channel data (when possible)
Requests sent on the secure channel are authenticated, and sensitive information (such as passwords) is encrypted, but the channel is not integrity checked. If this policy is enabled, all outgoing secure channel traffic should be signed.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-9375-7
Domain member: Disable machine account password changes
Computer account passwords are changed automatically every seven days. Enabling this policy to disable automatic password changes can make the system more vulnerable to malicious access. Frequent password changes can be a significant safeguard for your system. If this policy is disabled, a new password for the computer account will be generated every week.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-9295-7
Domain member: Maximum machine account password age
This setting controls the maximum password age that a machine account may have. This setting should be set to no more than 30 days, ensuring that the machine changes its password monthly.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-9123-1
Domain member: Require strong (Windows 2000 or later) session key
This setting controls the required strength of a session key.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-9387-2
Interactive logon: Do not display last user name
This setting determines whether the name of the last user to log on to the computer will be displayed in the Windows logon dialog box.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-9449-0
Interactive logon: Do not require CTRL+ALT+DEL
Disabling the Ctrl+Alt+Del security attention sequence can compromise system security. Because only Windows responds to the Ctrl+Alt+Del security sequence, you can be assured that any passwords you enter following that sequence are sent only to Windows. If you eliminate the sequence requirement, malicious programs can request and receive your Windows password. Disabling this sequence also suppresses a custom logon banner.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-9317-9
Interactive logon: Message text for users attempting to log on
Failure to display the logon banner prior to a logon attempt will negate legal proceedings resulting from unauthorized access to system resources.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-8973-0
Interactive logon: Message title for users attempting to log on
The logon banner should be titled with a warning label containing the name of the owning organization.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-8740-3
Interactive logon: Number of previous logons to cache (in case domain controller is not available)
The default Windows 7 configuration caches the last logon credentials for users who log on interactively to a system. This feature is provided for system availability reasons, such as when the user’s machine is disconnected from the network or domain controllers are not available. Even though the credential cache is well protected, it stores encrypted copies of users’ passwords on workstations, which do not always have the same physical protection required for domain controllers. If a workstation is attacked, the unauthorized individual may isolate the password of a domain user account using a password-cracking program and gain access to the domain.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-8487-1
Interactive logon: Prompt user to change password before expiration
This setting configures the system to display a warning to users telling them how many days are left before their password expires. By giving the user advanced warning, the user has time to construct a sufficiently strong password.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-9307-0
Interactive logon: Require Domain Controller authentication to unlock workstation
This setting controls the behavior of the system when you attempt to unlock the workstation. If this setting is enabled, the system will pass the credentials to the domain controller (if in a domain) for authentication before allowing the system to be unlocked.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-8818-7
Interactive logon: Smart card removal behavior
When the smart card for a logged-on user is removed from the smart card reader, the workstation should be locked.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-9067-0
Microsoft network client: Digitally sign communications (always)
This check verifies that the client policy is set to always sign packets.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-9327-8
Microsoft network client: Digitally sign communications (if server agrees)
This check verifies that the client policy is set to sign packets if the server agrees.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-9344-3
Microsoft network client: Send unencrypted password to third-party SMB servers
Some non-Microsoft SMB servers only support unencrypted (plain text) password authentication. Sending plain text passwords across the network when authenticating to an SMB server reduces the overall security of the environment. Check with the vendor of the SMB server to see if there is a way to support encrypted password authentication.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-9265-0
Microsoft network server: Amount of idle time required before suspending session
Administrators should use this setting to control when a computer disconnects an inactive SMB session. If client activity resumes, the session is automatically reestablished.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-9406-0
Microsoft network server: Digitally sign communications (always)
This check verifies that the server policy is set to always sign packets.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-9040-7
Microsoft network server: Digitally sign communications (if client agrees)
Microsoft network server: Digitally sign communications (if client agrees). This check verifies that the server policy is set to sign packets if the client agrees.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-8825-2
Microsoft network server: Disconnect clients when logon hours expire
Users should not be permitted to remain logged on to the network after they have exceeded their permitted logon hours. In many cases, this indicates that a user forgot to log off before leaving for the day. However, it may also indicate that a user is attempting unauthorized access at a time when the system may be less closely monitored.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-9358-3
Network access: Allow anonymous SID-Name translation
Determines if an anonymous user can request security identifier (SID) attributes for another user or use a SID to get the corresponding username.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-9531-5
Network access: Do not allow anonymous enumeration of SAM accounts
If this setting is disabled, it allows anonymous logon users (null session connections) to list all account names, thus providing a map of potential points to attack the system.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-9249-4
Network access: Do not allow anonymous enumeration of SAM accounts and shares
If this setting is disabled, it allows anonymous logon users (null session connections) to list all account names and enumerate all shared resources, thus providing a map of potential points to attack the system.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-9156-1
Network access: Do not allow storage of passwords and credentials for network authentication
This setting controls the storage of authentication credentials or .NET passports on the local system. Such credentials should never be stored on the local machine as that may lead to account compromise.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-8654-6
Network access: Let Everyone permissions apply to anonymous users
This setting helps define the permissions that anonymous users have. If this setting is enabled then anonymous users have the same rights and permissions as the built-in Everyone group. Anonymous users should not have these permissions or rights.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-8936-7
Network access: Remotely accessible registry paths
Remotely accessible registry paths: System\CurrentControlSet\Control\ProductOptions; System\CurrentControlSet\Control\Server Applications; Software\Microsoft\Windows NT\CurrentVersion
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-9121-5
Network access: Remotely accessible registry paths and sub paths
As above, but for keys whose subkeys are also reachable (stored as AllowedPaths\Machine under the winreg key). Baseline value: Software\Microsoft\Windows NT\CurrentVersion\Print, Software\Microsoft\Windows NT\CurrentVersion\Windows, System\CurrentControlSet\Control\Print\Printers, System\CurrentControlSet\Services\Eventlog, Software\Microsoft\OLAP Server, System\CurrentControlSet\Control\ContentIndex, System\CurrentControlSet\Control\Terminal Server, System\CurrentControlSet\Control\Terminal Server\UserConfig, System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration, Software\Microsoft\Windows NT\CurrentVersion\Perflib, System\CurrentControlSet\Services\SysmonLog. Do not add entries without a documented need, since every path here is readable by any remote caller who can reach the winreg pipe.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-9386-4
Network access: Restrict anonymous access to Named Pipes and Shares
When enabled, anonymous access to this server is limited to the named pipes and shares explicitly listed in NullSessionPipes and NullSessionShares (HKLM\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters; the setting itself is RestrictNullSessAccess = 1); all other pipes and shares require an authenticated session. Keep it enabled and keep both lists empty unless a documented application requires an entry.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-9540-6
Network access: Sharing and security model for local accounts
Windows 7 offers two sharing and security models for network logons that use local accounts: Classic, in which local users authenticate as themselves, and Guest only, in which every network logon with a local account is mapped to the Guest account. Use Classic (registry: HKLM\SYSTEM\CurrentControlSet\Control\Lsa\ForceGuest = 0); it preserves per-user access control and auditing, and the Guest account should be disabled anyway.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-9503-4
Network security: Do not store LAN Manager hash value on next password change
This setting controls whether a LAN Manager (LM) hash of the password is stored in the SAM the next time the password is changed. The LM hash is not a sound one-way hash of the whole password: the password is uppercased, padded to 14 characters and split into two 7-character halves, each of which is used as a DES key to encrypt a fixed string, so each half can be cracked independently and readily available tools recover the password from it in hours. Enable this setting (registry: HKLM\SYSTEM\CurrentControlSet\Control\Lsa\NoLMHash = 1). Existing LM hashes remain in the SAM until each account's password is next changed, so force a password change after enabling it.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-8937-5
Network security: Force logoff when logon hours expire
This setting controls whether or not users are forced to log off when their allowed logon hours expire. If logon hours are set for users, then this should be enforced.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-9704-8
Network security: LAN Manager Authentication Level
Windows network authentication has changed considerably as security vulnerabilities have been identified and fixed. The original LAN Manager (LM) challenge response is derived from the LM hash described above and is still what Windows 9x clients use; with commercially available software on off-the-shelf hardware, most LM responses reveal the actual password in a matter of hours or days. With Windows NT 4.0, Microsoft introduced NTLM; serious weaknesses in NTLM (now called NTLMv1) left it almost as easy to crack as LM, so NTLM version 2 (NTLMv2) followed. NTLMv2, combined with a strong password policy, protects accounts well against offline brute force. All of these methods work with a hash of the password rather than the password itself, which creates down-level compatibility problems between operating systems, and on older Windows versions the default behaviour was to send the weak LM response together with the NTLM response whenever one computer authenticated to another, so the stronger protocol gained nothing.

This setting controls which responses the client sends and which responses the server accepts (registry: HKLM\SYSTEM\CurrentControlSet\Control\Lsa\LmCompatibilityLevel, values 0 to 5): 0 Send LM & NTLM responses; 1 Send LM & NTLM, use NTLMv2 session security if negotiated; 2 Send NTLM response only; 3 Send NTLMv2 response only; 4 Send NTLMv2 response only, refuse LM; 5 Send NTLMv2 response only, refuse LM & NTLM. Level 0 is the weakest, and only levels 4 and 5 stop the host from accepting the weaker responses when it acts as a server; Windows 7 defaults to level 3. To take an effective stand on network authentication, set LAN Manager Authentication Level to Send NTLMv2 response only\refuse LM and NTLM (level 5). Raising the level can break authentication with Windows machines that have not been raised to a compatible level, so make the change network-wide; if a particular system cannot be brought up, fall back temporarily to "Send LM & NTLM, use NTLMv2 session security if negotiated" for that system, retest, and record the exception. Windows 9x/Me machines need the Directory Services Client (DSCLIENT.EXE, from the Windows 2000 installation CD) before they can use NTLMv2.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-8806-2
Network security: LDAP client signing requirements
Similar to the SMB protocol, the LDAP protocol supports signing. LDAP (Lightweight Directory Access Protocol) is one means by which a client talks to Active Directory; the protocol is text-based, but supports authentication to reach sensitive parts of the directory. Signing adds a per-message integrity check negotiated through SASL (Kerberos or NTLM), which stops a man-in-the-middle from altering queries or responses in transit. Set this to Require signing (registry: HKLM\SYSTEM\CurrentControlSet\Services\LDAP\LDAPClientIntegrity = 2): the client then fails any bind in which signing cannot be negotiated, unless the connection is already protected by TLS/SSL, which also rules out clear-text simple binds.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-9768-3
Network security: Minimum session security for NTLM SSP based (including secure RPC) clients
NTLM authentication can provide session security (message signing and sealing) for connections between clients and servers, including those made through the Remote Procedure Call (RPC) service. This setting defines the minimum that applications on this workstation will accept when they act as the NTLM client: Require NTLMv2 session security and Require 128-bit encryption (registry: HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinClientSec, flag bits 0x20000000 and 0x80000000). Select both, so that a server cannot negotiate the connection down to NTLMv1 session security or to 40- or 56-bit keys.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-9534-9
Network security: Minimum session security for NTLM SSP based (including secure RPC) servers
Similar to "Network Security: Minimum session security for NTLM SSP based (including secure RPC) clients", this setting applies the same minimums to connections this workstation accepts as a server (registry: NTLMMinServerSec under the same MSV1_0 key). Select both options here as well; a client-only minimum leaves the server side open to the same downgrade.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-9736-0
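The four "Network security" settings above are stored as small integers and bit masks, which is why a raw registry export is hard to read. The following PowerShell script, an added example rather than anything from the original baseline, reads those values and translates them back into the policy wording used above, then flags the combinations that still send or accept LM and NTLMv1. The registry locations are the documented backing values; the defaults assumed for absent values are the Windows 7 defaults.

```powershell
# Added example (not from the original baseline): read the registry values behind
# the LAN Manager / NTLM / LDAP signing settings and translate them into the policy
# wording, so the host's effective authentication posture can be read at a glance.

$lsa  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msv  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$ldap = 'HKLM:\SYSTEM\CurrentControlSet\Services\LDAP'

function Get-RegValue([string]$Path, [string]$Name) {
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

# LmCompatibilityLevel 0..5, in the order the policy lists the choices.
$lmLevels = @(
    'Send LM & NTLM responses',
    'Send LM & NTLM - use NTLMv2 session security if negotiated',
    'Send NTLM response only',
    'Send NTLMv2 response only',
    'Send NTLMv2 response only, refuse LM',
    'Send NTLMv2 response only, refuse LM & NTLM'
)
# NTLMMinClientSec / NTLMMinServerSec are bit masks; these are the two bits the policy exposes.
$ntlmFlags = @(
    @{ Bit = [long]0x20000000; Name = 'Require NTLMv2 session security' },
    @{ Bit = [long]0x80000000; Name = 'Require 128-bit encryption' }
)
$ldapLevels = @('None', 'Negotiate signing', 'Require signing')

function Describe-NtlmMinSec($Value) {
    if ($null -eq $Value) { return 'not set (no minimum enforced)' }
    # REG_DWORD comes back as a signed Int32; mask to 32 bits before testing bits.
    $mask = ([long]$Value) -band 0xFFFFFFFF
    $set = @()
    foreach ($f in $ntlmFlags) { if (($mask -band $f.Bit) -ne 0) { $set += $f.Name } }
    if ($set.Count -eq 0) { return 'no minimum enforced' }
    return ($set -join ' + ')
}

$lm = Get-RegValue $lsa 'LmCompatibilityLevel'
if ($null -eq $lm) { $lm = 3 }          # Windows 7 behaves as level 3 when the value is absent
$noLmHash = Get-RegValue $lsa 'NoLMHash'
$ldapSign = Get-RegValue $ldap 'LDAPClientIntegrity'
if ($null -eq $ldapSign) { $ldapSign = 1 }   # default is "Negotiate signing"
$clientMin = Get-RegValue $msv 'NTLMMinClientSec'
$serverMin = Get-RegValue $msv 'NTLMMinServerSec'

'LAN Manager Authentication Level : {0} ({1})' -f $lm, $lmLevels[$lm]
'Store LM hash on next change     : {0}' -f $(if ($noLmHash -eq 1) { 'No (NoLMHash=1)' } else { "value=$noLmHash, confirm the policy is Enabled" })
'NTLM SSP minimum, clients        : {0}' -f (Describe-NtlmMinSec $clientMin)
'NTLM SSP minimum, servers        : {0}' -f (Describe-NtlmMinSec $serverMin)
'LDAP client signing              : {0} ({1})' -f $ldapSign, $ldapLevels[$ldapSign]

# Findings in the terms used above: below level 5 the host, acting as a server, still
# accepts LM and/or NTLMv1 responses; a missing minimum lets a peer negotiate weaker
# session security; and LM hashes keep being written until NoLMHash is set.
if ($lm -lt 5)       { 'FINDING: LM or NTLMv1 responses are still accepted; target level 5 network-wide.' }
if ($noLmHash -eq 0) { 'FINDING: LM hashes will be stored at the next password change.' }
if ($ldapSign -lt 2) { 'FINDING: LDAP signing is not required.' }
foreach ($pair in @(@('clients', $clientMin), @('servers', $serverMin))) {
    $mask = if ($null -eq $pair[1]) { 0 } else { ([long]$pair[1]) -band 0xFFFFFFFF }
    if (($mask -band 0xA0000000) -ne 0xA0000000) { "FINDING: NTLM SSP minimum for $($pair[0]) does not require both NTLMv2 session security and 128-bit encryption." }
}
```

Run it before and after the GPO is applied: the "before" output documents the gap for the CISO, and the "after" output is the evidence that the hardened level is in force on a given host rather than merely defined in the policy object.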
Recovery Console: Allow Automatic Administrative Logon
The Recovery Console, introduced with Windows 2000 and XP, provides limited command-line access to an otherwise unbootable operating system. The console can read the NTFS file system, which is not otherwise accessible when the operating system fails to boot. Third-party tools do the same, but the Recovery Console is part of the operating system: it can be installed from the Windows 2000 CD with "d:\i386\winnt32.exe /cmdcons", or run directly from the installation CD. By default the Recovery Console does not grant unrestricted access: it requires the password of the built-in Administrator account, meaning that specific local account rather than just any member of the local Administrators group, and renaming the Administrator account does not change which password the console expects. If this setting is enabled, booting to the Recovery Console logs on automatically and bypasses the Administrator password, which hands administrative access to anyone who can reboot the computer, so the setting is Disabled. Windows 7 itself ships the Windows Recovery Environment rather than the Recovery Console, but the setting remains in the security template and should still be Disabled.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-8807-0
Recovery Console: Allow Floppy Copy and Access to All Drives and All Folders
By default, the Recovery Console only allows access to the root folder of each drive and the operating system folder (typically C:\Windows), and it prevents copying files from the hard drive onto removable media. Enabling this setting removes both restrictions and would let anyone with console access copy the SAM, the registry hives or any other file off the machine. The setting is disabled by default and should remain disabled.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-8945-8
Shutdown: Allow System to be Shut Down Without Having to Log On
Some systems run critical processes and should only be shut down by authorized users. Processes invoked during system startup, including any malicious or trojaned ones an attacker has planted, also run at every reboot, and a shutdown button on the logon screen lets anyone at the console trigger that without authenticating. In environments where unexpected reboots would cause problems, disable this setting so that a logon is required before the system can be shut down.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-9707-1
Shutdown: Clear Virtual Memory Pagefile
Virtual memory extends the physical memory available to the CPU. As data and applications fill the available physical memory, the operating system writes less frequently used pages of memory out to disk, into the pagefile, which greatly extends the amount of "virtual" memory available to the computer. Since the pagefile contains whatever was in memory, it potentially holds a great deal of information useful to an attacker: digging through it can reveal the contents of SSL-protected web pages, queries sent from the client to databases, and sometimes user IDs and passwords from poorly written applications. The workstation does not clear this information from the pagefile on shutdown. Although the file cannot be opened from within a running Windows session, anyone who boots the workstation into an alternate operating system (for example from a boot CD) can read it. Enabling this setting (registry: HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown = 1) erases the data during normal shutdown; the trade-off is that shutdown can take significantly longer on machines with a large pagefile. When enabled, the hibernation file (hiberfil.sys) is also cleared on shutdown. Full-disk encryption such as BitLocker also protects the pagefile against offline reading, but it does not replace this setting where the disk is not encrypted.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-9222-1
System Cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing
When enabled, the Windows cryptographic components (Schannel for TLS/SSL, EFS, Remote Desktop, IPsec and the .NET Framework) use only algorithms from FIPS 140-validated modules; for example, Schannel restricts TLS to FIPS-approved cipher suites and EFS uses AES or 3DES. Applications that call non-validated implementations (such as the managed .NET hash and cipher classes) fail with an error once this is enabled, so test line-of-business software before enforcing it. Registry: HKLM\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy\Enabled = 1.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-9266-8
System objects: Require case insensitivity for non-Windows subsystems
The Windows operating systems ignore case when accessing resources; for example, “C:\Windows”, “C:\WINDOWS” and “c:\windows” all refer to the same directory. However, the Windows kernel allows interfaces with other case-sensitive operating systems (e.g., Unix). Enabling this setting causes the interoperability features to be case-insensitive as well. This setting has no effect when the workstation communicates only with other Windows systems.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-9319-5
System objects: Strengthen default permissions of internal system objects
This setting reaches deep into operating system behaviour and should be left at the default setting (Enabled) unless explicitly required. "Internal system objects" are shared physical and logical resources such as semaphores and DOS device names; they are all created with access control lists (ACLs). When enabled, the default ACL lets non-administrative processes query shared objects but not modify those created by another user, which prevents one user from hijacking an object (for instance by redefining a device name) that another user's process relies on.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-9191-8
User Account Control: Admin Approval Mode for the Built-in Administrator account
When enabled, the built-in Administrator account runs with a filtered (standard user) token like any other administrator and is prompted before an elevation; when disabled, it runs fully privileged at all times, so anything it launches is already elevated. Enable it (registry: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = 1).
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-8811-2
User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode
Controls what an administrator in Admin Approval Mode sees when an operation needs elevation: elevate without prompting, prompt for credentials, or prompt for consent, each either on the normal desktop or on the secure desktop. Never choose "Elevate without prompting", which turns UAC into a no-op for administrators; prompting for consent (or for credentials) on the secure desktop is the hardened choice (ConsentPromptBehaviorAdmin under the same Policies\System key).
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-8958-1
User Account Control: Behavior of the elevation prompt for standard users
Controls whether a standard user who triggers an elevation is asked for administrator credentials or has the request denied outright. Automatically denying (ConsentPromptBehaviorUser = 0) prevents over-the-shoulder entry of administrator credentials on a user's session and is the usual enterprise setting; prompting for credentials on the secure desktop is acceptable where help-desk staff elevate in person.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-8813-8
User Account Control: Detect application installations and prompt for elevation
When enabled, Windows heuristically recognizes application installers and prompts for elevation so they run with administrative rights under UAC; when disabled, installers run as the standard user and silently fail or install per-user. Enable it unless all installs are delegated to a software distribution system (EnableInstallerDetection).
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-9616-4
User Account Control: Only elevate executables that are signed and validated
When enabled, only executables with a valid Authenticode signature that chains to a certificate in the Trusted Publishers store may be elevated, so unsigned or untrusted code cannot gain administrative rights through a UAC prompt. It is a strong control but requires every application that elevates to be signed by a trusted publisher; evaluate the software inventory before enabling it (ValidateAdminCodeSignatures).
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-9021-7
User Account Control: Only elevate UIAccess applications that are installed in secure locations
UIAccess applications (accessibility tools, remote assistance and the like) are allowed to interact with windows of higher-privileged processes, including the secure desktop. When this setting is enabled, only such applications installed under %ProgramFiles% or %SystemRoot%\System32, which are writable only by administrators, receive that privilege. Keep it enabled (EnableSecureUIAPaths).
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-9801-2
User Account Control: Run all administrators in Admin Approval Mode
This is the master switch for User Account Control: when enabled, every administrator runs with a standard user token until an elevation is approved; when disabled, all the other UAC settings are ignored and administrators run fully privileged, and a reboot is required for the change to take effect. Keep it enabled (EnableLUA).
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-9189-2
User Account Control: Switch to the secure desktop when prompting for elevation
When enabled, elevation prompts are displayed on the secure desktop, which only trusted system processes can draw on, so malware running as the user cannot spoof the prompt or automate a click on "Yes". Keep it enabled (PromptOnSecureDesktop).
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-9395-5
User Account Control: Virtualize file and registry write failures to per-user locations
When enabled, legacy applications that try to write to protected locations (%ProgramFiles%, %SystemRoot%, HKLM\Software) have those writes silently redirected to per-user locations instead of failing. Keep it enabled for application compatibility; it grants no write access to the protected locations themselves (EnableVirtualization).
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-8817-9
MSS Security Options Settings
The settings identified in this section do not appear in the Windows 7 Group Policy editor by default. They can be added by installing a modified sceregvl.inf on the system, or by loading the MSS-legacy administrative template that Microsoft later published with the Security Compliance Manager; either way they are plain registry values and can be verified directly in the registry.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
MSS: (AutoAdminLogon) Enable Automatic Logon (Not Recommended)
Determines whether automatic logon is enabled. Automatic logon uses the domain, user name and password stored in the registry (HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon: AutoAdminLogon, DefaultUserName, DefaultPassword) to log that user on when the system starts, and the Log On to Windows dialog box is not displayed. The password is stored in clear text and is readable by anyone who can read the registry or the disk, and anyone who can reboot the machine gets a logged-on session. Keep it disabled.
Recommended value: 0; allowed values: 0, 1
MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)
IP source routing lets the sender specify the route a datagram takes through the network, which an attacker can use to reach hosts that are not normally routable or to disguise the origin of traffic. Values: 0 = source-routed packets are forwarded; 1 = source-routed packets are not forwarded when IP forwarding is enabled; 2 = all incoming source-routed packets are dropped. Microsoft's guidance leaves this Not Defined for general enterprise clients and sets Highest Protection (2) in high-security environments; this baseline uses 2. Registry: HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DisableIPSourceRouting
Recommended value: 2; allowed values: 0, 1, 2
MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes
Internet Control Message Protocol (ICMP) redirect messages cause the TCP/IP stack to plumb host routes that override routes learned from the default gateway or from OSPF. An attacker on the local segment can send forged redirects to insert a route through a host under their control and intercept or drop traffic. Disable the behaviour so that redirects are ignored. Registry: HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableICMPRedirect
Recommended value: 0; allowed values: 0, 1
MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds
This value controls how often, in milliseconds, TCP sends a keep-alive packet to verify that an idle connection is still intact. If the remote computer is still reachable it acknowledges the packet; otherwise the connection is dropped and its resources released. The Windows default is 7,200,000 (2 hours); 300,000 (5 minutes) limits how long abandoned or half-open sessions tie up server resources. Registry: HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\KeepAliveTime
Recommended value: 300000
MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers
Network basic input/output system (NetBIOS) over TCP/IP is a networking protocol that, among other things, resolves the NetBIOS names registered by Windows-based systems to the IP addresses configured on those systems. This value determines whether the computer releases its NetBIOS name when it receives a name release request. Setting it to 1 makes the system ignore release requests except from WINS servers, which prevents an attacker from sending a forged release to a server and making it unreachable to legitimate clients. The trade-off: if a client configured this way is misconfigured with the same name as a critical server, the server cannot reclaim the name and legitimate requests may be directed to the rogue client instead, a denial of service condition at best. Registry: HKLM\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\NoNameReleaseOnDemand
Recommended value: 1; allowed values: 0, 1
MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure DefaultGateway addresses (could lead to DoS)
This setting enables or disables the ICMP Router Discovery Protocol (IRDP), which lets the system detect and configure default gateway addresses automatically from router advertisements. A spoofed advertisement on the local segment can redirect the host's default route to an attacker or to nowhere. Values: 0 = disabled; 1 = enabled; 2 = enabled only when DHCP supplies the Perform Router Discovery option. Registry: HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\PerformRouterDiscovery
Recommended value: 0; allowed values: 0, 1, 2
MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)
Most programs on Windows use Dynamic Link Libraries (DLLs) so that they do not have to reimplement common functionality, and the loader brings in several DLLs for each program depending on its type. When a program does not give an absolute path for a DLL, the loader walks a fixed search order: 1. DLLs already loaded in memory; 2. KnownDLLs; 3. manifests and .local redirection; 4. the application directory; 5. the current working directory; 6. the system directories (%SystemRoot%\System32, %SystemRoot%\System and %SystemRoot%); 7. the directories in the PATH variable. Because the current working directory is searched before the system directories, anyone who can write to a directory that users open documents from can plant a DLL carrying the name of a system DLL: when a user double-clicks a document, the current working directory is the document's directory, and the planted DLL is loaded instead of the system one. The Nimda worm used this vector. Safe DLL search mode moves the current working directory after the system directories in the search order. It was introduced in a service pack and left switched off for application compatibility; Windows XP SP2 and later, including Windows 7, enable it by default, but set the value explicitly so that a missing key is never mistaken for the safe setting. Registry: HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SafeDllSearchMode
Recommended value: 1; allowed values: 0, 1
MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)
The grace period is the time after the screen saver starts during which a keystroke or mouse movement dismisses it without a password; the default is five seconds. Leaving the default in place lets someone who walks up to the console as the screen saver kicks in dismiss it and use the session. Set it to 0 so that password protection is immediate. Registry: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ScreenSaverGracePeriod (REG_SZ)
Recommended value: 0; allowed values: 0 to 5 seconds
MSS: (TCPMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default)
This value controls how many times TCP retransmits an unacknowledged data segment before it abandons the connection. Each retry doubles the wait, so the default of 5 keeps a connection to an unresponsive peer open for a long time; lowering it to 3 releases the connection's resources sooner, which limits the effect of a flood of connections whose peers never answer. Registry: HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxDataRetransmissions
Recommended value: 3; allowed values: 3, 5
MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning
Windows Server 2003 and Windows 2000 Service Pack 3 introduced a feature that writes a security audit event to the security event log when that log reaches a user-defined percentage of its maximum size. Setting the threshold to 90 percent gives operations staff time to archive the log before it wraps or, where CrashOnAuditFail is in force, before the system halts; monitor for the resulting event. Registry: HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\WarningLevel
Recommended value: 90
MSS: (NoDefaultExempt) Enable NoDefaultExempt for IPSec Filtering (recommended)
By default, IPsec policy filters exempt certain traffic so that the protocols IPsec itself depends on keep working: IKE (ISAKMP) is always exempt and, depending on this value, so are Kerberos, RSVP, and multicast and broadcast traffic. Values: 0 = multicast, broadcast, RSVP, Kerberos and IKE are all exempt; 1 = Kerberos and RSVP are filtered (multicast, broadcast and IKE remain exempt); 2 = multicast and broadcast are filtered (RSVP, Kerberos and IKE remain exempt); 3 = only IKE is exempt. Every exemption is traffic an attacker can send past the IPsec filters, which is why the recommendation removes at least the Kerberos and RSVP exemptions. Registry: HKLM\SYSTEM\CurrentControlSet\Services\IPSEC\NoDefaultExempt
Recommended value: 1; allowed values: 0, 1, 2, 3
Microsoft network server: SPN Target name validation
This policy setting controls the level of validation a computer with shared folders or printers (the server) performs on the service principal name (SPN) provided by the client computer when it establishes a session using the server message block (SMB) protocol. Checking that the SPN names this server defeats SMB credential relay attacks, in which an attacker forwards a client's authentication intended for one server to another. Values: 0 = Off; 1 = Accept if provided by client (validate an SPN when one is present, allow sessions that present none); 2 = Required from client (reject sessions that present no SPN). Registry: HKLM\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters\SmbServerNameHardeningLevel
Recommended value: 1; allowed values: 0, 1, 2
MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)
The IPv6 counterpart of the IPv4 setting above: allowing source-routed traffic lets attackers obscure their identity and location and reach hosts that are not normally routable. The values have the same meaning (0 = forward, 1 = do not forward when forwarding is enabled, 2 = drop all incoming source-routed packets). Registry: HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\DisableIPSourceRouting
Recommended value: 2; allowed values: 0, 1, 2
MSS: (Hidden) Hide computer from the browse list (Not Recommended except for highly secure environments)
Hiding the computer from the browse list removes one method attackers might use to gather information about computers on the network. It is not a security boundary, since the host still answers when addressed directly, and it can confuse users who rely on browsing, which is why the title restricts it to highly secure environments. Registry: HKLM\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters\Hidden
Recommended value: 1; allowed values: 0, 1
MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted (3 recommended, 5 is default)
The IPv6 counterpart of the IPv4 setting above: the number of times TCP retransmits an unacknowledged segment before abandoning the connection. Registry: HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\TcpMaxDataRetransmissions
Recommended value: 3; allowed values: 3, 5
Network security: Allow Local System to use computer identity for NTLM
This policy setting allows services running as Local System to use the computer identity (the domain computer account) when negotiating NTLM authentication, rather than falling back to an anonymous session when the remote server does not support Kerberos. Enable it so that such services authenticate with a real identity that can be authorized and audited. Registry: HKLM\SYSTEM\CurrentControlSet\Control\Lsa\UseMachineId
Recommended value: 1; allowed values: 0, 1
Network security: Allow LocalSystem NULL session fallback
This policy setting determines whether NTLM may fall back to a NULL (anonymous) session when a service running as Local System cannot authenticate with the computer identity. Disable it; an anonymous fallback silently downgrades the connection to one with no identity at all. Registry: HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\allownullsessionfallback
Recommended value: 0; allowed values: 0, 1
Network Security: Allow PKU2U authentication requests to this computer to use online identities
Windows 7 and Windows Server 2008 R2 extend the Negotiate authentication package (Spnego.dll). In previous versions of Windows, Negotiate chose only between Kerberos and NTLM; the extension SSP for Negotiate, Negoexts, which Windows treats as an authentication protocol, supports additional Microsoft SSPs, including PKU2U, which authenticates peer-to-peer connections using online identities (for example the Windows Live IDs used by HomeGroup). Domain-joined computers should not accept such requests, because they authenticate a peer with an identity the domain does not manage. Registry: HKLM\SYSTEM\CurrentControlSet\Control\Lsa\pku2u\AllowOnlineID
Recommended value: 0; allowed values: 0, 1
Network Security: Configure encryption types allowed for Kerberos
This policy setting specifies the encryption types Kerberos may use, as a bit mask: DES_CBC_CRC = 1, DES_CBC_MD5 = 2, RC4_HMAC_MD5 = 4, AES128_HMAC_SHA1 = 8, AES256_HMAC_SHA1 = 16, with the remaining bits reserved for future encryption types. The recommended value 2147483644 (0x7FFFFFFC) enables RC4, AES128, AES256 and future types and disables both DES types, which are considered broken. Registry: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters\SupportedEncryptionTypes
Recommended value: 2147483644
MSS: (AutoAdminLogon) Enable Automatic Logon (Not Recommended)
Determines whether the automatic logon feature is enabled. Automatic logon uses the domain, user name, and password stored in the registry to log users on to the computer when the system starts. The Log On to Windows dialog box is not displayed.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-9342-7
MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)
Controls whether incoming source-routed IPv4 packets are forwarded, ignored when IP forwarding is enabled, or dropped; 2 drops them all.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-9496-1
MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes
Controls whether ICMP redirect messages may add host routes that override the configured or OSPF-generated routes; 0 makes the host ignore redirects.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-8513-4
MSS: (KeepAliveTime)How often keep-alive packets are sent in milliseconds
This value controls how often, in milliseconds, TCP sends a keep-alive packet to verify that an idle connection is still intact; if the remote computer is still reachable it acknowledges the packet. Registry: HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\KeepAliveTime
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-9426-8
MSS: (NoDefaultExempt) Enable NoDefaultExempt for IPSec Filtering (recommended)
Controls which traffic (Kerberos, RSVP, multicast, broadcast) is exempt from IPsec filtering in addition to IKE; 1 removes the Kerberos and RSVP exemptions. Registry: HKLM\SYSTEM\CurrentControlSet\Services\IPSEC\NoDefaultExempt
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-9439-1
MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers
Determines whether the computer honours NetBIOS name release requests; 1 makes it ignore them except from WINS servers, so a forged release cannot take the host's name off the network. Registry: HKLM\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\NoNameReleaseOnDemand
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-8562-1
MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure DefaultGateway addresses (could lead to DoS)
This setting enables or disables the ICMP Router Discovery Protocol (IRDP), which lets the system detect and configure default gateway addresses automatically; 0 disables it. Registry: HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\PerformRouterDiscovery
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-9458-1
MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)
Moves the current working directory after the system directories in the DLL search order, so that a DLL planted beside a document cannot be loaded in place of a system DLL. Registry: HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SafeDllSearchMode
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-9348-4
MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)
Sets the number of seconds after the screen saver starts during which it can be dismissed without a password (default five); 0 makes the password lock immediate. Registry: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ScreenSaverGracePeriod
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-8591-0
MSS: (TCPMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default)
Number of times TCP retransmits an unacknowledged segment before abandoning the connection; 3 releases abandoned connections sooner than the default of 5. Registry: HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxDataRetransmissions
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-9456-5
MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning
Writes a security audit event when the security event log reaches the given percentage of its maximum size (introduced with Windows Server 2003 and Windows 2000 SP3). Registry: HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\WarningLevel
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-9501-8
Microsoft network server: SPN Target name validation
This policy setting controls the level of validation a computer with shared folders or printers (the server) performs on the service principal name (SPN) that is provided by the client computer when it establishes a session using the server message block (SMB) protocol.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-8503-5
MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)
Allowing source routed network traffic allows attackers to obscure their identity and location.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-8655-3
MSS: (Hidden) Hide computer from the browse list (Not Recommended except for highly secure environments)
Hiding the computer from the browse list removes one method attackers might use to gather information about computers on the network. Registry: HKLM\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters\Hidden
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-8560-5
MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted (3 recommended, 5 is default)
As for the IPv4 setting, but for the IPv6 stack. Registry: HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\TcpMaxDataRetransmissions
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-9487-0
Network security: Allow Local System to use computer identity for NTLM
This policy setting allows services running as Local System to use the computer identity when negotiating NTLM authentication.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-9096-9
Network security: Allow LocalSystem NULL session fallback
This policy setting allows NTLM to fall back to a NULL (anonymous) session when a Local System service cannot use the computer identity; it should be disabled.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-8804-7
Network Security: Allow PKU2U authentication requests to this computer to use online identities
Windows 7 and Windows Server 2008 R2 extend the Negotiate authentication package (Spnego.dll) through Negoexts, which supports additional SSPs including PKU2U, used to authenticate peer-to-peer connections with online identities; domain-joined computers should not accept such requests.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-9770-9
Network Security: Configure encryption types allowed for Kerberos
This policy setting allows you to specify the allowed encryption types for Kerberos authentication as a bit mask; the recommended value disables both DES types.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-9532-3
System Services Group
This section identifies requirements for the state of certain services on the system.
System Services Settings
This section identifies requirements for the state of certain services on the system.
Fax Service
Defines the startup state of the service
4
2
3
4
HomeGroup Listener Service
Defines the startup state of the service
4
2
3
4
HomeGroup Provider Service
Defines the startup state of the service
4
2
3
4
Media Center Extender Service
Defines the startup state of the service
4
2
3
4
Parental Controls Service
Defines the startup state of the service
4
2
3
4
Fax Service
Enables you to send and receive faxes, utilizing fax resources available on this computer or on the network.
GPO
Computer Configuration\Windows Settings\Security Settings\System Services
CCE-10150-1
HomeGroup Listener
Makes local computer changes associated with configuration and maintenance of the homegroup-joined computer. If this service is stopped or disabled, your computer will not work properly in a homegroup and your homegroup might not work properly. It is recommended that you keep this service running.
CCE-10543-7
Homegroup Provider
Performs networking tasks associated with configuration and maintenance of homegroups. If this service is stopped or disabled, your computer will be unable to detect other homegroups and your homegroup might not work properly. It is recommended that you keep this service running.
CCE-9910-1
Media Center Extender
Allows Media Center Extenders to locate and connect to the computer.
CCE-10699-7
Parental Controls Service
This service is a stub for Windows Parental Control functionality that existed in Vista. It is provided for backward compatibility only.
CCE-10311-9
Conditional: Bluetooth not enabled
Bluetooth Support Service
Defines the startup state of the service
4
2
3
4
Bluetooth Support Service
The Bluetooth service supports discovery and association of remote Bluetooth devices. Stopping or disabling this service may cause already installed Bluetooth devices to fail to operate properly and prevent new devices from being discovered or associated.
CCE-10661-7
Advanced Audit Policy Settings
Windows 7 gives more control over individual audit policy through subcategories that were not available prior to Windows Vista.
Account Logon Audit Settings
This section contains the policy settings which control the auditing of credential validation.
Credential Validation
This audit policy reports the results of validation tests on credentials submitted for a user account logon request.
AUDIT_NONE
AUDIT_SUCCESS
AUDIT_FAILURE
AUDIT_SUCCESS_FAILURE
AUDIT_NONE
Computer Account Management
This audit policy reports the results of validation tests on credentials submitted for a user account logon request.
CCE-9725-3
CCE-9718-8
Account Management Settings
The Account Management audit category helps you track attempts to create new users or groups, rename users or groups, enable or disable user accounts, change account passwords, and enable auditing for Account Management events. If you enable this Audit policy setting, administrators can track events to detect malicious, accidental, and authorized creation of user and group accounts.
computer-account-management
This audit policy reports each event of computer account management, such as when a computer account is created, changed, deleted, renamed, disabled, or enabled.
AUDIT_NONE
AUDIT_SUCCESS
AUDIT_FAILURE
AUDIT_SUCCESS_FAILURE
AUDIT_NONE
other-account-management-events
This audit policy reports other account management events.
AUDIT_NONE
AUDIT_SUCCESS
AUDIT_FAILURE
AUDIT_SUCCESS_FAILURE
AUDIT_NONE
security-group-management
This audit policy reports each event of security group management, such as when a security group is created, changed, or deleted or when a member is added to or removed from a security group.
AUDIT_NONE
AUDIT_SUCCESS
AUDIT_FAILURE
AUDIT_SUCCESS_FAILURE
AUDIT_NONE
user-account-management
This audit policy reports each event of user account management, such as when a user account is created, changed, or deleted; a user account is renamed, disabled, or enabled; or a password is set or changed.
AUDIT_NONE
AUDIT_SUCCESS
AUDIT_FAILURE
AUDIT_SUCCESS_FAILURE
AUDIT_NONE
Computer Account Management
This audit policy reports each event of computer account management, such as when a computer account is created, changed, deleted, renamed, disabled, or enabled.
CCE-9498-7
CCE-9608-1
Other Account Management Events
This audit policy reports other account management events.
CCE-9657-8
CCE-9668-5
Security Group Management
This audit policy reports each event of security group management, such as when a security group is created, changed, or deleted or when a member is added to or removed from a security group.
CCE-9692-5
CCE-9056-3
User Account Management
This audit policy reports each event of user account management, such as when a user account is created, changed, or deleted; a user account is renamed, disabled, or enabled; or a password is set or changed.
CCE-9542-2
CCE-9800-4
Detailed Tracking Settings
The Detailed Tracking audit category determines whether to audit detailed tracking information for events such as program activation, process exit, handle duplication, and indirect object access. Enabling Audit process tracking will generate a large number of events, so it is typically set to No Auditing. However, this setting can provide a great benefit during an incident response from the detailed log of the processes started and the time when they were launched.
process-creation
This audit policy reports the creation of a process and the name of the program or user that created it.
AUDIT_NONE
AUDIT_SUCCESS
AUDIT_FAILURE
AUDIT_SUCCESS_FAILURE
AUDIT_NONE
Process Creation
This audit policy reports the creation of a process and the name of the program or user that created it.
CCE-9562-0
CCE-9805-3
Logon Logoff Settings
This audit category generates events that record the creation and destruction of logon sessions. These events occur on the accessed computer. For interactive logons, the generation of these events occurs on the computer that is logged on to. If a network logon takes place to access a share, these events generate on the computer that hosts the accessed resource.
logoff
This audit policy reports when a user logs off from the system.
AUDIT_NONE
AUDIT_SUCCESS
AUDIT_FAILURE
AUDIT_SUCCESS_FAILURE
AUDIT_NONE
logon
This audit policy reports when a user attempts to log on to the system.
AUDIT_NONE
AUDIT_SUCCESS
AUDIT_FAILURE
AUDIT_SUCCESS_FAILURE
AUDIT_NONE
special-logon
This audit policy reports when a special logon is used. A special logon is a logon that has administrator-equivalent privileges and can be used to elevate a process to a higher level.
AUDIT_NONE
AUDIT_SUCCESS
AUDIT_FAILURE
AUDIT_SUCCESS_FAILURE
AUDIT_NONE
Logoff
This audit policy reports when a user logs off from the system.
CCE-8856-7
CCE-9058-9
Logon
This audit policy reports when a user attempts to log on to the system.
CCE-9683-4
CCE-9213-0
Special Logon
This audit policy reports when a special logon is used. A special logon is a logon that has administrator-equivalent privileges and can be used to elevate a process to a higher level.
CCE-9763-4
CCE-9521-6
Object Access Settings
By itself, this policy setting will not cause auditing of any events. It determines whether to audit the event of a user who accesses an object (for example, a file, folder, registry key, or printer) that has a specified system access control list (SACL), effectively enabling auditing to take place.
file-system
This audit policy reports when file system objects are accessed. Only file system objects with SACLs cause audit events to be generated, and only when they are accessed in a manner matching their SACL.
AUDIT_NONE
AUDIT_SUCCESS
AUDIT_FAILURE
AUDIT_SUCCESS_FAILURE
AUDIT_NONE
registry
This audit policy reports when registry objects are accessed. Only registry objects with SACLs cause audit events to be generated, and only when they are accessed in a manner matching their SACL.
AUDIT_NONE
AUDIT_SUCCESS
AUDIT_FAILURE
AUDIT_SUCCESS_FAILURE
AUDIT_NONE
File System
This audit policy reports when file system objects are accessed. Only file system objects with SACLs cause audit events to be generated, and only when they are accessed in a manner matching their SACL.
CCE-9217-1
CCE-9811-1
Registry
This audit policy reports when registry objects are accessed. Only registry objects with SACLs cause audit events to be generated, and only when they are accessed in a manner matching their SACL.
CCE-9737-8
CCE-10078-4
Policy Change Settings
The Policy Change audit category determines whether to audit every incident of a change to user rights assignment policies, Windows Firewall policies, Trust policies, or changes to the Audit policy itself.
policy_change_audit
This audit policy reports changes in audit policy, including SACL changes.
AUDIT_NONE
AUDIT_SUCCESS
AUDIT_FAILURE
AUDIT_SUCCESS_FAILURE
AUDIT_NONE
authentication-policy-change
This audit policy reports changes in authentication policy.
AUDIT_NONE
AUDIT_SUCCESS
AUDIT_FAILURE
AUDIT_SUCCESS_FAILURE
AUDIT_NONE
Audit Policy Change
This audit policy reports changes in audit policy, including SACL changes.
CCE-10021-4
CCE-9235-3
Authentication Policy Change
This audit policy reports changes in authentication policy.
CCE-9976-2
CCE-10014-9
Privilege Use Settings
The Privilege Use audit category determines whether to audit each instance of a user exercising a user right. If you configure this value to Success, an audit entry is generated each time that a user right is exercised successfully. If you configure this value to Failure, an audit entry is generated each time that a user right is exercised unsuccessfully. This policy setting can generate a very large number of event records.
sensitive-privilege-use
This audit policy reports when a user account or service uses a sensitive privilege.
AUDIT_NONE
AUDIT_SUCCESS
AUDIT_FAILURE
AUDIT_SUCCESS_FAILURE
AUDIT_NONE
Sensitive Privilege Use
This audit policy reports when a user account or service uses a sensitive privilege.
CCE-9878-0
CCE-9172-8
System Settings
The System audit category allows you to monitor system events that succeed and fail, and provides a record of these events that may help determine instances of unauthorized system access. System events include starting or shutting down computers in your environment, full event logs, or other security-related events that affect the entire system.
ipsec-driver
This audit policy reports on the activities of the Internet Protocol security (IPsec) driver.
AUDIT_NONE
AUDIT_SUCCESS
AUDIT_FAILURE
AUDIT_SUCCESS_FAILURE
AUDIT_NONE
security-state-change
This audit policy reports changes in security state of the system, such as when the security subsystem starts and stops.
AUDIT_NONE
AUDIT_SUCCESS
AUDIT_FAILURE
AUDIT_SUCCESS_FAILURE
AUDIT_NONE
security-system-extension
This audit policy reports the loading of extension code, such as authentication packages, by the security subsystem.
AUDIT_NONE
AUDIT_SUCCESS
AUDIT_FAILURE
AUDIT_SUCCESS_FAILURE
AUDIT_NONE
system-integrity
This audit policy reports on violations of integrity of the security subsystem.
AUDIT_NONE
AUDIT_SUCCESS
AUDIT_FAILURE
AUDIT_SUCCESS_FAILURE
AUDIT_NONE
IPsec Driver
This audit policy reports on the activities of the Internet Protocol security (IPsec) driver.
CCE-9925-9
CCE-9802-0
Security State Change
This audit policy reports changes in security state of the system, such as when the security subsystem starts and stops.
CCE-9850-9
CCE-9179-3
Security System Extension
This audit policy reports the loading of extension code, such as authentication packages, by the security subsystem.
CCE-9863-2
CCE-9998-6
System Integrity
This audit policy reports on violations of integrity of the security subsystem.
CCE-9520-8
CCE-9194-2
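The audit subcategories above are what a compliance check compares against the effective policy on a host. The following script is an added example, not part of the USGCB benchmark or of the team's baseline: it parses the row format printed by `auditpol /get /category:*` (the sample output below is constructed, with two deviations planted) and reports every subcategory whose effective state differs from a required baseline. The REQUIRED values are illustrative assumptions chosen for the demonstration, not the values the benchmark mandates; substitute the team's approved settings before use.

```python
"""Compare the effective Windows advanced audit policy against a baseline.

Added example (not benchmark code). The input mirrors the
"  Subcategory   Setting" rows that `auditpol /get /category:*` prints
under each category name. SAMPLE_AUDITPOL_OUTPUT is constructed and the
REQUIRED baseline is an illustrative assumption.
"""
import re

# Possible states, named as in the benchmark's value lists.
AUDIT_NONE = "AUDIT_NONE"
AUDIT_SUCCESS = "AUDIT_SUCCESS"
AUDIT_FAILURE = "AUDIT_FAILURE"
AUDIT_SUCCESS_FAILURE = "AUDIT_SUCCESS_FAILURE"

# Map auditpol's human-readable "Setting" column onto those states.
_SETTING_TO_STATE = {
    "No Auditing": AUDIT_NONE,
    "Success": AUDIT_SUCCESS,
    "Failure": AUDIT_FAILURE,
    "Success and Failure": AUDIT_SUCCESS_FAILURE,
}

# Illustrative baseline (assumption, not the benchmark's required values).
REQUIRED = {
    "Credential Validation": AUDIT_SUCCESS_FAILURE,
    "User Account Management": AUDIT_SUCCESS_FAILURE,
    "Process Creation": AUDIT_SUCCESS,
    "Logon": AUDIT_SUCCESS_FAILURE,
    "Special Logon": AUDIT_SUCCESS,
    "Audit Policy Change": AUDIT_SUCCESS_FAILURE,
    "Sensitive Privilege Use": AUDIT_SUCCESS_FAILURE,
    "Security State Change": AUDIT_SUCCESS,
}

# Constructed sample of auditpol output; Special Logon and Sensitive
# Privilege Use deliberately deviate from REQUIRED.
SAMPLE_AUDITPOL_OUTPUT = """\
System audit policy
Category/Subcategory                      Setting
System
  Security State Change                   Success
  IPsec Driver                            No Auditing
Logon/Logoff
  Logon                                   Success and Failure
  Logoff                                  Success
  Special Logon                           No Auditing
Detailed Tracking
  Process Creation                        Success
Policy Change
  Audit Policy Change                     Success and Failure
Privilege Use
  Sensitive Privilege Use                 Failure
Account Management
  User Account Management                 Success and Failure
Account Logon
  Credential Validation                   Success and Failure
"""

# Subcategory rows are indented by two spaces; category names are not.
_ROW = re.compile(
    r"^\s{2}(?P<sub>.+?)\s{2,}"
    r"(?P<setting>No Auditing|Success and Failure|Success|Failure)\s*$"
)


def parse_auditpol(text):
    """Return {subcategory: AUDIT_* state} from auditpol-style output."""
    effective = {}
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:
            effective[m.group("sub")] = _SETTING_TO_STATE[m.group("setting")]
    return effective


def find_deviations(effective, required=REQUIRED):
    """Return sorted (subcategory, required, actual) tuples for mismatches.

    A subcategory absent from the effective policy is treated as AUDIT_NONE,
    the default shown in the benchmark's value lists.
    """
    deviations = []
    for sub, want in sorted(required.items()):
        have = effective.get(sub, AUDIT_NONE)
        if have != want:
            deviations.append((sub, want, have))
    return deviations


if __name__ == "__main__":
    for sub, want, have in find_deviations(parse_auditpol(SAMPLE_AUDITPOL_OUTPUT)):
        print(f"NONCOMPLIANT {sub}: required {want}, effective {have}")
```

On a real host the text would come from `auditpol /get /category:*` rather than the constructed sample; the parser only depends on the two-space indentation and the four setting strings, so it is unaffected by which categories are present.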
USGCB Other Settings
USGCB identifies the following additional controls that must be checked in order to verify compliance.
Computer Configuration – Administrative Templates – Network Settings
This section includes settings for configuring network features.
Link-Layer Topology Discovery
The Link Layer Topology Discovery (LLTD) specification describes how the LLTD protocol operates over wired (802.3 Ethernet) and wireless (802.11) media. LLTD enables device discovery via the data-link layer and determines the topology of a network. This specification also describes the Quality of Service (QoS) Extensions that enable stream prioritization and quality media streaming experiences, even on networks with limited bandwidth.
Turn on Mapper I/O (LLTDIO) driver
This policy setting turns on the Mapper I/O network protocol driver. (Enabled=1; Disabled=0; Not Configured)
0
0
1
Turn on Responder (RSPNDR) driver
This policy setting turns on the Responder network protocol driver. (Enabled=1; Disabled=0; Not Configured)
0
0
1
Turn on Mapper I/O (LLTDIO) driver
This policy setting turns on the Mapper I/O network protocol driver. LLTDIO allows a computer to discover the topology of a network it’s connected to.
GPO
Computer Configuration\Administrative Templates\Network\Link-Layer Topology Discovery
CCE-9783-2
Turn on Responder (RSPNDR) driver
This policy setting turns on the Responder network protocol driver. The Responder allows a computer to participate in Link Layer Topology Discovery requests so that it can be discovered and located on the network.
GPO
Computer Configuration\Administrative Templates\Network\Link-Layer Topology Discovery
CCE-10059-4
Microsoft Peer-to-Peer Networking Services
This section includes settings for configuring Microsoft Peer-to-Peer Networking Services.
Turn Off Microsoft Peer-to-Peer Networking Services
This setting turns off Microsoft Peer-to-Peer Networking Services. (Enabled=1; Disabled=0; Not Configured)
1
0
1
Turn Off Microsoft Peer-to-Peer Networking Services
This setting turns off Microsoft Peer-to-Peer Networking Services in its entirety, and will cause all dependent applications to stop working.
GPO
Computer Configuration\Administrative Templates\Network\Microsoft Peer-to-Peer Networking Services
CCE-10438-0
Network Connection Settings
The features for implementing and administering small networks are described as follows:

Internet Connection Sharing (ICS): ICS provides Internet access for a home or small office network by using one common connection as the Internet gateway. The ICS host is the only computer that is directly connected to the Internet. Multiple ICS clients simultaneously use the common Internet connection and benefit from Internet services as if the clients were directly connected to the Internet service provider (ISP). Security is enhanced when ICS is enabled because only the ICS host computer is visible to the Internet. The addresses of ICS clients are hidden from the Internet, rendering ICS clients invisible to the Internet. In addition, ICS simplifies the configuration of small networks by providing local private network services, such as name resolution and addressing. Note: You should not use Internet Connection Sharing in an existing network with Windows 2000 Server domain controllers, Domain Name System (DNS) servers, gateways, Dynamic Host Configuration Protocol (DHCP) servers, or systems configured for static IP addresses.

Internet Connection Firewall (ICF): With ICF, the firewall checks all communications that cross the connection between your network and the Internet and is selective about which responses from the Internet it allows. ICF protects only the computer on which it is enabled. If ICF is enabled on the Internet Connection Sharing (ICS) host computer, however, ICS clients that use the shared Internet connection for Internet connectivity are protected because they cannot be seen from outside your network. For this reason, you should always enable ICF on the ICS host computer. In addition, if there are clients on your network with direct Internet connections, or if you have a stand-alone computer that is connected to the Internet, then you should enable ICF on those Internet connections as well.

Network Bridge: Network Bridge removes the need for routing and bridging hardware in a home or small office network that consists of multiple LAN segments. With Network Bridge, multiple LAN segments become a single IP subnet, even if the LAN segments are of mixed network media types. Network Bridge automates the configuration and management of the address allocation, routing, and name resolution that is typically required in a network that consists of multiple LAN segments. Caution: If neither ICF nor ICS is enabled on your network, do not set up Network Bridge between the public Internet connection and the private network connection. Setting up Network Bridge between the public Internet connection and the private network connection creates an unprotected link between your network and the Internet, leaving your network vulnerable to external attacks. When either ICF or ICS is enabled, this risk is mitigated.
Prohibit installation and configuration of Network Bridge on your DNS domain network
Installation and Configuration of Network Bridge on the DNS Domain Network should be properly configured.
1
1
0
require_domain_users_to_elevate_when_setting_a_networks_location
Require Domain users to elevate when setting a networks location should be properly configured.
1
0
1
require_domain_users_to_elevate_when_setting_a_networks_location
Route all traffic through the internal network should be properly configured.
Enabled
Enabled
Disabled
Prohibit installation and configuration of Network Bridge on your DNS domain network
Installation and Configuration of Network Bridge on the DNS Domain Network should be properly configured.
GPO
Computer Configuration\Administrative Templates\Network\Network Connections
CCE-9953-1
Require Domain users to elevate when setting a networks location
Require Domain users to elevate when setting a networks location should be properly configured.
CCE-10359-8
Route all traffic through the internal network
Route all traffic through the internal network should be properly configured.
CCE-10509-8
TCP/IP Settings
This section includes settings for configuring the TCP/IP stack.
Conditional: IPv6 not enabled
6to4 State
This policy setting allows you to configure 6to4 state.
Disabled
Default
Enabled
Disabled
ISATAP State
This policy setting allows you to configure ISATAP State.
Disabled
Default
Enabled
Disabled
Teredo State
This policy setting allows you to configure Teredo State.
Disabled
Disabled
Default
Client
Enterprise Client
IP HTTPS State
This policy setting allows you to configure IP HTTPS state.
3
0
3
2
IP HTTPS URL
This policy setting allows you to configure IP HTTPS URL.
^.+$
^.+$
^$
6to4 State
This policy setting allows you to configure 6to4 state.
CCE-10266-5
ISATAP State
This policy setting allows you to configure ISATAP State.
CCE-10130-3
Teredo State
This policy setting allows you to configure Teredo State.
CCE-10011-5
IP HTTPS
This policy setting allows you to configure IP HTTPS state.
CCE-10764-9
Windows Connect Now
This section includes settings for configuring Windows Connect Now.
Configuration of Wireless Settings Using Windows Connect Now
Configuration of Wireless Settings Using Windows Connect Now. (Enabled = 1; Disabled = 0)
0
0
1
Prohibit Access of the Windows Connect Now Wizards
Prohibit Access of the Windows Connect Now Wizards. (Enabled = 1; Disabled = 0)
0
0
1
Configuration of Wireless Settings Using Windows Connect Now
GPO
Computer Configuration\Administrative Templates\Network\Windows Connect Now
CCE-9879-8
Prohibit Access of the Windows Connect Now Wizards
GPO
Computer Configuration\Administrative Templates\Network\Windows Connect Now
CCE-10778-9
Printers
This section includes settings for configuring Printers.
Printers Settings
This section includes settings for configuring Printers.
Extend point and print connection to search Windows update and use alternate connection if needed
Extend Point and Print connection to search Windows Update and use alternate connection if needed
1
1
0
Extend point and print connection to search Windows update and use alternate connection if needed
This policy setting allows you to manage where client computers search for Point and Print drivers.
CCE-10782-1
Computer Configuration – Administrative Templates – System Settings
This section includes settings for configuring the system.
Device Installation
This section includes settings for configuring device installation.
Allow remote access to the PnP interface
Computer Configuration\Administrative Templates\System\Device Installation: Allow remote access to the PnP interface. (Enabled = 1; Disabled = 0)
0
0
1
Do not create system restore point when new device driver installed
Computer Configuration\Administrative Templates\System\Device Installation: Do not create system restore point when new device driver installed. (Enabled = 1; Disabled = 0)
0
0
1
Do not send a Windows Error Report when a generic driver is installed on a device
Computer Configuration\Administrative Templates\System\Device Installation: Do not send a Windows Error Report when a generic driver is installed on a device. (Enabled = 0; Disabled = 1)
1
0
1
prevent_device_metadata_retrieval_from_the_internet
1
0
1
specify_search_order_for_device_driver_source_locations
0
0
1
1
Allow remote access to the PnP interface
Computer Configuration\Administrative Templates\System\Device Installation: Allow remote access to the PnP interface.
GPO
Computer Configuration\Administrative Templates\System\Device Installation
CCE-10769-8
Do not send a Windows Error Report when a generic driver is installed on a device
Computer Configuration\Administrative Templates\System\Device Installation: Do not send a Windows Error Report when a generic driver is installed on a device.
GPO
Computer Configuration\Administrative Templates\System\Device Installation
CCE-9901-0
Prevent creation of a system restore point during device activity that would normally prompt creation of a restore point.
Computer Configuration\Administrative Templates\System\Device Installation: Do not create system restore point when new device driver installed.
GPO
Computer Configuration\Administrative Templates\System\Device Installation
CCE-10553-6
Prevent device metadata retrieval from the internet
This policy setting allows you to prevent Windows from retrieving device metadata from the Internet.
CCE-10165-9
Specify search order for device driver source locations
This policy setting allows you to specify the order in which Windows searches source locations for device drivers.
CCE-9919-2
Driver Installation
This section includes settings for configuring driver installation.
Group Policy Client-Side Extensions
The following rules specify the desired setting for the client-side extensions designed for Group Policy.
Registry Policy Processing
Computer Configuration\Administrative Templates\System: Group Policy – Registry Policy Processing.
0
-1
0
1
2
3
HKLM\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}\NoBackgroundPolicy SUCCESS Type: REG_DWORD, Length: 4, Data: 1
Computer Configuration\Administrative Templates\System: Group Policy – Registry Policy Processing.
0
0
1
HKLM\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}\NoGPOListChanges SUCCESS Type: REG_DWORD, Length: 4, Data: 0
Computer Configuration\Administrative Templates\System: Group Policy – Registry Policy Processing.
1
0
1
Registry Policy
Computer Configuration\Administrative Templates\System: Group Policy – Registry Policy Processing.
GPO
Computer Configuration\Administrative Templates\System\Group Policy
CCE-9361-7
Internet Communication Management
This section includes settings for configuring Internet Communication Management.
Internet Communication settings
This section includes settings for configuring Internet communications.
Turn off downloading of print drivers over HTTP
Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings: Turn off downloading of print drivers over HTTP.
1
0
1
Turn off event views “Events.asp” links
Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings: Turn Off Event Views “Events.asp” Links.
1
0
1
Turn Off Internet Connection Wizard if URL Connection is Referring to Microsoft.com
Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings: Turn Off Internet Connection Wizard if URL Connection is Referring to Microsoft.com.
1
0
1
Turn off Internet download for Web publishing and online ordering wizards
Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings: Turn off Internet download for Web publishing and online ordering wizards.
1
0
1
Turn Off Internet File Association Service
Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings: Turn Off Internet File Association Service.
1
0
1
Turn off printing over HTTP
Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings: Turn off printing over HTTP.
1
0
1
Turn Off Registration if URL Connection is Referring to Microsoft.com
Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings: Turn Off Registration if URL Connection is Referring to Microsoft.com.
1
0
1
Turn off Search Companion content file updates
Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings: Turn off Search Companion content file updates.
1
0
1
Turn Off the “Order Prints” Picture Task
Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings: Turn Off the “Order Prints” Picture Task.
1
0
1
Turn off the “Publish to Web” task for files and folders
Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings: Turn off the “Publish to Web” task for files and folders.
1
0
1
Turn off the Windows Messenger Customer Experience Improvement Program
Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings: Turn off the Windows Messenger Customer Experience Improvement Program.
2
1
2
Turn Off Windows Error Reporting
Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings: Turn Off Windows Error Reporting.
0
1
0
Turn Off Handwriting Recognition Error Reporting
Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings: Turn Off Handwriting Recognition Error Reporting.
1
0
1
turn_off_handwriting_personalization_data_sharing
1
0
1
Turn off downloading of print drivers over HTTP
Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings: Turn off downloading of print drivers over HTTP.
GPO
Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings
CCE-9195-9
Turn off event views “Events.asp” links
Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings: Turn Off Event Views “Events.asp” Links.
GPO
Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings
CCE-9819-4
Turn off handwriting personalization data sharing
Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings: Turn off handwriting personalization data sharing.
CCE-10658-3
Turn off handwriting recognition error reporting
Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings: Turn Off Handwriting Recognition Error Reporting.
GPO
Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings
CCE-10645-0
Turn off Internet connection wizard if URL connection is referring to Microsoft.com
Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings: Turn Off Internet Connection Wizard if URL Connection is Referring to Microsoft.com.
GPO
Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings
CCE-10649-2
Turn off Internet download for Web publishing and online ordering wizards
Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings: Turn off Internet download for Web publishing and online ordering wizards.
GPO
Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings
CCE-9674-3
Turn off Internet file association service
Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings: Turn Off Internet File Association Service.
GPO
Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings
CCE-10795-3
Turn off printing over HTTP
Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings: Turn off printing over HTTP.
GPO
Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings
CCE-10061-0
Turn off registration if URL connection is referring to Microsoft.com
Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings: Turn Off Registration if URL Connection is Referring to Microsoft.com.
GPO
Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings
CCE-10160-0
Turn off Search Companion content file updates
Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings: Turn off Search Companion content file updates.
GPO
Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings
CCE-10140-2
Turn off the “Order Prints” picture task
Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings: Turn Off the “Order Prints” Picture Task.
GPO
Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings
CCE-9823-6
Turn off the “Publish to Web” task for files and folders
Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings: Turn off the “Publish to Web” task for files and folders.
GPO
Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings
CCE-9643-8
Turn off the Windows Messenger Customer Experience Improvement Program
Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings: Turn off the Windows Messenger Customer Experience Improvement Program.
GPO
Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings
CCE-9559-6
Turn Off Windows Error Reporting
Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings: Turn Off Windows Error Reporting.
GPO
Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings
CCE-10441-4
Logon
This section includes settings for configuring logon options.
Always Use Classic Logon
Computer Configuration\Administrative Templates\System: Logon – Always Use Classic Logon.
0
1
0
Do not process the run once list
Computer Configuration\Administrative Templates\System: Logon – Do not process the run once list.
1
0
1
Always Use Classic Logon
Computer Configuration\Administrative Templates\System: Logon – Always Use Classic Logon.
GPO
Computer Configuration\Administrative Templates\System\Logon
CCE-10591-6
Do not process the run once list
Computer Configuration\Administrative Templates\System: Logon – Do not process the run once list.
GPO
Computer Configuration\Administrative Templates\System\Logon
CCE-10154-3
Power Management
This section includes settings for configuring power management.
Sleep settings
This section includes settings for configuring sleep.
Require a Password when a Computer Wakes (On Battery)
Computer Configuration\Administrative Templates\System\Power Management: Sleep Settings – Require a Password when a Computer Wakes (On Battery).
1
0
1
Require a Password when a Computer Wakes (Plugged)
Computer Configuration\Administrative Templates\System\Power Management: Sleep Settings – Require a Password when a Computer Wakes (Plugged).
1
0
1
Require a Password when a Computer Wakes (On Battery)
Computer Configuration\Administrative Templates\System\Power Management: Sleep Settings – Require a Password when a Computer Wakes (On Battery).
GPO
Computer Configuration\Administrative Templates\System\Power Management\Sleep Settings
CCE-9829-3
Require a Password when a Computer Wakes (Plugged)
Computer Configuration\Administrative Templates\System\Power Management: Sleep Settings – Require a Password when a Computer Wakes (Plugged).
GPO
Computer Configuration\Administrative Templates\System\Power Management\Sleep Settings
CCE-9670-1
Remote Assistance
This section includes settings for configuring remote assistance.
Turn on session logging
Computer Configuration\Administrative Templates\System: Remote Assistance – Turn on session logging.
1
0
1
Turn on session logging
Computer Configuration\Administrative Templates\System: Remote Assistance – Turn on session logging.
GPO
Computer Configuration\Administrative Templates\System\Remote Assistance
CCE-10344-0
Conditional: Remote assistance not enabled
Conditional: remote assistance not enabled
Offer Remote Assistance
Computer Configuration\Administrative Templates\System: Remote Assistance – Offer Remote Assistance.
0
0
1
Solicited Remote Assistance
Computer Configuration\Administrative Templates\System: Remote Assistance – Solicited Remote Assistance.
0
0
1
User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop
This setting was added to Windows Vista SP1 specifically to enable Remote Assistance. It allows certain applications stored in secure folders, such as system32, to bypass the secure desktop so that they can function as designed. Enabling this setting will lower security slightly but enable Remote Assistance. For more information see http://technet.microsoft.com/en-us/library/dd835564(WS.10).aspx.
0
0
1
Offer Remote Assistance
Computer Configuration\Administrative Templates\System: Remote Assistance – Offer Remote Assistance.
GPO
Computer Configuration\Administrative Templates\System\Remote Assistance
CCE-9960-6
Solicited Remote Assistance
Computer Configuration\Administrative Templates\System: Remote Assistance – Solicited Remote Assistance.
GPO
Computer Configuration\Administrative Templates\System\Remote Assistance
CCE-9506-7
User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop
This setting was added to Windows Vista SP1 specifically to enable Remote Assistance. It allows certain applications stored in secure folders, such as system32, to bypass the secure desktop so that they can function as designed. Enabling this setting will lower security slightly but enable Remote Assistance. For more information see http://technet.microsoft.com/en-us/library/dd835564(WS.10).aspx.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-9301-3
Remote Procedure Call
This section includes settings for configuring remote procedure call.
Restrictions for Unauthenticated RPC clients
Computer Configuration\Administrative Templates\System: Remote Procedure Call – Restrictions for Unauthenticated RPC clients. (Enabled: Authenticated = 1)
1
0
1
2
RPC Endpoint Mapper Client Authentication
Computer Configuration\Administrative Templates\System: Remote Procedure Call – RPC Endpoint Mapper Client Authentication.
1
0
1
Restrictions for Unauthenticated RPC clients
Computer Configuration\Administrative Templates\System: Remote Procedure Call – Restrictions for Unauthenticated RPC clients.
GPO
Computer Configuration\Administrative Templates\System\Remote Procedure Call
CCE-9396-3
RPC Endpoint Mapper Client Authentication
Computer Configuration\Administrative Templates\System: Remote Procedure Call – RPC Endpoint Mapper Client Authentication.
GPO
Computer Configuration\Administrative Templates\System\Remote Procedure Call
CCE-10181-6
Troubleshooting and Diagnostics
This section includes settings for configuring troubleshooting and diagnostics.
Microsoft Support Diagnostic Tool
This section includes settings for configuring the Microsoft Support Diagnostic Tool.
Microsoft support diagnostic tool: turn on msdt interactive communication with support provider
Microsoft support diagnostic tool: turn on msdt interactive communication with support provider
0
0
1
Microsoft support diagnostic tool: turn on msdt interactive communication with support provider
Microsoft support diagnostic tool: turn on msdt interactive communication with support provider
CCE-9842-6
Scripted Diagnostic Settings
This section includes settings for configuring the scripted diagnostics.
Troubleshooting: allow user to access online troubleshooting content on Microsoft servers from the troubleshooting control panel
Troubleshooting: allow user to access online troubleshooting content on Microsoft servers from the troubleshooting control panel
0
0
1
Troubleshooting: allow user to access online troubleshooting content on Microsoft servers from the troubleshooting control panel
Troubleshooting: allow user to access online troubleshooting content on Microsoft servers from the troubleshooting control panel
CCE-10606-2
Windows Performance Perftrack
This section includes settings for configuring Windows Performance Perftrack.
Enable or disable perftrack
This policy setting specifies whether to enable or disable tracking of responsiveness events.
0
0
1
Enable or disable perftrack
This policy setting specifies whether to enable or disable tracking of responsiveness events.
CCE-10219-4
Windows Time Service
This section includes settings for configuring the Windows Time Service.
Time Providers
This section includes settings for configuring Windows time providers.
Configure Windows NTP client
This policy setting includes parameters for controlling the Windows NTP Client.
.*
.+
Configure Windows NTP client
This policy setting includes parameters for controlling the Windows NTP Client.
CCE-10500-7
Windows Components
This section includes settings for configuring Windows components.
Application Compatibility Settings
This section includes settings for configuring application compatibility.
Turn off program inventory
This policy controls the state of the Program Inventory collector in the system.
1
0
1
Turn off program inventory
This policy controls the state of the Program Inventory collector in the system.
CCE-10787-0
Autoplay Policies
Computer Configuration\Administrative Templates\Windows Components: Autoplay Policies
Turn off autoplay for non volume devices
This policy setting determines whether autoplay is enabled for non volume devices.
1
0
1
Default behavior for autorun
Configures the autorun settings on the system.
1
1
2
Turn off Autoplay
Turn off Autoplay
0
181
255
Default behavior for autorun
Configures the autorun settings on the system.
GPO
Computer Configuration\Administrative Templates\Windows Components\Autoplay Policies: Default behavior for autorun
CCE-10527-0
Turn off Autoplay
Computer Configuration\Administrative Templates\Windows Components\Autoplay Policies: Turn off Autoplay.
GPO
Computer Configuration\Administrative Templates\Windows Components\AutoPlay Policies
CCE-9528-1
Turn off autoplay for non volume devices
This policy setting determines whether autoplay is enabled for non volume devices.
CCE-10655-9
Credential User Interface
Computer Configuration\Administrative Templates\Windows Components: Credential User Interface
Enumerate administrator accounts on elevation
Computer Configuration\Administrative Templates\Windows Components\Credential User Interface: Enumerate administrator accounts on elevation.
1
0
1
Enumerate administrator accounts on elevation
Computer Configuration\Administrative Templates\Windows Components\Credential User Interface: Enumerate administrator accounts on elevation.
GPO
Computer Configuration\Administrative Templates\Windows Components\Credential User Interface
CCE-9938-2
Digital Locker
This section includes settings for configuring Digital Locker.
Do not allow Digital Locker to run
Specifies whether Digital Locker can run.
1
0
1
Do not allow digital locker to run
Specifies whether Digital Locker can run.
CCE-10759-9
Desktop Gadgets
This section includes settings for configuring Desktop Gadgets.
Disable unpacking and installation of gadgets that are not digitally signed
Sidebar gadgets can be deployed as compressed files, either digitally signed or unsigned. If you enable this setting, Windows Sidebar will not extract any gadgets that have not been digitally signed. If you disable or do not configure this setting, Window
1
0
1
Turn Off User Installed Windows Sidebar Gadgets
Turn Off User Installed Windows Sidebar Gadgets
1
0
1
Override the More Gadgets Link
Override the More Gadgets Link
GPO
Computer Configuration\Administrative Templates\Windows Components\Windows Sidebar
CCE-9857-4
Disable unpacking and installation of gadgets that are not digitally signed
Sidebar gadgets can be deployed as compressed files, either digitally signed or unsigned. If you enable this setting, Windows Sidebar will not extract any gadgets that have not been digitally signed. If you disable or do not configure this setting, Window
GPO
Computer Configuration\Administrative Templates\Windows Components\Windows Sidebar
CCE-10811-8
Turn Off User Installed Windows Sidebar Gadgets
Turn Off User Installed Windows Sidebar Gadgets
GPO
Computer Configuration\Administrative Templates\Windows Components\Windows Sidebar
CCE-10586-6
Event Log Service Settings
Windows 7 records information about significant events in four logs: the Application Log, the Security Log, the Setup Log, and the System Log. The logs contain error messages, audit information, and other records of activity on the system. The logs can be used not only to identify suspicious and malicious behavior and investigate security incidents, but also to assist in troubleshooting system and application problems. It is important to specify the maximum log size because if it is too low, the system will not have much room for storing information on system activity.
Application Log
This section includes settings for configuring the application log.
Maximum Application Log Size
The value defines the maximum size (in KB) of the application log.
32768
16384
32768
81920
Maximum Application Log Size
Maximum Application Log Size
GPO
Computer Configuration\Administrative Templates\Windows Components\Event Log Service\Application
CCE-9603-2
Security Log
This section includes settings for configuring the security log.
Maximum Security Log Size
The value defines the maximum size (in KB) of the security log.
81920
16384
32768
81920
Maximum Security Log Size
Maximum Security Log Size
GPO
Computer Configuration\Administrative Templates\Windows Components\Event Log Service\Security
CCE-9967-1
Setup Log
This section includes settings for configuring the setup log.
Maximum Setup Log Size
The value defines the maximum size (in KB) of the setup log.
32768
16384
32768
81920
Maximum Setup Log Size
Maximum Setup Log Size
GPO
Computer Configuration\Administrative Templates\Windows Components\Event Log Service\Setup
CCE-10714-4
System Log
This section includes settings for configuring the system log.
Maximum System Log Size
The value defines the maximum size (in KB) of the system log.
32768
16384
32768
81920
Maximum System Log Size
Maximum System Log Size
GPO
Computer Configuration\Administrative Templates\Windows Components\Event Log Service\System
CCE-10156-8
Game Explorer
Computer Configuration\Administrative Templates\Windows Components: Game Explorer
Turn Off Downloading of Game Information
Computer Configuration\Administrative Templates\Windows Components\Game Explorer: Turn Off Downloading of Game Information.
0
1
0
Turn off game updates
Turn off game updates
0
1
0
Turn Off Downloading of Game Information
Computer Configuration\Administrative Templates\Windows Components\Game Explorer: Turn Off Downloading of Game Information.
GPO
Computer Configuration\Administrative Templates\Windows Components\Game Explorer
CCE-10828-2
Turn off game updates
Turn off game updates
CCE-10850-6
HomeGroup Settings
This section includes settings for configuring the HomeGroup feature.
Prevent the computer from joining a Homegroup
Prevent the computer from joining a Homegroup
1
0
1
Prevent the computer from joining a Homegroup
Prevent the computer from joining a Homegroup
CCE-10183-2
Netmeeting
This section includes settings for configuring Netmeeting.
Disable remote desktop sharing
Disable remote desktop sharing.
1
0
1
Disable remote desktop sharing
Disable remote desktop sharing.
CCE-10763-1
Remote Desktop Services
This section includes settings for configuring Remote Desktop Services.
Remote Desktop Connection Client
This section includes settings for configuring the Remote Desktop client.
Do not allow passwords to be saved
Do not allow passwords to be saved
1
0
1
Do not allow passwords to be saved
The “Do not allow passwords to be saved” setting should be configured correctly for Terminal Services.
GPO
Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Remote Desktop Connection Client
CCE-10090-9
Remote Desktop Session Host
This section includes settings for configuring the Remote Desktop Session Host.
Conditional: RDS not enabled
Conditional: RDS not enabled
Allow users to connect remotely using Remote Desktop Services
This policy setting determines whether or not users can connect to the computer using Remote Desktop Services.
1
1
0
Allow users to connect remotely using Remote Desktop Services
This policy setting determines whether or not users can connect to the computer using Remote Desktop Services.
GPO
Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections
CCE-9985-3
Security Settings
This section includes settings for configuring the Remote Desktop security settings.
Set client connection encryption level
Set client connection encryption level
3
1
2
3
Always prompt client for password upon connection
Always prompt client for password upon connection
1
0
1
Always prompt client for password upon connection
The “Always Prompt Client for Password upon Connection” policy should be set correctly for Terminal Services.
GPO
Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Terminal Server\Security
CCE-10103-0
Set client connection encryption level
The “Set Client connection Encryption Level” policy should be set correctly for Terminal Services.
GPO
Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Terminal Server\Security
CCE-9764-2
Session Time Limits
This section includes settings for configuring the Remote Desktop connection session time limit settings.
Set a time limit for disconnected sessions
You can use this policy setting to specify the maximum amount of time that a disconnected session is kept active on the server. By default, Terminal Services allows users to disconnect from a remote session without logging off and ending the session. (1 min; the value is stored in milliseconds)
60000
60000
Set a time limit for active but idle Terminal Services sessions
This policy setting allows you to specify the maximum amount of time that an active Terminal Services session can be idle (without user input) before it is automatically disconnected. (15 min; the value is stored in milliseconds)
900000
900000
Set a time limit for disconnected sessions
The “Set time limit for disconnected sessions” policy should be set correctly for Terminal Services.
GPO
Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Terminal Server\Session Time Limits
CCE-9858-2
Set a time limit for active but idle Terminal Services sessions
The “Set time limit for idle sessions” policy should be set correctly for Terminal Services.
GPO
Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Terminal Server\Session Time Limits
CCE-10608-8
Temporary Folders
This section includes settings for configuring Remote Desktop temporary folders.
Do not delete temp folders upon exit
Do not delete temp folders upon exit
1
1
0
Do not use temporary folders per session
Do not use temporary folders per session
1
1
0
Do not delete temp folders upon exit
Do not delete temp folders upon exit
CCE-10856-3
Do not use temporary folders per session
Do not use temporary folders per session
CCE-9864-0
RSS Feeds
This section includes settings for configuring RSS feeds.
Turn off downloading of enclosures
Turn off downloading of enclosures
1
0
1
Turn off downloading of enclosures
Turn off downloading of enclosures
CCE-10730-0
Search
Search
Allow indexing of encrypted files
Allow indexing of encrypted files
0
0
1
Prevent indexing uncached Exchange folders
Prevent indexing uncached Exchange folders
1
0
1
Enable indexing uncached Exchange folders
Enable indexing uncached Exchange folders
1
1
0
Allow indexing of encrypted files
Allow indexing of encrypted files
GPO
Computer Configuration\Administrative Templates\Windows Components\Search
CCE-10496-8
Enable indexing uncached Exchange folders
Prevent indexing uncached Exchange folders
GPO
Computer Configuration\Administrative Templates\Windows Components\Search
CCE-9866-5
Windows Anytime Upgrade
This section includes settings for configuring Windows Anytime Upgrade.
Prevent Windows Anytime Upgrade from running
Prevent Windows Anytime Upgrade from running
1
0
1
Prevent Windows anytime upgrade from running
Prevent Windows anytime upgrade from running
CCE-10137-8
Windows Defender
Windows Defender
Configure Microsoft SpyNet Reporting
When Windows Defender detects software or changes by software not yet classified for risks, you see how other members responded to the alert. In turn, the actions you apply help other members choose how to respond. Your actions also help Microsoft choose which software to investigate for potential threats. You can choose to send basic or additional information about detected software. Additional information helps improve how Windows Defender works. It can include, for example, the location of detected items on your computer if harmful software has been removed. Windows Defender will automatically collect and send the information.
0
0
1
Configure Microsoft SpyNet Reporting
When Windows Defender detects software or changes by software not yet classified for risks, you see how other members responded to the alert. In turn, the actions you apply help other members choose how to respond. Your actions also help Microsoft choose which software to investigate for potential threats. You can choose to send basic or additional information about detected software. Additional information helps improve how Windows Defender works. It can include, for example, the location of detected items on your computer if harmful software has been removed. Windows Defender will automatically collect and send the information.
GPO
Computer Configuration\Administrative Templates\Windows Components\Windows Defender
CCE-9868-1
Windows Error Reporting
Windows Error Reporting
Disable Logging
If this setting is enabled Windows Error Reporting events will not be logged to the system event log.
0
0
1
Display Error Notification
Display Error Notification
1
1
0
Do Not Send Additional Data
If this setting is enabled any additional data requests from Microsoft in response to a Windows Error Reporting event will be automatically declined without notice to the user.
1
0
1
Disable Logging
If this setting is enabled Windows Error Reporting events will not be logged to the system event log.
GPO
Computer Configuration\Administrative Templates\Windows Components\Windows Error Reporting
CCE-10157-6
Display Error Notification
The “Display Error Notification” setting should be configured correctly.
GPO
Computer Configuration\Administrative Templates\Windows Components\Windows Error Reporting
CCE-10709-4
Do Not Send Additional Data
If this setting is enabled any additional data requests from Microsoft in response to a Windows Error Reporting event will be automatically declined without notice to the user.
GPO
Computer Configuration\Administrative Templates\Windows Components\Windows Error Reporting
CCE-10824-1
Conditional: WER not enabled
Conditional: WER not enabled
Disable Windows Error Reporting
If this setting is enabled, Windows Error Reporting will not send any problem information to Microsoft. Additionally, solution information will not be available in the Problem Reports and Solutions control panel.
1
0
1
Disable Windows Error Reporting
If this setting is enabled, Windows Error Reporting will not send any problem information to Microsoft. Additionally, solution information will not be available in the Problem Reports and Solutions control panel.
GPO
Computer Configuration\Administrative Templates\Windows Components\Windows Error Reporting
CCE-9914-3
Windows Explorer Settings
Windows Explorer
Turn off Heap termination on corruption
Turn off Heap termination on corruption
0
0
1
Turn off shell protocol protected mode
Turn off shell protocol protected mode
0
0
1
Turn off data execution prevention for Explorer
Turn off data execution prevention for Explorer
0
0
1
Turn off data execution prevention for explorer
Turn off data execution prevention for explorer
CCE-9918-4
Turn off Heap termination on corruption
Turn off Heap termination on corruption
GPO
Computer Configuration\Administrative Templates\Windows Components\Windows Explorer
CCE-9874-9
Turn off shell protocol protected mode
Turn off shell protocol protected mode
GPO
Computer Configuration\Administrative Templates\Windows Components\Windows Explorer
CCE-10623-7
Windows Installer Settings
Windows Installer
Disable IE security prompt for Windows Installer scripts
Disable IE security prompt for Windows Installer scripts
0
0
1
Enable user control over installs
Permits users to change installation options that typically are available only to system administrators. This setting bypasses some of the security features of Windows Installer.
0
0
1
Prohibit non-administrators from applying vendor signed updates
This setting controls the ability of non-administrators to install updates that have been digitally signed by the application vendor.
1
0
1
Disable IE security prompt for Windows Installer scripts
Disable IE security prompt for Windows Installer scripts
GPO
Computer Configuration\Administrative Templates\Windows Components\Windows Installer
CCE-9875-6
Enable user control over installs
Permits users to change installation options that typically are available only to system administrators. This setting bypasses some of the security features of Windows Installer.
GPO
Computer Configuration\Administrative Templates\Windows Components\Windows Installer
CCE-9876-4
Prohibit non-administrators from applying vendor signed updates
This setting controls the ability of non-administrators to install updates that have been digitally signed by the application vendor.
GPO
Computer Configuration\Administrative Templates\Windows Components\Windows Installer
CCE-9888-9
Windows Logon Options
Windows Logon Options
Report when logon server was not available during user logon
This policy controls whether the logged on user should be notified if the logon server could not be contacted during logon and he has been logged on using previously stored account information.
1
0
1
Report Logon Server Not Available During User logon
This policy controls whether the logged on user should be notified if the logon server could not be contacted during logon and he has been logged on using previously stored account information.
GPO
Computer Configuration\Administrative Templates\Windows Components\Windows Logon Options
CCE-9907-7
Windows Mail
Windows Mail
Turn off the communities features
Turn off the communities features
1
0
1
Allow Windows Mail
Allow Windows Mail
0
0
1
Turn off the communities features
Turn off the communities features
CCE-11252-4
Allow Windows Mail
Allow Windows Mail
CCE-10882-9
Windows Media Digital Rights Management
Windows Media Digital Rights Management
Prevent Windows Media DRM Internet Access
Prevents Windows Media Digital Rights Management (DRM) from accessing the Internet (or intranet). When enabled, Windows Media DRM is prevented from accessing the Internet (or intranet) for license acquisition and security upgrades.
1
0
1
Prevent Windows Media DRM Internet Access
Prevents Windows Media Digital Rights Management (DRM) from accessing the Internet (or intranet). When enabled, Windows Media DRM is prevented from accessing the Internet (or intranet) for license acquisition and security upgrades.
GPO
Computer Configuration\Administrative Templates\Windows Components\Windows Media Digital Rights Management
CCE-9908-5
Windows Media Player Settings
This section includes settings for configuring Windows Media Player.
Do Not Show First Use Dialog Boxes
The “Do Not Show First Use Dialog Boxes” setting for Windows Media Player should be configured correctly.
1
0
1
Prevent Automatic Updates
The “Disable Media Player for automatic updates” policy should be set correctly.
1
0
1
Do Not Show First Use Dialog Boxes
The “Do Not Show First Use Dialog Boxes” setting for Windows Media Player should be configured correctly.
GPO
Computer Configuration\Administrative Templates\Windows Components\Windows Media Player
CCE-10692-2
Prevent Automatic Updates
The “Disable Media Player for automatic updates” policy should be set correctly.
GPO
Computer Configuration\Administrative Templates\Windows Components\Windows Media Player
CCE-10602-1
Conditional: Automatic Updates
Conditional: automatic updates not enabled
Configure automatic updates
Configure automatic updates
0
0
1
Reschedule automatic updates scheduled installation
Reschedule automatic updates scheduled installation
1
0
1
No auto restart with logged on users for scheduled automatic updates installations
No auto restart with logged on users for scheduled automatic updates installations
0
0
1
Do not display ‘Install Updates and Shut Down’ option in Shut Down Windows dialog box
Do not display ‘Install Updates and Shut Down’ option in Shut Down Windows dialog box
0
0
1
Configure automatic updates
Configure automatic updates
CCE-9403-7
Reschedule automatic updates scheduled installation
Reschedule automatic updates scheduled installation
CCE-10205-3
No auto restart with logged on users for scheduled automatic updates installations
No auto restart with logged on users for scheduled automatic updates installations
CCE-9672-7
Do not display ‘Install Updates and Shut Down’ option in Shut Down Windows dialog box
Do not display ‘Install Updates and Shut Down’ option in Shut Down Windows dialog box
CCE-9464-9
Programs and Features Group
Optional Windows Programs and Features that should not be installed, located at Control Panel\Programs and Features\Turn Windows features on or off
Games are not installed
Games are not installed
CCE-18880-5
Internet Information Services
Internet Information Services is not installed
CCE-18249-3
Simple TCPIP Services
Simple TCPIP Services is not installed
CCE-18629-6
Telnet Client
Telnet Client is not installed
CCE-18659-3
Telnet Server
Telnet Server is not installed
CCE-18739-3
TFTP Client
TFTP Client is not installed
CCE-18190-9
Windows Media Center
Windows Media Center is not installed
CCE-18300-4
Local User Policy Settings
Local User Policy Settings
Enable screen saver
Enable screen saver
GPO
User Configuration\Administrative Templates\Control Panel\Personalization
CCE-10051-1
Password protect the screen saver
Password protect the screen saver
GPO
User Configuration\Administrative Templates\Control Panel\Personalization
CCE-9730-3
Screen Saver timeout
Screen Saver timeout
GPO
User Configuration\Administrative Templates\Control Panel\Personalization
CCE-10148-5
Turn off Help Ratings
Turn off Help Ratings
GPO
User Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication Settings
CCE-10295-4
Do not preserve zone information in file attachments
Do not preserve zone information in file attachments
GPO
User Configuration\Administrative Templates\Windows Components\Attachment Manager
CCE-10166-7
Hide mechanisms to remove zone information
Hide mechanisms to remove zone information
GPO
User Configuration\Administrative Templates\Windows Components\Attachment Manager
CCE-9684-2
Notify antivirus programs when opening attachments
Notify antivirus programs when opening attachments
GPO
User Configuration\Administrative Templates\Windows Components\Attachment Manager
CCE-10076-8
Prevent users from sharing files within their profile
Prevent users from sharing files within their profile
GPO
User Configuration\Administrative Templates\Windows Components\Network Sharing
CCE-10644-3
Network access: Named Pipes that can be accessed anonymously
Network access: Named Pipes that can be accessed anonymously. Pipes are internal system communications processes. They are identified internally by ID numbers that vary between systems. To make access to these processes easier, these pipes are given names that do not vary between systems. This setting controls which of these pipes anonymous users may access.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-9218-9
Network access: Shares that can be accessed anonymously
This setting controls which network shares may be accessed by an anonymous user. The default setting includes the shares DFS$ and COMCFG. It is recommended that they be left at the default setting.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-9196-7
Security Patches
Securing a given computer has become increasingly important. As such, it is essential to keep a host up to current patch levels to eliminate known vulnerabilities and weaknesses. In conjunction with antivirus software and a personal firewall, patching goes a long way to securing a host against outside attacks and exploitation. Microsoft provides two mechanisms for distributing security updates: Automatic Updates and Microsoft Update. In smaller environments, either method may be sufficient for keeping systems current with patches. Other environments typically have a software change management control process or a patch management program that tests patches before deploying them; distribution may then occur through local Windows Update Services (WUS) or Windows Server Update Services (WSUS) servers, which provide approved security patches for use by the Automatic Updates feature.
Security Patches Up-To-Date
All known security patches have been installed.
2.0
2015-04-07T10:00:00
USGCB Windows 7 User Settings Checklist
USGCB Windows 7 User Settings: Question 1
Enable screen saver
CCE-10051-1
ocil:usgcb.win7.checklist:testaction:1
USGCB Windows 7 User Settings: Question 2
Password protect the screen saver
CCE-9730-3
ocil:usgcb.win7.checklist:testaction:2
USGCB Windows 7 User Settings: Question 3
Screen Saver timeout
CCE-10148-5
ocil:usgcb.win7.checklist:testaction:3
USGCB Windows 7 User Settings: Question 4
Turn off Help Ratings
CCE-10295-4
ocil:usgcb.win7.checklist:testaction:4
USGCB Windows 7 User Settings: Question 5
Do not preserve zone information in file attachments
CCE-10166-7
ocil:usgcb.win7.checklist:testaction:5
USGCB Windows 7 User Settings: Question 6
Hide mechanisms to remove zone information
CCE-9684-2
ocil:usgcb.win7.checklist:testaction:6
USGCB Windows 7 User Settings: Question 7
Notify antivirus programs when opening attachments
CCE-10076-8
ocil:usgcb.win7.checklist:testaction:7
USGCB Windows 7 User Settings: Question 8
Prevent users from sharing files within their profile.
CCE-10644-3
ocil:usgcb.win7.checklist:testaction:8
USGCB Windows 7 Security Options Settings: Question 9
Network access: Named Pipes that can be accessed anonymously
CCE-9218-9
ocil:usgcb.win7.checklist:testaction:9
USGCB Windows 7 Security Options Settings: Question 10
Network access: Shares that can be accessed anonymously
CCE-9196-7
ocil:usgcb.win7.checklist:testaction:10
Does the Windows setting “Enable screen saver” located at “User Configuration\Administrative Templates\Control Panel\Personalization” have the value Enabled?
Does the Windows setting “Password protect the screen saver” located at “User Configuration\Administrative Templates\Control Panel\Personalization” have the value Enabled?
Does the Windows setting “Screen Saver timeout” located at “User Configuration\Administrative Templates\Control Panel\Personalization” have the value Enabled: 900 seconds?
Does the Windows setting “Turn off Help Ratings” located at “User Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication Settings” have the value Enabled?
Does the Windows setting “Do not preserve zone information in file attachments” located at “User Configuration\Administrative Templates\Windows Components\Attachment Manager” have the value Disabled?
Does the Windows setting “Hide mechanisms to remove zone information” located at “User Configuration\Administrative Templates\Windows Components\Attachment Manager” have the value Enabled?
Does the Windows setting “Notify antivirus programs when opening attachments” located at “User Configuration\Administrative Templates\Windows Components\Attachment Manager” have the value Enabled?
Does the Windows setting “Prevent users from sharing files within their profile.” located at “User Configuration\Administrative Templates\Windows Components\Network Sharing” have the value Enabled?
Does the Windows setting “Network access: Named Pipes that can be accessed anonymously” located at “Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options” have no value (None)?
Does the Windows setting “Network access: Shares that can be accessed anonymously” located at “Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options” have no value (None)?
National Institute of Standards and Technology
5.8
2015-04-07T10:00:00.000-04:00
Account Lockout Duration
Microsoft Windows 7
Account Lockout Duration
Account Lockout Threshold
Microsoft Windows 7
Account Lockout Duration
Reset Account Lockout Counter After
Microsoft Windows 7
Reset Account Lockout Counter After
Enforce Password History
Microsoft Windows 7
The number of passwords remembered
Maximum Password Age
Microsoft Windows 7
This forces users to change their passwords regularly.
Minimum Password Age
Microsoft Windows 7
This setting requires users to wait for a certain number of days before changing their password again.
Minimum Password Length
Microsoft Windows 7
Minimum Password Length
Password Complexity
Microsoft Windows 7
Password Complexity
Reversible Password Encryption
Microsoft Windows 7
Reversible Password Encryption
Access from the Network – Administrators
Microsoft Windows 7
Administrators may access this computer from the network. NOTE: This can break IPSec; see Microsoft Knowledge Base article 823659 for further guidance.
Act as Part of the Operating System – None
Microsoft Windows 7
No one has the right to act as part of the operating system
Adjust Memory Quotas – Administrators, LOCAL SERVICE, NETWORK SERVICE
Microsoft Windows 7
Administrators, LOCAL SERVICE, NETWORK SERVICE may adjust memory quotas for a process
Log On Locally – Administrators, Users
Microsoft Windows 7
Administrators and Users are allowed to log on locally
Logon Through Terminal Services – Administrators, Remote Desktop Users
Microsoft Windows 7
Administrators and Remote Desktop Users are allowed to log on through Terminal Services
Back Up Files and Directories – Administrators
Microsoft Windows 7
Administrators are allowed to back up files and directories
Bypass Traverse Checking – Administrators, Users, Local Service, Network Service
Microsoft Windows 7
Administrators, Users, Local Service and Network Service may bypass traverse checking
Change System Time – Administrators and Local Service
Microsoft Windows 7
Administrators and Local Service may change the system time
Change the time zone – Administrators, Users, and Local Service
Microsoft Windows 7
Administrators, Users, and Local Service may change the time zone
Create a Pagefile – Administrators
Microsoft Windows 7
Administrators may create a pagefile
Create a Token Object – None
Microsoft Windows 7
No one is allowed to create a token object
Create Global Objects – Administrators, SERVICE, Local Service, Network Service
Microsoft Windows 7
Administrators, SERVICE, Local Service and Network Service may Create Global Objects
Create Permanent Shared Objects – None
Microsoft Windows 7
No one is allowed to create permanent shared objects
Create Symbolic Links – Administrators
Microsoft Windows 7
Administrators may create symbolic links
Debug Programs – None
Microsoft Windows 7
No one is allowed to debug programs
Deny Access from Network – Guest
Microsoft Windows 7
Guests are denied access to this computer from the network
Deny Logon As Batch Job – Guests
Microsoft Windows 7
Guests are denied logon as a batch job
Deny Logon As A Service – None
Microsoft Windows 7
No one is denied logon as a service
Deny Logon Locally – Guests, any service accounts
Microsoft Windows 7
Guests, and any service accounts are denied logon locally
Deny Logon Through Terminal Services – Guests
Microsoft Windows 7
Guests are denied logon through Terminal Services
Force Shutdown From Remote System – Administrators
Microsoft Windows 7
Administrators may force shutdown from a remote system
Generate Security Audits – LOCAL SERVICE, NETWORK SERVICE
Microsoft Windows 7
LOCAL SERVICE and NETWORK SERVICE may generate security audits
Impersonate a Client after Authentication – Administrators, SERVICE, Local Service, Network Service
Microsoft Windows 7
Administrators, SERVICE, Local Service and Network Service may Impersonate a Client after Authentication
Increase a Process Working Set – Administrators and Local Service
Microsoft Windows 7
Administrators and Local Service may increase a process working set.
Increase Scheduling Priority – Administrators
Microsoft Windows 7
Administrators may increase scheduling priority
Load and Unload Device Drivers – Administrators
Microsoft Windows 7
Administrators may load and unload device drivers
Lock Pages in Memory – None
Microsoft Windows 7
No one may lock pages in memory
Log On As a Batch Job – None
Microsoft Windows 7
No one may log on as a batch job
Log On As a Service – None
Microsoft Windows 7
No one may log on as a service
Manage Auditing and Security Log – Administrators
Microsoft Windows 7
Administrators may manage the auditing and security log
Modify an object label – None
Microsoft Windows 7
No one may modify an object label.
Modify Firmware Environment Values – Administrators
Microsoft Windows 7
Administrators may modify firmware environment variables
Perform Volume Maintenance Tasks – Administrators
Microsoft Windows 7
Administrators may perform volume maintenance tasks
Profile Single Process – Administrators
Microsoft Windows 7
Administrators may profile a single process
Profile System Performance – Administrators, NT Service\WdiServiceHost
Microsoft Windows 7
Administrators, NT Service\WdiServiceHost may profile the system performance
Remove Computer From Docking Stations – Administrators, Users
Microsoft Windows 7
Users and Administrators may remove the computer from its docking station
Replace a Process Level Token – LOCAL SERVICE, NETWORK SERVICE
Microsoft Windows 7
LOCAL SERVICE and NETWORK SERVICE may replace a process level token
Restore Files and Directories – Administrators
Microsoft Windows 7
Administrators may restore files and directories
Shut Down the System – Administrators, Users
Microsoft Windows 7
Administrators and Users may shut down the system
Take Ownership of Files or Other Objects – Administrators
Microsoft Windows 7
Administrators may take ownership of files or other objects
Accounts: Guest account status
Microsoft Windows 7
This definition verifies that the Guest account is enabled/disabled based on the policy defined by the user.
Accounts: Limit local account use to blank passwords to console logon only
Microsoft Windows 7
Accounts: Limit local account use to blank passwords to console logon only
Accounts: Rename Administrator Account
Microsoft Windows 7
Accounts: Rename Administrator Account
Accounts: Rename Guest Account
Microsoft Windows 7
Accounts: Rename Guest Account
Audit: Audit the access of global system objects
Microsoft Windows 7
Audit the access of global system objects is disabled
Audit: Audit the use of Backup and Restore privilege
Microsoft Windows 7
Audit: Audit the use of Backup and Restore privilege
Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings
Microsoft Windows 7
Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings
Devices: Prevent users from installing printer drivers
Microsoft Windows 7
Devices: Prevent users from installing printer drivers
Devices: Restrict CD-ROM access to locally logged-on user only
Microsoft Windows 7
Devices: Restrict CD-ROM access to locally logged-on user only
Devices: Restrict Floppy access to locally logged-on user only
Microsoft Windows 7
Devices: Restrict Floppy access to locally logged-on user only
Domain member: Digitally encrypt or sign secure channel data (always)
Microsoft Windows 7
Domain member: Digitally encrypt or sign secure channel data (always)
Domain member: Digitally encrypt or sign secure channel data (when possible)
Microsoft Windows 7
Domain member: Digitally encrypt or sign secure channel data (when possible)
Domain member: Digitally sign secure channel data (when possible)
Microsoft Windows 7
Domain member: Digitally sign secure channel data (when possible)
Domain member: Disable machine account password changes
Microsoft Windows 7
Domain member: Disable machine account password changes
Domain member: Maximum machine account password age
Microsoft Windows 7
Domain member: Maximum machine account password age
Domain member: Require strong (Windows 2000 or later) session key
Microsoft Windows 7
Domain member: Require strong (Windows 2000 or later) session key
Interactive logon: Do not display last user name
Microsoft Windows 7
Interactive logon: Do not display last user name
Interactive logon: Do not require CTRL+ALT+DEL
Microsoft Windows 7
Interactive logon: Do not require CTRL+ALT+DEL
Interactive logon: Message text for users attempting to log on
Microsoft Windows 7
Interactive logon: Message text for users attempting to log on
Interactive logon: Message title for users attempting to log on
Microsoft Windows 7
Interactive logon: Message title for users attempting to log on
Interactive logon: Number of previous logons to cache (in case domain controller is not available)
Microsoft Windows 7
Interactive logon: Number of previous logons to cache (in case domain controller is not available)
Interactive logon: Prompt user to change password before expiration
Microsoft Windows 7
Interactive logon: Prompt user to change password before expiration
Interactive logon: Require Domain Controller authentication to unlock workstation
Microsoft Windows 7
Interactive logon: Require Domain Controller authentication to unlock workstation
Interactive logon: Smart card removal behavior
Microsoft Windows 7
Interactive logon: Require Domain Controller authentication to unlock workstation
Microsoft network client: Digitally sign communications (always)
Microsoft Windows 7
Microsoft network client: Digitally sign communications (always)
Microsoft network client: Digitally sign communications (if server agrees)
Microsoft Windows 7
Microsoft network client: Digitally sign communications (if server agrees)
Microsoft network client: Send unencrypted password to third-party SMB servers
Microsoft Windows 7
Microsoft network client: Send unencrypted password to third-party SMB servers
Microsoft network server: Amount of idle time required before suspending session
Microsoft Windows 7
Microsoft network server: Amount of idle time required before suspending session
Microsoft network server: Digitally sign communications (always)
Microsoft Windows 7
Microsoft network server: Digitally sign communications (always)
Microsoft network server: Digitally sign communications (if client agrees)
Microsoft Windows 7
Microsoft network server: Digitally sign communications (if client agrees)
Microsoft network server: Disconnect clients when logon hours expire
Microsoft Windows 7
Microsoft network server: Disconnect clients when logon hours expire
Network access: Allow anonymous SID/Name translation
Microsoft Windows 7
Determines if an anonymous user can request security identifier (SID) attributes for another user.
Network access: Do not allow anonymous enumeration of SAM accounts
Microsoft Windows 7
Network access: Do not allow anonymous enumeration of SAM accounts
Network access: Do not allow anonymous enumeration of SAM accounts and shares
Microsoft Windows 7
Network access: Do not allow anonymous enumeration of SAM accounts and shares
Network access: Do not allow storage of credentials or .NET Passports for network authentication
Microsoft Windows 7
Network access: Do not allow storage of credentials or .NET Passports for network authentication
Network access: Let Everyone permissions apply to anonymous users
Microsoft Windows 7
Network access: Let Everyone permissions apply to anonymous users
Network access: Named Pipes that can be accessed anonymously
Microsoft Windows 7
Network access: Named Pipes that can be accessed anonymously
Network access: Remotely accessible registry paths
Microsoft Windows 7
Network access: Remotely accessible registry paths
Network access: Remotely accessible registry paths and sub paths
Microsoft Windows 7
Network access: Remotely accessible registry paths and sub paths
Network access: Restrict anonymous access to Named Pipes and Shares
Microsoft Windows 7
Network access: Restrict anonymous access to Named Pipes and Shares
Network access: Shares that can be accessed anonymously
Microsoft Windows 7
Network access: Shares that can be accessed anonymously
Network access: Sharing and security model for local accounts
Microsoft Windows 7
Network access: Sharing and security model for local accounts
Network security: Do not store LAN Manager hash value on next password change
Microsoft Windows 7
Network security: Do not store LAN Manager hash value on next password change
Network security: Force logoff when logon hours expire
Microsoft Windows 7
Network security: Force logoff when logon hours expire
Network Security: LAN Manager Authentication Level
Microsoft Windows 7
Network Security: LAN Manager Authentication Level
Network Security: LDAP client signing requirements
Microsoft Windows 7
Network Security: LDAP client signing requirements
Registry test. Determine the level of data signing that is requested by clients.
Network Security: Minimum session security for NTLM SSP based (including secure RPC) clients
Microsoft Windows 7
Network Security: Minimum session security for NTLM SSP based (including secure RPC) clients
Registry test. Determine the minimum session security for NTLM SSP clients.
Network Security: Minimum session security for NTLM SSP based (including secure RPC) servers
Microsoft Windows 7
Network Security: Minimum session security for NTLM SSP based (including secure RPC) servers
Recovery Console: Allow Automatic Administrative Logon
Microsoft Windows 7
Recovery Console: Allow Automatic Administrative Logon
Recovery Console: Allow Floppy Copy and Access to All Drives and All Folders
Microsoft Windows 7
Recovery Console: Allow Floppy Copy and Access to All Drives and All Folders
Shutdown: Allow System to be Shut Down Without Having to Log On
Microsoft Windows 7
Shutdown: Allow System to be Shut Down Without Having to Log On
Shutdown: Clear Virtual Memory Pagefile
Microsoft Windows 7
Shutdown: Clear Virtual Memory Pagefile
System Cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing
Microsoft Windows 7
System Cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing
System objects: Require case insensitivity for non-Windows subsystems
Microsoft Windows 7
System objects: Require case insensitivity for non-Windows subsystems
System objects: Strengthen default permissions of internal system objects
Microsoft Windows 7
System objects: Strengthen default permissions of internal system objects
Admin Approval Mode for the Built-in Administrator account
Microsoft Windows 7
Admin Approval Mode for the Built-in Administrator account
Behavior of the elevation prompt for administrators in Admin Approval Mode
Microsoft Windows 7
Behavior of the elevation prompt for administrators in Admin Approval Mode
Behavior of the elevation prompt for standard users
Microsoft Windows 7
Behavior of the elevation prompt for standard users
Detect application installations and prompt for elevation
Microsoft Windows 7
Detect application installations and prompt for elevation
Only elevate executables that are signed and validated
Microsoft Windows 7
Only elevate executables that are signed and validated
Only elevate UIAccess applications that are installed in secure locations
Microsoft Windows 7
Only elevate UIAccess applications that are installed in secure locations
Run all administrators in Admin Approval Mode
Microsoft Windows 7
Run all administrators in Admin Approval Mode
Switch to the secure desktop when prompting for elevation
Microsoft Windows 7
Switch to the secure desktop when prompting for elevation
Virtualize file and registry write failures to per-user locations
Microsoft Windows 7
Virtualize file and registry write failures to per-user locations
MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)
Microsoft Windows 7
MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)
MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)
Microsoft Windows 7
MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)
MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes
Microsoft Windows 7
MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes
MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds
Microsoft Windows 7
MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds
NoDefaultExempt for IPSEC Filtering Enabled
Microsoft Windows 7
MSS: (NoDefaultExempt) Enable NoDefaultExempt for IPSec Filtering
MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers
Microsoft Windows 7
MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers
MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure DefaultGateway addresses (could lead to DoS)
Microsoft Windows 7
MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure DefaultGateway addresses (could lead to DoS)
MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)
Microsoft Windows 7
MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)
MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)
Microsoft Windows 7
MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)
MSS: (TCPMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default)
Microsoft Windows 7
MSS: (TCPMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default)
MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning
Microsoft Windows 7
MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning
Bluetooth Support Service
Microsoft Windows 7
Bluetooth Support Service State
Fax Service
Microsoft Windows 7
Fax Service State
HomeGroup Listener Service
Microsoft Windows 7
HomeGroup Listener Service State
HomeGroup Provider Service
Microsoft Windows 7
HomeGroup Provider Service State
Media Center Extender Service
Microsoft Windows 7
Media Center Extender Service State
Parental Controls Service
Microsoft Windows 7
Parental Controls Service State
Computer Account Management
Microsoft Windows 7
Computer Account Management
Other Account Management Events
Microsoft Windows 7
Other Account Management Events
Security Group Management
Microsoft Windows 7
Security Group Management
User Account Management
Microsoft Windows 7
User Account Management
Process Creation
Microsoft Windows 7
Process Creation
Logoff
Microsoft Windows 7
Logoff
Logon
Microsoft Windows 7
Logon
Special Logon
Microsoft Windows 7
Special Logon
Audit Policy Change
Microsoft Windows 7
Audit Policy Change
Authentication Policy Change
Microsoft Windows 7
Authentication Policy Change
Sensitive Privilege Use
Microsoft Windows 7
Sensitive Privilege Use
IPsec Driver
Microsoft Windows 7
IPsec Driver
Security State Change
Microsoft Windows 7
Security State Change
Security System Extension
Microsoft Windows 7
Security System Extension
System Integrity
Microsoft Windows 7
System Integrity
Turn on Mapper I/O (LLTDIO) driver
Microsoft Windows 7
Turn on Mapper I/O (LLTDIO) driver
Turn on Responder (RSPNDR) driver
Microsoft Windows 7
Turn on Responder (RSPNDR) driver
Turn Off Microsoft Peer-to-Peer Networking Services
Microsoft Windows 7
Turn Off Microsoft Peer-to-Peer Networking Services
Prohibit installation and configuration of Network Bridge on your DNS domain network
Microsoft Windows 7
Prohibit installation and configuration of Network Bridge on your DNS domain network
Require domain users to elevate when setting a network’s location
Microsoft Windows 7
Require domain users to elevate when setting a network’s location
Route all traffic through the internal network
Microsoft Windows 7
Route all traffic through the internal network
6to4 State
Microsoft Windows 7
6to4 State
ISATAP State
Microsoft Windows 7
ISATAP State
Teredo State
Microsoft Windows 7
Teredo State
IP HTTPS
Microsoft Windows 7
IP HTTPS
Configuration of Wireless Settings Using Windows Connect Now
Microsoft Windows 7
Configuration of Wireless Settings Using Windows Connect Now
Prohibit Access of the Windows Connect Now Wizards
Microsoft Windows 7
Prohibit Access of the Windows Connect Now Wizards
Extend Point and Print connection to search Windows Update and use alternate connection if needed
Microsoft Windows 7
Extend Point and Print connection to search Windows Update and use alternate connection if needed
Allow remote access to the PnP interface
Microsoft Windows 7
Allow remote access to the PnP interface
Do not send a Windows Error Report when a generic driver is installed on a device
Microsoft Windows 7
Do not send a Windows Error Report when a generic driver is installed on a device
Do not create system restore point when new device driver installed
Microsoft Windows 7
Do not create system restore point when new device driver installed
Do not create system restore point when new device driver installed on a device matches the prescribed value
Microsoft Windows 7
Prevent device metadata retrieval from internet
Specify Search Order for device driver source locations
Microsoft Windows 7
Specify Search Order for device driver source locations
Registry Policy Processing
Microsoft Windows 7
Registry Policy Processing
Turn off downloading of print drivers over HTTP
Microsoft Windows 7
Turn off downloading of print drivers over HTTP
Turn Off Event Viewer “Events.asp” Links
Microsoft Windows 7
Turn Off Event Viewer “Events.asp” Links
Turn off handwriting personalization data sharing
Microsoft Windows 7
Turn off handwriting personalization data sharing
Turn Off Handwriting Recognition Error Reporting
Microsoft Windows 7
Turn Off Handwriting Recognition Error Reporting
Turn Off Internet Connection Wizard if URL Connection is Referring to Microsoft.com
Microsoft Windows 7
Turn Off Internet Connection Wizard if URL Connection is Referring to Microsoft.com
Turn off Internet download for Web publishing and online ordering wizards
Microsoft Windows 7
Turn off Internet download for Web publishing and online ordering wizards
Turn Off Internet File Association Service
Microsoft Windows 7
Turn Off Internet File Association Service
Turn off printing over HTTP
Microsoft Windows 7
Turn off printing over HTTP
Turn Off Registration if URL Connection is Referring to Microsoft.com
Microsoft Windows 7
Turn Off Registration if URL Connection is Referring to Microsoft.com
Turn off Search Companion content file updates
Microsoft Windows 7
Turn off Search Companion content file updates
Turn Off the “Order Prints” Picture Task
Microsoft Windows 7
Turn Off the “Order Prints” Picture Task
Turn off the “Publish to Web” task for files and folders
Microsoft Windows 7
Turn off the “Publish to Web” task for files and folders
Customer Experience Improvement Program
Microsoft Windows 7
Customer Experience Improvement Program
Turn off Windows Error Reporting
Microsoft Windows 7
Turn off Windows Error Reporting
Always Use Classic Logon
Microsoft Windows 7
Always Use Classic Logon
Require a Password when a Computer Wakes (On Battery)
Microsoft Windows 7
Require a Password when a Computer Wakes (On Battery)
Require a Password when a Computer Wakes (Plugged in)
Microsoft Windows 7
Require a Password when a Computer Wakes (Plugged in)
Offer Remote Assistance
Microsoft Windows 7
Offer Remote Assistance
Solicited Remote Assistance
Microsoft Windows 7
Solicited Remote Assistance
Turn on session logging
Microsoft Windows 7
Turn on session logging
Restrictions for Unauthenticated RPC clients
Microsoft Windows 7
Restrictions for Unauthenticated RPC clients
RPC Endpoint Mapper Client Authentication
Microsoft Windows 7
RPC Endpoint Mapper Client Authentication
Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider
Microsoft Windows 7
Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider
Troubleshooting: Allow user to access online troubleshooting content on Microsoft servers from the Troubleshooting Control Panel (via Windows Online Troubleshooting Service – WOTS)
Microsoft Windows 7
Troubleshooting: Allow user to access online troubleshooting content on Microsoft servers from the Troubleshooting Control Panel (via Windows Online Troubleshooting Service – WOTS)
Enable/Disable PerfTrack
Microsoft Windows 7
Enable/Disable PerfTrack
Turn off Program Inventory
Microsoft Windows 7
Turn off Program Inventory
Default behavior for AutoRun
Microsoft Windows 7
Default behavior for AutoRun
Turn off Autoplay
Microsoft Windows 7
Turn off Autoplay is set correctly.
Turn off Autoplay for non-volume devices
Microsoft Windows 7
Turn off Autoplay for non-volume devices
Enumerate administrator accounts on elevation
Microsoft Windows 7
Enumerate administrator accounts on elevation
Override the More Gadgets Lnk
Microsoft Windows 7
Override the More Gadgets Lnk
Disable unpacking and installation of gadgets that are not digitally signed
Microsoft Windows 7
Sidebar gadgets can be deployed as compressed files, either digitally signed or unsigned. If you enable this setting, Windows Sidebar will not extract any gadgets that have not been digitally signed. If you disable or do not configure this setting, Window
Turn Off User Installed Windows Sidebar Gadgets
Microsoft Windows 7
Turn Off User Installed Windows Sidebar Gadgets
Maximum Application Log Size
Microsoft Windows 7
This definition tests that the maximum allowed size of the application log is at least as big as the supplied value.
Maximum Security Log Size
Microsoft Windows 7
This definition tests that the maximum allowed size of the security log is at least as big as the supplied value.
Maximum Setup Log Size
Microsoft Windows 7
This definition tests that the maximum allowed size of the setup log is at least as big as the supplied value.
Maximum System Log Size
Microsoft Windows 7
This definition tests that the maximum allowed size of the system log is at least as big as the supplied value.
Turn Off Downloading of Game Information
Microsoft Windows 7
Turn Off Downloading of Game Information
Turn off game updates
Microsoft Windows 7
Turn off game updates
Prevent the computer from joining a HomeGroup
Microsoft Windows 7
Prevent the computer from joining a HomeGroup
Do not allow passwords to be saved
Microsoft Windows 7
Do not allow passwords to be saved
Always prompt client for password upon connection
Microsoft Windows 7
Always prompt client for password upon connection
Set client connection encryption level
Microsoft Windows 7
Set client connection encryption level
Set a time limit for active but idle Terminal Services sessions
Microsoft Windows 7
This policy setting allows you to specify the maximum amount of time that an active Terminal Services session can be idle (without user input) before it is automatically disconnected. (15 min)
Set a time limit for disconnected sessions
Microsoft Windows 7
You can use this policy setting to specify the maximum amount of time that a disconnected session is kept active on the server. By default, Terminal Services allows users to disconnect from a remote session without logging off and ending the session. (1 min)
Do not delete temp folder upon exit
Microsoft Windows 7
Do not delete temp folder upon exit
Do not use temporary folders per session
Microsoft Windows 7
Do not use temporary folders per session
Turn off downloading of enclosures
Microsoft Windows 7
Turn off downloading of enclosures
Allow indexing of encrypted files
Microsoft Windows 7
Allow indexing of encrypted files
Prevent indexing uncached Exchange folders
Microsoft Windows 7
Prevent indexing uncached Exchange folders
Prevent Windows Anytime Upgrade from running
Microsoft Windows 7
Prevent Windows Anytime Upgrade from running
Configure Microsoft SpyNet Reporting
Microsoft Windows 7
When Windows Defender detects software, or changes by software, not yet classified for risks, you see how other members responded to the alert. In turn, the actions you apply help other members choose how to respond. Your actions also help Microsoft choose which software to investigate for potential threats. You can choose to send basic or additional information about detected software. Additional information helps improve how Windows Defender works. It can include, for example, the location of detected items on your computer if harmful software has been removed. Windows Defender will automatically collect and send the information.
Disable Logging
Microsoft Windows 7
If this setting is enabled Windows Error Reporting events will not be logged to the system event log.
Disable Windows Error Reporting
Microsoft Windows 7
If this setting is enabled, Windows Error Reporting will not send any problem information to Microsoft. Additionally, solution information will not be available in the Problem Reports and Solutions control panel.
Display Error Notification
Microsoft Windows 7
Display Error Notification
Do Not Send Additional Data
Microsoft Windows 7
If this setting is enabled any additional data requests from Microsoft in response to a Windows Error Reporting event will be automatically declined without notice to the user.
Turn off Data Execution Protection
Microsoft Windows 7
Turn off Data Execution Protection
Turn off Heap termination on corruption
Microsoft Windows 7
Turn off Heap termination on corruption
Turn off shell protocol protected mode
Microsoft Windows 7
Turn off shell protocol protected mode
Disable IE security prompt for Windows Installer scripts
Microsoft Windows 7
Disable IE security prompt for Windows Installer scripts
Enable user control over installs
Microsoft Windows 7
Permits users to change installation options that typically are available only to system administrators. This setting bypasses some of the security features of Windows Installer.
Prohibit non-administrators from applying vendor signed updates
Microsoft Windows 7
This setting controls the ability of non-administrators to install updates that have been digitally signed by the application vendor.
Prohibit non-administrators from applying vendor signed updates
Microsoft Windows 7
This setting controls the ability of non-administrators to install updates that have been digitally signed by the application vendor.
Prevent Windows Media DRM Internet Access
Microsoft Windows 7
Prevents Windows Media Digital Rights Management (DRM) from accessing the Internet (or intranet). When enabled, Windows Media DRM is prevented from accessing the Internet (or intranet) for license acquisition and security upgrades.
Do Not Show First Use Dialog Boxes
Microsoft Windows 7
Do Not Show First Use Dialog Boxes This policy prevents the Privacy Options and Installation Options dialog boxes from being displayed the first time a user starts Windows Media Player. This policy prevents the dialog boxes which allow users to select privacy, file types, and other desktop options from being displayed when the Player is first started. Some of the options can be configured by using other Windows Media Player group policies. When this policy is not configured or disabled, the dialog boxes are displayed when the user starts the Player for the first time.
Prevent Automatic Updates
Microsoft Windows 7
Prevents users from being prompted to update Windows Media Player. This policy prevents the Player from being updated and prevents users with administrator rights from being prompted to update the Player if an updated version is available. The Check for Player Updates command on the Help menu in the Player is not available. In addition, none of the time intervals in the Check for updates section on the Player tab are selected or available. When this policy is not configured or disabled, Check for Player Updates is available only to users with administrator rights and they may be prompted to update the Player if an updated version is available. By default, users with administrator rights can select how frequently updates are checked for. Users without administrator rights do not see Check for Player Updates and are never prompted to update the Player even without this policy.
configure automatic updates
Microsoft Windows 7
configure automatic updates
Games are not installed
Microsoft Windows 7
Games are not installed
Internet Information Services
Microsoft Windows 7
Internet Information Services is not installed
Simple TCPIP Services
Microsoft Windows 7
Simple TCPIP Services is not installed
Telnet Client
Microsoft Windows 7
Telnet Client is not installed
Telnet Server
Microsoft Windows 7
Telnet Server is not installed
TFTP Client
Microsoft Windows 7
TFTP Client is not installed
Windows Media Center
Microsoft Windows 7
Windows Media Center is not installed
Administrator Account Status
Microsoft Windows 7
This definition verifies that the Administrator account is enabled/disabled based on the policy defined by the user.
Microsoft network server: Server SPN target name validation level
Microsoft Windows 7
This policy setting controls the level of validation a computer with shared folders or printers (the server) performs on the service principal name (SPN) that is provided by the client computer when it establishes a session using the server message block (SMB) protocol.
MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)
Microsoft Windows 7
Allowing source routed network traffic allows attackers to obscure their identity and location.
MSS: (Hidden) Hide computer from the browse list (Not Recommended except for highly secure environments
Microsoft Windows 7
Hiding the computer from the Browse List removes one method attackers might use to gether information about computers on the network.
MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted (3 recommended, 5 is default).
Microsoft Windows 7
MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted (3 recommended, 5 is default).
Network security: Allow Local System to use computer identity for NTLM
Microsoft Windows 7
This policy setting allows services running as Local System to use the computer identity when negotiating NTLM authentication.
Network security: Allow LocalSystem NULL session fallback
Microsoft Windows 7
This policy setting allows the system to fall back no a NULL session.
Network Security: Allow PKU2U authentication requests to this computer to use online identities
Microsoft Windows 7
Windows 7 and Windows Server 2008 R2 introduce an extension to the Negotiate authentication package, Spnego.dll. In previous versions of Windows, Negotiate decides whether to use Kerberos or NTLM for authentication. The extension SSP for Negotiate, Negoexts, which is treated as an authentication protocol by Windows, supports Microsoft SSPs including PKU2U.
Network Security: Configure encryption types allowed for Kerberos
Microsoft Windows 7
This policy setting allows you to specify tdhe allowed encryption types for Kerberos authentication.
User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop
Microsoft Windows 7
This setting was added to Windows Vista SP1 specifically to enable Remote Assistance. It allows certain applications stored in secure folders, such as system32, to bypass the secure desktop so that they can function as designed. Enabling this setting will lower security slightly but enable Remote Assistance. For more information see http://technet.microsoft.com/en-us/library/dd835564(WS.10).aspx.
Allow users to connect remotely using Remote Desktop Services
Microsoft Windows 7
This policy setting determines whether or not users can connect to the computer using Remote Desktop Services.
Do not run digital locker
Microsoft Windows 7
Do not run digital locker
disable remote desktop
Microsoft Windows 7
disable remote desktop
disable communities
Microsoft Windows 7
disable communities
turn off windows mail
Microsoft Windows 7
turn off windows mail
do not process the run once list
Microsoft Windows 7
do not process the run once list
do not display install updates and shut down
Microsoft Windows 7
do not display install updates and shut down
no auto restart with logged on users
Microsoft Windows 7
no auto restart with logged on users
reschedule automatic updates
Microsoft Windows 7
reschedule automatic updates
configure windows time provider
Microsoft Windows 7
configure windows time provider
File System
Microsoft Windows 7
File System
registry
Microsoft Windows 7
registry
Credential Validation
Microsoft Windows 7
This audit policy reports the results of validation tests on credentials submitted for a user account logon request.
Automatic updates are not enabled
Microsoft Windows 7
Automatic updates are not enabled
IPv6 Network Protocol is not Enabled
Microsoft Windows 7
IPv6 Network Protocol is not Enabled
Windows Error Reporting is not Enabled
Microsoft Windows 7
Windows Error Reporting is not Enabled
Remote Assistance is not Enabled
Microsoft Windows 7
Remote Assistance is not Enabled
Remote Desktop Services is not Enabled
Microsoft Windows 7
Remote Desktop Services is not Enabled
Bluetooth is not Enabled
Microsoft Windows 7
Bluetooth is not Enabled
Microsoft Windows 7 is installed
Microsoft Windows 7
The operating system installed on the system is Microsoft Windows 7
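The settings above are what the baseline checks; the script below is an added example, not part of the USGCB content or of this page, that reads a handful of the registry values the baseline references and reports drift on a Windows 7 host. The expected values (SMB signing required on client and server, LM hashes not stored, LmCompatibilityLevel 5, RestrictAnonymousSAM 1, DisableIPSourceRouting 2, RDP MinEncryptionLevel 3 and fPromptForPassword 1, MaxIdleTime 900000 ms, EnableLUA 1) are assumptions chosen for illustration, because this extract does not preserve which OVAL state belongs to which object; replace them with the values from the team's own baseline.

```powershell
# Added example: audit a subset of the USGCB Windows 7 registry checks listed above.
# Expected values are assumptions for illustration (see the lead-in); confirm each
# against the team's baseline before treating a FAIL as authoritative.
$Checks = @(
    @{ Name = 'SMB client: require signing';        Key = 'HKLM:\System\CurrentControlSet\Services\LanmanWorkstation\Parameters'; Value = 'RequireSecuritySignature'; Expected = 1 }
    @{ Name = 'SMB server: require signing';        Key = 'HKLM:\System\CurrentControlSet\Services\LanmanServer\Parameters';      Value = 'RequireSecuritySignature'; Expected = 1 }
    @{ Name = 'Do not store LM hashes';             Key = 'HKLM:\System\CurrentControlSet\Control\Lsa';                           Value = 'NoLMHash';                 Expected = 1 }
    @{ Name = 'LAN Manager auth level (NTLMv2 only)'; Key = 'HKLM:\System\CurrentControlSet\Control\Lsa';                         Value = 'LmCompatibilityLevel';     Expected = 5 }
    @{ Name = 'Restrict anonymous SAM enumeration'; Key = 'HKLM:\System\CurrentControlSet\Control\Lsa';                           Value = 'RestrictAnonymousSAM';     Expected = 1 }
    @{ Name = 'IPv4 source routing disabled';       Key = 'HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters';             Value = 'DisableIPSourceRouting';   Expected = 2 }
    @{ Name = 'RDP: always prompt for password';    Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services';       Value = 'fPromptForPassword';       Expected = 1 }
    @{ Name = 'RDP: high encryption level';         Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services';       Value = 'MinEncryptionLevel';       Expected = 3 }
    @{ Name = 'RDP: idle session limit 15 min (ms)'; Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services';      Value = 'MaxIdleTime';              Expected = 900000 }
    @{ Name = 'UAC enabled';                        Key = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System';      Value = 'EnableLUA';                Expected = 1 }
)

function Test-BaselineValue {
    param([hashtable]$Check)
    # Read the value without throwing when the key or value is absent: an absent policy
    # value is a finding in its own right, not an error to skip.
    $item   = Get-ItemProperty -Path $Check.Key -Name $Check.Value -ErrorAction SilentlyContinue
    $actual = if ($null -ne $item) { $item.($Check.Value) } else { $null }
    [pscustomobject]@{
        Setting  = $Check.Name
        Path     = "$($Check.Key)\$($Check.Value)"
        Expected = $Check.Expected
        Actual   = if ($null -eq $actual) { '<not set>' } else { $actual }
        Status   = if ($actual -eq $Check.Expected) { 'PASS' } else { 'FAIL' }
    }
}

$results = $Checks | ForEach-Object { Test-BaselineValue -Check $_ }
$results | Format-Table -AutoSize
$failed = @($results | Where-Object { $_.Status -eq 'FAIL' })
"{0} of {1} checks passed" -f ($results.Count - $failed.Count), $results.Count
# A non-zero exit code lets a scheduled task or deployment pipeline flag the host as drifted.
if ($failed.Count -gt 0) { exit 1 }
```

Run it in an elevated PowerShell 3.0 or later session (WMF 3.0 on Windows 7). Values under SOFTWARE\Policies exist only once Group Policy or local policy has written them, so a missing value is reported as FAIL rather than skipped: a machine that has never received the policy is drifted from the baseline even if its effective behaviour happens to match.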
Registry objects referenced by these definitions (key : value name; every key is under HKEY_LOCAL_MACHINE). The benchmark's internal cross-references to OVAL object, state and variable ids (obj:168, obj:170, obj:173, obj:175, obj:176, obj:179, obj:187, obj:3471, obj:3, ste:3, obj:200102, ste:200101, var:23, var:145) are omitted here.
· SOFTWARE\Microsoft\Windows NT\CurrentVersion : SystemRoot, ProductName
· SOFTWARE\Microsoft\Windows\CurrentVersion : ProgramFilesDir
· SOFTWARE\Policies\Microsoft\Windows\EventLog\Application, \Security, \System, \Setup : MaxSize
· SOFTWARE\Policies\Microsoft\Windows\Network Connections : NC_AllowNetBridge_NLA, NC_StdDomainUserSetLocation
· SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting\DW : DWAllowHeadless
· SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting : DoReport
· SYSTEM\CurrentControlSet\Control\Lsa : Limitblankpassworduse, AuditBaseObjects, FullPrivilegeAuditing, scenoapplylegacyauditpolicy, RestrictAnonymousSAM, RestrictAnonymous, DisableDomainCreds, EveryoneIncludesAnonymous, ForceGuest, NoLMHash, LmCompatibilityLevel, UseMachineId
· SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0 : NTLMMinClientSec, NTLMMinServerSec, allownullsessionfallback
· SYSTEM\CurrentControlSet\Control\Lsa\pku2u : AllowOnlineID
· SYSTEM\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy : Enabled
· SYSTEM\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers : AddPrinterDrivers
· SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon : AllocateCDRoms, AllocateFloppies, CachedLogonsCount, PasswordExpiryWarning, ForceUnlockLogon, scremoveoption, AutoAdminLogon, ScreenSaverGracePeriod
· SYSTEM\CurrentControlSet\Services\Netlogon\Parameters : SealSecureChannel, RequireSignOrSeal, SignSecureChannel, DisablePasswordChange, MaximumPasswordAge, RequireStrongKey
· SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System : DontDisplayLastUserName, DisableCAD, LegalNoticeText, LegalNoticeCaption, ShutdownWithoutLogon, ReportControllerMissing, LogonType, FilterAdministratorToken, ConsentPromptBehaviorAdmin, ConsentPromptBehaviorUser, EnableInstallerDetection, ValidateAdminCodeSignatures, EnableSecureUIAPaths, EnableLUA, PromptOnSecureDesktop, EnableVirtualization, EnableUIADesktopToggle
· SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters : SupportedEncryptionTypes
· SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters : RequireSecuritySignature, EnableSecuritySignature, EnablePlainTextPassword
· SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters : AutoDisconnect, RequireSecuritySignature, EnableSecuritySignature, EnableForcedLogOff, NullSessionPipes, restrictnullsessaccess, NullSessionShares, SMBServerNameHardeningLevel, Hidden
· SYSTEM\CurrentControlSet\Services\Tcpip\Parameters : DisableIPSourceRouting, EnableICMPRedirect, KeepAliveTime, PerformRouterDiscovery, TcpMaxDataRetransmissions
· SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters : DisableIPSourceRouting, TcpMaxDataRetransmissions, DisabledComponents
· SYSTEM\CurrentControlSet\Services\Netbt\Parameters : NoNameReleaseOnDemand
· SYSTEM\CurrentControlSet\Services\IPSEC : NoDefaultExempt
· SYSTEM\CurrentControlSet\Services\LDAP : LDAPClientIntegrity
· SYSTEM\CurrentControlSet\Control\Session Manager : SafeDllSearchMode, ProtectionMode
· SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management : ClearPageFileAtShutdown
· SYSTEM\CurrentControlSet\Control\Session Manager\Kernel : ObCaseInsensitive
· SYSTEM\CurrentControlSet\Services\Eventlog\Security : WarningLevel
· SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths : Machine
· SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths : Machine
· SOFTWARE\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole : SecurityLevel, SetCommand
· SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting : LoggingDisabled, Disabled, DontSendAdditionalData, CorporateWerServer
· SOFTWARE\Policies\Microsoft\Windows\Explorer : NoHeapTerminationOnCorruption, NoAutoplayfornonVolume, NoDataExecutionPrevention
· SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer : PreXPSP2ShellProtocolBehavior, NoPublishingWizard, NoWebServices, NoDriveTypeAutoRun, NoInternetOpenWith, NoOnlinePrintsWizard, NoAutorun, DisableLocalMachineRunOnce
· SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\WAU : Disabled
· SOFTWARE\Policies\Microsoft\Windows\Installer : SafeForScripting, EnableUserControl, DisableLUAPatching
· SOFTWARE\Policies\Microsoft\WindowsMediaPlayer : GroupPrivacyAcceptance, DisableAutoUpdate
· SOFTWARE\Policies\Microsoft\WMDRM : DisableOnline
· SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Windows\Sidebar : TurnOffUnsignedGadgets, OverrideMoreGadgetsLink, TurnOffUserInstalledGadgets
· SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services : fAllowUnsolicited, fAllowToGetHelp, DisablePasswordSaving, fPromptForPassword, MinEncryptionLevel, LoggingEnabled, MaxIdleTime, MaxDisconnectionTime, fDenyTSConnections, DeleteTempDirsOnExit, PerSessionTempDir
· SOFTWARE\Policies\Microsoft\Windows NT\Rpc : RestrictRemoteClients, EnableAuthEpResolution
· SOFTWARE\Policies\Microsoft\Windows NT\Printers : DisableHTTPPrinting, DisableWebPnPDownload, DoNotInstallCompatibleDriverFromWindowsUpdate
· SOFTWARE\Policies\Microsoft\SearchCompanion : DisableContentFileUpdates
· SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI : EnumerateAdministrators
· SOFTWARE\Policies\Microsoft\Windows\LLTD : EnableLLTDIO, AllowLLTDIOOnDomain, AllowLLTDIOOnPublicNet, ProhibitLLTDIOOnPrivateNet, EnableRspndr, AllowRspndrOnDomain, AllowRspndrOnPublicNet, ProhibitRspndrOnPrivateNet
· SOFTWARE\Policies\Microsoft\Peernet : Disabled
· SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars : EnableRegistrars
· SOFTWARE\Policies\Microsoft\Windows\WCN\UI : DisableWcnUi
· SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Settings : AllowRemoteRPC, DisableSystemRestore, DisableSendGenericDriverNotFoundToWER
· SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} : (key itself), NoBackgroundPolicy, NoGPOListChanges
· SOFTWARE\Policies\Microsoft\EventViewer : MicrosoftEventVwrDisableLinks
· SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports : PreventHandwritingErrorReports
· SOFTWARE\Policies\Microsoft\Windows\TabletPC : PreventHandwritingDataSharing
· SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard : ExitOnMSICW
· SOFTWARE\Policies\Microsoft\Windows\Registration Wizard Control : NoRegistration
· SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 : DCSettingIndex, ACSettingIndex
· SOFTWARE\Policies\Microsoft\Windows\GameUX : DownloadGameInfo, GameUpdateOptions
· SOFTWARE\Microsoft\Windows\CurrentVersion\GameUX\Games : (key itself)
· SOFTWARE\Policies\Microsoft\Windows\Windows Search : AllowIndexingEncryptedStoresOrItems, PreventIndexingUncachedExchangeFolders
· SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet : SpyNetReporting
· SOFTWARE\Policies\Microsoft\Windows\TCPIP\v6Transition : 6to4_State, ISATAP_State, Force_Tunneling, Teredo_State
· SOFTWARE\Policies\Microsoft\Windows\TCPIP\v6Transition\IPHTTPS\IPHTTPSInterface : IPHTTPS_ClientUrl, IPHTTPS_ClientState
· SOFTWARE\Policies\Microsoft\Windows\Device Metadata : PreventDeviceMetadataFromNetwork
· SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy : EnableQueryRemoteServer, DisableQueryRemoteServer
· SOFTWARE\Policies\Microsoft\Windows\AppCompat : DisableInventory
· SOFTWARE\Policies\Microsoft\Windows\HomeGroup : DisableHomeGroup
· SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds : DisableEnclosureDownload
· SOFTWARE\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d} : ScenarioExecutionEnabled
· SOFTWARE\Policies\Microsoft\Windows\DriverSearching : SearchOrderConfig
· SOFTWARE\Policies\Microsoft\Messenger\Client : CEIP
· SOFTWARE\Policies\Microsoft\Windows\Digital Locker : DoNotRunDigitalLocker
· SOFTWARE\Policies\Microsoft\Conferencing : NoRDS
· SOFTWARE\Policies\Microsoft\Windows Mail : DisableCommunities, ManualLaunchAllowed
· SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU : NoAutoUpdate, NoAUShutdownOption, NoAutoRebootWithLoggedOnUsers, RescheduleWaitTimeEnabled
· SOFTWARE\Policies\Microsoft\W32time\Parameters : NtpServer
· SYSTEM\CurrentControlSet\Services\bthserv, \HomeGroupListener, \HomeGroupProvider, \Mcx2Svc, \WPCSvc, \Fax : Start
· SYSTEM\CurrentControlSet\Services\W3Svc : DisplayName
· SYSTEM\CurrentControlSet\Services\simptcp : DisplayName
· SYSTEM\CurrentControlSet\Services\tlntsvr : (key itself)
Other objects referenced by the definitions:
· Files: telnet.exe, tftp.exe, ehshell.exe
· Accounts and groups: Administrator, Guest, Administrators, Users, LOCAL SERVICE, NETWORK SERVICE, Remote Desktop Users, Guests, SERVICE, NT Service\WdiServiceHost
· WMI query (namespace root\rsop\computer): SELECT Setting FROM RSOP_SecuritySettingBoolean WHERE KeyName='LSAAnonymousNameLookup'
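Not every item in this baseline is a registry value to compare against a number: the anonymous SID/name translation option is read through the Resultant Set of Policy provider (the root\rsop\computer query the benchmark itself uses), the "is not installed" items are proven by the absence of a service key or executable, and several services are expected to be disabled. The PowerShell below is an added example, not the benchmark's own content; the executable locations under System32 and ehome, the service names, and the Start = 4 (disabled) expectation are assumptions for illustration.

```powershell
# Added example: checks from this baseline that are not plain registry-value comparisons.
# 1) A security option held in the local security database, read via the RSoP provider.
# 2) Optional components the baseline expects to be absent, proven by service key or file.
# 3) Services the baseline expects to be disabled (Start = 4).
$ErrorActionPreference = 'SilentlyContinue'

function Get-RsopBooleanSetting {
    param([string]$KeyName)
    # RSoP data exists only after Group Policy (domain or local) has been applied; an
    # empty result means "not reported" and must not be read as "compliant".
    $query = "SELECT Setting FROM RSOP_SecuritySettingBoolean WHERE KeyName='$KeyName'"
    $row = Get-CimInstance -Namespace 'root\rsop\computer' -Query $query
    if ($null -eq $row) { return 'not reported' }
    return [bool]$row.Setting
}

# Components listed as "is not installed", with the artifact that would prove presence
# (service names and file paths are assumptions for illustration).
$Components = @(
    @{ Name = 'Internet Information Services'; Service = 'W3Svc' }
    @{ Name = 'Simple TCP/IP Services';        Service = 'simptcp' }
    @{ Name = 'Telnet Server';                 Service = 'tlntsvr' }
    @{ Name = 'Telnet Client';                 File = "$env:SystemRoot\System32\telnet.exe" }
    @{ Name = 'TFTP Client';                   File = "$env:SystemRoot\System32\tftp.exe" }
    @{ Name = 'Windows Media Center';          File = "$env:SystemRoot\ehome\ehshell.exe" }
)

function Test-ComponentAbsent {
    param([hashtable]$Component)
    $present = if ($Component.Service) {
        Test-Path "HKLM:\SYSTEM\CurrentControlSet\Services\$($Component.Service)"
    } else {
        Test-Path $Component.File
    }
    [pscustomobject]@{
        Component = $Component.Name
        Evidence  = if ($Component.Service) { "service $($Component.Service)" } else { $Component.File }
        Status    = if ($present) { 'FAIL (installed)' } else { 'PASS' }
    }
}

$DisabledServices = 'bthserv', 'HomeGroupListener', 'HomeGroupProvider', 'Mcx2Svc', 'WPCSvc', 'Fax'
function Test-ServiceDisabled {
    param([string]$ServiceName)
    # Start = 4 means Disabled; a service that is not installed at all cannot start either.
    $start = (Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName" -Name Start).Start
    [pscustomobject]@{
        Service = $ServiceName
        Start   = if ($null -eq $start) { '<absent>' } else { $start }
        Status  = if ($null -eq $start -or $start -eq 4) { 'PASS' } else { 'FAIL' }
    }
}

"LSAAnonymousNameLookup (Allow anonymous SID/Name translation): {0}" -f (Get-RsopBooleanSetting 'LSAAnonymousNameLookup')
$Components | ForEach-Object { Test-ComponentAbsent $_ } | Format-Table -AutoSize
$DisabledServices | ForEach-Object { Test-ServiceDisabled $_ } | Format-Table -AutoSize
```

Get-CimInstance needs PowerShell 3.0 (WMF 3.0 on Windows 7); on a stock Windows 7 PowerShell 2.0 session substitute Get-WmiObject with the same -Namespace and -Query arguments. On a workgroup machine where no policy has ever been applied the RSoP query returns nothing, so treat "not reported" as a gap to investigate rather than a pass.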
windows
^[a-zA-Z0-9\(\)\s]*[Ww][Ii][Nn][Dd][Oo][Ww][Ss] 7[a-zA-Z0-9\(\)\s]*$
reg_dword
^S-1-5-[0-9-]+501$
reg_dword
reg_dword
reg_dword
0
-1
4294967295
-1
-1
4294967295
0
reg_dword
reg_dword
reg_binary
reg_dword
reg_dword
reg_sz
reg_sz
reg_dword
reg_dword
reg_dword
reg_dword
reg_dword
reg_dword
0
reg_dword
reg_dword
reg_dword
reg_sz
reg_sz
reg_sz
reg_dword
reg_dword
reg_sz
reg_dword
reg_dword
reg_dword
reg_dword
reg_dword
reg_dword
reg_dword
reg_sz
reg_dword
reg_dword
reg_dword
reg_dword
reg_dword
reg_dword
reg_sz
reg_dword
reg_dword
reg_dword
reg_dword
reg_dword
reg_dword
reg_multi_sz
^$
reg_multi_sz list, expected entries (any order):
  System\CurrentControlSet\Control\ProductOptions
  System\CurrentControlSet\Control\Server Applications
  Software\Microsoft\Windows NT\CurrentVersion
Match pattern: ^((System\\CurrentControlSet\\Control\\ProductOptions)|(System\\CurrentControlSet\\Control\\Server Applications)|(Software\\Microsoft\\Windows NT\\CurrentVersion))$

reg_multi_sz list, expected entries (any order):
  System\CurrentControlSet\Control\Print\Printers
  System\CurrentControlSet\Services\Eventlog
  Software\Microsoft\OLAP Server
  Software\Microsoft\Windows NT\CurrentVersion\Print
  Software\Microsoft\Windows NT\CurrentVersion\Windows
  System\CurrentControlSet\Control\ContentIndex
  System\CurrentControlSet\Control\Terminal Server
  System\CurrentControlSet\Control\Terminal Server\UserConfig
  System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration
  Software\Microsoft\Windows NT\CurrentVersion\Perflib
  System\CurrentControlSet\Services\SysmonLog
Match pattern: ^((Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows)|(System\\CurrentControlSet\\Control\\Print\\Printers)|(System\\CurrentControlSet\\Services\\Eventlog)|(Software\\Microsoft\\OLAP Server)|(Software\\Microsoft\\Windows NT\\CurrentVersion\\Print)|(System\\CurrentControlSet\\Control\\ContentIndex)|(System\\CurrentControlSet\\Control\\Terminal Server)|(System\\CurrentControlSet\\Control\\Terminal Server\\UserConfig)|(System\\CurrentControlSet\\Control\\Terminal Server\\DefaultUserConfiguration)|(Software\\Microsoft\\Windows NT\\CurrentVersion\\Perflib)|(System\\CurrentControlSet\\Services\\SysmonLog))$
Account SID pattern (built-in RID 500, the Administrator account): ^S-1-5-[0-9-]+500$
Audit policy value set: AUDIT_NONE, AUDIT_SUCCESS, AUDIT_FAILURE, AUDIT_SUCCESS_FAILURE
Path fragments: \System32, \ehome
[Registry datatype and expected-value entries (reg_dword; values -1, 0, 1, 2, 3, 268435455, .*) whose setting names were not extracted]
OVAL definition (National Institute of Standards and Technology, version 5.6, 2015-04-07T10:00:00.000-04:00)
  Title: Use the Windows Update Agent (WUA) to check for installed updates
  Platforms: Microsoft Windows XP; Microsoft Windows Server 2003; Microsoft Windows Vista; Microsoft Windows Server 2008; Microsoft Windows 7; Microsoft Windows Server 2008 R2
  WUA search criteria: (IsInstalled=0 and IsHidden=0 and CategoryIDs contains '0FA1201D-4330-4FA8-8AE9-B877473B6441')
  Result pattern: .*

OVAL definition (National Institute of Standards and Technology, version 5.4, 2015-04-07T10:00:00.000-04:00)
  Title: Microsoft Windows 7 is installed
  Platform: Microsoft Windows 7
  Description: The operating system installed on the system is Microsoft Windows 7
  Registry check: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion, value ProductName (family: windows)
  Expected pattern: ^[a-zA-Z0-9\(\)\s]*[Ww][Ii][Nn][Dd][Oo][Ww][Ss] 7[a-zA-Z0-9\(\)\s]*$
  CPE: Microsoft Windows 7 (This CPE Name represents Windows 7), oval:gov.nist.cpe.oval:def:1
[XML digital signature over the content; signing certificate CN=SECURITY AUTOMATION PROGRAM MANAGER,OU=Devices,OU=National Institute of Standards and Technology,OU=Department of Commerce,O=U.S. Government,C=US, issued by OU=Entrust Managed Services SSP CA,OU=Certification Authorities,O=Entrust,C=US (serial 1149213983); chain: OU=Entrust Managed Services Root CA,OU=Certification Authorities,O=Entrust,C=US (serial 514) and CN=Federal Common Policy CA,OU=FPKI,O=U.S. Government,C=US (serial 304); signature timestamp 2015-04-22T12:22:41-0400. Base64 certificate and digest data not reproduced.]
tailoring-xccdf.xml
Profile: United States Government Configuration Baseline 2.0.5.1 [CUSTOMIZED]
This profile represents guidance outlined in United States Government Configuration Baseline for desktop systems with Microsoft Windows 7 installed.
Values: 1800; 172800