diff --git a/Invoke-HardeningKitty.ps1 b/Invoke-HardeningKitty.ps1 index 53cd0ee..f34e470 100644 --- a/Invoke-HardeningKitty.ps1 +++ b/Invoke-HardeningKitty.ps1 @@ -1,2216 +1,2276 @@ -Function Invoke-HardeningKitty { - - <# - .SYNOPSIS - - Invoke-HardeningKitty - Checks and hardens your Windows configuration - - - =^._.^= - _( )/ HardeningKitty - - - Author: Michael Schneider - License: MIT - Required Dependencies: None - Optional Dependencies: None - - - .DESCRIPTION - - HardeningKitty supports hardening of a Windows system. The configuration of the system is - retrieved and assessed using a finding list. In addition, the system can be hardened according - to predefined values. HardeningKitty reads settings from the registry and uses other modules - to read configurations outside the registry. - - - .PARAMETER FileFindingList - - Path to a finding list in CSV format. HardeningKitty has one list each for machine and user settings. - - - .PARAMETER Mode - - The mode Config only retrieves the settings, while the mode Audit performs an assessment of the settings. - The mode HailMary hardens the system according to recommendations of the HardeningKitty list. - - - .PARAMETER EmojiSupport - - The use of emoji is activated. The terminal should support this accordingly. Windows Terminal - offers full support. - - - .PARAMETER Log - - The logging function is activated. The script output is additionally logged in a file. The file - name is assigned by HardeningKitty itself and the file is stored in the same directory as the script. - - - .PARAMETER LogFile - - The name and location of the log file can be defined by the user. - - - .PARAMETER Report - - The retrieved settings and their assessment result are stored in CSV format in a machine-readable format. - The file name is assigned by HardeningKitty itself and the file is stored in the same directory as the script. - - - .PARAMETER ReportFile - - The name and location of the report file can be defined by the user. - - .PARAMETER Backup - - The retrieved settings and their assessment result are stored in CSV format in a machine-readable format with all value to backup your previous config. - - .PARAMETER SkipMachineInformation - - Information about the system is not queried and displayed. This may be useful while debugging or - using multiple lists on the same system. - - .EXAMPLE - - Description: HardeningKitty performs an audit, saves the results and creates a log file: - Invoke-HardeningKitty -Mode Audit -Log -Report - - Description: HardeningKitty performs an audit with a specific list and does not show machine information: - Invoke-HardeningKitty -FileFindingList .\lists\finding_list_0x6d69636b_user.csv -SkipMachineInformation - - Description: HardeningKitty ready only the setting with the default list, and saves the results in a specific file: - Invoke-HardeningKitty -Mode Config -Report -Report C:\tmp\my_hardeningkitty_report.log - - #> - - [CmdletBinding()] - Param ( - - # Definition of the finding list, default is machine setting list - [ValidateScript({Test-Path $_})] - [String] - $FileFindingList, - - # Choose mode, read system config, audit system config, harden system config - [ValidateSet("Audit","Config","HailMary")] - [String] - $Mode = "Audit", - - # Activate emoji support for Windows Terminal - [Switch] - $EmojiSupport = $false, - - # Create a log file - [Switch] - $Log = $false, - - # Skip machine information, useful when debugging - [Switch] - $SkipMachineInformation = $false, - - # Skip language warning, if you understand the risk - [Switch] - $SkipLanguageWarning = $false, - - # Define name and path of the log file - [String] - $LogFile, - - # Create a report file in CSV format - [Switch] - $Report = $false, - - # Define name and path of the report file - [String] - $ReportFile, - - # Create a backup config file in CSV format - [Switch] - $Backup = $false, - - # Define name and path of the report file - [String] - $BackupFile - ) - - Function Write-ProtocolEntry { - - <# - .SYNOPSIS - - Output of an event with timestamp and different formatting - depending on the level. If the Log parameter is set, the - output is also stored in a file. - #> - - [CmdletBinding()] - Param ( - - [String] - $Text, - - [String] - $LogLevel - ) - - $Time = Get-Date -Format G - - Switch ($LogLevel) { - "Info" { $Message = "[*] $Time - $Text"; Write-Host $Message; Break} - "Debug" { $Message = "[-] $Time - $Text"; Write-Host -ForegroundColor Cyan $Message; Break} - "Warning" { $Message = "[?] $Time - $Text"; Write-Host -ForegroundColor Yellow $Message; Break} - "Error" { $Message = "[!] $Time - $Text"; Write-Host -ForegroundColor Red $Message; Break} - "Success" { $Message = "[$] $Time - $Text"; Write-Host -ForegroundColor Green $Message; Break} - "Notime" { $Message = "[*] $Text"; Write-Host -ForegroundColor Gray $Message; Break} - Default { $Message = "[*] $Time - $Text"; Write-Host $Message; } - } - - If ($Log) { - Add-MessageToFile -Text $Message -File $LogFile - } - } - - Function Add-MessageToFile { - - <# - .SYNOPSIS - - Write message to a file, this function can be used for logs, - reports, backups and more. - #> - - [CmdletBinding()] - Param ( - - [String] - $Text, - - [String] - $File - ) - - try { - Add-Content -Path $File -Value $Text -ErrorAction Stop - } catch { - Write-ProtocolEntry -Text "Error while writing log entries into $File. Aborting..." -LogLevel "Error" - Break - } - - } - - Function Write-ResultEntry { - - <# - .SYNOPSIS - - Output of the assessment result with different formatting - depending on the severity level. If emoji support is enabled, - a suitable symbol is used for the severity rating. - #> - - [CmdletBinding()] - Param ( - - [String] - $Text, - - [String] - $SeverityLevel - ) - - If ($EmojiSupport.IsPresent) { - - Switch ($SeverityLevel) { - - "Passed" { $Emoji = [char]::ConvertFromUtf32(0x1F63A); $Message = "[$Emoji] $Text"; Write-Host -ForegroundColor Gray $Message; Break} - "Low" { $Emoji = [char]::ConvertFromUtf32(0x1F63C); $Message = "[$Emoji] $Text"; Write-Host -ForegroundColor Cyan $Message; Break} - "Medium" { $Emoji = [char]::ConvertFromUtf32(0x1F63F); $Message = "[$Emoji] $Text"; Write-Host -ForegroundColor Yellow $Message; Break} - "High" { $Emoji = [char]::ConvertFromUtf32(0x1F640); $Message = "[$Emoji] $Text"; Write-Host -ForegroundColor Red $Message; Break} - Default { $Message = "[*] $Text"; Write-Host $Message; } - } - - } Else { - - Switch ($SeverityLevel) { - - "Passed" { $Message = "[+] $Text"; Write-Host -ForegroundColor Gray $Message; Break} - "Low" { $Message = "[-] $Text"; Write-Host -ForegroundColor Cyan $Message; Break} - "Medium" { $Message = "[$] $Text"; Write-Host -ForegroundColor Yellow $Message; Break} - "High" { $Message = "[!] $Text"; Write-Host -ForegroundColor Red $Message; Break} - Default { $Message = "[*] $Text"; Write-Host $Message; } - } - } - } - - Function Get-IniContent ($filePath) { - - <# - .SYNOPSIS - - Read a .ini file into a tree of hashtables - - .NOTES - - Original source see https://devblogs.microsoft.com/scripting/use-powershell-to-work-with-any-ini-file/ - #> - - $ini = @{} - switch -regex -file $FilePath - { - “^\[(.+)\]” { # Section - $section = $matches[1] - $ini[$section] = @{} - $CommentCount = 0 - } - “^(;.*)$” { # Comment - $value = $matches[1] - $CommentCount = $CommentCount + 1 - $name = “Comment” + $CommentCount - $ini[$section][$name] = $value - } - “(.+?)\s*=(.*)” { # Key - $name,$value = $matches[1..2] - $ini[$section][$name] = $value - } - } - - return $ini - } - - Function Out-IniFile($InputObject, $FilePath, $Encoding) { - - <# - .SYNOPSIS - - Write a hashtable out to a .ini file - - .NOTES - - Original source see https://devblogs.microsoft.com/scripting/use-powershell-to-work-with-any-ini-file/ - #> - - $outFile = New-Item -Force -ItemType file -Path $Filepath - - foreach ($i in $InputObject.keys) { - if (!($($InputObject[$i].GetType().Name) -eq "Hashtable")) { - #No Sections - Add-Content -Encoding $Encoding -Path $outFile -Value "$i=$($InputObject[$i])" - } else { - #Sections - Add-Content -Encoding $Encoding -Path $outFile -Value "[$i]" - Foreach ($j in ($InputObject[$i].keys | Sort-Object)) { - if ($j -match "^Comment[\d]+") { - Add-Content -Encoding $Encoding -Path $outFile -Value "$($InputObject[$i][$j])" - } else { - Add-Content -Encoding $Encoding -Path $outFile -Value "$j=$($InputObject[$i][$j])" - } - } - Add-Content -Encoding $Encoding -Path $outFile -Value "" - } - } - } - - Function Get-HashtableValueDeep { - - <# - .SYNOPSIS - - Get a value from a tree of hashtables - #> - - [CmdletBinding()] - Param ( - - [Hashtable] - $Table, - - [String] - $Path - ) - - $Key = $Path.Split('\', 2) - - $Entry = $Table[$Key[0]] - - if($Entry -is [hashtable] -and $Key.Length -eq 1) { - throw "Path is incomplete (expected a leaf but still on a branch)" - } - - if($Entry -is [hashtable]) { - return Get-HashtableValueDeep $Entry $Key[1]; - } else { - if($Key.Length -eq 1) { - return $Entry - } else { - throw "Path is too long (expected a branch but arrived at a leaf before the end of the path)" - } - } - } - - Function Set-HashtableValueDeep { - - <# - .SYNOPSIS - - Set a value in a tree of hashtables - #> - - [CmdletBinding()] - Param ( - - [Hashtable] - $Table, - - [String] - $Path, - - [String] - $Value - ) - - $Key = $Path.Split('\', 2) - - $Entry = $Table[$Key[0]] - - if($Key.Length -eq 2) { - if($Entry -eq $null) { - $Table[$Key[0]] = @{} - } elseif($Entry -isnot [hashtable]) { - throw "Not hashtable" - } - - return Set-HashtableValueDeep $Table[$Key[0]] $Key[1] $Value; - } elseif($Key.Length -eq 1) { - $Table[$Key[0]] = $Value; - } - } - - Function Get-SidFromAccount { - - <# - .SYNOPSIS - - Translate the account name (user or group) into the Security Identifier (SID) - #> - - [CmdletBinding()] - Param ( - - [String] - $AccountName - ) - - try { - - $AccountObject = New-Object System.Security.Principal.NTAccount($AccountName) - $AccountSid = $AccountObject.Translate([System.Security.Principal.SecurityIdentifier]).Value - - } catch { - - # If translation fails, return account name - $AccountSid = $AccountName - } - - Return $AccountSid - } - - Function Get-AccountFromSid { - - <# - .SYNOPSIS - - Translate the Security Identifier (SID) into the account name (user or group) - #> - - [CmdletBinding()] - Param ( - - [String] - $AccountSid - ) - - try { - - $AccountObject = New-Object System.Security.Principal.SecurityIdentifier ($AccountSid) - $AccountName = $AccountObject.Translate([System.Security.Principal.NTAccount]).Value - - } catch { - - # If translation fails, return account SID - $AccountName = $AccountSid - } - - Return $AccountName - } - - Function Translate-SidFromWellkownAccount { - - <# - .SYNOPSIS - - Translate the well-known account name (user or group) into the Security Identifier (SID) - No attempt is made to get a Computer SID or Domain SID to identify groups such as Domain Admins, - as the possibility for false positives is too great. In this case the account name is returned. - #> - - [CmdletBinding()] - Param ( - - [String] - $AccountName - ) - - Switch ($AccountName) { - - "BUILTIN\Account Operators" { $AccountSid = "S-1-5-32-548"; Break} - "BUILTIN\Administrators" { $AccountSid = "S-1-5-32-544"; Break} - "BUILTIN\Backup Operators" { $AccountSid = "S-1-5-32-551"; Break} - "BUILTIN\Guests" { $AccountSid = "S-1-5-32-546"; Break} - "BUILTIN\Power Users" { $AccountSid = "S-1-5-32-547"; Break} - "BUILTIN\Print Operators" { $AccountSid = "S-1-5-32-550"; Break} - "BUILTIN\Remote Desktop Users" { $AccountSid = "S-1-5-32-555"; Break} - "BUILTIN\Server Operators" { $AccountSid = "S-1-5-32-549"; Break} - "BUILTIN\Users" { $AccountSid = "S-1-5-32-545"; Break} - "Everyone" { $AccountSid = "S-1-1-0"; Break} - "NT AUTHORITY\ANONYMOUS LOGON" { $AccountSid = "S-1-5-7"; Break} - "NT AUTHORITY\Authenticated Users" { $AccountSid = "S-1-5-11"; Break} - "NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS" { $AccountSid = "S-1-5-9"; Break} - "NT AUTHORITY\IUSR" { $AccountSid = "S-1-5-17"; Break} - "NT AUTHORITY\Local account and member of Administrators group" { $AccountSid = "S-1-5-114"; Break} - "NT AUTHORITY\Local account" { $AccountSid = "S-1-5-113"; Break} - "NT AUTHORITY\LOCAL SERVICE" { $AccountSid = "S-1-5-19"; Break} - "NT AUTHORITY\NETWORK SERVICE" { $AccountSid = "S-1-5-20"; Break} - "NT AUTHORITY\SERVICE" { $AccountSid = "S-1-5-6"; Break} - "NT AUTHORITY\SYSTEM" { $AccountSid = "S-1-5-18"; Break} - "NT SERVICE\WdiServiceHost" { $AccountSid = "S-1-5-80-3139157870-2983391045-3678747466-658725712-1809340420"; Break} - "NT VIRTUAL MACHINE\Virtual Machines" { $AccountSid = "S-1-5-83-0"; Break} - "Window Manager\Window Manager Group" { $AccountSid = "S-1-5-90-0"; Break} - Default { $AccountSid = $AccountName } - } - - Return $AccountSid - } - - # - # Start Main - # - $HardeningKittyVersion = "0.7.0-1640190489" - - # - # Log, report and backup file - # - $Hostname = $env:COMPUTERNAME.ToLower() - $FileDate = Get-Date -Format yyyyMMdd-HHmmss - $ListName = [System.IO.Path]::GetFileNameWithoutExtension($FileFindingList) - $WinSystemLocale = Get-WinSystemLocale - $PowerShellVersion = "$($PSVersionTable.PSVersion.Major).$($PSVersionTable.PSVersion.Minor)" - - If ($Log.IsPresent -and $LogFile.Length -eq 0) { - $LogFile = "hardeningkitty_log_"+$Hostname+"_"+$ListName+"-$FileDate.log" - } - If ($Report.IsPresent -and $ReportFile.Length -eq 0) { - $ReportFile = "hardeningkitty_report_"+$Hostname+"_"+$ListName+"-$FileDate.csv" - } - If ($Report.IsPresent) { - $Message = '"ID","Name","Severity","Result","Recommended"' - Add-MessageToFile -Text $Message -File $ReportFile - } - If ($Backup.IsPresent -and $BackupFile.Length -eq 0) { - $BackupFile = "hardeningkitty_backup_"+$Hostname+"_"+$ListName+"-$FileDate.csv" - } - If ($Backup.IsPresent) { - $Message = '"ID","Category","Name","Method","MethodArgument","RegistryPath","RegistryItem","ClassName","Namespace","Property","DefaultValue","RecommendedValue","Operator","Severity"' - Add-MessageToFile -Text $Message -File $BackupFile - } - - # - # Statistics - # - $StatsPassed = 0 - $StatsLow = 0 - $StatsMedium = 0 - $StatsHigh = 0 - $StatsTotal = 0 - $StatsError = 0 - - # - # Header - # - Write-Output "`n" - Write-Output " =^._.^=" - Write-Output " _( )/ HardeningKitty $HardeningKittyVersion" - Write-Output "`n" - Write-ProtocolEntry -Text "Starting HardeningKitty" -LogLevel "Info" - - # - # Machine information - # - If (-not($SkipMachineInformation)) { - - Write-Output "`n" - Write-ProtocolEntry -Text "Getting machine information" -LogLevel "Info" - - # - # The Get-ComputerInfo cmdlet gets a consolidated object of system - # and operating system properties. This cmdlet was introduced in Windows PowerShell 5.1. - # - If ($PowerShellVersion -le 5.0) { - - try { - - $OperatingSystem = Get-CimInstance Win32_operatingsystem - $ComputerSystem = Get-CimInstance Win32_ComputerSystem - Switch ($ComputerSystem.domainrole) { - "0" { $Domainrole = "Standalone Workstation"; Break} - "1" { $Domainrole = "Member Workstation"; Break} - "2" { $Domainrole = "Standalone Server"; Break} - "3" { $Domainrole = "Member Server"; Break} - "4" { $Domainrole = "Backup Domain Controller"; Break} - "5" { $Domainrole = "Primary Domain Controller"; Break} - } - $Uptime = (Get-Date) - $OperatingSystem.LastBootUpTime - - $Message = "Hostname: "+$OperatingSystem.CSName - Write-ProtocolEntry -Text $Message -LogLevel "Notime" - $Message = "Domain: "+$ComputerSystem.Domain - Write-ProtocolEntry -Text $Message -LogLevel "Notime" - $Message = "Domain role: "+$Domainrole - Write-ProtocolEntry -Text $Message -LogLevel "Notime" - $Message = "Install date: "+$OperatingSystem.InstallDate - Write-ProtocolEntry -Text $Message -LogLevel "Notime" - $Message = "Last Boot Time: "+$OperatingSystem.LastBootUpTime - Write-ProtocolEntry -Text $Message -LogLevel "Notime" - $Message = "Uptime: "+$Uptime - Write-ProtocolEntry -Text $Message -LogLevel "Notime" - $Message = "Windows: "+$OperatingSystem.Caption - Write-ProtocolEntry -Text $Message -LogLevel "Notime" - $Message = "Windows version: "+$OperatingSystem.Version - Write-ProtocolEntry -Text $Message -LogLevel "Notime" - $Message = "Windows build: "+$OperatingSystem.BuildNumber - Write-ProtocolEntry -Text $Message -LogLevel "Notime" - $Message = "System-locale: "+$WinSystemLocale.Name - Write-ProtocolEntry -Text $Message -LogLevel "Notime" - $Message = "Powershell Version: "+$PowerShellVersion - Write-ProtocolEntry -Text $Message -LogLevel "Notime" - } catch { - Write-ProtocolEntry -Text "Getting machine information failed." -LogLevel "Warning" - } - } - Else { - - $MachineInformation = Get-ComputerInfo - $Message = "Hostname: "+$MachineInformation.CsDNSHostName - Write-ProtocolEntry -Text $Message -LogLevel "Notime" - $Message = "Domain: "+$MachineInformation.CsDomain - Write-ProtocolEntry -Text $Message -LogLevel "Notime" - $Message = "Domain role: "+$MachineInformation.CsDomainRole - Write-ProtocolEntry -Text $Message -LogLevel "Notime" - $Message = "Install date: "+$MachineInformation.OsInstallDate - Write-ProtocolEntry -Text $Message -LogLevel "Notime" - $Message = "Last Boot Time: "+$MachineInformation.OsLastBootUpTime - Write-ProtocolEntry -Text $Message -LogLevel "Notime" - $Message = "Uptime: "+$MachineInformation.OsUptime - Write-ProtocolEntry -Text $Message -LogLevel "Notime" - $Message = "Windows: "+$MachineInformation.WindowsProductName - Write-ProtocolEntry -Text $Message -LogLevel "Notime" - $Message = "Windows edition: "+$MachineInformation.WindowsEditionId - Write-ProtocolEntry -Text $Message -LogLevel "Notime" - $Message = "Windows version: "+$MachineInformation.WindowsVersion - Write-ProtocolEntry -Text $Message -LogLevel "Notime" - $Message = "Windows build: "+$MachineInformation.WindowsBuildLabEx - Write-ProtocolEntry -Text $Message -LogLevel "Notime" - $Message = "System-locale: "+$WinSystemLocale.Name - Write-ProtocolEntry -Text $Message -LogLevel "Notime" - $Message = "Powershell Version: "+$PowerShellVersion - Write-ProtocolEntry -Text $Message -LogLevel "Notime" - } - } - - # - # Warning for non-english systems - # - If ($WinSystemLocale.Name -ne "en-US" -and -not($SkipLanguageWarning)) { - Write-Output "`n" - Write-ProtocolEntry -Text "Language warning" -LogLevel "Info" - $Message = "HardeningKitty was developed for the system language 'en-US'. This system uses '"+$WinSystemLocale.Name+"' Language-dependent analyses can sometimes produce false results. Please create an issue if this occurs." - Write-ProtocolEntry -Text $Message -LogLevel "Warning" - } - - # - # User information - # - Write-Output "`n" - Write-ProtocolEntry -Text "Getting user information" -LogLevel "Info" - - $Message = "Username: "+[Security.Principal.WindowsIdentity]::GetCurrent().Name - Write-ProtocolEntry -Text $Message -LogLevel "Notime" - $IsAdmin = ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator") - $Message = "Is Admin: "+$IsAdmin - Write-ProtocolEntry -Text $Message -LogLevel "Notime" - - # - # Start Config/Audit mode - # The processing is done per category of the finding list. - # The finding list defines which module is used and the arguments and recommended values for the test. - # - If ($Mode -eq "Audit" -or $Mode -eq "Config") { - - # A CSV finding list is imported. HardeningKitty has one machine and one user list. - If ($FileFindingList.Length -eq 0) { - - $CurrentLication = Get-Location - $FileFindingList = "$CurrentLication\lists\finding_list_0x6d69636b_machine.csv" - } - - $FindingList = Import-Csv -Path $FileFindingList -Delimiter "," - $LastCategory = "" - - ForEach ($Finding in $FindingList) { - - # - # Reset - # - $Result = "" - - # - # Category - # - If ($LastCategory -ne $Finding.Category) { - - $Message = "Starting Category " + $Finding.Category - Write-Output "`n" - Write-ProtocolEntry -Text $Message -LogLevel "Info" - $LastCategory = $Finding.Category - } - - # - # Get Registry Item - # Registry entries can be read with a native PowerShell function. The retrieved value is evaluated later. - # If the registry entry is not available, a default value is used. This must be specified in the finding list. - # - If ($Finding.Method -eq 'Registry') { - - If (Test-Path -Path $Finding.RegistryPath) { - - try { - $Result = Get-ItemPropertyValue -Path $Finding.RegistryPath -Name $Finding.RegistryItem - } catch { - $Result = $Finding.DefaultValue - } - } Else { - $Result = $Finding.DefaultValue - } - } - - # - # Get secedit policy - # Secedit configures and analyzes system security, results are written - # to a file, which means HardeningKitty must create a temporary file - # and afterwards delete it. HardeningKitty is very orderly. - # - ElseIf ($Finding.Method -eq 'secedit') { - - # Check if binary is available, skip test if not - $BinarySecedit = "C:\Windows\System32\secedit.exe" - If (-Not (Test-Path $BinarySecedit)) { - $StatsError++ - $Message = "ID "+$Finding.ID+", "+$Finding.Name+", Method "+$Finding.Method+" requires secedit, and the binary for secedit was not found. Test skipped." - Write-ProtocolEntry -Text $Message -LogLevel "Error" - Continue - } - - # Check if the user has admin rights, skip test if not - If (-not($IsAdmin)) { - $StatsError++ - $Message = "ID "+$Finding.ID+", "+$Finding.Name+", Method "+$Finding.Method+" requires admin priviliges. Test skipped." - Write-ProtocolEntry -Text $Message -LogLevel "Error" - Continue - } - - $TempFileName = [System.IO.Path]::GetTempFileName() - - $Area = ""; - - Switch($Finding.Category) { - "Account Policies" { $Area = "SECURITYPOLICY"; Break } - "Security Options" { $Area = "SECURITYPOLICY"; Break } - } - - &$BinarySecedit /export /cfg $TempFileName /areas $Area | Out-Null - - $Data = Get-IniContent $TempFileName - - $Value = Get-HashtableValueDeep $Data $Finding.MethodArgument - - if($Value -eq $null) { - $Result = $null - } else { - $Result = $Value -as [int] - } - - Remove-Item $TempFileName - } - - # - # Get Registry List and search for item - # Depending on the registry structure, the value cannot be accessed directly, but must be found within a data structure - # If the registry entry is not available, a default value is used. This must be specified in the finding list. - # - ElseIf ($Finding.Method -eq 'RegistryList') { - - If (Test-Path -Path $Finding.RegistryPath) { - - try { - $ResultList = Get-ItemProperty -Path $Finding.RegistryPath - - If ($ResultList | Where-Object { $_ -like "*"+$Finding.RegistryItem+"*" }) { - $Result = $Finding.RegistryItem - } Else { - $Result = "Not found" - } - - } catch { - $Result = $Finding.DefaultValue - } - } Else { - $Result = $Finding.DefaultValue - } - } - - # - # Get Audit Policy - # The output of auditpol.exe is parsed and will be evaluated later. - # The desired value is not output directly, some output lines can be ignored - # and are therefore skipped. If the output changes, the parsing must be adjusted :( - # - ElseIf ($Finding.Method -eq 'auditpol') { - - # Check if binary is available, skip test if not - $BinaryAuditpol = "C:\Windows\System32\auditpol.exe" - If (-Not (Test-Path $BinaryAuditpol)) { - $StatsError++ - $Message = "ID "+$Finding.ID+", "+$Finding.Name+", Method "+$Finding.Method+" requires auditpol, and the binary for auditpol was not found. Test skipped." - Write-ProtocolEntry -Text $Message -LogLevel "Error" - Continue - } - - # Check if the user has admin rights, skip test if not - If (-not($IsAdmin)) { - $StatsError++ - $Message = "ID "+$Finding.ID+", "+$Finding.Name+", Method "+$Finding.Method+" requires admin priviliges. Test skipped." - Write-ProtocolEntry -Text $Message -LogLevel "Error" - Continue - } - - try { - - $SubCategory = $Finding.MethodArgument - - # auditpol.exe does not write a backup in an existing file, so we have to build a name instead of create one - $TempFileName = [System.IO.Path]::GetTempPath()+"HardeningKitty_auditpol-"+$(Get-Date -Format yyyyMMdd-HHmmss)+".csv" - &$BinaryAuditpol /backup /file:$TempFileName > $null - - $ResultOutputLoad = Get-Content $TempFileName - foreach ($line in $ResultOutputLoad){ - $table = $line.Split(",") - if ($table[3] -eq $SubCategory){ - - # Translate setting value (works only for English list, so this is workaround) - Switch ($table[6]) { - "0" { $Result = "No Auditing"; Break} - "1" { $Result = "Success"; Break} - "2" { $Result = "Failure"; Break} - "3" { $Result = "Success and Failure"; Break} - } - } - } - - # House cleaning - Remove-Item $TempFileName - Clear-Variable -Name ("ResultOutputLoad", "table") - - } catch { - $Result = $Finding.DefaultValue - } - } - - # - # Get Account Policy - # The output of net.exe is parsed and will be evaluated later. - # It may be necessary to use the /domain parameter when calling net.exe. - # The values of the user executing the script are read out. These may not match the password policy. - # - ElseIf ($Finding.Method -eq 'accountpolicy') { - - # Check if binary is available, skip test if not - $BinaryNet = "C:\Windows\System32\net.exe" - If (-Not (Test-Path $BinaryNet)) { - $StatsError++ - $Message = "ID "+$Finding.ID+", "+$Finding.Name+", Method "+$Finding.Method+" requires net, and the binary for net was not found. Test skipped." - Write-ProtocolEntry -Text $Message -LogLevel "Error" - Continue - } - - try { - - $ResultOutput = &$BinaryNet accounts - - # "Parse" account policy - Switch ($Finding.Name) { - "Force user logoff how long after time expires" { $ResultOutput[0] -match '([a-zA-Z:, /-]+) ([a-z0-9, ]+)' | Out-Null; $Result=$Matches[2]; Break} - "Network security: Force logoff when logon hours expires" { $ResultOutput[0] -match '([a-zA-Z:, /-]+) ([a-z0-9, ]+)' | Out-Null; $Result=$Matches[2]; Break} - "Minimum password age" { $ResultOutput[1] -match '([a-zA-Z:, /-]+) ([a-z0-9, ]+)' | Out-Null; $Result=$Matches[2]; Break} - "Maximum password age" { $ResultOutput[2] -match '([a-zA-Z:, /-]+) ([a-z0-9, ]+)' | Out-Null; $Result=$Matches[2]; Break} - "Minimum password length" { $ResultOutput[3] -match '([a-zA-Z:, /-]+) ([a-z0-9, ]+)' | Out-Null; $Result=$Matches[2]; Break} - "Length of password history maintained" { $ResultOutput[4] -match '([a-zA-Z:, /-]+) ([a-z0-9, ]+)' | Out-Null; $Result=$Matches[2]; Break} - "Account lockout threshold" { $ResultOutput[5] -match '([a-zA-Z:, /-]+) ([a-z0-9, ]+)' | Out-Null; $Result=$Matches[2]; Break} - "Account lockout duration" { $ResultOutput[6] -match '([a-zA-Z:, /-]+) ([a-z0-9, ]+)' | Out-Null; $Result=$Matches[2]; Break} - "Reset account lockout counter" { $ResultOutput[7] -match '([a-zA-Z:, /-]+) ([a-z0-9, ]+)' | Out-Null; $Result=$Matches[2]; Break} - } - - } catch { - $Result = $Finding.DefaultValue - } - } - - # - # Get Local Account Information - # The PowerShell function Get-LocalUser is used for this. - # In order to get the correct user, the query is made via the SID, - # the base value of the computer must first be retrieved. - # - ElseIf ($Finding.Method -eq 'localaccount') { - - try { - - # Get Computer SID - $ComputerSid = ((Get-LocalUser | Select-Object -First 1).SID).AccountDomainSID.ToString() - - # Get User Status - $Sid = $ComputerSid+"-"+$Finding.MethodArgument - $ResultOutput = Get-LocalUser -SID $Sid - - If ($Finding.Name.Contains("account status")){ - $Result = $ResultOutput.Enabled - } - ElseIf ($Finding.Name.Contains("Rename")) { - $Result = $ResultOutput.Name - } - Else { - $Result = $Finding.DefaultValue - } - - } catch { - $Result = $Finding.DefaultValue - } - } - - # - # User Rights Assignment - # This method was first developed with the tool accessck.exe, hence the name. - # Due to compatibility problems in languages other than English, secedit.exe is - # now used to read the User Rights Assignments. - # - # Secedit configures and analyzes system security, results are written - # to a file, which means HardeningKitty must create a temporary file - # and afterwards delete it. HardeningKitty is very orderly. - # - ElseIf ($Finding.Method -eq 'accesschk') { - - # Check if binary is available, skip test if not - $BinarySecedit = "C:\Windows\System32\secedit.exe" - If (-Not (Test-Path $BinarySecedit)) { - $StatsError++ - $Message = "ID "+$Finding.ID+", "+$Finding.Name+", Method "+$Finding.Method+" requires secedit, and the binary for secedit was not found. Test skipped." - Write-ProtocolEntry -Text $Message -LogLevel "Error" - Continue - } - - # Check if the user has admin rights, skip test if not - If (-not($IsAdmin)) { - $StatsError++ - $Message = "ID "+$Finding.ID+", "+$Finding.Name+", Method "+$Finding.Method+" requires admin priviliges. Test skipped." - Write-ProtocolEntry -Text $Message -LogLevel "Error" - Continue - } - - $TempFileName = [System.IO.Path]::GetTempFileName() - - try { - - &$BinarySecedit /export /cfg $TempFileName /areas USER_RIGHTS | Out-Null - $ResultOutputRaw = Get-Content -Encoding unicode $TempFileName | Select-String $Finding.MethodArgument - - If ($ResultOutputRaw -eq $null) { - $Result = "" - } - Else { - $ResultOutputList = $ResultOutputRaw.ToString().split("=").Trim() - $Result = $ResultOutputList[1] -Replace "\*","" - $Result = $Result -Replace ",",";" - } - - } catch { - # If secedit did not work, throw an error instead of using the DefaultValue - $StatsError++ - $Message = "ID "+$Finding.ID+", "+$Finding.Name+", secedit.exe could not read the configuration. Test skipped." - Write-ProtocolEntry -Text $Message -LogLevel "Error" - Continue - } - - Remove-Item $TempFileName - } - - # - # Windows Optional Feature - # Yay, a native PowerShell function! The status of the feature can easily be read out directly. - # - ElseIf ($Finding.Method -eq 'WindowsOptionalFeature') { - - # Check if the user has admin rights, skip test if not - If (-not($IsAdmin)) { - $StatsError++ - $Message = "ID "+$Finding.ID+", "+$Finding.Name+", Method "+$Finding.Method+" requires admin priviliges. Test skipped." - Write-ProtocolEntry -Text $Message -LogLevel "Error" - Continue - } - - try { - - $ResultOutput = Get-WindowsOptionalFeature -Online -FeatureName $Finding.MethodArgument - $Result = $ResultOutput.State - - } catch { - $Result = $Finding.DefaultValue - } - } - - # - # Get CimInstance and search for item - # Via a CIM instance classes can be read from the CIM server. - # Afterwards, you have to search for the correct property within the class. - # - ElseIf ($Finding.Method -eq 'CimInstance') { - - try { - - $ResultList = Get-CimInstance -ClassName $Finding.ClassName -Namespace $Finding.Namespace - $Property = $Finding.Property - - If ($ResultList.$Property | Where-Object { $_ -like "*"+$Finding.RecommendedValue+"*" }) { - $Result = $Finding.RecommendedValue - } Else { - $Result = "Not available" - } - - } catch { - $Result = $Finding.DefaultValue - } - } - - # - # BitLocker Drive Encryption - # The values are saved from a PowerShell function into an object. - # The desired arguments can be accessed directly. - # - ElseIf ($Finding.Method -eq 'BitLockerVolume') { - - # Check if the user has admin rights, skip test if not - If (-not($IsAdmin)) { - $StatsError++ - $Message = "ID "+$Finding.ID+", "+$Finding.Name+", Method "+$Finding.Method+" requires admin priviliges. Test skipped." - Write-ProtocolEntry -Text $Message -LogLevel "Error" - Continue - } - - try { - - $ResultOutput = Get-BitLockerVolume -MountPoint C: - If ($ResultOutput.VolumeType -eq 'OperatingSystem') { - $ResultArgument = $Finding.MethodArgument - $Result = $ResultOutput.$ResultArgument - } Else { - $Result = "Manual check required" - } - - } catch { - $Result = $Finding.DefaultValue - } - } - - # - # PowerShell Language Mode - # This is a single purpose function, the desired configuration is output directly. - # - ElseIf ($Finding.Method -eq 'LanguageMode') { - - try { - - $ResultOutput = $ExecutionContext.SessionState.LanguageMode - $Result = $ResultOutput - - } catch { - $Result = $Finding.DefaultValue - } - } - - # - # Microsoft Defender Preferences - # The values are saved from a PowerShell function into an object. - # The desired arguments can be accessed directly. - # - ElseIf ($Finding.Method -eq 'MpPreference') { - - try { - - $ResultOutput = Get-MpPreference - $ResultArgument = $Finding.MethodArgument - $Result = $ResultOutput.$ResultArgument - - } catch { - $Result = $Finding.DefaultValue - } - } - - # - # Microsoft Defender Preferences - Attack surface reduction rules (ASR rules) - # The values are saved from a PowerShell function into an object. - # The desired arguments can be accessed directly. - # - ElseIf ($Finding.Method -eq 'MpPreferenceAsr') { - - try { - - $ResultOutput = Get-MpPreference - $ResultAsrIds = $ResultOutput.AttackSurfaceReductionRules_Ids - $ResultAsrActions = $ResultOutput.AttackSurfaceReductionRules_Actions - $Result = $Finding.DefaultValue - $Counter = 0 - - ForEach ($AsrRule in $ResultAsrIds) { - - If ($AsrRule -eq $Finding.MethodArgument) { - $Result = $ResultAsrActions[$Counter] - Continue - } - $Counter++ - } - - } catch { - $Result = $Finding.DefaultValue - } - } - - # - # Microsoft Defender Preferences - Exclusion lists - # The values are saved from a PowerShell function into an object. - # The desired arguments can be accessed directly. - # - ElseIf ($Finding.Method -eq 'MpPreferenceExclusion') { - - # Check if the user has admin rights, skip test if not - # Normal users are not allowed to get exclusions - If (-not($IsAdmin)) { - $StatsError++ - $Message = "ID "+$Finding.ID+", "+$Finding.Name+", Method "+$Finding.Method+" requires admin priviliges. Test skipped." - Write-ProtocolEntry -Text $Message -LogLevel "Error" - Continue - } - - try { - - $ResultOutput = Get-MpPreference - $ExclusionType = $Finding.MethodArgument - $ResultExclusions = $ResultOutput.$ExclusionType - - ForEach ($Exclusion in $ResultExclusions) { - $Result += $Exclusion+";" - } - # Remove last character - $Result = $Result -replace “.$” - - } catch { - $Result = $Finding.DefaultValue - } - } - - # - # Exploit protection (System) - # The values are saved from a PowerShell function into an object. - # The desired arguments can be accessed directly. - # Since the object has several dimensions and there is only one dimension - # in the finding list (lazy) a workaround with split must be done... - # - ElseIf ($Finding.Method -eq 'Processmitigation') { - - try { - - $ResultOutput = Get-Processmitigation -System - $ResultArgumentArray = $Finding.MethodArgument.Split(".") - $ResultArgument0 = $ResultArgumentArray[0] - $ResultArgument1 = $ResultArgumentArray[1] - $Result = $ResultOutput.$ResultArgument0.$ResultArgument1 - - } catch { - $Result = $Finding.DefaultValue - } - } - - # - # Exploit protection (Application) - # The values are saved from a PowerShell function into an object. - # The desired arguments can be accessed directly. - # Since the object has several dimensions and there is only one dimension - # in the finding list (lazy) a workaround with split must be done... - # - ElseIf ($Finding.Method -eq 'ProcessmitigationApplication') { - - try { - - $ResultArgumentArray = $Finding.MethodArgument.Split("/") - $ResultOutput = Get-Processmitigation -Name $ResultArgumentArray[0] - $ResultArgument0 = $ResultArgumentArray[1] - $ResultArgument1 = $ResultArgumentArray[2] - $Result = $ResultOutput.$ResultArgument0.$ResultArgument1 - - } catch { - $Result = $Finding.DefaultValue - } - } - - # - # bcdedit - # Again, the output of a tool must be searched and parsed. Ugly... - # - ElseIf ($Finding.Method -eq 'bcdedit') { - - # Check if the user has admin rights, skip test if not - If (-not($IsAdmin)) { - $StatsError++ - $Message = "ID "+$Finding.ID+", "+$Finding.Name+", Method "+$Finding.Method+" requires admin priviliges. Test skipped." - Write-ProtocolEntry -Text $Message -LogLevel "Error" - Continue - } - - # Check if binary is available, skip test if not - $BinaryBcdedit = "C:\Windows\System32\bcdedit.exe" - If (-Not (Test-Path $BinaryBcdedit)) { - $StatsError++ - $Message = "ID "+$Finding.ID+", "+$Finding.Name+", Method "+$Finding.Method+" requires bcdedit, and the binary for bcdedit was not found. Test skipped." - Write-ProtocolEntry -Text $Message -LogLevel "Error" - Continue - } - - try { - - $ResultOutput = &$BinaryBcdedit - $ResultOutput = $ResultOutput | Where-Object { $_ -like "*"+$Finding.RecommendedValue+"*" } - - If ($ResultOutput -match ' ([a-z,A-Z]+)') { - $Result = $Matches[1] - } Else { - $Result = $Finding.DefaultValue - } - - } catch { - $Result = $Finding.DefaultValue - } - } - - # - # FirewallRule - # Search for a specific firewall rule with a given name - # - ElseIf ($Finding.Method -eq 'FirewallRule') { - - try { - - $ResultOutput = Get-NetFirewallRule -DisplayName $Finding.Name 2> $null - $Result = $ResultOutput.Enabled - - } catch { - $Result = $Finding.DefaultValue - } - } - - # - # Service - # Check the status of a service - # - ElseIf ($Finding.Method -eq 'service') { - - try { - - $ResultOutput = Get-Service -Name $Finding.MethodArgument 2> $null - $Result = $ResultOutput.StartType - - } catch { - $Result = $Finding.DefaultValue - } - } - - # - # Compare result value and recommendation - # The finding list specifies the test, as well as the recommended values. - # There are two output formats, one for command line output and one for the CSV file. - # - If ($Mode -eq "Audit") { - - # - # User Right Assignment - # For multilingual support, a SID translation takes place and then the known SID values are compared with each other. - # The results are already available as SID (from secedit) and therefore the specifications are now also translated and still sorted. - # - If ($Finding.Method -eq 'accesschk') { - - If ($Result -ne '') { - - $SaveRecommendedValue = $Finding.RecommendedValue - $ListRecommended = $Finding.RecommendedValue.Split(";") - $ListRecommendedSid = @() - - # SID Translation - ForEach ($AccountName in $ListRecommended) { - $AccountSid = Translate-SidFromWellkownAccount -AccountName $AccountName - $ListRecommendedSid += $AccountSid - } - # Sort SID List - $ListRecommendedSid = $ListRecommendedSid | Sort-Object - - # Build String - ForEach ($AccountName in $ListRecommendedSid) { - [String] $RecommendedValueSid += $AccountName+";" - } - - $RecommendedValueSid = $RecommendedValueSid -replace ".$" - $Finding.RecommendedValue = $RecommendedValueSid - Clear-Variable -Name ("RecommendedValueSid") - } - } - - $ResultPassed = $false - Switch($Finding.Operator) { - - "=" { If ([string] $Result -eq $Finding.RecommendedValue) { $ResultPassed = $true }; Break} - "<=" { try { If ([int]$Result -le [int]$Finding.RecommendedValue) { $ResultPassed = $true }} catch { $ResultPassed = $false }; Break} - "<=!0" { try { If ([int]$Result -le [int]$Finding.RecommendedValue -and [int]$Result -ne 0) { $ResultPassed = $true }} catch { $ResultPassed = $false }; Break} - ">=" { try { If ([int]$Result -ge [int]$Finding.RecommendedValue) { $ResultPassed = $true }} catch { $ResultPassed = $false }; Break} - "contains" { If ($Result.Contains($Finding.RecommendedValue)) { $ResultPassed = $true }; Break} - "!=" { If ([string] $Result -ne $Finding.RecommendedValue) { $ResultPassed = $true }; Break} - "=|0" { try { If ([string]$Result -eq $Finding.RecommendedValue -or $Result.Length -eq 0) { $ResultPassed = $true }} catch { $ResultPassed = $false }; Break} - } - - # - # Restore Result after SID translation - # The results are already available as SID, for better readability they are translated into their names - # - If ($Finding.Method -eq 'accesschk') { - - If ($Result -ne "") { - - $ListResult = $Result.Split(";") - ForEach ($AccountSid in $ListResult) { - $AccountName = Get-AccountFromSid -AccountSid $AccountSid - [String] $ResultName += $AccountName.Trim()+";" - } - $ResultName = $ResultName -replace ".$" - $Result = $ResultName - Clear-Variable -Name ("ResultName") - } - - $Finding.RecommendedValue = $SaveRecommendedValue - } - - If ($ResultPassed) { - - # Passed - $Message = "ID "+$Finding.ID+", "+$Finding.Name+", Result=$Result, Severity=Passed" - Write-ResultEntry -Text $Message -SeverityLevel "Passed" - - If ($Log) { - Add-MessageToFile -Text $Message -File $LogFile - } - - If ($Report) { - $Message = '"'+$Finding.ID+'","'+$Finding.Name+'","Passed","'+$Result+'"' - Add-MessageToFile -Text $Message -File $ReportFile - } - - # Increment Counter - $StatsPassed++ - - } Else { - - # Failed - If ($Finding.Operator -eq "!=") { - $Message = "ID "+$Finding.ID+", "+$Finding.Name+", Result=$Result, Recommended=Not "+$Finding.RecommendedValue+", Severity="+$Finding.Severity - } - Else { - $Message = "ID "+$Finding.ID+", "+$Finding.Name+", Result=$Result, Recommended="+$Finding.RecommendedValue+", Severity="+$Finding.Severity - } - - Write-ResultEntry -Text $Message -SeverityLevel $Finding.Severity - - If ($Log) { - Add-MessageToFile -Text $Message -File $LogFile - } - - If ($Report) { - $Message = '"'+$Finding.ID+'","'+$Finding.Name+'","'+$Finding.Severity+'","'+$Result+'","'+$Finding.RecommendedValue+'"' - Add-MessageToFile -Text $Message -File $ReportFile - } - - # Increment Counter - Switch($Finding.Severity) { - - "Low" { $StatsLow++; Break} - "Medium" { $StatsMedium++; Break} - "High" { $StatsHigh++; Break} - } - } - - # - # Only return received value - # - } Elseif ($Mode -eq "Config") { - - $Message = "ID "+$Finding.ID+"; "+$Finding.Name+"; Result=$Result" - Write-ResultEntry -Text $Message - - If ($Log) { - Add-MessageToFile -Text $Message -File $LogFile - } - If ($Report) { - $Message = '"'+$Finding.ID+'","'+$Finding.Name+'",,"'+$Result+'",'+$Finding.RecommendedValue - Add-MessageToFile -Text $Message -File $ReportFile - } - If ($Backup) { - $Message = '"'+$Finding.ID+'","'+$Finding.Category+'","'+$Finding.Name+'","'+$Finding.Method+'","'+$Finding.MethodArgument+'","'+$Finding.RegistryPath+'","'+$Finding.RegistryItem+'","'+$Finding.ClassName+'","'+$Finding.Namespace+'","'+$Finding.Property+'","'+$Finding.DefaultValue+'","'+$Result+'","'+$Finding.Operator+'","'+$Finding.Severity+'",' - Add-MessageToFile -Text $Message -File $BackupFile - } - } - } - - } - - # - # Start HailMary mode - # HardeningKitty configures all settings in a finding list file. - # Even though HardeningKitty works very carefully, please only - # use HailyMary if you know what you are doing. - # - Elseif ($Mode = "HailMary") { - - # A CSV finding list is imported - If ($FileFindingList.Length -eq 0) { - - $CurrentLication = Get-Location - $FileFindingList = "$CurrentLication\lists\finding_list_0x6d69636b_machine.csv" - } - - $FindingList = Import-Csv -Path $FileFindingList -Delimiter "," - $LastCategory = "" - $ProcessmitigationEnableArray = @() - $ProcessmitigationDisableArray = @() - - ForEach ($Finding in $FindingList) { - - # - # Category - # - If ($LastCategory -ne $Finding.Category) { - - $Message = "Starting Category " + $Finding.Category - Write-Output "`n" - Write-ProtocolEntry -Text $Message -LogLevel "Info" - $LastCategory = $Finding.Category - } - - # - # accesschk - # For the audit mode, accesschk is used, but the rights are set with secedit. - # - If ($Finding.Method -eq 'accesschk') { - - # Check if binary is available, skip test if not - $BinarySecedit = "C:\Windows\System32\secedit.exe" - If (-Not (Test-Path $BinarySecedit)) { - $StatsError++ - $Message = "ID "+$Finding.ID+", "+$Finding.Name+", Method "+$Finding.Method+" requires secedit, and the binary for secedit was not found. Test skipped." - Write-ProtocolEntry -Text $Message -LogLevel "Error" - Continue - } - - # Check if the user has admin rights, skip test if not - If (-not($IsAdmin)) { - $StatsError++ - $Message = "ID "+$Finding.ID+", "+$Finding.Name+", Method "+$Finding.Method+" requires admin priviliges. Test skipped." - Write-ProtocolEntry -Text $Message -LogLevel "Error" - Continue - } - - $TempFileName = [System.IO.Path]::GetTempFileName() - $TempDbFileName = [System.IO.Path]::GetTempFileName() - - &$BinarySecedit /export /cfg $TempFileName /areas USER_RIGHTS | Out-Null - - if($Finding.RecommendedValue -eq "") { - (Get-Content -Encoding unicode $TempFileName) -replace "$($Finding.MethodArgument).*", "$($Finding.MethodArgument) = " | Out-File $TempFileName - } else { - $ListTranslated = @() - $List = $Finding.RecommendedValue -split ';'| Where-Object { - # Get SID to translate the account name - $AccountSid = Translate-SidFromWellkownAccount -AccountName $_ - # Get account name from system with SID (local translation) - $AccountName = Get-AccountFromSid -AccountSid $AccountSid - $ListTranslated += $AccountName - } - - # If User Right Assignment exists, replace values - If ( ((Get-Content -Encoding unicode $TempFileName) | Select-String $($Finding.MethodArgument)).Count -gt 0 ) { - (Get-Content -Encoding unicode $TempFileName) -replace "$($Finding.MethodArgument).*", "$($Finding.MethodArgument) = $($ListTranslated -join ',')" | Out-File $TempFileName - } - # If it does not exist, add a new entry into the file at the right position - Else { - $TempFileContent = Get-Content -Encoding unicode $TempFileName - $LineNumber = $TempFileContent.Count - $TempFileContent[$LineNumber-3] = "$($Finding.MethodArgument) = $($ListTranslated -join ',')" - $TempFileContent[$LineNumber-2] = "[Version]" - $TempFileContent[$LineNumber-1] = 'signature="$CHICAGO$"' - $TempFileContent += "Revision=1" - $TempFileContent | Set-Content -Encoding unicode $TempFileName - } - } - - &$BinarySecedit /import /cfg $TempFileName /overwrite /areas USER_RIGHTS /db $TempDbFileName /quiet | Out-Null - - if($LastExitCode -ne 0) { - $ResultText = "Failed to import user right assignment into temporary database" - $Message = "ID "+$Finding.ID+", "+$Finding.MethodArgument+", "+$Finding.RecommendedValue+", " + $ResultText - $MessageSeverity = "High" - Write-ResultEntry -Text $Message -SeverityLevel $MessageSeverity - Remove-Item $TempFileName - Remove-Item $TempDbFileName - Continue - } - - $ResultText = "Imported user right assignment into temporary database" - $Message = "ID "+$Finding.ID+", "+$Finding.MethodArgument+", "+$Finding.RecommendedValue+", " + $ResultText - $MessageSeverity = "Passed" - - Write-ResultEntry -Text $Message -SeverityLevel $MessageSeverity - - &$BinarySecedit /configure /db $TempDbFileName /overwrite /areas USER_RIGHTS /quiet | Out-Null - - if($LastExitCode -ne 0) { - $ResultText = "Failed to configure system user right assignment" - $Message = "ID "+$Finding.ID+", "+$Finding.MethodArgument+", "+$Finding.RecommendedValue+", " + $ResultText - $MessageSeverity = "High" - Write-ResultEntry -Text $Message -SeverityLevel $MessageSeverity - Remove-Item $TempFileName - Remove-Item $TempDbFileName - Continue - } - - $ResultText = "Configured system user right assignment" - $Message = "ID "+$Finding.ID+", "+$Finding.MethodArgument+", "+$Finding.RecommendedValue+", " + $ResultText - $MessageSeverity = "Passed" - - Write-ResultEntry -Text $Message -SeverityLevel $MessageSeverity - - Remove-Item $TempFileName - Remove-Item $TempDbFileName - } - - # - # MpPreference - # Set a Windows Defender policy - # - If ($Finding.Method -eq 'MpPreference') { - - # Check if the user has admin rights, skip test if not - If (-not($IsAdmin)) { - $StatsError++ - $Message = "ID "+$Finding.ID+", "+$Finding.Name+", Method "+$Finding.Method+" requires admin priviliges. Test skipped." - Write-ProtocolEntry -Text $Message -LogLevel "Error" - Continue - } - - $ResultMethodArgument = $Finding.MethodArgument - $ResultRecommendedValue = $Finding.RecommendedValue - - Switch($ResultRecommendedValue) { - "True" { $ResultRecommendedValue = 1; Break } - "False" { $ResultRecommendedValue = 0; Break } - } - - $ResultCommand = "Set-MpPreference -$ResultMethodArgument $ResultRecommendedValue" - - $Result = Invoke-Expression $ResultCommand - - if($LastExitCode -eq 0) { - $ResultText = "Method value modified" - $Message = "ID "+$Finding.ID+", "+$Finding.MethodArgument+", " + $ResultText - $MessageSeverity = "Passed" - } else { - $ResultText = "Failed to change Method value" - $Message = "ID "+$Finding.ID+", "+$Finding.MethodArgument+", " + $ResultText - $MessageSeverity = "High" - } - - Write-ResultEntry -Text $Message -SeverityLevel $MessageSeverity - } - - # - # secedit - # Set a security policy - # - If ($Finding.Method -eq 'secedit') { - - # Check if binary is available, skip test if not - $BinarySecedit = "C:\Windows\System32\secedit.exe" - If (-Not (Test-Path $BinarySecedit)) { - $StatsError++ - $Message = "ID "+$Finding.ID+", "+$Finding.Name+", Method "+$Finding.Method+" requires secedit, and the binary for secedit was not found. Test skipped." - Write-ProtocolEntry -Text $Message -LogLevel "Error" - Continue - } - - # Check if the user has admin rights, skip test if not - If (-not($IsAdmin)) { - $StatsError++ - $Message = "ID "+$Finding.ID+", "+$Finding.Name+", Method "+$Finding.Method+" requires admin priviliges. Test skipped." - Write-ProtocolEntry -Text $Message -LogLevel "Error" - Continue - } - - $Area = ""; - - Switch($Finding.Category) { - "Account Policies" { $Area = "SECURITYPOLICY"; Break } - "Security Options" { $Area = "SECURITYPOLICY"; Break } - } - - $TempFileName = [System.IO.Path]::GetTempFileName() - $TempDbFileName = [System.IO.Path]::GetTempFileName() - - &$BinarySecedit /export /cfg $TempFileName /areas $Area | Out-Null - - $Data = Get-IniContent $TempFileName - - Set-HashtableValueDeep $Data $Finding.MethodArgument $Finding.RecommendedValue - - Out-IniFile $Data $TempFileName unicode $true - - &$BinarySecedit /import /cfg $TempFileName /overwrite /areas $Area /db $TempDbFileName /quiet | Out-Null - - if($LastExitCode -ne 0) { - $ResultText = "Failed to import security policy into temporary database" - $Message = "ID "+$Finding.ID+", "+$Finding.MethodArgument+", "+$Finding.RecommendedValue+", " + $ResultText - $MessageSeverity = "High" - Write-ResultEntry -Text $Message -SeverityLevel $MessageSeverity - Remove-Item $TempFileName - Remove-Item $TempDbFileName - Continue - } - - $ResultText = "Imported security policy into temporary database" - $Message = "ID "+$Finding.ID+", "+$Finding.MethodArgument+", "+$Finding.RecommendedValue+", " + $ResultText - $MessageSeverity = "Passed" - - Write-ResultEntry -Text $Message -SeverityLevel $MessageSeverity - - &$BinarySecedit /configure /db $TempDbFileName /overwrite /areas SECURITYPOLICY /quiet | Out-Null - - if($LastExitCode -ne 0) { - $ResultText = "Failed to configure security policy" - $Message = "ID "+$Finding.ID+", "+$Finding.MethodArgument+", "+$Finding.RecommendedValue+", " + $ResultText - $MessageSeverity = "High" - Write-ResultEntry -Text $Message -SeverityLevel $MessageSeverity - Remove-Item $TempFileName - Remove-Item $TempDbFileName - Continue - } - - $ResultText = "Configured security policy" - $Message = "ID "+$Finding.ID+", "+$Finding.MethodArgument+", "+$Finding.RecommendedValue+", " + $ResultText - $MessageSeverity = "Passed" - - Write-ResultEntry -Text $Message -SeverityLevel $MessageSeverity - - Remove-Item $TempFileName - Remove-Item $TempDbFileName - } - - # - # auditpol - # Set an audit policy - # - If ($Finding.Method -eq 'auditpol') { - - # Check if binary is available, skip test if not - $BinaryAuditpol = "C:\Windows\System32\auditpol.exe" - If (-Not (Test-Path $BinaryAuditpol)) { - $StatsError++ - $Message = "ID "+$Finding.ID+", "+$Finding.Name+", Method "+$Finding.Method+" requires auditpol, and the binary for auditpol was not found. Test skipped." - Write-ProtocolEntry -Text $Message -LogLevel "Error" - Continue - } - - # Check if the user has admin rights, skip test if not - If (-not($IsAdmin)) { - $StatsError++ - $Message = "ID "+$Finding.ID+", "+$Finding.Name+", Method "+$Finding.Method+" requires admin priviliges. Test skipped." - Write-ProtocolEntry -Text $Message -LogLevel "Error" - Continue - } - - $Success = if($Finding.RecommendedValue -ilike "*success*") {"enable"} else {"disable"} - $Failure = if($Finding.RecommendedValue -ilike "*failure*") {"enable"} else {"disable"} - - $SubCategory = $Finding.MethodArgument - - &$BinaryAuditpol /set /subcategory:"$($SubCategory)" /success:$($Success) /failure:$($Failure) | Out-Null - - if($LastExitCode -eq 0) { - $ResultText = "Audit policy set" - $Message = "ID "+$Finding.ID+", "+$Finding.Name+", "+$Finding.RecommendedValue+", " + $ResultText - $MessageSeverity = "Passed" - } else { - $ResultText = "Failed to set audit policy" - $Message = "ID "+$Finding.ID+", "+$Finding.Name+", "+$Finding.RecommendedValue+", " + $ResultText - $MessageSeverity = "High" - } - - Write-ResultEntry -Text $Message -SeverityLevel $MessageSeverity - } - - # - # accountpolicy - # Set a user account policy - # - If ($Finding.Method -eq 'accountpolicy') { - - # Check if the user has admin rights, skip test if not - If (-not($IsAdmin)) { - $StatsError++ - $Message = "ID "+$Finding.ID+", "+$Finding.Name+", Method "+$Finding.Method+" requires admin priviliges. Test skipped." - Write-ProtocolEntry -Text $Message -LogLevel "Error" - Continue - } - - # Check if binary is available, skip test if not - $BinaryNet = "C:\Windows\System32\net.exe" - If (-Not (Test-Path $BinaryNet)) { - $StatsError++ - $Message = "ID "+$Finding.ID+", "+$Finding.Name+", Method "+$Finding.Method+" requires net, and the binary for net was not found. Test skipped." - Write-ProtocolEntry -Text $Message -LogLevel "Error" - Continue - } - - $Sw = ""; - - Switch ($Finding.Name) { - "Force user logoff how long after time expires" { $Sw = "/FORCELOGOFF:$($Finding.RecommendedValue)"; Break } - "Minimum password age" { $Sw = "/MINPWAGE:$($Finding.RecommendedValue)"; Break } - "Maximum password age" { $Sw = "/MAXPWAGE:$($Finding.RecommendedValue)"; Break } - "Minimum password length" { $Sw = "/MINPWLEN:$($Finding.RecommendedValue)"; Break } - "Length of password history maintained" { $Sw = "/UNIQUEPW:$($Finding.RecommendedValue)"; Break } - "Account lockout threshold" { $Sw = "/lockoutthreshold:$($Finding.RecommendedValue)"; Break; } - "Account lockout duration" { $Sw = @("/lockoutwindow:$($Finding.RecommendedValue)", "/lockoutduration:$($Finding.RecommendedValue)"); Break } - "Reset account lockout counter" { $Sw = "/lockoutwindow:$($Finding.RecommendedValue)"; Break } - } - - &$BinaryNet accounts $Sw | Out-Null - - if($LastExitCode -eq 0) { - $ResultText = "Account policy set" - $Message = "ID "+$Finding.ID+", "+$Finding.Name+", "+$Finding.RecommendedValue+", " + $ResultText - $MessageSeverity = "Passed" - } else { - $ResultText = "Failed to set account policy" - $Message = "ID "+$Finding.ID+", "+$Finding.Name+", "+$Finding.RecommendedValue+", " + $ResultText - $MessageSeverity = "High" - } - - Write-ResultEntry -Text $Message -SeverityLevel $MessageSeverity - } - - # - # Registry - # Create or modify a registry value. - # - If ($Finding.Method -eq 'Registry' -or $Finding.Method -eq 'RegistryList') { - - # Check if the user has admin rights, skip test if not - If (-not($IsAdmin) -and -not($Finding.RegistryPath.StartsWith("HKCU:\"))) { - $StatsError++ - $Message = "ID "+$Finding.ID+", "+$Finding.Name+", Method "+$Finding.Method+" requires admin priviliges. Test skipped." - Write-ProtocolEntry -Text $Message -LogLevel "Error" - Continue - } - - $RegType = "String" - - # - # Basically this is true, but there is an exception for the finding "MitigationOptions_FontBocking", - # the value "10000000000" is written to the registry as a string - # - If ($Finding.RegistryItem -eq "MitigationOptions_FontBocking" -Or $Finding.RegistryItem -eq "Retention") { - $RegType = "String" - } ElseIf ($Finding.RecommendedValue -match "^\d+$") { - $RegType = "DWord" - } - - if(!(Test-Path $Finding.RegistryPath)) { - - $Result = New-Item $Finding.RegistryPath -Force; - - if($Result) { - $ResultText = "Registry key created" - $Message = "ID "+$Finding.ID+", "+$Finding.RegistryPath+", " + $ResultText - $MessageSeverity = "Passed" - Write-ResultEntry -Text $Message -SeverityLevel $MessageSeverity - } else { - $ResultText = "Failed to create registry key" - $Message = "ID "+$Finding.ID+", "+$Finding.RegistryPath+", " + $ResultText - $MessageSeverity = "High" - Write-ResultEntry -Text $Message -SeverityLevel $MessageSeverity - Continue - } - } - - # - # The method RegistryList needs a separate handling, because the name of the registry key is dynamic, usually incremented. - # Therefore, it is searched whether the value already exists or not. If the value does not exist, it counts how many - # other values are already there in order to set the next higher value and not overwrite existing keys. - # - If ($Finding.Method -eq 'RegistryList') { - - $ResultList = Get-ItemProperty -Path $Finding.RegistryPath - $ResultListCounter = 0 - If ($ResultList | Where-Object { $_ -like "*"+$Finding.RegistryItem+"*" }) { - $ResultList.PSObject.Properties | ForEach-Object { - If ( $_.Value -eq $Finding.RegistryItem ) { - $Finding.RegistryItem = $_.Value.Name - Continue - } - } - } - Else { - $ResultList.PSObject.Properties | ForEach-Object { - $ResultListCounter++ - } - } - If ($ResultListCounter -eq 0) { - $Finding.RegistryItem = 1 - } - Else { - $Finding.RegistryItem = $ResultListCounter - 4 - } - } - - $Result = Set-Itemproperty -PassThru -Path $Finding.RegistryPath -Name $Finding.RegistryItem -Type $RegType -Value $Finding.RecommendedValue - - if($Result) { - $ResultText = "Registry value created/modified" - $Message = "ID "+$Finding.ID+", "+$Finding.RegistryPath+", "+$Finding.RegistryItem+", " + $ResultText - $MessageSeverity = "Passed" - } else { - $ResultText = "Failed to create registry value" - $Message = "ID "+$Finding.ID+", "+$Finding.RegistryPath+", "+$Finding.RegistryItem+", " + $ResultText - $MessageSeverity = "High" - } - - Write-ResultEntry -Text $Message -SeverityLevel $MessageSeverity - } - - # - # Exploit protection - # Set exploit protection values - # - # I noticed irregularities when the process mitigations were set individually, - # in some cases settings that had already been set were then reset. Therefore, - # the settings are collected in an array and finally set at the end of the processing. - # - If ($Finding.Method -eq 'Processmitigation') { - - # Check if the user has admin rights, skip test if not - If (-not($IsAdmin)) { - $StatsError++ - $Message = "ID "+$Finding.ID+", "+$Finding.Name+", Method "+$Finding.Method+" requires admin priviliges. Test skipped." - Write-ProtocolEntry -Text $Message -LogLevel "Error" - Continue - } - - $SettingArgumentArray = $Finding.MethodArgument.Split(".") - $SettingArgument0 = $SettingArgumentArray[0] - $SettingArgument1 = $SettingArgumentArray[1] - - If ( $Finding.RecommendedValue -eq "ON") { - - If ( $SettingArgumentArray[1] -eq "Enable" ) { - $ProcessmitigationEnableArray += $SettingArgumentArray[0] - } Else { - $ProcessmitigationEnableArray += $SettingArgumentArray[1] - } - } - ElseIf ( $Finding.RecommendedValue -eq "OFF") { - - If ($SettingArgumentArray[1] -eq "TelemetryOnly") { - $ProcessmitigationDisableArray += "SEHOPTelemetry" - } - ElseIf ( $SettingArgumentArray[1] -eq "Enable" ) { - $ProcessmitigationDisableArray += $SettingArgumentArray[0] - } - Else { - $ProcessmitigationDisableArray += $SettingArgumentArray[1] - } - } - $ResultText = "setting added to list" - $Message = "ID "+$Finding.ID+", "+$Finding.Name+", " + $ResultText - $MessageSeverity = "Passed" - Write-ResultEntry -Text $Message -SeverityLevel $MessageSeverity - } - - # - # WindowsOptionalFeature - # Install / Remove a Windows feature - # - If ($Finding.Method -eq 'WindowsOptionalFeature') { - - # Check if the user has admin rights, skip test if not - If (-not($IsAdmin)) { - $StatsError++ - $Message = "ID "+$Finding.ID+", "+$Finding.Name+", Method "+$Finding.Method+" requires admin priviliges. Test skipped." - Write-ProtocolEntry -Text $Message -LogLevel "Error" - Continue - } - - # - # Check if feature is installed and should be removed, or - # it is missing and should be installed - # - try { - $ResultOutput = Get-WindowsOptionalFeature -Online -FeatureName $Finding.MethodArgument - $Result = $ResultOutput.State - } catch { - $ResultText = "Could not check status" - $Message = "ID "+$Finding.ID+", "+$Finding.Name+", " + $ResultText - $MessageSeverity = "High" - Write-ResultEntry -Text $Message -SeverityLevel $MessageSeverity - Continue - } - - # Feature will be installed - If ($Result -eq "Enabled" -and $Finding.RecommendedValue -eq "Disabled") { - - try { - $Result = Disable-WindowsOptionalFeature -Online -FeatureName $Finding.MethodArgument - } catch { - $ResultText = "Could not be removed" - $Message = "ID "+$Finding.ID+", "+$Finding.Name+", " + $ResultText - $MessageSeverity = "High" - Write-ResultEntry -Text $Message -SeverityLevel $MessageSeverity - Continue - } - - $ResultText = "Feature removed" - $Message = "ID "+$Finding.ID+", "+$Finding.Name+", " + $ResultText - $MessageSeverity = "Passed" - } - # No changes required - ElseIf ($Result -eq "Disabled" -and $Finding.RecommendedValue -eq "Disabled") { - $ResultText = "Feature is not installed" - $Message = "ID "+$Finding.ID+", "+$Finding.Name+", " + $ResultText - $MessageSeverity = "Passed" - } - # Feature will be installed - ElseIf ($Result -eq "Disabled" -and $Finding.RecommendedValue -eq "Enabled") { - - try { - $Result = Enable-WindowsOptionalFeature -Online -FeatureName $Finding.MethodArgument - } catch { - $ResultText = "Could not be installed" - $Message = "ID "+$Finding.ID+", "+$Finding.Name+", " + $ResultText - $MessageSeverity = "High" - Write-ResultEntry -Text $Message -SeverityLevel $MessageSeverity - Continue - } - - $ResultText = "Feature installed" - $Message = "ID "+$Finding.ID+", "+$Finding.Name+", " + $ResultText - $MessageSeverity = "Passed" - } - # No changes required - ElseIf ($Result -eq "Enabled" -and $Finding.RecommendedValue -eq "Enabled") { - $ResultText = "Feature is already installed" - $Message = "ID "+$Finding.ID+", "+$Finding.Name+", " + $ResultText - $MessageSeverity = "Passed" - } - - Write-ResultEntry -Text $Message -SeverityLevel $MessageSeverity - - If ($Log) { - Add-MessageToFile -Text $Message -File $LogFile - } - - If ($Report) { - $Message = '"'+$Finding.ID+'","'+$Finding.Name+'","'+$ResultText+'"' - Add-MessageToFile -Text $Message -File $ReportFile - } - } - - # - # FirewallRule - # Create a firewall rule. First it will be checked if the rule already exists - # - If ($Finding.Method -eq 'FirewallRule') { - - # Check if the user has admin rights, skip test if not - If (-not($IsAdmin)) { - $StatsError++ - $Message = "ID "+$Finding.ID+", "+$Finding.Name+", Method "+$Finding.Method+" requires admin priviliges. Test skipped." - Write-ProtocolEntry -Text $Message -LogLevel "Error" - Continue - } - - $FwRule = $Finding.MethodArgument - $FwRuleArray = $FwRule.Split("|") - - $FwDisplayName = $Finding.Name - $FwProfile = $FwRuleArray[0] - $FwDirection = $FwRuleArray[1] - $FwAction = $FwRuleArray[2] - $FwProtocol = $FwRuleArray[3] - $FwLocalPort = @($FwRuleArray[4]).Split(",") - $FwProgram = $FwRuleArray[5] - - # Check if rule already exists - try { - - $ResultOutput = Get-NetFirewallRule -DisplayName $FwDisplayName 2> $null - $Result = $ResultOutput.Enabled - - } catch { - $Result = $Finding.DefaultValue - } - - # Go on if rule not exists - If (-Not $Result) { - - If ($FwProgram -eq "") { - - $ResultRule = New-NetFirewallRule -DisplayName $FwDisplayName -Profile $FwProfile -Direction $FwDirection -Action $FwAction -Protocol $FwProtocol -LocalPort $FwLocalPort - } - Else { - $ResultRule = New-NetFirewallRule -DisplayName $FwDisplayName -Profile $FwProfile -Direction $FwDirection -Action $FwAction -Program "$FwProgram" - } - - If ($ResultRule.PrimaryStatus -eq "OK") { - - # Excellent - $ResultText = "Rule created" - $Message = "ID "+$Finding.ID+", "+$Finding.Name+", " + $ResultText - $MessageSeverity = "Passed" - } - Else { - # Bogus - $ResultText = "Rule not created" - $Message = "ID "+$Finding.ID+", "+$Finding.Name+", " + $ResultText - $MessageSeverity = "High" - } - } - Else { - # Excellent - $ResultText = "Rule already exists" - $Message = "ID "+$Finding.ID+", "+$Finding.Name+", " + $ResultText - $MessageSeverity = "Passed" - } - - Write-ResultEntry -Text $Message -SeverityLevel $MessageSeverity - - If ($Log) { - Add-MessageToFile -Text $Message -File $LogFile - } - - If ($Report) { - $Message = '"'+$Finding.ID+'","'+$Finding.Name+'","'+$ResultText+'"' - Add-MessageToFile -Text $Message -File $ReportFile - } - } - - # - # bcdedit - # Force use of Data Execution Prevention, if it is not already set - # - If ($Finding.Method -eq 'bcdedit') { - - # Check if the user has admin rights, skip test if not - If (-not($IsAdmin)) { - $StatsError++ - $Message = "ID "+$Finding.ID+", "+$Finding.Name+", Method "+$Finding.Method+" requires admin priviliges. Test skipped." - Write-ProtocolEntry -Text $Message -LogLevel "Error" - Continue - } - - # Check if binary is available, skip test if not - $BinaryBcdedit = "C:\Windows\System32\bcdedit.exe" - If (-Not (Test-Path $BinaryBcdedit)) { - $StatsError++ - $Message = "ID "+$Finding.ID+", "+$Finding.Name+", Method "+$Finding.Method+" requires bcdedit, and the binary for bcdedit was not found. Test skipped." - Write-ProtocolEntry -Text $Message -LogLevel "Error" - Continue - } - - try { - - $ResultOutput = &$BinaryBcdedit - $ResultOutput = $ResultOutput | Where-Object { $_ -like "*"+$Finding.RecommendedValue+"*" } - - If ($ResultOutput -match ' ([a-z,A-Z]+)') { - $Result = $Matches[1] - } Else { - $Result = $Finding.DefaultValue - } - - } catch { - $Result = $Finding.DefaultValue - } - - If ($Result -ne $Finding.RecommendedValue) { - - try { - - $ResultOutput = &$BinaryBcdedit "/set" $Finding.MethodArgument $Finding.RecommendedValue - - } catch { - - $ResultText = "Setting could not be enabled" - $Message = "ID "+$Finding.ID+", "+$Finding.Name+", " + $ResultText - $MessageSeverity = "High" - } - - $ResultText = "Setting enabled. Please restart the system to activate it" - $Message = "ID "+$Finding.ID+", "+$Finding.Name+", " + $ResultText - $MessageSeverity = "Passed" - } Else { - - $ResultText = "Setting is already set correct" - $Message = "ID "+$Finding.ID+", "+$Finding.Name+", " + $ResultText - $MessageSeverity = "Passed" - } - - Write-ResultEntry -Text $Message -SeverityLevel $MessageSeverity - - If ($Log) { - Add-MessageToFile -Text $Message -File $LogFile - } - - If ($Report) { - $Message = '"'+$Finding.ID+'","'+$Finding.Name+'","'+$ResultText+'"' - Add-MessageToFile -Text $Message -File $ReportFile - } - } - } - - # - # After all items of the checklist have been run through, the process mitigation settings can now be set... - # - If ( $ProcessmitigationEnableArray.Count -gt 0 -and $ProcessmitigationDisableArray.Count -gt 0) { - - $ResultText = "Process mitigation settings set" - $MessageSeverity = "Passed" - - try { - $Result = Set-Processmitigation -System -Enable $ProcessmitigationEnableArray -Disable $ProcessmitigationDisableArray - } - catch { - $ResultText = "Failed to set process mitigation settings" - $MessageSeverity = "High" - } - - $Message = "Starting Category Microsoft Defender Exploit Guard" - Write-Output "`n" - Write-ProtocolEntry -Text $Message -LogLevel "Info" - - $Message = $ResultText - Write-ResultEntry -Text $Message -SeverityLevel $MessageSeverity - } - ElseIf ($ProcessmitigationEnableArray.Count -gt 0 -and $ProcessmitigationDisableArray.Count -eq 0) { - $ResultText = "Process mitigation settings set" - $MessageSeverity = "Passed" - - try { - $Result = Set-Processmitigation -System -Enable $ProcessmitigationEnableArray - } - catch { - $ResultText = "Failed to set process mitigation settings" - $MessageSeverity = "High" - } - - $Message = "Starting Category Microsoft Defender Exploit Guard" - Write-Output "`n" - Write-ProtocolEntry -Text $Message -LogLevel "Info" - - $Message = $ResultText - Write-ResultEntry -Text $Message -SeverityLevel $MessageSeverity - } - ElseIf ($ProcessmitigationEnableArray.Count -eq 0 -and $ProcessmitigationDisableArray.Count -gt 0) { - $ResultText = "Process mitigation settings set" - $MessageSeverity = "Passed" - - try { - $Result = Set-Processmitigation -System -Disable $ProcessmitigationDisableArray - } - catch { - $ResultText = "Failed to set process mitigation settings" - $MessageSeverity = "High" - } - - $Message = "Starting Category Microsoft Defender Exploit Guard" - Write-Output "`n" - Write-ProtocolEntry -Text $Message -LogLevel "Info" - - $Message = $ResultText - Write-ResultEntry -Text $Message -SeverityLevel $MessageSeverity - } - } - - Write-Output "`n" - Write-ProtocolEntry -Text "HardeningKitty is done" -LogLevel "Info" - - If ($Mode -eq "Audit") { - - # HardeningKitty Score - $StatsTotal = $StatsPassed + $StatsLow + $StatsMedium + $StatsHigh - $ScoreTotal = $StatsTotal * 4 - $ScoreAchived = $StatsPassed * 4 + $StatsLow * 2 + $StatsMedium - If ($ScoreTotal -ne 0 ) { - $HardeningKittyScore = ([int] $ScoreAchived / [int] $ScoreTotal) * 5 + 1 - } - $HardeningKittyScoreRounded = [math]::round($HardeningKittyScore,2) - - # Overwrite HardeningKitty Score if no finding is passed - If ($StatsPassed -eq 0 ) { - $HardeningKittyScoreRounded = 1.00 - } - - If ($StatsError -gt 0) { - Write-ProtocolEntry -Text "During the execution of HardeningKitty errors occurred due to missing admin rights or tools. For a complete result, these errors should be resolved. Total errors: $StatsError" -LogLevel "Error" - } - - Write-ProtocolEntry -Text "Your HardeningKitty score is: $HardeningKittyScoreRounded. HardeningKitty Statistics: Total checks: $StatsTotal - Passed: $StatsPassed, Low: $StatsLow, Medium: $StatsMedium, High: $StatsHigh." -LogLevel "Info" - } - Write-Output "`n" -} +Function Invoke-HardeningKitty { + + <# + .SYNOPSIS + + Invoke-HardeningKitty - Checks and hardens your Windows configuration + + + =^._.^= + _( )/ HardeningKitty + + + Author: Michael Schneider + License: MIT + Required Dependencies: None + Optional Dependencies: None + + + .DESCRIPTION + + HardeningKitty supports hardening of a Windows system. The configuration of the system is + retrieved and assessed using a finding list. In addition, the system can be hardened according + to predefined values. HardeningKitty reads settings from the registry and uses other modules + to read configurations outside the registry. + + + .PARAMETER FileFindingList + + Path to a finding list in CSV format. HardeningKitty has one list each for machine and user settings. + + + .PARAMETER Mode + + The mode Config only retrieves the settings, while the mode Audit performs an assessment of the settings. + The mode HailMary hardens the system according to recommendations of the HardeningKitty list. + + + .PARAMETER EmojiSupport + + The use of emoji is activated. The terminal should support this accordingly. Windows Terminal + offers full support. + + + .PARAMETER Log + + The logging function is activated. The script output is additionally logged in a file. The file + name is assigned by HardeningKitty itself and the file is stored in the same directory as the script. + + + .PARAMETER LogFile + + The name and location of the log file can be defined by the user. + + + .PARAMETER Report + + The retrieved settings and their assessment result are stored in CSV format in a machine-readable format. + The file name is assigned by HardeningKitty itself and the file is stored in the same directory as the script. + + + .PARAMETER ReportFile + + The name and location of the report file can be defined by the user. + + .PARAMETER Backup + + The retrieved settings and their assessment result are stored in CSV format in a machine-readable format with all value to backup your previous config. + + .PARAMETER SkipMachineInformation + + Information about the system is not queried and displayed. This may be useful while debugging or + using multiple lists on the same system. + + .EXAMPLE + + Description: HardeningKitty performs an audit, saves the results and creates a log file: + Invoke-HardeningKitty -Mode Audit -Log -Report + + Description: HardeningKitty performs an audit with a specific list and does not show machine information: + Invoke-HardeningKitty -FileFindingList .\lists\finding_list_0x6d69636b_user.csv -SkipMachineInformation + + Description: HardeningKitty ready only the setting with the default list, and saves the results in a specific file: + Invoke-HardeningKitty -Mode Config -Report -Report C:\tmp\my_hardeningkitty_report.log + + #> + + [CmdletBinding()] + Param ( + + # Definition of the finding list, default is machine setting list + [ValidateScript({Test-Path $_})] + [String] + $FileFindingList, + + # Choose mode, read system config, audit system config, harden system config + [ValidateSet("Audit","Config","HailMary")] + [String] + $Mode = "Audit", + + # Activate emoji support for Windows Terminal + [Switch] + $EmojiSupport = $false, + + # Create a log file + [Switch] + $Log = $false, + + # Skip machine information, useful when debugging + [Switch] + $SkipMachineInformation = $false, + + # Skip language warning, if you understand the risk + [Switch] + $SkipLanguageWarning = $false, + + # Define name and path of the log file + [String] + $LogFile, + + # Create a report file in CSV format + [Switch] + $Report = $false, + + # Define name and path of the report file + [String] + $ReportFile, + + # Create a backup config file in CSV format + [Switch] + $Backup = $false, + + # Define name and path of the report file + [String] + $BackupFile + ) + + Function Write-ProtocolEntry { + + <# + .SYNOPSIS + + Output of an event with timestamp and different formatting + depending on the level. If the Log parameter is set, the + output is also stored in a file. + #> + + [CmdletBinding()] + Param ( + + [String] + $Text, + + [String] + $LogLevel + ) + + $Time = Get-Date -Format G + + Switch ($LogLevel) { + "Info" { $Message = "[*] $Time - $Text"; Write-Host $Message; Break} + "Debug" { $Message = "[-] $Time - $Text"; Write-Host -ForegroundColor Cyan $Message; Break} + "Warning" { $Message = "[?] $Time - $Text"; Write-Host -ForegroundColor Yellow $Message; Break} + "Error" { $Message = "[!] $Time - $Text"; Write-Host -ForegroundColor Red $Message; Break} + "Success" { $Message = "[$] $Time - $Text"; Write-Host -ForegroundColor Green $Message; Break} + "Notime" { $Message = "[*] $Text"; Write-Host -ForegroundColor Gray $Message; Break} + Default { $Message = "[*] $Time - $Text"; Write-Host $Message; } + } + + If ($Log) { + Add-MessageToFile -Text $Message -File $LogFile + } + } + + Function Add-MessageToFile { + + <# + .SYNOPSIS + + Write message to a file, this function can be used for logs, + reports, backups and more. + #> + + [CmdletBinding()] + Param ( + + [String] + $Text, + + [String] + $File + ) + + try { + Add-Content -Path $File -Value $Text -ErrorAction Stop + } catch { + Write-ProtocolEntry -Text "Error while writing log entries into $File. Aborting..." -LogLevel "Error" + Break + } + + } + + Function Write-ResultEntry { + + <# + .SYNOPSIS + + Output of the assessment result with different formatting + depending on the severity level. If emoji support is enabled, + a suitable symbol is used for the severity rating. + #> + + [CmdletBinding()] + Param ( + + [String] + $Text, + + [String] + $SeverityLevel + ) + + If ($EmojiSupport.IsPresent) { + + Switch ($SeverityLevel) { + + "Passed" { $Emoji = [char]::ConvertFromUtf32(0x1F63A); $Message = "[$Emoji] $Text"; Write-Host -ForegroundColor Gray $Message; Break} + "Low" { $Emoji = [char]::ConvertFromUtf32(0x1F63C); $Message = "[$Emoji] $Text"; Write-Host -ForegroundColor Cyan $Message; Break} + "Medium" { $Emoji = [char]::ConvertFromUtf32(0x1F63F); $Message = "[$Emoji] $Text"; Write-Host -ForegroundColor Yellow $Message; Break} + "High" { $Emoji = [char]::ConvertFromUtf32(0x1F640); $Message = "[$Emoji] $Text"; Write-Host -ForegroundColor Red $Message; Break} + Default { $Message = "[*] $Text"; Write-Host $Message; } + } + + } Else { + + Switch ($SeverityLevel) { + + "Passed" { $Message = "[+] $Text"; Write-Host -ForegroundColor Gray $Message; Break} + "Low" { $Message = "[-] $Text"; Write-Host -ForegroundColor Cyan $Message; Break} + "Medium" { $Message = "[$] $Text"; Write-Host -ForegroundColor Yellow $Message; Break} + "High" { $Message = "[!] $Text"; Write-Host -ForegroundColor Red $Message; Break} + Default { $Message = "[*] $Text"; Write-Host $Message; } + } + } + } + + Function Get-IniContent ($filePath) { + + <# + .SYNOPSIS + + Read a .ini file into a tree of hashtables + + .NOTES + + Original source see https://devblogs.microsoft.com/scripting/use-powershell-to-work-with-any-ini-file/ + #> + + $ini = @{} + switch -regex -file $FilePath + { + “^\[(.+)\]” { # Section + $section = $matches[1] + $ini[$section] = @{} + $CommentCount = 0 + } + “^(;.*)$” { # Comment + $value = $matches[1] + $CommentCount = $CommentCount + 1 + $name = “Comment” + $CommentCount + $ini[$section][$name] = $value + } + “(.+?)\s*=(.*)” { # Key + $name,$value = $matches[1..2] + $ini[$section][$name] = $value + } + } + + return $ini + } + + Function Out-IniFile($InputObject, $FilePath, $Encoding) { + + <# + .SYNOPSIS + + Write a hashtable out to a .ini file + + .NOTES + + Original source see https://devblogs.microsoft.com/scripting/use-powershell-to-work-with-any-ini-file/ + #> + + $outFile = New-Item -Force -ItemType file -Path $Filepath + + foreach ($i in $InputObject.keys) { + if (!($($InputObject[$i].GetType().Name) -eq "Hashtable")) { + #No Sections + Add-Content -Encoding $Encoding -Path $outFile -Value "$i=$($InputObject[$i])" + } else { + #Sections + Add-Content -Encoding $Encoding -Path $outFile -Value "[$i]" + Foreach ($j in ($InputObject[$i].keys | Sort-Object)) { + if ($j -match "^Comment[\d]+") { + Add-Content -Encoding $Encoding -Path $outFile -Value "$($InputObject[$i][$j])" + } else { + Add-Content -Encoding $Encoding -Path $outFile -Value "$j=$($InputObject[$i][$j])" + } + } + Add-Content -Encoding $Encoding -Path $outFile -Value "" + } + } + } + + Function Get-HashtableValueDeep { + + <# + .SYNOPSIS + + Get a value from a tree of hashtables + #> + + [CmdletBinding()] + Param ( + + [Hashtable] + $Table, + + [String] + $Path + ) + + $Key = $Path.Split('\', 2) + + $Entry = $Table[$Key[0]] + + if($Entry -is [hashtable] -and $Key.Length -eq 1) { + throw "Path is incomplete (expected a leaf but still on a branch)" + } + + if($Entry -is [hashtable]) { + return Get-HashtableValueDeep $Entry $Key[1]; + } else { + if($Key.Length -eq 1) { + return $Entry + } else { + throw "Path is too long (expected a branch but arrived at a leaf before the end of the path)" + } + } + } + + Function Set-HashtableValueDeep { + + <# + .SYNOPSIS + + Set a value in a tree of hashtables + #> + + [CmdletBinding()] + Param ( + + [Hashtable] + $Table, + + [String] + $Path, + + [String] + $Value + ) + + $Key = $Path.Split('\', 2) + + $Entry = $Table[$Key[0]] + + if($Key.Length -eq 2) { + if($null -eq $Entry) { + $Table[$Key[0]] = @{} + } elseif($Entry -isnot [hashtable]) { + throw "Not hashtable" + } + + return Set-HashtableValueDeep $Table[$Key[0]] $Key[1] $Value; + } elseif($Key.Length -eq 1) { + $Table[$Key[0]] = $Value; + } + } + + Function Get-SidFromAccount { + + <# + .SYNOPSIS + + Translate the account name (user or group) into the Security Identifier (SID) + #> + + [CmdletBinding()] + Param ( + + [String] + $AccountName + ) + + try { + + $AccountObject = New-Object System.Security.Principal.NTAccount($AccountName) + $AccountSid = $AccountObject.Translate([System.Security.Principal.SecurityIdentifier]).Value + + } catch { + + # If translation fails, return account name + $AccountSid = $AccountName + } + + Return $AccountSid + } + + Function Get-AccountFromSid { + + <# + .SYNOPSIS + + Translate the Security Identifier (SID) into the account name (user or group) + #> + + [CmdletBinding()] + Param ( + + [String] + $AccountSid + ) + + try { + + $AccountObject = New-Object System.Security.Principal.SecurityIdentifier ($AccountSid) + $AccountName = $AccountObject.Translate([System.Security.Principal.NTAccount]).Value + + } catch { + + # If translation fails, return account SID + $AccountName = $AccountSid + } + + Return $AccountName + } + + Function Translate-SidFromWellkownAccount { + + <# + .SYNOPSIS + + Translate the well-known account name (user or group) into the Security Identifier (SID) + No attempt is made to get a Computer SID or Domain SID to identify groups such as Domain Admins, + as the possibility for false positives is too great. In this case the account name is returned. + #> + + [CmdletBinding()] + Param ( + + [String] + $AccountName + ) + + Switch ($AccountName) { + + "BUILTIN\Account Operators" { $AccountSid = "S-1-5-32-548"; Break} + "BUILTIN\Administrators" { $AccountSid = "S-1-5-32-544"; Break} + "BUILTIN\Backup Operators" { $AccountSid = "S-1-5-32-551"; Break} + "BUILTIN\Guests" { $AccountSid = "S-1-5-32-546"; Break} + "BUILTIN\Power Users" { $AccountSid = "S-1-5-32-547"; Break} + "BUILTIN\Print Operators" { $AccountSid = "S-1-5-32-550"; Break} + "BUILTIN\Remote Desktop Users" { $AccountSid = "S-1-5-32-555"; Break} + "BUILTIN\Server Operators" { $AccountSid = "S-1-5-32-549"; Break} + "BUILTIN\Users" { $AccountSid = "S-1-5-32-545"; Break} + "Everyone" { $AccountSid = "S-1-1-0"; Break} + "NT AUTHORITY\ANONYMOUS LOGON" { $AccountSid = "S-1-5-7"; Break} + "NT AUTHORITY\Authenticated Users" { $AccountSid = "S-1-5-11"; Break} + "NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS" { $AccountSid = "S-1-5-9"; Break} + "NT AUTHORITY\IUSR" { $AccountSid = "S-1-5-17"; Break} + "NT AUTHORITY\Local account and member of Administrators group" { $AccountSid = "S-1-5-114"; Break} + "NT AUTHORITY\Local account" { $AccountSid = "S-1-5-113"; Break} + "NT AUTHORITY\LOCAL SERVICE" { $AccountSid = "S-1-5-19"; Break} + "NT AUTHORITY\NETWORK SERVICE" { $AccountSid = "S-1-5-20"; Break} + "NT AUTHORITY\SERVICE" { $AccountSid = "S-1-5-6"; Break} + "NT AUTHORITY\SYSTEM" { $AccountSid = "S-1-5-18"; Break} + "NT SERVICE\WdiServiceHost" { $AccountSid = "S-1-5-80-3139157870-2983391045-3678747466-658725712-1809340420"; Break} + "NT VIRTUAL MACHINE\Virtual Machines" { $AccountSid = "S-1-5-83-0"; Break} + "Window Manager\Window Manager Group" { $AccountSid = "S-1-5-90-0"; Break} + Default { $AccountSid = $AccountName } + } + + Return $AccountSid + } + + function Write-NotAdminError { + [CmdletBinding()] + param ( + [String] + $FindingID, + [String] + $FindingName, + [string] + $FindingMethod + ) + + $Script:StatsError++ + $Message = "ID "+$FindingID+", "+$FindingName+", Method "+$FindingMethod+" requires admin priviliges. Test skipped." + Write-ProtocolEntry -Text $Message -LogLevel "Error" + } + + function Write-BinaryError { + [CmdletBinding()] + param ( + [String] + $Binary, + [String] + $FindingID, + [String] + $FindingName, + [string] + $FindingMethod + ) + $Script:StatsError++ + $Message = "ID "+$FindingID+", "+$FindingName+", Method "+$FindingMethod+" requires $Binary and it was not found. Test skipped." + Write-ProtocolEntry -Text $Message -LogLevel "Error" + } + + # + # Binary Locations + # + $BinarySecedit = "C:\Windows\System32\secedit.exe" + $BinaryAuditpol = "C:\Windows\System32\auditpol.exe" + $BinaryNet = "C:\Windows\System32\net.exe" + $BinaryBcdedit = "C:\Windows\System32\bcdedit.exe" + + # + # Start Main + # + $HardeningKittyVersion = "0.8.0-1656567332" + + # + # Log, report and backup file + # + $Hostname = $env:COMPUTERNAME.ToLower() + $FileDate = Get-Date -Format yyyyMMdd-HHmmss + $WinSystemLocale = Get-WinSystemLocale + $PowerShellVersion = "$($PSVersionTable.PSVersion.Major).$($PSVersionTable.PSVersion.Minor)" + + If ($FileFindingList.Length -eq 0) { + $ListName = "finding_list_0x6d69636b_machine" + } Else { + $ListName = [System.IO.Path]::GetFileNameWithoutExtension($FileFindingList) + } + + If ($Log.IsPresent -and $LogFile.Length -eq 0) { + $LogFile = "hardeningkitty_log_"+$Hostname+"_"+$ListName+"-$FileDate.log" + } + If ($Report.IsPresent -and $ReportFile.Length -eq 0) { + $ReportFile = "hardeningkitty_report_"+$Hostname+"_"+$ListName+"-$FileDate.csv" + } + If ($Report.IsPresent) { + $Message = '"ID","Name","Severity","Result","Recommended"' + Add-MessageToFile -Text $Message -File $ReportFile + } + If ($Backup.IsPresent -and $BackupFile.Length -eq 0) { + $BackupFile = "hardeningkitty_backup_"+$Hostname+"_"+$ListName+"-$FileDate.csv" + } + If ($Backup.IsPresent) { + $Message = '"ID","Category","Name","Method","MethodArgument","RegistryPath","RegistryItem","ClassName","Namespace","Property","DefaultValue","RecommendedValue","Operator","Severity"' + Add-MessageToFile -Text $Message -File $BackupFile + } + + # + # Statistics + # + $StatsPassed = 0 + $StatsLow = 0 + $StatsMedium = 0 + $StatsHigh = 0 + $StatsTotal = 0 + $Script:StatsError = 0 + + # + # Header + # + Write-Output "`n" + Write-Output " =^._.^=" + Write-Output " _( )/ HardeningKitty $HardeningKittyVersion" + Write-Output "`n" + Write-ProtocolEntry -Text "Starting HardeningKitty" -LogLevel "Info" + + # + # Machine information + # + If (-not($SkipMachineInformation)) { + + Write-Output "`n" + Write-ProtocolEntry -Text "Getting machine information" -LogLevel "Info" + + # + # The Get-ComputerInfo cmdlet gets a consolidated object of system + # and operating system properties. This cmdlet was introduced in Windows PowerShell 5.1. + # + If ($PowerShellVersion -le 5.0) { + + try { + + $OperatingSystem = Get-CimInstance Win32_operatingsystem + $ComputerSystem = Get-CimInstance Win32_ComputerSystem + Switch ($ComputerSystem.domainrole) { + "0" { $Domainrole = "Standalone Workstation"; Break} + "1" { $Domainrole = "Member Workstation"; Break} + "2" { $Domainrole = "Standalone Server"; Break} + "3" { $Domainrole = "Member Server"; Break} + "4" { $Domainrole = "Backup Domain Controller"; Break} + "5" { $Domainrole = "Primary Domain Controller"; Break} + } + $Uptime = (Get-Date) - $OperatingSystem.LastBootUpTime + + $Message = "Hostname: "+$OperatingSystem.CSName + Write-ProtocolEntry -Text $Message -LogLevel "Notime" + $Message = "Domain: "+$ComputerSystem.Domain + Write-ProtocolEntry -Text $Message -LogLevel "Notime" + $Message = "Domain role: "+$Domainrole + Write-ProtocolEntry -Text $Message -LogLevel "Notime" + $Message = "Install date: "+$OperatingSystem.InstallDate + Write-ProtocolEntry -Text $Message -LogLevel "Notime" + $Message = "Last Boot Time: "+$OperatingSystem.LastBootUpTime + Write-ProtocolEntry -Text $Message -LogLevel "Notime" + $Message = "Uptime: "+$Uptime + Write-ProtocolEntry -Text $Message -LogLevel "Notime" + $Message = "Windows: "+$OperatingSystem.Caption + Write-ProtocolEntry -Text $Message -LogLevel "Notime" + $Message = "Windows version: "+$OperatingSystem.Version + Write-ProtocolEntry -Text $Message -LogLevel "Notime" + $Message = "Windows build: "+$OperatingSystem.BuildNumber + Write-ProtocolEntry -Text $Message -LogLevel "Notime" + $Message = "System-locale: "+$WinSystemLocale.Name + Write-ProtocolEntry -Text $Message -LogLevel "Notime" + $Message = "Powershell Version: "+$PowerShellVersion + Write-ProtocolEntry -Text $Message -LogLevel "Notime" + } catch { + Write-ProtocolEntry -Text "Getting machine information failed." -LogLevel "Warning" + } + } + Else { + + $MachineInformation = Get-ComputerInfo + $Message = "Hostname: "+$MachineInformation.CsDNSHostName + Write-ProtocolEntry -Text $Message -LogLevel "Notime" + $Message = "Domain: "+$MachineInformation.CsDomain + Write-ProtocolEntry -Text $Message -LogLevel "Notime" + $Message = "Domain role: "+$MachineInformation.CsDomainRole + Write-ProtocolEntry -Text $Message -LogLevel "Notime" + $Message = "Install date: "+$MachineInformation.OsInstallDate + Write-ProtocolEntry -Text $Message -LogLevel "Notime" + $Message = "Last Boot Time: "+$MachineInformation.OsLastBootUpTime + Write-ProtocolEntry -Text $Message -LogLevel "Notime" + $Message = "Uptime: "+$MachineInformation.OsUptime + Write-ProtocolEntry -Text $Message -LogLevel "Notime" + $Message = "Windows: "+$MachineInformation.WindowsProductName + Write-ProtocolEntry -Text $Message -LogLevel "Notime" + $Message = "Windows edition: "+$MachineInformation.WindowsEditionId + Write-ProtocolEntry -Text $Message -LogLevel "Notime" + $Message = "Windows version: "+$MachineInformation.WindowsVersion + Write-ProtocolEntry -Text $Message -LogLevel "Notime" + $Message = "Windows build: "+$MachineInformation.WindowsBuildLabEx + Write-ProtocolEntry -Text $Message -LogLevel "Notime" + $Message = "System-locale: "+$WinSystemLocale.Name + Write-ProtocolEntry -Text $Message -LogLevel "Notime" + $Message = "Powershell Version: "+$PowerShellVersion + Write-ProtocolEntry -Text $Message -LogLevel "Notime" + } + } + + # + # Warning for non-english systems + # + If ($WinSystemLocale.Name -ne "en-US" -and -not($SkipLanguageWarning)) { + Write-Output "`n" + Write-ProtocolEntry -Text "Language warning" -LogLevel "Info" + $Message = "HardeningKitty was developed for the system language 'en-US'. This system uses '"+$WinSystemLocale.Name+"' Language-dependent analyses can sometimes produce false results. Please create an issue if this occurs." + Write-ProtocolEntry -Text $Message -LogLevel "Warning" + } + + # + # User information + # + Write-Output "`n" + Write-ProtocolEntry -Text "Getting user information" -LogLevel "Info" + + $Message = "Username: "+[Security.Principal.WindowsIdentity]::GetCurrent().Name + Write-ProtocolEntry -Text $Message -LogLevel "Notime" + $IsAdmin = ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator") + $Message = "Is Admin: "+$IsAdmin + Write-ProtocolEntry -Text $Message -LogLevel "Notime" + + # + # Start Config/Audit mode + # The processing is done per category of the finding list. + # The finding list defines which module is used and the arguments and recommended values for the test. + # + If ($Mode -eq "Audit" -or $Mode -eq "Config") { + + # A CSV finding list is imported. HardeningKitty has one machine and one user list. + If ($FileFindingList.Length -eq 0) { + + $CurrentLocation = Get-Location + $DefaultList = "$CurrentLocation\lists\finding_list_0x6d69636b_machine.csv" + + If (Test-Path -Path $DefaultList) { + $FileFindingList = $DefaultList + } Else { + $Message = "The finding list $DefaultList was not found." + Write-ProtocolEntry -Text $Message -LogLevel "Error" + Continue + } + } + + $FindingList = Import-Csv -Path $FileFindingList -Delimiter "," + $LastCategory = "" + + ForEach ($Finding in $FindingList) { + + # + # Reset + # + $Result = "" + + # + # Category + # + If ($LastCategory -ne $Finding.Category) { + + $Message = "Starting Category " + $Finding.Category + Write-Output "`n" + Write-ProtocolEntry -Text $Message -LogLevel "Info" + $LastCategory = $Finding.Category + } + + # + # Get Registry Item + # Registry entries can be read with a native PowerShell function. The retrieved value is evaluated later. + # If the registry entry is not available, a default value is used. This must be specified in the finding list. + # + If ($Finding.Method -eq 'Registry') { + + If (Test-Path -Path $Finding.RegistryPath) { + + try { + $Result = Get-ItemPropertyValue -Path $Finding.RegistryPath -Name $Finding.RegistryItem + } catch { + $Result = $Finding.DefaultValue + } + } Else { + $Result = $Finding.DefaultValue + } + } + + # + # Get secedit policy + # Secedit configures and analyzes system security, results are written + # to a file, which means HardeningKitty must create a temporary file + # and afterwards delete it. HardeningKitty is very orderly. + # + ElseIf ($Finding.Method -eq 'secedit') { + + # Check if Secedit binary is available, skip test if not + If (-Not (Test-Path $BinarySecedit)) { + Write-BinaryError $BinarySecedit $Finding.ID $Finding.Name $Finding.Method + Continue + } + + # Check if the user has admin rights, skip test if not + If (-not($IsAdmin)) { + Write-NotAdminError $Finding.ID $Finding.Name $Finding.Method + Continue + } + + $TempFileName = [System.IO.Path]::GetTempFileName() + + $Area = ""; + + Switch($Finding.Category) { + "Account Policies" { $Area = "SECURITYPOLICY"; Break } + "Security Options" { $Area = "SECURITYPOLICY"; Break } + } + + &$BinarySecedit /export /cfg $TempFileName /areas $Area | Out-Null + + $Data = Get-IniContent $TempFileName + + $Value = Get-HashtableValueDeep $Data $Finding.MethodArgument + + if($null -eq $Value) { + $Result = $null + } else { + $Result = $Value -as [int] + } + + Remove-Item $TempFileName + } + + # + # Get Registry List and search for item + # Depending on the registry structure, the value cannot be accessed directly, but must be found within a data structure + # If the registry entry is not available, a default value is used. This must be specified in the finding list. + # + ElseIf ($Finding.Method -eq 'RegistryList') { + + If (Test-Path -Path $Finding.RegistryPath) { + + try { + $ResultList = Get-ItemProperty -Path $Finding.RegistryPath + + If ($ResultList | Where-Object { $_ -like "*"+$Finding.RegistryItem+"*" }) { + $Result = $Finding.RegistryItem + } Else { + $Result = "Not found" + } + + } catch { + $Result = $Finding.DefaultValue + } + } Else { + $Result = $Finding.DefaultValue + } + } + + # + # Get Audit Policy + # The output of auditpol.exe is parsed and will be evaluated later. + # The desired value is not output directly, some output lines can be ignored + # and are therefore skipped. If the output changes, the parsing must be adjusted :( + # + ElseIf ($Finding.Method -eq 'auditpol') { + + # Check if Auditpol binary is available, skip test if not + If (-Not (Test-Path $BinaryAuditpol)) { + Write-BinaryError $BinaryAuditpol $Finding.ID $Finding.Name $Finding.Method + Continue + } + + # Check if the user has admin rights, skip test if not + If (-not($IsAdmin)) { + Write-NotAdminError $Finding.ID $Finding.Name $Finding.Method + Continue + } + + try { + + $SubCategory = $Finding.MethodArgument + + # auditpol.exe does not write a backup in an existing file, so we have to build a name instead of create one + $TempFileName = [System.IO.Path]::GetTempPath()+"HardeningKitty_auditpol-"+$(Get-Date -Format yyyyMMdd-HHmmss)+".csv" + &$BinaryAuditpol /backup /file:$TempFileName > $null + + $ResultOutputLoad = Get-Content $TempFileName + foreach ($line in $ResultOutputLoad){ + $table = $line.Split(",") + if ($table[3] -eq $SubCategory){ + + # Translate setting value (works only for English list, so this is workaround) + Switch ($table[6]) { + "0" { $Result = "No Auditing"; Break} + "1" { $Result = "Success"; Break} + "2" { $Result = "Failure"; Break} + "3" { $Result = "Success and Failure"; Break} + } + } + } + + # House cleaning + Remove-Item $TempFileName + Clear-Variable -Name ("ResultOutputLoad", "table") + + } catch { + $Result = $Finding.DefaultValue + } + } + + # + # Get Account Policy + # The output of net.exe is parsed and will be evaluated later. + # It may be necessary to use the /domain parameter when calling net.exe. + # The values of the user executing the script are read out. These may not match the password policy. + # + ElseIf ($Finding.Method -eq 'accountpolicy') { + + # Check if net binary is available, skip test if not + If (-Not (Test-Path $BinaryNet)) { + Write-BinaryError $BinaryNet $Finding.ID $Finding.Name $Finding.Method + Continue + } + + try { + + $ResultOutput = &$BinaryNet accounts + + # "Parse" account policy + Switch ($Finding.Name) { + "Force user logoff how long after time expires" { $ResultOutput[0] -match '([a-zA-Z:, /-]+) ([a-z0-9, ]+)' | Out-Null; $Result=$Matches[2]; Break} + "Network security: Force logoff when logon hours expires" { $ResultOutput[0] -match '([a-zA-Z:, /-]+) ([a-z0-9, ]+)' | Out-Null; $Result=$Matches[2]; Break} + "Minimum password age" { $ResultOutput[1] -match '([a-zA-Z:, /-]+) ([a-z0-9, ]+)' | Out-Null; $Result=$Matches[2]; Break} + "Maximum password age" { $ResultOutput[2] -match '([a-zA-Z:, /-]+) ([a-z0-9, ]+)' | Out-Null; $Result=$Matches[2]; Break} + "Minimum password length" { $ResultOutput[3] -match '([a-zA-Z:, /-]+) ([a-z0-9, ]+)' | Out-Null; $Result=$Matches[2]; Break} + "Length of password history maintained" { $ResultOutput[4] -match '([a-zA-Z:, /-]+) ([a-z0-9, ]+)' | Out-Null; $Result=$Matches[2]; Break} + "Account lockout threshold" { $ResultOutput[5] -match '([a-zA-Z:, /-]+) ([a-z0-9, ]+)' | Out-Null; $Result=$Matches[2]; Break} + "Account lockout duration" { $ResultOutput[6] -match '([a-zA-Z:, /-]+) ([a-z0-9, ]+)' | Out-Null; $Result=$Matches[2]; Break} + "Reset account lockout counter" { $ResultOutput[7] -match '([a-zA-Z:, /-]+) ([a-z0-9, ]+)' | Out-Null; $Result=$Matches[2]; Break} + } + + } catch { + $Result = $Finding.DefaultValue + } + } + + # + # Get Local Account Information + # The PowerShell function Get-LocalUser is used for this. + # In order to get the correct user, the query is made via the SID, + # the base value of the computer must first be retrieved. + # + ElseIf ($Finding.Method -eq 'localaccount') { + + try { + + # Get Computer SID + $ComputerSid = ((Get-LocalUser | Select-Object -First 1).SID).AccountDomainSID.ToString() + + # Get User Status + $Sid = $ComputerSid+"-"+$Finding.MethodArgument + $ResultOutput = Get-LocalUser -SID $Sid + + If ($Finding.Name.Contains("account status")){ + $Result = $ResultOutput.Enabled + } + ElseIf ($Finding.Name.Contains("Rename")) { + $Result = $ResultOutput.Name + } + Else { + $Result = $Finding.DefaultValue + } + + } catch { + $Result = $Finding.DefaultValue + } + } + + # + # User Rights Assignment + # This method was first developed with the tool accessck.exe, hence the name. + # Due to compatibility problems in languages other than English, secedit.exe is + # now used to read the User Rights Assignments. + # + # Secedit configures and analyzes system security, results are written + # to a file, which means HardeningKitty must create a temporary file + # and afterwards delete it. HardeningKitty is very orderly. + # + ElseIf ($Finding.Method -eq 'accesschk') { + + # Check if Secedit binary is available, skip test if not + If (-Not (Test-Path $BinarySecedit)) { + Write-BinaryError $BinarySecedit $Finding.ID $Finding.Name $Finding.Method + Continue + } + + # Check if the user has admin rights, skip test if not + If (-not($IsAdmin)) { + Write-NotAdminError $Finding.ID $Finding.Name $Finding.Method + Continue + } + + $TempFileName = [System.IO.Path]::GetTempFileName() + + try { + + &$BinarySecedit /export /cfg $TempFileName /areas USER_RIGHTS | Out-Null + $ResultOutputRaw = Get-Content -Encoding unicode $TempFileName | Select-String $Finding.MethodArgument + + If ($null -eq $ResultOutputRaw) { + $Result = "" + } + Else { + $ResultOutputList = $ResultOutputRaw.ToString().split("=").Trim() + $Result = $ResultOutputList[1] -Replace "\*","" + $Result = $Result -Replace ",",";" + } + + } catch { + # If secedit did not work, throw an error instead of using the DefaultValue + $Script:StatsError++ + $Message = "ID "+$Finding.ID+", "+$Finding.Name+", secedit.exe could not read the configuration. Test skipped." + Write-ProtocolEntry -Text $Message -LogLevel "Error" + Continue + } + + Remove-Item $TempFileName + } + + # + # Windows Optional Feature + # Yay, a native PowerShell function! The status of the feature can easily be read out directly. + # + ElseIf ($Finding.Method -eq 'WindowsOptionalFeature') { + + # Check if the user has admin rights, skip test if not + If (-not($IsAdmin)) { + Write-NotAdminError $Finding.ID $Finding.Name $Finding.Method + Continue + } + + try { + + $ResultOutput = Get-WindowsOptionalFeature -Online -FeatureName $Finding.MethodArgument + $Result = $ResultOutput.State + + } catch { + $Result = $Finding.DefaultValue + } + } + + # + # Get CimInstance and search for item + # Via a CIM instance classes can be read from the CIM server. + # Afterwards, you have to search for the correct property within the class. + # + ElseIf ($Finding.Method -eq 'CimInstance') { + + try { + + $ResultList = Get-CimInstance -ClassName $Finding.ClassName -Namespace $Finding.Namespace + $Property = $Finding.Property + + If ($ResultList.$Property | Where-Object { $_ -like "*"+$Finding.RecommendedValue+"*" }) { + $Result = $Finding.RecommendedValue + } Else { + $Result = "Not available" + } + + } catch { + $Result = $Finding.DefaultValue + } + } + + # + # BitLocker Drive Encryption + # The values are saved from a PowerShell function into an object. + # The desired arguments can be accessed directly. + # + ElseIf ($Finding.Method -eq 'BitLockerVolume') { + + # Check if the user has admin rights, skip test if not + If (-not($IsAdmin)) { + Write-NotAdminError $Finding.ID $Finding.Name $Finding.Method + Continue + } + + try { + + $ResultOutput = Get-BitLockerVolume -MountPoint C: + If ($ResultOutput.VolumeType -eq 'OperatingSystem') { + $ResultArgument = $Finding.MethodArgument + $Result = $ResultOutput.$ResultArgument + } Else { + $Result = "Manual check required" + } + + } catch { + $Result = $Finding.DefaultValue + } + } + + # + # PowerShell Language Mode + # This is a single purpose function, the desired configuration is output directly. + # + ElseIf ($Finding.Method -eq 'LanguageMode') { + + try { + + $ResultOutput = $ExecutionContext.SessionState.LanguageMode + $Result = $ResultOutput + + } catch { + $Result = $Finding.DefaultValue + } + } + + # + # Microsoft Defender Preferences + # The values are saved from a PowerShell function into an object. + # The desired arguments can be accessed directly. + # + ElseIf ($Finding.Method -eq 'MpPreference') { + + try { + + $ResultOutput = Get-MpPreference + $ResultArgument = $Finding.MethodArgument + $Result = $ResultOutput.$ResultArgument + + } catch { + $Result = $Finding.DefaultValue + } + } + + # + # Microsoft Defender Preferences - Attack surface reduction rules (ASR rules) + # The values are saved from a PowerShell function into an object. + # The desired arguments can be accessed directly. + # + ElseIf ($Finding.Method -eq 'MpPreferenceAsr') { + + try { + + $ResultOutput = Get-MpPreference + $ResultAsrIds = $ResultOutput.AttackSurfaceReductionRules_Ids + $ResultAsrActions = $ResultOutput.AttackSurfaceReductionRules_Actions + $Result = $Finding.DefaultValue + $Counter = 0 + + ForEach ($AsrRule in $ResultAsrIds) { + + If ($AsrRule -eq $Finding.MethodArgument) { + $Result = $ResultAsrActions[$Counter] + Continue + } + $Counter++ + } + + } catch { + $Result = $Finding.DefaultValue + } + } + + # + # Microsoft Defender Preferences - Exclusion lists + # The values are saved from a PowerShell function into an object. + # The desired arguments can be accessed directly. + # + ElseIf ($Finding.Method -eq 'MpPreferenceExclusion') { + + # Check if the user has admin rights, skip test if not + # Normal users are not allowed to get exclusions + If (-not($IsAdmin)) { + Write-NotAdminError $Finding.ID $Finding.Name $Finding.Method + Continue + } + + try { + + $ResultOutput = Get-MpPreference + $ExclusionType = $Finding.MethodArgument + $ResultExclusions = $ResultOutput.$ExclusionType + + ForEach ($Exclusion in $ResultExclusions) { + $Result += $Exclusion+";" + } + # Remove last character + $Result = $Result -replace “.$” + + } catch { + $Result = $Finding.DefaultValue + } + } + + # + # Exploit protection (System) + # The values are saved from a PowerShell function into an object. + # The desired arguments can be accessed directly. + # Since the object has several dimensions and there is only one dimension + # in the finding list (lazy) a workaround with split must be done... + # + ElseIf ($Finding.Method -eq 'Processmitigation') { + + try { + + $ResultOutput = Get-Processmitigation -System + $ResultArgumentArray = $Finding.MethodArgument.Split(".") + $ResultArgument0 = $ResultArgumentArray[0] + $ResultArgument1 = $ResultArgumentArray[1] + $Result = $ResultOutput.$ResultArgument0.$ResultArgument1 + + } catch { + $Result = $Finding.DefaultValue + } + } + + # + # Exploit protection (Application) + # The values are saved from a PowerShell function into an object. + # The desired arguments can be accessed directly. + # Since the object has several dimensions and there is only one dimension + # in the finding list (lazy) a workaround with split must be done... + # + ElseIf ($Finding.Method -eq 'ProcessmitigationApplication') { + + try { + + $ResultArgumentArray = $Finding.MethodArgument.Split("/") + $ResultOutput = Get-Processmitigation -Name $ResultArgumentArray[0] + $ResultArgument0 = $ResultArgumentArray[1] + $ResultArgument1 = $ResultArgumentArray[2] + $Result = $ResultOutput.$ResultArgument0.$ResultArgument1 + + } catch { + $Result = $Finding.DefaultValue + } + } + + # + # bcdedit + # Again, the output of a tool must be searched and parsed. Ugly... + # + ElseIf ($Finding.Method -eq 'bcdedit') { + + # Check if the user has admin rights, skip test if not + If (-not($IsAdmin)) { + Write-NotAdminError $Finding.ID $Finding.Name $Finding.Method + Continue + } + + # Check if Bcdedit binary is available, skip test if not + If (-Not (Test-Path $BinaryBcdedit)) { + Write-BinaryError $BinaryBcdedit $Finding.ID $Finding.Name $Finding.Method + Continue + } + + try { + + $ResultOutput = &$BinaryBcdedit + $ResultOutput = $ResultOutput | Where-Object { $_ -like "*"+$Finding.RecommendedValue+"*" } + + If ($ResultOutput -match ' ([a-z,A-Z]+)') { + $Result = $Matches[1] + } Else { + $Result = $Finding.DefaultValue + } + + } catch { + $Result = $Finding.DefaultValue + } + } + + # + # FirewallRule + # Search for a specific firewall rule with a given name + # + ElseIf ($Finding.Method -eq 'FirewallRule') { + + try { + + $ResultOutput = Get-NetFirewallRule -PolicyStore ActiveStore -DisplayName $Finding.Name 2> $null + $Result = $ResultOutput.Enabled + + } catch { + $Result = $Finding.DefaultValue + } + } + + # + # Service + # Check the status of a service + # + ElseIf ($Finding.Method -eq 'service') { + + try { + + $ResultOutput = Get-Service -Name $Finding.MethodArgument 2> $null + $Result = $ResultOutput.StartType + + } catch { + $Result = $Finding.DefaultValue + } + } + + # + # Compare result value and recommendation + # The finding list specifies the test, as well as the recommended values. + # There are two output formats, one for command line output and one for the CSV file. + # + If ($Mode -eq "Audit") { + + # + # User Right Assignment + # For multilingual support, a SID translation takes place and then the known SID values are compared with each other. + # The results are already available as SID (from secedit) and therefore the specifications are now also translated and still sorted. + # + If ($Finding.Method -eq 'accesschk') { + + $SaveRecommendedValue = $Finding.RecommendedValue + + If ($Result -ne '') { + + $ListRecommended = $Finding.RecommendedValue.Split(";") + $ListRecommendedSid = @() + + # SID Translation + ForEach ($AccountName in $ListRecommended) { + $AccountSid = Translate-SidFromWellkownAccount -AccountName $AccountName + $ListRecommendedSid += $AccountSid + } + # Sort SID List + $ListRecommendedSid = $ListRecommendedSid | Sort-Object + + # Build String + ForEach ($AccountName in $ListRecommendedSid) { + [String] $RecommendedValueSid += $AccountName+";" + } + + $RecommendedValueSid = $RecommendedValueSid -replace ".$" + $Finding.RecommendedValue = $RecommendedValueSid + Clear-Variable -Name ("RecommendedValueSid") + } + } + + # + # Exception handling for special registry keys + # Machine => Network access: Remotely accessible registry paths + # Hardened UNC Paths => Remove spaces in result and recommendation + # + If ($Finding.Method -eq 'Registry' -and $Finding.RegistryItem -eq "Machine"){ + $Finding.RecommendedValue = $Finding.RecommendedValue.Replace(";"," ") + } + ElseIf ($Finding.Method -eq 'Registry' -and $Finding.RegistryPath -eq "HKLM:\Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths") { + $Result = $Result.Replace(" ","") + $Finding.RecommendedValue = $Finding.RecommendedValue.Replace(" ","") + } + + $ResultPassed = $false + Switch($Finding.Operator) { + + "=" { If ([string] $Result -eq $Finding.RecommendedValue) { $ResultPassed = $true }; Break} + "<=" { try { If ([int]$Result -le [int]$Finding.RecommendedValue) { $ResultPassed = $true }} catch { $ResultPassed = $false }; Break} + "<=!0" { try { If ([int]$Result -le [int]$Finding.RecommendedValue -and [int]$Result -ne 0) { $ResultPassed = $true }} catch { $ResultPassed = $false }; Break} + ">=" { try { If ([int]$Result -ge [int]$Finding.RecommendedValue) { $ResultPassed = $true }} catch { $ResultPassed = $false }; Break} + "contains" { If ($Result.Contains($Finding.RecommendedValue)) { $ResultPassed = $true }; Break} + "!=" { If ([string] $Result -ne $Finding.RecommendedValue) { $ResultPassed = $true }; Break} + "=|0" { try { If ([string]$Result -eq $Finding.RecommendedValue -or $Result.Length -eq 0) { $ResultPassed = $true }} catch { $ResultPassed = $false }; Break} + } + + # + # Restore Result after SID translation + # The results are already available as SID, for better readability they are translated into their names + # + If ($Finding.Method -eq 'accesschk') { + + If ($Result -ne "") { + + $ListResult = $Result.Split(";") + ForEach ($AccountSid in $ListResult) { + $AccountName = Get-AccountFromSid -AccountSid $AccountSid + [String] $ResultName += $AccountName.Trim()+";" + } + $ResultName = $ResultName -replace ".$" + $Result = $ResultName + Clear-Variable -Name ("ResultName") + } + + $Finding.RecommendedValue = $SaveRecommendedValue + } + + If ($ResultPassed) { + + # Passed + $Message = "ID "+$Finding.ID+", "+$Finding.Name+", Result=$Result, Severity=Passed" + Write-ResultEntry -Text $Message -SeverityLevel "Passed" + + If ($Log) { + Add-MessageToFile -Text $Message -File $LogFile + } + + If ($Report) { + $Message = '"'+$Finding.ID+'","'+$Finding.Name+'","Passed","'+$Result+'"' + Add-MessageToFile -Text $Message -File $ReportFile + } + + # Increment Counter + $StatsPassed++ + + } Else { + + # Failed + If ($Finding.Operator -eq "!=") { + $Message = "ID "+$Finding.ID+", "+$Finding.Name+", Result=$Result, Recommended=Not "+$Finding.RecommendedValue+", Severity="+$Finding.Severity + } + Else { + $Message = "ID "+$Finding.ID+", "+$Finding.Name+", Result=$Result, Recommended="+$Finding.RecommendedValue+", Severity="+$Finding.Severity + } + + Write-ResultEntry -Text $Message -SeverityLevel $Finding.Severity + + If ($Log) { + Add-MessageToFile -Text $Message -File $LogFile + } + + If ($Report) { + $Message = '"'+$Finding.ID+'","'+$Finding.Name+'","'+$Finding.Severity+'","'+$Result+'","'+$Finding.RecommendedValue+'"' + Add-MessageToFile -Text $Message -File $ReportFile + } + + # Increment Counter + Switch($Finding.Severity) { + + "Low" { $StatsLow++; Break} + "Medium" { $StatsMedium++; Break} + "High" { $StatsHigh++; Break} + } + } + + # + # Only return received value + # + } Elseif ($Mode -eq "Config") { + + $Message = "ID "+$Finding.ID+"; "+$Finding.Name+"; Result=$Result" + Write-ResultEntry -Text $Message + + If ($Log) { + Add-MessageToFile -Text $Message -File $LogFile + } + If ($Report) { + $Message = '"'+$Finding.ID+'","'+$Finding.Name+'",,"'+$Result+'",'+$Finding.RecommendedValue + Add-MessageToFile -Text $Message -File $ReportFile + } + If ($Backup) { + $Message = '"'+$Finding.ID+'","'+$Finding.Category+'","'+$Finding.Name+'","'+$Finding.Method+'","'+$Finding.MethodArgument+'","'+$Finding.RegistryPath+'","'+$Finding.RegistryItem+'","'+$Finding.ClassName+'","'+$Finding.Namespace+'","'+$Finding.Property+'","'+$Finding.DefaultValue+'","'+$Result+'","'+$Finding.Operator+'","'+$Finding.Severity+'",' + Add-MessageToFile -Text $Message -File $BackupFile + } + } + } + + } + + # + # Start HailMary mode + # HardeningKitty configures all settings in a finding list file. + # Even though HardeningKitty works very carefully, please only + # use HailyMary if you know what you are doing. + # + Elseif ($Mode = "HailMary") { + + # A CSV finding list is imported + If ($FileFindingList.Length -eq 0) { + + $CurrentLocation = Get-Location + $DefaultList = "$CurrentLocation\lists\finding_list_0x6d69636b_machine.csv" + + If (Test-Path -Path $DefaultList) { + $FileFindingList = $DefaultList + } Else { + $Message = "The finding list $DefaultList was not found." + Write-ProtocolEntry -Text $Message -LogLevel "Error" + Continue + } + } + + $FindingList = Import-Csv -Path $FileFindingList -Delimiter "," + $LastCategory = "" + $ProcessmitigationEnableArray = @() + $ProcessmitigationDisableArray = @() + + ForEach ($Finding in $FindingList) { + + # + # Category + # + If ($LastCategory -ne $Finding.Category) { + + $Message = "Starting Category " + $Finding.Category + Write-Output "`n" + Write-ProtocolEntry -Text $Message -LogLevel "Info" + $LastCategory = $Finding.Category + } + + # + # Registry + # Create or modify a registry value. + # + If ($Finding.Method -eq 'Registry' -or $Finding.Method -eq 'RegistryList') { + + # Check if the user has admin rights, skip test if not + If (-not($IsAdmin) -and -not($Finding.RegistryPath.StartsWith("HKCU:\"))) { + Write-NotAdminError $Finding.ID $Finding.Name $Finding.Method + Continue + } + + $RegType = "String" + + # + # Basically this is true, but there is an exception for the finding "MitigationOptions_FontBocking", + # the value "10000000000" is written to the registry as a string... + # + # ... and more exceptions are added over time: + # + # MitigationOptions_FontBocking => Mitigation Options: Untrusted Font Blocking + # Machine => Network access: Remotely accessible registry paths + # Retention => Event Log Service: *: Control Event Log behavior when the log file reaches its maximum size + # AllocateDASD => Devices: Allowed to format and eject removable media + # ScRemoveOption => Interactive logon: Smart card removal behavior + # AutoAdminLogon => MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended) + # + If ($Finding.RegistryItem -eq "MitigationOptions_FontBocking" -Or $Finding.RegistryItem -eq "Retention" -Or $Finding.RegistryItem -eq "AllocateDASD" -Or $Finding.RegistryItem -eq "ScRemoveOption" -Or $Finding.RegistryItem -eq "AutoAdminLogon") { + $RegType = "String" + } ElseIf ($Finding.RegistryItem -eq "Machine") { + $RegType = "MultiString" + $Finding.RecommendedValue = $Finding.RecommendedValue -split ";" + } + ElseIf ($Finding.RecommendedValue -match "^\d+$") { + $RegType = "DWord" + } + + if(!(Test-Path $Finding.RegistryPath)) { + + $Result = New-Item $Finding.RegistryPath -Force; + + if($Result) { + $ResultText = "Registry key created" + $Message = "ID "+$Finding.ID+", "+$Finding.RegistryPath+", " + $ResultText + $MessageSeverity = "Passed" + Write-ResultEntry -Text $Message -SeverityLevel $MessageSeverity + } else { + $ResultText = "Failed to create registry key" + $Message = "ID "+$Finding.ID+", "+$Finding.RegistryPath+", " + $ResultText + $MessageSeverity = "High" + Write-ResultEntry -Text $Message -SeverityLevel $MessageSeverity + Continue + } + } + + # + # The method RegistryList needs a separate handling, because the name of the registry key is dynamic, usually incremented. + # Therefore, it is searched whether the value already exists or not. If the value does not exist, it counts how many + # other values are already there in order to set the next higher value and not overwrite existing keys. + # + If ($Finding.Method -eq 'RegistryList') { + + $ResultList = Get-ItemProperty -Path $Finding.RegistryPath + $ResultListCounter = 0 + If ($ResultList | Where-Object { $_ -like "*"+$Finding.RegistryItem+"*" }) { + $ResultList.PSObject.Properties | ForEach-Object { + If ( $_.Value -eq $Finding.RegistryItem ) { + $Finding.RegistryItem = $_.Value.Name + Continue + } + } + } + Else { + $ResultList.PSObject.Properties | ForEach-Object { + $ResultListCounter++ + } + } + If ($ResultListCounter -eq 0) { + $Finding.RegistryItem = 1 + } + Else { + $Finding.RegistryItem = $ResultListCounter - 4 + } + } + + $Result = Set-Itemproperty -PassThru -Path $Finding.RegistryPath -Name $Finding.RegistryItem -Type $RegType -Value $Finding.RecommendedValue + + if($Result) { + $ResultText = "Registry value created/modified" + $Message = "ID "+$Finding.ID+", "+$Finding.RegistryPath+", "+$Finding.RegistryItem+", " + $ResultText + $MessageSeverity = "Passed" + } else { + $ResultText = "Failed to create registry value" + $Message = "ID "+$Finding.ID+", "+$Finding.RegistryPath+", "+$Finding.RegistryItem+", " + $ResultText + $MessageSeverity = "High" + } + + Write-ResultEntry -Text $Message -SeverityLevel $MessageSeverity + } + + # + # secedit + # Set a security policy + # + If ($Finding.Method -eq 'secedit') { + + # Check if Secedit binary is available, skip test if not + If (-Not (Test-Path $BinarySecedit)) { + Write-BinaryError $BinarySecedit $Finding.ID $Finding.Name $Finding.Method + Continue + } + + # Check if the user has admin rights, skip test if not + If (-not($IsAdmin)) { + Write-NotAdminError $Finding.ID $Finding.Name $Finding.Method + Continue + } + + $Area = ""; + + Switch($Finding.Category) { + "Account Policies" { $Area = "SECURITYPOLICY"; Break } + "Security Options" { $Area = "SECURITYPOLICY"; Break } + } + + $TempFileName = [System.IO.Path]::GetTempFileName() + $TempDbFileName = [System.IO.Path]::GetTempFileName() + + &$BinarySecedit /export /cfg $TempFileName /areas $Area | Out-Null + + $Data = Get-IniContent $TempFileName + + Set-HashtableValueDeep $Data $Finding.MethodArgument $Finding.RecommendedValue + + Out-IniFile $Data $TempFileName unicode $true + + &$BinarySecedit /import /cfg $TempFileName /overwrite /areas $Area /db $TempDbFileName /quiet | Out-Null + + if($LastExitCode -ne 0) { + $ResultText = "Failed to import security policy into temporary database" + $Message = "ID "+$Finding.ID+", "+$Finding.MethodArgument+", "+$Finding.RecommendedValue+", " + $ResultText + $MessageSeverity = "High" + Write-ResultEntry -Text $Message -SeverityLevel $MessageSeverity + Remove-Item $TempFileName + Remove-Item $TempDbFileName + Continue + } + + $ResultText = "Imported security policy into temporary database" + $Message = "ID "+$Finding.ID+", "+$Finding.MethodArgument+", "+$Finding.RecommendedValue+", " + $ResultText + $MessageSeverity = "Passed" + + Write-ResultEntry -Text $Message -SeverityLevel $MessageSeverity + + &$BinarySecedit /configure /db $TempDbFileName /overwrite /areas SECURITYPOLICY /quiet | Out-Null + + if($LastExitCode -ne 0) { + $ResultText = "Failed to configure security policy" + $Message = "ID "+$Finding.ID+", "+$Finding.MethodArgument+", "+$Finding.RecommendedValue+", " + $ResultText + $MessageSeverity = "High" + Write-ResultEntry -Text $Message -SeverityLevel $MessageSeverity + Remove-Item $TempFileName + Remove-Item $TempDbFileName + Continue + } + + $ResultText = "Configured security policy" + $Message = "ID "+$Finding.ID+", "+$Finding.MethodArgument+", "+$Finding.RecommendedValue+", " + $ResultText + $MessageSeverity = "Passed" + + Write-ResultEntry -Text $Message -SeverityLevel $MessageSeverity + + Remove-Item $TempFileName + Remove-Item $TempDbFileName + } + + # + # auditpol + # Set an audit policy + # + If ($Finding.Method -eq 'auditpol') { + + # Check if Auditpol binary is available, skip test if not + If (-Not (Test-Path $BinaryAuditpol)) { + Write-BinaryError $BinaryAuditpol $Finding.ID $Finding.Name $Finding.Method + Continue + } + + # Check if the user has admin rights, skip test if not + If (-not($IsAdmin)) { + Write-NotAdminError $Finding.ID $Finding.Name $Finding.Method + Continue + } + + $Success = if($Finding.RecommendedValue -ilike "*success*") {"enable"} else {"disable"} + $Failure = if($Finding.RecommendedValue -ilike "*failure*") {"enable"} else {"disable"} + + $SubCategory = $Finding.MethodArgument + + &$BinaryAuditpol /set /subcategory:"$($SubCategory)" /success:$($Success) /failure:$($Failure) | Out-Null + + if($LastExitCode -eq 0) { + $ResultText = "Audit policy set" + $Message = "ID "+$Finding.ID+", "+$Finding.Name+", "+$Finding.RecommendedValue+", " + $ResultText + $MessageSeverity = "Passed" + } else { + $ResultText = "Failed to set audit policy" + $Message = "ID "+$Finding.ID+", "+$Finding.Name+", "+$Finding.RecommendedValue+", " + $ResultText + $MessageSeverity = "High" + } + + Write-ResultEntry -Text $Message -SeverityLevel $MessageSeverity + } + + # + # accountpolicy + # Set a user account policy + # + If ($Finding.Method -eq 'accountpolicy') { + + # Check if the user has admin rights, skip test if not + If (-not($IsAdmin)) { + Write-NotAdminError $Finding.ID $Finding.Name $Finding.Method + Continue + } + + # Check if net binary is available, skip test if not + If (-Not (Test-Path $BinaryNet)) { + Write-BinaryError $BinaryNet $Finding.ID $Finding.Name $Finding.Method + Continue + } + + $Sw = ""; + + Switch ($Finding.Name) { + "Force user logoff how long after time expires" { $Sw = "/FORCELOGOFF:$($Finding.RecommendedValue)"; Break } + "Minimum password age" { $Sw = "/MINPWAGE:$($Finding.RecommendedValue)"; Break } + "Maximum password age" { $Sw = "/MAXPWAGE:$($Finding.RecommendedValue)"; Break } + "Minimum password length" { $Sw = "/MINPWLEN:$($Finding.RecommendedValue)"; Break } + "Length of password history maintained" { $Sw = "/UNIQUEPW:$($Finding.RecommendedValue)"; Break } + "Account lockout threshold" { $Sw = "/lockoutthreshold:$($Finding.RecommendedValue)"; Break; } + "Account lockout duration" { $Sw = @("/lockoutwindow:$($Finding.RecommendedValue)", "/lockoutduration:$($Finding.RecommendedValue)"); Break } + "Reset account lockout counter" { $Sw = "/lockoutwindow:$($Finding.RecommendedValue)"; Break } + } + + &$BinaryNet accounts $Sw | Out-Null + + if($LastExitCode -eq 0) { + $ResultText = "Account policy set" + $Message = "ID "+$Finding.ID+", "+$Finding.Name+", "+$Finding.RecommendedValue+", " + $ResultText + $MessageSeverity = "Passed" + } else { + $ResultText = "Failed to set account policy" + $Message = "ID "+$Finding.ID+", "+$Finding.Name+", "+$Finding.RecommendedValue+", " + $ResultText + $MessageSeverity = "High" + } + + Write-ResultEntry -Text $Message -SeverityLevel $MessageSeverity + } + + # + # accesschk + # For the audit mode, accesschk is used, but the rights are set with secedit. + # + If ($Finding.Method -eq 'accesschk') { + + # Check if Secedit binary is available, skip test if not + If (-Not (Test-Path $BinarySecedit)) { + Write-BinaryError $BinarySecedit $Finding.ID $Finding.Name $Finding.Method + Continue + } + + # Check if the user has admin rights, skip test if not + If (-not($IsAdmin)) { + Write-NotAdminError $Finding.ID $Finding.Name $Finding.Method + Continue + } + + $TempFileName = [System.IO.Path]::GetTempFileName() + $TempDbFileName = [System.IO.Path]::GetTempFileName() + + &$BinarySecedit /export /cfg $TempFileName /areas USER_RIGHTS | Out-Null + + if($Finding.RecommendedValue -eq "") { + (Get-Content -Encoding unicode $TempFileName) -replace "$($Finding.MethodArgument).*", "$($Finding.MethodArgument) = " | Out-File $TempFileName + } else { + $ListTranslated = @() + $Finding.RecommendedValue -split ';'| Where-Object { + # Get SID to translate the account name + $AccountSid = Translate-SidFromWellkownAccount -AccountName $_ + # Get account name from system with SID (local translation) + $AccountName = Get-AccountFromSid -AccountSid $AccountSid + $ListTranslated += $AccountName + } + + # If User Right Assignment exists, replace values + If ( ((Get-Content -Encoding unicode $TempFileName) | Select-String $($Finding.MethodArgument)).Count -gt 0 ) { + (Get-Content -Encoding unicode $TempFileName) -replace "$($Finding.MethodArgument).*", "$($Finding.MethodArgument) = $($ListTranslated -join ',')" | Out-File $TempFileName + } + # If it does not exist, add a new entry into the file at the right position + Else { + $TempFileContent = Get-Content -Encoding unicode $TempFileName + $LineNumber = $TempFileContent.Count + $TempFileContent[$LineNumber-3] = "$($Finding.MethodArgument) = $($ListTranslated -join ',')" + $TempFileContent[$LineNumber-2] = "[Version]" + $TempFileContent[$LineNumber-1] = 'signature="$CHICAGO$"' + $TempFileContent += "Revision=1" + $TempFileContent | Set-Content -Encoding unicode $TempFileName + } + } + + &$BinarySecedit /import /cfg $TempFileName /overwrite /areas USER_RIGHTS /db $TempDbFileName /quiet | Out-Null + + if($LastExitCode -ne 0) { + $ResultText = "Failed to import user right assignment into temporary database" + $Message = "ID "+$Finding.ID+", "+$Finding.MethodArgument+", "+$Finding.RecommendedValue+", " + $ResultText + $MessageSeverity = "High" + Write-ResultEntry -Text $Message -SeverityLevel $MessageSeverity + Remove-Item $TempFileName + Remove-Item $TempDbFileName + Continue + } + + $ResultText = "Imported user right assignment into temporary database" + $Message = "ID "+$Finding.ID+", "+$Finding.MethodArgument+", "+$Finding.RecommendedValue+", " + $ResultText + $MessageSeverity = "Passed" + + Write-ResultEntry -Text $Message -SeverityLevel $MessageSeverity + + &$BinarySecedit /configure /db $TempDbFileName /overwrite /areas USER_RIGHTS /quiet | Out-Null + + if($LastExitCode -ne 0) { + $ResultText = "Failed to configure system user right assignment" + $Message = "ID "+$Finding.ID+", "+$Finding.MethodArgument+", "+$Finding.RecommendedValue+", " + $ResultText + $MessageSeverity = "High" + Write-ResultEntry -Text $Message -SeverityLevel $MessageSeverity + Remove-Item $TempFileName + Remove-Item $TempDbFileName + Continue + } + + $ResultText = "Configured system user right assignment" + $Message = "ID "+$Finding.ID+", "+$Finding.MethodArgument+", "+$Finding.RecommendedValue+", " + $ResultText + $MessageSeverity = "Passed" + + Write-ResultEntry -Text $Message -SeverityLevel $MessageSeverity + + Remove-Item $TempFileName + Remove-Item $TempDbFileName + } + + # + # WindowsOptionalFeature + # Install / Remove a Windows feature + # + If ($Finding.Method -eq 'WindowsOptionalFeature') { + + # Check if the user has admin rights, skip test if not + If (-not($IsAdmin)) { + Write-NotAdminError $Finding.ID $Finding.Name $Finding.Method + Continue + } + + # + # Check if feature is installed and should be removed, or + # it is missing and should be installed + # + try { + $ResultOutput = Get-WindowsOptionalFeature -Online -FeatureName $Finding.MethodArgument + $Result = $ResultOutput.State + } catch { + $ResultText = "Could not check status" + $Message = "ID "+$Finding.ID+", "+$Finding.Name+", " + $ResultText + $MessageSeverity = "High" + Write-ResultEntry -Text $Message -SeverityLevel $MessageSeverity + Continue + } + + # Feature will be removed, a reboot will be suppressed + If ($Result -eq "Enabled" -and $Finding.RecommendedValue -eq "Disabled") { + + try { + $Result = Disable-WindowsOptionalFeature -NoRestart -Online -FeatureName $Finding.MethodArgument + } catch { + $ResultText = "Could not be removed" + $Message = "ID "+$Finding.ID+", "+$Finding.Name+", " + $ResultText + $MessageSeverity = "High" + Write-ResultEntry -Text $Message -SeverityLevel $MessageSeverity + Continue + } + + $ResultText = "Feature removed" + $Message = "ID "+$Finding.ID+", "+$Finding.Name+", " + $ResultText + $MessageSeverity = "Passed" + } + # No changes required + ElseIf ($Result -eq "Disabled" -and $Finding.RecommendedValue -eq "Disabled") { + $ResultText = "Feature is not installed" + $Message = "ID "+$Finding.ID+", "+$Finding.Name+", " + $ResultText + $MessageSeverity = "Passed" + } + # Feature will be installed, a reboot will be suppressed + ElseIf ($Result -eq "Disabled" -and $Finding.RecommendedValue -eq "Enabled") { + + try { + $Result = Enable-WindowsOptionalFeature -NoRestart -Online -FeatureName $Finding.MethodArgument + } catch { + $ResultText = "Could not be installed" + $Message = "ID "+$Finding.ID+", "+$Finding.Name+", " + $ResultText + $MessageSeverity = "High" + Write-ResultEntry -Text $Message -SeverityLevel $MessageSeverity + Continue + } + + $ResultText = "Feature installed" + $Message = "ID "+$Finding.ID+", "+$Finding.Name+", " + $ResultText + $MessageSeverity = "Passed" + } + # No changes required + ElseIf ($Result -eq "Enabled" -and $Finding.RecommendedValue -eq "Enabled") { + $ResultText = "Feature is already installed" + $Message = "ID "+$Finding.ID+", "+$Finding.Name+", " + $ResultText + $MessageSeverity = "Passed" + } + + Write-ResultEntry -Text $Message -SeverityLevel $MessageSeverity + + If ($Log) { + Add-MessageToFile -Text $Message -File $LogFile + } + + If ($Report) { + $Message = '"'+$Finding.ID+'","'+$Finding.Name+'","'+$ResultText+'"' + Add-MessageToFile -Text $Message -File $ReportFile + } + } + + # + # MpPreference + # Set a Windows Defender policy + # + If ($Finding.Method -eq 'MpPreference') { + + # Check if the user has admin rights, skip test if not + If (-not($IsAdmin)) { + Write-NotAdminError $Finding.ID $Finding.Name $Finding.Method + Continue + } + + $ResultMethodArgument = $Finding.MethodArgument + $ResultRecommendedValue = $Finding.RecommendedValue + + Switch($ResultRecommendedValue) { + "True" { $ResultRecommendedValue = 1; Break } + "False" { $ResultRecommendedValue = 0; Break } + } + + $ResultCommand = "Set-MpPreference -$ResultMethodArgument $ResultRecommendedValue" + + $Result = Invoke-Expression $ResultCommand + + if($LastExitCode -eq 0) { + $ResultText = "Method value modified" + $Message = "ID "+$Finding.ID+", "+$Finding.MethodArgument+", " + $ResultText + $MessageSeverity = "Passed" + } else { + $ResultText = "Failed to change Method value" + $Message = "ID "+$Finding.ID+", "+$Finding.MethodArgument+", " + $ResultText + $MessageSeverity = "High" + } + + Write-ResultEntry -Text $Message -SeverityLevel $MessageSeverity + } + + # + # Microsoft Defender Preferences - Attack surface reduction rules (ASR rules) + # The values are saved from a PowerShell function into an object. + # The desired arguments can be accessed directly. + # + If ($Finding.Method -eq 'MpPreferenceAsr') { + + # Check if the user has admin rights, skip test if not + If (-not($IsAdmin)) { + Write-NotAdminError $Finding.ID $Finding.Name $Finding.Method + Continue + } + + $ResultMethodArgument = $Finding.MethodArgument + $ResultRecommendedValue = $Finding.RecommendedValue + + Switch($ResultRecommendedValue) { + "True" { $ResultRecommendedValue = 1; Break } + "False" { $ResultRecommendedValue = 0; Break } + } + + $ResultCommand = "Add-MpPreference -AttackSurfaceReductionRules_Ids $ResultMethodArgument -AttackSurfaceReductionRules_Actions $ResultRecommendedValue" + $Result = Invoke-Expression $ResultCommand + + if($LastExitCode -eq 0) { + $ResultText = "ASR rule added to list" + $Message = "ID "+$Finding.ID+", "+$Finding.Name+", "+$Finding.MethodArgument+", " + $ResultText + $MessageSeverity = "Passed" + } else { + $ResultText = "Failed to add ASR rule" + $Message = "ID "+$Finding.ID+", "+$Finding.Name+", "+$Finding.MethodArgument+", " + $ResultText + $MessageSeverity = "High" + } + + Write-ResultEntry -Text $Message -SeverityLevel $MessageSeverity + } + + # + # Exploit protection + # Set exploit protection values + # + # I noticed irregularities when the process mitigations were set individually, + # in some cases settings that had already been set were then reset. Therefore, + # the settings are collected in an array and finally set at the end of the processing. + # + If ($Finding.Method -eq 'Processmitigation') { + + # Check if the user has admin rights, skip test if not + If (-not($IsAdmin)) { + Write-NotAdminError $Finding.ID $Finding.Name $Finding.Method + Continue + } + + $SettingArgumentArray = $Finding.MethodArgument.Split(".") + + If ( $Finding.RecommendedValue -eq "ON") { + + If ( $SettingArgumentArray[1] -eq "Enable" ) { + $ProcessmitigationEnableArray += $SettingArgumentArray[0] + } Else { + $ProcessmitigationEnableArray += $SettingArgumentArray[1] + } + } + ElseIf ( $Finding.RecommendedValue -eq "OFF") { + + If ($SettingArgumentArray[1] -eq "TelemetryOnly") { + $ProcessmitigationDisableArray += "SEHOPTelemetry" + } + ElseIf ( $SettingArgumentArray[1] -eq "Enable" ) { + $ProcessmitigationDisableArray += $SettingArgumentArray[0] + } + Else { + $ProcessmitigationDisableArray += $SettingArgumentArray[1] + } + } + $ResultText = "setting added to list" + $Message = "ID "+$Finding.ID+", "+$Finding.Name+", " + $ResultText + $MessageSeverity = "Passed" + Write-ResultEntry -Text $Message -SeverityLevel $MessageSeverity + } + + # + # bcdedit + # Force use of Data Execution Prevention, if it is not already set + # + If ($Finding.Method -eq 'bcdedit') { + + # Check if the user has admin rights, skip test if not + If (-not($IsAdmin)) { + Write-NotAdminError $Finding.ID $Finding.Name $Finding.Method + Continue + } + + # Check if Bcdedit binary is available, skip test if not + If (-Not (Test-Path $BinaryBcdedit)) { + Write-BinaryError $BinaryBcdedit $Finding.ID $Finding.Name $Finding.Method + Continue + } + + try { + + $ResultOutput = &$BinaryBcdedit + $ResultOutput = $ResultOutput | Where-Object { $_ -like "*"+$Finding.RecommendedValue+"*" } + + If ($ResultOutput -match ' ([a-z,A-Z]+)') { + $Result = $Matches[1] + } Else { + $Result = $Finding.DefaultValue + } + + } catch { + $Result = $Finding.DefaultValue + } + + If ($Result -ne $Finding.RecommendedValue) { + + try { + + $ResultOutput = &$BinaryBcdedit "/set" $Finding.MethodArgument $Finding.RecommendedValue + + } catch { + + $ResultText = "Setting could not be enabled" + $Message = "ID "+$Finding.ID+", "+$Finding.Name+", " + $ResultText + $MessageSeverity = "High" + } + + $ResultText = "Setting enabled. Please restart the system to activate it" + $Message = "ID "+$Finding.ID+", "+$Finding.Name+", " + $ResultText + $MessageSeverity = "Passed" + } Else { + + $ResultText = "Setting is already set correct" + $Message = "ID "+$Finding.ID+", "+$Finding.Name+", " + $ResultText + $MessageSeverity = "Passed" + } + + Write-ResultEntry -Text $Message -SeverityLevel $MessageSeverity + + If ($Log) { + Add-MessageToFile -Text $Message -File $LogFile + } + + If ($Report) { + $Message = '"'+$Finding.ID+'","'+$Finding.Name+'","'+$ResultText+'"' + Add-MessageToFile -Text $Message -File $ReportFile + } + } + + # + # FirewallRule + # Create a firewall rule. First it will be checked if the rule already exists + # + If ($Finding.Method -eq 'FirewallRule') { + + # Check if the user has admin rights, skip test if not + If (-not($IsAdmin)) { + Write-NotAdminError $Finding.ID $Finding.Name $Finding.Method + Continue + } + + $FwRule = $Finding.MethodArgument + $FwRuleArray = $FwRule.Split("|") + + $FwDisplayName = $Finding.Name + $FwProfile = $FwRuleArray[0] + $FwDirection = $FwRuleArray[1] + $FwAction = $FwRuleArray[2] + $FwProtocol = $FwRuleArray[3] + $FwLocalPort = @($FwRuleArray[4]).Split(",") + $FwProgram = $FwRuleArray[5] + + # Check if rule already exists + try { + + $ResultOutput = Get-NetFirewallRule -PolicyStore ActiveStore -DisplayName $FwDisplayName 2> $null + $Result = $ResultOutput.Enabled + + } catch { + $Result = $Finding.DefaultValue + } + + # Go on if rule not exists + If (-Not $Result) { + + If ($FwProgram -eq "") { + + $ResultRule = New-NetFirewallRule -DisplayName $FwDisplayName -Profile $FwProfile -Direction $FwDirection -Action $FwAction -Protocol $FwProtocol -LocalPort $FwLocalPort + } + Else { + $ResultRule = New-NetFirewallRule -DisplayName $FwDisplayName -Profile $FwProfile -Direction $FwDirection -Action $FwAction -Program "$FwProgram" + } + + If ($ResultRule.PrimaryStatus -eq "OK") { + + # Excellent + $ResultText = "Rule created" + $Message = "ID "+$Finding.ID+", "+$Finding.Name+", " + $ResultText + $MessageSeverity = "Passed" + } + Else { + # Bogus + $ResultText = "Rule not created" + $Message = "ID "+$Finding.ID+", "+$Finding.Name+", " + $ResultText + $MessageSeverity = "High" + } + } + Else { + # Excellent + $ResultText = "Rule already exists" + $Message = "ID "+$Finding.ID+", "+$Finding.Name+", " + $ResultText + $MessageSeverity = "Passed" + } + + Write-ResultEntry -Text $Message -SeverityLevel $MessageSeverity + + If ($Log) { + Add-MessageToFile -Text $Message -File $LogFile + } + + If ($Report) { + $Message = '"'+$Finding.ID+'","'+$Finding.Name+'","'+$ResultText+'"' + Add-MessageToFile -Text $Message -File $ReportFile + } + } + } + + # + # After all items of the checklist have been run through, the process mitigation settings can now be set... + # + If ( $ProcessmitigationEnableArray.Count -gt 0 -and $ProcessmitigationDisableArray.Count -gt 0) { + + $ResultText = "Process mitigation settings set" + $MessageSeverity = "Passed" + + try { + $Result = Set-Processmitigation -System -Enable $ProcessmitigationEnableArray -Disable $ProcessmitigationDisableArray + } + catch { + $ResultText = "Failed to set process mitigation settings" + $MessageSeverity = "High" + } + + $Message = "Starting Category Microsoft Defender Exploit Guard" + Write-Output "`n" + Write-ProtocolEntry -Text $Message -LogLevel "Info" + + $Message = $ResultText + Write-ResultEntry -Text $Message -SeverityLevel $MessageSeverity + } + ElseIf ($ProcessmitigationEnableArray.Count -gt 0 -and $ProcessmitigationDisableArray.Count -eq 0) { + $ResultText = "Process mitigation settings set" + $MessageSeverity = "Passed" + + try { + $Result = Set-Processmitigation -System -Enable $ProcessmitigationEnableArray + } + catch { + $ResultText = "Failed to set process mitigation settings" + $MessageSeverity = "High" + } + + $Message = "Starting Category Microsoft Defender Exploit Guard" + Write-Output "`n" + Write-ProtocolEntry -Text $Message -LogLevel "Info" + + $Message = $ResultText + Write-ResultEntry -Text $Message -SeverityLevel $MessageSeverity + } + ElseIf ($ProcessmitigationEnableArray.Count -eq 0 -and $ProcessmitigationDisableArray.Count -gt 0) { + $ResultText = "Process mitigation settings set" + $MessageSeverity = "Passed" + + try { + $Result = Set-Processmitigation -System -Disable $ProcessmitigationDisableArray + } + catch { + $ResultText = "Failed to set process mitigation settings" + $MessageSeverity = "High" + } + + $Message = "Starting Category Microsoft Defender Exploit Guard" + Write-Output "`n" + Write-ProtocolEntry -Text $Message -LogLevel "Info" + + $Message = $ResultText + Write-ResultEntry -Text $Message -SeverityLevel $MessageSeverity + } + } + + Write-Output "`n" + Write-ProtocolEntry -Text "HardeningKitty is done" -LogLevel "Info" + + If ($Mode -eq "Audit") { + + # HardeningKitty Score + $StatsTotal = $StatsPassed + $StatsLow + $StatsMedium + $StatsHigh + $ScoreTotal = $StatsTotal * 4 + $ScoreAchived = $StatsPassed * 4 + $StatsLow * 2 + $StatsMedium + If ($ScoreTotal -ne 0 ) { + $HardeningKittyScore = ([int] $ScoreAchived / [int] $ScoreTotal) * 5 + 1 + } + $HardeningKittyScoreRounded = [math]::round($HardeningKittyScore,2) + + # Overwrite HardeningKitty Score if no finding is passed + If ($StatsPassed -eq 0 ) { + $HardeningKittyScoreRounded = 1.00 + } + + If ($Script:StatsError -gt 0) { + Write-ProtocolEntry -Text "During the execution of HardeningKitty errors occurred due to missing admin rights or tools. For a complete result, these errors should be resolved. Total errors: $Script:StatsError" -LogLevel "Error" + } + + Write-ProtocolEntry -Text "Your HardeningKitty score is: $HardeningKittyScoreRounded. HardeningKitty Statistics: Total checks: $StatsTotal - Passed: $StatsPassed, Low: $StatsLow, Medium: $StatsMedium, High: $StatsHigh." -LogLevel "Info" + } + Write-Output "`n" +} # SIG # Begin signature block -# MIIgMwYJKoZIhvcNAQcCoIIgJDCCICACAQExCzAJBgUrDgMCGgUAMGkGCisGAQQB +# MIIgIgYJKoZIhvcNAQcCoIIgEzCCIA8CAQExCzAJBgUrDgMCGgUAMGkGCisGAQQB # gjcCAQSgWzBZMDQGCisGAQQBgjcCAR4wJgIDAQAABBAfzDtgWUsITrck0sYpfvNR -# AgEAAgEAAgEAAgEAAgEAMCEwCQYFKw4DAhoFAAQUIxs5BiXur93HIe9vhb4eVz05 -# EtOgghoFMIIF4DCCBMigAwIBAgIQeO1YDfU4t32dWmgwBkYSEDANBgkqhkiG9w0B +# AgEAAgEAAgEAAgEAAgEAMCEwCQYFKw4DAhoFAAQU1/uwAydIi/rPLppZWf9ALC2b +# Syagghn0MIIF4DCCBMigAwIBAgIQeO1YDfU4t32dWmgwBkYSEDANBgkqhkiG9w0B # AQsFADCBkTELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3Rl # cjEQMA4GA1UEBxMHU2FsZm9yZDEaMBgGA1UEChMRQ09NT0RPIENBIExpbWl0ZWQx # NzA1BgNVBAMTLkNPTU9ETyBSU0EgRXh0ZW5kZWQgVmFsaWRhdGlvbiBDb2RlIFNp @@ -2311,72 +2371,72 @@ # zM3uJ5rloMAMcofBbk1a0x7q8ETmMm8c6xdOlMN4ZSA7D0GqH+mhQZ3+sbigZSo0 # 4N6o+TzmwTC7wKBjLPxcFgCo0MR/6hGdHgbGpm0yXbQ4CStJB6r97DDa8acvz7f9 # +tCjhNknnvsBZne5VhDhIG7GrrH5trrINV0zdo7xfCAMKneutaIChrop7rRaALGM -# q+P5CslUXdS5anSevUiumDCCBwcwggTvoAMCAQICEQCMd6AAj/TRsMY9nzpIg41r +# q+P5CslUXdS5anSevUiumDCCBvYwggTeoAMCAQICEQCQOX+a0ko6E/K9kV8IOKlD # MA0GCSqGSIb3DQEBDAUAMH0xCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVy # IE1hbmNoZXN0ZXIxEDAOBgNVBAcTB1NhbGZvcmQxGDAWBgNVBAoTD1NlY3RpZ28g # TGltaXRlZDElMCMGA1UEAxMcU2VjdGlnbyBSU0EgVGltZSBTdGFtcGluZyBDQTAe -# Fw0yMDEwMjMwMDAwMDBaFw0zMjAxMjIyMzU5NTlaMIGEMQswCQYDVQQGEwJHQjEb -# MBkGA1UECBMSR3JlYXRlciBNYW5jaGVzdGVyMRAwDgYDVQQHEwdTYWxmb3JkMRgw -# FgYDVQQKEw9TZWN0aWdvIExpbWl0ZWQxLDAqBgNVBAMMI1NlY3RpZ28gUlNBIFRp -# bWUgU3RhbXBpbmcgU2lnbmVyICMyMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIIC -# CgKCAgEAkYdLLIvB8R6gntMHxgHKUrC+eXldCWYGLS81fbvA+yfaQmpZGyVM6u9A -# 1pp+MshqgX20XD5WEIE1OiI2jPv4ICmHrHTQG2K8P2SHAl/vxYDvBhzcXk6Th7ia -# 3kwHToXMcMUNe+zD2eOX6csZ21ZFbO5LIGzJPmz98JvxKPiRmar8WsGagiA6t+/n -# 1rglScI5G4eBOcvDtzrNn1AEHxqZpIACTR0FqFXTbVKAg+ZuSKVfwYlYYIrv8azN -# h2MYjnTLhIdBaWOBvPYfqnzXwUHOrat2iyCA1C2VB43H9QsXHprl1plpUcdOpp0p -# b+d5kw0yY1OuzMYpiiDBYMbyAizE+cgi3/kngqGDUcK8yYIaIYSyl7zUr0QcloIi -# lSqFVK7x/T5JdHT8jq4/pXL0w1oBqlCli3aVG2br79rflC7ZGutMJ31MBff4I13E -# V8gmBXr8gSNfVAk4KmLVqsrf7c9Tqx/2RJzVmVnFVmRb945SD2b8mD9EBhNkbunh -# FWBQpbHsz7joyQu+xYT33Qqd2rwpbD1W7b94Z7ZbyF4UHLmvhC13ovc5lTdvTn8c -# xjwE1jHFfu896FF+ca0kdBss3Pl8qu/CdkloYtWL9QPfvn2ODzZ1RluTdsSD7oK+ -# LK43EvG8VsPkrUPDt2aWXpQy+qD2q4lQ+s6g8wiBGtFEp8z3uDECAwEAAaOCAXgw -# ggF0MB8GA1UdIwQYMBaAFBqh+GEZIA/DQXdFKI7RNV8GEgRVMB0GA1UdDgQWBBRp -# dTd7u501Qk6/V9Oa258B0a7e0DAOBgNVHQ8BAf8EBAMCBsAwDAYDVR0TAQH/BAIw -# ADAWBgNVHSUBAf8EDDAKBggrBgEFBQcDCDBABgNVHSAEOTA3MDUGDCsGAQQBsjEB -# AgEDCDAlMCMGCCsGAQUFBwIBFhdodHRwczovL3NlY3RpZ28uY29tL0NQUzBEBgNV -# HR8EPTA7MDmgN6A1hjNodHRwOi8vY3JsLnNlY3RpZ28uY29tL1NlY3RpZ29SU0FU -# aW1lU3RhbXBpbmdDQS5jcmwwdAYIKwYBBQUHAQEEaDBmMD8GCCsGAQUFBzAChjNo -# dHRwOi8vY3J0LnNlY3RpZ28uY29tL1NlY3RpZ29SU0FUaW1lU3RhbXBpbmdDQS5j -# cnQwIwYIKwYBBQUHMAGGF2h0dHA6Ly9vY3NwLnNlY3RpZ28uY29tMA0GCSqGSIb3 -# DQEBDAUAA4ICAQBKA3iQQjPsexqDCTYzmFW7nUAGMGtFavGUDhlQ/1slXjvhOcRb -# uumVkDc3vd/7ZOzlgreVzFdVcEtO9KiH3SKFple7uCEn1KAqMZSKByGeir2nGvUC -# FctEUJmM7D66A3emggKQwi6Tqb4hNHVjueAtD88BN8uNovq4WpquoXqeE5MZVY8J -# kC7f6ogXFutp1uElvUUIl4DXVCAoT8p7s7Ol0gCwYDRlxOPFw6XkuoWqemnbdaQ+ -# eWiaNotDrjbUYXI8DoViDaBecNtkLwHHwaHHJJSjsjxusl6i0Pqo0bglHBbmwNV/ -# aBrEZSk1Ki2IvOqudNaC58CIuOFPePBcysBAXMKf1TIcLNo8rDb3BlKao0AwF7Ap -# FpnJqreISffoCyUztT9tr59fClbfErHD7s6Rd+ggE+lcJMfqRAtK5hOEHE3rDbW4 -# hqAwp4uhn7QszMAWI8mR5UIDS4DO5E3mKgE+wF6FoCShF0DV29vnmBCk8eoZG4BU -# +keJ6JiBqXXADt/QaJR5oaCejra3QmbL2dlrL03Y3j4yHiDk7JxNQo2dxzOZgjdE -# 1CYpJkCOeC+57vov8fGP/lC4eN0Ult4cDnCwKoVqsWxo6SrkECtuIf3TfJ035CoG -# 1sPx12jjTwd5gQgT/rJkXumxPObQeCOyCSziJmK/O6mXUczHRDKBsq/P3zGCBZgw -# ggWUAgEBMIGmMIGRMQswCQYDVQQGEwJHQjEbMBkGA1UECBMSR3JlYXRlciBNYW5j -# aGVzdGVyMRAwDgYDVQQHEwdTYWxmb3JkMRowGAYDVQQKExFDT01PRE8gQ0EgTGlt -# aXRlZDE3MDUGA1UEAxMuQ09NT0RPIFJTQSBFeHRlbmRlZCBWYWxpZGF0aW9uIENv -# ZGUgU2lnbmluZyBDQQIQeO1YDfU4t32dWmgwBkYSEDAJBgUrDgMCGgUAoHgwGAYK -# KwYBBAGCNwIBDDEKMAigAoAAoQKAADAZBgkqhkiG9w0BCQMxDAYKKwYBBAGCNwIB -# BDAcBgorBgEEAYI3AgELMQ4wDAYKKwYBBAGCNwIBFTAjBgkqhkiG9w0BCQQxFgQU -# 5vdRkm9FAxjUu+ovGe2kwgphaaEwDQYJKoZIhvcNAQEBBQAEggEAfKTA5UUMbBis -# Q6b+cFGitSwtnX4VmSIq0hsbC3y+ZEAo74qysA1vNS7G6DJQx3Km1ikCOX6qhw2F -# zuXVK3JEMgxuFTzn+9GtAA9QX0bUflWn2PR8WYDCexEez9h/tkN/oFI7PuoWZAtV -# JZxk0dXEtApkoQdMTUCahQ3Ony+2ZKLPTC8CMOvWZKW9YpSB25DN+gskzofj+wHk -# fQp8rl2Lk/eGBD686rbZMdIizI77SI0HPccmEsJ4qfy4y5fd8oArOUJUoFowR9ua -# i93WMoAeSR+d5yd09N+hCsNfEV3k3JpBDhNyV5xati75NFY8pfz5zanPZsncFbYu -# ZPrcaTCfBaGCA0wwggNIBgkqhkiG9w0BCQYxggM5MIIDNQIBATCBkjB9MQswCQYD -# VQQGEwJHQjEbMBkGA1UECBMSR3JlYXRlciBNYW5jaGVzdGVyMRAwDgYDVQQHEwdT -# YWxmb3JkMRgwFgYDVQQKEw9TZWN0aWdvIExpbWl0ZWQxJTAjBgNVBAMTHFNlY3Rp -# Z28gUlNBIFRpbWUgU3RhbXBpbmcgQ0ECEQCMd6AAj/TRsMY9nzpIg41rMA0GCWCG -# SAFlAwQCAgUAoHkwGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0B -# CQUxDxcNMjExMjI0MDkxMDUxWjA/BgkqhkiG9w0BCQQxMgQwu4GLYVumP1BVZv/Q -# CP6c4yZrbO14RXkkVkUUnDepv1oVApCCgLGBjDVbj/Vaf+amMA0GCSqGSIb3DQEB -# AQUABIICAExuDUibuyvfk7UBX0EHDnZQWl2MTq3sRxI6B0+cZY8qhy7Z5fNCrvWN -# /toDDZ/Exk0l9yr12bogmUYB9tETGmpc8pCm0zVR9SaXAG1lo1Go+NAd5AJqMvIn -# Iikz6tLYCAhWtiOGqoOk2AwtIwTO7APCPmylaOMa+AZILCHXETjrpNnjNIHI9lPI -# KMHPNn/NPJpdhsuw1g+IlRXMqgOxewTjQ+IZyDEJQvACKicOexiP6k8xlIu+KADm -# VgJrAInLfHBiaXTrRXUDjW0dlCRJykPP0EUNQEN4LeIKk2RGpyepYsvp0ZVnaf7L -# ZnNahuDQXbZFNKxpy0BsGam27E3WlGhzmFs2k+IOkjYeTtdDrg+842oWFp5COrpG -# Qet3yCaF/rwL0tcpP9YWDATSSOTj2ShJI+r/D6YZ2/qm3CTCL1vF1AdEGE90Zn/q -# jMWiEhGq8BDRoEFMq/njx7bpeaR57mIlks7UsuhnaYvSmQJsKUd4PhhdFRO7rn+8 -# y9OqXtFFXs/YLYDK9AMwZx+iJTOlBngHp2aK6XZaqa6xaVEexqruqIAZ6xCTGw7o -# PBrhTIZUapcMUygWBLKYpCg1NOGrHDwEzbMM7qydTDxFP1gwxWFoDutfGwIaag/I -# Ggf7VaGhW95AsaWUBRhe0r/8Kknt6INIhP/zRaufyjxtozWNyvAy +# Fw0yMjA1MTEwMDAwMDBaFw0zMzA4MTAyMzU5NTlaMGoxCzAJBgNVBAYTAkdCMRMw +# EQYDVQQIEwpNYW5jaGVzdGVyMRgwFgYDVQQKEw9TZWN0aWdvIExpbWl0ZWQxLDAq +# BgNVBAMMI1NlY3RpZ28gUlNBIFRpbWUgU3RhbXBpbmcgU2lnbmVyICMzMIICIjAN +# BgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAkLJxP3nh1LmKF8zDl8KQlHLtWjpv +# AUN/c1oonyR8oDVABvqUrwqhg7YT5EsVBl5qiiA0cXu7Ja0/WwqkHy9sfS5hUdCM +# WTc+pl3xHl2AttgfYOPNEmqIH8b+GMuTQ1Z6x84D1gBkKFYisUsZ0vCWyUQfOV2c +# sJbtWkmNfnLkQ2t/yaA/bEqt1QBPvQq4g8W9mCwHdgFwRd7D8EJp6v8mzANEHxYo +# 4Wp0tpxF+rY6zpTRH72MZar9/MM86A2cOGbV/H0em1mMkVpCV1VQFg1LdHLuoCox +# /CYCNPlkG1n94zrU6LhBKXQBPw3gE3crETz7Pc3Q5+GXW1X3KgNt1c1i2s6cHvzq +# cH3mfUtozlopYdOgXCWzpSdoo1j99S1ryl9kx2soDNqseEHeku8Pxeyr3y1vGlRR +# bDOzjVlg59/oFyKjeUFiz/x785LaruA8Tw9azG7fH7wir7c4EJo0pwv//h1epPPu +# FjgrP6x2lEGdZB36gP0A4f74OtTDXrtpTXKZ5fEyLVH6Ya1N6iaObfypSJg+8kYN +# abG3bvQF20EFxhjAUOT4rf6sY2FHkbxGtUZTbMX04YYnk4Q5bHXgHQx6WYsuy/Rk +# LEJH9FRYhTflx2mn0iWLlr/GreC9sTf3H99Ce6rrHOnrPVrd+NKQ1UmaOh2DGld/ +# HAHCzhx9zPuWFcUCAwEAAaOCAYIwggF+MB8GA1UdIwQYMBaAFBqh+GEZIA/DQXdF +# KI7RNV8GEgRVMB0GA1UdDgQWBBQlLmg8a5orJBSpH6LfJjrPFKbx4DAOBgNVHQ8B +# Af8EBAMCBsAwDAYDVR0TAQH/BAIwADAWBgNVHSUBAf8EDDAKBggrBgEFBQcDCDBK +# BgNVHSAEQzBBMDUGDCsGAQQBsjEBAgEDCDAlMCMGCCsGAQUFBwIBFhdodHRwczov +# L3NlY3RpZ28uY29tL0NQUzAIBgZngQwBBAIwRAYDVR0fBD0wOzA5oDegNYYzaHR0 +# cDovL2NybC5zZWN0aWdvLmNvbS9TZWN0aWdvUlNBVGltZVN0YW1waW5nQ0EuY3Js +# MHQGCCsGAQUFBwEBBGgwZjA/BggrBgEFBQcwAoYzaHR0cDovL2NydC5zZWN0aWdv +# LmNvbS9TZWN0aWdvUlNBVGltZVN0YW1waW5nQ0EuY3J0MCMGCCsGAQUFBzABhhdo +# dHRwOi8vb2NzcC5zZWN0aWdvLmNvbTANBgkqhkiG9w0BAQwFAAOCAgEAc9rtaHLL +# wrlAoTG7tAOjLRR7JOe0WxV9qOn9rdGSDXw9NqBp2fOaMNqsadZ0VyQ/fg882fXD +# eSVsJuiNaJPO8XeJOX+oBAXaNMMU6p8IVKv/xH6WbCvTlOu0bOBFTSyy9zs7WrXB +# +9eJdW2YcnL29wco89Oy0OsZvhUseO/NRaAA5PgEdrtXxZC+d1SQdJ4LT03EqhOP +# l68BNSvLmxF46fL5iQQ8TuOCEmLrtEQMdUHCDzS4iJ3IIvETatsYL254rcQFtOiE +# CJMH+X2D/miYNOR35bHOjJRs2wNtKAVHfpsu8GT726QDMRB8Gvs8GYDRC3C5VV9H +# vjlkzrfaI1Qy40ayMtjSKYbJFV2Ala8C+7TRLp04fDXgDxztG0dInCJqVYLZ8roI +# ZQPl8SnzSIoJAUymefKithqZlOuXKOG+fRuhfO1WgKb0IjOQ5IRT/Cr6wKeXqOq1 +# jXrO5OBLoTOrC3ag1WkWt45mv1/6H8Sof6ehSBSRDYL8vU2Z7cnmbDb+d0OZuGkt +# fGEv7aOwSf5bvmkkkf+T/FdpkkvZBT9thnLTotDAZNI6QsEaA/vQ7ZohuD+vprJR +# VNVMxcofEo1XxjntXP/snyZ2rWRmZ+iqMODSrbd9sWpBJ24DiqN04IoJgm6/4/a3 +# vJ4LKRhogaGcP24WWUsUCQma5q6/YBXdhvUxggWYMIIFlAIBATCBpjCBkTELMAkG +# A1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UEBxMH +# U2FsZm9yZDEaMBgGA1UEChMRQ09NT0RPIENBIExpbWl0ZWQxNzA1BgNVBAMTLkNP +# TU9ETyBSU0EgRXh0ZW5kZWQgVmFsaWRhdGlvbiBDb2RlIFNpZ25pbmcgQ0ECEHjt +# WA31OLd9nVpoMAZGEhAwCQYFKw4DAhoFAKB4MBgGCisGAQQBgjcCAQwxCjAIoAKA +# AKECgAAwGQYJKoZIhvcNAQkDMQwGCisGAQQBgjcCAQQwHAYKKwYBBAGCNwIBCzEO +# MAwGCisGAQQBgjcCARUwIwYJKoZIhvcNAQkEMRYEFFCKbt4ZLGSGpxdSDRNAnZ+5 +# Ee7kMA0GCSqGSIb3DQEBAQUABIIBAGqdYDlT6e5qa3aj5sLFqCkIcn5VeUC5UnTh +# 85aRlA8e2mMWbgm55ftNzZ/Swu6HFMHwXIgUAxpLyu8PehFhEV20IIWi+BfTucKQ +# QEzEhZDCvTCN2zQgNWoolWQb8mbAZnHDexj0lGjuHmGtMSkW1gWaGnGs56etL0FW +# zk6Wn2oAs1v69+dWCBvxr2swVteghywyRVfzvo2yoNFs+7fPwLWYlS9EBh+i1j2+ +# Vx/8VTlWmBKKMyv9U6GrLPVQQCWR9S91qD46nOyqyeUcFka62TpKS7jQSeV0A4+d +# wDQ1F3mco/e+NYecb9s1Zy/NMOVlyxgq2r5YJQi/4knfJP+HKDOhggNMMIIDSAYJ +# KoZIhvcNAQkGMYIDOTCCAzUCAQEwgZIwfTELMAkGA1UEBhMCR0IxGzAZBgNVBAgT +# EkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UEBxMHU2FsZm9yZDEYMBYGA1UEChMP +# U2VjdGlnbyBMaW1pdGVkMSUwIwYDVQQDExxTZWN0aWdvIFJTQSBUaW1lIFN0YW1w +# aW5nIENBAhEAkDl/mtJKOhPyvZFfCDipQzANBglghkgBZQMEAgIFAKB5MBgGCSqG +# SIb3DQEJAzELBgkqhkiG9w0BBwEwHAYJKoZIhvcNAQkFMQ8XDTIyMDYzMDA1NDgz +# N1owPwYJKoZIhvcNAQkEMTIEMGL06yR2zyw7xueY65D37QTQnYpBwqdKDZGG8asK +# uuuhd5nAKov197FNH6s+neS+izANBgkqhkiG9w0BAQEFAASCAgB79n3BmJZYNJ7k +# xKOjcd6LWRSsXL8pbTbMtiqcUpgBd6ivf7hd1uT5QrtVMtI6mYrmEOz2xSu0lqzD +# PVb5pdFcERWO3etYo+mQre2lR0cegqBFZzGxbAzd4la4/wf9abpZIqy+u7JGJDAV +# FAUVKEBD1BZ7Y/K1sK+V5vwNZ9DHbZSnKx8UzFAaRV+Mb5wMXLanO3yJSQkFMfva +# ZUtMNttDzZeiVUtqKxA3sL7hBOkPhh6nbemMcFmFrr4fJYtbWFF68Xx3u79w48wX +# JBU6isSe2VBM36AYcMb/5YYWU+z2ZOhIpCBqFg+G8UBIciX9++/OyjbIdi9EXlzF +# AXla2ZAfnWP2o/Rlrv43BZGlxO2HesZGrBY3EP3JJNoYeeZ/3Fo6Xa0tnFIDUjvr +# PlLw8pn2nKdsFm1FUYs+I3H3xsnGbFKHY6fdZ/hjQnRPdBhZXuWcjEwFlx1UgmF/ +# y0CcHq70qWnjbBevUWWLApW6Uo7mZC/ZYCLKGX8d7guMy67E+N4T9y8R6GeOlrQX +# Cbn98VxK5F70laZRC85qphYJkT5v5eBVNfxpsejou+fCNxCMsuC36xsD6jY5SbUh +# m8G23AGb9aF7SHOvZVUAHBEE0gYfpf6d0PfKHj0icmO02kc3PQXJFyEA3Z0D2KoV +# vBB185B7ZcDcjtCYcronoWBgA13ddQ== # SIG # End signature block diff --git a/README.md b/README.md index 283bc15..00d9d3f 100644 --- a/README.md +++ b/README.md @@ -143,14 +143,24 @@ HardeningKitty can be used to audit systems against the following baselines / be | CIS Microsoft Windows 10 Enterprise (User) | 2004 | 1.9.1 | | CIS Microsoft Windows 10 Enterprise (Machine) | 20H2 | 1.10.1 | | CIS Microsoft Windows 10 Enterprise (User) | 20H2 | 1.10.1 | +| CIS Microsoft Windows 10 Enterprise (Machine) | 21H1 | 1.11.0 | +| CIS Microsoft Windows 10 Enterprise (User) | 21H1 | 1.11.0 | +| CIS Microsoft Windows 10 Enterprise (Machine) | 21H2 | 1.12.0 | +| CIS Microsoft Windows 10 Enterprise (User) | 21H2 | 1.12.0 | +| CIS Microsoft Windows 11 Enterprise (Machine) | 21H2 | 1.0.0 | +| CIS Microsoft Windows 11 Enterprise (User) | 21H2 | 1.0.0 | | CIS Microsoft Windows Server 2012 R2 (Machine) | R2 | 2.4.0 | | CIS Microsoft Windows Server 2012 R2 (User) | R2 | 2.4.0 | | CIS Microsoft Windows Server 2016 (Machine) | 1607 | 1.2.0 | | CIS Microsoft Windows Server 2016 (User) | 1607 | 1.2.0 | +| CIS Microsoft Windows Server 2016 (Machine) | 1607 | 1.3.0 | +| CIS Microsoft Windows Server 2016 (User) | 1607 | 1.3.0 | | CIS Microsoft Windows Server 2019 (Machine) | 1809 | 1.1.0 | | CIS Microsoft Windows Server 2019 (User) | 1809 | 1.1.0 | -| CIS Microsoft Windows Server 2019 (Machine) | 1809 | 1.2.0 | -| CIS Microsoft Windows Server 2019 (User) | 1809 | 1.2.0 | +| CIS Microsoft Windows Server 2019 (Machine) | 1809 | 1.2.1 | +| CIS Microsoft Windows Server 2019 (User) | 1809 | 1.2.1 | +| CIS Microsoft Windows Server 2022 (Machine) | 21H2 | 1.0.0 | +| CIS Microsoft Windows Server 2022 (User) | 21H2 | 1.0.0 | | DoD Microsoft Windows 10 STIG (Machine) | 20H2 | v2r1 | | DoD Microsoft Windows 10 STIG (User) | 20H2 | v2r1 | | DoD Windows Server 2019 Domain Controller STIG (Machine) | 20H2 | v2r1 | @@ -165,6 +175,8 @@ HardeningKitty can be used to audit systems against the following baselines / be | Microsoft Security baseline for Microsoft Edge | 93, 94 | Final | | Microsoft Security baseline for Microsoft Edge | 95 | Final | | Microsoft Security baseline for Microsoft Edge | 96 | Final | +| Microsoft Security baseline for Microsoft Edge | 97 | Final | +| Microsoft Security baseline for Microsoft Edge | 98, 99, 100, 101, 102, 103 | Final | | Microsoft Security baseline for Windows 10 | 2004 | Final | | Microsoft Security baseline for Windows 10 | 20H2, 21H1 | Final | | Microsoft Security baseline for Windows 10 | 21H2 | Final | @@ -181,5 +193,8 @@ HardeningKitty can be used to audit systems against the following baselines / be | Microsoft Security Baseline for Microsoft 365 Apps for enterprise (User) | v2104, v2106 | Final | | Microsoft Security Baseline for Microsoft 365 Apps for enterprise (Machine) | v2112 | Final | | Microsoft Security Baseline for Microsoft 365 Apps for enterprise (User) | v2112 | Final | +| Microsoft Security Baseline for Microsoft 365 Apps for enterprise (Machine) | v2206 | Final | +| Microsoft Security Baseline for Microsoft 365 Apps for enterprise (User) | v2206 | Final | | Microsoft Windows Server TLS Settings | 1809 | 1.0 | | Microsoft Windows Server TLS Settings (Future Use with TLSv1.3) | 1903 | 1.0 | + diff --git a/lists/finding_list_0x6d69636b_machine.csv b/lists/finding_list_0x6d69636b_machine.csv index ae5c1eb..cf97364 100644 --- a/lists/finding_list_0x6d69636b_machine.csv +++ b/lists/finding_list_0x6d69636b_machine.csv @@ -154,7 +154,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 1693,"Administrative Templates: System","Remote Procedure Call: Restrict Unauthenticated RPC clients",Registry,,"HKLM:\Software\Policies\Microsoft\Windows NT\Rpc",RestrictRemoteClients,,,,0,2,=,Medium 1694,"Administrative Templates: System","Security Settings: Enable svchost.exe mitigation options",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\SCMConfig,EnableSvchostMitigationPolicy,,,,0,1,=,Medium 1695,"Administrative Templates: System","Windows Performance PerfTrack: Enable/Disable PerfTrack",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d},ScenarioExecutionEnabled,,,,1,0,=,Medium -1696,"Administrative Templates: System","User Profiles: Turn of the advertising ID",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo,DisabledByGroupPolicy,,,,0,1,=,Medium +1696,"Administrative Templates: System","User Profiles: Turn off the advertising ID",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo,DisabledByGroupPolicy,,,,0,1,=,Medium 1697,"Administrative Templates: System","Time Providers: Enable Windows NTP Client",Registry,,HKLM:\Software\Policies\Microsoft\W32time\TimeProviders\NtpClient,Enabled,,,,0,1,=,Medium 1698,"Administrative Templates: System","Time Providers: Enable Windows NTP Server",Registry,,HKLM:\Software\Policies\Microsoft\W32time\TimeProviders\NtpServer,Enabled,,,,0,0,=,Medium 1700,"Administrative Templates: Windows Components","App Package Deployment: Allow a Windows app to share application data between users",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\AppModel\StateManager,AllowSharedLocalAppData,,,,1,0,=,Medium @@ -184,15 +184,15 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 1721,"Administrative Templates: Windows Components","Cloud Content: Turn off Microsoft consumer experiences",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CloudContent,DisableWindowsConsumerFeatures,,,,0,1,=,Medium 1722,"Administrative Templates: Windows Components","Credential User Interface: Do not display the password reveal button",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CredUI,DisablePasswordReveal,,,,0,1,=,Medium 1724,"Administrative Templates: Windows Components","Credential User Interface: Enumerate administrator accounts on elevation",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI,EnumerateAdministrators,,,,1,0,=,Medium -1725,"Administrative Templates: Windows Components","Data Collection and Preview Builds: Allow Telemetry",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DataCollection,AllowTelemetry,,,,2,1,<=,Medium +1725,"Administrative Templates: Windows Components","Data Collection and Preview Builds: Allow Diagnostic Data",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DataCollection,AllowTelemetry,,,,2,1,<=,Medium 1726,"Administrative Templates: Windows Components","Data Collection and Preview Builds: Allow device name to be sent in Windows diagnostic data",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DataCollection,AllowDeviceNameInTelemetry,,,,1,0,=,Medium 1727,"Administrative Templates: Windows Components","Delivery Optimization: Download Mode",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization,DODownloadMode,,,,1,99,=,Medium -1728,"Administrative Templates: Windows Components","Event Log Service: Specify the maximum Application log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Application,MaxSize,,,,4096,32768,>=,Medium -1729,"Administrative Templates: Windows Components","Event Log Service: Specify the maximum Security log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Security,MaxSize,,,,4096,196608,>=,Medium -1730,"Administrative Templates: Windows Components","Event Log Service: Specify the maximum System log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\System,MaxSize,,,,4096,32768,>=,Medium +1728,"Administrative Templates: Windows Components","Event Log Service: Application: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Application,MaxSize,,,,4096,32768,>=,Medium +1729,"Administrative Templates: Windows Components","Event Log Service: Security: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Security,MaxSize,,,,4096,196608,>=,Medium +1730,"Administrative Templates: Windows Components","Event Log Service: System: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\System,MaxSize,,,,4096,32768,>=,Medium 1731,"Administrative Templates: Windows Components","File Explorer: Allow the use of remote paths in file shortcut icons",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Explorer,EnableShellShortcutIconRemotePath,,,,0,0,=,Medium 1732,"Administrative Templates: Windows Components","HomeGroup: Prevent the computer from joining a homegroup",Registry,,HKLM:\Software\Policies\Microsoft\Windows\HomeGroup,DisableHomeGroup,,,,0,1,=,Medium -1800,"Microsoft Defender Antivirus","Turn off Windows Defender Antivirus",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender",DisableAntiSpyware,,,,0,0,=,Medium +1800,"Microsoft Defender Antivirus","Turn off Microsoft Defender Antivirus",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender",DisableAntiSpyware,,,,0,0,=,Medium 1801,"Microsoft Defender Antivirus","Configure detection for potentially unwanted applications",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender",PUAProtection,,,,0,1,>=,Medium 1806,"Microsoft Defender Antivirus","Exclusions: Extension Exclusions (Policy)",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions",Exclusions_Extensions,,,,,,=,Medium 1807,"Microsoft Defender Antivirus","Exclusions: List Extension Exclusions",MpPreferenceExclusion,ExclusionExtension,,,,,,,,=,Medium @@ -204,20 +204,20 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 1900,"Microsoft Defender Exploit Guard","Attack Surface Reduction rules",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR",ExploitGuard_ASR_Rules,,,,0,1,=,Medium 1901,"Microsoft Defender Exploit Guard","ASR: Block executable content from email client and webmail (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",be9ba2d9-53ea-4cdc-84e5-9b1eeee46550,,,,0,1,=,Medium 1916,"Microsoft Defender Exploit Guard","ASR: Block executable content from email client and webmail",MpPreferenceAsr,be9ba2d9-53ea-4cdc-84e5-9b1eeee46550,,,,,,0,1,=,Medium -1902,"Microsoft Defender Exploit Guard","ASR: Block Office applications from creating child processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",d4f940ab-401b-4efc-aadc-ad5f3c50688a,,,,0,1,=,Medium -1917,"Microsoft Defender Exploit Guard","ASR: Block Office applications from creating child processes",MpPreferenceAsr,d4f940ab-401b-4efc-aadc-ad5f3c50688a,,,,,,0,1,=,Medium +1902,"Microsoft Defender Exploit Guard","ASR: Block all Office applications from creating child processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",d4f940ab-401b-4efc-aadc-ad5f3c50688a,,,,0,1,=,Medium +1917,"Microsoft Defender Exploit Guard","ASR: Block all Office applications from creating child processes",MpPreferenceAsr,d4f940ab-401b-4efc-aadc-ad5f3c50688a,,,,,,0,1,=,Medium 1903,"Microsoft Defender Exploit Guard","ASR: Block Office applications from creating executable content (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",3b576869-a4ec-4529-8536-b80a7769e899,,,,0,1,=,Medium 1918,"Microsoft Defender Exploit Guard","ASR: Block Office applications from creating executable content",MpPreferenceAsr,3b576869-a4ec-4529-8536-b80a7769e899,,,,,,0,1,=,Medium -1904,"Microsoft Defender Exploit Guard","ASR: Block Office applications from injecting into other processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84,,,,0,1,=,Medium -1919,"Microsoft Defender Exploit Guard","ASR: Block Office applications from injecting into other processes",MpPreferenceAsr,75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84,,,,,,0,1,=,Medium +1904,"Microsoft Defender Exploit Guard","ASR: Block Office applications from injecting code into other processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84,,,,0,1,=,Medium +1919,"Microsoft Defender Exploit Guard","ASR: Block Office applications from injecting code into other processes",MpPreferenceAsr,75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84,,,,,,0,1,=,Medium 1905,"Microsoft Defender Exploit Guard","ASR: Block JavaScript or VBScript from launching downloaded executable content (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",d3e037e1-3eb8-44c8-a917-57927947596d,,,,0,1,=,Medium 1920,"Microsoft Defender Exploit Guard","ASR: Block JavaScript or VBScript from launching downloaded executable content",MpPreferenceAsr,d3e037e1-3eb8-44c8-a917-57927947596d,,,,,,0,1,=,Medium 1906,"Microsoft Defender Exploit Guard","ASR: Block execution of potentially obfuscated scripts (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",5beb7efe-fd9a-4556-801d-275e5ffc04cc,,,,0,1,=,Medium 1921,"Microsoft Defender Exploit Guard","ASR: Block execution of potentially obfuscated scripts",MpPreferenceAsr,5beb7efe-fd9a-4556-801d-275e5ffc04cc,,,,,,0,1,=,Medium -1907,"Microsoft Defender Exploit Guard","ASR: Block Win32 imports from Macro code in Office (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b,,,,0,1,=,Medium -1922,"Microsoft Defender Exploit Guard","ASR: Block Win32 imports from Macro code in Office",MpPreferenceAsr,92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b,,,,,,0,1,=,Medium -1908,"Microsoft Defender Exploit Guard","ASR: Block executable files from running unless they meet a prevalence, age, or trusted list criteria (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",01443614-cd74-433a-b99e-2ecdc07bfc25,,,,0,1,=,Medium -1923,"Microsoft Defender Exploit Guard","ASR: Block executable files from running unless they meet a prevalence, age, or trusted list criteria",MpPreferenceAsr,01443614-cd74-433a-b99e-2ecdc07bfc25,,,,,,0,1,=,Medium +1907,"Microsoft Defender Exploit Guard","ASR: Block Win32 API calls from Office macros (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b,,,,0,1,=,Medium +1922,"Microsoft Defender Exploit Guard","ASR: Block Win32 API calls from Office macros",MpPreferenceAsr,92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b,,,,,,0,1,=,Medium +1908,"Microsoft Defender Exploit Guard","ASR: Block executable files from running unless they meet a prevalence, age, or trusted list criterion (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",01443614-cd74-433a-b99e-2ecdc07bfc25,,,,0,1,=,Medium +1923,"Microsoft Defender Exploit Guard","ASR: Block executable files from running unless they meet a prevalence, age, or trusted list criterion",MpPreferenceAsr,01443614-cd74-433a-b99e-2ecdc07bfc25,,,,,,0,1,=,Medium 1909,"Microsoft Defender Exploit Guard","ASR: Use advanced protection against ransomware (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",c1db55ab-c21a-4637-bb3f-a12568109d35,,,,0,1,=,Medium 1924,"Microsoft Defender Exploit Guard","ASR: Use advanced protection against ransomware",MpPreferenceAsr,c1db55ab-c21a-4637-bb3f-a12568109d35,,,,,,0,1,=,Medium 1910,"Microsoft Defender Exploit Guard","ASR: Block credential stealing from the Windows local security authority subsystem (lsass.exe) (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2,,,,0,1,=,Medium @@ -226,8 +226,8 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 1926,"Microsoft Defender Exploit Guard","ASR: Block process creations originating from PSExec and WMI commands",MpPreferenceAsr,d1e49aac-8f56-4280-b9ba-993a6d77406c,,,,,,0,1,=,Medium 1912,"Microsoft Defender Exploit Guard","ASR: Block untrusted and unsigned processes that run from USB (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4,,,,0,1,=,Medium 1927,"Microsoft Defender Exploit Guard","ASR: Block untrusted and unsigned processes that run from USB",MpPreferenceAsr,b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4,,,,,,0,1,=,Medium -1913,"Microsoft Defender Exploit Guard","ASR: Block Office communication applications from creating child processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",26190899-1602-49e8-8b27-eb1d0a1ce869,,,,0,1,=,Medium -1928,"Microsoft Defender Exploit Guard","ASR: Block Office communication applications from creating child processes",MpPreferenceAsr,26190899-1602-49e8-8b27-eb1d0a1ce869,,,,,,0,1,=,Medium +1913,"Microsoft Defender Exploit Guard","ASR: Block Office communication application from creating child processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",26190899-1602-49e8-8b27-eb1d0a1ce869,,,,0,1,=,Medium +1928,"Microsoft Defender Exploit Guard","ASR: Block Office communication application from creating child processes",MpPreferenceAsr,26190899-1602-49e8-8b27-eb1d0a1ce869,,,,,,0,1,=,Medium 1914,"Microsoft Defender Exploit Guard","ASR: Block Adobe Reader from creating child processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c,,,,0,1,=,Medium 1929,"Microsoft Defender Exploit Guard","ASR: Block Adobe Reader from creating child processes",MpPreferenceAsr,7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c,,,,,,0,1,=,Medium 1915,"Microsoft Defender Exploit Guard","ASR: Block persistence through WMI event subscription (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",e6db77e5-3df2-4cf1-b95a-636979351e5b,,,,0,1,=,Medium diff --git a/lists/finding_list_bsi_sisyphus_windows_10_hd_machine.csv b/lists/finding_list_bsi_sisyphus_windows_10_hd_machine.csv index 27f150a..1fabd4f 100644 --- a/lists/finding_list_bsi_sisyphus_windows_10_hd_machine.csv +++ b/lists/finding_list_bsi_sisyphus_windows_10_hd_machine.csv @@ -73,7 +73,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 31,"Administrative Templates: Network","Windows Connect Now: Configuration of wireless settings using Windows Connect Now (DisableWPDRegistrar)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars,DisableWPDRegistrar,,,,1,0,=,Medium 32,"Administrative Templates: Network","Windows Connect Now: Prohibit access of the Windows Connect Now wizards",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WCN\UI,DisableWcnUi,,,,0,1,=,Medium 36,"Administrative Templates: Start Menu and Taskbar","Notifications: Turn off notifications network usage",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications,NoCloudApplicationNotification,,,,0,1,=,Medium -47,"Administrative Templates: System","User Profiles: Turn of the advertising ID",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo,DisabledByGroupPolicy,,,,0,1,=,Medium +47,"Administrative Templates: System","User Profiles: Turn off the advertising ID",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo,DisabledByGroupPolicy,,,,0,1,=,Medium 48,"Administrative Templates: System","OS Policies: Allow upload of User Activities",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,UploadUserActivities,,,,1,0,=,Medium 49,"Administrative Templates: System","OS Policies: Allow Clipboard synchronization across devices",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,AllowCrossDeviceClipboard,,,,1,0,=,Medium 58,"Administrative Templates: System","Locale Services: Disallow copying of user input methods to the system account for sign-in",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Control Panel\International",BlockUserInputMethodsForSignIn,,,,0,1,=,Medium diff --git a/lists/finding_list_bsi_sisyphus_windows_10_nd_machine.csv b/lists/finding_list_bsi_sisyphus_windows_10_nd_machine.csv index 0bd7929..8ca2aa0 100644 --- a/lists/finding_list_bsi_sisyphus_windows_10_nd_machine.csv +++ b/lists/finding_list_bsi_sisyphus_windows_10_nd_machine.csv @@ -103,8 +103,8 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 267,"Security Options","Network access: Shares that can be accessed anonymously",Registry,,HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters,NullSessionShares,,,,,,=,Medium 268,"Security Options","Network access: Sharing and security model for local accounts",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,ForceGuest,,,,0,0,=,Medium 269,"Security Options","Network access: Named Pipes that can be accessed anonymously",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters,NullSessionPipes,,,,,,=,Medium -270,"Security Options","Network access: Remotely accessible registry paths and sub-paths",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths,Machine,,,,"System\CurrentControlSet\Control\Print\Printers System\CurrentControlSet\Services\Eventlog Software\Microsoft\OLAP Server Software\Microsoft\Windows NT\CurrentVersion\Print Software\Microsoft\Windows NT\CurrentVersion\Windows System\CurrentControlSet\Control\ContentIndex System\CurrentControlSet\Control\Terminal Server System\CurrentControlSet\Control\Terminal Server\UserConfig System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration Software\Microsoft\Windows NT\CurrentVersion\Perflib System\CurrentControlSet\Services\SysmonLog","System\CurrentControlSet\Control\Print\Printers System\CurrentControlSet\Services\Eventlog Software\Microsoft\OLAP Server Software\Microsoft\Windows NT\CurrentVersion\Print Software\Microsoft\Windows NT\CurrentVersion\Windows System\CurrentControlSet\Control\ContentIndex System\CurrentControlSet\Control\Terminal Server System\CurrentControlSet\Control\Terminal Server\UserConfig System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration Software\Microsoft\Windows NT\CurrentVersion\Perflib System\CurrentControlSet\Services\SysmonLog",=,Medium -271,"Security Options","Network access: Remotely accessible registry paths",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths,Machine,,,,"System\CurrentControlSet\Control\ProductOptions System\CurrentControlSet\Control\Server Applications Software\Microsoft\Windows NT\CurrentVersion","System\CurrentControlSet\Control\ProductOptions System\CurrentControlSet\Control\Server Applications Software\Microsoft\Windows NT\CurrentVersion",=,Medium +270,"Security Options","Network access: Remotely accessible registry paths and sub-paths",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths,Machine,,,,"System\CurrentControlSet\Control\Print\Printers System\CurrentControlSet\Services\Eventlog Software\Microsoft\OLAP Server Software\Microsoft\Windows NT\CurrentVersion\Print Software\Microsoft\Windows NT\CurrentVersion\Windows System\CurrentControlSet\Control\ContentIndex System\CurrentControlSet\Control\Terminal Server System\CurrentControlSet\Control\Terminal Server\UserConfig System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration Software\Microsoft\Windows NT\CurrentVersion\Perflib System\CurrentControlSet\Services\SysmonLog","System\CurrentControlSet\Control\Print\Printers;System\CurrentControlSet\Services\Eventlog;Software\Microsoft\OLAP Server;Software\Microsoft\Windows NT\CurrentVersion\Print;Software\Microsoft\Windows NT\CurrentVersion\Windows;System\CurrentControlSet\Control\ContentIndex;System\CurrentControlSet\Control\Terminal Server;System\CurrentControlSet\Control\Terminal Server\UserConfig;System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration;Software\Microsoft\Windows NT\CurrentVersion\Perflib;System\CurrentControlSet\Services\SysmonLog",=,Medium +271,"Security Options","Network access: Remotely accessible registry paths",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths,Machine,,,,"System\CurrentControlSet\Control\ProductOptions System\CurrentControlSet\Control\Server Applications Software\Microsoft\Windows NT\CurrentVersion","System\CurrentControlSet\Control\ProductOptions;System\CurrentControlSet\Control\Server Applications;Software\Microsoft\Windows NT\CurrentVersion",=,Medium 272,"Security Options","Network access: Do not allow storage of passwords and credentials for network authentication",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,DisableDomainCreds,,,,0,1,=,Medium 275,"Security Options","System objects: Require case insensitivity for non-Windows subsystem",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel",ObCaseInsensitive,,,,,1,=,Medium 276,"Security Options","System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)",Registry,,"HKLM:\System\CurrentControlSet\Control\Session Manager",ProtectionMode,,,,1,1,=,Medium @@ -203,7 +203,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 62,"Administrative Templates: System","Group Policy: Turn off background refresh of Group Policy",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,DisableBkGndGroupPolicy,,,,0,0,=,Medium 63,"Administrative Templates: System","Group Policy: Process even if the Group Policy objects have not changed",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}",NoBackgroundPolicy,,,,1,0,=,Medium 64,"Administrative Templates: System","Group Policy: Do not apply during periodic background processing",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}",NoGPOListChanges,,,,0,0,=,Medium -65,"Administrative Templates: System","Group Policy: Do not apply during periodic background processing",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}",NoGPOListChanges,,,,0,0,=,Medium +65,"Administrative Templates: System","Group Policy: Configure security policy processing: Process even if the Group Policy objects have not changed",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\Group Policy\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}",NoGPOListChanges,,,,1,0,=,Medium 68,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off downloading of print drivers over HTTP",Registry,,"HKLM:\Software\Policies\Microsoft\Windows NT\Printers",DisableWebPnPDownload,,,,0,1,=,Medium 74,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off Internet download for Web publishing and online ordering wizards",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoWebServices,,,,0,1,=,Medium 81,"Administrative Templates: System","Kernel DMA Protection: Enumeration policy for external devices incompatible with Kernel DMA Protection",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Kernel DMA Protection",DeviceEnumerationPolicy,,,,2,0,=,Medium @@ -214,7 +214,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 89,"Administrative Templates: System","Trusted Platform Module Services: Standard User Lockout Duration",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\TPM,StandardUserAuthorizationFailureDuration,,,,,30,=,Medium 90,"Administrative Templates: System","Trusted Platform Module Services: Standard User Total Lockout Threshold",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\TPM,StandardUserAuthorizationFailureTotalThreshold,,,,,5,=,Medium 88,"Administrative Templates: System","Trusted Platform Module Services: Ignore the default list of blocked TPM commands",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\TPM\BlockedCommands,IgnoreDefaultList,,,,,0,=,Medium -94,"Administrative Templates: Control Panel","Personalization: Prevent enabling lock screen slide",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Personalization,NoLockScreenSlideshow,,,,0,1,=,Low +94,"Administrative Templates: Control Panel","Personalization: Prevent enabling lock screen slide show",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Personalization,NoLockScreenSlideshow,,,,0,1,=,Low 95,"Administrative Templates: Control Panel","Personalization: Prevent enabling lock screen camera",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Personalization,NoLockScreenCamera,,,,0,1,=,Low 100,"Administrative Templates: Control Panel","Regional and Language Options: Handwriting personalization: Turn off automatic learning (RestrictImplicitInkCollection)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\InputPersonalization,RestrictImplicitInkCollection,,,,,1,=,Medium 100,"Administrative Templates: Control Panel","Regional and Language Options: Handwriting personalization: Turn off automatic learning (RestrictImplicitTextCollection)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\InputPersonalization,RestrictImplicitTextCollection,,,,,1,=,Medium @@ -229,7 +229,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 117,"Administrative Templates: Windows Components","File Explorer: Turn off heap termination on corruption",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer,NoHeapTerminationOnCorruption,,,,,0,=,Medium 118,"Administrative Templates: Windows Components","Data Collection and Preview Builds: Toggle user control over Insider builds",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds,AllowBuildPreview,,,,1,0,=,Medium 119,"Administrative Templates: Windows Components","Data Collection and Preview Builds: Do not show feedback notifications",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DataCollection,DoNotShowFeedbackNotifications,,,,0,1,=,Medium -120,"Administrative Templates: Windows Components","Data Collection and Preview Builds: Allow Telemetry",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DataCollection,AllowTelemetry,,,,2,1,<=,Medium +120,"Administrative Templates: Windows Components","Data Collection and Preview Builds: Allow Diagnostic Data",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DataCollection,AllowTelemetry,,,,2,1,<=,Medium 121,"Administrative Templates: Windows Components","Data Collection and Preview Builds: Allow device name to be sent in Windows diagnostic data",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DataCollection,AllowDeviceNameInTelemetry,,,,1,0,=,Medium 124,"Administrative Templates: Windows Components","Microsoft account: Block all consumer Microsoft account user authentication",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\MicrosoftAccount,DisableUserAuth,,,,,1,=,Medium 127,"Administrative Templates: Windows Components","OneDrive: Prevent the usage of OneDrive for file storage",Registry,,HKLM:\Software\Policies\Microsoft\Windows\OneDrive,DisableFileSyncNGSC,,,,0,1,=,Medium @@ -255,7 +255,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 160,"Administrative Templates: Windows Components","Delivery Optimization: Download Mode",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization,DODownloadMode,,,,1,99,=,Medium 161,"Administrative Templates: Windows Components","Connect: Require pin for pairing",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Connect,RequirePinForPairing,,,,0,1,>=,Medium 162,"Microsoft Defender Antivirus","Configure detection for potentially unwanted applications",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender",PUAProtection,,,,0,1,=,Medium -163,"Microsoft Defender Antivirus","Turn off Windows Defender Antivirus",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender",DisableAntiSpyware,,,,0,0,=,Medium +163,"Microsoft Defender Antivirus","Turn off Microsoft Defender Antivirus",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender",DisableAntiSpyware,,,,0,0,=,Medium 164,"Microsoft Defender Antivirus","Reporting: Configure Watson events",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting",DisableGenericRePorts,,,,,1,=,Medium 165,"Microsoft Defender Antivirus","Real-time Protection: Turn on behavior monitoring (Policy)",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection",DisableBehaviorMonitoring,,,,0,0,=,Medium 167,"Microsoft Defender Antivirus","MAPS: Configure local setting override for reporting to Microsoft MAPS",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet",LocalSettingOverrideSpynetReporting,,,,,0,=,Medium @@ -263,18 +263,18 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 169,"Microsoft Defender Antivirus","Scan: Scan removable drives",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Scan",DisableRemovableDriveScanning,,,,,0,=,Medium 170,"Microsoft Defender Exploit Guard","Network Protection: Prevent users and apps from accessing dangerous websites",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection",EnableNetworkProtection,,,,,1,=,Medium 171,"Microsoft Defender Exploit Guard","Attack Surface Reduction rules",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR",ExploitGuard_ASR_Rules,,,,0,1,=,Medium -172,"Microsoft Defender Exploit Guard","ASR: Block Office applications from creating child processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",d4f940ab-401b-4efc-aadc-ad5f3c50688a,,,,0,1,=,Medium -172,"Microsoft Defender Exploit Guard","ASR: Block Office applications from creating child processes",MpPreferenceAsr,d4f940ab-401b-4efc-aadc-ad5f3c50688a,,,,,,0,1,=,Medium +172,"Microsoft Defender Exploit Guard","ASR: Block all Office applications from creating child processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",d4f940ab-401b-4efc-aadc-ad5f3c50688a,,,,0,1,=,Medium +172,"Microsoft Defender Exploit Guard","ASR: Block all Office applications from creating child processes",MpPreferenceAsr,d4f940ab-401b-4efc-aadc-ad5f3c50688a,,,,,,0,1,=,Medium 172,"Microsoft Defender Exploit Guard","ASR: Block Office applications from creating executable content (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",3b576869-a4ec-4529-8536-b80a7769e899,,,,0,1,=,Medium 172,"Microsoft Defender Exploit Guard","ASR: Block Office applications from creating executable content",MpPreferenceAsr,3b576869-a4ec-4529-8536-b80a7769e899,,,,,,0,1,=,Medium 172,"Microsoft Defender Exploit Guard","ASR: Block execution of potentially obfuscated scripts (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",5beb7efe-fd9a-4556-801d-275e5ffc04cc,,,,0,1,=,Medium 172,"Microsoft Defender Exploit Guard","ASR: Block execution of potentially obfuscated scripts",MpPreferenceAsr,5beb7efe-fd9a-4556-801d-275e5ffc04cc,,,,,,0,1,=,Medium -172,"Microsoft Defender Exploit Guard","ASR: Block Office applications from injecting into other processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84,,,,0,1,=,Medium -172,"Microsoft Defender Exploit Guard","ASR: Block Office applications from injecting into other processes",MpPreferenceAsr,75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84,,,,,,0,1,=,Medium +172,"Microsoft Defender Exploit Guard","ASR: Block Office applications from injecting code into other processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84,,,,0,1,=,Medium +172,"Microsoft Defender Exploit Guard","ASR: Block Office applications from injecting code into other processes",MpPreferenceAsr,75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84,,,,,,0,1,=,Medium 172,"Microsoft Defender Exploit Guard","ASR: Block Adobe Reader from creating child processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c,,,,0,1,=,Medium 172,"Microsoft Defender Exploit Guard","ASR: Block Adobe Reader from creating child processes",MpPreferenceAsr,7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c,,,,,,0,1,=,Medium -172,"Microsoft Defender Exploit Guard","ASR: Block Win32 imports from Macro code in Office (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b,,,,0,1,=,Medium -172,"Microsoft Defender Exploit Guard","ASR: Block Win32 imports from Macro code in Office",MpPreferenceAsr,92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b,,,,,,0,1,=,Medium +172,"Microsoft Defender Exploit Guard","ASR: Block Win32 API calls from Office macros (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b,,,,0,1,=,Medium +172,"Microsoft Defender Exploit Guard","ASR: Block Win32 API calls from Office macros",MpPreferenceAsr,92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b,,,,,,0,1,=,Medium 172,"Microsoft Defender Exploit Guard","ASR: Block credential stealing from the Windows local security authority subsystem (lsass.exe) (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2,,,,0,1,=,Medium 172,"Microsoft Defender Exploit Guard","ASR: Block credential stealing from the Windows local security authority subsystem (lsass.exe)",MpPreferenceAsr,9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2,,,,,,0,1,=,Medium 172,"Microsoft Defender Exploit Guard","ASR: Block untrusted and unsigned processes that run from USB (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4,,,,0,1,=,Medium @@ -283,8 +283,8 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 172,"Microsoft Defender Exploit Guard","ASR: Block executable content from email client and webmail",MpPreferenceAsr,be9ba2d9-53ea-4cdc-84e5-9b1eeee46550,,,,,,0,1,=,Medium 172,"Microsoft Defender Exploit Guard","ASR: Block JavaScript or VBScript from launching downloaded executable content (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",d3e037e1-3eb8-44c8-a917-57927947596d,,,,0,1,=,Medium 172,"Microsoft Defender Exploit Guard","ASR: Block JavaScript or VBScript from launching downloaded executable content",MpPreferenceAsr,d3e037e1-3eb8-44c8-a917-57927947596d,,,,,,0,1,=,Medium -172,"Microsoft Defender Exploit Guard","ASR: Block Office communication applications from creating child processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",26190899-1602-49e8-8b27-eb1d0a1ce869,,,,0,1,=,Medium -172,"Microsoft Defender Exploit Guard","ASR: Block Office communication applications from creating child processes",MpPreferenceAsr,26190899-1602-49e8-8b27-eb1d0a1ce869,,,,,,0,1,=,Medium +172,"Microsoft Defender Exploit Guard","ASR: Block Office communication application from creating child processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",26190899-1602-49e8-8b27-eb1d0a1ce869,,,,0,1,=,Medium +172,"Microsoft Defender Exploit Guard","ASR: Block Office communication application from creating child processes",MpPreferenceAsr,26190899-1602-49e8-8b27-eb1d0a1ce869,,,,,,0,1,=,Medium 173,"Administrative Templates: Windows Components","File Explorer: Configure Windows Defender SmartScreen",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,EnableSmartScreen,,,,1,1,=,Medium 174,"Administrative Templates: Windows Components","File Explorer: Configure Windows Defender SmartScreen to warn and prevent bypass",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,ShellSmartScreenLevel,,,,Warn,Block,=,Medium 174,"Microsoft Edge","Prevent bypassing Microsoft Defender SmartScreen prompts for sites",Registry,,HKLM:\Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter,PreventOverride,,,,,1,=,Medium @@ -294,11 +294,11 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 180,"Administrative Templates: Windows Components","Windows Installer: Always install with elevated privileges",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Installer,AlwaysInstallElevated,,,,1,0,=,Medium 183,PowerShell,"Turn on Script Execution (Execution Policy)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\PowerShell,ExecutionPolicy,,,,,RemoteSigned,=,Medium 183,PowerShell,"Turn on Script Execution",Registry,,HKLM:\Software\Policies\Microsoft\Windows\PowerShell,EnableScripts,,,,,1,=,Medium -185,"Administrative Templates: Windows Components","Windows Update: Configure Automatic Updates",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,NoAutoUpdate,,,,,0,>=,Medium +185,"Administrative Templates: Windows Components","Windows Update: Manage end user experience: Configure Automatic Updates",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,NoAutoUpdate,,,,,0,>=,Medium 185,"Administrative Templates: Windows Components","Windows Update: Configure Automatic Updates: Configure automatic updating",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,AUOptions,,,,,4,=,Medium -186,"Administrative Templates: Windows Components","Windows Update: Configure Automatic Updates: Scheduled install day",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,ScheduledInstallDay,,,,,0,>=,Medium -187,"Administrative Templates: Windows Components","Windows Update: No auto-restart with logged on users for scheduled automatic updates installations",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,NoAutoRebootWithLoggedOnUsers,,,,,0,>=,Medium -188,"Administrative Templates: Windows Components","Windows Update: Remove access to 'Pause updates' feature",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,SetDisablePauseUXAccess,,,,,1,>=,Medium +186,"Administrative Templates: Windows Components","Windows Update: Manage end user experience: Configure Automatic Updates: Scheduled install day",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,ScheduledInstallDay,,,,,0,>=,Medium +187,"Administrative Templates: Windows Components","Windows Update: Legacy Policies: No auto-restart with logged on users for scheduled automatic updates installations",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,NoAutoRebootWithLoggedOnUsers,,,,,0,>=,Medium +188,"Administrative Templates: Windows Components","Windows Update: Manage end user experience: Remove access to 'Pause updates' feature",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,SetDisablePauseUXAccess,,,,,1,>=,Medium 189,"Administrative Templates: Windows Components","Windows Logon Options: Sign-in and lock last interactive user automatically after a restart",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,DisableAutomaticRestartSignOn,,,,0,1,=,Medium 191,"Administrative Templates: Windows Components","WinRM Client: Allow Basic authentication",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Client,AllowBasic,,,,1,0,=,Medium 192,"Administrative Templates: Windows Components","WinRM Client: Disallow Digest authentication",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Client,AllowDigest,,,,1,0,=,Medium diff --git a/lists/finding_list_bsi_sisyphus_windows_10_ne_machine.csv b/lists/finding_list_bsi_sisyphus_windows_10_ne_machine.csv index 15b8ddb..bfa394d 100644 --- a/lists/finding_list_bsi_sisyphus_windows_10_ne_machine.csv +++ b/lists/finding_list_bsi_sisyphus_windows_10_ne_machine.csv @@ -89,8 +89,8 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 267,"Security Options","Network access: Shares that can be accessed anonymously",Registry,,HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters,NullSessionShares,,,,,,=,Medium 268,"Security Options","Network access: Sharing and security model for local accounts",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,ForceGuest,,,,0,0,=,Medium 269,"Security Options","Network access: Named Pipes that can be accessed anonymously",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters,NullSessionPipes,,,,,,=,Medium -270,"Security Options","Network access: Remotely accessible registry paths and sub-paths",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths,Machine,,,,"System\CurrentControlSet\Control\Print\Printers System\CurrentControlSet\Services\Eventlog Software\Microsoft\OLAP Server Software\Microsoft\Windows NT\CurrentVersion\Print Software\Microsoft\Windows NT\CurrentVersion\Windows System\CurrentControlSet\Control\ContentIndex System\CurrentControlSet\Control\Terminal Server System\CurrentControlSet\Control\Terminal Server\UserConfig System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration Software\Microsoft\Windows NT\CurrentVersion\Perflib System\CurrentControlSet\Services\SysmonLog","System\CurrentControlSet\Control\Print\Printers System\CurrentControlSet\Services\Eventlog Software\Microsoft\OLAP Server Software\Microsoft\Windows NT\CurrentVersion\Print Software\Microsoft\Windows NT\CurrentVersion\Windows System\CurrentControlSet\Control\ContentIndex System\CurrentControlSet\Control\Terminal Server System\CurrentControlSet\Control\Terminal Server\UserConfig System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration Software\Microsoft\Windows NT\CurrentVersion\Perflib System\CurrentControlSet\Services\SysmonLog",=,Medium -271,"Security Options","Network access: Remotely accessible registry paths",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths,Machine,,,,"System\CurrentControlSet\Control\ProductOptions System\CurrentControlSet\Control\Server Applications Software\Microsoft\Windows NT\CurrentVersion","System\CurrentControlSet\Control\ProductOptions System\CurrentControlSet\Control\Server Applications Software\Microsoft\Windows NT\CurrentVersion",=,Medium +270,"Security Options","Network access: Remotely accessible registry paths and sub-paths",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths,Machine,,,,"System\CurrentControlSet\Control\Print\Printers System\CurrentControlSet\Services\Eventlog Software\Microsoft\OLAP Server Software\Microsoft\Windows NT\CurrentVersion\Print Software\Microsoft\Windows NT\CurrentVersion\Windows System\CurrentControlSet\Control\ContentIndex System\CurrentControlSet\Control\Terminal Server System\CurrentControlSet\Control\Terminal Server\UserConfig System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration Software\Microsoft\Windows NT\CurrentVersion\Perflib System\CurrentControlSet\Services\SysmonLog","System\CurrentControlSet\Control\Print\Printers;System\CurrentControlSet\Services\Eventlog;Software\Microsoft\OLAP Server;Software\Microsoft\Windows NT\CurrentVersion\Print;Software\Microsoft\Windows NT\CurrentVersion\Windows;System\CurrentControlSet\Control\ContentIndex;System\CurrentControlSet\Control\Terminal Server;System\CurrentControlSet\Control\Terminal Server\UserConfig;System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration;Software\Microsoft\Windows NT\CurrentVersion\Perflib;System\CurrentControlSet\Services\SysmonLog",=,Medium +271,"Security Options","Network access: Remotely accessible registry paths",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths,Machine,,,,"System\CurrentControlSet\Control\ProductOptions System\CurrentControlSet\Control\Server Applications Software\Microsoft\Windows NT\CurrentVersion","System\CurrentControlSet\Control\ProductOptions;System\CurrentControlSet\Control\Server Applications;Software\Microsoft\Windows NT\CurrentVersion",=,Medium 272,"Security Options","Network access: Do not allow storage of passwords and credentials for network authentication",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,DisableDomainCreds,,,,0,1,=,Medium 275,"Security Options","System objects: Require case insensitivity for non-Windows subsystem",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel",ObCaseInsensitive,,,,,1,=,Medium 276,"Security Options","System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)",Registry,,"HKLM:\System\CurrentControlSet\Control\Session Manager",ProtectionMode,,,,1,1,=,Medium @@ -183,7 +183,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 89,"Administrative Templates: System","Trusted Platform Module Services: Standard User Lockout Duration",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\TPM,StandardUserAuthorizationFailureDuration,,,,,30,=,Medium 90,"Administrative Templates: System","Trusted Platform Module Services: Standard User Total Lockout Threshold",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\TPM,StandardUserAuthorizationFailureTotalThreshold,,,,,5,=,Medium 88,"Administrative Templates: System","Trusted Platform Module Services: Ignore the default list of blocked TPM commands",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\TPM\BlockedCommands,IgnoreDefaultList,,,,,0,=,Medium -94,"Administrative Templates: Control Panel","Personalization: Prevent enabling lock screen slide",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Personalization,NoLockScreenSlideshow,,,,0,1,=,Low +94,"Administrative Templates: Control Panel","Personalization: Prevent enabling lock screen slide show",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Personalization,NoLockScreenSlideshow,,,,0,1,=,Low 95,"Administrative Templates: Control Panel","Personalization: Prevent enabling lock screen camera",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Personalization,NoLockScreenCamera,,,,0,1,=,Low 100,"Administrative Templates: Control Panel","Regional and Language Options: Handwriting personalization: Turn off automatic learning (RestrictImplicitInkCollection)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\InputPersonalization,RestrictImplicitInkCollection,,,,,1,=,Medium 100,"Administrative Templates: Control Panel","Regional and Language Options: Handwriting personalization: Turn off automatic learning (RestrictImplicitTextCollection)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\InputPersonalization,RestrictImplicitTextCollection,,,,,1,=,Medium @@ -197,7 +197,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 117,"Administrative Templates: Windows Components","File Explorer: Turn off heap termination on corruption",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer,NoHeapTerminationOnCorruption,,,,,0,=,Medium 118,"Administrative Templates: Windows Components","Data Collection and Preview Builds: Toggle user control over Insider builds",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds,AllowBuildPreview,,,,1,0,=,Medium 119,"Administrative Templates: Windows Components","Data Collection and Preview Builds: Do not show feedback notifications",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DataCollection,DoNotShowFeedbackNotifications,,,,0,1,=,Medium -120,"Administrative Templates: Windows Components","Data Collection and Preview Builds: Allow Telemetry",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DataCollection,AllowTelemetry,,,,2,1,<=,Medium +120,"Administrative Templates: Windows Components","Data Collection and Preview Builds: Allow Diagnostic Data",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DataCollection,AllowTelemetry,,,,2,1,<=,Medium 121,"Administrative Templates: Windows Components","Data Collection and Preview Builds: Allow device name to be sent in Windows diagnostic data",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DataCollection,AllowDeviceNameInTelemetry,,,,1,0,=,Medium 124,"Administrative Templates: Windows Components","Microsoft account: Block all consumer Microsoft account user authentication",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\MicrosoftAccount,DisableUserAuth,,,,,1,=,Medium 127,"Administrative Templates: Windows Components","OneDrive: Prevent the usage of OneDrive for file storage",Registry,,HKLM:\Software\Policies\Microsoft\Windows\OneDrive,DisableFileSyncNGSC,,,,0,1,=,Medium @@ -223,7 +223,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 160,"Administrative Templates: Windows Components","Delivery Optimization: Download Mode",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization,DODownloadMode,,,,1,99,=,Medium 161,"Administrative Templates: Windows Components","Connect: Require pin for pairing",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Connect,RequirePinForPairing,,,,0,1,>=,Medium 162,"Microsoft Defender Antivirus","Configure detection for potentially unwanted applications",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender",PUAProtection,,,,0,1,=,Medium -163,"Microsoft Defender Antivirus","Turn off Windows Defender Antivirus",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender",DisableAntiSpyware,,,,0,0,=,Medium +163,"Microsoft Defender Antivirus","Turn off Microsoft Defender Antivirus",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender",DisableAntiSpyware,,,,0,0,=,Medium 164,"Microsoft Defender Antivirus","Reporting: Configure Watson events",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting",DisableGenericRePorts,,,,,1,=,Medium 165,"Microsoft Defender Antivirus","Real-time Protection: Turn on behavior monitoring (Policy)",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection",DisableBehaviorMonitoring,,,,0,0,=,Medium 167,"Microsoft Defender Antivirus","MAPS: Configure local setting override for reporting to Microsoft MAPS",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet",LocalSettingOverrideSpynetReporting,,,,,0,=,Medium @@ -231,18 +231,18 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 169,"Microsoft Defender Antivirus","Scan: Scan removable drives",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Scan",DisableRemovableDriveScanning,,,,,0,=,Medium 170,"Microsoft Defender Exploit Guard","Network Protection: Prevent users and apps from accessing dangerous websites",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection",EnableNetworkProtection,,,,,1,=,Medium 171,"Microsoft Defender Exploit Guard","Attack Surface Reduction rules",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR",ExploitGuard_ASR_Rules,,,,0,1,=,Medium -172,"Microsoft Defender Exploit Guard","ASR: Block Office applications from creating child processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",d4f940ab-401b-4efc-aadc-ad5f3c50688a,,,,0,1,=,Medium -172,"Microsoft Defender Exploit Guard","ASR: Block Office applications from creating child processes",MpPreferenceAsr,d4f940ab-401b-4efc-aadc-ad5f3c50688a,,,,,,0,1,=,Medium +172,"Microsoft Defender Exploit Guard","ASR: Block all Office applications from creating child processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",d4f940ab-401b-4efc-aadc-ad5f3c50688a,,,,0,1,=,Medium +172,"Microsoft Defender Exploit Guard","ASR: Block all Office applications from creating child processes",MpPreferenceAsr,d4f940ab-401b-4efc-aadc-ad5f3c50688a,,,,,,0,1,=,Medium 172,"Microsoft Defender Exploit Guard","ASR: Block Office applications from creating executable content (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",3b576869-a4ec-4529-8536-b80a7769e899,,,,0,1,=,Medium 172,"Microsoft Defender Exploit Guard","ASR: Block Office applications from creating executable content",MpPreferenceAsr,3b576869-a4ec-4529-8536-b80a7769e899,,,,,,0,1,=,Medium 172,"Microsoft Defender Exploit Guard","ASR: Block execution of potentially obfuscated scripts (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",5beb7efe-fd9a-4556-801d-275e5ffc04cc,,,,0,1,=,Medium 172,"Microsoft Defender Exploit Guard","ASR: Block execution of potentially obfuscated scripts",MpPreferenceAsr,5beb7efe-fd9a-4556-801d-275e5ffc04cc,,,,,,0,1,=,Medium -172,"Microsoft Defender Exploit Guard","ASR: Block Office applications from injecting into other processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84,,,,0,1,=,Medium -172,"Microsoft Defender Exploit Guard","ASR: Block Office applications from injecting into other processes",MpPreferenceAsr,75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84,,,,,,0,1,=,Medium +172,"Microsoft Defender Exploit Guard","ASR: Block Office applications from injecting code into other processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84,,,,0,1,=,Medium +172,"Microsoft Defender Exploit Guard","ASR: Block Office applications from injecting code into other processes",MpPreferenceAsr,75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84,,,,,,0,1,=,Medium 172,"Microsoft Defender Exploit Guard","ASR: Block Adobe Reader from creating child processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c,,,,0,1,=,Medium 172,"Microsoft Defender Exploit Guard","ASR: Block Adobe Reader from creating child processes",MpPreferenceAsr,7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c,,,,,,0,1,=,Medium -172,"Microsoft Defender Exploit Guard","ASR: Block Win32 imports from Macro code in Office (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b,,,,0,1,=,Medium -172,"Microsoft Defender Exploit Guard","ASR: Block Win32 imports from Macro code in Office",MpPreferenceAsr,92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b,,,,,,0,1,=,Medium +172,"Microsoft Defender Exploit Guard","ASR: Block Win32 API calls from Office macros (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b,,,,0,1,=,Medium +172,"Microsoft Defender Exploit Guard","ASR: Block Win32 API calls from Office macros",MpPreferenceAsr,92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b,,,,,,0,1,=,Medium 172,"Microsoft Defender Exploit Guard","ASR: Block credential stealing from the Windows local security authority subsystem (lsass.exe) (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2,,,,0,1,=,Medium 172,"Microsoft Defender Exploit Guard","ASR: Block credential stealing from the Windows local security authority subsystem (lsass.exe)",MpPreferenceAsr,9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2,,,,,,0,1,=,Medium 172,"Microsoft Defender Exploit Guard","ASR: Block untrusted and unsigned processes that run from USB (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4,,,,0,1,=,Medium @@ -251,8 +251,8 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 172,"Microsoft Defender Exploit Guard","ASR: Block executable content from email client and webmail",MpPreferenceAsr,be9ba2d9-53ea-4cdc-84e5-9b1eeee46550,,,,,,0,1,=,Medium 172,"Microsoft Defender Exploit Guard","ASR: Block JavaScript or VBScript from launching downloaded executable content (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",d3e037e1-3eb8-44c8-a917-57927947596d,,,,0,1,=,Medium 172,"Microsoft Defender Exploit Guard","ASR: Block JavaScript or VBScript from launching downloaded executable content",MpPreferenceAsr,d3e037e1-3eb8-44c8-a917-57927947596d,,,,,,0,1,=,Medium -172,"Microsoft Defender Exploit Guard","ASR: Block Office communication applications from creating child processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",26190899-1602-49e8-8b27-eb1d0a1ce869,,,,0,1,=,Medium -172,"Microsoft Defender Exploit Guard","ASR: Block Office communication applications from creating child processes",MpPreferenceAsr,26190899-1602-49e8-8b27-eb1d0a1ce869,,,,,,0,1,=,Medium +172,"Microsoft Defender Exploit Guard","ASR: Block Office communication application from creating child processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",26190899-1602-49e8-8b27-eb1d0a1ce869,,,,0,1,=,Medium +172,"Microsoft Defender Exploit Guard","ASR: Block Office communication application from creating child processes",MpPreferenceAsr,26190899-1602-49e8-8b27-eb1d0a1ce869,,,,,,0,1,=,Medium 173,"Administrative Templates: Windows Components","File Explorer: Configure Windows Defender SmartScreen",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,EnableSmartScreen,,,,1,1,=,Medium 174,"Administrative Templates: Windows Components","File Explorer: Configure Windows Defender SmartScreen to warn and prevent bypass",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,ShellSmartScreenLevel,,,,Warn,Block,=,Medium 174,"Microsoft Edge","Prevent bypassing Microsoft Defender SmartScreen prompts for sites",Registry,,HKLM:\Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter,PreventOverride,,,,,1,=,Medium @@ -262,11 +262,11 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 180,"Administrative Templates: Windows Components","Windows Installer: Always install with elevated privileges",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Installer,AlwaysInstallElevated,,,,1,0,=,Medium 183,PowerShell,"Turn on Script Execution (Execution Policy)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\PowerShell,ExecutionPolicy,,,,,RemoteSigned,=,Medium 183,PowerShell,"Turn on Script Execution",Registry,,HKLM:\Software\Policies\Microsoft\Windows\PowerShell,EnableScripts,,,,,1,=,Medium -185,"Administrative Templates: Windows Components","Windows Update: Configure Automatic Updates",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,NoAutoUpdate,,,,,0,>=,Medium +185,"Administrative Templates: Windows Components","Windows Update: Manage end user experience: Configure Automatic Updates",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,NoAutoUpdate,,,,,0,>=,Medium 185,"Administrative Templates: Windows Components","Windows Update: Configure Automatic Updates: Configure automatic updating",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,AUOptions,,,,,4,=,Medium -186,"Administrative Templates: Windows Components","Windows Update: Configure Automatic Updates: Scheduled install day",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,ScheduledInstallDay,,,,,0,>=,Medium -187,"Administrative Templates: Windows Components","Windows Update: No auto-restart with logged on users for scheduled automatic updates installations",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,NoAutoRebootWithLoggedOnUsers,,,,,0,>=,Medium -188,"Administrative Templates: Windows Components","Windows Update: Remove access to 'Pause updates' feature",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,SetDisablePauseUXAccess,,,,,1,>=,Medium +186,"Administrative Templates: Windows Components","Windows Update: Manage end user experience: Configure Automatic Updates: Scheduled install day",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,ScheduledInstallDay,,,,,0,>=,Medium +187,"Administrative Templates: Windows Components","Windows Update: Legacy Policies: No auto-restart with logged on users for scheduled automatic updates installations",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,NoAutoRebootWithLoggedOnUsers,,,,,0,>=,Medium +188,"Administrative Templates: Windows Components","Windows Update: Manage end user experience: Remove access to 'Pause updates' feature",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,SetDisablePauseUXAccess,,,,,1,>=,Medium 189,"Administrative Templates: Windows Components","Windows Logon Options: Sign-in and lock last interactive user automatically after a restart",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,DisableAutomaticRestartSignOn,,,,0,1,=,Medium 191,"Administrative Templates: Windows Components","WinRM Client: Allow Basic authentication",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Client,AllowBasic,,,,1,0,=,Medium 192,"Administrative Templates: Windows Components","WinRM Client: Disallow Digest authentication",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Client,AllowDigest,,,,1,0,=,Medium diff --git a/lists/finding_list_cis_microsoft_windows_10_enterprise_1809_machine.csv b/lists/finding_list_cis_microsoft_windows_10_enterprise_1809_machine.csv index 2075e89..d340115 100644 --- a/lists/finding_list_cis_microsoft_windows_10_enterprise_1809_machine.csv +++ b/lists/finding_list_cis_microsoft_windows_10_enterprise_1809_machine.csv @@ -89,8 +89,8 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 2.3.10.4,"Security Options","Network access: Do not allow storage of passwords and credentials for network authentication",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,DisableDomainCreds,,,,0,1,=,Medium 2.3.10.5,"Security Options","Network access: Let Everyone permissions apply to anonymous users",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,EveryoneIncludesAnonymous,,,,0,0,=,Medium 2.3.10.6,"Security Options","Network access: Named Pipes that can be accessed anonymously",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters,NullSessionPipes,,,,,,=,Medium -2.3.10.7,"Security Options","Network access: Remotely accessible registry paths",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths,Machine,,,,"System\CurrentControlSet\Control\ProductOptions System\CurrentControlSet\Control\Server Applications Software\Microsoft\Windows NT\CurrentVersion","System\CurrentControlSet\Control\ProductOptions System\CurrentControlSet\Control\Server Applications Software\Microsoft\Windows NT\CurrentVersion",=,Medium -2.3.10.8,"Security Options","Network access: Remotely accessible registry paths and sub-paths",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths,Machine,,,,"System\CurrentControlSet\Control\Print\Printers System\CurrentControlSet\Services\Eventlog Software\Microsoft\OLAP Server Software\Microsoft\Windows NT\CurrentVersion\Print Software\Microsoft\Windows NT\CurrentVersion\Windows System\CurrentControlSet\Control\ContentIndex System\CurrentControlSet\Control\Terminal Server System\CurrentControlSet\Control\Terminal Server\UserConfig System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration Software\Microsoft\Windows NT\CurrentVersion\Perflib System\CurrentControlSet\Services\SysmonLog","System\CurrentControlSet\Control\Print\Printers System\CurrentControlSet\Services\Eventlog Software\Microsoft\OLAP Server Software\Microsoft\Windows NT\CurrentVersion\Print Software\Microsoft\Windows NT\CurrentVersion\Windows System\CurrentControlSet\Control\ContentIndex System\CurrentControlSet\Control\Terminal Server System\CurrentControlSet\Control\Terminal Server\UserConfig System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration Software\Microsoft\Windows NT\CurrentVersion\Perflib System\CurrentControlSet\Services\SysmonLog",=,Medium +2.3.10.7,"Security Options","Network access: Remotely accessible registry paths",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths,Machine,,,,"System\CurrentControlSet\Control\ProductOptions System\CurrentControlSet\Control\Server Applications Software\Microsoft\Windows NT\CurrentVersion","System\CurrentControlSet\Control\ProductOptions;System\CurrentControlSet\Control\Server Applications;Software\Microsoft\Windows NT\CurrentVersion",=,Medium +2.3.10.8,"Security Options","Network access: Remotely accessible registry paths and sub-paths",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths,Machine,,,,"System\CurrentControlSet\Control\Print\Printers System\CurrentControlSet\Services\Eventlog Software\Microsoft\OLAP Server Software\Microsoft\Windows NT\CurrentVersion\Print Software\Microsoft\Windows NT\CurrentVersion\Windows System\CurrentControlSet\Control\ContentIndex System\CurrentControlSet\Control\Terminal Server System\CurrentControlSet\Control\Terminal Server\UserConfig System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration Software\Microsoft\Windows NT\CurrentVersion\Perflib System\CurrentControlSet\Services\SysmonLog","System\CurrentControlSet\Control\Print\Printers;System\CurrentControlSet\Services\Eventlog;Software\Microsoft\OLAP Server;Software\Microsoft\Windows NT\CurrentVersion\Print;Software\Microsoft\Windows NT\CurrentVersion\Windows;System\CurrentControlSet\Control\ContentIndex;System\CurrentControlSet\Control\Terminal Server;System\CurrentControlSet\Control\Terminal Server\UserConfig;System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration;Software\Microsoft\Windows NT\CurrentVersion\Perflib;System\CurrentControlSet\Services\SysmonLog",=,Medium 2.3.10.9,"Security Options","Network access: Restrict anonymous access to Named Pipes and Shares",Registry,,HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters,RestrictNullSessAccess,,,,1,1,=,Medium 2.3.10.10,"Security Options","Network access: Restrict clients allowed to make remote calls to SAM",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,RestrictRemoteSAM,,,,,O:BAG:BAD:(A;;RC;;;BA),=,Medium 2.3.10.11,"Security Options","Network access: Shares that can be accessed anonymously",Registry,,HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters,NullSessionShares,,,,,,=,Medium @@ -222,7 +222,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 9.2.8,"Windows Firewall","Log successful connections (Private Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging,LogSuccessfulConnections,,,,0,1,=,Low 9.3.1,"Windows Firewall","EnableFirewall (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile,EnableFirewall,,,,0,1,=,Medium 9.3.2,"Windows Firewall","Inbound Connections (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile,DefaultInboundAction,,,,1,1,=,Medium -9.3.3,"Windows Firewall","Outbound Connections (Private Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile,DefaultOutboundAction,,,,0,0,=,Medium +9.3.3,"Windows Firewall","Outbound Connections (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile,DefaultOutboundAction,,,,0,0,=,Medium 9.3.4,"Windows Firewall","Display a notification (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile,DisableNotifications,,,,0,1,=,Low 9.3.5,"Windows Firewall","Apply local firewall rules (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile,AllowLocalPolicyMerge,,,,0,0,=,Low 9.3.6,"Windows Firewall","Apply local connection security rules (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile,AllowLocalIPsecPolicyMerge,,,,0,0,=,Low @@ -259,7 +259,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 17.9.4,"Advanced Audit Policy Configuration","Security System Extension",auditpol,{0CCE9211-69AE-11D9-BED3-505054503030},,,,,,"No Auditing",Success,contains,Low 17.9.5,"Advanced Audit Policy Configuration","System Integrity",auditpol,{0CCE9212-69AE-11D9-BED3-505054503030},,,,,,"Success and Failure","Success and Failure",=,Low 18.1.1.1,"Administrative Templates: Control Panel","Personalization: Prevent enabling lock screen camera",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Personalization,NoLockScreenCamera,,,,0,1,=,Low -18.1.1.2,"Administrative Templates: Control Panel","Personalization: Prevent enabling lock screen slide",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Personalization,NoLockScreenSlideshow,,,,0,1,=,Low +18.1.1.2,"Administrative Templates: Control Panel","Personalization: Prevent enabling lock screen slide show",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Personalization,NoLockScreenSlideshow,,,,0,1,=,Low 18.1.2.2,"Administrative Templates: Control Panel","Regional and Language Options: Allow users to enable online speech recognition services",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\InputPersonalization,AllowInputPersonalization,,,,1,0,=,Medium 18.1.3,"Administrative Templates: Control Panel","Allow Online Tips",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer,AllowOnlineTips,,,,1,0,=,Medium 18.2.1,"Administrative Templates: LAPS","LAPS AdmPwd GPO Extension / CSE",Registry,,"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA}",DllName,,,,,"C:\Program Files\LAPS\CSE\AdmPwd.dll",=,Medium @@ -378,7 +378,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 18.8.37.2,"Administrative Templates: System","Remote Procedure Call: Restrict Unauthenticated RPC clients",Registry,,"HKLM:\Software\Policies\Microsoft\Windows NT\Rpc",RestrictRemoteClients,,,,0,1,=,Medium 18.8.45.5.1,"Administrative Templates: System","Troubleshooting and Diagnostics: Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy,DisableQueryRemoteServer,,,,1,0,=,Medium 18.8.45.11.1,"Administrative Templates: System","Windows Performance PerfTrack: Enable/Disable PerfTrack",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d},ScenarioExecutionEnabled,,,,1,0,=,Medium -18.8.47.1,"Administrative Templates: System","User Profiles: Turn of the advertising ID",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo,DisabledByGroupPolicy,,,,0,1,=,Medium +18.8.47.1,"Administrative Templates: System","User Profiles: Turn off the advertising ID",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo,DisabledByGroupPolicy,,,,0,1,=,Medium 18.8.50.1.1,"Administrative Templates: System","Time Providers: Enable Windows NTP Client",Registry,,HKLM:\Software\Policies\Microsoft\W32time\TimeProviders\NtpClient,Enabled,,,,0,1,=,Medium 18.8.50.1.2,"Administrative Templates: System","Time Providers: Enable Windows NTP Server",Registry,,HKLM:\Software\Policies\Microsoft\W32time\TimeProviders\NtpServer,Enabled,,,,0,0,=,Medium 18.9.4.1,"Administrative Templates: Windows Components","App Package Deployment: Allow a Windows app to share application data between users",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\AppModel\StateManager,AllowSharedLocalAppData,,,,1,0,=,Medium @@ -448,19 +448,19 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 18.9.14.1,"Administrative Templates: Windows Components","Connect: Require pin for pairing",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Connect,RequirePinForPairing,,,,0,1,>=,Medium 18.9.15.1,"Administrative Templates: Windows Components","Credential User Interface: Do not display the password reveal button",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CredUI,DisablePasswordReveal,,,,0,1,=,Medium 18.9.15.2,"Administrative Templates: Windows Components","Credential User Interface: Enumerate administrator accounts on elevation",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI,EnumerateAdministrators,,,,1,0,=,Medium -18.9.16.1,"Administrative Templates: Windows Components","Data Collection and Preview Builds: Allow Telemetry",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DataCollection,AllowTelemetry,,,,2,1,<=,Medium +18.9.16.1,"Administrative Templates: Windows Components","Data Collection and Preview Builds: Allow Diagnostic Data",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DataCollection,AllowTelemetry,,,,2,1,<=,Medium 18.9.16.2,"Administrative Templates: Windows Components","Data Collection and Preview Builds: Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DataCollection,DisableEnterpriseAuthProxy,,,,0,1,=,Medium 18.9.16.3,"Administrative Templates: Windows Components","Data Collection and Preview Builds: Do not show feedback notifications",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DataCollection,DoNotShowFeedbackNotifications,,,,0,1,=,Medium 18.9.16.4,"Administrative Templates: Windows Components","Data Collection and Preview Builds: Toggle user control over Insider builds",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds,AllowBuildPreview,,,,1,0,=,Medium 18.9.17.1,"Administrative Templates: Windows Components","Delivery Optimization: Download Mode",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization,DODownloadMode,,,,1,2,=,Medium 18.9.26.1.1,"Administrative Templates: Windows Components","Event Log Service: Application: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Application,Retention,,,,,0,=,Medium -18.9.26.1.2,"Administrative Templates: Windows Components","Event Log Service: Specify the maximum Application log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Application,MaxSize,,,,4096,32768,>=,Medium +18.9.26.1.2,"Administrative Templates: Windows Components","Event Log Service: Application: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Application,MaxSize,,,,4096,32768,>=,Medium 18.9.26.2.1,"Administrative Templates: Windows Components","Event Log Service: Security: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Security,Retention,,,,,0,=,Medium -18.9.26.2.2,"Administrative Templates: Windows Components","Event Log Service: Specify the maximum Security log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Security,MaxSize,,,,4096,196608,>=,Medium +18.9.26.2.2,"Administrative Templates: Windows Components","Event Log Service: Security: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Security,MaxSize,,,,4096,196608,>=,Medium 18.9.26.3.1,"Administrative Templates: Windows Components","Event Log Service: Setup: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Setup,Retention,,,,,0,=,Medium 18.9.26.3.2,"Administrative Templates: Windows Components","Event Log Service: Setup: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Setup,MaxSize,,,,4096,32768,>=,Medium 18.9.26.4.1,"Administrative Templates: Windows Components","Event Log Service: System: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\System,Retention,,,,,0,=,Medium -18.9.26.4.2,"Administrative Templates: Windows Components","Event Log Service: Specify the maximum System log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\System,MaxSize,,,,4096,32768,>=,Medium +18.9.26.4.2,"Administrative Templates: Windows Components","Event Log Service: System: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\System,MaxSize,,,,4096,32768,>=,Medium 18.9.30.2,"Administrative Templates: Windows Components","File Explorer: Turn off Data Execution Prevention for Explorer",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer,NoDataExecutionPrevention,,,,,0,=,Medium 18.9.30.3,"Administrative Templates: Windows Components","File Explorer: Turn off heap termination on corruption",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer,NoHeapTerminationOnCorruption,,,,,0,=,Medium 18.9.30.4,"Administrative Templates: Windows Components","File Explorer: Turn off shell protocol protected mode",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer,PreXPSP2ShellProtocolBehavior,,,,,0,=,Medium @@ -516,18 +516,18 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 18.9.77.10.1,"Microsoft Defender Antivirus","Scan: Scan removable drives",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Scan",DisableRemovableDriveScanning,,,,,0,=,Medium 18.9.77.10.2,"Microsoft Defender Antivirus","Scan: Turn on e-mail scanning",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Scan",DisableEmailScanning,,,,,0,=,Medium 18.9.77.13.1.1,"Microsoft Defender Exploit Guard","Attack Surface Reduction rules",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR",ExploitGuard_ASR_Rules,,,,0,1,=,Medium -18.9.77.13.1.2.1.1,"Microsoft Defender Exploit Guard","ASR: Block Office applications from creating child processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",d4f940ab-401b-4efc-aadc-ad5f3c50688a,,,,0,1,=,Medium -18.9.77.13.1.2.1.2,"Microsoft Defender Exploit Guard","ASR: Block Office applications from creating child processes",MpPreferenceAsr,d4f940ab-401b-4efc-aadc-ad5f3c50688a,,,,,,0,1,=,Medium +18.9.77.13.1.2.1.1,"Microsoft Defender Exploit Guard","ASR: Block all Office applications from creating child processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",d4f940ab-401b-4efc-aadc-ad5f3c50688a,,,,0,1,=,Medium +18.9.77.13.1.2.1.2,"Microsoft Defender Exploit Guard","ASR: Block all Office applications from creating child processes",MpPreferenceAsr,d4f940ab-401b-4efc-aadc-ad5f3c50688a,,,,,,0,1,=,Medium 18.9.77.13.1.2.2.1,"Microsoft Defender Exploit Guard","ASR: Block Office applications from creating executable content (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",3b576869-a4ec-4529-8536-b80a7769e899,,,,0,1,=,Medium 18.9.77.13.1.2.2.2,"Microsoft Defender Exploit Guard","ASR: Block Office applications from creating executable content",MpPreferenceAsr,3b576869-a4ec-4529-8536-b80a7769e899,,,,,,0,1,=,Medium 18.9.77.13.1.2.3.1,"Microsoft Defender Exploit Guard","ASR: Block execution of potentially obfuscated scripts (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",5beb7efe-fd9a-4556-801d-275e5ffc04cc,,,,0,1,=,Medium 18.9.77.13.1.2.3.2,"Microsoft Defender Exploit Guard","ASR: Block execution of potentially obfuscated scripts",MpPreferenceAsr,5beb7efe-fd9a-4556-801d-275e5ffc04cc,,,,,,0,1,=,Medium -18.9.77.13.1.2.4.1,"Microsoft Defender Exploit Guard","ASR: Block Office applications from injecting into other processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84,,,,0,1,=,Medium -18.9.77.13.1.2.4.2,"Microsoft Defender Exploit Guard","ASR: Block Office applications from injecting into other processes",MpPreferenceAsr,75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84,,,,,,0,1,=,Medium +18.9.77.13.1.2.4.1,"Microsoft Defender Exploit Guard","ASR: Block Office applications from injecting code into other processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84,,,,0,1,=,Medium +18.9.77.13.1.2.4.2,"Microsoft Defender Exploit Guard","ASR: Block Office applications from injecting code into other processes",MpPreferenceAsr,75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84,,,,,,0,1,=,Medium 18.9.77.13.1.2.5.1,"Microsoft Defender Exploit Guard","ASR: Block Adobe Reader from creating child processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c,,,,0,1,=,Medium 18.9.77.13.1.2.5.2,"Microsoft Defender Exploit Guard","ASR: Block Adobe Reader from creating child processes",MpPreferenceAsr,7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c,,,,,,0,1,=,Medium -18.9.77.13.1.2.6.1,"Microsoft Defender Exploit Guard","ASR: Block Win32 imports from Macro code in Office (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b,,,,0,1,=,Medium -18.9.77.13.1.2.6.2,"Microsoft Defender Exploit Guard","ASR: Block Win32 imports from Macro code in Office",MpPreferenceAsr,92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b,,,,,,0,1,=,Medium +18.9.77.13.1.2.6.1,"Microsoft Defender Exploit Guard","ASR: Block Win32 API calls from Office macros (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b,,,,0,1,=,Medium +18.9.77.13.1.2.6.2,"Microsoft Defender Exploit Guard","ASR: Block Win32 API calls from Office macros",MpPreferenceAsr,92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b,,,,,,0,1,=,Medium 18.9.77.13.1.2.7.1,"Microsoft Defender Exploit Guard","ASR: Block credential stealing from the Windows local security authority subsystem (lsass.exe) (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2,,,,0,1,=,Medium 18.9.77.13.1.2.7.2,"Microsoft Defender Exploit Guard","ASR: Block credential stealing from the Windows local security authority subsystem (lsass.exe)",MpPreferenceAsr,9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2,,,,,,0,1,=,Medium 18.9.77.13.1.2.8.1,"Microsoft Defender Exploit Guard","ASR: Block untrusted and unsigned processes that run from USB (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4,,,,0,1,=,Medium @@ -536,11 +536,11 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 18.9.77.13.1.2.9.2,"Microsoft Defender Exploit Guard","ASR: Block executable content from email client and webmail",MpPreferenceAsr,be9ba2d9-53ea-4cdc-84e5-9b1eeee46550,,,,,,0,1,=,Medium 18.9.77.13.1.2.10.1,"Microsoft Defender Exploit Guard","ASR: Block JavaScript or VBScript from launching downloaded executable content (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",d3e037e1-3eb8-44c8-a917-57927947596d,,,,0,1,=,Medium 18.9.77.13.1.2.10.2,"Microsoft Defender Exploit Guard","ASR: Block JavaScript or VBScript from launching downloaded executable content",MpPreferenceAsr,d3e037e1-3eb8-44c8-a917-57927947596d,,,,,,0,1,=,Medium -18.9.77.13.1.2.11.1,"Microsoft Defender Exploit Guard","ASR: Block Office communication applications from creating child processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",26190899-1602-49e8-8b27-eb1d0a1ce869,,,,0,1,=,Medium -18.9.77.13.1.2.11.2,"Microsoft Defender Exploit Guard","ASR: Block Office communication applications from creating child processes",MpPreferenceAsr,26190899-1602-49e8-8b27-eb1d0a1ce869,,,,,,0,1,=,Medium +18.9.77.13.1.2.11.1,"Microsoft Defender Exploit Guard","ASR: Block Office communication application from creating child processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",26190899-1602-49e8-8b27-eb1d0a1ce869,,,,0,1,=,Medium +18.9.77.13.1.2.11.2,"Microsoft Defender Exploit Guard","ASR: Block Office communication application from creating child processes",MpPreferenceAsr,26190899-1602-49e8-8b27-eb1d0a1ce869,,,,,,0,1,=,Medium 18.9.77.13.3.1,"Microsoft Defender Exploit Guard","Network Protection: Prevent users and apps from accessing dangerous websites",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection",EnableNetworkProtection,,,,,1,=,Medium 18.9.77.14,"Microsoft Defender Antivirus","Configure detection for potentially unwanted applications",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender",PUAProtection,,,,0,1,=,Medium -18.9.77.15,"Microsoft Defender Antivirus","Turn off Windows Defender Antivirus",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender",DisableAntiSpyware,,,,0,0,=,Medium +18.9.77.15,"Microsoft Defender Antivirus","Turn off Microsoft Defender Antivirus",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender",DisableAntiSpyware,,,,0,0,=,Medium 18.9.78.1,"Microsoft Defender Application Guard","Allow auditing events in Microsoft Defender Application Guard",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\AppHVSI,AuditApplicationGuard,,,,,1,=,Medium 18.9.78.2,"Microsoft Defender Application Guard","Allow camera and microphone access in Microsoft Defender Application Guard",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\AppHVSI,AllowCameraMicrophoneRedirection,,,,,0,=,Medium 18.9.78.3,"Microsoft Defender Application Guard","Allow data persistence for Microsoft Defender Application Guard",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\AppHVSI,AllowPersistence,,,,,0,=,Medium @@ -571,14 +571,14 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 18.9.97.2.4,"Administrative Templates: Windows Components","WinRM Service: Disallow WinRM from storing RunAs credentials",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service,DisableRunAs,,,,0,1,=,Medium 18.9.98.1,"Administrative Templates: Windows Components","Windows Remote Shell: Allow Remote Shell Access",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service\WinRS,AllowRemoteShellAccess,,,,1,0,=,Medium 18.9.99.2.1,"Administrative Templates: Windows Components","App and browser protection: Prevent users from modifying settings",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection",DisallowExploitProtectionOverride,,,,,1,=,Medium -18.9.102.1.1.1,"Administrative Templates: Windows Components","Windows Update: Windows Update for Business: Manage preview builds (ManagePreviewBuilds)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,ManagePreviewBuilds,,,,,1,=,Medium -18.9.102.1.1.2,"Administrative Templates: Windows Components","Windows Update: Windows Update for Business: Manage preview builds (ManagePreviewBuildsPolicyValue)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,ManagePreviewBuildsPolicyValue,,,,,0,=,Medium -18.9.102.1.2.1,"Administrative Templates: Windows Components","Windows Update: Windows Update for Business: Select when Preview Builds and Feature Updates are received (DeferFeatureUpdates)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,DeferFeatureUpdates,,,,,1,=,Medium -18.9.102.1.2.2,"Administrative Templates: Windows Components","Windows Update: Windows Update for Business: Select when Preview Builds and Feature Updates are received (BranchReadinessLevel)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,BranchReadinessLevel,,,,,16,=,Medium -18.9.102.1.2.3,"Administrative Templates: Windows Components","Windows Update: Windows Update for Business: Select when Preview Builds and Feature Updates are received (DeferFeatureUpdatesPeriodInDays)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,DeferFeatureUpdatesPeriodInDays,,,,,180,>=,Medium -18.9.102.1.3.1,"Administrative Templates: Windows Components","Windows Update: Windows Update for Business: Select when Quality Updates are received (DeferQualityUpdates)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,DeferQualityUpdates,,,,,1,=,Medium -18.9.102.1.3.2,"Administrative Templates: Windows Components","Windows Update: Windows Update for Business: Select when Quality Updates are received (DeferQualityUpdatesPeriodInDays)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,DeferQualityUpdatesPeriodInDays,,,,,0,>=,Medium -18.9.102.2,"Administrative Templates: Windows Components","Windows Update: Configure Automatic Updates",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,NoAutoUpdate,,,,,0,>=,Medium -18.9.102.3,"Administrative Templates: Windows Components","Windows Update: Configure Automatic Updates: Scheduled install day",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,ScheduledInstallDay,,,,,0,>=,Medium -18.9.102.4,"Administrative Templates: Windows Components","Windows Update: No auto-restart with logged on users for scheduled automatic updates installations",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,NoAutoRebootWithLoggedOnUsers,,,,,0,>=,Medium -18.9.102.5,"Administrative Templates: Windows Components","Windows Update: Remove access to 'Pause updates' feature",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,SetDisablePauseUXAccess,,,,,1,>=,Medium +18.9.102.1.1.1,"Administrative Templates: Windows Components","Windows Update: Manage updates offered from Windows Update: Manage preview builds (ManagePreviewBuilds)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,ManagePreviewBuilds,,,,,1,=,Medium +18.9.102.1.1.2,"Administrative Templates: Windows Components","Windows Update: Manage updates offered from Windows Update: Manage preview builds (ManagePreviewBuildsPolicyValue)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,ManagePreviewBuildsPolicyValue,,,,,0,=,Medium +18.9.102.1.2.1,"Administrative Templates: Windows Components","Windows Update: Manage updates offered from Windows Update: Select when Preview Builds and Feature Updates are received (DeferFeatureUpdates)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,DeferFeatureUpdates,,,,,1,=,Medium +18.9.102.1.2.2,"Administrative Templates: Windows Components","Windows Update: Manage updates offered from Windows Update: Select when Preview Builds and Feature Updates are received (BranchReadinessLevel)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,BranchReadinessLevel,,,,,16,=,Medium +18.9.102.1.2.3,"Administrative Templates: Windows Components","Windows Update: Manage updates offered from Windows Update: Select when Preview Builds and Feature Updates are received (DeferFeatureUpdatesPeriodInDays)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,DeferFeatureUpdatesPeriodInDays,,,,,180,>=,Medium +18.9.102.1.3.1,"Administrative Templates: Windows Components","Windows Update: Manage updates offered from Windows Update: Select when Quality Updates are received (DeferQualityUpdates)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,DeferQualityUpdates,,,,,1,=,Medium +18.9.102.1.3.2,"Administrative Templates: Windows Components","Windows Update: Manage updates offered from Windows Update: Select when Quality Updates are received (DeferQualityUpdatesPeriodInDays)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,DeferQualityUpdatesPeriodInDays,,,,,0,>=,Medium +18.9.102.2,"Administrative Templates: Windows Components","Windows Update: Manage end user experience: Configure Automatic Updates",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,NoAutoUpdate,,,,,0,>=,Medium +18.9.102.3,"Administrative Templates: Windows Components","Windows Update: Manage end user experience: Configure Automatic Updates: Scheduled install day",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,ScheduledInstallDay,,,,,0,>=,Medium +18.9.102.4,"Administrative Templates: Windows Components","Windows Update: Legacy Policies: No auto-restart with logged on users for scheduled automatic updates installations",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,NoAutoRebootWithLoggedOnUsers,,,,,0,>=,Medium +18.9.102.5,"Administrative Templates: Windows Components","Windows Update: Manage end user experience: Remove access to 'Pause updates' feature",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,SetDisablePauseUXAccess,,,,,1,>=,Medium diff --git a/lists/finding_list_cis_microsoft_windows_10_enterprise_1903_machine.csv b/lists/finding_list_cis_microsoft_windows_10_enterprise_1903_machine.csv index dc1205b..c414e08 100644 --- a/lists/finding_list_cis_microsoft_windows_10_enterprise_1903_machine.csv +++ b/lists/finding_list_cis_microsoft_windows_10_enterprise_1903_machine.csv @@ -89,8 +89,8 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 2.3.10.4,"Security Options","Network access: Do not allow storage of passwords and credentials for network authentication",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,DisableDomainCreds,,,,0,1,=,Medium 2.3.10.5,"Security Options","Network access: Let Everyone permissions apply to anonymous users",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,EveryoneIncludesAnonymous,,,,0,0,=,Medium 2.3.10.6,"Security Options","Network access: Named Pipes that can be accessed anonymously",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters,NullSessionPipes,,,,,,=,Medium -2.3.10.7,"Security Options","Network access: Remotely accessible registry paths",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths,Machine,,,,"System\CurrentControlSet\Control\ProductOptions System\CurrentControlSet\Control\Server Applications Software\Microsoft\Windows NT\CurrentVersion","System\CurrentControlSet\Control\ProductOptions System\CurrentControlSet\Control\Server Applications Software\Microsoft\Windows NT\CurrentVersion",=,Medium -2.3.10.8,"Security Options","Network access: Remotely accessible registry paths and sub-paths",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths,Machine,,,,"System\CurrentControlSet\Control\Print\Printers System\CurrentControlSet\Services\Eventlog Software\Microsoft\OLAP Server Software\Microsoft\Windows NT\CurrentVersion\Print Software\Microsoft\Windows NT\CurrentVersion\Windows System\CurrentControlSet\Control\ContentIndex System\CurrentControlSet\Control\Terminal Server System\CurrentControlSet\Control\Terminal Server\UserConfig System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration Software\Microsoft\Windows NT\CurrentVersion\Perflib System\CurrentControlSet\Services\SysmonLog","System\CurrentControlSet\Control\Print\Printers System\CurrentControlSet\Services\Eventlog Software\Microsoft\OLAP Server Software\Microsoft\Windows NT\CurrentVersion\Print Software\Microsoft\Windows NT\CurrentVersion\Windows System\CurrentControlSet\Control\ContentIndex System\CurrentControlSet\Control\Terminal Server System\CurrentControlSet\Control\Terminal Server\UserConfig System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration Software\Microsoft\Windows NT\CurrentVersion\Perflib System\CurrentControlSet\Services\SysmonLog",=,Medium +2.3.10.7,"Security Options","Network access: Remotely accessible registry paths",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths,Machine,,,,"System\CurrentControlSet\Control\ProductOptions System\CurrentControlSet\Control\Server Applications Software\Microsoft\Windows NT\CurrentVersion","System\CurrentControlSet\Control\ProductOptions;System\CurrentControlSet\Control\Server Applications;Software\Microsoft\Windows NT\CurrentVersion",=,Medium +2.3.10.8,"Security Options","Network access: Remotely accessible registry paths and sub-paths",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths,Machine,,,,"System\CurrentControlSet\Control\Print\Printers System\CurrentControlSet\Services\Eventlog Software\Microsoft\OLAP Server Software\Microsoft\Windows NT\CurrentVersion\Print Software\Microsoft\Windows NT\CurrentVersion\Windows System\CurrentControlSet\Control\ContentIndex System\CurrentControlSet\Control\Terminal Server System\CurrentControlSet\Control\Terminal Server\UserConfig System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration Software\Microsoft\Windows NT\CurrentVersion\Perflib System\CurrentControlSet\Services\SysmonLog","System\CurrentControlSet\Control\Print\Printers;System\CurrentControlSet\Services\Eventlog;Software\Microsoft\OLAP Server;Software\Microsoft\Windows NT\CurrentVersion\Print;Software\Microsoft\Windows NT\CurrentVersion\Windows;System\CurrentControlSet\Control\ContentIndex;System\CurrentControlSet\Control\Terminal Server;System\CurrentControlSet\Control\Terminal Server\UserConfig;System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration;Software\Microsoft\Windows NT\CurrentVersion\Perflib;System\CurrentControlSet\Services\SysmonLog",=,Medium 2.3.10.9,"Security Options","Network access: Restrict anonymous access to Named Pipes and Shares",Registry,,HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters,RestrictNullSessAccess,,,,1,1,=,Medium 2.3.10.10,"Security Options","Network access: Restrict clients allowed to make remote calls to SAM",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,RestrictRemoteSAM,,,,,O:BAG:BAD:(A;;RC;;;BA),=,Medium 2.3.10.11,"Security Options","Network access: Shares that can be accessed anonymously",Registry,,HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters,NullSessionShares,,,,,,=,Medium @@ -222,7 +222,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 9.2.8,"Windows Firewall","Log successful connections (Private Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging,LogSuccessfulConnections,,,,0,1,=,Low 9.3.1,"Windows Firewall","EnableFirewall (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile,EnableFirewall,,,,0,1,=,Medium 9.3.2,"Windows Firewall","Inbound Connections (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile,DefaultInboundAction,,,,1,1,=,Medium -9.3.3,"Windows Firewall","Outbound Connections (Private Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile,DefaultOutboundAction,,,,0,0,=,Medium +9.3.3,"Windows Firewall","Outbound Connections (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile,DefaultOutboundAction,,,,0,0,=,Medium 9.3.4,"Windows Firewall","Display a notification (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile,DisableNotifications,,,,0,1,=,Low 9.3.5,"Windows Firewall","Apply local firewall rules (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile,AllowLocalPolicyMerge,,,,0,0,=,Low 9.3.6,"Windows Firewall","Apply local connection security rules (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile,AllowLocalIPsecPolicyMerge,,,,0,0,=,Low @@ -258,7 +258,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 17.9.4,"Advanced Audit Policy Configuration","Security System Extension",auditpol,{0CCE9211-69AE-11D9-BED3-505054503030},,,,,,"No Auditing",Success,contains,Low 17.9.5,"Advanced Audit Policy Configuration","System Integrity",auditpol,{0CCE9212-69AE-11D9-BED3-505054503030},,,,,,"Success and Failure","Success and Failure",=,Low 18.1.1.1,"Administrative Templates: Control Panel","Personalization: Prevent enabling lock screen camera",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Personalization,NoLockScreenCamera,,,,0,1,=,Low -18.1.1.2,"Administrative Templates: Control Panel","Personalization: Prevent enabling lock screen slide",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Personalization,NoLockScreenSlideshow,,,,0,1,=,Low +18.1.1.2,"Administrative Templates: Control Panel","Personalization: Prevent enabling lock screen slide show",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Personalization,NoLockScreenSlideshow,,,,0,1,=,Low 18.1.2.2,"Administrative Templates: Control Panel","Regional and Language Options: Allow users to enable online speech recognition services",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\InputPersonalization,AllowInputPersonalization,,,,1,0,=,Medium 18.1.3,"Administrative Templates: Control Panel","Allow Online Tips",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer,AllowOnlineTips,,,,1,0,=,Medium 18.2.1,"Administrative Templates: LAPS","LAPS AdmPwd GPO Extension / CSE",Registry,,"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA}",DllName,,,,,"C:\Program Files\LAPS\CSE\AdmPwd.dll",=,Medium @@ -377,7 +377,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 18.8.37.2,"Administrative Templates: System","Remote Procedure Call: Restrict Unauthenticated RPC clients",Registry,,"HKLM:\Software\Policies\Microsoft\Windows NT\Rpc",RestrictRemoteClients,,,,0,1,=,Medium 18.8.47.5.1,"Administrative Templates: System","Troubleshooting and Diagnostics: Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy,DisableQueryRemoteServer,,,,1,0,=,Medium 18.8.47.11.1,"Administrative Templates: System","Windows Performance PerfTrack: Enable/Disable PerfTrack",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d},ScenarioExecutionEnabled,,,,1,0,=,Medium -18.8.49.1,"Administrative Templates: System","User Profiles: Turn of the advertising ID",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo,DisabledByGroupPolicy,,,,0,1,=,Medium +18.8.49.1,"Administrative Templates: System","User Profiles: Turn off the advertising ID",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo,DisabledByGroupPolicy,,,,0,1,=,Medium 18.8.52.1.1,"Administrative Templates: System","Time Providers: Enable Windows NTP Client",Registry,,HKLM:\Software\Policies\Microsoft\W32time\TimeProviders\NtpClient,Enabled,,,,0,1,=,Medium 18.8.52.1.2,"Administrative Templates: System","Time Providers: Enable Windows NTP Server",Registry,,HKLM:\Software\Policies\Microsoft\W32time\TimeProviders\NtpServer,Enabled,,,,0,0,=,Medium 18.9.4.1,"Administrative Templates: Windows Components","App Package Deployment: Allow a Windows app to share application data between users",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\AppModel\StateManager,AllowSharedLocalAppData,,,,1,0,=,Medium @@ -450,19 +450,19 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 18.9.15.1,"Administrative Templates: Windows Components","Credential User Interface: Do not display the password reveal button",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CredUI,DisablePasswordReveal,,,,0,1,=,Medium 18.9.15.2,"Administrative Templates: Windows Components","Credential User Interface: Enumerate administrator accounts on elevation",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI,EnumerateAdministrators,,,,1,0,=,Medium 18.9.15.3,"Administrative Templates: Windows Components","Credential User Interface: Prevent the use of security questions for local accounts",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,NoLocalPasswordResetQuestions,,,,0,1,=,Medium -18.9.16.1,"Administrative Templates: Windows Components","Data Collection and Preview Builds: Allow Telemetry",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DataCollection,AllowTelemetry,,,,2,1,<=,Medium +18.9.16.1,"Administrative Templates: Windows Components","Data Collection and Preview Builds: Allow Diagnostic Data",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DataCollection,AllowTelemetry,,,,2,1,<=,Medium 18.9.16.2,"Administrative Templates: Windows Components","Data Collection and Preview Builds: Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DataCollection,DisableEnterpriseAuthProxy,,,,0,1,=,Medium 18.9.16.3,"Administrative Templates: Windows Components","Data Collection and Preview Builds: Do not show feedback notifications",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DataCollection,DoNotShowFeedbackNotifications,,,,0,1,=,Medium 18.9.16.4,"Administrative Templates: Windows Components","Data Collection and Preview Builds: Toggle user control over Insider builds",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds,AllowBuildPreview,,,,1,0,=,Medium 18.9.17.1,"Administrative Templates: Windows Components","Delivery Optimization: Download Mode",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization,DODownloadMode,,,,1,2,=,Medium 18.9.26.1.1,"Administrative Templates: Windows Components","Event Log Service: Application: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Application,Retention,,,,,0,=,Medium -18.9.26.1.2,"Administrative Templates: Windows Components","Event Log Service: Specify the maximum Application log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Application,MaxSize,,,,4096,32768,>=,Medium +18.9.26.1.2,"Administrative Templates: Windows Components","Event Log Service: Application: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Application,MaxSize,,,,4096,32768,>=,Medium 18.9.26.2.1,"Administrative Templates: Windows Components","Event Log Service: Security: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Security,Retention,,,,,0,=,Medium -18.9.26.2.2,"Administrative Templates: Windows Components","Event Log Service: Specify the maximum Security log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Security,MaxSize,,,,4096,196608,>=,Medium +18.9.26.2.2,"Administrative Templates: Windows Components","Event Log Service: Security: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Security,MaxSize,,,,4096,196608,>=,Medium 18.9.26.3.1,"Administrative Templates: Windows Components","Event Log Service: Setup: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Setup,Retention,,,,,0,=,Medium 18.9.26.3.2,"Administrative Templates: Windows Components","Event Log Service: Setup: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Setup,MaxSize,,,,4096,32768,>=,Medium 18.9.26.4.1,"Administrative Templates: Windows Components","Event Log Service: System: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\System,Retention,,,,,0,=,Medium -18.9.26.4.2,"Administrative Templates: Windows Components","Event Log Service: Specify the maximum System log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\System,MaxSize,,,,4096,32768,>=,Medium +18.9.26.4.2,"Administrative Templates: Windows Components","Event Log Service: System: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\System,MaxSize,,,,4096,32768,>=,Medium 18.9.30.2,"Administrative Templates: Windows Components","File Explorer: Turn off Data Execution Prevention for Explorer",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer,NoDataExecutionPrevention,,,,,0,=,Medium 18.9.30.3,"Administrative Templates: Windows Components","File Explorer: Turn off heap termination on corruption",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer,NoHeapTerminationOnCorruption,,,,,0,=,Medium 18.9.30.4,"Administrative Templates: Windows Components","File Explorer: Turn off shell protocol protected mode",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer,PreXPSP2ShellProtocolBehavior,,,,,0,=,Medium @@ -518,18 +518,18 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 18.9.77.10.1,"Microsoft Defender Antivirus","Scan: Scan removable drives",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Scan",DisableRemovableDriveScanning,,,,,0,=,Medium 18.9.77.10.2,"Microsoft Defender Antivirus","Scan: Turn on e-mail scanning",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Scan",DisableEmailScanning,,,,,0,=,Medium 18.9.77.13.1.1,"Microsoft Defender Exploit Guard","Attack Surface Reduction rules",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR",ExploitGuard_ASR_Rules,,,,0,1,=,Medium -18.9.77.13.1.2.1.1,"Microsoft Defender Exploit Guard","ASR: Block Office applications from creating child processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",d4f940ab-401b-4efc-aadc-ad5f3c50688a,,,,0,1,=,Medium -18.9.77.13.1.2.1.2,"Microsoft Defender Exploit Guard","ASR: Block Office applications from creating child processes",MpPreferenceAsr,d4f940ab-401b-4efc-aadc-ad5f3c50688a,,,,,,0,1,=,Medium +18.9.77.13.1.2.1.1,"Microsoft Defender Exploit Guard","ASR: Block all Office applications from creating child processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",d4f940ab-401b-4efc-aadc-ad5f3c50688a,,,,0,1,=,Medium +18.9.77.13.1.2.1.2,"Microsoft Defender Exploit Guard","ASR: Block all Office applications from creating child processes",MpPreferenceAsr,d4f940ab-401b-4efc-aadc-ad5f3c50688a,,,,,,0,1,=,Medium 18.9.77.13.1.2.2.1,"Microsoft Defender Exploit Guard","ASR: Block Office applications from creating executable content (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",3b576869-a4ec-4529-8536-b80a7769e899,,,,0,1,=,Medium 18.9.77.13.1.2.2.2,"Microsoft Defender Exploit Guard","ASR: Block Office applications from creating executable content",MpPreferenceAsr,3b576869-a4ec-4529-8536-b80a7769e899,,,,,,0,1,=,Medium 18.9.77.13.1.2.3.1,"Microsoft Defender Exploit Guard","ASR: Block execution of potentially obfuscated scripts (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",5beb7efe-fd9a-4556-801d-275e5ffc04cc,,,,0,1,=,Medium 18.9.77.13.1.2.3.2,"Microsoft Defender Exploit Guard","ASR: Block execution of potentially obfuscated scripts",MpPreferenceAsr,5beb7efe-fd9a-4556-801d-275e5ffc04cc,,,,,,0,1,=,Medium -18.9.77.13.1.2.4.1,"Microsoft Defender Exploit Guard","ASR: Block Office applications from injecting into other processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84,,,,0,1,=,Medium -18.9.77.13.1.2.4.2,"Microsoft Defender Exploit Guard","ASR: Block Office applications from injecting into other processes",MpPreferenceAsr,75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84,,,,,,0,1,=,Medium +18.9.77.13.1.2.4.1,"Microsoft Defender Exploit Guard","ASR: Block Office applications from injecting code into other processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84,,,,0,1,=,Medium +18.9.77.13.1.2.4.2,"Microsoft Defender Exploit Guard","ASR: Block Office applications from injecting code into other processes",MpPreferenceAsr,75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84,,,,,,0,1,=,Medium 18.9.77.13.1.2.5.1,"Microsoft Defender Exploit Guard","ASR: Block Adobe Reader from creating child processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c,,,,0,1,=,Medium 18.9.77.13.1.2.5.2,"Microsoft Defender Exploit Guard","ASR: Block Adobe Reader from creating child processes",MpPreferenceAsr,7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c,,,,,,0,1,=,Medium -18.9.77.13.1.2.6.1,"Microsoft Defender Exploit Guard","ASR: Block Win32 imports from Macro code in Office (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b,,,,0,1,=,Medium -18.9.77.13.1.2.6.2,"Microsoft Defender Exploit Guard","ASR: Block Win32 imports from Macro code in Office",MpPreferenceAsr,92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b,,,,,,0,1,=,Medium +18.9.77.13.1.2.6.1,"Microsoft Defender Exploit Guard","ASR: Block Win32 API calls from Office macros (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b,,,,0,1,=,Medium +18.9.77.13.1.2.6.2,"Microsoft Defender Exploit Guard","ASR: Block Win32 API calls from Office macros",MpPreferenceAsr,92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b,,,,,,0,1,=,Medium 18.9.77.13.1.2.7.1,"Microsoft Defender Exploit Guard","ASR: Block credential stealing from the Windows local security authority subsystem (lsass.exe) (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2,,,,0,1,=,Medium 18.9.77.13.1.2.7.2,"Microsoft Defender Exploit Guard","ASR: Block credential stealing from the Windows local security authority subsystem (lsass.exe)",MpPreferenceAsr,9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2,,,,,,0,1,=,Medium 18.9.77.13.1.2.8.1,"Microsoft Defender Exploit Guard","ASR: Block untrusted and unsigned processes that run from USB (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4,,,,0,1,=,Medium @@ -538,11 +538,11 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 18.9.77.13.1.2.9.2,"Microsoft Defender Exploit Guard","ASR: Block executable content from email client and webmail",MpPreferenceAsr,be9ba2d9-53ea-4cdc-84e5-9b1eeee46550,,,,,,0,1,=,Medium 18.9.77.13.1.2.10.1,"Microsoft Defender Exploit Guard","ASR: Block JavaScript or VBScript from launching downloaded executable content (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",d3e037e1-3eb8-44c8-a917-57927947596d,,,,0,1,=,Medium 18.9.77.13.1.2.10.2,"Microsoft Defender Exploit Guard","ASR: Block JavaScript or VBScript from launching downloaded executable content",MpPreferenceAsr,d3e037e1-3eb8-44c8-a917-57927947596d,,,,,,0,1,=,Medium -18.9.77.13.1.2.11.1,"Microsoft Defender Exploit Guard","ASR: Block Office communication applications from creating child processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",26190899-1602-49e8-8b27-eb1d0a1ce869,,,,0,1,=,Medium -18.9.77.13.1.2.11.2,"Microsoft Defender Exploit Guard","ASR: Block Office communication applications from creating child processes",MpPreferenceAsr,26190899-1602-49e8-8b27-eb1d0a1ce869,,,,,,0,1,=,Medium +18.9.77.13.1.2.11.1,"Microsoft Defender Exploit Guard","ASR: Block Office communication application from creating child processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",26190899-1602-49e8-8b27-eb1d0a1ce869,,,,0,1,=,Medium +18.9.77.13.1.2.11.2,"Microsoft Defender Exploit Guard","ASR: Block Office communication application from creating child processes",MpPreferenceAsr,26190899-1602-49e8-8b27-eb1d0a1ce869,,,,,,0,1,=,Medium 18.9.77.13.3.1,"Microsoft Defender Exploit Guard","Network Protection: Prevent users and apps from accessing dangerous websites",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection",EnableNetworkProtection,,,,,1,=,Medium 18.9.77.14,"Microsoft Defender Antivirus","Configure detection for potentially unwanted applications",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender",PUAProtection,,,,0,1,=,Medium -18.9.77.15,"Microsoft Defender Antivirus","Turn off Windows Defender Antivirus",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender",DisableAntiSpyware,,,,0,0,=,Medium +18.9.77.15,"Microsoft Defender Antivirus","Turn off Microsoft Defender Antivirus",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender",DisableAntiSpyware,,,,0,0,=,Medium 18.9.78.1,"Microsoft Defender Application Guard","Allow auditing events in Microsoft Defender Application Guard",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\AppHVSI,AuditApplicationGuard,,,,,1,=,Medium 18.9.78.2,"Microsoft Defender Application Guard","Allow camera and microphone access in Microsoft Defender Application Guard",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\AppHVSI,AllowCameraMicrophoneRedirection,,,,,0,=,Medium 18.9.78.3,"Microsoft Defender Application Guard","Allow data persistence for Microsoft Defender Application Guard",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\AppHVSI,AllowPersistence,,,,,0,=,Medium @@ -573,14 +573,14 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 18.9.97.2.4,"Administrative Templates: Windows Components","WinRM Service: Disallow WinRM from storing RunAs credentials",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service,DisableRunAs,,,,0,1,=,Medium 18.9.98.1,"Administrative Templates: Windows Components","Windows Remote Shell: Allow Remote Shell Access",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service\WinRS,AllowRemoteShellAccess,,,,1,0,=,Medium 18.9.99.2.1,"Administrative Templates: Windows Components","App and browser protection: Prevent users from modifying settings",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection",DisallowExploitProtectionOverride,,,,,1,=,Medium -18.9.102.1.1.1,"Administrative Templates: Windows Components","Windows Update: Windows Update for Business: Manage preview builds (ManagePreviewBuilds)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,ManagePreviewBuilds,,,,,1,=,Medium -18.9.102.1.1.2,"Administrative Templates: Windows Components","Windows Update: Windows Update for Business: Manage preview builds (ManagePreviewBuildsPolicyValue)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,ManagePreviewBuildsPolicyValue,,,,,0,=,Medium -18.9.102.1.2.1,"Administrative Templates: Windows Components","Windows Update: Windows Update for Business: Select when Preview Builds and Feature Updates are received (DeferFeatureUpdates)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,DeferFeatureUpdates,,,,,1,=,Medium -18.9.102.1.2.2,"Administrative Templates: Windows Components","Windows Update: Windows Update for Business: Select when Preview Builds and Feature Updates are received (BranchReadinessLevel)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,BranchReadinessLevel,,,,,16,=,Medium -18.9.102.1.2.3,"Administrative Templates: Windows Components","Windows Update: Windows Update for Business: Select when Preview Builds and Feature Updates are received (DeferFeatureUpdatesPeriodInDays)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,DeferFeatureUpdatesPeriodInDays,,,,,180,>=,Medium -18.9.102.1.3.1,"Administrative Templates: Windows Components","Windows Update: Windows Update for Business: Select when Quality Updates are received (DeferQualityUpdates)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,DeferQualityUpdates,,,,,1,=,Medium -18.9.102.1.3.2,"Administrative Templates: Windows Components","Windows Update: Windows Update for Business: Select when Quality Updates are received (DeferQualityUpdatesPeriodInDays)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,DeferQualityUpdatesPeriodInDays,,,,,0,>=,Medium -18.9.102.2,"Administrative Templates: Windows Components","Windows Update: Configure Automatic Updates",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,NoAutoUpdate,,,,,0,>=,Medium -18.9.102.3,"Administrative Templates: Windows Components","Windows Update: Configure Automatic Updates: Scheduled install day",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,ScheduledInstallDay,,,,,0,>=,Medium -18.9.102.4,"Administrative Templates: Windows Components","Windows Update: No auto-restart with logged on users for scheduled automatic updates installations",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,NoAutoRebootWithLoggedOnUsers,,,,,0,>=,Medium -18.9.102.5,"Administrative Templates: Windows Components","Windows Update: Remove access to 'Pause updates' feature",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,SetDisablePauseUXAccess,,,,,1,>=,Medium +18.9.102.1.1.1,"Administrative Templates: Windows Components","Windows Update: Manage updates offered from Windows Update: Manage preview builds (ManagePreviewBuilds)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,ManagePreviewBuilds,,,,,1,=,Medium +18.9.102.1.1.2,"Administrative Templates: Windows Components","Windows Update: Manage updates offered from Windows Update: Manage preview builds (ManagePreviewBuildsPolicyValue)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,ManagePreviewBuildsPolicyValue,,,,,0,=,Medium +18.9.102.1.2.1,"Administrative Templates: Windows Components","Windows Update: Manage updates offered from Windows Update: Select when Preview Builds and Feature Updates are received (DeferFeatureUpdates)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,DeferFeatureUpdates,,,,,1,=,Medium +18.9.102.1.2.2,"Administrative Templates: Windows Components","Windows Update: Manage updates offered from Windows Update: Select when Preview Builds and Feature Updates are received (BranchReadinessLevel)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,BranchReadinessLevel,,,,,16,=,Medium +18.9.102.1.2.3,"Administrative Templates: Windows Components","Windows Update: Manage updates offered from Windows Update: Select when Preview Builds and Feature Updates are received (DeferFeatureUpdatesPeriodInDays)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,DeferFeatureUpdatesPeriodInDays,,,,,180,>=,Medium +18.9.102.1.3.1,"Administrative Templates: Windows Components","Windows Update: Manage updates offered from Windows Update: Select when Quality Updates are received (DeferQualityUpdates)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,DeferQualityUpdates,,,,,1,=,Medium +18.9.102.1.3.2,"Administrative Templates: Windows Components","Windows Update: Manage updates offered from Windows Update: Select when Quality Updates are received (DeferQualityUpdatesPeriodInDays)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,DeferQualityUpdatesPeriodInDays,,,,,0,>=,Medium +18.9.102.2,"Administrative Templates: Windows Components","Windows Update: Manage end user experience: Configure Automatic Updates",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,NoAutoUpdate,,,,,0,>=,Medium +18.9.102.3,"Administrative Templates: Windows Components","Windows Update: Manage end user experience: Configure Automatic Updates: Scheduled install day",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,ScheduledInstallDay,,,,,0,>=,Medium +18.9.102.4,"Administrative Templates: Windows Components","Windows Update: Legacy Policies: No auto-restart with logged on users for scheduled automatic updates installations",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,NoAutoRebootWithLoggedOnUsers,,,,,0,>=,Medium +18.9.102.5,"Administrative Templates: Windows Components","Windows Update: Manage end user experience: Remove access to 'Pause updates' feature",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,SetDisablePauseUXAccess,,,,,1,>=,Medium diff --git a/lists/finding_list_cis_microsoft_windows_10_enterprise_1909_machine.csv b/lists/finding_list_cis_microsoft_windows_10_enterprise_1909_machine.csv index dc1205b..c414e08 100644 --- a/lists/finding_list_cis_microsoft_windows_10_enterprise_1909_machine.csv +++ b/lists/finding_list_cis_microsoft_windows_10_enterprise_1909_machine.csv @@ -89,8 +89,8 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 2.3.10.4,"Security Options","Network access: Do not allow storage of passwords and credentials for network authentication",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,DisableDomainCreds,,,,0,1,=,Medium 2.3.10.5,"Security Options","Network access: Let Everyone permissions apply to anonymous users",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,EveryoneIncludesAnonymous,,,,0,0,=,Medium 2.3.10.6,"Security Options","Network access: Named Pipes that can be accessed anonymously",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters,NullSessionPipes,,,,,,=,Medium -2.3.10.7,"Security Options","Network access: Remotely accessible registry paths",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths,Machine,,,,"System\CurrentControlSet\Control\ProductOptions System\CurrentControlSet\Control\Server Applications Software\Microsoft\Windows NT\CurrentVersion","System\CurrentControlSet\Control\ProductOptions System\CurrentControlSet\Control\Server Applications Software\Microsoft\Windows NT\CurrentVersion",=,Medium -2.3.10.8,"Security Options","Network access: Remotely accessible registry paths and sub-paths",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths,Machine,,,,"System\CurrentControlSet\Control\Print\Printers System\CurrentControlSet\Services\Eventlog Software\Microsoft\OLAP Server Software\Microsoft\Windows NT\CurrentVersion\Print Software\Microsoft\Windows NT\CurrentVersion\Windows System\CurrentControlSet\Control\ContentIndex System\CurrentControlSet\Control\Terminal Server System\CurrentControlSet\Control\Terminal Server\UserConfig System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration Software\Microsoft\Windows NT\CurrentVersion\Perflib System\CurrentControlSet\Services\SysmonLog","System\CurrentControlSet\Control\Print\Printers System\CurrentControlSet\Services\Eventlog Software\Microsoft\OLAP Server Software\Microsoft\Windows NT\CurrentVersion\Print Software\Microsoft\Windows NT\CurrentVersion\Windows System\CurrentControlSet\Control\ContentIndex System\CurrentControlSet\Control\Terminal Server System\CurrentControlSet\Control\Terminal Server\UserConfig System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration Software\Microsoft\Windows NT\CurrentVersion\Perflib System\CurrentControlSet\Services\SysmonLog",=,Medium +2.3.10.7,"Security Options","Network access: Remotely accessible registry paths",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths,Machine,,,,"System\CurrentControlSet\Control\ProductOptions System\CurrentControlSet\Control\Server Applications Software\Microsoft\Windows NT\CurrentVersion","System\CurrentControlSet\Control\ProductOptions;System\CurrentControlSet\Control\Server Applications;Software\Microsoft\Windows NT\CurrentVersion",=,Medium +2.3.10.8,"Security Options","Network access: Remotely accessible registry paths and sub-paths",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths,Machine,,,,"System\CurrentControlSet\Control\Print\Printers System\CurrentControlSet\Services\Eventlog Software\Microsoft\OLAP Server Software\Microsoft\Windows NT\CurrentVersion\Print Software\Microsoft\Windows NT\CurrentVersion\Windows System\CurrentControlSet\Control\ContentIndex System\CurrentControlSet\Control\Terminal Server System\CurrentControlSet\Control\Terminal Server\UserConfig System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration Software\Microsoft\Windows NT\CurrentVersion\Perflib System\CurrentControlSet\Services\SysmonLog","System\CurrentControlSet\Control\Print\Printers;System\CurrentControlSet\Services\Eventlog;Software\Microsoft\OLAP Server;Software\Microsoft\Windows NT\CurrentVersion\Print;Software\Microsoft\Windows NT\CurrentVersion\Windows;System\CurrentControlSet\Control\ContentIndex;System\CurrentControlSet\Control\Terminal Server;System\CurrentControlSet\Control\Terminal Server\UserConfig;System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration;Software\Microsoft\Windows NT\CurrentVersion\Perflib;System\CurrentControlSet\Services\SysmonLog",=,Medium 2.3.10.9,"Security Options","Network access: Restrict anonymous access to Named Pipes and Shares",Registry,,HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters,RestrictNullSessAccess,,,,1,1,=,Medium 2.3.10.10,"Security Options","Network access: Restrict clients allowed to make remote calls to SAM",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,RestrictRemoteSAM,,,,,O:BAG:BAD:(A;;RC;;;BA),=,Medium 2.3.10.11,"Security Options","Network access: Shares that can be accessed anonymously",Registry,,HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters,NullSessionShares,,,,,,=,Medium @@ -222,7 +222,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 9.2.8,"Windows Firewall","Log successful connections (Private Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging,LogSuccessfulConnections,,,,0,1,=,Low 9.3.1,"Windows Firewall","EnableFirewall (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile,EnableFirewall,,,,0,1,=,Medium 9.3.2,"Windows Firewall","Inbound Connections (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile,DefaultInboundAction,,,,1,1,=,Medium -9.3.3,"Windows Firewall","Outbound Connections (Private Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile,DefaultOutboundAction,,,,0,0,=,Medium +9.3.3,"Windows Firewall","Outbound Connections (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile,DefaultOutboundAction,,,,0,0,=,Medium 9.3.4,"Windows Firewall","Display a notification (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile,DisableNotifications,,,,0,1,=,Low 9.3.5,"Windows Firewall","Apply local firewall rules (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile,AllowLocalPolicyMerge,,,,0,0,=,Low 9.3.6,"Windows Firewall","Apply local connection security rules (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile,AllowLocalIPsecPolicyMerge,,,,0,0,=,Low @@ -258,7 +258,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 17.9.4,"Advanced Audit Policy Configuration","Security System Extension",auditpol,{0CCE9211-69AE-11D9-BED3-505054503030},,,,,,"No Auditing",Success,contains,Low 17.9.5,"Advanced Audit Policy Configuration","System Integrity",auditpol,{0CCE9212-69AE-11D9-BED3-505054503030},,,,,,"Success and Failure","Success and Failure",=,Low 18.1.1.1,"Administrative Templates: Control Panel","Personalization: Prevent enabling lock screen camera",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Personalization,NoLockScreenCamera,,,,0,1,=,Low -18.1.1.2,"Administrative Templates: Control Panel","Personalization: Prevent enabling lock screen slide",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Personalization,NoLockScreenSlideshow,,,,0,1,=,Low +18.1.1.2,"Administrative Templates: Control Panel","Personalization: Prevent enabling lock screen slide show",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Personalization,NoLockScreenSlideshow,,,,0,1,=,Low 18.1.2.2,"Administrative Templates: Control Panel","Regional and Language Options: Allow users to enable online speech recognition services",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\InputPersonalization,AllowInputPersonalization,,,,1,0,=,Medium 18.1.3,"Administrative Templates: Control Panel","Allow Online Tips",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer,AllowOnlineTips,,,,1,0,=,Medium 18.2.1,"Administrative Templates: LAPS","LAPS AdmPwd GPO Extension / CSE",Registry,,"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA}",DllName,,,,,"C:\Program Files\LAPS\CSE\AdmPwd.dll",=,Medium @@ -377,7 +377,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 18.8.37.2,"Administrative Templates: System","Remote Procedure Call: Restrict Unauthenticated RPC clients",Registry,,"HKLM:\Software\Policies\Microsoft\Windows NT\Rpc",RestrictRemoteClients,,,,0,1,=,Medium 18.8.47.5.1,"Administrative Templates: System","Troubleshooting and Diagnostics: Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy,DisableQueryRemoteServer,,,,1,0,=,Medium 18.8.47.11.1,"Administrative Templates: System","Windows Performance PerfTrack: Enable/Disable PerfTrack",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d},ScenarioExecutionEnabled,,,,1,0,=,Medium -18.8.49.1,"Administrative Templates: System","User Profiles: Turn of the advertising ID",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo,DisabledByGroupPolicy,,,,0,1,=,Medium +18.8.49.1,"Administrative Templates: System","User Profiles: Turn off the advertising ID",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo,DisabledByGroupPolicy,,,,0,1,=,Medium 18.8.52.1.1,"Administrative Templates: System","Time Providers: Enable Windows NTP Client",Registry,,HKLM:\Software\Policies\Microsoft\W32time\TimeProviders\NtpClient,Enabled,,,,0,1,=,Medium 18.8.52.1.2,"Administrative Templates: System","Time Providers: Enable Windows NTP Server",Registry,,HKLM:\Software\Policies\Microsoft\W32time\TimeProviders\NtpServer,Enabled,,,,0,0,=,Medium 18.9.4.1,"Administrative Templates: Windows Components","App Package Deployment: Allow a Windows app to share application data between users",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\AppModel\StateManager,AllowSharedLocalAppData,,,,1,0,=,Medium @@ -450,19 +450,19 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 18.9.15.1,"Administrative Templates: Windows Components","Credential User Interface: Do not display the password reveal button",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CredUI,DisablePasswordReveal,,,,0,1,=,Medium 18.9.15.2,"Administrative Templates: Windows Components","Credential User Interface: Enumerate administrator accounts on elevation",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI,EnumerateAdministrators,,,,1,0,=,Medium 18.9.15.3,"Administrative Templates: Windows Components","Credential User Interface: Prevent the use of security questions for local accounts",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,NoLocalPasswordResetQuestions,,,,0,1,=,Medium -18.9.16.1,"Administrative Templates: Windows Components","Data Collection and Preview Builds: Allow Telemetry",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DataCollection,AllowTelemetry,,,,2,1,<=,Medium +18.9.16.1,"Administrative Templates: Windows Components","Data Collection and Preview Builds: Allow Diagnostic Data",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DataCollection,AllowTelemetry,,,,2,1,<=,Medium 18.9.16.2,"Administrative Templates: Windows Components","Data Collection and Preview Builds: Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DataCollection,DisableEnterpriseAuthProxy,,,,0,1,=,Medium 18.9.16.3,"Administrative Templates: Windows Components","Data Collection and Preview Builds: Do not show feedback notifications",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DataCollection,DoNotShowFeedbackNotifications,,,,0,1,=,Medium 18.9.16.4,"Administrative Templates: Windows Components","Data Collection and Preview Builds: Toggle user control over Insider builds",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds,AllowBuildPreview,,,,1,0,=,Medium 18.9.17.1,"Administrative Templates: Windows Components","Delivery Optimization: Download Mode",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization,DODownloadMode,,,,1,2,=,Medium 18.9.26.1.1,"Administrative Templates: Windows Components","Event Log Service: Application: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Application,Retention,,,,,0,=,Medium -18.9.26.1.2,"Administrative Templates: Windows Components","Event Log Service: Specify the maximum Application log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Application,MaxSize,,,,4096,32768,>=,Medium +18.9.26.1.2,"Administrative Templates: Windows Components","Event Log Service: Application: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Application,MaxSize,,,,4096,32768,>=,Medium 18.9.26.2.1,"Administrative Templates: Windows Components","Event Log Service: Security: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Security,Retention,,,,,0,=,Medium -18.9.26.2.2,"Administrative Templates: Windows Components","Event Log Service: Specify the maximum Security log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Security,MaxSize,,,,4096,196608,>=,Medium +18.9.26.2.2,"Administrative Templates: Windows Components","Event Log Service: Security: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Security,MaxSize,,,,4096,196608,>=,Medium 18.9.26.3.1,"Administrative Templates: Windows Components","Event Log Service: Setup: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Setup,Retention,,,,,0,=,Medium 18.9.26.3.2,"Administrative Templates: Windows Components","Event Log Service: Setup: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Setup,MaxSize,,,,4096,32768,>=,Medium 18.9.26.4.1,"Administrative Templates: Windows Components","Event Log Service: System: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\System,Retention,,,,,0,=,Medium -18.9.26.4.2,"Administrative Templates: Windows Components","Event Log Service: Specify the maximum System log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\System,MaxSize,,,,4096,32768,>=,Medium +18.9.26.4.2,"Administrative Templates: Windows Components","Event Log Service: System: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\System,MaxSize,,,,4096,32768,>=,Medium 18.9.30.2,"Administrative Templates: Windows Components","File Explorer: Turn off Data Execution Prevention for Explorer",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer,NoDataExecutionPrevention,,,,,0,=,Medium 18.9.30.3,"Administrative Templates: Windows Components","File Explorer: Turn off heap termination on corruption",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer,NoHeapTerminationOnCorruption,,,,,0,=,Medium 18.9.30.4,"Administrative Templates: Windows Components","File Explorer: Turn off shell protocol protected mode",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer,PreXPSP2ShellProtocolBehavior,,,,,0,=,Medium @@ -518,18 +518,18 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 18.9.77.10.1,"Microsoft Defender Antivirus","Scan: Scan removable drives",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Scan",DisableRemovableDriveScanning,,,,,0,=,Medium 18.9.77.10.2,"Microsoft Defender Antivirus","Scan: Turn on e-mail scanning",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Scan",DisableEmailScanning,,,,,0,=,Medium 18.9.77.13.1.1,"Microsoft Defender Exploit Guard","Attack Surface Reduction rules",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR",ExploitGuard_ASR_Rules,,,,0,1,=,Medium -18.9.77.13.1.2.1.1,"Microsoft Defender Exploit Guard","ASR: Block Office applications from creating child processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",d4f940ab-401b-4efc-aadc-ad5f3c50688a,,,,0,1,=,Medium -18.9.77.13.1.2.1.2,"Microsoft Defender Exploit Guard","ASR: Block Office applications from creating child processes",MpPreferenceAsr,d4f940ab-401b-4efc-aadc-ad5f3c50688a,,,,,,0,1,=,Medium +18.9.77.13.1.2.1.1,"Microsoft Defender Exploit Guard","ASR: Block all Office applications from creating child processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",d4f940ab-401b-4efc-aadc-ad5f3c50688a,,,,0,1,=,Medium +18.9.77.13.1.2.1.2,"Microsoft Defender Exploit Guard","ASR: Block all Office applications from creating child processes",MpPreferenceAsr,d4f940ab-401b-4efc-aadc-ad5f3c50688a,,,,,,0,1,=,Medium 18.9.77.13.1.2.2.1,"Microsoft Defender Exploit Guard","ASR: Block Office applications from creating executable content (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",3b576869-a4ec-4529-8536-b80a7769e899,,,,0,1,=,Medium 18.9.77.13.1.2.2.2,"Microsoft Defender Exploit Guard","ASR: Block Office applications from creating executable content",MpPreferenceAsr,3b576869-a4ec-4529-8536-b80a7769e899,,,,,,0,1,=,Medium 18.9.77.13.1.2.3.1,"Microsoft Defender Exploit Guard","ASR: Block execution of potentially obfuscated scripts (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",5beb7efe-fd9a-4556-801d-275e5ffc04cc,,,,0,1,=,Medium 18.9.77.13.1.2.3.2,"Microsoft Defender Exploit Guard","ASR: Block execution of potentially obfuscated scripts",MpPreferenceAsr,5beb7efe-fd9a-4556-801d-275e5ffc04cc,,,,,,0,1,=,Medium -18.9.77.13.1.2.4.1,"Microsoft Defender Exploit Guard","ASR: Block Office applications from injecting into other processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84,,,,0,1,=,Medium -18.9.77.13.1.2.4.2,"Microsoft Defender Exploit Guard","ASR: Block Office applications from injecting into other processes",MpPreferenceAsr,75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84,,,,,,0,1,=,Medium +18.9.77.13.1.2.4.1,"Microsoft Defender Exploit Guard","ASR: Block Office applications from injecting code into other processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84,,,,0,1,=,Medium +18.9.77.13.1.2.4.2,"Microsoft Defender Exploit Guard","ASR: Block Office applications from injecting code into other processes",MpPreferenceAsr,75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84,,,,,,0,1,=,Medium 18.9.77.13.1.2.5.1,"Microsoft Defender Exploit Guard","ASR: Block Adobe Reader from creating child processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c,,,,0,1,=,Medium 18.9.77.13.1.2.5.2,"Microsoft Defender Exploit Guard","ASR: Block Adobe Reader from creating child processes",MpPreferenceAsr,7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c,,,,,,0,1,=,Medium -18.9.77.13.1.2.6.1,"Microsoft Defender Exploit Guard","ASR: Block Win32 imports from Macro code in Office (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b,,,,0,1,=,Medium -18.9.77.13.1.2.6.2,"Microsoft Defender Exploit Guard","ASR: Block Win32 imports from Macro code in Office",MpPreferenceAsr,92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b,,,,,,0,1,=,Medium +18.9.77.13.1.2.6.1,"Microsoft Defender Exploit Guard","ASR: Block Win32 API calls from Office macros (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b,,,,0,1,=,Medium +18.9.77.13.1.2.6.2,"Microsoft Defender Exploit Guard","ASR: Block Win32 API calls from Office macros",MpPreferenceAsr,92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b,,,,,,0,1,=,Medium 18.9.77.13.1.2.7.1,"Microsoft Defender Exploit Guard","ASR: Block credential stealing from the Windows local security authority subsystem (lsass.exe) (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2,,,,0,1,=,Medium 18.9.77.13.1.2.7.2,"Microsoft Defender Exploit Guard","ASR: Block credential stealing from the Windows local security authority subsystem (lsass.exe)",MpPreferenceAsr,9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2,,,,,,0,1,=,Medium 18.9.77.13.1.2.8.1,"Microsoft Defender Exploit Guard","ASR: Block untrusted and unsigned processes that run from USB (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4,,,,0,1,=,Medium @@ -538,11 +538,11 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 18.9.77.13.1.2.9.2,"Microsoft Defender Exploit Guard","ASR: Block executable content from email client and webmail",MpPreferenceAsr,be9ba2d9-53ea-4cdc-84e5-9b1eeee46550,,,,,,0,1,=,Medium 18.9.77.13.1.2.10.1,"Microsoft Defender Exploit Guard","ASR: Block JavaScript or VBScript from launching downloaded executable content (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",d3e037e1-3eb8-44c8-a917-57927947596d,,,,0,1,=,Medium 18.9.77.13.1.2.10.2,"Microsoft Defender Exploit Guard","ASR: Block JavaScript or VBScript from launching downloaded executable content",MpPreferenceAsr,d3e037e1-3eb8-44c8-a917-57927947596d,,,,,,0,1,=,Medium -18.9.77.13.1.2.11.1,"Microsoft Defender Exploit Guard","ASR: Block Office communication applications from creating child processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",26190899-1602-49e8-8b27-eb1d0a1ce869,,,,0,1,=,Medium -18.9.77.13.1.2.11.2,"Microsoft Defender Exploit Guard","ASR: Block Office communication applications from creating child processes",MpPreferenceAsr,26190899-1602-49e8-8b27-eb1d0a1ce869,,,,,,0,1,=,Medium +18.9.77.13.1.2.11.1,"Microsoft Defender Exploit Guard","ASR: Block Office communication application from creating child processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",26190899-1602-49e8-8b27-eb1d0a1ce869,,,,0,1,=,Medium +18.9.77.13.1.2.11.2,"Microsoft Defender Exploit Guard","ASR: Block Office communication application from creating child processes",MpPreferenceAsr,26190899-1602-49e8-8b27-eb1d0a1ce869,,,,,,0,1,=,Medium 18.9.77.13.3.1,"Microsoft Defender Exploit Guard","Network Protection: Prevent users and apps from accessing dangerous websites",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection",EnableNetworkProtection,,,,,1,=,Medium 18.9.77.14,"Microsoft Defender Antivirus","Configure detection for potentially unwanted applications",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender",PUAProtection,,,,0,1,=,Medium -18.9.77.15,"Microsoft Defender Antivirus","Turn off Windows Defender Antivirus",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender",DisableAntiSpyware,,,,0,0,=,Medium +18.9.77.15,"Microsoft Defender Antivirus","Turn off Microsoft Defender Antivirus",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender",DisableAntiSpyware,,,,0,0,=,Medium 18.9.78.1,"Microsoft Defender Application Guard","Allow auditing events in Microsoft Defender Application Guard",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\AppHVSI,AuditApplicationGuard,,,,,1,=,Medium 18.9.78.2,"Microsoft Defender Application Guard","Allow camera and microphone access in Microsoft Defender Application Guard",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\AppHVSI,AllowCameraMicrophoneRedirection,,,,,0,=,Medium 18.9.78.3,"Microsoft Defender Application Guard","Allow data persistence for Microsoft Defender Application Guard",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\AppHVSI,AllowPersistence,,,,,0,=,Medium @@ -573,14 +573,14 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 18.9.97.2.4,"Administrative Templates: Windows Components","WinRM Service: Disallow WinRM from storing RunAs credentials",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service,DisableRunAs,,,,0,1,=,Medium 18.9.98.1,"Administrative Templates: Windows Components","Windows Remote Shell: Allow Remote Shell Access",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service\WinRS,AllowRemoteShellAccess,,,,1,0,=,Medium 18.9.99.2.1,"Administrative Templates: Windows Components","App and browser protection: Prevent users from modifying settings",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection",DisallowExploitProtectionOverride,,,,,1,=,Medium -18.9.102.1.1.1,"Administrative Templates: Windows Components","Windows Update: Windows Update for Business: Manage preview builds (ManagePreviewBuilds)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,ManagePreviewBuilds,,,,,1,=,Medium -18.9.102.1.1.2,"Administrative Templates: Windows Components","Windows Update: Windows Update for Business: Manage preview builds (ManagePreviewBuildsPolicyValue)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,ManagePreviewBuildsPolicyValue,,,,,0,=,Medium -18.9.102.1.2.1,"Administrative Templates: Windows Components","Windows Update: Windows Update for Business: Select when Preview Builds and Feature Updates are received (DeferFeatureUpdates)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,DeferFeatureUpdates,,,,,1,=,Medium -18.9.102.1.2.2,"Administrative Templates: Windows Components","Windows Update: Windows Update for Business: Select when Preview Builds and Feature Updates are received (BranchReadinessLevel)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,BranchReadinessLevel,,,,,16,=,Medium -18.9.102.1.2.3,"Administrative Templates: Windows Components","Windows Update: Windows Update for Business: Select when Preview Builds and Feature Updates are received (DeferFeatureUpdatesPeriodInDays)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,DeferFeatureUpdatesPeriodInDays,,,,,180,>=,Medium -18.9.102.1.3.1,"Administrative Templates: Windows Components","Windows Update: Windows Update for Business: Select when Quality Updates are received (DeferQualityUpdates)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,DeferQualityUpdates,,,,,1,=,Medium -18.9.102.1.3.2,"Administrative Templates: Windows Components","Windows Update: Windows Update for Business: Select when Quality Updates are received (DeferQualityUpdatesPeriodInDays)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,DeferQualityUpdatesPeriodInDays,,,,,0,>=,Medium -18.9.102.2,"Administrative Templates: Windows Components","Windows Update: Configure Automatic Updates",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,NoAutoUpdate,,,,,0,>=,Medium -18.9.102.3,"Administrative Templates: Windows Components","Windows Update: Configure Automatic Updates: Scheduled install day",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,ScheduledInstallDay,,,,,0,>=,Medium -18.9.102.4,"Administrative Templates: Windows Components","Windows Update: No auto-restart with logged on users for scheduled automatic updates installations",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,NoAutoRebootWithLoggedOnUsers,,,,,0,>=,Medium -18.9.102.5,"Administrative Templates: Windows Components","Windows Update: Remove access to 'Pause updates' feature",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,SetDisablePauseUXAccess,,,,,1,>=,Medium +18.9.102.1.1.1,"Administrative Templates: Windows Components","Windows Update: Manage updates offered from Windows Update: Manage preview builds (ManagePreviewBuilds)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,ManagePreviewBuilds,,,,,1,=,Medium +18.9.102.1.1.2,"Administrative Templates: Windows Components","Windows Update: Manage updates offered from Windows Update: Manage preview builds (ManagePreviewBuildsPolicyValue)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,ManagePreviewBuildsPolicyValue,,,,,0,=,Medium +18.9.102.1.2.1,"Administrative Templates: Windows Components","Windows Update: Manage updates offered from Windows Update: Select when Preview Builds and Feature Updates are received (DeferFeatureUpdates)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,DeferFeatureUpdates,,,,,1,=,Medium +18.9.102.1.2.2,"Administrative Templates: Windows Components","Windows Update: Manage updates offered from Windows Update: Select when Preview Builds and Feature Updates are received (BranchReadinessLevel)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,BranchReadinessLevel,,,,,16,=,Medium +18.9.102.1.2.3,"Administrative Templates: Windows Components","Windows Update: Manage updates offered from Windows Update: Select when Preview Builds and Feature Updates are received (DeferFeatureUpdatesPeriodInDays)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,DeferFeatureUpdatesPeriodInDays,,,,,180,>=,Medium +18.9.102.1.3.1,"Administrative Templates: Windows Components","Windows Update: Manage updates offered from Windows Update: Select when Quality Updates are received (DeferQualityUpdates)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,DeferQualityUpdates,,,,,1,=,Medium +18.9.102.1.3.2,"Administrative Templates: Windows Components","Windows Update: Manage updates offered from Windows Update: Select when Quality Updates are received (DeferQualityUpdatesPeriodInDays)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,DeferQualityUpdatesPeriodInDays,,,,,0,>=,Medium +18.9.102.2,"Administrative Templates: Windows Components","Windows Update: Manage end user experience: Configure Automatic Updates",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,NoAutoUpdate,,,,,0,>=,Medium +18.9.102.3,"Administrative Templates: Windows Components","Windows Update: Manage end user experience: Configure Automatic Updates: Scheduled install day",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,ScheduledInstallDay,,,,,0,>=,Medium +18.9.102.4,"Administrative Templates: Windows Components","Windows Update: Legacy Policies: No auto-restart with logged on users for scheduled automatic updates installations",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,NoAutoRebootWithLoggedOnUsers,,,,,0,>=,Medium +18.9.102.5,"Administrative Templates: Windows Components","Windows Update: Manage end user experience: Remove access to 'Pause updates' feature",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,SetDisablePauseUXAccess,,,,,1,>=,Medium diff --git a/lists/finding_list_cis_microsoft_windows_10_enterprise_2004_machine.csv b/lists/finding_list_cis_microsoft_windows_10_enterprise_2004_machine.csv index bca5361..25e609b 100644 --- a/lists/finding_list_cis_microsoft_windows_10_enterprise_2004_machine.csv +++ b/lists/finding_list_cis_microsoft_windows_10_enterprise_2004_machine.csv @@ -90,8 +90,8 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 2.3.10.4,"Security Options","Network access: Do not allow storage of passwords and credentials for network authentication",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,DisableDomainCreds,,,,0,1,=,Medium 2.3.10.5,"Security Options","Network access: Let Everyone permissions apply to anonymous users",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,EveryoneIncludesAnonymous,,,,0,0,=,Medium 2.3.10.6,"Security Options","Network access: Named Pipes that can be accessed anonymously",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters,NullSessionPipes,,,,,,=,Medium -2.3.10.7,"Security Options","Network access: Remotely accessible registry paths",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths,Machine,,,,"System\CurrentControlSet\Control\ProductOptions System\CurrentControlSet\Control\Server Applications Software\Microsoft\Windows NT\CurrentVersion","System\CurrentControlSet\Control\ProductOptions System\CurrentControlSet\Control\Server Applications Software\Microsoft\Windows NT\CurrentVersion",=,Medium -2.3.10.8,"Security Options","Network access: Remotely accessible registry paths and sub-paths",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths,Machine,,,,"System\CurrentControlSet\Control\Print\Printers System\CurrentControlSet\Services\Eventlog Software\Microsoft\OLAP Server Software\Microsoft\Windows NT\CurrentVersion\Print Software\Microsoft\Windows NT\CurrentVersion\Windows System\CurrentControlSet\Control\ContentIndex System\CurrentControlSet\Control\Terminal Server System\CurrentControlSet\Control\Terminal Server\UserConfig System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration Software\Microsoft\Windows NT\CurrentVersion\Perflib System\CurrentControlSet\Services\SysmonLog","System\CurrentControlSet\Control\Print\Printers System\CurrentControlSet\Services\Eventlog Software\Microsoft\OLAP Server Software\Microsoft\Windows NT\CurrentVersion\Print Software\Microsoft\Windows NT\CurrentVersion\Windows System\CurrentControlSet\Control\ContentIndex System\CurrentControlSet\Control\Terminal Server System\CurrentControlSet\Control\Terminal Server\UserConfig System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration Software\Microsoft\Windows NT\CurrentVersion\Perflib System\CurrentControlSet\Services\SysmonLog",=,Medium +2.3.10.7,"Security Options","Network access: Remotely accessible registry paths",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths,Machine,,,,"System\CurrentControlSet\Control\ProductOptions System\CurrentControlSet\Control\Server Applications Software\Microsoft\Windows NT\CurrentVersion","System\CurrentControlSet\Control\ProductOptions;System\CurrentControlSet\Control\Server Applications;Software\Microsoft\Windows NT\CurrentVersion",=,Medium +2.3.10.8,"Security Options","Network access: Remotely accessible registry paths and sub-paths",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths,Machine,,,,"System\CurrentControlSet\Control\Print\Printers System\CurrentControlSet\Services\Eventlog Software\Microsoft\OLAP Server Software\Microsoft\Windows NT\CurrentVersion\Print Software\Microsoft\Windows NT\CurrentVersion\Windows System\CurrentControlSet\Control\ContentIndex System\CurrentControlSet\Control\Terminal Server System\CurrentControlSet\Control\Terminal Server\UserConfig System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration Software\Microsoft\Windows NT\CurrentVersion\Perflib System\CurrentControlSet\Services\SysmonLog","System\CurrentControlSet\Control\Print\Printers;System\CurrentControlSet\Services\Eventlog;Software\Microsoft\OLAP Server;Software\Microsoft\Windows NT\CurrentVersion\Print;Software\Microsoft\Windows NT\CurrentVersion\Windows;System\CurrentControlSet\Control\ContentIndex;System\CurrentControlSet\Control\Terminal Server;System\CurrentControlSet\Control\Terminal Server\UserConfig;System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration;Software\Microsoft\Windows NT\CurrentVersion\Perflib;System\CurrentControlSet\Services\SysmonLog",=,Medium 2.3.10.9,"Security Options","Network access: Restrict anonymous access to Named Pipes and Shares",Registry,,HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters,RestrictNullSessAccess,,,,1,1,=,Medium 2.3.10.10,"Security Options","Network access: Restrict clients allowed to make remote calls to SAM",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,RestrictRemoteSAM,,,,,O:BAG:BAD:(A;;RC;;;BA),=,Medium 2.3.10.11,"Security Options","Network access: Shares that can be accessed anonymously",Registry,,HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters,NullSessionShares,,,,,,=,Medium @@ -223,7 +223,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 9.2.8,"Windows Firewall","Log successful connections (Private Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging,LogSuccessfulConnections,,,,0,1,=,Low 9.3.1,"Windows Firewall","EnableFirewall (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile,EnableFirewall,,,,0,1,=,Medium 9.3.2,"Windows Firewall","Inbound Connections (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile,DefaultInboundAction,,,,1,1,=,Medium -9.3.3,"Windows Firewall","Outbound Connections (Private Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile,DefaultOutboundAction,,,,0,0,=,Medium +9.3.3,"Windows Firewall","Outbound Connections (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile,DefaultOutboundAction,,,,0,0,=,Medium 9.3.4,"Windows Firewall","Display a notification (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile,DisableNotifications,,,,0,1,=,Low 9.3.5,"Windows Firewall","Apply local firewall rules (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile,AllowLocalPolicyMerge,,,,0,0,=,Low 9.3.6,"Windows Firewall","Apply local connection security rules (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile,AllowLocalIPsecPolicyMerge,,,,0,0,=,Low @@ -259,7 +259,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 17.9.4,"Advanced Audit Policy Configuration","Security System Extension",auditpol,{0CCE9211-69AE-11D9-BED3-505054503030},,,,,,"No Auditing",Success,contains,Low 17.9.5,"Advanced Audit Policy Configuration","System Integrity",auditpol,{0CCE9212-69AE-11D9-BED3-505054503030},,,,,,"Success and Failure","Success and Failure",=,Low 18.1.1.1,"Administrative Templates: Control Panel","Personalization: Prevent enabling lock screen camera",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Personalization,NoLockScreenCamera,,,,0,1,=,Low -18.1.1.2,"Administrative Templates: Control Panel","Personalization: Prevent enabling lock screen slide",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Personalization,NoLockScreenSlideshow,,,,0,1,=,Low +18.1.1.2,"Administrative Templates: Control Panel","Personalization: Prevent enabling lock screen slide show",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Personalization,NoLockScreenSlideshow,,,,0,1,=,Low 18.1.2.2,"Administrative Templates: Control Panel","Regional and Language Options: Allow users to enable online speech recognition services",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\InputPersonalization,AllowInputPersonalization,,,,1,0,=,Medium 18.1.3,"Administrative Templates: Control Panel","Allow Online Tips",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer,AllowOnlineTips,,,,1,0,=,Medium 18.2.1,"Administrative Templates: LAPS","LAPS AdmPwd GPO Extension / CSE",Registry,,"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA}",DllName,,,,,"C:\Program Files\LAPS\CSE\AdmPwd.dll",=,Medium @@ -378,7 +378,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 18.8.37.2,"Administrative Templates: System","Remote Procedure Call: Restrict Unauthenticated RPC clients",Registry,,"HKLM:\Software\Policies\Microsoft\Windows NT\Rpc",RestrictRemoteClients,,,,0,1,=,Medium 18.8.47.5.1,"Administrative Templates: System","Troubleshooting and Diagnostics: Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy,DisableQueryRemoteServer,,,,1,0,=,Medium 18.8.47.11.1,"Administrative Templates: System","Windows Performance PerfTrack: Enable/Disable PerfTrack",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d},ScenarioExecutionEnabled,,,,1,0,=,Medium -18.8.49.1,"Administrative Templates: System","User Profiles: Turn of the advertising ID",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo,DisabledByGroupPolicy,,,,0,1,=,Medium +18.8.49.1,"Administrative Templates: System","User Profiles: Turn off the advertising ID",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo,DisabledByGroupPolicy,,,,0,1,=,Medium 18.8.52.1.1,"Administrative Templates: System","Time Providers: Enable Windows NTP Client",Registry,,HKLM:\Software\Policies\Microsoft\W32time\TimeProviders\NtpClient,Enabled,,,,0,1,=,Medium 18.8.52.1.2,"Administrative Templates: System","Time Providers: Enable Windows NTP Server",Registry,,HKLM:\Software\Policies\Microsoft\W32time\TimeProviders\NtpServer,Enabled,,,,0,0,=,Medium 18.9.4.1,"Administrative Templates: Windows Components","App Package Deployment: Allow a Windows app to share application data between users",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\AppModel\StateManager,AllowSharedLocalAppData,,,,1,0,=,Medium @@ -448,19 +448,19 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 18.9.15.1,"Administrative Templates: Windows Components","Credential User Interface: Do not display the password reveal button",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CredUI,DisablePasswordReveal,,,,0,1,=,Medium 18.9.15.2,"Administrative Templates: Windows Components","Credential User Interface: Enumerate administrator accounts on elevation",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI,EnumerateAdministrators,,,,1,0,=,Medium 18.9.15.3,"Administrative Templates: Windows Components","Credential User Interface: Prevent the use of security questions for local accounts",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,NoLocalPasswordResetQuestions,,,,0,1,=,Medium -18.9.16.1,"Administrative Templates: Windows Components","Data Collection and Preview Builds: Allow Telemetry",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DataCollection,AllowTelemetry,,,,2,1,<=,Medium +18.9.16.1,"Administrative Templates: Windows Components","Data Collection and Preview Builds: Allow Diagnostic Data",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DataCollection,AllowTelemetry,,,,2,1,<=,Medium 18.9.16.2,"Administrative Templates: Windows Components","Data Collection and Preview Builds: Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DataCollection,DisableEnterpriseAuthProxy,,,,0,1,=,Medium 18.9.16.3,"Administrative Templates: Windows Components","Data Collection and Preview Builds: Do not show feedback notifications",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DataCollection,DoNotShowFeedbackNotifications,,,,0,1,=,Medium 18.9.16.4,"Administrative Templates: Windows Components","Data Collection and Preview Builds: Toggle user control over Insider builds",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds,AllowBuildPreview,,,,1,0,=,Medium 18.9.17.1,"Administrative Templates: Windows Components","Delivery Optimization: Download Mode",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization,DODownloadMode,,,,1,2,=,Medium 18.9.26.1.1,"Administrative Templates: Windows Components","Event Log Service: Application: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Application,Retention,,,,,0,=,Medium -18.9.26.1.2,"Administrative Templates: Windows Components","Event Log Service: Specify the maximum Application log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Application,MaxSize,,,,4096,32768,>=,Medium +18.9.26.1.2,"Administrative Templates: Windows Components","Event Log Service: Application: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Application,MaxSize,,,,4096,32768,>=,Medium 18.9.26.2.1,"Administrative Templates: Windows Components","Event Log Service: Security: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Security,Retention,,,,,0,=,Medium -18.9.26.2.2,"Administrative Templates: Windows Components","Event Log Service: Specify the maximum Security log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Security,MaxSize,,,,4096,196608,>=,Medium +18.9.26.2.2,"Administrative Templates: Windows Components","Event Log Service: Security: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Security,MaxSize,,,,4096,196608,>=,Medium 18.9.26.3.1,"Administrative Templates: Windows Components","Event Log Service: Setup: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Setup,Retention,,,,,0,=,Medium 18.9.26.3.2,"Administrative Templates: Windows Components","Event Log Service: Setup: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Setup,MaxSize,,,,4096,32768,>=,Medium 18.9.26.4.1,"Administrative Templates: Windows Components","Event Log Service: System: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\System,Retention,,,,,0,=,Medium -18.9.26.4.2,"Administrative Templates: Windows Components","Event Log Service: Specify the maximum System log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\System,MaxSize,,,,4096,32768,>=,Medium +18.9.26.4.2,"Administrative Templates: Windows Components","Event Log Service: System: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\System,MaxSize,,,,4096,32768,>=,Medium 18.9.30.2,"Administrative Templates: Windows Components","File Explorer: Turn off Data Execution Prevention for Explorer",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer,NoDataExecutionPrevention,,,,,0,=,Medium 18.9.30.3,"Administrative Templates: Windows Components","File Explorer: Turn off heap termination on corruption",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer,NoHeapTerminationOnCorruption,,,,,0,=,Medium 18.9.30.4,"Administrative Templates: Windows Components","File Explorer: Turn off shell protocol protected mode",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer,PreXPSP2ShellProtocolBehavior,,,,,0,=,Medium @@ -471,18 +471,18 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 18.9.45.3.1,"Microsoft Defender Antivirus","MAPS: Configure local setting override for reporting to Microsoft MAPS",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet",LocalSettingOverrideSpynetReporting,,,,,0,=,Medium 18.9.45.3.2,"Microsoft Defender Antivirus","MAPS: Join Microsoft MAPS",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet",SpynetReporting,,,,,0,=|0,Medium 18.9.45.4.1.1,"Microsoft Defender Exploit Guard","Attack Surface Reduction rules",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR",ExploitGuard_ASR_Rules,,,,0,1,=,Medium -18.9.45.4.1.2.1.1,"Microsoft Defender Exploit Guard","ASR: Block Office applications from creating child processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",d4f940ab-401b-4efc-aadc-ad5f3c50688a,,,,0,1,=,Medium -18.9.45.4.1.2.1.2,"Microsoft Defender Exploit Guard","ASR: Block Office applications from creating child processes",MpPreferenceAsr,d4f940ab-401b-4efc-aadc-ad5f3c50688a,,,,,,0,1,=,Medium +18.9.45.4.1.2.1.1,"Microsoft Defender Exploit Guard","ASR: Block all Office applications from creating child processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",d4f940ab-401b-4efc-aadc-ad5f3c50688a,,,,0,1,=,Medium +18.9.45.4.1.2.1.2,"Microsoft Defender Exploit Guard","ASR: Block all Office applications from creating child processes",MpPreferenceAsr,d4f940ab-401b-4efc-aadc-ad5f3c50688a,,,,,,0,1,=,Medium 18.9.45.4.1.2.2.1,"Microsoft Defender Exploit Guard","ASR: Block Office applications from creating executable content (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",3b576869-a4ec-4529-8536-b80a7769e899,,,,0,1,=,Medium 18.9.45.4.1.2.2.2,"Microsoft Defender Exploit Guard","ASR: Block Office applications from creating executable content",MpPreferenceAsr,3b576869-a4ec-4529-8536-b80a7769e899,,,,,,0,1,=,Medium 18.9.45.4.1.2.3.1,"Microsoft Defender Exploit Guard","ASR: Block execution of potentially obfuscated scripts (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",5beb7efe-fd9a-4556-801d-275e5ffc04cc,,,,0,1,=,Medium 18.9.45.4.1.2.3.2,"Microsoft Defender Exploit Guard","ASR: Block execution of potentially obfuscated scripts",MpPreferenceAsr,5beb7efe-fd9a-4556-801d-275e5ffc04cc,,,,,,0,1,=,Medium -18.9.45.4.1.2.4.1,"Microsoft Defender Exploit Guard","ASR: Block Office applications from injecting into other processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84,,,,0,1,=,Medium -18.9.45.4.1.2.4.2,"Microsoft Defender Exploit Guard","ASR: Block Office applications from injecting into other processes",MpPreferenceAsr,75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84,,,,,,0,1,=,Medium +18.9.45.4.1.2.4.1,"Microsoft Defender Exploit Guard","ASR: Block Office applications from injecting code into other processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84,,,,0,1,=,Medium +18.9.45.4.1.2.4.2,"Microsoft Defender Exploit Guard","ASR: Block Office applications from injecting code into other processes",MpPreferenceAsr,75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84,,,,,,0,1,=,Medium 18.9.45.4.1.2.5.1,"Microsoft Defender Exploit Guard","ASR: Block Adobe Reader from creating child processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c,,,,0,1,=,Medium 18.9.45.4.1.2.5.2,"Microsoft Defender Exploit Guard","ASR: Block Adobe Reader from creating child processes",MpPreferenceAsr,7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c,,,,,,0,1,=,Medium -18.9.45.4.1.2.6.1,"Microsoft Defender Exploit Guard","ASR: Block Win32 imports from Macro code in Office (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b,,,,0,1,=,Medium -18.9.45.4.1.2.6.2,"Microsoft Defender Exploit Guard","ASR: Block Win32 imports from Macro code in Office",MpPreferenceAsr,92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b,,,,,,0,1,=,Medium +18.9.45.4.1.2.6.1,"Microsoft Defender Exploit Guard","ASR: Block Win32 API calls from Office macros (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b,,,,0,1,=,Medium +18.9.45.4.1.2.6.2,"Microsoft Defender Exploit Guard","ASR: Block Win32 API calls from Office macros",MpPreferenceAsr,92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b,,,,,,0,1,=,Medium 18.9.45.4.1.2.7.1,"Microsoft Defender Exploit Guard","ASR: Block credential stealing from the Windows local security authority subsystem (lsass.exe) (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2,,,,0,1,=,Medium 18.9.45.4.1.2.7.2,"Microsoft Defender Exploit Guard","ASR: Block credential stealing from the Windows local security authority subsystem (lsass.exe)",MpPreferenceAsr,9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2,,,,,,0,1,=,Medium 18.9.45.4.1.2.8.1,"Microsoft Defender Exploit Guard","ASR: Block untrusted and unsigned processes that run from USB (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4,,,,0,1,=,Medium @@ -491,8 +491,8 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 18.9.45.4.1.2.9.2,"Microsoft Defender Exploit Guard","ASR: Block executable content from email client and webmail",MpPreferenceAsr,be9ba2d9-53ea-4cdc-84e5-9b1eeee46550,,,,,,0,1,=,Medium 18.9.45.4.1.2.10.1,"Microsoft Defender Exploit Guard","ASR: Block JavaScript or VBScript from launching downloaded executable content (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",d3e037e1-3eb8-44c8-a917-57927947596d,,,,0,1,=,Medium 18.9.45.4.1.2.10.2,"Microsoft Defender Exploit Guard","ASR: Block JavaScript or VBScript from launching downloaded executable content",MpPreferenceAsr,d3e037e1-3eb8-44c8-a917-57927947596d,,,,,,0,1,=,Medium -18.9.45.4.1.2.11.1,"Microsoft Defender Exploit Guard","ASR: Block Office communication applications from creating child processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",26190899-1602-49e8-8b27-eb1d0a1ce869,,,,0,1,=,Medium -18.9.45.4.1.2.11.2,"Microsoft Defender Exploit Guard","ASR: Block Office communication applications from creating child processes",MpPreferenceAsr,26190899-1602-49e8-8b27-eb1d0a1ce869,,,,,,0,1,=,Medium +18.9.45.4.1.2.11.1,"Microsoft Defender Exploit Guard","ASR: Block Office communication application from creating child processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",26190899-1602-49e8-8b27-eb1d0a1ce869,,,,0,1,=,Medium +18.9.45.4.1.2.11.2,"Microsoft Defender Exploit Guard","ASR: Block Office communication application from creating child processes",MpPreferenceAsr,26190899-1602-49e8-8b27-eb1d0a1ce869,,,,,,0,1,=,Medium 18.9.45.4.3.1,"Microsoft Defender Exploit Guard","Network Protection: Prevent users and apps from accessing dangerous websites",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection",EnableNetworkProtection,,,,,1,=,Medium 18.9.45.5.1,"Microsoft Defender Antivirus","MpEngine: Enable file hash computation feature",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine",EnableFileHashComputation,,,,,1,=,Medium 18.9.45.8.1,"Microsoft Defender Antivirus","Real-time Protection: Turn on behavior monitoring (Policy)",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection",DisableBehaviorMonitoring,,,,0,0,=,Medium @@ -500,7 +500,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 18.9.45.11.1,"Microsoft Defender Antivirus","Scan: Scan removable drives",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Scan",DisableRemovableDriveScanning,,,,,0,=,Medium 18.9.45.11.2,"Microsoft Defender Antivirus","Scan: Turn on e-mail scanning",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Scan",DisableEmailScanning,,,,,0,=,Medium 18.9.45.14,"Microsoft Defender Antivirus","Configure detection for potentially unwanted applications",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender",PUAProtection,,,,0,1,=,Medium -18.9.45.15,"Microsoft Defender Antivirus","Turn off Windows Defender Antivirus",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender",DisableAntiSpyware,,,,0,0,=,Medium +18.9.45.15,"Microsoft Defender Antivirus","Turn off Microsoft Defender Antivirus",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender",DisableAntiSpyware,,,,0,0,=,Medium 18.9.46.1,"Microsoft Defender Application Guard","Allow auditing events in Microsoft Defender Application Guard",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\AppHVSI,AuditApplicationGuard,,,,,1,=,Medium 18.9.46.2,"Microsoft Defender Application Guard","Allow camera and microphone access in Microsoft Defender Application Guard",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\AppHVSI,AllowCameraMicrophoneRedirection,,,,,0,=,Medium 18.9.46.3,"Microsoft Defender Application Guard","Allow data persistence for Microsoft Defender Application Guard",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\AppHVSI,AllowPersistence,,,,,0,=,Medium @@ -570,14 +570,14 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 18.9.97.2.4,"Administrative Templates: Windows Components","WinRM Service: Disallow WinRM from storing RunAs credentials",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service,DisableRunAs,,,,0,1,=,Medium 18.9.98.1,"Administrative Templates: Windows Components","Windows Remote Shell: Allow Remote Shell Access",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service\WinRS,AllowRemoteShellAccess,,,,1,0,=,Medium 18.9.99.2.1,"Administrative Templates: Windows Components","App and browser protection: Prevent users from modifying settings",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection",DisallowExploitProtectionOverride,,,,,1,=,Medium -18.9.102.1.1.1,"Administrative Templates: Windows Components","Windows Update: Windows Update for Business: Manage preview builds (ManagePreviewBuilds)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,ManagePreviewBuilds,,,,,1,=,Medium -18.9.102.1.1.2,"Administrative Templates: Windows Components","Windows Update: Windows Update for Business: Manage preview builds (ManagePreviewBuildsPolicyValue)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,ManagePreviewBuildsPolicyValue,,,,,0,=,Medium -18.9.102.1.2.1,"Administrative Templates: Windows Components","Windows Update: Windows Update for Business: Select when Preview Builds and Feature Updates are received (DeferFeatureUpdates)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,DeferFeatureUpdates,,,,,1,=,Medium -18.9.102.1.2.2,"Administrative Templates: Windows Components","Windows Update: Windows Update for Business: Select when Preview Builds and Feature Updates are received (BranchReadinessLevel)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,BranchReadinessLevel,,,,,16,=,Medium -18.9.102.1.2.3,"Administrative Templates: Windows Components","Windows Update: Windows Update for Business: Select when Preview Builds and Feature Updates are received (DeferFeatureUpdatesPeriodInDays)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,DeferFeatureUpdatesPeriodInDays,,,,,180,>=,Medium -18.9.102.1.3.1,"Administrative Templates: Windows Components","Windows Update: Windows Update for Business: Select when Quality Updates are received (DeferQualityUpdates)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,DeferQualityUpdates,,,,,1,=,Medium -18.9.102.1.3.2,"Administrative Templates: Windows Components","Windows Update: Windows Update for Business: Select when Quality Updates are received (DeferQualityUpdatesPeriodInDays)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,DeferQualityUpdatesPeriodInDays,,,,,0,>=,Medium -18.9.102.2,"Administrative Templates: Windows Components","Windows Update: Configure Automatic Updates",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,NoAutoUpdate,,,,,0,>=,Medium -18.9.102.3,"Administrative Templates: Windows Components","Windows Update: Configure Automatic Updates: Scheduled install day",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,ScheduledInstallDay,,,,,0,>=,Medium -18.9.102.4,"Administrative Templates: Windows Components","Windows Update: No auto-restart with logged on users for scheduled automatic updates installations",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,NoAutoRebootWithLoggedOnUsers,,,,,0,>=,Medium -18.9.102.5,"Administrative Templates: Windows Components","Windows Update: Remove access to 'Pause updates' feature",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,SetDisablePauseUXAccess,,,,,1,>=,Medium +18.9.102.1.1.1,"Administrative Templates: Windows Components","Windows Update: Manage updates offered from Windows Update: Manage preview builds (ManagePreviewBuilds)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,ManagePreviewBuilds,,,,,1,=,Medium +18.9.102.1.1.2,"Administrative Templates: Windows Components","Windows Update: Manage updates offered from Windows Update: Manage preview builds (ManagePreviewBuildsPolicyValue)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,ManagePreviewBuildsPolicyValue,,,,,0,=,Medium +18.9.102.1.2.1,"Administrative Templates: Windows Components","Windows Update: Manage updates offered from Windows Update: Select when Preview Builds and Feature Updates are received (DeferFeatureUpdates)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,DeferFeatureUpdates,,,,,1,=,Medium +18.9.102.1.2.2,"Administrative Templates: Windows Components","Windows Update: Manage updates offered from Windows Update: Select when Preview Builds and Feature Updates are received (BranchReadinessLevel)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,BranchReadinessLevel,,,,,16,=,Medium +18.9.102.1.2.3,"Administrative Templates: Windows Components","Windows Update: Manage updates offered from Windows Update: Select when Preview Builds and Feature Updates are received (DeferFeatureUpdatesPeriodInDays)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,DeferFeatureUpdatesPeriodInDays,,,,,180,>=,Medium +18.9.102.1.3.1,"Administrative Templates: Windows Components","Windows Update: Manage updates offered from Windows Update: Select when Quality Updates are received (DeferQualityUpdates)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,DeferQualityUpdates,,,,,1,=,Medium +18.9.102.1.3.2,"Administrative Templates: Windows Components","Windows Update: Manage updates offered from Windows Update: Select when Quality Updates are received (DeferQualityUpdatesPeriodInDays)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,DeferQualityUpdatesPeriodInDays,,,,,0,>=,Medium +18.9.102.2,"Administrative Templates: Windows Components","Windows Update: Manage end user experience: Configure Automatic Updates",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,NoAutoUpdate,,,,,0,>=,Medium +18.9.102.3,"Administrative Templates: Windows Components","Windows Update: Manage end user experience: Configure Automatic Updates: Scheduled install day",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,ScheduledInstallDay,,,,,0,>=,Medium +18.9.102.4,"Administrative Templates: Windows Components","Windows Update: Legacy Policies: No auto-restart with logged on users for scheduled automatic updates installations",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,NoAutoRebootWithLoggedOnUsers,,,,,0,>=,Medium +18.9.102.5,"Administrative Templates: Windows Components","Windows Update: Manage end user experience: Remove access to 'Pause updates' feature",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,SetDisablePauseUXAccess,,,,,1,>=,Medium diff --git a/lists/finding_list_cis_microsoft_windows_10_enterprise_20h2_machine.csv b/lists/finding_list_cis_microsoft_windows_10_enterprise_20h2_machine.csv index 140c100..99e7161 100644 --- a/lists/finding_list_cis_microsoft_windows_10_enterprise_20h2_machine.csv +++ b/lists/finding_list_cis_microsoft_windows_10_enterprise_20h2_machine.csv @@ -90,8 +90,8 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 2.3.10.4,"Security Options","Network access: Do not allow storage of passwords and credentials for network authentication",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,DisableDomainCreds,,,,0,1,=,Medium 2.3.10.5,"Security Options","Network access: Let Everyone permissions apply to anonymous users",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,EveryoneIncludesAnonymous,,,,0,0,=,Medium 2.3.10.6,"Security Options","Network access: Named Pipes that can be accessed anonymously",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters,NullSessionPipes,,,,,,=,Medium -2.3.10.7,"Security Options","Network access: Remotely accessible registry paths",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths,Machine,,,,"System\CurrentControlSet\Control\ProductOptions System\CurrentControlSet\Control\Server Applications Software\Microsoft\Windows NT\CurrentVersion","System\CurrentControlSet\Control\ProductOptions System\CurrentControlSet\Control\Server Applications Software\Microsoft\Windows NT\CurrentVersion",=,Medium -2.3.10.8,"Security Options","Network access: Remotely accessible registry paths and sub-paths",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths,Machine,,,,"System\CurrentControlSet\Control\Print\Printers System\CurrentControlSet\Services\Eventlog Software\Microsoft\OLAP Server Software\Microsoft\Windows NT\CurrentVersion\Print Software\Microsoft\Windows NT\CurrentVersion\Windows System\CurrentControlSet\Control\ContentIndex System\CurrentControlSet\Control\Terminal Server System\CurrentControlSet\Control\Terminal Server\UserConfig System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration Software\Microsoft\Windows NT\CurrentVersion\Perflib System\CurrentControlSet\Services\SysmonLog","System\CurrentControlSet\Control\Print\Printers System\CurrentControlSet\Services\Eventlog Software\Microsoft\OLAP Server Software\Microsoft\Windows NT\CurrentVersion\Print Software\Microsoft\Windows NT\CurrentVersion\Windows System\CurrentControlSet\Control\ContentIndex System\CurrentControlSet\Control\Terminal Server System\CurrentControlSet\Control\Terminal Server\UserConfig System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration Software\Microsoft\Windows NT\CurrentVersion\Perflib System\CurrentControlSet\Services\SysmonLog",=,Medium +2.3.10.7,"Security Options","Network access: Remotely accessible registry paths",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths,Machine,,,,"System\CurrentControlSet\Control\ProductOptions System\CurrentControlSet\Control\Server Applications Software\Microsoft\Windows NT\CurrentVersion","System\CurrentControlSet\Control\ProductOptions;System\CurrentControlSet\Control\Server Applications;Software\Microsoft\Windows NT\CurrentVersion",=,Medium +2.3.10.8,"Security Options","Network access: Remotely accessible registry paths and sub-paths",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths,Machine,,,,"System\CurrentControlSet\Control\Print\Printers System\CurrentControlSet\Services\Eventlog Software\Microsoft\OLAP Server Software\Microsoft\Windows NT\CurrentVersion\Print Software\Microsoft\Windows NT\CurrentVersion\Windows System\CurrentControlSet\Control\ContentIndex System\CurrentControlSet\Control\Terminal Server System\CurrentControlSet\Control\Terminal Server\UserConfig System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration Software\Microsoft\Windows NT\CurrentVersion\Perflib System\CurrentControlSet\Services\SysmonLog","System\CurrentControlSet\Control\Print\Printers;System\CurrentControlSet\Services\Eventlog;Software\Microsoft\OLAP Server;Software\Microsoft\Windows NT\CurrentVersion\Print;Software\Microsoft\Windows NT\CurrentVersion\Windows;System\CurrentControlSet\Control\ContentIndex;System\CurrentControlSet\Control\Terminal Server;System\CurrentControlSet\Control\Terminal Server\UserConfig;System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration;Software\Microsoft\Windows NT\CurrentVersion\Perflib;System\CurrentControlSet\Services\SysmonLog",=,Medium 2.3.10.9,"Security Options","Network access: Restrict anonymous access to Named Pipes and Shares",Registry,,HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters,RestrictNullSessAccess,,,,1,1,=,Medium 2.3.10.10,"Security Options","Network access: Restrict clients allowed to make remote calls to SAM",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,RestrictRemoteSAM,,,,,O:BAG:BAD:(A;;RC;;;BA),=,Medium 2.3.10.11,"Security Options","Network access: Shares that can be accessed anonymously",Registry,,HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters,NullSessionShares,,,,,,=,Medium @@ -223,7 +223,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 9.2.8,"Windows Firewall","Log successful connections (Private Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging,LogSuccessfulConnections,,,,0,1,=,Low 9.3.1,"Windows Firewall","EnableFirewall (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile,EnableFirewall,,,,0,1,=,Medium 9.3.2,"Windows Firewall","Inbound Connections (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile,DefaultInboundAction,,,,1,1,=,Medium -9.3.3,"Windows Firewall","Outbound Connections (Private Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile,DefaultOutboundAction,,,,0,0,=,Medium +9.3.3,"Windows Firewall","Outbound Connections (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile,DefaultOutboundAction,,,,0,0,=,Medium 9.3.4,"Windows Firewall","Display a notification (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile,DisableNotifications,,,,0,1,=,Low 9.3.5,"Windows Firewall","Apply local firewall rules (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile,AllowLocalPolicyMerge,,,,0,0,=,Low 9.3.6,"Windows Firewall","Apply local connection security rules (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile,AllowLocalIPsecPolicyMerge,,,,0,0,=,Low @@ -259,7 +259,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 17.9.4,"Advanced Audit Policy Configuration","Security System Extension",auditpol,{0CCE9211-69AE-11D9-BED3-505054503030},,,,,,"No Auditing",Success,contains,Low 17.9.5,"Advanced Audit Policy Configuration","System Integrity",auditpol,{0CCE9212-69AE-11D9-BED3-505054503030},,,,,,"Success and Failure","Success and Failure",=,Low 18.1.1.1,"Administrative Templates: Control Panel","Personalization: Prevent enabling lock screen camera",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Personalization,NoLockScreenCamera,,,,0,1,=,Low -18.1.1.2,"Administrative Templates: Control Panel","Personalization: Prevent enabling lock screen slide",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Personalization,NoLockScreenSlideshow,,,,0,1,=,Low +18.1.1.2,"Administrative Templates: Control Panel","Personalization: Prevent enabling lock screen slide show",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Personalization,NoLockScreenSlideshow,,,,0,1,=,Low 18.1.2.2,"Administrative Templates: Control Panel","Regional and Language Options: Allow users to enable online speech recognition services",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\InputPersonalization,AllowInputPersonalization,,,,1,0,=,Medium 18.1.3,"Administrative Templates: Control Panel","Allow Online Tips",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer,AllowOnlineTips,,,,1,0,=,Medium 18.2.1,"Administrative Templates: LAPS","LAPS AdmPwd GPO Extension / CSE",Registry,,"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA}",DllName,,,,,"C:\Program Files\LAPS\CSE\AdmPwd.dll",=,Medium @@ -378,7 +378,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 18.8.37.2,"Administrative Templates: System","Remote Procedure Call: Restrict Unauthenticated RPC clients",Registry,,"HKLM:\Software\Policies\Microsoft\Windows NT\Rpc",RestrictRemoteClients,,,,0,1,=,Medium 18.8.47.5.1,"Administrative Templates: System","Troubleshooting and Diagnostics: Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy,DisableQueryRemoteServer,,,,1,0,=,Medium 18.8.47.11.1,"Administrative Templates: System","Windows Performance PerfTrack: Enable/Disable PerfTrack",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d},ScenarioExecutionEnabled,,,,1,0,=,Medium -18.8.49.1,"Administrative Templates: System","User Profiles: Turn of the advertising ID",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo,DisabledByGroupPolicy,,,,0,1,=,Medium +18.8.49.1,"Administrative Templates: System","User Profiles: Turn off the advertising ID",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo,DisabledByGroupPolicy,,,,0,1,=,Medium 18.8.52.1.1,"Administrative Templates: System","Time Providers: Enable Windows NTP Client",Registry,,HKLM:\Software\Policies\Microsoft\W32time\TimeProviders\NtpClient,Enabled,,,,0,1,=,Medium 18.8.52.1.2,"Administrative Templates: System","Time Providers: Enable Windows NTP Server",Registry,,HKLM:\Software\Policies\Microsoft\W32time\TimeProviders\NtpServer,Enabled,,,,0,0,=,Medium 18.9.4.1,"Administrative Templates: Windows Components","App Package Deployment: Allow a Windows app to share application data between users",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\AppModel\StateManager,AllowSharedLocalAppData,,,,1,0,=,Medium @@ -449,19 +449,19 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 18.9.15.1,"Administrative Templates: Windows Components","Credential User Interface: Do not display the password reveal button",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CredUI,DisablePasswordReveal,,,,0,1,=,Medium 18.9.15.2,"Administrative Templates: Windows Components","Credential User Interface: Enumerate administrator accounts on elevation",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI,EnumerateAdministrators,,,,1,0,=,Medium 18.9.15.3,"Administrative Templates: Windows Components","Credential User Interface: Prevent the use of security questions for local accounts",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,NoLocalPasswordResetQuestions,,,,0,1,=,Medium -18.9.16.1,"Administrative Templates: Windows Components","Data Collection and Preview Builds: Allow Telemetry",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DataCollection,AllowTelemetry,,,,2,1,<=,Medium +18.9.16.1,"Administrative Templates: Windows Components","Data Collection and Preview Builds: Allow Diagnostic Data",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DataCollection,AllowTelemetry,,,,2,1,<=,Medium 18.9.16.2,"Administrative Templates: Windows Components","Data Collection and Preview Builds: Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DataCollection,DisableEnterpriseAuthProxy,,,,0,1,=,Medium 18.9.16.3,"Administrative Templates: Windows Components","Data Collection and Preview Builds: Do not show feedback notifications",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DataCollection,DoNotShowFeedbackNotifications,,,,0,1,=,Medium 18.9.16.4,"Administrative Templates: Windows Components","Data Collection and Preview Builds: Toggle user control over Insider builds",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds,AllowBuildPreview,,,,1,0,=,Medium 18.9.17.1,"Administrative Templates: Windows Components","Delivery Optimization: Download Mode",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization,DODownloadMode,,,,1,2,=,Medium 18.9.26.1.1,"Administrative Templates: Windows Components","Event Log Service: Application: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Application,Retention,,,,,0,=,Medium -18.9.26.1.2,"Administrative Templates: Windows Components","Event Log Service: Specify the maximum Application log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Application,MaxSize,,,,4096,32768,>=,Medium +18.9.26.1.2,"Administrative Templates: Windows Components","Event Log Service: Application: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Application,MaxSize,,,,4096,32768,>=,Medium 18.9.26.2.1,"Administrative Templates: Windows Components","Event Log Service: Security: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Security,Retention,,,,,0,=,Medium -18.9.26.2.2,"Administrative Templates: Windows Components","Event Log Service: Specify the maximum Security log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Security,MaxSize,,,,4096,196608,>=,Medium +18.9.26.2.2,"Administrative Templates: Windows Components","Event Log Service: Security: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Security,MaxSize,,,,4096,196608,>=,Medium 18.9.26.3.1,"Administrative Templates: Windows Components","Event Log Service: Setup: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Setup,Retention,,,,,0,=,Medium 18.9.26.3.2,"Administrative Templates: Windows Components","Event Log Service: Setup: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Setup,MaxSize,,,,4096,32768,>=,Medium 18.9.26.4.1,"Administrative Templates: Windows Components","Event Log Service: System: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\System,Retention,,,,,0,=,Medium -18.9.26.4.2,"Administrative Templates: Windows Components","Event Log Service: Specify the maximum System log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\System,MaxSize,,,,4096,32768,>=,Medium +18.9.26.4.2,"Administrative Templates: Windows Components","Event Log Service: System: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\System,MaxSize,,,,4096,32768,>=,Medium 18.9.30.2,"Administrative Templates: Windows Components","File Explorer: Turn off Data Execution Prevention for Explorer",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer,NoDataExecutionPrevention,,,,,0,=,Medium 18.9.30.3,"Administrative Templates: Windows Components","File Explorer: Turn off heap termination on corruption",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer,NoHeapTerminationOnCorruption,,,,,0,=,Medium 18.9.30.4,"Administrative Templates: Windows Components","File Explorer: Turn off shell protocol protected mode",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer,PreXPSP2ShellProtocolBehavior,,,,,0,=,Medium @@ -472,18 +472,18 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 18.9.45.3.1,"Microsoft Defender Antivirus","MAPS: Configure local setting override for reporting to Microsoft MAPS",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet",LocalSettingOverrideSpynetReporting,,,,,0,=,Medium 18.9.45.3.2,"Microsoft Defender Antivirus","MAPS: Join Microsoft MAPS",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet",SpynetReporting,,,,,0,=|0,Medium 18.9.45.4.1.1,"Microsoft Defender Exploit Guard","Attack Surface Reduction rules",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR",ExploitGuard_ASR_Rules,,,,0,1,=,Medium -18.9.45.4.1.2.1.1,"Microsoft Defender Exploit Guard","ASR: Block Office applications from creating child processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",d4f940ab-401b-4efc-aadc-ad5f3c50688a,,,,0,1,=,Medium -18.9.45.4.1.2.1.2,"Microsoft Defender Exploit Guard","ASR: Block Office applications from creating child processes",MpPreferenceAsr,d4f940ab-401b-4efc-aadc-ad5f3c50688a,,,,,,0,1,=,Medium +18.9.45.4.1.2.1.1,"Microsoft Defender Exploit Guard","ASR: Block all Office applications from creating child processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",d4f940ab-401b-4efc-aadc-ad5f3c50688a,,,,0,1,=,Medium +18.9.45.4.1.2.1.2,"Microsoft Defender Exploit Guard","ASR: Block all Office applications from creating child processes",MpPreferenceAsr,d4f940ab-401b-4efc-aadc-ad5f3c50688a,,,,,,0,1,=,Medium 18.9.45.4.1.2.2.1,"Microsoft Defender Exploit Guard","ASR: Block Office applications from creating executable content (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",3b576869-a4ec-4529-8536-b80a7769e899,,,,0,1,=,Medium 18.9.45.4.1.2.2.2,"Microsoft Defender Exploit Guard","ASR: Block Office applications from creating executable content",MpPreferenceAsr,3b576869-a4ec-4529-8536-b80a7769e899,,,,,,0,1,=,Medium 18.9.45.4.1.2.3.1,"Microsoft Defender Exploit Guard","ASR: Block execution of potentially obfuscated scripts (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",5beb7efe-fd9a-4556-801d-275e5ffc04cc,,,,0,1,=,Medium 18.9.45.4.1.2.3.2,"Microsoft Defender Exploit Guard","ASR: Block execution of potentially obfuscated scripts",MpPreferenceAsr,5beb7efe-fd9a-4556-801d-275e5ffc04cc,,,,,,0,1,=,Medium -18.9.45.4.1.2.4.1,"Microsoft Defender Exploit Guard","ASR: Block Office applications from injecting into other processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84,,,,0,1,=,Medium -18.9.45.4.1.2.4.2,"Microsoft Defender Exploit Guard","ASR: Block Office applications from injecting into other processes",MpPreferenceAsr,75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84,,,,,,0,1,=,Medium +18.9.45.4.1.2.4.1,"Microsoft Defender Exploit Guard","ASR: Block Office applications from injecting code into other processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84,,,,0,1,=,Medium +18.9.45.4.1.2.4.2,"Microsoft Defender Exploit Guard","ASR: Block Office applications from injecting code into other processes",MpPreferenceAsr,75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84,,,,,,0,1,=,Medium 18.9.45.4.1.2.5.1,"Microsoft Defender Exploit Guard","ASR: Block Adobe Reader from creating child processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c,,,,0,1,=,Medium 18.9.45.4.1.2.5.2,"Microsoft Defender Exploit Guard","ASR: Block Adobe Reader from creating child processes",MpPreferenceAsr,7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c,,,,,,0,1,=,Medium -18.9.45.4.1.2.6.1,"Microsoft Defender Exploit Guard","ASR: Block Win32 imports from Macro code in Office (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b,,,,0,1,=,Medium -18.9.45.4.1.2.6.2,"Microsoft Defender Exploit Guard","ASR: Block Win32 imports from Macro code in Office",MpPreferenceAsr,92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b,,,,,,0,1,=,Medium +18.9.45.4.1.2.6.1,"Microsoft Defender Exploit Guard","ASR: Block Win32 API calls from Office macros (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b,,,,0,1,=,Medium +18.9.45.4.1.2.6.2,"Microsoft Defender Exploit Guard","ASR: Block Win32 API calls from Office macros",MpPreferenceAsr,92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b,,,,,,0,1,=,Medium 18.9.45.4.1.2.7.1,"Microsoft Defender Exploit Guard","ASR: Block credential stealing from the Windows local security authority subsystem (lsass.exe) (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2,,,,0,1,=,Medium 18.9.45.4.1.2.7.2,"Microsoft Defender Exploit Guard","ASR: Block credential stealing from the Windows local security authority subsystem (lsass.exe)",MpPreferenceAsr,9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2,,,,,,0,1,=,Medium 18.9.45.4.1.2.8.1,"Microsoft Defender Exploit Guard","ASR: Block untrusted and unsigned processes that run from USB (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4,,,,0,1,=,Medium @@ -492,8 +492,8 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 18.9.45.4.1.2.9.2,"Microsoft Defender Exploit Guard","ASR: Block executable content from email client and webmail",MpPreferenceAsr,be9ba2d9-53ea-4cdc-84e5-9b1eeee46550,,,,,,0,1,=,Medium 18.9.45.4.1.2.10.1,"Microsoft Defender Exploit Guard","ASR: Block JavaScript or VBScript from launching downloaded executable content (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",d3e037e1-3eb8-44c8-a917-57927947596d,,,,0,1,=,Medium 18.9.45.4.1.2.10.2,"Microsoft Defender Exploit Guard","ASR: Block JavaScript or VBScript from launching downloaded executable content",MpPreferenceAsr,d3e037e1-3eb8-44c8-a917-57927947596d,,,,,,0,1,=,Medium -18.9.45.4.1.2.11.1,"Microsoft Defender Exploit Guard","ASR: Block Office communication applications from creating child processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",26190899-1602-49e8-8b27-eb1d0a1ce869,,,,0,1,=,Medium -18.9.45.4.1.2.11.2,"Microsoft Defender Exploit Guard","ASR: Block Office communication applications from creating child processes",MpPreferenceAsr,26190899-1602-49e8-8b27-eb1d0a1ce869,,,,,,0,1,=,Medium +18.9.45.4.1.2.11.1,"Microsoft Defender Exploit Guard","ASR: Block Office communication application from creating child processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",26190899-1602-49e8-8b27-eb1d0a1ce869,,,,0,1,=,Medium +18.9.45.4.1.2.11.2,"Microsoft Defender Exploit Guard","ASR: Block Office communication application from creating child processes",MpPreferenceAsr,26190899-1602-49e8-8b27-eb1d0a1ce869,,,,,,0,1,=,Medium 18.9.45.4.1.2.12.1,"Microsoft Defender Exploit Guard","ASR: Block persistence through WMI event subscription (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",e6db77e5-3df2-4cf1-b95a-636979351e5b,,,,0,1,=,Medium 18.9.45.4.1.2.12.1,"Microsoft Defender Exploit Guard","ASR: Block persistence through WMI event subscription",MpPreferenceAsr,e6db77e5-3df2-4cf1-b95a-636979351e5b,,,,,,0,1,=,Medium 18.9.45.4.3.1,"Microsoft Defender Exploit Guard","Network Protection: Prevent users and apps from accessing dangerous websites",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection",EnableNetworkProtection,,,,,1,=,Medium @@ -505,7 +505,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 18.9.45.11.1,"Microsoft Defender Antivirus","Scan: Scan removable drives",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Scan",DisableRemovableDriveScanning,,,,,0,=,Medium 18.9.45.11.2,"Microsoft Defender Antivirus","Scan: Turn on e-mail scanning",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Scan",DisableEmailScanning,,,,,0,=,Medium 18.9.45.14,"Microsoft Defender Antivirus","Configure detection for potentially unwanted applications",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender",PUAProtection,,,,0,1,=,Medium -18.9.45.15,"Microsoft Defender Antivirus","Turn off Windows Defender Antivirus",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender",DisableAntiSpyware,,,,0,0,=,Medium +18.9.45.15,"Microsoft Defender Antivirus","Turn off Microsoft Defender Antivirus",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender",DisableAntiSpyware,,,,0,0,=,Medium 18.9.46.1,"Microsoft Defender Application Guard","Allow auditing events in Microsoft Defender Application Guard",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\AppHVSI,AuditApplicationGuard,,,,,1,=,Medium 18.9.46.2,"Microsoft Defender Application Guard","Allow camera and microphone access in Microsoft Defender Application Guard",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\AppHVSI,AllowCameraMicrophoneRedirection,,,,,0,=,Medium 18.9.46.3,"Microsoft Defender Application Guard","Allow data persistence for Microsoft Defender Application Guard",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\AppHVSI,AllowPersistence,,,,,0,=,Medium @@ -575,14 +575,14 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 18.9.97.2.4,"Administrative Templates: Windows Components","WinRM Service: Disallow WinRM from storing RunAs credentials",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service,DisableRunAs,,,,0,1,=,Medium 18.9.98.1,"Administrative Templates: Windows Components","Windows Remote Shell: Allow Remote Shell Access",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service\WinRS,AllowRemoteShellAccess,,,,1,0,=,Medium 18.9.99.2.1,"Administrative Templates: Windows Components","App and browser protection: Prevent users from modifying settings",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection",DisallowExploitProtectionOverride,,,,,1,=,Medium -18.9.102.1.1.1,"Administrative Templates: Windows Components","Windows Update: Windows Update for Business: Manage preview builds (ManagePreviewBuilds)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,ManagePreviewBuilds,,,,,1,=,Medium -18.9.102.1.1.2,"Administrative Templates: Windows Components","Windows Update: Windows Update for Business: Manage preview builds (ManagePreviewBuildsPolicyValue)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,ManagePreviewBuildsPolicyValue,,,,,0,=,Medium -18.9.102.1.2.1,"Administrative Templates: Windows Components","Windows Update: Windows Update for Business: Select when Preview Builds and Feature Updates are received (DeferFeatureUpdates)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,DeferFeatureUpdates,,,,,1,=,Medium -18.9.102.1.2.2,"Administrative Templates: Windows Components","Windows Update: Windows Update for Business: Select when Preview Builds and Feature Updates are received (BranchReadinessLevel)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,BranchReadinessLevel,,,,,16,=,Medium -18.9.102.1.2.3,"Administrative Templates: Windows Components","Windows Update: Windows Update for Business: Select when Preview Builds and Feature Updates are received (DeferFeatureUpdatesPeriodInDays)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,DeferFeatureUpdatesPeriodInDays,,,,,180,>=,Medium -18.9.102.1.3.1,"Administrative Templates: Windows Components","Windows Update: Windows Update for Business: Select when Quality Updates are received (DeferQualityUpdates)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,DeferQualityUpdates,,,,,1,=,Medium -18.9.102.1.3.2,"Administrative Templates: Windows Components","Windows Update: Windows Update for Business: Select when Quality Updates are received (DeferQualityUpdatesPeriodInDays)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,DeferQualityUpdatesPeriodInDays,,,,,0,>=,Medium -18.9.102.2,"Administrative Templates: Windows Components","Windows Update: Configure Automatic Updates",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,NoAutoUpdate,,,,,0,>=,Medium -18.9.102.3,"Administrative Templates: Windows Components","Windows Update: Configure Automatic Updates: Scheduled install day",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,ScheduledInstallDay,,,,,0,>=,Medium -18.9.102.4,"Administrative Templates: Windows Components","Windows Update: No auto-restart with logged on users for scheduled automatic updates installations",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,NoAutoRebootWithLoggedOnUsers,,,,,0,>=,Medium -18.9.102.5,"Administrative Templates: Windows Components","Windows Update: Remove access to 'Pause updates' feature",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,SetDisablePauseUXAccess,,,,,1,>=,Medium +18.9.102.1.1.1,"Administrative Templates: Windows Components","Windows Update: Manage updates offered from Windows Update: Manage preview builds (ManagePreviewBuilds)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,ManagePreviewBuilds,,,,,1,=,Medium +18.9.102.1.1.2,"Administrative Templates: Windows Components","Windows Update: Manage updates offered from Windows Update: Manage preview builds (ManagePreviewBuildsPolicyValue)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,ManagePreviewBuildsPolicyValue,,,,,0,=,Medium +18.9.102.1.2.1,"Administrative Templates: Windows Components","Windows Update: Manage updates offered from Windows Update: Select when Preview Builds and Feature Updates are received (DeferFeatureUpdates)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,DeferFeatureUpdates,,,,,1,=,Medium +18.9.102.1.2.2,"Administrative Templates: Windows Components","Windows Update: Manage updates offered from Windows Update: Select when Preview Builds and Feature Updates are received (BranchReadinessLevel)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,BranchReadinessLevel,,,,,16,=,Medium +18.9.102.1.2.3,"Administrative Templates: Windows Components","Windows Update: Manage updates offered from Windows Update: Select when Preview Builds and Feature Updates are received (DeferFeatureUpdatesPeriodInDays)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,DeferFeatureUpdatesPeriodInDays,,,,,180,>=,Medium +18.9.102.1.3.1,"Administrative Templates: Windows Components","Windows Update: Manage updates offered from Windows Update: Select when Quality Updates are received (DeferQualityUpdates)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,DeferQualityUpdates,,,,,1,=,Medium +18.9.102.1.3.2,"Administrative Templates: Windows Components","Windows Update: Manage updates offered from Windows Update: Select when Quality Updates are received (DeferQualityUpdatesPeriodInDays)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,DeferQualityUpdatesPeriodInDays,,,,,0,>=,Medium +18.9.102.2,"Administrative Templates: Windows Components","Windows Update: Manage end user experience: Configure Automatic Updates",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,NoAutoUpdate,,,,,0,>=,Medium +18.9.102.3,"Administrative Templates: Windows Components","Windows Update: Manage end user experience: Configure Automatic Updates: Scheduled install day",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,ScheduledInstallDay,,,,,0,>=,Medium +18.9.102.4,"Administrative Templates: Windows Components","Windows Update: Legacy Policies: No auto-restart with logged on users for scheduled automatic updates installations",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,NoAutoRebootWithLoggedOnUsers,,,,,0,>=,Medium +18.9.102.5,"Administrative Templates: Windows Components","Windows Update: Manage end user experience: Remove access to 'Pause updates' feature",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,SetDisablePauseUXAccess,,,,,1,>=,Medium diff --git a/lists/finding_list_cis_microsoft_windows_10_enterprise_21h1_machine.csv b/lists/finding_list_cis_microsoft_windows_10_enterprise_21h1_machine.csv new file mode 100644 index 0000000..9dfb37f --- /dev/null +++ b/lists/finding_list_cis_microsoft_windows_10_enterprise_21h1_machine.csv @@ -0,0 +1,567 @@ +ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Namespace,Property,DefaultValue,RecommendedValue,Operator,Severity +1.1.1,"Account Policies","Length of password history maintained",accountpolicy,,,,,,,None,24,>=,Low +1.1.2,"Account Policies","Maximum password age",accountpolicy,,,,,,,42,60,<=!0,Low +1.1.3,"Account Policies","Minimum password age",accountpolicy,,,,,,,0,1,>=,Low +1.1.4,"Account Policies","Minimum password length",accountpolicy,,,,,,,0,14,>=,Medium +1.1.5,"Account Policies","Password must meet complexity requirements",secedit,"System Access\PasswordComplexity",,,,,,0,1,=,Medium +1.1.6,"Account Policies","Relax minimum password length limits",Registry,,HKLM:\System\CurrentControlSet\Control\SAM,RelaxMinimumPasswordLengthLimits,,,,0,1,=,Medium +1.1.7,"Account Policies","Store passwords using reversible encryption",secedit,"System Access\ClearTextPassword",,,,,,0,0,=,High +1.2.1,"Account Policies","Account lockout duration",accountpolicy,,,,,,,30,15,>=,Low +1.2.2,"Account Policies","Account lockout threshold",accountpolicy,,,,,,,Never,5,<=!0,Low +1.2.3,"Account Policies","Reset account lockout counter",accountpolicy,,,,,,,30,15,>=,Low +2.2.1,"User Rights Assignment","Access Credential Manager as a trusted caller",accesschk,SeTrustedCredManAccessPrivilege,,,,,,,,=,Medium +2.2.2,"User Rights Assignment","Access this computer from the network",accesschk,SeNetworkLogonRight,,,,,,"BUILTIN\Backup Operators;BUILTIN\Users;BUILTIN\Administrators;Everyone","BUILTIN\Remote Desktop Users;BUILTIN\Administrators",=,Medium +2.2.3,"User Rights Assignment","Act as part of the operating system",accesschk,SeTcbPrivilege,,,,,,,,=,Medium +2.2.4,"User Rights Assignment","Adjust memory quotas for a process",accesschk,SeIncreaseQuotaPrivilege,,,,,,"BUILTIN\Administrators;NT AUTHORITY\NETWORK SERVICE;NT AUTHORITY\LOCAL SERVICE","BUILTIN\Administrators;NT AUTHORITY\NETWORK SERVICE;NT AUTHORITY\LOCAL SERVICE",=,Medium +2.2.5,"User Rights Assignment","Allow log on locally",accesschk,SeInteractiveLogonRight,,,,,,"BUILTIN\Backup Operators;BUILTIN\Users;BUILTIN\Administrators;COMPUTERNAME\Guest",BUILTIN\Users;BUILTIN\Administrators,=,Medium +2.2.6,"User Rights Assignment","Allow log on through Remote Desktop Services",accesschk,SeRemoteInteractiveLogonRight,,,,,,"BUILTIN\Remote Desktop Users;BUILTIN\Administrators","BUILTIN\Remote Desktop Users;BUILTIN\Administrators",=,Medium +2.2.7,"User Rights Assignment","Back up files and directories",accesschk,SeBackupPrivilege,,,,,,"BUILTIN\Administrators;BUILTIN\Backup Operators",BUILTIN\Administrators,=,Medium +2.2.8,"User Rights Assignment","Change the system time",accesschk,SeSystemTimePrivilege,,,,,,"BUILTIN\Administrators;NT AUTHORITY\LOCAL SERVICE","BUILTIN\Administrators;NT AUTHORITY\LOCAL SERVICE",=,Medium +2.2.9,"User Rights Assignment","Change the time zone",accesschk,SeTimeZonePrivilege,,,,,,"BUILTIN\Device Owners;BUILTIN\Users;BUILTIN\Administrators;NT AUTHORITY\LOCAL SERVICE","BUILTIN\Users;BUILTIN\Administrators;NT AUTHORITY\LOCAL SERVICE",=,Medium +2.2.10,"User Rights Assignment","Create a pagefile",accesschk,SeCreatePagefilePrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium +2.2.11,"User Rights Assignment","Create a token object",accesschk,SeCreateTokenPrivilege,,,,,,,,=,Medium +2.2.12,"User Rights Assignment","Create global objects",accesschk,SeCreateGlobalPrivilege,,,,,,"NT AUTHORITY\SERVICE;BUILTIN\Administrators;NT AUTHORITY\NETWORK SERVICE;NT AUTHORITY\LOCAL SERVICE","NT AUTHORITY\SERVICE;BUILTIN\Administrators;NT AUTHORITY\NETWORK SERVICE;NT AUTHORITY\LOCAL SERVICE",=,Medium +2.2.13,"User Rights Assignment","Create permanent shared objects",accesschk,SeCreatePermanentPrivilege,,,,,,,,=,Medium +2.2.14.1,"User Rights Assignment","Create symbolic links",accesschk,SeCreateSymbolicLinkPrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium +2.2.14.2,"User Rights Assignment","Create symbolic links (Hyper-V)",accesschk,SeCreateSymbolicLinkPrivilege,,,,,,S-1-5-83-0;BUILTIN\Administrators,"NT VIRTUAL MACHINE\Virtual Machines;BUILTIN\Administrators",=,Medium +2.2.15,"User Rights Assignment","Debug programs",accesschk,SeDebugPrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium +2.2.16,"User Rights Assignment","Deny access to this computer from the network",accesschk,SeDenyNetworkLogonRight,,,,,,COMPUTERNAME\Guest,"Guest;NT AUTHORITY\Local account",=,Medium +2.2.17,"User Rights Assignment","Deny log on as a batch job",accesschk,SeDenyBatchLogonRight,,,,,,,BUILTIN\Guests,=,Medium +2.2.18,"User Rights Assignment","Deny log on as a service",accesschk,SeDenyServiceLogonRight,,,,,,,BUILTIN\Guests,=,Medium +2.2.19,"User Rights Assignment","Deny log on locally",accesschk,SeDenyInteractiveLogonRight,,,,,,BUILTIN\Guests,BUILTIN\Guests,=,Medium +2.2.20,"User Rights Assignment","Deny log on through Remote Desktop Services",accesschk,SeDenyRemoteInteractiveLogonRight,,,,,,,"BUILTIN\Guests;NT AUTHORITY\Local account",=,Medium +2.2.21,"User Rights Assignment","Enable computer and user accounts to be trusted for delegation",accesschk,SeEnableDelegationPrivilege,,,,,,,,=,Medium +2.2.22,"User Rights Assignment","Force shutdown from a remote system",accesschk,SeRemoteShutdownPrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium +2.2.23,"User Rights Assignment","Generate security audits",accesschk,SeAuditPrivilege,,,,,,"NT AUTHORITY\NETWORK SERVICE;NT AUTHORITY\LOCAL SERVICE","NT AUTHORITY\NETWORK SERVICE;NT AUTHORITY\LOCAL SERVICE",=,Medium +2.2.24,"User Rights Assignment","Impersonate a client after authentication",accesschk,SeImpersonatePrivilege,,,,,,"NT AUTHORITY\SERVICE;BUILTIN\Administrators;NT AUTHORITY\NETWORK SERVICE;NT AUTHORITY\LOCAL SERVICE","NT AUTHORITY\SERVICE;BUILTIN\Administrators;NT AUTHORITY\NETWORK SERVICE;NT AUTHORITY\LOCAL SERVICE",=,Medium +2.2.25,"User Rights Assignment","Increase scheduling priority",accesschk,SeIncreaseBasePriorityPrivilege,,,,,,"Window Manager\Window Manager Group;BUILTIN\Administrators","Window Manager\Window Manager Group;BUILTIN\Administrators",=,Medium +2.2.26,"User Rights Assignment","Load and unload device drivers",accesschk,SeLoadDriverPrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium +2.2.27,"User Rights Assignment","Lock pages in memory",accesschk,SeLockMemoryPrivilege,,,,,,,,=,Medium +2.2.28,"User Rights Assignment","Log on as a batch job",accesschk,SeBatchLogonRight,,,,,,"BUILTIN\Performance Log Users;BUILTIN\Backup Operators;BUILTIN\Administrators",BUILTIN\Administrators,=,Medium +2.2.29.1,"User Rights Assignment","Log on as a service",accesschk,SeServiceLogonRight,,,,,,"NT SERVICE\ALL SERVICES;NT AUTHORITY\NETWORK SERVICE",,=,Medium +2.2.29.2,"User Rights Assignment","Log on as a service (Hyper-V)",accesschk,SeServiceLogonRight,,,,,,"S-1-5-83-0;NT SERVICE\ALL SERVICES;NT AUTHORITY\NETWORK SERVICE","NT VIRTUAL MACHINE\Virtual Machines",=,Medium +2.2.30,"User Rights Assignment","Manage auditing and security log",accesschk,SeSecurityPrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium +2.2.31,"User Rights Assignment","Modify an object label",accesschk,SeReLabelPrivilege,,,,,,,,=,Medium +2.2.32,"User Rights Assignment","Modify firmware environment values",accesschk,SeSystemEnvironmentPrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium +2.2.33,"User Rights Assignment","Perform volume maintenance tasks",accesschk,SeManageVolumePrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium +2.2.34,"User Rights Assignment","Profile single process",accesschk,SeProfileSingleProcessPrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium +2.2.35,"User Rights Assignment","Profile system performance",accesschk,SeSystemProfilePrivilege,,,,,,"NT SERVICE\WdiServiceHost;BUILTIN\Administrators","NT SERVICE\WdiServiceHost;BUILTIN\Administrators",=,Medium +2.2.36,"User Rights Assignment","Replace a process level token",accesschk,SeAssignPrimaryTokenPrivilege,,,,,,"NT AUTHORITY\NETWORK SERVICE;NT AUTHORITY\LOCAL SERVICE","NT AUTHORITY\NETWORK SERVICE;NT AUTHORITY\LOCAL SERVICE",=,Medium +2.2.37,"User Rights Assignment","Restore files and directories",accesschk,SeRestorePrivilege,,,,,,"BUILTIN\Backup Operators;BUILTIN\Administrators",BUILTIN\Administrators,=,Medium +2.2.38,"User Rights Assignment","Shut down the system",accesschk,SeShutdownPrivilege,,,,,,"BUILTIN\Backup Operators;BUILTIN\Users;BUILTIN\Administrators",BUILTIN\Users;BUILTIN\Administrators,=,Medium +2.2.39,"User Rights Assignment","Take ownership of files or other objects",accesschk,SeTakeOwnershipPrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium +2.3.1.1,"Security Options","Accounts: Administrator account status",localaccount,500,,,,,,False,False,=,Medium +2.3.1.2,"Security Options","Accounts: Block Microsoft accounts",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,NoConnectedUser,,,,0,3,=,Low +2.3.1.3,"Security Options","Accounts: Guest account status",localaccount,501,,,,,,False,False,=,Medium +2.3.1.4,"Security Options","Accounts: Limit local account use of blank passwords to console logon only",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,LimitBlankPasswordUse,,,,1,1,=,Medium +2.3.1.5,"Security Options","Accounts: Rename administrator account",localaccount,500,,,,,,Administrator,Administrator,!=,Low +2.3.1.6,"Security Options","Accounts: Rename guest account",localaccount,501,,,,,,Guest,Guest,!=,Low +2.3.2.1,"Security Options","Audit: Force audit policy subcategory settings to override audit policy category settings",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,SCENoApplyLegacyAuditPolicy,,,,"",1,=,Low +2.3.2.2,"Security Options","Audit: Shut down system immediately if unable to log security audits",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\Lsa,CrashOnAuditFail,,,,0,0,=,Low +2.3.4.1,"Security Options","Devices: Allowed to format and eject removable media",Registry,,"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",AllocateDASD,,,,,2,=,Medium +2.3.4.2,"Security Options","Devices: Prevent users from installing printer drivers",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers",AddPrinterDrivers,,,,0,1,=,Medium +2.3.6.1,"Security Options","Domain member: Digitally encrypt or sign secure channel data (always)",Registry,,HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters,RequireSignOrSeal,,,,1,1,=,Medium +2.3.6.2,"Security Options","Domain member: Digitally encrypt secure channel data (when possible)",Registry,,HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters,SealSecureChannel,,,,1,1,=,Medium +2.3.6.3,"Security Options","Domain member: Digitally sign secure channel data (when possible)",Registry,,HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters,SignSecureChannel,,,,1,1,=,Medium +2.3.6.4,"Security Options","Domain member: Disable machine account password changes",Registry,,HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters,DisablePasswordChange,,,,0,0,=,Medium +2.3.6.5,"Security Options","Domain member: Maximum machine account password age",Registry,,HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters,MaximumPasswordAge,,,,30,30,<=!0,Medium +2.3.6.6,"Security Options","Domain member: Require strong (Windows 2000 or later) session key",Registry,,HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters,RequireStrongKey,,,,1,1,=,Medium +2.3.7.1,"Security Options","Interactive logon: Do not require CTRL+ALT+DEL",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System,DisableCAD,,,,1,0,=,Low +2.3.7.2,"Security Options","Interactive logon: Don't display last signed-in",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System,DontDisplayLastUserName,,,,0,1,=,Low +2.3.7.3,"Security Options","Interactive logon: Machine account lockout threshold",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,MaxDevicePasswordFailedAttempts,,,,10,10,<=!0,Medium +2.3.7.4,"Security Options","Interactive logon: Machine inactivity limit",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,InactivityTimeoutSecs,,,,900,900,<=!0,Medium +2.3.7.5,"Security Options","Interactive logon: Message text for users attempting to log on",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,LegalNoticeText,,,,,,!=,Low +2.3.7.6,"Security Options","Interactive logon: Message title for users attempting to log on",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,LegalNoticeCaption,,,,,,!=,Low +2.3.7.7,"Security Options","Interactive logon: Number of previous logons to cache (in case domain controller is not available)",Registry,,"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",CachedLogonsCount,,,,10,4,<=,Medium +2.3.7.8.1,"Security Options","Interactive logon: Prompt user to change password before expiration (Max)",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,PasswordExpiryWarning,,,,5,14,<=,Low +2.3.7.8.2,"Security Options","Interactive logon: Prompt user to change password before expiration (Min)",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,PasswordExpiryWarning,,,,5,5,>=,Low +2.3.7.9,"Security Options","Interactive logon: Smart card removal behavior",Registry,,"HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon",ScRemoveOption,,,,0,1,=,Low +2.3.8.1,"Security Options","Microsoft network client: Digitally sign communications (always)",Registry,,HKLM:\System\CurrentControlSet\Services\LanmanWorkstation\Parameters,RequireSecuritySignature,,,,0,1,=,Medium +2.3.8.2,"Security Options","Microsoft network client: Digitally sign communications (if server agrees)",Registry,,HKLM:\System\CurrentControlSet\Services\LanmanWorkstation\Parameters,EnableSecuritySignature,,,,1,1,=,Medium +2.3.8.3,"Security Options","Microsoft network client: Send unencrypted password to third-party SMB servers",Registry,,HKLM:\System\CurrentControlSet\Services\LanmanWorkstation\Parameters,EnablePlainTextPassword,,,,0,0,=,Medium +2.3.9.1,"Security Options","Microsoft network server: Amount of idle time required before suspending session",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters,AutoDisconnect,,,,15,15,<=,Medium +2.3.9.2,"Security Options","Microsoft network server: Digitally sign communications (always)",Registry,,HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters,RequireSecuritySignature,,,,0,1,=,Medium +2.3.9.3,"Security Options","Microsoft network server: Digitally sign communications (if client agrees)",Registry,,HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters,EnableSecuritySignature,,,,0,1,=,Medium +2.3.9.4,"Security Options","Microsoft network server: Disconnect clients when logon hours expire",Registry,,HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters,enableforcedlogoff,,,,1,1,=,Medium +2.3.9.5,"Security Options","Microsoft network server: Server SPN target name validation level",Registry,,HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters,SMBServerNameHardeningLevel,,,,,1,>=,Medium +2.3.10.1,"Security Options","Network access: Allow anonymous SID/Name translation",secedit,"System Access\LSAAnonymousNameLookup",,,,,,0,0,=,Medium +2.3.10.2,"Security Options","Network access: Do not allow anonymous enumeration of SAM accounts",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,RestrictAnonymousSAM,,,,1,1,=,Medium +2.3.10.3,"Security Options","Network access: Do not allow anonymous enumeration of SAM accounts and shares",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,RestrictAnonymous,,,,0,1,=,Medium +2.3.10.4,"Security Options","Network access: Do not allow storage of passwords and credentials for network authentication",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,DisableDomainCreds,,,,0,1,=,Medium +2.3.10.5,"Security Options","Network access: Let Everyone permissions apply to anonymous users",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,EveryoneIncludesAnonymous,,,,0,0,=,Medium +2.3.10.6,"Security Options","Network access: Named Pipes that can be accessed anonymously",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters,NullSessionPipes,,,,,,=,Medium +2.3.10.7,"Security Options","Network access: Remotely accessible registry paths",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths,Machine,,,,"System\CurrentControlSet\Control\ProductOptions System\CurrentControlSet\Control\Server Applications Software\Microsoft\Windows NT\CurrentVersion","System\CurrentControlSet\Control\ProductOptions;System\CurrentControlSet\Control\Server Applications;Software\Microsoft\Windows NT\CurrentVersion",=,Medium +2.3.10.8,"Security Options","Network access: Remotely accessible registry paths and sub-paths",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths,Machine,,,,"System\CurrentControlSet\Control\Print\Printers System\CurrentControlSet\Services\Eventlog Software\Microsoft\OLAP Server Software\Microsoft\Windows NT\CurrentVersion\Print Software\Microsoft\Windows NT\CurrentVersion\Windows System\CurrentControlSet\Control\ContentIndex System\CurrentControlSet\Control\Terminal Server System\CurrentControlSet\Control\Terminal Server\UserConfig System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration Software\Microsoft\Windows NT\CurrentVersion\Perflib System\CurrentControlSet\Services\SysmonLog","System\CurrentControlSet\Control\Print\Printers;System\CurrentControlSet\Services\Eventlog;Software\Microsoft\OLAP Server;Software\Microsoft\Windows NT\CurrentVersion\Print;Software\Microsoft\Windows NT\CurrentVersion\Windows;System\CurrentControlSet\Control\ContentIndex;System\CurrentControlSet\Control\Terminal Server;System\CurrentControlSet\Control\Terminal Server\UserConfig;System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration;Software\Microsoft\Windows NT\CurrentVersion\Perflib;System\CurrentControlSet\Services\SysmonLog",=,Medium +2.3.10.9,"Security Options","Network access: Restrict anonymous access to Named Pipes and Shares",Registry,,HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters,RestrictNullSessAccess,,,,1,1,=,Medium +2.3.10.10,"Security Options","Network access: Restrict clients allowed to make remote calls to SAM",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,RestrictRemoteSAM,,,,,O:BAG:BAD:(A;;RC;;;BA),=,Medium +2.3.10.11,"Security Options","Network access: Shares that can be accessed anonymously",Registry,,HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters,NullSessionShares,,,,,,=,Medium +2.3.10.12,"Security Options","Network access: Sharing and security model for local accounts",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,ForceGuest,,,,0,0,=,Medium +2.3.11.1,"Security Options","Network security: Allow Local System to use computer identity for NTLM",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,UseMachineId,,,,,1,=,Medium +2.3.11.2,"Security Options","Network security: Allow LocalSystem NULL session fallback",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0,allownullsessionfallback,,,,0,0,=,Medium +2.3.11.3,"Security Options","Network security: Allow PKU2U authentication requests to this computer to use online identities",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa\pku2u,AllowOnlineID,,,,,0,=,Medium +2.3.11.4,"Security Options","Network security: Configure encryption types allowed for Kerberos",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters,SupportedEncryptionTypes,,,,,2147483640,<=,Medium +2.3.11.5,"Security Options","Network security: Do not store LAN Manager hash value on next password change",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,NoLMHash,,,,1,1,=,High +2.3.11.6,"Security Options","Network security: Force logoff when logon hours expires",secedit,"System Access\ForceLogoffWhenHourExpire",,,,,,0,1,=,Low +2.3.11.7,"Security Options","Network security: LAN Manager authentication level",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,LmCompatibilityLevel,,,,3,5,=,Medium +2.3.11.8,"Security Options","Network security: LDAP client signing requirements",Registry,,HKLM:\System\CurrentControlSet\Services\LDAP,LDAPClientIntegrity,,,,1,1,>=,Medium +2.3.11.9,"Security Options","Network security: Minimum session security for NTLM SSP based (including secure RPC) clients",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0,NTLMMinClientSec,,,,536870912,537395200,=,Medium +2.3.11.10,"Security Options","Network security: Minimum session security for NTLM SSP based (including secure RPC) servers",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0,NTLMMinServerSec,,,,536870912,537395200,=,Medium +2.3.14.1,"Security Options","System cryptography: Force strong key protection for user keys stored on the computer",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Cryptography,ForceKeyProtection,,,,,1,>=,Medium +2.3.15.1,"Security Options","System objects: Require case insensitivity for non-Windows subsystem",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel",ObCaseInsensitive,,,,,1,=,Medium +2.3.15.2,"Security Options","System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)",Registry,,"HKLM:\System\CurrentControlSet\Control\Session Manager",ProtectionMode,,,,1,1,=,Medium +2.3.17.1,"Security Options","User Account Control: Admin Approval Mode for the Built-in Administrator account",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,FilterAdministratorToken,,,,0,1,=,Medium +2.3.17.2,"Security Options","User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,ConsentPromptBehaviorAdmin,,,,5,2,=,Medium +2.3.17.3,"Security Options","User Account Control: Behavior of the elevation prompt for standard users",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,ConsentPromptBehaviorUser,,,,0,0,=,Medium +2.3.17.4,"Security Options","User Account Control: Detect application installations and prompt for elevation",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,EnableInstallerDetection,,,,1,1,=,Medium +2.3.17.5,"Security Options","User Account Control: Only elevate UIAccess applications that are installed in secure locations",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,EnableSecureUIAPaths,,,,1,1,=,Medium +2.3.17.6,"Security Options","User Account Control: Run all administrators in Admin Approval Mode",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,EnableLUA,,,,1,1,=,Medium +2.3.17.7,"Security Options","User Account Control: Switch to the secure desktop when prompting for elevation",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,PromptOnSecureDesktop,,,,1,1,=,Medium +2.3.17.8,"Security Options","User Account Control: Virtualize file and registry write failures to per-user locations",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,EnableVirtualization,,,,1,1,=,Medium +5.1.1,"System Services","Bluetooth Audio Gateway Service (BTAGService)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\BTAGService,Start,,,,3,4,=,Medium +5.1.2,"System Services","Bluetooth Audio Gateway Service (BTAGService) (Service Startup type)",service,BTAGService,,,,,,Manual,Disabled,=,Medium +5.2.1,"System Services","Bluetooth Support Service (bthserv)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\bthserv,Start,,,,3,4,=,Medium +5.2.2,"System Services","Bluetooth Support Service (bthserv) (Service Startup type)",service,bthserv,,,,,,Manual,Disabled,=|0,Medium +5.3.1,"System Services","Computer Browser (Browser)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\Browser,Start,,,,,4,=|0,Medium +5.3.2,"System Services","Computer Browser (Browser) (Service Startup type) (!Check for false positive for service ""bowser""!)",service,Browser,,,,,,Manual,Disabled,=|0,Medium +5.4.1,"System Services","Downloaded Maps Manager (MapsBroker)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\MapsBroker,Start,,,,2,4,=,Medium +5.4.2,"System Services","Downloaded Maps Manager (MapsBroker) (Service Startup type)",service,MapsBroker,,,,,,Automatic,Disabled,=,Medium +5.5.1,"System Services","Geolocation Service (lfsvc)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\lfsvc,Start,,,,3,4,=,Medium +5.5.2,"System Services","Geolocation Service (lfsvc) (Service Startup type)",service,lfsvc,,,,,,Manual,Disabled,=|0,Medium +5.6.1,"System Services","IIS Admin Service (IISADMIN)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\IISADMIN,Start,,,,,4,=|0,Medium +5.6.2,"System Services","IIS Admin Service (IISADMIN) (Service Startup type)",service,IISADMIN,,,,,,"",Disabled,=|0,Medium +5.7.1,"System Services","Infrared monitor service (irmon)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\irmon,Start,,,,,4,=,Medium +5.7.2,"System Services","Infrared monitor service (irmon) (Service Startup type)",service,irmon,,,,,,,Disabled,=,Medium +5.8.1,"System Services","Internet Connection Sharing (ICS) (SharedAccess)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess,Start,,,,3,4,=,Medium +5.8.2,"System Services","Internet Connection Sharing (ICS) (SharedAccess) (Service Startup type)",service,SharedAccess,,,,,,Manual,Disabled,=,Medium +5.9.1,"System Services","Link-Layer Topology Discovery Mapper (lltdsvc)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\lltdsvc,Start,,,,3,4,=,Medium +5.9.2,"System Services","Link-Layer Topology Discovery Mapper (lltdsvc) (Service Startup type)",service,lltdsvc,,,,,,Manual,Disabled,=,Medium +5.10.1,"System Services","LxssManager (LxssManager)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\LxssManager,Start,,,,"",4,=|0,Medium +5.10.2,"System Services","LxssManager (LxssManager) (Service Startup type)",service,LxssManager,,,,,,,Disabled,=|0,Medium +5.11.1,"System Services","Microsoft FTP Service (FTPSVC)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\FTPSVC,Start,,,,,4,=|0,Medium +5.11.2,"System Services","Microsoft FTP Service (FTPSVC) (Service Startup type)",service,FTPSVC,,,,,,"",Disabled,=|0,Medium +5.12.1,"System Services","Microsoft iSCSI Initiator Service (MSiSCSI)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\MSiSCSI,Start,,,,3,4,=,Medium +5.12.2,"System Services","Microsoft iSCSI Initiator Service (MsiSCSI) (Service Startup type)",service,MsiSCSI,,,,,,Manual,Disabled,=,Medium +5.13.1,"System Services","OpenSSH SSH Server (sshd)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\sshd,Start,,,,,4,=|0,Medium +5.13.2,"System Services","OpenSSH SSH Server (sshd) (Service Startup type)",service,sshd,,,,,,,Disabled,=|0,Medium +5.14.1,"System Services","Peer Name Resolution Protocol (PNRPsvc)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\PNRPsvc,Start,,,,3,4,=,Medium +5.14.2,"System Services","Peer Name Resolution Protocol (PNRPsvc) (Service Startup type)",service,PNRPsvc,,,,,,Manual,Disabled,=,Medium +5.15.1,"System Services","Peer Networking Grouping (p2psvc)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\p2psvc,Start,,,,3,4,=,Medium +5.15.2,"System Services","Peer Networking Grouping (p2psvc) (Service Startup type)",service,p2psvc,,,,,,Manual,Disabled,=,Medium +5.16.1,"System Services","Peer Networking Identity Manager (p2pimsvc)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\p2pimsvc,Start,,,,3,4,=,Medium +5.16.2,"System Services","Peer Networking Identity Manager (p2pimsvc) (Service Startup type)",service,p2pimsvc,,,,,,Manual,Disabled,=,Medium +5.17.1,"System Services","PNRP Machine Name Publication Service (PNRPAutoReg)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\PNRPAutoReg,Start,,,,3,4,=,Medium +5.17.2,"System Services","PNRP Machine Name Publication Service (PNRPAutoReg) (Service Startup type)",service,PNRPAutoReg,,,,,,Manual,Disabled,=,Medium +5.18.1,"System Services","Problem Reports and Solutions Control Panel Support (wercplsupport)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\wercplsupport,Start,,,,3,4,=,Medium +5.18.2,"System Services","Problem Reports and Solutions Control Panel Support (wercplsupport) (Service Startup type)",service,wercplsupport,,,,,,Manual,Disabled,=,Medium +5.19.1,"System Services","Remote Access Auto Connection Manager (RasAuto)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\RasAuto,Start,,,,3,4,=,Medium +5.19.2,"System Services","Remote Access Auto Connection Manager (RasAuto) (Service Startup type)",service,RasAuto,,,,,,Manual,Disabled,=,Medium +5.20.1,"System Services","Remote Desktop Configuration (SessionEnv)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\SessionEnv,Start,,,,3,4,=,Medium +5.20.2,"System Services","Remote Desktop Configuration (SessionEnv) (Service Startup type)",service,SessionEnv,,,,,,Manual,Disabled,=,Medium +5.21.1,"System Services","Remote Desktop Services (TermService)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\TermService,Start,,,,3,4,=,Medium +5.21.2,"System Services","Remote Desktop Services (TermService) (Service Startup type)",service,TermService,,,,,,Manual,Disabled,=,Medium +5.22.1,"System Services","Remote Desktop Services UserMode Port Redirector (UmRdpService)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\UmRdpService,Start,,,,3,4,=,Medium +5.22.1,"System Services","Remote Desktop Services UserMode Port Redirector (UmRdpService) (Service Startup type)",service,UmRdpService,,,,,,Manual,Disabled,=,Medium +5.23.1,"System Services","Remote Procedure Call (RPC) Locator (RpcLocator)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\RpcLocator,Start,,,,3,4,=,Medium +5.23.2,"System Services","Remote Procedure Call (RPC) Locator (RpcLocator) (Service Startup type)",service,RpcLocator,,,,,,Manual,Disabled,=,Medium +5.24.1,"System Services","Remote Registry (RemoteRegistry)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\RemoteRegistry,Start,,,,4,4,=,Medium +5.24.2,"System Services","Remote Registry (RemoteRegistry) (Service Startup type)",service,RemoteRegistry,,,,,,Disabled,Disabled,=,Medium +5.25.1,"System Services","Routing and Remote Access (RemoteAccess)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\RemoteAccess,Start,,,,4,4,=,Medium +5.25.2,"System Services","Routing and Remote Access (RemoteAccess) (Service Startup type)",service,RemoteAccess,,,,,,Disabled,Disabled,=,Medium +5.26.1,"System Services","Server (LanmanServer)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer,Start,,,,2,4,=,Medium +5.26.2,"System Services","Server (LanmanServer) (Service Startup type)",service,LanmanServer,,,,,,Automatic,Disabled,=,Medium +5.27.1,"System Services","Simple TCP/IP Services (simptcp)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\simptcp,Start,,,,,4,=|0,Medium +5.27.2,"System Services","Simple TCP/IP Services (simptcp) (Service Startup type)",service,simptcp,,,,,,"",Disabled,=|0,Medium +5.28.1,"System Services","SNMP Service (SNMP)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\SNMP,Start,,,,,4,=|0,Medium +5.28.2,"System Services","SNMP Service (SNMP) (Service Startup type)",service,SNMP,,,,,,"",Disabled,=|0,Medium +5.29.1,"System Services","Special Administration Console Helper (sacsvr)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\sacsvr,Start,,,,,4,=,Medium +5.29.2,"System Services","Special Administration Console Helper (sacsvr) (Service Startup type)",service,sacsvr,,,,,,,Disabled,=,Medium +5.30.1,"System Services","SSDP Discovery (SSDPSRV)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\SSDPSRV,Start,,,,3,4,=,Medium +5.30.2,"System Services","SSDP Discovery (SSDPSRV) (Service Startup type)",service,SSDPSRV,,,,,,Manual,Disabled,=,Medium +5.31.1,"System Services","UPnP Device Host (upnphost)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\upnphost,Start,,,,3,4,=,Medium +5.31.2,"System Services","UPnP Device Host (upnphost) (Service Startup type)",service,upnphost,,,,,,Manual,Disabled,=,Medium +5.32.1,"System Services","Web Management Service (WMSvc)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\WMSvc,Start,,,,,4,=|0,Medium +5.32.2,"System Services","Web Management Service (WMSvc) (Service Startup type)",service,WMSvc,,,,,,"",Disabled,=|0,Medium +5.33.1,"System Services","Windows Error Reporting Service (WerSvc)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\WerSvc,Start,,,,3,4,=,Medium +5.33.2,"System Services","Windows Error Reporting Service (WerSvc) (Service Startup type)",service,WerSvc,,,,,,Manual,Disabled,=,Medium +5.34.1,"System Services","Windows Event Collector (Wecsvc)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\Wecsvc,Start,,,,3,4,=,Medium +5.34.2,"System Services","Windows Event Collector (Wecsvc) (Service Startup type)",service,Wecsvc,,,,,,Manual,Disabled,=,Medium +5.35.1,"System Services","Windows Media Player Network Sharing Service (WMPNetworkSvc)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\WMPNetworkSvc,Start,,,,3,4,=,Medium +5.35.2,"System Services","Windows Media Player Network Sharing Service (WMPNetworkSvc) (Service Startup type)",service,WMPNetworkSvc,,,,,,Manual,Disabled,=,Medium +5.36.1,"System Services","Windows Mobile Hotspot Service (icssvc)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\icssvc,Start,,,,3,4,=,Medium +5.36.2,"System Services","Windows Mobile Hotspot Service (icssvc) (Service Startup type)",service,icssvc,,,,,,Manual,Disabled,=,Medium +5.37.1,"System Services","Windows Push Notifications System Service (WpnService)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\WpnService,Start,,,,2,4,=,Medium +5.37.2,"System Services","Windows Push Notifications System Service (WpnService) (Service Startup type)",service,WpnService,,,,,,Automatic,Disabled,=,Medium +5.38.1,"System Services","Windows PushToInstall Service (PushToInstall)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\PushToInstall,Start,,,,3,4,=,Medium +5.38.2,"System Services","Windows PushToInstall Service (PushToInstall) (Service Startup type)",service,PushToInstall,,,,,,Manual,Disabled,=,Medium +5.39.1,"System Services","Windows Remote Management (WS-Management) (WinRM)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\WinRM,Start,,,,3,4,=,Medium +5.39.2,"System Services","Windows Remote Management (WS-Management) (WinRM) (Service Startup type)",service,WinRM,,,,,,Manual,Disabled,=,Medium +5.40.1,"System Services","World Wide Web Publishing Service (W3SVC)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\W3SVC,Start,,,,,4,=|0,Medium +5.40.1,"System Services","World Wide Web Publishing Service (W3SVC) (Service Startup type)",service,W3SVC,,,,,,,Disabled,=|0,Medium +5.41.1,"System Services","Xbox Accessory Management Service (XboxGipSvc)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\XboxGipSvc,Start,,,,3,4,=,Medium +5.41.2,"System Services","Xbox Accessory Management Service (XboxGipSvc) (Service Startup type)",service,XboxGipSvc,,,,,,Manual,Disabled,=,Medium +5.42.1,"System Services","Xbox Live Auth Manager (XblAuthManager)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\XblAuthManager,Start,,,,3,4,=,Medium +5.42.2,"System Services","Xbox Live Auth Manager (XblAuthManager) (Service Startup type)",service,XblAuthManager,,,,,,Manual,Disabled,=,Medium +5.43.1,"System Services","Xbox Live Game Save (XblGameSave)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\XblGameSave,Start,,,,3,4,=,Medium +5.43.2,"System Services","Xbox Live Game Save (XblGameSave) (Service Startup type)",service,XblGameSave,,,,,,Manual,Disabled,=,Medium +5.44.1,"System Services","Xbox Live Networking Service (XboxNetApiSvc)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\XboxNetApiSvc,Start,,,,3,4,=,Medium +5.44.2,"System Services","Xbox Live Networking Service (XboxNetApiSvc) (Service Startup type)",service,XboxNetApiSvc,,,,,,Manual,Disabled,=,Medium +9.1.1,"Windows Firewall","EnableFirewall (Domain Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile,EnableFirewall,,,,0,1,=,Medium +9.1.2,"Windows Firewall","Inbound Connections (Domain Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile,DefaultInboundAction,,,,1,1,=,Medium +9.1.3,"Windows Firewall","Outbound Connections (Domain Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile,DefaultOutboundAction,,,,0,0,=,Medium +9.1.4,"Windows Firewall","Display a notification (Domain Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile,DisableNotifications,,,,0,1,=,Low +9.1.5,"Windows Firewall","Name of log file (Domain Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging,LogFilePath,,,,%SystemRoot%\System32\logfiles\firewall\pfirewall.log,%SystemRoot%\System32\logfiles\firewall\domainfw.log,=,Low +9.1.6,"Windows Firewall","Log size limit (Domain Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging,LogFileSize,,,,4096,16384,>=,Medium +9.1.7,"Windows Firewall","Log dropped packets (Domain Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging,LogDroppedPackets,,,,0,1,=,Medium +9.1.8,"Windows Firewall","Log successful connections (Domain Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging,LogSuccessfulConnections,,,,0,1,=,Low +9.2.1,"Windows Firewall","EnableFirewall (Private Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile,EnableFirewall,,,,0,1,=,Medium +9.2.2,"Windows Firewall","Inbound Connections (Private Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile,DefaultInboundAction,,,,1,1,=,Medium +9.2.3,"Windows Firewall","Outbound Connections (Private Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile,DefaultOutboundAction,,,,0,0,=,Medium +9.2.4,"Windows Firewall","Display a notification (Private Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile,DisableNotifications,,,,0,1,=,Low +9.2.5,"Windows Firewall","Name of log file (Private Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging,LogFilePath,,,,%SystemRoot%\System32\logfiles\firewall\pfirewall.log,%SystemRoot%\System32\logfiles\firewall\privatefw.log,=,Low +9.2.6,"Windows Firewall","Log size limit (Private Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging,LogFileSize,,,,4096,16384,>=,Medium +9.2.7,"Windows Firewall","Log dropped packets (Private Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging,LogDroppedPackets,,,,0,1,=,Medium +9.2.8,"Windows Firewall","Log successful connections (Private Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging,LogSuccessfulConnections,,,,0,1,=,Low +9.3.1,"Windows Firewall","EnableFirewall (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile,EnableFirewall,,,,0,1,=,Medium +9.3.2,"Windows Firewall","Inbound Connections (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile,DefaultInboundAction,,,,1,1,=,Medium +9.3.3,"Windows Firewall","Outbound Connections (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile,DefaultOutboundAction,,,,0,0,=,Medium +9.3.4,"Windows Firewall","Display a notification (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile,DisableNotifications,,,,0,1,=,Low +9.3.5,"Windows Firewall","Apply local firewall rules (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile,AllowLocalPolicyMerge,,,,0,0,=,Low +9.3.6,"Windows Firewall","Apply local connection security rules (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile,AllowLocalIPsecPolicyMerge,,,,0,0,=,Low +9.3.7,"Windows Firewall","Name of log file (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging,LogFilePath,,,,%SystemRoot%\System32\logfiles\firewall\pfirewall.log,%SystemRoot%\System32\logfiles\firewall\publicfw.log,=,Low +9.3.8,"Windows Firewall","Log size limit (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging,LogFileSize,,,,4096,16384,>=,Medium +9.3.9,"Windows Firewall","Log dropped packets (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging,LogDroppedPackets,,,,0,1,=,Medium +9.3.10,"Windows Firewall","Log successful connections (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging,LogSuccessfulConnections,,,,0,1,=,Low +17.1.1,"Advanced Audit Policy Configuration","Credential Validation",auditpol,{0CCE923F-69AE-11D9-BED3-505054503030},,,,,,"No Auditing","Success and Failure",=,Low +17.2.1,"Advanced Audit Policy Configuration","Application Group Management",auditpol,{0CCE9239-69AE-11D9-BED3-505054503030},,,,,,"No Auditing","Success and Failure",=,Low +17.2.2,"Advanced Audit Policy Configuration","Security Group Management",auditpol,{0CCE9237-69AE-11D9-BED3-505054503030},,,,,,Success,Success,contains,Low +17.2.3,"Advanced Audit Policy Configuration","User Account Management",auditpol,{0CCE9235-69AE-11D9-BED3-505054503030},,,,,,Success,"Success and Failure",=,Low +17.3.1,"Advanced Audit Policy Configuration","Plug and Play Events",auditpol,{0cce9248-69ae-11d9-bed3-505054503030},,,,,,"No Auditing",Success,contains,Low +17.3.2,"Advanced Audit Policy Configuration","Process Creation",auditpol,{0CCE922B-69AE-11D9-BED3-505054503030},,,,,,"No Auditing",Success,contains,Low +17.5.1,"Advanced Audit Policy Configuration","Account Lockout",auditpol,{0CCE9217-69AE-11D9-BED3-505054503030},,,,,,Success,Failure,contains,Low +17.5.2,"Advanced Audit Policy Configuration","Group Membership",auditpol,{0cce9249-69ae-11d9-bed3-505054503030},,,,,,"No Auditing",Success,contains,Low +17.5.3,"Advanced Audit Policy Configuration",Logoff,auditpol,{0CCE9216-69AE-11D9-BED3-505054503030},,,,,,Success,Success,contains,Low +17.5.4,"Advanced Audit Policy Configuration",Logon,auditpol,{0CCE9215-69AE-11D9-BED3-505054503030},,,,,,"Success and Failure","Success and Failure",=,Low +17.5.5,"Advanced Audit Policy Configuration","Other Logon/Logoff Events",auditpol,{0CCE921C-69AE-11D9-BED3-505054503030},,,,,,"No Auditing","Success and Failure",=,Low +17.5.6,"Advanced Audit Policy Configuration","Special Logon",auditpol,{0CCE921B-69AE-11D9-BED3-505054503030},,,,,,Success,Success,contains,Low +17.6.1,"Advanced Audit Policy Configuration","Detailed File Share",auditpol,{0CCE9244-69AE-11D9-BED3-505054503030},,,,,,"No Auditing",Failure,contains,Low +17.6.2,"Advanced Audit Policy Configuration","File Share",auditpol,{0CCE9224-69AE-11D9-BED3-505054503030},,,,,,"No Auditing","Success and Failure",=,Low +17.6.3,"Advanced Audit Policy Configuration","Other Object Access Events",auditpol,{0CCE9227-69AE-11D9-BED3-505054503030},,,,,,"No Auditing","Success and Failure",=,Low +17.6.4,"Advanced Audit Policy Configuration","Removable Storage",auditpol,{0CCE9245-69AE-11D9-BED3-505054503030},,,,,,"No Auditing","Success and Failure",=,Low +17.7.1,"Advanced Audit Policy Configuration","Audit Policy Change",auditpol,{0CCE922F-69AE-11D9-BED3-505054503030},,,,,,Success,Success,contains,Low +17.7.2,"Advanced Audit Policy Configuration","Authentication Policy Change",auditpol,{0CCE9230-69AE-11D9-BED3-505054503030},,,,,,Success,Success,contains,Low +17.7.3,"Advanced Audit Policy Configuration","Authorization Policy Change",auditpol,{0CCE9231-69AE-11D9-BED3-505054503030},,,,,,"No Auditing",Success,contains,Low +17.7.4,"Advanced Audit Policy Configuration","MPSSVC Rule-Level Policy Change",auditpol,{0CCE9232-69AE-11D9-BED3-505054503030},,,,,,"No Auditing","Success and Failure",=,Low +17.7.5,"Advanced Audit Policy Configuration","Other Policy Change Events",auditpol,{0CCE9234-69AE-11D9-BED3-505054503030},,,,,,"No Auditing",Failure,contains,Low +17.8.1,"Advanced Audit Policy Configuration","Sensitive Privilege Use",auditpol,{0CCE9228-69AE-11D9-BED3-505054503030},,,,,,"No Auditing","Success and Failure",=,Low +17.9.1,"Advanced Audit Policy Configuration","IPsec Driver",auditpol,{0CCE9213-69AE-11D9-BED3-505054503030},,,,,,"No Auditing","Success and Failure",=,Low +17.9.2,"Advanced Audit Policy Configuration","Other System Events",auditpol,{0CCE9214-69AE-11D9-BED3-505054503030},,,,,,"Success and Failure","Success and Failure",=,Low +17.9.3,"Advanced Audit Policy Configuration","Security State Change",auditpol,{0CCE9210-69AE-11D9-BED3-505054503030},,,,,,Success,Success,contains,Low +17.9.4,"Advanced Audit Policy Configuration","Security System Extension",auditpol,{0CCE9211-69AE-11D9-BED3-505054503030},,,,,,"No Auditing",Success,contains,Low +17.9.5,"Advanced Audit Policy Configuration","System Integrity",auditpol,{0CCE9212-69AE-11D9-BED3-505054503030},,,,,,"Success and Failure","Success and Failure",=,Low +18.1.1.1,"Administrative Templates: Control Panel","Personalization: Prevent enabling lock screen camera",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Personalization,NoLockScreenCamera,,,,0,1,=,Low +18.1.1.2,"Administrative Templates: Control Panel","Personalization: Prevent enabling lock screen slide show",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Personalization,NoLockScreenSlideshow,,,,0,1,=,Low +18.1.2.2,"Administrative Templates: Control Panel","Regional and Language Options: Allow users to enable online speech recognition services",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\InputPersonalization,AllowInputPersonalization,,,,1,0,=,Medium +18.1.3,"Administrative Templates: Control Panel","Allow Online Tips",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer,AllowOnlineTips,,,,1,0,=,Medium +18.2.1,"Administrative Templates: LAPS","LAPS AdmPwd GPO Extension / CSE",Registry,,"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA}",DllName,,,,,"C:\Program Files\LAPS\CSE\AdmPwd.dll",=,Medium +18.2.2,"Administrative Templates: LAPS","Do not allow password expiration time longer than required by policy",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd",PwdExpirationProtectionEnabled,,,,,1,=,Medium +18.2.3,"Administrative Templates: LAPS","Enable local admin password management",Registry,,"HKLM:\Software\Policies\Microsoft Services\AdmPwd",AdmPwdEnabled,,,,,1,=,Medium +18.2.4,"Administrative Templates: LAPS","Password Settings: Password Complexity",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd",PasswordComplexity,,,,,4,=,Medium +18.2.5,"Administrative Templates: LAPS","Password Settings: Password Length",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd",PasswordLength,,,,,15,>=,Medium +18.2.6,"Administrative Templates: LAPS","Password Settings: Password Age (Days)",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd",PasswordLength,,,,,30,<=,Medium +18.3.1,"MS Security Guide","Apply UAC restrictions to local accounts on network logons",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,LocalAccountTokenFilterPolicy,,,,,0,=,Medium +18.3.2,"MS Security Guide","Configure SMB v1 client driver",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\MrxSmb10,Start,,,,,4,=,Medium +18.3.3,"MS Security Guide","Configure SMB v1 server",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters,SMB1,,,,,0,=,Medium +18.3.4,"MS Security Guide","Enable Structured Exception Handling Overwrite Protection (SEHOP)",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel",DisableExceptionChainValidation,,,,,0,=,Medium +18.3.5,"MS Security Guide","NetBT NodeType configuration",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters,NodeType,,,,0,2,=,Medium +18.3.6,"MS Security Guide","WDigest Authentication",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest,UseLogonCredential,,,,0,0,=,High +18.4.1,"MSS (Legacy)","MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)",Registry,,"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",AutoAdminLogon,,,,0,0,=,Medium +18.4.2,"MSS (Legacy)","MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip6\Parameters,DisableIPSourceRouting,,,,,2,=,Medium +18.4.3,"MSS (Legacy)","MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,DisableIPSourceRouting,,,,,2,=,Medium +18.4.4,"MSS (Legacy)","MSS: (DisableSavePassword) Prevent the dial-up password from being saved",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\Parameters,DisableSavePassword,,,,,1,=,Medium +18.4.5,"MSS (Legacy)","MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,EnableICMPRedirect,,,,,0,=,Medium +18.4.6,"MSS (Legacy)","MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters,KeepAliveTime,,,,,300000,<=,Medium +18.4.7,"MSS (Legacy)","MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers",Registry,,HKLM:\System\CurrentControlSet\Services\Netbt\Parameters,NoNameReleaseOnDemand,,,,0,1,=,Medium +18.4.8,"MSS (Legacy)","MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters,PerformRouterDiscovery,,,,,0,=,Medium +18.4.9,"MSS (Legacy)","MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager",SafeDLLSearchMode,,,,0,1,=,Medium +18.4.10,"MSS (Legacy)","MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)",Registry,,"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",ScreenSaverGracePeriod,,,,5,5,<=,Medium +18.4.11,"MSS (Legacy)","MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip6\Parameters,TcpMaxDataRetransmissions,,,,5,3,<=,Medium +18.4.12,"MSS (Legacy)","MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,TcpMaxDataRetransmissions,,,,5,3,<=,Medium +18.4.13,"MSS (Legacy)","MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\Eventlog\Security,WarningLevel,,,,0,90,<=,Medium +18.5.4.1,"Administrative Templates: Network","DNS Client: Turn off multicast name resolution (LLMNR)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows NT\DNSClient",EnableMulticast,,,,1,0,=,Medium +18.5.5.1,"Administrative Templates: Network","Fonts: Enable Font Providers",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,EnableFontProviders,,,,1,0,=,Medium +18.5.8.1,"Administrative Templates: Network","Lanman Workstation: Enable insecure guest logons",Registry,,HKLM:\Software\Policies\Microsoft\Windows\LanmanWorkstation,AllowInsecureGuestAuth,,,,1,0,=,Medium +18.5.9.1.1,"Administrative Templates: Network","Link-Layer Topology Discovery: Turn on Mapper I/O (LLTDIO) driver (AllowLLTDIOOndomain)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\LLTD,AllowLLTDIOOndomain,,,,0,0,=,Medium +18.5.9.1.2,"Administrative Templates: Network","Link-Layer Topology Discovery: Turn on Mapper I/O (LLTDIO) driver (AllowLLTDIOOnPublicNet)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\LLTD,AllowLLTDIOOnPublicNet,,,,0,0,=,Medium +18.5.9.1.3,"Administrative Templates: Network","Link-Layer Topology Discovery: Turn on Mapper I/O (LLTDIO) driver (EnableLLTDIO)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\LLTD,EnableLLTDIO,,,,0,0,=,Medium +18.5.9.1.4,"Administrative Templates: Network","Link-Layer Topology Discovery: Turn on Mapper I/O (LLTDIO) driver (ProhibitLLTDIOOnPrivateNet)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\LLTD,ProhibitLLTDIOOnPrivateNet,,,,0,0,=,Medium +18.5.9.2.1,"Administrative Templates: Network","Turn on Responder (RSPNDR) driver (AllowRspndrOnDomain)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\LLTD,AllowRspndrOnDomain,,,,0,0,=,Medium +18.5.9.2.2,"Administrative Templates: Network","Turn on Responder (RSPNDR) driver (AllowRspndrOnPublicNet)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\LLTD,AllowRspndrOnPublicNet,,,,0,0,=,Medium +18.5.9.2.3,"Administrative Templates: Network","Turn on Responder (RSPNDR) driver (EnableRspndr)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\LLTD,EnableRspndr,,,,0,0,=,Medium +18.5.9.2.4,"Administrative Templates: Network","Turn on Responder (RSPNDR) driver (ProhibitRspndrOnPrivateNet)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\LLTD,ProhibitRspndrOnPrivateNet,,,,0,0,=,Medium +18.5.10.2,"Administrative Templates: Network","Turn off Microsoft Peer-to-Peer Networking Services",Registry,,HKLM:\Software\policies\Microsoft\Peernet,Disabled,,,,0,1,=,Medium +18.5.11.2,"Administrative Templates: Network","Network Connections: Prohibit installation and configuration of Network Bridge on your DNS domain network",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\Network Connections",NC_AllowNetBridge_NLA,,,,0,0,=,Medium +18.5.11.3,"Administrative Templates: Network","Network Connections: Prohibit use of Internet Connection Sharing on your DNS domain network",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\Network Connections",NC_ShowSharedAccessUI,,,,1,0,=,Medium +18.5.11.4,"Administrative Templates: Network","Network Connections: Require domain users to elevate when setting a network's location",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\Network Connections",NC_StdDomainUserSetLocation,,,,0,1,=,Medium +18.5.14.1.1,"Administrative Templates: Network","Network Provider: Hardened UNC Paths (NETLOGON)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths,\\*\NETLOGON,,,,,"RequireMutualAuthentication=1, RequireIntegrity=1",=,Medium +18.5.14.1.2,"Administrative Templates: Network","Network Provider: Hardened UNC Paths (SYSVOL)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths,\\*\SYSVOL,,,,,"RequireMutualAuthentication=1, RequireIntegrity=1",=,Medium +18.5.19.2.1,"Administrative Templates: Network","Disable IPv6",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters,DisabledComponents,,,,0,255,=,Medium +18.5.20.1.1,"Administrative Templates: Network","Windows Connect Now: Configuration of wireless settings using Windows Connect Now (EnableRegistrars)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars,EnableRegistrars,,,,1,0,=,Medium +18.5.20.1.2,"Administrative Templates: Network","Windows Connect Now: Configuration of wireless settings using Windows Connect Now (DisableUPnPRegistrar)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars,DisableUPnPRegistrar,,,,1,0,=,Medium +18.5.20.1.3,"Administrative Templates: Network","Windows Connect Now: Configuration of wireless settings using Windows Connect Now (DisableInBand802DOT11Registrar)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars,DisableInBand802DOT11Registrar,,,,1,0,=,Medium +18.5.20.1.4,"Administrative Templates: Network","Windows Connect Now: Configuration of wireless settings using Windows Connect Now (DisableFlashConfigRegistrar)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars,DisableFlashConfigRegistrar,,,,1,0,=,Medium +18.5.20.1.5,"Administrative Templates: Network","Windows Connect Now: Configuration of wireless settings using Windows Connect Now (DisableWPDRegistrar)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars,DisableWPDRegistrar,,,,1,0,=,Medium +18.5.20.2,"Administrative Templates: Network","Windows Connect Now: Prohibit access of the Windows Connect Now wizards",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WCN\UI,DisableWcnUi,,,,0,1,=,Medium +18.5.21.1,"Administrative Templates: Network","Windows Connection Manager: Minimize the number of simultaneous connections to the Internet or a Windows Domain",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy,fMinimizeConnections,,,,1,3,=,Medium +18.5.21.2,"Administrative Templates: Network","Windows Connection Manager: Prohibit connection to non-domain networks when connected to domain authenticated network",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WcmSvc\GroupPolicy,fBlockNonDomain,,,,,1,=,Medium +18.5.23.2.1,"Administrative Templates: Network","WLAN Settings: Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services",Registry,,HKLM:\Software\Microsoft\wcmsvc\wifinetworkmanager\config,AutoConnectAllowedOEM,,,,1,0,=,Medium +18.7.1.1,"Administrative Templates: Start Menu and Taskbar","Notifications: Turn off notifications network usage",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications,NoCloudApplicationNotification,,,,0,1,=,Medium +18.8.3.1,"Administrative Templates: System","Audit Process Creation: Include command line in process creation events",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit,ProcessCreationIncludeCmdLine_Enabled,,,,0,0,=,Medium +18.8.4.1,"Administrative Templates: System","Credentials Delegation: Encryption Oracle Remediation",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters,AllowEncryptionOracle,,,,0,0,=,Medium +18.8.4.2,"Administrative Templates: System","Credentials Delegation: Remote host allows delegation of non-exportable credentials",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CredentialsDelegation,AllowProtectedCreds,,,,,1,=,Medium +18.8.5.1,"Administrative Templates: System","Device Guard: Turn On Virtualization Based Security (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,EnableVirtualizationBasedSecurity,,,,,1,=,Medium +18.8.5.2,"Administrative Templates: System","Device Guard: Select Platform Security Level (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,RequirePlatformSecurityFeatures,,,,,3,=,Medium +18.8.5.3,"Administrative Templates: System","Device Guard: Virtualization Based Protection of Code Integrity (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,HypervisorEnforcedCodeIntegrity,,,,,1,=,Medium +18.8.5.4,"Administrative Templates: System","Device Guard: Require UEFI Memory Attributes Table (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,HVCIMATRequired,,,,,1,=,Medium +18.8.5.5,"Administrative Templates: System","Device Guard: Credential Guard Configuration (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,LsaCfgFlags,,,,,1,=,Medium +18.8.5.6,"Administrative Templates: System","Device Guard: Secure Launch Configuration (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,ConfigureSystemGuardLaunch,,,,0,1,=,Medium +18.8.7.1.1,"Administrative Templates: System","Device Installation: Device Installation Restrictions: Prevent installation of devices that match an ID",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions,DenyDeviceIDs,,,,0,1,=,Medium +18.8.7.1.2,"Administrative Templates: System","Device Installation: Device Installation Restrictions: Prevent installation of devices that match ID PCI\CC_0C0A (Thunderbolt)",RegistryList,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceIDs,PCI\CC_0C0A,,,,0,PCI\CC_0C0A,=,Medium +18.8.7.1.3,"Administrative Templates: System","Device Installation: Device Installation Restrictions: Prevent installation of devices that match an ID (Retroactive)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions,DenyDeviceIDsRetroactive,,,,0,1,=,Medium +18.8.7.1.4,"Administrative Templates: System","Device Installation: Device Installation Restrictions: Prevent installation of devices using drivers that match an device setup class",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions,DenyDeviceClasses,,,,0,1,=,Medium +18.8.7.1.5.1,"Administrative Templates: System","Device Installation: Device Installation Restrictions: Prevent installation of devices using drivers that match d48179be-ec20-11d1-b6b8-00c04fa372a7 (SBP-2 drive)",RegistryList,,HKLM:\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceClasses,d48179be-ec20-11d1-b6b8-00c04fa372a7,,,,0,d48179be-ec20-11d1-b6b8-00c04fa372a7,=,Medium +18.8.7.1.5.2,"Administrative Templates: System","Device Installation: Device Installation Restrictions: Prevent installation of devices using drivers that match 7ebefbc0-3200-11d2-b4c2-00a0C9697d07 (SBP-2 drive)",RegistryList,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceClasses,7ebefbc0-3200-11d2-b4c2-00a0C9697d07,,,,0,7ebefbc0-3200-11d2-b4c2-00a0C9697d07,=,Medium +18.8.7.1.5.3,"Administrative Templates: System","Device Installation: Device Installation Restrictions: Prevent installation of devices using drivers that match c06ff265-ae09-48f0-812c-16753d7cba83 (SBP-2 drive)",RegistryList,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceClasses,c06ff265-ae09-48f0-812c-16753d7cba83,,,,0,c06ff265-ae09-48f0-812c-16753d7cba83,=,Medium +18.8.7.1.5.4,"Administrative Templates: System","Device Installation: Device Installation Restrictions: Prevent installation of devices using drivers that match 6bdd1fc1-810f-11d0-bec7-08002be2092f (SBP-2 drive)",RegistryList,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceClasses,6bdd1fc1-810f-11d0-bec7-08002be2092f,,,,0,6bdd1fc1-810f-11d0-bec7-08002be2092f,=,Medium +18.8.7.1.6,"Administrative Templates: System","Device Installation: Device Installation Restrictions: Prevent installation of devices using drivers that match an device setup class (Retroactive)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions,DenyDeviceClassesRetroactive,,,,0,1,=,Medium +18.8.14.1,"Administrative Templates: System","Early Launch Antimalware: Boot-Start Driver Initialization Policy",Registry,,HKLM:\System\CurrentControlSet\Policies\EarlyLaunch,DriverLoadPolicy,,,,0,3,=,Medium +18.8.21.2,"Administrative Templates: System","Group Policy: Do not apply during periodic background processing",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}",NoGPOListChanges,,,,0,0,=,Medium +18.8.21.3,"Administrative Templates: System","Group Policy: Process even if the Group Policy objects have not changed",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}",NoBackgroundPolicy,,,,1,0,=,Medium +18.8.21.4,"Administrative Templates: System","Group Policy: Continue experiences on this device",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,EnableCdp,,,,1,0,=,Medium +18.8.21.5,"Administrative Templates: System","Group Policy: Turn off background refresh of Group Policy",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,DisableBkGndGroupPolicy,,,,0,0,=,Medium +18.8.22.1.1,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off access to the Store",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Explorer,NoUseStoreOpenWith,,,,0,1,=,Medium +18.8.22.1.2,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off downloading of print drivers over HTTP",Registry,,"HKLM:\Software\Policies\Microsoft\Windows NT\Printers",DisableWebPnPDownload,,,,0,1,=,Medium +18.8.22.1.3,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off handwriting personalization data sharing",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\TabletPC,PreventHandwritingDataSharing,,,,0,1,=,Medium +18.8.22.1.4,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off handwriting recognition error reporting",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports,PreventHandwritingErrorReports,,,,0,1,=,Medium +18.8.22.1.5,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard",ExitOnMSICW,,,,0,1,=,Medium +18.8.22.1.6,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off Internet download for Web publishing and online ordering wizards",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoWebServices,,,,0,1,=,Medium +18.8.22.1.7,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off printing over HTTP",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers",DisableHTTPPrinting,,,,0,1,=,Medium +18.8.22.1.8,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off Registration if URL connection is referring to Microsoft.com",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Registration Wizard Control",NoRegistration,,,,0,1,=,Medium +18.8.22.1.9,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off Search Companion content file updates",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\SearchCompanion,DisableContentFileUpdates,,,,0,1,=,Medium +18.8.22.1.10,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off the 'Order Prints' picture task",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoOnlinePrintsWizard,,,,0,1,=,Medium +18.8.22.1.11,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off the 'Publish to Web' task for files and folders",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoPublishingWizard,,,,0,1,=,Medium +18.8.22.1.12,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off the Windows Messenger Customer Experience Improvement Program",Registry,,HKLM:\Software\Policies\Microsoft\Messenger\Client,CEIP,,,,0,2,=,Medium +18.8.22.1.13,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off Windows Customer Experience Improvement Program",Registry,,HKLM:\Software\Policies\Microsoft\SQMClient\Windows,CEIPEnable,,,,1,0,=,Medium +18.8.22.1.14.1,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off Windows Error Reporting 1",Registry,,HKLM:\Software\Policies\Microsoft\PCHealth\ErrorReporting,DoReport,,,,1,0,=,Medium +18.8.22.1.14.2,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off Windows Error Reporting 2",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\Windows Error Reporting",Disabled,,,,0,1,=,Medium +18.8.25.1.1,"Administrative Templates: System","Kerberos: Support device authentication using certificate (DevicePKInitBehavior)",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters,DevicePKInitBehavior,,,,1,0,=,Medium +18.8.25.1.2,"Administrative Templates: System","Kerberos: Support device authentication using certificate (DevicePKInitEnabled)",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters,DevicePKInitEnabled,,,,1,1,=,Medium +18.8.26.1,"Administrative Templates: System","Kernel DMA Protection: Enumeration policy for external devices incompatible with Kernel DMA Protection",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Kernel DMA Protection",DeviceEnumerationPolicy,,,,2,0,=,Medium +18.8.27.1,"Administrative Templates: System","Locale Services: Disallow copying of user input methods to the system account for sign-in",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Control Panel\International",BlockUserInputMethodsForSignIn,,,,0,1,=,Medium +18.8.28.1,"Administrative Templates: System","Logon: Block user from showing account details on sign-in",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,BlockUserFromShowingAccountDetailsOnSignin,,,,0,1,=,Medium +18.8.28.2,"Administrative Templates: System","Logon: Do not display network selection UI",Registry,,HKLM:\Software\Policies\Microsoft\Windows\System,DontDisplayNetworkSelectionUI,,,,0,1,=,Medium +18.8.28.3,"Administrative Templates: System","Logon: Do not enumerate connected users on domain-joined computers",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,DontEnumerateConnectedUsers,,,,0,1,=,Medium +18.8.28.4,"Administrative Templates: System","Logon: Enumerate local users on domain-joined computers",Registry,,HKLM:\Software\Policies\Microsoft\Windows\System,EnumerateLocalUsers,,,,0,0,=,Medium +18.8.28.5,"Administrative Templates: System","Logon: Turn off app notifications on the lock screen",Registry,,HKLM:\Software\Policies\Microsoft\Windows\System,DisableLockScreenAppNotifications,,,,0,1,=,Medium +18.8.28.6,"Administrative Templates: System","Logon: Turn off picture password sign-in",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,BlockDomainPicturePassword,,,,0,1,=,Medium +18.8.28.7,"Administrative Templates: System","Logon: Turn on convenience PIN sign-in",Registry,,HKLM:\Software\Policies\Microsoft\Windows\System,AllowDomainPINLogon,,,,1,0,=,Medium +18.8.31.1,"Administrative Templates: System","OS Policies: Allow Clipboard synchronization across devices",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,AllowCrossDeviceClipboard,,,,1,0,=,Medium +18.8.31.2,"Administrative Templates: System","OS Policies: Allow upload of User Activities",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,UploadUserActivities,,,,1,0,=,Medium +18.8.34.6.1,"Administrative Templates: System","Sleep Settings: Allow network connectivity during connected-standby (on battery)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9,DCSettingIndex,,,,1,0,=,Medium +18.8.34.6.2,"Administrative Templates: System","Sleep Settings: Allow network connectivity during connected-standby (plugged in)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9,ACSettingIndex,,,,1,0,=,Medium +18.8.34.6.3,"Administrative Templates: System","Sleep Settings: Allow standby states (S1-S3) when sleeping (on battery)",Registry,,HKLM:\Software\Policies\Microsoft\Power\PowerSettings\abfc2519-3608-4c2a-94ea-171b0ed546ab,DCSettingIndex,,,,1,0,=,Medium +18.8.34.6.4,"Administrative Templates: System","Sleep Settings: Allow standby states (S1-S3) when sleeping (plugged in)",Registry,,HKLM:\Software\Policies\Microsoft\Power\PowerSettings\abfc2519-3608-4c2a-94ea-171b0ed546ab,ACSettingIndex,,,,1,0,=,Medium +18.8.34.6.5,"Administrative Templates: System","Sleep Settings: Require a password when a computer wakes (on battery)",Registry,,HKLM:\Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51,DCSettingIndex,,,,0,1,=,Medium +18.8.34.6.6,"Administrative Templates: System","Sleep Settings: Require a password when a computer wakes (plugged in)",Registry,,HKLM:\Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51,ACSettingIndex,,,,0,1,=,Medium +18.8.36.1,"Administrative Templates: System","Remote Assistance: Configure Offer Remote Assistance",Registry,,"HKLM:\Software\policies\Microsoft\Windows NT\Terminal Services",fAllowUnsolicited,,,,1,0,=,Medium +18.8.36.2,"Administrative Templates: System","Remote Assistance: Configure Solicited Remote Assistance",Registry,,"HKLM:\Software\policies\Microsoft\Windows NT\Terminal Services",fAllowToGetHelp,,,,1,0,=,Medium +18.8.37.1,"Administrative Templates: System","Remote Procedure Call: Enable RPC Endpoint Mapper Client Authentication",Registry,,"HKLM:\Software\Policies\Microsoft\Windows NT\Rpc",EnableAuthEpResolution,,,,0,1,=,Medium +18.8.37.2,"Administrative Templates: System","Remote Procedure Call: Restrict Unauthenticated RPC clients",Registry,,"HKLM:\Software\Policies\Microsoft\Windows NT\Rpc",RestrictRemoteClients,,,,0,1,=,Medium +18.8.47.5.1,"Administrative Templates: System","Troubleshooting and Diagnostics: Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy,DisableQueryRemoteServer,,,,1,0,=,Medium +18.8.47.11.1,"Administrative Templates: System","Windows Performance PerfTrack: Enable/Disable PerfTrack",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d},ScenarioExecutionEnabled,,,,1,0,=,Medium +18.8.49.1,"Administrative Templates: System","User Profiles: Turn off the advertising ID",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo,DisabledByGroupPolicy,,,,0,1,=,Medium +18.8.52.1.1,"Administrative Templates: System","Time Providers: Enable Windows NTP Client",Registry,,HKLM:\Software\Policies\Microsoft\W32time\TimeProviders\NtpClient,Enabled,,,,0,1,=,Medium +18.8.52.1.2,"Administrative Templates: System","Time Providers: Enable Windows NTP Server",Registry,,HKLM:\Software\Policies\Microsoft\W32time\TimeProviders\NtpServer,Enabled,,,,0,0,=,Medium +18.9.4.1,"Administrative Templates: Windows Components","App Package Deployment: Allow a Windows app to share application data between users",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\AppModel\StateManager,AllowSharedLocalAppData,,,,1,0,=,Medium +18.9.4.2,"Administrative Templates: Windows Components","App Package Deployment: Prevent non-admin users from installing packaged Windows apps",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Appx,BlockNonAdminUserInstall,,,,0,1,=,Medium +18.9.5.1,"Administrative Templates: Windows Components","App Privacy: Let Windows apps activate with voice while the system is locked",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy,LetAppsActivateWithVoiceAboveLock,,,,0,2,=,Medium +18.9.6.1,"Administrative Templates: Windows Components","App runtime: Allow Microsoft accounts to be optional",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System,MSAOptional,,,,,1,=,Medium +18.9.6.2,"Administrative Templates: Windows Components","App runtime: Block launching Universal Windows apps with Windows Runtime API access from hosted content",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,BlockHostedAppAccessWinRT,,,,0,1,=,Medium +18.9.8.1,"Administrative Templates: Windows Components","AutoPlay Policies: Disallow Autoplay for non-volume devices",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Explorer,NoAutoplayfornonVolume,,,,0,1,=,Medium +18.9.8.2,"Administrative Templates: Windows Components","AutoPlay Policies: Set the default behavior for AutoRun",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoAutorun,,,,0,1,=,Medium +18.9.8.3,"Administrative Templates: Windows Components","AutoPlay Policies: Turn off Autoplay",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoDriveTypeAutoRun,,,,0,255,=,Medium +18.9.10.1.1,"Administrative Templates: Windows Components","Biometrics: Facial Features: Configure enhanced anti-spoofing",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures,EnhancedAntiSpoofing,,,,,1,=,Medium +18.9.11.1.1,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Fixed Data Drives: Allow access to BitLocker-protected fixed data drives from earlier versions of Windows",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\FVE,FDVDiscoveryVolumeType,,,,,,=,Medium +18.9.11.1.2,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Fixed Data Drives: Choose how BitLocker-protected fixed drives can be recovered",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\FVE,FDVRecovery,,,,0,1,=,Medium +18.9.11.1.3,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Fixed Data Drives: Choose how BitLocker-protected fixed drives can be recovered: Allow data recovery agent",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\FVE,FDVManageDRA,,,,1,1,=,Medium +18.9.11.1.4,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Fixed Data Drives: Choose how BitLocker-protected fixed drives can be recovered: Recovery Password",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\FVE,FDVRecoveryPassword,,,,,2,=,Medium +18.9.11.1.5,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Fixed Data Drives: Choose how BitLocker-protected fixed drives can be recovered: Recovery Key",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\FVE,FDVRecoveryKey,,,,,2,=,Medium +18.9.11.1.6,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Fixed Data Drives: Choose how BitLocker-protected fixed drives can be recovered: Omit recovery options from the BitLocker setup wizard",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\FVE,FDVHideRecoveryPage,,,,,1,=,Medium +18.9.11.1.7,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Fixed Data Drives: Choose how BitLocker-protected fixed drives can be recovered: Save BitLocker recovery information to AD DS for fixed data drives",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\FVE,FDVActiveDirectoryBackup,,,,,0,=,Medium +18.9.11.1.8,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Fixed Data Drives: Choose how BitLocker-protected fixed drives can be recovered: Configure storage of BitLocker recovery information to AD DS",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\FVE,FDVActiveDirectoryInfoToStore,,,,,1,=,Medium +18.9.11.1.9,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Fixed Data Drives: Choose how BitLocker-protected fixed drives can be recovered: Do not enable BitLocker until recovery information is stored to AD DS for fixed data drives",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\FVE,FDVRequireActiveDirectoryBackup,,,,,0,=,Medium +18.9.11.1.10,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Fixed Data Drives: Configure use of hardware-based encryption for fixed data drives",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\FVE,FDVHardwareEncryption,,,,,1,=,Medium +18.9.11.1.11,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Fixed Data Drives: Configure use of passwords for fixed data drives",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\FVE,FDVPassphrase,,,,0,0,=,Medium +18.9.11.1.12,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Fixed Data Drives: Configure use of smart cards on fixed data drives",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\FVE,FDVAllowUserCert,,,,,1,=,Medium +18.9.11.1.13,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Fixed Data Drives: Configure use of smart cards on fixed data drives: Require use of smart cards on fixed data drives",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\FVE,FDVEnforceUserCert,,,,0,1,=,Medium +18.9.11.2.1,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Operating System Drives: Allow enhanced PINs for startup",Registry,,HKLM:\Software\Policies\Microsoft\FVE,UseEnhancedPin,,,,0,1,=,Medium +18.9.11.2.2,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Operating System Drives: Allow Secure Boot for integrity validation",Registry,,HKLM:\Software\Policies\Microsoft\FVE,OSAllowSecureBootForIntegrity,,,,0,1,=,Medium +18.9.11.2.3,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Operating System Drives: Choose how BitLocker-protected operating system drives can be recovered",Registry,,HKLM:\Software\Policies\Microsoft\FVE,OSRecovery,,,,0,1,=,Medium +18.9.11.2.4,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Operating System Drives: Choose how BitLocker-protected operating system drives can be recovered: Allow data recovery agent",Registry,,HKLM:\Software\Policies\Microsoft\FVE,OSManageDRA,,,,1,0,=,Medium +18.9.11.2.5,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Operating System Drives: Choose how BitLocker-protected operating system drives can be recovered: Recovery Password",Registry,,HKLM:\Software\Policies\Microsoft\FVE,OSRecoveryPassword,,,,,1,=,Medium +18.9.11.2.6,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Operating System Drives: Choose how BitLocker-protected operating system drives can be recovered: Recovery Key",Registry,,HKLM:\Software\Policies\Microsoft\FVE,OSRecoveryKey,,,,1,0,=,Medium +18.9.11.2.7,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Operating System Drives: Choose how BitLocker-protected operating system drives can be recovered: Omit recovery options from the BitLocker setup wizard",Registry,,HKLM:\Software\Policies\Microsoft\FVE,OSHideRecoveryPage,,,,0,1,=,Medium +18.9.11.2.8,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Operating System Drives: Choose how BitLocker-protected operating system drives can be recovered: Save BitLocker recovery information to AD DS for operating system drives",Registry,,HKLM:\Software\Policies\Microsoft\FVE,OSActiveDirectoryBackup,,,,0,1,=,Medium +18.9.11.2.9,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Operating System Drives: Choose how BitLocker-protected operating system drives can be recovered: Configure storage of BitLocker recovery information to AD DS",Registry,,HKLM:\Software\Policies\Microsoft\FVE,OSActiveDirectoryInfoToStore,,,,0,1,=,Medium +18.9.11.2.10,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Operating System Drives: Choose how BitLocker-protected operating system drives can be recovered: Do not enable BitLocker until recovery information is stored to AD DS for operating system drives",Registry,,HKLM:\Software\Policies\Microsoft\FVE,OSRequireActiveDirectoryBackup,,,,0,1,=,Medium +18.9.11.2.11,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Operating System Drives: Configure use of hardware-based encryption for operating system drives: Restrict crypto algorithms or cipher suites",Registry,,HKLM:\Software\Policies\Microsoft\FVE,OSAllowedHardwareEncryptionAlgorithms,,,,,2.16.840.1.101.3.4.1.2;2.16.840.1.101.3.4.1.42,=,Medium +18.9.11.2.12,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Operating System Drives: Configure use of passwords for operating system drives",Registry,,HKLM:\Software\Policies\Microsoft\FVE,OSPassphrase,,,,,0,=,Medium +18.9.11.2.13,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Operating System Drives: Require additional authentication at startup",Registry,,HKLM:\Software\Policies\Microsoft\FVE,UseAdvancedStartup,,,,0,1,=,Medium +18.9.11.2.14,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Operating System Drives: Require additional authentication at startup: Allow BitLocker without a compatible TPM",Registry,,HKLM:\Software\Policies\Microsoft\FVE,EnableBDEWithNoTPM,,,,1,0,=,Medium +18.9.11.3.1,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Removable Data Drives: Allow access to BitLocker-protected removable data drives from earlier versions of Windows",Registry,,HKLM:\Software\Policies\Microsoft\FVE,RDVDiscoveryVolumeType,,,,,,=,Medium +18.9.11.3.2,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Removable Data Drives: Choose how BitLocker-protected removable drives can be recovered",Registry,,HKLM:\Software\Policies\Microsoft\FVE,RDVRecovery,,,,0,1,=,Medium +18.9.11.3.3,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Removable Data Drives: Choose how BitLocker-protected removable drives can be recovered: Allow data recovery agent",Registry,,HKLM:\Software\Policies\Microsoft\FVE,RDVManageDRA,,,,,1,=,Medium +18.9.11.3.4,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Removable Data Drives: Choose how BitLocker-protected removable drives can be recovered: Recovery Password",Registry,,HKLM:\Software\Policies\Microsoft\FVE,RDVRecoveryPassword,,,,,0,=,Medium +18.9.11.3.5,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Removable Data Drives: Choose how BitLocker-protected removable drives can be recovered: Recovery Key",Registry,,HKLM:\Software\Policies\Microsoft\FVE,RDVRecoveryKey,,,,,0,=,Medium +18.9.11.3.6,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Removable Data Drives: Choose how BitLocker-protected removable drives can be recovered: Omit recovery options from the BitLocker setup wizard",Registry,,HKLM:\Software\Policies\Microsoft\FVE,RDVHideRecoveryPage,,,,,1,=,Medium +18.9.11.3.7,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Removable Data Drives: Choose how BitLocker-protected removable drives can be recovered: Save BitLocker recovery information to AD DS for removable data drives",Registry,,HKLM:\Software\Policies\Microsoft\FVE,RDVActiveDirectoryBackup,,,,,0,=,Medium +18.9.11.3.8,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Removable Data Drives: Choose how BitLocker-protected removable drives can be recovered: Configure storage of BitLocker recovery information to AD DS",Registry,,HKLM:\Software\Policies\Microsoft\FVE,RDVActiveDirectoryInfoToStore,,,,,1,=,Medium +18.9.11.3.9,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Removable Data Drives: Choose how BitLocker-protected removable drives can be recovered: Choose how BitLocker-protected removable drives can be recovered: Do not enable BitLocker until recovery information is stored to AD DS for removable data drives",Registry,,HKLM:\Software\Policies\Microsoft\FVE,RDVRequireActiveDirectoryBackup,,,,,0,=,Medium +18.9.11.3.10,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Removable Data Drives: Configure use of hardware-based encryption for removable data drives",Registry,,HKLM:\Software\Policies\Microsoft\FVE,RDVHardwareEncryption,,,,,1,=,Medium +18.9.11.3.11,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Removable Data Drives: Configure use of passwords for removable data drives",Registry,,HKLM:\Software\Policies\Microsoft\FVE,RDVPassphrase,,,,,0,=,Medium +18.9.11.3.12,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Removable Data Drives: Configure use of smart cards on removable data drives",Registry,,HKLM:\Software\Policies\Microsoft\FVE,RDVAllowUserCert,,,,,1,=,Medium +18.9.11.3.13,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Removable Data Drives: Configure use of smart cards on removable data drives: Require use of smart cards on removable data drives",Registry,,HKLM:\Software\Policies\Microsoft\FVE,RDVEnforceUserCert,,,,,1,=,Medium +18.9.11.3.14,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Removable Data Drives: Deny write access to removable drives not protected by BitLocker",Registry,,HKLM:\System\CurrentControlSet\Policies\Microsoft\FVE,RDVDenyWriteAccess,,,,,1,=,Medium +18.9.11.3.15,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Removable Data Drives: Do not allow write access to devices configured in another organization",Registry,,HKLM:\Software\Policies\Microsoft\FVE,RDVDenyCrossOrg,,,,,0,=,Medium +18.9.11.4,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Disable new DMA devices when this computer is locked",Registry,,HKLM:\Software\Policies\Microsoft\FVE,DisableExternalDMAUnderLock,,,,0,1,=,Medium +18.9.12.1,"Administrative Templates: Windows Components","Camera: Allow Use of Camera",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Camera,AllowCamera,,,,1,0,=,Medium +18.9.13.1,"Administrative Templates: Windows Components","Cloud Content: Turn off cloud optimized content",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CloudContent,DisableCloudOptimizedContent,,,,0,1,=,Medium +18.9.13.2,"Administrative Templates: Windows Components","Cloud Content: Turn off Microsoft consumer experiences",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CloudContent,DisableWindowsConsumerFeatures,,,,0,1,=,Medium +18.9.14.1,"Administrative Templates: Windows Components","Connect: Require pin for pairing",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Connect,RequirePinForPairing,,,,0,1,>=,Medium +18.9.15.1,"Administrative Templates: Windows Components","Credential User Interface: Do not display the password reveal button",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CredUI,DisablePasswordReveal,,,,0,1,=,Medium +18.9.15.2,"Administrative Templates: Windows Components","Credential User Interface: Enumerate administrator accounts on elevation",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI,EnumerateAdministrators,,,,1,0,=,Medium +18.9.15.3,"Administrative Templates: Windows Components","Credential User Interface: Prevent the use of security questions for local accounts",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,NoLocalPasswordResetQuestions,,,,0,1,=,Medium +18.9.16.1,"Administrative Templates: Windows Components","Data Collection and Preview Builds: Allow Diagnostic Data",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DataCollection,AllowTelemetry,,,,2,1,<=,Medium +18.9.16.2,"Administrative Templates: Windows Components","Data Collection and Preview Builds: Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DataCollection,DisableEnterpriseAuthProxy,,,,0,1,=,Medium +18.9.16.3,"Administrative Templates: Windows Components","Data Collection and Preview Builds: Do not show feedback notifications",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DataCollection,DoNotShowFeedbackNotifications,,,,0,1,=,Medium +18.9.16.4,"Administrative Templates: Windows Components","Data Collection and Preview Builds: Toggle user control over Insider builds",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds,AllowBuildPreview,,,,1,0,=,Medium +18.9.17.1,"Administrative Templates: Windows Components","Delivery Optimization: Download Mode",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization,DODownloadMode,,,,1,2,=,Medium +18.9.26.1.1,"Administrative Templates: Windows Components","Event Log Service: Application: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Application,Retention,,,,,0,=,Medium +18.9.26.1.2,"Administrative Templates: Windows Components","Event Log Service: Application: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Application,MaxSize,,,,4096,32768,>=,Medium +18.9.26.2.1,"Administrative Templates: Windows Components","Event Log Service: Security: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Security,Retention,,,,,0,=,Medium +18.9.26.2.2,"Administrative Templates: Windows Components","Event Log Service: Security: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Security,MaxSize,,,,4096,196608,>=,Medium +18.9.26.3.1,"Administrative Templates: Windows Components","Event Log Service: Setup: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Setup,Retention,,,,,0,=,Medium +18.9.26.3.2,"Administrative Templates: Windows Components","Event Log Service: Setup: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Setup,MaxSize,,,,4096,32768,>=,Medium +18.9.26.4.1,"Administrative Templates: Windows Components","Event Log Service: System: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\System,Retention,,,,,0,=,Medium +18.9.26.4.2,"Administrative Templates: Windows Components","Event Log Service: System: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\System,MaxSize,,,,4096,32768,>=,Medium +18.9.30.2,"Administrative Templates: Windows Components","File Explorer: Turn off Data Execution Prevention for Explorer",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer,NoDataExecutionPrevention,,,,,0,=,Medium +18.9.30.3,"Administrative Templates: Windows Components","File Explorer: Turn off heap termination on corruption",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer,NoHeapTerminationOnCorruption,,,,,0,=,Medium +18.9.30.4,"Administrative Templates: Windows Components","File Explorer: Turn off shell protocol protected mode",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer,PreXPSP2ShellProtocolBehavior,,,,,0,=,Medium +18.9.35.1,"Administrative Templates: Windows Components","HomeGroup: Prevent the computer from joining a homegroup",Registry,,HKLM:\Software\Policies\Microsoft\Windows\HomeGroup,DisableHomeGroup,,,,0,1,=,Medium +18.9.39.1,"Administrative Templates: Windows Components","Location and Sensors: Turn off location",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors,DisableLocation,,,,0,1,=,Medium +18.9.43.1,"Administrative Templates: Windows Components","Messaging: Allow Message Service Cloud Sync",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Messaging,AllowMessageSync,,,,1,0,=,Medium +18.9.44.1,"Administrative Templates: Windows Components","Microsoft account: Block all consumer Microsoft account user authentication",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\MicrosoftAccount,DisableUserAuth,,,,,1,=,Medium +18.9.45.3.1,"Microsoft Defender Antivirus","MAPS: Configure local setting override for reporting to Microsoft MAPS",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet",LocalSettingOverrideSpynetReporting,,,,,0,=,Medium +18.9.45.3.2,"Microsoft Defender Antivirus","MAPS: Join Microsoft MAPS",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet",SpynetReporting,,,,,0,=|0,Medium +18.9.45.4.1.1,"Microsoft Defender Exploit Guard","Attack Surface Reduction rules",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR",ExploitGuard_ASR_Rules,,,,0,1,=,Medium +18.9.45.4.1.2.1.1,"Microsoft Defender Exploit Guard","ASR: Block all Office applications from creating child processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",d4f940ab-401b-4efc-aadc-ad5f3c50688a,,,,0,1,=,Medium +18.9.45.4.1.2.1.2,"Microsoft Defender Exploit Guard","ASR: Block all Office applications from creating child processes",MpPreferenceAsr,d4f940ab-401b-4efc-aadc-ad5f3c50688a,,,,,,0,1,=,Medium +18.9.45.4.1.2.2.1,"Microsoft Defender Exploit Guard","ASR: Block Office applications from creating executable content (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",3b576869-a4ec-4529-8536-b80a7769e899,,,,0,1,=,Medium +18.9.45.4.1.2.2.2,"Microsoft Defender Exploit Guard","ASR: Block Office applications from creating executable content",MpPreferenceAsr,3b576869-a4ec-4529-8536-b80a7769e899,,,,,,0,1,=,Medium +18.9.45.4.1.2.3.1,"Microsoft Defender Exploit Guard","ASR: Block execution of potentially obfuscated scripts (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",5beb7efe-fd9a-4556-801d-275e5ffc04cc,,,,0,1,=,Medium +18.9.45.4.1.2.3.2,"Microsoft Defender Exploit Guard","ASR: Block execution of potentially obfuscated scripts",MpPreferenceAsr,5beb7efe-fd9a-4556-801d-275e5ffc04cc,,,,,,0,1,=,Medium +18.9.45.4.1.2.4.1,"Microsoft Defender Exploit Guard","ASR: Block Office applications from injecting code into other processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84,,,,0,1,=,Medium +18.9.45.4.1.2.4.2,"Microsoft Defender Exploit Guard","ASR: Block Office applications from injecting code into other processes",MpPreferenceAsr,75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84,,,,,,0,1,=,Medium +18.9.45.4.1.2.5.1,"Microsoft Defender Exploit Guard","ASR: Block Adobe Reader from creating child processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c,,,,0,1,=,Medium +18.9.45.4.1.2.5.2,"Microsoft Defender Exploit Guard","ASR: Block Adobe Reader from creating child processes",MpPreferenceAsr,7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c,,,,,,0,1,=,Medium +18.9.45.4.1.2.6.1,"Microsoft Defender Exploit Guard","ASR: Block Win32 API calls from Office macros (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b,,,,0,1,=,Medium +18.9.45.4.1.2.6.2,"Microsoft Defender Exploit Guard","ASR: Block Win32 API calls from Office macros",MpPreferenceAsr,92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b,,,,,,0,1,=,Medium +18.9.45.4.1.2.7.1,"Microsoft Defender Exploit Guard","ASR: Block credential stealing from the Windows local security authority subsystem (lsass.exe) (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2,,,,0,1,=,Medium +18.9.45.4.1.2.7.2,"Microsoft Defender Exploit Guard","ASR: Block credential stealing from the Windows local security authority subsystem (lsass.exe)",MpPreferenceAsr,9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2,,,,,,0,1,=,Medium +18.9.45.4.1.2.8.1,"Microsoft Defender Exploit Guard","ASR: Block untrusted and unsigned processes that run from USB (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4,,,,0,1,=,Medium +18.9.45.4.1.2.8.2,"Microsoft Defender Exploit Guard","ASR: Block untrusted and unsigned processes that run from USB",MpPreferenceAsr,b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4,,,,,,0,1,=,Medium +18.9.45.4.1.2.9.1,"Microsoft Defender Exploit Guard","ASR: Block executable content from email client and webmail (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",be9ba2d9-53ea-4cdc-84e5-9b1eeee46550,,,,0,1,=,Medium +18.9.45.4.1.2.9.2,"Microsoft Defender Exploit Guard","ASR: Block executable content from email client and webmail",MpPreferenceAsr,be9ba2d9-53ea-4cdc-84e5-9b1eeee46550,,,,,,0,1,=,Medium +18.9.45.4.1.2.10.1,"Microsoft Defender Exploit Guard","ASR: Block JavaScript or VBScript from launching downloaded executable content (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",d3e037e1-3eb8-44c8-a917-57927947596d,,,,0,1,=,Medium +18.9.45.4.1.2.10.2,"Microsoft Defender Exploit Guard","ASR: Block JavaScript or VBScript from launching downloaded executable content",MpPreferenceAsr,d3e037e1-3eb8-44c8-a917-57927947596d,,,,,,0,1,=,Medium +18.9.45.4.1.2.11.1,"Microsoft Defender Exploit Guard","ASR: Block Office communication application from creating child processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",26190899-1602-49e8-8b27-eb1d0a1ce869,,,,0,1,=,Medium +18.9.45.4.1.2.11.2,"Microsoft Defender Exploit Guard","ASR: Block Office communication application from creating child processes",MpPreferenceAsr,26190899-1602-49e8-8b27-eb1d0a1ce869,,,,,,0,1,=,Medium +18.9.45.4.1.2.12.1,"Microsoft Defender Exploit Guard","ASR: Block persistence through WMI event subscription (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",e6db77e5-3df2-4cf1-b95a-636979351e5b,,,,0,1,=,Medium +18.9.45.4.1.2.12.1,"Microsoft Defender Exploit Guard","ASR: Block persistence through WMI event subscription",MpPreferenceAsr,e6db77e5-3df2-4cf1-b95a-636979351e5b,,,,,,0,1,=,Medium +18.9.45.4.3.1,"Microsoft Defender Exploit Guard","Network Protection: Prevent users and apps from accessing dangerous websites",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection",EnableNetworkProtection,,,,,1,=,Medium +18.9.45.5.1,"Microsoft Defender Antivirus","MpEngine: Enable file hash computation feature",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine",EnableFileHashComputation,,,,,1,=,Medium +18.9.45.8.1,"Microsoft Defender Antivirus","Real-time Protection: Scan all downloaded files and attachments",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Real-Time Protection",DisableIOAVProtection,,,,0,0,=,Medium +18.9.45.8.2,"Microsoft Defender Antivirus","Real-time Protection: Turn off real-time protection",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Real-Time Protection",DisableRealtimeMonitoring,,,,0,0,=,Medium +18.9.45.8.3,"Microsoft Defender Antivirus","Real-time Protection: Turn on behavior monitoring (Policy)",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection",DisableBehaviorMonitoring,,,,0,0,=,Medium +18.9.45.10.1,"Microsoft Defender Antivirus","Reporting: Configure Watson events",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting",DisableGenericRePorts,,,,,1,=,Medium +18.9.45.11.1,"Microsoft Defender Antivirus","Scan: Scan removable drives",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Scan",DisableRemovableDriveScanning,,,,,0,=,Medium +18.9.45.11.2,"Microsoft Defender Antivirus","Scan: Turn on e-mail scanning",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Scan",DisableEmailScanning,,,,,0,=,Medium +18.9.45.14,"Microsoft Defender Antivirus","Configure detection for potentially unwanted applications",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender",PUAProtection,,,,0,1,=,Medium +18.9.45.15,"Microsoft Defender Antivirus","Turn off Microsoft Defender Antivirus",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender",DisableAntiSpyware,,,,0,0,=,Medium +18.9.46.1,"Microsoft Defender Application Guard","Allow auditing events in Microsoft Defender Application Guard",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\AppHVSI,AuditApplicationGuard,,,,,1,=,Medium +18.9.46.2,"Microsoft Defender Application Guard","Allow camera and microphone access in Microsoft Defender Application Guard",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\AppHVSI,AllowCameraMicrophoneRedirection,,,,,0,=,Medium +18.9.46.3,"Microsoft Defender Application Guard","Allow data persistence for Microsoft Defender Application Guard",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\AppHVSI,AllowPersistence,,,,,0,=,Medium +18.9.46.4,"Microsoft Defender Application Guard","Allow files to download and save to the host operating system from Microsoft Defender Application Guard",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\AppHVSI,SaveFilesToHost,,,,,0,=,Medium +18.9.46.5,"Microsoft Defender Application Guard","Configure Microsoft Defender Application Guard clipboard settings: Clipboard behavior setting",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\AppHVSI,AppHVSIClipboardSettings,,,,,1,=,Medium +18.9.46.6,"Microsoft Defender Application Guard","Turn on Microsoft Defender Application Guard in Managed Mode",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\AppHVSI,AllowAppHVSI_ProviderSet,,,,,1,=,Medium +18.9.55.1,"Administrative Templates: Windows Components","News and interests: Enable news and interests on the taskbar",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\Windows Feeds",EnableFeeds,,,,,0,=,Medium +18.9.56.1,"Administrative Templates: Windows Components","OneDrive: Prevent the usage of OneDrive for file storage",Registry,,HKLM:\Software\Policies\Microsoft\Windows\OneDrive,DisableFileSyncNGSC,,,,0,1,=,Medium +18.9.62.1,"Administrative Templates: Windows Components","Push To Install: Turn off Push To Install service",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\PushToInstall,DisablePushToInstall,,,,,1,=,Medium +18.9.63.2.2,"Administrative Templates: Windows Components","Remote Desktop Connection Client: Do not allow passwords to be saved",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",DisablePasswordSaving,,,,0,1,=,Medium +18.9.63.3.2.1,"Administrative Templates: Windows Components","Remote Desktop Session Host: Allow users to connect remotely by using Remote Desktop Services",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fDenyTSConnections,,,,0,1,=,Medium +18.9.63.3.3.1,"Administrative Templates: Windows Components","Remote Desktop Session Host: Device and Resource Redirection: Do not allow COM port redirection",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fDisableCcm,,,,0,1,=,Medium +18.9.63.3.3.2,"Administrative Templates: Windows Components","Remote Desktop Session Host: Device and Resource Redirection: Do not allow drive redirection",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fDisableCdm,,,,0,1,=,Medium +18.9.63.3.3.3,"Administrative Templates: Windows Components","Remote Desktop Session Host: Device and Resource Redirection: Do not allow LPT port redirection",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fDisableLPT,,,,0,1,=,Medium +18.9.63.3.3.4,"Administrative Templates: Windows Components","Remote Desktop Session Host: Device and Resource Redirection: Do not allow supported Plug and Play device redirection",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fDisablePNPRedir,,,,0,1,=,Medium +18.9.63.3.9.1,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Always prompt for password upon connection",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fPromptForPassword,,,,0,1,=,Medium +18.9.63.3.9.2,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Require secure RPC communication",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fEncryptRPCTraffic,,,,0,1,=,Medium +18.9.63.3.9.3,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Require use of specific security layer for remote (RDP) connections",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",SecurityLayer,,,,0,2,=,Medium +18.9.63.3.9.4,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Require user authentication for remote connections by using Network Level Authentication",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",UserAuthentication,,,,,1,=,Medium +18.9.63.3.9.5,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Set client connection encryption level",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",MinEncryptionLevel,,,,0,3,=,Medium +18.9.63.3.10.1,"Administrative Templates: Windows Components","Remote Desktop Session Host: Session Time Limits: Set time limit for active but idle Remote Desktop Services sessions",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",MaxIdleTime,,,,,900000,<=!0,Medium +18.9.63.3.10.2,"Administrative Templates: Windows Components","Remote Desktop Session Host: Session Time Limits: Set time limit for disconnected sessions",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",MaxDisconnectionTime,,,,,60000,=,Medium +18.9.63.3.11.1,"Administrative Templates: Windows Components","Remote Desktop Session Host: Temporary folders: Do not delete temp folders upon exit",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",DeleteTempDirsOnExit,,,,,1,=,Medium +18.9.64.1,"Administrative Templates: Windows Components","RSS Feeds: Prevent downloading of enclosures",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Feeds",DisableEnclosureDownload,,,,,1,=,Medium +18.9.65.2,"Administrative Templates: Windows Components","Search: Allow Cloud Search",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search",AllowCloudSearch,,,,1,0,=,Medium +18.9.65.3,"Administrative Templates: Windows Components","Search: Allow Cortana",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search",AllowCortana,,,,1,0,=,Medium +18.9.65.4,"Administrative Templates: Windows Components","Search: Allow Cortana above lock screen",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search",AllowCortanaAboveLock,,,,1,0,=,Medium +18.9.65.5,"Administrative Templates: Windows Components","Search: Allow indexing of encrypted files",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search",AllowIndexingEncryptedStoresOrItems,,,,1,0,=,Medium +18.9.65.6,"Administrative Templates: Windows Components","Search: Allow search and Cortana to use location",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search",AllowSearchToUseLocation,,,,1,0,=,Medium +18.9.70.1,"Administrative Templates: Windows Components","Software Protection Platform: Turn off KMS Client Online AVS Validation",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform",NoGenTicket,,,,,1,=,Medium +18.9.73.1,"Administrative Templates: Windows Components","Store: Disable all apps from Microsoft Store",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore,DisableStoreApps,,,,,1,=,Medium +18.9.73.2,"Administrative Templates: Windows Components","Store: Only display the private store within the Microsoft Store",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore,RequirePrivateStoreOnly,,,,,1,=,Medium +18.9.73.3,"Administrative Templates: Windows Components","Store: Turn off Automatic Download and Install of updates",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore,AutoDownload,,,,,4,=,Medium +18.9.73.4,"Administrative Templates: Windows Components","Store: Turn off the offer to update to the latest version of Windows",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore,DisableOSUpgrade,,,,,1,=,Medium +18.9.73.5,"Administrative Templates: Windows Components","Store: Turn off the Store application",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore,RemoveWindowsStore,,,,,1,=,Medium +18.9.81.1.1.1,"Administrative Templates: Windows Components","File Explorer: Configure Windows Defender SmartScreen",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,EnableSmartScreen,,,,1,1,=,Medium +18.9.81.1.1.2,"Administrative Templates: Windows Components","File Explorer: Configure Windows Defender SmartScreen to warn and prevent bypass",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,ShellSmartScreenLevel,,,,Warn,Block,=,Medium +18.9.81.2.1,"Microsoft Edge","Configure Windows Defender SmartScreen",Registry,,HKLM:\Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter,EnabledV9,,,,,1,=,Medium +18.9.81.2.2,"Microsoft Edge","Prevent bypassing Microsoft Defender SmartScreen prompts for sites",Registry,,HKLM:\Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter,PreventOverride,,,,,1,=,Medium +18.9.83.1,"Administrative Templates: Windows Components","Windows Game Recording and Broadcasting: Enables or disables Windows Game Recording and Broadcasting",Registry,,HKLM:\Software\Policies\Microsoft\Windows\GameDVR,AllowGameDVR,,,,1,0,=,Medium +18.9.85.1,"Administrative Templates: Windows Components","Windows Ink Workspace: Allow suggested apps in Windows Ink Workspace",Registry,,HKLM:\Software\Policies\Microsoft\WindowsInkWorkspace,AllowSuggestedAppsInWindowsInkWorkspace,,,,1,0,=,Medium +18.9.85.2,"Administrative Templates: Windows Components","Windows Ink Workspace: Allow Windows Ink Workspace",Registry,,HKLM:\Software\Policies\Microsoft\WindowsInkWorkspace,AllowWindowsInkWorkspace,,,,1,1,<=,Medium +18.9.86.1,"Administrative Templates: Windows Components","Windows Installer: Allow user control over installs",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Installer,EnableUserControl,,,,1,0,=,Medium +18.9.86.2,"Administrative Templates: Windows Components","Windows Installer: Always install with elevated privileges",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Installer,AlwaysInstallElevated,,,,1,0,=,Medium +18.9.86.3,"Administrative Templates: Windows Components","Windows Installer: Prevent Internet Explorer security prompt for Windows Installer scripts",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Installer,SafeForScripting,,,,1,0,=,Medium +18.9.87.1,"Administrative Templates: Windows Components","Windows Logon Options: Sign-in and lock last interactive user automatically after a restart",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,DisableAutomaticRestartSignOn,,,,0,1,=,Medium +18.9.96.1,PowerShell,"Turn on PowerShell Script Block Logging",Registry,,HKLM:\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging,EnableScriptBlockLogging,,,,0,0,=,Medium +18.9.96.2,PowerShell,"Turn on PowerShell Transcription",Registry,,HKLM:\Software\Policies\Microsoft\Windows\PowerShell\Transcription,EnableTranscripting,,,,0,0,=,Medium +18.9.98.1.1,"Administrative Templates: Windows Components","WinRM Client: Allow Basic authentication",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Client,AllowBasic,,,,1,0,=,Medium +18.9.98.1.2,"Administrative Templates: Windows Components","WinRM Client: Allow unencrypted traffic",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Client,AllowUnencryptedTraffic,,,,1,0,=,Medium +18.9.98.1.3,"Administrative Templates: Windows Components","WinRM Client: Disallow Digest authentication",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Client,AllowDigest,,,,1,0,=,Medium +18.9.98.2.1,"Administrative Templates: Windows Components","WinRM Service: Allow Basic authentication",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service,AllowBasic,,,,1,0,=,Medium +18.9.98.2.2,"Administrative Templates: Windows Components","WinRM Service: Allow remote server management through WinRM",Registry,,HKLM:Software\Policies\Microsoft\Windows\WinRM\Service,AllowAutoConfig,,,,1,0,=,Medium +18.9.98.2.3,"Administrative Templates: Windows Components","WinRM Service: Allow unencrypted traffic",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service,AllowUnencryptedTraffic,,,,1,0,=,Medium +18.9.98.2.4,"Administrative Templates: Windows Components","WinRM Service: Disallow WinRM from storing RunAs credentials",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service,DisableRunAs,,,,0,1,=,Medium +18.9.99.1,"Administrative Templates: Windows Components","Windows Remote Shell: Allow Remote Shell Access",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service\WinRS,AllowRemoteShellAccess,,,,1,0,=,Medium +18.9.100.2.1,"Administrative Templates: Windows Components","App and browser protection: Prevent users from modifying settings",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection",DisallowExploitProtectionOverride,,,,,1,=,Medium +18.9.103.1.1.1,"Administrative Templates: Windows Components","Windows Update: Manage updates offered from Windows Update: Manage preview builds (ManagePreviewBuilds)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,ManagePreviewBuilds,,,,,1,=,Medium +18.9.103.1.1.2,"Administrative Templates: Windows Components","Windows Update: Manage updates offered from Windows Update: Manage preview builds (ManagePreviewBuildsPolicyValue)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,ManagePreviewBuildsPolicyValue,,,,,0,=,Medium +18.9.103.1.2.1,"Administrative Templates: Windows Components","Windows Update: Manage updates offered from Windows Update: Select when Preview Builds and Feature Updates are received (DeferFeatureUpdates)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,DeferFeatureUpdates,,,,,1,=,Medium +18.9.103.1.2.2,"Administrative Templates: Windows Components","Windows Update: Manage updates offered from Windows Update: Select when Preview Builds and Feature Updates are received (BranchReadinessLevel)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,BranchReadinessLevel,,,,,16,=,Medium +18.9.103.1.2.3,"Administrative Templates: Windows Components","Windows Update: Manage updates offered from Windows Update: Select when Preview Builds and Feature Updates are received (DeferFeatureUpdatesPeriodInDays)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,DeferFeatureUpdatesPeriodInDays,,,,,180,>=,Medium +18.9.103.1.3.1,"Administrative Templates: Windows Components","Windows Update: Manage updates offered from Windows Update: Select when Quality Updates are received (DeferQualityUpdates)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,DeferQualityUpdates,,,,,1,=,Medium +18.9.103.1.3.2,"Administrative Templates: Windows Components","Windows Update: Manage updates offered from Windows Update: Select when Quality Updates are received (DeferQualityUpdatesPeriodInDays)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,DeferQualityUpdatesPeriodInDays,,,,,0,>=,Medium +18.9.103.2,"Administrative Templates: Windows Components","Windows Update: Manage end user experience: Configure Automatic Updates",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,NoAutoUpdate,,,,,0,>=,Medium +18.9.103.3,"Administrative Templates: Windows Components","Windows Update: Manage end user experience: Configure Automatic Updates: Scheduled install day",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,ScheduledInstallDay,,,,,0,>=,Medium +18.9.103.4,"Administrative Templates: Windows Components","Windows Update: Legacy Policies: No auto-restart with logged on users for scheduled automatic updates installations",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,NoAutoRebootWithLoggedOnUsers,,,,,0,>=,Medium +18.9.103.5,"Administrative Templates: Windows Components","Windows Update: Manage end user experience: Remove access to 'Pause updates' feature",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,SetDisablePauseUXAccess,,,,,1,>=,Medium diff --git a/lists/finding_list_cis_microsoft_windows_10_enterprise_21h1_user.csv b/lists/finding_list_cis_microsoft_windows_10_enterprise_21h1_user.csv new file mode 100644 index 0000000..967b8e3 --- /dev/null +++ b/lists/finding_list_cis_microsoft_windows_10_enterprise_21h1_user.csv @@ -0,0 +1,15 @@ +ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Namespace,Property,DefaultValue,RecommendedValue,Operator,Severity +19.1.3.1,"Administrative Templates: Control Panel","Enable screen saver",Registry,,"HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop",ScreenSaveActive,,,,,1,=,Medium +19.1.3.2,"Administrative Templates: Control Panel","Password protect the screen saver",Registry,,"HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop",ScreenSaverIsSecure,,,,,1,=,Medium +19.1.3.3,"Administrative Templates: Control Panel","Screen saver timeout",Registry,,"HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop",ScreenSaveTimeOut,,,,,900,<=!0,Medium +19.5.1.1,"Administrative Templates: Start Menu and Taskbar","Notifications: Turn off toast notifications on the lock screen",Registry,,HKCU:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications,NoToastApplicationNotificationOnLockScreen,,,,0,1,=,Medium +19.6.6.1.1,"Administrative Templates: System","Internet Communication Management: Internet Communication Settings: Turn off Help Experience Improvement Program",Registry,,HKCU:\Software\Policies\Microsoft\Assistance\Client\1.0,NoImplicitFeedback,,,,0,1,=,Medium +19.7.4.1,"Administrative Templates: Windows Components","Attachment Manager: Do not preserve zone information in file attachments",Registry,,HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments,SaveZoneInformation,,,,,2,=,Medium +19.7.4.2,"Administrative Templates: Windows Components","Attachment Manager: Notify antivirus programs when opening attachments",Registry,,HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments,ScanWithAntiVirus,,,,,3,=,Medium +19.7.8.1,"Administrative Templates: Windows Components","Cloud Content: Configure Windows spotlight on lock screen",Registry,,HKCU:\Software\Policies\Microsoft\Windows\CloudContent,ConfigureWindowsSpotlight,,,,,2,=,Medium +19.7.8.2,"Administrative Templates: Windows Components","Cloud Content: Do not suggest third-party content in Windows spotlight",Registry,,HKCU:\Software\Policies\Microsoft\Windows\CloudContent,DisableThirdPartySuggestions,,,,0,1,=,Medium +19.7.8.3,"Administrative Templates: Windows Components","Cloud Content: Do not use diagnostic data for tailored experiences",Registry,,HKCU:\Software\Policies\Microsoft\Windows\CloudContent,DisableTailoredExperiencesWithDiagnosticData,,,,0,1,=,Medium +19.7.8.4,"Administrative Templates: Windows Components","Cloud Content: Turn off all Windows spotlight features",Registry,,HKCU:\Software\Policies\Microsoft\Windows\CloudContent,DisableWindowsSpotlightFeatures,,,,0,1,=,Medium +19.7.28.1,"Administrative Templates: Windows Components","Network Sharing: Prevent users from sharing files within their profile",Registry,,HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoInplaceSharing,,,,0,1,=,Medium +19.7.43.1,"Administrative Templates: Windows Components","Windows Installer: Always install with elevated privileges",Registry,,HKCU:\Software\Policies\Microsoft\Windows\Installer,AlwaysInstallElevated,,,,1,0,=,Medium +19.7.47.2.1,"Administrative Templates: Windows Components","Windows Media Player: Playback: Prevent Codec Download",Registry,,HKCU:\Software\Policies\Microsoft\WindowsMediaPlayer,PreventCodecDownload,,,,,1,=,Medium diff --git a/lists/finding_list_cis_microsoft_windows_10_enterprise_21h2_machine.csv b/lists/finding_list_cis_microsoft_windows_10_enterprise_21h2_machine.csv new file mode 100644 index 0000000..c1e58d8 --- /dev/null +++ b/lists/finding_list_cis_microsoft_windows_10_enterprise_21h2_machine.csv @@ -0,0 +1,586 @@ +ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Namespace,Property,DefaultValue,RecommendedValue,Operator,Severity +1.1.1,"Account Policies","Length of password history maintained",accountpolicy,,,,,,,None,24,>=,Low +1.1.2,"Account Policies","Maximum password age",accountpolicy,,,,,,,42,365,<=!0,Low +1.1.3,"Account Policies","Minimum password age",accountpolicy,,,,,,,0,1,>=,Low +1.1.4,"Account Policies","Minimum password length",accountpolicy,,,,,,,0,14,>=,Medium +1.1.5,"Account Policies","Password must meet complexity requirements",secedit,"System Access\PasswordComplexity",,,,,,0,1,=,Medium +1.1.6,"Account Policies","Relax minimum password length limits",Registry,,HKLM:\System\CurrentControlSet\Control\SAM,RelaxMinimumPasswordLengthLimits,,,,0,1,=,Medium +1.1.7,"Account Policies","Store passwords using reversible encryption",secedit,"System Access\ClearTextPassword",,,,,,0,0,=,High +1.2.1,"Account Policies","Account lockout duration",accountpolicy,,,,,,,30,15,>=,Low +1.2.2,"Account Policies","Account lockout threshold",accountpolicy,,,,,,,Never,5,<=!0,Low +1.2.3,"Account Policies","Reset account lockout counter",accountpolicy,,,,,,,30,15,>=,Low +2.2.1,"User Rights Assignment","Access Credential Manager as a trusted caller",accesschk,SeTrustedCredManAccessPrivilege,,,,,,,,=,Medium +2.2.2,"User Rights Assignment","Access this computer from the network",accesschk,SeNetworkLogonRight,,,,,,"BUILTIN\Backup Operators;BUILTIN\Users;BUILTIN\Administrators;Everyone","BUILTIN\Remote Desktop Users;BUILTIN\Administrators",=,Medium +2.2.3,"User Rights Assignment","Act as part of the operating system",accesschk,SeTcbPrivilege,,,,,,,,=,Medium +2.2.4,"User Rights Assignment","Adjust memory quotas for a process",accesschk,SeIncreaseQuotaPrivilege,,,,,,"BUILTIN\Administrators;NT AUTHORITY\NETWORK SERVICE;NT AUTHORITY\LOCAL SERVICE","BUILTIN\Administrators;NT AUTHORITY\NETWORK SERVICE;NT AUTHORITY\LOCAL SERVICE",=,Medium +2.2.5,"User Rights Assignment","Allow log on locally",accesschk,SeInteractiveLogonRight,,,,,,"BUILTIN\Backup Operators;BUILTIN\Users;BUILTIN\Administrators;COMPUTERNAME\Guest",BUILTIN\Users;BUILTIN\Administrators,=,Medium +2.2.6,"User Rights Assignment","Allow log on through Remote Desktop Services",accesschk,SeRemoteInteractiveLogonRight,,,,,,"BUILTIN\Remote Desktop Users;BUILTIN\Administrators","BUILTIN\Remote Desktop Users;BUILTIN\Administrators",=,Medium +2.2.7,"User Rights Assignment","Back up files and directories",accesschk,SeBackupPrivilege,,,,,,"BUILTIN\Administrators;BUILTIN\Backup Operators",BUILTIN\Administrators,=,Medium +2.2.8,"User Rights Assignment","Change the system time",accesschk,SeSystemTimePrivilege,,,,,,"BUILTIN\Administrators;NT AUTHORITY\LOCAL SERVICE","BUILTIN\Administrators;NT AUTHORITY\LOCAL SERVICE",=,Medium +2.2.9,"User Rights Assignment","Change the time zone",accesschk,SeTimeZonePrivilege,,,,,,"BUILTIN\Device Owners;BUILTIN\Users;BUILTIN\Administrators;NT AUTHORITY\LOCAL SERVICE","BUILTIN\Users;BUILTIN\Administrators;NT AUTHORITY\LOCAL SERVICE",=,Medium +2.2.10,"User Rights Assignment","Create a pagefile",accesschk,SeCreatePagefilePrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium +2.2.11,"User Rights Assignment","Create a token object",accesschk,SeCreateTokenPrivilege,,,,,,,,=,Medium +2.2.12,"User Rights Assignment","Create global objects",accesschk,SeCreateGlobalPrivilege,,,,,,"NT AUTHORITY\SERVICE;BUILTIN\Administrators;NT AUTHORITY\NETWORK SERVICE;NT AUTHORITY\LOCAL SERVICE","NT AUTHORITY\SERVICE;BUILTIN\Administrators;NT AUTHORITY\NETWORK SERVICE;NT AUTHORITY\LOCAL SERVICE",=,Medium +2.2.13,"User Rights Assignment","Create permanent shared objects",accesschk,SeCreatePermanentPrivilege,,,,,,,,=,Medium +2.2.14.1,"User Rights Assignment","Create symbolic links",accesschk,SeCreateSymbolicLinkPrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium +2.2.14.2,"User Rights Assignment","Create symbolic links (Hyper-V)",accesschk,SeCreateSymbolicLinkPrivilege,,,,,,S-1-5-83-0;BUILTIN\Administrators,"NT VIRTUAL MACHINE\Virtual Machines;BUILTIN\Administrators",=,Medium +2.2.15,"User Rights Assignment","Debug programs",accesschk,SeDebugPrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium +2.2.16,"User Rights Assignment","Deny access to this computer from the network",accesschk,SeDenyNetworkLogonRight,,,,,,COMPUTERNAME\Guest,"BUILTIN\Guests;NT AUTHORITY\Local account",=,Medium +2.2.17,"User Rights Assignment","Deny log on as a batch job",accesschk,SeDenyBatchLogonRight,,,,,,,BUILTIN\Guests,=,Medium +2.2.18,"User Rights Assignment","Deny log on as a service",accesschk,SeDenyServiceLogonRight,,,,,,,BUILTIN\Guests,=,Medium +2.2.19,"User Rights Assignment","Deny log on locally",accesschk,SeDenyInteractiveLogonRight,,,,,,BUILTIN\Guests,BUILTIN\Guests,=,Medium +2.2.20,"User Rights Assignment","Deny log on through Remote Desktop Services",accesschk,SeDenyRemoteInteractiveLogonRight,,,,,,,"BUILTIN\Guests;NT AUTHORITY\Local account",=,Medium +2.2.21,"User Rights Assignment","Enable computer and user accounts to be trusted for delegation",accesschk,SeEnableDelegationPrivilege,,,,,,,,=,Medium +2.2.22,"User Rights Assignment","Force shutdown from a remote system",accesschk,SeRemoteShutdownPrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium +2.2.23,"User Rights Assignment","Generate security audits",accesschk,SeAuditPrivilege,,,,,,"NT AUTHORITY\NETWORK SERVICE;NT AUTHORITY\LOCAL SERVICE","NT AUTHORITY\NETWORK SERVICE;NT AUTHORITY\LOCAL SERVICE",=,Medium +2.2.24,"User Rights Assignment","Impersonate a client after authentication",accesschk,SeImpersonatePrivilege,,,,,,"NT AUTHORITY\SERVICE;BUILTIN\Administrators;NT AUTHORITY\NETWORK SERVICE;NT AUTHORITY\LOCAL SERVICE","NT AUTHORITY\SERVICE;BUILTIN\Administrators;NT AUTHORITY\NETWORK SERVICE;NT AUTHORITY\LOCAL SERVICE",=,Medium +2.2.25,"User Rights Assignment","Increase scheduling priority",accesschk,SeIncreaseBasePriorityPrivilege,,,,,,"Window Manager\Window Manager Group;BUILTIN\Administrators","Window Manager\Window Manager Group;BUILTIN\Administrators",=,Medium +2.2.26,"User Rights Assignment","Load and unload device drivers",accesschk,SeLoadDriverPrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium +2.2.27,"User Rights Assignment","Lock pages in memory",accesschk,SeLockMemoryPrivilege,,,,,,,,=,Medium +2.2.28,"User Rights Assignment","Log on as a batch job",accesschk,SeBatchLogonRight,,,,,,"BUILTIN\Performance Log Users;BUILTIN\Backup Operators;BUILTIN\Administrators",BUILTIN\Administrators,=,Medium +2.2.29.1,"User Rights Assignment","Log on as a service",accesschk,SeServiceLogonRight,,,,,,"NT SERVICE\ALL SERVICES;NT AUTHORITY\NETWORK SERVICE",,=,Medium +2.2.29.2,"User Rights Assignment","Log on as a service (Hyper-V)",accesschk,SeServiceLogonRight,,,,,,"S-1-5-83-0;NT SERVICE\ALL SERVICES;NT AUTHORITY\NETWORK SERVICE","NT VIRTUAL MACHINE\Virtual Machines",=,Medium +2.2.30,"User Rights Assignment","Manage auditing and security log",accesschk,SeSecurityPrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium +2.2.31,"User Rights Assignment","Modify an object label",accesschk,SeReLabelPrivilege,,,,,,,,=,Medium +2.2.32,"User Rights Assignment","Modify firmware environment values",accesschk,SeSystemEnvironmentPrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium +2.2.33,"User Rights Assignment","Perform volume maintenance tasks",accesschk,SeManageVolumePrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium +2.2.34,"User Rights Assignment","Profile single process",accesschk,SeProfileSingleProcessPrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium +2.2.35,"User Rights Assignment","Profile system performance",accesschk,SeSystemProfilePrivilege,,,,,,"NT SERVICE\WdiServiceHost;BUILTIN\Administrators","NT SERVICE\WdiServiceHost;BUILTIN\Administrators",=,Medium +2.2.36,"User Rights Assignment","Replace a process level token",accesschk,SeAssignPrimaryTokenPrivilege,,,,,,"NT AUTHORITY\NETWORK SERVICE;NT AUTHORITY\LOCAL SERVICE","NT AUTHORITY\NETWORK SERVICE;NT AUTHORITY\LOCAL SERVICE",=,Medium +2.2.37,"User Rights Assignment","Restore files and directories",accesschk,SeRestorePrivilege,,,,,,"BUILTIN\Backup Operators;BUILTIN\Administrators",BUILTIN\Administrators,=,Medium +2.2.38,"User Rights Assignment","Shut down the system",accesschk,SeShutdownPrivilege,,,,,,"BUILTIN\Backup Operators;BUILTIN\Users;BUILTIN\Administrators",BUILTIN\Users;BUILTIN\Administrators,=,Medium +2.2.39,"User Rights Assignment","Take ownership of files or other objects",accesschk,SeTakeOwnershipPrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium +2.3.1.1,"Security Options","Accounts: Administrator account status",localaccount,500,,,,,,False,False,=,Medium +2.3.1.2,"Security Options","Accounts: Block Microsoft accounts",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,NoConnectedUser,,,,0,3,=,Low +2.3.1.3,"Security Options","Accounts: Guest account status",localaccount,501,,,,,,False,False,=,Medium +2.3.1.4,"Security Options","Accounts: Limit local account use of blank passwords to console logon only",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,LimitBlankPasswordUse,,,,1,1,=,Medium +2.3.1.5,"Security Options","Accounts: Rename administrator account",localaccount,500,,,,,,Administrator,Administrator,!=,Low +2.3.1.6,"Security Options","Accounts: Rename guest account",localaccount,501,,,,,,Guest,Guest,!=,Low +2.3.2.1,"Security Options","Audit: Force audit policy subcategory settings to override audit policy category settings",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,SCENoApplyLegacyAuditPolicy,,,,"",1,=,Low +2.3.2.2,"Security Options","Audit: Shut down system immediately if unable to log security audits",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\Lsa,CrashOnAuditFail,,,,0,0,=,Low +2.3.4.1,"Security Options","Devices: Allowed to format and eject removable media",Registry,,"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",AllocateDASD,,,,,2,=,Medium +2.3.4.2,"Security Options","Devices: Prevent users from installing printer drivers",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers",AddPrinterDrivers,,,,0,1,=,Medium +2.3.6.1,"Security Options","Domain member: Digitally encrypt or sign secure channel data (always)",Registry,,HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters,RequireSignOrSeal,,,,1,1,=,Medium +2.3.6.2,"Security Options","Domain member: Digitally encrypt secure channel data (when possible)",Registry,,HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters,SealSecureChannel,,,,1,1,=,Medium +2.3.6.3,"Security Options","Domain member: Digitally sign secure channel data (when possible)",Registry,,HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters,SignSecureChannel,,,,1,1,=,Medium +2.3.6.4,"Security Options","Domain member: Disable machine account password changes",Registry,,HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters,DisablePasswordChange,,,,0,0,=,Medium +2.3.6.5,"Security Options","Domain member: Maximum machine account password age",Registry,,HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters,MaximumPasswordAge,,,,30,30,<=!0,Medium +2.3.6.6,"Security Options","Domain member: Require strong (Windows 2000 or later) session key",Registry,,HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters,RequireStrongKey,,,,1,1,=,Medium +2.3.7.1,"Security Options","Interactive logon: Do not require CTRL+ALT+DEL",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System,DisableCAD,,,,1,0,=,Low +2.3.7.2,"Security Options","Interactive logon: Don't display last signed-in",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System,DontDisplayLastUserName,,,,0,1,=,Low +2.3.7.3,"Security Options","Interactive logon: Machine account lockout threshold",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,MaxDevicePasswordFailedAttempts,,,,10,10,<=!0,Medium +2.3.7.4,"Security Options","Interactive logon: Machine inactivity limit",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,InactivityTimeoutSecs,,,,900,900,<=!0,Medium +2.3.7.5,"Security Options","Interactive logon: Message text for users attempting to log on",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,LegalNoticeText,,,,,,!=,Low +2.3.7.6,"Security Options","Interactive logon: Message title for users attempting to log on",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,LegalNoticeCaption,,,,,,!=,Low +2.3.7.7,"Security Options","Interactive logon: Number of previous logons to cache (in case domain controller is not available)",Registry,,"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",CachedLogonsCount,,,,10,4,<=,Medium +2.3.7.8.1,"Security Options","Interactive logon: Prompt user to change password before expiration (Max)",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,PasswordExpiryWarning,,,,5,14,<=,Low +2.3.7.8.2,"Security Options","Interactive logon: Prompt user to change password before expiration (Min)",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,PasswordExpiryWarning,,,,5,5,>=,Low +2.3.7.9,"Security Options","Interactive logon: Smart card removal behavior",Registry,,"HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon",ScRemoveOption,,,,0,1,=,Low +2.3.8.1,"Security Options","Microsoft network client: Digitally sign communications (always)",Registry,,HKLM:\System\CurrentControlSet\Services\LanmanWorkstation\Parameters,RequireSecuritySignature,,,,0,1,=,Medium +2.3.8.2,"Security Options","Microsoft network client: Digitally sign communications (if server agrees)",Registry,,HKLM:\System\CurrentControlSet\Services\LanmanWorkstation\Parameters,EnableSecuritySignature,,,,1,1,=,Medium +2.3.8.3,"Security Options","Microsoft network client: Send unencrypted password to third-party SMB servers",Registry,,HKLM:\System\CurrentControlSet\Services\LanmanWorkstation\Parameters,EnablePlainTextPassword,,,,0,0,=,Medium +2.3.9.1,"Security Options","Microsoft network server: Amount of idle time required before suspending session",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters,AutoDisconnect,,,,15,15,<=,Medium +2.3.9.2,"Security Options","Microsoft network server: Digitally sign communications (always)",Registry,,HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters,RequireSecuritySignature,,,,0,1,=,Medium +2.3.9.3,"Security Options","Microsoft network server: Digitally sign communications (if client agrees)",Registry,,HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters,EnableSecuritySignature,,,,0,1,=,Medium +2.3.9.4,"Security Options","Microsoft network server: Disconnect clients when logon hours expire",Registry,,HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters,enableforcedlogoff,,,,1,1,=,Medium +2.3.9.5,"Security Options","Microsoft network server: Server SPN target name validation level",Registry,,HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters,SMBServerNameHardeningLevel,,,,,1,>=,Medium +2.3.10.1,"Security Options","Network access: Allow anonymous SID/Name translation",secedit,"System Access\LSAAnonymousNameLookup",,,,,,0,0,=,Medium +2.3.10.2,"Security Options","Network access: Do not allow anonymous enumeration of SAM accounts",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,RestrictAnonymousSAM,,,,1,1,=,Medium +2.3.10.3,"Security Options","Network access: Do not allow anonymous enumeration of SAM accounts and shares",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,RestrictAnonymous,,,,0,1,=,Medium +2.3.10.4,"Security Options","Network access: Do not allow storage of passwords and credentials for network authentication",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,DisableDomainCreds,,,,0,1,=,Medium +2.3.10.5,"Security Options","Network access: Let Everyone permissions apply to anonymous users",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,EveryoneIncludesAnonymous,,,,0,0,=,Medium +2.3.10.6,"Security Options","Network access: Named Pipes that can be accessed anonymously",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters,NullSessionPipes,,,,,,=,Medium +2.3.10.7,"Security Options","Network access: Remotely accessible registry paths",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths,Machine,,,,"System\CurrentControlSet\Control\ProductOptions System\CurrentControlSet\Control\Server Applications Software\Microsoft\Windows NT\CurrentVersion","System\CurrentControlSet\Control\ProductOptions;System\CurrentControlSet\Control\Server Applications;Software\Microsoft\Windows NT\CurrentVersion",=,Medium +2.3.10.8,"Security Options","Network access: Remotely accessible registry paths and sub-paths",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths,Machine,,,,"System\CurrentControlSet\Control\Print\Printers System\CurrentControlSet\Services\Eventlog Software\Microsoft\OLAP Server Software\Microsoft\Windows NT\CurrentVersion\Print Software\Microsoft\Windows NT\CurrentVersion\Windows System\CurrentControlSet\Control\ContentIndex System\CurrentControlSet\Control\Terminal Server System\CurrentControlSet\Control\Terminal Server\UserConfig System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration Software\Microsoft\Windows NT\CurrentVersion\Perflib System\CurrentControlSet\Services\SysmonLog","System\CurrentControlSet\Control\Print\Printers;System\CurrentControlSet\Services\Eventlog;Software\Microsoft\OLAP Server;Software\Microsoft\Windows NT\CurrentVersion\Print;Software\Microsoft\Windows NT\CurrentVersion\Windows;System\CurrentControlSet\Control\ContentIndex;System\CurrentControlSet\Control\Terminal Server;System\CurrentControlSet\Control\Terminal Server\UserConfig;System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration;Software\Microsoft\Windows NT\CurrentVersion\Perflib;System\CurrentControlSet\Services\SysmonLog",=,Medium +2.3.10.9,"Security Options","Network access: Restrict anonymous access to Named Pipes and Shares",Registry,,HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters,RestrictNullSessAccess,,,,1,1,=,Medium +2.3.10.10,"Security Options","Network access: Restrict clients allowed to make remote calls to SAM",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,RestrictRemoteSAM,,,,,O:BAG:BAD:(A;;RC;;;BA),=,Medium +2.3.10.11,"Security Options","Network access: Shares that can be accessed anonymously",Registry,,HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters,NullSessionShares,,,,,,=,Medium +2.3.10.12,"Security Options","Network access: Sharing and security model for local accounts",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,ForceGuest,,,,0,0,=,Medium +2.3.11.1,"Security Options","Network security: Allow Local System to use computer identity for NTLM",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,UseMachineId,,,,,1,=,Medium +2.3.11.2,"Security Options","Network security: Allow LocalSystem NULL session fallback",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0,allownullsessionfallback,,,,0,0,=,Medium +2.3.11.3,"Security Options","Network security: Allow PKU2U authentication requests to this computer to use online identities",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa\pku2u,AllowOnlineID,,,,,0,=,Medium +2.3.11.4,"Security Options","Network security: Configure encryption types allowed for Kerberos",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters,SupportedEncryptionTypes,,,,,2147483640,<=,Medium +2.3.11.5,"Security Options","Network security: Do not store LAN Manager hash value on next password change",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,NoLMHash,,,,1,1,=,High +2.3.11.6,"Security Options","Network security: Force logoff when logon hours expires",secedit,"System Access\ForceLogoffWhenHourExpire",,,,,,0,1,=,Low +2.3.11.7,"Security Options","Network security: LAN Manager authentication level",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,LmCompatibilityLevel,,,,3,5,=,Medium +2.3.11.8,"Security Options","Network security: LDAP client signing requirements",Registry,,HKLM:\System\CurrentControlSet\Services\LDAP,LDAPClientIntegrity,,,,1,1,>=,Medium +2.3.11.9,"Security Options","Network security: Minimum session security for NTLM SSP based (including secure RPC) clients",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0,NTLMMinClientSec,,,,536870912,537395200,=,Medium +2.3.11.10,"Security Options","Network security: Minimum session security for NTLM SSP based (including secure RPC) servers",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0,NTLMMinServerSec,,,,536870912,537395200,=,Medium +2.3.14.1,"Security Options","System cryptography: Force strong key protection for user keys stored on the computer",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Cryptography,ForceKeyProtection,,,,,1,>=,Medium +2.3.15.1,"Security Options","System objects: Require case insensitivity for non-Windows subsystem",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel",ObCaseInsensitive,,,,,1,=,Medium +2.3.15.2,"Security Options","System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)",Registry,,"HKLM:\System\CurrentControlSet\Control\Session Manager",ProtectionMode,,,,1,1,=,Medium +2.3.17.1,"Security Options","User Account Control: Admin Approval Mode for the Built-in Administrator account",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,FilterAdministratorToken,,,,0,1,=,Medium +2.3.17.2,"Security Options","User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,ConsentPromptBehaviorAdmin,,,,5,2,=,Medium +2.3.17.3,"Security Options","User Account Control: Behavior of the elevation prompt for standard users",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,ConsentPromptBehaviorUser,,,,0,0,=,Medium +2.3.17.4,"Security Options","User Account Control: Detect application installations and prompt for elevation",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,EnableInstallerDetection,,,,1,1,=,Medium +2.3.17.5,"Security Options","User Account Control: Only elevate UIAccess applications that are installed in secure locations",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,EnableSecureUIAPaths,,,,1,1,=,Medium +2.3.17.6,"Security Options","User Account Control: Run all administrators in Admin Approval Mode",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,EnableLUA,,,,1,1,=,Medium +2.3.17.7,"Security Options","User Account Control: Switch to the secure desktop when prompting for elevation",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,PromptOnSecureDesktop,,,,1,1,=,Medium +2.3.17.8,"Security Options","User Account Control: Virtualize file and registry write failures to per-user locations",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,EnableVirtualization,,,,1,1,=,Medium +5.1.1,"System Services","Bluetooth Audio Gateway Service (BTAGService)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\BTAGService,Start,,,,3,4,=,Medium +5.1.2,"System Services","Bluetooth Audio Gateway Service (BTAGService) (Service Startup type)",service,BTAGService,,,,,,Manual,Disabled,=,Medium +5.2.1,"System Services","Bluetooth Support Service (bthserv)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\bthserv,Start,,,,3,4,=,Medium +5.2.2,"System Services","Bluetooth Support Service (bthserv) (Service Startup type)",service,bthserv,,,,,,Manual,Disabled,=|0,Medium +5.3.1,"System Services","Computer Browser (Browser)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\Browser,Start,,,,,4,=|0,Medium +5.3.2,"System Services","Computer Browser (Browser) (Service Startup type) (!Check for false positive for service ""bowser""!)",service,Browser,,,,,,Manual,Disabled,=|0,Medium +5.4.1,"System Services","Downloaded Maps Manager (MapsBroker)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\MapsBroker,Start,,,,2,4,=,Medium +5.4.2,"System Services","Downloaded Maps Manager (MapsBroker) (Service Startup type)",service,MapsBroker,,,,,,Automatic,Disabled,=,Medium +5.5.1,"System Services","Geolocation Service (lfsvc)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\lfsvc,Start,,,,3,4,=,Medium +5.5.2,"System Services","Geolocation Service (lfsvc) (Service Startup type)",service,lfsvc,,,,,,Manual,Disabled,=|0,Medium +5.6.1,"System Services","IIS Admin Service (IISADMIN)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\IISADMIN,Start,,,,,4,=|0,Medium +5.6.2,"System Services","IIS Admin Service (IISADMIN) (Service Startup type)",service,IISADMIN,,,,,,"",Disabled,=|0,Medium +5.7.1,"System Services","Infrared monitor service (irmon)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\irmon,Start,,,,,4,=,Medium +5.7.2,"System Services","Infrared monitor service (irmon) (Service Startup type)",service,irmon,,,,,,,Disabled,=,Medium +5.8.1,"System Services","Internet Connection Sharing (ICS) (SharedAccess)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess,Start,,,,3,4,=,Medium +5.8.2,"System Services","Internet Connection Sharing (ICS) (SharedAccess) (Service Startup type)",service,SharedAccess,,,,,,Manual,Disabled,=,Medium +5.9.1,"System Services","Link-Layer Topology Discovery Mapper (lltdsvc)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\lltdsvc,Start,,,,3,4,=,Medium +5.9.2,"System Services","Link-Layer Topology Discovery Mapper (lltdsvc) (Service Startup type)",service,lltdsvc,,,,,,Manual,Disabled,=,Medium +5.10.1,"System Services","LxssManager (LxssManager)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\LxssManager,Start,,,,"",4,=|0,Medium +5.10.2,"System Services","LxssManager (LxssManager) (Service Startup type)",service,LxssManager,,,,,,,Disabled,=|0,Medium +5.11.1,"System Services","Microsoft FTP Service (FTPSVC)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\FTPSVC,Start,,,,,4,=|0,Medium +5.11.2,"System Services","Microsoft FTP Service (FTPSVC) (Service Startup type)",service,FTPSVC,,,,,,"",Disabled,=|0,Medium +5.12.1,"System Services","Microsoft iSCSI Initiator Service (MSiSCSI)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\MSiSCSI,Start,,,,3,4,=,Medium +5.12.2,"System Services","Microsoft iSCSI Initiator Service (MsiSCSI) (Service Startup type)",service,MsiSCSI,,,,,,Manual,Disabled,=,Medium +5.13.1,"System Services","OpenSSH SSH Server (sshd)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\sshd,Start,,,,,4,=|0,Medium +5.13.2,"System Services","OpenSSH SSH Server (sshd) (Service Startup type)",service,sshd,,,,,,,Disabled,=|0,Medium +5.14.1,"System Services","Peer Name Resolution Protocol (PNRPsvc)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\PNRPsvc,Start,,,,3,4,=,Medium +5.14.2,"System Services","Peer Name Resolution Protocol (PNRPsvc) (Service Startup type)",service,PNRPsvc,,,,,,Manual,Disabled,=,Medium +5.15.1,"System Services","Peer Networking Grouping (p2psvc)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\p2psvc,Start,,,,3,4,=,Medium +5.15.2,"System Services","Peer Networking Grouping (p2psvc) (Service Startup type)",service,p2psvc,,,,,,Manual,Disabled,=,Medium +5.16.1,"System Services","Peer Networking Identity Manager (p2pimsvc)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\p2pimsvc,Start,,,,3,4,=,Medium +5.16.2,"System Services","Peer Networking Identity Manager (p2pimsvc) (Service Startup type)",service,p2pimsvc,,,,,,Manual,Disabled,=,Medium +5.17.1,"System Services","PNRP Machine Name Publication Service (PNRPAutoReg)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\PNRPAutoReg,Start,,,,3,4,=,Medium +5.17.2,"System Services","PNRP Machine Name Publication Service (PNRPAutoReg) (Service Startup type)",service,PNRPAutoReg,,,,,,Manual,Disabled,=,Medium +5.18.1,"System Services","Print Spooler (Spooler)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\Spooler,Start,,,,2,4,=,Medium +5.18.2,"System Services","Print Spooler (Spooler) (Service Startup type)",service,Spooler,,,,,,Automatic,Disabled,=,Medium +5.19.1,"System Services","Problem Reports and Solutions Control Panel Support (wercplsupport)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\wercplsupport,Start,,,,3,4,=,Medium +5.19.2,"System Services","Problem Reports and Solutions Control Panel Support (wercplsupport) (Service Startup type)",service,wercplsupport,,,,,,Manual,Disabled,=,Medium +5.20.1,"System Services","Remote Access Auto Connection Manager (RasAuto)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\RasAuto,Start,,,,3,4,=,Medium +5.20.2,"System Services","Remote Access Auto Connection Manager (RasAuto) (Service Startup type)",service,RasAuto,,,,,,Manual,Disabled,=,Medium +5.21.1,"System Services","Remote Desktop Configuration (SessionEnv)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\SessionEnv,Start,,,,3,4,=,Medium +5.21.2,"System Services","Remote Desktop Configuration (SessionEnv) (Service Startup type)",service,SessionEnv,,,,,,Manual,Disabled,=,Medium +5.22.1,"System Services","Remote Desktop Services (TermService)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\TermService,Start,,,,3,4,=,Medium +5.22.1,"System Services","Remote Desktop Services (TermService) (Service Startup type)",service,TermService,,,,,,Manual,Disabled,=,Medium +5.23.1,"System Services","Remote Desktop Services UserMode Port Redirector (UmRdpService)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\UmRdpService,Start,,,,3,4,=,Medium +5.23.2,"System Services","Remote Desktop Services UserMode Port Redirector (UmRdpService) (Service Startup type)",service,UmRdpService,,,,,,Manual,Disabled,=,Medium +5.24.1,"System Services","Remote Procedure Call (RPC) Locator (RpcLocator)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\RpcLocator,Start,,,,3,4,=,Medium +5.24.2,"System Services","Remote Procedure Call (RPC) Locator (RpcLocator) (Service Startup type)",service,RpcLocator,,,,,,Manual,Disabled,=,Medium +5.25.1,"System Services","Remote Registry (RemoteRegistry)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\RemoteRegistry,Start,,,,4,4,=,Medium +5.25.2,"System Services","Remote Registry (RemoteRegistry) (Service Startup type)",service,RemoteRegistry,,,,,,Disabled,Disabled,=,Medium +5.26.1,"System Services","Routing and Remote Access (RemoteAccess)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\RemoteAccess,Start,,,,4,4,=,Medium +5.26.2,"System Services","Routing and Remote Access (RemoteAccess) (Service Startup type)",service,RemoteAccess,,,,,,Disabled,Disabled,=,Medium +5.27.1,"System Services","Server (LanmanServer)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer,Start,,,,2,4,=,Medium +5.27.2,"System Services","Server (LanmanServer) (Service Startup type)",service,LanmanServer,,,,,,Automatic,Disabled,=,Medium +5.28.1,"System Services","Simple TCP/IP Services (simptcp)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\simptcp,Start,,,,,4,=|0,Medium +5.28.2,"System Services","Simple TCP/IP Services (simptcp) (Service Startup type)",service,simptcp,,,,,,"",Disabled,=|0,Medium +5.29.1,"System Services","SNMP Service (SNMP)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\SNMP,Start,,,,,4,=|0,Medium +5.29.2,"System Services","SNMP Service (SNMP) (Service Startup type)",service,SNMP,,,,,,"",Disabled,=|0,Medium +5.30.1,"System Services","Special Administration Console Helper (sacsvr)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\sacsvr,Start,,,,,4,=,Medium +5.30.2,"System Services","Special Administration Console Helper (sacsvr) (Service Startup type)",service,sacsvr,,,,,,,Disabled,=,Medium +5.31.1,"System Services","SSDP Discovery (SSDPSRV)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\SSDPSRV,Start,,,,3,4,=,Medium +5.31.2,"System Services","SSDP Discovery (SSDPSRV) (Service Startup type)",service,SSDPSRV,,,,,,Manual,Disabled,=,Medium +5.32.1,"System Services","UPnP Device Host (upnphost)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\upnphost,Start,,,,3,4,=,Medium +5.32.2,"System Services","UPnP Device Host (upnphost) (Service Startup type)",service,upnphost,,,,,,Manual,Disabled,=,Medium +5.33.1,"System Services","Web Management Service (WMSvc)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\WMSvc,Start,,,,,4,=|0,Medium +5.33.2,"System Services","Web Management Service (WMSvc) (Service Startup type)",service,WMSvc,,,,,,"",Disabled,=|0,Medium +5.34.1,"System Services","Windows Error Reporting Service (WerSvc)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\WerSvc,Start,,,,3,4,=,Medium +5.34.2,"System Services","Windows Error Reporting Service (WerSvc) (Service Startup type)",service,WerSvc,,,,,,Manual,Disabled,=,Medium +5.35.1,"System Services","Windows Event Collector (Wecsvc)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\Wecsvc,Start,,,,3,4,=,Medium +5.35.2,"System Services","Windows Event Collector (Wecsvc) (Service Startup type)",service,Wecsvc,,,,,,Manual,Disabled,=,Medium +5.36.1,"System Services","Windows Media Player Network Sharing Service (WMPNetworkSvc)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\WMPNetworkSvc,Start,,,,3,4,=,Medium +5.36.2,"System Services","Windows Media Player Network Sharing Service (WMPNetworkSvc) (Service Startup type)",service,WMPNetworkSvc,,,,,,Manual,Disabled,=,Medium +5.37.1,"System Services","Windows Mobile Hotspot Service (icssvc)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\icssvc,Start,,,,3,4,=,Medium +5.37.2,"System Services","Windows Mobile Hotspot Service (icssvc) (Service Startup type)",service,icssvc,,,,,,Manual,Disabled,=,Medium +5.38.1,"System Services","Windows Push Notifications System Service (WpnService)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\WpnService,Start,,,,2,4,=,Medium +5.38.2,"System Services","Windows Push Notifications System Service (WpnService) (Service Startup type)",service,WpnService,,,,,,Automatic,Disabled,=,Medium +5.39.1,"System Services","Windows PushToInstall Service (PushToInstall)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\PushToInstall,Start,,,,3,4,=,Medium +5.39.2,"System Services","Windows PushToInstall Service (PushToInstall) (Service Startup type)",service,PushToInstall,,,,,,Manual,Disabled,=,Medium +5.40.1,"System Services","Windows Remote Management (WS-Management) (WinRM)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\WinRM,Start,,,,3,4,=,Medium +5.40.1,"System Services","Windows Remote Management (WS-Management) (WinRM) (Service Startup type)",service,WinRM,,,,,,Manual,Disabled,=,Medium +5.41.1,"System Services","World Wide Web Publishing Service (W3SVC)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\W3SVC,Start,,,,,4,=|0,Medium +5.41.2,"System Services","World Wide Web Publishing Service (W3SVC) (Service Startup type)",service,W3SVC,,,,,,,Disabled,=|0,Medium +5.42.1,"System Services","Xbox Accessory Management Service (XboxGipSvc)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\XboxGipSvc,Start,,,,3,4,=,Medium +5.42.2,"System Services","Xbox Accessory Management Service (XboxGipSvc) (Service Startup type)",service,XboxGipSvc,,,,,,Manual,Disabled,=,Medium +5.43.1,"System Services","Xbox Live Auth Manager (XblAuthManager)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\XblAuthManager,Start,,,,3,4,=,Medium +5.43.2,"System Services","Xbox Live Auth Manager (XblAuthManager) (Service Startup type)",service,XblAuthManager,,,,,,Manual,Disabled,=,Medium +5.44.1,"System Services","Xbox Live Game Save (XblGameSave)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\XblGameSave,Start,,,,3,4,=,Medium +5.44.2,"System Services","Xbox Live Game Save (XblGameSave) (Service Startup type)",service,XblGameSave,,,,,,Manual,Disabled,=,Medium +5.45.1,"System Services","Xbox Live Networking Service (XboxNetApiSvc)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\XboxNetApiSvc,Start,,,,3,4,=,Medium +5.45.2,"System Services","Xbox Live Networking Service (XboxNetApiSvc) (Service Startup type)",service,XboxNetApiSvc,,,,,,Manual,Disabled,=,Medium +9.1.1,"Windows Firewall","EnableFirewall (Domain Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile,EnableFirewall,,,,0,1,=,Medium +9.1.2,"Windows Firewall","Inbound Connections (Domain Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile,DefaultInboundAction,,,,1,1,=,Medium +9.1.3,"Windows Firewall","Outbound Connections (Domain Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile,DefaultOutboundAction,,,,0,0,=,Medium +9.1.4,"Windows Firewall","Display a notification (Domain Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile,DisableNotifications,,,,0,1,=,Low +9.1.5,"Windows Firewall","Name of log file (Domain Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging,LogFilePath,,,,%SystemRoot%\System32\logfiles\firewall\pfirewall.log,%SystemRoot%\System32\logfiles\firewall\domainfw.log,=,Low +9.1.6,"Windows Firewall","Log size limit (Domain Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging,LogFileSize,,,,4096,16384,>=,Medium +9.1.7,"Windows Firewall","Log dropped packets (Domain Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging,LogDroppedPackets,,,,0,1,=,Medium +9.1.8,"Windows Firewall","Log successful connections (Domain Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging,LogSuccessfulConnections,,,,0,1,=,Low +9.2.1,"Windows Firewall","EnableFirewall (Private Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile,EnableFirewall,,,,0,1,=,Medium +9.2.2,"Windows Firewall","Inbound Connections (Private Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile,DefaultInboundAction,,,,1,1,=,Medium +9.2.3,"Windows Firewall","Outbound Connections (Private Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile,DefaultOutboundAction,,,,0,0,=,Medium +9.2.4,"Windows Firewall","Display a notification (Private Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile,DisableNotifications,,,,0,1,=,Low +9.2.5,"Windows Firewall","Name of log file (Private Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging,LogFilePath,,,,%SystemRoot%\System32\logfiles\firewall\pfirewall.log,%SystemRoot%\System32\logfiles\firewall\privatefw.log,=,Low +9.2.6,"Windows Firewall","Log size limit (Private Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging,LogFileSize,,,,4096,16384,>=,Medium +9.2.7,"Windows Firewall","Log dropped packets (Private Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging,LogDroppedPackets,,,,0,1,=,Medium +9.2.8,"Windows Firewall","Log successful connections (Private Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging,LogSuccessfulConnections,,,,0,1,=,Low +9.3.1,"Windows Firewall","EnableFirewall (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile,EnableFirewall,,,,0,1,=,Medium +9.3.2,"Windows Firewall","Inbound Connections (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile,DefaultInboundAction,,,,1,1,=,Medium +9.3.3,"Windows Firewall","Outbound Connections (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile,DefaultOutboundAction,,,,0,0,=,Medium +9.3.4,"Windows Firewall","Display a notification (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile,DisableNotifications,,,,0,1,=,Low +9.3.5,"Windows Firewall","Apply local firewall rules (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile,AllowLocalPolicyMerge,,,,0,0,=,Low +9.3.6,"Windows Firewall","Apply local connection security rules (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile,AllowLocalIPsecPolicyMerge,,,,0,0,=,Low +9.3.7,"Windows Firewall","Name of log file (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging,LogFilePath,,,,%SystemRoot%\System32\logfiles\firewall\pfirewall.log,%SystemRoot%\System32\logfiles\firewall\publicfw.log,=,Low +9.3.8,"Windows Firewall","Log size limit (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging,LogFileSize,,,,4096,16384,>=,Medium +9.3.9,"Windows Firewall","Log dropped packets (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging,LogDroppedPackets,,,,0,1,=,Medium +9.3.10,"Windows Firewall","Log successful connections (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging,LogSuccessfulConnections,,,,0,1,=,Low +17.1.1,"Advanced Audit Policy Configuration","Credential Validation",auditpol,{0CCE923F-69AE-11D9-BED3-505054503030},,,,,,"No Auditing","Success and Failure",=,Low +17.2.1,"Advanced Audit Policy Configuration","Application Group Management",auditpol,{0CCE9239-69AE-11D9-BED3-505054503030},,,,,,"No Auditing","Success and Failure",=,Low +17.2.2,"Advanced Audit Policy Configuration","Security Group Management",auditpol,{0CCE9237-69AE-11D9-BED3-505054503030},,,,,,Success,Success,contains,Low +17.2.3,"Advanced Audit Policy Configuration","User Account Management",auditpol,{0CCE9235-69AE-11D9-BED3-505054503030},,,,,,Success,"Success and Failure",=,Low +17.3.1,"Advanced Audit Policy Configuration","Plug and Play Events",auditpol,{0cce9248-69ae-11d9-bed3-505054503030},,,,,,"No Auditing",Success,contains,Low +17.3.2,"Advanced Audit Policy Configuration","Process Creation",auditpol,{0CCE922B-69AE-11D9-BED3-505054503030},,,,,,"No Auditing",Success,contains,Low +17.5.1,"Advanced Audit Policy Configuration","Account Lockout",auditpol,{0CCE9217-69AE-11D9-BED3-505054503030},,,,,,Success,Failure,contains,Low +17.5.2,"Advanced Audit Policy Configuration","Group Membership",auditpol,{0cce9249-69ae-11d9-bed3-505054503030},,,,,,"No Auditing",Success,contains,Low +17.5.3,"Advanced Audit Policy Configuration",Logoff,auditpol,{0CCE9216-69AE-11D9-BED3-505054503030},,,,,,Success,Success,contains,Low +17.5.4,"Advanced Audit Policy Configuration",Logon,auditpol,{0CCE9215-69AE-11D9-BED3-505054503030},,,,,,"Success and Failure","Success and Failure",=,Low +17.5.5,"Advanced Audit Policy Configuration","Other Logon/Logoff Events",auditpol,{0CCE921C-69AE-11D9-BED3-505054503030},,,,,,"No Auditing","Success and Failure",=,Low +17.5.6,"Advanced Audit Policy Configuration","Special Logon",auditpol,{0CCE921B-69AE-11D9-BED3-505054503030},,,,,,Success,Success,contains,Low +17.6.1,"Advanced Audit Policy Configuration","Detailed File Share",auditpol,{0CCE9244-69AE-11D9-BED3-505054503030},,,,,,"No Auditing",Failure,contains,Low +17.6.2,"Advanced Audit Policy Configuration","File Share",auditpol,{0CCE9224-69AE-11D9-BED3-505054503030},,,,,,"No Auditing","Success and Failure",=,Low +17.6.3,"Advanced Audit Policy Configuration","Other Object Access Events",auditpol,{0CCE9227-69AE-11D9-BED3-505054503030},,,,,,"No Auditing","Success and Failure",=,Low +17.6.4,"Advanced Audit Policy Configuration","Removable Storage",auditpol,{0CCE9245-69AE-11D9-BED3-505054503030},,,,,,"No Auditing","Success and Failure",=,Low +17.7.1,"Advanced Audit Policy Configuration","Audit Policy Change",auditpol,{0CCE922F-69AE-11D9-BED3-505054503030},,,,,,Success,Success,contains,Low +17.7.2,"Advanced Audit Policy Configuration","Authentication Policy Change",auditpol,{0CCE9230-69AE-11D9-BED3-505054503030},,,,,,Success,Success,contains,Low +17.7.3,"Advanced Audit Policy Configuration","Authorization Policy Change",auditpol,{0CCE9231-69AE-11D9-BED3-505054503030},,,,,,"No Auditing",Success,contains,Low +17.7.4,"Advanced Audit Policy Configuration","MPSSVC Rule-Level Policy Change",auditpol,{0CCE9232-69AE-11D9-BED3-505054503030},,,,,,"No Auditing","Success and Failure",=,Low +17.7.5,"Advanced Audit Policy Configuration","Other Policy Change Events",auditpol,{0CCE9234-69AE-11D9-BED3-505054503030},,,,,,"No Auditing",Failure,contains,Low +17.8.1,"Advanced Audit Policy Configuration","Sensitive Privilege Use",auditpol,{0CCE9228-69AE-11D9-BED3-505054503030},,,,,,"No Auditing","Success and Failure",=,Low +17.9.1,"Advanced Audit Policy Configuration","IPsec Driver",auditpol,{0CCE9213-69AE-11D9-BED3-505054503030},,,,,,"No Auditing","Success and Failure",=,Low +17.9.2,"Advanced Audit Policy Configuration","Other System Events",auditpol,{0CCE9214-69AE-11D9-BED3-505054503030},,,,,,"Success and Failure","Success and Failure",=,Low +17.9.3,"Advanced Audit Policy Configuration","Security State Change",auditpol,{0CCE9210-69AE-11D9-BED3-505054503030},,,,,,Success,Success,contains,Low +17.9.4,"Advanced Audit Policy Configuration","Security System Extension",auditpol,{0CCE9211-69AE-11D9-BED3-505054503030},,,,,,"No Auditing",Success,contains,Low +17.9.5,"Advanced Audit Policy Configuration","System Integrity",auditpol,{0CCE9212-69AE-11D9-BED3-505054503030},,,,,,"Success and Failure","Success and Failure",=,Low +18.1.1.1,"Administrative Templates: Control Panel","Personalization: Prevent enabling lock screen camera",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Personalization,NoLockScreenCamera,,,,0,1,=,Low +18.1.1.2,"Administrative Templates: Control Panel","Personalization: Prevent enabling lock screen slide show",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Personalization,NoLockScreenSlideshow,,,,0,1,=,Low +18.1.2.2,"Administrative Templates: Control Panel","Regional and Language Options: Allow users to enable online speech recognition services",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\InputPersonalization,AllowInputPersonalization,,,,1,0,=,Medium +18.1.3,"Administrative Templates: Control Panel","Allow Online Tips",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer,AllowOnlineTips,,,,1,0,=,Medium +18.2.1,"Administrative Templates: LAPS","LAPS AdmPwd GPO Extension / CSE",Registry,,"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA}",DllName,,,,,"C:\Program Files\LAPS\CSE\AdmPwd.dll",=,Medium +18.2.2,"Administrative Templates: LAPS","Do not allow password expiration time longer than required by policy",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd",PwdExpirationProtectionEnabled,,,,,1,=,Medium +18.2.3,"Administrative Templates: LAPS","Enable local admin password management",Registry,,"HKLM:\Software\Policies\Microsoft Services\AdmPwd",AdmPwdEnabled,,,,,1,=,Medium +18.2.4,"Administrative Templates: LAPS","Password Settings: Password Complexity",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd",PasswordComplexity,,,,,4,=,Medium +18.2.5,"Administrative Templates: LAPS","Password Settings: Password Length",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd",PasswordLength,,,,,15,>=,Medium +18.2.6,"Administrative Templates: LAPS","Password Settings: Password Age (Days)",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd",PasswordLength,,,,,30,<=,Medium +18.3.1,"MS Security Guide","Apply UAC restrictions to local accounts on network logons",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,LocalAccountTokenFilterPolicy,,,,,0,=,Medium +18.3.2,"MS Security Guide","Configure SMB v1 client driver",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\MrxSmb10,Start,,,,,4,=,Medium +18.3.3,"MS Security Guide","Configure SMB v1 server",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters,SMB1,,,,,0,=,Medium +18.3.4,"MS Security Guide","Enable Structured Exception Handling Overwrite Protection (SEHOP)",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel",DisableExceptionChainValidation,,,,,0,=,Medium +18.3.5,"MS Security Guide","Limits print driver installation to Administrators",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint",RestrictDriverInstallationToAdministrators,,,,0,1,=,Medium +18.3.6,"MS Security Guide","NetBT NodeType configuration",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters,NodeType,,,,0,2,=,Medium +18.3.7,"MS Security Guide","WDigest Authentication",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest,UseLogonCredential,,,,0,0,=,High +18.4.1,"MSS (Legacy)","MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)",Registry,,"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",AutoAdminLogon,,,,0,0,=,Medium +18.4.2,"MSS (Legacy)","MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip6\Parameters,DisableIPSourceRouting,,,,,2,=,Medium +18.4.3,"MSS (Legacy)","MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,DisableIPSourceRouting,,,,,2,=,Medium +18.4.4,"MSS (Legacy)","MSS: (DisableSavePassword) Prevent the dial-up password from being saved",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\Parameters,DisableSavePassword,,,,,1,=,Medium +18.4.5,"MSS (Legacy)","MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,EnableICMPRedirect,,,,,0,=,Medium +18.4.6,"MSS (Legacy)","MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters,KeepAliveTime,,,,,300000,<=,Medium +18.4.7,"MSS (Legacy)","MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers",Registry,,HKLM:\System\CurrentControlSet\Services\Netbt\Parameters,NoNameReleaseOnDemand,,,,0,1,=,Medium +18.4.8,"MSS (Legacy)","MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters,PerformRouterDiscovery,,,,,0,=,Medium +18.4.9,"MSS (Legacy)","MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager",SafeDLLSearchMode,,,,0,1,=,Medium +18.4.10,"MSS (Legacy)","MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)",Registry,,"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",ScreenSaverGracePeriod,,,,5,5,<=,Medium +18.4.11,"MSS (Legacy)","MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip6\Parameters,TcpMaxDataRetransmissions,,,,5,3,<=,Medium +18.4.12,"MSS (Legacy)","MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,TcpMaxDataRetransmissions,,,,5,3,<=,Medium +18.4.13,"MSS (Legacy)","MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\Eventlog\Security,WarningLevel,,,,0,90,<=,Medium +18.5.4.1,"Administrative Templates: Network","DNS Client: Configure DNS over HTTPS (DoH) name resolution",Registry,,"HKLM:\Software\Policies\Microsoft\Windows NT\DNSClient",DoHPolicy,,,,,2,>=,Medium +18.5.4.2,"Administrative Templates: Network","DNS Client: Turn off multicast name resolution (LLMNR)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows NT\DNSClient",EnableMulticast,,,,1,0,=,Medium +18.5.5.1,"Administrative Templates: Network","Fonts: Enable Font Providers",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,EnableFontProviders,,,,1,0,=,Medium +18.5.8.1,"Administrative Templates: Network","Lanman Workstation: Enable insecure guest logons",Registry,,HKLM:\Software\Policies\Microsoft\Windows\LanmanWorkstation,AllowInsecureGuestAuth,,,,1,0,=,Medium +18.5.9.1.1,"Administrative Templates: Network","Link-Layer Topology Discovery: Turn on Mapper I/O (LLTDIO) driver (AllowLLTDIOOndomain)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\LLTD,AllowLLTDIOOndomain,,,,0,0,=,Medium +18.5.9.1.2,"Administrative Templates: Network","Link-Layer Topology Discovery: Turn on Mapper I/O (LLTDIO) driver (AllowLLTDIOOnPublicNet)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\LLTD,AllowLLTDIOOnPublicNet,,,,0,0,=,Medium +18.5.9.1.3,"Administrative Templates: Network","Link-Layer Topology Discovery: Turn on Mapper I/O (LLTDIO) driver (EnableLLTDIO)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\LLTD,EnableLLTDIO,,,,0,0,=,Medium +18.5.9.1.4,"Administrative Templates: Network","Link-Layer Topology Discovery: Turn on Mapper I/O (LLTDIO) driver (ProhibitLLTDIOOnPrivateNet)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\LLTD,ProhibitLLTDIOOnPrivateNet,,,,0,0,=,Medium +18.5.9.2.1,"Administrative Templates: Network","Turn on Responder (RSPNDR) driver (AllowRspndrOnDomain)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\LLTD,AllowRspndrOnDomain,,,,0,0,=,Medium +18.5.9.2.2,"Administrative Templates: Network","Turn on Responder (RSPNDR) driver (AllowRspndrOnPublicNet)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\LLTD,AllowRspndrOnPublicNet,,,,0,0,=,Medium +18.5.9.2.3,"Administrative Templates: Network","Turn on Responder (RSPNDR) driver (EnableRspndr)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\LLTD,EnableRspndr,,,,0,0,=,Medium +18.5.9.2.4,"Administrative Templates: Network","Turn on Responder (RSPNDR) driver (ProhibitRspndrOnPrivateNet)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\LLTD,ProhibitRspndrOnPrivateNet,,,,0,0,=,Medium +18.5.10.2,"Administrative Templates: Network","Turn off Microsoft Peer-to-Peer Networking Services",Registry,,HKLM:\Software\policies\Microsoft\Peernet,Disabled,,,,0,1,=,Medium +18.5.11.2,"Administrative Templates: Network","Network Connections: Prohibit installation and configuration of Network Bridge on your DNS domain network",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\Network Connections",NC_AllowNetBridge_NLA,,,,0,0,=,Medium +18.5.11.3,"Administrative Templates: Network","Network Connections: Prohibit use of Internet Connection Sharing on your DNS domain network",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\Network Connections",NC_ShowSharedAccessUI,,,,1,0,=,Medium +18.5.11.4,"Administrative Templates: Network","Network Connections: Require domain users to elevate when setting a network's location",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\Network Connections",NC_StdDomainUserSetLocation,,,,0,1,=,Medium +18.5.14.1.1,"Administrative Templates: Network","Network Provider: Hardened UNC Paths (NETLOGON)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths,\\*\NETLOGON,,,,,"RequireMutualAuthentication=1, RequireIntegrity=1",=,Medium +18.5.14.1.2,"Administrative Templates: Network","Network Provider: Hardened UNC Paths (SYSVOL)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths,\\*\SYSVOL,,,,,"RequireMutualAuthentication=1, RequireIntegrity=1",=,Medium +18.5.19.2.1,"Administrative Templates: Network","Disable IPv6",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters,DisabledComponents,,,,0,255,=,Medium +18.5.20.1.1,"Administrative Templates: Network","Windows Connect Now: Configuration of wireless settings using Windows Connect Now (EnableRegistrars)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars,EnableRegistrars,,,,1,0,=,Medium +18.5.20.1.2,"Administrative Templates: Network","Windows Connect Now: Configuration of wireless settings using Windows Connect Now (DisableUPnPRegistrar)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars,DisableUPnPRegistrar,,,,1,0,=,Medium +18.5.20.1.3,"Administrative Templates: Network","Windows Connect Now: Configuration of wireless settings using Windows Connect Now (DisableInBand802DOT11Registrar)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars,DisableInBand802DOT11Registrar,,,,1,0,=,Medium +18.5.20.1.4,"Administrative Templates: Network","Windows Connect Now: Configuration of wireless settings using Windows Connect Now (DisableFlashConfigRegistrar)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars,DisableFlashConfigRegistrar,,,,1,0,=,Medium +18.5.20.1.5,"Administrative Templates: Network","Windows Connect Now: Configuration of wireless settings using Windows Connect Now (DisableWPDRegistrar)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars,DisableWPDRegistrar,,,,1,0,=,Medium +18.5.20.2,"Administrative Templates: Network","Windows Connect Now: Prohibit access of the Windows Connect Now wizards",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WCN\UI,DisableWcnUi,,,,0,1,=,Medium +18.5.21.1,"Administrative Templates: Network","Windows Connection Manager: Minimize the number of simultaneous connections to the Internet or a Windows Domain",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy,fMinimizeConnections,,,,1,3,=,Medium +18.5.21.2,"Administrative Templates: Network","Windows Connection Manager: Prohibit connection to non-domain networks when connected to domain authenticated network",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WcmSvc\GroupPolicy,fBlockNonDomain,,,,,1,=,Medium +18.5.23.2.1,"Administrative Templates: Network","WLAN Settings: Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services",Registry,,HKLM:\Software\Microsoft\wcmsvc\wifinetworkmanager\config,AutoConnectAllowedOEM,,,,1,0,=,Medium +18.6.1,"Administrative Templates","Printers: Allow Print Spooler to accept client connections",Registry,,"HKLM:\Software\Policies\Microsoft\Windows NT\Printers",RegisterSpoolerRemoteRpcEndPoint,,,,1,2,=,Medium +18.6.2,"Administrative Templates","Printers: Point and Print Restrictions: When installing drivers for a new connection",Registry,,"HKLM:\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint",NoWarningNoElevationOnInstall,,,,0,0,=,Medium +18.6.3,"Administrative Templates","Printers: Point and Print Restrictions: When updating drivers for an existing connection",Registry,,"HKLM:\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint",UpdatePromptSettings,,,,0,0,=,Medium +18.7.1.1,"Administrative Templates: Start Menu and Taskbar","Notifications: Turn off notifications network usage",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications,NoCloudApplicationNotification,,,,0,1,=,Medium +18.8.3.1,"Administrative Templates: System","Audit Process Creation: Include command line in process creation events",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit,ProcessCreationIncludeCmdLine_Enabled,,,,0,1,=,Medium +18.8.4.1,"Administrative Templates: System","Credentials Delegation: Encryption Oracle Remediation",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters,AllowEncryptionOracle,,,,0,0,=,Medium +18.8.4.2,"Administrative Templates: System","Credentials Delegation: Remote host allows delegation of non-exportable credentials",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CredentialsDelegation,AllowProtectedCreds,,,,,1,=,Medium +18.8.5.1,"Administrative Templates: System","Device Guard: Turn On Virtualization Based Security (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,EnableVirtualizationBasedSecurity,,,,,1,=,Medium +18.8.5.2,"Administrative Templates: System","Device Guard: Select Platform Security Level (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,RequirePlatformSecurityFeatures,,,,,3,=,Medium +18.8.5.3,"Administrative Templates: System","Device Guard: Virtualization Based Protection of Code Integrity (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,HypervisorEnforcedCodeIntegrity,,,,,1,=,Medium +18.8.5.4,"Administrative Templates: System","Device Guard: Require UEFI Memory Attributes Table (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,HVCIMATRequired,,,,,1,=,Medium +18.8.5.5,"Administrative Templates: System","Device Guard: Credential Guard Configuration (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,LsaCfgFlags,,,,,1,=,Medium +18.8.5.6,"Administrative Templates: System","Device Guard: Secure Launch Configuration (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,ConfigureSystemGuardLaunch,,,,0,1,=,Medium +18.8.7.1.1,"Administrative Templates: System","Device Installation: Device Installation Restrictions: Prevent installation of devices that match an ID",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions,DenyDeviceIDs,,,,0,1,=,Medium +18.8.7.1.2,"Administrative Templates: System","Device Installation: Device Installation Restrictions: Prevent installation of devices that match ID PCI\CC_0C0A (Thunderbolt)",RegistryList,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceIDs,PCI\CC_0C0A,,,,0,PCI\CC_0C0A,=,Medium +18.8.7.1.3,"Administrative Templates: System","Device Installation: Device Installation Restrictions: Prevent installation of devices that match an ID (Retroactive)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions,DenyDeviceIDsRetroactive,,,,0,1,=,Medium +18.8.7.1.4,"Administrative Templates: System","Device Installation: Device Installation Restrictions: Prevent installation of devices using drivers that match an device setup class",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions,DenyDeviceClasses,,,,0,1,=,Medium +18.8.7.1.5.1,"Administrative Templates: System","Device Installation: Device Installation Restrictions: Prevent installation of devices using drivers that match d48179be-ec20-11d1-b6b8-00c04fa372a7 (SBP-2 drive)",RegistryList,,HKLM:\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceClasses,d48179be-ec20-11d1-b6b8-00c04fa372a7,,,,0,d48179be-ec20-11d1-b6b8-00c04fa372a7,=,Medium +18.8.7.1.5.2,"Administrative Templates: System","Device Installation: Device Installation Restrictions: Prevent installation of devices using drivers that match 7ebefbc0-3200-11d2-b4c2-00a0C9697d07 (SBP-2 drive)",RegistryList,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceClasses,7ebefbc0-3200-11d2-b4c2-00a0C9697d07,,,,0,7ebefbc0-3200-11d2-b4c2-00a0C9697d07,=,Medium +18.8.7.1.5.3,"Administrative Templates: System","Device Installation: Device Installation Restrictions: Prevent installation of devices using drivers that match c06ff265-ae09-48f0-812c-16753d7cba83 (SBP-2 drive)",RegistryList,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceClasses,c06ff265-ae09-48f0-812c-16753d7cba83,,,,0,c06ff265-ae09-48f0-812c-16753d7cba83,=,Medium +18.8.7.1.5.4,"Administrative Templates: System","Device Installation: Device Installation Restrictions: Prevent installation of devices using drivers that match 6bdd1fc1-810f-11d0-bec7-08002be2092f (SBP-2 drive)",RegistryList,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceClasses,6bdd1fc1-810f-11d0-bec7-08002be2092f,,,,0,6bdd1fc1-810f-11d0-bec7-08002be2092f,=,Medium +18.8.7.1.6,"Administrative Templates: System","Device Installation: Device Installation Restrictions: Prevent installation of devices using drivers that match an device setup class (Retroactive)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions,DenyDeviceClassesRetroactive,,,,0,1,=,Medium +18.8.7.2,"Administrative Templates: System","Device Installation: Device Installation Restrictions: Prevent device metadata retrieval from the Internet",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Device Metadata",PreventDeviceMetadataFromNetwork,,,,,1,=,Medium +18.8.14.1,"Administrative Templates: System","Early Launch Antimalware: Boot-Start Driver Initialization Policy",Registry,,HKLM:\System\CurrentControlSet\Policies\EarlyLaunch,DriverLoadPolicy,,,,0,3,=,Medium +18.8.21.2,"Administrative Templates: System","Group Policy: Do not apply during periodic background processing",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}",NoGPOListChanges,,,,0,0,=,Medium +18.8.21.3,"Administrative Templates: System","Group Policy: Process even if the Group Policy objects have not changed",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}",NoBackgroundPolicy,,,,1,0,=,Medium +18.8.21.4,"Administrative Templates: System","Group Policy: Continue experiences on this device",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,EnableCdp,,,,1,0,=,Medium +18.8.21.5,"Administrative Templates: System","Group Policy: Turn off background refresh of Group Policy",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,DisableBkGndGroupPolicy,,,,0,0,=,Medium +18.8.22.1.1,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off access to the Store",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Explorer,NoUseStoreOpenWith,,,,0,1,=,Medium +18.8.22.1.2,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off downloading of print drivers over HTTP",Registry,,"HKLM:\Software\Policies\Microsoft\Windows NT\Printers",DisableWebPnPDownload,,,,0,1,=,Medium +18.8.22.1.3,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off handwriting personalization data sharing",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\TabletPC,PreventHandwritingDataSharing,,,,0,1,=,Medium +18.8.22.1.4,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off handwriting recognition error reporting",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports,PreventHandwritingErrorReports,,,,0,1,=,Medium +18.8.22.1.5,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard",ExitOnMSICW,,,,0,1,=,Medium +18.8.22.1.6,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off Internet download for Web publishing and online ordering wizards",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoWebServices,,,,0,1,=,Medium +18.8.22.1.7,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off printing over HTTP",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers",DisableHTTPPrinting,,,,0,1,=,Medium +18.8.22.1.8,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off Registration if URL connection is referring to Microsoft.com",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Registration Wizard Control",NoRegistration,,,,0,1,=,Medium +18.8.22.1.9,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off Search Companion content file updates",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\SearchCompanion,DisableContentFileUpdates,,,,0,1,=,Medium +18.8.22.1.10,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off the 'Order Prints' picture task",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoOnlinePrintsWizard,,,,0,1,=,Medium +18.8.22.1.11,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off the 'Publish to Web' task for files and folders",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoPublishingWizard,,,,0,1,=,Medium +18.8.22.1.12,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off the Windows Messenger Customer Experience Improvement Program",Registry,,HKLM:\Software\Policies\Microsoft\Messenger\Client,CEIP,,,,0,2,=,Medium +18.8.22.1.13,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off Windows Customer Experience Improvement Program",Registry,,HKLM:\Software\Policies\Microsoft\SQMClient\Windows,CEIPEnable,,,,1,0,=,Medium +18.8.22.1.14.1,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off Windows Error Reporting 1",Registry,,HKLM:\Software\Policies\Microsoft\PCHealth\ErrorReporting,DoReport,,,,1,0,=,Medium +18.8.22.1.14.2,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off Windows Error Reporting 2",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\Windows Error Reporting",Disabled,,,,0,1,=,Medium +18.8.25.1.1,"Administrative Templates: System","Kerberos: Support device authentication using certificate (DevicePKInitBehavior)",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters,DevicePKInitBehavior,,,,1,0,=,Medium +18.8.25.1.2,"Administrative Templates: System","Kerberos: Support device authentication using certificate (DevicePKInitEnabled)",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters,DevicePKInitEnabled,,,,1,1,=,Medium +18.8.26.1,"Administrative Templates: System","Kernel DMA Protection: Enumeration policy for external devices incompatible with Kernel DMA Protection",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Kernel DMA Protection",DeviceEnumerationPolicy,,,,2,0,=,Medium +18.8.27.1,"Administrative Templates: System","Locale Services: Disallow copying of user input methods to the system account for sign-in",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Control Panel\International",BlockUserInputMethodsForSignIn,,,,0,1,=,Medium +18.8.28.1,"Administrative Templates: System","Logon: Block user from showing account details on sign-in",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,BlockUserFromShowingAccountDetailsOnSignin,,,,0,1,=,Medium +18.8.28.2,"Administrative Templates: System","Logon: Do not display network selection UI",Registry,,HKLM:\Software\Policies\Microsoft\Windows\System,DontDisplayNetworkSelectionUI,,,,0,1,=,Medium +18.8.28.3,"Administrative Templates: System","Logon: Do not enumerate connected users on domain-joined computers",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,DontEnumerateConnectedUsers,,,,0,1,=,Medium +18.8.28.4,"Administrative Templates: System","Logon: Enumerate local users on domain-joined computers",Registry,,HKLM:\Software\Policies\Microsoft\Windows\System,EnumerateLocalUsers,,,,0,0,=,Medium +18.8.28.5,"Administrative Templates: System","Logon: Turn off app notifications on the lock screen",Registry,,HKLM:\Software\Policies\Microsoft\Windows\System,DisableLockScreenAppNotifications,,,,0,1,=,Medium +18.8.28.6,"Administrative Templates: System","Logon: Turn off picture password sign-in",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,BlockDomainPicturePassword,,,,0,1,=,Medium +18.8.28.7,"Administrative Templates: System","Logon: Turn on convenience PIN sign-in",Registry,,HKLM:\Software\Policies\Microsoft\Windows\System,AllowDomainPINLogon,,,,1,0,=,Medium +18.8.31.1,"Administrative Templates: System","OS Policies: Allow Clipboard synchronization across devices",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,AllowCrossDeviceClipboard,,,,1,0,=,Medium +18.8.31.2,"Administrative Templates: System","OS Policies: Allow upload of User Activities",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,UploadUserActivities,,,,1,0,=,Medium +18.8.34.6.1,"Administrative Templates: System","Sleep Settings: Allow network connectivity during connected-standby (on battery)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9,DCSettingIndex,,,,1,0,=,Medium +18.8.34.6.2,"Administrative Templates: System","Sleep Settings: Allow network connectivity during connected-standby (plugged in)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9,ACSettingIndex,,,,1,0,=,Medium +18.8.34.6.3,"Administrative Templates: System","Sleep Settings: Allow standby states (S1-S3) when sleeping (on battery)",Registry,,HKLM:\Software\Policies\Microsoft\Power\PowerSettings\abfc2519-3608-4c2a-94ea-171b0ed546ab,DCSettingIndex,,,,1,0,=,Medium +18.8.34.6.4,"Administrative Templates: System","Sleep Settings: Allow standby states (S1-S3) when sleeping (plugged in)",Registry,,HKLM:\Software\Policies\Microsoft\Power\PowerSettings\abfc2519-3608-4c2a-94ea-171b0ed546ab,ACSettingIndex,,,,1,0,=,Medium +18.8.34.6.5,"Administrative Templates: System","Sleep Settings: Require a password when a computer wakes (on battery)",Registry,,HKLM:\Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51,DCSettingIndex,,,,0,1,=,Medium +18.8.34.6.6,"Administrative Templates: System","Sleep Settings: Require a password when a computer wakes (plugged in)",Registry,,HKLM:\Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51,ACSettingIndex,,,,0,1,=,Medium +18.8.36.1,"Administrative Templates: System","Remote Assistance: Configure Offer Remote Assistance",Registry,,"HKLM:\Software\policies\Microsoft\Windows NT\Terminal Services",fAllowUnsolicited,,,,1,0,=,Medium +18.8.36.2,"Administrative Templates: System","Remote Assistance: Configure Solicited Remote Assistance",Registry,,"HKLM:\Software\policies\Microsoft\Windows NT\Terminal Services",fAllowToGetHelp,,,,1,0,=,Medium +18.8.37.1,"Administrative Templates: System","Remote Procedure Call: Enable RPC Endpoint Mapper Client Authentication",Registry,,"HKLM:\Software\Policies\Microsoft\Windows NT\Rpc",EnableAuthEpResolution,,,,0,1,=,Medium +18.8.37.2,"Administrative Templates: System","Remote Procedure Call: Restrict Unauthenticated RPC clients",Registry,,"HKLM:\Software\Policies\Microsoft\Windows NT\Rpc",RestrictRemoteClients,,,,0,1,=,Medium +18.8.48.5.1,"Administrative Templates: System","Troubleshooting and Diagnostics: Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy,DisableQueryRemoteServer,,,,1,0,=,Medium +18.8.48.11.1,"Administrative Templates: System","Windows Performance PerfTrack: Enable/Disable PerfTrack",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d},ScenarioExecutionEnabled,,,,1,0,=,Medium +18.8.50.1,"Administrative Templates: System","User Profiles: Turn off the advertising ID",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo,DisabledByGroupPolicy,,,,0,1,=,Medium +18.8.53.1.1,"Administrative Templates: System","Time Providers: Enable Windows NTP Client",Registry,,HKLM:\Software\Policies\Microsoft\W32time\TimeProviders\NtpClient,Enabled,,,,0,1,=,Medium +18.8.53.1.2,"Administrative Templates: System","Time Providers: Enable Windows NTP Server",Registry,,HKLM:\Software\Policies\Microsoft\W32time\TimeProviders\NtpServer,Enabled,,,,0,0,=,Medium +18.9.4.1,"Administrative Templates: Windows Components","App Package Deployment: Allow a Windows app to share application data between users",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\AppModel\StateManager,AllowSharedLocalAppData,,,,1,0,=,Medium +18.9.4.2,"Administrative Templates: Windows Components","App Package Deployment: Prevent non-admin users from installing packaged Windows apps",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Appx,BlockNonAdminUserInstall,,,,0,1,=,Medium +18.9.5.1,"Administrative Templates: Windows Components","App Privacy: Let Windows apps activate with voice while the system is locked",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy,LetAppsActivateWithVoiceAboveLock,,,,0,2,=,Medium +18.9.6.1,"Administrative Templates: Windows Components","App runtime: Allow Microsoft accounts to be optional",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System,MSAOptional,,,,,1,=,Medium +18.9.6.2,"Administrative Templates: Windows Components","App runtime: Block launching Universal Windows apps with Windows Runtime API access from hosted content",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,BlockHostedAppAccessWinRT,,,,0,1,=,Medium +18.9.8.1,"Administrative Templates: Windows Components","AutoPlay Policies: Disallow Autoplay for non-volume devices",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Explorer,NoAutoplayfornonVolume,,,,0,1,=,Medium +18.9.8.2,"Administrative Templates: Windows Components","AutoPlay Policies: Set the default behavior for AutoRun",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoAutorun,,,,0,1,=,Medium +18.9.8.3,"Administrative Templates: Windows Components","AutoPlay Policies: Turn off Autoplay",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoDriveTypeAutoRun,,,,0,255,=,Medium +18.9.10.1.1,"Administrative Templates: Windows Components","Biometrics: Facial Features: Configure enhanced anti-spoofing",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures,EnhancedAntiSpoofing,,,,,1,=,Medium +18.9.11.1.1,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Fixed Data Drives: Allow access to BitLocker-protected fixed data drives from earlier versions of Windows",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\FVE,FDVDiscoveryVolumeType,,,,,,=,Medium +18.9.11.1.2,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Fixed Data Drives: Choose how BitLocker-protected fixed drives can be recovered",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\FVE,FDVRecovery,,,,0,1,=,Medium +18.9.11.1.3,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Fixed Data Drives: Choose how BitLocker-protected fixed drives can be recovered: Allow data recovery agent",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\FVE,FDVManageDRA,,,,1,1,=,Medium +18.9.11.1.4,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Fixed Data Drives: Choose how BitLocker-protected fixed drives can be recovered: Recovery Password",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\FVE,FDVRecoveryPassword,,,,,2,=,Medium +18.9.11.1.5,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Fixed Data Drives: Choose how BitLocker-protected fixed drives can be recovered: Recovery Key",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\FVE,FDVRecoveryKey,,,,,2,=,Medium +18.9.11.1.6,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Fixed Data Drives: Choose how BitLocker-protected fixed drives can be recovered: Omit recovery options from the BitLocker setup wizard",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\FVE,FDVHideRecoveryPage,,,,,1,=,Medium +18.9.11.1.7,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Fixed Data Drives: Choose how BitLocker-protected fixed drives can be recovered: Save BitLocker recovery information to AD DS for fixed data drives",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\FVE,FDVActiveDirectoryBackup,,,,,0,=,Medium +18.9.11.1.8,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Fixed Data Drives: Choose how BitLocker-protected fixed drives can be recovered: Configure storage of BitLocker recovery information to AD DS",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\FVE,FDVActiveDirectoryInfoToStore,,,,,1,=,Medium +18.9.11.1.9,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Fixed Data Drives: Choose how BitLocker-protected fixed drives can be recovered: Do not enable BitLocker until recovery information is stored to AD DS for fixed data drives",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\FVE,FDVRequireActiveDirectoryBackup,,,,,0,=,Medium +18.9.11.1.10,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Fixed Data Drives: Configure use of hardware-based encryption for fixed data drives",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\FVE,FDVHardwareEncryption,,,,,0,=,Medium +18.9.11.1.11,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Fixed Data Drives: Configure use of passwords for fixed data drives",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\FVE,FDVPassphrase,,,,0,0,=,Medium +18.9.11.1.12,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Fixed Data Drives: Configure use of smart cards on fixed data drives",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\FVE,FDVAllowUserCert,,,,,1,=,Medium +18.9.11.1.13,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Fixed Data Drives: Configure use of smart cards on fixed data drives: Require use of smart cards on fixed data drives",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\FVE,FDVEnforceUserCert,,,,0,1,=,Medium +18.9.11.2.1,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Operating System Drives: Allow enhanced PINs for startup",Registry,,HKLM:\Software\Policies\Microsoft\FVE,UseEnhancedPin,,,,0,1,=,Medium +18.9.11.2.2,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Operating System Drives: Allow Secure Boot for integrity validation",Registry,,HKLM:\Software\Policies\Microsoft\FVE,OSAllowSecureBootForIntegrity,,,,0,1,=,Medium +18.9.11.2.3,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Operating System Drives: Choose how BitLocker-protected operating system drives can be recovered",Registry,,HKLM:\Software\Policies\Microsoft\FVE,OSRecovery,,,,0,1,=,Medium +18.9.11.2.4,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Operating System Drives: Choose how BitLocker-protected operating system drives can be recovered: Allow data recovery agent",Registry,,HKLM:\Software\Policies\Microsoft\FVE,OSManageDRA,,,,1,0,=,Medium +18.9.11.2.5,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Operating System Drives: Choose how BitLocker-protected operating system drives can be recovered: Recovery Password",Registry,,HKLM:\Software\Policies\Microsoft\FVE,OSRecoveryPassword,,,,,1,=,Medium +18.9.11.2.6,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Operating System Drives: Choose how BitLocker-protected operating system drives can be recovered: Recovery Key",Registry,,HKLM:\Software\Policies\Microsoft\FVE,OSRecoveryKey,,,,1,0,=,Medium +18.9.11.2.7,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Operating System Drives: Choose how BitLocker-protected operating system drives can be recovered: Omit recovery options from the BitLocker setup wizard",Registry,,HKLM:\Software\Policies\Microsoft\FVE,OSHideRecoveryPage,,,,0,1,=,Medium +18.9.11.2.8,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Operating System Drives: Choose how BitLocker-protected operating system drives can be recovered: Save BitLocker recovery information to AD DS for operating system drives",Registry,,HKLM:\Software\Policies\Microsoft\FVE,OSActiveDirectoryBackup,,,,0,1,=,Medium +18.9.11.2.9,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Operating System Drives: Choose how BitLocker-protected operating system drives can be recovered: Configure storage of BitLocker recovery information to AD DS",Registry,,HKLM:\Software\Policies\Microsoft\FVE,OSActiveDirectoryInfoToStore,,,,0,1,=,Medium +18.9.11.2.10,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Operating System Drives: Choose how BitLocker-protected operating system drives can be recovered: Do not enable BitLocker until recovery information is stored to AD DS for operating system drives",Registry,,HKLM:\Software\Policies\Microsoft\FVE,OSRequireActiveDirectoryBackup,,,,0,1,=,Medium +18.9.11.2.11,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Operating System Drives: Configure use of hardware-based encryption for operating system drives: Restrict crypto algorithms or cipher suites",Registry,,HKLM:\Software\Policies\Microsoft\FVE,OSAllowedHardwareEncryptionAlgorithms,,,,,2.16.840.1.101.3.4.1.2;2.16.840.1.101.3.4.1.42,=,Medium +18.9.11.2.12,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Operating System Drives: Configure use of passwords for operating system drives",Registry,,HKLM:\Software\Policies\Microsoft\FVE,OSPassphrase,,,,,0,=,Medium +18.9.11.2.13,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Operating System Drives: Require additional authentication at startup",Registry,,HKLM:\Software\Policies\Microsoft\FVE,UseAdvancedStartup,,,,0,1,=,Medium +18.9.11.2.14,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Operating System Drives: Require additional authentication at startup: Allow BitLocker without a compatible TPM",Registry,,HKLM:\Software\Policies\Microsoft\FVE,EnableBDEWithNoTPM,,,,1,0,=,Medium +18.9.11.3.1,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Removable Data Drives: Allow access to BitLocker-protected removable data drives from earlier versions of Windows",Registry,,HKLM:\Software\Policies\Microsoft\FVE,RDVDiscoveryVolumeType,,,,,,=,Medium +18.9.11.3.2,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Removable Data Drives: Choose how BitLocker-protected removable drives can be recovered",Registry,,HKLM:\Software\Policies\Microsoft\FVE,RDVRecovery,,,,0,1,=,Medium +18.9.11.3.3,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Removable Data Drives: Choose how BitLocker-protected removable drives can be recovered: Allow data recovery agent",Registry,,HKLM:\Software\Policies\Microsoft\FVE,RDVManageDRA,,,,,1,=,Medium +18.9.11.3.4,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Removable Data Drives: Choose how BitLocker-protected removable drives can be recovered: Recovery Password",Registry,,HKLM:\Software\Policies\Microsoft\FVE,RDVRecoveryPassword,,,,,0,=,Medium +18.9.11.3.5,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Removable Data Drives: Choose how BitLocker-protected removable drives can be recovered: Recovery Key",Registry,,HKLM:\Software\Policies\Microsoft\FVE,RDVRecoveryKey,,,,,0,=,Medium +18.9.11.3.6,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Removable Data Drives: Choose how BitLocker-protected removable drives can be recovered: Omit recovery options from the BitLocker setup wizard",Registry,,HKLM:\Software\Policies\Microsoft\FVE,RDVHideRecoveryPage,,,,,1,=,Medium +18.9.11.3.7,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Removable Data Drives: Choose how BitLocker-protected removable drives can be recovered: Save BitLocker recovery information to AD DS for removable data drives",Registry,,HKLM:\Software\Policies\Microsoft\FVE,RDVActiveDirectoryBackup,,,,,0,=,Medium +18.9.11.3.8,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Removable Data Drives: Choose how BitLocker-protected removable drives can be recovered: Configure storage of BitLocker recovery information to AD DS",Registry,,HKLM:\Software\Policies\Microsoft\FVE,RDVActiveDirectoryInfoToStore,,,,,1,=,Medium +18.9.11.3.9,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Removable Data Drives: Choose how BitLocker-protected removable drives can be recovered: Choose how BitLocker-protected removable drives can be recovered: Do not enable BitLocker until recovery information is stored to AD DS for removable data drives",Registry,,HKLM:\Software\Policies\Microsoft\FVE,RDVRequireActiveDirectoryBackup,,,,,0,=,Medium +18.9.11.3.10,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Removable Data Drives: Configure use of hardware-based encryption for removable data drives",Registry,,HKLM:\Software\Policies\Microsoft\FVE,RDVHardwareEncryption,,,,,1,=,Medium +18.9.11.3.11,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Removable Data Drives: Configure use of passwords for removable data drives",Registry,,HKLM:\Software\Policies\Microsoft\FVE,RDVPassphrase,,,,,0,=,Medium +18.9.11.3.12,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Removable Data Drives: Configure use of smart cards on removable data drives",Registry,,HKLM:\Software\Policies\Microsoft\FVE,RDVAllowUserCert,,,,,1,=,Medium +18.9.11.3.13,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Removable Data Drives: Configure use of smart cards on removable data drives: Require use of smart cards on removable data drives",Registry,,HKLM:\Software\Policies\Microsoft\FVE,RDVEnforceUserCert,,,,,1,=,Medium +18.9.11.3.14,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Removable Data Drives: Deny write access to removable drives not protected by BitLocker",Registry,,HKLM:\System\CurrentControlSet\Policies\Microsoft\FVE,RDVDenyWriteAccess,,,,,1,=,Medium +18.9.11.3.15,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Removable Data Drives: Do not allow write access to devices configured in another organization",Registry,,HKLM:\Software\Policies\Microsoft\FVE,RDVDenyCrossOrg,,,,,0,=,Medium +18.9.11.4,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Disable new DMA devices when this computer is locked",Registry,,HKLM:\Software\Policies\Microsoft\FVE,DisableExternalDMAUnderLock,,,,0,1,=,Medium +18.9.12.1,"Administrative Templates: Windows Components","Camera: Allow Use of Camera",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Camera,AllowCamera,,,,1,0,=,Medium +18.9.14.1,"Administrative Templates: Windows Components","Cloud Content: Turn off cloud consumer account state content",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CloudContent,DisableConsumerAccountStateContent,,,,,1,=,Medium +18.9.14.2,"Administrative Templates: Windows Components","Cloud Content: Turn off cloud optimized content",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CloudContent,DisableCloudOptimizedContent,,,,0,1,=,Medium +18.9.14.3,"Administrative Templates: Windows Components","Cloud Content: Turn off Microsoft consumer experiences",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CloudContent,DisableWindowsConsumerFeatures,,,,0,1,=,Medium +18.9.15.1,"Administrative Templates: Windows Components","Connect: Require pin for pairing",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Connect,RequirePinForPairing,,,,0,1,>=,Medium +18.9.16.1,"Administrative Templates: Windows Components","Credential User Interface: Do not display the password reveal button",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CredUI,DisablePasswordReveal,,,,0,1,=,Medium +18.9.16.2,"Administrative Templates: Windows Components","Credential User Interface: Enumerate administrator accounts on elevation",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI,EnumerateAdministrators,,,,1,0,=,Medium +18.9.16.3,"Administrative Templates: Windows Components","Credential User Interface: Prevent the use of security questions for local accounts",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,NoLocalPasswordResetQuestions,,,,0,1,=,Medium +18.9.17.1,"Administrative Templates: Windows Components","Data Collection and Preview Builds: Allow Diagnostic Data",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DataCollection,AllowTelemetry,,,,2,1,<=,Medium +18.9.17.2,"Administrative Templates: Windows Components","Data Collection and Preview Builds: Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DataCollection,DisableEnterpriseAuthProxy,,,,0,1,=,Medium +18.9.17.3,"Administrative Templates: Windows Components","Data Collection and Preview Builds: Disable OneSettings Downloads",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DataCollection,DisableOneSettingsDownloads,,,,,1,=,Medium +18.9.17.4,"Administrative Templates: Windows Components","Data Collection and Preview Builds: Do not show feedback notifications",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DataCollection,DoNotShowFeedbackNotifications,,,,0,1,=,Medium +18.9.17.5,"Administrative Templates: Windows Components","Data Collection and Preview Builds: Enable OneSettings Auditing",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DataCollection,EnableOneSettingsAuditing,,,,,1,=,Medium +18.9.17.6,"Administrative Templates: Windows Components","Data Collection and Preview Builds: Limit Diagnostic Log Collection",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DataCollection,LimitDiagnosticLogCollection,,,,,1,=,Medium +18.9.17.7,"Administrative Templates: Windows Components","Data Collection and Preview Builds: Limit Dump Collection",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DataCollection,LimitDumpCollection,,,,,1,=,Medium +18.9.17.8,"Administrative Templates: Windows Components","Data Collection and Preview Builds: Toggle user control over Insider builds",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds,AllowBuildPreview,,,,1,0,=,Medium +18.9.18.1,"Administrative Templates: Windows Components","Delivery Optimization: Download Mode",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization,DODownloadMode,,,,1,2,=,Medium +18.9.27.1.1,"Administrative Templates: Windows Components","Event Log Service: Application: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Application,Retention,,,,,0,=,Medium +18.9.27.1.2,"Administrative Templates: Windows Components","Event Log Service: Application: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Application,MaxSize,,,,4096,32768,>=,Medium +18.9.27.2.1,"Administrative Templates: Windows Components","Event Log Service: Security: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Security,Retention,,,,,0,=,Medium +18.9.27.2.2,"Administrative Templates: Windows Components","Event Log Service: Security: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Security,MaxSize,,,,4096,196608,>=,Medium +18.9.27.3.1,"Administrative Templates: Windows Components","Event Log Service: Setup: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Setup,Retention,,,,,0,=,Medium +18.9.27.3.2,"Administrative Templates: Windows Components","Event Log Service: Setup: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Setup,MaxSize,,,,4096,32768,>=,Medium +18.9.27.4.1,"Administrative Templates: Windows Components","Event Log Service: System: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\System,Retention,,,,,0,=,Medium +18.9.27.4.2,"Administrative Templates: Windows Components","Event Log Service: System: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\System,MaxSize,,,,4096,32768,>=,Medium +18.9.31.2,"Administrative Templates: Windows Components","File Explorer: Turn off Data Execution Prevention for Explorer",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer,NoDataExecutionPrevention,,,,,0,=,Medium +18.9.31.3,"Administrative Templates: Windows Components","File Explorer: Turn off heap termination on corruption",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer,NoHeapTerminationOnCorruption,,,,,0,=,Medium +18.9.31.4,"Administrative Templates: Windows Components","File Explorer: Turn off shell protocol protected mode",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer,PreXPSP2ShellProtocolBehavior,,,,,0,=,Medium +18.9.36.1,"Administrative Templates: Windows Components","HomeGroup: Prevent the computer from joining a homegroup",Registry,,HKLM:\Software\Policies\Microsoft\Windows\HomeGroup,DisableHomeGroup,,,,0,1,=,Medium +18.9.41.1,"Administrative Templates: Windows Components","Location and Sensors: Turn off location",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors,DisableLocation,,,,0,1,=,Medium +18.9.45.1,"Administrative Templates: Windows Components","Messaging: Allow Message Service Cloud Sync",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Messaging,AllowMessageSync,,,,1,0,=,Medium +18.9.46.1,"Administrative Templates: Windows Components","Microsoft account: Block all consumer Microsoft account user authentication",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\MicrosoftAccount,DisableUserAuth,,,,,1,=,Medium +18.9.47.4.1,"Microsoft Defender Antivirus","MAPS: Configure local setting override for reporting to Microsoft MAPS",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet",LocalSettingOverrideSpynetReporting,,,,,0,=,Medium +18.9.47.4.2,"Microsoft Defender Antivirus","MAPS: Join Microsoft MAPS",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet",SpynetReporting,,,,,0,=|0,Medium +18.9.47.5.1.1,"Microsoft Defender Exploit Guard","Attack Surface Reduction rules",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR",ExploitGuard_ASR_Rules,,,,0,1,=,Medium +18.9.47.5.1.2.1.1,"Microsoft Defender Exploit Guard","ASR: Block all Office applications from creating child processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",d4f940ab-401b-4efc-aadc-ad5f3c50688a,,,,0,1,=,Medium +18.9.47.5.1.2.1.2,"Microsoft Defender Exploit Guard","ASR: Block all Office applications from creating child processes",MpPreferenceAsr,d4f940ab-401b-4efc-aadc-ad5f3c50688a,,,,,,0,1,=,Medium +18.9.47.5.1.2.2.1,"Microsoft Defender Exploit Guard","ASR: Block Office applications from creating executable content (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",3b576869-a4ec-4529-8536-b80a7769e899,,,,0,1,=,Medium +18.9.47.5.1.2.2.2,"Microsoft Defender Exploit Guard","ASR: Block Office applications from creating executable content",MpPreferenceAsr,3b576869-a4ec-4529-8536-b80a7769e899,,,,,,0,1,=,Medium +18.9.47.5.1.2.3.1,"Microsoft Defender Exploit Guard","ASR: Block execution of potentially obfuscated scripts (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",5beb7efe-fd9a-4556-801d-275e5ffc04cc,,,,0,1,=,Medium +18.9.47.5.1.2.3.2,"Microsoft Defender Exploit Guard","ASR: Block execution of potentially obfuscated scripts",MpPreferenceAsr,5beb7efe-fd9a-4556-801d-275e5ffc04cc,,,,,,0,1,=,Medium +18.9.47.5.1.2.4.1,"Microsoft Defender Exploit Guard","ASR: Block Office applications from injecting code into other processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84,,,,0,1,=,Medium +18.9.47.5.1.2.4.2,"Microsoft Defender Exploit Guard","ASR: Block Office applications from injecting code into other processes",MpPreferenceAsr,75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84,,,,,,0,1,=,Medium +18.9.47.5.1.2.5.1,"Microsoft Defender Exploit Guard","ASR: Block Adobe Reader from creating child processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c,,,,0,1,=,Medium +18.9.47.5.1.2.5.2,"Microsoft Defender Exploit Guard","ASR: Block Adobe Reader from creating child processes",MpPreferenceAsr,7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c,,,,,,0,1,=,Medium +18.9.47.5.1.2.6.1,"Microsoft Defender Exploit Guard","ASR: Block Win32 API calls from Office macros (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b,,,,0,1,=,Medium +18.9.47.5.1.2.6.2,"Microsoft Defender Exploit Guard","ASR: Block Win32 API calls from Office macros",MpPreferenceAsr,92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b,,,,,,0,1,=,Medium +18.9.47.5.1.2.7.1,"Microsoft Defender Exploit Guard","ASR: Block credential stealing from the Windows local security authority subsystem (lsass.exe) (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2,,,,0,1,=,Medium +18.9.47.5.1.2.7.2,"Microsoft Defender Exploit Guard","ASR: Block credential stealing from the Windows local security authority subsystem (lsass.exe)",MpPreferenceAsr,9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2,,,,,,0,1,=,Medium +18.9.47.5.1.2.8.1,"Microsoft Defender Exploit Guard","ASR: Block untrusted and unsigned processes that run from USB (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4,,,,0,1,=,Medium +18.9.47.5.1.2.8.2,"Microsoft Defender Exploit Guard","ASR: Block untrusted and unsigned processes that run from USB",MpPreferenceAsr,b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4,,,,,,0,1,=,Medium +18.9.47.5.1.2.9.1,"Microsoft Defender Exploit Guard","ASR: Block executable content from email client and webmail (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",be9ba2d9-53ea-4cdc-84e5-9b1eeee46550,,,,0,1,=,Medium +18.9.47.5.1.2.9.2,"Microsoft Defender Exploit Guard","ASR: Block executable content from email client and webmail",MpPreferenceAsr,be9ba2d9-53ea-4cdc-84e5-9b1eeee46550,,,,,,0,1,=,Medium +18.9.47.5.1.2.10.1,"Microsoft Defender Exploit Guard","ASR: Block JavaScript or VBScript from launching downloaded executable content (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",d3e037e1-3eb8-44c8-a917-57927947596d,,,,0,1,=,Medium +18.9.47.5.1.2.10.2,"Microsoft Defender Exploit Guard","ASR: Block JavaScript or VBScript from launching downloaded executable content",MpPreferenceAsr,d3e037e1-3eb8-44c8-a917-57927947596d,,,,,,0,1,=,Medium +18.9.47.5.1.2.11.1,"Microsoft Defender Exploit Guard","ASR: Block Office communication application from creating child processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",26190899-1602-49e8-8b27-eb1d0a1ce869,,,,0,1,=,Medium +18.9.47.5.1.2.11.2,"Microsoft Defender Exploit Guard","ASR: Block Office communication application from creating child processes",MpPreferenceAsr,26190899-1602-49e8-8b27-eb1d0a1ce869,,,,,,0,1,=,Medium +18.9.47.5.1.2.12.1,"Microsoft Defender Exploit Guard","ASR: Block persistence through WMI event subscription (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",e6db77e5-3df2-4cf1-b95a-636979351e5b,,,,0,1,=,Medium +18.9.47.5.1.2.12.1,"Microsoft Defender Exploit Guard","ASR: Block persistence through WMI event subscription",MpPreferenceAsr,e6db77e5-3df2-4cf1-b95a-636979351e5b,,,,,,0,1,=,Medium +18.9.47.5.3.1,"Microsoft Defender Exploit Guard","Network Protection: Prevent users and apps from accessing dangerous websites",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection",EnableNetworkProtection,,,,,1,=,Medium +18.9.47.6.1,"Microsoft Defender Antivirus","MpEngine: Enable file hash computation feature",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine",EnableFileHashComputation,,,,,1,=,Medium +18.9.47.9.1,"Microsoft Defender Antivirus","Real-time Protection: Scan all downloaded files and attachments",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Real-Time Protection",DisableIOAVProtection,,,,0,0,=,Medium +18.9.47.9.2,"Microsoft Defender Antivirus","Real-time Protection: Turn off real-time protection",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Real-Time Protection",DisableRealtimeMonitoring,,,,0,0,=,Medium +18.9.47.9.3,"Microsoft Defender Antivirus","Real-time Protection: Turn on behavior monitoring (Policy)",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection",DisableBehaviorMonitoring,,,,0,0,=,Medium +18.9.47.9.4,"Microsoft Defender Antivirus","Real-time Protection: Turn on script scanning",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Real-Time Protection",DisableScriptScanning,,,,0,0,=,Medium +18.9.47.11.1,"Microsoft Defender Antivirus","Reporting: Configure Watson events",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting",DisableGenericRePorts,,,,,1,=,Medium +18.9.47.12.1,"Microsoft Defender Antivirus","Scan: Scan removable drives",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Scan",DisableRemovableDriveScanning,,,,,0,=,Medium +18.9.47.12.2,"Microsoft Defender Antivirus","Scan: Turn on e-mail scanning",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Scan",DisableEmailScanning,,,,,0,=,Medium +18.9.47.15,"Microsoft Defender Antivirus","Configure detection for potentially unwanted applications",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender",PUAProtection,,,,0,1,=,Medium +18.9.47.16,"Microsoft Defender Antivirus","Turn off Microsoft Defender Antivirus",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender",DisableAntiSpyware,,,,0,0,=,Medium +18.9.48.1,"Microsoft Defender Application Guard","Allow auditing events in Microsoft Defender Application Guard",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\AppHVSI,AuditApplicationGuard,,,,,1,=,Medium +18.9.48.2,"Microsoft Defender Application Guard","Allow camera and microphone access in Microsoft Defender Application Guard",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\AppHVSI,AllowCameraMicrophoneRedirection,,,,,0,=,Medium +18.9.48.3,"Microsoft Defender Application Guard","Allow data persistence for Microsoft Defender Application Guard",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\AppHVSI,AllowPersistence,,,,,0,=,Medium +18.9.48.4,"Microsoft Defender Application Guard","Allow files to download and save to the host operating system from Microsoft Defender Application Guard",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\AppHVSI,SaveFilesToHost,,,,,0,=,Medium +18.9.48.5,"Microsoft Defender Application Guard","Configure Microsoft Defender Application Guard clipboard settings: Clipboard behavior setting",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\AppHVSI,AppHVSIClipboardSettings,,,,,1,=,Medium +18.9.48.6,"Microsoft Defender Application Guard","Turn on Microsoft Defender Application Guard in Managed Mode",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\AppHVSI,AllowAppHVSI_ProviderSet,,,,,1,=,Medium +18.9.57.1,"Administrative Templates: Windows Components","News and interests: Enable news and interests on the taskbar",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\Windows Feeds",EnableFeeds,,,,,0,=,Medium +18.9.58.1,"Administrative Templates: Windows Components","OneDrive: Prevent the usage of OneDrive for file storage",Registry,,HKLM:\Software\Policies\Microsoft\Windows\OneDrive,DisableFileSyncNGSC,,,,0,1,=,Medium +18.9.64.1,"Administrative Templates: Windows Components","Push To Install: Turn off Push To Install service",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\PushToInstall,DisablePushToInstall,,,,,1,=,Medium +18.9.65.2.2,"Administrative Templates: Windows Components","Remote Desktop Connection Client: Do not allow passwords to be saved",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",DisablePasswordSaving,,,,0,1,=,Medium +18.9.65.3.2.1,"Administrative Templates: Windows Components","Remote Desktop Session Host: Allow users to connect remotely by using Remote Desktop Services",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fDenyTSConnections,,,,0,1,=,Medium +18.9.65.3.3.1,"Administrative Templates: Windows Components","Remote Desktop Session Host: Device and Resource Redirection: Allow UI Automation redirection",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",EnableUiaRedirection,,,,,0,=,Medium +18.9.65.3.3.2,"Administrative Templates: Windows Components","Remote Desktop Session Host: Device and Resource Redirection: Do not allow COM port redirection",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fDisableCcm,,,,0,1,=,Medium +18.9.65.3.3.3,"Administrative Templates: Windows Components","Remote Desktop Session Host: Device and Resource Redirection: Do not allow drive redirection",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fDisableCdm,,,,0,1,=,Medium +18.9.65.3.3.4,"Administrative Templates: Windows Components","Remote Desktop Session Host: Device and Resource Redirection: Do not allow location redirection",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fDisableLocationRedir,,,,,1,=,Medium +18.9.65.3.3.5,"Administrative Templates: Windows Components","Remote Desktop Session Host: Device and Resource Redirection: Do not allow LPT port redirection",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fDisableLPT,,,,0,1,=,Medium +18.9.65.3.3.6,"Administrative Templates: Windows Components","Remote Desktop Session Host: Device and Resource Redirection: Do not allow supported Plug and Play device redirection",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fDisablePNPRedir,,,,0,1,=,Medium +18.9.65.3.9.1,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Always prompt for password upon connection",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fPromptForPassword,,,,0,1,=,Medium +18.9.65.3.9.2,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Require secure RPC communication",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fEncryptRPCTraffic,,,,0,1,=,Medium +18.9.65.3.9.3,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Require use of specific security layer for remote (RDP) connections",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",SecurityLayer,,,,0,2,=,Medium +18.9.65.3.9.4,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Require user authentication for remote connections by using Network Level Authentication",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",UserAuthentication,,,,,1,=,Medium +18.9.65.3.9.5,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Set client connection encryption level",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",MinEncryptionLevel,,,,0,3,=,Medium +18.9.65.3.10.1,"Administrative Templates: Windows Components","Remote Desktop Session Host: Session Time Limits: Set time limit for active but idle Remote Desktop Services sessions",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",MaxIdleTime,,,,,900000,<=!0,Medium +18.9.65.3.10.2,"Administrative Templates: Windows Components","Remote Desktop Session Host: Session Time Limits: Set time limit for disconnected sessions",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",MaxDisconnectionTime,,,,,60000,=,Medium +18.9.65.3.11.1,"Administrative Templates: Windows Components","Remote Desktop Session Host: Temporary folders: Do not delete temp folders upon exit",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",DeleteTempDirsOnExit,,,,,1,=,Medium +18.9.66.1,"Administrative Templates: Windows Components","RSS Feeds: Prevent downloading of enclosures",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Feeds",DisableEnclosureDownload,,,,,1,=,Medium +18.9.67.2,"Administrative Templates: Windows Components","Search: Allow Cloud Search",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search",AllowCloudSearch,,,,1,0,=,Medium +18.9.67.3,"Administrative Templates: Windows Components","Search: Allow Cortana",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search",AllowCortana,,,,1,0,=,Medium +18.9.67.4,"Administrative Templates: Windows Components","Search: Allow Cortana above lock screen",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search",AllowCortanaAboveLock,,,,1,0,=,Medium +18.9.67.5,"Administrative Templates: Windows Components","Search: Allow indexing of encrypted files",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search",AllowIndexingEncryptedStoresOrItems,,,,1,0,=,Medium +18.9.67.6,"Administrative Templates: Windows Components","Search: Allow search and Cortana to use location",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search",AllowSearchToUseLocation,,,,1,0,=,Medium +18.9.72.1,"Administrative Templates: Windows Components","Software Protection Platform: Turn off KMS Client Online AVS Validation",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform",NoGenTicket,,,,,1,=,Medium +18.9.75.1,"Administrative Templates: Windows Components","Store: Disable all apps from Microsoft Store",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore,DisableStoreApps,,,,,1,=,Medium +18.9.75.2,"Administrative Templates: Windows Components","Store: Only display the private store within the Microsoft Store",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore,RequirePrivateStoreOnly,,,,,1,=,Medium +18.9.75.3,"Administrative Templates: Windows Components","Store: Turn off Automatic Download and Install of updates",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore,AutoDownload,,,,,4,=,Medium +18.9.75.4,"Administrative Templates: Windows Components","Store: Turn off the offer to update to the latest version of Windows",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore,DisableOSUpgrade,,,,,1,=,Medium +18.9.75.5,"Administrative Templates: Windows Components","Store: Turn off the Store application",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore,RemoveWindowsStore,,,,,1,=,Medium +18.9.81.1,"Administrative Templates: Windows Components","Widgest: Allow widgets",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Dsh,AllowNewsAndInterests,,,,,0,=,Medium +18.9.85.1.1.1,"Administrative Templates: Windows Components","File Explorer: Configure Windows Defender SmartScreen",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,EnableSmartScreen,,,,1,1,=,Medium +18.9.85.1.1.2,"Administrative Templates: Windows Components","File Explorer: Configure Windows Defender SmartScreen to warn and prevent bypass",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,ShellSmartScreenLevel,,,,Warn,Block,=,Medium +18.9.85.2.1,"Microsoft Edge","Configure Windows Defender SmartScreen",Registry,,HKLM:\Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter,EnabledV9,,,,,1,=,Medium +18.9.85.2.2,"Microsoft Edge","Prevent bypassing Microsoft Defender SmartScreen prompts for sites",Registry,,HKLM:\Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter,PreventOverride,,,,,1,=,Medium +18.9.87.1,"Administrative Templates: Windows Components","Windows Game Recording and Broadcasting: Enables or disables Windows Game Recording and Broadcasting",Registry,,HKLM:\Software\Policies\Microsoft\Windows\GameDVR,AllowGameDVR,,,,1,0,=,Medium +18.9.89.1,"Administrative Templates: Windows Components","Windows Ink Workspace: Allow suggested apps in Windows Ink Workspace",Registry,,HKLM:\Software\Policies\Microsoft\WindowsInkWorkspace,AllowSuggestedAppsInWindowsInkWorkspace,,,,1,0,=,Medium +18.9.89.2,"Administrative Templates: Windows Components","Windows Ink Workspace: Allow Windows Ink Workspace",Registry,,HKLM:\Software\Policies\Microsoft\WindowsInkWorkspace,AllowWindowsInkWorkspace,,,,1,1,<=,Medium +18.9.90.1,"Administrative Templates: Windows Components","Windows Installer: Allow user control over installs",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Installer,EnableUserControl,,,,1,0,=,Medium +18.9.90.2,"Administrative Templates: Windows Components","Windows Installer: Always install with elevated privileges",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Installer,AlwaysInstallElevated,,,,1,0,=,Medium +18.9.90.3,"Administrative Templates: Windows Components","Windows Installer: Prevent Internet Explorer security prompt for Windows Installer scripts",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Installer,SafeForScripting,,,,1,0,=,Medium +18.9.91.1,"Administrative Templates: Windows Components","Windows Logon Options: Sign-in and lock last interactive user automatically after a restart",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,DisableAutomaticRestartSignOn,,,,0,1,=,Medium +18.9.100.1,PowerShell,"Turn on PowerShell Script Block Logging",Registry,,HKLM:\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging,EnableScriptBlockLogging,,,,0,1,=,Medium +18.9.100.2,PowerShell,"Turn on PowerShell Transcription",Registry,,HKLM:\Software\Policies\Microsoft\Windows\PowerShell\Transcription,EnableTranscripting,,,,0,0,=,Medium +18.9.102.1.1,"Administrative Templates: Windows Components","WinRM Client: Allow Basic authentication",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Client,AllowBasic,,,,1,0,=,Medium +18.9.102.1.2,"Administrative Templates: Windows Components","WinRM Client: Allow unencrypted traffic",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Client,AllowUnencryptedTraffic,,,,1,0,=,Medium +18.9.102.1.3,"Administrative Templates: Windows Components","WinRM Client: Disallow Digest authentication",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Client,AllowDigest,,,,1,0,=,Medium +18.9.102.2.1,"Administrative Templates: Windows Components","WinRM Service: Allow Basic authentication",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service,AllowBasic,,,,1,0,=,Medium +18.9.102.2.2,"Administrative Templates: Windows Components","WinRM Service: Allow remote server management through WinRM",Registry,,HKLM:Software\Policies\Microsoft\Windows\WinRM\Service,AllowAutoConfig,,,,1,0,=,Medium +18.9.102.2.3,"Administrative Templates: Windows Components","WinRM Service: Allow unencrypted traffic",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service,AllowUnencryptedTraffic,,,,1,0,=,Medium +18.9.102.2.4,"Administrative Templates: Windows Components","WinRM Service: Disallow WinRM from storing RunAs credentials",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service,DisableRunAs,,,,0,1,=,Medium +18.9.103.1,"Administrative Templates: Windows Components","Windows Remote Shell: Allow Remote Shell Access",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service\WinRS,AllowRemoteShellAccess,,,,1,0,=,Medium +18.9.104.1,"Administrative Templates: Windows Components","Windows Sandbox: Allow clipboard sharing with Windows Sandbox",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Sandbox,AllowClipboardRedirection,,,,,0,=,Medium +18.9.104.2,"Administrative Templates: Windows Components","Windows Sandbox: Allow networking in Windows Sandbox",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Sandbox,AllowNetworking,,,,,0,=,Medium +18.9.105.2.1,"Administrative Templates: Windows Components","App and browser protection: Prevent users from modifying settings",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection",DisallowExploitProtectionOverride,,,,,1,=,Medium +18.9.108.1.1,"Administrative Templates: Windows Components","Windows Update: Legacy Policies: No auto-restart with logged on users for scheduled automatic updates installations",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,NoAutoRebootWithLoggedOnUsers,,,,,0,>=,Medium +18.9.108.2.1,"Administrative Templates: Windows Components","Windows Update: Manage end user experience: Configure Automatic Updates",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,NoAutoUpdate,,,,,0,>=,Medium +18.9.108.2.2,"Administrative Templates: Windows Components","Windows Update: Manage end user experience: Configure Automatic Updates: Scheduled install day",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,ScheduledInstallDay,,,,,0,>=,Medium +18.9.108.2.3,"Administrative Templates: Windows Components","Windows Update: Manage end user experience: Remove access to 'Pause updates' feature",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,SetDisablePauseUXAccess,,,,,1,>=,Medium +18.9.108.4.1.1,"Administrative Templates: Windows Components","Windows Update: Manage updates offered from Windows Update: Manage preview builds (ManagePreviewBuilds)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,ManagePreviewBuilds,,,,,1,=,Medium +18.9.108.4.1.2,"Administrative Templates: Windows Components","Windows Update: Manage updates offered from Windows Update: Manage preview builds (ManagePreviewBuildsPolicyValue)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,ManagePreviewBuildsPolicyValue,,,,,0,=,Medium +18.9.108.4.2.1,"Administrative Templates: Windows Components","Windows Update: Manage updates offered from Windows Update: Select when Preview Builds and Feature Updates are received (DeferFeatureUpdates)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,DeferFeatureUpdates,,,,,1,=,Medium +18.9.108.4.2.2,"Administrative Templates: Windows Components","Windows Update: Manage updates offered from Windows Update: Select when Preview Builds and Feature Updates are received (BranchReadinessLevel)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,BranchReadinessLevel,,,,,2,=,Low +18.9.108.4.2.3,"Administrative Templates: Windows Components","Windows Update: Manage updates offered from Windows Update: Select when Preview Builds and Feature Updates are received (DeferFeatureUpdatesPeriodInDays)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,DeferFeatureUpdatesPeriodInDays,,,,,180,>=,Medium +18.9.108.4.3.1,"Administrative Templates: Windows Components","Windows Update: Manage updates offered from Windows Update: Select when Quality Updates are received (DeferQualityUpdates)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,DeferQualityUpdates,,,,,1,=,Medium +18.9.108.4.3.2,"Administrative Templates: Windows Components","Windows Update: Manage updates offered from Windows Update: Select when Quality Updates are received (DeferQualityUpdatesPeriodInDays)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,DeferQualityUpdatesPeriodInDays,,,,,0,>=,Medium diff --git a/lists/finding_list_cis_microsoft_windows_10_enterprise_21h2_user.csv b/lists/finding_list_cis_microsoft_windows_10_enterprise_21h2_user.csv new file mode 100644 index 0000000..24a3d62 --- /dev/null +++ b/lists/finding_list_cis_microsoft_windows_10_enterprise_21h2_user.csv @@ -0,0 +1,16 @@ +ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Namespace,Property,DefaultValue,RecommendedValue,Operator,Severity +19.1.3.1,"Administrative Templates: Control Panel","Enable screen saver",Registry,,"HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop",ScreenSaveActive,,,,,1,=,Medium +19.1.3.2,"Administrative Templates: Control Panel","Password protect the screen saver",Registry,,"HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop",ScreenSaverIsSecure,,,,,1,=,Medium +19.1.3.3,"Administrative Templates: Control Panel","Screen saver timeout",Registry,,"HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop",ScreenSaveTimeOut,,,,,900,<=!0,Medium +19.5.1.1,"Administrative Templates: Start Menu and Taskbar","Notifications: Turn off toast notifications on the lock screen",Registry,,HKCU:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications,NoToastApplicationNotificationOnLockScreen,,,,0,1,=,Medium +19.6.6.1.1,"Administrative Templates: System","Internet Communication Management: Internet Communication Settings: Turn off Help Experience Improvement Program",Registry,,HKCU:\Software\Policies\Microsoft\Assistance\Client\1.0,NoImplicitFeedback,,,,0,1,=,Medium +19.7.4.1,"Administrative Templates: Windows Components","Attachment Manager: Do not preserve zone information in file attachments",Registry,,HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments,SaveZoneInformation,,,,,2,=,Medium +19.7.4.2,"Administrative Templates: Windows Components","Attachment Manager: Notify antivirus programs when opening attachments",Registry,,HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments,ScanWithAntiVirus,,,,,3,=,Medium +19.7.8.1,"Administrative Templates: Windows Components","Cloud Content: Configure Windows spotlight on lock screen",Registry,,HKCU:\Software\Policies\Microsoft\Windows\CloudContent,ConfigureWindowsSpotlight,,,,,2,=,Medium +19.7.8.2,"Administrative Templates: Windows Components","Cloud Content: Do not suggest third-party content in Windows spotlight",Registry,,HKCU:\Software\Policies\Microsoft\Windows\CloudContent,DisableThirdPartySuggestions,,,,0,1,=,Medium +19.7.8.3,"Administrative Templates: Windows Components","Cloud Content: Do not use diagnostic data for tailored experiences",Registry,,HKCU:\Software\Policies\Microsoft\Windows\CloudContent,DisableTailoredExperiencesWithDiagnosticData,,,,0,1,=,Medium +19.7.8.4,"Administrative Templates: Windows Components","Cloud Content: Turn off all Windows spotlight features",Registry,,HKCU:\Software\Policies\Microsoft\Windows\CloudContent,DisableWindowsSpotlightFeatures,,,,0,1,=,Medium +19.7.8.5,"Administrative Templates: Windows Components","Cloud Content: Turn off Spotlight collection on Desktop",Registry,,HKCU:\Software\Policies\Microsoft\Windows\CloudContent,DisableSpotlightCollectionOnDesktop,,,,,1,=,Medium +19.7.28.1,"Administrative Templates: Windows Components","Network Sharing: Prevent users from sharing files within their profile",Registry,,HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoInplaceSharing,,,,0,1,=,Medium +19.7.43.1,"Administrative Templates: Windows Components","Windows Installer: Always install with elevated privileges",Registry,,HKCU:\Software\Policies\Microsoft\Windows\Installer,AlwaysInstallElevated,,,,1,0,=,Medium +19.7.47.2.1,"Administrative Templates: Windows Components","Windows Media Player: Playback: Prevent Codec Download",Registry,,HKCU:\Software\Policies\Microsoft\WindowsMediaPlayer,PreventCodecDownload,,,,,1,=,Medium diff --git a/lists/finding_list_cis_microsoft_windows_11_enterprise_21h2_machine.csv b/lists/finding_list_cis_microsoft_windows_11_enterprise_21h2_machine.csv new file mode 100644 index 0000000..c1e58d8 --- /dev/null +++ b/lists/finding_list_cis_microsoft_windows_11_enterprise_21h2_machine.csv @@ -0,0 +1,586 @@ +ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Namespace,Property,DefaultValue,RecommendedValue,Operator,Severity +1.1.1,"Account Policies","Length of password history maintained",accountpolicy,,,,,,,None,24,>=,Low +1.1.2,"Account Policies","Maximum password age",accountpolicy,,,,,,,42,365,<=!0,Low +1.1.3,"Account Policies","Minimum password age",accountpolicy,,,,,,,0,1,>=,Low +1.1.4,"Account Policies","Minimum password length",accountpolicy,,,,,,,0,14,>=,Medium +1.1.5,"Account Policies","Password must meet complexity requirements",secedit,"System Access\PasswordComplexity",,,,,,0,1,=,Medium +1.1.6,"Account Policies","Relax minimum password length limits",Registry,,HKLM:\System\CurrentControlSet\Control\SAM,RelaxMinimumPasswordLengthLimits,,,,0,1,=,Medium +1.1.7,"Account Policies","Store passwords using reversible encryption",secedit,"System Access\ClearTextPassword",,,,,,0,0,=,High +1.2.1,"Account Policies","Account lockout duration",accountpolicy,,,,,,,30,15,>=,Low +1.2.2,"Account Policies","Account lockout threshold",accountpolicy,,,,,,,Never,5,<=!0,Low +1.2.3,"Account Policies","Reset account lockout counter",accountpolicy,,,,,,,30,15,>=,Low +2.2.1,"User Rights Assignment","Access Credential Manager as a trusted caller",accesschk,SeTrustedCredManAccessPrivilege,,,,,,,,=,Medium +2.2.2,"User Rights Assignment","Access this computer from the network",accesschk,SeNetworkLogonRight,,,,,,"BUILTIN\Backup Operators;BUILTIN\Users;BUILTIN\Administrators;Everyone","BUILTIN\Remote Desktop Users;BUILTIN\Administrators",=,Medium +2.2.3,"User Rights Assignment","Act as part of the operating system",accesschk,SeTcbPrivilege,,,,,,,,=,Medium +2.2.4,"User Rights Assignment","Adjust memory quotas for a process",accesschk,SeIncreaseQuotaPrivilege,,,,,,"BUILTIN\Administrators;NT AUTHORITY\NETWORK SERVICE;NT AUTHORITY\LOCAL SERVICE","BUILTIN\Administrators;NT AUTHORITY\NETWORK SERVICE;NT AUTHORITY\LOCAL SERVICE",=,Medium +2.2.5,"User Rights Assignment","Allow log on locally",accesschk,SeInteractiveLogonRight,,,,,,"BUILTIN\Backup Operators;BUILTIN\Users;BUILTIN\Administrators;COMPUTERNAME\Guest",BUILTIN\Users;BUILTIN\Administrators,=,Medium +2.2.6,"User Rights Assignment","Allow log on through Remote Desktop Services",accesschk,SeRemoteInteractiveLogonRight,,,,,,"BUILTIN\Remote Desktop Users;BUILTIN\Administrators","BUILTIN\Remote Desktop Users;BUILTIN\Administrators",=,Medium +2.2.7,"User Rights Assignment","Back up files and directories",accesschk,SeBackupPrivilege,,,,,,"BUILTIN\Administrators;BUILTIN\Backup Operators",BUILTIN\Administrators,=,Medium +2.2.8,"User Rights Assignment","Change the system time",accesschk,SeSystemTimePrivilege,,,,,,"BUILTIN\Administrators;NT AUTHORITY\LOCAL SERVICE","BUILTIN\Administrators;NT AUTHORITY\LOCAL SERVICE",=,Medium +2.2.9,"User Rights Assignment","Change the time zone",accesschk,SeTimeZonePrivilege,,,,,,"BUILTIN\Device Owners;BUILTIN\Users;BUILTIN\Administrators;NT AUTHORITY\LOCAL SERVICE","BUILTIN\Users;BUILTIN\Administrators;NT AUTHORITY\LOCAL SERVICE",=,Medium +2.2.10,"User Rights Assignment","Create a pagefile",accesschk,SeCreatePagefilePrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium +2.2.11,"User Rights Assignment","Create a token object",accesschk,SeCreateTokenPrivilege,,,,,,,,=,Medium +2.2.12,"User Rights Assignment","Create global objects",accesschk,SeCreateGlobalPrivilege,,,,,,"NT AUTHORITY\SERVICE;BUILTIN\Administrators;NT AUTHORITY\NETWORK SERVICE;NT AUTHORITY\LOCAL SERVICE","NT AUTHORITY\SERVICE;BUILTIN\Administrators;NT AUTHORITY\NETWORK SERVICE;NT AUTHORITY\LOCAL SERVICE",=,Medium +2.2.13,"User Rights Assignment","Create permanent shared objects",accesschk,SeCreatePermanentPrivilege,,,,,,,,=,Medium +2.2.14.1,"User Rights Assignment","Create symbolic links",accesschk,SeCreateSymbolicLinkPrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium +2.2.14.2,"User Rights Assignment","Create symbolic links (Hyper-V)",accesschk,SeCreateSymbolicLinkPrivilege,,,,,,S-1-5-83-0;BUILTIN\Administrators,"NT VIRTUAL MACHINE\Virtual Machines;BUILTIN\Administrators",=,Medium +2.2.15,"User Rights Assignment","Debug programs",accesschk,SeDebugPrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium +2.2.16,"User Rights Assignment","Deny access to this computer from the network",accesschk,SeDenyNetworkLogonRight,,,,,,COMPUTERNAME\Guest,"BUILTIN\Guests;NT AUTHORITY\Local account",=,Medium +2.2.17,"User Rights Assignment","Deny log on as a batch job",accesschk,SeDenyBatchLogonRight,,,,,,,BUILTIN\Guests,=,Medium +2.2.18,"User Rights Assignment","Deny log on as a service",accesschk,SeDenyServiceLogonRight,,,,,,,BUILTIN\Guests,=,Medium +2.2.19,"User Rights Assignment","Deny log on locally",accesschk,SeDenyInteractiveLogonRight,,,,,,BUILTIN\Guests,BUILTIN\Guests,=,Medium +2.2.20,"User Rights Assignment","Deny log on through Remote Desktop Services",accesschk,SeDenyRemoteInteractiveLogonRight,,,,,,,"BUILTIN\Guests;NT AUTHORITY\Local account",=,Medium +2.2.21,"User Rights Assignment","Enable computer and user accounts to be trusted for delegation",accesschk,SeEnableDelegationPrivilege,,,,,,,,=,Medium +2.2.22,"User Rights Assignment","Force shutdown from a remote system",accesschk,SeRemoteShutdownPrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium +2.2.23,"User Rights Assignment","Generate security audits",accesschk,SeAuditPrivilege,,,,,,"NT AUTHORITY\NETWORK SERVICE;NT AUTHORITY\LOCAL SERVICE","NT AUTHORITY\NETWORK SERVICE;NT AUTHORITY\LOCAL SERVICE",=,Medium +2.2.24,"User Rights Assignment","Impersonate a client after authentication",accesschk,SeImpersonatePrivilege,,,,,,"NT AUTHORITY\SERVICE;BUILTIN\Administrators;NT AUTHORITY\NETWORK SERVICE;NT AUTHORITY\LOCAL SERVICE","NT AUTHORITY\SERVICE;BUILTIN\Administrators;NT AUTHORITY\NETWORK SERVICE;NT AUTHORITY\LOCAL SERVICE",=,Medium +2.2.25,"User Rights Assignment","Increase scheduling priority",accesschk,SeIncreaseBasePriorityPrivilege,,,,,,"Window Manager\Window Manager Group;BUILTIN\Administrators","Window Manager\Window Manager Group;BUILTIN\Administrators",=,Medium +2.2.26,"User Rights Assignment","Load and unload device drivers",accesschk,SeLoadDriverPrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium +2.2.27,"User Rights Assignment","Lock pages in memory",accesschk,SeLockMemoryPrivilege,,,,,,,,=,Medium +2.2.28,"User Rights Assignment","Log on as a batch job",accesschk,SeBatchLogonRight,,,,,,"BUILTIN\Performance Log Users;BUILTIN\Backup Operators;BUILTIN\Administrators",BUILTIN\Administrators,=,Medium +2.2.29.1,"User Rights Assignment","Log on as a service",accesschk,SeServiceLogonRight,,,,,,"NT SERVICE\ALL SERVICES;NT AUTHORITY\NETWORK SERVICE",,=,Medium +2.2.29.2,"User Rights Assignment","Log on as a service (Hyper-V)",accesschk,SeServiceLogonRight,,,,,,"S-1-5-83-0;NT SERVICE\ALL SERVICES;NT AUTHORITY\NETWORK SERVICE","NT VIRTUAL MACHINE\Virtual Machines",=,Medium +2.2.30,"User Rights Assignment","Manage auditing and security log",accesschk,SeSecurityPrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium +2.2.31,"User Rights Assignment","Modify an object label",accesschk,SeReLabelPrivilege,,,,,,,,=,Medium +2.2.32,"User Rights Assignment","Modify firmware environment values",accesschk,SeSystemEnvironmentPrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium +2.2.33,"User Rights Assignment","Perform volume maintenance tasks",accesschk,SeManageVolumePrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium +2.2.34,"User Rights Assignment","Profile single process",accesschk,SeProfileSingleProcessPrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium +2.2.35,"User Rights Assignment","Profile system performance",accesschk,SeSystemProfilePrivilege,,,,,,"NT SERVICE\WdiServiceHost;BUILTIN\Administrators","NT SERVICE\WdiServiceHost;BUILTIN\Administrators",=,Medium +2.2.36,"User Rights Assignment","Replace a process level token",accesschk,SeAssignPrimaryTokenPrivilege,,,,,,"NT AUTHORITY\NETWORK SERVICE;NT AUTHORITY\LOCAL SERVICE","NT AUTHORITY\NETWORK SERVICE;NT AUTHORITY\LOCAL SERVICE",=,Medium +2.2.37,"User Rights Assignment","Restore files and directories",accesschk,SeRestorePrivilege,,,,,,"BUILTIN\Backup Operators;BUILTIN\Administrators",BUILTIN\Administrators,=,Medium +2.2.38,"User Rights Assignment","Shut down the system",accesschk,SeShutdownPrivilege,,,,,,"BUILTIN\Backup Operators;BUILTIN\Users;BUILTIN\Administrators",BUILTIN\Users;BUILTIN\Administrators,=,Medium +2.2.39,"User Rights Assignment","Take ownership of files or other objects",accesschk,SeTakeOwnershipPrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium +2.3.1.1,"Security Options","Accounts: Administrator account status",localaccount,500,,,,,,False,False,=,Medium +2.3.1.2,"Security Options","Accounts: Block Microsoft accounts",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,NoConnectedUser,,,,0,3,=,Low +2.3.1.3,"Security Options","Accounts: Guest account status",localaccount,501,,,,,,False,False,=,Medium +2.3.1.4,"Security Options","Accounts: Limit local account use of blank passwords to console logon only",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,LimitBlankPasswordUse,,,,1,1,=,Medium +2.3.1.5,"Security Options","Accounts: Rename administrator account",localaccount,500,,,,,,Administrator,Administrator,!=,Low +2.3.1.6,"Security Options","Accounts: Rename guest account",localaccount,501,,,,,,Guest,Guest,!=,Low +2.3.2.1,"Security Options","Audit: Force audit policy subcategory settings to override audit policy category settings",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,SCENoApplyLegacyAuditPolicy,,,,"",1,=,Low +2.3.2.2,"Security Options","Audit: Shut down system immediately if unable to log security audits",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\Lsa,CrashOnAuditFail,,,,0,0,=,Low +2.3.4.1,"Security Options","Devices: Allowed to format and eject removable media",Registry,,"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",AllocateDASD,,,,,2,=,Medium +2.3.4.2,"Security Options","Devices: Prevent users from installing printer drivers",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers",AddPrinterDrivers,,,,0,1,=,Medium +2.3.6.1,"Security Options","Domain member: Digitally encrypt or sign secure channel data (always)",Registry,,HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters,RequireSignOrSeal,,,,1,1,=,Medium +2.3.6.2,"Security Options","Domain member: Digitally encrypt secure channel data (when possible)",Registry,,HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters,SealSecureChannel,,,,1,1,=,Medium +2.3.6.3,"Security Options","Domain member: Digitally sign secure channel data (when possible)",Registry,,HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters,SignSecureChannel,,,,1,1,=,Medium +2.3.6.4,"Security Options","Domain member: Disable machine account password changes",Registry,,HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters,DisablePasswordChange,,,,0,0,=,Medium +2.3.6.5,"Security Options","Domain member: Maximum machine account password age",Registry,,HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters,MaximumPasswordAge,,,,30,30,<=!0,Medium +2.3.6.6,"Security Options","Domain member: Require strong (Windows 2000 or later) session key",Registry,,HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters,RequireStrongKey,,,,1,1,=,Medium +2.3.7.1,"Security Options","Interactive logon: Do not require CTRL+ALT+DEL",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System,DisableCAD,,,,1,0,=,Low +2.3.7.2,"Security Options","Interactive logon: Don't display last signed-in",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System,DontDisplayLastUserName,,,,0,1,=,Low +2.3.7.3,"Security Options","Interactive logon: Machine account lockout threshold",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,MaxDevicePasswordFailedAttempts,,,,10,10,<=!0,Medium +2.3.7.4,"Security Options","Interactive logon: Machine inactivity limit",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,InactivityTimeoutSecs,,,,900,900,<=!0,Medium +2.3.7.5,"Security Options","Interactive logon: Message text for users attempting to log on",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,LegalNoticeText,,,,,,!=,Low +2.3.7.6,"Security Options","Interactive logon: Message title for users attempting to log on",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,LegalNoticeCaption,,,,,,!=,Low +2.3.7.7,"Security Options","Interactive logon: Number of previous logons to cache (in case domain controller is not available)",Registry,,"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",CachedLogonsCount,,,,10,4,<=,Medium +2.3.7.8.1,"Security Options","Interactive logon: Prompt user to change password before expiration (Max)",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,PasswordExpiryWarning,,,,5,14,<=,Low +2.3.7.8.2,"Security Options","Interactive logon: Prompt user to change password before expiration (Min)",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,PasswordExpiryWarning,,,,5,5,>=,Low +2.3.7.9,"Security Options","Interactive logon: Smart card removal behavior",Registry,,"HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon",ScRemoveOption,,,,0,1,=,Low +2.3.8.1,"Security Options","Microsoft network client: Digitally sign communications (always)",Registry,,HKLM:\System\CurrentControlSet\Services\LanmanWorkstation\Parameters,RequireSecuritySignature,,,,0,1,=,Medium +2.3.8.2,"Security Options","Microsoft network client: Digitally sign communications (if server agrees)",Registry,,HKLM:\System\CurrentControlSet\Services\LanmanWorkstation\Parameters,EnableSecuritySignature,,,,1,1,=,Medium +2.3.8.3,"Security Options","Microsoft network client: Send unencrypted password to third-party SMB servers",Registry,,HKLM:\System\CurrentControlSet\Services\LanmanWorkstation\Parameters,EnablePlainTextPassword,,,,0,0,=,Medium +2.3.9.1,"Security Options","Microsoft network server: Amount of idle time required before suspending session",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters,AutoDisconnect,,,,15,15,<=,Medium +2.3.9.2,"Security Options","Microsoft network server: Digitally sign communications (always)",Registry,,HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters,RequireSecuritySignature,,,,0,1,=,Medium +2.3.9.3,"Security Options","Microsoft network server: Digitally sign communications (if client agrees)",Registry,,HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters,EnableSecuritySignature,,,,0,1,=,Medium +2.3.9.4,"Security Options","Microsoft network server: Disconnect clients when logon hours expire",Registry,,HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters,enableforcedlogoff,,,,1,1,=,Medium +2.3.9.5,"Security Options","Microsoft network server: Server SPN target name validation level",Registry,,HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters,SMBServerNameHardeningLevel,,,,,1,>=,Medium +2.3.10.1,"Security Options","Network access: Allow anonymous SID/Name translation",secedit,"System Access\LSAAnonymousNameLookup",,,,,,0,0,=,Medium +2.3.10.2,"Security Options","Network access: Do not allow anonymous enumeration of SAM accounts",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,RestrictAnonymousSAM,,,,1,1,=,Medium +2.3.10.3,"Security Options","Network access: Do not allow anonymous enumeration of SAM accounts and shares",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,RestrictAnonymous,,,,0,1,=,Medium +2.3.10.4,"Security Options","Network access: Do not allow storage of passwords and credentials for network authentication",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,DisableDomainCreds,,,,0,1,=,Medium +2.3.10.5,"Security Options","Network access: Let Everyone permissions apply to anonymous users",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,EveryoneIncludesAnonymous,,,,0,0,=,Medium +2.3.10.6,"Security Options","Network access: Named Pipes that can be accessed anonymously",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters,NullSessionPipes,,,,,,=,Medium +2.3.10.7,"Security Options","Network access: Remotely accessible registry paths",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths,Machine,,,,"System\CurrentControlSet\Control\ProductOptions System\CurrentControlSet\Control\Server Applications Software\Microsoft\Windows NT\CurrentVersion","System\CurrentControlSet\Control\ProductOptions;System\CurrentControlSet\Control\Server Applications;Software\Microsoft\Windows NT\CurrentVersion",=,Medium +2.3.10.8,"Security Options","Network access: Remotely accessible registry paths and sub-paths",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths,Machine,,,,"System\CurrentControlSet\Control\Print\Printers System\CurrentControlSet\Services\Eventlog Software\Microsoft\OLAP Server Software\Microsoft\Windows NT\CurrentVersion\Print Software\Microsoft\Windows NT\CurrentVersion\Windows System\CurrentControlSet\Control\ContentIndex System\CurrentControlSet\Control\Terminal Server System\CurrentControlSet\Control\Terminal Server\UserConfig System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration Software\Microsoft\Windows NT\CurrentVersion\Perflib System\CurrentControlSet\Services\SysmonLog","System\CurrentControlSet\Control\Print\Printers;System\CurrentControlSet\Services\Eventlog;Software\Microsoft\OLAP Server;Software\Microsoft\Windows NT\CurrentVersion\Print;Software\Microsoft\Windows NT\CurrentVersion\Windows;System\CurrentControlSet\Control\ContentIndex;System\CurrentControlSet\Control\Terminal Server;System\CurrentControlSet\Control\Terminal Server\UserConfig;System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration;Software\Microsoft\Windows NT\CurrentVersion\Perflib;System\CurrentControlSet\Services\SysmonLog",=,Medium +2.3.10.9,"Security Options","Network access: Restrict anonymous access to Named Pipes and Shares",Registry,,HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters,RestrictNullSessAccess,,,,1,1,=,Medium +2.3.10.10,"Security Options","Network access: Restrict clients allowed to make remote calls to SAM",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,RestrictRemoteSAM,,,,,O:BAG:BAD:(A;;RC;;;BA),=,Medium +2.3.10.11,"Security Options","Network access: Shares that can be accessed anonymously",Registry,,HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters,NullSessionShares,,,,,,=,Medium +2.3.10.12,"Security Options","Network access: Sharing and security model for local accounts",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,ForceGuest,,,,0,0,=,Medium +2.3.11.1,"Security Options","Network security: Allow Local System to use computer identity for NTLM",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,UseMachineId,,,,,1,=,Medium +2.3.11.2,"Security Options","Network security: Allow LocalSystem NULL session fallback",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0,allownullsessionfallback,,,,0,0,=,Medium +2.3.11.3,"Security Options","Network security: Allow PKU2U authentication requests to this computer to use online identities",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa\pku2u,AllowOnlineID,,,,,0,=,Medium +2.3.11.4,"Security Options","Network security: Configure encryption types allowed for Kerberos",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters,SupportedEncryptionTypes,,,,,2147483640,<=,Medium +2.3.11.5,"Security Options","Network security: Do not store LAN Manager hash value on next password change",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,NoLMHash,,,,1,1,=,High +2.3.11.6,"Security Options","Network security: Force logoff when logon hours expires",secedit,"System Access\ForceLogoffWhenHourExpire",,,,,,0,1,=,Low +2.3.11.7,"Security Options","Network security: LAN Manager authentication level",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,LmCompatibilityLevel,,,,3,5,=,Medium +2.3.11.8,"Security Options","Network security: LDAP client signing requirements",Registry,,HKLM:\System\CurrentControlSet\Services\LDAP,LDAPClientIntegrity,,,,1,1,>=,Medium +2.3.11.9,"Security Options","Network security: Minimum session security for NTLM SSP based (including secure RPC) clients",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0,NTLMMinClientSec,,,,536870912,537395200,=,Medium +2.3.11.10,"Security Options","Network security: Minimum session security for NTLM SSP based (including secure RPC) servers",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0,NTLMMinServerSec,,,,536870912,537395200,=,Medium +2.3.14.1,"Security Options","System cryptography: Force strong key protection for user keys stored on the computer",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Cryptography,ForceKeyProtection,,,,,1,>=,Medium +2.3.15.1,"Security Options","System objects: Require case insensitivity for non-Windows subsystem",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel",ObCaseInsensitive,,,,,1,=,Medium +2.3.15.2,"Security Options","System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)",Registry,,"HKLM:\System\CurrentControlSet\Control\Session Manager",ProtectionMode,,,,1,1,=,Medium +2.3.17.1,"Security Options","User Account Control: Admin Approval Mode for the Built-in Administrator account",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,FilterAdministratorToken,,,,0,1,=,Medium +2.3.17.2,"Security Options","User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,ConsentPromptBehaviorAdmin,,,,5,2,=,Medium +2.3.17.3,"Security Options","User Account Control: Behavior of the elevation prompt for standard users",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,ConsentPromptBehaviorUser,,,,0,0,=,Medium +2.3.17.4,"Security Options","User Account Control: Detect application installations and prompt for elevation",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,EnableInstallerDetection,,,,1,1,=,Medium +2.3.17.5,"Security Options","User Account Control: Only elevate UIAccess applications that are installed in secure locations",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,EnableSecureUIAPaths,,,,1,1,=,Medium +2.3.17.6,"Security Options","User Account Control: Run all administrators in Admin Approval Mode",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,EnableLUA,,,,1,1,=,Medium +2.3.17.7,"Security Options","User Account Control: Switch to the secure desktop when prompting for elevation",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,PromptOnSecureDesktop,,,,1,1,=,Medium +2.3.17.8,"Security Options","User Account Control: Virtualize file and registry write failures to per-user locations",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,EnableVirtualization,,,,1,1,=,Medium +5.1.1,"System Services","Bluetooth Audio Gateway Service (BTAGService)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\BTAGService,Start,,,,3,4,=,Medium +5.1.2,"System Services","Bluetooth Audio Gateway Service (BTAGService) (Service Startup type)",service,BTAGService,,,,,,Manual,Disabled,=,Medium +5.2.1,"System Services","Bluetooth Support Service (bthserv)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\bthserv,Start,,,,3,4,=,Medium +5.2.2,"System Services","Bluetooth Support Service (bthserv) (Service Startup type)",service,bthserv,,,,,,Manual,Disabled,=|0,Medium +5.3.1,"System Services","Computer Browser (Browser)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\Browser,Start,,,,,4,=|0,Medium +5.3.2,"System Services","Computer Browser (Browser) (Service Startup type) (!Check for false positive for service ""bowser""!)",service,Browser,,,,,,Manual,Disabled,=|0,Medium +5.4.1,"System Services","Downloaded Maps Manager (MapsBroker)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\MapsBroker,Start,,,,2,4,=,Medium +5.4.2,"System Services","Downloaded Maps Manager (MapsBroker) (Service Startup type)",service,MapsBroker,,,,,,Automatic,Disabled,=,Medium +5.5.1,"System Services","Geolocation Service (lfsvc)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\lfsvc,Start,,,,3,4,=,Medium +5.5.2,"System Services","Geolocation Service (lfsvc) (Service Startup type)",service,lfsvc,,,,,,Manual,Disabled,=|0,Medium +5.6.1,"System Services","IIS Admin Service (IISADMIN)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\IISADMIN,Start,,,,,4,=|0,Medium +5.6.2,"System Services","IIS Admin Service (IISADMIN) (Service Startup type)",service,IISADMIN,,,,,,"",Disabled,=|0,Medium +5.7.1,"System Services","Infrared monitor service (irmon)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\irmon,Start,,,,,4,=,Medium +5.7.2,"System Services","Infrared monitor service (irmon) (Service Startup type)",service,irmon,,,,,,,Disabled,=,Medium +5.8.1,"System Services","Internet Connection Sharing (ICS) (SharedAccess)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess,Start,,,,3,4,=,Medium +5.8.2,"System Services","Internet Connection Sharing (ICS) (SharedAccess) (Service Startup type)",service,SharedAccess,,,,,,Manual,Disabled,=,Medium +5.9.1,"System Services","Link-Layer Topology Discovery Mapper (lltdsvc)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\lltdsvc,Start,,,,3,4,=,Medium +5.9.2,"System Services","Link-Layer Topology Discovery Mapper (lltdsvc) (Service Startup type)",service,lltdsvc,,,,,,Manual,Disabled,=,Medium +5.10.1,"System Services","LxssManager (LxssManager)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\LxssManager,Start,,,,"",4,=|0,Medium +5.10.2,"System Services","LxssManager (LxssManager) (Service Startup type)",service,LxssManager,,,,,,,Disabled,=|0,Medium +5.11.1,"System Services","Microsoft FTP Service (FTPSVC)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\FTPSVC,Start,,,,,4,=|0,Medium +5.11.2,"System Services","Microsoft FTP Service (FTPSVC) (Service Startup type)",service,FTPSVC,,,,,,"",Disabled,=|0,Medium +5.12.1,"System Services","Microsoft iSCSI Initiator Service (MSiSCSI)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\MSiSCSI,Start,,,,3,4,=,Medium +5.12.2,"System Services","Microsoft iSCSI Initiator Service (MsiSCSI) (Service Startup type)",service,MsiSCSI,,,,,,Manual,Disabled,=,Medium +5.13.1,"System Services","OpenSSH SSH Server (sshd)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\sshd,Start,,,,,4,=|0,Medium +5.13.2,"System Services","OpenSSH SSH Server (sshd) (Service Startup type)",service,sshd,,,,,,,Disabled,=|0,Medium +5.14.1,"System Services","Peer Name Resolution Protocol (PNRPsvc)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\PNRPsvc,Start,,,,3,4,=,Medium +5.14.2,"System Services","Peer Name Resolution Protocol (PNRPsvc) (Service Startup type)",service,PNRPsvc,,,,,,Manual,Disabled,=,Medium +5.15.1,"System Services","Peer Networking Grouping (p2psvc)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\p2psvc,Start,,,,3,4,=,Medium +5.15.2,"System Services","Peer Networking Grouping (p2psvc) (Service Startup type)",service,p2psvc,,,,,,Manual,Disabled,=,Medium +5.16.1,"System Services","Peer Networking Identity Manager (p2pimsvc)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\p2pimsvc,Start,,,,3,4,=,Medium +5.16.2,"System Services","Peer Networking Identity Manager (p2pimsvc) (Service Startup type)",service,p2pimsvc,,,,,,Manual,Disabled,=,Medium +5.17.1,"System Services","PNRP Machine Name Publication Service (PNRPAutoReg)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\PNRPAutoReg,Start,,,,3,4,=,Medium +5.17.2,"System Services","PNRP Machine Name Publication Service (PNRPAutoReg) (Service Startup type)",service,PNRPAutoReg,,,,,,Manual,Disabled,=,Medium +5.18.1,"System Services","Print Spooler (Spooler)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\Spooler,Start,,,,2,4,=,Medium +5.18.2,"System Services","Print Spooler (Spooler) (Service Startup type)",service,Spooler,,,,,,Automatic,Disabled,=,Medium +5.19.1,"System Services","Problem Reports and Solutions Control Panel Support (wercplsupport)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\wercplsupport,Start,,,,3,4,=,Medium +5.19.2,"System Services","Problem Reports and Solutions Control Panel Support (wercplsupport) (Service Startup type)",service,wercplsupport,,,,,,Manual,Disabled,=,Medium +5.20.1,"System Services","Remote Access Auto Connection Manager (RasAuto)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\RasAuto,Start,,,,3,4,=,Medium +5.20.2,"System Services","Remote Access Auto Connection Manager (RasAuto) (Service Startup type)",service,RasAuto,,,,,,Manual,Disabled,=,Medium +5.21.1,"System Services","Remote Desktop Configuration (SessionEnv)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\SessionEnv,Start,,,,3,4,=,Medium +5.21.2,"System Services","Remote Desktop Configuration (SessionEnv) (Service Startup type)",service,SessionEnv,,,,,,Manual,Disabled,=,Medium +5.22.1,"System Services","Remote Desktop Services (TermService)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\TermService,Start,,,,3,4,=,Medium +5.22.1,"System Services","Remote Desktop Services (TermService) (Service Startup type)",service,TermService,,,,,,Manual,Disabled,=,Medium +5.23.1,"System Services","Remote Desktop Services UserMode Port Redirector (UmRdpService)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\UmRdpService,Start,,,,3,4,=,Medium +5.23.2,"System Services","Remote Desktop Services UserMode Port Redirector (UmRdpService) (Service Startup type)",service,UmRdpService,,,,,,Manual,Disabled,=,Medium +5.24.1,"System Services","Remote Procedure Call (RPC) Locator (RpcLocator)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\RpcLocator,Start,,,,3,4,=,Medium +5.24.2,"System Services","Remote Procedure Call (RPC) Locator (RpcLocator) (Service Startup type)",service,RpcLocator,,,,,,Manual,Disabled,=,Medium +5.25.1,"System Services","Remote Registry (RemoteRegistry)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\RemoteRegistry,Start,,,,4,4,=,Medium +5.25.2,"System Services","Remote Registry (RemoteRegistry) (Service Startup type)",service,RemoteRegistry,,,,,,Disabled,Disabled,=,Medium +5.26.1,"System Services","Routing and Remote Access (RemoteAccess)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\RemoteAccess,Start,,,,4,4,=,Medium +5.26.2,"System Services","Routing and Remote Access (RemoteAccess) (Service Startup type)",service,RemoteAccess,,,,,,Disabled,Disabled,=,Medium +5.27.1,"System Services","Server (LanmanServer)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer,Start,,,,2,4,=,Medium +5.27.2,"System Services","Server (LanmanServer) (Service Startup type)",service,LanmanServer,,,,,,Automatic,Disabled,=,Medium +5.28.1,"System Services","Simple TCP/IP Services (simptcp)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\simptcp,Start,,,,,4,=|0,Medium +5.28.2,"System Services","Simple TCP/IP Services (simptcp) (Service Startup type)",service,simptcp,,,,,,"",Disabled,=|0,Medium +5.29.1,"System Services","SNMP Service (SNMP)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\SNMP,Start,,,,,4,=|0,Medium +5.29.2,"System Services","SNMP Service (SNMP) (Service Startup type)",service,SNMP,,,,,,"",Disabled,=|0,Medium +5.30.1,"System Services","Special Administration Console Helper (sacsvr)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\sacsvr,Start,,,,,4,=,Medium +5.30.2,"System Services","Special Administration Console Helper (sacsvr) (Service Startup type)",service,sacsvr,,,,,,,Disabled,=,Medium +5.31.1,"System Services","SSDP Discovery (SSDPSRV)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\SSDPSRV,Start,,,,3,4,=,Medium +5.31.2,"System Services","SSDP Discovery (SSDPSRV) (Service Startup type)",service,SSDPSRV,,,,,,Manual,Disabled,=,Medium +5.32.1,"System Services","UPnP Device Host (upnphost)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\upnphost,Start,,,,3,4,=,Medium +5.32.2,"System Services","UPnP Device Host (upnphost) (Service Startup type)",service,upnphost,,,,,,Manual,Disabled,=,Medium +5.33.1,"System Services","Web Management Service (WMSvc)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\WMSvc,Start,,,,,4,=|0,Medium +5.33.2,"System Services","Web Management Service (WMSvc) (Service Startup type)",service,WMSvc,,,,,,"",Disabled,=|0,Medium +5.34.1,"System Services","Windows Error Reporting Service (WerSvc)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\WerSvc,Start,,,,3,4,=,Medium +5.34.2,"System Services","Windows Error Reporting Service (WerSvc) (Service Startup type)",service,WerSvc,,,,,,Manual,Disabled,=,Medium +5.35.1,"System Services","Windows Event Collector (Wecsvc)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\Wecsvc,Start,,,,3,4,=,Medium +5.35.2,"System Services","Windows Event Collector (Wecsvc) (Service Startup type)",service,Wecsvc,,,,,,Manual,Disabled,=,Medium +5.36.1,"System Services","Windows Media Player Network Sharing Service (WMPNetworkSvc)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\WMPNetworkSvc,Start,,,,3,4,=,Medium +5.36.2,"System Services","Windows Media Player Network Sharing Service (WMPNetworkSvc) (Service Startup type)",service,WMPNetworkSvc,,,,,,Manual,Disabled,=,Medium +5.37.1,"System Services","Windows Mobile Hotspot Service (icssvc)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\icssvc,Start,,,,3,4,=,Medium +5.37.2,"System Services","Windows Mobile Hotspot Service (icssvc) (Service Startup type)",service,icssvc,,,,,,Manual,Disabled,=,Medium +5.38.1,"System Services","Windows Push Notifications System Service (WpnService)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\WpnService,Start,,,,2,4,=,Medium +5.38.2,"System Services","Windows Push Notifications System Service (WpnService) (Service Startup type)",service,WpnService,,,,,,Automatic,Disabled,=,Medium +5.39.1,"System Services","Windows PushToInstall Service (PushToInstall)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\PushToInstall,Start,,,,3,4,=,Medium +5.39.2,"System Services","Windows PushToInstall Service (PushToInstall) (Service Startup type)",service,PushToInstall,,,,,,Manual,Disabled,=,Medium +5.40.1,"System Services","Windows Remote Management (WS-Management) (WinRM)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\WinRM,Start,,,,3,4,=,Medium +5.40.1,"System Services","Windows Remote Management (WS-Management) (WinRM) (Service Startup type)",service,WinRM,,,,,,Manual,Disabled,=,Medium +5.41.1,"System Services","World Wide Web Publishing Service (W3SVC)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\W3SVC,Start,,,,,4,=|0,Medium +5.41.2,"System Services","World Wide Web Publishing Service (W3SVC) (Service Startup type)",service,W3SVC,,,,,,,Disabled,=|0,Medium +5.42.1,"System Services","Xbox Accessory Management Service (XboxGipSvc)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\XboxGipSvc,Start,,,,3,4,=,Medium +5.42.2,"System Services","Xbox Accessory Management Service (XboxGipSvc) (Service Startup type)",service,XboxGipSvc,,,,,,Manual,Disabled,=,Medium +5.43.1,"System Services","Xbox Live Auth Manager (XblAuthManager)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\XblAuthManager,Start,,,,3,4,=,Medium +5.43.2,"System Services","Xbox Live Auth Manager (XblAuthManager) (Service Startup type)",service,XblAuthManager,,,,,,Manual,Disabled,=,Medium +5.44.1,"System Services","Xbox Live Game Save (XblGameSave)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\XblGameSave,Start,,,,3,4,=,Medium +5.44.2,"System Services","Xbox Live Game Save (XblGameSave) (Service Startup type)",service,XblGameSave,,,,,,Manual,Disabled,=,Medium +5.45.1,"System Services","Xbox Live Networking Service (XboxNetApiSvc)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\XboxNetApiSvc,Start,,,,3,4,=,Medium +5.45.2,"System Services","Xbox Live Networking Service (XboxNetApiSvc) (Service Startup type)",service,XboxNetApiSvc,,,,,,Manual,Disabled,=,Medium +9.1.1,"Windows Firewall","EnableFirewall (Domain Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile,EnableFirewall,,,,0,1,=,Medium +9.1.2,"Windows Firewall","Inbound Connections (Domain Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile,DefaultInboundAction,,,,1,1,=,Medium +9.1.3,"Windows Firewall","Outbound Connections (Domain Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile,DefaultOutboundAction,,,,0,0,=,Medium +9.1.4,"Windows Firewall","Display a notification (Domain Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile,DisableNotifications,,,,0,1,=,Low +9.1.5,"Windows Firewall","Name of log file (Domain Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging,LogFilePath,,,,%SystemRoot%\System32\logfiles\firewall\pfirewall.log,%SystemRoot%\System32\logfiles\firewall\domainfw.log,=,Low +9.1.6,"Windows Firewall","Log size limit (Domain Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging,LogFileSize,,,,4096,16384,>=,Medium +9.1.7,"Windows Firewall","Log dropped packets (Domain Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging,LogDroppedPackets,,,,0,1,=,Medium +9.1.8,"Windows Firewall","Log successful connections (Domain Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging,LogSuccessfulConnections,,,,0,1,=,Low +9.2.1,"Windows Firewall","EnableFirewall (Private Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile,EnableFirewall,,,,0,1,=,Medium +9.2.2,"Windows Firewall","Inbound Connections (Private Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile,DefaultInboundAction,,,,1,1,=,Medium +9.2.3,"Windows Firewall","Outbound Connections (Private Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile,DefaultOutboundAction,,,,0,0,=,Medium +9.2.4,"Windows Firewall","Display a notification (Private Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile,DisableNotifications,,,,0,1,=,Low +9.2.5,"Windows Firewall","Name of log file (Private Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging,LogFilePath,,,,%SystemRoot%\System32\logfiles\firewall\pfirewall.log,%SystemRoot%\System32\logfiles\firewall\privatefw.log,=,Low +9.2.6,"Windows Firewall","Log size limit (Private Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging,LogFileSize,,,,4096,16384,>=,Medium +9.2.7,"Windows Firewall","Log dropped packets (Private Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging,LogDroppedPackets,,,,0,1,=,Medium +9.2.8,"Windows Firewall","Log successful connections (Private Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging,LogSuccessfulConnections,,,,0,1,=,Low +9.3.1,"Windows Firewall","EnableFirewall (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile,EnableFirewall,,,,0,1,=,Medium +9.3.2,"Windows Firewall","Inbound Connections (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile,DefaultInboundAction,,,,1,1,=,Medium +9.3.3,"Windows Firewall","Outbound Connections (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile,DefaultOutboundAction,,,,0,0,=,Medium +9.3.4,"Windows Firewall","Display a notification (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile,DisableNotifications,,,,0,1,=,Low +9.3.5,"Windows Firewall","Apply local firewall rules (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile,AllowLocalPolicyMerge,,,,0,0,=,Low +9.3.6,"Windows Firewall","Apply local connection security rules (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile,AllowLocalIPsecPolicyMerge,,,,0,0,=,Low +9.3.7,"Windows Firewall","Name of log file (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging,LogFilePath,,,,%SystemRoot%\System32\logfiles\firewall\pfirewall.log,%SystemRoot%\System32\logfiles\firewall\publicfw.log,=,Low +9.3.8,"Windows Firewall","Log size limit (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging,LogFileSize,,,,4096,16384,>=,Medium +9.3.9,"Windows Firewall","Log dropped packets (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging,LogDroppedPackets,,,,0,1,=,Medium +9.3.10,"Windows Firewall","Log successful connections (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging,LogSuccessfulConnections,,,,0,1,=,Low +17.1.1,"Advanced Audit Policy Configuration","Credential Validation",auditpol,{0CCE923F-69AE-11D9-BED3-505054503030},,,,,,"No Auditing","Success and Failure",=,Low +17.2.1,"Advanced Audit Policy Configuration","Application Group Management",auditpol,{0CCE9239-69AE-11D9-BED3-505054503030},,,,,,"No Auditing","Success and Failure",=,Low +17.2.2,"Advanced Audit Policy Configuration","Security Group Management",auditpol,{0CCE9237-69AE-11D9-BED3-505054503030},,,,,,Success,Success,contains,Low +17.2.3,"Advanced Audit Policy Configuration","User Account Management",auditpol,{0CCE9235-69AE-11D9-BED3-505054503030},,,,,,Success,"Success and Failure",=,Low +17.3.1,"Advanced Audit Policy Configuration","Plug and Play Events",auditpol,{0cce9248-69ae-11d9-bed3-505054503030},,,,,,"No Auditing",Success,contains,Low +17.3.2,"Advanced Audit Policy Configuration","Process Creation",auditpol,{0CCE922B-69AE-11D9-BED3-505054503030},,,,,,"No Auditing",Success,contains,Low +17.5.1,"Advanced Audit Policy Configuration","Account Lockout",auditpol,{0CCE9217-69AE-11D9-BED3-505054503030},,,,,,Success,Failure,contains,Low +17.5.2,"Advanced Audit Policy Configuration","Group Membership",auditpol,{0cce9249-69ae-11d9-bed3-505054503030},,,,,,"No Auditing",Success,contains,Low +17.5.3,"Advanced Audit Policy Configuration",Logoff,auditpol,{0CCE9216-69AE-11D9-BED3-505054503030},,,,,,Success,Success,contains,Low +17.5.4,"Advanced Audit Policy Configuration",Logon,auditpol,{0CCE9215-69AE-11D9-BED3-505054503030},,,,,,"Success and Failure","Success and Failure",=,Low +17.5.5,"Advanced Audit Policy Configuration","Other Logon/Logoff Events",auditpol,{0CCE921C-69AE-11D9-BED3-505054503030},,,,,,"No Auditing","Success and Failure",=,Low +17.5.6,"Advanced Audit Policy Configuration","Special Logon",auditpol,{0CCE921B-69AE-11D9-BED3-505054503030},,,,,,Success,Success,contains,Low +17.6.1,"Advanced Audit Policy Configuration","Detailed File Share",auditpol,{0CCE9244-69AE-11D9-BED3-505054503030},,,,,,"No Auditing",Failure,contains,Low +17.6.2,"Advanced Audit Policy Configuration","File Share",auditpol,{0CCE9224-69AE-11D9-BED3-505054503030},,,,,,"No Auditing","Success and Failure",=,Low +17.6.3,"Advanced Audit Policy Configuration","Other Object Access Events",auditpol,{0CCE9227-69AE-11D9-BED3-505054503030},,,,,,"No Auditing","Success and Failure",=,Low +17.6.4,"Advanced Audit Policy Configuration","Removable Storage",auditpol,{0CCE9245-69AE-11D9-BED3-505054503030},,,,,,"No Auditing","Success and Failure",=,Low +17.7.1,"Advanced Audit Policy Configuration","Audit Policy Change",auditpol,{0CCE922F-69AE-11D9-BED3-505054503030},,,,,,Success,Success,contains,Low +17.7.2,"Advanced Audit Policy Configuration","Authentication Policy Change",auditpol,{0CCE9230-69AE-11D9-BED3-505054503030},,,,,,Success,Success,contains,Low +17.7.3,"Advanced Audit Policy Configuration","Authorization Policy Change",auditpol,{0CCE9231-69AE-11D9-BED3-505054503030},,,,,,"No Auditing",Success,contains,Low +17.7.4,"Advanced Audit Policy Configuration","MPSSVC Rule-Level Policy Change",auditpol,{0CCE9232-69AE-11D9-BED3-505054503030},,,,,,"No Auditing","Success and Failure",=,Low +17.7.5,"Advanced Audit Policy Configuration","Other Policy Change Events",auditpol,{0CCE9234-69AE-11D9-BED3-505054503030},,,,,,"No Auditing",Failure,contains,Low +17.8.1,"Advanced Audit Policy Configuration","Sensitive Privilege Use",auditpol,{0CCE9228-69AE-11D9-BED3-505054503030},,,,,,"No Auditing","Success and Failure",=,Low +17.9.1,"Advanced Audit Policy Configuration","IPsec Driver",auditpol,{0CCE9213-69AE-11D9-BED3-505054503030},,,,,,"No Auditing","Success and Failure",=,Low +17.9.2,"Advanced Audit Policy Configuration","Other System Events",auditpol,{0CCE9214-69AE-11D9-BED3-505054503030},,,,,,"Success and Failure","Success and Failure",=,Low +17.9.3,"Advanced Audit Policy Configuration","Security State Change",auditpol,{0CCE9210-69AE-11D9-BED3-505054503030},,,,,,Success,Success,contains,Low +17.9.4,"Advanced Audit Policy Configuration","Security System Extension",auditpol,{0CCE9211-69AE-11D9-BED3-505054503030},,,,,,"No Auditing",Success,contains,Low +17.9.5,"Advanced Audit Policy Configuration","System Integrity",auditpol,{0CCE9212-69AE-11D9-BED3-505054503030},,,,,,"Success and Failure","Success and Failure",=,Low +18.1.1.1,"Administrative Templates: Control Panel","Personalization: Prevent enabling lock screen camera",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Personalization,NoLockScreenCamera,,,,0,1,=,Low +18.1.1.2,"Administrative Templates: Control Panel","Personalization: Prevent enabling lock screen slide show",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Personalization,NoLockScreenSlideshow,,,,0,1,=,Low +18.1.2.2,"Administrative Templates: Control Panel","Regional and Language Options: Allow users to enable online speech recognition services",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\InputPersonalization,AllowInputPersonalization,,,,1,0,=,Medium +18.1.3,"Administrative Templates: Control Panel","Allow Online Tips",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer,AllowOnlineTips,,,,1,0,=,Medium +18.2.1,"Administrative Templates: LAPS","LAPS AdmPwd GPO Extension / CSE",Registry,,"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA}",DllName,,,,,"C:\Program Files\LAPS\CSE\AdmPwd.dll",=,Medium +18.2.2,"Administrative Templates: LAPS","Do not allow password expiration time longer than required by policy",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd",PwdExpirationProtectionEnabled,,,,,1,=,Medium +18.2.3,"Administrative Templates: LAPS","Enable local admin password management",Registry,,"HKLM:\Software\Policies\Microsoft Services\AdmPwd",AdmPwdEnabled,,,,,1,=,Medium +18.2.4,"Administrative Templates: LAPS","Password Settings: Password Complexity",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd",PasswordComplexity,,,,,4,=,Medium +18.2.5,"Administrative Templates: LAPS","Password Settings: Password Length",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd",PasswordLength,,,,,15,>=,Medium +18.2.6,"Administrative Templates: LAPS","Password Settings: Password Age (Days)",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd",PasswordLength,,,,,30,<=,Medium +18.3.1,"MS Security Guide","Apply UAC restrictions to local accounts on network logons",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,LocalAccountTokenFilterPolicy,,,,,0,=,Medium +18.3.2,"MS Security Guide","Configure SMB v1 client driver",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\MrxSmb10,Start,,,,,4,=,Medium +18.3.3,"MS Security Guide","Configure SMB v1 server",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters,SMB1,,,,,0,=,Medium +18.3.4,"MS Security Guide","Enable Structured Exception Handling Overwrite Protection (SEHOP)",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel",DisableExceptionChainValidation,,,,,0,=,Medium +18.3.5,"MS Security Guide","Limits print driver installation to Administrators",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint",RestrictDriverInstallationToAdministrators,,,,0,1,=,Medium +18.3.6,"MS Security Guide","NetBT NodeType configuration",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters,NodeType,,,,0,2,=,Medium +18.3.7,"MS Security Guide","WDigest Authentication",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest,UseLogonCredential,,,,0,0,=,High +18.4.1,"MSS (Legacy)","MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)",Registry,,"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",AutoAdminLogon,,,,0,0,=,Medium +18.4.2,"MSS (Legacy)","MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip6\Parameters,DisableIPSourceRouting,,,,,2,=,Medium +18.4.3,"MSS (Legacy)","MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,DisableIPSourceRouting,,,,,2,=,Medium +18.4.4,"MSS (Legacy)","MSS: (DisableSavePassword) Prevent the dial-up password from being saved",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\Parameters,DisableSavePassword,,,,,1,=,Medium +18.4.5,"MSS (Legacy)","MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,EnableICMPRedirect,,,,,0,=,Medium +18.4.6,"MSS (Legacy)","MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters,KeepAliveTime,,,,,300000,<=,Medium +18.4.7,"MSS (Legacy)","MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers",Registry,,HKLM:\System\CurrentControlSet\Services\Netbt\Parameters,NoNameReleaseOnDemand,,,,0,1,=,Medium +18.4.8,"MSS (Legacy)","MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters,PerformRouterDiscovery,,,,,0,=,Medium +18.4.9,"MSS (Legacy)","MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager",SafeDLLSearchMode,,,,0,1,=,Medium +18.4.10,"MSS (Legacy)","MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)",Registry,,"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",ScreenSaverGracePeriod,,,,5,5,<=,Medium +18.4.11,"MSS (Legacy)","MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip6\Parameters,TcpMaxDataRetransmissions,,,,5,3,<=,Medium +18.4.12,"MSS (Legacy)","MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,TcpMaxDataRetransmissions,,,,5,3,<=,Medium +18.4.13,"MSS (Legacy)","MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\Eventlog\Security,WarningLevel,,,,0,90,<=,Medium +18.5.4.1,"Administrative Templates: Network","DNS Client: Configure DNS over HTTPS (DoH) name resolution",Registry,,"HKLM:\Software\Policies\Microsoft\Windows NT\DNSClient",DoHPolicy,,,,,2,>=,Medium +18.5.4.2,"Administrative Templates: Network","DNS Client: Turn off multicast name resolution (LLMNR)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows NT\DNSClient",EnableMulticast,,,,1,0,=,Medium +18.5.5.1,"Administrative Templates: Network","Fonts: Enable Font Providers",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,EnableFontProviders,,,,1,0,=,Medium +18.5.8.1,"Administrative Templates: Network","Lanman Workstation: Enable insecure guest logons",Registry,,HKLM:\Software\Policies\Microsoft\Windows\LanmanWorkstation,AllowInsecureGuestAuth,,,,1,0,=,Medium +18.5.9.1.1,"Administrative Templates: Network","Link-Layer Topology Discovery: Turn on Mapper I/O (LLTDIO) driver (AllowLLTDIOOndomain)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\LLTD,AllowLLTDIOOndomain,,,,0,0,=,Medium +18.5.9.1.2,"Administrative Templates: Network","Link-Layer Topology Discovery: Turn on Mapper I/O (LLTDIO) driver (AllowLLTDIOOnPublicNet)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\LLTD,AllowLLTDIOOnPublicNet,,,,0,0,=,Medium +18.5.9.1.3,"Administrative Templates: Network","Link-Layer Topology Discovery: Turn on Mapper I/O (LLTDIO) driver (EnableLLTDIO)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\LLTD,EnableLLTDIO,,,,0,0,=,Medium +18.5.9.1.4,"Administrative Templates: Network","Link-Layer Topology Discovery: Turn on Mapper I/O (LLTDIO) driver (ProhibitLLTDIOOnPrivateNet)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\LLTD,ProhibitLLTDIOOnPrivateNet,,,,0,0,=,Medium +18.5.9.2.1,"Administrative Templates: Network","Turn on Responder (RSPNDR) driver (AllowRspndrOnDomain)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\LLTD,AllowRspndrOnDomain,,,,0,0,=,Medium +18.5.9.2.2,"Administrative Templates: Network","Turn on Responder (RSPNDR) driver (AllowRspndrOnPublicNet)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\LLTD,AllowRspndrOnPublicNet,,,,0,0,=,Medium +18.5.9.2.3,"Administrative Templates: Network","Turn on Responder (RSPNDR) driver (EnableRspndr)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\LLTD,EnableRspndr,,,,0,0,=,Medium +18.5.9.2.4,"Administrative Templates: Network","Turn on Responder (RSPNDR) driver (ProhibitRspndrOnPrivateNet)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\LLTD,ProhibitRspndrOnPrivateNet,,,,0,0,=,Medium +18.5.10.2,"Administrative Templates: Network","Turn off Microsoft Peer-to-Peer Networking Services",Registry,,HKLM:\Software\policies\Microsoft\Peernet,Disabled,,,,0,1,=,Medium +18.5.11.2,"Administrative Templates: Network","Network Connections: Prohibit installation and configuration of Network Bridge on your DNS domain network",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\Network Connections",NC_AllowNetBridge_NLA,,,,0,0,=,Medium +18.5.11.3,"Administrative Templates: Network","Network Connections: Prohibit use of Internet Connection Sharing on your DNS domain network",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\Network Connections",NC_ShowSharedAccessUI,,,,1,0,=,Medium +18.5.11.4,"Administrative Templates: Network","Network Connections: Require domain users to elevate when setting a network's location",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\Network Connections",NC_StdDomainUserSetLocation,,,,0,1,=,Medium +18.5.14.1.1,"Administrative Templates: Network","Network Provider: Hardened UNC Paths (NETLOGON)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths,\\*\NETLOGON,,,,,"RequireMutualAuthentication=1, RequireIntegrity=1",=,Medium +18.5.14.1.2,"Administrative Templates: Network","Network Provider: Hardened UNC Paths (SYSVOL)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths,\\*\SYSVOL,,,,,"RequireMutualAuthentication=1, RequireIntegrity=1",=,Medium +18.5.19.2.1,"Administrative Templates: Network","Disable IPv6",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters,DisabledComponents,,,,0,255,=,Medium +18.5.20.1.1,"Administrative Templates: Network","Windows Connect Now: Configuration of wireless settings using Windows Connect Now (EnableRegistrars)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars,EnableRegistrars,,,,1,0,=,Medium +18.5.20.1.2,"Administrative Templates: Network","Windows Connect Now: Configuration of wireless settings using Windows Connect Now (DisableUPnPRegistrar)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars,DisableUPnPRegistrar,,,,1,0,=,Medium +18.5.20.1.3,"Administrative Templates: Network","Windows Connect Now: Configuration of wireless settings using Windows Connect Now (DisableInBand802DOT11Registrar)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars,DisableInBand802DOT11Registrar,,,,1,0,=,Medium +18.5.20.1.4,"Administrative Templates: Network","Windows Connect Now: Configuration of wireless settings using Windows Connect Now (DisableFlashConfigRegistrar)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars,DisableFlashConfigRegistrar,,,,1,0,=,Medium +18.5.20.1.5,"Administrative Templates: Network","Windows Connect Now: Configuration of wireless settings using Windows Connect Now (DisableWPDRegistrar)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars,DisableWPDRegistrar,,,,1,0,=,Medium +18.5.20.2,"Administrative Templates: Network","Windows Connect Now: Prohibit access of the Windows Connect Now wizards",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WCN\UI,DisableWcnUi,,,,0,1,=,Medium +18.5.21.1,"Administrative Templates: Network","Windows Connection Manager: Minimize the number of simultaneous connections to the Internet or a Windows Domain",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy,fMinimizeConnections,,,,1,3,=,Medium +18.5.21.2,"Administrative Templates: Network","Windows Connection Manager: Prohibit connection to non-domain networks when connected to domain authenticated network",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WcmSvc\GroupPolicy,fBlockNonDomain,,,,,1,=,Medium +18.5.23.2.1,"Administrative Templates: Network","WLAN Settings: Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services",Registry,,HKLM:\Software\Microsoft\wcmsvc\wifinetworkmanager\config,AutoConnectAllowedOEM,,,,1,0,=,Medium +18.6.1,"Administrative Templates","Printers: Allow Print Spooler to accept client connections",Registry,,"HKLM:\Software\Policies\Microsoft\Windows NT\Printers",RegisterSpoolerRemoteRpcEndPoint,,,,1,2,=,Medium +18.6.2,"Administrative Templates","Printers: Point and Print Restrictions: When installing drivers for a new connection",Registry,,"HKLM:\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint",NoWarningNoElevationOnInstall,,,,0,0,=,Medium +18.6.3,"Administrative Templates","Printers: Point and Print Restrictions: When updating drivers for an existing connection",Registry,,"HKLM:\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint",UpdatePromptSettings,,,,0,0,=,Medium +18.7.1.1,"Administrative Templates: Start Menu and Taskbar","Notifications: Turn off notifications network usage",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications,NoCloudApplicationNotification,,,,0,1,=,Medium +18.8.3.1,"Administrative Templates: System","Audit Process Creation: Include command line in process creation events",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit,ProcessCreationIncludeCmdLine_Enabled,,,,0,1,=,Medium +18.8.4.1,"Administrative Templates: System","Credentials Delegation: Encryption Oracle Remediation",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters,AllowEncryptionOracle,,,,0,0,=,Medium +18.8.4.2,"Administrative Templates: System","Credentials Delegation: Remote host allows delegation of non-exportable credentials",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CredentialsDelegation,AllowProtectedCreds,,,,,1,=,Medium +18.8.5.1,"Administrative Templates: System","Device Guard: Turn On Virtualization Based Security (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,EnableVirtualizationBasedSecurity,,,,,1,=,Medium +18.8.5.2,"Administrative Templates: System","Device Guard: Select Platform Security Level (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,RequirePlatformSecurityFeatures,,,,,3,=,Medium +18.8.5.3,"Administrative Templates: System","Device Guard: Virtualization Based Protection of Code Integrity (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,HypervisorEnforcedCodeIntegrity,,,,,1,=,Medium +18.8.5.4,"Administrative Templates: System","Device Guard: Require UEFI Memory Attributes Table (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,HVCIMATRequired,,,,,1,=,Medium +18.8.5.5,"Administrative Templates: System","Device Guard: Credential Guard Configuration (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,LsaCfgFlags,,,,,1,=,Medium +18.8.5.6,"Administrative Templates: System","Device Guard: Secure Launch Configuration (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,ConfigureSystemGuardLaunch,,,,0,1,=,Medium +18.8.7.1.1,"Administrative Templates: System","Device Installation: Device Installation Restrictions: Prevent installation of devices that match an ID",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions,DenyDeviceIDs,,,,0,1,=,Medium +18.8.7.1.2,"Administrative Templates: System","Device Installation: Device Installation Restrictions: Prevent installation of devices that match ID PCI\CC_0C0A (Thunderbolt)",RegistryList,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceIDs,PCI\CC_0C0A,,,,0,PCI\CC_0C0A,=,Medium +18.8.7.1.3,"Administrative Templates: System","Device Installation: Device Installation Restrictions: Prevent installation of devices that match an ID (Retroactive)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions,DenyDeviceIDsRetroactive,,,,0,1,=,Medium +18.8.7.1.4,"Administrative Templates: System","Device Installation: Device Installation Restrictions: Prevent installation of devices using drivers that match an device setup class",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions,DenyDeviceClasses,,,,0,1,=,Medium +18.8.7.1.5.1,"Administrative Templates: System","Device Installation: Device Installation Restrictions: Prevent installation of devices using drivers that match d48179be-ec20-11d1-b6b8-00c04fa372a7 (SBP-2 drive)",RegistryList,,HKLM:\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceClasses,d48179be-ec20-11d1-b6b8-00c04fa372a7,,,,0,d48179be-ec20-11d1-b6b8-00c04fa372a7,=,Medium +18.8.7.1.5.2,"Administrative Templates: System","Device Installation: Device Installation Restrictions: Prevent installation of devices using drivers that match 7ebefbc0-3200-11d2-b4c2-00a0C9697d07 (SBP-2 drive)",RegistryList,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceClasses,7ebefbc0-3200-11d2-b4c2-00a0C9697d07,,,,0,7ebefbc0-3200-11d2-b4c2-00a0C9697d07,=,Medium +18.8.7.1.5.3,"Administrative Templates: System","Device Installation: Device Installation Restrictions: Prevent installation of devices using drivers that match c06ff265-ae09-48f0-812c-16753d7cba83 (SBP-2 drive)",RegistryList,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceClasses,c06ff265-ae09-48f0-812c-16753d7cba83,,,,0,c06ff265-ae09-48f0-812c-16753d7cba83,=,Medium +18.8.7.1.5.4,"Administrative Templates: System","Device Installation: Device Installation Restrictions: Prevent installation of devices using drivers that match 6bdd1fc1-810f-11d0-bec7-08002be2092f (SBP-2 drive)",RegistryList,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceClasses,6bdd1fc1-810f-11d0-bec7-08002be2092f,,,,0,6bdd1fc1-810f-11d0-bec7-08002be2092f,=,Medium +18.8.7.1.6,"Administrative Templates: System","Device Installation: Device Installation Restrictions: Prevent installation of devices using drivers that match an device setup class (Retroactive)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions,DenyDeviceClassesRetroactive,,,,0,1,=,Medium +18.8.7.2,"Administrative Templates: System","Device Installation: Device Installation Restrictions: Prevent device metadata retrieval from the Internet",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Device Metadata",PreventDeviceMetadataFromNetwork,,,,,1,=,Medium +18.8.14.1,"Administrative Templates: System","Early Launch Antimalware: Boot-Start Driver Initialization Policy",Registry,,HKLM:\System\CurrentControlSet\Policies\EarlyLaunch,DriverLoadPolicy,,,,0,3,=,Medium +18.8.21.2,"Administrative Templates: System","Group Policy: Do not apply during periodic background processing",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}",NoGPOListChanges,,,,0,0,=,Medium +18.8.21.3,"Administrative Templates: System","Group Policy: Process even if the Group Policy objects have not changed",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}",NoBackgroundPolicy,,,,1,0,=,Medium +18.8.21.4,"Administrative Templates: System","Group Policy: Continue experiences on this device",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,EnableCdp,,,,1,0,=,Medium +18.8.21.5,"Administrative Templates: System","Group Policy: Turn off background refresh of Group Policy",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,DisableBkGndGroupPolicy,,,,0,0,=,Medium +18.8.22.1.1,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off access to the Store",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Explorer,NoUseStoreOpenWith,,,,0,1,=,Medium +18.8.22.1.2,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off downloading of print drivers over HTTP",Registry,,"HKLM:\Software\Policies\Microsoft\Windows NT\Printers",DisableWebPnPDownload,,,,0,1,=,Medium +18.8.22.1.3,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off handwriting personalization data sharing",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\TabletPC,PreventHandwritingDataSharing,,,,0,1,=,Medium +18.8.22.1.4,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off handwriting recognition error reporting",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports,PreventHandwritingErrorReports,,,,0,1,=,Medium +18.8.22.1.5,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard",ExitOnMSICW,,,,0,1,=,Medium +18.8.22.1.6,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off Internet download for Web publishing and online ordering wizards",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoWebServices,,,,0,1,=,Medium +18.8.22.1.7,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off printing over HTTP",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers",DisableHTTPPrinting,,,,0,1,=,Medium +18.8.22.1.8,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off Registration if URL connection is referring to Microsoft.com",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Registration Wizard Control",NoRegistration,,,,0,1,=,Medium +18.8.22.1.9,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off Search Companion content file updates",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\SearchCompanion,DisableContentFileUpdates,,,,0,1,=,Medium +18.8.22.1.10,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off the 'Order Prints' picture task",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoOnlinePrintsWizard,,,,0,1,=,Medium +18.8.22.1.11,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off the 'Publish to Web' task for files and folders",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoPublishingWizard,,,,0,1,=,Medium +18.8.22.1.12,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off the Windows Messenger Customer Experience Improvement Program",Registry,,HKLM:\Software\Policies\Microsoft\Messenger\Client,CEIP,,,,0,2,=,Medium +18.8.22.1.13,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off Windows Customer Experience Improvement Program",Registry,,HKLM:\Software\Policies\Microsoft\SQMClient\Windows,CEIPEnable,,,,1,0,=,Medium +18.8.22.1.14.1,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off Windows Error Reporting 1",Registry,,HKLM:\Software\Policies\Microsoft\PCHealth\ErrorReporting,DoReport,,,,1,0,=,Medium +18.8.22.1.14.2,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off Windows Error Reporting 2",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\Windows Error Reporting",Disabled,,,,0,1,=,Medium +18.8.25.1.1,"Administrative Templates: System","Kerberos: Support device authentication using certificate (DevicePKInitBehavior)",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters,DevicePKInitBehavior,,,,1,0,=,Medium +18.8.25.1.2,"Administrative Templates: System","Kerberos: Support device authentication using certificate (DevicePKInitEnabled)",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters,DevicePKInitEnabled,,,,1,1,=,Medium +18.8.26.1,"Administrative Templates: System","Kernel DMA Protection: Enumeration policy for external devices incompatible with Kernel DMA Protection",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Kernel DMA Protection",DeviceEnumerationPolicy,,,,2,0,=,Medium +18.8.27.1,"Administrative Templates: System","Locale Services: Disallow copying of user input methods to the system account for sign-in",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Control Panel\International",BlockUserInputMethodsForSignIn,,,,0,1,=,Medium +18.8.28.1,"Administrative Templates: System","Logon: Block user from showing account details on sign-in",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,BlockUserFromShowingAccountDetailsOnSignin,,,,0,1,=,Medium +18.8.28.2,"Administrative Templates: System","Logon: Do not display network selection UI",Registry,,HKLM:\Software\Policies\Microsoft\Windows\System,DontDisplayNetworkSelectionUI,,,,0,1,=,Medium +18.8.28.3,"Administrative Templates: System","Logon: Do not enumerate connected users on domain-joined computers",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,DontEnumerateConnectedUsers,,,,0,1,=,Medium +18.8.28.4,"Administrative Templates: System","Logon: Enumerate local users on domain-joined computers",Registry,,HKLM:\Software\Policies\Microsoft\Windows\System,EnumerateLocalUsers,,,,0,0,=,Medium +18.8.28.5,"Administrative Templates: System","Logon: Turn off app notifications on the lock screen",Registry,,HKLM:\Software\Policies\Microsoft\Windows\System,DisableLockScreenAppNotifications,,,,0,1,=,Medium +18.8.28.6,"Administrative Templates: System","Logon: Turn off picture password sign-in",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,BlockDomainPicturePassword,,,,0,1,=,Medium +18.8.28.7,"Administrative Templates: System","Logon: Turn on convenience PIN sign-in",Registry,,HKLM:\Software\Policies\Microsoft\Windows\System,AllowDomainPINLogon,,,,1,0,=,Medium +18.8.31.1,"Administrative Templates: System","OS Policies: Allow Clipboard synchronization across devices",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,AllowCrossDeviceClipboard,,,,1,0,=,Medium +18.8.31.2,"Administrative Templates: System","OS Policies: Allow upload of User Activities",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,UploadUserActivities,,,,1,0,=,Medium +18.8.34.6.1,"Administrative Templates: System","Sleep Settings: Allow network connectivity during connected-standby (on battery)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9,DCSettingIndex,,,,1,0,=,Medium +18.8.34.6.2,"Administrative Templates: System","Sleep Settings: Allow network connectivity during connected-standby (plugged in)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9,ACSettingIndex,,,,1,0,=,Medium +18.8.34.6.3,"Administrative Templates: System","Sleep Settings: Allow standby states (S1-S3) when sleeping (on battery)",Registry,,HKLM:\Software\Policies\Microsoft\Power\PowerSettings\abfc2519-3608-4c2a-94ea-171b0ed546ab,DCSettingIndex,,,,1,0,=,Medium +18.8.34.6.4,"Administrative Templates: System","Sleep Settings: Allow standby states (S1-S3) when sleeping (plugged in)",Registry,,HKLM:\Software\Policies\Microsoft\Power\PowerSettings\abfc2519-3608-4c2a-94ea-171b0ed546ab,ACSettingIndex,,,,1,0,=,Medium +18.8.34.6.5,"Administrative Templates: System","Sleep Settings: Require a password when a computer wakes (on battery)",Registry,,HKLM:\Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51,DCSettingIndex,,,,0,1,=,Medium +18.8.34.6.6,"Administrative Templates: System","Sleep Settings: Require a password when a computer wakes (plugged in)",Registry,,HKLM:\Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51,ACSettingIndex,,,,0,1,=,Medium +18.8.36.1,"Administrative Templates: System","Remote Assistance: Configure Offer Remote Assistance",Registry,,"HKLM:\Software\policies\Microsoft\Windows NT\Terminal Services",fAllowUnsolicited,,,,1,0,=,Medium +18.8.36.2,"Administrative Templates: System","Remote Assistance: Configure Solicited Remote Assistance",Registry,,"HKLM:\Software\policies\Microsoft\Windows NT\Terminal Services",fAllowToGetHelp,,,,1,0,=,Medium +18.8.37.1,"Administrative Templates: System","Remote Procedure Call: Enable RPC Endpoint Mapper Client Authentication",Registry,,"HKLM:\Software\Policies\Microsoft\Windows NT\Rpc",EnableAuthEpResolution,,,,0,1,=,Medium +18.8.37.2,"Administrative Templates: System","Remote Procedure Call: Restrict Unauthenticated RPC clients",Registry,,"HKLM:\Software\Policies\Microsoft\Windows NT\Rpc",RestrictRemoteClients,,,,0,1,=,Medium +18.8.48.5.1,"Administrative Templates: System","Troubleshooting and Diagnostics: Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy,DisableQueryRemoteServer,,,,1,0,=,Medium +18.8.48.11.1,"Administrative Templates: System","Windows Performance PerfTrack: Enable/Disable PerfTrack",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d},ScenarioExecutionEnabled,,,,1,0,=,Medium +18.8.50.1,"Administrative Templates: System","User Profiles: Turn off the advertising ID",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo,DisabledByGroupPolicy,,,,0,1,=,Medium +18.8.53.1.1,"Administrative Templates: System","Time Providers: Enable Windows NTP Client",Registry,,HKLM:\Software\Policies\Microsoft\W32time\TimeProviders\NtpClient,Enabled,,,,0,1,=,Medium +18.8.53.1.2,"Administrative Templates: System","Time Providers: Enable Windows NTP Server",Registry,,HKLM:\Software\Policies\Microsoft\W32time\TimeProviders\NtpServer,Enabled,,,,0,0,=,Medium +18.9.4.1,"Administrative Templates: Windows Components","App Package Deployment: Allow a Windows app to share application data between users",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\AppModel\StateManager,AllowSharedLocalAppData,,,,1,0,=,Medium +18.9.4.2,"Administrative Templates: Windows Components","App Package Deployment: Prevent non-admin users from installing packaged Windows apps",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Appx,BlockNonAdminUserInstall,,,,0,1,=,Medium +18.9.5.1,"Administrative Templates: Windows Components","App Privacy: Let Windows apps activate with voice while the system is locked",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy,LetAppsActivateWithVoiceAboveLock,,,,0,2,=,Medium +18.9.6.1,"Administrative Templates: Windows Components","App runtime: Allow Microsoft accounts to be optional",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System,MSAOptional,,,,,1,=,Medium +18.9.6.2,"Administrative Templates: Windows Components","App runtime: Block launching Universal Windows apps with Windows Runtime API access from hosted content",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,BlockHostedAppAccessWinRT,,,,0,1,=,Medium +18.9.8.1,"Administrative Templates: Windows Components","AutoPlay Policies: Disallow Autoplay for non-volume devices",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Explorer,NoAutoplayfornonVolume,,,,0,1,=,Medium +18.9.8.2,"Administrative Templates: Windows Components","AutoPlay Policies: Set the default behavior for AutoRun",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoAutorun,,,,0,1,=,Medium +18.9.8.3,"Administrative Templates: Windows Components","AutoPlay Policies: Turn off Autoplay",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoDriveTypeAutoRun,,,,0,255,=,Medium +18.9.10.1.1,"Administrative Templates: Windows Components","Biometrics: Facial Features: Configure enhanced anti-spoofing",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures,EnhancedAntiSpoofing,,,,,1,=,Medium +18.9.11.1.1,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Fixed Data Drives: Allow access to BitLocker-protected fixed data drives from earlier versions of Windows",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\FVE,FDVDiscoveryVolumeType,,,,,,=,Medium +18.9.11.1.2,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Fixed Data Drives: Choose how BitLocker-protected fixed drives can be recovered",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\FVE,FDVRecovery,,,,0,1,=,Medium +18.9.11.1.3,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Fixed Data Drives: Choose how BitLocker-protected fixed drives can be recovered: Allow data recovery agent",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\FVE,FDVManageDRA,,,,1,1,=,Medium +18.9.11.1.4,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Fixed Data Drives: Choose how BitLocker-protected fixed drives can be recovered: Recovery Password",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\FVE,FDVRecoveryPassword,,,,,2,=,Medium +18.9.11.1.5,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Fixed Data Drives: Choose how BitLocker-protected fixed drives can be recovered: Recovery Key",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\FVE,FDVRecoveryKey,,,,,2,=,Medium +18.9.11.1.6,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Fixed Data Drives: Choose how BitLocker-protected fixed drives can be recovered: Omit recovery options from the BitLocker setup wizard",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\FVE,FDVHideRecoveryPage,,,,,1,=,Medium +18.9.11.1.7,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Fixed Data Drives: Choose how BitLocker-protected fixed drives can be recovered: Save BitLocker recovery information to AD DS for fixed data drives",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\FVE,FDVActiveDirectoryBackup,,,,,0,=,Medium +18.9.11.1.8,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Fixed Data Drives: Choose how BitLocker-protected fixed drives can be recovered: Configure storage of BitLocker recovery information to AD DS",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\FVE,FDVActiveDirectoryInfoToStore,,,,,1,=,Medium +18.9.11.1.9,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Fixed Data Drives: Choose how BitLocker-protected fixed drives can be recovered: Do not enable BitLocker until recovery information is stored to AD DS for fixed data drives",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\FVE,FDVRequireActiveDirectoryBackup,,,,,0,=,Medium +18.9.11.1.10,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Fixed Data Drives: Configure use of hardware-based encryption for fixed data drives",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\FVE,FDVHardwareEncryption,,,,,0,=,Medium +18.9.11.1.11,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Fixed Data Drives: Configure use of passwords for fixed data drives",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\FVE,FDVPassphrase,,,,0,0,=,Medium +18.9.11.1.12,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Fixed Data Drives: Configure use of smart cards on fixed data drives",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\FVE,FDVAllowUserCert,,,,,1,=,Medium +18.9.11.1.13,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Fixed Data Drives: Configure use of smart cards on fixed data drives: Require use of smart cards on fixed data drives",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\FVE,FDVEnforceUserCert,,,,0,1,=,Medium +18.9.11.2.1,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Operating System Drives: Allow enhanced PINs for startup",Registry,,HKLM:\Software\Policies\Microsoft\FVE,UseEnhancedPin,,,,0,1,=,Medium +18.9.11.2.2,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Operating System Drives: Allow Secure Boot for integrity validation",Registry,,HKLM:\Software\Policies\Microsoft\FVE,OSAllowSecureBootForIntegrity,,,,0,1,=,Medium +18.9.11.2.3,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Operating System Drives: Choose how BitLocker-protected operating system drives can be recovered",Registry,,HKLM:\Software\Policies\Microsoft\FVE,OSRecovery,,,,0,1,=,Medium +18.9.11.2.4,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Operating System Drives: Choose how BitLocker-protected operating system drives can be recovered: Allow data recovery agent",Registry,,HKLM:\Software\Policies\Microsoft\FVE,OSManageDRA,,,,1,0,=,Medium +18.9.11.2.5,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Operating System Drives: Choose how BitLocker-protected operating system drives can be recovered: Recovery Password",Registry,,HKLM:\Software\Policies\Microsoft\FVE,OSRecoveryPassword,,,,,1,=,Medium +18.9.11.2.6,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Operating System Drives: Choose how BitLocker-protected operating system drives can be recovered: Recovery Key",Registry,,HKLM:\Software\Policies\Microsoft\FVE,OSRecoveryKey,,,,1,0,=,Medium +18.9.11.2.7,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Operating System Drives: Choose how BitLocker-protected operating system drives can be recovered: Omit recovery options from the BitLocker setup wizard",Registry,,HKLM:\Software\Policies\Microsoft\FVE,OSHideRecoveryPage,,,,0,1,=,Medium +18.9.11.2.8,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Operating System Drives: Choose how BitLocker-protected operating system drives can be recovered: Save BitLocker recovery information to AD DS for operating system drives",Registry,,HKLM:\Software\Policies\Microsoft\FVE,OSActiveDirectoryBackup,,,,0,1,=,Medium +18.9.11.2.9,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Operating System Drives: Choose how BitLocker-protected operating system drives can be recovered: Configure storage of BitLocker recovery information to AD DS",Registry,,HKLM:\Software\Policies\Microsoft\FVE,OSActiveDirectoryInfoToStore,,,,0,1,=,Medium +18.9.11.2.10,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Operating System Drives: Choose how BitLocker-protected operating system drives can be recovered: Do not enable BitLocker until recovery information is stored to AD DS for operating system drives",Registry,,HKLM:\Software\Policies\Microsoft\FVE,OSRequireActiveDirectoryBackup,,,,0,1,=,Medium +18.9.11.2.11,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Operating System Drives: Configure use of hardware-based encryption for operating system drives: Restrict crypto algorithms or cipher suites",Registry,,HKLM:\Software\Policies\Microsoft\FVE,OSAllowedHardwareEncryptionAlgorithms,,,,,2.16.840.1.101.3.4.1.2;2.16.840.1.101.3.4.1.42,=,Medium +18.9.11.2.12,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Operating System Drives: Configure use of passwords for operating system drives",Registry,,HKLM:\Software\Policies\Microsoft\FVE,OSPassphrase,,,,,0,=,Medium +18.9.11.2.13,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Operating System Drives: Require additional authentication at startup",Registry,,HKLM:\Software\Policies\Microsoft\FVE,UseAdvancedStartup,,,,0,1,=,Medium +18.9.11.2.14,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Operating System Drives: Require additional authentication at startup: Allow BitLocker without a compatible TPM",Registry,,HKLM:\Software\Policies\Microsoft\FVE,EnableBDEWithNoTPM,,,,1,0,=,Medium +18.9.11.3.1,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Removable Data Drives: Allow access to BitLocker-protected removable data drives from earlier versions of Windows",Registry,,HKLM:\Software\Policies\Microsoft\FVE,RDVDiscoveryVolumeType,,,,,,=,Medium +18.9.11.3.2,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Removable Data Drives: Choose how BitLocker-protected removable drives can be recovered",Registry,,HKLM:\Software\Policies\Microsoft\FVE,RDVRecovery,,,,0,1,=,Medium +18.9.11.3.3,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Removable Data Drives: Choose how BitLocker-protected removable drives can be recovered: Allow data recovery agent",Registry,,HKLM:\Software\Policies\Microsoft\FVE,RDVManageDRA,,,,,1,=,Medium +18.9.11.3.4,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Removable Data Drives: Choose how BitLocker-protected removable drives can be recovered: Recovery Password",Registry,,HKLM:\Software\Policies\Microsoft\FVE,RDVRecoveryPassword,,,,,0,=,Medium +18.9.11.3.5,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Removable Data Drives: Choose how BitLocker-protected removable drives can be recovered: Recovery Key",Registry,,HKLM:\Software\Policies\Microsoft\FVE,RDVRecoveryKey,,,,,0,=,Medium +18.9.11.3.6,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Removable Data Drives: Choose how BitLocker-protected removable drives can be recovered: Omit recovery options from the BitLocker setup wizard",Registry,,HKLM:\Software\Policies\Microsoft\FVE,RDVHideRecoveryPage,,,,,1,=,Medium +18.9.11.3.7,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Removable Data Drives: Choose how BitLocker-protected removable drives can be recovered: Save BitLocker recovery information to AD DS for removable data drives",Registry,,HKLM:\Software\Policies\Microsoft\FVE,RDVActiveDirectoryBackup,,,,,0,=,Medium +18.9.11.3.8,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Removable Data Drives: Choose how BitLocker-protected removable drives can be recovered: Configure storage of BitLocker recovery information to AD DS",Registry,,HKLM:\Software\Policies\Microsoft\FVE,RDVActiveDirectoryInfoToStore,,,,,1,=,Medium +18.9.11.3.9,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Removable Data Drives: Choose how BitLocker-protected removable drives can be recovered: Choose how BitLocker-protected removable drives can be recovered: Do not enable BitLocker until recovery information is stored to AD DS for removable data drives",Registry,,HKLM:\Software\Policies\Microsoft\FVE,RDVRequireActiveDirectoryBackup,,,,,0,=,Medium +18.9.11.3.10,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Removable Data Drives: Configure use of hardware-based encryption for removable data drives",Registry,,HKLM:\Software\Policies\Microsoft\FVE,RDVHardwareEncryption,,,,,1,=,Medium +18.9.11.3.11,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Removable Data Drives: Configure use of passwords for removable data drives",Registry,,HKLM:\Software\Policies\Microsoft\FVE,RDVPassphrase,,,,,0,=,Medium +18.9.11.3.12,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Removable Data Drives: Configure use of smart cards on removable data drives",Registry,,HKLM:\Software\Policies\Microsoft\FVE,RDVAllowUserCert,,,,,1,=,Medium +18.9.11.3.13,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Removable Data Drives: Configure use of smart cards on removable data drives: Require use of smart cards on removable data drives",Registry,,HKLM:\Software\Policies\Microsoft\FVE,RDVEnforceUserCert,,,,,1,=,Medium +18.9.11.3.14,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Removable Data Drives: Deny write access to removable drives not protected by BitLocker",Registry,,HKLM:\System\CurrentControlSet\Policies\Microsoft\FVE,RDVDenyWriteAccess,,,,,1,=,Medium +18.9.11.3.15,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Removable Data Drives: Do not allow write access to devices configured in another organization",Registry,,HKLM:\Software\Policies\Microsoft\FVE,RDVDenyCrossOrg,,,,,0,=,Medium +18.9.11.4,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Disable new DMA devices when this computer is locked",Registry,,HKLM:\Software\Policies\Microsoft\FVE,DisableExternalDMAUnderLock,,,,0,1,=,Medium +18.9.12.1,"Administrative Templates: Windows Components","Camera: Allow Use of Camera",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Camera,AllowCamera,,,,1,0,=,Medium +18.9.14.1,"Administrative Templates: Windows Components","Cloud Content: Turn off cloud consumer account state content",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CloudContent,DisableConsumerAccountStateContent,,,,,1,=,Medium +18.9.14.2,"Administrative Templates: Windows Components","Cloud Content: Turn off cloud optimized content",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CloudContent,DisableCloudOptimizedContent,,,,0,1,=,Medium +18.9.14.3,"Administrative Templates: Windows Components","Cloud Content: Turn off Microsoft consumer experiences",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CloudContent,DisableWindowsConsumerFeatures,,,,0,1,=,Medium +18.9.15.1,"Administrative Templates: Windows Components","Connect: Require pin for pairing",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Connect,RequirePinForPairing,,,,0,1,>=,Medium +18.9.16.1,"Administrative Templates: Windows Components","Credential User Interface: Do not display the password reveal button",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CredUI,DisablePasswordReveal,,,,0,1,=,Medium +18.9.16.2,"Administrative Templates: Windows Components","Credential User Interface: Enumerate administrator accounts on elevation",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI,EnumerateAdministrators,,,,1,0,=,Medium +18.9.16.3,"Administrative Templates: Windows Components","Credential User Interface: Prevent the use of security questions for local accounts",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,NoLocalPasswordResetQuestions,,,,0,1,=,Medium +18.9.17.1,"Administrative Templates: Windows Components","Data Collection and Preview Builds: Allow Diagnostic Data",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DataCollection,AllowTelemetry,,,,2,1,<=,Medium +18.9.17.2,"Administrative Templates: Windows Components","Data Collection and Preview Builds: Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DataCollection,DisableEnterpriseAuthProxy,,,,0,1,=,Medium +18.9.17.3,"Administrative Templates: Windows Components","Data Collection and Preview Builds: Disable OneSettings Downloads",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DataCollection,DisableOneSettingsDownloads,,,,,1,=,Medium +18.9.17.4,"Administrative Templates: Windows Components","Data Collection and Preview Builds: Do not show feedback notifications",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DataCollection,DoNotShowFeedbackNotifications,,,,0,1,=,Medium +18.9.17.5,"Administrative Templates: Windows Components","Data Collection and Preview Builds: Enable OneSettings Auditing",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DataCollection,EnableOneSettingsAuditing,,,,,1,=,Medium +18.9.17.6,"Administrative Templates: Windows Components","Data Collection and Preview Builds: Limit Diagnostic Log Collection",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DataCollection,LimitDiagnosticLogCollection,,,,,1,=,Medium +18.9.17.7,"Administrative Templates: Windows Components","Data Collection and Preview Builds: Limit Dump Collection",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DataCollection,LimitDumpCollection,,,,,1,=,Medium +18.9.17.8,"Administrative Templates: Windows Components","Data Collection and Preview Builds: Toggle user control over Insider builds",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds,AllowBuildPreview,,,,1,0,=,Medium +18.9.18.1,"Administrative Templates: Windows Components","Delivery Optimization: Download Mode",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization,DODownloadMode,,,,1,2,=,Medium +18.9.27.1.1,"Administrative Templates: Windows Components","Event Log Service: Application: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Application,Retention,,,,,0,=,Medium +18.9.27.1.2,"Administrative Templates: Windows Components","Event Log Service: Application: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Application,MaxSize,,,,4096,32768,>=,Medium +18.9.27.2.1,"Administrative Templates: Windows Components","Event Log Service: Security: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Security,Retention,,,,,0,=,Medium +18.9.27.2.2,"Administrative Templates: Windows Components","Event Log Service: Security: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Security,MaxSize,,,,4096,196608,>=,Medium +18.9.27.3.1,"Administrative Templates: Windows Components","Event Log Service: Setup: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Setup,Retention,,,,,0,=,Medium +18.9.27.3.2,"Administrative Templates: Windows Components","Event Log Service: Setup: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Setup,MaxSize,,,,4096,32768,>=,Medium +18.9.27.4.1,"Administrative Templates: Windows Components","Event Log Service: System: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\System,Retention,,,,,0,=,Medium +18.9.27.4.2,"Administrative Templates: Windows Components","Event Log Service: System: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\System,MaxSize,,,,4096,32768,>=,Medium +18.9.31.2,"Administrative Templates: Windows Components","File Explorer: Turn off Data Execution Prevention for Explorer",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer,NoDataExecutionPrevention,,,,,0,=,Medium +18.9.31.3,"Administrative Templates: Windows Components","File Explorer: Turn off heap termination on corruption",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer,NoHeapTerminationOnCorruption,,,,,0,=,Medium +18.9.31.4,"Administrative Templates: Windows Components","File Explorer: Turn off shell protocol protected mode",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer,PreXPSP2ShellProtocolBehavior,,,,,0,=,Medium +18.9.36.1,"Administrative Templates: Windows Components","HomeGroup: Prevent the computer from joining a homegroup",Registry,,HKLM:\Software\Policies\Microsoft\Windows\HomeGroup,DisableHomeGroup,,,,0,1,=,Medium +18.9.41.1,"Administrative Templates: Windows Components","Location and Sensors: Turn off location",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors,DisableLocation,,,,0,1,=,Medium +18.9.45.1,"Administrative Templates: Windows Components","Messaging: Allow Message Service Cloud Sync",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Messaging,AllowMessageSync,,,,1,0,=,Medium +18.9.46.1,"Administrative Templates: Windows Components","Microsoft account: Block all consumer Microsoft account user authentication",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\MicrosoftAccount,DisableUserAuth,,,,,1,=,Medium +18.9.47.4.1,"Microsoft Defender Antivirus","MAPS: Configure local setting override for reporting to Microsoft MAPS",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet",LocalSettingOverrideSpynetReporting,,,,,0,=,Medium +18.9.47.4.2,"Microsoft Defender Antivirus","MAPS: Join Microsoft MAPS",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet",SpynetReporting,,,,,0,=|0,Medium +18.9.47.5.1.1,"Microsoft Defender Exploit Guard","Attack Surface Reduction rules",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR",ExploitGuard_ASR_Rules,,,,0,1,=,Medium +18.9.47.5.1.2.1.1,"Microsoft Defender Exploit Guard","ASR: Block all Office applications from creating child processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",d4f940ab-401b-4efc-aadc-ad5f3c50688a,,,,0,1,=,Medium +18.9.47.5.1.2.1.2,"Microsoft Defender Exploit Guard","ASR: Block all Office applications from creating child processes",MpPreferenceAsr,d4f940ab-401b-4efc-aadc-ad5f3c50688a,,,,,,0,1,=,Medium +18.9.47.5.1.2.2.1,"Microsoft Defender Exploit Guard","ASR: Block Office applications from creating executable content (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",3b576869-a4ec-4529-8536-b80a7769e899,,,,0,1,=,Medium +18.9.47.5.1.2.2.2,"Microsoft Defender Exploit Guard","ASR: Block Office applications from creating executable content",MpPreferenceAsr,3b576869-a4ec-4529-8536-b80a7769e899,,,,,,0,1,=,Medium +18.9.47.5.1.2.3.1,"Microsoft Defender Exploit Guard","ASR: Block execution of potentially obfuscated scripts (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",5beb7efe-fd9a-4556-801d-275e5ffc04cc,,,,0,1,=,Medium +18.9.47.5.1.2.3.2,"Microsoft Defender Exploit Guard","ASR: Block execution of potentially obfuscated scripts",MpPreferenceAsr,5beb7efe-fd9a-4556-801d-275e5ffc04cc,,,,,,0,1,=,Medium +18.9.47.5.1.2.4.1,"Microsoft Defender Exploit Guard","ASR: Block Office applications from injecting code into other processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84,,,,0,1,=,Medium +18.9.47.5.1.2.4.2,"Microsoft Defender Exploit Guard","ASR: Block Office applications from injecting code into other processes",MpPreferenceAsr,75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84,,,,,,0,1,=,Medium +18.9.47.5.1.2.5.1,"Microsoft Defender Exploit Guard","ASR: Block Adobe Reader from creating child processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c,,,,0,1,=,Medium +18.9.47.5.1.2.5.2,"Microsoft Defender Exploit Guard","ASR: Block Adobe Reader from creating child processes",MpPreferenceAsr,7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c,,,,,,0,1,=,Medium +18.9.47.5.1.2.6.1,"Microsoft Defender Exploit Guard","ASR: Block Win32 API calls from Office macros (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b,,,,0,1,=,Medium +18.9.47.5.1.2.6.2,"Microsoft Defender Exploit Guard","ASR: Block Win32 API calls from Office macros",MpPreferenceAsr,92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b,,,,,,0,1,=,Medium +18.9.47.5.1.2.7.1,"Microsoft Defender Exploit Guard","ASR: Block credential stealing from the Windows local security authority subsystem (lsass.exe) (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2,,,,0,1,=,Medium +18.9.47.5.1.2.7.2,"Microsoft Defender Exploit Guard","ASR: Block credential stealing from the Windows local security authority subsystem (lsass.exe)",MpPreferenceAsr,9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2,,,,,,0,1,=,Medium +18.9.47.5.1.2.8.1,"Microsoft Defender Exploit Guard","ASR: Block untrusted and unsigned processes that run from USB (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4,,,,0,1,=,Medium +18.9.47.5.1.2.8.2,"Microsoft Defender Exploit Guard","ASR: Block untrusted and unsigned processes that run from USB",MpPreferenceAsr,b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4,,,,,,0,1,=,Medium +18.9.47.5.1.2.9.1,"Microsoft Defender Exploit Guard","ASR: Block executable content from email client and webmail (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",be9ba2d9-53ea-4cdc-84e5-9b1eeee46550,,,,0,1,=,Medium +18.9.47.5.1.2.9.2,"Microsoft Defender Exploit Guard","ASR: Block executable content from email client and webmail",MpPreferenceAsr,be9ba2d9-53ea-4cdc-84e5-9b1eeee46550,,,,,,0,1,=,Medium +18.9.47.5.1.2.10.1,"Microsoft Defender Exploit Guard","ASR: Block JavaScript or VBScript from launching downloaded executable content (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",d3e037e1-3eb8-44c8-a917-57927947596d,,,,0,1,=,Medium +18.9.47.5.1.2.10.2,"Microsoft Defender Exploit Guard","ASR: Block JavaScript or VBScript from launching downloaded executable content",MpPreferenceAsr,d3e037e1-3eb8-44c8-a917-57927947596d,,,,,,0,1,=,Medium +18.9.47.5.1.2.11.1,"Microsoft Defender Exploit Guard","ASR: Block Office communication application from creating child processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",26190899-1602-49e8-8b27-eb1d0a1ce869,,,,0,1,=,Medium +18.9.47.5.1.2.11.2,"Microsoft Defender Exploit Guard","ASR: Block Office communication application from creating child processes",MpPreferenceAsr,26190899-1602-49e8-8b27-eb1d0a1ce869,,,,,,0,1,=,Medium +18.9.47.5.1.2.12.1,"Microsoft Defender Exploit Guard","ASR: Block persistence through WMI event subscription (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",e6db77e5-3df2-4cf1-b95a-636979351e5b,,,,0,1,=,Medium +18.9.47.5.1.2.12.1,"Microsoft Defender Exploit Guard","ASR: Block persistence through WMI event subscription",MpPreferenceAsr,e6db77e5-3df2-4cf1-b95a-636979351e5b,,,,,,0,1,=,Medium +18.9.47.5.3.1,"Microsoft Defender Exploit Guard","Network Protection: Prevent users and apps from accessing dangerous websites",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection",EnableNetworkProtection,,,,,1,=,Medium +18.9.47.6.1,"Microsoft Defender Antivirus","MpEngine: Enable file hash computation feature",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine",EnableFileHashComputation,,,,,1,=,Medium +18.9.47.9.1,"Microsoft Defender Antivirus","Real-time Protection: Scan all downloaded files and attachments",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Real-Time Protection",DisableIOAVProtection,,,,0,0,=,Medium +18.9.47.9.2,"Microsoft Defender Antivirus","Real-time Protection: Turn off real-time protection",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Real-Time Protection",DisableRealtimeMonitoring,,,,0,0,=,Medium +18.9.47.9.3,"Microsoft Defender Antivirus","Real-time Protection: Turn on behavior monitoring (Policy)",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection",DisableBehaviorMonitoring,,,,0,0,=,Medium +18.9.47.9.4,"Microsoft Defender Antivirus","Real-time Protection: Turn on script scanning",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Real-Time Protection",DisableScriptScanning,,,,0,0,=,Medium +18.9.47.11.1,"Microsoft Defender Antivirus","Reporting: Configure Watson events",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting",DisableGenericRePorts,,,,,1,=,Medium +18.9.47.12.1,"Microsoft Defender Antivirus","Scan: Scan removable drives",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Scan",DisableRemovableDriveScanning,,,,,0,=,Medium +18.9.47.12.2,"Microsoft Defender Antivirus","Scan: Turn on e-mail scanning",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Scan",DisableEmailScanning,,,,,0,=,Medium +18.9.47.15,"Microsoft Defender Antivirus","Configure detection for potentially unwanted applications",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender",PUAProtection,,,,0,1,=,Medium +18.9.47.16,"Microsoft Defender Antivirus","Turn off Microsoft Defender Antivirus",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender",DisableAntiSpyware,,,,0,0,=,Medium +18.9.48.1,"Microsoft Defender Application Guard","Allow auditing events in Microsoft Defender Application Guard",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\AppHVSI,AuditApplicationGuard,,,,,1,=,Medium +18.9.48.2,"Microsoft Defender Application Guard","Allow camera and microphone access in Microsoft Defender Application Guard",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\AppHVSI,AllowCameraMicrophoneRedirection,,,,,0,=,Medium +18.9.48.3,"Microsoft Defender Application Guard","Allow data persistence for Microsoft Defender Application Guard",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\AppHVSI,AllowPersistence,,,,,0,=,Medium +18.9.48.4,"Microsoft Defender Application Guard","Allow files to download and save to the host operating system from Microsoft Defender Application Guard",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\AppHVSI,SaveFilesToHost,,,,,0,=,Medium +18.9.48.5,"Microsoft Defender Application Guard","Configure Microsoft Defender Application Guard clipboard settings: Clipboard behavior setting",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\AppHVSI,AppHVSIClipboardSettings,,,,,1,=,Medium +18.9.48.6,"Microsoft Defender Application Guard","Turn on Microsoft Defender Application Guard in Managed Mode",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\AppHVSI,AllowAppHVSI_ProviderSet,,,,,1,=,Medium +18.9.57.1,"Administrative Templates: Windows Components","News and interests: Enable news and interests on the taskbar",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\Windows Feeds",EnableFeeds,,,,,0,=,Medium +18.9.58.1,"Administrative Templates: Windows Components","OneDrive: Prevent the usage of OneDrive for file storage",Registry,,HKLM:\Software\Policies\Microsoft\Windows\OneDrive,DisableFileSyncNGSC,,,,0,1,=,Medium +18.9.64.1,"Administrative Templates: Windows Components","Push To Install: Turn off Push To Install service",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\PushToInstall,DisablePushToInstall,,,,,1,=,Medium +18.9.65.2.2,"Administrative Templates: Windows Components","Remote Desktop Connection Client: Do not allow passwords to be saved",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",DisablePasswordSaving,,,,0,1,=,Medium +18.9.65.3.2.1,"Administrative Templates: Windows Components","Remote Desktop Session Host: Allow users to connect remotely by using Remote Desktop Services",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fDenyTSConnections,,,,0,1,=,Medium +18.9.65.3.3.1,"Administrative Templates: Windows Components","Remote Desktop Session Host: Device and Resource Redirection: Allow UI Automation redirection",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",EnableUiaRedirection,,,,,0,=,Medium +18.9.65.3.3.2,"Administrative Templates: Windows Components","Remote Desktop Session Host: Device and Resource Redirection: Do not allow COM port redirection",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fDisableCcm,,,,0,1,=,Medium +18.9.65.3.3.3,"Administrative Templates: Windows Components","Remote Desktop Session Host: Device and Resource Redirection: Do not allow drive redirection",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fDisableCdm,,,,0,1,=,Medium +18.9.65.3.3.4,"Administrative Templates: Windows Components","Remote Desktop Session Host: Device and Resource Redirection: Do not allow location redirection",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fDisableLocationRedir,,,,,1,=,Medium +18.9.65.3.3.5,"Administrative Templates: Windows Components","Remote Desktop Session Host: Device and Resource Redirection: Do not allow LPT port redirection",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fDisableLPT,,,,0,1,=,Medium +18.9.65.3.3.6,"Administrative Templates: Windows Components","Remote Desktop Session Host: Device and Resource Redirection: Do not allow supported Plug and Play device redirection",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fDisablePNPRedir,,,,0,1,=,Medium +18.9.65.3.9.1,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Always prompt for password upon connection",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fPromptForPassword,,,,0,1,=,Medium +18.9.65.3.9.2,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Require secure RPC communication",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fEncryptRPCTraffic,,,,0,1,=,Medium +18.9.65.3.9.3,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Require use of specific security layer for remote (RDP) connections",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",SecurityLayer,,,,0,2,=,Medium +18.9.65.3.9.4,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Require user authentication for remote connections by using Network Level Authentication",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",UserAuthentication,,,,,1,=,Medium +18.9.65.3.9.5,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Set client connection encryption level",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",MinEncryptionLevel,,,,0,3,=,Medium +18.9.65.3.10.1,"Administrative Templates: Windows Components","Remote Desktop Session Host: Session Time Limits: Set time limit for active but idle Remote Desktop Services sessions",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",MaxIdleTime,,,,,900000,<=!0,Medium +18.9.65.3.10.2,"Administrative Templates: Windows Components","Remote Desktop Session Host: Session Time Limits: Set time limit for disconnected sessions",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",MaxDisconnectionTime,,,,,60000,=,Medium +18.9.65.3.11.1,"Administrative Templates: Windows Components","Remote Desktop Session Host: Temporary folders: Do not delete temp folders upon exit",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",DeleteTempDirsOnExit,,,,,1,=,Medium +18.9.66.1,"Administrative Templates: Windows Components","RSS Feeds: Prevent downloading of enclosures",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Feeds",DisableEnclosureDownload,,,,,1,=,Medium +18.9.67.2,"Administrative Templates: Windows Components","Search: Allow Cloud Search",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search",AllowCloudSearch,,,,1,0,=,Medium +18.9.67.3,"Administrative Templates: Windows Components","Search: Allow Cortana",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search",AllowCortana,,,,1,0,=,Medium +18.9.67.4,"Administrative Templates: Windows Components","Search: Allow Cortana above lock screen",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search",AllowCortanaAboveLock,,,,1,0,=,Medium +18.9.67.5,"Administrative Templates: Windows Components","Search: Allow indexing of encrypted files",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search",AllowIndexingEncryptedStoresOrItems,,,,1,0,=,Medium +18.9.67.6,"Administrative Templates: Windows Components","Search: Allow search and Cortana to use location",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search",AllowSearchToUseLocation,,,,1,0,=,Medium +18.9.72.1,"Administrative Templates: Windows Components","Software Protection Platform: Turn off KMS Client Online AVS Validation",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform",NoGenTicket,,,,,1,=,Medium +18.9.75.1,"Administrative Templates: Windows Components","Store: Disable all apps from Microsoft Store",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore,DisableStoreApps,,,,,1,=,Medium +18.9.75.2,"Administrative Templates: Windows Components","Store: Only display the private store within the Microsoft Store",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore,RequirePrivateStoreOnly,,,,,1,=,Medium +18.9.75.3,"Administrative Templates: Windows Components","Store: Turn off Automatic Download and Install of updates",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore,AutoDownload,,,,,4,=,Medium +18.9.75.4,"Administrative Templates: Windows Components","Store: Turn off the offer to update to the latest version of Windows",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore,DisableOSUpgrade,,,,,1,=,Medium +18.9.75.5,"Administrative Templates: Windows Components","Store: Turn off the Store application",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore,RemoveWindowsStore,,,,,1,=,Medium +18.9.81.1,"Administrative Templates: Windows Components","Widgest: Allow widgets",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Dsh,AllowNewsAndInterests,,,,,0,=,Medium +18.9.85.1.1.1,"Administrative Templates: Windows Components","File Explorer: Configure Windows Defender SmartScreen",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,EnableSmartScreen,,,,1,1,=,Medium +18.9.85.1.1.2,"Administrative Templates: Windows Components","File Explorer: Configure Windows Defender SmartScreen to warn and prevent bypass",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,ShellSmartScreenLevel,,,,Warn,Block,=,Medium +18.9.85.2.1,"Microsoft Edge","Configure Windows Defender SmartScreen",Registry,,HKLM:\Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter,EnabledV9,,,,,1,=,Medium +18.9.85.2.2,"Microsoft Edge","Prevent bypassing Microsoft Defender SmartScreen prompts for sites",Registry,,HKLM:\Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter,PreventOverride,,,,,1,=,Medium +18.9.87.1,"Administrative Templates: Windows Components","Windows Game Recording and Broadcasting: Enables or disables Windows Game Recording and Broadcasting",Registry,,HKLM:\Software\Policies\Microsoft\Windows\GameDVR,AllowGameDVR,,,,1,0,=,Medium +18.9.89.1,"Administrative Templates: Windows Components","Windows Ink Workspace: Allow suggested apps in Windows Ink Workspace",Registry,,HKLM:\Software\Policies\Microsoft\WindowsInkWorkspace,AllowSuggestedAppsInWindowsInkWorkspace,,,,1,0,=,Medium +18.9.89.2,"Administrative Templates: Windows Components","Windows Ink Workspace: Allow Windows Ink Workspace",Registry,,HKLM:\Software\Policies\Microsoft\WindowsInkWorkspace,AllowWindowsInkWorkspace,,,,1,1,<=,Medium +18.9.90.1,"Administrative Templates: Windows Components","Windows Installer: Allow user control over installs",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Installer,EnableUserControl,,,,1,0,=,Medium +18.9.90.2,"Administrative Templates: Windows Components","Windows Installer: Always install with elevated privileges",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Installer,AlwaysInstallElevated,,,,1,0,=,Medium +18.9.90.3,"Administrative Templates: Windows Components","Windows Installer: Prevent Internet Explorer security prompt for Windows Installer scripts",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Installer,SafeForScripting,,,,1,0,=,Medium +18.9.91.1,"Administrative Templates: Windows Components","Windows Logon Options: Sign-in and lock last interactive user automatically after a restart",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,DisableAutomaticRestartSignOn,,,,0,1,=,Medium +18.9.100.1,PowerShell,"Turn on PowerShell Script Block Logging",Registry,,HKLM:\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging,EnableScriptBlockLogging,,,,0,1,=,Medium +18.9.100.2,PowerShell,"Turn on PowerShell Transcription",Registry,,HKLM:\Software\Policies\Microsoft\Windows\PowerShell\Transcription,EnableTranscripting,,,,0,0,=,Medium +18.9.102.1.1,"Administrative Templates: Windows Components","WinRM Client: Allow Basic authentication",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Client,AllowBasic,,,,1,0,=,Medium +18.9.102.1.2,"Administrative Templates: Windows Components","WinRM Client: Allow unencrypted traffic",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Client,AllowUnencryptedTraffic,,,,1,0,=,Medium +18.9.102.1.3,"Administrative Templates: Windows Components","WinRM Client: Disallow Digest authentication",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Client,AllowDigest,,,,1,0,=,Medium +18.9.102.2.1,"Administrative Templates: Windows Components","WinRM Service: Allow Basic authentication",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service,AllowBasic,,,,1,0,=,Medium +18.9.102.2.2,"Administrative Templates: Windows Components","WinRM Service: Allow remote server management through WinRM",Registry,,HKLM:Software\Policies\Microsoft\Windows\WinRM\Service,AllowAutoConfig,,,,1,0,=,Medium +18.9.102.2.3,"Administrative Templates: Windows Components","WinRM Service: Allow unencrypted traffic",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service,AllowUnencryptedTraffic,,,,1,0,=,Medium +18.9.102.2.4,"Administrative Templates: Windows Components","WinRM Service: Disallow WinRM from storing RunAs credentials",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service,DisableRunAs,,,,0,1,=,Medium +18.9.103.1,"Administrative Templates: Windows Components","Windows Remote Shell: Allow Remote Shell Access",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service\WinRS,AllowRemoteShellAccess,,,,1,0,=,Medium +18.9.104.1,"Administrative Templates: Windows Components","Windows Sandbox: Allow clipboard sharing with Windows Sandbox",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Sandbox,AllowClipboardRedirection,,,,,0,=,Medium +18.9.104.2,"Administrative Templates: Windows Components","Windows Sandbox: Allow networking in Windows Sandbox",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Sandbox,AllowNetworking,,,,,0,=,Medium +18.9.105.2.1,"Administrative Templates: Windows Components","App and browser protection: Prevent users from modifying settings",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection",DisallowExploitProtectionOverride,,,,,1,=,Medium +18.9.108.1.1,"Administrative Templates: Windows Components","Windows Update: Legacy Policies: No auto-restart with logged on users for scheduled automatic updates installations",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,NoAutoRebootWithLoggedOnUsers,,,,,0,>=,Medium +18.9.108.2.1,"Administrative Templates: Windows Components","Windows Update: Manage end user experience: Configure Automatic Updates",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,NoAutoUpdate,,,,,0,>=,Medium +18.9.108.2.2,"Administrative Templates: Windows Components","Windows Update: Manage end user experience: Configure Automatic Updates: Scheduled install day",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,ScheduledInstallDay,,,,,0,>=,Medium +18.9.108.2.3,"Administrative Templates: Windows Components","Windows Update: Manage end user experience: Remove access to 'Pause updates' feature",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,SetDisablePauseUXAccess,,,,,1,>=,Medium +18.9.108.4.1.1,"Administrative Templates: Windows Components","Windows Update: Manage updates offered from Windows Update: Manage preview builds (ManagePreviewBuilds)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,ManagePreviewBuilds,,,,,1,=,Medium +18.9.108.4.1.2,"Administrative Templates: Windows Components","Windows Update: Manage updates offered from Windows Update: Manage preview builds (ManagePreviewBuildsPolicyValue)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,ManagePreviewBuildsPolicyValue,,,,,0,=,Medium +18.9.108.4.2.1,"Administrative Templates: Windows Components","Windows Update: Manage updates offered from Windows Update: Select when Preview Builds and Feature Updates are received (DeferFeatureUpdates)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,DeferFeatureUpdates,,,,,1,=,Medium +18.9.108.4.2.2,"Administrative Templates: Windows Components","Windows Update: Manage updates offered from Windows Update: Select when Preview Builds and Feature Updates are received (BranchReadinessLevel)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,BranchReadinessLevel,,,,,2,=,Low +18.9.108.4.2.3,"Administrative Templates: Windows Components","Windows Update: Manage updates offered from Windows Update: Select when Preview Builds and Feature Updates are received (DeferFeatureUpdatesPeriodInDays)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,DeferFeatureUpdatesPeriodInDays,,,,,180,>=,Medium +18.9.108.4.3.1,"Administrative Templates: Windows Components","Windows Update: Manage updates offered from Windows Update: Select when Quality Updates are received (DeferQualityUpdates)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,DeferQualityUpdates,,,,,1,=,Medium +18.9.108.4.3.2,"Administrative Templates: Windows Components","Windows Update: Manage updates offered from Windows Update: Select when Quality Updates are received (DeferQualityUpdatesPeriodInDays)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,DeferQualityUpdatesPeriodInDays,,,,,0,>=,Medium diff --git a/lists/finding_list_cis_microsoft_windows_11_enterprise_21h2_user.csv b/lists/finding_list_cis_microsoft_windows_11_enterprise_21h2_user.csv new file mode 100644 index 0000000..24a3d62 --- /dev/null +++ b/lists/finding_list_cis_microsoft_windows_11_enterprise_21h2_user.csv @@ -0,0 +1,16 @@ +ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Namespace,Property,DefaultValue,RecommendedValue,Operator,Severity +19.1.3.1,"Administrative Templates: Control Panel","Enable screen saver",Registry,,"HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop",ScreenSaveActive,,,,,1,=,Medium +19.1.3.2,"Administrative Templates: Control Panel","Password protect the screen saver",Registry,,"HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop",ScreenSaverIsSecure,,,,,1,=,Medium +19.1.3.3,"Administrative Templates: Control Panel","Screen saver timeout",Registry,,"HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop",ScreenSaveTimeOut,,,,,900,<=!0,Medium +19.5.1.1,"Administrative Templates: Start Menu and Taskbar","Notifications: Turn off toast notifications on the lock screen",Registry,,HKCU:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications,NoToastApplicationNotificationOnLockScreen,,,,0,1,=,Medium +19.6.6.1.1,"Administrative Templates: System","Internet Communication Management: Internet Communication Settings: Turn off Help Experience Improvement Program",Registry,,HKCU:\Software\Policies\Microsoft\Assistance\Client\1.0,NoImplicitFeedback,,,,0,1,=,Medium +19.7.4.1,"Administrative Templates: Windows Components","Attachment Manager: Do not preserve zone information in file attachments",Registry,,HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments,SaveZoneInformation,,,,,2,=,Medium +19.7.4.2,"Administrative Templates: Windows Components","Attachment Manager: Notify antivirus programs when opening attachments",Registry,,HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments,ScanWithAntiVirus,,,,,3,=,Medium +19.7.8.1,"Administrative Templates: Windows Components","Cloud Content: Configure Windows spotlight on lock screen",Registry,,HKCU:\Software\Policies\Microsoft\Windows\CloudContent,ConfigureWindowsSpotlight,,,,,2,=,Medium +19.7.8.2,"Administrative Templates: Windows Components","Cloud Content: Do not suggest third-party content in Windows spotlight",Registry,,HKCU:\Software\Policies\Microsoft\Windows\CloudContent,DisableThirdPartySuggestions,,,,0,1,=,Medium +19.7.8.3,"Administrative Templates: Windows Components","Cloud Content: Do not use diagnostic data for tailored experiences",Registry,,HKCU:\Software\Policies\Microsoft\Windows\CloudContent,DisableTailoredExperiencesWithDiagnosticData,,,,0,1,=,Medium +19.7.8.4,"Administrative Templates: Windows Components","Cloud Content: Turn off all Windows spotlight features",Registry,,HKCU:\Software\Policies\Microsoft\Windows\CloudContent,DisableWindowsSpotlightFeatures,,,,0,1,=,Medium +19.7.8.5,"Administrative Templates: Windows Components","Cloud Content: Turn off Spotlight collection on Desktop",Registry,,HKCU:\Software\Policies\Microsoft\Windows\CloudContent,DisableSpotlightCollectionOnDesktop,,,,,1,=,Medium +19.7.28.1,"Administrative Templates: Windows Components","Network Sharing: Prevent users from sharing files within their profile",Registry,,HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoInplaceSharing,,,,0,1,=,Medium +19.7.43.1,"Administrative Templates: Windows Components","Windows Installer: Always install with elevated privileges",Registry,,HKCU:\Software\Policies\Microsoft\Windows\Installer,AlwaysInstallElevated,,,,1,0,=,Medium +19.7.47.2.1,"Administrative Templates: Windows Components","Windows Media Player: Playback: Prevent Codec Download",Registry,,HKCU:\Software\Policies\Microsoft\WindowsMediaPlayer,PreventCodecDownload,,,,,1,=,Medium diff --git a/lists/finding_list_cis_microsoft_windows_server_2012_r2_2.4.0_machine.csv b/lists/finding_list_cis_microsoft_windows_server_2012_r2_2.4.0_machine.csv index bc61c61..4f46c54 100644 --- a/lists/finding_list_cis_microsoft_windows_server_2012_r2_2.4.0_machine.csv +++ b/lists/finding_list_cis_microsoft_windows_server_2012_r2_2.4.0_machine.csv @@ -102,8 +102,8 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 2.3.10.5,"Security Options","Network access: Let Everyone permissions apply to anonymous users",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,EveryoneIncludesAnonymous,,,,0,0,=,Medium 2.3.10.6,"Security Options","Network access: Named Pipes that can be accessed anonymously (DC)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters,NullSessionPipes,,,,,"netlogon samr lsarpc",=,Medium 2.3.10.7,"Security Options","Network access: Named Pipes that can be accessed anonymously (Member)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters,NullSessionPipes,,,,,,=,Medium -2.3.10.8,"Security Options","Network access: Remotely accessible registry paths",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths,Machine,,,,"System\CurrentControlSet\Control\ProductOptions System\CurrentControlSet\Control\Server Applications Software\Microsoft\Windows NT\CurrentVersion","System\CurrentControlSet\Control\ProductOptions System\CurrentControlSet\Control\Server Applications Software\Microsoft\Windows NT\CurrentVersion",=,Medium -2.3.10.9,"Security Options","Network access: Remotely accessible registry paths and sub-paths",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths,Machine,,,,"System\CurrentControlSet\Control\Print\Printers System\CurrentControlSet\Services\Eventlog Software\Microsoft\OLAP Server Software\Microsoft\Windows NT\CurrentVersion\Print Software\Microsoft\Windows NT\CurrentVersion\Windows System\CurrentControlSet\Control\ContentIndex System\CurrentControlSet\Control\Terminal Server System\CurrentControlSet\Control\Terminal Server\UserConfig System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration Software\Microsoft\Windows NT\CurrentVersion\Perflib System\CurrentControlSet\Services\SysmonLog","System\CurrentControlSet\Control\Print\Printers System\CurrentControlSet\Services\Eventlog Software\Microsoft\OLAP Server Software\Microsoft\Windows NT\CurrentVersion\Print Software\Microsoft\Windows NT\CurrentVersion\Windows System\CurrentControlSet\Control\ContentIndex System\CurrentControlSet\Control\Terminal Server System\CurrentControlSet\Control\Terminal Server\UserConfig System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration Software\Microsoft\Windows NT\CurrentVersion\Perflib System\CurrentControlSet\Services\SysmonLog",=,Medium +2.3.10.8,"Security Options","Network access: Remotely accessible registry paths",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths,Machine,,,,"System\CurrentControlSet\Control\ProductOptions System\CurrentControlSet\Control\Server Applications Software\Microsoft\Windows NT\CurrentVersion","System\CurrentControlSet\Control\ProductOptions;System\CurrentControlSet\Control\Server Applications;Software\Microsoft\Windows NT\CurrentVersion",=,Medium +2.3.10.9,"Security Options","Network access: Remotely accessible registry paths and sub-paths",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths,Machine,,,,"System\CurrentControlSet\Control\Print\Printers System\CurrentControlSet\Services\Eventlog Software\Microsoft\OLAP Server Software\Microsoft\Windows NT\CurrentVersion\Print Software\Microsoft\Windows NT\CurrentVersion\Windows System\CurrentControlSet\Control\ContentIndex System\CurrentControlSet\Control\Terminal Server System\CurrentControlSet\Control\Terminal Server\UserConfig System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration Software\Microsoft\Windows NT\CurrentVersion\Perflib System\CurrentControlSet\Services\SysmonLog","System\CurrentControlSet\Control\Print\Printers;System\CurrentControlSet\Services\Eventlog;Software\Microsoft\OLAP Server;Software\Microsoft\Windows NT\CurrentVersion\Print;Software\Microsoft\Windows NT\CurrentVersion\Windows;System\CurrentControlSet\Control\ContentIndex;System\CurrentControlSet\Control\Terminal Server;System\CurrentControlSet\Control\Terminal Server\UserConfig;System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration;Software\Microsoft\Windows NT\CurrentVersion\Perflib;System\CurrentControlSet\Services\SysmonLog",=,Medium 2.3.10.10,"Security Options","Network access: Restrict anonymous access to Named Pipes and Shares",Registry,,HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters,RestrictNullSessAccess,,,,1,1,=,Medium 2.3.10.11,"Security Options","Network access: Shares that can be accessed anonymously",Registry,,HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters,NullSessionShares,,,,,,=,Medium 2.3.10.12,"Security Options","Network access: Sharing and security model for local accounts",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,ForceGuest,,,,0,0,=,Medium @@ -187,7 +187,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 17.9.4,"Advanced Audit Policy Configuration","Security System Extension",auditpol,{0CCE9211-69AE-11D9-BED3-505054503030},,,,,,"No Auditing",Success,contains,Low 17.9.5,"Advanced Audit Policy Configuration","System Integrity",auditpol,{0CCE9212-69AE-11D9-BED3-505054503030},,,,,,"Success and Failure","Success and Failure",=,Low 18.1.1.1,"Administrative Templates: Control Panel","Personalization: Prevent enabling lock screen camera",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Personalization,NoLockScreenCamera,,,,0,1,=,Low -18.1.1.2,"Administrative Templates: Control Panel","Personalization: Prevent enabling lock screen slide",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Personalization,NoLockScreenSlideshow,,,,0,1,=,Low +18.1.1.2,"Administrative Templates: Control Panel","Personalization: Prevent enabling lock screen slide show",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Personalization,NoLockScreenSlideshow,,,,0,1,=,Low 18.2.1,"Administrative Templates: LAPS","LAPS AdmPwd GPO Extension / CSE (Member)",Registry,,"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA}",DllName,,,,,"C:\Program Files\LAPS\CSE\AdmPwd.dll",=,Medium 18.2.2,"Administrative Templates: LAPS","Do not allow password expiration time longer than required by policy (Member)",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd",PwdExpirationProtectionEnabled,,,,,1,=,Medium 18.2.3,"Administrative Templates: LAPS","Enable local admin password management (Member)",Registry,,"HKLM:\Software\Policies\Microsoft Services\AdmPwd",AdmPwdEnabled,,,,,1,=,Medium @@ -273,7 +273,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 18.8.37.2,"Administrative Templates: System","Remote Procedure Call: Restrict Unauthenticated RPC clients (Member)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows NT\Rpc",RestrictRemoteClients,,,,0,1,=,Medium 18.8.47.5.1,"Administrative Templates: System","Troubleshooting and Diagnostics: Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy,DisableQueryRemoteServer,,,,1,0,=,Medium 18.8.47.11.1,"Administrative Templates: System","Windows Performance PerfTrack: Enable/Disable PerfTrack",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d},ScenarioExecutionEnabled,,,,1,0,=,Medium -18.8.49.1,"Administrative Templates: System","User Profiles: Turn of the advertising ID",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo,DisabledByGroupPolicy,,,,0,1,=,Medium +18.8.49.1,"Administrative Templates: System","User Profiles: Turn off the advertising ID",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo,DisabledByGroupPolicy,,,,0,1,=,Medium 18.8.52.1.1,"Administrative Templates: System","Time Providers: Enable Windows NTP Client",Registry,,HKLM:\Software\Policies\Microsoft\W32time\TimeProviders\NtpClient,Enabled,,,,0,1,=,Medium 18.8.52.1.2,"Administrative Templates: System","Time Providers: Enable Windows NTP Server (Member)",Registry,,HKLM:\Software\Policies\Microsoft\W32time\TimeProviders\NtpServer,Enabled,,,,0,0,=,Medium 18.9.4.1,"Administrative Templates: Windows Components","App Package Deployment: Allow a Windows app to share application data between users",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\AppModel\StateManager,AllowSharedLocalAppData,,,,1,0,=,Medium @@ -294,13 +294,13 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 18.9.24.7,"Administrative Templates: Windows Components","EMET: System DEP",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\EMET\SysSettings,DEP,,,,,2,=,Medium 18.9.24.8,"Administrative Templates: Windows Components","EMET: System SEHOP",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\EMET\SysSettings,SEHOP,,,,,2,=,Medium 18.9.26.1.1,"Administrative Templates: Windows Components","Event Log Service: Application: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Application,Retention,,,,,0,=,Medium -18.9.26.1.2,"Administrative Templates: Windows Components","Event Log Service: Specify the maximum Application log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Application,MaxSize,,,,4096,32768,>=,Medium +18.9.26.1.2,"Administrative Templates: Windows Components","Event Log Service: Application: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Application,MaxSize,,,,4096,32768,>=,Medium 18.9.26.2.1,"Administrative Templates: Windows Components","Event Log Service: Security: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Security,Retention,,,,,0,=,Medium -18.9.26.2.2,"Administrative Templates: Windows Components","Event Log Service: Specify the maximum Security log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Security,MaxSize,,,,4096,196608,>=,Medium +18.9.26.2.2,"Administrative Templates: Windows Components","Event Log Service: Security: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Security,MaxSize,,,,4096,196608,>=,Medium 18.9.26.3.1,"Administrative Templates: Windows Components","Event Log Service: Setup: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Setup,Retention,,,,,0,=,Medium 18.9.26.3.2,"Administrative Templates: Windows Components","Event Log Service: Setup: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Setup,MaxSize,,,,4096,32768,>=,Medium 18.9.26.4.1,"Administrative Templates: Windows Components","Event Log Service: System: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\System,Retention,,,,,0,=,Medium -18.9.26.4.2,"Administrative Templates: Windows Components","Event Log Service: Specify the maximum System log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\System,MaxSize,,,,4096,32768,>=,Medium +18.9.26.4.2,"Administrative Templates: Windows Components","Event Log Service: System: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\System,MaxSize,,,,4096,32768,>=,Medium 18.9.30.2,"Administrative Templates: Windows Components","File Explorer: Turn off Data Execution Prevention for Explorer",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer,NoDataExecutionPrevention,,,,,0,=,Medium 18.9.30.3,"Administrative Templates: Windows Components","File Explorer: Turn off heap termination on corruption",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer,NoHeapTerminationOnCorruption,,,,,0,=,Medium 18.9.30.4,"Administrative Templates: Windows Components","File Explorer: Turn off shell protocol protected mode",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer,PreXPSP2ShellProtocolBehavior,,,,,0,=,Medium @@ -334,7 +334,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 18.9.77.10.1,"Microsoft Defender Antivirus","Scan: Scan removable drives",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Scan",DisableRemovableDriveScanning,,,,,0,=,Medium 18.9.77.10.2,"Microsoft Defender Antivirus","Scan: Turn on e-mail scanning",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Scan",DisableEmailScanning,,,,,0,=,Medium 18.9.77.13.3.1,"Microsoft Defender Exploit Guard","Network Protection: Prevent users and apps from accessing dangerous websites",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection",EnableNetworkProtection,,,,,1,=,Medium -18.9.77.14,"Microsoft Defender Antivirus","Turn off Windows Defender Antivirus",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender",DisableAntiSpyware,,,,0,0,=,Medium +18.9.77.14,"Microsoft Defender Antivirus","Turn off Microsoft Defender Antivirus",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender",DisableAntiSpyware,,,,0,0,=,Medium 18.9.80.1.1.1,"Administrative Templates: Windows Components","File Explorer: Configure Windows Defender SmartScreen",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,EnableSmartScreen,,,,1,1,=,Medium 18.9.80.1.1.2,"Administrative Templates: Windows Components","File Explorer: Configure Windows Defender SmartScreen to warn and prevent bypass",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,ShellSmartScreenLevel,,,,Warn,Block,=,Medium 18.9.81.2.1,"Administrative Templates: Windows Components","Windows Error Reporting: Consent: Configure Default consent",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting\Consent",DefaultConsent,,,,,3,=,Medium @@ -353,6 +353,6 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 18.9.97.2.3,"Administrative Templates: Windows Components","WinRM Service: Allow unencrypted traffic",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service,AllowUnencryptedTraffic,,,,1,0,=,Medium 18.9.97.2.4,"Administrative Templates: Windows Components","WinRM Service: Disallow WinRM from storing RunAs credentials",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service,DisableRunAs,,,,0,1,=,Medium 18.9.98.1,"Administrative Templates: Windows Components","Windows Remote Shell: Allow Remote Shell Access",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service\WinRS,AllowRemoteShellAccess,,,,1,0,=,Medium -18.9.102.1,"Administrative Templates: Windows Components","Windows Update: Configure Automatic Updates",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,NoAutoUpdate,,,,,0,>=,Medium -18.9.102.2,"Administrative Templates: Windows Components","Windows Update: Configure Automatic Updates: Scheduled install day",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,ScheduledInstallDay,,,,,0,>=,Medium -18.9.102.3,"Administrative Templates: Windows Components","Windows Update: No auto-restart with logged on users for scheduled automatic updates installations",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,NoAutoRebootWithLoggedOnUsers,,,,,0,>=,Medium +18.9.102.1,"Administrative Templates: Windows Components","Windows Update: Manage end user experience: Configure Automatic Updates",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,NoAutoUpdate,,,,,0,>=,Medium +18.9.102.2,"Administrative Templates: Windows Components","Windows Update: Manage end user experience: Configure Automatic Updates: Scheduled install day",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,ScheduledInstallDay,,,,,0,>=,Medium +18.9.102.3,"Administrative Templates: Windows Components","Windows Update: Legacy Policies: No auto-restart with logged on users for scheduled automatic updates installations",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,NoAutoRebootWithLoggedOnUsers,,,,,0,>=,Medium diff --git a/lists/finding_list_cis_microsoft_windows_server_2016_1607_1.2.0_machine.csv b/lists/finding_list_cis_microsoft_windows_server_2016_1607_1.2.0_machine.csv index 2fe4968..3e501eb 100644 --- a/lists/finding_list_cis_microsoft_windows_server_2016_1607_1.2.0_machine.csv +++ b/lists/finding_list_cis_microsoft_windows_server_2016_1607_1.2.0_machine.csv @@ -102,8 +102,8 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 2.3.10.5,"Security Options","Network access: Let Everyone permissions apply to anonymous users",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,EveryoneIncludesAnonymous,,,,0,0,=,Medium 2.3.10.6,"Security Options","Network access: Named Pipes that can be accessed anonymously (DC)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters,NullSessionPipes,,,,,"netlogon samr lsarpc",=,Medium 2.3.10.7,"Security Options","Network access: Named Pipes that can be accessed anonymously (Member)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters,NullSessionPipes,,,,,,=,Medium -2.3.10.8,"Security Options","Network access: Remotely accessible registry paths",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths,Machine,,,,"System\CurrentControlSet\Control\ProductOptions System\CurrentControlSet\Control\Server Applications Software\Microsoft\Windows NT\CurrentVersion","System\CurrentControlSet\Control\ProductOptions System\CurrentControlSet\Control\Server Applications Software\Microsoft\Windows NT\CurrentVersion",=,Medium -2.3.10.9,"Security Options","Network access: Remotely accessible registry paths and sub-paths",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths,Machine,,,,"System\CurrentControlSet\Control\Print\Printers System\CurrentControlSet\Services\Eventlog Software\Microsoft\OLAP Server Software\Microsoft\Windows NT\CurrentVersion\Print Software\Microsoft\Windows NT\CurrentVersion\Windows System\CurrentControlSet\Control\ContentIndex System\CurrentControlSet\Control\Terminal Server System\CurrentControlSet\Control\Terminal Server\UserConfig System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration Software\Microsoft\Windows NT\CurrentVersion\Perflib System\CurrentControlSet\Services\SysmonLog","System\CurrentControlSet\Control\Print\Printers System\CurrentControlSet\Services\Eventlog Software\Microsoft\OLAP Server Software\Microsoft\Windows NT\CurrentVersion\Print Software\Microsoft\Windows NT\CurrentVersion\Windows System\CurrentControlSet\Control\ContentIndex System\CurrentControlSet\Control\Terminal Server System\CurrentControlSet\Control\Terminal Server\UserConfig System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration Software\Microsoft\Windows NT\CurrentVersion\Perflib System\CurrentControlSet\Services\SysmonLog",=,Medium +2.3.10.8,"Security Options","Network access: Remotely accessible registry paths",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths,Machine,,,,"System\CurrentControlSet\Control\ProductOptions System\CurrentControlSet\Control\Server Applications Software\Microsoft\Windows NT\CurrentVersion","System\CurrentControlSet\Control\ProductOptions;System\CurrentControlSet\Control\Server Applications;Software\Microsoft\Windows NT\CurrentVersion",=,Medium +2.3.10.9,"Security Options","Network access: Remotely accessible registry paths and sub-paths",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths,Machine,,,,"System\CurrentControlSet\Control\Print\Printers System\CurrentControlSet\Services\Eventlog Software\Microsoft\OLAP Server Software\Microsoft\Windows NT\CurrentVersion\Print Software\Microsoft\Windows NT\CurrentVersion\Windows System\CurrentControlSet\Control\ContentIndex System\CurrentControlSet\Control\Terminal Server System\CurrentControlSet\Control\Terminal Server\UserConfig System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration Software\Microsoft\Windows NT\CurrentVersion\Perflib System\CurrentControlSet\Services\SysmonLog","System\CurrentControlSet\Control\Print\Printers;System\CurrentControlSet\Services\Eventlog;Software\Microsoft\OLAP Server;Software\Microsoft\Windows NT\CurrentVersion\Print;Software\Microsoft\Windows NT\CurrentVersion\Windows;System\CurrentControlSet\Control\ContentIndex;System\CurrentControlSet\Control\Terminal Server;System\CurrentControlSet\Control\Terminal Server\UserConfig;System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration;Software\Microsoft\Windows NT\CurrentVersion\Perflib;System\CurrentControlSet\Services\SysmonLog",=,Medium 2.3.10.10,"Security Options","Network access: Restrict anonymous access to Named Pipes and Shares",Registry,,HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters,RestrictNullSessAccess,,,,1,1,=,Medium 2.3.10.11,"Security Options","Network access: Restrict clients allowed to make remote calls to SAM (Member)",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,RestrictRemoteSAM,,,,,O:BAG:BAD:(A;;RC;;;BA),=,Medium 2.3.10.12,"Security Options","Network access: Shares that can be accessed anonymously",Registry,,HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters,NullSessionShares,,,,,,=,Medium @@ -190,7 +190,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 17.9.4,"Advanced Audit Policy Configuration","Security System Extension",auditpol,{0CCE9211-69AE-11D9-BED3-505054503030},,,,,,"No Auditing",Success,contains,Low 17.9.5,"Advanced Audit Policy Configuration","System Integrity",auditpol,{0CCE9212-69AE-11D9-BED3-505054503030},,,,,,"Success and Failure","Success and Failure",=,Low 18.1.1.1,"Administrative Templates: Control Panel","Personalization: Prevent enabling lock screen camera",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Personalization,NoLockScreenCamera,,,,0,1,=,Low -18.1.1.2,"Administrative Templates: Control Panel","Personalization: Prevent enabling lock screen slide",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Personalization,NoLockScreenSlideshow,,,,0,1,=,Low +18.1.1.2,"Administrative Templates: Control Panel","Personalization: Prevent enabling lock screen slide show",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Personalization,NoLockScreenSlideshow,,,,0,1,=,Low 18.1.2.2,"Administrative Templates: Control Panel","Regional and Language Options: Allow users to enable online speech recognition services",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\InputPersonalization,AllowInputPersonalization,,,,1,0,=,Medium 18.1.3,"Administrative Templates: Control Panel","Allow Online Tips",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer,AllowOnlineTips,,,,1,0,=,Medium 18.2.1,"Administrative Templates: LAPS","LAPS AdmPwd GPO Extension / CSE (Member)",Registry,,"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA}",DllName,,,,,"C:\Program Files\LAPS\CSE\AdmPwd.dll",=,Medium @@ -295,7 +295,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 18.8.37.2,"Administrative Templates: System","Remote Procedure Call: Restrict Unauthenticated RPC clients (Member)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows NT\Rpc",RestrictRemoteClients,,,,0,1,=,Medium 18.8.47.5.1,"Administrative Templates: System","Troubleshooting and Diagnostics: Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy,DisableQueryRemoteServer,,,,1,0,=,Medium 18.8.47.11.1,"Administrative Templates: System","Windows Performance PerfTrack: Enable/Disable PerfTrack",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d},ScenarioExecutionEnabled,,,,1,0,=,Medium -18.8.49.1,"Administrative Templates: System","User Profiles: Turn of the advertising ID",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo,DisabledByGroupPolicy,,,,0,1,=,Medium +18.8.49.1,"Administrative Templates: System","User Profiles: Turn off the advertising ID",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo,DisabledByGroupPolicy,,,,0,1,=,Medium 18.8.52.1.1,"Administrative Templates: System","Time Providers: Enable Windows NTP Client",Registry,,HKLM:\Software\Policies\Microsoft\W32time\TimeProviders\NtpClient,Enabled,,,,0,1,=,Medium 18.8.52.1.2,"Administrative Templates: System","Time Providers: Enable Windows NTP Server (Member)",Registry,,HKLM:\Software\Policies\Microsoft\W32time\TimeProviders\NtpServer,Enabled,,,,0,0,=,Medium 18.9.4.1,"Administrative Templates: Windows Components","App Package Deployment: Allow a Windows app to share application data between users",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\AppModel\StateManager,AllowSharedLocalAppData,,,,1,0,=,Medium @@ -310,18 +310,18 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 18.9.14.1,"Administrative Templates: Windows Components","Connect: Require pin for pairing",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Connect,RequirePinForPairing,,,,0,1,>=,Medium 18.9.15.1,"Administrative Templates: Windows Components","Credential User Interface: Do not display the password reveal button",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CredUI,DisablePasswordReveal,,,,0,1,=,Medium 18.9.15.2,"Administrative Templates: Windows Components","Credential User Interface: Enumerate administrator accounts on elevation",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI,EnumerateAdministrators,,,,1,0,=,Medium -18.9.16.1,"Administrative Templates: Windows Components","Data Collection and Preview Builds: Allow Telemetry",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DataCollection,AllowTelemetry,,,,2,1,<=,Medium +18.9.16.1,"Administrative Templates: Windows Components","Data Collection and Preview Builds: Allow Diagnostic Data",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DataCollection,AllowTelemetry,,,,2,1,<=,Medium 18.9.16.2,"Administrative Templates: Windows Components","Data Collection and Preview Builds: Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DataCollection,DisableEnterpriseAuthProxy,,,,0,1,=,Medium 18.9.16.3,"Administrative Templates: Windows Components","Data Collection and Preview Builds: Do not show feedback notifications",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DataCollection,DoNotShowFeedbackNotifications,,,,0,1,=,Medium 18.9.16.4,"Administrative Templates: Windows Components","Data Collection and Preview Builds: Toggle user control over Insider builds",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds,AllowBuildPreview,,,,1,0,=,Medium 18.9.26.1.1,"Administrative Templates: Windows Components","Event Log Service: Application: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Application,Retention,,,,,0,=,Medium -18.9.26.1.2,"Administrative Templates: Windows Components","Event Log Service: Specify the maximum Application log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Application,MaxSize,,,,4096,32768,>=,Medium +18.9.26.1.2,"Administrative Templates: Windows Components","Event Log Service: Application: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Application,MaxSize,,,,4096,32768,>=,Medium 18.9.26.2.1,"Administrative Templates: Windows Components","Event Log Service: Security: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Security,Retention,,,,,0,=,Medium -18.9.26.2.2,"Administrative Templates: Windows Components","Event Log Service: Specify the maximum Security log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Security,MaxSize,,,,4096,196608,>=,Medium +18.9.26.2.2,"Administrative Templates: Windows Components","Event Log Service: Security: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Security,MaxSize,,,,4096,196608,>=,Medium 18.9.26.3.1,"Administrative Templates: Windows Components","Event Log Service: Setup: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Setup,Retention,,,,,0,=,Medium 18.9.26.3.2,"Administrative Templates: Windows Components","Event Log Service: Setup: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Setup,MaxSize,,,,4096,32768,>=,Medium 18.9.26.4.1,"Administrative Templates: Windows Components","Event Log Service: System: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\System,Retention,,,,,0,=,Medium -18.9.26.4.2,"Administrative Templates: Windows Components","Event Log Service: Specify the maximum System log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\System,MaxSize,,,,4096,32768,>=,Medium +18.9.26.4.2,"Administrative Templates: Windows Components","Event Log Service: System: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\System,MaxSize,,,,4096,32768,>=,Medium 18.9.30.2,"Administrative Templates: Windows Components","File Explorer: Turn off Data Execution Prevention for Explorer",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer,NoDataExecutionPrevention,,,,,0,=,Medium 18.9.30.3,"Administrative Templates: Windows Components","File Explorer: Turn off heap termination on corruption",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer,NoHeapTerminationOnCorruption,,,,,0,=,Medium 18.9.30.4,"Administrative Templates: Windows Components","File Explorer: Turn off shell protocol protected mode",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer,PreXPSP2ShellProtocolBehavior,,,,,0,=,Medium @@ -355,7 +355,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 18.9.77.10.1,"Microsoft Defender Antivirus","Scan: Scan removable drives",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Scan",DisableRemovableDriveScanning,,,,,0,=,Medium 18.9.77.10.2,"Microsoft Defender Antivirus","Scan: Turn on e-mail scanning",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Scan",DisableEmailScanning,,,,,0,=,Medium 18.9.77.14,"Microsoft Defender Antivirus","Configure detection for potentially unwanted applications",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender",PUAProtection,,,,0,1,=,Medium -18.9.77.15,"Microsoft Defender Antivirus","Turn off Windows Defender Antivirus",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender",DisableAntiSpyware,,,,0,0,=,Medium +18.9.77.15,"Microsoft Defender Antivirus","Turn off Microsoft Defender Antivirus",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender",DisableAntiSpyware,,,,0,0,=,Medium 18.9.80.1.1.1,"Administrative Templates: Windows Components","File Explorer: Configure Windows Defender SmartScreen",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,EnableSmartScreen,,,,1,1,=,Medium 18.9.80.1.1.2,"Administrative Templates: Windows Components","File Explorer: Configure Windows Defender SmartScreen to warn and prevent bypass",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,ShellSmartScreenLevel,,,,Warn,Block,=,Medium 18.9.84.1,"Administrative Templates: Windows Components","Windows Ink Workspace: Allow suggested apps in Windows Ink Workspace",Registry,,HKLM:\Software\Policies\Microsoft\WindowsInkWorkspace,AllowSuggestedAppsInWindowsInkWorkspace,,,,1,0,=,Medium @@ -375,13 +375,13 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 18.9.97.2.4,"Administrative Templates: Windows Components","WinRM Service: Disallow WinRM from storing RunAs credentials",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service,DisableRunAs,,,,0,1,=,Medium 18.9.98.1,"Administrative Templates: Windows Components","Windows Remote Shell: Allow Remote Shell Access",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service\WinRS,AllowRemoteShellAccess,,,,1,0,=,Medium 18.9.99.2.1,"Administrative Templates: Windows Components","App and browser protection: Prevent users from modifying settings",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection",DisallowExploitProtectionOverride,,,,,1,=,Medium -18.9.102.1.1.1,"Administrative Templates: Windows Components","Windows Update: Windows Update for Business: Manage preview builds (ManagePreviewBuilds)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,ManagePreviewBuilds,,,,,1,=,Medium -18.9.102.1.1.2,"Administrative Templates: Windows Components","Windows Update: Windows Update for Business: Manage preview builds (ManagePreviewBuildsPolicyValue)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,ManagePreviewBuildsPolicyValue,,,,,0,=,Medium -18.9.102.1.2.1,"Administrative Templates: Windows Components","Windows Update: Windows Update for Business: Select when Preview Builds and Feature Updates are received (DeferFeatureUpdates)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,DeferFeatureUpdates,,,,,1,=,Medium -18.9.102.1.2.2,"Administrative Templates: Windows Components","Windows Update: Windows Update for Business: Select when Preview Builds and Feature Updates are received (BranchReadinessLevel)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,BranchReadinessLevel,,,,,16,=,Medium -18.9.102.1.2.3,"Administrative Templates: Windows Components","Windows Update: Windows Update for Business: Select when Preview Builds and Feature Updates are received (DeferFeatureUpdatesPeriodInDays)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,DeferFeatureUpdatesPeriodInDays,,,,,180,>=,Medium -18.9.102.1.3.1,"Administrative Templates: Windows Components","Windows Update: Windows Update for Business: Select when Quality Updates are received (DeferQualityUpdates)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,DeferQualityUpdates,,,,,1,=,Medium -18.9.102.1.3.2,"Administrative Templates: Windows Components","Windows Update: Windows Update for Business: Select when Quality Updates are received (DeferQualityUpdatesPeriodInDays)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,DeferQualityUpdatesPeriodInDays,,,,,0,>=,Medium -18.9.102.2,"Administrative Templates: Windows Components","Windows Update: Configure Automatic Updates",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,NoAutoUpdate,,,,,0,>=,Medium -18.9.102.3,"Administrative Templates: Windows Components","Windows Update: Configure Automatic Updates: Scheduled install day",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,ScheduledInstallDay,,,,,0,>=,Medium -18.9.102.4,"Administrative Templates: Windows Components","Windows Update: No auto-restart with logged on users for scheduled automatic updates installations",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,NoAutoRebootWithLoggedOnUsers,,,,,0,>=,Medium +18.9.102.1.1.1,"Administrative Templates: Windows Components","Windows Update: Manage updates offered from Windows Update: Manage preview builds (ManagePreviewBuilds)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,ManagePreviewBuilds,,,,,1,=,Medium +18.9.102.1.1.2,"Administrative Templates: Windows Components","Windows Update: Manage updates offered from Windows Update: Manage preview builds (ManagePreviewBuildsPolicyValue)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,ManagePreviewBuildsPolicyValue,,,,,0,=,Medium +18.9.102.1.2.1,"Administrative Templates: Windows Components","Windows Update: Manage updates offered from Windows Update: Select when Preview Builds and Feature Updates are received (DeferFeatureUpdates)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,DeferFeatureUpdates,,,,,1,=,Medium +18.9.102.1.2.2,"Administrative Templates: Windows Components","Windows Update: Manage updates offered from Windows Update: Select when Preview Builds and Feature Updates are received (BranchReadinessLevel)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,BranchReadinessLevel,,,,,16,=,Medium +18.9.102.1.2.3,"Administrative Templates: Windows Components","Windows Update: Manage updates offered from Windows Update: Select when Preview Builds and Feature Updates are received (DeferFeatureUpdatesPeriodInDays)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,DeferFeatureUpdatesPeriodInDays,,,,,180,>=,Medium +18.9.102.1.3.1,"Administrative Templates: Windows Components","Windows Update: Manage updates offered from Windows Update: Select when Quality Updates are received (DeferQualityUpdates)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,DeferQualityUpdates,,,,,1,=,Medium +18.9.102.1.3.2,"Administrative Templates: Windows Components","Windows Update: Manage updates offered from Windows Update: Select when Quality Updates are received (DeferQualityUpdatesPeriodInDays)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,DeferQualityUpdatesPeriodInDays,,,,,0,>=,Medium +18.9.102.2,"Administrative Templates: Windows Components","Windows Update: Manage end user experience: Configure Automatic Updates",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,NoAutoUpdate,,,,,0,>=,Medium +18.9.102.3,"Administrative Templates: Windows Components","Windows Update: Manage end user experience: Configure Automatic Updates: Scheduled install day",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,ScheduledInstallDay,,,,,0,>=,Medium +18.9.102.4,"Administrative Templates: Windows Components","Windows Update: Legacy Policies: No auto-restart with logged on users for scheduled automatic updates installations",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,NoAutoRebootWithLoggedOnUsers,,,,,0,>=,Medium diff --git a/lists/finding_list_cis_microsoft_windows_server_2016_1607_1.3.0_machine.csv b/lists/finding_list_cis_microsoft_windows_server_2016_1607_1.3.0_machine.csv new file mode 100644 index 0000000..c1e6352 --- /dev/null +++ b/lists/finding_list_cis_microsoft_windows_server_2016_1607_1.3.0_machine.csv @@ -0,0 +1,391 @@ +ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Namespace,Property,DefaultValue,RecommendedValue,Operator,Severity +1.1.1,"Account Policies","Length of password history maintained",accountpolicy,,,,,,,None,24,>=,Low +1.1.2,"Account Policies","Maximum password age",accountpolicy,,,,,,,42,60,<=!0,Low +1.1.3,"Account Policies","Minimum password age",accountpolicy,,,,,,,0,1,>=,Low +1.1.4,"Account Policies","Minimum password length",accountpolicy,,,,,,,0,14,>=,Medium +1.1.5,"Account Policies","Password must meet complexity requirements",secedit,"System Access\PasswordComplexity",,,,,,0,1,=,Medium +1.1.6,"Account Policies","Store passwords using reversible encryption",secedit,"System Access\ClearTextPassword",,,,,,0,0,=,High +1.2.1,"Account Policies","Account lockout duration",accountpolicy,,,,,,,30,15,>=,Low +1.2.2,"Account Policies","Account lockout threshold",accountpolicy,,,,,,,Never,10,<=!0,Low +1.2.3,"Account Policies","Reset account lockout counter",accountpolicy,,,,,,,30,15,>=,Low +2.2.1,"User Rights Assignment","Access Credential Manager as a trusted caller",accesschk,SeTrustedCredManAccessPrivilege,,,,,,,,=,Medium +2.2.2,"User Rights Assignment","Access this computer from the network (DC)",accesschk,SeNetworkLogonRight,,,,,,"NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS;BUILTIN\Pre-Windows 2000 Compatible Access;BUILTIN\Administrators;NT AUTHORITY\Authenticated Users;Everyone","NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS;BUILTIN\Administrators;NT AUTHORITY\Authenticated Users",=,Medium +2.2.3,"User Rights Assignment","Access this computer from the network (Member)",accesschk,SeNetworkLogonRight,,,,,,"BUILTIN\Pre-Windows 2000 Compatible Access;BUILTIN\Administrators;NT AUTHORITY\Authenticated Users;Everyone","BUILTIN\Administrators;NT AUTHORITY\Authenticated Users",=,Medium +2.2.4,"User Rights Assignment","Act as part of the operating system",accesschk,SeTcbPrivilege,,,,,,,,=,Medium +2.2.5,"User Rights Assignment","Add workstations to domain (DC)",accesschk,SeMachineAccountPrivilege,,,,,,"NT AUTHORITY\Authenticated Users",BUILTIN\Administrators,=,Medium +2.2.6,"User Rights Assignment","Adjust memory quotas for a process",accesschk,SeIncreaseQuotaPrivilege,,,,,,"BUILTIN\Administrators;NT AUTHORITY\NETWORK SERVICE;NT AUTHORITY\LOCAL SERVICE","BUILTIN\Administrators;NT AUTHORITY\NETWORK SERVICE;NT AUTHORITY\LOCAL SERVICE",=,Medium +2.2.7,"User Rights Assignment","Allow log on locally",accesschk,SeInteractiveLogonRight,,,,,,"BUILTIN\Backup Operators;BUILTIN\Users;BUILTIN\Administrators;COMPUTERNAME\Guest",BUILTIN\Administrators,=,Medium +2.2.8,"User Rights Assignment","Allow log on through Remote Desktop Services (DC)",accesschk,SeRemoteInteractiveLogonRight,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium +2.2.9,"User Rights Assignment","Allow log on through Remote Desktop Services (Member)",accesschk,SeRemoteInteractiveLogonRight,,,,,,"BUILTIN\Remote Desktop Users;BUILTIN\Administrators","BUILTIN\Remote Desktop Users;BUILTIN\Administrators",=,Medium +2.2.10,"User Rights Assignment","Back up files and directories",accesschk,SeBackupPrivilege,,,,,,"BUILTIN\Administrators;BUILTIN\Backup Operators",BUILTIN\Administrators,=,Medium +2.2.11,"User Rights Assignment","Change the system time",accesschk,SeSystemTimePrivilege,,,,,,"BUILTIN\Administrators;NT AUTHORITY\LOCAL SERVICE","BUILTIN\Administrators;NT AUTHORITY\LOCAL SERVICE",=,Medium +2.2.12,"User Rights Assignment","Change the time zone",accesschk,SeTimeZonePrivilege,,,,,,"BUILTIN\Device Owners;BUILTIN\Users;BUILTIN\Administrators;NT AUTHORITY\LOCAL SERVICE","BUILTIN\Administrators;NT AUTHORITY\LOCAL SERVICE",=,Medium +2.2.13,"User Rights Assignment","Create a pagefile",accesschk,SeCreatePagefilePrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium +2.2.14,"User Rights Assignment","Create a token object",accesschk,SeCreateTokenPrivilege,,,,,,,,=,Medium +2.2.15,"User Rights Assignment","Create global objects",accesschk,SeCreateGlobalPrivilege,,,,,,"NT AUTHORITY\SERVICE;BUILTIN\Administrators;NT AUTHORITY\NETWORK SERVICE;NT AUTHORITY\LOCAL SERVICE","NT AUTHORITY\SERVICE;BUILTIN\Administrators;NT AUTHORITY\NETWORK SERVICE;NT AUTHORITY\LOCAL SERVICE",=,Medium +2.2.16,"User Rights Assignment","Create permanent shared objects",accesschk,SeCreatePermanentPrivilege,,,,,,,,=,Medium +2.2.17,"User Rights Assignment","Create symbolic links (DC)",accesschk,SeCreateSymbolicLinkPrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium +2.2.18.1,"User Rights Assignment","Create symbolic links (Member)",accesschk,SeCreateSymbolicLinkPrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium +2.2.18.2,"User Rights Assignment","Create symbolic links (Member, Hyper-V)",accesschk,SeCreateSymbolicLinkPrivilege,,,,,,S-1-5-83-0;BUILTIN\Administrators,"NT VIRTUAL MACHINE\Virtual Machines;BUILTIN\Administrators",=,Medium +2.2.19,"User Rights Assignment","Debug programs",accesschk,SeDebugPrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium +2.2.20,"User Rights Assignment","Deny access to this computer from the network (DC)",accesschk,SeDenyNetworkLogonRight,,,,,,BUILTIN\Guests,BUILTIN\Guests,=,Medium +2.2.21,"User Rights Assignment","Deny access to this computer from the network (Member)",accesschk,SeDenyNetworkLogonRight,,,,,,BUILTIN\Guests,"BUILTIN\Guests;NT AUTHORITY\Local account and member of Administrators group",=,Medium +2.2.22,"User Rights Assignment","Deny log on as a batch job",accesschk,SeDenyBatchLogonRight,,,,,,,BUILTIN\Guests,=,Medium +2.2.23,"User Rights Assignment","Deny log on as a service",accesschk,SeDenyServiceLogonRight,,,,,,,BUILTIN\Guests,=,Medium +2.2.24,"User Rights Assignment","Deny log on locally",accesschk,SeDenyInteractiveLogonRight,,,,,,BUILTIN\Guests,BUILTIN\Guests,=,Medium +2.2.25,"User Rights Assignment","Deny log on through Remote Desktop Services (DC)",accesschk,SeDenyRemoteInteractiveLogonRight,,,,,,,BUILTIN\Guests,=,Medium +2.2.26,"User Rights Assignment","Deny log on through Remote Desktop Services (Member)",accesschk,SeDenyRemoteInteractiveLogonRight,,,,,,,"BUILTIN\Guests;NT AUTHORITY\Local account",=,Medium +2.2.27,"User Rights Assignment","Enable computer and user accounts to be trusted for delegation (DC)",accesschk,SeEnableDelegationPrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium +2.2.28,"User Rights Assignment","Enable computer and user accounts to be trusted for delegation (Member)",accesschk,SeEnableDelegationPrivilege,,,,,,,,=,Medium +2.2.29,"User Rights Assignment","Force shutdown from a remote system",accesschk,SeRemoteShutdownPrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium +2.2.30,"User Rights Assignment","Generate security audits",accesschk,SeAuditPrivilege,,,,,,"NT AUTHORITY\NETWORK SERVICE;NT AUTHORITY\LOCAL SERVICE","NT AUTHORITY\NETWORK SERVICE;NT AUTHORITY\LOCAL SERVICE",=,Medium +2.2.31,"User Rights Assignment","Impersonate a client after authentication (DC)",accesschk,SeImpersonatePrivilege,,,,,,"NT AUTHORITY\SERVICE;BUILTIN\Administrators;NT AUTHORITY\NETWORK SERVICE;NT AUTHORITY\LOCAL SERVICE","NT AUTHORITY\SERVICE;BUILTIN\Administrators;NT AUTHORITY\NETWORK SERVICE;NT AUTHORITY\LOCAL SERVICE",=,Medium +2.2.32,"User Rights Assignment","Impersonate a client after authentication (Member)",accesschk,SeImpersonatePrivilege,,,,,,"NT AUTHORITY\SERVICE;BUILTIN\Administrators;NT AUTHORITY\NETWORK SERVICE;NT AUTHORITY\LOCAL SERVICE","NT AUTHORITY\SERVICE;BUILTIN\Administrators;NT AUTHORITY\NETWORK SERVICE;NT AUTHORITY\LOCAL SERVICE",=,Medium +2.2.33,"User Rights Assignment","Increase scheduling priority",accesschk,SeIncreaseBasePriorityPrivilege,,,,,,"Window Manager\Window Manager Group;BUILTIN\Administrators","Window Manager\Window Manager Group;BUILTIN\Administrators",=,Medium +2.2.34,"User Rights Assignment","Load and unload device drivers",accesschk,SeLoadDriverPrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium +2.2.35,"User Rights Assignment","Lock pages in memory",accesschk,SeLockMemoryPrivilege,,,,,,,,=,Medium +2.2.36,"User Rights Assignment","Log on as a batch job (DC)",accesschk,SeBatchLogonRight,,,,,,"BUILTIN\Performance Log Users;BUILTIN\Backup Operators;BUILTIN\Administrators",BUILTIN\Administrators,=,Medium +2.2.37.1,"User Rights Assignment","Manage auditing and security log (DC)",accesschk,SeSecurityPrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium +2.2.37.2,"User Rights Assignment","Manage auditing and security log (DC and Exchange)",accesschk,SeSecurityPrivilege,,,,,,BUILTIN\Administrators,"NT AUTHORITY\EXCHANGE SERVERS;BUILTIN\Administrators",=,Medium +2.2.38,"User Rights Assignment","Manage auditing and security log (Member)",accesschk,SeSecurityPrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium +2.2.39,"User Rights Assignment","Modify an object label",accesschk,SeReLabelPrivilege,,,,,,,,=,Medium +2.2.40,"User Rights Assignment","Modify firmware environment values",accesschk,SeSystemEnvironmentPrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium +2.2.41,"User Rights Assignment","Perform volume maintenance tasks",accesschk,SeManageVolumePrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium +2.2.42,"User Rights Assignment","Profile single process",accesschk,SeProfileSingleProcessPrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium +2.2.43,"User Rights Assignment","Profile system performance",accesschk,SeSystemProfilePrivilege,,,,,,"NT SERVICE\WdiServiceHost;BUILTIN\Administrators","NT SERVICE\WdiServiceHost;BUILTIN\Administrators",=,Medium +2.2.44,"User Rights Assignment","Replace a process level token",accesschk,SeAssignPrimaryTokenPrivilege,,,,,,"NT AUTHORITY\NETWORK SERVICE;NT AUTHORITY\LOCAL SERVICE","NT AUTHORITY\NETWORK SERVICE;NT AUTHORITY\LOCAL SERVICE",=,Medium +2.2.45,"User Rights Assignment","Restore files and directories",accesschk,SeRestorePrivilege,,,,,,"BUILTIN\Backup Operators;BUILTIN\Administrators",BUILTIN\Administrators,=,Medium +2.2.46,"User Rights Assignment","Shut down the system",accesschk,SeShutdownPrivilege,,,,,,"BUILTIN\Backup Operators;BUILTIN\Users;BUILTIN\Administrators",BUILTIN\Administrators,=,Medium +2.2.47,"User Rights Assignment","Synchronize directory service data (DC)",accesschk,SeSyncAgentPrivilege,,,,,,,,=,Medium +2.2.48,"User Rights Assignment","Take ownership of files or other objects",accesschk,SeTakeOwnershipPrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium +2.3.1.1,"Security Options","Accounts: Administrator account status (Member)",localaccount,500,,,,,,True,False,=,Medium +2.3.1.2,"Security Options","Accounts: Block Microsoft accounts",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,NoConnectedUser,,,,0,3,=,Low +2.3.1.3,"Security Options","Accounts: Guest account status (Member)",localaccount,501,,,,,,False,False,=,Medium +2.3.1.4,"Security Options","Accounts: Limit local account use of blank passwords to console logon only",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,LimitBlankPasswordUse,,,,1,1,=,Medium +2.3.1.5,"Security Options","Accounts: Rename administrator account",localaccount,500,,,,,,Administrator,Administrator,!=,Low +2.3.1.6,"Security Options","Accounts: Rename guest account",localaccount,501,,,,,,Guest,Guest,!=,Low +2.3.2.1,"Security Options","Audit: Force audit policy subcategory settings to override audit policy category settings",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,SCENoApplyLegacyAuditPolicy,,,,"",1,=,Low +2.3.2.2,"Security Options","Audit: Shut down system immediately if unable to log security audits",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\Lsa,CrashOnAuditFail,,,,0,0,=,Low +2.3.4.1,"Security Options","Devices: Allowed to format and eject removable media",Registry,,"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",AllocateDASD,,,,,2,=,Medium +2.3.4.2,"Security Options","Devices: Prevent users from installing printer drivers",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers",AddPrinterDrivers,,,,0,1,=,Medium +2.3.5.1,"Security Options","Domain controller: Allow server operators to schedule tasks (DC)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\Lsa,SubmitControl,,,,,0,=,Medium +2.3.5.2,"Security Options","Domain controller: Allow vulnerable Netlogon secure channel connections",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters,VulnerableChannelAllowList,,,,,,=,Medium +2.3.5.3,"Security Options","Domain controller: LDAP server channel binding token requirements",Registry,,HKLM:\System\CurrentControlSet\Services\NTDS\Parameters,LdapEnforceChannelBinding,,,,1,2,=,Medium +2.3.5.4,"Security Options","Domain controller: LDAP server signing requirements",Registry,,HKLM:\System\CurrentControlSet\Services\NTDS\Parameters,LDAPServerIntegrity,,,,1,2,=,Medium +2.3.5.5,"Security Options","Domain controller: Refuse machine account password changes (DC)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters,RefusePasswordChange,,,,1,0,=,Medium +2.3.6.1,"Security Options","Domain member: Digitally encrypt or sign secure channel data (always)",Registry,,HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters,RequireSignOrSeal,,,,1,1,=,Medium +2.3.6.2,"Security Options","Domain member: Digitally encrypt secure channel data (when possible)",Registry,,HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters,SealSecureChannel,,,,1,1,=,Medium +2.3.6.3,"Security Options","Domain member: Digitally sign secure channel data (when possible)",Registry,,HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters,SignSecureChannel,,,,1,1,=,Medium +2.3.6.4,"Security Options","Domain member: Disable machine account password changes",Registry,,HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters,DisablePasswordChange,,,,0,0,=,Medium +2.3.6.5,"Security Options","Domain member: Maximum machine account password age",Registry,,HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters,MaximumPasswordAge,,,,30,30,<=!0,Medium +2.3.6.6,"Security Options","Domain member: Require strong (Windows 2000 or later) session key",Registry,,HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters,RequireStrongKey,,,,1,1,=,Medium +2.3.7.1,"Security Options","Interactive logon: Do not require CTRL+ALT+DEL",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System,DisableCAD,,,,1,0,=,Low +2.3.7.2,"Security Options","Interactive logon: Don't display last signed-in",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System,DontDisplayLastUserName,,,,0,1,=,Low +2.3.7.3,"Security Options","Interactive logon: Machine inactivity limit",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,InactivityTimeoutSecs,,,,900,900,<=!0,Medium +2.3.7.4,"Security Options","Interactive logon: Message text for users attempting to log on",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,LegalNoticeText,,,,,,!=,Low +2.3.7.5,"Security Options","Interactive logon: Message title for users attempting to log on",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,LegalNoticeCaption,,,,,,!=,Low +2.3.7.6,"Security Options","Interactive logon: Number of previous logons to cache (in case domain controller is not available)",Registry,,"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",CachedLogonsCount,,,,10,4,<=,Medium +2.3.7.7.1,"Security Options","Interactive logon: Prompt user to change password before expiration (Max)",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,PasswordExpiryWarning,,,,5,14,<=,Low +2.3.7.7.2,"Security Options","Interactive logon: Prompt user to change password before expiration (Min)",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,PasswordExpiryWarning,,,,5,5,>=,Low +2.3.7.8,"Security Options","Interactive logon: Require Domain Controller Authentication to unlock workstation (Member)",Registry,,"HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon",ForceUnlockLogon,,,,,1,=,Medium +2.3.7.9,"Security Options","Interactive logon: Smart card removal behavior",Registry,,"HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon",ScRemoveOption,,,,0,1,=,Medium +2.3.8.1,"Security Options","Microsoft network client: Digitally sign communications (always)",Registry,,HKLM:\System\CurrentControlSet\Services\LanmanWorkstation\Parameters,RequireSecuritySignature,,,,0,1,=,Medium +2.3.8.2,"Security Options","Microsoft network client: Digitally sign communications (if server agrees)",Registry,,HKLM:\System\CurrentControlSet\Services\LanmanWorkstation\Parameters,EnableSecuritySignature,,,,1,1,=,Medium +2.3.8.3,"Security Options","Microsoft network client: Send unencrypted password to third-party SMB servers",Registry,,HKLM:\System\CurrentControlSet\Services\LanmanWorkstation\Parameters,EnablePlainTextPassword,,,,0,0,=,Medium +2.3.9.1,"Security Options","Microsoft network server: Amount of idle time required before suspending session",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters,AutoDisconnect,,,,15,15,<=,Medium +2.3.9.2,"Security Options","Microsoft network server: Digitally sign communications (always)",Registry,,HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters,RequireSecuritySignature,,,,0,1,=,Medium +2.3.9.3,"Security Options","Microsoft network server: Digitally sign communications (if client agrees)",Registry,,HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters,EnableSecuritySignature,,,,0,1,=,Medium +2.3.9.4,"Security Options","Microsoft network server: Disconnect clients when logon hours expire",Registry,,HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters,enableforcedlogoff,,,,1,1,=,Medium +2.3.9.5,"Security Options","Microsoft network server: Server SPN target name validation level (Member)",Registry,,HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters,SMBServerNameHardeningLevel,,,,,1,>=,Medium +2.3.10.1,"Security Options","Network access: Allow anonymous SID/Name translation",secedit,"System Access\LSAAnonymousNameLookup",,,,,,0,0,=,Medium +2.3.10.2,"Security Options","Network access: Do not allow anonymous enumeration of SAM accounts (Member)",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,RestrictAnonymousSAM,,,,1,1,=,Medium +2.3.10.3,"Security Options","Network access: Do not allow anonymous enumeration of SAM accounts and shares (Member)",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,RestrictAnonymous,,,,0,1,=,Medium +2.3.10.4,"Security Options","Network access: Do not allow storage of passwords and credentials for network authentication",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,DisableDomainCreds,,,,0,1,=,Medium +2.3.10.5,"Security Options","Network access: Let Everyone permissions apply to anonymous users",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,EveryoneIncludesAnonymous,,,,0,0,=,Medium +2.3.10.6,"Security Options","Network access: Named Pipes that can be accessed anonymously (DC)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters,NullSessionPipes,,,,,"netlogon samr lsarpc",=,Medium +2.3.10.7,"Security Options","Network access: Named Pipes that can be accessed anonymously (Member)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters,NullSessionPipes,,,,,,=,Medium +2.3.10.8,"Security Options","Network access: Remotely accessible registry paths",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths,Machine,,,,"System\CurrentControlSet\Control\ProductOptions System\CurrentControlSet\Control\Server Applications Software\Microsoft\Windows NT\CurrentVersion","System\CurrentControlSet\Control\ProductOptions;System\CurrentControlSet\Control\Server Applications;Software\Microsoft\Windows NT\CurrentVersion",=,Medium +2.3.10.9,"Security Options","Network access: Remotely accessible registry paths and sub-paths",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths,Machine,,,,"System\CurrentControlSet\Control\Print\Printers System\CurrentControlSet\Services\Eventlog Software\Microsoft\OLAP Server Software\Microsoft\Windows NT\CurrentVersion\Print Software\Microsoft\Windows NT\CurrentVersion\Windows System\CurrentControlSet\Control\ContentIndex System\CurrentControlSet\Control\Terminal Server System\CurrentControlSet\Control\Terminal Server\UserConfig System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration Software\Microsoft\Windows NT\CurrentVersion\Perflib System\CurrentControlSet\Services\SysmonLog","System\CurrentControlSet\Control\Print\Printers;System\CurrentControlSet\Services\Eventlog;Software\Microsoft\OLAP Server;Software\Microsoft\Windows NT\CurrentVersion\Print;Software\Microsoft\Windows NT\CurrentVersion\Windows;System\CurrentControlSet\Control\ContentIndex;System\CurrentControlSet\Control\Terminal Server;System\CurrentControlSet\Control\Terminal Server\UserConfig;System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration;Software\Microsoft\Windows NT\CurrentVersion\Perflib;System\CurrentControlSet\Services\SysmonLog",=,Medium +2.3.10.10,"Security Options","Network access: Restrict anonymous access to Named Pipes and Shares",Registry,,HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters,RestrictNullSessAccess,,,,1,1,=,Medium +2.3.10.11,"Security Options","Network access: Restrict clients allowed to make remote calls to SAM (Member)",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,RestrictRemoteSAM,,,,,O:BAG:BAD:(A;;RC;;;BA),=,Medium +2.3.10.12,"Security Options","Network access: Shares that can be accessed anonymously",Registry,,HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters,NullSessionShares,,,,,,=,Medium +2.3.10.13,"Security Options","Network access: Sharing and security model for local accounts",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,ForceGuest,,,,0,0,=,Medium +2.3.11.1,"Security Options","Network security: Allow Local System to use computer identity for NTLM",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,UseMachineId,,,,,1,=,Medium +2.3.11.2,"Security Options","Network security: Allow LocalSystem NULL session fallback",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0,allownullsessionfallback,,,,0,0,=,Medium +2.3.11.3,"Security Options","Network security: Allow PKU2U authentication requests to this computer to use online identities",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa\pku2u,AllowOnlineID,,,,,0,=,Medium +2.3.11.4,"Security Options","Network security: Configure encryption types allowed for Kerberos",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters,SupportedEncryptionTypes,,,,,2147483640,<=,Medium +2.3.11.5,"Security Options","Network security: Do not store LAN Manager hash value on next password change",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,NoLMHash,,,,1,1,=,High +2.3.11.6,"Security Options","Network security: Force logoff when logon hours expires",secedit,"System Access\ForceLogoffWhenHourExpire",,,,,,0,1,=,Low +2.3.11.7,"Security Options","Network security: LAN Manager authentication level",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,LmCompatibilityLevel,,,,3,5,=,Medium +2.3.11.8,"Security Options","Network security: LDAP client signing requirements",Registry,,HKLM:\System\CurrentControlSet\Services\LDAP,LDAPClientIntegrity,,,,1,1,>=,Medium +2.3.11.9,"Security Options","Network security: Minimum session security for NTLM SSP based (including secure RPC) clients",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0,NTLMMinClientSec,,,,536870912,537395200,=,Medium +2.3.11.10,"Security Options","Network security: Minimum session security for NTLM SSP based (including secure RPC) servers",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0,NTLMMinServerSec,,,,536870912,537395200,=,Medium +2.3.13.1,"Security Options","Shutdown: Allow system to be shut down without having to log on",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System,ShutdownWithoutLogon,,,,1,0,=,Medium +2.3.15.1,"Security Options","System objects: Require case insensitivity for non-Windows subsystem",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel",ObCaseInsensitive,,,,,1,=,Medium +2.3.15.2,"Security Options","System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)",Registry,,"HKLM:\System\CurrentControlSet\Control\Session Manager",ProtectionMode,,,,1,1,=,Medium +2.3.17.1,"Security Options","User Account Control: Admin Approval Mode for the Built-in Administrator account",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,FilterAdministratorToken,,,,0,1,=,Medium +2.3.17.2,"Security Options","User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,ConsentPromptBehaviorAdmin,,,,5,2,=,Medium +2.3.17.3,"Security Options","User Account Control: Behavior of the elevation prompt for standard users",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,ConsentPromptBehaviorUser,,,,0,0,=,Medium +2.3.17.4,"Security Options","User Account Control: Detect application installations and prompt for elevation",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,EnableInstallerDetection,,,,1,1,=,Medium +2.3.17.5,"Security Options","User Account Control: Only elevate UIAccess applications that are installed in secure locations",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,EnableSecureUIAPaths,,,,1,1,=,Medium +2.3.17.6,"Security Options","User Account Control: Run all administrators in Admin Approval Mode",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,EnableLUA,,,,1,1,=,Medium +2.3.17.7,"Security Options","User Account Control: Switch to the secure desktop when prompting for elevation",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,PromptOnSecureDesktop,,,,1,1,=,Medium +2.3.17.8,"Security Options","User Account Control: Virtualize file and registry write failures to per-user locations",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,EnableVirtualization,,,,1,1,=,Medium +9.1.1,"Windows Firewall","EnableFirewall (Domain Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile,EnableFirewall,,,,0,1,=,Medium +9.1.2,"Windows Firewall","Inbound Connections (Domain Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile,DefaultInboundAction,,,,1,1,=,Medium +9.1.3,"Windows Firewall","Outbound Connections (Domain Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile,DefaultOutboundAction,,,,0,0,=,Medium +9.1.4,"Windows Firewall","Display a notification (Domain Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile,DisableNotifications,,,,0,1,=,Low +9.1.5,"Windows Firewall","Name of log file (Domain Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging,LogFilePath,,,,%SystemRoot%\System32\logfiles\firewall\pfirewall.log,%SystemRoot%\System32\logfiles\firewall\domainfw.log,=,Low +9.1.6,"Windows Firewall","Log size limit (Domain Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging,LogFileSize,,,,4096,16384,>=,Medium +9.1.7,"Windows Firewall","Log dropped packets (Domain Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging,LogDroppedPackets,,,,0,1,=,Medium +9.1.8,"Windows Firewall","Log successful connections (Domain Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging,LogSuccessfulConnections,,,,0,1,=,Low +9.2.1,"Windows Firewall","EnableFirewall (Private Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile,EnableFirewall,,,,0,1,=,Medium +9.2.2,"Windows Firewall","Inbound Connections (Private Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile,DefaultInboundAction,,,,1,1,=,Medium +9.2.3,"Windows Firewall","Outbound Connections (Private Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile,DefaultOutboundAction,,,,0,0,=,Medium +9.2.4,"Windows Firewall","Display a notification (Private Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile,DisableNotifications,,,,0,1,=,Low +9.2.5,"Windows Firewall","Name of log file (Private Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging,LogFilePath,,,,%SystemRoot%\System32\logfiles\firewall\pfirewall.log,%SystemRoot%\System32\logfiles\firewall\privatefw.log,=,Low +9.2.6,"Windows Firewall","Log size limit (Private Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging,LogFileSize,,,,4096,16384,>=,Medium +9.2.7,"Windows Firewall","Log dropped packets (Private Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging,LogDroppedPackets,,,,0,1,=,Medium +9.2.8,"Windows Firewall","Log successful connections (Private Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging,LogSuccessfulConnections,,,,0,1,=,Low +9.3.1,"Windows Firewall","EnableFirewall (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile,EnableFirewall,,,,0,1,=,Medium +9.3.2,"Windows Firewall","Inbound Connections (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile,DefaultInboundAction,,,,1,1,=,Medium +9.3.3,"Windows Firewall","Outbound Connections (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile,DefaultOutboundAction,,,,0,0,=,Medium +9.3.4,"Windows Firewall","Display a notification (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile,DisableNotifications,,,,0,1,=,Low +9.3.5,"Windows Firewall","Apply local firewall rules (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile,AllowLocalPolicyMerge,,,,0,0,=,Low +9.3.6,"Windows Firewall","Apply local connection security rules (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile,AllowLocalIPsecPolicyMerge,,,,0,0,=,Low +9.3.7,"Windows Firewall","Name of log file (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging,LogFilePath,,,,%SystemRoot%\System32\logfiles\firewall\pfirewall.log,%SystemRoot%\System32\logfiles\firewall\publicfw.log,=,Low +9.3.8,"Windows Firewall","Log size limit (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging,LogFileSize,,,,4096,16384,>=,Medium +9.3.9,"Windows Firewall","Log dropped packets (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging,LogDroppedPackets,,,,0,1,=,Medium +9.3.10,"Windows Firewall","Log successful connections (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging,LogSuccessfulConnections,,,,0,1,=,Low +17.1.1,"Advanced Audit Policy Configuration","Credential Validation",auditpol,{0CCE923F-69AE-11D9-BED3-505054503030},,,,,,"No Auditing","Success and Failure",=,Low +17.1.2,"Advanced Audit Policy Configuration","Kerberos Authentication Service",auditpol,{0CCE9242-69AE-11D9-BED3-505054503030},,,,,,,"Success and Failure",=,Low +17.1.3,"Advanced Audit Policy Configuration","Kerberos Service Ticket Operations",auditpol,{0CCE9240-69AE-11D9-BED3-505054503030},,,,,,,"Success and Failure",=,Low +17.2.1,"Advanced Audit Policy Configuration","Application Group Management",auditpol,{0CCE9239-69AE-11D9-BED3-505054503030},,,,,,"No Auditing","Success and Failure",=,Low +17.2.2,"Advanced Audit Policy Configuration","Computer Account Management",auditpol,{0CCE9236-69AE-11D9-BED3-505054503030},,,,,,,Success,contains,Low +17.2.3,"Advanced Audit Policy Configuration","Distribution Group Management",auditpol,{0CCE9238-69AE-11D9-BED3-505054503030},,,,,,,Success,contains,Low +17.2.4,"Advanced Audit Policy Configuration","Other Account Management Events",auditpol,{0CCE923A-69AE-11D9-BED3-505054503030},,,,,,,Success,contains,Low +17.2.5,"Advanced Audit Policy Configuration","Security Group Management",auditpol,{0CCE9237-69AE-11D9-BED3-505054503030},,,,,,Success,Success,contains,Low +17.2.6,"Advanced Audit Policy Configuration","User Account Management",auditpol,{0CCE9235-69AE-11D9-BED3-505054503030},,,,,,Success,"Success and Failure",=,Low +17.3.1,"Advanced Audit Policy Configuration","Plug and Play Events",auditpol,{0cce9248-69ae-11d9-bed3-505054503030},,,,,,"No Auditing",Success,contains,Low +17.3.2,"Advanced Audit Policy Configuration","Process Creation",auditpol,{0CCE922B-69AE-11D9-BED3-505054503030},,,,,,"No Auditing",Success,contains,Low +17.4.1,"Advanced Audit Policy Configuration","Directory Service Access",auditpol,{0CCE923B-69AE-11D9-BED3-505054503030},,,,,,,Failure,contains,Low +17.4.2,"Advanced Audit Policy Configuration","Directory Service Changes",auditpol,{0CCE923C-69AE-11D9-BED3-505054503030},,,,,,,Success,contains,Low +17.5.1,"Advanced Audit Policy Configuration","Account Lockout",auditpol,{0CCE9217-69AE-11D9-BED3-505054503030},,,,,,Success,Failure,contains,Low +17.5.2,"Advanced Audit Policy Configuration","Group Membership",auditpol,{0cce9249-69ae-11d9-bed3-505054503030},,,,,,"No Auditing",Success,contains,Low +17.5.3,"Advanced Audit Policy Configuration",Logoff,auditpol,{0CCE9216-69AE-11D9-BED3-505054503030},,,,,,Success,Success,contains,Low +17.5.4,"Advanced Audit Policy Configuration",Logon,auditpol,{0CCE9215-69AE-11D9-BED3-505054503030},,,,,,"Success and Failure","Success and Failure",=,Low +17.5.5,"Advanced Audit Policy Configuration","Other Logon/Logoff Events",auditpol,{0CCE921C-69AE-11D9-BED3-505054503030},,,,,,"No Auditing","Success and Failure",=,Low +17.5.6,"Advanced Audit Policy Configuration","Special Logon",auditpol,{0CCE921B-69AE-11D9-BED3-505054503030},,,,,,Success,Success,contains,Low +17.6.1,"Advanced Audit Policy Configuration","Detailed File Share",auditpol,{0CCE9244-69AE-11D9-BED3-505054503030},,,,,,"No Auditing",Failure,contains,Low +17.6.2,"Advanced Audit Policy Configuration","File Share",auditpol,{0CCE9224-69AE-11D9-BED3-505054503030},,,,,,"No Auditing","Success and Failure",=,Low +17.6.3,"Advanced Audit Policy Configuration","Other Object Access Events",auditpol,{0CCE9227-69AE-11D9-BED3-505054503030},,,,,,"No Auditing","Success and Failure",=,Low +17.6.4,"Advanced Audit Policy Configuration","Removable Storage",auditpol,{0CCE9245-69AE-11D9-BED3-505054503030},,,,,,"No Auditing","Success and Failure",=,Low +17.7.1,"Advanced Audit Policy Configuration","Audit Policy Change",auditpol,{0CCE922F-69AE-11D9-BED3-505054503030},,,,,,Success,Success,contains,Low +17.7.2,"Advanced Audit Policy Configuration","Authentication Policy Change",auditpol,{0CCE9230-69AE-11D9-BED3-505054503030},,,,,,Success,Success,contains,Low +17.7.3,"Advanced Audit Policy Configuration","Authorization Policy Change",auditpol,{0CCE9231-69AE-11D9-BED3-505054503030},,,,,,"No Auditing",Success,contains,Low +17.7.4,"Advanced Audit Policy Configuration","MPSSVC Rule-Level Policy Change",auditpol,{0CCE9232-69AE-11D9-BED3-505054503030},,,,,,"No Auditing","Success and Failure",=,Low +17.7.5,"Advanced Audit Policy Configuration","Other Policy Change Events",auditpol,{0CCE9234-69AE-11D9-BED3-505054503030},,,,,,"No Auditing",Failure,contains,Low +17.8.1,"Advanced Audit Policy Configuration","Sensitive Privilege Use",auditpol,{0CCE9228-69AE-11D9-BED3-505054503030},,,,,,"No Auditing","Success and Failure",=,Low +17.9.1,"Advanced Audit Policy Configuration","IPsec Driver",auditpol,{0CCE9213-69AE-11D9-BED3-505054503030},,,,,,"No Auditing","Success and Failure",=,Low +17.9.2,"Advanced Audit Policy Configuration","Other System Events",auditpol,{0CCE9214-69AE-11D9-BED3-505054503030},,,,,,"Success and Failure","Success and Failure",=,Low +17.9.3,"Advanced Audit Policy Configuration","Security State Change",auditpol,{0CCE9210-69AE-11D9-BED3-505054503030},,,,,,Success,Success,contains,Low +17.9.4,"Advanced Audit Policy Configuration","Security System Extension",auditpol,{0CCE9211-69AE-11D9-BED3-505054503030},,,,,,"No Auditing",Success,contains,Low +17.9.5,"Advanced Audit Policy Configuration","System Integrity",auditpol,{0CCE9212-69AE-11D9-BED3-505054503030},,,,,,"Success and Failure","Success and Failure",=,Low +18.1.1.1,"Administrative Templates: Control Panel","Personalization: Prevent enabling lock screen camera",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Personalization,NoLockScreenCamera,,,,0,1,=,Low +18.1.1.2,"Administrative Templates: Control Panel","Personalization: Prevent enabling lock screen slide show",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Personalization,NoLockScreenSlideshow,,,,0,1,=,Low +18.1.2.2,"Administrative Templates: Control Panel","Regional and Language Options: Allow users to enable online speech recognition services",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\InputPersonalization,AllowInputPersonalization,,,,1,0,=,Medium +18.1.3,"Administrative Templates: Control Panel","Allow Online Tips",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer,AllowOnlineTips,,,,1,0,=,Medium +18.2.1,"Administrative Templates: LAPS","LAPS AdmPwd GPO Extension / CSE (Member)",Registry,,"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA}",DllName,,,,,"C:\Program Files\LAPS\CSE\AdmPwd.dll",=,Medium +18.2.2,"Administrative Templates: LAPS","Do not allow password expiration time longer than required by policy (Member)",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd",PwdExpirationProtectionEnabled,,,,,1,=,Medium +18.2.3,"Administrative Templates: LAPS","Enable local admin password management (Member)",Registry,,"HKLM:\Software\Policies\Microsoft Services\AdmPwd",AdmPwdEnabled,,,,,1,=,Medium +18.2.4,"Administrative Templates: LAPS","Password Settings: Password Complexity (Member)",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd",PasswordComplexity,,,,,4,=,Medium +18.2.5,"Administrative Templates: LAPS","Password Settings: Password Length (Member)",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd",PasswordLength,,,,,15,>=,Medium +18.2.6,"Administrative Templates: LAPS","Password Settings: Password Age (Days) (Member)",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd",PasswordLength,,,,,30,<=,Medium +18.3.1,"MS Security Guide","Apply UAC restrictions to local accounts on network logons (Member)",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,LocalAccountTokenFilterPolicy,,,,,0,=,Medium +18.3.2,"MS Security Guide","Configure SMB v1 client driver",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\MrxSmb10,Start,,,,,4,=,Medium +18.3.3,"MS Security Guide","Configure SMB v1 server",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters,SMB1,,,,,0,=,Medium +18.3.4,"MS Security Guide","Enable Structured Exception Handling Overwrite Protection (SEHOP)",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel",DisableExceptionChainValidation,,,,,0,=,Medium +18.3.6,"MS Security Guide","NetBT NodeType configuration",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters,NodeType,,,,0,2,=,Medium +18.3.7,"MS Security Guide","WDigest Authentication",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest,UseLogonCredential,,,,0,0,=,High +18.4.1,"MSS (Legacy)","MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)",Registry,,"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",AutoAdminLogon,,,,0,0,=,Medium +18.4.2,"MSS (Legacy)","MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip6\Parameters,DisableIPSourceRouting,,,,,2,=,Medium +18.4.3,"MSS (Legacy)","MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,DisableIPSourceRouting,,,,,2,=,Medium +18.4.4,"MSS (Legacy)","MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,EnableICMPRedirect,,,,,0,=,Medium +18.4.5,"MSS (Legacy)","MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters,KeepAliveTime,,,,,300000,<=,Medium +18.4.6,"MSS (Legacy)","MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers",Registry,,HKLM:\System\CurrentControlSet\Services\Netbt\Parameters,NoNameReleaseOnDemand,,,,0,1,=,Medium +18.4.7,"MSS (Legacy)","MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters,PerformRouterDiscovery,,,,,0,=,Medium +18.4.8,"MSS (Legacy)","MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager",SafeDLLSearchMode,,,,0,1,=,Medium +18.4.9,"MSS (Legacy)","MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)",Registry,,"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",ScreenSaverGracePeriod,,,,5,5,<=,Medium +18.4.10,"MSS (Legacy)","MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip6\Parameters,TcpMaxDataRetransmissions,,,,5,3,<=,Medium +18.4.11,"MSS (Legacy)","MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,TcpMaxDataRetransmissions,,,,5,3,<=,Medium +18.4.12,"MSS (Legacy)","MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\Eventlog\Security,WarningLevel,,,,0,90,<=,Medium +18.5.4.1,"Administrative Templates: Network","DNS Client: Turn off multicast name resolution (LLMNR)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows NT\DNSClient",EnableMulticast,,,,1,0,=,Medium +18.5.5.1,"Administrative Templates: Network","Fonts: Enable Font Providers",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,EnableFontProviders,,,,1,0,=,Medium +18.5.8.1,"Administrative Templates: Network","Lanman Workstation: Enable insecure guest logons",Registry,,HKLM:\Software\Policies\Microsoft\Windows\LanmanWorkstation,AllowInsecureGuestAuth,,,,1,0,=,Medium +18.5.9.1.1,"Administrative Templates: Network","Link-Layer Topology Discovery: Turn on Mapper I/O (LLTDIO) driver (AllowLLTDIOOndomain)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\LLTD,AllowLLTDIOOndomain,,,,0,0,=,Medium +18.5.9.1.2,"Administrative Templates: Network","Link-Layer Topology Discovery: Turn on Mapper I/O (LLTDIO) driver (AllowLLTDIOOnPublicNet)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\LLTD,AllowLLTDIOOnPublicNet,,,,0,0,=,Medium +18.5.9.1.3,"Administrative Templates: Network","Link-Layer Topology Discovery: Turn on Mapper I/O (LLTDIO) driver (EnableLLTDIO)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\LLTD,EnableLLTDIO,,,,0,0,=,Medium +18.5.9.1.4,"Administrative Templates: Network","Link-Layer Topology Discovery: Turn on Mapper I/O (LLTDIO) driver (ProhibitLLTDIOOnPrivateNet)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\LLTD,ProhibitLLTDIOOnPrivateNet,,,,0,0,=,Medium +18.5.9.2.1,"Administrative Templates: Network","Turn on Responder (RSPNDR) driver (AllowRspndrOnDomain)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\LLTD,AllowRspndrOnDomain,,,,0,0,=,Medium +18.5.9.2.2,"Administrative Templates: Network","Turn on Responder (RSPNDR) driver (AllowRspndrOnPublicNet)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\LLTD,AllowRspndrOnPublicNet,,,,0,0,=,Medium +18.5.9.2.3,"Administrative Templates: Network","Turn on Responder (RSPNDR) driver (EnableRspndr)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\LLTD,EnableRspndr,,,,0,0,=,Medium +18.5.9.2.4,"Administrative Templates: Network","Turn on Responder (RSPNDR) driver (ProhibitRspndrOnPrivateNet)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\LLTD,ProhibitRspndrOnPrivateNet,,,,0,0,=,Medium +18.5.10.2,"Administrative Templates: Network","Turn off Microsoft Peer-to-Peer Networking Services",Registry,,HKLM:\Software\policies\Microsoft\Peernet,Disabled,,,,0,1,=,Medium +18.5.11.2,"Administrative Templates: Network","Network Connections: Prohibit installation and configuration of Network Bridge on your DNS domain network",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\Network Connections",NC_AllowNetBridge_NLA,,,,0,0,=,Medium +18.5.11.3,"Administrative Templates: Network","Network Connections: Prohibit use of Internet Connection Sharing on your DNS domain network",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\Network Connections",NC_ShowSharedAccessUI,,,,1,0,=,Medium +18.5.11.4,"Administrative Templates: Network","Network Connections: Require domain users to elevate when setting a network's location",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\Network Connections",NC_StdDomainUserSetLocation,,,,0,1,=,Medium +18.5.14.1.1,"Administrative Templates: Network","Network Provider: Hardened UNC Paths (NETLOGON)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths,\\*\NETLOGON,,,,,"RequireMutualAuthentication=1, RequireIntegrity=1",=,Medium +18.5.14.1.2,"Administrative Templates: Network","Network Provider: Hardened UNC Paths (SYSVOL)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths,\\*\SYSVOL,,,,,"RequireMutualAuthentication=1, RequireIntegrity=1",=,Medium +18.5.19.2.1,"Administrative Templates: Network","Disable IPv6",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters,DisabledComponents,,,,0,255,=,Medium +18.5.20.1.1,"Administrative Templates: Network","Windows Connect Now: Configuration of wireless settings using Windows Connect Now (EnableRegistrars)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars,EnableRegistrars,,,,1,0,=,Medium +18.5.20.1.2,"Administrative Templates: Network","Windows Connect Now: Configuration of wireless settings using Windows Connect Now (DisableUPnPRegistrar)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars,DisableUPnPRegistrar,,,,1,0,=,Medium +18.5.20.1.3,"Administrative Templates: Network","Windows Connect Now: Configuration of wireless settings using Windows Connect Now (DisableInBand802DOT11Registrar)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars,DisableInBand802DOT11Registrar,,,,1,0,=,Medium +18.5.20.1.4,"Administrative Templates: Network","Windows Connect Now: Configuration of wireless settings using Windows Connect Now (DisableFlashConfigRegistrar)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars,DisableFlashConfigRegistrar,,,,1,0,=,Medium +18.5.20.1.5,"Administrative Templates: Network","Windows Connect Now: Configuration of wireless settings using Windows Connect Now (DisableWPDRegistrar)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars,DisableWPDRegistrar,,,,1,0,=,Medium +18.5.20.2,"Administrative Templates: Network","Windows Connect Now: Prohibit access of the Windows Connect Now wizards",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WCN\UI,DisableWcnUi,,,,0,1,=,Medium +18.5.21.1,"Administrative Templates: Network","Windows Connection Manager: Minimize the number of simultaneous connections to the Internet or a Windows Domain",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy,fMinimizeConnections,,,,1,3,=,Medium +18.5.21.2,"Administrative Templates: Network","Windows Connection Manager: Prohibit connection to non-domain networks when connected to domain authenticated network",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WcmSvc\GroupPolicy,fBlockNonDomain,,,,,1,=,Medium +18.7.1.1,"Administrative Templates: Start Menu and Taskbar","Notifications: Turn off notifications network usage",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications,NoCloudApplicationNotification,,,,0,1,=,Medium +18.8.3.1,"Administrative Templates: System","Audit Process Creation: Include command line in process creation events",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit,ProcessCreationIncludeCmdLine_Enabled,,,,0,0,=,Medium +18.8.4.1,"Administrative Templates: System","Credentials Delegation: Encryption Oracle Remediation",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters,AllowEncryptionOracle,,,,0,0,=,Medium +18.8.4.2,"Administrative Templates: System","Credentials Delegation: Remote host allows delegation of non-exportable credentials",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CredentialsDelegation,AllowProtectedCreds,,,,,1,=,Medium +18.8.5.1,"Administrative Templates: System","Device Guard: Turn On Virtualization Based Security (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,EnableVirtualizationBasedSecurity,,,,,1,=,Medium +18.8.5.2,"Administrative Templates: System","Device Guard: Select Platform Security Level (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,RequirePlatformSecurityFeatures,,,,,3,=,Medium +18.8.5.3,"Administrative Templates: System","Device Guard: Virtualization Based Protection of Code Integrity (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,HypervisorEnforcedCodeIntegrity,,,,,1,=,Medium +18.8.5.4,"Administrative Templates: System","Device Guard: Require UEFI Memory Attributes Table (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,HVCIMATRequired,,,,,1,=,Medium +18.8.5.5,"Administrative Templates: System","Device Guard: Credential Guard Configuration (Member)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,LsaCfgFlags,,,,,1,=,Medium +18.8.5.6,"Administrative Templates: System","Device Guard: Credential Guard Configuration (DC)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,LsaCfgFlags,,,,,0,=,Medium +18.8.5.7,"Administrative Templates: System","Device Guard: Secure Launch Configuration (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,ConfigureSystemGuardLaunch,,,,0,1,=,Medium +18.8.14.1,"Administrative Templates: System","Early Launch Antimalware: Boot-Start Driver Initialization Policy",Registry,,HKLM:\System\CurrentControlSet\Policies\EarlyLaunch,DriverLoadPolicy,,,,0,3,=,Medium +18.8.21.2,"Administrative Templates: System","Group Policy: Do not apply during periodic background processing",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}",NoGPOListChanges,,,,0,0,=,Medium +18.8.21.3,"Administrative Templates: System","Group Policy: Process even if the Group Policy objects have not changed",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}",NoBackgroundPolicy,,,,1,0,=,Medium +18.8.21.4,"Administrative Templates: System","Group Policy: Continue experiences on this device",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,EnableCdp,,,,1,0,=,Medium +18.8.21.5,"Administrative Templates: System","Group Policy: Turn off background refresh of Group Policy",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,DisableBkGndGroupPolicy,,,,0,0,=,Medium +18.8.22.1.1,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off downloading of print drivers over HTTP",Registry,,"HKLM:\Software\Policies\Microsoft\Windows NT\Printers",DisableWebPnPDownload,,,,0,1,=,Medium +18.8.22.1.2,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off handwriting personalization data sharing",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\TabletPC,PreventHandwritingDataSharing,,,,0,1,=,Medium +18.8.22.1.3,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off handwriting recognition error reporting",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports,PreventHandwritingErrorReports,,,,0,1,=,Medium +18.8.22.1.4,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard",ExitOnMSICW,,,,0,1,=,Medium +18.8.22.1.5,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off Internet download for Web publishing and online ordering wizards",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoWebServices,,,,0,1,=,Medium +18.8.22.1.6,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off printing over HTTP",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers",DisableHTTPPrinting,,,,0,1,=,Medium +18.8.22.1.7,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off Registration if URL connection is referring to Microsoft.com",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Registration Wizard Control",NoRegistration,,,,0,1,=,Medium +18.8.22.1.8,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off Search Companion content file updates",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\SearchCompanion,DisableContentFileUpdates,,,,0,1,=,Medium +18.8.22.1.9,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off the 'Order Prints' picture task",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoOnlinePrintsWizard,,,,0,1,=,Medium +18.8.22.1.10,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off the 'Publish to Web' task for files and folders",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoPublishingWizard,,,,0,1,=,Medium +18.8.22.1.11,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off the Windows Messenger Customer Experience Improvement Program",Registry,,HKLM:\Software\Policies\Microsoft\Messenger\Client,CEIP,,,,0,2,=,Medium +18.8.22.1.12,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off Windows Customer Experience Improvement Program",Registry,,HKLM:\Software\Policies\Microsoft\SQMClient\Windows,CEIPEnable,,,,1,0,=,Medium +18.8.22.1.13.1,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off Windows Error Reporting 1",Registry,,HKLM:\Software\Policies\Microsoft\PCHealth\ErrorReporting,DoReport,,,,1,0,=,Medium +18.8.22.1.13.2,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off Windows Error Reporting 2",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\Windows Error Reporting",Disabled,,,,0,1,=,Medium +18.8.25.1.1,"Administrative Templates: System","Kerberos: Support device authentication using certificate (DevicePKInitBehavior)",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters,DevicePKInitBehavior,,,,1,0,=,Medium +18.8.25.1.2,"Administrative Templates: System","Kerberos: Support device authentication using certificate (DevicePKInitEnabled)",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters,DevicePKInitEnabled,,,,1,1,=,Medium +18.8.27.1,"Administrative Templates: System","Locale Services: Disallow copying of user input methods to the system account for sign-in",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Control Panel\International",BlockUserInputMethodsForSignIn,,,,0,1,=,Medium +18.8.28.1,"Administrative Templates: System","Logon: Block user from showing account details on sign-in",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,BlockUserFromShowingAccountDetailsOnSignin,,,,0,1,=,Medium +18.8.28.2,"Administrative Templates: System","Logon: Do not display network selection UI",Registry,,HKLM:\Software\Policies\Microsoft\Windows\System,DontDisplayNetworkSelectionUI,,,,0,1,=,Medium +18.8.28.3,"Administrative Templates: System","Logon: Do not enumerate connected users on domain-joined computers",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,DontEnumerateConnectedUsers,,,,0,1,=,Medium +18.8.28.4,"Administrative Templates: System","Logon: Enumerate local users on domain-joined computers (Member)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\System,EnumerateLocalUsers,,,,0,0,=,Medium +18.8.28.5,"Administrative Templates: System","Logon: Turn off app notifications on the lock screen",Registry,,HKLM:\Software\Policies\Microsoft\Windows\System,DisableLockScreenAppNotifications,,,,0,1,=,Medium +18.8.28.6,"Administrative Templates: System","Logon: Turn off picture password sign-in",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,BlockDomainPicturePassword,,,,0,1,=,Medium +18.8.28.7,"Administrative Templates: System","Logon: Turn on convenience PIN sign-in",Registry,,HKLM:\Software\Policies\Microsoft\Windows\System,AllowDomainPINLogon,,,,1,0,=,Medium +18.8.34.6.1,"Administrative Templates: System","Sleep Settings: Allow network connectivity during connected-standby (on battery)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9,DCSettingIndex,,,,1,0,=,Medium +18.8.34.6.2,"Administrative Templates: System","Sleep Settings: Allow network connectivity during connected-standby (plugged in)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9,ACSettingIndex,,,,1,0,=,Medium +18.8.34.6.3,"Administrative Templates: System","Sleep Settings: Require a password when a computer wakes (on battery)",Registry,,HKLM:\Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51,DCSettingIndex,,,,0,1,=,Medium +18.8.34.6.4,"Administrative Templates: System","Sleep Settings: Require a password when a computer wakes (plugged in)",Registry,,HKLM:\Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51,ACSettingIndex,,,,0,1,=,Medium +18.8.36.1,"Administrative Templates: System","Remote Assistance: Configure Offer Remote Assistance",Registry,,"HKLM:\Software\policies\Microsoft\Windows NT\Terminal Services",fAllowUnsolicited,,,,1,0,=,Medium +18.8.36.2,"Administrative Templates: System","Remote Assistance: Configure Solicited Remote Assistance",Registry,,"HKLM:\Software\policies\Microsoft\Windows NT\Terminal Services",fAllowToGetHelp,,,,1,0,=,Medium +18.8.37.1,"Administrative Templates: System","Remote Procedure Call: Enable RPC Endpoint Mapper Client Authentication (Member)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows NT\Rpc",EnableAuthEpResolution,,,,0,1,=,Medium +18.8.37.2,"Administrative Templates: System","Remote Procedure Call: Restrict Unauthenticated RPC clients (Member)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows NT\Rpc",RestrictRemoteClients,,,,0,1,=,Medium +18.8.47.5.1,"Administrative Templates: System","Troubleshooting and Diagnostics: Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy,DisableQueryRemoteServer,,,,1,0,=,Medium +18.8.47.11.1,"Administrative Templates: System","Windows Performance PerfTrack: Enable/Disable PerfTrack",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d},ScenarioExecutionEnabled,,,,1,0,=,Medium +18.8.49.1,"Administrative Templates: System","User Profiles: Turn off the advertising ID",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo,DisabledByGroupPolicy,,,,0,1,=,Medium +18.8.52.1.1,"Administrative Templates: System","Time Providers: Enable Windows NTP Client",Registry,,HKLM:\Software\Policies\Microsoft\W32time\TimeProviders\NtpClient,Enabled,,,,0,1,=,Medium +18.8.52.1.2,"Administrative Templates: System","Time Providers: Enable Windows NTP Server (Member)",Registry,,HKLM:\Software\Policies\Microsoft\W32time\TimeProviders\NtpServer,Enabled,,,,0,0,=,Medium +18.9.4.1,"Administrative Templates: Windows Components","App Package Deployment: Allow a Windows app to share application data between users",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\AppModel\StateManager,AllowSharedLocalAppData,,,,1,0,=,Medium +18.9.6.1,"Administrative Templates: Windows Components","App runtime: Allow Microsoft accounts to be optional",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System,MSAOptional,,,,,1,=,Medium +18.9.8.1,"Administrative Templates: Windows Components","AutoPlay Policies: Disallow Autoplay for non-volume devices",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Explorer,NoAutoplayfornonVolume,,,,0,1,=,Medium +18.9.8.2,"Administrative Templates: Windows Components","AutoPlay Policies: Set the default behavior for AutoRun",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoAutorun,,,,0,1,=,Medium +18.9.8.3,"Administrative Templates: Windows Components","AutoPlay Policies: Turn off Autoplay",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoDriveTypeAutoRun,,,,0,255,=,Medium +18.9.10.1.1,"Administrative Templates: Windows Components","Biometrics: Facial Features: Configure enhanced anti-spoofing",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures,EnhancedAntiSpoofing,,,,,1,=,Medium +18.9.12.1,"Administrative Templates: Windows Components","Camera: Allow Use of Camera",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Camera,AllowCamera,,,,1,0,=,Medium +18.9.13.1,"Administrative Templates: Windows Components","Cloud Content: Turn off Microsoft consumer experiences",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CloudContent,DisableWindowsConsumerFeatures,,,,0,1,=,Medium +18.9.14.1,"Administrative Templates: Windows Components","Connect: Require pin for pairing",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Connect,RequirePinForPairing,,,,0,1,>=,Medium +18.9.15.1,"Administrative Templates: Windows Components","Credential User Interface: Do not display the password reveal button",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CredUI,DisablePasswordReveal,,,,0,1,=,Medium +18.9.15.2,"Administrative Templates: Windows Components","Credential User Interface: Enumerate administrator accounts on elevation",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI,EnumerateAdministrators,,,,1,0,=,Medium +18.9.16.1,"Administrative Templates: Windows Components","Data Collection and Preview Builds: Allow Diagnostic Data",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DataCollection,AllowTelemetry,,,,2,1,<=,Medium +18.9.16.2,"Administrative Templates: Windows Components","Data Collection and Preview Builds: Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DataCollection,DisableEnterpriseAuthProxy,,,,0,1,=,Medium +18.9.16.3,"Administrative Templates: Windows Components","Data Collection and Preview Builds: Do not show feedback notifications",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DataCollection,DoNotShowFeedbackNotifications,,,,0,1,=,Medium +18.9.16.4,"Administrative Templates: Windows Components","Data Collection and Preview Builds: Toggle user control over Insider builds",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds,AllowBuildPreview,,,,1,0,=,Medium +18.9.26.1.1,"Administrative Templates: Windows Components","Event Log Service: Application: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Application,Retention,,,,,0,=,Medium +18.9.26.1.2,"Administrative Templates: Windows Components","Event Log Service: Application: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Application,MaxSize,,,,4096,32768,>=,Medium +18.9.26.2.1,"Administrative Templates: Windows Components","Event Log Service: Security: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Security,Retention,,,,,0,=,Medium +18.9.26.2.2,"Administrative Templates: Windows Components","Event Log Service: Security: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Security,MaxSize,,,,4096,196608,>=,Medium +18.9.26.3.1,"Administrative Templates: Windows Components","Event Log Service: Setup: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Setup,Retention,,,,,0,=,Medium +18.9.26.3.2,"Administrative Templates: Windows Components","Event Log Service: Setup: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Setup,MaxSize,,,,4096,32768,>=,Medium +18.9.26.4.1,"Administrative Templates: Windows Components","Event Log Service: System: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\System,Retention,,,,,0,=,Medium +18.9.26.4.2,"Administrative Templates: Windows Components","Event Log Service: System: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\System,MaxSize,,,,4096,32768,>=,Medium +18.9.30.2,"Administrative Templates: Windows Components","File Explorer: Turn off Data Execution Prevention for Explorer",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer,NoDataExecutionPrevention,,,,,0,=,Medium +18.9.30.3,"Administrative Templates: Windows Components","File Explorer: Turn off heap termination on corruption",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer,NoHeapTerminationOnCorruption,,,,,0,=,Medium +18.9.30.4,"Administrative Templates: Windows Components","File Explorer: Turn off shell protocol protected mode",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer,PreXPSP2ShellProtocolBehavior,,,,,0,=,Medium +18.9.39.1,"Administrative Templates: Windows Components","Location and Sensors: Turn off location",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors,DisableLocation,,,,0,1,=,Medium +18.9.43.1,"Administrative Templates: Windows Components","Messaging: Allow Message Service Cloud Sync",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Messaging,AllowMessageSync,,,,1,0,=,Medium +18.9.44.1,"Administrative Templates: Windows Components","Microsoft account: Block all consumer Microsoft account user authentication",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\MicrosoftAccount,DisableUserAuth,,,,,1,=,Medium +18.9.45.3.1,"Microsoft Defender Antivirus","MAPS: Configure local setting override for reporting to Microsoft MAPS",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet",LocalSettingOverrideSpynetReporting,,,,,0,=,Medium +18.9.45.3.2,"Microsoft Defender Antivirus","MAPS: Join Microsoft MAPS",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet",SpynetReporting,,,,,0,=|0,Medium +18.9.45.4.3.1,"Microsoft Defender Exploit Guard","Network Protection: Prevent users and apps from accessing dangerous websites",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection",EnableNetworkProtection,,,,,1,=,Medium +18.9.45.5.1,"Microsoft Defender Antivirus","MpEngine: Enable file hash computation feature",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine",EnableFileHashComputation,,,,,1,=,Medium +18.9.45.8.1,"Microsoft Defender Antivirus","Real-time Protection: Scan all downloaded files and attachments",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Real-Time Protection",DisableIOAVProtection,,,,0,0,=,Medium +18.9.45.8.2,"Microsoft Defender Antivirus","Real-time Protection: Turn off real-time protection",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Real-Time Protection",DisableRealtimeMonitoring,,,,0,0,=,Medium +18.9.45.8.3,"Microsoft Defender Antivirus","Real-time Protection: Turn on behavior monitoring (Policy)",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection",DisableBehaviorMonitoring,,,,0,0,=,Medium +18.9.45.10.1,"Microsoft Defender Antivirus","Reporting: Configure Watson events",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting",DisableGenericRePorts,,,,,1,=,Medium +18.9.45.11.1,"Microsoft Defender Antivirus","Scan: Scan removable drives",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Scan",DisableRemovableDriveScanning,,,,,0,=,Medium +18.9.45.11.2,"Microsoft Defender Antivirus","Scan: Turn on e-mail scanning",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Scan",DisableEmailScanning,,,,,0,=,Medium +18.9.45.14,"Microsoft Defender Antivirus","Configure detection for potentially unwanted applications",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender",PUAProtection,,,,0,1,=,Medium +18.9.45.15,"Microsoft Defender Antivirus","Turn off Microsoft Defender Antivirus",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender",DisableAntiSpyware,,,,0,0,=,Medium +18.9.56.1,"Administrative Templates: Windows Components","OneDrive: Prevent the usage of OneDrive for file storage",Registry,,HKLM:\Software\Policies\Microsoft\Windows\OneDrive,DisableFileSyncNGSC,,,,0,1,=,Medium +18.9.62.1,"Administrative Templates: Windows Components","Push To Install: Turn off Push To Install service",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\PushToInstall,DisablePushToInstall,,,,,1,=,Medium +18.9.63.2.2,"Administrative Templates: Windows Components","Remote Desktop Connection Client: Do not allow passwords to be saved",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",DisablePasswordSaving,,,,0,1,=,Medium +18.9.63.3.2.1,"Administrative Templates: Windows Components","Remote Desktop Session Host: Connections: Restrict Remote Desktop Services users to a single Remote Desktop Services session",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fSingleSessionPerUser,,,,,1,=,Medium +18.9.63.3.3.1,"Administrative Templates: Windows Components","Remote Desktop Session Host: Device and Resource Redirection: Do not allow COM port redirection",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fDisableCcm,,,,0,1,=,Medium +18.9.63.3.3.2,"Administrative Templates: Windows Components","Remote Desktop Session Host: Device and Resource Redirection: Do not allow drive redirection",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fDisableCdm,,,,0,1,=,Medium +18.9.63.3.3.3,"Administrative Templates: Windows Components","Remote Desktop Session Host: Device and Resource Redirection: Do not allow LPT port redirection",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fDisableLPT,,,,0,1,=,Medium +18.9.63.3.3.4,"Administrative Templates: Windows Components","Remote Desktop Session Host: Device and Resource Redirection: Do not allow supported Plug and Play device redirection",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fDisablePNPRedir,,,,0,1,=,Medium +18.9.63.3.9.1,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Always prompt for password upon connection",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fPromptForPassword,,,,0,1,=,Medium +18.9.63.3.9.2,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Require secure RPC communication",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fEncryptRPCTraffic,,,,0,1,=,Medium +18.9.63.3.9.3,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Require use of specific security layer for remote (RDP) connections",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",SecurityLayer,,,,0,2,=,Medium +18.9.63.3.9.4,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Require user authentication for remote connections by using Network Level Authentication",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",UserAuthentication,,,,,1,=,Medium +18.9.63.3.9.5,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Set client connection encryption level",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",MinEncryptionLevel,,,,0,3,=,Medium +18.9.63.3.10.1,"Administrative Templates: Windows Components","Remote Desktop Session Host: Session Time Limits: Set time limit for active but idle Remote Desktop Services sessions",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",MaxIdleTime,,,,,900000,<=!0,Medium +18.9.63.3.10.2,"Administrative Templates: Windows Components","Remote Desktop Session Host: Session Time Limits: Set time limit for disconnected sessions",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",MaxDisconnectionTime,,,,,60000,=,Medium +18.9.63.3.11.1,"Administrative Templates: Windows Components","Remote Desktop Session Host: Temporary folders: Do not delete temp folders upon exit",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",DeleteTempDirsOnExit,,,,,1,=,Medium +18.9.63.3.11.2,"Administrative Templates: Windows Components","Remote Desktop Session Host: Temporary folders: Do not use temporary folders per session",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",PerSessionTempDir,,,,,1,=,Medium +18.9.64.1,"Administrative Templates: Windows Components","RSS Feeds: Prevent downloading of enclosures",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Feeds",DisableEnclosureDownload,,,,,1,=,Medium +18.9.65.2,"Administrative Templates: Windows Components","Search: Allow Cloud Search",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search",AllowCloudSearch,,,,1,0,=,Medium +18.9.65.3,"Administrative Templates: Windows Components","Search: Allow indexing of encrypted files",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search",AllowIndexingEncryptedStoresOrItems,,,,1,0,=,Medium +18.9.70.1,"Administrative Templates: Windows Components","Software Protection Platform: Turn off KMS Client Online AVS Validation",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform",NoGenTicket,,,,,1,=,Medium +18.9.81.1.1.1,"Administrative Templates: Windows Components","File Explorer: Configure Windows Defender SmartScreen",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,EnableSmartScreen,,,,1,1,=,Medium +18.9.81.1.1.2,"Administrative Templates: Windows Components","File Explorer: Configure Windows Defender SmartScreen to warn and prevent bypass",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,ShellSmartScreenLevel,,,,Warn,Block,=,Medium +18.9.85.1,"Administrative Templates: Windows Components","Windows Ink Workspace: Allow suggested apps in Windows Ink Workspace",Registry,,HKLM:\Software\Policies\Microsoft\WindowsInkWorkspace,AllowSuggestedAppsInWindowsInkWorkspace,,,,1,0,=,Medium +18.9.85.2,"Administrative Templates: Windows Components","Windows Ink Workspace: Allow Windows Ink Workspace",Registry,,HKLM:\Software\Policies\Microsoft\WindowsInkWorkspace,AllowWindowsInkWorkspace,,,,1,1,<=,Medium +18.9.86.1,"Administrative Templates: Windows Components","Windows Installer: Allow user control over installs",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Installer,EnableUserControl,,,,1,0,=,Medium +18.9.86.2,"Administrative Templates: Windows Components","Windows Installer: Always install with elevated privileges",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Installer,AlwaysInstallElevated,,,,1,0,=,Medium +18.9.86.3,"Administrative Templates: Windows Components","Windows Installer: Prevent Internet Explorer security prompt for Windows Installer scripts",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Installer,SafeForScripting,,,,1,0,=,Medium +18.9.87.1,"Administrative Templates: Windows Components","Windows Logon Options: Sign-in and lock last interactive user automatically after a restart",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,DisableAutomaticRestartSignOn,,,,0,1,=,Medium +18.9.96.1,PowerShell,"Turn on PowerShell Script Block Logging",Registry,,HKLM:\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging,EnableScriptBlockLogging,,,,0,0,=,Medium +18.9.96.2,PowerShell,"Turn on PowerShell Transcription",Registry,,HKLM:\Software\Policies\Microsoft\Windows\PowerShell\Transcription,EnableTranscripting,,,,0,0,=,Medium +18.9.98.1.1,"Administrative Templates: Windows Components","WinRM Client: Allow Basic authentication",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Client,AllowBasic,,,,1,0,=,Medium +18.9.98.1.2,"Administrative Templates: Windows Components","WinRM Client: Allow unencrypted traffic",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Client,AllowUnencryptedTraffic,,,,1,0,=,Medium +18.9.98.1.3,"Administrative Templates: Windows Components","WinRM Client: Disallow Digest authentication",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Client,AllowDigest,,,,1,0,=,Medium +18.9.98.2.1,"Administrative Templates: Windows Components","WinRM Service: Allow Basic authentication",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service,AllowBasic,,,,1,0,=,Medium +18.9.98.2.2,"Administrative Templates: Windows Components","WinRM Service: Allow remote server management through WinRM",Registry,,HKLM:Software\Policies\Microsoft\Windows\WinRM\Service,AllowAutoConfig,,,,1,0,=,Medium +18.9.98.2.3,"Administrative Templates: Windows Components","WinRM Service: Allow unencrypted traffic",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service,AllowUnencryptedTraffic,,,,1,0,=,Medium +18.9.98.2.4,"Administrative Templates: Windows Components","WinRM Service: Disallow WinRM from storing RunAs credentials",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service,DisableRunAs,,,,0,1,=,Medium +18.9.99.1,"Administrative Templates: Windows Components","Windows Remote Shell: Allow Remote Shell Access",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service\WinRS,AllowRemoteShellAccess,,,,1,0,=,Medium +18.9.100.2.1,"Administrative Templates: Windows Components","App and browser protection: Prevent users from modifying settings",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection",DisallowExploitProtectionOverride,,,,,1,=,Medium +18.9.103.1.1.1,"Administrative Templates: Windows Components","Windows Update: Manage updates offered from Windows Update: Manage preview builds (ManagePreviewBuilds)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,ManagePreviewBuilds,,,,,1,=,Medium +18.9.103.1.1.2,"Administrative Templates: Windows Components","Windows Update: Manage updates offered from Windows Update: Manage preview builds (ManagePreviewBuildsPolicyValue)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,ManagePreviewBuildsPolicyValue,,,,,0,=,Medium +18.9.103.1.2.1,"Administrative Templates: Windows Components","Windows Update: Manage updates offered from Windows Update: Select when Preview Builds and Feature Updates are received (DeferFeatureUpdates)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,DeferFeatureUpdates,,,,,1,=,Medium +18.9.103.1.2.2,"Administrative Templates: Windows Components","Windows Update: Manage updates offered from Windows Update: Select when Preview Builds and Feature Updates are received (BranchReadinessLevel)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,BranchReadinessLevel,,,,,16,=,Medium +18.9.103.1.2.3,"Administrative Templates: Windows Components","Windows Update: Manage updates offered from Windows Update: Select when Preview Builds and Feature Updates are received (DeferFeatureUpdatesPeriodInDays)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,DeferFeatureUpdatesPeriodInDays,,,,,180,>=,Medium +18.9.103.1.3.1,"Administrative Templates: Windows Components","Windows Update: Manage updates offered from Windows Update: Select when Quality Updates are received (DeferQualityUpdates)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,DeferQualityUpdates,,,,,1,=,Medium +18.9.103.1.3.2,"Administrative Templates: Windows Components","Windows Update: Manage updates offered from Windows Update: Select when Quality Updates are received (DeferQualityUpdatesPeriodInDays)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,DeferQualityUpdatesPeriodInDays,,,,,0,>=,Medium +18.9.103.2,"Administrative Templates: Windows Components","Windows Update: Manage end user experience: Configure Automatic Updates",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,NoAutoUpdate,,,,,0,>=,Medium +18.9.103.3,"Administrative Templates: Windows Components","Windows Update: Manage end user experience: Configure Automatic Updates: Scheduled install day",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,ScheduledInstallDay,,,,,0,>=,Medium +18.9.103.4,"Administrative Templates: Windows Components","Windows Update: Legacy Policies: No auto-restart with logged on users for scheduled automatic updates installations",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,NoAutoRebootWithLoggedOnUsers,,,,,0,>=,Medium diff --git a/lists/finding_list_cis_microsoft_windows_server_2019_1809_1.2.0_user.csv b/lists/finding_list_cis_microsoft_windows_server_2016_1607_1.3.0_user.csv similarity index 100% rename from lists/finding_list_cis_microsoft_windows_server_2019_1809_1.2.0_user.csv rename to lists/finding_list_cis_microsoft_windows_server_2016_1607_1.3.0_user.csv diff --git a/lists/finding_list_cis_microsoft_windows_server_2019_1809_1.1.0_machine.csv b/lists/finding_list_cis_microsoft_windows_server_2019_1809_1.1.0_machine.csv index 14c81d4..ef8ca79 100644 --- a/lists/finding_list_cis_microsoft_windows_server_2019_1809_1.1.0_machine.csv +++ b/lists/finding_list_cis_microsoft_windows_server_2019_1809_1.1.0_machine.csv @@ -102,8 +102,8 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 2.3.10.5,"Security Options","Network access: Let Everyone permissions apply to anonymous users",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,EveryoneIncludesAnonymous,,,,0,0,=,Medium 2.3.10.6,"Security Options","Network access: Named Pipes that can be accessed anonymously (DC)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters,NullSessionPipes,,,,,"netlogon samr lsarpc",=,Medium 2.3.10.7,"Security Options","Network access: Named Pipes that can be accessed anonymously (Member)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters,NullSessionPipes,,,,,,=,Medium -2.3.10.8,"Security Options","Network access: Remotely accessible registry paths",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths,Machine,,,,"System\CurrentControlSet\Control\ProductOptions System\CurrentControlSet\Control\Server Applications Software\Microsoft\Windows NT\CurrentVersion","System\CurrentControlSet\Control\ProductOptions System\CurrentControlSet\Control\Server Applications Software\Microsoft\Windows NT\CurrentVersion",=,Medium -2.3.10.9,"Security Options","Network access: Remotely accessible registry paths and sub-paths",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths,Machine,,,,"System\CurrentControlSet\Control\Print\Printers System\CurrentControlSet\Services\Eventlog Software\Microsoft\OLAP Server Software\Microsoft\Windows NT\CurrentVersion\Print Software\Microsoft\Windows NT\CurrentVersion\Windows System\CurrentControlSet\Control\ContentIndex System\CurrentControlSet\Control\Terminal Server System\CurrentControlSet\Control\Terminal Server\UserConfig System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration Software\Microsoft\Windows NT\CurrentVersion\Perflib System\CurrentControlSet\Services\SysmonLog","System\CurrentControlSet\Control\Print\Printers System\CurrentControlSet\Services\Eventlog Software\Microsoft\OLAP Server Software\Microsoft\Windows NT\CurrentVersion\Print Software\Microsoft\Windows NT\CurrentVersion\Windows System\CurrentControlSet\Control\ContentIndex System\CurrentControlSet\Control\Terminal Server System\CurrentControlSet\Control\Terminal Server\UserConfig System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration Software\Microsoft\Windows NT\CurrentVersion\Perflib System\CurrentControlSet\Services\SysmonLog",=,Medium +2.3.10.8,"Security Options","Network access: Remotely accessible registry paths",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths,Machine,,,,"System\CurrentControlSet\Control\ProductOptions System\CurrentControlSet\Control\Server Applications Software\Microsoft\Windows NT\CurrentVersion","System\CurrentControlSet\Control\ProductOptions;System\CurrentControlSet\Control\Server Applications;Software\Microsoft\Windows NT\CurrentVersion",=,Medium +2.3.10.9,"Security Options","Network access: Remotely accessible registry paths and sub-paths",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths,Machine,,,,"System\CurrentControlSet\Control\Print\Printers System\CurrentControlSet\Services\Eventlog Software\Microsoft\OLAP Server Software\Microsoft\Windows NT\CurrentVersion\Print Software\Microsoft\Windows NT\CurrentVersion\Windows System\CurrentControlSet\Control\ContentIndex System\CurrentControlSet\Control\Terminal Server System\CurrentControlSet\Control\Terminal Server\UserConfig System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration Software\Microsoft\Windows NT\CurrentVersion\Perflib System\CurrentControlSet\Services\SysmonLog","System\CurrentControlSet\Control\Print\Printers;System\CurrentControlSet\Services\Eventlog;Software\Microsoft\OLAP Server;Software\Microsoft\Windows NT\CurrentVersion\Print;Software\Microsoft\Windows NT\CurrentVersion\Windows;System\CurrentControlSet\Control\ContentIndex;System\CurrentControlSet\Control\Terminal Server;System\CurrentControlSet\Control\Terminal Server\UserConfig;System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration;Software\Microsoft\Windows NT\CurrentVersion\Perflib;System\CurrentControlSet\Services\SysmonLog",=,Medium 2.3.10.10,"Security Options","Network access: Restrict anonymous access to Named Pipes and Shares",Registry,,HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters,RestrictNullSessAccess,,,,1,1,=,Medium 2.3.10.11,"Security Options","Network access: Restrict clients allowed to make remote calls to SAM (Member)",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,RestrictRemoteSAM,,,,,O:BAG:BAD:(A;;RC;;;BA),=,Medium 2.3.10.12,"Security Options","Network access: Shares that can be accessed anonymously",Registry,,HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters,NullSessionShares,,,,,,=,Medium @@ -190,7 +190,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 17.9.4,"Advanced Audit Policy Configuration","Security System Extension",auditpol,{0CCE9211-69AE-11D9-BED3-505054503030},,,,,,"No Auditing",Success,contains,Low 17.9.5,"Advanced Audit Policy Configuration","System Integrity",auditpol,{0CCE9212-69AE-11D9-BED3-505054503030},,,,,,"Success and Failure","Success and Failure",=,Low 18.1.1.1,"Administrative Templates: Control Panel","Personalization: Prevent enabling lock screen camera",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Personalization,NoLockScreenCamera,,,,0,1,=,Low -18.1.1.2,"Administrative Templates: Control Panel","Personalization: Prevent enabling lock screen slide",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Personalization,NoLockScreenSlideshow,,,,0,1,=,Low +18.1.1.2,"Administrative Templates: Control Panel","Personalization: Prevent enabling lock screen slide show",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Personalization,NoLockScreenSlideshow,,,,0,1,=,Low 18.1.2.2,"Administrative Templates: Control Panel","Regional and Language Options: Allow users to enable online speech recognition services",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\InputPersonalization,AllowInputPersonalization,,,,1,0,=,Medium 18.1.3,"Administrative Templates: Control Panel","Allow Online Tips",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer,AllowOnlineTips,,,,1,0,=,Medium 18.2.1,"Administrative Templates: LAPS","LAPS AdmPwd GPO Extension / CSE (Member)",Registry,,"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA}",DllName,,,,,"C:\Program Files\LAPS\CSE\AdmPwd.dll",=,Medium @@ -297,7 +297,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 18.8.37.2,"Administrative Templates: System","Remote Procedure Call: Restrict Unauthenticated RPC clients (Member)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows NT\Rpc",RestrictRemoteClients,,,,0,1,=,Medium 18.8.47.5.1,"Administrative Templates: System","Troubleshooting and Diagnostics: Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy,DisableQueryRemoteServer,,,,1,0,=,Medium 18.8.47.11.1,"Administrative Templates: System","Windows Performance PerfTrack: Enable/Disable PerfTrack",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d},ScenarioExecutionEnabled,,,,1,0,=,Medium -18.8.49.1,"Administrative Templates: System","User Profiles: Turn of the advertising ID",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo,DisabledByGroupPolicy,,,,0,1,=,Medium +18.8.49.1,"Administrative Templates: System","User Profiles: Turn off the advertising ID",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo,DisabledByGroupPolicy,,,,0,1,=,Medium 18.8.52.1.1,"Administrative Templates: System","Time Providers: Enable Windows NTP Client",Registry,,HKLM:\Software\Policies\Microsoft\W32time\TimeProviders\NtpClient,Enabled,,,,0,1,=,Medium 18.8.52.1.2,"Administrative Templates: System","Time Providers: Enable Windows NTP Server (Member)",Registry,,HKLM:\Software\Policies\Microsoft\W32time\TimeProviders\NtpServer,Enabled,,,,0,0,=,Medium 18.9.4.1,"Administrative Templates: Windows Components","App Package Deployment: Allow a Windows app to share application data between users",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\AppModel\StateManager,AllowSharedLocalAppData,,,,1,0,=,Medium @@ -311,18 +311,18 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 18.9.14.1,"Administrative Templates: Windows Components","Connect: Require pin for pairing",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Connect,RequirePinForPairing,,,,0,1,>=,Medium 18.9.15.1,"Administrative Templates: Windows Components","Credential User Interface: Do not display the password reveal button",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CredUI,DisablePasswordReveal,,,,0,1,=,Medium 18.9.15.2,"Administrative Templates: Windows Components","Credential User Interface: Enumerate administrator accounts on elevation",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI,EnumerateAdministrators,,,,1,0,=,Medium -18.9.16.1,"Administrative Templates: Windows Components","Data Collection and Preview Builds: Allow Telemetry",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DataCollection,AllowTelemetry,,,,2,1,<=,Medium +18.9.16.1,"Administrative Templates: Windows Components","Data Collection and Preview Builds: Allow Diagnostic Data",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DataCollection,AllowTelemetry,,,,2,1,<=,Medium 18.9.16.2,"Administrative Templates: Windows Components","Data Collection and Preview Builds: Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DataCollection,DisableEnterpriseAuthProxy,,,,0,1,=,Medium 18.9.16.3,"Administrative Templates: Windows Components","Data Collection and Preview Builds: Do not show feedback notifications",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DataCollection,DoNotShowFeedbackNotifications,,,,0,1,=,Medium 18.9.16.4,"Administrative Templates: Windows Components","Data Collection and Preview Builds: Toggle user control over Insider builds",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds,AllowBuildPreview,,,,1,0,=,Medium 18.9.26.1.1,"Administrative Templates: Windows Components","Event Log Service: Application: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Application,Retention,,,,,0,=,Medium -18.9.26.1.2,"Administrative Templates: Windows Components","Event Log Service: Specify the maximum Application log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Application,MaxSize,,,,4096,32768,>=,Medium +18.9.26.1.2,"Administrative Templates: Windows Components","Event Log Service: Application: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Application,MaxSize,,,,4096,32768,>=,Medium 18.9.26.2.1,"Administrative Templates: Windows Components","Event Log Service: Security: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Security,Retention,,,,,0,=,Medium -18.9.26.2.2,"Administrative Templates: Windows Components","Event Log Service: Specify the maximum Security log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Security,MaxSize,,,,4096,196608,>=,Medium +18.9.26.2.2,"Administrative Templates: Windows Components","Event Log Service: Security: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Security,MaxSize,,,,4096,196608,>=,Medium 18.9.26.3.1,"Administrative Templates: Windows Components","Event Log Service: Setup: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Setup,Retention,,,,,0,=,Medium 18.9.26.3.2,"Administrative Templates: Windows Components","Event Log Service: Setup: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Setup,MaxSize,,,,4096,32768,>=,Medium 18.9.26.4.1,"Administrative Templates: Windows Components","Event Log Service: System: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\System,Retention,,,,,0,=,Medium -18.9.26.4.2,"Administrative Templates: Windows Components","Event Log Service: Specify the maximum System log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\System,MaxSize,,,,4096,32768,>=,Medium +18.9.26.4.2,"Administrative Templates: Windows Components","Event Log Service: System: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\System,MaxSize,,,,4096,32768,>=,Medium 18.9.30.2,"Administrative Templates: Windows Components","File Explorer: Turn off Data Execution Prevention for Explorer",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer,NoDataExecutionPrevention,,,,,0,=,Medium 18.9.30.3,"Administrative Templates: Windows Components","File Explorer: Turn off heap termination on corruption",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer,NoHeapTerminationOnCorruption,,,,,0,=,Medium 18.9.30.4,"Administrative Templates: Windows Components","File Explorer: Turn off shell protocol protected mode",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer,PreXPSP2ShellProtocolBehavior,,,,,0,=,Medium @@ -356,18 +356,18 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 18.9.77.10.1,"Microsoft Defender Antivirus","Scan: Scan removable drives",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Scan",DisableRemovableDriveScanning,,,,,0,=,Medium 18.9.77.10.2,"Microsoft Defender Antivirus","Scan: Turn on e-mail scanning",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Scan",DisableEmailScanning,,,,,0,=,Medium 18.9.77.13.1.1,"Microsoft Defender Exploit Guard","Attack Surface Reduction rules",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR",ExploitGuard_ASR_Rules,,,,0,1,=,Medium -18.9.77.13.1.2.1.1,"Microsoft Defender Exploit Guard","ASR: Block Office applications from creating child processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",d4f940ab-401b-4efc-aadc-ad5f3c50688a,,,,0,1,=,Medium -18.9.77.13.1.2.1.2,"Microsoft Defender Exploit Guard","ASR: Block Office applications from creating child processes",MpPreferenceAsr,d4f940ab-401b-4efc-aadc-ad5f3c50688a,,,,,,0,1,=,Medium +18.9.77.13.1.2.1.1,"Microsoft Defender Exploit Guard","ASR: Block all Office applications from creating child processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",d4f940ab-401b-4efc-aadc-ad5f3c50688a,,,,0,1,=,Medium +18.9.77.13.1.2.1.2,"Microsoft Defender Exploit Guard","ASR: Block all Office applications from creating child processes",MpPreferenceAsr,d4f940ab-401b-4efc-aadc-ad5f3c50688a,,,,,,0,1,=,Medium 18.9.77.13.1.2.2.1,"Microsoft Defender Exploit Guard","ASR: Block Office applications from creating executable content (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",3b576869-a4ec-4529-8536-b80a7769e899,,,,0,1,=,Medium 18.9.77.13.1.2.2.2,"Microsoft Defender Exploit Guard","ASR: Block Office applications from creating executable content",MpPreferenceAsr,3b576869-a4ec-4529-8536-b80a7769e899,,,,,,0,1,=,Medium 18.9.77.13.1.2.3.1,"Microsoft Defender Exploit Guard","ASR: Block execution of potentially obfuscated scripts (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",5beb7efe-fd9a-4556-801d-275e5ffc04cc,,,,0,1,=,Medium 18.9.77.13.1.2.3.2,"Microsoft Defender Exploit Guard","ASR: Block execution of potentially obfuscated scripts",MpPreferenceAsr,5beb7efe-fd9a-4556-801d-275e5ffc04cc,,,,,,0,1,=,Medium -18.9.77.13.1.2.4.1,"Microsoft Defender Exploit Guard","ASR: Block Office applications from injecting into other processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84,,,,0,1,=,Medium -18.9.77.13.1.2.4.2,"Microsoft Defender Exploit Guard","ASR: Block Office applications from injecting into other processes",MpPreferenceAsr,75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84,,,,,,0,1,=,Medium +18.9.77.13.1.2.4.1,"Microsoft Defender Exploit Guard","ASR: Block Office applications from injecting code into other processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84,,,,0,1,=,Medium +18.9.77.13.1.2.4.2,"Microsoft Defender Exploit Guard","ASR: Block Office applications from injecting code into other processes",MpPreferenceAsr,75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84,,,,,,0,1,=,Medium 18.9.77.13.1.2.5.1,"Microsoft Defender Exploit Guard","ASR: Block Adobe Reader from creating child processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c,,,,0,1,=,Medium 18.9.77.13.1.2.5.2,"Microsoft Defender Exploit Guard","ASR: Block Adobe Reader from creating child processes",MpPreferenceAsr,7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c,,,,,,0,1,=,Medium -18.9.77.13.1.2.6.1,"Microsoft Defender Exploit Guard","ASR: Block Win32 imports from Macro code in Office (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b,,,,0,1,=,Medium -18.9.77.13.1.2.6.2,"Microsoft Defender Exploit Guard","ASR: Block Win32 imports from Macro code in Office",MpPreferenceAsr,92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b,,,,,,0,1,=,Medium +18.9.77.13.1.2.6.1,"Microsoft Defender Exploit Guard","ASR: Block Win32 API calls from Office macros (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b,,,,0,1,=,Medium +18.9.77.13.1.2.6.2,"Microsoft Defender Exploit Guard","ASR: Block Win32 API calls from Office macros",MpPreferenceAsr,92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b,,,,,,0,1,=,Medium 18.9.77.13.1.2.7.1,"Microsoft Defender Exploit Guard","ASR: Block credential stealing from the Windows local security authority subsystem (lsass.exe) (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2,,,,0,1,=,Medium 18.9.77.13.1.2.7.2,"Microsoft Defender Exploit Guard","ASR: Block credential stealing from the Windows local security authority subsystem (lsass.exe)",MpPreferenceAsr,9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2,,,,,,0,1,=,Medium 18.9.77.13.1.2.8.1,"Microsoft Defender Exploit Guard","ASR: Block untrusted and unsigned processes that run from USB (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4,,,,0,1,=,Medium @@ -376,11 +376,11 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 18.9.77.13.1.2.9.2,"Microsoft Defender Exploit Guard","ASR: Block executable content from email client and webmail",MpPreferenceAsr,be9ba2d9-53ea-4cdc-84e5-9b1eeee46550,,,,,,0,1,=,Medium 18.9.77.13.1.2.10.1,"Microsoft Defender Exploit Guard","ASR: Block JavaScript or VBScript from launching downloaded executable content (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",d3e037e1-3eb8-44c8-a917-57927947596d,,,,0,1,=,Medium 18.9.77.13.1.2.10.2,"Microsoft Defender Exploit Guard","ASR: Block JavaScript or VBScript from launching downloaded executable content",MpPreferenceAsr,d3e037e1-3eb8-44c8-a917-57927947596d,,,,,,0,1,=,Medium -18.9.77.13.1.2.11.1,"Microsoft Defender Exploit Guard","ASR: Block Office communication applications from creating child processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",26190899-1602-49e8-8b27-eb1d0a1ce869,,,,0,1,=,Medium -18.9.77.13.1.2.11.2,"Microsoft Defender Exploit Guard","ASR: Block Office communication applications from creating child processes",MpPreferenceAsr,26190899-1602-49e8-8b27-eb1d0a1ce869,,,,,,0,1,=,Medium +18.9.77.13.1.2.11.1,"Microsoft Defender Exploit Guard","ASR: Block Office communication application from creating child processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",26190899-1602-49e8-8b27-eb1d0a1ce869,,,,0,1,=,Medium +18.9.77.13.1.2.11.2,"Microsoft Defender Exploit Guard","ASR: Block Office communication application from creating child processes",MpPreferenceAsr,26190899-1602-49e8-8b27-eb1d0a1ce869,,,,,,0,1,=,Medium 18.9.77.13.3.1,"Microsoft Defender Exploit Guard","Network Protection: Prevent users and apps from accessing dangerous websites",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection",EnableNetworkProtection,,,,,1,=,Medium 18.9.77.14,"Microsoft Defender Antivirus","Configure detection for potentially unwanted applications",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender",PUAProtection,,,,0,1,=,Medium -18.9.77.15,"Microsoft Defender Antivirus","Turn off Windows Defender Antivirus",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender",DisableAntiSpyware,,,,0,0,=,Medium +18.9.77.15,"Microsoft Defender Antivirus","Turn off Microsoft Defender Antivirus",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender",DisableAntiSpyware,,,,0,0,=,Medium 18.9.80.1.1.1,"Administrative Templates: Windows Components","File Explorer: Configure Windows Defender SmartScreen",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,EnableSmartScreen,,,,1,1,=,Medium 18.9.80.1.1.2,"Administrative Templates: Windows Components","File Explorer: Configure Windows Defender SmartScreen to warn and prevent bypass",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,ShellSmartScreenLevel,,,,Warn,Block,=,Medium 18.9.84.1,"Administrative Templates: Windows Components","Windows Ink Workspace: Allow suggested apps in Windows Ink Workspace",Registry,,HKLM:\Software\Policies\Microsoft\WindowsInkWorkspace,AllowSuggestedAppsInWindowsInkWorkspace,,,,1,0,=,Medium @@ -400,13 +400,13 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 18.9.97.2.4,"Administrative Templates: Windows Components","WinRM Service: Disallow WinRM from storing RunAs credentials",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service,DisableRunAs,,,,0,1,=,Medium 18.9.98.1,"Administrative Templates: Windows Components","Windows Remote Shell: Allow Remote Shell Access",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service\WinRS,AllowRemoteShellAccess,,,,1,0,=,Medium 18.9.99.2.1,"Administrative Templates: Windows Components","App and browser protection: Prevent users from modifying settings",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection",DisallowExploitProtectionOverride,,,,,1,=,Medium -18.9.102.1.1.1,"Administrative Templates: Windows Components","Windows Update: Windows Update for Business: Manage preview builds (ManagePreviewBuilds)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,ManagePreviewBuilds,,,,,1,=,Medium -18.9.102.1.1.2,"Administrative Templates: Windows Components","Windows Update: Windows Update for Business: Manage preview builds (ManagePreviewBuildsPolicyValue)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,ManagePreviewBuildsPolicyValue,,,,,0,=,Medium -18.9.102.1.2.1,"Administrative Templates: Windows Components","Windows Update: Windows Update for Business: Select when Preview Builds and Feature Updates are received (DeferFeatureUpdates)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,DeferFeatureUpdates,,,,,1,=,Medium -18.9.102.1.2.2,"Administrative Templates: Windows Components","Windows Update: Windows Update for Business: Select when Preview Builds and Feature Updates are received (BranchReadinessLevel)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,BranchReadinessLevel,,,,,16,=,Medium -18.9.102.1.2.3,"Administrative Templates: Windows Components","Windows Update: Windows Update for Business: Select when Preview Builds and Feature Updates are received (DeferFeatureUpdatesPeriodInDays)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,DeferFeatureUpdatesPeriodInDays,,,,,180,>=,Medium -18.9.102.1.3.1,"Administrative Templates: Windows Components","Windows Update: Windows Update for Business: Select when Quality Updates are received (DeferQualityUpdates)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,DeferQualityUpdates,,,,,1,=,Medium -18.9.102.1.3.2,"Administrative Templates: Windows Components","Windows Update: Windows Update for Business: Select when Quality Updates are received (DeferQualityUpdatesPeriodInDays)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,DeferQualityUpdatesPeriodInDays,,,,,0,>=,Medium -18.9.102.2,"Administrative Templates: Windows Components","Windows Update: Configure Automatic Updates",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,NoAutoUpdate,,,,,0,>=,Medium -18.9.102.3,"Administrative Templates: Windows Components","Windows Update: Configure Automatic Updates: Scheduled install day",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,ScheduledInstallDay,,,,,0,>=,Medium -18.9.102.4,"Administrative Templates: Windows Components","Windows Update: No auto-restart with logged on users for scheduled automatic updates installations",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,NoAutoRebootWithLoggedOnUsers,,,,,0,>=,Medium +18.9.102.1.1.1,"Administrative Templates: Windows Components","Windows Update: Manage updates offered from Windows Update: Manage preview builds (ManagePreviewBuilds)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,ManagePreviewBuilds,,,,,1,=,Medium +18.9.102.1.1.2,"Administrative Templates: Windows Components","Windows Update: Manage updates offered from Windows Update: Manage preview builds (ManagePreviewBuildsPolicyValue)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,ManagePreviewBuildsPolicyValue,,,,,0,=,Medium +18.9.102.1.2.1,"Administrative Templates: Windows Components","Windows Update: Manage updates offered from Windows Update: Select when Preview Builds and Feature Updates are received (DeferFeatureUpdates)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,DeferFeatureUpdates,,,,,1,=,Medium +18.9.102.1.2.2,"Administrative Templates: Windows Components","Windows Update: Manage updates offered from Windows Update: Select when Preview Builds and Feature Updates are received (BranchReadinessLevel)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,BranchReadinessLevel,,,,,16,=,Medium +18.9.102.1.2.3,"Administrative Templates: Windows Components","Windows Update: Manage updates offered from Windows Update: Select when Preview Builds and Feature Updates are received (DeferFeatureUpdatesPeriodInDays)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,DeferFeatureUpdatesPeriodInDays,,,,,180,>=,Medium +18.9.102.1.3.1,"Administrative Templates: Windows Components","Windows Update: Manage updates offered from Windows Update: Select when Quality Updates are received (DeferQualityUpdates)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,DeferQualityUpdates,,,,,1,=,Medium +18.9.102.1.3.2,"Administrative Templates: Windows Components","Windows Update: Manage updates offered from Windows Update: Select when Quality Updates are received (DeferQualityUpdatesPeriodInDays)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,DeferQualityUpdatesPeriodInDays,,,,,0,>=,Medium +18.9.102.2,"Administrative Templates: Windows Components","Windows Update: Manage end user experience: Configure Automatic Updates",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,NoAutoUpdate,,,,,0,>=,Medium +18.9.102.3,"Administrative Templates: Windows Components","Windows Update: Manage end user experience: Configure Automatic Updates: Scheduled install day",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,ScheduledInstallDay,,,,,0,>=,Medium +18.9.102.4,"Administrative Templates: Windows Components","Windows Update: Legacy Policies: No auto-restart with logged on users for scheduled automatic updates installations",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,NoAutoRebootWithLoggedOnUsers,,,,,0,>=,Medium diff --git a/lists/finding_list_cis_microsoft_windows_server_2019_1809_1.2.0_machine.csv b/lists/finding_list_cis_microsoft_windows_server_2019_1809_1.2.1_machine.csv similarity index 93% rename from lists/finding_list_cis_microsoft_windows_server_2019_1809_1.2.0_machine.csv rename to lists/finding_list_cis_microsoft_windows_server_2019_1809_1.2.1_machine.csv index 1152256..afadebf 100644 --- a/lists/finding_list_cis_microsoft_windows_server_2019_1809_1.2.0_machine.csv +++ b/lists/finding_list_cis_microsoft_windows_server_2019_1809_1.2.1_machine.csv @@ -104,8 +104,8 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 2.3.10.5,"Security Options","Network access: Let Everyone permissions apply to anonymous users",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,EveryoneIncludesAnonymous,,,,0,0,=,Medium 2.3.10.6,"Security Options","Network access: Named Pipes that can be accessed anonymously (DC)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters,NullSessionPipes,,,,,"netlogon samr lsarpc",=,Medium 2.3.10.7,"Security Options","Network access: Named Pipes that can be accessed anonymously (Member)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters,NullSessionPipes,,,,,,=,Medium -2.3.10.8,"Security Options","Network access: Remotely accessible registry paths",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths,Machine,,,,"System\CurrentControlSet\Control\ProductOptions System\CurrentControlSet\Control\Server Applications Software\Microsoft\Windows NT\CurrentVersion","System\CurrentControlSet\Control\ProductOptions System\CurrentControlSet\Control\Server Applications Software\Microsoft\Windows NT\CurrentVersion",=,Medium -2.3.10.9,"Security Options","Network access: Remotely accessible registry paths and sub-paths",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths,Machine,,,,"System\CurrentControlSet\Control\Print\Printers System\CurrentControlSet\Services\Eventlog Software\Microsoft\OLAP Server Software\Microsoft\Windows NT\CurrentVersion\Print Software\Microsoft\Windows NT\CurrentVersion\Windows System\CurrentControlSet\Control\ContentIndex System\CurrentControlSet\Control\Terminal Server System\CurrentControlSet\Control\Terminal Server\UserConfig System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration Software\Microsoft\Windows NT\CurrentVersion\Perflib System\CurrentControlSet\Services\SysmonLog","System\CurrentControlSet\Control\Print\Printers System\CurrentControlSet\Services\Eventlog Software\Microsoft\OLAP Server Software\Microsoft\Windows NT\CurrentVersion\Print Software\Microsoft\Windows NT\CurrentVersion\Windows System\CurrentControlSet\Control\ContentIndex System\CurrentControlSet\Control\Terminal Server System\CurrentControlSet\Control\Terminal Server\UserConfig System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration Software\Microsoft\Windows NT\CurrentVersion\Perflib System\CurrentControlSet\Services\SysmonLog",=,Medium +2.3.10.8,"Security Options","Network access: Remotely accessible registry paths",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths,Machine,,,,"System\CurrentControlSet\Control\ProductOptions System\CurrentControlSet\Control\Server Applications Software\Microsoft\Windows NT\CurrentVersion","System\CurrentControlSet\Control\ProductOptions;System\CurrentControlSet\Control\Server Applications;Software\Microsoft\Windows NT\CurrentVersion",=,Medium +2.3.10.9,"Security Options","Network access: Remotely accessible registry paths and sub-paths",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths,Machine,,,,"System\CurrentControlSet\Control\Print\Printers System\CurrentControlSet\Services\Eventlog Software\Microsoft\OLAP Server Software\Microsoft\Windows NT\CurrentVersion\Print Software\Microsoft\Windows NT\CurrentVersion\Windows System\CurrentControlSet\Control\ContentIndex System\CurrentControlSet\Control\Terminal Server System\CurrentControlSet\Control\Terminal Server\UserConfig System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration Software\Microsoft\Windows NT\CurrentVersion\Perflib System\CurrentControlSet\Services\SysmonLog","System\CurrentControlSet\Control\Print\Printers;System\CurrentControlSet\Services\Eventlog;Software\Microsoft\OLAP Server;Software\Microsoft\Windows NT\CurrentVersion\Print;Software\Microsoft\Windows NT\CurrentVersion\Windows;System\CurrentControlSet\Control\ContentIndex;System\CurrentControlSet\Control\Terminal Server;System\CurrentControlSet\Control\Terminal Server\UserConfig;System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration;Software\Microsoft\Windows NT\CurrentVersion\Perflib;System\CurrentControlSet\Services\SysmonLog",=,Medium 2.3.10.10,"Security Options","Network access: Restrict anonymous access to Named Pipes and Shares",Registry,,HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters,RestrictNullSessAccess,,,,1,1,=,Medium 2.3.10.11,"Security Options","Network access: Restrict clients allowed to make remote calls to SAM (Member)",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,RestrictRemoteSAM,,,,,O:BAG:BAD:(A;;RC;;;BA),=,Medium 2.3.10.12,"Security Options","Network access: Shares that can be accessed anonymously",Registry,,HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters,NullSessionShares,,,,,,=,Medium @@ -192,7 +192,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 17.9.4,"Advanced Audit Policy Configuration","Security System Extension",auditpol,{0CCE9211-69AE-11D9-BED3-505054503030},,,,,,"No Auditing",Success,contains,Low 17.9.5,"Advanced Audit Policy Configuration","System Integrity",auditpol,{0CCE9212-69AE-11D9-BED3-505054503030},,,,,,"Success and Failure","Success and Failure",=,Low 18.1.1.1,"Administrative Templates: Control Panel","Personalization: Prevent enabling lock screen camera",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Personalization,NoLockScreenCamera,,,,0,1,=,Low -18.1.1.2,"Administrative Templates: Control Panel","Personalization: Prevent enabling lock screen slide",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Personalization,NoLockScreenSlideshow,,,,0,1,=,Low +18.1.1.2,"Administrative Templates: Control Panel","Personalization: Prevent enabling lock screen slide show",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Personalization,NoLockScreenSlideshow,,,,0,1,=,Low 18.1.2.2,"Administrative Templates: Control Panel","Regional and Language Options: Allow users to enable online speech recognition services",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\InputPersonalization,AllowInputPersonalization,,,,1,0,=,Medium 18.1.3,"Administrative Templates: Control Panel","Allow Online Tips",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer,AllowOnlineTips,,,,1,0,=,Medium 18.2.1,"Administrative Templates: LAPS","LAPS AdmPwd GPO Extension / CSE (Member)",Registry,,"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA}",DllName,,,,,"C:\Program Files\LAPS\CSE\AdmPwd.dll",=,Medium @@ -298,7 +298,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 18.8.37.2,"Administrative Templates: System","Remote Procedure Call: Restrict Unauthenticated RPC clients (Member)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows NT\Rpc",RestrictRemoteClients,,,,0,1,=,Medium 18.8.47.5.1,"Administrative Templates: System","Troubleshooting and Diagnostics: Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy,DisableQueryRemoteServer,,,,1,0,=,Medium 18.8.47.11.1,"Administrative Templates: System","Windows Performance PerfTrack: Enable/Disable PerfTrack",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d},ScenarioExecutionEnabled,,,,1,0,=,Medium -18.8.49.1,"Administrative Templates: System","User Profiles: Turn of the advertising ID",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo,DisabledByGroupPolicy,,,,0,1,=,Medium +18.8.49.1,"Administrative Templates: System","User Profiles: Turn off the advertising ID",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo,DisabledByGroupPolicy,,,,0,1,=,Medium 18.8.52.1.1,"Administrative Templates: System","Time Providers: Enable Windows NTP Client",Registry,,HKLM:\Software\Policies\Microsoft\W32time\TimeProviders\NtpClient,Enabled,,,,0,1,=,Medium 18.8.52.1.2,"Administrative Templates: System","Time Providers: Enable Windows NTP Server (Member)",Registry,,HKLM:\Software\Policies\Microsoft\W32time\TimeProviders\NtpServer,Enabled,,,,0,0,=,Medium 18.9.4.1,"Administrative Templates: Windows Components","App Package Deployment: Allow a Windows app to share application data between users",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\AppModel\StateManager,AllowSharedLocalAppData,,,,1,0,=,Medium @@ -313,18 +313,18 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 18.9.14.1,"Administrative Templates: Windows Components","Connect: Require pin for pairing",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Connect,RequirePinForPairing,,,,0,1,>=,Medium 18.9.15.1,"Administrative Templates: Windows Components","Credential User Interface: Do not display the password reveal button",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CredUI,DisablePasswordReveal,,,,0,1,=,Medium 18.9.15.2,"Administrative Templates: Windows Components","Credential User Interface: Enumerate administrator accounts on elevation",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI,EnumerateAdministrators,,,,1,0,=,Medium -18.9.16.1,"Administrative Templates: Windows Components","Data Collection and Preview Builds: Allow Telemetry",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DataCollection,AllowTelemetry,,,,2,1,<=,Medium +18.9.16.1,"Administrative Templates: Windows Components","Data Collection and Preview Builds: Allow Diagnostic Data",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DataCollection,AllowTelemetry,,,,2,1,<=,Medium 18.9.16.2,"Administrative Templates: Windows Components","Data Collection and Preview Builds: Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DataCollection,DisableEnterpriseAuthProxy,,,,0,1,=,Medium 18.9.16.3,"Administrative Templates: Windows Components","Data Collection and Preview Builds: Do not show feedback notifications",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DataCollection,DoNotShowFeedbackNotifications,,,,0,1,=,Medium 18.9.16.4,"Administrative Templates: Windows Components","Data Collection and Preview Builds: Toggle user control over Insider builds",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds,AllowBuildPreview,,,,1,0,=,Medium 18.9.26.1.1,"Administrative Templates: Windows Components","Event Log Service: Application: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Application,Retention,,,,,0,=,Medium -18.9.26.1.2,"Administrative Templates: Windows Components","Event Log Service: Specify the maximum Application log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Application,MaxSize,,,,4096,32768,>=,Medium +18.9.26.1.2,"Administrative Templates: Windows Components","Event Log Service: Application: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Application,MaxSize,,,,4096,32768,>=,Medium 18.9.26.2.1,"Administrative Templates: Windows Components","Event Log Service: Security: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Security,Retention,,,,,0,=,Medium -18.9.26.2.2,"Administrative Templates: Windows Components","Event Log Service: Specify the maximum Security log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Security,MaxSize,,,,4096,196608,>=,Medium +18.9.26.2.2,"Administrative Templates: Windows Components","Event Log Service: Security: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Security,MaxSize,,,,4096,196608,>=,Medium 18.9.26.3.1,"Administrative Templates: Windows Components","Event Log Service: Setup: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Setup,Retention,,,,,0,=,Medium 18.9.26.3.2,"Administrative Templates: Windows Components","Event Log Service: Setup: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Setup,MaxSize,,,,4096,32768,>=,Medium 18.9.26.4.1,"Administrative Templates: Windows Components","Event Log Service: System: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\System,Retention,,,,,0,=,Medium -18.9.26.4.2,"Administrative Templates: Windows Components","Event Log Service: Specify the maximum System log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\System,MaxSize,,,,4096,32768,>=,Medium +18.9.26.4.2,"Administrative Templates: Windows Components","Event Log Service: System: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\System,MaxSize,,,,4096,32768,>=,Medium 18.9.30.2,"Administrative Templates: Windows Components","File Explorer: Turn off Data Execution Prevention for Explorer",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer,NoDataExecutionPrevention,,,,,0,=,Medium 18.9.30.3,"Administrative Templates: Windows Components","File Explorer: Turn off heap termination on corruption",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer,NoHeapTerminationOnCorruption,,,,,0,=,Medium 18.9.30.4,"Administrative Templates: Windows Components","File Explorer: Turn off shell protocol protected mode",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer,PreXPSP2ShellProtocolBehavior,,,,,0,=,Medium @@ -334,18 +334,18 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 18.9.45.3.1,"Microsoft Defender Antivirus","MAPS: Configure local setting override for reporting to Microsoft MAPS",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet",LocalSettingOverrideSpynetReporting,,,,,0,=,Medium 18.9.45.3.2,"Microsoft Defender Antivirus","MAPS: Join Microsoft MAPS",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet",SpynetReporting,,,,,0,=|0,Medium 18.9.45.4.1.1,"Microsoft Defender Exploit Guard","Attack Surface Reduction rules",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR",ExploitGuard_ASR_Rules,,,,0,1,=,Medium -18.9.45.4.1.2.1.1,"Microsoft Defender Exploit Guard","ASR: Block Office applications from creating child processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",d4f940ab-401b-4efc-aadc-ad5f3c50688a,,,,0,1,=,Medium -18.9.45.4.1.2.1.2,"Microsoft Defender Exploit Guard","ASR: Block Office applications from creating child processes",MpPreferenceAsr,d4f940ab-401b-4efc-aadc-ad5f3c50688a,,,,,,0,1,=,Medium +18.9.45.4.1.2.1.1,"Microsoft Defender Exploit Guard","ASR: Block all Office applications from creating child processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",d4f940ab-401b-4efc-aadc-ad5f3c50688a,,,,0,1,=,Medium +18.9.45.4.1.2.1.2,"Microsoft Defender Exploit Guard","ASR: Block all Office applications from creating child processes",MpPreferenceAsr,d4f940ab-401b-4efc-aadc-ad5f3c50688a,,,,,,0,1,=,Medium 18.9.45.4.1.2.2.1,"Microsoft Defender Exploit Guard","ASR: Block Office applications from creating executable content (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",3b576869-a4ec-4529-8536-b80a7769e899,,,,0,1,=,Medium 18.9.45.4.1.2.2.2,"Microsoft Defender Exploit Guard","ASR: Block Office applications from creating executable content",MpPreferenceAsr,3b576869-a4ec-4529-8536-b80a7769e899,,,,,,0,1,=,Medium 18.9.45.4.1.2.3.1,"Microsoft Defender Exploit Guard","ASR: Block execution of potentially obfuscated scripts (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",5beb7efe-fd9a-4556-801d-275e5ffc04cc,,,,0,1,=,Medium 18.9.45.4.1.2.3.2,"Microsoft Defender Exploit Guard","ASR: Block execution of potentially obfuscated scripts",MpPreferenceAsr,5beb7efe-fd9a-4556-801d-275e5ffc04cc,,,,,,0,1,=,Medium -18.9.45.4.1.2.4.1,"Microsoft Defender Exploit Guard","ASR: Block Office applications from injecting into other processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84,,,,0,1,=,Medium -18.9.45.4.1.2.4.2,"Microsoft Defender Exploit Guard","ASR: Block Office applications from injecting into other processes",MpPreferenceAsr,75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84,,,,,,0,1,=,Medium +18.9.45.4.1.2.4.1,"Microsoft Defender Exploit Guard","ASR: Block Office applications from injecting code into other processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84,,,,0,1,=,Medium +18.9.45.4.1.2.4.2,"Microsoft Defender Exploit Guard","ASR: Block Office applications from injecting code into other processes",MpPreferenceAsr,75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84,,,,,,0,1,=,Medium 18.9.45.4.1.2.5.1,"Microsoft Defender Exploit Guard","ASR: Block Adobe Reader from creating child processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c,,,,0,1,=,Medium 18.9.45.4.1.2.5.2,"Microsoft Defender Exploit Guard","ASR: Block Adobe Reader from creating child processes",MpPreferenceAsr,7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c,,,,,,0,1,=,Medium -18.9.45.4.1.2.6.1,"Microsoft Defender Exploit Guard","ASR: Block Win32 imports from Macro code in Office (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b,,,,0,1,=,Medium -18.9.45.4.1.2.6.2,"Microsoft Defender Exploit Guard","ASR: Block Win32 imports from Macro code in Office",MpPreferenceAsr,92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b,,,,,,0,1,=,Medium +18.9.45.4.1.2.6.1,"Microsoft Defender Exploit Guard","ASR: Block Win32 API calls from Office macros (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b,,,,0,1,=,Medium +18.9.45.4.1.2.6.2,"Microsoft Defender Exploit Guard","ASR: Block Win32 API calls from Office macros",MpPreferenceAsr,92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b,,,,,,0,1,=,Medium 18.9.45.4.1.2.7.1,"Microsoft Defender Exploit Guard","ASR: Block credential stealing from the Windows local security authority subsystem (lsass.exe) (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2,,,,0,1,=,Medium 18.9.45.4.1.2.7.2,"Microsoft Defender Exploit Guard","ASR: Block credential stealing from the Windows local security authority subsystem (lsass.exe)",MpPreferenceAsr,9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2,,,,,,0,1,=,Medium 18.9.45.4.1.2.8.1,"Microsoft Defender Exploit Guard","ASR: Block untrusted and unsigned processes that run from USB (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4,,,,0,1,=,Medium @@ -354,8 +354,8 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 18.9.45.4.1.2.9.2,"Microsoft Defender Exploit Guard","ASR: Block executable content from email client and webmail",MpPreferenceAsr,be9ba2d9-53ea-4cdc-84e5-9b1eeee46550,,,,,,0,1,=,Medium 18.9.45.4.1.2.10.1,"Microsoft Defender Exploit Guard","ASR: Block JavaScript or VBScript from launching downloaded executable content (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",d3e037e1-3eb8-44c8-a917-57927947596d,,,,0,1,=,Medium 18.9.45.4.1.2.10.2,"Microsoft Defender Exploit Guard","ASR: Block JavaScript or VBScript from launching downloaded executable content",MpPreferenceAsr,d3e037e1-3eb8-44c8-a917-57927947596d,,,,,,0,1,=,Medium -18.9.45.4.1.2.11.1,"Microsoft Defender Exploit Guard","ASR: Block Office communication applications from creating child processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",26190899-1602-49e8-8b27-eb1d0a1ce869,,,,0,1,=,Medium -18.9.45.4.1.2.11.2,"Microsoft Defender Exploit Guard","ASR: Block Office communication applications from creating child processes",MpPreferenceAsr,26190899-1602-49e8-8b27-eb1d0a1ce869,,,,,,0,1,=,Medium +18.9.45.4.1.2.11.1,"Microsoft Defender Exploit Guard","ASR: Block Office communication application from creating child processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",26190899-1602-49e8-8b27-eb1d0a1ce869,,,,0,1,=,Medium +18.9.45.4.1.2.11.2,"Microsoft Defender Exploit Guard","ASR: Block Office communication application from creating child processes",MpPreferenceAsr,26190899-1602-49e8-8b27-eb1d0a1ce869,,,,,,0,1,=,Medium 18.9.45.4.1.2.12.1,"Microsoft Defender Exploit Guard","ASR: Block persistence through WMI event subscription (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",e6db77e5-3df2-4cf1-b95a-636979351e5b,,,,0,1,=,Medium 18.9.45.4.1.2.12.2,"Microsoft Defender Exploit Guard","ASR: Block persistence through WMI event subscription",MpPreferenceAsr,e6db77e5-3df2-4cf1-b95a-636979351e5b,,,,,,0,1,=,Medium 18.9.45.4.3.1,"Microsoft Defender Exploit Guard","Network Protection: Prevent users and apps from accessing dangerous websites",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection",EnableNetworkProtection,,,,,1,=,Medium @@ -367,7 +367,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 18.9.45.11.1,"Microsoft Defender Antivirus","Scan: Scan removable drives",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Scan",DisableRemovableDriveScanning,,,,,0,=,Medium 18.9.45.11.2,"Microsoft Defender Antivirus","Scan: Turn on e-mail scanning",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Scan",DisableEmailScanning,,,,,0,=,Medium 18.9.45.14,"Microsoft Defender Antivirus","Configure detection for potentially unwanted applications",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender",PUAProtection,,,,0,1,=,Medium -18.9.45.15,"Microsoft Defender Antivirus","Turn off Windows Defender Antivirus",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender",DisableAntiSpyware,,,,0,0,=,Medium +18.9.45.15,"Microsoft Defender Antivirus","Turn off Microsoft Defender Antivirus",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender",DisableAntiSpyware,,,,0,0,=,Medium 18.9.55.1,"Administrative Templates: Windows Components","OneDrive: Prevent the usage of OneDrive for file storage",Registry,,HKLM:\Software\Policies\Microsoft\Windows\OneDrive,DisableFileSyncNGSC,,,,0,1,=,Medium 18.9.62.2.2,"Administrative Templates: Windows Components","Remote Desktop Connection Client: Do not allow passwords to be saved",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",DisablePasswordSaving,,,,0,1,=,Medium 18.9.62.3.2.1,"Administrative Templates: Windows Components","Remote Desktop Session Host: Connections: Restrict Remote Desktop Services users to a single Remote Desktop Services session",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fSingleSessionPerUser,,,,,1,=,Medium @@ -407,13 +407,13 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 18.9.97.2.4,"Administrative Templates: Windows Components","WinRM Service: Disallow WinRM from storing RunAs credentials",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service,DisableRunAs,,,,0,1,=,Medium 18.9.98.1,"Administrative Templates: Windows Components","Windows Remote Shell: Allow Remote Shell Access",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service\WinRS,AllowRemoteShellAccess,,,,1,0,=,Medium 18.9.99.2.1,"Administrative Templates: Windows Components","App and browser protection: Prevent users from modifying settings",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection",DisallowExploitProtectionOverride,,,,,1,=,Medium -18.9.102.1.1.1,"Administrative Templates: Windows Components","Windows Update: Windows Update for Business: Manage preview builds (ManagePreviewBuilds)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,ManagePreviewBuilds,,,,,1,=,Medium -18.9.102.1.1.2,"Administrative Templates: Windows Components","Windows Update: Windows Update for Business: Manage preview builds (ManagePreviewBuildsPolicyValue)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,ManagePreviewBuildsPolicyValue,,,,,0,=,Medium -18.9.102.1.2.1,"Administrative Templates: Windows Components","Windows Update: Windows Update for Business: Select when Preview Builds and Feature Updates are received (DeferFeatureUpdates)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,DeferFeatureUpdates,,,,,1,=,Medium -18.9.102.1.2.2,"Administrative Templates: Windows Components","Windows Update: Windows Update for Business: Select when Preview Builds and Feature Updates are received (BranchReadinessLevel)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,BranchReadinessLevel,,,,,16,=,Medium -18.9.102.1.2.3,"Administrative Templates: Windows Components","Windows Update: Windows Update for Business: Select when Preview Builds and Feature Updates are received (DeferFeatureUpdatesPeriodInDays)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,DeferFeatureUpdatesPeriodInDays,,,,,180,>=,Medium -18.9.102.1.3.1,"Administrative Templates: Windows Components","Windows Update: Windows Update for Business: Select when Quality Updates are received (DeferQualityUpdates)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,DeferQualityUpdates,,,,,1,=,Medium -18.9.102.1.3.2,"Administrative Templates: Windows Components","Windows Update: Windows Update for Business: Select when Quality Updates are received (DeferQualityUpdatesPeriodInDays)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,DeferQualityUpdatesPeriodInDays,,,,,0,>=,Medium -18.9.102.2,"Administrative Templates: Windows Components","Windows Update: Configure Automatic Updates",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,NoAutoUpdate,,,,,0,>=,Medium -18.9.102.3,"Administrative Templates: Windows Components","Windows Update: Configure Automatic Updates: Scheduled install day",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,ScheduledInstallDay,,,,,0,>=,Medium -18.9.102.4,"Administrative Templates: Windows Components","Windows Update: No auto-restart with logged on users for scheduled automatic updates installations",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,NoAutoRebootWithLoggedOnUsers,,,,,0,>=,Medium +18.9.102.1.1.1,"Administrative Templates: Windows Components","Windows Update: Manage updates offered from Windows Update: Manage preview builds (ManagePreviewBuilds)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,ManagePreviewBuilds,,,,,1,=,Medium +18.9.102.1.1.2,"Administrative Templates: Windows Components","Windows Update: Manage updates offered from Windows Update: Manage preview builds (ManagePreviewBuildsPolicyValue)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,ManagePreviewBuildsPolicyValue,,,,,0,=,Medium +18.9.102.1.2.1,"Administrative Templates: Windows Components","Windows Update: Manage updates offered from Windows Update: Select when Preview Builds and Feature Updates are received (DeferFeatureUpdates)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,DeferFeatureUpdates,,,,,1,=,Medium +18.9.102.1.2.2,"Administrative Templates: Windows Components","Windows Update: Manage updates offered from Windows Update: Select when Preview Builds and Feature Updates are received (BranchReadinessLevel)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,BranchReadinessLevel,,,,,16,=,Medium +18.9.102.1.2.3,"Administrative Templates: Windows Components","Windows Update: Manage updates offered from Windows Update: Select when Preview Builds and Feature Updates are received (DeferFeatureUpdatesPeriodInDays)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,DeferFeatureUpdatesPeriodInDays,,,,,180,>=,Medium +18.9.102.1.3.1,"Administrative Templates: Windows Components","Windows Update: Manage updates offered from Windows Update: Select when Quality Updates are received (DeferQualityUpdates)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,DeferQualityUpdates,,,,,1,=,Medium +18.9.102.1.3.2,"Administrative Templates: Windows Components","Windows Update: Manage updates offered from Windows Update: Select when Quality Updates are received (DeferQualityUpdatesPeriodInDays)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,DeferQualityUpdatesPeriodInDays,,,,,0,>=,Medium +18.9.102.2,"Administrative Templates: Windows Components","Windows Update: Manage end user experience: Configure Automatic Updates",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,NoAutoUpdate,,,,,0,>=,Medium +18.9.102.3,"Administrative Templates: Windows Components","Windows Update: Manage end user experience: Configure Automatic Updates: Scheduled install day",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,ScheduledInstallDay,,,,,0,>=,Medium +18.9.102.4,"Administrative Templates: Windows Components","Windows Update: Legacy Policies: No auto-restart with logged on users for scheduled automatic updates installations",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,NoAutoRebootWithLoggedOnUsers,,,,,0,>=,Medium diff --git a/lists/finding_list_cis_microsoft_windows_server_2019_1809_1.2.1_user.csv b/lists/finding_list_cis_microsoft_windows_server_2019_1809_1.2.1_user.csv new file mode 100644 index 0000000..36fe372 --- /dev/null +++ b/lists/finding_list_cis_microsoft_windows_server_2019_1809_1.2.1_user.csv @@ -0,0 +1,16 @@ +ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Namespace,Property,DefaultValue,RecommendedValue,Operator,Severity +19.1.3.1,"Administrative Templates: Control Panel","Enable screen saver",Registry,,"HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop",ScreenSaveActive,,,,,1,=,Medium +19.1.3.2,"Administrative Templates: Control Panel","Force specific screen saver: Screen saver executable name",Registry,,"HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop",SCRNSAVE.EXE,,,,,scrnsave.scr,=,Medium +19.1.3.3,"Administrative Templates: Control Panel","Password protect the screen saver",Registry,,"HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop",ScreenSaverIsSecure,,,,,1,=,Medium +19.1.3.4,"Administrative Templates: Control Panel","Screen saver timeout",Registry,,"HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop",ScreenSaveTimeOut,,,,,900,<=!0,Medium +19.5.1.1,"Administrative Templates: Start Menu and Taskbar","Notifications: Turn off toast notifications on the lock screen",Registry,,HKCU:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications,NoToastApplicationNotificationOnLockScreen,,,,0,1,=,Medium +19.6.6.1.1,"Administrative Templates: System","Internet Communication Management: Internet Communication Settings: Turn off Help Experience Improvement Program",Registry,,HKCU:\Software\Policies\Microsoft\Assistance\Client\1.0,NoImplicitFeedback,,,,0,1,=,Medium +19.7.4.1,"Administrative Templates: Windows Components","Attachment Manager: Do not preserve zone information in file attachments",Registry,,HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments,SaveZoneInformation,,,,,2,=,Medium +19.7.4.2,"Administrative Templates: Windows Components","Attachment Manager: Notify antivirus programs when opening attachments",Registry,,HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments,ScanWithAntiVirus,,,,,3,=,Medium +19.7.8.1,"Administrative Templates: Windows Components","Cloud Content: Configure Windows spotlight on lock screen",Registry,,HKCU:\Software\Policies\Microsoft\Windows\CloudContent,ConfigureWindowsSpotlight,,,,,2,=,Medium +19.7.8.2,"Administrative Templates: Windows Components","Cloud Content: Do not suggest third-party content in Windows spotlight",Registry,,HKCU:\Software\Policies\Microsoft\Windows\CloudContent,DisableThirdPartySuggestions,,,,0,1,=,Medium +19.7.8.3,"Administrative Templates: Windows Components","Cloud Content: Do not use diagnostic data for tailored experiences",Registry,,HKCU:\Software\Policies\Microsoft\Windows\CloudContent,DisableTailoredExperiencesWithDiagnosticData,,,,0,1,=,Medium +19.7.8.4,"Administrative Templates: Windows Components","Cloud Content: Turn off all Windows spotlight features",Registry,,HKCU:\Software\Policies\Microsoft\Windows\CloudContent,DisableWindowsSpotlightFeatures,,,,0,1,=,Medium +19.7.28.1,"Administrative Templates: Windows Components","Network Sharing: Prevent users from sharing files within their profile",Registry,,HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoInplaceSharing,,,,0,1,=,Medium +19.7.43.1,"Administrative Templates: Windows Components","Windows Installer: Always install with elevated privileges",Registry,,HKCU:\Software\Policies\Microsoft\Windows\Installer,AlwaysInstallElevated,,,,1,0,=,Medium +19.7.47.2.1,"Administrative Templates: Windows Components","Windows Media Player: Playback: Prevent Codec Download",Registry,,HKCU:\Software\Policies\Microsoft\WindowsMediaPlayer,PreventCodecDownload,,,,,1,=,Medium diff --git a/lists/finding_list_cis_microsoft_windows_server_2022_21h1_1.0.0_machine.csv b/lists/finding_list_cis_microsoft_windows_server_2022_21h1_1.0.0_machine.csv new file mode 100644 index 0000000..fcccbd9 --- /dev/null +++ b/lists/finding_list_cis_microsoft_windows_server_2022_21h1_1.0.0_machine.csv @@ -0,0 +1,439 @@ +ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Namespace,Property,DefaultValue,RecommendedValue,Operator,Severity +1.1.1,"Account Policies","Length of password history maintained",accountpolicy,,,,,,,None,24,>=,Low +1.1.2,"Account Policies","Maximum password age",accountpolicy,,,,,,,42,365,<=!0,Low +1.1.3,"Account Policies","Minimum password age",accountpolicy,,,,,,,0,1,>=,Low +1.1.4,"Account Policies","Minimum password length",accountpolicy,,,,,,,0,14,>=,Medium +1.1.5,"Account Policies","Password must meet complexity requirements",secedit,"System Access\PasswordComplexity",,,,,,0,1,=,Medium +1.1.6,"Account Policies","Relax minimum password length limits",Registry,,HKLM:\System\CurrentControlSet\Control\SAM,RelaxMinimumPasswordLengthLimits,,,,0,1,=,Medium +1.1.7,"Account Policies","Store passwords using reversible encryption",secedit,"System Access\ClearTextPassword",,,,,,0,0,=,High +1.2.1,"Account Policies","Account lockout duration",accountpolicy,,,,,,,30,15,>=,Low +1.2.2,"Account Policies","Account lockout threshold",accountpolicy,,,,,,,Never,5,<=!0,Low +1.2.3,"Account Policies","Reset account lockout counter",accountpolicy,,,,,,,30,15,>=,Low +2.2.1,"User Rights Assignment","Access Credential Manager as a trusted caller",accesschk,SeTrustedCredManAccessPrivilege,,,,,,,,=,Medium +2.2.2,"User Rights Assignment","Access this computer from the network (DC)",accesschk,SeNetworkLogonRight,,,,,,"NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS;BUILTIN\Pre-Windows 2000 Compatible Access;BUILTIN\Administrators;NT AUTHORITY\Authenticated Users;Everyone","NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS;BUILTIN\Administrators;NT AUTHORITY\Authenticated Users",=,Medium +2.2.3,"User Rights Assignment","Access this computer from the network (Member)",accesschk,SeNetworkLogonRight,,,,,,"BUILTIN\Pre-Windows 2000 Compatible Access;BUILTIN\Administrators;NT AUTHORITY\Authenticated Users;Everyone","BUILTIN\Administrators;NT AUTHORITY\Authenticated Users",=,Medium +2.2.4,"User Rights Assignment","Act as part of the operating system",accesschk,SeTcbPrivilege,,,,,,,,=,Medium +2.2.5,"User Rights Assignment","Add workstations to domain (DC)",accesschk,SeMachineAccountPrivilege,,,,,,"NT AUTHORITY\Authenticated Users",BUILTIN\Administrators,=,Medium +2.2.6,"User Rights Assignment","Adjust memory quotas for a process",accesschk,SeIncreaseQuotaPrivilege,,,,,,"BUILTIN\Administrators;NT AUTHORITY\NETWORK SERVICE;NT AUTHORITY\LOCAL SERVICE","BUILTIN\Administrators;NT AUTHORITY\NETWORK SERVICE;NT AUTHORITY\LOCAL SERVICE",=,Medium +2.2.7,"User Rights Assignment","Allow log on locally",accesschk,SeInteractiveLogonRight,,,,,,"BUILTIN\Backup Operators;BUILTIN\Users;BUILTIN\Administrators;COMPUTERNAME\Guest",BUILTIN\Administrators,=,Medium +2.2.8,"User Rights Assignment","Allow log on through Remote Desktop Services (DC)",accesschk,SeRemoteInteractiveLogonRight,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium +2.2.9,"User Rights Assignment","Allow log on through Remote Desktop Services (Member)",accesschk,SeRemoteInteractiveLogonRight,,,,,,"BUILTIN\Remote Desktop Users;BUILTIN\Administrators","BUILTIN\Remote Desktop Users;BUILTIN\Administrators",=,Medium +2.2.10,"User Rights Assignment","Back up files and directories",accesschk,SeBackupPrivilege,,,,,,"BUILTIN\Administrators;BUILTIN\Backup Operators",BUILTIN\Administrators,=,Medium +2.2.11,"User Rights Assignment","Change the system time",accesschk,SeSystemTimePrivilege,,,,,,"BUILTIN\Administrators;NT AUTHORITY\LOCAL SERVICE","BUILTIN\Administrators;NT AUTHORITY\LOCAL SERVICE",=,Medium +2.2.12,"User Rights Assignment","Change the time zone",accesschk,SeTimeZonePrivilege,,,,,,"BUILTIN\Device Owners;BUILTIN\Users;BUILTIN\Administrators;NT AUTHORITY\LOCAL SERVICE","BUILTIN\Administrators;NT AUTHORITY\LOCAL SERVICE",=,Medium +2.2.13,"User Rights Assignment","Create a pagefile",accesschk,SeCreatePagefilePrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium +2.2.14,"User Rights Assignment","Create a token object",accesschk,SeCreateTokenPrivilege,,,,,,,,=,Medium +2.2.15,"User Rights Assignment","Create global objects",accesschk,SeCreateGlobalPrivilege,,,,,,"NT AUTHORITY\SERVICE;BUILTIN\Administrators;NT AUTHORITY\NETWORK SERVICE;NT AUTHORITY\LOCAL SERVICE","NT AUTHORITY\SERVICE;BUILTIN\Administrators;NT AUTHORITY\NETWORK SERVICE;NT AUTHORITY\LOCAL SERVICE",=,Medium +2.2.16,"User Rights Assignment","Create permanent shared objects",accesschk,SeCreatePermanentPrivilege,,,,,,,,=,Medium +2.2.17,"User Rights Assignment","Create symbolic links (DC)",accesschk,SeCreateSymbolicLinkPrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium +2.2.18.1,"User Rights Assignment","Create symbolic links (Member)",accesschk,SeCreateSymbolicLinkPrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium +2.2.18.2,"User Rights Assignment","Create symbolic links (Member, Hyper-V)",accesschk,SeCreateSymbolicLinkPrivilege,,,,,,S-1-5-83-0;BUILTIN\Administrators,"NT VIRTUAL MACHINE\Virtual Machines;BUILTIN\Administrators",=,Medium +2.2.19,"User Rights Assignment","Debug programs",accesschk,SeDebugPrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium +2.2.20,"User Rights Assignment","Deny access to this computer from the network (DC)",accesschk,SeDenyNetworkLogonRight,,,,,,BUILTIN\Guests,BUILTIN\Guests,=,Medium +2.2.21,"User Rights Assignment","Deny access to this computer from the network (Member)",accesschk,SeDenyNetworkLogonRight,,,,,,BUILTIN\Guests,"BUILTIN\Guests;NT AUTHORITY\Local account and member of Administrators group",=,Medium +2.2.22,"User Rights Assignment","Deny log on as a batch job",accesschk,SeDenyBatchLogonRight,,,,,,,BUILTIN\Guests,=,Medium +2.2.23,"User Rights Assignment","Deny log on as a service",accesschk,SeDenyServiceLogonRight,,,,,,,BUILTIN\Guests,=,Medium +2.2.24,"User Rights Assignment","Deny log on locally",accesschk,SeDenyInteractiveLogonRight,,,,,,BUILTIN\Guests,BUILTIN\Guests,=,Medium +2.2.25,"User Rights Assignment","Deny log on through Remote Desktop Services (DC)",accesschk,SeDenyRemoteInteractiveLogonRight,,,,,,,BUILTIN\Guests,=,Medium +2.2.26,"User Rights Assignment","Deny log on through Remote Desktop Services (Member)",accesschk,SeDenyRemoteInteractiveLogonRight,,,,,,,"BUILTIN\Guests;NT AUTHORITY\Local account",=,Medium +2.2.27,"User Rights Assignment","Enable computer and user accounts to be trusted for delegation (DC)",accesschk,SeEnableDelegationPrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium +2.2.28,"User Rights Assignment","Enable computer and user accounts to be trusted for delegation (Member)",accesschk,SeEnableDelegationPrivilege,,,,,,,,=,Medium +2.2.29,"User Rights Assignment","Force shutdown from a remote system",accesschk,SeRemoteShutdownPrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium +2.2.30,"User Rights Assignment","Generate security audits",accesschk,SeAuditPrivilege,,,,,,"NT AUTHORITY\NETWORK SERVICE;NT AUTHORITY\LOCAL SERVICE","NT AUTHORITY\NETWORK SERVICE;NT AUTHORITY\LOCAL SERVICE",=,Medium +2.2.31,"User Rights Assignment","Impersonate a client after authentication (DC)",accesschk,SeImpersonatePrivilege,,,,,,"NT AUTHORITY\SERVICE;BUILTIN\Administrators;NT AUTHORITY\NETWORK SERVICE;NT AUTHORITY\LOCAL SERVICE","NT AUTHORITY\SERVICE;BUILTIN\Administrators;NT AUTHORITY\NETWORK SERVICE;NT AUTHORITY\LOCAL SERVICE",=,Medium +2.2.32,"User Rights Assignment","Impersonate a client after authentication (Member)",accesschk,SeImpersonatePrivilege,,,,,,"NT AUTHORITY\SERVICE;BUILTIN\Administrators;NT AUTHORITY\NETWORK SERVICE;NT AUTHORITY\LOCAL SERVICE","NT AUTHORITY\SERVICE;BUILTIN\Administrators;NT AUTHORITY\NETWORK SERVICE;NT AUTHORITY\LOCAL SERVICE",=,Medium +2.2.33,"User Rights Assignment","Increase scheduling priority",accesschk,SeIncreaseBasePriorityPrivilege,,,,,,"Window Manager\Window Manager Group;BUILTIN\Administrators","Window Manager\Window Manager Group;BUILTIN\Administrators",=,Medium +2.2.34,"User Rights Assignment","Load and unload device drivers",accesschk,SeLoadDriverPrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium +2.2.35,"User Rights Assignment","Lock pages in memory",accesschk,SeLockMemoryPrivilege,,,,,,,,=,Medium +2.2.36,"User Rights Assignment","Log on as a batch job (DC)",accesschk,SeBatchLogonRight,,,,,,"BUILTIN\Performance Log Users;BUILTIN\Backup Operators;BUILTIN\Administrators",BUILTIN\Administrators,=,Medium +2.2.37.1,"User Rights Assignment","Manage auditing and security log (DC)",accesschk,SeSecurityPrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium +2.2.37.2,"User Rights Assignment","Manage auditing and security log (DC and Exchange)",accesschk,SeSecurityPrivilege,,,,,,BUILTIN\Administrators,"NT AUTHORITY\EXCHANGE SERVERS;BUILTIN\Administrators",=,Medium +2.2.38,"User Rights Assignment","Manage auditing and security log (Member)",accesschk,SeSecurityPrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium +2.2.39,"User Rights Assignment","Modify an object label",accesschk,SeReLabelPrivilege,,,,,,,,=,Medium +2.2.40,"User Rights Assignment","Modify firmware environment values",accesschk,SeSystemEnvironmentPrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium +2.2.41,"User Rights Assignment","Perform volume maintenance tasks",accesschk,SeManageVolumePrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium +2.2.42,"User Rights Assignment","Profile single process",accesschk,SeProfileSingleProcessPrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium +2.2.43,"User Rights Assignment","Profile system performance",accesschk,SeSystemProfilePrivilege,,,,,,"NT SERVICE\WdiServiceHost;BUILTIN\Administrators","NT SERVICE\WdiServiceHost;BUILTIN\Administrators",=,Medium +2.2.44,"User Rights Assignment","Replace a process level token",accesschk,SeAssignPrimaryTokenPrivilege,,,,,,"NT AUTHORITY\NETWORK SERVICE;NT AUTHORITY\LOCAL SERVICE","NT AUTHORITY\NETWORK SERVICE;NT AUTHORITY\LOCAL SERVICE",=,Medium +2.2.45,"User Rights Assignment","Restore files and directories",accesschk,SeRestorePrivilege,,,,,,"BUILTIN\Backup Operators;BUILTIN\Administrators",BUILTIN\Administrators,=,Medium +2.2.46,"User Rights Assignment","Shut down the system",accesschk,SeShutdownPrivilege,,,,,,"BUILTIN\Backup Operators;BUILTIN\Users;BUILTIN\Administrators",BUILTIN\Administrators,=,Medium +2.2.47,"User Rights Assignment","Synchronize directory service data (DC)",accesschk,SeSyncAgentPrivilege,,,,,,,,=,Medium +2.2.48,"User Rights Assignment","Take ownership of files or other objects",accesschk,SeTakeOwnershipPrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium +2.3.1.1,"Security Options","Accounts: Administrator account status (Member)",localaccount,500,,,,,,True,False,=,Medium +2.3.1.2,"Security Options","Accounts: Block Microsoft accounts",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,NoConnectedUser,,,,0,3,=,Low +2.3.1.3,"Security Options","Accounts: Guest account status (Member)",localaccount,501,,,,,,False,False,=,Medium +2.3.1.4,"Security Options","Accounts: Limit local account use of blank passwords to console logon only",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,LimitBlankPasswordUse,,,,1,1,=,Medium +2.3.1.5,"Security Options","Accounts: Rename administrator account",localaccount,500,,,,,,Administrator,Administrator,!=,Low +2.3.1.6,"Security Options","Accounts: Rename guest account",localaccount,501,,,,,,Guest,Guest,!=,Low +2.3.2.1,"Security Options","Audit: Force audit policy subcategory settings to override audit policy category settings",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,SCENoApplyLegacyAuditPolicy,,,,"",1,=,Low +2.3.2.2,"Security Options","Audit: Shut down system immediately if unable to log security audits",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\Lsa,CrashOnAuditFail,,,,0,0,=,Low +2.3.4.1,"Security Options","Devices: Allowed to format and eject removable media",Registry,,"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",AllocateDASD,,,,,2,=,Medium +2.3.4.2,"Security Options","Devices: Prevent users from installing printer drivers",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers",AddPrinterDrivers,,,,0,1,=,Medium +2.3.5.1,"Security Options","Domain controller: Allow server operators to schedule tasks (DC)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\Lsa,SubmitControl,,,,,0,=,Medium +2.3.5.2,"Security Options","Domain controller: Allow vulnerable Netlogon secure channel connections",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters,VulnerableChannelAllowList,,,,,,=,Medium +2.3.5.3,"Security Options","Domain controller: LDAP server channel binding token requirements",Registry,,HKLM:\System\CurrentControlSet\Services\NTDS\Parameters,LdapEnforceChannelBinding,,,,1,2,=,Medium +2.3.5.4,"Security Options","Domain controller: LDAP server signing requirements",Registry,,HKLM:\System\CurrentControlSet\Services\NTDS\Parameters,LDAPServerIntegrity,,,,1,2,=,Medium +2.3.5.5,"Security Options","Domain controller: Refuse machine account password changes (DC)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters,RefusePasswordChange,,,,1,0,=,Medium +2.3.6.1,"Security Options","Domain member: Digitally encrypt or sign secure channel data (always)",Registry,,HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters,RequireSignOrSeal,,,,1,1,=,Medium +2.3.6.2,"Security Options","Domain member: Digitally encrypt secure channel data (when possible)",Registry,,HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters,SealSecureChannel,,,,1,1,=,Medium +2.3.6.3,"Security Options","Domain member: Digitally sign secure channel data (when possible)",Registry,,HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters,SignSecureChannel,,,,1,1,=,Medium +2.3.6.4,"Security Options","Domain member: Disable machine account password changes",Registry,,HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters,DisablePasswordChange,,,,0,0,=,Medium +2.3.6.5,"Security Options","Domain member: Maximum machine account password age",Registry,,HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters,MaximumPasswordAge,,,,30,30,<=!0,Medium +2.3.6.6,"Security Options","Domain member: Require strong (Windows 2000 or later) session key",Registry,,HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters,RequireStrongKey,,,,1,1,=,Medium +2.3.7.1,"Security Options","Interactive logon: Do not require CTRL+ALT+DEL",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System,DisableCAD,,,,1,0,=,Low +2.3.7.2,"Security Options","Interactive logon: Don't display last signed-in",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System,DontDisplayLastUserName,,,,0,1,=,Low +2.3.7.3,"Security Options","Interactive logon: Machine inactivity limit",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,InactivityTimeoutSecs,,,,900,900,<=!0,Medium +2.3.7.4,"Security Options","Interactive logon: Message text for users attempting to log on",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,LegalNoticeText,,,,,,!=,Low +2.3.7.5,"Security Options","Interactive logon: Message title for users attempting to log on",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,LegalNoticeCaption,,,,,,!=,Low +2.3.7.6,"Security Options","Interactive logon: Number of previous logons to cache (in case domain controller is not available)",Registry,,"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",CachedLogonsCount,,,,10,4,<=,Medium +2.3.7.7.1,"Security Options","Interactive logon: Prompt user to change password before expiration (Max)",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,PasswordExpiryWarning,,,,5,14,<=,Low +2.3.7.7.2,"Security Options","Interactive logon: Prompt user to change password before expiration (Min)",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,PasswordExpiryWarning,,,,5,5,>=,Low +2.3.7.8,"Security Options","Interactive logon: Require Domain Controller Authentication to unlock workstation (Member)",Registry,,"HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon",ForceUnlockLogon,,,,,1,=,Medium +2.3.7.9,"Security Options","Interactive logon: Smart card removal behavior",Registry,,"HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon",ScRemoveOption,,,,0,1,=,Medium +2.3.8.1,"Security Options","Microsoft network client: Digitally sign communications (always)",Registry,,HKLM:\System\CurrentControlSet\Services\LanmanWorkstation\Parameters,RequireSecuritySignature,,,,0,1,=,Medium +2.3.8.2,"Security Options","Microsoft network client: Digitally sign communications (if server agrees)",Registry,,HKLM:\System\CurrentControlSet\Services\LanmanWorkstation\Parameters,EnableSecuritySignature,,,,1,1,=,Medium +2.3.8.3,"Security Options","Microsoft network client: Send unencrypted password to third-party SMB servers",Registry,,HKLM:\System\CurrentControlSet\Services\LanmanWorkstation\Parameters,EnablePlainTextPassword,,,,0,0,=,Medium +2.3.9.1,"Security Options","Microsoft network server: Amount of idle time required before suspending session",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters,AutoDisconnect,,,,15,15,<=,Medium +2.3.9.2,"Security Options","Microsoft network server: Digitally sign communications (always)",Registry,,HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters,RequireSecuritySignature,,,,0,1,=,Medium +2.3.9.3,"Security Options","Microsoft network server: Digitally sign communications (if client agrees)",Registry,,HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters,EnableSecuritySignature,,,,0,1,=,Medium +2.3.9.4,"Security Options","Microsoft network server: Disconnect clients when logon hours expire",Registry,,HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters,enableforcedlogoff,,,,1,1,=,Medium +2.3.9.5,"Security Options","Microsoft network server: Server SPN target name validation level (Member)",Registry,,HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters,SMBServerNameHardeningLevel,,,,,1,>=,Medium +2.3.10.1,"Security Options","Network access: Allow anonymous SID/Name translation",secedit,"System Access\LSAAnonymousNameLookup",,,,,,0,0,=,Medium +2.3.10.2,"Security Options","Network access: Do not allow anonymous enumeration of SAM accounts (Member)",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,RestrictAnonymousSAM,,,,1,1,=,Medium +2.3.10.3,"Security Options","Network access: Do not allow anonymous enumeration of SAM accounts and shares (Member)",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,RestrictAnonymous,,,,0,1,=,Medium +2.3.10.4,"Security Options","Network access: Do not allow storage of passwords and credentials for network authentication",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,DisableDomainCreds,,,,0,1,=,Medium +2.3.10.5,"Security Options","Network access: Let Everyone permissions apply to anonymous users",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,EveryoneIncludesAnonymous,,,,0,0,=,Medium +2.3.10.6,"Security Options","Network access: Named Pipes that can be accessed anonymously (DC)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters,NullSessionPipes,,,,,"netlogon samr lsarpc",=,Medium +2.3.10.7,"Security Options","Network access: Named Pipes that can be accessed anonymously (Member)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters,NullSessionPipes,,,,,,=,Medium +2.3.10.8,"Security Options","Network access: Remotely accessible registry paths",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths,Machine,,,,"System\CurrentControlSet\Control\ProductOptions System\CurrentControlSet\Control\Server Applications Software\Microsoft\Windows NT\CurrentVersion","System\CurrentControlSet\Control\ProductOptions;System\CurrentControlSet\Control\Server Applications;Software\Microsoft\Windows NT\CurrentVersion",=,Medium +2.3.10.9,"Security Options","Network access: Remotely accessible registry paths and sub-paths",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths,Machine,,,,"System\CurrentControlSet\Control\Print\Printers System\CurrentControlSet\Services\Eventlog Software\Microsoft\OLAP Server Software\Microsoft\Windows NT\CurrentVersion\Print Software\Microsoft\Windows NT\CurrentVersion\Windows System\CurrentControlSet\Control\ContentIndex System\CurrentControlSet\Control\Terminal Server System\CurrentControlSet\Control\Terminal Server\UserConfig System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration Software\Microsoft\Windows NT\CurrentVersion\Perflib System\CurrentControlSet\Services\SysmonLog","System\CurrentControlSet\Control\Print\Printers;System\CurrentControlSet\Services\Eventlog;Software\Microsoft\OLAP Server;Software\Microsoft\Windows NT\CurrentVersion\Print;Software\Microsoft\Windows NT\CurrentVersion\Windows;System\CurrentControlSet\Control\ContentIndex;System\CurrentControlSet\Control\Terminal Server;System\CurrentControlSet\Control\Terminal Server\UserConfig;System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration;Software\Microsoft\Windows NT\CurrentVersion\Perflib;System\CurrentControlSet\Services\SysmonLog",=,Medium +2.3.10.10,"Security Options","Network access: Restrict anonymous access to Named Pipes and Shares",Registry,,HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters,RestrictNullSessAccess,,,,1,1,=,Medium +2.3.10.11,"Security Options","Network access: Restrict clients allowed to make remote calls to SAM (Member)",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,RestrictRemoteSAM,,,,,O:BAG:BAD:(A;;RC;;;BA),=,Medium +2.3.10.12,"Security Options","Network access: Shares that can be accessed anonymously",Registry,,HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters,NullSessionShares,,,,,,=,Medium +2.3.10.13,"Security Options","Network access: Sharing and security model for local accounts",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,ForceGuest,,,,0,0,=,Medium +2.3.11.1,"Security Options","Network security: Allow Local System to use computer identity for NTLM",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,UseMachineId,,,,,1,=,Medium +2.3.11.2,"Security Options","Network security: Allow LocalSystem NULL session fallback",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0,allownullsessionfallback,,,,0,0,=,Medium +2.3.11.3,"Security Options","Network security: Allow PKU2U authentication requests to this computer to use online identities",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa\pku2u,AllowOnlineID,,,,,0,=,Medium +2.3.11.4,"Security Options","Network security: Configure encryption types allowed for Kerberos",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters,SupportedEncryptionTypes,,,,,2147483640,<=,Medium +2.3.11.5,"Security Options","Network security: Do not store LAN Manager hash value on next password change",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,NoLMHash,,,,1,1,=,High +2.3.11.6,"Security Options","Network security: Force logoff when logon hours expires",secedit,"System Access\ForceLogoffWhenHourExpire",,,,,,0,1,=,Low +2.3.11.7,"Security Options","Network security: LAN Manager authentication level",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,LmCompatibilityLevel,,,,3,5,=,Medium +2.3.11.8,"Security Options","Network security: LDAP client signing requirements",Registry,,HKLM:\System\CurrentControlSet\Services\LDAP,LDAPClientIntegrity,,,,1,1,>=,Medium +2.3.11.9,"Security Options","Network security: Minimum session security for NTLM SSP based (including secure RPC) clients",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0,NTLMMinClientSec,,,,536870912,537395200,=,Medium +2.3.11.10,"Security Options","Network security: Minimum session security for NTLM SSP based (including secure RPC) servers",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0,NTLMMinServerSec,,,,536870912,537395200,=,Medium +2.3.13.1,"Security Options","Shutdown: Allow system to be shut down without having to log on",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System,ShutdownWithoutLogon,,,,1,0,=,Medium +2.3.15.1,"Security Options","System objects: Require case insensitivity for non-Windows subsystem",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel",ObCaseInsensitive,,,,,1,=,Medium +2.3.15.2,"Security Options","System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)",Registry,,"HKLM:\System\CurrentControlSet\Control\Session Manager",ProtectionMode,,,,1,1,=,Medium +2.3.17.1,"Security Options","User Account Control: Admin Approval Mode for the Built-in Administrator account",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,FilterAdministratorToken,,,,0,1,=,Medium +2.3.17.2,"Security Options","User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,ConsentPromptBehaviorAdmin,,,,5,2,=,Medium +2.3.17.3,"Security Options","User Account Control: Behavior of the elevation prompt for standard users",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,ConsentPromptBehaviorUser,,,,0,0,=,Medium +2.3.17.4,"Security Options","User Account Control: Detect application installations and prompt for elevation",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,EnableInstallerDetection,,,,1,1,=,Medium +2.3.17.5,"Security Options","User Account Control: Only elevate UIAccess applications that are installed in secure locations",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,EnableSecureUIAPaths,,,,1,1,=,Medium +2.3.17.6,"Security Options","User Account Control: Run all administrators in Admin Approval Mode",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,EnableLUA,,,,1,1,=,Medium +2.3.17.7,"Security Options","User Account Control: Switch to the secure desktop when prompting for elevation",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,PromptOnSecureDesktop,,,,1,1,=,Medium +2.3.17.8,"Security Options","User Account Control: Virtualize file and registry write failures to per-user locations",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,EnableVirtualization,,,,1,1,=,Medium +5.1.1,"System Services","Print Spooler (Spooler) (DC only) ",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\Spooler,Start,,,,2,4,=,Medium +5.1.2,"System Services","Print Spooler (Spooler) (Service Startup type) (DC only) ",service,Spooler,,,,,,Automatic,Disabled,=,Medium +5.2.1,"System Services","Print Spooler (Spooler) (MS only)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\Spooler,Start,,,,2,4,=,Medium +5.2.2,"System Services","Print Spooler (Spooler) (Service Startup type) (MS only)",service,Spooler,,,,,,Automatic,Disabled,=,Medium +9.1.1,"Windows Firewall","EnableFirewall (Domain Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile,EnableFirewall,,,,0,1,=,Medium +9.1.2,"Windows Firewall","Inbound Connections (Domain Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile,DefaultInboundAction,,,,1,1,=,Medium +9.1.3,"Windows Firewall","Outbound Connections (Domain Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile,DefaultOutboundAction,,,,0,0,=,Medium +9.1.4,"Windows Firewall","Display a notification (Domain Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile,DisableNotifications,,,,0,1,=,Low +9.1.5,"Windows Firewall","Name of log file (Domain Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging,LogFilePath,,,,%SystemRoot%\System32\logfiles\firewall\pfirewall.log,%SystemRoot%\System32\logfiles\firewall\domainfw.log,=,Low +9.1.6,"Windows Firewall","Log size limit (Domain Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging,LogFileSize,,,,4096,16384,>=,Medium +9.1.7,"Windows Firewall","Log dropped packets (Domain Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging,LogDroppedPackets,,,,0,1,=,Medium +9.1.8,"Windows Firewall","Log successful connections (Domain Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging,LogSuccessfulConnections,,,,0,1,=,Low +9.2.1,"Windows Firewall","EnableFirewall (Private Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile,EnableFirewall,,,,0,1,=,Medium +9.2.2,"Windows Firewall","Inbound Connections (Private Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile,DefaultInboundAction,,,,1,1,=,Medium +9.2.3,"Windows Firewall","Outbound Connections (Private Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile,DefaultOutboundAction,,,,0,0,=,Medium +9.2.4,"Windows Firewall","Display a notification (Private Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile,DisableNotifications,,,,0,1,=,Low +9.2.5,"Windows Firewall","Name of log file (Private Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging,LogFilePath,,,,%SystemRoot%\System32\logfiles\firewall\pfirewall.log,%SystemRoot%\System32\logfiles\firewall\privatefw.log,=,Low +9.2.6,"Windows Firewall","Log size limit (Private Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging,LogFileSize,,,,4096,16384,>=,Medium +9.2.7,"Windows Firewall","Log dropped packets (Private Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging,LogDroppedPackets,,,,0,1,=,Medium +9.2.8,"Windows Firewall","Log successful connections (Private Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging,LogSuccessfulConnections,,,,0,1,=,Low +9.3.1,"Windows Firewall","EnableFirewall (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile,EnableFirewall,,,,0,1,=,Medium +9.3.2,"Windows Firewall","Inbound Connections (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile,DefaultInboundAction,,,,1,1,=,Medium +9.3.3,"Windows Firewall","Outbound Connections (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile,DefaultOutboundAction,,,,0,0,=,Medium +9.3.4,"Windows Firewall","Display a notification (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile,DisableNotifications,,,,0,1,=,Low +9.3.5,"Windows Firewall","Apply local firewall rules (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile,AllowLocalPolicyMerge,,,,0,0,=,Low +9.3.6,"Windows Firewall","Apply local connection security rules (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile,AllowLocalIPsecPolicyMerge,,,,0,0,=,Low +9.3.7,"Windows Firewall","Name of log file (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging,LogFilePath,,,,%SystemRoot%\System32\logfiles\firewall\pfirewall.log,%SystemRoot%\System32\logfiles\firewall\publicfw.log,=,Low +9.3.8,"Windows Firewall","Log size limit (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging,LogFileSize,,,,4096,16384,>=,Medium +9.3.9,"Windows Firewall","Log dropped packets (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging,LogDroppedPackets,,,,0,1,=,Medium +9.3.10,"Windows Firewall","Log successful connections (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging,LogSuccessfulConnections,,,,0,1,=,Low +17.1.1,"Advanced Audit Policy Configuration","Credential Validation",auditpol,{0CCE923F-69AE-11D9-BED3-505054503030},,,,,,"No Auditing","Success and Failure",=,Low +17.1.2,"Advanced Audit Policy Configuration","Kerberos Authentication Service",auditpol,{0CCE9242-69AE-11D9-BED3-505054503030},,,,,,,"Success and Failure",=,Low +17.1.3,"Advanced Audit Policy Configuration","Kerberos Service Ticket Operations",auditpol,{0CCE9240-69AE-11D9-BED3-505054503030},,,,,,,"Success and Failure",=,Low +17.2.1,"Advanced Audit Policy Configuration","Application Group Management",auditpol,{0CCE9239-69AE-11D9-BED3-505054503030},,,,,,"No Auditing","Success and Failure",=,Low +17.2.2,"Advanced Audit Policy Configuration","Computer Account Management",auditpol,{0CCE9236-69AE-11D9-BED3-505054503030},,,,,,,Success,contains,Low +17.2.3,"Advanced Audit Policy Configuration","Distribution Group Management",auditpol,{0CCE9238-69AE-11D9-BED3-505054503030},,,,,,,Success,contains,Low +17.2.4,"Advanced Audit Policy Configuration","Other Account Management Events",auditpol,{0CCE923A-69AE-11D9-BED3-505054503030},,,,,,,Success,contains,Low +17.2.5,"Advanced Audit Policy Configuration","Security Group Management",auditpol,{0CCE9237-69AE-11D9-BED3-505054503030},,,,,,Success,Success,contains,Low +17.2.6,"Advanced Audit Policy Configuration","User Account Management",auditpol,{0CCE9235-69AE-11D9-BED3-505054503030},,,,,,Success,"Success and Failure",=,Low +17.3.1,"Advanced Audit Policy Configuration","Plug and Play Events",auditpol,{0cce9248-69ae-11d9-bed3-505054503030},,,,,,"No Auditing",Success,contains,Low +17.3.2,"Advanced Audit Policy Configuration","Process Creation",auditpol,{0CCE922B-69AE-11D9-BED3-505054503030},,,,,,"No Auditing",Success,contains,Low +17.4.1,"Advanced Audit Policy Configuration","Directory Service Access",auditpol,{0CCE923B-69AE-11D9-BED3-505054503030},,,,,,,Failure,contains,Low +17.4.2,"Advanced Audit Policy Configuration","Directory Service Changes",auditpol,{0CCE923C-69AE-11D9-BED3-505054503030},,,,,,,Success,contains,Low +17.5.1,"Advanced Audit Policy Configuration","Account Lockout",auditpol,{0CCE9217-69AE-11D9-BED3-505054503030},,,,,,Success,Failure,contains,Low +17.5.2,"Advanced Audit Policy Configuration","Group Membership",auditpol,{0cce9249-69ae-11d9-bed3-505054503030},,,,,,"No Auditing",Success,contains,Low +17.5.3,"Advanced Audit Policy Configuration",Logoff,auditpol,{0CCE9216-69AE-11D9-BED3-505054503030},,,,,,Success,Success,contains,Low +17.5.4,"Advanced Audit Policy Configuration",Logon,auditpol,{0CCE9215-69AE-11D9-BED3-505054503030},,,,,,"Success and Failure","Success and Failure",=,Low +17.5.5,"Advanced Audit Policy Configuration","Other Logon/Logoff Events",auditpol,{0CCE921C-69AE-11D9-BED3-505054503030},,,,,,"No Auditing","Success and Failure",=,Low +17.5.6,"Advanced Audit Policy Configuration","Special Logon",auditpol,{0CCE921B-69AE-11D9-BED3-505054503030},,,,,,Success,Success,contains,Low +17.6.1,"Advanced Audit Policy Configuration","Detailed File Share",auditpol,{0CCE9244-69AE-11D9-BED3-505054503030},,,,,,"No Auditing",Failure,contains,Low +17.6.2,"Advanced Audit Policy Configuration","File Share",auditpol,{0CCE9224-69AE-11D9-BED3-505054503030},,,,,,"No Auditing","Success and Failure",=,Low +17.6.3,"Advanced Audit Policy Configuration","Other Object Access Events",auditpol,{0CCE9227-69AE-11D9-BED3-505054503030},,,,,,"No Auditing","Success and Failure",=,Low +17.6.4,"Advanced Audit Policy Configuration","Removable Storage",auditpol,{0CCE9245-69AE-11D9-BED3-505054503030},,,,,,"No Auditing","Success and Failure",=,Low +17.7.1,"Advanced Audit Policy Configuration","Audit Policy Change",auditpol,{0CCE922F-69AE-11D9-BED3-505054503030},,,,,,Success,Success,contains,Low +17.7.2,"Advanced Audit Policy Configuration","Authentication Policy Change",auditpol,{0CCE9230-69AE-11D9-BED3-505054503030},,,,,,Success,Success,contains,Low +17.7.3,"Advanced Audit Policy Configuration","Authorization Policy Change",auditpol,{0CCE9231-69AE-11D9-BED3-505054503030},,,,,,"No Auditing",Success,contains,Low +17.7.4,"Advanced Audit Policy Configuration","MPSSVC Rule-Level Policy Change",auditpol,{0CCE9232-69AE-11D9-BED3-505054503030},,,,,,"No Auditing","Success and Failure",=,Low +17.7.5,"Advanced Audit Policy Configuration","Other Policy Change Events",auditpol,{0CCE9234-69AE-11D9-BED3-505054503030},,,,,,"No Auditing",Failure,contains,Low +17.8.1,"Advanced Audit Policy Configuration","Sensitive Privilege Use",auditpol,{0CCE9228-69AE-11D9-BED3-505054503030},,,,,,"No Auditing","Success and Failure",=,Low +17.9.1,"Advanced Audit Policy Configuration","IPsec Driver",auditpol,{0CCE9213-69AE-11D9-BED3-505054503030},,,,,,"No Auditing","Success and Failure",=,Low +17.9.2,"Advanced Audit Policy Configuration","Other System Events",auditpol,{0CCE9214-69AE-11D9-BED3-505054503030},,,,,,"Success and Failure","Success and Failure",=,Low +17.9.3,"Advanced Audit Policy Configuration","Security State Change",auditpol,{0CCE9210-69AE-11D9-BED3-505054503030},,,,,,Success,Success,contains,Low +17.9.4,"Advanced Audit Policy Configuration","Security System Extension",auditpol,{0CCE9211-69AE-11D9-BED3-505054503030},,,,,,"No Auditing",Success,contains,Low +17.9.5,"Advanced Audit Policy Configuration","System Integrity",auditpol,{0CCE9212-69AE-11D9-BED3-505054503030},,,,,,"Success and Failure","Success and Failure",=,Low +18.1.1.1,"Administrative Templates: Control Panel","Personalization: Prevent enabling lock screen camera",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Personalization,NoLockScreenCamera,,,,0,1,=,Low +18.1.1.2,"Administrative Templates: Control Panel","Personalization: Prevent enabling lock screen slide show",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Personalization,NoLockScreenSlideshow,,,,0,1,=,Low +18.1.2.2,"Administrative Templates: Control Panel","Regional and Language Options: Allow users to enable online speech recognition services",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\InputPersonalization,AllowInputPersonalization,,,,1,0,=,Medium +18.1.3,"Administrative Templates: Control Panel","Allow Online Tips",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer,AllowOnlineTips,,,,1,0,=,Medium +18.2.1,"Administrative Templates: LAPS","LAPS AdmPwd GPO Extension / CSE (Member)",Registry,,"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA}",DllName,,,,,"C:\Program Files\LAPS\CSE\AdmPwd.dll",=,Medium +18.2.2,"Administrative Templates: LAPS","Do not allow password expiration time longer than required by policy (Member)",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd",PwdExpirationProtectionEnabled,,,,,1,=,Medium +18.2.3,"Administrative Templates: LAPS","Enable local admin password management (Member)",Registry,,"HKLM:\Software\Policies\Microsoft Services\AdmPwd",AdmPwdEnabled,,,,,1,=,Medium +18.2.4,"Administrative Templates: LAPS","Password Settings: Password Complexity (Member)",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd",PasswordComplexity,,,,,4,=,Medium +18.2.5,"Administrative Templates: LAPS","Password Settings: Password Length (Member)",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd",PasswordLength,,,,,15,>=,Medium +18.2.6,"Administrative Templates: LAPS","Password Settings: Password Age (Days) (Member)",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd",PasswordLength,,,,,30,<=,Medium +18.3.1,"MS Security Guide","Apply UAC restrictions to local accounts on network logons (Member)",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,LocalAccountTokenFilterPolicy,,,,,0,=,Medium +18.3.2,"MS Security Guide","Configure SMB v1 client driver",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\MrxSmb10,Start,,,,,4,=,Medium +18.3.3,"MS Security Guide","Configure SMB v1 server",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters,SMB1,,,,,0,=,Medium +18.3.4,"MS Security Guide","Enable Structured Exception Handling Overwrite Protection (SEHOP)",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel",DisableExceptionChainValidation,,,,,0,=,Medium +18.3.5,"MS Security Guide","Limits print driver installation to Administrators",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint",RestrictDriverInstallationToAdministrators,,,,0,1,=,Medium +18.3.6,"MS Security Guide","NetBT NodeType configuration",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters,NodeType,,,,0,2,=,Medium +18.3.7,"MS Security Guide","WDigest Authentication",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest,UseLogonCredential,,,,0,0,=,High +18.4.1,"MSS (Legacy)","MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)",Registry,,"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",AutoAdminLogon,,,,0,0,=,Medium +18.4.2,"MSS (Legacy)","MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip6\Parameters,DisableIPSourceRouting,,,,,2,=,Medium +18.4.3,"MSS (Legacy)","MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,DisableIPSourceRouting,,,,,2,=,Medium +18.4.4,"MSS (Legacy)","MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,EnableICMPRedirect,,,,,0,=,Medium +18.4.5,"MSS (Legacy)","MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters,KeepAliveTime,,,,,300000,<=,Medium +18.4.6,"MSS (Legacy)","MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers",Registry,,HKLM:\System\CurrentControlSet\Services\Netbt\Parameters,NoNameReleaseOnDemand,,,,0,1,=,Medium +18.4.7,"MSS (Legacy)","MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters,PerformRouterDiscovery,,,,,0,=,Medium +18.4.8,"MSS (Legacy)","MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager",SafeDLLSearchMode,,,,0,1,=,Medium +18.4.9,"MSS (Legacy)","MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)",Registry,,"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",ScreenSaverGracePeriod,,,,5,5,<=,Medium +18.4.10,"MSS (Legacy)","MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip6\Parameters,TcpMaxDataRetransmissions,,,,5,3,<=,Medium +18.4.11,"MSS (Legacy)","MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,TcpMaxDataRetransmissions,,,,5,3,<=,Medium +18.4.12,"MSS (Legacy)","MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\Eventlog\Security,WarningLevel,,,,0,90,<=,Medium +18.5.4.1,"Administrative Templates: Network","DNS Client: Configure DNS over HTTPS (DoH) name resolution",Registry,,"HKLM:\Software\Policies\Microsoft\Windows NT\DNSClient",DoHPolicy,,,,,2,>=,Medium +18.5.4.2,"Administrative Templates: Network","DNS Client: Turn off multicast name resolution (LLMNR)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows NT\DNSClient",EnableMulticast,,,,1,0,=,Medium +18.5.5.1,"Administrative Templates: Network","Fonts: Enable Font Providers",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,EnableFontProviders,,,,1,0,=,Medium +18.5.8.1,"Administrative Templates: Network","Lanman Workstation: Enable insecure guest logons",Registry,,HKLM:\Software\Policies\Microsoft\Windows\LanmanWorkstation,AllowInsecureGuestAuth,,,,1,0,=,Medium +18.5.9.1.1,"Administrative Templates: Network","Link-Layer Topology Discovery: Turn on Mapper I/O (LLTDIO) driver (AllowLLTDIOOndomain)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\LLTD,AllowLLTDIOOndomain,,,,0,0,=,Medium +18.5.9.1.2,"Administrative Templates: Network","Link-Layer Topology Discovery: Turn on Mapper I/O (LLTDIO) driver (AllowLLTDIOOnPublicNet)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\LLTD,AllowLLTDIOOnPublicNet,,,,0,0,=,Medium +18.5.9.1.3,"Administrative Templates: Network","Link-Layer Topology Discovery: Turn on Mapper I/O (LLTDIO) driver (EnableLLTDIO)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\LLTD,EnableLLTDIO,,,,0,0,=,Medium +18.5.9.1.4,"Administrative Templates: Network","Link-Layer Topology Discovery: Turn on Mapper I/O (LLTDIO) driver (ProhibitLLTDIOOnPrivateNet)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\LLTD,ProhibitLLTDIOOnPrivateNet,,,,0,0,=,Medium +18.5.9.2.1,"Administrative Templates: Network","Turn on Responder (RSPNDR) driver (AllowRspndrOnDomain)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\LLTD,AllowRspndrOnDomain,,,,0,0,=,Medium +18.5.9.2.2,"Administrative Templates: Network","Turn on Responder (RSPNDR) driver (AllowRspndrOnPublicNet)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\LLTD,AllowRspndrOnPublicNet,,,,0,0,=,Medium +18.5.9.2.3,"Administrative Templates: Network","Turn on Responder (RSPNDR) driver (EnableRspndr)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\LLTD,EnableRspndr,,,,0,0,=,Medium +18.5.9.2.4,"Administrative Templates: Network","Turn on Responder (RSPNDR) driver (ProhibitRspndrOnPrivateNet)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\LLTD,ProhibitRspndrOnPrivateNet,,,,0,0,=,Medium +18.5.10.2,"Administrative Templates: Network","Turn off Microsoft Peer-to-Peer Networking Services",Registry,,HKLM:\Software\policies\Microsoft\Peernet,Disabled,,,,0,1,=,Medium +18.5.11.2,"Administrative Templates: Network","Network Connections: Prohibit installation and configuration of Network Bridge on your DNS domain network",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\Network Connections",NC_AllowNetBridge_NLA,,,,0,0,=,Medium +18.5.11.3,"Administrative Templates: Network","Network Connections: Prohibit use of Internet Connection Sharing on your DNS domain network",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\Network Connections",NC_ShowSharedAccessUI,,,,1,0,=,Medium +18.5.11.4,"Administrative Templates: Network","Network Connections: Require domain users to elevate when setting a network's location",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\Network Connections",NC_StdDomainUserSetLocation,,,,0,1,=,Medium +18.5.14.1.1,"Administrative Templates: Network","Network Provider: Hardened UNC Paths (NETLOGON)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths,\\*\NETLOGON,,,,,"RequireMutualAuthentication=1, RequireIntegrity=1",=,Medium +18.5.14.1.2,"Administrative Templates: Network","Network Provider: Hardened UNC Paths (SYSVOL)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths,\\*\SYSVOL,,,,,"RequireMutualAuthentication=1, RequireIntegrity=1",=,Medium +18.5.19.2.1,"Administrative Templates: Network","Disable IPv6",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters,DisabledComponents,,,,0,255,=,Medium +18.5.20.1.1,"Administrative Templates: Network","Windows Connect Now: Configuration of wireless settings using Windows Connect Now (EnableRegistrars)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars,EnableRegistrars,,,,1,0,=,Medium +18.5.20.1.2,"Administrative Templates: Network","Windows Connect Now: Configuration of wireless settings using Windows Connect Now (DisableUPnPRegistrar)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars,DisableUPnPRegistrar,,,,1,0,=,Medium +18.5.20.1.3,"Administrative Templates: Network","Windows Connect Now: Configuration of wireless settings using Windows Connect Now (DisableInBand802DOT11Registrar)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars,DisableInBand802DOT11Registrar,,,,1,0,=,Medium +18.5.20.1.4,"Administrative Templates: Network","Windows Connect Now: Configuration of wireless settings using Windows Connect Now (DisableFlashConfigRegistrar)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars,DisableFlashConfigRegistrar,,,,1,0,=,Medium +18.5.20.1.5,"Administrative Templates: Network","Windows Connect Now: Configuration of wireless settings using Windows Connect Now (DisableWPDRegistrar)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars,DisableWPDRegistrar,,,,1,0,=,Medium +18.5.20.2,"Administrative Templates: Network","Windows Connect Now: Prohibit access of the Windows Connect Now wizards",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WCN\UI,DisableWcnUi,,,,0,1,=,Medium +18.5.21.1,"Administrative Templates: Network","Windows Connection Manager: Minimize the number of simultaneous connections to the Internet or a Windows Domain",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy,fMinimizeConnections,,,,1,3,=,Medium +18.5.21.2,"Administrative Templates: Network","Windows Connection Manager: Prohibit connection to non-domain networks when connected to domain authenticated network",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WcmSvc\GroupPolicy,fBlockNonDomain,,,,,1,=,Medium +18.6.1,"Administrative Templates","Printers: Allow Print Spooler to accept client connections",Registry,,"HKLM:\Software\Policies\Microsoft\Windows NT\Printers",RegisterSpoolerRemoteRpcEndPoint,,,,1,2,=,Medium +18.6.2,"Administrative Templates","Printers: Point and Print Restrictions: When installing drivers for a new connection",Registry,,"HKLM:\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint",NoWarningNoElevationOnInstall,,,,0,0,=,Medium +18.6.3,"Administrative Templates","Printers: Point and Print Restrictions: When updating drivers for an existing connection",Registry,,"HKLM:\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint",UpdatePromptSettings,,,,0,0,=,Medium +18.7.1.1,"Administrative Templates: Start Menu and Taskbar","Notifications: Turn off notifications network usage",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications,NoCloudApplicationNotification,,,,0,1,=,Medium +18.8.3.1,"Administrative Templates: System","Audit Process Creation: Include command line in process creation events",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit,ProcessCreationIncludeCmdLine_Enabled,,,,0,1,=,Medium +18.8.4.1,"Administrative Templates: System","Credentials Delegation: Encryption Oracle Remediation",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters,AllowEncryptionOracle,,,,0,0,=,Medium +18.8.4.2,"Administrative Templates: System","Credentials Delegation: Remote host allows delegation of non-exportable credentials",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CredentialsDelegation,AllowProtectedCreds,,,,,1,=,Medium +18.8.5.1,"Administrative Templates: System","Device Guard: Turn On Virtualization Based Security (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,EnableVirtualizationBasedSecurity,,,,,1,=,Medium +18.8.5.2,"Administrative Templates: System","Device Guard: Select Platform Security Level (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,RequirePlatformSecurityFeatures,,,,,3,=,Medium +18.8.5.3,"Administrative Templates: System","Device Guard: Virtualization Based Protection of Code Integrity (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,HypervisorEnforcedCodeIntegrity,,,,,1,=,Medium +18.8.5.4,"Administrative Templates: System","Device Guard: Require UEFI Memory Attributes Table (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,HVCIMATRequired,,,,,1,=,Medium +18.8.5.5,"Administrative Templates: System","Device Guard: Credential Guard Configuration (Member)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,LsaCfgFlags,,,,,1,=,Medium +18.8.5.6,"Administrative Templates: System","Device Guard: Credential Guard Configuration (DC)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,LsaCfgFlags,,,,,0,=,Medium +18.8.5.7,"Administrative Templates: System","Device Guard: Secure Launch Configuration (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,ConfigureSystemGuardLaunch,,,,0,1,=,Medium +18.8.7.2,"Administrative Templates: System","Device Installation: Device Installation Restrictions: Prevent device metadata retrieval from the Internet",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Device Metadata",PreventDeviceMetadataFromNetwork,,,,,1,=,Medium +18.8.14.1,"Administrative Templates: System","Early Launch Antimalware: Boot-Start Driver Initialization Policy",Registry,,HKLM:\System\CurrentControlSet\Policies\EarlyLaunch,DriverLoadPolicy,,,,0,3,=,Medium +18.8.21.2,"Administrative Templates: System","Group Policy: Do not apply during periodic background processing",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}",NoGPOListChanges,,,,0,0,=,Medium +18.8.21.3,"Administrative Templates: System","Group Policy: Process even if the Group Policy objects have not changed",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}",NoBackgroundPolicy,,,,1,0,=,Medium +18.8.21.4,"Administrative Templates: System","Group Policy: Continue experiences on this device",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,EnableCdp,,,,1,0,=,Medium +18.8.21.5,"Administrative Templates: System","Group Policy: Turn off background refresh of Group Policy",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,DisableBkGndGroupPolicy,,,,0,0,=,Medium +18.8.22.1.1,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off downloading of print drivers over HTTP",Registry,,"HKLM:\Software\Policies\Microsoft\Windows NT\Printers",DisableWebPnPDownload,,,,0,1,=,Medium +18.8.22.1.2,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off handwriting personalization data sharing",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\TabletPC,PreventHandwritingDataSharing,,,,0,1,=,Medium +18.8.22.1.3,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off handwriting recognition error reporting",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports,PreventHandwritingErrorReports,,,,0,1,=,Medium +18.8.22.1.4,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard",ExitOnMSICW,,,,0,1,=,Medium +18.8.22.1.5,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off Internet download for Web publishing and online ordering wizards",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoWebServices,,,,0,1,=,Medium +18.8.22.1.6,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off printing over HTTP",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers",DisableHTTPPrinting,,,,0,1,=,Medium +18.8.22.1.7,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off Registration if URL connection is referring to Microsoft.com",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Registration Wizard Control",NoRegistration,,,,0,1,=,Medium +18.8.22.1.8,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off Search Companion content file updates",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\SearchCompanion,DisableContentFileUpdates,,,,0,1,=,Medium +18.8.22.1.9,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off the 'Order Prints' picture task",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoOnlinePrintsWizard,,,,0,1,=,Medium +18.8.22.1.10,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off the 'Publish to Web' task for files and folders",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoPublishingWizard,,,,0,1,=,Medium +18.8.22.1.11,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off the Windows Messenger Customer Experience Improvement Program",Registry,,HKLM:\Software\Policies\Microsoft\Messenger\Client,CEIP,,,,0,2,=,Medium +18.8.22.1.12,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off Windows Customer Experience Improvement Program",Registry,,HKLM:\Software\Policies\Microsoft\SQMClient\Windows,CEIPEnable,,,,1,0,=,Medium +18.8.22.1.13.1,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off Windows Error Reporting 1",Registry,,HKLM:\Software\Policies\Microsoft\PCHealth\ErrorReporting,DoReport,,,,1,0,=,Medium +18.8.22.1.13.2,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off Windows Error Reporting 2",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\Windows Error Reporting",Disabled,,,,0,1,=,Medium +18.8.25.1.1,"Administrative Templates: System","Kerberos: Support device authentication using certificate (DevicePKInitBehavior)",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters,DevicePKInitBehavior,,,,1,0,=,Medium +18.8.25.1.2,"Administrative Templates: System","Kerberos: Support device authentication using certificate (DevicePKInitEnabled)",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters,DevicePKInitEnabled,,,,1,1,=,Medium +18.8.26.1,"Administrative Templates: System","Kernel DMA Protection: Enumeration policy for external devices incompatible with Kernel DMA Protection",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Kernel DMA Protection",DeviceEnumerationPolicy,,,,2,0,=,Medium +18.8.27.1,"Administrative Templates: System","Locale Services: Disallow copying of user input methods to the system account for sign-in",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Control Panel\International",BlockUserInputMethodsForSignIn,,,,0,1,=,Medium +18.8.28.1,"Administrative Templates: System","Logon: Block user from showing account details on sign-in",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,BlockUserFromShowingAccountDetailsOnSignin,,,,0,1,=,Medium +18.8.28.2,"Administrative Templates: System","Logon: Do not display network selection UI",Registry,,HKLM:\Software\Policies\Microsoft\Windows\System,DontDisplayNetworkSelectionUI,,,,0,1,=,Medium +18.8.28.3,"Administrative Templates: System","Logon: Do not enumerate connected users on domain-joined computers",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,DontEnumerateConnectedUsers,,,,0,1,=,Medium +18.8.28.4,"Administrative Templates: System","Logon: Enumerate local users on domain-joined computers (Member)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\System,EnumerateLocalUsers,,,,0,0,=,Medium +18.8.28.5,"Administrative Templates: System","Logon: Turn off app notifications on the lock screen",Registry,,HKLM:\Software\Policies\Microsoft\Windows\System,DisableLockScreenAppNotifications,,,,0,1,=,Medium +18.8.28.6,"Administrative Templates: System","Logon: Turn off picture password sign-in",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,BlockDomainPicturePassword,,,,0,1,=,Medium +18.8.28.7,"Administrative Templates: System","Logon: Turn on convenience PIN sign-in",Registry,,HKLM:\Software\Policies\Microsoft\Windows\System,AllowDomainPINLogon,,,,1,0,=,Medium +18.8.31.1,"Administrative Templates: System","OS Policies: Allow Clipboard synchronization across devices",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,AllowCrossDeviceClipboard,,,,1,0,=,Medium +18.8.31.2,"Administrative Templates: System","OS Policies: Allow upload of User Activities",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,UploadUserActivities,,,,1,0,=,Medium +18.8.34.6.1,"Administrative Templates: System","Sleep Settings: Allow network connectivity during connected-standby (on battery)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9,DCSettingIndex,,,,1,0,=,Medium +18.8.34.6.2,"Administrative Templates: System","Sleep Settings: Allow network connectivity during connected-standby (plugged in)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9,ACSettingIndex,,,,1,0,=,Medium +18.8.34.6.3,"Administrative Templates: System","Sleep Settings: Require a password when a computer wakes (on battery)",Registry,,HKLM:\Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51,DCSettingIndex,,,,0,1,=,Medium +18.8.34.6.4,"Administrative Templates: System","Sleep Settings: Require a password when a computer wakes (plugged in)",Registry,,HKLM:\Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51,ACSettingIndex,,,,0,1,=,Medium +18.8.36.1,"Administrative Templates: System","Remote Assistance: Configure Offer Remote Assistance",Registry,,"HKLM:\Software\policies\Microsoft\Windows NT\Terminal Services",fAllowUnsolicited,,,,1,0,=,Medium +18.8.36.2,"Administrative Templates: System","Remote Assistance: Configure Solicited Remote Assistance",Registry,,"HKLM:\Software\policies\Microsoft\Windows NT\Terminal Services",fAllowToGetHelp,,,,1,0,=,Medium +18.8.37.1,"Administrative Templates: System","Remote Procedure Call: Enable RPC Endpoint Mapper Client Authentication (Member)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows NT\Rpc",EnableAuthEpResolution,,,,0,1,=,Medium +18.8.37.2,"Administrative Templates: System","Remote Procedure Call: Restrict Unauthenticated RPC clients (Member)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows NT\Rpc",RestrictRemoteClients,,,,0,1,=,Medium +18.8.40.1,"Administrative Templates: System","Security Account Manager: Configure validation of ROCA-vulnerable WHfB keys during authentication (DC only)",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System\SAM,SamNGCKeyROCAValidation,,,,,1,>=,Medium +18.8.48.5.1,"Administrative Templates: System","Troubleshooting and Diagnostics: Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy,DisableQueryRemoteServer,,,,1,0,=,Medium +18.8.48.11.1,"Administrative Templates: System","Windows Performance PerfTrack: Enable/Disable PerfTrack",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d},ScenarioExecutionEnabled,,,,1,0,=,Medium +18.8.50.1,"Administrative Templates: System","User Profiles: Turn off the advertising ID",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo,DisabledByGroupPolicy,,,,0,1,=,Medium +18.8.53.1.1,"Administrative Templates: System","Time Providers: Enable Windows NTP Client",Registry,,HKLM:\Software\Policies\Microsoft\W32time\TimeProviders\NtpClient,Enabled,,,,0,1,=,Medium +18.8.53.1.2,"Administrative Templates: System","Time Providers: Enable Windows NTP Server (Member)",Registry,,HKLM:\Software\Policies\Microsoft\W32time\TimeProviders\NtpServer,Enabled,,,,0,0,=,Medium +18.9.4.1,"Administrative Templates: Windows Components","App Package Deployment: Allow a Windows app to share application data between users",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\AppModel\StateManager,AllowSharedLocalAppData,,,,1,0,=,Medium +18.9.6.1,"Administrative Templates: Windows Components","App runtime: Allow Microsoft accounts to be optional",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System,MSAOptional,,,,,1,=,Medium +18.9.8.1,"Administrative Templates: Windows Components","AutoPlay Policies: Disallow Autoplay for non-volume devices",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Explorer,NoAutoplayfornonVolume,,,,0,1,=,Medium +18.9.8.2,"Administrative Templates: Windows Components","AutoPlay Policies: Set the default behavior for AutoRun",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoAutorun,,,,0,1,=,Medium +18.9.8.3,"Administrative Templates: Windows Components","AutoPlay Policies: Turn off Autoplay",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoDriveTypeAutoRun,,,,0,255,=,Medium +18.9.10.1.1,"Administrative Templates: Windows Components","Biometrics: Facial Features: Configure enhanced anti-spoofing",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures,EnhancedAntiSpoofing,,,,,1,=,Medium +18.9.12.1,"Administrative Templates: Windows Components","Camera: Allow Use of Camera",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Camera,AllowCamera,,,,1,0,=,Medium +18.9.14.1,"Administrative Templates: Windows Components","Cloud Content: Turn off cloud consumer account state content",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CloudContent,DisableConsumerAccountStateContent,,,,,1,=,Medium +18.9.14.2,"Administrative Templates: Windows Components","Cloud Content: Turn off Microsoft consumer experiences",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CloudContent,DisableWindowsConsumerFeatures,,,,0,1,=,Medium +18.9.15.1,"Administrative Templates: Windows Components","Connect: Require pin for pairing",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Connect,RequirePinForPairing,,,,0,1,>=,Medium +18.9.16.1,"Administrative Templates: Windows Components","Credential User Interface: Do not display the password reveal button",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CredUI,DisablePasswordReveal,,,,0,1,=,Medium +18.9.16.2,"Administrative Templates: Windows Components","Credential User Interface: Enumerate administrator accounts on elevation",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI,EnumerateAdministrators,,,,1,0,=,Medium +18.9.17.1,"Administrative Templates: Windows Components","Data Collection and Preview Builds: Allow Diagnostic Data",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DataCollection,AllowTelemetry,,,,2,1,<=,Medium +18.9.17.2,"Administrative Templates: Windows Components","Data Collection and Preview Builds: Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DataCollection,DisableEnterpriseAuthProxy,,,,0,1,=,Medium +18.9.17.3,"Administrative Templates: Windows Components","Data Collection and Preview Builds: Disable OneSettings Downloads",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DataCollection,DisableOneSettingsDownloads,,,,,1,=,Medium +18.9.17.4,"Administrative Templates: Windows Components","Data Collection and Preview Builds: Do not show feedback notifications",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DataCollection,DoNotShowFeedbackNotifications,,,,0,1,=,Medium +18.9.17.5,"Administrative Templates: Windows Components","Data Collection and Preview Builds: Enable OneSettings Auditing",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DataCollection,EnableOneSettingsAuditing,,,,,1,=,Medium +18.9.17.6,"Administrative Templates: Windows Components","Data Collection and Preview Builds: Limit Diagnostic Log Collection",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DataCollection,LimitDiagnosticLogCollection,,,,,1,=,Medium +18.9.17.7,"Administrative Templates: Windows Components","Data Collection and Preview Builds: Limit Dump Collection",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DataCollection,LimitDumpCollection,,,,,1,=,Medium +18.9.17.8,"Administrative Templates: Windows Components","Data Collection and Preview Builds: Toggle user control over Insider builds",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds,AllowBuildPreview,,,,1,0,=,Medium +18.9.27.1.1,"Administrative Templates: Windows Components","Event Log Service: Application: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Application,Retention,,,,,0,=,Medium +18.9.27.1.2,"Administrative Templates: Windows Components","Event Log Service: Application: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Application,MaxSize,,,,4096,32768,>=,Medium +18.9.27.2.1,"Administrative Templates: Windows Components","Event Log Service: Security: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Security,Retention,,,,,0,=,Medium +18.9.27.2.2,"Administrative Templates: Windows Components","Event Log Service: Security: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Security,MaxSize,,,,4096,196608,>=,Medium +18.9.27.3.1,"Administrative Templates: Windows Components","Event Log Service: Setup: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Setup,Retention,,,,,0,=,Medium +18.9.27.3.2,"Administrative Templates: Windows Components","Event Log Service: Setup: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Setup,MaxSize,,,,4096,32768,>=,Medium +18.9.27.4.1,"Administrative Templates: Windows Components","Event Log Service: System: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\System,Retention,,,,,0,=,Medium +18.9.27.4.2,"Administrative Templates: Windows Components","Event Log Service: System: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\System,MaxSize,,,,4096,32768,>=,Medium +18.9.31.2,"Administrative Templates: Windows Components","File Explorer: Turn off Data Execution Prevention for Explorer",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer,NoDataExecutionPrevention,,,,,0,=,Medium +18.9.31.3,"Administrative Templates: Windows Components","File Explorer: Turn off heap termination on corruption",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer,NoHeapTerminationOnCorruption,,,,,0,=,Medium +18.9.31.4,"Administrative Templates: Windows Components","File Explorer: Turn off shell protocol protected mode",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer,PreXPSP2ShellProtocolBehavior,,,,,0,=,Medium +18.9.41.1,"Administrative Templates: Windows Components","Location and Sensors: Turn off location",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors,DisableLocation,,,,0,1,=,Medium +18.9.45.1,"Administrative Templates: Windows Components","Messaging: Allow Message Service Cloud Sync",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Messaging,AllowMessageSync,,,,1,0,=,Medium +18.9.46.1,"Administrative Templates: Windows Components","Microsoft account: Block all consumer Microsoft account user authentication",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\MicrosoftAccount,DisableUserAuth,,,,,1,=,Medium +18.9.47.4.1,"Microsoft Defender Antivirus","MAPS: Configure local setting override for reporting to Microsoft MAPS",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet",LocalSettingOverrideSpynetReporting,,,,,0,=,Medium +18.9.47.4.2,"Microsoft Defender Antivirus","MAPS: Join Microsoft MAPS",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet",SpynetReporting,,,,,0,=|0,Medium +18.9.47.5.1.1,"Microsoft Defender Exploit Guard","Attack Surface Reduction rules",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR",ExploitGuard_ASR_Rules,,,,0,1,=,Medium +18.9.47.5.1.2.1.1,"Microsoft Defender Exploit Guard","ASR: Block all Office applications from creating child processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",d4f940ab-401b-4efc-aadc-ad5f3c50688a,,,,0,1,=,Medium +18.9.47.5.1.2.1.2,"Microsoft Defender Exploit Guard","ASR: Block all Office applications from creating child processes",MpPreferenceAsr,d4f940ab-401b-4efc-aadc-ad5f3c50688a,,,,,,0,1,=,Medium +18.9.47.5.1.2.2.1,"Microsoft Defender Exploit Guard","ASR: Block Office applications from creating executable content (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",3b576869-a4ec-4529-8536-b80a7769e899,,,,0,1,=,Medium +18.9.47.5.1.2.2.2,"Microsoft Defender Exploit Guard","ASR: Block Office applications from creating executable content",MpPreferenceAsr,3b576869-a4ec-4529-8536-b80a7769e899,,,,,,0,1,=,Medium +18.9.47.5.1.2.3.1,"Microsoft Defender Exploit Guard","ASR: Block execution of potentially obfuscated scripts (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",5beb7efe-fd9a-4556-801d-275e5ffc04cc,,,,0,1,=,Medium +18.9.47.5.1.2.3.2,"Microsoft Defender Exploit Guard","ASR: Block execution of potentially obfuscated scripts",MpPreferenceAsr,5beb7efe-fd9a-4556-801d-275e5ffc04cc,,,,,,0,1,=,Medium +18.9.47.5.1.2.4.1,"Microsoft Defender Exploit Guard","ASR: Block Office applications from injecting code into other processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84,,,,0,1,=,Medium +18.9.47.5.1.2.4.2,"Microsoft Defender Exploit Guard","ASR: Block Office applications from injecting code into other processes",MpPreferenceAsr,75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84,,,,,,0,1,=,Medium +18.9.47.5.1.2.5.1,"Microsoft Defender Exploit Guard","ASR: Block Adobe Reader from creating child processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c,,,,0,1,=,Medium +18.9.47.5.1.2.5.2,"Microsoft Defender Exploit Guard","ASR: Block Adobe Reader from creating child processes",MpPreferenceAsr,7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c,,,,,,0,1,=,Medium +18.9.47.5.1.2.6.1,"Microsoft Defender Exploit Guard","ASR: Block Win32 API calls from Office macros (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b,,,,0,1,=,Medium +18.9.47.5.1.2.6.2,"Microsoft Defender Exploit Guard","ASR: Block Win32 API calls from Office macros",MpPreferenceAsr,92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b,,,,,,0,1,=,Medium +18.9.47.5.1.2.7.1,"Microsoft Defender Exploit Guard","ASR: Block credential stealing from the Windows local security authority subsystem (lsass.exe) (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2,,,,0,1,=,Medium +18.9.47.5.1.2.7.2,"Microsoft Defender Exploit Guard","ASR: Block credential stealing from the Windows local security authority subsystem (lsass.exe)",MpPreferenceAsr,9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2,,,,,,0,1,=,Medium +18.9.47.5.1.2.8.1,"Microsoft Defender Exploit Guard","ASR: Block untrusted and unsigned processes that run from USB (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4,,,,0,1,=,Medium +18.9.47.5.1.2.8.2,"Microsoft Defender Exploit Guard","ASR: Block untrusted and unsigned processes that run from USB",MpPreferenceAsr,b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4,,,,,,0,1,=,Medium +18.9.47.5.1.2.9.1,"Microsoft Defender Exploit Guard","ASR: Block executable content from email client and webmail (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",be9ba2d9-53ea-4cdc-84e5-9b1eeee46550,,,,0,1,=,Medium +18.9.47.5.1.2.9.2,"Microsoft Defender Exploit Guard","ASR: Block executable content from email client and webmail",MpPreferenceAsr,be9ba2d9-53ea-4cdc-84e5-9b1eeee46550,,,,,,0,1,=,Medium +18.9.47.5.1.2.10.1,"Microsoft Defender Exploit Guard","ASR: Block JavaScript or VBScript from launching downloaded executable content (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",d3e037e1-3eb8-44c8-a917-57927947596d,,,,0,1,=,Medium +18.9.47.5.1.2.10.2,"Microsoft Defender Exploit Guard","ASR: Block JavaScript or VBScript from launching downloaded executable content",MpPreferenceAsr,d3e037e1-3eb8-44c8-a917-57927947596d,,,,,,0,1,=,Medium +18.9.47.5.1.2.11.1,"Microsoft Defender Exploit Guard","ASR: Block Office communication application from creating child processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",26190899-1602-49e8-8b27-eb1d0a1ce869,,,,0,1,=,Medium +18.9.47.5.1.2.11.2,"Microsoft Defender Exploit Guard","ASR: Block Office communication application from creating child processes",MpPreferenceAsr,26190899-1602-49e8-8b27-eb1d0a1ce869,,,,,,0,1,=,Medium +18.9.47.5.1.2.12.1,"Microsoft Defender Exploit Guard","ASR: Block persistence through WMI event subscription (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",e6db77e5-3df2-4cf1-b95a-636979351e5b,,,,0,1,=,Medium +18.9.47.5.1.2.12.2,"Microsoft Defender Exploit Guard","ASR: Block persistence through WMI event subscription",MpPreferenceAsr,e6db77e5-3df2-4cf1-b95a-636979351e5b,,,,,,0,1,=,Medium +18.9.47.5.3.1,"Microsoft Defender Exploit Guard","Network Protection: Prevent users and apps from accessing dangerous websites",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection",EnableNetworkProtection,,,,,1,=,Medium +18.9.47.6.1,"Microsoft Defender Antivirus","MpEngine: Enable file hash computation feature",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine",EnableFileHashComputation,,,,,1,=,Medium +18.9.47.9.1,"Microsoft Defender Antivirus","Real-time Protection: Scan all downloaded files and attachments",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Real-Time Protection",DisableIOAVProtection,,,,0,0,=,Medium +18.9.47.9.2,"Microsoft Defender Antivirus","Real-time Protection: Turn off real-time protection",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Real-Time Protection",DisableRealtimeMonitoring,,,,0,0,=,Medium +18.9.47.9.3,"Microsoft Defender Antivirus","Real-time Protection: Turn on behavior monitoring (Policy)",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection",DisableBehaviorMonitoring,,,,0,0,=,Medium +18.9.47.9.4,"Microsoft Defender Antivirus","Real-time Protection: Turn on script scanning",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Real-Time Protection",DisableScriptScanning,,,,0,0,=,Medium +18.9.47.11.1,"Microsoft Defender Antivirus","Reporting: Configure Watson events",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting",DisableGenericRePorts,,,,,1,=,Medium +18.9.47.12.1,"Microsoft Defender Antivirus","Scan: Scan removable drives",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Scan",DisableRemovableDriveScanning,,,,,0,=,Medium +18.9.47.12.2,"Microsoft Defender Antivirus","Scan: Turn on e-mail scanning",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Scan",DisableEmailScanning,,,,,0,=,Medium +18.9.47.15,"Microsoft Defender Antivirus","Configure detection for potentially unwanted applications",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender",PUAProtection,,,,0,1,=,Medium +18.9.47.16,"Microsoft Defender Antivirus","Turn off Microsoft Defender Antivirus",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender",DisableAntiSpyware,,,,0,0,=,Medium +18.9.58.1,"Administrative Templates: Windows Components","OneDrive: Prevent the usage of OneDrive for file storage",Registry,,HKLM:\Software\Policies\Microsoft\Windows\OneDrive,DisableFileSyncNGSC,,,,0,1,=,Medium +18.9.64.1,"Administrative Templates: Windows Components","Push To Install: Turn off Push To Install service",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\PushToInstall,DisablePushToInstall,,,,,1,=,Medium +18.9.65.2.2,"Administrative Templates: Windows Components","Remote Desktop Connection Client: Do not allow passwords to be saved",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",DisablePasswordSaving,,,,0,1,=,Medium +18.9.65.3.2.1,"Administrative Templates: Windows Components","Remote Desktop Session Host: Connections: Restrict Remote Desktop Services users to a single Remote Desktop Services session",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fSingleSessionPerUser,,,,,1,=,Medium +18.9.65.3.3.1,"Administrative Templates: Windows Components","Remote Desktop Session Host: Device and Resource Redirection: Allow UI Automation redirection",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",EnableUiaRedirection,,,,,0,=,Medium +18.9.65.3.3.2,"Administrative Templates: Windows Components","Remote Desktop Session Host: Device and Resource Redirection: Do not allow COM port redirection",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fDisableCcm,,,,0,1,=,Medium +18.9.65.3.3.3,"Administrative Templates: Windows Components","Remote Desktop Session Host: Device and Resource Redirection: Do not allow drive redirection",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fDisableCdm,,,,0,1,=,Medium +18.9.65.3.3.4,"Administrative Templates: Windows Components","Remote Desktop Session Host: Device and Resource Redirection: Do not allow location redirection",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fDisableLocationRedir,,,,,1,=,Medium +18.9.65.3.3.5,"Administrative Templates: Windows Components","Remote Desktop Session Host: Device and Resource Redirection: Do not allow LPT port redirection",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fDisableLPT,,,,0,1,=,Medium +18.9.65.3.3.6,"Administrative Templates: Windows Components","Remote Desktop Session Host: Device and Resource Redirection: Do not allow supported Plug and Play device redirection",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fDisablePNPRedir,,,,0,1,=,Medium +18.9.65.3.9.1,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Always prompt for password upon connection",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fPromptForPassword,,,,0,1,=,Medium +18.9.65.3.9.2,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Require secure RPC communication",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fEncryptRPCTraffic,,,,0,1,=,Medium +18.9.65.3.9.3,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Require use of specific security layer for remote (RDP) connections",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",SecurityLayer,,,,0,2,=,Medium +18.9.65.3.9.4,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Require user authentication for remote connections by using Network Level Authentication",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",UserAuthentication,,,,,1,=,Medium +18.9.65.3.9.5,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Set client connection encryption level",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",MinEncryptionLevel,,,,0,3,=,Medium +18.9.65.3.10.1,"Administrative Templates: Windows Components","Remote Desktop Session Host: Session Time Limits: Set time limit for active but idle Remote Desktop Services sessions",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",MaxIdleTime,,,,,900000,<=!0,Medium +18.9.65.3.10.2,"Administrative Templates: Windows Components","Remote Desktop Session Host: Session Time Limits: Set time limit for disconnected sessions",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",MaxDisconnectionTime,,,,,60000,=,Medium +18.9.65.3.11.1,"Administrative Templates: Windows Components","Remote Desktop Session Host: Temporary folders: Do not delete temp folders upon exit",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",DeleteTempDirsOnExit,,,,,1,=,Medium +18.9.65.3.11.2,"Administrative Templates: Windows Components","Remote Desktop Session Host: Temporary folders: Do not use temporary folders per session",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",PerSessionTempDir,,,,,1,=,Medium +18.9.66.1,"Administrative Templates: Windows Components","RSS Feeds: Prevent downloading of enclosures",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Feeds",DisableEnclosureDownload,,,,,1,=,Medium +18.9.67.2,"Administrative Templates: Windows Components","Search: Allow Cloud Search",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search",AllowCloudSearch,,,,1,0,=,Medium +18.9.67.3,"Administrative Templates: Windows Components","Search: Allow indexing of encrypted files",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search",AllowIndexingEncryptedStoresOrItems,,,,1,0,=,Medium +18.9.72.1,"Administrative Templates: Windows Components","Software Protection Platform: Turn off KMS Client Online AVS Validation",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform",NoGenTicket,,,,,1,=,Medium +18.9.85.1.1.1,"Administrative Templates: Windows Components","File Explorer: Configure Windows Defender SmartScreen",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,EnableSmartScreen,,,,1,1,=,Medium +18.9.85.1.1.2,"Administrative Templates: Windows Components","File Explorer: Configure Windows Defender SmartScreen to warn and prevent bypass",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,ShellSmartScreenLevel,,,,Warn,Block,=,Medium +18.9.89.1,"Administrative Templates: Windows Components","Windows Ink Workspace: Allow suggested apps in Windows Ink Workspace",Registry,,HKLM:\Software\Policies\Microsoft\WindowsInkWorkspace,AllowSuggestedAppsInWindowsInkWorkspace,,,,1,0,=,Medium +18.9.89.2,"Administrative Templates: Windows Components","Windows Ink Workspace: Allow Windows Ink Workspace",Registry,,HKLM:\Software\Policies\Microsoft\WindowsInkWorkspace,AllowWindowsInkWorkspace,,,,1,1,<=,Medium +18.9.90.1,"Administrative Templates: Windows Components","Windows Installer: Allow user control over installs",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Installer,EnableUserControl,,,,1,0,=,Medium +18.9.90.2,"Administrative Templates: Windows Components","Windows Installer: Always install with elevated privileges",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Installer,AlwaysInstallElevated,,,,1,0,=,Medium +18.9.90.3,"Administrative Templates: Windows Components","Windows Installer: Prevent Internet Explorer security prompt for Windows Installer scripts",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Installer,SafeForScripting,,,,1,0,=,Medium +18.9.91.1,"Administrative Templates: Windows Components","Windows Logon Options: Sign-in and lock last interactive user automatically after a restart",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,DisableAutomaticRestartSignOn,,,,0,1,=,Medium +18.9.100.1,PowerShell,"Turn on PowerShell Script Block Logging",Registry,,HKLM:\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging,EnableScriptBlockLogging,,,,0,1,=,Medium +18.9.100.2,PowerShell,"Turn on PowerShell Transcription",Registry,,HKLM:\Software\Policies\Microsoft\Windows\PowerShell\Transcription,EnableTranscripting,,,,0,0,=,Medium +18.9.102.1.1,"Administrative Templates: Windows Components","WinRM Client: Allow Basic authentication",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Client,AllowBasic,,,,1,0,=,Medium +18.9.102.1.2,"Administrative Templates: Windows Components","WinRM Client: Allow unencrypted traffic",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Client,AllowUnencryptedTraffic,,,,1,0,=,Medium +18.9.102.1.3,"Administrative Templates: Windows Components","WinRM Client: Disallow Digest authentication",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Client,AllowDigest,,,,1,0,=,Medium +18.9.102.2.1,"Administrative Templates: Windows Components","WinRM Service: Allow Basic authentication",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service,AllowBasic,,,,1,0,=,Medium +18.9.102.2.2,"Administrative Templates: Windows Components","WinRM Service: Allow remote server management through WinRM",Registry,,HKLM:Software\Policies\Microsoft\Windows\WinRM\Service,AllowAutoConfig,,,,1,0,=,Medium +18.9.102.2.3,"Administrative Templates: Windows Components","WinRM Service: Allow unencrypted traffic",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service,AllowUnencryptedTraffic,,,,1,0,=,Medium +18.9.102.2.4,"Administrative Templates: Windows Components","WinRM Service: Disallow WinRM from storing RunAs credentials",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service,DisableRunAs,,,,0,1,=,Medium +18.9.103.1,"Administrative Templates: Windows Components","Windows Remote Shell: Allow Remote Shell Access",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service\WinRS,AllowRemoteShellAccess,,,,1,0,=,Medium +18.9.105.2.1,"Administrative Templates: Windows Components","App and browser protection: Prevent users from modifying settings",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection",DisallowExploitProtectionOverride,,,,,1,=,Medium +18.9.108.1.1,"Administrative Templates: Windows Components","Windows Update: Legacy Policies: No auto-restart with logged on users for scheduled automatic updates installations",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,NoAutoRebootWithLoggedOnUsers,,,,,0,>=,Medium +18.9.108.2.1,"Administrative Templates: Windows Components","Windows Update: Manage end user experience: Configure Automatic Updates",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,NoAutoUpdate,,,,,0,>=,Medium +18.9.108.2.2,"Administrative Templates: Windows Components","Windows Update: Manage end user experience: Configure Automatic Updates: Scheduled install day",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,ScheduledInstallDay,,,,,0,>=,Medium +18.9.108.4.1.1,"Administrative Templates: Windows Components","Windows Update: Manage updates offered from Windows Update: Manage preview builds (ManagePreviewBuilds)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,ManagePreviewBuilds,,,,,1,=,Medium +18.9.108.4.1.2,"Administrative Templates: Windows Components","Windows Update: Manage updates offered from Windows Update: Manage preview builds (ManagePreviewBuildsPolicyValue)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,ManagePreviewBuildsPolicyValue,,,,,0,=,Medium +18.9.108.4.2.1,"Administrative Templates: Windows Components","Windows Update: Manage updates offered from Windows Update: Select when Preview Builds and Feature Updates are received (DeferFeatureUpdates)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,DeferFeatureUpdates,,,,,1,=,Medium +18.9.108.4.2.2,"Administrative Templates: Windows Components","Windows Update: Manage updates offered from Windows Update: Select when Preview Builds and Feature Updates are received (BranchReadinessLevel)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,BranchReadinessLevel,,,,,2,=,Low +18.9.108.4.2.3,"Administrative Templates: Windows Components","Windows Update: Manage updates offered from Windows Update: Select when Preview Builds and Feature Updates are received (DeferFeatureUpdatesPeriodInDays)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,DeferFeatureUpdatesPeriodInDays,,,,,180,>=,Medium +18.9.108.4.3.1,"Administrative Templates: Windows Components","Windows Update: Manage updates offered from Windows Update: Select when Quality Updates are received (DeferQualityUpdates)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,DeferQualityUpdates,,,,,1,=,Medium +18.9.108.4.3.2,"Administrative Templates: Windows Components","Windows Update: Manage updates offered from Windows Update: Select when Quality Updates are received (DeferQualityUpdatesPeriodInDays)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,DeferQualityUpdatesPeriodInDays,,,,,0,>=,Medium diff --git a/lists/finding_list_cis_microsoft_windows_server_2022_21h2_1.0.0_user.csv b/lists/finding_list_cis_microsoft_windows_server_2022_21h2_1.0.0_user.csv new file mode 100644 index 0000000..24a3d62 --- /dev/null +++ b/lists/finding_list_cis_microsoft_windows_server_2022_21h2_1.0.0_user.csv @@ -0,0 +1,16 @@ +ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Namespace,Property,DefaultValue,RecommendedValue,Operator,Severity +19.1.3.1,"Administrative Templates: Control Panel","Enable screen saver",Registry,,"HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop",ScreenSaveActive,,,,,1,=,Medium +19.1.3.2,"Administrative Templates: Control Panel","Password protect the screen saver",Registry,,"HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop",ScreenSaverIsSecure,,,,,1,=,Medium +19.1.3.3,"Administrative Templates: Control Panel","Screen saver timeout",Registry,,"HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop",ScreenSaveTimeOut,,,,,900,<=!0,Medium +19.5.1.1,"Administrative Templates: Start Menu and Taskbar","Notifications: Turn off toast notifications on the lock screen",Registry,,HKCU:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications,NoToastApplicationNotificationOnLockScreen,,,,0,1,=,Medium +19.6.6.1.1,"Administrative Templates: System","Internet Communication Management: Internet Communication Settings: Turn off Help Experience Improvement Program",Registry,,HKCU:\Software\Policies\Microsoft\Assistance\Client\1.0,NoImplicitFeedback,,,,0,1,=,Medium +19.7.4.1,"Administrative Templates: Windows Components","Attachment Manager: Do not preserve zone information in file attachments",Registry,,HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments,SaveZoneInformation,,,,,2,=,Medium +19.7.4.2,"Administrative Templates: Windows Components","Attachment Manager: Notify antivirus programs when opening attachments",Registry,,HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments,ScanWithAntiVirus,,,,,3,=,Medium +19.7.8.1,"Administrative Templates: Windows Components","Cloud Content: Configure Windows spotlight on lock screen",Registry,,HKCU:\Software\Policies\Microsoft\Windows\CloudContent,ConfigureWindowsSpotlight,,,,,2,=,Medium +19.7.8.2,"Administrative Templates: Windows Components","Cloud Content: Do not suggest third-party content in Windows spotlight",Registry,,HKCU:\Software\Policies\Microsoft\Windows\CloudContent,DisableThirdPartySuggestions,,,,0,1,=,Medium +19.7.8.3,"Administrative Templates: Windows Components","Cloud Content: Do not use diagnostic data for tailored experiences",Registry,,HKCU:\Software\Policies\Microsoft\Windows\CloudContent,DisableTailoredExperiencesWithDiagnosticData,,,,0,1,=,Medium +19.7.8.4,"Administrative Templates: Windows Components","Cloud Content: Turn off all Windows spotlight features",Registry,,HKCU:\Software\Policies\Microsoft\Windows\CloudContent,DisableWindowsSpotlightFeatures,,,,0,1,=,Medium +19.7.8.5,"Administrative Templates: Windows Components","Cloud Content: Turn off Spotlight collection on Desktop",Registry,,HKCU:\Software\Policies\Microsoft\Windows\CloudContent,DisableSpotlightCollectionOnDesktop,,,,,1,=,Medium +19.7.28.1,"Administrative Templates: Windows Components","Network Sharing: Prevent users from sharing files within their profile",Registry,,HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoInplaceSharing,,,,0,1,=,Medium +19.7.43.1,"Administrative Templates: Windows Components","Windows Installer: Always install with elevated privileges",Registry,,HKCU:\Software\Policies\Microsoft\Windows\Installer,AlwaysInstallElevated,,,,1,0,=,Medium +19.7.47.2.1,"Administrative Templates: Windows Components","Windows Media Player: Playback: Prevent Codec Download",Registry,,HKCU:\Software\Policies\Microsoft\WindowsMediaPlayer,PreventCodecDownload,,,,,1,=,Medium diff --git a/lists/finding_list_dod_microsoft_windows_10_stig_v2r1_machine.csv b/lists/finding_list_dod_microsoft_windows_10_stig_v2r1_machine.csv index a1792f8..7dfbbba 100644 --- a/lists/finding_list_dod_microsoft_windows_10_stig_v2r1_machine.csv +++ b/lists/finding_list_dod_microsoft_windows_10_stig_v2r1_machine.csv @@ -108,7 +108,7 @@ V-63507,"Advanced Audit Policy Configuration","Security State Change",auditpol,{ V-63513,"Advanced Audit Policy Configuration","Security System Extension",auditpol,{0CCE9211-69AE-11D9-BED3-505054503030},,,,,,"No Auditing",Success,contains,Medium "V-63515 / V-63517","Advanced Audit Policy Configuration","System Integrity",auditpol,{0CCE9212-69AE-11D9-BED3-505054503030},,,,,,"Success and Failure","Success and Failure",=,Medium V-63545,"Administrative Templates: Control Panel","Personalization: Prevent enabling lock screen camera",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Personalization,NoLockScreenCamera,,,,0,1,=,Medium -V-63549,"Administrative Templates: Control Panel","Personalization: Prevent enabling lock screen slide",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Personalization,NoLockScreenSlideshow,,,,0,1,=,Low +V-63549,"Administrative Templates: Control Panel","Personalization: Prevent enabling lock screen slide show",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Personalization,NoLockScreenSlideshow,,,,0,1,=,Low V-63597,"MS Security Guide","Apply UAC restrictions to local accounts on network logons",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,LocalAccountTokenFilterPolicy,,,,,0,=,Medium V-74725,"MS Security Guide","Configure SMB v1 client driver",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\MrxSmb10,Start,,,,,4,=,Medium V-74723,"MS Security Guide","Configure SMB v1 server",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters,SMB1,,,,,0,=,Medium @@ -166,11 +166,11 @@ V-94859,"Administrative Templates: Windows Components","BitLocker Drive Encrypti V-94859,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Operating System Drives: Require additional authentication at startup: Configure TPM startup key and PIN",Registry,,HKLM:\Software\Policies\Microsoft\FVE,UseTPMKeyPIN,,,,0,1,=,Medium V-71771,"Administrative Templates: Windows Components","Cloud Content: Turn off Microsoft consumer experiences",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CloudContent,DisableWindowsConsumerFeatures,,,,0,1,=,Low V-63679,"Administrative Templates: Windows Components","Credential User Interface: Enumerate administrator accounts on elevation",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI,EnumerateAdministrators,,,,1,0,=,Medium -V-63683,"Administrative Templates: Windows Components","Data Collection and Preview Builds: Allow Telemetry",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DataCollection,AllowTelemetry,,,,2,2,=,Medium +V-63683,"Administrative Templates: Windows Components","Data Collection and Preview Builds: Allow Diagnostic Data",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DataCollection,AllowTelemetry,,,,2,2,=,Medium V-65681,"Administrative Templates: Windows Components","Delivery Optimization: Download Mode",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization,DODownloadMode,,,,1,2,=,Medium -V-63519,"Administrative Templates: Windows Components","Event Log Service: Specify the maximum Application log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Application,MaxSize,,,,4096,32768,>=,Medium -V-63523,"Administrative Templates: Windows Components","Event Log Service: Specify the maximum Security log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Security,MaxSize,,,,4096,1024000,>=,Medium -V-63527,"Administrative Templates: Windows Components","Event Log Service: Specify the maximum System log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\System,MaxSize,,,,4096,32768,>=,Medium +V-63519,"Administrative Templates: Windows Components","Event Log Service: Application: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Application,MaxSize,,,,4096,32768,>=,Medium +V-63523,"Administrative Templates: Windows Components","Event Log Service: Security: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Security,MaxSize,,,,4096,1024000,>=,Medium +V-63527,"Administrative Templates: Windows Components","Event Log Service: System: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\System,MaxSize,,,,4096,32768,>=,Medium V-63709,"Microsoft Edge","Configure Password Manager",Registry,,HKLM:\Software\Policies\Microsoft\MicrosoftEdge\Main,"FormSuggest Passwords",,,,,no,=,Medium V-63701,"Microsoft Edge","Prevent bypassing Microsoft Defender SmartScreen prompts for files",Registry,,HKLM:\Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter,PreventOverrideAppRepUnknown,,,,,1,=,Medium V-82139,"Microsoft Edge","Prevent certificate error overrides",Registry,,"HKLM:\Software\Policies\Microsoft\MicrosoftEdge\Internet Settings",PreventCertErrorOverrides,,,,,1,=,Medium diff --git a/lists/finding_list_dod_microsoft_windows_server_2019_dc_stig_v2r1_machine.csv b/lists/finding_list_dod_microsoft_windows_server_2019_dc_stig_v2r1_machine.csv index eead4b9..9d19829 100644 --- a/lists/finding_list_dod_microsoft_windows_server_2019_dc_stig_v2r1_machine.csv +++ b/lists/finding_list_dod_microsoft_windows_server_2019_dc_stig_v2r1_machine.csv @@ -112,7 +112,7 @@ V-93099,"Advanced Audit Policy Configuration","Authorization Policy Change",audi V-93113,"Advanced Audit Policy Configuration","Security State Change",auditpol,{0CCE9210-69AE-11D9-BED3-505054503030},,,,,,Success,Success,contains,Medium V-93115,"Advanced Audit Policy Configuration","Security System Extension",auditpol,{0CCE9211-69AE-11D9-BED3-505054503030},,,,,,"No Auditing",Success,contains,Medium "V-93117 / V-93119","Advanced Audit Policy Configuration","System Integrity",auditpol,{0CCE9212-69AE-11D9-BED3-505054503030},,,,,,"Success and Failure","Success and Failure",=,Medium -V-93399,"Administrative Templates: Control Panel","Personalization: Prevent enabling lock screen slide",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Personalization,NoLockScreenSlideshow,,,,0,1,=,Low +V-93399,"Administrative Templates: Control Panel","Personalization: Prevent enabling lock screen slide show",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Personalization,NoLockScreenSlideshow,,,,0,1,=,Low V-93395,"MS Security Guide","Configure SMB v1 client driver",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\MrxSmb10,Start,,,,,4,=,Medium V-93393,"MS Security Guide","Configure SMB v1 server",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters,SMB1,,,,,0,=,Medium V-93401,"MS Security Guide","WDigest Authentication",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest,UseLogonCredential,,,,0,0,=,Medium @@ -142,11 +142,11 @@ V-93373,"Administrative Templates: Windows Components","AutoPlay Policies: Disal V-93375,"Administrative Templates: Windows Components","AutoPlay Policies: Set the default behavior for AutoRun",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoAutorun,,,,0,1,=,High V-93377,"Administrative Templates: Windows Components","AutoPlay Policies: Turn off Autoplay",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoDriveTypeAutoRun,,,,0,255,=,High V-93517,"Administrative Templates: Windows Components","Credential User Interface: Enumerate administrator accounts on elevation",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI,EnumerateAdministrators,,,,1,0,=,Medium -V-93257,"Administrative Templates: Windows Components","Data Collection and Preview Builds: Allow Telemetry",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DataCollection,AllowTelemetry,,,,2,1,=,Medium +V-93257,"Administrative Templates: Windows Components","Data Collection and Preview Builds: Allow Diagnostic Data",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DataCollection,AllowTelemetry,,,,2,1,=,Medium V-93259,"Administrative Templates: Windows Components","Delivery Optimization: Download Mode",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization,DODownloadMode,,,,1,2,=,Medium -V-93177,"Administrative Templates: Windows Components","Event Log Service: Specify the maximum Application log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Application,MaxSize,,,,4096,32768,>=,Medium -V-93179,"Administrative Templates: Windows Components","Event Log Service: Specify the maximum Security log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Security,MaxSize,,,,4096,196608,>=,Medium -V-93181,"Administrative Templates: Windows Components","Event Log Service: Specify the maximum System log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\System,MaxSize,,,,4096,32768,>=,Medium +V-93177,"Administrative Templates: Windows Components","Event Log Service: Application: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Application,MaxSize,,,,4096,32768,>=,Medium +V-93179,"Administrative Templates: Windows Components","Event Log Service: Security: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Security,MaxSize,,,,4096,196608,>=,Medium +V-93181,"Administrative Templates: Windows Components","Event Log Service: System: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\System,MaxSize,,,,4096,32768,>=,Medium V-93425,"Administrative Templates: Windows Components","Remote Desktop Connection Client: Do not allow passwords to be saved",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",DisablePasswordSaving,,,,0,1,=,Medium V-93533,"Administrative Templates: Windows Components","Remote Desktop Session Host: Device and Resource Redirection: Do not allow drive redirection",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fDisableCdm,,,,0,1,=,Medium V-93427,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Always prompt for password upon connection",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fPromptForPassword,,,,0,1,=,Medium diff --git a/lists/finding_list_dod_microsoft_windows_server_2019_member_stig_v2r1_machine.csv b/lists/finding_list_dod_microsoft_windows_server_2019_member_stig_v2r1_machine.csv index 2bf62a4..2cfb928 100644 --- a/lists/finding_list_dod_microsoft_windows_server_2019_member_stig_v2r1_machine.csv +++ b/lists/finding_list_dod_microsoft_windows_server_2019_member_stig_v2r1_machine.csv @@ -105,7 +105,7 @@ V-93099,"Advanced Audit Policy Configuration","Authorization Policy Change",audi V-93113,"Advanced Audit Policy Configuration","Security State Change",auditpol,{0CCE9210-69AE-11D9-BED3-505054503030},,,,,,Success,Success,contains,Medium V-93115,"Advanced Audit Policy Configuration","Security System Extension",auditpol,{0CCE9211-69AE-11D9-BED3-505054503030},,,,,,"No Auditing",Success,contains,Medium "V-93117 / V-93119","Advanced Audit Policy Configuration","System Integrity",auditpol,{0CCE9212-69AE-11D9-BED3-505054503030},,,,,,"Success and Failure","Success and Failure",=,Medium -V-93399,"Administrative Templates: Control Panel","Personalization: Prevent enabling lock screen slide",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Personalization,NoLockScreenSlideshow,,,,0,1,=,Low +V-93399,"Administrative Templates: Control Panel","Personalization: Prevent enabling lock screen slide show",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Personalization,NoLockScreenSlideshow,,,,0,1,=,Low V-93519,"MS Security Guide","Apply UAC restrictions to local accounts on network logons (Member)",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,LocalAccountTokenFilterPolicy,,,,,0,=,Medium V-93395,"MS Security Guide","Configure SMB v1 client driver",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\MrxSmb10,Start,,,,,4,=,Medium V-93393,"MS Security Guide","Configure SMB v1 server",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters,SMB1,,,,,0,=,Medium @@ -138,11 +138,11 @@ V-93373,"Administrative Templates: Windows Components","AutoPlay Policies: Disal V-93375,"Administrative Templates: Windows Components","AutoPlay Policies: Set the default behavior for AutoRun",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoAutorun,,,,0,1,=,High V-93377,"Administrative Templates: Windows Components","AutoPlay Policies: Turn off Autoplay",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoDriveTypeAutoRun,,,,0,255,=,High V-93517,"Administrative Templates: Windows Components","Credential User Interface: Enumerate administrator accounts on elevation",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI,EnumerateAdministrators,,,,1,0,=,Medium -V-93257,"Administrative Templates: Windows Components","Data Collection and Preview Builds: Allow Telemetry",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DataCollection,AllowTelemetry,,,,2,1,=,Medium +V-93257,"Administrative Templates: Windows Components","Data Collection and Preview Builds: Allow Diagnostic Data",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DataCollection,AllowTelemetry,,,,2,1,=,Medium V-93259,"Administrative Templates: Windows Components","Delivery Optimization: Download Mode",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization,DODownloadMode,,,,1,2,=,Medium -V-93177,"Administrative Templates: Windows Components","Event Log Service: Specify the maximum Application log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Application,MaxSize,,,,4096,32768,>=,Medium -V-93179,"Administrative Templates: Windows Components","Event Log Service: Specify the maximum Security log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Security,MaxSize,,,,4096,196608,>=,Medium -V-93181,"Administrative Templates: Windows Components","Event Log Service: Specify the maximum System log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\System,MaxSize,,,,4096,32768,>=,Medium +V-93177,"Administrative Templates: Windows Components","Event Log Service: Application: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Application,MaxSize,,,,4096,32768,>=,Medium +V-93179,"Administrative Templates: Windows Components","Event Log Service: Security: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Security,MaxSize,,,,4096,196608,>=,Medium +V-93181,"Administrative Templates: Windows Components","Event Log Service: System: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\System,MaxSize,,,,4096,32768,>=,Medium V-93425,"Administrative Templates: Windows Components","Remote Desktop Connection Client: Do not allow passwords to be saved",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",DisablePasswordSaving,,,,0,1,=,Medium V-93533,"Administrative Templates: Windows Components","Remote Desktop Session Host: Device and Resource Redirection: Do not allow drive redirection",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fDisableCdm,,,,0,1,=,Medium V-93427,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Always prompt for password upon connection",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fPromptForPassword,,,,0,1,=,Medium diff --git a/lists/finding_list_dod_windows_defender_antivirus_stig_v2r1.csv b/lists/finding_list_dod_windows_defender_antivirus_stig_v2r1.csv index 8e75327..a236140 100644 --- a/lists/finding_list_dod_windows_defender_antivirus_stig_v2r1.csv +++ b/lists/finding_list_dod_windows_defender_antivirus_stig_v2r1.csv @@ -15,16 +15,16 @@ V-75247,"Microsoft Defender Antivirus","Threats: Specify threat alert levels at V-75247,"Microsoft Defender Antivirus","Threats: Specify threat alert levels at which default action should not be taken when detected: Medium (2)",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction",2,,,,,2,=,Medium V-75247,"Microsoft Defender Antivirus","Threats: Specify threat alert levels at which default action should not be taken when detected: High (4)",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction",4,,,,,2,=,Medium V-75247,"Microsoft Defender Antivirus","Threats: Specify threat alert levels at which default action should not be taken when detected: Severe (5)",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction",5,,,,,2,=,Medium -V-77967,"Microsoft Defender Exploit Guard","ASR: Block Office applications from creating child processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",d4f940ab-401b-4efc-aadc-ad5f3c50688a,,,,0,1,=,Medium -V-77967,"Microsoft Defender Exploit Guard","ASR: Block Office applications from creating child processes",MpPreferenceAsr,d4f940ab-401b-4efc-aadc-ad5f3c50688a,,,,,,0,1,=,Medium +V-77967,"Microsoft Defender Exploit Guard","ASR: Block all Office applications from creating child processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",d4f940ab-401b-4efc-aadc-ad5f3c50688a,,,,0,1,=,Medium +V-77967,"Microsoft Defender Exploit Guard","ASR: Block all Office applications from creating child processes",MpPreferenceAsr,d4f940ab-401b-4efc-aadc-ad5f3c50688a,,,,,,0,1,=,Medium V-77969,"Microsoft Defender Exploit Guard","ASR: Block Office applications from creating executable content (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",3b576869-a4ec-4529-8536-b80a7769e899,,,,0,1,=,Medium V-77969,"Microsoft Defender Exploit Guard","ASR: Block Office applications from creating executable content",MpPreferenceAsr,3b576869-a4ec-4529-8536-b80a7769e899,,,,,,0,1,=,Medium V-77975,"Microsoft Defender Exploit Guard","ASR: Block execution of potentially obfuscated scripts (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",5beb7efe-fd9a-4556-801d-275e5ffc04cc,,,,0,1,=,Medium V-77975,"Microsoft Defender Exploit Guard","ASR: Block execution of potentially obfuscated scripts",MpPreferenceAsr,5beb7efe-fd9a-4556-801d-275e5ffc04cc,,,,,,0,1,=,Medium -V-77971,"Microsoft Defender Exploit Guard","ASR: Block Office applications from injecting into other processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84,,,,0,1,=,Medium -V-77971,"Microsoft Defender Exploit Guard","ASR: Block Office applications from injecting into other processes",MpPreferenceAsr,75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84,,,,,,0,1,=,Medium -V-77977,"Microsoft Defender Exploit Guard","ASR: Block Win32 imports from Macro code in Office (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b,,,,0,1,=,Medium -V-77977,"Microsoft Defender Exploit Guard","ASR: Block Win32 imports from Macro code in Office",MpPreferenceAsr,92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b,,,,,,0,1,=,Medium +V-77971,"Microsoft Defender Exploit Guard","ASR: Block Office applications from injecting code into other processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84,,,,0,1,=,Medium +V-77971,"Microsoft Defender Exploit Guard","ASR: Block Office applications from injecting code into other processes",MpPreferenceAsr,75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84,,,,,,0,1,=,Medium +V-77977,"Microsoft Defender Exploit Guard","ASR: Block Win32 API calls from Office macros (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b,,,,0,1,=,Medium +V-77977,"Microsoft Defender Exploit Guard","ASR: Block Win32 API calls from Office macros",MpPreferenceAsr,92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b,,,,,,0,1,=,Medium V-77965,"Microsoft Defender Exploit Guard","ASR: Block executable content from email client and webmail (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",be9ba2d9-53ea-4cdc-84e5-9b1eeee46550,,,,0,1,=,Medium V-77965,"Microsoft Defender Exploit Guard","ASR: Block executable content from email client and webmail",MpPreferenceAsr,be9ba2d9-53ea-4cdc-84e5-9b1eeee46550,,,,,,0,1,=,Medium V-77973,"Microsoft Defender Exploit Guard","ASR: Block JavaScript or VBScript from launching downloaded executable content (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",d3e037e1-3eb8-44c8-a917-57927947596d,,,,0,1,=,Medium diff --git a/lists/finding_list_msft_security_baseline_edge_97_machine.csv b/lists/finding_list_msft_security_baseline_edge_97_machine.csv new file mode 100644 index 0000000..59555c3 --- /dev/null +++ b/lists/finding_list_msft_security_baseline_edge_97_machine.csv @@ -0,0 +1,22 @@ +ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Namespace,Property,DefaultValue,RecommendedValue,Operator,Severity +1015,"Microsoft Edge","Allow unconfigured sites to be reloaded in Internet Explorer mode",Registry,,HKLM:\Software\Policies\Microsoft\Edge,InternetExplorerIntegrationReloadInIEModeAllowed,,,,,0,=,Low +1000,"Microsoft Edge","Allow users to proceed from the HTTPS warning page",Registry,,HKLM:\Software\Policies\Microsoft\Edge,SSLErrorOverrideAllowed,,,,1,0,=,Low +1018,"Microsoft Edge","Enable 3DES cipher suites in TLS",Registry,,HKLM:\Software\Policies\Microsoft\Edge,TripleDESEnabled,,,,,0,=,Low +1019,"Microsoft Edge","Enable browser legacy extension point blocking",Registry,,HKLM:\Software\Policies\Microsoft\Edge,BrowserLegacyExtensionPointsBlockingEnabled,,,,,1,=,Low +1001,"Microsoft Edge","Enable site isolation for every site",Registry,,HKLM:\Software\Policies\Microsoft\Edge,SitePerProcess,,,,0,1,=,Low +1023,"Microsoft Edge","Enhance images enabled",Registry,,HKLM:\Software\Policies\Microsoft\Edge,EdgeEnhanceImagesEnabled,,,,,0,=,Low +1002,"Microsoft Edge","Minimum TLS version enabled",Registry,,HKLM:\Software\Policies\Microsoft\Edge,SSLVersionMin,,,,0,tls1.2,=,Medium +1021,"Microsoft Edge","Show the Reload in Internet Explorer mode button in the toolbar",Registry,,HKLM:\Software\Policies\Microsoft\Edge,InternetExplorerModeToolbarButtonEnabled,,,,,0,=,Low +1017,"Microsoft Edge","Specifies whether SharedArrayBuffers can be used in a non cross-origin-isolated context",Registry,,HKLM:\Software\Policies\Microsoft\Edge,SharedArrayBufferUnrestrictedAccessAllowed,,,,,0,=,Low +1020,"Microsoft Edge","Specifies whether the display-capture permissions-policy is checked or skipped",Registry,,HKLM:\Software\Policies\Microsoft\Edge,DisplayCapturePermissionsPolicyEnabled,,,,,1,=,Low +1004,"Microsoft Edge","Control which extensions cannot be installed",Registry,,HKLM:\Software\Policies\Microsoft\Edge\ExtensionInstallBlocklist,1,,,,0,*,=,Low +1012,"Microsoft Edge","Allow Basic authentication for HTTP",Registry,,HKLM:\Software\Policies\Microsoft\Edge,BasicAuthOverHttpEnabled,,,,,0,=,Low +1005,"Microsoft Edge","Supported authentication schemes",Registry,,HKLM:\Software\Policies\Microsoft\Edge,AuthSchemes,,,,0,"ntlm,negotiate",=,Low +1006,"Microsoft Edge","Allow user-level native messaging hosts (installed without admin permissions)",Registry,,HKLM:\Software\Policies\Microsoft\Edge,NativeMessagingUserLevelHosts,,,,1,0,=,Low +1007,"Microsoft Edge","Enable saving passwords to the password manager",Registry,,HKLM:\Software\Policies\Microsoft\Edge,PasswordManagerEnabled,,,,1,0,=,Low +1016,"Microsoft Edge","Specifies whether to allow insecure websites to make requests to more-private network endpoints",Registry,,HKLM:\Software\Policies\Microsoft\Edge,InsecurePrivateNetworkRequestsAllowed,,,,,0,=,Low +1008,"Microsoft Edge","Configure Microsoft Defender SmartScreen",Registry,,HKLM:\Software\Policies\Microsoft\Edge,SmartScreenEnabled,,,,0,1,=,Low +1009,"Microsoft Edge","Configure Microsoft Defender SmartScreen to block potentially unwanted apps",Registry,,HKLM:\Software\Policies\Microsoft\Edge,SmartScreenPuaEnabled,,,,0,1,=,Low +1010,"Microsoft Edge","Prevent bypassing Microsoft Defender SmartScreen prompts for sites",Registry,,HKLM:\Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter,PreventOverride,,,,,1,=,Low +1011,"Microsoft Edge","Prevent bypassing of Microsoft Defender SmartScreen warnings about downloads",Registry,,HKLM:\Software\Policies\Microsoft\Edge,PreventSmartScreenPromptOverrideForFiles,,,,0,1,=,Low +1022,"Microsoft Edge","Configure Edge TyposquattingChecker",Registry,,HKLM:\Software\Policies\Microsoft\Edge,TyposquattingCheckerEnabled,,,,,1,=,Low diff --git a/lists/finding_list_msft_security_baseline_edge_98_machine.csv b/lists/finding_list_msft_security_baseline_edge_98_machine.csv new file mode 100644 index 0000000..5d1abfc --- /dev/null +++ b/lists/finding_list_msft_security_baseline_edge_98_machine.csv @@ -0,0 +1,23 @@ +ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Namespace,Property,DefaultValue,RecommendedValue,Operator,Severity +1015,"Microsoft Edge","Allow unconfigured sites to be reloaded in Internet Explorer mode",Registry,,HKLM:\Software\Policies\Microsoft\Edge,InternetExplorerIntegrationReloadInIEModeAllowed,,,,,0,=,Low +1000,"Microsoft Edge","Allow users to proceed from the HTTPS warning page",Registry,,HKLM:\Software\Policies\Microsoft\Edge,SSLErrorOverrideAllowed,,,,1,0,=,Low +1024,"Microsoft Edge","Allow using the deprecated U2F Security Key API (deprecated)",Registry,,HKLM:\Software\Policies\Microsoft\Edge,U2fSecurityKeyApiEnabled,,,,,0,=,Low +1018,"Microsoft Edge","Enable 3DES cipher suites in TLS",Registry,,HKLM:\Software\Policies\Microsoft\Edge,TripleDESEnabled,,,,,0,=,Low +1019,"Microsoft Edge","Enable browser legacy extension point blocking",Registry,,HKLM:\Software\Policies\Microsoft\Edge,BrowserLegacyExtensionPointsBlockingEnabled,,,,,1,=,Low +1001,"Microsoft Edge","Enable site isolation for every site",Registry,,HKLM:\Software\Policies\Microsoft\Edge,SitePerProcess,,,,0,1,=,Low +1023,"Microsoft Edge","Enhance images enabled",Registry,,HKLM:\Software\Policies\Microsoft\Edge,EdgeEnhanceImagesEnabled,,,,,0,=,Low +1002,"Microsoft Edge","Minimum TLS version enabled",Registry,,HKLM:\Software\Policies\Microsoft\Edge,SSLVersionMin,,,,0,tls1.2,=,Medium +1021,"Microsoft Edge","Show the Reload in Internet Explorer mode button in the toolbar",Registry,,HKLM:\Software\Policies\Microsoft\Edge,InternetExplorerModeToolbarButtonEnabled,,,,,0,=,Low +1017,"Microsoft Edge","Specifies whether SharedArrayBuffers can be used in a non cross-origin-isolated context",Registry,,HKLM:\Software\Policies\Microsoft\Edge,SharedArrayBufferUnrestrictedAccessAllowed,,,,,0,=,Low +1020,"Microsoft Edge","Specifies whether the display-capture permissions-policy is checked or skipped",Registry,,HKLM:\Software\Policies\Microsoft\Edge,DisplayCapturePermissionsPolicyEnabled,,,,,1,=,Low +1004,"Microsoft Edge","Control which extensions cannot be installed",Registry,,HKLM:\Software\Policies\Microsoft\Edge\ExtensionInstallBlocklist,1,,,,0,*,=,Low +1012,"Microsoft Edge","Allow Basic authentication for HTTP",Registry,,HKLM:\Software\Policies\Microsoft\Edge,BasicAuthOverHttpEnabled,,,,,0,=,Low +1005,"Microsoft Edge","Supported authentication schemes",Registry,,HKLM:\Software\Policies\Microsoft\Edge,AuthSchemes,,,,0,"ntlm,negotiate",=,Low +1006,"Microsoft Edge","Allow user-level native messaging hosts (installed without admin permissions)",Registry,,HKLM:\Software\Policies\Microsoft\Edge,NativeMessagingUserLevelHosts,,,,1,0,=,Low +1007,"Microsoft Edge","Enable saving passwords to the password manager",Registry,,HKLM:\Software\Policies\Microsoft\Edge,PasswordManagerEnabled,,,,1,0,=,Low +1016,"Microsoft Edge","Specifies whether to allow insecure websites to make requests to more-private network endpoints",Registry,,HKLM:\Software\Policies\Microsoft\Edge,InsecurePrivateNetworkRequestsAllowed,,,,,0,=,Low +1008,"Microsoft Edge","Configure Microsoft Defender SmartScreen",Registry,,HKLM:\Software\Policies\Microsoft\Edge,SmartScreenEnabled,,,,0,1,=,Low +1009,"Microsoft Edge","Configure Microsoft Defender SmartScreen to block potentially unwanted apps",Registry,,HKLM:\Software\Policies\Microsoft\Edge,SmartScreenPuaEnabled,,,,0,1,=,Low +1010,"Microsoft Edge","Prevent bypassing Microsoft Defender SmartScreen prompts for sites",Registry,,HKLM:\Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter,PreventOverride,,,,,1,=,Low +1011,"Microsoft Edge","Prevent bypassing of Microsoft Defender SmartScreen warnings about downloads",Registry,,HKLM:\Software\Policies\Microsoft\Edge,PreventSmartScreenPromptOverrideForFiles,,,,0,1,=,Low +1022,"Microsoft Edge","Configure Edge TyposquattingChecker",Registry,,HKLM:\Software\Policies\Microsoft\Edge,TyposquattingCheckerEnabled,,,,,1,=,Low diff --git a/lists/finding_list_msft_security_baseline_microsoft_365_apps_v2206_machine.csv b/lists/finding_list_msft_security_baseline_microsoft_365_apps_v2206_machine.csv new file mode 100644 index 0000000..1822dcc --- /dev/null +++ b/lists/finding_list_msft_security_baseline_microsoft_365_apps_v2206_machine.csv @@ -0,0 +1,195 @@ +ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Namespace,Property,DefaultValue,RecommendedValue,Operator,Severity +6000,"Office 2016 / Office 365","IE Security: Add-on Management (Excel)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_addon_management",excel.exe,,,,,1,=,Medium +6001,"Office 2016 / Office 365","IE Security: Add-on Management (Expression Web Designer)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_addon_management",exprwd.exe,,,,,1,=,Medium +6002,"Office 2016 / Office 365","IE Security: Add-on Management (Groove)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_addon_management",groove.exe,,,,,1,=,Medium +6003,"Office 2016 / Office 365","IE Security: Add-on Management (Access)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_addon_management",msaccess.exe,,,,,1,=,Medium +6004,"Office 2016 / Office 365","IE Security: Add-on Management (Script Editor)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_addon_management",mse7.exe,,,,,1,=,Medium +6005,"Office 2016 / Office 365","IE Security: Add-on Management (Publisher)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_addon_management",mspub.exe,,,,,1,=,Medium +6006,"Office 2016 / Office 365","IE Security: Add-on Management (OneNote)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_addon_management",onenote.exe,,,,,1,=,Medium +6007,"Office 2016 / Office 365","IE Security: Add-on Management (Outlook)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_addon_management",outlook.exe,,,,,1,=,Medium +6008,"Office 2016 / Office 365","IE Security: Add-on Management (PowerPoint)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_addon_management",powerpnt.exe,,,,,1,=,Medium +6009,"Office 2016 / Office 365","IE Security: Add-on Management (PowerPoint Viewer)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_addon_management",pptview.exe,,,,,1,=,Medium +6010,"Office 2016 / Office 365","IE Security: Add-on Management (SharePoint Designer)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_addon_management",spdesign.exe,,,,,1,=,Medium +6011,"Office 2016 / Office 365","IE Security: Add-on Management (Visio)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_addon_management",visio.exe,,,,,1,=,Medium +6012,"Office 2016 / Office 365","IE Security: Add-on Management (Project)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_addon_management",winproj.exe,,,,,1,=,Medium +6013,"Office 2016 / Office 365","IE Security: Add-on Management (Word)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_addon_management",winword.exe,,,,,1,=,Medium +6014,"Office 2016 / Office 365","IE Security: Consistent Mime Handling (Excel)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_mime_handling",excel.exe,,,,,1,=,Medium +6015,"Office 2016 / Office 365","IE Security: Consistent Mime Handling (Expression Web Designer)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_mime_handling",exprwd.exe,,,,,1,=,Medium +6016,"Office 2016 / Office 365","IE Security: Consistent Mime Handling (Groove)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_mime_handling",groove.exe,,,,,1,=,Medium +6017,"Office 2016 / Office 365","IE Security: Consistent Mime Handling (Access)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_mime_handling",msaccess.exe,,,,,1,=,Medium +6018,"Office 2016 / Office 365","IE Security: Consistent Mime Handling (Script Editor)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_mime_handling",mse7.exe,,,,,1,=,Medium +6019,"Office 2016 / Office 365","IE Security: Consistent Mime Handling (Publisher)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_mime_handling",mspub.exe,,,,,1,=,Medium +6020,"Office 2016 / Office 365","IE Security: Consistent Mime Handling (OneNote)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_mime_handling",onenote.exe,,,,,1,=,Medium +6021,"Office 2016 / Office 365","IE Security: Consistent Mime Handling (Outlook)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_mime_handling",outlook.exe,,,,,1,=,Medium +6022,"Office 2016 / Office 365","IE Security: Consistent Mime Handling (PowerPoint)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_mime_handling",powerpnt.exe,,,,,1,=,Medium +6023,"Office 2016 / Office 365","IE Security: Consistent Mime Handling (PowerPoint Viewer)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_mime_handling",pptview.exe,,,,,1,=,Medium +6024,"Office 2016 / Office 365","IE Security: Consistent Mime Handling (SharePoint Designer)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_mime_handling",spdesign.exe,,,,,1,=,Medium +6025,"Office 2016 / Office 365","IE Security: Consistent Mime Handling (Visio)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_mime_handling",visio.exe,,,,,1,=,Medium +6026,"Office 2016 / Office 365","IE Security: Consistent Mime Handling (Project)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_mime_handling",winproj.exe,,,,,1,=,Medium +6027,"Office 2016 / Office 365","IE Security: Consistent Mime Handling (Word)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_mime_handling",winword.exe,,,,,1,=,Medium +6028,"Office 2016 / Office 365","IE Security: Disable user name and password (Excel)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_http_username_password_disable",excel.exe,,,,,1,=,Medium +6029,"Office 2016 / Office 365","IE Security: Disable user name and password (Expression Web Designer)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_http_username_password_disable",exprwd.exe,,,,,1,=,Medium +6030,"Office 2016 / Office 365","IE Security: Disable user name and password (Groove)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_http_username_password_disable",groove.exe,,,,,1,=,Medium +6031,"Office 2016 / Office 365","IE Security: Disable user name and password (Access)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_http_username_password_disable",msaccess.exe,,,,,1,=,Medium +6032,"Office 2016 / Office 365","IE Security: Disable user name and password (Script Editor)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_http_username_password_disable",mse7.exe,,,,,1,=,Medium +6033,"Office 2016 / Office 365","IE Security: Disable user name and password (Publisher)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_http_username_password_disable",mspub.exe,,,,,1,=,Medium +6034,"Office 2016 / Office 365","IE Security: Disable user name and password (OneNote)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_http_username_password_disable",onenote.exe,,,,,1,=,Medium +6035,"Office 2016 / Office 365","IE Security: Disable user name and password (Outlook)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_http_username_password_disable",outlook.exe,,,,,1,=,Medium +6036,"Office 2016 / Office 365","IE Security: Disable user name and password (PowerPoint)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_http_username_password_disable",powerpnt.exe,,,,,1,=,Medium +6037,"Office 2016 / Office 365","IE Security: Disable user name and password (PowerPoint Viewer)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_http_username_password_disable",pptview.exe,,,,,1,=,Medium +6038,"Office 2016 / Office 365","IE Security: Disable user name and password (SharePoint Designer)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_http_username_password_disable",spdesign.exe,,,,,1,=,Medium +6039,"Office 2016 / Office 365","IE Security: Disable user name and password (Visio)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_http_username_password_disable",visio.exe,,,,,1,=,Medium +6040,"Office 2016 / Office 365","IE Security: Disable user name and password (Project)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_http_username_password_disable",winproj.exe,,,,,1,=,Medium +6041,"Office 2016 / Office 365","IE Security: Disable user name and password (Word)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_http_username_password_disable",winword.exe,,,,,1,=,Medium +6042,"Office 2016 / Office 365","IE Security: Information Bar (Excel)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_securityband",excel.exe,,,,,1,=,Medium +6043,"Office 2016 / Office 365","IE Security: Information Bar (Expression Web Designer)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_securityband",exprwd.exe,,,,,1,=,Medium +6044,"Office 2016 / Office 365","IE Security: Information Bar (Groove)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_securityband",groove.exe,,,,,1,=,Medium +6045,"Office 2016 / Office 365","IE Security: Information Bar (Access)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_securityband",msaccess.exe,,,,,1,=,Medium +6046,"Office 2016 / Office 365","IE Security: Information Bar (Script Editor)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_securityband",mse7.exe,,,,,1,=,Medium +6047,"Office 2016 / Office 365","IE Security: Information Bar (Publisher)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_securityband",mspub.exe,,,,,1,=,Medium +6048,"Office 2016 / Office 365","IE Security: Information Bar (OneNote)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_securityband",onenote.exe,,,,,1,=,Medium +6049,"Office 2016 / Office 365","IE Security: Information Bar (Outlook)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_securityband",outlook.exe,,,,,1,=,Medium +6050,"Office 2016 / Office 365","IE Security: Information Bar (PowerPoint)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_securityband",powerpnt.exe,,,,,1,=,Medium +6051,"Office 2016 / Office 365","IE Security: Information Bar (PowerPoint Viewer)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_securityband",pptview.exe,,,,,1,=,Medium +6052,"Office 2016 / Office 365","IE Security: Information Bar (SharePoint Designer)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_securityband",spdesign.exe,,,,,1,=,Medium +6053,"Office 2016 / Office 365","IE Security: Information Bar (Visio)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_securityband",visio.exe,,,,,1,=,Medium +6054,"Office 2016 / Office 365","IE Security: Information Bar (Project)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_securityband",winproj.exe,,,,,1,=,Medium +6055,"Office 2016 / Office 365","IE Security: Information Bar (Word)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_securityband",winword.exe,,,,,1,=,Medium +6056,"Office 2016 / Office 365","IE Security: Local Machine Zone Lockdown Security (Excel)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_localmachine_lockdown",excel.exe,,,,,1,=,Medium +6057,"Office 2016 / Office 365","IE Security: Local Machine Zone Lockdown Security (Expression Web Designer)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_localmachine_lockdown",exprwd.exe,,,,,1,=,Medium +6058,"Office 2016 / Office 365","IE Security: Local Machine Zone Lockdown Security (Groove)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_localmachine_lockdown",groove.exe,,,,,1,=,Medium +6059,"Office 2016 / Office 365","IE Security: Local Machine Zone Lockdown Security (Access)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_localmachine_lockdown",msaccess.exe,,,,,1,=,Medium +6060,"Office 2016 / Office 365","IE Security: Local Machine Zone Lockdown Security (Script Editor)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_localmachine_lockdown",mse7.exe,,,,,1,=,Medium +6061,"Office 2016 / Office 365","IE Security: Local Machine Zone Lockdown Security (Publisher)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_localmachine_lockdown",mspub.exe,,,,,1,=,Medium +6062,"Office 2016 / Office 365","IE Security: Local Machine Zone Lockdown Security (OneNote)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_localmachine_lockdown",onenote.exe,,,,,1,=,Medium +6063,"Office 2016 / Office 365","IE Security: Local Machine Zone Lockdown Security (Outlook)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_localmachine_lockdown",outlook.exe,,,,,1,=,Medium +6064,"Office 2016 / Office 365","IE Security: Local Machine Zone Lockdown Security (PowerPoint)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_localmachine_lockdown",powerpnt.exe,,,,,1,=,Medium +6065,"Office 2016 / Office 365","IE Security: Local Machine Zone Lockdown Security (PowerPoint Viewer)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_localmachine_lockdown",pptview.exe,,,,,1,=,Medium +6066,"Office 2016 / Office 365","IE Security: Local Machine Zone Lockdown Security (SharePoint Designer)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_localmachine_lockdown",spdesign.exe,,,,,1,=,Medium +6067,"Office 2016 / Office 365","IE Security: Local Machine Zone Lockdown Security (Visio)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_localmachine_lockdown",visio.exe,,,,,1,=,Medium +6068,"Office 2016 / Office 365","IE Security: Local Machine Zone Lockdown Security (Project)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_localmachine_lockdown",winproj.exe,,,,,1,=,Medium +6069,"Office 2016 / Office 365","IE Security: Local Machine Zone Lockdown Security (Word)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_localmachine_lockdown",winword.exe,,,,,1,=,Medium +6070,"Office 2016 / Office 365","IE Security: Mime Sniffing Safety Feature (Excel)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_mime_sniffing",excel.exe,,,,,1,=,Medium +6071,"Office 2016 / Office 365","IE Security: Mime Sniffing Safety Feature (Expression Web Designer)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_mime_sniffing",exprwd.exe,,,,,1,=,Medium +6072,"Office 2016 / Office 365","IE Security: Mime Sniffing Safety Feature (Groove)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_mime_sniffing",groove.exe,,,,,1,=,Medium +6073,"Office 2016 / Office 365","IE Security: Mime Sniffing Safety Feature (Access)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_mime_sniffing",msaccess.exe,,,,,1,=,Medium +6074,"Office 2016 / Office 365","IE Security: Mime Sniffing Safety Feature (Script Editor)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_mime_sniffing",mse7.exe,,,,,1,=,Medium +6075,"Office 2016 / Office 365","IE Security: Mime Sniffing Safety Feature (Publisher)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_mime_sniffing",mspub.exe,,,,,1,=,Medium +6076,"Office 2016 / Office 365","IE Security: Mime Sniffing Safety Feature (OneNote)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_mime_sniffing",onenote.exe,,,,,1,=,Medium +6077,"Office 2016 / Office 365","IE Security: Mime Sniffing Safety Feature (Outlook)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_mime_sniffing",outlook.exe,,,,,1,=,Medium +6078,"Office 2016 / Office 365","IE Security: Mime Sniffing Safety Feature (PowerPoint)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_mime_sniffing",powerpnt.exe,,,,,1,=,Medium +6079,"Office 2016 / Office 365","IE Security: Mime Sniffing Safety Feature (PowerPoint Viewer)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_mime_sniffing",pptview.exe,,,,,1,=,Medium +6080,"Office 2016 / Office 365","IE Security: Mime Sniffing Safety Feature (SharePoint Designer)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_mime_sniffing",spdesign.exe,,,,,1,=,Medium +6081,"Office 2016 / Office 365","IE Security: Mime Sniffing Safety Feature (Visio)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_mime_sniffing",visio.exe,,,,,1,=,Medium +6082,"Office 2016 / Office 365","IE Security: Mime Sniffing Safety Feature (Project)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_mime_sniffing",winproj.exe,,,,,1,=,Medium +6083,"Office 2016 / Office 365","IE Security: Mime Sniffing Safety Feature (Word)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_mime_sniffing",winword.exe,,,,,1,=,Medium +6084,"Office 2016 / Office 365","IE Security: Navigate URL (Excel)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_validate_navigate_url",excel.exe,,,,,1,=,Medium +6085,"Office 2016 / Office 365","IE Security: Navigate URL (Expression Web Designer)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_validate_navigate_url",exprwd.exe,,,,,1,=,Medium +6086,"Office 2016 / Office 365","IE Security: Navigate URL (Groove)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_validate_navigate_url",groove.exe,,,,,1,=,Medium +6087,"Office 2016 / Office 365","IE Security: Navigate URL (Access)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_validate_navigate_url",msaccess.exe,,,,,1,=,Medium +6088,"Office 2016 / Office 365","IE Security: Navigate URL (Script Editor)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_validate_navigate_url",mse7.exe,,,,,1,=,Medium +6089,"Office 2016 / Office 365","IE Security: Navigate URL (Publisher)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_validate_navigate_url",mspub.exe,,,,,1,=,Medium +6090,"Office 2016 / Office 365","IE Security: Navigate URL (OneNote)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_validate_navigate_url",onenote.exe,,,,,1,=,Medium +6091,"Office 2016 / Office 365","IE Security: Navigate URL (Outlook)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_validate_navigate_url",outlook.exe,,,,,1,=,Medium +6092,"Office 2016 / Office 365","IE Security: Navigate URL (PowerPoint)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_validate_navigate_url",powerpnt.exe,,,,,1,=,Medium +6093,"Office 2016 / Office 365","IE Security: Navigate URL (PowerPoint Viewer)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_validate_navigate_url",pptview.exe,,,,,1,=,Medium +6094,"Office 2016 / Office 365","IE Security: Navigate URL (SharePoint Designer)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_validate_navigate_url",spdesign.exe,,,,,1,=,Medium +6095,"Office 2016 / Office 365","IE Security: Navigate URL (Visio)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_validate_navigate_url",visio.exe,,,,,1,=,Medium +6096,"Office 2016 / Office 365","IE Security: Navigate URL (Project)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_validate_navigate_url",winproj.exe,,,,,1,=,Medium +6097,"Office 2016 / Office 365","IE Security: Navigate URL (Word)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_validate_navigate_url",winword.exe,,,,,1,=,Medium +6098,"Office 2016 / Office 365","IE Security: Object Caching Protection (Excel)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_object_caching",excel.exe,,,,,1,=,Medium +6099,"Office 2016 / Office 365","IE Security: Object Caching Protection (Expression Web Designer)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_object_caching",exprwd.exe,,,,,1,=,Medium +6100,"Office 2016 / Office 365","IE Security: Object Caching Protection (Groove)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_object_caching",groove.exe,,,,,1,=,Medium +6101,"Office 2016 / Office 365","IE Security: Object Caching Protection (Access)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_object_caching",msaccess.exe,,,,,1,=,Medium +6102,"Office 2016 / Office 365","IE Security: Object Caching Protection (Script Editor)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_object_caching",mse7.exe,,,,,1,=,Medium +6103,"Office 2016 / Office 365","IE Security: Object Caching Protection (Publisher)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_object_caching",mspub.exe,,,,,1,=,Medium +6104,"Office 2016 / Office 365","IE Security: Object Caching Protection (OneNote)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_object_caching",onenote.exe,,,,,1,=,Medium +6105,"Office 2016 / Office 365","IE Security: Object Caching Protection (Outlook)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_object_caching",outlook.exe,,,,,1,=,Medium +6106,"Office 2016 / Office 365","IE Security: Object Caching Protection (PowerPoint)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_object_caching",powerpnt.exe,,,,,1,=,Medium +6107,"Office 2016 / Office 365","IE Security: Object Caching Protection (PowerPoint Viewer)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_object_caching",pptview.exe,,,,,1,=,Medium +6108,"Office 2016 / Office 365","IE Security: Object Caching Protection (SharePoint Designer)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_object_caching",spdesign.exe,,,,,1,=,Medium +6109,"Office 2016 / Office 365","IE Security: Object Caching Protection (Visio)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_object_caching",visio.exe,,,,,1,=,Medium +6110,"Office 2016 / Office 365","IE Security: Object Caching Protection (Project)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_object_caching",winproj.exe,,,,,1,=,Medium +6111,"Office 2016 / Office 365","IE Security: Object Caching Protection (Word)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_object_caching",winword.exe,,,,,1,=,Medium +6112,"Office 2016 / Office 365","IE Security: Protection From Zone Elevation (Excel)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_zone_elevation",excel.exe,,,,,1,=,Medium +6113,"Office 2016 / Office 365","IE Security: Protection From Zone Elevation (Expression Web Designer)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_zone_elevation",exprwd.exe,,,,,1,=,Medium +6114,"Office 2016 / Office 365","IE Security: Protection From Zone Elevation (Groove)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_zone_elevation",groove.exe,,,,,1,=,Medium +6115,"Office 2016 / Office 365","IE Security: Protection From Zone Elevation (Access)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_zone_elevation",msaccess.exe,,,,,1,=,Medium +6116,"Office 2016 / Office 365","IE Security: Protection From Zone Elevation (Script Editor)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_zone_elevation",mse7.exe,,,,,1,=,Medium +6117,"Office 2016 / Office 365","IE Security: Protection From Zone Elevation (Publisher)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_zone_elevation",mspub.exe,,,,,1,=,Medium +6118,"Office 2016 / Office 365","IE Security: Protection From Zone Elevation (OneNote)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_zone_elevation",onenote.exe,,,,,1,=,Medium +6119,"Office 2016 / Office 365","IE Security: Protection From Zone Elevation (Outlook)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_zone_elevation",outlook.exe,,,,,1,=,Medium +6120,"Office 2016 / Office 365","IE Security: Protection From Zone Elevation (PowerPoint)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_zone_elevation",powerpnt.exe,,,,,1,=,Medium +6121,"Office 2016 / Office 365","IE Security: Protection From Zone Elevation (PowerPoint Viewer)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_zone_elevation",pptview.exe,,,,,1,=,Medium +6122,"Office 2016 / Office 365","IE Security: Protection From Zone Elevation (SharePoint Designer)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_zone_elevation",spdesign.exe,,,,,1,=,Medium +6123,"Office 2016 / Office 365","IE Security: Protection From Zone Elevation (Visio)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_zone_elevation",visio.exe,,,,,1,=,Medium +6124,"Office 2016 / Office 365","IE Security: Protection From Zone Elevation (Project)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_zone_elevation",winproj.exe,,,,,1,=,Medium +6125,"Office 2016 / Office 365","IE Security: Protection From Zone Elevation (Word)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_zone_elevation",winword.exe,,,,,1,=,Medium +6126,"Office 2016 / Office 365","IE Security: Restrict ActiveX Install (Excel)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_restrict_activexinstall",excel.exe,,,,,1,=,Medium +6127,"Office 2016 / Office 365","IE Security: Restrict ActiveX Install (Expression Web Designer)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_restrict_activexinstall",exprwd.exe,,,,,1,=,Medium +6128,"Office 2016 / Office 365","IE Security: Restrict ActiveX Install (Groove)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_restrict_activexinstall",groove.exe,,,,,1,=,Medium +6129,"Office 2016 / Office 365","IE Security: Restrict ActiveX Install (Access)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_restrict_activexinstall",msaccess.exe,,,,,1,=,Medium +6130,"Office 2016 / Office 365","IE Security: Restrict ActiveX Install (Script Editor)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_restrict_activexinstall",mse7.exe,,,,,1,=,Medium +6131,"Office 2016 / Office 365","IE Security: Restrict ActiveX Install (Publisher)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_restrict_activexinstall",mspub.exe,,,,,1,=,Medium +6132,"Office 2016 / Office 365","IE Security: Restrict ActiveX Install (OneNote)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_restrict_activexinstall",onenote.exe,,,,,1,=,Medium +6133,"Office 2016 / Office 365","IE Security: Restrict ActiveX Install (Outlook)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_restrict_activexinstall",outlook.exe,,,,,1,=,Medium +6134,"Office 2016 / Office 365","IE Security: Restrict ActiveX Install (PowerPoint)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_restrict_activexinstall",powerpnt.exe,,,,,1,=,Medium +6135,"Office 2016 / Office 365","IE Security: Restrict ActiveX Install (PowerPoint Viewer)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_restrict_activexinstall",pptview.exe,,,,,1,=,Medium +6136,"Office 2016 / Office 365","IE Security: Restrict ActiveX Install (SharePoint Designer)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_restrict_activexinstall",spdesign.exe,,,,,1,=,Medium +6137,"Office 2016 / Office 365","IE Security: Restrict ActiveX Install (Visio)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_restrict_activexinstall",visio.exe,,,,,1,=,Medium +6138,"Office 2016 / Office 365","IE Security: Restrict ActiveX Install (Project)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_restrict_activexinstall",winproj.exe,,,,,1,=,Medium +6139,"Office 2016 / Office 365","IE Security: Restrict ActiveX Install (Word)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_restrict_activexinstall",winword.exe,,,,,1,=,Medium +6140,"Office 2016 / Office 365","IE Security: Restrict File Download (Excel)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_restrict_filedownload",excel.exe,,,,,1,=,Medium +6141,"Office 2016 / Office 365","IE Security: Restrict File Download (Expression Web Designer)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_restrict_filedownload",exprwd.exe,,,,,1,=,Medium +6142,"Office 2016 / Office 365","IE Security: Restrict File Download (Groove)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_restrict_filedownload",groove.exe,,,,,1,=,Medium +6143,"Office 2016 / Office 365","IE Security: Restrict File Download (Access)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_restrict_filedownload",msaccess.exe,,,,,1,=,Medium +6144,"Office 2016 / Office 365","IE Security: Restrict File Download (Script Editor)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_restrict_filedownload",mse7.exe,,,,,1,=,Medium +6145,"Office 2016 / Office 365","IE Security: Restrict File Download (Publisher)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_restrict_filedownload",mspub.exe,,,,,1,=,Medium +6146,"Office 2016 / Office 365","IE Security: Restrict File Download (OneNote)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_restrict_filedownload",onenote.exe,,,,,1,=,Medium +6147,"Office 2016 / Office 365","IE Security: Restrict File Download (Outlook)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_restrict_filedownload",outlook.exe,,,,,1,=,Medium +6148,"Office 2016 / Office 365","IE Security: Restrict File Download (PowerPoint)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_restrict_filedownload",powerpnt.exe,,,,,1,=,Medium +6149,"Office 2016 / Office 365","IE Security: Restrict File Download (PowerPoint Viewer)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_restrict_filedownload",pptview.exe,,,,,1,=,Medium +6150,"Office 2016 / Office 365","IE Security: Restrict File Download (SharePoint Designer)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_restrict_filedownload",spdesign.exe,,,,,1,=,Medium +6151,"Office 2016 / Office 365","IE Security: Restrict File Download (Visio)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_restrict_filedownload",visio.exe,,,,,1,=,Medium +6152,"Office 2016 / Office 365","IE Security: Restrict File Download (Project)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_restrict_filedownload",winproj.exe,,,,,1,=,Medium +6153,"Office 2016 / Office 365","IE Security: Restrict File Download (Word)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_restrict_filedownload",winword.exe,,,,,1,=,Medium +6154,"Office 2016 / Office 365","IE Security: Saved from URL (Excel)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_unc_savedfilecheck",excel.exe,,,,,1,=,Medium +6155,"Office 2016 / Office 365","IE Security: Saved from URL (Expression Web Designer)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_unc_savedfilecheck",exprwd.exe,,,,,1,=,Medium +6156,"Office 2016 / Office 365","IE Security: Saved from URL (Groove)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_unc_savedfilecheck",groove.exe,,,,,1,=,Medium +6157,"Office 2016 / Office 365","IE Security: Saved from URL (Access)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_unc_savedfilecheck",msaccess.exe,,,,,1,=,Medium +6158,"Office 2016 / Office 365","IE Security: Saved from URL (Script Editor)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_unc_savedfilecheck",mse7.exe,,,,,1,=,Medium +6159,"Office 2016 / Office 365","IE Security: Saved from URL (Publisher)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_unc_savedfilecheck",mspub.exe,,,,,1,=,Medium +6160,"Office 2016 / Office 365","IE Security: Saved from URL (OneNote)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_unc_savedfilecheck",onenote.exe,,,,,1,=,Medium +6161,"Office 2016 / Office 365","IE Security: Saved from URL (Outlook)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_unc_savedfilecheck",outlook.exe,,,,,1,=,Medium +6162,"Office 2016 / Office 365","IE Security: Saved from URL (PowerPoint)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_unc_savedfilecheck",powerpnt.exe,,,,,1,=,Medium +6163,"Office 2016 / Office 365","IE Security: Saved from URL (PowerPoint Viewer)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_unc_savedfilecheck",pptview.exe,,,,,1,=,Medium +6164,"Office 2016 / Office 365","IE Security: Saved from URL (SharePoint Designer)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_unc_savedfilecheck",spdesign.exe,,,,,1,=,Medium +6165,"Office 2016 / Office 365","IE Security: Saved from URL (Visio)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_unc_savedfilecheck",visio.exe,,,,,1,=,Medium +6166,"Office 2016 / Office 365","IE Security: Saved from URL (Project)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_unc_savedfilecheck",winproj.exe,,,,,1,=,Medium +6167,"Office 2016 / Office 365","IE Security: Saved from URL (Word)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_unc_savedfilecheck",winword.exe,,,,,1,=,Medium +6168,"Office 2016 / Office 365","IE Security: Scripted Window Security Restrictions (Excel)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_window_restrictions",excel.exe,,,,,1,=,Medium +6169,"Office 2016 / Office 365","IE Security: Scripted Window Security Restrictions (Expression Web Designer)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_window_restrictions",exprwd.exe,,,,,1,=,Medium +6170,"Office 2016 / Office 365","IE Security: Scripted Window Security Restrictions (Groove)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_window_restrictions",groove.exe,,,,,1,=,Medium +6171,"Office 2016 / Office 365","IE Security: Scripted Window Security Restrictions (Access)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_window_restrictions",msaccess.exe,,,,,1,=,Medium +6172,"Office 2016 / Office 365","IE Security: Scripted Window Security Restrictions (Script Editor)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_window_restrictions",mse7.exe,,,,,1,=,Medium +6173,"Office 2016 / Office 365","IE Security: Scripted Window Security Restrictions (Publisher)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_window_restrictions",mspub.exe,,,,,1,=,Medium +6174,"Office 2016 / Office 365","IE Security: Scripted Window Security Restrictions (OneNote)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_window_restrictions",onenote.exe,,,,,1,=,Medium +6175,"Office 2016 / Office 365","IE Security: Scripted Window Security Restrictions (Outlook)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_window_restrictions",outlook.exe,,,,,1,=,Medium +6176,"Office 2016 / Office 365","IE Security: Scripted Window Security Restrictions (PowerPoint)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_window_restrictions",powerpnt.exe,,,,,1,=,Medium +6177,"Office 2016 / Office 365","IE Security: Scripted Window Security Restrictions (PowerPoint Viewer)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_window_restrictions",pptview.exe,,,,,1,=,Medium +6178,"Office 2016 / Office 365","IE Security: Scripted Window Security Restrictions (SharePoint Designer)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_window_restrictions",spdesign.exe,,,,,1,=,Medium +6179,"Office 2016 / Office 365","IE Security: Scripted Window Security Restrictions (Visio)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_window_restrictions",visio.exe,,,,,1,=,Medium +6180,"Office 2016 / Office 365","IE Security: Scripted Window Security Restrictions (Project)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_window_restrictions",winproj.exe,,,,,1,=,Medium +6181,"Office 2016 / Office 365","IE Security: Scripted Window Security Restrictions (Word)",Registry,,"HKLM:\software\microsoft\internet explorer\main\featurecontrol\feature_window_restrictions",winword.exe,,,,,1,=,Medium +6182,"Office 2016 / Office 365","MS Security Guide: Block Flash activation in Office documents",Registry,,"HKLM:\SOFTWARE\Microsoft\Office\Common\COM Compatibility",Comment,,,,,"Block all Flash activation",=,Medium +6185,"Office 2016 / Office 365","Restrict legacy JScript execution for Office (Excel)",Registry,,"HKLM:\software\policies\microsoft\internet explorer\main\featurecontrol\FEATURE_RESTRICT_LEGACY_JSCRIPT_PER_SECURITY_ZONE",excel.exe,,,,,69632,=,Medium +6186,"Office 2016 / Office 365","Restrict legacy JScript execution for Office (Publisher)",Registry,,"HKLM:\software\policies\microsoft\internet explorer\main\featurecontrol\FEATURE_RESTRICT_LEGACY_JSCRIPT_PER_SECURITY_ZONE",mspub.exe,,,,,69632,=,Medium +6187,"Office 2016 / Office 365","Restrict legacy JScript execution for Office (PowerPoint)",Registry,,"HKLM:\software\policies\microsoft\internet explorer\main\featurecontrol\FEATURE_RESTRICT_LEGACY_JSCRIPT_PER_SECURITY_ZONE",powerpnt.exe,,,,,69632,=,Medium +6188,"Office 2016 / Office 365","Restrict legacy JScript execution for Office (OneNote)",Registry,,"HKLM:\software\policies\microsoft\internet explorer\main\featurecontrol\FEATURE_RESTRICT_LEGACY_JSCRIPT_PER_SECURITY_ZONE",onent.exe,,,,,69632,=,Medium +6189,"Office 2016 / Office 365","Restrict legacy JScript execution for Office (Visio)",Registry,,"HKLM:\software\policies\microsoft\internet explorer\main\featurecontrol\FEATURE_RESTRICT_LEGACY_JSCRIPT_PER_SECURITY_ZONE",visio.exe,,,,,69632,=,Medium +6190,"Office 2016 / Office 365","Restrict legacy JScript execution for Office (Project)",Registry,,"HKLM:\software\policies\microsoft\internet explorer\main\featurecontrol\FEATURE_RESTRICT_LEGACY_JSCRIPT_PER_SECURITY_ZONE",winproj.exe,,,,,69632,=,Medium +6191,"Office 2016 / Office 365","Restrict legacy JScript execution for Office (Word)",Registry,,"HKLM:\software\policies\microsoft\internet explorer\main\featurecontrol\FEATURE_RESTRICT_LEGACY_JSCRIPT_PER_SECURITY_ZONE",winword.exe,,,,,69632,=,Medium +6192,"Office 2016 / Office 365","Restrict legacy JScript execution for Office (Outlook)",Registry,,"HKLM:\software\policies\microsoft\internet explorer\main\featurecontrol\FEATURE_RESTRICT_LEGACY_JSCRIPT_PER_SECURITY_ZONE",outlook.exe,,,,,69632,=,Medium +6193,"Office 2016 / Office 365","Restrict legacy JScript execution for Office (Access)",Registry,,"HKLM:\software\policies\microsoft\internet explorer\main\featurecontrol\FEATURE_RESTRICT_LEGACY_JSCRIPT_PER_SECURITY_ZONE",msaccess.exe,,,,,69632,=,Medium +6183,"Office 2016 / Office 365","Skype for Business: Configure SIP security mode",Registry,,HKLM:\software\policies\microsoft\office\16.0\lync,enablesiphighsecuritymode,,,,,1,=,Medium +6184,"Office 2016 / Office 365","Skype for Business: Disable HTTP fallback for SIP connection",Registry,,HKLM:\software\policies\microsoft\office\16.0\lync,disablehttpconnect,,,,,1,=,Medium diff --git a/lists/finding_list_msft_security_baseline_microsoft_365_apps_v2206_user.csv b/lists/finding_list_msft_security_baseline_microsoft_365_apps_v2206_user.csv new file mode 100644 index 0000000..c86f1f9 --- /dev/null +++ b/lists/finding_list_msft_security_baseline_microsoft_365_apps_v2206_user.csv @@ -0,0 +1,153 @@ +ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Namespace,Property,DefaultValue,RecommendedValue,Operator,Severity +5000,"Office 2016 / Office 365","Microsoft Access: Block macros from running in Office files from the Internet",Registry,,HKCU:\software\policies\microsoft\office\16.0\access\security,blockcontentexecutionfrominternet,,,,,1,=,Medium +5001,"Office 2016 / Office 365","Microsoft Access: Disable Trust Bar Notification for unsigned application add-ins and block them",Registry,,HKCU:\software\policies\microsoft\office\16.0\access\security,notbpromptunsignedaddin,,,,,1,=,Medium +5002,"Office 2016 / Office 365","Microsoft Access: VBA Macro Notification Settings (Policy)",Registry,,HKCU:\software\policies\microsoft\office\16.0\access\security,vbawarnings,,,,2,3,>=,Medium +5227,"Office 2016 / Office 365","Microsoft Access: VBA Macro Notification Settings (Policy) - Require macros to be signed by a trusted publisher",Registry,,HKCU:\software\policies\microsoft\office\16.0\access\security,vbadigsigtrustedpublishers,,,,,1,=,Medium +5003,"Office 2016 / Office 365","Microsoft Access: Allow Trusted Locations on the network",Registry,,"HKCU:\software\policies\microsoft\office\16.0\access\security\trusted locations",allownetworklocations,,,,,0,=,Medium +5010,"Office 2016 / Office 365","Microsoft Excel: Do not show data extraction options when opening corrupt workbooks",Registry,,HKCU:\software\policies\microsoft\office\16.0\excel\options,extractdatadisableui,,,,,1,=,Medium +5011,"Office 2016 / Office 365","Microsoft Excel: Ask to update automatic links",Registry,,HKCU:\software\policies\microsoft\office\16.0\excel\options\binaryoptions,fupdateext_78_1,,,,,0,=,Medium +5012,"Office 2016 / Office 365","Microsoft Excel: Load pictures from Web pages not created in Excel",Registry,,HKCU:\software\policies\microsoft\office\16.0\excel\internet,donotloadpictures,,,,,1,=,Medium +5013,"Office 2016 / Office 365","Microsoft Excel: Disable AutoRepublish",Registry,,HKCU:\software\policies\microsoft\office\16.0\excel\options,disableautorepublish,,,,,1,=,Medium +5014,"Office 2016 / Office 365","Microsoft Excel: Do not show AutoRepublish warning alert",Registry,,HKCU:\software\policies\microsoft\office\16.0\excel\options,disableautorepublishwarning,,,,,0,=,Medium +5015,"Office 2016 / Office 365","Microsoft Excel: Force file extension to match file type",Registry,,HKCU:\software\policies\microsoft\office\16.0\excel\security,extensionhardening,,,,,2,=,Medium +5016,"Office 2016 / Office 365","Microsoft Excel: Scan encrypted macros in Excel Open XML workbooks",Registry,,HKCU:\software\policies\microsoft\office\16.0\excel\security,excelbypassencryptedmacroscan,,,,,0,=,Medium +5017,"Office 2016 / Office 365","Microsoft Excel: Turn off file validation",Registry,,HKCU:\software\policies\microsoft\office\16.0\excel\security\filevalidation,enableonload,,,,,1,=,Medium +5018,"Office 2016 / Office 365","Microsoft Excel: WEBSERVICE Function Notification Settings",Registry,,HKCU:\software\policies\microsoft\office\16.0\excel\security,webservicefunctionwarnings,,,,,1,=,Medium +5019,"Office 2016 / Office 365","Microsoft Excel: Block macros from running in Office files from the Internet",Registry,,HKCU:\Software\Policies\Microsoft\Office\16.0\Excel\Security,blockcontentexecutionfrominternet,,,,0,1,=,Medium +5020,"Office 2016 / Office 365","Microsoft Excel: Disable Trust Bar Notification for unsigned application add-ins and block them",Registry,,HKCU:\software\policies\microsoft\office\16.0\excel\security,notbpromptunsignedaddin,,,,,1,=,Medium +5021,"Office 2016 / Office 365","Microsoft Excel: VBA Macro Notification Settings (Policy)",Registry,,HKCU:\Software\Policies\Microsoft\Office\16.0\Excel\Security,vbawarnings,,,,2,3,>=,Medium +5222,"Office 2016 / Office 365","Microsoft Excel: Require that application add-ins are signed by Trusted Publisher",Registry,,HKCU:\software\policies\microsoft\office\16.0\excel\security,requireaddinsig,,,,,1,=,Medium +5231,"Office 2016 / Office 365","Microsoft Excel: Prevent Excel from running XLM macros",Registry,,HKCU:\software\policies\microsoft\office\16.0\excel\security,xl4macrooff,,,,,1,=,Medium +5224,"Office 2016 / Office 365","Microsoft Excel: VBA Macro Notification Settings (Policy) - Require macros to be signed by a trusted publisher",Registry,,HKCU:\software\policies\microsoft\office\16.0\excel\security,vbadigsigtrustedpublishers,,,,,1,=,Medium +5022,"Office 2016 / Office 365","Microsoft Excel: Always prevent untrusted Microsoft Query files from opening",Registry,,"HKCU:\software\policies\microsoft\office\16.0\excel\security\external content",enableblockunsecurequeryfiles,,,,0,1,=,Medium +5023,"Office 2016 / Office 365","Microsoft Excel: Don’t allow Dynamic Data Exchange (DDE) server launch in Excel",Registry,,HKCU:\Software\Microsoft\Office\16.0\Excel\Options,DDEAllowed,,,,1,1,=,Medium +5024,"Office 2016 / Office 365","Microsoft Excel: Don’t allow Dynamic Data Exchange (DDE) server lookup in Excel",Registry,,"HKCU:\software\policies\microsoft\office\16.0\excel\security\external content",disableddeserverlookup,,,,0,1,=,Medium +5025,"Office 2016 / Office 365","Microsoft Excel: File Block Settings: dBase III / IV files",Registry,,HKCU:\software\policies\microsoft\office\16.0\excel\security\fileblock,dbasefiles,,,,,2,=,Medium +5026,"Office 2016 / Office 365","Microsoft Excel: File Block Settings: Dif and Sylk files",Registry,,HKCU:\software\policies\microsoft\office\16.0\excel\security\fileblock,difandsylkfiles,,,,,2,=,Medium +5027,"Office 2016 / Office 365","Microsoft Excel: File Block Settings: Excel 2 macrosheets and add-in files",Registry,,HKCU:\software\policies\microsoft\office\16.0\excel\security\fileblock,xl2macros,,,,,2,=,Medium +5028,"Office 2016 / Office 365","Microsoft Excel: File Block Settings: Excel 2 worksheets",Registry,,HKCU:\software\policies\microsoft\office\16.0\excel\security\fileblock,xl2worksheets,,,,,2,=,Medium +5029,"Office 2016 / Office 365","Microsoft Excel: File Block Settings: Excel 3 macrosheets and add-in files",Registry,,HKCU:\software\policies\microsoft\office\16.0\excel\security\fileblock,xl3macros,,,,,2,=,Medium +5030,"Office 2016 / Office 365","Microsoft Excel: File Block Settings: Excel 3 worksheets",Registry,,HKCU:\software\policies\microsoft\office\16.0\excel\security\fileblock,xl3worksheets,,,,,2,=,Medium +5031,"Office 2016 / Office 365","Microsoft Excel: File Block Settings: Excel 4 macrosheets and add-in files",Registry,,HKCU:\software\policies\microsoft\office\16.0\excel\security\fileblock,xl4macros,,,,,2,=,Medium +5032,"Office 2016 / Office 365","Microsoft Excel: File Block Settings: Excel 4 workbooks",Registry,,HKCU:\software\policies\microsoft\office\16.0\excel\security\fileblock,xl4workbooks,,,,,2,=,Medium +5033,"Office 2016 / Office 365","Microsoft Excel: File Block Settings: Excel 4 worksheets",Registry,,HKCU:\software\policies\microsoft\office\16.0\excel\security\fileblock,xl4worksheets,,,,,2,=,Medium +5034,"Office 2016 / Office 365","Microsoft Excel: File Block Settings: Excel 95 workbooks",Registry,,HKCU:\software\policies\microsoft\office\16.0\excel\security\fileblock,xl95workbooks,,,,,2,=,Medium +5035,"Office 2016 / Office 365","Microsoft Excel: File Block Settings: Excel 95-97 workbooks and templates",Registry,,HKCU:\software\policies\microsoft\office\16.0\excel\security\fileblock,xl9597workbooksandtemplates,,,,,2,=,Medium +5036,"Office 2016 / Office 365","Microsoft Excel: File Block Settings: Excel 97-2003 workbooks and templates",Registry,,HKCU:\software\policies\microsoft\office\16.0\excel\security\fileblock,xl97workbooksandtemplates,,,,,2,=,Medium +5037,"Office 2016 / Office 365","Microsoft Excel: File Block Settings: Set default file block behavior",Registry,,HKCU:\software\policies\microsoft\office\16.0\excel\security\fileblock,openinprotectedview,,,,,0,=,Medium +5038,"Office 2016 / Office 365","Microsoft Excel: File Block Settings: Web pages and Excel 2003 XML spreadsheets",Registry,,HKCU:\software\policies\microsoft\office\16.0\excel\security\fileblock,htmlandxmlssfiles,,,,,2,=,Medium +5039,"Office 2016 / Office 365","Microsoft Excel: Always open untrusted database files in Protected View",Registry,,HKCU:\software\policies\microsoft\office\16.0\excel\security\protectedview,enabledatabasefileprotectedview,,,,,1,=,Medium +5040,"Office 2016 / Office 365","Microsoft Excel: Do not open files from the Internet zone in Protected View",Registry,,HKCU:\software\policies\microsoft\office\16.0\excel\security\protectedview,disableinternetfilesinpv,,,,,0,=,Medium +5041,"Office 2016 / Office 365","Microsoft Excel: Do not open files in unsafe locations in Protected View",Registry,,HKCU:\software\policies\microsoft\office\16.0\excel\security\protectedview,disableunsafelocationsinpv,,,,,0,=,Medium +5042,"Office 2016 / Office 365","Microsoft Excel: Set document behavior if file validation fails (Open in Protected View)",Registry,,HKCU:\software\policies\microsoft\office\16.0\excel\security\filevalidation,disableeditfrompv,,,,,1,=,Medium +5043,"Office 2016 / Office 365","Microsoft Excel: Set document behavior if file validation fails (Allow edit in Protected View)",Registry,,HKCU:\software\policies\microsoft\office\16.0\excel\security\filevalidation,openinprotectedview,,,,,1,=,Medium +5044,"Office 2016 / Office 365","Microsoft Excel: Turn off Protected View for attachments opened from Outlook",Registry,,HKCU:\software\policies\microsoft\office\16.0\excel\security\protectedview,disableattachmentsinpv,,,,,0,=,Medium +5045,"Office 2016 / Office 365","Microsoft Excel: Allow Trusted Locations on the network",Registry,,"HKCU:\software\policies\microsoft\office\16.0\excel\security\trusted locations",allownetworklocations,,,,,0,=,Medium +5046,"Office 2016 / Office 365","Global Options: Disable UI extending from documents and templates (Access)",Registry,,HKCU:\software\policies\microsoft\office\16.0\common\toolbars\access,noextensibilitycustomizationfromdocument,,,,,1,=,Medium +5047,"Office 2016 / Office 365","Global Options: Disable UI extending from documents and templates (Excel)",Registry,,HKCU:\software\policies\microsoft\office\16.0\common\toolbars\excel,noextensibilitycustomizationfromdocument,,,,,1,=,Medium +5048,"Office 2016 / Office 365","Global Options: Disable UI extending from documents and templates (Infopath)",Registry,,HKCU:\software\policies\microsoft\office\16.0\common\toolbars\infopath,noextensibilitycustomizationfromdocument,,,,,1,=,Medium +5049,"Office 2016 / Office 365","Global Options: Disable UI extending from documents and templates (Outlook)",Registry,,HKCU:\software\policies\microsoft\office\16.0\common\toolbars\outlook,noextensibilitycustomizationfromdocument,,,,,1,=,Medium +5050,"Office 2016 / Office 365","Global Options: Disable UI extending from documents and templates (PowerPoint)",Registry,,HKCU:\software\policies\microsoft\office\16.0\common\toolbars\powerpoint,noextensibilitycustomizationfromdocument,,,,,1,=,Medium +5051,"Office 2016 / Office 365","Global Options: Disable UI extending from documents and templates (Project)",Registry,,HKCU:\software\policies\microsoft\office\16.0\common\toolbars\project,noextensibilitycustomizationfromdocument,,,,,0,=,Medium +5052,"Office 2016 / Office 365","Global Options: Disable UI extending from documents and templates (Publisher)",Registry,,HKCU:\software\policies\microsoft\office\16.0\common\toolbars\publisher,noextensibilitycustomizationfromdocument,,,,,1,=,Medium +5053,"Office 2016 / Office 365","Global Options: Disable UI extending from documents and templates (Visio)",Registry,,HKCU:\software\policies\microsoft\office\16.0\common\toolbars\visio,noextensibilitycustomizationfromdocument,,,,,0,=,Medium +5054,"Office 2016 / Office 365","Global Options: Disable UI extending from documents and templates (Word)",Registry,,HKCU:\software\policies\microsoft\office\16.0\common\toolbars\word,noextensibilitycustomizationfromdocument,,,,,1,=,Medium +5070,"Office 2016 / Office 365","Security Settings: ActiveX Control Initialization",Registry,,HKCU:\software\policies\microsoft\office\common\security,uficontrols,,,,,6,=,Medium +5210,"Office 2016 / Office 365","Security Settings: Allow VBA to load typelib references by path from untrusted intranet locations",Registry,,HKCU:\software\policies\microsoft\vba\security,allowvbaintranetreferences,,,,,0,=,Medium +5071,"Office 2016 / Office 365","Security Settings: Automation Security",Registry,,HKCU:\software\policies\microsoft\office\common\security,automationsecurity,,,,,2,=,Medium +5211,"Office 2016 / Office 365","Security Settings: Control how Office handles form-based sign-in prompts",Registry,,HKCU:\software\policies\microsoft\office\16.0\common,fbabehavior,,,,,1,=,Medium +5212,"Office 2016 / Office 365","Security Settings: Control how Office handles form-based sign-in prompts (Hosts)",Registry,,HKCU:\software\policies\microsoft\office\16.0\common,fbaenabledhosts,,,,," ",=,Medium +5213,"Office 2016 / Office 365","Security Settings: Disable additional security checks on VBA library references that may refer to unsafe locations on the local machine",Registry,,HKCU:\software\policies\microsoft\vba\security,disablestrictvbarefssecurity,,,,,0,=,Medium +5072,"Office 2016 / Office 365","Security Settings: Disable all Trust Bar notifications for security issues",Registry,,HKCU:\software\policies\microsoft\office\16.0\common\trustcenter,trustbar,,,,,0,=,Medium +5073,"Office 2016 / Office 365","Security Settings: Encryption type for password protected Office 97-2003 files",Registry,,HKCU:\software\policies\microsoft\office\16.0\common\security,defaultencryption12,,,,,"Microsoft Enhanced RSA and AES Cryptographic Provider,AES 256,256",=,Medium +5074,"Office 2016 / Office 365","Security Settings: Encryption type for password protected Office Open XML files",Registry,,HKCU:\software\policies\microsoft\office\16.0\common\security,openxmlencryption,,,,,"Microsoft Enhanced RSA and AES Cryptographic Provider,AES 256,256",=,Medium +5075,"Office 2016 / Office 365","Security Settings: Load Controls in Forms3",Registry,,HKCU:\software\policies\microsoft\vba\security,loadcontrolsinforms,,,,,1,=,Medium +5214,"Office 2016 / Office 365","Security Settings: Macro Runtime Scan Scope",Registry,,HKCU:\software\policies\microsoft\office\16.0\common\security,macroruntimescanscope,,,,,2,=,Medium +5077,"Office 2016 / Office 365","Security Settings: Protect document metadata for rights managed Office Open XML Files",Registry,,HKCU:\software\policies\microsoft\office\16.0\common\security,drmencryptproperty,,,,,1,=,Medium +5078,"Office 2016 / Office 365","Security Settings: Allow mix of policy and user locations",Registry,,"HKCU:\software\policies\microsoft\office\16.0\common\security\trusted locations","allow user locations",,,,,0,=,Medium +5079,"Office 2016 / Office 365","Security Settings: Disable the Office client from polling the SharePoint Server for published links",Registry,,HKCU:\software\policies\microsoft\office\16.0\common\portal,linkpublishingdisabled,,,,,1,=,Medium +5080,"Office 2016 / Office 365","Security Settings: Disable Smart Document's use of manifests",Registry,,"HKCU:\software\policies\microsoft\office\common\smart tag",neverloadmanifests,,,,,1,=,Medium +5090,"Office 2016 / Office 365","Microsoft Outlook: Authentication with Exchange Server",Registry,,HKCU:\software\policies\microsoft\office\16.0\outlook\security,authenticationservice,,,,,16,=,Medium +5091,"Office 2016 / Office 365","Microsoft Outlook: Enable RPC encryption",Registry,,HKCU:\software\policies\microsoft\office\16.0\outlook\rpc,enablerpcencryption,,,,,1,=,Medium +5092,"Office 2016 / Office 365","Microsoft Outlook: Do not allow Outlook object model scripts to run for public folders",Registry,,HKCU:\software\policies\microsoft\office\16.0\outlook\security,publicfolderscript,,,,,0,=,Medium +5093,"Office 2016 / Office 365","Microsoft Outlook: Do not allow Outlook object model scripts to run for shared folders",Registry,,HKCU:\software\policies\microsoft\office\16.0\outlook\security,sharedfolderscript,,,,,0,=,Medium +5094,"Office 2016 / Office 365","Microsoft Outlook: Use Unicode format when dragging e-mail message to file system",Registry,,HKCU:\software\policies\microsoft\office\16.0\outlook\options\general,msgformat,,,,,0,=,Medium +5096,"Office 2016 / Office 365","Microsoft Outlook: Allow Active X One Off Forms",Registry,,HKCU:\software\policies\microsoft\office\16.0\outlook\security,allowactivexoneoffforms,,,,,0,=,Medium +5097,"Office 2016 / Office 365","Microsoft Outlook: Prevent users from customizing attachment security settings",Registry,,HKCU:\software\policies\microsoft\office\16.0\outlook,disallowattachmentcustomization,,,,,1,=,Medium +5098,"Office 2016 / Office 365","Microsoft Outlook: Include Internet in Safe Zones for Automatic Picture Download",Registry,,HKCU:\software\policies\microsoft\office\16.0\outlook\options\mail,internet,,,,,0,=,Medium +5100,"Office 2016 / Office 365","Microsoft Outlook: Minimum encryption settings",Registry,,HKCU:\software\policies\microsoft\office\16.0\outlook\security,minenckey,,,,,168,=,Medium +5101,"Office 2016 / Office 365","Microsoft Outlook: Signature Warning",Registry,,HKCU:\software\policies\microsoft\office\16.0\outlook\security,warnaboutinvalid,,,,,1,=,Medium +5102,"Office 2016 / Office 365","Microsoft Outlook: Retrieving CRLs (Certificate Revocation Lists)",Registry,,HKCU:\software\policies\microsoft\office\16.0\outlook\security,usecrlchasing,,,,,1,=,Medium +5103,"Office 2016 / Office 365","Microsoft Outlook: Outlook Security Mode",Registry,,HKCU:\software\policies\microsoft\office\16.0\outlook\security,adminsecuritymode,,,,,3,=,Medium +5104,"Office 2016 / Office 365","Microsoft Outlook: Allow users to demote attachments to Level 2",Registry,,HKCU:\software\policies\microsoft\office\16.0\outlook\security,allowuserstolowerattachments,,,,,0,=,Medium +5105,"Office 2016 / Office 365","Microsoft Outlook: Display Level 1 attachments",Registry,,HKCU:\software\policies\microsoft\office\16.0\outlook\security,showlevel1attach,,,,,0,=,Medium +5106,"Office 2016 / Office 365","Microsoft Outlook: Remove file extensions blocked as Level 1",Registry,,HKCU:\software\policies\microsoft\office\16.0\outlook\security,fileextensionsremovelevel1,,,,,;,=,Medium +5107,"Office 2016 / Office 365","Microsoft Outlook: Remove file extensions blocked as Level 2",Registry,,HKCU:\software\policies\microsoft\office\16.0\outlook\security,fileextensionsremovelevel2,,,,,;,=,Medium +5108,"Office 2016 / Office 365","Microsoft Outlook: Allow scripts in one-off Outlook forms",Registry,,HKCU:\software\policies\microsoft\office\16.0\outlook\security,enableoneoffformscripts,,,,,0,=,Medium +5109,"Office 2016 / Office 365","Microsoft Outlook: Set Outlook object model custom actions execution prompt",Registry,,HKCU:\software\policies\microsoft\office\16.0\outlook\security,promptoomcustomaction,,,,,0,=,Medium +5110,"Office 2016 / Office 365","Microsoft Outlook: Configure Outlook object model prompt when accessing an address book",Registry,,HKCU:\software\policies\microsoft\office\16.0\outlook\security,promptoomaddressbookaccess,,,,,0,=,Medium +5111,"Office 2016 / Office 365","Microsoft Outlook: Configure Outlook object model prompt when accessing the Formula property of a UserProperty object",Registry,,HKCU:\software\policies\microsoft\office\16.0\outlook\security,promptoomformulaaccess,,,,,0,=,Medium +5112,"Office 2016 / Office 365","Microsoft Outlook: Configure Outlook object model prompt when executing Save As",Registry,,HKCU:\software\policies\microsoft\office\16.0\outlook\security,promptoomsaveas,,,,,0,=,Medium +5113,"Office 2016 / Office 365","Microsoft Outlook: Configure Outlook object model prompt when reading address information",Registry,,HKCU:\software\policies\microsoft\office\16.0\outlook\security,promptoomaddressinformationaccess,,,,,0,=,Medium +5114,"Office 2016 / Office 365","Microsoft Outlook: Configure Outlook object model prompt when responding to meeting and task requests",Registry,,HKCU:\software\policies\microsoft\office\16.0\outlook\security,promptoommeetingtaskrequestresponse,,,,,0,=,Medium +5115,"Office 2016 / Office 365","Microsoft Outlook: Configure Outlook object model prompt when sending mail",Registry,,HKCU:\software\policies\microsoft\office\16.0\outlook\security,promptoomsend,,,,,0,=,Medium +5116,"Office 2016 / Office 365","Microsoft Outlook: Allow hyperlinks in suspected phishing e-mail messages",Registry,,HKCU:\software\policies\microsoft\office\16.0\outlook\options\mail,junkmailenablelinks,,,,,0,=,Medium +5117,"Office 2016 / Office 365","Microsoft Outlook: Security setting for macros",Registry,,HKCU:\software\policies\microsoft\office\16.0\outlook\security,level,,,,,3,=,Medium +5130,"Office 2016 / Office 365","Microsoft PowerPoint: Run Programs",Registry,,HKCU:\software\policies\microsoft\office\16.0\powerpoint\security,runprograms,,,,,0,=,Medium +5131,"Office 2016 / Office 365","Microsoft PowerPoint: Scan encrypted macros in PowerPoint Open XML presentations",Registry,,HKCU:\software\policies\microsoft\office\16.0\powerpoint\security,powerpointbypassencryptedmacroscan,,,,,0,=,Medium +5132,"Office 2016 / Office 365","Microsoft PowerPoint: Turn off file validation",Registry,,HKCU:\software\policies\microsoft\office\16.0\powerpoint\security\filevalidation,enableonload,,,,,1,=,Medium +5133,"Office 2016 / Office 365","Microsoft PowerPoint: Block macros from running in Office files from the Internet",Registry,,HKCU:\Software\Policies\Microsoft\Office\16.0\PowerPoint\Security,blockcontentexecutionfrominternet,,,,0,1,=,Medium +5134,"Office 2016 / Office 365","Microsoft PowerPoint: Disable Trust Bar Notification for unsigned application add-ins and block them",Registry,,HKCU:\software\policies\microsoft\office\16.0\powerpoint\security,notbpromptunsignedaddin,,,,,1,=,Medium +5223,"Office 2016 / Office 365","Microsoft PowerPoint: Require that application add-ins are signed by Trusted Publisher",Registry,,HKCU:\software\policies\microsoft\office\16.0\powerpoint\security,requireaddinsig,,,,,1,=,Medium +5135,"Office 2016 / Office 365","Microsoft PowerPoint: VBA Macro Notification Settings (Policy)",Registry,,HKCU:\Software\Policies\Microsoft\Office\16.0\PowerPoint\Security,vbawarnings,,,,2,3,>=,Medium +5225,"Office 2016 / Office 365","Microsoft PowerPoint: VBA Macro Notification Settings (Policy) - Require macros to be signed by a trusted publisher",Registry,,HKCU:\Software\Policies\Microsoft\Office\16.0\PowerPoint\Security,vbadigsigtrustedpublishers,,,,,1,=,Medium +5136,"Office 2016 / Office 365","Microsoft PowerPoint: PowerPoint 97-2003 presentations, shows, templates and add-in files",Registry,,HKCU:\software\policies\microsoft\office\16.0\powerpoint\security\fileblock,binaryfiles,,,,,2,=,Medium +5137,"Office 2016 / Office 365","Microsoft PowerPoint: Set default file block behavior",Registry,,HKCU:\software\policies\microsoft\office\16.0\powerpoint\security\fileblock,openinprotectedview,,,,,0,=,Medium +5138,"Office 2016 / Office 365","Microsoft PowerPoint: Do not open files from the Internet zone in Protected View",Registry,,HKCU:\software\policies\microsoft\office\16.0\powerpoint\security\protectedview,disableinternetfilesinpv,,,,,0,=,Medium +5139,"Office 2016 / Office 365","Microsoft PowerPoint: Do not open files in unsafe locations in Protected View",Registry,,HKCU:\software\policies\microsoft\office\16.0\powerpoint\security\protectedview,disableunsafelocationsinpv,,,,,0,=,Medium +5140,"Office 2016 / Office 365","Microsoft PowerPoint: Set document behavior if file validation fails (Open in Protected View)",Registry,,HKCU:\software\policies\microsoft\office\16.0\powerpoint\security\filevalidation,disableeditfrompv,,,,,1,=,Medium +5141,"Office 2016 / Office 365","Microsoft PowerPoint: Set document behavior if file validation fails (Allow edit in Protected View)",Registry,,HKCU:\software\policies\microsoft\office\16.0\powerpoint\security\filevalidation,openinprotectedview,,,,,1,=,Medium +5142,"Office 2016 / Office 365","Microsoft PowerPoint: Turn off Protected View for attachments opened from Outlook",Registry,,HKCU:\software\policies\microsoft\office\16.0\powerpoint\security\protectedview,disableattachmentsinpv,,,,,0,=,Medium +5143,"Office 2016 / Office 365","Microsoft PowerPoint: Allow Trusted Locations on the network",Registry,,"HKCU:\software\policies\microsoft\office\16.0\powerpoint\security\trusted locations",allownetworklocations,,,,,0,=,Medium +5150,"Office 2016 / Office 365","Microsoft Project: Allow Trusted Locations on the network",Registry,,"HKCU:\software\policies\microsoft\office\16.0\ms project\security\trusted locations",allownetworklocations,,,,,0,=,Medium +5151,"Office 2016 / Office 365","Microsoft Project: Disable Trust Bar Notification for unsigned application add-ins and block them",Registry,,"HKCU:\software\policies\microsoft\office\16.0\ms project\security",notbpromptunsignedaddin,,,,,1,=,Medium +5217,"Office 2016 / Office 365","Microsoft Project: Require that application add-ins are signed by Trusted Publisher",Registry,,"HKCU:\software\policies\microsoft\office\16.0\ms project\security",requireaddinsig,,,,,1,=,Medium +5152,"Office 2016 / Office 365","Microsoft Project: VBA Macro Notification Settings (Policy)",Registry,,"HKCU:\software\policies\microsoft\office\16.0\ms project\security",vbawarnings,,,,2,3,>=,Medium +5228,"Office 2016 / Office 365","Microsoft Project: VBA Macro Notification Settings (Policy) - Require macros to be signed by a trusted publisher",Registry,,"HKCU:\software\policies\microsoft\office\16.0\ms project\security",vbadigsigtrustedpublishers,,,,,1,=,Medium +5160,"Office 2016 / Office 365","Microsoft Publisher: Publisher Automation Security Level",Registry,,HKCU:\software\policies\microsoft\office\common\security,automationsecuritypublisher,,,,,2,=,Medium +5161,"Office 2016 / Office 365","Microsoft Publisher: Disable Trust Bar Notification for unsigned application add-ins",Registry,,HKCU:\software\policies\microsoft\office\16.0\publisher\security,notbpromptunsignedaddin,,,,,1,=,Medium +5218,"Office 2016 / Office 365","Microsoft Publisher: Require that application add-ins are signed by Trusted Publisher",Registry,,HKCU:\software\policies\microsoft\office\16.0\publisher\security,requireaddinsig,,,,,1,=,Medium +5162,"Office 2016 / Office 365","Microsoft Publisher: VBA Macro Notification Settings (Policy)",Registry,,HKCU:\software\policies\microsoft\office\16.0\publisher\security,vbawarnings,,,,2,3,>=,Medium +5229,"Office 2016 / Office 365","Microsoft Publisher: VBA Macro Notification Settings (Policy) - Require macros to be signed by a trusted publisher",Registry,,HKCU:\software\policies\microsoft\office\16.0\publisher\security,vbadigsigtrustedpublishers,,,,,1,=,Medium +5170,"Office 2016 / Office 365","Microsoft Visio: Allow Trusted Locations on the network",Registry,,"HKCU:\software\policies\microsoft\office\16.0\visio\security\trusted locations",allownetworklocations,,,,,0,=,Medium +5171,"Office 2016 / Office 365","Microsoft Visio: Block macros from running in Office files from the Internet",Registry,,HKCU:\software\policies\microsoft\office\16.0\visio\security,blockcontentexecutionfrominternet,,,,,1,=,Medium +5172,"Office 2016 / Office 365","Microsoft Visio: Disable Trust Bar Notification for unsigned application add-ins and block them",Registry,,HKCU:\software\policies\microsoft\office\16.0\visio\security,notbpromptunsignedaddin,,,,,1,=,Medium +5219,"Office 2016 / Office 365","Microsoft Visio: Require that application add-ins are signed by Trusted Publisher",Registry,,HKCU:\software\policies\microsoft\office\16.0\visio\security,requireaddinsig,,,,,1,=,Medium +5173,"Office 2016 / Office 365","Microsoft Visio: VBA Macro Notification Settings (Policy)",Registry,,HKCU:\software\policies\microsoft\office\16.0\visio\security,vbawarnings,,,,2,3,>=,Medium +5230,"Office 2016 / Office 365","Microsoft Visio: VBA Macro Notification Settings (Policy) - Require macros to be signed by a trusted publisher",Registry,,HKCU:\software\policies\microsoft\office\16.0\visio\security,vbadigsigtrustedpublishers,,,,,1,=,Medium +5174,"Office 2016 / Office 365","Microsoft Visio: File Block Settings: Visio 2000-2002 Binary Drawings, Templates and Stencils",Registry,,HKCU:\software\policies\microsoft\office\16.0\visio\security\fileblock,visio2000files,,,,,2,=,Medium +5175,"Office 2016 / Office 365","Microsoft Visio: File Block Settings: Visio 2003-2010 Binary Drawings, Templates and Stencils",Registry,,HKCU:\software\policies\microsoft\office\16.0\visio\security\fileblock,visio2003files,,,,,2,=,Medium +5176,"Office 2016 / Office 365","Microsoft Visio: File Block Settings: Visio 5.0 or earlier Binary Drawings, Templates and Stencils",Registry,,HKCU:\software\policies\microsoft\office\16.0\visio\security\fileblock,visio50andearlierfiles,,,,,2,=,Medium +5190,"Office 2016 / Office 365","Microsoft Word: Turn off file validation",Registry,,HKCU:\software\policies\microsoft\office\16.0\word\security\filevalidation,enableonload,,,,,1,=,Medium +5191,"Office 2016 / Office 365","Microsoft Word: Block macros from running in Office files from the Internet",Registry,,HKCU:\Software\Policies\Microsoft\Office\16.0\Word\Security,blockcontentexecutionfrominternet,,,,0,1,=,Medium +5192,"Office 2016 / Office 365","Microsoft Word: Disable Trust Bar Notification for unsigned application add-ins and block them",Registry,,HKCU:\software\policies\microsoft\office\16.0\word\security,notbpromptunsignedaddin,,,,,1,=,Medium +5220,"Office 2016 / Office 365","Microsoft Word: Dynamic Data Exchange",Registry,,HKCU:\software\policies\microsoft\office\16.0\word\security,allowdde,,,,,0,=,Medium +5221,"Office 2016 / Office 365","Microsoft Word: Require that application add-ins are signed by Trusted Publisher",Registry,,HKCU:\software\policies\microsoft\office\16.0\word\security,requireaddinsig,,,,,1,=,Medium +5193,"Office 2016 / Office 365","Microsoft Word: Scan encrypted macros in Word Open XML documents",Registry,,HKCU:\software\policies\microsoft\office\16.0\word\security,wordbypassencryptedmacroscan,,,,,0,=,Medium +5194,"Office 2016 / Office 365","Microsoft Word: VBA Macro Notification Settings (Policy)",Registry,,HKCU:\Software\Policies\Microsoft\Office\16.0\Word\Security,vbawarnings,,,,2,3,>=,Medium +5226,"Office 2016 / Office 365","Microsoft Word: VBA Macro Notification Settings (Policy) - Require macros to be signed by a trusted publisher",Registry,,HKCU:\Software\Policies\Microsoft\Office\16.0\Word\Security,vbadigsigtrustedpublishers,,,,,1,=,Medium +5195,"Office 2016 / Office 365","Microsoft Word: File Block Settings: Set default file block behavior",Registry,,HKCU:\software\policies\microsoft\office\16.0\word\security\fileblock,openinprotectedview,,,,,0,=,Medium +5196,"Office 2016 / Office 365","Microsoft Word: File Block Settings: Word 2 and earlier binary documents and templates",Registry,,HKCU:\software\policies\microsoft\office\16.0\word\security\fileblock,word2files,,,,,2,=,Medium +5197,"Office 2016 / Office 365","Microsoft Word: File Block Settings: Word 2000 binary documents and templates",Registry,,HKCU:\software\policies\microsoft\office\16.0\word\security\fileblock,word2000files,,,,,2,=,Medium +5198,"Office 2016 / Office 365","Microsoft Word: File Block Settings: Word 2003 binary documents and templates",Registry,,HKCU:\software\policies\microsoft\office\16.0\word\security\fileblock,word2003files,,,,,2,=,Medium +5199,"Office 2016 / Office 365","Microsoft Word: File Block Settings: Word 2007 and later binary documents and templates",Registry,,HKCU:\software\policies\microsoft\office\16.0\word\security\fileblock,word2007files,,,,,2,=,Medium +5200,"Office 2016 / Office 365","Microsoft Word: File Block Settings: Word 6.0 binary documents and templates",Registry,,HKCU:\software\policies\microsoft\office\16.0\word\security\fileblock,word60files,,,,,2,=,Medium +5201,"Office 2016 / Office 365","Microsoft Word: File Block Settings: Word 95 binary documents and templates",Registry,,HKCU:\software\policies\microsoft\office\16.0\word\security\fileblock,word95files,,,,,2,=,Medium +5202,"Office 2016 / Office 365","Microsoft Word: File Block Settings: Word 97 binary documents and templates",Registry,,HKCU:\software\policies\microsoft\office\16.0\word\security\fileblock,word97files,,,,,2,=,Medium +5203,"Office 2016 / Office 365","Microsoft Word: File Block Settings: Word XP binary documents and templates",Registry,,HKCU:\software\policies\microsoft\office\16.0\word\security\fileblock,wordxpfiles,,,,,2,=,Medium +5204,"Office 2016 / Office 365","Microsoft Word: Do not open files from the Internet zone in Protected View",Registry,,HKCU:\software\policies\microsoft\office\16.0\word\security\protectedview,disableinternetfilesinpv,,,,,0,=,Medium +5205,"Office 2016 / Office 365","Microsoft Word: Do not open files in unsafe locations in Protected View",Registry,,HKCU:\software\policies\microsoft\office\16.0\word\security\protectedview,disableunsafelocationsinpv,,,,,0,=,Medium +5206,"Office 2016 / Office 365","Microsoft Word: Set document behavior if file validation fails (Open in Protected View)",Registry,,HKCU:\software\policies\microsoft\office\16.0\word\security\filevalidation,disableeditfrompv,,,,,1,=,Medium +5207,"Office 2016 / Office 365","Microsoft Word: Set document behavior if file validation fails (Allow edit in Protected View)",Registry,,HKCU:\software\policies\microsoft\office\16.0\word\security\filevalidation,openinprotectedview,,,,,1,=,Medium +5208,"Office 2016 / Office 365","Microsoft Word: Turn off Protected View for attachments opened from Outlook",Registry,,HKCU:\software\policies\microsoft\office\16.0\word\security\protectedview,disableattachmentsinpv,,,,,0,=,Medium +5209,"Office 2016 / Office 365","Microsoft Word: Allow Trusted Locations on the network",Registry,,"HKCU:\software\policies\microsoft\office\16.0\word\security\trusted locations",allownetworklocations,,,,,0,=,Medium diff --git a/lists/finding_list_msft_security_baseline_windows_10_2004_machine.csv b/lists/finding_list_msft_security_baseline_windows_10_2004_machine.csv index f2bacd8..a963db5 100644 --- a/lists/finding_list_msft_security_baseline_windows_10_2004_machine.csv +++ b/lists/finding_list_msft_security_baseline_windows_10_2004_machine.csv @@ -128,7 +128,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 10543,"Windows Firewall","Log successful connections (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging,LogSuccessfulConnections,,,,0,1,=,Low 10544,"Windows Firewall","Log successful connections (Public Profile)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging,LogSuccessfulConnections,,,,0,1,=,Low 10600,"Administrative Templates: Control Panel","Personalization: Prevent enabling lock screen camera",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Personalization,NoLockScreenCamera,,,,0,1,=,Low -10601,"Administrative Templates: Control Panel","Personalization: Prevent enabling lock screen slide",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Personalization,NoLockScreenSlideshow,,,,0,1,=,Low +10601,"Administrative Templates: Control Panel","Personalization: Prevent enabling lock screen slide show",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Personalization,NoLockScreenSlideshow,,,,0,1,=,Low 10610,"Administrative Templates: LAPS","Enable local admin password management",Registry,,"HKLM:\Software\Policies\Microsoft Services\AdmPwd",AdmPwdEnabled,,,,,1,=,Medium 10620,"MS Security Guide","Apply UAC restrictions to local accounts on network logons",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,LocalAccountTokenFilterPolicy,,,,,0,=,Medium 10621,"MS Security Guide","Configure SMB v1 client driver",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\MrxSmb10,Start,,,,,4,=,Medium @@ -187,9 +187,9 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 10759,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Removable Data Drives: Do not allow write access to devices configured in another organization",Registry,,HKLM:\Software\Policies\Microsoft\FVE,RDVDenyCrossOrg,,,,,0,=,Medium 10760,"Administrative Templates: Windows Components","Cloud Content: Turn off Microsoft consumer experiences",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CloudContent,DisableWindowsConsumerFeatures,,,,0,1,=,Medium 10762,"Administrative Templates: Windows Components","Credential User Interface: Enumerate administrator accounts on elevation",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI,EnumerateAdministrators,,,,1,0,=,Medium -10763,"Administrative Templates: Windows Components","Event Log Service: Specify the maximum Application log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Application,MaxSize,,,,4096,32768,>=,Medium -10764,"Administrative Templates: Windows Components","Event Log Service: Specify the maximum Security log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Security,MaxSize,,,,4096,196608,>=,Medium -10765,"Administrative Templates: Windows Components","Event Log Service: Specify the maximum System log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\System,MaxSize,,,,4096,32768,>=,Medium +10763,"Administrative Templates: Windows Components","Event Log Service: Application: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Application,MaxSize,,,,4096,32768,>=,Medium +10764,"Administrative Templates: Windows Components","Event Log Service: Security: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Security,MaxSize,,,,4096,196608,>=,Medium +10765,"Administrative Templates: Windows Components","Event Log Service: System: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\System,MaxSize,,,,4096,32768,>=,Medium 10766,"Administrative Templates: Windows Components","File Explorer: Configure Windows Defender SmartScreen",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,EnableSmartScreen,,,,1,1,=,Medium 10767,"Administrative Templates: Windows Components","File Explorer: Configure Windows Defender SmartScreen to warn and prevent bypass",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,ShellSmartScreenLevel,,,,Warn,Block,=,Medium 10800,"Internet Explorer","Prevent bypassing SmartScreen Filter warnings",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\PhishingFilter",PreventOverride,,,,,1,=,Medium @@ -343,20 +343,20 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 10977,"Microsoft Defender Exploit Guard","Attack Surface Reduction rules",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR",ExploitGuard_ASR_Rules,,,,0,1,=,Medium 10978,"Microsoft Defender Exploit Guard","ASR: Block executable content from email client and webmail (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",be9ba2d9-53ea-4cdc-84e5-9b1eeee46550,,,,0,1,=,Medium 11028,"Microsoft Defender Exploit Guard","ASR: Block executable content from email client and webmail",MpPreferenceAsr,be9ba2d9-53ea-4cdc-84e5-9b1eeee46550,,,,,,0,1,=,Medium -10979,"Microsoft Defender Exploit Guard","ASR: Block Office applications from creating child processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",d4f940ab-401b-4efc-aadc-ad5f3c50688a,,,,0,1,=,Medium -11014,"Microsoft Defender Exploit Guard","ASR: Block Office applications from creating child processes",MpPreferenceAsr,d4f940ab-401b-4efc-aadc-ad5f3c50688a,,,,,,0,1,=,Medium +10979,"Microsoft Defender Exploit Guard","ASR: Block all Office applications from creating child processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",d4f940ab-401b-4efc-aadc-ad5f3c50688a,,,,0,1,=,Medium +11014,"Microsoft Defender Exploit Guard","ASR: Block all Office applications from creating child processes",MpPreferenceAsr,d4f940ab-401b-4efc-aadc-ad5f3c50688a,,,,,,0,1,=,Medium 10980,"Microsoft Defender Exploit Guard","ASR: Block Office applications from creating executable content (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",3b576869-a4ec-4529-8536-b80a7769e899,,,,0,1,=,Medium 11015,"Microsoft Defender Exploit Guard","ASR: Block Office applications from creating executable content",MpPreferenceAsr,3b576869-a4ec-4529-8536-b80a7769e899,,,,,,0,1,=,Medium -10981,"Microsoft Defender Exploit Guard","ASR: Block Office applications from injecting into other processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84,,,,0,1,=,Medium -11016,"Microsoft Defender Exploit Guard","ASR: Block Office applications from injecting into other processes",MpPreferenceAsr,75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84,,,,,,0,1,=,Medium +10981,"Microsoft Defender Exploit Guard","ASR: Block Office applications from injecting code into other processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84,,,,0,1,=,Medium +11016,"Microsoft Defender Exploit Guard","ASR: Block Office applications from injecting code into other processes",MpPreferenceAsr,75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84,,,,,,0,1,=,Medium 10982,"Microsoft Defender Exploit Guard","ASR: Block JavaScript or VBScript from launching downloaded executable content (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",d3e037e1-3eb8-44c8-a917-57927947596d,,,,0,1,=,Medium 11017,"Microsoft Defender Exploit Guard","ASR: Block JavaScript or VBScript from launching downloaded executable content",MpPreferenceAsr,d3e037e1-3eb8-44c8-a917-57927947596d,,,,,,0,1,=,Medium 10983,"Microsoft Defender Exploit Guard","ASR: Block execution of potentially obfuscated scripts (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",5beb7efe-fd9a-4556-801d-275e5ffc04cc,,,,0,1,=,Medium 11018,"Microsoft Defender Exploit Guard","ASR: Block execution of potentially obfuscated scripts",MpPreferenceAsr,5beb7efe-fd9a-4556-801d-275e5ffc04cc,,,,,,0,1,=,Medium -10984,"Microsoft Defender Exploit Guard","ASR: Block Win32 imports from Macro code in Office (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b,,,,0,1,=,Medium -11019,"Microsoft Defender Exploit Guard","ASR: Block Win32 imports from Macro code in Office",MpPreferenceAsr,92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b,,,,,,0,1,=,Medium -10985,"Microsoft Defender Exploit Guard","ASR: Block executable files from running unless they meet a prevalence, age, or trusted list criteria (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",01443614-cd74-433a-b99e-2ecdc07bfc25,,,,0,0,=,Low -11020,"Microsoft Defender Exploit Guard","ASR: Block executable files from running unless they meet a prevalence, age, or trusted list criteria",MpPreferenceAsr,01443614-cd74-433a-b99e-2ecdc07bfc25,,,,,,0,0,=,Low +10984,"Microsoft Defender Exploit Guard","ASR: Block Win32 API calls from Office macros (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b,,,,0,1,=,Medium +11019,"Microsoft Defender Exploit Guard","ASR: Block Win32 API calls from Office macros",MpPreferenceAsr,92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b,,,,,,0,1,=,Medium +10985,"Microsoft Defender Exploit Guard","ASR: Block executable files from running unless they meet a prevalence, age, or trusted list criterion (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",01443614-cd74-433a-b99e-2ecdc07bfc25,,,,0,0,=,Low +11020,"Microsoft Defender Exploit Guard","ASR: Block executable files from running unless they meet a prevalence, age, or trusted list criterion",MpPreferenceAsr,01443614-cd74-433a-b99e-2ecdc07bfc25,,,,,,0,0,=,Low 10986,"Microsoft Defender Exploit Guard","ASR: Use advanced protection against ransomware (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",c1db55ab-c21a-4637-bb3f-a12568109d35,,,,0,0,=,Low 11021,"Microsoft Defender Exploit Guard","ASR: Use advanced protection against ransomware",MpPreferenceAsr,c1db55ab-c21a-4637-bb3f-a12568109d35,,,,,,0,0,=,Low 10987,"Microsoft Defender Exploit Guard","ASR: Block credential stealing from the Windows local security authority subsystem (lsass.exe) (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2,,,,0,1,=,Medium @@ -365,8 +365,8 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 11023,"Microsoft Defender Exploit Guard","ASR: Block process creations originating from PSExec and WMI commands",MpPreferenceAsr,d1e49aac-8f56-4280-b9ba-993a6d77406c,,,,,,0,0,=,Low 10989,"Microsoft Defender Exploit Guard","ASR: Block untrusted and unsigned processes that run from USB (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4,,,,0,1,=,Medium 11024,"Microsoft Defender Exploit Guard","ASR: Block untrusted and unsigned processes that run from USB",MpPreferenceAsr,b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4,,,,,,0,1,=,Medium -10990,"Microsoft Defender Exploit Guard","ASR: Block Office communication applications from creating child processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",26190899-1602-49e8-8b27-eb1d0a1ce869,,,,0,1,=,Medium -11025,"Microsoft Defender Exploit Guard","ASR: Block Office communication applications from creating child processes",MpPreferenceAsr,26190899-1602-49e8-8b27-eb1d0a1ce869,,,,,,0,1,=,Medium +10990,"Microsoft Defender Exploit Guard","ASR: Block Office communication application from creating child processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",26190899-1602-49e8-8b27-eb1d0a1ce869,,,,0,1,=,Medium +11025,"Microsoft Defender Exploit Guard","ASR: Block Office communication application from creating child processes",MpPreferenceAsr,26190899-1602-49e8-8b27-eb1d0a1ce869,,,,,,0,1,=,Medium 10991,"Microsoft Defender Exploit Guard","ASR: Block Adobe Reader from creating child processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c,,,,0,1,=,Medium 11026,"Microsoft Defender Exploit Guard","ASR: Block Adobe Reader from creating child processes",MpPreferenceAsr,7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c,,,,,,0,1,=,Medium 10992,"Microsoft Defender Exploit Guard","ASR: Block persistence through WMI event subscription (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",e6db77e5-3df2-4cf1-b95a-636979351e5b,,,,0,0,=,Low diff --git a/lists/finding_list_msft_security_baseline_windows_10_20h2_21h1_machine.csv b/lists/finding_list_msft_security_baseline_windows_10_20h2_21h1_machine.csv index 7d3d2c1..a8bc5a5 100644 --- a/lists/finding_list_msft_security_baseline_windows_10_20h2_21h1_machine.csv +++ b/lists/finding_list_msft_security_baseline_windows_10_20h2_21h1_machine.csv @@ -128,7 +128,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 10543,"Windows Firewall","Log successful connections (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging,LogSuccessfulConnections,,,,0,1,=,Low 10544,"Windows Firewall","Log successful connections (Public Profile)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging,LogSuccessfulConnections,,,,0,1,=,Low 10600,"Administrative Templates: Control Panel","Personalization: Prevent enabling lock screen camera",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Personalization,NoLockScreenCamera,,,,0,1,=,Low -10601,"Administrative Templates: Control Panel","Personalization: Prevent enabling lock screen slide",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Personalization,NoLockScreenSlideshow,,,,0,1,=,Low +10601,"Administrative Templates: Control Panel","Personalization: Prevent enabling lock screen slide show",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Personalization,NoLockScreenSlideshow,,,,0,1,=,Low 10610,"Administrative Templates: LAPS","Enable local admin password management",Registry,,"HKLM:\Software\Policies\Microsoft Services\AdmPwd",AdmPwdEnabled,,,,,1,=,Medium 10620,"MS Security Guide","Apply UAC restrictions to local accounts on network logons",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,LocalAccountTokenFilterPolicy,,,,,0,=,Medium 10621,"MS Security Guide","Configure SMB v1 client driver",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\MrxSmb10,Start,,,,,4,=,Medium @@ -187,9 +187,9 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 10759,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Removable Data Drives: Do not allow write access to devices configured in another organization",Registry,,HKLM:\Software\Policies\Microsoft\FVE,RDVDenyCrossOrg,,,,,0,=,Medium 10760,"Administrative Templates: Windows Components","Cloud Content: Turn off Microsoft consumer experiences",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CloudContent,DisableWindowsConsumerFeatures,,,,0,1,=,Medium 10762,"Administrative Templates: Windows Components","Credential User Interface: Enumerate administrator accounts on elevation",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI,EnumerateAdministrators,,,,1,0,=,Medium -10763,"Administrative Templates: Windows Components","Event Log Service: Specify the maximum Application log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Application,MaxSize,,,,4096,32768,>=,Medium -10764,"Administrative Templates: Windows Components","Event Log Service: Specify the maximum Security log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Security,MaxSize,,,,4096,196608,>=,Medium -10765,"Administrative Templates: Windows Components","Event Log Service: Specify the maximum System log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\System,MaxSize,,,,4096,32768,>=,Medium +10763,"Administrative Templates: Windows Components","Event Log Service: Application: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Application,MaxSize,,,,4096,32768,>=,Medium +10764,"Administrative Templates: Windows Components","Event Log Service: Security: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Security,MaxSize,,,,4096,196608,>=,Medium +10765,"Administrative Templates: Windows Components","Event Log Service: System: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\System,MaxSize,,,,4096,32768,>=,Medium 10766,"Administrative Templates: Windows Components","File Explorer: Configure Windows Defender SmartScreen",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,EnableSmartScreen,,,,1,1,=,Medium 10767,"Administrative Templates: Windows Components","File Explorer: Configure Windows Defender SmartScreen to warn and prevent bypass",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,ShellSmartScreenLevel,,,,Warn,Block,=,Medium 10800,"Internet Explorer","Prevent bypassing SmartScreen Filter warnings",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\PhishingFilter",PreventOverride,,,,,1,=,Medium @@ -348,20 +348,20 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 10977,"Microsoft Defender Exploit Guard","Attack Surface Reduction rules",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR",ExploitGuard_ASR_Rules,,,,0,1,=,Medium 10978,"Microsoft Defender Exploit Guard","ASR: Block executable content from email client and webmail (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",be9ba2d9-53ea-4cdc-84e5-9b1eeee46550,,,,0,1,=,Medium 11028,"Microsoft Defender Exploit Guard","ASR: Block executable content from email client and webmail",MpPreferenceAsr,be9ba2d9-53ea-4cdc-84e5-9b1eeee46550,,,,,,0,1,=,Medium -10979,"Microsoft Defender Exploit Guard","ASR: Block Office applications from creating child processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",d4f940ab-401b-4efc-aadc-ad5f3c50688a,,,,0,1,=,Medium -11029,"Microsoft Defender Exploit Guard","ASR: Block Office applications from creating child processes",MpPreferenceAsr,d4f940ab-401b-4efc-aadc-ad5f3c50688a,,,,,,0,1,=,Medium +10979,"Microsoft Defender Exploit Guard","ASR: Block all Office applications from creating child processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",d4f940ab-401b-4efc-aadc-ad5f3c50688a,,,,0,1,=,Medium +11029,"Microsoft Defender Exploit Guard","ASR: Block all Office applications from creating child processes",MpPreferenceAsr,d4f940ab-401b-4efc-aadc-ad5f3c50688a,,,,,,0,1,=,Medium 10980,"Microsoft Defender Exploit Guard","ASR: Block Office applications from creating executable content (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",3b576869-a4ec-4529-8536-b80a7769e899,,,,0,1,=,Medium 11030,"Microsoft Defender Exploit Guard","ASR: Block Office applications from creating executable content",MpPreferenceAsr,3b576869-a4ec-4529-8536-b80a7769e899,,,,,,0,1,=,Medium -10981,"Microsoft Defender Exploit Guard","ASR: Block Office applications from injecting into other processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84,,,,0,1,=,Medium -11016,"Microsoft Defender Exploit Guard","ASR: Block Office applications from injecting into other processes",MpPreferenceAsr,75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84,,,,,,0,1,=,Medium +10981,"Microsoft Defender Exploit Guard","ASR: Block Office applications from injecting code into other processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84,,,,0,1,=,Medium +11016,"Microsoft Defender Exploit Guard","ASR: Block Office applications from injecting code into other processes",MpPreferenceAsr,75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84,,,,,,0,1,=,Medium 10982,"Microsoft Defender Exploit Guard","ASR: Block JavaScript or VBScript from launching downloaded executable content (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",d3e037e1-3eb8-44c8-a917-57927947596d,,,,0,1,=,Medium 11017,"Microsoft Defender Exploit Guard","ASR: Block JavaScript or VBScript from launching downloaded executable content",MpPreferenceAsr,d3e037e1-3eb8-44c8-a917-57927947596d,,,,,,0,1,=,Medium 10983,"Microsoft Defender Exploit Guard","ASR: Block execution of potentially obfuscated scripts (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",5beb7efe-fd9a-4556-801d-275e5ffc04cc,,,,0,1,=,Medium 11018,"Microsoft Defender Exploit Guard","ASR: Block execution of potentially obfuscated scripts",MpPreferenceAsr,5beb7efe-fd9a-4556-801d-275e5ffc04cc,,,,,,0,1,=,Medium -10984,"Microsoft Defender Exploit Guard","ASR: Block Win32 imports from Macro code in Office (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b,,,,0,1,=,Medium -11019,"Microsoft Defender Exploit Guard","ASR: Block Win32 imports from Macro code in Office",MpPreferenceAsr,92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b,,,,,,0,1,=,Medium -10985,"Microsoft Defender Exploit Guard","ASR: Block executable files from running unless they meet a prevalence, age, or trusted list criteria (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",01443614-cd74-433a-b99e-2ecdc07bfc25,,,,0,0,=,Low -11020,"Microsoft Defender Exploit Guard","ASR: Block executable files from running unless they meet a prevalence, age, or trusted list criteria",MpPreferenceAsr,01443614-cd74-433a-b99e-2ecdc07bfc25,,,,,,0,0,=,Low +10984,"Microsoft Defender Exploit Guard","ASR: Block Win32 API calls from Office macros (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b,,,,0,1,=,Medium +11019,"Microsoft Defender Exploit Guard","ASR: Block Win32 API calls from Office macros",MpPreferenceAsr,92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b,,,,,,0,1,=,Medium +10985,"Microsoft Defender Exploit Guard","ASR: Block executable files from running unless they meet a prevalence, age, or trusted list criterion (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",01443614-cd74-433a-b99e-2ecdc07bfc25,,,,0,0,=,Low +11020,"Microsoft Defender Exploit Guard","ASR: Block executable files from running unless they meet a prevalence, age, or trusted list criterion",MpPreferenceAsr,01443614-cd74-433a-b99e-2ecdc07bfc25,,,,,,0,0,=,Low 10986,"Microsoft Defender Exploit Guard","ASR: Use advanced protection against ransomware (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",c1db55ab-c21a-4637-bb3f-a12568109d35,,,,0,1,=,Medium 11021,"Microsoft Defender Exploit Guard","ASR: Use advanced protection against ransomware",MpPreferenceAsr,c1db55ab-c21a-4637-bb3f-a12568109d35,,,,,,0,1,=,Medium 10987,"Microsoft Defender Exploit Guard","ASR: Block credential stealing from the Windows local security authority subsystem (lsass.exe) (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2,,,,0,1,=,Medium @@ -370,8 +370,8 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 11023,"Microsoft Defender Exploit Guard","ASR: Block process creations originating from PSExec and WMI commands",MpPreferenceAsr,d1e49aac-8f56-4280-b9ba-993a6d77406c,,,,,,0,0,=,Low 10989,"Microsoft Defender Exploit Guard","ASR: Block untrusted and unsigned processes that run from USB (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4,,,,0,1,=,Medium 11024,"Microsoft Defender Exploit Guard","ASR: Block untrusted and unsigned processes that run from USB",MpPreferenceAsr,b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4,,,,,,0,1,=,Medium -10990,"Microsoft Defender Exploit Guard","ASR: Block Office communication applications from creating child processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",26190899-1602-49e8-8b27-eb1d0a1ce869,,,,0,1,=,Medium -11025,"Microsoft Defender Exploit Guard","ASR: Block Office communication applications from creating child processes",MpPreferenceAsr,26190899-1602-49e8-8b27-eb1d0a1ce869,,,,,,0,1,=,Medium +10990,"Microsoft Defender Exploit Guard","ASR: Block Office communication application from creating child processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",26190899-1602-49e8-8b27-eb1d0a1ce869,,,,0,1,=,Medium +11025,"Microsoft Defender Exploit Guard","ASR: Block Office communication application from creating child processes",MpPreferenceAsr,26190899-1602-49e8-8b27-eb1d0a1ce869,,,,,,0,1,=,Medium 10991,"Microsoft Defender Exploit Guard","ASR: Block Adobe Reader from creating child processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c,,,,0,1,=,Medium 11026,"Microsoft Defender Exploit Guard","ASR: Block Adobe Reader from creating child processes",MpPreferenceAsr,7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c,,,,,,0,1,=,Medium 10992,"Microsoft Defender Exploit Guard","ASR: Block persistence through WMI event subscription (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",e6db77e5-3df2-4cf1-b95a-636979351e5b,,,,0,1,=,Medium diff --git a/lists/finding_list_msft_security_baseline_windows_10_21h2_machine.csv b/lists/finding_list_msft_security_baseline_windows_10_21h2_machine.csv index 90f9566..8f2a74a 100644 --- a/lists/finding_list_msft_security_baseline_windows_10_21h2_machine.csv +++ b/lists/finding_list_msft_security_baseline_windows_10_21h2_machine.csv @@ -129,7 +129,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 10543,"Windows Firewall","Log successful connections (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging,LogSuccessfulConnections,,,,0,1,=,Low 10544,"Windows Firewall","Log successful connections (Public Profile)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging,LogSuccessfulConnections,,,,0,1,=,Low 10600,"Administrative Templates: Control Panel","Personalization: Prevent enabling lock screen camera",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Personalization,NoLockScreenCamera,,,,0,1,=,Low -10601,"Administrative Templates: Control Panel","Personalization: Prevent enabling lock screen slide",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Personalization,NoLockScreenSlideshow,,,,0,1,=,Low +10601,"Administrative Templates: Control Panel","Personalization: Prevent enabling lock screen slide show",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Personalization,NoLockScreenSlideshow,,,,0,1,=,Low 10610,"Administrative Templates: LAPS","Enable local admin password management",Registry,,"HKLM:\Software\Policies\Microsoft Services\AdmPwd",AdmPwdEnabled,,,,,1,=,Medium 10620,"MS Security Guide","Apply UAC restrictions to local accounts on network logons",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,LocalAccountTokenFilterPolicy,,,,,0,=,Medium 10621,"MS Security Guide","Configure SMB v1 client driver",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\MrxSmb10,Start,,,,,4,=,Medium @@ -189,9 +189,9 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 10759,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Removable Data Drives: Do not allow write access to devices configured in another organization",Registry,,HKLM:\Software\Policies\Microsoft\FVE,RDVDenyCrossOrg,,,,,0,=,Medium 10760,"Administrative Templates: Windows Components","Cloud Content: Turn off Microsoft consumer experiences",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CloudContent,DisableWindowsConsumerFeatures,,,,0,1,=,Medium 10762,"Administrative Templates: Windows Components","Credential User Interface: Enumerate administrator accounts on elevation",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI,EnumerateAdministrators,,,,1,0,=,Medium -10763,"Administrative Templates: Windows Components","Event Log Service: Specify the maximum Application log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Application,MaxSize,,,,4096,32768,>=,Medium -10764,"Administrative Templates: Windows Components","Event Log Service: Specify the maximum Security log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Security,MaxSize,,,,4096,196608,>=,Medium -10765,"Administrative Templates: Windows Components","Event Log Service: Specify the maximum System log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\System,MaxSize,,,,4096,32768,>=,Medium +10763,"Administrative Templates: Windows Components","Event Log Service: Application: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Application,MaxSize,,,,4096,32768,>=,Medium +10764,"Administrative Templates: Windows Components","Event Log Service: Security: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Security,MaxSize,,,,4096,196608,>=,Medium +10765,"Administrative Templates: Windows Components","Event Log Service: System: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\System,MaxSize,,,,4096,32768,>=,Medium 10766,"Administrative Templates: Windows Components","File Explorer: Configure Windows Defender SmartScreen",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,EnableSmartScreen,,,,1,1,=,Medium 10767,"Administrative Templates: Windows Components","File Explorer: Configure Windows Defender SmartScreen to warn and prevent bypass",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,ShellSmartScreenLevel,,,,Warn,Block,=,Medium 10800,"Internet Explorer","Prevent bypassing SmartScreen Filter warnings",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\PhishingFilter",PreventOverride,,,,,1,=,Medium @@ -338,20 +338,20 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 10977,"Microsoft Defender Exploit Guard","Attack Surface Reduction rules",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR",ExploitGuard_ASR_Rules,,,,0,1,=,Medium 10978,"Microsoft Defender Exploit Guard","ASR: Block executable content from email client and webmail (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",be9ba2d9-53ea-4cdc-84e5-9b1eeee46550,,,,0,1,=,Medium 11028,"Microsoft Defender Exploit Guard","ASR: Block executable content from email client and webmail",MpPreferenceAsr,be9ba2d9-53ea-4cdc-84e5-9b1eeee46550,,,,,,0,1,=,Medium -10979,"Microsoft Defender Exploit Guard","ASR: Block Office applications from creating child processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",d4f940ab-401b-4efc-aadc-ad5f3c50688a,,,,0,1,=,Medium -11029,"Microsoft Defender Exploit Guard","ASR: Block Office applications from creating child processes",MpPreferenceAsr,d4f940ab-401b-4efc-aadc-ad5f3c50688a,,,,,,0,1,=,Medium +10979,"Microsoft Defender Exploit Guard","ASR: Block all Office applications from creating child processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",d4f940ab-401b-4efc-aadc-ad5f3c50688a,,,,0,1,=,Medium +11029,"Microsoft Defender Exploit Guard","ASR: Block all Office applications from creating child processes",MpPreferenceAsr,d4f940ab-401b-4efc-aadc-ad5f3c50688a,,,,,,0,1,=,Medium 10980,"Microsoft Defender Exploit Guard","ASR: Block Office applications from creating executable content (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",3b576869-a4ec-4529-8536-b80a7769e899,,,,0,1,=,Medium 11030,"Microsoft Defender Exploit Guard","ASR: Block Office applications from creating executable content",MpPreferenceAsr,3b576869-a4ec-4529-8536-b80a7769e899,,,,,,0,1,=,Medium -10981,"Microsoft Defender Exploit Guard","ASR: Block Office applications from injecting into other processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84,,,,0,1,=,Medium -11016,"Microsoft Defender Exploit Guard","ASR: Block Office applications from injecting into other processes",MpPreferenceAsr,75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84,,,,,,0,1,=,Medium +10981,"Microsoft Defender Exploit Guard","ASR: Block Office applications from injecting code into other processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84,,,,0,1,=,Medium +11016,"Microsoft Defender Exploit Guard","ASR: Block Office applications from injecting code into other processes",MpPreferenceAsr,75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84,,,,,,0,1,=,Medium 10982,"Microsoft Defender Exploit Guard","ASR: Block JavaScript or VBScript from launching downloaded executable content (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",d3e037e1-3eb8-44c8-a917-57927947596d,,,,0,1,=,Medium 11017,"Microsoft Defender Exploit Guard","ASR: Block JavaScript or VBScript from launching downloaded executable content",MpPreferenceAsr,d3e037e1-3eb8-44c8-a917-57927947596d,,,,,,0,1,=,Medium 10983,"Microsoft Defender Exploit Guard","ASR: Block execution of potentially obfuscated scripts (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",5beb7efe-fd9a-4556-801d-275e5ffc04cc,,,,0,1,=,Medium 11018,"Microsoft Defender Exploit Guard","ASR: Block execution of potentially obfuscated scripts",MpPreferenceAsr,5beb7efe-fd9a-4556-801d-275e5ffc04cc,,,,,,0,1,=,Medium -10984,"Microsoft Defender Exploit Guard","ASR: Block Win32 imports from Macro code in Office (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b,,,,0,1,=,Medium -11019,"Microsoft Defender Exploit Guard","ASR: Block Win32 imports from Macro code in Office",MpPreferenceAsr,92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b,,,,,,0,1,=,Medium -10985,"Microsoft Defender Exploit Guard","ASR: Block executable files from running unless they meet a prevalence, age, or trusted list criteria (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",01443614-cd74-433a-b99e-2ecdc07bfc25,,,,0,0,=,Low -11020,"Microsoft Defender Exploit Guard","ASR: Block executable files from running unless they meet a prevalence, age, or trusted list criteria",MpPreferenceAsr,01443614-cd74-433a-b99e-2ecdc07bfc25,,,,,,0,0,=,Low +10984,"Microsoft Defender Exploit Guard","ASR: Block Win32 API calls from Office macros (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b,,,,0,1,=,Medium +11019,"Microsoft Defender Exploit Guard","ASR: Block Win32 API calls from Office macros",MpPreferenceAsr,92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b,,,,,,0,1,=,Medium +10985,"Microsoft Defender Exploit Guard","ASR: Block executable files from running unless they meet a prevalence, age, or trusted list criterion (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",01443614-cd74-433a-b99e-2ecdc07bfc25,,,,0,0,=,Low +11020,"Microsoft Defender Exploit Guard","ASR: Block executable files from running unless they meet a prevalence, age, or trusted list criterion",MpPreferenceAsr,01443614-cd74-433a-b99e-2ecdc07bfc25,,,,,,0,0,=,Low 10986,"Microsoft Defender Exploit Guard","ASR: Use advanced protection against ransomware (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",c1db55ab-c21a-4637-bb3f-a12568109d35,,,,0,1,=,Medium 11021,"Microsoft Defender Exploit Guard","ASR: Use advanced protection against ransomware",MpPreferenceAsr,c1db55ab-c21a-4637-bb3f-a12568109d35,,,,,,0,1,=,Medium 10987,"Microsoft Defender Exploit Guard","ASR: Block credential stealing from the Windows local security authority subsystem (lsass.exe) (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2,,,,0,1,=,Medium @@ -360,8 +360,8 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 11023,"Microsoft Defender Exploit Guard","ASR: Block process creations originating from PSExec and WMI commands",MpPreferenceAsr,d1e49aac-8f56-4280-b9ba-993a6d77406c,,,,,,0,0,=,Low 10989,"Microsoft Defender Exploit Guard","ASR: Block untrusted and unsigned processes that run from USB (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4,,,,0,1,=,Medium 11024,"Microsoft Defender Exploit Guard","ASR: Block untrusted and unsigned processes that run from USB",MpPreferenceAsr,b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4,,,,,,0,1,=,Medium -10990,"Microsoft Defender Exploit Guard","ASR: Block Office communication applications from creating child processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",26190899-1602-49e8-8b27-eb1d0a1ce869,,,,0,1,=,Medium -11025,"Microsoft Defender Exploit Guard","ASR: Block Office communication applications from creating child processes",MpPreferenceAsr,26190899-1602-49e8-8b27-eb1d0a1ce869,,,,,,0,1,=,Medium +10990,"Microsoft Defender Exploit Guard","ASR: Block Office communication application from creating child processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",26190899-1602-49e8-8b27-eb1d0a1ce869,,,,0,1,=,Medium +11025,"Microsoft Defender Exploit Guard","ASR: Block Office communication application from creating child processes",MpPreferenceAsr,26190899-1602-49e8-8b27-eb1d0a1ce869,,,,,,0,1,=,Medium 10991,"Microsoft Defender Exploit Guard","ASR: Block Adobe Reader from creating child processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c,,,,0,1,=,Medium 11026,"Microsoft Defender Exploit Guard","ASR: Block Adobe Reader from creating child processes",MpPreferenceAsr,7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c,,,,,,0,1,=,Medium 10992,"Microsoft Defender Exploit Guard","ASR: Block persistence through WMI event subscription (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",e6db77e5-3df2-4cf1-b95a-636979351e5b,,,,0,1,=,Medium diff --git a/lists/finding_list_msft_security_baseline_windows_11_21h2_machine.csv b/lists/finding_list_msft_security_baseline_windows_11_21h2_machine.csv index d7d1cf2..938c125 100644 --- a/lists/finding_list_msft_security_baseline_windows_11_21h2_machine.csv +++ b/lists/finding_list_msft_security_baseline_windows_11_21h2_machine.csv @@ -128,7 +128,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 10543,"Windows Firewall","Log successful connections (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging,LogSuccessfulConnections,,,,0,1,=,Low 10544,"Windows Firewall","Log successful connections (Public Profile)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging,LogSuccessfulConnections,,,,0,1,=,Low 10600,"Administrative Templates: Control Panel","Personalization: Prevent enabling lock screen camera",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Personalization,NoLockScreenCamera,,,,0,1,=,Low -10601,"Administrative Templates: Control Panel","Personalization: Prevent enabling lock screen slide",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Personalization,NoLockScreenSlideshow,,,,0,1,=,Low +10601,"Administrative Templates: Control Panel","Personalization: Prevent enabling lock screen slide show",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Personalization,NoLockScreenSlideshow,,,,0,1,=,Low 10610,"Administrative Templates: LAPS","Enable local admin password management",Registry,,"HKLM:\Software\Policies\Microsoft Services\AdmPwd",AdmPwdEnabled,,,,,1,=,Medium 10620,"MS Security Guide","Apply UAC restrictions to local accounts on network logons",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,LocalAccountTokenFilterPolicy,,,,,0,=,Medium 10621,"MS Security Guide","Configure SMB v1 client driver",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\MrxSmb10,Start,,,,,4,=,Medium @@ -188,9 +188,9 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 10759,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Removable Data Drives: Do not allow write access to devices configured in another organization",Registry,,HKLM:\Software\Policies\Microsoft\FVE,RDVDenyCrossOrg,,,,,0,=,Medium 10760,"Administrative Templates: Windows Components","Cloud Content: Turn off Microsoft consumer experiences",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CloudContent,DisableWindowsConsumerFeatures,,,,0,1,=,Medium 10762,"Administrative Templates: Windows Components","Credential User Interface: Enumerate administrator accounts on elevation",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI,EnumerateAdministrators,,,,1,0,=,Medium -10763,"Administrative Templates: Windows Components","Event Log Service: Specify the maximum Application log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Application,MaxSize,,,,4096,32768,>=,Medium -10764,"Administrative Templates: Windows Components","Event Log Service: Specify the maximum Security log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Security,MaxSize,,,,4096,196608,>=,Medium -10765,"Administrative Templates: Windows Components","Event Log Service: Specify the maximum System log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\System,MaxSize,,,,4096,32768,>=,Medium +10763,"Administrative Templates: Windows Components","Event Log Service: Application: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Application,MaxSize,,,,4096,32768,>=,Medium +10764,"Administrative Templates: Windows Components","Event Log Service: Security: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Security,MaxSize,,,,4096,196608,>=,Medium +10765,"Administrative Templates: Windows Components","Event Log Service: System: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\System,MaxSize,,,,4096,32768,>=,Medium 10766,"Administrative Templates: Windows Components","File Explorer: Configure Windows Defender SmartScreen",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,EnableSmartScreen,,,,1,1,=,Medium 10767,"Administrative Templates: Windows Components","File Explorer: Configure Windows Defender SmartScreen to warn and prevent bypass",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,ShellSmartScreenLevel,,,,Warn,Block,=,Medium 10800,"Internet Explorer","Prevent bypassing SmartScreen Filter warnings",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\PhishingFilter",PreventOverride,,,,,1,=,Medium @@ -332,20 +332,20 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 10977,"Microsoft Defender Exploit Guard","Attack Surface Reduction rules",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR",ExploitGuard_ASR_Rules,,,,0,1,=,Medium 10978,"Microsoft Defender Exploit Guard","ASR: Block executable content from email client and webmail (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",be9ba2d9-53ea-4cdc-84e5-9b1eeee46550,,,,0,1,=,Medium 11028,"Microsoft Defender Exploit Guard","ASR: Block executable content from email client and webmail",MpPreferenceAsr,be9ba2d9-53ea-4cdc-84e5-9b1eeee46550,,,,,,0,1,=,Medium -10979,"Microsoft Defender Exploit Guard","ASR: Block Office applications from creating child processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",d4f940ab-401b-4efc-aadc-ad5f3c50688a,,,,0,1,=,Medium -11029,"Microsoft Defender Exploit Guard","ASR: Block Office applications from creating child processes",MpPreferenceAsr,d4f940ab-401b-4efc-aadc-ad5f3c50688a,,,,,,0,1,=,Medium +10979,"Microsoft Defender Exploit Guard","ASR: Block all Office applications from creating child processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",d4f940ab-401b-4efc-aadc-ad5f3c50688a,,,,0,1,=,Medium +11029,"Microsoft Defender Exploit Guard","ASR: Block all Office applications from creating child processes",MpPreferenceAsr,d4f940ab-401b-4efc-aadc-ad5f3c50688a,,,,,,0,1,=,Medium 10980,"Microsoft Defender Exploit Guard","ASR: Block Office applications from creating executable content (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",3b576869-a4ec-4529-8536-b80a7769e899,,,,0,1,=,Medium 11030,"Microsoft Defender Exploit Guard","ASR: Block Office applications from creating executable content",MpPreferenceAsr,3b576869-a4ec-4529-8536-b80a7769e899,,,,,,0,1,=,Medium -10981,"Microsoft Defender Exploit Guard","ASR: Block Office applications from injecting into other processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84,,,,0,1,=,Medium -11016,"Microsoft Defender Exploit Guard","ASR: Block Office applications from injecting into other processes",MpPreferenceAsr,75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84,,,,,,0,1,=,Medium +10981,"Microsoft Defender Exploit Guard","ASR: Block Office applications from injecting code into other processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84,,,,0,1,=,Medium +11016,"Microsoft Defender Exploit Guard","ASR: Block Office applications from injecting code into other processes",MpPreferenceAsr,75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84,,,,,,0,1,=,Medium 10982,"Microsoft Defender Exploit Guard","ASR: Block JavaScript or VBScript from launching downloaded executable content (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",d3e037e1-3eb8-44c8-a917-57927947596d,,,,0,1,=,Medium 11017,"Microsoft Defender Exploit Guard","ASR: Block JavaScript or VBScript from launching downloaded executable content",MpPreferenceAsr,d3e037e1-3eb8-44c8-a917-57927947596d,,,,,,0,1,=,Medium 10983,"Microsoft Defender Exploit Guard","ASR: Block execution of potentially obfuscated scripts (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",5beb7efe-fd9a-4556-801d-275e5ffc04cc,,,,0,1,=,Medium 11018,"Microsoft Defender Exploit Guard","ASR: Block execution of potentially obfuscated scripts",MpPreferenceAsr,5beb7efe-fd9a-4556-801d-275e5ffc04cc,,,,,,0,1,=,Medium -10984,"Microsoft Defender Exploit Guard","ASR: Block Win32 imports from Macro code in Office (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b,,,,0,1,=,Medium -11019,"Microsoft Defender Exploit Guard","ASR: Block Win32 imports from Macro code in Office",MpPreferenceAsr,92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b,,,,,,0,1,=,Medium -10985,"Microsoft Defender Exploit Guard","ASR: Block executable files from running unless they meet a prevalence, age, or trusted list criteria (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",01443614-cd74-433a-b99e-2ecdc07bfc25,,,,0,0,=,Low -11020,"Microsoft Defender Exploit Guard","ASR: Block executable files from running unless they meet a prevalence, age, or trusted list criteria",MpPreferenceAsr,01443614-cd74-433a-b99e-2ecdc07bfc25,,,,,,0,0,=,Low +10984,"Microsoft Defender Exploit Guard","ASR: Block Win32 API calls from Office macros (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b,,,,0,1,=,Medium +11019,"Microsoft Defender Exploit Guard","ASR: Block Win32 API calls from Office macros",MpPreferenceAsr,92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b,,,,,,0,1,=,Medium +10985,"Microsoft Defender Exploit Guard","ASR: Block executable files from running unless they meet a prevalence, age, or trusted list criterion (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",01443614-cd74-433a-b99e-2ecdc07bfc25,,,,0,0,=,Low +11020,"Microsoft Defender Exploit Guard","ASR: Block executable files from running unless they meet a prevalence, age, or trusted list criterion",MpPreferenceAsr,01443614-cd74-433a-b99e-2ecdc07bfc25,,,,,,0,0,=,Low 10986,"Microsoft Defender Exploit Guard","ASR: Use advanced protection against ransomware (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",c1db55ab-c21a-4637-bb3f-a12568109d35,,,,0,1,=,Medium 11021,"Microsoft Defender Exploit Guard","ASR: Use advanced protection against ransomware",MpPreferenceAsr,c1db55ab-c21a-4637-bb3f-a12568109d35,,,,,,0,1,=,Medium 10987,"Microsoft Defender Exploit Guard","ASR: Block credential stealing from the Windows local security authority subsystem (lsass.exe) (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2,,,,0,1,=,Medium @@ -354,8 +354,8 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 11023,"Microsoft Defender Exploit Guard","ASR: Block process creations originating from PSExec and WMI commands",MpPreferenceAsr,d1e49aac-8f56-4280-b9ba-993a6d77406c,,,,,,0,0,=,Low 10989,"Microsoft Defender Exploit Guard","ASR: Block untrusted and unsigned processes that run from USB (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4,,,,0,1,=,Medium 11024,"Microsoft Defender Exploit Guard","ASR: Block untrusted and unsigned processes that run from USB",MpPreferenceAsr,b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4,,,,,,0,1,=,Medium -10990,"Microsoft Defender Exploit Guard","ASR: Block Office communication applications from creating child processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",26190899-1602-49e8-8b27-eb1d0a1ce869,,,,0,1,=,Medium -11025,"Microsoft Defender Exploit Guard","ASR: Block Office communication applications from creating child processes",MpPreferenceAsr,26190899-1602-49e8-8b27-eb1d0a1ce869,,,,,,0,1,=,Medium +10990,"Microsoft Defender Exploit Guard","ASR: Block Office communication application from creating child processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",26190899-1602-49e8-8b27-eb1d0a1ce869,,,,0,1,=,Medium +11025,"Microsoft Defender Exploit Guard","ASR: Block Office communication application from creating child processes",MpPreferenceAsr,26190899-1602-49e8-8b27-eb1d0a1ce869,,,,,,0,1,=,Medium 10991,"Microsoft Defender Exploit Guard","ASR: Block Adobe Reader from creating child processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c,,,,0,1,=,Medium 11026,"Microsoft Defender Exploit Guard","ASR: Block Adobe Reader from creating child processes",MpPreferenceAsr,7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c,,,,,,0,1,=,Medium 10992,"Microsoft Defender Exploit Guard","ASR: Block persistence through WMI event subscription (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",e6db77e5-3df2-4cf1-b95a-636979351e5b,,,,0,1,=,Medium diff --git a/lists/finding_list_msft_security_baseline_windows_server_2004_dc_machine.csv b/lists/finding_list_msft_security_baseline_windows_server_2004_dc_machine.csv index 735d3e1..ebd3585 100644 --- a/lists/finding_list_msft_security_baseline_windows_server_2004_dc_machine.csv +++ b/lists/finding_list_msft_security_baseline_windows_server_2004_dc_machine.csv @@ -106,7 +106,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 10533,"Windows Firewall","Outbound Connections (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile,DefaultOutboundAction,,,,0,0,=,Medium 10534,"Windows Firewall","Outbound Connections (Public Profile)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile,DefaultOutboundAction,,,,0,0,=,Medium 10600,"Administrative Templates: Control Panel","Personalization: Prevent enabling lock screen camera",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Personalization,NoLockScreenCamera,,,,0,1,=,Low -10601,"Administrative Templates: Control Panel","Personalization: Prevent enabling lock screen slide",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Personalization,NoLockScreenSlideshow,,,,0,1,=,Low +10601,"Administrative Templates: Control Panel","Personalization: Prevent enabling lock screen slide show",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Personalization,NoLockScreenSlideshow,,,,0,1,=,Low 10621,"MS Security Guide","Configure SMB v1 client driver",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\MrxSmb10,Start,,,,,4,=,Medium 10622,"MS Security Guide","Configure SMB v1 server",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters,SMB1,,,,,0,=,Medium 10623,"MS Security Guide","Enable Structured Exception Handling Overwrite Protection (SEHOP)",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel",DisableExceptionChainValidation,,,,,0,=,Medium @@ -136,9 +136,9 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 10753,"Administrative Templates: Windows Components","AutoPlay Policies: Set the default behavior for AutoRun",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoAutorun,,,,0,1,=,Medium 10754,"Administrative Templates: Windows Components","AutoPlay Policies: Turn off Autoplay",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoDriveTypeAutoRun,,,,0,255,=,Medium 10755,"Administrative Templates: Windows Components","Biometrics: Facial Features: Configure enhanced anti-spoofing",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures,EnhancedAntiSpoofing,,,,,1,=,Medium -10763,"Administrative Templates: Windows Components","Event Log Service: Specify the maximum Application log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Application,MaxSize,,,,4096,32768,>=,Medium -10764,"Administrative Templates: Windows Components","Event Log Service: Specify the maximum Security log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Security,MaxSize,,,,4096,196608,>=,Medium -10765,"Administrative Templates: Windows Components","Event Log Service: Specify the maximum System log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\System,MaxSize,,,,4096,32768,>=,Medium +10763,"Administrative Templates: Windows Components","Event Log Service: Application: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Application,MaxSize,,,,4096,32768,>=,Medium +10764,"Administrative Templates: Windows Components","Event Log Service: Security: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Security,MaxSize,,,,4096,196608,>=,Medium +10765,"Administrative Templates: Windows Components","Event Log Service: System: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\System,MaxSize,,,,4096,32768,>=,Medium 10766,"Administrative Templates: Windows Components","File Explorer: Configure Windows Defender SmartScreen",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,EnableSmartScreen,,,,1,1,=,Medium 10767,"Administrative Templates: Windows Components","File Explorer: Configure Windows Defender SmartScreen to warn and prevent bypass",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,ShellSmartScreenLevel,,,,Warn,Block,=,Medium 10800,"Internet Explorer","Prevent bypassing SmartScreen Filter warnings",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\PhishingFilter",PreventOverride,,,,,1,=,Medium @@ -287,20 +287,20 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 10977,"Microsoft Defender Exploit Guard","Attack Surface Reduction rules",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR",ExploitGuard_ASR_Rules,,,,0,1,=,Medium 10978,"Microsoft Defender Exploit Guard","ASR: Block executable content from email client and webmail (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",be9ba2d9-53ea-4cdc-84e5-9b1eeee46550,,,,0,1,=,Medium 11028,"Microsoft Defender Exploit Guard","ASR: Block executable content from email client and webmail",MpPreferenceAsr,be9ba2d9-53ea-4cdc-84e5-9b1eeee46550,,,,,,0,1,=,Medium -10979,"Microsoft Defender Exploit Guard","ASR: Block Office applications from creating child processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",d4f940ab-401b-4efc-aadc-ad5f3c50688a,,,,0,1,=,Medium -11014,"Microsoft Defender Exploit Guard","ASR: Block Office applications from creating child processes",MpPreferenceAsr,d4f940ab-401b-4efc-aadc-ad5f3c50688a,,,,,,0,1,=,Medium +10979,"Microsoft Defender Exploit Guard","ASR: Block all Office applications from creating child processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",d4f940ab-401b-4efc-aadc-ad5f3c50688a,,,,0,1,=,Medium +11014,"Microsoft Defender Exploit Guard","ASR: Block all Office applications from creating child processes",MpPreferenceAsr,d4f940ab-401b-4efc-aadc-ad5f3c50688a,,,,,,0,1,=,Medium 10980,"Microsoft Defender Exploit Guard","ASR: Block Office applications from creating executable content (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",3b576869-a4ec-4529-8536-b80a7769e899,,,,0,1,=,Medium 11015,"Microsoft Defender Exploit Guard","ASR: Block Office applications from creating executable content",MpPreferenceAsr,3b576869-a4ec-4529-8536-b80a7769e899,,,,,,0,1,=,Medium -10981,"Microsoft Defender Exploit Guard","ASR: Block Office applications from injecting into other processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84,,,,0,1,=,Medium -11016,"Microsoft Defender Exploit Guard","ASR: Block Office applications from injecting into other processes",MpPreferenceAsr,75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84,,,,,,0,1,=,Medium +10981,"Microsoft Defender Exploit Guard","ASR: Block Office applications from injecting code into other processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84,,,,0,1,=,Medium +11016,"Microsoft Defender Exploit Guard","ASR: Block Office applications from injecting code into other processes",MpPreferenceAsr,75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84,,,,,,0,1,=,Medium 10982,"Microsoft Defender Exploit Guard","ASR: Block JavaScript or VBScript from launching downloaded executable content (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",d3e037e1-3eb8-44c8-a917-57927947596d,,,,0,1,=,Medium 11017,"Microsoft Defender Exploit Guard","ASR: Block JavaScript or VBScript from launching downloaded executable content",MpPreferenceAsr,d3e037e1-3eb8-44c8-a917-57927947596d,,,,,,0,1,=,Medium 10983,"Microsoft Defender Exploit Guard","ASR: Block execution of potentially obfuscated scripts (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",5beb7efe-fd9a-4556-801d-275e5ffc04cc,,,,0,1,=,Medium 11018,"Microsoft Defender Exploit Guard","ASR: Block execution of potentially obfuscated scripts",MpPreferenceAsr,5beb7efe-fd9a-4556-801d-275e5ffc04cc,,,,,,0,1,=,Medium -10984,"Microsoft Defender Exploit Guard","ASR: Block Win32 imports from Macro code in Office (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b,,,,0,1,=,Medium -11019,"Microsoft Defender Exploit Guard","ASR: Block Win32 imports from Macro code in Office",MpPreferenceAsr,92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b,,,,,,0,1,=,Medium -10985,"Microsoft Defender Exploit Guard","ASR: Block executable files from running unless they meet a prevalence, age, or trusted list criteria (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",01443614-cd74-433a-b99e-2ecdc07bfc25,,,,0,0,=,Low -11020,"Microsoft Defender Exploit Guard","ASR: Block executable files from running unless they meet a prevalence, age, or trusted list criteria",MpPreferenceAsr,01443614-cd74-433a-b99e-2ecdc07bfc25,,,,,,0,0,=,Low +10984,"Microsoft Defender Exploit Guard","ASR: Block Win32 API calls from Office macros (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b,,,,0,1,=,Medium +11019,"Microsoft Defender Exploit Guard","ASR: Block Win32 API calls from Office macros",MpPreferenceAsr,92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b,,,,,,0,1,=,Medium +10985,"Microsoft Defender Exploit Guard","ASR: Block executable files from running unless they meet a prevalence, age, or trusted list criterion (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",01443614-cd74-433a-b99e-2ecdc07bfc25,,,,0,0,=,Low +11020,"Microsoft Defender Exploit Guard","ASR: Block executable files from running unless they meet a prevalence, age, or trusted list criterion",MpPreferenceAsr,01443614-cd74-433a-b99e-2ecdc07bfc25,,,,,,0,0,=,Low 10986,"Microsoft Defender Exploit Guard","ASR: Use advanced protection against ransomware (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",c1db55ab-c21a-4637-bb3f-a12568109d35,,,,0,0,=,Low 11021,"Microsoft Defender Exploit Guard","ASR: Use advanced protection against ransomware",MpPreferenceAsr,c1db55ab-c21a-4637-bb3f-a12568109d35,,,,,,0,0,=,Low 10987,"Microsoft Defender Exploit Guard","ASR: Block credential stealing from the Windows local security authority subsystem (lsass.exe) (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2,,,,0,1,=,Medium @@ -309,8 +309,8 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 11023,"Microsoft Defender Exploit Guard","ASR: Block process creations originating from PSExec and WMI commands",MpPreferenceAsr,d1e49aac-8f56-4280-b9ba-993a6d77406c,,,,,,0,0,=,Low 10989,"Microsoft Defender Exploit Guard","ASR: Block untrusted and unsigned processes that run from USB (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4,,,,0,1,=,Medium 11024,"Microsoft Defender Exploit Guard","ASR: Block untrusted and unsigned processes that run from USB",MpPreferenceAsr,b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4,,,,,,0,1,=,Medium -10990,"Microsoft Defender Exploit Guard","ASR: Block Office communication applications from creating child processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",26190899-1602-49e8-8b27-eb1d0a1ce869,,,,0,1,=,Medium -11025,"Microsoft Defender Exploit Guard","ASR: Block Office communication applications from creating child processes",MpPreferenceAsr,26190899-1602-49e8-8b27-eb1d0a1ce869,,,,,,0,1,=,Medium +10990,"Microsoft Defender Exploit Guard","ASR: Block Office communication application from creating child processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",26190899-1602-49e8-8b27-eb1d0a1ce869,,,,0,1,=,Medium +11025,"Microsoft Defender Exploit Guard","ASR: Block Office communication application from creating child processes",MpPreferenceAsr,26190899-1602-49e8-8b27-eb1d0a1ce869,,,,,,0,1,=,Medium 10991,"Microsoft Defender Exploit Guard","ASR: Block Adobe Reader from creating child processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c,,,,0,1,=,Medium 11026,"Microsoft Defender Exploit Guard","ASR: Block Adobe Reader from creating child processes",MpPreferenceAsr,7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c,,,,,,0,1,=,Medium 10992,"Microsoft Defender Exploit Guard","ASR: Block persistence through WMI event subscription (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",e6db77e5-3df2-4cf1-b95a-636979351e5b,,,,0,0,=,Low diff --git a/lists/finding_list_msft_security_baseline_windows_server_2004_member_machine.csv b/lists/finding_list_msft_security_baseline_windows_server_2004_member_machine.csv index 53a4b3a..eed7e81 100644 --- a/lists/finding_list_msft_security_baseline_windows_server_2004_member_machine.csv +++ b/lists/finding_list_msft_security_baseline_windows_server_2004_member_machine.csv @@ -102,7 +102,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 10533,"Windows Firewall","Outbound Connections (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile,DefaultOutboundAction,,,,0,0,=,Medium 10534,"Windows Firewall","Outbound Connections (Public Profile)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile,DefaultOutboundAction,,,,0,0,=,Medium 10600,"Administrative Templates: Control Panel","Personalization: Prevent enabling lock screen camera",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Personalization,NoLockScreenCamera,,,,0,1,=,Low -10601,"Administrative Templates: Control Panel","Personalization: Prevent enabling lock screen slide",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Personalization,NoLockScreenSlideshow,,,,0,1,=,Low +10601,"Administrative Templates: Control Panel","Personalization: Prevent enabling lock screen slide show",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Personalization,NoLockScreenSlideshow,,,,0,1,=,Low 10610,"Administrative Templates: LAPS","Enable local admin password management",Registry,,"HKLM:\Software\Policies\Microsoft Services\AdmPwd",AdmPwdEnabled,,,,,1,=,Medium 10620,"MS Security Guide","Apply UAC restrictions to local accounts on network logons",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,LocalAccountTokenFilterPolicy,,,,,0,=,Medium 10621,"MS Security Guide","Configure SMB v1 client driver",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\MrxSmb10,Start,,,,,4,=,Medium @@ -136,9 +136,9 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 10753,"Administrative Templates: Windows Components","AutoPlay Policies: Set the default behavior for AutoRun",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoAutorun,,,,0,1,=,Medium 10754,"Administrative Templates: Windows Components","AutoPlay Policies: Turn off Autoplay",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoDriveTypeAutoRun,,,,0,255,=,Medium 10755,"Administrative Templates: Windows Components","Biometrics: Facial Features: Configure enhanced anti-spoofing",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures,EnhancedAntiSpoofing,,,,,1,=,Medium -10763,"Administrative Templates: Windows Components","Event Log Service: Specify the maximum Application log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Application,MaxSize,,,,4096,32768,>=,Medium -10764,"Administrative Templates: Windows Components","Event Log Service: Specify the maximum Security log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Security,MaxSize,,,,4096,196608,>=,Medium -10765,"Administrative Templates: Windows Components","Event Log Service: Specify the maximum System log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\System,MaxSize,,,,4096,32768,>=,Medium +10763,"Administrative Templates: Windows Components","Event Log Service: Application: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Application,MaxSize,,,,4096,32768,>=,Medium +10764,"Administrative Templates: Windows Components","Event Log Service: Security: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Security,MaxSize,,,,4096,196608,>=,Medium +10765,"Administrative Templates: Windows Components","Event Log Service: System: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\System,MaxSize,,,,4096,32768,>=,Medium 10766,"Administrative Templates: Windows Components","File Explorer: Configure Windows Defender SmartScreen",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,EnableSmartScreen,,,,1,1,=,Medium 10767,"Administrative Templates: Windows Components","File Explorer: Configure Windows Defender SmartScreen to warn and prevent bypass",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,ShellSmartScreenLevel,,,,Warn,Block,=,Medium 10800,"Internet Explorer","Prevent bypassing SmartScreen Filter warnings",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\PhishingFilter",PreventOverride,,,,,1,=,Medium @@ -287,20 +287,20 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 10977,"Microsoft Defender Exploit Guard","Attack Surface Reduction rules",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR",ExploitGuard_ASR_Rules,,,,0,1,=,Medium 10978,"Microsoft Defender Exploit Guard","ASR: Block executable content from email client and webmail (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",be9ba2d9-53ea-4cdc-84e5-9b1eeee46550,,,,0,1,=,Medium 11028,"Microsoft Defender Exploit Guard","ASR: Block executable content from email client and webmail",MpPreferenceAsr,be9ba2d9-53ea-4cdc-84e5-9b1eeee46550,,,,,,0,1,=,Medium -10979,"Microsoft Defender Exploit Guard","ASR: Block Office applications from creating child processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",d4f940ab-401b-4efc-aadc-ad5f3c50688a,,,,0,1,=,Medium -11014,"Microsoft Defender Exploit Guard","ASR: Block Office applications from creating child processes",MpPreferenceAsr,d4f940ab-401b-4efc-aadc-ad5f3c50688a,,,,,,0,1,=,Medium +10979,"Microsoft Defender Exploit Guard","ASR: Block all Office applications from creating child processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",d4f940ab-401b-4efc-aadc-ad5f3c50688a,,,,0,1,=,Medium +11014,"Microsoft Defender Exploit Guard","ASR: Block all Office applications from creating child processes",MpPreferenceAsr,d4f940ab-401b-4efc-aadc-ad5f3c50688a,,,,,,0,1,=,Medium 10980,"Microsoft Defender Exploit Guard","ASR: Block Office applications from creating executable content (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",3b576869-a4ec-4529-8536-b80a7769e899,,,,0,1,=,Medium 11015,"Microsoft Defender Exploit Guard","ASR: Block Office applications from creating executable content",MpPreferenceAsr,3b576869-a4ec-4529-8536-b80a7769e899,,,,,,0,1,=,Medium -10981,"Microsoft Defender Exploit Guard","ASR: Block Office applications from injecting into other processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84,,,,0,1,=,Medium -11016,"Microsoft Defender Exploit Guard","ASR: Block Office applications from injecting into other processes",MpPreferenceAsr,75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84,,,,,,0,1,=,Medium +10981,"Microsoft Defender Exploit Guard","ASR: Block Office applications from injecting code into other processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84,,,,0,1,=,Medium +11016,"Microsoft Defender Exploit Guard","ASR: Block Office applications from injecting code into other processes",MpPreferenceAsr,75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84,,,,,,0,1,=,Medium 10982,"Microsoft Defender Exploit Guard","ASR: Block JavaScript or VBScript from launching downloaded executable content (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",d3e037e1-3eb8-44c8-a917-57927947596d,,,,0,1,=,Medium 11017,"Microsoft Defender Exploit Guard","ASR: Block JavaScript or VBScript from launching downloaded executable content",MpPreferenceAsr,d3e037e1-3eb8-44c8-a917-57927947596d,,,,,,0,1,=,Medium 10983,"Microsoft Defender Exploit Guard","ASR: Block execution of potentially obfuscated scripts (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",5beb7efe-fd9a-4556-801d-275e5ffc04cc,,,,0,1,=,Medium 11018,"Microsoft Defender Exploit Guard","ASR: Block execution of potentially obfuscated scripts",MpPreferenceAsr,5beb7efe-fd9a-4556-801d-275e5ffc04cc,,,,,,0,1,=,Medium -10984,"Microsoft Defender Exploit Guard","ASR: Block Win32 imports from Macro code in Office (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b,,,,0,1,=,Medium -11019,"Microsoft Defender Exploit Guard","ASR: Block Win32 imports from Macro code in Office",MpPreferenceAsr,92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b,,,,,,0,1,=,Medium -10985,"Microsoft Defender Exploit Guard","ASR: Block executable files from running unless they meet a prevalence, age, or trusted list criteria (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",01443614-cd74-433a-b99e-2ecdc07bfc25,,,,0,0,=,Low -11020,"Microsoft Defender Exploit Guard","ASR: Block executable files from running unless they meet a prevalence, age, or trusted list criteria",MpPreferenceAsr,01443614-cd74-433a-b99e-2ecdc07bfc25,,,,,,0,0,=,Low +10984,"Microsoft Defender Exploit Guard","ASR: Block Win32 API calls from Office macros (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b,,,,0,1,=,Medium +11019,"Microsoft Defender Exploit Guard","ASR: Block Win32 API calls from Office macros",MpPreferenceAsr,92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b,,,,,,0,1,=,Medium +10985,"Microsoft Defender Exploit Guard","ASR: Block executable files from running unless they meet a prevalence, age, or trusted list criterion (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",01443614-cd74-433a-b99e-2ecdc07bfc25,,,,0,0,=,Low +11020,"Microsoft Defender Exploit Guard","ASR: Block executable files from running unless they meet a prevalence, age, or trusted list criterion",MpPreferenceAsr,01443614-cd74-433a-b99e-2ecdc07bfc25,,,,,,0,0,=,Low 10986,"Microsoft Defender Exploit Guard","ASR: Use advanced protection against ransomware (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",c1db55ab-c21a-4637-bb3f-a12568109d35,,,,0,0,=,Low 11021,"Microsoft Defender Exploit Guard","ASR: Use advanced protection against ransomware",MpPreferenceAsr,c1db55ab-c21a-4637-bb3f-a12568109d35,,,,,,0,0,=,Low 10987,"Microsoft Defender Exploit Guard","ASR: Block credential stealing from the Windows local security authority subsystem (lsass.exe) (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2,,,,0,1,=,Medium @@ -309,8 +309,8 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 11023,"Microsoft Defender Exploit Guard","ASR: Block process creations originating from PSExec and WMI commands",MpPreferenceAsr,d1e49aac-8f56-4280-b9ba-993a6d77406c,,,,,,0,0,=,Low 10989,"Microsoft Defender Exploit Guard","ASR: Block untrusted and unsigned processes that run from USB (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4,,,,0,1,=,Medium 11024,"Microsoft Defender Exploit Guard","ASR: Block untrusted and unsigned processes that run from USB",MpPreferenceAsr,b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4,,,,,,0,1,=,Medium -10990,"Microsoft Defender Exploit Guard","ASR: Block Office communication applications from creating child processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",26190899-1602-49e8-8b27-eb1d0a1ce869,,,,0,1,=,Medium -11025,"Microsoft Defender Exploit Guard","ASR: Block Office communication applications from creating child processes",MpPreferenceAsr,26190899-1602-49e8-8b27-eb1d0a1ce869,,,,,,0,1,=,Medium +10990,"Microsoft Defender Exploit Guard","ASR: Block Office communication application from creating child processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",26190899-1602-49e8-8b27-eb1d0a1ce869,,,,0,1,=,Medium +11025,"Microsoft Defender Exploit Guard","ASR: Block Office communication application from creating child processes",MpPreferenceAsr,26190899-1602-49e8-8b27-eb1d0a1ce869,,,,,,0,1,=,Medium 10991,"Microsoft Defender Exploit Guard","ASR: Block Adobe Reader from creating child processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c,,,,0,1,=,Medium 11026,"Microsoft Defender Exploit Guard","ASR: Block Adobe Reader from creating child processes",MpPreferenceAsr,7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c,,,,,,0,1,=,Medium 10992,"Microsoft Defender Exploit Guard","ASR: Block persistence through WMI event subscription (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",e6db77e5-3df2-4cf1-b95a-636979351e5b,,,,0,0,=,Low diff --git a/lists/finding_list_msft_security_baseline_windows_server_2022_21h2_dc_machine.csv b/lists/finding_list_msft_security_baseline_windows_server_2022_21h2_dc_machine.csv index 0e946a4..3f09008 100644 --- a/lists/finding_list_msft_security_baseline_windows_server_2022_21h2_dc_machine.csv +++ b/lists/finding_list_msft_security_baseline_windows_server_2022_21h2_dc_machine.csv @@ -107,7 +107,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 10533,"Windows Firewall","Outbound Connections (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile,DefaultOutboundAction,,,,0,0,=,Medium 10534,"Windows Firewall","Outbound Connections (Public Profile)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile,DefaultOutboundAction,,,,0,0,=,Medium 10600,"Administrative Templates: Control Panel","Personalization: Prevent enabling lock screen camera",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Personalization,NoLockScreenCamera,,,,0,1,=,Low -10601,"Administrative Templates: Control Panel","Personalization: Prevent enabling lock screen slide",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Personalization,NoLockScreenSlideshow,,,,0,1,=,Low +10601,"Administrative Templates: Control Panel","Personalization: Prevent enabling lock screen slide show",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Personalization,NoLockScreenSlideshow,,,,0,1,=,Low 10621,"MS Security Guide","Configure SMB v1 client driver",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\MrxSmb10,Start,,,,,4,=,Medium 10622,"MS Security Guide","Configure SMB v1 server",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters,SMB1,,,,,0,=,Medium 10623,"MS Security Guide","Enable Structured Exception Handling Overwrite Protection (SEHOP)",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel",DisableExceptionChainValidation,,,,,0,=,Medium @@ -138,9 +138,9 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 10753,"Administrative Templates: Windows Components","AutoPlay Policies: Set the default behavior for AutoRun",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoAutorun,,,,0,1,=,Medium 10754,"Administrative Templates: Windows Components","AutoPlay Policies: Turn off Autoplay",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoDriveTypeAutoRun,,,,0,255,=,Medium 10755,"Administrative Templates: Windows Components","Biometrics: Facial Features: Configure enhanced anti-spoofing",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures,EnhancedAntiSpoofing,,,,,1,=,Medium -10763,"Administrative Templates: Windows Components","Event Log Service: Specify the maximum Application log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Application,MaxSize,,,,4096,32768,>=,Medium -10764,"Administrative Templates: Windows Components","Event Log Service: Specify the maximum Security log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Security,MaxSize,,,,4096,196608,>=,Medium -10765,"Administrative Templates: Windows Components","Event Log Service: Specify the maximum System log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\System,MaxSize,,,,4096,32768,>=,Medium +10763,"Administrative Templates: Windows Components","Event Log Service: Application: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Application,MaxSize,,,,4096,32768,>=,Medium +10764,"Administrative Templates: Windows Components","Event Log Service: Security: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Security,MaxSize,,,,4096,196608,>=,Medium +10765,"Administrative Templates: Windows Components","Event Log Service: System: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\System,MaxSize,,,,4096,32768,>=,Medium 10766,"Administrative Templates: Windows Components","File Explorer: Configure Windows Defender SmartScreen",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,EnableSmartScreen,,,,1,1,=,Medium 10767,"Administrative Templates: Windows Components","File Explorer: Configure Windows Defender SmartScreen to warn and prevent bypass",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,ShellSmartScreenLevel,,,,Warn,Block,=,Medium 10800,"Internet Explorer","Prevent bypassing SmartScreen Filter warnings",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\PhishingFilter",PreventOverride,,,,,1,=,Medium @@ -282,20 +282,20 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 10977,"Microsoft Defender Exploit Guard","Attack Surface Reduction rules",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR",ExploitGuard_ASR_Rules,,,,0,1,=,Medium 10978,"Microsoft Defender Exploit Guard","ASR: Block executable content from email client and webmail (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",be9ba2d9-53ea-4cdc-84e5-9b1eeee46550,,,,0,1,=,Medium 11028,"Microsoft Defender Exploit Guard","ASR: Block executable content from email client and webmail",MpPreferenceAsr,be9ba2d9-53ea-4cdc-84e5-9b1eeee46550,,,,,,0,1,=,Medium -10979,"Microsoft Defender Exploit Guard","ASR: Block Office applications from creating child processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",d4f940ab-401b-4efc-aadc-ad5f3c50688a,,,,0,1,=,Medium -11029,"Microsoft Defender Exploit Guard","ASR: Block Office applications from creating child processes",MpPreferenceAsr,d4f940ab-401b-4efc-aadc-ad5f3c50688a,,,,,,0,1,=,Medium +10979,"Microsoft Defender Exploit Guard","ASR: Block all Office applications from creating child processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",d4f940ab-401b-4efc-aadc-ad5f3c50688a,,,,0,1,=,Medium +11029,"Microsoft Defender Exploit Guard","ASR: Block all Office applications from creating child processes",MpPreferenceAsr,d4f940ab-401b-4efc-aadc-ad5f3c50688a,,,,,,0,1,=,Medium 10980,"Microsoft Defender Exploit Guard","ASR: Block Office applications from creating executable content (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",3b576869-a4ec-4529-8536-b80a7769e899,,,,0,1,=,Medium 11030,"Microsoft Defender Exploit Guard","ASR: Block Office applications from creating executable content",MpPreferenceAsr,3b576869-a4ec-4529-8536-b80a7769e899,,,,,,0,1,=,Medium -10981,"Microsoft Defender Exploit Guard","ASR: Block Office applications from injecting into other processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84,,,,0,1,=,Medium -11016,"Microsoft Defender Exploit Guard","ASR: Block Office applications from injecting into other processes",MpPreferenceAsr,75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84,,,,,,0,1,=,Medium +10981,"Microsoft Defender Exploit Guard","ASR: Block Office applications from injecting code into other processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84,,,,0,1,=,Medium +11016,"Microsoft Defender Exploit Guard","ASR: Block Office applications from injecting code into other processes",MpPreferenceAsr,75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84,,,,,,0,1,=,Medium 10982,"Microsoft Defender Exploit Guard","ASR: Block JavaScript or VBScript from launching downloaded executable content (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",d3e037e1-3eb8-44c8-a917-57927947596d,,,,0,1,=,Medium 11020,"Microsoft Defender Exploit Guard","ASR: Block JavaScript or VBScript from launching downloaded executable content",MpPreferenceAsr,d3e037e1-3eb8-44c8-a917-57927947596d,,,,,,0,1,=,Medium 10983,"Microsoft Defender Exploit Guard","ASR: Block execution of potentially obfuscated scripts (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",5beb7efe-fd9a-4556-801d-275e5ffc04cc,,,,0,1,=,Medium 11021,"Microsoft Defender Exploit Guard","ASR: Block execution of potentially obfuscated scripts",MpPreferenceAsr,5beb7efe-fd9a-4556-801d-275e5ffc04cc,,,,,,0,1,=,Medium -10984,"Microsoft Defender Exploit Guard","ASR: Block Win32 imports from Macro code in Office (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b,,,,0,1,=,Medium -11022,"Microsoft Defender Exploit Guard","ASR: Block Win32 imports from Macro code in Office",MpPreferenceAsr,92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b,,,,,,0,1,=,Medium -10985,"Microsoft Defender Exploit Guard","ASR: Block executable files from running unless they meet a prevalence, age, or trusted list criteria (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",01443614-cd74-433a-b99e-2ecdc07bfc25,,,,0,0,=,Low -11023,"Microsoft Defender Exploit Guard","ASR: Block executable files from running unless they meet a prevalence, age, or trusted list criteria",MpPreferenceAsr,01443614-cd74-433a-b99e-2ecdc07bfc25,,,,,,0,0,=,Low +10984,"Microsoft Defender Exploit Guard","ASR: Block Win32 API calls from Office macros (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b,,,,0,1,=,Medium +11022,"Microsoft Defender Exploit Guard","ASR: Block Win32 API calls from Office macros",MpPreferenceAsr,92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b,,,,,,0,1,=,Medium +10985,"Microsoft Defender Exploit Guard","ASR: Block executable files from running unless they meet a prevalence, age, or trusted list criterion (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",01443614-cd74-433a-b99e-2ecdc07bfc25,,,,0,0,=,Low +11023,"Microsoft Defender Exploit Guard","ASR: Block executable files from running unless they meet a prevalence, age, or trusted list criterion",MpPreferenceAsr,01443614-cd74-433a-b99e-2ecdc07bfc25,,,,,,0,0,=,Low 10986,"Microsoft Defender Exploit Guard","ASR: Use advanced protection against ransomware (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",c1db55ab-c21a-4637-bb3f-a12568109d35,,,,0,1,=,Medium 11024,"Microsoft Defender Exploit Guard","ASR: Use advanced protection against ransomware",MpPreferenceAsr,c1db55ab-c21a-4637-bb3f-a12568109d35,,,,,,0,1,=,Medium 10987,"Microsoft Defender Exploit Guard","ASR: Block credential stealing from the Windows local security authority subsystem (lsass.exe) (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2,,,,0,1,=,Medium @@ -304,8 +304,8 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 11026,"Microsoft Defender Exploit Guard","ASR: Block process creations originating from PSExec and WMI commands",MpPreferenceAsr,d1e49aac-8f56-4280-b9ba-993a6d77406c,,,,,,0,0,=,Low 10989,"Microsoft Defender Exploit Guard","ASR: Block untrusted and unsigned processes that run from USB (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4,,,,0,1,=,Medium 11027,"Microsoft Defender Exploit Guard","ASR: Block untrusted and unsigned processes that run from USB",MpPreferenceAsr,b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4,,,,,,0,1,=,Medium -10990,"Microsoft Defender Exploit Guard","ASR: Block Office communication applications from creating child processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",26190899-1602-49e8-8b27-eb1d0a1ce869,,,,0,1,=,Medium -11028,"Microsoft Defender Exploit Guard","ASR: Block Office communication applications from creating child processes",MpPreferenceAsr,26190899-1602-49e8-8b27-eb1d0a1ce869,,,,,,0,1,=,Medium +10990,"Microsoft Defender Exploit Guard","ASR: Block Office communication application from creating child processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",26190899-1602-49e8-8b27-eb1d0a1ce869,,,,0,1,=,Medium +11028,"Microsoft Defender Exploit Guard","ASR: Block Office communication application from creating child processes",MpPreferenceAsr,26190899-1602-49e8-8b27-eb1d0a1ce869,,,,,,0,1,=,Medium 10991,"Microsoft Defender Exploit Guard","ASR: Block Adobe Reader from creating child processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c,,,,0,1,=,Medium 11029,"Microsoft Defender Exploit Guard","ASR: Block Adobe Reader from creating child processes",MpPreferenceAsr,7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c,,,,,,0,1,=,Medium 10992,"Microsoft Defender Exploit Guard","ASR: Block persistence through WMI event subscription (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",e6db77e5-3df2-4cf1-b95a-636979351e5b,,,,0,1,=,Medium diff --git a/lists/finding_list_msft_security_baseline_windows_server_2022_21h2_member_machine.csv b/lists/finding_list_msft_security_baseline_windows_server_2022_21h2_member_machine.csv index 9e48527..a04c8ee 100644 --- a/lists/finding_list_msft_security_baseline_windows_server_2022_21h2_member_machine.csv +++ b/lists/finding_list_msft_security_baseline_windows_server_2022_21h2_member_machine.csv @@ -103,7 +103,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 10533,"Windows Firewall","Outbound Connections (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile,DefaultOutboundAction,,,,0,0,=,Medium 10534,"Windows Firewall","Outbound Connections (Public Profile)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile,DefaultOutboundAction,,,,0,0,=,Medium 10600,"Administrative Templates: Control Panel","Personalization: Prevent enabling lock screen camera",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Personalization,NoLockScreenCamera,,,,0,1,=,Low -10601,"Administrative Templates: Control Panel","Personalization: Prevent enabling lock screen slide",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Personalization,NoLockScreenSlideshow,,,,0,1,=,Low +10601,"Administrative Templates: Control Panel","Personalization: Prevent enabling lock screen slide show",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Personalization,NoLockScreenSlideshow,,,,0,1,=,Low 10610,"Administrative Templates: LAPS","Enable local admin password management",Registry,,"HKLM:\Software\Policies\Microsoft Services\AdmPwd",AdmPwdEnabled,,,,,1,=,Medium 10620,"MS Security Guide","Apply UAC restrictions to local accounts on network logons",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,LocalAccountTokenFilterPolicy,,,,,0,=,Medium 10621,"MS Security Guide","Configure SMB v1 client driver",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\MrxSmb10,Start,,,,,4,=,Medium @@ -138,9 +138,9 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 10753,"Administrative Templates: Windows Components","AutoPlay Policies: Set the default behavior for AutoRun",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoAutorun,,,,0,1,=,Medium 10754,"Administrative Templates: Windows Components","AutoPlay Policies: Turn off Autoplay",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoDriveTypeAutoRun,,,,0,255,=,Medium 10755,"Administrative Templates: Windows Components","Biometrics: Facial Features: Configure enhanced anti-spoofing",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures,EnhancedAntiSpoofing,,,,,1,=,Medium -10763,"Administrative Templates: Windows Components","Event Log Service: Specify the maximum Application log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Application,MaxSize,,,,4096,32768,>=,Medium -10764,"Administrative Templates: Windows Components","Event Log Service: Specify the maximum Security log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Security,MaxSize,,,,4096,196608,>=,Medium -10765,"Administrative Templates: Windows Components","Event Log Service: Specify the maximum System log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\System,MaxSize,,,,4096,32768,>=,Medium +10763,"Administrative Templates: Windows Components","Event Log Service: Application: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Application,MaxSize,,,,4096,32768,>=,Medium +10764,"Administrative Templates: Windows Components","Event Log Service: Security: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Security,MaxSize,,,,4096,196608,>=,Medium +10765,"Administrative Templates: Windows Components","Event Log Service: System: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\System,MaxSize,,,,4096,32768,>=,Medium 10766,"Administrative Templates: Windows Components","File Explorer: Configure Windows Defender SmartScreen",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,EnableSmartScreen,,,,1,1,=,Medium 10767,"Administrative Templates: Windows Components","File Explorer: Configure Windows Defender SmartScreen to warn and prevent bypass",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,ShellSmartScreenLevel,,,,Warn,Block,=,Medium 10800,"Internet Explorer","Prevent bypassing SmartScreen Filter warnings",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\PhishingFilter",PreventOverride,,,,,1,=,Medium @@ -282,20 +282,20 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 10977,"Microsoft Defender Exploit Guard","Attack Surface Reduction rules",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR",ExploitGuard_ASR_Rules,,,,0,1,=,Medium 10978,"Microsoft Defender Exploit Guard","ASR: Block executable content from email client and webmail (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",be9ba2d9-53ea-4cdc-84e5-9b1eeee46550,,,,0,1,=,Medium 11028,"Microsoft Defender Exploit Guard","ASR: Block executable content from email client and webmail",MpPreferenceAsr,be9ba2d9-53ea-4cdc-84e5-9b1eeee46550,,,,,,0,1,=,Medium -10979,"Microsoft Defender Exploit Guard","ASR: Block Office applications from creating child processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",d4f940ab-401b-4efc-aadc-ad5f3c50688a,,,,0,1,=,Medium -11029,"Microsoft Defender Exploit Guard","ASR: Block Office applications from creating child processes",MpPreferenceAsr,d4f940ab-401b-4efc-aadc-ad5f3c50688a,,,,,,0,1,=,Medium +10979,"Microsoft Defender Exploit Guard","ASR: Block all Office applications from creating child processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",d4f940ab-401b-4efc-aadc-ad5f3c50688a,,,,0,1,=,Medium +11029,"Microsoft Defender Exploit Guard","ASR: Block all Office applications from creating child processes",MpPreferenceAsr,d4f940ab-401b-4efc-aadc-ad5f3c50688a,,,,,,0,1,=,Medium 10980,"Microsoft Defender Exploit Guard","ASR: Block Office applications from creating executable content (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",3b576869-a4ec-4529-8536-b80a7769e899,,,,0,1,=,Medium 11030,"Microsoft Defender Exploit Guard","ASR: Block Office applications from creating executable content",MpPreferenceAsr,3b576869-a4ec-4529-8536-b80a7769e899,,,,,,0,1,=,Medium -10981,"Microsoft Defender Exploit Guard","ASR: Block Office applications from injecting into other processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84,,,,0,1,=,Medium -11016,"Microsoft Defender Exploit Guard","ASR: Block Office applications from injecting into other processes",MpPreferenceAsr,75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84,,,,,,0,1,=,Medium +10981,"Microsoft Defender Exploit Guard","ASR: Block Office applications from injecting code into other processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84,,,,0,1,=,Medium +11016,"Microsoft Defender Exploit Guard","ASR: Block Office applications from injecting code into other processes",MpPreferenceAsr,75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84,,,,,,0,1,=,Medium 10982,"Microsoft Defender Exploit Guard","ASR: Block JavaScript or VBScript from launching downloaded executable content (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",d3e037e1-3eb8-44c8-a917-57927947596d,,,,0,1,=,Medium 11020,"Microsoft Defender Exploit Guard","ASR: Block JavaScript or VBScript from launching downloaded executable content",MpPreferenceAsr,d3e037e1-3eb8-44c8-a917-57927947596d,,,,,,0,1,=,Medium 10983,"Microsoft Defender Exploit Guard","ASR: Block execution of potentially obfuscated scripts (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",5beb7efe-fd9a-4556-801d-275e5ffc04cc,,,,0,1,=,Medium 11021,"Microsoft Defender Exploit Guard","ASR: Block execution of potentially obfuscated scripts",MpPreferenceAsr,5beb7efe-fd9a-4556-801d-275e5ffc04cc,,,,,,0,1,=,Medium -10984,"Microsoft Defender Exploit Guard","ASR: Block Win32 imports from Macro code in Office (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b,,,,0,1,=,Medium -11022,"Microsoft Defender Exploit Guard","ASR: Block Win32 imports from Macro code in Office",MpPreferenceAsr,92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b,,,,,,0,1,=,Medium -10985,"Microsoft Defender Exploit Guard","ASR: Block executable files from running unless they meet a prevalence, age, or trusted list criteria (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",01443614-cd74-433a-b99e-2ecdc07bfc25,,,,0,0,=,Low -11023,"Microsoft Defender Exploit Guard","ASR: Block executable files from running unless they meet a prevalence, age, or trusted list criteria",MpPreferenceAsr,01443614-cd74-433a-b99e-2ecdc07bfc25,,,,,,0,0,=,Low +10984,"Microsoft Defender Exploit Guard","ASR: Block Win32 API calls from Office macros (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b,,,,0,1,=,Medium +11022,"Microsoft Defender Exploit Guard","ASR: Block Win32 API calls from Office macros",MpPreferenceAsr,92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b,,,,,,0,1,=,Medium +10985,"Microsoft Defender Exploit Guard","ASR: Block executable files from running unless they meet a prevalence, age, or trusted list criterion (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",01443614-cd74-433a-b99e-2ecdc07bfc25,,,,0,0,=,Low +11023,"Microsoft Defender Exploit Guard","ASR: Block executable files from running unless they meet a prevalence, age, or trusted list criterion",MpPreferenceAsr,01443614-cd74-433a-b99e-2ecdc07bfc25,,,,,,0,0,=,Low 10986,"Microsoft Defender Exploit Guard","ASR: Use advanced protection against ransomware (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",c1db55ab-c21a-4637-bb3f-a12568109d35,,,,0,1,=,Medium 11024,"Microsoft Defender Exploit Guard","ASR: Use advanced protection against ransomware",MpPreferenceAsr,c1db55ab-c21a-4637-bb3f-a12568109d35,,,,,,0,1,=,Medium 10987,"Microsoft Defender Exploit Guard","ASR: Block credential stealing from the Windows local security authority subsystem (lsass.exe) (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2,,,,0,1,=,Medium @@ -304,8 +304,8 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 11026,"Microsoft Defender Exploit Guard","ASR: Block process creations originating from PSExec and WMI commands",MpPreferenceAsr,d1e49aac-8f56-4280-b9ba-993a6d77406c,,,,,,0,0,=,Low 10989,"Microsoft Defender Exploit Guard","ASR: Block untrusted and unsigned processes that run from USB (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4,,,,0,1,=,Medium 11027,"Microsoft Defender Exploit Guard","ASR: Block untrusted and unsigned processes that run from USB",MpPreferenceAsr,b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4,,,,,,0,1,=,Medium -10990,"Microsoft Defender Exploit Guard","ASR: Block Office communication applications from creating child processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",26190899-1602-49e8-8b27-eb1d0a1ce869,,,,0,1,=,Medium -11028,"Microsoft Defender Exploit Guard","ASR: Block Office communication applications from creating child processes",MpPreferenceAsr,26190899-1602-49e8-8b27-eb1d0a1ce869,,,,,,0,1,=,Medium +10990,"Microsoft Defender Exploit Guard","ASR: Block Office communication application from creating child processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",26190899-1602-49e8-8b27-eb1d0a1ce869,,,,0,1,=,Medium +11028,"Microsoft Defender Exploit Guard","ASR: Block Office communication application from creating child processes",MpPreferenceAsr,26190899-1602-49e8-8b27-eb1d0a1ce869,,,,,,0,1,=,Medium 10991,"Microsoft Defender Exploit Guard","ASR: Block Adobe Reader from creating child processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c,,,,0,1,=,Medium 11029,"Microsoft Defender Exploit Guard","ASR: Block Adobe Reader from creating child processes",MpPreferenceAsr,7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c,,,,,,0,1,=,Medium 10992,"Microsoft Defender Exploit Guard","ASR: Block persistence through WMI event subscription (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",e6db77e5-3df2-4cf1-b95a-636979351e5b,,,,0,1,=,Medium diff --git a/lists/finding_list_msft_security_baseline_windows_server_20h2_dc_machine.csv b/lists/finding_list_msft_security_baseline_windows_server_20h2_dc_machine.csv index 0ccc537..697dde3 100644 --- a/lists/finding_list_msft_security_baseline_windows_server_20h2_dc_machine.csv +++ b/lists/finding_list_msft_security_baseline_windows_server_20h2_dc_machine.csv @@ -106,7 +106,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 10533,"Windows Firewall","Outbound Connections (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile,DefaultOutboundAction,,,,0,0,=,Medium 10534,"Windows Firewall","Outbound Connections (Public Profile)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile,DefaultOutboundAction,,,,0,0,=,Medium 10600,"Administrative Templates: Control Panel","Personalization: Prevent enabling lock screen camera",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Personalization,NoLockScreenCamera,,,,0,1,=,Low -10601,"Administrative Templates: Control Panel","Personalization: Prevent enabling lock screen slide",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Personalization,NoLockScreenSlideshow,,,,0,1,=,Low +10601,"Administrative Templates: Control Panel","Personalization: Prevent enabling lock screen slide show",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Personalization,NoLockScreenSlideshow,,,,0,1,=,Low 10621,"MS Security Guide","Configure SMB v1 client driver",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\MrxSmb10,Start,,,,,4,=,Medium 10622,"MS Security Guide","Configure SMB v1 server",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters,SMB1,,,,,0,=,Medium 10623,"MS Security Guide","Enable Structured Exception Handling Overwrite Protection (SEHOP)",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel",DisableExceptionChainValidation,,,,,0,=,Medium @@ -136,9 +136,9 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 10753,"Administrative Templates: Windows Components","AutoPlay Policies: Set the default behavior for AutoRun",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoAutorun,,,,0,1,=,Medium 10754,"Administrative Templates: Windows Components","AutoPlay Policies: Turn off Autoplay",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoDriveTypeAutoRun,,,,0,255,=,Medium 10755,"Administrative Templates: Windows Components","Biometrics: Facial Features: Configure enhanced anti-spoofing",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures,EnhancedAntiSpoofing,,,,,1,=,Medium -10763,"Administrative Templates: Windows Components","Event Log Service: Specify the maximum Application log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Application,MaxSize,,,,4096,32768,>=,Medium -10764,"Administrative Templates: Windows Components","Event Log Service: Specify the maximum Security log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Security,MaxSize,,,,4096,196608,>=,Medium -10765,"Administrative Templates: Windows Components","Event Log Service: Specify the maximum System log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\System,MaxSize,,,,4096,32768,>=,Medium +10763,"Administrative Templates: Windows Components","Event Log Service: Application: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Application,MaxSize,,,,4096,32768,>=,Medium +10764,"Administrative Templates: Windows Components","Event Log Service: Security: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Security,MaxSize,,,,4096,196608,>=,Medium +10765,"Administrative Templates: Windows Components","Event Log Service: System: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\System,MaxSize,,,,4096,32768,>=,Medium 10766,"Administrative Templates: Windows Components","File Explorer: Configure Windows Defender SmartScreen",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,EnableSmartScreen,,,,1,1,=,Medium 10767,"Administrative Templates: Windows Components","File Explorer: Configure Windows Defender SmartScreen to warn and prevent bypass",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,ShellSmartScreenLevel,,,,Warn,Block,=,Medium 10800,"Internet Explorer","Prevent bypassing SmartScreen Filter warnings",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\PhishingFilter",PreventOverride,,,,,1,=,Medium @@ -292,20 +292,20 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 10977,"Microsoft Defender Exploit Guard","Attack Surface Reduction rules",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR",ExploitGuard_ASR_Rules,,,,0,1,=,Medium 10978,"Microsoft Defender Exploit Guard","ASR: Block executable content from email client and webmail (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",be9ba2d9-53ea-4cdc-84e5-9b1eeee46550,,,,0,1,=,Medium 11016,"Microsoft Defender Exploit Guard","ASR: Block executable content from email client and webmail",MpPreferenceAsr,be9ba2d9-53ea-4cdc-84e5-9b1eeee46550,,,,,,0,1,=,Medium -10979,"Microsoft Defender Exploit Guard","ASR: Block Office applications from creating child processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",d4f940ab-401b-4efc-aadc-ad5f3c50688a,,,,0,1,=,Medium -11029,"Microsoft Defender Exploit Guard","ASR: Block Office applications from creating child processes",MpPreferenceAsr,d4f940ab-401b-4efc-aadc-ad5f3c50688a,,,,,,0,1,=,Medium +10979,"Microsoft Defender Exploit Guard","ASR: Block all Office applications from creating child processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",d4f940ab-401b-4efc-aadc-ad5f3c50688a,,,,0,1,=,Medium +11029,"Microsoft Defender Exploit Guard","ASR: Block all Office applications from creating child processes",MpPreferenceAsr,d4f940ab-401b-4efc-aadc-ad5f3c50688a,,,,,,0,1,=,Medium 10980,"Microsoft Defender Exploit Guard","ASR: Block Office applications from creating executable content (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",3b576869-a4ec-4529-8536-b80a7769e899,,,,0,1,=,Medium 11030,"Microsoft Defender Exploit Guard","ASR: Block Office applications from creating executable content",MpPreferenceAsr,3b576869-a4ec-4529-8536-b80a7769e899,,,,,,0,1,=,Medium -10981,"Microsoft Defender Exploit Guard","ASR: Block Office applications from injecting into other processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84,,,,0,1,=,Medium -11016,"Microsoft Defender Exploit Guard","ASR: Block Office applications from injecting into other processes",MpPreferenceAsr,75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84,,,,,,0,1,=,Medium +10981,"Microsoft Defender Exploit Guard","ASR: Block Office applications from injecting code into other processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84,,,,0,1,=,Medium +11016,"Microsoft Defender Exploit Guard","ASR: Block Office applications from injecting code into other processes",MpPreferenceAsr,75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84,,,,,,0,1,=,Medium 10982,"Microsoft Defender Exploit Guard","ASR: Block JavaScript or VBScript from launching downloaded executable content (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",d3e037e1-3eb8-44c8-a917-57927947596d,,,,0,1,=,Medium 11017,"Microsoft Defender Exploit Guard","ASR: Block JavaScript or VBScript from launching downloaded executable content",MpPreferenceAsr,d3e037e1-3eb8-44c8-a917-57927947596d,,,,,,0,1,=,Medium 10983,"Microsoft Defender Exploit Guard","ASR: Block execution of potentially obfuscated scripts (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",5beb7efe-fd9a-4556-801d-275e5ffc04cc,,,,0,1,=,Medium 11018,"Microsoft Defender Exploit Guard","ASR: Block execution of potentially obfuscated scripts",MpPreferenceAsr,5beb7efe-fd9a-4556-801d-275e5ffc04cc,,,,,,0,1,=,Medium -10984,"Microsoft Defender Exploit Guard","ASR: Block Win32 imports from Macro code in Office (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b,,,,0,1,=,Medium -11019,"Microsoft Defender Exploit Guard","ASR: Block Win32 imports from Macro code in Office",MpPreferenceAsr,92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b,,,,,,0,1,=,Medium -10985,"Microsoft Defender Exploit Guard","ASR: Block executable files from running unless they meet a prevalence, age, or trusted list criteria (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",01443614-cd74-433a-b99e-2ecdc07bfc25,,,,0,0,=,Low -11020,"Microsoft Defender Exploit Guard","ASR: Block executable files from running unless they meet a prevalence, age, or trusted list criteria",MpPreferenceAsr,01443614-cd74-433a-b99e-2ecdc07bfc25,,,,,,0,0,=,Low +10984,"Microsoft Defender Exploit Guard","ASR: Block Win32 API calls from Office macros (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b,,,,0,1,=,Medium +11019,"Microsoft Defender Exploit Guard","ASR: Block Win32 API calls from Office macros",MpPreferenceAsr,92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b,,,,,,0,1,=,Medium +10985,"Microsoft Defender Exploit Guard","ASR: Block executable files from running unless they meet a prevalence, age, or trusted list criterion (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",01443614-cd74-433a-b99e-2ecdc07bfc25,,,,0,0,=,Low +11020,"Microsoft Defender Exploit Guard","ASR: Block executable files from running unless they meet a prevalence, age, or trusted list criterion",MpPreferenceAsr,01443614-cd74-433a-b99e-2ecdc07bfc25,,,,,,0,0,=,Low 10986,"Microsoft Defender Exploit Guard","ASR: Use advanced protection against ransomware (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",c1db55ab-c21a-4637-bb3f-a12568109d35,,,,0,1,=,Medium 11021,"Microsoft Defender Exploit Guard","ASR: Use advanced protection against ransomware",MpPreferenceAsr,c1db55ab-c21a-4637-bb3f-a12568109d35,,,,,,0,1,=,Medium 10987,"Microsoft Defender Exploit Guard","ASR: Block credential stealing from the Windows local security authority subsystem (lsass.exe) (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2,,,,0,1,=,Medium @@ -314,8 +314,8 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 11023,"Microsoft Defender Exploit Guard","ASR: Block process creations originating from PSExec and WMI commands",MpPreferenceAsr,d1e49aac-8f56-4280-b9ba-993a6d77406c,,,,,,0,0,=,Low 10989,"Microsoft Defender Exploit Guard","ASR: Block untrusted and unsigned processes that run from USB (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4,,,,0,1,=,Medium 11024,"Microsoft Defender Exploit Guard","ASR: Block untrusted and unsigned processes that run from USB",MpPreferenceAsr,b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4,,,,,,0,1,=,Medium -10990,"Microsoft Defender Exploit Guard","ASR: Block Office communication applications from creating child processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",26190899-1602-49e8-8b27-eb1d0a1ce869,,,,0,1,=,Medium -11025,"Microsoft Defender Exploit Guard","ASR: Block Office communication applications from creating child processes",MpPreferenceAsr,26190899-1602-49e8-8b27-eb1d0a1ce869,,,,,,0,1,=,Medium +10990,"Microsoft Defender Exploit Guard","ASR: Block Office communication application from creating child processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",26190899-1602-49e8-8b27-eb1d0a1ce869,,,,0,1,=,Medium +11025,"Microsoft Defender Exploit Guard","ASR: Block Office communication application from creating child processes",MpPreferenceAsr,26190899-1602-49e8-8b27-eb1d0a1ce869,,,,,,0,1,=,Medium 10991,"Microsoft Defender Exploit Guard","ASR: Block Adobe Reader from creating child processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c,,,,0,1,=,Medium 11026,"Microsoft Defender Exploit Guard","ASR: Block Adobe Reader from creating child processes",MpPreferenceAsr,7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c,,,,,,0,1,=,Medium 10992,"Microsoft Defender Exploit Guard","ASR: Block persistence through WMI event subscription (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",e6db77e5-3df2-4cf1-b95a-636979351e5b,,,,0,1,=,Medium diff --git a/lists/finding_list_msft_security_baseline_windows_server_20h2_member_machine.csv b/lists/finding_list_msft_security_baseline_windows_server_20h2_member_machine.csv index 2193c5d..115ab14 100644 --- a/lists/finding_list_msft_security_baseline_windows_server_20h2_member_machine.csv +++ b/lists/finding_list_msft_security_baseline_windows_server_20h2_member_machine.csv @@ -102,7 +102,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 10533,"Windows Firewall","Outbound Connections (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile,DefaultOutboundAction,,,,0,0,=,Medium 10534,"Windows Firewall","Outbound Connections (Public Profile)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile,DefaultOutboundAction,,,,0,0,=,Medium 10600,"Administrative Templates: Control Panel","Personalization: Prevent enabling lock screen camera",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Personalization,NoLockScreenCamera,,,,0,1,=,Low -10601,"Administrative Templates: Control Panel","Personalization: Prevent enabling lock screen slide",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Personalization,NoLockScreenSlideshow,,,,0,1,=,Low +10601,"Administrative Templates: Control Panel","Personalization: Prevent enabling lock screen slide show",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Personalization,NoLockScreenSlideshow,,,,0,1,=,Low 10610,"Administrative Templates: LAPS","Enable local admin password management",Registry,,"HKLM:\Software\Policies\Microsoft Services\AdmPwd",AdmPwdEnabled,,,,,1,=,Medium 10620,"MS Security Guide","Apply UAC restrictions to local accounts on network logons",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,LocalAccountTokenFilterPolicy,,,,,0,=,Medium 10621,"MS Security Guide","Configure SMB v1 client driver",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\MrxSmb10,Start,,,,,4,=,Medium @@ -136,9 +136,9 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 10753,"Administrative Templates: Windows Components","AutoPlay Policies: Set the default behavior for AutoRun",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoAutorun,,,,0,1,=,Medium 10754,"Administrative Templates: Windows Components","AutoPlay Policies: Turn off Autoplay",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoDriveTypeAutoRun,,,,0,255,=,Medium 10755,"Administrative Templates: Windows Components","Biometrics: Facial Features: Configure enhanced anti-spoofing",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures,EnhancedAntiSpoofing,,,,,1,=,Medium -10763,"Administrative Templates: Windows Components","Event Log Service: Specify the maximum Application log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Application,MaxSize,,,,4096,32768,>=,Medium -10764,"Administrative Templates: Windows Components","Event Log Service: Specify the maximum Security log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Security,MaxSize,,,,4096,196608,>=,Medium -10765,"Administrative Templates: Windows Components","Event Log Service: Specify the maximum System log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\System,MaxSize,,,,4096,32768,>=,Medium +10763,"Administrative Templates: Windows Components","Event Log Service: Application: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Application,MaxSize,,,,4096,32768,>=,Medium +10764,"Administrative Templates: Windows Components","Event Log Service: Security: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Security,MaxSize,,,,4096,196608,>=,Medium +10765,"Administrative Templates: Windows Components","Event Log Service: System: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\System,MaxSize,,,,4096,32768,>=,Medium 10766,"Administrative Templates: Windows Components","File Explorer: Configure Windows Defender SmartScreen",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,EnableSmartScreen,,,,1,1,=,Medium 10767,"Administrative Templates: Windows Components","File Explorer: Configure Windows Defender SmartScreen to warn and prevent bypass",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,ShellSmartScreenLevel,,,,Warn,Block,=,Medium 10800,"Internet Explorer","Prevent bypassing SmartScreen Filter warnings",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\PhishingFilter",PreventOverride,,,,,1,=,Medium @@ -292,20 +292,20 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 10977,"Microsoft Defender Exploit Guard","Attack Surface Reduction rules",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR",ExploitGuard_ASR_Rules,,,,0,1,=,Medium 10978,"Microsoft Defender Exploit Guard","ASR: Block executable content from email client and webmail (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",be9ba2d9-53ea-4cdc-84e5-9b1eeee46550,,,,0,1,=,Medium 11016,"Microsoft Defender Exploit Guard","ASR: Block executable content from email client and webmail",MpPreferenceAsr,be9ba2d9-53ea-4cdc-84e5-9b1eeee46550,,,,,,0,1,=,Medium -10979,"Microsoft Defender Exploit Guard","ASR: Block Office applications from creating child processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",d4f940ab-401b-4efc-aadc-ad5f3c50688a,,,,0,1,=,Medium -11029,"Microsoft Defender Exploit Guard","ASR: Block Office applications from creating child processes",MpPreferenceAsr,d4f940ab-401b-4efc-aadc-ad5f3c50688a,,,,,,0,1,=,Medium +10979,"Microsoft Defender Exploit Guard","ASR: Block all Office applications from creating child processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",d4f940ab-401b-4efc-aadc-ad5f3c50688a,,,,0,1,=,Medium +11029,"Microsoft Defender Exploit Guard","ASR: Block all Office applications from creating child processes",MpPreferenceAsr,d4f940ab-401b-4efc-aadc-ad5f3c50688a,,,,,,0,1,=,Medium 10980,"Microsoft Defender Exploit Guard","ASR: Block Office applications from creating executable content (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",3b576869-a4ec-4529-8536-b80a7769e899,,,,0,1,=,Medium 11030,"Microsoft Defender Exploit Guard","ASR: Block Office applications from creating executable content",MpPreferenceAsr,3b576869-a4ec-4529-8536-b80a7769e899,,,,,,0,1,=,Medium -10981,"Microsoft Defender Exploit Guard","ASR: Block Office applications from injecting into other processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84,,,,0,1,=,Medium -11016,"Microsoft Defender Exploit Guard","ASR: Block Office applications from injecting into other processes",MpPreferenceAsr,75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84,,,,,,0,1,=,Medium +10981,"Microsoft Defender Exploit Guard","ASR: Block Office applications from injecting code into other processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84,,,,0,1,=,Medium +11016,"Microsoft Defender Exploit Guard","ASR: Block Office applications from injecting code into other processes",MpPreferenceAsr,75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84,,,,,,0,1,=,Medium 10982,"Microsoft Defender Exploit Guard","ASR: Block JavaScript or VBScript from launching downloaded executable content (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",d3e037e1-3eb8-44c8-a917-57927947596d,,,,0,1,=,Medium 11017,"Microsoft Defender Exploit Guard","ASR: Block JavaScript or VBScript from launching downloaded executable content",MpPreferenceAsr,d3e037e1-3eb8-44c8-a917-57927947596d,,,,,,0,1,=,Medium 10983,"Microsoft Defender Exploit Guard","ASR: Block execution of potentially obfuscated scripts (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",5beb7efe-fd9a-4556-801d-275e5ffc04cc,,,,0,1,=,Medium 11018,"Microsoft Defender Exploit Guard","ASR: Block execution of potentially obfuscated scripts",MpPreferenceAsr,5beb7efe-fd9a-4556-801d-275e5ffc04cc,,,,,,0,1,=,Medium -10984,"Microsoft Defender Exploit Guard","ASR: Block Win32 imports from Macro code in Office (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b,,,,0,1,=,Medium -11019,"Microsoft Defender Exploit Guard","ASR: Block Win32 imports from Macro code in Office",MpPreferenceAsr,92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b,,,,,,0,1,=,Medium -10985,"Microsoft Defender Exploit Guard","ASR: Block executable files from running unless they meet a prevalence, age, or trusted list criteria (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",01443614-cd74-433a-b99e-2ecdc07bfc25,,,,0,0,=,Low -11020,"Microsoft Defender Exploit Guard","ASR: Block executable files from running unless they meet a prevalence, age, or trusted list criteria",MpPreferenceAsr,01443614-cd74-433a-b99e-2ecdc07bfc25,,,,,,0,0,=,Low +10984,"Microsoft Defender Exploit Guard","ASR: Block Win32 API calls from Office macros (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b,,,,0,1,=,Medium +11019,"Microsoft Defender Exploit Guard","ASR: Block Win32 API calls from Office macros",MpPreferenceAsr,92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b,,,,,,0,1,=,Medium +10985,"Microsoft Defender Exploit Guard","ASR: Block executable files from running unless they meet a prevalence, age, or trusted list criterion (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",01443614-cd74-433a-b99e-2ecdc07bfc25,,,,0,0,=,Low +11020,"Microsoft Defender Exploit Guard","ASR: Block executable files from running unless they meet a prevalence, age, or trusted list criterion",MpPreferenceAsr,01443614-cd74-433a-b99e-2ecdc07bfc25,,,,,,0,0,=,Low 10986,"Microsoft Defender Exploit Guard","ASR: Use advanced protection against ransomware (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",c1db55ab-c21a-4637-bb3f-a12568109d35,,,,0,1,=,Medium 11021,"Microsoft Defender Exploit Guard","ASR: Use advanced protection against ransomware",MpPreferenceAsr,c1db55ab-c21a-4637-bb3f-a12568109d35,,,,,,0,1,=,Medium 10987,"Microsoft Defender Exploit Guard","ASR: Block credential stealing from the Windows local security authority subsystem (lsass.exe) (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2,,,,0,1,=,Medium @@ -314,8 +314,8 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 11023,"Microsoft Defender Exploit Guard","ASR: Block process creations originating from PSExec and WMI commands",MpPreferenceAsr,d1e49aac-8f56-4280-b9ba-993a6d77406c,,,,,,0,0,=,Low 10989,"Microsoft Defender Exploit Guard","ASR: Block untrusted and unsigned processes that run from USB (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4,,,,0,1,=,Medium 11024,"Microsoft Defender Exploit Guard","ASR: Block untrusted and unsigned processes that run from USB",MpPreferenceAsr,b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4,,,,,,0,1,=,Medium -10990,"Microsoft Defender Exploit Guard","ASR: Block Office communication applications from creating child processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",26190899-1602-49e8-8b27-eb1d0a1ce869,,,,0,1,=,Medium -11025,"Microsoft Defender Exploit Guard","ASR: Block Office communication applications from creating child processes",MpPreferenceAsr,26190899-1602-49e8-8b27-eb1d0a1ce869,,,,,,0,1,=,Medium +10990,"Microsoft Defender Exploit Guard","ASR: Block Office communication application from creating child processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",26190899-1602-49e8-8b27-eb1d0a1ce869,,,,0,1,=,Medium +11025,"Microsoft Defender Exploit Guard","ASR: Block Office communication application from creating child processes",MpPreferenceAsr,26190899-1602-49e8-8b27-eb1d0a1ce869,,,,,,0,1,=,Medium 10991,"Microsoft Defender Exploit Guard","ASR: Block Adobe Reader from creating child processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c,,,,0,1,=,Medium 11026,"Microsoft Defender Exploit Guard","ASR: Block Adobe Reader from creating child processes",MpPreferenceAsr,7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c,,,,,,0,1,=,Medium 10992,"Microsoft Defender Exploit Guard","ASR: Block persistence through WMI event subscription (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",e6db77e5-3df2-4cf1-b95a-636979351e5b,,,,0,1,=,Medium