Beruflich Dokumente
Kultur Dokumente
This guide has been created to assist IT professionals in effectively securing systems running Microsoft 7
Publisher: National Institute of Standards and Technology Send comments or suggestions to usgcb@nist.gov.
Table of Contents
1 -- Introduction
2 -- Security Guide Development 2.1 -- Windows 7 System Roles and Requirements 2.2 -- Security Categorization of Information and Information Systems 2.3 -- Baseline Security Controls and Threat Analysis Refinement 2.4 -- Environments and Security Controls Documentation 2.5 -- Implementation and Testing of Security Controls 2.6 -- Monitoring and Maintenance 2.7 -- Summary of Recommendations 3 -- Windows 7 Security Components Overview 3.1 -- New Features in Windows 7 3.2 -- Security Features Inherited from earlier Windows versions 3.3 -- Summary of Recommendations 4 -- Installation, Backup, and Patching 4.1 -- Performing a New Installation 4.2 -- Backing Up Systems 4.3 -- Updating Existing Systems 4.4 -- Identifying Security Issues 4.5 -- Summary of Recommendations 5 -- USGCB Security Settings 5.1 -- Account Policies Group 5.2 -- Local Policies Group 5.3 -- System Services Group 5.4 -- Advanced Audit Policy Settings 6 -- USGCB Other Settings 6.1 -- Computer Configuration - Administrative Templates - Network Settings 6.2 -- Printers 6.3 -- Computer Configuration - Administrative Templates - System Settings 7 -- Security Patches
1 - Introduction
threatening injuries. The potential impact is HIGH if the loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. A severe or catastrophic adverse effect means that, for example, the loss of confidentiality, integrity, or availability might (i) cause a severe degradation in or loss of mission capability to an extent and duration that the organization is not able to perform one or more of its primary functions; (ii) result in major damage to organizational assets; (iii) result in major financial loss; or (iv) result in severe or catastrophic harm to individuals involving loss of life or serious life threatening injuries. Each system should be protected based on the potential impact to the system of a loss of confidentiality, integrity, or availability. Protection measures (otherwise known as security controls) tend to fall into two categories. First, security weaknesses in the system need to be resolved. For example, if a system has a known vulnerability that attackers could exploit, the system should be patched so that the vulnerability is removed or mitigated. Second, the system should offer only the required functionality to each authorized user, so that no one can use functions that are not necessary. This principle is known as least privilege. Limiting functionality and resolving security weaknesses have a common goal: give attackers as few opportunities as possible to breach a system. Although each system should ideally be made as secure as possible, this is generally not feasible because the system needs to meet the functional requirements of the systems users. Another common problem with security controls is that they often make systems less convenient or more difficult to use. When usability is an issue, many users will attempt to circumvent security controls; for example, if passwords must be long and complex, users may write them down. Balancing security, functionality, and usability is often a challenge. This guide attempts to strike a proper balance and make recommendations that provide a reasonably secure solution while offering the functionality and usability that users require. Another fundamental principle endorsed by this guide is using multiple layers of security. For example, a host may be protected from external attack by several controls, including a network-based firewall, a host-based firewall, and OS patching. The motivation for having multiple layers is that if one layer fails or otherwise cannot counteract a certain threat, other layers might prevent the threat from successfully breaching the system. A combination of network-based and host-based controls is generally most effective at providing consistent protection for systems. NIST SP 800-53, Recommended Security Controls for Federal Information Systems, proposes minimum baseline management, operational, and technical security controls for information systems. These controls are to be implemented based on the security categorizations proposed by FIPS 199, as described earlier in this section. This guidance should assist agencies in meeting baseline requirements for Windows 7 Enterprise systems deployed in their environments.
policy against writing down passwords (management control), educating users on the dangers of password exposure (operational control), and performing periodic physical audits to identify posted passwords (operational control) may all be helpful in reducing the risks posed by writing down
Physically secure removable storage devices and media, such as CD-ROMs, that contain valuable information. An individual who gains access to a workspace may find it easier to take removable media than attempt to get user-level access on a system.
standard strong protocols (e.g., Internet Protocol Security [IPsec], Secure Shell [SSH], Transport Layer Security [TLS]) for accessing and maintaining systems remotely. Use firewalls or packet filters to restrict access to each service to the authorized hosts only. This prevents unauthorized hosts from gaining access to the services and also prevents worms from propagating from one host to other hosts on the network. Enable logon banners containing a warning of the possible legal consequences of misuse.
when needed for specific maintenance tasks. Many instances of malware cannot successfully infect a system unless the current user has administrative privileges. Configure server and client software such as e-mail servers and clients, Web proxy servers and clients, and productivity applications to reduce exposure to malware. For example, email servers and clients could be configured to block e-mail attachments with certain file extensions. This should help to reduce the likelihood of infections. Configure systems, particularly in specialized security-limited functionality environments, so that the default file associations prevent automatic execution of active content files (e.g., Java, JavaScript, ActiveX).
2.4.1 - SOHO
SOHO, sometimes called standalone, describes small, informal computer installations that are used for home or business purposes. SOHO encompasses a variety of small-scale environments and devices, ranging from laptops, mobile devices, and home computers, to telecommuting systems located on broadband networks, to small businesses and small branch offices of a company. Figure 2-2 shows a typical SOHO network architecture. Historically, SOHO environments are the least secured and most trusting. Generally, the individuals performing SOHO system administration are less knowledgeable about security. This often results in environments that are less secure than they need to be because the focus is generally on functionality and ease of use. A SOHO system might not use any security software (e.g., antivirus software, personal firewall). In some instances, there are no network-based controls such as firewalls, so SOHO systems may be directly exposed to external attacks. Therefore, SOHO environments are frequently targeted for exploitationnot necessarily to acquire information, but more commonly to be used for attacking other computers, or incidentally as collateral damage from the propagation of a worm.
Figure 2-2. Typical SOHO Network Architecture Because the primary threats in SOHO environments are external, and SOHO computers generally have less restrictive security policies than enterprise or specialized security-limited functionality computers, they tend to be most vulnerable to attacks from remote threat categories. (Although remote threats are the primary concern for SOHO environments, it is still important to protect against other threats.) SOHO systems are typically threatened by attacks against network services and by malicious payloads (e.g., viruses, worms). These attacks are most likely to affect availability (e.g., crashing the system, consuming all network bandwidth, breaking functionality) but may also affect
integrity (e.g., infecting data files) and confidentiality (e.g., providing remote access to sensitive data, e-mailing data files to others). SOHO security is improving with the proliferation of small, inexpensive, hardware-based firewall routers that protect to some degree the SOHO machines behind them. The adoption of personal firewalls (e.g., BlackICE, ZoneAlarm, Windows Firewall) is also helping to better secure SOHO environments. Another key to SOHO security is strengthening the hosts on the SOHO network by patching vulnerabilities and altering settings to restrict unneeded functionality.
2.4.2 - Enterprise
The enterprise environment, also known as a managed environment, is typically comprised of large organizational systems with defined, organized suites of hardware and software configurations, usually consisting of centrally managed workstations and servers protected from threats on the Internet with firewalls and other network security devices. Figure 2-3 shows a typical enterprise network architecture. Enterprise environments generally have a group dedicated to supporting users and providing security. The combination of structure and skilled staff allows better security practices to be implemented during initial system deployment and in ongoing support and maintenance. Enterprise installations typically use a domain model to effectively manage a variety of settings and allow the sharing of resources (e.g., file servers, printers). The enterprise can enable only the services needed for normal business operations, with other possible avenues of exploit removed or disabled. Authentication, account, and policy management can be administered centrally to maintain a consistent security posture across an organization. The enterprise environment is more restrictive and provides less functionality than the SOHO environment. Managed environments typically have better control on the flow of various types of traffic, such as filtering traffic based on protocols and ports at the enterprises connections with external networks. Because of the supported and largely homogeneous nature of the enterprise environment, it is typically easier to use more functionally restrictive settings than it is in SOHO environments. Enterprise environments also tend to implement several layers of defense (e.g., firewalls, antivirus servers, intrusion detection systems, patch management systems, e-mail filtering), which provides greater protection for systems. In many enterprise environments, interoperability with legacy systems may not be a major requirement, further facilitating the use of more restrictive settings. In an enterprise environment, this guide should be used by advanced users and system administrators. The enterprise environment settings correspond to an enterprise security posture that will protect the information in a moderate risk environment. In the enterprise environment, systems are typically susceptible to local and remote threats. In fact, threats often encompass all the categories of threats defined in Section 2.3. Local attacks, such as unauthorized usage of another users workstation, most often lead to a loss of confidentiality (e.g., unauthorized access to data) but may also lead to a loss of integrity (e.g., data modification) or availability (e.g., theft of a system). Remote threats may be posed not only by attackers outside the organization, but also by internal users who are attacking other internal systems across the organizations network. Most security breaches caused by remote threats involve malicious payloads sent by external parties, such as viruses and worms acquired via e-mail or infected Web sites. Threats against network services tend to payloads and network service attacks are most likely to affect availability (e.g., crashing the system, consuming all network bandwidth, breaking functionality) but may also affect integrity (e.g., infecting data files) and confidentiality (e.g., providing remote access to sensitive data). Data disclosure threats tend to come from internal parties who are monitoring traffic on local networks, and they primarily affect confidentiality.
2.4.4 - Legacy
A legacy environment contains older systems or applications that use outdated communication mechanisms. This most often occurs when machines operating in a legacy environment need more open security settings so they can communicate to the appropriate resources. For example, a system may need to use services and applications that require insecure authentication mechanisms such as null user sessions or open pipes. Because of these special needs, the system does not fit into any of the standard environments; therefore, it should be classified as a legacy environment system. Legacy environments may exist within SOHO and enterprise environments, and in rare cases within specialized security-limited functionality environments as well. Depending on the situation, a legacy environment may face any combination of internal and external threats. The potential impact of the threats should be determined by considering the threats that the system faces (as described in the previous three sections) and then considering what additional risk the system has because of the legacy accommodations.
2.4.5 - SecurityDocumentation
An organization typically has many documents related to the security of Windows 7 systems. Foremost among the documents is a Windows 7 security configuration guide that specifies how Windows 7 systems should be configured and secured. As mentioned in Section 2.2, NIST SP 800-53 proposes management, operational, and technical security controls for systems, each of which should have associated documentation. In addition to documenting procedures for implementing and maintaining various controls, every environment should also have other securityrelated policies and documentation that affect the configuration, maintenance, and usage of systems and applications. Examples of such documents are as follows: Rules of behavior and acceptable use policy Configuration management policy, plan, and procedures Authorization to connect to the network IT contingency plans Security awareness and training for end users and administrators.
consensus settings from CIS, DISA, Microsoft, NIST, NSA, and USAF; the other NIST templates are based on Microsofts templates and recommendations. Although the guidance presented in this document has undergone considerable testing, every system is unique, so it is certainly possible for certain settings to cause unexpected problems. System administrators should perform their own testing, especially for the applications used by their organizations, to identify any functionality or usability problems before the guidance is deployed throughout organizations. It is also critical to confirm that the desired security settings have been implemented properly and are working as expected. See Section 4.4 for information on tools that can identify security-related misconfigurations and vulnerabilities on Windows 7 systems.
several new security features. This guide provides general descriptions of most of these features, with pointers or links to more detailed information whenever possible.
3.2.1 - Kerberos
In a domain, Windows 7 provides support for MIT Kerberos v.5 authentication, as defined in Internet Engineering Task Force (IETF) Request for Comment (RFC) 1510. The Kerberos protocol is composed of three subprotocols: Authentication Service (AS) Exchange, Ticket-Granting Service (TGS) Exchange, and Client/Server (CS) Exchange. The Kerberos v.5 standard can be used only in pure Windows domain environments. Windows domain members use Kerberos as the default network client/server authentication protocol, replacing the older and less secure NTLM and LanManager (LM) authentication methods. The older methods are still supported to allow legacy Windows clients to authenticate to a Windows domain environment. Windows 7 standalone workstations and members of NT domains do not use Kerberos to perform local authentication; they use the traditional NTLM. Because Kerberos provides stronger protection for logon credentials than older authentication methods, it should be used whenever possible. NIST recommends disabling LM and NTLM v1 in specialized security-limited functionality environments, and disabling LM in all other environments.
formatted volume. In addition, EFS now maintains encryption persistence, which means that any file or folder that has been designated as encrypted will remain encrypted when moved to another NTFS-formatted filesystem. Files are still transmitted unencrypted across the network (except when Web Distributed Authoring and Versioning [WebDAV] is used, which will transmit encrypted files across networks), so users should transfer the files through a separate encrypting protocol, such as TLS or IPsec. EFS is best used to provide local encryption for files and is particularly useful for laptops and other systems at high risk of physical attack.
discusses the risks of installing a new system on a network and the factors to consider when partitioning Windows 7 hard drives. It also describes various installation techniques and provides pointers to more information on performing them. Another important topic is the ability of Windows 7 to back up and restore data and system configuration information. This section also discusses how to update existing systems through Microsoft Update and other means to ensure that they are running the latest service packs and hotfixes. Advice is also presented on identifying missing patches and security misconfigurations on systems. Organizations should have sound configuration management policies that govern changes made to operating systems and applications, such as applying patches to an operating system or modifying application configuration settings to provide greater security. Configuration management policies should also address the initial installation of the operating system, the installation of each application, and the roles, responsibilities, and processes for performing and documenting system changes caused by upgrades, patches, and other methods of modification.
printers). See Section 7.5 for more information on network clients, services, and protocols. Consider disabling the following services: Client for Microsoft Networks (most users will require this service) Client Service for NetWare File and Printer Sharing for Microsoft Networks QoS Packet Scheduler NWLink IPX/SPX/NetBIOS Compatible Transport Protocol If possible, assign an Internet Protocol (IP) address, default gateway, and domain name system (DNS) server. Even if the computer will be joining a domain, choose to be in only a workgroup, and change the workgroup name to something other than the default of WORKGROUP. Set all environment-specific settings, such as the time zone. When the installation prompts for accounts to be added, only one account should be added initially. Other accounts can always been added later once the system is fully patched and configured. By default, the account created during the installation and the built-in Administrator account both belong to the Administrators group. After the initial post-installation boot, assign both accounts strong passwords. The next task is to install the latest service pack and hotfixes. Only after the machine has been brought up to current patch levels should it be connected to a regular network. Then, the networking configuration can be changed, such as joining the workstation to a domain, or assigning a workgroup to enable sharing of workgroup resources (e.g., shared directories, printers). Other services that were disabled during installation can be enabled if needed. It is also helpful to scan through the list of installed Windows components, determine which applications and utilities (e.g., Internet games) are not needed, and remove them.
4.1.2.2 - Sysprep
Sysprep is a tool that permits an image from a single Windows 7 computer installation, known as a gold system, to be cloned onto multiple systems in conjunction with a cloning software program such as Symantec Ghost or cloning hardware. This technique reduces user involvement in the installation process to approximately 5 to 10 minutes at the start of the installation. The Sysprep approach has several benefits. Because the standard image can be created with a strong security configuration, Sysprep reduces the possibility of human error during the installation process. In addition, the Windows 7 installation occurs more quickly with Sysprep. This is beneficial not only for building new systems, but also for reinstalling and reconfiguring the operating system and applications much more quickly when needed - for example, as a result of hardware failure or a virus infection. In preparing the gold image for Sysprep, the same guidelines used for a local installation should be used, with the addition of enabling any needed services and patching the system. It is also important to physically secure image media so that it is not inadvertently or purposely altered.
the Backup and Restore Center is used to both backup or restore files. It is very important to verify periodically that backups and restores can be performed successfully; backing up a system regularly may not be beneficial if the backups are corrupt or the wrong files are being backed up, for example. Organizations should have policies and procedures that address the entire backup and recovery process, as well as the protection and storage of backup media and recovery disks. Because backups may contain sensitive user data as well as system configuration and security information (e.g., passwords), backup media should be properly protected to prevent unauthorized access. Besides the backup wizards and utilities provided by Windows 7, there are also various third-party utilities for backing up and restoring files and systems. It is important to verify that the third-party software can properly back up and restore Windows 7 specific resources, such as the Windows registry and EFS-encrypted files and folders. Windows 7's built-in utilities also use a shadow copy backup technique when possible, which allows it to create backups of files that are in use. Third-party backup utilities used on Windows 7 systems should have good mechanisms for handling open files.
depth advice on establishing patching processes and testing and applying patches. For each patch that is released, the patch management team should research the associated vulnerabilities and prioritize the patch appropriately. It is not uncommon for several patches to be released in a relatively short time, and typically one or two of the patches are much more important to the organization than the others. Each patch should be tested with system configurations that are representative of the organizations systems. Once the team determines that the patch is suitable for deployment, the patch needs to be distributed through automated or manual means for installation on all appropriate systems. (There are several third-party applications available for patch management and distribution, which support many types of platforms and offer functionality that supports enterprise requirements.) Finally, the team needs to check systems periodically to confirm that the patch has been installed on each system, and to take actions to ensure that missing patches are applied. Microsoft offers the following command-line tools that may be helpful in hotfix deployment, as follows: The qchain.exe tool allows multiple hotfixes to be installed at one time, instead of installing a hotfix, rebooting, then installing another hotfix. The qfecheck.exe tool can be used to track and verify installed hotfixes.
CCE-9308-8
CCE-9136-3
CCE-9400-3
CCE-8912-8
CCE-9193-4
CCE-9330-2
CCE-9357-5
CCE-9370-8
Password Complexity
CCE-9260-1
If this setting is enabled, passwords will be stored in a decryptible format, putting them at higher risk of compromise. This setting should be disabled unless it is needed to support a legacy authentication protocol, such as Challenge Handshake Authentication Protocol (CHAP).
CCE-9253-6
CCE-9407-8 CCE-9068-8 CCE-9345-0 CCE-9107-4 CCE-9389-8 CCE-8414-5 CCE-8612-4 CCE-8423-6 CCE-9185-0 CCE-9215-5 CCE-8431-9 CCE-9254-4 CCE-8460-8 CCE-8583-7
CCE-9244-5 CCE-9212-2 CCE-9098-5 CCE-9239-5 CCE-9274-2 CCE-9336-9 CCE-9226-2 CCE-8467-3 CCE-9048-0 CCE-8999-5 CCE-9135-5 CCE-9289-0 CCE-9320-3 CCE-9461-5 CCE-9223-9 CCE-9149-6 CCE-9417-7 CCE-8475-6 CCE-9388-0 CCE-9419-3 CCE-9326-0 CCE-8732-0 CCE-9124-9 CCE-9014-2 CCE-9309-6
From The Network Deny Logon As A Batch Job Deny Logon As A Service Deny Logon Locally Deny Logon Through Remote Desktop Services Force Shutdown From A Remote System Generate Security Audits Impersonate a Client After Authentication Increase a Process Working Set Increase Scheduling Priority Load And Unload Device Drivers Lock Pages In Memory Log On As A Batch Job Log On As A Service Manage Auditing And Security Log Modify an object label Modify Firmware Environment Values Perform Volume Maintenance Tasks Profile Single Process Profile System Performance Remove Computer From Docking Station Replace A Process Level Token Restore Files And Directories Shut Down The System Take Ownership Of Files Or Other Objects
appropriately. Verify that the user right 'Deny Logon As A Batch Job' has been granted appropriately. Verify that the user right 'Deny Logon As A Service' has been granted appropriately. Verify that the user right 'Deny Logon Locally' has been granted appropriately. Verify that the user right 'Deny Logon Through Remote Desktop Services' has been granted appropriately. Verify that the user right 'Force Shutdown From A Remote System' has been granted appropriately. Verify that the user right 'Generate Security Audits' has been granted appropriately. Verify that the user right 'Impersonate a Client After Authentication' has been granted appropriately. The "Increase a Process Working Set" setting should be configured correctly. Verify that the user right 'Increase Scheduling Priority' has been granted appropriately. Verify that the user right 'Load And Unload Device Drivers' has been granted appropriately. Verify that the user right 'Lock Pages In Memory' has been granted appropriately. Verify that the user right 'Log On As A Batch Job' has been granted appropriately. Verify that the user right 'Log On As A Service' has been granted appropriately. Verify that the user right 'Manage Auditing And Security Log' has been granted appropriately. The "Modify an object label" user right should be assigned to the appropriate accounts. Verify that the user right 'Modify Firmware Environment Values' has been granted appropriately. Verify that the user right 'Perform Volume Maintenance Tasks' has been granted appropriately. Verify that the user right 'Profile Single Process' has been granted appropriately. Verify that the user right 'Profile System Performance' has been granted appropriately. Verify that the user right 'Remove Computer From Docking Station' has been granted appropriately. Verify that the user right 'Replace A Process Level Token' has been granted appropriately. Verify that the user right 'Restore Files And Directories' has been granted appropriately. Verify that the user right 'Shut Down The System' has been granted appropriately. Verify that the user right 'Take Ownership Of Files Or Other Objects' has been granted appropriately.
Restricting which types of network access may be performed Specifying which types of authentication may be used (e.g., NTLM v2). The Security Options settings can also be accessed and adjusted manually by performing the following steps: 1. 2. 3. 4. From the Start menu, choose Control Panel. Select Administrative Tools, and then choose Local Security Policy. Expand Local Policies and select Security Options. The right pane lists the security option and indicates the current setting for each. Make any necessary changes by doubleclicking on the appropriate security option, modifying the setting, and clicking OK to save the change.
Accounts: Administrator account status The Administrator account status is enabled to allow the administrator to perform configuration control of the system. A system faces an increased vulnerability threat if the built-in guest account is not disabled. This account is a known account that exists on all Windows systems and cannot be deleted. This account is initialized during the installation of the operating system with no password assigned. This account is a member of the Everyone user group and has all the rights and permissions associated with that group, which could subsequently provide access to system resources to anonymous users. Ensure the built-in guest account is disabled. In Windows 7, accounts with null or blank passwords can only be used to log on at the physical systems logon screen. This means that accounts with blank or null passwords cannot be used over networks or with the secondary logon service (RunAs). This feature prevents attackers and malware from gaining remote access through blank passwords. Section 6 contains information on other recommended password settings. The Administrator account is created by default when installing Windows 7, but is disabled. Associating the Administrator SID with a different name may thwart a potential hacker who is targeting the built-in Administrator account. The Guest account is created by default when installing Windows 7, but is disabled. Associating the Guest SID with a different name may thwart a potential hacker who is targeting the built-in Guest account. Controls the ability to audit access of global systems objects. When this setting is enabled, system objects such as mutexes, events, semaphores, and DOS devices, are created with a default system access control list (SACL). Controls the ability to audit the use of all user privileges, including Backup and Restore. If this policy is disabled, certain user rights will not be audited even if "Audit privilege use" audit policy is enabled. Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings This setting determines who is allowed to install a printer driver as part of adding a network printer. Removable media devices (CD-ROM) are readable by others on the network if they are not properly configured. A process can remain running in the background after a user logs off, thereby, permitting access to the media, while another user is logged on to the system. Removable media devices (floppy disks) are readable by others on the network if they are not properly configured. A process can remain running in the background after a user logs off, thereby, permitting access to the media, while another user is logged on to the system. Domain member: Digitally encrypt or sign secure channel data (always). Requests sent on the secure channel are authenticated, and sensitive information (such as passwords) is encrypted or signed. If this policy is enabled, outgoing secure channel traffic should be encrypted. Requests sent on the secure channel are authenticated, and sensitive information (such as passwords) is encrypted, but not all information is encrypted. If this policy is enabled, outgoing secure channel traffic should be encrypted. Requests sent on the secure channel are authenticated, and sensitive information (such as passwords) is encrypted, but the channel is not integrity checked. If this policy is enabled, all outgoing secure channel traffic should be signed.
CCE-9199-1
CCE-8714-8
CCE-9418-5
Accounts: Limit local account use to blank passwords to console logon only
CCE-8484-8
CCE-9229-6
CCE-9150-4
Audit: Audit the access of global system objects Audit: Audit the use of Backup and Restore privilege Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings Devices: Prevent users from installing printer drivers Devices: Restrict CD-ROM access to locally logged-on user only Devices: Restrict floppy access to locally logged-on user only Domain member: Digitally encrypt or sign secure channel data (always) Domain member: Digitally encrypt secure channel data (when possible) Domain member: Digitally sign secure channel data (when possible)
CCE-8789-0
CCE-9432-6
CCE-9026-6
CCE-9304-7
CCE-9440-9
CCE-8974-8
CCE-9251-0
CCE-9375-7
CCE-9295-7
Domain member: Disable machine account password changes Domain member: Maximum machine account password age Domain member: Require strong (Windows 2000 or later) session key Interactive logon: Do not display last user name
Computer account passwords are changed automatically every seven days. Enabling this policy to disable automatic password changes can make the system more vulnerable to malicious access. Frequent password changes can be a significant safeguard for your system. If this policy is disabled, a new password for the computer account will be generated every week. This setting controls the maximum password age that a machine account may have. This setting should be set to no more that 30 days, ensuring that the machine changes its password monthly. This setting controls the required strength of a session key. This setting determines whether the name of the last user to log on to the computer will be displayed in the Windows logon dialog box. Disabling the Ctrl+Alt+Del security attention sequence can compromise system security. Because only Windows responds to the Ctrl+Alt+Del security sequence, you can be assured that any passwords you enter following that sequence are sent only to Windows. If you eliminate the sequence requirement, malicious programs can request and receive your Windows password. Disabling this sequence also suppresses a custom logon banner. Failure to display the logon banner prior to a logon attempt will negate legal proceedings resulting from unauthorized access to system resources.
CCE-9123-1
CCE-9387-2
CCE-9449-0
CCE-9317-9
CCE-8973-0 CCE-8740-3
Interactive logon: Message title for The logon banner should be titled with a warning label containing the name of the owning users attempting to log on organization. The default Windows 7 configuration caches the last logon credentials for users who log on interactively to a system. This feature is provided for system availability reasons such as the users machine is disconnected from the network or domain controllers are not available. Even though the credential cache is well-protected, storing encrypted copies of users passwords on workstations do not always have the same physical protection required for domain controllers. If a workstation is attacked, the unauthorized individual may isolate the password to a domain user account using a password-cracking program, and gain access to the domain. This setting configures the system to display a warning to users telling them how many days are left before their password expires. By giving the user advanced warning, the user has time to construct a sufficiently strong password. This setting controls the behavior of the system when you attempt to unlock the workstation. If this setting is enabled, the system will pass the credentials to the domain controller (if in a domain) for authentication before allowing the system to be unlocked. When the smart card for a logged-on user is removed from the smart card reader, the workstation should be locked. This check verifies that the client policy is set to always sign packets.
CCE-8487-1
Interactive logon: Number of previous logons to cache (in case domain controller is not available)
CCE-9307-0
Interactive logon: Prompt user to change password before expiration Interactive logon: Require Domain Controller authentication to unlock workstation Interactive logon: Smart card removal behavior Microsoft network client: Digitally sign communications (always) Microsoft network client: Digitally sign communications (if server agrees) Microsoft network client: Send unencrypted password to thirdparty SMB servers Microsoft network server: Amount of idle time required before suspending session Microsoft network server: Digitally sign communications (always) Microsoft network server: Digitally sign communications (if client agrees) Microsoft network server: Disconnect clients when logon hours expire
CCE-8818-7
CCE-9067-0 CCE-9327-8
CCE-9344-3
This check verifies that the client policy is set to sign packets if the server agrees. Some non-Microsoft SMB servers only support unencrypted (plain text) password authentication. Sending plain text passwords across the network, when authenticating to an SMB server, reduces the overall security of the environment. Check with the Vendor of the SMB server to see if there is a way to support encrypted password authentication. Administrators should use this setting to control when a computer disconnects an inactive SMB session. If client activity resumes, the session is automatically reestablished. This check verifies that the server policy is set to always sign packets. Microsoft network server: Digitally sign communications (if client agrees). This check verifies that the server policy is set to sign packets if the client agrees. Users should not be permitted to remain logged on to the network after they have exceeded their permitted logon hours. In many cases, this indicates that a user forgot to log off before leaving for the day. However, it may also indicate that a user is attempting unauthorized access at a time when the system may be less closely monitored.
CCE-9265-0
CCE-9406-0
CCE-9040-7
CCE-8825-2
CCE-9358-3
CCE-9531-5
Network access: Allow anonymous Determines if an anonymous user can request security identifier (SID) attributes for another user SID-Name translation or use a SID to get the corresponding username. Network access: Do not allow anonymous enumeration of SAM accounts Network access: Do not allow anonymous enumeration of SAM accounts and shares Network access: Do not allow storage of passwords and credentials for network authentication Network access: Let Everyone permissions apply to anonymous users Network access: Named Pipes that can be accessed anonymously netlogon, lsarpc, samr, browser If this setting is disabled, it allows anonymous logon users (null session connections) to list all account names, thus providing a map of potential points to attack the system. If this setting is disabled, it allows anonymous logon users (null session connections) to list all account names and enumerate all shared resources, thus providing a map of potential points to attack the system. This setting controls the storage of authentication credentials or .NET passports on the local system. Such credentials should never be stored on the local machine as that may lead to account compromise. This setting helps define the permissions that anonymous users have. If this setting is enabled then anonymous users have the same rights and permissions as the built-in Everyone group. Anonymous users should not have these permissions or rights. Network access: Named Pipes that can be accessed anonymously. Pipes are internal system communications processes. They are identified internally by ID numbers that vary between systems. To make access to these processes easier, these pipes are given names that do not vary between systems. This setting controls which of these pipes anonymous users may access. Network access: Remotely paths(System\CurrentControlSet\Control\ProductOptions; System\CurrentControlSet\Control\Server Applications; NT\CurrentVersion) accessible registry
CCE-9249-4
CCE-9156-1
CCE-8654-6
CCE-8936-7
CCE-9218-9
CCE-9121-5
Software\Microsoft\Windows
CCE-9386-4
Network access: Remotely accessible registry paths ("Software\Microsoft\Windows NT\CurrentVersion\Print, Software\Microsoft\Windows NT\CurrentVersion\Windows, System\CurrentControlSet\Control\Print\Printers, System\CurrentControlSet\Services\Eventlog, Software\Microsoft\OLAP Server, System\CurrentControlSet\Control\ContentIndex, System\CurrentControlSet\Control\Terminal Server, System\CurrentControlSet\Control\Terminal Server\UserConfig, System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration, Software\Microsoft\Windows NT\CurrentVersion\Perflib, System\CurrentControlSet\Services\SysmonLog")
CCE-9540-6
Network access: Restrict anonymous access to Named Pipes This check determines whether anonymous access is restricted to named pipes and shares. and Shares This setting controls which network shares may be accessed by an anonymous user. The default Network access: Shares that can be setting includes the shares, DFS$, and COMCFG. It is recommended that they be left as the accessed anonymously default setting. Network access: Sharing and security model for local accounts Network security: Do not store LAN Manager hash value on next password change Network security: Force logoff when logon hours expire Windows 7 includes two network-sharing security models Classic and Guest only. It is recommended that the Classic mode be used. This setting controls whether or not a LAN Manager hash of the password is stored in the SAM the next time the password is changed. The LAN Manager hash is a weak encryption algorithm and there are several tools available that use this hash to retrieve account passwords. This setting controls whether or not users are forced to log off when their allowed logon hours expire. If logon hours are set for users, then this should be enforced. Windows network authentication has changed considerably as various security vulnerabilities have been identified and fixed. The original LAN Manager (or LM) password hash is considered very weak, but is still used by mo st Windows 9x clients. Using commercially available software, and off-the-shelf computers, most LM password hashes can be used to reveal the actual password in a matter of days, or hours. With the release of Windows NT 4.0, Microsoft developed NTLM authentication. Serious vulnerabilities made NTLM almost as easy to crack as LM, so NTLM version 2 (NTLMv2) was introduced. NTLMv2 provides significant improvements to security; when combined with strong password policy, accounts are well protected against brute force attacks. All of these authentication methods are incorporated into Windows 2000. All authentication models work with a hash of the password, not the password itself. This presents challenges with down-level compatibility between operating systems. In order to smooth the transition, when one computer attempts to authenticate with another, the default behavior is to send the basic LM hash along with the more secure NTLM hash. This setting improves control over the response to an authentication challenge: Send LM and NTLM responses, Send LM and NTLM, Use NTLMv2 session security if negotiated, Send NTLM response only, Send NTLMv2 response only, Send NTLMv2 response only\refuse LM, Send
CCE-9196-7
CCE-9503-4
CCE-8937-5
CCE-9704-8
CCE-8806-2
NTLMv2 response only\refuse LM and NTLM, The default, and weakest option, is the first: send LM and NTLM responses. As a result, using NTLM is ineffective because both protocols are sent together. In order to take a much more effective stand to protect network authentication, set LAN Manager Authentication Level to Send NTLMv2 response only\refuse LM and NTLM. Enabling this setting may have adverse effects on your ability to communicate with other Windows machines unless the change is made network-wide. If you find that you are unable to require a certain level of LM Authentication, back down to Send LM and NTLM Use NTLMv2 session security if negotiated and try your network authentication again. Communication with Windows 9x/Me machines requires the DSCLIENT.EXE utility from the Windows 2000 installation CD. Similar to the SMB protocol, the LDAP protocol supports signing. LDAP, Lightweight Directory Access Protocol, provides one means for the client to talk to active directory. LDAP protocol is text-based, but supports authentication to gain access to sensitive sections of the directory. Require signing to provide the assurance of mutual authentication for this communications channel. NTLM authentication can provide a security service to manage connection between various clients and servers, including through the Remote Procedure Call (RPC) service. Windows 2000 improved the security model for secure, authenticated client-server communications; this setting manages the new features for communications established by this workstation. Similar to "Network Security: Minimum session security for NTLM SSP based (including secure RPC) clients", this setting manages features for communication services provided by this workstation to other computers. The Recovery Console, new to Windows 2000 and XP, provides a limited command-line access to an otherwise unbootable operating system. The console allows access to the NTFS file system, which does not natively allow access when the operating system becomes unbootable. Other third-party applications have been developed to perform this action as well, but the Recovery Console is part of the operating system. It can be installed from the Windows 2000 CD with the d:\i386\winnt32.exe /cmdcons command. It can also be run directly from the Windows 2000 installation CD. The Recovery Console does not grant full and unrestricted access to the operating system by default. It does require that you log on using the password of the default Administrator account. Keep in mind that this must be the local administrator account, not just a member of the local administrators group. Also, the policy for renaming the administrator account does not apply to the recovery console, and that password must be used. If configured, a boot to the recovery console could result in automatic logon, and bypass the need for the password of the administrator account. Since this gives administrator access to anyone who can reboot the computer, the setting is generally disabled. By default, the Recovery Console only allows access to the root folder of each drive, and the operating system folder (typically C:\Windows). The console also prevents copying files from the hard drive onto removable media. Although this protection can be bypassed by enabling floppy copy and drive access, the setting is enabled by default and should remain disabled.
CCE-9768-3
CCE-9534-9
Network security: Minimum session security for NTLM SSP based (including secure RPC) clients Network security: Minimum session security for NTLM SSP based (including secure RPC) servers
CCE-9736-0
CCE-8807-0
CCE-8945-8
Recovery Console: Allow Floppy Copy and Access to All Drives and All Folders
CCE-9707-1
Some systems run critical processes and should only be shut down by authorized users. Shutdown: Allow System to be Occasionally, special processes could be evoked during system startup, sometimes even Shut Down Without Having to Log trojaned processes. In environments where abnormal system reboots could cause problems, On require a logon prior to reboot. Virtual memory extends the physical memory available to the CPU. As data and applications fill the available physical memory, the operating system writes less-frequently used pages of memory out to disk, into the virtual memory pagefile. This greatly extends the amount of virtual memory available to the computer. Since the pagefile contains information that was in memory, it potentially holds a great deal of information useful for an attacker. Digging through the pagefile can reveal SSL web pages, queries set from the client to databases, sometimes even user ids and passwords from poorly written applications. The workstation does not clean this information from the pagefile on shutdown. Although the file can not be accessed when booted in Windows, anyone booting the workstation to an alternate operating system (e.g., from a boot CD) may access the page file. Enabling this options provides greater security by erasing the data during normal operations; however, this may also significantly increase the time required to shut down the computer. When enabled, the hibernation file (hiberfil.sys) is also cleaned on shutdown. System Cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing The Windows operating systems ignore case when accessing resources; for example, C:\Windows, C:\WINDOWS and c:\windows all refer to the same directory. However, the
CCE-9222-1
CCE-9266-8
System Cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing
CCE-9319-5
Windows kernel allows interfaces with other case-sensitive operating systems (e.g., Unix). Enabling this setting causes the interoperability features to be case-insensitive as well. This setting has no effect when the workstation communicates only with other Windows systems. This setting actually digs deep into the operating system behavior and should be left at the default setting (Enabled) unless explicitly required. Internal system objects are shared physical and logical resources such as semaphores and DOS device name; the objects all are created with access control lists (ACLs). When enabled, the ACL allows other non-administrative system processes to query internal system objects, but will not allow them to modify them. The "User Account Control: Admin Approval Mode for the Built-in Administrator account" setting should be configured correctly.
CCE-9191-8
System objects: Strengthen default permissions of internal system objects User Account Control: Admin Approval Mode for the Built-in Administrator account User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode User Account Control: Behavior of the elevation prompt for standard users User Account Control: Detect application installations and prompt for elevation User Account Control: Only elevate executables that are signed and validated User Account Control: Only elevate UIAccess applications that are installed in secure locations User Account Control: Run all administrators in Admin Approval Mode User Account Control: Switch to the secure desktop when prompting for elevation User Account Control: Virtualize file and registry write failures to per-user locations
CCE-8811-2
CCE-8958-1
The "User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode" setting should be configured correctly.
CCE-8813-8
The "User Account Control: Behavior of the elevation prompt for standard users" setting should be configured correctly. The "User Account Control: Detect application installations and prompt for elevation" setting should be configured correctly. The "User Account Control: Only elevate executables that are signed and validated" setting should be configured correctly. The "User Account Control: Only elevate UIAccess applications that are installed in secure locations" setting should be configured correctly. The "User Account Control: Run all administrators in Admin Approval Mode" setting should be configured correctly. The "User Account Control: Switch to the secure desktop when prompting for elevation" setting should be configured correctly. The "User Account Control: Virtualize file and registry write failures to per-user locations" setting should be configured correctly.
CCE-9616-4
CCE-9021-7
CCE-9801-2
CCE-9189-2
CCE-9395-5
CCE-8817-9
CCE-9342-7
CCE-9496-1
CCE-8513-4
MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes This value controls how often TCP attempts to verify that an idle connection is still intact by sending a keep-alive packet. If the remote computer is still reachable, it acknowledges the keepalive packet. HKLM\System\CurrentControlSet\Tcpip\Parameters\KeepAliveTime
CCE-9426-8
CCE-9439-1
Filtering (recommended) Network basic input/output system (NetBIOS) over TCP/IP is a networking protocol that, among other things, provides a means of easily resolving NetBIOS names registered on Windowsbased systems to the IP addresses configured on those systems. This value determines whether the computer releases its NetBIOS name when it receives a name release request. The MSS: (NoNameReleaseOnDemand) NoNameReleaseOnDemand setting configures the system to refuse name release requests to Allow the computer to ignore release its SMB name. This setting prevents an attacker from sending a name release request to a NetBIOS name release requests server, causing the server to be inaccessible to legitimate clients. If this setting is configured on except from WINS servers a client, however, and that client is mis-configured with the same name as a critical server, the server will be unable to recover the name, and legitimate requests may be directed to the rogue server instead, causing a denial of service condition at best. HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netbt\Parameters\ NoNameReleaseOnDemand registry key. MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure DefaultGateway addresses (could lead to DoS) This setting is used to enable or disabled the Internet Router Discovery Protocol (IRDP). IRDP allows the system to detect and configure Default Gateway addresses automatically. HKLM\System\CurrentControlSet\Tcpip\Parameters\PerformRouterDiscovery Most programs on the Windows platform make use of various Dynamic Link Libraries (DLL) to avoid having to reimplement functionality. The operating system actually loads several DLLs for each program, depending on what type of program it is. When the program does not specify an absolute location for a DLL, the default search order is used to locate it. By default, the search order used by the operating system is as follows: 1. Memory 2. KnownDLLs 3. Manifests and .local 4. Application directory 5. Current working directory 6. System directories (%systemroot%, %systemroot%\system, and %systemroot%\system32) 7. The path variable The fact that the current working directory is searched before the system directories can be used by someone with access to the file system to cause a program launched by a user to load a spoofed DLL. If a user launches a program by double-clicking a document, the current working directory is actually the location of the document. If a DLL in that directory has the same name as a system DLL in that location will then be loaded instead of the system DLL. This attack vector was actually used by the Nimda virus. To combat this, a new setting was created in Service Pack 3, which moves the current working directory to after the system directories in the search order. To avoid application compatibility issues, however, this switch was not turned on by default. To turn it on, set the following registry valueMACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SafeDllSearchMode Setting Added to Registry to Make Screensaver Password Protection Immediate The default grace period allowed for user movement before the screen saver lock takes effect is five seconds. Leaving the grace period in the default setting makes your computer vulnerable to a potential attack from someone walking up to the console to attempt to log onto the system before the lock takes effect. An entry to the registry can be made to adjust the length of the grace period.
CCE-8562-1
CCE-9458-1
CCE-9348-4
CCE-8591-0
MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended) MSS: (TCPMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default) MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning Microsoft network server: SPN Target name validation MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)
CCE-9456-5
MSS: (TCPMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default)
CCE-9501-8
Windows Server 2003 and Service Pack 3 for Windows 2000 include a new feature for generating a security audit in the security event log when the security log reaches a user defined threshold. Note: new to W2K3 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security\WarningLevel This policy setting controls the level of validation a computer with shared folders or printers (the server) performs on the service principal name (SPN) that is provided by the client computer when it establishes a session using the server message block (SMB) protocol.
CCE-8503-5
CCE-8655-3
Allowing source routed network traffic allows attackers to obscure their identity and location.
CCE-8560-5
MSS: (Hidden) Hide computer from the browse list (Not Recommended Hiding the computer from the Browse List removes one method attackers might use to gether except for highly secure information about computers on the network. environments) MSS: (TcpMaxDataRetransmissions
CCE-9487-0
IPv6) How many times unacknowledged data is retransmitted (3 recommended, 5 is default) Network security: Allow Local System to use computer identity for NTLM Network security: Allow LocalSystem NULL session fallback Network Security: Allow PKU2U authentication requests to this computer to use online identities Network Security: Configure encryption types allowed for Kerberos User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop
MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted (3 recommended, 5 is default).
CCE-9096-9
This policy setting allows services running as Local System to use the computer identity when negotiating NTLM authentication.
CCE-8804-7
This policy setting allows the system to fall back no a NULL session. Windows 7 and Windows Server 2008 R2 introduce an extension to the Negotiate authentication package, Spnego.dll. In previous versions of Windows, Negotiate decides whether to use Kerberos or NTLM for authentication. The extension SSP for Negotiate, Negoexts, which is treated as an authentication protocol by Windows, supports Microsoft SSPs including PKU2U. This policy setting allows you to specify tdhe allowed encryption types for Kerberos authentication. This setting was added to Windows Vista SP1 specifically to enable Remote Assistance. It allows certain applications stored in secure folders, such as system32, to bypass the secure desktop so that they can function as designed. Enabling this setting will lower security slightly but enable Remote Assistance. For more information see http://technet.microsoft.com/enus/library/dd835564(WS.10).aspx.
CCE-9770-9
CCE-9532-3
CCE-9301-3
CCE-10661-7
CCE-10150-1
Fax Service
CCE-10543-7
HomeGroup Listener
CCE-9910-1
Homegroup Provider
CCE-10699-7 CCE-10311-9
Kerberos Authentication Service Kerberos Service Ticket Operation Other Account Logon Events
IPsec Main Mode IPsec Quick Mode Logoff Logon Network Policy Server Other Logon/Logoff Events Special Logon
Non Sensitive Privilege Use Other Privilege Use Events Sensitive Privilege Use
6.1 - Computer Configuration - Administrative Templates - Network Settings 6.1.1 - Link-Layer Topology Discovery
The Link Layer Topology Discovery (LLTD) specification describes how the LLTD protocol operates over wired (802.3 Ethernet) and wireless (802.11) media. LLTD enables device discovery via the data-link layer and determines the topology of a network. This specification also describes the Quality of Service (QoS) Extensions that enable stream prioritization and quality media streaming experiences, even on networks with limited bandwidth.
CCE-9783-2 Turn on Mapper I/O (LLTDIO) driver Turn on Responder (RSPNDR) driver This policy setting turns on the Mapper I/O network protocol driver. LLTDIO allows a computer to discover the topology of a network it's connected to. This policy setting turns on the Responder network protocol driver. The Responder allows a computer to participate in Link Layer Topology Discovery requests so that it can be discovered and located on the network.
CCE-10059-4
Note: You should not use Internet Connection Sharing in an existing network with Windows 2000 Server domain controllers, Domain Name System (DNS) servers, gateways, Dynamic Host Configuration Protocol (DHCP) servers, or systems configured for static IP addresses. -- Internet Connection Firewall (ICF) -With ICF, the firewall checks all communications that cross the connection between your network and the Internet and is selective about which responses from the Internet it allows. ICF protects only the computer on which it is enabled. If ICF is enabled on the Internet Connection Sharing (ICS) host computer, however, ICS clients that use the shared Internet connection for Internet connectivity are protected because they cannot be seen from outside your network. For this reason, you should always enable ICF on the ICS host computer. In addition, if there are clients on your network with direct Internet connections, or if you have a stand-alone computer that is connected to the Internet, then you should enable ICF on those Internet connections as well. -- Network Bridge -Network Bridge removes the need for routing and bridging hardware in a home or small office network that consists of multiple LAN segments. With Network Bridge, multiple LAN segments become a single IP subnet, even if the LAN segments are of mixed network media types. Network Bridge automates the configuration and management of the address allocation, routing, and name resolution that is typically required in a network that consists of multiple LAN segments. Caution If neither ICF nor ICS is enabled on your network, do not set up Network Bridge between the public Internet connection and the private network connection. Setting up Network Bridge between the public Internet connection and the private network connection creates an unprotected link between your network and the Internet, leaving your network vulnerable to external attacks. When either ICF or ICS is enabled, this risk is mitigated.
Prohibit installation and configuration of Network Bridge on your DNS domain network Require Domain users to elevate when setting a networks location Route all traffic through the internal network Installation and Configuration of Network Bridge on the DNS Domain Network should be properly configured.
CCE-9953-1
CCE-10359-8 CCE-10509-8
6.3 - Computer Configuration - Administrative Templates - System Settings 6.3.1 - Device Installation
CCE-10769-8 Allow remote access to the PnP interface Do not send a Windows Error Report when a generic driver is installed on a device Prevent creation of a system restore point during device activity that would normally promp creation of a restore point. Prevent device metadata retrieval from the internet Specify search order for device driver source locations Computer Configuration\Administrative Templates\System\Device Installation: Allow remote access to the PnP interface. Computer Configuration\Administrative Templates\System\Device Installation: Do not send a Windows Error Report when a generic driver is installed on a device.
CCE-9901-0
CCE-10553-6
Computer Configuration\Administrative Templates\System\Device Installation: Do not create system restore point when new device driver installed.
CCE-10165-9 CCE-9919-2
CCE-9819-4 CCE-10645-0
CCE-10645-0
CCE-10649-2
CCE-9674-3
CCE-10795-3 CCE-10061-0
CCE-10160-0
Communication
Microsoft.com
Management\Internet Communication settings: Turn Off Registration if URL Connection is Referring to Microsoft.com. Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings: Turn off Search Companion content file updates. Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings: Turn Off the "Order Prints" Picture Task.
CCE-10140-2 CCE-9823-6
Turn off Search Companion content file updates Turn off the "Order Prints" picture task
CCE-9643-8
Computer Configuration\Administrative Templates\System\Internet Communication Turn off the "Publish to Web" task Management\Internet Communication settings: Turn off the "Publish to Web" task for files and for files and folders folders. Turn off the Windows Messenger Customer Experience Improvement Program Turn off the Windows customer experience improvement program Turn Off Windows Error Reporting Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings: Turn Off Windows Error Reporting. Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings: Turn off the Windows Messenger Customer Experience Improvement Program.
CCE-9559-6
CCE-9831-9 CCE-10441-4
6.3.5 - Logon
CCE-10591-6 CCE-10154-3 Always Use Classic Logon Do not process the run once list Computer Configuration\Administrative Templates\System: Logon - Always Use Classic Logon. Computer Configuration\Administrative Templates\System: Logon - Do not process the run once list.
Computer_Configuration - Administrative_Templates - System: Remote Assistance - RPC Endpoint Mapper Client Authentication.
CCE-9842-6
Microsoft support diagnostic tool: turn on msdt interactive communication with support provider
CCE-10606-2
signed. If you disable or do not configure this setting, Window Turn Off User Installed Windows Sidebar Gidgets
6.3.11.9 - Netmeeting
CCE-10763-1 Disable remote desktop sharing
6.3.11.12 - Search
Search
CCE-10496-8 CCE-9866-5 Allow indexing of encrypted files Enable indexing uncached Exchange folders Allow indexing of encrypted files Prevent indexing uncached Exchange folders
CCE-9868-1
Reporting
detected software. Additional information helps improve how Windows Defender works. It can include, for example, the location of detected items on your computer if harmful software has been removed. Windows Defender will automatically collect and send the information.
Disable Windows Error Reporting Display Error Notification Do Not Send Additional Data
CCE-9908-5
CCE-9672-7
CCE-9464-9
6.3.13 - Local User Policy Settings 6.3.13.1 - Local User Policy: Control Panel 6.3.13.1.1 - Personalization
CCE-10051-1 CCE-9730-3 Enable screen saver Password protect the screen saver Determines whether screen savers used on the computer are password protected. If you enable this setting, all screen savers are password protected. If you disable this setting, password protection cannot be set on any screen saver. Specifies how much user idle time must elapse before the screen saver is launched. When configured, this idle time can be set from a minimum of 1 second to a maximum of 86,400 seconds,
CCE-10148-5
6.3.13.2 - System 6.3.13.2.1 - Internet Communication Management 6.3.13.2.1.1 - Internet Communication Settings
CCE-10295-4 Turn off help ratings
6.3.13.2.2 - Power Management settings 6.3.13.3 - Windows Components 6.3.13.3.1 - Attachment Manager Settings
CCE-10166-7 Do not preserve zone information in file attachments Hide mechanisms to remove zone information Notify antivirus programs when opening attachments This policy setting allows you to manage whether Windows marks file attachments with information about their zone of origin (i.e. restricted, Internet, intranet, local). This policy setting allows you to manage whether users can manually remove the zone information from saved file attachments by clicking the Unblock button in the files property sheet or by using a check box in the security warning dialog. This policy setting allows you to manage the behavior for notifying registered antivirus programs. If multiple programs are registered, they will all be notified.
CCE-9684-2
CCE-10076-8
7 - Security Patches
Securing a given computer has become increasingly important. As such, it is essential to keep a host up to current patch levels to eliminate known vulnerabilities and weaknesses. In conjunction with antivirus software and a personal firewall, patching goes a long way to securing a host against outside attacks and exploitation. Microsoft provides two mechanisms for distributing security updates: Automatic Updates and Microsoft Update. In smaller environments, either method may be sufficient for keeping systems current with patches. Other environments typically have a software change management control process or a patch management program that tests patches before deploying them; distribution may then occur through local Windows Update Services (WUS) or Windows Server Update Services (WSUS) servers, which provide approved security patches for use by the Automatic Updates feature.
Security Patches Up-To-Date All known security patches have been installed.