Appendix: Recommendation Summary Table
Control | Set Correctly (Yes / No)
1 Account Policies
1.1 Password Policy
1.1.1 (L1) Ensure 'Enforce password history' is set to '24 or more password(s)' (Automated)
1.1.2 (L1) Ensure 'Maximum password age' is set to '60 or fewer days, but not 0' (Automated)
1.1.3 (L1) Ensure 'Minimum password age' is set to '1 or more day(s)' (Automated)
1.1.4 (L1) Ensure 'Minimum password length' is set to '14 or more character(s)' (Automated)
1.1.5 (L1) Ensure 'Password must meet complexity requirements' is set to 'Enabled' (Automated)
1.1.6 (L1) Ensure 'Store passwords using reversible encryption' is set to 'Disabled' (Automated)
1.2 Account Lockout Policy
1.2.1 (L1) Ensure 'Account lockout duration' is set to '15 or more minute(s)' (Automated)
1.2.2 (L1) Ensure 'Account lockout threshold' is set to '10 or fewer invalid logon attempt(s), but not 0' (Automated)
1.2.3 (L1) Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)' (Automated)
2 Local Policies
2.1 Audit Policy
2.2 User Rights Assignment
2.2.1 (L1) Ensure 'Access Credential Manager as a trusted caller' is set to 'No One' (Automated)
2.2.2 (L1) Ensure 'Access this computer from the network' is set to 'Administrators, Authenticated Users, ENTERPRISE DOMAIN CONTROLLERS' (DC only) (Automated)
2.2.3 (L1) Ensure 'Access this computer from the network' is set to 'Administrators, Authenticated Users' (MS only) (Automated)
2.2.4 (L1) Ensure 'Act as part of the operating system' is set to 'No One' (Automated)
944 | Page
2.2.5 (L1) Ensure 'Add workstations to domain' is set to 'Administrators' (DC only) (Automated)
2.2.6 (L1) Ensure 'Adjust memory quotas for a process' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE' (Automated)
2.2.7 (L1) Ensure 'Allow log on locally' is set to 'Administrators' (Automated)
2.2.8 (L1) Ensure 'Allow log on through Remote Desktop Services' is set to 'Administrators' (DC only) (Automated)
2.2.9 (L1) Ensure 'Allow log on through Remote Desktop Services' is set to 'Administrators, Remote Desktop Users' (MS only) (Automated)
2.2.10 (L1) Ensure 'Back up files and directories' is set to 'Administrators' (Automated)
2.2.11 (L1) Ensure 'Change the system time' is set to 'Administrators, LOCAL SERVICE' (Automated)
2.2.12 (L1) Ensure 'Change the time zone' is set to 'Administrators, LOCAL SERVICE' (Automated)
2.2.13 (L1) Ensure 'Create a pagefile' is set to 'Administrators' (Automated)
2.2.14 (L1) Ensure 'Create a token object' is set to 'No One' (Automated)
2.2.15 (L1) Ensure 'Create global objects' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE' (Automated)
2.2.16 (L1) Ensure 'Create permanent shared objects' is set to 'No One' (Automated)
2.2.17 (L1) Ensure 'Create symbolic links' is set to 'Administrators' (DC only) (Automated)
2.2.18 (L1) Ensure 'Create symbolic links' is set to 'Administrators, NT VIRTUAL MACHINE\Virtual Machines' (MS only) (Automated)
2.2.19 (L1) Ensure 'Debug programs' is set to 'Administrators' (Automated)
2.2.20 (L1) Ensure 'Deny access to this computer from the network' to include 'Guests' (DC only) (Automated)
2.2.21 (L1) Ensure 'Deny access to this computer from the network' to include 'Guests, Local account and member of Administrators group' (MS only) (Automated)
2.2.22 (L1) Ensure 'Deny log on as a batch job' to include 'Guests' (Automated)
2.2.23 (L1) Ensure 'Deny log on as a service' to include 'Guests' (Automated)
2.2.24 (L1) Ensure 'Deny log on locally' to include 'Guests' (Automated)
2.2.25 (L1) Ensure 'Deny log on through Remote Desktop Services' to include 'Guests' (DC only) (Automated)
2.2.26 (L1) Ensure 'Deny log on through Remote Desktop Services' is set to 'Guests, Local account' (MS only) (Automated)
2.2.27 (L1) Ensure 'Enable computer and user accounts to be trusted for delegation' is set to 'Administrators' (DC only) (Automated)
2.2.28 (L1) Ensure 'Enable computer and user accounts to be trusted for delegation' is set to 'No One' (MS only) (Automated)
2.2.29 (L1) Ensure 'Force shutdown from a remote system' is set to 'Administrators' (Automated)
2.2.30 (L1) Ensure 'Generate security audits' is set to 'LOCAL SERVICE, NETWORK SERVICE' (Automated)
2.2.31 (L1) Ensure 'Impersonate a client after authentication' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE' (DC only) (Automated)
2.2.32 (L1) Ensure 'Impersonate a client after authentication' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE' and (when the Web Server (IIS) Role with Web Services Role Service is installed) 'IIS_IUSRS' (MS only) (Automated)
2.2.33 (L1) Ensure 'Increase scheduling priority' is set to 'Administrators, Window Manager\Window Manager Group' (Automated)
2.2.34 (L1) Ensure 'Load and unload device drivers' is set to 'Administrators' (Automated)
2.2.35 (L1) Ensure 'Lock pages in memory' is set to 'No One' (Automated)
2.2.36 (L2) Ensure 'Log on as a batch job' is set to 'Administrators' (DC only) (Automated)
2.2.37 (L1) Ensure 'Manage auditing and security log' is set to 'Administrators' and (when Exchange is running in the environment) 'Exchange Servers' (DC only) (Automated)
2.2.38 (L1) Ensure 'Manage auditing and security log' is set to 'Administrators' (MS only) (Automated)
2.2.39 (L1) Ensure 'Modify an object label' is set to 'No One' (Automated)
2.2.40 (L1) Ensure 'Modify firmware environment values' is set to 'Administrators' (Automated)
2.2.41 (L1) Ensure 'Perform volume maintenance tasks' is set to 'Administrators' (Automated)
2.2.42 (L1) Ensure 'Profile single process' is set to 'Administrators' (Automated)
2.2.43 (L1) Ensure 'Profile system performance' is set to 'Administrators, NT SERVICE\WdiServiceHost' (Automated)
2.2.44 (L1) Ensure 'Replace a process level token' is set to 'LOCAL SERVICE, NETWORK SERVICE' (Automated)
2.2.45 (L1) Ensure 'Restore files and directories' is set to 'Administrators' (Automated)
2.2.46 (L1) Ensure 'Shut down the system' is set to 'Administrators' (Automated)
2.2.47 (L1) Ensure 'Synchronize directory service data' is set to 'No One' (DC only) (Automated)
2.2.48 (L1) Ensure 'Take ownership of files or other objects' is set to 'Administrators' (Automated)
2.3 Security Options
2.3.1 Accounts
2.3.1.1 (L1) Ensure 'Accounts: Administrator account status' is set to 'Disabled' (MS only) (Automated)
2.3.1.2 (L1) Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts' (Automated)
2.3.1.3 (L1) Ensure 'Accounts: Guest account status' is set to 'Disabled' (MS only) (Automated)
2.3.1.4 (L1) Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled' (Automated)
2.3.1.5 (L1) Configure 'Accounts: Rename administrator account' (Automated)
2.3.1.6 (L1) Configure 'Accounts: Rename guest account' (Automated)
2.3.2 Audit
2.3.2.1 (L1) Ensure 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' is set to 'Enabled' (Automated)
2.3.2.2 (L1) Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled' (Automated)
2.3.3 DCOM
2.3.4 Devices
2.3.4.1 (L1) Ensure 'Devices: Allowed to format and eject removable media' is set to 'Administrators' (Automated)
2.3.4.2 (L1) Ensure 'Devices: Prevent users from installing printer drivers' is set to 'Enabled' (Automated)
2.3.5 Domain controller
2.3.5.1 (L1) Ensure 'Domain controller: Allow server operators to schedule tasks' is set to 'Disabled' (DC only) (Automated)
2.3.5.2 (L1) Ensure 'Domain controller: Allow vulnerable Netlogon secure channel connections' is set to 'Not Configured' (DC only) (Automated)
2.3.5.3 (L1) Ensure 'Domain controller: LDAP server channel binding token requirements' is set to 'Always' (DC only) (Automated)
2.3.5.4 (L1) Ensure 'Domain controller: LDAP server signing requirements' is set to 'Require signing' (DC only) (Automated)
2.3.5.5 (L1) Ensure 'Domain controller: Refuse machine account password changes' is set to 'Disabled' (DC only) (Automated)
2.3.6 Domain member
2.3.6.1 (L1) Ensure 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'Enabled' (Automated)
2.3.6.2 (L1) Ensure 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'Enabled' (Automated)
2.3.6.3 (L1) Ensure 'Domain member: Digitally sign secure channel data (when possible)' is set to 'Enabled' (Automated)
2.3.6.4 (L1) Ensure 'Domain member: Disable machine account password changes' is set to 'Disabled' (Automated)
2.3.6.5 (L1) Ensure 'Domain member: Maximum machine account password age' is set to '30 or fewer days, but not 0' (Automated)
2.3.6.6 (L1) Ensure 'Domain member: Require strong (Windows 2000 or later) session key' is set to 'Enabled' (Automated)
2.3.7 Interactive logon
2.3.7.1 (L1) Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled' (Automated)
2.3.7.2 (L1) Ensure 'Interactive logon: Don't display last signed-in' is set to 'Enabled' (Automated)
2.3.7.3 (L1) Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0' (Automated)
2.3.7.4 (L1) Configure 'Interactive logon: Message text for users attempting to log on' (Automated)
2.3.7.5 (L1) Configure 'Interactive logon: Message title for users attempting to log on' (Automated)
2.3.7.6 (L2) Ensure 'Interactive logon: Number of previous logons to cache (in case domain controller is not available)' is set to '4 or fewer logon(s)' (MS only) (Automated)
2.3.7.7 (L1) Ensure 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days' (Automated)
2.3.7.8 (L1) Ensure 'Interactive logon: Require Domain Controller Authentication to unlock workstation' is set to 'Enabled' (MS only) (Automated)
2.3.7.9 (L1) Ensure 'Interactive logon: Smart card removal behavior' is set to 'Lock Workstation' or higher (Automated)
2.3.8 Microsoft network client
2.3.8.1 (L1) Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled' (Automated)
2.3.8.2 (L1) Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled' (Automated)
2.3.8.3 (L1) Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled' (Automated)
2.3.9 Microsoft network server
2.3.9.1 (L1) Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s)' (Automated)
2.3.9.2 (L1) Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled' (Automated)
2.3.9.3 (L1) Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled' (Automated)
2.3.9.4 (L1) Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled' (Automated)
2.3.9.5 (L1) Ensure 'Microsoft network server: Server SPN target name validation level' is set to 'Accept if provided by client' or higher (MS only) (Automated)
2.3.10 Network access
2.3.10.1 (L1) Ensure 'Network access: Allow anonymous SID/Name translation' is set to 'Disabled' (Automated)
2.3.10.2 (L1) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled' (MS only) (Automated)
2.3.10.3 (L1) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is set to 'Enabled' (MS only) (Automated)
2.3.10.4 (L2) Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled' (Automated)
2.3.10.5 (L1) Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled' (Automated)
2.3.10.6 (L1) Configure 'Network access: Named Pipes that can be accessed anonymously' (DC only) (Automated)
2.3.10.7 (L1) Configure 'Network access: Named Pipes that can be accessed anonymously' (MS only) (Automated)
2.3.10.8 (L1) Configure 'Network access: Remotely accessible registry paths' is configured (Automated)
2.3.10.9 (L1) Configure 'Network access: Remotely accessible registry paths and sub-paths' is configured (Automated)
2.3.10.10 (L1) Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled' (Automated)
2.3.10.11 (L1) Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow' (MS only) (Automated)
2.3.10.12 (L1) Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None' (Automated)
2.3.10.13 (L1) Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves' (Automated)
2.3.11 Network security
2.3.11.1 (L1) Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled' (Automated)
2.3.11.2 (L1) Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled' (Automated)
2.3.11.3 (L1) Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled' (Automated)
2.3.11.4 (L1) Ensure 'Network security: Configure encryption types allowed for Kerberos' is set to 'AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types' (Automated)
2.3.11.5 (L1) Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled' (Automated)
2.3.11.6 (L1) Ensure 'Network security: Force logoff when logon hours expire' is set to 'Enabled' (Manual)
2.3.11.7 (L1) Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only. Refuse LM & NTLM' (Automated)
2.3.11.8 (L1) Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signing' or higher (Automated)
2.3.11.9 (L1) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to 'Require NTLMv2 session security, Require 128-bit encryption' (Automated)
2.3.11.10 (L1) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to 'Require NTLMv2 session security, Require 128-bit encryption' (Automated)
2.3.12 Recovery console
2.3.13 Shutdown
2.3.13.1 (L1) Ensure 'Shutdown: Allow system to be shut down without having to log on' is set to 'Disabled' (Automated)
2.3.14 System cryptography
2.3.15 System objects
2.3.15.1 (L1) Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled' (Automated)
2.3.15.2 (L1) Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled' (Automated)
2.3.16 System settings
2.3.17 User Account Control
2.3.17.1 (L1) Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled' (Automated)
2.3.17.2 (L1) Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure desktop' (Automated)
2.3.17.3 (L1) Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Automatically deny elevation requests' (Automated)
2.3.17.4 (L1) Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled' (Automated)
2.3.17.5 (L1) Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled' (Automated)
2.3.17.6 (L1) Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled' (Automated)
2.3.17.7 (L1) Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled' (Automated)
2.3.17.8 (L1) Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled' (Automated)
3 Event Log
4 Restricted Groups
5 System Services
6 Registry
7 File System
8 Wired Network (IEEE 802.3) Policies
9 Windows Firewall with Advanced Security
9.1 Domain Profile
9.1.1 (L1) Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On (recommended)' (Automated)
9.1.2 (L1) Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)' (Automated)
9.1.3 (L1) Ensure 'Windows Firewall: Domain: Outbound connections' is set to 'Allow (default)' (Automated)
9.1.4 (L1) Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No' (Automated)
9.1.5 (L1) Ensure 'Windows Firewall: Domain: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\domainfw.log' (Automated)
9.1.6 (L1) Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16,384 KB or greater' (Automated)
9.1.7 (L1) Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes' (Automated)
9.1.8 (L1) Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes' (Automated)
9.2 Private Profile
9.2.1 (L1) Ensure 'Windows Firewall: Private: Firewall state' is set to 'On (recommended)' (Automated)
9.2.2 (L1) Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)' (Automated)
9.2.3 (L1) Ensure 'Windows Firewall: Private: Outbound connections' is set to 'Allow (default)' (Automated)
9.2.4 (L1) Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No' (Automated)
9.2.5 (L1) Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\privatefw.log' (Automated)
9.2.6 (L1) Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16,384 KB or greater' (Automated)
9.2.7 (L1) Ensure 'Windows Firewall: Private: Logging: Log dropped packets' is set to 'Yes' (Automated)
9.2.8 (L1) Ensure 'Windows Firewall: Private: Logging: Log successful connections' is set to 'Yes' (Automated)
9.3 Public Profile
9.3.1 (L1) Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)' (Automated)
9.3.2 (L1) Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)' (Automated)
9.3.3 (L1) Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow (default)' (Automated)
9.3.4 (L1) Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'No' (Automated)
9.3.5 (L1) Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No' (Automated)
9.3.6 (L1) Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No' (Automated)
9.3.7 (L1) Ensure 'Windows Firewall: Public: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\publicfw.log' (Automated)
9.3.8 (L1) Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16,384 KB or greater' (Automated)
9.3.9 (L1) Ensure 'Windows Firewall: Public: Logging: Log dropped packets' is set to 'Yes' (Automated)
9.3.10 (L1) Ensure 'Windows Firewall: Public: Logging: Log successful connections' is set to 'Yes' (Automated)
10 Network List Manager Policies
11 Wireless Network (IEEE 802.11) Policies
12 Public Key Policies
13 Software Restriction Policies
14 Network Access Protection NAP Client Configuration
15 Application Control Policies
16 IP Security Policies
17 Advanced Audit Policy Configuration
17.1 Account Logon
17.1.1 (L1) Ensure 'Audit Credential Validation' is set to 'Success and Failure' (Automated)
17.1.2 (L1) Ensure 'Audit Kerberos Authentication Service' is set to 'Success and Failure' (DC only) (Automated)
17.1.3 (L1) Ensure 'Audit Kerberos Service Ticket Operations' is set to 'Success and Failure' (DC only) (Automated)
17.2 Account Management
17.2.1 (L1) Ensure 'Audit Application Group Management' is set to 'Success and Failure' (Automated)
17.2.2 (L1) Ensure 'Audit Computer Account Management' is set to include 'Success' (DC only) (Automated)
17.2.3 (L1) Ensure 'Audit Distribution Group Management' is set to include 'Success' (DC only) (Automated)
17.2.4 (L1) Ensure 'Audit Other Account Management Events' is set to include 'Success' (DC only) (Automated)
17.2.5 (L1) Ensure 'Audit Security Group Management' is set to include 'Success' (Automated)
17.2.6 (L1) Ensure 'Audit User Account Management' is set to 'Success and Failure' (Automated)
17.3 Detailed Tracking
17.3.1 (L1) Ensure 'Audit PNP Activity' is set to include 'Success' (Automated)
17.3.2 (L1) Ensure 'Audit Process Creation' is set to include 'Success' (Automated)
17.4 DS Access
17.4.1 (L1) Ensure 'Audit Directory Service Access' is set to include 'Failure' (DC only) (Automated)
17.4.2 (L1) Ensure 'Audit Directory Service Changes' is set to include 'Success' (DC only) (Automated)
17.5 Logon/Logoff
17.5.1 (L1) Ensure 'Audit Account Lockout' is set to include 'Failure' (Automated)
17.5.2 (L1) Ensure 'Audit Group Membership' is set to include 'Success' (Automated)
17.5.3 (L1) Ensure 'Audit Logoff' is set to include 'Success' (Automated)
17.5.4 (L1) Ensure 'Audit Logon' is set to 'Success and Failure' (Automated)
17.5.5 (L1) Ensure 'Audit Other Logon/Logoff Events' is set to 'Success and Failure' (Automated)
17.5.6 (L1) Ensure 'Audit Special Logon' is set to include 'Success' (Automated)
17.6 Object Access
17.6.1 (L1) Ensure 'Audit Detailed File Share' is set to include 'Failure' (Automated)
17.6.2 (L1) Ensure 'Audit File Share' is set to 'Success and Failure' (Automated)
17.6.3 (L1) Ensure 'Audit Other Object Access Events' is set to 'Success and Failure' (Automated)
17.6.4 (L1) Ensure 'Audit Removable Storage' is set to 'Success and Failure' (Automated)
17.7 Policy Change
17.7.1 (L1) Ensure 'Audit Audit Policy Change' is set to include 'Success' (Automated)
17.7.2 (L1) Ensure 'Audit Authentication Policy Change' is set to include 'Success' (Automated)
17.7.3 (L1) Ensure 'Audit Authorization Policy Change' is set to include 'Success' (Automated)
17.7.4 (L1) Ensure 'Audit MPSSVC Rule-Level Policy Change' is set to 'Success and Failure' (Automated)
17.7.5 (L1) Ensure 'Audit Other Policy Change Events' is set to include 'Failure' (Automated)
17.8 Privilege Use
17.8.1 (L1) Ensure 'Audit Sensitive Privilege Use' is set to 'Success and Failure' (Automated)
17.9 System
17.9.1 (L1) Ensure 'Audit IPsec Driver' is set to 'Success and Failure' (Automated)
17.9.2 (L1) Ensure 'Audit Other System Events' is set to 'Success and Failure' (Automated)
17.9.3 (L1) Ensure 'Audit Security State Change' is set to include 'Success' (Automated)
17.9.4 (L1) Ensure 'Audit Security System Extension' is set to include 'Success' (Automated)
17.9.5 (L1) Ensure 'Audit System Integrity' is set to 'Success and Failure' (Automated)
18 Administrative Templates (Computer)
18.1 Control Panel
18.1.1 Personalization
18.1.1.1 (L1) Ensure 'Prevent enabling lock screen camera' is set to 'Enabled' (Automated)
18.1.1.2 (L1) Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled' (Automated)
18.1.2 Regional and Language Options
18.1.2.1 Handwriting personalization
18.1.2.2 (L1) Ensure 'Allow users to enable online speech recognition services' is set to 'Disabled' (Automated)
18.1.3 (L2) Ensure 'Allow Online Tips' is set to 'Disabled' (Automated)
18.2 LAPS
18.2.1 (L1) Ensure LAPS AdmPwd GPO Extension / CSE is installed (MS only) (Automated)
18.2.2 (L1) Ensure 'Do not allow password expiration time longer than required by policy' is set to 'Enabled' (MS only) (Automated)
18.2.3 (L1) Ensure 'Enable Local Admin Password Management' is set to 'Enabled' (MS only) (Automated)
18.2.4 (L1) Ensure 'Password Settings: Password Complexity' is set to 'Enabled: Large letters + small letters + numbers + special characters' (MS only) (Automated)
18.2.5 (L1) Ensure 'Password Settings: Password Length' is set to 'Enabled: 15 or more' (MS only) (Automated)
18.2.6 (L1) Ensure 'Password Settings: Password Age (Days)' is set to 'Enabled: 30 or fewer' (MS only) (Automated)
18.3 MS Security Guide
18.3.1 (L1) Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled' (MS only) (Automated)
18.3.2 (L1) Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver (recommended)' (Automated)
18.3.3 (L1) Ensure 'Configure SMB v1 server' is set to 'Disabled' (Automated)
18.3.4 (L1) Ensure 'Enable Structured Exception Handling Overwrite Protection (SEHOP)' is set to 'Enabled' (Automated)
18.3.5 (L1) Ensure 'NetBT NodeType configuration' is set to 'Enabled: P-node (recommended)' (Automated)
18.3.6 (L1) Ensure 'WDigest Authentication' is set to 'Disabled' (Automated)
18.4 MSS (Legacy)
18.4.1 (L1) Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled' (Automated)
18.4.2 (L1) Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled' (Automated)
18.4.3 (L1) Ensure 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled' (Automated)
18.4.4 (L1) Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled' (Automated)
18.4.5 (L2) Ensure 'MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds' is set to 'Enabled: 300,000 or 5 minutes (recommended)' (Automated)
18.4.6 (L1) Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled' (Automated)
18.4.7 (L2) Ensure 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)' is set to 'Disabled' (Automated)
18.4.8 (L1) Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' is set to 'Enabled' (Automated)
18.4.9 (L1) Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' is set to 'Enabled: 5 or fewer seconds' (Automated)
18.4.10 (L2) Ensure 'MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3' (Automated)
18.4.11 (L2) Ensure 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3' (Automated)
18.4.12 (L1) Ensure 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' is set to 'Enabled: 90% or less' (Automated)
18.5 Network
18.5.1 Background Intelligent Transfer Service (BITS)
18.5.2 BranchCache
18.5.3 DirectAccess Client Experience Settings
18.5.4 DNS Client
18.5.4.1 (L1) Ensure 'Turn off multicast name resolution' is set to 'Enabled' (Automated)
18.5.5 Fonts
18.5.5.1 (L2) Ensure 'Enable Font Providers' is set to 'Disabled' (Automated)
18.5.6 Hotspot Authentication
18.5.7 Lanman Server
18.5.8 Lanman Workstation
18.5.8.1 (L1) Ensure 'Enable insecure guest logons' is set to 'Disabled' (Automated)
18.5.9 Link-Layer Topology Discovery
18.5.9.1 (L2) Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled' (Automated)
18.5.9.2 (L2) Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled' (Automated)
18.5.10 Microsoft Peer-to-Peer Networking Services
18.5.10.1 Peer Name Resolution Protocol
18.5.10.2 (L2) Ensure 'Turn off Microsoft Peer-to-Peer Networking Services' is set to 'Enabled' (Automated)
18.5.11 Network Connections
18.5.11.1 Windows Defender Firewall (formerly Windows Firewall)
18.5.11.2 (L1) Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled' (Automated)
18.5.11.3 (L1) Ensure 'Prohibit use of Internet Connection Sharing on your DNS domain network' is set to 'Enabled' (Automated)
18.5.11.4 (L1) Ensure 'Require domain users to elevate when setting a network's location' is set to 'Enabled' (Automated)
18.5.12 Network Connectivity Status Indicator
18.5.13 Network Isolation
18.5.14 Network Provider
18.5.14.1 (L1) Ensure 'Hardened UNC Paths' is set to 'Enabled, with "Require Mutual Authentication" and "Require Integrity" set for all NETLOGON and SYSVOL shares' (Automated)
18.5.15 Offline Files
18.5.16 QoS Packet Scheduler
18.5.17 SNMP
18.5.18 SSL Configuration Settings
18.5.19 TCPIP Settings
18.5.19.1 IPv6 Transition Technologies
18.5.19.2 Parameters
18.5.19.2.1 (L2) Disable IPv6 (Ensure TCPIP6 Parameter 'DisabledComponents' is set to '0xff (255)') (Automated)
18.5.20 Windows Connect Now
18.5.20.1 (L2) Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled' (Automated)
18.5.20.2 (L2) Ensure 'Prohibit access of the Windows Connect Now wizards' is set to 'Enabled' (Automated)
18.5.21 Windows Connection Manager
18.5.21.1 (L1) Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to 'Enabled: 3 = Prevent Wi-Fi when on Ethernet' (Automated)
18.5.21.2 (L2) Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled' (MS only) (Automated)
18.6 Printers
18.7 Start Menu and Taskbar
18.7.1 Notifications
18.7.1.1 (L2) Ensure 'Turn off notifications network usage' is set to 'Enabled' (Automated)
18.8 System
18.8.1 Access-Denied Assistance
18.8.2 App-V
18.8.3 Audit Process Creation
18.8.3.1 (L1) Ensure 'Include command line in process creation events' is set to 'Disabled' (Automated)
18.8.4 Credentials Delegation
18.8.4.1 (L1) Ensure 'Encryption Oracle Remediation' is set to 'Enabled: Force Updated Clients' (Automated)
18.8.4.2 (L1) Ensure 'Remote host allows delegation of non-exportable credentials' is set to 'Enabled' (Automated)
18.8.5 Device Guard
18.8.5.1 (NG) Ensure 'Turn On Virtualization Based Security' is set to 'Enabled' (Automated)
18.8.5.2 (NG) Ensure 'Turn On Virtualization Based Security: Select Platform Security Level' is set to 'Secure Boot and DMA Protection' (Automated)
18.8.5.3 (NG) Ensure 'Turn On Virtualization Based Security: Virtualization Based Protection of Code Integrity' is set to 'Enabled with UEFI lock' (Automated)
18.8.5.4 (NG) Ensure 'Turn On Virtualization Based Security: Require UEFI Memory Attributes Table' is set to 'True (checked)' (Automated)
18.8.5.5 (NG) Ensure 'Turn On Virtualization Based Security: Credential Guard Configuration' is set to 'Enabled with UEFI lock' (MS only) (Automated)
18.8.5.6 (NG) Ensure 'Turn On Virtualization Based Security: Credential Guard Configuration' is set to 'Disabled' (DC only) (Automated)
18.8.5.7 (NG) Ensure 'Turn On Virtualization Based Security: Secure Launch Configuration' is set to 'Enabled' (Automated)
18.8.6 Device Health Attestation Service
18.8.7 Device Installation
18.8.8 Device Redirection
18.8.9 Disk NV Cache
18.8.10 Disk Quotas
18.8.11 Display
18.8.12 Distributed COM
18.8.13 Driver Installation
18.8.14 Early Launch Antimalware
18.8.14.1 (L1) Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical' (Automated)
18.8.15 Enhanced Storage Access
18.8.16 File Classification Infrastructure
18.8.17 File Share Shadow Copy Agent
18.8.18 File Share Shadow Copy Provider
18.8.19 Filesystem (formerly NTFS Filesystem)
18.8.20 Folder Redirection
18.8.21 Group Policy
18.8.21.1 Logging and tracing
18.8.21.2 (L1) Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE' (Automated)
18.8.21.3 (L1) Ensure 'Configure registry policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE' (Automated)
18.8.21.4 (L1) Ensure 'Continue experiences on this device' is set to 'Disabled' (Automated)
18.8.21.5 (L1) Ensure 'Turn off background refresh of Group Policy' is set to 'Disabled' (Automated)
18.8.22 Internet Communication Management
18.8.22.1 Internet Communication settings
18.8.22.1.1 (L1) Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled' (Automated)
18.8.22.1.2 (L2) Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled' (Automated)
18.8.22.1.3 (L2) Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled' (Automated)
18.8.22.1.4 (L2) Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled' (Automated)
18.8.22.1.5 (L1) Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled' (Automated)
18.8.22.1.6 (L2) Ensure 'Turn off printing over HTTP' is set to 'Enabled' (Automated)
18.8.22.1.7 (L2) Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled' (Automated)
18.8.22.1.8 (L2) Ensure 'Turn off Search Companion content file updates' is set to 'Enabled' (Automated)
18.8.22.1.9 (L2) Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled' (Automated)
961 | P a g e
Control Set
Correctly
Yes No
18.8.22.1.10 (L2) Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled' (Automated)
18.8.22.1.11 (L2) Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled' (Automated)
18.8.22.1.12 (L2) Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled' (Automated)
18.8.22.1.13 (L2) Ensure 'Turn off Windows Error Reporting' is set to 'Enabled' (Automated)
18.8.23 iSCSI
18.8.24 KDC
18.8.25 Kerberos
18.8.25.1 (L2) Ensure 'Support device authentication using certificate' is set to 'Enabled: Automatic' (Automated)
18.8.26 Kernel DMA Protection
18.8.26.1 (L1) Ensure 'Enumeration policy for external devices incompatible with Kernel DMA Protection' is set to 'Enabled: Block All' (Automated)
18.8.27 Locale Services
18.8.27.1 (L2) Ensure 'Disallow copying of user input methods to the system account for sign-in' is set to 'Enabled' (Automated)
18.8.28 Logon
18.8.28.1 (L1) Ensure 'Block user from showing account details on sign-in' is set to 'Enabled' (Automated)
18.8.28.2 (L1) Ensure 'Do not display network selection UI' is set to 'Enabled' (Automated)
18.8.28.3 (L1) Ensure 'Do not enumerate connected users on domain-joined computers' is set to 'Enabled' (Automated)
18.8.28.4 (L1) Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled' (MS only) (Automated)
18.8.28.5 (L1) Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled' (Automated)
18.8.28.6 (L1) Ensure 'Turn off picture password sign-in' is set to 'Enabled' (Automated)
18.8.28.7 (L1) Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled' (Automated)
18.8.29 Mitigation Options
18.8.30 Net Logon
18.8.31 OS Policies
18.8.31.1 (L2) Ensure 'Allow Clipboard synchronization across devices' is set to 'Disabled' (Automated)
18.8.31.2 (L2) Ensure 'Allow upload of User Activities' is set to 'Disabled' (Automated)
18.8.32 Performance Control Panel
18.8.33 PIN Complexity
18.8.34 Power Management
18.8.34.1 Button Settings
18.8.34.2 Energy Saver Settings
18.8.34.3 Hard Disk Settings
18.8.34.4 Notification Settings
18.8.34.5 Power Throttling Settings
18.8.34.6 Sleep Settings
18.8.34.6.1 (L2) Ensure 'Allow network connectivity during connected-standby (on battery)' is set to 'Disabled' (Automated)
18.8.34.6.2 (L2) Ensure 'Allow network connectivity during connected-standby (plugged in)' is set to 'Disabled' (Automated)
18.8.34.6.3 (L1) Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled' (Automated)
18.8.34.6.4 (L1) Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled' (Automated)
18.8.35 Recovery
18.8.36 Remote Assistance
18.8.36.1 (L1) Ensure 'Configure Offer Remote Assistance' is set to 'Disabled' (Automated)
18.8.36.2 (L1) Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled' (Automated)
18.8.37 Remote Procedure Call
18.8.37.1 (L1) Ensure 'Enable RPC Endpoint Mapper Client Authentication' is set to 'Enabled' (MS only) (Automated)
18.8.37.2 (L2) Ensure 'Restrict Unauthenticated RPC clients' is set to 'Enabled: Authenticated' (MS only) (Automated)
18.8.38 Removable Storage Access
18.8.39 Scripts
18.8.40 Server Manager
18.8.41 Service Control Manager Settings
18.8.42 Shutdown
18.8.43 Shutdown Options
18.8.44 Storage Health
18.8.45 Storage Sense
18.8.46 System Restore
18.8.47 Troubleshooting and Diagnostics
18.8.47.1 Application Compatibility Diagnostics
18.8.47.2 Corrupted File Recovery
18.8.47.3 Disk Diagnostic
18.8.47.4 Fault Tolerant Heap
18.8.47.5 Microsoft Support Diagnostic Tool
18.8.47.5.1 (L2) Ensure 'Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider' is set to 'Disabled' (Automated)
18.8.47.6 MSI Corrupted File Recovery
18.8.47.7 Scheduled Maintenance
18.8.47.8 Scripted Diagnostics
18.8.47.9 Windows Boot Performance Diagnostics
18.8.47.10 Windows Memory Leak Diagnosis
18.8.47.11 Windows Performance PerfTrack
18.8.47.11.1 (L2) Ensure 'Enable/Disable PerfTrack' is set to 'Disabled' (Automated)
18.8.48 Trusted Platform Module Services
18.8.49 User Profiles
18.8.49.1 (L2) Ensure 'Turn off the advertising ID' is set to 'Enabled' (Automated)
18.8.50 Windows File Protection
18.8.51 Windows HotStart
18.8.52 Windows Time Service
18.8.52.1 Time Providers
18.8.52.1.1 (L2) Ensure 'Enable Windows NTP Client' is set to 'Enabled' (Automated)
18.8.52.1.2 (L2) Ensure 'Enable Windows NTP Server' is set to 'Disabled' (MS only) (Automated)
18.9 Windows Components
18.9.1 Active Directory Federation Services
18.9.2 ActiveX Installer Service
18.9.3 Add features to Windows 8 / 8.1 / 10 (formerly Windows Anytime Upgrade)
18.9.4 App Package Deployment
18.9.4.1 (L2) Ensure 'Allow a Windows app to share application data between users' is set to 'Disabled' (Automated)
18.9.5 App Privacy
18.9.6 App runtime
18.9.6.1 (L1) Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled' (Automated)
18.9.7 Application Compatibility
18.9.8 AutoPlay Policies
18.9.8.1 (L1) Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled' (Automated)
18.9.8.2 (L1) Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands' (Automated)
18.9.8.3 (L1) Ensure 'Turn off Autoplay' is set to 'Enabled: All drives' (Automated)
18.9.9 Backup
18.9.10 Biometrics
18.9.10.1 Facial Features
18.9.10.1.1 (L1) Ensure 'Configure enhanced anti-spoofing' is set to 'Enabled' (Automated)
18.9.11 BitLocker Drive Encryption
18.9.12 Camera
18.9.12.1 (L2) Ensure 'Allow Use of Camera' is set to 'Disabled' (Automated)
18.9.13 Cloud Content
18.9.13.1 (L2) Ensure 'Turn off cloud optimized content' is set to 'Enabled' (Manual)
18.9.13.2 (L1) Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled' (Automated)
18.9.14 Connect
18.9.14.1 (L1) Ensure 'Require pin for pairing' is set to 'Enabled: First Time' OR 'Enabled: Always' (Automated)
18.9.15 Credential User Interface
18.9.15.1 (L1) Ensure 'Do not display the password reveal button' is set to 'Enabled' (Automated)
18.9.15.2 (L1) Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled' (Automated)
18.9.16 Data Collection and Preview Builds
18.9.16.1 (L1) Ensure 'Allow Telemetry' is set to 'Enabled: 0 - Security [Enterprise Only]' or 'Enabled: 1 - Basic' (Automated)
18.9.16.2 (L2) Ensure 'Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service' is set to 'Enabled: Disable Authenticated Proxy usage' (Automated)
18.9.16.3 (L1) Ensure 'Do not show feedback notifications' is set to 'Enabled' (Automated)
18.9.16.4 (L1) Ensure 'Toggle user control over Insider builds' is set to 'Disabled' (Automated)
18.9.17 Delivery Optimization
18.9.18 Desktop Gadgets
18.9.19 Desktop Window Manager
18.9.20 Device and Driver Compatibility
18.9.21 Device Registration (formerly Workplace Join)
18.9.22 Digital Locker
18.9.23 Edge UI
18.9.24 EMET
18.9.25 Event Forwarding
18.9.26 Event Log Service
18.9.26.1 Application
18.9.26.1.1 (L1) Ensure 'Application: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' (Automated)
18.9.26.1.2 (L1) Ensure 'Application: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater' (Automated)
18.9.26.2 Security
18.9.26.2.1 (L1) Ensure 'Security: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' (Automated)
18.9.26.2.2 (L1) Ensure 'Security: Specify the maximum log file size (KB)' is set to 'Enabled: 196,608 or greater' (Automated)
18.9.26.3 Setup
18.9.26.3.1 (L1) Ensure 'Setup: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' (Automated)
18.9.26.3.2 (L1) Ensure 'Setup: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater' (Automated)
18.9.26.4 System
18.9.26.4.1 (L1) Ensure 'System: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' (Automated)
18.9.26.4.2 (L1) Ensure 'System: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater' (Automated)
18.9.27 Event Logging
18.9.28 Event Viewer
18.9.29 Family Safety (formerly Parental Controls)
18.9.30 File Explorer (formerly Windows Explorer)
18.9.30.1 Previous Versions
18.9.30.2 (L1) Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled' (Automated)
18.9.30.3 (L1) Ensure 'Turn off heap termination on corruption' is set to 'Disabled' (Automated)
18.9.30.4 (L1) Ensure 'Turn off shell protocol protected mode' is set to 'Disabled' (Automated)
18.9.31 File History
18.9.32 Find My Device
18.9.33 Game Explorer
18.9.34 Handwriting
18.9.35 HomeGroup
18.9.36 Import Video
18.9.37 Internet Explorer
18.9.38 Internet Information Services
18.9.39 Location and Sensors
18.9.39.1 (L2) Ensure 'Turn off location' is set to 'Enabled' (Automated)
18.9.40 Maintenance Scheduler
18.9.41 Maps
18.9.42 MDM
18.9.43 Messaging
18.9.43.1 (L2) Ensure 'Allow Message Service Cloud Sync' is set to 'Disabled' (Automated)
18.9.44 Microsoft account
18.9.44.1 (L1) Ensure 'Block all consumer Microsoft account user authentication' is set to 'Enabled' (Automated)
18.9.45 Microsoft Defender Antivirus (formerly Windows Defender and Windows Defender Antivirus)
18.9.45.1 Client Interface
18.9.45.2 Exclusions
18.9.45.3 MAPS
18.9.45.3.1 (L1) Ensure 'Configure local setting override for reporting to Microsoft MAPS' is set to 'Disabled' (Automated)
18.9.45.3.2 (L2) Ensure 'Join Microsoft MAPS' is set to 'Disabled' (Automated)
18.9.45.4 Microsoft Defender Exploit Guard (formerly Windows Defender Exploit Guard)
18.9.45.4.1 Attack Surface Reduction
18.9.45.4.1.1 (L1) Ensure 'Configure Attack Surface Reduction rules' is set to 'Enabled' (Automated)
18.9.45.4.1.2 (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Automated)
18.9.45.4.2 Controlled Folder Access
18.9.45.4.3 Network Protection
18.9.45.4.3.1 (L1) Ensure 'Prevent users and apps from accessing dangerous websites' is set to 'Enabled: Block' (Automated)
18.9.45.5 MpEngine
18.9.45.5.1 (L2) Ensure 'Enable file hash computation feature' is set to 'Enabled' (Automated)
18.9.45.6 Network Inspection System
18.9.45.7 Quarantine
18.9.45.8 Real-time Protection
18.9.45.8.1 (L1) Ensure 'Scan all downloaded files and attachments' is set to 'Enabled' (Automated)
18.9.45.8.2 (L1) Ensure 'Turn off real-time protection' is set to 'Disabled' (Automated)
18.9.45.8.3 (L1) Ensure 'Turn on behavior monitoring' is set to 'Enabled' (Automated)
18.9.45.9 Remediation
18.9.45.10 Reporting
18.9.45.10.1 (L2) Ensure 'Configure Watson events' is set to 'Disabled' (Automated)
18.9.45.11 Scan
18.9.45.11.1 (L1) Ensure 'Scan removable drives' is set to 'Enabled' (Automated)
18.9.45.11.2 (L1) Ensure 'Turn on e-mail scanning' is set to 'Enabled' (Automated)
18.9.45.12 Security Intelligence Updates (formerly Signature Updates)
18.9.45.13 Threats
18.9.45.14 (L1) Ensure 'Configure detection for potentially unwanted applications' is set to 'Enabled: Block' (Automated)
18.9.45.15 (L1) Ensure 'Turn off Microsoft Defender AntiVirus' is set to 'Disabled' (Automated)
18.9.46 Microsoft Defender Application Guard (formerly Windows Defender Application Guard)
18.9.47 Microsoft Defender Exploit Guard (formerly Windows Defender Exploit Guard)
18.9.48 Microsoft Edge
18.9.49 Microsoft FIDO Authentication
18.9.50 Microsoft Secondary Authentication Factor
18.9.51 Microsoft User Experience Virtualization
18.9.52 NetMeeting
18.9.53 Network Access Protection
18.9.54 Network Projector
18.9.55 OneDrive (formerly SkyDrive)
18.9.55.1 (L1) Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled' (Automated)
18.9.56 Online Assistance
18.9.57 OOBE
18.9.58 Password Synchronization
18.9.59 Portable Operating System
18.9.60 Presentation Settings
18.9.61 Push To Install
18.9.62 Remote Desktop Services (formerly Terminal Services)
18.9.62.1 RD Licensing (formerly TS Licensing)
18.9.62.2 Remote Desktop Connection Client
18.9.62.2.1 RemoteFX USB Device Redirection
18.9.62.2.2 (L1) Ensure 'Do not allow passwords to be saved' is set to 'Enabled' (Automated)
18.9.62.3 Remote Desktop Session Host (formerly Terminal Server)
18.9.62.3.1 Application Compatibility
18.9.62.3.2 Connections
18.9.62.3.2.1 (L2) Ensure 'Restrict Remote Desktop Services users to a single Remote Desktop Services session' is set to 'Enabled' (Automated)
18.9.62.3.3 Device and Resource Redirection
18.9.62.3.3.1 (L2) Ensure 'Do not allow COM port redirection' is set to 'Enabled' (Automated)
18.9.62.3.3.2 (L1) Ensure 'Do not allow drive redirection' is set to 'Enabled' (Automated)
18.9.62.3.3.3 (L2) Ensure 'Do not allow LPT port redirection' is set to 'Enabled' (Automated)
18.9.62.3.3.4 (L2) Ensure 'Do not allow supported Plug and Play device redirection' is set to 'Enabled' (Automated)
18.9.62.3.4 Licensing
18.9.62.3.5 Printer Redirection
18.9.62.3.6 Profiles
18.9.62.3.7 RD Connection Broker (formerly TS Connection Broker)
18.9.62.3.8 Remote Session Environment
18.9.62.3.9 Security
18.9.62.3.9.1 (L1) Ensure 'Always prompt for password upon connection' is set to 'Enabled' (Automated)
18.9.62.3.9.2 (L1) Ensure 'Require secure RPC communication' is set to 'Enabled' (Automated)
18.9.62.3.9.3 (L1) Ensure 'Require use of specific security layer for remote (RDP) connections' is set to 'Enabled: SSL' (Automated)
18.9.62.3.9.4 (L1) Ensure 'Require user authentication for remote connections by using Network Level Authentication' is set to 'Enabled' (Automated)
18.9.62.3.9.5 (L1) Ensure 'Set client connection encryption level' is set to 'Enabled: High Level' (Automated)
18.9.62.3.10 Session Time Limits
18.9.62.3.10.1 (L2) Ensure 'Set time limit for active but idle Remote Desktop Services sessions' is set to 'Enabled: 15 minutes or less, but not Never (0)' (Automated)
18.9.62.3.10.2 (L2) Ensure 'Set time limit for disconnected sessions' is set to 'Enabled: 1 minute' (Automated)
18.9.62.3.11 Temporary folders
18.9.62.3.11.1 (L1) Ensure 'Do not delete temp folders upon exit' is set to 'Disabled' (Automated)
18.9.62.3.11.2 (L1) Ensure 'Do not use temporary folders per session' is set to 'Disabled' (Automated)
18.9.63 RSS Feeds
18.9.63.1 (L1) Ensure 'Prevent downloading of enclosures' is set to 'Enabled' (Automated)
18.9.64 Search
18.9.64.1 OCR
18.9.64.2 (L2) Ensure 'Allow Cloud Search' is set to 'Enabled: Disable Cloud Search' (Automated)
18.9.64.3 (L1) Ensure 'Allow indexing of encrypted files' is set to 'Disabled' (Automated)
18.9.65 Security Center
18.9.66 Server for NIS
18.9.67 Shutdown Options
18.9.68 Smart Card
18.9.69 Software Protection Platform
18.9.69.1 (L2) Ensure 'Turn off KMS Client Online AVS Validation' is set to 'Enabled' (Automated)
18.9.70 Sound Recorder
18.9.71 Speech
18.9.72 Store
18.9.73 Sync your settings
18.9.74 Tablet PC
18.9.75 Task Scheduler
18.9.76 Text Input
18.9.77 Windows Calendar
18.9.78 Windows Color System
18.9.79 Windows Customer Experience Improvement Program
18.9.80 Windows Defender SmartScreen
18.9.80.1 Explorer
18.9.80.1.1 (L1) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent bypass' (Automated)
18.9.81 Windows Error Reporting
18.9.82 Windows Game Recording and Broadcasting
18.9.83 Windows Hello for Business (formerly Microsoft Passport for Work)
18.9.84 Windows Ink Workspace
18.9.84.1 (L2) Ensure 'Allow suggested apps in Windows Ink Workspace' is set to 'Disabled' (Automated)
18.9.84.2 (L1) Ensure 'Allow Windows Ink Workspace' is set to 'Enabled: On, but disallow access above lock' OR 'Disabled' but not 'Enabled: On' (Automated)
18.9.85 Windows Installer
18.9.85.1 (L1) Ensure 'Allow user control over installs' is set to 'Disabled' (Automated)
18.9.85.2 (L1) Ensure 'Always install with elevated privileges' is set to 'Disabled' (Automated)
18.9.85.3 (L2) Ensure 'Prevent Internet Explorer security prompt for Windows Installer scripts' is set to 'Disabled' (Automated)
18.9.86 Windows Logon Options
18.9.86.1 (L1) Ensure 'Sign-in and lock last interactive user automatically after a restart' is set to 'Disabled' (Automated)
18.9.87 Windows Mail
18.9.88 Windows Media Center
18.9.89 Windows Media Digital Rights Management
18.9.90 Windows Media Player
18.9.91 Windows Meeting Space
18.9.92 Windows Messenger
18.9.93 Windows Mobility Center
18.9.94 Windows Movie Maker
18.9.95 Windows PowerShell
18.9.95.1 (L1) Ensure 'Turn on PowerShell Script Block Logging' is set to 'Disabled' (Automated)
18.9.95.2 (L1) Ensure 'Turn on PowerShell Transcription' is set to 'Disabled' (Automated)
18.9.96 Windows Reliability Analysis
18.9.97 Windows Remote Management (WinRM)
18.9.97.1 WinRM Client
18.9.97.1.1 (L1) Ensure 'Allow Basic authentication' is set to 'Disabled' (Automated)
18.9.97.1.2 (L1) Ensure 'Allow unencrypted traffic' is set to 'Disabled' (Automated)
18.9.97.1.3 (L1) Ensure 'Disallow Digest authentication' is set to 'Enabled' (Automated)
18.9.97.2 WinRM Service
18.9.97.2.1 (L1) Ensure 'Allow Basic authentication' is set to 'Disabled' (Automated)
18.9.97.2.2 (L2) Ensure 'Allow remote server management through WinRM' is set to 'Disabled' (Automated)
18.9.97.2.3 (L1) Ensure 'Allow unencrypted traffic' is set to 'Disabled' (Automated)
18.9.97.2.4 (L1) Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled' (Automated)
18.9.98 Windows Remote Shell
18.9.98.1 (L2) Ensure 'Allow Remote Shell Access' is set to 'Disabled' (Automated)
18.9.99 Windows Security (formerly Windows Defender Security Center)
18.9.99.1 Account protection
18.9.99.2 App and browser protection
18.9.99.2.1 (L1) Ensure 'Prevent users from modifying settings' is set to 'Enabled' (Automated)
18.9.100 Windows SideShow
18.9.101 Windows System Resource Manager
18.9.102 Windows Update
18.9.102.1 Windows Update for Business (formerly Defer Windows Updates)
18.9.102.1.1 (L1) Ensure 'Manage preview builds' is set to 'Enabled: Disable preview builds' (Automated)
18.9.102.1.2 (L1) Ensure 'Select when Preview Builds and Feature Updates are received' is set to 'Enabled: Semi-Annual Channel, 180 or more days' (Automated)
18.9.102.1.3 (L1) Ensure 'Select when Quality Updates are received' is set to 'Enabled: 0 days' (Automated)
18.9.102.2 (L1) Ensure 'Configure Automatic Updates' is set to 'Enabled' (Automated)
18.9.102.3 (L1) Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day' (Automated)
18.9.102.4 (L1) Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled' (Automated)
19 Administrative Templates (User)
19.1 Control Panel
19.1.1 Add or Remove Programs
19.1.2 Display
19.1.3 Personalization (formerly Desktop Themes)
19.1.3.1 (L1) Ensure 'Enable screen saver' is set to 'Enabled' (Automated)
19.1.3.2 (L1) Ensure 'Force specific screen saver: Screen saver executable name' is set to 'Enabled: scrnsave.scr' (Automated)
19.1.3.3 (L1) Ensure 'Password protect the screen saver' is set to 'Enabled' (Automated)
19.1.3.4 (L1) Ensure 'Screen saver timeout' is set to 'Enabled: 900 seconds or fewer, but not 0' (Automated)
19.2 Desktop
19.3 Network
19.4 Shared Folders
19.5 Start Menu and Taskbar
19.5.1 Notifications
19.5.1.1 (L1) Ensure 'Turn off toast notifications on the lock screen' is set to 'Enabled' (Automated)
19.6 System
19.6.1 Ctrl+Alt+Del Options
19.6.2 Display
19.6.3 Driver Installation
19.6.4 Folder Redirection
19.6.5 Group Policy
19.6.6 Internet Communication Management
19.6.6.1 Internet Communication settings
19.6.6.1.1 (L2) Ensure 'Turn off Help Experience Improvement Program' is set to 'Enabled' (Automated)
19.7 Windows Components
19.7.1 Add features to Windows 8 / 8.1 / 10 (formerly Windows Anytime Upgrade)
19.7.2 App runtime
19.7.3 Application Compatibility
19.7.4 Attachment Manager
19.7.4.1 (L1) Ensure 'Do not preserve zone information in file attachments' is set to 'Disabled' (Automated)
19.7.4.2 (L1) Ensure 'Notify antivirus programs when opening attachments' is set to 'Enabled' (Automated)
19.7.5 AutoPlay Policies
19.7.6 Backup
19.7.7 Calculator
19.7.8 Cloud Content
19.7.8.1 (L1) Ensure 'Configure Windows spotlight on lock screen' is set to 'Disabled' (Automated)
19.7.8.2 (L1) Ensure 'Do not suggest third-party content in Windows spotlight' is set to 'Enabled' (Automated)
19.7.8.3 (L2) Ensure 'Do not use diagnostic data for tailored experiences' is set to 'Enabled' (Automated)
19.7.8.4 (L2) Ensure 'Turn off all Windows spotlight features' is set to 'Enabled' (Automated)
19.7.9 Credential User Interface
19.7.10 Data Collection and Preview Builds
19.7.11 Desktop Gadgets
19.7.12 Desktop Window Manager
19.7.13 Digital Locker
19.7.14 Edge UI
19.7.15 File Explorer (formerly Windows Explorer)
19.7.16 File Revocation
19.7.17 IME
19.7.18 Import Video
19.7.19 Instant Search
19.7.20 Internet Explorer
19.7.21 Location and Sensors
19.7.22 Microsoft Edge
19.7.23 Microsoft Management Console
19.7.24 Microsoft User Experience Virtualization
19.7.25 Multitasking
19.7.26 NetMeeting