StigData/Processed/WindowsServer-2012R2-DC-2.14.xml
<DISASTIG id="Windows_2012_DC_STIG" version="2.14" created="12/11/2018"> <AccountPolicyRule dscresourcemodule="SecurityPolicyDsc"> <Rule id="V-1097" severity="medium" conversionstatus="pass" title="Bad Logon Attempts" dscresource="AccountPolicy"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>True</OrganizationValueRequired> <OrganizationValueTestString>'{0}' -le '3' -and '{0}' -ne '0'</OrganizationValueTestString> <PolicyName>Account lockout threshold</PolicyName> <PolicyValue /> <RawString>Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Account Policies -> Account Lockout Policy. If the "Account lockout threshold" is "0" or more than "3" attempts, this is a finding.</RawString> </Rule> <Rule id="V-1098" severity="medium" conversionstatus="pass" title="Bad Logon Counter Reset" dscresource="AccountPolicy"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>True</OrganizationValueRequired> <OrganizationValueTestString>'{0}' -ge '15'</OrganizationValueTestString> <PolicyName>Reset account lockout counter after</PolicyName> <PolicyValue /> <RawString>Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Account Lockout Policy. If the "Reset account lockout counter after" value is less than "15" minutes, this is a finding.</RawString> </Rule> <Rule id="V-1099" severity="medium" conversionstatus="pass" title="Lockout Duration" dscresource="AccountPolicy"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>True</OrganizationValueRequired> <OrganizationValueTestString>'{0}' -ge '15' -or '{0}' -eq '0'</OrganizationValueTestString> <PolicyName>Account lockout duration</PolicyName> <PolicyValue /> <RawString>Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Account Lockout Policy. If the "Account lockout duration" is less than "15" minutes (excluding "0"), this is a finding. Configuring this to "0", requiring an administrator to unlock the account, is more restrictive and is not a finding.</RawString> </Rule> <Rule id="V-1104" severity="medium" conversionstatus="pass" title="Maximum Password Age " dscresource="AccountPolicy"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>True</OrganizationValueRequired> <OrganizationValueTestString>'{0}' -le '60' -and '{0}' -ne '0'</OrganizationValueTestString> <PolicyName>Maximum password age</PolicyName> <PolicyValue /> <RawString>Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Account Policies -> Password Policy. If the value for the "Maximum password age" is greater than "60" days, this is a finding. If the value is set to "0" (never expires), this is a finding.</RawString> </Rule> <Rule id="V-1105" severity="medium" conversionstatus="pass" title="Minimum Password Age" dscresource="AccountPolicy"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>True</OrganizationValueRequired> <OrganizationValueTestString>'{0}' -ne '0'</OrganizationValueTestString> <PolicyName>Minimum password age</PolicyName> <PolicyValue /> <RawString>Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Account Policies -> Password Policy. If the value for the "Minimum password age" is set to "0" days ("Password can be changed immediately."), this is a finding.</RawString> </Rule> <Rule id="V-1107" severity="medium" conversionstatus="pass" title="Password Uniqueness" dscresource="AccountPolicy"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>True</OrganizationValueRequired> <OrganizationValueTestString>'{0}' -ge '24'</OrganizationValueTestString> <PolicyName>Enforce password history</PolicyName> <PolicyValue /> <RawString>Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy. If the value for "Enforce password history" is less than "24" passwords remembered, this is a finding.</RawString> </Rule> <Rule id="V-1150" severity="medium" conversionstatus="pass" title="Microsoft Strong Password Filtering" dscresource="AccountPolicy"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <PolicyName>Password must meet complexity requirements</PolicyName> <PolicyValue>Enabled</PolicyValue> <RawString>Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy. If the value for "Password must meet complexity requirements" is not set to "Enabled", this is a finding. Note: If an external password filter is in use that enforces all 4 character types and requires this setting be set to "Disabled", this would not be considered a finding. If this setting does not affect the use of an external password filter, it must be enabled for fallback purposes.</RawString> </Rule> <Rule id="V-2372" severity="high" conversionstatus="pass" title="Reversible Password Encryption" dscresource="AccountPolicy"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <PolicyName>Store passwords using reversible encryption</PolicyName> <PolicyValue>Disabled</PolicyValue> <RawString>Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Account Policies -> Password Policy. If the value for "Store password using reversible encryption" is not set to "Disabled", this is a finding.</RawString> </Rule> <Rule id="V-2376" severity="medium" conversionstatus="pass" title="Kerberos-User Logon Restrictions" dscresource="AccountPolicy"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <PolicyName>Enforce user logon restrictions</PolicyName> <PolicyValue>Enabled</PolicyValue> <RawString>Verify the following is configured in the Default Domain Policy. Open "Group Policy Management". Navigate to "Group Policy Objects" in the Domain being reviewed (Forest > Domains > Domain). Right click on the "Default Domain Policy". Select Edit. Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Kerberos Policy. If the "Enforce user logon restrictions" is not set to "Enabled", this is a finding.</RawString> </Rule> <Rule id="V-2377" severity="medium" conversionstatus="pass" title="Kerberos-Service Ticket Lifetime" dscresource="AccountPolicy"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>True</OrganizationValueRequired> <OrganizationValueTestString>'{0}' -le '600' -and '{0}' -ne '0'</OrganizationValueTestString> <PolicyName>Maximum lifetime for service ticket</PolicyName> <PolicyValue /> <RawString>Verify the following is configured in the Default Domain Policy. Open "Group Policy Management". Navigate to "Group Policy Objects" in the Domain being reviewed (Forest > Domains > Domain). Right click on the "Default Domain Policy". Select Edit. Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Kerberos Policy. If the value for "Maximum lifetime for service ticket" is "0" or greater than "600" minutes, this is a finding.</RawString> </Rule> <Rule id="V-2378" severity="medium" conversionstatus="pass" title="Kerberos - User Ticket Lifetime" dscresource="AccountPolicy"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>True</OrganizationValueRequired> <OrganizationValueTestString>'{0}' -le '10' -and '{0}' -ne '0'</OrganizationValueTestString> <PolicyName>Maximum lifetime for user ticket</PolicyName> <PolicyValue /> <RawString>Verify the following is configured in the Default Domain Policy. Open "Group Policy Management". Navigate to "Group Policy Objects" in the Domain being reviewed (Forest > Domains > Domain). Right click on the "Default Domain Policy". Select Edit. Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Kerberos Policy. If the value for "Maximum lifetime for user ticket" is "0" or greater than "10" hours, this is a finding.</RawString> </Rule> <Rule id="V-2379" severity="medium" conversionstatus="pass" title="Kerberos-User Ticket Renewal" dscresource="AccountPolicy"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>True</OrganizationValueRequired> <OrganizationValueTestString>'{0}' -le '7'</OrganizationValueTestString> <PolicyName>Maximum lifetime for user ticket renewal</PolicyName> <PolicyValue /> <RawString>Verify the following is configured in the Default Domain Policy. Open "Group Policy Management". Navigate to "Group Policy Objects" in the Domain being reviewed (Forest > Domains > Domain). Right click on the "Default Domain Policy". Select Edit. Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Kerberos Policy. If the "Maximum lifetime for user ticket renewal" is greater than "7" days, this is a finding.</RawString> </Rule> <Rule id="V-2380" severity="medium" conversionstatus="pass" title="Kerberos - Computer Clock Sync" dscresource="AccountPolicy"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>True</OrganizationValueRequired> <OrganizationValueTestString>'{0}' -le '5'</OrganizationValueTestString> <PolicyName>Maximum tolerance for computer clock synchronization</PolicyName> <PolicyValue /> <RawString>Verify the following is configured in the Default Domain Policy. Open "Group Policy Management". Navigate to "Group Policy Objects" in the Domain being reviewed (Forest > Domains > Domain). Right click on the "Default Domain Policy". Select Edit. Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Kerberos Policy. If the "Maximum tolerance for computer clock synchronization" is greater than "5" minutes, this is a finding.</RawString> </Rule> <Rule id="V-6836" severity="medium" conversionstatus="pass" title="Minimum Password Length" dscresource="AccountPolicy"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>True</OrganizationValueRequired> <OrganizationValueTestString>'{0}' -ge '14'</OrganizationValueTestString> <PolicyName>Minimum password length</PolicyName> <PolicyValue /> <RawString>Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Account Policies -> Password Policy. If the value for the "Minimum password length," is less than "14" characters, this is a finding.</RawString> </Rule> </AccountPolicyRule> <AuditPolicyRule dscresourcemodule="AuditPolicyDsc"> <Rule id="V-26529" severity="medium" conversionstatus="pass" title="Audit - Credential Validation - Success" dscresource="AuditPolicySubcategory"> <AuditFlag>Success</AuditFlag> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: -Open a Command Prompt with elevated privileges ("Run as Administrator"). -Enter "AuditPol /get /category:*". Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. Account Logon -> Credential Validation - Success</RawString> <Subcategory>Credential Validation</Subcategory> </Rule> <Rule id="V-26530" severity="medium" conversionstatus="pass" title="Audit - Credential Validation - Failure" dscresource="AuditPolicySubcategory"> <AuditFlag>Failure</AuditFlag> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: -Open a Command Prompt with elevated privileges ("Run as Administrator"). -Enter "AuditPol /get /category:*". Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. Account Logon -> Credential Validation - Failure</RawString> <Subcategory>Credential Validation</Subcategory> </Rule> <Rule id="V-26531" severity="medium" conversionstatus="pass" title="Audit - Computer Account Management - Success" dscresource="AuditPolicySubcategory"> <AuditFlag>Success</AuditFlag> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: -Open a Command Prompt with elevated privileges ("Run as Administrator"). -Enter "AuditPol /get /category:*". Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. Account Management >> Computer Account Management - Success</RawString> <Subcategory>Computer Account Management</Subcategory> </Rule> <Rule id="V-26533" severity="medium" conversionstatus="pass" title="Audit - Other Account Management Events - Success" dscresource="AuditPolicySubcategory"> <AuditFlag>Success</AuditFlag> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: -Open a Command Prompt with elevated privileges ("Run as Administrator"). -Enter "AuditPol /get /category:*". Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. Account Management -> Other Account Management Events - Success</RawString> <Subcategory>Other Account Management Events</Subcategory> </Rule> <Rule id="V-26535" severity="medium" conversionstatus="pass" title="Audit - Security Group Management - Success" dscresource="AuditPolicySubcategory"> <AuditFlag>Success</AuditFlag> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: -Open a Command Prompt with elevated privileges ("Run as Administrator"). -Enter "AuditPol /get /category:*". Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. Account Management -> Security Group Management - Success</RawString> <Subcategory>Security Group Management</Subcategory> </Rule> <Rule id="V-26537" severity="medium" conversionstatus="pass" title="Audit - User Account Management - Success" dscresource="AuditPolicySubcategory"> <AuditFlag>Success</AuditFlag> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: -Open a Command Prompt with elevated privileges ("Run as Administrator"). -Enter "AuditPol /get /category:*". Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. Account Management -> User Account Management - Success</RawString> <Subcategory>User Account Management</Subcategory> </Rule> <Rule id="V-26538" severity="medium" conversionstatus="pass" title="Audit - User Account Management - Failure" dscresource="AuditPolicySubcategory"> <AuditFlag>Failure</AuditFlag> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: -Open a Command Prompt with elevated privileges ("Run as Administrator"). -Enter "AuditPol /get /category:*". Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. Account Management -> User Account Management - Failure</RawString> <Subcategory>User Account Management</Subcategory> </Rule> <Rule id="V-26539" severity="medium" conversionstatus="pass" title="Audit - Process Creation - Success" dscresource="AuditPolicySubcategory"> <AuditFlag>Success</AuditFlag> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: -Open a Command Prompt with elevated privileges ("Run as Administrator"). -Enter "AuditPol /get /category:*". Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. Detailed Tracking -> Process Creation - Success</RawString> <Subcategory>Process Creation</Subcategory> </Rule> <Rule id="V-26540" severity="medium" conversionstatus="pass" title="Audit - Logoff - Success" dscresource="AuditPolicySubcategory"> <AuditFlag>Success</AuditFlag> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: -Open a Command Prompt with elevated privileges ("Run as Administrator"). -Enter "AuditPol /get /category:*". Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. Logon/Logoff -> Logoff - Success</RawString> <Subcategory>Logoff</Subcategory> </Rule> <Rule id="V-26541" severity="medium" conversionstatus="pass" title="Audit - Logon - Success" dscresource="AuditPolicySubcategory"> <AuditFlag>Success</AuditFlag> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: -Open a Command Prompt with elevated privileges ("Run as Administrator"). -Enter "AuditPol /get /category:*". Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. Logon/Logoff -> Logon - Success</RawString> <Subcategory>Logon</Subcategory> </Rule> <Rule id="V-26542" severity="medium" conversionstatus="pass" title="Audit - Logon - Failure" dscresource="AuditPolicySubcategory"> <AuditFlag>Failure</AuditFlag> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: -Open a Command Prompt with elevated privileges ("Run as Administrator"). -Enter "AuditPol /get /category:*". Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. Logon/Logoff -> Logon - Failure</RawString> <Subcategory>Logon</Subcategory> </Rule> <Rule id="V-26543" severity="medium" conversionstatus="pass" title="Audit - Special Logon - Success" dscresource="AuditPolicySubcategory"> <AuditFlag>Success</AuditFlag> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: -Open a Command Prompt with elevated privileges ("Run as Administrator"). -Enter "AuditPol /get /category:*". Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. Logon/Logoff -> Special Logon - Success</RawString> <Subcategory>Special Logon</Subcategory> </Rule> <Rule id="V-26546" severity="medium" conversionstatus="pass" title="Audit - Audit Policy Change - Success" dscresource="AuditPolicySubcategory"> <AuditFlag>Success</AuditFlag> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: -Open a Command Prompt with elevated privileges ("Run as Administrator"). -Enter "AuditPol /get /category:*". Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. Policy Change -> Audit Policy Change - Success</RawString> <Subcategory>Audit Policy Change</Subcategory> </Rule> <Rule id="V-26547" severity="medium" conversionstatus="pass" title="Audit - Audit Policy Change - Failure" dscresource="AuditPolicySubcategory"> <AuditFlag>Failure</AuditFlag> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: -Open a Command Prompt with elevated privileges ("Run as Administrator"). -Enter "AuditPol /get /category:*". Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. Policy Change -> Audit Policy Change - Failure</RawString> <Subcategory>Audit Policy Change</Subcategory> </Rule> <Rule id="V-26548" severity="medium" conversionstatus="pass" title="Audit - Authentication Policy Change - Success" dscresource="AuditPolicySubcategory"> <AuditFlag>Success</AuditFlag> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: -Open a Command Prompt with elevated privileges ("Run as Administrator"). -Enter "AuditPol /get /category:*". Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. Policy Change -> Authentication Policy Change - Success</RawString> <Subcategory>Authentication Policy Change</Subcategory> </Rule> <Rule id="V-26549" severity="medium" conversionstatus="pass" title="Audit - Sensitive Privilege Use - Success" dscresource="AuditPolicySubcategory"> <AuditFlag>Success</AuditFlag> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: -Open a Command Prompt with elevated privileges ("Run as Administrator"). -Enter "AuditPol /get /category:*". Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. Privilege Use -> Sensitive Privilege Use - Success</RawString> <Subcategory>Sensitive Privilege Use</Subcategory> </Rule> <Rule id="V-26550" severity="medium" conversionstatus="pass" title="Audit - Sensitive Privilege Use - Failure" dscresource="AuditPolicySubcategory"> <AuditFlag>Failure</AuditFlag> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: -Open a Command Prompt with elevated privileges ("Run as Administrator"). -Enter "AuditPol /get /category:*". Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. Privilege Use -> Sensitive Privilege Use - Failure</RawString> <Subcategory>Sensitive Privilege Use</Subcategory> </Rule> <Rule id="V-26551" severity="medium" conversionstatus="pass" title="Audit - IPSec Driver - Success" dscresource="AuditPolicySubcategory"> <AuditFlag>Success</AuditFlag> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: -Open a Command Prompt with elevated privileges ("Run as Administrator"). -Enter "AuditPol /get /category:*". Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. System -> IPsec Driver - Success</RawString> <Subcategory>IPsec Driver</Subcategory> </Rule> <Rule id="V-26552" severity="medium" conversionstatus="pass" title="Audit - IPSec Driver - Failure" dscresource="AuditPolicySubcategory"> <AuditFlag>Failure</AuditFlag> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: -Open a Command Prompt with elevated privileges ("Run as Administrator"). -Enter "AuditPol /get /category:*". Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. System -> IPsec Driver - Failure</RawString> <Subcategory>IPsec Driver</Subcategory> </Rule> <Rule id="V-26553" severity="medium" conversionstatus="pass" title="Audit - Security State Change - Success" dscresource="AuditPolicySubcategory"> <AuditFlag>Success</AuditFlag> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: -Open a Command Prompt with elevated privileges ("Run as Administrator"). -Enter "AuditPol /get /category:*". Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. System -> Security State Change - Success</RawString> <Subcategory>Security State Change</Subcategory> </Rule> <Rule id="V-26555" severity="medium" conversionstatus="pass" title="Audit - Security System Extension - Success" dscresource="AuditPolicySubcategory"> <AuditFlag>Success</AuditFlag> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: -Open a Command Prompt with elevated privileges ("Run as Administrator"). -Enter "AuditPol /get /category:*". Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. System -> Security System Extension - Success</RawString> <Subcategory>Security System Extension</Subcategory> </Rule> <Rule id="V-26557" severity="medium" conversionstatus="pass" title="Audit - System Integrity - Success" dscresource="AuditPolicySubcategory"> <AuditFlag>Success</AuditFlag> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: -Open a Command Prompt with elevated privileges ("Run as Administrator"). -Enter "AuditPol /get /category:*". Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. System -> System Integrity - Success</RawString> <Subcategory>System Integrity</Subcategory> </Rule> <Rule id="V-26558" severity="medium" conversionstatus="pass" title="Audit - System Integrity - Failure" dscresource="AuditPolicySubcategory"> <AuditFlag>Failure</AuditFlag> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: -Open a Command Prompt with elevated privileges ("Run as Administrator"). -Enter "AuditPol /get /category:*". Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. System -> System Integrity - Failure</RawString> <Subcategory>System Integrity</Subcategory> </Rule> <Rule id="V-33663" severity="medium" conversionstatus="pass" title="Audit Directory Service Access - Success" dscresource="AuditPolicySubcategory"> <AuditFlag>Success</AuditFlag> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: -Open a Command Prompt with elevated privileges ("Run as Administrator"). -Enter "AuditPol /get /category:*". Compare the Auditpol settings with the following. If the system does not audit the following, this is a finding. DS Access -> Directory Service Access - Success</RawString> <Subcategory>Directory Service Access</Subcategory> </Rule> <Rule id="V-33664" severity="medium" conversionstatus="pass" title="Audit - Directory Service Access - Failure" dscresource="AuditPolicySubcategory"> <AuditFlag>Failure</AuditFlag> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: -Open a Command Prompt with elevated privileges ("Run as Administrator"). -Enter "AuditPol /get /category:*". Compare the Auditpol settings with the following. If the system does not audit the following, this is a finding. DS Access -> Directory Service Access - Failure</RawString> <Subcategory>Directory Service Access</Subcategory> </Rule> <Rule id="V-33665" severity="medium" conversionstatus="pass" title="Audit - Directory Service Changes - Success" dscresource="AuditPolicySubcategory"> <AuditFlag>Success</AuditFlag> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: -Open a Command Prompt with elevated privileges ("Run as Administrator"). -Enter "AuditPol /get /category:*". Compare the Auditpol settings with the following. If the system does not audit the following, this is a finding. DS Access -> Directory Service Changes - Success</RawString> <Subcategory>Directory Service Changes</Subcategory> </Rule> <Rule id="V-33666" severity="medium" conversionstatus="pass" title="Audit - Directory Service Changes - Failure" dscresource="AuditPolicySubcategory"> <AuditFlag>Failure</AuditFlag> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: -Open a Command Prompt with elevated privileges ("Run as Administrator"). -Enter "AuditPol /get /category:*". Compare the Auditpol settings with the following. If the system does not audit the following, this is a finding. DS Access -> Directory Service Changes - Failure</RawString> <Subcategory>Directory Service Changes</Subcategory> </Rule> <Rule id="V-36667" severity="medium" conversionstatus="pass" title="WINAU-000016" dscresource="AuditPolicySubcategory"> <AuditFlag>Failure</AuditFlag> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: -Open a Command Prompt with elevated privileges ("Run as Administrator"). -Enter "AuditPol /get /category:*" Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. Object Access >> Removable Storage - Failure Virtual machines or systems that use network attached storage may generate excessive audit events for secondary virtual drives or the network attached storage when this setting is enabled. This may be set to Not Configured in such cases and would not be a finding.</RawString> <Subcategory>Removable Storage</Subcategory> </Rule> <Rule id="V-36668" severity="medium" conversionstatus="pass" title="WINAU-000017" dscresource="AuditPolicySubcategory"> <AuditFlag>Success</AuditFlag> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: -Open a Command Prompt with elevated privileges ("Run as Administrator"). -Enter "AuditPol /get /category:*" Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. Object Access >> Removable Storage - Success Virtual machines or systems that use network attached storage may generate excessive audit events for secondary virtual drives or the network attached storage when this setting is enabled. This may be set to Not Configured in such cases and would not be a finding.</RawString> <Subcategory>Removable Storage</Subcategory> </Rule> <Rule id="V-40200" severity="medium" conversionstatus="pass" title="WNAU-000060" dscresource="AuditPolicySubcategory"> <AuditFlag>Failure</AuditFlag> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: -Open a Command Prompt with elevated privileges ("Run as Administrator"). -Enter "AuditPol /get /category:*". Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. Object Access -> Central Policy Staging - Failure</RawString> <Subcategory>Central Policy Staging</Subcategory> </Rule> <Rule id="V-40202" severity="medium" conversionstatus="pass" title="WNAU-000059" dscresource="AuditPolicySubcategory"> <AuditFlag>Success</AuditFlag> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: -Open a Command Prompt with elevated privileges ("Run as Administrator"). -Enter "AuditPol /get /category:*". Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. Object Access -> Central Policy Staging - Success</RawString> <Subcategory>Central Policy Staging</Subcategory> </Rule> <Rule id="V-57633" severity="medium" conversionstatus="pass" title="WINAU-000089" dscresource="AuditPolicySubcategory"> <AuditFlag>Success</AuditFlag> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: -Open a Command Prompt with elevated privileges ("Run as Administrator"). -Enter "AuditPol /get /category:*". Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. Policy Change -> Authorization Policy Change - Success</RawString> <Subcategory>Authorization Policy Change</Subcategory> </Rule> <Rule id="V-78057" severity="medium" conversionstatus="pass" title="WINAU-000501" dscresource="AuditPolicySubcategory"> <AuditFlag>Success</AuditFlag> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: Open an elevated "Command Prompt" (run as administrator). Enter "AuditPol /get /category:*" Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. Logon/Logoff >> Account Lockout - Success</RawString> <Subcategory>Account Lockout</Subcategory> </Rule> <Rule id="V-78059" severity="medium" conversionstatus="pass" title="WINAU-000502" dscresource="AuditPolicySubcategory"> <AuditFlag>Failure</AuditFlag> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: Open an elevated "Command Prompt" (run as administrator). Enter "AuditPol /get /category:*" Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. Logon/Logoff >> Account Lockout - Failure</RawString> <Subcategory>Account Lockout</Subcategory> </Rule> <Rule id="V-78061" severity="medium" conversionstatus="pass" title="WINAU-000907" dscresource="AuditPolicySubcategory"> <AuditFlag>Success</AuditFlag> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: Open an elevated "Command Prompt" (run as administrator). Enter "AuditPol /get /category:*" Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. System >> Other System Events - Success</RawString> <Subcategory>Other System Events</Subcategory> </Rule> <Rule id="V-78063" severity="medium" conversionstatus="pass" title="WINAU-000908" dscresource="AuditPolicySubcategory"> <AuditFlag>Failure</AuditFlag> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: Open an elevated "Command Prompt" (run as administrator). Enter "AuditPol /get /category:*". Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. System >> Other System Events - Failure</RawString> <Subcategory>Other System Events</Subcategory> </Rule> </AuditPolicyRule> <DocumentRule dscresourcemodule="None"> <Rule id="V-1072" severity="medium" conversionstatus="pass" title="Shared User Accounts" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Determine whether any shared accounts exist. If no shared accounts exist, this is NA. Shared accounts, such as required by an application, may be approved by the organization. This must be documented with the ISSO. Documentation must include the reason for the account, who has access to the account, and how the risk of using the shared account is mitigated to include monitoring account activity. If unapproved shared accounts exist, this is a finding.</RawString> </Rule> <Rule id="V-1112" severity="low" conversionstatus="pass" title="Dormant Accounts" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Run "PowerShell". Member servers and standalone systems: Copy or enter the lines below to the PowerShell window and enter. (Entering twice may be required. Do not include the quotes at the beginning and end of the query.) "([ADSI]('WinNT://{0}' -f $env:COMPUTERNAME)).Children | Where { $_.SchemaClassName -eq 'user' } | ForEach { $user = ([ADSI]$_.Path) $lastLogin = $user.Properties.LastLogin.Value $enabled = ($user.Properties.UserFlags.Value -band 0x2) -ne 0x2 if ($lastLogin -eq $null) { $lastLogin = 'Never' } Write-Host $user.Name $lastLogin $enabled }" This will return a list of local accounts with the account name, last logon, and if the account is enabled (True/False). For example: User1 10/31/2015 5:49:56 AM True Domain Controllers: Enter the following command in PowerShell. "Search-ADAccount -AccountInactive -UsersOnly -TimeSpan 35.00:00:00" This will return accounts that have not been logged on to for 35 days, along with various attributes such as the Enabled status and LastLogonDate. Review the list of accounts returned by the above queries to determine the finding validity for each account reported. Exclude the following accounts: Built-in administrator account (Renamed, SID ending in 500) Built-in guest account (Renamed, Disabled, SID ending in 501) Application accounts If any enabled accounts have not been logged on to within the past 35 days, this is a finding. Inactive accounts that have been reviewed and deemed to be required must be documented with the ISSO.</RawString> </Rule> <Rule id="V-1120" severity="medium" conversionstatus="pass" title="Prohibited FTP Logins" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If FTP is not installed on the system, this is NA. Determine the IP address and port number assigned to FTP sites from documentation or configuration. If Microsoft FTP is used, open "Internet Information Services (IIS) Manager". Select "Sites" under the server name. For any sites that reference FTP, view the Binding information for IP address and port. The standard port for FTP is 21, however this may be changed. Open a "Command Prompt". Attempt to log on as the user "anonymous" with the following commands: Note: Returned results may vary depending on the FTP server software. C:\> "ftp" ftp> "Open IP Address Port" (Substituting [IP Address] and [Port] with the information previously identified. If no IP Address was listed in the Binding, attempt using "localhost".) (Connected to IP Address 220 Microsoft FTP Service) User (IP Address): "anonymous" (331 Anonymous access allowed, send identity (e-mail name) as password.) Password: "password" (230 User logged in.) ftp> If the response indicates that an anonymous FTP login was permitted, this is a finding. If accounts with administrator privileges are used to access FTP, this is a CAT I finding.</RawString> </Rule> <Rule id="V-1121" severity="high" conversionstatus="pass" title="FTP System File Access" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If FTP is not installed on the system, this is NA. Determine the IP address and port number assigned to FTP sites from documentation or configuration. If Microsoft FTP is used, open "Internet Information Services (IIS) Manager". Select "Sites" under the server name. For any sites that reference FTP, view the Binding information for IP address and port. The standard port for FTP is 21, however this may be changed. Open a "Command Prompt". Access the FTP site and review accessible directories with the following commands: Note: Returned results may vary depending on the FTP server software. C:\> "ftp" ftp> "Open IP Address Port" (Substituting [IP Address] and [Port] with the information previously identified. If no IP Address was listed in the Binding, attempt using "localhost".) (Connected to IP Address 220 Microsoft FTP Service) User (IP Address): "FTP User" (Substituting [FTP User] with an account identified that is allowed access. If it was determined that anonymous access was allowed to the site [see V-1120], also review access using "anonymous".) (331 Password required) Password: "Password" (Substituting [Password] with password for the account attempting access.) (230 User ftpuser logged in.) ftp> "Dir" If the FTP session indicates access to areas of the system other than the specific folder for FTP data, such as the root of the drive, Program Files or Windows directories, this is a finding.</RawString> </Rule> <Rule id="V-1168" severity="medium" conversionstatus="pass" title="Members of the Backup Operators Group" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If no accounts are members of the Backup Operators group, this is NA. Any accounts that are members of the Backup Operators group, including application accounts, must be documented with the ISSO. If documentation of accounts that are members of the Backup Operators group is not maintained this is a finding.</RawString> </Rule> <Rule id="V-3289" severity="medium" conversionstatus="pass" title="Intrusion Detection System" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Determine whether there is a host-based Intrusion Detection System on each server. If the HIPS component of HBSS is installed and active on the host and the Alerts of blocked activity are being logged and monitored, this will meet the requirement of this finding. A HID device is not required on a system that has the role as the Network Intrusion Device (NID). However, this exception needs to be documented with the site ISSO. If a host-based Intrusion Detection System is not installed on the system, this is a finding.</RawString> </Rule> <Rule id="V-3487" severity="medium" conversionstatus="pass" title="Unnecessary Services" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Required services will vary between organizations, and on the role of the individual system. Organizations will develop their own list of services which will be documented and justified with the ISSO. The site's list will be provided for any security review. Services common to multiple systems can be addressed in one document. Exceptions for individual systems should be identified separately by system. Individual services specifically required to be disabled per the STIG are identified in separate requirements. If the site has not documented the services required for their system(s), this is a finding. The following can be used to view the services on a system: Run "Services.msc". Services for Windows Server 2012 roles are managed automatically, adding those necessary for a particular role. The following lists the default services for a baseline installation as a reference. This can be used as a basis for documenting the services necessary. Default Installation Name - Startup Type Application Experience - Manual (Trigger Start) Application Identity - Manual (Trigger Start) Application Information - Manual Application Layer Gateway Service - Manual Application Management - Manual Background Intelligent Transfer Service - Automatic (Delayed Start) Background Tasks Infrastructure Service - Automatic Base Filtering Engine - Automatic Certificate Propagation - Manual CNG Key Isolation - Manual (Trigger Start) COM+ Event System - Automatic COM+ System Application - Manual Computer Browser - Disabled Credential Manager - Manual Cryptographic Services - Automatic DCOM Server Process Launcher - Automatic Device Association Service - Manual (Trigger Start) Device Install Service - Manual (Trigger Start) Device Setup Manager - Manual (Trigger Start) DHCP Client - Automatic Diagnostic Policy Service - Automatic (Delayed Start) Diagnostic Service Host - Manual Diagnostic System Host - Manual Distributed Link Tracking Client - Automatic Distributed Transaction Coordinator - Automatic (Delayed Start) DNS Client - Automatic (Trigger Start) Encrypting File System (EFS) - Manual (Trigger Start) Extensible Authentication Protocol - Manual Function Discovery Provider Host - Manual Function Discovery Resource Publication - Manual Group Policy Client - Automatic (Trigger Start) Health Key and Certificate Management - Manual Human Interface Device Access - Manual (Trigger Start) Hyper-V Data Exchange Service - Manual (Trigger Start) Hyper-V Guest Shutdown Service - Manual (Trigger Start) Hyper-V Heartbeat Service - Manual (Trigger Start) Hyper-V Remote Desktop Virtualization Service - Manual (Trigger Start) Hyper-V Time Synchronization Service - Manual (Trigger Start) Hyper-V Volume Shadow Copy Requestor - Manual (Trigger Start) IKE and AuthIP IPsec Keying Modules - Manual (Trigger Start) Interactive Services Detection - Manual Internet Connection Sharing (ICS) - Disabled IP Helper - Automatic IPsec Policy Agent - Manual (Trigger Start) KDC Proxy Server service (KPS) - Manual KtmRm for Distributed Transaction Coordinator - Manual (Trigger Start) Link-Layer Topology Discovery Mapper - Manual Local Session Manager - Automatic Microsoft iSCSI Initiator Service - Manual Microsoft Software Shadow Copy Provider - Manual Multimedia Class Scheduler - Manual Net.Tcp Port Sharing Service - Disabled Netlogon - Manual Network Access Protection Agent - Manual Network Connections - Manual Network Connectivity Assistant - Manual (Trigger Start) Network List Service - Manual Network Location Awareness - Automatic Network Store Interface Service - Automatic Optimize drives - Manual Performance Counter DLL Host - Manual Performance Logs & Alerts - Manual Plug and Play - Manual Portable Device Enumerator Service - Manual (Trigger Start) Power - Automatic Print Spooler - Automatic Printer Extensions and Notifications - Manual Problem Reports and Solutions Control Panel Support - Manual Remote Access Auto Connection Manager - Manual Remote Access Connection Manager - Manual Remote Desktop Configuration - Manual Remote Desktop Services - Manual Remote Desktop Services UserMode Port Redirector - Manual Remote Procedure Call (RPC) - Automatic Remote Procedure Call (RPC) Locator - Manual Remote Registry - Automatic (Trigger Start) Resultant Set of Policy Provider - Manual Routing and Remote Access - Disabled RPC Endpoint Mapper - Automatic Secondary Logon - Manual Secure Socket Tunneling Protocol Service - Manual Security Accounts Manager - Automatic Server - Automatic Shell Hardware Detection - Automatic Smart Card - Disabled Smart Card Removal Policy - Manual SNMP Trap - Manual Software Protection - Automatic (Delayed Start, Trigger Start) Special Administration Console Helper - Manual Spot Verifier - Manual (Trigger Start) SSDP Discovery - Disabled Superfetch - Manual System Event Notification Service - Automatic Task Scheduler - Automatic TCP/IP NetBIOS Helper - Automatic (Trigger Start) Telephony - Manual Themes - Automatic Thread Ordering Server - Manual UPnP Device Host - Disabled User Access Logging Service - Automatic (Delayed Start) User Profile Service - Automatic Virtual Disk - Manual Volume Shadow Copy - Manual Windows All-User Install Agent - Manual (Trigger Start) Windows Audio - Manual Windows Audio Endpoint Builder - Manual Windows Color System - Manual Windows Driver Foundation - User-mode Driver Framework - Manual (Trigger Start) Windows Error Reporting Service - Manual (Trigger Start) Windows Event Collector - Manual Windows Event Log - Automatic Windows Firewall - Automatic Windows Font Cache Service - Automatic Windows Installer - Manual Windows Licensing Monitoring Service - Automatic Windows Management Instrumentation - Automatic Windows Modules Installer - Manual Windows Remote Management (WS-Management) - Automatic Windows Store Service (WSService) - Manual (Trigger Start) Windows Time - Manual (Trigger Start) Windows Update - Manual WinHTTP Web Proxy Auto-Discovery Service - Manual Wired AutoConfig - Manual WMI Performance Adapter - Manual Workstation - Automatic</RawString> </Rule> <Rule id="V-14783" severity="medium" conversionstatus="pass" title="Replication Encryption – Classification Factor" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>With the assistance of the SA, NSO, or network reviewer as required, review the site network diagram(s) or documentation to determine the level of classification for the network(s) over which replication data is transmitted. Determine the classification level of the Windows domain controller. If the classification level of the Windows domain controller is higher than the level of the networks, review the site network diagram(s) and directory implementation documentation to determine if NSA-approved encryption is used to protect the replication network traffic. If the classification level of the Windows domain controller is higher than the level of the network traversed and NSA-approved encryption is not used, this is a finding.</RawString> </Rule> <Rule id="V-15823" severity="medium" conversionstatus="pass" title="Software Certificate Installation Files" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Search all drives for *.p12 and *.pfx files. If any files with these extensions exist, this is a finding. This does not apply to server-based applications that have a requirement for certificate files. Some applications create files with extensions of .p12 that are not certificate installation files. Removal of non-certificate installation files from systems is not required. These must be documented with the ISSO.</RawString> </Rule> <Rule id="V-26683" severity="high" conversionstatus="pass" title="Directory PKI Certificate Source - Users" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Open "PowerShell" as Administrator. Enter "Get-ADUser -Filter * | FT Name, UserPrincipalName, Enabled -AutoSize". Review the User Principal Name (UPN) of user accounts, including administrators. Exclude the built-in accounts such as Administrator and Guest. If the User Principal Name (UPN) is not in the format of an individual's identifier for the certificate type and for the appropriate domain suffix, this is a finding. For standard NIPRNET certificates the individual's identifier is in the format of an Electronic Data Interchange - Personnel Identifier (EDI-PI). Alt Tokens and other certificates may use a different UPN format than the EDI-PI, which vary by organization. Verify these with the organization. NIPRNET Example: Name - User Principal Name User1 - 1234567890@mil See PKE documentation for other network domain suffixes. If the mappings are to certificates issued by a CA authorized by the Component's CIO, this is a CAT II finding.</RawString> </Rule> <Rule id="V-32272" severity="medium" conversionstatus="pass" title="WINPK-000001" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Verify the DoD Root CA certificates are installed as Trusted Root Certification Authorities. The certificates and thumbprints referenced below apply to unclassified systems; see PKE documentation for other networks. Run "PowerShell" as an administrator. Execute the following command: Get-ChildItem -Path Cert:Localmachine\root | Where Subject -Like "*DoD*" | FL Subject, Thumbprint, NotAfter If the following certificate "Subject" and "Thumbprint" information is not displayed, this is finding. If an expired certificate ("NotAfter" date) is not listed in the results, this is not a finding. Subject: CN=DoD Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US Thumbprint: 8C941B34EA1EA6ED9AE2BC54CF687252B4C9B561 NotAfter: 12/5/2029 Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US Thumbprint: D73CA91102A2204A36459ED32213B467D7CE97FB NotAfter: 12/30/2029 Subject: CN=DoD Root CA 4, OU=PKI, OU=DoD, O=U.S. Government, C=US Thumbprint: B8269F25DBD937ECAFD4C35A9838571723F2D026 NotAfter: 7/25/2032 Subject: CN=DoD Root CA 5, OU=PKI, OU=DoD, O=U.S. Government, C=US Thumbprint: 4ECB5CC3095670454DA1CBD410FC921F46B8564B NotAfter: 6/14/2041 Alternately use the Certificates MMC snap-in: Run "MMC". Select "File", "Add/Remove Snap-in". Select "Certificates", click "Add". Select "Computer account", click "Next". Select "Local computer: (the computer this console is running on)", click "Finish". Click "OK". Expand "Certificates" and navigate to "Trusted Root Certification Authorities >> Certificates". For each of the DoD Root CA certificates noted below: Right-click on the certificate and select "Open". Select the "Details" Tab. Scroll to the bottom and select "Thumbprint". If the DoD Root CA certificates below are not listed or the value for the "Thumbprint" field is not as noted, this is a finding. If an expired certificate ("Valid to" date) is not listed in the results, this is not a finding. DoD Root CA 2 Thumbprint: 8C941B34EA1EA6ED9AE2BC54CF687252B4C9B561 Valid to: Wednesday, December 5, 2029 DoD Root CA 3 Thumbprint: D73CA91102A2204A36459ED32213B467D7CE97FB Valid to: Sunday, December 30, 2029 DoD Root CA 4 Thumbprint: B8269F25DBD937ECAFD4C35A9838571723F2D026 Valid to: Sunday, July 25, 2032 DoD Root CA 5 Thumbprint: 4ECB5CC3095670454DA1CBD410FC921F46B8564B Valid to: Friday, June 14, 2041</RawString> </Rule> <Rule id="V-33673" severity="high" conversionstatus="pass" title="Group Policy Objects Access Control" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Verify the permissions on Group Policy objects. Open "Group Policy Management". (Available from various menus or run "gpmc.msc".) Navigate to "Group Policy Objects" in the domain being reviewed (Forest > Domains > Domain). For each Group Policy object: Select the Group Policy object item in the left pane. Select the Delegation tab in the right pane. Select the Advanced button. If any standard user accounts or groups have greater than Allow permissions of Read and Apply group policy, this is a finding. Other access permissions that allow the objects to be updated are considered findings unless specifically documented by the ISSO. The default permissions noted below meet this requirement. The permissions shown are at the summary level. More detailed permissions can be viewed by selecting the next Advanced button, selecting the desired Permission entry, and the Edit button. Authenticated Users - Read, Apply group policy, Special permissions The Special permissions for Authenticated Users are for Read type Properties. If detailed permissions include any Create, Delete, Modify, or Write Permissions or Properties, this is a finding. The Special permissions for the following default groups are not the focus of this requirement and may include a wide range of permissions and properties. CREATOR OWNER - Special permissions SYSTEM - Read, Write, Create all child objects, Delete all child objects, Special permissions Domain Admins - Read, Write, Create all child objects, Delete all child objects, Special permissions Enterprise Admins - Read, Write, Create all child objects, Delete all child objects, Special permissions ENTERPRISE DOMAIN CONTROLLERS - Read, Special permissions The Domain Admins and Enterprise Admins will not have the "Delete all child objects" permission on the two default group policy objects: Default Domain Policy and Default Domain Controllers Policy. They will have this permission on created group policy objects. The Anonymous Logon, Guests, or any group that contains those groups (in which users are not uniquely identified and authenticated) must not have any access permissions unless the group and justification is explicitly documented with the ISSO.</RawString> </Rule> <Rule id="V-36658" severity="medium" conversionstatus="pass" title="WIN00-000005-01" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Review the necessary documentation that identifies the members of the Administrators group. If a list of all users belonging to the Administrators group is not maintained with the ISSO, this is a finding.</RawString> </Rule> <Rule id="V-39333" severity="high" conversionstatus="pass" title="WINAD-000005-DC" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Verifying the permissions on domain defined OUs. Open "Active Directory Users and Computers". (Available from various menus or run "dsa.msc".) Ensure Advanced Features is selected in the View menu. For each OU that is defined (folder in folder icon) excluding the Domain Controllers OU: Right click the OU and select Properties. Select the Security tab. If the permissions on the OU are not at least as restrictive as those below, this is a finding. The permissions shown are at the summary level. More detailed permissions can be viewed by selecting the next Advanced button, selecting the desired Permission entry and the Edit button. Self - Special permissions Authenticated Users - Read, Special permissions The Special permissions for Authenticated Users are Read type. If detailed permissions include any Create, Delete, Modify, or Write Permissions or Properties, this is a finding. SYSTEM - Full Control Domain Admins - Full Control Enterprise Admins - Full Control Administrators - Read, Write, Create all child objects, Generate resultant set of policy (logging), Generate resultant set of policy (planning), Special permissions Pre-Windows 2000 Compatible Access - Special permissions The Special permissions for Pre-Windows 2000 Compatible Access are for Read types. If detailed permissions include any Create, Delete, Modify, or Write Permissions or Properties, this is a finding. ENTERPRISE DOMAIN CONTROLLERS - Read, Special permissions If an ISSO-approved distributed administration model (help desk or other user support staff) is implemented, permissions above Read may be allowed for groups documented by the ISSO.</RawString> </Rule> <Rule id="V-40173" severity="low" conversionstatus="pass" title="WN00-000017" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Determine whether system-related documentation is backed up in accordance with local recovery time and recovery point objectives. If system-related documentation is not backed up in accordance with local recovery time and recovery point objectives, this is a finding.</RawString> </Rule> <Rule id="V-73523.a" severity="medium" conversionstatus="pass" title="WIN00-000180" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\mrxsmb10\ Type: REG_DWORD Value Name: Start Value: 0x00000004 (4)</RawString> </Rule> <Rule id="V-73523.b" severity="medium" conversionstatus="pass" title="WIN00-000180" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\LanmanWorkstation\ Type: REG_MULTI_SZ Value Name: DependOnService Value: Default values after removing MRxSmb10 include the following, which are not a finding:</RawString> </Rule> </DocumentRule> <ManualRule dscresourcemodule="None"> <Rule id="V-1070" severity="medium" conversionstatus="pass" title="Physical security" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Verify servers are located in controlled access areas that are accessible only to authorized personnel. If systems are not adequately protected, this is a finding.</RawString> </Rule> <Rule id="V-1074" severity="high" conversionstatus="pass" title="WIN00-000100" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Verify an anti-virus solution is installed on the system. The anti-virus solution may be bundled with an approved host-based security solution. If there is no anti-virus solution installed on the system, this is a finding.</RawString> </Rule> <Rule id="V-1076" severity="low" conversionstatus="pass" title="System Recovery Backups" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Determine whether system-level information is backed up in accordance with local recovery time and recovery point objectives. If system-level information is not backed up in accordance with local recovery time and recovery point objectives, this is a finding.</RawString> </Rule> <Rule id="V-1119" severity="medium" conversionstatus="pass" title="Booting into Multiple Operating Systems" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Verify the local system boots directly into Windows. Open Control Panel. Select "System". Select the "Advanced System Settings" link. Select the "Advanced" tab. Click the "Startup and Recovery" Settings button. If the drop-down list box "Default operating system:" shows any operating system other than Windows Server 2012, this is a finding.</RawString> </Rule> <Rule id="V-1127" severity="high" conversionstatus="pass" title="Restricted Administrator Group Membership" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Review the Administrators group. Only the appropriate administrator groups or accounts responsible for administration of the system may be members of the group. Standard user accounts must not be members of the local administrator group. If prohibited accounts are members of the local administrators group, this is a finding. The built-in Administrator account or other required administrative accounts would not be a finding.</RawString> </Rule> <Rule id="V-1128" severity="low" conversionstatus="pass" title="Security Configuration Tools" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Verify security configuration tools or equivalent processes are being used to configure Windows systems to meet security requirements. If security configuration tools or equivalent processes are not used, this is a finding. Security configuration tools that are integrated into Windows, such as Group Policies and Security Templates, may be used to configure platforms for security compliance. If an alternate method is used to configure a system (e.g., manually using the DISA Windows Security STIGs, etc.) and the same configured result is achieved, this is acceptable.</RawString> </Rule> <Rule id="V-1135" severity="low" conversionstatus="pass" title="Printer Share Permissions" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Open "Devices and Printers" in Control Panel or through Search. If there are no printers configured, this is NA. For each configured printer: Right click on the printer. Select "Printer Properties". Select the "Sharing" tab. View whether "Share this printer" is checked. For any printers with "Share this printer" selected: Select the Security tab. If any standard user accounts or groups have permissions other than "Print", this is a finding. Standard users will typically be given "Print" permission through the Everyone group. "All APPLICATION PACKAGES" and "CREATOR OWNER" are not considered standard user accounts for this requirement.</RawString> </Rule> <Rule id="V-2907" severity="medium" conversionstatus="pass" title="System File Changes" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Determine whether the site monitors system files (e.g., *.exe, *.bat, *.com, *.cmd, and *.dll) on servers for unauthorized changes against a baseline on a weekly basis. If system files are not monitored for unauthorized changes, this is a finding. A properly configured HBSS Policy Auditor 5.2 or later File Integrity Monitor (FIM) module will meet the requirement for file integrity checking. The Asset module within HBSS does not meet this requirement.</RawString> </Rule> <Rule id="V-3245" severity="medium" conversionstatus="pass" title="File share ACLs" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If only system-created shares such as "ADMIN$", "C$", and "IPC$" exist on the system, this is NA. (System-created shares will display a message that it has been shared for administrative purposes when "Properties" is selected.) Run "Computer Management". Navigate to System Tools >> Shared Folders >> Shares. Right click any non-system-created shares. Select "Properties". Select the "Share Permissions" tab. If the file shares have not been reconfigured to restrict permissions to the specific groups or accounts that require access, this is a finding. Select the "Security" tab. If the NTFS permissions have not been reconfigured to restrict permissions to the specific groups or accounts that require access, this is a finding.</RawString> </Rule> <Rule id="V-3472" severity="low" conversionstatus="pass" title="Windows Time Service - Configure NTP Client" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Open "Windows PowerShell" or an elevated "Command Prompt" (run as administrator). Enter "W32tm /query /configuration". Domain-joined systems are automatically configured with a "Type" of "NT5DS" to synchronize with domain controllers and would not be a finding. If systems are configured with a "Type" of "NTP", including standalone systems and the forest root domain controller with the PDC Emulator role, and do not have a DoD time server defined for "NTPServer", this is a finding. (See V-8557 in the Active Directory Forest STIG for the time source requirement of the forest root domain PDC emulator.) If an alternate time synchronization tool is used and is not enabled or not configured to synchronize with a DoD time source, this is a finding. The US Naval Observatory operates stratum 1 time servers, identified at http://tycho.usno.navy.mil/ntp.html. Time synchronization will occur through a hierarchy of time servers down to the local level. Clients and lower-level servers will synchronize with an authorized time server in the hierarchy.</RawString> </Rule> <Rule id="V-6840" severity="medium" conversionstatus="pass" title="Password Expiration" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Review the password never expires status for enabled user accounts. Open "Windows PowerShell" with elevated privileges (run as administrator). Domain Controllers: Enter "Search-ADAccount -PasswordNeverExpires -UsersOnly | Where PasswordNeverExpires -eq True | FT Name, PasswordNeverExpires, Enabled". Exclude application accounts and disabled accounts (e.g., Guest). Domain accounts requiring smart card (CAC/PIV) may also be excluded. If any enabled user accounts are returned with a "PasswordNeverExpires" status of "True", this is a finding. Member servers and standalone systems: Enter 'Get-CimInstance -Class Win32_Useraccount -Filter "PasswordExpires=False and LocalAccount=True" | FT Name, PasswordExpires, Disabled, LocalAccount'. Exclude application accounts and disabled accounts (e.g., Guest). If any enabled user accounts are returned with a "PasswordExpires" status of "False", this is a finding.</RawString> </Rule> <Rule id="V-7002" severity="high" conversionstatus="pass" title="Password Requirement" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Review the password required status for enabled user accounts. Open "Windows PowerShell". Domain Controllers: Enter "Get-ADUser -Filter * -Properties PasswordNotRequired | Where PasswordNotRequired -eq True | FT Name, PasswordNotRequired, Enabled". Exclude disabled accounts (e.g., Guest). If "PasswordNotRequired" is "True" for any enabled user account, this is a finding. Member servers and standalone systems: Enter 'Get-CimInstance -Class Win32_Useraccount -Filter "PasswordRequired=False and LocalAccount=True" | FT Name, PasswordRequired, Disabled, LocalAccount'. Exclude disabled accounts (e.g., Guest). If any enabled user accounts are returned with a "PasswordRequired" status of "False", this is a finding.</RawString> </Rule> <Rule id="V-8317" severity="medium" conversionstatus="pass" title="Directory Server Data File Locations" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Refer to the AD database location obtained in check V-8316. Note the logical drive (e.g., C:) on which the files are located. Determine if the server is currently providing file sharing services to users with the following command. Enter "net share" at a command prompt. Note the logical drive(s) or file system partition for any site-created data shares. Ignore all system shares (e.g., Windows NETLOGON, SYSVOL, and administrative shares ending in $). User shares that are hidden (ending with $) should not be ignored. If user shares are located on the same logical partition as the directory server data files, this is a finding.</RawString> </Rule> <Rule id="V-8326" severity="medium" conversionstatus="pass" title="Directory Server Host Dedication" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Review the roles and services the domain controller is running. Run "services.msc" to display the Services console. Determine if any running services are application components. Examples of services indicating the presence of applications are: -DHCP Server for DHCP server -IIS Admin Service for IIS web server -Microsoft Exchange System Attendant for Exchange -MSSQLServer for SQL Server. If any application-related components have the "Started" status, this is a finding. Installed roles can be displayed by viewing Server Roles in the Add (or Remove) Roles and Features wizard. (Cancel before any changes are made.) Determine if any additional server roles are installed. A basic domain controller set up will include the following: -Active Directory Domain Services -DNS Server -File and Storage Services If any roles not requiring installation on a domain controller are installed, this is a finding. Supplemental Notes: A Domain Name System (DNS) server integrated with the directory server (e.g., AD-integrated DNS) is an acceptable application. However, the DNS server must comply with the DNS STIG security requirements. Some directory servers utilize specialized web servers for administrative functions and databases for data management. These web and database servers are permitted as long as they are dedicated to directory server support and only administrative users have access to them.</RawString> </Rule> <Rule id="V-14225" severity="medium" conversionstatus="pass" title="Administrator Account Password Changes" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Review the password last set date for the built-in Administrator account. Domain controllers: Open "Windows PowerShell". Enter "Get-ADUser -Filter * -Properties SID, PasswordLastSet | Where SID -Like "*-500" | FL Name, SID, PasswordLastSet". If the "PasswordLastSet" date is greater than one year old, this is a finding. Member servers and standalone systems: Open "Windows PowerShell" or "Command Prompt". Enter 'Net User [account name] | Find /i "Password Last Set"', where [account name] is the name of the built-in administrator account. (The name of the built-in Administrator account must be changed to something other than "Administrator" per STIG requirements.) If the "PasswordLastSet" date is greater than one year old, this is a finding.</RawString> </Rule> <Rule id="V-14797" severity="low" conversionstatus="pass" title="Anonymous Access to Non-Public Root DSE Data" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>At this time, this is a finding for all Windows domain controllers for sensitive or classified levels as Windows Active Directory Domain Services (AD DS) does not provide a method to restrict anonymous access to the root DSE on domain controllers. The following can be used to verify anonymous access is allowed. Open a command prompt (not elevated). Run "ldp.exe". From the Connection menu, select Bind. Clear the User, Password, and Domain fields. Select Simple bind for the Bind type, Click OK. RootDSE attributes should display, such as various namingContexts. Confirmation of anonymous access will be displayed at the end: res = ldap_simple_bind_s Authenticated as: 'NT AUTHORITY\ANONYMOUS LOGON'</RawString> </Rule> <Rule id="V-14798" severity="high" conversionstatus="pass" title="Anonymous Access to Non-Public Data " dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Verify anonymous access is not allowed to the AD domain naming context. Open a command prompt (not elevated). Run "ldp.exe". From the Connection menu, select Bind. Clear the User, Password, and Domain fields. Select Simple bind for the Bind type, Click OK. Confirmation of anonymous access will be displayed at the end: res = ldap_simple_bind_s Authenticated as: 'NT AUTHORITY\ANONYMOUS LOGON' From the Browse menu, select Search. In the Search dialog, enter the DN of the domain naming context (generally something like "dc=disaost,dc=mil") in the Base DN field. Clear the Attributes field and select Run. Error messages should display related to bind and user not authenticated. If attribute data is displayed, anonymous access is enabled to the domain naming context and this is a finding.</RawString> </Rule> <Rule id="V-14820" severity="high" conversionstatus="pass" title="Directory PKI Certificate Source - Server" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Verify the source of the domain controller's server certificate. Run "mmc". Select "Add/Remove Snap-in" from the File menu. Select "Certificates" in the left pane and click the "Add >" button. Select "Computer Account", click "Next". Select the appropriate option for "Select the computer you want this snap-in to manage.", click "Finish". Click "OK". Select and expand the Certificates (Local Computer) entry in the left pane. Select and expand the Personal entry in the left pane. Select the Certificates entry in the left pane. In the right pane, examine the Issued By field for the certificate to determine the issuing CA. If the Issued By field of the PKI certificate being used by the domain controller does not indicate the issuing Certificate Authority (CA) is part of the DoD PKI or an approved ECA, this is a finding. There are multiple sources from which lists of valid DoD CAs and approved ECAs can be obtained: The Global Directory Service (GDS) website provides an online source. The address for this site is https://crl.gds.disa.mil. DoD Public Key Enablement (PKE) Engineering Support maintains the InstallRoot utility to manage DoD supported root certificates on Windows computers which includes a list of authorized CAs. The utility package can be downloaded from the PKI and PKE Tools page on IASE. http://iase.disa.mil/pki-pke/function_pages/tools.html</RawString> </Rule> <Rule id="V-14831" severity="low" conversionstatus="pass" title="Inactive Server Connections" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Verify the value for MaxConnIdleTime. Open an elevated command prompt. Enter "ntdsutil". At the "ntdsutil:" prompt, enter "LDAP policies". At the "ldap policy:" prompt, enter "connections". At the "server connections:" prompt, enter "connect to server [host-name]". (Where [host-name] is the computer name of the domain controller.) At the "server connections:" prompt, enter "q". At the "ldap policy:" prompt, enter "show values". If the value for MaxConnIdleTime is greater than 300 (the value for five minutes) or it is not specified, this is a finding. Enter "q" at the "ldap policy:" and "ntdsutil:" prompts to exit. Alternately, Dsquery can be used to display MaxConnIdleTime: Open an elevated command prompt. Enter the following command (on a single line). dsquery * "cn=Default Query Policy,cn=Query-Policies,cn=Directory Service, cn=Windows NT,cn=Services,cn=Configuration,dc=[forest-name]" -attr LDAPAdminLimits The quotes are required and dc=[forest-name] is the fully qualified LDAP name of the domain being reviewed (e.g., dc=disaost,dc=mil).</RawString> </Rule> <Rule id="V-15488" severity="medium" conversionstatus="pass" title="PKI Authentication Req" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Verify active directory user accounts, including administrators, have "Smart card is required for interactive logon" selected. Run "PowerShell". Enter the following: "Get-ADUser -Filter {(Enabled -eq $True) -and (SmartcardLogonRequired -eq $False)} | FT Name" ("DistinguishedName" may be substituted for "Name" for more detailed output.) If any user accounts are listed, this is a finding. Alternately: To view sample accounts in "Active Directory Users and Computers" (Available from various menus or run "dsa.msc"): Select the Organizational Unit (OU) where the User accounts are located. (By default this is the Users node; however, accounts may be under other organization-defined OUs.) Right click the sample User account and select "Properties". Select the "Account" tab. If any User accounts do not have "Smart card is required for interactive logon" checked in the "Account Options" area, this is a finding.</RawString> </Rule> <Rule id="V-32274" severity="medium" conversionstatus="pass" title="WINPK-000003" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Verify the DoD Interoperability cross-certificates are installed on unclassified systems as Untrusted Certificates. Run "PowerShell" as an administrator. Execute the following command: Get-ChildItem -Path Cert:Localmachine\disallowed | Where {$_.Issuer -Like "*DoD Interoperability*" -and $_.Subject -Like "*DoD*"} | FL Subject, Issuer, Thumbprint, NotAfter If the following certificate "Subject", "Issuer", and "Thumbprint" information is not displayed, this is finding. If an expired certificate ("NotAfter" date) is not listed in the results, this is not a finding. Subject: CN=DoD Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US Issuer: CN=DoD Interoperability Root CA 1, OU=PKI, OU=DoD, O=U.S. Government, C=US Thumbprint: 22BBE981F0694D246CC1472ED2B021DC8540A22F NotAfter: 9/6/2019 Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US Issuer: CN=DoD Interoperability Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US Thumbprint: FFAD03329B9E527A43EEC66A56F9CBB5393E6E13 NotAfter: 9/23/2018 Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US Issuer: CN=DoD Interoperability Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US Thumbprint: FCE1B1E25374DD94F5935BEB86CA643D8C8D1FF4 NotAfter: 2/17/2019 Alternately use the Certificates MMC snap-in: Run "MMC". Select "File", "Add/Remove Snap-in". Select "Certificates", click "Add". Select "Computer account", click "Next". Select "Local computer: (the computer this console is running on)", click "Finish". Click "OK". Expand "Certificates" and navigate to "Untrusted Certificates >> Certificates". For each certificate with "DoD Root CA…" under "Issued To" and "DoD Interoperability Root CA…" under "Issued By": Right-click on the certificate and select "Open". Select the "Details" Tab. Scroll to the bottom and select "Thumbprint". If the certificates below are not listed or the value for the "Thumbprint" field is not as noted, this is a finding. If an expired certificate ("Valid to" date) is not listed in the results, this is not a finding. Issued To: DoD Root CA 2 Issued By: DoD Interoperability Root CA 1 Thumbprint: 22BBE981F0694D246CC1472ED2B021DC8540A22F Valid to: Friday, September 6, 2019 Issued To: DoD Root CA 3 Issued By: DoD Interoperability Root CA 2 Thumbprint: FFAD03329B9E527A43EEC66A56F9CBB5393E6E13 Valid to: Sunday, September 23, 2018 Issued To: DoD Root CA 3 Issued By: DoD Interoperability Root CA 2 Thumbprint: FCE1B1E25374DD94F5935BEB86CA643D8C8D1FF4 Valid to: Sunday, February 17, 2019</RawString> </Rule> <Rule id="V-36451" severity="high" conversionstatus="pass" title="Accounts with administrative privileges Internet access" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Determine whether administrative accounts are prevented from using applications that access the Internet, such as web browsers, or with potential Internet sources, such as email, except as necessary for local service administration. The organization must have a policy that prohibits administrative accounts from using applications that access the Internet, such as web browsers, or with potential Internet sources, such as email, except as necessary for local service administration. The policy should define specific exceptions for local service administration. These exceptions may include HTTP(S)-based tools that are used for the administration of the local system, services, or attached devices. Technical measures such as the removal of applications or application whitelisting must be used where feasible to prevent the use of applications that access the Internet. If accounts with administrative privileges are not prevented from using applications that access the Internet or with potential Internet sources, this is a finding.</RawString> </Rule> <Rule id="V-36659" severity="high" conversionstatus="pass" title="WIN00-000005-02" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Verify each user with administrative privileges has been assigned a unique administrative account separate from their standard user account. If users with administrative privileges do not have separate accounts for administrative functions and standard user functions, this is a finding.</RawString> </Rule> <Rule id="V-36661" severity="medium" conversionstatus="pass" title="WIN00-000010-01" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Verify the site has a policy to ensure passwords for manually managed application/service accounts are at least 15 characters in length. If such a policy does not exist or has not been implemented, this is a finding.</RawString> </Rule> <Rule id="V-36662" severity="medium" conversionstatus="pass" title="WIN00-000010-02" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Determine if manually managed application/service accounts exist. If none exist, this is NA. If passwords for manually managed application/service accounts are not changed at least annually or when an administrator with knowledge of the password leaves the organization, this is a finding. Identify manually managed application/service accounts. To determine the date a password was last changed: Domain controllers: Open "Windows PowerShell". Enter "Get-ADUser -Identity [application account name] -Properties PasswordLastSet | FL Name, PasswordLastSet", where [application account name] is the name of the manually managed application/service account. If the "PasswordLastSet" date is more than one year old, this is a finding. Member servers and standalone systems: Open "Windows PowerShell" or "Command Prompt". Enter 'Net User [application account name] | Find /i "Password Last Set"', where [application account name] is the name of the manually managed application/service account. If the "Password Last Set" date is more than one year old, this is a finding.</RawString> </Rule> <Rule id="V-36666" severity="medium" conversionstatus="pass" title="WIN00-000014" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Determine whether the site has a policy that requires SAs be trained for all operating systems running on systems under their control. If the site does not have a policy requiring SAs be trained for all operating systems under their control, this is a finding.</RawString> </Rule> <Rule id="V-36670" severity="medium" conversionstatus="pass" title="WINAU-000100" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Determine whether audit logs are reviewed on a predetermined schedule. If audit logs are not reviewed on a regular basis, this is a finding.</RawString> </Rule> <Rule id="V-36671" severity="medium" conversionstatus="pass" title="WINAU-000101" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Determine whether audit data is retained for at least one year. If the audit data is not retained for at least a year, this is a finding.</RawString> </Rule> <Rule id="V-36672" severity="medium" conversionstatus="pass" title="WINAU-000102" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Determine if a process to back up log data to a different system or media than the system being audited has been implemented. If it has not, this is a finding.</RawString> </Rule> <Rule id="V-36733" severity="low" conversionstatus="pass" title="WINGE-000027" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Determine whether user-level information is backed up in accordance with local recovery time and recovery point objectives. If user-level information is not backed up in accordance with local recovery time and recovery point objectives, this is a finding.</RawString> </Rule> <Rule id="V-36734" severity="medium" conversionstatus="pass" title="WINGE-000028" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Verify the operating system employs automated mechanisms to determine the state of system components with regard to flaw remediation using the following frequency: continuously, where HBSS is used; 30 days, for any additional internal network scans not covered by HBSS; and annually, for external scans by Computer Network Defense Service Provider (CNDSP). If it does not, this is a finding.</RawString> </Rule> <Rule id="V-36735" severity="medium" conversionstatus="pass" title="WINGE-000029" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Verify the organization has an automated process to install security-related software updates. If it does not, this is a finding.</RawString> </Rule> <Rule id="V-36736" severity="medium" conversionstatus="pass" title="WINGE-000030" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Verify the system has software installed and running that provides certificate validation and revocation checking. If it does not, this is a finding.</RawString> </Rule> <Rule id="V-39332" severity="high" conversionstatus="pass" title="WINAD-000004-DC" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Verify the permissions on the Domain Controllers OU. Open "Active Directory Users and Computers". (Available from various menus or run "dsa.msc".) Select Advanced Features in the View menu if not previously selected. Navigate to the Domain Controllers OU (folder in folder icon). Right click the OU and select Properties. Select the Security tab. If the permissions on the Domain Controllers OU do not restrict changes to System, Domain Admins, Enterprise Admins and Administrators, this is a finding. The default permissions listed below satisfy this requirement. Domains supporting Microsoft Exchange will have additional Exchange related permissions on the Domain Controllers OU. These may include some change related permissions and are not a finding. The permissions shown are at the summary level. More detailed permissions can be viewed by selecting the Advanced button, selecting the desired Permission entry, and the Edit button. SELF - Special permissions Authenticated Users - Read, Special permissions The Special permissions for Authenticated Users are Read types. If detailed permissions include any Create, Delete, Modify, or Write Permissions or Properties, this is a finding. SYSTEM - Full Control Domain Admins - Read, Write, Create all child objects, Generate resultant set of policy (logging), Generate resultant set of policy (planning), Special permissions Enterprise Admins - Full Control Administrators - Read, Write, Create all child objects, Generate resultant set of policy (logging), Generate resultant set of policy (planning), Special permissions Pre-Windows 2000 Compatible Access - Special permissions The Special permissions for Pre-Windows 2000 Compatible Access are Read types. If detailed permissions include any Create, Delete, Modify, or Write Permissions or Properties, this is a finding. ENTERPRISE DOMAIN CONTROLLERS - Read, Special permissions</RawString> </Rule> <Rule id="V-39334" severity="medium" conversionstatus="pass" title="WINPK-000005-DC" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Verify the domain controller has a PKI server certificate. Run "mmc". Select "Add/Remove Snap-in" from the File menu. Select "Certificates" in the left pane and click the "Add >" button. Select "Computer Account", click "Next". Select the appropriate option for "Select the computer you want this snap-in to manage.", click "Finish". Click "OK". Select and expand the Certificates (Local Computer) entry in the left pane. Select and expand the Personal entry in the left pane. Select the Certificates entry in the left pane. If no certificate for the domain controller exists in the right pane, this is a finding.</RawString> </Rule> <Rule id="V-40172" severity="low" conversionstatus="pass" title="WN00-000016" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Determine if system-level information backups are protected from destruction and stored in a physically secure location. If they are not, this is a finding.</RawString> </Rule> <Rule id="V-40198" severity="medium" conversionstatus="pass" title="WN00-000009-02" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If no accounts are members of the Backup Operators group, this is NA. Verify users with accounts in the Backup Operators group have a separate user account for backup functions and for performing normal user tasks. If users with accounts in the Backup Operators group do not have separate accounts for backup functions and standard user functions, this is a finding.</RawString> </Rule> <Rule id="V-40237" severity="medium" conversionstatus="pass" title="WINPK-000004" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Verify the US DoD CCEB Interoperability Root CA cross-certificate is installed on unclassified systems as an Untrusted Certificate. Run "PowerShell" as an administrator. Execute the following command: Get-ChildItem -Path Cert:Localmachine\disallowed | Where Issuer -Like "*CCEB Interoperability*" | FL Subject, Issuer, Thumbprint, NotAfter If the following certificate "Subject", "Issuer", and "Thumbprint" information is not displayed, this is finding. If an expired certificate ("NotAfter" date) is not listed in the results, this is not a finding. Subject: CN=DoD Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US Issuer: CN=US DoD CCEB Interoperability Root CA 1, OU=PKI, OU=DoD, O=U.S. Government, C=US Thumbprint: DA36FAF56B2F6FBA1604F5BE46D864C9FA013BA3 NotAfter: 3/9/2019 Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US Issuer: CN=US DoD CCEB Interoperability Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US Thumbprint: 929BF3196896994C0A201DF4A5B71F603FEFBF2E NotAfter: 9/27/2019 Alternately use the Certificates MMC snap-in: Run "MMC". Select "File", "Add/Remove Snap-in". Select "Certificates", click "Add". Select "Computer account", click "Next". Select "Local computer: (the computer this console is running on)", click "Finish". Click "OK". Expand "Certificates" and navigate to "Untrusted Certificates >> Certificates". For each certificate with "US DoD CCEB Interoperability Root CA …" under "Issued By": Right-click on the certificate and select "Open". Select the "Details" Tab. Scroll to the bottom and select "Thumbprint". If the certificate below is not listed or the value for the "Thumbprint" field is not as noted, this is a finding. If an expired certificate ("Valid to" date) is not listed in the results, this is not a finding. Issued To: DoD Root CA 2 Issued By: US DoD CCEB Interoperability Root CA 1 Thumbprint: DA36FAF56B2F6FBA1604F5BE46D864C9FA013BA3 Valid to: Saturday, March 9, 2019 Issued To: DoD Root CA 3 Issuer by: US DoD CCEB Interoperability Root CA 2 Thumbprint: 929BF3196896994C0A201DF4A5B71F603FEFBF2E Valid: Friday, September 27, 2019</RawString> </Rule> <Rule id="V-42420" severity="medium" conversionstatus="pass" title="WINFW-000001" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Determine if a host-based firewall is installed and enabled on the system. If a host-based firewall is not installed and enabled on the system, this is a finding. The configuration requirements will be determined by the applicable firewall STIG.</RawString> </Rule> <Rule id="V-57637" severity="medium" conversionstatus="pass" title="WIN00-000018" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>This is applicable to unclassified systems; for other systems this is NA. Verify the operating system employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs. If an application whitelisting program is not in use on the system, this is a finding. Configuration of whitelisting applications will vary by the program. AppLocker is a whitelisting application built into Windows Server 2012. A deny-by-default implementation is initiated by enabling any AppLocker rules within a category, only allowing what is specified by defined rules. If AppLocker is used, perform the following to view the configuration of AppLocker: Open PowerShell. If the AppLocker PowerShell module has not been previously imported, execute the following first: Import-Module AppLocker Execute the following command, substituting [c:\temp\file.xml] with a location and file name appropriate for the system: Get-AppLockerPolicy -Effective -XML > c:\temp\file.xml This will produce an xml file with the effective settings that can be viewed in a browser or opened in a program such as Excel for review. Implementation guidance for AppLocker is available in the NSA paper "Application Whitelisting using Microsoft AppLocker" at the following link: https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm</RawString> </Rule> <Rule id="V-57641" severity="medium" conversionstatus="pass" title="WIN00-000019" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process, verify protection methods such as TLS, encrypted VPNs, or IPSEC have been implemented. If protection methods have not been implemented, this is a finding.</RawString> </Rule> <Rule id="V-57645" severity="medium" conversionstatus="pass" title="WIN00-000020" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Verify systems that require additional protections due to factors such as inadequate physical protection or sensitivity of the data employ encryption to protect the confidentiality and integrity of all information at rest. If it does not, this is a finding.</RawString> </Rule> <Rule id="V-57653" severity="medium" conversionstatus="pass" title="WINGE-000056" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Determine if temporary user accounts are used and identify any that exist. If none exist, this is NA. Review temporary user accounts for expiration dates. Open "PowerShell". Domain Controllers: Enter "Search-ADAccount -AccountExpiring -TimeSpan 3:00:00:00 | FT Name, AccountExpirationDate" This will return any accounts configured to expire within the next 3 days. (The "TimeSpan" value to can be changed to find accounts configured to expire at various times such as 30 for the next month.) If any accounts identified as temporary are not listed, this is a finding. For any temporary accounts returned by the previous query: Enter "Get-ADUser -Identity [Name] -Property WhenCreated" to determine when the account was created. If the "WhenCreated" date and "AccountExpirationDate" from the previous query are greater than 3 days apart, this is a finding. Member servers and standalone systems: Enter "Net User [username]", where [username] is the name of the temporary user account. If "Account expires" has not been defined within 72 hours for any temporary user account, this is a finding. If the "Password last set" date and "Account expires" date are greater than 72 hours apart, this is a finding. (Net User does not provide an account creation date.)</RawString> </Rule> <Rule id="V-57655" severity="medium" conversionstatus="pass" title="WINGE-000057" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Determine if emergency administrator accounts are used and identify any that exist. If none exist, this is NA. If emergency administrator accounts cannot be configured with an expiration date due to an ongoing crisis, the accounts must be disabled or removed when the crisis is resolved. If emergency administrator accounts have not been configured with an expiration date or have not been disabled or removed following the resolution of a crisis, this is a finding. Domain Controllers: Enter "Search-ADAccount -AccountExpiring -TimeSpan 3:00:00:00 | FT Name, AccountExpirationDate" This will return any accounts configured to expire within the next 3 days. (The "TimeSpan" value to can be changed to find accounts configured to expire at various times such as 30 for the next month.) If any accounts identified as emergency administrator accounts are not listed, this is a finding. For any emergency administrator accounts returned by the previous query: Enter "Get-ADUser -Identity [Name] -Property WhenCreated" to determine when the account was created. If the "WhenCreated" date and "AccountExpirationDate" from the previous query are greater than 3 days apart, this is a finding. Member servers and standalone systems: Enter "Net User [username]", where [username] is the name of the emergency administrator accounts. If "Account expires" has not been defined within 72 hours for any emergency administrator accounts, this is a finding. If the "Password last set" date and "Account expires" date are greater than 72 hours apart, this is a finding. (Net User does not provide an account creation date.)</RawString> </Rule> <Rule id="V-57719" severity="medium" conversionstatus="pass" title="WINAU-000203" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Verify the operating system, at a minimum, off-loads audit records of interconnected systems in real time and off-loads standalone systems weekly. If it does not, this is a finding.</RawString> </Rule> <Rule id="V-75915" severity="medium" conversionstatus="pass" title="WIN00-000190" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Review the effective User Rights setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. Review each User Right listed for any unresolved SIDs to determine whether they are valid, such as due to being temporarily disconnected from the domain. (Unresolved SIDs have the format of "*S-1-…".) If any unresolved SIDs exist and are not for currently valid accounts or groups, this is a finding.</RawString> </Rule> <Rule id="V-80473" severity="medium" conversionstatus="pass" title="WIN00-000200" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Open "Windows PowerShell". Enter "$PSVersionTable". If the value for "PSVersion" is not 4.0 or 5.x, this is a finding. Windows 2012 R2 includes PowerShell 4.0 by default. Windows 2012 must be updated. If PowerShell 4.0 is used, the required patch for script block logging will be verified with the requirement to have that enabled.</RawString> </Rule> </ManualRule> <PermissionRule dscresourcemodule="AccessControlDsc"> <Rule id="V-1152" severity="high" conversionstatus="pass" title="Anonymous Access to the Registry" dscresource="RegistryAccessEntry"> <AccessControlEntry> <Entry> <Type> </Type> <Principal>Administrators</Principal> <ForcePrincipal>False</ForcePrincipal> <Inheritance>This Key and Subkeys</Inheritance> <Rights>FullControl</Rights> </Entry> <Entry> <Type> </Type> <Principal>Backup Operators</Principal> <ForcePrincipal>False</ForcePrincipal> <Inheritance>This Key Only</Inheritance> <Rights>ReadKey</Rights> </Entry> <Entry> <Type> </Type> <Principal>LOCAL SERVICE</Principal> <ForcePrincipal>False</ForcePrincipal> <Inheritance>This Key and Subkeys</Inheritance> <Rights>ReadKey</Rights> </Entry> </AccessControlEntry> <Force>True</Force> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <Path>HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\</Path> <RawString>Run "Regedit". Navigate to the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\ If the key does not exist, this is a finding. Right-click on "winreg" and select "Permissions…". Select "Advanced". If the permissions are not as restrictive as the defaults listed below, this is a finding. The following are the same for each permission listed: Type - Allow Inherited from - None Columns: Principal - Access - Applies to Administrators - Full Control - This key and subkeys Backup Operators - Read - This key only LOCAL SERVICE - Read - This key and subkeys</RawString> </Rule> <Rule id="V-8316" severity="high" conversionstatus="pass" title="Data File Access Permissions" dscresource="NTFSAccessEntry"> <AccessControlEntry> <Entry> <Type> </Type> <Principal>NT AUTHORITY\SYSTEM</Principal> <ForcePrincipal>False</ForcePrincipal> <Inheritance> </Inheritance> <Rights>FullControl</Rights> </Entry> <Entry> <Type> </Type> <Principal>BUILTIN\Administrators</Principal> <ForcePrincipal>False</ForcePrincipal> <Inheritance> </Inheritance> <Rights>FullControl</Rights> </Entry> </AccessControlEntry> <Force>True</Force> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <Path>%windir%\NTDS\*.*</Path> <RawString>Verify the permissions on the content of the NTDS directory. Open the registry editor (regedit). Navigate to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters. Note the directory locations in the values for: Database log files path DSA Database file By default they will be \Windows\NTDS. If the locations are different, the following will need to be run for each. Open an elevated command prompt (Win+x, Command Prompt (Admin)). Navigate to the NTDS directory (\Windows\NTDS by default). Run "icacls *.*". If the permissions on each file are not at least as restrictive as the following, this is a finding. NT AUTHORITY\SYSTEM:(I)(F) BUILTIN\Administrators:(I)(F) (I) - permission inherited from parent container (F) - full access Do not use File Explorer to attempt to view permissions of the NTDS folder. Accessing the folder through File Explorer will change the permissions on the folder.</RawString> </Rule> <Rule id="V-26070" severity="high" conversionstatus="pass" title="Winlogon Registry Permissions" dscresource="RegistryAccessEntry"> <AccessControlEntry> <Entry> <Type> </Type> <Principal>TrustedInstaller</Principal> <ForcePrincipal>False</ForcePrincipal> <Inheritance>This Key and Subkeys</Inheritance> <Rights>FullControl</Rights> </Entry> <Entry> <Type> </Type> <Principal>SYSTEM</Principal> <ForcePrincipal>False</ForcePrincipal> <Inheritance>This Key and Subkeys</Inheritance> <Rights>FullControl</Rights> </Entry> <Entry> <Type> </Type> <Principal>Administrators</Principal> <ForcePrincipal>False</ForcePrincipal> <Inheritance>This Key and Subkeys</Inheritance> <Rights>FullControl</Rights> </Entry> <Entry> <Type> </Type> <Principal>Users</Principal> <ForcePrincipal>False</ForcePrincipal> <Inheritance>This Key and Subkeys</Inheritance> <Rights>ReadKey</Rights> </Entry> <Entry> <Type> </Type> <Principal>ALL APPLICATION PACKAGES</Principal> <ForcePrincipal>False</ForcePrincipal> <Inheritance>This Key and Subkeys</Inheritance> <Rights>ReadKey</Rights> </Entry> </AccessControlEntry> <Force>True</Force> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <Path>HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\</Path> <RawString>Run "Regedit". Navigate to the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ Right-click on "WinLogon" and select "Permissions…". Select "Advanced". If the permissions are not as restrictive as the defaults listed below, this is a finding. The following are the same for each permission listed: Type - Allow Inherited from - MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion Applies to - This key and subkeys Columns: Principal - Access TrustedInstaller - Full Control SYSTEM - Full Control Administrators - Full Control Users - Read ALL APPLICATION PACKAGES - Read</RawString> </Rule> <Rule id="V-32282" severity="high" conversionstatus="pass" title="WINRG-000001 Active Setup\Installed Components Registry Permissions" dscresource="RegistryAccessEntry"> <AccessControlEntry> <Entry> <Type> </Type> <Principal>Users</Principal> <ForcePrincipal>False</ForcePrincipal> <Inheritance> </Inheritance> <Rights>ReadKey</Rights> </Entry> <Entry> <Type> </Type> <Principal>Administrators</Principal> <ForcePrincipal>False</ForcePrincipal> <Inheritance> </Inheritance> <Rights>FullControl</Rights> </Entry> <Entry> <Type> </Type> <Principal>SYSTEM</Principal> <ForcePrincipal>False</ForcePrincipal> <Inheritance> </Inheritance> <Rights>FullControl</Rights> </Entry> <Entry> <Type> </Type> <Principal>CREATOR OWNER</Principal> <ForcePrincipal>False</ForcePrincipal> <Inheritance>Subkeys Only</Inheritance> <Rights>FullControl</Rights> </Entry> <Entry> <Type> </Type> <Principal>ALL APPLICATION PACKAGES</Principal> <ForcePrincipal>False</ForcePrincipal> <Inheritance> </Inheritance> <Rights>ReadKey</Rights> </Entry> </AccessControlEntry> <Force>True</Force> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <Path>HKLM:\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\</Path> <RawString>Run "Regedit". Navigate to the following registry keys and review the permissions: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\ HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\ (64-bit systems) If the default permissions listed below have been changed, this is a finding. Users - Read Administrators - Full Control SYSTEM - Full Control CREATOR OWNER - Full Control (Subkeys only) ALL APPLICATION PACKAGES - Read</RawString> </Rule> <Rule id="V-36722" severity="medium" conversionstatus="pass" title="WINAU-000204" dscresource="NTFSAccessEntry"> <AccessControlEntry> <Entry> <Type> </Type> <Principal>Eventlog</Principal> <ForcePrincipal>False</ForcePrincipal> <Inheritance> </Inheritance> <Rights>FullControl</Rights> </Entry> <Entry> <Type> </Type> <Principal>SYSTEM</Principal> <ForcePrincipal>False</ForcePrincipal> <Inheritance> </Inheritance> <Rights>FullControl</Rights> </Entry> <Entry> <Type> </Type> <Principal>Administrators</Principal> <ForcePrincipal>False</ForcePrincipal> <Inheritance> </Inheritance> <Rights>FullControl</Rights> </Entry> </AccessControlEntry> <Force>True</Force> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <Path>%windir%\SYSTEM32\WINEVT\LOGS\Application.evtx</Path> <RawString>Verify the permissions on the Application event log (Application.evtx). Standard user accounts or groups must not have greater than Read access. The default permissions listed below satisfy this requirement: Eventlog - Full Control SYSTEM - Full Control Administrators - Full Control The default location is the "%SystemRoot%\SYSTEM32\WINEVT\LOGS" directory. They may have been moved to another folder. If the permissions for these files are not as restrictive as the ACLs listed, this is a finding.</RawString> </Rule> <Rule id="V-36723" severity="medium" conversionstatus="pass" title="WINAU-000205" dscresource="NTFSAccessEntry"> <AccessControlEntry> <Entry> <Type> </Type> <Principal>Eventlog</Principal> <ForcePrincipal>False</ForcePrincipal> <Inheritance> </Inheritance> <Rights>FullControl</Rights> </Entry> <Entry> <Type> </Type> <Principal>SYSTEM</Principal> <ForcePrincipal>False</ForcePrincipal> <Inheritance> </Inheritance> <Rights>FullControl</Rights> </Entry> <Entry> <Type> </Type> <Principal>Administrators</Principal> <ForcePrincipal>False</ForcePrincipal> <Inheritance> </Inheritance> <Rights>FullControl</Rights> </Entry> </AccessControlEntry> <Force>True</Force> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <Path>%windir%\SYSTEM32\WINEVT\LOGS\Security.evtx</Path> <RawString>Verify the permissions on the Security event log (Security.evtx). Standard user accounts or groups must not have access. The default permissions listed below satisfy this requirement: Eventlog - Full Control SYSTEM - Full Control Administrators - Full Control The default location is the "%SystemRoot%\SYSTEM32\WINEVT\LOGS" directory. They may have been moved to another folder. If the permissions for these files are not as restrictive as the ACLs listed, this is a finding.</RawString> </Rule> <Rule id="V-36724" severity="medium" conversionstatus="pass" title="WINAU-000206" dscresource="NTFSAccessEntry"> <AccessControlEntry> <Entry> <Type> </Type> <Principal>Eventlog</Principal> <ForcePrincipal>False</ForcePrincipal> <Inheritance> </Inheritance> <Rights>FullControl</Rights> </Entry> <Entry> <Type> </Type> <Principal>SYSTEM</Principal> <ForcePrincipal>False</ForcePrincipal> <Inheritance> </Inheritance> <Rights>FullControl</Rights> </Entry> <Entry> <Type> </Type> <Principal>Administrators</Principal> <ForcePrincipal>False</ForcePrincipal> <Inheritance> </Inheritance> <Rights>FullControl</Rights> </Entry> </AccessControlEntry> <Force>True</Force> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <Path>%windir%\SYSTEM32\WINEVT\LOGS\System.evtx</Path> <RawString>Verify the permissions on the System event log (System.evtx). Standard user accounts or groups must not have greater than Read access. The default permissions listed below satisfy this requirement: Eventlog - Full Control SYSTEM - Full Control Administrators - Full Control The default location is the "%SystemRoot%\SYSTEM32\WINEVT\LOGS" directory. They may have been moved to another folder. If the permissions for these files are not as restrictive as the ACLs listed, this is a finding.</RawString> </Rule> <Rule id="V-39325" severity="medium" conversionstatus="fail" title="WINAU-000207-DC" dscresource=""> <AccessControlEntry> <Entry> <Type>Fail</Type> <Principal>Everyone</Principal> <ForcePrincipal>False</ForcePrincipal> <Inheritance> </Inheritance> <Rights> </Rights> </Entry> <Entry> <Type>Success</Type> <Principal>Everyone</Principal> <ForcePrincipal>False</ForcePrincipal> <Inheritance> </Inheritance> <Rights> </Rights> </Entry> <Entry> <Type>Success</Type> <Principal>Everyone</Principal> <ForcePrincipal>False</ForcePrincipal> <Inheritance> </Inheritance> <Rights> </Rights> </Entry> </AccessControlEntry> <Force>True</Force> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <Path /> <RawString>Review the auditing configuration for all Group Policy objects. Open "Group Policy Management". (Available from various menus, or run "gpmc.msc".) Navigate to "Group Policy Objects" in the domain being reviewed (Forest >> Domains >> Domain). For each Group Policy object: Select the Group Policy Object item in the left pane. Select the "Delegation" tab in the right pane. Select the "Advanced" button. Select the "Advanced" button again and then the "Auditing" tab. If the audit settings for any Group Policy object are not at least as inclusive as those below, this is a finding. Type - Fail Principal - Everyone Access - Full Control Applies to - This object and all descendant objects or Descendant groupPolicyContainer objects The three Success types listed below are defaults inherited from the Parent Object. Where Special is listed in the summary screens for Access, detailed Permissions are provided for reference. Type - Success Principal - Everyone Access - Special (Permissions: Write all properties, Modify permissions; Properties: all "Write" type selected) Inherited from - Parent Object Applies to - Descendant groupPolicyContainer objects Two instances with the following summary information will be listed. Type - Success Principal - Everyone Access - blank (Permissions: none selected; Properties: one instance - Write gPLink, one instance - Write gPOptions) Inherited from - Parent Object Applies to - Descendant Organization Unit Objects</RawString> </Rule> <Rule id="V-39326" severity="medium" conversionstatus="pass" title="WINAU-000208-DC" dscresource="ActiveDirectoryAuditRuleEntry"> <AccessControlEntry> <Entry> <Type>Fail</Type> <Principal>Everyone</Principal> <ForcePrincipal>False</ForcePrincipal> <Inheritance> </Inheritance> <Rights>FullControl</Rights> </Entry> <Entry> <Type>Success</Type> <Principal>Everyone</Principal> <ForcePrincipal>False</ForcePrincipal> <Inheritance> </Inheritance> <Rights>blank</Rights> </Entry> <Entry> <Type>Success</Type> <Principal>Domain Users</Principal> <ForcePrincipal>False</ForcePrincipal> <Inheritance> </Inheritance> <Rights>AllExtendedRights</Rights> </Entry> <Entry> <Type>Success</Type> <Principal>Administrators</Principal> <ForcePrincipal>False</ForcePrincipal> <Inheritance> </Inheritance> <Rights>AllExtendedRights</Rights> </Entry> <Entry> <Type>Success</Type> <Principal>Everyone</Principal> <ForcePrincipal>False</ForcePrincipal> <Inheritance> </Inheritance> <Rights>WriteallProperties,ModifyPermissions,ModifyOwner</Rights> </Entry> </AccessControlEntry> <Force>True</Force> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <Path>{Domain}</Path> <RawString>Verify the auditing configuration for the Domain object. Open "Active Directory Users and Computers". (Available from various menus or run "dsa.msc".) Ensure Advanced Features is selected in the View menu. Select the domain being reviewed in the left pane. Right click the domain name and select Properties. Select the Security tab. Select the Advanced button and then the Auditing tab. If the audit settings on the Domain object are not at least as inclusive as those below, this is a finding. Type - Fail Principal - Everyone Access - Full Control Inherited from - None Applies to - This object only The success types listed below are defaults. Where Special is listed in the summary screens for Access, detailed Permissions are provided for reference, various Properties selections may also exist by default. Two instances with the following summary information will be listed. Type - Success Principal - Everyone Access - (blank) Inherited from - None Applies to - Special Type - Success Principal - Domain Users Access - All extended rights Inherited from - None Applies to - This object only Type - Success Principal - Administrators Access - All extended rights Inherited from - None Applies to - This object only Type - Success Principal - Everyone Access - Special Inherited from - None Applies to - This object only (Access - Special = Permissions: Write all properties, Modify permissions, Modify owner)</RawString> </Rule> <Rule id="V-39327" severity="medium" conversionstatus="pass" title="WINAU-000209-DC" dscresource="ActiveDirectoryAuditRuleEntry"> <AccessControlEntry> <Entry> <Type>Fail</Type> <Principal>Everyone</Principal> <ForcePrincipal>False</ForcePrincipal> <Inheritance> </Inheritance> <Rights>FullControl</Rights> </Entry> <Entry> <Type>Success</Type> <Principal>Everyone</Principal> <ForcePrincipal>False</ForcePrincipal> <Inheritance> </Inheritance> <Rights>WriteallProperties,AllExtendedRights,ChangeInfrastructureMaster</Rights> </Entry> <Entry> <Type>Success</Type> <Principal>Everyone</Principal> <ForcePrincipal>False</ForcePrincipal> <Inheritance> </Inheritance> <Rights>blank</Rights> </Entry> </AccessControlEntry> <Force>True</Force> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <Path>CN=Infrastructure,{Domain}</Path> <RawString>Verify the auditing configuration for Infrastructure object. Open "Active Directory Users and Computers". (Available from various menus or run "dsa.msc".) Ensure Advanced Features is selected in the View menu. Select the domain being reviewed in the left pane. Right click the Infrastructure object in the right pane and select Properties. Select the Security tab. Select the Advanced button and then the Auditing tab. If the audit settings on the Infrastructure object are not at least as inclusive as those below, this is a finding. Type - Fail Principal - Everyone Access - Full Control Inherited from - None The success types listed below are defaults. Where Special is listed in the summary screens for Access, detailed Permissions are provided for reference, various Properties selections may also exist by default. Type - Success Principal - Everyone Access - Special Inherited from - None (Access - Special = Permissions: Write all properties, All extended rights, Change infrastructure master) Two instances with the following summary information will be listed. Type - Success Principal - Everyone Access - (blank) Inherited from - (CN of domain)</RawString> </Rule> <Rule id="V-39328" severity="medium" conversionstatus="pass" title="WINAU-000210-DC" dscresource="ActiveDirectoryAuditRuleEntry"> <AccessControlEntry> <Entry> <Type>Fail</Type> <Principal>Everyone</Principal> <ForcePrincipal>False</ForcePrincipal> <Inheritance> </Inheritance> <Rights>FullControl</Rights> </Entry> <Entry> <Type>Success</Type> <Principal>Everyone</Principal> <ForcePrincipal>False</ForcePrincipal> <Inheritance> </Inheritance> <Rights>Createallchildobjects,Delete,ModifyPermissions</Rights> </Entry> <Entry> <Type>Success</Type> <Principal>Everyone</Principal> <ForcePrincipal>False</ForcePrincipal> <Inheritance> </Inheritance> <Rights>WriteallProperties</Rights> </Entry> <Entry> <Type>Success</Type> <Principal>Everyone</Principal> <ForcePrincipal>False</ForcePrincipal> <Inheritance> </Inheritance> <Rights>blank</Rights> </Entry> </AccessControlEntry> <Force>True</Force> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <Path>OU=Domain Controllers,{Domain}</Path> <RawString>Verify the auditing configuration for the Domain Controller OU object. Open "Active Directory Users and Computers". (Available from various menus or run "dsa.msc".) Ensure Advanced Features is selected in the View menu. Select the Domain Controllers OU under the domain being reviewed in the left pane. Right click the Domain Controllers OU object and select Properties. Select the Security tab. Select the Advanced button and then the Auditing tab. If the audit settings on the Domain Controllers OU object are not at least as inclusive as those below, this is a finding. Type - Fail Principal - Everyone Access - Full Control Inherited from - None Applies to - This object and all descendant objects The success types listed below are defaults. Where Special is listed in the summary screens for Access, detailed Permissions are provided for reference, various Properties selections may also exist by default. Type - Success Principal - Everyone Access - Special Inherited from - None Applies to - This object only (Access - Special = Permissions: all create, delete and modify permissions) Type - Success Principal - Everyone Access - Write all properties Inherited from - None Applies to - This object and all descendant objects Two instances with the following summary information will be listed. Type - Success Principal - Everyone Access - (blank) Inherited from - (CN of domain) Applies to - Descendant Organizational Unit objects</RawString> </Rule> <Rule id="V-39329" severity="medium" conversionstatus="pass" title="WINAU-000211-DC" dscresource="ActiveDirectoryAuditRuleEntry"> <AccessControlEntry> <Entry> <Type>Fail</Type> <Principal>Everyone</Principal> <ForcePrincipal>False</ForcePrincipal> <Inheritance> </Inheritance> <Rights>FullControl</Rights> </Entry> <Entry> <Type>Success</Type> <Principal>Everyone</Principal> <ForcePrincipal>False</ForcePrincipal> <Inheritance> </Inheritance> <Rights>WriteallProperties,ModifyPermissions,ModifyOwner</Rights> </Entry> <Entry> <Type>Success</Type> <Principal>Everyone</Principal> <ForcePrincipal>False</ForcePrincipal> <Inheritance> </Inheritance> <Rights>blank</Rights> </Entry> </AccessControlEntry> <Force>True</Force> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <Path>CN=AdminSDHolder,CN=System,{Domain}</Path> <RawString>Verify the auditing configuration for the AdminSDHolder object. Open "Active Directory Users and Computers". (Available from various menus or run "dsa.msc".) Ensure Advanced Features is selected in the View menu. Select System under the domain being reviewed in the left pane. Right click the AdminSDHolder object in the right pane and select Properties. Select the Security tab. Select the Advanced button and then the Auditing tab. If the audit settings on the AdminSDHolder object are not at least as inclusive as those below, this is a finding. Type - Fail Principal - Everyone Access - Full Control Inherited from - None Applies to - This object only The success types listed below are defaults. Where Special is listed in the summary screens for Access, detailed Permissions are provided for reference, various Properties selections may also exist by default. Type - Success Principal - Everyone Access - Special Inherited from - None Applies to - This object only (Access - Special = Write all properties, Modify permissions, Modify owner) Two instances with the following summary information will be listed. Type - Success Principal - Everyone Access - (blank) Inherited from - (CN of domain) Applies to - Descendant Organizational Unit objects</RawString> </Rule> <Rule id="V-39330" severity="medium" conversionstatus="pass" title="WINAU-000212-DC" dscresource="ActiveDirectoryAuditRuleEntry"> <AccessControlEntry> <Entry> <Type>Fail</Type> <Principal>Everyone</Principal> <ForcePrincipal>False</ForcePrincipal> <Inheritance> </Inheritance> <Rights>FullControl</Rights> </Entry> <Entry> <Type>Success</Type> <Principal>Everyone</Principal> <ForcePrincipal>False</ForcePrincipal> <Inheritance> </Inheritance> <Rights>WriteallProperties,AllExtendedRights,ChangeRIDMaster</Rights> </Entry> <Entry> <Type>Success</Type> <Principal>Everyone</Principal> <ForcePrincipal>False</ForcePrincipal> <Inheritance> </Inheritance> <Rights>blank</Rights> </Entry> </AccessControlEntry> <Force>True</Force> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <Path>CN=RID Manager$,CN=System,{Domain}</Path> <RawString>Verify the auditing configuration for the RID Manager$ object. Open "Active Directory Users and Computers". (Available from various menus or run "dsa.msc".) Ensure Advanced Features is selected in the View menu. Select System under the domain being reviewed in the left pane. Right-click the RID Manager$ object in the right pane and select Properties. Select the Security tab. Select the Advanced button and then the Auditing tab. If the audit settings on the RID Manager$ object are not at least as inclusive as those below, this is a finding. Type - Fail Principal - Everyone Access - Full Control Inherited from - None The success types listed below are defaults. Where Special is listed in the summary screens for Access, detailed Permissions are provided for reference, various Properties selections may also exist by default. Type - Success Principal - Everyone Access - Special Inherited from - None (Access - Special = Write all properties, All extended rights, Change RID master) Two instances with the following summary information will be listed. Type - Success Principal - Everyone Access - (blank) Inherited from - (CN of domain)</RawString> </Rule> <Rule id="V-39331" severity="high" conversionstatus="pass" title="WINAD-000002-DC" dscresource="NTFSAccessEntry"> <AccessControlEntry> <Entry> <Type>Allow</Type> <Principal>Authenticated Users</Principal> <ForcePrincipal>False</ForcePrincipal> <Inheritance>This folder subfolders and files</Inheritance> <Rights>ReadAndExecute</Rights> </Entry> <Entry> <Type>Allow</Type> <Principal>Server Operators</Principal> <ForcePrincipal>False</ForcePrincipal> <Inheritance>This folder subfolders and files</Inheritance> <Rights>ReadAndExecute</Rights> </Entry> <Entry> <Type>Allow</Type> <Principal>Administrators</Principal> <ForcePrincipal>False</ForcePrincipal> <Inheritance>This folder only</Inheritance> <Rights>AppendData,ChangePermissions,CreateDirectories,CreateFiles,Delete,DeleteSubdirectoriesAndFiles,ExecuteFile,ListDirectory,Modify,Read,ReadAndExecute,ReadAttributes,ReadData,ReadExtendedAttributes,ReadPermissions,Synchronize,TakeOwnership,Traverse,Write,WriteAttributes,WriteData,WriteExtendedAttributes</Rights> </Entry> <Entry> <Type>Allow</Type> <Principal>CREATOR OWNER</Principal> <ForcePrincipal>False</ForcePrincipal> <Inheritance>Subfolders and files only</Inheritance> <Rights>FullControl</Rights> </Entry> <Entry> <Type>Allow</Type> <Principal>Administrators</Principal> <ForcePrincipal>False</ForcePrincipal> <Inheritance>Subfolders and files only</Inheritance> <Rights>FullControl</Rights> </Entry> <Entry> <Type>Allow</Type> <Principal>SYSTEM</Principal> <ForcePrincipal>False</ForcePrincipal> <Inheritance>This folder subfolders and files</Inheritance> <Rights>FullControl</Rights> </Entry> </AccessControlEntry> <Force>True</Force> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <Path>%windir%\sysvol</Path> <RawString>Verify the permissions on the SYSVOL directory. Open a command prompt. Run "net share". Make note of the directory location of the SYSVOL share. By default this will be \Windows\SYSVOL\sysvol. For this requirement, permissions will be verified at the first SYSVOL directory level. Open File Explorer. Navigate to \Windows\SYSVOL (or the directory noted previously if different). Right click the directory and select properties. Select the Security tab. Click Advanced. If any standard user accounts or groups have greater than read & execute permissions, this is a finding. The default permissions noted below meet this requirement. Type - Allow Principal - Authenticated Users Access - Read & execute Inherited from - None Applies to - This folder, subfolder and files Type - Allow Principal - Server Operators Access - Read & execute Inherited from - None Applies to - This folder, subfolder and files Type - Allow Principal - Administrators Access - Special Inherited from - None Applies to - This folder only (Access - Special - Basic Permissions: all selected except Full control) Type - Allow Principal - CREATOR OWNER Access - Full control Inherited from - None Applies to - Subfolders and files only Type - Allow Principal - Administrators Access - Full control Inherited from - None Applies to - Subfolders and files only Type - Allow Principal - SYSTEM Access - Full control Inherited from - None Applies to - This folder, subfolders and files Alternately, use Icacls.exe to view the permissions of the SYSVOL directory. Open a command prompt. Run "icacls c:\Windows\SYSVOL The following results should be displayed: NT AUTHORITY\Authenticated Users:(RX) NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)(GR,GE) BUILTIN\Server Operators:(RX) BUILTIN\Server Operators:(OI)(CI)(IO)(GR,GE) BUILTIN\Administrators:(M,WDAC,WO) BUILTIN\Administrators:(OI)(CI)(IO)(F) NT AUTHORITY\SYSTEM:(F) NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F) BUILTIN\Administrators:(M,WDAC,WO) CREATOR OWNER:(OI)(CI)(IO)(F) (RX) - Read & execute Run "icacls /help" to view definitions of other permission codes.</RawString> </Rule> <Rule id="V-40177.a" severity="medium" conversionstatus="pass" title="WNGE-000007" dscresource="NTFSAccessEntry"> <AccessControlEntry> <Entry> <Type> </Type> <Principal>TrustedInstaller</Principal> <ForcePrincipal>False</ForcePrincipal> <Inheritance>This folder and subfolders</Inheritance> <Rights>FullControl</Rights> </Entry> <Entry> <Type> </Type> <Principal>SYSTEM</Principal> <ForcePrincipal>False</ForcePrincipal> <Inheritance>This folder only</Inheritance> <Rights>Modify</Rights> </Entry> <Entry> <Type> </Type> <Principal>SYSTEM</Principal> <ForcePrincipal>False</ForcePrincipal> <Inheritance>Subfolders and files only</Inheritance> <Rights>FullControl</Rights> </Entry> <Entry> <Type> </Type> <Principal>Administrators</Principal> <ForcePrincipal>False</ForcePrincipal> <Inheritance>This folder only</Inheritance> <Rights>Modify</Rights> </Entry> <Entry> <Type> </Type> <Principal>Administrators</Principal> <ForcePrincipal>False</ForcePrincipal> <Inheritance>Subfolders and files only</Inheritance> <Rights>FullControl</Rights> </Entry> <Entry> <Type> </Type> <Principal>Users</Principal> <ForcePrincipal>False</ForcePrincipal> <Inheritance>This folder subfolders and files</Inheritance> <Rights>ReadAndExecute</Rights> </Entry> <Entry> <Type> </Type> <Principal>CREATOR OWNER</Principal> <ForcePrincipal>False</ForcePrincipal> <Inheritance>Subfolders and files only</Inheritance> <Rights>FullControl</Rights> </Entry> <Entry> <Type> </Type> <Principal>ALL APPLICATION PACKAGES</Principal> <ForcePrincipal>False</ForcePrincipal> <Inheritance>This folder subfolders and files</Inheritance> <Rights>ReadAndExecute</Rights> </Entry> </AccessControlEntry> <Force>True</Force> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <Path>%ProgramFiles(x86)%</Path> <RawString>The default permissions are adequate when the Security Option "Network access: Let everyone permissions apply to anonymous users" is set to "Disabled" (V-3377). If the default ACLs are maintained and the referenced option is set to "Disabled", this is not a finding. Verify the default permissions for the program file directories (Program Files and Program Files (x86)). Nonprivileged groups such as Users or Authenticated Users must not have greater than Read & execute permissions except where noted as defaults. (Individual accounts must not be used to assign permissions.) Viewing in File Explorer: For each folder, view the Properties. Select the "Security" tab, and the "Advanced" button. Default Permissions: \Program Files (x86) Type - "Allow" for all Inherited from - "None" for all Principal - Access - Applies to TrustedInstaller - Full control - This folder and subfolders SYSTEM - Modify - This folder only SYSTEM - Full control - Subfolders and files only Administrators - Modify - This folder only Administrators - Full control - Subfolders and files only Users - Read & execute - This folder, subfolders and files CREATOR OWNER - Full control - Subfolders and files only ALL APPLICATION PACKAGES - Read & execute - This folder, subfolders and files Alternately, use Icacls: Open a Command prompt (admin). Enter icacls followed by the directory: icacls "c:\program files" icacls "c:\program files (x86)" The following results should be displayed as each is entered: c:\program files NT SERVICE\TrustedInstaller:(F) NT SERVICE\TrustedInstaller:(CI)(IO)(F) NT AUTHORITY\SYSTEM:(M) NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F) BUILTIN\Administrators:(M) BUILTIN\Administrators:(OI)(CI)(IO)(F) BUILTIN\Users:(RX) BUILTIN\Users:(OI)(CI)(IO)(GR,GE) CREATOR OWNER:(OI)(CI)(IO)(F) APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(RX) APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE) Successfully processed 1 files; Failed processing 0 files </RawString> </Rule> <Rule id="V-40177.b" severity="medium" conversionstatus="pass" title="WNGE-000007" dscresource="NTFSAccessEntry"> <AccessControlEntry> <Entry> <Type> </Type> <Principal>TrustedInstaller</Principal> <ForcePrincipal>False</ForcePrincipal> <Inheritance>This folder and subfolders</Inheritance> <Rights>FullControl</Rights> </Entry> <Entry> <Type> </Type> <Principal>SYSTEM</Principal> <ForcePrincipal>False</ForcePrincipal> <Inheritance>This folder only</Inheritance> <Rights>Modify</Rights> </Entry> <Entry> <Type> </Type> <Principal>SYSTEM</Principal> <ForcePrincipal>False</ForcePrincipal> <Inheritance>Subfolders and files only</Inheritance> <Rights>FullControl</Rights> </Entry> <Entry> <Type> </Type> <Principal>Administrators</Principal> <ForcePrincipal>False</ForcePrincipal> <Inheritance>This folder only</Inheritance> <Rights>Modify</Rights> </Entry> <Entry> <Type> </Type> <Principal>Administrators</Principal> <ForcePrincipal>False</ForcePrincipal> <Inheritance>Subfolders and files only</Inheritance> <Rights>FullControl</Rights> </Entry> <Entry> <Type> </Type> <Principal>Users</Principal> <ForcePrincipal>False</ForcePrincipal> <Inheritance>This folder subfolders and files</Inheritance> <Rights>ReadAndExecute</Rights> </Entry> <Entry> <Type> </Type> <Principal>CREATOR OWNER</Principal> <ForcePrincipal>False</ForcePrincipal> <Inheritance>Subfolders and files only</Inheritance> <Rights>FullControl</Rights> </Entry> <Entry> <Type> </Type> <Principal>ALL APPLICATION PACKAGES</Principal> <ForcePrincipal>False</ForcePrincipal> <Inheritance>This folder subfolders and files</Inheritance> <Rights>ReadAndExecute</Rights> </Entry> </AccessControlEntry> <Force>True</Force> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <Path>%ProgramFiles%</Path> <RawString>The default permissions are adequate when the Security Option "Network access: Let everyone permissions apply to anonymous users" is set to "Disabled" (V-3377). If the default ACLs are maintained and the referenced option is set to "Disabled", this is not a finding. Verify the default permissions for the program file directories (Program Files and Program Files (x86)). Nonprivileged groups such as Users or Authenticated Users must not have greater than Read & execute permissions except where noted as defaults. (Individual accounts must not be used to assign permissions.) Viewing in File Explorer: For each folder, view the Properties. Select the "Security" tab, and the "Advanced" button. Default Permissions: \Program Files Type - "Allow" for all Inherited from - "None" for all Principal - Access - Applies to TrustedInstaller - Full control - This folder and subfolders SYSTEM - Modify - This folder only SYSTEM - Full control - Subfolders and files only Administrators - Modify - This folder only Administrators - Full control - Subfolders and files only Users - Read & execute - This folder, subfolders and files CREATOR OWNER - Full control - Subfolders and files only ALL APPLICATION PACKAGES - Read & execute - This folder, subfolders and files Alternately, use Icacls: Open a Command prompt (admin). Enter icacls followed by the directory: icacls "c:\program files" icacls "c:\program files (x86)" The following results should be displayed as each is entered: c:\program files NT SERVICE\TrustedInstaller:(F) NT SERVICE\TrustedInstaller:(CI)(IO)(F) NT AUTHORITY\SYSTEM:(M) NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F) BUILTIN\Administrators:(M) BUILTIN\Administrators:(OI)(CI)(IO)(F) BUILTIN\Users:(RX) BUILTIN\Users:(OI)(CI)(IO)(GR,GE) CREATOR OWNER:(OI)(CI)(IO)(F) APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(RX) APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE) Successfully processed 1 files; Failed processing 0 files </RawString> </Rule> <Rule id="V-40178" severity="medium" conversionstatus="pass" title="WNGE-000006" dscresource="NTFSAccessEntry"> <AccessControlEntry> <Entry> <Type> </Type> <Principal>SYSTEM</Principal> <ForcePrincipal>False</ForcePrincipal> <Inheritance>This folder subfolders and files</Inheritance> <Rights>FullControl</Rights> </Entry> <Entry> <Type> </Type> <Principal>Administrators</Principal> <ForcePrincipal>False</ForcePrincipal> <Inheritance>This folder subfolders and files</Inheritance> <Rights>FullControl</Rights> </Entry> <Entry> <Type> </Type> <Principal>Users</Principal> <ForcePrincipal>False</ForcePrincipal> <Inheritance>This folder subfolders and files</Inheritance> <Rights>ReadAndExecute</Rights> </Entry> <Entry> <Type> </Type> <Principal>Users</Principal> <ForcePrincipal>False</ForcePrincipal> <Inheritance>This folder and subfolders</Inheritance> <Rights>CreateDirectories,AppendData</Rights> </Entry> <Entry> <Type> </Type> <Principal>Users</Principal> <ForcePrincipal>False</ForcePrincipal> <Inheritance>Subfolders only</Inheritance> <Rights>CreateFiles,WriteData</Rights> </Entry> <Entry> <Type> </Type> <Principal>CREATOR OWNER</Principal> <ForcePrincipal>False</ForcePrincipal> <Inheritance>Subfolders and files only</Inheritance> <Rights>FullControl</Rights> </Entry> </AccessControlEntry> <Force>True</Force> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <Path>%SystemDrive%\</Path> <RawString>The default permissions are adequate when the Security Option "Network access: Let everyone permissions apply to anonymous users" is set to "Disabled" (V-3377). If the default ACLs are maintained and the referenced option is set to "Disabled", this is not a finding. Verify the default permissions for the system drive's root directory (usually C:\). Nonprivileged groups such as Users or Authenticated Users must not have greater than Read & execute permissions except where noted as defaults. (Individual accounts must not be used to assign permissions.) Viewing in File Explorer: View the Properties of system drive root directory. Select the "Security" tab, and the "Advanced" button. C:\ Type - "Allow" for all Inherited from - "None" for all Principal - Access - Applies to SYSTEM - Full control - This folder, subfolders and files Administrators - Full control - This folder, subfolders and files Users - Read & execute - This folder, subfolders and files Users - Create folders / append data - This folder and subfolders Users - Create files / write data - Subfolders only CREATOR OWNER - Full Control - Subfolders and files only Alternately, use Icacls: Open a Command prompt (admin). Enter icacls followed by the directory: icacls c:\ The following results should be displayed: c:\ NT AUTHORITY\SYSTEM:(OI)(CI)(F) BUILTIN\Administrators:(OI)(CI)(F) BUILTIN\Users:(OI)(CI)(RX) BUILTIN\Users:(CI)(AD) BUILTIN\Users:(CI)(IO)(WD) CREATOR OWNER:(OI)(CI)(IO)(F) Successfully processed 1 files; Failed processing 0 files</RawString> </Rule> <Rule id="V-40179" severity="medium" conversionstatus="pass" title="WNGE-000008" dscresource="NTFSAccessEntry"> <AccessControlEntry> <Entry> <Type> </Type> <Principal>TrustedInstaller</Principal> <ForcePrincipal>False</ForcePrincipal> <Inheritance>This folder and subfolders</Inheritance> <Rights>FullControl</Rights> </Entry> <Entry> <Type> </Type> <Principal>SYSTEM</Principal> <ForcePrincipal>False</ForcePrincipal> <Inheritance>This folder only</Inheritance> <Rights>Modify</Rights> </Entry> <Entry> <Type> </Type> <Principal>SYSTEM</Principal> <ForcePrincipal>False</ForcePrincipal> <Inheritance>Subfolders and files only</Inheritance> <Rights>FullControl</Rights> </Entry> <Entry> <Type> </Type> <Principal>Administrators</Principal> <ForcePrincipal>False</ForcePrincipal> <Inheritance>This folder only</Inheritance> <Rights>Modify</Rights> </Entry> <Entry> <Type> </Type> <Principal>Administrators</Principal> <ForcePrincipal>False</ForcePrincipal> <Inheritance>Subfolders and files only</Inheritance> <Rights>FullControl</Rights> </Entry> <Entry> <Type> </Type> <Principal>Users</Principal> <ForcePrincipal>False</ForcePrincipal> <Inheritance>This folder subfolders and files</Inheritance> <Rights>ReadAndExecute</Rights> </Entry> <Entry> <Type> </Type> <Principal>CREATOR OWNER</Principal> <ForcePrincipal>False</ForcePrincipal> <Inheritance>Subfolders and files only</Inheritance> <Rights>FullControl</Rights> </Entry> <Entry> <Type> </Type> <Principal>ALL APPLICATION PACKAGES</Principal> <ForcePrincipal>False</ForcePrincipal> <Inheritance>This folder subfolders and files</Inheritance> <Rights>ReadAndExecute</Rights> </Entry> </AccessControlEntry> <Force>True</Force> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <Path>%windir%</Path> <RawString>The default permissions are adequate when the Security Option "Network access: Let everyone permissions apply to anonymous users" is set to "Disabled" (V-3377). If the default ACLs are maintained and the referenced option is set to "Disabled", this is not a finding. Verify the default permissions for the Windows installation directory (usually C:\Windows). Nonprivileged groups such as Users or Authenticated Users must not have greater than Read & execute permissions except where noted as defaults. (Individual accounts must not be used to assign permissions.) Viewing in File Explorer: View the Properties of the folder. Select the "Security" tab, and the "Advanced" button. Default Permissions: \Windows Type - "Allow" for all Inherited from - "None" for all Principal - Access - Applies to TrustedInstaller - Full control - This folder and subfolders SYSTEM - Modify - This folder only SYSTEM - Full control - Subfolders and files only Administrators - Modify - This folder only Administrators - Full control - Subfolders and files only Users - Read & execute - This folder, subfolders and files CREATOR OWNER - Full control - Subfolders and files only ALL APPLICATION PACKAGES - Read & execute - This folder, subfolders and files Alternately, use Icacls: Open a Command prompt (admin). Enter icacls followed by the directory: icacls c:\windows The following results should be displayed: c:\windows NT SERVICE\TrustedInstaller:(F) NT SERVICE\TrustedInstaller:(CI)(IO)(F) NT AUTHORITY\SYSTEM:(M) NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F) BUILTIN\Administrators:(M) BUILTIN\Administrators:(OI)(CI)(IO)(F) BUILTIN\Users:(RX) BUILTIN\Users:(OI)(CI)(IO)(GR,GE) CREATOR OWNER:(OI)(CI)(IO)(F) APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(RX) APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE) Successfully processed 1 files; Failed processing 0 files</RawString> </Rule> <Rule id="V-57721" severity="medium" conversionstatus="pass" title="WINAU-000213" dscresource="NTFSAccessEntry"> <AccessControlEntry> <Entry> <Type> </Type> <Principal>TrustedInstaller</Principal> <ForcePrincipal>False</ForcePrincipal> <Inheritance> </Inheritance> <Rights>FullControl</Rights> </Entry> <Entry> <Type> </Type> <Principal>Administrators</Principal> <ForcePrincipal>False</ForcePrincipal> <Inheritance> </Inheritance> <Rights>ReadAndExecute</Rights> </Entry> <Entry> <Type> </Type> <Principal>SYSTEM</Principal> <ForcePrincipal>False</ForcePrincipal> <Inheritance> </Inheritance> <Rights>ReadAndExecute</Rights> </Entry> <Entry> <Type> </Type> <Principal>Users</Principal> <ForcePrincipal>False</ForcePrincipal> <Inheritance> </Inheritance> <Rights>ReadAndExecute</Rights> </Entry> <Entry> <Type> </Type> <Principal>ALL APPLICATION PACKAGES</Principal> <ForcePrincipal>False</ForcePrincipal> <Inheritance> </Inheritance> <Rights>ReadAndExecute</Rights> </Entry> </AccessControlEntry> <Force>True</Force> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <Path>%windir%\SYSTEM32\eventvwr.exe</Path> <RawString>Verify the permissions on Event Viewer only allow TrustedInstaller permissions to change or modify. If any groups or accounts other than TrustedInstaller have Full control or Modify, this is a finding. Navigate to "%SystemRoot%\SYSTEM32". View the permissions on "Eventvwr.exe". The default permissions below satisfy this requirement. TrustedInstaller - Full Control Administrators, SYSTEM, Users, ALL APPLICATION PACKAGES - Read & Execute</RawString> </Rule> </PermissionRule> <RegistryRule dscresourcemodule="xPSDesiredStateConfiguration"> <Rule id="V-1075" severity="low" conversionstatus="pass" title="Display Shutdown Button" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: ShutdownWithoutLogon Value Type: REG_DWORD Value: 0</RawString> <ValueData>0</ValueData> <ValueName>ShutdownWithoutLogon</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-1089" severity="medium" conversionstatus="pass" title="Legal Notice Display" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: LegalNoticeText Value Type: REG_SZ Value: See message text below You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.</RawString> <ValueData>You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.</ValueData> <ValueName>LegalNoticeText</ValueName> <ValueType>String</ValueType> </Rule> <Rule id="V-1090" severity="low" conversionstatus="pass" title="Caching of logon credentials" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon</Key> <OrganizationValueRequired>True</OrganizationValueRequired> <OrganizationValueTestString>{0} -le '4'</OrganizationValueTestString> <RawString>If the system is not a member of a domain, this is NA. If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ Value Name: CachedLogonsCount Value Type: REG_SZ Value: 4 (or less)</RawString> <ValueData /> <ValueName>CachedLogonsCount</ValueName> <ValueType>String</ValueType> </Rule> <Rule id="V-1093" severity="high" conversionstatus="pass" title="Anonymous shares are not restricted" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Control\Lsa\ Value Name: RestrictAnonymous Value Type: REG_DWORD Value: 1</RawString> <ValueData>1</ValueData> <ValueName>RestrictAnonymous</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-1136" severity="low" conversionstatus="pass" title="Forcibly Disconnect when Logon Hours Expire" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Services\LanManServer\Parameters\ Value Name: EnableForcedLogoff Value Type: REG_DWORD Value: 1</RawString> <ValueData>1</ValueData> <ValueName>EnableForcedLogoff</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-1141" severity="medium" conversionstatus="pass" title="Unencrypted Password is Sent to SMB Server." dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters\ Value Name: EnablePlainTextPassword Value Type: REG_DWORD Value: 0</RawString> <ValueData>0</ValueData> <ValueName>EnablePlainTextPassword</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-1145" severity="medium" conversionstatus="pass" title="Disable Automatic Logon" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ Value Name: AutoAdminLogon Type: REG_SZ Value: 0</RawString> <ValueData>0</ValueData> <ValueName>AutoAdminLogon</ValueName> <ValueType>String</ValueType> </Rule> <Rule id="V-1151" severity="low" conversionstatus="pass" title="Secure Print Driver Installation" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers\ Value Name: AddPrinterDrivers Value Type: REG_DWORD Value: 1</RawString> <ValueData>1</ValueData> <ValueName>AddPrinterDrivers</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-1153" severity="high" conversionstatus="pass" title="LanMan Authentication Level" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Control\Lsa\ Value Name: LmCompatibilityLevel Value Type: REG_DWORD Value: 5</RawString> <ValueData>5</ValueData> <ValueName>LmCompatibilityLevel</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-1154" severity="medium" conversionstatus="pass" title="Ctrl+Alt+Del Security Attention Sequence" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: DisableCAD Value Type: REG_DWORD Value: 0</RawString> <ValueData>0</ValueData> <ValueName>DisableCAD</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-1157" severity="medium" conversionstatus="pass" title="Smart Card Removal Option " dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon</Key> <OrganizationValueRequired>True</OrganizationValueRequired> <OrganizationValueTestString>{0} -match '1|2'</OrganizationValueTestString> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ Value Name: SCRemoveOption Value Type: REG_SZ Value: 1 (Lock Workstation) or 2 (Force Logoff) If configuring this on servers causes issues such as terminating users' remote sessions and the site has a policy in place that any other sessions on the servers such as administrative console logons, are manually locked or logged off when unattended or not in use, this would be acceptable. This must be documented with the ISSO.</RawString> <ValueData /> <ValueName>SCRemoveOption</ValueName> <ValueType>String</ValueType> </Rule> <Rule id="V-1162" severity="medium" conversionstatus="pass" title="SMB Server Packet Signing (if client agrees)" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Services\LanManServer\Parameters\ Value Name: EnableSecuritySignature Value Type: REG_DWORD Value: 1</RawString> <ValueData>1</ValueData> <ValueName>EnableSecuritySignature</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-1163" severity="medium" conversionstatus="pass" title="Encryption of Secure Channel Traffic" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\ Value Name: SealSecureChannel Value Type: REG_DWORD Value: 1 If the value for "Domain Member: Digitally encrypt or sign secure channel data (always)" is set to "Enabled", this can be NA (see V-6831).</RawString> <ValueData>1</ValueData> <ValueName>SealSecureChannel</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-1164" severity="medium" conversionstatus="pass" title="Signing of Secure Channel Traffic" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\ Value Name: SignSecureChannel Value Type: REG_DWORD Value: 1 If the value for "Domain Member: Digitally encrypt or sign secure channel data (always)" is set to "Enabled", this can be NA (see V-6831).</RawString> <ValueData>1</ValueData> <ValueName>SignSecureChannel</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-1165" severity="low" conversionstatus="pass" title="Computer Account Password Reset" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Services\Netlogon\Parameters\ Value Name: DisablePasswordChange Value Type: REG_DWORD Value: 0</RawString> <ValueData>0</ValueData> <ValueName>DisablePasswordChange</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-1166" severity="medium" conversionstatus="pass" title="SMB Client Packet Signing (if server agrees)" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Services\LanmanWorkstation\Parameters\ Value Name: EnableSecuritySignature Value Type: REG_DWORD Value: 1</RawString> <ValueData>1</ValueData> <ValueName>EnableSecuritySignature</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-1171" severity="medium" conversionstatus="pass" title="Format and Eject Removable Media" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ Value Name: AllocateDASD Value Type: REG_SZ Value: 0</RawString> <ValueData>0</ValueData> <ValueName>AllocateDASD</ValueName> <ValueType>String</ValueType> </Rule> <Rule id="V-1172" severity="low" conversionstatus="pass" title="Password Expiration Warning" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon</Key> <OrganizationValueRequired>True</OrganizationValueRequired> <OrganizationValueTestString>{0} -ge '14'</OrganizationValueTestString> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ Value Name: PasswordExpiryWarning Value Type: REG_DWORD Value: 14 (or greater)</RawString> <ValueData /> <ValueName>PasswordExpiryWarning</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-1173" severity="low" conversionstatus="pass" title="Global System Objects Permission Strength" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Control\Session Manager\ Value Name: ProtectionMode Value Type: REG_DWORD Value: 1</RawString> <ValueData>1</ValueData> <ValueName>ProtectionMode</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-1174" severity="low" conversionstatus="pass" title="Idle Time Before Suspending a Session." dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters</Key> <OrganizationValueRequired>True</OrganizationValueRequired> <OrganizationValueTestString>{0} -le '15'</OrganizationValueTestString> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\LanManServer\Parameters\ Value Name: autodisconnect Value Type: REG_DWORD Value: 0x0000000f (15) (or less)</RawString> <ValueData /> <ValueName>autodisconnect</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-2374" severity="high" conversionstatus="pass" title="Disable Media Autoplay" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ Value Name: NoDriveTypeAutoRun Type: REG_DWORD Value: 0x000000ff (255)</RawString> <ValueData>255</ValueData> <ValueName>NoDriveTypeAutoRun</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-3338" severity="high" conversionstatus="pass" title="Anonymous Access to Named Pipes" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Services\LanManServer\Parameters\ Value Name: NullSessionPipes Value Type: REG_MULTI_SZ Value: netlogon, samr, lsarpc The default configuration of systems promoted to domain controllers may include a blank entry in the first line prior to "netlogon", "samr", and "lsarpc". This will appear in the registry as a blank entry when viewing the registry key summary; however the value data for "NullSessionPipes" will contain the default entries. Legitimate applications may add entries to this registry value. If an application requires these entries to function properly and is documented with the ISSO, this would not be a finding. Documentation must contain supporting information from the vendor's instructions.</RawString> <ValueData>netlogon;samr;lsarpc</ValueData> <ValueName>NullSessionPipes</ValueName> <ValueType>MultiString</ValueType> </Rule> <Rule id="V-3339" severity="high" conversionstatus="pass" title="Remotely Accessible Registry Paths" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths\ Value Name: Machine Value Type: REG_MULTI_SZ Value: see below System\CurrentControlSet\Control\ProductOptions System\CurrentControlSet\Control\Server Applications Software\Microsoft\Windows NT\CurrentVersion Legitimate applications may add entries to this registry value. If an application requires these entries to function properly and is documented with the ISSO, this would not be a finding. Documentation must contain supporting information from the vendor's instructions.</RawString> <ValueData>System\CurrentControlSet\Control\ProductOptions;System\CurrentControlSet\Control\Server Applications;Software\Microsoft\Windows NT\CurrentVersion</ValueData> <ValueName>Machine</ValueName> <ValueType>MultiString</ValueType> </Rule> <Rule id="V-3340" severity="high" conversionstatus="pass" title="Anonymous Access to Network Shares" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>True</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist, this is not a finding: If the following registry value does exist and is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Services\LanManServer\Parameters\ Value Name: NullSessionShares Value Type: REG_MULTI_SZ Value: (Blank)</RawString> <ValueData> </ValueData> <ValueName>NullSessionShares</ValueName> <ValueType>MultiString</ValueType> </Rule> <Rule id="V-3343" severity="high" conversionstatus="pass" title="Remote Assistance - Solicit Remote Assistance" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\ Value Name: fAllowToGetHelp Type: REG_DWORD Value: 0</RawString> <ValueData>0</ValueData> <ValueName>fAllowToGetHelp</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-3344" severity="high" conversionstatus="pass" title="Limit Blank Passwords" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Control\Lsa\ Value Name: LimitBlankPasswordUse Value Type: REG_DWORD Value: 1</RawString> <ValueData>1</ValueData> <ValueName>LimitBlankPasswordUse</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-3373" severity="low" conversionstatus="pass" title="Maximum Machine Account Password Age" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters</Key> <OrganizationValueRequired>True</OrganizationValueRequired> <OrganizationValueTestString>{0} -le '30' -and {0} -gt '0'</OrganizationValueTestString> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Services\Netlogon\Parameters\ Value Name: MaximumPasswordAge Value Type: REG_DWORD Value: 30 (or less, but not 0)</RawString> <ValueData /> <ValueName>MaximumPasswordAge</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-3374" severity="medium" conversionstatus="pass" title="Strong Session Key" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Services\Netlogon\Parameters\ Value Name: RequireStrongKey Value Type: REG_DWORD Value: 1 This setting may prevent a system from being joined to a domain if not configured consistently between systems.</RawString> <ValueData>1</ValueData> <ValueName>RequireStrongKey</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-3376" severity="medium" conversionstatus="pass" title="Storage of Passwords and Credentials" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Control\Lsa\ Value Name: DisableDomainCreds Value Type: REG_DWORD Value: 1</RawString> <ValueData>1</ValueData> <ValueName>DisableDomainCreds</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-3377" severity="medium" conversionstatus="pass" title="Everyone Anonymous rights" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Control\Lsa\ Value Name: EveryoneIncludesAnonymous Value Type: REG_DWORD Value: 0</RawString> <ValueData>0</ValueData> <ValueName>EveryoneIncludesAnonymous</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-3378" severity="medium" conversionstatus="pass" title="Sharing and Security Model for Local Accounts" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Control\Lsa\ Value Name: ForceGuest Value Type: REG_DWORD Value: 0</RawString> <ValueData>0</ValueData> <ValueName>ForceGuest</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-3379" severity="high" conversionstatus="pass" title="LAN Manager Hash stored" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Control\Lsa\ Value Name: NoLMHash Value Type: REG_DWORD Value: 1</RawString> <ValueData>1</ValueData> <ValueName>NoLMHash</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-3381" severity="medium" conversionstatus="pass" title="LDAP Client Signing" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Services\LDAP\ Value Name: LDAPClientIntegrity Value Type: REG_DWORD Value: 1</RawString> <ValueData>1</ValueData> <ValueName>LDAPClientIntegrity</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-3382" severity="medium" conversionstatus="pass" title="Session Security for NTLM SSP Based Clients" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Control\Lsa\MSV1_0\ Value Name: NTLMMinClientSec Value Type: REG_DWORD Value: 0x20080000 (537395200)</RawString> <ValueData>537395200</ValueData> <ValueName>NTLMMinClientSec</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-3383" severity="medium" conversionstatus="pass" title="FIPS Compliant Algorithms " dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy\ Value Name: Enabled Value Type: REG_DWORD Value: 1 Warning: Clients with this setting enabled will not be able to communicate via digitally encrypted or signed protocols with servers that do not support these algorithms. Both the browser and web server must be configured to use TLS, or the browser will not be able to connect to a secure site.</RawString> <ValueData>1</ValueData> <ValueName>Enabled</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-3385" severity="medium" conversionstatus="pass" title="Case Insensitivity for Non-Windows" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Control\Session Manager\Kernel\ Value Name: ObCaseInsensitive Value Type: REG_DWORD Value: 1</RawString> <ValueData>1</ValueData> <ValueName>ObCaseInsensitive</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-3449" severity="medium" conversionstatus="pass" title="TS/RDS - Session Limit" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\ Value Name: fSingleSessionPerUser Type: REG_DWORD Value: 1</RawString> <ValueData>1</ValueData> <ValueName>fSingleSessionPerUser</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-3453" severity="medium" conversionstatus="pass" title="TS/RDS - Password Prompting" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\ Value Name: fPromptForPassword Type: REG_DWORD Value: 1</RawString> <ValueData>1</ValueData> <ValueName>fPromptForPassword</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-3454" severity="medium" conversionstatus="pass" title="TS/RDS - Set Encryption Level" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\ Value Name: MinEncryptionLevel Type: REG_DWORD Value: 3</RawString> <ValueData>3</ValueData> <ValueName>MinEncryptionLevel</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-3455" severity="medium" conversionstatus="pass" title="TS/RDS - Do Not Use Temp Folders" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\ Value Name: PerSessionTempDir Type: REG_DWORD Value: 1</RawString> <ValueData>1</ValueData> <ValueName>PerSessionTempDir</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-3456" severity="medium" conversionstatus="pass" title="TS/RDS - Delete Temp Folders" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\ Value Name: DeleteTempDirsOnExit Type: REG_DWORD Value: 1</RawString> <ValueData>1</ValueData> <ValueName>DeleteTempDirsOnExit</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-3469" severity="medium" conversionstatus="pass" title="Group Policy - Do Not Turn off Background Refresh" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\system</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Review the registry. If the following registry value does not exist, this is not a finding (this is the expected result from configuring the policy as outlined in the Fix section.): If the following registry value exists but is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\system\ Value Name: DisableBkGndGroupPolicy Type: REG_DWORD Value: 0</RawString> <ValueData>0</ValueData> <ValueName>DisableBkGndGroupPolicy</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-3470" severity="medium" conversionstatus="pass" title="Remote Assistance - Offer Remote Assistance" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\ Value Name: fAllowUnsolicited Type: REG_DWORD Value: 0</RawString> <ValueData>0</ValueData> <ValueName>fAllowUnsolicited</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-3479" severity="medium" conversionstatus="pass" title="Safe DLL Search Mode" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Control\Session Manager\ Value Name: SafeDllSearchMode Value Type: REG_DWORD Value: 1</RawString> <ValueData>1</ValueData> <ValueName>SafeDllSearchMode</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-3480" severity="medium" conversionstatus="pass" title="Media Player - Disable Automatic Updates" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsMediaPlayer</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Windows Media Player is not installed by default. If it is not installed, this is NA. If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\WindowsMediaPlayer\ Value Name: DisableAutoupdate Type: REG_DWORD Value: 1</RawString> <ValueData>1</ValueData> <ValueName>DisableAutoupdate</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-3481" severity="medium" conversionstatus="pass" title="Media Player - Prevent Codec Download" dscresource="cAdministrativeTemplate"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_CURRENT_USER\Software\Policies\Microsoft\WindowsMediaPlayer</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_CURRENT_USER Registry Path: \Software\Policies\Microsoft\WindowsMediaPlayer\ Value Name: PreventCodecDownload Type: REG_DWORD Value: 1</RawString> <ValueData>1</ValueData> <ValueName>PreventCodecDownload</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-3666" severity="medium" conversionstatus="pass" title="Session Security for NTLM SSP based Servers" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Control\Lsa\MSV1_0\ Value Name: NTLMMinServerSec Value Type: REG_DWORD Value: 0x20080000 (537395200)</RawString> <ValueData>537395200</ValueData> <ValueName>NTLMMinServerSec</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-4108" severity="low" conversionstatus="pass" title="Audit Log Warning Level" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog\Security</Key> <OrganizationValueRequired>True</OrganizationValueRequired> <OrganizationValueTestString>{0} -le '90'</OrganizationValueTestString> <RawString>If the system is configured to write to an audit server, or is configured to automatically archive full logs, this is NA. If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Services\Eventlog\Security\ Value Name: WarningLevel Value Type: REG_DWORD Value: 90 (or less)</RawString> <ValueData /> <ValueName>WarningLevel</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-4110" severity="low" conversionstatus="pass" title="Disable IP Source Routing" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Services\Tcpip\Parameters\ Value Name: DisableIPSourceRouting Value Type: REG_DWORD Value: 2</RawString> <ValueData>2</ValueData> <ValueName>DisableIPSourceRouting</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-4111" severity="low" conversionstatus="pass" title="Disable ICMP Redirect" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Services\Tcpip\Parameters\ Value Name: EnableICMPRedirect Value Type: REG_DWORD Value: 0</RawString> <ValueData>0</ValueData> <ValueName>EnableICMPRedirect</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-4112" severity="low" conversionstatus="pass" title="Disable Router Discovery" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Services\Tcpip\Parameters\ Value Name: PerformRouterDiscovery Value Type: REG_DWORD Value: 0</RawString> <ValueData>0</ValueData> <ValueName>PerformRouterDiscovery</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-4113" severity="low" conversionstatus="pass" title="TCP Connection Keep-Alive Time" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters</Key> <OrganizationValueRequired>True</OrganizationValueRequired> <OrganizationValueTestString>{0} -le '300000'</OrganizationValueTestString> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Services\Tcpip\Parameters\ Value Name: KeepAliveTime Value Type: REG_DWORD Value: 300000 (or less)</RawString> <ValueData /> <ValueName>KeepAliveTime</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-4116" severity="low" conversionstatus="pass" title="Name-Release Attacks" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netbt\Parameters</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\Netbt\Parameters\ Value Name: NoNameReleaseOnDemand Value Type: REG_DWORD Value: 1</RawString> <ValueData>1</ValueData> <ValueName>NoNameReleaseOnDemand</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-4407" severity="medium" conversionstatus="pass" title="LDAP Signing Requirements" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Services\NTDS\Parameters\ Value Name: LDAPServerIntegrity Value Type: REG_DWORD Value: 2</RawString> <ValueData>2</ValueData> <ValueName>LDAPServerIntegrity</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-4408" severity="low" conversionstatus="pass" title="Computer Account Password Change" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Services\Netlogon\Parameters\ Value Name: RefusePasswordChange Value Type: REG_DWORD Value: 0</RawString> <ValueData>0</ValueData> <ValueName>RefusePasswordChange</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-4438" severity="low" conversionstatus="pass" title="TCP Data Retransmissions" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters</Key> <OrganizationValueRequired>True</OrganizationValueRequired> <OrganizationValueTestString>{0} -le '3'</OrganizationValueTestString> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\ Value Name: TcpMaxDataRetransmissions Value Type: REG_DWORD Value: 3 (or less)</RawString> <ValueData /> <ValueName>TcpMaxDataRetransmissions</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-4442" severity="low" conversionstatus="pass" title="Screen Saver Grace Period" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon</Key> <OrganizationValueRequired>True</OrganizationValueRequired> <OrganizationValueTestString>{0} -le '5'</OrganizationValueTestString> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ Value Name: ScreenSaverGracePeriod Value Type: REG_SZ Value: 5 (or less)</RawString> <ValueData /> <ValueName>ScreenSaverGracePeriod</ValueName> <ValueType>String</ValueType> </Rule> <Rule id="V-4443" severity="high" conversionstatus="pass" title="Remotely Accessible Registry Paths and Sub-Paths" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths\ Value Name: Machine Value Type: REG_MULTI_SZ Value: see below Software\Microsoft\OLAP Server Software\Microsoft\Windows NT\CurrentVersion\Perflib Software\Microsoft\Windows NT\CurrentVersion\Print Software\Microsoft\Windows NT\CurrentVersion\Windows System\CurrentControlSet\Control\ContentIndex System\CurrentControlSet\Control\Print\Printers System\CurrentControlSet\Control\Terminal Server System\CurrentControlSet\Control\Terminal Server\UserConfig System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration System\CurrentControlSet\Services\Eventlog System\CurrentControlSet\Services\Sysmonlog Legitimate applications may add entries to this registry value. If an application requires these entries to function properly and is documented with the ISSO, this would not be a finding. Documentation must contain supporting information from the vendor's instructions.</RawString> <ValueData>Software\Microsoft\OLAP Server;Software\Microsoft\Windows NT\CurrentVersion\Perflib;Software\Microsoft\Windows NT\CurrentVersion\Print;Software\Microsoft\Windows NT\CurrentVersion\Windows;System\CurrentControlSet\Control\ContentIndex;System\CurrentControlSet\Control\Print\Printers;System\CurrentControlSet\Control\Terminal Server;System\CurrentControlSet\Control\Terminal Server\UserConfig;System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration;System\CurrentControlSet\Services\Eventlog;System\CurrentControlSet\Services\Sysmonlog</ValueData> <ValueName>Machine</ValueName> <ValueType>MultiString</ValueType> </Rule> <Rule id="V-4445" severity="low" conversionstatus="pass" title="Optional Subsystems" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>True</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Subsystems</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Control\Session Manager\Subsystems\ Value Name: Optional Value Type: REG_MULTI_SZ Value: (Blank)</RawString> <ValueData> </ValueData> <ValueName>Optional</ValueName> <ValueType>MultiString</ValueType> </Rule> <Rule id="V-4447" severity="medium" conversionstatus="pass" title="TS/RDS - Secure RPC Connection." dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\ Value Name: fEncryptRPCTraffic Type: REG_DWORD Value: 1</RawString> <ValueData>1</ValueData> <ValueName>fEncryptRPCTraffic</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-4448" severity="medium" conversionstatus="pass" title="Group Policy - Registry Policy Processing" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}\ Value Name: NoGPOListChanges Type: REG_DWORD Value: 0</RawString> <ValueData>0</ValueData> <ValueName>NoGPOListChanges</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-6831" severity="medium" conversionstatus="pass" title="Encrypting and Signing of Secure Channel Traffic" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Services\Netlogon\Parameters\ Value Name: RequireSignOrSeal Value Type: REG_DWORD Value: 1</RawString> <ValueData>1</ValueData> <ValueName>RequireSignOrSeal</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-6832" severity="medium" conversionstatus="pass" title="SMB Client Packet Signing (Always)" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Services\LanmanWorkstation\Parameters\ Value Name: RequireSecuritySignature Value Type: REG_DWORD Value: 1</RawString> <ValueData>1</ValueData> <ValueName>RequireSecuritySignature</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-6833" severity="medium" conversionstatus="pass" title="SMB Server Packet Signing (Always)" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Services\LanManServer\Parameters\ Value Name: RequireSecuritySignature Value Type: REG_DWORD Value: 1</RawString> <ValueData>1</ValueData> <ValueName>RequireSecuritySignature</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-6834" severity="high" conversionstatus="pass" title="Anonymous Access to Named Pipes and Shares" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Services\LanManServer\Parameters\ Value Name: RestrictNullSessAccess Value Type: REG_DWORD Value: 1</RawString> <ValueData>1</ValueData> <ValueName>RestrictNullSessAccess</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-8322.a" severity="medium" conversionstatus="pass" title="Time Synchronization" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient\ Type: REG_DWORD Value Name: Enabled Value: 1</RawString> <ValueData>1</ValueData> <ValueName>Enabled</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-8322.b" severity="medium" conversionstatus="pass" title="Time Synchronization" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient</Key> <OrganizationValueRequired>True</OrganizationValueRequired> <OrganizationValueTestString>'{0}' -match '^(NoSync|NTP|NT5DS|AllSync)$'</OrganizationValueTestString> <RawString>Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient\ Type: REG_SZ Value Name: Type Value: NT5DS (preferred), NTP or Allsync</RawString> <ValueData /> <ValueName>Type</ValueName> <ValueType>String</ValueType> </Rule> <Rule id="V-8324" severity="low" conversionstatus="pass" title="Time Synchronization Source Logging" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\Config</Key> <OrganizationValueRequired>True</OrganizationValueRequired> <OrganizationValueTestString>{0} -match '2|3'</OrganizationValueTestString> <RawString>Verify logging is configured to capture time source switches. If the Windows Time Service is used, verify the following registry value. If it is not configured as specified, this is a finding. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Services\W32Time\Config\ Value Name: EventLogFlags Type: REG_DWORD Value: 2 or 3 If another time synchronization tool is used, review the available configuration options and logs. If the tool has time source logging capability and it is not enabled, this is a finding.</RawString> <ValueData /> <ValueName>EventLogFlags</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-11806" severity="low" conversionstatus="pass" title="Display of Last User Name" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: DontDisplayLastUserName Value Type: REG_DWORD Value: 1</RawString> <ValueData>1</ValueData> <ValueName>DontDisplayLastUserName</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-14228" severity="medium" conversionstatus="pass" title="Audit Access of Global System Objects" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Control\Lsa\ Value Name: AuditBaseObjects Value Type: REG_DWORD Value: 0</RawString> <ValueData>0</ValueData> <ValueName>AuditBaseObjects</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-14229" severity="medium" conversionstatus="pass" title="Audit Backup and Restore Privileges" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Control\Lsa\ Value Name: FullPrivilegeAuditing Value Type: REG_BINARY Value: 0</RawString> <ValueData>0</ValueData> <ValueName>FullPrivilegeAuditing</ValueName> <ValueType>Binary</ValueType> </Rule> <Rule id="V-14230" severity="medium" conversionstatus="pass" title="Audit Policy Subcategory Setting" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Control\Lsa\ Value Name: SCENoApplyLegacyAuditPolicy Value Type: REG_DWORD Value: 1</RawString> <ValueData>1</ValueData> <ValueName>SCENoApplyLegacyAuditPolicy</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-14232" severity="low" conversionstatus="pass" title="IPSec Exemptions" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\IPSEC</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Services\IPSEC\ Value Name: NoDefaultExempt Value Type: REG_DWORD Value: 3</RawString> <ValueData>3</ValueData> <ValueName>NoDefaultExempt</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-14234" severity="medium" conversionstatus="pass" title="UAC - Admin Approval Mode" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>UAC requirements are NA on Server Core installations. If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: FilterAdministratorToken Value Type: REG_DWORD Value: 1</RawString> <ValueData>1</ValueData> <ValueName>FilterAdministratorToken</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-14235" severity="medium" conversionstatus="pass" title="UAC - Admin Elevation Prompt" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System</Key> <OrganizationValueRequired>True</OrganizationValueRequired> <OrganizationValueTestString>'{0}' -le '4'</OrganizationValueTestString> <RawString>UAC requirements are NA on Server Core installations. If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: ConsentPromptBehaviorAdmin Value Type: REG_DWORD Value: 4 (Prompt for consent) 3 (Prompt for credentials) 2 (Prompt for consent on the secure desktop) 1 (Prompt for credentials on the secure desktop)</RawString> <ValueData /> <ValueName>ConsentPromptBehaviorAdmin</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-14236" severity="medium" conversionstatus="pass" title="UAC - User Elevation Prompt" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>UAC requirements are NA on Server Core installations. If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: ConsentPromptBehaviorUser Value Type: REG_DWORD Value: 0</RawString> <ValueData>0</ValueData> <ValueName>ConsentPromptBehaviorUser</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-14237" severity="medium" conversionstatus="pass" title="UAC - Application Installations" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>UAC requirements are NA on Server Core installations. If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: EnableInstallerDetection Value Type: REG_DWORD Value: 1</RawString> <ValueData>1</ValueData> <ValueName>EnableInstallerDetection</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-14239" severity="medium" conversionstatus="pass" title="UAC - UIAccess Application Elevation" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>UAC requirements are NA on Server Core installations. If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: EnableSecureUIAPaths Value Type: REG_DWORD Value: 1</RawString> <ValueData>1</ValueData> <ValueName>EnableSecureUIAPaths</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-14240" severity="medium" conversionstatus="pass" title="UAC - All Admin Approval Mode" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>UAC requirements are NA on Server Core installations. If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: EnableLUA Value Type: REG_DWORD Value: 1</RawString> <ValueData>1</ValueData> <ValueName>EnableLUA</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-14241" severity="medium" conversionstatus="pass" title="UAC - Secure Desktop Mode" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>UAC requirements are NA on Server Core installations. If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: PromptOnSecureDesktop Value Type: REG_DWORD Value: 1</RawString> <ValueData>1</ValueData> <ValueName>PromptOnSecureDesktop</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-14242" severity="medium" conversionstatus="pass" title="UAC - Non UAC Compliant Application Virtualization" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>UAC requirements are NA on Server Core installations. If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: EnableVirtualization Value Type: REG_DWORD Value: 1</RawString> <ValueData>1</ValueData> <ValueName>EnableVirtualization</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-14243" severity="medium" conversionstatus="pass" title="Enumerate Administrator Accounts on Elevation" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI\ Value Name: EnumerateAdministrators Type: REG_DWORD Value: 0x00000000 (0)</RawString> <ValueData>0</ValueData> <ValueName>EnumerateAdministrators</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-14247" severity="medium" conversionstatus="pass" title="TS/RDS - Prevent Password Saving" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\ Value Name: DisablePasswordSaving Type: REG_DWORD Value: 1</RawString> <ValueData>1</ValueData> <ValueName>DisablePasswordSaving</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-14249" severity="medium" conversionstatus="pass" title="TS/RDS - Drive Redirection" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\ Value Name: fDisableCdm Type: REG_DWORD Value: 1</RawString> <ValueData>1</ValueData> <ValueName>fDisableCdm</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-14259" severity="medium" conversionstatus="pass" title="Printing Over HTTP" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\Windows NT\Printers\ Value Name: DisableHTTPPrinting Type: REG_DWORD Value: 1</RawString> <ValueData>1</ValueData> <ValueName>DisableHTTPPrinting</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-14260" severity="medium" conversionstatus="pass" title="HTTP Printer Drivers" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\Windows NT\Printers\ Value Name: DisableWebPnPDownload Type: REG_DWORD Value: 1</RawString> <ValueData>1</ValueData> <ValueName>DisableWebPnPDownload</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-14261" severity="medium" conversionstatus="pass" title="Windows Update Device Drive Searching" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DriverSearching</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\Windows\DriverSearching\ Value Name: DontSearchWindowsUpdate Type: REG_DWORD Value: 1</RawString> <ValueData>1</ValueData> <ValueName>DontSearchWindowsUpdate</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-14268" severity="medium" conversionstatus="pass" title="Attachment Mgr - Preserve Zone Info" dscresource="cAdministrativeTemplate"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_CURRENT_USER Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\Attachments\ Value Name: SaveZoneInformation Type: REG_DWORD Value: 2</RawString> <ValueData>2</ValueData> <ValueName>SaveZoneInformation</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-14269" severity="medium" conversionstatus="pass" title="Attachment Mgr - Hide Mech to Remove Zone Info" dscresource="cAdministrativeTemplate"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_CURRENT_USER Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\Attachments\ Value Name: HideZoneInfoOnProperties Type: REG_DWORD Value: 1</RawString> <ValueData>1</ValueData> <ValueName>HideZoneInfoOnProperties</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-14270" severity="medium" conversionstatus="pass" title="Attachment Mgr - Scan with Antivirus" dscresource="cAdministrativeTemplate"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_CURRENT_USER Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\Attachments\ Value Name: ScanWithAntiVirus Type: REG_DWORD Value: 3</RawString> <ValueData>3</ValueData> <ValueName>ScanWithAntiVirus</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-15666" severity="medium" conversionstatus="pass" title="Windows Peer to Peer Networking " dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Peernet</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\Peernet\ Value Name: Disabled Type: REG_DWORD Value: 1</RawString> <ValueData>1</ValueData> <ValueName>Disabled</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-15667" severity="medium" conversionstatus="pass" title="Prohibit Network Bridge" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Network Connections</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\Windows\Network Connections\ Value Name: NC_AllowNetBridge_NLA Type: REG_DWORD Value: 0</RawString> <ValueData>0</ValueData> <ValueName>NC_AllowNetBridge_NLA</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-15672" severity="low" conversionstatus="pass" title="Event Viewer Events.asp Links" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\EventViewer</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\EventViewer\ Value Name: MicrosoftEventVwrDisableLinks Type: REG_DWORD Value: 1</RawString> <ValueData>1</ValueData> <ValueName>MicrosoftEventVwrDisableLinks</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-15674" severity="medium" conversionstatus="pass" title="Internet File Association Service " dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ Value Name: NoInternetOpenWith Type: REG_DWORD Value: 1</RawString> <ValueData>1</ValueData> <ValueName>NoInternetOpenWith</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-15682" severity="medium" conversionstatus="pass" title="RSS Attachment Downloads" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Feeds</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\Internet Explorer\Feeds\ Value Name: DisableEnclosureDownload Type: REG_DWORD Value: 1</RawString> <ValueData>1</ValueData> <ValueName>DisableEnclosureDownload</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-15683" severity="medium" conversionstatus="pass" title="Windows Explorer – Shell Protocol Protected Mode " dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ Value Name: PreXPSP2ShellProtocolBehavior Type: REG_DWORD Value: 0</RawString> <ValueData>0</ValueData> <ValueName>PreXPSP2ShellProtocolBehavior</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-15684" severity="medium" conversionstatus="pass" title="Windows Installer – IE Security Prompt" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\Windows\Installer\ Value Name: SafeForScripting Type: REG_DWORD Value: 0</RawString> <ValueData>0</ValueData> <ValueName>SafeForScripting</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-15685" severity="medium" conversionstatus="pass" title="Windows Installer – User Control " dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\Windows\Installer\ Value Name: EnableUserControl Type: REG_DWORD Value: 0</RawString> <ValueData>0</ValueData> <ValueName>EnableUserControl</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-15686" severity="low" conversionstatus="pass" title="Windows Installer – Vendor Signed Updates" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\Windows\Installer\ Value Name: DisableLUAPatching Type: REG_DWORD Value: 1</RawString> <ValueData>1</ValueData> <ValueName>DisableLUAPatching</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-15687" severity="low" conversionstatus="pass" title="Media Player – First Use Dialog Boxes " dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsMediaPlayer</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Windows Media Player is not installed by default. If it is not installed, this is NA. If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\WindowsMediaPlayer\ Value Name: GroupPrivacyAcceptance Type: REG_DWORD Value: 1</RawString> <ValueData>1</ValueData> <ValueName>GroupPrivacyAcceptance</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-15696.a" severity="medium" conversionstatus="pass" title="Network – Mapper I/O Driver " dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\LLTD</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\Windows\LLTD\ Type: REG_DWORD Value Name: AllowLLTDIOOndomain Value: 0</RawString> <ValueData>0</ValueData> <ValueName>AllowLLTDIOOndomain</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-15696.b" severity="medium" conversionstatus="pass" title="Network – Mapper I/O Driver " dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\LLTD</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\Windows\LLTD\ Type: REG_DWORD Value Name: AllowLLTDIOOnPublicNet Value: 0</RawString> <ValueData>0</ValueData> <ValueName>AllowLLTDIOOnPublicNet</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-15696.c" severity="medium" conversionstatus="pass" title="Network – Mapper I/O Driver " dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\LLTD</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\Windows\LLTD\ Type: REG_DWORD Value Name: EnableLLTDIO Value: 0</RawString> <ValueData>0</ValueData> <ValueName>EnableLLTDIO</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-15696.d" severity="medium" conversionstatus="pass" title="Network – Mapper I/O Driver " dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\LLTD</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\Windows\LLTD\ Type: REG_DWORD Value Name: ProhibitLLTDIOOnPrivateNet Value: 0</RawString> <ValueData>0</ValueData> <ValueName>ProhibitLLTDIOOnPrivateNet</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-15697.a" severity="medium" conversionstatus="pass" title="Network – Responder Driver " dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\LLTD</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\Windows\LLTD\ Type: REG_DWORD Value Name: AllowRspndrOndomain Value: 0</RawString> <ValueData>0</ValueData> <ValueName>AllowRspndrOndomain</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-15697.b" severity="medium" conversionstatus="pass" title="Network – Responder Driver " dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\LLTD</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\Windows\LLTD\ Type: REG_DWORD Value Name: AllowRspndrOnPublicNet Value: 0</RawString> <ValueData>0</ValueData> <ValueName>AllowRspndrOnPublicNet</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-15697.c" severity="medium" conversionstatus="pass" title="Network – Responder Driver " dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\LLTD</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\Windows\LLTD\ Type: REG_DWORD Value Name: EnableRspndr Value: 0</RawString> <ValueData>0</ValueData> <ValueName>EnableRspndr</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-15697.d" severity="medium" conversionstatus="pass" title="Network – Responder Driver " dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\LLTD</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\Windows\LLTD\ Type: REG_DWORD Value Name: ProhibitRspndrOnPrivateNet Value: 0</RawString> <ValueData>0</ValueData> <ValueName>ProhibitRspndrOnPrivateNet</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-15698.a" severity="medium" conversionstatus="pass" title="Network – WCN Wireless Configuration " dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WCN\Registrars</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\Windows\WCN\Registrars\ Type: REG_DWORD Value Name: DisableFlashConfigRegistrar Value: 0</RawString> <ValueData>0</ValueData> <ValueName>DisableFlashConfigRegistrar</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-15698.b" severity="medium" conversionstatus="pass" title="Network – WCN Wireless Configuration " dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WCN\Registrars</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\Windows\WCN\Registrars\ Type: REG_DWORD Value Name: DisableInBand802DOT11Registrar Value: 0</RawString> <ValueData>0</ValueData> <ValueName>DisableInBand802DOT11Registrar</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-15698.c" severity="medium" conversionstatus="pass" title="Network – WCN Wireless Configuration " dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WCN\Registrars</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\Windows\WCN\Registrars\ Type: REG_DWORD Value Name: DisableUPnPRegistrar Value: 0</RawString> <ValueData>0</ValueData> <ValueName>DisableUPnPRegistrar</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-15698.d" severity="medium" conversionstatus="pass" title="Network – WCN Wireless Configuration " dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WCN\Registrars</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\Windows\WCN\Registrars\ Type: REG_DWORD Value Name: DisableWPDRegistrar Value: 0</RawString> <ValueData>0</ValueData> <ValueName>DisableWPDRegistrar</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-15698.e" severity="medium" conversionstatus="pass" title="Network – WCN Wireless Configuration " dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WCN\Registrars</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\Windows\WCN\Registrars\ Type: REG_DWORD Value Name: EnableRegistrars Value: 0</RawString> <ValueData>0</ValueData> <ValueName>EnableRegistrars</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-15699" severity="medium" conversionstatus="pass" title="Network – Windows Connect Now Wizards " dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WCN\UI</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\Windows\WCN\UI\ Value Name: DisableWcnUi Type: REG_DWORD Value: 1</RawString> <ValueData>1</ValueData> <ValueName>DisableWcnUi</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-15700" severity="medium" conversionstatus="pass" title="Device Install – PnP Interface Remote Access " dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceInstall\Settings</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\Windows\DeviceInstall\Settings\ Value Name: AllowRemoteRPC Type: REG_DWORD Value: 0</RawString> <ValueData>0</ValueData> <ValueName>AllowRemoteRPC</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-15701" severity="low" conversionstatus="pass" title="Device Install – Drivers System Restore Point" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceInstall\Settings</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\Windows\DeviceInstall\Settings\ Value Name: DisableSystemRestore Type: REG_DWORD Value: 0</RawString> <ValueData>0</ValueData> <ValueName>DisableSystemRestore</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-15702" severity="low" conversionstatus="pass" title="Device Install – Generic Driver Error Report" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceInstall\Settings</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\Windows\DeviceInstall\Settings\ Value Name: DisableSendGenericDriverNotFoundToWER Type: REG_DWORD Value: 1</RawString> <ValueData>1</ValueData> <ValueName>DisableSendGenericDriverNotFoundToWER</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-15703" severity="low" conversionstatus="pass" title="Driver Install – Device Driver Search Prompt" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DriverSearching</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\Windows\DriverSearching\ Value Name: DontPromptForWindowsUpdate Type: REG_DWORD Value: 1</RawString> <ValueData>1</ValueData> <ValueName>DontPromptForWindowsUpdate</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-15704" severity="low" conversionstatus="pass" title="Handwriting Recognition Error Reporting" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\HandwritingErrorReports</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\Windows\HandwritingErrorReports\ Value Name: PreventHandwritingErrorReports Type: REG_DWORD Value: 1</RawString> <ValueData>1</ValueData> <ValueName>PreventHandwritingErrorReports</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-15705" severity="medium" conversionstatus="pass" title="Power Mgmt – Password Wake on Battery" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51\ Value Name: DCSettingIndex Type: REG_DWORD Value: 1</RawString> <ValueData>1</ValueData> <ValueName>DCSettingIndex</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-15706" severity="medium" conversionstatus="pass" title="Power Mgmt – Password Wake When Plugged In" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51\ Value Name: ACSettingIndex Type: REG_DWORD Value: 1</RawString> <ValueData>1</ValueData> <ValueName>ACSettingIndex</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-15707" severity="low" conversionstatus="pass" title="Remote Assistance – Session Logging" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\ Value Name: LoggingEnabled Type: REG_DWORD Value: 1</RawString> <ValueData>1</ValueData> <ValueName>LoggingEnabled</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-15713" severity="medium" conversionstatus="pass" title="Defender – SpyNet Reporting" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet</Key> <OrganizationValueRequired>True</OrganizationValueRequired> <OrganizationValueTestString>{0} -notmatch '1|2'</OrganizationValueTestString> <RawString>If the following registry value exists and is set to "1" (Basic) or "2" (Advanced), this is a finding: If the registry value does not exist, this is not a finding. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet\ Value Name: SpyNetReporting Type: REG_DWORD Value: 1 or 2 = a Finding</RawString> <ValueData /> <ValueName>SpyNetReporting</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-15718" severity="low" conversionstatus="pass" title="Windows Explorer – Heap Termination" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Explorer</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\Windows\Explorer\ Value Name: NoHeapTerminationOnCorruption Type: REG_DWORD Value: 0</RawString> <ValueData>0</ValueData> <ValueName>NoHeapTerminationOnCorruption</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-15722" severity="medium" conversionstatus="pass" title="Media DRM – Internet Access" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WMDRM</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\WMDRM\ Value Name: DisableOnline Type: REG_DWORD Value: 1</RawString> <ValueData>1</ValueData> <ValueName>DisableOnline</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-15727" severity="medium" conversionstatus="pass" title="User Network Sharing" dscresource="cAdministrativeTemplate"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_CURRENT_USER Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ Value Name: NoInPlaceSharing Type: REG_DWORD Value: 1</RawString> <ValueData>1</ValueData> <ValueName>NoInPlaceSharing</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-15991" severity="medium" conversionstatus="pass" title="UAC - UIAccess Secure Desktop" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>UAC requirements are NA on Server Core installations. If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: EnableUIADesktopToggle Value Type: REG_DWORD Value: 0</RawString> <ValueData>0</ValueData> <ValueName>EnableUIADesktopToggle</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-15997" severity="medium" conversionstatus="pass" title="TS/RDS – COM Port Redirection" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\ Value Name: fDisableCcm Type: REG_DWORD Value: 1</RawString> <ValueData>1</ValueData> <ValueName>fDisableCcm</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-15998" severity="medium" conversionstatus="pass" title="TS/RDS – LPT Port Redirection" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\ Value Name: fDisableLPT Type: REG_DWORD Value: 1</RawString> <ValueData>1</ValueData> <ValueName>fDisableLPT</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-15999" severity="medium" conversionstatus="pass" title="TS/RDS - PNP Device Redirection" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\ Value Name: fDisablePNPRedir Type: REG_DWORD Value: 1</RawString> <ValueData>1</ValueData> <ValueName>fDisablePNPRedir</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-16000" severity="medium" conversionstatus="pass" title="TS/RDS – Smart Card Device Redirection" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\ Value Name: fEnableSmartCard Type: REG_DWORD Value: 1</RawString> <ValueData>1</ValueData> <ValueName>fEnableSmartCard</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-16008" severity="medium" conversionstatus="pass" title="UAC - Application Elevations" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>UAC requirements are NA on Server Core installations. If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: ValidateAdminCodeSignatures Value Type: REG_DWORD Value: 0</RawString> <ValueData>0</ValueData> <ValueName>ValidateAdminCodeSignatures</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-16020" severity="medium" conversionstatus="pass" title="Windows Customer Experience Improvement Program " dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SQMClient\Windows</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\SQMClient\Windows\ Value Name: CEIPEnable Type: REG_DWORD Value: 0</RawString> <ValueData>0</ValueData> <ValueName>CEIPEnable</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-16021" severity="medium" conversionstatus="pass" title="Help Experience Improvement Program " dscresource="cAdministrativeTemplate"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_CURRENT_USER\Software\Policies\Microsoft\Assistance\Client\1.0</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_CURRENT_USER Registry Path: \Software\Policies\Microsoft\Assistance\Client\1.0\ Value Name: NoImplicitFeedback Type: REG_DWORD Value: 1</RawString> <ValueData>1</ValueData> <ValueName>NoImplicitFeedback</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-16048" severity="medium" conversionstatus="pass" title="Help Ratings" dscresource="cAdministrativeTemplate"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_CURRENT_USER\Software\Policies\Microsoft\Assistance\Client\1.0</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_CURRENT_USER Registry Path: \Software\Policies\Microsoft\Assistance\Client\1.0\ Value Name: NoExplicitFeedback Type: REG_DWORD Value: 1</RawString> <ValueData>1</ValueData> <ValueName>NoExplicitFeedback</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-21950" severity="medium" conversionstatus="pass" title="SPN Target Name Validation Level" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Services\LanmanServer\Parameters\ Value Name: SmbServerNameHardeningLevel Type: REG_DWORD Value: 0</RawString> <ValueData>0</ValueData> <ValueName>SmbServerNameHardeningLevel</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-21951" severity="medium" conversionstatus="pass" title="Computer Identity Authentication for NTLM" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Control\LSA\ Value Name: UseMachineId Type: REG_DWORD Value: 1</RawString> <ValueData>1</ValueData> <ValueName>UseMachineId</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-21952" severity="medium" conversionstatus="pass" title="NTLM NULL Session Fallback" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\MSV1_0</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Control\LSA\MSV1_0\ Value Name: allownullsessionfallback Type: REG_DWORD Value: 0</RawString> <ValueData>0</ValueData> <ValueName>allownullsessionfallback</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-21953" severity="medium" conversionstatus="pass" title="PKU2U Online Identities Authentication" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\pku2u</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Control\LSA\pku2u\ Value Name: AllowOnlineID Type: REG_DWORD Value: 0</RawString> <ValueData>0</ValueData> <ValueName>AllowOnlineID</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-21954" severity="medium" conversionstatus="pass" title="Kerberos Encryption Types" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters\ Value Name: SupportedEncryptionTypes Value Type: REG_DWORD Value: 0x7ffffff8 (2147483640) Note: Removing the previously allowed RC4_HMAC_MD5 encryption suite may have operational impacts and must be thoroughly tested for the environment before changing. This includes but is not limited to parent\child trusts where RC4 is still enabled; selecting "The other domain supports Kerberos AES Encryption" may be required on the domain trusts to allow client communication across the trust relationship.</RawString> <ValueData>2147483640</ValueData> <ValueName>SupportedEncryptionTypes</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-21955" severity="low" conversionstatus="pass" title="IPv6 Source Routing" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\ Value Name: DisableIPSourceRouting Type: REG_DWORD Value: 2</RawString> <ValueData>2</ValueData> <ValueName>DisableIPSourceRouting</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-21956" severity="low" conversionstatus="pass" title="IPv6 TCP Data Retransmissions" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters</Key> <OrganizationValueRequired>True</OrganizationValueRequired> <OrganizationValueTestString>{0} -le '3'</OrganizationValueTestString> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\ Value Name: TcpMaxDataRetransmissions Value Type: REG_DWORD Value: 3 (or less)</RawString> <ValueData /> <ValueName>TcpMaxDataRetransmissions</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-21960" severity="low" conversionstatus="pass" title="Elevate when setting a network’s location" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Network Connections</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\Windows\Network Connections\ Value Name: NC_StdDomainUserSetLocation Type: REG_DWORD Value: 1</RawString> <ValueData>1</ValueData> <ValueName>NC_StdDomainUserSetLocation</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-21961" severity="low" conversionstatus="pass" title="Direct Access – Route Through Internal Network" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\TCPIP\v6Transition</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\Windows\TCPIP\v6Transition\ Value Name: Force_Tunneling Type: REG_SZ Value: Enabled</RawString> <ValueData>Enabled</ValueData> <ValueName>Force_Tunneling</ValueName> <ValueType>String</ValueType> </Rule> <Rule id="V-21963" severity="low" conversionstatus="pass" title="Windows Update Point and Print Driver Search" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\Windows NT\Printers\ Value Name: DoNotInstallCompatibleDriverFromWindowsUpdate Type: REG_DWORD Value: 1</RawString> <ValueData>1</ValueData> <ValueName>DoNotInstallCompatibleDriverFromWindowsUpdate</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-21964" severity="low" conversionstatus="pass" title="Prevent device metadata retrieval from Internet" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Device Metadata</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\Device Metadata\ Value Name: PreventDeviceMetadataFromNetwork Value Type: REG_DWORD Value: 1</RawString> <ValueData>1</ValueData> <ValueName>PreventDeviceMetadataFromNetwork</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-21965" severity="low" conversionstatus="pass" title="Prevent Windows Update for device driver search" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DriverSearching</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\Windows\DriverSearching\ Value Name: SearchOrderConfig Type: REG_DWORD Value: 0</RawString> <ValueData>0</ValueData> <ValueName>SearchOrderConfig</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-21967" severity="low" conversionstatus="pass" title="MSDT Interactive Communication" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy\ Value Name: DisableQueryRemoteServer Type: REG_DWORD Value: 0</RawString> <ValueData>0</ValueData> <ValueName>DisableQueryRemoteServer</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-21969" severity="low" conversionstatus="pass" title="Windows Online Troubleshooting Service" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy\ Value Name: EnableQueryRemoteServer Type: REG_DWORD Value: 0</RawString> <ValueData>0</ValueData> <ValueName>EnableQueryRemoteServer</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-21970" severity="low" conversionstatus="pass" title="Disable PerfTrack" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d}</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d}\ Value Name: ScenarioExecutionEnabled Type: REG_DWORD Value: 0</RawString> <ValueData>0</ValueData> <ValueName>ScenarioExecutionEnabled</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-21971" severity="low" conversionstatus="pass" title="Application Compatibility Program Inventory" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\AppCompat</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\Windows\AppCompat\ Value Name: DisableInventory Type: REG_DWORD Value: 1</RawString> <ValueData>1</ValueData> <ValueName>DisableInventory</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-21973" severity="high" conversionstatus="pass" title="Autoplay for non-volume devices" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Explorer</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\Windows\Explorer\ Value Name: NoAutoplayfornonVolume Type: REG_DWORD Value: 1</RawString> <ValueData>1</ValueData> <ValueName>NoAutoplayfornonVolume</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-21980" severity="medium" conversionstatus="pass" title="Explorer Data Execution Prevention" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Explorer</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\Windows\Explorer\ Value Name: NoDataExecutionPrevention Type: REG_DWORD Value: 0</RawString> <ValueData>0</ValueData> <ValueName>NoDataExecutionPrevention</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-22692" severity="high" conversionstatus="pass" title="Default Autorun Behavior" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ Value Name: NoAutorun Type: REG_DWORD Value: 1</RawString> <ValueData>1</ValueData> <ValueName>NoAutorun</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-26283" severity="high" conversionstatus="pass" title="Restrict Anonymous SAM Enumeration" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Control\Lsa\ Value Name: RestrictAnonymousSAM Value Type: REG_DWORD Value: 1</RawString> <ValueData>1</ValueData> <ValueName>RestrictAnonymousSAM</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-26359" severity="low" conversionstatus="pass" title="Legal Banner Dialog Box Title" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System</Key> <OrganizationValueRequired>True</OrganizationValueRequired> <OrganizationValueTestString>'{0}' -match '^(DoD Notice and Consent Banner|US Department of Defense Warning Statement)$'</OrganizationValueTestString> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: LegalNoticeCaption Value Type: REG_SZ Value: See message title options below "DoD Notice and Consent Banner", "US Department of Defense Warning Statement", or a site-defined equivalent. If a site-defined title is used, it can in no case contravene or modify the language of the banner text required in V-1089. Automated tools may only search for the titles defined above. If a site-defined title is used, a manual review will be required.</RawString> <ValueData /> <ValueName>LegalNoticeCaption</ValueName> <ValueType>String</ValueType> </Rule> <Rule id="V-26575" severity="medium" conversionstatus="pass" title="6to4 State" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\TCPIP\v6Transition</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\Windows\TCPIP\v6Transition\ Value Name: 6to4_State Type: REG_SZ Value: Disabled</RawString> <ValueData>Disabled</ValueData> <ValueName>6to4_State</ValueName> <ValueType>String</ValueType> </Rule> <Rule id="V-26576" severity="medium" conversionstatus="pass" title="IP-HTTPS State" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\TCPIP\v6Transition\IPHTTPS\IPHTTPSInterface</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\Windows\TCPIP\v6Transition\IPHTTPS\IPHTTPSInterface\ Value Name: IPHTTPS_ClientState Type: REG_DWORD Value: 3</RawString> <ValueData>3</ValueData> <ValueName>IPHTTPS_ClientState</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-26577" severity="medium" conversionstatus="pass" title="ISATAP State" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\TCPIP\v6Transition</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\Windows\TCPIP\v6Transition\ Value Name: ISATAP_State Type: REG_SZ Value: Disabled</RawString> <ValueData>Disabled</ValueData> <ValueName>ISATAP_State</ValueName> <ValueType>String</ValueType> </Rule> <Rule id="V-26578" severity="medium" conversionstatus="pass" title="Teredo State" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\TCPIP\v6Transition</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\Windows\TCPIP\v6Transition\ Value Name: Teredo_State Type: REG_SZ Value: Disabled</RawString> <ValueData>Disabled</ValueData> <ValueName>Teredo_State</ValueName> <ValueType>String</ValueType> </Rule> <Rule id="V-26579" severity="medium" conversionstatus="pass" title="Maximum Log Size - Application" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application</Key> <OrganizationValueRequired>True</OrganizationValueRequired> <OrganizationValueTestString>{0} -ge '32768'</OrganizationValueTestString> <RawString>If the system is configured to write events directly to an audit server, this is NA. If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\EventLog\Application\ Value Name: MaxSize Type: REG_DWORD Value: 0x00008000 (32768) (or greater)</RawString> <ValueData /> <ValueName>MaxSize</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-26580" severity="medium" conversionstatus="pass" title="Maximum Log Size - Security" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security</Key> <OrganizationValueRequired>True</OrganizationValueRequired> <OrganizationValueTestString>{0} -ge '196608'</OrganizationValueTestString> <RawString>If the system is configured to write events directly to an audit server, this is NA. If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\EventLog\Security\ Value Name: MaxSize Type: REG_DWORD Value: 0x00030000 (196608) (or greater)</RawString> <ValueData /> <ValueName>MaxSize</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-26581" severity="medium" conversionstatus="pass" title="Maximum Log Size - Setup" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup</Key> <OrganizationValueRequired>True</OrganizationValueRequired> <OrganizationValueTestString>{0} -ge '32768'</OrganizationValueTestString> <RawString>If the system is configured to write events directly to an audit server, this is NA. If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup\ Value Name: MaxSize Type: REG_DWORD Value: 0x00008000 (32768) (or greater)</RawString> <ValueData /> <ValueName>MaxSize</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-26582" severity="medium" conversionstatus="pass" title="Maximum Log Size - System" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System</Key> <OrganizationValueRequired>True</OrganizationValueRequired> <OrganizationValueTestString>{0} -ge '32768'</OrganizationValueTestString> <RawString>If the system is configured to write events directly to an audit server, this is NA. If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\EventLog\System\ Value Name: MaxSize Type: REG_DWORD Value: 0x00008000 (32768) (or greater)</RawString> <ValueData /> <ValueName>MaxSize</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-28504" severity="low" conversionstatus="pass" title="Device Install Software Request Error Report" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceInstall\Settings</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\Windows\DeviceInstall\Settings\ Value Name: DisableSendRequestAdditionalSoftwareToWER Type: REG_DWORD Value: 1</RawString> <ValueData>1</ValueData> <ValueName>DisableSendRequestAdditionalSoftwareToWER</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-34974" severity="high" conversionstatus="pass" title="Always Install with Elevated Privileges Disabled" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\Windows\Installer\ Value Name: AlwaysInstallElevated Type: REG_DWORD Value: 0</RawString> <ValueData>0</ValueData> <ValueName>AlwaysInstallElevated</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-36656" severity="medium" conversionstatus="pass" title="WINUC-000001" dscresource="cAdministrativeTemplate"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Control Panel\Desktop</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_CURRENT_USER Registry Path: \Software\Policies\Microsoft\Windows\Control Panel\Desktop\ Value Name: ScreenSaveActive Type: REG_SZ Value: 1 Applications requiring continuous, real-time screen display (e.g., network management products) require the following and must be documented with the ISSO: -The logon session does not have administrator rights. -The display station (e.g., keyboard, monitor, etc.) is located in a controlled access area.</RawString> <ValueData>1</ValueData> <ValueName>ScreenSaveActive</ValueName> <ValueType>String</ValueType> </Rule> <Rule id="V-36657" severity="medium" conversionstatus="pass" title="WINUC-000003" dscresource="cAdministrativeTemplate"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Control Panel\Desktop</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_CURRENT_USER Registry Path: \Software\Policies\Microsoft\Windows\Control Panel\Desktop\ Value Name: ScreenSaverIsSecure Type: REG_SZ Value: 1</RawString> <ValueData>1</ValueData> <ValueName>ScreenSaverIsSecure</ValueName> <ValueType>String</ValueType> </Rule> <Rule id="V-36673" severity="low" conversionstatus="pass" title="WINCC-000011" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Services\Tcpip\Parameters\ Value Name: EnableIPAutoConfigurationLimits Type: REG_DWORD Value: 1</RawString> <ValueData>1</ValueData> <ValueName>EnableIPAutoConfigurationLimits</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-36677" severity="low" conversionstatus="pass" title="WINCC-000018" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Servicing</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\Servicing\ Value Name: UseWindowsUpdate Type: REG_DWORD Value: 2</RawString> <ValueData>2</ValueData> <ValueName>UseWindowsUpdate</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-36678" severity="low" conversionstatus="pass" title="WINCC-000025" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DriverSearching</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\Windows\DriverSearching\ Value Name: DriverServerSelection Type: REG_DWORD Value: 1</RawString> <ValueData>1</ValueData> <ValueName>DriverServerSelection</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-36679" severity="medium" conversionstatus="pass" title="WINCC-000027" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Policies\EarlyLaunch</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Policies\EarlyLaunch\ Value Name: DriverLoadPolicy Type: REG_DWORD Value: 1</RawString> <ValueData>1</ValueData> <ValueName>DriverLoadPolicy</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-36680" severity="medium" conversionstatus="pass" title="WINCC-000030" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>The Windows Store is not installed by default. If the \Windows\WinStore directory does not exist, this is NA. If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\Explorer\ Value Name: NoUseStoreOpenWith Type: REG_DWORD Value: 1</RawString> <ValueData>1</ValueData> <ValueName>NoUseStoreOpenWith</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-36681" severity="medium" conversionstatus="pass" title="WINCC-000048" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Control Panel\International</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\Control Panel\International\ Value Name: BlockUserInputMethodsForSignIn Type: REG_DWORD Value: 1</RawString> <ValueData>1</ValueData> <ValueName>BlockUserInputMethodsForSignIn</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-36684" severity="medium" conversionstatus="pass" title="WINCC-000051" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\Windows\System\ Value Name: EnumerateLocalUsers Type: REG_DWORD Value: 0</RawString> <ValueData>0</ValueData> <ValueName>EnumerateLocalUsers</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-36687" severity="medium" conversionstatus="pass" title="WINCC-000052" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\Windows\System\ Value Name: DisableLockScreenAppNotifications Type: REG_DWORD Value: 1</RawString> <ValueData>1</ValueData> <ValueName>DisableLockScreenAppNotifications</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-36696" severity="low" conversionstatus="pass" title="WINCC-000065" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\AppCompat</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\Windows\AppCompat\ Value Name: DisablePcaUI Type: REG_DWORD Value: 0</RawString> <ValueData>0</ValueData> <ValueName>DisablePcaUI</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-36697" severity="low" conversionstatus="pass" title="WINCC-000070" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Appx</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\Windows\Appx\ Value Name: AllowAllTrustedApps Type: REG_DWORD Value: 1</RawString> <ValueData>1</ValueData> <ValueName>AllowAllTrustedApps</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-36698" severity="medium" conversionstatus="pass" title="WINCC-000075" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Biometrics</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Biometrics\ Value Name: Enabled Type: REG_DWORD Value: 0</RawString> <ValueData>0</ValueData> <ValueName>Enabled</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-36700" severity="medium" conversionstatus="pass" title="WINCC-000076" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CredUI</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\Windows\CredUI\ Value Name: DisablePasswordReveal Type: REG_DWORD Value: 1</RawString> <ValueData>1</ValueData> <ValueName>DisablePasswordReveal</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-36707" severity="medium" conversionstatus="pass" title="WINCC-000088" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System</Key> <OrganizationValueRequired>True</OrganizationValueRequired> <OrganizationValueTestString>{0} -match '1|2'</OrganizationValueTestString> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\System\ Value Name: EnableSmartScreen Type: REG_DWORD Value: 1 (Give user a warning…) Or 2 (Require approval…)</RawString> <ValueData /> <ValueName>EnableSmartScreen</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-36708" severity="medium" conversionstatus="pass" title="WINCC-000095" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\LocationAndSensors</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\Windows\LocationAndSensors\ Value Name: DisableLocation Type: REG_DWORD Value: 1 (Enabled) If location services are approved for the system by the organization, this may be set to "Disabled" (0). This must be documented with the ISSO.</RawString> <ValueData>1</ValueData> <ValueName>DisableLocation</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-36709" severity="medium" conversionstatus="pass" title="WINCC-000106" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Feeds</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\Internet Explorer\Feeds\ Value Name: AllowBasicAuthInClear Type: REG_DWORD Value: 0</RawString> <ValueData>0</ValueData> <ValueName>AllowBasicAuthInClear</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-36710.a" severity="low" conversionstatus="pass" title="WINCC-000109" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\WindowsStore\ Type: REG_DWORD Value Name: AutoDownload Value: 0x00000002 (2)</RawString> <ValueData>2</ValueData> <ValueName>AutoDownload</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-36710.b" severity="low" conversionstatus="pass" title="WINCC-000109" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore\WindowsUpdate</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\WindowsStore\WindowsUpdate\ Type: REG_DWORD Value Name: AutoDownload Value: 0x00000002 (2)</RawString> <ValueData>2</ValueData> <ValueName>AutoDownload</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-36711" severity="medium" conversionstatus="pass" title="WINCC-000110" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>The Windows Store is not installed by default. If the \Windows\WinStore directory does not exist, this is NA. If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\WindowsStore\ Value Name: RemoveWindowsStore Type: REG_DWORD Value: 1</RawString> <ValueData>1</ValueData> <ValueName>RemoveWindowsStore</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-36712" severity="high" conversionstatus="pass" title="WINCC-000123" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Client</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\Windows\WinRM\Client\ Value Name: AllowBasic Type: REG_DWORD Value: 0</RawString> <ValueData>0</ValueData> <ValueName>AllowBasic</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-36713" severity="medium" conversionstatus="pass" title="WINCC-000124" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Client</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\Windows\WinRM\Client\ Value Name: AllowUnencryptedTraffic Type: REG_DWORD Value: 0</RawString> <ValueData>0</ValueData> <ValueName>AllowUnencryptedTraffic</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-36714" severity="medium" conversionstatus="pass" title="WINCC-000125" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Client</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\Windows\WinRM\Client\ Value Name: AllowDigest Type: REG_DWORD Value: 0</RawString> <ValueData>0</ValueData> <ValueName>AllowDigest</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-36718" severity="high" conversionstatus="pass" title="WINCC-000126" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Service</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\Windows\WinRM\Service\ Value Name: AllowBasic Type: REG_DWORD Value: 0</RawString> <ValueData>0</ValueData> <ValueName>AllowBasic</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-36719" severity="medium" conversionstatus="pass" title="WINCC-000127" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Service</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\Windows\WinRM\Service\ Value Name: AllowUnencryptedTraffic Type: REG_DWORD Value: 0</RawString> <ValueData>0</ValueData> <ValueName>AllowUnencryptedTraffic</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-36720" severity="medium" conversionstatus="pass" title="WINCC-000128" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Service</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\Windows\WinRM\Service\ Value Name: DisableRunAs Type: REG_DWORD Value: 1</RawString> <ValueData>1</ValueData> <ValueName>DisableRunAs</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-36773" severity="medium" conversionstatus="pass" title="WINSO-000021" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System</Key> <OrganizationValueRequired>True</OrganizationValueRequired> <OrganizationValueTestString>{0} -le '900' -and {0} -gt '0'</OrganizationValueTestString> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: InactivityTimeoutSecs Value Type: REG_DWORD Value: 0x00000384 (900) (or less, excluding "0" which is effectively disabled)</RawString> <ValueData /> <ValueName>InactivityTimeoutSecs</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-36776" severity="low" conversionstatus="pass" title="WINUC-000005" dscresource="cAdministrativeTemplate"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_CURRENT_USER Registry Path: \SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications\ Value Name: NoCloudApplicationNotification Type: REG_DWORD Value: 1</RawString> <ValueData>1</ValueData> <ValueName>NoCloudApplicationNotification</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-36777" severity="low" conversionstatus="pass" title="WINUC-000006" dscresource="cAdministrativeTemplate"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_CURRENT_USER Registry Path: \SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications\ Value Name: NoToastApplicationNotificationOnLockScreen Type: REG_DWORD Value: 1</RawString> <ValueData>1</ValueData> <ValueName>NoToastApplicationNotificationOnLockScreen</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-40204" severity="medium" conversionstatus="pass" title="WNCC-000136" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\ Value Name: RedirectOnlyDefaultClientPrinter Type: REG_DWORD Value: 1</RawString> <ValueData>1</ValueData> <ValueName>RedirectOnlyDefaultClientPrinter</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-43238" severity="medium" conversionstatus="pass" title="WINCC-000138" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>This requirement is NA for the initial release of Windows 2012. It is applicable to Windows 2012 R2. Verify the registry value below. If it does not exist or is not configured as specified, this is a finding. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\Personalization\ Value Name: NoLockScreenSlideshow Value Type: REG_DWORD Value: 1</RawString> <ValueData>1</ValueData> <ValueName>NoLockScreenSlideshow</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-43239" severity="medium" conversionstatus="pass" title="WINCC-000139" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>This requirement is NA for the initial release of Windows 2012. It is applicable to Windows 2012 R2. Verify the registry value below. If it does not exist or is not configured as specified, this is a finding. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit\ Value Name: ProcessCreationIncludeCmdLine_Enabled Value Type: REG_DWORD Value: 0x00000001 (1)</RawString> <ValueData>1</ValueData> <ValueName>ProcessCreationIncludeCmdLine_Enabled</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-43240" severity="medium" conversionstatus="pass" title="WINCC-000140" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>This requirement is NA for the initial release of Windows 2012. It is applicable to Windows 2012 R2. Verify the registry value below. If it does not exist or is not configured as specified, this is a finding. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\System\ Value Name: DontDisplayNetworkSelectionUI Value Type: REG_DWORD Value: 1</RawString> <ValueData>1</ValueData> <ValueName>DontDisplayNetworkSelectionUI</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-43241" severity="low" conversionstatus="pass" title="WINCC-000141" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>This requirement is NA for the initial release of Windows 2012. It is applicable to Windows 2012 R2. Verify the registry value below. If it does not exist or is not configured as specified, this is a finding. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Value Name: MSAOptional Value Type: REG_DWORD Value: 1</RawString> <ValueData>1</ValueData> <ValueName>MSAOptional</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-43245" severity="medium" conversionstatus="pass" title="WINCC-000145" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>This requirement is NA for the initial release of Windows 2012. It is applicable to Windows 2012 R2. Verify the registry value below. If it does not exist or is not configured as specified, this is a finding. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: DisableAutomaticRestartSignOn Value Type: REG_DWORD Value: 1</RawString> <ValueData>1</ValueData> <ValueName>DisableAutomaticRestartSignOn</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-57639" severity="medium" conversionstatus="pass" title="WINSO-000092" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Cryptography\ Value Name: ForceKeyProtection Type: REG_DWORD Value: 2</RawString> <ValueData>2</ValueData> <ValueName>ForceKeyProtection</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-72753" severity="medium" conversionstatus="pass" title="WINCC-000150" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Wdigest</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Control\SecurityProviders\Wdigest\ Value Name: UseLogonCredential Type: REG_DWORD Value: 0x00000000 (0) Note: Microsoft Security Advisory update 2871997 is required for this setting to be effective on Windows 2012. It is not required for Windows 2012 R2.</RawString> <ValueData>0</ValueData> <ValueName>UseLogonCredential</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-73519" severity="medium" conversionstatus="pass" title="WIN00-000170" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>This requirement specifically applies to Windows 2012 but can also be used for Windows 2012 R2. Different methods are available to disable SMBv1 on Windows 2012 R2, if V-73805 is configured on Windows 2012 R2, this is NA. If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\ Value Name: SMB1 Type: REG_DWORD Value: 0x00000000 (0)</RawString> <ValueData>0</ValueData> <ValueName>SMB1</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-80475" severity="medium" conversionstatus="pass" title="WIN00-000210" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\ Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging\ Value Name: EnableScriptBlockLogging Value Type: REG_DWORD Value: 0x00000001 (1) PowerShell 4.0 requires the installation of patch KB3000850 on Windows 2012 R2 or KB3119938 on Windows 2012. If the patch is not installed on systems with PowerShell 4.0, this is a finding. PowerShell 5.x does not require the installation of an additional patch.</RawString> <ValueData>1</ValueData> <ValueName>EnableScriptBlockLogging</ValueName> <ValueType>Dword</ValueType> </Rule> </RegistryRule> <SecurityOptionRule dscresourcemodule="SecurityPolicyDsc"> <Rule id="V-1113" severity="medium" conversionstatus="pass" title="Disable Guest Account" dscresource="SecurityOption"> <IsNullOrEmpty>False</IsNullOrEmpty> <OptionName>Accounts: Guest account status</OptionName> <OptionValue>Disabled</OptionValue> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options. If the value for "Accounts: Guest account status" is not set to "Disabled", this is a finding.</RawString> </Rule> <Rule id="V-1114" severity="medium" conversionstatus="pass" title="Rename Built-in Guest Account" dscresource="SecurityOption"> <IsNullOrEmpty>False</IsNullOrEmpty> <OptionName>Accounts: Rename guest account</OptionName> <OptionValue /> <OrganizationValueRequired>True</OrganizationValueRequired> <OrganizationValueTestString>'{0}' -ne 'Guest'</OrganizationValueTestString> <RawString>Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options. If the value for "Accounts: Rename guest account" is not set to a value other than "Guest", this is a finding.</RawString> </Rule> <Rule id="V-1115" severity="medium" conversionstatus="pass" title="Rename Built-in Administrator Account" dscresource="SecurityOption"> <IsNullOrEmpty>False</IsNullOrEmpty> <OptionName>Accounts: Rename administrator account</OptionName> <OptionValue /> <OrganizationValueRequired>True</OrganizationValueRequired> <OrganizationValueTestString>'{0}' -ne 'Administrator'</OrganizationValueTestString> <RawString>Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options. If the value for "Accounts: Rename administrator account" is not set to a value other than "Administrator", this is a finding.</RawString> </Rule> <Rule id="V-3337" severity="high" conversionstatus="pass" title="Anonymous SID/Name Translation" dscresource="SecurityOption"> <IsNullOrEmpty>False</IsNullOrEmpty> <OptionName>Network access: Allow anonymous SID/Name translation</OptionName> <OptionValue>Disabled</OptionValue> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options. If the value for "Network access: Allow anonymous SID/Name translation" is not set to "Disabled", this is a finding.</RawString> </Rule> <Rule id="V-3380" severity="medium" conversionstatus="pass" title="Force Logoff When Logon Hours Expire" dscresource="SecurityOption"> <IsNullOrEmpty>False</IsNullOrEmpty> <OptionName>Network security: Force logoff when logon hours expire</OptionName> <OptionValue>Enabled</OptionValue> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options. If the value for "Network security: Force logoff when logon hours expire" is not set to "Enabled", this is a finding.</RawString> </Rule> </SecurityOptionRule> <ServiceRule dscresourcemodule="xPSDesiredStateConfiguration"> <Rule id="V-8327.a" severity="medium" conversionstatus="pass" title="Prerequisite OS Services Startup" dscresource="xService"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Run "services.msc" to display the Services console. Verify the Startup Type for the following Windows services: - Active Directory Domain Services - DFS Replication - DNS Client - DNS server - Group Policy Client - Intersite Messaging - Kerberos Key Distribution Center - NetLogon - Windows Time (not required if another time synchronization tool is implemented to start automatically) If the Startup Type for any of these services is not Automatic, this is a finding.</RawString> <ServiceName>NTDS</ServiceName> <ServiceState>Running</ServiceState> <StartupType>Automatic</StartupType> </Rule> <Rule id="V-8327.b" severity="medium" conversionstatus="pass" title="Prerequisite OS Services Startup" dscresource="xService"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Run "services.msc" to display the Services console. Verify the Startup Type for the following Windows services: - Active Directory Domain Services - DFS Replication - DNS Client - DNS server - Group Policy Client - Intersite Messaging - Kerberos Key Distribution Center - NetLogon - Windows Time (not required if another time synchronization tool is implemented to start automatically) If the Startup Type for any of these services is not Automatic, this is a finding.</RawString> <ServiceName>DFSR</ServiceName> <ServiceState>Running</ServiceState> <StartupType>Automatic</StartupType> </Rule> <Rule id="V-8327.c" severity="medium" conversionstatus="pass" title="Prerequisite OS Services Startup" dscresource="xService"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Run "services.msc" to display the Services console. Verify the Startup Type for the following Windows services: - Active Directory Domain Services - DFS Replication - DNS Client - DNS server - Group Policy Client - Intersite Messaging - Kerberos Key Distribution Center - NetLogon - Windows Time (not required if another time synchronization tool is implemented to start automatically) If the Startup Type for any of these services is not Automatic, this is a finding.</RawString> <ServiceName>Dnscache</ServiceName> <ServiceState>Running</ServiceState> <StartupType>Automatic</StartupType> </Rule> <Rule id="V-8327.d" severity="medium" conversionstatus="pass" title="Prerequisite OS Services Startup" dscresource="xService"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Run "services.msc" to display the Services console. Verify the Startup Type for the following Windows services: - Active Directory Domain Services - DFS Replication - DNS Client - DNS server - Group Policy Client - Intersite Messaging - Kerberos Key Distribution Center - NetLogon - Windows Time (not required if another time synchronization tool is implemented to start automatically) If the Startup Type for any of these services is not Automatic, this is a finding.</RawString> <ServiceName>DNS</ServiceName> <ServiceState>Running</ServiceState> <StartupType>Automatic</StartupType> </Rule> <Rule id="V-8327.e" severity="medium" conversionstatus="pass" title="Prerequisite OS Services Startup" dscresource="xService"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Run "services.msc" to display the Services console. Verify the Startup Type for the following Windows services: - Active Directory Domain Services - DFS Replication - DNS Client - DNS server - Group Policy Client - Intersite Messaging - Kerberos Key Distribution Center - NetLogon - Windows Time (not required if another time synchronization tool is implemented to start automatically) If the Startup Type for any of these services is not Automatic, this is a finding.</RawString> <ServiceName>gpsvc</ServiceName> <ServiceState>Running</ServiceState> <StartupType>Automatic</StartupType> </Rule> <Rule id="V-8327.f" severity="medium" conversionstatus="pass" title="Prerequisite OS Services Startup" dscresource="xService"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Run "services.msc" to display the Services console. Verify the Startup Type for the following Windows services: - Active Directory Domain Services - DFS Replication - DNS Client - DNS server - Group Policy Client - Intersite Messaging - Kerberos Key Distribution Center - NetLogon - Windows Time (not required if another time synchronization tool is implemented to start automatically) If the Startup Type for any of these services is not Automatic, this is a finding.</RawString> <ServiceName>IsmServ</ServiceName> <ServiceState>Running</ServiceState> <StartupType>Automatic</StartupType> </Rule> <Rule id="V-8327.g" severity="medium" conversionstatus="pass" title="Prerequisite OS Services Startup" dscresource="xService"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Run "services.msc" to display the Services console. Verify the Startup Type for the following Windows services: - Active Directory Domain Services - DFS Replication - DNS Client - DNS server - Group Policy Client - Intersite Messaging - Kerberos Key Distribution Center - NetLogon - Windows Time (not required if another time synchronization tool is implemented to start automatically) If the Startup Type for any of these services is not Automatic, this is a finding.</RawString> <ServiceName>Kdc</ServiceName> <ServiceState>Running</ServiceState> <StartupType>Automatic</StartupType> </Rule> <Rule id="V-8327.h" severity="medium" conversionstatus="pass" title="Prerequisite OS Services Startup" dscresource="xService"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Run "services.msc" to display the Services console. Verify the Startup Type for the following Windows services: - Active Directory Domain Services - DFS Replication - DNS Client - DNS server - Group Policy Client - Intersite Messaging - Kerberos Key Distribution Center - NetLogon - Windows Time (not required if another time synchronization tool is implemented to start automatically) If the Startup Type for any of these services is not Automatic, this is a finding.</RawString> <ServiceName>NetLogon</ServiceName> <ServiceState>Running</ServiceState> <StartupType>Automatic</StartupType> </Rule> <Rule id="V-8327.i" severity="medium" conversionstatus="pass" title="Prerequisite OS Services Startup" dscresource="xService"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Run "services.msc" to display the Services console. Verify the Startup Type for the following Windows services: - Active Directory Domain Services - DFS Replication - DNS Client - DNS server - Group Policy Client - Intersite Messaging - Kerberos Key Distribution Center - NetLogon - Windows Time (not required if another time synchronization tool is implemented to start automatically) If the Startup Type for any of these services is not Automatic, this is a finding.</RawString> <ServiceName>W32Time</ServiceName> <ServiceState>Running</ServiceState> <StartupType>Automatic</StartupType> </Rule> <Rule id="V-15505" severity="medium" conversionstatus="pass" title="HBSS McAfee Agent" dscresource="xService"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Run "Services.msc". Verify the McAfee Agent service is running, depending on the version installed. Version - Service Name McAfee Agent v5.x - McAfee Agent Service McAfee Agent v4.x - McAfee Framework Service If the service is not listed or does not have a Status of "Started", this is a finding.</RawString> <ServiceName>masvc</ServiceName> <ServiceState>Running</ServiceState> <StartupType>Automatic</StartupType> </Rule> <Rule id="V-26600" severity="medium" conversionstatus="pass" title="Fax Service Disabled " dscresource="xService"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Verify the Fax (fax) service is not installed or is disabled. Run "Services.msc". If the following is installed and not disabled, this is a finding: Fax (fax)</RawString> <ServiceName>fax</ServiceName> <ServiceState>Stopped</ServiceState> <StartupType>Disabled</StartupType> </Rule> <Rule id="V-26602" severity="medium" conversionstatus="pass" title="Microsoft FTP Service Disabled" dscresource="xService"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the server has the role of an FTP server, this is NA. Run "Services.msc". If the "Microsoft FTP Service" (Service name: FTPSVC) is installed and not disabled, this is a finding.</RawString> <ServiceName>FTPSVC</ServiceName> <ServiceState>Stopped</ServiceState> <StartupType>Disabled</StartupType> </Rule> <Rule id="V-26604" severity="medium" conversionstatus="pass" title="Peer Networking Identity Manager Service Disabled" dscresource="xService"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Verify the Peer Network Identity Manager (p2pimsvc) service is not installed or is disabled. Run "Services.msc". If the following is installed and not disabled, this is a finding: Peer Networking Identity Manager (p2pimsvc)</RawString> <ServiceName>p2pimsvc</ServiceName> <ServiceState>Stopped</ServiceState> <StartupType>Disabled</StartupType> </Rule> <Rule id="V-26605" severity="medium" conversionstatus="pass" title="Simple TCP/IP Services Disabled" dscresource="xService"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Verify the Simple TCP/IP (simptcp) service is not installed or is disabled. Run "Services.msc". If the following is installed and not disabled, this is a finding: Simple TCP/IP Services (simptcp)</RawString> <ServiceName>simptcp</ServiceName> <ServiceState>Stopped</ServiceState> <StartupType>Disabled</StartupType> </Rule> <Rule id="V-26606" severity="medium" conversionstatus="pass" title="Telnet Service Disabled" dscresource="xService"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Verify the Telnet (tlntsvr) service is not installed or is disabled. Run "Services.msc". If the following is installed and not disabled, this is a finding: Telnet (tlntsvr)</RawString> <ServiceName>tlntsvr</ServiceName> <ServiceState>Stopped</ServiceState> <StartupType>Disabled</StartupType> </Rule> <Rule id="V-40206" severity="medium" conversionstatus="pass" title="WNSV-000106" dscresource="xService"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Verify the Smart Card Removal Policy service is configured to "Automatic". Run "Services.msc". If the Startup Type for Smart Card Removal Policy is not set to Automatic, this is a finding.</RawString> <ServiceName>SCPolicySvc</ServiceName> <ServiceState>Running</ServiceState> <StartupType>Automatic</StartupType> </Rule> </ServiceRule> <UserRightRule dscresourcemodule="SecurityPolicyDsc"> <Rule id="V-1102" severity="high" conversionstatus="pass" title="User Right - Act as part of OS" dscresource="UserRightsAssignment"> <Constant>SeTcbPrivilege</Constant> <DisplayName>Act as part of the operating system</DisplayName> <Force>True</Force> <Identity>NULL</Identity> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any accounts or groups (to include administrators), are granted the "Act as part of the operating system" user right, this is a finding. If an application requires this user right, this would not be a finding. Vendor documentation must support the requirement for having the user right. The requirement must be documented with the ISSO. The application account must meet requirements for application account passwords, such as length (WN12-00-000010) and required frequency of changes (WN12-00-000011).</RawString> </Rule> <Rule id="V-1155" severity="medium" conversionstatus="pass" title="Deny Access from the Network" dscresource="UserRightsAssignment"> <Constant>SeDenyNetworkLogonRight</Constant> <DisplayName>Deny access to this computer from the network</DisplayName> <Force>False</Force> <Identity>Guests</Identity> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. If the following accounts or groups are not defined for the "Deny access to this computer from the network" user right, this is a finding: Guests Group</RawString> </Rule> <Rule id="V-18010" severity="high" conversionstatus="pass" title="User Right - Debug Programs" dscresource="UserRightsAssignment"> <Constant>SeDebugPrivilege</Constant> <DisplayName>Debug programs</DisplayName> <Force>True</Force> <Identity>Administrators</Identity> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any accounts or groups other than the following are granted the "Debug programs" user right, this is a finding: Administrators If an application requires this user right, this would not be a finding. Vendor documentation must support the requirement for having the user right. The requirement must be documented with the ISSO. The application account must meet requirements for application account passwords, such as length (WN12-00-000010) and required frequency of changes (WN12-00-000011).</RawString> </Rule> <Rule id="V-26469" severity="medium" conversionstatus="pass" title="Access Credential Manager as a trusted caller" dscresource="UserRightsAssignment"> <Constant>SeTrustedCredManAccessPrivilege</Constant> <DisplayName>Access Credential Manager as a trusted caller</DisplayName> <Force>True</Force> <Identity>NULL</Identity> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any accounts or groups are granted the "Access Credential Manager as a trusted caller" user right, this is a finding.</RawString> </Rule> <Rule id="V-26470" severity="medium" conversionstatus="pass" title="Access this computer from the network" dscresource="UserRightsAssignment"> <Constant>SeNetworkLogonRight</Constant> <DisplayName>Access this computer from the network</DisplayName> <Force>True</Force> <Identity>Administrators,Authenticated Users,Enterprise Domain Controllers</Identity> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. If any accounts or groups other than the following are granted the "Access this computer from the network" right, this is a finding: Administrators Authenticated Users Enterprise Domain Controllers</RawString> </Rule> <Rule id="V-26472" severity="medium" conversionstatus="pass" title="Allow log on locally" dscresource="UserRightsAssignment"> <Constant>SeInteractiveLogonRight</Constant> <DisplayName>Allow log on locally</DisplayName> <Force>True</Force> <Identity>Administrators</Identity> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any accounts or groups other than the following are granted the "Allow log on locally" user right, this is a finding: Administrators If an application requires this user right, this would not be a finding. Vendor documentation must support the requirement for having the user right. The requirement must be documented with the ISSO. The application account must meet requirements for application account passwords, such as length (WN12-00-000010) and required frequency of changes (WN12-00-000011).</RawString> </Rule> <Rule id="V-26473" severity="medium" conversionstatus="pass" title="Allow log on through Remote Desktop Services" dscresource="UserRightsAssignment"> <Constant>SeRemoteInteractiveLogonRight</Constant> <DisplayName>Allow log on through Remote Desktop Services</DisplayName> <Force>True</Force> <Identity>Administrators</Identity> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any accounts or groups other than the following are granted the "Allow log on through Remote Desktop Services" user right, this is a finding: Administrators</RawString> </Rule> <Rule id="V-26474" severity="medium" conversionstatus="pass" title="Back up files and directories" dscresource="UserRightsAssignment"> <Constant>SeBackupPrivilege</Constant> <DisplayName>Back up files and directories</DisplayName> <Force>True</Force> <Identity>Administrators</Identity> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any accounts or groups other than the following are granted the "Back up files and directories" user right, this is a finding: Administrators If an application requires this user right, this would not be a finding. Vendor documentation must support the requirement for having the user right. The requirement must be documented with the ISSO. The application account must meet requirements for application account passwords, such as length (WN12-00-000010) and required frequency of changes (WN12-00-000011).</RawString> </Rule> <Rule id="V-26478" severity="medium" conversionstatus="pass" title="Create a pagefile" dscresource="UserRightsAssignment"> <Constant>SeCreatePagefilePrivilege</Constant> <DisplayName>Create a pagefile</DisplayName> <Force>True</Force> <Identity>Administrators</Identity> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any accounts or groups other than the following are granted the "Create a pagefile" user right, this is a finding: Administrators</RawString> </Rule> <Rule id="V-26479" severity="high" conversionstatus="pass" title="Create a token object" dscresource="UserRightsAssignment"> <Constant>SeCreateTokenPrivilege</Constant> <DisplayName>Create a token object</DisplayName> <Force>True</Force> <Identity>NULL</Identity> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any accounts or groups are granted the "Create a token object" user right, this is a finding. If an application requires this user right, this would not be a finding. Vendor documentation must support the requirement for having the user right. The requirement must be documented with the ISSO. The application account must meet requirements for application account passwords, such as length (WN12-00-000010) and required frequency of changes (WN12-00-000011).</RawString> </Rule> <Rule id="V-26480" severity="medium" conversionstatus="pass" title="Create global objects" dscresource="UserRightsAssignment"> <Constant>SeCreateGlobalPrivilege</Constant> <DisplayName>Create global objects</DisplayName> <Force>True</Force> <Identity>Administrators,Service,Local Service,Network Service</Identity> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any accounts or groups other than the following are granted the "Create global objects" user right, this is a finding: Administrators Service Local Service Network Service If an application requires this user right, this would not be a finding. Vendor documentation must support the requirement for having the user right. The requirement must be documented with the ISSO. The application account must meet requirements for application account passwords, such as length (WN12-00-000010) and required frequency of changes (WN12-00-000011).</RawString> </Rule> <Rule id="V-26481" severity="medium" conversionstatus="pass" title="Create permanent shared objects" dscresource="UserRightsAssignment"> <Constant>SeCreatePermanentPrivilege</Constant> <DisplayName>Create permanent shared objects</DisplayName> <Force>True</Force> <Identity>NULL</Identity> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any accounts or groups are granted the "Create permanent shared objects" user right, this is a finding.</RawString> </Rule> <Rule id="V-26482" severity="medium" conversionstatus="pass" title="Create symbolic links" dscresource="UserRightsAssignment"> <Constant>SeCreateSymbolicLinkPrivilege</Constant> <DisplayName>Create symbolic links</DisplayName> <Force>True</Force> <Identity>Administrators,{Hyper-V}</Identity> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>True</OrganizationValueRequired> <OrganizationValueTestString>'{0}' -match '^(Administrators,NT Virtual Machine\\Virtual Machines|Administrators)$'</OrganizationValueTestString> <RawString>Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any accounts or groups other than the following are granted the "Create symbolic links" user right, this is a finding: Administrators Systems that have the Hyper-V role will also have "Virtual Machines" given this user right (this may be displayed as "NT Virtual Machine\Virtual Machines"). This is not a finding.</RawString> </Rule> <Rule id="V-26483" severity="medium" conversionstatus="pass" title="Deny log on as a batch job" dscresource="UserRightsAssignment"> <Constant>SeDenyBatchLogonRight</Constant> <DisplayName>Deny log on as a batch job</DisplayName> <Force>False</Force> <Identity>Guests</Identity> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. If the following accounts or groups are not defined for the "Deny log on as a batch job" user right, this is a finding: Guests Group</RawString> </Rule> <Rule id="V-26484" severity="medium" conversionstatus="pass" title="Deny log on as service " dscresource="UserRightsAssignment"> <Constant>SeDenyServiceLogonRight</Constant> <DisplayName>Deny log on as a service</DisplayName> <Force>True</Force> <Identity>NULL</Identity> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. If any accounts or groups are defined for the "Deny log on as a service" user right, this is a finding.</RawString> </Rule> <Rule id="V-26485" severity="medium" conversionstatus="pass" title="Deny log on locally" dscresource="UserRightsAssignment"> <Constant>SeDenyInteractiveLogonRight</Constant> <DisplayName>Deny log on locally</DisplayName> <Force>False</Force> <Identity>Guests</Identity> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. If the following accounts or groups are not defined for the "Deny log on locally" user right, this is a finding: Guests Group</RawString> </Rule> <Rule id="V-26486" severity="medium" conversionstatus="pass" title="Deny log on through Remote Desktop \ Terminal Services" dscresource="UserRightsAssignment"> <Constant>SeDenyRemoteInteractiveLogonRight</Constant> <DisplayName>Deny log on through Remote Desktop Services</DisplayName> <Force>False</Force> <Identity>Guests</Identity> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. If the following accounts or groups are not defined for the "Deny log on through Remote Desktop Services" user right, this is a finding: Guests Group</RawString> </Rule> <Rule id="V-26487" severity="medium" conversionstatus="pass" title="Enable accounts to be trusted for delegation" dscresource="UserRightsAssignment"> <Constant>SeEnableDelegationPrivilege</Constant> <DisplayName>Enable computer and user accounts to be trusted for delegation</DisplayName> <Force>True</Force> <Identity>Administrators</Identity> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. If any accounts or groups other than the following are granted the "Enable computer and user accounts to be trusted for delegation" user right, this is a finding: Administrators</RawString> </Rule> <Rule id="V-26488" severity="medium" conversionstatus="pass" title="Force shutdown from a remote system" dscresource="UserRightsAssignment"> <Constant>SeRemoteShutdownPrivilege</Constant> <DisplayName>Force shutdown from a remote system</DisplayName> <Force>True</Force> <Identity>Administrators</Identity> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any accounts or groups other than the following are granted the "Force shutdown from a remote system" user right, this is a finding: Administrators</RawString> </Rule> <Rule id="V-26489" severity="medium" conversionstatus="pass" title="Generate security audits" dscresource="UserRightsAssignment"> <Constant>SeAuditPrivilege</Constant> <DisplayName>Generate security audits</DisplayName> <Force>True</Force> <Identity>Local Service,Network Service</Identity> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any accounts or groups other than the following are granted the "Generate security audits" user right, this is a finding: Local Service Network Service If an application requires this user right, this would not be a finding. Vendor documentation must support the requirement for having the user right. The requirement must be documented with the ISSO. The application account must meet requirements for application account passwords, such as length (WN12-00-000010) and required frequency of changes (WN12-00-000011).</RawString> </Rule> <Rule id="V-26490" severity="medium" conversionstatus="pass" title="Impersonate a client after authentication" dscresource="UserRightsAssignment"> <Constant>SeImpersonatePrivilege</Constant> <DisplayName>Impersonate a client after authentication</DisplayName> <Force>True</Force> <Identity>Administrators,Service,Local Service,Network Service</Identity> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any accounts or groups other than the following are granted the "Impersonate a client after authentication" user right, this is a finding: Administrators Service Local Service Network Service If an application requires this user right, this would not be a finding. Vendor documentation must support the requirement for having the user right. The requirement must be documented with the ISSO. The application account must meet requirements for application account passwords, such as length (WN12-00-000010) and required frequency of changes (WN12-00-000011).</RawString> </Rule> <Rule id="V-26492" severity="medium" conversionstatus="pass" title="Increase scheduling priority" dscresource="UserRightsAssignment"> <Constant>SeIncreaseBasePriorityPrivilege</Constant> <DisplayName>Increase scheduling priority</DisplayName> <Force>True</Force> <Identity>Administrators</Identity> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any accounts or groups other than the following are granted the "Increase scheduling priority" user right, this is a finding: Administrators If an application requires this user right, this would not be a finding. Vendor documentation must support the requirement for having the user right. The requirement must be documented with the ISSO. The application account must meet requirements for application account passwords, such as length (WN12-00-000010) and required frequency of changes (WN12-00-000011).</RawString> </Rule> <Rule id="V-26493" severity="medium" conversionstatus="pass" title="Load and unload device drivers" dscresource="UserRightsAssignment"> <Constant>SeLoadDriverPrivilege</Constant> <DisplayName>Load and unload device drivers</DisplayName> <Force>True</Force> <Identity>Administrators</Identity> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any accounts or groups other than the following are granted the "Load and unload device drivers" user right, this is a finding: Administrators</RawString> </Rule> <Rule id="V-26494" severity="medium" conversionstatus="pass" title="Lock pages in memory" dscresource="UserRightsAssignment"> <Constant>SeLockMemoryPrivilege</Constant> <DisplayName>Lock pages in memory</DisplayName> <Force>True</Force> <Identity>NULL</Identity> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any accounts or groups are granted the "Lock pages in memory" user right, this is a finding. If an application requires this user right, this would not be a finding. Vendor documentation must support the requirement for having the user right. The requirement must be documented with the ISSO. The application account must meet requirements for application account passwords, such as length (WN12-00-000010) and required frequency of changes (WN12-00-000011).</RawString> </Rule> <Rule id="V-26496" severity="medium" conversionstatus="pass" title="Manage auditing and security log" dscresource="UserRightsAssignment"> <Constant>SeSecurityPrivilege</Constant> <DisplayName>Manage auditing and security log</DisplayName> <Force>True</Force> <Identity>Administrators</Identity> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any accounts or groups other than the following are granted the "Manage auditing and security log" user right, this is a finding: Administrators If the organization has an Auditors group, the assignment of this group to the user right would not be a finding. If an application requires this user right, this would not be a finding. Vendor documentation must support the requirement for having the user right. The requirement must be documented with the ISSO. The application account must meet requirements for application account passwords, such as length (WN12-00-000010) and required frequency of changes (WN12-00-000011).</RawString> </Rule> <Rule id="V-26498" severity="medium" conversionstatus="pass" title="Modify firmware environment values" dscresource="UserRightsAssignment"> <Constant>SeSystemEnvironmentPrivilege</Constant> <DisplayName>Modify firmware environment values</DisplayName> <Force>True</Force> <Identity>Administrators</Identity> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any accounts or groups other than the following are granted the "Modify firmware environment values" user right, this is a finding: Administrators</RawString> </Rule> <Rule id="V-26499" severity="medium" conversionstatus="pass" title="Perform volume maintenance tasks" dscresource="UserRightsAssignment"> <Constant>SeManageVolumePrivilege</Constant> <DisplayName>Perform volume maintenance tasks</DisplayName> <Force>True</Force> <Identity>Administrators</Identity> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any accounts or groups other than the following are granted the "Perform volume maintenance tasks" user right, this is a finding: Administrators</RawString> </Rule> <Rule id="V-26500" severity="medium" conversionstatus="pass" title="Profile single process" dscresource="UserRightsAssignment"> <Constant>SeProfileSingleProcessPrivilege</Constant> <DisplayName>Profile single process</DisplayName> <Force>True</Force> <Identity>Administrators</Identity> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any accounts or groups other than the following are granted the "Profile single process" user right, this is a finding: Administrators</RawString> </Rule> <Rule id="V-26504" severity="medium" conversionstatus="pass" title="Restore files and directories" dscresource="UserRightsAssignment"> <Constant>SeRestorePrivilege</Constant> <DisplayName>Restore files and directories</DisplayName> <Force>True</Force> <Identity>Administrators</Identity> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any accounts or groups other than the following are granted the "Restore files and directories" user right, this is a finding: Administrators If an application requires this user right, this would not be a finding. Vendor documentation must support the requirement for having the user right. The requirement must be documented with the ISSO. The application account must meet requirements for application account passwords, such as length (WN12-00-000010) and required frequency of changes (WN12-00-000011).</RawString> </Rule> <Rule id="V-26506" severity="medium" conversionstatus="pass" title="Take ownership of files or other objects" dscresource="UserRightsAssignment"> <Constant>SeTakeOwnershipPrivilege</Constant> <DisplayName>Take ownership of files or other objects</DisplayName> <Force>True</Force> <Identity>Administrators</Identity> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any accounts or groups other than the following are granted the "Take ownership of files or other objects" user right, this is a finding: Administrators If an application requires this user right, this would not be a finding. Vendor documentation must support the requirement for having the user right. The requirement must be documented with the ISSO. The application account must meet requirements for application account passwords, such as length (WN12-00-000010) and required frequency of changes (WN12-00-000011).</RawString> </Rule> <Rule id="V-30016" severity="medium" conversionstatus="pass" title="Add workstations to domain" dscresource="UserRightsAssignment"> <Constant>SeMachineAccountPrivilege</Constant> <DisplayName>Add workstations to domain</DisplayName> <Force>True</Force> <Identity>Administrators</Identity> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. If any accounts or groups other than the following are granted the "Add workstations to domain" right, this is a finding: Administrators</RawString> </Rule> </UserRightRule> <WindowsFeatureRule dscresourcemodule="PSDesiredStateConfiguration"> <Rule id="V-73805" severity="medium" conversionstatus="pass" title="WIN00-000160" dscresource="WindowsFeature"> <FeatureName>SMB1Protocol</FeatureName> <InstallState>Absent</InstallState> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>This requirement applies to Windows 2012 R2, it is NA for Windows 2012 (see V-73519 and V-73523 for 2012 requirements). Different methods are available to disable SMBv1 on Windows 2012 R2. This is the preferred method, however if V-73519 and V-73523 are configured, this is NA. Run "Windows PowerShell" with elevated privileges (run as administrator). Enter the following: Get-WindowsOptionalFeature -Online | Where FeatureName -eq SMB1Protocol If "State : Enabled" is returned, this is a finding. Alternately: Search for "Features". Select "Turn Windows features on or off". If "SMB 1.0/CIFS File Sharing Support" is selected, this is a finding.</RawString> </Rule> <Rule id="V-80477" severity="medium" conversionstatus="pass" title="WIN00-000220" dscresource="WindowsFeature"> <FeatureName>PowerShell-v2</FeatureName> <InstallState>Absent</InstallState> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Windows PowerShell 2.0 is not installed by default. Open "Windows PowerShell". Enter "Get-WindowsFeature -Name PowerShell-v2". If "Installed State" is "Installed", this is a finding. An Installed State of "Available" or "Removed" is not a finding.</RawString> </Rule> </WindowsFeatureRule> <WmiRule dscresourcemodule="PSDesiredStateConfiguration"> <Rule id="V-1073" severity="high" conversionstatus="pass" title="Unsupported Service Packs" dscresource="Script"> <IsNullOrEmpty>False</IsNullOrEmpty> <Operator>-ge</Operator> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <Property>Version</Property> <Query>SELECT * FROM Win32_OperatingSystem</Query> <RawString>Run "winver.exe". If the "About Windows" dialog box does not display "Microsoft Windows Server Version 6.2 (Build 9200)" or greater, this is a finding. No preview versions will be used in a production environment. Unsupported Service Packs/Releases: Windows 2012 - any release candidates or versions prior to the initial release.</RawString> <Value>6.2.9200</Value> </Rule> <Rule id="V-1081" severity="high" conversionstatus="pass" title="NTFS Requirement" dscresource="Script"> <IsNullOrEmpty>False</IsNullOrEmpty> <Operator>-match</Operator> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <Property>FileSystem</Property> <Query>SELECT * FROM Win32_LogicalDisk WHERE DriveType = '3'</Query> <RawString>Open "Computer Management". Select "Disk Management" under "Storage". For each local volume, if the file system does not indicate "NTFS", this is a finding. "ReFS" (Resilient File System) is also acceptable and would not be a finding. This does not apply to system partitions such as the Recovery and EFI System Partition.</RawString> <Value>NTFS|ReFS</Value> </Rule> </WmiRule> </DISASTIG> |