Windows 8 / 8.1 Security Technical Implementation Guide

V1R8 2014-10-22       U_Windows_8_V1R8_STIG_SCAP_1-0_Benchmark-xccdf.xml
The Windows 8 / 8.1 Security Technical Implementation Guide (STIG) is published as a tool to improve the security of Department of Defense (DoD) information systems. Comments or proposed revisions to this document should be sent via e-mail to the following address: [email protected]
Vuln Rule Version CCI Severity Title Description
SV-48016r1_rule WN08-GE-000001 CCI-002605 HIGH Systems must be maintained at a supported service pack level. Systems at unsupported service packs or releases will not receive security updates for new vulnerabilities which leaves them subject to exploitation. Systems must be maintained at a service pack level supported by the vendor with new security updates.VIVM-1
SV-48018r1_rule WN08-SO-000073 CCI-000366 LOW The shutdown option must be available from the logon dialog box. Preventing display of the shutdown button in the logon dialog box may encourage a hard shut down with the power button. (However, displaying the shutdown button may allow individuals to shut down a system anonymously.)ECSC-1
SV-48023r1_rule WN08-SO-000024 CCI-000366 LOW Caching of logon credentials must be limited. The default Windows configuration caches the last logon credentials for users who log on interactively to a system. This feature is provided for system availability reasons, such as the user's machine being disconnected from the network or domain controllers being unavailable. Even though the credential cache is well-protected, storing encrypted copies of users' passwords on workstations does not always have the same physical protection required for domain controllers. If a workstation is attacked, an unauthorized individual may isolate the password to a domain user account using a password-cracking program and gain access to the domain.ECSC-1
SV-48024r1_rule WN08-SO-000010 CCI-000140 LOW The system must not halt when the security event log has reached its maximum size. A system that is configured to halt if an event log becomes full can create a denial of service situation on a workstation.ECRR-1
SV-48025r1_rule WN08-SO-000052 CCI-001090 HIGH Anonymous enumeration of shares must be restricted. Allowing anonymous logon users (null session connections) to list all account names and enumerate all shared resources can provide a map of potential points to attack the system.ECSC-1, PRNK-1
SV-48026r1_rule WN08-AC-000002 CCI-000044 MEDIUM The number of allowed bad logon attempts must meet minimum requirements. The account lockout feature, when enabled, prevents brute-force password attacks on the system. The higher this value is, the less effective the account lockout feature will be in protecting the local system. The number of bad logon attempts must be reasonably small to minimize the possibility of a successful password attack, while allowing for honest errors made during a normal user logon.ECLO-1, ECLO-2
SV-48027r1_rule WN08-AC-000003 CCI-000044 MEDIUM The period of time before the bad logon counter is reset must meet minimum requirements. The account lockout feature, when enabled, prevents brute-force password attacks on the system. This parameter specifies the period of time that must pass after failed logon attempts before the counter is reset to 0. The smaller this value is, the less effective the account lockout feature will be in protecting the local system.ECLO-1, ECLO-2
SV-48028r1_rule WN08-AC-000001 CCI-002238 MEDIUM The lockout duration must be configured to require an administrator to unlock an account. The account lockout feature, when enabled, prevents brute-force password attacks on the system. This parameter specifies the amount of time that an account will remain locked after the specified number of failed logon attempts. A value of 0 will require an administrator to unlock the account.ECLO-1, ECLO-2
SV-48029r1_rule WN08-UR-000003 CCI-002235 HIGH No accounts must be granted the Act as part of the operating system user right. Inappropriate granting of user rights can provide system, administrative, and other high level capabilities. Accounts with the "Act as part of the operating system" user right can assume the identity of any user and gain access to resources that user is authorized to access. Any accounts with this right can take complete control of a system.ECLP-1
SV-48030r1_rule WN08-AC-000005 CCI-000199 MEDIUM The maximum password age must meet requirements. The longer a password is in use, the greater the opportunity for someone to gain unauthorized knowledge of the passwords. Scheduled changing of passwords hinders the ability of unauthorized system users to crack passwords and gain access to a system.IAIA-1, IAIA-2
SV-48031r1_rule WN08-AC-000006 CCI-000198 MEDIUM The minimum password age must meet requirements. Permitting passwords to be changed in immediate succession within the same day allows users to cycle passwords through their history database. This enables users to effectively negate the purpose of mandating periodic password changes.IAIA-1, IAIA-2
SV-48032r1_rule WN08-AC-000004 CCI-000200 MEDIUM The password uniqueness must meet minimum requirements. A system is more vulnerable to unauthorized access when system users recycle the same password several times without being required to change a password to a unique password on a regularly scheduled basis. This enables users to effectively negate the purpose of mandating periodic password changes.IAIA-1, IAIA-2
SV-48034r1_rule WN08-SO-000003 CCI-000804 MEDIUM The built-in guest account must be disabled. A system faces an increased vulnerability threat if the built-in guest account is not disabled. This account is a known account that exists on all Windows systems and cannot be deleted. This account is initialized during the installation of the operating system with no password assigned.IAAC-1
SV-48035r1_rule WN08-SO-000006 CCI-000366 MEDIUM The built-in guest account must be renamed. The built-in guest account is a well known user account on all Windows systems and, as initially installed, does not require a password. This can allow access to system resources by unauthorized users. Renaming this account to an unidentified name improves the protection of this account and the system.IAAC-1
SV-48036r1_rule WN08-SO-000005 CCI-000366 MEDIUM The built-in administrator account must be renamed. The built-in administrator account is a well-known account subject to attack. Renaming this account to an unidentified name improves the protection of this account and the system.IAAC-1
SV-48042r1_rule WN08-SO-000034 CCI-001133 LOW Users must be forcibly disconnected when their logon hours expire. Users must not be permitted to remain logged on to the network after they have exceeded their permitted logon hours. In many cases, this indicates that a user forgot to log off before leaving for the day. However, it may also indicate that a user is attempting unauthorized access at a time when the system may be less closely monitored. Forcibly disconnecting users when logon hours expire protects critical and sensitive network data from exposure to unauthorized personnel with physical access to the computer.ECSC-1
SV-48043r1_rule WN08-SO-000030 CCI-000197 MEDIUM Unencrypted passwords must not be sent to third-party SMB Server. Some non-Microsoft SMB servers only support unencrypted (plain text) password authentication. Sending plain text passwords across the network, when authenticating to an SMB server, reduces the overall security of the environment. Check with the vendor of the SMB server to see if there is a way to support encrypted password authentication.ECCT-1, ECCT-2
SV-48044r1_rule WN08-SO-000036 CCI-002038 MEDIUM Automatic logons must be disabled. Allowing a system to automatically log on when the machine is booted could give access to any unauthorized individual who restarts the computer. Automatic logon with administrator privileges would give full access to an unauthorized individual.If the DefaultName or DefaultDomainName in the same registry path contain an administrator account name and the DefaultPassword contains a value, this is a CAT I finding.ECSC-1
SV-48046r1_rule WN08-AC-000008 CCI-000192 LOW The built-in Microsoft password complexity filter must be enabled. The use of complex passwords increases their strength against guessing and brute-force attacks. This setting configures the system to verify that newly created passwords conform to the Windows password complexity policy.IAIA-1, IAIA-2
SV-48048r1_rule WN08-SO-000067 CCI-000366 HIGH The LanMan authentication level must be set to send NTLMv2 response only, and to refuse LM and NTLM. The Kerberos v5 authentication protocol is the default for authentication of users who are logging on to domain accounts. NTLM which is less secure, is retained in later Windows versions for compatibility with clients and servers that are running earlier versions of Windows or applications that still use it. It is also used to authenticate logons to stand-alone computers that are running later versions.IAIA-1, IAIA-2
SV-48049r1_rule WN08-SO-000019 CCI-000366 MEDIUM The Ctrl+Alt+Del security attention sequence for logons must be enabled. Disabling the Ctrl+Alt+Del security attention sequence can compromise system security. Because only Windows responds to the Ctrl+Alt+Del security sequence, you can be assured that any passwords you enter following that sequence are sent only to Windows. If you eliminate the sequence requirement, malicious programs can request and receive your Windows password. Disabling this sequence also suppresses a custom logon banner.ECSC-1
SV-48050r2_rule WN08-UR-000017 CCI-000213 MEDIUM The Deny access to this computer from the network user right on workstations must be configured to prevent access from highly privileged domain accounts and local administrator accounts on domain systems and unauthenticated access on all systems. Inappropriate granting of user rights can provide system, administrative, and other high level capabilities. The "Deny Access from the Network" right defines the accounts that are prevented from logging on from the network. In an Active Directory Domain, denying logons to the Enterprise Admins and Domain Admins groups on lower trust systems helps mitigate the risk of privilege escalation from credential theft attacks which could lead to the compromise of an entire domain. Local administrator accounts on domain-joined systems must also be assigned this right to decrease the risk of lateral movement resulting from credential theft attacks. The Guests group must be assigned this right to prevent unauthenticated access.ECLP-1
SV-48051r1_rule WN08-SO-000027 CCI-000366 MEDIUM The Smart Card removal option must be configured to Force Logoff or Lock Workstation. Unattended systems are susceptible to unauthorized use and must be locked. Configuring a system to lock when a smart card is removed will ensure the system is inaccessible when unattended.ECSC-1
SV-48052r1_rule WN08-SO-000072 CCI-000366 LOW The Recovery Console SET command must be disabled. The Recovery Console SET command allows environment variables to be set in the Recovery Console. This permits access to all drives and folders and the copying of files to removable media which could expose sensitive information.ECCD-1, ECCD-2
SV-48053r1_rule WN08-SO-000071 CCI-002038 HIGH The Recovery Console option must be set to prevent automatic logon to the system. If this option is enabled, the Recovery Console does not require a password and automatically logs on to the system. This could allow unauthorized administrative access to the system.ECCD-1, ECCD-2
SV-48054r1_rule WN08-SO-000033 CCI-002418 MEDIUM The Windows SMB server must perform SMB packet signing when possible. The server message block (SMB) protocol provides the basis for many network operations. Digitally signed SMB packets aid in preventing man-in-the-middle attacks. If this policy is enabled, the SMB server will negotiate SMB packet signing as requested by the client.ECSC-1
SV-48055r1_rule WN08-SO-000013 CCI-002418 MEDIUM Outgoing secure channel traffic must be encrypted when possible. Requests sent on the secure channel are authenticated, and sensitive information (such as passwords) is encrypted, but not all information is encrypted. If this policy is enabled, outgoing secure channel traffic will be encrypted.If the value for Domain Member: Digitally encrypt or sign secure channel data (always) is set to Enabled, this would not be a finding.ECCT-1, ECCT-2
SV-48056r1_rule WN08-SO-000014 CCI-002418 MEDIUM Outgoing secure channel traffic must be signed when possible. Requests sent on the secure channel are authenticated, and sensitive information (such as passwords) is encrypted, but the channel is not integrity checked. If this policy is enabled, outgoing secure channel traffic will be signed.If the value for Domain Member: Digitally encrypt or sign secure channel data (always) is set to Enabled, this would not be a finding.DCNR-1
SV-48057r1_rule WN08-SO-000015 CCI-000366 LOW The computer account password must not be prevented from being reset. Computer account passwords are changed automatically on a regular basis. Disabling automatic password changes can make the system more vulnerable to malicious access. Frequent password changes can be a significant safeguard for your system. A new password for the computer account will be generated every 30 days.IAIA-1, IAIA-2
SV-48058r1_rule WN08-SO-000029 CCI-002418 MEDIUM The Windows SMB client must be enabled to perform SMB packet signing when possible. The server message block (SMB) protocol provides the basis for many network operations. If this policy is enabled, the SMB client will request packet signing when communicating with an SMB server that is enabled or required to perform SMB packet signing.ECSC-1
SV-48060r1_rule WN08-SO-000011 CCI-000366 MEDIUM Ejection of removable NTFS media must be restricted to Administrators. Removable hard drives can be formatted and ejected by others who are not members of the Administrators Group, if they are not properly configured. Formatting and ejecting removable NTFS media must only be done by administrators.ECLP-1
SV-48061r1_rule WN08-SO-000025 CCI-000366 LOW Users must be warned in advance of their passwords expiring. Creating strong passwords that can be remembered by users requires some thought. By giving the user advance warning, the user has time to construct a sufficiently strong password. This setting configures the system to display a warning to users telling them how many days are left before their password expires.ECSC-1
SV-48062r1_rule WN08-SO-000076 CCI-000366 LOW The default permissions of global system objects must be increased. Windows systems maintain a global list of shared system resources such as DOS device names, mutexes, and semaphores. Each type of object is created with a default DACL that specifies who can access the objects with what permissions. If this policy is enabled, the default DACL is stronger, allowing non-admin users to read shared objects, but not modify shared objects that they did not create.ECSC-1
SV-48063r1_rule WN08-SO-000031 CCI-001133 LOW The amount of idle time required before suspending a session must be properly set. Open sessions can increase the avenues of attack on a system. This setting is used to control when a computer disconnects an inactive SMB session. If client activity resumes, the session is automatically re-established. This protects critical and sensitive network data from exposure to unauthorized personnel with physical access to the computer.ECSC-1
SV-48064r1_rule WN08-AC-000009 CCI-000196 HIGH Reversible password encryption must be disabled. Storing passwords using reversible encryption is essentially the same as storing clear-text versions of the passwords. For this reason, this policy must never be enabled.IAIA-1, IAIA-2
SV-48065r1_rule WN08-CC-000074 CCI-001764 HIGH Autoplay must be disabled for all drives. Allowing autoplay to execute may introduce malicious code to a system. Autoplay begins reading from a drive as soon as you insert media in the drive. As a result, the setup file of programs or music on audio media may start. By default, autoplay is disabled on removable drives, such as the floppy disk drive (but not the CD-ROM drive) and on network drives. If you enable this policy, you can also disable autoplay on all drives.ECSC-1
SV-48069r1_rule WN08-SO-000055 CCI-001090 HIGH Named pipes that can be accessed anonymously must be configured to contain no values. Named pipes that can be accessed anonymously provide the potential for gaining unauthorized system access. Pipes are internal system communications processes. They are identified internally by ID numbers that vary between systems. To make access to these processes easier, these pipes are given names that do not vary between systems. This setting controls which of these pipes anonymous users may access.ECSC-1
SV-48070r1_rule WN08-SO-000056 CCI-001090 HIGH Unauthorized remotely accessible registry paths must not be configured. The registry is integral to the function, security, and stability of the Windows system. Some processes may require remote access to the registry. This setting controls which registry paths are accessible from a remote computer. These registry paths must be limited, as they could give unauthorized individuals access to the registry.ECCD-1, ECCD-2
SV-48071r1_rule WN08-SO-000059 CCI-001090 HIGH Network shares that can be accessed anonymously must not be allowed. Anonymous access to network shares provides the potential for gaining unauthorized system access by network users. This could lead to the exposure or corruption of sensitive data.ECCD-1, ECCD-2
SV-48072r1_rule WN08-CC-000059 CCI-001090 HIGH Solicited Remote Assistance must not be allowed. Remote assistance allows another user to view or take control of the local session of a user. Solicited assistance is help that is specifically requested by the local user. This may allow unauthorized parties access to the resources on the computer.ECSC-1
SV-48073r1_rule WN08-SO-000004 CCI-000366 HIGH Local accounts with blank passwords must be restricted to prevent access from the network. An account without a password can allow unauthorized access to a system as only the username would be required. Password policies should prevent accounts with blank passwords from existing on a system. However, if a local account with a blank password did exist, enabling this setting will prevent network access, limiting the account to local console logon only.IAIA-1
SV-48075r1_rule WN08-SO-000016 CCI-000366 LOW The maximum age for machine account passwords must be set to requirements. Computer account passwords are changed automatically on a regular basis. This setting controls the maximum password age that a machine account may have. This setting must be set to no more than 30 days, ensuring the machine changes its password monthly.IAIA-1, IAIA-2
SV-48076r1_rule WN08-SO-000017 CCI-002418 MEDIUM The system must be configured to require a strong session key. A computer connecting to a domain controller will establish a secure channel. Requiring strong session keys enforces 128-bit encryption between systems. ECSC-1
SV-48077r1_rule WN08-SO-000026 CCI-000366 LOW Domain Controller authentication must not be required to unlock the workstation. This setting controls the behavior of the system when there is an attempt to unlock the workstation. If this setting is enabled, the system will pass the credentials to the domain controller (if in a domain) for authentication before allowing the system to be unlocked. This may cause a denial of service if the workstation loses connectivity to the domain controller.ECSC-1
SV-48078r1_rule WN08-SO-000053 CCI-002038 MEDIUM The system must be configured to prevent the storage of passwords and credentials. This setting controls the storage of passwords and credentials for network authentication on the local system. Such credentials must not be stored on the local machine as that may lead to account compromise.ECSC-1
SV-48079r1_rule WN08-SO-000054 CCI-000366 MEDIUM The system must be configured to prevent anonymous users from having the same rights as the Everyone group. Access by anonymous users must be restricted. If this setting is enabled, then anonymous users have the same rights and permissions as the built-in Everyone group. Anonymous users must not have these permissions or rights.ECCD-1, ECCD-2, ECLP-1, ECSC-1
SV-48080r1_rule WN08-SO-000060 CCI-001090 MEDIUM The system must be configured to use the Classic security model. Windows includes two network-sharing security models - Classic and Guest only. With the Classic model, local accounts must be password protected; otherwise, anyone can use guest user accounts to access shared system resources.ECLO-1
SV-48081r1_rule WN08-SO-000065 CCI-000196 HIGH The system must be configured to prevent the storage of the LAN Manager hash of passwords. The LAN Manager hash uses a weak encryption algorithm and there are several tools available that use this hash to retrieve account passwords. This setting controls whether or not a LAN Manager hash of the password is stored in the SAM the next time the password is changed. ECSC-1, IAIA-1, IAIA-2
SV-48082r1_rule WN08-SO-000066 CCI-001133 MEDIUM The system must be configured to force users to log off when their allowed logon hours expire. Limiting logon hours can help protect data by only allowing access during specified times. This setting controls whether or not users are forced to log off when their allowed logon hours expire. If logon hours are set for users, then this must be enforced.ECSC-1
SV-48083r1_rule WN08-SO-000068 CCI-000366 MEDIUM The system must be configured to the required LDAP client signing level. This setting controls the signing requirements for LDAP clients. This setting must be set to Negotiate signing or Require signing, depending on the environment and type of LDAP server in use.ECSC-1
SV-48084r1_rule WN08-SO-000069 CCI-000366 MEDIUM The system must be configured to meet the minimum session security requirement for NTLM SSP based clients. Microsoft has implemented a variety of security support providers for use with RPC sessions. All of the options must be enabled to ensure the maximum security level.ECCT-1, ECCT-2
SV-48085r1_rule WN08-SO-000074 CCI-002450 MEDIUM The system must be configured to use FIPS-compliant algorithms for encryption, hashing, and signing. This setting ensures that the system uses algorithms that are FIPS-compliant for encryption, hashing, and signing. FIPS-compliant algorithms meet specific standards established by the U.S. Government and must be the algorithms used for all OS encryption functions.Clients with this setting enabled will not be able to communicate via digitally encrypted or signed protocols with servers that do not support these algorithms. Both the browser and web server must be configured to use TLS, or the browser will not be able to connect to a secure site.ECCT-1, ECCT-2
SV-48086r1_rule WN08-SO-000075 CCI-000366 MEDIUM The system must be configured to require case insensitivity for non-Windows subsystems. This setting controls the behavior of non-Windows subsystems when dealing with the case of arguments or commands. Case sensitivity could lead to the access of files or commands that must be restricted. To prevent this from happening, case insensitivity restrictions must be required.ECSC-1
SV-48088r1_rule WN08-CC-000099 CCI-002038 MEDIUM Remote Desktop Services must always prompt a client for passwords upon connection. This setting controls the ability of users to supply passwords automatically as part of their remote desktop connection. Disabling this setting would allow anyone to use the stored credentials in a connection item to connect to the terminal server.IAIA-1, IAIA-2
SV-48089r1_rule WN08-CC-000100 CCI-000068 MEDIUM Remote Desktop Services must be configured with the client connection encryption set to the required level. Remote connections must be encrypted to prevent interception of data or sensitive information. Selecting "High Level" will ensure encryption of Remote Desktop Services sessions in both directions.ECCT-1, ECCT-2
SV-48090r1_rule WN08-CC-000104 CCI-000366 MEDIUM Remote Desktop Services must be configured to use session-specific temporary folders. If a communal temporary folder is used for remote desktop sessions, it might be possible for users to access other users' temporary folders. If this setting is enabled, only one temporary folder is used for all remote desktop sessions. Per session temporary folders must be established.ECRC-1
SV-48092r1_rule WN08-CC-000103 CCI-000366 MEDIUM Remote Desktop Services must delete temporary folders when a session is terminated. Remote desktop session temporary folders must always be deleted after a session is over to prevent hard disk clutter and potential leakage of information. This setting controls the deletion of the temporary folders when the session is terminated.ECRC-1
SV-48094r1_rule WN08-CC-000102 CCI-001133 MEDIUM Remote Desktop Services must be configured to set a time limit for disconnected sessions. This setting controls how long a session will remain open if it is unexpectedly terminated. Such sessions use system resources and must be terminated as soon as possible.ECSC-1
SV-48097r1_rule WN08-CC-000101 CCI-001133 MEDIUM Remote Desktop Services must be configured to disconnect an idle session after the specified time period. This setting controls how long a session may be idle before it is automatically disconnected from the server. Users must disconnect if they plan on being away from their terminals for extended periods of time. Idle sessions must be disconnected after 15 minutes.ECSC-1
SV-48114r1_rule WN08-CC-000058 CCI-001090 MEDIUM The system must be configured to prevent unsolicited remote assistance offers. Remote assistance allows another user to view or take control of the local session of a user. Unsolicited remote assistance is help that is offered by the remote user. This may allow unauthorized parties access to the resources on the computer.WN08-CC-000058-Users must be trained to include the following: -Users must know who they can accept an assistance offer from. The offer must be in response to a help desk request or confirmed with the help desk if an unsolicited offer comes through. -Users must know how to accept a request, allow view or control, and disconnect a remote assistance session. -Users must monitor the assistance activity at the workstation while it is occurring. -The support personnel allowed to offer assistance (helpers) must be limited and documented. -Port 3389 must be blocked at the perimeter to prevent other access. Accounts and groups authorized to offer remote assistance (helpers) are identified in the following registry key: Registry Hive: HKEY_LOCAL_MACHINE Subkey: \Software\Policies\Microsoft\Windows NT\Terminal Services\RAUnsolicit\ Each Account or group will be listed under a separate value name, with the value equaling the value name as in the following examples: Value Name: Administrators Type: REG_SZ Value: Administrators Value Name: TestUser Type: REG_SZ Value: TestUserECSC-1
SV-48115r1_rule WN08-CC-000046 CCI-000366 MEDIUM The system must be configured to prevent automatic forwarding of error information. This setting controls the reporting of errors to Microsoft and, if defined, a corporate error reporting site. This does not interfere with the reporting of errors to the local user. Since the contents of memory are included in this error report, sensitive information may be transmitted to Microsoft. This feature must be disabled to prevent the release of such information.ECSC-1
SV-48117r1_rule WN08-SO-000045 CCI-000366 MEDIUM The system must be configured to use Safe DLL Search Mode. The default search behavior, when an application calls a function in a Dynamic Link Library (DLL), is to search the current directory, followed by the directories contained in the system's path environment variable. An unauthorized DLL, inserted into an application's working directory, could allow malicious code to be run on the system. Setting this policy value forces the system to search the %Systemroot% for the DLL before searching the current directory or the rest of the path.ECSC-1
SV-48118r2_rule WN08-CC-000122 CCI-001812 MEDIUM Media Player must be configured to prevent automatic checking for updates. Uncontrolled system updates can introduce issues to a system. The automatic check for updates performed by Windows Media Player must be disabled to ensure a constant platform and to prevent the introduction of unknown\untested software on the system.DCSL-1
SV-48120r1_rule WN08-SO-000070 CCI-000366 MEDIUM The system must be configured to meet the minimum session security requirement for NTLM SSP based servers. Microsoft has implemented a variety of security support providers for use with RPC sessions. All of the options must be enabled to ensure the maximum security level.ECCT-1, ECCT-2
SV-48121r1_rule WN08-SO-000049 CCI-001855 LOW The system must generate an audit event when the audit log reaches a percentage of full threshold. When the audit log reaches a given percent full, an audit event is written to the security log. An event is recorded as a success audit under the category of System. This option may be especially useful if the audit logs are set to be cleared manually. A recommended setting would be 90 percent.ECRR-1
SV-48122r1_rule WN08-SO-000038 CCI-000366 LOW The system must be configured to prevent IP source routing. Configuring the system to disable IP source routing protects against spoofing.ECSC-1
SV-48123r1_rule WN08-SO-000039 CCI-000366 LOW The system must be configured to prevent Internet Control Message Protocol (ICMP) redirects from overriding Open Shortest Path First (OSPF) generated routes. Allowing ICMP redirect of routes can lead to traffic not being routed properly. When disabled, this forces ICMP to be routed via shortest path first.ECSC-1
SV-48544r1_rule WN08-SO-000044 CCI-002385 LOW The system must be configured to disable the Internet Router Discovery Protocol (IRDP). The Internet Router Discovery Protocol (IRDP) is used to detect and configure default gateway addresses on the computer. If a router is impersonated on a network, traffic could be routed through the compromised system.ECSC-1
SV-48125r1_rule WN08-SO-000041 CCI-002385 LOW The system must be configured to limit how often keep-alive packets are sent. This setting controls how often TCP sends a keep-alive packet in attempting to verify that an idle connection is still intact. A higher value could allow an attacker to cause a denial of service with numerous connections.ECSC-1
SV-48126r1_rule WN08-SO-000043 CCI-002385 LOW The system must be configured to ignore NetBIOS name release requests except from WINS servers. Configuring the system to ignore name release requests, except from WINS servers, prevents a denial of service (DoS) attack. The DoS consists of sending a NetBIOS name release request to the server for each entry in the server's cache, causing a response delay in the normal operation of the servers WINS resolution capability.ECSC-1
SV-48127r1_rule WN08-SO-000048 CCI-002385 LOW The system must limit how many times unacknowledged TCP data is retransmitted. In a SYN flood attack, the attacker sends a continuous stream of SYN packets to a server, and the server leaves the half-open connections open until it is overwhelmed and is no longer able to respond to legitimate requests.ECSC-1
SV-48128r1_rule WN08-SO-000046 CCI-000366 LOW The system must be configured to have password protection take effect within a limited time frame when the screen saver becomes active. Allowing more than several seconds makes the computer vulnerable to a potential attack from someone walking up to the console to attempt to log onto the system before the lock takes effect.PESL-1
SV-48129r2_rule WN08-SO-000057 CCI-001090 HIGH Unauthorized remotely accessible registry paths and sub-paths must not be configured. The registry is integral to the function, security, and stability of the Windows system. Some processes may require remote access to the registry. This setting controls which registry paths and sub-paths are accessible from a remote computer. These registry paths must be limited, as they could give unauthorized individuals access to the registry.ECCD-1, ECCD-2
SV-48552r1_rule WN08-CC-000130 CCI-001453 MEDIUM The Remote Desktop Session Host must require secure RPC communications. Allowing unsecure RPC communication exposes the system to man in the middle attacks and data disclosure attacks. A man in the middle attack occurs when an intruder captures packets between a client and server and modifies them before allowing the packets to be exchanged. Usually the attacker will modify the information in the packets in an attempt to cause either the client or server to reveal sensitive information.ECSC-1
SV-48130r2_rule WN08-CC-000028 CCI-000366 MEDIUM Group Policy objects must be reprocessed even if they have not changed. Enabling this setting and then selecting the "Process even if the Group Policy objects have not changed" option ensures that the policies will be reprocessed even if none have been changed. This way, any unauthorized changes are forced to match the domain-based group policy settings again.ECSC-1
SV-48131r1_rule WN08-SO-000012 CCI-002418 MEDIUM Outgoing secure channel traffic must be encrypted or signed. Requests sent on the secure channel are authenticated, and sensitive information (such as passwords) is encrypted, but not all information is encrypted. If this policy is enabled, outgoing secure channel traffic will be encrypted and signed.ECCT-1, ECCT-2
SV-48132r1_rule WN08-SO-000028 CCI-002418 MEDIUM The Windows SMB client must be configured to always perform SMB packet signing. The server message block (SMB) protocol provides the basis for many network operations. Digitally signed SMB packets aid in preventing man-in-the-middle attacks. If this policy is enabled, the SMB client will only communicate with an SMB server that performs SMB packet signing.ECSC-1
SV-48133r1_rule WN08-SO-000032 CCI-002418 MEDIUM The Windows SMB server must be configured to always perform SMB packet signing. The server message block (SMB) protocol provides the basis for many network operations. Digitally signed SMB packets aid in preventing man-in-the-middle attacks. If this policy is enabled, the SMB server will only communicate with an SMB client that performs SMB packet signing.ECSC-1
SV-48160r2_rule WN08-SO-000058 CCI-001090 HIGH Anonymous access to Named Pipes and Shares must be restricted. Allowing anonymous access to named pipes or shares provides the potential for unauthorized system access. This setting restricts access to those defined in "Network access: Named Pipes that can be accessed anonymously" and "Network access: Shares that can be accessed anonymously", both of which must be blank under other requirements.ECSC-1
SV-48161r1_rule WN08-AC-000007 CCI-000205 MEDIUM Passwords must, at a minimum, be 14 characters. Information systems not protected with strong password schemes (including passwords of minimum length) provide the opportunity for anyone to crack the password, thus gaining access to the system and compromising the device, information, or the local network. IAIA-1, IAIA-2
SV-48164r1_rule WN08-SO-000018 CCI-000366 LOW The system must be configured to prevent the display of the last username on the logon screen. Displaying the username of the last logged on user provides half of the userid/password equation that an unauthorized person would need to gain access. The username of the last user to log onto a system must not be displayed.ECSC-1
SV-48167r2_rule WN08-SO-000007 CCI-001095 MEDIUM Auditing Access of Global System Objects must be turned off. Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. This setting prevents the system from setting up a default system access control list for certain system objects, which could create a very large number of security events, filling the security log in Windows and making it difficult to identify actual issues.ECSC-1
SV-48168r1_rule WN08-SO-000008 CCI-001095 MEDIUM Auditing of Backup and Restore Privileges must be turned off. Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. This setting prevents the system from generating audit events for every file backed up or restored which could fill the security log in Windows, making it difficult to identify actual issues.ECSC-1
SV-48169r2_rule WN08-SO-000009 CCI-000169 MEDIUM Audit policy using subcategories must be enabled. Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. This setting allows administrators to enable more precise auditing capabilities.ECSC-1
SV-48170r2_rule WN08-SO-000040 CCI-000366 LOW The system must be configured to hide the computer from the browse list. Identifying the computer name on a network could provide an attacker with information useful in gaining access. This setting prevents the computer name from displaying in the browse list.ECSC-1
SV-48171r2_rule WN08-SO-000042 CCI-000366 LOW IPSec Exemptions must be limited. IPSec exemption filters allow specific traffic that may be needed by the system for such things as Kerberos authentication. This setting configures Windows for specific IPSec exemptions.ECSC-1
SV-48172r2_rule WN08-SO-000077 CCI-002038 MEDIUM User Account Control approval mode for the built-in Administrator must be enabled. User Account Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. This setting configures the built-in Administrator account so that it runs in Admin Approval Mode.ECCD-1, ECCD-2
SV-48173r2_rule WN08-SO-000078 CCI-001084 MEDIUM User Account Control must, at minimum, prompt administrators for consent on the secure desktop. User Account Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. This setting configures the elevation requirements for logged on administrators to complete a task that requires raised privileges.ECCD-1, ECCD-2
SV-48174r2_rule WN08-SO-000079 CCI-002038 MEDIUM User Account Control must, at minimum, prompt users for credentials on the secure desktop. User Account Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. This setting controls the behavior of elevation when requested by a standard user account.ECCD-1, ECCD-2
SV-48197r2_rule WN08-SO-000080 CCI-001084 MEDIUM User Account Control must be configured to detect application installations and prompt for elevation. User Account Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. This setting requires Windows to respond to application installation requests by prompting for credentials.ECCD-1, ECCD-2
SV-48198r2_rule WN08-SO-000082 CCI-001084 MEDIUM User Account Control must only elevate UIAccess applications that are installed in secure locations. User Account Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. This setting configures Windows to only allow applications installed in a secure location on the file system, such as the Program Files or the Windows\System32 folders, to run with elevated privileges.ECCD-1, ECCD-2
SV-48199r2_rule WN08-SO-000083 CCI-002038 MEDIUM User Account Control must run all administrators in Admin Approval Mode, enabling UAC. User Account Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. This setting enables UAC.ECCD-1, ECCD-2
SV-48200r2_rule WN08-SO-000084 CCI-001084 MEDIUM User Account Control must switch to the secure desktop when prompting for elevation. User Account Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. This setting ensures that the elevation prompt is only used in secure desktop mode.ECCD-1, ECCD-2
SV-48201r2_rule WN08-SO-000085 CCI-001084 MEDIUM User Account Control must virtualize file and registry write failures to per-user locations. User Account Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. This setting configures non-UAC compliant applications to run in virtualized file and registry entries in per-user locations, allowing them to run.ECCD-1, ECCD-2
SV-48202r2_rule WN08-CC-000077 CCI-001084 MEDIUM The system must require username and password to elevate a running application. Enumeration of administrator accounts when elevating can provide part of the logon information to an unauthorized user. This setting configures the system to always require users to type in a username and password to elevate a running application.ECSC-1
SV-48203r1_rule WN08-CC-000096 CCI-002038 MEDIUM Passwords must not be saved in the Remote Desktop Client. Saving passwords in the Remote Desktop Client could allow an unauthorized user to establish a remote desktop session to another system. The system must be configured to prevent users from saving passwords in the Remote Desktop Client.ECSC-1
SV-48204r2_rule WN08-CC-000097 CCI-002314 MEDIUM Users must be prevented from connecting using Remote Desktop Services. Allowing a remote desktop session to a workstation enables another avenue of access that could be exploited. The system must be configured to prevent users from connecting to a computer using Remote Desktop Services.ECSC-1
SV-48205r2_rule WN08-CC-000098 CCI-001090 MEDIUM Local drives must be prevented from sharing with Remote Desktop Session Hosts. Preventing users from sharing the local drives on their client computers to Remote Session Hosts that they access helps reduce possible exposure of sensitive data.ECSC-1
SV-48207r1_rule WN08-CC-000064 CCI-001967 MEDIUM Unauthenticated RPC clients must be restricted from connecting to the RPC server. Configuring RPC to restrict unauthenticated RPC clients from connecting to the RPC server will prevent anonymous connections.ECSC-1
SV-48208r1_rule WN08-CC-000063 CCI-001967 MEDIUM Client computers must be required to authenticate for RPC communication. Configuring RPC to require authentication to the RPC Endpoint Mapper will force clients to provide authentication before RPC communication is established.ECSC-1
SV-48210r1_rule WN08-CC-000037 CCI-000381 MEDIUM Web publishing and online ordering wizards must be prevented from downloading a list of providers. Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and uncontrolled updates to the system. This setting prevents Windows from downloading a list of providers for the Web publishing and online ordering wizards.ECSC-1
SV-48213r1_rule WN08-CC-000039 CCI-000381 MEDIUM Printing over HTTP must be prevented. Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and uncontrolled updates to the system. This setting prevents the client computer from printing over HTTP, which allows the computer to print to printers on the intranet as well as the Internet.ECSC-1
SV-48214r1_rule WN08-CC-000032 CCI-000381 MEDIUM Downloading print driver packages over HTTP must be prevented. Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and uncontrolled updates to the system. This setting prevents the computer from downloading print driver packages over HTTP.ECSC-1
SV-48215r1_rule WN08-CC-000047 CCI-001812 MEDIUM Windows must be prevented from using Windows Update to search for drivers. Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and uncontrolled updates to the system. This setting prevents Windows from searching Windows Update for device drivers when no local drivers for a device are present.DCSL-1
SV-48220r1_rule WN08-CC-000003 CCI-000381 MEDIUM Windows Peer-to-Peer networking services must be turned off. Peer-to-Peer applications can allow unauthorized access to a system and exposure of sensitive data. This setting will turn off the Microsoft Peer-to-Peer Networking Service.ECSC-1
SV-48221r1_rule WN08-CC-000004 CCI-000381 MEDIUM Network Bridges must be prohibited in Windows. A Network Bridge can connect two or more network segments allowing unauthorized access or exposure of sensitive data. This setting prevents a Network Bridge from being installed and configured. ECSC-1
SV-48222r1_rule WN08-CC-000031 CCI-000185 LOW Root Certificates must not be updated automatically from the Microsoft site. Root Certificate updates must be controlled in the enterprise to ensure a proper validation chain is maintained. This setting prevents root certificates from being updated automatically from the Microsoft site.ECSC-1
SV-48223r1_rule WN08-CC-000033 CCI-000381 LOW Event Viewer Events.asp links must be turned off. Viewing events is a function of administrators, who must not access the internet with privileged accounts. This setting will disable Events.asp hyperlinks in Event Viewer to prevent links to the internet from within events.ECSC-1
SV-48225r1_rule WN08-CC-000038 CCI-000381 MEDIUM The Internet File Association service must be turned off. Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and uncontrolled updates to the system. This setting prevents unhandled file associations from using the Microsoft Web service to find an application.ECSC-1
SV-48227r1_rule WN08-CC-000042 CCI-000381 LOW The Order Prints Online wizard must be turned off. Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and uncontrolled updates to the system. This setting ensures the "Order Prints Online" task is not available in File Explorer.ECSC-1
SV-48228r1_rule WN08-CC-000049 CCI-000366 LOW The classic logon screen must be required for user logons. The classic logon screen requires users to enter a logon name and password to access a system. The simple logon screen or Welcome screen displays usernames for selection, providing part of the necessary logon information.ECSC-1
SV-48229r1_rule WN08-CC-000105 CCI-000366 MEDIUM Attachments must be prevented from being downloaded from RSS feeds. Attachments from RSS feeds may not be secure. This setting will prevent attachments from being downloaded from RSS feeds.ECSC-1
SV-48230r1_rule WN08-CC-000091 CCI-000366 MEDIUM File Explorer shell protocol must run in protected mode. The shell protocol will limit the set of folders applications can open when run in protected mode. Restricting files an application can open, to a limited set of folders, increases the security of Windows.ECSC-1
SV-48231r1_rule WN08-CC-000117 CCI-000366 MEDIUM Users must be notified if a web-based program attempts to install software. Users must be aware of attempted program installations. This setting ensures users are notified if a web-based program attempts to install software. ECSC-1
SV-48232r1_rule WN08-CC-000115 CCI-001812 MEDIUM Users must be prevented from changing installation options. Installation options for applications are typically controlled by administrators. This setting prevents users from changing installation options that may bypass security features.ECSC-1
SV-48233r1_rule WN08-CC-000118 CCI-001812 LOW Non-administrators must be prevented from applying vendor-signed updates. Uncontrolled system updates can introduce issues to a system. This setting will prevent users from applying vendor-signed updates (though they may be from a trusted source).ECSC-1
SV-48234r1_rule WN08-CC-000121 CCI-000366 LOW Users must not be presented with Privacy and Installation options on first use of Windows Media Player. Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and uncontrolled updates to the system. This setting prevents users from being presented with Privacy and Installation options on first use of Windows Media Player which could enable some communication with the vendor.ECSC-1
SV-48235r2_rule WN08-CC-000001 CCI-000381 MEDIUM The Mapper I/O network protocol (LLTDIO) driver must be disabled. The Mapper I/O network protocol (LLTDIO) driver allows the discovery of the connected network and allows various options to be enabled. Disabling this helps protect the system from potentially discovering and connecting to unauthorized devices.ECSC-1
SV-48236r2_rule WN08-CC-000002 CCI-000381 MEDIUM The Responder network protocol driver must be disabled. The Responder network protocol driver allows a computer to be discovered and located on a network. Disabling this helps protect the system from potentially being discovered and connected to by unauthorized devices.ECSC-1
SV-48237r2_rule WN08-CC-000012 CCI-000381 MEDIUM The configuration of wireless devices using Windows Connect Now must be disabled. Windows Connect Now allows the discovery and configuration of devices over wireless. Wireless devices must be managed. If a rogue device is connected to a system, there is potential for sensitive information to be compromised.ECSC-1
SV-48238r2_rule WN08-CC-000013 CCI-000381 MEDIUM The Windows Connect Now wizards must be disabled. Windows Connect Now provides wizards for tasks such as "Set up a wireless router or access point" and must not be available to users. Functions such as these may allow unauthorized connections to a system and the potential for sensitive information to be compromised.ECSC-1
SV-48239r2_rule WN08-CC-000019 CCI-000381 MEDIUM Remote access to the Plug and Play interface must be disabled for device installation. Remote access to the Plug and Play interface could potentially allow connections by unauthorized devices. This setting configures remote access to the Plug and Play interface and must be disabled.ECSC-1
SV-48240r2_rule WN08-CC-000021 CCI-000366 LOW A system restore point must be created when a new device driver is installed. A system restore point allows a rollback if an issue is encountered when a new device driver is installed.ECSC-1
SV-48241r2_rule WN08-CC-000020 CCI-000381 LOW An Error Report must not be sent when a generic device driver is installed. Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and uncontrolled updates to the system. This setting prevents an error report from being sent when a generic device driver is installed.ECSC-1
SV-48242r2_rule WN08-CC-000026 CCI-001812 LOW Users must not be prompted to search Windows Update for device drivers. Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and uncontrolled updates to the system. This setting prevents users from being prompted to search Windows Update for device drivers.ECSC-1
SV-48243r2_rule WN08-CC-000035 CCI-000381 LOW Errors in handwriting recognition on tablet PCs must not be reported to Microsoft. Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and uncontrolled updates to the system. This setting prevents errors in handwriting recognition on tablet PCs from being reported to Microsoft.ECSC-1
SV-48244r2_rule WN08-CC-000054 CCI-002038 MEDIUM Users must be prompted for a password on resume from sleep (on battery). Authentication must always be required when accessing a system. This setting ensures the user is prompted for a password on resume from sleep (on battery).ECSC-1
SV-48245r2_rule WN08-CC-000055 CCI-002038 MEDIUM The user must be prompted for a password on resume from sleep (plugged in). Authentication must always be required when accessing a system. This setting ensures the user is prompted for a password on resume from sleep (plugged in).ECSC-1
SV-48246r2_rule WN08-CC-000062 CCI-000366 LOW Remote Assistance log files must be generated. Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. This setting will turn on session logging for Remote Assistance connections.ECSC-1
SV-48248r2_rule WN08-CC-000092 CCI-000366 LOW Game explorer information must not be downloaded from Windows Metadata Services. Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and uncontrolled updates to the system. This setting prevents game information from being downloaded from Windows Metadata Services.ECSC-1
SV-48249r2_rule WN08-CC-000107 CCI-000381 MEDIUM Indexing of encrypted files must be turned off. Indexing of encrypted files may expose sensitive data. This setting prevents encrypted files from being indexed.ECSC-1
SV-48250r2_rule WN08-CC-000108 CCI-000381 LOW Indexing of mail items in Exchange Folder when Outlook is running in uncached mode must be turned off. Indexing of encrypted items may expose sensitive data. This setting prevents mail items in a Microsoft Exchange folder from being indexed when Outlook is running in uncached mode.ECSC-1
SV-48251r2_rule WN08-CC-000111 CCI-000381 MEDIUM Windows Defender SpyNet membership must be disabled. Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and uncontrolled updates to the system. This setting disables SpyNet membership and reporting.ECSC-1
SV-48252r2_rule WN08-CC-000112 CCI-001312 LOW Error Reporting events must be logged in the system event log. Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. This setting ensures that Error Reporting events will be logged in the system event log.ECSC-1
SV-48253r2_rule WN08-CC-000114 CCI-000381 LOW Additional data requests in response to Error Reporting must be declined. Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and uncontrolled updates to the system. This setting prevents additional data requests in response to Error Reporting.ECSC-1
SV-48254r2_rule WN08-CC-000090 CCI-002385 LOW Turning off File Explorer heap termination on corruption must be disabled. Legacy plug-in applications may continue to function when a File Explorer session has become corrupt. Disabling this feature will prevent this.ECSC-1
SV-48255r2_rule WN08-CC-000119 CCI-000366 LOW Users must be notified if the logon server was inaccessible and cached credentials were used. Notifying a user whether cached credentials were used may make them aware of connection issues. ECSC-1
SV-48545r2_rule WN08-CC-000120 CCI-000381 MEDIUM Windows Media Digital Rights Management must be prevented from accessing the Internet. Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and uncontrolled updates to the system. This check verifies that Windows Media DRM will be prevented from accessing the Internet.ECSC-1
SV-48546r1_rule WN08-GE-000020 CCI-000366 MEDIUM Software certificate installation files must be removed from a system. Use of software certificates and their accompanying installation files for end users to access resources is less secure than the use of hardware-based certificates. ECSC-1
SV-48259r2_rule WN08-SO-000081 CCI-001084 MEDIUM Windows must elevate all applications in User Account Control, not just signed ones. User Account Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. This setting configures whether Windows elevates all applications, not just signed ones.ECCD-1, ECCD-2
SV-48260r2_rule WN08-CC-000045 CCI-000381 MEDIUM The Windows Customer Experience Improvement Program must be disabled. Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and uncontrolled updates to the system. This setting ensures the Windows Customer Experience Improvement Program is disabled so information is not passed to the vendor.ECSC-1
SV-48262r1_rule WN08-SO-000001 CCI-000764 MEDIUM The built-in administrator account must be disabled. The built-in administrator account is a well-known account subject to attack. It also provides no accountability to individual administrators on a system. It must be disabled to prevent its use.IAAC-1
SV-48415r1_rule WN08-UR-000016 CCI-002235 HIGH Unauthorized accounts must not have the Debug programs user right. Inappropriate granting of user rights can provide system, administrative, and other high level capabilities. Accounts with the "Debug Programs" user right can attach a debugger to any process or to the kernel, providing complete access to sensitive and critical operating system components. This right is given to Administrators in the default configuration.ECLP-1
SV-48416r2_rule WN08-SO-000035 CCI-000366 MEDIUM The service principal name (SPN) target name validation level must be configured to Accept if provided by client. If a service principle name (SPN) is provided by the client, it is validated against the server's list of SPNs, aiding in the prevention of spoofing.ECSC-1
SV-48419r2_rule WN08-SO-000061 CCI-000778 MEDIUM Services using Local System that use Negotiate when reverting to NTLM authentication must use the computer identity vs. authenticating anonymously. Services using Local System that use Negotiate when reverting to NTLM authentication may gain unauthorized access if allowed to authenticate anonymously vs. using the computer identity.ECSC-1
SV-48422r2_rule WN08-SO-000062 CCI-000366 MEDIUM NTLM must be prevented from falling back to a Null session. NTLM sessions that are allowed to fall back to Null (unauthenticated) sessions may gain unauthorized access.ECSC-1
SV-48424r2_rule WN08-SO-000063 CCI-000366 MEDIUM PKU2U authentication using online identities must be prevented. PKU2U is a peer-to-peer authentication protocol. This setting prevents online identities from authenticating to domain-joined systems. Authentication will be centrally managed with Windows user accounts.ECSC-1
SV-48426r2_rule WN08-SO-000064 CCI-000803 MEDIUM Kerberos encryption types must be configured to prevent the use of DES encryption suites. Certain encryption types are no longer considered secure. This setting configures a minimum encryption type for Kerberos, preventing the use of the DES encryption suites.ECSC-1
SV-48430r2_rule WN08-SO-000037 CCI-000366 LOW IPv6 source routing must be configured to highest protection. Configuring the system to disable IPv6 source routing protects against spoofing.ECSC-1
SV-48433r2_rule WN08-SO-000047 CCI-002385 LOW IPv6 TCP data retransmissions must be configured to prevent resources from becoming exhausted. Configuring Windows to limit the number of times that IPv6 TCP retransmits unacknowledged data segments before aborting the attempt helps prevent resources from becoming exhausted.ECSC-1
SV-48437r2_rule WN08-CC-000005 CCI-001084 LOW Domain users must be required to elevate when setting a networks location. Selecting an incorrect network location may allow greater exposure of a system. Elevation is required by default on non-domain systems to change network location. This setting configures elevation to also be required on domain-joined systems.ECSC-1
SV-48443r2_rule WN08-CC-000006 CCI-000366 LOW All Direct Access traffic must be routed through the internal network. Routing all Direct Access traffic through the internal network allows monitoring and prevents split tunneling.ECSC-1
SV-48548r2_rule WN08-CC-000016 CCI-001812 LOW Windows Update must be prevented from searching for point and print drivers. Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and uncontrolled updates to the system. This setting will prevent Windows from searching Windows Update for point and print drivers. Only the local driver store and server driver cache will be searched.ECSC-1
SV-48449r2_rule WN08-CC-000022 CCI-000381 LOW Device metadata retrieval from the Internet must be prevented. Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and uncontrolled updates to the system. This setting will prevent Windows from retrieving device metadata from the Internet.ECSC-1
SV-48451r2_rule WN08-CC-000024 CCI-001812 LOW Device driver searches using Windows Update must be prevented. Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and uncontrolled updates to the system. This setting will prevent the system from searching Windows Update for device drivers.ECSC-1
SV-48454r2_rule WN08-CC-000034 CCI-000381 LOW Handwriting personalization data sharing with Microsoft must be prevented. Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and uncontrolled updates to the system. This setting prevents data from the handwriting recognition personalization tool being shared with Microsoft.ECSC-1
SV-48459r2_rule WN08-CC-000066 CCI-000381 LOW Microsoft Support Diagnostic Tool (MSDT) interactive communication with Microsoft must be prevented. Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and uncontrolled updates to the system. This setting prevents the MSDT from communicating with and sending collected data to Microsoft, the default support provider.ECSC-1
SV-48463r2_rule WN08-CC-000067 CCI-000381 LOW Access to Windows Online Troubleshooting Service (WOTS) must be prevented. Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and uncontrolled updates to the system. This setting prevents users from searching troubleshooting content on Microsoft servers. Only local content will be available.ECSC-1
SV-48468r2_rule WN08-CC-000068 CCI-000381 LOW Responsiveness events must be prevented from being aggregated and sent to Microsoft. Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and uncontrolled updates to the system. This setting prevents responsiveness events from being aggregated and sent to Microsoft.ECSC-1
SV-48471r2_rule WN08-CC-000071 CCI-000381 LOW The Application Compatibility Program Inventory must be prevented from collecting data and sending the information to Microsoft. Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and uncontrolled updates to the system. This setting will prevent the Program Inventory from collecting data about a system and sending the information to Microsoft.ECSC-1
SV-48473r2_rule WN08-CC-000072 CCI-001764 HIGH Autoplay must be turned off for non-volume devices. Allowing autoplay to execute may introduce malicious code to a system. Autoplay begins reading from a drive as soon as you insert media in the drive. As a result, the setup file of programs or music on audio media may start. This setting will disable autoplay for non-volume devices (such as Media Transfer Protocol (MTP) devices).ECSC-1
SV-48477r2_rule WN08-CC-000093 CCI-001812 LOW Downloading of game update information must be turned off. Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and uncontrolled updates to the system. This setting will prevent the system from downloading game update information from Windows Metadata Services.ECSC-1
SV-48479r2_rule WN08-CC-000094 CCI-000381 MEDIUM The system must be prevented from joining a homegroup. Homegroups are a method of sharing data and printers on a home network. This setting will prevent a system from being joined to a homegroup. ECSC-1
SV-48482r2_rule WN08-CC-000089 CCI-002824 MEDIUM Explorer Data Execution Prevention must be enabled. Data Execution Prevention (DEP) provides additional protection by performing checks on memory to help prevent malicious code from running. This setting will prevent Data Execution Prevention from being turned off for File Explorer.ECSC-1
SV-48485r2_rule WN08-CC-000073 CCI-001764 HIGH The default autorun behavior must be configured to prevent autorun commands. Allowing autorun commands to execute may introduce malicious code to a system. Configuring this setting prevents autorun commands from executing.ECSC-1
SV-48508r2_rule WN08-SO-000051 CCI-000366 HIGH Anonymous enumeration of SAM accounts must not be allowed. Anonymous enumeration of SAM accounts allows anonymous log on users (null session connections) to list all accounts names, thus providing a list of potential points to attack the system.ECSC-1
SV-48533r2_rule WN08-UR-000006 CCI-000213 MEDIUM Unauthorized accounts must not have the Allow log on through Remote Desktop Services user right. Inappropriate granting of user rights can provide system, administrative, and other high level capabilities. Accounts with the "Allow log on through Remote Desktop Services" user right can access a system through Remote Desktop.ECLP-1
SV-48531r2_rule WN08-UR-000012 CCI-002235 HIGH No accounts must have the Create a token object user right. Inappropriate granting of user rights can provide system, administrative, and other high level capabilities. The "Create a token object" user right allows a process to create an access token. This could be used to provide elevated rights and compromise a system.ECLP-1
SV-48491r2_rule WN08-UR-000014 CCI-002235 MEDIUM Unauthorized accounts must not have the Create permanent shared objects user right. Inappropriate granting of user rights can provide system, administrative, and other high level capabilities. Accounts with the "Create permanent shared objects" user right could expose sensitive data by creating shared objects.ECLP-1
SV-48495r1_rule WN08-UR-000018 CCI-000213 MEDIUM The Deny log on as a batch job user right on workstations must be configured to prevent access from highly privileged domain accounts on domain systems and unauthenticated access on all systems. Inappropriate granting of user rights can provide system, administrative, and other high level capabilities. The "Deny log on as a batch job" right defines accounts that are prevented from logging on to the system as a batch job, such as Task Scheduler. In an Active Directory Domain, denying logons to the Enterprise Admins and Domain Admins groups on lower trust systems helps mitigate the risk of privilege escalation from credential theft attacks which could lead to the compromise of an entire domain. The Guests group must be assigned to prevent unauthenticated access.ECLP-1
SV-48503r1_rule WN08-UR-000019 CCI-000213 MEDIUM The Deny log on as a service user right on workstations must be configured to prevent access from highly privileged domain accounts on domain systems and unauthenticated access on all systems. Inappropriate granting of user rights can provide system, administrative, and other high level capabilities. The "Deny log on as a service" right defines accounts that are denied log on as a service. In an Active Directory Domain, denying logons to the Enterprise Admins and Domain Admins groups on lower trust systems helps mitigate the risk of privilege escalation from credential theft attacks which could lead to the compromise of an entire domain. Incorrect configurations could prevent services from starting and result in a DoS.ECLP-1
SV-48506r2_rule WN08-UR-000020 CCI-000213 MEDIUM The Deny log on locally user right on workstations must be configured to prevent access from highly privileged domain accounts on domain systems and unauthenticated access on all systems. Inappropriate granting of user rights can provide system, administrative, and other high level capabilities. The "Deny log on locally" right defines accounts that are prevented from logging on interactively. In an Active Directory Domain, denying logons to the Enterprise Admins and Domain Admins groups on lower trust systems helps mitigate the risk of privilege escalation from credential theft attacks which could lead to the compromise of an entire domain. The Guests group must be assigned this right to prevent unauthenticated access.ECLP-1
SV-48524r2_rule WN08-UR-000021 CCI-000213 MEDIUM The Deny log on through Remote Desktop Services user right on workstations must at a minimum be configured to prevent access from highly privileged domain accounts and local administrator accounts on domain systems and unauthenticated access on all systems. Inappropriate granting of user rights can provide system, administrative, and other high level capabilities. The "Deny log on through Remote Desktop Services" right defines the accounts that are prevented from logging on using Remote Desktop Services. If Remote Desktop Services is not used by the organization, the Everyone group must be assigned this right to prevent all access. In an Active Directory Domain, denying logons to the Enterprise Admins and Domain Admins groups on lower trust systems helps mitigate the risk of privilege escalation from credential theft attacks which could lead to the compromise of an entire domain. Local administrator accounts on domain-joined systems must also be assigned this right to decrease the risk of lateral movement resulting from credential theft attacks. The Guests group must be assigned this right to prevent unauthenticated access.ECLP-1
SV-48528r2_rule WN08-UR-000022 CCI-002235 MEDIUM Unauthorized accounts must not have the Enable computer and user accounts to be trusted for delegation user right. Inappropriate granting of user rights can provide system, administrative, and other high level capabilities. The "Enable computer and user accounts to be trusted for delegation" user right allows the "Trusted for Delegation" setting to be changed. This could potentially allow unauthorized users to impersonate other users.ECLP-1
SV-48540r2_rule WN08-UR-000029 CCI-002235 MEDIUM Unauthorized accounts must not have the Lock pages in memory user right. Inappropriate granting of user rights can provide system, administrative, and other high level capabilities. The "Lock pages in memory" user right allows physical memory to be assigned to processes, which could cause performance issues or a DoS.ECLP-1
SV-48541r2_rule WN08-UR-000030 CCI-000213 MEDIUM Unauthorized accounts must not have the Log on as a batch job user right. Inappropriate granting of user rights can provide system, administrative, and other high level capabilities. The "Log on as a batch job" user right allows accounts to log on using the task scheduler service, which must be restricted.ECLP-1
SV-48523r2_rule WN08-UR-000033 CCI-002235 MEDIUM Unauthorized accounts must not have the Modify an object label user right. Inappropriate granting of user rights can provide system, administrative, and other high level capabilities. Accounts with the "Modify an object label" user right can change the integrity label of an object. This could potentially be used to execute code at a higher privilege.ECLP-1
SV-48512r2_rule WN08-UR-000039 CCI-002235 MEDIUM Unauthorized accounts must not have the Replace a process level token user right. Inappropriate granting of user rights can provide system, administrative, and other high level capabilities. The "Replace a process level token" user right allows one process or service to start another process or service with a different security access token. A user with this right could use this to impersonate another account.ECLP-1
SV-48505r2_rule WN08-AU-000002 CCI-000172 MEDIUM The system must be configured to audit Account Logon - Credential Validation successes. Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. Credential validation records events related to validation tests on credentials for a user account logon. ECAR-2, ECAR-3
SV-48489r2_rule WN08-AU-000001 CCI-000172 MEDIUM The system must be configured to audit Account Logon - Credential Validation failures. Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. Credential validation records events related to validation tests on credentials for a user account logon. ECAR-2, ECAR-3
SV-48486r2_rule WN08-AU-000004 CCI-000172 MEDIUM The system must be configured to audit Account Management - Other Account Management Events successes. Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. Other Account Management records events such as the access of a password hash or the Password Policy Checking API being called.ECAR-2, ECAR-3
SV-48492r2_rule WN08-AU-000003 CCI-000172 MEDIUM The system must be configured to audit Account Management - Other Account Management Events failures. Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. Other Account Management records events such as the access of a password hash or the Password Policy Checking API being called.ECAR-2, ECAR-3
SV-48475r2_rule WN08-AU-000006 CCI-000172 MEDIUM The system must be configured to audit Account Management - Security Group Management successes. Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. Security Group Management records events such as creating, deleting or changing of security groups, including changes in group members.ECAR-2, ECAR-3
SV-48472r2_rule WN08-AU-000005 CCI-000172 MEDIUM The system must be configured to audit Account Management - Security Group Management failures. Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. Security Group Management records events such as creating, deleting or changing of security groups, including changes in group members.ECAR-2, ECAR-3
SV-48470r2_rule WN08-AU-000008 CCI-000172 MEDIUM The system must be configured to audit Account Management - User Account Management successes. Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. User Account Management records events such as creating, changing, deleting, renaming, disabling, or enabling user accounts.ECAR-2, ECAR-3
SV-48469r2_rule WN08-AU-000007 CCI-000172 MEDIUM The system must be configured to audit Account Management - User Account Management failures. Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. User Account Management records events such as creating, changing, deleting, renaming, disabling, or enabling user accounts.ECAR-2, ECAR-3
SV-48467r2_rule WN08-AU-000009 CCI-000172 MEDIUM The system must be configured to audit Detailed Tracking - Process Creation successes. Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. Process creation records events related to the creation of a process and the source.ECAR-2, ECAR-3
SV-48490r2_rule WN08-AU-000010 CCI-000172 MEDIUM The system must be configured to audit Logon/Logoff - Logoff successes. Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. Logoff records user logoffs. If this is an interactive logoff, it is recorded on the local system. If it is to a network share, it is recorded on the system accessed.ECAR-2, ECAR-3
SV-48447r2_rule WN08-AU-000012 CCI-000172 MEDIUM The system must be configured to audit Logon/Logoff - Logon successes. Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. Logon records user logons. If this is an interactive logon, it is recorded on the local system. If it is to a network share, it is recorded on the system accessed.ECAR-2, ECAR-3
SV-48446r2_rule WN08-AU-000011 CCI-000172 MEDIUM The system must be configured to audit Logon/Logoff - Logon failures. Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. Logon records user logons. If this is an interactive logon, it is recorded on the local system. If it is to a network share, it is recorded on the system accessed.ECAR-2, ECAR-3
SV-48423r2_rule WN08-AU-000013 CCI-000172 MEDIUM The system must be configured to audit Logon/Logoff - Special Logon successes. Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. Special Logon records special logons which have administrative privileges and can be used to elevate processes.ECAR-2, ECAR-3
SV-48421r2_rule WN08-AU-000014 CCI-000172 MEDIUM The system must be configured to audit Object Access - File System failures. Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. File System auditing under Object Access is used to enable the recording of events related to the access and changing of files and directories. Auditing must also be enabled on the specific file system objects to be audited.ECAR-2, ECAR-3
SV-48420r2_rule WN08-AU-000015 CCI-000172 MEDIUM The system must be configured to audit Object Access - Registry failures. Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. Registry auditing under Object Access is used to enable the recording of events related to the access and changing of the registry. Auditing must also be enabled on the specific registry objects to be audited.ECAR-2, ECAR-3
SV-48418r2_rule WN08-AU-000019 CCI-000172 MEDIUM The system must be configured to audit Policy Change - Audit Policy Change successes. Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. Audit Policy Change records events related to changes in audit policy.ECAR-2, ECAR-3
SV-48417r2_rule WN08-AU-000018 CCI-000172 MEDIUM The system must be configured to audit Policy Change - Audit Policy Change failures. Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. Audit Policy Change records events related to changes in audit policy.ECAR-2, ECAR-3
SV-48414r2_rule WN08-AU-000020 CCI-000172 MEDIUM The system must be configured to audit Policy Change - Authentication Policy Change successes. Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. Authentication Policy Change records events related to changes in authentication policy including Kerberos policy and Trust changes.ECAR-2, ECAR-3
SV-48412r2_rule WN08-AU-000022 CCI-000172 MEDIUM The system must be configured to audit Privilege Use - Sensitive Privilege Use successes. Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. Sensitive Privilege Use records events related to use of sensitive privileges, such as "Act as part of the operating system" or "Debug programs".ECAR-2, ECAR-3
SV-48411r2_rule WN08-AU-000021 CCI-000172 MEDIUM The system must be configured to audit Privilege Use - Sensitive Privilege Use failures. Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. Sensitive Privilege Use records events related to use of sensitive privileges, such as "Act as part of the operating system" or "Debug programs".ECAR-2, ECAR-3
SV-48409r2_rule WN08-AU-000024 CCI-000172 MEDIUM The system must be configured to audit System - IPSec Driver successes. Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. IPSec Driver records events related to the IPSec Driver such as dropped packets.ECAR-2, ECAR-3
SV-48408r2_rule WN08-AU-000023 CCI-000172 MEDIUM The system must be configured to audit System - IPSec Driver failures. Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. IPSec Driver records events related to the IPSec Driver such as dropped packets.ECAR-2, ECAR-3
SV-48406r2_rule WN08-AU-000026 CCI-000172 MEDIUM The system must be configured to audit System - Security State Change successes. "Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. Security State Change records events related to changes in the security state, such as startup and shutdown of the system."ECAR-2, ECAR-3
SV-48405r2_rule WN08-AU-000025 CCI-000172 MEDIUM The system must be configured to audit System - Security State Change failures. "Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. Security State Change records events related to changes in the security state such as startup and shutdown of the system."ECAR-2, ECAR-3
SV-48365r2_rule WN08-AU-000028 CCI-000172 MEDIUM The system must be configured to audit System - Security System Extension successes. Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. Security System Extension records events related to extension code being loaded by the security subsystem.ECAR-2, ECAR-3
SV-48364r2_rule WN08-AU-000027 CCI-000172 MEDIUM The system must be configured to audit System - Security System Extension failures. Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. Security System Extension records events related to extension code being loaded by the security subsystem.ECAR-2, ECAR-3
SV-48363r2_rule WN08-AU-000030 CCI-000172 MEDIUM The system must be configured to audit System - System Integrity successes. Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. System Integrity records events related to violations of integrity to the security subsystem.ECAR-2, ECAR-3
SV-48361r2_rule WN08-AU-000029 CCI-000172 MEDIUM The system must be configured to audit System - System Integrity failures. Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. System Integrity records events related to violations of integrity to the security subsystem.ECAR-2, ECAR-3
SV-48359r3_rule WN08-CC-000007 CCI-000381 MEDIUM The 6to4 IPv6 transition technology must be disabled. IPv6 transition technologies, which tunnel packets through other protocols, do not provide visibility.ECSC-1
SV-48355r3_rule WN08-CC-000008 CCI-000381 MEDIUM The IP-HTTPS IPv6 transition technology must be disabled. IPv6 transition technologies, which tunnel packets through other protocols, do not provide visibility.ECSC-1
SV-48353r3_rule WN08-CC-000009 CCI-000381 MEDIUM The ISATAP IPv6 transition technology must be disabled. IPv6 transition technologies, which tunnel packets through other protocols, do not provide visibility.ECSC-1
SV-48349r3_rule WN08-CC-000010 CCI-000382 MEDIUM The Teredo IPv6 transition technology must be disabled. IPv6 transition technologies, which tunnel packets through other protocols, do not provide visibility.ECSC-1
SV-48345r2_rule WN08-CC-000084 CCI-001849 MEDIUM The Application event log must be configured to a minimum size requirement. Inadequate log size will cause the log to fill up quickly and require frequent clearing by administrative personnel.ECRR-1
SV-48343r2_rule WN08-CC-000085 CCI-001849 MEDIUM The Security event log must be configured to a minimum size requirement. Inadequate log size will cause the log to fill up quickly and require frequent clearing by administrative personnel.ECRR-1
SV-48339r2_rule WN08-CC-000086 CCI-001849 MEDIUM The Setup event log must be configured to a minimum size requirement. Inadequate log size will cause the log to fill up quickly and require frequent clearing by administrative personnel.ECRR-1
SV-48336r2_rule WN08-CC-000087 CCI-001849 MEDIUM The System event log must be configured to a minimum size requirement. Inadequate log size will cause the log to fill up quickly and require frequent clearing by administrative personnel.ECRR-1
SV-48334r2_rule WN08-UR-000031 CCI-000213 MEDIUM Unauthorized users must not have the Log on as a service user right. Inappropriate granting of user rights can provide system, administrative, and other high level capabilities. Accounts with the "Log on as a service" user right are able to launch network services or register a process as a service on a system.ECLP-1
SV-48494r2_rule WN08-CC-000023 CCI-000381 LOW Windows must be prevented from sending an error report when a device driver requests additional software during installation. Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and uncontrolled updates to the system. This setting will prevent Windows from sending an error report to Microsoft when a device driver requests additional software during installation.ECSC-1
SV-48347r1_rule WN08-CC-000116 CCI-001812 HIGH The Windows Installer Always install with elevated privileges must be disabled. Standard user accounts must not be granted elevated privileges. Enabling Windows Installer to elevate privileges when installing applications can allow malicious persons and applications to gain full control of a system.ECLP-1
SV-48291r2_rule WN08-CC-000014 CCI-000366 MEDIUM Simultaneous connections to the Internet or a Windows domain must be limited. Multiple network connections can provide additional attack vectors to a system and must be limited.ECSC-1
SV-48292r2_rule WN08-CC-000015 CCI-000366 MEDIUM Connections to non-domain networks when connected to a domain authenticated network must be blocked. Multiple network connections can provide additional attack vectors to a system and should be limited. When connected to a domain, communication must go through the domain connection.ECSC-1
SV-48293r2_rule WN08-CC-000017 CCI-000366 LOW Users must only be allowed to point and print to machines in their forest. Uncontrolled system updates can introduce issues to a system. Obtaining update components from an outside source may also potentially provide sensitive information outside of the enterprise. Configuring this setting will restrict, but allow users to obtain print drivers for printers in their forest.ECSC-1
SV-48296r2_rule WN08-CC-000018 CCI-001812 LOW Optional component installation and component repair must be prevented from using Windows Update. Uncontrolled system updates can introduce issues to a system. Obtaining update components from an outside source may also potentially provide sensitive information outside of the enterprise. Optional component installation or repair must be obtained from an internal source.ECSC-1
SV-48297r2_rule WN08-CC-000025 CCI-001812 LOW Device driver updates must only search managed servers, not Windows Update. Uncontrolled system updates can introduce issues to a system. Obtaining update components from an outside source may also potentially provide sensitive information outside of the enterprise. Device driver updates must be obtained from an internal source.ECSC-1
SV-48299r2_rule WN08-CC-000027 CCI-000366 MEDIUM Early Launch Antimalware, Boot-Start Driver Initialization Policy must be enabled and configured to only Good and Unknown. Compromised boot drivers can introduce malware prior to some protection mechanisms that load after initialization. The Early Launch Antimalware driver can limit allowed drivers based on classifications determined by the malware protection application. At a minimum, drivers determined to be bad must not be allowed.ECVP-1
SV-48300r2_rule WN08-CC-000030 CCI-000366 MEDIUM Access to the Windows Store must be turned off. Uncontrolled installation of applications can introduce various issues, including system instability and allow access to sensitive information. Installation of applications must be controlled by the enterprise. Turning off access to the Windows Store will limit access to publicly available applications.ECSC-1
SV-48301r2_rule WN08-CC-000048 CCI-000381 MEDIUM Copying of user input methods to the system account for sign-in must be prevented. Allowing different input methods for sign-in could open different avenues of attack. User input methods must be restricted to those enabled for the system account at sign-in.ECSC-1
SV-48303r2_rule WN08-CC-000050 CCI-000381 MEDIUM Connected users on domain-joined computers must not be enumerated. The username is one part of logon credentials that could be used to gain access to a system. Preventing the enumeration of users limits this information to unauthorized personnel.ECSC-1
SV-48304r3_rule WN08-CC-000051 CCI-000381 MEDIUM Local users on domain-joined computers must not be enumerated. The username is one part of logon credentials that could be used to gain access to a system. Preventing the enumeration of users limits this information to authorized personnel.ECSC-1
SV-48310r2_rule WN08-CC-000052 CCI-000381 MEDIUM App notifications on the lock screen must be turned off. App notifications that are displayed on the lock screen could display sensitive information to unauthorized personnel. Turning off this feature will limit access to the information to a logged on user.ECSC-1
SV-48312r2_rule WN08-CC-000053 CCI-000381 MEDIUM Signing in using a PIN must be turned off. Strong sign-on must be used to protect a system. The PIN feature is limited to 4 numbers and caches the domain password in the system vault.IAIA-1
SV-48313r2_rule WN08-CC-000056 CCI-000366 LOW The display must turn off after 20 minutes of inactivity when the system is running on battery. Turning off an inactive display supports energy saving initiatives. It may also extend availability on systems running on a battery.ECSC-1
SV-48314r2_rule WN08-CC-000057 CCI-000366 LOW The display must turn off after 20 minutes of inactivity when the system is plugged in. Turning off an inactive display supports energy saving initiatives.ECSC-1
SV-48315r2_rule WN08-CC-000060 CCI-000366 LOW Remote assistance must display a warning message when allowing helpdesk personnel to control a system. Requiring warning text to display when allowing helpdesk personnel to control remote assistance sessions ensures personnel of the activity and enforces the need to monitor the activity.ECWM-1
SV-48317r2_rule WN08-CC-000061 CCI-000366 LOW Remote assistance must display a warning message when allowing helpdesk personnel to connect to a system. Requiring warning text to display when allowing helpdesk personnel to connect to a system with remote assistance ensures personnel are aware of the activity and enforces the need to monitor the activity.ECWM-1
SV-48319r2_rule WN08-CC-000065 CCI-000381 LOW The detection of compatibility issues for applications and drivers must be turned off. Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and uncontrolled updates to the system.ECSC-1
SV-48321r2_rule WN08-CC-000070 CCI-000366 LOW Trusted app installation must be enabled to allow for signed enterprise line of business apps. Enabling trusted app installation allows for enterprise line of business Windows 8 type apps. A trusted app package is one that is signed with a certificate chain that can be successfully validated in the enterprise. Configuring this ensures enterprise line of business apps are accessible.ECSC-1
SV-48322r2_rule WN08-CC-000075 CCI-000381 MEDIUM The use of biometrics must be disabled. Allowing biometrics may bypass required authentication methods. Biometrics may only be used as an additional authentication factor where an enhanced strength of identity credential is necessary or desirable. Additional factors must be met per DoD policy.IAIA-1
SV-48325r2_rule WN08-CC-000076 CCI-000206 MEDIUM The password reveal button must not be displayed. Visible passwords may be seen by nearby persons, compromising them. The password reveal button can be used to display an entered password and must not be allowed.IAIA-1
SV-48326r5_rule WN08-CC-000078 CCI-002824 MEDIUM The Enhanced Mitigation Experience Toolkit (EMET) system-wide Address Space Layout Randomization (ASLR) must be enabled and configured to Application Opt In. Attackers are constantly looking for vulnerabilities in systems and applications. The Enhanced Mitigation Experience Toolkit can enable several mechanisms, such as Data Execution Prevention (DEP), Address Space Layout Randomization (ASLR), and Structured Exception Handler Overwrite Protection (SEHOP) on the system and applications adding additional levels of protection.ECVP-1
SV-48328r4_rule WN08-CC-000079 CCI-002824 MEDIUM The Enhanced Mitigation Experience Toolkit (EMET) Default Protections for Internet Explorer must be enabled. Attackers are constantly looking for vulnerabilities in systems and applications. The Enhanced Mitigation Experience Toolkit can enable several mechanisms, such as Data Execution Prevention (DEP), Address Space Layout Randomization (ASLR), and Structured Exception Handler Overwrite Protection (SEHOP) on the system and applications adding additional levels of protection.ECVP-1
SV-48329r4_rule WN08-CC-000080 CCI-002824 MEDIUM The Enhanced Mitigation Experience Toolkit (EMET) Default Protections for Recommended Software must be enabled. Attackers are constantly looking for vulnerabilities in systems and applications. The Enhanced Mitigation Experience Toolkit can enable several mechanisms, such as Data Execution Prevention (DEP), Address Space Layout Randomization (ASLR), and Structured Exception Handler Overwrite Protection (SEHOP) on the system and applications adding additional levels of protection.ECVP-1
SV-48331r4_rule WN08-CC-000081 CCI-002824 MEDIUM The Enhanced Mitigation Experience Toolkit (EMET) Default Protections for Popular Software must be enabled. Attackers are constantly looking for vulnerabilities in systems and applications. The Enhanced Mitigation Experience Toolkit can enable several mechanisms, such as Data Execution Prevention (DEP), Address Space Layout Randomization (ASLR), and Structured Exception Handler Overwrite Protection (SEHOP) on the system and applications adding additional levels of protection.ECVP-1
SV-48332r5_rule WN08-CC-000082 CCI-002824 MEDIUM The Enhanced Mitigation Experience Toolkit (EMET) system-wide Data Execution Prevention (DEP) must be enabled and configured to at least Application Opt Out. Attackers are constantly looking for vulnerabilities in systems and applications. The Enhanced Mitigation Experience Toolkit can enable several mechanisms, such as Data Execution Prevention (DEP), Address Space Layout Randomization (ASLR), and Structured Exception Handler Overwrite Protection (SEHOP) on the system and applications adding additional levels of protection.ECVP-1
SV-48335r5_rule WN08-CC-000083 CCI-002824 MEDIUM The Enhanced Mitigation Experience Toolkit (EMET) system-wide Structured Exception Handler Overwrite Protection (SEHOP) must be configured to Application Opt Out. Attackers are constantly looking for vulnerabilities in systems and applications. The Enhanced Mitigation Experience Toolkit can enable several mechanisms, such as Data Execution Prevention (DEP), Address Space Layout Randomization (ASLR), and Structured Exception Handler Overwrite Protection (SEHOP) on the system and applications adding additional levels of protection.ECVP-1
SV-48337r2_rule WN08-CC-000088 CCI-000381 LOW The Windows SmartScreen must be turned off. Some features may send system information to the vendor. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise.ECSC-1
SV-48338r2_rule WN08-CC-000095 CCI-000381 MEDIUM The location feature must be turned off. The location service on mobile devices may allow sensitive data to be used by applications on the system. This should be turned off unless explicitly allowed for approved systems/applications.ECSC-1
SV-48340r2_rule WN08-CC-000106 CCI-000381 MEDIUM Basic authentication for RSS feeds over HTTP must be turned off. Basic authentication uses plain text passwords that could be used to compromise a system.ECSC-1
SV-48341r2_rule WN08-CC-000109 CCI-000366 LOW Automatic download of updates from the Windows Store must be turned off. Uncontrolled system updates can introduce issues to a system. Obtaining update components from an outside source may also potentially allow sensitive information outside of the enterprise. Application updates must be obtained from an internal source.ECSC-1
SV-48344r2_rule WN08-CC-000110 CCI-000366 MEDIUM The Windows Store application must be turned off. Uncontrolled installation of applications can introduce various issues including system instability, and provide access to sensitive information. Installation of applications must be controlled by the enterprise. Turning off access to the Windows Store will limit access to publicly available applications.ECSC-1
SV-48348r2_rule WN08-CC-000123 CCI-000877 HIGH The Windows Remote Management (WinRM) client must not use Basic authentication. Basic authentication uses plain text passwords that could be used to compromise a system.IAIA-1
SV-48350r2_rule WN08-CC-000124 CCI-003123 MEDIUM The Windows Remote Management (WinRM) client must not allow unencrypted traffic. Unencrypted remote access to a system can allow sensitive information to be compromised. Windows remote management connections must be encrypted to prevent this.ECCT-1
SV-48352r2_rule WN08-CC-000125 CCI-000877 MEDIUM The Windows Remote Management (WinRM) client must not use Digest authentication. Digest authentication is not as strong as other options and may be subject to man-in-the-middle attacks.IAIA-1
SV-48366r2_rule WN08-CC-000126 CCI-000877 HIGH The Windows Remote Management (WinRM) service must not use Basic authentication. Basic authentication uses plain text passwords that could be used to compromise a system. ECSC-1
SV-48367r2_rule WN08-CC-000127 CCI-003123 MEDIUM The Windows Remote Management (WinRM) service must not allow unencrypted traffic. Unencrypted remote access to a system can allow sensitive information to be compromised. Windows remote management connections must be encrypted to prevent this.ECCT-1
SV-48368r2_rule WN08-CC-000128 CCI-002038 MEDIUM The Windows Remote Management (WinRM) service must not store RunAs credentials. Storage of administrative credentials could allow unauthorized access. Disallowing the storage of RunAs credentials for Windows Remote Management will prevent them from being used with plug-ins.ECLP-1
SV-48456r3_rule WN08-RG-000003 CCI-001084 MEDIUM Local administrator accounts must have their privileged token filtered to prevent elevated privileges from being used over the network on domain systems. A compromised local administrator account can provide means for an attacker to move laterally between domain systems. With User Account Control enabled, filtering the privileged token for built-in administrator accounts will prevent the elevated privileges of these accounts from being used over the network.ECCD-1
SV-50953r3_rule WN08-GE-000100 CCI-000366 MEDIUM The Enhanced Mitigation Experience Toolkit (EMET) V4.1 Update 1 or later must be installed on the system. Attackers are constantly looking for vulnerabilities in systems and applications. The Enhanced Mitigation Experience Toolkit can enable several mechanisms, such as Data Execution Prevention (DEP), Address Space Layout Randomization (ASLR), and Structured Exception Handler Overwrite Protection (SEHOP) on the system and applications adding additional levels of protection.ECVP-1
SV-58423r2_rule WN08-GE-000200 CCI-000366 LOW A group named DenyNetworkAccess must be defined on domain systems to include all local administrator accounts. (Windows 8) Several user rights on domain systems require that local administrator accounts be assigned to them. Defining a consistent group name allows compliance to be more easily determined.ECLP-1