From a7a47f9a26d56d0c6c6818a79796fc097ad45b8e Mon Sep 17 00:00:00 2001 From: Brian Wilhite Date: Wed, 14 Aug 2019 10:44:28 -0400 Subject: [PATCH] fixed AuditSetting SP Rule on Windows STIGs --- CHANGELOG.md | 1 + .../Convert/AuditSettingRule.Convert.psm1 | 2 +- StigData/Processed/WindowsClient-10-1.17.xml | 4 +- StigData/Processed/WindowsClient-10-1.18.xml | 44 +-- .../WindowsServer-2012R2-DC-2.16.xml | 4 +- .../WindowsServer-2012R2-DC-2.17.xml | 4 +- .../WindowsServer-2012R2-MS-2.15.xml | 28 +- .../WindowsServer-2012R2-MS-2.16.xml | 362 +++++++++--------- .../Processed/WindowsServer-2016-DC-1.7.xml | 4 +- .../Processed/WindowsServer-2016-DC-1.8.xml | 4 +- .../Processed/WindowsServer-2016-MS-1.7.xml | 4 +- .../Processed/WindowsServer-2016-MS-1.8.xml | 4 +- .../AuditSettingRule.Integration.tests.ps1 | 6 +- Tests/Unit/Module/HardCodedRule.tests.ps1 | 4 +- 14 files changed, 238 insertions(+), 237 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 51c32df5f..d01c19265 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,7 @@ ## Unreleased +* Fixed [#476](https://github.com/microsoft/PowerStig/issues/476): AuditSetting Rule for Windows STIGs has an incorrect operator when evaluating Service Pack information * Added support for Dot Net Framework 4.0 STIG, Version 1, Release 8 [#447](https://github.com/microsoft/PowerStig/issues/447) * Added support for Windows 10 STIG, Version 1, Release 17 & 18: [#466](https://github.com/microsoft/PowerStig/issues/466) * Added support for Windows 2012 Server DNS STIG, Version 1, Release 12 [#464](https://github.com/microsoft/PowerStig/issues/464) diff --git a/Module/Rule.AuditSetting/Convert/AuditSettingRule.Convert.psm1 b/Module/Rule.AuditSetting/Convert/AuditSettingRule.Convert.psm1 index cd185350b..ec6afa703 100644 --- a/Module/Rule.AuditSetting/Convert/AuditSettingRule.Convert.psm1 +++ b/Module/Rule.AuditSetting/Convert/AuditSettingRule.Convert.psm1 
@@ -47,7 +47,7 @@ Class AuditSettingRuleConvert : AuditSettingRule Write-Verbose "[$($MyInvocation.MyCommand.Name)] Service Pack" $this.Query = 'SELECT * FROM Win32_OperatingSystem' $this.Property = 'Version' - $this.Operator = '-ge' + $this.Operator = '-le' $this.rawString -match "(?:Version\s*)(\d+(\.\d+)?)" | Out-Null diff --git a/StigData/Processed/WindowsClient-10-1.17.xml b/StigData/Processed/WindowsClient-10-1.17.xml index 6c0efc5b3..16bbdc0bf 100644 --- a/StigData/Processed/WindowsClient-10-1.17.xml +++ b/StigData/Processed/WindowsClient-10-1.17.xml @@ -1,4 +1,4 @@ - + <VulnDiscussion>The account lockout feature, when enabled, prevents brute-force password attacks on the system. This parameter specifies the amount of time that an account will remain locked after the specified number of failed logon attempts.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> @@ -908,7 +908,7 @@ A separate servicing branch intended for special purpose systems is the Long-Ter 10.0.15063 False - -ge + -le False Version diff --git a/StigData/Processed/WindowsClient-10-1.18.xml b/StigData/Processed/WindowsClient-10-1.18.xml index 15a1acc6d..1169f9c26 100644 --- a/StigData/Processed/WindowsClient-10-1.18.xml +++ b/StigData/Processed/WindowsClient-10-1.18.xml 
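Review bot: The flipped operator on `$this.Operator = '-le'` carries no comment saying from which side the comparison is applied, so the direction of the fix is opaque to the next reader and the original mistake could easily be reintroduced; propose `# STIG version is the floor: evaluated as <desired> -le <actual Win32_OperatingSystem.Version>`, with the operand order confirmed against the consuming resource before the wording is committed. Both operands appear to be strings here (`$this.Property = 'Version'` is read from WMI and the regex capture is a string), so unless the evaluator casts to [version], `-le` is a lexicographic rather than numeric comparison — presumably adequate within one OS family such as `6.2.9200`, but worth pinning with a test case whose build number sorts differently as a string than as a number. The capture group `(\d+(\.\d+)?)` only matches major.minor, yet the processed files in this commit carry three-part values like `10.0.15063`; if the build number is appended by processing outside this hunk, a one-line comment saying so would save the next reader the search. The enclosing method and class both start and end outside this hunk.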
@@ -1,4 +1,4 @@ - + <VulnDiscussion>The account lockout feature, when enabled, prevents brute-force password attacks on the system. This parameter specifies the amount of time that an account will remain locked after the specified number of failed logon attempts.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> @@ -277,7 +277,7 @@ Plug and Play activity records events related to the successful connection of ex False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN10-SO-000030) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN10-SO-000030) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: Open a Command Prompt with elevated privileges ("Run as Administrator"). 
@@ -319,7 +319,7 @@ Account Lockout events can be used to identify potentially malicious logon attem False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN10-SO-000030) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN10-SO-000030) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: Open a Command Prompt with elevated privileges ("Run as Administrator"). @@ -340,7 +340,7 @@ Audit Group Membership records information related to the group membership of a False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN10-SO-000030) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN10-SO-000030) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: Open a Command Prompt with elevated privileges ("Run as Administrator"). 
@@ -638,7 +638,7 @@ Audit Other System Events records information related to cryptographic key opera False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN10-SO-000030) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN10-SO-000030) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: Open a Command Prompt with elevated privileges ("Run as Administrator"). @@ -659,7 +659,7 @@ Audit Other System Events records information related to cryptographic key opera False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN10-SO-000030) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN10-SO-000030) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: Open a Command Prompt with elevated privileges ("Run as Administrator"). 
@@ -787,7 +787,7 @@ Authorization Policy Change records events related to changes in user rights, su False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN10-SO-000030) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN10-SO-000030) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: -Open a Command Prompt with elevated privileges ("Run as Administrator"). @@ -908,7 +908,7 @@ A separate servicing branch intended for special purpose systems is the Long-Ter 10.0.15063 False - -ge + -le False Version @@ -987,7 +987,7 @@ Copy the lines below to the PowerShell window and enter. if ($lastLogin -eq $null) { $lastLogin = 'Never' } - Write-Host $user.Name $lastLogin $enabled + Write-Host $user.Name $lastLogin $enabled }" This will return a list of local accounts with the account name, last logon, and if the account is enabled (True/False). @@ -1053,7 +1053,7 @@ Execute the following command: Get-ChildItem -Path Cert:Localmachine\root | Where Subject -Like "*DoD*" | FL Subject, Thumbprint, NotAfter -If the following certificate "Subject" and "Thumbprint" information is not displayed, this is finding. +If the following certificate "Subject" and "Thumbprint" information is not displayed, this is finding. If an expired certificate ("NotAfter" date) is not listed in the results, this is not a finding. 
@@ -1386,7 +1386,7 @@ Execute the following command: Get-ChildItem -Path Cert:Localmachine\root | Where Subject -Like "*ECA*" | FL Subject, Thumbprint, NotAfter -If the following certificate "Subject" and "Thumbprint" information is not displayed, this is finding. +If the following certificate "Subject" and "Thumbprint" information is not displayed, this is finding. If an expired certificate ("NotAfter" date) is not listed in the results, this is not a finding. @@ -1448,7 +1448,7 @@ Execute the following command: Get-ChildItem -Path Cert:Localmachine\disallowed | Where {$_.Issuer -Like "*DoD Interoperability*" -and $_.Subject -Like "*DoD*"} | FL Subject, Issuer, Thumbprint, NotAfter -If the following certificate "Subject", "Issuer", and "Thumbprint", information is not displayed, this is finding. +If the following certificate "Subject", "Issuer", and "Thumbprint", information is not displayed, this is finding. If an expired certificate ("NotAfter" date) is not listed in the results, this is not a finding. @@ -1514,7 +1514,7 @@ Execute the following command: Get-ChildItem -Path Cert:Localmachine\disallowed | Where Issuer -Like "*CCEB Interoperability*" | FL Subject, Issuer, Thumbprint, NotAfter -If the following certificate "Subject", "Issuer", and "Thumbprint", information is not displayed, this is finding. +If the following certificate "Subject", "Issuer", and "Thumbprint", information is not displayed, this is finding. If an expired certificate ("NotAfter" date) is not listed in the results, this is not a finding. 
@@ -1674,7 +1674,7 @@ Under "System Summary", if "BIOS Mode" does not display "UEFI", this is finding. False False - Some older systems may not have UEFI firmware. This is currently a CAT III; it will be raised in severity at a future date when broad support of Windows 10 hardware and firmware requirements are expected to be met. Devices that have UEFI firmware must have Secure Boot enabled. + Some older systems may not have UEFI firmware. This is currently a CAT III; it will be raised in severity at a future date when broad support of Windows 10 hardware and firmware requirements are expected to be met. Devices that have UEFI firmware must have Secure Boot enabled. For virtual desktop implementations (VDIs) where the virtual desktop instance is deleted or refreshed upon logoff, this is NA. @@ -1698,7 +1698,7 @@ Technical means such as application whitelisting can be used to enforce the poli The organization must have a policy that prohibits administrative accounts from using applications that access the Internet, such as web browsers, or with potential Internet sources, such as email, except as necessary for local service administration. The policy should define specific exceptions for local service administration. These exceptions may include HTTP(S)-based tools that are used for the administration of the local system, services, or attached devices. -Technical measures such as the removal of applications or application whitelisting must be used where feasible to prevent the use of applications that access the Internet. +Technical measures such as the removal of applications or application whitelisting must be used where feasible to prevent the use of applications that access the Internet. If accounts with administrative privileges are not prevented from using applications that access the Internet or with potential Internet sources, this is a finding. 
@@ -4332,7 +4332,7 @@ Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\ Value Name: fAllowToGetHelp - + Value Type: REG_DWORD Value: 0 0 @@ -4465,7 +4465,7 @@ Value Name: RequireStrongKey Value Type: REG_DWORD Value: 1 - + Warning: This setting may prevent a system from being joined to a domain if not configured consistently between systems. 1 RequireStrongKey @@ -4573,7 +4573,7 @@ Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: LegalNoticeText Value Type: REG_SZ -Value: +Value: You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: @@ -4708,7 +4708,7 @@ If an organization is using v1709 or later of Windows 10 this may be configured If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ Value Name: CachedLogonsCount @@ -5562,7 +5562,7 @@ Value Name: Enabled Value Type: REG_DWORD Value: 1 - + Warning: Clients with this setting enabled will not be able to communicate via digitally encrypted or signed protocols with servers that do not support these algorithms. Both the browser and web server must be configured to use TLS otherwise the browser will not be able to connect to a secure site. 1 Enabled @@ -5830,7 +5830,7 @@ Enabling "Include command line data for process creation events" will record the If the following registry value does not exist or is not configured as specified, this is a finding. -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit\ Value Name: ProcessCreationIncludeCmdLine_Enabled 
@@ -5853,7 +5853,7 @@ Enabling PowerShell script block logging will record detailed information from t If the following registry value does not exist or is not configured as specified, this is a finding. -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\ Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging\ Value Name: EnableScriptBlockLogging diff --git a/StigData/Processed/WindowsServer-2012R2-DC-2.16.xml b/StigData/Processed/WindowsServer-2012R2-DC-2.16.xml index b2736e677..c24f48737 100644 --- a/StigData/Processed/WindowsServer-2012R2-DC-2.16.xml +++ b/StigData/Processed/WindowsServer-2012R2-DC-2.16.xml @@ -1,4 +1,4 @@ - + <VulnDiscussion>The account lockout feature, when enabled, prevents brute-force password attacks on the system. The higher this value is, the less effective the account lockout feature will be in protecting the local system. The number of bad logon attempts must be reasonably small to minimize the possibility of a successful password attack, while allowing for honest errors made during a normal user logon.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> @@ -1013,7 +1013,7 @@ System >> Other System Events - Failure 6.2.9200 False - -ge + -le False Version diff --git a/StigData/Processed/WindowsServer-2012R2-DC-2.17.xml b/StigData/Processed/WindowsServer-2012R2-DC-2.17.xml index d433d94ea..c5c21453d 100644 --- a/StigData/Processed/WindowsServer-2012R2-DC-2.17.xml +++ b/StigData/Processed/WindowsServer-2012R2-DC-2.17.xml 
@@ -1,4 +1,4 @@ - + <VulnDiscussion>The account lockout feature, when enabled, prevents brute-force password attacks on the system. The higher this value is, the less effective the account lockout feature will be in protecting the local system. The number of bad logon attempts must be reasonably small to minimize the possibility of a successful password attack, while allowing for honest errors made during a normal user logon.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> @@ -1013,7 +1013,7 @@ System >> Other System Events - Failure 6.2.9200 False - -ge + -le False Version diff --git a/StigData/Processed/WindowsServer-2012R2-MS-2.15.xml b/StigData/Processed/WindowsServer-2012R2-MS-2.15.xml index 83d1bb700..4aad6d6af 100644 --- a/StigData/Processed/WindowsServer-2012R2-MS-2.15.xml +++ b/StigData/Processed/WindowsServer-2012R2-MS-2.15.xml @@ -1,4 +1,4 @@ - + <VulnDiscussion>The account lockout feature, when enabled, prevents brute-force password attacks on the system. The higher this value is, the less effective the account lockout feature will be in protecting the local system. The number of bad logon attempts must be reasonably small to minimize the possibility of a successful password attack, while allowing for honest errors made during a normal user logon.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> 
@@ -818,7 +818,7 @@ System >> Other System Events - Failure 6.2.9200 False - -ge + -le False Version 
@@ -2897,18 +2897,18 @@ By using this IS (which includes any device attached to this IS), you consent to -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. - You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. - -By using this IS (which includes any device attached to this IS), you consent to the following conditions: - --The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. - --At any time, the USG may inspect and seize data stored on this IS. - --Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. - --This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. - + You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. 
+ +By using this IS (which includes any device attached to this IS), you consent to the following conditions: + +-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. + +-At any time, the USG may inspect and seize data stored on this IS. + +-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. + +-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. + -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. LegalNoticeText String diff --git a/StigData/Processed/WindowsServer-2012R2-MS-2.16.xml b/StigData/Processed/WindowsServer-2012R2-MS-2.16.xml index eb0209226..6d0f97ed9 100644 --- a/StigData/Processed/WindowsServer-2012R2-MS-2.16.xml +++ b/StigData/Processed/WindowsServer-2012R2-MS-2.16.xml 
@@ -1,4 +1,4 @@ - + <VulnDiscussion>The account lockout feature, when enabled, prevents brute-force password attacks on the system. The higher this value is, the less effective the account lockout feature will be in protecting the local system. The number of bad logon attempts must be reasonably small to minimize the possibility of a successful password attack, while allowing for honest errors made during a normal user logon.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> @@ -151,7 +151,7 @@ Credential validation records events related to validation tests on credentials False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: -Open a Command Prompt with elevated privileges ("Run as Administrator"). 
@@ -172,7 +172,7 @@ Credential validation records events related to validation tests on credentials False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: -Open a Command Prompt with elevated privileges ("Run as Administrator"). @@ -193,7 +193,7 @@ Other Account Management Events records events such as the access of a password False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: -Open a Command Prompt with elevated privileges ("Run as Administrator"). 
@@ -214,7 +214,7 @@ Security Group Management records events such as creating, deleting, or changing False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: -Open a Command Prompt with elevated privileges ("Run as Administrator"). @@ -235,7 +235,7 @@ User Account Management records events such as creating, changing, deleting, ren False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: -Open a Command Prompt with elevated privileges ("Run as Administrator"). 
@@ -256,7 +256,7 @@ User Account Management records events such as creating, changing, deleting, ren False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: -Open a Command Prompt with elevated privileges ("Run as Administrator"). @@ -277,7 +277,7 @@ Process Creation records events related to the creation of a process and the sou False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: -Open a Command Prompt with elevated privileges ("Run as Administrator"). 
@@ -298,7 +298,7 @@ Logoff records user logoffs. If this is an interactive logoff, it is recorded o False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: -Open a Command Prompt with elevated privileges ("Run as Administrator"). @@ -319,7 +319,7 @@ Logon records user logons. If this is an interactive logon, it is recorded on t False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: -Open a Command Prompt with elevated privileges ("Run as Administrator"). 
@@ -340,7 +340,7 @@ Logon records user logons. If this is an interactive logon, it is recorded on t False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: -Open a Command Prompt with elevated privileges ("Run as Administrator"). @@ -361,7 +361,7 @@ Special Logon records special logons which have administrative privileges and ca False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: -Open a Command Prompt with elevated privileges ("Run as Administrator"). 
@@ -382,7 +382,7 @@ Audit Policy Change records events related to changes in audit policy.</VulnD False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: -Open a Command Prompt with elevated privileges ("Run as Administrator"). @@ -403,7 +403,7 @@ Audit Policy Change records events related to changes in audit policy.</VulnD False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: -Open a Command Prompt with elevated privileges ("Run as Administrator"). 
@@ -424,7 +424,7 @@ Authentication Policy Change records events related to changes in authentication False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: -Open a Command Prompt with elevated privileges ("Run as Administrator"). @@ -445,7 +445,7 @@ Sensitive Privilege Use records events related to use of sensitive privileges, s False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: -Open a Command Prompt with elevated privileges ("Run as Administrator"). 
@@ -466,7 +466,7 @@ Sensitive Privilege Use records events related to use of sensitive privileges, s False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: -Open a Command Prompt with elevated privileges ("Run as Administrator").
@@ -487,7 +487,7 @@ IPsec Driver records events related to the IPSec Driver such as dropped packets. False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: -Open a Command Prompt with elevated privileges ("Run as Administrator").
@@ -508,7 +508,7 @@ IPsec Driver records events related to the IPsec Driver such as dropped packets. False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: -Open a Command Prompt with elevated privileges ("Run as Administrator").
@@ -529,7 +529,7 @@ Security State Change records events related to changes in the security state, s False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: -Open a Command Prompt with elevated privileges ("Run as Administrator").
@@ -550,7 +550,7 @@ Security System Extension records events related to extension code being loaded False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: -Open a Command Prompt with elevated privileges ("Run as Administrator").
@@ -571,7 +571,7 @@ System Integrity records events related to violations of integrity to the securi False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: -Open a Command Prompt with elevated privileges ("Run as Administrator").
@@ -592,7 +592,7 @@ System Integrity records events related to violations of integrity to the securi False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: -Open a Command Prompt with elevated privileges ("Run as Administrator").
@@ -613,7 +613,7 @@ Removable Storage auditing under Object Access records events related to access False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: -Open a Command Prompt with elevated privileges ("Run as Administrator").
@@ -636,7 +636,7 @@ Removable Storage auditing under Object Access records events related to access False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: -Open a Command Prompt with elevated privileges ("Run as Administrator").
@@ -659,7 +659,7 @@ Central Access Policy Staging auditing under Object Access is used to enable the False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: -Open a Command Prompt with elevated privileges ("Run as Administrator").
@@ -680,7 +680,7 @@ Central Access Policy Staging auditing under Object Access is used to enable the False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: -Open a Command Prompt with elevated privileges ("Run as Administrator").
@@ -701,7 +701,7 @@ Authorization Policy Change records events related to changes in user rights, su False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: -Open a Command Prompt with elevated privileges ("Run as Administrator").
@@ -731,7 +731,7 @@ Open an elevated "Command Prompt" (run as administrator). Enter "AuditPol /get /category:*" -Compare the AuditPol settings with the following. +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding.
@@ -804,7 +804,7 @@ Open an elevated "Command Prompt" (run as administrator). Enter "AuditPol /get /category:*". -Compare the AuditPol settings with the following. +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding.
@@ -818,19 +818,19 @@ System >> Other System Events - Failure 6.2.9200 False - -ge + -le False Version SELECT * FROM Win32_OperatingSystem - Run "winver.exe". + Run "winver.exe". -If the "About Windows" dialog box does not display -"Microsoft Windows Server +If the "About Windows" dialog box does not display +"Microsoft Windows Server Version 6.2 (Build 9200)" -or greater, this is a finding. - -No preview versions will be used in a production environment. +or greater, this is a finding. + +No preview versions will be used in a production environment. Unsupported Service Packs/Releases: Windows 2012 - any release candidates or versions prior to the initial release.
@@ -979,7 +979,7 @@ Copy or enter the lines below to the PowerShell window and enter. (Entering twic if ($lastLogin -eq $null) { $lastLogin = 'Never' } - Write-Host $user.Name $lastLogin $enabled + Write-Host $user.Name $lastLogin $enabled }" This will return a list of local accounts with the account name, last logon, and if the account is enabled (True/False).
@@ -1061,7 +1061,7 @@ For any sites that reference FTP, view the Binding information for IP address an Open a "Command Prompt". -Access the FTP site and review accessible directories with the following commands: +Access the FTP site and review accessible directories with the following commands: Note: Returned results may vary depending on the FTP server software.
@@ -1099,9 +1099,9 @@ Any accounts that are members of the Backup Operators group, including applicati False False - Determine whether there is a host-based Intrusion Detection System on each server. + Determine whether there is a host-based Intrusion Detection System on each server. -If the HIPS component of HBSS is installed and active on the host and the Alerts of blocked activity are being logged and monitored, this will meet the requirement of this finding. +If the HIPS component of HBSS is installed and active on the host and the Alerts of blocked activity are being logged and monitored, this will meet the requirement of this finding. A HID device is not required on a system that has the role as the Network Intrusion Device (NID). However, this exception needs to be documented with the site ISSO.
@@ -1280,7 +1280,7 @@ Execute the following command: Get-ChildItem -Path Cert:Localmachine\root | Where Subject -Like "*DoD*" | FL Subject, Thumbprint, NotAfter -If the following certificate "Subject" and "Thumbprint" information is not displayed, this is finding. +If the following certificate "Subject" and "Thumbprint" information is not displayed, this is finding. If an expired certificate ("NotAfter" date) is not listed in the results, this is not a finding.
@@ -1363,9 +1363,9 @@ Valid to: Friday, June 14, 2041 If the operator is not able to provide a documented configuration for an installed HBSS or if the HBSS software is not properly configured, maintained, or used, this is a finding. - <VulnDiscussion>Operating system backup is a critical step in maintaining data assurance and availability. + <VulnDiscussion>Operating system backup is a critical step in maintaining data assurance and availability. -Information system and security-related documentation contains information pertaining to system configuration and security settings. +Information system and security-related documentation contains information pertaining to system configuration and security settings. Backups shall be consistent with organizational recovery time and recovery point objectives.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> 
@@ -1419,9 +1419,9 @@ Value: Default values after removing MRxSmb10 include the following, which are n If there is no anti-virus solution installed on the system, this is a finding. - <VulnDiscussion>Operating system backup is a critical step in maintaining data assurance and availability. + <VulnDiscussion>Operating system backup is a critical step in maintaining data assurance and availability. -System-level information includes system-state information, operating system and application software, and licenses. +System-level information includes system-state information, operating system and application software, and licenses. Backups must be consistent with organizational recovery time and recovery point objectives.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
@@ -1436,13 +1436,13 @@ Backups must be consistent with organizational recovery time and recovery point False False - Verify the local system boots directly into Windows. + Verify the local system boots directly into Windows. Open Control Panel. Select "System". Select the "Advanced System Settings" link. Select the "Advanced" tab. -Click the "Startup and Recovery" Settings button. +Click the "Startup and Recovery" Settings button. If the drop-down list box "Default operating system:" shows any operating system other than Windows Server 2012, this is a finding.
@@ -1460,7 +1460,7 @@ Standard user accounts must not be members of the built-in Administrators group. Review the local Administrators group. Only the appropriate administrator groups or accounts responsible for administration of the system may be members of the group. -For domain-joined member servers, the Domain Admins group must be replaced by a domain member server administrator group. +For domain-joined member servers, the Domain Admins group must be replaced by a domain member server administrator group. Standard user accounts must not be members of the local Administrator group.
@@ -1490,13 +1490,13 @@ If an alternate method is used to configure a system (e.g., manually using the D If there are no printers configured, this is NA. For each configured printer: -Right click on the printer. -Select "Printer Properties". -Select the "Sharing" tab. -View whether "Share this printer" is checked. +Right click on the printer. +Select "Printer Properties". +Select the "Sharing" tab. +View whether "Share this printer" is checked. -For any printers with "Share this printer" selected: -Select the Security tab. +For any printers with "Share this printer" selected: +Select the Security tab. If any standard user accounts or groups have permissions other than "Print", this is a finding. Standard users will typically be given "Print" permission through the Everyone group.
@@ -1594,7 +1594,7 @@ Execute the following command: Get-ChildItem -Path Cert:Localmachine\disallowed | Where {$_.Issuer -Like "*DoD Interoperability*" -and $_.Subject -Like "*DoD*"} | FL Subject, Issuer, Thumbprint, NotAfter -If the following certificate "Subject", "Issuer", and "Thumbprint", information is not displayed, this is finding. +If the following certificate "Subject", "Issuer", and "Thumbprint", information is not displayed, this is finding. If an expired certificate ("NotAfter" date) is not listed in the results, this is not a finding.
@@ -1662,7 +1662,7 @@ Technical means such as application whitelisting can be used to enforce the poli The organization must have a policy that prohibits administrative accounts from using applications that access the Internet, such as web browsers, or with potential Internet sources, such as email, except as necessary for local service administration. The policy should define specific exceptions for local service administration. These exceptions may include HTTP(S)-based tools that are used for the administration of the local system, services, or attached devices. -Technical measures such as the removal of applications or application whitelisting must be used where feasible to prevent the use of applications that access the Internet. +Technical measures such as the removal of applications or application whitelisting must be used where feasible to prevent the use of applications that access the Internet. If accounts with administrative privileges are not prevented from using applications that access the Internet or with potential Internet sources, this is a finding.
@@ -1672,7 +1672,7 @@ If accounts with administrative privileges are not prevented from using applicat False False - Verify each user with administrative privileges has been assigned a unique administrative account separate from their standard user account. + Verify each user with administrative privileges has been assigned a unique administrative account separate from their standard user account. If users with administrative privileges do not have separate accounts for administrative functions and standard user functions, this is a finding.
@@ -1747,7 +1747,7 @@ If the "Password Last Set" date is more than one year old, this is a finding.Determine if a process to back up log data to a different system or media than the system being audited has been implemented. If it has not, this is a finding. - <VulnDiscussion>Operating system backup is a critical step in maintaining data assurance and availability. + <VulnDiscussion>Operating system backup is a critical step in maintaining data assurance and availability. User-level information is data generated by information system and/or application users.
@@ -1798,7 +1798,7 @@ Execute the following command: Get-ChildItem -Path Cert:Localmachine\disallowed | Where Issuer -Like "*CCEB Interoperability*" | FL Subject, Issuer, Thumbprint, NotAfter -If the following certificate "Subject", "Issuer", and "Thumbprint", information is not displayed, this is finding. +If the following certificate "Subject", "Issuer", and "Thumbprint", information is not displayed, this is finding. If an expired certificate ("NotAfter" date) is not listed in the results, this is not a finding.
@@ -2857,7 +2857,7 @@ Administrators, SYSTEM, Users, ALL APPLICATION PACKAGES - Read & Execute If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: ShutdownWithoutLogon
@@ -2878,7 +2878,7 @@ Value: 0 If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: LegalNoticeText
@@ -2948,7 +2948,7 @@ Value: 4 (or less) If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Control\Lsa\ Value Name: RestrictAnonymous
@@ -2969,7 +2969,7 @@ Value: 1 If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Services\LanManServer\Parameters\ Value Name: EnableForcedLogoff
@@ -3032,7 +3032,7 @@ Value: 0 If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers\ Value Name: AddPrinterDrivers
@@ -3074,7 +3074,7 @@ Value: 5 If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: DisableCAD
@@ -3095,9 +3095,9 @@ Value: 0 '{0}' -match '1|2' If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ - + Value Name: SCRemoveOption Value Type: REG_SZ
@@ -3118,7 +3118,7 @@ If configuring this on servers causes issues such as terminating users' remote s If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Services\LanManServer\Parameters\ Value Name: EnableSecuritySignature
@@ -3185,7 +3185,7 @@ If the value for "Domain Member: Digitally encrypt or sign secure channel data ( If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Services\Netlogon\Parameters\ Value Name: DisablePasswordChange
@@ -3206,7 +3206,7 @@ Value: 0 If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Services\LanmanWorkstation\Parameters\ Value Name: EnableSecuritySignature
@@ -3227,7 +3227,7 @@ Value: 1 If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ Value Name: AllocateDASD
@@ -3248,7 +3248,7 @@ Value: 0 '{0}' -ge '14' If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ Value Name: PasswordExpiryWarning
@@ -3269,7 +3269,7 @@ Value: 14 (or greater) If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Control\Session Manager\ Value Name: ProtectionMode
@@ -3332,7 +3332,7 @@ Value: 0x000000ff (255) If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Services\LanManServer\Parameters\ Value Name: NullSessionPipes
@@ -3356,7 +3356,7 @@ Legitimate applications may add entries to this registry value. If an applicatio If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths\ Value Name: Machine
@@ -3364,8 +3364,8 @@ Value Name: Machine Value Type: REG_MULTI_SZ Value: see below -System\CurrentControlSet\Control\ProductOptions -System\CurrentControlSet\Control\Server Applications +System\CurrentControlSet\Control\ProductOptions +System\CurrentControlSet\Control\Server Applications Software\Microsoft\Windows NT\CurrentVersion Legitimate applications may add entries to this registry value. If an application requires these entries to function properly and is documented with the ISSO, this would not be a finding. Documentation must contain supporting information from the vendor's instructions.
@@ -3385,7 +3385,7 @@ Legitimate applications may add entries to this registry value. If an applicati If the following registry value does exist and is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Services\LanManServer\Parameters\ Value Name: NullSessionShares
@@ -3407,12 +3407,12 @@ Value: (Blank) If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\ +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\ Value Name: fAllowToGetHelp - -Type: REG_DWORD + +Type: REG_DWORD Value: 0 0 fAllowToGetHelp
@@ -3428,7 +3428,7 @@ Value: 0 If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Control\Lsa\ Value Name: LimitBlankPasswordUse
@@ -3449,7 +3449,7 @@ Value: 1 '{0}' -le '30' -and '{0}' -gt '0' If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Services\Netlogon\Parameters\ Value Name: MaximumPasswordAge
@@ -3470,14 +3470,14 @@ Value: 30 (or less, but not 0) If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Services\Netlogon\Parameters\ Value Name: RequireStrongKey Value Type: REG_DWORD Value: 1 - + This setting may prevent a system from being joined to a domain if not configured consistently between systems. 1 RequireStrongKey
@@ -3493,7 +3493,7 @@ This setting may prevent a system from being joined to a domain if not configure If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Control\Lsa\ Value Name: EveryoneIncludesAnonymous
@@ -3514,7 +3514,7 @@ Value: 0 If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Control\Lsa\ Value Name: ForceGuest
@@ -3535,7 +3535,7 @@ Value: 0 If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Control\Lsa\ Value Name: NoLMHash
@@ -3556,7 +3556,7 @@ Value: 1 If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Services\LDAP\ Value Name: LDAPClientIntegrity
@@ -3577,7 +3577,7 @@ Value: 1 If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Control\Lsa\MSV1_0\ Value Name: NTLMMinClientSec
@@ -3605,7 +3605,7 @@ Value Name: Enabled Value Type: REG_DWORD Value: 1 - + Warning: Clients with this setting enabled will not be able to communicate via digitally encrypted or signed protocols with servers that do not support these algorithms. Both the browser and web server must be configured to use TLS, or the browser will not be able to connect to a secure site. 1 Enabled
@@ -3621,7 +3621,7 @@ Warning: Clients with this setting enabled will not be able to communicate via d If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Control\Session Manager\Kernel\ Value Name: ObCaseInsensitive
@@ -3640,14 +3640,14 @@ Value: 1 HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services False - If the following registry value does not exist or is not configured as specified, this is a finding: + If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\ +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\ -Value Name: fSingleSessionPerUser +Value Name: fSingleSessionPerUser -Type: REG_DWORD +Type: REG_DWORD Value: 1 1 fSingleSessionPerUser
@@ -3791,7 +3791,7 @@ Value: 0 If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Control\Session Manager\ Value Name: SafeDllSearchMode
@@ -3833,7 +3833,7 @@ Value: 1 HKEY_CURRENT_USER\Software\Policies\Microsoft\WindowsMediaPlayer False - If the following registry value does not exist or is not configured as specified, this is a finding: + If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_CURRENT_USER Registry Path: \Software\Policies\Microsoft\WindowsMediaPlayer\
@@ -3856,7 +3856,7 @@ Value: 1 If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Control\Lsa\MSV1_0\ Value Name: NTLMMinServerSec
@@ -3879,7 +3879,7 @@ Value: 0x20080000 (537395200) If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Services\Eventlog\Security\ Value Name: WarningLevel
@@ -3900,7 +3900,7 @@ Value: 90 (or less) If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Services\Tcpip\Parameters\ Value Name: DisableIPSourceRouting
@@ -3921,7 +3921,7 @@ Value: 2 If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Services\Tcpip\Parameters\ Value Name: EnableICMPRedirect
@@ -3942,7 +3942,7 @@ Value: 0 If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Services\Tcpip\Parameters\ Value Name: PerformRouterDiscovery
@@ -3963,7 +3963,7 @@ Value: 0 '{0}' -le '300000' If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Services\Tcpip\Parameters\ Value Name: KeepAliveTime
@@ -4026,7 +4026,7 @@ Value: 3 (or less) '{0}' -le '5' If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ Value Name: ScreenSaverGracePeriod
@@ -4047,7 +4047,7 @@ Value: 5 (or less) If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths\ Value Name: Machine
@@ -4082,7 +4082,7 @@ Legitimate applications may add entries to this registry value. If an applicatio If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Control\Session Manager\Subsystems\ Value Name: Optional @@ -4146,7 +4146,7 @@ Value: 0 If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Services\Netlogon\Parameters\ Value Name: RequireSignOrSeal @@ -4167,7 +4167,7 @@ Value: 1 If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Services\LanmanWorkstation\Parameters\ Value Name: RequireSecuritySignature @@ -4188,7 +4188,7 @@ Value: 1 If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Services\LanManServer\Parameters\ Value Name: RequireSecuritySignature @@ -4209,7 +4209,7 @@ Value: 1 If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Services\LanManServer\Parameters\ Value Name: RestrictNullSessAccess @@ -4230,7 +4230,7 @@ Value: 1 If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: DontDisplayLastUserName 
@@ -4252,7 +4252,7 @@ This setting prevents the system from setting up a default system access control If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Control\Lsa\ Value Name: AuditBaseObjects @@ -4264,7 +4264,7 @@ Value: 0 Dword - <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. + <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. This setting prevents the system from generating audit events for every file backed up or restored, which could fill the security log in Windows, making it difficult to identify actual issues.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> Present 
@@ -4274,7 +4274,7 @@ This setting prevents the system from generating audit events for every file bac If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Control\Lsa\ Value Name: FullPrivilegeAuditing @@ -4286,7 +4286,7 @@ Value: 0 Binary - <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. + <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. This setting allows administrators to enable more precise auditing capabilities.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> Present 
@@ -4296,7 +4296,7 @@ This setting allows administrators to enable more precise auditing capabilities. If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Control\Lsa\ Value Name: SCENoApplyLegacyAuditPolicy @@ -4317,7 +4317,7 @@ Value: 1 If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Services\IPSEC\ Value Name: NoDefaultExempt @@ -4340,7 +4340,7 @@ Value: 3 If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: FilterAdministratorToken @@ -4363,7 +4363,7 @@ Value: 1 If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: ConsentPromptBehaviorAdmin @@ -4389,7 +4389,7 @@ Value: 4 (Prompt for consent) If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: ConsentPromptBehaviorUser @@ -4412,7 +4412,7 @@ Value: 0 If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: EnableInstallerDetection 
@@ -4435,7 +4435,7 @@ Value: 1 If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: EnableSecureUIAPaths @@ -4458,7 +4458,7 @@ Value: 1 If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: EnableLUA @@ -4481,7 +4481,7 @@ Value: 1 If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: PromptOnSecureDesktop @@ -4504,7 +4504,7 @@ Value: 1 If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: EnableVirtualization 
@@ -4600,7 +4600,7 @@ Value: 1 Dword - <VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and uncontrolled updates to the system. + <VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and uncontrolled updates to the system. This setting prevents the client computer from printing over HTTP, which allows the computer to print to printers on the intranet as well as the Internet.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> Present 
@@ -4622,7 +4622,7 @@ Value: 1 Dword - <VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and uncontrolled updates to the system. + <VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and uncontrolled updates to the system. This setting prevents the computer from downloading print driver packages over HTTP.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> Present 
@@ -4644,7 +4644,7 @@ Value: 1 Dword - <VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and uncontrolled updates to the system. + <VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and uncontrolled updates to the system. This setting prevents Windows from searching Windows Update for device drivers when no local drivers for a device are present.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> Present 
@@ -4792,7 +4792,7 @@ Value: 1 Dword - <VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and uncontrolled updates to the system. + <VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and uncontrolled updates to the system. This setting prevents unhandled file associations from using the Microsoft Web service to find an application.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> Present 
@@ -4919,7 +4919,7 @@ Value: 1 Dword - <VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and uncontrolled updates to the system. + <VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and uncontrolled updates to the system. This setting prevents users from being presented with Privacy and Installation options on first use of Windows Media Player, which could enable some communication with the vendor.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> Present 
@@ -5227,7 +5227,7 @@ Value: 0 Dword - <VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and uncontrolled updates to the system. + <VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and uncontrolled updates to the system. This setting prevents an error report from being sent when a generic device driver is installed.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> Present 
@@ -5249,7 +5249,7 @@ Value: 1 Dword - <VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and uncontrolled updates to the system. + <VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and uncontrolled updates to the system. This setting prevents users from being prompted to search Windows Update for device drivers.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> Present 
@@ -5271,7 +5271,7 @@ Value: 1 Dword - <VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and uncontrolled updates to the system. + <VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and uncontrolled updates to the system. This setting prevents errors in handwriting recognition on tablet PCs from being reported to Microsoft.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> Present 
@@ -5377,7 +5377,7 @@ Value: 0 Dword - <VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and uncontrolled updates to the system. + <VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and uncontrolled updates to the system. This check verifies that Windows Media DRM will be prevented from accessing the Internet.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> Present @@ -5431,7 +5431,7 @@ Value: 1 If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: EnableUIADesktopToggle @@ -5450,7 +5450,7 @@ Value: 0 HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services False - If the following registry value does not exist or is not configured as specified, this is a finding: + If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\ 
@@ -5471,7 +5471,7 @@ Value: 1 HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services False - If the following registry value does not exist or is not configured as specified, this is a finding: + If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\ @@ -5492,7 +5492,7 @@ Value: 1 HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services False - If the following registry value does not exist or is not configured as specified, this is a finding: + If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\ @@ -5513,7 +5513,7 @@ Value: 1 HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services False - If the following registry value does not exist or is not configured as specified, this is a finding: + If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\ @@ -5538,7 +5538,7 @@ Value: 1 If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: ValidateAdminCodeSignatures 
@@ -5550,7 +5550,7 @@ Value: 0 Dword - <VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and uncontrolled updates to the system. + <VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and uncontrolled updates to the system. This setting ensures the Windows Customer Experience Improvement Program is disabled so information is not passed to the vendor.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> Present 
@@ -5572,7 +5572,7 @@ Value: 0 Dword - <VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and uncontrolled updates to the system. + <VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and uncontrolled updates to the system. This setting ensures the Windows Help Experience Improvement Program is disabled to prevent information from being passed to the vendor.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> Present 
@@ -5594,7 +5594,7 @@ Value: 1 Dword - <VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and uncontrolled updates to the system. + <VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and uncontrolled updates to the system. This setting ensures users cannot provide ratings feedback to Microsoft for Help content.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> Present 
@@ -5809,7 +5809,7 @@ Value: Enabled String - <VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and uncontrolled updates to the system. + <VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and uncontrolled updates to the system. This setting will prevent Windows from searching Windows Update for point and print drivers. Only the local driver store and server driver cache will be searched.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> Present 
@@ -5831,7 +5831,7 @@ Value: 1 Dword - <VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and uncontrolled updates to the system. + <VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and uncontrolled updates to the system. This setting will prevent Windows from retrieving device metadata from the Internet.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> Present 
@@ -5853,7 +5853,7 @@ Value: 1 Dword - <VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and uncontrolled updates to the system. + <VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and uncontrolled updates to the system. This setting will prevent the system from searching Windows Update for device drivers.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> Present 
@@ -5875,7 +5875,7 @@ Value: 0 Dword - <VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and uncontrolled updates to the system. + <VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and uncontrolled updates to the system. This setting prevents the MSDT from communicating with and sending collected data to Microsoft, the default support provider.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> Present 
@@ -5897,7 +5897,7 @@ Value: 0 Dword - <VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and uncontrolled updates to the system. + <VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and uncontrolled updates to the system. This setting prevents users from searching troubleshooting content on Microsoft servers. Only local content will be available.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> Present 
@@ -5919,7 +5919,7 @@ Value: 0 Dword - <VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and uncontrolled updates to the system. + <VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and uncontrolled updates to the system. This setting prevents responsiveness events from being aggregated and sent to Microsoft.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> Present 
@@ -5941,7 +5941,7 @@ Value: 0 Dword - <VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and uncontrolled updates to the system. + <VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and uncontrolled updates to the system. This setting will prevent the Program Inventory from collecting data about a system and sending the information to Microsoft.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> Present @@ -6035,7 +6035,7 @@ Value: 1 If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Control\Lsa\ Value Name: RestrictAnonymousSAM @@ -6056,7 +6056,7 @@ Value: 1 '{0}' -match '^(DoD Notice and Consent Banner|US Department of Defense Warning Statement)$' If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: LegalNoticeCaption 
@@ -6064,7 +6064,7 @@ Value Name: LegalNoticeCaption Value Type: REG_SZ Value: See message title options below -"DoD Notice and Consent Banner", "US Department of Defense Warning Statement", or a site-defined equivalent. +"DoD Notice and Consent Banner", "US Department of Defense Warning Statement", or a site-defined equivalent. If a site-defined title is used, it can in no case contravene or modify the language of the banner text required in V-1089. @@ -6250,7 +6250,7 @@ Value: 0x00008000 (32768) (or greater) Dword - <VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and uncontrolled updates to the system. + <VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and uncontrolled updates to the system. This setting will prevent Windows from sending an error report to Microsoft when a device driver requests additional software during installation.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> Present 
@@ -6293,7 +6293,7 @@ Value: 0 Dword - <VulnDiscussion>A compromised local administrator account can provide means for an attacker to move laterally between domain systems. + <VulnDiscussion>A compromised local administrator account can provide means for an attacker to move laterally between domain systems. With User Account Control enabled, filtering the privileged token for local administrator accounts will prevent the elevated privileges of these accounts from being used over the network.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> @@ -6302,8 +6302,8 @@ With User Account Control enabled, filtering the privileged token for local admi HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System False - If the system is not a member of a domain, this is NA. -If the following registry value does not exist or is not configured as specified, this is a finding: + If the system is not a member of a domain, this is NA. +If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ @@ -6337,8 +6337,8 @@ Type: REG_SZ Value: 1 Applications requiring continuous, real-time screen display (e.g., network management products) require the following and must be documented with the ISSO: - --The logon session does not have administrator rights. + +-The logon session does not have administrator rights. -The display station (e.g., keyboard, monitor, etc.) is located in a controlled access area. 1 ScreenSaveActive 
@@ -6879,7 +6879,7 @@ Value: 1 '{0}' -le '900' -and '{0}' -gt '0' If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: InactivityTimeoutSecs @@ -6940,7 +6940,7 @@ Value: 1 HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services False - If the following registry value does not exist or is not configured as specified, this is a finding: + If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\ @@ -6965,7 +6965,7 @@ Value: 1 Verify the registry value below. If it does not exist or is not configured as specified, this is a finding. -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\Personalization\ Value Name: NoLockScreenSlideshow @@ -6990,7 +6990,7 @@ Enabling "Include command line data for process creation events" will record the Verify the registry value below. If it does not exist or is not configured as specified, this is a finding. -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit\ Value Name: ProcessCreationIncludeCmdLine_Enabled @@ -7013,7 +7013,7 @@ Value: 0x00000001 (1) Verify the registry value below. If it does not exist or is not configured as specified, this is a finding. -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\System\ Value Name: DontDisplayNetworkSelectionUI 
@@ -7036,7 +7036,7 @@ Value: 1 Verify the registry value below. If it does not exist or is not configured as specified, this is a finding. -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Value Name: MSAOptional @@ -7059,7 +7059,7 @@ Value: 1 Verify the registry value below. If it does not exist or is not configured as specified, this is a finding. -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: DisableAutomaticRestartSignOn @@ -7161,7 +7161,7 @@ PowerShell 5.x supports script block logging. PowerShell 4.0 with the addition o If the following registry value does not exist or is not configured as specified, this is a finding. -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\ Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging\ Value Name: EnableScriptBlockLogging @@ -7169,7 +7169,7 @@ Value Name: EnableScriptBlockLogging Value Type: REG_DWORD Value: 0x00000001 (1) -PowerShell 4.0 requires the installation of patch KB3000850 on Windows 2012 R2 or KB3119938 on Windows 2012. +PowerShell 4.0 requires the installation of patch KB3000850 on Windows 2012 R2 or KB3119938 on Windows 2012. If the patch is not installed on systems with PowerShell 4.0, this is a finding. @@ -7318,7 +7318,7 @@ If the "Microsoft FTP Service" (Service name: FTPSVC) is installed and not disab False False - Verify the Peer Network Identity Manager (p2pimsvc) service is not installed or is disabled. + Verify the Peer Network Identity Manager (p2pimsvc) service is not installed or is disabled. Run "Services.msc". 
@@ -7336,7 +7336,7 @@ Peer Networking Identity Manager (p2pimsvc) False False - Verify the Simple TCP/IP (simptcp) service is not installed or is disabled. + Verify the Simple TCP/IP (simptcp) service is not installed or is disabled. Run "Services.msc". @@ -7354,7 +7354,7 @@ Simple TCP/IP Services (simptcp) False False - Verify the Telnet (tlntsvr) service is not installed or is disabled. + Verify the Telnet (tlntsvr) service is not installed or is disabled. Run "Services.msc". @@ -7386,7 +7386,7 @@ Telnet (tlntsvr) False False - Verify the Smart Card Removal Policy service is configured to "Automatic". + Verify the Smart Card Removal Policy service is configured to "Automatic". Run "Services.msc". @@ -7610,7 +7610,7 @@ If any accounts or groups other than the following are granted the "Allow log on Administrators -If the system serves the Remote Desktop Services role, the Remote Desktop Users group or another more restrictive group may be included. +If the system serves the Remote Desktop Services role, the Remote Desktop Users group or another more restrictive group may be included. Organizations may grant this to other groups, such as more restrictive groups with administrative or management functions, if required. Remote Desktop Services access must be restricted to the accounts that require it. This must be documented with the ISSO. 
@@ -7775,7 +7775,7 @@ Systems that have the Hyper-V role will also have "Virtual Machines" given this SeDenyBatchLogonRight <VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. -The "Deny log on as a batch job" user right defines accounts that are prevented from logging on to the system as a batch job such, as Task Scheduler. +The "Deny log on as a batch job" user right defines accounts that are prevented from logging on to the system as a batch job such, as Task Scheduler. In an Active Directory Domain, denying logons to the Enterprise Admins and Domain Admins groups on lower-trust systems helps mitigate the risk of privilege escalation from credential theft attacks which could lead to the compromise of an entire domain. @@ -7805,7 +7805,7 @@ Guests Group SeDenyServiceLogonRight <VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. -The "Deny log on as a service" user right defines accounts that are denied log on as a service. +The "Deny log on as a service" user right defines accounts that are denied log on as a service. In an Active Directory Domain, denying logons to the Enterprise Admins and Domain Admins groups on lower-trust systems helps mitigate the risk of privilege escalation from credential theft attacks which could lead to the compromise of an entire domain. 
@@ -7833,7 +7833,7 @@ If any accounts or groups are defined for the "Deny log on as a service" user ri SeDenyInteractiveLogonRight <VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. -The "Deny log on locally" user right defines accounts that are prevented from logging on interactively. +The "Deny log on locally" user right defines accounts that are prevented from logging on interactively. In an Active Directory Domain, denying logons to the Enterprise Admins and Domain Admins groups on lower-trust systems helps mitigate the risk of privilege escalation from credential theft attacks which could lead to the compromise of an entire domain. @@ -7894,7 +7894,7 @@ Local account (see Note below) All Systems: Guests group -Note: Windows Server 2012 R2 added new built-in security groups, including "Local account", for assigning permissions and rights to all local accounts. +Note: Windows Server 2012 R2 added new built-in security groups, including "Local account", for assigning permissions and rights to all local accounts. Microsoft Security Advisory Patch 2871997 adds the new security groups to Windows Server 2012. diff --git a/StigData/Processed/WindowsServer-2016-DC-1.7.xml b/StigData/Processed/WindowsServer-2016-DC-1.7.xml index 47deeaf5f..8ef73bc97 100644 --- a/StigData/Processed/WindowsServer-2016-DC-1.7.xml +++ b/StigData/Processed/WindowsServer-2016-DC-1.7.xml 
@@ -1,4 +1,4 @@ - + <VulnDiscussion>The account lockout feature, when enabled, prevents brute-force password attacks on the system. This parameter specifies the period of time that an account will remain locked after the specified number of failed logon attempts.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> @@ -1314,7 +1314,7 @@ Object Access >> Other Object Access Events - Failure 10.0.14393 False - -ge + -le False Version diff --git a/StigData/Processed/WindowsServer-2016-DC-1.8.xml b/StigData/Processed/WindowsServer-2016-DC-1.8.xml index a8a361200..9ee58729d 100644 --- a/StigData/Processed/WindowsServer-2016-DC-1.8.xml +++ b/StigData/Processed/WindowsServer-2016-DC-1.8.xml @@ -1,4 +1,4 @@ - + <VulnDiscussion>This policy setting determines whether the Kerberos Key Distribution Center (KDC) validates every request for a session ticket against the user rights policy of the target computer. The policy is enabled by default, which is the most secure setting for validating that access to target resources is not circumvented. @@ -1329,7 +1329,7 @@ Object Access >> Other Object Access Events - Failure 10.0.14393 False - -ge + -le False Version diff --git a/StigData/Processed/WindowsServer-2016-MS-1.7.xml b/StigData/Processed/WindowsServer-2016-MS-1.7.xml index 17e83f6f9..4a191667c 100644 --- a/StigData/Processed/WindowsServer-2016-MS-1.7.xml +++ b/StigData/Processed/WindowsServer-2016-MS-1.7.xml 
@@ -1,4 +1,4 @@ - + <VulnDiscussion>The account lockout feature, when enabled, prevents brute-force password attacks on the system. This parameter specifies the period of time that an account will remain locked after the specified number of failed logon attempts.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> @@ -1039,7 +1039,7 @@ Object Access >> Other Object Access Events - Failure 10.0.14393 False - -ge + -le False Version diff --git a/StigData/Processed/WindowsServer-2016-MS-1.8.xml b/StigData/Processed/WindowsServer-2016-MS-1.8.xml index 954637d8b..e15b1fd55 100644 --- a/StigData/Processed/WindowsServer-2016-MS-1.8.xml +++ b/StigData/Processed/WindowsServer-2016-MS-1.8.xml @@ -1,4 +1,4 @@ - + <VulnDiscussion>The account lockout feature, when enabled, prevents brute-force password attacks on the system. This parameter specifies the period of time that an account will remain locked after the specified number of failed logon attempts.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> @@ -1054,7 +1054,7 @@ Object Access >> Other Object Access Events - Failure 10.0.14393 False - -ge + -le False Version diff --git a/Tests/Integration/AuditSettingRule.Integration.tests.ps1 b/Tests/Integration/AuditSettingRule.Integration.tests.ps1 index f424c38cc..6ec27effd 100644 --- a/Tests/Integration/AuditSettingRule.Integration.tests.ps1 
+++ b/Tests/Integration/AuditSettingRule.Integration.tests.ps1 @@ -23,7 +23,7 @@ try query = "SELECT * FROM Win32_OperatingSystem" property = 'Version' desiredvalue = '10.0.14393' - operator = '-ge' + operator = '-le' checkContent = 'Open "Command Prompt". Enter "winver.exe". @@ -36,7 +36,7 @@ try query = "SELECT * FROM Win32_OperatingSystem" property = 'Version' desiredvalue = '10.0.14393' - operator = '-ge' + operator = '-le' checkContent = 'Run "winver.exe". If the "About Windows" dialog box does not display: @@ -65,7 +65,7 @@ try query = "SELECT * FROM Win32_OperatingSystem" property = 'Version' desiredvalue = '6.2.9200' - operator = '-ge' + operator = '-le' checkContent = 'Run "winver.exe". If the "About Windows" dialog box does not display diff --git a/Tests/Unit/Module/HardCodedRule.tests.ps1 b/Tests/Unit/Module/HardCodedRule.tests.ps1 index e2a38bf7a..5270b77e5 100644 --- a/Tests/Unit/Module/HardCodedRule.tests.ps1 +++ b/Tests/Unit/Module/HardCodedRule.tests.ps1 @@ -26,10 +26,10 @@ try }, @{ RuleType = 'AuditSettingRule' - CheckContent = "HardCodedRule(AuditSettingRule)@{DscResource = 'AuditSetting'; DesiredValue = '6.2.9200'; Operator = '-ge'; Property = 'Version'; Query = 'SELECT * FROM Win32_OperatingSystem'}" + CheckContent = "HardCodedRule(AuditSettingRule)@{DscResource = 'AuditSetting'; DesiredValue = '6.2.9200'; Operator = '-le'; Property = 'Version'; Query = 'SELECT * FROM Win32_OperatingSystem'}" DscResource = 'AuditSetting' DesiredValue = '6.2.9200' - Operator = '-ge' + Operator = '-le' Property = 'Version' Query = 'SELECT * FROM Win32_OperatingSystem' },
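Review bot: The three integration cases flip the expected literal to `operator = '-le'`, but they only check what the converter emits; neither this hunk nor the HardCodedRule hunk below it pins which side of the comparison the desired value lands on when the AuditSetting resource evaluates it, and that operand order is the entire justification for the flip. Win32_OperatingSystem.Version is returned as a string, so unless the resource casts both operands to [version] (not visible here), `'6.2.9200' -le '10.0.14393'` is a lexicographic comparison in PowerShell and evaluates to false even though the numeric version is lower, which would silently pass or fail a supported-servicing-level check depending on the installed build. A short comment above the first case, such as `# desiredvalue is the left operand: '-le' asserts desired <= installed OS version`, would make the intent auditable; a test that drives the evaluation with a desired '6.2.9200' against an installed '10.0.x' Version would catch the string-compare case. The enclosing `try` block starts and ends outside the hunk.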