Account Lockout Policy Settings
|
Section Score: 0.63 of 0.63 |
|
1. |
|
Account Lockout Duration (CCE-9308)
|
|
2. |
|
Account Lockout Threshold (CCE-9136)
|
|
3. |
|
Reset Account Lockout Counter After (CCE-9400)
|
|
|
|
Password Policy Settings
|
Section Score: 0.00 of 0.63 |
|
1. |
|
Enforce Password History (CCE-8912)
|
|
2. |
|
Maximum Password Age (CCE-9193)
|
|
3. |
|
Minimum Password Age (CCE-9330)
|
|
4. |
|
Minimum Password Length (CCE-9357)
|
|
5. |
|
Password Complexity (CCE-9370)
|
|
6. |
|
Reversible Password Encryption (CCE-9260)
|
|
|
|
User Rights Assignments
|
Section Score: 0.00 of 0.63 |
|
1. |
|
Access This Computer From The Network (CCE-9253)
|
|
2. |
|
Act As Part Of The Operating System (CCE-9407)
|
|
3. |
|
Adjust Memory Quotas For A Process (CCE-9068)
|
|
4. |
|
Log On Locally (CCE-9345)
|
|
5. |
|
Log On Through Terminal Services (CCE-9107)
|
|
6. |
|
Back Up Files and Directories (CCE-9389)
|
|
7. |
|
Bypass Traverse Checking (CCE-8414)
|
|
8. |
|
Change the System Time (CCE-8612)
|
|
9. |
|
Change the time zone (CCE-8423)
|
|
10. |
|
Create A Pagefile (CCE-9185)
|
|
11. |
|
Create A Token Object (CCE-9215)
|
|
12. |
|
Create Global Objects (CCE-8431)
|
|
13. |
|
Create Permanent Shared Objects (CCE-9254)
|
|
14. |
|
Create symbolic links (CCE-8460)
|
|
15. |
|
Debug Programs (CCE-8583)
|
|
16. |
|
Deny Access To This Computer From The Network (CCE-9244)
|
|
17. |
|
Deny Logon As A Batch Job (CCE-9212)
|
|
18. |
|
Deny Logon As A Service (CCE-9098)
|
|
19. |
|
Deny Logon Locally (CCE-9239)
|
|
20. |
|
Deny Logon Through Remote Desktop Services (CCE-9274)
|
|
21. |
|
Force Shutdown From A Remote System (CCE-9336)
|
|
22. |
|
Generate Security Audits (CCE-9226)
|
|
23. |
|
Impersonate a Client After Authentication (CCE-8467)
|
|
24. |
|
Increase a Process Working Set (CCE-9048)
|
|
25. |
|
Increase Scheduling Priority (CCE-8999)
|
|
26. |
|
Load And Unload Device Drivers (CCE-9135)
|
|
27. |
|
Lock Pages In Memory (CCE-9289)
|
|
28. |
|
Log On As A Batch Job (CCE-9320)
|
|
29. |
|
Log On As A Service (CCE-9461)
|
|
30. |
|
Manage Auditing And Security Log (CCE-9223)
|
|
31. |
|
Modify an object label (CCE-9149)
|
|
32. |
|
Modify Firmware Environment Values (CCE-9417)
|
|
33. |
|
Perform Volume Maintenance Tasks (CCE-8475)
|
|
34. |
|
Profile Single Process (CCE-9388)
|
|
35. |
|
Profile System Performance (CCE-9419)
|
|
36. |
|
Remove Computer From Docking Station (CCE-9326)
|
|
37. |
|
Replace A Process Level Token (CCE-8732)
|
|
38. |
|
Restore Files And Directories (CCE-9124)
|
|
39. |
|
Shut Down The System (CCE-9014)
|
|
40. |
|
Take Ownership Of Files Or Other Objects (CCE-9309)
|
|
|
|
Security Options Settings
|
Section Score: 0.00 of 0.63 |
|
1. |
|
Accounts: Administrator account status (CCE-9199)
|
|
2. |
|
Accounts: Guest account status (CCE-8714)
|
|
3. |
|
Accounts: Limit local account use to blank passwords to console logon only (CCE-9418)
|
|
4. |
|
Accounts: Rename administrator account (CCE-8484)
|
|
5. |
|
Accounts: Rename guest account (CCE-9229)
|
|
6. |
|
Audit: Audit the access of global system objects (CCE-9150)
|
|
7. |
|
Audit: Audit the use of Backup and Restore privilege (CCE-8789)
|
|
8. |
|
Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings (CCE-9432)
|
|
9. |
|
Devices: Prevent users from installing printer drivers (CCE-9026)
|
|
10. |
|
Devices: Restrict CD-ROM access to locally logged-on user only (CCE-9304)
|
|
11. |
|
Devices: Restrict floppy access to locally logged-on user only (CCE-9440)
|
|
12. |
|
Domain member: Digitally encrypt or sign secure channel data (always) (CCE-8974)
|
|
13. |
|
Domain member: Digitally encrypt secure channel data (when possible) (CCE-9251)
|
|
14. |
|
Domain member: Digitally sign secure channel data (when possible) (CCE-9375)
|
|
15. |
|
Domain member: Disable machine account password changes (CCE-9295)
|
|
16. |
|
Domain member: Maximum machine account password age (CCE-9123)
|
|
17. |
|
Domain member: Require strong (Windows 2000 or later) session key (CCE-9387)
|
|
18. |
|
Interactive logon: Do not display last user name (CCE-9449)
|
|
19. |
|
Interactive logon: Do not require CTRL+ALT+DEL (CCE-9317)
|
|
20. |
|
Interactive logon: Message text for users attempting to log on (CCE-8973)
|
|
21. |
|
Interactive logon: Message title for users attempting to log on (CCE-8740)
|
|
22. |
|
Interactive logon: Number of previous logons to cache (in case domain controller is not available) (CCE-8487)
|
|
23. |
|
Interactive logon: Prompt user to change password before expiration (CCE-9307)
|
|
24. |
|
Interactive logon: Require Domain Controller authentication to unlock workstation (CCE-8818)
|
|
25. |
|
Interactive logon: Smart card removal behavior (CCE-9067)
|
|
26. |
|
Microsoft network client: Digitally sign communications (always) (CCE-9327)
|
|
27. |
|
Microsoft network client: Digitally sign communications (if server agrees) (CCE-9344)
|
|
28. |
|
Microsoft network client: Send unencrypted password to third-party SMB servers (CCE-9265)
|
|
29. |
|
Microsoft network server: Amount of idle time required before suspending session (CCE-9406)
|
|
30. |
|
Microsoft network server: Digitally sign communications (always) (CCE-9040)
|
|
31. |
|
Microsoft network server: Digitally sign communications (if client agrees) (CCE-8825)
|
|
32. |
|
Microsoft network server: Disconnect clients when logon hours expire (CCE-9358)
|
|
33. |
|
Microsoft network server: SPN Target name validation (CCE-8503)
|
|
34. |
|
Network access: Allow anonymous SID-Name translation (CCE-9531)
|
|
35. |
|
Network access: Do not allow anonymous enumeration of SAM accounts (CCE-9249)
|
|
36. |
|
Network access: Do not allow anonymous enumeration of SAM accounts and shares (CCE-9156)
|
|
37. |
|
Network access: Do not allow storage of passwords and credentials for network authentication (CCE-8654)
|
|
38. |
|
Network access: Let Everyone permissions apply to anonymous users (CCE-8936)
|
|
39. |
|
Network access: Named Pipes that can be accessed anonymously - netlogon, lsarpc, samr, browser (CCE-9218)
|
|
40. |
|
Network access: Remotely accessible registry paths (CCE-9121)
|
|
41. |
|
Network access: Remotely accessible registry paths and sub paths (CCE-9386)
|
|
42. |
|
Network access: Restrict anonymous access to Named Pipes and Shares (CCE-9540)
|
|
43. |
|
Network access: Shares that can be accessed anonymously (CCE-9196)
|
|
44. |
|
Network access: Sharing and security model for local accounts (CCE-9503)
|
|
45. |
|
Network security: Allow Local System to use computer identity for NTLM (CCE-9096)
|
|
46. |
|
Network security: Allow LocalSystem NULL session fallback (CCE-8804)
|
|
47. |
|
Network Security: Allow PKU2U authentication requests to this computer to use online identities (CCE-9770)
|
|
48. |
|
Network Security: Configure encryption types allowed for Kerberos (CCE-9532)
|
|
49. |
|
Network security: Do not store LAN Manager hash value on next password changes (CCE-8937)
|
|
50. |
|
Network security: Force logoff when logon hours expire (CCE-9704)
|
|
51. |
|
Network security: LAN Manager Authentication Level (CCE-8806)
|
|
52. |
|
Network security: LDAP client signing requirements (CCE-9768)
|
|
53. |
|
Network security: Minimum session security for NTLM SSP based (including secure RPC) clients (CCE-9534)
|
|
54. |
|
Network security: Minimum session security for NTLM SSP based (including secure RPC) servers (CCE-9736)
|
|
55. |
|
Recovery Console: Allow Automatic Administrative Logon (CCE-8807)
|
|
56. |
|
Recovery Console: Allow Floppy Copy and Access to All Drives and All Folders (CCE-8945)
|
|
57. |
|
Shutdown: Allow System to be Shut Down Without Having to Log On (CCE-9707)
|
|
58. |
|
Shutdown: Clear Virtual Memory Pagefile (CCE-9222)
|
|
59. |
|
System Cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing (CCE-9266)
|
|
60. |
|
System objects: Require case insensitivity for non-Windows subsystems (CCE-9319)
|
|
61. |
|
System objects: Strengthen default permissions of internal system objects (CCE-9191)
|
|
62. |
|
User Account Control: Admin Approval Mode for the Built-in Administrator account (CCE-8811)
|
|
63. |
|
User Account Control: Allow UIAccess application to prompt for elevation without using the secure desktop (CCE-9301)
|
|
64. |
|
User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode (CCE-8958)
|
|
65. |
|
User Account Control: Behavior of the elevation prompt for standard users (CCE-8813)
|
|
66. |
|
User Account Control: Detect application installations and prompt for elevation (CCE-9616)
|
|
67. |
|
User Account Control: Only elevate executables that are signed and validated (CCE-9021)
|
|
68. |
|
User Account Control: Only elevate UIAccess applications that are installed in secure locations (CCE-9801)
|
|
69. |
|
User Account Control: Run all administrators in Admin Approval Mode (CCE-9189)
|
|
70. |
|
User Account Control: Switch to the secure desktop when prompting for elevation (CCE-9395)
|
|
71. |
|
User Account Control: Virtualize file and registry write failures to per-user locations (CCE-8817)
|
|
72. |
|
MSS: (AutoAdminLogon) Enable Automatic Logon (Not Recommended) (CCE-9342)
|
|
73. |
|
MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing) (CCE-9496)
|
|
74. |
|
MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing) (CCE-8655)
|
|
75. |
|
MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes (CCE-8513)
|
|
76. |
|
MSS: (Hidden) Hide computer from the browse list (Not Recommended except for highly secure environments) (CCE-8560)
|
|
77. |
|
MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds (CCE-9426)
|
|
78. |
|
MSS: (NoDefaultExempt) Enable NoDefaultExempt for IPSec Filtering (recommended) (CCE-9439)
|
|
79. |
|
MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers (CCE-8562)
|
|
80. |
|
MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure DefaultGateway addresses (could lead to DoS) (CCE-9458)
|
|
81. |
|
MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended) (CCE-9348)
|
|
82. |
|
MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended) (CCE-8591)
|
|
83. |
|
MSS: (TCPMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default) (CCE-9456)
|
|
84. |
|
MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted (3 recommended, 5 is default) (CCE-9487)
|
|
85. |
|
MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning (CCE-9501)
|
|
|
|
System Services Settings
|
Section Score: 0.00 of 0.63 |
|
1. |
|
Bluetooth Support Service (CCE-10661)
|
|
2. |
|
Fax Service (CCE-10150)
|
|
3. |
|
HomeGroup Listener (CCE-10543)
|
|
4. |
|
Homegroup Provider (CCE-9910)
|
|
5. |
|
Media Center Extender (CCE-10699)
|
|
6. |
|
Parental Controls Service (CCE-10311)
|
|
|
|
Audit Policy Settings
|
Section Score: 0.00 of 0.63 |
|
1. |
|
Application Group Management (CCE-8822)
|
|
2. |
|
Computer Account Management (CCE-9498)
|
|
3. |
|
Distribution Group Management (CCE-9644)
|
|
4. |
|
Other Account Management Events (CCE-9657)
|
|
5. |
|
Security Group Management (CCE-9692)
|
|
6. |
|
User Account Management (CCE-9542)
|
|
7. |
|
DPAPI Activity (CCE-9735)
|
|
8. |
|
Process Creation (CCE-9562)
|
|
9. |
|
Process Termination (CCE-9227)
|
|
10. |
|
RPC Events (CCE-9492)
|
|
11. |
|
Detailed Directory Service Replication (CCE-9628)
|
|
12. |
|
Directory Service Access (CCE-9765)
|
|
13. |
|
Directory Service Changes (CCE-9734)
|
|
14. |
|
Directory Service Replication (CCE-9637)
|
|
15. |
|
Account Lockout (CCE-8853)
|
|
16. |
|
IPsec Extended Mode (CCE-9661)
|
|
17. |
|
IPsec Main Mode (CCE-10939)
|
|
18. |
|
IPsec Quick Mode (CCE-9632)
|
|
19. |
|
Logoff (CCE-8856)
|
|
20. |
|
Logon (CCE-9683)
|
|
21. |
|
Other Logon/Logoff Events (CCE-9622)
|
|
22. |
|
Special Logon (CCE-9763)
|
|
23. |
|
Application Generated (CCE-9816)
|
|
24. |
|
Certification Services (CCE-9460)
|
|
25. |
|
File Share (CCE-9376)
|
|
26. |
|
File System (CCE-9217)
|
|
27. |
|
Filtering Platform Connection (CCE-9728)
|
|
28. |
|
Filtering Platform Packet Drop (CCE-9133)
|
|
29. |
|
Handle Manipulation (CCE-9789)
|
|
30. |
|
Kernel Object (CCE-9803)
|
|
31. |
|
Other Object Access Events (CCE-9455)
|
|
32. |
|
Registry (CCE-9737)
|
|
33. |
|
SAM (CCE-9856)
|
|
34. |
|
Audit Policy Change (CCE-10021)
|
|
35. |
|
Authentication Policy Change (CCE-9976)
|
|
36. |
|
Authorization Policy Change (CCE-9633)
|
|
37. |
|
Filtering Platform Policy Change (CCE-9902)
|
|
38. |
|
MPSSVC Rule-Level Policy Change (CCE-9153)
|
|
39. |
|
Other Policy Change Events (CCE-9596)
|
|
40. |
|
Non Sensitive Privilege Use (CCE-9190)
|
|
41. |
|
Other Privilege Use Events (CCE-9988)
|
|
42. |
|
Sensitive Privilege Use (CCE-9878)
|
|
43. |
|
IPsec Driver (CCE-9925)
|
|
44. |
|
Other System Events (CCE-9586)
|
|
45. |
|
Security State Change (CCE-9850)
|
|
46. |
|
Security System Extension (CCE-9863)
|
|
47. |
|
System Integrity (CCE-9520)
|
|
|
|
Computer Configuration - Administrative Templates - Network Connections
|
Section Score: 0.00 of 0.63 |
|
1. |
|
Turn on Mapper I/O (LLTDIO) driver (CCE-9783)
|
|
2. |
|
Turn on Responder (RSPNDR) driver (CCE-10059)
|
|
3. |
|
Turn Off Microsoft Peer-to-Peer Networking Services (CCE-10438)
|
|
4. |
|
Prohibit installation and configuration of Network Bridge on your DNS domain network (CCE-9953)
|
|
5. |
|
Require Domain users to elevate when setting a network's location (CCE-10359)
|
|
6. |
|
Route all traffic through the internal network (CCE-10509)
|
|
7. |
|
_6to4 State (CCE-10266)
|
|
8. |
|
ISATAP State (CCE-10130)
|
|
9. |
|
Teredo State (CCE-10011)
|
|
10. |
|
IP HTTPS (CCE-10764)
|
|
11. |
|
Configuration of Wireless Settings Using Windows Connect Now (CCE-9879)
|
|
12. |
|
Prohibit Access of the Windows Connect Now Wizards (CCE-10778)
|
|
13. |
|
Extend point and print connection to search Windows update and use alternate connection if needed (CCE-10782)
|
|
|
|
Computer Configuration - Administrative Templates - System Settings
|
Section Score: 0.00 of 0.63 |
|
1. |
|
Allow remote access to the PnP interface (CCE-10769)
|
|
2. |
|
Do not send a Windows Error Report when a generic driver is installed on a device (CCE-9901)
|
|
3. |
|
Prevent creation of a system restore point during device activity that would normally prompt creation of a restore point. (CCE-10553)
|
|
4. |
|
Prevent device metadata retrieval from the internet (CCE-10165)
|
|
5. |
|
Specify search order for device driver source locations (CCE-9919)
|
|
6. |
|
Registry Policy (CCE-9361)
|
|
7. |
|
Turn off downloading of print drivers over HTTP (CCE-9195)
|
|
8. |
|
Turn off event views (Events.asp) links (CCE-9819)
|
|
9. |
|
Turn off handwriting personalization data sharing (CCE-10645)
|
|
10. |
|
Turn off handwriting recognition error reporting (CCE-10645)
|
|
11. |
|
Turn off Internet connection wizard if URL connection is referring to Microsoft.com (CCE-10649)
|
|
12. |
|
Turn off Internet download for Web publishing and online ordering wizards (CCE-9674)
|
|
13. |
|
Turn off Internet file association service (CCE-10795)
|
|
14. |
|
Turn off printing over HTTP (CCE-10061)
|
|
15. |
|
Turn off registration if URL connection is referring to Microsoft.com (CCE-10160)
|
|
16. |
|
Turn off Search Companion content file updates (CCE-10140)
|
|
17. |
|
Turn off the Order Prints picture task (CCE-9823)
|
|
18. |
|
Turn off the Publish to Web task for files and folders (CCE-9643)
|
|
19. |
|
Turn off the Windows Messenger Customer Experience Improvement Program (CCE-9559)
|
|
20. |
|
Turn Off Windows Error Reporting (CCE-10441)
|
|
21. |
|
Always Use Classic Logon (CCE-10591)
|
|
22. |
|
Do not process the run once list (CCE-10154)
|
|
23. |
|
Require a Password when a Computer Wakes (On Battery) (CCE-9829)
|
|
24. |
|
Require a Password when a Computer Wakes (Plugged) (CCE-9670)
|
|
25. |
|
Offer Remote Assistance (CCE-9960)
|
|
26. |
|
Solicited Remote Assistance (CCE-9506)
|
|
27. |
|
Turn on session logging (CCE-10344)
|
|
28. |
|
Restrictions for Unauthenticated RPC clients (CCE-9396)
|
|
29. |
|
RPC Endpoint Mapper Client Authentication (CCE-10181)
|
|
|
|
Computer Configuration - Administrative Templates - System - Troubleshooting and Diagnostics
|
Section Score: 0.00 of 0.63 |
|
1. |
|
Microsoft support diagnostic tool: turn on msdt interactive communication with support provider (CCE-9842)
|
|
2. |
|
Troubleshooting: allow user to access online troubleshooting content on Microsoft server from the troubleshooting control panel (CCE-10606)
|
|
3. |
|
Enable or disable perftrack (CCE-10219)
|
|
|
|
Computer Configuration - Administrative Templates - Windows Components
|
Section Score: 0.00 of 0.63 |
|
1. |
|
Configure Windows NTP client (CCE-10500)
|
|
2. |
|
Turn off program inventory (CCE-10787)
|
|
3. |
|
Default behavior for autorun (CCE-10527)
|
|
4. |
|
Turn off Autoplay (CCE-9528)
|
|
5. |
|
Turn off autoplay for non volume devices (CCE-10655)
|
|
6. |
|
Enumerate administrator accounts on elevation (CCE-9938)
|
|
7. |
|
Do not allow digital locker to run (CCE-10759)
|
|
8. |
|
Override the More Gadgets Link (CCE-9857)
|
|
9. |
|
Disable unpacking and installation of gadgets that are not digitally signed (CCE-10811)
|
|
10. |
|
Turn Off User Installed Windows Sidebar Gadgets (CCE-10586)
|
|
11. |
|
Maximum Application Log Size (CCE-9603)
|
|
12. |
|
Maximum Security Log Size (CCE-9967)
|
|
13. |
|
Maximum Setup Log Size (CCE-10714)
|
|
14. |
|
Maximum Setup Log Size (CCE-10156)
|
|
15. |
|
Turn Off Downloading of Game Information (CCE-10828)
|
|
16. |
|
Turn off game updates (CCE-10850)
|
|
17. |
|
Prevent the computer from joining a Homegroup (CCE-10183)
|
|
18. |
|
Disable remote desktop sharing (CCE-10763)
|
|
19. |
|
Do not allow passwords to be saved (CCE-10090)
|
|
20. |
|
Allow users to connect remotely using Remote Desktop Services (CCE-9985)
|
|
21. |
|
Always prompt client for password upon connection (CCE-10103)
|
|
22. |
|
Set client connection encryption level (CCE-9764)
|
|
23. |
|
Set a time limit for active but idle Terminal Services sessions (CCE-10608)
|
|
24. |
|
Set a time limit for disconnected sessions (CCE-9858)
|
|
25. |
|
Do not delete temp folders upon exit (CCE-10856)
|
|
26. |
|
Do not use temporary folders per session (CCE-9864)
|
|
27. |
|
Turn off downloading of enclosures (CCE-10730)
|
|
28. |
|
Allow indexing of encrypted files (CCE-10496)
|
|
29. |
|
Enable indexing uncached Exchange folders (CCE-9866)
|
|
30. |
|
Prevent Windows anytime upgrade from running (CCE-10137)
|
|
31. |
|
Configure Microsoft SpyNet Reporting (CCE-9868)
|
|
32. |
|
Disable Logging (CCE-10157)
|
|
33. |
|
Disable Windows Error Reporting (CCE-9914)
|
|
34. |
|
Display Error Notification (CCE-10709)
|
|
35. |
|
Do Not Send Additional Data (CCE-10824)
|
|
36. |
|
Turn off data execution prevention for explorer (CCE-9918)
|
|
37. |
|
Turn off Heap termination on corruption (CCE-9874)
|
|
38. |
|
Turn off shell protocol protected mode (CCE-10623)
|
|
39. |
|
Disable IE security prompt for Windows Installer scripts (CCE-9875)
|
|
40. |
|
Enable user control over installs (CCE-9876)
|
|
41. |
|
Prohibit non-administrators from applying vendor signed updates (CCE-9888)
|
|
42. |
|
Report Logon Server Not Available During User logon (CCE-9907)
|
|
43. |
|
Turn off the communities features (CCE-11252)
|
|
44. |
|
windows_mail_application_manual_launch_permitted_var (CCE-10882)
|
|
45. |
|
Prevent Windows Media DRM Internet Access (CCE-9908)
|
|
46. |
|
Do Not Show First Use Dialog Boxes (CCE-10692)
|
|
47. |
|
Prevent Automatic Updates (CCE-10602)
|
|
48. |
|
Configure automatic updates (CCE-9403)
|
|
49. |
|
Reschedule automatic updates scheduled installation (CCE-10205)
|
|
50. |
|
No auto restart with logged on users for scheduled automatic updates installations (CCE-9672)
|
|
51. |
|
Do not display 'Install updates and shut down option' in shut down windows dialog box (CCE-9464)
|
|
52. |
|
Games are not installed
|
|
53. |
|
Internet Information Services
|
|
54. |
|
Simple TCPIP Services
|
|
55. |
|
Telnet Client
|
|
56. |
|
Telnet Server
|
|
57. |
|
TFTP Client
|
|
58. |
|
Windows Media Center
|
|
|
|
Security Patches
|
Section Score: 0.00 of 0.63 |
|
1. |
|
Security Patches Up-To-Date
|
|
|
|
Windows Firewall Inbound Rules
|
Section Score: 0.00 of 0.63 |
|
1. |
|
Core Networking - Dynamic Host Configuration Protocol (DHCP-In) (CCE-14986)
|
|
2. |
|
Core Networking - Dynamic Host Configuration Protocol (DHCPV6-In) (CCE-14854)
|
|
|
|
Windows Firewall with Advanced Security - Domain Profile
|
Section Score: 0.00 of 0.63 |
|
1. |
|
Log Dropped Packets (CCE-10502)
|
|
2. |
|
Logged Successful Connections (CCE-10268)
|
|
3. |
|
Name (CCE-10022)
|
|
4. |
|
Size Limit (CCE-9747)
|
|
5. |
|
Display a Notification (CCE-9774)
|
|
6. |
|
Apply Local Connection Security Rules (CCE-9329)
|
|
7. |
|
Apply Local Firewall Rules (CCE-9686)
|
|
8. |
|
Allow Unicast Response (CCE-9069)
|
|
9. |
|
Firewall state (CCE-9465)
|
|
10. |
|
Inbound Connections (CCE-9620)
|
|
11. |
|
Outbound Connections (CCE-9509)
|
|
|
|
Windows Firewall with Advanced Security - Private Profile
|
Section Score: 0.00 of 0.63 |
|
1. |
|
Log Dropped Packets (CCE-10215)
|
|
2. |
|
Logged Successful Connections (CCE-10611)
|
|
3. |
|
Name (CCE-10386)
|
|
4. |
|
Size Limit (CCE-10250)
|
|
5. |
|
Display a Notification (CCE-8884)
|
|
6. |
|
Apply Local Connection Security Rules (CCE-9712)
|
|
7. |
|
Apply Local Firewall Rules (CCE-9663)
|
|
8. |
|
Allow Unicast Response (CCE-9522)
|
|
9. |
|
Firewall state (CCE-9739)
|
|
10. |
|
Inbound Connections (CCE-9694)
|
|
11. |
|
Outbound Connections (CCE-8870)
|
|
|
|
Windows Firewall with Advanced Security - Public Profile
|
Section Score: 0.00 of 0.63 |
|
1. |
|
Log Dropped Packets (CCE-9749)
|
|
2. |
|
Logged Successful Connections (CCE-9753)
|
|
3. |
|
Name (CCE-9926)
|
|
4. |
|
Size Limit (CCE-10373)
|
|
5. |
|
Display a Notification (CCE-9742)
|
|
6. |
|
Apply Local Connection Security Rules (CCE-9817)
|
|
7. |
|
Apply Local Firewall Rules (CCE-9786)
|
|
8. |
|
Allow Unicast Response (CCE-9773)
|
|
9. |
|
Firewall state (CCE-9593)
|
|
10. |
|
Inbound Connections (CCE-9007)
|
|
11. |
|
Outbound Connections (CCE-9588)
|
|
|
|
Internet Explorer 8 - Local Computer Policy
|
Section Score: 0.00 of 0.63 |
|
1. |
|
Disable Configuring History - Local Computer (CCE-10387)
|
|
2. |
|
Disable Changing Automatic Configuration Settings - Local Computer (CCE-10638)
|
|
3. |
|
Do Not Allow Users to enable or Disable Add-Ons - Local Computer (CCE-10235)
|
|
4. |
|
Make proxy settings per-machine (rather than per-user) - Local Computer (CCE-9870)
|
|
5. |
|
Prevent participation in the Customer Experience Improvement Programs - Local Computer (CCE-10522)
|
|
6. |
|
Prevent performance of First Run Customize settings - Local Computer (CCE-10641)
|
|
7. |
|
Security Zones: Do Not Allow Users to Add/Delete Sites - Local Computer (CCE-10394)
|
|
8. |
|
Security Zones: Do Not Allow Users to Change Policies - Local Computer (CCE-10037)
|
|
9. |
|
Security Zones: Use Only Machine Settings - Local Computer (CCE-10096)
|
|
10. |
|
Turn Off Crash Detection - Local Computer (CCE-10594)
|
|
11. |
|
Turn Off Managing SmartScreen Filter - Local Computer (CCE-9973)
|
|
12. |
|
Turn Off the Security Settings Check Feature - Local Computer (CCE-10607)
|
|
13. |
|
Include updated Web site lists from Microsoft - Local Computer (CCE-10603)
|
|
14. |
|
Configure Delete Browsing History on exit - Local Computer (CCE-10590)
|
|
15. |
|
Prevent Deleting Web sites that the User has Visited - Local Computer (CCE-10110)
|
|
16. |
|
Turn off InPrivate Browsing - Local Computer (CCE-9885)
|
|
17. |
|
Allow Active Content from CDs to Run on User Machine - Local Computer (CCE-10293)
|
|
18. |
|
Allow Software to Run or Install Even if the Signature is Invalid - Local Computer (CCE-10052)
|
|
19. |
|
Allow Third-Party Browser Extensions - Local Computer (CCE-9905)
|
|
20. |
|
Automatically Check for Internet Explorer Updates - Local Computer (CCE-10581)
|
|
21. |
|
Check for Server Certificate Revocation - Local Computer (CCE-10074)
|
|
22. |
|
Check for signatures on downloaded programs - Local Computer - variable (CCE-10055)
|
|
23. |
|
Intranet Sites: Include all network paths (UNCs) - Local Computer (CCE-9660)
|
|
24. |
|
Access Data Sources Across Domains - Internet Zone - Local Computer (CCE-10380)
|
|
25. |
|
Allow cut, copy or paste operations from the clipboard via script - Internet Zone - Local Computer (CCE-10002)
|
|
26. |
|
Allow drag and drop or copy and paste files - Internet Zone - Local Computer (CCE-10033)
|
|
27. |
|
Allow Font Downloads - Internet Zone - Local Computer (CCE-10403)
|
|
28. |
|
Allow installation of desktop items - Internet Zone - Local Computer (CCE-9790)
|
|
29. |
|
Allow scripting of Internet Explorer web browser control - Internet Zone - Local Computer (CCE-9779)
|
|
30. |
|
Allow script-initiated windows without size or position constraints - Internet Zone - Local Computer (CCE-9882)
|
|
31. |
|
Allow Scriptlets - Internet Zone - Local Computer (CCE-10685)
|
|
32. |
|
Allow status bar updates via script - Internet Zone - Local Computer (CCE-9750)
|
|
33. |
|
Automatic prompting for file downloads - Internet Zone - Local Computer (CCE-10389)
|
|
34. |
|
Download signed ActiveX controls - Internet Zone - Local Computer (CCE-9917)
|
|
35. |
|
Download unsigned ActiveX controls - Internet Zone - Local Computer (CCE-10433)
|
|
36. |
|
Include local directory path when uploading files to a server - Internet Zone - Local Computer (CCE-10646)
|
|
37. |
|
Initialize and script ActiveX controls not marked as safe - Internet Zone - Local Computer (CCE-10561)
|
|
38. |
|
Java permissions - Internet Zone - Local Computer (CCE-10182)
|
|
39. |
|
Launching applications and files in an IFRAME - Internet Zone - Local Computer (CCE-9821)
|
|
40. |
|
Launching programs and unsafe files - Internet Zone - Local Computer (CCE-10650)
|
|
41. |
|
Logon Options - Internet Zone - Local Computer (CCE-10472)
|
|
42. |
|
Loose XAML files - Internet Zone - Local Computer (CCE-10672)
|
|
43. |
|
Navigate windows and frames across different domains - Internet Zone - Local Computer (CCE-9865)
|
|
44. |
|
Only allow approved domains to use ActiveX controls without prompt - Internet Zone - Local Computer (CCE-9793)
|
|
45. |
|
Open files based on content, not file extension - Internet Zone - Local Computer (CCE-10107)
|
|
46. |
|
Run .NET Framework-reliant components not signed with Authenticode - Internet Zone - Local Computer (CCE-10515)
|
|
47. |
|
Run .NET Framework-reliant components signed with Authenticode - Internet Zone - Local Computer (CCE-10625)
|
|
48. |
|
Software channel permissions - Internet Zone - Local Computer (CCE-10425)
|
|
49. |
|
Turn Off First-Run Opt-In - Internet Zone - Local Computer (CCE-10434)
|
|
50. |
|
Turn on Cross-Site Scripting (XSS) Filter - Internet Zone - Local Computer (CCE-10276)
|
|
51. |
|
Turn On Protected Mode - Internet Zone - Local Computer (CCE-10676)
|
|
52. |
|
Use Pop-up Blocker - Internet Zone - Local Computer (CCE-10486)
|
|
53. |
|
Userdata Persistence - Internet Zone - Local Computer (CCE-10200)
|
|
54. |
|
Web sites in less privileged Web content zones can navigate into this zone - Internet Zone - Local Computer (CCE-10622)
|
|
55. |
|
Java permissions - Intranet Zone - Local Computer (CCE-10566)
|
|
56. |
|
Java permissions - Local Machine Zone - Local Computer (CCE-10319)
|
|
57. |
|
Download Signed ActiveX Controls - Locked Down Internet Zone - Local Computer (CCE-10095)
|
|
58. |
|
Java permissions - Locked Down Internet Zone - Local Computer (CCE-10597)
|
|
59. |
|
Java permissions - Locked Down Intranet Zone - Local Computer (CCE-10342)
|
|
60. |
|
Java permissions - Locked Down Local Machine - Local Computer (CCE-10535)
|
|
61. |
|
Java permissions - Locked Down Restricted Sites Zone - Local Computer (CCE-10275)
|
|
62. |
|
Java permissions - Locked Down Trusted Sites Zone - Local Computer (CCE-10654)
|
|
63. |
|
Access Data Sources Across Domains - Restricted Sites Zone - Local Computer (CCE-10525)
|
|
64. |
|
Allow Active Scripting - Restricted Sites Zone - Local Computer (CCE-10393)
|
|
65. |
|
Allow Binary and Script Behaviors - Restricted Sites Zone - Local Computer (CCE-10547)
|
|
66. |
|
Allow cut, copy or paste operations from the clipboard via script - Restricted Sites Zone - Local Computer (CCE-10539)
|
|
67. |
|
Allow drag and drop or copy and paste files - Restricted Sites Zone - Local Computer (CCE-9667)
|
|
68. |
|
Allow File Downloads - Restricted Sites Zone - Local Computer (CCE-10466)
|
|
69. |
|
Allow Font Downloads - Restricted Sites Zone - Local Computer (CCE-9982)
|
|
70. |
|
Allow installation of desktop items - Restricted Sites Zone - Local Computer (CCE-10475)
|
|
71. |
|
Allow scripting of Internet Explorer web browser control - Restricted Sites Zone - Local Computer (CCE-10725)
|
|
72. |
|
Allow META REFRESH - Restricted Sites Zone - Local Computer (CCE-10664)
|
|
73. |
|
Allow script-initiated windows without size or position constraints - Restricted Sites Zone - Local Computer (CCE-9814)
|
|
74. |
|
Allow Scriptlets - Restricted Sites Zone - Local Computer (CCE-10630)
|
|
75. |
|
Allow status bar updates via script - Restricted Sites Zone - Local Computer (CCE-10431)
|
|
76. |
|
Automatic prompting for file downloads - Restricted Sites Zone - Local Computer (CCE-9959)
|
|
77. |
|
Download signed ActiveX controls - Restricted Sites Zone - Local Computer (CCE-10470)
|
|
78. |
|
Download unsigned ActiveX controls - Restricted Sites Zone - Local Computer (CCE-10461)
|
|
79. |
|
Include local directory path when uploading files to a server - Restricted Sites Zone - Local Computer (CCE-9781)
|
|
80. |
|
Initialize and script ActiveX controls not marked as safe - Restricted Sites Zone - Local Computer (CCE-10347)
|
|
81. |
|
Java permissions - Restricted Sites Zone - Local Computer (CCE-10620)
|
|
82. |
|
Launching applications and files in an IFRAME - Restricted Sites Zone - Local Computer (CCE-10360)
|
|
83. |
|
Launching programs and unsafe files - Restricted Sites Zone - Local Computer (CCE-10744)
|
|
84. |
|
Logon Options - Restricted Sites Zone - Local Computer (CCE-10651)
|
|
85. |
|
Loose XAML files - Restricted Sites Zone - Local Computer (CCE-10178)
|
|
86. |
|
Navigate sub-frames across different domains - Restricted Sites Zone - Local Computer (CCE-10642)
|
|
87. |
|
Only allow approved domains to use ActiveX controls without prompt - Restricted Sites Zone - Local Computer (CCE-9832)
|
|
88. |
|
Open files based on content, not file extension - Restricted Sites Zone - Local Computer (CCE-10277)
|
|
89. |
|
Run .NET Framework-reliant components not signed with Authenticode - Restricted Sites Zone - Local Computer (CCE-9898)
|
|
90. |
|
Run .NET Framework-reliant components signed with Authenticode - Restricted Sites Zone - Local Computer (CCE-9673)
|
|
91. |
|
Run ActiveX controls and plugins - Restricted Sites Zone - Local Computer (CCE-9792)
|
|
92. |
|
Script ActiveX controls marked safe for scripting - Restricted Sites Zone - Local Computer (CCE-10554)
|
|
93. |
|
Scripting of Java Applets - Restricted Sites Zone - Local Computer (CCE-10083)
|
|
94. |
|
Software channel permissions - Restricted Sites Zone - Local Computer (CCE-9669)
|
|
95. |
|
Turn Off First-Run Opt-In - Restricted Sites Zone - Local Computer (CCE-10420)
|
|
96. |
|
Turn on Cross-Site Scripting (XSS) Filter - Restricted Sites Zone - Local Computer (CCE-10105)
|
|
97. |
|
Turn On Protected Mode - Restricted Sites Zone - Local Computer (CCE-9945)
|
|
98. |
|
Use Pop-up Blocker - Restricted Sites Zone - Local Computer (CCE-10094)
|
|
99. |
|
Userdata Persistence - Restricted Sites Zone - Local Computer (CCE-9760)
|
|
100. |
|
Web sites in less privileged Web content zones can navigate into this zone - Restricted Sites Zone - Local Computer (CCE-10609)
|
|
101. |
|
Java permissions - Trusted Sites Zone - Local Computer (CCE-10696)
|
|
102. |
|
Turn Off changing the URL to be displayed for checking updates to Internet Explorer and Internet Tools - Local Computer (CCE-10595)
|
|
103. |
|
Turn Off Configuring the Update Check Interval (In Days) - Local Computer (CCE-9776)
|
|
104. |
|
Internet Explorer Processes - Consistent Mime Handling - Local Computer (CCE-10138)
|
|
105. |
|
Internet Explorer Processes - Mime Sniffing Safety Feature - Local Computer (CCE-10635)
|
|
106. |
|
Internet Explorer Processes - MK Protocol Security Restriction - Local Computer (CCE-10265)
|
|
107. |
|
Internet Explorer Processes - Protection From Zone Elevation - Local Computer (CCE-10574)
|
|
108. |
|
Internet Explorer Processes - Restrict ActiveX Install - Local Computer (CCE-10405)
|
|
109. |
|
Internet Explorer Processes - Restrict File Download - Local Computer (CCE-10578)
|
|
110. |
|
Internet Explorer Processes - Scripted Window Security Restrictions - Local Computer (CCE-10604)
|
|