Upload
lycong
View
239
Download
4
Embed Size (px)
Citation preview
SecurityCenter 4TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013
RONLAB
Chapter CCE SummaryCCE to NIST 800 53April 18, 2013 at 5:53am EDT[cody]Confidential: The following report contains confidential information. Do not distribute, email, fax,or transfer via any electronic mechanism unless it has been approved by the recipient company'ssecurity policy. All copies and backups of this document should be saved on protected storage at alltimes. Do not share any of the information contained within this report with anyone unless they areauthorized to view the information. Violating any of the previous instructions is grounds for termination.
Chapter CCE Summary CCE to NIST 800 53 SecurityCenter 4TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013
AC-1 - Access Control Policy and Procedures
Tenable Network Security 1
AC-1 - Access Control Policy andProcedures
CCE-10591-6 - Use Classic Logon should be properly configured.
CCE-10661-7 - The startup type of the Bluetooth service should be correct.
CCE-9985-3 - The 'Allow users to connect remotely using Remote Desktop Services' setting should be configured correctly.
CCE-9136-3 - The 'Account lockout threshold' setting should be configured correctly.
CCE-9960-6 - Unsolicited offers of remote assistance (aka the 'Offer Remote Assistance' setting) should be automatically rejected or passed to the logged-on userfor confirmation as appropriate.
CCE-9107-4 - The 'Allow log on through Remote Desktop Services' user right should be assigned to the appropriate accounts.
CCE-10763-1 - The startup type of the NetMeeting Remote Desktop Sharing service should be correct.
CCE-10608-8 - The "Set time limit for idle sessions" policy should be set correctly for Terminal Services.
CCE-10103-0 - The 'Always prompt for password upon connection' setting should be configured correctly.
CCE-9407-8 - The 'Act as part of the operating system' user right should be assigned to the appropriate accounts.
CCE-9879-8 - The "Configuration of wireless settings using Windows Connect Now" setting should be configured correctly for Wireless Connect Now over Ethernet(UPnP).
CCE-10051-1 - The screen saver should be enabled or disabled as appropriate for the current user.
CCE-10148-5 - The 'Screen Saver timeout' setting should be configured correctly.
CCE-9274-2 - The 'Deny log on through Remote Desktop Services' user right should be assigned to the appropriate accounts.
CCE-9406-0 - The 'Microsoft network server: Amount of idle time required before suspending session' setting should be configured correctly.
CCE-8807-0 - The 'Recovery console: Allow automatic administrative logon' setting should be configured correctly.
CCE-8945-8 - The 'Recovery console: Allow floppy copy and access to all drives and all folders' setting should be configured correctly.
Chapter CCE Summary CCE to NIST 800 53 SecurityCenter 4TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013
AC-1 - Access Control Policy and Procedures
Tenable Network Security 2
CCE-10769-8 - The "Allow remote access to the PnP interface" setting should be configured correctly.
CCE-9704-8 - The 'Network security: Force logoff when logon hours expire' setting should be configured correctly.
CCE-9858-2 - The "Set time limit for disconnected sessions" policy should be set correctly for Terminal Services.
CCE-10527-0 - The default behavior for AutoRun should be properly configured.
CCE-9336-9 - The 'Force shutdown from a remote system' user right should be assigned to the appropriate accounts.
CCE-9439-1 - The 'MSS: (NoDefaultExempt) Configure IPSec exemptions for various types of network traffic.' setting should be configured correctly.
CCE-9730-3 - The 'Password protect the screen saver' setting should be configured correctly.
CCE-8591-0 - The time in seconds before the screen saver grace period expires (ScreenSaverGracePeriod) setting should be configured correctly.
Chapter CCE Summary CCE to NIST 800 53 SecurityCenter 4TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013
AC-1 - Access Control Policy and Procedures
Tenable Network Security 3
CCE Mapping Summary
Plugin Plugin Name Severity Total
1000261CCE-9107-4:Log On Through TerminalServices
Info 1
Plugin Plugin Name Severity Total
1000201CCE-9858-2:Set a time limit fordisconnected sessions
High 1
Plugin Plugin Name Severity Total
1000200CCE-10608-8:Set a time limit for active butidle Terminal Services sessions
High 1
Plugin Plugin Name Severity Total
1000198CCE-10103-0:Always prompt client forpassword upon connection
High 1
Plugin Plugin Name Severity Total
1000197CCE-9985-3:Allow users to connectremotely using Remote Desktop Services
High 1
Plugin Plugin Name Severity Total
1000195CCE-10763-1:Disable remote desktopsharing
High 1
Plugin Plugin Name Severity Total
1000180 CCE-10527-0:Default behavior for autorun High 1
Plugin Plugin Name Severity Total
1000170 CCE-9960-6:Offer Remote Assistance High 1
Plugin Plugin Name Severity Total
1000166 CCE-10591-6:Always Use Classic Logon High 1
Chapter CCE Summary CCE to NIST 800 53 SecurityCenter 4TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013
AC-1 - Access Control Policy and Procedures
Tenable Network Security 4
Plugin Plugin Name Severity Total
1000146CCE-10769-8:Allow remote access to thePnP interface
High 1
Plugin Plugin Name Severity Total
1000143CCE-9879-8:Configuration of WirelessSettings Using Windows Connect Now
High 1
Plugin Plugin Name Severity Total
1000110 CCE-10661-7:Bluetooth Support Service High 1
Plugin Plugin Name Severity Total
1000107
CCE-8591-0:MSS:(ScreenSaverGracePeriod) The time inseconds before the screen saver graceperiod expires (0 recommended)
High 1
Plugin Plugin Name Severity Total
1000103CCE-9439-1:MSS: (NoDefaultExempt)Enable NoDefaultExempt for IPSec Filtering(recommended)
High 1
Plugin Plugin Name Severity Total
1000084CCE-8945-8:Recovery Console: AllowFloppy Copy and Access to All Drives andAll Folders
Info 1
Plugin Plugin Name Severity Total
1000083CCE-8807-0:Recovery Console: AllowAutomatic Administrative Logon
Info 1
Plugin Plugin Name Severity Total
1000078CCE-9704-8:Network security: Force logoffwhen logon hours expire
High 1
Chapter CCE Summary CCE to NIST 800 53 SecurityCenter 4TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013
AC-1 - Access Control Policy and Procedures
Tenable Network Security 5
Plugin Plugin Name Severity Total
1000062CCE-9406-0:Microsoft network server:Amount of idle time required beforesuspending session
Info 1
Plugin Plugin Name Severity Total
1000023CCE-9336-9:Force Shutdown From ARemote System
Info 1
Plugin Plugin Name Severity Total
1000022CCE-9274-2:Deny Logon Through RemoteDesktop Services
High 1
Plugin Plugin Name Severity Total
1000012CCE-9407-8:Act As Part Of The OperatingSystem
Info 1
Plugin Plugin Name Severity Total
1000003 CCE-9136-3:Account Lockout Threshold High 1
Chapter CCE Summary CCE to NIST 800 53 SecurityCenter 4TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013
AC-2 - Account Management
Tenable Network Security 6
AC-2 - Account Management
CCE-9938-2 - The 'Enumerate administrator accounts on elevation' setting should be configured correctly.
CCE-8936-7 - The 'Network access: Let Everyone permissions apply to anonymous users' setting should be configured correctly.
CCE-9449-0 - The 'Interactive logon: Do not display last user name' setting should be configured correctly.
CCE-10359-8 - The "Require domain users to elevate when setting a network's location" setting should be configured correctly.
CCE-8467-3 - The 'Impersonate a client after authentication' user right should be assigned to the appropriate accounts.
CCE-8811-2 - The 'User Account Control: Admin Approval Mode for the Built-in Administrator account' setting should be configured correctly.
CCE-10154-3 - The 'Do not process the run once list' setting should be configured correctly.
CCE-8813-8 - The 'User Account Control: Behavior of the elevation prompt for standard users' setting should be configured correctly.
CCE-9907-7 - The "Report Logon Server Not Available During User logon" setting should be configured correctly.
CCE-8958-1 - The 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' setting should be configured correctly.
CCE-9218-9 - The 'Network access: Named Pipes that can be accessed anonymously' setting should be configured correctly.
Chapter CCE Summary CCE to NIST 800 53 SecurityCenter 4TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013
AC-2 - Account Management
Tenable Network Security 7
CCE Mapping Summary
Plugin Plugin Name Severity Total
1000255CCE-8467-3:Impersonate a Client AfterAuthentication
Info 1
Plugin Plugin Name Severity Total
1000219CCE-9907-7:Report Logon Server NotAvailable During User logon
High 1
Plugin Plugin Name Severity Total
1000183CCE-9938-2:Enumerate administratoraccounts on elevation
High 1
Plugin Plugin Name Severity Total
1000167CCE-10154-3:Do not process the run oncelist
High 1
Plugin Plugin Name Severity Total
1000137CCE-10359-8:Require Domain users toelevate when setting a networks location
High 1
Plugin Plugin Name Severity Total
1000092CCE-8813-8:User Account Control:Behavior of the elevation prompt forstandard users
High 1
Plugin Plugin Name Severity Total
1000091CCE-8958-1:User Account Control:Behavior of the elevation prompt foradministrators in Admin Approval Mode
High 1
Plugin Plugin Name Severity Total
1000090CCE-8811-2:User Account Control: AdminApproval Mode for the Built-in Administratoraccount
High 1
Chapter CCE Summary CCE to NIST 800 53 SecurityCenter 4TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013
AC-2 - Account Management
Tenable Network Security 8
Plugin Plugin Name Severity Total
1000071CCE-9218-9:Network access: NamedPipes that can be accessed anonymously -netlogon, lsarpc, samr, browser
Info 1
Plugin Plugin Name Severity Total
1000070CCE-8936-7:Network access: Let Everyonepermissions apply to anonymous users
Info 1
Plugin Plugin Name Severity Total
1000051CCE-9449-0:Interactive logon: Do notdisplay last user name
High 1
Chapter CCE Summary CCE to NIST 800 53 SecurityCenter 4TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013
AC-3-1 - Access Enforcement
Tenable Network Security 9
AC-3-1 - Access Enforcement
CCE-9418-5 - The 'Accounts: Limit local account use of blank passwords to console logon only' setting should be configured correctly.
CCE-9801-2 - The 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' setting should be configured correctly.
CCE-9938-2 - The 'Enumerate administrator accounts on elevation' setting should be configured correctly.
CCE-9985-3 - The 'Allow users to connect remotely using Remote Desktop Services' setting should be configured correctly.
CCE-9189-2 - The 'User Account Control: Run all administrators in Admin Approval Mode' setting should be configured correctly.
CCE-9215-5 - The 'Create a token object' user right should be assigned to the appropriate accounts.
CCE-8655-3 - The 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' setting should be configured correctly.
CCE-9156-1 - The 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' setting should be configured correctly.
CCE-9199-1 - The 'Accounts: Administrator account status' setting should be configured correctly.
CCE-9212-2 - The 'Deny log on as a batch job' user right should be assigned to the appropriate accounts.
CCE-8714-8 - The 'Accounts: Guest account status' setting should be configured correctly.
CCE-9185-0 - The 'Create a pagefile' user right should be assigned to the appropriate accounts.
CCE-10051-1 - The screen saver should be enabled or disabled as appropriate for the current user.
CCE-8999-5 - The 'Increase scheduling priority' user right should be assigned to the appropriate accounts.
CCE-9253-6 - The 'Access this computer from the network' user right should be assigned to the appropriate accounts.
CCE-9344-3 - The 'Microsoft network client: Digitally sign communications (if server agrees)' setting should be configured correctly.
CCE-9616-4 - The 'User Account Control: Detect application installations and prompt for elevation' setting should be configured correctly.
CCE-8818-7 - The 'Interactive logon: Require Domain Controller authentication to unlock workstation' setting should be configured correctly.
CCE-9021-7 - The 'User Account Control: Only elevate executables that are signed and validated' setting should be configured correctly.
CCE-9534-9 - The 'Require message integrity' option for the 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' settingshould be enabled or disabled as appropriate.
Chapter CCE Summary CCE to NIST 800 53 SecurityCenter 4TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013
AC-3-1 - Access Enforcement
Tenable Network Security 10
CCE-9098-5 - The 'Deny log on as a service' user right should be assigned to the appropriate accounts.
CCE-9406-0 - The 'Microsoft network server: Amount of idle time required before suspending session' setting should be configured correctly.
CCE-10769-8 - The "Allow remote access to the PnP interface" setting should be configured correctly.
CCE-9456-5 - The 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default)' setting should beconfigured correctly.
Chapter CCE Summary CCE to NIST 800 53 SecurityCenter 4TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013
AC-3-1 - Access Enforcement
Tenable Network Security 11
CCE Mapping Summary
Plugin Plugin Name Severity Total
1000249 CCE-9199-1:accounts_administrator_account_status High 1
Plugin Plugin Name Severity Total
1000247 CCE-8714-8:accounts_guest_account_status Info 1
Plugin Plugin Name Severity Total
1000237
CCE-8655-3:MSS:(DisableIPSourceRouting IPv6) IP sourcerouting protection level (protects againstpacket spoofing)
High 1
Plugin Plugin Name Severity Total
1000197CCE-9985-3:Allow users to connectremotely using Remote Desktop Services
High 1
Plugin Plugin Name Severity Total
1000183CCE-9938-2:Enumerate administratoraccounts on elevation
High 1
Plugin Plugin Name Severity Total
1000146CCE-10769-8:Allow remote access to thePnP interface
High 1
Plugin Plugin Name Severity Total
1000108
CCE-9456-5:MSS:(TCPMaxDataRetransmissions) How manytimes unacknowledged data is retransmitted(3 recommended, 5 is default)
High 1
Plugin Plugin Name Severity Total
1000096CCE-9189-2:User Account Control: Run alladministrators in Admin Approval Mode
High 1
Chapter CCE Summary CCE to NIST 800 53 SecurityCenter 4TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013
AC-3-1 - Access Enforcement
Tenable Network Security 12
Plugin Plugin Name Severity Total
1000095CCE-9801-2:User Account Control: Onlyelevate UIAccess applications that areinstalled in secure locations
High 1
Plugin Plugin Name Severity Total
1000094CCE-9021-7:User Account Control: Onlyelevate executables that are signed andvalidated
High 1
Plugin Plugin Name Severity Total
1000093CCE-9616-4:User Account Control: Detectapplication installations and prompt forelevation
High 1
Plugin Plugin Name Severity Total
1000081CCE-9534-9:Network security: Minimumsession security for NTLM SSP based(including secure RPC) clients
High 1
Plugin Plugin Name Severity Total
1000068CCE-9156-1:Network access: Do not allowanonymous enumeration of SAM accountsand shares
High 1
Plugin Plugin Name Severity Total
1000062CCE-9406-0:Microsoft network server:Amount of idle time required beforesuspending session
Info 1
Plugin Plugin Name Severity Total
1000060CCE-9344-3:Microsoft network client:Digitally sign communications (if serveragrees)
Info 1
Chapter CCE Summary CCE to NIST 800 53 SecurityCenter 4TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013
AC-3-1 - Access Enforcement
Tenable Network Security 13
Plugin Plugin Name Severity Total
1000057CCE-8818-7:Interactive logon: RequireDomain Controller authentication to unlockworkstation
Info 1
Plugin Plugin Name Severity Total
1000036CCE-9418-5:Accounts: Limit local accountuse to blank passwords to console logononly
Info 1
Plugin Plugin Name Severity Total
1000024 CCE-8999-5:Increase Scheduling Priority Info 1
Plugin Plugin Name Severity Total
1000020 CCE-9098-5:Deny Logon As A Service Info 1
Plugin Plugin Name Severity Total
1000019 CCE-9212-2:Deny Logon As A Batch Job High 1
Plugin Plugin Name Severity Total
1000015 CCE-9215-5:Create A Token Object Info 1
Plugin Plugin Name Severity Total
1000014 CCE-9185-0:Create A Pagefile Info 1
Plugin Plugin Name Severity Total
1000011CCE-9253-6:Access This Computer FromThe Network
High 1
Chapter CCE Summary CCE to NIST 800 53 SecurityCenter 4TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013
AC-3-2 - Access Enforcement
Tenable Network Security 14
AC-3-2 - Access Enforcement
CCE-8937-5 - The 'Network security: Do not store LAN Manager hash value on next password change' setting should be configured correctly.
CCE-8475-6 - The 'Perform volume maintenance tasks' user right should be assigned to the appropriate accounts.
CCE-9496-1 - The 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' setting should be configured correctly.
CCE-9123-1 - The 'Domain member: Maximum machine account password age' setting should be configured correctly.
CCE-9014-2 - The 'Shut down the system' user right should be assigned to the appropriate accounts.
CCE-8817-9 - The 'User Account Control: Virtualize file and registry write failures to per-user locations' setting should be configured correctly.
CCE-8414-5 - The 'Bypass traverse checking' user right should be assigned to the appropriate accounts.
CCE-8513-4 - The 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' setting should be configured correctly.
CCE-9121-5 - The 'Network access: Remotely accessible registry paths' setting should be configured correctly.
CCE-9301-3 - The 'User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop' setting should be configured correctly.
CCE-9068-8 - The 'Adjust memory quotas for a process' user right should be assigned to the appropriate accounts.
CCE-9193-4 - The 'Maximum password age' setting should be configured correctly.
CCE-8825-2 - The 'Microsoft network server: Digitally sign communications (if client agrees)' setting should be configured correctly.
CCE-8487-1 - The 'Interactive logon: Number of previous logons to cache (in case domain controller is not available)' setting should be configured correctly.
CCE-9395-5 - The 'User Account Control: Switch to the secure desktop when prompting for elevation' setting should be configured correctly.
CCE-9487-0 - The 'MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted (3 recommended, 5 is default)' setting shouldbe configured correctly.
CCE-9358-3 - The 'Microsoft network server: Disconnect clients when logon hours expire' setting should be configured correctly.
CCE-9149-6 - The 'Modify an object label' user right should be assigned to the appropriate accounts.
CCE-9531-5 - The 'Network access: Allow anonymous SID/Name translation' setting should be configured correctly.
CCE-9342-7 - The 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' setting should be configured correctly.
Chapter CCE Summary CCE to NIST 800 53 SecurityCenter 4TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013
AC-3-2 - Access Enforcement
Tenable Network Security 15
CCE-9048-0 - The 'Increase a process working set' user right should be assigned to the appropriate accounts.
CCE-8591-0 - The time in seconds before the screen saver grace period expires (ScreenSaverGracePeriod) setting should be configured correctly.
CCE-9254-4 - The 'Create permanent shared objects' user right should be assigned to the appropriate accounts.
CCE-9026-6 - The 'Devices: Prevent users from installing printer drivers' setting should be configured correctly.
Chapter CCE Summary CCE to NIST 800 53 SecurityCenter 4TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013
AC-3-2 - Access Enforcement
Tenable Network Security 16
CCE Mapping Summary
Plugin Plugin Name Severity Total
1000263CCE-9068-8:Adjust Memory Quotas For AProcess
Info 1
Plugin Plugin Name Severity Total
1000260 CCE-8414-5:Bypass Traverse Checking High 1
Plugin Plugin Name Severity Total
1000254CCE-9048-0:Increase a Process WorkingSet
High 1
Plugin Plugin Name Severity Total
1000250 CCE-9014-2:Shut Down The System High 1
Plugin Plugin Name Severity Total
1000244CCE-9301-3:User Account Control: AllowUIAccess applications to prompt forelevation without using the secure desktop
High 1
Plugin Plugin Name Severity Total
1000239
CCE-9487-0:MSS:(TcpMaxDataRetransmissions IPv6) Howmany times unacknowledged data isretransmitted (3 recommended, 5 is default)
High 1
Plugin Plugin Name Severity Total
1000107
CCE-8591-0:MSS:(ScreenSaverGracePeriod) The time inseconds before the screen saver graceperiod expires (0 recommended)
High 1
Plugin Plugin Name Severity Total
1000101CCE-8513-4:MSS: (EnableICMPRedirect)Allow ICMP redirects to override OSPFgenerated routes
High 1
Chapter CCE Summary CCE to NIST 800 53 SecurityCenter 4TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013
AC-3-2 - Access Enforcement
Tenable Network Security 17
Plugin Plugin Name Severity Total
1000100
CCE-9496-1:MSS:(DisableIPSourceRouting) IP source routingprotection level (protects against packetspoofing)
High 1
Plugin Plugin Name Severity Total
1000099CCE-9342-7:MSS: (AutoAdminLogon)Enable Automatic Logon (NotRecommended)
Info 1
Plugin Plugin Name Severity Total
1000098CCE-8817-9:User Account Control:Virtualize file and registry write failures toper-user locations
High 1
Plugin Plugin Name Severity Total
1000097CCE-9395-5:User Account Control: Switchto the secure desktop when prompting forelevation
High 1
Plugin Plugin Name Severity Total
1000077CCE-8937-5:Network security: Do not storeLAN Manager hash value on next passwordchange
Info 1
Plugin Plugin Name Severity Total
1000072CCE-9121-5:Network access: Remotelyaccessible registry paths
Info 1
Plugin Plugin Name Severity Total
1000066CCE-9531-5:Network access: Allowanonymous SID-Name translation
Info 1
Plugin Plugin Name Severity Total
1000065CCE-9358-3:Microsoft network server:Disconnect clients when logon hours expire
Info 1
Chapter CCE Summary CCE to NIST 800 53 SecurityCenter 4TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013
AC-3-2 - Access Enforcement
Tenable Network Security 18
Plugin Plugin Name Severity Total
1000064CCE-8825-2:Microsoft network server:Digitally sign communications (if clientagrees)
High 1
Plugin Plugin Name Severity Total
1000055CCE-8487-1:Interactive logon: Number ofprevious logons to cache (in case domaincontroller is not available)
High 1
Plugin Plugin Name Severity Total
1000049CCE-9123-1:Domain member: Maximummachine account password age
Info 1
Plugin Plugin Name Severity Total
1000042CCE-9026-6:Devices: Prevent users frominstalling printer drivers
Info 1
Plugin Plugin Name Severity Total
1000032CCE-8475-6:Perform Volume MaintenanceTasks
Info 1
Plugin Plugin Name Severity Total
1000030 CCE-9149-6:Modify an object label Info 1
Plugin Plugin Name Severity Total
1000016CCE-9254-4:Create Permanent SharedObjects
Info 1
Plugin Plugin Name Severity Total
1000006 CCE-9193-4:Maximum Password Age Info 1
Chapter CCE Summary CCE to NIST 800 53 SecurityCenter 4TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013
AC-3-3 - Access Enforcement
Tenable Network Security 19
AC-3-3 - Access Enforcement
CCE-8431-9 - The 'Create global objects' user right should be assigned to the appropriate accounts.
CCE-8583-7 - The 'Debug programs' user right should be assigned to the appropriate accounts.
CCE-9458-1 - The 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)' setting should be configuredcorrectly.
CCE-9067-0 - The 'Interactive logon: Smart card removal behavior' setting should be configured correctly.
CCE-9345-0 - The 'Allow log on locally' user right should be assigned to the appropriate accounts.
CCE-9249-4 - The 'Network access: Do not allow anonymous enumeration of SAM accounts' setting should be configured correctly.
CCE-8806-2 - The 'Network security: LAN Manager authentication level' setting should be configured correctly.
CCE-9317-9 - The 'Interactive logon: Do not require CTRL+ALT+DEL' setting should be configured correctly.
Chapter CCE Summary CCE to NIST 800 53 SecurityCenter 4TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013
AC-3-3 - Access Enforcement
Tenable Network Security 20
CCE Mapping Summary
Plugin Plugin Name Severity Total
1000262 CCE-9345-0:Log On Locally High 1
Plugin Plugin Name Severity Total
1000257 CCE-8431-9:Create Global Objects Info 1
Plugin Plugin Name Severity Total
1000105
CCE-9458-1:MSS:(PerformRouterDiscovery) Allow IRDPto detect and configure DefaultGatewayaddresses (could lead to DoS)
High 1
Plugin Plugin Name Severity Total
1000079CCE-8806-2:Network security: LANManager Authentication Level
High 1
Plugin Plugin Name Severity Total
1000067CCE-9249-4:Network access: Do not allowanonymous enumeration of SAM accounts
Info 1
Plugin Plugin Name Severity Total
1000058CCE-9067-0:Interactive logon: Smart cardremoval behavior
High 1
Plugin Plugin Name Severity Total
1000052CCE-9317-9:Interactive logon: Do notrequire CTRL+ALT+DEL
High 1
Plugin Plugin Name Severity Total
1000017 CCE-8583-7:Debug Programs Info 1
Chapter CCE Summary CCE to NIST 800 53 SecurityCenter 4TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013
AC-4 - Information Flow Enforcement
Tenable Network Security 21
AC-4 - Information Flow Enforcement
CCE-10509-8 - The "Route all traffic through the internal network" setting should be configured correctly.
CCE-9348-4 - The 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' setting should be configured correctly.
CCE-9426-8 - The 'MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds' setting should be configured correctly.
CCE-9501-8 - The 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' setting should be configuredcorrectly.
CCE-8560-5 - The 'MSS: (Hidden) Hide Computer From the Browse List (not recommended except for highly secure environments)' setting should be configuredcorrectly.
CCE-9439-1 - The 'MSS: (NoDefaultExempt) Configure IPSec exemptions for various types of network traffic.' setting should be configured correctly.
CCE-8562-1 - The 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' setting shouldbe configured correctly.
Chapter CCE Summary CCE to NIST 800 53 SecurityCenter 4TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013
AC-4 - Information Flow Enforcement
Tenable Network Security 22
CCE Mapping Summary
Plugin Plugin Name Severity Total
1000238CCE-8560-5:MSS: (Hidden) Hide computerfrom the browse list (Not Recommendedexcept for highly secure environments)
High 1
Plugin Plugin Name Severity Total
1000138CCE-10509-8:Route all traffic through theinternal network
High 1
Plugin Plugin Name Severity Total
1000109
CCE-9501-8:MSS: (WarningLevel)Percentage threshold for the security eventlog at which the system will generate awarning
High 1
Plugin Plugin Name Severity Total
1000106CCE-9348-4:MSS: (SafeDllSearchMode)Enable Safe DLL search mode(recommended)
High 1
Plugin Plugin Name Severity Total
1000104
CCE-8562-1:MSS:(NoNameReleaseOnDemand) Allow thecomputer to ignore NetBIOS name releaserequests except from WINS servers
High 1
Plugin Plugin Name Severity Total
1000103CCE-9439-1:MSS: (NoDefaultExempt)Enable NoDefaultExempt for IPSec Filtering(recommended)
High 1
Plugin Plugin Name Severity Total
1000102CCE-9426-8:MSS: (KeepAliveTime)Howoften keep-alive packets are sent inmilliseconds
High 1
Chapter CCE Summary CCE to NIST 800 53 SecurityCenter 4TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013
AC-6 - Least Privilege
Tenable Network Security 23
AC-6 - Least Privilege
CCE-10661-7 - The startup type of the Bluetooth service should be correct.
CCE-9801-2 - The 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' setting should be configured correctly.
CCE-9189-2 - The 'User Account Control: Run all administrators in Admin Approval Mode' setting should be configured correctly.
CCE-8817-9 - The 'User Account Control: Virtualize file and registry write failures to per-user locations' setting should be configured correctly.
CCE-9199-1 - The 'Accounts: Administrator account status' setting should be configured correctly.
CCE-9616-4 - The 'User Account Control: Detect application installations and prompt for elevation' setting should be configured correctly.
CCE-9301-3 - The 'User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop' setting should be configured correctly.
CCE-9021-7 - The 'User Account Control: Only elevate executables that are signed and validated' setting should be configured correctly.
CCE-10644-3 - The "Prevent users from sharing files within their profile" setting should be configured correctly.
CCE-9395-5 - The 'User Account Control: Switch to the secure desktop when prompting for elevation' setting should be configured correctly.
Chapter CCE Summary CCE to NIST 800 53 SecurityCenter 4TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013
AC-6 - Least Privilege
Tenable Network Security 24
CCE Mapping Summary
Plugin Plugin Name Severity Total
1000249 CCE-9199-1:accounts_administrator_account_status High 1
Plugin Plugin Name Severity Total
1000244CCE-9301-3:User Account Control: AllowUIAccess applications to prompt forelevation without using the secure desktop
High 1
Plugin Plugin Name Severity Total
1000110 CCE-10661-7:Bluetooth Support Service High 1
Plugin Plugin Name Severity Total
1000098CCE-8817-9:User Account Control:Virtualize file and registry write failures toper-user locations
High 1
Plugin Plugin Name Severity Total
1000097CCE-9395-5:User Account Control: Switchto the secure desktop when prompting forelevation
High 1
Plugin Plugin Name Severity Total
1000096CCE-9189-2:User Account Control: Run alladministrators in Admin Approval Mode
High 1
Plugin Plugin Name Severity Total
1000095CCE-9801-2:User Account Control: Onlyelevate UIAccess applications that areinstalled in secure locations
High 1
Plugin Plugin Name Severity Total
1000094CCE-9021-7:User Account Control: Onlyelevate executables that are signed andvalidated
High 1
Chapter CCE Summary CCE to NIST 800 53 SecurityCenter 4TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013
AC-6 - Least Privilege
Tenable Network Security 25
Plugin Plugin Name Severity Total
1000093CCE-9616-4:User Account Control: Detectapplication installations and prompt forelevation
High 1
Chapter CCE Summary CCE to NIST 800 53 SecurityCenter 4TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013
AC-7 - Unsuccessful Logon Attempts
Tenable Network Security 26
AC-7 - Unsuccessful Logon Attempts
CCE-9308-8 - The 'Account lockout duration' setting should be configured correctly.
CCE-9400-3 - The 'Reset account lockout counter after' setting should be configured correctly.
CCE-8484-8 - The built-in Administrator account should be correctly named.
CCE-9229-6 - The built-in Guest account should be correctly named.
CCE Mapping Summary
Plugin Plugin Name Severity Total
1000038CCE-9229-6:Accounts: Rename guestaccount
High 1
Plugin Plugin Name Severity Total
1000037CCE-8484-8:Accounts: Renameadministrator account
High 1
Plugin Plugin Name Severity Total
1000004CCE-9400-3:Reset Account LockoutCounter After
Info 1
Plugin Plugin Name Severity Total
1000002 CCE-9308-8:Account Lockout Duration Info 1
Chapter CCE Summary CCE to NIST 800 53 SecurityCenter 4TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013
AC-8 - System Use Notification
Tenable Network Security 27
AC-8 - System Use Notification
CCE-8973-0 - The 'Interactive logon: Message text for users attempting to log on' setting should be configured correctly.
CCE-8740-3 - The 'Interactive logon: Message title for users attempting to log on' setting should be configured correctly.
CCE Mapping Summary
Plugin Plugin Name Severity Total
1000054CCE-8740-3:Interactive logon: Message titlefor users attempting to log on
High 1
Plugin Plugin Name Severity Total
1000053CCE-8973-0:Interactive logon: Messagetext for users attempting to log on
High 1
Chapter CCE Summary CCE to NIST 800 53 SecurityCenter 4TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013
AU-2-1 - Audit Events
Tenable Network Security 28
AU-2-1 - Audit Events
CCE-9542-2 - Auditing of 'Account Management: User Account Management' events on success should be enabled or disabled as appropriate.
CCE-10078-4 - Auditing of 'Object Access:Â Registry' events on failure should be enabled or disabled as appropriate.
CCE-9172-8 - Auditing of 'Privilege Use: Sensitive Privilege Use' events on failure should be enabled or disabled as appropriate.
CCE-9058-9 - Auditing of 'Logon-Logoff: Logoff' events on failure should be enabled or disabled as appropriate.
CCE-9805-3 - Auditing of 'Detailed Tracking: Process Creation' events on failure should be enabled or disabled as appropriate.
CCE-9737-8 - Auditing of 'Object Access:Â Registry' events on success should be enabled or disabled as appropriate.
CCE-9657-8 - Auditing of 'Account Management: Other Account Management Events' events on success should be enabled or disabled as appropriate.
CCE-9056-3 - Auditing of 'Account Management: Security Group Management' events on failure should be enabled or disabled as appropriate.
CCE-9863-2 - Auditing of 'System: Security System Extension' events on success should be enabled or disabled as appropriate.
CCE-9878-0 - Auditing of 'Privilege Use: Sensitive Privilege Use' events on success should be enabled or disabled as appropriate.
CCE-9976-2 - Auditing of 'Policy Change: Authentication Policy Change' events on success should be enabled or disabled as appropriate.
CCE-9998-6 - Auditing of 'System: Security System Extension' events on failure should be enabled or disabled as appropriate.
CCE-9608-1 - Auditing of 'Account Management: Computer Account Management' events on failure should be enabled or disabled as appropriate.
CCE-9683-4 - Auditing of 'Logon-Logoff: Logon' events on success should be enabled or disabled as appropriate.
CCE-9217-1 - Auditing of 'Object Access: File System' events on success should be enabled or disabled as appropriate.
CCE-9692-5 - Auditing of 'Account Management: Security Group Management' events on success should be enabled or disabled as appropriate.
CCE-9150-4 - The 'Audit: Audit the access of global system objects' setting should be configured correctly.
CCE-9520-8 - Auditing of 'System: System Integrity' events on success should be enabled or disabled as appropriate.
CCE-9802-0 - Auditing of 'System: IPsec Driver' events on failure should be enabled or disabled as appropriate.
CCE-10344-0 - The "Turn on session logging" setting should be configured correctly.
CCE-9850-9 - Auditing of 'System: Security State Change' events on success should be enabled or disabled as appropriate.
Chapter CCE Summary CCE to NIST 800 53 SecurityCenter 4TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013
AU-2-1 - Audit Events
Tenable Network Security 29
CCE-9800-4 - Auditing of 'Account Management: User Account Management' events on failure should be enabled or disabled as appropriate.
CCE-9498-7 - Auditing of 'Account Management: Computer Account Management' events on success should be enabled or disabled as appropriate.
CCE-8856-7 - Auditing of 'Logon-Logoff: Logoff' events on success should be enabled or disabled as appropriate.
Chapter CCE Summary CCE to NIST 800 53 SecurityCenter 4TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013
AU-2-1 - Audit Events
Tenable Network Security 30
CCE Mapping Summary
Plugin Plugin Name Severity Total
1000172 CCE-10344-0:Turn on session logging High 1
Plugin Plugin Name Severity Total
1000132 CCE-9520-8:System Integrity Info 1
Plugin Plugin Name Severity Total
1000131 CCE-9863-2:Security System Extension Info 1
Plugin Plugin Name Severity Total
1000130 CCE-9850-9:Security State Change Info 1
Plugin Plugin Name Severity Total
1000128 CCE-9878-0:Sensitive Privilege Use Info 1
Plugin Plugin Name Severity Total
1000127 CCE-9976-2:Authentication Policy Change Info 1
Plugin Plugin Name Severity Total
1000125 CCE-9737-8:Registry Info 1
Plugin Plugin Name Severity Total
1000124 CCE-9217-1:File System Info 1
Plugin Plugin Name Severity Total
1000122 CCE-9683-4:Logon Info 1
Plugin Plugin Name Severity Total
1000121 CCE-8856-7:Logoff Info 1
Plugin Plugin Name Severity Total
1000119 CCE-9542-2:User Account Management Info 1
Chapter CCE Summary CCE to NIST 800 53 SecurityCenter 4TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013
AU-2-1 - Audit Events
Tenable Network Security 31
Plugin Plugin Name Severity Total
1000118 CCE-9692-5:Security Group Management Info 1
Plugin Plugin Name Severity Total
1000117CCE-9657-8:Other Account ManagementEvents
Info 1
Plugin Plugin Name Severity Total
1000116CCE-9498-7:Computer AccountManagement
Info 1
Plugin Plugin Name Severity Total
1000039CCE-9150-4:Audit: Audit the access ofglobal system objects
Info 1
Chapter CCE Summary CCE to NIST 800 53 SecurityCenter 4TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013
AU-2-2 - Audit Events
Tenable Network Security 32
AU-2-2 - Audit Events
CCE-9235-3 - Auditing of 'Policy Change: Audit Policy Change' events on failure should be enabled or disabled as appropriate.
CCE-9811-1 - Auditing of 'Object Access: File System' events on failure should be enabled or disabled as appropriate.
CCE-9213-0 - Auditing of 'Logon-Logoff: Logon' events on failure should be enabled or disabled as appropriate.
CCE-10156-8 - The 'Maximum Log Size (KB)' setting should be configured correctly for the system log.
CCE-8789-0 - The 'Audit: Audit the use of Backup and Restore privilege' setting should be configured correctly.
CCE-10157-6 - The Windows Error Reporting "Disable Logging" setting should be configured correctly.
CCE-9432-6 - The 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' setting should be configuredcorrectly.
CCE-9718-8 - Auditing of 'Account Logon: Credential Validation' events on failure should be enabled or disabled as appropriate.
CCE-9925-9 - Auditing of 'System: IPsec Driver' events on success should be enabled or disabled as appropriate.
CCE-9194-2 - Auditing of 'System: System Integrity' events on failure should be enabled or disabled as appropriate.
CCE-9521-6 - Auditing of 'Logon-Logoff: Special Logon' events on failure should be enabled or disabled as appropriate.
CCE-9562-0 - Auditing of 'Detailed Tracking: Process Creation' events on success should be enabled or disabled as appropriate.
CCE-9725-3 - Auditing of 'Account Logon: Credential Validation' events on success should be enabled or disabled as appropriate.
CCE-9603-2 - The 'Maximum Log Size (KB)' setting should be configured correctly for the application log.
CCE-9763-4 - Auditing of 'Logon-Logoff: Special Logon' events on success should be enabled or disabled as appropriate.
CCE-9668-5 - Auditing of 'Account Management: Other Account Management Events' events on failure should be enabled or disabled as appropriate.
CCE-10021-4 - Auditing of 'Policy Change: Audit Policy Change' events on success should be enabled or disabled as appropriate.
CCE-10014-9 - Auditing of 'Policy Change: Authentication Policy Change' events on failure should be enabled or disabled as appropriate.
CCE-9179-3 - Auditing of 'System: Security State Change' events on failure should be enabled or disabled as appropriate.
CCE-9223-9 - The 'Manage auditing and security log' user right should be assigned to the appropriate accounts.
Chapter CCE Summary CCE to NIST 800 53 SecurityCenter 4TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013
AU-2-2 - Audit Events
Tenable Network Security 33
CCE-9226-2 - The 'Generate security audits' user right should be assigned to the appropriate accounts.
Chapter CCE Summary CCE to NIST 800 53 SecurityCenter 4TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013
AU-2-2 - Audit Events
Tenable Network Security 34
CCE Mapping Summary
Plugin Plugin Name Severity Total
1000256 CCE-9226-2:Generate Security Audits Info 1
Plugin Plugin Name Severity Total
1000209 CCE-10157-6:Disable Logging High 1
Plugin Plugin Name Severity Total
1000191 CCE-10156-8:Maximum System Log Size High 1
Plugin Plugin Name Severity Total
1000188 CCE-9603-2:Maximum Application Log Size High 1
Plugin Plugin Name Severity Total
1000129 CCE-9925-9:IPsec Driver Info 1
Plugin Plugin Name Severity Total
1000126 CCE-10021-4:Audit Policy Change Info 1
Plugin Plugin Name Severity Total
1000123 CCE-9763-4:Special Logon Info 1
Plugin Plugin Name Severity Total
1000120 CCE-9562-0:Process Creation Info 1
Plugin Plugin Name Severity Total
1000041
CCE-9432-6:Audit: Force audit policysubcategory settings (Windows Vista orlater) to override audit policy categorysettings
High 1
Plugin Plugin Name Severity Total
1000040CCE-8789-0:Audit: Audit the use of Backupand Restore privilege
Info 1
Chapter CCE Summary CCE to NIST 800 53 SecurityCenter 4TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013
AU-2-2 - Audit Events
Tenable Network Security 35
Plugin Plugin Name Severity Total
1000029CCE-9223-9:Manage Auditing And SecurityLog
Info 1
Chapter CCE Summary CCE to NIST 800 53 SecurityCenter 4TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013
AU-4 - Audit Storage Capacity
Tenable Network Security 36
AU-4 - Audit Storage Capacity
CCE-10714-4 - The setup log maximum size should be configured correctly.
CCE Mapping Summary
Plugin Plugin Name Severity Total
1000190 CCE-10714-4:Maximum Setup Log Size High 1
Chapter CCE Summary CCE to NIST 800 53 SecurityCenter 4TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013
AU-5 - Response to Audit Processing Failures
Tenable Network Security 37
AU-5 - Response to Audit ProcessingFailures
CCE-10714-4 - The setup log maximum size should be configured correctly.
CCE Mapping Summary
Plugin Plugin Name Severity Total
1000190 CCE-10714-4:Maximum Setup Log Size High 1
Chapter CCE Summary CCE to NIST 800 53 SecurityCenter 4TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013
AU-8 - Time Stamps
Tenable Network Security 38
AU-8 - Time Stamps
CCE-8423-6 - The 'Change the time zone' user right should be assigned to the appropriate accounts.
CCE-10500-7 - The "Configure Windows NTP Client\NtpServer" setting should be configured correctly.
CCE-8612-4 - The 'Change the system time' user right should be assigned to the appropriate accounts.
CCE Mapping Summary
Plugin Plugin Name Severity Total
1000259 CCE-8612-4:Change the System Time Info 1
Plugin Plugin Name Severity Total
1000258 CCE-8423-6:Change the time zone Info 1
Plugin Plugin Name Severity Total
1000178CCE-10500-7:Configure Windows NTPclient
High 1
Chapter CCE Summary CCE to NIST 800 53 SecurityCenter 4TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013
AU-9 - Protection of Audit Information
Tenable Network Security 39
AU-9 - Protection of Audit Information
CCE-9260-1 - The 'Store passwords using reversible encryption' setting should be configured correctly.
CCE-9501-8 - The 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' setting should be configuredcorrectly.
CCE-10856-3 - The "Do not delete temp folder upon exit" setting should be configured correctly.
CCE Mapping Summary
Plugin Plugin Name Severity Total
1000202CCE-10856-3:Do not delete temp foldersupon exit
High 1
Plugin Plugin Name Severity Total
1000109
CCE-9501-8:MSS: (WarningLevel)Percentage threshold for the security eventlog at which the system will generate awarning
High 1
Plugin Plugin Name Severity Total
1000010CCE-9260-1:Reversible PasswordEncryption
Info 1
Chapter CCE Summary CCE to NIST 800 53 SecurityCenter 4TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013
CA-3 - System Interconnections
Tenable Network Security 40
CA-3 - System Interconnections
CCE-10543-7 - The startup type of the Homegroup Listener service should be correct.
CCE Mapping Summary
Plugin Plugin Name Severity Total
1000112 CCE-10543-7:HomeGroup Listener High 1
Chapter CCE Summary CCE to NIST 800 53 SecurityCenter 4TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013
CM-2 - Baseline Configuration
Tenable Network Security 41
CM-2 - Baseline Configuration
CCE-9361-7 - The 'Registry policy processing' setting should be enabled or disabled as appropriate.
CCE-10602-1 - The "Disable Media Player for automatic updates" policy should be set correctly.
CCE-8945-8 - The 'Recovery console: Allow floppy copy and access to all drives and all folders' setting should be configured correctly.
CCE Mapping Summary
Plugin Plugin Name Severity Total
1000224 CCE-10602-1:Prevent Automatic Updates High 1
Plugin Plugin Name Severity Total
1000151 CCE-9361-7:Registry Policy High 1
Plugin Plugin Name Severity Total
1000084CCE-8945-8:Recovery Console: AllowFloppy Copy and Access to All Drives andAll Folders
Info 1
Chapter CCE Summary CCE to NIST 800 53 SecurityCenter 4TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013
CM-3 - Configuration Change Control
Tenable Network Security 42
CM-3 - Configuration Change Control
CCE-9918-4 - The 'Turn off Data Execution Prevention for Explorer' setting should be configured correctly.
CCE-9819-4 - The "Turn Off Event Views "Events.asp" Links" setting should be configured correctly.
CCE-10061-0 - The 'Turn off printing over HTTP' setting should be configured correctly.
CCE-9674-3 - The 'Turn off Internet download for Web publishing and online ordering wizards' setting should be configured correctly.
CCE-9876-4 - The "Enable User Control Over Installs" policy should be set correctly.
CCE-10649-2 - The "Turn Off Internet Connection Wizard if URL Connection is Referring to Microsoft.com" setting should be configured correctly.
CCE-9857-4 - The "Override the More Gadgets Link" setting should be configured correctly.
CCE-9874-9 - The "Turn off Heap termination on corruption" setting should be configured correctly.
CCE-9417-7 - The 'Modify firmware environment values' user right should be assigned to the appropriate accounts.
CCE-10850-6 - The "Turn off game updates" setting should be configured correctly.
CCE-9403-7 - Automatic Updates should be enabled or disabled as appropriate.
CCE-10828-2 - The "Turn Off Downloading of Game Information" setting should be configured correctly.
CCE-10438-0 - The startup type of Microsoft Peer-to-Peer Networking Services should be configured correctly.
CCE-9195-9 - The 'Turn off downloading of print drivers over HTTP' setting should be configured correctly.
CCE-10795-3 - The "Turn Off Internet File Association Service" setting should be configured correctly.
CCE-10586-6 - The "Turn Off User Installed Windows Sidebar Gadgets" setting should be configured correctly.
CCE-10730-0 - The "Turn off downloading of enclosures" setting should be configured correctly.
Chapter CCE Summary CCE to NIST 800 53 SecurityCenter 4TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013
CM-3 - Configuration Change Control
Tenable Network Security 43
CCE Mapping Summary
Plugin Plugin Name Severity Total
1000225 CCE-9403-7:Configure automatic updates High 1
Plugin Plugin Name Severity Total
1000217CCE-9876-4:Enable user control overinstalls
High 1
Plugin Plugin Name Severity Total
1000214CCE-9874-9:Turn off Heap termination oncorruption
High 1
Plugin Plugin Name Severity Total
1000213CCE-9918-4:Turn off data executionprevention for explorer
High 1
Plugin Plugin Name Severity Total
1000204CCE-10730-0:Turn off downloading ofenclosures
High 1
Plugin Plugin Name Severity Total
1000193 CCE-10850-6:Turn off game updates High 1
Plugin Plugin Name Severity Total
1000192CCE-10828-2:Turn Off Downloading ofGame Information
High 1
Plugin Plugin Name Severity Total
1000187CCE-10586-6:Turn Off User InstalledWindows Sidebar Gidgets
High 1
Plugin Plugin Name Severity Total
1000185CCE-9857-4:Override the More GadgetsLnk
High 1
Chapter CCE Summary CCE to NIST 800 53 SecurityCenter 4TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013
CM-3 - Configuration Change Control
Tenable Network Security 44
Plugin Plugin Name Severity Total
1000159 CCE-10061-0:Turn off printing over HTTP High 1
Plugin Plugin Name Severity Total
1000158CCE-10795-3:Turn off Internet fileassociation service
High 1
Plugin Plugin Name Severity Total
1000157CCE-9674-3:Turn off Internet download forWeb publishing and online ordering wizards
High 1
Plugin Plugin Name Severity Total
1000156CCE-10649-2:Turn off Internet connectionwizard if URL connection is referring toMicrosoft.com
High 1
Plugin Plugin Name Severity Total
1000153CCE-9819-4:Turn off event views'Events.asp' links
High 1
Plugin Plugin Name Severity Total
1000152CCE-9195-9:Turn off downloading of printdrivers over HTTP
High 1
Plugin Plugin Name Severity Total
1000135CCE-10438-0:Turn Off Microsoft Peer-to-Peer Networking Services
High 1
Plugin Plugin Name Severity Total
1000031CCE-9417-7:Modify Firmware EnvironmentValues
Info 1
Chapter CCE Summary CCE to NIST 800 53 SecurityCenter 4TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013
CM-5 - Access Restrictions for Change
Tenable Network Security 45
CM-5 - Access Restrictions for Change
CCE-10140-2 - The 'Turn off Search Companion content file updates' setting should be configured correctly.
CCE-9910-1 - The startup type of the Homegroup Provider service should be correct.
CCE-9135-5 - The 'Load and unload device drivers' user right should be assigned to the appropriate accounts.
CCE Mapping Summary
Plugin Plugin Name Severity Total
1000161CCE-10140-2:Turn off Search Companioncontent file updates
High 1
Plugin Plugin Name Severity Total
1000113 CCE-9910-1:Homegroup Provider High 1
Plugin Plugin Name Severity Total
1000025CCE-9135-5:Load And Unload DeviceDrivers
Info 1
Chapter CCE Summary CCE to NIST 800 53 SecurityCenter 4TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013
CM-6-1 - Configuration Settings
Tenable Network Security 46
CM-6-1 - Configuration Settings
CCE-9783-2 - The "Turn on Mapper I/O (LLTDIO) Driver" setting should be configured correctly.
CCE-10183-2 - The 'Prevent the computer from joining a homegroup' setting should be configured correctly.
CCE-8460-8 - The 'Create symbolic links' user right should be assigned to the appropriate accounts.
CCE-10602-1 - The "Disable Media Player for automatic updates" policy should be set correctly.
CCE-9156-1 - The 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' setting should be configured correctly.
CCE-10181-6 - The 'RPC Endpoint Mapper Client Authentication' setting should be configured correctly.
CCE-9866-5 - The "Prevent indexing uncached Exchange folders" setting should be configured correctly.
CCE-9864-0 - The "Do not use temporary folders per session" setting should be configured correctly.
CCE-8714-8 - The 'Accounts: Guest account status' setting should be configured correctly.
CCE-10051-1 - The screen saver should be enabled or disabled as appropriate for the current user.
CCE-9253-6 - The 'Access this computer from the network' user right should be assigned to the appropriate accounts.
CCE-8818-7 - The 'Interactive logon: Require Domain Controller authentication to unlock workstation' setting should be configured correctly.
CCE-10295-4 - The "Turn off Help Ratings" setting should be configured correctly.
CCE-9040-7 - The 'Microsoft network server: Digitally sign communications (always)' setting should be configured correctly.
CCE-10311-9 - The startup type of the Parantal Controls service should be correct.
CCE-9098-5 - The 'Deny log on as a service' user right should be assigned to the appropriate accounts.
CCE-9406-0 - The 'Microsoft network server: Amount of idle time required before suspending session' setting should be configured correctly.
CCE-10787-0 - The "Turn off Program Inventory" setting should be configured correctly.
CCE-9358-3 - The 'Microsoft network server: Disconnect clients when logon hours expire' setting should be configured correctly.
CCE-9487-0 - The 'MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted (3 recommended, 5 is default)' setting shouldbe configured correctly.
Chapter CCE Summary CCE to NIST 800 53 SecurityCenter 4TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013
CM-6-1 - Configuration Settings
Tenable Network Security 47
CCE-9528-1 - The 'Turn off Autoplay' setting should be configured correctly.
CCE-9149-6 - The 'Modify an object label' user right should be assigned to the appropriate accounts.
CCE-9342-7 - The 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' setting should be configured correctly.
CCE-8591-0 - The time in seconds before the screen saver grace period expires (ScreenSaverGracePeriod) setting should be configured correctly.
Chapter CCE Summary CCE to NIST 800 53 SecurityCenter 4TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013
CM-6-1 - Configuration Settings
Tenable Network Security 48
CCE Mapping Summary
Plugin Plugin Name Severity Total
1000247 CCE-8714-8:accounts_guest_account_status Info 1
Plugin Plugin Name Severity Total
1000245 CCE-8460-8:create_symbolic_links Info 1
Plugin Plugin Name Severity Total
1000239
CCE-9487-0:MSS:(TcpMaxDataRetransmissions IPv6) Howmany times unacknowledged data isretransmitted (3 recommended, 5 is default)
High 1
Plugin Plugin Name Severity Total
1000224 CCE-10602-1:Prevent Automatic Updates High 1
Plugin Plugin Name Severity Total
1000206CCE-9866-5:Enable indexing uncachedExchange folders
High 1
Plugin Plugin Name Severity Total
1000203CCE-9864-0:Do not use temporary foldersper session
High 1
Plugin Plugin Name Severity Total
1000194CCE-10183-2:Prevent the computer fromjoining a Homegroup
High 1
Plugin Plugin Name Severity Total
1000179 CCE-10787-0:Turn off program inventory High 1
Plugin Plugin Name Severity Total
1000174CCE-10181-6:RPC Endpoint Mapper ClientAuthentication
High 1
Chapter CCE Summary CCE to NIST 800 53 SecurityCenter 4TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013
CM-6-1 - Configuration Settings
Tenable Network Security 49
Plugin Plugin Name Severity Total
1000133CCE-9783-2:Turn on Mapper I/O (LLTDIO)driver
High 1
Plugin Plugin Name Severity Total
1000115 CCE-10311-9:Parental Controls Service High 1
Plugin Plugin Name Severity Total
1000107
CCE-8591-0:MSS:(ScreenSaverGracePeriod) The time inseconds before the screen saver graceperiod expires (0 recommended)
High 1
Plugin Plugin Name Severity Total
1000099CCE-9342-7:MSS: (AutoAdminLogon)Enable Automatic Logon (NotRecommended)
Info 1
Plugin Plugin Name Severity Total
1000068CCE-9156-1:Network access: Do not allowanonymous enumeration of SAM accountsand shares
High 1
Plugin Plugin Name Severity Total
1000065CCE-9358-3:Microsoft network server:Disconnect clients when logon hours expire
Info 1
Plugin Plugin Name Severity Total
1000063CCE-9040-7:Microsoft network server:Digitally sign communications (always)
High 1
Plugin Plugin Name Severity Total
1000062CCE-9406-0:Microsoft network server:Amount of idle time required beforesuspending session
Info 1
Chapter CCE Summary CCE to NIST 800 53 SecurityCenter 4TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013
CM-6-1 - Configuration Settings
Tenable Network Security 50
Plugin Plugin Name Severity Total
1000057CCE-8818-7:Interactive logon: RequireDomain Controller authentication to unlockworkstation
Info 1
Plugin Plugin Name Severity Total
1000030 CCE-9149-6:Modify an object label Info 1
Plugin Plugin Name Severity Total
1000020 CCE-9098-5:Deny Logon As A Service Info 1
Plugin Plugin Name Severity Total
1000011CCE-9253-6:Access This Computer FromThe Network
High 1
Chapter CCE Summary CCE to NIST 800 53 SecurityCenter 4TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013
CM-6-2 - Configuration Settings
Tenable Network Security 51
CM-6-2 - Configuration Settings
CCE-10591-6 - Use Classic Logon should be properly configured.
CCE-9496-1 - The 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' setting should be configured correctly.
CCE-9014-2 - The 'Shut down the system' user right should be assigned to the appropriate accounts.
CCE-10160-0 - The "Turn Off Registration if URL Connection is Referring to Microsoft.com" setting should be configured correctly.
CCE-9908-5 - The "Prevent Windows Media DRM Internet Access" setting should be configured correctly.
CCE-10496-8 - The "Allow indexing of encrypted files" setting should be configured correctly.
CCE-8973-0 - The 'Interactive logon: Message text for users attempting to log on' setting should be configured correctly.
CCE-9823-6 - The "Turn Off the 'Order Prints' Picture Task" setting should be configured correctly.
CCE-10130-3 - The "ISATAP State" setting for IPv6 should be configured correctly.
CCE-10219-4 - The "Enable/Disable PerfTrack" setting should be configured correctly.
CCE-10103-0 - The 'Always prompt for password upon connection' setting should be configured correctly.
CCE-10553-6 - The "Do not create system restore point when new device driver installed" setting should be configured correctly.
CCE-9319-5 - The 'System objects: Require case insensitivity for non-Windows subsystems' setting should be configured correctly.
CCE-9193-4 - The 'Maximum password age' setting should be configured correctly.
CCE-9375-7 - The 'Domain member: Digitally sign secure channel data (when possible)' setting should be configured correctly.
CCE-10699-7 - The startup type of the Media Center Extenders service should be correct.
CCE-8740-3 - The 'Interactive logon: Message title for users attempting to log on' setting should be configured correctly.
CCE-8431-9 - The 'Create global objects' user right should be assigned to the appropriate accounts.
CCE-9229-6 - The built-in Guest account should be correctly named.
CCE-9396-3 - The 'Restrictions for Unauthenticated RPC clients' setting should be configured correctly.
Chapter CCE Summary CCE to NIST 800 53 SecurityCenter 4TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013
CM-6-2 - Configuration Settings
Tenable Network Security 52
CCE-9458-1 - The 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)' setting should be configuredcorrectly.
CCE-9048-0 - The 'Increase a process working set' user right should be assigned to the appropriate accounts.
CCE-9254-4 - The 'Create permanent shared objects' user right should be assigned to the appropriate accounts.
CCE-9026-6 - The 'Devices: Prevent users from installing printer drivers' setting should be configured correctly.
Chapter CCE Summary CCE to NIST 800 53 SecurityCenter 4TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013
CM-6-2 - Configuration Settings
Tenable Network Security 53
CCE Mapping Summary
Plugin Plugin Name Severity Total
1000257 CCE-8431-9:Create Global Objects Info 1
Plugin Plugin Name Severity Total
1000254CCE-9048-0:Increase a Process WorkingSet
High 1
Plugin Plugin Name Severity Total
1000250 CCE-9014-2:Shut Down The System High 1
Plugin Plugin Name Severity Total
1000222CCE-9908-5:Prevent Windows Media DRMInternet Access
High 1
Plugin Plugin Name Severity Total
1000205CCE-10496-8:Allow indexing of encryptedfiles
High 1
Plugin Plugin Name Severity Total
1000198CCE-10103-0:Always prompt client forpassword upon connection
High 1
Plugin Plugin Name Severity Total
1000177 CCE-10219-4:Enable or disable perftrack High 1
Plugin Plugin Name Severity Total
1000173CCE-9396-3:Restrictions forUnauthenticated RPC clients
High 1
Plugin Plugin Name Severity Total
1000166 CCE-10591-6:Always Use Classic Logon High 1
Chapter CCE Summary CCE to NIST 800 53 SecurityCenter 4TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013
CM-6-2 - Configuration Settings
Tenable Network Security 54
Plugin Plugin Name Severity Total
1000162CCE-9823-6:Turn off the 'Order Prints'picture task
High 1
Plugin Plugin Name Severity Total
1000160CCE-10160-0:Turn off registration if URLconnection is referring to Microsoft.com
High 1
Plugin Plugin Name Severity Total
1000148
CCE-10553-6:Prevent creation of a systemrestore point during device activity thatwould normally promp creation of a restorepoint.
High 1
Plugin Plugin Name Severity Total
1000140 CCE-10130-3:ISATAP State High 1
Plugin Plugin Name Severity Total
1000114 CCE-10699-7:Media Center Extender Info 1
Plugin Plugin Name Severity Total
1000105
CCE-9458-1:MSS:(PerformRouterDiscovery) Allow IRDPto detect and configure DefaultGatewayaddresses (could lead to DoS)
High 1
Plugin Plugin Name Severity Total
1000100
CCE-9496-1:MSS:(DisableIPSourceRouting) IP source routingprotection level (protects against packetspoofing)
High 1
Plugin Plugin Name Severity Total
1000088CCE-9319-5:System objects: Require caseinsensitivity for non-Windows subsystems
Info 1
Chapter CCE Summary CCE to NIST 800 53 SecurityCenter 4TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013
CM-6-2 - Configuration Settings
Tenable Network Security 55
Plugin Plugin Name Severity Total
1000054CCE-8740-3:Interactive logon: Message titlefor users attempting to log on
High 1
Plugin Plugin Name Severity Total
1000053CCE-8973-0:Interactive logon: Messagetext for users attempting to log on
High 1
Plugin Plugin Name Severity Total
1000047CCE-9375-7:Domain member: Digitally signsecure channel data (when possible)
Info 1
Plugin Plugin Name Severity Total
1000042CCE-9026-6:Devices: Prevent users frominstalling printer drivers
Info 1
Plugin Plugin Name Severity Total
1000038CCE-9229-6:Accounts: Rename guestaccount
High 1
Plugin Plugin Name Severity Total
1000016CCE-9254-4:Create Permanent SharedObjects
Info 1
Plugin Plugin Name Severity Total
1000006 CCE-9193-4:Maximum Password Age Info 1
Chapter CCE Summary CCE to NIST 800 53 SecurityCenter 4TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013
CM-6-3 - Configuration Settings
Tenable Network Security 56
CM-6-3 - Configuration Settings
CCE-9418-5 - The 'Accounts: Limit local account use of blank passwords to console logon only' setting should be configured correctly.
CCE-10764-9 - The "IP HTTPS" state setting should be configured correctly.
CCE-10140-2 - The 'Turn off Search Companion content file updates' setting should be configured correctly.
CCE-8732-0 - The 'Replace a process level token' user right should be assigned to the appropriate accounts.
CCE-9985-3 - The 'Allow users to connect remotely using Remote Desktop Services' setting should be configured correctly.
CCE-9215-5 - The 'Create a token object' user right should be assigned to the appropriate accounts.
CCE-10811-8 - The "Disable unpacking and installation of gadgets that are not digitally signed" setting should be configured correctly.
CCE-8655-3 - The 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' setting should be configured correctly.
CCE-10059-4 - The "Turn on Responder (RSPNDR) Driver" setting should be configured correctly.
CCE-10500-7 - The "Configure Windows NTP Client\NtpServer" setting should be configured correctly.
CCE-9212-2 - The 'Deny log on as a batch job' user right should be assigned to the appropriate accounts.
CCE-9868-1 - The "Configure Microsoft SpyNet Reporting" setting should be configured correctly.
CCE-9185-0 - The 'Create a pagefile' user right should be assigned to the appropriate accounts.
CCE-8999-5 - The 'Increase scheduling priority' user right should be assigned to the appropriate accounts.
CCE-9344-3 - The 'Microsoft network client: Digitally sign communications (if server agrees)' setting should be configured correctly.
CCE-9534-9 - The 'Require message integrity' option for the 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' settingshould be enabled or disabled as appropriate.
CCE-8484-8 - The built-in Administrator account should be correctly named.
CCE-10769-8 - The "Allow remote access to the PnP interface" setting should be configured correctly.
CCE-10759-9 - The "Do not allow Digital Locker to run" setting should be configured correctly.
CCE-9067-0 - The 'Interactive logon: Smart card removal behavior' setting should be configured correctly.
Chapter CCE Summary CCE to NIST 800 53 SecurityCenter 4TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013
CM-6-3 - Configuration Settings
Tenable Network Security 57
CCE-11252-4 - The "Turn off the communitication features" setting should be configured correctly. (sic)
CCE-9249-4 - The 'Network access: Do not allow anonymous enumeration of SAM accounts' setting should be configured correctly.
CCE-10714-4 - The setup log maximum size should be configured correctly.
CCE-8806-2 - The 'Network security: LAN Manager authentication level' setting should be configured correctly.
Chapter CCE Summary CCE to NIST 800 53 SecurityCenter 4TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013
CM-6-3 - Configuration Settings
Tenable Network Security 58
CCE Mapping Summary
Plugin Plugin Name Severity Total
1000251CCE-8732-0:Replace A Process LevelToken
Info 1
Plugin Plugin Name Severity Total
1000237
CCE-8655-3:MSS:(DisableIPSourceRouting IPv6) IP sourcerouting protection level (protects againstpacket spoofing)
High 1
Plugin Plugin Name Severity Total
1000220CCE-11252-4:Turn off the communitiesfeatures
High 1
Plugin Plugin Name Severity Total
1000208CCE-9868-1:Configure Microsoft SpyNetReporting
Info 1
Plugin Plugin Name Severity Total
1000197CCE-9985-3:Allow users to connectremotely using Remote Desktop Services
High 1
Plugin Plugin Name Severity Total
1000190 CCE-10714-4:Maximum Setup Log Size High 1
Plugin Plugin Name Severity Total
1000186CCE-10811-8:Disable unpacking andinstallation of gadgets that are not digitallysigned
High 1
Plugin Plugin Name Severity Total
1000184CCE-10759-9:Do not allow digital locker torun
High 1
Chapter CCE Summary CCE to NIST 800 53 SecurityCenter 4TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013
CM-6-3 - Configuration Settings
Tenable Network Security 59
Plugin Plugin Name Severity Total
1000178CCE-10500-7:Configure Windows NTPclient
High 1
Plugin Plugin Name Severity Total
1000161CCE-10140-2:Turn off Search Companioncontent file updates
High 1
Plugin Plugin Name Severity Total
1000146CCE-10769-8:Allow remote access to thePnP interface
High 1
Plugin Plugin Name Severity Total
1000142 CCE-10764-9:IP HTTPS High 1
Plugin Plugin Name Severity Total
1000134CCE-10059-4:Turn on Responder(RSPNDR) driver
High 1
Plugin Plugin Name Severity Total
1000081CCE-9534-9:Network security: Minimumsession security for NTLM SSP based(including secure RPC) clients
High 1
Plugin Plugin Name Severity Total
1000079CCE-8806-2:Network security: LANManager Authentication Level
High 1
Plugin Plugin Name Severity Total
1000067CCE-9249-4:Network access: Do not allowanonymous enumeration of SAM accounts
Info 1
Plugin Plugin Name Severity Total
1000060CCE-9344-3:Microsoft network client:Digitally sign communications (if serveragrees)
Info 1
Chapter CCE Summary CCE to NIST 800 53 SecurityCenter 4TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013
CM-6-3 - Configuration Settings
Tenable Network Security 60
Plugin Plugin Name Severity Total
1000058CCE-9067-0:Interactive logon: Smart cardremoval behavior
High 1
Plugin Plugin Name Severity Total
1000037CCE-8484-8:Accounts: Renameadministrator account
High 1
Plugin Plugin Name Severity Total
1000036CCE-9418-5:Accounts: Limit local accountuse to blank passwords to console logononly
Info 1
Plugin Plugin Name Severity Total
1000024 CCE-8999-5:Increase Scheduling Priority Info 1
Plugin Plugin Name Severity Total
1000019 CCE-9212-2:Deny Logon As A Batch Job High 1
Plugin Plugin Name Severity Total
1000015 CCE-9215-5:Create A Token Object Info 1
Plugin Plugin Name Severity Total
1000014 CCE-9185-0:Create A Pagefile Info 1
Chapter CCE Summary CCE to NIST 800 53 SecurityCenter 4TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013
CM-6-4 - Configuration Settings
Tenable Network Security 61
CM-6-4 - Configuration Settings
CCE-8937-5 - The 'Network security: Do not store LAN Manager hash value on next password change' setting should be configured correctly.
CCE-8475-6 - The 'Perform volume maintenance tasks' user right should be assigned to the appropriate accounts.
CCE-9123-1 - The 'Domain member: Maximum machine account password age' setting should be configured correctly.
CCE-10623-7 - The "Turn off shell protocol protected mode" setting should be configured correctly.
CCE-9506-7 - User-intiated solicitations for remote assistance (aka the 'Solicited Remote Assistance' setting) should be enabled or disabled as appropriate.
CCE-9910-1 - The startup type of the Homegroup Provider service should be correct.
CCE-8912-8 - The "enforce password history" policy should meet minimum requirements.
CCE-8513-4 - The 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' setting should be configured correctly.
CCE-9857-4 - The "Override the More Gadgets Link" setting should be configured correctly.
CCE-10655-9 - The "Turn off Autoplay for non-volume devices" setting should be configured correctly.
CCE-9121-5 - The 'Network access: Remotely accessible registry paths' setting should be configured correctly.
CCE-9456-5 - The 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default)' setting should beconfigured correctly.
CCE-10606-2 - The "Troubleshooting: Allow user to access online troubleshooting content on Microsoft servers from the Troubleshooting Control Panel (via WindowsOnline Troubleshooting Service - WOTS)" setting should be configured correctly.
CCE-10692-2 - The "Do Not Show First Use Dialog Boxes" setting for Windows Media Player should be configured correctly.
CCE-9643-8 - The 'Turn off the "Publish to Web" task for files and folders' setting should be configured correctly.
CCE-8487-1 - The 'Interactive logon: Number of previous logons to cache (in case domain controller is not available)' setting should be configured correctly.
CCE-9419-3 - The 'Profile system performance' user right should be assigned to the appropriate accounts.
CCE-9531-5 - The 'Network access: Allow anonymous SID/Name translation' setting should be configured correctly.
CCE-10165-9 - The "Prevent device metadata retrieval from internet" setting should be configured correctly.
Chapter CCE Summary CCE to NIST 800 53 SecurityCenter 4TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013
CM-6-4 - Configuration Settings
Tenable Network Security 62
CCE-10166-7 - The 'Do not preserve zone information in file attachments' setting should be configured correctly.
CCE-9730-3 - The 'Password protect the screen saver' setting should be configured correctly.
CCE-9464-9 - The 'Do not display 'Install Updates and Shut Down' option in Shut Down Windows dialog box' setting should be configured correctly.
CCE-9684-2 - The 'Hide mechanisms to remove zone information' setting should be configured correctly.
CCE-9191-8 - The 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' setting should be configured correctly.
Chapter CCE Summary CCE to NIST 800 53 SecurityCenter 4TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013
CM-6-4 - Configuration Settings
Tenable Network Security 63
CCE Mapping Summary
Plugin Plugin Name Severity Total
1000253 CCE-9419-3:Profile System Performance Info 1
Plugin Plugin Name Severity Total
1000228CCE-9464-9:Do not display 'Install updatesand shut diown option' in shut downwindows dialog box
High 1
Plugin Plugin Name Severity Total
1000223CCE-10692-2:Do Not Show First UseDialog Boxes
High 1
Plugin Plugin Name Severity Total
1000215CCE-10623-7:Turn off shell protocolprotected mode
High 1
Plugin Plugin Name Severity Total
1000185CCE-9857-4:Override the More GadgetsLnk
High 1
Plugin Plugin Name Severity Total
1000182CCE-10655-9:Turn off autoplay for nonvolume devices
High 1
Plugin Plugin Name Severity Total
1000176
CCE-10606-2:Troubleshooting: allow userto access online troubleshooting content onMicrosoft server from the troubleshootingcontrol panel
High 1
Plugin Plugin Name Severity Total
1000171 CCE-9506-7:Solicited Remote Assistance High 1
Chapter CCE Summary CCE to NIST 800 53 SecurityCenter 4TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013
CM-6-4 - Configuration Settings
Tenable Network Security 64
Plugin Plugin Name Severity Total
1000163CCE-9643-8:Turn off the 'Publish to Web'task for files and folders
High 1
Plugin Plugin Name Severity Total
1000149CCE-10165-9:Prevent device metadataretrieval from the internet
High 1
Plugin Plugin Name Severity Total
1000113 CCE-9910-1:Homegroup Provider High 1
Plugin Plugin Name Severity Total
1000108
CCE-9456-5:MSS:(TCPMaxDataRetransmissions) How manytimes unacknowledged data is retransmitted(3 recommended, 5 is default)
High 1
Plugin Plugin Name Severity Total
1000101CCE-8513-4:MSS: (EnableICMPRedirect)Allow ICMP redirects to override OSPFgenerated routes
High 1
Plugin Plugin Name Severity Total
1000089CCE-9191-8:System objects: Strengthendefault permissions of internal systemobjects
Info 1
Plugin Plugin Name Severity Total
1000077CCE-8937-5:Network security: Do not storeLAN Manager hash value on next passwordchange
Info 1
Plugin Plugin Name Severity Total
1000072CCE-9121-5:Network access: Remotelyaccessible registry paths
Info 1
Chapter CCE Summary CCE to NIST 800 53 SecurityCenter 4TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013
CM-6-4 - Configuration Settings
Tenable Network Security 65
Plugin Plugin Name Severity Total
1000066CCE-9531-5:Network access: Allowanonymous SID-Name translation
Info 1
Plugin Plugin Name Severity Total
1000055CCE-8487-1:Interactive logon: Number ofprevious logons to cache (in case domaincontroller is not available)
High 1
Plugin Plugin Name Severity Total
1000049CCE-9123-1:Domain member: Maximummachine account password age
Info 1
Plugin Plugin Name Severity Total
1000032CCE-8475-6:Perform Volume MaintenanceTasks
Info 1
Plugin Plugin Name Severity Total
1000005 CCE-8912-8:Enforce Password History High 1
Chapter CCE Summary CCE to NIST 800 53 SecurityCenter 4TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013
CM-6-5 - Configuration Settings
Tenable Network Security 66
CM-6-5 - Configuration Settings
CCE-9068-8 - The 'Adjust memory quotas for a process' user right should be assigned to the appropriate accounts.
CCE-9135-5 - The 'Load and unload device drivers' user right should be assigned to the appropriate accounts.
CCE-8825-2 - The 'Microsoft network server: Digitally sign communications (if client agrees)' setting should be configured correctly.
CCE-9309-6 - The 'Take ownership of files or other objects' user right should be assigned to the appropriate accounts.
CCE-9388-0 - The 'Profile single process' user right should be assigned to the appropriate accounts.
CCE-9919-2 - The "Specify Search Order for device driver source locations" setting should be configured correctly.
CCE-10154-3 - The 'Do not process the run once list' setting should be configured correctly.
CCE-10882-9 - The "Turn off Windows Mail application" setting should be configured correctly.
CCE-10778-9 - The "Prohibit Access of the Windows Connect Now Wizards" setting should be configured correctly.
CCE-9317-9 - The 'Interactive logon: Do not require CTRL+ALT+DEL' setting should be configured correctly.
CCE-10150-1 - The startup type of the Fax service should be correct.
CCE-9387-2 - The 'Domain member: Require strong (Windows 2000 or later) session key' setting should be configured correctly.
Chapter CCE Summary CCE to NIST 800 53 SecurityCenter 4TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013
CM-6-5 - Configuration Settings
Tenable Network Security 67
CCE Mapping Summary
Plugin Plugin Name Severity Total
1000263CCE-9068-8:Adjust Memory Quotas For AProcess
Info 1
Plugin Plugin Name Severity Total
1000221 CCE-10882-9:windows_mail_application_manual_launch_permitted_varHigh 1
Plugin Plugin Name Severity Total
1000167CCE-10154-3:Do not process the run oncelist
High 1
Plugin Plugin Name Severity Total
1000150CCE-9919-2:Specify search order for devicedriver source locations
High 1
Plugin Plugin Name Severity Total
1000144CCE-10778-9:Prohibit Access of theWindows Connect Now Wizards
High 1
Plugin Plugin Name Severity Total
1000111 CCE-10150-1:Fax Service High 1
Plugin Plugin Name Severity Total
1000064CCE-8825-2:Microsoft network server:Digitally sign communications (if clientagrees)
High 1
Plugin Plugin Name Severity Total
1000052CCE-9317-9:Interactive logon: Do notrequire CTRL+ALT+DEL
High 1
Plugin Plugin Name Severity Total
1000050CCE-9387-2:Domain member: Requirestrong (Windows 2000 or later) session key
Info 1
Chapter CCE Summary CCE to NIST 800 53 SecurityCenter 4TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013
CM-6-5 - Configuration Settings
Tenable Network Security 68
Plugin Plugin Name Severity Total
1000035CCE-9309-6:Take Ownership Of Files OrOther Objects
Info 1
Plugin Plugin Name Severity Total
1000033 CCE-9388-0:Profile Single Process Info 1
Plugin Plugin Name Severity Total
1000025CCE-9135-5:Load And Unload DeviceDrivers
Info 1
Chapter CCE Summary CCE to NIST 800 53 SecurityCenter 4TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013
CM-7-1 - Least Functionality
Tenable Network Security 69
CM-7-1 - Least Functionality
CCE-9783-2 - The "Turn on Mapper I/O (LLTDIO) Driver" setting should be configured correctly.
CCE-10591-6 - Use Classic Logon should be properly configured.
CCE-9496-1 - The 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' setting should be configured correctly.
CCE-10183-2 - The 'Prevent the computer from joining a homegroup' setting should be configured correctly.
CCE-8460-8 - The 'Create symbolic links' user right should be assigned to the appropriate accounts.
CCE-9014-2 - The 'Shut down the system' user right should be assigned to the appropriate accounts.
CCE-9196-7 - The 'Network access: Shares that can be accessed anonymously' setting should be configured correctly.
CCE-9908-5 - The "Prevent Windows Media DRM Internet Access" setting should be configured correctly.
CCE-9156-1 - The 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' setting should be configured correctly.
CCE-8714-8 - The 'Accounts: Guest account status' setting should be configured correctly.
CCE-10051-1 - The screen saver should be enabled or disabled as appropriate for the current user.
CCE-8818-7 - The 'Interactive logon: Require Domain Controller authentication to unlock workstation' setting should be configured correctly.
CCE-10311-9 - The startup type of the Parantal Controls service should be correct.
CCE-9406-0 - The 'Microsoft network server: Amount of idle time required before suspending session' setting should be configured correctly.
CCE-8612-4 - The 'Change the system time' user right should be assigned to the appropriate accounts.
CCE-9768-3 - The 'Network security: LDAP client signing requirements' setting should be configured correctly.
CCE-9528-1 - The 'Turn off Autoplay' setting should be configured correctly.
CCE-9487-0 - The 'MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted (3 recommended, 5 is default)' setting shouldbe configured correctly.
CCE-9358-3 - The 'Microsoft network server: Disconnect clients when logon hours expire' setting should be configured correctly.
CCE-10527-0 - The default behavior for AutoRun should be properly configured.
Chapter CCE Summary CCE to NIST 800 53 SecurityCenter 4TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013
CM-7-1 - Least Functionality
Tenable Network Security 70
CCE-9342-7 - The 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' setting should be configured correctly.
CCE-8591-0 - The time in seconds before the screen saver grace period expires (ScreenSaverGracePeriod) setting should be configured correctly.
CCE-9222-1 - The 'Shutdown: Clear virtual memory pagefile' setting should be configured correctly.
CCE-9026-6 - The 'Devices: Prevent users from installing printer drivers' setting should be configured correctly.
Chapter CCE Summary CCE to NIST 800 53 SecurityCenter 4TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013
CM-7-1 - Least Functionality
Tenable Network Security 71
CCE Mapping Summary
Plugin Plugin Name Severity Total
1000259 CCE-8612-4:Change the System Time Info 1
Plugin Plugin Name Severity Total
1000250 CCE-9014-2:Shut Down The System High 1
Plugin Plugin Name Severity Total
1000247 CCE-8714-8:accounts_guest_account_status Info 1
Plugin Plugin Name Severity Total
1000245 CCE-8460-8:create_symbolic_links Info 1
Plugin Plugin Name Severity Total
1000239
CCE-9487-0:MSS:(TcpMaxDataRetransmissions IPv6) Howmany times unacknowledged data isretransmitted (3 recommended, 5 is default)
High 1
Plugin Plugin Name Severity Total
1000222CCE-9908-5:Prevent Windows Media DRMInternet Access
High 1
Plugin Plugin Name Severity Total
1000194CCE-10183-2:Prevent the computer fromjoining a Homegroup
High 1
Plugin Plugin Name Severity Total
1000180 CCE-10527-0:Default behavior for autorun High 1
Plugin Plugin Name Severity Total
1000166 CCE-10591-6:Always Use Classic Logon High 1
Chapter CCE Summary CCE to NIST 800 53 SecurityCenter 4TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013
CM-7-1 - Least Functionality
Tenable Network Security 72
Plugin Plugin Name Severity Total
1000133CCE-9783-2:Turn on Mapper I/O (LLTDIO)driver
High 1
Plugin Plugin Name Severity Total
1000115 CCE-10311-9:Parental Controls Service High 1
Plugin Plugin Name Severity Total
1000107
CCE-8591-0:MSS:(ScreenSaverGracePeriod) The time inseconds before the screen saver graceperiod expires (0 recommended)
High 1
Plugin Plugin Name Severity Total
1000100
CCE-9496-1:MSS:(DisableIPSourceRouting) IP source routingprotection level (protects against packetspoofing)
High 1
Plugin Plugin Name Severity Total
1000099CCE-9342-7:MSS: (AutoAdminLogon)Enable Automatic Logon (NotRecommended)
Info 1
Plugin Plugin Name Severity Total
1000086CCE-9222-1:Shutdown: Clear VirtualMemory Pagefile
Info 1
Plugin Plugin Name Severity Total
1000080CCE-9768-3:Network security: LDAP clientsigning requirements
Info 1
Plugin Plugin Name Severity Total
1000075CCE-9196-7:Network access: Shares thatcan be accessed anonymously
High 1
Chapter CCE Summary CCE to NIST 800 53 SecurityCenter 4TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013
CM-7-1 - Least Functionality
Tenable Network Security 73
Plugin Plugin Name Severity Total
1000068CCE-9156-1:Network access: Do not allowanonymous enumeration of SAM accountsand shares
High 1
Plugin Plugin Name Severity Total
1000065CCE-9358-3:Microsoft network server:Disconnect clients when logon hours expire
Info 1
Plugin Plugin Name Severity Total
1000062CCE-9406-0:Microsoft network server:Amount of idle time required beforesuspending session
Info 1
Plugin Plugin Name Severity Total
1000057CCE-8818-7:Interactive logon: RequireDomain Controller authentication to unlockworkstation
Info 1
Plugin Plugin Name Severity Total
1000042CCE-9026-6:Devices: Prevent users frominstalling printer drivers
Info 1
Chapter CCE Summary CCE to NIST 800 53 SecurityCenter 4TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013
CM-7-2 - Least Functionality
Tenable Network Security 74
CM-7-2 - Least Functionality
CCE-9418-5 - The 'Accounts: Limit local account use of blank passwords to console logon only' setting should be configured correctly.
CCE-8732-0 - The 'Replace a process level token' user right should be assigned to the appropriate accounts.
CCE-8804-7 - The 'Network security: Allow LocalSystem NULL session fallback' setting should be configured correctly.
CCE-8655-3 - The 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' setting should be configured correctly.
CCE-8973-0 - The 'Interactive logon: Message text for users attempting to log on' setting should be configured correctly.
CCE-10059-4 - The "Turn on Responder (RSPNDR) Driver" setting should be configured correctly.
CCE-10130-3 - The "ISATAP State" setting for IPv6 should be configured correctly.
CCE-8423-6 - The 'Change the time zone' user right should be assigned to the appropriate accounts.
CCE-9096-9 - The 'Network security: Allow Local System to use computer identity for NTLM' setting should be configured correctly.
CCE-10763-1 - The startup type of the NetMeeting Remote Desktop Sharing service should be correct.
CCE-9770-9 - The 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' setting should be configured correctly.
CCE-10219-4 - The "Enable/Disable PerfTrack" setting should be configured correctly.
CCE-10103-0 - The 'Always prompt for password upon connection' setting should be configured correctly.
CCE-10500-7 - The "Configure Windows NTP Client\NtpServer" setting should be configured correctly.
CCE-9344-3 - The 'Microsoft network client: Digitally sign communications (if server agrees)' setting should be configured correctly.
CCE-9193-4 - The 'Maximum password age' setting should be configured correctly.
CCE-9503-4 - The 'Network access: Sharing and security model for local accounts' setting should be configured correctly.
CCE-9540-6 - The 'Network access: Restrict anonymous access to Named Pipes and Shares' setting should be configured correctly.
CCE-9456-5 - The 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default)' setting should beconfigured correctly.
CCE-8945-8 - The 'Recovery console: Allow floppy copy and access to all drives and all folders' setting should be configured correctly.
Chapter CCE Summary CCE to NIST 800 53 SecurityCenter 4TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013
CM-7-2 - Least Functionality
Tenable Network Security 75
CCE-8740-3 - The 'Interactive logon: Message title for users attempting to log on' setting should be configured correctly.
CCE-9458-1 - The 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)' setting should be configuredcorrectly.
CCE-9067-0 - The 'Interactive logon: Smart card removal behavior' setting should be configured correctly.
CCE-9249-4 - The 'Network access: Do not allow anonymous enumeration of SAM accounts' setting should be configured correctly.
Chapter CCE Summary CCE to NIST 800 53 SecurityCenter 4TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013
CM-7-2 - Least Functionality
Tenable Network Security 76
CCE Mapping Summary
Plugin Plugin Name Severity Total
1000258 CCE-8423-6:Change the time zone Info 1
Plugin Plugin Name Severity Total
1000251CCE-8732-0:Replace A Process LevelToken
Info 1
Plugin Plugin Name Severity Total
1000242CCE-9770-9:Network Security: AllowPKU2U authentication requests to thiscomputer to use online identities
High 1
Plugin Plugin Name Severity Total
1000241CCE-8804-7:Network security: AllowLocalSystem NULL session fallback
High 1
Plugin Plugin Name Severity Total
1000240CCE-9096-9:Network security: Allow LocalSystem to use computer identity for NTLM
High 1
Plugin Plugin Name Severity Total
1000237
CCE-8655-3:MSS:(DisableIPSourceRouting IPv6) IP sourcerouting protection level (protects againstpacket spoofing)
High 1
Plugin Plugin Name Severity Total
1000198CCE-10103-0:Always prompt client forpassword upon connection
High 1
Plugin Plugin Name Severity Total
1000195CCE-10763-1:Disable remote desktopsharing
High 1
Chapter CCE Summary CCE to NIST 800 53 SecurityCenter 4TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013
CM-7-2 - Least Functionality
Tenable Network Security 77
Plugin Plugin Name Severity Total
1000178CCE-10500-7:Configure Windows NTPclient
High 1
Plugin Plugin Name Severity Total
1000177 CCE-10219-4:Enable or disable perftrack High 1
Plugin Plugin Name Severity Total
1000140 CCE-10130-3:ISATAP State High 1
Plugin Plugin Name Severity Total
1000134CCE-10059-4:Turn on Responder(RSPNDR) driver
High 1
Plugin Plugin Name Severity Total
1000108
CCE-9456-5:MSS:(TCPMaxDataRetransmissions) How manytimes unacknowledged data is retransmitted(3 recommended, 5 is default)
High 1
Plugin Plugin Name Severity Total
1000105
CCE-9458-1:MSS:(PerformRouterDiscovery) Allow IRDPto detect and configure DefaultGatewayaddresses (could lead to DoS)
High 1
Plugin Plugin Name Severity Total
1000084CCE-8945-8:Recovery Console: AllowFloppy Copy and Access to All Drives andAll Folders
Info 1
Plugin Plugin Name Severity Total
1000076CCE-9503-4:Network access: Sharing andsecurity model for local accounts
Info 1
Chapter CCE Summary CCE to NIST 800 53 SecurityCenter 4TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013
CM-7-2 - Least Functionality
Tenable Network Security 78
Plugin Plugin Name Severity Total
1000074CCE-9540-6:Network access: Restrictanonymous access to Named Pipes andShares
Info 1
Plugin Plugin Name Severity Total
1000067CCE-9249-4:Network access: Do not allowanonymous enumeration of SAM accounts
Info 1
Plugin Plugin Name Severity Total
1000060CCE-9344-3:Microsoft network client:Digitally sign communications (if serveragrees)
Info 1
Plugin Plugin Name Severity Total
1000058CCE-9067-0:Interactive logon: Smart cardremoval behavior
High 1
Plugin Plugin Name Severity Total
1000054CCE-8740-3:Interactive logon: Message titlefor users attempting to log on
High 1
Plugin Plugin Name Severity Total
1000053CCE-8973-0:Interactive logon: Messagetext for users attempting to log on
High 1
Plugin Plugin Name Severity Total
1000036CCE-9418-5:Accounts: Limit local accountuse to blank passwords to console logononly
Info 1
Plugin Plugin Name Severity Total
1000006 CCE-9193-4:Maximum Password Age Info 1
Chapter CCE Summary CCE to NIST 800 53 SecurityCenter 4TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013
CM-7-3 - Least Functionality
Tenable Network Security 79
CM-7-3 - Least Functionality
CCE-8937-5 - The 'Network security: Do not store LAN Manager hash value on next password change' setting should be configured correctly.
CCE-10661-7 - The startup type of the Bluetooth service should be correct.
CCE-9123-1 - The 'Domain member: Maximum machine account password age' setting should be configured correctly.
CCE-8513-4 - The 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' setting should be configured correctly.
CCE-10655-9 - The "Turn off Autoplay for non-volume devices" setting should be configured correctly.
CCE-8825-2 - The 'Microsoft network server: Digitally sign communications (if client agrees)' setting should be configured correctly.
CCE-10759-9 - The "Do not allow Digital Locker to run" setting should be configured correctly.
CCE-8487-1 - The 'Interactive logon: Number of previous logons to cache (in case domain controller is not available)' setting should be configured correctly.
CCE-10438-0 - The startup type of Microsoft Peer-to-Peer Networking Services should be configured correctly.
CCE-9386-4 - The 'Network access: Remotely accessible registry paths and sub-paths' setting should be configured correctly.
CCE-9736-0 - The 'Require message integrity' option for the 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers'setting should be enabled or disabled as appropriate.
CCE-9531-5 - The 'Network access: Allow anonymous SID/Name translation' setting should be configured correctly.
CCE-10778-9 - The "Prohibit Access of the Windows Connect Now Wizards" setting should be configured correctly.
CCE-9707-1 - The 'Shutdown: Allow system to be shut down without having to log on' setting should be configured correctly.
CCE-9317-9 - The 'Interactive logon: Do not require CTRL+ALT+DEL' setting should be configured correctly.
Chapter CCE Summary CCE to NIST 800 53 SecurityCenter 4TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013
CM-7-3 - Least Functionality
Tenable Network Security 80
CCE Mapping Summary
Plugin Plugin Name Severity Total
1000184CCE-10759-9:Do not allow digital locker torun
High 1
Plugin Plugin Name Severity Total
1000182CCE-10655-9:Turn off autoplay for nonvolume devices
High 1
Plugin Plugin Name Severity Total
1000144CCE-10778-9:Prohibit Access of theWindows Connect Now Wizards
High 1
Plugin Plugin Name Severity Total
1000135CCE-10438-0:Turn Off Microsoft Peer-to-Peer Networking Services
High 1
Plugin Plugin Name Severity Total
1000110 CCE-10661-7:Bluetooth Support Service High 1
Plugin Plugin Name Severity Total
1000101CCE-8513-4:MSS: (EnableICMPRedirect)Allow ICMP redirects to override OSPFgenerated routes
High 1
Plugin Plugin Name Severity Total
1000085CCE-9707-1:Shutdown: Allow System to beShut Down Without Having to Log On
High 1
Plugin Plugin Name Severity Total
1000082CCE-9736-0:Network security: Minimumsession security for NTLM SSP based(including secure RPC) servers
High 1
Chapter CCE Summary CCE to NIST 800 53 SecurityCenter 4TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013
CM-7-3 - Least Functionality
Tenable Network Security 81
Plugin Plugin Name Severity Total
1000077CCE-8937-5:Network security: Do not storeLAN Manager hash value on next passwordchange
Info 1
Plugin Plugin Name Severity Total
1000073CCE-9386-4:Network access: Remotelyaccessible registry paths and sub paths
Info 1
Plugin Plugin Name Severity Total
1000066CCE-9531-5:Network access: Allowanonymous SID-Name translation
Info 1
Plugin Plugin Name Severity Total
1000064CCE-8825-2:Microsoft network server:Digitally sign communications (if clientagrees)
High 1
Plugin Plugin Name Severity Total
1000055CCE-8487-1:Interactive logon: Number ofprevious logons to cache (in case domaincontroller is not available)
High 1
Plugin Plugin Name Severity Total
1000052CCE-9317-9:Interactive logon: Do notrequire CTRL+ALT+DEL
High 1
Plugin Plugin Name Severity Total
1000049CCE-9123-1:Domain member: Maximummachine account password age
Info 1
Chapter CCE Summary CCE to NIST 800 53 SecurityCenter 4TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013
CP-9 - Information System Backup
Tenable Network Security 82
CP-9 - Information System Backup
CCE-8475-6 - The 'Perform volume maintenance tasks' user right should be assigned to the appropriate accounts.
CCE-9389-8 - The 'Back up files and directories' user right should be assigned to the appropriate accounts.
CCE-9124-9 - The 'Restore files and directories' user right should be assigned to the appropriate accounts.
CCE Mapping Summary
Plugin Plugin Name Severity Total
1000034 CCE-9124-9:Restore Files And Directories High 1
Plugin Plugin Name Severity Total
1000032CCE-8475-6:Perform Volume MaintenanceTasks
Info 1
Plugin Plugin Name Severity Total
1000013 CCE-9389-8:Back Up Files and Directories High 1
Chapter CCE Summary CCE to NIST 800 53 SecurityCenter 4TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013
IA-2 - Identification and Authentication (Organizational Users)
Tenable Network Security 83
IA-2 - Identification and Authentication(Organizational Users)
CCE-8804-7 - The 'Network security: Allow LocalSystem NULL session fallback' setting should be configured correctly.
CCE-9196-7 - The 'Network access: Shares that can be accessed anonymously' setting should be configured correctly.
CCE-9096-9 - The 'Network security: Allow Local System to use computer identity for NTLM' setting should be configured correctly.
CCE-9407-8 - The 'Act as part of the operating system' user right should be assigned to the appropriate accounts.
CCE-9770-9 - The 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' setting should be configured correctly.
CCE-9239-5 - The 'Deny log on locally' user right should be assigned to the appropriate accounts.
CCE-8936-7 - The 'Network access: Let Everyone permissions apply to anonymous users' setting should be configured correctly.
CCE-9503-4 - The 'Network access: Sharing and security model for local accounts' setting should be configured correctly.
CCE-9672-7 - The 'No auto-restart with logged on users for scheduled automatic updates installations' setting should be configured correctly.
CCE-8807-0 - The 'Recovery console: Allow automatic administrative logon' setting should be configured correctly.
CCE-8811-2 - The 'User Account Control: Admin Approval Mode for the Built-in Administrator account' setting should be configured correctly.
CCE-8813-8 - The 'User Account Control: Behavior of the elevation prompt for standard users' setting should be configured correctly.
CCE-9342-7 - The 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' setting should be configured correctly.
CCE-9244-5 - The 'Deny access to this computer from the network' user right should be assigned to the appropriate accounts.
CCE-9218-9 - The 'Network access: Named Pipes that can be accessed anonymously' setting should be configured correctly.
CCE-8958-1 - The 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' setting should be configured correctly.
Chapter CCE Summary CCE to NIST 800 53 SecurityCenter 4TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013
IA-2 - Identification and Authentication (Organizational Users)
Tenable Network Security 84
CCE Mapping Summary
Plugin Plugin Name Severity Total
1000242CCE-9770-9:Network Security: AllowPKU2U authentication requests to thiscomputer to use online identities
High 1
Plugin Plugin Name Severity Total
1000241CCE-8804-7:Network security: AllowLocalSystem NULL session fallback
High 1
Plugin Plugin Name Severity Total
1000240CCE-9096-9:Network security: Allow LocalSystem to use computer identity for NTLM
High 1
Plugin Plugin Name Severity Total
1000227CCE-9672-7:No auto restart with loggedon users for scheduled automatic updatesinstallations
High 1
Plugin Plugin Name Severity Total
1000099CCE-9342-7:MSS: (AutoAdminLogon)Enable Automatic Logon (NotRecommended)
Info 1
Plugin Plugin Name Severity Total
1000092CCE-8813-8:User Account Control:Behavior of the elevation prompt forstandard users
High 1
Plugin Plugin Name Severity Total
1000091CCE-8958-1:User Account Control:Behavior of the elevation prompt foradministrators in Admin Approval Mode
High 1
Chapter CCE Summary CCE to NIST 800 53 SecurityCenter 4TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013
IA-2 - Identification and Authentication (Organizational Users)
Tenable Network Security 85
Plugin Plugin Name Severity Total
1000090CCE-8811-2:User Account Control: AdminApproval Mode for the Built-in Administratoraccount
High 1
Plugin Plugin Name Severity Total
1000083CCE-8807-0:Recovery Console: AllowAutomatic Administrative Logon
Info 1
Plugin Plugin Name Severity Total
1000076CCE-9503-4:Network access: Sharing andsecurity model for local accounts
Info 1
Plugin Plugin Name Severity Total
1000075CCE-9196-7:Network access: Shares thatcan be accessed anonymously
High 1
Plugin Plugin Name Severity Total
1000071CCE-9218-9:Network access: NamedPipes that can be accessed anonymously -netlogon, lsarpc, samr, browser
Info 1
Plugin Plugin Name Severity Total
1000070CCE-8936-7:Network access: Let Everyonepermissions apply to anonymous users
Info 1
Plugin Plugin Name Severity Total
1000021 CCE-9239-5:Deny Logon Locally High 1
Plugin Plugin Name Severity Total
1000018CCE-9244-5:Deny Access To ThisComputer From The Network
High 1
Plugin Plugin Name Severity Total
1000012CCE-9407-8:Act As Part Of The OperatingSystem
Info 1
Chapter CCE Summary CCE to NIST 800 53 SecurityCenter 4TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013
IA-4 - Identifier Management
Tenable Network Security 86
IA-4 - Identifier Management
CCE-8654-6 - The 'Network access: Do not allow storage of passwords and credentials for network authentication' setting should be configured correctly.
CCE-9249-4 - The 'Network access: Do not allow anonymous enumeration of SAM accounts' setting should be configured correctly.
CCE Mapping Summary
Plugin Plugin Name Severity Total
1000069CCE-8654-6:Network access: Do not allowstorage of passwords and credentials fornetwork authentication
High 1
Plugin Plugin Name Severity Total
1000067CCE-9249-4:Network access: Do not allowanonymous enumeration of SAM accounts
Info 1
Chapter CCE Summary CCE to NIST 800 53 SecurityCenter 4TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013
IA-5 - Authenticator Management
Tenable Network Security 87
IA-5 - Authenticator Management
CCE-9307-0 - The 'Interactive logon: Prompt user to change password before expiration' setting should be configured correctly.
CCE-9123-1 - The 'Domain member: Maximum machine account password age' setting should be configured correctly.
CCE-9370-8 - The 'Password must meet complexity requirements' policy should be set correctly.
CCE-8912-8 - The "enforce password history" policy should meet minimum requirements.
CCE-9670-1 - The 'Require a Password When a Computer Wakes (Plugged In)' setting should be configured correctly.
CCE-9330-2 - The 'Minimum password age' setting should be configured correctly.
CCE-10090-9 - The 'Do not allow passwords to be saved' setting should be configured correctly.
CCE-9260-1 - The 'Store passwords using reversible encryption' setting should be configured correctly.
CCE-9193-4 - The 'Maximum password age' setting should be configured correctly.
CCE-9098-5 - The 'Deny log on as a service' user right should be assigned to the appropriate accounts.
CCE-9295-7 - The 'Domain member: Disable machine account password changes' setting should be configured correctly.
CCE-9320-3 - The 'Log on as a batch job' user right should be assigned to the appropriate accounts.
CCE-9829-3 - The 'Require a Password When a Computer Wakes (On Battery)' setting should be configured correctly.
CCE-9357-5 - The 'Minimum password length' setting should be configured correctly.
CCE-9730-3 - The 'Password protect the screen saver' setting should be configured correctly.
CCE-9461-5 - The 'Log on as a service' user right should be assigned to the appropriate accounts.
Chapter CCE Summary CCE to NIST 800 53 SecurityCenter 4TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013
IA-5 - Authenticator Management
Tenable Network Security 88
CCE Mapping Summary
Plugin Plugin Name Severity Total
1000196CCE-10090-9:Do not allow passwords to besaved
High 1
Plugin Plugin Name Severity Total
1000169CCE-9670-1:Require a Password when aComputer Wakes (Plugged)
High 1
Plugin Plugin Name Severity Total
1000168CCE-9829-3:Require a Password when aComputer Wakes (On Battery)
High 1
Plugin Plugin Name Severity Total
1000056CCE-9307-0:Interactive logon: Prompt userto change password before expiration
High 1
Plugin Plugin Name Severity Total
1000049CCE-9123-1:Domain member: Maximummachine account password age
Info 1
Plugin Plugin Name Severity Total
1000048CCE-9295-7:Domain member: Disablemachine account password changes
Info 1
Plugin Plugin Name Severity Total
1000028 CCE-9461-5:Log On As A Service High 1
Plugin Plugin Name Severity Total
1000027 CCE-9320-3:Log On As A Batch Job High 1
Plugin Plugin Name Severity Total
1000020 CCE-9098-5:Deny Logon As A Service Info 1
Chapter CCE Summary CCE to NIST 800 53 SecurityCenter 4TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013
IA-5 - Authenticator Management
Tenable Network Security 89
Plugin Plugin Name Severity Total
1000010CCE-9260-1:Reversible PasswordEncryption
Info 1
Plugin Plugin Name Severity Total
1000009 CCE-9370-8:Password Complexity High 1
Plugin Plugin Name Severity Total
1000008 CCE-9357-5:Minimum Password Length High 1
Plugin Plugin Name Severity Total
1000007 CCE-9330-2:Minimum Password Age High 1
Plugin Plugin Name Severity Total
1000006 CCE-9193-4:Maximum Password Age Info 1
Plugin Plugin Name Severity Total
1000005 CCE-8912-8:Enforce Password History High 1
Chapter CCE Summary CCE to NIST 800 53 SecurityCenter 4TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013
MP-2 - Media Access
Tenable Network Security 90
MP-2 - Media Access
CCE-9440-9 - The 'Devices: Restrict floppy access to locally logged-on user only' setting should be configured correctly.
CCE-9304-7 - The 'Devices: Restrict CD-ROM access to locally logged-on user only' setting should be configured correctly.
CCE Mapping Summary
Plugin Plugin Name Severity Total
1000044CCE-9440-9:Devices: Restrict floppyaccess to locally logged-on user only
High 1
Plugin Plugin Name Severity Total
1000043CCE-9304-7:Devices: Restrict CD-ROMaccess to locally logged-on user only
High 1
Chapter CCE Summary CCE to NIST 800 53 SecurityCenter 4TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013
PE-3 - Physical Access Control
Tenable Network Security 91
PE-3 - Physical Access Control
CCE-9326-0 - The 'Remove computer from docking station' user right should be assigned to the appropriate accounts.
CCE Mapping Summary
Plugin Plugin Name Severity Total
1000252CCE-9326-0:Remove Computer FromDocking Station
Info 1
Chapter CCE Summary CCE to NIST 800 53 SecurityCenter 4TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013
SC-1 - System and Communications Protection Policy and Procedures
Tenable Network Security 92
SC-1 - System and CommunicationsProtection Policy and Procedures
CCE-9358-3 - The 'Microsoft network server: Disconnect clients when logon hours expire' setting should be configured correctly.
CCE Mapping Summary
Plugin Plugin Name Severity Total
1000065CCE-9358-3:Microsoft network server:Disconnect clients when logon hours expire
Info 1
Chapter CCE Summary CCE to NIST 800 53 SecurityCenter 4TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013
SC-2 - Application Partitioning
Tenable Network Security 93
SC-2 - Application Partitioning
CCE-9375-7 - The 'Domain member: Digitally sign secure channel data (when possible)' setting should be configured correctly.
CCE-10606-2 - The "Troubleshooting: Allow user to access online troubleshooting content on Microsoft servers from the Troubleshooting Control Panel (via WindowsOnline Troubleshooting Service - WOTS)" setting should be configured correctly.
CCE-9953-1 - Installation and Configuration of Network Bridge on the DNS Domain Network should be properly configured.
CCE-9387-2 - The 'Domain member: Require strong (Windows 2000 or later) session key' setting should be configured correctly.
CCE Mapping Summary
Plugin Plugin Name Severity Total
1000176
CCE-10606-2:Troubleshooting: allow userto access online troubleshooting content onMicrosoft server from the troubleshootingcontrol panel
High 1
Plugin Plugin Name Severity Total
1000136CCE-9953-1:Prohibit installation andconfiguration of Network Bridge on yourDNS domain network
High 1
Plugin Plugin Name Severity Total
1000050CCE-9387-2:Domain member: Requirestrong (Windows 2000 or later) session key
Info 1
Plugin Plugin Name Severity Total
1000047CCE-9375-7:Domain member: Digitally signsecure channel data (when possible)
Info 1
Chapter CCE Summary CCE to NIST 800 53 SecurityCenter 4TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013
SC-5-1 - Denial of Service Protection
Tenable Network Security 94
SC-5-1 - Denial of Service Protection
CCE-9418-5 - The 'Accounts: Limit local account use of blank passwords to console logon only' setting should be configured correctly.
CCE-8937-5 - The 'Network security: Do not store LAN Manager hash value on next password change' setting should be configured correctly.
CCE-9496-1 - The 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' setting should be configured correctly.
CCE-9123-1 - The 'Domain member: Maximum machine account password age' setting should be configured correctly.
CCE-9348-4 - The 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' setting should be configured correctly.
CCE-8655-3 - The 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' setting should be configured correctly.
CCE-8973-0 - The 'Interactive logon: Message text for users attempting to log on' setting should be configured correctly.
CCE-9426-8 - The 'MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds' setting should be configured correctly.
CCE-8513-4 - The 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' setting should be configured correctly.
CCE-8714-8 - The 'Accounts: Guest account status' setting should be configured correctly.
CCE-8818-7 - The 'Interactive logon: Require Domain Controller authentication to unlock workstation' setting should be configured correctly.
CCE-9193-4 - The 'Maximum password age' setting should be configured correctly.
CCE-8825-2 - The 'Microsoft network server: Digitally sign communications (if client agrees)' setting should be configured correctly.
CCE-9456-5 - The 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default)' setting should beconfigured correctly.
CCE-8487-1 - The 'Interactive logon: Number of previous logons to cache (in case domain controller is not available)' setting should be configured correctly.
CCE-9501-8 - The 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' setting should be configuredcorrectly.
CCE-8740-3 - The 'Interactive logon: Message title for users attempting to log on' setting should be configured correctly.
CCE-9487-0 - The 'MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted (3 recommended, 5 is default)' setting shouldbe configured correctly.
CCE-9358-3 - The 'Microsoft network server: Disconnect clients when logon hours expire' setting should be configured correctly.
Chapter CCE Summary CCE to NIST 800 53 SecurityCenter 4TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013
SC-5-1 - Denial of Service Protection
Tenable Network Security 95
CCE-9458-1 - The 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)' setting should be configuredcorrectly.
CCE-9067-0 - The 'Interactive logon: Smart card removal behavior' setting should be configured correctly.
CCE-9342-7 - The 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' setting should be configured correctly.
CCE-9026-6 - The 'Devices: Prevent users from installing printer drivers' setting should be configured correctly.
CCE-8562-1 - The 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' setting shouldbe configured correctly.
Chapter CCE Summary CCE to NIST 800 53 SecurityCenter 4TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013
SC-5-1 - Denial of Service Protection
Tenable Network Security 96
CCE Mapping Summary
Plugin Plugin Name Severity Total
1000247 CCE-8714-8:accounts_guest_account_status Info 1
Plugin Plugin Name Severity Total
1000239
CCE-9487-0:MSS:(TcpMaxDataRetransmissions IPv6) Howmany times unacknowledged data isretransmitted (3 recommended, 5 is default)
High 1
Plugin Plugin Name Severity Total
1000237
CCE-8655-3:MSS:(DisableIPSourceRouting IPv6) IP sourcerouting protection level (protects againstpacket spoofing)
High 1
Plugin Plugin Name Severity Total
1000109
CCE-9501-8:MSS: (WarningLevel)Percentage threshold for the security eventlog at which the system will generate awarning
High 1
Plugin Plugin Name Severity Total
1000108
CCE-9456-5:MSS:(TCPMaxDataRetransmissions) How manytimes unacknowledged data is retransmitted(3 recommended, 5 is default)
High 1
Plugin Plugin Name Severity Total
1000106CCE-9348-4:MSS: (SafeDllSearchMode)Enable Safe DLL search mode(recommended)
High 1
Plugin Plugin Name Severity Total
1000105CCE-9458-1:MSS:(PerformRouterDiscovery) Allow IRDP
High 1
Chapter CCE Summary CCE to NIST 800 53 SecurityCenter 4TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013
SC-5-1 - Denial of Service Protection
Tenable Network Security 97
to detect and configure DefaultGatewayaddresses (could lead to DoS)
Plugin Plugin Name Severity Total
1000104
CCE-8562-1:MSS:(NoNameReleaseOnDemand) Allow thecomputer to ignore NetBIOS name releaserequests except from WINS servers
High 1
Plugin Plugin Name Severity Total
1000102CCE-9426-8:MSS: (KeepAliveTime)Howoften keep-alive packets are sent inmilliseconds
High 1
Plugin Plugin Name Severity Total
1000101CCE-8513-4:MSS: (EnableICMPRedirect)Allow ICMP redirects to override OSPFgenerated routes
High 1
Plugin Plugin Name Severity Total
1000100
CCE-9496-1:MSS:(DisableIPSourceRouting) IP source routingprotection level (protects against packetspoofing)
High 1
Plugin Plugin Name Severity Total
1000099CCE-9342-7:MSS: (AutoAdminLogon)Enable Automatic Logon (NotRecommended)
Info 1
Plugin Plugin Name Severity Total
1000077CCE-8937-5:Network security: Do not storeLAN Manager hash value on next passwordchange
Info 1
Plugin Plugin Name Severity Total
1000065CCE-9358-3:Microsoft network server:Disconnect clients when logon hours expire
Info 1
Chapter CCE Summary CCE to NIST 800 53 SecurityCenter 4TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013
SC-5-1 - Denial of Service Protection
Tenable Network Security 98
Plugin Plugin Name Severity Total
1000064CCE-8825-2:Microsoft network server:Digitally sign communications (if clientagrees)
High 1
Plugin Plugin Name Severity Total
1000058CCE-9067-0:Interactive logon: Smart cardremoval behavior
High 1
Plugin Plugin Name Severity Total
1000057CCE-8818-7:Interactive logon: RequireDomain Controller authentication to unlockworkstation
Info 1
Plugin Plugin Name Severity Total
1000055CCE-8487-1:Interactive logon: Number ofprevious logons to cache (in case domaincontroller is not available)
High 1
Plugin Plugin Name Severity Total
1000054CCE-8740-3:Interactive logon: Message titlefor users attempting to log on
High 1
Plugin Plugin Name Severity Total
1000053CCE-8973-0:Interactive logon: Messagetext for users attempting to log on
High 1
Plugin Plugin Name Severity Total
1000049CCE-9123-1:Domain member: Maximummachine account password age
Info 1
Plugin Plugin Name Severity Total
1000042CCE-9026-6:Devices: Prevent users frominstalling printer drivers
Info 1
Chapter CCE Summary CCE to NIST 800 53 SecurityCenter 4TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013
SC-5-1 - Denial of Service Protection
Tenable Network Security 99
Plugin Plugin Name Severity Total
1000036CCE-9418-5:Accounts: Limit local accountuse to blank passwords to console logononly
Info 1
Plugin Plugin Name Severity Total
1000006 CCE-9193-4:Maximum Password Age Info 1
Chapter CCE Summary CCE to NIST 800 53 SecurityCenter 4TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013
SC-5-2 - Denial of Service Protection
Tenable Network Security 100
SC-5-2 - Denial of Service Protection
CCE-8560-5 - The 'MSS: (Hidden) Hide Computer From the Browse List (not recommended except for highly secure environments)' setting should be configuredcorrectly.
CCE-9317-9 - The 'Interactive logon: Do not require CTRL+ALT+DEL' setting should be configured correctly.
CCE Mapping Summary
Plugin Plugin Name Severity Total
1000238CCE-8560-5:MSS: (Hidden) Hide computerfrom the browse list (Not Recommendedexcept for highly secure environments)
High 1
Plugin Plugin Name Severity Total
1000052CCE-9317-9:Interactive logon: Do notrequire CTRL+ALT+DEL
High 1
Chapter CCE Summary CCE to NIST 800 53 SecurityCenter 4TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013
SC-7 - Boundary Protection
Tenable Network Security 101
SC-7 - Boundary Protection
CCE-9559-6 - The 'Turn off the Windows Messenger Customer Experience Improvement Program' setting should be configured correctly.
CCE-9842-6 - The "Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider" setting should be configured correctly.
CCE-10266-5 - The "6to4 State" setting should be configured correctly.
CCE-9953-1 - Installation and Configuration of Network Bridge on the DNS Domain Network should be properly configured.
CCE Mapping Summary
Plugin Plugin Name Severity Total
1000175CCE-9842-6:Microsoft support diagnostictool: turn on msdt interactive communicationwith support provider
High 1
Plugin Plugin Name Severity Total
1000164CCE-9559-6:Turn off the WindowsMessenger Customer ExperienceImprovement Program
High 1
Plugin Plugin Name Severity Total
1000139 CCE-10266-5:6to4 State High 1
Plugin Plugin Name Severity Total
1000136CCE-9953-1:Prohibit installation andconfiguration of Network Bridge on yourDNS domain network
High 1
Chapter CCE Summary CCE to NIST 800 53 SecurityCenter 4TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013
SC-8 - Transmission Confidentiality and Integrity
Tenable Network Security 102
SC-8 - Transmission Confidentiality andIntegrity
CCE-10011-5 - The "Teredo State" setting should be configured correctly.
CCE-9344-3 - The 'Microsoft network client: Digitally sign communications (if server agrees)' setting should be configured correctly.
CCE-9040-7 - The 'Microsoft network server: Digitally sign communications (always)' setting should be configured correctly.
CCE-9327-8 - The 'Microsoft network client: Digitally sign communications (always)' setting should be configured correctly.
CCE-9265-0 - The 'Microsoft network client: Send unencrypted password to third-party SMB servers' setting should be configured correctly.
Chapter CCE Summary CCE to NIST 800 53 SecurityCenter 4TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013
SC-8 - Transmission Confidentiality and Integrity
Tenable Network Security 103
CCE Mapping Summary
Plugin Plugin Name Severity Total
1000141 CCE-10011-5:Teredo State High 1
Plugin Plugin Name Severity Total
1000063CCE-9040-7:Microsoft network server:Digitally sign communications (always)
High 1
Plugin Plugin Name Severity Total
1000061CCE-9265-0:Microsoft network client: Sendunencrypted password to third-party SMBservers
Info 1
Plugin Plugin Name Severity Total
1000060CCE-9344-3:Microsoft network client:Digitally sign communications (if serveragrees)
Info 1
Plugin Plugin Name Severity Total
1000059CCE-9327-8:Microsoft network client:Digitally sign communications (always)
High 1
Chapter CCE Summary CCE to NIST 800 53 SecurityCenter 4TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013
SC-9 - Withdrawn
Tenable Network Security 104
SC-9 - Withdrawn
CCE-9764-2 - The Remote Desktop Services 'Set client connection encryption level' setting should be enabled or disabled as appropriate.
CCE-8503-5 - The 'Microsoft network server: Server SPN target name validation level' setting should be configured correctly.
CCE-10130-3 - The "ISATAP State" setting for IPv6 should be configured correctly.
CCE-9040-7 - The 'Microsoft network server: Digitally sign communications (always)' setting should be configured correctly.
CCE-9251-0 - The 'Domain member: Digitally encrypt secure channel data (when possible)' setting should be configured correctly.
CCE-9532-3 - The 'Network Security: Configure encryption types allowed for Kerberos' setting should be configured correctly.
CCE-9266-8 - The 'System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing' setting should be configured correctly.
CCE-8974-8 - The 'Domain member: Digitally encrypt or sign secure channel data (always)' setting should be configured correctly.
Chapter CCE Summary CCE to NIST 800 53 SecurityCenter 4TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013
SC-9 - Withdrawn
Tenable Network Security 105
CCE Mapping Summary
Plugin Plugin Name Severity Total
1000243CCE-9532-3:Network Security: Configureencryption types allowed for Kerberos
High 1
Plugin Plugin Name Severity Total
1000236CCE-8503-5:Microsoft network server: SPNTarget name validation
High 1
Plugin Plugin Name Severity Total
1000199CCE-9764-2:Set client connectionencryption level
High 1
Plugin Plugin Name Severity Total
1000140 CCE-10130-3:ISATAP State High 1
Plugin Plugin Name Severity Total
1000087CCE-9266-8:System Cryptography: UseFIPS compliant algorithms for encryption,hashing, and signing
High 1
Plugin Plugin Name Severity Total
1000063CCE-9040-7:Microsoft network server:Digitally sign communications (always)
High 1
Plugin Plugin Name Severity Total
1000046CCE-9251-0:Domain member: Digitallyencrypt secure channel data (whenpossible)
Info 1
Plugin Plugin Name Severity Total
1000045CCE-8974-8:Domain member: Digitallyencrypt or sign secure channel data(always)
Info 1
Chapter CCE Summary CCE to NIST 800 53 SecurityCenter 4TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013
SI-1 - System and Information Integrity Policy and Procedures
Tenable Network Security 106
SI-1 - System and Information Integrity Policyand Procedures
CCE-10441-4 - The "Enable Error Reporting" policy should be set correctly.
CCE-10824-1 - The Windows Error Reporting "Do not send additional data" setting should be configured correctly.
CCE-10709-4 - The Windows Error Reporting "Display Error Notification" setting should be configured correctly.
CCE-10645-0 - The "Turn Off Handwriting Reconition Error Reporting" setting should be configured correctly.
CCE-9914-3 - The "Disable Windows Error Reporting" setting should be configured correctly.
CCE-9901-0 - The "Do not send a Windows Error Report when a generic driver is installed on a device" setting should be configured correctly.
CCE-10658-3 - The "Turn off handwriting personalization data sharing" setting should be configured correctly.
Chapter CCE Summary CCE to NIST 800 53 SecurityCenter 4TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013
SI-1 - System and Information Integrity Policy and Procedures
Tenable Network Security 107
CCE Mapping Summary
Plugin Plugin Name Severity Total
1000212 CCE-10824-1:Do Not Send Additional Data High 1
Plugin Plugin Name Severity Total
1000211 CCE-10709-4:Display Error Notification High 1
Plugin Plugin Name Severity Total
1000210CCE-9914-3:Disable Windows ErrorReporting
High 1
Plugin Plugin Name Severity Total
1000165CCE-10441-4:Turn Off Windows ErrorReporting
High 1
Plugin Plugin Name Severity Total
1000155CCE-10645-0:Turn off handwritingrecognition error reporting
High 1
Plugin Plugin Name Severity Total
1000154CCE-10658-3:Turn off handwritingpersonalization data sharing
High 1
Plugin Plugin Name Severity Total
1000147CCE-9901-0:Do not send a Windows ErrorReport when a generic driver is installed ona device
High 1
Chapter CCE Summary CCE to NIST 800 53 SecurityCenter 4TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013
SI-2 - Flaw Remediation
Tenable Network Security 108
SI-2 - Flaw Remediation
CCE-10441-4 - The "Enable Error Reporting" policy should be set correctly.
CCE-10602-1 - The "Disable Media Player for automatic updates" policy should be set correctly.
CCE-10824-1 - The Windows Error Reporting "Do not send additional data" setting should be configured correctly.
CCE-10709-4 - The Windows Error Reporting "Display Error Notification" setting should be configured correctly.
CCE-10205-3 - The 'Reschedule Automatic Updates scheduled installations' setting should be enabled or disabled as appropriate.
CCE-9403-7 - Automatic Updates should be enabled or disabled as appropriate.
CCE-10782-1 - The "Extend Point and Print connection to search Windows Update and use alternate connection if needed" setting should be configured correctly.
CCE-10137-8 - The "Prevent Windows Anytime Upgrade from running" setting should be configured correctly.
CCE-10645-0 - The "Turn Off Handwriting Reconition Error Reporting" setting should be configured correctly.
CCE-9901-0 - The "Do not send a Windows Error Report when a generic driver is installed on a device" setting should be configured correctly.
CCE-9914-3 - The "Disable Windows Error Reporting" setting should be configured correctly.
CCE-10658-3 - The "Turn off handwriting personalization data sharing" setting should be configured correctly.
CCE-9464-9 - The 'Do not display 'Install Updates and Shut Down' option in Shut Down Windows dialog box' setting should be configured correctly.
Chapter CCE Summary CCE to NIST 800 53 SecurityCenter 4TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013
SI-2 - Flaw Remediation
Tenable Network Security 109
CCE Mapping Summary
Plugin Plugin Name Severity Total
1000228CCE-9464-9:Do not display 'Install updatesand shut diown option' in shut downwindows dialog box
High 1
Plugin Plugin Name Severity Total
1000226CCE-10205-3:Reschedule automaticupdates scheduled installation
High 1
Plugin Plugin Name Severity Total
1000225 CCE-9403-7:Configure automatic updates High 1
Plugin Plugin Name Severity Total
1000224 CCE-10602-1:Prevent Automatic Updates High 1
Plugin Plugin Name Severity Total
1000212 CCE-10824-1:Do Not Send Additional Data High 1
Plugin Plugin Name Severity Total
1000211 CCE-10709-4:Display Error Notification High 1
Plugin Plugin Name Severity Total
1000210CCE-9914-3:Disable Windows ErrorReporting
High 1
Plugin Plugin Name Severity Total
1000207CCE-10137-8:Prevent Windows anytimeupgrade from running
High 1
Plugin Plugin Name Severity Total
1000165CCE-10441-4:Turn Off Windows ErrorReporting
High 1
Chapter CCE Summary CCE to NIST 800 53 SecurityCenter 4TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013
SI-2 - Flaw Remediation
Tenable Network Security 110
Plugin Plugin Name Severity Total
1000155CCE-10645-0:Turn off handwritingrecognition error reporting
High 1
Plugin Plugin Name Severity Total
1000154CCE-10658-3:Turn off handwritingpersonalization data sharing
High 1
Plugin Plugin Name Severity Total
1000147CCE-9901-0:Do not send a Windows ErrorReport when a generic driver is installed ona device
High 1
Plugin Plugin Name Severity Total
1000145CCE-10782-1:Extend point and printconnection to search Windows update anduse alternate connection if needed
High 1
Chapter CCE Summary CCE to NIST 800 53 SecurityCenter 4TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013
SI-3 - Malicious Code Protection
Tenable Network Security 111
SI-3 - Malicious Code Protection
CCE-9289-0 - The 'Lock pages in memory' user right should be assigned to the appropriate accounts.
CCE-10076-8 - The 'Notify antivirus programs when opening attachments' setting should be configured correctly.
CCE-9888-9 - The "Prohibit non-administrators from applying vendor signed updates" setting should be configured correctly.
CCE-9875-6 - The "Set Safe for Scripting" policy should be set correctly.
CCE Mapping Summary
Plugin Plugin Name Severity Total
1000218CCE-9888-9:Prohibit non-administratorsfrom applying vendor signed updates
High 1
Plugin Plugin Name Severity Total
1000216CCE-9875-6:Disable IE security prompt forWindows Installer scripts
High 1
Plugin Plugin Name Severity Total
1000026 CCE-9289-0:Lock Pages In Memory Info 1
Chapter CCE Summary CCE to NIST 800 53 SecurityCenter 4TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013
SI-4 - Information System Monitoring
Tenable Network Security 112
SI-4 - Information System Monitoring
CCE-10130-3 - The "ISATAP State" setting for IPv6 should be configured correctly.
CCE Mapping Summary
Plugin Plugin Name Severity Total
1000140 CCE-10130-3:ISATAP State High 1