SecurityCenter 4
TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013
RONLAB

Chapter CCE Summary
CCE to NIST 800 53
April 18, 2013 at 5:53am EDT [cody]

Confidential: The following report contains confidential information. Do not distribute, email, fax, or transfer via any electronic mechanism unless it has been approved by the recipient company's security policy. All copies and backups of this document should be saved on protected storage at all times. Do not share any of the information contained within this report with anyone unless they are authorized to view the information. Violating any of the previous instructions is grounds for termination.




AC-1 - Access Control Policy and Procedures

CCE-10591-6 - Use Classic Logon should be properly configured.

CCE-10661-7 - The startup type of the Bluetooth service should be correct.

CCE-9985-3 - The 'Allow users to connect remotely using Remote Desktop Services' setting should be configured correctly.

CCE-9136-3 - The 'Account lockout threshold' setting should be configured correctly.

CCE-9960-6 - Unsolicited offers of remote assistance (aka the 'Offer Remote Assistance' setting) should be automatically rejected or passed to the logged-on user for confirmation as appropriate.

CCE-9107-4 - The 'Allow log on through Remote Desktop Services' user right should be assigned to the appropriate accounts.

CCE-10763-1 - The startup type of the NetMeeting Remote Desktop Sharing service should be correct.

CCE-10608-8 - The "Set time limit for idle sessions" policy should be set correctly for Terminal Services.

CCE-10103-0 - The 'Always prompt for password upon connection' setting should be configured correctly.

CCE-9407-8 - The 'Act as part of the operating system' user right should be assigned to the appropriate accounts.

CCE-9879-8 - The "Configuration of wireless settings using Windows Connect Now" setting should be configured correctly for Wireless Connect Now over Ethernet (UPnP).

CCE-10051-1 - The screen saver should be enabled or disabled as appropriate for the current user.

CCE-10148-5 - The 'Screen Saver timeout' setting should be configured correctly.

CCE-9274-2 - The 'Deny log on through Remote Desktop Services' user right should be assigned to the appropriate accounts.

CCE-9406-0 - The 'Microsoft network server: Amount of idle time required before suspending session' setting should be configured correctly.

CCE-8807-0 - The 'Recovery console: Allow automatic administrative logon' setting should be configured correctly.

CCE-8945-8 - The 'Recovery console: Allow floppy copy and access to all drives and all folders' setting should be configured correctly.


CCE-10769-8 - The "Allow remote access to the PnP interface" setting should be configured correctly.

CCE-9704-8 - The 'Network security: Force logoff when logon hours expire' setting should be configured correctly.

CCE-9858-2 - The "Set time limit for disconnected sessions" policy should be set correctly for Terminal Services.

CCE-10527-0 - The default behavior for AutoRun should be properly configured.

CCE-9336-9 - The 'Force shutdown from a remote system' user right should be assigned to the appropriate accounts.

CCE-9439-1 - The 'MSS: (NoDefaultExempt) Configure IPSec exemptions for various types of network traffic.' setting should be configured correctly.

CCE-9730-3 - The 'Password protect the screen saver' setting should be configured correctly.

CCE-8591-0 - The time in seconds before the screen saver grace period expires (ScreenSaverGracePeriod) setting should be configured correctly.


CCE Mapping Summary

Plugin | Plugin Name | Severity | Total
1000261 | CCE-9107-4: Log On Through Terminal Services | Info | 1
1000201 | CCE-9858-2: Set a time limit for disconnected sessions | High | 1
1000200 | CCE-10608-8: Set a time limit for active but idle Terminal Services sessions | High | 1
1000198 | CCE-10103-0: Always prompt client for password upon connection | High | 1
1000197 | CCE-9985-3: Allow users to connect remotely using Remote Desktop Services | High | 1
1000195 | CCE-10763-1: Disable remote desktop sharing | High | 1
1000180 | CCE-10527-0: Default behavior for autorun | High | 1
1000170 | CCE-9960-6: Offer Remote Assistance | High | 1
1000166 | CCE-10591-6: Always Use Classic Logon | High | 1
1000146 | CCE-10769-8: Allow remote access to the PnP interface | High | 1
1000143 | CCE-9879-8: Configuration of Wireless Settings Using Windows Connect Now | High | 1
1000110 | CCE-10661-7: Bluetooth Support Service | High | 1
1000107 | CCE-8591-0: MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended) | High | 1
1000103 | CCE-9439-1: MSS: (NoDefaultExempt) Enable NoDefaultExempt for IPSec Filtering (recommended) | High | 1
1000084 | CCE-8945-8: Recovery Console: Allow Floppy Copy and Access to All Drives and All Folders | Info | 1
1000083 | CCE-8807-0: Recovery Console: Allow Automatic Administrative Logon | Info | 1
1000078 | CCE-9704-8: Network security: Force logoff when logon hours expire | High | 1
1000062 | CCE-9406-0: Microsoft network server: Amount of idle time required before suspending session | Info | 1
1000023 | CCE-9336-9: Force Shutdown From A Remote System | Info | 1
1000022 | CCE-9274-2: Deny Logon Through Remote Desktop Services | High | 1
1000012 | CCE-9407-8: Act As Part Of The Operating System | Info | 1
1000003 | CCE-9136-3: Account Lockout Threshold | High | 1


AC-2 - Account Management

CCE-9938-2 - The 'Enumerate administrator accounts on elevation' setting should be configured correctly.

CCE-8936-7 - The 'Network access: Let Everyone permissions apply to anonymous users' setting should be configured correctly.

CCE-9449-0 - The 'Interactive logon: Do not display last user name' setting should be configured correctly.

CCE-10359-8 - The "Require domain users to elevate when setting a network's location" setting should be configured correctly.

CCE-8467-3 - The 'Impersonate a client after authentication' user right should be assigned to the appropriate accounts.

CCE-8811-2 - The 'User Account Control: Admin Approval Mode for the Built-in Administrator account' setting should be configured correctly.

CCE-10154-3 - The 'Do not process the run once list' setting should be configured correctly.

CCE-8813-8 - The 'User Account Control: Behavior of the elevation prompt for standard users' setting should be configured correctly.

CCE-9907-7 - The "Report Logon Server Not Available During User logon" setting should be configured correctly.

CCE-8958-1 - The 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' setting should be configured correctly.

CCE-9218-9 - The 'Network access: Named Pipes that can be accessed anonymously' setting should be configured correctly.


CCE Mapping Summary

Plugin | Plugin Name | Severity | Total
1000255 | CCE-8467-3: Impersonate a Client After Authentication | Info | 1
1000219 | CCE-9907-7: Report Logon Server Not Available During User logon | High | 1
1000183 | CCE-9938-2: Enumerate administrator accounts on elevation | High | 1
1000167 | CCE-10154-3: Do not process the run once list | High | 1
1000137 | CCE-10359-8: Require Domain users to elevate when setting a networks location | High | 1
1000092 | CCE-8813-8: User Account Control: Behavior of the elevation prompt for standard users | High | 1
1000091 | CCE-8958-1: User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode | High | 1
1000090 | CCE-8811-2: User Account Control: Admin Approval Mode for the Built-in Administrator account | High | 1
1000071 | CCE-9218-9: Network access: Named Pipes that can be accessed anonymously - netlogon, lsarpc, samr, browser | Info | 1
1000070 | CCE-8936-7: Network access: Let Everyone permissions apply to anonymous users | Info | 1
1000051 | CCE-9449-0: Interactive logon: Do not display last user name | High | 1


AC-3-1 - Access Enforcement

CCE-9418-5 - The 'Accounts: Limit local account use of blank passwords to console logon only' setting should be configured correctly.

CCE-9801-2 - The 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' setting should be configured correctly.

CCE-9938-2 - The 'Enumerate administrator accounts on elevation' setting should be configured correctly.

CCE-9985-3 - The 'Allow users to connect remotely using Remote Desktop Services' setting should be configured correctly.

CCE-9189-2 - The 'User Account Control: Run all administrators in Admin Approval Mode' setting should be configured correctly.

CCE-9215-5 - The 'Create a token object' user right should be assigned to the appropriate accounts.

CCE-8655-3 - The 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' setting should be configured correctly.

CCE-9156-1 - The 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' setting should be configured correctly.

CCE-9199-1 - The 'Accounts: Administrator account status' setting should be configured correctly.

CCE-9212-2 - The 'Deny log on as a batch job' user right should be assigned to the appropriate accounts.

CCE-8714-8 - The 'Accounts: Guest account status' setting should be configured correctly.

CCE-9185-0 - The 'Create a pagefile' user right should be assigned to the appropriate accounts.

CCE-10051-1 - The screen saver should be enabled or disabled as appropriate for the current user.

CCE-8999-5 - The 'Increase scheduling priority' user right should be assigned to the appropriate accounts.

CCE-9253-6 - The 'Access this computer from the network' user right should be assigned to the appropriate accounts.

CCE-9344-3 - The 'Microsoft network client: Digitally sign communications (if server agrees)' setting should be configured correctly.

CCE-9616-4 - The 'User Account Control: Detect application installations and prompt for elevation' setting should be configured correctly.

CCE-8818-7 - The 'Interactive logon: Require Domain Controller authentication to unlock workstation' setting should be configured correctly.

CCE-9021-7 - The 'User Account Control: Only elevate executables that are signed and validated' setting should be configured correctly.

CCE-9534-9 - The 'Require message integrity' option for the 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' setting should be enabled or disabled as appropriate.


CCE-9098-5 - The 'Deny log on as a service' user right should be assigned to the appropriate accounts.

CCE-9406-0 - The 'Microsoft network server: Amount of idle time required before suspending session' setting should be configured correctly.

CCE-10769-8 - The "Allow remote access to the PnP interface" setting should be configured correctly.

CCE-9456-5 - The 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default)' setting should be configured correctly.


CCE Mapping Summary

Plugin | Plugin Name | Severity | Total
1000249 | CCE-9199-1: accounts_administrator_account_status | High | 1
1000247 | CCE-8714-8: accounts_guest_account_status | Info | 1
1000237 | CCE-8655-3: MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing) | High | 1
1000197 | CCE-9985-3: Allow users to connect remotely using Remote Desktop Services | High | 1
1000183 | CCE-9938-2: Enumerate administrator accounts on elevation | High | 1
1000146 | CCE-10769-8: Allow remote access to the PnP interface | High | 1
1000108 | CCE-9456-5: MSS: (TCPMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default) | High | 1
1000096 | CCE-9189-2: User Account Control: Run all administrators in Admin Approval Mode | High | 1
1000095 | CCE-9801-2: User Account Control: Only elevate UIAccess applications that are installed in secure locations | High | 1
1000094 | CCE-9021-7: User Account Control: Only elevate executables that are signed and validated | High | 1
1000093 | CCE-9616-4: User Account Control: Detect application installations and prompt for elevation | High | 1
1000081 | CCE-9534-9: Network security: Minimum session security for NTLM SSP based (including secure RPC) clients | High | 1
1000068 | CCE-9156-1: Network access: Do not allow anonymous enumeration of SAM accounts and shares | High | 1
1000062 | CCE-9406-0: Microsoft network server: Amount of idle time required before suspending session | Info | 1
1000060 | CCE-9344-3: Microsoft network client: Digitally sign communications (if server agrees) | Info | 1
1000057 | CCE-8818-7: Interactive logon: Require Domain Controller authentication to unlock workstation | Info | 1
1000036 | CCE-9418-5: Accounts: Limit local account use to blank passwords to console logon only | Info | 1
1000024 | CCE-8999-5: Increase Scheduling Priority | Info | 1
1000020 | CCE-9098-5: Deny Logon As A Service | Info | 1
1000019 | CCE-9212-2: Deny Logon As A Batch Job | High | 1
1000015 | CCE-9215-5: Create A Token Object | Info | 1
1000014 | CCE-9185-0: Create A Pagefile | Info | 1
1000011 | CCE-9253-6: Access This Computer From The Network | High | 1


AC-3-2 - Access Enforcement

CCE-8937-5 - The 'Network security: Do not store LAN Manager hash value on next password change' setting should be configured correctly.

CCE-8475-6 - The 'Perform volume maintenance tasks' user right should be assigned to the appropriate accounts.

CCE-9496-1 - The 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' setting should be configured correctly.

CCE-9123-1 - The 'Domain member: Maximum machine account password age' setting should be configured correctly.

CCE-9014-2 - The 'Shut down the system' user right should be assigned to the appropriate accounts.

CCE-8817-9 - The 'User Account Control: Virtualize file and registry write failures to per-user locations' setting should be configured correctly.

CCE-8414-5 - The 'Bypass traverse checking' user right should be assigned to the appropriate accounts.

CCE-8513-4 - The 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' setting should be configured correctly.

CCE-9121-5 - The 'Network access: Remotely accessible registry paths' setting should be configured correctly.

CCE-9301-3 - The 'User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop' setting should be configured correctly.

CCE-9068-8 - The 'Adjust memory quotas for a process' user right should be assigned to the appropriate accounts.

CCE-9193-4 - The 'Maximum password age' setting should be configured correctly.

CCE-8825-2 - The 'Microsoft network server: Digitally sign communications (if client agrees)' setting should be configured correctly.

CCE-8487-1 - The 'Interactive logon: Number of previous logons to cache (in case domain controller is not available)' setting should be configured correctly.

CCE-9395-5 - The 'User Account Control: Switch to the secure desktop when prompting for elevation' setting should be configured correctly.

CCE-9487-0 - The 'MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted (3 recommended, 5 is default)' setting should be configured correctly.

CCE-9358-3 - The 'Microsoft network server: Disconnect clients when logon hours expire' setting should be configured correctly.

CCE-9149-6 - The 'Modify an object label' user right should be assigned to the appropriate accounts.

CCE-9531-5 - The 'Network access: Allow anonymous SID/Name translation' setting should be configured correctly.

CCE-9342-7 - The 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' setting should be configured correctly.


CCE-9048-0 - The 'Increase a process working set' user right should be assigned to the appropriate accounts.

CCE-8591-0 - The time in seconds before the screen saver grace period expires (ScreenSaverGracePeriod) setting should be configured correctly.

CCE-9254-4 - The 'Create permanent shared objects' user right should be assigned to the appropriate accounts.

CCE-9026-6 - The 'Devices: Prevent users from installing printer drivers' setting should be configured correctly.


CCE Mapping Summary

Plugin | Plugin Name | Severity | Total
1000263 | CCE-9068-8: Adjust Memory Quotas For A Process | Info | 1
1000260 | CCE-8414-5: Bypass Traverse Checking | High | 1
1000254 | CCE-9048-0: Increase a Process Working Set | High | 1
1000250 | CCE-9014-2: Shut Down The System | High | 1
1000244 | CCE-9301-3: User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop | High | 1
1000239 | CCE-9487-0: MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted (3 recommended, 5 is default) | High | 1
1000107 | CCE-8591-0: MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended) | High | 1
1000101 | CCE-8513-4: MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes | High | 1
1000100 | CCE-9496-1: MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing) | High | 1
1000099 | CCE-9342-7: MSS: (AutoAdminLogon) Enable Automatic Logon (Not Recommended) | Info | 1
1000098 | CCE-8817-9: User Account Control: Virtualize file and registry write failures to per-user locations | High | 1
1000097 | CCE-9395-5: User Account Control: Switch to the secure desktop when prompting for elevation | High | 1
1000077 | CCE-8937-5: Network security: Do not store LAN Manager hash value on next password change | Info | 1
1000072 | CCE-9121-5: Network access: Remotely accessible registry paths | Info | 1
1000066 | CCE-9531-5: Network access: Allow anonymous SID-Name translation | Info | 1
1000065 | CCE-9358-3: Microsoft network server: Disconnect clients when logon hours expire | Info | 1
1000064 | CCE-8825-2: Microsoft network server: Digitally sign communications (if client agrees) | High | 1
1000055 | CCE-8487-1: Interactive logon: Number of previous logons to cache (in case domain controller is not available) | High | 1
1000049 | CCE-9123-1: Domain member: Maximum machine account password age | Info | 1
1000042 | CCE-9026-6: Devices: Prevent users from installing printer drivers | Info | 1
1000032 | CCE-8475-6: Perform Volume Maintenance Tasks | Info | 1
1000030 | CCE-9149-6: Modify an object label | Info | 1
1000016 | CCE-9254-4: Create Permanent Shared Objects | Info | 1
1000006 | CCE-9193-4: Maximum Password Age | Info | 1


AC-3-3 - Access Enforcement

CCE-8431-9 - The 'Create global objects' user right should be assigned to the appropriate accounts.

CCE-8583-7 - The 'Debug programs' user right should be assigned to the appropriate accounts.

CCE-9458-1 - The 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)' setting should be configured correctly.

CCE-9067-0 - The 'Interactive logon: Smart card removal behavior' setting should be configured correctly.

CCE-9345-0 - The 'Allow log on locally' user right should be assigned to the appropriate accounts.

CCE-9249-4 - The 'Network access: Do not allow anonymous enumeration of SAM accounts' setting should be configured correctly.

CCE-8806-2 - The 'Network security: LAN Manager authentication level' setting should be configured correctly.

CCE-9317-9 - The 'Interactive logon: Do not require CTRL+ALT+DEL' setting should be configured correctly.


CCE Mapping Summary

Plugin | Plugin Name | Severity | Total
1000262 | CCE-9345-0: Log On Locally | High | 1
1000257 | CCE-8431-9: Create Global Objects | Info | 1
1000105 | CCE-9458-1: MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS) | High | 1
1000079 | CCE-8806-2: Network security: LAN Manager Authentication Level | High | 1
1000067 | CCE-9249-4: Network access: Do not allow anonymous enumeration of SAM accounts | Info | 1
1000058 | CCE-9067-0: Interactive logon: Smart card removal behavior | High | 1
1000052 | CCE-9317-9: Interactive logon: Do not require CTRL+ALT+DEL | High | 1
1000017 | CCE-8583-7: Debug Programs | Info | 1


AC-4 - Information Flow Enforcement

CCE-10509-8 - The "Route all traffic through the internal network" setting should be configured correctly.

CCE-9348-4 - The 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' setting should be configured correctly.

CCE-9426-8 - The 'MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds' setting should be configured correctly.

CCE-9501-8 - The 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' setting should be configured correctly.

CCE-8560-5 - The 'MSS: (Hidden) Hide Computer From the Browse List (not recommended except for highly secure environments)' setting should be configured correctly.

CCE-9439-1 - The 'MSS: (NoDefaultExempt) Configure IPSec exemptions for various types of network traffic.' setting should be configured correctly.

CCE-8562-1 - The 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' setting should be configured correctly.

CCE Mapping Summary

Plugin  | Plugin Name | Severity | Total
1000238 | CCE-8560-5: MSS: (Hidden) Hide computer from the browse list (Not Recommended except for highly secure environments) | High | 1
1000138 | CCE-10509-8: Route all traffic through the internal network | High | 1
1000109 | CCE-9501-8: MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning | High | 1
1000106 | CCE-9348-4: MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended) | High | 1
1000104 | CCE-8562-1: MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers | High | 1
1000103 | CCE-9439-1: MSS: (NoDefaultExempt) Enable NoDefaultExempt for IPSec Filtering (recommended) | High | 1
1000102 | CCE-9426-8: MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds | High | 1


AC-6 - Least Privilege

CCE-10661-7 - The startup type of the Bluetooth service should be correct.

CCE-9801-2 - The 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' setting should be configured correctly.

CCE-9189-2 - The 'User Account Control: Run all administrators in Admin Approval Mode' setting should be configured correctly.

CCE-8817-9 - The 'User Account Control: Virtualize file and registry write failures to per-user locations' setting should be configured correctly.

CCE-9199-1 - The 'Accounts: Administrator account status' setting should be configured correctly.

CCE-9616-4 - The 'User Account Control: Detect application installations and prompt for elevation' setting should be configured correctly.

CCE-9301-3 - The 'User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop' setting should be configured correctly.

CCE-9021-7 - The 'User Account Control: Only elevate executables that are signed and validated' setting should be configured correctly.

CCE-10644-3 - The "Prevent users from sharing files within their profile" setting should be configured correctly.

CCE-9395-5 - The 'User Account Control: Switch to the secure desktop when prompting for elevation' setting should be configured correctly.


CCE Mapping Summary

Plugin  | Plugin Name | Severity | Total
1000249 | CCE-9199-1: accounts_administrator_account_status | High | 1
1000244 | CCE-9301-3: User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop | High | 1
1000110 | CCE-10661-7: Bluetooth Support Service | High | 1
1000098 | CCE-8817-9: User Account Control: Virtualize file and registry write failures to per-user locations | High | 1
1000097 | CCE-9395-5: User Account Control: Switch to the secure desktop when prompting for elevation | High | 1
1000096 | CCE-9189-2: User Account Control: Run all administrators in Admin Approval Mode | High | 1
1000095 | CCE-9801-2: User Account Control: Only elevate UIAccess applications that are installed in secure locations | High | 1
1000094 | CCE-9021-7: User Account Control: Only elevate executables that are signed and validated | High | 1
1000093 | CCE-9616-4: User Account Control: Detect application installations and prompt for elevation | High | 1


AC-7 - Unsuccessful Logon Attempts

CCE-9308-8 - The 'Account lockout duration' setting should be configured correctly.

CCE-9400-3 - The 'Reset account lockout counter after' setting should be configured correctly.

CCE-8484-8 - The built-in Administrator account should be correctly named.

CCE-9229-6 - The built-in Guest account should be correctly named.

CCE Mapping Summary

Plugin  | Plugin Name | Severity | Total
1000038 | CCE-9229-6: Accounts: Rename guest account | High | 1
1000037 | CCE-8484-8: Accounts: Rename administrator account | High | 1
1000004 | CCE-9400-3: Reset Account Lockout Counter After | Info | 1
1000002 | CCE-9308-8: Account Lockout Duration | Info | 1


AC-8 - System Use Notification

CCE-8973-0 - The 'Interactive logon: Message text for users attempting to log on' setting should be configured correctly.

CCE-8740-3 - The 'Interactive logon: Message title for users attempting to log on' setting should be configured correctly.

CCE Mapping Summary

Plugin  | Plugin Name | Severity | Total
1000054 | CCE-8740-3: Interactive logon: Message title for users attempting to log on | High | 1
1000053 | CCE-8973-0: Interactive logon: Message text for users attempting to log on | High | 1


AU-2-1 - Audit Events

CCE-9542-2 - Auditing of 'Account Management: User Account Management' events on success should be enabled or disabled as appropriate.

CCE-10078-4 - Auditing of 'Object Access: Registry' events on failure should be enabled or disabled as appropriate.

CCE-9172-8 - Auditing of 'Privilege Use: Sensitive Privilege Use' events on failure should be enabled or disabled as appropriate.

CCE-9058-9 - Auditing of 'Logon-Logoff: Logoff' events on failure should be enabled or disabled as appropriate.

CCE-9805-3 - Auditing of 'Detailed Tracking: Process Creation' events on failure should be enabled or disabled as appropriate.

CCE-9737-8 - Auditing of 'Object Access: Registry' events on success should be enabled or disabled as appropriate.

CCE-9657-8 - Auditing of 'Account Management: Other Account Management Events' events on success should be enabled or disabled as appropriate.

CCE-9056-3 - Auditing of 'Account Management: Security Group Management' events on failure should be enabled or disabled as appropriate.

CCE-9863-2 - Auditing of 'System: Security System Extension' events on success should be enabled or disabled as appropriate.

CCE-9878-0 - Auditing of 'Privilege Use: Sensitive Privilege Use' events on success should be enabled or disabled as appropriate.

CCE-9976-2 - Auditing of 'Policy Change: Authentication Policy Change' events on success should be enabled or disabled as appropriate.

CCE-9998-6 - Auditing of 'System: Security System Extension' events on failure should be enabled or disabled as appropriate.

CCE-9608-1 - Auditing of 'Account Management: Computer Account Management' events on failure should be enabled or disabled as appropriate.

CCE-9683-4 - Auditing of 'Logon-Logoff: Logon' events on success should be enabled or disabled as appropriate.

CCE-9217-1 - Auditing of 'Object Access: File System' events on success should be enabled or disabled as appropriate.

CCE-9692-5 - Auditing of 'Account Management: Security Group Management' events on success should be enabled or disabled as appropriate.

CCE-9150-4 - The 'Audit: Audit the access of global system objects' setting should be configured correctly.

CCE-9520-8 - Auditing of 'System: System Integrity' events on success should be enabled or disabled as appropriate.

CCE-9802-0 - Auditing of 'System: IPsec Driver' events on failure should be enabled or disabled as appropriate.

CCE-10344-0 - The "Turn on session logging" setting should be configured correctly.

CCE-9850-9 - Auditing of 'System: Security State Change' events on success should be enabled or disabled as appropriate.


CCE-9800-4 - Auditing of 'Account Management: User Account Management' events on failure should be enabled or disabled as appropriate.

CCE-9498-7 - Auditing of 'Account Management: Computer Account Management' events on success should be enabled or disabled as appropriate.

CCE-8856-7 - Auditing of 'Logon-Logoff: Logoff' events on success should be enabled or disabled as appropriate.


CCE Mapping Summary

Plugin  | Plugin Name | Severity | Total
1000172 | CCE-10344-0: Turn on session logging | High | 1
1000132 | CCE-9520-8: System Integrity | Info | 1
1000131 | CCE-9863-2: Security System Extension | Info | 1
1000130 | CCE-9850-9: Security State Change | Info | 1
1000128 | CCE-9878-0: Sensitive Privilege Use | Info | 1
1000127 | CCE-9976-2: Authentication Policy Change | Info | 1
1000125 | CCE-9737-8: Registry | Info | 1
1000124 | CCE-9217-1: File System | Info | 1
1000122 | CCE-9683-4: Logon | Info | 1
1000121 | CCE-8856-7: Logoff | Info | 1
1000119 | CCE-9542-2: User Account Management | Info | 1
1000118 | CCE-9692-5: Security Group Management | Info | 1
1000117 | CCE-9657-8: Other Account Management Events | Info | 1
1000116 | CCE-9498-7: Computer Account Management | Info | 1
1000039 | CCE-9150-4: Audit: Audit the access of global system objects | Info | 1


AU-2-2 - Audit Events

CCE-9235-3 - Auditing of 'Policy Change: Audit Policy Change' events on failure should be enabled or disabled as appropriate.

CCE-9811-1 - Auditing of 'Object Access: File System' events on failure should be enabled or disabled as appropriate.

CCE-9213-0 - Auditing of 'Logon-Logoff: Logon' events on failure should be enabled or disabled as appropriate.

CCE-10156-8 - The 'Maximum Log Size (KB)' setting should be configured correctly for the system log.

CCE-8789-0 - The 'Audit: Audit the use of Backup and Restore privilege' setting should be configured correctly.

CCE-10157-6 - The Windows Error Reporting "Disable Logging" setting should be configured correctly.

CCE-9432-6 - The 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' setting should be configured correctly.

CCE-9718-8 - Auditing of 'Account Logon: Credential Validation' events on failure should be enabled or disabled as appropriate.

CCE-9925-9 - Auditing of 'System: IPsec Driver' events on success should be enabled or disabled as appropriate.

CCE-9194-2 - Auditing of 'System: System Integrity' events on failure should be enabled or disabled as appropriate.

CCE-9521-6 - Auditing of 'Logon-Logoff: Special Logon' events on failure should be enabled or disabled as appropriate.

CCE-9562-0 - Auditing of 'Detailed Tracking: Process Creation' events on success should be enabled or disabled as appropriate.

CCE-9725-3 - Auditing of 'Account Logon: Credential Validation' events on success should be enabled or disabled as appropriate.

CCE-9603-2 - The 'Maximum Log Size (KB)' setting should be configured correctly for the application log.

CCE-9763-4 - Auditing of 'Logon-Logoff: Special Logon' events on success should be enabled or disabled as appropriate.

CCE-9668-5 - Auditing of 'Account Management: Other Account Management Events' events on failure should be enabled or disabled as appropriate.

CCE-10021-4 - Auditing of 'Policy Change: Audit Policy Change' events on success should be enabled or disabled as appropriate.

CCE-10014-9 - Auditing of 'Policy Change: Authentication Policy Change' events on failure should be enabled or disabled as appropriate.

CCE-9179-3 - Auditing of 'System: Security State Change' events on failure should be enabled or disabled as appropriate.

CCE-9223-9 - The 'Manage auditing and security log' user right should be assigned to the appropriate accounts.


CCE-9226-2 - The 'Generate security audits' user right should be assigned to the appropriate accounts.


CCE Mapping Summary

Plugin  | Plugin Name | Severity | Total
1000256 | CCE-9226-2: Generate Security Audits | Info | 1
1000209 | CCE-10157-6: Disable Logging | High | 1
1000191 | CCE-10156-8: Maximum System Log Size | High | 1
1000188 | CCE-9603-2: Maximum Application Log Size | High | 1
1000129 | CCE-9925-9: IPsec Driver | Info | 1
1000126 | CCE-10021-4: Audit Policy Change | Info | 1
1000123 | CCE-9763-4: Special Logon | Info | 1
1000120 | CCE-9562-0: Process Creation | Info | 1
1000041 | CCE-9432-6: Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings | High | 1
1000040 | CCE-8789-0: Audit: Audit the use of Backup and Restore privilege | Info | 1
1000029 | CCE-9223-9: Manage Auditing And Security Log | Info | 1


AU-4 - Audit Storage Capacity

CCE-10714-4 - The setup log maximum size should be configured correctly.

CCE Mapping Summary

Plugin  | Plugin Name | Severity | Total
1000190 | CCE-10714-4: Maximum Setup Log Size | High | 1

AU-5 - Response to Audit Processing Failures

CCE-10714-4 - The setup log maximum size should be configured correctly.

CCE Mapping Summary

Plugin  | Plugin Name | Severity | Total
1000190 | CCE-10714-4: Maximum Setup Log Size | High | 1


AU-8 - Time Stamps

CCE-8423-6 - The 'Change the time zone' user right should be assigned to the appropriate accounts.

CCE-10500-7 - The "Configure Windows NTP Client\NtpServer" setting should be configured correctly.

CCE-8612-4 - The 'Change the system time' user right should be assigned to the appropriate accounts.

CCE Mapping Summary

Plugin  | Plugin Name | Severity | Total
1000259 | CCE-8612-4: Change the System Time | Info | 1
1000258 | CCE-8423-6: Change the time zone | Info | 1
1000178 | CCE-10500-7: Configure Windows NTP client | High | 1


AU-9 - Protection of Audit Information

CCE-9260-1 - The 'Store passwords using reversible encryption' setting should be configured correctly.

CCE-9501-8 - The 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' setting should be configured correctly.

CCE-10856-3 - The "Do not delete temp folder upon exit" setting should be configured correctly.

CCE Mapping Summary

Plugin  | Plugin Name | Severity | Total
1000202 | CCE-10856-3: Do not delete temp folders upon exit | High | 1
1000109 | CCE-9501-8: MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning | High | 1
1000010 | CCE-9260-1: Reversible Password Encryption | Info | 1


CA-3 - System Interconnections

CCE-10543-7 - The startup type of the Homegroup Listener service should be correct.

CCE Mapping Summary

Plugin  | Plugin Name | Severity | Total
1000112 | CCE-10543-7: HomeGroup Listener | High | 1


CM-2 - Baseline Configuration

CCE-9361-7 - The 'Registry policy processing' setting should be enabled or disabled as appropriate.

CCE-10602-1 - The "Disable Media Player for automatic updates" policy should be set correctly.

CCE-8945-8 - The 'Recovery console: Allow floppy copy and access to all drives and all folders' setting should be configured correctly.

CCE Mapping Summary

Plugin  | Plugin Name | Severity | Total
1000224 | CCE-10602-1: Prevent Automatic Updates | High | 1
1000151 | CCE-9361-7: Registry Policy | High | 1
1000084 | CCE-8945-8: Recovery Console: Allow Floppy Copy and Access to All Drives and All Folders | Info | 1


CM-3 - Configuration Change Control

CCE-9918-4 - The 'Turn off Data Execution Prevention for Explorer' setting should be configured correctly.

CCE-9819-4 - The "Turn Off Event Views "Events.asp" Links" setting should be configured correctly.

CCE-10061-0 - The 'Turn off printing over HTTP' setting should be configured correctly.

CCE-9674-3 - The 'Turn off Internet download for Web publishing and online ordering wizards' setting should be configured correctly.

CCE-9876-4 - The "Enable User Control Over Installs" policy should be set correctly.

CCE-10649-2 - The "Turn Off Internet Connection Wizard if URL Connection is Referring to Microsoft.com" setting should be configured correctly.

CCE-9857-4 - The "Override the More Gadgets Link" setting should be configured correctly.

CCE-9874-9 - The "Turn off Heap termination on corruption" setting should be configured correctly.

CCE-9417-7 - The 'Modify firmware environment values' user right should be assigned to the appropriate accounts.

CCE-10850-6 - The "Turn off game updates" setting should be configured correctly.

CCE-9403-7 - Automatic Updates should be enabled or disabled as appropriate.

CCE-10828-2 - The "Turn Off Downloading of Game Information" setting should be configured correctly.

CCE-10438-0 - The startup type of Microsoft Peer-to-Peer Networking Services should be configured correctly.

CCE-9195-9 - The 'Turn off downloading of print drivers over HTTP' setting should be configured correctly.

CCE-10795-3 - The "Turn Off Internet File Association Service" setting should be configured correctly.

CCE-10586-6 - The "Turn Off User Installed Windows Sidebar Gadgets" setting should be configured correctly.

CCE-10730-0 - The "Turn off downloading of enclosures" setting should be configured correctly.


CCE Mapping Summary

Plugin  | Plugin Name | Severity | Total
1000225 | CCE-9403-7: Configure automatic updates | High | 1
1000217 | CCE-9876-4: Enable user control over installs | High | 1
1000214 | CCE-9874-9: Turn off Heap termination on corruption | High | 1
1000213 | CCE-9918-4: Turn off data execution prevention for explorer | High | 1
1000204 | CCE-10730-0: Turn off downloading of enclosures | High | 1
1000193 | CCE-10850-6: Turn off game updates | High | 1
1000192 | CCE-10828-2: Turn Off Downloading of Game Information | High | 1
1000187 | CCE-10586-6: Turn Off User Installed Windows Sidebar Gadgets | High | 1
1000185 | CCE-9857-4: Override the More Gadgets Link | High | 1
1000159 | CCE-10061-0: Turn off printing over HTTP | High | 1
1000158 | CCE-10795-3: Turn off Internet file association service | High | 1
1000157 | CCE-9674-3: Turn off Internet download for Web publishing and online ordering wizards | High | 1
1000156 | CCE-10649-2: Turn off Internet connection wizard if URL connection is referring to Microsoft.com | High | 1
1000153 | CCE-9819-4: Turn off event views 'Events.asp' links | High | 1
1000152 | CCE-9195-9: Turn off downloading of print drivers over HTTP | High | 1
1000135 | CCE-10438-0: Turn Off Microsoft Peer-to-Peer Networking Services | High | 1
1000031 | CCE-9417-7: Modify Firmware Environment Values | Info | 1


CM-5 - Access Restrictions for Change

CCE-10140-2 - The 'Turn off Search Companion content file updates' setting should be configured correctly.

CCE-9910-1 - The startup type of the Homegroup Provider service should be correct.

CCE-9135-5 - The 'Load and unload device drivers' user right should be assigned to the appropriate accounts.

CCE Mapping Summary

Plugin  | Plugin Name | Severity | Total
1000161 | CCE-10140-2: Turn off Search Companion content file updates | High | 1
1000113 | CCE-9910-1: Homegroup Provider | High | 1
1000025 | CCE-9135-5: Load And Unload Device Drivers | Info | 1


CM-6-1 - Configuration Settings

CCE-9783-2 - The "Turn on Mapper I/O (LLTDIO) Driver" setting should be configured correctly.

CCE-10183-2 - The 'Prevent the computer from joining a homegroup' setting should be configured correctly.

CCE-8460-8 - The 'Create symbolic links' user right should be assigned to the appropriate accounts.

CCE-10602-1 - The "Disable Media Player for automatic updates" policy should be set correctly.

CCE-9156-1 - The 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' setting should be configured correctly.

CCE-10181-6 - The 'RPC Endpoint Mapper Client Authentication' setting should be configured correctly.

CCE-9866-5 - The "Prevent indexing uncached Exchange folders" setting should be configured correctly.

CCE-9864-0 - The "Do not use temporary folders per session" setting should be configured correctly.

CCE-8714-8 - The 'Accounts: Guest account status' setting should be configured correctly.

CCE-10051-1 - The screen saver should be enabled or disabled as appropriate for the current user.

CCE-9253-6 - The 'Access this computer from the network' user right should be assigned to the appropriate accounts.

CCE-8818-7 - The 'Interactive logon: Require Domain Controller authentication to unlock workstation' setting should be configured correctly.

CCE-10295-4 - The "Turn off Help Ratings" setting should be configured correctly.

CCE-9040-7 - The 'Microsoft network server: Digitally sign communications (always)' setting should be configured correctly.

CCE-10311-9 - The startup type of the Parental Controls service should be correct.

CCE-9098-5 - The 'Deny log on as a service' user right should be assigned to the appropriate accounts.

CCE-9406-0 - The 'Microsoft network server: Amount of idle time required before suspending session' setting should be configured correctly.

CCE-10787-0 - The "Turn off Program Inventory" setting should be configured correctly.

CCE-9358-3 - The 'Microsoft network server: Disconnect clients when logon hours expire' setting should be configured correctly.

CCE-9487-0 - The 'MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted (3 recommended, 5 is default)' setting should be configured correctly.


CCE-9528-1 - The 'Turn off Autoplay' setting should be configured correctly.

CCE-9149-6 - The 'Modify an object label' user right should be assigned to the appropriate accounts.

CCE-9342-7 - The 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' setting should be configured correctly.

CCE-8591-0 - The time in seconds before the screen saver grace period expires (ScreenSaverGracePeriod) setting should be configured correctly.

CCE Mapping Summary

Plugin | Plugin Name | Severity | Total
1000247 | CCE-8714-8:accounts_guest_account_status | Info | 1
1000245 | CCE-8460-8:create_symbolic_links | Info | 1
1000239 | CCE-9487-0:MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted (3 recommended, 5 is default) | High | 1
1000224 | CCE-10602-1:Prevent Automatic Updates | High | 1
1000206 | CCE-9866-5:Enable indexing uncached Exchange folders | High | 1
1000203 | CCE-9864-0:Do not use temporary folders per session | High | 1
1000194 | CCE-10183-2:Prevent the computer from joining a Homegroup | High | 1
1000179 | CCE-10787-0:Turn off program inventory | High | 1
1000174 | CCE-10181-6:RPC Endpoint Mapper Client Authentication | High | 1
1000133 | CCE-9783-2:Turn on Mapper I/O (LLTDIO) driver | High | 1
1000115 | CCE-10311-9:Parental Controls Service | High | 1
1000107 | CCE-8591-0:MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended) | High | 1
1000099 | CCE-9342-7:MSS: (AutoAdminLogon) Enable Automatic Logon (Not Recommended) | Info | 1
1000068 | CCE-9156-1:Network access: Do not allow anonymous enumeration of SAM accounts and shares | High | 1
1000065 | CCE-9358-3:Microsoft network server: Disconnect clients when logon hours expire | Info | 1
1000063 | CCE-9040-7:Microsoft network server: Digitally sign communications (always) | High | 1
1000062 | CCE-9406-0:Microsoft network server: Amount of idle time required before suspending session | Info | 1
1000057 | CCE-8818-7:Interactive logon: Require Domain Controller authentication to unlock workstation | Info | 1
1000030 | CCE-9149-6:Modify an object label | Info | 1
1000020 | CCE-9098-5:Deny Logon As A Service | Info | 1
1000011 | CCE-9253-6:Access This Computer From The Network | High | 1

CM-6-2 - Configuration Settings

CCE-10591-6 - Use Classic Logon should be properly configured.

CCE-9496-1 - The 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' setting should be configured correctly.

CCE-9014-2 - The 'Shut down the system' user right should be assigned to the appropriate accounts.

CCE-10160-0 - The "Turn Off Registration if URL Connection is Referring to Microsoft.com" setting should be configured correctly.

CCE-9908-5 - The "Prevent Windows Media DRM Internet Access" setting should be configured correctly.

CCE-10496-8 - The "Allow indexing of encrypted files" setting should be configured correctly.

CCE-8973-0 - The 'Interactive logon: Message text for users attempting to log on' setting should be configured correctly.

CCE-9823-6 - The "Turn Off the 'Order Prints' Picture Task" setting should be configured correctly.

CCE-10130-3 - The "ISATAP State" setting for IPv6 should be configured correctly.

CCE-10219-4 - The "Enable/Disable PerfTrack" setting should be configured correctly.

CCE-10103-0 - The 'Always prompt for password upon connection' setting should be configured correctly.

CCE-10553-6 - The "Do not create system restore point when new device driver installed" setting should be configured correctly.

CCE-9319-5 - The 'System objects: Require case insensitivity for non-Windows subsystems' setting should be configured correctly.

CCE-9193-4 - The 'Maximum password age' setting should be configured correctly.

CCE-9375-7 - The 'Domain member: Digitally sign secure channel data (when possible)' setting should be configured correctly.

CCE-10699-7 - The startup type of the Media Center Extenders service should be correct.

CCE-8740-3 - The 'Interactive logon: Message title for users attempting to log on' setting should be configured correctly.

CCE-8431-9 - The 'Create global objects' user right should be assigned to the appropriate accounts.

CCE-9229-6 - The built-in Guest account should be correctly named.

CCE-9396-3 - The 'Restrictions for Unauthenticated RPC clients' setting should be configured correctly.

CCE-9458-1 - The 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)' setting should be configured correctly.

CCE-9048-0 - The 'Increase a process working set' user right should be assigned to the appropriate accounts.

CCE-9254-4 - The 'Create permanent shared objects' user right should be assigned to the appropriate accounts.

CCE-9026-6 - The 'Devices: Prevent users from installing printer drivers' setting should be configured correctly.

CCE Mapping Summary

Plugin | Plugin Name | Severity | Total
1000257 | CCE-8431-9:Create Global Objects | Info | 1
1000254 | CCE-9048-0:Increase a Process Working Set | High | 1
1000250 | CCE-9014-2:Shut Down The System | High | 1
1000222 | CCE-9908-5:Prevent Windows Media DRM Internet Access | High | 1
1000205 | CCE-10496-8:Allow indexing of encrypted files | High | 1
1000198 | CCE-10103-0:Always prompt client for password upon connection | High | 1
1000177 | CCE-10219-4:Enable or disable perftrack | High | 1
1000173 | CCE-9396-3:Restrictions for Unauthenticated RPC clients | High | 1
1000166 | CCE-10591-6:Always Use Classic Logon | High | 1
1000162 | CCE-9823-6:Turn off the 'Order Prints' picture task | High | 1
1000160 | CCE-10160-0:Turn off registration if URL connection is referring to Microsoft.com | High | 1
1000148 | CCE-10553-6:Prevent creation of a system restore point during device activity that would normally prompt creation of a restore point | High | 1
1000140 | CCE-10130-3:ISATAP State | High | 1
1000114 | CCE-10699-7:Media Center Extender | Info | 1
1000105 | CCE-9458-1:MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS) | High | 1
1000100 | CCE-9496-1:MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing) | High | 1
1000088 | CCE-9319-5:System objects: Require case insensitivity for non-Windows subsystems | Info | 1
1000054 | CCE-8740-3:Interactive logon: Message title for users attempting to log on | High | 1
1000053 | CCE-8973-0:Interactive logon: Message text for users attempting to log on | High | 1
1000047 | CCE-9375-7:Domain member: Digitally sign secure channel data (when possible) | Info | 1
1000042 | CCE-9026-6:Devices: Prevent users from installing printer drivers | Info | 1
1000038 | CCE-9229-6:Accounts: Rename guest account | High | 1
1000016 | CCE-9254-4:Create Permanent Shared Objects | Info | 1
1000006 | CCE-9193-4:Maximum Password Age | Info | 1

CM-6-3 - Configuration Settings

CCE-9418-5 - The 'Accounts: Limit local account use of blank passwords to console logon only' setting should be configured correctly.

CCE-10764-9 - The "IP HTTPS" state setting should be configured correctly.

CCE-10140-2 - The 'Turn off Search Companion content file updates' setting should be configured correctly.

CCE-8732-0 - The 'Replace a process level token' user right should be assigned to the appropriate accounts.

CCE-9985-3 - The 'Allow users to connect remotely using Remote Desktop Services' setting should be configured correctly.

CCE-9215-5 - The 'Create a token object' user right should be assigned to the appropriate accounts.

CCE-10811-8 - The "Disable unpacking and installation of gadgets that are not digitally signed" setting should be configured correctly.

CCE-8655-3 - The 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' setting should be configured correctly.

CCE-10059-4 - The "Turn on Responder (RSPNDR) Driver" setting should be configured correctly.

CCE-10500-7 - The "Configure Windows NTP Client\NtpServer" setting should be configured correctly.

CCE-9212-2 - The 'Deny log on as a batch job' user right should be assigned to the appropriate accounts.

CCE-9868-1 - The "Configure Microsoft SpyNet Reporting" setting should be configured correctly.

CCE-9185-0 - The 'Create a pagefile' user right should be assigned to the appropriate accounts.

CCE-8999-5 - The 'Increase scheduling priority' user right should be assigned to the appropriate accounts.

CCE-9344-3 - The 'Microsoft network client: Digitally sign communications (if server agrees)' setting should be configured correctly.

CCE-9534-9 - The 'Require message integrity' option for the 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' setting should be enabled or disabled as appropriate.

CCE-8484-8 - The built-in Administrator account should be correctly named.

CCE-10769-8 - The "Allow remote access to the PnP interface" setting should be configured correctly.

CCE-10759-9 - The "Do not allow Digital Locker to run" setting should be configured correctly.

CCE-9067-0 - The 'Interactive logon: Smart card removal behavior' setting should be configured correctly.

CCE-11252-4 - The "Turn off the communities features" setting should be configured correctly.

CCE-9249-4 - The 'Network access: Do not allow anonymous enumeration of SAM accounts' setting should be configured correctly.

CCE-10714-4 - The setup log maximum size should be configured correctly.

CCE-8806-2 - The 'Network security: LAN Manager authentication level' setting should be configured correctly.

CCE Mapping Summary

Plugin | Plugin Name | Severity | Total
1000251 | CCE-8732-0:Replace A Process Level Token | Info | 1
1000237 | CCE-8655-3:MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing) | High | 1
1000220 | CCE-11252-4:Turn off the communities features | High | 1
1000208 | CCE-9868-1:Configure Microsoft SpyNet Reporting | Info | 1
1000197 | CCE-9985-3:Allow users to connect remotely using Remote Desktop Services | High | 1
1000190 | CCE-10714-4:Maximum Setup Log Size | High | 1
1000186 | CCE-10811-8:Disable unpacking and installation of gadgets that are not digitally signed | High | 1
1000184 | CCE-10759-9:Do not allow digital locker to run | High | 1
1000178 | CCE-10500-7:Configure Windows NTP client | High | 1
1000161 | CCE-10140-2:Turn off Search Companion content file updates | High | 1
1000146 | CCE-10769-8:Allow remote access to the PnP interface | High | 1
1000142 | CCE-10764-9:IP HTTPS | High | 1
1000134 | CCE-10059-4:Turn on Responder (RSPNDR) driver | High | 1
1000081 | CCE-9534-9:Network security: Minimum session security for NTLM SSP based (including secure RPC) clients | High | 1
1000079 | CCE-8806-2:Network security: LAN Manager Authentication Level | High | 1
1000067 | CCE-9249-4:Network access: Do not allow anonymous enumeration of SAM accounts | Info | 1
1000060 | CCE-9344-3:Microsoft network client: Digitally sign communications (if server agrees) | Info | 1
1000058 | CCE-9067-0:Interactive logon: Smart card removal behavior | High | 1
1000037 | CCE-8484-8:Accounts: Rename administrator account | High | 1
1000036 | CCE-9418-5:Accounts: Limit local account use of blank passwords to console logon only | Info | 1
1000024 | CCE-8999-5:Increase Scheduling Priority | Info | 1
1000019 | CCE-9212-2:Deny Logon As A Batch Job | High | 1
1000015 | CCE-9215-5:Create A Token Object | Info | 1
1000014 | CCE-9185-0:Create A Pagefile | Info | 1

CM-6-4 - Configuration Settings

CCE-8937-5 - The 'Network security: Do not store LAN Manager hash value on next password change' setting should be configured correctly.

CCE-8475-6 - The 'Perform volume maintenance tasks' user right should be assigned to the appropriate accounts.

CCE-9123-1 - The 'Domain member: Maximum machine account password age' setting should be configured correctly.

CCE-10623-7 - The "Turn off shell protocol protected mode" setting should be configured correctly.

CCE-9506-7 - User-initiated solicitations for remote assistance (aka the 'Solicited Remote Assistance' setting) should be enabled or disabled as appropriate.

CCE-9910-1 - The startup type of the Homegroup Provider service should be correct.

CCE-8912-8 - The "enforce password history" policy should meet minimum requirements.

CCE-8513-4 - The 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' setting should be configured correctly.

CCE-9857-4 - The "Override the More Gadgets Link" setting should be configured correctly.

CCE-10655-9 - The "Turn off Autoplay for non-volume devices" setting should be configured correctly.

CCE-9121-5 - The 'Network access: Remotely accessible registry paths' setting should be configured correctly.

CCE-9456-5 - The 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default)' setting should be configured correctly.

CCE-10606-2 - The "Troubleshooting: Allow user to access online troubleshooting content on Microsoft servers from the Troubleshooting Control Panel (via Windows Online Troubleshooting Service - WOTS)" setting should be configured correctly.

CCE-10692-2 - The "Do Not Show First Use Dialog Boxes" setting for Windows Media Player should be configured correctly.

CCE-9643-8 - The 'Turn off the "Publish to Web" task for files and folders' setting should be configured correctly.

CCE-8487-1 - The 'Interactive logon: Number of previous logons to cache (in case domain controller is not available)' setting should be configured correctly.

CCE-9419-3 - The 'Profile system performance' user right should be assigned to the appropriate accounts.

CCE-9531-5 - The 'Network access: Allow anonymous SID/Name translation' setting should be configured correctly.

CCE-10165-9 - The "Prevent device metadata retrieval from internet" setting should be configured correctly.

CCE-10166-7 - The 'Do not preserve zone information in file attachments' setting should be configured correctly.

CCE-9730-3 - The 'Password protect the screen saver' setting should be configured correctly.

CCE-9464-9 - The 'Do not display 'Install Updates and Shut Down' option in Shut Down Windows dialog box' setting should be configured correctly.

CCE-9684-2 - The 'Hide mechanisms to remove zone information' setting should be configured correctly.

CCE-9191-8 - The 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' setting should be configured correctly.

CCE Mapping Summary

Plugin | Plugin Name | Severity | Total
1000253 | CCE-9419-3:Profile System Performance | Info | 1
1000228 | CCE-9464-9:Do not display 'Install updates and shut down' option in shut down windows dialog box | High | 1
1000223 | CCE-10692-2:Do Not Show First Use Dialog Boxes | High | 1
1000215 | CCE-10623-7:Turn off shell protocol protected mode | High | 1
1000185 | CCE-9857-4:Override the More Gadgets Link | High | 1
1000182 | CCE-10655-9:Turn off autoplay for non-volume devices | High | 1
1000176 | CCE-10606-2:Troubleshooting: allow user to access online troubleshooting content on Microsoft server from the troubleshooting control panel | High | 1
1000171 | CCE-9506-7:Solicited Remote Assistance | High | 1
1000163 | CCE-9643-8:Turn off the 'Publish to Web' task for files and folders | High | 1
1000149 | CCE-10165-9:Prevent device metadata retrieval from the internet | High | 1
1000113 | CCE-9910-1:Homegroup Provider | High | 1
1000108 | CCE-9456-5:MSS: (TCPMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default) | High | 1
1000101 | CCE-8513-4:MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes | High | 1
1000089 | CCE-9191-8:System objects: Strengthen default permissions of internal system objects | Info | 1
1000077 | CCE-8937-5:Network security: Do not store LAN Manager hash value on next password change | Info | 1
1000072 | CCE-9121-5:Network access: Remotely accessible registry paths | Info | 1
1000066 | CCE-9531-5:Network access: Allow anonymous SID-Name translation | Info | 1
1000055 | CCE-8487-1:Interactive logon: Number of previous logons to cache (in case domain controller is not available) | High | 1
1000049 | CCE-9123-1:Domain member: Maximum machine account password age | Info | 1
1000032 | CCE-8475-6:Perform Volume Maintenance Tasks | Info | 1
1000005 | CCE-8912-8:Enforce Password History | High | 1

CM-6-5 - Configuration Settings

CCE-9068-8 - The 'Adjust memory quotas for a process' user right should be assigned to the appropriate accounts.

CCE-9135-5 - The 'Load and unload device drivers' user right should be assigned to the appropriate accounts.

CCE-8825-2 - The 'Microsoft network server: Digitally sign communications (if client agrees)' setting should be configured correctly.

CCE-9309-6 - The 'Take ownership of files or other objects' user right should be assigned to the appropriate accounts.

CCE-9388-0 - The 'Profile single process' user right should be assigned to the appropriate accounts.

CCE-9919-2 - The "Specify Search Order for device driver source locations" setting should be configured correctly.

CCE-10154-3 - The 'Do not process the run once list' setting should be configured correctly.

CCE-10882-9 - The "Turn off Windows Mail application" setting should be configured correctly.

CCE-10778-9 - The "Prohibit Access of the Windows Connect Now Wizards" setting should be configured correctly.

CCE-9317-9 - The 'Interactive logon: Do not require CTRL+ALT+DEL' setting should be configured correctly.

CCE-10150-1 - The startup type of the Fax service should be correct.

CCE-9387-2 - The 'Domain member: Require strong (Windows 2000 or later) session key' setting should be configured correctly.

CCE Mapping Summary

Plugin | Plugin Name | Severity | Total
1000263 | CCE-9068-8:Adjust Memory Quotas For A Process | Info | 1
1000221 | CCE-10882-9:windows_mail_application_manual_launch_permitted_var | High | 1
1000167 | CCE-10154-3:Do not process the run once list | High | 1
1000150 | CCE-9919-2:Specify search order for device driver source locations | High | 1
1000144 | CCE-10778-9:Prohibit Access of the Windows Connect Now Wizards | High | 1
1000111 | CCE-10150-1:Fax Service | High | 1
1000064 | CCE-8825-2:Microsoft network server: Digitally sign communications (if client agrees) | High | 1
1000052 | CCE-9317-9:Interactive logon: Do not require CTRL+ALT+DEL | High | 1
1000050 | CCE-9387-2:Domain member: Require strong (Windows 2000 or later) session key | Info | 1
1000035 | CCE-9309-6:Take Ownership Of Files Or Other Objects | Info | 1
1000033 | CCE-9388-0:Profile Single Process | Info | 1
1000025 | CCE-9135-5:Load And Unload Device Drivers | Info | 1

CM-7-1 - Least Functionality

CCE-9783-2 - The "Turn on Mapper I/O (LLTDIO) Driver" setting should be configured correctly.

CCE-10591-6 - Use Classic Logon should be properly configured.

CCE-9496-1 - The 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' setting should be configured correctly.

CCE-10183-2 - The 'Prevent the computer from joining a homegroup' setting should be configured correctly.

CCE-8460-8 - The 'Create symbolic links' user right should be assigned to the appropriate accounts.

CCE-9014-2 - The 'Shut down the system' user right should be assigned to the appropriate accounts.

CCE-9196-7 - The 'Network access: Shares that can be accessed anonymously' setting should be configured correctly.

CCE-9908-5 - The "Prevent Windows Media DRM Internet Access" setting should be configured correctly.

CCE-9156-1 - The 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' setting should be configured correctly.

CCE-8714-8 - The 'Accounts: Guest account status' setting should be configured correctly.

CCE-10051-1 - The screen saver should be enabled or disabled as appropriate for the current user.

CCE-8818-7 - The 'Interactive logon: Require Domain Controller authentication to unlock workstation' setting should be configured correctly.

CCE-10311-9 - The startup type of the Parental Controls service should be correct.

CCE-9406-0 - The 'Microsoft network server: Amount of idle time required before suspending session' setting should be configured correctly.

CCE-8612-4 - The 'Change the system time' user right should be assigned to the appropriate accounts.

CCE-9768-3 - The 'Network security: LDAP client signing requirements' setting should be configured correctly.

CCE-9528-1 - The 'Turn off Autoplay' setting should be configured correctly.

CCE-9487-0 - The 'MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted (3 recommended, 5 is default)' setting should be configured correctly.

CCE-9358-3 - The 'Microsoft network server: Disconnect clients when logon hours expire' setting should be configured correctly.

CCE-10527-0 - The default behavior for AutoRun should be properly configured.

CCE-9342-7 - The 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' setting should be configured correctly.

CCE-8591-0 - The time in seconds before the screen saver grace period expires (ScreenSaverGracePeriod) setting should be configured correctly.

CCE-9222-1 - The 'Shutdown: Clear virtual memory pagefile' setting should be configured correctly.

CCE-9026-6 - The 'Devices: Prevent users from installing printer drivers' setting should be configured correctly.

CCE Mapping Summary

Plugin | Plugin Name | Severity | Total
1000259 | CCE-8612-4: Change the System Time | Info | 1
1000250 | CCE-9014-2: Shut Down The System | High | 1
1000247 | CCE-8714-8: accounts_guest_account_status | Info | 1
1000245 | CCE-8460-8: create_symbolic_links | Info | 1
1000239 | CCE-9487-0: MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted (3 recommended, 5 is default) | High | 1
1000222 | CCE-9908-5: Prevent Windows Media DRM Internet Access | High | 1
1000194 | CCE-10183-2: Prevent the computer from joining a Homegroup | High | 1
1000180 | CCE-10527-0: Default behavior for autorun | High | 1
1000166 | CCE-10591-6: Always Use Classic Logon | High | 1
1000133 | CCE-9783-2: Turn on Mapper I/O (LLTDIO) driver | High | 1
1000115 | CCE-10311-9: Parental Controls Service | High | 1
1000107 | CCE-8591-0: MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended) | High | 1
1000100 | CCE-9496-1: MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing) | High | 1
1000099 | CCE-9342-7: MSS: (AutoAdminLogon) Enable Automatic Logon (Not Recommended) | Info | 1
1000086 | CCE-9222-1: Shutdown: Clear Virtual Memory Pagefile | Info | 1
1000080 | CCE-9768-3: Network security: LDAP client signing requirements | Info | 1
1000075 | CCE-9196-7: Network access: Shares that can be accessed anonymously | High | 1
1000068 | CCE-9156-1: Network access: Do not allow anonymous enumeration of SAM accounts and shares | High | 1
1000065 | CCE-9358-3: Microsoft network server: Disconnect clients when logon hours expire | Info | 1
1000062 | CCE-9406-0: Microsoft network server: Amount of idle time required before suspending session | Info | 1
1000057 | CCE-8818-7: Interactive logon: Require Domain Controller authentication to unlock workstation | Info | 1
1000042 | CCE-9026-6: Devices: Prevent users from installing printer drivers | Info | 1

CM-7-2 - Least Functionality

CCE-9418-5 - The 'Accounts: Limit local account use of blank passwords to console logon only' setting should be configured correctly.

CCE-8732-0 - The 'Replace a process level token' user right should be assigned to the appropriate accounts.

CCE-8804-7 - The 'Network security: Allow LocalSystem NULL session fallback' setting should be configured correctly.

CCE-8655-3 - The 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' setting should be configured correctly.

CCE-8973-0 - The 'Interactive logon: Message text for users attempting to log on' setting should be configured correctly.

CCE-10059-4 - The "Turn on Responder (RSPNDR) Driver" setting should be configured correctly.

CCE-10130-3 - The "ISATAP State" setting for IPv6 should be configured correctly.

CCE-8423-6 - The 'Change the time zone' user right should be assigned to the appropriate accounts.

CCE-9096-9 - The 'Network security: Allow Local System to use computer identity for NTLM' setting should be configured correctly.

CCE-10763-1 - The startup type of the NetMeeting Remote Desktop Sharing service should be correct.

CCE-9770-9 - The 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' setting should be configured correctly.

CCE-10219-4 - The "Enable/Disable PerfTrack" setting should be configured correctly.

CCE-10103-0 - The 'Always prompt for password upon connection' setting should be configured correctly.

CCE-10500-7 - The "Configure Windows NTP Client\NtpServer" setting should be configured correctly.

CCE-9344-3 - The 'Microsoft network client: Digitally sign communications (if server agrees)' setting should be configured correctly.

CCE-9193-4 - The 'Maximum password age' setting should be configured correctly.

CCE-9503-4 - The 'Network access: Sharing and security model for local accounts' setting should be configured correctly.

CCE-9540-6 - The 'Network access: Restrict anonymous access to Named Pipes and Shares' setting should be configured correctly.

CCE-9456-5 - The 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default)' setting should be configured correctly.

CCE-8945-8 - The 'Recovery console: Allow floppy copy and access to all drives and all folders' setting should be configured correctly.

CCE-8740-3 - The 'Interactive logon: Message title for users attempting to log on' setting should be configured correctly.

CCE-9458-1 - The 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)' setting should be configured correctly.

CCE-9067-0 - The 'Interactive logon: Smart card removal behavior' setting should be configured correctly.

CCE-9249-4 - The 'Network access: Do not allow anonymous enumeration of SAM accounts' setting should be configured correctly.

CCE Mapping Summary

Plugin | Plugin Name | Severity | Total
1000258 | CCE-8423-6: Change the time zone | Info | 1
1000251 | CCE-8732-0: Replace A Process Level Token | Info | 1
1000242 | CCE-9770-9: Network Security: Allow PKU2U authentication requests to this computer to use online identities | High | 1
1000241 | CCE-8804-7: Network security: Allow LocalSystem NULL session fallback | High | 1
1000240 | CCE-9096-9: Network security: Allow Local System to use computer identity for NTLM | High | 1
1000237 | CCE-8655-3: MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing) | High | 1
1000198 | CCE-10103-0: Always prompt client for password upon connection | High | 1
1000195 | CCE-10763-1: Disable remote desktop sharing | High | 1
1000178 | CCE-10500-7: Configure Windows NTP client | High | 1
1000177 | CCE-10219-4: Enable or disable perftrack | High | 1
1000140 | CCE-10130-3: ISATAP State | High | 1
1000134 | CCE-10059-4: Turn on Responder (RSPNDR) driver | High | 1
1000108 | CCE-9456-5: MSS: (TCPMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default) | High | 1
1000105 | CCE-9458-1: MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS) | High | 1
1000084 | CCE-8945-8: Recovery Console: Allow Floppy Copy and Access to All Drives and All Folders | Info | 1
1000076 | CCE-9503-4: Network access: Sharing and security model for local accounts | Info | 1
1000074 | CCE-9540-6: Network access: Restrict anonymous access to Named Pipes and Shares | Info | 1
1000067 | CCE-9249-4: Network access: Do not allow anonymous enumeration of SAM accounts | Info | 1
1000060 | CCE-9344-3: Microsoft network client: Digitally sign communications (if server agrees) | Info | 1
1000058 | CCE-9067-0: Interactive logon: Smart card removal behavior | High | 1
1000054 | CCE-8740-3: Interactive logon: Message title for users attempting to log on | High | 1
1000053 | CCE-8973-0: Interactive logon: Message text for users attempting to log on | High | 1
1000036 | CCE-9418-5: Accounts: Limit local account use of blank passwords to console logon only | Info | 1
1000006 | CCE-9193-4: Maximum Password Age | Info | 1

CM-7-3 - Least Functionality

CCE-8937-5 - The 'Network security: Do not store LAN Manager hash value on next password change' setting should be configured correctly.

CCE-10661-7 - The startup type of the Bluetooth service should be correct.

CCE-9123-1 - The 'Domain member: Maximum machine account password age' setting should be configured correctly.

CCE-8513-4 - The 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' setting should be configured correctly.

CCE-10655-9 - The "Turn off Autoplay for non-volume devices" setting should be configured correctly.

CCE-8825-2 - The 'Microsoft network server: Digitally sign communications (if client agrees)' setting should be configured correctly.

CCE-10759-9 - The "Do not allow Digital Locker to run" setting should be configured correctly.

CCE-8487-1 - The 'Interactive logon: Number of previous logons to cache (in case domain controller is not available)' setting should be configured correctly.

CCE-10438-0 - The startup type of Microsoft Peer-to-Peer Networking Services should be configured correctly.

CCE-9386-4 - The 'Network access: Remotely accessible registry paths and sub-paths' setting should be configured correctly.

CCE-9736-0 - The 'Require message integrity' option for the 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' setting should be enabled or disabled as appropriate.

CCE-9531-5 - The 'Network access: Allow anonymous SID/Name translation' setting should be configured correctly.

CCE-10778-9 - The "Prohibit Access of the Windows Connect Now Wizards" setting should be configured correctly.

CCE-9707-1 - The 'Shutdown: Allow system to be shut down without having to log on' setting should be configured correctly.

CCE-9317-9 - The 'Interactive logon: Do not require CTRL+ALT+DEL' setting should be configured correctly.
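
Most of the items grouped under CM-7-1, CM-7-2 and CM-7-3 are MSS entries or Security Options that Windows stores as ordinary registry values, so they can be audited locally without a scanner. The script below is an added example, not code from this report or from Tenable: it reads the backing registry value for each listed CCE and compares it with a hardened value. The key paths are the documented locations for these policies; the expected values and ceilings are assumptions taken from common hardening baselines, because the report itself only states that each setting "should be configured correctly". The same pattern applies to the registry-backed items under IA-2 and SC-5-1 later in this chapter.

```powershell
# Added audit helper; not code from the SecurityCenter report or from Tenable.
# Reads the registry values behind the MSS entries and Security Options listed
# under CM-7-1 through CM-7-3 and compares each with a hardened value. The key
# paths are the documented backing store for these policies; the expected values
# are ASSUMPTIONS taken from common hardening baselines, since the report only
# says each setting "should be configured correctly". Read-only; run elevated.

$Winlogon    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$Tcpip       = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$Tcpip6      = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
$Lsa         = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$LanmanSrv   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters'
$PolSystem   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$PolExplorer = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

# Op 'eq': exact match; 'le': numeric ceiling; 'empty': value absent or an empty list.
$Checks = @(
  @{ CCE = 'CCE-9342-7';  Path = $Winlogon;    Name = 'AutoAdminLogon';            Op = 'eq';    Expected = '0' }
  @{ CCE = 'CCE-8591-0';  Path = $Winlogon;    Name = 'ScreenSaverGracePeriod';    Op = 'le';    Expected = 5 }   # report: 0 recommended; 5 is the usual ceiling
  @{ CCE = 'CCE-8818-7';  Path = $Winlogon;    Name = 'ForceUnlockLogon';          Op = 'eq';    Expected = 1 }
  @{ CCE = 'CCE-8487-1';  Path = $Winlogon;    Name = 'CachedLogonsCount';         Op = 'le';    Expected = 4 }
  @{ CCE = 'CCE-9456-5';  Path = $Tcpip;       Name = 'TcpMaxDataRetransmissions'; Op = 'le';    Expected = 3 }
  @{ CCE = 'CCE-9487-0';  Path = $Tcpip6;      Name = 'TcpMaxDataRetransmissions'; Op = 'le';    Expected = 3 }
  @{ CCE = 'CCE-8655-3';  Path = $Tcpip6;      Name = 'DisableIPSourceRouting';    Op = 'eq';    Expected = 2 }
  @{ CCE = 'CCE-9458-1';  Path = $Tcpip;       Name = 'PerformRouterDiscovery';    Op = 'eq';    Expected = 0 }
  @{ CCE = 'CCE-8513-4';  Path = $Tcpip;       Name = 'EnableICMPRedirect';        Op = 'eq';    Expected = 0 }
  @{ CCE = 'CCE-9156-1';  Path = $Lsa;         Name = 'RestrictAnonymous';         Op = 'eq';    Expected = 1 }
  @{ CCE = 'CCE-9249-4';  Path = $Lsa;         Name = 'RestrictAnonymousSAM';      Op = 'eq';    Expected = 1 }
  @{ CCE = 'CCE-8937-5';  Path = $Lsa;         Name = 'NoLMHash';                  Op = 'eq';    Expected = 1 }
  @{ CCE = 'CCE-9418-5';  Path = $Lsa;         Name = 'LimitBlankPasswordUse';     Op = 'eq';    Expected = 1 }
  @{ CCE = 'CCE-9503-4';  Path = $Lsa;         Name = 'ForceGuest';                Op = 'eq';    Expected = 0 }
  @{ CCE = 'CCE-9096-9';  Path = $Lsa;         Name = 'UseMachineId';              Op = 'eq';    Expected = 1 }
  @{ CCE = 'CCE-8804-7';  Path = "$Lsa\MSV1_0"; Name = 'allownullsessionfallback'; Op = 'eq';    Expected = 0 }
  @{ CCE = 'CCE-9770-9';  Path = "$Lsa\pku2u";  Name = 'AllowOnlineID';            Op = 'eq';    Expected = 0 }
  @{ CCE = 'CCE-9768-3';  Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LDAP'; Name = 'LDAPClientIntegrity'; Op = 'eq'; Expected = 1 }
  @{ CCE = 'CCE-9196-7';  Path = $LanmanSrv;   Name = 'NullSessionShares';         Op = 'empty'; Expected = $null }
  @{ CCE = 'CCE-9540-6';  Path = $LanmanSrv;   Name = 'RestrictNullSessAccess';    Op = 'eq';    Expected = 1 }
  @{ CCE = 'CCE-8825-2';  Path = $LanmanSrv;   Name = 'EnableSecuritySignature';   Op = 'eq';    Expected = 1 }
  @{ CCE = 'CCE-9358-3';  Path = $LanmanSrv;   Name = 'enableforcedlogoff';        Op = 'eq';    Expected = 1 }
  @{ CCE = 'CCE-9406-0';  Path = $LanmanSrv;   Name = 'autodisconnect';            Op = 'le';    Expected = 15 }
  @{ CCE = 'CCE-9317-9';  Path = $PolSystem;   Name = 'DisableCAD';                Op = 'eq';    Expected = 0 }
  @{ CCE = 'CCE-9707-1';  Path = $PolSystem;   Name = 'ShutdownWithoutLogon';      Op = 'eq';    Expected = 0 }
  @{ CCE = 'CCE-9528-1';  Path = $PolExplorer; Name = 'NoDriveTypeAutoRun';        Op = 'eq';    Expected = 255 }
  @{ CCE = 'CCE-10527-0'; Path = $PolExplorer; Name = 'NoAutorun';                 Op = 'eq';    Expected = 1 }
)

function Get-CceRegistryState {
    param([hashtable]$Check)
    # Missing keys and values must not throw; an absent value is a finding in itself.
    $key    = Get-Item -LiteralPath $Check.Path -ErrorAction SilentlyContinue
    $actual = if ($key) { $key.GetValue($Check.Name, $null) } else { $null }
    $pass = switch ($Check.Op) {
        'eq'    { ($null -ne $actual) -and ([string]$actual -eq [string]$Check.Expected) }
        'le'    { $n = $actual -as [int]; ($null -ne $n) -and ($n -le [int]$Check.Expected) }
        'empty' { ($null -eq $actual) -or (@($actual | Where-Object { $_ }).Count -eq 0) }
    }
    [pscustomobject]@{
        CCE      = $Check.CCE
        Value    = ($Check.Path -replace '^HKLM:\\', '') + '\' + $Check.Name
        Actual   = if ($null -eq $actual) { '<not set>' } else { [string]($actual -join ';') }
        Expected = if ($Check.Op -eq 'empty') { '<empty>' } else { "$($Check.Op) $($Check.Expected)" }
        # '<not set>' is reported as FAIL on purpose: the OS default then applies,
        # and for most of these entries the default is the weaker state.
        Status   = if ($pass) { 'PASS' } else { 'FAIL' }
    }
}

$Results = foreach ($c in $Checks) { Get-CceRegistryState -Check $c }
$Results | Sort-Object Status, CCE | Format-Table -AutoSize CCE, Status, Value, Actual, Expected
'{0} of {1} checks pass' -f @($Results | Where-Object Status -eq 'PASS').Count, $Results.Count
```

Two caveats when reading the output. A value that is absent is reported as FAIL rather than skipped, because the operating-system default then applies and that default should be confirmed for the Windows version in question rather than assumed safe. And when a domain GPO sets one of these policies, the GPO wins at the next policy refresh, so a local FAIL should be compared with the effective policy (for example from gpresult /h) before the registry value is changed by hand.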

CCE Mapping Summary

Plugin | Plugin Name | Severity | Total
1000184 | CCE-10759-9: Do not allow digital locker to run | High | 1
1000182 | CCE-10655-9: Turn off autoplay for non-volume devices | High | 1
1000144 | CCE-10778-9: Prohibit Access of the Windows Connect Now Wizards | High | 1
1000135 | CCE-10438-0: Turn Off Microsoft Peer-to-Peer Networking Services | High | 1
1000110 | CCE-10661-7: Bluetooth Support Service | High | 1
1000101 | CCE-8513-4: MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes | High | 1
1000085 | CCE-9707-1: Shutdown: Allow System to be Shut Down Without Having to Log On | High | 1
1000082 | CCE-9736-0: Network security: Minimum session security for NTLM SSP based (including secure RPC) servers | High | 1
1000077 | CCE-8937-5: Network security: Do not store LAN Manager hash value on next password change | Info | 1
1000073 | CCE-9386-4: Network access: Remotely accessible registry paths and sub paths | Info | 1
1000066 | CCE-9531-5: Network access: Allow anonymous SID-Name translation | Info | 1
1000064 | CCE-8825-2: Microsoft network server: Digitally sign communications (if client agrees) | High | 1
1000055 | CCE-8487-1: Interactive logon: Number of previous logons to cache (in case domain controller is not available) | High | 1
1000052 | CCE-9317-9: Interactive logon: Do not require CTRL+ALT+DEL | High | 1
1000049 | CCE-9123-1: Domain member: Maximum machine account password age | Info | 1

CP-9 - Information System Backup

CCE-8475-6 - The 'Perform volume maintenance tasks' user right should be assigned to the appropriate accounts.

CCE-9389-8 - The 'Back up files and directories' user right should be assigned to the appropriate accounts.

CCE-9124-9 - The 'Restore files and directories' user right should be assigned to the appropriate accounts.

CCE Mapping Summary

Plugin | Plugin Name | Severity | Total
1000034 | CCE-9124-9: Restore Files And Directories | High | 1
1000032 | CCE-8475-6: Perform Volume Maintenance Tasks | Info | 1
1000013 | CCE-9389-8: Back Up Files and Directories | High | 1

IA-2 - Identification and Authentication (Organizational Users)

CCE-8804-7 - The 'Network security: Allow LocalSystem NULL session fallback' setting should be configured correctly.

CCE-9196-7 - The 'Network access: Shares that can be accessed anonymously' setting should be configured correctly.

CCE-9096-9 - The 'Network security: Allow Local System to use computer identity for NTLM' setting should be configured correctly.

CCE-9407-8 - The 'Act as part of the operating system' user right should be assigned to the appropriate accounts.

CCE-9770-9 - The 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' setting should be configured correctly.

CCE-9239-5 - The 'Deny log on locally' user right should be assigned to the appropriate accounts.

CCE-8936-7 - The 'Network access: Let Everyone permissions apply to anonymous users' setting should be configured correctly.

CCE-9503-4 - The 'Network access: Sharing and security model for local accounts' setting should be configured correctly.

CCE-9672-7 - The 'No auto-restart with logged on users for scheduled automatic updates installations' setting should be configured correctly.

CCE-8807-0 - The 'Recovery console: Allow automatic administrative logon' setting should be configured correctly.

CCE-8811-2 - The 'User Account Control: Admin Approval Mode for the Built-in Administrator account' setting should be configured correctly.

CCE-8813-8 - The 'User Account Control: Behavior of the elevation prompt for standard users' setting should be configured correctly.

CCE-9342-7 - The 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' setting should be configured correctly.

CCE-9244-5 - The 'Deny access to this computer from the network' user right should be assigned to the appropriate accounts.

CCE-9218-9 - The 'Network access: Named Pipes that can be accessed anonymously' setting should be configured correctly.

CCE-8958-1 - The 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' setting should be configured correctly.

CCE Mapping Summary

Plugin | Plugin Name | Severity | Total
1000242 | CCE-9770-9: Network Security: Allow PKU2U authentication requests to this computer to use online identities | High | 1
1000241 | CCE-8804-7: Network security: Allow LocalSystem NULL session fallback | High | 1
1000240 | CCE-9096-9: Network security: Allow Local System to use computer identity for NTLM | High | 1
1000227 | CCE-9672-7: No auto restart with logged on users for scheduled automatic updates installations | High | 1
1000099 | CCE-9342-7: MSS: (AutoAdminLogon) Enable Automatic Logon (Not Recommended) | Info | 1
1000092 | CCE-8813-8: User Account Control: Behavior of the elevation prompt for standard users | High | 1
1000091 | CCE-8958-1: User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode | High | 1
1000090 | CCE-8811-2: User Account Control: Admin Approval Mode for the Built-in Administrator account | High | 1
1000083 | CCE-8807-0: Recovery Console: Allow Automatic Administrative Logon | Info | 1
1000076 | CCE-9503-4: Network access: Sharing and security model for local accounts | Info | 1
1000075 | CCE-9196-7: Network access: Shares that can be accessed anonymously | High | 1
1000071 | CCE-9218-9: Network access: Named Pipes that can be accessed anonymously - netlogon, lsarpc, samr, browser | Info | 1
1000070 | CCE-8936-7: Network access: Let Everyone permissions apply to anonymous users | Info | 1
1000021 | CCE-9239-5: Deny Logon Locally | High | 1
1000018 | CCE-9244-5: Deny Access To This Computer From The Network | High | 1
1000012 | CCE-9407-8: Act As Part Of The Operating System | Info | 1

IA-4 - Identifier Management

CCE-8654-6 - The 'Network access: Do not allow storage of passwords and credentials for network authentication' setting should be configured correctly.

CCE-9249-4 - The 'Network access: Do not allow anonymous enumeration of SAM accounts' setting should be configured correctly.

CCE Mapping Summary

Plugin | Plugin Name | Severity | Total
1000069 | CCE-8654-6: Network access: Do not allow storage of passwords and credentials for network authentication | High | 1
1000067 | CCE-9249-4: Network access: Do not allow anonymous enumeration of SAM accounts | Info | 1

IA-5 - Authenticator Management

CCE-9307-0 - The 'Interactive logon: Prompt user to change password before expiration' setting should be configured correctly.

CCE-9123-1 - The 'Domain member: Maximum machine account password age' setting should be configured correctly.

CCE-9370-8 - The 'Password must meet complexity requirements' policy should be set correctly.

CCE-8912-8 - The "enforce password history" policy should meet minimum requirements.

CCE-9670-1 - The 'Require a Password When a Computer Wakes (Plugged In)' setting should be configured correctly.

CCE-9330-2 - The 'Minimum password age' setting should be configured correctly.

CCE-10090-9 - The 'Do not allow passwords to be saved' setting should be configured correctly.

CCE-9260-1 - The 'Store passwords using reversible encryption' setting should be configured correctly.

CCE-9193-4 - The 'Maximum password age' setting should be configured correctly.

CCE-9098-5 - The 'Deny log on as a service' user right should be assigned to the appropriate accounts.

CCE-9295-7 - The 'Domain member: Disable machine account password changes' setting should be configured correctly.

CCE-9320-3 - The 'Log on as a batch job' user right should be assigned to the appropriate accounts.

CCE-9829-3 - The 'Require a Password When a Computer Wakes (On Battery)' setting should be configured correctly.

CCE-9357-5 - The 'Minimum password length' setting should be configured correctly.

CCE-9730-3 - The 'Password protect the screen saver' setting should be configured correctly.

CCE-9461-5 - The 'Log on as a service' user right should be assigned to the appropriate accounts.
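
The password-policy items above, and the user-right assignments listed under CP-9, IA-2 and IA-5, are not ordinary registry values: they live in the local security database and are read by exporting the effective local policy with secedit.exe. The script below is an added example, not code from this report or from Tenable. It parses the exported INF and checks those items; the thresholds and the allowed principal (BUILTIN\Administrators, S-1-5-32-544) are assumptions taken from common baselines, since the report does not state the required values.

```powershell
# Added example, not part of the SecurityCenter report: exports the effective local
# security policy with secedit.exe and checks the IA-5 password-policy items and
# the user-right assignments listed under CP-9, IA-2 and IA-5. Thresholds and
# allowed principals are ASSUMPTIONS from common baselines. Run elevated.

$inf = Join-Path $env:TEMP ('secpol-{0}.inf' -f [guid]::NewGuid())
& secedit.exe /export /cfg $inf /quiet | Out-Null
if (-not (Test-Path -LiteralPath $inf)) { throw 'secedit export failed; run from an elevated prompt' }

# Parse "[Section]" / "Name = Value" lines into nested hashtables. The export is UTF-16.
$Policy = @{}; $section = ''
foreach ($line in Get-Content -LiteralPath $inf -Encoding Unicode) {
    if ($line -match '^\[(.+)\]\s*$') { $section = $Matches[1]; $Policy[$section] = @{}; continue }
    if ($section -and $line -match '^\s*([^=]+?)\s*=\s*(.*?)\s*$') { $Policy[$section][$Matches[1]] = $Matches[2] }
}
Remove-Item -LiteralPath $inf -Force

# [System Access] holds the account-policy values as plain integers.
$Access = $Policy['System Access']
$PasswordChecks = @(
  @{ CCE = 'CCE-9357-5'; Name = 'MinimumPasswordLength';  Test = { param($v) $v -ge 14 }; Want = '>= 14' }
  @{ CCE = 'CCE-9370-8'; Name = 'PasswordComplexity';     Test = { param($v) $v -eq 1 };  Want = '1' }
  @{ CCE = 'CCE-8912-8'; Name = 'PasswordHistorySize';    Test = { param($v) $v -ge 24 }; Want = '>= 24' }
  @{ CCE = 'CCE-9193-4'; Name = 'MaximumPasswordAge';     Test = { param($v) $v -ge 1 -and $v -le 60 }; Want = '1..60 (-1 = never expires)' }
  @{ CCE = 'CCE-9330-2'; Name = 'MinimumPasswordAge';     Test = { param($v) $v -ge 1 };  Want = '>= 1' }
  @{ CCE = 'CCE-9260-1'; Name = 'ClearTextPassword';      Test = { param($v) $v -eq 0 };  Want = '0' }
  @{ CCE = 'CCE-8714-8'; Name = 'EnableGuestAccount';     Test = { param($v) $v -eq 0 };  Want = '0' }
  @{ CCE = 'CCE-9531-5'; Name = 'LSAAnonymousNameLookup'; Test = { param($v) $v -eq 0 };  Want = '0' }
)

function Test-AccountPolicy {
    param([hashtable]$Check)
    $raw = $Access[$Check.Name]
    $val = $raw -as [int]
    $ok  = ($null -ne $val) -and (& $Check.Test $val)
    [pscustomobject]@{ CCE = $Check.CCE; Setting = $Check.Name; Actual = $raw; Expected = $Check.Want
                       Status = if ($ok) { 'PASS' } else { 'FAIL' } }
}

# [Privilege Rights] lists each right as comma-separated principals; SIDs carry a '*' prefix.
$Rights = $Policy['Privilege Rights']
$Admins = 'S-1-5-32-544'   # BUILTIN\Administrators
$RightChecks = @(
  @{ CCE = 'CCE-9389-8'; Right = 'SeBackupPrivilege';       Allowed = @($Admins) }
  @{ CCE = 'CCE-9124-9'; Right = 'SeRestorePrivilege';      Allowed = @($Admins) }
  @{ CCE = 'CCE-8475-6'; Right = 'SeManageVolumePrivilege'; Allowed = @($Admins) }
  @{ CCE = 'CCE-9407-8'; Right = 'SeTcbPrivilege';          Allowed = @() }        # nobody
  @{ CCE = 'CCE-9320-3'; Right = 'SeBatchLogonRight';       Allowed = @($Admins) }
  @{ CCE = 'CCE-9461-5'; Right = 'SeServiceLogonRight';     Allowed = @() }        # list approved service accounts here
)

function Test-UserRight {
    param([hashtable]$Check)
    $raw      = $Rights[$Check.Right]
    $assigned = if ($raw) { @($raw -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }) } else { @() }
    # Principals beyond the allowed list are surfaced for review rather than
    # auto-failed: a named service account may be legitimate.
    $extra = @($assigned | Where-Object { $Check.Allowed -notcontains $_ })
    [pscustomobject]@{ CCE = $Check.CCE; Right = $Check.Right; Assigned = ($assigned -join ' ')
                       Unexpected = ($extra -join ' '); Status = if ($extra.Count -eq 0) { 'PASS' } else { 'REVIEW' } }
}

$PasswordChecks | ForEach-Object { Test-AccountPolicy -Check $_ } | Format-Table -AutoSize
$RightChecks    | ForEach-Object { Test-UserRight -Check $_ }     | Format-Table -AutoSize
```

A right that secedit does not list at all is assigned to no one, which is why SeTcbPrivilege is expected to be absent. On Windows 8 / Server 2012 and later the OS itself grants 'Log on as a service' to NT SERVICE\ALL SERVICES (S-1-5-80-0), so that right will show REVIEW until the identity is added to its allowed list; on a domain member, the effective values also depend on the account policy applied from the domain, which this local export reflects only after a policy refresh.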

CCE Mapping Summary

Plugin | Plugin Name | Severity | Total
1000196 | CCE-10090-9: Do not allow passwords to be saved | High | 1
1000169 | CCE-9670-1: Require a Password when a Computer Wakes (Plugged) | High | 1
1000168 | CCE-9829-3: Require a Password when a Computer Wakes (On Battery) | High | 1
1000056 | CCE-9307-0: Interactive logon: Prompt user to change password before expiration | High | 1
1000049 | CCE-9123-1: Domain member: Maximum machine account password age | Info | 1
1000048 | CCE-9295-7: Domain member: Disable machine account password changes | Info | 1
1000028 | CCE-9461-5: Log On As A Service | High | 1
1000027 | CCE-9320-3: Log On As A Batch Job | High | 1
1000020 | CCE-9098-5: Deny Logon As A Service | Info | 1
1000010 | CCE-9260-1: Reversible Password Encryption | Info | 1
1000009 | CCE-9370-8: Password Complexity | High | 1
1000008 | CCE-9357-5: Minimum Password Length | High | 1
1000007 | CCE-9330-2: Minimum Password Age | High | 1
1000006 | CCE-9193-4: Maximum Password Age | Info | 1
1000005 | CCE-8912-8: Enforce Password History | High | 1

MP-2 - Media Access

CCE-9440-9 - The 'Devices: Restrict floppy access to locally logged-on user only' setting should be configured correctly.

CCE-9304-7 - The 'Devices: Restrict CD-ROM access to locally logged-on user only' setting should be configured correctly.

CCE Mapping Summary

Plugin | Plugin Name | Severity | Total
1000044 | CCE-9440-9: Devices: Restrict floppy access to locally logged-on user only | High | 1
1000043 | CCE-9304-7: Devices: Restrict CD-ROM access to locally logged-on user only | High | 1

PE-3 - Physical Access Control

CCE-9326-0 - The 'Remove computer from docking station' user right should be assigned to the appropriate accounts.

CCE Mapping Summary

Plugin | Plugin Name | Severity | Total
1000252 | CCE-9326-0: Remove Computer From Docking Station | Info | 1

SC-1 - System and Communications Protection Policy and Procedures

CCE-9358-3 - The 'Microsoft network server: Disconnect clients when logon hours expire' setting should be configured correctly.

CCE Mapping Summary

Plugin | Plugin Name | Severity | Total
1000065 | CCE-9358-3: Microsoft network server: Disconnect clients when logon hours expire | Info | 1

SC-2 - Application Partitioning

CCE-9375-7 - The 'Domain member: Digitally sign secure channel data (when possible)' setting should be configured correctly.

CCE-10606-2 - The "Troubleshooting: Allow user to access online troubleshooting content on Microsoft servers from the Troubleshooting Control Panel (via Windows Online Troubleshooting Service - WOTS)" setting should be configured correctly.

CCE-9953-1 - Installation and Configuration of Network Bridge on the DNS Domain Network should be properly configured.

CCE-9387-2 - The 'Domain member: Require strong (Windows 2000 or later) session key' setting should be configured correctly.

CCE Mapping Summary

Plugin | Plugin Name | Severity | Total
1000176 | CCE-10606-2: Troubleshooting: allow user to access online troubleshooting content on Microsoft server from the troubleshooting control panel | High | 1
1000136 | CCE-9953-1: Prohibit installation and configuration of Network Bridge on your DNS domain network | High | 1
1000050 | CCE-9387-2: Domain member: Require strong (Windows 2000 or later) session key | Info | 1
1000047 | CCE-9375-7: Domain member: Digitally sign secure channel data (when possible) | Info | 1

SC-5-1 - Denial of Service Protection

CCE-9418-5 - The 'Accounts: Limit local account use of blank passwords to console logon only' setting should be configured correctly.

CCE-8937-5 - The 'Network security: Do not store LAN Manager hash value on next password change' setting should be configured correctly.

CCE-9496-1 - The 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' setting should be configured correctly.

CCE-9123-1 - The 'Domain member: Maximum machine account password age' setting should be configured correctly.

CCE-9348-4 - The 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' setting should be configured correctly.

CCE-8655-3 - The 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' setting should be configured correctly.

CCE-8973-0 - The 'Interactive logon: Message text for users attempting to log on' setting should be configured correctly.

CCE-9426-8 - The 'MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds' setting should be configured correctly.

CCE-8513-4 - The 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' setting should be configured correctly.

CCE-8714-8 - The 'Accounts: Guest account status' setting should be configured correctly.

CCE-8818-7 - The 'Interactive logon: Require Domain Controller authentication to unlock workstation' setting should be configured correctly.

CCE-9193-4 - The 'Maximum password age' setting should be configured correctly.

CCE-8825-2 - The 'Microsoft network server: Digitally sign communications (if client agrees)' setting should be configured correctly.

CCE-9456-5 - The 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default)' setting should be configured correctly.

CCE-8487-1 - The 'Interactive logon: Number of previous logons to cache (in case domain controller is not available)' setting should be configured correctly.

CCE-9501-8 - The 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' setting should be configured correctly.

CCE-8740-3 - The 'Interactive logon: Message title for users attempting to log on' setting should be configured correctly.

CCE-9487-0 - The 'MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted (3 recommended, 5 is default)' setting should be configured correctly.

CCE-9358-3 - The 'Microsoft network server: Disconnect clients when logon hours expire' setting should be configured correctly.

CCE-9458-1 - The 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)' setting should be configured correctly.

CCE-9067-0 - The 'Interactive logon: Smart card removal behavior' setting should be configured correctly.

CCE-9342-7 - The 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' setting should be configured correctly.

CCE-9026-6 - The 'Devices: Prevent users from installing printer drivers' setting should be configured correctly.

CCE-8562-1 - The 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' setting should be configured correctly.

CCE Mapping Summary

Plugin  | Plugin Name | Severity | Total
1000247 | CCE-8714-8: accounts_guest_account_status | Info | 1
1000239 | CCE-9487-0: MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted (3 recommended, 5 is default) | High | 1
1000237 | CCE-8655-3: MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing) | High | 1
1000109 | CCE-9501-8: MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning | High | 1
1000108 | CCE-9456-5: MSS: (TCPMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default) | High | 1
1000106 | CCE-9348-4: MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended) | High | 1
1000105 | CCE-9458-1: MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS) | High | 1
1000104 | CCE-8562-1: MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers | High | 1
1000102 | CCE-9426-8: MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds | High | 1
1000101 | CCE-8513-4: MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes | High | 1
1000100 | CCE-9496-1: MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing) | High | 1
1000099 | CCE-9342-7: MSS: (AutoAdminLogon) Enable Automatic Logon (Not Recommended) | Info | 1
1000077 | CCE-8937-5: Network security: Do not store LAN Manager hash value on next password change | Info | 1
1000065 | CCE-9358-3: Microsoft network server: Disconnect clients when logon hours expire | Info | 1
1000064 | CCE-8825-2: Microsoft network server: Digitally sign communications (if client agrees) | High | 1
1000058 | CCE-9067-0: Interactive logon: Smart card removal behavior | High | 1
1000057 | CCE-8818-7: Interactive logon: Require Domain Controller authentication to unlock workstation | Info | 1
1000055 | CCE-8487-1: Interactive logon: Number of previous logons to cache (in case domain controller is not available) | High | 1
1000054 | CCE-8740-3: Interactive logon: Message title for users attempting to log on | High | 1
1000053 | CCE-8973-0: Interactive logon: Message text for users attempting to log on | High | 1
1000049 | CCE-9123-1: Domain member: Maximum machine account password age | Info | 1
1000042 | CCE-9026-6: Devices: Prevent users from installing printer drivers | Info | 1
1000036 | CCE-9418-5: Accounts: Limit local account use of blank passwords to console logon only | Info | 1
1000006 | CCE-9193-4: Maximum Password Age | Info | 1

SC-5-2 - Denial of Service Protection

CCE-8560-5 - The 'MSS: (Hidden) Hide Computer From the Browse List (not recommended except for highly secure environments)' setting should be configured correctly.

CCE-9317-9 - The 'Interactive logon: Do not require CTRL+ALT+DEL' setting should be configured correctly.

CCE Mapping Summary

Plugin  | Plugin Name | Severity | Total
1000238 | CCE-8560-5: MSS: (Hidden) Hide computer from the browse list (Not Recommended except for highly secure environments) | High | 1
1000052 | CCE-9317-9: Interactive logon: Do not require CTRL+ALT+DEL | High | 1

SC-7 - Boundary Protection

CCE-9559-6 - The 'Turn off the Windows Messenger Customer Experience Improvement Program' setting should be configured correctly.

CCE-9842-6 - The "Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider" setting should be configured correctly.

CCE-10266-5 - The "6to4 State" setting should be configured correctly.

CCE-9953-1 - Installation and Configuration of Network Bridge on the DNS Domain Network should be properly configured.

CCE Mapping Summary

Plugin  | Plugin Name | Severity | Total
1000175 | CCE-9842-6: Microsoft support diagnostic tool: turn on msdt interactive communication with support provider | High | 1
1000164 | CCE-9559-6: Turn off the Windows Messenger Customer Experience Improvement Program | High | 1
1000139 | CCE-10266-5: 6to4 State | High | 1
1000136 | CCE-9953-1: Prohibit installation and configuration of Network Bridge on your DNS domain network | High | 1

SC-8 - Transmission Confidentiality and Integrity

CCE-10011-5 - The "Teredo State" setting should be configured correctly.

CCE-9344-3 - The 'Microsoft network client: Digitally sign communications (if server agrees)' setting should be configured correctly.

CCE-9040-7 - The 'Microsoft network server: Digitally sign communications (always)' setting should be configured correctly.

CCE-9327-8 - The 'Microsoft network client: Digitally sign communications (always)' setting should be configured correctly.

CCE-9265-0 - The 'Microsoft network client: Send unencrypted password to third-party SMB servers' setting should be configured correctly.

CCE Mapping Summary

Plugin  | Plugin Name | Severity | Total
1000141 | CCE-10011-5: Teredo State | High | 1
1000063 | CCE-9040-7: Microsoft network server: Digitally sign communications (always) | High | 1
1000061 | CCE-9265-0: Microsoft network client: Send unencrypted password to third-party SMB servers | Info | 1
1000060 | CCE-9344-3: Microsoft network client: Digitally sign communications (if server agrees) | Info | 1
1000059 | CCE-9327-8: Microsoft network client: Digitally sign communications (always) | High | 1

SC-9 - Withdrawn

CCE-9764-2 - The Remote Desktop Services 'Set client connection encryption level' setting should be enabled or disabled as appropriate.

CCE-8503-5 - The 'Microsoft network server: Server SPN target name validation level' setting should be configured correctly.

CCE-10130-3 - The "ISATAP State" setting for IPv6 should be configured correctly.

CCE-9040-7 - The 'Microsoft network server: Digitally sign communications (always)' setting should be configured correctly.

CCE-9251-0 - The 'Domain member: Digitally encrypt secure channel data (when possible)' setting should be configured correctly.

CCE-9532-3 - The 'Network Security: Configure encryption types allowed for Kerberos' setting should be configured correctly.

CCE-9266-8 - The 'System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing' setting should be configured correctly.

CCE-8974-8 - The 'Domain member: Digitally encrypt or sign secure channel data (always)' setting should be configured correctly.

CCE Mapping Summary

Plugin  | Plugin Name | Severity | Total
1000243 | CCE-9532-3: Network Security: Configure encryption types allowed for Kerberos | High | 1
1000236 | CCE-8503-5: Microsoft network server: SPN Target name validation | High | 1
1000199 | CCE-9764-2: Set client connection encryption level | High | 1
1000140 | CCE-10130-3: ISATAP State | High | 1
1000087 | CCE-9266-8: System Cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing | High | 1
1000063 | CCE-9040-7: Microsoft network server: Digitally sign communications (always) | High | 1
1000046 | CCE-9251-0: Domain member: Digitally encrypt secure channel data (when possible) | Info | 1
1000045 | CCE-8974-8: Domain member: Digitally encrypt or sign secure channel data (always) | Info | 1

SI-1 - System and Information Integrity Policy and Procedures

CCE-10441-4 - The "Enable Error Reporting" policy should be set correctly.

CCE-10824-1 - The Windows Error Reporting "Do not send additional data" setting should be configured correctly.

CCE-10709-4 - The Windows Error Reporting "Display Error Notification" setting should be configured correctly.

CCE-10645-0 - The "Turn Off Handwriting Recognition Error Reporting" setting should be configured correctly.

CCE-9914-3 - The "Disable Windows Error Reporting" setting should be configured correctly.

CCE-9901-0 - The "Do not send a Windows Error Report when a generic driver is installed on a device" setting should be configured correctly.

CCE-10658-3 - The "Turn off handwriting personalization data sharing" setting should be configured correctly.

CCE Mapping Summary

Plugin  | Plugin Name | Severity | Total
1000212 | CCE-10824-1: Do Not Send Additional Data | High | 1
1000211 | CCE-10709-4: Display Error Notification | High | 1
1000210 | CCE-9914-3: Disable Windows Error Reporting | High | 1
1000165 | CCE-10441-4: Turn Off Windows Error Reporting | High | 1
1000155 | CCE-10645-0: Turn off handwriting recognition error reporting | High | 1
1000154 | CCE-10658-3: Turn off handwriting personalization data sharing | High | 1
1000147 | CCE-9901-0: Do not send a Windows Error Report when a generic driver is installed on a device | High | 1

SI-2 - Flaw Remediation

CCE-10441-4 - The "Enable Error Reporting" policy should be set correctly.

CCE-10602-1 - The "Disable Media Player for automatic updates" policy should be set correctly.

CCE-10824-1 - The Windows Error Reporting "Do not send additional data" setting should be configured correctly.

CCE-10709-4 - The Windows Error Reporting "Display Error Notification" setting should be configured correctly.

CCE-10205-3 - The 'Reschedule Automatic Updates scheduled installations' setting should be enabled or disabled as appropriate.

CCE-9403-7 - Automatic Updates should be enabled or disabled as appropriate.

CCE-10782-1 - The "Extend Point and Print connection to search Windows Update and use alternate connection if needed" setting should be configured correctly.

CCE-10137-8 - The "Prevent Windows Anytime Upgrade from running" setting should be configured correctly.

CCE-10645-0 - The "Turn Off Handwriting Recognition Error Reporting" setting should be configured correctly.

CCE-9901-0 - The "Do not send a Windows Error Report when a generic driver is installed on a device" setting should be configured correctly.

CCE-9914-3 - The "Disable Windows Error Reporting" setting should be configured correctly.

CCE-10658-3 - The "Turn off handwriting personalization data sharing" setting should be configured correctly.

CCE-9464-9 - The 'Do not display 'Install Updates and Shut Down' option in Shut Down Windows dialog box' setting should be configured correctly.

CCE Mapping Summary

Plugin  | Plugin Name | Severity | Total
1000228 | CCE-9464-9: Do not display 'Install updates and shut down' option in shut down windows dialog box | High | 1
1000226 | CCE-10205-3: Reschedule automatic updates scheduled installation | High | 1
1000225 | CCE-9403-7: Configure automatic updates | High | 1
1000224 | CCE-10602-1: Prevent Automatic Updates | High | 1
1000212 | CCE-10824-1: Do Not Send Additional Data | High | 1
1000211 | CCE-10709-4: Display Error Notification | High | 1
1000210 | CCE-9914-3: Disable Windows Error Reporting | High | 1
1000207 | CCE-10137-8: Prevent Windows anytime upgrade from running | High | 1
1000165 | CCE-10441-4: Turn Off Windows Error Reporting | High | 1
1000155 | CCE-10645-0: Turn off handwriting recognition error reporting | High | 1
1000154 | CCE-10658-3: Turn off handwriting personalization data sharing | High | 1
1000147 | CCE-9901-0: Do not send a Windows Error Report when a generic driver is installed on a device | High | 1
1000145 | CCE-10782-1: Extend point and print connection to search Windows update and use alternate connection if needed | High | 1

SI-3 - Malicious Code Protection

CCE-9289-0 - The 'Lock pages in memory' user right should be assigned to the appropriate accounts.

CCE-10076-8 - The 'Notify antivirus programs when opening attachments' setting should be configured correctly.

CCE-9888-9 - The "Prohibit non-administrators from applying vendor signed updates" setting should be configured correctly.

CCE-9875-6 - The "Set Safe for Scripting" policy should be set correctly.

CCE Mapping Summary

Plugin  | Plugin Name | Severity | Total
1000218 | CCE-9888-9: Prohibit non-administrators from applying vendor signed updates | High | 1
1000216 | CCE-9875-6: Disable IE security prompt for Windows Installer scripts | High | 1
1000026 | CCE-9289-0: Lock Pages In Memory | Info | 1

SI-4 - Information System Monitoring

CCE-10130-3 - The "ISATAP State" setting for IPv6 should be configured correctly.

CCE Mapping Summary

Plugin  | Plugin Name | Severity | Total
1000140 | CCE-10130-3: ISATAP State | High | 1