CIS Microsoft Windows XP Benchmark v3.1.0 (03 Dec 2013) Security Configuration Recommendations Mapped to IEC/TR 80001-2-2 Security Capabilities
15 October 2014
The complete CIS Microsoft Windows XP Benchmark v3.1.0 is freely available for download at: https://benchmarks.cisecurity.org/downloads/show-single/?file=winxp.310
To provide comments/feedback or to learn more about and/or join other CIS/MDISS benchmark mapping efforts in support of healthcare security, please contact: [email protected]
CENTER FOR INTERNET SECURITY (“CIS”) SECURITY BENCHMARKS LICENSE
CIS PROVIDES ACCESS TO CERTAIN OF ITS “PUBLICLY AVAILABLE WORK PRODUCTS” (AS DEFINED HEREIN) THROUGH THE TERMS OF THIS LICENSE; ANY USE OF A PUBLICLY AVAILABLE WORK PRODUCT OTHER THAN AS AUTHORIZED UNDER THIS LICENSE IS PROHIBITED. BY EXERCISING ANY OF THE RIGHTS PROVIDED HEREIN FOR ANY PUBLICLY AVAILABLE WORK PRODUCT, YOU ACCEPT AND AGREE TO BE BOUND BY THE TERMS OF THIS LICENSE. TO THE EXTENT THIS LICENSE MAY BE CONSIDERED A CONTRACT, CIS GRANTS YOU THE RIGHTS CONTAINED HEREIN IN CONSIDERATION OF YOUR ACCEPTANCE OF SUCH TERMS AND CONDITIONS.
1. Definitions: “PUBLICLY AVAILABLE WORK PRODUCT” means each of the consensus-based information security resources, including documents, metrics, suggestions and recommendations produced and made available for public use by CIS in Portable Document Format (PDF). “You” means an individual or entity exercising rights under this License who has not previously violated the terms of this License with respect to any PUBLICLY AVAILABLE WORK PRODUCT, or who has received permission from CIS to exercise rights under this License despite a previous violation. Anyone exercising rights under this License in a manner that will be used by others in an entity, does so on behalf of that entity and the entity will be bound by its terms. “Reproduce” means to make copies of any PUBLICLY AVAILABLE WORK PRODUCT by any means including without limitation by photocopying or storage in digital form or other electronic medium. “Distribute” means to share or make available a copy of any PUBLICLY AVAILABLE WORK PRODUCT (1) within Your organization, including any subsidiaries, parents or other affiliated organizations, and (2) to persons or entities outside Your organization, in each case subject to the terms and conditions of this License.
2. License Grant: Subject to the terms and conditions of this License, CIS hereby grants You a worldwide, royalty-free, non-exclusive, perpetual license to exercise the rights in any PUBLICLY AVAILABLE WORK PRODUCT as set forth below:
• Download, read and/or use each of the PUBLICLY AVAILABLE WORK PRODUCTs,
• Reproduce one or more copies of any PUBLICLY AVAILABLE WORK PRODUCT, and/or
• Distribute any PUBLICLY AVAILABLE WORK PRODUCT.
3. Restrictions:
3.1 Intellectual Property and Rights Reserved. You are not acquiring any title or ownership rights in or to any PUBLICLY AVAILABLE WORK PRODUCT, and full title and all ownership rights to the PUBLICLY AVAILABLE WORK PRODUCTs remain the exclusive property of CIS. All rights to the PUBLICLY AVAILABLE WORK PRODUCTs not expressly granted in this License are hereby reserved.
3.2 You acknowledge and agree that you may not: (1) sublicense any PUBLICLY AVAILABLE WORK PRODUCT; (2) Distribute, re-Distribute, sell, rent, lease or otherwise transfer or exploit any rights to any PUBLICLY AVAILABLE WORK PRODUCT in a manner that is primarily intended for or directed toward commercial advantage or monetary compensation; (3) distort, mutilate, modify or take other derogatory action in relation to any PUBLICLY AVAILABLE WORK PRODUCT that would be prejudicial to CIS’s reputation; (4) remove or alter the copy of this License or any other proprietary notice(s) included in any PUBLICLY AVAILABLE WORK PRODUCT; (5) represent or claim a particular level of compliance or consistency with any PUBLICLY AVAILABLE WORK PRODUCT; or (6) facilitate or otherwise aid other individuals or entities in violating this License.
3.3 Each time You Distribute a PUBLICLY AVAILABLE WORK PRODUCT, CIS offers to the recipient a license to the PUBLICLY AVAILABLE WORK PRODUCT under the same terms and conditions as the license granted to You under this License.
4. Representations, Warranties and Disclaimers:
4.1 PUBLICLY AVAILABLE WORK PRODUCTs Provided As Is. CIS is providing the PUBLICLY AVAILABLE WORK PRODUCTs “as is” and “as available” without: (1) any representations, warranties, or covenants of any kind whatsoever (including the absence of any warranty) regarding: (a) the effect or lack of effect of any PUBLICLY AVAILABLE WORK PRODUCT on the operation or the security of any network, system, device, hardware, software, or any component of any of them, and (b) the accuracy, utility, reliability, timeliness, or completeness of any PUBLICLY AVAILABLE WORK PRODUCT; or (2) the responsibility to make or notify You of any corrections, updates, upgrades, or fixes made to any PUBLICLY AVAILABLE WORK PRODUCT.
4.2 Your Responsibility to Evaluate Risks. You acknowledge and agree that: (1) no network, system, device, hardware, software, or component can be made fully secure; (2) You have the sole responsibility to evaluate the risks and benefits of the PUBLICLY AVAILABLE WORK PRODUCTs to Your particular circumstances and requirements; and (3) CIS is not assuming any of the liabilities associated with Your use of any or all of the PUBLICLY AVAILABLE WORK PRODUCTs.
4.3 CIS Liability. You acknowledge and agree that neither CIS nor any of its employees, officers, directors, agents or other service providers has or will have any liability to You whatsoever (whether based in contract, tort, strict liability or otherwise) for any direct, indirect, incidental, consequential or special damages that arise out of or are connected in any way, directly or indirectly, with Your use of any PUBLICLY AVAILABLE WORK PRODUCT.
4.4 Indemnification. You agree to indemnify, defend, and hold CIS and all of CIS's employees, officers, directors, agents and other service providers harmless from and against any liabilities, costs, and expenses (including reasonable attorneys’ fees) incurred by any of them in connection with Your violation of this License.
5. Termination. This License and the rights granted hereunder will terminate automatically upon any breach by You of the terms of this License. Sections 1, 3, 4, 5 and 6 will survive termination of this License.
6. Miscellaneous:
6.1 Jurisdiction. You acknowledge and agree that: (1) this License will be governed by and construed in accordance with the laws of the State of New York, without regard for conflicts of law principles; (2) any action at law or in equity arising out of or relating to this License shall be filed only in the courts located in the State of New York; and (3) You hereby consent and submit to the personal jurisdiction of such courts for the purposes of litigating any such action.
6.2 U.S. Export Control and Sanctions Laws. Regarding Your use of the PUBLICLY AVAILABLE WORK PRODUCTs with any non-U.S. entity or country, You acknowledge that it is Your responsibility to understand and abide by all U.S. sanctions and export control laws as set from time to time by the U.S. Bureau of Industry and Security (BIS) and the U.S. Office of Foreign Assets Control (OFAC).
6.3 Partial Invalidity. If any provision of this License is invalid or unenforceable under applicable law, it shall not affect the validity or enforceability of the remainder of the terms of this License, and without further action by the parties to this License, such provision shall be reformed to the minimum extent necessary to make sure the provision is valid and enforceable.
6.4 Waiver and Consent. No term or provision of this License shall be deemed waived and no breach consented to unless such waiver or consent is in writing and signed by the party to be charged with such waiver or consent.
6.5 Entire Agreement. This License constitutes the entire agreement between the parties with respect to the PUBLICLY AVAILABLE WORK PRODUCTs licensed herein. There are no understandings, agreements or representations with respect to the PUBLICLY AVAILABLE WORK PRODUCTs not specified herein. CIS shall not be bound by any additional provisions that may appear in any communication from You. This License may not be modified without the mutual written agreement of CIS and You.
Table of Contents
Background, Description and Purpose of the Joint Effort Resulting in this Security Mapping ... 2
1. Complete Mapping of All CIS Microsoft Windows XP Benchmark v3.1.0 Recommendations to All Applicable IEC/TR 80001-2-2 Security Capabilities ... 4
   Table: Total CIS Benchmark Recommendations that Map to Each Applicable IEC/TR 80001-2-2 Security Capability ... 43
   Graph: Total CIS Benchmark Recommendations that Map to Each Applicable IEC/TR 80001-2-2 Security Capability ... 44
2. Mapping of CIS Microsoft Windows XP Benchmark v3.1.0 Recommendations by Each Applicable IEC/TR 80001-2-2 Security Capability
   Automatic logoff (ALOF) ... 45
   Audit controls (AUDT) ... 47
   Authorization (AUTH) ... 51
   Configuration of security features (CNFS) ... 60
   Cyber security product upgrades (CSUP) ... 67
   Data backup and disaster recovery (DTBK) ... 69
   Malware detection/protection (MLDP) ... 70
   Node authentication (NAUT) ... 71
   Person authentication (PAUT) ... 73
   Transmission confidentiality (TXCF) ... 77
   Transmission integrity (TXIG) ... 79
3. Mapping of Scored (Only) CIS Microsoft Windows XP Benchmark v3.1.0 Recommendations to All Applicable IEC/TR 80001-2-2 Security Capabilities ... 81
   Table: Total Scored CIS Benchmark Recommendations that Map to Each Applicable IEC/TR 80001-2-2 Security Capability ... 106
   Graph: Total Scored CIS Benchmark Recommendations that Map to Each Applicable IEC/TR 80001-2-2 Security Capability ... 107
Background, Description and Purpose of the Joint Effort Resulting in this Security Mapping
In August 2013, the Center for Internet Security (CIS) launched a new initiative to develop security configuration guidelines, or benchmarks, for networked medical devices and issued a request for information (RFI) to invite participation. CIS has been helping to build consensus on secure configuration settings across a wide range of information technologies for well over a decade. CIS is now bringing that experience and its industry best practice standards to add value to the cybersecurity of medical devices and healthcare systems wherever possible, without duplicating existing or previous efforts. Soon after the RFI was issued, CIS began coordinating with the Medical Device Innovation, Safety and Security Consortium (MDISS). MDISS is an established leader in the medical device security and safety space, and MDISS agreed to co-lead this initiative. The Council on CyberSecurity (CCS) also came on board in support of this effort, as did other organizations including Albany Medical College, the Association for the Advancement of Medical Instrumentation (AAMI), the College of Healthcare Information Management Executives (CHIME), Underwriters Laboratories (UL), the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) and many other partners. This CIS- and MDISS-led initiative has included many interactive workshops in which subject matter experts from healthcare delivery organizations (HDOs), medical device manufacturers, cybersecurity consultancies and government entities have engaged to identify critical cybersecurity challenges faced by all members of the medical device ecosystem. Various cyber risks and potential mitigations, as well as which entities should be responsible for addressing them, were shared in an open and honest communications environment.
The ideas generated from the workshops and from additional collaboration and consensus-based review and feedback have resulted in two initial resources being made publicly available for free reference and use. One of those resources is this mapping of security configuration recommendations in the CIS Microsoft Windows XP Benchmark v3.1.0 to the Security Capabilities they support (e.g. “Automatic Logoff,” “Authorization,” “Audit Controls”) as prescribed within Part 2-2: Guidance for the disclosure and communication of medical device security needs, risks and controls, a Technical Report (TR) within the International Electrotechnical Commission’s (IEC) 80001-1 standard, Application of Risk Management for IT-Networks Incorporating Medical Devices. A similar mapping between IEC/TR 80001-2-2’s Security Capabilities and the CIS Microsoft Windows 7 Benchmark v2.1.0 is the other first-to-be-published resource resulting from this consensus-based effort. Implementation of applicable CIS Benchmark security configuration recommendations that do not negatively impact patient safety or device effectiveness within an intended use environment may further reduce cybersecurity risk to a medical device. The Healthcare Information and Management Systems Society (HIMSS)/National Electrical Manufacturers Association (NEMA) Manufacturer Disclosure Statement for Medical Device Security (MDS2) form also includes a series of questions specifically based on and grouped by each of the IEC/TR 80001-2-2 Security Capabilities. An HDO may leverage the HIMSS/NEMA MDS2 form by requesting that a device manufacturer from which it is considering procuring one or more medical devices address the form’s Security Capability-based questions for those devices.
This mapping could be leveraged by HDOs as a supplement to the MDS2 form to further inquire into whether a medical device with some form of the Microsoft Windows XP operating system (OS) installed also complies with the IEC/TR 80001-2-2 Security Capability-mapped configuration recommendations of the CIS Microsoft Windows XP Benchmark v3.1.0 provided here. Wherever the OS is not so configured, the HDO could ask the device manufacturer for the rationale supporting such exceptions, to determine whether they are based on competing needs to ensure patient safety and/or device effectiveness. An HDO could also use this guidance post-procurement to ask a medical device manufacturer whether configuration setting updates can be made to any Windows XP-based medical devices already deployed, in order to meet the minimum due diligence level of security prescribed by the CIS Microsoft Windows XP Benchmark v3.1.0. This guide maps the CIS Microsoft Windows XP Benchmark v3.1.0 to the applicable Security Capabilities contained in IEC/TR 80001-2-2, but in effect it is three mappings in one. The first section maps each security configuration recommendation according to the same hierarchical structure as the full CIS Benchmark, which is laid out according to the user interface view in Microsoft’s Group Policy Editor. The next part provides the CIS Benchmark recommendations that map to each applicable IEC/TR 80001-2-2 Security Capability, with the exception of “System and Application Hardening (SAHD),” which is supported by every Benchmark recommendation. The final component of this guide again presents the mapping according to the format of the full CIS Benchmark for Windows XP but includes only those recommendations that are “Scored” in the Benchmark. Most configuration recommendations in a CIS Benchmark are “Scored”; however, a small number are “Not Scored”: these are Benchmark recommendations that still add security value but for which the exact settings are specific to the organizational environment, so a particular setting cannot be generally prescribed. Assessed system/application conformance to a CIS Benchmark is based only on compliance with “Scored” Benchmark recommendations. This voluntary guidance is meant to serve only as a reference document to aid both HDOs and medical device manufacturers. It supports the additional hardening of Microsoft Windows XP OS-based medical devices by providing the associated CIS Benchmark-prescribed mitigations for potential configuration-based vulnerabilities within that OS. A key element of this guidance is that, because it maps setting recommendations from the CIS Benchmark for Windows XP Professional, it is intended for use only with medical devices that are built on some form of the Windows XP OS: full Windows XP Professional, which is licensed specifically for use in embedded systems such as medical devices, or one of the componentized forms of Windows XP Embedded (e.g. Windows XP Embedded Service Pack 3, Windows Embedded Standard 2009). Because Windows XP Embedded is a componentized OS, any number of available Windows XP components may be left out of a medical device if they are not needed to support the functionality and intended use of the device.
This capability to build a version of Windows XP that includes only the OS components that are needed, and none that are not, reduces the total OS footprint, which improves OS security from the outset by minimizing the available attack surface. Therefore, for devices running a Windows XP Embedded OS there may be many security configuration recommendations within this Benchmark that simply do not apply, because the features or services they address were deliberately left out of the Windows XP Embedded image by the medical device manufacturer during development. For any medical device with Windows XP Embedded or some components of Windows XP Embedded installed, it is essential for the individuals responsible for the security, administration, updating and/or servicing of the device to know and understand which components of Windows XP Embedded are included in the OS image, in order to determine which sections/groupings of security configuration recommendations within the CIS Benchmark for Windows XP would and would not apply.
The Way Forward…
Again, this mapping and the guide also being released at this time based on the CIS Microsoft Windows 7 Benchmark v2.1.0 are the first such documents to be published, but if the reception by those in the medical device/healthcare industry is positive and they would like to see other such mappings, then CIS and MDISS, as well as any other prospective partners that would like to join this effort, will look to create other such mapping resources. There are currently over 90 supported CIS Benchmarks, so there are many possible candidates for follow-on mappings to the IEC/TR 80001-2-2 Security Capabilities, including CIS Benchmarks for Microsoft Windows 8 and 8.1, as well as for many types of UNIX/Linux operating systems and even mobile devices such as Google Android and Apple iOS. CIS and MDISS also welcome and appreciate as much constructive feedback on these two initial mappings as possible so that the security value of these resources can be improved going forward. (Please provide comments to [email protected].) All other related ideas are also welcome, such as the development of example use cases for various medical devices (e.g. MRI, CT scanner, portable ultrasound, patient monitoring device) that leverage OSs such as Microsoft Windows XP and Windows 7, or embedded versions derived from them, and are utilized across multiple intended use environments. And by examining newer OSs with support lives running well into the future, such as Microsoft Windows 8/8.1 for embedded devices and their componentized embedded versions, the value proposition of such resources is much more likely to be available earlier in, and even before, the medical device development process. Such mappings could aid in OS configuration decisions as early as possible in the development lifecycle and prior to submission for FDA certification and the follow-on sales cycle and associated pilot testing, etc.
IEC/TR 80001-2-2 Security Capability columns used in the mapping tables: ALOF, AUDT, AUTH, CNFS, CSUP, DTBK, MLDP, NAUT, PAUT, SAHD, TXCF, TXIG. Each row gives the CIS Benchmark recommendation number and section title, an X for each Security Capability the recommendation supports, whether it is Scored or Not Scored, the CIS Benchmark remediation procedure with its Group Policy UI path, the audit procedure, and the CCE-ID.
Alignment Totals (number of recommendations mapped to each Security Capability): ALOF 8, AUDT 27, AUTH 55, CNFS 37, CSUP 8, DTBK 5, MLDP 6, NAUT 12, PAUT 24, SAHD 249, TXCF 8, TXIG 12
1 Computer Configuration
1.1 Windows Settings
1.1.1 Security Settings
1.1.1.1 Local Policies
1.1.1.1.1 User Rights Assignment
1.1.1.1.1.1 Configure 'Deny log on through Terminal Services' X X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny log on through Terminal Services
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization.
CCE-2814-2
1.1.1.1.1.2 Set 'Allow log on locally' to 'Administrators, Users' X X Scored To implement the recommended configuration state, set the following Group Policy setting to Administrators, Users.
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Allow log on locally
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2829-0
1.1.1.1.1.3 Set 'Debug programs' to 'Administrators' X X Scored To implement the recommended configuration state, set the following Group Policy setting to Administrators.
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Debug programs
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2864-7
1.1.1.1.1.4 Configure 'Log on as a service' X X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Log on as a service
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization.
CCE-2948-8
1.1.1.1.1.5 Set 'Perform volume maintenance tasks' to 'Administrators' X X Scored To implement the recommended configuration state, set the following Group Policy setting to Administrators.
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Perform volume maintenance tasks
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2960-3
1.1.1.1.1.6 Set 'Bypass traverse checking' to 'Administrators, Users, Local Service, Network Service' X X Scored To implement the recommended configuration state, set the following Group Policy setting to Administrators, Users, Local Service, Network Service.
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Bypass traverse checking
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2806-8
1. Complete Mapping of All CIS Microsoft Windows XP Benchmark v3.1.0 Recommendations to All Applicable IEC/TR 80001-2-2 Security Capabilities
Complete details on Description, Rationale and Impact for each security configuration recommendation are contained in the full CIS Microsoft Windows XP Benchmark v3.1.0, available at: https://benchmarks.cisecurity.org/downloads/show-single/?file=winxp.310
Table columns: CIS MS Win XP Pro Benchmark v3.1.0 Recommendation # | CIS Benchmark Section Title | IEC/TR 80001-2-2 Security Capabilities (ALOF, AUDT, AUTH, CNFS, CSUP, DTBK, MLDP, NAUT, PAUT, SAHD, TXCF, TXIG) | Scored or Not Scored? | CIS Benchmark Remediation Procedure | CIS Benchmark Audit Procedure | CCE-ID
1.1.1.1.1.7 Configure 'Log on as a batch job' X X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Log on as a batch job
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization.
CCE-2882-9
1.1.1.1.1.8 Configure 'Add workstations to domain' X X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Add workstations to domain
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization.
CCE-2374-7
1.1.1.1.1.9 Set 'Modify firmware environment values' to 'Administrators' X X Scored To implement the recommended configuration state, set the following Group Policy setting to Administrators.
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Modify firmware environment values
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2657-5
1.1.1.1.1.10 Set 'Enable computer and user accounts to be trusted for delegation' to 'No One' X X Scored To implement the recommended configuration state, set the following Group Policy setting to No One.
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Enable computer and user accounts to be trusted for delegation
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2982-7
1.1.1.1.1.11 Set 'Deny log on as a batch job' to 'Guests, Support_388945a0' X X Scored To implement the recommended configuration state, set the following Group Policy setting to Guests, Support_388945a0.
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny log on as a batch job
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2898-5
1.1.1.1.1.12 Configure 'Deny log on as a service' X X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny log on as a service
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization.
CCE-2792-0
1.1.1.1.1.13 Set 'Adjust memory quotas for a process' to 'Administrators, Local Service, Network Service' X X Scored To implement the recommended configuration state, set the following Group Policy setting to Administrators, Local Service, Network Service.
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Adjust memory quotas for a process
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2547-8
1.1.1.1.1.14 Configure 'Create permanent shared objects' X X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Create permanent shared objects
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization.
CCE-1969-5
1.1.1.1.1.15 Set 'Shut down the system' to 'Administrators, Users' X X Scored To implement the recommended configuration state, set the following Group Policy setting to Administrators, Users.
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Shut down the system
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2366-3
1.1.1.1.1.16 Configure 'Back up files and directories' X X X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Back up files and directories
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization.
CCE-2299-6
1.1.1.1.1.17 Configure 'Restore files and directories' X X X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Restore files and directories
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization.
CCE-2847-2
1.1.1.1.1.18 Set 'Take ownership of files or other objects' to 'Administrators'
X X Scored To implement the recommended configuration state, set the following Group Policy setting to Administrators.
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Take ownership of files or other objects
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2021-4
1.1.1.1.1.19 Set 'Profile system performance' to 'Administrators' X X Scored To implement the recommended configuration state, set the following Group Policy setting to Administrators.
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Profile system performance
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2675-7
1.1.1.1.1.20 Configure 'Create a token object' X X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Create a token object
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization.
CCE-2791-2
1.1.1.1.1.21 Set 'Increase scheduling priority' to 'Administrators' X X Scored To implement the recommended configuration state, set the following Group Policy setting to Administrators.
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Increase scheduling priority
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2944-7
1.1.1.1.1.22 Set 'Manage auditing and security log' to 'Administrators' X X X Scored To implement the recommended configuration state, set the following Group Policy setting to Administrators.
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Manage auditing and security log
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2247-5
1.1.1.1.1.23 Set 'Deny log on locally' to 'Guests, Support_388945a0' X X Scored To implement the recommended configuration state, set the following Group Policy setting to Guests, Support_388945a0.
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny log on locally
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2700-3
1.1.1.1.1.24 Set 'Create a pagefile' to 'Administrators' X X Scored To implement the recommended configuration state, set the following Group Policy setting to Administrators.
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Create a pagefile
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2786-2
1.1.1.1.1.25 Set 'Access this computer from the network' to 'Users, Administrators'
X X Scored To implement the recommended configuration state, set the following Group Policy setting to Users, Administrators.
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Access this computer from the network
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2379-6
1.1.1.1.1.26 Set 'Lock pages in memory' to 'No One' X X Scored To implement the recommended configuration state, set the following Group Policy setting to No One.
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Lock pages in memory
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2609-6
1.1.1.1.1.27 Set 'Deny access to this computer from the network' to 'Support_388945a0, Guests'
X X Scored To implement the recommended configuration state, set the following Group Policy setting to Support_388945a0, Guests.
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny access to this computer from the network
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-1978-6
1.1.1.1.1.28 Set 'Generate security audits' to 'Local Service, Network Service'
X X X Scored To implement the recommended configuration state, set the following Group Policy setting to Local Service, Network Service.
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Generate security audits
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2767-2
1.1.1.1.1.29 Configure 'Allow log on through Terminal Services' X X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Allow log on through Terminal Services
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization.
CCE-3004-9
1.1.1.1.1.30 Set 'Impersonate a client after authentication' to 'Administrators, SERVICE, Local Service, Network Service'
X X X Scored To implement the recommended configuration state, set the following Group Policy setting to Administrators, SERVICE, Local Service, Network Service.
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Impersonate a client after authentication
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2737-5
1.1.1.1.1.31 Set 'Replace a process level token' to 'Local Service, Network Service'
X X Scored To implement the recommended configuration state, set the following Group Policy setting to Local Service, Network Service.
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Replace a process level token
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2860-5
1.1.1.1.1.32 Set 'Load and unload device drivers' to 'Administrators' X X Scored To implement the recommended configuration state, set the following Group Policy setting to Administrators.
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Load and unload device drivers
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2446-3
1.1.1.1.1.33 Set 'Act as part of the operating system' to 'No One' X X Scored To implement the recommended configuration state, set the following Group Policy setting to No One.
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Act as part of the operating system
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2167-5
1.1.1.1.1.34 Configure 'Create global objects' X X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Create global objects
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization.
CCE-3107-0
1.1.1.1.1.35 Configure 'Profile single process' X X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Profile single process
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization.
CCE-2807-6
1.1.1.1.1.36 Set 'Force shutdown from a remote system' to 'Administrators'
X X Scored To implement the recommended configuration state, set the following Group Policy setting to Administrators.
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Force shutdown from a remote system
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2886-0
1.1.1.1.1.37 Set 'Change the system time' to 'Administrators' X X Scored To implement the recommended configuration state, set the following Group Policy setting to Administrators.
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Change the system time
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2846-4
1.1.1.1.2 Security Options
1.1.1.1.2.1 Configure 'Domain controller: LDAP server signing requirements' X X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Domain controller: LDAP server signing requirements
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters:ldapserverintegrity
CCE-2551-0
1.1.1.1.2.2 Set 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' to 'Require message integrity,Require message confidentiality,Require NTLMv2 session security,Require 128-bit encryption'
X X X X Scored To implement the recommended configuration state, set the following Group Policy setting to 537395248.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Minimum session security for NTLM SSP based (including secure RPC) servers
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0:NTLMMinServerSec
CCE-2799-5
1.1.1.1.2.3 Configure 'Network access: Restrict anonymous access to Named Pipes and Shares'
X X X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Restrict anonymous access to Named Pipes and Shares
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters:restrictnullsessaccess
CCE-2834-0
1.1.1.1.2.4 Configure 'System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies'
X X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers:AuthenticodeEnabled
CCE-2723-5
1.1.1.1.2.5 Configure 'System cryptography: Force strong key protection for user keys stored on the computer'
X X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\System cryptography: Force strong key protection for user keys stored on the computer
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Cryptography:ForceKeyProtection
CCE-2992-6
1.1.1.1.2.6 Set 'Domain member: Digitally encrypt or sign secure channel data (always)' to 'Enabled'
X X X X Scored To implement the recommended configuration state, set the following Group Policy setting to 1.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Domain member: Digitally encrypt or sign secure channel data (always)
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters:requiresignorseal
CCE-3097-3
1.1.1.1.2.7 Set 'Domain member: Require strong (Windows 2000 or later) session key' to 'Enabled'
X X X Scored To implement the recommended configuration state, set the following Group Policy setting to 1.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Domain member: Require strong (Windows 2000 or later) session key
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters:requirestrongkey
CCE-3151-8
1.1.1.1.2.8 Set 'Domain member: Digitally encrypt secure channel data (when possible)' to 'Enabled'
X X X Scored To implement the recommended configuration state, set the following Group Policy setting to 1.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Domain member: Digitally encrypt secure channel data (when possible)
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters:sealsecurechannel
CCE-7598-6
1.1.1.1.2.9 Set 'Interactive logon: Require Domain Controller authentication to unlock workstation' to 'Enabled'
X X Scored To implement the recommended configuration state, set the following Group Policy setting to 1.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Require Domain Controller authentication to unlock workstation
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon:ForceUnlockLogon
CCE-3172-4
1.1.1.1.2.10 Configure 'Audit: Audit the use of Backup and Restore privilege'
X X X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Audit: Audit the use of Backup and Restore privilege
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa:fullprivilegeauditing
CCE-2955-3
1.1.1.1.2.11 Set 'Accounts: Administrator account status' to 'Disabled' X X Scored To implement the recommended configuration state, set the following Group Policy setting to 0.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Accounts: Administrator account status
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2943-9
1.1.1.1.2.12 Set 'Microsoft network client: Digitally sign communications (always)' to 'Enabled'
X X Scored To implement the recommended configuration state, set the following Group Policy setting to 1.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network client: Digitally sign communications (always)
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters:RequireSecuritySignature
CCE-3027-0
1.1.1.1.2.13 Set 'Network access: Let Everyone permissions apply to anonymous users' to 'Disabled'
X X Scored To implement the recommended configuration state, set the following Group Policy setting to 0.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Let Everyone permissions apply to anonymous users
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa:EveryoneIncludesAnonymous
CCE-3110-4
1.1.1.1.2.14 Set 'Interactive logon: Do not require CTRL+ALT+DEL' to 'Disabled'
X X X Scored To implement the recommended configuration state, set the following Group Policy setting to 0.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Do not require CTRL+ALT+DEL
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System:DisableCAD
CCE-2891-0
1.1.1.1.2.15 Set 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' to 'Enabled'
X X X Scored To implement the recommended configuration state, set the following Group Policy setting to 1.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager:SafeDllSearchMode
CCE-2841-5
1.1.1.1.2.16 Set 'Network access: Do not allow anonymous enumeration of SAM accounts' to 'Enabled'
X X Scored To implement the recommended configuration state, set the following Group Policy setting to 1.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Do not allow anonymous enumeration of SAM accounts
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa:RestrictAnonymousSAM
CCE-2147-7
1.1.1.1.2.17 Set 'Domain member: Digitally sign secure channel data (when possible)' to 'Enabled'
X X X Scored To implement the recommended configuration state, set the following Group Policy setting to 1.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Domain member: Digitally sign secure channel data (when possible)
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters:signsecurechannel
CCE-3000-7
1.1.1.1.2.18 Set 'Domain member: Maximum machine account password age' to '30'
X X Scored To implement the recommended configuration state, set the following Group Policy setting to 30.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Domain member: Maximum machine account password age
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-3018-9
1.1.1.1.2.19 Configure 'System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing'
X X X X Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa:FIPSAlgorithmPolicy
CCE-3084-1
1.1.1.1.2.20 Set 'Microsoft network client: Send unencrypted password to third-party SMB servers' to 'Disabled'
X X X X Scored To implement the recommended configuration state, set the following Group Policy setting to 0.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network client: Send unencrypted password to third-party SMB servers
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters:EnablePlainTextPassword
CCE-3049-4
1.1.1.1.2.21 Set 'Interactive logon: Number of previous logons to cache (in case domain controller is not available)' to '2'
X X Scored To implement the recommended configuration state, set the following Group Policy setting to 2.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Number of previous logons to cache (in case domain controller is not available)
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon:cachedlogonscount
CCE-3106-2
1.1.1.1.2.22 Set 'Domain member: Disable machine account password changes' to 'Disabled'
X X Scored To implement the recommended configuration state, set the following Group Policy setting to 0.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Domain member: Disable machine account password changes
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters:disablepasswordchange
CCE-2313-5
1.1.1.1.2.23 Set 'Network access: Sharing and security model for local accounts' to 'Classic - local users authenticate as themselves'
X X X Scored To implement the recommended configuration state, set the following Group Policy setting to 0.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Sharing and security model for local accounts
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa:ForceGuest
CCE-3058-5
1.1.1.1.2.24 Set 'Network access: Allow anonymous SID/Name translation' to 'Disabled'
X X Scored To implement the recommended configuration state, set the following Group Policy setting to False.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Allow anonymous SID/Name translation
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2973-6
1.1.1.1.2.25 Configure 'MSS: (SynAttackProtect) Syn attack protection level (protects against DoS)'
X X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\MSS: (SynAttackProtect) Syn attack protection level (protects against DoS)
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters:SynAttackProtect
CCE-2916-5
1.1.1.1.2.26 Set 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' to 'Enabled'
X X Scored To implement the recommended configuration state, set the following Group Policy setting to 1.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Do not allow anonymous enumeration of SAM accounts and shares
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa:RestrictAnonymous
CCE-2804-3
1.1.1.1.2.27 Configure 'Domain controller: Allow server operators to schedule tasks'
X X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Domain controller: Allow server operators to schedule tasks
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa:SubmitControl
CCE-2968-6
1.1.1.1.2.28 Set 'Network access: Shares that can be accessed anonymously' to 'comcfg, dfs$'
X X X Scored To implement the recommended configuration state, set the following Group Policy setting to comcfg, dfs$.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Shares that can be accessed anonymously
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters:NullSessionShares
CCE-3036-1
1.1.1.1.2.29 Set 'Network security: LAN Manager authentication level' to 'Send NTLMv2 response only. Refuse LM & NTLM'
X X Scored To implement the recommended configuration state, set the following Group Policy setting to 5.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network security: LAN Manager authentication level
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa:LmCompatibilityLevel
CCE-2926-4
1.1.1.1.2.30 Configure 'MSS: (DisableSavePassword) Prevent the dial-up password from being saved (recommended)'
X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\MSS: (DisableSavePassword) Prevent the dial-up password from being saved (recommended)
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters:DisableSavePassword
CCE-2444-8
1.1.1.1.2.31 Set 'Network access: Remotely accessible registry paths and sub-paths' as recommended
X X Scored To implement the recommended configuration state, set the following Group Policy setting to this list of paths:
System\CurrentControlSet\Control\ProductOptions
System\CurrentControlSet\Control\Print\Printers
System\CurrentControlSet\Control\Server Applications
System\CurrentControlSet\Services\Eventlog
Software\Microsoft\OLAP Server
Software\Microsoft\Windows NT\CurrentVersion
System\CurrentControlSet\Control\ContentIndex
System\CurrentControlSet\Control\Terminal Server
System\CurrentControlSet\Control\Terminal Server\UserConfig
System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Remotely accessible registry paths and sub-paths
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths:Machine
CCE-3155-9
1.1.1.1.2.32 Set 'Microsoft network server: Amount of idle time required before suspending session' to '15'
X X Scored To implement the recommended configuration state, set the following Group Policy setting to 15.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network server: Amount of idle time required before suspending session
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters:autodisconnect
CCE-3157-5
1.1.1.1.2.33 Configure 'Audit: Audit the access of global system objects' X X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
!Computer ConfigurationWindows SettingsSecurity SettingsLocal PoliciesSecurity OptionsAudit: Audit the access of global system objects
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
!HKEY_LOCAL_MACHINESystemCurrentControlSetControlLsa:AuditBaseObjects
CCE-3162-5
1.1.1.1.2.34 Set 'Shutdown: Clear virtual memory pagefile' to 'Disabled' X Scored To implement the recommended configuration state, set the following Group Policy setting to 0.
!Computer ConfigurationWindows SettingsSecurity SettingsLocal PoliciesSecurity OptionsShutdown: Clear virtual memory pagefile
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
!HKEY_LOCAL_MACHINESystemCurrentControlSetControlSession ManagerMemory Management:ClearPageFileAtShutdown
CCE-3128-6
1.1.1.1.2.35 Set 'Accounts: Limit local account use of blank passwords to console logon only' to 'Enabled'
X X Scored To implement the recommended configuration state, set the following Group Policy setting to 1.
!Computer ConfigurationWindows SettingsSecurity SettingsLocal PoliciesSecurity OptionsAccounts: Limit local account use of blank passwords to console logon only
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
!HKEY_LOCAL_MACHINESystemCurrentControlSetControlLsa:LimitBlankPasswordUse
CCE-2344-0
1.1.1.1.2.36 Set 'Devices: Unsigned driver installation behavior' to 'Warn but allow installation'
Capabilities (IEC/TR 80001-2-2): X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 01.
  Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Devices: Unsigned driver installation behavior
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\Software\Microsoft\Driver Signing:Policy
CCE-ID: CCE-3085-8

1.1.1.1.2.37 Set 'System objects: Default owner for objects created by members of the Administrators group' to 'Object creator'
Capabilities (IEC/TR 80001-2-2): X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 1.
  Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\System objects: Default owner for objects created by members of the Administrators group
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa:nodefaultadminowner
CCE-ID: CCE-2842-3

1.1.1.1.2.38 Set 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' to 'Highest protection, source routing is completely disabled'
Capabilities (IEC/TR 80001-2-2): X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 2.
  Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters:DisableIPSourceRouting
CCE-ID: CCE-3132-8

1.1.1.1.2.39 Set 'Microsoft network client: Digitally sign communications (if server agrees)' to 'Enabled'
Capabilities (IEC/TR 80001-2-2): X X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 1.
  Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network client: Digitally sign communications (if server agrees)
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters:EnableSecuritySignature
CCE-ID: CCE-2802-7

1.1.1.1.2.40 Set 'Interactive logon: Do not display last user name' to 'Enabled'
Capabilities (IEC/TR 80001-2-2): X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 1.
  Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Do not display last user name
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System:DontDisplayLastUserName
CCE-ID: CCE-2930-6

1.1.1.1.2.41 Configure 'Network access: Named Pipes that can be accessed anonymously'
Capabilities (IEC/TR 80001-2-2): X X | Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
  Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Named Pipes that can be accessed anonymously
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters:NullSessionPipes
CCE-ID: CCE-3150-0
1.1.1.1.2.42 Configure 'Network security: Force logoff when logon hours expire'
Capabilities (IEC/TR 80001-2-2): X X | Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
  Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Force logoff when logon hours expire
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization.
CCE-ID: CCE-3139-3

1.1.1.1.2.43 Set 'Interactive logon: Smart card removal behavior' to 'Lock Workstation'
Capabilities (IEC/TR 80001-2-2): X X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 1.
  Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Smart card removal behavior
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon:scremoveoption
CCE-ID: CCE-3133-6

1.1.1.1.2.44 Set 'Network security: Do not store LAN Manager hash value on next password change' to 'Enabled'
Capabilities (IEC/TR 80001-2-2): X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 1.
  Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Do not store LAN Manager hash value on next password change
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa:NoLMHash
CCE-ID: CCE-2993-4

1.1.1.1.2.45 Set 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' to 'Require message integrity, Require message confidentiality, Require NTLMv2 session security, Require 128-bit encryption'
Capabilities (IEC/TR 80001-2-2): X X X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 537395248.
  Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Minimum session security for NTLM SSP based (including secure RPC) clients
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0:NTLMMinClientSec
CCE-ID: CCE-3156-7

1.1.1.1.2.46 Set 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' to 'Disabled'
Capabilities (IEC/TR 80001-2-2): X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 0.
  Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon:AutoAdminLogon
CCE-ID: CCE-2776-3

1.1.1.1.2.47 Configure 'MSS: (TcpMaxConnectResponseRetransmissions) SYN-ACK retransmissions when a connection request is not acknowledged'
Capabilities (IEC/TR 80001-2-2): X | Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
  Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\MSS: (TcpMaxConnectResponseRetransmissions) SYN-ACK retransmissions when a connection request is not acknowledged
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters:TcpMaxConnectResponseRetransmissions
CCE-ID: CCE-2213-7
1.1.1.1.2.48 Set 'Network access: Do not allow storage of credentials or .NET Passports for network authentication' to 'Enabled'
Capabilities (IEC/TR 80001-2-2): X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 1.
  Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Do not allow storage of credentials or .NET Passports for network authentication
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa:DisableDomainCreds
CCE-ID: CCE-3088-2

1.1.1.1.2.49 Set 'Microsoft network server: Digitally sign communications (always)' to 'Enabled'
Capabilities (IEC/TR 80001-2-2): X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 1.
  Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network server: Digitally sign communications (always)
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters:requiresecuritysignature
CCE-ID: CCE-3053-6

1.1.1.1.2.50 Set 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' to '90'
Capabilities (IEC/TR 80001-2-2): X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 90.
  Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security:WarningLevel
CCE-ID: CCE-3061-9

1.1.1.1.2.51 Configure 'Microsoft network server: Disconnect clients when logon hours expire'
Capabilities (IEC/TR 80001-2-2): X X | Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
  Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network server: Disconnect clients when logon hours expire
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters:enableforcedlogoff
CCE-ID: CCE-2692-2

1.1.1.1.2.52 Configure 'Interactive logon: Message title for users attempting to log on'
Capabilities (IEC/TR 80001-2-2): X | Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
  Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Message title for users attempting to log on
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System:LegalNoticeCaption
CCE-ID: CCE-2573-4

1.1.1.1.2.53 Configure 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default)'
Capabilities (IEC/TR 80001-2-2): X | Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
  Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default)
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters:TcpMaxDataRetransmissions
CCE-ID: CCE-2239-2
1.1.1.1.2.54 Set 'Accounts: Guest account status' to 'Disabled'
Capabilities (IEC/TR 80001-2-2): X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 0.
  Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Accounts: Guest account status
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-ID: CCE-3040-3

1.1.1.1.2.55 Set 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' to 'Enabled'
Capabilities (IEC/TR 80001-2-2): X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 1.
  Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager:ProtectionMode
CCE-ID: CCE-3005-6

1.1.1.1.2.56 Set 'Devices: Prevent users from installing printer drivers' to 'Enabled'
Capabilities (IEC/TR 80001-2-2): X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 1.
  Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Devices: Prevent users from installing printer drivers
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers:AddPrinterDrivers
CCE-ID: CCE-2789-6

1.1.1.1.2.57 Set 'Devices: Allowed to format and eject removable media' to 'Administrators and Interactive Users'
Capabilities (IEC/TR 80001-2-2): X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 2.
  Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Devices: Allowed to format and eject removable media
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon:AllocateDASD
CCE-ID: CCE-3111-2

1.1.1.1.2.58 Configure 'Recovery console: Allow floppy copy and access to all drives and all folders'
Capabilities (IEC/TR 80001-2-2): X X | Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
  Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Recovery console: Allow floppy copy and access to all drives and all folders
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole:setcommand
CCE-ID: CCE-2957-9

1.1.1.1.2.59 Configure 'Interactive logon: Message text for users attempting to log on'
Capabilities (IEC/TR 80001-2-2): X | Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
  Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Message text for users attempting to log on
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System:LegalNoticeText
CCE-ID: CCE-2472-9

1.1.1.1.2.60 Set 'Audit: Shut down system immediately if unable to log security audits' to 'Disabled'
Capabilities (IEC/TR 80001-2-2): X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 0.
  Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Audit: Shut down system immediately if unable to log security audits
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa:crashonauditfail
CCE-ID: CCE-2851-4
1.1.1.1.2.61 Set 'Network security: LDAP client signing requirements' to 'Negotiate signing'
Capabilities (IEC/TR 80001-2-2): X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 1.
  Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network security: LDAP client signing requirements
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP:LDAPClientIntegrity
CCE-ID: CCE-2991-8

1.1.1.1.2.62 Configure 'Interactive logon: Require smart card'
Capabilities (IEC/TR 80001-2-2): X X | Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
  Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Require smart card
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System:scforceoption
CCE-ID: CCE-3186-4

1.1.1.1.2.63 Set 'System objects: Require case insensitivity for non-Windows subsystems' to 'Enabled'
Capabilities (IEC/TR 80001-2-2): X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 1.
  Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\System objects: Require case insensitivity for non-Windows subsystems
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel:ObCaseInsensitive
CCE-ID: CCE-2987-6

1.1.1.1.2.64 Set 'Interactive logon: Prompt user to change password before expiration' to '14'
Capabilities (IEC/TR 80001-2-2): X X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 14.
  Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Prompt user to change password before expiration
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon:passwordexpirywarning
CCE-ID: CCE-2701-1

1.1.1.1.2.65 Set 'Microsoft network server: Digitally sign communications (if client agrees)' to 'Enabled'
Capabilities (IEC/TR 80001-2-2): X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 1.
  Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network server: Digitally sign communications (if client agrees)
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters:enablesecuritysignature
CCE-ID: CCE-2688-0

1.1.1.1.2.66 Set 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' to '0'
Capabilities (IEC/TR 80001-2-2): X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 0.
  Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon:ScreenSaverGracePeriod
CCE-ID: CCE-2980-1
1.1.1.1.2.67 Configure 'Shutdown: Allow system to be shut down without having to log on'
Capabilities (IEC/TR 80001-2-2): X X | Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
  Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Shutdown: Allow system to be shut down without having to log on
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System:ShutdownWithoutLogon
CCE-ID: CCE-2983-5

1.1.1.1.2.68 Set 'Recovery console: Allow automatic administrative logon' to 'Disabled'
Capabilities (IEC/TR 80001-2-2): X X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 0.
  Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Recovery console: Allow automatic administrative logon
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole:securitylevel
CCE-ID: CCE-2935-5

1.1.1.1.3 Audit Policy

1.1.1.1.3.1 Set 'Audit account logon events' to 'Success, Failure'
Capabilities (IEC/TR 80001-2-2): X X | Not Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Success, Failure.
  Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit account logon events
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-ID: CCE-2867-0

1.1.1.1.3.2 Configure 'Audit object access'
Capabilities (IEC/TR 80001-2-2): X X | Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
  Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit object access
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization.
CCE-ID: CCE-2259-0

1.1.1.1.3.3 Configure 'Audit directory service access'
Capabilities (IEC/TR 80001-2-2): X X | Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
  Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit directory service access
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization.
CCE-ID: CCE-2933-0

1.1.1.1.3.4 Set 'Audit process tracking' to 'No Auditing'
Capabilities (IEC/TR 80001-2-2): X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to No Auditing.
  Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit process tracking
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-ID: CCE-2816-7

1.1.1.1.3.5 Set 'Audit privilege use' to 'Failure'
Capabilities (IEC/TR 80001-2-2): X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Failure.
  Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit privilege use
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-ID: CCE-2913-2
1.1.1.1.3.6 Set 'Audit account management' to 'Success, Failure'
Capabilities (IEC/TR 80001-2-2): X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Success, Failure.
  Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit account management
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-ID: CCE-2902-5

1.1.1.1.3.7 Set 'Audit policy change' to 'Success'
Capabilities (IEC/TR 80001-2-2): X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Success.
  Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit policy change
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-ID: CCE-2971-0

1.1.1.1.3.8 Set 'Audit system events' to 'Success'
Capabilities (IEC/TR 80001-2-2): X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Success.
  Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit system events
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-ID: CCE-2878-7

1.1.1.1.3.9 Set 'Audit logon events' to 'Success, Failure'
Capabilities (IEC/TR 80001-2-2): X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Success, Failure.
  Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit logon events
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-ID: CCE-2100-6

1.1.1.2 Event Log

1.1.1.2.1 Set 'Maximum application log size' to '16384'
Capabilities (IEC/TR 80001-2-2): X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 16384.
  Computer Configuration\Windows Settings\Security Settings\Event Log\Maximum application log size
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-ID: CCE-2904-1

1.1.1.2.2 Configure 'Retain application log'
Capabilities (IEC/TR 80001-2-2): X X | Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
  Computer Configuration\Windows Settings\Security Settings\Event Log\Retain application log
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization.
CCE-ID: CCE-3019-7

1.1.1.2.3 Configure 'Retain security log'
Capabilities (IEC/TR 80001-2-2): X X | Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
  Computer Configuration\Windows Settings\Security Settings\Event Log\Retain security log
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization.
CCE-ID: CCE-2966-0

1.1.1.2.4 Configure 'Retain system log'
Capabilities (IEC/TR 80001-2-2): X X | Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
  Computer Configuration\Windows Settings\Security Settings\Event Log\Retain system log
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization.
CCE-ID: CCE-2050-3
1.1.1.2.5 Set 'Maximum system log size' to '16384' | Capabilities: X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 16384.
  Computer Configuration\Windows Settings\Security Settings\Event Log\Maximum system log size
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-ID: CCE-3006-4

1.1.1.2.6 Set 'Prevent local guests group from accessing security log' to 'Enabled' | Capabilities: X X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to True.
  Computer Configuration\Windows Settings\Security Settings\Event Log\Prevent local guests group from accessing security log
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-ID: CCE-2794-6

1.1.1.2.7 Set 'Retention method for security log' to 'Overwrites events as needed' | Capabilities: X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to WhenNeeded.
  Computer Configuration\Windows Settings\Security Settings\Event Log\Retention method for security log
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-ID: CCE-2336-6

1.1.1.2.8 Set 'Retention method for application log' to 'Overwrites events as needed' | Capabilities: X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to WhenNeeded.
  Computer Configuration\Windows Settings\Security Settings\Event Log\Retention method for application log
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-ID: CCE-3014-8

1.1.1.2.9 Set 'Maximum security log size' to '81920' | Capabilities: X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 81920.
  Computer Configuration\Windows Settings\Security Settings\Event Log\Maximum security log size
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-ID: CCE-2693-0

1.1.1.2.10 Set 'Prevent local guests group from accessing application log' to 'Enabled' | Capabilities: X X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to True.
  Computer Configuration\Windows Settings\Security Settings\Event Log\Prevent local guests group from accessing application log
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-ID: CCE-2116-2

1.1.1.2.11 Set 'Prevent local guests group from accessing system log' to 'Enabled' | Capabilities: X X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to True.
  Computer Configuration\Windows Settings\Security Settings\Event Log\Prevent local guests group from accessing system log
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-ID: CCE-2345-7

1.1.1.2.12 Set 'Retention method for system log' to 'Overwrites events as needed' | Capabilities: X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to WhenNeeded.
  Computer Configuration\Windows Settings\Security Settings\Event Log\Retention method for system log
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-ID: CCE-2777-1
1.1.1.3 System Services

1.1.1.3.1 Configure 'Shell Hardware Detection' | Capabilities: X | Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
  Computer Configuration\Windows Settings\Security Settings\System Services\Shell Hardware Detection
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\ShellHWDetection:Start
CCE-ID: CCE-00000-0

1.1.1.3.2 Configure 'Human Interface Device Access' | Capabilities: X | Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
  Computer Configuration\Windows Settings\Security Settings\System Services\Human Interface Device Access
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\hidserv:Start
CCE-ID: CCE-00000-0

1.1.1.3.3 Configure 'Distributed Link Tracking Client' | Capabilities: X | Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
  Computer Configuration\Windows Settings\Security Settings\System Services\Distributed Link Tracking Client
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\TrkWks:Start
CCE-ID: CCE-00000-0

1.1.1.3.4 Configure 'Telephony' | Capabilities: X | Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
  Computer Configuration\Windows Settings\Security Settings\System Services\Telephony
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\TapiSrv:Start
CCE-ID: CCE-00000-0

1.1.1.3.5 Configure 'Network Connections' | Capabilities: X | Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
  Computer Configuration\Windows Settings\Security Settings\System Services\Network Connections
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Netman:Start
CCE-ID: CCE-00000-0

1.1.1.3.6 Configure 'SNMP Trap' | Capabilities: X | Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
  Computer Configuration\Windows Settings\Security Settings\System Services\SNMP Trap
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SNMPTRAP:Start
CCE-ID: CCE-00000-0

1.1.1.3.7 Configure 'Distributed Transaction Coordinator' | Capabilities: X | Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
  Computer Configuration\Windows Settings\Security Settings\System Services\Distributed Transaction Coordinator
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\MSDTC:Start
CCE-ID: CCE-00000-0
1.1.1.3.8 Configure 'WMI Performance Adapter' | Capabilities: X | Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
  Computer Configuration\Windows Settings\Security Settings\System Services\WMI Performance Adapter
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\wmiApSrv:Start
CCE-ID: CCE-00000-0

1.1.1.3.9 Set 'Computer Browser' to 'Disabled' | Capabilities: X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 4.
  Computer Configuration\Windows Settings\Security Settings\System Services\Computer Browser
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Browser:Start
CCE-ID: CCE-00000-0

1.1.1.3.10 Configure 'Microsoft Software Shadow Copy Provider' | Capabilities: X | Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
  Computer Configuration\Windows Settings\Security Settings\System Services\Microsoft Software Shadow Copy Provider
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\swprv:Start
CCE-ID: CCE-00000-0

1.1.1.3.11 Configure 'Workstation' | Capabilities: X | Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
  Computer Configuration\Windows Settings\Security Settings\System Services\Workstation
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\LanmanWorkstation:Start
CCE-ID: CCE-00000-0

1.1.1.3.12 Configure 'Remote Access Auto Connection Manager' | Capabilities: X | Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
  Computer Configuration\Windows Settings\Security Settings\System Services\Remote Access Auto Connection Manager
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\RasAuto:Start
CCE-ID: CCE-00000-0

1.1.1.3.13 Configure 'Print Spooler' | Capabilities: X | Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
  Computer Configuration\Windows Settings\Security Settings\System Services\Print Spooler
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Spooler:Start
CCE-ID: CCE-00000-0

1.1.1.3.14 Configure 'Performance Logs & Alerts' | Capabilities: X | Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
  Computer Configuration\Windows Settings\Security Settings\System Services\Performance Logs & Alerts
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\sysmonlog:Start
CCE-ID: CCE-00000-0
1.1.1.3.15 Configure 'TCP/IP NetBIOS Helper' | Capabilities: X | Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
  Computer Configuration\Windows Settings\Security Settings\System Services\TCP/IP NetBIOS Helper
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\lmhosts:Start
CCE-ID: CCE-00000-0

1.1.1.3.16 Configure 'Background Intelligent Transfer Service' | Capabilities: X | Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
  Computer Configuration\Windows Settings\Security Settings\System Services\Background Intelligent Transfer Service
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BITS:Start
CCE-ID: CCE-00000-0

1.1.1.3.17 Configure 'Netlogon' | Capabilities: X | Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
  Computer Configuration\Windows Settings\Security Settings\System Services\Netlogon
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Netlogon:Start
CCE-ID: CCE-00000-0

1.1.1.3.18 Configure 'Remote Access Connection Manager' | Capabilities: X | Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
  Computer Configuration\Windows Settings\Security Settings\System Services\Remote Access Connection Manager
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\RasMan:Start
CCE-ID: CCE-00000-0

1.1.1.3.19 Configure 'Network Location Awareness (NLA)' | Capabilities: X | Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
  Computer Configuration\Windows Settings\Security Settings\System Services\Network Location Awareness (NLA)
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NLA:Start
CCE-ID: CCE-00000-0

1.1.1.3.20 Configure 'DHCP Client' | Capabilities: X | Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
  Computer Configuration\Windows Settings\Security Settings\System Services\DHCP Client
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\DHCP:Start
CCE-ID: CCE-00000-0

1.1.1.3.21 Configure 'Plug and Play' | Capabilities: X | Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
  Computer Configuration\Windows Settings\Security Settings\System Services\Plug and Play
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\PlugPlay:Start
CCE-ID: CCE-00000-0
1.1.1.3.22 Configure 'COM+ System Application' | Capabilities: X | Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
  Computer Configuration\Windows Settings\Security Settings\System Services\COM+ System Application
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\ComSysApp:Start
CCE-ID: CCE-00000-0

1.1.1.3.23 Configure 'Windows Time' | Capabilities: X | Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
  Computer Configuration\Windows Settings\Security Settings\System Services\Windows Time
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\W32Time:Start
CCE-ID: CCE-00000-0

1.1.1.3.24 Configure 'Smart Card' | Capabilities: X | Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
  Computer Configuration\Windows Settings\Security Settings\System Services\Smart Card
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SCardSvr:Start
CCE-ID: CCE-00000-0

1.1.1.3.25 Set 'Routing and Remote Access' to 'Disabled' | Capabilities: X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 4.
  Computer Configuration\Windows Settings\Security Settings\System Services\Routing and Remote Access
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\RemoteAccess:Start
CCE-ID: CCE-00000-0

1.1.1.3.26 Configure 'IPSEC Services' | Capabilities: X | Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
  Computer Configuration\Windows Settings\Security Settings\System Services\IPSEC Services
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\PolicyAgent:Start
CCE-ID: CCE-00000-0

1.1.1.3.27 Configure 'COM+ Event System' | Capabilities: X | Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
  Computer Configuration\Windows Settings\Security Settings\System Services\COM+ Event System
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\EventSystem:Start
CCE-ID: CCE-00000-0

1.1.1.3.28 Configure 'Security Accounts Manager' | Capabilities: X | Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
  Computer Configuration\Windows Settings\Security Settings\System Services\Security Accounts Manager
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SamSs:Start
CCE-ID: CCE-00000-0
1.1.1.3.29 Configure 'DCOM Server Process Launcher' | Capabilities: X | Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
  Computer Configuration\Windows Settings\Security Settings\System Services\DCOM Server Process Launcher
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\DcomLaunch:Start
CCE-ID: CCE-00000-0

1.1.1.3.30 Configure 'Internet Connection Sharing (ICS)' | Capabilities: X | Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
  Computer Configuration\Windows Settings\Security Settings\System Services\Internet Connection Sharing (ICS)
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess:Start
CCE-ID: CCE-00000-0

1.1.1.3.31 Configure 'Application Management' | Capabilities: X | Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
  Computer Configuration\Windows Settings\Security Settings\System Services\Application Management
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\AppMgmt:Start
CCE-ID: CCE-00000-0

1.1.1.3.32 Configure 'Windows Management Instrumentation' | Capabilities: X | Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
  Computer Configuration\Windows Settings\Security Settings\System Services\Windows Management Instrumentation
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Winmgmt:Start
CCE-ID: CCE-00000-0

1.1.1.3.33 Set 'Task Scheduler' to 'Disabled' | Capabilities: X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 4.
  Computer Configuration\Windows Settings\Security Settings\System Services\Task Scheduler
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Schedule:Start
CCE-ID: CCE-00000-0

1.1.1.3.34 Configure 'System Event Notification Service' | Capabilities: X | Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
  Computer Configuration\Windows Settings\Security Settings\System Services\System Event Notification Service
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SENS:Start
CCE-ID: CCE-00000-0

1.1.1.3.35 Configure 'Volume Shadow Copy' | Capabilities: X | Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
  Computer Configuration\Windows Settings\Security Settings\System Services\Volume Shadow Copy
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\VSS:Start
CCE-ID: CCE-00000-0
1.1.1.3.36 Configure 'Windows Audio' | Capabilities: X | Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
  Computer Configuration\Windows Settings\Security Settings\System Services\Windows Audio
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\AudioSrv:Start
CCE-ID: CCE-00000-0

1.1.1.3.37 Configure 'Cryptographic Services' | Capabilities: X | Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
  Computer Configuration\Windows Settings\Security Settings\System Services\Cryptographic Services
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\CryptSvc:Start
CCE-ID: CCE-00000-0

1.1.1.3.38 Set 'SSDP Discovery' to 'Disabled' | Capabilities: X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 4.
  Computer Configuration\Windows Settings\Security Settings\System Services\SSDP Discovery
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SSDPSRV:Start
CCE-ID: CCE-00000-0

1.1.1.3.39 Configure 'Windows Installer' | Capabilities: X | Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
  Computer Configuration\Windows Settings\Security Settings\System Services\Windows Installer
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\msiserver:Start
CCE-ID: CCE-00000-0

1.1.1.3.40 Configure 'Server' | Capabilities: X | Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
  Computer Configuration\Windows Settings\Security Settings\System Services\Server
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\LanmanServer:Start
CCE-ID: CCE-00000-0

1.1.1.3.41 Configure 'Application Layer Gateway Service' | Capabilities: X | Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
  Computer Configuration\Windows Settings\Security Settings\System Services\Application Layer Gateway Service
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\ALG:Start
CCE-ID: CCE-00000-0

1.1.1.3.42 Configure 'DNS Client' | Capabilities: X | Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
  Computer Configuration\Windows Settings\Security Settings\System Services\DNS Client
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Dnscache:Start
CCE-ID: CCE-00000-0
1.1.1.4 Account Policies

1.1.1.4.1 Password Policy

1.1.1.4.1.1 Set 'Password must meet complexity requirements' to 'Enabled' | Capabilities: X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to True.
  Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\Password must meet complexity requirements
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-ID: CCE-2735-9

1.1.1.4.1.2 Set 'Minimum password length' to '14' | Capabilities: X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 14.
  Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\Minimum password length
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-ID: CCE-2981-9

1.1.1.4.1.3 Set 'Enforce password history' to '24' | Capabilities: X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 24.
  Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\Enforce password history
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-ID: CCE-2994-2

1.1.1.4.1.4 Set 'Maximum password age' to '60' or less | Capabilities: X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 60 or less.
  Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\Maximum password age
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-ID: CCE-2920-7

1.1.1.4.1.5 Set 'Store passwords using reversible encryption' to 'Disabled' | Capabilities: X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to False.
  Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\Store passwords using reversible encryption
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-ID: CCE-2889-4

1.1.1.4.1.6 Set 'Minimum password age' to '1' or higher | Capabilities: X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 1 or higher.
  Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\Minimum password age
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-ID: CCE-2439-8

1.1.1.4.2 Account Lockout Policy

1.1.1.4.2.1 Set 'Account lockout threshold' to '50' or less | Capabilities: X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 50 or less.
  Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policy\Account lockout threshold
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-ID: CCE-2986-8
1.1.1.4.2.2 Set 'Reset account lockout counter after' to '15' or higher X X Scored To implement the recommended configuration state, set the following Group Policy setting to 15 or higher.
!Computer ConfigurationWindows SettingsSecurity SettingsAccount PoliciesAccount Lockout PolicyReset account lockout counter after
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2466-1
1.1.1.4.2.3 Set 'Account lockout duration' to '15' or higher X X Scored To implement the recommended configuration state, set the following Group Policy setting to 15 or higher.
!Computer ConfigurationWindows SettingsSecurity SettingsAccount PoliciesAccount Lockout PolicyAccount lockout duration
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2928-0
1.2 Administrative Templates
1.2.1 Network
1.2.1.1 Network Connections
1.2.1.1.1 Windows Profile
1.2.1.1.1.1 Standard Profile
1.2.1.1.1.1.1 Set 'Windows Firewall: Allow ICMP exceptions' to 'Disabled' X X Scored To implement the recommended configuration state, set the following Group Policy setting to Disabled.
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile\Windows Firewall: Allow ICMP exceptions
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\IcmpSettings:AllowOutboundParameterProblem
CCE-3081-7
1.2.1.1.1.1.2 Set 'Windows Firewall: Allow inbound Remote Desktop exceptions' to 'Disabled' X X Scored To implement the recommended configuration state, set the following Group Policy setting to Disabled.
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile\Windows Firewall: Allow inbound Remote Desktop exceptions
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\Services\RemoteDesktop:Enabled
CCE-3213-6
1.2.1.1.1.1.3 Configure 'Windows Firewall: Prohibit notifications' X X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile\Windows Firewall: Prohibit notifications
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile:DisableNotifications
CCE-3134-4
1.2.1.1.1.1.4 Set 'Windows Firewall: Prohibit unicast response to multicast or broadcast requests' to 'Enabled' X X Scored To implement the recommended configuration state, set the following Group Policy setting to Enabled.
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile\Windows Firewall: Prohibit unicast response to multicast or broadcast requests
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile:DisableUnicastResponsesToMulticastBroadcast
CCE-3103-9
1.2.1.1.1.1.5 Set 'Windows Firewall: Allow inbound remote administration exception' to 'Disabled' X X Scored To implement the recommended configuration state, set the following Group Policy setting to Disabled.
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile\Windows Firewall: Allow inbound remote administration exception
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\RemoteAdminSettings:Enabled
CCE-2954-6
1.2.1.1.1.1.6 Configure 'Windows Firewall: Do not allow exceptions' X X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile\Windows Firewall: Do not allow exceptions
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile:DoNotAllowExceptions
CCE-3179-9
1.2.1.1.1.1.7 Set 'Windows Firewall: Allow inbound file and printer sharing exception' to 'Disabled' X X Scored To implement the recommended configuration state, set the following Group Policy setting to Disabled.
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile\Windows Firewall: Allow inbound file and printer sharing exception
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\Services\FileAndPrint:Enabled
CCE-3262-3
1.2.1.1.1.1.8 Set 'Windows Firewall: Allow local port exceptions' to 'Disabled' X X Scored To implement the recommended configuration state, set the following Group Policy setting to Disabled.
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile\Windows Firewall: Allow local port exceptions
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\GloballyOpenPorts:AllowUserPrefMerge
CCE-2989-2
1.2.1.1.1.1.9 Configure 'Windows Firewall: Define inbound port exceptions' X X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile\Windows Firewall: Define inbound port exceptions
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\GloballyOpenPorts:Enabled
CCE-3231-8
1.2.1.1.1.1.10 Configure 'Windows Firewall: Define inbound program exceptions' X X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile\Windows Firewall: Define inbound program exceptions
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\AuthorizedApplications:Enabled
CCE-00000-0
1.2.1.1.1.1.11 Set 'Windows Firewall: Allow inbound UPnP framework exceptions' to 'Disabled' X X Scored To implement the recommended configuration state, set the following Group Policy setting to Disabled.
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile\Windows Firewall: Allow inbound UPnP framework exceptions
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\Services\UPnPFramework:Enabled
CCE-3235-9
1.2.1.1.1.1.12 Set 'Windows Firewall: Protect all network connections' to 'Enabled' X X Scored To implement the recommended configuration state, set the following Group Policy setting to Enabled.
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile\Windows Firewall: Protect all network connections
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile:EnableFirewall
CCE-3284-7
1.2.1.1.1.1.13 Configure 'Windows Firewall: Allow local program exceptions' X X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile\Windows Firewall: Allow local program exceptions
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\AuthorizedApplications:AllowUserPrefMerge
CCE-3183-1
1.2.1.1.1.2 Domain Profile
1.2.1.1.1.2.1 Set 'Windows Firewall: Allow ICMP exceptions' to 'Disabled' X X Scored To implement the recommended configuration state, set the following Group Policy setting to Disabled.
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile\Windows Firewall: Allow ICMP exceptions
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\IcmpSettings:AllowInboundRouterRequest
CCE-3141-9
1.2.1.1.1.2.2 Set 'Windows Firewall: Allow local program exceptions' to 'Disabled' X X Scored To implement the recommended configuration state, set the following Group Policy setting to Disabled.
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile\Windows Firewall: Allow local program exceptions
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\AuthorizedApplications:AllowUserPrefMerge
CCE-2828-2
1.2.1.1.1.2.3 Set 'Windows Firewall: Allow inbound UPnP framework exceptions' to 'Disabled' X X Scored To implement the recommended configuration state, set the following Group Policy setting to Disabled.
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile\Windows Firewall: Allow inbound UPnP framework exceptions
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Services\UPnPFramework:Enabled
CCE-3176-5
1.2.1.1.1.2.4 Configure 'Windows Firewall: Define inbound port exceptions' X X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile\Windows Firewall: Define inbound port exceptions
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\GloballyOpenPorts:Enabled
CCE-2866-2
1.2.1.1.1.2.5 Configure 'Windows Firewall: Define inbound program exceptions' X X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile\Windows Firewall: Define inbound program exceptions
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\AuthorizedApplications:Enabled
CCE-8515-9
1.2.1.1.1.2.6 Configure 'Windows Firewall: Prohibit notifications' X X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile\Windows Firewall: Prohibit notifications
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile:DisableNotifications
CCE-3198-9
1.2.1.1.1.2.7 Set 'Windows Firewall: Prohibit unicast response to multicast or broadcast requests' to 'Enabled' X X Scored To implement the recommended configuration state, set the following Group Policy setting to Enabled.
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile\Windows Firewall: Prohibit unicast response to multicast or broadcast requests
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile:DisableUnicastResponsesToMulticastBroadcast
CCE-2972-8
1.2.1.1.1.2.8 Set 'Windows Firewall: Allow inbound remote administration exception' to 'Disabled' X X Scored To implement the recommended configuration state, set the following Group Policy setting to Disabled.
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile\Windows Firewall: Allow inbound remote administration exception
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\RemoteAdminSettings:Enabled
CCE-2476-0
1.2.1.1.1.2.9 Configure 'Windows Firewall: Do not allow exceptions' X X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile\Windows Firewall: Do not allow exceptions
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile:DoNotAllowExceptions
CCE-3194-8
1.2.1.1.1.2.10 Set 'Windows Firewall: Protect all network connections' to 'Enabled' X X Scored To implement the recommended configuration state, set the following Group Policy setting to Enabled.
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile\Windows Firewall: Protect all network connections
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile:EnableFirewall
CCE-3154-2
1.2.1.1.1.2.11 Set 'Windows Firewall: Allow inbound Remote Desktop exceptions' to 'Disabled' X X Scored To implement the recommended configuration state, set the following Group Policy setting to Disabled.
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile\Windows Firewall: Allow inbound Remote Desktop exceptions
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Services\RemoteDesktop:Enabled
CCE-3304-3
1.2.1.1.1.2.12 Set 'Windows Firewall: Allow inbound file and printer sharing exception' to 'Disabled' X X Scored To implement the recommended configuration state, set the following Group Policy setting to Disabled.
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile\Windows Firewall: Allow inbound file and printer sharing exception
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Services\FileAndPrint:Enabled
CCE-3247-4
1.2.1.1.1.2.13 Set 'Windows Firewall: Allow local port exceptions' to 'Disabled' X X Scored To implement the recommended configuration state, set the following Group Policy setting to Disabled.
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile\Windows Firewall: Allow local port exceptions
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\GloballyOpenPorts:AllowUserPrefMerge
CCE-3258-1
1.2.2 System
1.2.2.1 Remote Procedure Call
1.2.2.1.1 Set 'Restrictions for Unauthenticated RPC clients' to 'Enabled:Authenticated' X X Scored To implement the recommended configuration state, set the following Group Policy setting to Enabled. Then set the available option to Authenticated.
Computer Configuration\Administrative Templates\System\Remote Procedure Call\Restrictions for Unauthenticated RPC clients
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Rpc:RestrictRemoteClients
CCE-3273-0
1.2.2.1.2 Set 'RPC Endpoint Mapper Client Authentication' to 'Enabled' X X Scored To implement the recommended configuration state, set the following Group Policy setting to Enabled.
Computer Configuration\Administrative Templates\System\Remote Procedure Call\RPC Endpoint Mapper Client Authentication
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Rpc:EnableAuthEpResolution
CCE-2956-1
1.2.2.2 Group Policy
1.2.2.2.1 Set 'Registry policy processing' to 'Enabled' X Scored To implement the recommended configuration state, set the following Group Policy setting to Enabled.
Computer Configuration\Administrative Templates\System\Group Policy\Registry policy processing
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}:NoBackgroundPolicy
CCE-5053-4
1.2.2.2.2 Set 'Process even if the Group Policy objects have not changed' to 'True' X Scored To implement the recommended configuration state, set the following Group Policy setting to 0.
Computer Configuration\Administrative Templates\System\Group Policy:Process even if the Group Policy objects have not changed
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}:NoBackgroundPolicy
CCE-5053-4
1.2.2.2.3 Set 'Do not apply during periodic background processing' to 'False' X Scored To implement the recommended configuration state, set the following Group Policy setting to 0.
Computer Configuration\Administrative Templates\System\Group Policy:Do not apply during periodic background processing
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}:NoBackgroundPolicy
CCE-5053-4
1.2.2.3 Remote Assistance
1.2.2.3.1 Set 'Solicited Remote Assistance' to 'Disabled' X Scored To implement the recommended configuration state, set the following Group Policy setting to Disabled.
Computer Configuration\Administrative Templates\System\Remote Assistance\Solicited Remote Assistance
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\Software\policies\Microsoft\Windows NT\Terminal Services:fAllowToGetHelp
CCE-3007-2
1.2.2.3.2 Set 'Offer Remote Assistance' to 'Disabled' X Scored To implement the recommended configuration state, set the following Group Policy setting to Disabled.
Computer Configuration\Administrative Templates\System\Remote Assistance\Offer Remote Assistance
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\Software\policies\Microsoft\Windows NT\Terminal Services:fAllowUnsolicited
CCE-3012-2
1.2.2.4 Internet Communication Management
1.2.2.4.1 Internet Communication settings
1.2.2.4.1.1 Set 'Turn off downloading of print drivers over HTTP' to 'Enabled' X Scored To implement the recommended configuration state, set the following Group Policy setting to Enabled.
Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off downloading of print drivers over HTTP
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers:DisableWebPnPDownload
CCE-5200-1
1.2.2.4.1.2 Set 'Turn off Windows Update device driver searching' to 'Enabled' X Scored To implement the recommended configuration state, set the following Group Policy setting to Enabled.
Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off Windows Update device driver searching
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DriverSearching:DontSearchWindowsUpdate
CCE-5014-6
1.2.2.4.1.3 Set 'Turn off the "Publish to Web" task for files and folders' to 'Enabled' X Scored To implement the recommended configuration state, set the following Group Policy setting to Enabled.
Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off the "Publish to Web" task for files and folders
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer:NoPublishingWizard
CCE-4887-6
1.2.2.4.1.4 Set 'Turn off Internet download for Web publishing and online ordering wizards' to 'Enabled' X Scored To implement the recommended configuration state, set the following Group Policy setting to Enabled.
Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off Internet download for Web publishing and online ordering wizards
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer:NoWebServices
CCE-5099-7
1.2.2.4.1.5 Set 'Turn off printing over HTTP' to 'Enabled' X Scored To implement the recommended configuration state, set the following Group Policy setting to Enabled.
Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off printing over HTTP
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers:DisableHTTPPrinting
CCE-4513-8
1.2.2.4.1.6 Set 'Turn off the Windows Messenger Customer Experience Improvement Program' to 'Enabled' X Scored To implement the recommended configuration state, set the following Group Policy setting to Enabled.
Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off the Windows Messenger Customer Experience Improvement Program
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Messenger\Client:CEIP
CCE-4224-2
1.2.2.4.1.7 Set 'Turn off Search Companion content file updates' to 'Enabled' X Scored To implement the recommended configuration state, set the following Group Policy setting to Enabled.
Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off Search Companion content file updates
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SearchCompanion:DisableContentFileUpdates
CCE-5055-9
1.2.2.5 Logon
1.2.2.5.1 Configure 'Do not process the legacy run list' X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Administrative Templates\System\Logon\Do not process the legacy run list
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer:DisableLocalMachineRun
CCE-8364-2
1.2.2.5.2 Configure 'Do not process the run once list' X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Administrative Templates\System\Logon\Do not process the run once list
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer:DisableLocalMachineRunOnce
CCE-5032-8
1.2.3 Windows Components
1.2.3.1 Windows Update
1.2.3.1.1 Set 'Configure Automatic Updates' to '3 - Auto download and notify for install' X X Scored To implement the recommended configuration state, set the following Group Policy setting to 3 - Auto download and notify for install.
Computer Configuration\Administrative Templates\Windows Components\Windows Update\AutoUpdateMode
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU:NoAutoUpdate
CCE-7528-3
1.2.3.1.2 Set 'Reschedule Automatic Updates scheduled installations' to 'Enabled:10' X X Scored To implement the recommended configuration state, set the following Group Policy setting to Enabled. Then set the available option to 10.
Computer Configuration\Administrative Templates\Windows Components\Windows Update\Reschedule Automatic Updates scheduled installations
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU:RescheduleWaitTimeEnabled
CCE-8406-1
1.2.3.1.3 Set 'No auto-restart with logged on users for scheduled automatic updates installations' to 'Disabled' X X Scored To implement the recommended configuration state, set the following Group Policy setting to Disabled.
Computer Configuration\Administrative Templates\Windows Components\Windows Update\No auto-restart with logged on users for scheduled automatic updates installations
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU:NoAutoRebootWithLoggedOnUsers
CCE-8375-8
1.2.3.1.4 Set 'Do not display 'Install Updates and Shut Down' option in Shut Down Windows dialog box' to 'Disabled' X X Scored To implement the recommended configuration state, set the following Group Policy setting to Disabled.
Computer Configuration\Administrative Templates\Windows Components\Windows Update\Do not display 'Install Updates and Shut Down' option in Shut Down Windows dialog box
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU:NoAUShutdownOption
CCE-8400-4
1.2.3.1.5 Set 'Do not adjust default option to 'Install Updates and Shut Down' in Shut Down Windows dialog box' to 'Disabled' X X Scored To implement the recommended configuration state, set the following Group Policy setting to Disabled.
Computer Configuration\Administrative Templates\Windows Components\Windows Update\Do not adjust default option to 'Install Updates and Shut Down' in Shut Down Windows dialog box
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU:NoAUAsDefaultShutdownOption
CCE-8574-6
1.2.3.1.6 Configure 'Specify intranet Microsoft update service location'   [X X]   Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Administrative Templates\Windows Components\Windows Update\Specify intranet Microsoft update service location
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate:WUServer
CCE-00000-0
1.2.3.1.7 Configure 'Set the intranet statistics server'   [X X]   Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Administrative Templates\Windows Components\Windows Update\Specify intranet Microsoft update service location: Set the intranet statistics server
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This option of the policy is backed by the following registry location (the statistics server is stored in WUStatusServer, not in WUServer, which holds the detection/update server address):
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate:WUStatusServer
CCE-00000-0
1.2.3.1.8 Configure 'Set the intranet update service for detecting updates'   [X X]   Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Administrative Templates\Windows Components\Windows Update\Specify intranet Microsoft update service location: Set the intranet update service for detecting updates
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This option of the policy is backed by the following registry location:
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate:WUServer
CCE-00000-0
1.2.3.2 Windows Installer
1.2.3.2.1 Set 'Always install with elevated privileges' to 'Disabled'   [X]   Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Disabled:
Computer Configuration\Administrative Templates\Windows Components\Windows Installer\Always install with elevated privileges
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer:AlwaysInstallElevated
CCE-00000-0
1.2.3.3 Remote Desktop Services
1.2.3.3.1 Remote Desktop Connection Client
1.2.3.3.1.1 Set 'Do not allow passwords to be saved' to 'Enabled'   [X]   Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Enabled:
Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Connection Client\Do not allow passwords to be saved
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services:DisablePasswordSaving
CCE-4849-6
1.2.3.3.2 Remote Desktop Session Host
1.2.3.3.2.1 Connections
1.2.3.3.2.1.1 Configure 'Allow users to connect remotely using Remote Desktop Services'   [X X]   Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections\Allow users to connect remotely using Remote Desktop Services
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location (the original table left the value name as 'Not Configured'; the policy writes fDenyTSConnections, where 1 denies and 0 allows remote connections):
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services:fDenyTSConnections
CCE-3028-8
1.2.3.3.2.2 Device and Resource Redirection
1.2.3.3.2.2.1 Set 'Do not allow drive redirection' to 'Enabled'   [X]   Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Enabled:
Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection\Do not allow drive redirection
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services:fDisableCdm
CCE-8261-0
1.2.3.3.2.3 Security
1.2.3.3.2.3.1 Set 'Always prompt for password upon connection' to 'Enabled'   [X X]   Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Enabled:
Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security\Always prompt for password upon connection
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services:fPromptForPassword
CCE-2949-6
1.2.3.3.2.3.2 Set 'Set client connection encryption level' to 'Enabled:High Level'   [X X]   Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Enabled. Then set the available option to High Level:
Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security\Set client connection encryption level
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services:MinEncryptionLevel
CCE-3116-1
1.2.3.4 AutoPlay Policies
1.2.3.4.1 Set 'Turn off Autoplay' to 'Enabled:All drives'   [X X]   Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Enabled. Then set the available option to All drives:
Computer Configuration\Administrative Templates\Windows Components\AutoPlay Policies\Turn off Autoplay
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer:NoDriveTypeAutoRun
CCE-2710-2
1.2.3.5 Windows Error Reporting
1.2.3.5.1 Advanced Error Reporting Settings
1.2.3.5.1.1 Set 'Report operating system errors' to 'Enabled'   [X]   Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Enabled:
Computer Configuration\Administrative Templates\Windows Components\Windows Error Reporting\Advanced Error Reporting Settings\Report operating system errors
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\PCHealth\ErrorReporting:IncludeKernelFaults
CCE-00000-0
1.2.3.5.1.2 Set 'Display Error Notification' to 'Disabled'   [X]   Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Disabled:
Computer Configuration\Administrative Templates\Windows Components\Windows Error Reporting\Display Error Notification
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\PCHealth\ErrorReporting:ShowUI
CCE-5136-7
1.2.3.6 NetMeeting
1.2.3.6.1 Set 'Disable remote Desktop Sharing' to 'Enabled'   [X]   Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Enabled:
Computer Configuration\Administrative Templates\Windows Components\NetMeeting\Disable remote Desktop Sharing
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Conferencing:NoRDS
CCE-2896-9
1.2.3.7 Windows Messenger
1.2.3.7.1 Set 'Do not allow Windows Messenger to be run' to 'Enabled'   [X]   Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Enabled:
Computer Configuration\Administrative Templates\Windows Components\Windows Messenger\Do not allow Windows Messenger to be run
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Messenger\Client:PreventRun
CCE-2684-9
2 User Configuration
2.1 Administrative Templates
2.1.1 System
2.1.1.1 Power Management
2.1.1.1.1 Set 'Prompt for password on resume from hibernate / suspend' to 'Enabled'   [X X]   Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Enabled:
User Configuration\Administrative Templates\System\Power Management\Prompt for password on resume from hibernate / suspend
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_USERS\Software\Policies\Microsoft\Windows\System\Power:PromptPasswordOnResume
CCE-4390-1
2.1.1.1.2 Configure 'Prevent access to registry editing tools'   [X]   Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
User Configuration\Administrative Templates\System\Prevent access to registry editing tools
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Policies\System:DisableRegistryTools
CCE-8445-9
2.1.2 Windows Components
2.1.2.1 Windows Explorer
2.1.2.1.1 Configure 'Remove Security tab'   [X]   Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
User Configuration\Administrative Templates\Windows Components\Windows Explorer\Remove Security tab
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location (the original table left it as 'Not Configured'; the policy writes the NoSecurityTab value):
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer:NoSecurityTab
CCE-8326-1
2.1.2.1.2 Configure 'Remove CD Burning features'   [X]   Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
User Configuration\Administrative Templates\Windows Components\Windows Explorer\Remove CD Burning features
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location (the original table left it as 'Not Configured'; the policy writes the NoCDBurning value):
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer:NoCDBurning
CCE-8374-1
2.1.2.2 Attachment Manager
2.1.2.2.1 Set 'Hide mechanisms to remove zone information' to 'Enabled'   [X X]   Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Enabled:
User Configuration\Administrative Templates\Windows Components\Attachment Manager\Hide mechanisms to remove zone information
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments:HideZoneInfoOnProperties
CCE-5042-7
2.1.2.2.2 Set 'Notify antivirus programs when opening attachments' to 'Enabled'   [X X]   Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Enabled:
User Configuration\Administrative Templates\Windows Components\Attachment Manager\Notify antivirus programs when opening attachments
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments:ScanWithAntiVirus
CCE-5059-1
2.1.2.2.3 Set 'Do not preserve zone information in file attachments' to 'Disabled'   [X X]   Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Disabled:
User Configuration\Administrative Templates\Windows Components\Attachment Manager\Do not preserve zone information in file attachments
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments:SaveZoneInformation
CCE-4412-3
2.1.3 Control Panel
2.1.3.1 Personalization
2.1.3.1.1 Set 'Screen saver timeout' to 'Enabled:900'   [X X]   Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Enabled. Then set the available option to a value less than or equal to 900:
User Configuration\Administrative Templates\Control Panel\Personalization\Screen saver timeout
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_USERS\Software\Policies\Microsoft\Windows\Control Panel\Desktop:ScreenSaveTimeOut
2.1.3.1.2 Set 'Password protect the screen saver' to 'Enabled'   [X X]   Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Enabled:
User Configuration\Administrative Templates\Control Panel\Personalization\Password protect the screen saver
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_USERS\Software\Policies\Microsoft\Windows\Control Panel\Desktop:ScreenSaverIsSecure
CCE-4500-5
2.1.3.1.3 Set 'Enable screen saver' to 'Enabled'   [X X]   Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Enabled:
User Configuration\Administrative Templates\Control Panel\Personalization\Enable screen saver
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_USERS\Software\Policies\Microsoft\Windows\Control Panel\Desktop:ScreenSaveActive
CCE-2174-1
2.1.3.1.4 Set 'Force specific screen saver' to 'Enabled:scrnsave.scr'   [X X]   Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Enabled. Then set the available option to scrnsave.scr:
User Configuration\Administrative Templates\Control Panel\Personalization\Force specific screen saver
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_USERS\Software\Policies\Microsoft\Windows\Control Panel\Desktop:SCRNSAVE.EXE
CCE-3170-8
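Every Administrative Templates item above ends its Audit Procedure at a registry value, so the whole group can be checked offline from a reg.exe export instead of opening gpedit.msc on each XP host. The script below is an added example written for this mapping document; it is not CIS or MDISS code and is not part of the Benchmark. The registry encodings in its EXPECTED table (Disabled written as 0, Enabled as 1, 'High Level' as 3, 'All drives' as 0xFF) are this example's assumptions and should be confirmed against the Benchmark, and the .reg text it parses is constructed rather than captured from a host. A value that is absent is reported as "missing", because an unapplied policy is not "set as prescribed" even when the default happens to be safe.

```python
"""Offline check of the Administrative Templates items against a .reg export.

Added example for this mapping document (not CIS or MDISS code).  On the XP
host:  reg export "HKLM\\Software\\Policies\\Microsoft" policies.reg
then pass the file's text (reg.exe writes UTF-16) to check_reg_export().
The expected encodings and the sample export are this example's assumptions.
"""
import re

AU = r"HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU"
TS = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"
EXPLORER = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"

# (registry key, value name, expected data, Benchmark recommendation #).
# Assumed encodings: Disabled -> 0, Enabled -> 1, High Level -> 3, All drives -> 0xFF.
EXPECTED = [
    (AU, "NoAutoRebootWithLoggedOnUsers", 0, "1.2.3.1.3"),
    (AU, "NoAUShutdownOption", 0, "1.2.3.1.4"),
    (AU, "NoAUAsDefaultShutdownOption", 0, "1.2.3.1.5"),
    (r"HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer", "AlwaysInstallElevated", 0, "1.2.3.2.1"),
    (TS, "DisablePasswordSaving", 1, "1.2.3.3.1.1"),
    (TS, "fDisableCdm", 1, "1.2.3.3.2.2.1"),
    (TS, "fPromptForPassword", 1, "1.2.3.3.2.3.1"),
    (TS, "MinEncryptionLevel", 3, "1.2.3.3.2.3.2"),
    (EXPLORER, "NoDriveTypeAutoRun", 0xFF, "1.2.3.4.1"),
    (r"HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Conferencing", "NoRDS", 1, "1.2.3.6.1"),
    (r"HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Messenger\Client", "PreventRun", 1, "1.2.3.7.1"),
]

_SECTION = re.compile(r"^\[(-?)(.+)\]$")
_VALUE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def _decode(data):
    # Right-hand side of a .reg value line -> Python value; None means "deleted".
    if data == "-":
        return None
    if data.lower().startswith("dword:"):
        return int(data[6:], 16)
    if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
        return data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return data  # hex:, hex(2): ... kept as raw text; not needed for these checks


def parse_reg_export(text):
    """Parse .reg text into {key.lower(): {name.lower(): data}}.

    Keys and value names compare case-insensitively, as the registry does.
    Hex data continued over several lines (trailing backslash) is joined first;
    [-key] deletion sections are skipped.
    """
    joined = []
    for raw in text.lstrip("\ufeff").splitlines():
        line = raw.strip()
        if joined and joined[-1].endswith("\\") and not joined[-1].startswith("["):
            joined[-1] = joined[-1][:-1] + line
        else:
            joined.append(line)
    tree, current = {}, None
    for line in joined:
        if not line or line[0] == ";" or line.startswith("Windows Registry"):
            continue
        sec = _SECTION.match(line)
        if sec:
            current = None if sec.group(1) else sec.group(2).lower()
            if current is not None:
                tree.setdefault(current, {})
            continue
        val = _VALUE.match(line)
        if val and current is not None:
            name = (val.group(1) or "").lower()   # @ (default value) -> ""
            data = _decode(val.group(2))
            if data is None:
                tree[current].pop(name, None)
            else:
                tree[current][name] = data
    return tree


def check_reg_export(text, expected=EXPECTED):
    """One finding per recommendation: pass, fail, or missing (policy never applied)."""
    tree = parse_reg_export(text)
    findings = []
    for key, name, want, item in expected:
        got = tree.get(key.lower(), {}).get(name.lower())
        status = "missing" if got is None else ("pass" if got == want else "fail")
        findings.append({"item": item, "value": name, "expected": want,
                         "actual": got, "status": status})
    return findings


# Constructed sample: two values deviate, and the Messenger policy was never applied.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU]
"RescheduleWaitTimeEnabled"=dword:00000001
"NoAutoRebootWithLoggedOnUsers"=dword:00000000
"NoAUShutdownOption"=dword:00000001
"NoAUAsDefaultShutdownOption"=dword:00000000
[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer]
"AlwaysInstallElevated"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services]
"DisablePasswordSaving"=dword:00000001
"fDisableCdm"=dword:00000001
"fPromptForPassword"=dword:00000001
"MinEncryptionLevel"=dword:00000002
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:000000ff
[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Conferencing]
"NoRDS"=dword:00000001
"""
```

Running `check_reg_export(SAMPLE_REG_EXPORT)` yields eight passes, two fails (NoAUShutdownOption is 1 where the Benchmark wants 0; MinEncryptionLevel is 2, Client Compatible, rather than 3) and one missing value (PreventRun). The HKEY_USERS items in section 2 can be checked the same way from `reg export HKCU\Software ...`, with the key prefix in EXPECTED changed to HKEY_CURRENT_USER, which is how reg.exe names that hive in its output.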
IEC/TR 80001-2-2 Code | IEC/TR 80001-2-2 Security Capability | # BM Recommendations that Map to Sec. Cap. | General Notes/Comments on CIS Microsoft Windows XP Benchmark v3.1.0 Mapping to Each Security Capability
ALOF | Automatic logoff | 8 | Benchmark recommendations on setting screen saver, logon hours, session timeout, etc.
AUDT | Audit controls | 27 | All audit-related items in Benchmark
AUTH | Authorization | 55 | All user rights and "anonymous can/cannot do x" recommendations in Benchmark
CNFS | Configuration of security features | 37 | Firewall, logon as a service, etc. Benchmark settings
CSUP | Cyber security product upgrades | 8 | All Windows Update-related items in Benchmark
DTBK | Data backup and disaster recovery | 5 | User rights related to file and backup
MLDP | Malware detection/protection | 6 | IE Benchmark: SmartScreen
NAUT | Node authentication | 12 | All authentication-related controls, but not password storage-related controls, as that is a security feature, not directly part of authentication of a person/node. Includes NTLM-related items
PAUT | Person authentication | 24 | All authentication-related controls, but not password storage-related controls, as that is a security feature, not directly part of authentication of a person/node. Includes NTLM-related items
SAHD | System and Application Hardening | 249 | Everything in the Benchmark maps to this Security Capability
TXCF | Transmission confidentiality | 8 | All the SSP RPC crypto items
TXIG | Transmission integrity | 12 | All the SSP RPC signing items
DIDT | HEALTH DATA de-identification | N/A |
EMRG | Emergency access | N/A |
IGAU | HEALTH DATA integrity and authenticity | N/A | File permissions
PLOK | Physical locks on device | N/A |
RDMP | Third-party components in product lifecycle roadmaps | N/A | See related CIS Benchmarks, as applicable
SGUD | Security guides | N/A |
STCF | HEALTH DATA storage confidentiality | N/A |
[Chart: Total CIS Benchmark Recommendations that Map to Each Applicable IEC/TR 80001-2-2 Security Capability. Bar heights (y-axis 0 to 300): ALOF 8, AUDT 27, AUTH 55, CNFS 37, CSUP 8, DTBK 5, MLDP 6, NAUT 12, PAUT 24, SAHD 249, TXCF 8, TXIG 12]
IEC/TR 80001-2-2 Security Capability
Automatic logoff (ALOF)
Alignment Total 8
1.1.1.1.2 Security Options
1.1.1.1.2.32 Set 'Microsoft network server: Amount of idle time required before suspending session' to '15'   [X]   Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 15:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network server: Amount of idle time required before suspending session
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters:autodisconnect
CCE-3157-5
1.1.1.1.2.42 Configure 'Network security: Force logoff when logon hours expire'   [X]   Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Force logoff when logon hours expire
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization.
CCE-3139-3
1.1.1.1.2.51 Configure 'Microsoft network server: Disconnect clients when logon hours expire'   [X]   Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network server: Disconnect clients when logon hours expire
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters:enableforcedlogoff
CCE-2692-2
1.1.1.1.2.66 Set 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' to '0'   [X]   Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 0:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon:ScreenSaverGracePeriod
CCE-2980-1
2.1.3.1 Personalization
2.1.3.1.1 Set 'Screen saver timeout' to 'Enabled:900'   [X]   Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Enabled. Then set the available option to a value less than or equal to 900:
User Configuration\Administrative Templates\Control Panel\Personalization\Screen saver timeout
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_USERS\Software\Policies\Microsoft\Windows\Control Panel\Desktop:ScreenSaveTimeOut
2.1.3.1.2 Set 'Password protect the screen saver' to 'Enabled'   [X]   Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Enabled:
User Configuration\Administrative Templates\Control Panel\Personalization\Password protect the screen saver
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_USERS\Software\Policies\Microsoft\Windows\Control Panel\Desktop:ScreenSaverIsSecure
CCE-4500-5
Complete details on Description, Rationale and Impact for each security configuration recommendation are contained in the full CIS Microsoft Windows XP Benchmark v3.1.0, available at: https://benchmarks.cisecurity.org/downloads/show-single/?file=winxp.310
Table columns for the per-capability listings: CIS MS Win XP Pro Benchmark v3.1.0 Recommendation # | CIS Benchmark Section Title | Scored or Not Scored? | CIS Benchmark Remediation Procedure | CIS Benchmark Audit Procedure | CCE-ID
2.1.3.1.3 Set 'Enable screen saver' to 'Enabled'   [X]   Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Enabled:
User Configuration\Administrative Templates\Control Panel\Personalization\Enable screen saver
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_USERS\Software\Policies\Microsoft\Windows\Control Panel\Desktop:ScreenSaveActive
CCE-2174-1
2.1.3.1.4 Set 'Force specific screen saver' to 'Enabled:scrnsave.scr'   [X]   Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Enabled. Then set the available option to scrnsave.scr:
User Configuration\Administrative Templates\Control Panel\Personalization\Force specific screen saver
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_USERS\Software\Policies\Microsoft\Windows\Control Panel\Desktop:SCRNSAVE.EXE
CCE-3170-8
IEC/TR 80001-2-2 Security Capability
Audit controls (AUDT)
Alignment Total 27
1.1.1.1.1 User Rights Assignment
1.1.1.1.1.22 Set 'Manage auditing and security log' to 'Administrators'   [X]   Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Administrators:
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Manage auditing and security log
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2247-5
1.1.1.1.1.28 Set 'Generate security audits' to 'Local Service, Network Service'   [X]   Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Local Service, Network Service:
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Generate security audits
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2767-2
1.1.1.1.2 Security Options
1.1.1.1.2.10 Configure 'Audit: Audit the use of Backup and Restore privilege'   [X]   Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Audit: Audit the use of Backup and Restore privilege
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa:fullprivilegeauditing
CCE-2955-3
1.1.1.1.2.33 Configure 'Audit: Audit the access of global system objects'   [X]   Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Audit: Audit the access of global system objects
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa:AuditBaseObjects
CCE-3162-5
1.1.1.1.2.50 Set 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' to '90'   [X]   Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 90:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security:WarningLevel
CCE-3061-9
1.1.1.1.2.60 Set 'Audit: Shut down system immediately if unable to log security audits' to 'Disabled'   [X]   Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Disabled (the backing crashonauditfail value is then 0):
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Audit: Shut down system immediately if unable to log security audits
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa:crashonauditfail
CCE-2851-4
1.1.1.1.3 Audit Policy
1.1.1.1.3.1 Set 'Audit account logon events' to 'Success, Failure'   [X]   Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Success, Failure:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit account logon events
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2867-0
1.1.1.1.3.2 Configure 'Audit object access'   [X]   Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit object access
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization.
CCE-2259-0
1.1.1.1.3.3 Configure 'Audit directory service access'   [X]   Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit directory service access
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization.
CCE-2933-0
1.1.1.1.3.4 Set 'Audit process tracking' to 'No Auditing'   [X]   Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to No Auditing:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit process tracking
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2816-7
1.1.1.1.3.5 Set 'Audit privilege use' to 'Failure'   [X]   Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Failure:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit privilege use
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2913-2
1.1.1.1.3.6 Set 'Audit account management' to 'Success, Failure'   [X]   Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Success, Failure:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit account management
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2902-5
1.1.1.1.3.7 Set 'Audit policy change' to 'Success' X Scored To implement the recommended configuration state, set the following Group Policy setting to Success.
!Computer ConfigurationWindows SettingsSecurity SettingsLocal PoliciesAudit PolicyAudit policy change
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2971-0
IEC/TR 80001-2-2 Security Capability: Audit controls (AUDT)
Source: CIS MS Win XP Pro Benchmark v3.1.0. Each entry gives the CIS Benchmark Recommendation # and Section Title, whether it is Scored or Not Scored, the CIS Benchmark Remediation Procedure, the CIS Benchmark Audit Procedure, and the CCE-ID.
Complete details on Description, Rationale and Impact for each security configuration recommendation are contained in the full CIS Microsoft Windows XP Benchmark v3.1.0, available at: https://benchmarks.cisecurity.org/downloads/show-single/?file=winxp.310
1.1.1.1.3.8 Set 'Audit system events' to 'Success' (Scored)
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Success.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit system events
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-ID: CCE-2878-7

1.1.1.1.3.9 Set 'Audit logon events' to 'Success, Failure' (Scored)
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Success, Failure.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit logon events
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-ID: CCE-2100-6

1.1.1.2 Event Log

1.1.1.2.1 Set 'Maximum application log size' to '16384' (Scored)
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 16384.
    Computer Configuration\Windows Settings\Security Settings\Event Log\Maximum application log size
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-ID: CCE-2904-1

1.1.1.2.2 Configure 'Retain application log' (Not Scored)
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
    Computer Configuration\Windows Settings\Security Settings\Event Log\Retain application log
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization.
CCE-ID: CCE-3019-7

1.1.1.2.3 Configure 'Retain security log' (Not Scored)
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
    Computer Configuration\Windows Settings\Security Settings\Event Log\Retain security log
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization.
CCE-ID: CCE-2966-0

1.1.1.2.4 Configure 'Retain system log' (Not Scored)
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
    Computer Configuration\Windows Settings\Security Settings\Event Log\Retain system log
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization.
CCE-ID: CCE-2050-3

1.1.1.2.5 Set 'Maximum system log size' to '16384' (Scored)
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 16384.
    Computer Configuration\Windows Settings\Security Settings\Event Log\Maximum system log size
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-ID: CCE-3006-4
1.1.1.2.6 Set 'Prevent local guests group from accessing security log' to 'Enabled' (Scored)
Remediation: To implement the recommended configuration state, set the following Group Policy setting to True.
    Computer Configuration\Windows Settings\Security Settings\Event Log\Prevent local guests group from accessing security log
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-ID: CCE-2794-6

1.1.1.2.7 Set 'Retention method for security log' to 'Overwrites events as needed' (Scored)
Remediation: To implement the recommended configuration state, set the following Group Policy setting to WhenNeeded.
    Computer Configuration\Windows Settings\Security Settings\Event Log\Retention method for security log
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-ID: CCE-2336-6

1.1.1.2.8 Set 'Retention method for application log' to 'Overwrites events as needed' (Scored)
Remediation: To implement the recommended configuration state, set the following Group Policy setting to WhenNeeded.
    Computer Configuration\Windows Settings\Security Settings\Event Log\Retention method for application log
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-ID: CCE-3014-8

1.1.1.2.9 Set 'Maximum security log size' to '81920' (Scored)
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 81920.
    Computer Configuration\Windows Settings\Security Settings\Event Log\Maximum security log size
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-ID: CCE-2693-0

1.1.1.2.10 Set 'Prevent local guests group from accessing application log' to 'Enabled' (Scored)
Remediation: To implement the recommended configuration state, set the following Group Policy setting to True.
    Computer Configuration\Windows Settings\Security Settings\Event Log\Prevent local guests group from accessing application log
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-ID: CCE-2116-2

1.1.1.2.11 Set 'Prevent local guests group from accessing system log' to 'Enabled' (Scored)
Remediation: To implement the recommended configuration state, set the following Group Policy setting to True.
    Computer Configuration\Windows Settings\Security Settings\Event Log\Prevent local guests group from accessing system log
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-ID: CCE-2345-7

1.1.1.2.12 Set 'Retention method for system log' to 'Overwrites events as needed' (Scored)
Remediation: To implement the recommended configuration state, set the following Group Policy setting to WhenNeeded.
    Computer Configuration\Windows Settings\Security Settings\Event Log\Retention method for system log
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-ID: CCE-2777-1
IEC/TR 80001-2-2 Security Capability: Authorization (AUTH)
Alignment Total: 55
1.1.1.1.1 User Rights Assignment

1.1.1.1.1.1 Configure 'Deny log on through Terminal Services' (Not Scored)
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
    Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny log on through Terminal Services
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization.
CCE-ID: CCE-2814-2

1.1.1.1.1.2 Set 'Allow log on locally' to 'Administrators, Users' (Scored)
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Administrators, Users.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Allow log on locally
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-ID: CCE-2829-0

1.1.1.1.1.3 Set 'Debug programs' to 'Administrators' (Scored)
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Administrators.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Debug programs
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-ID: CCE-2864-7

1.1.1.1.1.4 Configure 'Log on as a service' (Not Scored)
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
    Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Log on as a service
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization.
CCE-ID: CCE-2948-8

1.1.1.1.1.5 Set 'Perform volume maintenance tasks' to 'Administrators' (Scored)
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Administrators.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Perform volume maintenance tasks
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-ID: CCE-2960-3

1.1.1.1.1.6 Set 'Bypass traverse checking' to 'Administrators, Users, Local Service, Network Service' (Scored)
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Administrators, Users, Local Service, Network Service.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Bypass traverse checking
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-ID: CCE-2806-8

1.1.1.1.1.7 Configure 'Log on as a batch job' (Not Scored)
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
    Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Log on as a batch job
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization.
CCE-ID: CCE-2882-9
1.1.1.1.1.8 Configure 'Add workstations to domain' (Not Scored)
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
    Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Add workstations to domain
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization.
CCE-ID: CCE-2374-7

1.1.1.1.1.9 Set 'Modify firmware environment values' to 'Administrators' (Scored)
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Administrators.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Modify firmware environment values
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-ID: CCE-2657-5

1.1.1.1.1.10 Set 'Enable computer and user accounts to be trusted for delegation' to 'No One' (Scored)
Remediation: To implement the recommended configuration state, set the following Group Policy setting to No One.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Enable computer and user accounts to be trusted for delegation
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-ID: CCE-2982-7

1.1.1.1.1.11 Set 'Deny log on as a batch job' to 'Guests, Support_388945a0' (Scored)
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Guests, Support_388945a0.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny log on as a batch job
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-ID: CCE-2898-5

1.1.1.1.1.12 Configure 'Deny log on as a service' (Not Scored)
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
    Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny log on as a service
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization.
CCE-ID: CCE-2792-0

1.1.1.1.1.13 Set 'Adjust memory quotas for a process' to 'Administrators, Local Service, Network Service' (Scored)
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Administrators, Local Service, Network Service.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Adjust memory quotas for a process
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-ID: CCE-2547-8

1.1.1.1.1.14 Configure 'Create permanent shared objects' (Not Scored)
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
    Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Create permanent shared objects
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization.
CCE-ID: CCE-1969-5
1.1.1.1.1.15 Set 'Shut down the system' to 'Administrators, Users' (Scored)
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Administrators, Users.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Shut down the system
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-ID: CCE-2366-3

1.1.1.1.1.16 Configure 'Back up files and directories' (Not Scored)
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
    Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Back up files and directories
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization.
CCE-ID: CCE-2299-6

1.1.1.1.1.17 Configure 'Restore files and directories' (Not Scored)
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
    Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Restore files and directories
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization.
CCE-ID: CCE-2847-2

1.1.1.1.1.18 Set 'Take ownership of files or other objects' to 'Administrators' (Scored)
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Administrators.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Take ownership of files or other objects
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-ID: CCE-2021-4

1.1.1.1.1.19 Set 'Profile system performance' to 'Administrators' (Scored)
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Administrators.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Profile system performance
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-ID: CCE-2675-7

1.1.1.1.1.20 Configure 'Create a token object' (Not Scored)
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
    Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Create a token object
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization.
CCE-ID: CCE-2791-2

1.1.1.1.1.21 Set 'Increase scheduling priority' to 'Administrators' (Scored)
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Administrators.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Increase scheduling priority
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-ID: CCE-2944-7
1.1.1.1.1.22 Set 'Manage auditing and security log' to 'Administrators' (Scored)
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Administrators.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Manage auditing and security log
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-ID: CCE-2247-5

1.1.1.1.1.23 Set 'Deny log on locally' to 'Guests, Support_388945a0' (Scored)
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Guests, Support_388945a0.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny log on locally
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-ID: CCE-2700-3

1.1.1.1.1.24 Set 'Create a pagefile' to 'Administrators' (Scored)
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Administrators.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Create a pagefile
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-ID: CCE-2786-2

1.1.1.1.1.25 Set 'Access this computer from the network' to 'Users, Administrators' (Scored)
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Users, Administrators.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Access this computer from the network
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-ID: CCE-2379-6

1.1.1.1.1.26 Set 'Lock pages in memory' to 'No One' (Scored)
Remediation: To implement the recommended configuration state, set the following Group Policy setting to No One.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Lock pages in memory
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-ID: CCE-2609-6

1.1.1.1.1.27 Set 'Deny access to this computer from the network' to 'Support_388945a0, Guests' (Scored)
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Support_388945a0, Guests.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny access to this computer from the network
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-ID: CCE-1978-6

1.1.1.1.1.28 Set 'Generate security audits' to 'Local Service, Network Service' (Scored)
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Local Service, Network Service.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Generate security audits
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-ID: CCE-2767-2
1.1.1.1.1.29 Configure 'Allow log on through Terminal Services' (Not Scored)
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
    Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Allow log on through Terminal Services
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization.
CCE-ID: CCE-3004-9

1.1.1.1.1.30 Set 'Impersonate a client after authentication' to 'Administrators, SERVICE, Local Service, Network Service' (Scored)
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Administrators, SERVICE, Local Service, Network Service.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Impersonate a client after authentication
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-ID: CCE-2737-5

1.1.1.1.1.31 Set 'Replace a process level token' to 'Local Service, Network Service' (Scored)
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Local Service, Network Service.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Replace a process level token
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-ID: CCE-2860-5

1.1.1.1.1.32 Set 'Load and unload device drivers' to 'Administrators' (Scored)
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Administrators.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Load and unload device drivers
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-ID: CCE-2446-3

1.1.1.1.1.33 Set 'Act as part of the operating system' to 'No One' (Scored)
Remediation: To implement the recommended configuration state, set the following Group Policy setting to No One.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Act as part of the operating system
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-ID: CCE-2167-5

1.1.1.1.1.34 Configure 'Create global objects' (Not Scored)
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
    Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Create global objects
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization.
CCE-ID: CCE-3107-0

1.1.1.1.1.35 Configure 'Profile single process' (Not Scored)
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
    Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Profile single process
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization.
CCE-ID: CCE-2807-6
1.1.1.1.1.36 Set 'Force shutdown from a remote system' to 'Administrators' (Scored)
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Administrators.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Force shutdown from a remote system
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-ID: CCE-2886-0

1.1.1.1.1.37 Set 'Change the system time' to 'Administrators' (Scored)
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Administrators.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Change the system time
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-ID: CCE-2846-4
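The audit procedure for every Audit Policy row (1.1.1.1.3.x), Event Log row (1.1.1.2.x) and User Rights Assignment row (1.1.1.1.1.x) above is the same: open the Group Policy editor and read the value off the screen. On more than a handful of machines that does not scale, and the same settings are written by `secedit /export /cfg <file>` into an INI-style file whose [Event Audit], [Application Log], [Security Log], [System Log] and [Privilege Rights] sections carry the prescribed values directly. The script below is an added example for this mapping, not code from the CIS benchmark or from the CIS/MDISS document: it parses such an export and reports each deviation from the values in the rows above. The SAMPLE_INF text is constructed, not captured from a real system; the privilege constant names and well-known SIDs are the standard Windows ones, and only a representative subset of the User Rights rows is encoded.

```python
"""Compare a 'secedit /export /cfg <file>' export with the CIS XP audit-policy,
event-log and user-rights rows in this mapping.  Added example; SAMPLE_INF is
a constructed export, not a capture from a real machine."""
import sys

# SIDs as secedit writes them: '*' marks a SID; local accounts (SUPPORT_388945a0) appear by name.
WELL_KNOWN = {
    "Administrators": "*S-1-5-32-544", "Users": "*S-1-5-32-545", "Guests": "*S-1-5-32-546",
    "Local Service": "*S-1-5-19", "Network Service": "*S-1-5-20", "SERVICE": "*S-1-5-6",
}
# [Event Audit] encoding: 0 = No Auditing, 1 = Success, 2 = Failure, 3 = Success, Failure.
AUDIT_POLICY = {
    "AuditProcessTracking": 0, "AuditPrivilegeUse": 2, "AuditAccountManage": 3,   # 1.1.1.1.3.4-6
    "AuditPolicyChange": 1, "AuditSystemEvents": 1, "AuditLogonEvents": 3,        # 1.1.1.1.3.7-9
}
# MaximumLogSize is in KB; AuditLogRetentionPeriod 0 = overwrite as needed; RestrictGuestAccess 1 = on.
LOG_SETTINGS = {
    "Application Log": {"MaximumLogSize": 16384, "AuditLogRetentionPeriod": 0, "RestrictGuestAccess": 1},
    "System Log": {"MaximumLogSize": 16384, "AuditLogRetentionPeriod": 0, "RestrictGuestAccess": 1},
    "Security Log": {"MaximumLogSize": 81920, "AuditLogRetentionPeriod": 0, "RestrictGuestAccess": 1},
}
# Representative subset of the User Rights Assignment rows, keyed by privilege constant.
USER_RIGHTS = {
    "SeInteractiveLogonRight": {"Administrators", "Users"},                      # 1.1.1.1.1.2
    "SeDebugPrivilege": {"Administrators"},                                        # 1.1.1.1.1.3
    "SeDenyBatchLogonRight": {"Guests", "Support_388945a0"},                       # 1.1.1.1.1.11
    "SeNetworkLogonRight": {"Users", "Administrators"},                            # 1.1.1.1.1.25
    "SeImpersonatePrivilege": {"Administrators", "SERVICE", "Local Service", "Network Service"},  # .30
    "SeTcbPrivilege": set(),                                                       # 1.1.1.1.1.33 'No One'
}

SAMPLE_INF = """\
[Event Audit]
AuditSystemEvents = 1
AuditLogonEvents = 3
AuditPrivilegeUse = 0
AuditPolicyChange = 1
AuditAccountManage = 3
AuditProcessTracking = 1
[Application Log]
MaximumLogSize = 16384
AuditLogRetentionPeriod = 0
RestrictGuestAccess = 1
[Security Log]
MaximumLogSize = 81920
AuditLogRetentionPeriod = 0
RestrictGuestAccess = 1
[System Log]
MaximumLogSize = 512
AuditLogRetentionPeriod = 0
RestrictGuestAccess = 1
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-545,*S-1-5-32-544
SeDebugPrivilege = *S-1-5-32-544
SeDenyBatchLogonRight = *S-1-5-32-546,SUPPORT_388945a0
SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-32-545,*S-1-1-0
SeImpersonatePrivilege = *S-1-5-32-544,*S-1-5-6,*S-1-5-19,*S-1-5-20
SeTcbPrivilege =
"""

def parse_inf(text):
    """Parse the INI-style export into {section: {key: value}} (values kept as strings)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return sections

def principals(value):
    """Normalise a [Privilege Rights] value to a comparable set; '' means no one holds it."""
    return {p.strip().upper() for p in value.split(",") if p.strip()}

def check(sections):
    """Return one finding per deviation from the prescribed values."""
    findings = []
    for key, want in AUDIT_POLICY.items():
        got = sections.get("Event Audit", {}).get(key)
        if got is None or int(got) != want:
            findings.append(f"[Event Audit] {key}: expected {want}, found {got}")
    for section, wanted in LOG_SETTINGS.items():
        for key, want in wanted.items():
            got = sections.get(section, {}).get(key)
            if got is None or int(got) != want:
                findings.append(f"[{section}] {key}: expected {want}, found {got}")
    rights = sections.get("Privilege Rights", {})
    for right, names in USER_RIGHTS.items():
        want = {WELL_KNOWN.get(n, n).upper() for n in names}
        got = principals(rights.get(right, ""))   # a right held by no one is exported empty or omitted
        if got != want:
            findings.append(f"[Privilege Rights] {right}: expected {sorted(want)}, found {sorted(got)}")
    return findings

if __name__ == "__main__":
    # secedit writes UTF-16 with a BOM; the 'utf-16' codec reads the BOM to pick the byte order.
    text = open(sys.argv[1], encoding="utf-16").read() if len(sys.argv) > 1 else SAMPLE_INF
    print("\n".join(check(parse_inf(text))) or "compliant with the checked rows")
```

Run without arguments it checks the embedded sample and reports four deviations (privilege-use auditing off, process tracking on, a 512 KB system log, and Everyone granted network logon); run as `python check_secpol.py secpol.inf` it checks a real export. Principals are compared as sets, so the order in which secedit lists them does not matter, and an extra principal is reported just like a missing one.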
1.1.1.1.2 Security Options

1.1.1.1.2.3 Configure 'Network access: Restrict anonymous access to Named Pipes and Shares' (Not Scored)
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
    Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Restrict anonymous access to Named Pipes and Shares
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters:restrictnullsessaccess
CCE-ID: CCE-2834-0

1.1.1.1.2.11 Set 'Accounts: Administrator account status' to 'Disabled' (Scored)
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 0.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Accounts: Administrator account status
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-ID: CCE-2943-9

1.1.1.1.2.13 Set 'Network access: Let Everyone permissions apply to anonymous users' to 'Disabled' (Scored)
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 0.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Let Everyone permissions apply to anonymous users
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa:EveryoneIncludesAnonymous
CCE-ID: CCE-3110-4

1.1.1.1.2.16 Set 'Network access: Do not allow anonymous enumeration of SAM accounts' to 'Enabled' (Scored)
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 1.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Do not allow anonymous enumeration of SAM accounts
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa:RestrictAnonymousSAM
CCE-ID: CCE-2147-7
1.1.1.1.2.23 Set 'Network access: Sharing and security model for local accounts' to 'Classic - local users authenticate as themselves' (Scored)
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 0.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Sharing and security model for local accounts
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa:ForceGuest
CCE-ID: CCE-3058-5

1.1.1.1.2.24 Set 'Network access: Allow anonymous SID/Name translation' to 'Disabled' (Scored)
Remediation: To implement the recommended configuration state, set the following Group Policy setting to False.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Allow anonymous SID/Name translation
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-ID: CCE-2973-6

1.1.1.1.2.26 Set 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' to 'Enabled' (Scored)
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 1.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Do not allow anonymous enumeration of SAM accounts and shares
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa:RestrictAnonymous
CCE-ID: CCE-2804-3

1.1.1.1.2.27 Configure 'Domain controller: Allow server operators to schedule tasks' (Not Scored)
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
    Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Domain controller: Allow server operators to schedule tasks
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa:SubmitControl
CCE-ID: CCE-2968-6

1.1.1.1.2.28 Set 'Network access: Shares that can be accessed anonymously' to 'comcfg, dfs$' (Scored)
Remediation: To implement the recommended configuration state, set the following Group Policy setting to the two entries comcfg and dfs$.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Shares that can be accessed anonymously
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters:NullSessionShares
CCE-ID: CCE-3036-1
IEC/TR 80001-2-2 Security Capability: Authorization (AUTH)
Table columns (CIS MS Win XP Pro Benchmark v3.1.0): Recommendation # and CIS Benchmark Section Title; Scored or Not Scored?; CIS Benchmark Remediation Procedure; CIS Benchmark Audit Procedure; CCE-ID.
Complete details on Description, Rationale and Impact for each security configuration recommendation are contained in the full CIS Microsoft Windows XP Benchmark v3.1.0, available at: https://benchmarks.cisecurity.org/downloads/show-single/?file=winxp.310
1.1.1.1.2.31 Set 'Network access: Remotely accessible registry paths and sub-paths' as recommended
Scored. To implement the recommended configuration state, set the following Group Policy setting to the list of paths below:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Remotely accessible registry paths and sub-paths
System\CurrentControlSet\Control\ProductOptions
System\CurrentControlSet\Control\Print\Printers
System\CurrentControlSet\Control\Server Applications
System\CurrentControlSet\Services\Eventlog
Software\Microsoft\OLAP Server
Software\Microsoft\Windows NT\CurrentVersion
System\CurrentControlSet\Control\ContentIndex
System\CurrentControlSet\Control\Terminal Server
System\CurrentControlSet\Control\Terminal Server\UserConfig
System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths:Machine
CCE-3155-9
1.1.1.1.2.41 Configure 'Network access: Named Pipes that can be accessed anonymously'
Not Scored. Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Named Pipes that can be accessed anonymously
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters:NullSessionPipes
CCE-3150-0
1.1.1.1.2.56 Set 'Devices: Prevent users from installing printer drivers' to 'Enabled'
Scored. To implement the recommended configuration state, set the following Group Policy setting to 1:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Devices: Prevent users from installing printer drivers
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers:AddPrinterDrivers
CCE-2789-6
1.1.1.1.2.57 Set 'Devices: Allowed to format and eject removable media' to 'Administrators and Interactive Users'
Scored. To implement the recommended configuration state, set the following Group Policy setting to 2:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Devices: Allowed to format and eject removable media
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon:AllocateDASD
CCE-3111-2
1.1.1.1.2.67 Configure 'Shutdown: Allow system to be shut down without having to log on'
Not Scored. Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Shutdown: Allow system to be shut down without having to log on
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System:ShutdownWithoutLogon
CCE-2983-5
1.1.1.2 Event Log
1.1.1.2.6 Set 'Prevent local guests group from accessing security log' to 'Enabled'
Scored. To implement the recommended configuration state, set the following Group Policy setting to True:
Computer Configuration\Windows Settings\Security Settings\Event Log\Prevent local guests group from accessing security log
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2794-6
1.1.1.2.10 Set 'Prevent local guests group from accessing application log' to 'Enabled'
Scored. To implement the recommended configuration state, set the following Group Policy setting to True:
Computer Configuration\Windows Settings\Security Settings\Event Log\Prevent local guests group from accessing application log
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2116-2
1.1.1.2.11 Set 'Prevent local guests group from accessing system log' to 'Enabled'
Scored. To implement the recommended configuration state, set the following Group Policy setting to True:
Computer Configuration\Windows Settings\Security Settings\Event Log\Prevent local guests group from accessing system log
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2345-7
1.2.3.3.2.1 Connections
1.2.3.3.2.1.1 Configure 'Allow users to connect remotely using Remote Desktop Services'
Not Scored. Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections\Allow users to connect remotely using Remote Desktop Services
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services (the mapping gives no value name for this key; the entry reads 'Not Configured')
CCE-3028-8
IEC/TR 80001-2-2 Security Capability: Configuration of security features (CNFS)
Alignment Total: 37
1.1.1.1.2 Security Options
1.1.1.1.2.5 Configure 'System cryptography: Force strong key protection for user keys stored on the computer'
Not Scored. Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\System cryptography: Force strong key protection for user keys stored on the computer
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Cryptography:ForceKeyProtection
CCE-2992-6
1.1.1.1.2.14 Set 'Interactive logon: Do not require CTRL+ALT+DEL' to 'Disabled'
Scored. To implement the recommended configuration state, set the following Group Policy setting to 0:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Do not require CTRL+ALT+DEL
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System:DisableCAD
CCE-2891-0
1.1.1.1.2.15 Set 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' to 'Enabled'
Scored. To implement the recommended configuration state, set the following Group Policy setting to 1:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager:SafeDllSearchMode
CCE-2841-5
1.1.1.1.2.19 Configure 'System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing'
Not Scored. Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa:FIPSAlgorithmPolicy
CCE-3084-1
1.1.1.1.2.20 Set 'Microsoft network client: Send unencrypted password to third-party SMB servers' to 'Disabled'
Scored. To implement the recommended configuration state, set the following Group Policy setting to 0:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network client: Send unencrypted password to third-party SMB servers
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters:EnablePlainTextPassword
CCE-3049-4
1.1.1.1.2.25 Configure 'MSS: (SynAttackProtect) Syn attack protection level (protects against DoS)'
Not Scored. Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\MSS: (SynAttackProtect) Syn attack protection level (protects against DoS)
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters:SynAttackProtect
CCE-2916-5
1.1.1.1.2.43 Set 'Interactive logon: Smart card removal behavior' to 'Lock Workstation'
Scored. To implement the recommended configuration state, set the following Group Policy setting to 1:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Smart card removal behavior
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon:scremoveoption
CCE-3133-6
1.1.1.1.2.44 Set 'Network security: Do not store LAN Manager hash value on next password change' to 'Enabled'
Scored. To implement the recommended configuration state, set the following Group Policy setting to 1:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Do not store LAN Manager hash value on next password change
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa:NoLMHash
CCE-2993-4
1.1.1.1.2.48 Set 'Network access: Do not allow storage of credentials or .NET Passports for network authentication' to 'Enabled'
Scored. To implement the recommended configuration state, set the following Group Policy setting to 1:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Do not allow storage of credentials or .NET Passports for network authentication
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa:DisableDomainCreds
CCE-3088-2
1.1.1.1.2.64 Set 'Interactive logon: Prompt user to change password before expiration' to '14'
Scored. To implement the recommended configuration state, set the following Group Policy setting to 14:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Prompt user to change password before expiration
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon:passwordexpirywarning
CCE-2701-1
1.1.1.4.1 Password Policy
1.1.1.4.1.5 Set 'Store passwords using reversible encryption' to 'Disabled'
Scored. To implement the recommended configuration state, set the following Group Policy setting to False:
Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\Store passwords using reversible encryption
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2889-4
1.2.1.1.1.1 Standard Profile
1.2.1.1.1.1.1 Set 'Windows Firewall: Allow ICMP exceptions' to 'Disabled'
Scored. To implement the recommended configuration state, set the following Group Policy setting to Disabled:
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile\Windows Firewall: Allow ICMP exceptions
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\IcmpSettings:AllowOutboundParameterProblem
CCE-3081-7
1.2.1.1.1.1.2 Set 'Windows Firewall: Allow inbound Remote Desktop exceptions' to 'Disabled'
Scored. To implement the recommended configuration state, set the following Group Policy setting to Disabled:
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile\Windows Firewall: Allow inbound Remote Desktop exceptions
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\Services\RemoteDesktop:Enabled
CCE-3213-6
1.2.1.1.1.1.3 Configure 'Windows Firewall: Prohibit notifications'
Not Scored. Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile\Windows Firewall: Prohibit notifications
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile:DisableNotifications
CCE-3134-4
1.2.1.1.1.1.4 Set 'Windows Firewall: Prohibit unicast response to multicast or broadcast requests' to 'Enabled'
Scored. To implement the recommended configuration state, set the following Group Policy setting to Enabled:
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile\Windows Firewall: Prohibit unicast response to multicast or broadcast requests
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile:DisableUnicastResponsesToMulticastBroadcast
CCE-3103-9
1.2.1.1.1.1.5 Set 'Windows Firewall: Allow inbound remote administration exception' to 'Disabled'
Scored. To implement the recommended configuration state, set the following Group Policy setting to Disabled:
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile\Windows Firewall: Allow inbound remote administration exception
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\RemoteAdminSettings:Enabled
CCE-2954-6
1.2.1.1.1.1.6 Configure 'Windows Firewall: Do not allow exceptions'
Not Scored. Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile\Windows Firewall: Do not allow exceptions
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile:DoNotAllowExceptions
CCE-3179-9
1.2.1.1.1.1.7 Set 'Windows Firewall: Allow inbound file and printer sharing exception' to 'Disabled'
Scored. To implement the recommended configuration state, set the following Group Policy setting to Disabled:
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile\Windows Firewall: Allow inbound file and printer sharing exception
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\Services\FileAndPrint:Enabled
CCE-3262-3
1.2.1.1.1.1.8 Set 'Windows Firewall: Allow local port exceptions' to 'Disabled'
Scored. To implement the recommended configuration state, set the following Group Policy setting to Disabled:
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile\Windows Firewall: Allow local port exceptions
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\GloballyOpenPorts:AllowUserPrefMerge
CCE-2989-2
1.2.1.1.1.1.9 Configure 'Windows Firewall: Define inbound port exceptions'
Not Scored. Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile\Windows Firewall: Define inbound port exceptions
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\GloballyOpenPorts:Enabled
CCE-3231-8
1.2.1.1.1.1.10 Configure 'Windows Firewall: Define inbound program exceptions'
Not Scored. Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile\Windows Firewall: Define inbound program exceptions
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\AuthorizedApplications:Enabled
CCE-00000-0
1.2.1.1.1.1.11 Set 'Windows Firewall: Allow inbound UPnP framework exceptions' to 'Disabled'
Scored. To implement the recommended configuration state, set the following Group Policy setting to Disabled:
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile\Windows Firewall: Allow inbound UPnP framework exceptions
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\Services\UPnPFramework:Enabled
CCE-3235-9
1.2.1.1.1.1.12 Set 'Windows Firewall: Protect all network connections' to 'Enabled'
Scored. To implement the recommended configuration state, set the following Group Policy setting to Enabled:
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile\Windows Firewall: Protect all network connections
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile:EnableFirewall
CCE-3284-7
1.2.1.1.1.1.13 Configure 'Windows Firewall: Allow local program exceptions'
Not Scored. Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile\Windows Firewall: Allow local program exceptions
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\AuthorizedApplications:AllowUserPrefMerge
CCE-3183-1
1.2.1.1.1.2 Domain Profile
1.2.1.1.1.2.1 Set 'Windows Firewall: Allow ICMP exceptions' to 'Disabled'
Scored. To implement the recommended configuration state, set the following Group Policy setting to Disabled:
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile\Windows Firewall: Allow ICMP exceptions
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\IcmpSettings:AllowInboundRouterRequest
CCE-3141-9
1.2.1.1.1.2.2 Set 'Windows Firewall: Allow local program exceptions' to 'Disabled'
Scored. To implement the recommended configuration state, set the following Group Policy setting to Disabled:
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile\Windows Firewall: Allow local program exceptions
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\AuthorizedApplications:AllowUserPrefMerge
CCE-2828-2
1.2.1.1.1.2.3 Set 'Windows Firewall: Allow inbound UPnP framework exceptions' to 'Disabled'
Scored. To implement the recommended configuration state, set the following Group Policy setting to Disabled:
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile\Windows Firewall: Allow inbound UPnP framework exceptions
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Services\UPnPFramework:Enabled
CCE-3176-5
1.2.1.1.1.2.4 Configure 'Windows Firewall: Define inbound port exceptions'
Not Scored. Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile\Windows Firewall: Define inbound port exceptions
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\GloballyOpenPorts:Enabled
CCE-2866-2
1.2.1.1.1.2.5 Configure 'Windows Firewall: Define inbound program exceptions'
Not Scored. Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile\Windows Firewall: Define inbound program exceptions
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\AuthorizedApplications:Enabled
CCE-8515-9
1.2.1.1.1.2.6 Configure 'Windows Firewall: Prohibit notifications'
Not Scored. Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile\Windows Firewall: Prohibit notifications
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile:DisableNotifications
CCE-3198-9
1.2.1.1.1.2.7 Set 'Windows Firewall: Prohibit unicast response to multicast or broadcast requests' to 'Enabled'
Scored. To implement the recommended configuration state, set the following Group Policy setting to Enabled:
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile\Windows Firewall: Prohibit unicast response to multicast or broadcast requests
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile:DisableUnicastResponsesToMulticastBroadcast
CCE-2972-8
1.2.1.1.1.2.8 Set 'Windows Firewall: Allow inbound remote administration exception' to 'Disabled'
Scored. To implement the recommended configuration state, set the following Group Policy setting to Disabled:
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile\Windows Firewall: Allow inbound remote administration exception
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\RemoteAdminSettings:Enabled
CCE-2476-0
1.2.1.1.1.2.9 Configure 'Windows Firewall: Do not allow exceptions'
Not Scored. Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile\Windows Firewall: Do not allow exceptions
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile:DoNotAllowExceptions
CCE-3194-8
1.2.1.1.1.2.10 Set 'Windows Firewall: Protect all network connections' to 'Enabled'
Scored. To implement the recommended configuration state, set the following Group Policy setting to Enabled:
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile\Windows Firewall: Protect all network connections
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile:EnableFirewall
CCE-3154-2
1.2.1.1.1.2.11 Set 'Windows Firewall: Allow inbound Remote Desktop exceptions' to 'Disabled'
Scored. To implement the recommended configuration state, set the following Group Policy setting to Disabled:
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile\Windows Firewall: Allow inbound Remote Desktop exceptions
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Services\RemoteDesktop:Enabled
CCE-3304-3
1.2.1.1.1.2.12 Set 'Windows Firewall: Allow inbound file and printer sharing exception' to 'Disabled'
Scored. To implement the recommended configuration state, set the following Group Policy setting to Disabled:
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile\Windows Firewall: Allow inbound file and printer sharing exception
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Services\FileAndPrint:Enabled
CCE-3247-4
65
IEC/TR 80001-2-2 Security Capability: Configuration of security features (CNFS)
Columns: Recommendation # | CIS Benchmark Section Title | Scored or Not Scored? | CIS Benchmark Remediation Procedure | CIS Benchmark Audit Procedure | CCE-ID
Complete details on Description, Rationale and Impact for each security configuration recommendation are contained in the full CIS Microsoft Windows XP Benchmark v3.1.0, available at: https://benchmarks.cisecurity.org/downloads/show-single/?file=winxp.310
CIS MS Win XP Pro Benchmark v3.1.0
1.2.1.1.1.2.13 Set 'Windows Firewall: Allow local port exceptions' to 'Disabled'
X Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Disabled.
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile\Windows Firewall: Allow local port exceptions
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\GloballyOpenPorts:AllowUserPrefMerge
CCE-3258-1
IEC/TR 80001-2-2 Security Capability: Cyber security product upgrades (CSUP)
Alignment Total 8

1.2.3.1 Windows Update

1.2.3.1.1 Set 'Configure Automatic Updates' to '3 - Auto download and notify for install'
X Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 3 - Auto download and notify for install.
Computer Configuration\Administrative Templates\Windows Components\Windows Update\AutoUpdateMode
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU:NoAutoUpdate
CCE-7528-3

1.2.3.1.2 Set 'Reschedule Automatic Updates scheduled installations' to 'Enabled:10'
X Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Enabled. Then set the available option to 10.
Computer Configuration\Administrative Templates\Windows Components\Windows Update\Reschedule Automatic Updates scheduled installations
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU:RescheduleWaitTimeEnabled
CCE-8406-1

1.2.3.1.3 Set 'No auto-restart with logged on users for scheduled automatic updates installations' to 'Disabled'
X Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Disabled.
Computer Configuration\Administrative Templates\Windows Components\Windows Update\No auto-restart with logged on users for scheduled automatic updates installations
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU:NoAutoRebootWithLoggedOnUsers
CCE-8375-8

1.2.3.1.4 Set 'Do not display 'Install Updates and Shut Down' option in Shut Down Windows dialog box' to 'Disabled'
X Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Disabled.
Computer Configuration\Administrative Templates\Windows Components\Windows Update\Do not display 'Install Updates and Shut Down' option in Shut Down Windows dialog box
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU:NoAUShutdownOption
CCE-8400-4

1.2.3.1.5 Set 'Do not adjust default option to 'Install Updates and Shut Down' in Shut Down Windows dialog box' to 'Disabled'
X Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Disabled.
Computer Configuration\Administrative Templates\Windows Components\Windows Update\Do not adjust default option to 'Install Updates and Shut Down' in Shut Down Windows dialog box
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU:NoAUAsDefaultShutdownOption
CCE-8574-6

1.2.3.1.6 Configure 'Specify intranet Microsoft update service location'
X Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Administrative Templates\Windows Components\Windows Update\Specify intranet Microsoft update service location
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate:WUServer
CCE-00000-0
1.2.3.1.7 Configure 'Set the intranet statistics server'
X Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Administrative Templates\Windows Components\Windows Update:Set the intranet statistics server
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate:WUServer
CCE-00000-0

1.2.3.1.8 Configure 'Set the intranet update service for detecting updates'
X Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Administrative Templates\Windows Components\Windows Update:Set the intranet update service for detecting updates
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate:WUServer
CCE-00000-0
IEC/TR 80001-2-2 Security Capability: Data backup and disaster recovery (DTBK)
Alignment Total 5

1.1.1.1.1 User Rights Assignment

1.1.1.1.1.16 Configure 'Back up files and directories'
X Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Back up files and directories
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization.
CCE-2299-6

1.1.1.1.1.17 Configure 'Restore files and directories'
X Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Restore files and directories
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization.
CCE-2847-2

1.1.1.1.2 Security Options

1.1.1.1.2.10 Configure 'Audit: Audit the use of Backup and Restore privilege'
X Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Audit: Audit the use of Backup and Restore privilege
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa:fullprivilegeauditing
CCE-2955-3

1.1.1.1.2.58 Configure 'Recovery console: Allow floppy copy and access to all drives and all folders'
X Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Recovery console: Allow floppy copy and access to all drives and all folders
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole:setcommand
CCE-2957-9

1.1.1.1.2.68 Set 'Recovery console: Allow automatic administrative logon' to 'Disabled'
X Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 0.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Recovery console: Allow automatic administrative logon
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole:securitylevel
CCE-2935-5
IEC/TR 80001-2-2 Security Capability: Malware detection/protection (MLDP)
Alignment Total 6

1.1.1.1.2 Security Options

1.1.1.1.2.4 Configure 'System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies'
X Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers:AuthenticodeEnabled
CCE-2723-5

1.1.1.1.2.15 Set 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' to 'Enabled'
X Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 1.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager:SafeDllSearchMode
CCE-2841-5

1.2.3.4 AutoPlay Policies

1.2.3.4.1 Set 'Turn off Autoplay' to 'Enabled:All drives'
X Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Enabled. Then set the available option to All drives.
Computer Configuration\Administrative Templates\Windows Components\AutoPlay Policies\Turn off Autoplay
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer:NoDriveTypeAutoRun
CCE-2710-2

2.1.2.2 Attachment Manager

2.1.2.2.1 Set 'Hide mechanisms to remove zone information' to 'Enabled'
X Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Enabled.
User Configuration\Administrative Templates\Windows Components\Attachment Manager\Hide mechanisms to remove zone information
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments:HideZoneInfoOnProperties
CCE-5042-7

2.1.2.2.2 Set 'Notify antivirus programs when opening attachments' to 'Enabled'
X Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Enabled.
User Configuration\Administrative Templates\Windows Components\Attachment Manager\Notify antivirus programs when opening attachments
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments:ScanWithAntiVirus
CCE-5059-1

2.1.2.2.3 Set 'Do not preserve zone information in file attachments' to 'Disabled'
X Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Disabled.
User Configuration\Administrative Templates\Windows Components\Attachment Manager\Do not preserve zone information in file attachments
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments:SaveZoneInformation
CCE-4412-3
IEC/TR 80001-2-2 Security Capability: Node authentication (NAUT)
Alignment Total 12

1.1.1.1.2 Security Options

1.1.1.1.2.2 Set 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' to 'Require message integrity, Require message confidentiality, Require NTLMv2 session security, Require 128-bit encryption'
X Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 537395248.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Minimum session security for NTLM SSP based (including secure RPC) servers
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0:NTLMMinServerSec
CCE-2799-5

1.1.1.1.2.6 Set 'Domain member: Digitally encrypt or sign secure channel data (always)' to 'Enabled'
X Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 1.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Domain member: Digitally encrypt or sign secure channel data (always)
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters:requiresignorseal
CCE-3097-3

1.1.1.1.2.8 Set 'Domain member: Digitally encrypt secure channel data (when possible)' to 'Enabled'
X Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 1.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Domain member: Digitally encrypt secure channel data (when possible)
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters:sealsecurechannel
CCE-7598-6

1.1.1.1.2.17 Set 'Domain member: Digitally sign secure channel data (when possible)' to 'Enabled'
X Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 1.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Domain member: Digitally sign secure channel data (when possible)
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters:signsecurechannel
CCE-3000-7

1.1.1.1.2.18 Set 'Domain member: Maximum machine account password age' to '30'
X Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 30.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Domain member: Maximum machine account password age
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-3018-9

1.1.1.1.2.20 Set 'Microsoft network client: Send unencrypted password to third-party SMB servers' to 'Disabled'
X Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 0.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network client: Send unencrypted password to third-party SMB servers
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters:EnablePlainTextPassword
CCE-3049-4
1.1.1.1.2.22 Set 'Domain member: Disable machine account password changes' to 'Disabled'
X Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 0.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Domain member: Disable machine account password changes
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters:disablepasswordchange
CCE-2313-5

1.1.1.1.2.29 Set 'Network security: LAN Manager authentication level' to 'Send NTLMv2 response only. Refuse LM & NTLM'
X Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 5.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network security: LAN Manager authentication level
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa:LmCompatibilityLevel
CCE-2926-4

1.1.1.1.2.39 Set 'Microsoft network client: Digitally sign communications (if server agrees)' to 'Enabled'
X Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 1.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network client: Digitally sign communications (if server agrees)
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters:EnableSecuritySignature
CCE-2802-7

1.1.1.1.2.45 Set 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' to 'Require message integrity, Require message confidentiality, Require NTLMv2 session security, Require 128-bit encryption'
X Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 537395248.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Minimum session security for NTLM SSP based (including secure RPC) clients
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0:NTLMMinClientSec
CCE-3156-7

1.2.2.1 Remote Procedure Call

1.2.2.1.1 Set 'Restrictions for Unauthenticated RPC clients' to 'Enabled:Authenticated'
X Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Enabled. Then set the available option to Authenticated.
Computer Configuration\Administrative Templates\System\Remote Procedure Call\Restrictions for Unauthenticated RPC clients
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Rpc:RestrictRemoteClients
CCE-3273-0

1.2.2.1.2 Set 'RPC Endpoint Mapper Client Authentication' to 'Enabled'
X Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Enabled.
Computer Configuration\Administrative Templates\System\Remote Procedure Call\RPC Endpoint Mapper Client Authentication
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Rpc:EnableAuthEpResolution
CCE-2956-1
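An added offline checker for the Node authentication (NAUT) rows above (an illustration written for this page, not CIS or Microsoft tooling). It decodes the 537395248 value of the two NTLM minimum session security rows into the four named requirements, using the documented MSV1_0 flag bits, and compares a constructed set of registry samples against the numeric expectations stated on this page; the registry paths are the ones quoted in the rows, and the sample host data is made up.

```python
"""Offline checker for the Node authentication (NAUT) registry values listed on
this page. Added illustration, not CIS or Microsoft tooling: expected values come
from the rows above; the registry samples below are constructed, not collected."""

# Bits behind 'Network security: Minimum session security for NTLM SSP based
# (including secure RPC) clients/servers' (NTLMMinClientSec / NTLMMinServerSec).
# These are the documented MSV1_0 flag values; the names match the row titles.
NTLM_SEC_FLAGS = {
    "Require message integrity": 0x00000010,
    "Require message confidentiality": 0x00000020,
    "Require NTLMv2 session security": 0x00080000,
    "Require 128-bit encryption": 0x20000000,
}

# The benchmark value 537395248 is 0x20080030: all four bits above set.
NTLM_MIN_SEC_REQUIRED = 537395248

# Registry keys quoted in the NAUT rows (HKEY_LOCAL_MACHINE hive).
LSA = r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa"
NETLOGON = r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters"
LANMANWS = r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters"

# "key:value" -> (expected DWORD, comparison). Only rows whose numeric value the
# page states are included; 'bits' means a bitmask test, 'eq' exact equality.
NAUT_CHECKS = {
    LSA + r"\MSV1_0:NTLMMinServerSec": (NTLM_MIN_SEC_REQUIRED, "bits"),
    LSA + r"\MSV1_0:NTLMMinClientSec": (NTLM_MIN_SEC_REQUIRED, "bits"),
    NETLOGON + ":requiresignorseal": (1, "eq"),
    NETLOGON + ":sealsecurechannel": (1, "eq"),
    NETLOGON + ":signsecurechannel": (1, "eq"),
    NETLOGON + ":disablepasswordchange": (0, "eq"),
    LANMANWS + ":EnablePlainTextPassword": (0, "eq"),
    LANMANWS + ":EnableSecuritySignature": (1, "eq"),
    LSA + ":LmCompatibilityLevel": (5, "eq"),
}


def decode_ntlm_min_sec(value):
    """Map an NTLMMin*Sec DWORD to {requirement name: enforced?}."""
    return {name: bool(value & bit) for name, bit in NTLM_SEC_FLAGS.items()}


def missing_ntlm_requirements(value):
    """Benchmark-required session-security bits that are clear in value."""
    return [name for name, on in decode_ntlm_min_sec(value).items() if not on]


def evaluate(sample):
    """Compare sampled registry values with the NAUT expectations.

    sample maps "key:value" to a DWORD, or to None when the value is absent.
    Returns (path, status, detail) tuples with status 'pass' or 'fail'.
    """
    findings = []
    for path, (expected, mode) in NAUT_CHECKS.items():
        actual = sample.get(path)
        if actual is None:
            # The benchmark wants each value set explicitly; an absent value
            # is reported rather than assumed to fall back to a safe default.
            findings.append((path, "fail", "value not present"))
        elif mode == "bits":
            # Test the four bits individually: a plain equality test against
            # 537395248 would misreport a value that has extra bits set too.
            missing = missing_ntlm_requirements(actual)
            if missing:
                findings.append((path, "fail", "missing: " + ", ".join(missing)))
            else:
                findings.append((path, "pass", "0x%08X" % actual))
        elif actual == expected:
            findings.append((path, "pass", str(actual)))
        else:
            findings.append((path, "fail", "expected %d, found %d" % (expected, actual)))
    return findings


def failing_paths(sample):
    """Paths from evaluate() whose status is 'fail', in check order."""
    return [path for path, status, _ in evaluate(sample) if status == "fail"]


# Constructed sample host (not real data): the server-side NTLM minimum lacks
# the integrity and confidentiality bits, plaintext SMB passwords are allowed,
# and LmCompatibilityLevel has never been set.
SAMPLE_HOST = {
    LSA + r"\MSV1_0:NTLMMinServerSec": 0x20080000,
    LSA + r"\MSV1_0:NTLMMinClientSec": 537395248,
    NETLOGON + ":requiresignorseal": 1,
    NETLOGON + ":sealsecurechannel": 1,
    NETLOGON + ":signsecurechannel": 1,
    NETLOGON + ":disablepasswordchange": 0,
    LANMANWS + ":EnablePlainTextPassword": 1,
    LANMANWS + ":EnableSecuritySignature": 1,
}

if __name__ == "__main__":
    for path, status, detail in evaluate(SAMPLE_HOST):
        print("%-4s %s  (%s)" % (status.upper(), path.split("\\")[-1], detail))
```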
IEC/TR 80001-2-2 Security Capability: Person authentication (PAUT)
Alignment Total 24

1.1.1.1.1 User Rights Assignment

1.1.1.1.1.30 Set 'Impersonate a client after authentication' to 'Administrators, SERVICE, Local Service, Network Service'
X Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Administrators, SERVICE, Local Service, Network Service.
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Impersonate a client after authentication
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2737-5

1.1.1.1.2 Security Options

1.1.1.1.2.3 Configure 'Network access: Restrict anonymous access to Named Pipes and Shares'
X Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Restrict anonymous access to Named Pipes and Shares
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters:restrictnullsessaccess
CCE-2834-0

1.1.1.1.2.9 Set 'Interactive logon: Require Domain Controller authentication to unlock workstation' to 'Enabled'
X Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 1.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Require Domain Controller authentication to unlock workstation
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon:ForceUnlockLogon
CCE-3172-4

1.1.1.1.2.14 Set 'Interactive logon: Do not require CTRL+ALT+DEL' to 'Disabled'
X Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 0.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Do not require CTRL+ALT+DEL
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System:DisableCAD
CCE-2891-0

1.1.1.1.2.21 Set 'Interactive logon: Number of previous logons to cache (in case domain controller is not available)' to '2'
X Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 2.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Number of previous logons to cache (in case domain controller is not available)
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon:cachedlogonscount
CCE-3106-2

1.1.1.1.2.23 Set 'Network access: Sharing and security model for local accounts' to 'Classic - local users authenticate as themselves'
X Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 0.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Sharing and security model for local accounts
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa:ForceGuest
CCE-3058-5
1.1.1.1.2.28 Set 'Network access: Shares that can be accessed anonymously' to 'comcfg, dfs$'
  PAUT: X | Scored/Not Scored: Scored
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to comcfg, dfs$.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Shares that can be accessed anonymously
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters:NullSessionShares
  CCE-ID: CCE-3036-1

1.1.1.1.2.35 Set 'Accounts: Limit local account use of blank passwords to console logon only' to 'Enabled'
  PAUT: X | Scored/Not Scored: Scored
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to 1.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Accounts: Limit local account use of blank passwords to console logon only
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa:LimitBlankPasswordUse
  CCE-ID: CCE-2344-0

1.1.1.1.2.43 Set 'Interactive logon: Smart card removal behavior' to 'Lock Workstation'
  PAUT: X | Scored/Not Scored: Scored
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to 1.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Smart card removal behavior
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon:scremoveoption
  CCE-ID: CCE-3133-6

1.1.1.1.2.46 Set 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' to 'Disabled'
  PAUT: X | Scored/Not Scored: Scored
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to 0.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon:AutoAdminLogon
  CCE-ID: CCE-2776-3

1.1.1.1.2.54 Set 'Accounts: Guest account status' to 'Disabled'
  PAUT: X | Scored/Not Scored: Scored
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to 0.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Accounts: Guest account status
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
  CCE-ID: CCE-3040-3

1.1.1.1.2.62 Configure 'Interactive logon: Require smart card'
  PAUT: X | Scored/Not Scored: Not Scored
  Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
    Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Require smart card
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System:scforceoption
  CCE-ID: CCE-3186-4

1.1.1.1.2.64 Set 'Interactive logon: Prompt user to change password before expiration' to '14'
  PAUT: X | Scored/Not Scored: Scored
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to 14.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Prompt user to change password before expiration
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon:passwordexpirywarning
  CCE-ID: CCE-2701-1
74
IEC/TR 80001-2-2 Security Capability: Person authentication (PAUT)
Complete details on Description, Rationale and Impact for each security configuration recommendation are contained in the full CIS Microsoft Windows XP Benchmark v3.1.0, available at: https://benchmarks.cisecurity.org/downloads/show-single/?file=winxp.310
Columns: CIS MS Win XP Pro Benchmark v3.1.0 Recommendation # | CIS Benchmark Section Title | Scored or Not Scored? | CIS Benchmark Remediation Procedure | CIS Benchmark Audit Procedure | CCE-ID
1.1.1.1.2.68 Set 'Recovery console: Allow automatic administrative logon' to 'Disabled'
  PAUT: X | Scored/Not Scored: Scored
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to 0.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Recovery console: Allow automatic administrative logon
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole:securitylevel
  CCE-ID: CCE-2935-5

1.1.1.4.1 Password Policy

1.1.1.4.1.1 Set 'Password must meet complexity requirements' to 'Enabled'
  PAUT: X | Scored/Not Scored: Scored
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to True.
    Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\Password must meet complexity requirements
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
  CCE-ID: CCE-2735-9

1.1.1.4.1.2 Set 'Minimum password length' to '14'
  PAUT: X | Scored/Not Scored: Scored
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to 14.
    Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\Minimum password length
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
  CCE-ID: CCE-2981-9

1.1.1.4.1.3 Set 'Enforce password history' to '24'
  PAUT: X | Scored/Not Scored: Scored
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to 24.
    Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\Enforce password history
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
  CCE-ID: CCE-2994-2

1.1.1.4.1.4 Set 'Maximum password age' to '60' or less
  PAUT: X | Scored/Not Scored: Scored
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to 60 or less.
    Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\Maximum password age
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
  CCE-ID: CCE-2920-7

1.1.1.4.1.6 Set 'Minimum password age' to '1' or higher
  PAUT: X | Scored/Not Scored: Scored
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to 1 or higher.
    Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\Minimum password age
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
  CCE-ID: CCE-2439-8

1.1.1.4.2 Account Lockout Policy

1.1.1.4.2.1 Set 'Account lockout threshold' to '50' or less
  PAUT: X | Scored/Not Scored: Scored
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to 50 or less.
    Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policy\Account lockout threshold
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
  CCE-ID: CCE-2986-8
75
1.1.1.4.2.2 Set 'Reset account lockout counter after' to '15' or higher
  PAUT: X | Scored/Not Scored: Scored
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to 15 or higher.
    Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policy\Reset account lockout counter after
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
  CCE-ID: CCE-2466-1

1.1.1.4.2.3 Set 'Account lockout duration' to '15' or higher
  PAUT: X | Scored/Not Scored: Scored
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to 15 or higher.
    Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policy\Account lockout duration
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
  CCE-ID: CCE-2928-0

1.2.3.3.2.3 Security

1.2.3.3.2.3.1 Set 'Always prompt for password upon connection' to 'Enabled'
  PAUT: X | Scored/Not Scored: Scored
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to Enabled.
    Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security\Always prompt for password upon connection
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services:fPromptForPassword
  CCE-ID: CCE-2949-6

2.1.1.1 Power Management

2.1.1.1.1 Set 'Prompt for password on resume from hibernate / suspend' to 'Enabled'
  PAUT: X | Scored/Not Scored: Scored
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to Enabled.
    User Configuration\Administrative Templates\System\Power Management\Prompt for password on resume from hibernate / suspend
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
    HKEY_USERS\Software\Policies\Microsoft\Windows\System\Power:PromptPasswordOnResume
  CCE-ID: CCE-4390-1
76
IEC/TR 80001-2-2 Security Capability: Transmission confidentiality (TXCF)
Alignment Total: 8
1.1.1.1.2 Security Options

1.1.1.1.2.2 Set 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' to 'Require message integrity, Require message confidentiality, Require NTLMv2 session security, Require 128-bit encryption'
  TXCF: X | Scored/Not Scored: Scored
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to 537395248.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Minimum session security for NTLM SSP based (including secure RPC) servers
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0:NTLMMinServerSec
  CCE-ID: CCE-2799-5

1.1.1.1.2.6 Set 'Domain member: Digitally encrypt or sign secure channel data (always)' to 'Enabled'
  TXCF: X | Scored/Not Scored: Scored
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to 1.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Domain member: Digitally encrypt or sign secure channel data (always)
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters:requiresignorseal
  CCE-ID: CCE-3097-3

1.1.1.1.2.7 Set 'Domain member: Require strong (Windows 2000 or later) session key' to 'Enabled'
  TXCF: X | Scored/Not Scored: Scored
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to 1.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Domain member: Require strong (Windows 2000 or later) session key
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters:requirestrongkey
  CCE-ID: CCE-3151-8

1.1.1.1.2.8 Set 'Domain member: Digitally encrypt secure channel data (when possible)' to 'Enabled'
  TXCF: X | Scored/Not Scored: Scored
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to 1.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Domain member: Digitally encrypt secure channel data (when possible)
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters:sealsecurechannel
  CCE-ID: CCE-7598-6

1.1.1.1.2.19 Configure 'System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing'
  TXCF: X | Scored/Not Scored: Not Scored
  Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
    Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa:FIPSAlgorithmPolicy
  CCE-ID: CCE-3084-1

1.1.1.1.2.20 Set 'Microsoft network client: Send unencrypted password to third-party SMB servers' to 'Disabled'
  TXCF: X | Scored/Not Scored: Scored
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to 0.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network client: Send unencrypted password to third-party SMB servers
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters:EnablePlainTextPassword
  CCE-ID: CCE-3049-4
77
1.1.1.1.2.45 Set 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' to 'Require message integrity, Require message confidentiality, Require NTLMv2 session security, Require 128-bit encryption'
  TXCF: X | Scored/Not Scored: Scored
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to 537395248.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Minimum session security for NTLM SSP based (including secure RPC) clients
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0:NTLMMinClientSec
  CCE-ID: CCE-3156-7

1.2.3.3.2.3 Security

1.2.3.3.2.3.2 Set 'Set client connection encryption level' to 'Enabled: High Level'
  TXCF: X | Scored/Not Scored: Scored
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to Enabled. Then set the available option to High Level.
    Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security\Set client connection encryption level
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services:MinEncryptionLevel
  CCE-ID: CCE-3116-1
78
IEC/TR 80001-2-2 Security Capability: Transmission integrity (TXIG)
Alignment Total: 12
1.1.1.1.2 Security Options

1.1.1.1.2.1 Configure 'Domain controller: LDAP server signing requirements'
  TXIG: X | Scored/Not Scored: Not Scored
  Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
    Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Domain controller: LDAP server signing requirements
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters:ldapserverintegrity
  CCE-ID: CCE-2551-0

1.1.1.1.2.2 Set 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' to 'Require message integrity, Require message confidentiality, Require NTLMv2 session security, Require 128-bit encryption'
  TXIG: X | Scored/Not Scored: Scored
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to 537395248.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Minimum session security for NTLM SSP based (including secure RPC) servers
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0:NTLMMinServerSec
  CCE-ID: CCE-2799-5

1.1.1.1.2.6 Set 'Domain member: Digitally encrypt or sign secure channel data (always)' to 'Enabled'
  TXIG: X | Scored/Not Scored: Scored
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to 1.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Domain member: Digitally encrypt or sign secure channel data (always)
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters:requiresignorseal
  CCE-ID: CCE-3097-3

1.1.1.1.2.7 Set 'Domain member: Require strong (Windows 2000 or later) session key' to 'Enabled'
  TXIG: X | Scored/Not Scored: Scored
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to 1.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Domain member: Require strong (Windows 2000 or later) session key
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters:requirestrongkey
  CCE-ID: CCE-3151-8

1.1.1.1.2.12 Set 'Microsoft network client: Digitally sign communications (always)' to 'Enabled'
  TXIG: X | Scored/Not Scored: Scored
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to 1.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network client: Digitally sign communications (always)
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters:RequireSecuritySignature
  CCE-ID: CCE-3027-0

1.1.1.1.2.17 Set 'Domain member: Digitally sign secure channel data (when possible)' to 'Enabled'
  TXIG: X | Scored/Not Scored: Scored
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to 1.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Domain member: Digitally sign secure channel data (when possible)
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters:signsecurechannel
  CCE-ID: CCE-3000-7
79
1.1.1.1.2.19 Configure 'System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing'
  TXIG: X | Scored/Not Scored: Not Scored
  Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
    Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa:FIPSAlgorithmPolicy
  CCE-ID: CCE-3084-1

1.1.1.1.2.39 Set 'Microsoft network client: Digitally sign communications (if server agrees)' to 'Enabled'
  TXIG: X | Scored/Not Scored: Scored
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to 1.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network client: Digitally sign communications (if server agrees)
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters:EnableSecuritySignature
  CCE-ID: CCE-2802-7

1.1.1.1.2.45 Set 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' to 'Require message integrity, Require message confidentiality, Require NTLMv2 session security, Require 128-bit encryption'
  TXIG: X | Scored/Not Scored: Scored
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to 537395248.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Minimum session security for NTLM SSP based (including secure RPC) clients
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0:NTLMMinClientSec
  CCE-ID: CCE-3156-7

1.1.1.1.2.49 Set 'Microsoft network server: Digitally sign communications (always)' to 'Enabled'
  TXIG: X | Scored/Not Scored: Scored
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to 1.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network server: Digitally sign communications (always)
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters:requiresecuritysignature
  CCE-ID: CCE-3053-6

1.1.1.1.2.61 Set 'Network security: LDAP client signing requirements' to 'Negotiate signing'
  TXIG: X | Scored/Not Scored: Scored
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to 1.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network security: LDAP client signing requirements
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP:LDAPClientIntegrity
  CCE-ID: CCE-2991-8

1.1.1.1.2.65 Set 'Microsoft network server: Digitally sign communications (if client agrees)' to 'Enabled'
  TXIG: X | Scored/Not Scored: Scored
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to 1.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network server: Digitally sign communications (if client agrees)
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters:enablesecuritysignature
  CCE-ID: CCE-2688-0
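As an added example (not part of the CIS/MDISS mapping document or the CIS benchmark itself), the following PowerShell script reads the registry values that back the scored TXCF and TXIG rows above, reports Not Configured values as findings, and decodes a non-compliant NTLMMinServerSec/NTLMMinClientSec value into whichever of the four 'Require ...' options it fails to enforce. Registry locations and expected values are those listed in the rows; the NTLM flag bit constants are the documented NTLM SSP negotiate flags and are an assumption, since the page states the prescribed value 537395248 but not its bit breakdown.

```powershell
# Added audit example; not the CIS/MDISS document's own code.
# Registry locations and expected values come from the TXCF/TXIG rows above.
# The NTLM flag bits are the documented NTLM SSP negotiate flags (assumption: the
# page names the four options but not their bit values).
# 0x10 + 0x20 + 0x80000 + 0x20000000 = 0x20080030 = 537395248, the prescribed value.
$NtlmRequireFlags = @(
    @{ Name = 'Require message integrity';       Bit = 0x00000010 },
    @{ Name = 'Require message confidentiality'; Bit = 0x00000020 },
    @{ Name = 'Require NTLMv2 session security'; Bit = 0x00080000 },
    @{ Name = 'Require 128-bit encryption';      Bit = 0x20000000 }
)

function Get-MissingNtlmRequirements([int]$Value) {
    # Names of the benchmark's 'Require ...' options that are NOT set in an NTLMMin*Sec value.
    $NtlmRequireFlags | Where-Object { ($Value -band $_.Bit) -ne $_.Bit } | ForEach-Object { $_.Name }
}

# Registry-backed checks from the rows above (HKEY_LOCAL_MACHINE written as the HKLM: drive).
$Checks = @(
    @{ Rec = '1.1.1.1.2.2';  Key = 'HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0';                    Name = 'NTLMMinServerSec';         Expected = 537395248 },
    @{ Rec = '1.1.1.1.2.45'; Key = 'HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0';                    Name = 'NTLMMinClientSec';         Expected = 537395248 },
    @{ Rec = '1.1.1.1.2.6';  Key = 'HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters';          Name = 'requiresignorseal';        Expected = 1 },
    @{ Rec = '1.1.1.1.2.7';  Key = 'HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters';          Name = 'requirestrongkey';         Expected = 1 },
    @{ Rec = '1.1.1.1.2.8';  Key = 'HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters';          Name = 'sealsecurechannel';        Expected = 1 },
    @{ Rec = '1.1.1.1.2.17'; Key = 'HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters';          Name = 'signsecurechannel';        Expected = 1 },
    @{ Rec = '1.1.1.1.2.12'; Key = 'HKLM:\System\CurrentControlSet\Services\LanmanWorkstation\Parameters'; Name = 'RequireSecuritySignature'; Expected = 1 },
    @{ Rec = '1.1.1.1.2.39'; Key = 'HKLM:\System\CurrentControlSet\Services\LanmanWorkstation\Parameters'; Name = 'EnableSecuritySignature';  Expected = 1 },
    @{ Rec = '1.1.1.1.2.20'; Key = 'HKLM:\System\CurrentControlSet\Services\LanmanWorkstation\Parameters'; Name = 'EnablePlainTextPassword';  Expected = 0 },
    @{ Rec = '1.1.1.1.2.49'; Key = 'HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters';      Name = 'requiresecuritysignature'; Expected = 1 },
    @{ Rec = '1.1.1.1.2.65'; Key = 'HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters';      Name = 'enablesecuritysignature';  Expected = 1 },
    @{ Rec = '1.1.1.1.2.61'; Key = 'HKLM:\System\CurrentControlSet\Services\LDAP';                         Name = 'LDAPClientIntegrity';      Expected = 1 }
)

function Test-CisRegistryCheck($Check) {
    # Read the value. An absent value means the policy is Not Configured; that is
    # reported as MISSING rather than silently treated as compliant.
    $item = Get-ItemProperty -Path $Check.Key -Name $Check.Name -ErrorAction SilentlyContinue
    $actual = $null
    if ($item -ne $null) { $actual = $item.($Check.Name) }

    $detail = ''
    if ($actual -eq $null) {
        $status = 'MISSING'
    } elseif ([int]$actual -eq [int]$Check.Expected) {
        $status = 'PASS'
    } else {
        $status = 'FAIL'
        if ($Check.Name -like 'NTLMMin*Sec') {
            # Name the benchmark options the current value leaves unenforced.
            $detail = 'Not enforced: ' + ((Get-MissingNtlmRequirements ([int]$actual)) -join '; ')
        }
    }
    New-Object PSObject -Property @{
        Recommendation = $Check.Rec; Value = $Check.Name; Expected = $Check.Expected
        Actual = $actual; Status = $status; Detail = $detail
    }
}

$Results = $Checks | ForEach-Object { Test-CisRegistryCheck $_ }
$Results | Format-Table Recommendation, Value, Expected, Actual, Status, Detail -AutoSize
# Non-zero exit when any row is not PASS, so the script can gate a build or inventory job.
if ($Results | Where-Object { $_.Status -ne 'PASS' }) { exit 1 }
```

The two Not Scored rows (FIPS algorithms, LDAP server signing) are deliberately left out because their prescribed value is organization-specific.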
80
3. Mapping of Scored (Only) CIS Microsoft Windows XP Benchmark v3.1.0 Recommendations to All Applicable IEC/TR 80001-2-2 Security Capabilities

Columns: CIS MS Win XP Pro Benchmark v3.1.0 Recommendation # | CIS Benchmark Section Title | IEC/TR 80001-2-2 Security Capabilities | Scored or Not Scored? | CIS Benchmark Remediation Procedure | CIS Benchmark Audit Procedure | CCE-ID
IEC/TR 80001-2-2 Security Capability columns (in order): ALOF, AUDT, AUTH, CNFS, CSUP, DTBK, MLDP, NAUT, PAUT, SAHD, TXCF, TXIG
Alignment Totals (same column order): 6, 19, 38, 26, 5, 1, 5, 12, 22, 156, 8, 11

1 Computer Configuration
1.1 Windows Settings
1.1.1 Security Settings
1.1.1.1 Local Policies
1.1.1.1.1 User Rights Assignment

1.1.1.1.1.2 Set 'Allow log on locally' to 'Administrators, Users'
  Capabilities: X X | Scored/Not Scored: Scored
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to Administrators, Users.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Allow log on locally
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
  CCE-ID: CCE-2829-0

1.1.1.1.1.3 Set 'Debug programs' to 'Administrators'
  Capabilities: X X | Scored/Not Scored: Scored
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to Administrators.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Debug programs
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
  CCE-ID: CCE-2864-7

1.1.1.1.1.5 Set 'Perform volume maintenance tasks' to 'Administrators'
  Capabilities: X X | Scored/Not Scored: Scored
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to Administrators.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Perform volume maintenance tasks
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
  CCE-ID: CCE-2960-3

1.1.1.1.1.6 Set 'Bypass traverse checking' to 'Administrators, Users, Local Service, Network Service'
  Capabilities: X X | Scored/Not Scored: Scored
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to Administrators, Users, Local Service, Network Service.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Bypass traverse checking
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
  CCE-ID: CCE-2806-8

1.1.1.1.1.9 Set 'Modify firmware environment values' to 'Administrators'
  Capabilities: X X | Scored/Not Scored: Scored
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to Administrators.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Modify firmware environment values
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
  CCE-ID: CCE-2657-5

1.1.1.1.1.10 Set 'Enable computer and user accounts to be trusted for delegation' to 'No One'
  Capabilities: X X | Scored/Not Scored: Scored
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to No One.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Enable computer and user accounts to be trusted for delegation
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
  CCE-ID: CCE-2982-7
81
1.1.1.1.1.11 Set 'Deny log on as a batch job' to 'Guests, Support_388945a0'
  Capabilities: X X | Scored/Not Scored: Scored
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to Guests, Support_388945a0.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny log on as a batch job
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
  CCE-ID: CCE-2898-5

1.1.1.1.1.13 Set 'Adjust memory quotas for a process' to 'Administrators, Local Service, Network Service'
  Capabilities: X X | Scored/Not Scored: Scored
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to Administrators, Local Service, Network Service.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Adjust memory quotas for a process
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
  CCE-ID: CCE-2547-8

1.1.1.1.1.15 Set 'Shut down the system' to 'Administrators, Users'
  Capabilities: X X | Scored/Not Scored: Scored
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to Administrators, Users.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Shut down the system
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
  CCE-ID: CCE-2366-3

1.1.1.1.1.18 Set 'Take ownership of files or other objects' to 'Administrators'
  Capabilities: X X | Scored/Not Scored: Scored
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to Administrators.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Take ownership of files or other objects
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
  CCE-ID: CCE-2021-4

1.1.1.1.1.19 Set 'Profile system performance' to 'Administrators'
  Capabilities: X X | Scored/Not Scored: Scored
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to Administrators.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Profile system performance
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
  CCE-ID: CCE-2675-7

1.1.1.1.1.21 Set 'Increase scheduling priority' to 'Administrators'
  Capabilities: X X | Scored/Not Scored: Scored
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to Administrators.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Increase scheduling priority
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
  CCE-ID: CCE-2944-7

1.1.1.1.1.22 Set 'Manage auditing and security log' to 'Administrators'
  Capabilities: X X X | Scored/Not Scored: Scored
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to Administrators.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Manage auditing and security log
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
  CCE-ID: CCE-2247-5

1.1.1.1.1.23 Set 'Deny log on locally' to 'Guests, Support_388945a0'
  Capabilities: X X | Scored/Not Scored: Scored
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to Guests, Support_388945a0.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny log on locally
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
  CCE-ID: CCE-2700-3
82
1.1.1.1.1.24 Set 'Create a pagefile' to 'Administrators'
  Capabilities: X X | Scored/Not Scored: Scored
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to Administrators.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Create a pagefile
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
  CCE-ID: CCE-2786-2

1.1.1.1.1.25 Set 'Access this computer from the network' to 'Users, Administrators'
  Capabilities: X X | Scored/Not Scored: Scored
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to Users, Administrators.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Access this computer from the network
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
  CCE-ID: CCE-2379-6

1.1.1.1.1.26 Set 'Lock pages in memory' to 'No One'
  Capabilities: X X | Scored/Not Scored: Scored
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to No One.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Lock pages in memory
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
  CCE-ID: CCE-2609-6

1.1.1.1.1.27 Set 'Deny access to this computer from the network' to 'Support_388945a0, Guests'
  Capabilities: X X | Scored/Not Scored: Scored
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to Support_388945a0, Guests.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny access to this computer from the network
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
  CCE-ID: CCE-1978-6

1.1.1.1.1.28 Set 'Generate security audits' to 'Local Service, Network Service'
  Capabilities: X X X | Scored/Not Scored: Scored
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to Local Service, Network Service.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Generate security audits
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
  CCE-ID: CCE-2767-2

1.1.1.1.1.30 Set 'Impersonate a client after authentication' to 'Administrators, SERVICE, Local Service, Network Service'
  Capabilities: X X X | Scored/Not Scored: Scored
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to Administrators, SERVICE, Local Service, Network Service.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Impersonate a client after authentication
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
  CCE-ID: CCE-2737-5
1.1.1.1.1.31 Set 'Replace a process level token' to 'Local Service, Network Service'
X X Scored To implement the recommended configuration state, set the following Group Policy setting to Local Service, Network Service.
!Computer ConfigurationWindows SettingsSecurity SettingsLocal PoliciesUser Rights AssignmentReplace a process level token
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2860-5
1.1.1.1.1.32 Set 'Load and unload device drivers' to 'Administrators' | X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Administrators.
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Load and unload device drivers
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2446-3
1.1.1.1.1.33 Set 'Act as part of the operating system' to 'No One' | X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to No One.
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Act as part of the operating system
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2167-5
1.1.1.1.1.36 Set 'Force shutdown from a remote system' to 'Administrators' | X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Administrators.
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Force shutdown from a remote system
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2886-0
1.1.1.1.1.37 Set 'Change the system time' to 'Administrators' | X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Administrators.
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Change the system time
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2846-4
1.1.1.1.2 Security Options
1.1.1.1.2.2 Set 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' to 'Require message integrity,Require message confidentiality,Require NTLMv2 session security,Require 128-bit encryption' | X X X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 537395248.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Minimum session security for NTLM SSP based (including secure RPC) servers
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0:NTLMMinServerSec
CCE-2799-5
1.1.1.1.2.6 Set 'Domain member: Digitally encrypt or sign secure channel data (always)' to 'Enabled' | X X X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 1.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Domain member: Digitally encrypt or sign secure channel data (always)
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters:requiresignorseal
CCE-3097-3
1.1.1.1.2.7 Set 'Domain member: Require strong (Windows 2000 or later) session key' to 'Enabled' | X X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 1.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Domain member: Require strong (Windows 2000 or later) session key
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters:requirestrongkey
CCE-3151-8
1.1.1.1.2.8 Set 'Domain member: Digitally encrypt secure channel data (when possible)' to 'Enabled' | X X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 1.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Domain member: Digitally encrypt secure channel data (when possible)
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters:sealsecurechannel
CCE-7598-6
1.1.1.1.2.9 Set 'Interactive logon: Require Domain Controller authentication to unlock workstation' to 'Enabled' | X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 1.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Require Domain Controller authentication to unlock workstation
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon:ForceUnlockLogon
CCE-3172-4
1.1.1.1.2.11 Set 'Accounts: Administrator account status' to 'Disabled' | X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 0.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Accounts: Administrator account status
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2943-9
1.1.1.1.2.12 Set 'Microsoft network client: Digitally sign communications (always)' to 'Enabled' | X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 1.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network client: Digitally sign communications (always)
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters:RequireSecuritySignature
CCE-3027-0
1.1.1.1.2.13 Set 'Network access: Let Everyone permissions apply to anonymous users' to 'Disabled' | X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 0.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Let Everyone permissions apply to anonymous users
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa:EveryoneIncludesAnonymous
CCE-3110-4
1.1.1.1.2.14 Set 'Interactive logon: Do not require CTRL+ALT+DEL' to 'Disabled' | X X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 0.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Do not require CTRL+ALT+DEL
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System:DisableCAD
CCE-2891-0
1.1.1.1.2.15 Set 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' to 'Enabled' | X X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 1.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager:SafeDllSearchMode
CCE-2841-5
1.1.1.1.2.16 Set 'Network access: Do not allow anonymous enumeration of SAM accounts' to 'Enabled' | X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 1.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Do not allow anonymous enumeration of SAM accounts
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa:RestrictAnonymousSAM
CCE-2147-7
1.1.1.1.2.17 Set 'Domain member: Digitally sign secure channel data (when possible)' to 'Enabled' | X X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 1.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Domain member: Digitally sign secure channel data (when possible)
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters:signsecurechannel
CCE-3000-7
1.1.1.1.2.18 Set 'Domain member: Maximum machine account password age' to '30' | X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 30.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Domain member: Maximum machine account password age
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-3018-9
1.1.1.1.2.19 Configure 'System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing' | X X X X | Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa:FIPSAlgorithmPolicy
CCE-3084-1
1.1.1.1.2.20 Set 'Microsoft network client: Send unencrypted password to third-party SMB servers' to 'Disabled' | X X X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 0.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network client: Send unencrypted password to third-party SMB servers
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters:EnablePlainTextPassword
CCE-3049-4
1.1.1.1.2.21 Set 'Interactive logon: Number of previous logons to cache (in case domain controller is not available)' to '2' | X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 2.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Number of previous logons to cache (in case domain controller is not available)
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon:cachedlogonscount
CCE-3106-2
1.1.1.1.2.22 Set 'Domain member: Disable machine account password changes' to 'Disabled' | X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 0.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Domain member: Disable machine account password changes
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters:disablepasswordchange
CCE-2313-5
1.1.1.1.2.23 Set 'Network access: Sharing and security model for local accounts' to 'Classic - local users authenticate as themselves' | X X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 0.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Sharing and security model for local accounts
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa:ForceGuest
CCE-3058-5
1.1.1.1.2.24 Set 'Network access: Allow anonymous SID/Name translation' to 'Disabled' | X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to False.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Allow anonymous SID/Name translation
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2973-6
1.1.1.1.2.26 Set 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' to 'Enabled' | X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 1.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Do not allow anonymous enumeration of SAM accounts and shares
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa:RestrictAnonymous
CCE-2804-3
1.1.1.1.2.28 Set 'Network access: Shares that can be accessed anonymously' to 'comcfg, dfs$' | X X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to comcfg, dfs$.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Shares that can be accessed anonymously
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters:NullSessionShares
CCE-3036-1
1.1.1.1.2.29 Set 'Network security: LAN Manager authentication level' to 'Send NTLMv2 response only. Refuse LM & NTLM' | X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 5.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network security: LAN Manager authentication level
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa:LmCompatibilityLevel
CCE-2926-4
1.1.1.1.2.31 Set 'Network access: Remotely accessible registry paths and sub-paths' as recommended | X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to: System\CurrentControlSet\Control\ProductOptions; System\CurrentControlSet\Control\Print\Printers; System\CurrentControlSet\Control\Server Applications; System\CurrentControlSet\Services\Eventlog; Software\Microsoft\OLAP Server; Software\Microsoft\Windows NT\CurrentVersion; System\CurrentControlSet\Control\ContentIndex; System\CurrentControlSet\Control\Terminal Server; System\CurrentControlSet\Control\Terminal Server\UserConfig; System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Remotely accessible registry paths and sub-paths
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths:Machine
CCE-3155-9
1.1.1.1.2.32 Set 'Microsoft network server: Amount of idle time required before suspending session' to '15' | X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 15.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network server: Amount of idle time required before suspending session
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters:autodisconnect
CCE-3157-5
1.1.1.1.2.34 Set 'Shutdown: Clear virtual memory pagefile' to 'Disabled' | X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 0.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Shutdown: Clear virtual memory pagefile
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management:ClearPageFileAtShutdown
CCE-3128-6
1.1.1.1.2.35 Set 'Accounts: Limit local account use of blank passwords to console logon only' to 'Enabled' | X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 1.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Accounts: Limit local account use of blank passwords to console logon only
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa:LimitBlankPasswordUse
CCE-2344-0
1.1.1.1.2.36 Set 'Devices: Unsigned driver installation behavior' to 'Warn but allow installation' | X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 01.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Devices: Unsigned driver installation behavior
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\Software\Microsoft\Driver Signing:Policy
CCE-3085-8
1.1.1.1.2.37 Set 'System objects: Default owner for objects created by members of the Administrators group' to 'Object creator' | X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 1.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\System objects: Default owner for objects created by members of the Administrators group
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa:nodefaultadminowner
CCE-2842-3
1.1.1.1.2.38 Set 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' to 'Highest protection, source routing is completely disabled' | X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 2.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters:DisableIPSourceRouting
CCE-3132-8
1.1.1.1.2.39 Set 'Microsoft network client: Digitally sign communications (if server agrees)' to 'Enabled' | X X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 1.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network client: Digitally sign communications (if server agrees)
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters:EnableSecuritySignature
CCE-2802-7
1.1.1.1.2.40 Set 'Interactive logon: Do not display last user name' to 'Enabled' | X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 1.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Do not display last user name
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System:DontDisplayLastUserName
CCE-2930-6
1.1.1.1.2.43 Set 'Interactive logon: Smart card removal behavior' to 'Lock Workstation' | X X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 1.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Smart card removal behavior
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon:scremoveoption
CCE-3133-6
1.1.1.1.2.44 Set 'Network security: Do not store LAN Manager hash value on next password change' to 'Enabled' | X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 1.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Do not store LAN Manager hash value on next password change
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa:NoLMHash
CCE-2993-4
1.1.1.1.2.45 Set 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' to 'Require message integrity,Require message confidentiality,Require NTLMv2 session security,Require 128-bit encryption' | X X X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 537395248.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Minimum session security for NTLM SSP based (including secure RPC) clients
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0:NTLMMinClientSec
CCE-3156-7
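The audit procedure for each registry-backed row is a manual UI check. As an added example (not CIS or MDISS tooling and not part of the benchmark), the Python below compares a secedit-style security template export against the Lsa, MSV1_0, LanmanWorkstation and Winlogon values prescribed in rows 1.1.1.1.2.2 through 1.1.1.1.2.45 above, and decodes the NTLMMinServerSec/NTLMMinClientSec value 537395248 into the four 'Require ...' options named in those rows. It assumes the [Registry Values] layout that secedit /export writes (MACHINE\key\value=type,data); the sample export is constructed.

```python
"""Added example (not CIS or MDISS tooling): compare a secedit-style security
template export against registry-backed rows of this benchmark mapping.

Assumption: the [Registry Values] section uses the layout secedit /export
writes, MACHINE\<key>\<value>=<type>,<data>, with type 4 = REG_DWORD and
type 1 = REG_SZ. The sample export below is constructed, not captured."""

# Prescribed data, taken from the registry locations the rows above list
# (value names keep the page's spelling; matching is case-insensitive).
EXPECTED = {
    r"MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinServerSec": 537395248,
    r"MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinClientSec": 537395248,
    r"MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel": 5,
    r"MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash": 1,
    r"MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous": 1,
    r"MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM": 1,
    r"MACHINE\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous": 0,
    r"MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnablePlainTextPassword": 0,
    r"MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\cachedlogonscount": "2",
}

# The four 'Require ...' options of NTLMMinServerSec/NTLMMinClientSec are bit
# flags; 537395248 is 0x20080030, i.e. all four set.
NTLM_FLAGS = {
    0x00000010: "Require message integrity",
    0x00000020: "Require message confidentiality",
    0x00080000: "Require NTLMv2 session security",
    0x20000000: "Require 128-bit encryption",
}

# Constructed sample: LmCompatibilityLevel still 3, NTLMMinServerSec missing the
# integrity and confidentiality bits, RestrictAnonymous absent altogether.
SAMPLE_EXPORT = r"""
[Unicode]
Unicode=yes
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,3
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinServerSec=4,537395200
MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinClientSec=4,537395248
MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnablePlainTextPassword=4,0
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount=1,"2"
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_registry_values(inf_text):
    """Return {lower-cased path: data} from [Registry Values]; DWORDs become int."""
    values = {}
    in_section = False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[registry values]"
            continue
        if not in_section or "=" not in line:
            continue
        path, rest = line.split("=", 1)
        reg_type, _, data = rest.partition(",")
        if reg_type.strip() == "4":               # REG_DWORD, written in decimal
            values[path.strip().lower()] = int(data.strip())
        else:                                      # REG_SZ and others: keep the string
            values[path.strip().lower()] = data.strip().strip('"')
    return values


def check_export(inf_text, expected=EXPECTED):
    """Return (path, prescribed, found) for every value missing or not as prescribed."""
    actual = parse_registry_values(inf_text)
    return [(path, want, actual.get(path.lower()))
            for path, want in expected.items()
            if actual.get(path.lower()) != want]


def missing_ntlm_requirements(value):
    """Name the 'Require ...' options an NTLMMin*Sec DWORD does not enforce."""
    return [name for bit, name in NTLM_FLAGS.items() if not value & bit]


if __name__ == "__main__":
    for path, want, got in check_export(SAMPLE_EXPORT):
        print(f"NOT AS PRESCRIBED: {path}\n  prescribed {want!r}, found {got!r}")
        if path.endswith("Sec") and isinstance(got, int):
            print("  missing:", ", ".join(missing_ntlm_requirements(got)))
```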
1.1.1.1.2.46 Set 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' to 'Disabled' | X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 0.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon:AutoAdminLogon
CCE-2776-3
1.1.1.1.2.48 Set 'Network access: Do not allow storage of credentials or .NET Passports for network authentication' to 'Enabled' | X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 1.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Do not allow storage of credentials or .NET Passports for network authentication
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa:DisableDomainCreds
CCE-3088-2
1.1.1.1.2.49 Set 'Microsoft network server: Digitally sign communications (always)' to 'Enabled' | X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 1.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network server: Digitally sign communications (always)
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters:requiresecuritysignature
CCE-3053-6
1.1.1.1.2.50 Set 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' to '90' | X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 90.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security:WarningLevel
CCE-3061-9
1.1.1.1.2.54 Set 'Accounts: Guest account status' to 'Disabled' | X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 0.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Accounts: Guest account status
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-3040-3
1.1.1.1.2.55 Set 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' to 'Enabled' | X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 1.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager:ProtectionMode
CCE-3005-6
1.1.1.1.2.56 Set 'Devices: Prevent users from installing printer drivers' to 'Enabled' | X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 1.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Devices: Prevent users from installing printer drivers
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers:AddPrinterDrivers
CCE-2789-6
90

CIS MS Win XP Pro Benchmark v3.1.0
Table columns: Recommendation # | CIS Benchmark Section Title | IEC/TR 80001-2-2 Security Capabilities (ALO, FA, UD, TA, UTH, CN, FSC, SUP, DTB, KM, LDP, NA, UT, PAU, TSA, HD, TXC, FTX, IG) | Scored or Not Scored? | CIS Benchmark Remediation Procedure | CIS Benchmark Audit Procedure | CCE-ID
1.1.1.1.2.57 Set 'Devices: Allowed to format and eject removable media' to 'Administrators and Interactive Users'
  IEC/TR 80001-2-2 capabilities: X X
  Scored or Not Scored: Scored
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to 2.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Devices: Allowed to format and eject removable media
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon:AllocateDASD
  CCE-ID: CCE-3111-2

1.1.1.1.2.60 Set 'Audit: Shut down system immediately if unable to log security audits' to 'Disabled'
  IEC/TR 80001-2-2 capabilities: X X
  Scored or Not Scored: Scored
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to 0.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Audit: Shut down system immediately if unable to log security audits
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa:crashonauditfail
  CCE-ID: CCE-2851-4

1.1.1.1.2.61 Set 'Network security: LDAP client signing requirements' to 'Negotiate signing'
  IEC/TR 80001-2-2 capabilities: X X
  Scored or Not Scored: Scored
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to 1.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network security: LDAP client signing requirements
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP:LDAPClientIntegrity
  CCE-ID: CCE-2991-8

1.1.1.1.2.63 Set 'System objects: Require case insensitivity for non-Windows subsystems' to 'Enabled'
  IEC/TR 80001-2-2 capabilities: X
  Scored or Not Scored: Scored
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to 1.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\System objects: Require case insensitivity for non-Windows subsystems
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel:ObCaseInsensitive
  CCE-ID: CCE-2987-6

1.1.1.1.2.64 Set 'Interactive logon: Prompt user to change password before expiration' to '14'
  IEC/TR 80001-2-2 capabilities: X X X
  Scored or Not Scored: Scored
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to 14.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Prompt user to change password before expiration
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon:passwordexpirywarning
  CCE-ID: CCE-2701-1

1.1.1.1.2.65 Set 'Microsoft network server: Digitally sign communications (if client agrees)' to 'Enabled'
  IEC/TR 80001-2-2 capabilities: X X
  Scored or Not Scored: Scored
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to 1.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network server: Digitally sign communications (if client agrees)
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters:enablesecuritysignature
  CCE-ID: CCE-2688-0
1.1.1.1.2.66 Set 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' to '0'
  IEC/TR 80001-2-2 capabilities: X X
  Scored or Not Scored: Scored
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to 0.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon:ScreenSaverGracePeriod
  CCE-ID: CCE-2980-1

1.1.1.1.2.68 Set 'Recovery console: Allow automatic administrative logon' to 'Disabled'
  IEC/TR 80001-2-2 capabilities: X X X
  Scored or Not Scored: Scored
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to 0.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Recovery console: Allow automatic administrative logon
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole:securitylevel
  CCE-ID: CCE-2935-5

1.1.1.1.3 Audit Policy

1.1.1.1.3.4 Set 'Audit process tracking' to 'No Auditing'
  IEC/TR 80001-2-2 capabilities: X X
  Scored or Not Scored: Scored
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to No Auditing.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit process tracking
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
  CCE-ID: CCE-2816-7

1.1.1.1.3.5 Set 'Audit privilege use' to 'Failure'
  IEC/TR 80001-2-2 capabilities: X X
  Scored or Not Scored: Scored
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to Failure.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit privilege use
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
  CCE-ID: CCE-2913-2

1.1.1.1.3.6 Set 'Audit account management' to 'Success, Failure'
  IEC/TR 80001-2-2 capabilities: X X
  Scored or Not Scored: Scored
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to Success, Failure.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit account management
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
  CCE-ID: CCE-2902-5

1.1.1.1.3.7 Set 'Audit policy change' to 'Success'
  IEC/TR 80001-2-2 capabilities: X X
  Scored or Not Scored: Scored
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to Success.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit policy change
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
  CCE-ID: CCE-2971-0

1.1.1.1.3.8 Set 'Audit system events' to 'Success'
  IEC/TR 80001-2-2 capabilities: X X
  Scored or Not Scored: Scored
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to Success.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit system events
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
  CCE-ID: CCE-2878-7
1.1.1.1.3.9 Set 'Audit logon events' to 'Success, Failure'
  IEC/TR 80001-2-2 capabilities: X X
  Scored or Not Scored: Scored
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to Success, Failure.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit logon events
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
  CCE-ID: CCE-2100-6

1.1.1.2 Event Log

1.1.1.2.1 Set 'Maximum application log size' to '16384'
  IEC/TR 80001-2-2 capabilities: X X
  Scored or Not Scored: Scored
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to 16384.
    Computer Configuration\Windows Settings\Security Settings\Event Log\Maximum application log size
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
  CCE-ID: CCE-2904-1

1.1.1.2.5 Set 'Maximum system log size' to '16384'
  IEC/TR 80001-2-2 capabilities: X X
  Scored or Not Scored: Scored
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to 16384.
    Computer Configuration\Windows Settings\Security Settings\Event Log\Maximum system log size
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
  CCE-ID: CCE-3006-4

1.1.1.2.6 Set 'Prevent local guests group from accessing security log' to 'Enabled'
  IEC/TR 80001-2-2 capabilities: X X X
  Scored or Not Scored: Scored
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to True.
    Computer Configuration\Windows Settings\Security Settings\Event Log\Prevent local guests group from accessing security log
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
  CCE-ID: CCE-2794-6

1.1.1.2.7 Set 'Retention method for security log' to 'Overwrites events as needed'
  IEC/TR 80001-2-2 capabilities: X X
  Scored or Not Scored: Scored
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to WhenNeeded.
    Computer Configuration\Windows Settings\Security Settings\Event Log\Retention method for security log
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
  CCE-ID: CCE-2336-6

1.1.1.2.8 Set 'Retention method for application log' to 'Overwrites events as needed'
  IEC/TR 80001-2-2 capabilities: X X
  Scored or Not Scored: Scored
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to WhenNeeded.
    Computer Configuration\Windows Settings\Security Settings\Event Log\Retention method for application log
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
  CCE-ID: CCE-3014-8

1.1.1.2.9 Set 'Maximum security log size' to '81920'
  IEC/TR 80001-2-2 capabilities: X X
  Scored or Not Scored: Scored
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to 81920.
    Computer Configuration\Windows Settings\Security Settings\Event Log\Maximum security log size
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
  CCE-ID: CCE-2693-0

1.1.1.2.10 Set 'Prevent local guests group from accessing application log' to 'Enabled'
  IEC/TR 80001-2-2 capabilities: X X X
  Scored or Not Scored: Scored
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to True.
    Computer Configuration\Windows Settings\Security Settings\Event Log\Prevent local guests group from accessing application log
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
  CCE-ID: CCE-2116-2
1.1.1.2.11 Set 'Prevent local guests group from accessing system log' to 'Enabled'
  IEC/TR 80001-2-2 capabilities: X X X
  Scored or Not Scored: Scored
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to True.
    Computer Configuration\Windows Settings\Security Settings\Event Log\Prevent local guests group from accessing system log
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
  CCE-ID: CCE-2345-7

1.1.1.2.12 Set 'Retention method for system log' to 'Overwrites events as needed'
  IEC/TR 80001-2-2 capabilities: X X
  Scored or Not Scored: Scored
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to WhenNeeded.
    Computer Configuration\Windows Settings\Security Settings\Event Log\Retention method for system log
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
  CCE-ID: CCE-2777-1

1.1.1.3 System Services

1.1.1.3.9 Set 'Computer Browser' to 'Disabled'
  IEC/TR 80001-2-2 capabilities: X
  Scored or Not Scored: Scored
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to 4.
    Computer Configuration\Windows Settings\Security Settings\System Services\Computer Browser
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Browser:Start
  CCE-ID: CCE-00000-0

1.1.1.3.25 Set 'Routing and Remote Access' to 'Disabled'
  IEC/TR 80001-2-2 capabilities: X
  Scored or Not Scored: Scored
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to 4.
    Computer Configuration\Windows Settings\Security Settings\System Services\Routing and Remote Access
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\RemoteAccess:Start
  CCE-ID: CCE-00000-0

1.1.1.3.33 Set 'Task Scheduler' to 'Disabled'
  IEC/TR 80001-2-2 capabilities: X
  Scored or Not Scored: Scored
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to 4.
    Computer Configuration\Windows Settings\Security Settings\System Services\Task Scheduler
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Schedule:Start
  CCE-ID: CCE-00000-0

1.1.1.3.38 Set 'SSDP Discovery' to 'Disabled'
  IEC/TR 80001-2-2 capabilities: X
  Scored or Not Scored: Scored
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to 4.
    Computer Configuration\Windows Settings\Security Settings\System Services\SSDP Discovery
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SSDPSRV:Start
  CCE-ID: CCE-00000-0

1.1.1.4 Account Policies

1.1.1.4.1 Password Policy

1.1.1.4.1.1 Set 'Password must meet complexity requirements' to 'Enabled'
  IEC/TR 80001-2-2 capabilities: X X
  Scored or Not Scored: Scored
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to True.
    Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\Password must meet complexity requirements
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
  CCE-ID: CCE-2735-9
1.1.1.4.1.2 Set 'Minimum password length' to '14'
  IEC/TR 80001-2-2 capabilities: X X
  Scored or Not Scored: Scored
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to 14.
    Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\Minimum password length
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
  CCE-ID: CCE-2981-9

1.1.1.4.1.3 Set 'Enforce password history' to '24'
  IEC/TR 80001-2-2 capabilities: X X
  Scored or Not Scored: Scored
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to 24.
    Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\Enforce password history
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
  CCE-ID: CCE-2994-2

1.1.1.4.1.4 Set 'Maximum password age' to '60' or less
  IEC/TR 80001-2-2 capabilities: X X
  Scored or Not Scored: Scored
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to 60 or less.
    Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\Maximum password age
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
  CCE-ID: CCE-2920-7

1.1.1.4.1.5 Set 'Store passwords using reversible encryption' to 'Disabled'
  IEC/TR 80001-2-2 capabilities: X X
  Scored or Not Scored: Scored
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to False.
    Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\Store passwords using reversible encryption
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
  CCE-ID: CCE-2889-4

1.1.1.4.1.6 Set 'Minimum password age' to '1' or higher
  IEC/TR 80001-2-2 capabilities: X X
  Scored or Not Scored: Scored
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to 1 or higher.
    Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\Minimum password age
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
  CCE-ID: CCE-2439-8

1.1.1.4.2 Account Lockout Policy

1.1.1.4.2.1 Set 'Account lockout threshold' to '50' or less
  IEC/TR 80001-2-2 capabilities: X X
  Scored or Not Scored: Scored
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to 50 or less.
    Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policy\Account lockout threshold
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
  CCE-ID: CCE-2986-8

1.1.1.4.2.2 Set 'Reset account lockout counter after' to '15' or higher
  IEC/TR 80001-2-2 capabilities: X X
  Scored or Not Scored: Scored
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to 15 or higher.
    Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policy\Reset account lockout counter after
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
  CCE-ID: CCE-2466-1
1.1.1.4.2.3 Set 'Account lockout duration' to '15' or higher
  IEC/TR 80001-2-2 capabilities: X X
  Scored or Not Scored: Scored
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to 15 or higher.
    Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policy\Account lockout duration
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
  CCE-ID: CCE-2928-0

1.2 Administrative Templates

1.2.1 Network

1.2.1.1 Network Connections

1.2.1.1.1 Windows Profile

1.2.1.1.1.1 Standard Profile

1.2.1.1.1.1.1 Set 'Windows Firewall: Allow ICMP exceptions' to 'Disabled'
  IEC/TR 80001-2-2 capabilities: X X
  Scored or Not Scored: Scored
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to Disabled.
    Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile\Windows Firewall: Allow ICMP exceptions
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\IcmpSettings:AllowOutboundParameterProblem
  CCE-ID: CCE-3081-7

1.2.1.1.1.1.2 Set 'Windows Firewall: Allow inbound Remote Desktop exceptions' to 'Disabled'
  IEC/TR 80001-2-2 capabilities: X X
  Scored or Not Scored: Scored
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to Disabled.
    Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile\Windows Firewall: Allow inbound Remote Desktop exceptions
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\Services\RemoteDesktop:Enabled
  CCE-ID: CCE-3213-6

1.2.1.1.1.1.4 Set 'Windows Firewall: Prohibit unicast response to multicast or broadcast requests' to 'Enabled'
  IEC/TR 80001-2-2 capabilities: X X
  Scored or Not Scored: Scored
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to Enabled.
    Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile\Windows Firewall: Prohibit unicast response to multicast or broadcast requests
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile:DisableUnicastResponsesToMulticastBroadcast
  CCE-ID: CCE-3103-9

1.2.1.1.1.1.5 Set 'Windows Firewall: Allow inbound remote administration exception' to 'Disabled'
  IEC/TR 80001-2-2 capabilities: X X
  Scored or Not Scored: Scored
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to Disabled.
    Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile\Windows Firewall: Allow inbound remote administration exception
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\RemoteAdminSettings:Enabled
  CCE-ID: CCE-2954-6

1.2.1.1.1.1.7 Set 'Windows Firewall: Allow inbound file and printer sharing exception' to 'Disabled'
  IEC/TR 80001-2-2 capabilities: X X
  Scored or Not Scored: Scored
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to Disabled.
    Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile\Windows Firewall: Allow inbound file and printer sharing exception
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\Services\FileAndPrint:Enabled
  CCE-ID: CCE-3262-3
1.2.1.1.1.1.8 Set 'Windows Firewall: Allow local port exceptions' to 'Disabled'
  IEC/TR 80001-2-2 capabilities: X X
  Scored or Not Scored: Scored
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to Disabled.
    Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile\Windows Firewall: Allow local port exceptions
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\GloballyOpenPorts:AllowUserPrefMerge
  CCE-ID: CCE-2989-2

1.2.1.1.1.1.11 Set 'Windows Firewall: Allow inbound UPnP framework exceptions' to 'Disabled'
  IEC/TR 80001-2-2 capabilities: X X
  Scored or Not Scored: Scored
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to Disabled.
    Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile\Windows Firewall: Allow inbound UPnP framework exceptions
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\Services\UPnPFramework:Enabled
  CCE-ID: CCE-3235-9

1.2.1.1.1.1.12 Set 'Windows Firewall: Protect all network connections' to 'Enabled'
  IEC/TR 80001-2-2 capabilities: X X
  Scored or Not Scored: Scored
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to Enabled.
    Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile\Windows Firewall: Protect all network connections
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile:EnableFirewall
  CCE-ID: CCE-3284-7

1.2.1.1.1.2 Domain Profile

1.2.1.1.1.2.1 Set 'Windows Firewall: Allow ICMP exceptions' to 'Disabled'
  IEC/TR 80001-2-2 capabilities: X X
  Scored or Not Scored: Scored
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to Disabled.
    Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile\Windows Firewall: Allow ICMP exceptions
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\IcmpSettings:AllowInboundRouterRequest
  CCE-ID: CCE-3141-9

1.2.1.1.1.2.2 Set 'Windows Firewall: Allow local program exceptions' to 'Disabled'
  IEC/TR 80001-2-2 capabilities: X X
  Scored or Not Scored: Scored
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to Disabled.
    Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile\Windows Firewall: Allow local program exceptions
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\AuthorizedApplications:AllowUserPrefMerge
  CCE-ID: CCE-2828-2

1.2.1.1.1.2.3 Set 'Windows Firewall: Allow inbound UPnP framework exceptions' to 'Disabled'
  IEC/TR 80001-2-2 capabilities: X X
  Scored or Not Scored: Scored
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to Disabled.
    Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile\Windows Firewall: Allow inbound UPnP framework exceptions
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Services\UPnPFramework:Enabled
  CCE-ID: CCE-3176-5
1.2.1.1.1.2.7 Set 'Windows Firewall: Prohibit unicast response to multicast or broadcast requests' to 'Enabled'
  IEC/TR 80001-2-2 capabilities: X X
  Scored or Not Scored: Scored
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to Enabled.
    Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile\Windows Firewall: Prohibit unicast response to multicast or broadcast requests
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile:DisableUnicastResponsesToMulticastBroadcast
  CCE-ID: CCE-2972-8

1.2.1.1.1.2.8 Set 'Windows Firewall: Allow inbound remote administration exception' to 'Disabled'
  IEC/TR 80001-2-2 capabilities: X X
  Scored or Not Scored: Scored
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to Disabled.
    Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile\Windows Firewall: Allow inbound remote administration exception
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\RemoteAdminSettings:Enabled
  CCE-ID: CCE-2476-0

1.2.1.1.1.2.10 Set 'Windows Firewall: Protect all network connections' to 'Enabled'
  IEC/TR 80001-2-2 capabilities: X X
  Scored or Not Scored: Scored
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to Enabled.
    Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile\Windows Firewall: Protect all network connections
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile:EnableFirewall
  CCE-ID: CCE-3154-2

1.2.1.1.1.2.11 Set 'Windows Firewall: Allow inbound Remote Desktop exceptions' to 'Disabled'
  IEC/TR 80001-2-2 capabilities: X X
  Scored or Not Scored: Scored
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to Disabled.
    Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile\Windows Firewall: Allow inbound Remote Desktop exceptions
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Services\RemoteDesktop:Enabled
  CCE-ID: CCE-3304-3

1.2.1.1.1.2.12 Set 'Windows Firewall: Allow inbound file and printer sharing exception' to 'Disabled'
  IEC/TR 80001-2-2 capabilities: X X
  Scored or Not Scored: Scored
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to Disabled.
    Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile\Windows Firewall: Allow inbound file and printer sharing exception
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Services\FileAndPrint:Enabled
  CCE-ID: CCE-3247-4

1.2.1.1.1.2.13 Set 'Windows Firewall: Allow local port exceptions' to 'Disabled'
  IEC/TR 80001-2-2 capabilities: X X
  Scored or Not Scored: Scored
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to Disabled.
    Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile\Windows Firewall: Allow local port exceptions
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\GloballyOpenPorts:AllowUserPrefMerge
  CCE-ID: CCE-3258-1
1.2.2 System
1.2.2.1 Remote Procedure Call

1.2.2.1.1 Set 'Restrictions for Unauthenticated RPC clients' to 'Enabled:Authenticated'
  IEC/TR 80001-2-2 capabilities: X X | Scored
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to Enabled. Then set the available option to Authenticated.
    Computer Configuration\Administrative Templates\System\Remote Procedure Call\Restrictions for Unauthenticated RPC clients
  Audit: Navigate to the UI Path in the Remediation and confirm it is set as prescribed. Backing registry location:
    HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Rpc:RestrictRemoteClients
  CCE-ID: CCE-3273-0

1.2.2.1.2 Set 'RPC Endpoint Mapper Client Authentication' to 'Enabled'
  IEC/TR 80001-2-2 capabilities: X X | Scored
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to Enabled.
    Computer Configuration\Administrative Templates\System\Remote Procedure Call\RPC Endpoint Mapper Client Authentication
  Audit: Navigate to the UI Path in the Remediation and confirm it is set as prescribed. Backing registry location:
    HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Rpc:EnableAuthEpResolution
  CCE-ID: CCE-2956-1

1.2.2.2 Group Policy

1.2.2.2.1 Set 'Registry policy processing' to 'Enabled'
  IEC/TR 80001-2-2 capabilities: X | Scored
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to Enabled.
    Computer Configuration\Administrative Templates\System\Group Policy\Registry policy processing
  Audit: Navigate to the UI Path in the Remediation and confirm it is set as prescribed. Backing registry location:
    HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}:NoBackgroundPolicy
  CCE-ID: CCE-5053-4

1.2.2.2.2 Set 'Process even if the Group Policy objects have not changed' to 'True'
  IEC/TR 80001-2-2 capabilities: X | Scored
  Remediation: To implement the recommended configuration state, set the following option of the 'Registry policy processing' setting to True (the benchmark expresses this as registry value 0).
    Computer Configuration\Administrative Templates\System\Group Policy\Registry policy processing: Process even if the Group Policy objects have not changed
  Audit: Navigate to the UI Path in the Remediation and confirm it is set as prescribed. Backing registry location:
    HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}:NoBackgroundPolicy
  CCE-ID: CCE-5053-4

1.2.2.2.3 Set 'Do not apply during periodic background processing' to 'False'
  IEC/TR 80001-2-2 capabilities: X | Scored
  Remediation: To implement the recommended configuration state, set the following option of the 'Registry policy processing' setting to False (registry value 0).
    Computer Configuration\Administrative Templates\System\Group Policy\Registry policy processing: Do not apply during periodic background processing
  Audit: Navigate to the UI Path in the Remediation and confirm it is set as prescribed. Backing registry location:
    HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}:NoBackgroundPolicy
  CCE-ID: CCE-5053-4

1.2.2.3 Remote Assistance

1.2.2.3.1 Set 'Solicited Remote Assistance' to 'Disabled'
  IEC/TR 80001-2-2 capabilities: X | Scored
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to Disabled.
    Computer Configuration\Administrative Templates\System\Remote Assistance\Solicited Remote Assistance
  Audit: Navigate to the UI Path in the Remediation and confirm it is set as prescribed. Backing registry location:
    HKEY_LOCAL_MACHINE\Software\policies\Microsoft\Windows NT\Terminal Services:fAllowToGetHelp
  CCE-ID: CCE-3007-2
1.2.2.3.2 Set 'Offer Remote Assistance' to 'Disabled'
  IEC/TR 80001-2-2 capabilities: X | Scored
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to Disabled.
    Computer Configuration\Administrative Templates\System\Remote Assistance\Offer Remote Assistance
  Audit: Navigate to the UI Path in the Remediation and confirm it is set as prescribed. Backing registry location:
    HKEY_LOCAL_MACHINE\Software\policies\Microsoft\Windows NT\Terminal Services:fAllowUnsolicited
  CCE-ID: CCE-3012-2

1.2.2.4 Internet Communication Management
1.2.2.4.1 Internet Communication settings

1.2.2.4.1.1 Set 'Turn off downloading of print drivers over HTTP' to 'Enabled'
  IEC/TR 80001-2-2 capabilities: X | Scored
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to Enabled.
    Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off downloading of print drivers over HTTP
  Audit: Navigate to the UI Path in the Remediation and confirm it is set as prescribed. Backing registry location:
    HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers:DisableWebPnPDownload
  CCE-ID: CCE-5200-1

1.2.2.4.1.2 Set 'Turn off Windows Update device driver searching' to 'Enabled'
  IEC/TR 80001-2-2 capabilities: X | Scored
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to Enabled.
    Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off Windows Update device driver searching
  Audit: Navigate to the UI Path in the Remediation and confirm it is set as prescribed. Backing registry location:
    HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DriverSearching:DontSearchWindowsUpdate
  CCE-ID: CCE-5014-6

1.2.2.4.1.3 Set 'Turn off the "Publish to Web" task for files and folders' to 'Enabled'
  IEC/TR 80001-2-2 capabilities: X | Scored
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to Enabled.
    Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off the "Publish to Web" task for files and folders
  Audit: Navigate to the UI Path in the Remediation and confirm it is set as prescribed. Backing registry location:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer:NoPublishingWizard
  CCE-ID: CCE-4887-6

1.2.2.4.1.4 Set 'Turn off Internet download for Web publishing and online ordering wizards' to 'Enabled'
  IEC/TR 80001-2-2 capabilities: X | Scored
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to Enabled.
    Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off Internet download for Web publishing and online ordering wizards
  Audit: Navigate to the UI Path in the Remediation and confirm it is set as prescribed. Backing registry location:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer:NoWebServices
  CCE-ID: CCE-5099-7

1.2.2.4.1.5 Set 'Turn off printing over HTTP' to 'Enabled'
  IEC/TR 80001-2-2 capabilities: X | Scored
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to Enabled.
    Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off printing over HTTP
  Audit: Navigate to the UI Path in the Remediation and confirm it is set as prescribed. Backing registry location:
    HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers:DisableHTTPPrinting
  CCE-ID: CCE-4513-8
1.2.2.4.1.6 Set 'Turn off the Windows Messenger Customer Experience Improvement Program' to 'Enabled'
  IEC/TR 80001-2-2 capabilities: X | Scored
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to Enabled.
    Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off the Windows Messenger Customer Experience Improvement Program
  Audit: Navigate to the UI Path in the Remediation and confirm it is set as prescribed. Backing registry location:
    HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Messenger\Client:CEIP
  CCE-ID: CCE-4224-2

1.2.2.4.1.7 Set 'Turn off Search Companion content file updates' to 'Enabled'
  IEC/TR 80001-2-2 capabilities: X | Scored
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to Enabled.
    Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off Search Companion content file updates
  Audit: Navigate to the UI Path in the Remediation and confirm it is set as prescribed. Backing registry location:
    HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SearchCompanion:DisableContentFileUpdates
  CCE-ID: CCE-5055-9

1.2.2.5 Logon (no recommendations listed)

1.2.3 Windows Components
1.2.3.1 Windows Update

1.2.3.1.1 Set 'Configure Automatic Updates' to '3 - Auto download and notify for install'
  IEC/TR 80001-2-2 capabilities: X X | Scored
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to 3 - Auto download and notify for install.
    Computer Configuration\Administrative Templates\Windows Components\Windows Update\Configure Automatic Updates
  Audit: Navigate to the UI Path in the Remediation and confirm it is set as prescribed. Backing registry location:
    HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU:NoAutoUpdate
  CCE-ID: CCE-7528-3

1.2.3.1.2 Set 'Reschedule Automatic Updates scheduled installations' to 'Enabled:10'
  IEC/TR 80001-2-2 capabilities: X X | Scored
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to Enabled. Then set the available option to 10.
    Computer Configuration\Administrative Templates\Windows Components\Windows Update\Reschedule Automatic Updates scheduled installations
  Audit: Navigate to the UI Path in the Remediation and confirm it is set as prescribed. Backing registry location:
    HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU:RescheduleWaitTimeEnabled
  CCE-ID: CCE-8406-1

1.2.3.1.3 Set 'No auto-restart with logged on users for scheduled automatic updates installations' to 'Disabled'
  IEC/TR 80001-2-2 capabilities: X X | Scored
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to Disabled.
    Computer Configuration\Administrative Templates\Windows Components\Windows Update\No auto-restart with logged on users for scheduled automatic updates installations
  Audit: Navigate to the UI Path in the Remediation and confirm it is set as prescribed. Backing registry location:
    HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU:NoAutoRebootWithLoggedOnUsers
  CCE-ID: CCE-8375-8

1.2.3.1.4 Set 'Do not display 'Install Updates and Shut Down' option in Shut Down Windows dialog box' to 'Disabled'
  IEC/TR 80001-2-2 capabilities: X X | Scored
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to Disabled.
    Computer Configuration\Administrative Templates\Windows Components\Windows Update\Do not display 'Install Updates and Shut Down' option in Shut Down Windows dialog box
  Audit: Navigate to the UI Path in the Remediation and confirm it is set as prescribed. Backing registry location:
    HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU:NoAUShutdownOption
  CCE-ID: CCE-8400-4
1.2.3.1.5 Set 'Do not adjust default option to 'Install Updates and Shut Down' in Shut Down Windows dialog box' to 'Disabled'
  IEC/TR 80001-2-2 capabilities: X X | Scored
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to Disabled.
    Computer Configuration\Administrative Templates\Windows Components\Windows Update\Do not adjust default option to 'Install Updates and Shut Down' in Shut Down Windows dialog box
  Audit: Navigate to the UI Path in the Remediation and confirm it is set as prescribed. Backing registry location:
    HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU:NoAUAsDefaultShutdownOption
  CCE-ID: CCE-8574-6

1.2.3.2 Windows Installer

1.2.3.2.1 Set 'Always install with elevated privileges' to 'Disabled'
  IEC/TR 80001-2-2 capabilities: X | Scored
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to Disabled.
    Computer Configuration\Administrative Templates\Windows Components\Windows Installer\Always install with elevated privileges
  Audit: Navigate to the UI Path in the Remediation and confirm it is set as prescribed. Backing registry location:
    HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer:AlwaysInstallElevated
  CCE-ID: CCE-00000-0

1.2.3.3 Remote Desktop Services
1.2.3.3.1 Remote Desktop Connection Client

1.2.3.3.1.1 Set 'Do not allow passwords to be saved' to 'Enabled'
  IEC/TR 80001-2-2 capabilities: X | Scored
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to Enabled.
    Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Connection Client\Do not allow passwords to be saved
  Audit: Navigate to the UI Path in the Remediation and confirm it is set as prescribed. Backing registry location:
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services:DisablePasswordSaving
  CCE-ID: CCE-4849-6

1.2.3.3.2 Remote Desktop Session Host
1.2.3.3.2.1 Connections (no recommendations listed)
1.2.3.3.2.2 Device and Resource Redirection

1.2.3.3.2.2.1 Set 'Do not allow drive redirection' to 'Enabled'
  IEC/TR 80001-2-2 capabilities: X | Scored
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to Enabled.
    Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection\Do not allow drive redirection
  Audit: Navigate to the UI Path in the Remediation and confirm it is set as prescribed. Backing registry location:
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services:fDisableCdm
  CCE-ID: CCE-8261-0

1.2.3.3.2.3 Security

1.2.3.3.2.3.1 Set 'Always prompt for password upon connection' to 'Enabled'
  IEC/TR 80001-2-2 capabilities: X X | Scored
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to Enabled.
    Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security\Always prompt for password upon connection
  Audit: Navigate to the UI Path in the Remediation and confirm it is set as prescribed. Backing registry location:
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services:fPromptForPassword
  CCE-ID: CCE-2949-6
1.2.3.3.2.3.2 Set 'Set client connection encryption level' to 'Enabled:High Level'
  IEC/TR 80001-2-2 capabilities: X X | Scored
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to Enabled. Then set the available option to High Level.
    Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security\Set client connection encryption level
  Audit: Navigate to the UI Path in the Remediation and confirm it is set as prescribed. Backing registry location:
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services:MinEncryptionLevel
  CCE-ID: CCE-3116-1

1.2.3.4 AutoPlay Policies

1.2.3.4.1 Set 'Turn off Autoplay' to 'Enabled:All drives'
  IEC/TR 80001-2-2 capabilities: X X | Scored
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to Enabled. Then set the available option to All drives.
    Computer Configuration\Administrative Templates\Windows Components\AutoPlay Policies\Turn off Autoplay
  Audit: Navigate to the UI Path in the Remediation and confirm it is set as prescribed. Backing registry location:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer:NoDriveTypeAutoRun
  CCE-ID: CCE-2710-2

1.2.3.5 Windows Error Reporting
1.2.3.5.1 Advanced Error Reporting Settings

1.2.3.5.1.1 Set 'Report operating system errors' to 'Enabled'
  IEC/TR 80001-2-2 capabilities: X | Scored
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to Enabled.
    Computer Configuration\Administrative Templates\Windows Components\Windows Error Reporting\Advanced Error Reporting Settings\Report operating system errors
  Audit: Navigate to the UI Path in the Remediation and confirm it is set as prescribed. Backing registry location:
    HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\PCHealth\ErrorReporting:IncludeKernelFaults
  CCE-ID: CCE-00000-0

1.2.3.5.1.2 Set 'Display Error Notification' to 'Disabled'
  IEC/TR 80001-2-2 capabilities: X | Scored
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to Disabled.
    Computer Configuration\Administrative Templates\Windows Components\Windows Error Reporting\Display Error Notification
  Audit: Navigate to the UI Path in the Remediation and confirm it is set as prescribed. Backing registry location:
    HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\PCHealth\ErrorReporting:ShowUI
  CCE-ID: CCE-5136-7

1.2.3.6 NetMeeting

1.2.3.6.1 Set 'Disable remote Desktop Sharing' to 'Enabled'
  IEC/TR 80001-2-2 capabilities: X | Scored
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to Enabled.
    Computer Configuration\Administrative Templates\Windows Components\NetMeeting\Disable remote Desktop Sharing
  Audit: Navigate to the UI Path in the Remediation and confirm it is set as prescribed. Backing registry location:
    HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Conferencing:NoRDS
  CCE-ID: CCE-2896-9

1.2.3.7 Windows Messenger

1.2.3.7.1 Set 'Do not allow Windows Messenger to be run' to 'Enabled'
  IEC/TR 80001-2-2 capabilities: X | Scored
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to Enabled.
    Computer Configuration\Administrative Templates\Windows Components\Windows Messenger\Do not allow Windows Messenger to be run
  Audit: Navigate to the UI Path in the Remediation and confirm it is set as prescribed. Backing registry location:
    HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Messenger\Client:PreventRun
  CCE-ID: CCE-2684-9
2 User Configuration
2.1 Administrative Templates
2.1.1 System
2.1.1.1 Power Management

2.1.1.1.1 Set 'Prompt for password on resume from hibernate / suspend' to 'Enabled'
  IEC/TR 80001-2-2 capabilities: X X | Scored
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to Enabled.
    User Configuration\Administrative Templates\System\Power Management\Prompt for password on resume from hibernate / suspend
  Audit: Navigate to the UI Path in the Remediation and confirm it is set as prescribed. Backing registry location:
    HKEY_USERS\Software\Policies\Microsoft\Windows\System\Power:PromptPasswordOnResume
  CCE-ID: CCE-4390-1

2.1.2 Windows Components
2.1.2.1 Windows Explorer (no recommendations listed)
2.1.2.2 Attachment Manager

2.1.2.2.1 Set 'Hide mechanisms to remove zone information' to 'Enabled'
  IEC/TR 80001-2-2 capabilities: X X | Scored
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to Enabled.
    User Configuration\Administrative Templates\Windows Components\Attachment Manager\Hide mechanisms to remove zone information
  Audit: Navigate to the UI Path in the Remediation and confirm it is set as prescribed. Backing registry location:
    HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments:HideZoneInfoOnProperties
  CCE-ID: CCE-5042-7

2.1.2.2.2 Set 'Notify antivirus programs when opening attachments' to 'Enabled'
  IEC/TR 80001-2-2 capabilities: X X | Scored
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to Enabled.
    User Configuration\Administrative Templates\Windows Components\Attachment Manager\Notify antivirus programs when opening attachments
  Audit: Navigate to the UI Path in the Remediation and confirm it is set as prescribed. Backing registry location:
    HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments:ScanWithAntiVirus
  CCE-ID: CCE-5059-1

2.1.2.2.3 Set 'Do not preserve zone information in file attachments' to 'Disabled'
  IEC/TR 80001-2-2 capabilities: X X | Scored
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to Disabled.
    User Configuration\Administrative Templates\Windows Components\Attachment Manager\Do not preserve zone information in file attachments
  Audit: Navigate to the UI Path in the Remediation and confirm it is set as prescribed. Backing registry location:
    HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments:SaveZoneInformation
  CCE-ID: CCE-4412-3

2.1.3 Control Panel
2.1.3.1 Personalization

2.1.3.1.1 Set 'Screen saver timeout' to 'Enabled:900'
  IEC/TR 80001-2-2 capabilities: X X | Scored
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to Enabled. Then set the available option to a value less than or equal to 900.
    User Configuration\Administrative Templates\Control Panel\Personalization\Screen saver timeout
  Audit: Navigate to the UI Path in the Remediation and confirm it is set as prescribed. Backing registry location:
    HKEY_USERS\Software\Policies\Microsoft\Windows\Control Panel\Desktop:ScreenSaveTimeOut

2.1.3.1.2 Set 'Password protect the screen saver' to 'Enabled'
  IEC/TR 80001-2-2 capabilities: X X | Scored
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to Enabled.
    User Configuration\Administrative Templates\Control Panel\Personalization\Password protect the screen saver
  Audit: Navigate to the UI Path in the Remediation and confirm it is set as prescribed. Backing registry location:
    HKEY_USERS\Software\Policies\Microsoft\Windows\Control Panel\Desktop:ScreenSaverIsSecure
  CCE-ID: CCE-4500-5
2.1.3.1.3 Set 'Enable screen saver' to 'Enabled'
  IEC/TR 80001-2-2 capabilities: X X | Scored
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to Enabled.
    User Configuration\Administrative Templates\Control Panel\Personalization\Enable screen saver
  Audit: Navigate to the UI Path in the Remediation and confirm it is set as prescribed. Backing registry location:
    HKEY_USERS\Software\Policies\Microsoft\Windows\Control Panel\Desktop:ScreenSaveActive
  CCE-ID: CCE-2174-1

2.1.3.1.4 Set 'Force specific screen saver' to 'Enabled:scrnsave.scr'
  IEC/TR 80001-2-2 capabilities: X X | Scored
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to Enabled. Then set the available option to scrnsave.scr.
    User Configuration\Administrative Templates\Control Panel\Personalization\Force specific screen saver
  Audit: Navigate to the UI Path in the Remediation and confirm it is set as prescribed. Backing registry location:
    HKEY_USERS\Software\Policies\Microsoft\Windows\Control Panel\Desktop:SCRNSAVE.EXE
  CCE-ID: CCE-3170-8
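Every audit cell above reduces to the same check: read the backing registry value and compare it with the prescribed state. The script below is an added example, not CIS code or part of the benchmark, that does that offline over the text of a `reg export` dump, so the audit can run on a workstation without touching the XP host beyond the export. It covers the machine-scope rows 1.2.2.1.1, 1.2.2.3.x, 1.2.3.2.1, 1.2.3.3.2.3.2 and 1.2.3.4.1, and the per-user screen saver rows 2.1.3.1.1 to 2.1.3.1.4 as one combined check. Assumptions not stated on the page: per-user values live under HKEY_USERS\<SID>\..., and the numeric encodings of the ADM options are Enabled=1/Disabled=0, 'Authenticated'=1 for RestrictRemoteClients, 'High Level'=3 for MinEncryptionLevel and 'All drives'=0xFF for NoDriveTypeAutoRun. The .reg text in the block is constructed for the demonstration.

```python
# Added example (not CIS code): offline audit of the registry values that back the
# benchmark rows above, run over the text of a `reg export` dump. The dump below is
# constructed; a real .reg file is UTF-16LE, so open it with encoding="utf-16".
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc]
"RestrictRemoteClients"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services]
"fAllowToGetHelp"=dword:00000000
"fAllowUnsolicited"=dword:00000001
"MinEncryptionLevel"=dword:00000002
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer]
"AlwaysInstallElevated"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000095
[HKEY_USERS\S-1-5-21-1-2-3-1001\Software\Policies\Microsoft\Windows\Control Panel\Desktop]
"ScreenSaveActive"="1"
"ScreenSaveTimeOut"="900"
"ScreenSaverIsSecure"="1"
"SCRNSAVE.EXE"="scrnsave.scr"
[HKEY_USERS\S-1-5-21-1-2-3-1002\Software\Policies\Microsoft\Windows\Control Panel\Desktop]
"ScreenSaveActive"="1"
"ScreenSaveTimeOut"="1800"
"""

TS = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"
EXPLORER = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
# (benchmark row, key, value name, prescribed value). The numbers are the ADM
# template encodings, assumed here rather than stated on the page: Enabled=1,
# Disabled=0, RestrictRemoteClients 1=Authenticated, MinEncryptionLevel 3=High
# Level, NoDriveTypeAutoRun 0xFF=All drives.
MACHINE_CHECKS = [
    ("1.2.2.1.1", r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc", "RestrictRemoteClients", 1),
    ("1.2.2.3.1", TS, "fAllowToGetHelp", 0),
    ("1.2.2.3.2", TS, "fAllowUnsolicited", 0),
    ("1.2.3.2.1", r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer", "AlwaysInstallElevated", 0),
    ("1.2.3.3.2.3.2", TS, "MinEncryptionLevel", 3),
    ("1.2.3.4.1", EXPLORER, "NoDriveTypeAutoRun", 0xFF),
]

def parse_reg(text):
    """{key path: {value name: value}}, paths and names lower-cased because the
    registry is case-insensitive. dword: -> int, quoted REG_SZ -> str, anything
    else (hex:, hex(2): ...) is kept as its raw text."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and line.startswith('"') and '"=' in line:
            name, _, raw = line[1:].partition('"=')
            if raw.startswith("dword:"):
                current[name.lower()] = int(raw[6:], 16)
            elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
                current[name.lower()] = raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
            else:
                current[name.lower()] = raw
    return keys

def lookup(keys, path, name):
    return keys.get(path.lower(), {}).get(name.lower())

def audit_machine(keys):
    """[(row, value name, actual, prescribed)] for each HKLM check whose backing
    value is absent (policy Not Configured) or differs from the prescribed state."""
    return [(row, name, lookup(keys, key, name), want)
            for row, key, name, want in MACHINE_CHECKS if lookup(keys, key, name) != want]

DESKTOP = r"\software\policies\microsoft\windows\control panel\desktop"

def audit_users(keys):
    """Rows 2.1.3.1.1-2.1.3.1.4 for every user hive in the dump: the screen saver
    only enforces automatic logoff when all four values are present and correct."""
    findings = []
    for path, values in keys.items():
        if not (path.startswith("hkey_users\\") and path.endswith(DESKTOP)):
            continue
        sid = path.split("\\")[1].upper()
        for name, want in (("screensaveactive", "1"), ("screensaverissecure", "1"),
                           ("scrnsave.exe", "scrnsave.scr")):
            got = values.get(name)
            if not isinstance(got, str) or got.lower() != want:
                findings.append((sid, name, got, want))
        timeout = values.get("screensavetimeout")
        if not (isinstance(timeout, str) and timeout.isdigit() and 0 < int(timeout) <= 900):
            findings.append((sid, "screensavetimeout", timeout, "1..900"))
    return findings

# NoDriveTypeAutoRun is a bitmask; a set bit disables AutoRun on that drive type.
DRIVE_BITS = {0x04: "removable", 0x08: "fixed", 0x10: "network",
              0x20: "CD-ROM", 0x40: "RAM disk", 0x80: "unknown"}

def autorun_still_enabled(mask):
    """Drive types a mask below 0xFF leaves AutoRun on for (XP's default is 0x95)."""
    return [label for bit, label in DRIVE_BITS.items() if not mask & bit]

if __name__ == "__main__":
    keys = parse_reg(SAMPLE_REG)
    for finding in audit_machine(keys) + audit_users(keys):
        print("FAIL", *finding)
    print("AutoRun left on for:", autorun_still_enabled(lookup(keys, EXPLORER, "NoDriveTypeAutoRun")))
```

On a real host, export the keys of interest (for example `reg export HKLM\SOFTWARE\Policies hklm.reg` and `reg export HKU hku.reg`), read each file with `encoding="utf-16"` and pass the concatenated text to `parse_reg`. Two points the comparison deliberately makes visible: an absent value is reported as a failure, because the benchmark's audit asks for the setting to be explicitly at the prescribed state rather than Not Configured; and for row 1.2.3.2.1, Windows Installer only honours AlwaysInstallElevated when the value is 1 in both HKLM and the user's own hive, so a machine-side finding is a misconfiguration to fix rather than, on its own, proof of a privilege escalation path.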
IEC/TR 80001-2-2 Code | IEC/TR 80001-2-2 Security Capability | # BM Recommendations that Map to Sec. Cap. | General Notes/Comments on CIS Microsoft Windows XP Benchmark v3.1.0 Mapping to Each Security Capability
ALOF | Automatic logoff | 6 | Benchmark recommendations on setting screen saver, logon hours, session timeout, etc.
AUDT | Audit controls | 19 | All audit-related items in Benchmark
AUTH | Authorization | 38 | All user rights and "anonymous can/cannot do x" recommendations in Benchmark
CNFS | Configuration of security features | 26 | Firewall, logon as a service, etc. Benchmark settings
CSUP | Cyber security product upgrades | 5 | All Windows Update related items in Benchmark
DTBK | Data backup and disaster recovery | 1 | User rights related to file and backup
MLDP | Malware detection/protection | 5 | IE Benchmark - SmartScreen
NAUT | Node authentication | 12 | All authentication-related controls, but not password storage-related controls, as that is a security feature, not directly part of authentication of a person/node. Includes NTLM-related items
PAUT | Person authentication | 22 | All authentication-related controls, but not password storage-related controls, as that is a security feature, not directly part of authentication of a person/node. Includes NTLM-related items
SAHD | System and Application Hardening | 156 | Everything in the Benchmark maps to this Security Capability
TXCF | Transmission confidentiality | 8 | All the SSP RPC crypto items
TXIG | Transmission integrity | 11 | All the SSP RPC signing items

IEC/TR 80001-2-2 Code | IEC/TR 80001-2-2 Security Capability | # BM Recommendations that Map to Sec. Cap. | General Notes/Comments on CIS Microsoft Windows XP Benchmark v3.1.0 Mapping to Each Security Capability
DIDT | HEALTH DATA de-identification | N/A |
EMRG | Emergency access | N/A |
IGAU | HEALTH DATA integrity and authenticity | N/A | File permissions
PLOK | Physical locks on device | N/A |
RDMP | Third-party components in product lifecycle roadmaps | N/A | See related CIS Benchmarks, as applicable
SGUD | Security guides | N/A |
STCF | HEALTH DATA storage confidentiality | N/A |
[Chart] Total Scored CIS Benchmark Recommendations that Map to Each Applicable IEC/TR 80001-2-2 Security Capability (bar chart, y-axis 0 to 180):
  ALOF 6 | AUDT 19 | AUTH 38 | CNFS 26 | CSUP 5 | DTBK 1 | MLDP 5 | NAUT 12 | PAUT 22 | SAHD 156 | TXCF 8 | TXIG 11