
License

Please see our terms of service here: https://www.cisecurity.org/cis-securesuite/cis-securesuite-membership-terms-of-use/


section #   recommendation #   title   status

1 Account Policies accepted

1.1 Password Policy accepted

1.1 1.1.1 (L1) Ensure 'Enforce password history' is set to '24 or more password(s)' accepted
1.1 1.1.2 (L1) Ensure 'Maximum password age' is set to '60 or fewer days, but not 0' accepted

1.1 1.1.3 (L1) Ensure 'Minimum password age' is set to '1 or more day(s)' accepted

1.1 1.1.4 (L1) Ensure 'Minimum password length' is set to '14 or more character(s)' accepted

1.1 1.1.5 (L1) Ensure 'Password must meet complexity requirements' is set to 'Enabled' accepted

1.1 1.1.6 (L1) Ensure 'Store passwords using reversible encryption' is set to 'Disabled' accepted

1.2 Account Lockout Policy accepted

1.2 1.2.1 (L1) Ensure 'Account lockout duration' is set to '15 or more minute(s)' accepted

1.2 1.2.2 (L1) Ensure 'Account lockout threshold' is set to '10 or fewer invalid logon attempt(s), but not 0' accepted

1.2 1.2.3 (L1) Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)' accepted

2 Local Policies accepted

2.1 Audit Policy accepted

2.2 User Rights Assignment accepted

2.2 2.2.1 (L1) Ensure 'Access Credential Manager as a trusted caller' is set to 'No One' accepted

2.2 2.2.2 (L1) Configure 'Access this computer from the network' accepted

2.2 2.2.3 (L1) Ensure 'Act as part of the operating system' is set to 'No One' accepted

2.2 2.2.4 (L1) Ensure 'Add workstations to domain' is set to 'Administrators' (DC only) accepted

2.2 2.2.5 (L1) Ensure 'Adjust memory quotas for a process' is set to 'Administrators, LOCAL SERVIC accepted

2.2 2.2.6 (L1) Ensure 'Allow log on locally' is set to 'Administrators' accepted

2.2 2.2.7 (L1) Configure 'Allow log on through Remote Desktop Services' accepted

2.2 2.2.8 (L1) Ensure 'Back up files and directories' is set to 'Administrators' accepted

2.2 2.2.9 (L1) Ensure 'Change the system time' is set to 'Administrators, LOCAL SERVICE' accepted

2.2 2.2.10 (L1) Ensure 'Change the time zone' is set to 'Administrators, LOCAL SERVICE' accepted

2.2 2.2.11 (L1) Ensure 'Create a pagefile' is set to 'Administrators' accepted

2.2 2.2.12 (L1) Ensure 'Create a token object' is set to 'No One' accepted

2.2 2.2.13 (L1) Ensure 'Create global objects' is set to 'Administrators, LOCAL SERVICE, NETWORK S accepted

2.2 2.2.14 (L1) Ensure 'Create permanent shared objects' is set to 'No One' accepted

2.2 2.2.15 (L1) Configure 'Create symbolic links' accepted

2.2 2.2.16 (L1) Ensure 'Debug programs' is set to 'Administrators' accepted

2.2 2.2.17 (L1) Configure 'Deny access to this computer from the network' accepted

2.2 2.2.18 (L1) Ensure 'Deny log on as a batch job' to include 'Guests' accepted

2.2 2.2.19 (L1) Ensure 'Deny log on as a service' to include 'Guests' accepted

2.2 2.2.20 (L1) Ensure 'Deny log on locally' to include 'Guests' accepted

2.2 2.2.21 (L1) Configure 'Deny log on through Remote Desktop Services' accepted

2.2 2.2.22 (L1) Configure 'Enable computer and user accounts to be trusted for delegation' accepted
2.2 2.2.23 (L1) Ensure 'Force shutdown from a remote system' is set to 'Administrators' accepted

2.2 2.2.24 (L1) Ensure 'Generate security audits' is set to 'LOCAL SERVICE, NETWORK SERVICE' accepted

2.2 2.2.25 (L1) Configure 'Impersonate a client after authentication' accepted

2.2 2.2.26 (L1) Ensure 'Increase scheduling priority' is set to 'Administrators' accepted

2.2 2.2.27 (L1) Ensure 'Load and unload device drivers' is set to 'Administrators' accepted

2.2 2.2.28 (L1) Ensure 'Lock pages in memory' is set to 'No One' accepted

2.2 2.2.30 (L1) Configure 'Manage auditing and security log' accepted

2.2 2.2.31 (L1) Ensure 'Modify an object label' is set to 'No One' accepted

2.2 2.2.32 (L1) Ensure 'Modify firmware environment values' is set to 'Administrators' accepted

2.2 2.2.33 (L1) Ensure 'Perform volume maintenance tasks' is set to 'Administrators' accepted

2.2 2.2.34 (L1) Ensure 'Profile single process' is set to 'Administrators' accepted

2.2 2.2.35 (L1) Ensure 'Profile system performance' is set to 'Administrators, NT SERVICE\WdiServiceHost accepted

2.2 2.2.36 (L1) Ensure 'Replace a process level token' is set to 'LOCAL SERVICE, NETWORK SERVICE' accepted

2.2 2.2.37 (L1) Ensure 'Restore files and directories' is set to 'Administrators' accepted

2.2 2.2.38 (L1) Ensure 'Shut down the system' is set to 'Administrators' accepted

2.2 2.2.39 (L1) Ensure 'Synchronize directory service data' is set to 'No One' (DC only) accepted

2.2 2.2.40 (L1) Ensure 'Take ownership of files or other objects' is set to 'Administrators' accepted

2.3 Security Options accepted

2.3.1 Accounts accepted

2.3.1 2.3.1.2 (L1) Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Micros accepted

2.3.1 2.3.1.4 (L1) Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set t accepted

2.3.1 2.3.1.5 (L1) Configure 'Accounts: Rename administrator account' accepted

2.3.1 2.3.1.6 (L1) Configure 'Accounts: Rename guest account' accepted

2.3.2 Audit accepted

2.3.2 2.3.2.1 (L1) Ensure 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override au accepted

2.3.2 2.3.2.2 (L1) Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disa accepted

2.3.3 DCOM accepted

2.3.4 Devices accepted

2.3.4 2.3.4.1 (L1) Ensure 'Devices: Allowed to format and eject removable media' is set to 'Administrators' accepted

2.3.4 2.3.4.2 (L1) Ensure 'Devices: Prevent users from installing printer drivers' is set to 'Enabled' accepted

2.3.5 Domain controller accepted

2.3.5 2.3.5.1 (L1) Ensure 'Domain controller: Allow server operators to schedule tasks' is set to 'Disabled' (DC accepted

2.3.5 2.3.5.2 (L1) Ensure 'Domain controller: LDAP server signing requirements' is set to 'Require signing' (D accepted

2.3.5 2.3.5.3 (L1) Ensure 'Domain controller: Refuse machine account password changes' is set to 'Disabled' accepted
2.3.6 Domain member accepted

2.3.6 2.3.6.1 (L1) Ensure 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'E accepted

2.3.6 2.3.6.2 (L1) Ensure 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'E accepted

2.3.6 2.3.6.3 (L1) Ensure 'Domain member: Digitally sign secure channel data (when possible)' is set to 'Enab accepted

2.3.6 2.3.6.4 (L1) Ensure 'Domain member: Disable machine account password changes' is set to 'Disabled' accepted

2.3.6 2.3.6.5 (L1) Ensure 'Domain member: Maximum machine account password age' is set to '30 or fewer da accepted

2.3.6 2.3.6.6 (L1) Ensure 'Domain member: Require strong (Windows 2000 or later) session key' is set to 'En accepted

2.3.7 Interactive logon accepted

2.3.7 2.3.7.1 (L1) Ensure 'Interactive logon: Do not display last user name' is set to 'Enabled' accepted

2.3.7 2.3.7.2 (L1) Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled' accepted

2.3.7 2.3.7.3 (L1) Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0 accepted

2.3.7 2.3.7.4 (L1) Configure 'Interactive logon: Message text for users attempting to log on' accepted

2.3.7 2.3.7.5 (L1) Configure 'Interactive logon: Message title for users attempting to log on' accepted

2.3.7 2.3.7.7 (L1) Ensure 'Interactive logon: Prompt user to change password before expiration' is set to 'be accepted

2.3.7 2.3.7.9 (L1) Ensure 'Interactive logon: Smart card removal behavior' is set to 'Lock Workstation' or highe accepted

2.3.8 Microsoft network client accepted

2.3.8 2.3.8.1 (L1) Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled' accepted

2.3.8 2.3.8.2 (L1) Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to accepted

2.3.8 2.3.8.3 (L1) Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is accepted

2.3.9 Microsoft network server accepted

2.3.9 2.3.9.1 (L1) Ensure 'Microsoft network server: Amount of idle time required before suspending session' is accepted

2.3.9 2.3.9.2 (L1) Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled accepted

2.3.9 2.3.9.3 (L1) Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to accepted

2.3.9 2.3.9.4 (L1) Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Ena accepted

2.3.10 Network access accepted

2.3.10 2.3.10.1 (L1) Ensure 'Network access: Allow anonymous SID/Name translation' is set to 'Disabled' accepted

2.3.10 2.3.10.5 (L1) Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Di accepted

2.3.10 2.3.10.6 (L1) Configure 'Network access: Named Pipes that can be accessed anonymously' accepted

2.3.10 2.3.10.7 (L1) Configure 'Network access: Remotely accessible registry paths' accepted

2.3.10 2.3.10.8 (L1) Configure 'Network access: Remotely accessible registry paths and sub-paths' accepted

2.3.10 2.3.10.9 (L1) Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to accepted

2.3.10 2.3.10.1 (L1) Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None' accepted

2.3.10 2.3.10.1 (L1) Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - accepted

2.3.11 Network security accepted


2.3.11 2.3.11.1 (L1) Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to ' accepted

2.3.11 2.3.11.2 (L1) Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled' accepted

2.3.11 2.3.11.3 (L1) Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online accepted

2.3.11 2.3.11.4 (L1) Ensure 'Network security: Configure encryption types allowed for Kerberos' is set to accepted

2.3.11 2.3.11.5 (L1) Ensure 'Network security: Do not store LAN Manager hash value on next password change' i accepted

2.3.11 2.3.11.6 (L1) Ensure 'Network security: Force logoff when logon hours expire' is set to 'Enabled' accepted

2.3.11 2.3.11.7 (L1) Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 res accepted

2.3.11 2.3.11.8 (L1) Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signing' or accepted

2.3.11 2.3.11.9 (L1) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure R accepted

2.3.11 2.3.11.1 (L1) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure accepted

2.3.12 Recovery console accepted

2.3.13 Shutdown accepted

2.3.13 2.3.13.1 (L1) Ensure 'Shutdown: Allow system to be shut down without having to log on' is set to 'Disable accepted

2.3.14 System cryptography accepted

2.3.15 System objects accepted

2.3.15 2.3.15.1 (L1) Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to ' accepted

2.3.15 2.3.15.2 (L1) Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. Symb accepted

2.3.16 System settings draft

2.3.17 User Account Control accepted

2.3.17 2.3.17.1 (L1) Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' i accepted

2.3.17 2.3.17.2 (L1) Ensure 'User Account Control: Allow UIAccess applications to prompt for elevation without us accepted

2.3.17 2.3.17.3 (L1) Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin accepted

2.3.17 2.3.17.4 (L1) Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to accepted

2.3.17 2.3.17.5 (L1) Ensure 'User Account Control: Detect application installations and prompt for elevation' is s accepted

2.3.17 2.3.17.6 (L1) Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure accepted

2.3.17 2.3.17.7 (L1) Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'En accepted

2.3.17 2.3.17.8 (L1) Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is accepted

2.3.17 2.3.17.9 (L1) Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' accepted

3 Event Log accepted

4 Restricted Groups accepted

5 System Services accepted

6 Registry accepted

7 File System accepted

8 Wired Network (IEEE 802.3) Policies accepted


9 Windows Firewall with Advanced Security accepted

9.1 Domain Profile accepted

9.1 9.1.1 (L1) Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On (recommended)' accepted

9.1 9.1.2 (L1) Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)' accepted

9.1 9.1.3 (L1) Ensure 'Windows Firewall: Domain: Outbound connections' is set to 'Allow (default)' accepted

9.1 9.1.4 (L1) Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No' accepted

9.1 9.1.5 (L1) Ensure 'Windows Firewall: Domain: Logging: Name' is set to '%SYSTEMROOT%\System32\lo accepted

9.1 9.1.6 (L1) Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16,384 KB or greater' accepted

9.1 9.1.7 (L1) Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes' accepted

9.1 9.1.8 (L1) Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes' accepted

9.2 Private Profile accepted

9.2 9.2.1 (L1) Ensure 'Windows Firewall: Private: Firewall state' is set to 'On (recommended)' accepted

9.2 9.2.2 (L1) Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)' accepted

9.2 9.2.3 (L1) Ensure 'Windows Firewall: Private: Outbound connections' is set to 'Allow (default)' accepted

9.2 9.2.4 (L1) Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No' accepted

9.2 9.2.5 (L1) Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SYSTEMROOT%\System32\logf accepted

9.2 9.2.6 (L1) Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16,384 KB or greater' accepted

9.2 9.2.7 (L1) Ensure 'Windows Firewall: Private: Logging: Log dropped packets' is set to 'Yes' accepted

9.2 9.2.8 (L1) Ensure 'Windows Firewall: Private: Logging: Log successful connections' is set to 'Yes' accepted

9.3 Public Profile accepted

9.3 9.3.1 (L1) Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)' accepted

9.3 9.3.2 (L1) Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)' accepted

9.3 9.3.3 (L1) Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow (default)' accepted

9.3 9.3.4 (L1) Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'No' accepted

9.3 9.3.5 (L1) Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No' accepted

9.3 9.3.6 (L1) Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to ' accepted

9.3 9.3.7 (L1) Ensure 'Windows Firewall: Public: Logging: Name' is set to '%SYSTEMROOT%\System32\logfi accepted

9.3 9.3.8 (L1) Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16,384 KB or greater' accepted

9.3 9.3.9 (L1) Ensure 'Windows Firewall: Public: Logging: Log dropped packets' is set to 'Yes' accepted

9.3 9.3.10 (L1) Ensure 'Windows Firewall: Public: Logging: Log successful connections' is set to 'Yes' accepted

10 Network List Manager Policies accepted

11 Wireless Network (IEEE 802.11) Policies accepted

12 Public Key Policies accepted

13 Software Restriction Policies accepted


14 Network Access Protection NAP Client Configuration accepted

15 Application Control Policies accepted

16 IP Security Policies accepted

17 Advanced Audit Policy Configuration accepted

17.1 Account Logon accepted

17.1 17.1.1 (L1) Ensure 'Audit Credential Validation' is set to 'Success and Failure' accepted

17.2 Account Management accepted

17.2 17.2.1 (L1) Ensure 'Audit Application Group Management' is set to 'Success and Failure' accepted

17.2 17.2.2 (L1) Ensure 'Audit Computer Account Management' is set to 'Success and Failure' accepted

17.2 17.2.3 (L1) Ensure 'Audit Distribution Group Management' is set to 'Success and Failure' (DC only) accepted

17.2 17.2.4 (L1) Ensure 'Audit Other Account Management Events' is set to 'Success and Failure' accepted

17.2 17.2.5 (L1) Ensure 'Audit Security Group Management' is set to 'Success and Failure' accepted

17.2 17.2.6 (L1) Ensure 'Audit User Account Management' is set to 'Success and Failure' accepted

17.3 Detailed Tracking accepted

17.3 17.3.1 (L1) Ensure 'Audit Process Creation' is set to 'Success' accepted

17.4 DS Access accepted

17.4 17.4.1 (L1) Ensure 'Audit Directory Service Access' is set to 'Success and Failure' (DC only) accepted

17.4 17.4.2 (L1) Ensure 'Audit Directory Service Changes' is set to 'Success and Failure' (DC only) accepted

17.5 Logon/Logoff accepted

17.5 17.5.1 (L1) Ensure 'Audit Account Lockout' is set to 'Success and Failure' accepted

17.5 17.5.2 (L1) Ensure 'Audit Logoff' is set to 'Success' accepted

17.5 17.5.3 (L1) Ensure 'Audit Logon' is set to 'Success and Failure' accepted

17.5 17.5.4 (L1) Ensure 'Audit Other Logon/Logoff Events' is set to 'Success and Failure' accepted

17.5 17.5.5 (L1) Ensure 'Audit Special Logon' is set to 'Success' accepted

17.6 Object Access accepted

17.6 17.6.1 (L1) Ensure 'Audit Other Object Access Events' is set to 'Success and Failure' accepted

17.6 17.6.2 (L1) Ensure 'Audit Removable Storage' is set to 'Success and Failure' accepted

17.7 Policy Change accepted

17.7 17.7.1 (L1) Ensure 'Audit Audit Policy Change' is set to 'Success and Failure' accepted

17.7 17.7.2 (L1) Ensure 'Audit Authentication Policy Change' is set to 'Success' accepted

17.7 17.7.3 (L1) Ensure 'Audit Authorization Policy Change' is set to 'Success' accepted

17.8 Privilege Use accepted

17.8 17.8.1 (L1) Ensure 'Audit Sensitive Privilege Use' is set to 'Success and Failure' accepted

17.9 System accepted


17.9 17.9.1 (L1) Ensure 'Audit IPsec Driver' is set to 'Success and Failure' accepted

17.9 17.9.2 (L1) Ensure 'Audit Other System Events' is set to 'Success and Failure' accepted

17.9 17.9.3 (L1) Ensure 'Audit Security State Change' is set to 'Success' accepted

17.9 17.9.4 (L1) Ensure 'Audit Security System Extension' is set to 'Success and Failure' accepted

17.9 17.9.5 (L1) Ensure 'Audit System Integrity' is set to 'Success and Failure' accepted

18 Administrative Templates (Computer) accepted

18.1 Control Panel accepted

18.1.1 Personalization accepted

18.1.1 18.1.1.1 (L1) Ensure 'Prevent enabling lock screen camera' is set to 'Enabled' accepted

18.1.1 18.1.1.2 (L1) Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled' accepted

18.2 LAPS accepted

18.3 MS Security Guide accepted

18.3 18.3.2 (L1) Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver' accepted

18.3 18.3.3 (L1) Ensure 'Configure SMB v1 server' is set to 'Disabled' accepted

18.3 18.3.4 (L1) Ensure 'Enable Structured Exception Handling Overwrite Protection (SEHOP)' is set to 'Ena accepted

18.3 18.3.5 (L1) Ensure 'WDigest Authentication' is set to 'Disabled' accepted

18.4 MSS (Legacy) accepted

18.4 18.4.1 (L1) Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Di accepted

18.4 18.4.2 (L1) Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects agai accepted

18.4 18.4.3 (L1) Ensure 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against p accepted

18.4 18.4.4 (L1) Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes accepted

18.4 18.4.6 (L1) Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name relea accepted

18.4 18.4.8 (L1) Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' is set t accepted

18.4 18.4.9 (L1) Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace accepted

18.4 18.4.12 (L1) Ensure 'MSS: (WarningLevel) Percentage threshold for the security event log at which the sy accepted

18.5 Network accepted

18.5.1 Background Intelligent Transfer Service (BITS) accepted

18.5.2 BranchCache accepted

18.5.3 DirectAccess Client Experience Settings accepted

18.5.4 DNS Client accepted

18.5.5 Fonts draft

18.5.6 Hotspot Authentication accepted

18.5.7 Lanman Server accepted

18.5.8 Lanman Workstation draft


18.5.9 Link-Layer Topology Discovery accepted

18.5.10 Microsoft Peer-to-Peer Networking Services accepted

18.5.10.1 Peer Name Resolution Protocol accepted

18.5.11 Network Connections accepted

18.5.11 18.5.11. (L1) Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain networ accepted

18.5.11 18.5.11. (L1) Ensure 'Require domain users to elevate when setting a network's location' is set to 'Enable accepted

18.5.11.1 Windows Defender Firewall (formerly Windows Firewall) accepted

18.5.12 Network Connectivity Status Indicator accepted

18.5.13 Network Isolation accepted

18.5.14 Network Provider accepted

18.5.14 18.5.14. (L1) Ensure 'Hardened UNC Paths' is set to 'Enabled, with "Require Mutual Authentication" an accepted

18.5.15 Offline Files accepted

18.5.16 QoS Packet Scheduler accepted

18.5.17 SNMP accepted

18.5.18 SSL Configuration Settings accepted

18.5.19 TCPIP Settings accepted

18.5.19.1 IPv6 Transition Technologies accepted

18.5.19.2 Parameters accepted

18.5.20 Windows Connect Now accepted

18.5.21 Windows Connection Manager accepted

18.5.21 18.5.21. (L1) Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Doma accepted

18.6 Printers accepted

18.7 Start Menu and Taskbar accepted

18.8 System accepted

18.8.1 Access-Denied Assistance accepted

18.8.2 App-V accepted

18.8.3 Audit Process Creation accepted

18.8.3 18.8.3.1 (L1) Ensure 'Include command line in process creation events' is set to 'Disabled' accepted

18.8.4 Credentials Delegation accepted

18.8.4 18.8.4.1 (L1) Ensure 'Remote host allows delegation of non-exportable credentials' is set to 'Enabled' accepted

18.8.5 Device Guard accepted

18.8.6 Device Health Attestation Service accepted

18.8.7 Device Installation draft

18.8.8 Device Redirection accepted


18.8.9 Disk NV Cache accepted

18.8.10 Disk Quotas accepted

18.8.11 Display accepted

18.8.12 Distributed COM accepted

18.8.13 Driver Installation accepted

18.8.14 Early Launch Antimalware accepted

18.8.14 18.8.14. (L1) Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but accepted

18.8.15 Enhanced Storage Access accepted

18.8.16 File Classification Infrastructure accepted

18.8.17 File Share Shadow Copy Agent accepted

18.8.18 File Share Shadow Copy Provider accepted

18.8.19 Filesystem (formerly NTFS Filesystem) accepted

18.8.20 Folder Redirection accepted

18.8.21 Group Policy accepted

18.8.21 18.8.21. (L1) Ensure 'Configure registry policy processing: Do not apply during periodic background proc accepted

18.8.21 18.8.21. (L1) Ensure 'Configure registry policy processing: Process even if the Group Policy objects hav accepted

18.8.21 18.8.21. (L1) Ensure 'Turn off background refresh of Group Policy' is set to 'Disabled' accepted

18.8.21.1 Logging and tracing accepted

18.8.22 Internet Communication Management accepted

18.8.22.1 Internet Communication settings accepted

18.8.22. 18.8.22.1 (L1) Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled' accepted

18.8.22. 18.8.22.1 (L1) Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to accepted

18.8.22. 18.8.22.1 (L1) Ensure 'Turn off printing over HTTP' is set to 'Enabled' accepted

18.8.23 iSCSI accepted

18.8.24 KDC accepted

18.8.25 Kerberos draft

18.8.26 Locale Services accepted

18.8.27 Logon accepted

18.8.27 18.8.27. (L1) Ensure 'Do not display network selection UI' is set to 'Enabled' accepted

18.8.27 18.8.27. (L1) Ensure 'Do not enumerate connected users on domain-joined computers' is set to 'Enabled' accepted

18.8.27 18.8.27. (L1) Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled' accepted

18.8.27 18.8.27. (L1) Ensure 'Turn off picture password sign-in' is set to 'Enabled' accepted

18.8.27 18.8.27. (L1) Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled' accepted

18.8.28 Mitigation Options draft


18.8.29 Net Logon accepted

18.8.30 OS Policies accepted

18.8.31 Performance Control Panel accepted

18.8.32 PIN Complexity accepted

18.8.33 Power Management accepted

18.8.33.1 Button Settings accepted

18.8.33.2 Energy Saver Settings accepted

18.8.33.3 Hard Disk Settings accepted

18.8.33.4 Notification Settings accepted

18.8.33.5 Power Throttling Settings accepted

18.8.33.6 Sleep Settings accepted

18.8.33. 18.8.33.6 (L1) Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled' accepted

18.8.33. 18.8.33.6 (L1) Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled' accepted

18.8.34 Recovery accepted

18.8.35 Remote Assistance accepted

18.8.35 18.8.35. (L1) Ensure 'Configure Offer Remote Assistance' is set to 'Disabled' accepted

18.8.35 18.8.35. (L1) Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled' accepted

18.8.36 Remote Procedure Call accepted

18.8.37 Removable Storage Access accepted

18.8.38 Scripts accepted

18.8.39 Server Manager accepted

18.8.40 Shutdown accepted

18.8.41 Shutdown Options accepted

18.8.42 Storage Health accepted

18.8.43 System Restore accepted

18.8.44 Troubleshooting and Diagnostics accepted

18.8.44.1 Application Compatibility Diagnostics accepted

18.8.44.2 Corrupted File Recovery accepted

18.8.44.3 Disk Diagnostic accepted

18.8.44.4 Fault Tolerant Heap accepted

18.8.44.5 Microsoft Support Diagnostic Tool accepted

18.8.44.6 MSI Corrupted File Recovery accepted

18.8.44.7 Scheduled Maintenance accepted

18.8.44.8 Scripted Diagnostics accepted


18.8.44.9 Windows Boot Performance Diagnostics accepted

18.8.44.10 Windows Memory Leak Diagnosis accepted

18.8.44.11 Windows Performance PerfTrack accepted

18.8.45 Trusted Platform Module Services accepted

18.8.46 User Profiles accepted

18.8.47 Windows File Protection accepted

18.8.48 Windows HotStart accepted

18.8.49 Windows Time Service accepted

18.8.49.1 Time Providers accepted

18.9 Windows Components accepted

18.9.1 Active Directory Federation Services accepted

18.9.2 ActiveX Installer Service accepted

18.9.3 Add features to Windows 8 / 8.1 / 10 (formerly Windows Anytime Upgrade) accepted

18.9.4 App Package Deployment draft

18.9.5 App Privacy accepted

18.9.6 App runtime accepted

18.9.6 18.9.6.1 (L1) Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled' accepted

18.9.7 Application Compatibility accepted

18.9.8 AutoPlay Policies accepted

18.9.8 18.9.8.1 (L1) Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled' accepted

18.9.8 18.9.8.2 (L1) Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any auto accepted

18.9.8 18.9.8.3 (L1) Ensure 'Turn off Autoplay' is set to 'Enabled: All drives' accepted

18.9.9 Backup accepted

18.9.10 Biometrics draft

18.9.11 BitLocker Drive Encryption accepted

18.9.12 Camera draft

18.9.13 Cloud Content draft

18.9.14 Connect draft

18.9.15 Credential User Interface accepted

18.9.15 18.9.15. (L1) Ensure 'Do not display the password reveal button' is set to 'Enabled' accepted

18.9.15 18.9.15. (L1) Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled' accepted

18.9.16 Data Collection and Preview Builds draft

18.9.17 Delivery Optimization accepted

18.9.18 Desktop Gadgets draft


18.9.19 Desktop Window Manager accepted

18.9.20 Device and Driver Compatibility accepted

18.9.21 Device Registration (formerly Workplace Join) accepted

18.9.22 Digital Locker accepted

18.9.23 Edge UI accepted

18.9.24 EMET accepted

18.9.24 18.9.24. (L1) Ensure 'EMET 5.52' or higher is installed accepted

18.9.24 18.9.24. (L1) Ensure 'Default Action and Mitigation Settings' is set to 'Enabled' (plus subsettings) accepted

18.9.24 18.9.24. (L1) Ensure 'Default Protections for Internet Explorer' is set to 'Enabled' accepted

18.9.24 18.9.24. (L1) Ensure 'Default Protections for Popular Software' is set to 'Enabled' accepted

18.9.24 18.9.24. (L1) Ensure 'Default Protections for Recommended Software' is set to 'Enabled' accepted

18.9.24 18.9.24. (L1) Ensure 'System ASLR' is set to 'Enabled: Application Opt-In' accepted

18.9.24 18.9.24. (L1) Ensure 'System DEP' is set to 'Enabled: Application Opt-Out' accepted

18.9.24 18.9.24. (L1) Ensure 'System SEHOP' is set to 'Enabled: Application Opt-Out' accepted

18.9.25 Event Forwarding accepted

18.9.26 Event Log Service accepted

18.9.26.1 Application accepted

18.9.26. 18.9.26.1 (L1) Ensure 'Application: Control Event Log behavior when the log file reaches its maximum size' accepted

18.9.26. 18.9.26.1 (L1) Ensure 'Application: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or gr accepted

18.9.26.2 Security accepted

18.9.26. 18.9.26.2 (L1) Ensure 'Security: Control Event Log behavior when the log file reaches its maximum size' is accepted

18.9.26. 18.9.26.2 (L1) Ensure 'Security: Specify the maximum log file size (KB)' is set to 'Enabled: 196,608 or grea accepted

18.9.26.3 Setup accepted

18.9.26. 18.9.26.3 (L1) Ensure 'Setup: Control Event Log behavior when the log file reaches its maximum size' is se accepted

18.9.26. 18.9.26.3 (L1) Ensure 'Setup: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater' accepted

18.9.26.4 System accepted

18.9.26. 18.9.26.4 (L1) Ensure 'System: Control Event Log behavior when the log file reaches its maximum size' is s accepted

18.9.26. 18.9.26.4 (L1) Ensure 'System: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greate accepted

18.9.27 Event Logging accepted

18.9.28 Event Viewer accepted

18.9.29 Family Safety (formerly Parental Controls) accepted

18.9.30 File Explorer (formerly Windows Explorer) accepted

18.9.30 18.9.30. (L1) Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled' accepted

18.9.30 18.9.30. (L1) Ensure 'Turn off heap termination on corruption' is set to 'Disabled' accepted
18.9.30 18.9.30. (L1) Ensure 'Turn off shell protocol protected mode' is set to 'Disabled' accepted

18.9.30.1 Previous Versions accepted

18.9.31 File History accepted

18.9.32 Find My Device accepted

18.9.33 Game Explorer accepted

18.9.34 Handwriting accepted

18.9.35 HomeGroup accepted

18.9.36 Import Video accepted

18.9.37 Internet Explorer accepted

18.9.38 Internet Information Services accepted

18.9.39 Location and Sensors accepted

18.9.39.1 Windows Location Provider accepted

18.9.40 Maintenance Scheduler accepted

18.9.41 Maps accepted

18.9.42 MDM accepted

18.9.43 Messaging accepted

18.9.44 Microsoft account draft

18.9.45 Microsoft Edge accepted

18.9.46 Microsoft FIDO Authentication accepted

18.9.47 Microsoft Secondary Authentication Factor accepted

18.9.48 Microsoft User Experience Virtualization accepted

18.9.49 NetMeeting accepted

18.9.50 Network Access Protection accepted

18.9.51 Network Projector accepted

18.9.52 OneDrive (formerly SkyDrive) accepted

18.9.52 18.9.52. (L1) Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled' accepted

18.9.52 18.9.52. (L1) Ensure 'Prevent the usage of OneDrive for file storage on Windows 8.1' is set to 'Enabled' accepted

18.9.53 Online Assistance accepted

18.9.54 Password Synchronization accepted

18.9.55 Portable Operating System accepted

18.9.56 Presentation Settings accepted

18.9.57 Push To Install accepted

18.9.58 Remote Desktop Services (formerly Terminal Services) accepted

18.9.58.1 RD Licensing (formerly TS Licensing) accepted


18.9.58.2 Remote Desktop Connection Client accepted

18.9.58. 18.9.58.2 (L1) Ensure 'Do not allow passwords to be saved' is set to 'Enabled' accepted

18.9.58.2.1 RemoteFX USB Device Redirection accepted

18.9.58.3 Remote Desktop Session Host (formerly Terminal Server) accepted

18.9.58.3.1 Application Compatibility accepted

18.9.58.3.2 Connections accepted

18.9.58.3.3 Device and Resource Redirection accepted

18.9.58.3 18.9.58.3 (L1) Ensure 'Do not allow drive redirection' is set to 'Enabled' accepted

18.9.58.3.4 Licensing accepted

18.9.58.3.5 Printer Redirection accepted

18.9.58.3.6 Profiles accepted

18.9.58.3.7 RD Connection Broker (formerly TS Connection Broker) accepted

18.9.58.3.8 Remote Session Environment accepted

18.9.58.3.9 Security accepted

18.9.58.3 18.9.58.3 (L1) Ensure 'Always prompt for password upon connection' is set to 'Enabled' accepted

18.9.58.3 18.9.58.3 (L1) Ensure 'Require secure RPC communication' is set to 'Enabled' accepted

18.9.58.3 18.9.58.3 (L1) Ensure 'Set client connection encryption level' is set to 'Enabled: High Level' accepted

18.9.58.3.10 Session Time Limits accepted

18.9.58.3.11 Temporary folders accepted

18.9.58. 18.9.58.3 (L1) Ensure 'Do not delete temp folders upon exit' is set to 'Disabled' accepted

18.9.58. 18.9.58.3 (L1) Ensure 'Do not use temporary folders per session' is set to 'Disabled' accepted

18.9.59 RSS Feeds accepted

18.9.59 18.9.59. (L1) Ensure 'Prevent downloading of enclosures' is set to 'Enabled' accepted

18.9.60 Search accepted

18.9.60 18.9.60. (L1) Ensure 'Allow indexing of encrypted files' is set to 'Disabled' accepted

18.9.60.1 OCR accepted

18.9.61 Security Center accepted

18.9.62 Server for NIS accepted

18.9.63 Shutdown Options accepted

18.9.64 Smart Card accepted

18.9.65 Software Protection Platform accepted

18.9.66 Sound Recorder accepted

18.9.67 Speech accepted

18.9.68 Store accepted


18.9.69 Sync your settings accepted

18.9.70 Tablet PC accepted

18.9.71 Task Scheduler accepted

18.9.72 Text Input accepted

18.9.73 Windows Calendar accepted

18.9.74 Windows Color System accepted

18.9.75 Windows Customer Experience Improvement Program accepted

18.9.76 Windows Defender Antivirus (formerly Windows Defender) accepted

18.9.76 18.9.76. (L1) Ensure 'Turn off Windows Defender AntiVirus' is set to 'Disabled' accepted

18.9.76.1 Client Interface accepted

18.9.76.2 Exclusions accepted

18.9.76.3 MAPS accepted

18.9.76. 18.9.76.3 (L1) Ensure 'Configure local setting override for reporting to Microsoft MAPS' is set to 'Disabled' accepted

18.9.76.4 MpEngine accepted

18.9.76.5 Network Inspection System accepted

18.9.76.6 Quarantine accepted

18.9.76.7 Real-time Protection accepted

18.9.76. 18.9.76.7 (L1) Ensure 'Turn on behavior monitoring' is set to 'Enabled' accepted

18.9.76.8 Remediation accepted

18.9.76.9 Reporting accepted

18.9.76.10 Scan accepted

18.9.76. 18.9.76. (L1) Ensure 'Scan removable drives' is set to 'Enabled' accepted

18.9.76. 18.9.76. (L1) Ensure 'Turn on e-mail scanning' is set to 'Enabled' accepted

18.9.76.11 Signature Updates accepted

18.9.76.12 Threats accepted

18.9.76.13 Windows Defender Exploit Guard accepted

18.9.77 Windows Defender Application Guard accepted

18.9.78 Windows Defender Exploit Guard accepted

18.9.79 Windows Defender Security Center accepted

18.9.80 Windows Defender SmartScreen accepted

18.9.80.1 Explorer accepted

18.9.80. 18.9.80.1 (L1) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent b… accepted

18.9.81 Windows Error Reporting accepted

18.9.81 18.9.81. (L1) Ensure 'Automatically send memory dumps for OS-generated error reports' is set to 'Disabled' accepted

18.9.81.1 Advanced Error Reporting Settings accepted

18.9.81.2 Consent accepted

18.9.81. 18.9.81.2 (L1) Ensure 'Configure Default consent' is set to 'Enabled: Always ask before sending data' accepted

18.9.82 Windows Game Recording and Broadcasting accepted

18.9.83 Windows Hello for Business (formerly Microsoft Passport for Work) accepted

18.9.84 Windows Ink Workspace draft

18.9.85 Windows Installer accepted

18.9.85 18.9.85. (L1) Ensure 'Allow user control over installs' is set to 'Disabled' accepted

18.9.85 18.9.85. (L1) Ensure 'Always install with elevated privileges' is set to 'Disabled' accepted

18.9.86 Windows Logon Options accepted

18.9.86 18.9.86. (L1) Ensure 'Sign-in last interactive user automatically after a system-initiated restart' is set to 'D… accepted

18.9.87 Windows Mail accepted

18.9.88 Windows Media Center accepted

18.9.89 Windows Media Digital Rights Management accepted

18.9.90 Windows Media Player accepted

18.9.91 Windows Meeting Space accepted

18.9.92 Windows Messenger accepted

18.9.93 Windows Mobility Center accepted

18.9.94 Windows Movie Maker accepted

18.9.95 Windows PowerShell accepted

18.9.95 18.9.95. (L1) Ensure 'Turn on PowerShell Script Block Logging' is set to 'Disabled' accepted

18.9.95 18.9.95. (L1) Ensure 'Turn on PowerShell Transcription' is set to 'Disabled' accepted

18.9.96 Windows Reliability Analysis accepted

18.9.97 Windows Remote Management (WinRM) accepted

18.9.97.1 WinRM Client accepted

18.9.97. 18.9.97.1 (L1) Ensure 'Allow Basic authentication' is set to 'Disabled' accepted

18.9.97. 18.9.97.1 (L1) Ensure 'Allow unencrypted traffic' is set to 'Disabled' accepted

18.9.97. 18.9.97.1 (L1) Ensure 'Disallow Digest authentication' is set to 'Enabled' accepted

18.9.97.2 WinRM Service accepted

18.9.97. 18.9.97.2 (L1) Ensure 'Allow Basic authentication' is set to 'Disabled' accepted

18.9.97. 18.9.97.2 (L1) Ensure 'Allow unencrypted traffic' is set to 'Disabled' accepted

18.9.97. 18.9.97.2 (L1) Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled' accepted

18.9.98 Windows Remote Shell accepted

18.9.99 Windows SideShow accepted


18.9.100 Windows System Resource Manager accepted

18.9.101 Windows Update accepted

18.9.101 18.9.101 (L1) Ensure 'Configure Automatic Updates' is set to 'Enabled' accepted

18.9.101 18.9.101 (L1) Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day' accepted

18.9.101 18.9.101 (L1) Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' i…

18.9.101.1 Windows Update for Business (formerly Defer Windows Updates) draft

19 Administrative Templates (User) accepted

19.1 Control Panel accepted

19.1.1 Add or Remove Programs accepted

19.1.2 Display accepted

19.1.3 Personalization (formerly Desktop Themes) accepted

19.1.3 19.1.3.1 (L1) Ensure 'Enable screen saver' is set to 'Enabled' accepted

19.1.3 19.1.3.2 (L1) Ensure 'Force specific screen saver: Screen saver executable name' is set to 'Enabled: scr… accepted

19.1.3 19.1.3.3 (L1) Ensure 'Password protect the screen saver' is set to 'Enabled' accepted

19.1.3 19.1.3.4 (L1) Ensure 'Screen saver timeout' is set to 'Enabled: 900 seconds or fewer, but not 0' accepted

19.2 Desktop accepted

19.3 Network accepted

19.4 Shared Folders accepted

19.5 Start Menu and Taskbar accepted

19.5.1 Notifications accepted

19.5.1 19.5.1.1 (L1) Ensure 'Turn off toast notifications on the lock screen' is set to 'Enabled' accepted

19.6 System accepted

19.6.1 Ctrl+Alt+Del Options accepted

19.6.2 Driver Installation accepted

19.6.3 Folder Redirection accepted

19.6.4 Group Policy accepted

19.6.5 Internet Communication Management accepted

19.6.5.1 Internet Communication settings accepted

19.7 Windows Components accepted

19.7.1 Add features to Windows 8 / 8.1 / 10 (formerly Windows Anytime Upgrade) accepted

19.7.2 App runtime accepted

19.7.3 Application Compatibility accepted

19.7.4 Attachment Manager accepted

19.7.4 19.7.4.1 (L1) Ensure 'Do not preserve zone information in file attachments' is set to 'Disabled' accepted
19.7.4 19.7.4.2 (L1) Ensure 'Notify antivirus programs when opening attachments' is set to 'Enabled' accepted

19.7.5 AutoPlay Policies accepted

19.7.6 Backup accepted

19.7.7 Cloud Content draft

19.7.8 Credential User Interface accepted

19.7.9 Data Collection and Preview Builds accepted

19.7.10 Desktop Gadgets accepted

19.7.11 Desktop Window Manager accepted

19.7.12 Digital Locker accepted

19.7.13 Edge UI accepted

19.7.14 File Explorer (formerly Windows Explorer) accepted

19.7.15 File Revocation accepted

19.7.16 IME accepted

19.7.17 Import Video accepted

19.7.18 Instant Search accepted

19.7.19 Internet Explorer accepted

19.7.20 Location and Sensors accepted

19.7.21 Microsoft Edge accepted

19.7.22 Microsoft Management Console accepted

19.7.23 Microsoft User Experience Virtualization accepted

19.7.24 NetMeeting accepted

19.7.25 Network Projector accepted

19.7.26 Network Sharing accepted

19.7.26 19.7.26. (L1) Ensure 'Prevent users from sharing files within their profile.' is set to 'Enabled' accepted

19.7.27 Presentation Settings accepted

19.7.28 Remote Desktop Services (formerly Terminal Services) accepted

19.7.29 RSS Feeds accepted

19.7.30 Search accepted

19.7.31 Sound Recorder accepted

19.7.32 Store accepted

19.7.33 Tablet PC accepted

19.7.34 Task Scheduler accepted

19.7.35 Windows Calendar accepted

19.7.36 Windows Color System accepted


19.7.37 Windows Defender SmartScreen accepted

19.7.38 Windows Error Reporting accepted

19.7.39 Windows Hello for Business (formerly Microsoft Passport for Work) accepted

19.7.40 Windows Installer accepted

19.7.40 19.7.40. (L1) Ensure 'Always install with elevated privileges' is set to 'Disabled' accepted

19.7.41 Windows Logon Options accepted

19.7.42 Windows Mail accepted

19.7.43 Windows Media Center accepted

19.7.44 Windows Media Player accepted

19.7.44.1 Networking accepted

19.7.44.2 Playback accepted
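The Administrative Template rows above (both the machine-side 18.9.x rows and the user-side 19.x rows) are audited on a host by reading the registry values that the corresponding Group Policy settings write. The script below is an added example, not text or code from the benchmark, and the key and value names in it are the standard ADMX-backed locations for each setting as I map them, not something the page quotes; treat any row whose mapping you cannot confirm against the setting's ADMX as an assumption. Two rows deserve a caveat: the table lists PowerShell Script Block Logging and Transcription as 'Disabled', so the script encodes that as written, but later CIS revisions and most detection programs want both enabled, so read a 'fail' on those two as a policy decision to review rather than a defect. Run it elevated; the HKCU rows reflect only the user running the script.

```powershell
# Added example, not part of the CIS benchmark. Reads the registry values behind the
# Administrative Template rows listed above and reports deviations. Key/value names are
# the standard ADMX-backed locations for each setting (my mapping, not quoted from the
# page). Run elevated; HKCU rows reflect only the user running the script.
$pol  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows'
$ts   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$def  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
$upol = 'HKCU:\Software\Policies\Microsoft\Windows'

function New-Check([string]$Title, [string]$Key, [string]$Name, [scriptblock]$Expect) {
    [pscustomobject]@{ Title = $Title; Key = $Key; Name = $Name; Expect = $Expect }
}

# In each Expect block $_ is the raw registry value (DWORD -> [int], REG_SZ -> [string]).
$checks = @(
    New-Check 'Setup log max size >= 32768 KB'        "$pol\EventLog\Setup"  'MaxSize' { $_ -ge 32768 }
    New-Check 'System log max size >= 32768 KB'       "$pol\EventLog\System" 'MaxSize' { $_ -ge 32768 }
    New-Check 'Explorer DEP not turned off'           "$pol\Explorer" 'NoDataExecutionPrevention'     { $_ -eq 0 }
    New-Check 'Explorer heap termination not off'     "$pol\Explorer" 'NoHeapTerminationOnCorruption' { $_ -eq 0 }
    New-Check 'OneDrive file storage prevented'       "$pol\OneDrive" 'DisableFileSyncNGSC' { $_ -eq 1 }
    New-Check 'RD client: passwords may not be saved' $ts 'DisablePasswordSaving' { $_ -eq 1 }
    New-Check 'RD host: drive redirection disabled'   $ts 'fDisableCdm'          { $_ -eq 1 }
    New-Check 'RD host: always prompt for password'   $ts 'fPromptForPassword'   { $_ -eq 1 }
    New-Check 'RD host: secure RPC required'          $ts 'fEncryptRPCTraffic'   { $_ -eq 1 }
    New-Check 'RD host: encryption level High'        $ts 'MinEncryptionLevel'   { $_ -eq 3 }
    New-Check 'RD host: temp folders deleted on exit' $ts 'DeleteTempDirsOnExit' { $_ -eq 1 }
    New-Check 'RD host: per-session temp folders'     $ts 'PerSessionTempDir'    { $_ -eq 1 }
    New-Check 'RSS enclosure download prevented'      'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds' 'DisableEnclosureDownload' { $_ -eq 1 }
    New-Check 'Search: encrypted files not indexed'   "$pol\Windows Search" 'AllowIndexingEncryptedStoresOrItems' { $_ -eq 0 }
    New-Check 'Defender AV not turned off'            $def 'DisableAntiSpyware' { $_ -eq 0 }
    New-Check 'Defender MAPS: no local override'      "$def\Spynet" 'LocalSettingOverrideSpynetReporting' { $_ -eq 0 }
    New-Check 'Defender behavior monitoring on'       "$def\Real-Time Protection" 'DisableBehaviorMonitoring' { $_ -eq 0 }
    New-Check 'Defender scans removable drives'       "$def\Scan" 'DisableRemovableDriveScanning' { $_ -eq 0 }
    New-Check 'Defender e-mail scanning on'           "$def\Scan" 'DisableEmailScanning' { $_ -eq 0 }
    New-Check 'SmartScreen (Explorer) enabled'        "$pol\System" 'EnableSmartScreen' { $_ -eq 1 }
    New-Check 'WER: OS memory dumps not auto-sent'    "$pol\Windows Error Reporting" 'AutoApproveOSDumps' { $_ -eq 0 }
    New-Check 'WER: default consent = always ask'     "$pol\Windows Error Reporting\Consent" 'DefaultConsent' { $_ -eq 1 }
    New-Check 'Installer: no user control'            "$pol\Installer" 'EnableUserControl'     { $_ -eq 0 }
    New-Check 'Installer: never install elevated'     "$pol\Installer" 'AlwaysInstallElevated' { $_ -eq 0 }
    New-Check 'No auto sign-in after restart'         'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 'DisableAutomaticRestartSignOn' { $_ -eq 1 }
    New-Check 'PowerShell script block logging (table says Disabled)' "$pol\PowerShell\ScriptBlockLogging" 'EnableScriptBlockLogging' { $_ -eq 0 }
    New-Check 'PowerShell transcription (table says Disabled)'        "$pol\PowerShell\Transcription"      'EnableTranscripting'      { $_ -eq 0 }
    New-Check 'WinRM client: Basic auth off'           "$pol\WinRM\Client"  'AllowBasic'              { $_ -eq 0 }
    New-Check 'WinRM client: unencrypted traffic off'  "$pol\WinRM\Client"  'AllowUnencryptedTraffic' { $_ -eq 0 }
    New-Check 'WinRM client: Digest auth disallowed'   "$pol\WinRM\Client"  'AllowDigest'             { $_ -eq 0 }
    New-Check 'WinRM service: Basic auth off'          "$pol\WinRM\Service" 'AllowBasic'              { $_ -eq 0 }
    New-Check 'WinRM service: unencrypted traffic off' "$pol\WinRM\Service" 'AllowUnencryptedTraffic' { $_ -eq 0 }
    New-Check 'WinRM service: RunAs creds not stored'  "$pol\WinRM\Service" 'DisableRunAs'            { $_ -eq 1 }
    New-Check 'WU: automatic updates configured'       "$pol\WindowsUpdate\AU" 'NoAutoUpdate'        { $_ -eq 0 }
    New-Check 'WU: scheduled install day = every day'  "$pol\WindowsUpdate\AU" 'ScheduledInstallDay' { $_ -eq 0 }
    New-Check 'WU: no auto-restart with logged-on users' "$pol\WindowsUpdate\AU" 'NoAutoRebootWithLoggedOnUsers' { $_ -eq 1 }
    # User-side rows (HKCU; the screen saver values are REG_SZ strings)
    New-Check 'Screen saver enabled'                   "$upol\Control Panel\Desktop" 'ScreenSaveActive'    { $_ -eq '1' }
    New-Check 'Screen saver executable forced'         "$upol\Control Panel\Desktop" 'SCRNSAVE.EXE'        { -not [string]::IsNullOrEmpty($_) }
    New-Check 'Screen saver password protected'        "$upol\Control Panel\Desktop" 'ScreenSaverIsSecure' { $_ -eq '1' }
    New-Check 'Screen saver timeout 1..900 s'          "$upol\Control Panel\Desktop" 'ScreenSaveTimeOut'   { [int]$_ -ge 1 -and [int]$_ -le 900 }
    New-Check 'No toasts on the lock screen'           "$upol\CurrentVersion\PushNotifications" 'NoToastApplicationNotificationOnLockScreen' { $_ -eq 1 }
    New-Check 'Attachments: zone information kept'     'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments' 'SaveZoneInformation' { $_ -eq 2 }
    New-Check 'Attachments: notify antivirus'          'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments' 'ScanWithAntiVirus'   { $_ -eq 3 }
    New-Check 'No in-profile file sharing'             'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' 'NoInplaceSharing' { $_ -eq 1 }
    New-Check 'Installer (user): never elevated'       "$upol\Installer" 'AlwaysInstallElevated' { $_ -eq 0 }
)

function Invoke-PolicyAudit([object[]]$Checks = $checks) {
    foreach ($c in $Checks) {
        $item  = Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue
        $value = if ($item) { $item.($c.Name) } else { $null }
        # A missing value is 'Not Configured', which never satisfies an "Ensure ... is set to" row.
        $pass  = ($null -ne $value) -and [bool]($value | ForEach-Object -Process $c.Expect)
        [pscustomobject]@{ Title = $c.Title; Key = $c.Key; Name = $c.Name; Value = $value; Pass = $pass }
    }
}

Invoke-PolicyAudit | Where-Object { -not $_.Pass } | Format-Table Title, Name, Value -AutoSize
```

The check reads the policy hive, not the effective setting: a value an administrator set by hand under HKLM\SOFTWARE\Microsoft\... instead of through Group Policy will show as "Not Configured" here, which is the right answer for a benchmark row that asks for the GPO path to be set.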


Detail columns, as exported: scoring status | description | rationale statement | remediation procedure | audit procedure | impact statement. The export clipped most cells at the column edge and interleaved the columns line by line; the rows are reassembled below, with clipped text marked "…". Every scored row in this section carries the same remediation and audit text, given once here:

  remediation procedure: To establish the recommended configuration via GP, set the following UI path to `<recommended value>`:
  ```
  Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies…
  ```
  (only one path survived the clipping in full: Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy\Minimum password length)
  audit procedure: Navigate to the UI …

Account Policies (status: accepted)
  description: This section contains recommendations for account policies.

Password Policy (status: accepted)
  description: This section contains recommendations for password policy.

Enforce password history (scoring: full)
  description: … associated with a user account before you can reuse an old password. The value for this policy setting must be between 0 and 24 passwords. The default value for Windows Vista is 0 passwords, but the default setting in a domain is 24 passwords. To maintain the effectiveness of this policy setting, use the Minimum password age setting to prevent users from repeatedly changing their password. The recommended state for this setting is: `24 or more password(s)`.
  rationale: … compromised will remain exploitable for as long as the password is left unchanged. If password changes are required but password reuse is not prevented, or if users continually reuse a small number of passwords, the effectiveness of a good password policy is greatly reduced. If you specify a low number for this policy setting, users will be able to use the same small number of passwords repeatedly. If you do not also configure the Minimum password age setting, users might repeatedly change their passwords until they can reuse their original password.
  impact: The major impact of this configurati…

Maximum password age (scoring: full)
  description: This policy setting defines how long a user can use their password before it expires. Values for this policy setting range from 0 to 999 days. If you set the value to 0, the password will never expire. … The recommended state for this setting is: `60 or fewer days, but not 0`.
  rationale: The longer a passw… Because attackers can crack passwords, the more frequently you change the password the less opportunity an attacker ha…
  impact: If the Maximum password age setting …

Minimum password age (scoring: full)
  description: This policy setting determines the number of days that you must use a password before you can change it. The range of va… The recommended state for this setting is: `1 or more day(s)`.
  rationale: Users may have fav…
  impact: If an administrator sets a password f…

Minimum password length (scoring: full)
  description: This policy setting determines the least number of characters that make up a password for a user account. There are many … The recommended state for this setting is: `14 or more character(s)`. **Note:** Older versions of Windows such as Wi…
  rationale: Types of password …
  impact: Requirements for extremely long passwords can …

Password must meet complexity requirements (scoring: full)
  description: This policy setting checks all new passwords to ensure that they meet basic requirements for strong passwords.
  When this policy is enabled, passwords must meet the following minimum requirements:
  -- Not contain the user's account name or parts of the user's full name that exceed two consecutive characters
  -- Be at least six characters in length
  -- Contain characters from three of the following four categories:
  ---- English uppercase characters (A through Z)
  ---- English lowercase characters (a through z)
  ---- Base 10 digits (0 through 9)
  ---- Non-alphabetic characters (for example, !, $, #, %)
  ---- A catch-all category of any Unicode character that does not fall under the previous four categories. This fifth category c…
  Each additional character in a password increases its complexity exponentially. For instance, a seven-character, all lower-c…
  The recommended state for this setting is: `Enabled`.
  rationale: Passwords that con…
  impact: If the default password complexity configuration … Also, the use of ALT key character combinations …

Store passwords using reversible encryption (scoring: full)
  description: This policy setting determines whether the operating system stores passwords in a way that uses reversible encryption, wh… The recommended state for this setting is: `Disabled`.
  rationale: Enabling this poli…
  impact: If your organization has more stringent security r… If your organization uses either the …

Account Lockout Policy (status: accepted)
  description: This section contains recommendations for account lockout policy.

Account lockout duration (scoring: full)
  description: This policy setting determines the length of time that must pass before a locked account is unlocked and a user can try to lo… The recommended state for this setting is: `15 or more minute(s)`.
  rationale: A denial of servic…
  impact: Although it might seem like a good idea to configure the value for this policy setting to a high value, such a configuration wi…

Account lockout threshold (scoring: full)
  description: This policy setting determines the number of failed logon attempts before the account is locked. Setting this policy to `0` do… The recommended state for this setting is: `10 or fewer invalid logon attempt(s), but not 0`.
  rationale: Setting an account …
  impact: If this policy setting is enabled, a locked-out acco… If you enforce this setting an attacker could caus…

Reset account lockout counter after (scoring: full)
  description: This policy setting determines the length of time before the Account lockout threshold resets to zero. The default value for … If you leave this policy setting at its default value or configure the value to an interval that is too long, your environment c… The recommended state for this setting is: `15 or more minute(s)`.
  rationale: Users can accident…
  impact: If you do not configure this policy se… If you configure the Account Lockout Threshold …
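The complexity rules quoted for 'Password must meet complexity requirements' above are easy to get subtly wrong when you write your own password-quality check or a generator that must pass them, so here is an added worked implementation (mine, not text or code from the benchmark). It applies the five categories exactly as the description lists them. The account-name and full-name checks follow Microsoft's documented behaviour for this policy, which the page does not spell out: the account name is checked as a whole and skipped when it is shorter than three characters; the full name is split on commas, periods, hyphens, underscores, spaces, '#' and tabs, tokens shorter than three characters are ignored, and matching is case-insensitive. `-MinimumLength` defaults to the 14 characters recommended by the Minimum password length row; the policy's own floor of six characters still applies if a smaller value is passed. The account 'jdoe' / 'John Doe' and the sample passwords are constructed.

```powershell
# Added example (not from the benchmark). Implements the complexity rules quoted above.
# Name-token handling follows Microsoft's documented behaviour for this policy (see the
# lead-in); the account and sample passwords below are constructed.
function Test-PasswordComplexity {
    param(
        [Parameter(Mandatory)][string]$Password,
        [string]$SamAccountName = '',
        [string]$DisplayName = '',
        [int]$MinimumLength = 14      # the Minimum password length row; the policy's own floor is 6
    )
    $failures = [System.Collections.Generic.List[string]]::new()
    $floor = [Math]::Max(6, $MinimumLength)
    if ($Password.Length -lt $floor) { $failures.Add("shorter than $floor characters") }

    # Rule 1a: must not contain the account name; skipped for account names under 3 characters
    if ($SamAccountName.Length -ge 3 -and
        $Password.IndexOf($SamAccountName, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
        $failures.Add("contains account name '$SamAccountName'")
    }
    # Rule 1b: must not contain any part of the full name longer than two characters
    $tokens = $DisplayName -split '[,.\-_ #\t]+' | Where-Object { $_.Length -ge 3 }
    foreach ($t in $tokens) {
        if ($Password.IndexOf($t, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
            $failures.Add("contains name token '$t'")
        }
    }
    # Rule 3: characters from at least three of the five categories (case-sensitive regexes)
    $categories = [ordered]@{
        'English uppercase' = '[A-Z]'
        'English lowercase' = '[a-z]'
        'Base 10 digit'     = '[0-9]'
        'Non-alphanumeric'  = '[^\p{L}\p{N}\s]'            # e.g. ! $ # % (whitespace is not counted)
        'Other Unicode'     = '[\p{L}\p{N}-[A-Za-z0-9]]'   # letters/digits outside the four classes above
    }
    $hit = @($categories.GetEnumerator() | Where-Object { $Password -cmatch $_.Value } | ForEach-Object { $_.Key })
    if ($hit.Count -lt 3) { $failures.Add("only $($hit.Count) of 5 character categories: $($hit -join ', ')") }

    [pscustomobject]@{ Password = $Password; Compliant = ($failures.Count -eq 0); Failures = $failures.ToArray() }
}

# Constructed examples against a hypothetical account jdoe / "John Doe":
'Summer2024!', 'correct-horse-battery-staple', 'Tr0ub4dor&Doe!', 'Velvet-Kestrel-9-Harbor' |
    ForEach-Object { Test-PasswordComplexity -Password $_ -SamAccountName 'jdoe' -DisplayName 'John Doe' } |
    Format-Table Password, Compliant, @{ n = 'Failures'; e = { $_.Failures -join '; ' } } -AutoSize
# Summer2024!                  -> shorter than 14 characters
# correct-horse-battery-staple -> only 2 of 5 categories (lowercase, non-alphanumeric)
# Tr0ub4dor&Doe!               -> contains name token 'Doe'
# Velvet-Kestrel-9-Harbor      -> compliant
```

The third sample is the case people miss: it satisfies length and category rules, and it is rejected only because 'Doe' is a token of the display name. If your generator feeds the domain's own users' names into its word list, it will produce exactly this kind of failure.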
accepted The
This recommended
section containsstate for this setting
recommendations ``` is:
for`15 or policies.
local more minute(s)`.

accepted This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

accepted This section contains recommendations for user rights


To establish assignments. configuration via GP, set the following UI path to `No O
the recommended
This security setting is used by Credential Manager during Backup and Restore. No accounts should have this user right, a
full If an account is gi To ``` establish the recommended
Navigate to the UI None - this
configuration via is
GP, theconfigure
default behavior.
the following UI path:
This policy setting allows other users on the network to connect to the computer and is required by various network protoco
The recommended state for this setting Computer
is: `No One`.
Configuration\Policies\Windows Settings\Security Settings\Local Policies\U
full This policy setting Users
allows who can conn
a process ```
```
toTo assume
establish thethe
identityNavigate
of any to
recommended userthe UI Ifthus
you gain
configuration
and remove
viaaccess
GP, theset **Access
tothethefollowingthis compu
resources UIthat
paththe to user
`No O
- **Level 1 - Domain Controller.** The recommended state for this setting is: `Administrators, Authenticated Users, ENTER
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\U
- **Level 1 - Member Server.** The recommended state for this setting is: `Administrators, Authenticated Users`.
full The recommended
This policy setting Thestate **Act
specifies for which
this
as partsetting ```
users```is:
To `No
establish
can addOne`.
computer Navigate
the recommended to the
workstations UItoThere
configuration should
the domain.via GP, beset
For little
thistheor no impact
policy
following
setting UIbtopath
taketoeffect
`Adm
This policy setting allows a user to adjust Computer Configuration\Policies\Windows
the maximum amount of memory that is Settings\Security
available to a process. Settings\Local The abilityPolicies\U
to adju
full **Note:**
In This userThe
Windows-based right**Add
networks,is considered
workstat
the termTo ```a
``` "sensitive
security
establish privilege"
principal
the for the
Navigate
is defined
recommended purposes
toasthea user, of
UI Forgroup,
configuration auditing.
organizations
orGP,
via computer
set that
thehave
that isnever
following automatically
UIalpath toassig `Adm
This policy setting determines which users or groups have the right to log on as a Remote Desktop Services client. If your o
The recommended state for this setting Computer Configuration\Policies\Windows
is: `Administrators, LOCAL SERVICE, NETWORK Settings\Security SERVICE`. Settings\Local Policies\U
full The recommended
This policy setting A state
user for
determines withthis
the setting
which ```
```is:
** users
To `Administrators`.
establish
can interactively Navigate
the recommendedlog ontotothe UI Organizations
configuration
computers in via
yourGP, that have not
environment.
configure the restricte
Logons
followingthat UIarepath:
initia
Restrict this user right to the `Administrators` group, and possibly the `Remote Desktop Users` group, to prevent unwanted
**Note:** A Member Server that holdsComputer the _WebConfiguration\Policies\Windows
Server (IIS)_ Role with _Web Server_ Settings\Security
Role Service Settings\Local
will require aPolicies\U
special e
full The `Guest` account Any is account
assignedwith ```
thist To
user
``` establish
right by thedefault.Navigate
Although
recommended to the
this UI
account
If you remove
configuration isvia
disabled
GP, these by default
configuredefault, thegroups,
itfollowing
is recommended
y UI path:
- **Level 1 - Domain Controller.** The recommended state for this setting is: `Administrators`.
**Note #2:** A Member Server with Microsoft Computer SQL Server installed will require a Settings\Security
Configuration\Policies\Windows special exceptionSettings\Localto this recommendation Policies\U
- **Level 1 - Member Server.** The recommended state for this setting is: `Administrators,
Users who can change the time on a computer could cause several problems. For example, time stamps Remote Desktop Users`.
full The recommended
This policy setting Anystate
allows for
account thiswith
users tosetting ```
```is:
t To
circumvent `Administrators`.
establish
file and Navigate
the recommended
directory to the
permissions UI Removal
configuration
to backvia of the
upGP,the**Allow
set the log
system. onuser
following
This through
UIright
pathistoenable
`Adm
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\U
**Note:** A Member Server that holds the _Remote Desktop Services_ Role with _Remote
The risk from these types of events is mitigated on most Domain Controllers, Member Servers, and end- Desktop Connection Broker_ R
full The recommended
This policy setting Users
state who
determines for thisare setting
whichable ```
```is:
users
To `Administrators`.
establish
and groups Navigate
the recommended
can change to the
the UI Changes
configuration
time and date inon
via thethe
GP, membership
setinternal
the following
clockof the grou
ofUIthe
pathcomputers
to `Adm
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\U
**Note #2:** The above lists are
- All client to becomputers
desktop treated as and whitelists,
Member which implies
Servers usethatthethe above principals
authenticating Domain need not be present
Controller as theirfor inb
full **Note:**
The This user right
recommended stateisforconsidered
this setting ```
To a is:
``` "sensitive
establish privilege"
`Administrators,
the for the
Navigate
LOCAL
recommended purposes
to SERVICE`.
the UI There
configurationof auditing.
should
via GP, beset no the
impact, because
following UI patht to `Adm
- All Domain Controllers in a domain nominate the Primary Domain Controller (PDC) Emulator operation
This setting determines which users can Computer
changeConfiguration\Policies\Windows
the time zone of the computer. Settings\SecurityThis ability holds no Settings\Local
great dangerPolicies\U for the c
**Note #3:** In all versions
- All PDCofEmulator
Windowsoperations Server prior to Server
masters follow2008theR2, **Remote
hierarchy DesktopinServices**
of domains the selection wasofknown as **Term
their inbound t
full **Note:** Discrepancies
Changing betweenthe timethe To```
time on the local
``` establish computer
Navigateand
the recommended to theonUI the Domain
None
configuration viaControllers
- this is
GP, theset default
thein following
your environment
behavior. UI path tomay `Adm c
- The PDC Emulator operations master at the root of the domain is authoritative for the organization. The
The recommended
This state for
policy setting allows thistosetting
users Computer
change is: the
`Administrators,
Configuration\Policies\Windows
size LOCALBy
of the pagefile. SERVICE`.
making theSettings\Security
pagefile extremely Settings\Local
large or extremely Policies\U sma
full This policy setting Users
allows who can cha
a process ```
```
toTo create
establish
an access Navigate
the recommended
token, which to the UI None
configuration
may provide - this
via is
elevated
GP, theset default
rights
the to behavior.
following
accessUI sensitive
path to data.`No O
This vulnerability becomes much more serious if an attacker is able to change the system time and then
The recommended
This policy setting A state
user for
determines this
account setting
thatComputer
whether isis:
users `Administrators`.
given can Configuration\Policies\Windows
this user right
create global has complete
objects that control Settings\Security
over the
are available system
to all Settings\Local
and can
sessions. Users lead canPolicies\U
to still
the creasys
full The recommended state for this setting ```
```is:
To `No One`.
establish Navigate to the
the recommended UI None - this
configuration via is
GP, theset default behavior.
the following UI path to `Adm
Users who can create The global
operating system
objects Computer
could examines
affectConfiguration\Policies\Windows
a user's access
processes that runtoken undertootherdetermine
Settings\Security
users' the level ofThis
sessions. Settings\Local
the user's
capability privileges.
Policies\U
could Ac
lead
full **Note:** This userUsers
right iswhoconsidered
can crea ```
To a establish
``` "sensitivethe privilege" for the
Navigate
recommended to purposes
the UI None
configurationof auditing.
- this
via is
GP, theset default behavior.
the following UI path to `No O
The recommended
This statetofor
user right is useful this setting
kernel-mode Computer
is: `Administrators,
components Configuration\Policies\Windows
LOCAL
that extend theSERVICE, NETWORK
object namespace. Settings\Security SERVICE,
However, Settings\Local
SERVICE`.
components Policies\U
that run in k
This policy setting determines which users can create symbolic links. In Windows Vista, existing NTFS file system objects,
full Users who have the ```
``` implement the recommended
To Navigate to theconfiguration
UI None - this is theconfigure
state, default behavior.
the following UI path:
**Note:**
The A Memberstate
recommended Server for with
this Microsoft
setting is: SQL
Computer Server
`No One`. _and_ its optional "Integration
Configuration\Policies\Windows Services" component
Settings\Security Settings\Local installed will req
Policies\U
Symbolic
This policylinks canprohibits
setting potentially expose
users fromsecurity
connecting vulnerabilities
to a computer in applications
from across that
theare not designed
network, which would to useallow them.usersFor thisto accereas
full This policy setting Users
determines who have whichthe ```
``` establish
user
To accountsthe Navigate
willrecommended
have to the
the right toUI Inyou
configuration
attach
If most cases
arevoke
debugger
via GP, there
this set
to
user willright,
any
the be no
following
process noimpact
one
or
UItowill
path
thebeto
kernel,
able
`Adm t
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\U
- **Level 1 - Domain Controller.** The recommended state for this setting is is:to`Administrators`.
include: `Guests`.
full The recommendedThe state **Debug
for this progra
setting ```
```is:
To `Administrators`.
establish Navigate to the
the recommended UI The service
configuration account
via GP, configurethat isthe used for theUI
following cluster
path:s
- **Level 1 - Member Server.** The recommended state for this setting is is:to`Administrators`
include: `Guests, andLocal (when the _Hyper-V_
account and member Roleoi
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\U
full **Note:**
This policyThis userUsers
setting right iswho
determines considered
can
which ```
To a establish
logaccounts
``` "sensitive privilege"
will the
not ablefortothe
beNavigate
recommended to purposes
log the
on UI Tools
configuration
to the of
If you auditing.
thatviaare
configure
computer GP, used
as the
set to manage
**Deny
a batch
the job.access
following processes
A batchUItopath
job istowill
not be
inclua
**Caution:** Configuring a standalone (non-domain-joined) server as described above may result in an inability to remotely
Computer Configuration\Policies\Windows If you Settings\Security
assign the **DenySettings\Local log on as a batch Policies\U
job** u
full user rightsetting
This security supersedes
Accounts
determinesthe
that**Log
hav To
which ```
on
```service
as a batch
establish job**
accounts
the Navigate
userprevented
recommended
are right,
to which
the UI could
configuration
from beviaused
registering GP,a to allow
process
set theaccounts
as
following
a service.to
UIschedule
path
Thistouser jobs
incluri
**Note:** The security identifier `Local account and member of Administrators group` is not available in Server 2008 R2 and
Computer Configuration\Policies\Windows For example,
Settings\Security
if you assign Settings\Local
this user right Policies\U
to the `
This policy setting determines whether users can log on as Remote Desktop clients. After the baseline Member Server is jo
full The recommended
This security settingAccounts
state for this
determines that which
setting
can To ```
```users
is to include:
establish the `Guests`.
are prevented Navigate
recommended to the
from logging UIonIf at
you
configuration assign
the theset
computer.
via GP, **Deny
This log onsetting
the policy
following asUIa path
supersedes
to inclu
**Note #2:** Configuring a Member Server or standalone server as described above may adversely affect applications that
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\U
- **Level 1 - Domain Controller.** The recommended state for this setting is: `Guests`.
full **Note:**
The This security
recommended Any
statesetting
account
for thisdoes
with not
setting ```
```apply
thTo is to the
to include:
establish the`System`,
`Guests`.
Navigate
recommended `Local
to theService`,
UI If youorassign
configuration `Network
via GP, Service`
theconfigure
**Deny log accounts.
theonfollowing
local UI path:
- **Level 1 - Member Server.** The recommended state for this setting is: `Guests, Local account`.
This policy setting allows users to change Computer Configuration\Policies\Windows
the Trusted for Delegation setting on aSettings\Security
computer object Settings\Local
in Active Directory. Policies\U
Abus
full **Important:** If youAny apply this security
account with t To ```policy to the
establish the`Everyone`
Navigategroup,
recommended to the noUIone
If you
configuration willassign
be
viaable
GP,theto log on log
**Deny
configure locally.
theonfollowing
throu UI path:
**Caution:** Configuring a standalone (non-domain-joined) server as described above may result in an inability to remotely
- **Level 1 - Domain Controller.** TheComputer recommended Configuration\Policies\Windows Settings\Security Settings\Local Policies\U
state for this setting is: `Administrators`.
full Misuse of the **En``` ``` Navigate to the UI None - this is the default behavior.
**Note:** The security identifier `Local account` is not available in Server 2008 R2 and Server 2012 (non-R2) unless [MSKB
- **Level 1 - Member Server.** The recommended Computer Configuration\Policies\Windows
state for this setting is: `No One`. Settings\Security Settings\Local Policies\U
```
**Note #2:** In all versions of Windows Server prior to Server 2008 R2, **Remote Desktop Services** was known as **Term
**Note:** This user right is considered a "sensitive privilege" for the purposes of auditing.
The policy setting allows programs that run on behalf of a user to impersonate that user (or another specified account) so t

This policy
Services setting
that determines
are started by thewhich
Service To Control
users establish
or processesthe recommended
Manager can
have generate configuration
audit
the built-in records
Service viainGP,
group set the
theadded
Securitybyfollowing
log.
default toUItheir
pathaccess
to `Adm to
This policy setting allows users to shut down Windows Vista-based and newer computers from remote locations on the net
The recommended state for this setting is: `LOCAL SERVICE, NETWORK SERVICE`.

Also, a user can impersonate an access token if any of the following conditions exist:

- The access token that is being impersonated is for this user.

Any user who can s

To establish the recommended configuration via GP, set the following UI path to `LOC

Navigate to the UI

If you remove the **Force shutdown fr

The recommended state for this setting is: `Administrators`.

```
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\U
```
- The user, in this logon session, logged on to the network with explicit credentials to create the access token.
- The requested level is less than Impersonate, such as Anonymous or Identify.

**Note:** This user right is considered a "sensitive privilege" for the purposes of auditing.

An attacker could u

To establish the recommended configuration via GP, configure the following UI path:

Navigate to the

On most computers, this is the defaul

```
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\U
```
**Note #2:** A Member Server that holds the _Web Server (IIS)_ Role with _Web Server_ Role Service will require a speci

An attacker with th

In most cases this configuration will

To establish the recommended configuration via GP, set the following UI path to `Adm

Navigate to the UI
An attacker with the **Impersonate a client after authentication** right could create a service, trick a client to make the

This policy setting determines whether users can increase the base user priority class of a process. (It is not a privileged operati

```
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\U
```
**Note #3:** A Member Server that holds the _Active Directory Federation Services_ Role will require a special exception t

This policy setting allows users to dynamically load a new device driver on a system. An attacker could potentially use this

A user who is assi

To establish the recommended configuration via GP, set the following UI path to `Adm

Navigate to the UI

None - this is the default behavior.
- **Level 1 - Domain Controller.** The recommended state for this setting is: `Administrators`.

The recommended state for this setting is: `Administrators, LOCAL SERVICE, NETWOR

```
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\U
```
- **Level 1 - Member Server.** The recommended state for this setting is: `Administrators`.

The recommended state for this setting is: `Administrators, LOCAL SERVICE, NETWORK S

Device drivers run

To establish the recommended configuration via GP, set the following UI path to `No O

Navigate to the UI

If you remove the **Load and unload d

This policy setting determines which users can change the auditing options for files and directories and clear the Security lo

This policy setting allows a process to keep data in physical memory, which prevents the system from paging the data to vi

```
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\U
```
**Note:** This user right is considered a "sensitive privilege" for the purposes of auditing.

Users with the **L

To establish the recommended configuration via GP, configure the following UI path:

Navigate to the UI

None - this is the default behavior.

For environments running Microsoft Exchange Server, the `Exchange Servers` group must possess this privilege on Doma

The recommended state for this setting is: `No One`.

```
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\U
```
**Note #2:** A Member Server with Microsoft SQL Server _and_ its optional "Integration Services" component installed will

The ability to man

To establish the recommended configuration via GP, set the following UI path to `No O

Navigate to the UI

None - this is the default behavior.

- **Level 1 - Domain Controller.** The recommended state for this setting is: `Administrators` and (when Exchange is runni

This privilege determines which user accounts can modify the integrity label of objects, such as files, registry keys, or proce

```
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\U
```

- **Level 1 - Member Server.** The recommended state for this setting is: `Administrators`.
This policy setting allows users to configure the system-wide environment variables that affect hardware configuration. This

By modifying the i

To establish the recommended configuration via GP, set the following UI path to `Adm

Navigate to the UI

None - this is the default behavior.

The recommended state for this setting is: `No One`.

```
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\U
```

**Note:** This user right is considered a "sensitive privilege" for the purposes of auditing.
The recommended state for this setting is: `Administrators`.

Anyone who is assi

To establish the recommended configuration via GP, set the following UI path to `Adm

Navigate to the UI

None - this is the default behavior.

This policy setting allows users to manage the system's volume or disk configuration, which could allow a user to delete a v

```
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\U
```
**Note:** This user right is considered a "sensitive privilege" for the purposes of auditing.

A user who is assi

To establish the recommended configuration via GP, set the following UI path to `Adm

Navigate to the UI

None - this is the default behavior.

The recommended state for this setting is: `Administrators`.

This policy setting determines which users can use tools to monitor the performance of non-system processes. Typically, y

```
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\U
```
This policy setting allows one process or service to start another service or process with a different security access token, w

The **Profile sing

To establish the recommended configuration via GP, set the following UI path to `Adm

Navigate to the UI

If you remove the **Profile single pr

The recommended state for this setting is: `Administrators`.

This policy setting allows users to use tools to view the performance of different system processes, which could be abused

```
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\U
```
The recommended state for this setting is: `LOCAL SERVICE, NETWORK SERVICE`.

The **Profile syst

To establish the recommended configuration via GP, set the following UI path to `LO

Navigate to the UI

None - this is the default behavior.

The recommended state for this setting is: `Administrators, NT SERVICE\WdiServiceHost`.

```
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\U
```
**Note:** This user right is considered a "sensitive privilege" for the purposes of auditing.

This policy setting determines which users can bypass file, directory, registry, and other persistent object permissions when

Users with the **R

To establish the recommended configuration via GP, set the following UI path to `Adm

Navigate to the UI

On most computers, this is the defaul

An attacker with the **Restore files and directories** user right could restore sensitive data to a compute

```
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\U
```
**Note #2:** A Member Server that holds the _Web Server (IIS)_ Role with _Web Server_ Role Service will require a speci

The recommended state for this setting is: `Administrators`.

To establish the recommended configuration via GP, set the following UI path to `Adm

Navigate to the UI

If you remove the **Restore files and
**Note:** Even if the following countermeasure is configured, an attacker could still restore data to a com

This policy setting determines which users who are logged on locally to the computers in your environment can shut down

The ability to shut down Domain Controllers and Member Servers should be limited to a very small numb

```
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\U
```
**Note #3:** A Member Server with Microsoft SQL Server installed will require a special exception to this recommendation

**Note:** This user right is considered a "sensitive privilege" for the purposes of auditing.

To establish the recommended configuration via GP, set the following UI path to `No O

Navigate to the UI

The impact of removing these default
The recommended state for this setting is: `Administrators`.

This security setting determines which users and groups have the authority to synchronize all directory service data. This is

When a Domain Controller is shut down, it is no longer available to process logons, serve Group Policy,

```
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\U
```
This policy setting allows users to take ownership of files, folders, registry keys, processes, or threads. This user right bypa

The **Synchronize

To establish the recommended configuration via GP, set the following UI path to `Adm

Navigate to the UI

None - this is the default behavior.

The recommended state for this setting is: `No One`.

```
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\U
```

The recommended state for this setting is: `Administrators`.

Any users with the

Navigate to the UI

None - this is the default behavior.

```
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\U
```

**Note:** This user right is considered a "sensitive privilege" for the purposes of auditing.

This section contains recommendations for security options.

This section contains recommendations related to the default accounts.

To establish the recommended configuration via GP, set the following UI path to `Use

Navigate to the UI Path articulated in the Remediation section and

This policy setting prevents users from adding new Microsoft accounts on this computer.
Organizations that

To establish the recommended configuration via GP, set the following UI path to `Ena

Navigate to the UI Path articulated in the Remediation section and

Users will not be able to log onto th

The recommended state for this setting is: `Users can't add or log on with Microsoft accounts`.

This policy setting determines whether local accounts that are not password protected can be used to log on from locations

```
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S
```

```
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curren
```
Blank passwords ar

To establish the recommended configuration via GP, configure the following UI path:

None - this is the default behavior.

The recommended state for this setting is: `Enabled`.

The Administrator account exists on all computers that run the Windows 2000 or later operating systems

```
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S
```

```
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
```
The built-in local

To establish the recommended configuration via GP, configure the following UI path:

Navigate to the UI

You will have to inform users who ar

The built-in Administrator account cannot be locked out, regardless of how many times an attacker migh

```
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S
```

The built-in local

The Guest account

Navigate to the UI

There should be little impact, becaus

This policy setting allows administrators to enable the more precise auditing capabilities present in Windows Vista.

```
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S
```
This section contains recommendations related to auditing controls.

To establish the recommended configuration via GP, set the following UI path to `Ena

Navigate to the UI Path articulated in the Remediation section and

The Audit Policy settings available in Windows Server 2003 Active Directory do not yet contain settings for managing the n
This policy setting determines whether the system shuts down if it is unable to log Security events. It is a requirement for T

Prior to the introd

To establish the recommended configuration via GP, set the following UI path to `Disa

Navigate to the UI Path articulated in the Remediation section and

None - this is the default behavior.

The recommended state for this setting is: `Enabled`.

```
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S
```

```
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
```
If the Audit: Shut down system immediately if unable to log security audits setting is enabled, unplanned system failures ca

If the computer is

None - this is the default behavior.

**Important:** Be very cautious about audit settings that can generate a large volume of traffic. For example, if you enable

```
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S
```

```
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
```
The recommended state for this setting is: `Disabled`.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This section contains recommendations related to managing devices.

To establish the recommended configuration via GP, set the following UI path to `Adm

Navigate to the UI Path articulated in the Remediation section and

This policy setting determines who is allowed to format and eject removable NTFS media. You can use this policy setting to
Users may be able to

For a computer to print to a shared printer, the driver for that shared printer must be installed on the local computer. This se

To establish the recommended configuration via GP, set the following UI path to `Ena

Navigate to the UI Path articulated in the Remediation section and

None - this is the default behavior.

The recommended state for this setting is: `Administrators`.

```
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S
```

```
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Cu
```

The recommended state for this setting is: `Enabled`.

It may be appropri

None - this is the default behavior.

```
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S
```

```
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Pri
```
**Note:** This setting does not affect the ability to add a local printer. This setting does not affect the Administrators.

This section contains recommendations related to Domain Controllers.

This policy setting determines whether members of the Server Operators group are allowed to submit jobs by means of the

Lightweight Directory Access Protocol (LDAP) server requires LDAP clients to n

To establish the recommended configuration via GP, set the following UI path to `Disa

Navigate to the UI Path articulated in the Remediation section and

**Note:** If you enable this

An AT Service Account can be modified to select a different account rather than the LOCAL SYSTEM account.

The recommended state for this setting is: `Require signing`.

To establish the recommended configuration via GP, set the following UI path to `Req

Navigate to the UI Path articulated in the Remediation section and

None - this is the default behavior.

Unsigned network traffic is susceptible to man-in-the-middle attacks. In such attacks, an intruder capture

```
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S
```

```
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
```
The recommended state for this setting is: `Disabled`.

**Note:** Domain member computers must have _Network security: LDAP signing requirements_ (Rule 2.3.11.8) set to `Ne

To establish the recommended configuration via GP, set the following UI path to `Disa

Navigate to the UI Path articulated in the Remediation section and

Unless TLS/SSL is being used, the L

Additionally, allowing the use of regular, unsigned LDAP permits credentials to be received over the netw

This security setting determines whether Domain Controllers will refuse requests from member computers to change comp

```
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S
```

```
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\N
```
**Note #2:** This policy setting does not have any impact on LDAP simple bind (`ldap_simple_bind`) or LDAP simple bind t

If you enable this

None - this is the default behavior.

The recommended state for this setting is: `Disabled`.

```
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S
```

```
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\N
```

**Note #3:** Before enabling this setting, you should first ensure that there are no clients (including server-based applicatio

None - this is the default behavior. However, onl
This section contains recommendations related to the domain membership.

To establish the recommended configuration via GP, set the following UI path to `Ena

Navigate to the UI Path articulated in the Remediation section and

This policy setting determines whether all secure channel traffic that is initiated by the domain member must be signed or e

When a computer joins a domain, a computer account is created. After it joins the domain, the computer

- The ability to create or delete trust relationships
To establish the recommended configuration via GP, set the following UI path to `Ena

Navigate to the UI Path articulated in the Remediation section and

- Logons from clients running versions of Window
The recommended state for this setting is: `Enabled`.

This policy setting determines whether a domain member should attempt to negotiate encryption for all secure channel traf

When a computer joins a domain, a computer account is created. After it joins the domain, the computer

Digital encryption and signing of the secure channel is a good idea where it is supported. The secure ch

- The ability to authenticate other domains' users

```
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S
```

```
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\N
```
To establish the recommended configuration via GP, set the following UI path to `Ena

Navigate to the UI Path articulated in the Remediation section and

None - this is the default behavior.
The recommended state for this setting is: `Enabled`.

This policy setting determines whether a domain member should attempt to negotiate whether all secure channel traffic tha

When a computer joins a domain, a computer account is created. After it joins the domain, the computer

Digital encryption and signing of the secure channel is a good idea where it is supported. The secure ch

You can enable this policy setting after you elimi

```
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S
```

```
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\N
```
To establish the recommended configuration via GP, set the following UI path to `Disa

Navigate to the UI Path articulated in the Remediation section and

None - this is the default behavior.
The recommended state for this setting is: `Enabled`.

This policy setting determines whether a domain member can periodically change its computer account password. Comput

Digital encryption and signing of the secure channel is a good idea where it is supported. The secure ch

```
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S
```

```
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\N
```
This policy setting determines the maximum allowable age for a computer account password. By default, domain members

The default config

To establish the recommended configuration via GP, set the following UI path to `30 o

None - this is the default behavior.

The recommended state for this setting is: `Disabled`.

```
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S
```

```
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\N
```
The recommended state for this setting is: `30 or fewer days, but not 0`.

When this policy setting is enabled, a secure channel can only be established with Domain Controllers that are capable of

In Active Director

To establish the recommended configuration via GP, set the following UI path to `Ena

Navigate to the UI Path articulated in the Remediation section and

None - this is the default behavior.

```
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S
```
**Note:** A value of `0` does not conform to the benchmark as it disables maximum password age.

To enable this policy setting, all Domain Controllers in the domain must be able to encrypt secure channel data with a stron

Session keys that

None - this is the default behavior.

```
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S
```

```
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\N
```
The recommended state for this setting is: `Enabled`.

This section contains recommendations related to interactive logons.

To establish the recommended configuration via GP, set the following UI path to `Ena

Navigate to the UI Path articulated in the Remediation section and

This policy setting determines whether the account name of the last user to log on to the client computers in your organizat
An attacker with a

To establish the recommended configuration via GP, set the following UI path to `Disa

Navigate to the UI Path articulated in the Remediation section and

The name of the last user to successf

The recommended state for this setting is: `Enabled`.

This policy setting determines whether users must press CTRL+ALT+DEL before they log on.

Microsoft developed this feature to make it easier for users with certain types of physical impairments to

```
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S
```

```
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curren
```
Windows notices inactivity of a logon session, and if the amount of inactive time exceeds the inactivity limit, then the screen

To establish the recommended configuration via GP, set the following UI path to `900

Navigate to the UI Path articulated in the Remediation section and

Users must press CTRL+ALT+DEL befor
The recommended state for this setting is: `Disabled`.

An attacker could install a Trojan horse program that looks like the standard Windows logon dialog box a

```
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S
```

```
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curren
```

The recommended state for this setting is: `900 or fewer second(s), but not 0`.

If a user forgets t

To establish the recommended configuration via GP, configure the following UI path to

Navigate to the UI Path articulated in the Remediation section and

The screen saver will automatically

Displaying a warning message before logon may help prevent an attack by warning the attacker about con

Users will have to acknowledge a dialog box th

```
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S
```

```
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curren
```
**Note:** A value of `0` does not conform to the benchmark as it disables the machine inactivity limit.

This policy settin

To establish the recommended configuration via GP, configure the following UI path to

Navigate to the UI Path articulated in the Remediation section and

**Note:** Any warning that you display should first be approved by your organization's legal and human

**Note:** Windows Vista and Windows XP Profe

```
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S
```

```
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curren
```
This policy setting

Displaying a warni

To establish the recommended configuration via GP, set the following UI path to a val

Navigate to the UI Path articulated in the Remediation section and

Users will have to acknowledge a dialog box with

This policy setting determines how far in advance users are warned that their password will expire. It is recommended that

If you select `Lock Workstation`, the workstation

```
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S
```

```
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curren
```
It is recommended

To establish the recommended configuration via GP, set the following UI path to `Lock

Navigate to the UI Path articulated in the Remediation section and

Users will see a dialog box prompt

The recommended state for this setting is: `between 5 and 14 days`.

This policy setting determines what happens when the smart card for a logged-on user is removed from the smart card rea

If you select `Force Logoff`, users are automatica

```
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S
```

```
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Cu
```
Users sometimes fo

The recommended state for this setting is: `Lock Workstation`.

Configuring this setting to `Disconnect if a Remote Desktop Se

The Microsoft network client will not communicat

If you select `Force Logoff` or `Disconnect if a

```
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S
```

```
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Cu
```
This section contains recommendations related to configuring the Microsoft network client.

This policy setting determines whether packet signing is required by the SMB client component.

To establish the recommended configuration via GP, set the following UI path to `Ena

Navigate to the UI Path articulated in the Remediation section and

Session hijacking uses tools that allow attackers who have access to the same network as the client or s

The Windows 2000 Server, Windows 2000 Profe

Enforcing this setting on computers used by peo

None - this is the default behavior.
**Note:** When Windows Vista-based computers have this policy setting enabled and they connect to file or print shares on

This policy setting determines whether the SMB client will attempt to negotiate SMB packet signing.

To establish the recommended configuration via GP, set the following UI path to `Ena

Navigate to the UI Path articulated in the Remediation section and

SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the ba

Session hijacking uses tools that allow attackers who have access to the same network as the client or s

The Windows 2000 Server, Windows 2000 Profe

Implementation of SMB signing may negatively a

```
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S
```

```
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\La
```
The recommended state for this setting is: `Enabled`.

**Note:** Enabling this policy setting on SMB clients on your network makes them fully effective for packet signing with all c

This policy setting determines whether the SMB redirector will send plaintext passwords during authentication to third-party

To establish the recommended configuration via GP, set the following UI path to `Disa

Navigate to the UI Path articulated in the Remediation section and

SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the ba

When SMB signing policies are enabled on Dom

Implementation of SMB signing may negatively a

None - this is the default behavior.

```
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S
```

```
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\La
```
The recommended state for this setting is: `Enabled`.

It is recommended that you disable this policy setting unless there is a strong business case to enable it. If this policy settin

If you enable this

When SMB signing policies are enabled on Dom

Some very old applications and operating system

```
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S
```

```
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\La
```
The recommended state for this setting is: `Disabled`.

This section contains recommendations related to configuring the Microsoft network server.

This policy setting allows you to specify the amount of continuous idle time that must pass in an SMB session before the se

To establish the recommended configuration via GP, set the following UI path to `15 o

Navigate to the UI Path articulated in the Remediation section and

The Microsoft network server will not communica
A value of 0 appears to allow sessions to persist indefinitely. The maximum value is 99999, which is over 69 days; in effect

Each SMB session c

To establish the recommended configuration via GP, set the following UI path to `Ena

Navigate to the UI Path articulated in the Remediation section and

There will be little impact because SM
This policy setting determines whether packet signing is required by the SMB server component.

Session hijacking uses tools that allow attackers who have access to the same network as the client or s

The Windows 2000 Server, Windows 2000 Profe

The Microsoft network server will negotiate SMB

Enable this policy setting

```
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S
```

```
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\La
```
The recommended state for this setting is: `15 or fewer minute(s), but not 0`.

This policy setting determines whether the SMB server will negotiate SMB packet signing with clients that request it. If no s

To establish the recommended configuration via GP, set the following UI path to `Ena

Navigate to the UI Path articulated in the Remediation section and
The recommended state for this setting is: `Enabled`.

This policy setting determines which registry paths and sub-paths will be accessible over the network, regardless of the use

SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the ba

Session hijacking uses tools that allow attackers who have access to the same network as the client or s

The Windows 2000 Server, Windows 2000 Profe

Implementation of SMB signing may negatively a

```
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S
```

```
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\La
```
**Note:** Enable this policy setting on SMB clients on your network to make them fully effective for packet signing with all c

This security setting determines whether to disconnect users who are connected to the local computer outside their user ac

To establish the recommended configuration via GP, set the following UI path to `Ena

Navigate to the UI Path articulated in the Remediation section and
**Note:** In Windows XP this setting is called "Network access: Remotely accessible registry paths," the setting with that

SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the ba

When SMB signing policies are enabled on Dom

Implementation of SMB signing may negatively a

```
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S
```

```
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\La
```
The recommended state for this setting is: `Enabled`.

If your organization configures logon hours for users, this policy setting is necessary to ensure they are effective. I

If your organizati

None - this is the default behavior.

**Note #2:** When you configure this setting you specify a list of one or more objects. The delimiter used when entering the

When SMB signing policies are enabled on Dom

```
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S
```

```
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\La
```
The recommended state for this setting is: `Enabled`.

This section contains recommendations related to network access.

To establish the recommended configuration via GP, set the following UI path to `Disa

To establish the recommended configuration via GP, set the following UI path to: `Sys

This policy setting determines whether an anonymous user can request security identifier (SID) attributes for another user,

The recommended state for this setting is:

```
System\CurrentControlSet\Services\Eventlog
```
This policy setting determines which registry paths will be accessible over the network, regardless of the users or groups lis

If this policy set

To establish the recommended configuration via GP, set the following UI path to `Disa

Navigate to the UI

None - this is the default behavior.
This policy setting determines which communication sessions, or pipes, will have attributes and permissions that allow ano

```
Software\Microsoft\OLAP Server
```

The recommended state for this setting is: `Disabled`.

This policy setting determines what additional permissions are assigned for anonymous connections to the computer.

```
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S
```

```
Software\Microsoft\Windows NT\CurrentVersion\Print
```
full **Note:** This setting An does
unauthorized
System\CurrentControlSet\Control\Print\Printers ```
not existuinTo ``` establishXP.
Windows theThere ``` was atosetting
recommended
Navigate the None
configuration
UIwithPaththat - this
via is
articulated
name GP, the default
in configure
in behavior.
the Remediation
Windows the
XP,following
but it section UI path:
is called and"Ne
The recommended state for this setting is:
`Software\Microsoft\Windows NT\CurrentVersion\Windows`

The recommended state for this setting is: `Disabled`.

`System\CurrentControlSet\Services\Eventlog`

To establish the recommended configuration via GP, set the following UI path to: `Sys…`

`Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S…`

`HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa`

`System\CurrentControlSet\Control\ContentIndex`

full **Note #2:** When you configure this setting you specify a list of one or more objects. The delimiter used when entering the …

Limiting named pip…

Null session access over the null sessio…

`Software\Microsoft\OLAP Server`

`System\CurrentControlSet\Control\Server Applications`

Navigate to the UI Path articulated in the Remediation section and …

None - this is the default behavior. If you choose …
- **Level 1 - Domain Controller.** The recommended state for this setting is: `LSARPC, NETLOGON, SAMR` and (when th…
- **Level 1 - Member Server.** The recommended state for this setting is: `` (i.e. None), or (when the legacy _Computer Br…

`System\CurrentControlSet\Control\Terminal Server`

`Software\Microsoft\Windows NT\CurrentVersion\Print`

`Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S…`

`HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\La…`

`Software\Microsoft\Windows NT\CurrentVersion`

None - this is the default behavior. However, if yo…

`System\CurrentControlSet\Control\Terminal Server\UserConfig`

full The recommended state for this setting is: …

The registry …

`Software\Microsoft\Windows NT\CurrentVersion\Windows`

Navigate to the UI Path articulated in the Remediation section and …

- COMNAP: SNA session access

`System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration`

`System\CurrentControlSet\Control\ContentIndex`

When enabled, this policy setting restricts anonymous access to only those shares and pipes that are named in the `Netwo…`

None - this is the default behavior. However, if yo…

`HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Se…`

**Note:** If you want to allow remote access, you …

- COMNODE: SNA session access

**Note:** A Member Server that holds the _Remote Desktop Services_ Role with _Remote Desktop Licensing_ Role Servic…

`Software\Microsoft\Windows NT\CurrentVersion\Perflib`
full The registry contai…

`System\CurrentControlSet\Control\Terminal Server`

To establish the recommended configuration via GP, set the following UI path to `Ena…`

`Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S…`

Navigate to the UI Path articulated in the Remediation section and …

- SQL\\QUERY: SQL instance access

`System\CurrentControlSet\Services\SysmonLog`

`System\CurrentControlSet\Control\ProductOptions`

`System\CurrentControlSet\Control\Terminal Server\UserConfig`

`HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters`

`HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Se…`

**Note:** If you want to allow remote access, you …

- SPOOLSS: Spooler service

full Null sessions are …

`System\CurrentControlSet\Control\Server Applications`

`System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration`

To establish the recommended configuration via GP, set the following UI path to `` (i.e…

Navigate to the UI Path articulated in the Remediation section and …

- LLSRPC: License Logging service

`Software\Microsoft\Windows NT\CurrentVersion`

This policy setting determines which network shares can be accessed by anonymous users. The default configuration for th…

… registry key. This registry value toggles null session shares on or off to control whether the server service restricts unauthe…

`Software\Microsoft\Windows NT\CurrentVersion\Perflib`

`Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S…`

`HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\La…`

- NETLOGON: Net Logon service
full This policy setting determines how network logons that use local accounts are authenticated. The Classic option allows pre…

It is very dangero…

`System\CurrentControlSet\Services\SysmonLog`

To establish the recommended configuration via GP, set the following UI path to `Clas…`

Navigate to the UI Path articulated in the Remediation section and …

- LSARPC: LSA access

None - this is the default behavior.

The recommended state for this setting is: `` (i.e. None).

- SAMR: Remote access to SAM objects

`Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S…`

`HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\La…`
When a server holds the _Active Directory Certificate Services_ Role with _Certificatio
full The recommended state for this setting is: `Classic - local users authenticate as themselves`.

With the Guest onl…

… the servers that hold the _Active Directory Certificate Services_ Role with _Certification Authority_ …

- BROWSER: Computer Browser service

None - this is the default configurat…

`Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S…`

`HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa`

When a server has the _WINS Server_ Feature installed, the above list should also in…

accepted This section contains recommendations related to network security.

**Note:** This setting does not affect interactive logons that are performed remotely by using such services as Telnet or Re…

Previous to the release of Windows Server 2003 …

`System\CurrentControlSet\Services\CertSvc`

`System\CurrentControlSet\Services\WINS`
The recommended state for servers that have the _WINS Server_ Feature installed includes the above list and:

```
System\CurrentControlSet\Services\WINS
To establish the recommended configuration via GP, set the following UI path to `Ena…`

Navigate to the UI Path articulated in the Remediation section and …
This policy setting determines whether Local System services that use Negotiate when reverting to NTLM authentication ca
full This setting determines if online identities are able to authenticate to this computer.

When connecting to … Services running as Local System tha…

To establish the recommended configuration via GP, set the following UI path to `Disa…`

Navigate to the UI Path articulated in the Remediation section and …

This policy setting determines whether NTLM is allowed to fall back to a NULL session when used with LocalSystem.

The recommended state for this setting is: `Enabled`.

`Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S…`

`HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa`
full The Public Key Cryptography Based User-to-User (PKU2U) protocol introduced in Windows 7 and Windows Server 2008 R…

NULL sessions are … Any applications that require NULL s…

To establish the recommended configuration via GP, set the following UI path to `Disa…`

Navigate to the UI Path articulated in the Remediation section and …

The recommended state for this setting is: `Disabled`.

`Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S…`

`HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa`
full This policy setting allows you to set the encryption types that Kerberos is allowed to use.

With PKU2U, a new extension was introduced to the Negotiate authentication package, `Spnego.dll`. In previous versions o…

The PKU2U protoco…

To establish the recommended configuration via GP, set the following UI path to `AES…`

Navigate to the UI Path articulated in the Remediation section and …

None - this is the default configurat…

If not selected, the encryption type will not be allo…

`Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S…`

`HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa`
full This policy setting determines whether the LAN Manager (LM) hash value for the new password is stored when the passwo…

When computers are configured to accept authentication requests by using online IDs, `Negoexts.dll` calls the PKU2U SSP …

The strength of ea…

The recommended state for this setting is: `AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types`.

To establish the recommended configuration via GP, set the following UI path to `Ena…`

Navigate to the UI Path articulated in the Remediation section and …

LAN Manager (LM) was a family of early Microsoft client/server software (predating Windows NT) that allowed users to link …

**Note:** Windows Server 2008 (non-R2) and be…

`Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S…`

`HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curren…`
full This policy setting determines whether to disconnect users who are connected to the local computer outside their user acco…

**Note:** Older operating systems and some third-party applications may fail when this policy setting is enabled. Also, note …

Some legacy applications and OSes may require `RC4_HMAC_MD5` -- we recommend you test in your environm…

The SAM file can b…

The recommended state for this setting is: `Disabled`.

None - this is the default behavior.

To establish the recommended configuration via GP, set the following UI path to `Ena…`

- Join a domain

`Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S…`

`HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa`
not_scored - Authenticate between Active Directory forests

The recommended state for this setting is: `Enabled`.

If this setting is …

None - this is the default behavior.

To establish the recommended configuration via GP, set the following UI path to: `Sen…`

Navigate to the UI Path articulated in the Remediation section and …

- Authenticate to down-level domains

Windows 2000 and Windows XP clients were configured by default to send LM and NTLM authentication …

Clients use NTLMv2 authentication only and use …

`Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S…`
full - Authenticate to computers that do not run Windows 2000, Windows Server 2003, or Windows XP

**Note:** This recommendation is unscored because there is not a documented registry value that corresponds to it. We st…

This policy setting determines the level of data signing that is requested on behalf of clients that issue LDAP BIND requests …

To establish the recommended configuration via GP, set the following UI path to `Neg…`

Navigate to the UI Path articulated in the Remediation section and …

- Authenticate to computers that are not in the domain

The Windows 95, Windows 98, and Windows NT operating systems cannot use the Kerberos version 5 …

**Note:** For information about a hotfix to ensure …

`Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S…`

`HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa`
full **Note:** This policy setting does not have any impact on LDAP simple bind (`ldap_simple_bind`) or LDAP simple bind thro…

Unsigned network t…

To establish the recommended configuration via GP, set the following UI path to `Req…`

Navigate to the UI Path articulated in the Remediation section and …

None - this is the default behavior.

The Network security: LAN Manager authentication level setting determines which challenge/response authentication proto…

This policy setting determines which behaviors are allowed by clients for applications using the NTLM Security Support Pro…

`Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S…`

`HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LD…`
full This policy setting determines which behaviors are allowed by servers for applications using the NTLM Security Support Pr…

The recommended state for this setting is: `Negotiate signing`.

You can enable bot…

Configuring this setting to `Require signing` … also conforms …

NTLM connections will fail if NTLMv2 …

To establish the recommended configuration via GP, set the following UI path to `Req…`

Navigate to the UI Path articulated in the Remediation section and …

The recommended state for this setting is: `Require NTLMv2 session security, Require 128-bit encryption`.

The recommended state for this setting is: `Send NTLMv2 response only. Refuse LM & NTLM`.

`Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S…`

`HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa`

**Note:** These …
full You can enable all …

The recommended state for this setting is: `Require NTLMv2 session security, Require 128-bit encryption`.

NTLM connections will fail if NTLMv2 …

`Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S…`

`HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa`

accepted This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

**Note:** These values are dependent on the _Network security: LAN Manager Authentication Level_ security setting value.

accepted This section contains recommendations related to the Windows shutdown functionality.

This policy setting determines whether a computer can be shut down when a user is not logged on. If this policy setting is e…

To establish the recommended configuration via GP, set the following UI path to `Disa…`

Navigate to the UI Path articulated in the Remediation section and …

full Users who can acce…

The recommended state for this setting is: `Disabled`.

None - this is the default behavior.

`Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S…`

`HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curren…`

accepted This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

**Note:** In Server 2008 R2 and older versions, this setting had no impact on Remote Desktop (RDP) / Terminal Services s…

accepted This section contains recommendations related to system objects.

To establish the recommended configuration via GP, set the following UI path to `Ena…`

Navigate to the UI Path articulated in the Remediation section and …
This policy setting determines whether case insensitivity is enforced for all subsystems. The Microsoft Win32 subsystem is
full Because Windows is …

To establish the recommended configuration via GP, set the following UI path to `Ena…`

Navigate to the UI Path articulated in the Remediation section and …

None - this is the default behavior.

This policy setting determines the strength of the default discretionary access control list (DACL) for objects. Active Directo…

The recommended state for this setting is: `Enabled`.

`Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S…`

`HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Se…`

full This setting deter…

None - this is the default behavior.

The recommended state for this setting is: `Enabled`.

`Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S…`

`HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Se…`

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
One of the risks that the User Account Control feature introduced with Windows Vista is trying to mitigate
accepted This section contains recommendations related to User Account Control.

To establish the recommended configuration via GP, set the following UI path to `Ena…`

Navigate to the UI Path articulated in the Remediation section and …
This policy setting controls the behavior of Admin Approval Mode for the built-in Administrator account.
- If the computer is not joined to a domain, the first user account you create has the equivalent permissio
full To establish the recommended configuration via GP, set the following UI path to `Disa…`

Navigate to the UI Path articulated in the Remediation section and …

The built-in Administrator account u…
- If the computer is joined to a domain, no local administrator accounts are created. The Enterprise or Do
This policy setting controls whether User Interface Accessibility (UIAccess or UIA) programs can automatically disable the …

The recommended state for this setting is: `Enabled`.

`Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S…`

`HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curren…`
full One of the risks t…

To establish the recommended configuration via GP, set the following UI path to `Prom…`

Navigate to the UI Path articulated in the Remediation section and …

None - this is the default behavior.
Once Windows is installed, the built-in Administrator account may be manually enabled, but we strongly
This policy setting controls the behavior of the elevation prompt for administrators.

The recommended state for this setting is: `Disabled`.

`Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S…`

`HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curren…`
full One of the risks t…

To establish the recommended configuration via GP, set the following UI path to `Auto…`

Navigate to the UI Path articulated in the Remediation section and …

When an operation (including executio…
This policy setting controls the behavior of the elevation prompt for standard users.

The recommended state for this setting is: `Prompt for consent on the secure desktop`.

When an operation requires elevation of privilege …

`Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S…`

`HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curren…`
full This policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity l…

One of the risks t…

To establish the recommended configuration via GP, set the following UI path to `Ena…`

Navigate to the UI Path articulated in the Remediation section and …
This policy setting controls the behavior of application installation detection for the computer.

The recommended state for this setting is: `Automatically deny elevation requests`.

UIAccess Integrity allows an application to bypass User Interface Privilege Isolation (UIPI) restrictions w…

**Note:** With this setting configured as recomm…

`Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S…`

`HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curren…`
full - `…\Program Files\`, including subfolders

Some malicious sof…

To establish the recommended configuration via GP, set the following UI path to `Ena…`

Navigate to the UI Path articulated in the Remediation section and …

When an application installation pack…

- `…\Windows\system32\`

- To set the foreground window.

The recommended state for this setting is: `Enabled`.

`Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S…`

`HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curren…`
full - `…\Program Files (x86)\`, including subfolders (for 64-bit versions of Windows)

This policy setting controls the behavior of all User Account Control (UAC) settings for the computer. If you change th…

- To drive any application window using SendInput function.

To establish the recommended configuration via GP, set the following UI path to `Ena…`

Navigate to the UI Path articulated in the Remediation section and …

None - this is the default behavior.

- To use read input for all integrity levels using low-level hooks, raw input, GetKeyState, GetAsyncKeySt…

`Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S…`

`HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curren…`
full **Note:** Windows enforces a public key infrastructure (PKI) signature check on any interactive application that requests to …

- To set journal hooks.

The recommended state for this setting is: `Enabled`.

To establish the recommended configuration via GP, set the following UI path to `Ena…`

Navigate to the UI Path articulated in the Remediation section and …

None - this is the default behavior.
This policy setting controls whether application write failures are redirected to defined registry and file system locations. Th
This policy setting controls whether the elevation request prompt is displayed on the interactive user's desktop or the secur…

- To use AttachThreadInput to attach a thread to a higher integrity input queue.

`Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S…`

`HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curren…`
full **Note:** If this policy setting is disabled, the Security Center notifies you that the overall security of the operating system h…

The recommended state for this setting is: `Enabled`.

To establish the recommended configuration via GP, set the following UI path to `Ena…`

Navigate to the UI Path articulated in the Remediation section and …

None - this is the default behavior.
- `%ProgramFiles%`
- `%Windir%`
- `%Windir%\system32`
- `HKEY_LOCAL_MACHINE\Software`

The recommended state for this setting is: `Enabled`.

`Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S…`

`HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curren…`

full This setting reduce…

None - this is the default behavior.

The recommended state for this setting is: `Enabled`.

`Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S…`

`HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curren…`

accepted This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
accepted This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

accepted This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

accepted This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

accepted This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

accepted This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
accepted This section contains recommendations for configuring the Windows Firewall.

accepted This section contains recommendations for the Domain Profile of the Windows Firewall.

To establish the recommended configuration via GP, set the following UI path to `On (…`

Navigate to the UI Path articulated in the Remediation section and …
Select On (recommended) to have Windows Firewall with Advanced Security use the settings for this profile to filter networ
full If the firewall is …

To establish the recommended configuration via GP, set the following UI path to `Blo…`

Navigate to the UI Path articulated in the Remediation section and …

None - this is the default behavior.

This setting determines the behavior for inbound connections that do not match an inbound firewall rule.

The recommended state for this setting is: `On (recommended)`.

`Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewa…`

`HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window…`
full If the firewall al…

To establish the recommended configuration via GP, set the following UI path to `Allo…`

Navigate to the UI Path articulated in the Remediation section and …

None - this is the default behavior.

This setting determines the behavior for outbound connections that do not match an outbound firewall rule.

The recommended state for this setting is: `Block (default)`.

`Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewa…`

`HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window…`
full Select this option to have Windows Firewall with Advanced Security display notifications to the user when a program is bloc…

Some people believ…

To establish the recommended configuration via GP, set the following UI path to `No`:

Navigate to the UI Path articulated in the Remediation section and …

None - this is the default behavior.

The recommended state for this setting is: `Allow (default)`.

`Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewa…`

`HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window…`
full The recommended state for this setting is: `No`.

Firewall notificat…

Windows Firewall will not display a notification w…

To establish the recommended configuration via GP, set the following UI path to `%SY…`

Navigate to the UI Path articulated in the Remediation section and …

Use this option to specify the path and name of the file in which Windows Firewall will write its log information.

`Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewa…`

`HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window…`
full **Note:** When the `Apply local firewall rules` setting is configured to `No`, it's recommended to also configure the `Display …

If events are not …

To establish the recommended configuration via GP, set the following UI path to `16,3…`

Navigate to the UI Path articulated in the Remediation section and …

The log file will be stored in the specif…

Use this option to specify the size limit of the file in which Windows Firewall will write its log information.

The recommended state for this setting is: `%SYSTEMROOT%\System32\logfiles\firewall\domainfw.log`.

`Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewa…`

`HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window…`
full If events are not …

To establish the recommended configuration via GP, set the following UI path to `Yes`

Navigate to the UI Path articulated in the Remediation section and …

The log file size will be limited to t…

Use this option to log when Windows Firewall with Advanced Security discards an inbound packet for any reason. The log …

The recommended state for this setting is: `16,384 KB or greater`.

`Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewa…`

`HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window…`
full If events are not …

To establish the recommended configuration via GP, set the following UI path to `Yes`

Navigate to the UI Path articulated in the Remediation section and …

Information about dropped packets will …

Use this option to log when Windows Firewall with Advanced Security allows an inbound connection. The log records why a…

The recommended state for this setting is: `Yes`.

`Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewa…`

`HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window…`

full If events are not …

Information about successful connectio…

The recommended state for this setting is: `Yes`.

`Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewa…`

`HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window…`
accepted This section contains recommendations for the Private Profile of the Windows Firewall.

To establish the recommended configuration via GP, set the following UI path to `On (…`

Navigate to the UI Path articulated in the Remediation section and …
Select On (recommended) to have Windows Firewall with Advanced Security use the settings for this profile to filter networ
full If the firewall is …

To establish the recommended configuration via GP, set the following UI path to `Blo…`

Navigate to the UI Path articulated in the Remediation section and …

None - this is the default behavior.

This setting determines the behavior for inbound connections that do not match an inbound firewall rule.

The recommended state for this setting is: `On (recommended)`.

`Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewa…`

`HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window…`
full If the firewall al…

This setting determines the behavior for outbound connections that do not match an outbound firewall rule.

To establish the recommended configuration via GP, set the following UI path to `Allo…`

Navigate to the UI Path articulated in the Remediation section and …

None - this is the default behavior.

The recommended state for this setting is: `Block (default)`.

`Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewa…`

`HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window…`
full Select this option to have Windows Firewall with Advanced Security display notifications to the user when a program is bloc…

Some people believ…

The recommended state for this setting is: `Allow (default)`.

To establish the recommended configuration via GP, set the following UI path to `No`:

Navigate to the UI Path articulated in the Remediation section and …

None - this is the default behavior.

`Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewa…`

`HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window…`
full **Note:** If you set Outbound connections to Block and then deploy the firewall policy by using a GPO, computers that rece…

The recommended state for this setting is: `No`.

Firewall notificat…

Windows Firewall will not display a notification w…

To establish the recommended configuration via GP, set the following UI path to `%SY…`

Navigate to the UI Path articulated in the Remediation section and …

Use this option to specify the path and name of the file in which Windows Firewall will write its log information.

`Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewa…`

`HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window…`
full **Note:** When the `Apply local firewall rules` setting is configured to `No`, it's recommended to also configure the `Display …

If events are not …

To establish the recommended configuration via GP, set the following UI path to `16,3…`

Navigate to the UI Path articulated in the Remediation section and …

The log file will be stored in the specif…

Use this option to specify the size limit of the file in which Windows Firewall will write its log information.

The recommended state for this setting is: `%SYSTEMROOT%\System32\logfiles\firewall\privatefw.log`.

`Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewa…`

`HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window…`
full If events are not …

To establish the recommended configuration via GP, set the following UI path to `Yes`

Navigate to the UI Path articulated in the Remediation section and …

The log file size will be limited to t…

Use this option to log when Windows Firewall with Advanced Security discards an inbound packet for any reason. The log …

The recommended state for this setting is: `16,384 KB or greater`.

`Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewa…`

`HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window…`
full If events are not …

To establish the recommended configuration via GP, set the following UI path to `Yes`

Navigate to the UI Path articulated in the Remediation section and …

Information about dropped packets will …

Use this option to log when Windows Firewall with Advanced Security allows an inbound connection. The log records why a…

The recommended state for this setting is: `Yes`.

`Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewa…`

`HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window…`

full If events are not …

Information about successful connectio…

The recommended state for this setting is: `Yes`.

`Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewa…`

`HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window…`
accepted This section contains recommendations for the Public Profile of the Windows Firewall.

To establish the recommended configuration via GP, set the following UI path to `On (…`

Navigate to the UI Path articulated in the Remediation section and …
Select On (recommended) to have Windows Firewall with Advanced Security use the settings for this profile to filter networ
full If the firewall is

To establish the recommended configuration via GP, set the following UI path to `Blo

Navigate to the UI Path articulated in the Remediation section and

None - this is the default behavior.
This setting determines the behavior for inbound connections that do not match an inbound firewall rule.

The recommended state for this setting is: `On (recommended)`.

Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewa

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
full If the firewall al

This setting determines the behavior for outbound connections that do not match an outbound firewall rule.

To establish the recommended configuration via GP, set the following UI path to `Allo

Navigate to the UI Path articulated in the Remediation section and

None - this is the default behavior.
The recommended state for this setting is: `Block (default)`.

Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewa

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
full Some people believ

The recommended state for this setting is: `Allow (default)`.

To establish the recommended configuration via GP, set the following UI path to 'No':

Navigate to the UI Path articulated in the Remediation section and

None - this is the default behavior.
Select this option to have Windows Firewall with Advanced Security display notifications to the user when a program is bloc

Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewa

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
full Some organizations

**Note:** If you set Outbound connections to Block and then deploy the firewall policy by using a GPO, computers that rece

This setting controls whether local administrators are allowed to create local firewall rules that apply together with firewall wru

Windows Firewall will not display a notification

To establish the recommended configuration via GP, set the following UI path to `No`:

Navigate to the UI Path articulated in the Remediation section and
The recommended state for this setting is: `No`.

Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewa

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
full When in the Public

The recommended state for this setting is: `No`.

To establish the recommended configuration via GP, set the following UI path to `No`:

Navigate to the UI Path articulated in the Remediation section and

Administrators can still create firewall
This setting controls whether local administrators are allowed to create connection security rules that apply together with co

Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewa

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
full Users with adminis

**Note:** When the `Apply local firewall rules` setting is configured to `No`, it's recommended to also configure the `Display

To establish the recommended configuration via GP, set the following UI path to `%SY

Navigate to the UI Path articulated in the Remediation section and

Administrators can still create local c
The recommended state for this setting is: `No`.

Use this option to specify the path and name of the file in which Windows Firewall will write its log information.

Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewa

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
full If events are not

To establish the recommended configuration via GP, set the following UI path to `16,3

Navigate to the UI Path articulated in the Remediation section and

The log file will be stored in the specif
The recommended state for this setting is: `%SYSTEMROOT%\System32\logfiles\firewall\publicfw.log`.

Use this option to specify the size limit of the file in which Windows Firewall will write its log information.

Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewa

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
full If events are not

To establish the recommended configuration via GP, set the following UI path to `Yes

Navigate to the UI Path articulated in the Remediation section and

The log file size will be limited to t
Use this option to log when Windows Firewall with Advanced Security discards an inbound packet for any reason. The log

The recommended state for this setting is: `16,384 KB or greater`.

Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewa

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
full If events are not

To establish the recommended configuration via GP, set the following UI path to `Yes

Navigate to the UI Path articulated in the Remediation section and

Information about dropped packets will
Use this option to log when Windows Firewall with Advanced Security allows an inbound connection. The log records why a

The recommended state for this setting is: `Yes`.

Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewa

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
full If events are not

Information about successful connectio

The recommended state for this setting is: `Yes`.

Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewa

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
accepted This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

accepted This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

accepted This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

accepted This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
accepted This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

accepted This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

accepted This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

accepted This section contains recommendations for configuring the Windows audit facilities.
This subcategory reports the results of validation tests on credentials submitted for a user account logon request. These ev

accepted This section contains recommendations for configuring the Account Logon audit policy.

To establish the recommended configuration via GP, set the following UI path to `Suc

- 4774: An account was mapped for logon.
- 4775: An account could not be mapped for logon.
- 4776: The Domain Controller attempted to validate the credentials for an account.
- 4777: The Domain Controller failed to validate the credentials for an account.

This subcategory reports each event of distribution group management, such as when a distribution group is created, chan

full Auditing these eve

Navigate to the UI

If no audit settings are configured,

This policy setting allows you to audit events generated by changes to application groups such as the following:

- 4744: A security-disabled local group was created.

Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit
accepted This section contains recommendations for configuring the Account Management audit policy.

- 4745: A security-disabled local group was changed.

To establish the recommended configuration via GP, set the following UI path to `Suc

- Application group is created, changed, or deleted.

This subcategory reports each event of security group management, such as when a security group is created, changed, o

- 4746: A member was added to a security-disabled local group.

This subcategory reports each event of computer account management, such as when a computer account is created, cha

- Member is added or removed from an application group.

The recommended state for this setting is: `Success and Failure`.
full Auditing events in

- 4747: A member was removed from a security-disabled local group.

To establish the recommended configuration via GP, set the following UI path to `Suc

Navigate to the UI

If no audit settings are configured,

- 4727: A security-enabled global group was created.

This subcategory reports each event of user account management, such as when a user account is created, changed, or d

- 4748: A security-disabled local group was deleted.
- 4741: A computer account was created.

Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit

- 4728: A member was added to a security-enabled global group.

Application groups are utilized by Windows Authorization Manager, which is a flexible framework created by Microsoft for in
full Auditing events in

- 4742: A computer account was changed.
- 4749: A security-disabled global group was created.

To establish the recommended configuration via GP, set the following UI path to `Suc

Navigate to the UI

If no audit settings are configured,

- 4729: A member was removed from a security-enabled global group.
- 4720: A user account was created.
- 4743: A computer account was deleted.
- 4750: A security-disabled global group was changed.

Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit
The recommended state for this setting is: `Success and Failure`.

This subcategory reports other account management events. Events for this subcategory include:

- 4730: A security-enabled global group was deleted.
- 4722: A user account was enabled.
full Auditing these eve

- 4751: A member was added to a security-disabled global group.

To establish the recommended configuration via GP, set the following UI path to `Suc

Navigate to the UI

If no audit settings are configured,

- 4731: A security-enabled local group was created.
- 4723: An attempt was made to change an account's password.
- 4752: A member was removed from a security-disabled global group.

The recommended state for this setting is: `Success and Failure`.

Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit

- 4782: The password hash an account was accessed.
- 4732: A member was added to a security-enabled local group.
- 4724: An attempt was made to reset an account's password.
full Auditing these eve

- 4753: A security-disabled global group was deleted.

To establish the recommended configuration via GP, set the following UI path to `Suc

Navigate to the UI

If no audit settings are configured,

- 4793: The Password Policy Checking API was called.
- 4733: A member was removed from a security-enabled local group.
- 4725: A user account was disabled.
- 4759: A security-disabled universal group was created.

Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit

- 4734: A security-enabled local group was deleted.
- 4726: A user account was deleted.
full Auditing these eve

- 4760: A security-disabled universal group was changed.

To establish the recommended configuration via GP, set the following UI path to `Suc

Navigate to the UI

If no audit settings are configured,

- 4735: A security-enabled local group was changed.
- 4738: A user account was changed.

The recommended state for this setting is: `Success and Failure`.

- 4761: A member was added to a security-disabled universal group.

Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit

- 4740: A user account was locked out.
- 4737: A security-enabled global group was changed.
full Auditing these eve

- 4762: A member was removed from a security-disabled universal group.

Navigate to the UI

If no audit settings are configured,

- 4765: SID History was added to an account.
- 4754: A security-enabled universal group was created.

This subcategory reports the creation of a process and the name of the program or user that created it. Events for this subc

- 4763: A security-disabled universal group was deleted.

Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit

- 4766: An attempt to add SID History to an account failed.
- 4755: A security-enabled universal group was changed.
accepted This section contains recommendations for configuring the Detailed Tracking audit policy.

To establish the recommended configuration via GP, set the following UI path to `Suc

- 4756: A member was added to a security-enabled universal group.
- 4767: A user account was unlocked.
- 4688: A new process has been created.

The recommended state for this setting is: `Success and Failure`.

- 4757: A member was removed from a security-enabled universal group.
- 4780: The ACL was set on accounts which are members of administrators groups.
- 4696: A primary token was assigned to process.
full Auditing these eve

Navigate to the UI

If no audit settings are configured, or if audit sett

- 4758: A security-enabled universal group was deleted.
- 4781: The name of an account was changed:

Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit

- 4764: A group's type was changed.
- 4794: An attempt was made to set the Directory Services Restore Mode.

Refer to Microsoft Knowledge Base article 947226: [Description of security events in Windows Vista and in Windows Serve
accepted This section contains recommendations for configuring the Directory Services Access audit policy.

This subcategory reports when an AD DS object is accessed. Only objects with SACLs cause audit events to be generated

To establish the recommended configuration via GP, set the following UI path to `Suc

- 5376: Credential Manager credentials were backed up.

This subcategory reports changes to objects in Active Directory Domain Services (AD DS). The types of changes that are r

- 5377: Credential Manager credentials were restored from a backup.

The recommended state for this setting is: `Success`.

`Success and Failure`.
full Auditing these eve

- 4662 : An operation was performed on an object.

To establish the recommended configuration via GP, set the following UI path to `Suc

Navigate to the UI

If no audit settings are configured,

- 5136 : A directory service object was modified.

Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit

- 5137 : A directory service object was created.

The recommended state for this setting is: `Success and Failure`.

full Auditing these eve

The recommended state for this setting is: `Success and Failure`.

Navigate to the UI

If no audit settings are configured,

- 5138 : A directory service object was undeleted.

Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit

- 5139 : A directory service object was moved.
accepted This section contains recommendations for configuring the Logon/Logoff audit policy.

This subcategory reports when a user's account is locked out as a result of too many failed logon attempts. Events for this

To establish the recommended configuration via GP, set the following UI path to `Suc

The recommended state for this setting is: `Success and Failure`.

This subcategory reports when a user logs off from the system. These events occur on the accessed computer. For interac

This subcategory reports other logon/logoff-related events, such as Remote Desktop Services session disconnects and rec
full Auditing these eve

- 4625: An account failed to log on.

To establish the recommended configuration via GP, set the following UI path to `Suc

Navigate to the UI

If no audit settings are configured,

This subcategory reports when a user attempts to log on to the system. These events occur on the accessed computer. Fo

Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit

- 4649: A replay attack was detected.
- 4634: An account was logged off.
full Auditing these eve

The recommended state for this setting is: `Success and Failure`.

To establish the recommended configuration via GP, set the following UI path to `Suc

Navigate to the UI

If no audit settings are configured,

- 4778: A session was reconnected to a Window Station.
- 4647: User initiated logoff.
- 4624: An account was successfully logged on.

Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit

- 4779: A session was disconnected from a Window Station.
- 4625: An account failed to log on.
full Auditing these eve

To establish the recommended configuration via GP, set the following UI path to `Suc

Navigate to the UI

If no audit settings are configured,

- 4648: A logon was attempted using explicit credentials.
- 4800: The workstation was locked.

The recommended state for this setting is: `Success`.

This policy setting allows you to audit events generated by the management of task scheduler jobs or COM+ objects.

Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit

- 4801: The workstation was unlocked.
- 4675: SIDs were filtered.
full Auditing these eve

This subcategory reports when a special logon is used. A special logon is a logon that has administrator-equivalent privileg

To establish the recommended configuration via GP, set the following UI path to `Suc

Navigate to the UI

If no audit settings are configured,

- 4802: The screen saver was invoked.

For scheduler jobs, the following are audited:

Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit

- 4803: The screen saver was dismissed.

The recommended state for this setting is: `Success and Failure`.
full Auditing these eve

- Job created.

- 4964: Special groups have been assigned to a new logon.

Navigate to the UI

If no audit settings are configured,

- 5378: The requested credentials delegation was disallowed by policy.

- Job deleted.

Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit

- 5632: A request was made to authenticate to a wireless network.

accepted This section contains recommendations for configuring the Object Access audit policy.

- Job enabled.

The recommended state for this setting is: `Success`.

To establish the recommended configuration via GP, set the following UI path to `Suc

- 5633: A request was made to authenticate to a wired network.

- Job disabled.
full The unexpected incre

- Job updated.

This subcategory reports user attempts to access file system objects on a removable storage device. A securit

This policy setting allows you to audit changes to audit policy including SACL changes. Events for this subcategory include:

To establish the recommended configuration via GP, set the following UI path to `Suc

Navigate to the UI

If no audit settings are configured,

The recommended state for this setting is: `Success and Failure`.

This subcategory reports changes in authentication policy. Events for this subcategory include:

Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit
full Auditing removable

For COM+ objects, the following are audited:

- 4715: The audit policy (SACL) on an object was changed.

The recommended state for this setting is: `Success and Failure`.

Navigate to the UI

If no audit settings are configured,

- Catalog object added.

- 4719: System audit policy was changed.
- 4706: A new trust was created to a domain.

This subcategory reports when a user account or service uses a sensitive privilege. A sensitive privilege includes the follow

Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit
accepted This section contains recommendations for configuring the Policy Change audit policy.

- Catalog object updated.

**Note:** A Windows 8, Server 2012 (non-R2) or higher OS is required to access and set this value in Group Policy.

- 4902: The Per-user audit policy table was created.
- 4707: A trust to a domain was removed.

To establish the recommended configuration via GP, set the following UI path to `Suc

- 4713: Kerberos policy was changed.

- Catalog object deleted.

- 4904: An attempt was made to register a security event source.

- Act as part of the operating system
full Auditing these eve

- 4905: An attempt was made to unregister a security event source.
- 4716: Trusted domain information was modified.

- Back up files and directories

This subcategory reports changes in authorization policy. Events for this subcategory include:

To establish the recommended configuration via GP, set the following UI path to `Suc

Navigate to the UI

If no audit settings are configured,

- 4906: The CrashOnAuditFail value has changed.
- 4717: System security access was granted to an account.

- Create a token object

The recommended state for this setting is: `Success and Failure`.

Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit
full Auditing these eve

- 4907: Auditing settings on object were changed.
- 4718: System security access was removed from an account.
- 4704: A user right was assigned.

- Debug programs

To establish the recommended configuration via GP, set the following UI path to `Suc

Navigate to the UI

If no audit settings are configured,

- 4908: Special Groups Logon table modified.
- 4739: Domain Policy was changed.
- 4705: A user right was removed.

- Enable computer and user accounts to be trusted for delegation

Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit
full Auditing these eve

- 4912: Per User Audit Policy was changed.
- 4864: A namespace collision was detected.
- 4706: A new trust was created to a domain.

- Generate security audits

Navigate to the UI

If no audit settings are configured,

- 4865: A trusted forest information entry was added.
- 4707: A trust to a domain was removed.

- Impersonate a client after authentication

Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit
accepted This section contains recommendations for configuring the Privilege Use audit policy.

- 4866: A trusted forest information entry was removed.
- 4714: Encrypted data recovery policy was changed.

- Load and unload device drivers

The recommended state for this setting is: `Success and Failure`.

To establish the recommended configuration via GP, set the following UI path to `Suc

- 4867: A trusted forest information entry was modified.

- Manage auditing and security log
full Auditing these eve

- Modify firmware environment values

The recommended state for this setting is: `Success`.

Navigate to the UI

If no audit settings are configured,

- Replace a process-level token

The recommended state for this setting is: `Success`.

Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit

accepted This section contains recommendations for configuring the System audit policy.

- Restore files and directories
- Take ownership of files or other objects

Auditing this subcategory will create a high volume of events. Events for this subcategory include:

- 4672: Special privileges assigned to new logon.


- 4673: A privileged service was called.
This subcategory reports on other system events. Events for this subcategory include:
- 4960: IPsec dropped an inbound packet that failed an integrity check. If this problem persists, it could indicate a network i
- 4961: IPsec dropped an inbound packet that failed a replay check. If this problem persists, it could indicate a replay attack

- 5024: The Windows Firewall Service has started successfully.

- 4962: IPsec dropped an inbound packet that failed a replay check. The inbound packet had too low a sequence number t

- 5025: The Windows Firewall Service has been stopped.

- 4963: IPsec dropped an inbound clear text packet that should have been secured. This is usually due to the remote comp

- 5027: The Windows Firewall Service was unable to retrieve the security policy from the local storage. The service will con

To establish the recommended configuration via GP, set the following UI path to `Suc

- 4965: IPsec received a packet from a remote computer with an incorrect Security Parameter Index (SPI). This is usually c

- 5028: The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently
full Auditing these eve

- 5029: The Windows Firewall Service failed to initialize the driver. The service will continue to enforce the current policy.

- 5478: IPsec Services has started successfully.

To establish the recommended configuration via GP, set the following UI path to `Suc

Navigate to the UI

If no audit settings are configured,

This subcategory reports changes in security state of the system, such as when the security subsystem starts and stops. E

- 5030: The Windows Firewall Service failed to start.

- 5479: IPsec Services has been shut down successfully. The shutdown of IPsec Services can put the computer at greater

Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit
This subcategory reports on violations of integrity of the security subsystem. Events for this subcategory include:
full Capturing these au

- 5480: IPsec Services failed to get the complete list of network interfaces on the computer. This poses a potential security

- 5032: Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections

This subcategory reports the loading of extension code such as authentication packages by the security subsystem. Events

To establish the recommended configuration via GP, set the following UI path to `Suc

Navigate to the UI

If no audit settings are configured,

- 4608: Windows is starting up.

- 5483: IPsec Services failed to initialize RPC server. IPsec Services could not be started.

- 5033: The Windows Firewall Driver has started successfully.

Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit

- 4609: Windows is shutting down.
- 4612: Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some a
full 5484::An
5034
- 4610: IPsec
The Services
Windows
authentication has
Auditing experienced
Firewall
these
package Driver
eve
has```
To```
has a been
been critical
establish failure
stopped.
loaded andLocal
Navigate
thebyrecommended
the has been
to the shut
Security If down.
UI Authority.
no audit
configuration The shutdown
viasettings
GP, setare offollowing
IPsec Services
theconfigured, UIorpath can
if audit put
sett
to `Suc
4616::The
- 4615 system
Invalid use oftimeLPC was changed.
port.
5485::A
5035
- 4611: IPsec
The Services
Windows
trusted failed
logonFirewall
process toDriver
process
has been some
failed
Computer IPsec
to start.
registered filtersthe onLocal
a plug-and-play
Configuration\Policies\Windows
with event
Security Authority. for network interfaces.
Settings\Security Settings\Advanced This poses a po
Audit
4621::Administrator
- 4618 recovered
A monitored security eventsystem
pattern from hasCrashOnAuditFail.
occurred. Users who are not administrators will now be allowed to lo
full 5037 :AThe
- 4614: Windows
notification Firewall
Auditing
package these Driver
has eve
been detected
```
To``` loadedcritical
establish bythe runtime
therecommended
Security
Navigate error.
Account Terminating.
to the UI
Manager.
If no audit
configuration viasettings
GP, setare theconfigured,
following UI path to `Suc
- 4816 : RPC detected an integrity violation while decrypting an incoming message.
-The recommended
5058:
4622: Key
A security state forhas
file operation.
package thisbeen
setting is: `Success
Computer
loaded and Failure`.
by Configuration\Policies\Windows
the Local Security Authority. Settings\Security Settings\Advanced Audit
-The recommended
5038 : Code integrity state for this setting
determined that theis: `Success`.
image hash of a file is not valid. The file could be corrupt due to unauthorized m
full 5059: A
- 4697: Key migration
service was operation.
Auditing
installed
these in eve
the ```
system.
``` Navigate to the UI If no audit settings are configured,
- 5056: A cryptographic self test was performed.
Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit
- 5057: A cryptographic primitive operation failed.
accepted This section contains computer-based recommendations from Group Policy Administrative Templates (ADMX).

The recommended state for this setting is: `Success and Failure`.

- 5060: Verification operation failed.

accepted This section contains recommendations for Control Panel settings.

- 5061: Cryptographic operation.
- 5062: A kernel-mode cryptographic self test was performed.

This Group Policy section is provided by the Group Policy template `Windows.admx/adml` that is included with all versions

This section contains recommendations for Control Panel personalization settings.

To establish the recommended configuration via GP, set the following UI path to `Ena
accepted This Group Policy section is provided by the Group Policy template `ControlPanelDisplay.admx/adml` that is included with

Navigate to the UI Path articulated in the Remediation section and

The recommended state for this setting is: `Success and Failure`.

Disables the lock screen camera toggle switch in PC Settings and prevents a camera from being invoked on the lock scree

To establish the recommended configuration via GP, set the following UI path to `Ena

full Disabling the lock

Computer Configuration\Policies\Administrative Templates\Control Panel\Personaliza

Navigate to the UI Path articulated in the Remediation section and

If you enable this setting, users will no longer be

The recommended state for this setting is: `Enabled`.

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window

Disables the lock screen slide show settings in PC Settings and prevents a slide show from playing on the lock screen.

full Disabling the lock

Computer Configuration\Policies\Administrative Templates\Control Panel\Personaliza

Navigate to the UI Path articulated in the Remediation section and confirm it is set

If you enable this setting, users will no longer be

The recommended state for this setting is: `Enabled`.

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window

This section contains recommendations for configuring Microsoft Local Administrator Password Solution (LAPS).

**Note:** This Group Policy path may not exist by default. It is provided by the Group

accepted Since September 2016, Microsoft has strongly encouraged that SMBv1 be disabled and no longer used

This Group Policy section is provided by the Group Policy template `AdmPwd.admx/adml` that is included with LAPS.

This section contains settings for configuring additional settings from the MS Security Guide.

**Note:** This Group Policy path may not exist by default. It is provided by the Group

To establish the recommended configuration via GP, set the following UI path to `Ena
accepted This setting configures Morethe
Since information
start typeon
September forthis
2016, theMicrosoft
can
Serverbe found
Message
hasNavigate
at theBlock
strongly following
to version
the UIlinks:
encouraged Path
1 (SMBv1)
articulated
that SMBv1 client indriver
be the Remediation
disabled serviceand (`MRxSmb10`),
sectionused
no longer and
as prescribed.
This Group Policy section is provided by the Group Policy template `SecGuide.admx/adml` that is available from Microsoft
To establish the recommended configuration via GP, set the following UI path to `Disa

full

The recommended state for this setting is: `Enabled: Disable driver`.

More information on this can be found at the following links:

[Stop using SMB1 | Storage at Microsoft](https://blogs.technet.microsoft.com/filecab/2016/09/16/stop-us

Some legacy OSes (e.g. Windows XP, S

This group policy setting is backed by the following registry location:

```
Computer Configuration\Policies\Administrative Templates\MS Security Guide\Config
```

To establish the recommended configuration via GP, set the following UI path to `Ena

This setting configures the server-side processing of the Server Message Block version 1 (SMBv1) protocol.

```
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\m
```

full

**Note:** Do not, _under any circumstances_, configure this overall setting as `Disabled`, as doing so will delete the underl

[Stop using SMB1 | Storage at Microsoft](https://blogs.technet.microsoft.com/filecab/2016/09/16/stop-us

[Disable SMB v1 in Managed Environments with Group Policy – "Stay Safe" Cyber Security Blog](https:/

Some legacy OSes (e.g. Windows XP, S

Navigate to the UI Path articulated in the Remediation section and

```
Computer Configuration\Policies\Administrative Templates\MS Security Guide\Config
```

**Note:** This Group Policy path does not exist by default. An additional Group Policy

The recommended state for this setting is: `Disabled`.

Windows includes support for Structured Exception Handling Overwrite Protection (SEHOP). We recommend enabling this ca

When WDigest authentication is enabled, Lsass.exe retains a copy of the user's plaintext password in memory, where it ca
To establish the recommended configuration via GP, set the following UI path to `Disa

```
Computer Configuration\Policies\Administrative Templates\MS Security Guide\Enable
```

full

[Disabling SMBv1 through Group Policy – Microsoft Security Guidance blog](https://blogs.technet.micros

[Disable SMB v1 in Managed Environments with Group Policy – "Stay Safe" Cyber Security Blog](https:/

This feature is de

After you enable SEHOP, the existing ver

Navigate to the UI Path articulated in the Remediation section and

**Note:** This Group Policy path does not exist by default. An additional Group Policy
The recommended state for this setting is: `Enabled`.

For more information about local accounts and credential theft, review the "[Mitigating Pass-the-Hash (PtH) Attacks and Ot

**Note:** This Group Policy path does not exist by default. An additional Group Policy

```
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Se
```

full

[Disabling SMBv1 through Group Policy – Microsoft Security Guidance blog](https://blogs.technet.micros

Preventing the pla

None - this is also the default confi

```
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters:SMB1
```

```
Computer Configuration\Policies\Administrative Templates\MS Security Guide\WDige
```

For more information about `UseLogonCredential`, see Microsoft Knowledge Base article 2871997: [Microsoft Security Adv

```
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Se
```

This section contains recommendations for the Microsoft Solutions for Security (MSS) settings.

More information is available at [MSKB 956607: How to enable Structured Exception

To establish the recommended configuration via GP, set the following UI path to `Disa

accepted

This setting is separate from the Welcome screen feature in Windows XP and Windows Vista; if that feature is disabled, thi

Navigate to the UI Path articulated in the Remediation section and

**Note:** This Group Policy path does not exist by default. An additional Group Policy

The recommended state for this setting is: `Disabled`.

This Group Policy section is provided by the Group Policy template `MSS-legacy.admx/adml` that is available from this Tec

To establish the recommended configuration via GP, set the following UI path to `Ena

full

For additional information, see Microsoft Knowledge Base article 324737: [How to turn on automatic logon in Windows](http

If you configure a

None - this is the default behavior.

Navigate to the UI Path articulated in the Remediation section and

```
Computer Configuration\Policies\Administrative Templates\MSS (Legacy)\MSS: (Auto
```
IP source routing is a mechanism that allows the sender to determine the IP route that a datagram should follow through th

```
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Cu
```

To establish the recommended configuration via GP, set the following UI path to `Ena

full

The recommended state for this setting is: `Disabled`.

An attacker could

All incoming source routed packets w

Navigate to the UI Path articulated in the Remediation section and

**Note:** This Group Policy path does not exist by default. An additional Group Policy

```
Computer Configuration\Policies\Administrative Templates\MSS (Legacy)\MSS: (Disa
```

IP source routing is a mechanism that allows the sender to determine the IP route that a datagram should take through the

The recommended state for this setting is: `Enabled: Highest protection, source routing is completely disabled`.

```
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\T
```

To establish the recommended configuration via GP, set the following UI path to `Dis

full

An attacker could

All incoming source routed packets w

Navigate to the UI Path articulated in the Remediation section and

**Note:** This Group Policy path does not exist by default. An additional Group Policy

```
Computer Configuration\Policies\Administrative Templates\MSS (Legacy)\MSS: (Disa
```

Internet Control Message Protocol (ICMP) redirects cause the IPv4 stack to plumb host routes. These routes override the O

The recommended state for this setting is: `Enabled: Highest protection, source routing is completely disabled`.

```
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\T
```
The DLL search order can be configured to search for DLLs that are requested by running processes in one of two ways:

To establish the recommended configuration via GP, set the following UI path to `Ena

full

This NetBT protocol is designed not to use authentication, and is therefore vulnerable to spoofing. Spoof

The behavior is ex

When Routing and Remote Access Servi

Navigate to the UI Path articulated in the Remediation section and

**Note:** This Group Policy path does not exist by default. An additional Group Policy

```
Computer Configuration\Policies\Administrative Templates\MSS (Legacy)\MSS: (Enab
```

NetBIOS over TCP/IP is a network protocol that among other things provides a way to easily resolve NetBIOS names that

The recommended state for this setting is: `Disabled`.

```
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\T
```

- Search folders specified in the system path first, and then search the current working folder.

To establish the recommended configuration via GP, set the following UI path to `Ena

full

An attacker could send a request over the network and query a computer to release its NetBIOS name.

None - this is the default behavior.

Navigate to the UI Path articulated in the Remediation section and

- Search current working folder first, and then search the folders specified in the system path.

**Note:** This Group Policy path does not exist by default. An additional Group Policy

```
Computer Configuration\Policies\Administrative Templates\MSS (Legacy)\MSS: (NoN
```

The recommended state for this setting is: `Enabled`.

```
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\N
```

To establish the recommended configuration via GP, set the following UI path to `Ena

full

The result of such an attack could be to cause intermittent connectivity issues on the target computer, or

If a user unknowin

None - this is the default behavior.

Navigate to the UI Path articulated in the Remediation section and

When enabled, the registry value is set to 1. With a setting of 1, the system first searches the folders that are specified in th

**Note:** This Group Policy path does not exist by default. An additional Group Policy

```
Computer Configuration\Policies\Administrative Templates\MSS (Legacy)\MSS: (Safe
```
Windows includes a grace period between when the screen saver is launched and when the console is actually locked auto

```
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Se
```

To establish the recommended configuration via GP, set the following UI path to `Ena

full

The default grace

This setting can generate a security audit in the Security event log when the log reaches a user-defined threshold.

Users will have to enter their passwo

Navigate to the UI Path articulated in the Remediation section and

Applications will be forced to search for DLLs in the system path first. For applications that require unique versions of these

**Note:** This Group Policy path does not exist by default. An additional Group Policy

```
Computer Configuration\Policies\Administrative Templates\MSS (Legacy)\MSS: (Scre
```

The recommended state for this setting is: `Enabled: 5 or fewer seconds`.

```
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Cu
```

full

The recommended state for this setting is: `Enabled: 90% or less`.

If the Security lo

An audit event will be generated whe

The recommended state for this setting is: `Enabled`.

**Note:** This Group Policy path does not exist by default. An additional Group Policy

```
Computer Configuration\Policies\Administrative Templates\MSS (Legacy)\MSS: (War
```

This section contains recommendations for network settings.

```
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\E
```

accepted

**Note:** If log settings are configured to Overwrite events as needed or Overwrite events older than x days, this event will

**Note:** This Group Policy path does not exist by default. An additional Group Policy
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `Windows.admx/adml` that is included with all versions
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `Bits.admx/adml` that is included with all versions of the
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `PeerToPeerCaching.admx/adml` that is included with
accepted
This section contains recommendations related to DNS Client.

This Group Policy section is provided by the Group Policy template `nca.admx/adml` that is included with the Microsoft 8.0
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `DnsClient.admx/adml` that is included with all versions

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `GroupPolicy.admx/adml` that is included with the Micro
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `hotspotauth.admx/adml` that is included with the Micro
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `LanmanServer.admx/adml` that is included with the M

This Group Policy section is provided by the Group Policy template `LanmanWorkstation.admx/adml` that is included with t
This section contains recommendations for Link-Layer Topology Discovery settings.
accepted
This section contains recommendations for Microsoft Peer-to-Peer Networking Services settings.

This Group Policy section is provided by the Group Policy template `LinkLayerTopologyDiscovery.admx/adml` that is includ
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `P2P-pnrp.admx/adml` that is included with all versions
accepted
This section contains recommendations for Network Connections settings.

This Group Policy section is provided by the Group Policy template `P2P-pnrp.admx/adml` that is included with all versions

To establish the recommended configuration via GP, set the following UI path to `Ena
accepted

Navigate to the UI Path articulated in the Remediation section and

You can use this procedure to control a user's ability to install and configure a Network Bridge.

The Network Bridge setting, if enabled, allows users to create a Layer 2 Media Access Control (MAC) br

This Group Policy section is provided by the Group Policy template `NetworkConnections.admx/adml` that is included with

To establish the recommended configuration via GP, set the following UI path to `Ena

full

```
Computer Configuration\Policies\Administrative Templates\Network\Network Connect
```

Users cannot create or configure a N

Navigate to the UI Path articulated in the Remediation section and

This policy setting determines whether to require domain users to elevate when setting a network's location.

In an enterprise managed environment, where there is a need to control network traffic to only authorize

The recommended state for this setting is: `Enabled`.

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```

full

Allowing regular u

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

```
Computer Configuration\Policies\Administrative Templates\Network\Network Connect
```

Domain users must elevate when setti

The recommended state for this setting is: `Enabled`.

**Note:** This Group Policy path is provided by the Group Policy template `NetworkCo

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```
accepted

This Group Policy section is provided by the Group Policy template `WindowsFirewall.admx/adml` that is included with all v

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

**Note:** This Group Policy path may not exist by default. It is provided by the Group

accepted

**Note:** This section was initially named _Windows Firewall_ but was renamed by Microsoft to _Windows Defender Firew

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `NCSI.admx/adml` that is included with all versions of t
In February 2015, Microsoft released a new control mechanism to mitigate a security risk in Group Polic
accepted

To establish the recommended configuration via GP, set the following UI path to `Ena

This section contains recommendations for Network Provider settings.

This Group Policy section is provided by the Group Policy template `NetworkIsolation.admx/adml` that is included with the

Once the new GPO template is in place, the following are the minimum requirements to remediate the G

Navigate to the UI Path articulated in the Remediation section and

accepted

This policy setting configures secure access to UNC paths.

```
\\*\NETLOGON RequireMutualAuthentication=1, RequireIntegrity=1
\\*\SYSVOL RequireMutualAuthentication=1, RequireIntegrity=1
```

This Group Policy section is provided by the Group Policy template `NetworkProvider.admx/adml` that is included with the

full

The recommended state for this setting is: `Enabled, with "Require Mutual Authentication" and "Require Integrity" set for al

Windows only allows access to the spe

```
\\*\NETLOGON RequireMutualAuthentication=1, RequireIntegrity=1
\\*\SYSVOL RequireMutualAuthentication=1, RequireIntegrity=1
```

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```

accepted

**Note:** If the environment exclusively contains Windows 8.0 / Server 2012 or higher systems, then the "`Privacy`" setting

```
Computer Configuration\Policies\Administrative Templates\Network\Network Provider
```

**Note:** A reboot may be required after the setting is applied to a client machine to access the above p
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `OfflineFiles.admx/adml` that is included with all version
accepted **Note:** This Group Policy path does not exist by default. An additional Group Policy
Additional guidance on the deployment of this security setting is available from the Microsoft Premier Fie
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `QOS.admx/adml` that is included with all versions of th
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `Snmp.admx/adml` that is included with all versions of t
accepted
This section contains TCP/IP configuration settings.

This Group Policy section is provided by the Group Policy template `CipherSuiteOrder.admx/adml` that is included with all
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `tcpip.admx/adml` that is included with the Microsoft W
accepted
This section contains TCP/IP configuration parameter settings.

This Group Policy section is provided by the Group Policy template `tcpip.admx/adml` that is included with the Microsoft W
accepted
This section contains recommendations for Windows Connect Now settings.

This Group Policy section is provided by the Group Policy template `tcpip.admx/adml` that is included with the Microsoft W
accepted
This section contains recommendations for Windows Connection Manager settings.

This Group Policy section is provided by the Group Policy template `WindowsConnectNow.admx/adml` that is included with

To establish the recommended configuration via GP, set the following UI path to `Ena
accepted Navigate to the UI Path articulated in the Remediation section and
This policy setting prevents computers from connecting to both a domain based network and a non-domain based network

This Group Policy section is provided by the Group Policy template `WCM.admx/adml` that is included with the Microsoft W

full

Blocking simultane

```
Computer Configuration\Policies\Administrative Templates\Network\Windows Connec
```

None - this is the default behavior.

The recommended state for this setting is: `Enabled`.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```

accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `Windows.admx/adml` that is included with all versions

**Note:** This Group Policy path may not exist by default. It is provided by the Group
accepted
This section contains recommendations for System settings.

This Group Policy section is provided by the Group Policy template `Windows.admx/adml` that is included with the Microso
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `Windows.admx/adml` that is included with all versions
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `srm-fci.admx/adml` that is included with the Microsoft W
accepted
This section contains settings related to auditing of process creation events.

This Group Policy section is provided by the Group Policy template `appv.admx/adml` that is included with the Microsoft W

To establish the recommended configuration via GP, set the following UI path to `Disa

accepted

Navigate to the UI Path articulated in the Remediation section and
This policy setting determines what information is logged in security audit events when a new process has been created.

This Group Policy section is provided by the Group Policy template `AuditSettings.admx/adml` that is included with the Mic

full

When this policy s

```
Computer Configuration\Policies\Administrative Templates\System\Audit Process Cre
```

None - this is the default behavior.

The recommended state for this setting is: `Disabled`.

This section contains settings related to Credential Delegation.

```
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curren
```

To establish the recommended configuration via GP, set the following UI path to `Ena

accepted

Remote host allows delegation of non-exportable credentials.

When using credential delegation, devices provide an export

Navigate to the UI Path articulated in the Remediation section and

This Group Policy section is provided by the Group Policy template `CredSsp.admx/adml` that is included with all versions

_Restricted Admin Mode_ was designed to help protect administrator accounts by ensuring that reusabl

**Note:** This Group Policy path may not exist by default. It is provided by the Group

full

The recommended state for this setting is: `Enabled`.

_Windows Defender Remote Credential Guard_ helps you protect your credentials over a Remote Desk

```
Computer Configuration\Policies\Administrative Templates\System\Credentials Deleg
```

The host will support the _Restric

Both features should be enabled and supported, as they reduce the chance of credential theft.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```

accepted

**Note:** More detailed information on Windows Defender Remote Credential Guard and how it compares to Restricted Ad
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `DeviceGuard.admx/adml` that is included with the Mic

**Note:** This Group Policy path may not exist by default. It is provided by the Group
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `TPM.admx/adml` that is included with the Microsoft W

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `DeviceInstallation.admx/adml` that is included with all
accepted
This Group Policy section is provided by the Group Policy template `DeviceRedirection.admx/adml` that is included with the
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `DiskNVCache.admx/adml` that is included with all vers
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `DiskQuota.admx/adml` that is included with all version
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `Display.admx/adml` that is included with the Microsoft
accepted
This policy setting allows you to specify which boot-start drivers are initialized based on a classification determined by an E
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `DCOM.admx/adml` that is included with all versions of
accepted
- `Good`: The driver has been signed and has not been tampered with.
This section contains recommendations for configuring boot-start driver initialization settings.

This Group Policy section is provided by the Group Policy template `DeviceInstallation.admx/adml` that is included with all

To establish the recommended configuration via GP, set the following UI path to `Ena
- `Bad`: The driver has been identified as malware. It is recommended that you do not allow known bad drivers to be initiali
accepted Navigate to the UI Path articulated in the Remediation section and
- `Bad, but required for boot`: The driver has been identified as malware, but the computer cannot successfully boot withou
This Group Policy section is provided by the Group Policy template `EarlyLaunchAM.admx/adml` that is included with the M
- `Unknown`: This driver has not been attested to by your malware detection application and has not been classified by the
full

This policy settin

```
Computer Configuration\Policies\Administrative Templates\System\Early Launch Antim
```

None - this is the default behavior.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

```
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\Ea
```

If you enable this policy setting you will be able to choose which boot-start drivers to initialize the next time the computer is

accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `EnhancedStorage.admx/adml` that is included with the

**Note:** This Group Policy path may not exist by default. It is provided by the Group
If your malware detection application does not include an Early Launch Antimalware boot-start driver or if your Early Launc
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `srm-fci.admx/adml` that is included with the Microsoft W
The recommended state for this setting is: `Enabled: Good, unknown and bad but critical`.
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `FileServerVSSAgent.admx/adml` that is included with
accepted This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `FileServerVSSProvider.admx/adml` that is included w
accepted This Group Policy section is provided by the Group Policy template `FileSys.admx/adml` that is included with all versions o
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
accepted **Note:** This section was initially named _NTFS Filesystem_ but was renamed by Microsoft to _Filesystem_ starting with
This section contains recommendations for configuring group policy-related settings.

This Group Policy section is provided by the Group Policy template `FolderRedirection.admx/adml` that is included with all

To establish the recommended configuration via GP, set the following UI path to `Ena
accepted Navigate to the UI Path articulated in the Remediation section and
The "Do not apply during periodic background processing" option prevents the system from updating affected policies in th

This Group Policy section is provided by the Group Policy template `GroupPolicy.admx/adml` that is included with all versio

To establish the recommended configuration via GP, set the following UI path to `Ena

full

Setting this optio

```
Computer Configuration\Policies\Administrative Templates\System\Group Policy\Conf
```

Group Policies will be reapplied eve

Navigate to the UI Path articulated in the Remediation section and
The recommended state for this setting is: `Enabled: FALSE` (unchecked).

The "Process even if the Group Policy objects have not changed" option updates and reapplies the policies even if the policies

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```

To establish the recommended configuration via GP, set the following UI path to `Disa

full

Setting this optio

```
Computer Configuration\Policies\Administrative Templates\System\Group Policy\Conf
```

Group Policies will be reapplied eve

Navigate to the UI Path articulated in the Remediation section and
The recommended state for this setting is: `Enabled: TRUE` (checked).

This policy setting prevents Group Policy from being updated while the computer is in use. This policy setting applies to Gr

**Note:** This Group Policy path may not exist by default. It is provided by the Group

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```

full

This setting ensur

```
Computer Configuration\Policies\Administrative Templates\System\Group Policy\Turn
```

None - this is the default behavior.

The recommended state for this setting is: `Disabled`.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

**Note:** This Group Policy path may not exist by default. It is provided by the Group

```
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curren
```

accepted
This section contains recommendations related to Internet Communication Management.

This Group Policy section is provided by the Group Policy template `GroupPolicyPreferences.admx/adml` that is included w

**Note:** This Group Policy path is provided by the Group Policy template `GroupPoli
accepted
This section contains recommendations related to Internet Communication settings.

This Group Policy section is provided by the Group Policy template `Windows.admx/adml` that is included with all versions

To establish the recommended configuration via GP, set the following UI path to `Ena
accepted Navigate to the UI Path articulated in the Remediation section and
This policy setting controls whether the computer can download print driver packages over HTTP. To set up HTTP printing,

This Group Policy section is provided by the Group Policy template `Windows.admx/adml` that is included with all versions

Print drivers cannot be downloaded over HTTP.

To establish the recommended configuration via GP, set the following UI path to `Ena

full

Users might downlo

```
Computer Configuration\Policies\Administrative Templates\System\Internet Communi
```

Navigate to the UI Path articulated in the Remediation section and
The recommended state for this setting is: `Enabled`.

This policy setting controls whether Windows will download a list of providers for the Web publishing and online ordering w

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```

**Note:** This policy setting does not prevent the

To establish the recommended configuration via GP, set the following UI path to `Ena

full

Although the risk

```
Computer Configuration\Policies\Administrative Templates\System\Internet Communi
```

Windows is prevented from downloadin

Navigate to the UI Path articulated in the Remediation section and
The recommended state for this setting is: `Enabled`.

This policy setting allows you to disable the client computer's ability to print over HTTP, which allows the computer to print to Int

**Note:** This Group Policy path is provided by the Group Policy template `ICM.admx

The client will not be able to print

```
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curren
```

full

Information that i

```
Computer Configuration\Policies\Administrative Templates\System\Internet Communi
```

The recommended state for this setting is: `Enabled`.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

**Note:** This Group Policy path is provided by the Group Policy template `ICM.admx

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```

**Note:** This policy setting affects the client side

accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `iSCSI.admx/adml` that is included with all versions of t

**Note:** This Group Policy path is provided by the Group Policy template `ICM.admx
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `KDC.admx/adml` that is included with the Microsoft W

This section contains recommendations for Locale Services settings.

This Group Policy section is provided by the Group Policy template `Kerberos.admx/adml` that is included with all versions
accepted
This section contains recommendations related to the logon process and lock screen.

This Group Policy section is provided by the Group Policy template `Globalization.admx/adml` that is included with all versi

To establish the recommended configuration via GP, set the following UI path to `Ena
accepted Navigate to the UI Path articulated in the Remediation section and
This policy setting allows you to control whether anyone can interact with available networks UI on the logon screen.

This Group Policy section is provided by the Group Policy template `Logon.admx/adml` that is included with all versions of

To establish the recommended configuration via GP, set the following UI path to `Ena

full

An unauthorized us

```
Computer Configuration\Policies\Administrative Templates\System\Logon\Do not disp
```

The PC's network connectivity state

Navigate to the UI Path articulated in the Remediation section and
The recommended state for this setting is: `Enabled`.
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```
This policy setting prevents users from being enumerated on domain-joined computers.
To establish the recommended configuration via GP, set the following UI path to `Ena
full A malicious user c
```
Computer Configuration\Policies\Administrative Templates\System\Logon\Do not enu
```
Navigate to the UI Path articulated in the Remediation section and
The Logon UI will not enumerate an
The recommended state for this setting is: `Enabled`.
**Note:** This Group Policy path may not exist by default. It is provided by the Group
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```
This policy setting allows you to prevent app notifications from appearing on the lock screen.
To establish the recommended configuration via GP, set the following UI path to `Ena
full App notifications
This policy setting allows you to control whether a domain user can sign in using a picture password.
```
Computer Configuration\Policies\Administrative Templates\System\Logon\Turn off ap
```
Navigate to the UI Path articulated in the Remediation section and
No app notifications are displayed on
To establish the recommended configuration via GP, set the following UI path to `Disa
The recommended state for this setting is: `Enabled`.
**Note:** This Group Policy path may not exist by default. It is provided by the Group
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```
full Picture passwords
The recommended state for this setting is: `Enabled`.
This policy setting allows you to control whether a domain user can sign in using a convenience PIN. In Windows 10, conve
```
Computer Configuration\Policies\Administrative Templates\System\Logon\Turn off pic
```
Navigate to the UI Path articulated in the Remediation section and
Users will not be able to set up or si
**Note:** This Group Policy path may not exist by default. It is provided by the Group
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```
```
Computer Configuration\Policies\Administrative Templates\System\Logon\Turn on con
```
full A PIN is created f
**Note:** If the picture password feature is permitted, the user's domain password is cached in the system vault when using this feature.
The user's domain password will be cached in the system vault when using this feature.
None - this is the default behavior.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
**Note:** This Group Policy path may not exist by default. It is provided by the Group
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```
The recommended state for this setting is: `Disabled`.
**Note:** This Group Policy path may not exist by default. It is provided by the Group
This Group Policy section is provided by the Group Policy template `GroupPolicy.admx/adml` that is included with the Micro
**Note #2:** In older Microsoft Windows Administrative Templates, this setting was ini
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Netlogon.admx/adml` that is included with all versions
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `OSPolicy.admx/adml` that is included with the Microso
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `PerfCenterCPL.admx/adml` that is only included with t
accepted
This section contains recommendations for Power Management settings.
This Group Policy section is provided by the Group Policy template `Passport.admx/adml` that is included with the Microso
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Power.admx/adml` that is included with all versions of
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Power.admx/adml` that is included with all versions of
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Power.admx/adml` that is included with the Microsoft W
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Power.admx/adml` that is included with all versions of
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Power.admx/adml` that is included with all versions of
accepted
This section contains recommendations related to Power Management Sleep mode.
This Group Policy section is provided by the Group Policy template `Power.admx/adml` that is included with the Microsoft W
To establish the recommended configuration via GP, set the following UI path to `Ena
accepted Navigate to the UI Path articulated in the Remediation section and
Specifies whether or not the user is prompted for a password when the system resumes from sleep.
This Group Policy section is provided by the Group Policy template `Power.admx/adml` that is included with all versions of
To establish the recommended configuration via GP, set the following UI path to `Ena
full Enabling this sett
```
Computer Configuration\Policies\Administrative Templates\System\Power Manageme
```
Navigate to the UI Path articulated in the Remediation section and
None - this is the default behavior.
The recommended state for this setting is: `Enabled`.
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\P
```
Specifies whether or not the user is prompted for a password when the system resumes from sleep.
full Enabling this sett
```
Computer Configuration\Policies\Administrative Templates\System\Power Manageme
```
None - this is the default behavior.
The recommended state for this setting is: `Enabled`.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
**Note:** This Group Policy path may not exist by default. It is provided by the Group
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\P
```
accepted
This section contains recommendations related to Remote Assistance.
This Group Policy section is provided by the Group Policy template `ReAgent.admx/adml` that is included with the Microso
**Note:** This Group Policy path may not exist by default. It is provided by the Group
To establish the recommended configuration via GP, set the following UI path to `Disa
accepted This policy setting allows you to turn on or turn off Offer (Unsolicited) Remote Assistance on this computer.
Navigate to the UI Path articulated in the Remediation section and
This Group Policy section is provided by the Group Policy template `RemoteAssistance.admx/adml` that is included with al
To establish the recommended configuration via GP, set the following UI path to `Disa
full A user might be tr
Help desk and support personnel will not be able to proactively offer assistance, although they can still respond to user ass
```
Computer Configuration\Policies\Administrative Templates\System\Remote Assistanc
```
Navigate to the UI Path articulated in the Remediation section and
None - this is the default behavior.
This policy setting allows you to turn on or turn off Solicited (Ask for) Remote Assistance on this computer.
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```
full There is slight ri
The recommended state for this setting is: `Disabled`.
```
Computer Configuration\Policies\Administrative Templates\System\Remote Assistanc
```
Users on this computer cannot use e-
The recommended state for this setting is: `Disabled`.
This section contains recommendations related to Remote Procedure Call.
**Note:** This Group Policy path may not exist by default. It is provided by the Group
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `RPC.admx/adml` that is included with all versions of th
**Note:** This Group Policy path may not exist by default. It is provided by the Group
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `RemovableStorage.admx/adml` that is included with a
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Scripts.admx/adml` that is included with all versions of
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `ServerManager.admx/adml` that is included with all ve
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `WinInit.admx/adml` that is included with the Microsoft
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Winsrv.admx/adml` that is included with all versions of
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `StorageHealth.admx/adml` that is included with the Mi
accepted
This section contains recommendations related to Troubleshooting and Diagnostics.
This Group Policy section is provided by the Group Policy template `SystemRestore.admx/adml` that is included with all ve
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Windows.admx/adml` that is included with all versions
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `pca.admx/adml` that is included with all versions of the
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `FileRecovery.admx/adml` that is included with all versi
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `DiskDiagnostic.admx/adml` that is included with all ver
accepted
This section contains recommendations related to the Microsoft Support Diagnostic Tool.
This Group Policy section is provided by the Group Policy template `fthsvc.admx/adml` that is included with the Microsoft W
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `MSDT.admx/adml` that is included with all versions of
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Msi-FileRecovery.admx/adml` that is included with the
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `sdiagschd.admx/adml` that is included with the Micros
accepted
This Group Policy section is provided by the Group Policy template `sdiageng.admx/adml` that is included with the Microso
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `PerformanceDiagnostics.admx/adml` that is included w
accepted
This section contains recommendations related to Windows Performance PerfTrack.
This Group Policy section is provided by the Group Policy template `LeakDiagnostic.admx/adml` that is included with all ve
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `PerformancePerftrack.admx/adml` that is included with
accepted
This section contains recommendations related to User Profiles.
This Group Policy section is provided by the Group Policy template `TPM.admx/adml` that is included with all versions of th
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `UserProfiles.admx/adml` that is included with all versio
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `WindowsFileProtection.admx/adml` that is included wi
accepted
This section contains recommendations related to the Windows Time Service.
This Group Policy section is provided by the Group Policy template `HotStart.admx/adml` that is only included with the Micr
accepted
This section contains recommendations related to Time Providers.
This Group Policy section is provided by the Group Policy template `W32Time.admx/adml` that is included with all versions
accepted
This section contains recommendations for Windows Component settings.
This Group Policy section is provided by the Group Policy template `W32Time.admx/adml` that is included with all versions
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Windows.admx/adml` that is included with all versions
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `adfs.admx/adml` that is only included with the Microso
accepted This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `ActiveXInstallService.admx/adml` that is included with
accepted This Group Policy section is provided by the Group Policy template `WindowsAnytimeUpgrade.admx/adml` that is included
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
**Note:** This section was initially named _Windows Anytime Upgrade_ but was renamed by Microsoft to _Add features to
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `AppxPackageManager.admx/adml` that is included wit
accepted
This section contains recommendations for App runtime settings.
This Group Policy section is provided by the Group Policy template `AppPrivacy.admx/adml` that is included with the Micro
To establish the recommended configuration via GP, set the following UI path to `Ena
accepted Navigate to the UI Path articulated in the Remediation section and
This policy setting lets you control whether Microsoft accounts are optional for Windows Store apps that require an accoun
This Group Policy section is provided by the Group Policy template `AppXRuntime.admx/adml` that is included with the Mic
full Enabling this sett
```
Computer Configuration\Policies\Administrative Templates\Windows Components\Ap
```
Windows Store apps that typically requ
The recommended state for this setting is: `Enabled`.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
```
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curren
```
accepted
This section contains recommendations for AutoPlay policies.
This Group Policy section is provided by the Group Policy template `AppCompat.admx/adml` that is included with all versio
**Note:** This Group Policy path may not exist by default. It is provided by the Group
To establish the recommended configuration via GP, set the following UI path to `Ena
accepted Navigate to the UI Path articulated in the Remediation section and
This policy setting disallows AutoPlay for MTP devices like cameras or phones.
This Group Policy section is provided by the Group Policy template `AutoPlay.admx/adml` that is included with all versions
To establish the recommended configuration via GP, set the following UI path to `Ena
full An attacker could
```
Computer Configuration\Policies\Administrative Templates\Windows Components\Au
```
Navigate to the UI Path articulated in the Remediation section and
AutoPlay will not be allowed for MTP
The recommended state for this setting is: `Enabled`.
This policy setting sets the default behavior for Autorun commands. Autorun commands are generally stored in `autorun.inf
To establish the recommended configuration via GP, set the following UI path to `Ena
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```
full Prior to Windows V
Autoplay starts to read from a drive as soon as you insert media in the drive, which causes the setup file for programs or au
```
Computer Configuration\Policies\Administrative Templates\Windows Components\Au
```
Navigate to the UI Path articulated in the Remediation section and
AutoRun commands will be completel
The recommended state for this setting is: `Enabled: Do not execute autorun commands`.
**Note:** This Group Policy path may not exist by default. It is provided by the Group
```
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curren
```
full An attacker could
**Note:** You cannot use this policy setting to enable Autoplay on computer drives in which it is disabled by default, such a
```
Computer Configuration\Policies\Administrative Templates\Windows Components\Au
```
Autoplay will be disabled - users wil
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
**Note:** This Group Policy path may not exist by default. It is provided by the Group
```
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curren
```
accepted The recommended state for this setting is: `Enabled: All drives`.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `UserDataBackup.admx/adml` that is only included with
**Note:** This Group Policy path is provided by the Group Policy template `AutoPlay.a

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Biometrics.admx/adml` that is included with the Micros
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `VolumeEncryption.admx/adml` that is included with all

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Camera.admx/adml` that is included with the Microsoft

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `CloudContent.admx/adml` that is included with the Mic

This section contains recommendations related to the Credential User Interface.
This Group Policy section is provided by the Group Policy template `WirelessDisplay.admx/adml` that is included with the M
To establish the recommended configuration via GP, set the following UI path to `Ena
accepted Navigate to the UI Path articulated in the Remediation section and
This policy setting allows you to configure the display of the password reveal button in password entry user experiences.
This Group Policy section is provided by the Group Policy template `CredUI.admx/adml` that is included with all versions of
To establish the recommended configuration via GP, set the following UI path to `Disa
full This is a useful f
```
Computer Configuration\Policies\Administrative Templates\Windows Components\Cre
```
Navigate to the UI Path articulated in the Remediation section and
The password reveal button will not
The recommended state for this setting is: `Enabled`.
This policy setting controls whether administrator accounts are displayed when a user attempts to elevate a running applica
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```
full Users could see th
```
Computer Configuration\Policies\Administrative Templates\Windows Components\Cre
```
None - this is the default behavior.
The recommended state for this setting is: `Disabled`.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
**Note:** This Group Policy path may not exist by default. It is provided by the Group
```
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curren
```
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Windows.admx/adml` that is included with the Microso
**Note:** This Group Policy path is provided by the Group Policy template `CredUI.ad
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `DeliveryOptimization.admx/adml` that is included with

This Group Policy section is provided by the Group Policy template `Sidebar.admx/adml` that is included with the Microsoft
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `DWM.admx/adml` that is included with all versions of t
accepted This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `DeviceCompat.admx/adml` that is included with the M
accepted This Group Policy section is provided by the Group Policy template `WorkplaceJoin.admx/adml` that is included with the M
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
**Note:** This section was initially named _Workplace Join_ but was renamed by Microsoft to _Device Registration_ startin
This section contains recommendations for configuring Microsoft Enhanced Mitigation Experience Toolkit (EMET).
The Enhanced Mitigation Experience Toolkit (EMET) is free and supported security software developed by Microsoft that a
EMET is free and supported security software developed by Microsoft that allows an enterprise to apply exploit mitigations
More information on EMET, including download and User Guide, can be obtained here:
[Enhanced Mitigation Experience Toolkit - EMET - TechNet Security](https://technet.microsoft.com/en-us/security/jj653751
**Note:** Although EMET is quite effective at enhancing exploit protection on Windows server OSes prior to Server 2016, it
**Note #2:** EMET has been reported to be very problematic on 32-bit OSes - we only recommend using it with 64-bit OSe
**Note #3:** Microsoft has announced that EMET will be End-Of-Life (EOL) on July 31, 2018. This does not mean the softw
accepted This Group Policy section is provided by the Group Policy template `DigitalLocker.admx/adml` that is included with all versi
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `EdgeUI.admx/adml` that is included with the Microsoft
`EMET.admx/adml` that is included with Microsoft EME
Install EMET 5.52
Navigate to `Control Panel\Program\Programs and Featu
accepted This setting configures the default action after detection and advanced ROP mitigation.
The recommended state for this setting is:
- Default Action and Mitigation Settings - `Enabled`
- **Deep Hooks** - `Enabled`
- **Anti Detours** - `Enabled`
- **Banned Functions** - `Enabled`
- **Exploit Action** - `User Configured`
full These advanced mitigations for ROP mitigations apply to all configured software in EMET:
- **Deep Hooks** protects critical APIs and the subsequent lower level APIs used by the top level critica
- **Anti Detours** renders ineffective exploits that evade hooks by executing a copy of the hooked functi
- **Banned Functions** will block calls to `ntdll!LdrHotPatchRoutine` to mitigate potential exploits abusin
The advanced mitigations available in
To establish the recommended configuration via GP, set the following UI path to `Ena
```
Computer Configuration\Policies\Administrative Templates\Windows Components\EM
```
**Note:** This Group Policy path does not exist by default. An additional Group Policy
Navigate to the UI Path articulated in the Remediation section and
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\EMET\S
```
This setting determines if recommended EMET mitigations are applied to Internet Explorer.
The recommended state for this setting is: `Enabled`.
full Applying EMET mitig
EMET mitigations will be applied to I
To establish the recommended configuration via GP, set the following UI path to `Ena
```
Computer Configuration\Policies\Administrative Templates\Windows Components\EM
```
**Note:** This Group Policy path does not exist by default. An additional Group Policy
Navigate to the UI Path articulated in the Remediation section and
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\EMET\D
```
This setting determines if recommended EMET mitigations are applied to the following software:
- Adobe Acrobat
- Adobe Acrobat Reader
- Microsoft Office suite applications
- Oracle Java
- WordPad
full Applying EMET miti
EMET mitigations will be applied to th
To establish the recommended configuration via GP, set the following UI path to `Ena
```
Computer Configuration\Policies\Administrative Templates\Windows Components\EM
```
**Note:** This Group Policy path does not exist by default. An additional Group Policy
Navigate to the UI Path articulated in the Remediation section and
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\EMET\D
```
This setting determines if recommended EMET mitigations are applied to the following popular software:
- 7-Zip
- Adobe Photoshop
- Foxit Reader
- Google Chrome
- Google Talk
- iTunes
- Microsoft Live Writer
- Microsoft Lync Communicator
- Microsoft Photo Gallery
- Microsoft SkyDrive
- mIRC
- Mozilla Firefox
- Mozilla Thunderbird
- Opera
- Pidgin
- QuickTime Player
- RealPlayer
- Safari
- Skype
- VideoLAN VLC
- Winamp
- Windows Live Mail
- Windows Media Player
- WinRAR
- WinZip
full Applying EMET miti
EMET mitigations will be applied to
To establish the recommended configuration via GP, set the following UI path to `Ena
```
Computer Configuration\Policies\Administrative Templates\Windows Components\EM
```
**Note:** This Group Policy path does not exist by default. An additional Group Policy
Navigate to the UI Path articulated in the Remediation section and
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\EMET\D
```
This setting determines how applications become enrolled in Address Space Layout Randomization (ASLR).
The recommended state for this setting is: `Enabled: Application Opt-In`.
full ASLR reduces the p
ASLR protections will be enabled on
To establish the recommended configuration via GP, set the following UI path to `Ena
```
Computer Configuration\Policies\Administrative Templates\Windows Components\EM
```
**Note:** This Group Policy path does not exist by default. An additional Group Policy
Navigate to the UI Path articulated in the Remediation section and
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\EMET\S
```
This setting determines how applications become enrolled in Data Execution Protection (DEP).
The recommended state for this setting is: `Enabled: Application Opt-Out`.
full DEP marks pages of
DEP protections will be enabled on *a
To establish the recommended configuration via GP, set the following UI path to `Ena
```
Computer Configuration\Policies\Administrative Templates\Windows Components\EM
```
**Note:** This Group Policy path does not exist by default. An additional Group Policy
Navigate to the UI Path articulated in the Remediation section and
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\EMET\S
```
This setting determines how applications become enrolled in Structured Exception Handler Overwrite Protection (SEHOP).
The recommended state for this setting is: `Enabled: Application Opt-Out`.
full When a software co
SEHOP protections will be enabled on
To establish the recommended configuration via GP, set the following UI path to `Ena
```
Computer Configuration\Policies\Administrative Templates\Windows Components\EM
```
**Note:** This Group Policy path does not exist by default. An additional Group Policy
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\EMET\S
```
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
accepted
This section contains recommendations for configuring the Event Log Service.
This Group Policy section is provided by the Group Policy template `EventForwarding.admx/adml` that is included with the
accepted
To establish the recommended configuration via GP, set the following UI path to `Disa
This section contains recommendations for configuring the Application Event Log.
This Group Policy section is provided by the Group Policy template `EventLog.admx/adml` that is included with all versions
accepted
accepted The recommended state for this setting is: `Enabled`.
This policy setting controls Event Log behavior when the log file reaches its maximum size.
To establish the recommended configuration via GP, set the following UI path to `Ena
Navigate to the UI Path articulated in the Remediation section and
This Group Policy section is provided by the Group Policy template `EventLog.admx/adml` that is included with all versions
```
Computer Configuration\Policies\Administrative Templates\Windows Components\Eve
```
full If new events are
The recommended state for this setting is: `Disabled`.
Navigate to the UI Path articulated in the Remediation section and
None - this is the default behavior.
When event logs fill to capacity, they will stop rec
This policy setting specifies the maximum size of the log file in kilobytes. The maximum log file size can be configured betw
```
Computer Configuration\Policies\Administrative Templates\Windows Components\Eve
```
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```
full **Note:** Old events may orare
If events may not To
not **Note:**
be establish
``` retained Thisaccording
Group
the ```
```Policy
to thepath
recommended _Backup
is provided
log consequence
The
configuration automatically
byviatheGP,Group when
setof Policy
this
the full_template
policy
configuration
following UI setting.
`EventLog.
pathis that old
to `Disa
The recommended
This section contains state for this setting is:
recommendations for`Enabled:
configuring 32,768
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
the or greater`.
Security Event Log.
accepted
This policy setting controls Event Log behavior when the log file reaches its maximum size.
Ideally, all specifically monitored events should
To establish the recommended configuration via GP, set the following UI path to `Ena
Navigate to the UI Path articulated in the Remediation section and
**Note:** This Group Policy path is provided by the Group Policy template `EventLog.
**Note #2:** In older Microsoft Windows Administrative Templates, this setting was ini
This Group Policy section is provided by the Group Policy template `EventLog.admx/adml` that is included with all versions
```
Computer Configuration\Policies\Administrative Templates\Windows Components\Eve
```
full
The recommended state for this setting is: `Disabled`.
If new events are
When event logs fill to capacity, they will stop rec
Navigate to the UI Path articulated in the Remediation section and
None - this is the default behavior.
**Note #2:** In older Microsoft Windows Administrative Templates, this setting was ini
This policy setting specifies the maximum size of the log file in kilobytes. The maximum log file size can be configured betw
```
Computer Configuration\Policies\Administrative Templates\Windows Components\Eve
```
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```
full
**Note:** Old events may or may not be retained according to the _Backup log automatically when full_ policy setting.
If events are not
The consequence of this configuration is that old
To establish the recommended configuration via GP, set the following UI path to `Disa
**Note:** This Group Policy path is provided by the Group Policy template `EventLog.
The recommended state for this setting is: `Enabled: 196,608 or greater`.
This section contains recommendations for configuring the Setup Event Log.
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```
accepted
This policy setting controls Event Log behavior when the log file reaches its maximum size.
Ideally, all specifically monitored events should
To establish the recommended configuration via GP, set the following UI path to `Ena
Navigate to the UI Path articulated in the Remediation section and
**Note:** This Group Policy path is provided by the Group Policy template `EventLog.
**Note #2:** In older Microsoft Windows Administrative Templates, this setting was ini
This Group Policy section is provided by the Group Policy template `EventLog.admx/adml` that is included with all versions
```
Computer Configuration\Policies\Administrative Templates\Windows Components\Eve
```
full
The recommended state for this setting is: `Disabled`.
If new events are
When event logs fill to capacity, they will stop rec
Navigate to the UI Path articulated in the Remediation section and
None - this is the default behavior.
**Note #2:** In older Microsoft Windows Administrative Templates, this setting was ini
This policy setting specifies the maximum size of the log file in kilobytes. The maximum log file size can be configured betw
```
Computer Configuration\Policies\Administrative Templates\Windows Components\Eve
```
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```
full
**Note:** Old events may or may not be retained according to the _Backup log automatically when full_ policy setting.
If events are not
The consequence of this configuration is that old
To establish the recommended configuration via GP, set the following UI path to `Disa
**Note:** This Group Policy path is provided by the Group Policy template `EventLog.
The recommended state for this setting is: `Enabled: 32,768 or greater`.
This section contains recommendations for configuring the System Event Log.
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```
accepted
This policy setting controls Event Log behavior when the log file reaches its maximum size.
Ideally, all specifically monitored events should
To establish the recommended configuration via GP, set the following UI path to `Ena
Navigate to the UI Path articulated in the Remediation section and
**Note:** This Group Policy path is provided by the Group Policy template `EventLog.
**Note #2:** In older Microsoft Windows Administrative Templates, this setting was ini
This Group Policy section is provided by the Group Policy template `EventLog.admx/adml` that is included with all versions
```
Computer Configuration\Policies\Administrative Templates\Windows Components\Eve
```
full
The recommended state for this setting is: `Disabled`.
If new events are
When event logs fill to capacity, they will stop rec
Navigate to the UI Path articulated in the Remediation section and
None - this is the default behavior.
**Note #2:** In older Microsoft Windows Administrative Templates, this setting was ini
This policy setting specifies the maximum size of the log file in kilobytes. The maximum log file size can be configured betw
```
Computer Configuration\Policies\Administrative Templates\Windows Components\Eve
```
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```
full
**Note:** Old events may or may not be retained according to the _Backup log automatically when full_ policy setting.
If events are not
The consequence of this configuration is that old
**Note:** This Group Policy path is provided by the Group Policy template `EventLog.
The recommended state for this setting is: `Enabled: 32,768 or greater`.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```
accepted
Ideally, all specifically monitored events should
**Note:** This Group Policy path is provided by the Group Policy template `EventLog.
**Note #2:** In older Microsoft Windows Administrative Templates, this setting was ini
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `EventLogging.admx/adml` that is included with the Mic
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
**Note #2:** In older Microsoft Windows Administrative Templates, this setting was ini
This Group Policy section is provided by the Group Policy template `EventViewer.admx/adml` that is included with all versio
accepted
This section contains recommendations to control the availability of options such as menu items and tabs in dialog boxes.
This Group Policy section is provided by the Group Policy template `ParentalControls.admx/adml` that is only included with
To establish the recommended configuration via GP, set the following UI path to `Disa
accepted
**Note:** This section was initially named _Parental Controls_ but was renamed by Microsoft to _Family Safety_ starting with
This Group Policy section is provided by the Group Policy template `WindowsExplorer.admx/adml` that is included with all
Disabling Data Execution Prevention can allow certain legacy plug-in applications to function without terminating Explorer.
Navigate to the UI Path articulated in the Remediation section and
To establish the recommended configuration via GP, set the following UI path to `Disa
full
**Note:** This section was initially named _Windows Explorer_ but was renamed by Microsoft to _File Explorer_ starting wi
Data Execution Pre
The recommended state for this setting is: `Disabled`.
```
Computer Configuration\Policies\Administrative Templates\Windows Components\File
```
Navigate to the UI Path articulated in the Remediation section and
None - this is the default behavior.
Without heap termination on corruption, legacy plug-in applications may continue to function when a File Explorer session h
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```
full
**Note:** Some legacy plug-in applications and other software may not function with Data Execution Prevention and will req
Allowing an applic
```
Computer Configuration\Policies\Administrative Templates\Windows Components\File
```
None - this is the default behavior.
The recommended state for this setting is: `Disabled`.
**Note:** This Group Policy path may not exist by default. It is provided by the Group
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```
**Note:** This Group Policy path is provided by the Group Policy template `Explorer.a
To establish the recommended configuration via GP, set the following UI path to `Disa
Navigate to the UI Path articulated in the Remediation section and
This policy setting allows you to configure the amount of functionality that the shell protocol can have. When using the full f
full
Limiting the openin
```
Computer Configuration\Policies\Administrative Templates\Windows Components\File
```
None - this is the default behavior.
The recommended state for this setting is: `Disabled`.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
```
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curren
```
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `PreviousVersions.admx/adml` that is included with all
**Note:** This Group Policy path is provided by the Group Policy template `WindowsE
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `FileHistory.admx/adml` that is included with the Micros
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `FindMy.admx/adml` that is included with the Microsoft
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `GameExplorer.admx/adml` that is included with all ver
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Handwriting.admx/adml` that is included with the Micro
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Sharing.admx/adml` that is included with the Microsoft
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `CaptureWizard.admx/adml` that is only included with t
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `InetRes.admx/adml` that is included with all versions o
accepted
This section contains settings for Locations and Sensors.
This Group Policy section is provided by the Group Policy template `IIS.admx/adml` that is included with all versions of the
accepted
This section contains settings for Windows Location Provider.
This Group Policy section is provided by the Group Policy template `Sensors.admx/adml` that is included with the Microsof
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `LocationProviderAdm.admx/adml` that is included with
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `msched.admx/adml` that is included with the Microsoft
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `WinMaps.admx/adml` that is included with the Microso
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `MDM.admx/adml` that is included with the Microsoft W
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Messaging.admx/adml` that is included with the Micros

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `MSAPolicy.admx/adml` that is included with the Micros
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `MicrosoftEdge.admx/adml` that is included with the Mi
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `FidoAuth.admx/adml` that is included with the Microso
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `DeviceCredential.admx/adml` that is included with the
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `UserExperienceVirtualization.admx/adml` that is includ
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Conf.admx/adml` that is included with all versions of th
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `NAPXPQec.admx/adml` that is only included with the M
accepted
This section contains recommendations related to OneDrive.
To establish the recommended configuration via GP, set the following UI path to `Ena
This Group Policy section is provided by the Group Policy template `NetworkProjection.admx/adml` that is only included wi
accepted
The Group Policy settings contained within this section are provided by the Group Policy template `SkyDrive.admx/adml` th
Navigate to the UI Path articulated in the Remediation section and
This policy setting lets you prevent apps and features from working with files on OneDrive using the Next Generation Sync
To establish the recommended configuration via GP, set the following UI path to `Ena
```
Computer Configuration\Policies\Administrative Templates\Windows Components\On
```
Users can't access OneDrive from the OneDrive
full
**Note:** This section was initially named _SkyDrive_ but was renamed by Microsoft to _OneDrive_ starting with the Micros
This policy setting lets you prevent apps and features from working with files on OneDrive using the legacy OneDrive/SkyD
Enabling this sett
Navigate to the UI Path articulated in the Remediation section and
The recommended state for this setting is: `Enabled`.
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```
**Note:** If your organization uses Office 365, be
Users can't access OneDrive from the OneDrive
full
The recommended state for this setting is: `Enabled`.
Enabling this sett
**Note:** This Group Policy path may not exist by default. It is provided by the Group
```
Computer Configuration\Policies\Administrative Templates\Windows Components\On
```
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```
**Note:** If your organization uses Office 365, be
accepted
**Note:** Despite the name of this setting, it is applicable to the legacy OneDrive client on any Windows OS.
**Note #2:** In older Microsoft Windows Administrative Templates, this setting was na
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `HelpAndSupport.admx/adml` that is included with all v
**Note:** This Group Policy path may not exist by default. It is provided by the Group
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `PswdSync.admx/adml` that is only included with the M
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `ExternalBoot.admx/adml` that is included with the Micr
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `MobilePCPresentationSettings.admx/adml` that is inclu
accepted This section contains recommendations related to Remote Desktop Services.
This Group Policy section is provided by the Group Policy template `PushToInstall.admx/adml` that is included with the Mic
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `TerminalServer.admx/adml` that is included with all ve

accepted
**Note:** This section was initially named _Terminal Services_ but was renamed by Microsoft to _Remote Desktop Service
This Group Policy section is provided by the Group Policy template `TerminalServer.admx/adml` that is included with all ve

**Note:** This section was initially named _TS Licensing_ but was renamed by Microsoft to _RD Licensing_ starting with th
This section contains recommendations for the Remote Desktop Connection Client.
To establish the recommended configuration via GP, set the following UI path to `Ena
accepted
This policy setting helps prevent Remote Desktop clients from saving passwords on a computer.
Navigate to the UI Path articulated in the Remediation section and
This Group Policy section is provided by the Group Policy template `TerminalServer.admx/adml` that is included with all ve
full
The recommended state for this setting is: `Enabled`.
An attacker with
```
Computer Configuration\Policies\Administrative Templates\Windows Components\Re
```
The password saving checkbox will be
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```
accepted
**Note:** If this policy setting was previously configured as Disabled or Not configured, any previously saved passwords wi
This section contains recommendations for the Remote Desktop Session Host.
This Group Policy section is provided by the Group Policy template `TerminalServer.admx/adml` that is included with the M
**Note:** This Group Policy path is provided by the Group Policy template `TerminalS
accepted This Group Policy section is provided by the Group Policy template `TerminalServer.admx/adml` that is included with all ve
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
accepted **Note:** This section was initially named _Terminal Server_ but was renamed by Microsoft to _Remote Desktop Session H
This section contains recommendations for Connections to the Remote Desktop Session Host.
This Group Policy section is provided by the Group Policy template `TerminalServer-Server.admx/adml` that is included wit
accepted
This policy setting prevents users from sharing the local drives on their client computers to Remote Desktop Servers that th
This section contains recommendations related to the Remote Desktop Session Host Device and Resource Redirection.
This Group Policy section is provided by the Group Policy template `TerminalServer.admx/adml` that is included with all ve
To establish the recommended configuration via GP, set the following UI path to `Ena
accepted
Navigate to the UI Path articulated in the Remediation section and
`\\TSClient\$`
This Group Policy section is provided by the Group Policy template `TerminalServer.admx/adml` that is included with all ve
full
Data could be forw
```
Computer Configuration\Policies\Administrative Templates\Windows Components\Re
```
Drive redirection will not be possible
If local drives are shared they are left vulnerable to intruders who want to exploit the data that is stored on them.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```
accepted
The recommended state for this setting is: `Enabled`.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `TerminalServer.admx/adml` that is included with all ve
**Note:** This Group Policy path is provided by the Group Policy template `TerminalS
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `TerminalServer.admx/adml` that is included with all ve
accepted This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `TerminalServer.admx/adml` that is included with all ve
accepted This Group Policy section is provided by the Group Policy template `TerminalServer.admx/adml` that is included with all ve
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
accepted
**Note:** This section was initially named _TS Connection Broker_ but was renamed by Microsoft to _RD Connection Brok
To establish the recommended configuration via GP, set the following UI path to `Ena
This section contains recommendations related to Remote Desktop Session Host Security.
This Group Policy section is provided by the Group Policy template `TerminalServer.admx/adml` that is included with all ve
accepted
Navigate to the UI Path articulated in the Remediation section and
This policy setting specifies whether Remote Desktop Services always prompts the client computer for a password upon co
This Group Policy section is provided by the Group Policy template `TerminalServer.admx/adml` that is included with all ve
To establish the recommended configuration via GP, set the following UI path to `Ena
```
Computer Configuration\Policies\Administrative Templates\Windows Components\Re
```
full
This policy setting allows you to specify whether Remote Desktop Services requires secure Remote Procedure Call (RPC)
Users have the opt
Users cannot automatically log on to
Navigate to the UI Path articulated in the Remediation section and
The recommended state for this setting is: `Enabled`.
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```
To establish the recommended configuration via GP, set the following UI path to `Ena
full
You can use this policy setting to strengthen the security of RPC communication with clients by allowing only authenticated req
Allowing unsecure
**Note:** This Group Policy path is provided by the Group Policy template `TerminalS
```
Computer Configuration\Policies\Administrative Templates\Windows Components\Re
```
Navigate to the UI Path articulated in the Remediation section and
Remote Desktop Services accepts
This policy setting specifies whether to require the use of a specific encryption level to secure communications between clie
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```
full
The recommended state for this setting is: `Enabled`.
If Remote Desktop
**Note #2:** In the Microsoft Windows Vista Administrative Templates, this setting wa
None - this is the default behavior.
```
Computer Configuration\Policies\Administrative Templates\Windows Components\Re
```
The recommended state for this setting is: `Enabled: High Level`.
This section contains recommendations related to Remote Desktop Session Host Session Time Limits.
**Note:** This Group Policy path is provided by the Group Policy template `TerminalS
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```
accepted
To establish the recommended configuration via GP, set the following UI path to `Disa
This section contains recommendations related to Remote Desktop Session Host Session Temporary folders.
This Group Policy section is provided by the Group Policy template `TerminalServer.admx/adml` that is included with all ve
**Note:** This Group Policy path is provided by the Group Policy template `TerminalS
accepted
Navigate to the UI Path articulated in the Remediation section and
This policy setting specifies whether Remote Desktop Services retains a user's per-session temporary folders at logoff.
This Group Policy section is provided by the Group Policy template `TerminalServer.admx/adml` that is included with all ve
To establish the recommended configuration via GP, set the following UI path to `Disa
```
Computer Configuration\Policies\Administrative Templates\Windows Components\Re
```
full
By default, Remote Desktop Services creates a separate temporary folder on the RD Session Host server for each active s
Sensitive informat
Navigate to the UI Path articulated in the Remediation section and
None - this is the default behavior.
The recommended state for this setting is: `Disabled`.
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```
full
To reclaim disk space, the temporary folder is deleted when the user logs off from a session.
Disabling this set
**Note:** This Group Policy path is provided by the Group Policy template `TerminalS
To establish the recommended configuration via GP, set the following UI path to `Ena
```
Computer Configuration\Policies\Administrative Templates\Windows Components\Re
```
None - this is the default behavior.
This section contains recommendations related to RSS feeds.
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```
accepted
The recommended state for this setting is: `Disabled`.
**Note #2:** In older Microsoft Windows Administrative Templates, this setting was na
Navigate to the UI Path articulated in the Remediation section and
This policy setting prevents the user from having enclosures (file attachments) downloaded from an RSS feed to the user's o
This Group Policy section is provided by the Group Policy template `InetRes.admx/adml` that is included with all versions
**Note:** This Group Policy path is provided by the Group Policy template `TerminalS
```
Computer Configuration\Policies\Administrative Templates\Windows Components\RS
```
full
Allowing attachmen
Users cannot set the Feed Sync Engi
The recommended state for this setting is: `Enabled`.
This section contains recommendations for Search settings.
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet
```
To establish the recommended configuration via GP, set the following UI path to `Disa
accepted
**Note:** This Group Policy path is provided by the Group Policy template `InetRes.ad
Navigate to the UI Path articulated in the Remediation section and
This policy setting controls whether encrypted items are allowed to be indexed. When this setting is changed, the index is r
This Group Policy section is provided by the Group Policy template `Search.admx/adml` that is included with all versions
full
Indexing and allowi
**Note #2:** In older Microsoft Windows Administrative Templates, this setting was na
```
Computer Configuration\Policies\Administrative Templates\Windows Components\Se
```
None - this is the default behavior.
The recommended state for this setting is: `Disabled`.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `SearchOCR.admx/adml` that is only included with the
**Note:** This Group Policy path is provided by the Group Policy template `Search.ad
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `SecurityCenter.admx/adml` that is included with all ver
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Snis.admx/adml` that is only included with the Microso
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `WinInit.admx/adml` that is included with all versions of
accepted
This section contains recommendations related to the Software Protection Platform.
This Group Policy section is provided by the Group Policy template `SmartCard.admx/adml` that is included with all version
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `AVSValidationGP.admx/adml` that is included with the
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `SoundRec.admx/adml` that is included with all version
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Speech.admx/adml` that is included with the Microsoft
accepted
This Group Policy section is provided by the Group Policy template `WinStoreUI.admx/adml` that is included with the Micro
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `SettingSync.admx/adml` that is included with the Micro
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Windows.admx/adml` that is included with all versions
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `TaskScheduler.admx/adml` that is included with all ver
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `TextInput.admx/adml` that is only included with the Mic
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `WinCal.admx/adml` that is included with all versions o
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `WindowsColorSystem.admx/adml` that is included with
accepted
This Group Policy section is provided by the Group Policy template `CEIPEnable.admx/adml` that is included with all versio
accepted
This section contains recommendations related to Windows Defender Antivirus.
This Group Policy section is provided by the Group Policy template `WindowsDefender.admx/adml` that is included with all
**Note:** This section was originally named _Windows Defender_ but was renamed by Microsoft to _Windows Defender An
accepted
This policy setting turns off Windows Defender Antivirus. If the setting is configured to Disabled, Windows Defender Antiviru
It is important to ensure a current, updated antivirus product is scanning each computer for malicious file
To establish the recommended configuration via GP, set the following UI path to `Disa
```
Computer Configuration\Policies\Administrative Templates\Windows Components\Win
```
Navigate to the UI Path articulated in the Remediation section and
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```
None - this is the default behavior.
The recommended state for this setting is: `Disabled`.
Organizations that choose to purchase a reputable 3rd-party antivirus solution may choose to exempt th
**Note:** This Group Policy path is provided by the Group Policy template `WindowsD
**Note #2:** In older Microsoft Windows Administrative Templates, this setting was ini
full
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `WindowsDefender.admx/adml` that is included with the
accepted
This section contains recommendations related to Microsoft Active Protection Service (MAPS).
This Group Policy section is provided by the Group Policy template `WindowsDefender.admx/adml` that is included with the
accepted
This policy setting configures a local override for the configuration to join Microsoft Active Protection Service (MAPS), whic
The decision on wh
To establish the recommended configuration via GP, set the following UI path to `Disa
```
Computer Configuration\Policies\Administrative Templates\Windows Components\Win
```
Navigate to the UI Path articulated in the Remediation section and
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```
None - this is the default behavior.
The recommended state for this setting is: `Disabled`.
**Note:** This Group Policy path may not exist by default. It is provided by the Group
full
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `WindowsDefender.admx/adml` that is included with the
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `WindowsDefender.admx/adml` that is included with the
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `WindowsDefender.admx/adml` that is included with the
accepted
This section contains settings related to Real-time Protection.
This Group Policy section is provided by the Group Policy template `WindowsDefender.admx/adml` that is included with the
accepted
This policy setting allows you to configure behavior monitoring for Windows Defender Antivirus.
When running an an
To establish the recommended configuration via GP, set the following UI path to `Ena
```
Computer Configuration\Policies\Administrative Templates\Windows Components\Win
```
Navigate to the UI Path articulated in the Remediation section and
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```
None - this is the default configuratio
The recommended state for this setting is: `Enabled`.
**Note:** This Group Policy path may not exist by default. It is provided by the Group
full
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `WindowsDefender.admx/adml` that is included with the
accepted
This section contains settings related to Windows Defender Reporting.
This Group Policy section is provided by the Group Policy template `WindowsDefender.admx/adml` that is included with the
accepted
This section contains settings related to Windows Defender scanning.
This Group Policy section is provided by the Group Policy template `WindowsDefender.admx/adml` that is included with the
accepted
This policy setting allows you to manage whether or not to scan for malicious software and unwanted software in the conte
It is important to
To establish the recommended configuration via GP, set the following UI path to `Ena
```
Computer Configuration\Policies\Administrative Templates\Windows Components\Win
```
Navigate to the UI Path articulated in the Remediation section and
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```
Removable drives will be scanned du
The recommended state for this setting is: `Enabled`.
**Note:** This Group Policy path may not exist by default. It is provided by the Group
full
This policy setting allows you to configure e-mail scanning. When e-mail scanning is enabled, the engine will parse the mai
Incoming e-mails s
To establish the recommended configuration via GP, set the following UI path to `Ena
```
Computer Configuration\Policies\Administrative Templates\Windows Components\Win
```
Navigate to the UI Path articulated in the Remediation section and
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```
E-mail scanning by Windows Defender
The recommended state for this setting is: `Enabled`.
**Note:** This Group Policy path may not exist by default. It is provided by the Group
full
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `WindowsDefender.admx/adml` that is included with the
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `WindowsDefender.admx/adml` that is included with the
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `WindowsDefender.admx/adml` that is included with the
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `WindowsDefender.admx/adml` that is included with the
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `AppHVSI.admx/adml` that is included with the Microso
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `ExploitGuard.admx/adml` that is included with the Micr
accepted
This section contains Windows Defender SmartScreen settings.
This Group Policy section is provided by the Group Policy template `WindowsDefenderSecurityCenter.admx/adml` that is in
accepted
This section contains recommendations for Explorer-related Windows Defender SmartScreen settings.
This Group Policy section is provided by the Group Policy template `SmartScreen.admx/adml` that is included with the Mic
The Group Policy settings contained within this section are provided by the Group Policy template `WindowsExplorer.admx
accepted
This policy setting allows you to manage the behavior of Windows SmartScreen. Windows SmartScreen helps keep PCs s
Windows SmartScre
To establish the recommended configuration via GP, set the following UI path to `Ena
```
Computer Configuration\Policies\Administrative Templates\Windows Components\Win
```
Navigate to the UI Path articulated in the Remediation section and
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```
Users will be warned before they ar
The recommended state for this setting is: `Enabled: Warn and prevent bypass`.
**Note:** This Group Policy path may not exist by default. It is provided by the Group
**Note #2:** In older Microsoft Windows Administrative Templates, this setting was ini
full
This section contains recommendations related to Windows Error Reporting.
This Group Policy section is provided by the Group Policy template `ErrorReporting.admx/adml` that is included with all ver
accepted
This policy setting controls whether memory dumps in support of OS-generated error reports can be sent to Microsoft autom
Memory dumps may
To establish the recommended configuration via GP, set the following UI path to `Disa
```
Computer Configuration\Policies\Administrative Templates\Windows Components\Win
```
Navigate to the UI Path articulated in the Remediation section and
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```
All memory dumps are uploaded accord
The recommended state for this setting is: `Disabled`.
**Note:** This Group Policy path may not exist by default. It is provided by the Group
full
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
accepted
This section contains recommendations related to Windows Error Reporting consent.
This Group Policy section is provided by the Group Policy template `ErrorReporting.admx/adml` that is included with all ver
accepted
This setting allows you to set the default consent handling for error reports.
Error reports may
To establish the recommended configuration via GP, set the following UI path to `Ena
```
Computer Configuration\Policies\Administrative Templates\Windows Components\Win
```
Navigate to the UI Path articulated in the Remediation section and
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```
None - this is the default behavior.
The recommended state for this setting is: `Enabled: Always ask before sending data`
**Note:** This Group Policy path is provided by the Group Policy template `ErrorRepo
full
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `ErrorReporting.admx/adml` that is included with all ver
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `GameDVR.admx/adml` that is included with the Micros
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Passport.admx/adml` that is included with the Microso
**Note:** This section was initially named _Microsoft Passport for Work_ but was renamed by Microsoft to _Windows Hello
accepted
This Group Policy section is provided by the Group Policy template `WindowsInkWorkspace.admx/adml` that is included w
This section contains recommendations related to Windows Installer.
This Group Policy section is provided by the Group Policy template `MSI.admx/adml` that is included with all versions of the
accepted
This setting controls whether users are permitted to change installation options that typically are available only to system as
In an enterprise m
To establish the recommended configuration via GP, set the following UI path to `Disa
```
Computer Configuration\Policies\Administrative Templates\Windows Components\Win
```
Navigate to the UI Path articulated in the Remediation section and
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```
None - this is the default behavior.
The recommended state for this setting is: `Disabled`.
**Note:** This Group Policy path is provided by the Group Policy template `MSI.admx
full
This setting controls whether or not Windows Installer should use system permissions when it installs any program on the
**Note:** This setting appears both in the Computer Configuration and User Configuration folders. To make this setting effe
**Caution:** If enabled, skilled users can take advantage of the permissions this setting grants to change their privileges an
Users with limited
To establish the recommended configuration via GP, set the following UI path to `Disa
```
Computer Configuration\Policies\Administrative Templates\Windows Components\Win
```
Navigate to the UI Path articulated in the Remediation section and
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```
None - this is the default behavior.
The recommended state for this setting is: `Disabled`.
**Note:** This Group Policy path is provided by the Group Policy template `MSI.admx
**Note #2:** In older Microsoft Windows Administrative Templates, this setting was na
full
This section contains recommendations related to Windows Logon Options.
This Group Policy section is provided by the Group Policy template `WinLogon.admx/adml` that is included with all versions
accepted
This policy setting controls whether a device will automatically sign-in the last interactive user after Windows Update restar
Disabling this fea
To establish the recommended configuration via GP, set the following UI path to `Disa
```
Computer Configuration\Policies\Administrative Templates\Windows Components\Win
```
Navigate to the UI Path articulated in the Remediation section and
This group policy setting is backed by the following registry location
```
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curren
```
The device does no
The recommended state for this setting is: `Disabled`.
full
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
accepted
**Note:** This Group Policy path may not exist by default. It is provided by the Group
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `WindowsMail.admx/adml` that is only included with the
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `MediaCenter.admx/adml` that is only included with the
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `WindowsMediaDRM.admx/adml` that is included with
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `WindowsMediaPlayer.admx/adml` that is included with
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `WindowsCollaboration.admx/adml` that is only include
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `WindowsMessenger.admx/adml` that is included with a
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `MobilePCMobilityCenter.admx/adml` that is included w
accepted
This Group Policy section is provided by the Group Policy template `MovieMaker.admx/adml` that is only included with the
This section contains recommendations related to Windows PowerShell.
This Group Policy section is provided by the Group Policy template `PowerShellExecutionPolicy.admx/adml` that is include
accepted
This policy setting enables logging of all PowerShell script input to the Microsoft-Windows-PowerShell/Operational event lo
There are potentia
To establish the recommended configuration via GP, set the following UI path to `Disa
```
Computer Configuration\Policies\Administrative Templates\Windows Components\Win
```
Navigate to the UI Path articulated in the Remediation section and
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```
Logging of PowerShell script input is
The recommended state for this setting is: `Disabled`.
**Note:** In Microsoft's own hardening guidance, they recommend the opposite value, `Enabled`, because having this data
full
This Policy setting lets you capture the input and output of Windows PowerShell commands into text-based transcripts.
If this setting is
To establish the recommended configuration via GP, set the following UI path to `Disa
```
Computer Configuration\Policies\Administrative Templates\Windows Components\Win
```
Navigate to the UI Path articulated in the Remediation section and
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```
None - this is the default behavior.
The recommended state for this setting is: `Disabled`.
**Note:** This Group Policy path may not exist by default. It is provided by the Group
full
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
accepted
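The two PowerShell rows above cover logging of script input to the Microsoft-Windows-PowerShell/Operational event log and transcription, and the benchmark's own note records that Microsoft recommends the opposite of the `Disabled` state for the first one. The script below is an added example by the editor, not part of the CIS export: it reads the script block events that setting produces, reassembles blocks that were logged in several parts, and flags those containing common download or obfuscation primitives, so a team can see what it would be giving up before choosing a state. The log name, event ID 4104 and the event property layout (index 0 = message number, 2 = script block text, 3 = script block id, 4 = path) are assumptions from the editor's knowledge of the PowerShell ETW provider rather than anything stated on this page, and the indicator list is a constructed sample.

```powershell
# Added example (editor's code, not from the CIS benchmark): read the script block events
# written by 'Turn on PowerShell Script Block Logging', reassemble multi-part blocks and
# flag ones that contain common download/obfuscation primitives.
# Assumptions (from knowledge of the PowerShell ETW provider, not from this page):
#   log name  Microsoft-Windows-PowerShell/Operational, event ID 4104
#   Properties[0] = MessageNumber, [1] = MessageTotal, [2] = ScriptBlockText,
#   Properties[3] = ScriptBlockId, [4] = Path
function Get-LoggedScriptBlock {
    param(
        [int]$MaxEvents = 500,
        # Constructed sample indicator list; tune it to your environment.
        [string[]]$Indicator = @('FromBase64String', 'DownloadString', 'Invoke-Expression',
                                 'IEX', 'Reflection.Assembly', 'VirtualAlloc', '-enc')
    )
    $filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 }
    # SilentlyContinue: an empty log (logging off, or nothing run yet) is not an error here.
    $events = Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    if (-not $events) { return @() }

    $events |
        ForEach-Object {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Number  = [int]$_.Properties[0].Value
                Text    = [string]$_.Properties[2].Value
                BlockId = [string]$_.Properties[3].Value
                Path    = [string]$_.Properties[4].Value
            }
        } |
        Group-Object BlockId |
        ForEach-Object {
            # Long scripts are split across several 4104 events sharing one ScriptBlockId;
            # MessageNumber gives the order in which to concatenate them.
            $parts = @($_.Group | Sort-Object Number)
            $text  = -join $parts.Text
            $hits  = @($Indicator | Where-Object { $text -match [regex]::Escape($_) })
            [pscustomobject]@{
                FirstSeen     = $parts[0].Time
                ScriptBlockId = $_.Name
                Path          = $parts[0].Path
                Length        = $text.Length
                Indicators    = ($hits -join ', ')
                Preview       = $text.Substring(0, [Math]::Min(100, $text.Length)) -replace '\s+', ' '
            }
        }
}

# Flagged blocks first, newest at the top.
Get-LoggedScriptBlock |
    Where-Object { $_.Indicators } |
    Sort-Object FirstSeen -Descending |
    Format-Table FirstSeen, Indicators, Path, Preview -AutoSize -Wrap
```

If the setting is in the benchmark's `Disabled` state the query simply returns nothing, which is itself the point to weigh: an empty Path column for a flagged block means the code was typed or piped in interactively rather than run from a script file, and that is exactly the case the note about Microsoft's guidance is describing.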
**Note:** This Group Policy path may not exist by default. It is provided by the Group
This section contains recommendations related to Windows Remote Management (WinRM).
This Group Policy section is provided by the Group Policy template `RacWmiProv.admx/adml` that is included with the Mic
accepted
This section contains recommendations related to the Windows Remote Management (WinRM) client.
This Group Policy section is provided by the Group Policy template `WindowsRemoteManagement.admx/adml` that is inclu
accepted
This policy setting allows you to manage whether Windows Remote Management (WinRM) client uses Basic authentica
Basic authenticati
To establish the recommended configuration via GP, set the following UI path to `Disa
```
Computer Configuration\Policies\Administrative Templates\Windows Components\Win
```
Navigate to the UI Path articulated in the Remediation section and
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```
None - this is the default behavior.
The recommended state for this setting is: `Disabled`.
full
This policy setting allows you to manage whether the Windows Remote Management (WinRM) client sends and receives u
Encrypting WinRM n
To establish the recommended configuration via GP, set the following UI path to `Disa
```
Computer Configuration\Policies\Administrative Templates\Windows Components\Win
```
Navigate to the UI Path articulated in the Remediation section and
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```
None - this is the default behavior.
The recommended state for this setting is: `Disabled`.
**Note:** This Group Policy path is provided by the Group Policy template `WindowsR
full
This policy setting allows you to manage whether the Windows Remote Management (WinRM) client will not use Digest au
Digest authenticat
To establish the recommended configuration via GP, set the following UI path to `Ena
```
Computer Configuration\Policies\Administrative Templates\Windows Components\Win
```
Navigate to the UI Path articulated in the Remediation section and
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```
The WinRM client will not use Digest
The recommended state for this setting is: `Enabled`.
**Note:** This Group Policy path is provided by the Group Policy template `WindowsR
full
This section contains recommendations related to the Windows Remote Management (WinRM) service.
This Group Policy section is provided by the Group Policy template `WindowsRemoteManagement.admx/adml` that is inclu
accepted
This policy setting allows you to manage whether the Windows Remote Management (WinRM) service accepts Basic authe
Basic authenticati
To establish the recommended configuration via GP, set the following UI path to `Disa
```
Computer Configuration\Policies\Administrative Templates\Windows Components\Win
```
Navigate to the UI Path articulated in the Remediation section and
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```
None - this is the default behavior.
The recommended state for this setting is: `Disabled`.
**Note:** This Group Policy path is provided by the Group Policy template `WindowsR
full
This policy setting allows you to manage whether the Windows Remote Management (WinRM) service sends and receives
Encrypting WinRM n
To establish the recommended configuration via GP, set the following UI path to `Disa
```
Computer Configuration\Policies\Administrative Templates\Windows Components\Win
```
Navigate to the UI Path articulated in the Remediation section and
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```
None - this is the default behavior.
The recommended state for this setting is: `Disabled`.
**Note:** This Group Policy path is provided by the Group Policy template `WindowsR
full
This policy setting allows you to manage whether the Windows Remote Management (WinRM) service will allow RunAs cre
**Note:** If you enable and then disable this policy setting, any values that were previously configured for RunAsPassword
Although the abili
To establish the recommended configuration via GP, set the following UI path to `Ena
```
Computer Configuration\Policies\Administrative Templates\Windows Components\Win
```
Navigate to the UI Path articulated in the Remediation section and
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```
The WinRM service will not allow the RunAsUse
If this setting is later Disabled again, any values
The recommended state for this setting is: `Enabled`.
**Note:** This Group Policy path is provided by the Group Policy template `WindowsR
full
This section contains settings related to Windows Remote Shell (WinRS).
This Group Policy section is provided by the Group Policy template `WindowsRemoteManagement.admx/adml` that is inclu
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `WindowsRemoteShell.admx/adml` that is included with
**Note:** This Group Policy path may not exist by default. It is provided by the Group
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `SideShow.admx/adml` that is only included with the M
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `SystemResourceManager.admx/adml` that is only incl
accepted
This section contains recommendations related to Windows Update.
This Group Policy section is provided by the Group Policy template `WindowsUpdate.admx/adml` that is included with all v
accepted
This policy setting specifies whether computers in your environment will receive security updates from Windows Update or
After you configure this policy setting to Enabled, select one of the following three options in the Configure Automatic Upda
- 2 - Notify for download and auto install _(Notify before downloading any updates)_
- 3 - Auto download and notify for install _(Download the updates automatically and notify when they are ready to be install
- 4 - Auto download and schedule the install _(Automatically download updates and install them on the schedule specified
- 5 - Allow local admin to choose setting _(Leave decision on above choices up to the local Administrators (Not Recommen
**Note:** The sub-setting "_Configure automatic updating:_" has 4 possible values – all of them are valid depending on spe
Although each vers
To establish the recommended configuration via GP, set the following UI path to `Ena
```
Computer Configuration\Policies\Administrative Templates\Windows Components\Win
```
Navigate to the UI Path articulated in the Remediation section and
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```
Critical operating system updates and
The recommended state for this setting is: `Enabled`.
**Note:** This Group Policy path is provided by the Group Policy template `WindowsU
**Note #2:** Organizations that utilize a 3rd-party solution for patching may choose to exempt themselves from this setting,
full
This policy setting specifies when computers in your environment will receive security updates from Windows Update or W
**Note:** This setting applies only when you configure Automatic Updates to perform scheduled update installations. If you
Although each vers
To establish the recommended configuration via GP, set the following UI path to `0 - E
```
Computer Configuration\Policies\Administrative Templates\Windows Components\Win
```
Navigate to the UI Path articulated in the Remediation section and
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```
If `4 - Auto download and schedule th
The recommended state for this setting is: `0 - Every day`.
**Note:** This Group Policy path is provided by the Group Policy template `WindowsU
full
This policy setting specifies that Automatic Updates will wait for computers to be restarted by the users who are logged on
**Note:** This setting is only applicable if `4 - Auto download and schedule the install` is selected in Rule 18.9.101.2. It will
Some security upda
To establish the recommended configuration via GP, set the following UI path to `Disa
```
Computer Configuration\Policies\Administrative Templates\Windows Components\Win
```
Navigate to the UI Path articulated in the Remediation section and
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```
None - this is the default behavior.
The recommended state for this setting is: `Disabled`.
**Note:** This Group Policy path is provided by the Group Policy template `WindowsU
**Note #2:** In older Microsoft Windows Administrative Templates, this setting was in
full
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `WindowsUpdate.admx/adml` that is included with the M
**Note:** This section was initially named _Defer Updates_ but was renamed by Microsoft to _Windows Update
accepted
This section contains user-based recommendations from Group Policy Administrative Templates (ADMX).
accepted
This section contains recommendations for Control Panel settings.
accepted
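Every machine-scoped row in the sections above (Windows Defender Antivirus, MAPS, real-time protection and scanning, SmartScreen, Windows Installer, logon options, the WinRM client and service, and Windows Update) ends in an audit path cut off at `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window`. The script below is an added example by the editor, not part of the CIS export: one reusable check function plus a table of the registry values behind those rows, so the whole run can be audited in one pass instead of rule by rule in the Group Policy editor. The full key paths, value names and expected data in the table are assumptions taken from the editor's knowledge of the corresponding ADMX templates, not from the truncated text on this page, so verify them against the benchmark's full text before treating the output as evidence. It reports a third state, `NotConfigured`, because several rows above say `None - this is the default behavior`, where an absent policy value may still comply.

```powershell
# Added example (editor's code, not from the CIS benchmark): audit the registry values that
# back a selection of the Group Policy settings in this section. Paths, value names and
# expected data are assumptions from the ADMX templates, not copied from this page.
$Checks = @(
    @{ Rule = 'Turn off Windows Defender Antivirus';                Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender';                      Name = 'DisableAntiSpyware';                  Expected = 0 },
    @{ Rule = 'Local setting override for reporting to MAPS';      Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet';               Name = 'LocalSettingOverrideSpynetReporting'; Expected = 0 },
    @{ Rule = 'Turn on behavior monitoring';                       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'; Name = 'DisableBehaviorMonitoring';           Expected = 0 },
    @{ Rule = 'Scan removable drives';                             Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Scan';                 Name = 'DisableRemovableDriveScanning';       Expected = 0 },
    @{ Rule = 'Turn on e-mail scanning';                           Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Scan';                 Name = 'DisableEmailScanning';                Expected = 0 },
    @{ Rule = 'Configure Windows Defender SmartScreen';            Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System';                        Name = 'EnableSmartScreen';                   Expected = 1 },
    @{ Rule = 'Configure Windows Defender SmartScreen (level)';    Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System';                        Name = 'ShellSmartScreenLevel';               Expected = 'Block' },
    @{ Rule = 'Allow user control over installs';                  Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer';                     Name = 'EnableUserControl';                   Expected = 0 },
    @{ Rule = 'Always install with elevated privileges';           Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer';                     Name = 'AlwaysInstallElevated';               Expected = 0 },
    @{ Rule = 'Sign-in last interactive user automatically';       Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';         Name = 'DisableAutomaticRestartSignOn';       Expected = 1 },
    @{ Rule = 'WinRM client: Allow Basic authentication';          Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client';                  Name = 'AllowBasic';                          Expected = 0 },
    @{ Rule = 'WinRM client: Allow unencrypted traffic';           Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client';                  Name = 'AllowUnencryptedTraffic';             Expected = 0 },
    @{ Rule = 'WinRM client: Disallow Digest authentication';      Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client';                  Name = 'AllowDigest';                         Expected = 0 },
    @{ Rule = 'WinRM service: Allow Basic authentication';         Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service';                 Name = 'AllowBasic';                          Expected = 0 },
    @{ Rule = 'WinRM service: Allow unencrypted traffic';          Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service';                 Name = 'AllowUnencryptedTraffic';             Expected = 0 },
    @{ Rule = 'WinRM service: Disallow storing RunAs credentials'; Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service';                 Name = 'DisableRunAs';                        Expected = 1 },
    @{ Rule = 'Configure Automatic Updates';                       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU';              Name = 'NoAutoUpdate';                        Expected = 0 },
    @{ Rule = 'Scheduled install day (0 - Every day)';             Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU';              Name = 'ScheduledInstallDay';                 Expected = 0 },
    @{ Rule = 'No auto-restart with logged on users';              Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU';              Name = 'NoAutoRebootWithLoggedOnUsers';       Expected = 0 }
)

function Test-PolicyValue {
    param([string]$Rule, [string]$Path, [string]$Name, $Expected)
    # -ErrorAction Stop makes a missing key or value throw, so absence is reported as
    # NotConfigured instead of a silent $null that would look like an ordinary failure.
    try {
        $actual = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name
        $status = if ("$actual" -eq "$Expected") { 'Pass' } else { 'Fail' }
    } catch {
        $actual = $null
        $status = 'NotConfigured'
    }
    [pscustomobject]@{ Status = $status; Rule = $Rule; Name = $Name; Expected = $Expected; Actual = $actual; Path = $Path }
}

# Splatting each hashtable maps its keys onto the function's parameters by name.
$results = foreach ($check in $Checks) { Test-PolicyValue @check }

$results | Sort-Object Status, Rule | Format-Table Status, Rule, Name, Expected, Actual -AutoSize

# Exit non-zero only for values that are explicitly wrong; NotConfigured rows need a human
# to decide whether the default behaviour recorded for that rule already complies.
$failed = @($results | Where-Object Status -eq 'Fail')
if ($failed.Count -gt 0) { exit 1 }
```

HKLM policy keys are readable from a standard prompt, so no elevation is needed. What the script reads is the policy-backed value, not the effective state: a `NotConfigured` row for a setting whose default already matches the benchmark is compliant, while the same result for a row that must be set explicitly (the WinRM and SmartScreen values, for instance) is a finding. The per-user rows later in the section (screen saver, lock screen notifications) live under `HKEY_USERS\[USER SID]` and are outside its scope.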
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Windows.admx/adml` that is included with all versions
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `AddRemovePrograms.admx/adml` that is included with
accepted
This section contains recommendations for personalization settings.
This Group Policy section is provided by the Group Policy template `ControlPanelDisplay.admx/adml` that is included with
This Group Policy section is provided by the Group Policy template `ControlPanelDisplay.admx/adml` that is included with
**Note:** This section was initially named _Desktop Themes_ but was renamed by Microsoft to _Personalization_ starting w
accepted
This policy setting enables/disables the use of desktop screen savers.
If a user forgets t
To establish the recommended configuration via GP, set the following UI path to `Ena
```
User Configuration\Policies\Administrative Templates\Control Panel\Personalization\E
```
Navigate to the UI Path articulated in the Remediation section and
```
HKEY_USERS\[USER SID]\SOFTWARE\Policies\Microsoft\Window
```
A screen saver runs, provided that th
The recommended state for this setting is: `Enabled`.
**Note:** This Group Policy path is provided by the Group Policy template `ControlPa
full
This policy setting specifies the screen saver for the user's desktop.
**Note:** If the specified screen saver is not installed on a computer to which this setting applies, the setting is ignored.
If a user forgets t
To establish the recommended configuration via GP, set the following UI path to `Ena
```
User Configuration\Policies\Administrative Templates\Control Panel\Personalization\F
```
Navigate to the UI Path articulated in the Remediation section and
```
HKEY_USERS\[USER SID]\SOFTWARE\Policies\Microsoft\Window
```
The system displays the specified sc
The recommended state for this setting is: `Enabled: scrnsave.scr`.
**Note:** This Group Policy path may not exist by default. It is provided by the Group
full
This setting determines whether screen savers used on the computer are password protected.
**Note:** This setting has no effect under the following circumstances:
- The wait time is set to zero.
- The "Enable Screen Saver" setting is disabled.
- A valid existing screen saver is not selected manually or via the "Screen saver executable name" setting
If a user forgets t
To establish the recommended configuration via GP, set the following UI path to `Ena
```
User Configuration\Policies\Administrative Templates\Control Panel\Personalization\P
```
Navigate to the UI Path articulated in the Remediation section and
```
HKEY_USERS\[USER SID]\SOFTWARE\Policies\Microsoft\Window
```
All screen savers are password prote
The recommended state for this setting is: `Enabled`.
**Note:** This Group Policy path may not exist by default. It is provided by the Group
full
This setting specifies how much user idle time must elapse before the screen saver is launched.
If a user forgets t
To establish the recommended configuration via GP, set the following UI path to `Ena
```
User Configuration\Policies\Administrative Templates\Control Panel\Personalization\S
```
Navigate to the UI Path articulated in the Remediation section and
```
HKEY_USERS\[USER SID]\SOFTWARE\Policies\Microsoft\Window
```
The screen saver will automatically a
The recommended state for this setting is: `Enabled: 900 seconds or fewer, but not 0`.
**Note:** This Group Policy path may not exist by default. It is provided by the Group
full
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Windows.admx/adml` that is included with all versions
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Windows.admx/adml` that is included with all versions
accepted
This section contains recommendations for Start Menu and Taskbar settings.
This Group Policy section is provided by the Group Policy template `SharedFolders.admx/adml` that is included with all ver
accepted
This section contains recommendations for Notification settings.
This Group Policy section is provided by the Group Policy template `Windows.admx/adml` that is included with all versions
accepted
This policy setting turns off toast notifications on the lock screen.
This Group Policy section is provided by the Group Policy template `WPN.admx/adml` that is included with the Microsoft W
While this feature
To establish the recommended configuration via GP, set the following UI path to `Ena
```
User Configuration\Policies\Administrative Templates\Start Menu and Taskbar\Notific
```
Navigate to the UI Path articulated in the Remediation section and
```
HKEY_USERS\[USER SID]\SOFTWARE\Policies\Microsoft\Window
```
Applications will not be able to raise
The recommended state for this setting is: `Enabled`.
full
This section contains recommendations for System settings.
accepted
**Note:** This Group Policy path may not exist by default. It is provided by the Group
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Windows.admx/adml` that is included with all versions
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `CtrlAltDel.admx/adml` that is included with all versions
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `DeviceInstallation.admx/adml` that is included with all
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `FolderRedirection.admx/adml` that is included with all
accepted
This section contains recommendations related to Internet Communication Management.
This Group Policy section is provided by the Group Policy template `GroupPolicy.admx/adml` that is included with all versio
accepted
This section contains recommendations related to Internet Communication settings.
This Group Policy section is provided by the Group Policy template `Windows.admx/adml` that is included with all versions
accepted
This section contains recommendations for Windows Component settings.
This Group Policy section is provided by the Group Policy template `Windows.admx/adml` that is included with all versions
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Windows.admx/adml` that is included with all versions
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `WindowsAnytimeUpgrade.admx/adml` that is included
**Note:** This section was initially named _Windows Anytime Upgrade_ but was renamed by Microsoft to _Add features to
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `AppXRuntime.admx/adml` that is included with the Mic
accepted
This section contains recommendations related to the Attachment Manager.
This Group Policy section is provided by the Group Policy template `AppCompat.admx/adml` that is included with all versio
To establish the recommended configuration via GP, set the following UI path to `Disa
accepted
This policy setting allows you to manage whether Windows marks file attachments with information about their zone of orig
A file that is dow
The recommended state for this setting is: `Disabled`.
Navigate to the UI Path articulated in the Remediation section and
```
User Configuration\Policies\Administrative Templates\Windows Components\Attachm
```
```
HKEY_USERS\[USER SID]\SOFTWARE\Microsoft\Windows\Curre
```
**Note:** The Attachment Manager feature warns users when opening or executing files which are marked as being from a
**Note:** This Group Policy path is provided by the Group Policy template `Attachmen
full
None - this is the default behavior.
This Group Policy section is provided by the Group Policy template `AttachmentManager.admx/adml` that is included with a
To establish the recommended configuration via GP, set the following UI path to `Ena
This policy setting manages the behavior for notifying registered antivirus programs. If multiple programs are registered, the
Antivirus programs
The recommended state for this setting is: `Enabled`.
Navigate to the UI Path articulated in the Remediation section and
```
User Configuration\Policies\Administrative Templates\Windows Components\Attachm
```
```
HKEY_USERS\[USER SID]\SOFTWARE\Microsoft\Windows\Curre
```
**Note:** An updated antivirus program must be installed for this policy setting to function properly.
full
Windows tells the registered antiviru
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
**Note:** This Group Policy path is provided by the Group Policy template `Attachmen
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `AutoPlay.admx/adml` that is included with all versions
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `UserDataBackup.admx/adml` that is included only with

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `CloudContent.admx/adml` that is included with the Mic
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `CredUI.admx/adml` that is included with the Microsoft
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `DataCollection.admx/adml` that is included with the Mi
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Sidebar.admx/adml` that is included with the Microsoft
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `DWM.admx/adml` that is included with all versions of t
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `DigitalLocker.admx/adml` that is included with all versi
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `EdgeUI.admx/adml` that is included with the Microsoft
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Windows.admx/adml` that is included with all versions
**Note:** This section was initially named _Windows Explorer_ but was renamed by Microsoft to _File Explorer_ starting wi
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `FileRevocation.admx/adml` that is included with the M
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `EAIME.admx/adml` that is included with the Microsoft
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `CaptureWizard.admx/adml` that is only included with t
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `WordWheel.admx/adml` that is included with all versio
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `InetRes.admx/adml` that is included with all versions o
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Sensors.admx/adml` that is included with the Microsof
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `MicrosoftEdge.admx/adml` that is included with the Mi
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `MMC.admx/adml` that is included with all versions of t
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `UserExperienceVirtualization.admx/adml` that is includ
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Conf.admx/adml` that is included with all versions of th
accepted
This section contains recommendations related to Network Sharing.
This Group Policy section is provided by the Group Policy template `NetworkProjection.admx/adml` that is only included wi
To establish the recommended configuration via GP, set the following UI path to `Ena
accepted
This policy setting determines whether users can share files within their profile. By default, users are allowed to share files o
If not properly co
The recommended state for this setting is: `Enabled`.
Navigate to the UI Path articulated in the Remediation section and
```
User Configuration\Policies\Administrative Templates\Windows Components\Network
```
```
HKEY_USERS\[USER SID]\SOFTWARE\Microsoft\Windows\Curre
```
**Note:** This Group Policy path is provided by the Group Policy template `Sharing.ad
full
Users cannot share files within their
This Group Policy section is provided by the Group Policy template `Sharing.admx/adml` that is included with all versions
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `MobilePCPresentationSettings.admx/adml` that is inclu
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `TerminalServer.admx/adml` that is included with all ve
**Note:** This section was initially named _Terminal Services_ but was renamed by Microsoft to _Remote Desktop Service
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `InetRes.admx/adml` that is included with all versions o
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Search.admx/adml` that is included with the Microsoft
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `SoundRec.admx/adml` that is included with all version
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `WinStoreUI.admx/adml` that is included with the Micro
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Windows.admx/adml` that is included with all versions
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `TaskScheduler.admx/adml` that is included with all ver
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `WinCal.admx/adml` that is included with all versions o
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `WindowsColorSystem.admx/adml` that is included with
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `SmartScreen.admx/adml` that is included with the Mic
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `ErrorReporting.admx/adml` that is included with all ver
accepted
This Group Policy section is provided by the Group Policy template `Passport.admx/adml` that is included with the Microso
**Note:** This section was initially named _Microsoft Passport for Work_ but was renamed by Microsoft to _Windows Hello
accepted
This section contains recommendations related to the Windows Installer.
This Group Policy section is provided by the Group Policy template `MSI.admx/adml` that is included with all versions of the
accepted
This setting controls whether or not Windows Installer should use system permissions when it installs any program on the s
Users with limited
The recommended state for this setting is: `Disabled`.
Navigate to the UI Path articulated in the Remediation section and
To establish the recommended configuration via GP, set the following UI path to `Disa
```
User Configuration\Policies\Administrative Templates\Windows Components\Window
```
```
HKEY_USERS\[USER SID]\SOFTWARE\Policies\Microsoft\Window
```
**Note:** This setting appears both in the Computer Configuration and User Configuration folders. To make this setting effe
**Note:** This Group Policy path is provided by the Group Policy template `MSI.admx
**Caution:** If enabled, skilled users can take advantage of the permissions this setting grants to change their privileges an
full
None - this is the default behavior.
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `WinLogon.admx/adml` that is included with all versions
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `WindowsMail.admx/adml` that is only included with the
accepted
This section contains recommendations related to Windows Media Player.
This Group Policy section is provided by the Group Policy template `MediaCenter.admx/adml` that is only included with the
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `WindowsMediaPlayer.admx/adml` that is included with
accepted
This section contains recommendations related to Windows Media Player playback.
This Group Policy section is provided by the Group Policy template `WindowsMediaPlayer.admx/adml` that is included with
accepted
This Group Policy section is provided by the Group Policy template `WindowsMediaPlayer.admx/adml` that is included with
notes | CIS controls | CCE-ID references
major impact of this configurati | TITLE:Ensure Work | CCE-37166-6
Maximum password age setting i | TITLE:Ensure Work | CCE-37167-4
administrator sets a password f | TITLE:Ensure Work | CCE-37073-4
uirements for extremely long passwords can actually decrease the security of an organization, because users might leave the information in an insecure loc
e:** Older versions of Windows such as Windows 98 and Windows NT 4.0 do not support passwords that are longer than 14 characters. Computers that ru | TITLE:Ensure Work | CCE-36534-6
default password complexity configuration is retained, additional help desk calls for locked-out accounts could occur because users might not be accustom
ur organization has more stringent security requirements, you can create a custom version of the `Passfilt.dll` file that allows the use of arbitrarily complex p | TITLE:Ensure Work | CCE-37063-5
the use of ALT key character combinations can greatly enhance the complexity of a password. However, such stringent password requirements can result
ur organization uses either the | TITLE:Ensure Work | CCE-36286-3
ugh it may seem like a good idea
s policy setting is enabled, a locked-out account will not be usable until it is reset by an administrator or until the account lockout duration expires. This setti | TITLE:Configure A | CCE-37034-6
u enforce this setting an attacker could cause a denial of service condition by deliberately generating failed logons for multiple user, therefore you should al | TITLE:Configure A | CCE-36008-1
do not configure this policy se
u configure the Account Lockout Threshold to 0, there is a possibility that an attacker's attempt to discover passwords with a brute force password attack m | TITLE:Configure A | CCE-36883-7

benchmarks is consistent.

e - this is the default behavior. | TITLE:Minimize An | CCE-37056-9
u remove the **Access this compu | TITLE:Limitation | CCE-35818-4
e should be little or no impact b | TITLE:Minimize An | CCE-36876-1
rganizations that have never al | TITLE:Minimize An | CCE-36282-2
nizations that have not restricte | TITLE:Minimize An | CCE-37071-8
u remove these default groups, y | TITLE:Account Mo | CCE-37659-0
oval of the **Allow log on through | TITLE:Account Mo | CCE-37072-6
nges in the membership of the grou | TITLE:Minimize An | CCE-35912-5
e should be no impact, because t | TITLE:Minimize An | CCE-37452-0
e - this is the default behavior. | TITLE:Minimize An | CCE-37700-2
e - this is the default behavior. | TITLE:Minimize An | CCE-35821-8
e - this is the default behavior. | TITLE:Minimize An | CCE-36861-3
e - this is the default behavior. | TITLE:Minimize An | CCE-37453-8
e - this is the default behavior. | TITLE:Minimize An | CCE-36532-0
ost cases there will be no impact
u revoke this user right, no one will be able to debug programs. However, typical circumstances rarely require this capability on production computers. If a p | TITLE:Minimize An | CCE-35823-4
service account that is used for the cluster service needs the **Debug programs** user right; if it does not have it, Windows Clustering will fail. | TITLE:Minimize An | CCE-37075-9
u configure the **Deny access to
s that are used to manage processes will be unable to affect processes that are not owned by the person who runs the tools. For example, the Windows Se | TITLE:Account Mo | CCE-37954-5
u assign the **Deny log on as a batch job** user right to other accounts, you could deny users who are assigned to specific administrative roles the ability to | TITLE:Account Mo | CCE-36923-1
xample, if you assign this user right to the `IWAM_`_(ComputerName)_ account, the MSM Management Point will fail. On a newly installed computer that r
u assign the **Deny log on as a | TITLE:Account Mo | CCE-36877-9
u assign the **Deny log on local | TITLE:Account Mo | CCE-37146-8
u assign the **Deny log on throu | TITLE:Account Mo | CCE-36867-0
e - this is the default behavior. | TITLE:Minimize An | CCE-36860-5
u remove the **Force shutdown fr | TITLE:Minimize An | CCE-37877-8
most computers, this is the defaul | TITLE:Account Mo | CCE-37639-2
ost cases this configuration will | TITLE:Minimize An | CCE-37106-2
e - this is the default behavior. | TITLE:Minimize An | CCE-38326-5
u remove the **Load and unload d | TITLE:Minimize An | CCE-36318-4
e - this is the default behavior. | TITLE:Account Mo | CCE-36495-0
e - this is the default behavior. | TITLE:Minimize An | CCE-35906-7
e - this is the default behavior. | TITLE:Account Mo | CCE-36054-5
e - this is the default behavior. | TITLE:Minimize An | CCE-38113-7
e - this is the default behavior. | TITLE:Minimize An | CCE-36143-6
u remove the **Profile single pr | TITLE:Minimize An | CCE-37131-0
e - this is the default behavior. | TITLE:Minimize An | CCE-36052-9
most computers, this is the defaul | TITLE:Account Mo | CCE-37430-6
u remove the **Restore files and | TITLE:Minimize An | CCE-37613-7
mpact of removing these default | TITLE:Minimize An | CCE-38328-1
e - this is the default behavior. | TITLE:Account Mo | CCE-36099-0
e - this is the default behavior. | TITLE:Minimize An | CCE-38325-7
s will not be able to log onto th | TITLE:Account Mo | CCE-36147-7
e - this is the default behavior. | TITLE:Account Mo | CCE-37615-2
will have to inform users who ar | TITLE:Account Mo | CCE-38233-3
e should be little impact, becaus | TITLE:Account Mo | CCE-38027-9
e - this is the default behavior. | TITLE:Ensure Audit | CCE-37850-5
e - this is the default behavior. | TITLE:Maintenance | CCE-35907-5
benchmarks is consistent.
e - this is the default behavior. | TITLE:Minimize An | CCE-37701-0
e - this is the default behavior. | TITLE:Minimize An | CCE-37942-0
e - this is the default behavior. | TITLE:Minimize An | CCE-37848-9
ss TLS/SSL is being used, the L | TITLE:Secure Conf | CCE-35904-2
e - this is the default behavior. | TITLE:Account Mo | CCE-36921-5


e - this is the default behavior. However, only Windows NT 4.0 with Service Pack 6a (SP6a) and subsequent versions of the Windows operating system sup
ability to create or delete trust relationships with clients running versions of Windows earlier than Windows NT 4.0 with SP6a will be disabled.
ons from clients running versions of Windows earlier than Windows NT 4.0 with SP6a will be disabled. | TITLE:Data Prote | CCE-36142-8
ability to authenticate other domains' users from a Domain Controller running a version of Windows earlier than Windows NT 4.0 with SP6a in a trusted do
e - this is the default behavior. | TITLE:Data Prote | CCE-37130-2
can enable this policy setting after you eliminate all Windows 9x clients from the domain and upgrade all Windows NT 4.0 servers and Domain Controllers f
e - this is the default behavior. | TITLE:Data Prote | CCE-37222-7
e - this is the default behavior. | TITLE:Account Mo | CCE-37508-9
e - this is the default behavior. | TITLE:Account Mo | CCE-37431-4
e - this is the default behavior. | TITLE:Data Prote | CCE-37614-5
name of the last user to successf | TITLE:Data Prote | CCE-36056-0
s must press CTRL+ALT+DEL befor | TITLE:Malware D | CCE-37637-6
screen saver will automatically | TITLE:Ensure Work | CCE-38235-8
s will have to acknowledge a dialog box containing the configured text before they can log on to the computer. | | CCE-37226-8
e:** Windows Vista and Windows XP Professional support logon banners that can exceed 512 characters in length and that can also contain carriage-retu
s will have to acknowledge a dialog box with the con | | CCE-37512-1
s will see a dialog box prompt t | TITLE:Account Mo | CCE-37622-8
u select `Lock Workstation`, the workstation is locked when the smart card is removed, allowing users to leave the area, take their smart card with them, an
u select `Force Logoff`, users are automatically logged off when their smart card is removed. | TITLE:Ensure Work | CCE-38333-1
u select `Disconnect if a Remote Desktop Services session`, removal of the smart card disconnects the session without logging the users off. This allows th
Microsoft network client will not communicate with a Microsoft network server unless that server agrees to perform SMB packet signing.
rcing this setting on computers used by people who must log onto multiple computers in order to perform their duties could be frustrating and lower product
e - this is the default behavior.
Windows 2000 Server, Windows 2000 Professional, Windows Server 2003, Windows XP Professional and Windows Vista implementations of the SMB file | TITLE:Data Prote | CCE-36325-9
ementation of SMB signing may negatively affect performance, because each packet needs to be signed and verified. If these settings are enabled on a ser
Windows 2000 Server, Windows 2000 Professional, Windows Server 2003, Windows XP Professional and Windows Vista implementations of the SMB file | TITLE:Data Prote | CCE-36269-9
n SMB signing policies are enabled on Domain Controllers running Windows Server 2003 and member computers running Windows Vista SP1 or Windows
e - this is the default behavior.
ementation of SMB signing may negatively affect performance, because each packet needs to be signed and verified. If these settings are enabled on a ser | TITLE:Data Prote | CCE-37863-8
n SMB signing policies are enabled on Domain Controllers running Windows Server 2003 and member computers running Windows Vista SP1 or Windows
e very old applications and operating systems such as MS-DOS, Windows for Workgroups 3.11, and Windows 95a may not be able to communicate with th
Microsoft network server will not communicate with a Microsoft network client unless that client agrees to perform SMB packet signing.
e will be little impact because SM | TITLE:Secure Conf | CCE-38046-9
Microsoft network server will negotiate SMB packet signing as requested by the client. That is, if packet signing has been enabled on the client, packet sign
Windows 2000 Server, Windows 2000 Professional, Windows Server 2003, Windows XP Professional and Windows Vista implementations of the SMB file | TITLE:Data Prote | CCE-37864-6
ementation of SMB signing may negatively affect performance, because each packet needs to be signed and verified. If these settings are enabled on a ser
Windows 2000 Server, Windows 2000 Professional, Windows Server 2003, Windows XP Professional and Windows Vista implementations of the SMB file | TITLE:Data Prote | CCE-35988-5
n SMB signing policies are enabled on Domain Controllers running Windows Server 2003 and member computers running Windows Vista SP1 or Windows
ementation of SMB signing may negatively affect performance, because each packet needs to be signed and verified. If these settings are enabled on a ser
e - this is the default behavior. I | TITLE:Account Mo | CCE-37972-7
n SMB signing policies are enabled on Domain Controllers running Windows Server 2003 and member computers running Windows Vista SP1 or Windows

e - this is the default behavior. | TITLE:Data Prote | CCE-36065-1
e - this is the default behavior. | TITLE:Controlled | CCE-36148-5
session access over null sessio
e - this is the default behavior. If you choose to enable this setting and are supporting Windows NT 4.0 domains, you should check if any of the named pipe | TITLE:Implement N | CCE-38258-0
e - this is the default behavior. However, if you remove the default registry paths from the list of accessible ones, remote management tools such as the Mic
MNAP: SNA session access | TITLE:Controlled | CCE-37194-8
e:** If you want to allow remote access, you must also enable the Remote Registry service.
MNODE: SNA session access
e - this is the default behavior. However, if you remove the default registry paths from the list of accessible ones, remote management tools such as the Mic
L\\QUERY: SQL instance access | TITLE:Controlled | CCE-36347-3
e:** If you want to allow remote access, you must also enable the Remote Registry service.
OOLSS: Spooler service
SRPC: License Logging service | TITLE:Controlled | CCE-36021-4
TLOGON: Net Logon service
ARPC: LSA access
e - this is the default behavior. | TITLE:Controlled | CCE-38095-6
MR: Remote access to SAM objects
OWSER: Computer Browser service
e - this is the default configurat | TITLE:Controlled | CCE-37623-6
ous to the release of Windows Server 2003 with Service Pack 1 (SP1) these named pipes were allowed anonymous access by default, but with the increas
ces running as Local System tha | TITLE:Account Mo | CCE-38341-4
applications that require NULL s | TITLE:Controlled | CCE-37035-3
e - this is the default configurat | TITLE:Configure Ac | CCE-38047-7
selected, the encryption type will not be allowed. This setting may affect compatibility with client computers or services and applications. Multiple selection | TITLE:Encrypt/Hash | CCE-37755-6
e:** Windows Server 2008 (non-R2) and below allow DES for Kerberos by default, but later OS versions do not.
e - this is the default behavior. | TITLE:Encrypt/Hash | CCE-36326-7
e - this is the default behavior. | TITLE:Account Mo | CCE-36270-7
ts use NTLMv2 authentication only and use NTLMv2 session security if the server supports it; Domain Controllers refuse LM and NTLM (accept only NTLM | TITLE:Data Prote | CCE-36173-3
e:** For information about a hotfix to ensure that this setting works in networks that include Windows NT 4.0-based computers along with Windows 2000, W
e - this is the default behavior. | TITLE:Data Prote | CCE-36858-9
M connections will fail if NTLMv2 | TITLE:Data Prote | CCE-37553-5
M connections will fail if NTLMv2 | TITLE:Data Prote | CCE-37835-6

benchmarks is consistent.

e - this is the default behavior. | TITLE:Minimize An | CCE-36788-8
benchmarks is consistent.
e - this is the default behavior. | | CCE-37885-1
e - this is the default behavior. | TITLE:Protect Info | CCE-37644-2
benchmarks is consistent.
built-in Administrator account u | TITLE:Minimize An | CCE-36494-3
e - this is the default behavior. | TITLE:Account Mo | CCE-36863-9
n an operation (including executio | TITLE:Minimize An | CCE-37029-6
n an operation requires elevation of privilege, a configurable access denied error message is displayed. An enterprise that is running desktops as standard | TITLE:Minimize An | CCE-36864-7
e:** With this setting configured as recommended, the default error message displayed when a user attempts to perform an operation or run a program req
n an application installation pack | TITLE:Minimize An | CCE-36533-8
e - this is the default behavior. | TITLE:Minimize An | CCE-37057-7
e - this is the default behavior. | TITLE:Minimize An | CCE-36869-6
e - this is the default behavior. | TITLE:Minimize An | CCE-36866-2
e - this is the default behavior. | | CCE-37064-3
benchmarks is consistent.
benchmarks is consistent.
benchmarks is consistent.
benchmarks is consistent.
benchmarks is consistent.
benchmarks is consistent.
e - this is the default behavior. | TITLE:Leverage Hos | CCE-36062-8
e - this is the default behavior. | TITLE:Leverage Hos | CCE-38117-8
e - this is the default behavior. | TITLE:Leverage Hos | CCE-36146-9
ows Firewall will not display a notification when a | | CCE-38041-0
og file will be stored in the specif | TITLE:Ensure Audit | CCE-37482-7
og file size will be limited to t | TITLE:Ensure Audit | CCE-36088-3
mation about dropped packets will | TITLE:Ensure Audit | CCE-37523-8
mation about successful connectio | TITLE:Ensure Audit | CCE-36393-7
e - this is the default behavior. | TITLE:Leverage Hos | CCE-38239-0
e - this is the default behavior. | TITLE:Leverage Hos | CCE-38042-8
e - this is the default behavior. | TITLE:Leverage Hos | CCE-38332-3
ows Firewall will not display a notification when a | | CCE-37621-0
og file will be stored in the specif | TITLE:Ensure Audit | CCE-37569-1
og file size will be limited to t | TITLE:Ensure Audit | CCE-38178-0
mation about dropped packets will | TITLE:Ensure Audit | CCE-35972-9
mation about successful connectio | TITLE:Ensure Audit | CCE-37387-8
e - this is the default behavior. | TITLE:Leverage Hos | CCE-37862-0
e - this is the default behavior. | TITLE:Leverage Hos | CCE-36057-8
e - this is the default behavior. | TITLE:Leverage Hos | CCE-37434-8
ows Firewall will not display a notification when a | | CCE-38043-6
nistrators can still create firewall | TITLE:Minimize An | CCE-37861-2
nistrators can still create local c | TITLE:Minimize An | CCE-36268-1
og file will be stored in the specif | TITLE:Ensure Audit | CCE-37266-4
og file size will be limited to t | TITLE:Ensure Audit | CCE-36395-2
mation about dropped packets will | TITLE:Ensure Audit | CCE-37265-6
mation about successful connectio | TITLE:Ensure Audit | CCE-36394-5
benchmarks is consistent.
benchmarks is consistent.
benchmarks is consistent.
benchmarks is consistent.
benchmarks is consistent.
benchmarks is consistent.
benchmarks is consistent.
audit settings are configured, | TITLE:Automatical | CCE-37741-6
nt audit policy.
audit settings are configured, | TITLE:Account Mo | CCE-38329-9
audit settings are configured, | TITLE:Inventory | CCE-38004-8
audit settings are configured, | TITLE:Account Mo | CCE-36265-7
audit settings are configured, | TITLE:Automaticall | CCE-37855-4
audit settings are configured, | TITLE:Account Mo | CCE-38034-5
audit settings are configured, | TITLE:Automaticall | CCE-37856-2
audit settings are configured, or if audit setting | | CCE-36059-4
Access audit policy.
audit settings are configured, | TITLE:Protect Info | CCE-37433-0
audit settings are configured, | TITLE:Protect Info | CCE-37616-0
audit settings are configured, | TITLE:Configure A | CCE-37133-6
audit settings are configured, | TITLE:Profile Use | CCE-38237-4
audit settings are configured, | TITLE:Profile Use | CCE-38036-0
audit settings are configured, | TITLE:Profile Use | CCE-36322-6
audit settings are configured, | TITLE:Administrato | CCE-36266-5
audit settings are configured, | TITLE:Ensure Audit | CCE-37620-2
audit settings are configured, | TITLE:Limit Use O | CCE-37617-8
audit settings are configured, | TITLE:Use File Int | CCE-38028-7
audit settings are configured, | TITLE:Use File Int | CCE-38327-3
audit settings are configured, | TITLE:Use File Int | CCE-36320-0
audit settings are configured, | TITLE:Minimize An | CCE-36267-3
audit settings are configured, | TITLE:Data Prote | CCE-37853-9
audit settings are configured, | TITLE:Leverage Hos | CCE-38030-3
audit settings are configured, or if audit setting | | CCE-38114-5
audit settings are configured, | TITLE:Maintenance | CCE-36144-4
audit settings are configured, | TITLE:Maintenance | CCE-37132-8
ministrative Templates (ADMX).
dmx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
gs.
nelDisplay.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
u enable this setting, users will no longer be abl | | CCE-38347-1
u enable this setting, users will no longer be able | | CCE-38348-9
trator Password Solution (LAPS).
dmx/adml` that is included with LAPS.
ecurity Guide.
admx/adml` that is available from Microsoft at [this link](https://blogs.technet.microsoft.com/secguide/2017/08/30/security-baseline-for-windows-10-creators
e legacy OSes (e.g. Windows XP, TITLE:Limit
S Open Ports, Protocols, and Services CONTROL:9.1 DESCRIPTION:Ensure that only ports, protocols, and ser

e legacy OSes (e.g. Windows XP,


TITLE:Limit
S Open Ports, Protocols, and Services CONTROL:9.1 DESCRIPTION:Ensure that only ports, protocols, and ser

you enable SEHOP, existing verTITLE:Enable Anti-exploitation Features (i.e. DEP, ASLR, EMET) CONTROL:8.4 DESCRIPTION:Enable anti-exploitation f

e - this is also the default confi TITLE:Encrypt/Hash


CCE-38444-6
(MSS) settings.

y.admx/adml` that is available from this TechNet blog post: [The MSS settings – Microsoft Security Guidance blog](https://blogs.technet.microsoft.com/sec
e - this is the default behavior. TITLE:Account MoCCE-37067-6

coming source routed packets wTITLE:Limitation CCE-36871-2

coming source routed packets wTITLE:Limitation CCE-36535-3

n Routing and Remote Access Servi


TITLE:Limitation CCE-37988-3

e - this is the default behavior. TITLE:Limitation CCE-36879-5

e - this is the default behavior. TITLE:Malware D CCE-36351-5

s will have to enter their passwoTITLE:Ensure Work


CCE-37993-3

udit event will be generated wheTITLE:Ensure Audit


CCE-36880-3

dmx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.

adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.

erCaching.admx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).
benchmarks is consistent.

adml` that is included with the Microsoft 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).

admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.

cy.admx/adml` that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer).
benchmarks is consistent.

h.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
benchmarks is consistent.

rver.admx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).
benchmarks is consistent.

orkstation.admx/adml` that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer).
ings.

TopologyDiscovery.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
Services settings.

admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.

admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

onnections.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
s cannot create or configure a NTITLE:Minimize AnCCE-38002-2

ain users must elevate when setti
benchmarks is consistent.
TITLE:Minimize An
CCE-38188-9

rewall.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.
d by Microsoft to _Windows Defender Firewall_ starting with the Microsoft Windows 10 Release 1709 Administrative Templates.
x/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.

olation.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).

ovider.admx/adml` that is included with the [MS15-011](https://technet.microsoft.com/library/security/MS15-011) / [MSKB 3000483](https://support.microso


ows only allows access to the spe
TITLE:Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers CONTRO
benchmarks is consistent.

s.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.

x/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.

x/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.

eOrder.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).
benchmarks is consistent.

/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).

/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).

onnectNow.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
ngs.

x/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
e - this is the default behavior. TITLE:Boundary CCE-38338-0
benchmarks is consistent.

dmx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.

dmx/adml` that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer).

dmx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.

mx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
benchmarks is consistent.

/adml` that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer).

gs.admx/adml` that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer).
e - this is the default behavior. TITLE:Encrypt/Hash
CCE-36925-6

dmx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
host will support the _Restric TITLE:Account Monitoring and Control CONTROL:16 DESCRIPTION:Account Monitoring and Control;
benchmarks is consistent.

ard.admx/adml` that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer).
benchmarks is consistent.

/adml` that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer).
benchmarks is consistent.

allation.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.

irection.admx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).
benchmarks is consistent.

che.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.

.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.

mx/adml` that is included with the Microsoft Windows 10 Release 1703 Administrative Templates (or newer).
benchmarks is consistent.

mx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.

allation.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
ation settings.

chAM.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
e - this is the default behavior. TITLE:Malware D CCE-37912-3
benchmarks is consistent.

Storage.admx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).
benchmarks is consistent.

mx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
benchmarks is consistent.

VSSAgent.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
benchmarks is consistent.
benchmarks is consistent.
rVSSProvider.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
mx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.
d by Microsoft to _Filesystem_ starting with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates.
rection.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
tings.

cy.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
p Policies will be reapplied eve TITLE:Deploy SystCCE-36169-1

p Policies will be reapplied eve TITLE:Deploy SystCCE-36169-1

e - this is the default behavior. TITLE:Deploy SystCCE-37712-7


benchmarks is consistent.

cyPreferences.admx/adml` that is included with the Microsoft Windows Server 2008 (non-R2) Administrative Templates (or newer).
nagement.

dmx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
ngs.

dmx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
drivers cannot be downloaded over HTTP.
TITLE:Inventory CCE-36625-2
e:** This policy setting does not prevent the client computer from printing to printers on the intranet or the Internet over HTTP. It only prohibits downloading
ows is prevented from downloadin TITLE:Email and CCE-36096-6
client computer will not be able to print to Internet printers over HTTP.
TITLE:Assess DataCCE-36920-7
e:** This policy setting affects the client side of Internet printing only. Regardless of how it is configured, a computer could act as an Internet Printing serve
benchmarks is consistent.

x/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.

/adml` that is included with the Microsoft Windows Server 2008 (non-R2) Administrative Templates (or newer).
benchmarks is consistent.

dmx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

on.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
creen.

mx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
PC's network connectivity state TITLE:Controlled CCE-38353-9

Logon UI will not enumerate an TITLE:Configure Ac


CCE-37838-0

pp notifications are displayed onTITLE:Ensure Work


CCE-35893-7

s will not be able to set up or si TITLE:Ensure Work


CCE-37830-7

e - this is the default behavior. TITLE:Ensure Work


CCE-37528-7
benchmarks is consistent.

cy.admx/adml` that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer).
benchmarks is consistent.

dmx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.

admx/adml` that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer).
benchmarks is consistent.

CPL.admx/adml` that is only included with the Microsoft Windows Vista through the Windows 8.0 & Server 2012 (non-R2) Administrative Templates.
benchmarks is consistent.

dmx/adml` that is included with the Microsoft Windows 10 Release 1703 Administrative Templates (or newer).

mx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.

mx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.

mx/adml` that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer).
benchmarks is consistent.

mx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.

mx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.

mx/adml` that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer).
mode.

mx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
e - this is the default behavior. TITLE:Ensure Work CCE-36881-1

e - this is the default behavior. TITLE:Ensure Work


CCE-37066-8
benchmarks is consistent.

dmx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).

sistance.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
e - this is the default behavior. TITLE:Limit Open CCE-36388-7

s on this computer cannot use e-TITLE:Minimize AnCCE-37281-3

/adml` that is included


benchmarks with all versions of the Microsoft Windows Administrative Templates.
is consistent.

eStorage.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.

mx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.

ager.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.

mx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
benchmarks is consistent.

mx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.

alth.admx/adml` that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer).
benchmarks is consistent.

store.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
stics.

dmx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.

adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.

ery.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.

ostic.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.

x/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).
ostic Tool.

mx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.

covery.admx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).
benchmarks is consistent.

admx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).
benchmarks is consistent.

dmx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).
benchmarks is consistent.

ceDiagnostics.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.

ostic.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
rack.

cePerftrack.admx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).
benchmarks is consistent.

/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

es.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.

leProtection.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.

dmx/adml` that is only included with the Microsoft Windows Vista through the Windows 8.0 & Server 2012 (non-R2) Administrative Templates.

admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

dmx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.

adml` that is only included with the Microsoft Windows Vista through the Windows 8.0 & Server 2012 (non-R2) Administrative Templates.
benchmarks is consistent.
benchmarks is consistent.
tallService.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
nytimeUpgrade.admx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).
benchmarks is consistent.
s renamed by Microsoft to _Add features to Windows x_ starting with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates.
ageManager.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
benchmarks is consistent.

y.admx/adml` that is included with the Microsoft Windows 10 Release 1511 Administrative Templates (or newer).

me.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
ows Store apps that typically requ
TITLE:Configure AcCCE-38354-7
benchmarks is consistent.

at.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

dmx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
Play will not be allowed for MTP TITLE:Limit Use OCCE-37636-8

Run commands will be completelTITLE:Limit Use OCCE-38217-6

play will be disabled - users wil TITLE:Limit Use OCCE-36875-3


benchmarks is consistent.

ackup.admx/adml` that is only included with the Microsoft Windows Vista through the Windows 10 Release 1511 Administrative Templates (except for the
benchmarks is consistent.

.admx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).
benchmarks is consistent.

cryption.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.

dmx/adml` that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer).
benchmarks is consistent.

ent.admx/adml` that is included with the Microsoft Windows 10 Release 1511 Administrative Templates (or newer).
benchmarks is consistent.

splay.admx/adml` that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer).

mx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
password reveal button will not TITLE:Account MoCCE-37534-5

e - this is the default behavior. TITLE:Account MoCCE-36512-2


benchmarks is consistent.

dmx/adml` that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer).
benchmarks is consistent.

ptimization.admx/adml` that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer).
benchmarks is consistent.

mx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).
benchmarks is consistent.

x/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.
benchmarks is consistent.
mpat.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
Join.admx/adml` that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer).
benchmarks is consistent.
igation Experience Toolkit (EMET).
by Microsoft to _Device Registration_ starting with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates.
er.admx/adml` that is included with Microsoft EMET.
benchmarks is consistent.
mx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

mx/adml` that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer).
ws an enterprise to apply exploit mitigations to applications that run on Windows. Many of these mitigations were later coded directly into Windows 10 and S

Windows server OSes prior to Server 2016, it is highly recommended that compatibility testing is done on typical server configurations (including all CIS-reco
nel\Program\Programs and Featu TITLE:Enable Anti-exploitation Features (i.e. DEP, ASLR, EMET) CONTROL:8.4 DESCRIPTION:Enable anti-exploitation f
we only recommend using it with 64-bit OSes.
advanced mitigations available inTITLE:Enable AntiCCE-38427-1
July 31, 2018. This does not mean the software will stop working, only that Microsoft will not update it any further past that date, nor troubleshoot new prob
T mitigations will be applied to I TITLE:Enable AntiCCE-38428-9

T mitigations will be applied to thTITLE:Enable AntiCCE-36750-8

T mitigations will be applied to TITLE:Enable AntiCCE-36515-5

R protections will be enabled on TITLE:Enable AntiCCE-38437-0

protections will be enabled on *aTITLE:Enable AntiCCE-38438-8

OP protections will be enabled on


TITLE:Enable AntiCCE-38439-6
benchmarks is consistent.

arding.admx/adml` that is included with the Microsoft Windows Server 2008 (non-R2) Administrative Templates (or newer).

admx/adml`
og. that is included with all versions of the Microsoft Windows Administrative Templates.

admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
en - this is the default behavior.
event logs fill to capacity, they will stop recording information unless the retention method for each is set so that the computer will overwrite the oldest ent
TITLE:Ensure Audit
CCE-37775-4

consequence of this configuration is that older events will be removed from the logs. Attackers can take advantage of such a configuration, because they ca
TITLE:Ensure Audit
CCE-37948-7

ly, all specifically monitored events should be sent to a server that uses Microsoft System Center Operations Manager (SCOM) or some other automated m
admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
en - this is the default behavior.
event logs fill to capacity, they will stop recording information unless the retention method for each is set so that the computer will overwrite the oldest ent
TITLE:Ensure Audit
CCE-37145-0

consequence of this configuration is that older events will be removed from the logs. Attackers can take advantage of such a configuration, because they ca
TITLE:Ensure Audit
CCE-37695-4

ly, all specifically monitored events should be sent to a server that uses Microsoft System Center Operations Manager (SCOM) or some other automated m
admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
en - this is the default behavior.
event logs fill to capacity, they will stop recording information unless the retention method for each is set so that the computer will overwrite the oldest ent
TITLE:Ensure Audit
CCE-38276-2

consequence of this configuration is that older events will be removed from the logs. Attackers can take advantage of such a configuration, because they ca
TITLE:Ensure Audit
CCE-37526-1

ly, all specifically monitored events should be sent to a server that uses Microsoft System Center Operations Manager (SCOM) or some other automated m
admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
en - this is the default behavior.
event logs fill to capacity, they will stop recording information unless the retention method for each is set so that the computer will overwrite the oldest ent
TITLE:Ensure Audit
CCE-36160-0

consequence of this configuration is that older events will be removed from the logs. Attackers can take advantage of such a configuration, because they ca
TITLE:Ensure Audit
CCE-36092-5
benchmarks is consistent.
ly, all specifically monitored events should be sent to a server that uses Microsoft System Center Operations Manager (SCOM) or some other automated m
ing.admx/adml` that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer).
benchmarks is consistent.
benchmarks is consistent.
er.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
ontrols.admx/adml` that is only included with the Microsoft Windows Vista through the Windows 10 RTM (Release 1507) Administrative Templates.
h as menu items and tabs in dialog boxes.

dxplorer.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
by Microsoft to _Family Safety_ starting with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates.

ed - this is the default behavior.
by Microsoft to _File Explorer_ starting with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates.
TITLE:Enable Anti
CCE-37809-1

e - this is the default behavior. TITLE:Enable AntiCCE-36660-9


e - this is the default behavior. TITLE:Enable AntiCCE-36809-2
benchmarks is consistent.

ersions.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.

.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
benchmarks is consistent.

mx/adml` that is included with the Microsoft Windows 10 Release 1703 Administrative Templates (or newer).
benchmarks is consistent.

orer.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.

g.admx/adml` that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer).
benchmarks is consistent.

mx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).
benchmarks is consistent.

zard.admx/adml` that is only included with the Microsoft Windows Vista and Windows Server 2008 (non-R2) Administrative Templates.
benchmarks is consistent.

mx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.

dml` that is included with all versions of the Microsoft Windows Administrative Templates.

dmx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).

oviderAdm.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
benchmarks is consistent.

mx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
benchmarks is consistent.

admx/adml` that is included with the Microsoft Windows 10 Release 1511 Administrative Templates (or newer).
benchmarks is consistent.

x/adml` that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer).
benchmarks is consistent.

.admx/adml` that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer).
benchmarks is consistent.

.admx/adml` that is included with the Microsoft Windows 10 Release 1703 Administrative Templates (or newer).
benchmarks is consistent.

dge.admx/adml` that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer).
benchmarks is consistent.

dmx/adml` that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer).
benchmarks is consistent.

dential.admx/adml` that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer).
benchmarks is consistent.

ienceVirtualization.admx/adml` that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer).
benchmarks is consistent.

/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.

c.admx/adml` that is only included with the Microsoft Windows Server 2008 (non-R2) through the Windows 8.1 Update & Server 2012 R2 Update Administr
benchmarks is consistent.

ojection.admx/adml` that is only included with the Microsoft Windows Vista through the Windows 8.1 Update & Server 2012 R2 Update Administrative Tem
up Policy template `SkyDrive.admx/adml` that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer).
s can't access OneDrive from the OneDrive app and file picker. Windows Store apps can't access OneDrive using the `WinRT` API. OneDrive doesn't appe
osoft to _OneDrive_ starting with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates.
TITLE:Data Prote
CCE-36939-7
can't access OneDrive from the OneDrive app and file picker. Windows Store apps can't access OneDrive using the `WinRT` API. OneDrive doesn't appe
se:** If your organization uses Office 365, be aware that this setting will prevent users from saving files to OneDrive/SkyDrive.
TITLE:Data Prote
CCE-36939-7
e:** If your organization uses Office 365, be aware that this setting will prevent users from saving files to OneDrive/SkyDrive.
benchmarks is consistent.

upport.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.

.admx/adml` that is only included with the Microsoft Windows Vista through the Windows 8.1 Update & Server 2012 R2 Update Administrative Templates.
benchmarks is consistent.

ot.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
benchmarks is consistent.

PresentationSettings.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.

tall.admx/adml` that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer).
erver.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.

d by Microsoft to _Remote Desktop Services_ starting with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates.
erver.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

Microsoft to _RD Licensing_ starting with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates.
ient.

erver.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
password saving checkbox will be TITLE:Automaticall CCE-36223-6
benchmarks is consistent.

erver.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
erver.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.
by Microsoft to _Remote Desktop Session Host_ starting with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates.
erver-Server.admx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).
p Session Host.

erver.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
ost Device and Resource Redirection.

erver.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
redirection will not be possible TITLE:Data Prote CCE-36509-8
benchmarks is consistent.

erver.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.

erver.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.
benchmarks is consistent.
erver.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
erver.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.
amed by Microsoft to _RD Connection Broker_ starting with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates.
erver.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
ost Security.

erver.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
s cannot automatically log on to TITLE:Encrypt/Hash CCE-37929-7

ote Desktop Services accepts req


TITLE:Use Only Se CCE-37567-5

e - this is the default behavior. TITLE:Use Only Se CCE-36627-8


ost Session Time Limits.

erver.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
ost Session Temporary folders.

erver.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
e - this is the default behavior. TITLE:Protect Info CCE-37946-1

e - this is the default behavior. TITLE:Protect Info CCE-38180-6

mx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
s cannot set the Feed Sync Engi TITLE:Uninstall/Di CCE-37126-0

mx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
e - this is the default behavior. TITLE:Assess Data CCE-38277-0
benchmarks is consistent.

R.admx/adml` that is only included with the Microsoft Windows 7 & Server 2008 R2 through the Windows 10 Release 1511 Administrative Templates.
benchmarks is consistent.

nter.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.

/adml` that is only included with the Microsoft Windows Vista through the Windows 8.1 Update & Server 2012 R2 Update Administrative Templates.
benchmarks is consistent.

mx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.

.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
orm.

tionGP.admx/adml` that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer).
benchmarks is consistent.

.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.

mx/adml` that is included with the Microsoft Windows 10 Release 1703 Administrative Templates (or newer).
benchmarks is consistent.

I.admx/adml` that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates, or by the Group Policy template `WindowsStore
benchmarks is consistent.

c.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
benchmarks is consistent.

dmx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.

duler.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.

admx/adml` that is only included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates and Microsoft Windows 10 Release 1511 A
benchmarks is consistent.

mx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.

olorSystem.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.
.
e.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
efender.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

emed by Microsoft to _Windows Defender Antivirus_ starting with the Microsoft Windows 10 Release 1703 Administrative Templates.
- this is the default behavior. TITLE:Deploy Autom CCE-36082-6
benchmarks is consistent.

efender.admx/adml` that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer).
benchmarks is consistent.

efender.admx/adml` that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer).
ervice (MAPS).

efender.admx/adml` that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer).
e - this is the default behavior. TITLE:Malware D CCE-36940-5
benchmarks is consistent.

efender.admx/adml` that is included with the Microsoft Windows 10 Release 1703 Administrative Templates (or newer).
benchmarks is consistent.

efender.admx/adml` that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer).
benchmarks is consistent.

efender.admx/adml` that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer).

efender.admx/adml` that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer).
e - this is the default configuratio TITLE:Deploy Autom CCE-38389-3
benchmarks is consistent.

efender.admx/adml` that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer).

efender.admx/adml` that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer).

efender.admx/adml` that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer).
ovable drives will be scanned du TITLE:Data Prote CCE-38409-9

ail scanning by Windows Defender TITLE:Data Prote CCE-36958-7
benchmarks is consistent.

efender.admx/adml` that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer).
benchmarks is consistent.

efender.admx/adml` that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer).
benchmarks is consistent.

efender.admx/adml` that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer).
benchmarks is consistent.

admx/adml` that is included with the Microsoft Windows 10 Release 1703 Administrative Templates (or newer).
benchmarks is consistent.

rd.admx/adml` that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer).
benchmarks is consistent.

efenderSecurityCenter.admx/adml` that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer).

ren.admx/adml` that is included with the Microsoft Windows 10 Release 1703 Administrative Templates (or newer).
SmartScreen settings.

up Policy template `WindowsExplorer.admx/adml` that is included with the Microsoft Windows 10 Release 1703 Administrative Templates (or newer).
s will be warned before they ar TITLE:Inventory CCE-35859-8

rting.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
emory dumps are uploaded accord TITLE:Data Prote CCE-36978-5
benchmarks is consistent.

rting.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
nsent.

rting.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
e - this is the default behavior. TITLE:Data Prote CCE-37112-0
benchmarks is consistent.
benchmarks is consistent.
.admx/adml` that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer).
dmx/adml` that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer).
benchmarks is consistent.
as renamed by Microsoft to _Windows Hello for Business_ starting with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates.
kWorkspace.admx/adml` that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer).

adml` that is included with all versions of the Microsoft Windows Administrative Templates.
e - this is the default behavior. TITLE:Minimize An CCE-36400-0

e - this is the default behavior. TITLE:Minimize An CCE-36919-9

admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
Disable this polic TITLE:Ensure Work CCE-36977-7
benchmarks is consistent.

ail.admx/adml` that is only included with the Microsoft Windows Vista through the Windows 10 Release 1703 Administrative Templates.
benchmarks is consistent.

er.admx/adml` that is only included with the Microsoft Windows Vista through Windows 10 Release 1511 Administrative Templates.
benchmarks is consistent.

ediaDRM.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.

ediaPlayer.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.

ollaboration.admx/adml` that is only included with the Microsoft Windows Vista and Server 2008 (non-R2) Administrative Templates.
benchmarks is consistent.

essenger.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.

MobilityCenter.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.

er.admx/adml` that is only included with the Microsoft Windows Vista and Server 2008 (non-R2) Administrative Templates.

lExecutionPolicy.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
ing of PowerShell script input is TITLE:Automatically Log Off Users After Standard Period Of Inactivity CONTROL:16.4 DESCRIPTION:Regularly monitor t

e - this is the default behavior. TITLE:Automatically Log Off Users After Standard Period Of Inactivity CONTROL:16.4 DESCRIPTION:Regularly monitor t
benchmarks is consistent.

ov.admx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).
ent (WinRM).

emoteManagement.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
gement (WinRM) client.

emoteManagement.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
e - this is the default behavior. TITLE:User/Accoun CCE-36310-1

e - this is the default behavior. TITLE:User/Accoun CCE-37726-7

WinRM client will not use Digest TITLE:User/Accoun CCE-38318-2
gement (WinRM) service.

emoteManagement.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
e - this is the default behavior. TITLE:User/Accoun CCE-36254-1

e - this is the default behavior. TITLE:User/Accoun CCE-38223-4


WinRM service will not allow the RunAsUser or RunAsPassword configuration values to be set for any plug-ins. If a plug-in has already set the RunAsUser
s setting is later Disabled again, any values that were previously configured for RunAsPassword will need to be reset.
TITLE:Automaticall CCE-36000-8

emoteShell.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.

admx/adml` that is only included with the Microsoft Windows Vista Administrative Templates through Microsoft Windows 8.0 & Server 2012 (non-R2) Admi
benchmarks is consistent.

sourceManager.admx/adml` that is only included with the Microsoft Windows Vista through Windows 8.0 & Server 2012 (non-R2) Administrative Templates

pdate.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
al operating system updates and TITLE:Use Automat CCE-36172-5

Auto download and schedule th TITLE:Use Automat CCE-36172-5

e - this is the default behavior. TITLE:Use Automat CCE-37027-0
benchmarks is consistent.

pdate.admx/adml` that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer).

enamed by Microsoft to _Windows Update for Business_ starting with the Microsoft Windows 10 Release 1709 Administrative Templates.
trative Templates (ADMX).

dmx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.

vePrograms.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.

nelDisplay.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
nelDisplay.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

d by Microsoft to _Personalization_ starting with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates.
een
provided
saver runs,
that th
TITLE:Ensure Work CCE-37970-1

system displays the specified sc TITLE:Ensure Work CCE-37907-3

creen savers are password prote TITLE:Ensure Work CCE-37658-2

screen saver will automatically a TITLE:Ensure Work CCE-37908-1
benchmarks is consistent.

dmx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.

dmx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.

ders.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

dmx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

x/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
cations will not be able to raise TITLE:Ensure Work CCE-36332-5

dmx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.

admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.

allation.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.

rection.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.

cy.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
nagement.

dmx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
ngs.

dmx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.
dmx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
nytimeUpgrade.admx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).
benchmarks is consistent.
s renamed by Microsoft to _Add features to Windows x_ starting with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates.
me.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
benchmarks is consistent.

at.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

tManager.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
e - this is the default behavior. TITLE:Email and CCE-37424-9
ows tells the registered antiviru TITLE:Scan All Inb CCE-36622-9
benchmarks is consistent.

dmx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.

ackup.admx/adml` that is included only with the Microsoft Windows Vista through Windows 8.0 & Server 2012 (non-R2) Administrative Templates, as well
benchmarks is consistent.

ent.admx/adml` that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer).
benchmarks is consistent.

mx/adml` that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer).
benchmarks is consistent.

tion.admx/adml` that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer).
benchmarks is consistent.

mx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).
benchmarks is consistent.

x/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.

er.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.
benchmarks is consistent.
mx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
dmx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.
d by Microsoft to _File Explorer_ starting with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates.
ation.admx/adml` that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer).
benchmarks is consistent.

mx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
benchmarks is consistent.

zard.admx/adml` that is only included with the Microsoft Windows Vista and Windows Server 2008 (non-R2) Administrative Templates.
benchmarks is consistent.

el.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.

mx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.

dmx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).
benchmarks is consistent.

dge.admx/adml` that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer).
benchmarks is consistent.

x/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.

ienceVirtualization.admx/adml` that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer).
benchmarks is consistent.

/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.

ojection.admx/adml` that is only included with the Microsoft Windows Vista through the Windows 8.1 Update & Server 2012 R2 Update Administrative Tem

mx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
s cannot share files within their TITLE:Protect Info CCE-38070-9
benchmarks is consistent.
benchmarks is consistent.
PresentationSettings.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
erver.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.
d by Microsoft to _Remote Desktop Services_ starting with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates.
mx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.

mx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).
benchmarks is consistent.

.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.

I.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates and Microsoft Windows 8.1 & Server 2012
benchmarks is consistent.

dmx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.

duler.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.

mx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.

olorSystem.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.

en.admx/adml` that is included with the Microsoft Windows 10 Release 1703 Administrative Templates (or newer).
benchmarks is consistent.
benchmarks is consistent.
rting.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
dmx/adml` that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer).

as renamed by Microsoft to _Windows Hello for Business_ starting with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates.
adml` that is included with all versions of the Microsoft Windows Administrative Templates.
e - this is the default behavior. TITLE:Minimize An CCE-37490-0
benchmarks is consistent.

admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.

ail.admx/adml` that is only included with the Microsoft Windows Vista through the Windows 10 Release 1703 Administrative Templates.
benchmarks is consistent.

er.admx/adml` that is only included with the Microsoft Windows Vista through Windows 10 Release 1511 Administrative Templates.

ediaPlayer.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.

ediaPlayer.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
back.

ediaPlayer.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
es (or newer).

ity-baseline-for-windows-10-creators-update-v1703-final/).
re that only ports, protocols, and services with validated business needs are running on each system.;

re that only ports, protocols, and services with validated business needs are running on each system.;

CRIPTION:Enable anti-exploitation features such as Data Execution Prevention (DEP), Address Space Layout Randomization (ASLR), virtualization/conta

ps://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/)
KB 3000483](https://support.microsoft.com/en-us/kb/3000483) security update and the Microsoft Windows 10 RTM (Release 1507) Administrative Templat
Workstations, and Servers CONTROL:3 DESCRIPTION:Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and

ring and Control;


es (or newer).

plates (or newer).


R2) Administrative Templates.
ministrative Templates.

strative Templates.

(or newer).

R2) Administrative Templates.


lates (or newer).

inistrative Templates (except for the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates).

es (or newer).
coded directly into Windows 10 and Server 2016.

configurations (including all CIS-recommended EMET settings) before widespread deployment to your environment.
CRIPTION:Enable anti-exploitation features such as Data Execution Prevention (DEP), Address Space Layout Randomization (ASLR), virtualization/conta

that date, nor troubleshoot new problems with it. They are instead recommending that servers be upgraded to Server 2016.

7) Administrative Templates.

plates.
ative Templates.

ates (or newer).

ates (or newer).

ative Templates (or newer).

& Server 2012 R2 Update Administrative Templates.

2012 R2 Update Administrative Templates.


ative Templates (or newer).

2 Update Administrative Templates.


ve Templates.

1511 Administrative Templates.

ate Administrative Templates.

roup Policy template `WindowsStore.admx/adml` that is included with the Microsoft Windows 10 Release 1511 Administrative Templates (or newer).
crosoft Windows 10 Release 1511 Administrative Templates.

ve Templates.

lates (or newer).

nistrative Templates (or newer).


ver 2016 Administrative Templates.
Templates (or newer).

rative Templates.

e Templates.

ve Templates.

emplates (or newer).


4 DESCRIPTION:Regularly monitor the use of all accounts, automatically logging off users after a standard period of inactivity.;

4 DESCRIPTION:Regularly monitor the use of all accounts, automatically logging off users after a standard period of inactivity.;

ws 8.0 & Server 2012 (non-R2) Administrative Templates.


2 (non-R2) Administrative Templates.

tes (or newer).

strative Templates.

(or newer).

R2) Administrative Templates.


2) Administrative Templates, as well as the Microsoft Windows 10 RTM (Release 1507) and Windows 10 Release 1511 Administrative Templates.

ative Templates.

ative Templates (or newer).

2012 R2 Update Administrative Templates.

Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates, or by the Group Policy template `WindowsStore.admx/adml` that is included with the Mi
ver 2016 Administrative Templates.

rative Templates.

e Templates.
ASLR), virtualization/containerization, etc. For increased protection, deploy capabilities such as Enhanced Mitigation Experience Toolkit (EMET) that can b
07) Administrative Templates (or newer).
Laptops, Workstations, and Servers;
ASLR), virtualization/containerization, etc. For increased protection, deploy capabilities such as Enhanced Mitigation Experience Toolkit (EMET) that can b
emplates (or newer).
trative Templates.

that is included with the Microsoft Windows 10 Release 1511 Administrative Templates (or newer).
e Toolkit (EMET) that can be configured to apply these protections to a broader set of applications and executables.;
e Toolkit (EMET) that can be configured to apply these protections to a broader set of applications and executables.;
section
recommendation
# # title status

1 Account Policies accepted

1.1 Password Policy accepted

1.1 1.1.1 (L1) Ensure 'Enforce password history' is set to '24 or more password(s)' accepted
1.1 1.1.2 (L1) Ensure 'Maximum password age' is set to '60 or fewer days, but not 0' accepted

1.1 1.1.3 (L1) Ensure 'Minimum password age' is set to '1 or more day(s)' accepted

1.1 1.1.4 (L1) Ensure 'Minimum password length' is set to '14 or more character(s)' accepted

1.1 1.1.5 (L1) Ensure 'Password must meet complexity requirements' is set to 'Enabled' accepted

1.1 1.1.6 (L1) Ensure 'Store passwords using reversible encryption' is set to 'Disabled' accepted

1.2 Account Lockout Policy accepted

1.2 1.2.1 (L1) Ensure 'Account lockout duration' is set to '15 or more minute(s)' accepted

1.2 1.2.2 (L1) Ensure 'Account lockout threshold' is set to '10 or fewer invalid logon attempt(s), but naccepted

1.2 1.2.3 (L1) Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)' accepted

2 Local Policies accepted

2.1 Audit Policy accepted

2.2 User Rights Assignment accepted

2.2 2.2.1 (L1) Ensure 'Access Credential Manager as a trusted caller' is set to 'No One' accepted

2.2 2.2.2 (L1) Configure 'Access this computer from the network' accepted

2.2 2.2.3 (L1) Ensure 'Act as part of the operating system' is set to 'No One' accepted

2.2 2.2.5 (L1) Ensure 'Adjust memory quotas for a process' is set to 'Administrators, LOCAL S accepted

2.2 2.2.6 (L1) Ensure 'Allow log on locally' is set to 'Administrators' accepted

2.2 2.2.7 (L1) Configure 'Allow log on through Remote Desktop Services' accepted

2.2 2.2.8 (L1) Ensure 'Back up files and directories' is set to 'Administrators' accepted

2.2 2.2.9 (L1) Ensure 'Change the system time' is set to 'Administrators, LOCAL SERVICE' accepted

2.2 2.2.10 (L1) Ensure 'Change the time zone' is set to 'Administrators, LOCAL SERVICE' accepted

2.2 2.2.11 (L1) Ensure 'Create a pagefile' is set to 'Administrators' accepted

2.2 2.2.12 (L1) Ensure 'Create a token object' is set to 'No One' accepted

2.2 2.2.13 (L1) Ensure 'Create global objects' is set to 'Administrators, LOCAL SERVICE, NETW accepted

2.2 2.2.14 (L1) Ensure 'Create permanent shared objects' is set to 'No One' accepted

2.2 2.2.15 (L1) Configure 'Create symbolic links' accepted

2.2 2.2.16 (L1) Ensure 'Debug programs' is set to 'Administrators' accepted

2.2 2.2.17 (L1) Configure 'Deny access to this computer from the network' accepted

2.2 2.2.18 (L1) Ensure 'Deny log on as a batch job' to include 'Guests' accepted

2.2 2.2.19 (L1) Ensure 'Deny log on as a service' to include 'Guests' accepted

2.2 2.2.20 (L1) Ensure 'Deny log on locally' to include 'Guests' accepted

2.2 2.2.21 (L1) Configure 'Deny log on through Remote Desktop Services' accepted

2.2 2.2.22 (L1) Configure 'Enable computer and user accounts to be trusted for delegation' accepted

2.2 2.2.23 (L1) Ensure 'Force shutdown from a remote system' is set to 'Administrators' accepted
2.2 2.2.24 (L1) Ensure 'Generate security audits' is set to 'LOCAL SERVICE, NETWORK SERVICE' accepted

2.2 2.2.25 (L1) Configure 'Impersonate a client after authentication' accepted

2.2 2.2.26 (L1) Ensure 'Increase scheduling priority' is set to 'Administrators' accepted

2.2 2.2.27 (L1) Ensure 'Load and unload device drivers' is set to 'Administrators' accepted

2.2 2.2.28 (L1) Ensure 'Lock pages in memory' is set to 'No One' accepted

2.2 2.2.30 (L1) Configure 'Manage auditing and security log' accepted

2.2 2.2.31 (L1) Ensure 'Modify an object label' is set to 'No One' accepted

2.2 2.2.32 (L1) Ensure 'Modify firmware environment values' is set to 'Administrators' accepted

2.2 2.2.33 (L1) Ensure 'Perform volume maintenance tasks' is set to 'Administrators' accepted

2.2 2.2.34 (L1) Ensure 'Profile single process' is set to 'Administrators' accepted

2.2 2.2.35 (L1) Ensure 'Profile system performance' is set to 'Administrators, NT SERVICE\WdiServi accepted

2.2 2.2.36 (L1) Ensure 'Replace a process level token' is set to 'LOCAL SERVICE, NETWORK SERVaccepted

2.2 2.2.37 (L1) Ensure 'Restore files and directories' is set to 'Administrators' accepted

2.2 2.2.38 (L1) Ensure 'Shut down the system' is set to 'Administrators' accepted

2.2 2.2.40 (L1) Ensure 'Take ownership of files or other objects' is set to 'Administrators' accepted

2.3 Security Options accepted

2.3.1 Accounts accepted

2.3.1 2.3.1.1 (L1) Ensure 'Accounts: Administrator account status' is set to 'Disabled' (MS only) accepted

2.3.1 2.3.1.2 (L1) Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Maccepted

2.3.1 2.3.1.3 (L1) Ensure 'Accounts: Guest account status' is set to 'Disabled' (MS only) accepted

2.3.1 2.3.1.4 (L1) Ensure 'Accounts: Limit local account use of blank passwords to console logon only' isaccepted

2.3.1 2.3.1.5 (L1) Configure 'Accounts: Rename administrator account' accepted

2.3.1 2.3.1.6 (L1) Configure 'Accounts: Rename guest account' accepted

2.3.2 Audit accepted

2.3.2 2.3.2.1 (L1) Ensure 'Audit: Force audit policy subcategory settings (Windows Vista or later) to overraccepted

2.3.2 2.3.2.2 (L1) Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to accepted

2.3.3 DCOM accepted

2.3.4 Devices accepted

2.3.4 2.3.4.1 (L1) Ensure 'Devices: Allowed to format and eject removable media' is set to 'Administrator accepted

2.3.4 2.3.4.2 (L1) Ensure 'Devices: Prevent users from installing printer drivers' is set to 'Enabled' accepted

2.3.5 Domain controller accepted

2.3.6 Domain member accepted

2.3.6 2.3.6.1 (L1) Ensure 'Domain member: Digitally encrypt or sign secure channel data (always)' is set accepted

2.3.6 2.3.6.2 (L1) Ensure 'Domain member: Digitally encrypt secure channel data (when possible)' is set accepted

2.3.6 2.3.6.3 (L1) Ensure 'Domain member: Digitally sign secure channel data (when possible)' is set to accepted

2.3.6 2.3.6.4 (L1) Ensure 'Domain member: Disable machine account password changes' is set to 'Disab accepted

2.3.6 2.3.6.5 (L1) Ensure 'Domain member: Maximum machine account password age' is set to '30 or few accepted

2.3.6 2.3.6.6 (L1) Ensure 'Domain member: Require strong (Windows 2000 or later) session key' is set t accepted

2.3.7 Interactive logon accepted

2.3.7 2.3.7.1 (L1) Ensure 'Interactive logon: Do not display last user name' is set to 'Enabled' accepted

2.3.7 2.3.7.2 (L1) Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled' accepted

2.3.7 2.3.7.3 (L1) Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but accepted

2.3.7 2.3.7.4 (L1) Configure 'Interactive logon: Message text for users attempting to log on' accepted

2.3.7 2.3.7.5 (L1) Configure 'Interactive logon: Message title for users attempting to log on' accepted

2.3.7 2.3.7.7 (L1) Ensure 'Interactive logon: Prompt user to change password before expiration' is set t accepted

2.3.7 2.3.7.8 (L1) Ensure 'Interactive logon: Require Domain Controller Authentication to unlock workstat accepted

2.3.7 2.3.7.9 (L1) Ensure 'Interactive logon: Smart card removal behavior' is set to 'Lock Workstation' or accepted

2.3.8 Microsoft network client accepted

2.3.8 2.3.8.1 (L1) Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Ena accepted

2.3.8 2.3.8.2 (L1) Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is se accepted

2.3.8 2.3.8.3 (L1) Ensure 'Microsoft network client: Send unencrypted password to third-party SMB server accepted

2.3.9 Microsoft network server accepted

2.3.9 2.3.9.1 (L1) Ensure 'Microsoft network server: Amount of idle time required before suspending sessio accepted

2.3.9 2.3.9.2 (L1) Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'En accepted

2.3.9 2.3.9.3 (L1) Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is se accepted

2.3.9 2.3.9.4 (L1) Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set t accepted

2.3.9 2.3.9.5 (L1) Ensure 'Microsoft network server: Server SPN target name validation level' is set to 'Ac accepted

2.3.10 Network access accepted

2.3.10 2.3.10.1 (L1) Ensure 'Network access: Allow anonymous SID/Name translation' is set to 'Disabled' accepted

2.3.10 2.3.10.2 (L1) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' is se accepted

2.3.10 2.3.10.3 (L1) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts and sh accepted

2.3.10 2.3.10.5 (L1) Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set t accepted

2.3.10 2.3.10.6 (L1) Configure 'Network access: Named Pipes that can be accessed anonymously' accepted

2.3.10 2.3.10.7 (L1) Configure 'Network access: Remotely accessible registry paths' accepted

2.3.10 2.3.10.8 (L1) Configure 'Network access: Remotely accessible registry paths and sub-paths' accepted

2.3.10 2.3.10.9 (L1) Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is s accepted

2.3.10 2.3.10.1 (L1) Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None' accepted

2.3.10 2.3.10.1 (L1) Ensure 'Network access: Sharing and security model for local accounts' is set to 'Clas accepted

2.3.11 Network security accepted

2.3.11 2.3.11.1 (L1) Ensure 'Network security: Allow Local System to use computer identity for NTLM' is se accepted

2.3.11 2.3.11.2 (L1) Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disable accepted

2.3.11 2.3.11.3 (L1) Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use o accepted

2.3.11 2.3.11.4 (L1) Ensure 'Network security: Configure encryption types allowed for Kerberos' is s accepted

2.3.11 2.3.11.5 (L1) Ensure 'Network security: Do not store LAN Manager hash value on next password cha accepted

2.3.11 2.3.11.6 (L1) Ensure 'Network security: Force logoff when logon hours expire' is set to 'Enabled' accepted

2.3.11 2.3.11.7 (L1) Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv accepted

2.3.11 2.3.11.8 (L1) Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signin accepted

2.3.11 2.3.11.9 (L1) Ensure 'Network security: Minimum session security for NTLM SSP based (including se accepted

2.3.11 2.3.11.1 (L1) Ensure 'Network security: Minimum session security for NTLM SSP based (including se accepted

2.3.12 Recovery console accepted

2.3.13 Shutdown accepted

2.3.13 2.3.13.1 (L1) Ensure 'Shutdown: Allow system to be shut down without having to log on' is set to 'D accepted

2.3.14 System cryptography accepted

2.3.15 System objects accepted

2.3.15 2.3.15.1 (L1) Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is se accepted

2.3.15 2.3.15.2 (L1) Ensure 'System objects: Strengthen default permissions of internal system objects (e.g accepted

2.3.16 System settings draft

2.3.17 User Account Control accepted

2.3.17 2.3.17.1 (L1) Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator acco accepted

2.3.17 2.3.17.2 (L1) Ensure 'User Account Control: Allow UIAccess applications to prompt for elevation with accepted

2.3.17 2.3.17.3 (L1) Ensure 'User Account Control: Behavior of the elevation prompt for administrators in accepted

2.3.17 2.3.17.4 (L1) Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is accepted

2.3.17 2.3.17.5 (L1) Ensure 'User Account Control: Detect application installations and prompt for elevation' accepted

2.3.17 2.3.17.6 (L1) Ensure 'User Account Control: Only elevate UIAccess applications that are installed in accepted

2.3.17 2.3.17.7 (L1) Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set t accepted

2.3.17 2.3.17.8 (L1) Ensure 'User Account Control: Switch to the secure desktop when prompting for elevati accepted

2.3.17 2.3.17.9 (L1) Ensure 'User Account Control: Virtualize file and registry write failures to per-user locat accepted

3 Event Log accepted

4 Restricted Groups accepted

5 System Services accepted

6 Registry accepted

7 File System accepted
8 Wired Network (IEEE 802.3) Policies accepted

9 Windows Firewall with Advanced Security accepted

9.1 Domain Profile accepted

9.1 9.1.1 (L1) Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On (recommended)' accepted

9.1 9.1.2 (L1) Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)' accepted

9.1 9.1.3 (L1) Ensure 'Windows Firewall: Domain: Outbound connections' is set to 'Allow (default)' accepted

9.1 9.1.4 (L1) Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No' accepted

9.1 9.1.5 (L1) Ensure 'Windows Firewall: Domain: Logging: Name' is set to '%SYSTEMROOT%\System accepted

9.1 9.1.6 (L1) Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16,384 KB or gr accepted

9.1 9.1.7 (L1) Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes' accepted

9.1 9.1.8 (L1) Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Ye accepted

9.2 Private Profile accepted

9.2 9.2.1 (L1) Ensure 'Windows Firewall: Private: Firewall state' is set to 'On (recommended)' accepted

9.2 9.2.2 (L1) Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)' accepted

9.2 9.2.3 (L1) Ensure 'Windows Firewall: Private: Outbound connections' is set to 'Allow (default)' accepted

9.2 9.2.4 (L1) Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No' accepted

9.2 9.2.5 (L1) Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SYSTEMROOT%\System3 accepted

9.2 9.2.6 (L1) Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16,384 KB or gre accepted

9.2 9.2.7 (L1) Ensure 'Windows Firewall: Private: Logging: Log dropped packets' is set to 'Yes' accepted

9.2 9.2.8 (L1) Ensure 'Windows Firewall: Private: Logging: Log successful connections' is set to 'Yes accepted

9.3 Public Profile accepted

9.3 9.3.1 (L1) Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)' accepted

9.3 9.3.2 (L1) Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)' accepted

9.3 9.3.3 (L1) Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow (default)' accepted

9.3 9.3.4 (L1) Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'No' accepted

9.3 9.3.5 (L1) Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No' accepted

9.3 9.3.6 (L1) Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is se accepted

9.3 9.3.7 (L1) Ensure 'Windows Firewall: Public: Logging: Name' is set to '%SYSTEMROOT%\System32 accepted

9.3 9.3.8 (L1) Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16,384 KB or grea accepted

9.3 9.3.9 (L1) Ensure 'Windows Firewall: Public: Logging: Log dropped packets' is set to 'Yes' accepted

9.3 9.3.10 (L1) Ensure 'Windows Firewall: Public: Logging: Log successful connections' is set to 'Yes' accepted

10 Network List Manager Policies accepted

11 Wireless Network (IEEE 802.11) Policies accepted

12 Public Key Policies accepted
13 Software Restriction Policies accepted

14 Network Access Protection NAP Client Configuration accepted

15 Application Control Policies accepted

16 IP Security Policies accepted

17 Advanced Audit Policy Configuration accepted

17.1 Account Logon accepted

17.1 17.1.1 (L1) Ensure 'Audit Credential Validation' is set to 'Success and Failure' accepted

17.2 Account Management accepted

17.2 17.2.1 (L1) Ensure 'Audit Application Group Management' is set to 'Success and Failure' accepted

17.2 17.2.2 (L1) Ensure 'Audit Computer Account Management' is set to 'Success and Failure' accepted

17.2 17.2.4 (L1) Ensure 'Audit Other Account Management Events' is set to 'Success and Failure' accepted

17.2 17.2.5 (L1) Ensure 'Audit Security Group Management' is set to 'Success and Failure' accepted

17.2 17.2.6 (L1) Ensure 'Audit User Account Management' is set to 'Success and Failure' accepted

17.3 Detailed Tracking accepted

17.3 17.3.1 (L1) Ensure 'Audit Process Creation' is set to 'Success' accepted

17.4 DS Access accepted

17.5 Logon/Logoff accepted

17.5 17.5.1 (L1) Ensure 'Audit Account Lockout' is set to 'Success and Failure' accepted

17.5 17.5.2 (L1) Ensure 'Audit Logoff' is set to 'Success' accepted

17.5 17.5.3 (L1) Ensure 'Audit Logon' is set to 'Success and Failure' accepted

17.5 17.5.4 (L1) Ensure 'Audit Other Logon/Logoff Events' is set to 'Success and Failure' accepted

17.5 17.5.5 (L1) Ensure 'Audit Special Logon' is set to 'Success' accepted

17.6 Object Access accepted

17.6 17.6.1 (L1) Ensure 'Audit Other Object Access Events' is set to 'Success and Failure' accepted

17.6 17.6.2 (L1) Ensure 'Audit Removable Storage' is set to 'Success and Failure' accepted

17.7 Policy Change accepted

17.7 17.7.1 (L1) Ensure 'Audit Audit Policy Change' is set to 'Success and Failure' accepted

17.7 17.7.2 (L1) Ensure 'Audit Authentication Policy Change' is set to 'Success' accepted

17.7 17.7.3 (L1) Ensure 'Audit Authorization Policy Change' is set to 'Success' accepted

17.8 Privilege Use accepted

17.8 17.8.1 (L1) Ensure 'Audit Sensitive Privilege Use' is set to 'Success and Failure' accepted

17.9 System accepted

17.9 17.9.1 (L1) Ensure 'Audit IPsec Driver' is set to 'Success and Failure' accepted

17.9 17.9.2 (L1) Ensure 'Audit Other System Events' is set to 'Success and Failure' accepted

17.9 17.9.3 (L1) Ensure 'Audit Security State Change' is set to 'Success' accepted

17.9 17.9.4 (L1) Ensure 'Audit Security System Extension' is set to 'Success and Failure' accepted

17.9 17.9.5 (L1) Ensure 'Audit System Integrity' is set to 'Success and Failure' accepted

18 Administrative Templates (Computer) accepted

18.1 Control Panel accepted

18.1.1 Personalization accepted

18.1.1 18.1.1.1 (L1) Ensure 'Prevent enabling lock screen camera' is set to 'Enabled' accepted

18.1.1 18.1.1.2 (L1) Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled' accepted

18.2 LAPS accepted

18.2 18.2.1 (L1) Ensure LAPS AdmPwd GPO Extension / CSE is installed (MS only) accepted

18.2 18.2.2 (L1) Ensure 'Do not allow password expiration time longer than required by policy' is set t accepted

18.2 18.2.3 (L1) Ensure 'Enable Local Admin Password Management' is set to 'Enabled' (MS only) accepted

18.2 18.2.4 (L1) Ensure 'Password Settings: Password Complexity' is set to 'Enabled: Large letters + s accepted

18.2 18.2.5 (L1) Ensure 'Password Settings: Password Length' is set to 'Enabled: 15 or more' (MS only accepted

18.2 18.2.6 (L1) Ensure 'Password Settings: Password Age (Days)' is set to 'Enabled: 30 or fewer' (MS accepted

18.3 MS Security Guide accepted

18.3 18.3.1 (L1) Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled accepted

18.3 18.3.2 (L1) Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver' accepted

18.3 18.3.3 (L1) Ensure 'Configure SMB v1 server' is set to 'Disabled' accepted

18.3 18.3.4 (L1) Ensure 'Enable Structured Exception Handling Overwrite Protection (SEHOP)' is set t accepted

18.3 18.3.5 (L1) Ensure 'WDigest Authentication' is set to 'Disabled' accepted

18.4 MSS (Legacy) accepted

18.4 18.4.1 (L1) Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set t accepted

18.4 18.4.2 (L1) Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protect accepted

18.4 18.4.3 (L1) Ensure 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects aga accepted

18.4 18.4.4 (L1) Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated r accepted

18.4 18.4.6 (L1) Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name accepted

18.4 18.4.8 (L1) Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' is accepted

18.4 18.4.9 (L1) Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver accepted

18.4 18.4.12 (L1) Ensure 'MSS: (WarningLevel) Percentage threshold for the security event log at which accepted

18.5 Network accepted

18.5.1 Background Intelligent Transfer Service (BITS) accepted

18.5.2 BranchCache accepted

18.5.3 DirectAccess Client Experience Settings accepted
18.5.4 DNS Client accepted

18.5.4 18.5.4.1 (L1) Set 'NetBIOS node type' to 'P-node' (Ensure NetBT Parameter 'NodeType' is set to '0x accepted

18.5.4 18.5.4.2 (L1) Ensure 'Turn off multicast name resolution' is set to 'Enabled' (MS Only) accepted

18.5.5 Fonts draft

18.5.6 Hotspot Authentication accepted

18.5.7 Lanman Server accepted

18.5.8 Lanman Workstation draft

18.5.9 Link-Layer Topology Discovery accepted

18.5.10 Microsoft Peer-to-Peer Networking Services accepted

18.5.10.1 Peer Name Resolution Protocol accepted

18.5.11 Network Connections accepted

18.5.11 18.5.11. (L1) Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain n accepted

18.5.11 18.5.11. (L1) Ensure 'Require domain users to elevate when setting a network's location' is set to ' accepted

18.5.11.1 Windows Defender Firewall (formerly Windows Firewall) accepted

18.5.12 Network Connectivity Status Indicator accepted

18.5.13 Network Isolation accepted

18.5.14 Network Provider accepted

18.5.14 18.5.14. (L1) Ensure 'Hardened UNC Paths' is set to 'Enabled, with "Require Mutual Authenticatio accepted

18.5.15 Offline Files accepted

18.5.16 QoS Packet Scheduler accepted

18.5.17 SNMP accepted

18.5.18 SSL Configuration Settings accepted

18.5.19 TCPIP Settings accepted

18.5.19.1 IPv6 Transition Technologies accepted

18.5.19.2 Parameters accepted

18.5.20 Windows Connect Now accepted

18.5.21 Windows Connection Manager accepted

18.5.21 18.5.21. (L1) Ensure 'Minimize the number of simultaneous connections to the Internet or a Window accepted

18.6 Printers accepted

18.7 Start Menu and Taskbar accepted

18.8 System accepted

18.8.1 Access-Denied Assistance accepted

18.8.2 App-V accepted

18.8.3 Audit Process Creation accepted
18.8.3 18.8.3.1 (L1) Ensure 'Include command line in process creation events' is set to 'Disabled' accepted

18.8.4 Credentials Delegation accepted

18.8.4 18.8.4.1 (L1) Ensure 'Remote host allows delegation of non-exportable credentials' is set to 'Enable accepted

18.8.5 Device Guard accepted

18.8.6 Device Health Attestation Service accepted

18.8.7 Device Installation draft

18.8.8 Device Redirection accepted

18.8.9 Disk NV Cache accepted

18.8.10 Disk Quotas accepted

18.8.11 Display accepted

18.8.12 Distributed COM accepted

18.8.13 Driver Installation accepted

18.8.14 Early Launch Antimalware accepted

18.8.14 18.8.14. (L1) Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and ba accepted

18.8.15 Enhanced Storage Access accepted

18.8.16 File Classification Infrastructure accepted

18.8.17 File Share Shadow Copy Agent accepted

18.8.18 File Share Shadow Copy Provider accepted

18.8.19 Filesystem (formerly NTFS Filesystem) accepted

18.8.20 Folder Redirection accepted

18.8.21 Group Policy accepted

18.8.21 18.8.21. (L1) Ensure 'Configure registry policy processing: Do not apply during periodic background accepted

18.8.21 18.8.21. (L1) Ensure 'Configure registry policy processing: Process even if the Group Policy object accepted

18.8.21 18.8.21. (L1) Ensure 'Turn off background refresh of Group Policy' is set to 'Disabled' accepted

18.8.21.1 Logging and tracing accepted

18.8.22 Internet Communication Management accepted

18.8.22.1 Internet Communication settings accepted

18.8.22. 18.8.22.1 (L1) Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled' accepted

18.8.22. 18.8.22.1 (L1) Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is accepted

18.8.22. 18.8.22.1 (L1) Ensure 'Turn off printing over HTTP' is set to 'Enabled' accepted

18.8.23 iSCSI accepted

18.8.24 KDC accepted

18.8.25 Kerberos draft

18.8.26 Locale Services accepted
18.8.27 Logon accepted

18.8.27 18.8.27. (L1) Ensure 'Do not display network selection UI' is set to 'Enabled' accepted

18.8.27 18.8.27. (L1) Ensure 'Do not enumerate connected users on domain-joined computers' is set to 'En accepted

18.8.27 18.8.27. (L1) Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled' (MS o accepted

18.8.27 18.8.27. (L1) Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled' accepted

18.8.27 18.8.27. (L1) Ensure 'Turn off picture password sign-in' is set to 'Enabled' accepted

18.8.27 18.8.27. (L1) Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled' accepted

18.8.28 Mitigation Options draft

18.8.29 Net Logon accepted

18.8.30 OS Policies accepted

18.8.31 Performance Control Panel accepted

18.8.32 PIN Complexity accepted

18.8.33 Power Management accepted

18.8.33.1 Button Settings accepted

18.8.33.2 Energy Saver Settings accepted

18.8.33.3 Hard Disk Settings accepted

18.8.33.4 Notification Settings accepted

18.8.33.5 Power Throttling Settings accepted

18.8.33.6 Sleep Settings accepted

18.8.33. 18.8.33.6 (L1) Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled' accepted

18.8.33. 18.8.33.6 (L1) Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled' accepted

18.8.34 Recovery accepted

18.8.35 Remote Assistance accepted

18.8.35 18.8.35. (L1) Ensure 'Configure Offer Remote Assistance' is set to 'Disabled' accepted

18.8.35 18.8.35. (L1) Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled' accepted

18.8.36 Remote Procedure Call accepted

18.8.36 18.8.36. (L1) Ensure 'Enable RPC Endpoint Mapper Client Authentication' is set to 'Enabled' (MS on accepted

18.8.37 Removable Storage Access accepted

18.8.38 Scripts accepted

18.8.39 Server Manager accepted

18.8.40 Shutdown accepted

18.8.41 Shutdown Options accepted

18.8.42 Storage Health accepted

18.8.43 System Restore accepted
18.8.44 Troubleshooting and Diagnostics accepted

18.8.44.1 Application Compatibility Diagnostics accepted

18.8.44.2 Corrupted File Recovery accepted

18.8.44.3 Disk Diagnostic accepted

18.8.44.4 Fault Tolerant Heap accepted

18.8.44.5 Microsoft Support Diagnostic Tool accepted

18.8.44.6 MSI Corrupted File Recovery accepted

18.8.44.7 Scheduled Maintenance accepted

18.8.44.8 Scripted Diagnostics accepted

18.8.44.9 Windows Boot Performance Diagnostics accepted

18.8.44.10 Windows Memory Leak Diagnosis accepted

18.8.44.11 Windows Performance PerfTrack accepted

18.8.45 Trusted Platform Module Services accepted

18.8.46 User Profiles accepted

18.8.47 Windows File Protection accepted

18.8.48 Windows HotStart accepted

18.8.49 Windows Time Service accepted

18.8.49.1 Time Providers accepted

18.9 Windows Components accepted

18.9.1 Active Directory Federation Services accepted

18.9.2 ActiveX Installer Service accepted

18.9.3 Add features to Windows 8 / 8.1 / 10 (formerly Windows Anytime Upgrade) accepted

18.9.4 App Package Deployment draft

18.9.5 App Privacy accepted

18.9.6 App runtime accepted

18.9.6 18.9.6.1 (L1) Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled' accepted

18.9.7 Application Compatibility accepted

18.9.8 AutoPlay Policies accepted

18.9.8 18.9.8.1 (L1) Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled' accepted

18.9.8 18.9.8.2 (L1) Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute an accepted

18.9.8 18.9.8.3 (L1) Ensure 'Turn off Autoplay' is set to 'Enabled: All drives' accepted

18.9.9 Backup accepted

18.9.10 Biometrics draft

18.9.11 BitLocker Drive Encryption accepted
18.9.12 Camera draft

18.9.13 Cloud Content draft

18.9.14 Connect draft

18.9.15 Credential User Interface accepted

18.9.15 18.9.15. (L1) Ensure 'Do not display the password reveal button' is set to 'Enabled' accepted

18.9.15 18.9.15. (L1) Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled' accepted

18.9.16 Data Collection and Preview Builds draft

18.9.17 Delivery Optimization accepted

18.9.18 Desktop Gadgets draft

18.9.19 Desktop Window Manager accepted

18.9.20 Device and Driver Compatibility accepted

18.9.21 Device Registration (formerly Workplace Join) accepted

18.9.22 Digital Locker accepted

18.9.23 Edge UI accepted

18.9.24 EMET accepted

18.9.24 18.9.24. (L1) Ensure 'EMET 5.52' or higher is installed accepted

18.9.24 18.9.24. (L1) Ensure 'Default Action and Mitigation Settings' is set to 'Enabled' (plus subsettings) accepted

18.9.24 18.9.24. (L1) Ensure 'Default Protections for Internet Explorer' is set to 'Enabled' accepted

18.9.24 18.9.24. (L1) Ensure 'Default Protections for Popular Software' is set to 'Enabled' accepted

18.9.24 18.9.24. (L1) Ensure 'Default Protections for Recommended Software' is set to 'Enabled' accepted

18.9.24 18.9.24. (L1) Ensure 'System ASLR' is set to 'Enabled: Application Opt-In' accepted

18.9.24 18.9.24. (L1) Ensure 'System DEP' is set to 'Enabled: Application Opt-Out' accepted

18.9.24 18.9.24. (L1) Ensure 'System SEHOP' is set to 'Enabled: Application Opt-Out' accepted

18.9.25 Event Forwarding accepted

18.9.26 Event Log Service accepted

18.9.26.1 Application accepted

18.9.26. 18.9.26.1 (L1) Ensure 'Application: Control Event Log behavior when the log file reaches its maximum accepted

18.9.26. 18.9.26.1 (L1) Ensure 'Application: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 accepted

18.9.26.2 Security accepted

18.9.26. 18.9.26.2 (L1) Ensure 'Security: Control Event Log behavior when the log file reaches its maximum siz accepted

18.9.26. 18.9.26.2 (L1) Ensure 'Security: Specify the maximum log file size (KB)' is set to 'Enabled: 196,608 o accepted

18.9.26.3 Setup accepted

18.9.26. 18.9.26.3 (L1) Ensure 'Setup: Control Event Log behavior when the log file reaches its maximum size' accepted

18.9.26. 18.9.26.3 (L1) Ensure 'Setup: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or gr accepted

18.9.26.4 System accepted

18.9.26. 18.9.26.4 (L1) Ensure 'System: Control Event Log behavior when the log file reaches its maximum size accepted

18.9.26. 18.9.26.4 (L1) Ensure 'System: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or accepted

18.9.27 Event Logging accepted

18.9.28 Event Viewer accepted

18.9.29 Family Safety (formerly Parental Controls) accepted

18.9.30 File Explorer (formerly Windows Explorer) accepted

18.9.30 18.9.30. (L1) Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled' accepted

18.9.30 18.9.30. (L1) Ensure 'Turn off heap termination on corruption' is set to 'Disabled' accepted

18.9.30 18.9.30. (L1) Ensure 'Turn off shell protocol protected mode' is set to 'Disabled' accepted

18.9.30.1 Previous Versions accepted

18.9.31 File History accepted

18.9.32 Find My Device accepted

18.9.33 Game Explorer accepted

18.9.34 Handwriting accepted

18.9.35 HomeGroup accepted

18.9.36 Import Video accepted

18.9.37 Internet Explorer accepted

18.9.38 Internet Information Services accepted

18.9.39 Location and Sensors accepted

18.9.39.1 Windows Location Provider accepted

18.9.40 Maintenance Scheduler accepted

18.9.41 Maps accepted

18.9.42 MDM accepted

18.9.43 Messaging accepted

18.9.44 Microsoft account draft

18.9.45 Microsoft Edge accepted

18.9.46 Microsoft FIDO Authentication accepted

18.9.47 Microsoft Secondary Authentication Factor accepted

18.9.48 Microsoft User Experience Virtualization accepted

18.9.49 NetMeeting accepted

18.9.50 Network Access Protection accepted

18.9.51 Network Projector accepted

18.9.52 OneDrive (formerly SkyDrive) accepted
18.9.52 18.9.52. (L1) Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled' accepted

18.9.52 18.9.52. (L1) Ensure 'Prevent the usage of OneDrive for file storage on Windows 8.1' is set to 'Enab accepted

18.9.53 Online Assistance accepted

18.9.54 Password Synchronization accepted

18.9.55 Portable Operating System accepted

18.9.56 Presentation Settings accepted

18.9.57 Push To Install accepted

18.9.58 Remote Desktop Services (formerly Terminal Services) accepted

18.9.58.1 RD Licensing (formerly TS Licensing) accepted

18.9.58.2 Remote Desktop Connection Client accepted

18.9.58. 18.9.58.2 (L1) Ensure 'Do not allow passwords to be saved' is set to 'Enabled' accepted

18.9.58.2.1 RemoteFX USB Device Redirection accepted

18.9.58.3 Remote Desktop Session Host (formerly Terminal Server) accepted

18.9.58.3.1 Application Compatibility accepted

18.9.58.3.2 Connections accepted

18.9.58.3.3 Device and Resource Redirection accepted

18.9.58.3 18.9.58.3 (L1) Ensure 'Do not allow drive redirection' is set to 'Enabled' accepted

18.9.58.3.4 Licensing accepted

18.9.58.3.5 Printer Redirection accepted

18.9.58.3.6 Profiles accepted

18.9.58.3.7 RD Connection Broker (formerly TS Connection Broker) accepted

18.9.58.3.8 Remote Session Environment accepted

18.9.58.3.9 Security accepted

18.9.58.3 18.9.58.3 (L1) Ensure 'Always prompt for password upon connection' is set to 'Enabled' accepted

18.9.58.3 18.9.58.3 (L1) Ensure 'Require secure RPC communication' is set to 'Enabled' accepted

18.9.58.3 18.9.58.3 (L1) Ensure 'Set client connection encryption level' is set to 'Enabled: High Level' accepted

18.9.58.3.10 Session Time Limits accepted

18.9.58.3.11 Temporary folders accepted

18.9.58. 18.9.58.3 (L1) Ensure 'Do not delete temp folders upon exit' is set to 'Disabled' accepted

18.9.58. 18.9.58.3 (L1) Ensure 'Do not use temporary folders per session' is set to 'Disabled' accepted

18.9.59 RSS Feeds accepted

18.9.59 18.9.59. (L1) Ensure 'Prevent downloading of enclosures' is set to 'Enabled' accepted

18.9.60 Search accepted

18.9.60 18.9.60. (L1) Ensure 'Allow indexing of encrypted files' is set to 'Disabled' accepted

18.9.60.1 OCR accepted

18.9.61 Security Center accepted

18.9.62 Server for NIS accepted

18.9.63 Shutdown Options accepted

18.9.64 Smart Card accepted

18.9.65 Software Protection Platform accepted

18.9.66 Sound Recorder accepted

18.9.67 Speech accepted

18.9.68 Store accepted

18.9.69 Sync your settings accepted

18.9.70 Tablet PC accepted

18.9.71 Task Scheduler accepted

18.9.72 Text Input accepted

18.9.73 Windows Calendar accepted

18.9.74 Windows Color System accepted

18.9.75 Windows Customer Experience Improvement Program accepted

18.9.76 Windows Defender Antivirus (formerly Windows Defender) accepted

18.9.76 18.9.76. (L1) Ensure 'Turn off Windows Defender AntiVirus' is set to 'Disabled' accepted

18.9.76.1 Client Interface accepted

18.9.76.2 Exclusions accepted

18.9.76.3 MAPS accepted

18.9.76. 18.9.76.3 (L1) Ensure 'Configure local setting override for reporting to Microsoft MAPS' is set to 'Dis accepted

18.9.76.4 MpEngine accepted

18.9.76.5 Network Inspection System accepted

18.9.76.6 Quarantine accepted

18.9.76.7 Real-time Protection accepted

18.9.76. 18.9.76.7 (L1) Ensure 'Turn on behavior monitoring' is set to 'Enabled' accepted

18.9.76.8 Remediation accepted

18.9.76.9 Reporting accepted

18.9.76.10 Scan accepted

18.9.76. 18.9.76. (L1) Ensure 'Scan removable drives' is set to 'Enabled' accepted

18.9.76. 18.9.76. (L1) Ensure 'Turn on e-mail scanning' is set to 'Enabled' accepted

18.9.76.11 Signature Updates accepted

18.9.76.12 Threats accepted
18.9.76.13 Windows Defender Exploit Guard accepted

18.9.77 Windows Defender Application Guard accepted

18.9.78 Windows Defender Exploit Guard accepted

18.9.79 Windows Defender Security Center accepted

18.9.80 Windows Defender SmartScreen accepted

18.9.80.1 Explorer accepted

18.9.80. 18.9.80.1 (L1) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prev accepted

18.9.81 Windows Error Reporting accepted

18.9.81 18.9.81. (L1) Ensure 'Automatically send memory dumps for OS-generated error reports' is set to 'D accepted

18.9.81.1 Advanced Error Reporting Settings accepted

18.9.81.2 Consent accepted

18.9.81. 18.9.81.2 (L1) Ensure 'Configure Default consent' is set to 'Enabled: Always ask before sending data accepted

18.9.82 Windows Game Recording and Broadcasting accepted

18.9.83 Windows Hello for Business (formerly Microsoft Passport for Work) accepted

18.9.84 Windows Ink Workspace draft

18.9.85 Windows Installer accepted

18.9.85 18.9.85. (L1) Ensure 'Allow user control over installs' is set to 'Disabled' accepted

18.9.85 18.9.85. (L1) Ensure 'Always install with elevated privileges' is set to 'Disabled' accepted

18.9.86 Windows Logon Options accepted

18.9.86 18.9.86. (L1) Ensure 'Sign-in last interactive user automatically after a system-initiated restart' is set accepted

18.9.87 Windows Mail accepted

18.9.88 Windows Media Center accepted

18.9.89 Windows Media Digital Rights Management accepted

18.9.90 Windows Media Player accepted

18.9.91 Windows Meeting Space accepted

18.9.92 Windows Messenger accepted

18.9.93 Windows Mobility Center accepted

18.9.94 Windows Movie Maker accepted

18.9.95 Windows PowerShell accepted

18.9.95 18.9.95. (L1) Ensure 'Turn on PowerShell Script Block Logging' is set to 'Disabled' accepted

18.9.95 18.9.95. (L1) Ensure 'Turn on PowerShell Transcription' is set to 'Disabled' accepted

18.9.96 Windows Reliability Analysis accepted

18.9.97 Windows Remote Management (WinRM) accepted

18.9.97.1 WinRM Client accepted


18.9.97. 18.9.97.1 (L1) Ensure 'Allow Basic authentication' is set to 'Disabled' accepted

18.9.97. 18.9.97.1 (L1) Ensure 'Allow unencrypted traffic' is set to 'Disabled' accepted

18.9.97. 18.9.97.1 (L1) Ensure 'Disallow Digest authentication' is set to 'Enabled' accepted

18.9.97.2 WinRM Service accepted

18.9.97. 18.9.97.2 (L1) Ensure 'Allow Basic authentication' is set to 'Disabled' accepted

18.9.97. 18.9.97.2 (L1) Ensure 'Allow unencrypted traffic' is set to 'Disabled' accepted

18.9.97. 18.9.97.2 (L1) Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled' accepted

18.9.98 Windows Remote Shell accepted

18.9.99 Windows SideShow accepted

18.9.100 Windows System Resource Manager accepted

18.9.101 Windows Update accepted

18.9.101 18.9.101 (L1) Ensure 'Configure Automatic Updates' is set to 'Enabled' accepted

18.9.101 18.9.101 (L1) Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day' accepted

18.9.101 18.9.101 (L1) Ensure 'No auto-restart with logged on users for scheduled automatic updates installati accepted

18.9.101.1 Windows Update for Business (formerly Defer Windows Updates) draft

19 Administrative Templates (User) accepted

19.1 Control Panel accepted

19.1.1 Add or Remove Programs accepted

19.1.2 Display accepted

19.1.3 Personalization (formerly Desktop Themes) accepted

19.1.3 19.1.3.1 (L1) Ensure 'Enable screen saver' is set to 'Enabled' accepted

19.1.3 19.1.3.2 (L1) Ensure 'Force specific screen saver: Screen saver executable name' is set to 'Enabled accepted

19.1.3 19.1.3.3 (L1) Ensure 'Password protect the screen saver' is set to 'Enabled' accepted

19.1.3 19.1.3.4 (L1) Ensure 'Screen saver timeout' is set to 'Enabled: 900 seconds or fewer, but not 0' accepted

19.2 Desktop accepted

19.3 Network accepted

19.4 Shared Folders accepted

19.5 Start Menu and Taskbar accepted

19.5.1 Notifications accepted

19.5.1 19.5.1.1 (L1) Ensure 'Turn off toast notifications on the lock screen' is set to 'Enabled' accepted

19.6 System accepted

19.6.1 Ctrl+Alt+Del Options accepted

19.6.2 Driver Installation accepted

19.6.3 Folder Redirection accepted


19.6.4 Group Policy accepted

19.6.5 Internet Communication Management accepted

19.6.5.1 Internet Communication settings accepted

19.7 Windows Components accepted

19.7.1 Add features to Windows 8 / 8.1 / 10 (formerly Windows Anytime Upgrade) accepted

19.7.2 App runtime accepted

19.7.3 Application Compatibility accepted

19.7.4 Attachment Manager accepted

19.7.4 19.7.4.1 (L1) Ensure 'Do not preserve zone information in file attachments' is set to 'Disabled' accepted

19.7.4 19.7.4.2 (L1) Ensure 'Notify antivirus programs when opening attachments' is set to 'Enabled' accepted

19.7.5 AutoPlay Policies accepted

19.7.6 Backup accepted

19.7.7 Cloud Content draft

19.7.8 Credential User Interface accepted

19.7.9 Data Collection and Preview Builds accepted

19.7.10 Desktop Gadgets accepted

19.7.11 Desktop Window Manager accepted

19.7.12 Digital Locker accepted

19.7.13 Edge UI accepted

19.7.14 File Explorer (formerly Windows Explorer) accepted

19.7.15 File Revocation accepted

19.7.16 IME accepted

19.7.17 Import Video accepted

19.7.18 Instant Search accepted

19.7.19 Internet Explorer accepted

19.7.20 Location and Sensors accepted

19.7.21 Microsoft Edge accepted

19.7.22 Microsoft Management Console accepted

19.7.23 Microsoft User Experience Virtualization accepted

19.7.24 NetMeeting accepted

19.7.25 Network Projector accepted

19.7.26 Network Sharing accepted

19.7.26 19.7.26. (L1) Ensure 'Prevent users from sharing files within their profile.' is set to 'Enabled' accepted

19.7.27 Presentation Settings accepted


19.7.28 Remote Desktop Services (formerly Terminal Services) accepted

19.7.29 RSS Feeds accepted

19.7.30 Search accepted

19.7.31 Sound Recorder accepted

19.7.32 Store accepted

19.7.33 Tablet PC accepted

19.7.34 Task Scheduler accepted

19.7.35 Windows Calendar accepted

19.7.36 Windows Color System accepted

19.7.37 Windows Defender SmartScreen accepted

19.7.38 Windows Error Reporting accepted

19.7.39 Windows Hello for Business (formerly Microsoft Passport for Work) accepted

19.7.40 Windows Installer accepted

19.7.40 19.7.40. (L1) Ensure 'Always install with elevated privileges' is set to 'Disabled' accepted

19.7.41 Windows Logon Options accepted

19.7.42 Windows Mail accepted

19.7.43 Windows Media Center accepted

19.7.44 Windows Media Player accepted

19.7.44.1 Networking accepted

19.7.44.2 Playback accepted


scoring status description rationale statement
remediation procedure
audit procedure impact statement

accepted This section contains recommendations for account policies.

accepted This section contains recommendations for password


To establish policy.
the recommended configuration via GP, set the following UI path to `24 o
This policy setting The
determines
longer athe
user
number
uses theof renewed,
same password,
unique passwords
the greaterthat
the have
chanceto be
thatassociated
an attacker
with
cana determine
user account
the bp
full ``` Navigate to the UI The major impact of this configurati
The recommendedIfstate
you specify
for this asetting
lowComputer
number
is: `24 for
orConfiguration\Policies\Windows
more
this policy
password(s)`.
setting, users will beSettings\Security
able to use the same
Settings\Account
small numberPolicies
of pa
```
This policy
This
setting policy
prohibitssetting checks all new passwords to ensure that they meet basic requirements for strong passwords.
users from
This policy setting defines how long a user can use their password before it expires.
When
connecting this policy
to a is enabled, passwords must meet the following minimum requirements:
To establish the recommended configuration via GP, set the following UI path to `60 o
-- Not contain
computer from the user's account name or parts of the user's full name that exceed two consecutive characters
Values for this policy setting range from 0 to 999 days. If you set the value to 0, the password will never expire.
full across the The longer a passw ``` establish the recommended
To Navigate to the configuration
UI If the Maximum
via GP, password
set the following age setting UI path i to `1 or
-- Be at least
network, which six characters in length
Because
This policy attackers
setting determines
can crack passwords, the number Computer the
of days
moreConfiguration\Policies\Windows
that
frequently
you must youuse change
a password
the password
Settings\Security
before you the less can opportunity
change
Settings\Account
it. Thean attacker
rangePolicies
of ha
va
full would allow Users may have fav ``` establish the recommended
To Navigate to the configuration
UI If an administrator
via GP, setsets the afollowing
password UI fpath to `14 o
-- Contain
users to accesscharacters from three of the following four categories:
The recommended
This policy setting determines
state for this thesetting
least is `60
Computer
number
is: `1 ororConfiguration\Policies\Windows
fewer
of
more days, but
characters
day(s)`. thatnot make0`. upRequirements
a password
Settings\Security
forforaextremely
user Settings\Account
account.long Therepasswords are
Policies
many
can
full and potentially Types of passwordTo ```
``` establish the recommended Navigate to the UI If the default
configuration via GP, password
set the complexity
following UIconfiguration
path to `Ena
---- English
modify datauppercase characters (A through Z)
The recommended state for this setting Computer
is: `14 orConfiguration\Policies\Windows
more character(s)`. **Note:**Settings\Security
Older versionsSettings\Account
of Windows suchPolicies as Wi
full remotely. In high Passwords that con ```
``` establish the recommended
To Navigate to the UI If your organization
configuration via GP, set has more stringent
the following UI path security
to `Disa r
---- English lowercase characters (a through z)
security
This policy setting determines whether Computer
the operating Configuration\Policies\Windows
system stores passwords inSettings\Security a way that uses Settings\Account
reversible encryption, Policies wh
full environments, Enabling this poli ``` ``` Navigate to the UI Also, If yourthe organization
use of ALTuses key character
either the combinations
---- Base
there should 10 digits
be (0statethrough 9)
The recommended for this setting Computer
is: `Disabled`.
Configuration\Policies\Windows Settings\Security Settings\Account Policies
accepted no
Thisneed section
policy forsetting
contains recommendations
determines the length ``` establish
To for account
of time thelockout
that must
recommendedpolicy.
pass before configuration
a locked account via GP, is set
unlocked
the following
and a user UI pathcantotry`15 to o
lo
---- Non-alphabetic
remote users to characters (for example, !, $, #, %)
full access data
Although on a seem
it might A denial like of a good
servicidea ``` to
To configure
establish thethe Navigate
value for to
recommended this
the policy
UI If
Although
setting
configuration
this policyto
it may
via asetting
GP, high seem
setvalue,
is like such
theenabled,a good
following aa configuration
idea
UI
locked-out
path to `10 accowio
---- A catch-all category of any Unicode character that does not fall under the previous four categories. This fifth category c
computer.
This policy setting determines the number Computer Configuration\Policies\Windows
of failed logon attempts before the account Settings\Security
is locked. Setting Settings\Account
this policy toPolicies`0` do
full Instead,
The recommended
This policy filesetting Setting
state for
determines anthisaccount
thesetting ```
length```is:
To of`15
timeorbefore
establish more minute(s)`.
Navigate
the recommended
the Account to the UI If threshold
lockout you enforce
configuration via resets
GP, thissetsetting
tothe
zero. an
following
Theattacker
default
UI pathcould
value caus
to `15 for ot
Each additional
sharing should character in a password increasesthe
To establish its complexity exponentially. For instance, a seven-character, all lower-c
The recommended state for this setting Computer
is: `10 orConfiguration\Policies\Windows
fewer invalid logon attempt(s), Settings\Security but not 0`. Settings\Account Policies
be accomplished recommended
``` If you configure
full If you leave this policy Users setting
can accident
at its default``` value or configure Navigate the tovalue
the toUI an interval
do not that isthe
configuretooAccount
long,
this your Lockout
policy se Threshold
environment cout
The recommended
through the use state for this setting is: `Enabled`.
configuration via
Computer
To establish Configuration\Policies\Windows
the Settings\Security Settings\Account Policies
of network GP, set the
accepted The
This recommended
section contains state for this setting
recommendations ``` is:
for`15
recommended local or policies.
more minute(s)`.
servers. This following UI path
configuration via
accepted user right is intentionally blank andto
This section
`No One`:
exists
GP, to ensure the structure of Windows benchmarks is consistent.
configure
supersedes the the following UI
**Access thiscontains recommendations ```
accepted This section path: for user rights assignments.
computer from Computer
This security setting is used by Credential Manager during Backup and Restore. No accounts should have this user right, a
the network** Configuration\Pol
full If an account is gi ``` Navigate to the UI None - this is the default behavior.
This policy
user right if setting
an allows other users icies\Windows on the network to connect to the computer and is required by various network protoco
The recommended state for this setting is: `No One`.
Computer
account is setting Users Settings\Security
full This policy allows who can conn
a process Configuration\Pol
toTo assume
establish thethe identity Navigate
of any to
recommended userthe UI Ifthus
you gain
configuration
and remove
viaaccess
GP, the set **Access
tothethefollowingthis compu
resources UIthat
paththe to user
`No O
- **Levelto1both
subject - Domain Controller.** TheSettings\Local recommended state for this setting is: `Administrators, Authenticated Users, ENTER
This policy setting allows a user to adjust icies\Windows
the maximum amount of memory that is available to a process. The ability to adju
-policies.
**Level 1 - Member Server.** The recommended Policies\User state for this setting is: `Administrators, Authenticated Users`.
full The recommendedThe state **Act
for this
as part setting Settings\Security
```is:
To `No One`.
establish Navigate to the
the recommended UI There should
configuration via GP, beset littletheor following
no impactUIb path to `Adm
This policy setting determines which users Rightsor groups have the right to log on as a Remote Desktop Services client. If your o
The recommended state for this setting Settings\Local
Computer Configuration\Policies\Windows
is: `Administrators, LOCAL SERVICE, NETWORK Settings\Security SERVICE`. Settings\Local Policies\U
-This **Level 1This
-setting Assignment\Acce
full **Note:**
policy userA right
useriswith
determines considered
the
which Policies\User
```
** users
To a establish
``` "sensitive privilege"
can interactively
the Navigate
recommended for on
log the
totopurposes
the
configuration
computers of auditing.
UI Organizations
in via
yourGP, that have not
environment.
configure therestricte
Logons
followingthat UI arepath:
initia
Restrict this user right to the `Administrators`
Domain ss Credential group, and possibly the `Remote Desktop Users` group, to prevent unwanted
**Note:** A Member Server that holdsComputer Rights
the _WebConfiguration\Policies\Windows
Server (IIS)_ Role with _Web Server_ Settings\Security
Role Service Settings\Local
will require aPolicies\Uspecial e
Controller.** The Any Manager as a
full The `Guest` account is account
assignedwith Assignment\Acce
```
thist Touser
``` establish
right by the default. Navigate
Although
recommended to the
this UI
account
If you remove
configuration isvia
disabled
GP, these by default
configuredefault, groups,
the itfollowing
is recommended
y UI path:
- **Level 1 - Domain Controller.** Thetrusted
recommended recommendedcaller state for this setting is: `Administrators`.
**Note #2:** A Member Server with Microsoft ss this computer
Computer SQL Server installed will require a Settings\Security
Configuration\Policies\Windows special exceptionSettings\Local to this recommendation Policies\U
-state
**Level 1 - Member
for thissetting Any UsersServer.**
who The
can ```
recommended
change the time state
on a for this
computer setting
could is: `Administrators,
cause several Remote
problems. ForDesktop
example, Users`.
time stamps
full The recommended
This policy state
allows for
account
usersthiswith
tosetting from
```
```is:
t To
circumvent the
establishnetwork
`Administrators`.
file and Navigate
the recommended
directory to the
permissions UI Removal
configuration
to backvia of the
upGP,the**Allow
set
system.the log onuser
following
This through
UIright
pathistoenable
`Adm
setting is to ```
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\U
**Note:**
include: A Member Server that holds the _Remote Desktop Services_ Role
The risk from these types of events is mitigated on most Domain Controllers, Member Servers, and end- with _Remote Desktop Connection Broker_ R
full The recommended
This policy setting Users state who
determines for this are setting
which able ```
```is:
users
To `Administrators`.
establish
and groups Navigate
the recommended
can change to the
the UI Changes
configuration
time and date inon
via thethe
GP, membership
setinternal
the following of the
clock grou
ofUIthe
path computers
to `Adm
`Guests`. Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\U
**Note
-The**Level #2:** - The
1This above lists are
- All client desktopto becomputers
treated as and whitelists,
Member which implies
Servers usethat
thethe above principals
authenticating Domain need not be present
Controller as theirfor inb
full **Note:**
recommended user right
stateisforconsidered
this setting ```
To a is:
``` "sensitive
establish privilege"
`Administrators,
the Navigate
recommended for the
LOCAL purposes
to SERVICE`.
the UI There
configurationof auditing.
should
via GP, beset no theimpact, because
following t to `Adm
UI path
Member - All Domain Controllers in a domain nominate the Primary Domain Controller (PDC) Emulator operation
This setting determines which users can ComputerchangeConfiguration\Policies\Windows
the time zone of the computer. Settings\Security This ability holds no Settings\Local
great dangerPolicies\U for the c
**Note
Server.** #3:**TheIn all versions
- All PDCofEmulator Windowsoperations Server prior to Server
masters follow2008 theR2, **Remote
hierarchy DesktopinServices**
of domains the selection wasofknown as **Term
their inbound t
full **Note:** Discrepancies Changing between the time the To```
time on the local
``` establish computer
Navigateand
the recommended to theonUI the Domain
None
configuration viaControllers
- this is
GP, theset default
thein following
your environment
behavior. UI path tomay `Adm c
recommended - The PDC Emulator operations master at the root of the domain is authoritative for the organization. The
The recommended
This policy setting allows state for usersthistosetting Computer
change is: the
`Administrators,
Configuration\Policies\Windows
size of the pagefile.LOCALBy SERVICE`.
making theSettings\Security
pagefile extremely Settings\Local
large or extremely Policies\U sma
state for this ```
full This policy setting Users allows who can cha
a process toTo```
create
establish
an access Navigate
the recommended
token, which to the UI None
configuration
may provide - this
via is
elevated
GP, theset default
rights
the to behavior.
following
accessUI sensitive
path to data.`No O
setting is to This vulnerability becomes much more serious if an attacker is able to change the system time and then
The recommended
This policy setting A state
user for
determines this
account setting
whetherthatComputer
isis:
users `Administrators`.
given can Configuration\Policies\Windows
this user right
create global has complete
objects that control Settings\Security
over the
are available to allsystem Settings\Local
sessions.and can Users leadcanPolicies\U
to still
the crea
sys
include: `Guests, ```
full The recommended state for this setting ```is:
To `No One`.
establish Navigate to the
the recommended UI None - this
configuration via is
GP, theset default behavior.
the following UI path to `Adm
Local account
Users who can create The global
operating objectssystem Computer
could examines
affectConfiguration\Policies\Windows
a user's access
processes that runtoken undertoother
determine
Settings\Security
users' the level ofThis
sessions. Settings\Local
the user's
capability privileges.
Policies\U
could Ac
lead
and member of
full **Note:** This userUsers right iswho considered
can crea ```
To a establish
``` "sensitivethe privilege"Navigate
recommended for the to purposes
the UI None
configurationof auditing.
- this
via is
GP, theset default behavior.
the following UI path to `No O
Administrators
The recommended
This user right is useful statetofor this setting
kernel-mode Computer
is: `Administrators,
components Configuration\Policies\Windows
that extend LOCAL theSERVICE, NETWORK
object namespace.Settings\Security SERVICE,
However, Settings\Local
SERVICE`.
components Policies\U
that run in k
This policy setting determines which users can create symbolic links. In Windows Vista, existing NTFS file system objects,
group`.
full Users who have the ```
``` implement the recommended
To Navigate to theconfiguration
UI None - this is theconfigure
state, default behavior.
the following UI path:
**Note:**
The A Memberstate
recommended Server for with
this Microsoft
setting is: SQL
Computer Server
`No One`. _and_ its optional "Integration
Configuration\Policies\Windows Services" component
Settings\Security Settings\Local installed will req
Policies\U
Symbolic links can potentially expose security vulnerabilities in applications that are not designed to use them. For this reas
**Caution:**
full This policy setting Users determines who have whichthe ```
``` establish
user
To accountsthe Navigate
willrecommended
have to the
the right toUI Inyoumost
configuration
attach
If cases
arevoke
debugger
via GP, there
this set
to
user willright,
any
the be no noimpact
following
process one
orUItowill
path
thebetokernel,
able
`Adm t
Configuring a
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\U
- **Level 1 -(non-
standalone Domain Controller.** The recommended state for this setting is: `Administrators`.
full The recommendedThe state **Debug
for this progra
setting ```
```is:
To `Administrators`.
establish Navigate to the
the recommended UI The service
configuration via GP,accountconfigurethat isthe used for theUI
following cluster
path:s
- **Level 1 - Member Server.** The recommended state for this setting is: `Administrators` and (when the _Hyper-V_ Role i
domain-joined)
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\U
server as
full **Note:**
This policyThis userUsers
setting right iswho
determines considered
can
which ```
To a establish
logaccounts
``` "sensitive privilege"
will the
not ablefortothe
beNavigate
recommended to purposes
log the
on UI Tools
If you
configuration
to the of auditing.
thatviaare
configure
computer GP, asused
the
set
a batchto manage
**Deny
the job.access
following processes
A batch UItopath
job istowill
not be
inclua
described above
Computer Configuration\Policies\Windows If you Settings\Security
assign the **DenySettings\Local log on as a batch Policies\U
job** u
may result in an
full user rightsetting
This security supersedes
Accounts
determines the
that **Log
hav To
which ```
on
```service
as a batch
establish accounts
thejob** Navigate
userprevented
recommended
are right,
to which
the UI could
configuration
from beviaused
registering GP,a to allow
process
set theaccounts
as
following
a service. to
UIschedule
path
Thistouser jobs
incluri
inability to
Computer Configuration\Policies\Windows For example,
Settings\Security
if you assign Settings\Local
this user right Policies\U
to the `
remotely
This policy setting determines whether users can log on as Remote Desktop clients. After the baseline Member Server is jo
full The recommended
This security setting Accounts
state for this
determines that which
setting
can To ```
```users
is to include:
establish the `Guests`.
are prevented Navigate
recommended to the
from logging UIon
If at
you
configuration assign
the theset
computer.
via GP, **Deny
This log onsetting
the policy
following asUIa path
supersedes
to inclu
administer the
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\U
-server.
**Level 1 - Domain Controller.** The recommended state for this setting is: `Guests`.
full **Note:**
The This security
recommended Any
statesetting
account
for this does
with not
setting ```
```apply
thTo is to the
to include:
establish the `System`,
`Guests`.
Navigate
recommended `Local
to theService`,
UI If youorassign
configuration `Network
via GP, Service`
theconfigure
**Deny log accounts.
theonfollowing
local UI path:
- **Level 1 - Member Server.** The recommended state for this setting is: `Guests, Local account`.
This policy setting allows users to change Computer Configuration\Policies\Windows
the Trusted for Delegation setting on aSettings\Security
computer object Settings\Localin Active Directory. Policies\U
Abus
**Note:** The
full **Important:** If you Any apply
accountthis security
with t To ```policy to the
establish the `Everyone`
Navigategroup,
recommended to the no
UIone
If you
configuration willassign
be
viaable
GP,theto log on log
**Deny
configure locally.
theonfollowing
throu UI path:
security identifier
**Caution:** Configuring a standalone (non-domain-joined) server as described above may result in an inability to remotely
- **Level 1 - Domain Controller.** TheComputer recommended Configuration\Policies\Windows Settings\Security Settings\Local Policies\U
state for this setting is: `Administrators`.
`Local account
full Misuse of the **EnTo ```
``` establish the recommended Navigate to the UI None - this
configuration via is
GP, theset default behavior.
the following UI path to `Adm
and member
**Note:** Theofsecurity identifier `Local account` is not available in Server 2008 R2 and Server 2012 (non-R2) unless [MSKB
- **Level
This policy 1 -setting
Member Server.**
allows users The
to recommended
shut Computer
down Configuration\Policies\Windows
Windows stateVista-based
for this setting and is: `No One`.
newer Settings\Security
computers from Settings\Local
remote locations Policies\U
on the net
Administrators
full group` is Any user who can ```
not In all versions s``` Navigate to the UI If you remove the **Force shutdown fr
**Note #2:** of Windows Server prior to Server 2008 R2, **Remote Desktop Services** was known as **Term
**Note:**
The This user right
recommended stateisforconsidered
this setting a is:
"sensitive
Computer privilege" for the purposes of Settings\Security
`Administrators`.
Configuration\Policies\Windows auditing. Settings\Local Policies\U
available in
```
Server 2008 R2
and Server 2012
(non-R2) unless
[MSKB 2871997]
The policy setting allows programs that run on behalf of a user to impersonate that user (or another specified account) so t

This policy
Services setting
that determines
are started by thewhich users
Service or processes
Control Managercan generate
have audit
the built-in records
Service in theadded
group Security log.
by default to their access to

The recommended
Also, state for this
a user can impersonate an setting
access To is:establish
`LOCAL
token if anythe
SERVICE,
recommended
of NETWORK
the following configuration
SERVICE`.
conditions via GP, set the following UI path to `LOC
exist:
- The access token that is being impersonated is for this user.
full -**Note:**
The user,This
in this
userlogon
An
right
attacker
session,
is considered
couldlogged
uTo
```
a establish
"sensitive
on to the the network
privilege"
recommended
Navigate
with
for explicit
the
to purposes
the
configuration
credentials
UI On of most
auditing.
via
tocomputers,
create
GP, configure
the this
accessisthe
the
token.
following
defaul UI path:
- The requested level is less than Impersonate, Computer Configuration\Policies\Windows
such as Anonymous or Identify. Settings\Security Settings\Local Policies\U
full **Note #2:** A Member Server with
An attacker that th holds
```
To the _Web
``` establish theServer (IIS)_ to
recommended
Navigate Rolethe with
UI In_Web
most Server_
configuration cases
via GP,this Role Service
setconfiguration
the following willwill
require
UI a speci
path to `Adm
An attacker
This policy setting
with thedetermines
**Impersonatewhether a Computer
client
users after
can Configuration\Policies\Windows
authentication**
increase the base user priority
right could
classSettings\Security
create
of a process.
a service,
(It is
Settings\Local
trick
not aa client
privileged
toPolicies\U
make
operati
the
full **Note
This #3:**setting
policy A Member
A user
allows Server
who isthat
users toassi holds
```
dynamically
To the _Active
``` establish loadthe a Directory
newNavigate
recommended
deviceFederation
to the
driver UI Services_
onNone
configuration viaRole
- this
a system. is
An
GP,thewill require
default
attacker
set the a potentially
special
behavior.
could
following exception
UI path use thist
to `Adm
- **Level
The 1 - Domainstate
recommended Controller.** TheComputer
for this setting recommended
is: `Administrators`. state for this setting is: ``Administrators,
Configuration\Policies\Windows Settings\Security LOCAL SERVICE, Policies\U
Settings\Local NETWOR
full - **Level
The 1 - Member
recommended Server.**
Device
state for thisThe
drivers recommended
setting
run ```
```is:
To state
`Administrators`.
establish the for this setting
Navigate
recommended to the is:
UI `Administrators,
If you remove
configuration via GP, LOCAL
the
set**Load SERVICE,
and unload
the following UINETWORK
d to `No S
path O
This policy setting determines which users can change the auditing options for files and directories and clear the Security lo
This policy setting allows a process toComputer keep dataConfiguration\Policies\Windows
in physical memory, which prevents Settings\Security
the system from Settings\Local
paging thePolicies\U
data to vi
full **Note:** This userUsers
right iswith
considered
the **L To ```
```
a establish
"sensitivethe privilege"
Navigate
for the
recommended to purposes
the UI None of auditing.
configuration - this
via isGP,theconfigure
default behavior.
the following UI path:
For environments running Microsoft Exchange Server, the `Exchange Servers` group must possess this privilege on Doma
The recommended state for this setting Computer
is: `No One`.
Configuration\Policies\Windows Settings\Security Settings\Local Policies\U
full **Note #2:** A Member Servertowith
The ability manMicrosoft
```
``` establish
To SQLthe Server _and_ its
Navigate
recommended optional
to the UI None"Integration
configuration - this
via isGP, Services"
the default
set component
behavior.
the following installed
UI path willO
to `No
- **Level 1 - Domain Controller.** The recommended state for this setting is: `Administrators` and (when Exchange is runni
This privilege determines which user Computer accounts can Configuration\Policies\Windows
modify the integrity label of objects, Settings\Security
such as files,Settings\Local
registry keys, Policies\U
or proce
- **Level 1 - Member Server.** The recommended state for this setting is: `Administrators`.
full This policy setting By modifying
allows users to theconfigure
i To
```
``` establish
the system-wide Navigate
the recommended to the
environment UI None
configuration - this
variables via is
that
GP,the default
affect
set the behavior.
hardware
following configuration.
UI path to `AdmThis
The recommended state for this setting Computer
is: `No One`.
Configuration\Policies\Windows Settings\Security Settings\Local Policies\U
**Note:** This user right is considered a "sensitive privilege" for the purposes of auditing.
full The recommendedAnyone state forwhothisissetting
assiTo
```
```is: `Administrators`.
establish Navigate to the
the recommended UI None - this
configuration via isGP,theset
default behavior.
the following UI path to `Adm
This policy setting allows users to manage Computer Configuration\Policies\Windows
the system's volume or disk configuration, Settings\Security
which could Settings\Local
allow a user toPolicies\U
delete a v
full **Note:** This userArightuseriswho
considered
is assi To ```
a establish
``` "sensitivethe privilege" for the
Navigate
recommended to purposes
the UI None of auditing.
configuration - this
via isGP,theset
default behavior.
the following UI path to `Adm
The recommended
This state for this
policy setting determines setting
which Computer
usersis: `Administrators`.
can useConfiguration\Policies\Windows
tools to monitor the performance Settings\Security
of non-system Settings\Local Policies\U
processes. Typically, y
full
This policy setting allows one process or service to start another service or process with a different security access token, w
The **Profile sing
To establish the recommended configuration via GP, set the following UI path to `Adm
Navigate to the UI
If you remove the **Profile single pr
The recommended state for this setting is: `Administrators`.
This policy setting allows users to use tools to view the performance of different system processes, which could be abused
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\U
full
The recommended state for this setting is: `LOCAL SERVICE, NETWORK SERVICE`.
The **Profile syst
To establish the recommended configuration via GP, set the following UI path to `LO
Navigate to the UI
None - this is the default behavior.
The recommended state for this setting is: `Administrators, NT SERVICE\WdiServiceHost`.
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\U
full
This policy setting determines which users can bypass file, directory, registry, and other persistent object permissions when
**Note:** This user right is considered a "sensitive privilege" for the purposes of auditing.
Users with the **R
To establish the recommended configuration via GP, set the following UI path to `Adm
Navigate to the UI
On most computers, this is the defaul
An attacker with the **Restore files and directories** user right could restore sensitive data to a compute
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\U
full
The recommended state for this setting is: `Administrators`.
**Note #2:** A Member Server that holds the _Web Server (IIS)_ Role with _Web Server_ Role Service will require a speci
To establish the recommended configuration via GP, set the following UI path to `Adm
Navigate to the UI
If you remove the **Restore files and
**Note:** Even if the following countermeasure is configured, an attacker could still restore data to a com
This policy setting determines which users who are logged on locally to the computers in your environment can shut down
The ability to shut down Domain Controllers and Member Servers should be limited to a very small numb
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\U
full
This policy setting allows users to take ownership of files, folders, registry keys, processes, or threads. This user right bypa
**Note #3:** A Member Server with Microsoft SQL Server installed will require a special exception to this recommendation
**Note:** This user right is considered a "sensitive privilege" for the purposes of auditing.
A user
To establish the recommended configuration via GP, set the following UI path to `Adm
Navigate to the UI
The impact of removing these default
When a Domain Controller is shut down, it is no longer available to process logons, serve Group Policy,
The recommended state for this setting is: `Administrators`.
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\U
full
The recommended state for this setting is: `Administrators`.
Any users with the
Navigate to the UI
None - this is the default behavior.
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\U
accepted
This section contains recommendations for security options.
**Note:** This user right is considered a "sensitive privilege" for the purposes of auditing.

accepted
This section contains recommendations related to default accounts.

To establish the recommended configuration via GP, set the following UI path to `Disa
This policy setting enables or disables the Administrator account during normal operation. When a computer is booted into
Maintenance issues can arise under certain circu
full
In some organizati
To establish the recommended configuration via GP, set the following UI path to `Use
Navigate to the UI Path articulated in the Remediation section and
The recommended state for this setting is: `Disabled`.
This policy setting prevents users from adding new Microsoft accounts on the computer.
If the current Administrator password does not m
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S
full
This policy setting determines whether the Guest account is enabled or disabled. The Guest account allows unauthenticate
Organizations that
To establish the recommended configuration via GP, set the following UI path to `Disa
Users will not be able to log on to th
The recommended state for this setting is: `Users can't add or log on with Microsoft accounts`.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curren
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S
full
The recommended state for this setting is: `Disabled`.
The default Guest
To establish the recommended configuration via GP, set the following UI path to `Ena
Navigate to the UI Path articulated in the Remediation section and
All network users will need to authe
This policy setting determines whether local accounts that are not password protected can be used to log on from locations
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S
full
**Note:** This setting will have no impact when applied to the Domain Controllers organizational unit via group policy becau
Blank passwords ar
To establish the recommended configuration via GP, configure the following UI path:
None - this is the default behavior.
The recommended state for this setting is: `Enabled`.
The Administrator account exists on all computers that run the Windows 2000 or later operating systems
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S
full
The built-in local
To establish the recommended configuration via GP, configure the following UI path:
Navigate to the UI
You will have to inform users who ar
The built-in Administrator account cannot be locked out, regardless of how many times an attacker migh
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S
full
The built-in local
The Guest account
Navigate to the UI
There should be little impact, becaus
This policy setting allows administrators to enable the more precise auditing capabilities present in Windows Vista.
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S
accepted
This section contains recommendations related to auditing controls.
To establish the recommended configuration via GP, set the following UI path to `Ena
Navigate to the UI Path articulated in the Remediation section and
The Audit Policy settings available in Windows Server 2003 Active Directory do not yet contain settings for managing the n
full
This policy setting determines whether the system shuts down if it is unable to log Security events. It is a requirement for T
Prior to the introd
To establish the recommended configuration via GP, set the following UI path to `Disa
Navigate to the UI Path articulated in the Remediation section and
None - this is the default behavior.
The recommended state for this setting is: `Enabled`.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S
full
If the Audit: Shut down system immediately if unable to log security audits setting is enabled, unplanned system failures ca
If the computer is
None - this is the default behavior.
**Important:** Be very cautious about audit settings that can generate a large volume of traffic. For example, if you enable
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
The recommended state for this setting is: `Disabled`.

accepted
This section contains recommendations related to managing devices.

To establish the recommended configuration via GP, set the following UI path to `Adm
Navigate to the UI Path articulated in the Remediation section and
This policy setting determines who is allowed to format and eject removable NTFS media. You can use this policy setting to
full
Users may be able to
For a computer to print to a shared printer, the driver for that shared printer must be installed on the local computer. This se
To establish the recommended configuration via GP, set the following UI path to `Ena
Navigate to the UI Path articulated in the Remediation section and
None - this is the default behavior.
The recommended state for this setting is: `Administrators`.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Cu
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S
full
The recommended state for this setting is: `Enabled`.
It may be appropri
None - this is the default behavior.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Pri
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S
accepted
This section contains recommendations related to Domain Controllers.
**Note:** This setting does not affect the ability to add a local printer. This setting does not affect Administrators.
None - this is the default behavior. However, onl
accepted
This section contains recommendations related to domain membership.
To establish the recommended configuration via GP, set the following UI path to `Ena
Navigate to the UI Path articulated in the Remediation section and
This policy setting determines whether all secure channel traffic that is initiated by the domain member must be signed or e
When a computer joins a domain, a computer account is created. After it joins the domain, the computer
- The ability to create or delete trust relationships
full
To establish the recommended configuration via GP, set the following UI path to `Ena
Navigate to the UI Path articulated in the Remediation section and
- Logons from clients running versions of Window
The recommended state for this setting is: `Enabled`.
This policy setting determines whether a domain member should attempt to negotiate encryption for all secure channel traf
Digital encryption and signing of the secure channel is a good idea where it is supported. The secure ch
When a computer joins a domain, a computer account is created. After it joins the domain, the computer
- The ability to authenticate other domains' users
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\N
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S
full
None - this is the default behavior.
The recommended state for this setting is: `Enabled`.
Digital encryption and signing of the secure channel is a good idea where it is supported. The secure ch
You can enable this policy setting after you elimi
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\N
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S
To establish the recommended configuration via GP, set the following UI path to `Ena
Navigate to the UI Path articulated in the Remediation section and
This policy setting determines whether a domain member should attempt to negotiate whether all secure channel traffic tha
When a computer joins a domain, a computer account is created. After it joins the domain, the computer
full
To establish the recommended configuration via GP, set the following UI path to `Disa
Navigate to the UI Path articulated in the Remediation section and
None - this is the default behavior.
The recommended state for this setting is: `Enabled`.
This policy setting determines whether a domain member can periodically change its computer account password. Comput
Digital encryption and signing of the secure channel is a good idea where it is supported. The secure ch
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\N
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S
full
This policy setting determines the maximum allowable age for a computer account password. By default, domain members
The default config
To establish the recommended configuration via GP, set the following UI path to `30 o
None - this is the default behavior.
The recommended state for this setting is: `Disabled`.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\N
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S
full
The recommended state for this setting is: `30 or fewer days, but not 0`.
When this policy setting is enabled, a secure channel can only be established with Domain Controllers that are capable of
In Active Director
To establish the recommended configuration via GP, set the following UI path to `Ena
Navigate to the UI Path articulated in the Remediation section and
None - this is the default behavior.
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S
full
**Note:** A value of `0` does not conform to the benchmark as it disables maximum password age.
To enable this policy setting, all Domain Controllers in the domain must be able to encrypt secure channel data with a stron
Session keys that
None - this is the default behavior.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\N
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S
accepted
This section contains recommendations related to interactive logons.
The recommended state for this setting is: `Enabled`.
To establish the recommended configuration via GP, set the following UI path to `Ena
Navigate to the UI Path articulated in the Remediation section and
This policy setting determines whether the account name of the last user to log on to the client computers in your organizat
full
An attacker with a
To establish the recommended configuration via GP, set the following UI path to `Disa
Navigate to the UI Path articulated in the Remediation section and
The name of the last user to successf
The recommended state for this setting is: `Enabled`.
This policy setting determines whether users must press CTRL+ALT+DEL before they log on.
Microsoft developed this feature to make it easier for users with certain types of physical impairments to
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curren
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S
full
Windows notices inactivity of a logon session, and if the amount of inactive time exceeds the inactivity limit, then the screen
To establish the recommended configuration via GP, set the following UI path to `900
Navigate to the UI Path articulated in the Remediation section and
Users must press CTRL+ALT+DEL befor
The recommended state for this setting is: `Disabled`.
An attacker could install a Trojan horse program that looks like the standard Windows logon dialog box a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curren
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S
full
The recommended state for this setting is: `900 or fewer second(s), but not 0`.
If a user forgets t
To establish the recommended configuration via GP, configure the following UI path to
Navigate to the UI Path articulated in the Remediation section and
The screen saver will automatically
Displaying a warning message before logon may help prevent an attack by warning the attacker about th
Users will have to acknowledge a dialog box con
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curren
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S
full
**Note:** A value of `0` does not conform to the benchmark as it disables the machine inactivity limit.
This policy settin
To establish the recommended configuration via GP, configure the following UI path to
Navigate to the UI Path articulated in the Remediation section and
**Note:** Any warning that you display should first be approved by your organization's legal and human
**Note:** Windows Vista and Windows XP Profe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curren
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S
full
This policy setting
Displaying a warni
To establish the recommended configuration via GP, set the following UI path to a val
Navigate to the UI Path articulated in the Remediation section and
Users will have to acknowledge a dialog box with
This policy setting determines how far in advance users are warned that their password will expire. It is recommended that
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curren
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S
full
It is recommended
To implement the recommended configuration via GP, set the following UI path to `En
Navigate to the UI Path articulated in the Remediation section and
Users will see a dialog box prompt
The recommended state for this setting is: `between 5 and 14 days`.
Logon information is required to unlock a locked computer. For domain accounts, this security setting determines whether the workstation
If you select `Lock Workstation`, i
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Cu
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S
full
By default, the co
To establish the recommended configuration via GP, set the following UI path to `Lock
Navigate to the UI Path articulated in the Remediation section and
When the console on a computer is loc
The recommended state for this setting is: `Enabled`.
This policy setting determines what happens when the smart card for a logged-on user is removed from the smart card rea
If you select `Force Logoff`, users are automatica
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Cu
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S
full
Users sometimes fo
The recommended state for this setting is: `Lock Workstation`.
Configuring this setting to `Disconnect if a Remote Desktop Se
The Microsoft network client will not communicat
If you select `Force Logoff` or `Disconnect if a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Cu
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S
accepted
This section contains recommendations related to configuring the Microsoft network client.
This policy setting determines whether packet signing is required by the SMB client component.
To establish the recommended configuration via GP, set the following UI path to `Ena
Navigate to the UI Path articulated in the Remediation section and
Session hijacking uses tools that allow attackers who have access to the same network as the client or s
The Windows 2000 Server, Windows 2000 Profe
Enforcing this setting on computers used by peo
None - this is the default behavior.
full
**Note:** When Windows Vista-based computers have this policy setting enabled and they connect to file or print shares on
This policy setting determines whether the SMB client will attempt to negotiate SMB packet signing.
To establish the recommended configuration via GP, set the following UI path to `Ena
Navigate to the UI Path articulated in the Remediation section and
SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the ba
Session hijacking uses tools that allow attackers who have access to the same network as the client or s
The Windows 2000 Server, Windows 2000 Profe
Implementation of SMB signing may negatively a
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\La
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S
full
The recommended state for this setting is: `Enabled`.
**Note:** Enabling this policy setting on SMB clients on your network makes them fully effective for packet signing with all c
This policy setting determines whether the SMB redirector will send plaintext passwords during authentication to third-party
To establish the recommended configuration via GP, set the following UI path to `Disa
Navigate to the UI Path articulated in the Remediation section and
SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the ba
When SMB signing policies are enabled on Dom
Implementation of SMB signing may negatively a
None - this is the default behavior.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\La
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S
full
The recommended state for this setting is: `Enabled`.
It is recommended that you disable this policy setting unless there is a strong business case to enable it. If this policy settin
If you enable this
Some very old applications and operating system
When SMB signing policies are enabled on Dom
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\La
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S
accepted
This section contains recommendations related to configuring the Microsoft network server.
The recommended state for this setting is: `Disabled`.
This policy setting allows you to specify the amount of continuous idle time that must pass in an SMB session before the se
To establish the recommended configuration via GP, set the following UI path to `15 o
Navigate to the UI Path articulated in the Remediation section and
The Microsoft network server will not communica
full
A value of 0 appears to allow sessions to persist indefinitely. The maximum value is 99999, which is over 69 days; in effect
Each SMB session c
To establish the recommended configuration via GP, set the following UI path to `Ena
Navigate to the UI Path articulated in the Remediation section and
There will be little impact because SM
This policy setting determines whether packet signing is required by the SMB server component.
Session hijacking uses tools that allow attackers who have access to the same network as the client or s
The Windows 2000 Server, Windows 2000 Profe
The Microsoft network server will negotiate SMB
Enable this policy setting
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\La
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S
full
The recommended state for this setting is: `15 or fewer minute(s), but not 0`.
This policy setting determines whether the SMB server will negotiate SMB packet signing with clients that request it. If no s
To establish the recommended configuration via GP, set the following UI path to `Ena
Navigate to the UI Path articulated in the Remediation section and
The recommended state for this setting is: `Enabled`.
SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the ba
Session hijacking uses tools that allow attackers who have access to the same network as the client or s
The Windows 2000 Server, Windows 2000 Profe
Implementation of SMB signing may negatively a
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\La
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S
full
**Note:** Enable this policy setting on SMB clients on your network to make them fully effective for packet signing with all c
This security setting determines whether to disconnect users who are connected to the local computer outside their user ac
To establish the recommended configuration via GP, set the following UI path to `Ena
Navigate to the UI Path articulated in the Remediation section and
This policy setting controls the level of validation a computer with shared folders or printers (the server) performs on se
SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the ba
When SMB signing policies are enabled on Dom
Implementation of SMB signing may negatively a
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\La
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S
full
The recommended state for this setting is: `Enabled`.
If your organization configures logon hours for users, this policy setting is necessary to ensure they are effective.
If your organizati
To establish the recommended configuration via GP, set the following UI path to `Acc
Navigate to the UI Path articulated in the Remediation section and
None - this is the default behavior.
All Windows operating systems support both ac
The server message block (SMB) protocol provides the basis for file and print sharing and other networking operations, suc
When SMB signing policies are enabled on Dom
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\La
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S
full
The recommended state for this setting is: `Enabled`.
The identity of a
If configured to `Accept if provided by client`, the
The recommended state for this setting is: `Accept if provided by client`.
This policy setting determines which registry paths and sub-paths will be accessible over the network, regardless of the use
Configuring this setting to `Required from client` a
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\La
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S
accepted
This section contains recommendations related to network access.
To establish the recommended configuration via GP, set the following UI path to `Disa
If configured to `Required from client`, the SMB c
**Note:** Since the release of the MS [KB3161561](https://support.microsoft.com/en-us/kb/3161561) security patch, this setting sa
This policy setting determines whether an anonymous user can request security identifier (SID) attributes for another user,
In Windows XP this setting is called "Network access: Remotely accessible registry paths," the setting with that se
full
This policy setting controls the ability of anonymous users to enumerate the accounts in the Security Accounts Manager (S
If this policy set
To establish the recommended configuration via GP, set the following UI path to `Ena
Navigate to the UI Path articulated in the Remediation section and
None - this is the default behavior.
The recommended state for this setting is: `Disabled`.
**Note #2:** When you configure this setting you specify a list of one or more objects. The delimiter used when entering the
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S
full
The recommended state for this setting is: `Enabled`.
This policy setting controls the ability of anonymous users to enumerate SAM accounts as well as shares. If you enable this
An unauthorized us
To establish the recommended configuration via GP, set the following UI path to `Ena
Navigate to the UI Path articulated in the Remediation section and
None - this is the default behavior.
To establish the recommended configuration via GP, set the following UI path to: `Sys
The recommended state for this setting is:
System\CurrentControlSet\Services\Eventlog
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S
full
**Note:** This policy has no effect on Domain Controllers.
The recommended state for this setting is: `Enabled`.
This policy setting determines which registry paths will be accessible over the network, regardless of the users or groups lis
An unauthorized us
To establish the recommended configuration via GP, set the following UI path to `Disa
Navigate to the UI Path articulated in the Remediation section and
It will be impossible to establish t
This policy setting determines which communication sessions, or pipes, will have attributes and permissions that allow ano
Software\Microsoft\OLAP Server
This policy setting determines what additional permissions are assigned for anonymous connections to the computer.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S
Software\Microsoft\Windows NT\CurrentVersion\Print
full
**Note:** This policy has no effect on Domain Controllers.
This setting does not exist in Windows XP. There was a setting with that name in Windows XP, but it is called "Ne
An unauthorized u
System\CurrentControlSet\Control\Print\Printers
To establish the recommended configuration via GP, configure the following UI path:
Navigate to the UI Path articulated in the Remediation section and
None - this is the default behavior.
The recommended state for this setting is:
Software\Microsoft\Windows NT\CurrentVersion\Windows
The recommended state for this setting is: `Disabled`.
System\CurrentControlSet\Services\Eventlog
To establish the recommended configuration via GP, set the following UI path to: `Sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S
System\CurrentControlSet\Control\ContentIndex
full
**Note #2:** When you configure this setting you specify a list of one or more objects. The delimiter used when entering the
Limiting named pip
Software\Microsoft\OLAP Server
System\CurrentControlSet\Control\Server Applications
Navigate to the UI Path articulated in the Remediation section and
Null session access over the null sessio
None - this is the default behavior.
If you choose
- **Level 1 - Domain Controller.** The recommended state for this setting is: `LSARPC, NETLOGON, SAMR` and (when th
System\CurrentControlSet\Control\Terminal Server
Software\Microsoft\Windows NT\CurrentVersion\Print
Software\Microsoft\Windows NT\CurrentVersion`
None - this is the default behavior. However, if yo
- **Level 1 - Member Server.** The recommended state for this setting is: `` (i.e. None), or (when the legacy _Computer Br
System\CurrentControlSet\Control\Terminal Server\UserConfig
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\La
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S
full
The recommended state for this setting is:
The registry is a
Software\Microsoft\Windows NT\CurrentVersion\Windows
Navigate to the UI Path articulated in the Remediation section and
- COMNAP: SNA session access
System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration
System\CurrentControlSet\Control\ContentIndex
When enabled, this policy setting restricts anonymous access to only those shares and pipes that are named in the `Netwo
- COMNODE: SNA session access
None - this is the default behavior. However, if yo
**Note:** If you want to allow remote access, you
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Se
**Note:** A Member Server that holds the _Remote Desktop Services_ Role with _Remote Desktop Licensing_ Role Servic
Software\Microsoft\Windows NT\CurrentVersion\Perflib
full
System\CurrentControlSet\Control\Terminal Server
The registry contai
To establish the recommended configuration via GP, set the following UI path to `Ena
Navigate to the UI Path articulated in the Remediation section and
- SQL\\QUERY: SQL instance access
System\CurrentControlSet\Services\SysmonLog`
System\CurrentControlSet\Control\ProductOptions
System\CurrentControlSet\Control\Terminal Server\UserConfig
`HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters`
- SPOOLSS: Spooler service
**Note:** If you want to allow remote access, you
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Se
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S
full
System\CurrentControlSet\Control\Server Applications
System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration
Null sessions are
To establish the recommended configuration via GP, set the following UI path to `` (i.e
Navigate to the UI Path articulated in the Remediation section and
- LLSRPC: License Logging service
Software\Microsoft\Windows NT\CurrentVersion
Software\Microsoft\Windows NT\CurrentVersion\Perflib
registry key. This registry value toggles null session shares on or off to control whether the server service restricts unauthe
This policy setting determines which network shares can be accessed by anonymous users. The default configuration for th
- NETLOGON: Net Logon service
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\La
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S
full
System\CurrentControlSet\Services\SysmonLog
This policy setting determines how network logons that use local accounts are authenticated. The Classic option allows pre
It is very dangero
To establish the recommended configuration via GP, set the following UI path to `Clas
Navigate to the UI Path articulated in the Remediation section and
None - this is the default behavior.
- LSARPC: LSA access
The recommended state for this setting is: `` (i.e. None).
`Enabled`.
- SAMR: Remote access to SAM objects
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\La
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S
When a server holds the _Active Directory Certificate Services_ Role with _Certificatio
full The recommendedWith statethe servers
forGuest
this onlthat
setting```
```is: hold the _Active
`Classic - local ```Directory
``` Certificate
users authenticate -None Services_
BROWSER:
as -themselves`.
this is the Role
Computer with _Certification
default Browser
configuratservice Authority_
Computer Configuration\Policies\Windows
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
Settings\Security Settings\Local Policies\S
When a server has the _WINS Server_ Feature installed, the above list should also in
```
**Note:** This setting does not affect ``` interactive logons that ``` are performedPrevious remotely to bythe usingrelease
suchof Windows
services as Server
Telnet or 2003 Re
System\CurrentControlSet\Services\CertSvc
`System\CurrentControlSet\Services\WINS`
```
The recommended state for servers that have the _WINS Server_ Feature installed includes the above list and:
accepted This section contains recommendations related to network security.

To establish the recommended configuration via GP, set the following UI path to `Ena…`:

Navigate to the UI Path articulated in the Remediation section and…
This policy setting determines whether Local System services that use Negotiate when reverting to NTLM authentication ca…

When connecting to… Services running as Local System tha…

The recommended state for this setting is: `Enabled`.

This policy setting determines whether NTLM is allowed to fall back to a NULL session when used with LocalSystem.

NULL sessions are… Any applications that require NULL s…

To establish the recommended configuration via GP, set the following UI path to `Disa…`:

```
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S…
```

Navigate to the UI Path articulated in the Remediation section and…

```
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
```

The recommended state for this setting is: `Disabled`.

This setting determines if online identities are able to authenticate to this computer.

The Public Key Cryptography Based User-to-User (PKU2U) protocol introduced in Windows 7 and Windows Server 2008 R…

To establish the recommended configuration via GP, set the following UI path to `Disa…`:

```
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S…
```

Navigate to the UI Path articulated in the Remediation section and…

```
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
```
With PKU2U, a new extension was introduced to the Negotiate authentication package, `Spnego.dll`. In previous versions and o…

The PKU2U protoco…

When computers are configured to accept authentication requests by using online IDs, `Negoexts.dll` calls the PKU2U SSP…

None - this is the default configurat…

The recommended state for this setting is: `Disabled`.

This policy setting allows you to set the encryption types that Kerberos is allowed to use. The strength of ea… If not selected, the encryption type will not be allo…

To establish the recommended configuration via GP, set the following UI path to `AES…`:

```
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S…
```

Navigate to the UI Path articulated in the Remediation section and…

```
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
```

The recommended state for this setting is: `AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types`.

This policy setting determines whether the LAN Manager (LM) hash value for the new password is stored when the passwo…

To establish the recommended configuration via GP, set the following UI path to `Ena…`:

Navigate to the UI Path articulated in the Remediation section and…
LAN Manager (LM) was a family of early Microsoft client/server software (predating Windows NT) that allowed users to link…

**Note:** Windows Server 2008 (non-R2) and be…

**Note:** Some legacy applications and OSes may require `RC4_HMAC_MD5` -- we recommend you test in your environm…

**Note:** Older operating systems and some third-party applications may fail when this policy setting is enabled. Also, note…

The SAM file can b…

This policy setting determines whether to disconnect users who are connected to the local computer outside their user acco…

The recommended state for this setting is: `Disabled`.

None - this is the default behavior.

To establish the recommended configuration via GP, set the following UI path to `Ena…`:

```
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S…
```

Navigate to the UI Path articulated in the Remediation section and…

```
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curren…
```
- Join a domain
- Authenticate between Active Directory forests

If this setting is…

not_scored

The recommended state for this setting is: `Enabled`.

None - this is the default behavior.

To establish the recommended configuration via GP, set the following UI path to: `Sen…`:

```
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S…
```

Navigate to the UI Path articulated in the Remediation section and…

```
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
```
- Authenticate to down-level domains
- Authenticate to computers that do not run Windows 2000, Windows Server 2003, or Windows XP
- Authenticate to computers that are not in the domain

Windows 2000 and Windows XP clients were configured by default to send LM and NTLM authentication…

Clients use NTLMv2 authentication only and use…

The Windows 95, Windows 98, and Windows NT operating systems cannot use the Kerberos version 5…

**Note:** This recommendation is unscored because there is not a documented registry value that corresponds to it. We st…

**Note:** For information about a hotfix to ensure…

This policy setting determines the level of data signing that is requested on behalf of clients that issue LDAP BIND requests…

To establish the recommended configuration via GP, set the following UI path to `Neg…`:

```
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S…
```

Navigate to the UI Path articulated in the Remediation section and…

```
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
```
Unsigned network t…

**Note:** This policy setting does not have any impact on LDAP simple bind (`ldap_simple_bind`) or LDAP simple bind thro…

None - this is the default behavior.

To establish the recommended configuration via GP, set the following UI path to `Req…`:

```
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S…
```

Navigate to the UI Path articulated in the Remediation section and…

```
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LD…
```

The Network security: LAN Manager authentication level setting determines which challenge/response authentication proto…

This policy setting determines which behaviors are allowed by clients for applications using the NTLM Security Support Pro…
The recommended state for this setting is: `Negotiate signing`. Configuring this setting to `Require signing` also conforms…

You can enable both… NTLM connections will fail if NTLMv2…

This policy setting determines which behaviors are allowed by servers for applications using the NTLM Security Support Pr…

To establish the recommended configuration via GP, set the following UI path to `Req…`:

```
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S…
```

Navigate to the UI Path articulated in the Remediation section and…

The recommended state for this setting is: `Send NTLMv2 response only. Refuse LM & NTLM`.

The recommended state for this setting is: `Require NTLMv2 session security, Require 128-bit encryption`.

```
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
```

**Note:** These…
These
The recommended state for this setting is: `Require NTLMv2 session security, Require 128-bit encryption`.

You can enable all… NTLM connections will fail if NTLMv2…

```
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S…
```

```
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
```

**Note:** These values are dependent on the _Network security: LAN Manager Authentication Level_ security setting value.

accepted This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
accepted This section contains recommendations related to the Windows shutdown functionality.

This policy setting determines whether a computer can be shut down when a user is not logged on. If this policy setting is e…

Users who can acce…

To establish the recommended configuration via GP, set the following UI path to `Disa…`:

```
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S…
```

Navigate to the UI Path articulated in the Remediation section and…

```
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curren…
```

The recommended state for this setting is: `Disabled`.

None - this is the default behavior.

**Note:** In Server 2008 R2 and older versions, this setting had no impact on Remote Desktop (RDP) / Terminal Services s…

accepted This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
accepted This section contains recommendations related to system objects.

This policy setting determines whether case insensitivity is enforced for all subsystems. The Microsoft Win32 subsystem is…

Because Windows is…

To establish the recommended configuration via GP, set the following UI path to `Ena…`:

```
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S…
```

Navigate to the UI Path articulated in the Remediation section and…

```
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Se…
```

The recommended state for this setting is: `Enabled`.

None - this is the default behavior.

This policy setting determines the strength of the default discretionary access control list (DACL) for objects. Active Directo…

This setting deter…

To establish the recommended configuration via GP, set the following UI path to `Ena…`:

```
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S…
```

Navigate to the UI Path articulated in the Remediation section and…

```
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Se…
```

The recommended state for this setting is: `Enabled`.

None - this is the default behavior.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
One of the risks that the User Account Control feature introduced with Windows Vista is trying to mitigate…

accepted This section contains recommendations related to User Account Control.

To establish the recommended configuration via GP, set the following UI path to `Ena…`:

Navigate to the UI Path articulated in the Remediation section and…
This policy setting controls the behavior of Admin Approval Mode for the built-in Administrator account.

- If the computer is not joined to a domain, the first user account you create has the equivalent permissio…
- If the computer is joined to a domain, no local administrator accounts are created. The Enterprise or Do…

The built-in Administrator account u…

To establish the recommended configuration via GP, set the following UI path to `Disa…`:

```
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S…
```

Navigate to the UI Path articulated in the Remediation section and…

```
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curren…
```

The recommended state for this setting is: `Enabled`.

This policy setting controls whether User Interface Accessibility (UIAccess or UIA) programs can automatically disable the…

One of the risks t…

None - this is the default behavior.

To establish the recommended configuration via GP, set the following UI path to `Prom…`:

Navigate to the UI Path articulated in the Remediation section and…
Once Windows is installed, the built-in Administrator account may be manually enabled, but we strongly…

This policy setting controls the behavior of the elevation prompt for administrators.

```
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S…
```

```
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curren…
```

The recommended state for this setting is: `Disabled`.

One of the risks t… When an operation (including executio…

To establish the recommended configuration via GP, set the following UI path to `Auto…`:

Navigate to the UI Path articulated in the Remediation section and…

This policy setting controls the behavior of the elevation prompt for standard users. When an operation requires elevation of privilege…

```
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S…
```

```
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curren…
```

The recommended state for this setting is: `Prompt for consent on the secure desktop`.
This policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity l…

One of the risks t…

To establish the recommended configuration via GP, set the following UI path to `Ena…`:

Navigate to the UI Path articulated in the Remediation section and…

This policy setting controls the behavior of application installation detection for the computer.

UIAccess Integrity allows an application to bypass User Interface Privilege Isolation (UIPI) restrictions w…

```
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S…
```

```
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curren…
```

The recommended state for this setting is: `Automatically deny elevation requests`.

**Note:** With this setting configured as recomm…
- `…\Program Files\`, including subfolders

Some malicious sof… When an application installation pack…

To establish the recommended configuration via GP, set the following UI path to `Ena…`:

Navigate to the UI Path articulated in the Remediation section and…

- `…\Windows\system32\`
- To set the foreground window.

```
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S…
```

```
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curren…
```

The recommended state for this setting is: `Enabled`.
- `…\Program Files (x86)\`, including subfolders (for 64-bit versions of Windows)

This policy setting controls the behavior of all User Account Control (UAC) policy settings for the computer. If you change th…

- To drive any application window using SendInput function.

None - this is the default behavior.

To establish the recommended configuration via GP, set the following UI path to `Ena…`:

Navigate to the UI Path articulated in the Remediation section and…

- To use read input for all integrity levels using low-level hooks, raw input, GetKeyState, GetAsyncKeySt…

```
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S…
```

```
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curren…
```
**Note:** This enforces a public key infrastructure (PKI) signature check on any interactive application that requests to…

- To set journal hooks.

The recommended state for this setting is: `Enabled`.

None - this is the default behavior.

To establish the recommended configuration via GP, set the following UI path to `Ena…`:

Navigate to the UI Path articulated in the Remediation section and…
This policy setting controls whether application write failures are redirected to defined registry and file system locations. Th…

- To use AttachThreadInput to attach a thread to a higher integrity input queue.

This policy setting controls whether the elevation request prompt is displayed on the interactive user's desktop or the secur…

```
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S…
```

```
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curren…
```

Standard… The recommended state for this setting is: `Enabled`.

**Note:** If this policy setting is disabled, the Security Center notifies you that the overall security of the operating system h…

None - this is the default behavior.

To establish the recommended configuration via GP, set the following UI path to `Ena…`:

Navigate to the UI Path articulated in the Remediation section and…
- `%ProgramFiles%`
- `%Windir%`
- `%Windir%\system32`
- `HKEY_LOCAL_MACHINE\Software`

This setting reduce…

```
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S…
```

```
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curren…
```

The recommended state for this setting is: `Enabled`.

None - this is the default behavior.

The recommended state for this setting is: `Enabled`.

accepted This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
accepted This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

accepted This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

accepted This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

accepted This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
accepted This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

accepted This section contains recommendations for configuring the Windows Firewall.

accepted This section contains recommendations for the Domain Profile of the Windows Firewall.

To establish the recommended configuration via GP, set the following UI path to `On (…`:

Navigate to the UI Path articulated in the Remediation section and…
Select On (recommended) to have Windows Firewall with Advanced Security use the settings for this profile to filter networ…

If the firewall is…

None - this is the default behavior.

```
Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewa…
```

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window…
```

The recommended state for this setting is: `On (recommended)`.

This setting determines the behavior for inbound connections that do not match an inbound firewall rule.

To establish the recommended configuration via GP, set the following UI path to `Blo…`:

Navigate to the UI Path articulated in the Remediation section and…
If the firewall al…

None - this is the default behavior.

```
Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewa…
```

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window…
```

The recommended state for this setting is: `Block (default)`.

This setting determines the behavior for outbound connections that do not match an outbound firewall rule.

To establish the recommended configuration via GP, set the following UI path to `Allo…`:

Navigate to the UI Path articulated in the Remediation section and…
Select this option to have Windows Firewall with Advanced Security display notifications to the user when a program is bloc…

Some people believ…

None - this is the default behavior.

```
Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewa…
```

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window…
```

The recommended state for this setting is: `Allow (default)`.

To establish the recommended configuration via GP, set the following UI path to `No`:

Navigate to the UI Path articulated in the Remediation section and…
Firewall notificat…

Windows Firewall will not display a notification w…

```
Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewa…
```

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window…
```

The recommended state for this setting is: `No`.

Use this option to specify the path and name of the file in which Windows Firewall will write its log information.

To establish the recommended configuration via GP, set the following UI path to `%SY…`:

Navigate to the UI Path articulated in the Remediation section and…
**Note:** When the `Apply local firewall rules` setting is configured to `No`, it's recommended to also configure the `Display…

If events are not…

The log file will be stored in the specif…

```
Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewa…
```

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window…
```

The recommended state for this setting is: `%SYSTEMROOT%\System32\logfiles\firewall\domainfw.log`.

Use this option to specify the size limit of the file in which Windows Firewall will write its log information.

To establish the recommended configuration via GP, set the following UI path to `16,3…`:

Navigate to the UI Path articulated in the Remediation section and…
If events are not…

The log file size will be limited to t…

```
Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewa…
```

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window…
```

The recommended state for this setting is: `16,384 KB or greater`.

Use this option to log when Windows Firewall with Advanced Security discards an inbound packet for any reason. The log…

To establish the recommended configuration via GP, set the following UI path to `Yes…`:

Navigate to the UI Path articulated in the Remediation section and…
If events are not…

Information about dropped packets will…

```
Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewa…
```

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window…
```

The recommended state for this setting is: `Yes`.

Use this option to log when Windows Firewall with Advanced Security allows an inbound connection. The log records why a…

To establish the recommended configuration via GP, set the following UI path to `Yes…`:

Navigate to the UI Path articulated in the Remediation section and…
If events are not…

Information about successful connectio…

```
Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewa…
```

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window…
```

The recommended state for this setting is: `Yes`.
accepted This section contains recommendations for the Private Profile of the Windows Firewall.

To establish the recommended configuration via GP, set the following UI path to `On (…`:

Navigate to the UI Path articulated in the Remediation section and…
Select On (recommended) to have Windows Firewall with Advanced Security use the settings for this profile to filter networ…

If the firewall is…

None - this is the default behavior.

```
Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewa…
```

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window…
```

The recommended state for this setting is: `On (recommended)`.

This setting determines the behavior for inbound connections that do not match an inbound firewall rule.

To establish the recommended configuration via GP, set the following UI path to `Blo…`:

Navigate to the UI Path articulated in the Remediation section and…
If the firewall al…

This setting determines the behavior for outbound connections that do not match an outbound firewall rule.

None - this is the default behavior.

```
Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewa…
```

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window…
```

The recommended state for this setting is: `Block (default)`.

To establish the recommended configuration via GP, set the following UI path to `Allo…`:

Navigate to the UI Path articulated in the Remediation section and…
Select this option to have Windows Firewall with Advanced Security display notifications to the user when a program is bloc…

Some people believ…

None - this is the default behavior.

```
Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewa…
```

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window…
```

The recommended state for this setting is: `Allow (default)`.

To establish the recommended configuration via GP, set the following UI path to `No`:

Navigate to the UI Path articulated in the Remediation section and…
**Note:** If you set Outbound connections to Block and then deploy the firewall policy by using a GPO, computers that rece…

Firewall notificat…

Windows Firewall will not display a notification w…

```
Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewa…
```

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window…
```

The recommended state for this setting is: `No`.

Use this option to specify the path and name of the file in which Windows Firewall will write its log information.

To establish the recommended configuration via GP, set the following UI path to `%SY…`:

Navigate to the UI Path articulated in the Remediation section and…
**Note:** When the `Apply local firewall rules` setting is configured to `No`, it's recommended to also configure the `Display…

If events are not…

The log file will be stored in the specif…

```
Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewa…
```

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window…
```

The recommended state for this setting is: `%SYSTEMROOT%\System32\logfiles\firewall\privatefw.log`.

Use this option to specify the size limit of the file in which Windows Firewall will write its log information.

To establish the recommended configuration via GP, set the following UI path to `16,3…`:

Navigate to the UI Path articulated in the Remediation section and…
If events are not…

The log file size will be limited to t…

```
Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewa…
```

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window…
```

The recommended state for this setting is: `16,384 KB or greater`.

Use this option to log when Windows Firewall with Advanced Security discards an inbound packet for any reason. The log…

To establish the recommended configuration via GP, set the following UI path to `Yes…`:

Navigate to the UI Path articulated in the Remediation section and…
If events are not…

Information about dropped packets will…

```
Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewa…
```

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window…
```

The recommended state for this setting is: `Yes`.

Use this option to log when Windows Firewall with Advanced Security allows an inbound connection. The log records why a…

To establish the recommended configuration via GP, set the following UI path to `Yes…`:

Navigate to the UI Path articulated in the Remediation section and…
If events are not…

Information about successful connectio…

```
Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewa…
```

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window…
```

The recommended state for this setting is: `Yes`.
accepted This section contains recommendations for the Public Profile of the Windows Firewall.

To establish the recommended configuration via GP, set the following UI path to `On (…`:

Navigate to the UI Path articulated in the Remediation section and…
Select On (recommended) to have Windows Firewall with Advanced Security use the settings for this profile to filter networ…

If the firewall is…

None - this is the default behavior.

```
Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewa…
```

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window…
```

The recommended state for this setting is: `On (recommended)`.

This setting determines the behavior for inbound connections that do not match an inbound firewall rule.

To establish the recommended configuration via GP, set the following UI path to `Blo…`:

Navigate to the UI Path articulated in the Remediation section and…
If the firewall al…

This setting determines the behavior for outbound connections that do not match an outbound firewall rule.

None - this is the default behavior.

```
Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewa…
```

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window…
```

The recommended state for this setting is: `Block (default)`.

To establish the recommended configuration via GP, set the following UI path to `Allo…`:

Navigate to the UI Path articulated in the Remediation section and…
Some people believ…

None - this is the default behavior.

The recommended state for this setting is: `Allow (default)`.

To establish the recommended configuration via GP, set the following UI path to `No`:

Navigate to the UI Path articulated in the Remediation section and…

Select this option to have Windows Firewall with Advanced Security display notifications to the user when a program is bloc…

```
Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewa…
```

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window…
```
**Note:** If you set Outbound connections to Block and then deploy the firewall policy by using a GPO, computers that rece…

This setting controls whether local administrators are allowed to create local firewall rules that apply together with firewall ru…

Some organizations…

Windows Firewall will not display a notification w…

To establish the recommended configuration via GP, set the following UI path to `No`:

Navigate to the UI Path articulated in the Remediation section and…

```
Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewa…
```

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window…
```

The recommended state for this setting is: `No`.
When in the Public…

Administrators can still create firewall…

The recommended state for this setting is: `No`.

To establish the recommended configuration via GP, set the following UI path to `No`:

Navigate to the UI Path articulated in the Remediation section and…

This setting controls whether local administrators are allowed to create connection security rules that apply together with co…

```
Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewa…
```

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window…
```
**Note:** When the `Apply local firewall rules` setting is configured to `No`, it's recommended to also configure the `Display…

Users with adminis…

Administrators can still create local c…

The recommended state for this setting is: `No`.

To establish the recommended configuration via GP, set the following UI path to `%SY…`:

Navigate to the UI Path articulated in the Remediation section and…

Use this option to specify the path and name of the file in which Windows Firewall will write its log information.

```
Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewa…
```

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window…
```
If events are not…

The log file will be stored in the specif…

```
Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewa…
```

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window…
```

The recommended state for this setting is: `%SYSTEMROOT%\System32\logfiles\firewall\publicfw.log`.

Use this option to specify the size limit of the file in which Windows Firewall will write its log information.

To establish the recommended configuration via GP, set the following UI path to `16,3…`:

Navigate to the UI Path articulated in the Remediation section and…
If events are not…

The log file size will be limited to t…

```
Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewa…
```

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window…
```

The recommended state for this setting is: `16,384 KB or greater`.

Use this option to log when Windows Firewall with Advanced Security discards an inbound packet for any reason. The log…

To establish the recommended configuration via GP, set the following UI path to `Yes…`:

Navigate to the UI Path articulated in the Remediation section and…
If events are not…

Information about dropped packets will…

```
Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewa…
```

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window…
```

The recommended state for this setting is: `Yes`.

Use this option to log when Windows Firewall with Advanced Security allows an inbound connection. The log records why a…

To establish the recommended configuration via GP, set the following UI path to `Yes…`:

Navigate to the UI Path articulated in the Remediation section and…
full If events are not ``` ``` ```
``` Information about successful connectio
The recommended state for this setting Computer
is: `Yes`. Configuration\Policies\Windows
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
Settings\Security Settings\Windows Firewa
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This section contains recommendations for configuring the Windows audit facilities.

This section contains recommendations for configuring the Account Logon audit policy.

For local accounts, the local computer is authoritative. In domain environments, most of the Account Logon events occur in the Security log of the Domain Controllers that are authoritative for the domain accounts. However, these events can occur on other computers in the organization when local accounts are used to log on. Events for this subcategory include:

- 4774: An account was mapped for logon.
- 4775: An account could not be mapped for logon.
- 4776: The Domain Controller attempted to validate the credentials for an account.
- 4777: The Domain Controller failed to validate the credentials for an account.

The recommended state for this setting is: `Success and Failure`.

Remediation: To establish the recommended configuration via GP, set the following UI path to `Success and Failure`: 

```
Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit
```

Impact: If no audit settings are configured, or if audit sett

This section contains recommendations for configuring the Account Management audit policy.

This policy setting allows you to audit events generated by changes to application groups such as the following:

- Application group is created, changed, or deleted.
- Member is added or removed from an application group.

Application groups are utilized by Windows Authorization Manager, which is a flexible framework created by Microsoft for integrating role-based access control (RBAC) into applications. More information on Windows Authorization Manager is available at [MSDN - Windows Authorization Manager](https://msdn.microsoft.com/en-us/library/bb897401.aspx).

The recommended state for this setting is: `Success and Failure`.

Remediation: To establish the recommended configuration via GP, set the following UI path to `Success and Failure`:

```
Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit
```

This subcategory reports each event of computer account management, such as when a computer account is created, cha

- 4741: A computer account was created.
- 4742: A computer account was changed.
- 4743: A computer account was deleted.

The recommended state for this setting is: `Success and Failure`.

Remediation: To establish the recommended configuration via GP, set the following UI path to `Success and Failure`:

```
Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit
```

This subcategory reports other account management events. Events for this subcategory include:

- 4782: The password hash an account was accessed.
- 4793: The Password Policy Checking API was called.

The recommended state for this setting is: `Success and Failure`.

Remediation: To establish the recommended configuration via GP, set the following UI path to `Success and Failure`:

```
Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit
```

Events for this subcategory include:

- 4727: A security-enabled global group was created.
- 4728: A member was added to a security-enabled global group.
- 4729: A member was removed from a security-enabled global group.
- 4730: A security-enabled global group was deleted.
- 4731: A security-enabled local group was created.
- 4732: A member was added to a security-enabled local group.
- 4733: A member was removed from a security-enabled local group.
- 4734: A security-enabled local group was deleted.
- 4735: A security-enabled local group was changed.
- 4737: A security-enabled global group was changed.
- 4754: A security-enabled universal group was created.
- 4755: A security-enabled universal group was changed.
- 4756: A member was added to a security-enabled universal group.
- 4757: A member was removed from a security-enabled universal group.
- 4758: A security-enabled universal group was deleted.
- 4764: A group's type was changed.

The recommended state for this setting is: `Success and Failure`.

Remediation: To establish the recommended configuration via GP, set the following UI path to `Success and Failure`:

```
Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit
```

This subcategory reports each event of user account management, such as when a user account is created, changed, or d

- 4720: A user account was created.
- 4722: The user account was enabled.
- 4723: An attempt was made to change an account's password.
- 4724: An attempt was made to reset an account's password.
- 4725: A user account was disabled.
- 4726: The user account was deleted.
- 4738: A user account was changed.
- 4740: A user account was locked out.
- 4765: SID History was added to an account.
- 4766: An attempt to add SID History to an account failed.
- 4767: A user account was unlocked.
- 4780: The ACL was set on accounts which are members of administrators groups.
- 4781: The name of an account was changed:
- 4794: An attempt was made to set the Directory Services Restore Mode.
- 5376: Credential Manager credentials were backed up.
- 5377: Credential Manager credentials were restored from a backup.

The recommended state for this setting is: `Success and Failure`.

Remediation: To establish the recommended configuration via GP, set the following UI path to `Success and Failure`:

```
Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Account Management\Au
```

This section contains recommendations for configuring the Detailed Tracking audit policy.

This subcategory reports the creation of a process and the name of the program or user that created it. Events for this subc

- 4688: A new process has been created.
- 4696: A primary token was assigned to process.

The recommended state for this setting is: `Success`.

Remediation: To establish the recommended configuration via GP, set the following UI path to `Success`:

```
Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit
```

This section contains recommendations for configuring the Directory Services Access audit policy.

This section contains recommendations for configuring the Logon/Logoff audit policy.

This subcategory reports when a user's account is locked out as a result of too many failed logon attempts. Events for this subcategory include:

- 4625: An account failed to log on.

The recommended state for this setting is: `Success and Failure`.

Remediation: To establish the recommended configuration via GP, set the following UI path to `Success and Failure`:

```
Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit
```

This subcategory reports when a user logs off from the system. These events occur on the accessed computer. For interac

- 4634: An account was logged off.
- 4647: User initiated logoff.

The recommended state for this setting is: `Success`.

Remediation: To establish the recommended configuration via GP, set the following UI path to `Success`:

```
Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit
```

This subcategory reports when a user attempts to log on to the system. These events occur on the accessed computer. Fo

- 4624: An account was successfully logged on.
- 4625: An account failed to log on.
- 4648: A logon was attempted using explicit credentials.
- 4675: SIDs were filtered.

The recommended state for this setting is: `Success and Failure`.

Remediation: To establish the recommended configuration via GP, set the following UI path to `Success and Failure`:

```
Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit
```

This subcategory reports other logon/logoff-related events, such as Remote Desktop Services session disconnects and rec

- 4649: A replay attack was detected.
- 4778: A session was reconnected to a Window Station.
- 4779: A session was disconnected from a Window Station.
- 4800: The workstation was locked.
- 4801: The workstation was unlocked.
- 4802: The screen saver was invoked.
- 4803: The screen saver was dismissed.
- 5378: The requested credentials delegation was disallowed by policy.
- 5632: A request was made to authenticate to a wireless network.
- 5633: A request was made to authenticate to a wired network.

The recommended state for this setting is: `Success and Failure`.

Remediation: To establish the recommended configuration via GP, set the following UI path to `Success and Failure`:

```
Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit
```

This subcategory reports when a special logon is used. A special logon is a logon that has administrator-equivalent privileg

- 4964: Special groups have been assigned to a new logon.

The recommended state for this setting is: `Success`.

Remediation: To establish the recommended configuration via GP, set the following UI path to `Success`:

```
Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit
```

This section contains recommendations for configuring the Object Access audit policy.

This policy setting allows you to audit events generated by the management of task scheduler jobs or COM+ objects.

For scheduler jobs, the following are audited:

- Job created.
- Job deleted.
- Job enabled.
- Job disabled.
- Job updated.

For COM+ objects, the following are audited:

- Catalog object added.
- Catalog object updated.
- Catalog object deleted.

The recommended state for this setting is: `Success and Failure`.

Remediation: To establish the recommended configuration via GP, set the following UI path to `Success and Failure`:

```
Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit
```

This policy setting allows you to audit user attempts to access file system objects on a removable storage device. A securit

The recommended state for this setting is: `Success and Failure`.

**Note:** A Windows 8, Server 2012 (non-R2) or higher OS is required to access and set this value in Group Policy.

Remediation: To establish the recommended configuration via GP, set the following UI path to `Success and Failure`:

```
Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit
```

This section contains recommendations for configuring the Policy Change audit policy.

This subcategory reports changes in audit policy including SACL changes. Events for this subcategory include:

- 4715: The audit policy (SACL) on an object was changed.
- 4719: System audit policy was changed.
- 4902: The Per-user audit policy table was created.
- 4904: An attempt was made to register a security event source.
- 4905: An attempt was made to unregister a security event source.
- 4906: The CrashOnAuditFail value has changed.
- 4907: Auditing settings on object were changed.
- 4908: Special Groups Logon table modified.
- 4912: Per User Audit Policy was changed.

The recommended state for this setting is: `Success and Failure`.

Remediation: To establish the recommended configuration via GP, set the following UI path to `Success and Failure`:

```
Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit
```

This subcategory reports changes in authentication policy. Events for this subcategory include:

- 4706: A new trust was created to a domain.
- 4707: A trust to a domain was removed.
- 4713: Kerberos policy was changed.
- 4716: Trusted domain information was modified.
- 4717: System security access was granted to an account.
- 4718: System security access was removed from an account.
- 4739: Domain Policy was changed.
- 4864: A namespace collision was detected.
- 4865: A trusted forest information entry was added.
- 4866: A trusted forest information entry was removed.
- 4867: A trusted forest information entry was modified.

The recommended state for this setting is: `Success`.

Remediation: To establish the recommended configuration via GP, set the following UI path to `Success`:

```
Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit
```

This subcategory reports changes in authorization policy. Events for this subcategory include:

- 4704: A user right was assigned.
- 4705: A user right was removed.
- 4706: A new trust was created to a domain.
- 4707: A trust to a domain was removed.
- 4714: Encrypted data recovery policy was changed.

The recommended state for this setting is: `Success`.

Remediation: To establish the recommended configuration via GP, set the following UI path to `Success`:

```
Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit
```

This section contains recommendations for configuring the Privilege Use audit policy.

This subcategory reports when a user account or service uses a sensitive privilege. A sensitive privilege includes the follow

- Act as part of the operating system
- Back up files and directories
- Create a token object
- Debug programs
- Enable computer and user accounts to be trusted for delegation
- Generate security audits
- Impersonate a client after authentication
- Load and unload device drivers
- Manage auditing and security log
- Modify firmware environment values
- Replace a process-level token
- Restore files and directories
- Take ownership of files or other objects

Auditing this subcategory will create a high volume of events. Events for this subcategory include:

- 4672: Special privileges assigned to new logon.
- 4673: A privileged service was called.
- 4674: An operation was attempted on a privileged object.

The recommended state for this setting is: `Success and Failure`.

Remediation: To establish the recommended configuration via GP, set the following UI path to `Success and Failure`:

```
Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit
```

This section contains recommendations for configuring the System audit policy.

This subcategory reports on the activities of the Internet Protocol security (IPsec) driver. Events for this subcategory includ

- 4960: IPsec dropped an inbound packet that failed an integrity check. If this problem persists, it could indicate a network i
- 4961: IPsec dropped an inbound packet that failed a replay check. If this problem persists, it could indicate a replay attack
- 4962: IPsec dropped an inbound packet that failed a replay check. The inbound packet had too low a sequence number t
- 4963: IPsec dropped an inbound clear text packet that should have been secured. This is usually due to the remote comp
- 4965: IPsec received a packet from a remote computer with an incorrect Security Parameter Index (SPI). This is usually c
- 5478: IPsec Services has started successfully.
- 5479: IPsec Services has been shut down successfully. The shutdown of IPsec Services can put the computer at greater
- 5480: IPsec Services failed to get the complete list of network interfaces on the computer. This poses a potential security
- 5483: IPsec Services failed to initialize RPC server. IPsec Services could not be started.
- 5484: IPsec Services has experienced a critical failure and has been shut down. The shutdown of IPsec Services can put
- 5485: IPsec Services failed to process some IPsec filters on a plug-and-play event for network interfaces. This poses a po

The recommended state for this setting is: `Success and Failure`.

Remediation: To establish the recommended configuration via GP, set the following UI path to `Success and Failure`:

```
Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit
```

This subcategory reports on other system events. Events for this subcategory include:

- 5024: The Windows Firewall Service has started successfully.
- 5025: The Windows Firewall Service has been stopped.
- 5027: The Windows Firewall Service was unable to retrieve the security policy from the local storage. The service will con
- 5028: The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently
- 5029: The Windows Firewall Service failed to initialize the driver. The service will continue to enforce the current policy.
- 5030: The Windows Firewall Service failed to start.
- 5032: Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections
- 5033: The Windows Firewall Driver has started successfully.
- 5034: The Windows Firewall Driver has been stopped.
- 5035: The Windows Firewall Driver failed to start.
- 5037: The Windows Firewall Driver detected critical runtime error. Terminating.
- 5058: Key file operation.
- 5059: Key migration operation.

The recommended state for this setting is: `Success and Failure`.

Remediation: To establish the recommended configuration via GP, set the following UI path to `Success and Failure`:

```
Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit
```

This subcategory reports changes in security state of the system, such as when the security subsystem starts and stops. E

- 4608: Windows is starting up.
- 4609: Windows is shutting down.
- 4616: The system time was changed.
- 4621: Administrator recovered system from CrashOnAuditFail. Users who are not administrators will now be allowed to lo

The recommended state for this setting is: `Success`.

Remediation: To establish the recommended configuration via GP, set the following UI path to `Success`:

```
Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit
```

This subcategory reports the loading of extension code such as authentication packages by the security subsystem. Events

- 4610: An authentication package has been loaded by the Local Security Authority.
- 4611: A trusted logon process has been registered with the Local Security Authority.
- 4614: A notification package has been loaded by the Security Account Manager.
- 4622: A security package has been loaded by the Local Security Authority.
- 4697: A service was installed in the system.

The recommended state for this setting is: `Success and Failure`.

Remediation: To establish the recommended configuration via GP, set the following UI path to `Success and Failure`:

```
Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit
```

This subcategory reports on violations of integrity of the security subsystem. Events for this subcategory include:

- 4612: Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some a
- 4615: Invalid use of LPC port.
- 4618: A monitored security event pattern has occurred.
- 4816: RPC detected an integrity violation while decrypting an incoming message.
- 5038: Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized m
- 5056: A cryptographic self test was performed.
- 5057: A cryptographic primitive operation failed.
- 5060: Verification operation failed.
- 5061: Cryptographic operation.
- 5062: A kernel-mode cryptographic self test was performed.

The recommended state for this setting is: `Success and Failure`.

Remediation: To establish the recommended configuration via GP, set the following UI path to `Success and Failure`:

```
Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit
```

This section contains computer-based recommendations from Group Policy Administrative Templates (ADMX).

This section contains recommendations for Control Panel settings.

**Note:** This Group Policy section is provided by the Group Policy template `Windows.admx/adml` that is included with all versions

This section contains recommendations for Control Panel personalization settings.
This Group
Disables thePolicy sectioncamera
lock screen is provided toggleTobyswitch
``` the Group
establish
Computer in path
PC
thePolicy
Settings template
recommended `ControlPanelDisplay.admx/adml`
and prevents a camera
configuration via from
GP, set being theinvoked thaton
following isUIincluded
the
path lock with
toscree
`Ena
full Disabling the lock to `Enabled`:
Computer Configuration\Policies\Administrative
Configuration\Pol Navigate ``` to the UI IfPathyouarticulated
enableTemplates\Control
thisinsetting, users
the Remediation Panel\Personaliza
will no longerand
section be
The recommended
Disables state slide
the lock screen for this setting
show ``` is: `Enabled`.
settings in PC Settings
icies\Administrati HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
and prevents a slide show from playing on the lock screen.
```
full In May 2015, Microsoft Disabling
releasedthe lock Computer
the Local
ve Administrator Configuration\Policies\Administrative
```
```
Password Solution If you
(LAPS) enableTemplates\Control
tool, this
whichsetting,
is free users
and Panel\Personaliza
will no longer
supported be
softw
Computer
The recommended
This section contains state for this setting
recommendations **Note:**
``` is:
for`Enabled`.
This Group
configuring
Templates\LAPS HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
Policy path
Microsoft Localmay not exist by
Administrator default. ItSolution
Password is provided by the Group
(LAPS).
Configuration\Pol
accepted The LAPS tool requires a small ActiveIn \DoDirectory
order to utilize
not allow Schema ```update
LAPS,
The LAPS
a minor
inAdmPwd
order
Active
to implement,
GPO
DirectoryExtension
Schema
as well / CSE
as
updateinstallation
canisberequired,
verified
of a Group
to
and beains
Po
G
icies\Administrati
This
In Group
May 2015, Policy section
Microsoft is provided
released **Note:**
by the
password
the Local Group
This Group
Administrator PolicyPassword
template
Policy path `AdmPwd.admx/adml`
mayNo
Solution not exist tool,
impact.
(LAPS) byWhendefault.
that
which is
It
is is
installed included
freeprovided
and withbyLAPS.
andregistered the Group
supported proper
softw
ve
full LAPS supports Windows Due to Vista
the difficu
or newer ``` workstation
expiration time OSes, ``` and Server
Navigate to the 2003
UI Path or articulated
newer server in theOSes. Remediation
LAPS does section
not suppor
and
Templates\LAPS
The
In LAPS
May 2015,toolMicrosoft
requires released
a small Active C:\Program
longer
the Local Directory thanSchema
AdministratorFiles\LAPS\CSE\AdmPwd.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
update in order
Password SolutiontoInimplement,
a disaster
(LAPS) tool,recovery
aswhich
well as isscenario andwhere
installation
free of aActive
supported NT\Cu
Group Dire
softwPo
\Enable Local
full **Note:** Organizations
The recommended Due
statetothat
for utilize
thethis
difficu 3rd-party
setting ```
required commercial
is: `Enabled`.
by ```softwaretotothe
```
Navigate manage unique
UI Planned
Path & complex
password
articulated in the local
expiration Administrator
Remediation longer section passwo
and
Admin Password
LAPS
The
In supports
LAPS
May 2015, Windows
toolMicrosoft
requires a Vista
smallor
released newer
Active
the policy workstation
Directory
Local Schema
Administrator HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft
OSes, and Server
update
Password in order 2003
SolutiontoThe orlocal
newer
implement,
(LAPS) administrator
server
tool, wellOSes.
aswhich as password
LAPS
installation
is free does
isofmanaged
and supported anot Services
suppor
Groupsoftw(p
Po
Management
To establish the recommended configuration via GP, set the following UI path to `Ena
full **Note #2:**
**Note:** Organizations
LAPSDue is only
tothat
designed
the utilize
difficu3rd-party
to```manage commercial
_local_ Administrator
```softwaretotothe
```
Navigate manage
passwords,
UI Path unique and&iscomplex
articulated therefore
in thelocal not recommended
Administrator
Remediation section passwo
(or
andsup
```
LAPS
The
In recommended
supports
LAPS
May 2015, statereleased
Windows
toolMicrosoft
requires afor
Vista
smallthisorsetting
newer
Active
the **Note:**
is:
Directory
Local This
`Enabled`.
workstation Schema
Administrator HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft
OSes, and Server
update
Password in order
SolutiontoInimplement,
2003 aordisaster
(LAPS)newer tool,recovery
serverwellOSes.
aswhich isscenario
as andwhere
LAPS
installation
free does Active
of anot
supported Services
suppor
Group Dire
softwPo
**Note:**
To``` establish Thisthe recommended configuration via GP, set the following UI path to `Ena
full **Note #2:** LAPSDue is only designed
to the difficu toGroup manage Policy_local_ Administrator
```
```
Navigate to thepasswords, and is therefore
UI LAPS-generated
Path articulated inpasswords not recommended
the Remediation will be req section(or andsup
Group Policy
Computer Configuration\Policies\Administrative Templates\LAPS\Password Settings
**Note:**
LAPS
The Organizations
recommended
supports
LAPS stateathat
Windows
tool requires for
Vista
smallutilize
thisor 3rd-party
setting
newer
Active path is: does commercial
`Enabled:
workstation
Directory not
Schema Large
OSes, software into
and Server
update manage
2003 unique
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft
letters +order
small toletters
or newer
implement, & server
+ numberscomplex
as well +OSes. local
special
as Administrator
characters`.
LAPS
installation doesof anot passwo
Services
suppor
Group Po
path
```
To does notthe recommended configuration via GP, set the following UI path to `Ena
``` establish
full **Note #2:** LAPSDue is only designed
to the difficu toexist manage by default.
_local_ Administrator
```
```
Navigate to thepasswords, and is therefore
UI LAPS-generated
Path articulated inpasswords not recommended
the Remediation will be req section(or andsup
exist by default.
**Note:**
Computer This
Configuration\Policies\Administrative
Group Policy path does not exist by Templates\LAPS\Password
default. An additional Group Settings
Policy
**Note
**Note:**
The
LAPS
This #2:**
Organizations
recommended
supports
setting LAPS is
Windows
controls only
state that
designed
for
whetherVistautilize
this toAn
3rd-party
orsetting
local newer
accounts additional
manage
is: commercial
_local_
`Enabled:
workstation
can be used15Administrator
software to administration
manage
passwords, unique and
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft
OSes,or formore`.
and
remoteServer 2003 or newer &isserver
via complex
therefore
network local
OSes. notLAPS
logon recommended
Administrator
(e.g., doesNET USE, passwo
(orconn
notServices
supporsup
An``` additional
```
full Due to the difficu Group Policy ```
``` LAPS-generated passwords will be re
Group Policy
**Note:**
Computer This
Configuration\Policies\Administrative
Group Policy path does not exist by Templates\LAPS\Password
default. An additional Group Settings
Policy
**Note
**Note:**
The
This #2:**
section
**Enabled:**Organizations
recommendedLAPS
contains
Appliesis only
state
UAC that
designed
for
settings utilize
this
forsettingtotemplate
3rd-party
manage
configuring
token-filtering is: commercial
_local_
to `Enabled:
additional
local 30Administrator
accounts software to manage
passwords, unique and&is
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft
or fewer`.
settings
on from
network the MS Security
logons. Membership complex
therefore
Guide. local
in powerful not recommended
Administrator
group such as passwo
(or
Services
Admisup
template
```
To establish the recommended configuration via GP, set the following UI path to `Ena
accepted Since September 2016, (`AdmPwd.admx/
Microsoft has ```strongly to
Navigate the UI Paththat
encouraged articulated
SMBv1 in the
be Remediation
disabled and no sectionused
longer and
(`AdmPwd.admx/
**Note:** This Group Policy path does not exist by default. An additional Group Policy
**Note
**Note:**
This #2:**
Group Organizations
**Disabled:** LAPS
Policy islocal
only
section
Allows that
designed
is provided
accounts toadml`)
utilize 3rd-party
to manage
by
have iscommercial
thefull _local_
Group Administrator
Policy
administrative software
template
rights to`SecGuide.admx/adml`
manage
passwords,
when unique and&iscomplex
authenticating therefore
viathat
networklocal
is not recommended
Administrator
available
logon, from passwo
(or sup
Microsoft
by configuring
adml`)
To is
``` establish
full This setting configuresLocalthe
More
Since accounts
information
start type
September areonrequired
for
2016, this
the can - itbeisthe
Server
Microsoft
recommended configuration via GP, set the following UI path to `Ena
found
Message
has ```
Navigate
at the
stronglyBlock
following
to version
the UI None
links:
encouraged Path
1 - this
(SMBv1) isclient
articulated
that SMBv1 thebe
indefault
driver
the behavior.
Remediation
disabled service
and (`MRxSmb10`),
no section
longer and
used
required - itConfiguration\Policies\Administrative
Computer is Templates\MS Security Guide\Apply U
**Note
For more#2:** LAPS is only
information aboutdesigned toincluded
local accounts manage andwith _local_ Administrator
credential theft, reviewpasswords, and isPass-the-Hash
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curren
the "[Mitigating therefore not recommended(PtH) Attacks and (or sup
Ot
included
```
To establish the recommended configuration via GP, set the following UI path to `Disa

The recommended state for this setting is: `Enabled: Disable driver`.

More information on this can be found at the following links:

[Stop using SMB1 | Storage at Microsoft](https://blogs.technet.microsoft.com/filecab/2016/09/16/stop-us

[Disable SMB v1 in Managed Environments with Group Policy – "Stay Safe" Cyber Security Blog](https:/

[Disabling SMBv1 through Group Policy – Microsoft Security Guidance blog](https://blogs.technet.micros

Some legacy OSes (e.g. Windows XP, S

Navigate to the UI Path articulated in the Remediation section and

**Note:** This Group Policy path does not exist by default. An additional Group Policy

To establish the recommended configuration via GP, set the following UI path to `Ena

```
Computer Configuration\Policies\Administrative Templates\MS Security Guide\Config
```

For more information about `LocalAccountTokenFilterPolicy`, see Microsoft Knowledge Base article 951016: [Description o

This setting configures the server-side processing of the Server Message Block version 1 (SMBv1) protocol.

**Note:** Do not, _under any circumstances_, configure this overall setting as `Disabled`, as doing so will delete the underl

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\m

Navigate to the UI Path articulated in the Remediation section and

**Note:** This Group Policy path does not exist by default. An additional Group Policy

```
Computer Configuration\Policies\Administrative Templates\MS Security Guide\Config
```

The recommended state for this setting is: `Disabled`.

Windows includes support for Structured Exception Handling Overwrite Protection (SEHOP). We recommend enabling this

When WDigest authentication is enabled, Lsass.exe retains a copy of the user's plaintext password in memory, where it ca

Local Administrator Password Solution (LAPS).

The recommended state for this setting is: `Enabled`.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\La

The recommended state for this setting is: `Disabled`.

To establish the recommended configuration via GP, set the following UI path to `Disa

```
Computer Configuration\Policies\Administrative Templates\MS Security Guide\Enable
```

This feature is de

[Disabling SMBv1 through Group Policy – Microsoft Security Guidance blog](https://blogs.technet.micros
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.

[Disable SMB v1 in Managed Environments with Group Policy – "Stay Safe" Cyber Security Blog](https:/

After you enable SEHOP, existing ver

**Note:** This Group Policy path does not exist by default. An additional Group Policy

The recommended state for this setting is: `Enabled`.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Se

For more information about local accounts and credential theft, review the "[Mitigating Pass-the-Hash (PtH) Attacks and Ot

[Disabling SMBv1 through Group Policy – Microsoft Security Guidance blog](https://blogs.technet.micros

Preventing the pla

None - this is also the default confi

**Note:** This Group Policy path does not exist by default. An additional Group Policy

```
Computer Configuration\Policies\Administrative Templates\MS Security Guide\WDige
```

For more information about `UseLogonCredential`, see Microsoft Knowledge Base article 2871997: [Microsoft Security Adv

This section contains recommendations for the Microsoft Solutions for Security (MSS) group policy settings.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Se

More information is available at [MSKB 956607: How to enable Structured Exception

To establish the recommended configuration via GP, set the following UI path to `Disa

This setting is separate from the Welcome screen feature in Windows XP and Windows Vista; if that feature is disabled, thi

**Note:** This Group Policy path does not exist by default. An additional Group Policy

The recommended state for this setting is: `Disabled`.

This Group Policy section is provided by the Group Policy template `MSS-legacy.admx/adml` that is available from this Tec

This setting is backed by the following registry location:

To establish the recommended configuration via GP, set the following UI path to `Ena

If you configure a

For additional information, see Microsoft Knowledge Base article 324737: [How to turn on automatic logon in Windows](http

Navigate to the UI Path articulated in the Remediation section and

None - this is the default behavior.

```
Computer Configuration\Policies\Administrative Templates\MSS (Legacy)\MSS: (Auto
```
IP source routing is a mechanism that allows the sender to determine the IP route that a datagram should follow through th

To establish the recommended configuration via GP, set the following UI path to `Ena

The recommended state for this setting is: `Disabled`.

An attacker could

Navigate to the UI Path articulated in the Remediation section and

All incoming source routed packets w

**Note:** This Group Policy path does not exist by default. An additional Group Policy

```
Computer Configuration\Policies\Administrative Templates\MSS (Legacy)\MSS: (Disa
```

The recommended state for this setting is: `Enabled: Highest protection, source routing is completely disabled`.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\T

IP source routing is a mechanism that allows the sender to determine the IP route that a datagram should take through the

To establish the recommended configuration via GP, set the following UI path to `Dis

An attacker could

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon:AutoAdminLogon

Navigate to the UI Path articulated in the Remediation section and

All incoming source routed packets w

**Note:** This Group Policy path does not exist by default. An additional Group Policy

```
Computer Configuration\Policies\Administrative Templates\MSS (Legacy)\MSS: (Disa
```

The recommended state for this setting is: `Enabled: Highest protection, source routing is completely disabled`.

Internet Control Message Protocol (ICMP) redirects cause the IPv4 stack to plumb host routes. These routes override the O

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\T

The DLL search order can be configured to search for DLLs that are requested by running processes in one of two ways:

- Search folders specified in the system path first, and then search the current working folder.
- Search current working folder first, and then search the folders specified in the system path.

To establish the recommended configuration via GP, set the following UI path to `Ena

The behavior is ex

The NetBT protocol is designed not to use authentication, and is therefore vulnerable to spoofing. Spoof

When Routing and Remote Access Servi

Navigate to the UI Path articulated in the Remediation section and

**Note:** This Group Policy path does not exist by default. An additional Group Policy

```
Computer Configuration\Policies\Administrative Templates\MSS (Legacy)\MSS: (Enab
```

The recommended state for this setting is: `Disabled`.

NetBIOS over TCP/IP is a network protocol that among other things provides a way to easily resolve NetBIOS names that

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\T

To establish the recommended configuration via GP, set the following UI path to `Ena

An attacker could send a request over the network and query a computer to release its NetBIOS name.

Navigate to the UI Path articulated in the Remediation section and

None - this is the default behavior.

**Note:** This Group Policy path does not exist by default. An additional Group Policy

```
Computer Configuration\Policies\Administrative Templates\MSS (Legacy)\MSS: (NoN
```

The recommended state for this setting is: `Enabled`.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\N
To establish the recommended configuration via GP, set the following UI path to `Ena

The result of such an attack could be to cause intermittent connectivity issues on the target computer, or

If a user unknowin

Navigate to the UI Path articulated in the Remediation section and

None - this is the default behavior.

When enabled, the registry value is set to 1. With a setting of 1, the system first searches the folders that are specified in th

**Note:** This Group Policy path does not exist by default. An additional Group Policy

```
Computer Configuration\Policies\Administrative Templates\MSS (Legacy)\MSS: (Safe
```

Windows includes a grace period between when the screen saver is launched and when the console is actually locked auto

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Se

To establish the recommended configuration via GP, set the following UI path to `Ena

The default grace

This setting can generate a security audit in the Security event log when the log reaches a user-defined threshold.

Navigate to the UI Path articulated in the Remediation section and

Users will have to enter their passwo

Applications will be forced to search for DLLs in the system path first. For applications that require unique versions of these

**Note:** This Group Policy path does not exist by default. An additional Group Policy

```
Computer Configuration\Policies\Administrative Templates\MSS (Legacy)\MSS: (Scre
```

The recommended state for this setting is: `Enabled: 5 or fewer seconds`.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Cu

If the Security lo

The recommended state for this setting is: `Enabled: 90% or less`.

An audit event will be generated whe

The recommended state for this setting is: `Enabled`.

**Note:** This Group Policy path does not exist by default. An additional Group Policy

```
Computer Configuration\Policies\Administrative Templates\MSS (Legacy)\MSS: (War
```

This section contains recommendations for network settings.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\E

**Note:** If log settings are configured to Overwrite events as needed or Overwrite events older than x days, this event will

**Note:** This Group Policy path does not exist by default. An additional Group Policy
This Group Policy section is provided by the Group Policy template `Windows.admx/adml` that is included with all versions

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `Bits.admx/adml` that is included with all versions of the

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `PeerToPeerCaching.admx/adml` that is included with

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `nca.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).

(broadcast) system only uses broadcasts.

- A P-node (point-to-point) system uses only name queries to a name server (WINS).
- An M-node (mixed) system broadcasts first, then queries the name server (WINS).
- An H-node (hybrid) system queries the name server (WINS) first, then broadcasts.

The recommended state for this setting in the .ADM template is: `NodeType 0x2 (2)`.

take effect until the computer has been restarted.

**Note #2:** Although Microsoft does not provide an ADMX template to configure this registry value, a custom .ADM template (`Set-NetBIOS-node-type-KB160177.adm`) is provided in the CIS Benchmark Remediation Kit to facilitate its configuration. Be aware though that simply turning off the group policy setting will not "undo" the change once applied. Instead, the opposite setting must be applied to change the registry value to the opposite state.

This section contains recommendations related to DNS Client.

This Group Policy section is provided by the Group Policy template `DnsClient.admx/adml` that is included with all versions

multicast over a local network link on a single subnet from a client computer to another client computer on the same subnet that also has LLMNR enabled. LLMNR does not require a DNS server or DNS client configuration, and provides name resolution in scenarios in which conventional DNS name resolution is not possible.

In order to help m

NetBIOS name resolution queries will

An attacker can listen on a network for these LLMNR (UDP/5355) or NBT-NS (UDP/137) broadcasts and

To establish the recommended configuration via GP, set the following UI path to `Ena

```
Computer Configuration\Policies\Administrative Templates\Network\DNS Client\Turn off
```

Navigate to the UI Path articulated in the Remediation section and

In the event DNS is unavailable a sy

The recommended state for this setting is: `Enabled`.

**Note:** To completely mitigate local name resolution poisoning, in addition to this setting, the propertie

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window

**Note:** This Group Policy path may not exist by default. It is provided by the Group Policy template `DnsClient.admx/adml` that is included with the

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `GroupPolicy.admx/adml` that is included with the Micro

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `hotspotauth.admx/adml` that is included with the Micro

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `LanmanServer.admx/adml` that is included with the M

This section contains recommendations for Link-Layer Topology Discovery settings.

This Group Policy section is provided by the Group Policy template `LanmanWorkstation.admx/adml` that is included with t

This section contains recommendations for Microsoft Peer-to-Peer Networking Services settings.

This Group Policy section is provided by the Group Policy template `LinkLayerTopologyDiscovery.admx/adml` that is includ

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `P2P-pnrp.admx/adml` that is included with all versions

This section contains recommendations for Network Connections settings.

This Group Policy section is provided by the Group Policy template `P2P-pnrp.admx/adml` that is included with all versions

To establish the recommended configuration via GP, set the following UI path to `Ena

Navigate to the UI Path articulated in the Remediation section and

You can use this procedure to control users' ability to install and configure a Network Bridge.

This Group Policy section is provided by the Group Policy template `NetworkConnections.admx/adml` that is included with

The Network Bridge setting, if enabled, allows users to create a Layer 2 Media Access Control (MAC) br

```
Computer Configuration\Policies\Administrative Templates\Network\Network Connect
```

Users cannot create or configure a N

The recommended state for this setting is: `Enabled`.

This policy setting determines whether to require domain users to elevate when setting a network's location.

In an enterprise managed environment, where there is a need to control network traffic to only authorize

Allowing regular u

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

```
Computer Configuration\Policies\Administrative Templates\Network\Network Connect
```

Domain users must elevate when setti

The recommended state for this setting is: `Enabled`.

**Note:** This Group Policy path is provided by the Group Policy template `NetworkCo

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window

This Group Policy section is provided by the Group Policy template `WindowsFirewall.admx/adml` that is included with all v

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

**Note:** This Group Policy path may not exist by default. It is provided by the Group

**Note:** This section was initially named _Windows Firewall_ but was renamed by Microsoft to _Windows Defender Firew

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `NCSI.admx/adml` that is included with all versions of t
In February 2015, Microsoft released a new control mechanism to mitigate a security risk in Group Polic

To establish the recommended configuration via GP, set the following UI path to `Ena

This section contains recommendations for Network Provider settings.

This Group Policy section is provided by the Group Policy template `NetworkIsolation.admx/adml` that is included with the

Once the new GPO template is in place, the following are the minimum requirements to remediate the G

Navigate to the UI Path articulated in the Remediation section and

This policy setting configures secure access to UNC paths.

`\\*\NETLOGON RequireMutualAuthentication=1, RequireIntegrity=1`
`\\*\SYSVOL RequireMutualAuthentication=1, RequireIntegrity=1`

This Group Policy section is provided by the Group Policy template `NetworkProvider.admx/adml` that is included with the

The recommended state for this setting is: `Enabled, with "Require Mutual Authentication" and "Require Integrity" set for al

Windows only allows access to the spe

`\\*\NETLOGON RequireMutualAuthentication=1, RequireIntegrity=1`
`\\*\SYSVOL RequireMutualAuthentication=1, RequireIntegrity=1`

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window

**Note:** If the environment exclusively contains Windows 8.0 / Server 2012 or higher systems, then the "`Privacy`" setting

```
Computer Configuration\Policies\Administrative Templates\Network\Network Provider
```

**Note:** A reboot may be required after the setting is applied to a client machine to access the above p

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `OfflineFiles.admx/adml` that is included with all version

**Note:** This Group Policy path does not exist by default. An additional Group Policy

Additional guidance on the deployment of this security setting is available from the Microsoft Premier Fie

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `QOS.admx/adml` that is included with all versions of th

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `Snmp.admx/adml` that is included with all versions of t

This section contains TCP/IP configuration settings.

This Group Policy section is provided by the Group Policy template `CipherSuiteOrder.admx/adml` that is included with all

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `tcpip.admx/adml` that is included with the Microsoft W
This section contains TCP/IP configuration parameter settings.

This Group Policy section is provided by the Group Policy template `tcpip.admx/adml` that is included with the Microsoft W

This section contains recommendations for Windows Connect Now settings.

This Group Policy section is provided by the Group Policy template `tcpip.admx/adml` that is included with the Microsoft W

This section contains recommendations for Windows Connection Manager settings.

This Group Policy section is provided by the Group Policy template `WindowsConnectNow.admx/adml` that is included with

To establish the recommended configuration via GP, set the following UI path to `Ena

Navigate to the UI Path articulated in the Remediation section and

This policy setting prevents computers from connecting to both a domain based network and a non-domain based network

This Group Policy section is provided by the Group Policy template `WCM.admx/adml` that is included with the Microsoft W

Blocking simultane

```
Computer Configuration\Policies\Administrative Templates\Network\Windows Connec
```

None - this is the default behavior.

The recommended state for this setting is: `Enabled`.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `Windows.admx/adml` that is included with all versions

**Note:** This Group Policy path may not exist by default. It is provided by the Group

This section contains recommendations for System settings.

This Group Policy section is provided by the Group Policy template `Windows.admx/adml` that is included with the Microso

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `Windows.admx/adml` that is included with all versions

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `srm-fci.admx/adml` that is included with the Microsoft W

This section contains settings related to auditing of process creation events.

This Group Policy section is provided by the Group Policy template `appv.admx/adml` that is included with the Microsoft W

This Group Policy section is provided by the Group Policy template `AuditSettings.admx/adml` that is included with the Mic
To establish the recommended configuration via GP, set the following UI path to `Disa

Navigate to the UI Path articulated in the Remediation section and

This policy setting determines what information is logged in security audit events when a new process has been created.

When this policy s

```
Computer Configuration\Policies\Administrative Templates\System\Audit Process Cre
```

None - this is the default behavior.

The recommended state for this setting is: `Disabled`.

This section contains settings related to Credential Delegation.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curren

To establish the recommended configuration via GP, set the following UI path to `Ena

Remote host allows delegation of non-exportable credentials. When using credential delegation, devices provide an export

Navigate to the UI Path articulated in the Remediation section and

This Group Policy section is provided by the Group Policy template `CredSsp.admx/adml` that is included with all versions

_Restricted Admin Mode_ was designed to help protect administrator accounts by ensuring that reusabl

**Note:** This Group Policy path may not exist by default. It is provided by the Group

_Windows Defender Remote Credential Guard_ helps you protect your credentials over a Remote Desk

The recommended state for this setting is: `Enabled`.

```
Computer Configuration\Policies\Administrative Templates\System\Credentials Deleg
```

The host will support the _Restric

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

Both features should be enabled and supported, as they reduce the chance of credential theft.

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window

**Note:** More detailed information on Windows Defender Remote Credential Guard and how it compares to Restricted Ad

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `DeviceGuard.admx/adml` that is included with the Mic

**Note:** This Group Policy path may not exist by default. It is provided by the Group
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `TPM.admx/adml` that is included with the Microsoft W

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `DeviceInstallation.admx/adml` that is included with all

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `DeviceRedirection.admx/adml` that is included with the

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `DiskNVCache.admx/adml` that is included with all vers

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `DiskQuota.admx/adml` that is included with all version

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `Display.admx/adml` that is included with the Microsoft

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `DCOM.admx/adml` that is included with all versions of

This section contains recommendations for configuring boot-start driver initialization settings.

This Group Policy section is provided by the Group Policy template `DeviceInstallation.admx/adml` that is included with all

This Group Policy section is provided by the Group Policy template `EarlyLaunchAM.admx/adml` that is included with the M

This policy setting allows you to specify which boot-start drivers are initialized based on a classification determined by an E

- `Good`: The driver has been signed and has not been tampered with.
- `Bad`: The driver has been identified as malware. It is recommended that you do not allow known bad drivers to be initiali
- `Bad, but required for boot`: The driver has been identified as malware, but the computer cannot successfully boot withou
- `Unknown`: This driver has not been attested to by your malware detection application and has not been classified by the

If you enable this policy setting you will be able to choose which boot-start drivers to initialize the next time the computer is

If your malware detection application does not include an Early Launch Antimalware boot-start driver or if your Early Launc

The recommended state for this setting is: `Enabled: Good, unknown and bad but critical`.

This policy settin

To establish the recommended configuration via GP, set the following UI path to `Ena

```
Computer Configuration\Policies\Administrative Templates\System\Early Launch Antim
```

Navigate to the UI Path articulated in the Remediation section and

None - this is the default behavior.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\Ea

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `EnhancedStorage.admx/adml` that is included with the

**Note:** This Group Policy path may not exist by default. It is provided by the Group

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `srm-fci.admx/adml` that is included with the Microsoft W

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `FileServerVSSAgent.admx/adml` that is included with

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `FileServerVSSProvider.admx/adml` that is included w

This Group Policy section is provided by the Group Policy template `FileSys.admx/adml` that is included with all versions o

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

**Note:** This section was initially named _NTFS Filesystem_ but was renamed by Microsoft to _Filesystem_ starting with

This section contains recommendations for configuring group policy-related settings.

This Group Policy section is provided by the Group Policy template `FolderRedirection.admx/adml` that is included with all

This Group Policy section is provided by the Group Policy template `GroupPolicy.admx/adml` that is included with all versio

The "Do not apply during periodic background processing" option prevents the system from updating affected policies in th

Setting this optio

To establish the recommended configuration via GP, set the following UI path to `Ena

```
Computer Configuration\Policies\Administrative Templates\System\Group Policy\Conf
```

Navigate to the UI Path articulated in the Remediation section and

Group Policies will be reapplied eve

The recommended state for this setting is: `Enabled: FALSE` (unchecked).

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window

The "Process even if the Group Policy objects have not changed" option updates and reapplies the policies even if the policies

Setting this optio

To establish the recommended configuration via GP, set the following UI path to `Ena

```
Computer Configuration\Policies\Administrative Templates\System\Group Policy\Conf
```

Navigate to the UI Path articulated in the Remediation section and

Group Policies will be reapplied eve

The recommended state for this setting is: `Enabled: TRUE` (checked).

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window

**Note:** This Group Policy path may not exist by default. It is provided by the Group

This policy setting prevents Group Policy from being updated while computer is in use. This policy setting applies to Gr

This setting ensur

To establish the recommended configuration via GP, set the following UI path to `Disa

```
Computer Configuration\Policies\Administrative Templates\System\Group Policy\Turn
```

None - this is the default behavior.

The recommended state for this setting is: `Disabled`.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curren

**Note:** This Group Policy path may not exist by default. It is provided by the Group

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
Group Policy
This section section
contains is provided**Note:**
recommendations by related This
the Group Group Policy
Policy template
to Internet path is provided by the Group Policy template
`GroupPolicyPreferences.admx/adml`
Communication Management. that is`GroupPoli
included w
accepted
Group Policy
This section section
contains is providedTo
recommendations byestablish
the Group
related tothePolicy
Internet template `Windows.admx/adml`
Communication
recommended settings.
configuration via GP, setthattheis included
followingwith all versions
UI path to `Ena
accepted Navigate to the UI Path articulated in the Remediation section and
This policy setting controls whether the computer can download print driver packages over HTTP. To set up HTTP printing,

This Group Policy section is provided by the Group Policy template `Windows.admx/adml` that is included with all versions

To establish the recommended configuration via GP, set the following UI path to `Ena

Print drivers cannot be downloaded over HTTP.

full

Users might downlo

```
Computer Configuration\Policies\Administrative Templates\System\Internet Communi
```

Navigate to the UI Path articulated in the Remediation section and
This policy setting controls whether Windows will download a list of providers for the Web publishing and online ordering w

The recommended state for this setting is: `Enabled`.

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```

**Note:** This policy setting does not prevent the

To establish the recommended configuration via GP, set the following UI path to `Ena

full

Although the risk

```
Computer Configuration\Policies\Administrative Templates\System\Internet Communi
```

Windows is prevented from downloadin

Navigate to the UI Path articulated in the Remediation section and
This policy setting allows you to disable the client computer's ability to print over HTTP, which allows the computer to print to Int

The recommended state for this setting is: `Enabled`.

**Note:** This Group Policy path is provided by the Group Policy template `ICM.admx

```
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curren
```

The client will not be able to print

full

Information that i

```
Computer Configuration\Policies\Administrative Templates\System\Internet Communi
```
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

The recommended state for this setting is: `Enabled`.

**Note:** This Group Policy path is provided by the Group Policy template `ICM.admx

**Note:** This policy setting affects the client side

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```

accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `iSCSI.admx/adml` that is included with all versions of t

**Note:** This Group Policy path is provided by the Group Policy template `ICM.admx

accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `KDC.admx/adml` that is included with the Microsoft W

This section contains recommendations for Locale Services settings.

This Group Policy section is provided by the Group Policy template `Kerberos.admx/adml` that is included with all versions

accepted
This Group Policy section is provided by the Group Policy template `Globalization.admx/adml` that is included with all versi
This section contains recommendations related to the logon process and lock screen.

To establish the recommended configuration via GP, set the following UI path to `Ena

accepted

Navigate to the UI Path articulated in the Remediation section and
This policy setting allows you to control whether anyone can interact with available networks UI on the logon screen.

This Group Policy section is provided by the Group Policy template `Logon.admx/adml` that is included with all versions of

To establish the recommended configuration via GP, set the following UI path to `Ena

full

An unauthorized us

```
Computer Configuration\Policies\Administrative Templates\System\Logon\Do not disp
```

The PC's network connectivity state

Navigate to the UI Path articulated in the Remediation section and
This policy setting prevents connected users from being enumerated on domain-joined computers.

The recommended state for this setting is: `Enabled`.

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```

To establish the recommended configuration via GP, set the following UI path to `Disa

full

A malicious user c

```
Computer Configuration\Policies\Administrative Templates\System\Logon\Do not enu
```

The Logon UI will not enumerate an

Navigate to the UI Path articulated in the Remediation section and
This policy setting allows local users to be enumerated on domain-joined computers.

The recommended state for this setting is: `Enabled`.

**Note:** This Group Policy path may not exist by default. It is provided by the Group

To establish the recommended configuration via GP, set the following UI path to `Ena

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```

full

A malicious user c

```
Computer Configuration\Policies\Administrative Templates\System\Logon\Enumerate
```

None - this is the default behavior.

Navigate to the UI Path articulated in the Remediation section and
This policy setting allows you to prevent app notifications from appearing on the lock screen.

The recommended state for this setting is: `Disabled`.

**Note:** This Group Policy path may not exist by default. It is provided by the Group

To establish the recommended configuration via GP, set the following UI path to `Ena

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```

full

App notifications

```
Computer Configuration\Policies\Administrative Templates\System\Logon\Turn off ap
```

No app notifications are displayed on

Navigate to the UI Path articulated in the Remediation section and

This policy setting allows you to control whether a domain user can sign in using a picture password.

To establish the recommended configuration via GP, set the following UI path to `Disa
The recommended state for this setting is: `Enabled`.

**Note:** This Group Policy path may not exist by default. It is provided by the Group

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```
full

Picture passwords

This policy setting allows you to control whether a domain user can sign in using a convenience PIN. In Windows 10, conve

The recommended state for this setting is: `Enabled`.

```
Computer Configuration\Policies\Administrative Templates\System\Logon\Turn off pic
```

Users will not be able to set up or si

Navigate to the UI Path articulated in the Remediation section and

**Note:** This Group Policy path may not exist by default. It is provided by the Group

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```

```
Computer Configuration\Policies\Administrative Templates\System\Logon\Turn on con
```
full

A PIN is created f

**Note:** The user's domain password will be cached in the system vault when using this feature.

If the picture password feature is permitted, the user's domain password is cached in the system vault when using

None - this is the default behavior.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

**Note:** This Group Policy path may not exist by default. It is provided by the Group

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```

The recommended state for this setting is: `Disabled`.

**Note:** This Group Policy path may not exist by default. It is provided by the Group
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `GroupPolicy.admx/adml` that is included with the Micro

accepted

**Note #2:** In older Microsoft Windows Administrative Templates, this setting was ini
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `Netlogon.admx/adml` that is included with all versions

accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `OSPolicy.admx/adml` that is included with the Microso

accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `PerfCenterCPL.admx/adml` that is only included with t

accepted
This section contains recommendations for Power Management settings.

This Group Policy section is provided by the Group Policy template `Passport.admx/adml` that is included with the Microso

accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `Power.admx/adml` that is included with all versions of

accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `Power.admx/adml` that is included with all versions of

accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `Power.admx/adml` that is included with the Microsoft W

accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `Power.admx/adml` that is included with all versions of

accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `Power.admx/adml` that is included with all versions of

accepted
This section contains recommendations related to Power Management Sleep mode.

This Group Policy section is provided by the Group Policy template `Power.admx/adml` that is included with the Microsoft W

To establish the recommended configuration via GP, set the following UI path to `Ena

accepted

Navigate to the UI Path articulated in the Remediation section and
Specifies whether or not the user is prompted for a password when the system resumes from sleep.

This Group Policy section is provided by the Group Policy template `Power.admx/adml` that is included with all versions of

To establish the recommended configuration via GP, set the following UI path to `Ena

full

Enabling this sett

```
Computer Configuration\Policies\Administrative Templates\System\Power Manageme
```

None - this is the default behavior.

Navigate to the UI Path articulated in the Remediation section and
Specifies whether or not the user is prompted for a password when the system resumes from sleep.

The recommended state for this setting is: `Enabled`.

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\P
```

full

Enabling this sett

```
Computer Configuration\Policies\Administrative Templates\System\Power Manageme
```

None - this is the default behavior.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

The recommended state for this setting is: `Enabled`.

**Note:** This Group Policy path may not exist by default. It is provided by the Group

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\P
```

accepted
This section contains recommendations related to Remote Assistance.

This Group Policy section is provided by the Group Policy template `ReAgent.admx/adml` that is included with the Microso

**Note:** This Group Policy path may not exist by default. It is provided by the Group

To establish the recommended configuration via GP, set the following UI path to `Disa

accepted

This policy setting allows you to turn on or turn off Offer (Unsolicited) Remote Assistance on this computer.

Navigate to the UI Path articulated in the Remediation section and
This Group Policy section is provided by the Group Policy template `RemoteAssistance.admx/adml` that is included with al

To establish the recommended configuration via GP, set the following UI path to `Disa

full

A user might be tr

Help desk and support personnel will not be able to proactively offer assistance, although they can still respond to user ass

```
Computer Configuration\Policies\Administrative Templates\System\Remote Assistanc
```

None - this is the default behavior.

Navigate to the UI Path articulated in the Remediation section and

This policy setting allows you to turn on or turn off Solicited (Ask for) Remote Assistance on this computer.

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```
full

The recommended state for this setting is: `Disabled`.

There is slight ri

```
Computer Configuration\Policies\Administrative Templates\System\Remote Assistanc
```

Users on this computer cannot use e-
This section contains recommendations related to Remote Procedure Call.

The recommended state for this setting is: `Disabled`.

**Note:** This Group Policy path may not exist by default. It is provided by the Group

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```

To establish the recommended configuration via GP, set the following UI path to `Ena
accepted

This policy setting controls whether RPC clients authenticate with the Endpoint Mapper Service when the call they are mak

Navigate to the UI Path articulated in the Remediation section and

This Group Policy section is provided by the Group Policy template `RPC.admx/adml` that is included with all versions of th

**Note:** This Group Policy path may not exist by default. It is provided by the Group
full

**Note:** This policy will not be in effect until the system is rebooted.

Anonymous access t

```
Computer Configuration\Policies\Administrative Templates\System\Remote Procedure
```

RPC clients will authenticate to the

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```

accepted

The recommended state for this setting is: `Enabled`.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

**Note:** This Group Policy path may not exist by default. It is provided by the Group

This Group Policy section is provided by the Group Policy template `RemovableStorage.admx/adml` that is included with a

accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `Scripts.admx/adml` that is included with all versions of

accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `ServerManager.admx/adml` that is included with all ve

accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `WinInit.admx/adml` that is included with the Microsoft

accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `Winsrv.admx/adml` that is included with all versions of

accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `StorageHealth.admx/adml` that is included with the Mi

accepted
This Group Policy section is provided by the Group Policy template `SystemRestore.admx/adml` that is included with all ve
This section contains recommendations related to Troubleshooting and Diagnostics.
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `Windows.admx/adml` that is included with all versions

accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `pca.admx/adml` that is included with all versions of the

accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `FileRecovery.admx/adml` that is included with all versi

accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `DiskDiagnostic.admx/adml` that is included with all ver

accepted
This section contains recommendations related to the Microsoft Support Diagnostic Tool.

This Group Policy section is provided by the Group Policy template `fthsvc.admx/adml` that is included with the Microsoft W

accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `MSDT.admx/adml` that is included with all versions of

accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `Msi-FileRecovery.admx/adml` that is included with the

accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `sdiagschd.admx/adml` that is included with the Micros

accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `sdiageng.admx/adml` that is included with the Microso

accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `PerformanceDiagnostics.admx/adml` that is included w

accepted
This section contains recommendations related to Windows Performance PerfTrack.

This Group Policy section is provided by the Group Policy template `LeakDiagnostic.admx/adml` that is included with all ve

accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `PerformancePerftrack.admx/adml` that is included with

accepted
This section contains recommendations related to User Profiles.

This Group Policy section is provided by the Group Policy template `TPM.admx/adml` that is included with all versions of th

accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `UserProfiles.admx/adml` that is included with all versio

accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `WindowsFileProtection.admx/adml` that is included wi

accepted
This section contains recommendations related to the Windows Time Service.

This Group Policy section is provided by the Group Policy template `HotStart.admx/adml` that is only included with the Micr

accepted
This section contains recommendations related to Time Providers.

This Group Policy section is provided by the Group Policy template `W32Time.admx/adml` that is included with all versions

accepted
This section contains recommendations for Windows Component settings.

This Group Policy section is provided by the Group Policy template `W32Time.admx/adml` that is included with all versions

accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `Windows.admx/adml` that is included with all versions

accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `adfs.admx/adml` that is only included with the Microso
accepted This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `ActiveXInstallService.admx/adml` that is included with
accepted This Group Policy section is provided by the Group Policy template `WindowsAnytimeUpgrade.admx/adml` that is included
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
**Note:** This section was initially named _Windows Anytime Upgrade_ but was renamed by Microsoft to _Add features to
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `AppxPackageManager.admx/adml` that is included wit

accepted
This section contains recommendations for App runtime settings.

This Group Policy section is provided by the Group Policy template `AppPrivacy.admx/adml` that is included with the Micro

To establish the recommended configuration via GP, set the following UI path to `Ena

accepted

Navigate to the UI Path articulated in the Remediation section and
This policy setting lets you control whether Microsoft accounts are optional for Windows Store apps that require an accoun

This Group Policy section is provided by the Group Policy template `AppXRuntime.admx/adml` that is included with the Mic

full

Enabling this sett

```
Computer Configuration\Policies\Administrative Templates\Windows Components\Ap
```

Windows Store apps that typically requ
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

The recommended state for this setting is: `Enabled`.

```
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curren
```

accepted
This section contains recommendations for the AutoPlay policies.

This Group Policy section is provided by the Group Policy template `AppCompat.admx/adml` that is included with all versio

**Note:** This Group Policy path may not exist by default. It is provided by the Group

To establish the recommended configuration via GP, set the following UI path to `Ena

accepted

Navigate to the UI Path articulated in the Remediation section and
This policy setting disallows AutoPlay for MTP devices like cameras or phones.

This Group Policy section is provided by the Group Policy template `AutoPlay.admx/adml` that is included with all versions

To establish the recommended configuration via GP, set the following UI path to `Ena

full

An attacker could

```
Computer Configuration\Policies\Administrative Templates\Windows Components\Au
```

AutoPlay will not be allowed for MTP

Navigate to the UI Path articulated in the Remediation section and
This policy setting sets the default behavior for Autorun commands. Autorun commands are generally stored in `autorun.inf

The recommended state for this setting is: `Enabled`.

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```

To establish the recommended configuration via GP, set the following UI path to `Ena
full

Prior to Windows V

Autoplay starts to read from a drive as soon as you insert media in the drive, which causes the setup file for programs or au

```
Computer Configuration\Policies\Administrative Templates\Windows Components\Au
```

AutoRun commands will be completel

Navigate to the UI Path articulated in the Remediation section and
The recommended state for this setting is: `Enabled: Do not execute any autorun commands`.

**Note:** This Group Policy path may not exist by default. It is provided by the Group

```
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curren
```
full

**Note:** You cannot use this policy setting to enable Autoplay on computer drives in which it is disabled by default, such a

An attacker could

```
Computer Configuration\Policies\Administrative Templates\Windows Components\Au
```

Autoplay will be disabled - users wil
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

**Note:** This Group Policy path may not exist by default. It is provided by the Group

```
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curren
```

accepted

The recommended state for this setting is: `Enabled: All drives`.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

**Note:** This Group Policy path is provided by the Group Policy template `AutoPlay.a

This Group Policy section is provided by the Group Policy template `UserDataBackup.admx/adml` that is only included with

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `Biometrics.admx/adml` that is included with the Micros

accepted
This Group Policy section is provided by the Group Policy template `VolumeEncryption.admx/adml` that is included with all
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `Camera.admx/adml` that is included with the Microsoft

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `CloudContent.admx/adml` that is included with the Mic

This section contains recommendations related to the Credential User Interface.

This Group Policy section is provided by the Group Policy template `WirelessDisplay.admx/adml` that is included with the M

To establish the recommended configuration via GP, set the following UI path to `Ena

accepted

Navigate to the UI Path articulated in the Remediation section and
This policy setting allows you to configure the display of the password reveal button in password entry user experiences.

This Group Policy section is provided by the Group Policy template `CredUI.admx/adml` that is included with all versions of

To establish the recommended configuration via GP, set the following UI path to `Disa

full

This is a useful f

```
Computer Configuration\Policies\Administrative Templates\Windows Components\Cre
```

The password reveal button will not

Navigate to the UI Path articulated in the Remediation section and
This policy setting controls whether administrator accounts are displayed when a user attempts to elevate a running applica

The recommended state for this setting is: `Enabled`.

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```

full

Users could see th

```
Computer Configuration\Policies\Administrative Templates\Windows Components\Cre
```

None - this is the default behavior.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

The recommended state for this setting is: `Disabled`.

**Note:** This Group Policy path may not exist by default. It is provided by the Group

```
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curren
```
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

**Note:** This Group Policy path is provided by the Group Policy template `CredUI.ad

This Group Policy section is provided by the Group Policy template `Windows.admx/adml` that is included with the Microso

accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `DeliveryOptimization.admx/adml` that is included with

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `Sidebar.admx/adml` that is included with the Microsoft

accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `DWM.admx/adml` that is included with all versions of t
accepted This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `DeviceCompat.admx/adml` that is included with the M
accepted

This setting determines if recommended EMET mitigations are applied to the following popular software:

This Group Policy section is provided by the Group Policy template `WorkplaceJoin.admx/adml` that is included with the M

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This section contains recommendations for configuring Microsoft Enhanced Mitigation Experience Toolkit (EMET).

accepted

- 7-Zip

**Note:** This section was initially named _Workplace Join_ but was renamed by Microsoft to _Device Registration_ startin
- Adobe Photoshop

The Enhanced Mitigation Experience Toolkit (EMET) is free and supported security software developed by Microsoft that a

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `DigitalLocker.admx/adml` that is included with all versi

Group Policy template `EMET.admx/adml` that is included with Microsoft EME

accepted

- Foxit Reader
- Google Chrome

EMET is free and supported security software developed by Microsoft that allows an enterprise to apply exploit mitigations

More information on EMET, including download and User Guide, can be obtained here:

This Group Policy section is provided by the Group Policy template `EdgeUI.admx/adml` that is included with the Microsoft

accepted

- Google Talk

This setting configures the default action after detection and advanced ROP mitigation.

Navigate to the UI Path articulated in the Remediation section and

- iTunes

**Note:** Although EMET is quite effective at enhancing exploit protection on Windows server OSes prior to Server 2016, it

[Enhanced Mitigation Experience Toolkit - EMET - TechNet Security](https://technet.microsoft.com/en-us/security/jj653751

To establish the recommended configuration via GP, set the following UI path to `Ena
full

- Microsoft Live Writer

The recommended state for this setting is:

EMET mitigations h

These advanced mitigations for ROP mitigations to apply to all configured software in EMET:

Install EMET 5.52

Navigate to `Control Panel\Program\Programs and Featu

- Microsoft Lync Communicator

**Note #2:** EMET has been reported to be very problematic on 32-bit OSes - we only recommend using it with 64-bit OSe

**Note:** Although EMET is quite effective at enhancing exploit protection on Windows server OSes prior to Server 2016, it

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\EMET\S
```

To establish the recommended configuration via GP, set the following UI path to `Ena
full

- Microsoft Photo Gallery

Default Action and Mitigation Settings - `Enabled`

- **Deep Hooks** protects critical APIs and the subsequent lower level APIs used by the top level critica

The advanced mitigations available in

Navigate to the UI Path articulated in the Remediation section and

```
Computer Configuration\Policies\Administrative Templates\Windows Components\EM
```

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\EMET\S
```
- Microsoft SkyDrive

This setting determines if recommended EMET mitigations are applied to Internet Explorer.

Deep Hooks - `Enabled`

- **Anti Detours** renders ineffective exploits that evade hooks by executing a copy of the hooked functi

**Note #2:**

**Note #3:** Microsoft has announced that EMET will be End-Of-Life (EOL) on July 31, 2018. This does not mean the softw

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\EMET\S
```

To establish the recommended configuration via GP, set the following UI path to `Ena
full

- mIRC

Anti Detours - `Enabled`

This setting determines if recommended EMET mitigations are applied to the following software:

Applying EMET mitig

- **Banned Functions** EMET will block calls to `ntdll!LdrHotPatchRoutine` to mitigate potential exploits abusin

EMET mitigations will be applied to I

Navigate to the UI Path articulated in the Remediation section and

**Note:** This Group Policy path does not exist by default. An additional Group Policy

```
Computer Configuration\Policies\Administrative Templates\Windows Components\EM
```

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\EMET\S
```
- Mozilla Firefox

Banned Functions - `Enabled`

**Note #3:** EMET has been reported to be very problematic on 32-bit OSes - we only recommend using it with 64-bit OSe

The recommended state for this setting is: `Enabled`.

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\EMET\D
```

To establish the recommended configuration via GP, set the following UI path to `Ena
full Exploit Acrobat
Mozilla
- Adobe Action -` User
Thunderbird Configured`
Applying EMET miti ```
```
Navigate to the UI EMET mitigationsinwill
Path articulated thebe applied to th
Remediation section and
**Note:** This
Computer Group Policy path does not exist by
Configuration\Policies\Administrative default. An additional
Templates\Windows Group Policy
Components\EM
Opera Acrobat Reader
- Adobe HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\EMET\D
```
```
To establish the recommended configuration via GP, set the following UI path to `Ena
full Pidgin
- Microsoft Office suite
Applying
applications
EMET miti ```
```
Navigate to the UI EMET mitigationsinwill
Path articulated thebe applied to section and
Remediation
**Note:** This
Computer Group Policy path does not exist by
Configuration\Policies\Administrative default. An additional
Templates\Windows Group Policy
Components\EM
QuickTime
- Oracle
This Java
setting Player
determines how applications become enrolled HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\EMET\D
in Address Space Layout Randomization (ASLR).
```
``` establish the recommended configuration via GP, set the following UI path to `Ena
To
full RealPlayer
- WordPad ASLR reduces the p ```
```
Navigate to the UI ASLR protectionsinwill
Path articulated thebe enabled onsection and
Remediation
**Note:** This
Computer Group Policy path does not exist by
Configuration\Policies\Administrative default. An additional
Templates\Windows Group Policy
Components\EM
- Safari
The
This recommended
setting determines statehowfor this setting is:become
applications `Enabled: Application
enrolledHKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\EMET\S
in DataOpt-In`.
Execution Protection (DEP).
```
``` establish the recommended configuration via GP, set the following UI path to `Ena
To
full - Skype
The recommendedDEP statemarks
for this setting
pages of is: `Enabled`. Navigate ```
``` to the UI DEP Path protections
articulated in willthebeRemediation
enabled on *a section and
**Note:** This
Computer Group Policy path does not exist by
Configuration\Policies\Administrative default. An additional
Templates\Windows Group Policy
Components\EM
- VideoLAN
The
This recommendedVLC statehow
setting determines for this setting is:become
applications `Enabled: Application
enrolledHKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\EMET\S
Opt-Out`.
in Structured Exception Handler Overwrite Protection (SEHOP).
```
```
full - Winamp When a software co ```
``` SEHOP protections will be enabled on
**Note:** This
Computer Group Policy path does not exist by
Configuration\Policies\Administrative default. An additional
Templates\Windows Group Policy
Components\EM
- Windows
The
This sectionLive
recommended Mailstate forblank
is intentionally this setting is: `Enabled:
and exists to ensureApplication
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\EMET\S
the structure Opt-Out`.
of Windows benchmarks is consistent.
```
accepted - Windows Media Player ```
**Note:** This Group Policy path does not exist by default. An additional Group Policy
- WinRAR
This Group Policy
section section
contains is provided by for
recommendations theconfiguring
Group Policy thetemplate
Event Log `EventForwarding.admx/adml`
Service. that is included with the
accepted - WinZip To establish the recommended configuration via GP, set the following UI path to `Disa
Group Policy
This section section
contains is provided by for
recommendations theconfiguring
Group Policy thetemplate
Application`EventLog.admx/adml`
Event Log. that is included with all versions
accepted

This policy setting controls Event Log behavior when the log file reaches its maximum size.

The recommended state for this setting is: `Disabled`.

If new events are

When event logs fill to capacity, they will stop rec

Computer Configuration\Policies\Administrative Templates\Windows Components\Eve

Navigate to the UI Path articulated in the Remediation section and

None - this is the default behavior.

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```

**Note:** Old events may or may not be retained according to the _Backup log automatically when full_ policy setting.

**Note:** This Group Policy path is provided by the Group Policy template `EventLog.

full

This policy setting specifies the maximum size of the log file in kilobytes. The maximum log file size can be configured betw

The recommended state for this setting is: `Enabled: 32,768 or greater`.

If events are not

The consequence of this configuration is that old

To establish the recommended configuration via GP, set the following UI path to `Ena

Computer Configuration\Policies\Administrative Templates\Windows Components\Eve

Navigate to the UI Path articulated in the Remediation section and

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```

**Note:** This Group Policy path is provided by the Group Policy template `EventLog.

This section contains recommendations for configuring the Security Event Log.

This Group Policy section is provided by the Group Policy template `EventLog.admx/adml` that is included with all versions
accepted

This policy setting controls Event Log behavior when the log file reaches its maximum size.

The recommended state for this setting is: `Disabled`.

If new events are

When event logs fill to capacity, they will stop rec

To establish the recommended configuration via GP, set the following UI path to `Disa

Computer Configuration\Policies\Administrative Templates\Windows Components\Eve

Navigate to the UI Path articulated in the Remediation section and

None - this is the default behavior.

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```

**Note:** Old events may or may not be retained according to the _Backup log automatically when full_ policy setting.

**Note:** This Group Policy path is provided by the Group Policy template `EventLog.

**Note #2:** In older Microsoft Windows Administrative Templates, this setting was ini

full

This policy setting specifies the maximum size of the log file in kilobytes. The maximum log file size can be configured betw

The recommended state for this setting is: `Enabled: 196,608 or greater`.

If events are not

The consequence of this configuration is that old

Ideally, all specifically monitored events should

To establish the recommended configuration via GP, set the following UI path to `Ena

Computer Configuration\Policies\Administrative Templates\Windows Components\Eve

Navigate to the UI Path articulated in the Remediation section and

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```

**Note:** This Group Policy path is provided by the Group Policy template `EventLog.

This section contains recommendations for configuring the Setup Event Log.

This Group Policy section is provided by the Group Policy template `EventLog.admx/adml` that is included with all versions
accepted

This policy setting controls Event Log behavior when the log file reaches its maximum size.

The recommended state for this setting is: `Disabled`.

If new events are

When event logs fill to capacity, they will stop rec

To establish the recommended configuration via GP, set the following UI path to `Disa

Computer Configuration\Policies\Administrative Templates\Windows Components\Eve

Navigate to the UI Path articulated in the Remediation section and

None - this is the default behavior.

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```

**Note:** Old events may or may not be retained according to the _Backup log automatically when full_ policy setting.

**Note:** This Group Policy path is provided by the Group Policy template `EventLog.

**Note #2:** In older Microsoft Windows Administrative Templates, this setting was ini

full

This policy setting specifies the maximum size of the log file in kilobytes. The maximum log file size can be configured betw

The recommended state for this setting is: `Enabled: 32,768 or greater`.

If events are not

The consequence of this configuration is that old

Ideally, all specifically monitored events should

To establish the recommended configuration via GP, set the following UI path to `Ena

Computer Configuration\Policies\Administrative Templates\Windows Components\Eve

Navigate to the UI Path articulated in the Remediation section and

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```

**Note:** This Group Policy path is provided by the Group Policy template `EventLog.

**Note #2:** In older Microsoft Windows Administrative Templates, this setting was ini
This section contains recommendations for configuring the System Event Log.

This Group Policy section is provided by the Group Policy template `EventLog.admx/adml` that is included with all versions

accepted

This policy setting controls Event Log behavior when the log file reaches its maximum size.

The recommended state for this setting is: `Disabled`.

If new events are

When event logs fill to capacity, they will stop rec

To establish the recommended configuration via GP, set the following UI path to `Disa

Computer Configuration\Policies\Administrative Templates\Windows Components\Eve

Navigate to the UI Path articulated in the Remediation section and

None - this is the default behavior.

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```

**Note:** Old events may or may not be retained according to the _Backup log automatically when full_ policy setting.

**Note:** This Group Policy path is provided by the Group Policy template `EventLog.

full

This policy setting specifies the maximum size of the log file in kilobytes. The maximum log file size can be configured betw

The recommended state for this setting is: `Enabled: 32,768 or greater`.

If events are not

The consequence of this configuration is that old

Ideally, all specifically monitored events should

To establish the recommended configuration via GP, set the following UI path to `Ena

Computer Configuration\Policies\Administrative Templates\Windows Components\Eve

Navigate to the UI Path articulated in the Remediation section and

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```

**Note:** This Group Policy path is provided by the Group Policy template `EventLog.

**Note #2:** In older Microsoft Windows Administrative Templates, this setting was ini

accepted

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `EventLogging.admx/adml` that is included with the Mic

accepted

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

**Note #2:** In older Microsoft Windows Administrative Templates, this setting was ini
This Group Policy section is provided by the Group Policy template `EventViewer.admx/adml` that is included with all versio
accepted

This section contains recommendations to control the availability of options such as menu items and tabs in dialog boxes.

This Group Policy section is provided by the Group Policy template `ParentalControls.admx/adml` that is only included with
To establish the recommended configuration via GP, set the following UI path to `Disa
accepted

**Note:** This section was initially named _Parental Controls_ but was renamed by Microsoft to _Family Safety_ starting with

This Group Policy section is provided by the Group Policy template `WindowsExplorer.admx/adml` that is included with all w

**Note:** This section was initially named _Windows Explorer_ but was renamed by Microsoft to _File Explorer_ starting wi

Disabling Data Execution Prevention can allow certain legacy plug-in applications to function without terminating Explorer.

Data Execution Pre

The recommended state for this setting is: `Disabled`.

To establish the recommended configuration via GP, set the following UI path to `Disa

Computer Configuration\Policies\Administrative Templates\Windows Components\File

Navigate to the UI Path articulated in the Remediation section and

None - this is the default behavior.

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```

**Note:** Some legacy plug-in applications and other software may not function with Data Execution Prevention and will req

full

Without heap termination on corruption, legacy plug-in applications may continue to function when a File Explorer session

Allowing an applic

The recommended state for this setting is: `Disabled`.

To establish the recommended configuration via GP, set the following UI path to `Disa

Computer Configuration\Policies\Administrative Templates\Windows Components\File

Navigate to the UI Path articulated in the Remediation section and

None - this is the default behavior.

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```

**Note:** This Group Policy path may not exist by default. It is provided by the Group

full

This policy setting allows you to configure the amount of functionality that the shell protocol can have. When using the full f

Limiting the openin

The recommended state for this setting is: `Disabled`.

Computer Configuration\Policies\Administrative Templates\Windows Components\File

None - this is the default behavior.

```
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curren
```

**Note:** This Group Policy path is provided by the Group Policy template `Explorer.a

full

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
accepted

**Note:** This Group Policy path is provided by the Group Policy template `WindowsE

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `PreviousVersions.admx/adml` that is included with all

accepted

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `FileHistory.admx/adml` that is included with the Micros

accepted

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `FindMy.admx/adml` that is included with the Microsoft

accepted

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `GameExplorer.admx/adml` that is included with all ver

accepted

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `Handwriting.admx/adml` that is included with the Micro

accepted

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `Sharing.admx/adml` that is included with the Microsoft

accepted

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `CaptureWizard.admx/adml` that is only included with t

accepted

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `InetRes.admx/adml` that is included with all versions o

accepted

This section contains settings for Locations and Sensors.

This Group Policy section is provided by the Group Policy template `IIS.admx/adml` that is included with all versions of the

accepted

This section contains settings for Windows Location Provider.

This Group Policy section is provided by the Group Policy template `Sensors.admx/adml` that is included with the Microsof

accepted

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `LocationProviderAdm.admx/adml` that is included with

accepted

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `msched.admx/adml` that is included with the Microsoft

accepted

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `WinMaps.admx/adml` that is included with the Microso

accepted

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `MDM.admx/adml` that is included with the Microsoft W

accepted

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `Messaging.admx/adml` that is included with the Micros

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `MSAPolicy.admx/adml` that is included with the Micros

accepted

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `MicrosoftEdge.admx/adml` that is included with the Mi

accepted

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `FidoAuth.admx/adml` that is included with the Microso

accepted

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `DeviceCredential.admx/adml` that is included with the

accepted

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `UserExperienceVirtualization.admx/adml` that is includ

accepted

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `Conf.admx/adml` that is included with all versions of th

accepted

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `NAPXPQec.admx/adml` that is only included with the M
accepted This section contains recommendations related to OneDrive.
This Group Policy section is provided by the Group Policy template `NetworkProjection.admx/adml` that is only included wi
accepted The Group Policy settings contained within this section are provided by the Group Policy template `SkyDrive.admx/adml` th

**Note:** This section was initially named _SkyDrive_ but was renamed by Microsoft to _OneDrive_ starting with the Micros
This policy setting lets you prevent apps and features from working with files on OneDrive using the Next Generation Sync

Enabling this sett

The recommended state for this setting is: `Enabled`.

To establish the recommended configuration via GP, set the following UI path to `Ena

Computer Configuration\Policies\Administrative Templates\Windows Components\On

Navigate to the UI Path articulated in the Remediation section and

Users can't access OneDrive from the OneDrive

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```

**Note:** If your organization uses Office 365, be

full

This policy setting lets you prevent apps and features from working with files on OneDrive using the legacy OneDrive/SkyD

Enabling this sett

The recommended state for this setting is: `Enabled`.

To establish the recommended configuration via GP, set the following UI path to `Ena

Computer Configuration\Policies\Administrative Templates\Windows Components\On

Navigate to the UI Path articulated in the Remediation section and

Users can't access OneDrive from the

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```

**Note:** If your organization uses Office 365, be

**Note:** Despite the name of this setting, it is applicable to the legacy OneDrive client on any Windows OS.

**Note:** This Group Policy path may not exist by default. It is provided by the Group

**Note #2:** In older Microsoft Windows Administrative Templates, this setting was na

full

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

accepted

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `HelpAndSupport.admx/adml` that is included with all v
accepted

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `PswdSync.admx/adml` that is only included with the M

accepted

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `ExternalBoot.admx/adml` that is included with the Micr

accepted

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `MobilePCPresentationSettings.admx/adml` that is inclu
accepted This section contains recommendations related to Remote Desktop Services.
This Group Policy section is provided by the Group Policy template `PushToInstall.admx/adml` that is included with the Mic
accepted

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `TerminalServer.admx/adml` that is included with all ve

accepted

**Note:** This section was initially named _Terminal Services_ but was renamed by Microsoft to _Remote Desktop Service

This section contains recommendations for the Remote Desktop Connection Client.

This Group Policy section is provided by the Group Policy template `TerminalServer.admx/adml` that is included with all ve

accepted

**Note:** This section was initially named _TS Licensing_ but was renamed by Microsoft to _RD Licensing_ starting with th

This policy setting helps prevent Remote Desktop clients from saving passwords on a computer.

An attacker with

The recommended state for this setting is: `Enabled`.

To establish the recommended configuration via GP, set the following UI path to `Ena

Computer Configuration\Policies\Administrative Templates\Windows Components\Re

Navigate to the UI Path articulated in the Remediation section and

The password saving checkbox will be

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```

**Note:** If this policy setting was previously configured as Disabled or Not configured, any previously saved passwords wi

**Note:** This Group Policy path is provided by the Group Policy template `TerminalS

full

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `TerminalServer.admx/adml` that is included with the M

accepted

This section contains recommendations for the Remote Desktop Session Host.
accepted This Group Policy section is provided by the Group Policy template `TerminalServer.admx/adml` that is included with all ve
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
accepted **Note:** This section was initially named _Terminal Server_ but was renamed by Microsoft to _Remote Desktop Session H
This section contains recommendations for Connections to the Remote Desktop Session Host.

This Group Policy section is provided by the Group Policy template `TerminalServer-Server.admx/adml` that is included wit

accepted

This section contains recommendations related to Remote Desktop Session Host Device and Resource Redirection.

This Group Policy section is provided by the Group Policy template `TerminalServer.admx/adml` that is included with all ve

This policy setting prevents users from sharing the local drives on their client computers to Remote Desktop Servers that th

To establish the recommended configuration via GP, set the following UI path to `Ena
accepted Navigate to the UI Path articulated in the Remediation section and
This Group Policy section is provided by the Group Policy template `TerminalServer.admx/adml` that is included with all ve

`\\TSClient\$`

If local drives are shared they are left vulnerable to intruders who want to exploit the data that is stored on them.

Data could be forw

The recommended state for this setting is: `Enabled`.

Computer Configuration\Policies\Administrative Templates\Windows Components\Re

Drive redirection will not be possible

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```

**Note:** This Group Policy path is provided by the Group Policy template `TerminalS

full

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `TerminalServer.admx/adml` that is included with all ve

accepted

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `TerminalServer.admx/adml` that is included with all ve

accepted

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `TerminalServer.admx/adml` that is included with all ve

accepted

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `TerminalServer.admx/adml` that is included with all ve

accepted

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `TerminalServer.admx/adml` that is included with all ve

accepted

**Note:** This section was initially named _TS Connection Broker_ but was renamed by Microsoft to _RD Connection Brok

To establish the recommended configuration via GP, set the following UI path to `Ena

This section contains recommendations related to Remote Desktop Session Host Security.

This Group Policy section is provided by the Group Policy template `TerminalServer.admx/adml` that is included with all ve
accepted ``` Navigate to the UI Path articulated in the Remediation section and
Group setting
This policy Policy section
specifiesis whether
providedRemote
byestablish
To the Group
Computer Desktop Policy template `TerminalServer.admx/adml`
Configuration\Policies\Administrative
the Services
recommended always prompts thevia
configuration client set thethat
Templates\Windows
GP,computer forisaincluded
following password with
Components\Re
UI path to all
upon
`Enave
co
full This policy setting Users
allows have
you tothe opt``` whether RemoteNavigate
specify ``` the UI Users
DesktoptoServices Path cannot
requires
articulatedautomatically
secure inRemote log on tosection
the Remediation
Procedure Call (RPC)
and
The recommended state for this setting ``` is:
To `Enabled`.
establish HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
the recommended configuration via GP, set the following UI path to `Ena
full You can use this policy
Allowing
setting
unsecure **Note:**the
to strengthen
Computer This Group```ofPolicy path
to theisUI
provided
Configuration\Policies\Administrative
security ```
NavigateRPC communication Remote by
with the
Desktop Group thePolicy
Templates\Windows
clients
Path articulated inServices
by allowing template
accepts
Remediation only `TerminalS
Components\Re
authenticated
req
section and
This policy setting specifies whether to ```require the use of HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
a specific encryption level to secure communications between clie
full The recommendedIfstateRemotefor this
Desktop **Note
setting #2:** In the ```
is: `Enabled`.
Computer Microsoft WindowsNone
Configuration\Policies\Administrative
``` Vista- Administrative
thisTemplates\Windows
is the default Templates,
behavior. this setting wa
Components\Re
The recommended
This section containsstate
recommendations **Note:**
for this setting
``` is: This
`Enabled:
related Group
High
to Remote Policy path is provided
Host by the Group
TimePolicy
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
Level`.
Desktop Session Session Limits.template `TerminalS
accepted ```
To establish the recommended configuration via GP, set the following UI path to `Disa
This section contains recommendations related to Remote Desktop Session Host Session Temporary folders.

This Group Policy section is provided by the Group Policy template `TerminalServer.admx/adml` that is included with all ve

**Note:** This Group Policy path is provided by the Group Policy template `TerminalS
accepted ``` Navigate to the UI Path articulated in the Remediation section and
Group setting
This policy Policy section
specifiesis whether
providedRemote
byestablish
To the Group
Computer Desktop Policy template `TerminalServer.admx/adml`
Configuration\Policies\Administrative
the Services
recommended retains a user's per-session
configuration thethat
viaTemplates\Windows
GP, set temporary isfolders
followingincluded with
Components\Re
UI atpath to all
logoff. ve
`Disa
full By default, RemoteSensitive
Desktop informat
Services```creates a separate ```temporary
Navigate to the UI None
folder Path
on the- this is theindefault
articulated
RD Session the
Host behavior.
Remediation
server for each sectionactive
ands
The recommended state for this setting ``` is: `Disabled`. HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
full To reclaim disk space,
Disabling
the temporary **Note:**
this set To
Computer
folder This
is deleted
establish Group
the ```
```Policy pathconfiguration
the user
recommended is provided
Configuration\Policies\Administrative
when logs off
Nonefrom by
- this
a the Group
viasession. Policy
Templates\Windows
is
GP,thesetdefault
the template
behavior.
following `TerminalS
Components\Re
UI path to `Ena
This section contains recommendations ``` related to RSS HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
feeds.
accepted The recommended state for this setting **Note
``` #2:** In older
is: `Disabled`. ``` Microsoft
Navigate Windows
to the UI Path Administrative
articulated inTemplates,
the Remediation this setting
section wasandna
Group setting
This policy Policy section
preventsistheprovided **Note:**
by the
user from
Computer
havingThis
Group Group Policy
Policy template path is provided
Configuration\Policies\Administrative
enclosures (file attachments) by the
`InetRes.admx/adml`
downloaded Group
that is Policy
included
Templates\Windows
from an RSS template
with
feed to`TerminalS
all versions
the user'so
Components\RS
full Allowing attachmen``` ``` Users cannot set the Feed Sync Engi
The recommended
This section containsstate for this setting
recommendations To is:
for`Enabled`.
Searchthe
establish HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet
settings.
recommended configuration via GP, set the following UI path to `Disa
accepted **Note:** This Group ``` Policy path
Navigate to theisUI
provided by the Group
Path articulated in thePolicy templatesection
Remediation `InetRes.ad
and
Group setting
This policy Policy section
controlsiswhether
provided by the Group
encrypted
``` itemsPolicy template
are allowed `Search.admx/adml`
to be indexed. When thisthat is included
setting is changed,with alltheversions
index isofr
full **Note #2:**
Indexing and allowiComputer In older
``` Microsoft Windows
Configuration\Policies\Administrative
None Administrative Templates,
- thisTemplates\Windows
is the default this
behavior. setting was na
Components\Se
The recommended state for this setting ``` is: `Disabled`. HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```
**Note:** This Group Policy path is provided by the Group Policy template `Search.ad
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
accepted

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `SearchOCR.admx/adml` that is only included with the
accepted

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `SecurityCenter.admx/adml` that is included with all ver
accepted

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Snis.admx/adml` that is only included with the Microso
accepted

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `WinInit.admx/adml` that is included with all versions of
accepted

This section contains recommendations related to the Software Protection Platform.
This Group Policy section is provided by the Group Policy template `SmartCard.admx/adml` that is included with all version
accepted

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `AVSValidationGP.admx/adml` that is included with the
accepted

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `SoundRec.admx/adml` that is included with all version
accepted

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Speech.admx/adml` that is included with the Microsoft
accepted

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `WinStoreUI.admx/adml` that is included with the Micro
accepted

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `SettingSync.admx/adml` that is included with the Micro
accepted

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Windows.admx/adml` that is included with all versions
accepted

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `TaskScheduler.admx/adml` that is included with all ver
accepted

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `TextInput.admx/adml` that is only included with the Mic
accepted

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `WinCal.admx/adml` that is included with all versions o
accepted

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `WindowsColorSystem.admx/adml` that is included with
accepted

This Group Policy section is provided by the Group Policy template `CEIPEnable.admx/adml` that is included with all versio
accepted

This section contains recommendations related to Windows Defender Antivirus.
This Group Policy section is provided by the Group Policy template `WindowsDefender.admx/adml` that is included with
**Note:** This section was originally named _Windows Defender_ but was renamed by Microsoft to _Windows Defender An
accepted

This policy setting turns off Windows Defender Antivirus. If the setting is configured to Disabled, Windows Defender Antiviru
The recommended state for this setting is: `Disabled`.
**Note #2:** In older Microsoft Windows Administrative Templates, this setting was ini
Rationale: It is important to ensure a current, updated antivirus product is scanning each computer for malicious file
Organizations that choose to purchase a reputable 3rd-party antivirus solution may choose to exempt th
Impact: None - this is the default behavior.
Remediation: To establish the recommended configuration via GP, set the following UI path to `Disa
```
Computer Configuration\Policies\Administrative Templates\Windows Components\Win
```
**Note:** This Group Policy path is provided by the Group Policy template `WindowsD
Audit: Navigate to the UI Path articulated in the Remediation section and
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```
full

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
accepted

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `WindowsDefender.admx/adml` that is included with the
accepted
This section contains recommendations related to Microsoft Active Protection Service (MAPS).
This Group Policy section is provided by the Group Policy template `WindowsDefender.admx/adml` that is included with the
accepted

This policy setting configures a local override for the configuration to join Microsoft Active Protection Service (MAPS), whic
The recommended state for this setting is: `Disabled`.
Rationale: The decision on wh
Impact: None - this is the default behavior.
Remediation: To establish the recommended configuration via GP, set the following UI path to `Disa
```
Computer Configuration\Policies\Administrative Templates\Windows Components\Win
```
**Note:** This Group Policy path may not exist by default. It is provided by the Group
Audit: Navigate to the UI Path articulated in the Remediation section and
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```
full

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `WindowsDefender.admx/adml` that is included with the
accepted

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `WindowsDefender.admx/adml` that is included with the
accepted

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `WindowsDefender.admx/adml` that is included with the
accepted
This section contains settings related to Real-time Protection.
This Group Policy section is provided by the Group Policy template `WindowsDefender.admx/adml` that is included with the
accepted

This policy setting allows you to configure behavior monitoring for Windows Defender Antivirus.
The recommended state for this setting is: `Enabled`.
Rationale: When running an an
Impact: None - this is the default configuratio
Remediation: To establish the recommended configuration via GP, set the following UI path to `Ena
```
Computer Configuration\Policies\Administrative Templates\Windows Components\Win
```
**Note:** This Group Policy path may not exist by default. It is provided by the Group
Audit: Navigate to the UI Path articulated in the Remediation section and
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```
full

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `WindowsDefender.admx/adml` that is included with the
accepted

This section contains settings related to Windows Defender Reporting.
This Group Policy section is provided by the Group Policy template `WindowsDefender.admx/adml` that is included with the
accepted
This section contains settings related to Windows Defender scanning.
This Group Policy section is provided by the Group Policy template `WindowsDefender.admx/adml` that is included with the
accepted

This policy setting allows you to manage whether or not to scan for malicious software and unwanted software in the conte
The recommended state for this setting is: `Enabled`.
Rationale: It is important to
Impact: Removable drives will be scanned du
Remediation: To establish the recommended configuration via GP, set the following UI path to `Ena
```
Computer Configuration\Policies\Administrative Templates\Windows Components\Win
```
**Note:** This Group Policy path may not exist by default. It is provided by the Group
Audit: Navigate to the UI Path articulated in the Remediation section and
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```
full

This policy setting allows you to configure e-mail scanning. When e-mail scanning is enabled, the engine will parse the mai
The recommended state for this setting is: `Enabled`.
Rationale: Incoming e-mails s
Impact: E-mail scanning by Windows Defender
Remediation: To establish the recommended configuration via GP, set the following UI path to `Ena
```
Computer Configuration\Policies\Administrative Templates\Windows Components\Win
```
**Note:** This Group Policy path may not exist by default. It is provided by the Group
Audit: Navigate to the UI Path articulated in the Remediation section and
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```
full

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `WindowsDefender.admx/adml` that is included with the
accepted

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `WindowsDefender.admx/adml` that is included with the
accepted

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `WindowsDefender.admx/adml` that is included with the
accepted

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `WindowsDefender.admx/adml` that is included with the
accepted

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `AppHVSI.admx/adml` that is included with the Microso
accepted

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `ExploitGuard.admx/adml` that is included with the Micr
accepted
This section contains Windows Defender SmartScreen settings.
This Group Policy section is provided by the Group Policy template `WindowsDefenderSecurityCenter.admx/adml` that is in
accepted

This section contains recommendations for Explorer-related Windows Defender SmartScreen settings.
This Group Policy section is provided by the Group Policy template `SmartScreen.admx/adml` that is included with the Mic
The Group Policy settings contained within this section are provided by the Group Policy template `WindowsExplorer.admx
accepted

This policy setting allows you to manage the behavior of Windows SmartScreen. Windows SmartScreen helps keep PCs s
The recommended state for this setting is: `Enabled: Warn and prevent bypass`.
Rationale: Windows SmartScre
Impact: Users will be warned before they ar
Remediation: To establish the recommended configuration via GP, set the following UI path to `Ena
```
Computer Configuration\Policies\Administrative Templates\Windows Components\Win
```
**Note:** This Group Policy path may not exist by default. It is provided by the Group
Audit: Navigate to the UI Path articulated in the Remediation section and
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```
full

This section contains recommendations related to Windows Error Reporting.
This Group Policy section is provided by the Group Policy template `ErrorReporting.admx/adml` that is included with all ver
accepted

This policy setting controls whether memory dumps in support of OS-generated error reports can be sent to Microsoft autom
The recommended state for this setting is: `Disabled`.
**Note #2:** In older Microsoft Windows Administrative Templates, this setting was ini
Rationale: Memory dumps may
All memory dumps are uploaded accord
Remediation: To establish the recommended configuration via GP, set the following UI path to `Disa
```
Computer Configuration\Policies\Administrative Templates\Windows Components\Win
```
Audit: Navigate to the UI Path articulated in the Remediation section and
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```
full

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
accepted
This section contains recommendations related to Windows Error Reporting consent.
This Group Policy section is provided by the Group Policy template `ErrorReporting.admx/adml` that is included with all ver
accepted

This setting allows you to set the default consent handling for error reports.
The recommended state for this setting is: `Enabled: Always ask before sending data`.
Rationale: Error reports may
Impact: None - this is the default behavior.
Remediation: To establish the recommended configuration via GP, set the following UI path to `Ena
```
Computer Configuration\Policies\Administrative Templates\Windows Components\Win
```
**Note:** This Group Policy path may not exist by default. It is provided by the Group Policy template `ErrorRepo
Audit: Navigate to the UI Path articulated in the Remediation section and
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```
full

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
accepted

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `GameDVR.admx/adml` that is included with the Micros
accepted

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Passport.admx/adml` that is included with the Microso
**Note:** This section was initially named _Microsoft Passport for Work_ but was renamed by Microsoft to _Windows Hello
accepted

This section contains recommendations related to Windows Installer.
This Group Policy section is provided by the Group Policy template `WindowsInkWorkspace.admx/adml` that is included w
This Group Policy section is provided by the Group Policy template `MSI.admx/adml` that is included with all versions of
accepted

This setting controls whether or not users are permitted to change installation options that typically are available only to system a
The recommended state for this setting is: `Disabled`.
Rationale: In an enterprise m
Impact: None - this is the default behavior.
Remediation: To establish the recommended configuration via GP, set the following UI path to `Disa
```
Computer Configuration\Policies\Administrative Templates\Windows Components\Win
```
**Note:** This Group Policy path is provided by the Group Policy template `MSI.admx
Audit: Navigate to the UI Path articulated in the Remediation section and
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```
full

This setting controls whether or not Windows Installer should use system permissions when it installs any program on the
The recommended state for this setting is: `Disabled`.
**Note:** This setting appears both in the Computer Configuration and User Configuration folders. To make this setting effe
**Note #2:** In older Microsoft Windows Administrative Templates, this setting was na
Rationale: Users with limited
**Caution:** If enabled, skilled users can take advantage of the permissions this setting grants to change their privileges an
Impact: None - this is the default behavior.
Remediation: To establish the recommended configuration via GP, set the following UI path to `Disa
```
Computer Configuration\Policies\Administrative Templates\Windows Components\Win
```
**Note:** This Group Policy path is provided by the Group Policy template `MSI.admx
Audit: Navigate to the UI Path articulated in the Remediation section and
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```
full

This section contains recommendations related to Windows Logon Options.
This Group Policy section is provided by the Group Policy template `WinLogon.admx/adml` that is included with all versions
accepted

This policy setting controls whether a device will automatically sign-in the last interactive user after Windows Update restar
The recommended state for this setting is: `Disabled`.
Rationale: Disabling this fea
Impact: The device does no
Remediation: To establish the recommended configuration via GP, set the following UI path to `Disa
```
Computer Configuration\Policies\Administrative Templates\Windows Components\Win
```
Audit: Navigate to the UI Path articulated in the Remediation section and
This group policy setting is backed by the following registry location
```
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curren
```
full

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
**Note:** This Group Policy path may not exist by default. It is provided by the Group

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `WindowsMail.admx/adml` that is only included with the
accepted

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `MediaCenter.admx/adml` that is only included with the
accepted

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `WindowsMediaDRM.admx/adml` that is included with
accepted

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `WindowsMediaPlayer.admx/adml` that is included with
accepted

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `WindowsCollaboration.admx/adml` that is only include
accepted

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `WindowsMessenger.admx/adml` that is included with a
accepted

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `MobilePCMobilityCenter.admx/adml` that is included w
accepted
This section contains recommendations related to Windows PowerShell.
This Group Policy section is provided by the Group Policy template `MovieMaker.admx/adml` that is only included with the
This Group Policy section is provided by the Group Policy template `PowerShellExecutionPolicy.admx/adml` that is include
accepted

This policy setting enables logging of all PowerShell script input to the Microsoft-Windows-PowerShell/Operational event lo
The recommended state for this setting is: `Disabled`.
Rationale: There are potentia
Impact: Logging of PowerShell script input is
Remediation: To establish the recommended configuration via GP, set the following UI path to `Disa
```
Computer Configuration\Policies\Administrative Templates\Windows Components\Win
```
Audit: Navigate to the UI Path articulated in the Remediation section and
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```
full

This Policy setting lets you capture the input and output of Windows PowerShell commands into text-based transcripts.
The recommended state for this setting is: `Disabled`.
**Note:** In Microsoft's own hardening guidance, they recommend the opposite value, `Enabled`, because having this data
Rationale: If this setting is
Impact: None - this is the default behavior.
Remediation: To establish the recommended configuration via GP, set the following UI path to `Disa
```
Computer Configuration\Policies\Administrative Templates\Windows Components\Win
```
**Note:** This Group Policy path may not exist by default. It is provided by the Group
Audit: Navigate to the UI Path articulated in the Remediation section and
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```
full

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
accepted
This section contains recommendations related to Windows Remote Management (WinRM).
This Group Policy section is provided by the Group Policy template `RacWmiProv.admx/adml` that is included with the Mic
**Note:** This Group Policy path may not exist by default. It is provided by the Group
accepted

This section contains recommendations related to the Windows Remote Management (WinRM) client.
This Group Policy section is provided by the Group Policy template `WindowsRemoteManagement.admx/adml` that is inclu
accepted

This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses Basic authentica
The recommended state for this setting is: `Disabled`.
Rationale: Basic authenticati
Impact: None - this is the default behavior.
Remediation: To establish the recommended configuration via GP, set the following UI path to `Disa
```
Computer Configuration\Policies\Administrative Templates\Windows Components\Win
```
Audit: Navigate to the UI Path articulated in the Remediation section and
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```
full

This policy setting allows you to manage whether the Windows Remote Management (WinRM) client sends and receives u
The recommended state for this setting is: `Disabled`.
Rationale: Encrypting WinRM n
Impact: None - this is the default behavior.
Remediation: To establish the recommended configuration via GP, set the following UI path to `Disa
```
Computer Configuration\Policies\Administrative Templates\Windows Components\Win
```
**Note:** This Group Policy path is provided by the Group Policy template `WindowsR
Audit: Navigate to the UI Path articulated in the Remediation section and
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```
full

This policy setting allows you to manage whether the Windows Remote Management (WinRM) client will not use Digest au
The recommended state for this setting is: `Enabled`.
Rationale: Digest authenticat
Impact: The WinRM client will not use Digest
Remediation: To establish the recommended configuration via GP, set the following UI path to `Ena
```
Computer Configuration\Policies\Administrative Templates\Windows Components\Win
```
**Note:** This Group Policy path is provided by the Group Policy template `WindowsR
Audit: Navigate to the UI Path articulated in the Remediation section and
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```
full

This section contains recommendations related to the Windows Remote Management (WinRM) service.
This Group Policy section is provided by the Group Policy template `WindowsRemoteManagement.admx/adml` that is inclu
accepted

This policy setting allows you to manage whether the Windows Remote Management (WinRM) service accepts Basic authe
The recommended state for this setting is: `Disabled`.
Rationale: Basic authenticati
Impact: None - this is the default behavior.
Remediation: To establish the recommended configuration via GP, set the following UI path to `Disa
```
Computer Configuration\Policies\Administrative Templates\Windows Components\Win
```
**Note:** This Group Policy path is provided by the Group Policy template `WindowsR
Audit: Navigate to the UI Path articulated in the Remediation section and
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```
full

This policy setting allows you to manage whether the Windows Remote Management (WinRM) service sends and receives u
The recommended state for this setting is: `Disabled`.
Rationale: Encrypting WinRM n
Impact: None - this is the default behavior.
Remediation: To establish the recommended configuration via GP, set the following UI path to `Disa
```
Computer Configuration\Policies\Administrative Templates\Windows Components\Win
```
**Note:** This Group Policy path is provided by the Group Policy template `WindowsR
Audit: Navigate to the UI Path articulated in the Remediation section and
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```
full

This policy setting allows you to manage whether the Windows Remote Management (WinRM) service will allow RunAs cre
The recommended state for this setting is: `Enabled`.
**Note:** If you enable and then disable this policy setting, any values that were previously configured for RunAsPassword
Rationale: Although the abili
Impact: The WinRM service will not allow the RunAsUse
If this setting is later Disabled again, any values
Remediation: To establish the recommended configuration via GP, set the following UI path to `Ena
```
Computer Configuration\Policies\Administrative Templates\Windows Components\Win
```
**Note:** This Group Policy path is provided by the Group Policy template `WindowsR
Audit: Navigate to the UI Path articulated in the Remediation section and
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```
full

This section contains settings related to Windows Remote Shell (WinRS).
accepted

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `WindowsRemoteShell.admx/adml` that is included with
**Note:** This Group Policy path may not exist by default. It is provided by the Group
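The Windows Defender, SmartScreen, Error Reporting, Windows Installer, Logon Options and WinRM recommendations above all reduce to a registry value that Group Policy writes under HKEY_LOCAL_MACHINE. The following script is an added example for auditing those values on a single machine; it is not part of the CIS benchmark text, and it is not the CIS-CAT tool. The rows on this page truncate each registry location after `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window`, so the full keys, value names and expected data below are the author's own mapping from the ADMX templates the rows cite (`WindowsDefender`, `WindowsExplorer`/`SmartScreen`, `ErrorReporting`, `MSI`, `WinLogon`, `WindowsRemoteManagement`), stated here as an assumption.

```powershell
# Added example (author's own mapping, not benchmark text): audit the machine-scoped,
# registry-backed settings described in this section. Keys and value names are taken
# from the cited ADMX templates; the page itself truncates them. 0/1 values are REG_DWORD,
# ShellSmartScreenLevel is REG_SZ.
$checks = @(
    # Windows Defender Antivirus: 'Turn off Windows Defender Antivirus' = Disabled
    @{ Setting = 'Turn off Windows Defender Antivirus'; Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'; Name = 'DisableAntiSpyware'; Expected = 0 }
    # MAPS: local override for joining MAPS = Disabled
    @{ Setting = 'Local setting override for reporting to MAPS'; Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet'; Name = 'LocalSettingOverrideSpynetReporting'; Expected = 0 }
    # Real-time Protection: behavior monitoring = Enabled (the backing value is a "Disable" flag, so 0)
    @{ Setting = 'Turn on behavior monitoring'; Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'; Name = 'DisableBehaviorMonitoring'; Expected = 0 }
    # Scan: removable drives and e-mail scanning = Enabled (again "Disable" flags)
    @{ Setting = 'Scan removable drives'; Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Scan'; Name = 'DisableRemovableDriveScanning'; Expected = 0 }
    @{ Setting = 'Turn on e-mail scanning'; Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Scan'; Name = 'DisableEmailScanning'; Expected = 0 }
    # SmartScreen: Enabled: Warn and prevent bypass writes two values
    @{ Setting = 'Configure Windows Defender SmartScreen'; Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'; Name = 'EnableSmartScreen'; Expected = 1 }
    @{ Setting = 'SmartScreen: warn and prevent bypass'; Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'; Name = 'ShellSmartScreenLevel'; Expected = 'Block' }
    # Windows Error Reporting
    @{ Setting = 'Automatically send memory dumps for OS-generated error reports'; Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting'; Name = 'AutoApproveOSDumps'; Expected = 0 }
    @{ Setting = 'Configure Default consent (Always ask before sending data)'; Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting\Consent'; Name = 'DefaultConsent'; Expected = 1 }
    # Windows Installer
    @{ Setting = 'Enable user control over installs'; Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer'; Name = 'EnableUserControl'; Expected = 0 }
    @{ Setting = 'Always install with elevated privileges'; Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer'; Name = 'AlwaysInstallElevated'; Expected = 0 }
    # Windows Logon Options: automatic sign-in after restart = Disabled (non-Policies key, as the row above shows)
    @{ Setting = 'Sign-in last interactive user automatically after a system-initiated restart'; Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableAutomaticRestartSignOn'; Expected = 1 }
    # WinRM client
    @{ Setting = 'WinRM client: Allow Basic authentication'; Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client'; Name = 'AllowBasic'; Expected = 0 }
    @{ Setting = 'WinRM client: Allow unencrypted traffic'; Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client'; Name = 'AllowUnencryptedTraffic'; Expected = 0 }
    @{ Setting = 'WinRM client: Disallow Digest authentication'; Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client'; Name = 'AllowDigest'; Expected = 0 }
    # WinRM service
    @{ Setting = 'WinRM service: Allow Basic authentication'; Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service'; Name = 'AllowBasic'; Expected = 0 }
    @{ Setting = 'WinRM service: Allow unencrypted traffic'; Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service'; Name = 'AllowUnencryptedTraffic'; Expected = 0 }
    @{ Setting = 'WinRM service: Disallow WinRM from storing RunAs credentials'; Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service'; Name = 'DisableRunAs'; Expected = 1 }
)

function Test-PolicyValue {
    param([hashtable]$Check)
    # Get-ItemProperty reads the effective registry state that Group Policy wrote. A missing key
    # or value means the policy is Not Configured, which is reported separately from a wrong value.
    $item   = Get-ItemProperty -Path $Check.Key -Name $Check.Name -ErrorAction SilentlyContinue
    $actual = if ($null -ne $item) { $item.($Check.Name) } else { $null }
    $status = if ($null -eq $actual) { 'NotConfigured' }
              elseif ("$actual" -eq "$($Check.Expected)") { 'Pass' }
              else { 'Fail' }
    [pscustomobject]@{
        Setting  = $Check.Setting
        Value    = "$($Check.Key)\$($Check.Name)"
        Expected = $Check.Expected
        Actual   = $actual
        Status   = $status
    }
}

$results = foreach ($c in $checks) { Test-PolicyValue -Check $c }
$results | Format-Table -AutoSize Setting, Expected, Actual, Status

# Non-zero exit so the script can gate a build or a configuration-management run.
if (@($results | Where-Object Status -ne 'Pass').Count -gt 0) { exit 1 }
```

Run it in an elevated PowerShell session on the host being assessed. It only reads; it deliberately does not write the values, because on a domain-joined machine anything set directly in the `Policies` keys is overwritten at the next Group Policy refresh, and the remediation the rows call for is the UI path in a GPO (or the local policy on a standalone host). A `NotConfigured` result on a "Disable" flag such as `DisableAntiSpyware` does not mean the feature is off; it means the GPO has not pinned the state, which is what the benchmark's audit step is checking for.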
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `SideShow.admx/adml` that is only included with the M
accepted

This section contains recommendations related to Windows Update.
This Group Policy section is provided by the Group Policy template `SystemResourceManager.admx/adml` that is only incl
This Group Policy section is provided by the Group Policy template `WindowsUpdate.admx/adml` that is included with all v
accepted

This policy setting specifies whether computers in your environment will receive security updates from Windows Update or
After you configure this policy setting to Enabled, select one of the following three options in the Configure Automatic Upda
- 2 - Notify for download and auto install _(Notify before downloading any updates)_
- 3 - Auto download and notify for install _(Download the updates automatically and notify when they are ready to be install
- 4 - Auto download and schedule the install _(Automatically download updates and install them on the schedule specified
- 5 - Allow local admin to choose setting _(Leave decision on above choices up to the local Administrators (Not Recommen
The recommended state for this setting is: `Enabled`.
**Note:** The sub-setting "_Configure automatic updating:_" has 4 possible values – all of them are valid depending on spe
**Note #2:** Organizations that utilize a 3rd-party solution for patching may choose to exempt themselves from this setting,
Rationale: Although each vers
Impact: Critical operating system updates and
Remediation: To establish the recommended configuration via GP, set the following UI path to `Ena
```
Computer Configuration\Policies\Administrative Templates\Windows Components\Win
```
**Note:** This Group Policy path is provided by the Group Policy template `WindowsU
Audit: Navigate to the UI Path articulated in the Remediation section and
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```
full

This policy setting specifies when computers in your environment will receive security updates from Windows Update or W
The recommended state for this setting is: `0 - Every day`.
**Note:** This setting is only applicable if `4 - Auto download and schedule the install` is selected in Rule 18.9.101.2. It will
Rationale: Although each vers
Impact: If `4 - Auto download and schedule th
Remediation: To establish the recommended configuration via GP, set the following UI path to `0 - E
```
Computer Configuration\Policies\Administrative Templates\Windows Components\Win
```
**Note:** This Group Policy path is provided by the Group Policy template `WindowsU
Audit: Navigate to the UI Path articulated in the Remediation section and
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```
full

This policy setting specifies that Automatic Updates will wait for computers to be restarted by the users who are logged on
The recommended state for this setting is: `Disabled`.
**Note:** This setting applies only when you configure Automatic Updates to perform scheduled update installations. If you
Rationale: Some security upda
Impact: None - this is the default behavior.
Remediation: To establish the recommended configuration via GP, set the following UI path to `Disa
```
Computer Configuration\Policies\Administrative Templates\Windows Components\Win
```
**Note:** This Group Policy path is provided by the Group Policy template `WindowsU
Audit: Navigate to the UI Path articulated in the Remediation section and
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```
full

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `WindowsUpdate.admx/adml` that is included with the M
**Note:** This section was initially named _Defer Updates_ but was renamed by Microsoft to _Windows Update
**Note #2:** In older Microsoft Windows Administrative Templates, this setting was ini
accepted

This section contains user-based recommendations from Group Policy Administrative Templates (ADMX).
accepted
This section contains recommendations for Control Panel settings.
accepted
Group Policy
This section section isblank
is intentionally provided
and by the to
exists Group Policy
ensure template `Windows.admx/adml`
the structure that
of Windows benchmarks is is included with all versions
consistent.
accepted
Group Policy
This section section isblank
is intentionally provided
and by the to
exists Group Policy
ensure template `AddRemovePrograms.admx/adml`
the structure of Windows benchmarks is consistent. that is included with
accepted This section contains recommendations for personalization settings.
This Group Policy section is providedTo byestablish
the Groupthe Policy template `ControlPanelDisplay.admx/adml`
recommended configuration via GP, set the following that isUIincluded
path to with
`Ena
accepted
This Group Policy section is provided by the Group Policy template `ControlPanelDisplay.admx/adml` that is included with
**Note:** This section was initially named _Desktop Themes_ but was renamed by Microsoft to _Personalization_ starting w
This policy setting enables/disables the use of desktop screen savers.
A screen saver runs, provided that th
If a user forgets t
To establish the recommended configuration via GP, set the following UI path to `Ena
```
User Configuration\Policies\Administrative Templates\Control Panel\Personalization\E
```
Navigate to the UI Path articulated in the Remediation section and
full
This policy setting specifies the screen saver for the user's desktop.
Navigate to the UI Path articulated in the Remediation section and
The recommended state for this setting is: `Enabled`.
```
HKEY_USERS\[USER SID]\SOFTWARE\Policies\Microsoft\Window
```
To establish the recommended configuration via GP, set the following UI path to `Ena
full
This setting specifies how much user idle time must elapse before the screen saver is launched.
If a user forgets t
The recommended state for this setting is: `Enabled: scrnsave.scr`.
```
User Configuration\Policies\Administrative Templates\Control Panel\Personalization\F
```
Navigate to the UI Path articulated in the Remediation section and
The system displays the specified sc
This setting determines whether screen savers used on the computer are password protected.
```
HKEY_USERS\[USER SID]\SOFTWARE\Policies\Microsoft\Window
```
**Note:** This Group Policy path may not exist by default. It is provided by the Group
To establish the recommended configuration via GP, set the following UI path to `Ena
full
The recommended state for this setting is: `Enabled: 900 seconds or fewer, but not 0`.
**Note:** If the specified screen saver is not installed on a computer to which this setting applies, the setting is ignored.
If a user forgets t
```
User Configuration\Policies\Administrative Templates\Control Panel\Personalization\P
```
Navigate to the UI Path articulated in the Remediation section and
All screen savers are password prote
The recommended state for this setting is: `Enabled`.
```
HKEY_USERS\[USER SID]\SOFTWARE\Policies\Microsoft\Window
```
**Note:** This Group Policy path may not exist by default. It is provided by the Group
full
**Note:** This setting has no effect under the following circumstances:
- The wait time is set to zero.
- The "Enable Screen Saver" setting is disabled.
- A valid existing screen saver is not selected manually or via the "Screen saver executable name" setting
If a user forgets t
```
User Configuration\Policies\Administrative Templates\Control Panel\Personalization\S
```
The screen saver will automatically a
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
```
HKEY_USERS\[USER SID]\SOFTWARE\Policies\Microsoft\Window
```
**Note:** This Group Policy path is provided by the Group Policy template `ControlPa
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Windows.admx/adml` that is included with all versions
**Note:** This Group Policy path may not exist by default. It is provided by the Group
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Windows.admx/adml` that is included with all versions
accepted
This section contains recommendations for Start Menu and Taskbar settings.
This Group Policy section is provided by the Group Policy template `SharedFolders.admx/adml` that is included with all ver
accepted
This section contains recommendations for Notification settings.
This Group Policy section is provided by the Group Policy template `Windows.admx/adml` that is included with all versions
To establish the recommended configuration via GP, set the following UI path to `Ena
accepted
Navigate to the UI Path articulated in the Remediation section and
This Group Policy section is provided by the Group Policy template `WPN.admx/adml` that is included with the Microsoft W
This policy setting turns off toast notifications on the lock screen.
full
While this feature
```
User Configuration\Policies\Administrative Templates\Start Menu and Taskbar\Notific
```
Applications will not be able to raise
The recommended state for this setting is: `Enabled`.
```
HKEY_USERS\[USER SID]\SOFTWARE\Policies\Microsoft\Window
```
This section contains recommendations for System settings.
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Windows.admx/adml` that is included with all versions
**Note:** This Group Policy path may not exist by default. It is provided by the Group
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `CtrlAltDel.admx/adml` that is included with all versions
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `DeviceInstallation.admx/adml` that is included with all
accepted
This Group Policy section is provided by the Group Policy template `FolderRedirection.admx/adml` that is included with all
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
accepted
This section contains recommendations related to Internet Communication Management.
This Group Policy section is provided by the Group Policy template `GroupPolicy.admx/adml` that is included with all versio
accepted
This section contains recommendations related to Internet Communication settings.
This Group Policy section is provided by the Group Policy template `Windows.admx/adml` that is included with all versions
accepted
This section contains recommendations for Windows Component settings.
This Group Policy section is provided by the Group Policy template `Windows.admx/adml` that is included with all versions
accepted This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Windows.admx/adml` that is included with all versions
accepted This Group Policy section is provided by the Group Policy template `WindowsAnytimeUpgrade.admx/adml` that is included
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
accepted **Note:** This section was initially named _Windows Anytime Upgrade_ but was renamed by Microsoft to _Add features to
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `AppXRuntime.admx/adml` that is included with the Mic
accepted
This section contains recommendations related to Attachment Manager.
This Group Policy section is provided by the Group Policy template `AppCompat.admx/adml` that is included with all versio
To establish the recommended configuration via GP, set the following UI path to `Disa
accepted
Navigate to the UI Path articulated in the Remediation section and
This policy setting allows you to manage whether Windows marks file attachments with information about their zone of orig
This Group Policy section is provided by the Group Policy template `AttachmentManager.admx/adml` that is included with a
To establish the recommended configuration via GP, set the following UI path to `Ena
full
A file that is dow
This policy setting manages the behavior for notifying registered antivirus programs. If multiple programs are registered, the
The recommended state for this setting is: `Disabled`.
```
User Configuration\Policies\Administrative Templates\Windows Components\Attachm
```
None - this is the default behavior.
Navigate to the UI Path articulated in the Remediation section and
```
HKEY_USERS\[USER SID]\SOFTWARE\Microsoft\Windows\Curre
```
full
**Note:** The Attachment Manager feature warns users when opening or executing files which are marked as being from a
Antivirus programs
The recommended state for this setting is: `Enabled`.
```
User Configuration\Policies\Administrative Templates\Windows Components\Attachm
```
Windows tells registered antiviru
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
```
HKEY_USERS\[USER SID]\SOFTWARE\Microsoft\Windows\Curre
```
**Note:** This Group Policy path is provided by the Group Policy template `Attachmen
accepted
**Note:** An updated antivirus program must be installed for this policy setting to function properly.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `AutoPlay.admx/adml` that is included with all versions
**Note:** This Group Policy path is provided by the Group Policy template `Attachmen
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `UserDataBackup.admx/adml` that is included only with

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `CloudContent.admx/adml` that is included with the Mic
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `CredUI.admx/adml` that is included with the Microsoft
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `DataCollection.admx/adml` that is included with the Mi
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Sidebar.admx/adml` that is included with the Microsoft
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `DWM.admx/adml` that is included with all versions of t
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `DigitalLocker.admx/adml` that is included with all versi
accepted This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `EdgeUI.admx/adml` that is included with the Microsoft
accepted This Group Policy section is provided by the Group Policy template `Windows.admx/adml` that is included with all versions
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
accepted **Note:** This section was initially named _Windows Explorer_ but was renamed by Microsoft to _File Explorer_ starting wi
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `FileRevocation.admx/adml` that is included with the M
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `EAIME.admx/adml` that is included with the Microsoft
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `CaptureWizard.admx/adml` that is only included with t
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `WordWheel.admx/adml` that is included with all versio
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `InetRes.admx/adml` that is included with all versions o
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Sensors.admx/adml` that is included with the Microsof
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `MicrosoftEdge.admx/adml` that is included with the Mi
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `MMC.admx/adml` that is included with all versions of t
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `UserExperienceVirtualization.admx/adml` that is includ
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Conf.admx/adml` that is included with all versions of th
accepted
This section contains recommendations related to Network Sharing.
This Group Policy section is provided by the Group Policy template `NetworkProjection.admx/adml` that is only included wi
To establish the recommended configuration via GP, set the following UI path to `Ena
accepted
Navigate to the UI Path articulated in the Remediation section and
This Group Policy section is provided by the Group Policy template `Sharing.admx/adml` that is included with all versions o
This policy setting determines whether users can share files within their profile. By default, users are allowed to share files
full
If not properly co
```
User Configuration\Policies\Administrative Templates\Windows Components\Network
```
Users cannot share files within their
The recommended state for this setting is: `Enabled`.
```
HKEY_USERS\[USER SID]\SOFTWARE\Microsoft\Windows\Curre
```
**Note:** This Group Policy path is provided by the Group Policy template `Sharing.ad
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
accepted
This Group Policy section is provided by the Group Policy template `MobilePCPresentationSettings.admx/adml` that is inclu
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

accepted This Group Policy section is provided by the Group Policy template `TerminalServer.admx/adml` that is included with all ve
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
accepted **Note:** This section was initially named _Terminal Services_ but was renamed by Microsoft to _Remote Desktop Service
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `InetRes.admx/adml` that is included with all versions o
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Search.admx/adml` that is included with the Microsoft
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `SoundRec.admx/adml` that is included with all version
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `WinStoreUI.admx/adml` that is included with the Micro
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Windows.admx/adml` that is included with all versions
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `TaskScheduler.admx/adml` that is included with all ver
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `WinCal.admx/adml` that is included with all versions o
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `WindowsColorSystem.admx/adml` that is included with
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `SmartScreen.admx/adml` that is included with the Mic
accepted This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `ErrorReporting.admx/adml` that is included with all ver
accepted This Group Policy section is provided by the Group Policy template `Passport.admx/adml` that is included with the Microso
This section contains recommendations related to Windows Installer.
This setting controls whether or not Windows Installer should use system permissions when it installs any program onto the s
To establish the recommended configuration via GP, set the following UI path to `Disa
accepted
**Note:** This section was initially named _Microsoft Passport for Work_ but was renamed by Microsoft to _Windows Hello
Navigate to the UI Path articulated in the Remediation section and
This Group Policy section is provided by the Group Policy template `MSI.admx/adml` that is included with all versions of the
**Note:** This setting appears both in the Computer Configuration and User Configuration folders. To make this setting effe
full
Users with limited
```
User Configuration\Policies\Administrative Templates\Windows Components\Window
```
None - this is the default behavior.
**Caution:** If enabled, skilled users can take advantage of the permissions this setting grants to change their privileges an
The recommended state for this setting is: `Disabled`.
```
HKEY_USERS\[USER SID]\SOFTWARE\Policies\Microsoft\Window
```
**Note:** This Group Policy path is provided by the Group Policy template `MSI.admx
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `WinLogon.admx/adml` that is included with all versions
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `WindowsMail.admx/adml` that is only included with the
accepted
This section contains recommendations related to Windows Media Player.
This Group Policy section is provided by the Group Policy template `MediaCenter.admx/adml` that is only included with the
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `WindowsMediaPlayer.admx/adml` that is included with
accepted
This section contains recommendations related to Windows Media Player playback.
This Group Policy section is provided by the Group Policy template `WindowsMediaPlayer.admx/adml` that is included with
accepted
This Group Policy section is provided by the Group Policy template `WindowsMediaPlayer.admx/adml` that is included with
| Notes | CIS control | CCE-ID |
| --- | --- | --- |
| major impact of this configurati | TITLE:Ensure Work | CCE-37166-6 |
| Maximum password age setting i | TITLE:Ensure Work | CCE-37167-4 |
| administrator sets a password f | TITLE:Ensure Work | CCE-37073-4 |
| uirements for extremely long passwords can actually decrease the security of an organization, because users might leave the information in an insecure loc | TITLE:Ensure Work | CCE-36534-6 |
| e:** Older versions of Windows such as Windows 98 and Windows NT 4.0 do not support passwords that are longer than 14 characters. Computers that ru |  |  |
| default password complexity configuration is retained, additional help desk calls for locked-out accounts could occur because users might not be accustom | TITLE:Ensure Work | CCE-37063-5 |
| ur organization has more stringent security requirements, you can create a custom version of the `Passfilt.dll` file that allows the use of arbitrarily complex p |  |  |
| the use of ALT key character combinations can greatly enhance the complexity of a password. However, such stringent password requirements can result |  |  |
| ur organization uses either the | TITLE:Ensure Work | CCE-36286-3 |
| ugh it may seem like a good idea | TITLE:Configure A | CCE-37034-6 |
| policy setting is enabled, a locked-out account will not be usable until it is reset by an administrator or until the account lockout duration expires. This setti |  |  |
| u enforce this setting an attacker could cause a denial of service condition by deliberately generating failed logons for multiple user, therefore you should al | TITLE:Configure A | CCE-36008-1 |
| u configure the Account Lockout Threshold to 0, there is a possibility that an attacker's attempt to discover passwords with a brute force password attack m |  |  |
| do not configure this policy se | TITLE:Configure A | CCE-36883-7 |
| benchmarks is consistent. |  |  |
| e - this is the default behavior. | TITLE:Minimize An | CCE-37056-9 |
| u remove the **Access this compu | TITLE:Limitation | CCE-35818-4 |
| e should be little or no impact b | TITLE:Minimize An | CCE-36876-1 |
| nizations that have not restricte | TITLE:Minimize An | CCE-37071-8 |
| u remove these default groups, y | TITLE:Account Mo | CCE-37659-0 |
| oval of the **Allow log on through | TITLE:Account Mo | CCE-37072-6 |
| nges in the membership of the grou | TITLE:Minimize An | CCE-35912-5 |
| e should be no impact, because t | TITLE:Minimize An | CCE-37452-0 |
| e - this is the default behavior. | TITLE:Minimize An | CCE-37700-2 |
| e - this is the default behavior. | TITLE:Minimize An | CCE-35821-8 |
| e - this is the default behavior. | TITLE:Minimize An | CCE-36861-3 |
| e - this is the default behavior. | TITLE:Minimize An | CCE-37453-8 |
| e - this is the default behavior. | TITLE:Minimize An | CCE-36532-0 |
| ost cases there will be no impact | TITLE:Minimize An | CCE-35823-4 |
| u revoke this user right, no one will be able to debug programs. However, typical circumstances rarely require this capability on production computers. If a p |  |  |
| service account that is used for the cluster service needs the **Debug programs** user right; if it does not have it, Windows Clustering will fail. | TITLE:Minimize An | CCE-37075-9 |
| s that are used to manage processes will be unable to affect processes that are not owned by the person who runs the tools. For example, the Windows Se |  |  |
| u configure the **Deny access to | TITLE:Account Mo | CCE-37954-5 |
| u assign the **Deny log on as a batch job** user right to other accounts, you could deny users who are assigned to specific administrative roles the ability to | TITLE:Account Mo | CCE-36923-1 |
| xample, if you assign this user right to the `IWAM_`_(ComputerName)_ account, the MSM Management Point will fail. On a newly installed computer that r |  |  |
| u assign the **Deny log on as a | TITLE:Account Mo | CCE-36877-9 |
| u assign the **Deny log on local | TITLE:Account Mo | CCE-37146-8 |
| u assign the **Deny log on throu | TITLE:Account Mo | CCE-36867-0 |
| e - this is the default behavior. | TITLE:Minimize An | CCE-36860-5 |
| u remove the **Force shutdown fr | TITLE:Minimize An | CCE-37877-8 |
| most computers, this is the defaul | TITLE:Account Mo | CCE-37639-2 |
| ost cases this configuration will | TITLE:Minimize An | CCE-37106-2 |
| e - this is the default behavior. | TITLE:Minimize An | CCE-38326-5 |
| u remove the **Load and unload d | TITLE:Minimize An | CCE-36318-4 |
| e - this is the default behavior. | TITLE:Account Mo | CCE-36495-0 |
| e - this is the default behavior. | TITLE:Minimize An | CCE-35906-7 |
| e - this is the default behavior. | TITLE:Account Mo | CCE-36054-5 |
| e - this is the default behavior. | TITLE:Minimize An | CCE-38113-7 |
| e - this is the default behavior. | TITLE:Minimize An | CCE-36143-6 |
| u remove the **Profile single pr | TITLE:Minimize An | CCE-37131-0 |
| e - this is the default behavior. | TITLE:Minimize An | CCE-36052-9 |
| most computers, this is the defaul | TITLE:Account Mo | CCE-37430-6 |
| u remove the **Restore files and | TITLE:Minimize An | CCE-37613-7 |
| mpact of removing these default | TITLE:Minimize An | CCE-38328-1 |
| e - this is the default behavior. | TITLE:Minimize An | CCE-38325-7 |
| tenance issues can arise under certain circumstances if you disable the Administrator account. For example, if the secure channel between a member com | TITLE:Minimize An | CCE-37953-7 |
| current Administrator password does not meet the password requirements, you will not be able to re-enable the Administrator account after it is disabled. I |  |  |
| s will not be able to log onto th | TITLE:Account Mo | CCE-36147-7 |
| etwork users will need to authe | TITLE:Perform Reg | CCE-37432-2 |
| e - this is the default behavior. | TITLE:Account Mo | CCE-37615-2 |
| will have to inform users who ar | TITLE:Account Mo | CCE-38233-3 |
| e should be little impact, becaus | TITLE:Account Mo | CCE-38027-9 |
| e - this is the default behavior. | TITLE:Ensure Audit | CCE-37850-5 |
| e - this is the default behavior. | TITLE:Maintenance | CCE-35907-5 |
| benchmarks is consistent. |  |  |
| e - this is the default behavior. | TITLE:Minimize An | CCE-37701-0 |
| e - this is the default behavior. | TITLE:Minimize An | CCE-37942-0 |
| e - this is the default behavior. However, only Windows NT 4.0 with Service Pack 6a (SP6a) and subsequent versions of the Windows operating system sup | TITLE:Data Prote | CCE-36142-8 |
| ability to create or delete trust relationships with clients running versions of Windows earlier than Windows NT 4.0 with SP6a will be disabled. |  |  |
| ons from clients running versions of Windows earlier than Windows NT 4.0 with SP6a will be disabled. |  |  |
| ability to authenticate other domains' users from a Domain Controller running a version of Windows earlier than Windows NT 4.0 with SP6a in a trusted do |  |  |
| e - this is the default behavior. | TITLE:Data Prote | CCE-37130-2 |
| can enable this policy setting after you eliminate all Windows 9x clients from the domain and upgrade all Windows NT 4.0 servers and Domain Controllers f |  |  |
| e - this is the default behavior. | TITLE:Data Prote | CCE-37222-7 |
| e - this is the default behavior. | TITLE:Account Mo | CCE-37508-9 |
| e - this is the default behavior. | TITLE:Account Mo | CCE-37431-4 |
| e - this is the default behavior. | TITLE:Data Prote | CCE-37614-5 |
| name of the last user to successf | TITLE:Data Prote | CCE-36056-0 |
| s must press CTRL+ALT+DEL befor | TITLE:Malware D | CCE-37637-6 |
| screen saver will automatically | TITLE:Ensure Work | CCE-38235-8 |
| s will have to acknowledge a dialog box containing the configured text before they can log on to the computer. |  | CCE-37226-8 |
| e:** Windows Vista and Windows XP Professional support logon banners that can exceed 512 characters in length and that can also contain carriage-retu |  |  |
| s will have to acknowledge a dialog box with the con |  | CCE-37512-1 |
| s will see a dialog box prompt t | TITLE:Account Mo | CCE-37622-8 |
| u select `Lock Workstation`, the workstation is locked when the smart card is removed, allowing users to leave the area, take their smart card with them, an |  |  |
| n the console on a computer is loc | TITLE:Configure Ac | CCE-38240-8 |
| u select `Force Logoff`, users are automatically logged off when their smart card is removed. |  |  |
|  | TITLE:Ensure Work | CCE-38333-1 |
| u select `Disconnect if a Remote Desktop Services session`, removal of the smart card disconnects the session without logging the users off. This allows th |  |  |
| Microsoft network client will not communicate with a Microsoft network server unless that server agrees to perform SMB packet signing. |  |  |
| rcing this setting on computers used by people who must log onto multiple computers in order to perform their duties could be frustrating and lower product |  |  |
| e - this is the default behavior. |  |  |
| Windows 2000 Server, Windows 2000 Professional, Windows Server 2003, Windows XP Professional and Windows Vista implementations of the SMB file | TITLE:Data Prote | CCE-36325-9 |
| ementation of SMB signing may negatively affect performance, because each packet needs to be signed and verified. If these settings are enabled on a file ser |  |  |
| Windows 2000 Server, Windows 2000 Professional, Windows Server 2003, Windows XP Professional and Windows Vista implementations of the SMB file | TITLE:Data Prote | CCE-36269-9 |
| n SMB signing policies are enabled on Domain Controllers running Windows Server 2003 and member computers running Windows Vista SP1 or Windows |  |  |
| e - this is the default behavior. |  |  |
| ementation of SMB signing may negatively affect performance, because each packet needs to be signed and verified. If these settings are enabled on a ser | TITLE:Data Prote | CCE-37863-8 |
| n very old applications and operating systems such as MS-DOS, Windows for Workgroups 3.11, and Windows 95a may not be able to communicate with th |  |  |
| e SMB signing policies are enabled on Domain Controllers running Windows Server 2003 and member computers running Windows Vista SP1 or Windows |  |  |
| Microsoft network server will not communicate with a Microsoft network client unless that client agrees to perform SMB packet signing. |  |  |
| e will be little impact because SM | TITLE:Secure Conf | CCE-38046-9 |
| Microsoft network server will negotiate SMB packet signing as requested by the client. That is, if packet signing has been enabled on the client, packet sign |  |  |
| Windows 2000 Server, Windows 2000 Professional, Windows Server 2003, Windows XP Professional and Windows Vista implementations of the SMB file | TITLE:Data Prote | CCE-37864-6 |
| ementation of SMB signing may negatively affect performance, because each packet needs to be signed and verified. If these settings are enabled on a file ser |  |  |
| Windows 2000 Server, Windows 2000 Professional, Windows Server 2003, Windows XP Professional and Windows Vista implementations of the SMB file | TITLE:Data Prote | CCE-35988-5 |
| n SMB signing policies are enabled on Domain Controllers running Windows Server 2003 and member computers running Windows Vista SP1 or Windows |  |  |
| ementation of SMB signing may negatively affect performance, because each packet needs to be signed and verified. If these settings are enabled on a ser |  |  |
| e - this is the default behavior. | TITLE:Account Mo | CCE-37972-7 |
| indows operating systems support both a client-side SMB component and a server-side SMB component. This setting affects the server SMB behavior, an |  |  |
| n SMB signing policies are enabled on Domain Controllers running Windows Server 2003 and member computers running Windows Vista SP1 or Windows |  |  |
| nfigured to `Accept if provided by client`, the SMB server will accept and validate the SPN provided by the SMB client and allow a session to be established | TITLE:Controlled | CCE-36170-9 |
| nfigured to `Required from client`, the SMB client MUST send a SPN name in session setup, and the SPN name provided MUST match the SMB server tha |  |  |
| e - this is the default behavior. | TITLE:Data Prote | CCE-36065-1 |
| e - this is the default behavior. | TITLE:Account Mo | CCE-36316-8 |
| be impossible to establish t | TITLE:Account Mo | CCE-36077-6 |
| e - this is the default behavior. | TITLE:Controlled | CCE-36148-5 |
| e - this is the default behavior. |  |  |
| session access over null sessio | TITLE:Implement N | CCE-38258-0 |
| If you choose to enable this setting and are supporting Windows NT 4.0 domains, you should check if any of the named pipe |  |  |
| e - this is the default behavior. However, if you remove the default registry paths from the list of accessible ones, remote management tools such as the Mic |  |  |
MNAP: SNA session access TITLE:Controlled CCE-37194-8
e:**
eMNODE: If you
- this want
is the
SNA to allow
default remote
behavior.
session access access, ifyou
However, youmust alsothe
remove enable theregistry
default Remotepaths
Registry
fromservice.
the list of accessible ones, remote management tools such as the Mic
L\\QUERY: SQL instance access TITLE:Controlled CCE-36347-3
e:** If you want to allow remote access, you must also enable the Remote Registry service.
OOLSS: Spooler service
SRPC: License Logging service TITLE:Controlled CCE-36021-4
TLOGON: Net Logon service
ARPC: LSA access
e - this is the default behavior. TITLE:Controlled CCE-38095-6
MR: Remote access to SAM objects
OWSER: Computer Browser service
e - this is the default configurat TITLE:Controlled CCE-37623-6

ous to the release of Windows Server 2003 with Service Pack 1 (SP1) these named pipes were allowed anonymous access by default, but with the increas
ces running as Local System thaTITLE:Account MoCCE-38341-4

applications that require NULL s TITLE:Controlled CCE-37035-3

e - this is the default configurat TITLE:Configure AcCCE-38047-7


selected, the encryption type will not be allowed. This setting may affect compatibility with client computers or services and applications. Multiple selection
TITLE:Encrypt/HashCCE-37755-6
e:** Windows Server 2008 (non-R2) and below allow DES for Kerberos by default, but later OS versions do not.
e - this is the default behavior. TITLE:Encrypt/Hash CCE-36326-7

e - this is the default behavior. TITLE:Account MoCCE-36270-7


ts use NTLMv2 authentication only and use NTLMv2 session security if the server supports it; Domain Controllers refuse LM and NTLM (accept only NTLM
TITLE:Data Prote CCE-36173-3
e:** For information about a hotfix to ensure that this setting works in networks that include Windows NT 4.0-based computers along with Windows 2000, W
e - this is the default behavior. TITLE:Data Prote CCE-36858-9

M connections will fail if NTLMv2TITLE:Data Prote CCE-37553-5

M connections will fail if NTLMv2TITLE:Data Prote CCE-37835-6
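The SMB signing, SPN target-name validation, anonymous named-pipe and share access, Kerberos encryption-type and NTLM rows above all end up as registry values under HKLM. The following PowerShell is an added example, not part of the CIS benchmark or its assessment content: it audits those values against what the rows call for. The registry paths, value names and Kerberos bit layout are Microsoft's documented ones; the specific expected numbers (LmCompatibilityLevel 5, NTLM minimum session security 0x20080000, SPN hardening level 1 or higher, AES-only Kerberos types) are the benchmark's usual recommendations and should be confirmed against your benchmark release.

```powershell
# Added example (not CIS content): read-only audit of the authentication and
# SMB hardening settings discussed above, taken straight from the registry keys
# the corresponding security-option policies write to. Run elevated on the
# target host. Expected values are assumptions based on the benchmark text.

$Lsa  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Srv  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters'
$Wks  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
$Kerb = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System\Kerberos\Parameters'

# Kerberos SupportedEncryptionTypes bit flags (Microsoft's documented layout).
$DES_CRC = 0x1; $DES_MD5 = 0x2; $RC4 = 0x4; $AES128 = 0x8; $AES256 = 0x10

# One row per check: where the value lives, the test applied to it, and a
# human-readable statement of what the benchmark expects.
$Checks = @(
    @{ Path = $Lsa; Name = 'LmCompatibilityLevel'; Expect = 'equals 5 (send NTLMv2 only, refuse LM and NTLM)';
       Test = { param($v) $v -eq 5 } }
    @{ Path = "$Lsa\MSV1_0"; Name = 'NTLMMinClientSec'; Expect = 'NTLMv2 session security + 128-bit (0x20080000)';
       Test = { param($v) ($v -band 0x20080000) -eq 0x20080000 } }
    @{ Path = "$Lsa\MSV1_0"; Name = 'NTLMMinServerSec'; Expect = 'NTLMv2 session security + 128-bit (0x20080000)';
       Test = { param($v) ($v -band 0x20080000) -eq 0x20080000 } }
    @{ Path = $Srv; Name = 'RequireSecuritySignature'; Expect = 'equals 1 (server always signs SMB)';
       Test = { param($v) $v -eq 1 } }
    @{ Path = $Wks; Name = 'RequireSecuritySignature'; Expect = 'equals 1 (client always signs SMB)';
       Test = { param($v) $v -eq 1 } }
    @{ Path = $Srv; Name = 'SmbServerNameHardeningLevel'; Expect = '1 or 2 (Accept if provided by client / Required from client)';
       Test = { param($v) $v -ge 1 } }
    @{ Path = $Srv; Name = 'RestrictNullSessAccess'; Expect = 'equals 1 (no anonymous access to named pipes and shares)';
       Test = { param($v) $v -eq 1 } }
    @{ Path = $Kerb; Name = 'SupportedEncryptionTypes'; Expect = 'AES128 and AES256 set, DES and RC4 clear';
       Test = { param($v) (($v -band ($DES_CRC -bor $DES_MD5 -bor $RC4)) -eq 0) -and
                          (($v -band $AES128) -ne 0) -and (($v -band $AES256) -ne 0) } }
)

function Get-RegValue($Path, $Name) {
    # $null when the key or value is absent, i.e. the OS default applies.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Test-AuthHardening {
    foreach ($c in $Checks) {
        $value = Get-RegValue $c.Path $c.Name
        # An absent value is reported as FAIL: the benchmark wants the policy
        # set explicitly, even where the OS default happens to be the secure one.
        $pass  = if ($null -eq $value) { $false } else { & $c.Test $value }
        [pscustomobject]@{
            Setting  = "$($c.Path -replace '^HKLM:\\','')\$($c.Name)"
            Current  = if ($null -eq $value) { '<not set (OS default)>' } else { $value }
            Expected = $c.Expect
            Status   = if ($pass) { 'PASS' } else { 'FAIL' }
        }
    }
}

Test-AuthHardening | Format-Table -AutoSize -Wrap
```

Reading the registry shows the value the last Group Policy refresh wrote, not the GPO itself; after changing the policy, run `gpupdate /force` before re-auditing, and remember that the Kerberos types a host will actually use also depend on what the domain controllers and the account's `msDS-SupportedEncryptionTypes` permit.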

benchmarks is consistent.

e - this is the default behavior. TITLE:Minimize AnCCE-36788-8

benchmarks is consistent.

e - this is the default behavior. CCE-37885-1

e - this is the default behavior. TITLE:Protect InfoCCE-37644-2

benchmarks is consistent.

built-in Administrator account u TITLE:Minimize AnCCE-36494-3

e - this is the default behavior. TITLE:Account MoCCE-36863-9

n an operation (including executioTITLE:Minimize AnCCE-37029-6


n an operation requires elevation of privilege, a configurable access denied error message is displayed. An enterprise that is running desktops as standard
TITLE:Minimize AnCCE-36864-7
e:** With this setting configured as recommended, the default error message displayed when a user attempts to perform an operation or run a program req
n an application installation packTITLE:Minimize AnCCE-36533-8

e - this is the default behavior. TITLE:Minimize AnCCE-37057-7

e - this is the default behavior. TITLE:Minimize AnCCE-36869-6

e - this is the default behavior. TITLE:Minimize AnCCE-36866-2

e - this is the default behavior. CCE-37064-3

benchmarks is consistent.

benchmarks is consistent.

benchmarks is consistent.

benchmarks is consistent.

benchmarks is consistent.
benchmarks is consistent.

e - this is the default behavior. TITLE:Leverage Hos CCE-36062-8

e - this is the default behavior. TITLE:Leverage Hos CCE-38117-8

e - this is the default behavior. TITLE:Leverage Hos CCE-36146-9

ows Firewall will not display a notification when a CCE-38041-0

og file will be stored in the specif TITLE:Ensure Audit CCE-37482-7

og file size will be limited to t TITLE:Ensure Audit CCE-36088-3

mation about dropped packets will TITLE:Ensure Audit CCE-37523-8

mation about successful connectio TITLE:Ensure Audit CCE-36393-7

e - this is the default behavior. TITLE:Leverage Hos CCE-38239-0

e - this is the default behavior. TITLE:Leverage Hos CCE-38042-8

e - this is the default behavior. TITLE:Leverage Hos CCE-38332-3

ows Firewall will not display a notification when a CCE-37621-0

og file will be stored in the specif TITLE:Ensure Audit CCE-37569-1

og file size will be limited to t TITLE:Ensure Audit CCE-38178-0

mation about dropped packets will TITLE:Ensure Audit CCE-35972-9

mation about successful connectio TITLE:Ensure Audit CCE-37387-8

e - this is the default behavior. TITLE:Leverage Hos CCE-37862-0

e - this is the default behavior. TITLE:Leverage Hos CCE-36057-8

e - this is the default behavior. TITLE:Leverage Hos CCE-37434-8

ows Firewall will not display a notification when a CCE-38043-6

nistrators can still create firewall TITLE:Minimize An CCE-37861-2

nistrators can still create local c TITLE:Minimize An CCE-36268-1

og file will be stored in the specif TITLE:Ensure Audit CCE-37266-4

og file size will be limited to t TITLE:Ensure Audit CCE-36395-2

mation about dropped packets will TITLE:Ensure Audit CCE-37265-6

mation about successful connectio TITLE:Ensure Audit CCE-36394-5
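The three repeated groups above are the per-profile (Domain, Private, Public) Windows Firewall logging rows: log file path, size limit, dropped packets and successful connections. The following PowerShell is an added example, not CIS content: it audits those four settings on every profile and, with `-Remediate`, sets them. It assumes the NetSecurity module (Windows 8 / Server 2012 or newer), an elevated session for remediation, and the log paths and 16,384 KB minimum that the benchmark recommends; confirm those against your benchmark release.

```powershell
# Added example (not CIS content): audit and optionally fix per-profile
# firewall logging. Assumes Get-/Set-NetFirewallProfile (NetSecurity module)
# and an elevated session when -Remediate is used.

$LogRoot  = '%SystemRoot%\System32\logfiles\firewall'
$Expected = @{                       # one log per profile keeps records from interleaving
    Domain  = "$LogRoot\domainfw.log"
    Private = "$LogRoot\privatefw.log"
    Public  = "$LogRoot\publicfw.log"
}
$MinSizeKB = 16384                   # benchmark minimum (assumed); larger is fine

function Test-FirewallLogging {
    param([switch]$Remediate)
    foreach ($name in $Expected.Keys) {
        $p = Get-NetFirewallProfile -Name $name
        $problems = @()
        if ($p.LogFileName -ne $Expected[$name])   { $problems += "path is '$($p.LogFileName)'" }
        if ($p.LogMaxSizeKilobytes -lt $MinSizeKB) { $problems += "max size is $($p.LogMaxSizeKilobytes) KB" }
        # LogBlocked / LogAllowed are GpoBoolean (True, False, NotConfigured);
        # only an explicit True satisfies the benchmark.
        if ("$($p.LogBlocked)" -ne 'True')         { $problems += 'dropped packets not logged' }
        if ("$($p.LogAllowed)" -ne 'True')         { $problems += 'successful connections not logged' }

        $status = if ($problems.Count -eq 0) { 'PASS' } else { 'FAIL' }
        if ($status -eq 'FAIL' -and $Remediate) {
            Set-NetFirewallProfile -Name $name -LogFileName $Expected[$name] `
                -LogMaxSizeKilobytes $MinSizeKB -LogBlocked True -LogAllowed True
            $status = 'FIXED'
        }
        [pscustomobject]@{ Profile = $name; Status = $status; Detail = ($problems -join '; ') }
    }
}

Test-FirewallLogging | Format-Table -AutoSize
```

On a domain member, `Set-NetFirewallProfile` writes the local store; a GPO that configures the same setting wins at the next refresh, so treat the local change as a lab fix and put the real value in the policy.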

benchmarks is consistent.

benchmarks is consistent.

benchmarks is consistent.
benchmarks is consistent.

benchmarks is consistent.

benchmarks is consistent.

benchmarks is consistent.

audit settings are configured, TITLE:AutomaticalCCE-37741-6

nt audit policy.

audit settings are configured, TITLE:Account MoCCE-38329-9

audit settings are configured, TITLE:Inventory CCE-38004-8

audit settings are configured, TITLE:AutomaticallCCE-37855-4

audit settings are configured, TITLE:Account MoCCE-38034-5

audit settings are configured, TITLE:AutomaticallCCE-37856-2

audit settings are configured, or if audit setting CCE-36059-4

Access audit policy.

audit settings are configured, TITLE:Configure ACCE-37133-6

audit settings are configured, TITLE:Profile Use CCE-38237-4

audit settings are configured, TITLE:Profile Use CCE-38036-0

audit settings are configured, TITLE:Profile Use CCE-36322-6

audit settings are configured, TITLE:AdministratoCCE-36266-5

audit settings are configured, TITLE:Ensure Audit CCE-37620-2

audit settings are configured, TITLE:Limit Use O CCE-37617-8

audit settings are configured, TITLE:Use File Int CCE-38028-7

audit settings are configured, TITLE:Use File Int CCE-38327-3

audit settings are configured, TITLE:Use File Int CCE-36320-0

audit settings are configured, TITLE:Minimize An CCE-36267-3

audit settings are configured, TITLE:Data Prote CCE-37853-9

audit settings are configured, TITLE:Leverage Hos CCE-38030-3
audit settings are configured, or if audit setting CCE-38114-5

audit settings are configured, TITLE:Maintenance CCE-36144-4

audit settings are configured, TITLE:Maintenance CCE-37132-8

ministrative Templates (ADMX).

dmx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
gs.

nelDisplay.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
u enable this setting, users will no longer be abl CCE-38347-1

u enable this setting, users will no longer be able CCE-38348-9


trator Password Solution (LAPS).

dmx/adml` that is included with LAPS.
mpact. When installed and registered properly, `AdmPwd.dll` takes no action unless given appropriate GPO commands during Group Policy refresh. It is no
TITLE:Configure Account Access Centrally CONTROL:16.9 DESCRIPTION:Configure access for all accounts through a ce
disaster recovery scenario where Active Directory is not available, the local Administrator password will not be retrievable and a local password reset using
ned password expiration longer TITLE:All Accounts Have A Monitored Expiration Date CONTROL:16.2 DESCRIPTION:Ensure that all accounts have an e
ocal administrator password is managed (provided that the LAPS AdmPwd GPO Extension / CSE is installed on the target computer (see Rule 18.2.1), the
TITLE:Configure Account Access Centrally CONTROL:16.9 DESCRIPTION:Configure access for all accounts through a ce
disaster recovery scenario where Active Directory is not available, the local Administrator password will not be retrievable and a local password reset using
S-generated passwords will be req TITLE:User Accounts Shall Use Long Passwords CONTROL:5.7 DESCRIPTION:Where multi-factor authentication is not s

S-generated passwords will be req TITLE:User Accounts Shall Use Long Passwords CONTROL:5.7 DESCRIPTION:Where multi-factor authentication is not s

S-generated passwords will be reTITLE:Ensure Workstation Screen Locks Are Configured CONTROL:16.5 DESCRIPTION:Configure screen locks on syste
ecurity Guide.

admx/adml` that is available from Microsoft at [this link](https://blogs.technet.microsoft.com/secguide/2017/08/30/security-baseline-for-windows-10-creators


e - this is the default behavior. TITLE:AdministratoCCE-37069-2

e legacy OSes (e.g. Windows XP, TITLE:Limit Open Ports, Protocols, and Services CONTROL:9.1 DESCRIPTION:Ensure that only ports, protocols, and ser

e legacy OSes (e.g. Windows XP, TITLE:Limit Open Ports, Protocols, and Services CONTROL:9.1 DESCRIPTION:Ensure that only ports, protocols, and ser

you enable SEHOP, existing ver TITLE:Enable Anti-exploitation Features (i.e. DEP, ASLR, EMET) CONTROL:8.4 DESCRIPTION:Enable anti-exploitation f

e - this is also the default confi TITLE:Encrypt/Hash CCE-38444-6
(MSS) settings.

y.admx/adml` that is available from this TechNet blog post: [The MSS settings – Microsoft Security Guidance blog](https://blogs.technet.microsoft.com/sec
e - this is the default behavior. TITLE:Account MoCCE-37067-6

coming source routed packets wTITLE:Limitation CCE-36871-2

coming source routed packets wTITLE:Limitation CCE-36535-3

n Routing and Remote Access Servi TITLE:Limitation CCE-37988-3

e - this is the default behavior. TITLE:Limitation CCE-36879-5

e - this is the default behavior. TITLE:Malware D CCE-36351-5

s will have to enter their passwo TITLE:Ensure Work CCE-37993-3

udit event will be generated whe TITLE:Ensure Audit CCE-36880-3

dmx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.

adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.

erCaching.admx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).
benchmarks is consistent.

adml` that is included with the Microsoft 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
IOS name resolution queries willTITLE:Limitation and Control of Network Ports, Protocols, and Services CONTROL:9 DESCRIPTION:Limitation and Contro

e event DNS is unavailable a sy TITLE:Limitation CCE-37450-4


benchmarks is consistent.

cy.admx/adml` that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer).
benchmarks is consistent.

h.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
benchmarks is consistent.

rver.admx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).
benchmarks is consistent.

orkstation.admx/adml` that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer).
ings.

TopologyDiscovery.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
Services settings.

admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.

admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

onnections.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
s cannot create or configure a NTITLE:Minimize AnCCE-38002-2

ain users must elevate when setti TITLE:Minimize An CCE-38188-9
benchmarks is consistent.

rewall.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.
d by Microsoft to _Windows Defender Firewall_ starting with the Microsoft Windows 10 Release 1709 Administrative Templates.
x/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.

olation.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).

ovider.admx/adml` that is included with the [MS15-011](https://technet.microsoft.com/library/security/MS15-011) / [MSKB 3000483](https://support.microso


ows only allows access to the spe TITLE:Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers CONTRO
benchmarks is consistent.

s.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.

x/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.

x/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.

eOrder.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).
benchmarks is consistent.

/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).

/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).

onnectNow.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
ngs.

x/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
e - this is the default behavior. TITLE:Boundary CCE-38338-0
benchmarks is consistent.

dmx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.

dmx/adml` that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer).

dmx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.

mx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
benchmarks is consistent.

/adml` that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer).

gs.admx/adml` that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer).
e - this is the default behavior. TITLE:Encrypt/Hash CCE-36925-6

dmx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
host will support the _Restric TITLE:Account Monitoring and Control CONTROL:16 DESCRIPTION:Account Monitoring and Control;
benchmarks is consistent.

ard.admx/adml` that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer).
benchmarks is consistent.

/adml` that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer).
benchmarks is consistent.

allation.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.

irection.admx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).
benchmarks is consistent.

che.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.

.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.

mx/adml` that is included with the Microsoft Windows 10 Release 1703 Administrative Templates (or newer).
benchmarks is consistent.

mx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.

allation.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
ation settings.

chAM.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
e - this is the default behavior. TITLE:Malware D CCE-37912-3
benchmarks is consistent.

Storage.admx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).
benchmarks is consistent.

mx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
benchmarks is consistent.

VSSAgent.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
benchmarks is consistent.
benchmarks is consistent.
rVSSProvider.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
mx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.
d by Microsoft to _Filesystem_ starting with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates.
rection.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
tings.

cy.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
p Policies will be reapplied eve TITLE:Deploy SystCCE-36169-1

p Policies will be reapplied eve TITLE:Deploy SystCCE-36169-1

e - this is the default behavior. TITLE:Deploy SystCCE-37712-7


benchmarks is consistent.

cyPreferences.admx/adml` that is included with the Microsoft Windows Server 2008 (non-R2) Administrative Templates (or newer).
nagement.

dmx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
ngs.

dmx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
drivers cannot be downloaded over HTTP.
TITLE:Inventory CCE-36625-2
e:** This policy setting does not prevent the client computer from printing to printers on the intranet or the Internet over HTTP. It only prohibits downloading
ows is prevented from downloadin TITLE:Email and CCE-36096-6
client computer will not be able to print to Internet printers over HTTP.
TITLE:Assess DataCCE-36920-7
e:** This policy setting affects the client side of Internet printing only. Regardless of how it is configured, a computer could act as an Internet Printing serve
benchmarks is consistent.

x/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.

/adml` that is included with the Microsoft Windows Server 2008 (non-R2) Administrative Templates (or newer).
benchmarks is consistent.

dmx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

on.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
creen.

mx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
PC's network connectivity state TITLE:Controlled CCE-38353-9

Logon UI will not enumerate an TITLE:Configure Ac CCE-37838-0

e - this is the default behavior. TITLE:Configure Ac CCE-35894-5

pp notifications are displayed on TITLE:Ensure Work CCE-35893-7

s will not be able to set up or si TITLE:Ensure Work CCE-37830-7

e - this is the default behavior. TITLE:Ensure Work CCE-37528-7
benchmarks is consistent.

cy.admx/adml` that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer).
benchmarks is consistent.

dmx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.

admx/adml` that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer).
benchmarks is consistent.

CPL.admx/adml` that is only included with the Microsoft Windows Vista through the Windows 8.0 & Server 2012 (non-R2) Administrative Templates.
benchmarks is consistent.

dmx/adml` that is included with the Microsoft Windows 10 Release 1703 Administrative Templates (or newer).

mx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.

mx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.

mx/adml` that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer).
benchmarks is consistent.

mx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.

mx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.

mx/adml` that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer).
mode.

mx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
e - this is the default behavior. TITLE:Ensure Work CCE-36881-1

e - this is the default behavior. TITLE:Ensure Work CCE-37066-8
benchmarks is consistent.

dmx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).

sistance.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
e - this is the default behavior. TITLE:Limit Open CCE-36388-7

s on this computer cannot use e-TITLE:Minimize AnCCE-37281-3

/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
clients will authenticate to the TITLE:Limit Open CCE-37346-4
benchmarks is consistent.

eStorage.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.

mx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.

ager.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.

mx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
benchmarks is consistent.

mx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.

alth.admx/adml` that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer).
benchmarks is consistent.

store.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
stics.

dmx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.

adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.

ery.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.

ostic.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.

x/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).
ostic Tool.

mx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.

covery.admx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).
benchmarks is consistent.

admx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).
benchmarks is consistent.

dmx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).
benchmarks is consistent.

ceDiagnostics.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.

ostic.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
rack.

cePerftrack.admx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).
benchmarks is consistent.

/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

es.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.

leProtection.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.

dmx/adml` that is only included with the Microsoft Windows Vista through the Windows 8.0 & Server 2012 (non-R2) Administrative Templates.

admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

dmx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.

adml` that is only included with the Microsoft Windows Vista through the Windows 8.0 & Server 2012 (non-R2) Administrative Templates.
benchmarks is consistent.
benchmarks is consistent.
tallService.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
nytimeUpgrade.admx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).
benchmarks is consistent.
s renamed by Microsoft to _Add features to Windows x_ starting with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates.
ageManager.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
benchmarks is consistent.

y.admx/adml` that is included with the Microsoft Windows 10 Release 1511 Administrative Templates (or newer).

me.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
ows Store apps that typically requ TITLE:Configure Ac CCE-38354-7
benchmarks is consistent.

at.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

dmx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
Play will not be allowed for MTP TITLE:Limit Use OCCE-37636-8

Run commands will be completelTITLE:Limit Use OCCE-38217-6

play will be disabled - users wil TITLE:Limit Use OCCE-36875-3


benchmarks is consistent.

ackup.admx/adml` that is only included with the Microsoft Windows Vista through the Windows 10 Release 1511 Administrative Templates (except for the
benchmarks is consistent.

.admx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).
benchmarks is consistent.

cryption.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.

dmx/adml` that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer).
benchmarks is consistent.

ent.admx/adml` that is included with the Microsoft Windows 10 Release 1511 Administrative Templates (or newer).
benchmarks is consistent.

splay.admx/adml` that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer).

mx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
password reveal button will not TITLE:Account MoCCE-37534-5

e - this is the default behavior. TITLE:Account MoCCE-36512-2


benchmarks is consistent.

dmx/adml` that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer).
benchmarks is consistent.

ptimization.admx/adml` that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer).
benchmarks is consistent.

mx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).
benchmarks is consistent.

x/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.
benchmarks is consistent.
mpat.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
Join.admx/adml` that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer).
benchmarks is consistent.
igation Experience Toolkit (EMET).
by Microsoft to _Device Registration_ starting with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates.
er.admx/adml` that is included with Microsoft EMET.
benchmarks is consistent.
mx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

mx/adml` that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer).
ws an enterprise to apply exploit mitigations to applications that run on Windows. Many of these mitigations were later coded directly into Windows 10 and S

Windows server OSes prior to Server 2016, it is highly recommended that compatibility testing is done on typical server configurations (including all CIS-reco
nel\Program\Programs and Featu TITLE:Enable Anti-exploitation Features (i.e. DEP, ASLR, EMET) CONTROL:8.4 DESCRIPTION:Enable anti-exploitation f
we only recommend using it with 64-bit OSes.
advanced mitigations available inTITLE:Enable AntiCCE-38427-1
July 31, 2018. This does not mean the software will stop working, only that Microsoft will not update it any further past that date, nor troubleshoot new prob
T mitigations will be applied to I TITLE:Enable AntiCCE-38428-9

T mitigations will be applied to thTITLE:Enable AntiCCE-36750-8

T mitigations will be applied to TITLE:Enable AntiCCE-36515-5

R protections will be enabled on TITLE:Enable AntiCCE-38437-0

protections will be enabled on *aTITLE:Enable AntiCCE-38438-8

OP protections will be enabled on TITLE:Enable Anti CCE-38439-6
benchmarks is consistent.

arding.admx/adml` that is included with the Microsoft Windows Server 2008 (non-R2) Administrative Templates (or newer).

admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
og.

admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
e - this is the default behavior. TITLE:Ensure Audit CCE-37775-4
en event logs fill to capacity, they will stop recording information unless the retention method for each is set so that the computer will overwrite the oldest ent

consequence of this configuration is that older events will be removed from the logs. Attackers can take advantage of such a configuration, because they ca TITLE:Ensure Audit CCE-37948-7

ly, all specifically monitored events should be sent to a server that uses Microsoft System Center Operations Manager (SCOM) or some other automated m
admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
e - this is the default behavior. TITLE:Ensure Audit CCE-37145-0
en event logs fill to capacity, they will stop recording information unless the retention method for each is set so that the computer will overwrite the oldest ent

consequence of this configuration is that older events will be removed from the logs. Attackers can take advantage of such a configuration, because they ca TITLE:Ensure Audit CCE-37695-4

ly, all specifically monitored events should be sent to a server that uses Microsoft System Center Operations Manager (SCOM) or some other automated m
admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
e - this is the default behavior. TITLE:Ensure Audit CCE-38276-2
en event logs fill to capacity, they will stop recording information unless the retention method for each is set so that the computer will overwrite the oldest ent

consequence of this configuration is that older events will be removed from the logs. Attackers can take advantage of such a configuration, because they ca TITLE:Ensure Audit CCE-37526-1

ly, all specifically monitored events should be sent to a server that uses Microsoft System Center Operations Manager (SCOM) or some other automated m
admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
e - this is the default behavior. TITLE:Ensure Audit CCE-36160-0
en event logs fill to capacity, they will stop recording information unless the retention method for each is set so that the computer will overwrite the oldest ent

consequence of this configuration is that older events will be removed from the logs. Attackers can take advantage of such a configuration, because they ca TITLE:Ensure Audit CCE-36092-5
benchmarks is consistent.
ly, all specifically monitored events should be sent to a server that uses Microsoft System Center Operations Manager (SCOM) or some other automated m
ing.admx/adml` that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer).
benchmarks is consistent.
benchmarks is consistent.
er.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
ontrols.admx/adml` that is only included with the Microsoft Windows Vista through the Windows 10 RTM (Release 1507) Administrative Templates.
h as menu items and tabs in dialog boxes.

dxplorer.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
by Microsoft to _Family Safety_ starting with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates.

ed by Microsoft to _File Explorer_ starting with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates.
- this is the default behavior. TITLE:Enable Anti CCE-37809-1

e - this is the default behavior. TITLE:Enable Anti CCE-36660-9

e - this is the default behavior. TITLE:Enable Anti CCE-36809-2


benchmarks is consistent.

ersions.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.

.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
benchmarks is consistent.

mx/adml` that is included with the Microsoft Windows 10 Release 1703 Administrative Templates (or newer).
benchmarks is consistent.

orer.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.

g.admx/adml` that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer).
benchmarks is consistent.

mx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).
benchmarks is consistent.

zard.admx/adml` that is only included with the Microsoft Windows Vista and Windows Server 2008 (non-R2) Administrative Templates.
benchmarks is consistent.

mx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.

dml` that is included with all versions of the Microsoft Windows Administrative Templates.

dmx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).

oviderAdm.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
benchmarks is consistent.

mx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
benchmarks is consistent.

admx/adml` that is included with the Microsoft Windows 10 Release 1511 Administrative Templates (or newer).
benchmarks is consistent.

x/adml` that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer).
benchmarks is consistent.

.admx/adml` that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer).
benchmarks is consistent.

.admx/adml` that is included with the Microsoft Windows 10 Release 1703 Administrative Templates (or newer).
benchmarks is consistent.

dge.admx/adml` that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer).
benchmarks is consistent.

dmx/adml` that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer).
benchmarks is consistent.

dential.admx/adml` that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer).
benchmarks is consistent.

ienceVirtualization.admx/adml` that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer).
benchmarks is consistent.

/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.

c.admx/adml` that is only included with the Microsoft Windows Server 2008 (non-R2) through the Windows 8.1 Update & Server 2012 R2 Update Administr
benchmarks is consistent.

ojection.admx/adml` that is only included with the Microsoft Windows Vista through the Windows 8.1 Update & Server 2012 R2 Update Administrative Tem
up Policy template `SkyDrive.admx/adml` that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer).

osoft to _OneDrive_ starting with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates.
s can't access OneDrive from the OneDrive app and file picker. Windows Store apps can't access OneDrive using the `WinRT` API. OneDrive doesn't appe
se:** If your organization uses Office 365, be aware that this setting will prevent users from saving files to OneDrive/SkyDrive.
TITLE:Data Prote CCE-36939-7
benchmarks is consistent.

upport.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.

.admx/adml` that is only included with the Microsoft Windows Vista through the Windows 8.1 Update & Server 2012 R2 Update Administrative Templates.
benchmarks is consistent.

ot.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
benchmarks is consistent.

PresentationSettings.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.

tall.admx/adml` that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer).
erver.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.

d by Microsoft to _Remote Desktop Services_ starting with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates.
erver.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
ient.
Microsoft to _RD Licensing_ starting with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates.
erver.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
password saving checkbox will be TITLE:Automaticall CCE-36223-6
benchmarks is consistent.

erver.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
erver.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.
by Microsoft to _Remote Desktop Session Host_ starting with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates.
p Session Host.
erver-Server.admx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).

ost Device and Resource Redirection.
erver.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

erver.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
redirection will not be possible TITLE:Data Prote CCE-36509-8
benchmarks is consistent.

erver.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.

erver.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.
benchmarks is consistent.
erver.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
erver.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.
amed by Microsoft to _RD Connection Broker_ starting with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates.
ost Security.
erver.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

erver.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
s cannot automatically log on to TITLE:Encrypt/Hash CCE-37929-7

ote Desktop Services accepts req


TITLE:Use Only Se CCE-37567-5

e - this is the default behavior. TITLE:Use Only Se CCE-36627-8


ost Session Time Limits.

ost Session Temporary folders.
erver.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

erver.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
e - this is the default behavior. TITLE:Protect Info CCE-37946-1

e - this is the default behavior. TITLE:Protect Info CCE-38180-6

mx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
s cannot set the Feed Sync Engi TITLE:Uninstall/Di CCE-37126-0

mx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
e - this is the default behavior. TITLE:Assess Data CCE-38277-0
benchmarks is consistent.

R.admx/adml` that is only included with the Microsoft Windows 7 & Server 2008 R2 through the Windows 10 Release 1511 Administrative Templates.
benchmarks is consistent.

nter.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.

/adml` that is only included with the Microsoft Windows Vista through the Windows 8.1 Update & Server 2012 R2 Update Administrative Templates.
benchmarks is consistent.

mx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.

.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
orm.

tionGP.admx/adml` that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer).
benchmarks is consistent.

.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.

mx/adml` that is included with the Microsoft Windows 10 Release 1703 Administrative Templates (or newer).
benchmarks is consistent.

I.admx/adml` that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates, or by the Group Policy template `WindowsStore
benchmarks is consistent.

c.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
benchmarks is consistent.

dmx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.

duler.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.

admx/adml` that is only included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates and Microsoft Windows 10 Release 1511 A
benchmarks is consistent.

mx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.

olorSystem.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.
.
e.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
efender.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

emed by Microsoft to _Windows Defender Antivirus_ starting with the Microsoft Windows 10 Release 1703 Administrative Templates.
- this is the default behavior. TITLE:Deploy Autom CCE-36082-6
benchmarks is consistent.

efender.admx/adml` that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer).
benchmarks is consistent.

ervice (MAPS).
efender.admx/adml` that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer).

efender.admx/adml` that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer).
e - this is the default behavior. TITLE:Malware D CCE-36940-5
benchmarks is consistent.

efender.admx/adml` that is included with the Microsoft Windows 10 Release 1703 Administrative Templates (or newer).
benchmarks is consistent.

efender.admx/adml` that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer).
benchmarks is consistent.

efender.admx/adml` that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer).

efender.admx/adml` that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer).
e - this is the default configuratio TITLE:Deploy Autom CCE-38389-3
benchmarks is consistent.

efender.admx/adml` that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer).

efender.admx/adml` that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer).

efender.admx/adml` that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer).
ovable drives will be scanned du TITLE:Data Prote CCE-38409-9

ail scanning by Windows Defender TITLE:Data Prote CCE-36958-7
benchmarks is consistent.

efender.admx/adml` that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer).
benchmarks is consistent.

efender.admx/adml` that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer).
benchmarks is consistent.

efender.admx/adml` that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer).
benchmarks is consistent.

admx/adml` that is included with the Microsoft Windows 10 Release 1703 Administrative Templates (or newer).
benchmarks is consistent.

rd.admx/adml` that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer).
benchmarks is consistent.

efenderSecurityCenter.admx/adml` that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer).

ren.admx/adml` that is included with the Microsoft Windows 10 Release 1703 Administrative Templates (or newer).
SmartScreen settings.

up Policy template `WindowsExplorer.admx/adml` that is included with the Microsoft Windows 10 Release 1703 Administrative Templates (or newer).
s will be warned before they ar TITLE:Inventory CCE-35859-8

rting.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
emory dumps are uploaded accord TITLE:Data Prote CCE-36978-5
benchmarks is consistent.

nsent.
rting.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

rting.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
e - this is the default behavior. TITLE:Data Prote CCE-37112-0
benchmarks is consistent.
benchmarks is consistent.
.admx/adml` that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer).
dmx/adml` that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer).
benchmarks is consistent.
as renamed by Microsoft to _Windows Hello for Business_ starting with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates.
kWorkspace.admx/adml` that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer).

adml` that is included with all versions of the Microsoft Windows Administrative Templates.
e - this is the default behavior. TITLE:Minimize An CCE-36400-0

e - this is the default behavior. TITLE:Minimize An CCE-36919-9

admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
Disable this polic TITLE:Ensure Work CCE-36977-7
benchmarks is consistent.

ail.admx/adml` that is only included with the Microsoft Windows Vista through the Windows 10 Release 1703 Administrative Templates.
benchmarks is consistent.

er.admx/adml` that is only included with the Microsoft Windows Vista through Windows 10 Release 1511 Administrative Templates.
benchmarks is consistent.

ediaDRM.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.

ediaPlayer.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.

ollaboration.admx/adml` that is only included with the Microsoft Windows Vista and Server 2008 (non-R2) Administrative Templates.
benchmarks is consistent.

essenger.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.

MobilityCenter.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.

er.admx/adml` that is only included with the Microsoft Windows Vista and Server 2008 (non-R2) Administrative Templates.

lExecutionPolicy.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
ing of PowerShell script input is TITLE:Automatically Log Off Users After Standard Period Of Inactivity CONTROL:16.4 DESCRIPTION:Regularly monitor t

e - this is the default behavior. TITLE:Automatically Log Off Users After Standard Period Of Inactivity CONTROL:16.4 DESCRIPTION:Regularly monitor t
benchmarks is consistent.

ent (WinRM).
ov.admx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).

gement (WinRM) client.
emoteManagement.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

emoteManagement.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
e - this is the default behavior. TITLE:User/Accoun CCE-36310-1

e - this is the default behavior. TITLE:User/Accoun CCE-37726-7

WinRM client will not use Digest TITLE:User/Accoun CCE-38318-2
gement (WinRM) service.

emoteManagement.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
e - this is the default behavior. TITLE:User/Accoun CCE-36254-1

e - this is the default behavior. TITLE:User/Accoun CCE-38223-4


WinRM service will not allow the RunAsUser or RunAsPassword configuration values to be set for any plug-ins. If a plug-in has already set the RunAsUser
s setting is later Disabled again, any values that were previously configured for RunAsPassword will need to be reset.
TITLE:Automaticall CCE-36000-8
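The WinRM rows above (client Basic/Digest/unencrypted traffic, service Basic/unencrypted traffic, and the RunAs credential-storage setting) all live under one policy key. The following check is an added example, not code from the CIS benchmark: it compares the Group Policy values for those settings against a hardened baseline. The expected values and the explanatory "Why" strings are this example's assumptions; the registry path and value names are the ones the corresponding Administrative Template writes.

```powershell
# Added example (not CIS benchmark content): compare the WinRM client/service
# policy values that govern credential handling against a hardened baseline.
# Expected values are this example's assumptions about a hardened host.
$Checks = @(
    @{ Scope = 'Client';  Name = 'AllowBasic';              Expected = 0; Why = 'Basic auth sends the password base64-encoded, not encrypted' }
    @{ Scope = 'Client';  Name = 'AllowUnencryptedTraffic'; Expected = 0; Why = 'plaintext HTTP transport exposes the session' }
    @{ Scope = 'Client';  Name = 'AllowDigest';             Expected = 0; Why = 'Digest is a weak challenge/response scheme' }
    @{ Scope = 'Service'; Name = 'AllowBasic';              Expected = 0; Why = 'Basic auth sends the password base64-encoded, not encrypted' }
    @{ Scope = 'Service'; Name = 'AllowUnencryptedTraffic'; Expected = 0; Why = 'plaintext HTTP transport exposes the session' }
    @{ Scope = 'Service'; Name = 'DisableRunAs';            Expected = 1; Why = 'plug-ins must not persist RunAsUser/RunAsPassword on the host' }
)
$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM'

function Get-WinRMPolicyStatus {
    foreach ($c in $Checks) {
        $Key = Join-Path $PolicyRoot $c.Scope
        # A missing key or value means the setting is "Not Configured", which
        # leaves the local WinRM configuration (and any admin) in control.
        $Actual = (Get-ItemProperty -Path $Key -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)

        [pscustomobject]@{
            Setting  = "$($c.Scope)\$($c.Name)"
            Expected = $c.Expected
            Actual   = if ($null -eq $Actual) { 'not configured' } else { $Actual }
            # $null -eq 0 is $false in PowerShell, so an unset value is a finding
            Status   = if ($Actual -eq $c.Expected) { 'OK' } else { 'FINDING' }
            Why      = $c.Why
        }
    }
}

Get-WinRMPolicyStatus | Format-Table -AutoSize
# The values WinRM is actually enforcing right now (policy or local) can be
# cross-checked with:  winrm get winrm/config
```

The policy hive is the authoritative source for a compliance check, but it is only applied when the policy is linked and has refreshed; the `winrm get winrm/config` cross-check shows what the listener enforces at this moment, which is what an attacker on the wire experiences.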

emoteShell.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.

admx/adml` that is only included with the Microsoft Windows Vista Administrative Templates through Microsoft Windows 8.0 & Server 2012 (non-R2) Admi
benchmarks is consistent.

sourceManager.admx/adml` that is only included with the Microsoft Windows Vista through Windows 8.0 & Server 2012 (non-R2) Administrative Templates

pdate.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
al operating system updates and TITLE:Use Automat CCE-36172-5

Auto download and schedule th TITLE:Use Automat CCE-36172-5

e - this is the default behavior. TITLE:Use Automat CCE-37027-0
benchmarks is consistent.

pdate.admx/adml` that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer).

trative Templates (ADMX).
enamed by Microsoft to _Windows Update for Business_ starting with the Microsoft Windows 10 Release 1709 Administrative Templates.

dmx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.

vePrograms.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.

nelDisplay.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
nelDisplay.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

d by Microsoft to _Personalization_ starting with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates.
een provided saver runs, that th TITLE:Ensure Work CCE-37970-1

system displays the specified sc TITLE:Ensure Work CCE-37907-3

creen savers are password prote TITLE:Ensure Work CCE-37658-2

screen saver will automatically a TITLE:Ensure Work CCE-37908-1
benchmarks is consistent.
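The four screen saver rows above (screen saver runs, specified screen saver, password protection, automatic activation) are user-configuration settings written to one policy key. The following check is an added example, not code from the CIS benchmark: it verifies those four values for the current user. The 900-second ceiling and the `scrnsave.scr` (blank) screen saver are this example's assumptions for an idle-lock baseline, not values taken from this page.

```powershell
# Added example (not CIS benchmark content): verify the user-side screen saver
# policy values that implement an idle-session lock. The timeout ceiling and the
# expected screen saver binary are assumptions for this example.
$PolicyKey = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$Expected = @{
    ScreenSaveActive    = '1'             # screen saver runs
    'SCRNSAVE.EXE'      = 'scrnsave.scr'  # the specified (blank) screen saver
    ScreenSaverIsSecure = '1'             # password protected on resume
    ScreenSaveTimeOut   = 900             # seconds; activates after at most 15 minutes
}

function Test-ScreenSaverPolicy {
    # Missing key: nothing is enforced, so every value comes back $null
    $Actual = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    foreach ($Name in $Expected.Keys) {
        $Value = $Actual.$Name
        $Ok = switch ($Name) {
            # Timeout is stored as a REG_SZ number of seconds; 0 never locks
            'ScreenSaveTimeOut' { ($null -ne $Value) -and ([int]$Value -gt 0) -and ([int]$Value -le $Expected[$Name]) }
            default             { "$Value" -eq "$($Expected[$Name])" }
        }
        [pscustomobject]@{
            Setting  = $Name
            Expected = $Expected[$Name]
            Actual   = if ($null -eq $Value) { 'not configured' } else { $Value }
            Status   = if ($Ok) { 'OK' } else { 'FINDING' }
        }
    }
}

Test-ScreenSaverPolicy | Format-Table -AutoSize
```

The check reads HKCU, so it reports on the user running it; to audit another account, load that user's hive or read the corresponding subkey under HKEY_USERS. Treating a timeout of 0 as a finding matters because the lock is only as good as the value that triggers it.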

dmx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.

dmx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.

ders.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

dmx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

x/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
cations will not be able to raise TITLE:Ensure Work CCE-36332-5

dmx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.

admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.

allation.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.

rection.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.

nagement.
cy.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

ngs.
dmx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

dmx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.
dmx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
nytimeUpgrade.admx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).
benchmarks is consistent.
s renamed by Microsoft to _Add features to Windows x_ starting with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates.
me.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
benchmarks is consistent.

at.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

tManager.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
e - this is the default behavior. TITLE:Email and CCE-37424-9

ows tells the registered antiviru TITLE:Scan All Inb CCE-36622-9


benchmarks is consistent.

dmx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.

ackup.admx/adml` that is included only with the Microsoft Windows Vista through Windows 8.0 & Server 2012 (non-R2) Administrative Templates, as well
benchmarks is consistent.

ent.admx/adml` that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer).
benchmarks is consistent.

mx/adml` that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer).
benchmarks is consistent.

tion.admx/adml` that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer).
benchmarks is consistent.

mx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).
benchmarks is consistent.

x/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.

er.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.
benchmarks is consistent.
mx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
dmx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.
d by Microsoft to _File Explorer_ starting with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates.
ation.admx/adml` that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer).
benchmarks is consistent.

mx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
benchmarks is consistent.

zard.admx/adml` that is only included with the Microsoft Windows Vista and Windows Server 2008 (non-R2) Administrative Templates.
benchmarks is consistent.

el.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.

mx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.

dmx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).
benchmarks is consistent.

dge.admx/adml` that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer).
benchmarks is consistent.

x/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.

ienceVirtualization.admx/adml` that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer).
benchmarks is consistent.

/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.

ojection.admx/adml` that is only included with the Microsoft Windows Vista through the Windows 8.1 Update & Server 2012 R2 Update Administrative Tem

mx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
s cannot share files within their TITLE:Protect Info CCE-38070-9
benchmarks is consistent.

PresentationSettings.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.

erver.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.
d by Microsoft to _Remote Desktop Services_ starting with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates.
mx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.

mx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).
benchmarks is consistent.

.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.

I.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates and Microsoft Windows 8.1 & Server 2012
benchmarks is consistent.

dmx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.

duler.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.

mx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.

olorSystem.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.

en.admx/adml` that is included with the Microsoft Windows 10 Release 1703 Administrative Templates (or newer).
benchmarks is consistent.
benchmarks is consistent.
rting.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
dmx/adml` that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer).

as renamed by Microsoft to _Windows Hello for Business_ starting with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates.
adml` that is included with all versions of the Microsoft Windows Administrative Templates.
e - this is the default behavior. TITLE:Minimize An CCE-37490-0
benchmarks is consistent.

admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.

ail.admx/adml` that is only included with the Microsoft Windows Vista through the Windows 10 Release 1703 Administrative Templates.
benchmarks is consistent.

er.admx/adml` that is only included with the Microsoft Windows Vista through Windows 10 Release 1511 Administrative Templates.

ediaPlayer.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.

ediaPlayer.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
back.

ediaPlayer.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
es (or newer).

access for all accounts through a centralized point of authentication, for example Active Directory or LDAP. Configure network and security devices for cen

N:Ensure that all accounts have an expiration date that is monitored and enforced.;

access for all accounts through a centralized point of authentication, for example Active Directory or LDAP. Configure network and security devices for centralized authentication as well.;

Where multi-factor authentication is not supported, user accounts shall be required to use long passwords on the system (longer than 14 characters).;

DESCRIPTION:Configure screen locks on systems to limit access to unattended workstations.;

Ensure that only ports, protocols, and services with validated business needs are running on each system.;

DESCRIPTION:Enable anti-exploitation features such as Data Execution Prevention (DEP), Address Space Layout Randomization (ASLR), virtualization/containerization, etc. For increased protection, deploy capabilities such as Enhanced Mitigation Experience Toolkit (EMET) that can be configured to apply these protections to a broader set of applications and executables.;

DESCRIPTION:Limitation and Control of Network Ports, Protocols, and Services;

CONTROL:3 DESCRIPTION:Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers;

DESCRIPTION:Regularly monitor the use of all accounts, automatically logging off users after a standard period of inactivity.;

https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/

KB 3000483](https://support.microsoft.com/en-us/kb/3000483) security update and the Microsoft Windows 10 RTM (Release 1507) Administrative Templates

configurations (including all CIS-recommended EMET settings) before widespread deployment to your environment.

that date, nor troubleshoot new problems with it. They are instead recommending that servers be upgraded to Server 2016.

Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates, or by the Group Policy template `WindowsStore.admx/adml` that is included with the Microsoft Windows 10 Release 1511 Administrative Templates (or newer).

Administrative Templates, as well as the Microsoft Windows 10 RTM (Release 1507) and Windows 10 Release 1511 Administrative Templates.
section # | recommendation # | title | status | scoring status | description | rationale statement | remediation procedure

1 Account Policies accepted This section contains recommendations for account policies.

1.1 Password Policy accepted This section contains recommendations for password policy.

1.2 Account Lockout Policy accepted This section contains recommendations for account lockout policy.
2 Local Policies accepted This section contains recommendations for local policies.

2.1 Audit Policy accepted This section is intentionally blank and exists to ensure the structure of Windo

2.2 User Rights Assignment accepted This section contains recommendations for user rights assignments.

2.2 2.2.29 (L2) Ensure 'Log on accepted full
description: This policy setting allows accounts to log on using the task scheduler service The recommended state for this setting is: `Administrators`.
rationale statement: The **Log on as a b
remediation procedure: To establish the recommended configu
```
Computer Configuration\Windows Setti
```

2.3 Security Options accepted This section contains recommendations for security options.

2.3.1 Accounts accepted This section contains recommendations related to default accounts.

2.3.2 Audit accepted This section contains recommendations related to auditing controls.

2.3.3 DCOM accepted This section is intentionally blank and exists to ensure the structure of Windo

2.3.4 Devices accepted This section contains recommendations related to managing devices.

2.3.5 Domain controller accepted This section contains recommendations related to Domain Controllers.

2.3.6 Domain member accepted This section contains recommendations related to domain membership.

2.3.7 Interactive logon accepted This section contains recommendations related to interactive logons.

2.3.8 Microsoft network accepted This section contains recommendations related to configuring the Microsoft

2.3.9 Microsoft network accepted This section contains recommendations related to configuring the Microsoft

2.3.10 Network access accepted This section contains recommendations related to network access.

2.3.10 2.3.10.4 (L2) Ensure 'Netwo accepted full
description: This policy setting determines whether the Credential Manager (formerly called The recommended state for this setting is: `Enabled`.
rationale statement: Passwords that ar
remediation procedure: To establish the recommended configu
```
Computer Configuration\Policies\Windo
```
**Note:** Changes to this setting will not take effect until Windows is restarte

2.3.11 Network security accepted This section contains recommendations related to network security.

2.3.12 Recovery console accepted This section is intentionally blank and exists to ensure the structure of Windo

2.3.13 Shutdown accepted This section contains recommendations related to the Windows shutdown fu

2.3.14 System cryptogra accepted This section is intentionally blank and exists to ensure the structure of Windo

2.3.15 System objects accepted This section contains recommendations related to system objects.

2.3.16 System settings draft This section is intentionally blank and exists to ensure the structure of Windo

2.3.17 User Account Control accepted This section contains recommendations related to User Account Control.

3 Event Log accepted This section is intentionally blank and exists to ensure the structure of Windo

4 Restricted Groups accepted This section is intentionally blank and exists to ensure the structure of Windo

5 System Services accepted This section is intentionally blank and exists to ensure the structure of Windo

6 Registry accepted This section is intentionally blank and exists to ensure the structure of Windo

7 File System accepted This section is intentionally blank and exists to ensure the structure of Windo

8 Wired Network (IE accepted This section is intentionally blank and exists to ensure the structure of Windo

9 Windows Firewall accepted This section contains recommendations for configuring the Windows Firewa

9.1 Domain Profile accepted This section contains recommendations for the Domain Profile of the Windo

9.2 Private Profile accepted This section contains recommendations for the Private Profile of the Window

9.3 Public Profile accepted This section contains recommendations for the Public Profile of the Window

10 Network List Mana accepted This section is intentionally blank and exists to ensure the structure of Windo
11 Wireless Network accepted This section is intentionally blank and exists to ensure the structure of Windo

12 Public Key Policie accepted This section is intentionally blank and exists to ensure the structure of Windo

13 Software Restricti accepted This section is intentionally blank and exists to ensure the structure of Windo

14 Network Access Pr accepted This section is intentionally blank and exists to ensure the structure of Windo

15 Application Contro accepted This section is intentionally blank and exists to ensure the structure of Windo

16 IP Security Policie accepted This section is intentionally blank and exists to ensure the structure of Windo

17 Advanced Audit Po accepted This section contains recommendations for configuring the Windows audit fa

17.1 Account Logon accepted This section contains recommendations for configuring the Account Logon a

17.2 Account Management accepted This section contains recommendations for configuring the Account Manage

17.3 Detailed Tracking accepted This section contains recommendations for configuring the Detailed Tracking

17.4 DS Access accepted This section contains recommendations for configuring the Directory Service

17.5 Logon/Logoff accepted This section contains recommendations for configuring the Logon/Logoff aud

17.6 Object Access accepted This section contains recommendations for configuring the Object Access au

17.7 Policy Change accepted This section contains recommendations for configuring the Policy Change a

17.8 Privilege Use accepted This section contains recommendations for configuring the Privilege Use au

17.9 System accepted This section contains recommendations for configuring the System audit pol

18 Administrative Te accepted This section contains computer-based recommendations from Group Policy
18.1 Control Panel accepted This section contains recommendations for Control Panel settings. This Group Policy section is provided by the Group Policy template `Window

18.1.1 Personalization accepted This section contains recommendations for Control Panel personalization se This Group Policy section is provided by the Group Policy template `Control

18.2 LAPS accepted This section contains recommendations for configuring Microsoft Local Adm This Group Policy section is provided by the Group Policy template `AdmPw

18.3 MS Security Guid accepted This section contains settings for configuring additional settings from the MS This Group Policy section is provided by the Group Policy template `SecGui

18.4 MSS (Legacy) accepted This section contains recommendations for the Microsoft Solutions for Secu This Group Policy section is provided by the Group Policy template `MSS-le

18.4 18.4.5 (L2) Ensure 'MSS: accepted full
description: This value controls how often TCP attempts to verify that an idle connection The recommended state for this setting is: `Enabled: 300,000 or 5 minutes (
rationale statement: An attacker who is
remediation procedure: To establish the recommended configu
```
Computer Configuration\Policies\Admin
```
**Note:** This Group Policy path does

18.4 18.4.7 (L2) Ensure 'MSS: accepted full
description: This setting is used to enable or disable the Internet Router Discovery Proto The recommended state for this setting is: `Disabled`.
rationale statement: An attacker who h
remediation procedure: To establish the recommended configu
```
Computer Configuration\Policies\Admin
```
**Note:** This Group Policy path does

18.4 18.4.10 (L2) Ensure 'MSS: accepted full
description: This setting controls the number of times that TCP retransmits an individual The recommended state for this setting is: `Enabled: 3`.
rationale statement: A malicious user c
remediation procedure: To establish the recommended configu
```
Computer Configuration\Policies\Admin
```
**Note:** This Group Policy path does

18.4 18.4.11 (L2) Ensure 'MSS: accepted full
description: This setting controls the number of times that TCP retransmits an individual The recommended state for this setting is: `Enabled: 3`.
rationale statement: A malicious user c
remediation procedure: To establish the recommended configu
```
Computer Configuration\Policies\Admin
```
**Note:** This Group Policy path does

18.5 Network accepted This section contains recommendations for network settings.
This Group Policy section is provided by the Group Policy template `Window

18.5.1 Background Intelli accepted This section is intentionally blank and exists to ensure the structure of Windo This Group Policy section is provided by the Group Policy template `Bits.adm

18.5.2 BranchCache accepted This section is intentionally blank and exists to ensure the structure of Windo This Group Policy section is provided by the Group Policy template `PeerTo

18.5.3 DirectAccess Clie accepted This section is intentionally blank and exists to ensure the structure of Windo This Group Policy section is provided by the Group Policy template `nca.adm

18.5.4 DNS Client accepted This section contains recommendations related to DNS Client. This Group Policy section is provided by the Group Policy template `DnsClie

18.5.5 Fonts draft This section is intentionally blank and exists to ensure the structure of Windo This Group Policy section is provided by the Group Policy template `GroupP

18.5.6 Hotspot Authentic accepted This section is intentionally blank and exists to ensure the structure of Windo This Group Policy section is provided by the Group Policy template `hotspot

18.5.7 Lanman Server accepted This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `Lanman
18.5.8 Lanman Workstati draft This section is intentionally blank and exists to ensure the structure of Windo This Group Policy section is provided by the Group Policy template `Lanman

18.5.9 Link-Layer Topolo accepted This section contains recommendations for Link-Layer Topology Discovery This Group Policy section is provided by the Group Policy template `LinkLay

18.5.9 18.5.9.1 (L2) Ensure 'Turn accepted full
description: This policy setting changes the operational behavior of the Mapper I/O netw The recommended state for this setting is: `Disabled`.
rationale statement: LLTDIO allows a computer to discover the topology of a network it's connect To help protect fr
remediation procedure: To establish the recommended configu
```
Computer Configuration\Policies\Admin
```
**Note:** This Group Policy path is pro

18.5.9 18.5.9.2 (L2) Ensure 'Turn accepted full
description: This policy setting changes the operational behavior of the Responder netwo The recommended state for this setting is: `Disabled`.
rationale statement: The Responder allows a computer to participate in Link Layer Topology Disc To help protect fr
remediation procedure: To establish the recommended configu
```
Computer Configuration\Policies\Admin
```
**Note:** This Group Policy path is pro

18.5.10 Microsoft Peer-to accepted This section contains recommendations for Microsoft Peer-to-Peer Networki This Group Policy section is provided by the Group Policy template `P2P-pn

18.5.10 18.5.10. (L2) Ensure 'Turn accepted full
description: The Peer Name Resolution Protocol (PNRP) allows for distributed resolution Peer-to-Peer protocols allow for applications in the areas of RTC, collaborat The recommended state for this setting is: `Enabled`.
rationale statement: This setting enhan
remediation procedure: To establish the recommended configu
```
Computer Configuration\Policies\Admin
```
**Note:** This Group Policy path is pro

18.5.10.1 Peer Name Resolut accepted This section is intentionally blank and exists to ensure the structure of Windo This Group Policy section is provided by the Group Policy template `P2P-pn

18.5.11 Network Connecti accepted This section contains recommendations for Network Connections settings. This Group Policy section is provided by the Group Policy template `Network

18.5.11.1 Windows Defender accepted This section is intentionally blank and exists to ensure the structure of Windo This Group Policy section is provided by the Group Policy template `Window **Note:** This section was initially named _Windows Firewall_ but was rena

18.5.12 Network Connectivi accepted This section is intentionally blank and exists to ensure the structure of Windo This Group Policy section is provided by the Group Policy template `NCSI.a

18.5.13 Network Isolation accepted This section is intentionally blank and exists to ensure the structure of Windo This Group Policy section is provided by the Group Policy template `Network

18.5.14 Network Provider accepted This section contains recommendations for Network Provider settings. This Group Policy section is provided by the Group Policy template `Network

18.5.15 Offline Files accepted This section is intentionally blank and exists to ensure the structure of Windo This Group Policy section is provided by the Group Policy template `OfflineF

18.5.16 QoS Packet Sched accepted This section is intentionally blank and exists to ensure the structure of Windo This Group Policy section is provided by the Group Policy template `QOS.ad

18.5.17 SNMP accepted This section is intentionally blank and exists to ensure the structure of Windo This Group Policy section is provided by the Group Policy template `Snmp.a

18.5.18 SSL Configuration accepted This section is intentionally blank and exists to ensure the structure of Windo This Group Policy section is provided by the Group Policy template `CipherS

18.5.19 TCPIP Settings accepted This section contains TCP/IP configuration settings. This Group Policy section is provided by the Group Policy template `tcpip.ad

18.5.19.1 IPv6 Transition T accepted This section is intentionally blank and exists to ensure the structure of Windo This Group Policy section is provided by the Group Policy template `tcpip.ad

18.5.19.2 Parameters accepted This section contains TCP/IP parameter configuration settings.
This Group Policy section is provided by the Group Policy template `tcpip.ad

18.5.19. 18.5.19.2 (L2) Disable IPv6 accepted full
description: Internet Protocol version 6 (IPv6) is a set of protocols that computers use to The recommended state for this setting is: `DisabledComponents - 0xff (255
rationale statement: Since the vast maj
remediation procedure: To establish the recommended configu
```
HKEY_LOCAL_MACHINE\SYSTEM\C
```
**Note:** This change does not take ef
**Note #2:** Although Microsoft does n

18.5.20 Windows Connect accepted This section contains recommendations for Windows Connect Now settings. This Group Policy section is provided by the Group Policy template `Window

18.5.20 18.5.20. (L2) Ensure 'Confi accepted full
description: This policy setting allows the configuration of wireless settings using Window The recommended state for this setting is: `Disabled`.
rationale statement: This setting enhan
remediation procedure: To establish the recommended configu
```
Computer Configuration\Policies\Admin
```
**Note:** This Group Policy path is pro

18.5.20 18.5.20. (L2) Ensure 'Prohi accepted full
description: This policy setting prohibits access to Windows Connect Now (WCN) wizard The recommended state for this setting is: `Enabled`.
rationale statement: Allowing standard
remediation procedure: To establish the recommended configu
```
Computer Configuration\Policies\Admin
```
**Note:** This Group Policy path may n

18.5.21 Windows Connect accepted This section contains recommendations for Windows Connection Manager settings This Group Policy section is provided by the Group Policy template `WCM.a
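The MSS rows above (18.4.5, 18.4.7, 18.4.10, 18.4.11) and the IPv6 row (18.5.19.2.1) all come down to a single DWORD under the TCP/IP service keys, which makes them easy to audit and correct outside Group Policy. The PowerShell below is an added example, not part of this CIS export or of CIS-CAT: it reads each value, compares it with the recommended state printed in the sheet, and, with `-Fix`, writes the recommended value. The registry paths and value names it uses (`Tcpip\Parameters`, `Tcpip6\Parameters`, `KeepAliveTime`, `PerformRouterDiscovery`, `TcpMaxDataRetransmissions`, `DisabledComponents`) are assumptions, since the sheet truncates the remediation text after `HKEY_LOCAL_MACHINE\SYSTEM\C`; the file name `Audit-Mss.ps1` in the usage note is likewise hypothetical.

```powershell
<#
Added example (not part of the CIS export above): audits the registry values
behind the MSS rows (18.4.5, 18.4.7, 18.4.10, 18.4.11) and the IPv6 row
(18.5.19.2.1) and reports PASS/FAIL per row; with -Fix it writes the
recommended value. Assumptions, because the sheet truncates them: the MSS
values are DWORDs under HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
(Tcpip6\Parameters for the IPv6 retransmission count), and DisabledComponents
is a DWORD under Tcpip6\Parameters.
#>
param([switch]$Fix)

$tcp4 = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$tcp6 = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'

# Expected values taken from the sheet: 300,000 ms (5 minutes), Disabled (0),
# 3 retransmissions on both stacks, DisabledComponents 0xff (255).
$checks = @(
    @{ Id = '18.4.5';      Key = $tcp4; Name = 'KeepAliveTime';             Expected = 300000 },
    @{ Id = '18.4.7';      Key = $tcp4; Name = 'PerformRouterDiscovery';    Expected = 0 },
    @{ Id = '18.4.10';     Key = $tcp4; Name = 'TcpMaxDataRetransmissions'; Expected = 3 },
    @{ Id = '18.4.11';     Key = $tcp6; Name = 'TcpMaxDataRetransmissions'; Expected = 3 },
    @{ Id = '18.5.19.2.1'; Key = $tcp6; Name = 'DisabledComponents';        Expected = 0xff }
)

function Test-BenchmarkValue {
    param([hashtable]$Check)
    $item = Get-ItemProperty -Path $Check.Key -Name $Check.Name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # Absent value: Windows uses its built-in default, which is not the
        # benchmark value for any of these rows, so report it as a finding.
        $actual = '<not set>'
        $result = 'FAIL'
    } else {
        $actual = [int64]$item.($Check.Name)
        $result = if ($actual -eq $Check.Expected) { 'PASS' } else { 'FAIL' }
    }
    [pscustomobject]@{
        Id       = $Check.Id
        Key      = $Check.Key
        Name     = $Check.Name
        Expected = $Check.Expected
        Actual   = $actual
        Result   = $result
    }
}

$results = foreach ($c in $checks) { Test-BenchmarkValue -Check $c }
$results | Format-Table Id, Name, Expected, Actual, Result -AutoSize

if ($Fix) {
    # Writing HKLM needs an elevated shell. DisabledComponents only takes
    # effect after a reboot (the sheet's note on 18.5.19.2.1), and Group Policy
    # re-applies the MSS values on its next refresh, so on a domain-managed
    # machine change the GPO rather than the registry.
    foreach ($r in $results | Where-Object { $_.Result -eq 'FAIL' }) {
        New-ItemProperty -Path $r.Key -Name $r.Name -PropertyType DWord `
            -Value $r.Expected -Force | Out-Null
        Write-Host ("Set {0}\{1} = {2} ({3})" -f $r.Key, $r.Name, $r.Expected, $r.Id)
    }
}
```

Run `.\Audit-Mss.ps1` from any PowerShell session to get the PASS/FAIL table, and `.\Audit-Mss.ps1 -Fix` from an elevated session to write the recommended values. A value that is absent is reported as FAIL on purpose: for every row here the Windows default differs from the benchmark value, so "not configured" is a finding, not a pass.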
18.6 Printers accepted This section is intentionally blank and exists to ensure the structure of Windo This Group Policy section is provided by the Group Policy template `Window

18.7 Start Menu and T accepted This section is intentionally blank and exists to ensure the structure of Windo This Group Policy section is provided by the Group Policy template `Window

18.8 System accepted This section contains recommendations for System settings. This Group Policy section is provided by the Group Policy template `Window

18.8.1 Access-Denied As accepted This section is intentionally blank and exists to ensure the structure of Windo This Group Policy section is provided by the Group Policy template `srm-fci.

18.8.2 App-V accepted This section is intentionally blank and exists to ensure the structure of Windo This Group Policy section is provided by the Group Policy template `appv.ad

18.8.3 Audit Process Cre accepted This section contains settings related to auditing of process creation events. This Group Policy section is provided by the Group Policy template `AuditSe

18.8.4 Credentials Deleg accepted This section contains settings related to Credential Delegation. This Group Policy section is provided by the Group Policy template `CredSs

18.8.5 Device Guard accepted This section is intentionally blank and exists to ensure the structure of Windo This Group Policy section is provided by the Group Policy template `DeviceG

18.8.6 Device Health Atte accepted This section is intentionally blank and exists to ensure the structure of Windo This Group Policy section is provided by the Group Policy template `TPM.ad

18.8.7 Device Installation draft This section is intentionally blank and exists to ensure the structure of Windo This Group Policy section is provided by the Group Policy template `DeviceI

18.8.8 Device Redirectio accepted This section is intentionally blank and exists to ensure the structure of Windo This Group Policy section is provided by the Group Policy template `DeviceR

18.8.9 Disk NV Cache accepted This section is intentionally blank and exists to ensure the structure of Windo This Group Policy section is provided by the Group Policy template `DiskNV

18.8.10 Disk Quotas accepted This section is intentionally blank and exists to ensure the structure of Windo This Group Policy section is provided by the Group Policy template `DiskQu

18.8.11 Display accepted This section is intentionally blank and exists to ensure the structure of Windo This Group Policy section is provided by the Group Policy template `Display

18.8.12 Distributed COM accepted This section is intentionally blank and exists to ensure the structure of Windo This Group Policy section is provided by the Group Policy template `DCOM.

18.8.13 Driver Installation accepted This section is intentionally blank and exists to ensure the structure of Windo This Group Policy section is provided by the Group Policy template `DeviceI

18.8.14 Early Launch Anti accepted This section contains recommendations for configuring boot-start driver initia This Group Policy section is provided by the Group Policy template `EarlyLa

18.8.15 Enhanced Storage accepted This section is intentionally blank and exists to ensure the structure of Windo This Group Policy section is provided by the Group Policy template `Enhanc

18.8.16 File Classification accepted This section is intentionally blank and exists to ensure the structure of Windo This Group Policy section is provided by the Group Policy template `srm-fci.

18.8.17 File Share Shado accepted This section is intentionally blank and exists to ensure the structure of Windo This Group Policy section is provided by the Group Policy template `FileServ

18.8.18 File Share Shado accepted This section is intentionally blank and exists to ensure the structure of Windo This Group Policy section is provided by the Group Policy templates `FileSe

18.8.19 Filesystem (forme accepted This section is intentionally blank and exists to ensure the structure of Windo This Group Policy section is provided by the Group Policy template `FileSys **Note:** This section was initially named _NTFS Filesystem_ but was renam

18.8.20 Folder Redirection accepted This section is intentionally blank and exists to ensure the structure of Windo This Group Policy section is provided by the Group Policy template `FolderR

18.8.21 Group Policy accepted This section contains recommendations for configuring group policy-related This Group Policy section is provided by the Group Policy template `GroupP

18.8.21.1 Logging and traci accepted This section is intentionally blank and exists to ensure the structure of Windo This Group Policy section is provided by the Group Policy template `GroupPM

18.8.22 Internet Communi accepted This section contains recommendations related to Internet Communication
This Group Policy section is provided by the Group Policy template `Window

18.8.22.1 Internet Communic accepted This section contains recommendations related to Internet Communication This Group Policy section is provided by the Group Policy template `Window

18.8.22. 18.8.22.1 (L2) Ensure 'Turn o accepted full
description: This setting turns off data sharing from the handwriting recognition personal The handwriting recognition personalization tool enables Tablet PC users to The recommended state for this setting is: `Enabled`.
rationale statement: A person's handwri
remediation procedure: To establish the recommended configu
```
Computer Configuration\Policies\Admin
```
**Note:** This Group Policy path may n

18.8.22. 18.8.22.1 (L2) Ensure 'Turn o accepted full
description: Turns off the handwriting recognition error reporting tool. The handwriting recognition error reporting tool enables users to report error The recommended state for this setting is: `Enabled`.
rationale statement: A person's handwri
remediation procedure: To establish the recommended configu
```
Computer Configuration\Policies\Admin
```
**Note:** This Group Policy path is pro

18.8.22. 18.8.22.1 (L2) Ensure 'Turn accepted full
description: This policy setting specifies whether the Internet Connection Wizard can con The recommended state for this setting is: `Enabled`.
rationale statement: In an enterprise m
remediation procedure: To establish the recommended configu
```
Computer Configuration\Policies\Admin
```
**Note:** This Group Policy path is pro

18.8.22. 18.8.22.1 (L2) Ensure 'Turn o accepted full
description: This policy setting specifies whether the Windows Registration Wizard conn The recommended state for this setting is: `Enabled`.
rationale statement: Users in an enterp
remediation procedure: To establish the recommended configu
```
Computer Configuration\Policies\Admin
```
**Note:** This Group Policy path is pro

18.8.22. 18.8.22.1 (L2) Ensure 'Turn accepted full
description: This policy setting specifies whether Search Companion should automatical The recommended state for this setting is: `Enabled`.
rationale statement: There is a small r
remediation procedure: To establish the recommended configu
```
Computer Configuration\Policies\Admin
```
**Note:** This Group Policy path is pro

18.8.22. 18.8.22.1 (L2) Ensure 'Turn o accepted full
description: This policy setting specifies whether the "Order Prints Online" task is availab The Order Prints Online Wizard is used to download a list of providers and a The recommended state for this setting is: `Enabled`.
rationale statement: In an enterprise m
remediation procedure: To establish the recommended configu
```
Computer Configuration\Policies\Admin
```
**Note:** This Group Policy path is pro

18.8.22. 18.8.22. (L2) Ensure 'Turn o accepted full
description: This policy setting specifies whether the tasks Publish this file to the Web, P The recommended state for this setting is: `Enabled`.
rationale statement: Users may publish c
remediation procedure: To establish the recommended configu
```
Computer Configuration\Policies\Admin
```
**Note:** This Group Policy path is pro

18.8.22. 18.8.22. (L2) Ensure 'Turn accepted full
description: This policy setting specifies whether Windows Messenger can collect anony The recommended state for this setting is: `Enabled`.
rationale statement: Large enterprise
remediation procedure: To establish the recommended configu
```
Computer Configuration\Policies\Admin
```
**Note:** This Group Policy path is pro

18.8.22. 18.8.22. (L2) Ensure 'Turn accepted full
description: This policy setting specifies whether Windows Messenger can collect anony Microsoft uses information collected through the Windows Customer Experie The recommended state for this setting is: `Enabled`.
rationale statement: Large enterprise
remediation procedure: To establish the recommended configu
```
Computer Configuration\Policies\Admin
```
**Note:** This Group Policy path is pro

18.8.22. 18.8.22. (L2) Ensure 'Turn accepted full
description: This policy setting controls whether or not errors are reported to Microsoft. Error Reporting is used to report information about a system or application th The recommended state for this setting is: `Enabled`.
rationale statement: If a Windows Error
remediation procedure: To establish the recommended configu
```
Computer Configuration\Policies\Admin
```
**Note:** This Group Policy path is pro

18.8.23 iSCSI accepted This section is intentionally blank and exists to ensure the structure of Windo This Group Policy section is provided by the Group Policy template `iSCSI.a
18.8.24 KDC accepted
This Group
sectionPolicy section isblank
is intentionally provided
and by the to
exists Group Policy
ensure the template
structure `KDC.ad
of Windo
18.8.25 Kerberos draft
This Group
sectionPolicy section
contains is providedTo
recommendations byestablish
theLocale
for Groupthe
Policy
Servicestemplate `Kerbero
settings.
recommended configu
18.8.26 Locale Services accepted
Group prevents
This policy Policy section is provided
automatic copying byofthe
``` Group
user inputPolicy template
methods to the`Globaliz
system
18.8.26 18.8.26. (L2) Ensure 'Disal acceptedfull This is a way to i Computer Configuration\Policies\Admin
The recommended
This state
section contains for this setting
recommendations ``` is: `Enabled`.
related to the logon process and loc
18.8.27 Logon accepted
Group Policy
This section section isblank
is intentionally and**Note:**
provided by the to
exists This
Group Group
Policy
ensure Policy path
the template
structure of may n
`Logon.a
Windo
18.8.28 Mitigation Options draft
This Group Policy section is provided by the Group Policy template `GroupP
This section is intentionally blank and exists to ensure the structure of Windo
18.8.29 Net Logon accepted
This section
Group Policy
is intentionally
section isblank
provided
and by
exists
the to
Group
ensure
Policy
the template
structure `Netlogo
of Windo
18.8.30 OS Policies accepted
This section
Group Policy
is intentionally
section isblank
provided
and by
exists
the to
Group
ensure
Policy
the template
structure `OSPolic
of Windo
18.8.31 Performance Contraccepted
This section
Group Policy
is intentionally
section isblank
provided
and by
exists
the to
Group
ensure
Policy
the template
structure `PerfCen
of Windo
18.8.32 PIN Complexity accepted
This section
Group Policy
contains
section
recommendations
is provided by for
thePower
GroupManagement
Policy template
settings.
`Passpo
18.8.33 Power Managemeaccepted
Group Policy
This section section isblank
is intentionally provided
and by the to
exists Group Policy
ensure the template
structure `Power.a
of Windo
18.8.33.1 Button Settings accepted
Group Policy
This section section isblank
is intentionally provided
and by the to
exists Group Policy
ensure the template
structure `Power.a
of Windo
18.8.33.2 Energy Saver Settaccepted
Group Policy
This section section isblank
is intentionally provided
and by the to
exists Group Policy
ensure the template
structure `Power.a
of Windo
18.8.33.3 Hard Disk Setting accepted
Group Policy
This section section isblank
is intentionally provided
and by the to
exists Group Policy
ensure the template
structure `Power.a
of Windo
18.8.33.4 Notification Settin accepted
Group Policy
This section section isblank
is intentionally provided
and by the to
exists Group Policy
ensure the template
structure `Power.a
of Windo
18.8.33.5 Power Throttling Saccepted
Group Policy
This section section
contains is provided by related
recommendations the Group PolicyManagement
to Power template `Power.a
Slee
18.8.33.6 Sleep Settings accepted
Group Policy
This section section isblank
is intentionally provided
and by the to
exists Group Policy
ensure the template
structure `Power.a
of Windo
18.8.34 Recovery accepted
Group Policy
This section section
contains is provided by related
recommendations the Group Policy template
to Remote `ReAgen
Assistance.
18.8.35 Remote Assistanc accepted
Group Policy
This section section
contains is provided by related
recommendations the Group Policy template
to Remote `Remote
Procedure Call.
18.8.36 Remote Procedureaccepted
Group Policy
This section section isblank
is intentionally provided
and by the to
exists Group Policy
ensure the template
structure `RPC.ad
of Windo
18.8.37 Removable Storagaccepted
Group Policy
This section section isblank
is intentionally provided
and by the to
exists Group Policy
ensure the template
structure `Remova
of Windo
18.8.38 Scripts accepted
Group Policy
This section section isblank
is intentionally provided
and by the to
exists Group Policy
ensure the template
structure `Scripts.
of Windo
18.8.39 Server Manager accepted
Group Policy
This section section isblank
is intentionally provided
and by the to
exists Group Policy
ensure the template
structure `ServerM
of Windo
18.8.40 Shutdown accepted
Group Policy
This section section isblank
is intentionally provided
and by the to
exists Group Policy
ensure the template
structure `WinInit.
of Windo
18.8.41 Shutdown Optionsaccepted
Group Policy
This section section isblank
is intentionally provided
and by the to
exists Group Policy
ensure the template
structure `Winsrv.
of Windo
18.8.42 Storage Health accepted
Group Policy
This section section isblank
is intentionally provided
and by the to
exists Group Policy
ensure the template
structure `Storage
of Windo
18.8.43 System Restore accepted
Group Policy
This section section
contains is provided by related
recommendations the Group Policy template and
to Troubleshooting `System
Diag
18.8.44 Troubleshooting a accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `Window
18.8.44.1 Application Compat accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `pca.adm
18.8.44.2 Corrupted File Re accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `FileRec
18.8.44.3 Disk Diagnostic accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `DiskDia
18.8.44.4 Fault Tolerant He accepted
This section contains recommendations related to the Microsoft Support Dia
This Group Policy section is provided by the Group Policy template `fthsvc.a
To establish the recommended configu
18.8.44.5 Microsoft Support accepted
This policy setting configures Microsoft Support Diagnostic Tool (MSDT) inte
This Group Policy section is provided by the Group Policy template `MSDT.a
18.8.44. 18.8.44.5 (L2) Ensure 'Micro accepted full Due to privacy con Computer Configuration\Policies\Admin
The recommended state for this setting is: `Disabled`.
This section is intentionally blank and exists to ensure the structure of Windo
18.8.44.6 MSI Corrupted Fil accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `Msi-File
**Note:** This Group Policy path may n
18.8.44.7 Scheduled Mainte accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `sdiagsc
18.8.44.8 Scripted Diagnost accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `sdiagen
18.8.44.9 Windows Boot Per accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `Perform
18.8.44.10 Windows Memory accepted
This section contains recommendations related to Windows Performance Pe
This Group Policy section is provided by the Group Policy template `LeakDia
18.8.44.11 Windows Performa accepted
This Group Policy section is provided by the Group Policy template `Perform
To establish the recommended configu
This policy setting specifies whether to enable or disable tracking of respons
18.8.44. 18.8.44. (L2) Ensure 'Enabl accepted full When enabled the a Computer Configuration\Policies\Admin
The recommended state for this setting is: `Disabled`.
This section is intentionally blank and exists to ensure the structure of Windo
18.8.45 Trusted Platform accepted
This section contains recommendations related to User Profiles.
This Group Policy section is provided by the Group Policy template `TPM.ad
**Note:** This Group Policy path may n
To establish the recommended configu
18.8.46 User Profiles accepted
This policy setting turns off the advertising ID, preventing apps from using th
This Group Policy section is provided by the Group Policy template `UserPro
18.8.46 18.8.46. (L2) Ensure 'Turn o accepted full Tracking user acti Computer Configuration\Policies\Admin
The recommended state for this setting is: `Enabled`.
This section is intentionally blank and exists to ensure the structure of Windo
18.8.47 Windows File Prot accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `Window
**Note:** This Group Policy path may n
18.8.48 Windows HotStart accepted
This section contains recommendations related to the Windows Time Servic
This Group Policy section is provided by the Group Policy template `HotStar
18.8.49 Windows Time Ser accepted
This section contains recommendations related to Time Providers.
This Group Policy section is provided by the Group Policy template `W32Tim
To establish the recommended configu
18.8.49.1 Time Providers accepted
This policy setting specifies whether the Windows NTP Client is enabled. En
This Group Policy section is provided by the Group Policy template `W32Tim
18.8.49. 18.8.49.1 (L2) Ensure 'Enabl accepted full A reliable and acc Computer Configuration\Policies\Admin
The recommended state for this setting is: `Enabled`.
This section contains recommendations for Windows Component settings.
18.9 Windows Compon accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `Window
**Note:** This Group Policy path is pro
18.9.1 Active Directory F accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `adfs.ad
18.9.2 ActiveX Installer accepted This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `ActiveX
18.9.3 Add features to W accepted This Group Policy section is provided by the Group Policy template `Window
This section is intentionally blank and exists to ensure the structure of Windo
18.9.4 App Package Dep draft **Note:** This section was initially named _Windows Anytime Upgrade_ but
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `AppxPa
18.9.5 App Privacy accepted
This section contains recommendations for App runtime settings.
This Group Policy section is provided by the Group Policy template `AppPriv
18.9.6 App runtime accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `AppXRu
18.9.7 Application Compat accepted
This section contains recommendations for AutoPlay policies.
This Group Policy section is provided by the Group Policy template `AppCom
18.9.8 AutoPlay Policies accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `AutoPla
18.9.9 Backup accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `UserDa
18.9.10 Biometrics draft
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `Biometr
18.9.11 BitLocker Drive En accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `Volume
18.9.12 Camera draft
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `Camera
18.9.13 Cloud Content draft
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `CloudC
18.9.14 Connect draft
This section contains recommendations related to the Credential User Interf
This Group Policy section is provided by the Group Policy template `Wireles
18.9.15 Credential User In accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `CredUI.
18.9.16 Data Collection a draft
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `Window
18.9.17 Delivery Optimizat accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `Delivery
18.9.18 Desktop Gadgets draft
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `Sidebar
18.9.19 Desktop Window accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `DWM.a
18.9.20 Device and Driver accepted This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `DeviceC
18.9.21 Device Registratio accepted This Group Policy section is provided by the Group Policy template `Workpla
This section is intentionally blank and exists to ensure the structure of Windo
This section contains recommendations for configuring Microsoft Enhanced
18.9.22 Digital Locker accepted **Note:** This section was initially named _Workplace Join_ but was rename
This Group Policy section is provided by the Group Policy template `DigitalL
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `EMET.a
18.9.23 Edge UI accepted
This Group Policy section is provided by the Group Policy template `EdgeUI
EMET is free and supported security software developed by Microsoft that a
18.9.24 EMET accepted
**Note:** Although EMET is quite effective at enhancing exploit protection on

**Note #2:** EMET has been reported to be very problematic on 32-bit OSes

**Note #3:** Microsoft has announced that EMET will be End-Of-Life (EOL)
This section is intentionally blank and exists to ensure the structure of Windo
18.9.25 Event Forwarding accepted
This section contains recommendations for configuring the Event Log Servic
This Group Policy section is provided by the Group Policy template `EventFo
18.9.26 Event Log Service accepted
This section contains recommendations for configuring the Application Even
This Group Policy section is provided by the Group Policy template `EventLo
18.9.26.1 Application accepted
This section contains recommendations for configuring the Security Event L
This Group Policy section is provided by the Group Policy template `EventLo
18.9.26.2 Security accepted
This section contains recommendations for configuring the Setup Event Log
This Group Policy section is provided by the Group Policy template `EventLo
18.9.26.3 Setup accepted
This section contains recommendations for configuring the System Event Lo
This Group Policy section is provided by the Group Policy template `EventLo
18.9.26.4 System accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `EventLo
18.9.27 Event Logging accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `EventLo
18.9.28 Event Viewer accepted This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `EventV
18.9.29 Family Safety (for accepted
This section contains recommendations to control the availability of options
This Group Policy section is provided by the Group Policy template `Parenta
18.9.30 File Explorer (for accepted **Note:** This section was initially named _Parental Controls_ but was renam
This Group Policy section is provided by the Group Policy template `Window
This section is intentionally blank and exists to ensure the structure of Windo
18.9.30.1 Previous Versions accepted **Note:** This section was initially named _Windows Explorer_ but was rena
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `Previou
18.9.31 File History accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `FileHist
18.9.32 Find My Device accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `FindMy
18.9.33 Game Explorer accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `GameE
18.9.34 Handwriting accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `Handwr
18.9.35 HomeGroup accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `Sharing
18.9.36 Import Video accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `Capture
18.9.37 Internet Explorer accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `InetRes
18.9.38 Internet Informati accepted
This section contains settings for Locations and Sensors.
This Group Policy section is provided by the Group Policy template `IIS.adm
To establish the recommended configu
18.9.39 Location and Sens accepted
This policy setting turns off the location feature for the computer.
This Group Policy section is provided by the Group Policy template `Sensors
18.9.39 18.9.39. (L2) Ensure 'Turn o accepted full This setting affec Computer Configuration\Policies\Admin
The recommended state for this setting is: `Enabled`.
This section contains settings for Windows Location Provider.
To establish the recommended configu
18.9.39.1 Windows Location accepted
This policy setting turns off the Windows Location Provider feature for the co
This Group Policy section is provided by the Group Policy template `Locatio
**Note:** This Group Policy path may n
18.9.39. 18.9.39.1 (L2) Ensure 'Turn accepted full This setting affec Computer Configuration\Policies\Admin
The recommended state for this setting is: `Enabled`.
This section is intentionally blank and exists to ensure the structure of Windo
18.9.40 Maintenance Sche accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `mschedn
**Note:** This Group Policy path may
18.9.41 Maps accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `WinMap
18.9.42 MDM accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `MDM.a
18.9.43 Messaging accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `Messag
18.9.44 Microsoft account draft
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `MSAPo
18.9.45 Microsoft Edge accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `Microso
18.9.46 Microsoft FIDO Au accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `FidoAut
18.9.47 Microsoft Seconda accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `DeviceC
18.9.48 Microsoft User Exp accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `UserEx
18.9.49 NetMeeting accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `Conf.ad
18.9.50 Network Access Pr accepted
This Group Policy section is provided by the Group Policy template `NAPXP
This section is intentionally blank and exists to ensure the structure of Windo
18.9.51 Network Projector accepted This section contains recommendations related to OneDrive.
This Group Policy section is provided by the Group Policy template `Network
18.9.52 OneDrive (formerl accepted The Group Policy settings contained within this section are provided by the G
This section is intentionally blank and exists to ensure the structure of Windo
18.9.53 Online Assistance accepted **Note:** This section was initially named _SkyDrive_ but was renamed by M
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `HelpAn
18.9.54 Password Synchro accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `PswdSy
18.9.55 Portable Operatin accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `Externa
18.9.56 Presentation Setti accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `MobileP
18.9.57 Push To Install accepted This section contains recommendations related to Remote Desktop Services
This Group Policy section is provided by the Group Policy template `PushTo
18.9.58 Remote Desktop Se accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `Termina

18.9.58.1 RD Licensing (for accepted **Note:** This section was initially named _Terminal Services_ but was rena
This Group Policy section is provided by the Group Policy template `Termina
This section contains recommendations for the Remote Desktop Connection
18.9.58.2 Remote Desktop Caccepted **Note:** This section was initially named _TS Licensing_ but was renamed
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `Termina
18.9.58.2.1 RemoteFX USB Dev accepted This section contains recommendations for the Remote Desktop Session Ho
This Group Policy section is provided by the Group Policy template `Termina
18.9.58.3 Remote Desktop Se accepted This Group Policy section is provided by the Group Policy template `Termina
This section is intentionally blank and exists to ensure the structure of Windo
18.9.58.3.1 Application Compat accepted **Note:** This section was initially named _Terminal Server_ but was renam
To establish the recommended configu
This section contains recommendations for Connections to the Remote Des
This Group Policy section is provided by the Group Policy template `Termina
18.9.58.3.2 Connections accepted
This policy setting allows you to restrict users to a single Remote Desktop S
This Group Policy section is provided by the Group Policy template `Termina
18.9.58.3 18.9.58.3 (L2) Ensure 'Restr accepted full This setting ensur Computer Configuration\Policies\Admin
The recommended state for this setting is: `Enabled`.
This section contains recommendations related to the Remote Desktop Session
To establish the recommended configu
18.9.58.3.3 Device and Resour accepted **Note:** This Group Policy path is pro
This policy setting specifies whether to prevent the redirection of data to clie
This Group Policy section is provided by the Group Policy template `Termina
To establish the recommended configu
18.9.58.3 18.9.58.3 (L2) Ensure 'Do no accepted full In a more security Computer Configuration\Policies\Admin
**Note #2:** In older Microsoft Window
The recommended state for this setting is: `Enabled`.
This policy setting specifies whether to prevent the redirection of data to clie
To establish the recommended configu
18.9.58.3 18.9.58.3 (L2) Ensure 'Do not accepted full In a more security Computer Configuration\Policies\Admin
The recommended state for this setting is: `Enabled`.
This policy setting allows you to control the redirection of supported Plug an
**Note:** This Group Policy path is pro
18.9.58.3 18.9.58.3 (L2) Ensure 'Do no accepted full In a more security Computer Configuration\Policies\Admin
The recommended state for this setting is: `Enabled`.
**Note:** This Group Policy path is pro
This section is intentionally blank and exists to ensure the structure of Windo
18.9.58.3.4 Licensing accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `Termina
**Note:** This Group Policy path is pro
18.9.58.3.5 Printer Redirectio accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `Termina
18.9.58.3.6 Profiles accepted This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `Termina
18.9.58.3.7 RD Connection Bro accepted This Group Policy section is provided by the Group Policy template `Termina
This section is intentionally blank and exists to ensure the structure of Windo
18.9.58.3.8 Remote Session E accepted **Note:** This section was initially named _TS Connection Broker_ but was
This section contains recommendations related to Remote Desktop Session
This Group Policy section is provided by the Group Policy template `Termina
18.9.58.3.9 Security accepted To establish the recommended configu
This section contains recommendations related to Remote Desktop Session
This Group Policy section is provided by the Group Policy template `Termina
18.9.58.3.10 Session Time Limi accepted
This policy setting allows you to specify the maximum amount of time that an
This Group Policy section is provided by the Group Policy template `Termina
To establish the recommended configu
18.9.58. 18.9.58.3 (L2) Ensure 'Set t accepted full This setting helps Computer Configuration\Policies\Admin
The recommended state for this setting is: `Enabled: 15 minutes or less`.
This policy setting allows you to configure a time limit for disconnected Rem
18.9.58. 18.9.58.3 (L2) Ensure 'Set ti accepted full This setting helps Computer Configuration\Policies\Admin
**Note:** This Group Policy path is pro
The recommended state for this setting is: `Enabled: 1 minute`.
This section contains recommendations related to Remote Desktop Session
18.9.58.3.11 Temporary folders accepted **Note #2:** In older Microsoft Window
This section contains recommendations related to RSS feeds.
This Group Policy section is provided by the Group Policy template `Termina
**Note:** This Group Policy path is pro
18.9.59 RSS Feeds accepted
This section contains recommendations for Search settings.
This Group Policy section is provided by the Group Policy template `InetRes
To establish the recommended configu
18.9.60 Search accepted
Various levels of information can be shared with Bing in Search, to include
This Group Policy section is provided by the Group Policy template `Search.u
18.9.60 18.9.60. (L2) Ensure 'Set w accepted full Limiting the searc Computer Configuration\Policies\Admin
The recommended state for this setting is: `Enabled: Anonymous info`.
This section is intentionally blank and exists to ensure the structure of Windo
18.9.60.1 OCR accepted
**Note:** This Group Policy path may n
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `SearchO
18.9.61 Security Center accepted
This Group Policy section is provided by the Group Policy template `Security
This section is intentionally blank and exists to ensure the structure of Windo
18.9.62 Server for NIS accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `Snis.ad
18.9.63 Shutdown Options accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `WinInit.
18.9.64 Smart Card accepted
This section contains recommendations related to the Software Protection
This Group Policy section is provided by the Group Policy template `SmartCP
To establish the recommended configu
18.9.65 Software Protectio accepted
The Key Management Service (KMS) is a Microsoft license activation metho
This Group Policy section is provided by the Group Policy template `AVSVa
18.9.65 18.9.65. (L2) Ensure 'Turn accepted full Even though the KM Computer Configuration\Policies\Admin
The recommended state for this setting is: `Enabled`.
This section is intentionally blank and exists to ensure the structure of Windo
18.9.66 Sound Recorder accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `SoundR
**Note:** This Group Policy path may n
18.9.67 Speech accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `Speech
18.9.68 Store accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `WinSto
18.9.69 Sync your settings accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `SettingS
18.9.70 Tablet PC accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `Window
18.9.71 Task Scheduler accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `TaskSc
18.9.72 Text Input accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `TextInp
18.9.73 Windows Calenda accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `WinCal
18.9.74 Windows Color S accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `Window
18.9.75 Windows Customer accepted This section contains recommendations related to Windows Defender Antivi
This Group Policy section is provided by the Group Policy template `CEIPEn
18.9.76 Windows Defender accepted This Group Policy section is provided by the Group Policy template `Window
This section is intentionally blank and exists to ensure the structure of Windo
18.9.76.1 Client Interface accepted **Note:** This section was originally named _Windows Defender_ but was re
This policy setting allows you to join Microsoft Active Protection Service (MA
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `Window
18.9.76.2 Exclusions accepted Possible options are:
This section contains recommendations related to Microsoft Active Protectio
This Group Policy section is provided by the Group Policy template `Window
To establish the recommended configu
18.9.76.3 MAPS accepted - (0x0) Disabled (default)
- (0x1) Basic membership
- (0x2) Advanced membership
The information that would be sent can include things like
This Group Policy section is provided by the Group Policy template `Window
18.9.76. 18.9.76.3 (L2) Ensure 'Join accepted full Computer Configuration\Policies\Admin
For privacy reasons in high security environments, it is be
This section is intentionally blank and exists to ensure the structure of Windo
18.9.76.4 MpEngine accepted **Basic membership** will send basic information to Microsoft about softwar
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `Window
**Note:** This Group Policy path may n
18.9.76.5 Network Inspecti accepted **Advanced membership** in addition to basic information will send more inf
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `Window
18.9.76.6 Quarantine accepted The recommended state for this setting is: `Disabled`.
This section contains settings related to Real-time Protection.
This Group Policy section is provided by the Group Policy template `Window
18.9.76.7 Real-time Protecti accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `Window
18.9.76.8 Remediation accepted
This section contains settings related to Windows Defender Reporting.
This Group Policy section is provided by the Group Policy template `Window
To establish the recommended configu
18.9.76.9 Reporting accepted
This policy setting allows you to configure whether or not Watson events are
This Group Policy section is provided by the Group Policy template `Window
18.9.76. 18.9.76.9 (L2) Ensure 'Confi accepted full Watson events are Computer Configuration\Policies\Admin
The recommended state for this setting is: `Disabled`.
This section contains settings related to Windows Defender scanning.
18.9.76.10 Scan accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `Window
**Note:** This Group Policy path may n
18.9.76.11 Signature Update accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `Window
18.9.76.12 Threats accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `Window
18.9.76.13 Windows Defender accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `Window
18.9.77 Windows Defender accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `AppHVS
18.9.78 Windows Defender accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `ExploitG
18.9.79 Windows Defender accepted
This Group Policy section is provided by the Group Policy template `Window
This section contains Windows Defender SmartScreen settings.
18.9.80 Windows Defende accepted
This section contains recommendations for Explorer-related Windows Defen
This Group Policy section is provided by the Group Policy template `SmartS
18.9.80.1 Explorer accepted
The Group Policy settings contained within this section are provided by the G
This section contains recommendations related to Windows Error Reporting
18.9.81 Windows Error Re accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `ErrorRe
18.9.81.1 Advanced Error Re accepted
This section contains recommendations related to Windows Error Reporting
This Group Policy section is provided by the Group Policy template `ErrorRe
18.9.81.2 Consent accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `ErrorRe
18.9.82 Windows Game Rec accepted This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `GameD
18.9.83 Windows Hello for accepted This Group Policy section is provided by the Group Policy template `Passpo
This section is intentionally blank and exists to ensure the structure of Windo
18.9.84 Windows Ink Wor draft **Note:** This section was initially named _Microsoft Passport for Work_ but
To establish the recommended configu
This section contains recommendations related to Windows Installer.
This Group Policy section is provided by the Group Policy template `Window
18.9.85 Windows Installer accepted
This policy setting controls whether Web-based programs are allowed to ins
This Group Policy section is provided by the Group Policy template `MSI.adm
18.9.85 18.9.85. (L2) Ensure 'Preven accepted full Suppressing the sy Computer Configuration\Policies\Admin
The recommended state for this setting is: `Disabled`.
This section contains recommendations related to Windows Logon Options.
18.9.86 Windows Logon Op accepted **Note:** This Group Policy path is pro
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `WinLog
18.9.87 Windows Mail accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Window

18.9.88 Windows Media C accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `MediaC

18.9.89 Windows Media Di accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Window

18.9.90 Windows Media Player accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Window

18.9.91 Windows Meeting accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Window

18.9.92 Windows Messeng accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Window

18.9.93 Windows Mobility accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `MobileP

18.9.94 Windows Movie M accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `MovieM

18.9.95 Windows PowerShell accepted
This section contains recommendations related to Windows PowerShell.
This Group Policy section is provided by the Group Policy template `PowerS

18.9.96 Windows Reliabilit accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `RacWm

18.9.97 Windows Remote accepted
This section contains recommendations related to Windows Remote Manag
This Group Policy section is provided by the Group Policy template `Window

18.9.97.1 WinRM Client accepted
This section contains recommendations related to the Windows Remote Ma
This Group Policy section is provided by the Group Policy template `Window

18.9.97.2 WinRM Service accepted
This section contains recommendations related to the Windows Remote Ma
This Group Policy section is provided by the Group Policy template `Window

18.9.97. 18.9.97.2 (L2) Ensure 'Allo accepted full
This policy setting allows you to manage whether the Windows Remote Man
The recommended state for this setting is: `Disabled`.
Any feature is a p
To establish the recommended configu
```
Computer Configuration\Administrative
```
**Note:** This Group Policy path is pro
**Note #2:** In older Microsoft Window

18.9.98 Windows Remote Shell accepted
This section contains settings related to Windows Remote Shell (WinRS).
This Group Policy section is provided by the Group Policy template `Window

18.9.98 18.9.98. (L2) Ensure 'Allow accepted full
This policy setting allows you to manage configuration of remote access to a
The recommended state for this setting is: `Disabled`.
Any feature is a p
To establish the recommended configu
```
Computer Configuration\Administrative
```
**Note:** The GPME help text for this setting is incorrectly worded, implying
**Note:** This Group Policy path is pro

18.9.99 Windows SideSho accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `SideSh

18.9.100 Windows System accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `System

18.9.101 Windows Update accepted
This section contains recommendations related to Windows Update.
This Group Policy section is provided by the Group Policy template `Window
18.9.101.1 Windows Update fo draft
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Window
**Note:** This section was initially named _Defer Windows Updates_ but wa

19 Administrative Templates accepted
This section contains user-based recommendations from Group Policy Administrative Templates (ADMX).

19.1 Control Panel accepted
This section contains recommendations for Control Panel settings.
This Group Policy section is provided by the Group Policy template `Window

19.1.1 Add or Remove P accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `AddRem

19.1.2 Display accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Control

19.1.3 Personalization ( accepted
This section contains recommendations for personalization settings.
This Group Policy section is provided by the Group Policy template `Control
**Note:** This section was initially named _Desktop Themes_ but was renam

19.2 Desktop accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Window

19.3 Network accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Window

19.4 Shared Folders accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Shared

19.5 Start Menu and Taskbar accepted
This section contains recommendations for Start Menu and Taskbar settings.
This Group Policy section is provided by the Group Policy template `Window

19.5.1 Notifications accepted
This section contains recommendations for Notification settings.
This Group Policy section is provided by the Group Policy template `WPN.ad

19.6 System accepted
This section contains recommendations for System settings.
This Group Policy section is provided by the Group Policy template `Window

19.6.1 Ctrl+Alt+Del Opti accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `CtrlAltD

19.6.2 Driver Installation accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `DeviceI

19.6.3 Folder Redirection accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `FolderR

19.6.4 Group Policy accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `GroupPM

19.6.5 Internet Communication accepted
This section contains recommendations related to Internet Communication.
This Group Policy section is provided by the Group Policy template `Window

19.6.5.1 Internet Communic accepted
This section contains recommendations related to Internet Communication settings.
This Group Policy section is provided by the Group Policy template `Window

19.6.5.1 19.6.5.1. (L2) Ensure 'Turn accepted full
This policy setting specifies whether users can participate in the Help Exper
The recommended state for this setting is: `Enabled`.
Large enterprise
To establish the recommended configu
```
User Configuration\Policies\Administra
```
**Note:** This Group Policy path is pro

19.7 Windows Compon accepted
This section contains recommendations for Windows Component settings.
This Group Policy section is provided by the Group Policy template `Window

19.7.1 Add features to W accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Window
**Note:** This section was initially named _Windows Anytime Upgrade_ but

19.7.2 App runtime accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `AppXRu

19.7.3 Application Compat accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `AppCom

19.7.4 Attachment Manager accepted
This section contains recommendations related to Attachment Manager.
This Group Policy section is provided by the Group Policy template `Attachm

19.7.5 AutoPlay Policies accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `AutoPla

19.7.6 Backup accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `UserDa

19.7.7 Cloud Content draft
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `CloudC

19.7.8 Credential User In accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `CredUI.

19.7.9 Data Collection a accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `DataCo

19.7.10 Desktop Gadgets accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Sidebar

19.7.11 Desktop Window accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `DWM.a

19.7.12 Digital Locker accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `DigitalL

19.7.13 Edge UI accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `EdgeUI

19.7.14 File Explorer (for accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Window
**Note:** This section was initially named _Windows Explorer_ but was rena

19.7.15 File Revocation accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `FileRev

19.7.16 IME accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `EAIME.

19.7.17 Import Video accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Capture

19.7.18 Instant Search accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `WordW

19.7.19 Internet Explorer accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `InetRes
19.7.20 Location and Sens accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Sensors

19.7.21 Microsoft Edge accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Microso

19.7.22 Microsoft Manage accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `MMC.a

19.7.23 Microsoft User Exp accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `UserEx

19.7.24 NetMeeting accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Conf.ad

19.7.25 Network Projector accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Network

19.7.26 Network Sharing accepted
This section contains recommendations related to Network Sharing.
This Group Policy section is provided by the Group Policy template `Sharing

19.7.27 Presentation Setti accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `MobileP

19.7.28 Remote Desktop Se accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Termina
**Note:** This section was initially named _Terminal Services_ but was rena

19.7.29 RSS Feeds accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `InetRes

19.7.30 Search accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Search.

19.7.31 Sound Recorder accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `SoundR

19.7.32 Store accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `WinSto

19.7.33 Tablet PC accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Window

19.7.34 Task Scheduler accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `TaskSc

19.7.35 Windows Calenda accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `WinCal

19.7.36 Windows Color S accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Window

19.7.37 Windows Defende accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `SmartS

19.7.38 Windows Error Reporting accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `ErrorRe

19.7.39 Windows Hello for accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Passpo
**Note:** This section was initially named _Microsoft Passport for Work_ but

19.7.40 Windows Installer accepted
This section contains recommendations related to Windows Installer.
This Group Policy section is provided by the Group Policy template `MSI.adm

19.7.41 Windows Logon Options accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `WinLog

19.7.42 Windows Mail accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Window

19.7.43 Windows Media C accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `MediaC

19.7.44 Windows Media Player accepted
This section contains recommendations related to Windows Media Player.
This Group Policy section is provided by the Group Policy template `Window

19.7.44.1 Networking accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Window

19.7.44.2 Playback accepted
This section contains recommendations related to Windows Media Player pl
This Group Policy section is provided by the Group Policy template `Window

19.7.44. 19.7.44.2 (L2) Ensure 'Preve accepted full
This setting controls whether Windows Media Player is allowed to download
The recommended state for this setting is: `Enabled`.
This has some poten
To establish the recommended configu
```
User Configuration\Policies\Administra
```
**Note:** This Group Policy path is pro
audit procedure impact statement notes CIS controls CCE-ID references

This section contains recommendations for account policies.
This section contains recommendations for password policy.
This section contains recommendations for account lockout policy.
This section contains recommendations for local policies.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This section contains recommendations for user rights assignments.

audit procedure: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
impact statement: If you configure the **Log on as a b
CIS controls: TITLE:Minimize An
CCE-ID: CCE-38080-8

This section contains recommendations for security options.
This section contains recommendations related to default accounts.
This section contains recommendations related to auditing controls.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This section contains recommendations related to managing devices.
This section contains recommendations related to Domain Controllers.
This section contains recommendations related to domain membership.
This section contains recommendations related to interactive logons.
This section contains recommendations related to configuring the Microsoft network client.
This section contains recommendations related to configuring the Microsoft network server.
This section contains recommendations related to network access.

audit procedure: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the fo
```
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa:DisableDomainCreds
```
impact statement: Credential Manager will not store pa
CIS controls: TITLE:Encrypt/Hash
CCE-ID: CCE-38119-4

This section contains recommendations related to network security.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This section contains recommendations related to the Windows shutdown functionality.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This section contains recommendations related to system objects.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This section contains recommendations related to User Account Control.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This section contains recommendations for configuring the Windows Firewall.
This section contains recommendations for the Domain Profile of the Windows Firewall.
This section contains recommendations for the Private Profile of the Windows Firewall.
This section contains recommendations for the Public Profile of the Windows Firewall.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This section contains recommendations for configuring the Windows audit facilities.
This section contains recommendations for configuring the Account Logon audit policy.
This section contains recommendations for configuring the Account Management audit policy.
This section contains recommendations for configuring the Detailed Tracking audit policy.
This section contains recommendations for configuring the Directory Services Access audit policy.
This section contains recommendations for configuring the Logon/Logoff audit policy.
This section contains recommendations for configuring the Object Access audit policy.
This section contains recommendations for configuring the Policy Change audit policy.
This section contains recommendations for configuring the Privilege Use audit policy.
This section contains recommendations for configuring the System audit policy.
This section contains recommendations from Group Policy Administrative Templates (ADMX).
This section contains recommendations for Control Panel settings.
This Group Policy section is provided by the Group Policy template `Windows.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
This section contains recommendations for Control Panel personalization settings.
This Group Policy section is provided by the Group Policy template `ControlPanelDisplay.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templa
This section contains recommendations for configuring Microsoft Local Administrator Password Solution (LAPS).
This Group Policy section is provided by the Group Policy template `AdmPwd.admx/adml` that is included with LAPS.
This section contains recommendations for configuring additional settings from the MS Security Guide.
This Group Policy section is provided by the Group Policy template `SecGuide.admx/adml` that is available from Microsoft at [this link](https://blogs.technet.microsoft.com/secguide/2017/08/30/secu
This section contains recommendations for the Microsoft Solutions for Security (MSS) settings.
This Group Policy section is provided by the Group Policy template `MSS-legacy.admx/adml` that is available from this TechNet blog post: [The MSS settings – Microsoft Security Guidance blog](ht

audit procedure: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the fo
```
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters:KeepAliveTime
```
impact statement: Keep-alive packets are not sent by d
CIS controls: TITLE:Limitation
CCE-ID: CCE-36868-8

audit procedure: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the fo
```
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters:PerformRouterDiscovery
```
impact statement: Windows will not automatically dete
CIS controls: TITLE:Limitation
CCE-ID: CCE-38065-9

audit procedure: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the fo
```
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters:TcpMaxDataRetransmissions
```
impact statement: TCP starts a retransmission timer wh
CIS controls: TITLE:Limitation
CCE-ID: CCE-37846-3

audit procedure: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the fo
```
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters:TcpMaxDataRetransmissions
```
impact statement: TCP starts a retransmission timer wh
CIS controls: TITLE:Limitation
CCE-ID: CCE-36051-1

This section contains recommendations for network settings.
This Group Policy section is provided by the Group Policy template `Windows.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Bits.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `PeerToPeerCaching.admx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or n
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `nca.admx/adml` that is included with the Microsoft 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
This section contains recommendations related to DNS Client.
This Group Policy section is provided by the Group Policy template `DnsClient.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `GroupPolicy.admx/adml` that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `hotspotauth.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or ne
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `LanmanServer.admx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer)
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `LanmanWorkstation.admx/adml` that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (

audit procedure: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the fo

This section contains recommendations for Link-Layer Topology Discovery settings.
This Group Policy section is provided by the Group Policy template `LinkLayerTopologyDiscovery.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

audit procedure: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the fo
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD:AllowLLTDIOOnDomain
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD:AllowLLTDIOOnPublicNet
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD:EnableLLTDIO
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD:ProhibitLLTDIOOnPrivateNet
```
impact statement: None - this is the default behavior.
CIS controls: TITLE:Limitation
CCE-ID: CCE-38170-7

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD:AllowRspndrOnDomain
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD:AllowRspndrOnPublicNet
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD:EnableRspndr
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD:ProhibitRspndrOnPrivateNet
```
impact statement: None - this is the default behavior.
CIS controls: TITLE:Limitation
CCE-ID: CCE-37959-4

This section contains recommendations for Microsoft Peer-to-Peer Networking Services settings.
This Group Policy section is provided by the Group Policy template `P2P-pnrp.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

audit procedure: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the fo
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Peernet:Disabled
```
impact statement: Microsoft Peer-to-Peer Networking Ser
CIS controls: TITLE:Limit Open
CCE-ID: CCE-37699-6

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `P2P-pnrp.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
This section contains recommendations for Network Connections settings.
This Group Policy section is provided by the Group Policy template `NetworkConnections.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `WindowsFirewall.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
notes: _Windows Firewall_ but was renamed by Microsoft to _Windows Defender Firewall_ starting with the Microsoft Windows 10 Release 1709 Administrative T
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `NCSI.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `NetworkIsolation.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates
This section contains recommendations for Network Provider settings.
This Group Policy section is provided by the Group Policy template `NetworkProvider.admx/adml` that is included with the [MS15-011](https://technet.microsoft.com/library/security/MS15-011) / [MS
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `OfflineFiles.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `QOS.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Snmp.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
n settings.
This Group Policy section is provided by the Group Policy template `CipherSuiteOrder.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
This Group Policy section is provided by the Group Policy template `tcpip.admx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `tcpip.admx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).
onfiguration settings.
This Group Policy section is provided by the Group Policy template `tcpip.admx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).

audit procedure: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the fo
impact statement: Connectivity to other systems using IPv6 will no longer operate, and software that depends on IPv6 will cease to function. E
notes: This registry change is documented in Microsoft Knowledge Base article 929852: [How to disable IPv6 or its components in
**Note:** This registry change does not take effect until the next reboot.
CIS controls: TITLE:Limitation and Control of Network Ports, Protocols, and Services CONTROL:9

This section contains recommendations for Windows Connect Now settings.
This Group Policy section is provided by the Group Policy template `WindowsConnectNow.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

audit procedure: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the fo
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars:EnableRegistrars
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars:DisableUPnPRegistrar
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars:DisableInBand802DOT11Registrar
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars:DisableFlashConfigRegistrar
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars:DisableWPDRegistrar
```
impact statement: WCN operations are disabled over al
CIS controls: TITLE:Configure On
CCE-ID: CCE-37481-9

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\UI:DisableWcnUi
```
impact statement: The WCN wizards are turned off and us
CIS controls: TITLE:Configure On
CCE-ID: CCE-36109-7
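Every registry-backed audit procedure above reduces to the same step: read one value under the quoted key and compare it with the prescribed state. The script below is an added example written for this page, not part of the CIS benchmark export or CIS-CAT; it parses the `HIVE\Key:ValueName` notation the audit column uses and reports each value as Pass, Fail or NotConfigured. The registry locations are the ones quoted in the audit procedures above (DisableDomainCreds, the MSS TCP/IP parameters, LLTD, Peernet and Windows Connect Now); the expected values in the check table are my assumption of the benchmark's prescribed state and must be confirmed against the Remediation column before the output is treated as an audit result.

```powershell
# Added example for this page; not code from the CIS benchmark or CIS-CAT.
# Requires only read access to HKLM, so it runs as a standard user.

function ConvertFrom-CisRegistryRef {
    # Parse the benchmark's "HIVE\Subkey:ValueName" notation into a PowerShell
    # provider path and a value name. The value name follows the last ':'.
    param([Parameter(Mandatory)][string]$Ref)

    $idx = $Ref.LastIndexOf(':')
    if ($idx -lt 1) { throw "Not a CIS registry reference: $Ref" }
    $keyPath   = $Ref.Substring(0, $idx)
    $valueName = $Ref.Substring($idx + 1)

    # Map the long hive names used in the benchmark to the PowerShell drives.
    $keyPath = $keyPath -replace '^HKEY_LOCAL_MACHINE\\', 'HKLM:\'
    $keyPath = $keyPath -replace '^HKEY_CURRENT_USER\\',  'HKCU:\'

    [pscustomobject]@{ Path = $keyPath; Name = $valueName }
}

function Test-CisRegistryValue {
    # Compare one registry value with its expected state.
    param(
        [Parameter(Mandatory)][string]$Ref,
        [Parameter(Mandatory)]$Expected
    )
    $loc  = ConvertFrom-CisRegistryRef -Ref $Ref
    $item = Get-ItemProperty -Path $loc.Path -ErrorAction SilentlyContinue
    $prop = if ($null -ne $item) { $item.PSObject.Properties[$loc.Name] } else { $null }

    # A missing key or value means the policy is Not Configured: Group Policy
    # writes these values only when the setting is Enabled or Disabled, so the
    # OS default applies. Report that separately instead of calling it a pass.
    if ($null -eq $prop) {
        return [pscustomobject]@{ Ref = $Ref; Expected = $Expected; Actual = $null; Status = 'NotConfigured' }
    }
    $status = if ($prop.Value -eq $Expected) { 'Pass' } else { 'Fail' }
    [pscustomobject]@{ Ref = $Ref; Expected = $Expected; Actual = $prop.Value; Status = $status }
}

# Registry locations quoted in the audit procedures on this page.
# ASSUMPTION: the Expected values are my reading of the benchmark's prescribed
# state (Enabled = 1, Disabled = 0, numeric parameters as recommended); verify
# each against the Remediation column before relying on the result.
$Checks = @(
    @{ Ref = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa:DisableDomainCreds';                      Expected = 1 }
    @{ Ref = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters:KeepAliveTime';              Expected = 300000 }
    @{ Ref = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters:PerformRouterDiscovery';     Expected = 0 }
    @{ Ref = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters:TcpMaxDataRetransmissions'; Expected = 3 }
    @{ Ref = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters:TcpMaxDataRetransmissions';  Expected = 3 }
    @{ Ref = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD:AllowLLTDIOOnDomain';                  Expected = 0 }
    @{ Ref = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD:AllowLLTDIOOnPublicNet';               Expected = 0 }
    @{ Ref = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD:EnableLLTDIO';                         Expected = 0 }
    @{ Ref = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD:ProhibitLLTDIOOnPrivateNet';           Expected = 0 }
    @{ Ref = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD:AllowRspndrOnDomain';                  Expected = 0 }
    @{ Ref = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD:AllowRspndrOnPublicNet';               Expected = 0 }
    @{ Ref = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD:EnableRspndr';                         Expected = 0 }
    @{ Ref = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD:ProhibitRspndrOnPrivateNet';           Expected = 0 }
    @{ Ref = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Peernet:Disabled';                                  Expected = 1 }
    @{ Ref = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars:EnableRegistrars';           Expected = 0 }
    @{ Ref = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars:DisableUPnPRegistrar';       Expected = 0 }
    @{ Ref = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars:DisableInBand802DOT11Registrar'; Expected = 0 }
    @{ Ref = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars:DisableFlashConfigRegistrar'; Expected = 0 }
    @{ Ref = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars:DisableWPDRegistrar';        Expected = 0 }
    @{ Ref = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\UI:DisableWcnUi';                       Expected = 1 }
)

$results = foreach ($c in $Checks) { Test-CisRegistryValue -Ref $c.Ref -Expected $c.Expected }
$results | Format-Table -AutoSize -Property Status, Expected, Actual, Ref
$results | Group-Object Status | Select-Object Name, Count
```

NotConfigured is kept distinct from Fail on purpose. For the LLTD values the impact column above reads "None - this is the default behavior", so a machine without the value already behaves as prescribed, but the audit procedure still expects the policy value to be present; treating absence as a pass would hide GPOs that never applied. The comparison uses `-eq` on the raw value, so a REG_DWORD compares numerically and a REG_SZ compares as text; if a value is stored in the wrong type the row shows as Fail with the actual value beside it, which is the right signal.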
r Windows Connection Manager settings.
```
he Group
ts to Policy
ensure the template
structure `WCM.admx/adml` that isisincluded
of Windows benchmarks with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
consistent.

he Group
ts to Policy
ensure the template
structure `Windows.admx/adml` that
of Windows benchmarks is is included with all versions of the Microsoft Windows Administrative Templates.
consistent.

he Group Policy
r System template `Windows.admx/adml` that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer).
settings.

he Group
ts to Policy
ensure the template
structure `Windows.admx/adml` that
of Windows benchmarks is is included with all versions of the Microsoft Windows Administrative Templates.
consistent.

he Group
ts to Policy
ensure the template
structure `srm-fci.admx/adml` that is
of Windows benchmarks is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)
consistent.

This Group Policy section is provided by the Group Policy template `appv.admx/adml` that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer).

This section contains recommendations for auditing of process creation events.

This Group Policy section is provided by the Group Policy template `AuditSettings.admx/adml` that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer).

This section contains recommendations related to Credential Delegation.

This Group Policy section is provided by the Group Policy template `CredSsp.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `DeviceGuard.admx/adml` that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer).

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `TPM.admx/adml` that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer).

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `DeviceInstallation.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `DeviceRedirection.admx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `DiskNVCache.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `DiskQuota.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `Display.admx/adml` that is included with the Microsoft Windows 10 Release 1703 Administrative Templates (or newer).

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `DCOM.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `DeviceInstallation.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section contains recommendations for configuring boot-start driver initialization settings.

This Group Policy section is provided by the Group Policy template `EarlyLaunchAM.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `EnhancedStorage.admx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `srm-fci.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `FileServerVSSAgent.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `FileServerVSSProvider.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).

This Group Policy section is provided by the Group Policy template `FileSys.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

**Note:** This section was initially named _NTFS Filesystem_ but was renamed by Microsoft to _Filesystem_ starting with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates.

This Group Policy section is provided by the Group Policy template `FolderRedirection.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section contains recommendations for configuring group policy-related settings.

This Group Policy section is provided by the Group Policy template `GroupPolicy.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `GroupPolicyPreferences.admx/adml` that is included with the Microsoft Windows Server 2008 (non-R2) Administrative Templates (or newer).

This section contains recommendations related to Internet Communication Management.

This Group Policy section is provided by the Group Policy template `Windows.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section contains recommendations related to Internet Communication settings.
This Group Policy section is provided by the Group Policy template `Windows.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

Tablet PC users cannot choose to sha TITLE:Data Prote CCE-37911-5
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location:
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC:PreventHandwritingDataSharing
```

Users cannot start handwriting rec TITLE:Data Prote CCE-36203-8
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location:
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports:PreventHandwritingErrorReports
```

The "Choose a list of Internet Servic TITLE:Data Prote CCE-37163-3
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location:
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard:ExitOnMSICW
```

Users are blocked from connecting to Microsoft.com for CCE-36352-3
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location:
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Registration Wizard Control:NoRegistration
```

Search Companion does not download content updates during searches. TITLE:Data Prote CCE-36884-5
**Note:** Internet searches will still send the search text and information about the search to Microsoft and the chosen sear
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location:
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion:DisableContentFileUpdates
```

The task "Order Prints Online" is rem TITLE:Data Prote CCE-38275-4
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location:
```
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer:NoOnlinePrintsWizard
```

The "Publish to Web" task is removed TITLE:Data Prote CCE-37090-8
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location:
```
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer:NoPublishingWizard
```

Windows Messenger will not collect us TITLE:Data Prote CCE-36628-6
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location:
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client:CEIP
```

All users are opted out of the Win TITLE:Data Prote CCE-36174-1
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location:
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows:CEIPEnable
```

Users are not given the option to repo TITLE:Data Prote CCE-35964-6
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry locations:
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting:Disabled
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting:DoReport
```

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
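The audit text for every row above points at a registry location written as `HKEY_LOCAL_MACHINE\<key>:<value name>`. The following PowerShell script is an added example, not part of the CIS export and not CIS's own tooling: it parses that notation, reads each value from the live registry, and separates three outcomes that a plain "does the value equal X" check blurs together: the value matches, the value is wrong, and the key or value is absent (the policy is Not Configured, so the OS default applies and the row is still a finding). The `Expected` numbers and all function names are assumptions for illustration; confirm each expected value against the Remediation text of the corresponding recommendation before using the script for a real audit. The list also includes the two Remote Desktop Session Host entries (`fSingleSessionPerUser`, `fDisableCcm`) that appear later in this section, since they are checked the same way.

```powershell
# Added example (not part of the CIS benchmark export): audit the registry locations
# that back the Group Policy settings listed on this page. The Expected values below
# are ASSUMPTIONS for illustration; confirm them against the benchmark's Remediation text.
$Checks = @(
    @{ Cce = 'CCE-37911-5'; Expected = 1; Location = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC:PreventHandwritingDataSharing' },
    @{ Cce = 'CCE-36203-8'; Expected = 1; Location = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports:PreventHandwritingErrorReports' },
    @{ Cce = 'CCE-37163-3'; Expected = 1; Location = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard:ExitOnMSICW' },
    @{ Cce = 'CCE-36352-3'; Expected = 1; Location = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Registration Wizard Control:NoRegistration' },
    @{ Cce = 'CCE-36884-5'; Expected = 1; Location = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion:DisableContentFileUpdates' },
    @{ Cce = 'CCE-38275-4'; Expected = 1; Location = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer:NoOnlinePrintsWizard' },
    @{ Cce = 'CCE-37090-8'; Expected = 1; Location = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer:NoPublishingWizard' },
    @{ Cce = 'CCE-36628-6'; Expected = 2; Location = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client:CEIP' },
    @{ Cce = 'CCE-36174-1'; Expected = 0; Location = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows:CEIPEnable' },
    @{ Cce = 'CCE-35964-6'; Expected = 1; Location = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting:Disabled' },
    @{ Cce = 'CCE-35964-6'; Expected = 0; Location = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting:DoReport' },
    @{ Cce = 'CCE-37708-5'; Expected = 1; Location = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services:fSingleSessionPerUser' },
    @{ Cce = 'CCE-37696-2'; Expected = 1; Location = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services:fDisableCcm' }
)

# Hypothetical helper: turn "HKEY_LOCAL_MACHINE\<key>:<value>" into a provider path and a value name.
function ConvertFrom-BenchmarkLocation {
    param([Parameter(Mandatory)][string]$Location)
    # Split on the LAST colon. Key paths contain spaces ("Windows NT\Terminal Services",
    # "Registration Wizard Control") but never colons, so the split is unambiguous.
    $i = $Location.LastIndexOf(':')
    if ($i -lt 1 -or $i -eq ($Location.Length - 1)) { throw "Malformed location: $Location" }
    $key = $Location.Substring(0, $i) -replace '^HKEY_LOCAL_MACHINE\\', 'HKLM:\' -replace '^HKEY_CURRENT_USER\\', 'HKCU:\'
    [pscustomobject]@{ Key = $key; Name = $Location.Substring($i + 1) }
}

# Hypothetical helper: read one value and classify it as PASS, FAIL or NOT CONFIGURED.
function Test-BenchmarkValue {
    param([Parameter(Mandatory)][hashtable]$Check)
    $loc    = ConvertFrom-BenchmarkLocation -Location $Check.Location
    $actual = $null
    if (Test-Path -LiteralPath $loc.Key) {
        # SilentlyContinue: a key that exists without this value name yields $null, not an error.
        $item = Get-ItemProperty -LiteralPath $loc.Key -Name $loc.Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { $actual = $item.($loc.Name) }
    }
    if ($null -eq $actual) {
        # Absent key or value: the policy is Not Configured and the OS default applies.
        # That is a finding in its own right, not a pass, and must be reported separately
        # from an explicitly wrong value so the remediation owner knows which case they have.
        $status = 'NOT CONFIGURED'
    } elseif ($actual -eq $Check.Expected) {
        $status = 'PASS'
    } else {
        $status = 'FAIL'
    }
    [pscustomobject]@{
        CCE = $Check.Cce; Key = $loc.Key; Name = $loc.Name
        Expected = $Check.Expected; Actual = $actual; Status = $status
    }
}

$results = $Checks | ForEach-Object { Test-BenchmarkValue -Check $_ }
$results | Format-Table -AutoSize
# Non-zero exit if anything is not PASS, so the script can gate a build or a compliance job.
if ($results | Where-Object Status -ne 'PASS') { exit 1 }
```

Two caveats apply to this style of check. It reads the effective registry state, so it must run after a Group Policy refresh (`gpupdate /force`) to reflect a newly linked GPO, and it cannot tell whether a matching value came from Group Policy or from a local registry edit that the next policy refresh will not protect. Treat it as the machine-side half of the audit the benchmark describes; the GPO-side half is still the UI path in the Remediation column.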
This Group Policy section is provided by the Group Policy template `iSCSI.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `KDC.admx/adml` that is included with the Microsoft Windows Server 2008 (non-R2) Administrative Templates (or newer).

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `Kerberos.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section contains recommendations for Locale Services settings.

This Group Policy section is provided by the Group Policy template `Globalization.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

Users will have input methods enable TITLE:Ensure Work CCE-36343-2
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location:
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Control Panel\International:BlockUserInputMethodsForSignIn
```

This section contains recommendations related to the logon process and lock screen.

This Group Policy section is provided by the Group Policy template `Logon.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `GroupPolicy.admx/adml` that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer).

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `Netlogon.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `OSPolicy.admx/adml` that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer).

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `PerfCenterCPL.admx/adml` that is only included with the Microsoft Windows Vista through the Windows 8.0 & Server 2012 (non-R2) Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `Passport.admx/adml` that is included with the Microsoft Windows 10 Release 1703 Administrative Templates (or newer).

This section contains recommendations for Power Management settings.

This Group Policy section is provided by the Group Policy template `Power.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `Power.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `Power.admx/adml` that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer).

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `Power.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `Power.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `Power.admx/adml` that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer).

This section contains recommendations related to Power Management Sleep mode.

This Group Policy section is provided by the Group Policy template `Power.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `ReAgent.admx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).

This section contains recommendations related to Remote Assistance.

This Group Policy section is provided by the Group Policy template `RemoteAssistance.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section contains recommendations related to Remote Procedure Call.

This Group Policy section is provided by the Group Policy template `RPC.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `RemovableStorage.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `Scripts.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `ServerManager.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `WinInit.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `Winsrv.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `StorageHealth.admx/adml` that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer).

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `SystemRestore.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section contains recommendations related to Troubleshooting and Diagnostics.

This Group Policy section is provided by the Group Policy template `Windows.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `pca.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `FileRecovery.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `DiskDiagnostic.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `fthsvc.admx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).

This section contains recommendations related to the Microsoft Support Diagnostic Tool.

This Group Policy section is provided by the Group Policy template `MSDT.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

MSDT cannot run in support mode, and TITLE:Data Prote CCE-38161-6
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location:
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy:DisableQueryRemoteServer
```

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `Msi-FileRecovery.admx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `sdiagschd.admx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `sdiageng.admx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `PerformanceDiagnostics.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `LeakDiagnostic.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section contains recommendations related to Windows Performance PerfTrack.

This Group Policy section is provided by the Group Policy template `PerformancePerftrack.admx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).

Responsiveness events are not proc TITLE:Data Prote CCE-36648-4
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location:
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d}:ScenarioExecutionEna
```

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `TPM.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section contains recommendations related to User Profiles.

This Group Policy section is provided by the Group Policy template `UserProfiles.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

The advertising ID is turned off. App TITLE:Data Prote CCE-36931-4
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location:
```
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\AdvertisingInfo:DisabledByGroupPolicy
```

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `WindowsFileProtection.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `HotStart.admx/adml` that is only included with the Microsoft Windows Vista through the Windows 8.0 & Server 2012 (non-R2) Administrative Templates.

This section contains recommendations related to the Windows Time Service.

This Group Policy section is provided by the Group Policy template `W32Time.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section contains recommendations related to Time Providers.

This Group Policy section is provided by the Group Policy template `W32Time.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

You can set the local computer clock TITLE:Use At Leas CCE-37843-0
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location:
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpClient:Enabled
```

This section contains recommendations for Windows Component settings.
This Group Policy section is provided by the Group Policy template `Windows.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `adfs.admx/adml` that is only included with the Microsoft Windows Vista through the Windows 8.0 & Server 2012 (non-R2) Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `ActiveXInstallService.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This Group Policy section is provided by the Group Policy template `WindowsAnytimeUpgrade.admx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

**Note:** This section was initially named _Windows Anytime Upgrade_ but was renamed by Microsoft to _Add features to Windows x_ starting with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates.

This Group Policy section is provided by the Group Policy template `AppxPackageManager.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `AppPrivacy.admx/adml` that is included with the Microsoft Windows 10 Release 1511 Administrative Templates (or newer).

This section contains recommendations for App runtime settings.

This Group Policy section is provided by the Group Policy template `AppXRuntime.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `AppCompat.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section contains recommendations for AutoPlay policies.

This Group Policy section is provided by the Group Policy template `AutoPlay.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `UserDataBackup.admx/adml` that is only included with the Microsoft Windows Vista through the Windows 10 Release 1511 Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `Biometrics.admx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `VolumeEncryption.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `Camera.admx/adml` that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer).

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `CloudContent.admx/adml` that is included with the Microsoft Windows 10 Release 1511 Administrative Templates (or newer).

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `WirelessDisplay.admx/adml` that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer).

This section contains recommendations related to the Credential User Interface.

This Group Policy section is provided by the Group Policy template `CredUI.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `Windows.admx/adml` that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer).

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `DeliveryOptimization.admx/adml` that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer).

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `Sidebar.admx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `DWM.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `DeviceCompat.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).

This Group Policy section is provided by the Group Policy template `WorkplaceJoin.admx/adml` that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer).

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

**Note:** This section was initially named _Workplace Join_ but was renamed by Microsoft to _Device Registration_ starting with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates.

This section contains recommendations for configuring Microsoft Enhanced Mitigation Experience Toolkit (EMET).

EMET is software developed by Microsoft that allows an enterprise to apply exploit mitigations to applications that run on Windows. Many of these mitigations were later

Although EMET is effective at enhancing exploit protection on Windows server OSes prior to Server 2016, it is highly recommended that compatibility testing is done on typical server

EMET has been reported to be very problematic on 32-bit OSes - we only recommend using it with 64-bit OSes.

Microsoft has announced that EMET will be End-Of-Life (EOL) on July 31, 2018. This does not mean the software will stop working, only that Microsoft will not update it any further past

This Group Policy section is provided by the Group Policy template `EMET.admx/adml` that is included with Microsoft EMET.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `DigitalLocker.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This Group Policy section is provided by the Group Policy template `EdgeUI.admx/adml` that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer).

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

he
r configuring
Group Policy
thetemplate
Event Log
`EventForwarding.admx/adml`
Service. that is included with the Microsoft Windows Server 2008 (non-R2) Administrative Templates (or ne

he
r configuring
Group Policy
thetemplate
Application
`EventLog.admx/adml`
Event Log. that is included with all versions of the Microsoft Windows Administrative Templates.

he
r configuring
Group Policy
thetemplate
Security `EventLog.admx/adml`
Event Log. that is included with all versions of the Microsoft Windows Administrative Templates.

he
r configuring
Group Policy
thetemplate
Setup Event
`EventLog.admx/adml`
Log. that is included with all versions of the Microsoft Windows Administrative Templates.

he Group Policy
r configuring thetemplate `EventLog.admx/adml`
System Event Log. that is included with all versions of the Microsoft Windows Administrative Templates.

he Group
ts to Policy
ensure the template
structure `EventLog.admx/adml`
of Windows benchmarksthat is included with all versions of the Microsoft Windows Administrative Templates.
is consistent.

he Group
ts to Policy
ensure the template
structure `EventLogging.admx/adml` that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or new
of Windows benchmarks is consistent.
ts to ensure the structure of Windows benchmarks is consistent.
he Group Policy template `EventViewer.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
hecontrol
Groupthe
Policy template
availability of `ParentalControls.admx/adml` that
options such as menu items and is only
tabs included
in dialog with the Microsoft Windows Vista through the Windows 10 RTM (Release 150
boxes.

_Parental
he Controls_
Group Policy but was
template renamed by Microsoft to _Family
`WindowsExplorer.admx/adml` that isSafety_ starting
included with allwith the Microsoft
versions WindowsWindows
of the Microsoft 8.0 & Server 2012 (non-R2)
Administrative Administrative Tem
Templates.
ts to ensure the structure of Windows benchmarks is consistent.
_Windows Explorer_ but was renamed by Microsoft to _File Explorer_ starting with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Tem
he Group
ts to Policy
ensure the template
structure `PreviousVersions.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
of Windows benchmarks is consistent.

he Group
ts to Policy
ensure the template
structure `FileHistory.admx/adml`
of Windows benchmarksthat is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or ne
is consistent.

he Group
ts to Policy
ensure the template
structure `FindMy.admx/adml` that is
of Windows benchmarks is consistent.
included with the Microsoft Windows 10 Release 1703 Administrative Templates (or newer).

he Group
ts to Policy
ensure the template
structure `GameExplorer.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
of Windows benchmarks is consistent.

he Group
ts to Policy
ensure the template
structure `Handwriting.admx/adml`
of Windows benchmarks isthat is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer).
consistent.

he Group
ts to Policy
ensure the template
structure `Sharing.admx/adml` thatisisconsistent.
of Windows benchmarks included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).

he Group
ts to Policy
ensure the template
structure `CaptureWizard.admx/adml` that is only included with the Microsoft Windows Vista and Windows Server 2008 (non-R2) Administr
of Windows benchmarks is consistent.

he Group
ts to Policy
ensure the template
structure `InetRes.admx/adml` thatisisconsistent.
of Windows benchmarks included with all versions of the Microsoft Windows Administrative Templates.

he Group
s and Policy template `IIS.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
Sensors.
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the fo
he Group Policy template `Sensors.admx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).
``` The location feature is turned off, a TITLE:Data Prote CCE-36886-0
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors:DisableLocation
s Location Provider.
```
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the fo
he Group Policy template `LocationProviderAdm.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templ
``` The Windows Location Provider feature is turned off, a CCE-38225-9
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors:DisableWindowsLocationProvider
ts to ensure the structure of Windows benchmarks is consistent.
```
he Group
ts to Policy
ensure the template
structure `msched.admx/adml`
of Windows benchmarks thatisisconsistent.
included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newe

he Group
ts to Policy
ensure the template
structure `WinMaps.admx/adml` that
of Windows benchmarks is is included with the Microsoft Windows 10 Release 1511 Administrative Templates (or newer).
consistent.

he Group
ts to Policy
ensure the template
structure `MDM.admx/adml` that is is
of Windows benchmarks included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or new
consistent.

he Group
ts to Policy
ensure the template
structure `Messaging.admx/adml`
of Windows benchmarksthat is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer).
is consistent.

he Group
ts to Policy
ensure the template
structure `MSAPolicy.admx/adml`
of Windows benchmarksthat is included with the Microsoft Windows 10 Release 1703 Administrative Templates (or newer).
is consistent.

he Group
ts to Policy
ensure the template
structure `MicrosoftEdge.admx/adml` that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or ne
of Windows benchmarks is consistent.

he Group
ts to Policy
ensure the template
structure `FidoAuth.admx/adml`
of Windows benchmarksthat
is is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer).
consistent.

he Group
ts to Policy
ensure the template
structure `DeviceCredential.admx/adml` that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templ
of Windows benchmarks is consistent.

he Group
ts to Policy
ensure the template
structure `UserExperienceVirtualization.admx/adml`
of Windows benchmarks is consistent. that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administr

he Group
ts to Policy
ensure the template
structure `Conf.admx/adml` that is included
of Windows benchmarks with all versions of the Microsoft Windows Administrative Templates.
is consistent.

he Group Policy template `NAPXPQec.admx/adml` that is only included with the Microsoft Windows Server 2008 (non-R2) through the Windows 8.1 Update
ts to ensure the structure of Windows benchmarks is consistent.
elated to OneDrive.
he Group Policy template `NetworkProjection.admx/adml` that is only included with the Microsoft Windows Vista through the Windows 8.1 Update & Server
n this section are provided by the Group Policy template `SkyDrive.admx/adml` that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administr
ts to ensure the structure of Windows benchmarks is consistent.
_SkyDrive_ but was renamed by Microsoft to _OneDrive_ starting with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates.
he
ts to
Group
ensure
Policy
the template
structure `HelpAndSupport.admx/adml`
of Windows benchmarks is consistent.
that is included with all versions of the Microsoft Windows Administrative Templates.

he
ts to
Group
ensure
Policy
the template
structure `PswdSync.admx/adml`
of Windows benchmarksthat
is consistent.
is only included with the Microsoft Windows Vista through the Windows 8.1 Update & Server 2012 R

he Group
ts to Policy
ensure the template
structure `ExternalBoot.admx/adml`
of Windows benchmarks isthat is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or n
consistent.

he Group
ts to Policy
ensure the template
structure `MobilePCPresentationSettings.admx/adml`
of Windows benchmarks is consistent. that is included with all versions of the Microsoft Windows Administrative Templates.
elated to Remote Desktop Services.
he Group Policy template `PushToInstall.admx/adml` that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer).
he Group
ts to Policy
ensure the template
structure `TerminalServer.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
of Windows benchmarks is consistent.

_Terminal
he Services_
Group Policy but was
template renamed by Microsoft to _Remote
`TerminalServer.admx/adml` Desktop
that is included Services_
with starting
all versions of thewith the Microsoft
Microsoft WindowsWindows 7 & Server
Administrative 2008 R2 Administrative
Templates.
r the Remote Desktop Connection Client.
_TS Licensing_ but was renamed by Microsoft to _RD Licensing_ starting with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates.
This Group Policy section is provided by the Group Policy template `TerminalServer.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This section contains settings for the Remote Desktop Session Host.

This Group Policy section is provided by the Group Policy template `TerminalServer.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).

This Group Policy section is provided by the Group Policy template `TerminalServer.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

**Note:** This Group Policy section was initially named _Terminal Server_ but was renamed by Microsoft to _Remote Desktop Session Host_ starting with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates.

This section contains settings for Connections to the Remote Desktop Session Host.

This Group Policy section is provided by the Group Policy template `TerminalServer-Server.admx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).

Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location:

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services:fSingleSessionPerUser
```

Impact: None - this is the default behavior. CCE-37708-5

This Group Policy section is provided by the Group Policy template `TerminalServer.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section contains recommendations related to Remote Desktop Session Host Device and Resource Redirection.
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location:

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services:fDisableCcm
```

Impact: Users in a Remote Desktop Services … TITLE:Limit … se Open … CCE-37696-2

This Group Policy section is provided by the Group Policy template `TerminalServer.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location:

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services:fDisableLPT
```

Impact: Users in a Remote Desktop Services … TITLE:Limit … se Open … CCE-37778-8
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services:fDisablePNPRedir
```

Impact: Users in a Remote Desktop Services … TITLE:Limit … se Open … CCE-37477-7

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `TerminalServer.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `TerminalServer.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `TerminalServer.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This Group Policy section is provided by the Group Policy template `TerminalServer.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

**Note:** This Group Policy section was initially named _TS Connection Broker_ but was renamed by Microsoft to _RD Connection Broker_ starting with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates.
This Group Policy section is provided by the Group Policy template `TerminalServer.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section contains recommendations related to Remote Desktop Session Host Security.

This Group Policy section is provided by the Group Policy template `TerminalServer.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section contains recommendations related to Remote Desktop Session Host Session Time Limits.
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location:

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services:MaxIdleTime
```

Impact: Remote Desktop Services will automatically … TITLE:Ensure Work… CCE-37562-6

This Group Policy section is provided by the Group Policy template `TerminalServer.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services:MaxDisconnectionTime
```

Impact: Disconnected Remote Desktop sessions … TITLE:Ensure Work… CCE-37949-5

This section contains recommendations related to Remote Desktop Session Host Session Temporary folders.
This Group Policy section is provided by the Group Policy template `TerminalServer.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section contains recommendations related to RSS feeds.

This Group Policy section is provided by the Group Policy template `InetRes.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section contains recommendations for Search settings.
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location:

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search:ConnectedSearchPrivacy
```

Impact: Usage information from Search is shared … TITLE:Data Protection CCE-36937-1

This Group Policy section is provided by the Group Policy template `Search.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `SearchOCR.admx/adml` that is only included with the Microsoft Windows 7 & Server 2008 R2 through the Windows 10 Release … Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `SecurityCenter.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `Snis.admx/adml` that is only included with the Microsoft Windows Vista through the Windows 8.1 Update & Server 2012 R2 Update Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `WinInit.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This section contains recommendations related to the Software Protection Platform.

This Group Policy section is provided by the Group Policy template `SmartCard.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location:

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform:NoGenTicket
```

Impact: The computer is prevented from sending data to Microsoft regarding its KMS client activation state.

This Group Policy section is provided by the Group Policy template `AVSValidationGP.admx/adml` that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer).

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `SoundRec.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `Speech.admx/adml` that is included with the Microsoft Windows 10 Release 1703 Administrative Templates (or newer).

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `WinStoreUI.admx/adml` that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates, or by the G…

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `SettingSync.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `Windows.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `TaskScheduler.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `TextInput.admx/adml` that is only included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates and M…

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `WinCal.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `WindowsColorSystem.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This section contains recommendations related to Windows Defender Antivirus.

This Group Policy section is provided by the Group Policy template `CEIPEnable.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This Group Policy section is provided by the Group Policy template `WindowsDefender.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

**Note:** This Group Policy section was initially named _Windows Defender_ but was renamed by Microsoft to _Windows Defender Antivirus_ starting with the Microsoft Windows 10 Release 1703 Administrative Templates.

This Group Policy section is provided by the Group Policy template `WindowsDefender.admx/adml` that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer).

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `WindowsDefender.admx/adml` that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer).

This section contains recommendations related to Microsoft Active Protection Service (MAPS).

Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is in effect when th…

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet:SpynetReporting
```

Impact: None - this is the default behavior.

This Group Policy section is provided by the Group Policy template `WindowsDefender.admx/adml` that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer).

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `WindowsDefender.admx/adml` that is included with the Microsoft Windows 10 Release 1703 Administrative Templates (or newer).

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `WindowsDefender.admx/adml` that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer).

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `WindowsDefender.admx/adml` that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer).

This section contains recommendations related to Real-time Protection.

This Group Policy section is provided by the Group Policy template `WindowsDefender.admx/adml` that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer).

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `WindowsDefender.admx/adml` that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer).

This section contains recommendations related to Windows Defender Reporting.

Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location:

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting:DisableGenericRePorts
```

Impact: Watson events will not be sent to Microsoft … TITLE:Data Protection CCE-36950-4

This Group Policy section is provided by the Group Policy template `WindowsDefender.admx/adml` that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer).

This section contains recommendations related to Windows Defender scanning.
This Group Policy section is provided by the Group Policy template `WindowsDefender.admx/adml` that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer).

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `WindowsDefender.admx/adml` that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer).

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `WindowsDefender.admx/adml` that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer).

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `WindowsDefender.admx/adml` that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer).

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `AppHVSI.admx/adml` that is included with the Microsoft Windows 10 Release 1703 Administrative Templates (or newer).

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `ExploitGuard.admx/adml` that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer).

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `WindowsDefenderSecurityCenter.admx/adml` that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer).

This section contains recommendations related to Windows Defender SmartScreen settings.

This section contains recommendations for Explorer-related Windows Defender SmartScreen settings.

This Group Policy section is provided by the Group Policy template `SmartScreen.admx/adml` that is included with the Microsoft Windows 10 Release 1703 Administrative Templates (or newer).

This section contains recommendations related to Windows Error Reporting.

The settings in this section are provided by the Group Policy template `WindowsExplorer.admx/adml` that is included with the Microsoft Windows 10 Release 1703 Administrative Templates (or newer).

This Group Policy section is provided by the Group Policy template `ErrorReporting.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `ErrorReporting.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section contains recommendations related to Windows Error Reporting consent.

This Group Policy section is provided by the Group Policy template `ErrorReporting.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `GameDVR.admx/adml` that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer).

This Group Policy section is provided by the Group Policy template `Passport.admx/adml` that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer).

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

**Note:** This Group Policy section was initially named _Microsoft Passport for Work_ but was renamed by Microsoft to _Windows Hello for Business_ starting with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates.
This Group Policy section is provided by the Group Policy template `WindowsInkWorkspace.admx/adml` that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer).

This section contains recommendations related to Windows Installer.

Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location:

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer:SafeForScripting
```

Impact: None - this is the default behavior. TITLE:Email and … CCE-37524-6

This Group Policy section is provided by the Group Policy template `MSI.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section contains recommendations related to Windows Logon Options.
This Group Policy section is provided by the Group Policy template `WinLogon.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `WindowsMail.admx/adml` that is only included with the Microsoft Windows Vista through the Windows 10 Release 1703 Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `MediaCenter.admx/adml` that is only included with the Microsoft Windows Vista through Windows 10 Release 1511 Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `WindowsMediaDRM.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `WindowsMediaPlayer.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `WindowsCollaboration.admx/adml` that is only included with the Microsoft Windows Vista and Server 2008 (non-R2) Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `WindowsMessenger.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `MobilePCMobilityCenter.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `MovieMaker.admx/adml` that is only included with the Microsoft Windows Vista and Server 2008 (non-R2) Administrative Templates.

This section contains recommendations related to Windows PowerShell.

This Group Policy section is provided by the Group Policy template `PowerShellExecutionPolicy.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `RacWmiProv.admx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).

This section contains recommendations related to Windows Remote Management (WinRM).

This Group Policy section is provided by the Group Policy template `WindowsRemoteManagement.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section contains recommendations related to the Windows Remote Management (WinRM) client.

This Group Policy section is provided by the Group Policy template `WindowsRemoteManagement.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section contains recommendations related to the Windows Remote Management (WinRM) service.

Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service:AllowAutoConfig
```

Impact: None - this is the default behavior. TITLE:Use Only Se… CCE-37927-1

This Group Policy section is provided by the Group Policy template `WindowsRemoteManagement.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section contains recommendations related to Windows Remote Shell (WinRS).
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\WinRS:AllowRemoteShellAccess
```

Impact: New Remote Shell connections are not allowed and are rejected by the server. TITLE:Use Only Se… CCE-36499-2

**Note:** On Server 2012 (non-R2) and higher, due to design changes in the OS after Server 2008 R2, configuring this set…

This Group Policy section is provided by the Group Policy template `WindowsRemoteShell.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `SideShow.admx/adml` that is only included with the Microsoft Windows Vista Administrative Templates through Microsoft Windo…

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `SystemResourceManager.admx/adml` that is only included with the Microsoft Windows Vista through Windows 8.0 & Server 2012 (non-R2) Administrative Templates.

This section contains recommendations related to Windows Update.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `WindowsUpdate.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This Group Policy section is provided by the Group Policy template `WindowsUpdate.admx/adml` that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer).

**Note:** This Group Policy section was initially named _Defer Windows Updates_ but was renamed by Microsoft to _Windows Update for Business_ starting with the Microsoft Windows 10 Release 1709 Administrative Templates.

This section contains recommendations from Group Policy Administrative Templates (ADMX).

This section contains recommendations for Control Panel settings.

This Group Policy section is provided by the Group Policy template `Windows.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `AddRemovePrograms.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This section contains recommendations for personalization settings.

This Group Policy section is provided by the Group Policy template `ControlPanelDisplay.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This Group Policy section is provided by the Group Policy template `ControlPanelDisplay.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

**Note:** This Group Policy section was initially named _Desktop Themes_ but was renamed by Microsoft to _Personalization_ starting with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates.
This Group Policy section is provided by the Group Policy template `Windows.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `Windows.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `SharedFolders.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section contains recommendations for Start Menu and Taskbar settings.

This Group Policy section is provided by the Group Policy template `Windows.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section contains recommendations for Notification settings.

This Group Policy section is provided by the Group Policy template `WPN.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).

This section contains recommendations for System settings.

This Group Policy section is provided by the Group Policy template `Windows.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `CtrlAltDel.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `DeviceInstallation.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `FolderRedirection.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `GroupPolicy.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section contains recommendations related to Internet Communication Management.

This Group Policy section is provided by the Group Policy template `Windows.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section contains recommendations related to Internet Communication settings.
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location:

```
HKEY_USERS\[USER SID]\SOFTWARE\Policies\Microsoft\Assistance\Client\1.0:NoImplicitFeedback
```

Impact: Users cannot participate in the Help … TITLE:Data Protection CCE-37542-8

This Group Policy section is provided by the Group Policy template `Windows.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section contains recommendations for Windows Component settings.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `Windows.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This Group Policy section is provided by the Group Policy template `WindowsAnytimeUpgrade.admx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates …

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

**Note:** This Group Policy section was initially named _Windows Anytime Upgrade_ but was renamed by Microsoft to _Add features to Windows x_ starting with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates.
This Group Policy section is provided by the Group Policy template `AppXRuntime.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `AppCompat.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section contains recommendations related to Attachment Manager.

This Group Policy section is provided by the Group Policy template `AttachmentManager.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `AutoPlay.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `UserDataBackup.admx/adml` that is included only with the Microsoft Windows Vista through Windows 8.0 & Server 2012 (non-R2) Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `CloudContent.admx/adml` that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer).

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `CredUI.admx/adml` that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer).

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `DataCollection.admx/adml` that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer).

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `Sidebar.admx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `DWM.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `DigitalLocker.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `EdgeUI.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).

This Group Policy section is provided by the Group Policy template `Windows.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

**Note:** This Group Policy section was initially named _Windows Explorer_ but was renamed by Microsoft to _File Explorer_ starting with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates.

This Group Policy section is provided by the Group Policy template `FileRevocation.admx/adml` that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer).

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `EAIME.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `CaptureWizard.admx/adml` that is only included with the Microsoft Windows Vista and Windows Server 2008 (non-R2) Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `WordWheel.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `InetRes.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `Sensors.admx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `MicrosoftEdge.admx/adml` that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer).

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `MMC.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `UserExperienceVirtualization.admx/adml` that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer).

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `Conf.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `NetworkProjection.admx/adml` that is only included with the Microsoft Windows Vista through the Windows 8.1 Update & Server 2012 R2 Update Administrative Templates.

This section contains recommendations related to Network Sharing.

This Group Policy section is provided by the Group Policy template `Sharing.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `MobilePCPresentationSettings.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This Group Policy section is provided by the Group Policy template `TerminalServer.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

**Note:** This Group Policy section was initially named _Terminal Services_ but was renamed by Microsoft to _Remote Desktop Services_ starting with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates.
This Group Policy section is provided by the Group Policy template `InetRes.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `Search.admx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `SoundRec.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `WinStoreUI.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates and M…

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `Windows.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `TaskScheduler.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `WinCal.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `WindowsColorSystem.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `SmartScreen.admx/adml` that is included with the Microsoft Windows 10 Release 1703 Administrative Templates (or newer).

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `ErrorReporting.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This Group Policy section is provided by the Group Policy template `Passport.admx/adml` that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer).

**Note:** This Group Policy section was initially named _Microsoft Passport for Work_ but was renamed by Microsoft to _Windows Hello for Business_ starting with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates.

This section contains recommendations related to Windows Installer.
he Group
ts to Policy
ensure the template
structure `MSI.admx/adml` that is included
of Windows benchmarks with all versions of the Microsoft Windows Administrative Templates.
is consistent.

he Group
ts to Policy
ensure the template
structure `WinLogon.admx/adml`
of Windows benchmarksthat is included with all versions of the Microsoft Windows Administrative Templates.
is consistent.

he Group
ts to Policy
ensure the template
structure `WindowsMail.admx/adml`
of Windows benchmarks is that is only included with the Microsoft Windows Vista through the Windows 10 Release 1703 Adminis
consistent.

he Group
elated Policy template
to Windows `MediaCenter.admx/adml` that is only included with the Microsoft Windows Vista through Windows 10 Release 1511 Administrati
Media Player.

he Group
ts to Policy
ensure the template
structure `WindowsMediaPlayer.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
of Windows benchmarks is consistent.

he Group
elated Policy template
to Windows `WindowsMediaPlayer.admx/adml`
Media Player playback. that is included with all versions of the Microsoft Windows Administrative Templates.
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the fo
he Group Policy template `WindowsMediaPlayer.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
``` Windows Media Player is prevented frTITLE:Inventory CCE-37445-4
HKEY_USERS\[USER SID]\SOFTWARE\Policies\Microsoft\WindowsMediaPlayer:PreventCodecDownload
```
…et.microsoft.com/secguide/2017/08/30/security-baseline-for-windows-10-creators-update-v1703-final/).

…ings – Microsoft Security Guidance blog](https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/)

…rosoft.com/library/security/MS15-011) / [MSKB 3000483](https://support.microsoft.com/en-us/kb/3000483) security update and the Microsoft Windows 10 R…

…Ports, Protocols, and Services CONTROL:9 DESCRIPTION:Limitation and Control of Network Ports, Protocols, and Services;

…hrough the Windows 10 Release 1511 Administrative Templates (except for the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates).

…dows. Many of these mitigations were later coded directly into Windows 10 and Server 2016.

…ompatibility testing is done on typical server configurations (including all CIS-recommended EMET settings) before widespread deployment to your environment.

Microsoft will not update it any further past that date, nor troubleshoot new problems with it. They are instead recommending that servers be upgraded to Server 2016.

…Administrative Templates and Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates, or by the Group Policy template `WindowsStore.admx/adml` that is included with the Microsoft Windows 10 Release 1511 Administrative Templates (or newer).

…hrough Windows 8.0 & Server 2012 (non-R2) Administrative Templates, as well as the Microsoft Windows 10 RTM (Release 1507) and Windows 10 Release 1511 Administrative Templates.

…e and the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer).
section  #  title  status  scoring status  description  rationale statement  remediation procedure
1 Account Policies accepted This section contains recommendations for account policies.

1.1 Password Policy accepted This section contains recommendations for password policy.

1.2 Account Lockout Policy accepted This section contains recommendations for account lockout policy.

2 Local Policies accepted This section contains recommendations for local policies.

2.1 Audit Policy accepted This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

2.2 User Rights Assignment accepted This section contains recommendations for user rights assignments.

2.3 Security Options accepted This section contains recommendations for security options.

2.3.1 Accounts accepted This section contains recommendations related to default accounts.

2.3.2 Audit accepted This section contains recommendations related to auditing controls.

2.3.3 DCOM accepted This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

2.3.4 Devices accepted This section contains recommendations related to managing devices.

2.3.5 Domain controller accepted This section contains recommendations related to Domain Controllers.

2.3.6 Domain member accepted This section contains recommendations related to domain membership.
2.3.7 Interactive logon accepted This section contains recommendations related to interactive logons.

2.3.7 2.3.7.6 (L2) Ensure 'Intera… accepted full
Description: This policy setting determines whether a user can log on to a Windows dom… The number that is assigned to this policy setting indicate… The recommended state for this setting is: `4 or fewer logon(s)`.
Rationale: Users who access the computer console will have their lo…
Remediation: To establish the recommended configu…
```
Computer Configuration\Policies\Windo…
```

2.3.8 Microsoft network… accepted This section contains recommendations related to configuring the Microsoft…

2.3.9 Microsoft network… accepted This section contains recommendations related to configuring the Microsoft…

2.3.10 Network access accepted This section contains recommendations related to network access.

2.3.10 2.3.10.4 (L2) Ensure 'Netwo… accepted full
Description: This policy setting determines whether Credential Manager (formerly called… The recommended state for this setting is: `Enabled`. **Note:** Changes to this setting will not take effect until Windows is restarted.
Rationale: Passwords that ar…
Remediation: To establish the recommended configu…
```
Computer Configuration\Policies\Windo…
```

2.3.11 Network security accepted This section contains recommendations related to network security.

2.3.12 Recovery console accepted This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

2.3.13 Shutdown accepted This section contains recommendations related to the Windows shutdown fu…

2.3.14 System cryptography accepted This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

2.3.15 System objects accepted This section contains recommendations related to system objects.

2.3.16 System settings draft This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

2.3.17 User Account Control accepted This section contains recommendations related to User Account Control.

3 Event Log accepted This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

4 Restricted Groups accepted This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

5 System Services accepted This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

6 Registry accepted This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

7 File System accepted This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

8 Wired Network (IEEE 802.3) Policies accepted This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

9 Windows Firewall accepted This section contains recommendations for configuring the Windows Firewall…

9.1 Domain Profile accepted This section contains recommendations for the Domain Profile of the Windows Firewall…

9.2 Private Profile accepted This section contains recommendations for the Private Profile of the Windows Firewall…

9.3 Public Profile accepted This section contains recommendations for the Public Profile of the Windows Firewall…

10 Network List Manager Policies accepted This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

11 Wireless Network (IEEE 802.11) Policies accepted This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

12 Public Key Policies accepted This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

13 Software Restriction Policies accepted This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

14 Network Access Protection accepted This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

15 Application Control Policies accepted This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

16 IP Security Policies accepted This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

17 Advanced Audit Policy Configuration accepted This section contains recommendations for configuring the Windows audit fa…

17.1 Account Logon accepted This section contains recommendations for configuring the Account Logon audit policy.

17.2 Account Management accepted This section contains recommendations for configuring the Account Management audit policy.

17.3 Detailed Tracking accepted This section contains recommendations for configuring the Detailed Tracking audit policy.

17.4 DS Access accepted This section contains recommendations for configuring the Directory Service…

17.5 Logon/Logoff accepted This section contains recommendations for configuring the Logon/Logoff audit policy.

17.6 Object Access accepted This section contains recommendations for configuring the Object Access audit policy.

17.7 Policy Change accepted This section contains recommendations for configuring the Policy Change audit policy.

17.8 Privilege Use accepted This section contains recommendations for configuring the Privilege Use audit policy.

17.9 System accepted This section contains recommendations for configuring the System audit policy.

18 Administrative Templates (Computer) accepted This section contains computer-based recommendations from Group Policy…
18.1 Control Panel accepted This section contains recommendations for Control Panel settings. This Group Policy section is provided by the Group Policy template `Window…`

18.1.1 Personalization accepted This section contains recommendations for Control Panel personalization settings. This Group Policy section is provided by the Group Policy template `Control…`

18.2 LAPS accepted This section contains recommendations for configuring Microsoft Local Administrator Password Solution (LAPS). This Group Policy section is provided by the Group Policy template `AdmPw…`

18.3 MS Security Guide accepted This section contains settings for configuring additional settings from the MS Security Guide. This Group Policy section is provided by the Group Policy template `SecGui…`

18.4 MSS (Legacy) accepted This section contains recommendations for the Microsoft Solutions for Security (MSS)… This Group Policy section is provided by the Group Policy template `MSS-le…`

18.4 18.4.5 (L2) Ensure 'MSS:… accepted full
Description: This value controls how often TCP attempts to verify that an idle connection… The recommended state for this setting is: `Enabled: 300,000 or 5 minutes…`
Rationale: An attacker who is…
Remediation: To establish the recommended configu…
```
Computer Configuration\Policies\Admin…
```

18.4 18.4.7 (L2) Ensure 'MSS:… accepted full
Description: This setting is used to enable or disable the Internet Router Discovery Proto… The recommended state for this setting is: `Disabled`.
Rationale: An attacker who h…
Remediation: To establish the recommended configu…
```
Computer Configuration\Policies\Admin…
```
**Note:** This Group Policy path does…

18.4 18.4.10 (L2) Ensure 'MSS:… accepted full
Description: This setting controls the number of times that TCP retransmits an individual… The recommended state for this setting is: `Enabled: 3`.
Rationale: A malicious user c…
Remediation: To establish the recommended configu…
```
Computer Configuration\Policies\Admin…
```
**Note:** This Group Policy path does…

18.4 18.4.11 (L2) Ensure 'MSS:… accepted full
Description: This setting controls the number of times that TCP retransmits an individual… The recommended state for this setting is: `Enabled: 3`.
Rationale: A malicious user c…
Remediation: To establish the recommended configu…
```
Computer Configuration\Policies\Admin…
```
**Note:** This Group Policy path does…

18.5 Network accepted This section contains recommendations for network settings. This Group Policy section is provided by the Group Policy template `Window…`

18.5.1 Background Intelligent Transfer Service (BITS) accepted This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent. This Group Policy section is provided by the Group Policy template `Bits.adm…`

18.5.2 BranchCache accepted This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent. This Group Policy section is provided by the Group Policy template `PeerTo…`

18.5.3 DirectAccess Client Experience Settings accepted This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent. This Group Policy section is provided by the Group Policy template `nca.adm…`

18.5.4 DNS Client accepted This section contains recommendations related to DNS Client. This Group Policy section is provided by the Group Policy template `DnsClie…`

18.5.5 Fonts draft This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent. This Group Policy section is provided by the Group Policy template `GroupP…`

18.5.6 Hotspot Authentication accepted This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent. This Group Policy section is provided by the Group Policy template `hotspot…`

18.5.7 Lanman Server accepted This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent. This Group Policy section is provided by the Group Policy template `Lanman…`

18.5.8 Lanman Workstation draft This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent. This Group Policy section is provided by the Group Policy template `Lanman…`

18.5.9 Link-Layer Topology Discovery accepted This section contains recommendations for Link-Layer Topology Discovery. This Group Policy section is provided by the Group Policy template `LinkLay…`

18.5.9 18.5.9.1 (L2) Ensure 'Turn… accepted full
Description: This policy setting changes the operational behavior of the Mapper I/O netw… LLTDIO allows a computer to discover the topology of a network it's connect… The recommended state for this setting is: `Disabled`.
Rationale: To help protect fr…
Remediation: To establish the recommended configu…
```
Computer Configuration\Policies\Admin…
```
**Note:** This Group Policy path is pro…

18.5.9 18.5.9.2 (L2) Ensure 'Turn… accepted full
Description: This policy setting changes the operational behavior of the Responder netwo… The Responder allows a computer to participate in Link Layer Topology Disc… The recommended state for this setting is: `Disabled`.
Rationale: To help protect fr…
Remediation: To establish the recommended configu…
```
Computer Configuration\Policies\Admin…
```
**Note:** This Group Policy path is pro…

18.5.10 Microsoft Peer-to-Peer Networking Services accepted This section contains recommendations for the Microsoft Peer-to-Peer Networking Services. This Group Policy section is provided by the Group Policy template `P2P-pn…`

18.5.10 18.5.10.… (L2) Ensure 'Turn… accepted full
Description: The Peer Name Resolution Protocol (PNRP) allows for distributed resolution… Peer-to-Peer protocols allow for applications in the areas of RTC, collaborat… The recommended state for this setting is: `Enabled`.
Rationale: This setting enhan…
Remediation: To establish the recommended configu…
```
Computer Configuration\Policies\Admin…
```
**Note:** This Group Policy path is pro…

18.5.10.1 Peer Name Resolution Protocol accepted This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent. This Group Policy section is provided by the Group Policy template `P2P-pn…`

18.5.11 Network Connections accepted This section contains recommendations for Network Connections settings. This Group Policy section is provided by the Group Policy template `Network…`

18.5.11.1 Windows Defender Firewall accepted This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent. **Note:** This section was initially named _Windows Firewall_ but was rena… This Group Policy section is provided by the Group Policy template `Window…`

18.5.12 Network Connectivity Status Indicator accepted This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent. This Group Policy section is provided by the Group Policy template `NCSI.a…`

18.5.13 Network Isolation accepted This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent. This Group Policy section is provided by the Group Policy template `Network…`

18.5.14 Network Provider accepted This section contains recommendations for Network Provider settings. This Group Policy section is provided by the Group Policy template `Network…`

18.5.15 Offline Files accepted This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent. This Group Policy section is provided by the Group Policy template `OfflineF…`

18.5.16 QoS Packet Scheduler accepted This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent. This Group Policy section is provided by the Group Policy template `QOS.ad…`

18.5.17 SNMP accepted This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent. This Group Policy section is provided by the Group Policy template `Snmp.a…`

18.5.18 SSL Configuration Settings accepted This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent. This Group Policy section is provided by the Group Policy template `CipherS…`

18.5.19 TCPIP Settings accepted This section contains TCP/IP configuration settings. This Group Policy section is provided by the Group Policy template `tcpip.ad…`

18.5.19.1 IPv6 Transition Technologies accepted This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent. This Group Policy section is provided by the Group Policy template `tcpip.ad…`

18.5.19.2 Parameters accepted This section contains TCP/IP parameter configuration settings. This Group Policy section is provided by the Group Policy template `tcpip.ad…`

18.5.19.2 18.5.19.2.… (L2) Disable IPv6… accepted full
Description: Internet Protocol version 6 (IPv6) is a set of protocols that computers use to… The recommended state for this setting is: `DisabledComponents - 0xff (255…`
Rationale: Since the vast maj…
Remediation: To establish the recommended configu…
```
HKEY_LOCAL_MACHINE\SYSTEM\C…
```
**Note:** This change does not take ef…
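The rows above describe each setting by its Group Policy UI path, while the Audit column (see the `PreventCodecDownload` entry earlier on this page) names the registry value that backs it. The PowerShell script below is added here as an illustration; it is not part of the CIS benchmark and is not CIS-CAT. It reads the backing registry values for the L2 items in this table (2.3.7.6, 2.3.10.4, the 18.4 MSS settings and the IPv6 `DisabledComponents` item) plus the per-user Windows Media Player setting, and reports pass/fail against the recommended state. Apart from the two locations the page itself shows (`HKEY_USERS\[USER SID]\...\WindowsMediaPlayer:PreventCodecDownload` and the `HKEY_LOCAL_MACHINE\SYSTEM\...` key for `DisabledComponents`), every registry path and value name is supplied from the documented backing keys of these settings and is an assumption to confirm against the Audit procedure of your benchmark; so is the assignment of 18.4.10 to the IPv6 and 18.4.11 to the IPv4 `TcpMaxDataRetransmissions` value. Benchmark numbers are used as they appear on this page.

```powershell
# Added audit example for the registry-backed recommendations above; not CIS's own tooling
# and not text from the benchmark. Registry paths and value names are ASSUMPTIONS taken from
# the documented backing keys of these settings (the page truncates them); verify each one
# against your benchmark's Audit section. Run elevated; the script only reads the registry.

$checks = @(
    # 2.3.7.6  Interactive logon: cached domain logons, '4 or fewer' (stored as a REG_SZ string)
    @{ Id = '2.3.7.6';     Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'CachedLogonsCount';         Op = 'le'; Expect = 4 }
    # 2.3.10.4 Network access: Credential Manager may not store network passwords, 'Enabled'
    @{ Id = '2.3.10.4';    Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                   Name = 'DisableDomainCreds';        Op = 'eq'; Expect = 1 }
    # 18.4.5   MSS KeepAliveTime, 'Enabled: 300,000 or 5 minutes' (value is in milliseconds)
    @{ Id = '18.4.5';      Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters';      Name = 'KeepAliveTime';             Op = 'eq'; Expect = 300000 }
    # 18.4.7   MSS PerformRouterDiscovery (Internet Router Discovery Protocol), 'Disabled'
    @{ Id = '18.4.7';      Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters';      Name = 'PerformRouterDiscovery';    Op = 'eq'; Expect = 0 }
    # 18.4.10 / 18.4.11  MSS TcpMaxDataRetransmissions for IPv6 and IPv4, 'Enabled: 3' (assumed order)
    @{ Id = '18.4.10';     Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters';     Name = 'TcpMaxDataRetransmissions'; Op = 'eq'; Expect = 3 }
    @{ Id = '18.4.11';     Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters';      Name = 'TcpMaxDataRetransmissions'; Op = 'eq'; Expect = 3 }
    # 18.5.19.2.x  Disable IPv6, 'DisabledComponents - 0xff (255)'; takes effect only after a reboot
    @{ Id = '18.5.19.2.x'; Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters';     Name = 'DisabledComponents';        Op = 'eq'; Expect = 0xff }
)

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # $null means the key or value is absent, so the OS default applies. The benchmark
    # wants the value set explicitly, so an absent value is reported as a failure below.
    try { (Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Test-Expected {
    param([hashtable]$Check, $Actual)
    if ($null -eq $Actual) { return $false }
    try { $n = [int64]$Actual } catch { return $false }   # REG_SZ numbers such as CachedLogonsCount are cast
    switch ($Check.Op) {
        'eq' { return ($n -eq $Check.Expect) }
        'le' { return ($n -le $Check.Expect) }
    }
    return $false
}

$results = @(foreach ($c in $checks) {
    $actual = Get-RegValue -Path $c.Path -Name $c.Name
    [pscustomobject]@{
        Id       = $c.Id
        Value    = "$($c.Path)\$($c.Name)"
        Expected = "$($c.Op) $($c.Expect)"
        Actual   = $actual
        Pass     = Test-Expected -Check $c -Actual $actual
    }
})

# Per-user setting: 'Prevent Codec Download' lives under HKEY_USERS\[USER SID]\...\WindowsMediaPlayer,
# so it is checked in every loaded user hive rather than once under HKLM. Only profiles whose hives
# are loaded (logged-on users and the current session) are visible; *_Classes hives and well-known
# SIDs are skipped.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}
$userHives = Get-ChildItem -Path 'HKU:\' |
    Where-Object { $_.PSChildName -like 'S-1-5-21-*' -and $_.PSChildName -notlike '*_Classes' }
$results += @(foreach ($hive in $userHives) {
    $path   = "HKU:\$($hive.PSChildName)\SOFTWARE\Policies\Microsoft\WindowsMediaPlayer"
    $actual = Get-RegValue -Path $path -Name 'PreventCodecDownload'
    [pscustomobject]@{
        Id       = 'WMP PreventCodecDownload'
        Value    = "$path\PreventCodecDownload"
        Expected = 'eq 1'
        Actual   = $actual
        Pass     = ($actual -eq 1)
    }
})

$results | Format-Table -AutoSize
```

Two things this shows that the table rows alone do not: an absent value counts as a failure, because the benchmark prescribes an explicit setting rather than relying on the OS default, and a per-user policy such as the Windows Media Player one has to be evaluated under each loaded user SID, so a machine can pass for the administrator running the audit and still fail for other profiles. The IPv6 `DisabledComponents` check reads the stored value, which matches the row's note that the change only takes effect after a restart: a compliant registry value does not mean the stack is disabled yet.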
18.5.20 Windows Connect accepted **Note:** This change does not take ef
Group setting
This policy Policy section is provided
allows the byestablish
configuration
```
To the
ofGroup
wirelessPolicy
the template
settings
recommendedusing`Window
Window
configu
18.5.20 18.5.20. (L2) Ensure 'Confi acceptedfull **Note #2:**
This setting enhanComputer Although Microsoft does n
Configuration\Policies\Admin
The recommended
This state foraccess
policy setting prohibits this setting
to``` is: `Disabled`.
Windows Connect Now (WCN) wizard
18.5.20 18.5.20. (L2) Ensure 'Prohi acceptedfull Allowing standard Computer Configuration\Policies\Admin
The recommended
This section containsstate
recommendations **Note:**
for this setting
```
To is: Thisthe
for`Enabled`.
Windows
establish Group Policy path
Connection
recommended is pros
Manager
configu
18.5.21 Windows Connect accepted
Group setting
This policy Policy section
preventsiscomputers **Note:**
provided```by This Group
the connecting
from Group Policy Policya path
to template
both mayban
`WCM.a
domain
18.5.21 18.5.21. (L2) Ensure 'Prohi acceptedfull The potential concComputer Configuration\Policies\Admin
The recommended
This state forblank
section is intentionally this setting
and``` is: `Enabled`.
exists to ensure the structure of Windo
18.6 Printers accepted
Group Policy
This section section isblank
is intentionally and**Note:**
provided by the to
exists This
Group Group
Policy
ensure Policy path
the template
structure of may
`Windown
Windo
18.7 Start Menu and T accepted
Group Policy
This section section
contains is provided by for
recommendations theSystem
Group Policy template `Window
settings.
18.8 System accepted
Group Policy
This section section isblank
is intentionally provided
and by the to
exists Group Policy
ensure the template
structure `Window
of Windo
18.8.1 Access-Denied Asaccepted
This Group
sectionPolicy section isblank
is intentionally provided
and by the to
exists Group Policy
ensure the template
structure `srm-fci.
of Windo
18.8.2 App-V accepted
This Group
sectionPolicy section
contains is provided
settings byauditing
related to the Group Policy template
of process creation`appv.ad
events.
18.8.3 Audit Process Cre accepted
Group Policy
This section section
contains is provided
settings byCredential
related to the Group Delegation.
Policy template `AuditSe
18.8.4 Credentials Deleg accepted
Group Policy
This section section isblank
is intentionally provided
and by the to
exists Group Policy
ensure the template
structure `CredSs
of Windo
18.8.5 Device Guard accepted
Group Policy
This section section isblank
is intentionally provided
and by the to
exists Group Policy
ensure the template
structure `DeviceG
of Windo
18.8.6 Device Health Atteaccepted
This Group Policy section is provided by the Group Policy template `TPM.ad
This section is intentionally blank and exists to ensure the structure of Windo
18.8.7 Device Installationdraft
This Group Policy section is provided by the Group Policy template `DeviceI

18.8.8 Device Redirectio accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `DeviceR

18.8.9 Disk NV Cache accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `DiskNV

18.8.10 Disk Quotas accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `DiskQu

18.8.11 Display accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `Display

18.8.12 Distributed COM accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `DCOM.

18.8.13 Driver Installation accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `DeviceI

18.8.14 Early Launch Anti accepted
This section contains recommendations for configuring boot-start driver initia
This Group Policy section is provided by the Group Policy template `EarlyLa

18.8.15 Enhanced Storage accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `Enhanc

18.8.16 File Classification accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `srm-fci.

18.8.17 File Share Shado accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `FileServ

18.8.18 File Share Shado accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy templates `FileSe

18.8.19 Filesystem (forme accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `FileSys
**Note:** This section was initially named _NTFS Filesystem_ but was renam

18.8.20 Folder Redirection accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `FolderR

18.8.21 Group Policy accepted
This section contains recommendations for configuring group policy-related
This Group Policy section is provided by the Group Policy template `GroupP

18.8.21.1 Logging and traci accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `GroupP

18.8.22 Internet Communi accepted
This section contains recommendations related to Internet Communication Management
This Group Policy section is provided by the Group Policy template `Window

18.8.22.1 Internet Communic accepted
This section contains recommendations related to Internet Communication settings.
This Group Policy section is provided by the Group Policy template `Window

18.8.22. 18.8.22.1 (L2) Ensure 'Turn o accepted full
This setting turns off data sharing from the handwriting recognition personal
The handwriting recognition personalization tool enables Tablet PC users to
A person's handwri
The recommended state for this setting is: `Enabled`.
To establish the recommended configu
```
Computer Configuration\Policies\Admin
```
**Note:** This Group Policy path is pro

18.8.22. 18.8.22.1 (L2) Ensure 'Turn o accepted full
Turns off the handwriting recognition error reporting tool.
The handwriting recognition error reporting tool enables users to report error
The recommended state for this setting is: `Enabled`.
To establish the recommended configu
```
Computer Configuration\Policies\Admin
```
**Note:** This Group Policy path may n

18.8.22. 18.8.22.1 (L2) Ensure 'Turn accepted full
This policy setting specifies whether the Internet Connection Wizard can con
In an enterprise m
The recommended state for this setting is: `Enabled`.
To establish the recommended configu
```
Computer Configuration\Policies\Admin
```
**Note:** This Group Policy path is pro

18.8.22. 18.8.22.1 (L2) Ensure 'Turn o accepted full
This policy setting specifies whether the Windows Registration Wizard conn
Users in an enterp
The recommended state for this setting is: `Enabled`.
To establish the recommended configu
```
Computer Configuration\Policies\Admin
```
**Note:** This Group Policy path is pro

18.8.22. 18.8.22.1 (L2) Ensure 'Turn accepted full
This policy setting specifies whether Search Companion should automatical
There is a small r
The recommended state for this setting is: `Enabled`.
To establish the recommended configu
```
Computer Configuration\Policies\Admin
```
**Note:** This Group Policy path is pro

18.8.22. 18.8.22.1 (L2) Ensure 'Turn o accepted full
This policy setting specifies whether the "Order Prints Online" task is availab
The Order Prints Online Wizard is used to download a list of providers and a
In an enterprise m
The recommended state for this setting is: `Enabled`.
To establish the recommended configu
```
Computer Configuration\Policies\Admin
```
**Note:** This Group Policy path is pro

18.8.22. 18.8.22. (L2) Ensure 'Turn o accepted full
This policy setting specifies whether the tasks Publish this file to the Web, P
Users may publish c
The recommended state for this setting is: `Enabled`.
To establish the recommended configu
```
Computer Configuration\Policies\Admin
```
**Note:** This Group Policy path is pro

18.8.22. 18.8.22. (L2) Ensure 'Turn accepted full
This policy setting specifies whether Windows Messenger can collect anony
Large enterprise
The recommended state for this setting is: `Enabled`.
To establish the recommended configu
```
Computer Configuration\Policies\Admin
```
**Note:** This Group Policy path is pro

18.8.22. 18.8.22. (L2) Ensure 'Turn accepted full
This policy setting specifies whether Windows Messenger can collect anony
Microsoft uses information collected through the Windows Customer Experie
Large enterprise
The recommended state for this setting is: `Enabled`.
To establish the recommended configu
```
Computer Configuration\Policies\Admin
```
**Note:** This Group Policy path is pro

18.8.22. 18.8.22. (L2) Ensure 'Turn accepted full
This policy setting controls whether or not errors are reported to Microsoft.
Error Reporting is used to report information about a system or application th
If a Windows Error
The recommended state for this setting is: `Enabled`.
To establish the recommended configu
```
Computer Configuration\Policies\Admin
```
**Note:** This Group Policy path is pro

18.8.23 iSCSI accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `iSCSI.a

18.8.24 KDC accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `KDC.ad

18.8.25 Kerberos draft
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `Kerbero

18.8.26 Locale Services accepted
This section contains recommendations for Locale Services settings.
This Group Policy section is provided by the Group Policy template `Globaliz

18.8.26 18.8.26. (L2) Ensure 'Disal accepted full
This policy setting prevents automatic copying of user input methods to the system
This is a way to i
The recommended state for this setting is: `Enabled`.
To establish the recommended configu
```
Computer Configuration\Policies\Admin
```
**Note:** This Group Policy path may n

18.8.27 Logon accepted
This section contains recommendations related to the logon process and loc
This Group Policy section is provided by the Group Policy template `Logon.a

18.8.28 Mitigation Options draft
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `GroupP

18.8.29 Net Logon accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `Netlogo

18.8.30 OS Policies accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `OSPolic

18.8.31 Performance Contr accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `PerfCen

18.8.32 PIN Complexity accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `Passpo

18.8.33 Power Manageme accepted
This section contains recommendations for Power Management settings.
This Group Policy section is provided by the Group Policy template `Power.a

18.8.33.1 Button Settings accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `Power.a

18.8.33.2 Energy Saver Sett accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `Power.a

18.8.33.3 Hard Disk Setting accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `Power.a

18.8.33.4 Notification Settin accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `Power.a

18.8.33.5 Power Throttling S accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `Power.a

18.8.33.6 Sleep Settings accepted
This section contains recommendations related to Power Management Slee
This Group Policy section is provided by the Group Policy template `Power.a

18.8.34 Recovery accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `ReAgen

18.8.35 Remote Assistanc accepted
This section contains recommendations related to Remote Assistance.
This Group Policy section is provided by the Group Policy template `Remote

18.8.36 Remote Procedure accepted
This section contains recommendations related to Remote Procedure Call.
This Group Policy section is provided by the Group Policy template `RPC.ad

18.8.36 18.8.36. (L2) Ensure 'Restr accepted full
This policy setting controls how the RPC server runtime handles unauthentic
This policy setting impacts all RPC applications. In a domain environment th
A client will be considered an authenticated client if it uses a named pipe to
-- "**None**" allows all RPC clients to connect to RPC Servers running on th
-- "**Authenticated**" allows only authenticated RPC Clients (per the definiti
-- "**Authenticated without exceptions**" allows only authenticated RPC Clie
Unauthenticated R
The recommended state for this setting is: `Enabled: Authenticated`.
To establish the recommended configu
```
Computer Configuration\Policies\Admin
```
**Note:** This policy setting will not be applied until the system is rebooted.
**Note:** This Group Policy path may n

18.8.37 Removable Storag accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `Remova

18.8.38 Scripts accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `Scripts.

18.8.39 Server Manager accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `ServerM

18.8.40 Shutdown accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `WinInit.

18.8.41 Shutdown Options accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `Winsrv.

18.8.42 Storage Health accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `Storage

18.8.43 System Restore accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `System

18.8.44 Troubleshooting a accepted
This section contains recommendations related to Troubleshooting and Diag
This Group Policy section is provided by the Group Policy template `Window

18.8.44.1 Application Compat accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `pca.adm

18.8.44.2 Corrupted File Re accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `FileRec

18.8.44.3 Disk Diagnostic accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `DiskDia

18.8.44.4 Fault Tolerant He accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `fthsvc.a

18.8.44.5 Microsoft Support accepted
This section contains recommendations related to the Microsoft Support Dia
This Group Policy section is provided by the Group Policy template `MSDT.a

18.8.44. 18.8.44.5 (L2) Ensure 'Micro accepted full
This policy setting configures Microsoft Support Diagnostic Tool (MSDT) inte
Due to privacy con
The recommended state for this setting is: `Disabled`.
To establish the recommended configu
```
Computer Configuration\Policies\Admin
```
**Note:** This Group Policy path may n

18.8.44.6 MSI Corrupted Fil accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `Msi-File

18.8.44.7 Scheduled Mainte accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `sdiagsc

18.8.44.8 Scripted Diagnost accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `sdiagen

18.8.44.9 Windows Boot Per accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `Perform

18.8.44.10 Windows Memory accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `LeakDia

18.8.44.11 Windows Performa accepted
This section contains recommendations related to Windows Performance Pe
This Group Policy section is provided by the Group Policy template `Perform

18.8.44. 18.8.44. (L2) Ensure 'Enabl accepted full
This policy setting specifies whether to enable or disable tracking of respons
When enabled the a
The recommended state for this setting is: `Disabled`.
To establish the recommended configu
```
Computer Configuration\Policies\Admin
```
**Note:** This Group Policy path may n

18.8.45 Trusted Platform accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `TPM.ad

18.8.46 User Profiles accepted
This section contains recommendations related to User Profiles.
This Group Policy section is provided by the Group Policy template `UserPro

18.8.46 18.8.46. (L2) Ensure 'Turn o accepted full
This policy setting turns off the advertising ID, preventing apps from using th
Tracking user acti
The recommended state for this setting is: `Enabled`.
To establish the recommended configu
```
Computer Configuration\Policies\Admin
```
**Note:** This Group Policy path may n

18.8.47 Windows File Prot accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `Window

18.8.48 Windows HotStart accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `HotStar

18.8.49 Windows Time Ser accepted
This section contains recommendations related to the Windows Time Servic
This Group Policy section is provided by the Group Policy template `W32Tim

18.8.49.1 Time Providers accepted
This section contains recommendations related to Time Providers.
This Group Policy section is provided by the Group Policy template `W32Tim

18.8.49. 18.8.49.1 (L2) Ensure 'Enabl accepted full
This policy setting specifies whether the Windows NTP Client is enabled. En
A reliable and acc
The recommended state for this setting is: `Enabled`.
To establish the recommended configu
```
Computer Configuration\Policies\Admin
```
**Note:** This Group Policy path is pro

18.8.49. 18.8.49.1 (L2) Ensure 'Enabl accepted full
This policy setting allows you to specify whether the Windows NTP Server is
The configuration
The recommended state for this setting is: `Disabled`.
To establish the recommended configu
```
Computer Configuration\Policies\Admin
```
**Note:** In most enterprise managed environments, you should _not_ disab
**Note:** This Group Policy path is pro

18.9 Windows Compon accepted
This section contains recommendations for Windows Component settings.
This Group Policy section is provided by the Group Policy template `Window

18.9.1 Active Directory F accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `adfs.ad

18.9.2 ActiveX Installer accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `ActiveX

18.9.3 Add features to W accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `Window
**Note:** This section was initially named _Windows Anytime Upgrade_ but

18.9.4 App Package Dep draft
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `AppxPa

18.9.5 App Privacy accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `AppPriv

18.9.6 App runtime accepted
This section contains recommendations for App runtime settings.
This Group Policy section is provided by the Group Policy template `AppXRu

18.9.7 Application Compat accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `AppCom

18.9.8 AutoPlay Policies accepted
This section contains recommendations for AutoPlay policies.
This Group Policy section is provided by the Group Policy template `AutoPla

18.9.9 Backup accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `UserDa

18.9.10 Biometrics draft
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `Biometr

18.9.11 BitLocker Drive En accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `Volume

18.9.12 Camera draft
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `Camera

18.9.13 Cloud Content draft
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `CloudC

18.9.14 Connect draft
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `Wireles

18.9.15 Credential User In accepted
This section contains recommendations related to the Credential User Interf
This Group Policy section is provided by the Group Policy template `CredUI.

18.9.16 Data Collection a draft
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `Window

18.9.17 Delivery Optimizat accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `Delivery

18.9.18 Desktop Gadgets draft
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `Sidebar

18.9.19 Desktop Window accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `DWM.a

18.9.20 Device and Driver accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `DeviceC

18.9.21 Device Registratio accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `Workpla

**Note:** This section was initially named _Workplace Join_ but was rename

18.9.22 Digital Locker accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `DigitalL

18.9.23 Edge UI accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `EdgeUI

18.9.24 EMET accepted
This section contains recommendations for configuring Microsoft Enhanced
This Group Policy section is provided by the Group Policy template `EMET.a
EMET is free and supported security software developed by Microsoft that a
**Note:** Although EMET is quite effective at enhancing exploit protection on
**Note #2:** EMET has been reported to be very problematic on 32-bit OSes
**Note #3:** Microsoft has announced that EMET will be End-Of-Life (EOL)

18.9.25 Event Forwarding accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `EventFo

18.9.26 Event Log Service accepted
This section contains recommendations for configuring the Event Log Servic
This Group Policy section is provided by the Group Policy template `EventLo

18.9.26.1 Application accepted
This section contains recommendations for configuring the Application Even
This Group Policy section is provided by the Group Policy template `EventLo

18.9.26.2 Security accepted
This section contains recommendations for configuring the Security Event L
This Group Policy section is provided by the Group Policy template `EventLo

18.9.26.3 Setup accepted
This section contains recommendations for configuring the Setup Event Log
This Group Policy section is provided by the Group Policy template `EventLo

18.9.26.4 System accepted
This section contains recommendations for configuring the System Event Lo
This Group Policy section is provided by the Group Policy template `EventLo

18.9.27 Event Logging accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `EventLo

18.9.28 Event Viewer accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `EventV
18.9.29 Family Safety (for accepted
This section contains recommendations to control the availability of options
This Group Policy section is provided by the Group Policy template `Parenta
**Note:** This section was initially named _Parental Controls_ but was renam

18.9.30 File Explorer (for accepted
This Group Policy section is provided by the Group Policy template `Window
**Note:** This section was initially named _Windows Explorer_ but was rena

18.9.30.1 Previous Versions accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `Previou

18.9.31 File History accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `FileHist

18.9.32 Find My Device accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `FindMy

18.9.33 Game Explorer accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `GameE

18.9.34 Handwriting accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `Handwr

18.9.35 HomeGroup accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `Sharing

18.9.36 Import Video accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `Capture

18.9.37 Internet Explorer accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `InetRes

18.9.38 Internet Informati accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `IIS.adm

18.9.39 Location and Sens accepted
This section contains settings for Locations and Sensors.
This Group Policy section is provided by the Group Policy template `Sensors

18.9.39 18.9.39. (L2) Ensure 'Turn o accepted full
This policy setting turns off the location feature for the computer.
This setting affec
The recommended state for this setting is: `Enabled`.
To establish the recommended configu
```
Computer Configuration\Policies\Admin
```
**Note:** This Group Policy path may n

18.9.39.1 Windows Location accepted
This section contains settings for Windows Location Provider.
This Group Policy section is provided by the Group Policy template `Locatio

18.9.39. 18.9.39.1 (L2) Ensure 'Turn accepted full
This policy setting turns off the Windows Location Provider feature for the co
This setting affec
The recommended state for this setting is: `Enabled`.
To establish the recommended configu
```
Computer Configuration\Policies\Admin
```
**Note:** This Group Policy path may n

18.9.40 Maintenance Sche accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `msched

18.9.41 Maps accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `WinMap

18.9.42 MDM accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `MDM.a

18.9.43 Messaging accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `Messag

18.9.44 Microsoft account draft
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `MSAPo

18.9.45 Microsoft Edge accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `Microso

18.9.46 Microsoft FIDO Au accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `FidoAut

18.9.47 Microsoft Seconda accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `DeviceC

18.9.48 Microsoft User Exp accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `UserEx

18.9.49 NetMeeting accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `Conf.ad

18.9.50 Network Access Pr accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `NAPXP

18.9.51 Network Projector accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `Network

18.9.52 OneDrive (formerl accepted
This section contains recommendations related to OneDrive.
The Group Policy settings contained within this section are provided by the G
**Note:** This section was initially named _SkyDrive_ but was renamed by M

18.9.53 Online Assistance accepted
This section is intentionally blank and exists to ensure the structure of Windo
Group Policy
This section section isblank
is intentionally provided
and by the to
exists Group Policy
ensure the template
structure `HelpAn
of Windo
18.9.54 Password Synchroaccepted
Group Policy
This section section isblank
is intentionally provided
and by the to
exists Group Policy
ensure the template
structure `PswdSy
of Windo
18.9.55 Portable Operatin accepted
Group Policy
This section section isblank
is intentionally provided
and by the to
exists Group Policy
ensure the template
structure `Externa
of Windo
18.9.56 Presentation Setti accepted
Group Policy
This section section isblank
is intentionally provided
and by the to
exists Group Policy
ensure the template
structure `MobileP
of Windo
18.9.57 Push To Install accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `PushTo

18.9.58 Remote Desktop Se accepted
This section contains recommendations related to Remote Desktop Services
This Group Policy section is provided by the Group Policy template `Termina
**Note:** This section was initially named _Terminal Services_ but was rena

18.9.58.1 RD Licensing (for accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Termina
**Note:** This section was initially named _TS Licensing_ but was renamed

18.9.58.2 Remote Desktop C accepted
This section contains recommendations for the Remote Desktop Connection
This Group Policy section is provided by the Group Policy template `Termina

18.9.58.2.1 RemoteFX USB Dev accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Termina

18.9.58.3 Remote Desktop Se accepted
This section contains recommendations for the Remote Desktop Session Ho
This Group Policy section is provided by the Group Policy template `Termina
**Note:** This section was initially named _Terminal Server_ but was renam

18.9.58.3.1 Application Compat accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Termina

18.9.58.3.2 Connections accepted
This section contains recommendations for Connections to the Remote Des
This Group Policy section is provided by the Group Policy template `Termina

18.9.58.3 18.9.58.3 (L2) Ensure 'Restr accepted full
This policy setting allows you to restrict users to a single Remote Desktop S
This setting ensur
To establish the recommended configu
```
Computer Configuration\Policies\Admin
```
The recommended state for this setting is: `Enabled`.
**Note:** This Group Policy path is pro

18.9.58.3.3 Device and Resour accepted
This section contains recommendations related to the Remote Desktop Session
This Group Policy section is provided by the Group Policy template `Termina

18.9.58.3 18.9.58.3 (L2) Ensure 'Do no accepted full
This policy setting specifies whether to prevent the redirection of data to clie
In a more security
To establish the recommended configu
```
Computer Configuration\Policies\Admin
```
The recommended state for this setting is: `Enabled`.
**Note:** This Group Policy path is pro
**Note #2:** In older Microsoft Window

18.9.58.3 18.9.58.3 (L2) Ensure 'Do not accepted full
This policy setting specifies whether to prevent the redirection of data to clie
In a more security
To establish the recommended configu
```
Computer Configuration\Policies\Admin
```
The recommended state for this setting is: `Enabled`.
**Note:** This Group Policy path is pro

18.9.58.3 18.9.58.3 (L2) Ensure 'Do no accepted full
This policy setting allows you to control the redirection of supported Plug an
In a more security
To establish the recommended configu
```
Computer Configuration\Policies\Admin
```
The recommended state for this setting is: `Enabled`.
**Note:** This Group Policy path is pro
18.9.58.3.4 Licensing accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Termina

18.9.58.3.5 Printer Redirectio accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Termina

18.9.58.3.6 Profiles accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Termina

18.9.58.3.7 RD Connection Bro accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Termina
**Note:** This section was initially named _TS Connection Broker_ but was

18.9.58.3.8 Remote Session E accepted
This section contains recommendations related to Remote Desktop Session
This Group Policy section is provided by the Group Policy template `Termina
18.9.58.3.9 Security accepted
This section contains recommendations related to Remote Desktop Session
This Group Policy section is provided by the Group Policy template `Termina

18.9.58.3.10 Session Time Limi accepted
This section contains recommendations related to Remote Desktop Session
This Group Policy section is provided by the Group Policy template `Termina

18.9.58. 18.9.58.3 (L2) Ensure 'Set t accepted full
This policy setting allows you to specify the maximum amount of time that an
This setting helps
To establish the recommended configu
```
Computer Configuration\Policies\Admin
```
The recommended state for this setting is: `Enabled: 15 minutes or less`.
**Note:** This Group Policy path is pro

18.9.58. 18.9.58.3 (L2) Ensure 'Set ti accepted full
This policy setting allows you to configure a time limit for disconnected Rem
This setting helps
To establish the recommended configu
```
Computer Configuration\Policies\Admin
```
The recommended state for this setting is: `Enabled: 1 minute`.
**Note:** This Group Policy path is pro
**Note #2:** In older Microsoft Window

18.9.58.3.11 Temporary folders accepted
This section contains recommendations related to Remote Desktop Session
This Group Policy section is provided by the Group Policy template `Termina

18.9.59 RSS Feeds accepted
This section contains recommendations related to RSS feeds.
This Group Policy section is provided by the Group Policy template `InetRes

18.9.60 Search accepted
This section contains recommendations for Search settings.
This Group Policy section is provided by the Group Policy template `Search.

18.9.60 18.9.60. (L2) Ensure 'Set w accepted full
Various levels of information can be shared with Bing in Search, to include u
Limiting the searc
To establish the recommended configu
```
Computer Configuration\Policies\Admin
```
The recommended state for this setting is: `Enabled: Anonymous info`.
**Note:** This Group Policy path may n

18.9.60.1 OCR accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `SearchO
18.9.61 Security Center accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Security

18.9.62 Server for NIS accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Snis.ad

18.9.63 Shutdown Options accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `WinInit.
18.9.64 Smart Card accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `SmartC

18.9.65 Software Protectio accepted
This section contains recommendations related to the Software Protection P
This Group Policy section is provided by the Group Policy template `AVSVa

18.9.65 18.9.65. (L2) Ensure 'Turn accepted full
The Key Management Service (KMS) is a Microsoft license activation metho
Even though the KM
To establish the recommended configu
```
Computer Configuration\Policies\Admin
```
The recommended state for this setting is: `Enabled`.
**Note:** This Group Policy path may n

18.9.66 Sound Recorder accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `SoundR
18.9.67 Speech accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Speech

18.9.68 Store accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `WinSto

18.9.69 Sync your settings accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `SettingS

18.9.70 Tablet PC accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Window

18.9.71 Task Scheduler accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `TaskSc

18.9.72 Text Input accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `TextInp

18.9.73 Windows Calenda accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `WinCal

18.9.74 Windows Color S accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Window
18.9.75 Windows Customer accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `CEIPEn

18.9.76 Windows Defender accepted
This section contains recommendations related to Windows Defender Antivi
This Group Policy section is provided by the Group Policy template `Window
**Note:** This section was originally named _Windows Defender_ but was re

18.9.76.1 Client Interface accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Window

18.9.76.2 Exclusions accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Window

18.9.76.3 MAPS accepted
This section contains recommendations related to Microsoft Active Protectio
This Group Policy section is provided by the Group Policy template `Window

18.9.76. 18.9.76.3 (L2) Ensure 'Join accepted full
This policy setting allows you to join Microsoft Active Protection Service (MA
Possible options are:
- (0x0) Disabled (default)
- (0x1) Basic membership
- (0x2) Advanced membership
**Basic membership** will send basic information to Microsoft about softwar
**Advanced membership** in addition to basic information will send more inf
The information that would be sent can include things like
For privacy reasons in high security environments, it is be
To establish the recommended configu
```
Computer Configuration\Policies\Admin
```
The recommended state for this setting is: `Disabled`.
**Note:** This Group Policy path may n

18.9.76.4 MpEngine accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Window

18.9.76.5 Network Inspecti accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Window

18.9.76.6 Quarantine accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Window

18.9.76.7 Real-time Protecti accepted
This section contains settings related to Real-time Protection.
This Group Policy section is provided by the Group Policy template `Window

18.9.76.8 Remediation accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Window

18.9.76.9 Reporting accepted
This section contains settings related to Windows Defender Reporting.
This Group Policy section is provided by the Group Policy template `Window

18.9.76. 18.9.76.9 (L2) Ensure 'Confi accepted full
This policy setting allows you to configure whether or not Watson events are
Watson events are
To establish the recommended configu
```
Computer Configuration\Policies\Admin
```
The recommended state for this setting is: `Disabled`.
**Note:** This Group Policy path may n

18.9.76.10 Scan accepted
This section contains settings related to Windows Defender scanning.
This Group Policy section is provided by the Group Policy template `Window

18.9.76.11 Signature Update accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Window

18.9.76.12 Threats accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Window

18.9.76.13 Windows Defender accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Window
18.9.77 Windows Defender accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `AppHVS

18.9.78 Windows Defender accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `ExploitG

18.9.79 Windows Defender accepted
This section contains Windows Defender SmartScreen settings.
This Group Policy section is provided by the Group Policy template `Window

18.9.80 Windows Defende accepted
This section contains recommendations for Explorer-related Windows Defen
This Group Policy section is provided by the Group Policy template `SmartS

18.9.80.1 Explorer accepted
The Group Policy settings contained within this section are provided by the G

18.9.81 Windows Error Re accepted
This section contains recommendations related to Windows Error Reporting
This Group Policy section is provided by the Group Policy template `ErrorRe

18.9.81.1 Advanced Error Re accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `ErrorRe

18.9.81.2 Consent accepted
This section contains recommendations related to Windows Error Reporting
This Group Policy section is provided by the Group Policy template `ErrorRe
18.9.82 Windows Game Rec accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `GameD

18.9.83 Windows Hello for accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Passpo
**Note:** This section was initially named _Microsoft Passport for Work_ but

18.9.84 Windows Ink Wor draft
This Group Policy section is provided by the Group Policy template `Window

18.9.85 Windows Installer accepted
This section contains recommendations related to Windows Installer.
This Group Policy section is provided by the Group Policy template `MSI.adm

18.9.85 18.9.85. (L2) Ensure 'Preven accepted full
This policy setting controls whether Web-based programs are allowed to ins
Suppressing the sy
To establish the recommended configu
```
Computer Configuration\Policies\Admin
```
The recommended state for this setting is: `Disabled`.
**Note:** This Group Policy path is pro
**Note #2:** In older Microsoft Window

18.9.86 Windows Logon Op accepted
This section contains recommendations related to Windows Logon Options.
This Group Policy section is provided by the Group Policy template `WinLog

18.9.87 Windows Mail accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Window
18.9.88 Windows Media C accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `MediaC

18.9.89 Windows Media Di accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Window

18.9.90 Windows Media Pl accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Window

18.9.91 Windows Meeting accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Window

18.9.92 Windows Messeng accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Window

18.9.93 Windows Mobility accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `MobileP

18.9.94 Windows Movie M accepted
This Group Policy section is provided by the Group Policy template `MovieM

18.9.95 Windows PowerSh accepted
This section contains recommendations related to Windows PowerShell.
This Group Policy section is provided by the Group Policy template `PowerS

18.9.96 Windows Reliabilit accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `RacWm

18.9.97 Windows Remote accepted
This section contains recommendations related to Windows Remote Manag
This Group Policy section is provided by the Group Policy template `Window
18.9.97.1 WinRM Client accepted
This section contains recommendations related to the Windows Remote Ma
This Group Policy section is provided by the Group Policy template `Window

18.9.97.2 WinRM Service accepted
This Group Policy section is provided by the Group Policy template `Window

18.9.97. 18.9.97.2 (L2) Ensure 'Allo accepted full
This policy setting allows you to manage whether the Windows Remote Man
Any feature is a p
To establish the recommended configu
```
Computer Configuration\Administrative
```
The recommended state for this setting is: `Disabled`.
**Note:** This Group Policy path is pro
**Note #2:** In older Microsoft Window

18.9.98 Windows Remote accepted
This section contains settings related to Windows Remote Shell (WinRS).
This Group Policy section is provided by the Group Policy template `Window

18.9.98 18.9.98. (L2) Ensure 'Allow accepted full
This policy setting allows you to manage configuration of remote access to a
Any feature is a p
To establish the recommended configu
```
Computer Configuration\Administrative
```
The recommended state for this setting is: `Disabled`.
**Note:** The GPME help text for this setting is incorrectly worded, implying
**Note:** This Group Policy path is pro

18.9.99 Windows SideSho accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `SideSh

18.9.100 Windows System accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `System

18.9.101 Windows Update accepted
This section contains recommendations related to Windows Update.
This Group Policy section is provided by the Group Policy template `Window

18.9.101.1 Windows Update fo draft
This Group Policy section is provided by the Group Policy template `Window
**Note:** This section was initially named _Defer Windows Updates_ but wa
19 Administrative Te accepted
This section contains user-based recommendations from Group Policy Adm

19.1 Control Panel accepted
This section contains recommendations for Control Panel settings.
This Group Policy section is provided by the Group Policy template `Window

19.1.1 Add or Remove P accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `AddRem

19.1.2 Display accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Control

19.1.3 Personalization ( accepted
This section contains recommendations for personalization settings.
This Group Policy section is provided by the Group Policy template `Control
**Note:** This section was initially named _Desktop Themes_ but was renam

19.2 Desktop accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Window

19.3 Network accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Window
19.4 Shared Folders accepted
This Group Policy section is provided by the Group Policy template `Shared

19.5 Start Menu and T accepted
This section contains recommendations for Start Menu and Taskbar settings
This Group Policy section is provided by the Group Policy template `Window

19.5.1 Notifications accepted
This section contains recommendations for Notification settings.
This Group Policy section is provided by the Group Policy template `WPN.ad

19.6 System accepted
This section contains recommendations for System settings.
This Group Policy section is provided by the Group Policy template `Window

19.6.1 Ctrl+Alt+Del Opti accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `CtrlAltD

19.6.2 Driver Installation accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `DeviceI

19.6.3 Folder Redirection accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `FolderR

19.6.4 Group Policy accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `GroupPM

19.6.5 Internet Communi accepted
This section contains recommendations related to Internet Communication
This Group Policy section is provided by the Group Policy template `Window

19.6.5.1 Internet Communic accepted
This section contains recommendations related to Internet Communication
This Group Policy section is provided by the Group Policy template `Window

19.6.5.1 19.6.5.1. (L2) Ensure 'Turn accepted full
This policy setting specifies whether users can participate in the Help Exper
Large enterprise
To establish the recommended configu
```
User Configuration\Policies\Administra
```
The recommended state for this setting is: `Enabled`.
**Note:** This Group Policy path is pro

19.7 Windows Compon accepted
This section contains recommendations for Windows Component settings.
This Group Policy section is provided by the Group Policy template `Window
19.7.1 Add features to W accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Window
**Note:** This section was initially named _Windows Anytime Upgrade_ but

19.7.2 App runtime accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `AppXRu

19.7.3 Application Compat accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `AppCom

19.7.4 Attachment Manag accepted
This section contains recommendations related to Attachment Manager.
This Group Policy section is provided by the Group Policy template `Attachm

19.7.5 AutoPlay Policies accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `AutoPla

19.7.6 Backup accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `UserDa

19.7.7 Cloud Content draft
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `CloudC

19.7.8 Credential User In accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `C
redUI.

19.7.9 Data Collection a accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `DataCo

19.7.10 Desktop Gadgets accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Sidebar

19.7.11 Desktop Window accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `DWM.a

19.7.12 Digital Locker accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `DigitalL

19.7.13 Edge UI accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `EdgeUI

19.7.14 File Explorer (for accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Window
**Note:** This section was initially named _Windows Explorer_ but was rena

19.7.15 File Revocation accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `FileRev
19.7.16 IME accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `EAIME.

19.7.17 Import Video accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Capture

19.7.18 Instant Search accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `WordW

19.7.19 Internet Explorer accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `InetRes

19.7.20 Location and Sens accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Sensors

19.7.21 Microsoft Edge accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Microso

19.7.22 Microsoft Manage accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `MMC.a

19.7.23 Microsoft User Exp accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `UserEx

19.7.24 NetMeeting accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Conf.ad

19.7.25 Network Projector accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Network

19.7.26 Network Sharing accepted
This section contains recommendations related to Network Sharing.
This Group Policy section is provided by the Group Policy template `Sharing

19.7.27 Presentation Setti accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `MobileP

19.7.28 Remote Desktop Se accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Termina
**Note:** This section was initially named _Terminal Services_ but was rena

19.7.29 RSS Feeds accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `InetRes

19.7.30 Search accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Search.

19.7.31 Sound Recorder accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `SoundR
19.7.32 Store accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `WinSto

19.7.33 Tablet PC accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Window

19.7.34 Task Scheduler accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `TaskSc

19.7.35 Windows Calenda accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `WinCal

19.7.36 Windows Color S accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Window

19.7.37 Windows Defende accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `SmartS

19.7.38 Windows Error Re accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `ErrorRe

19.7.39 Windows Hello for accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Passpo
**Note:** This section was initially named _Microsoft Passport for Work_ but

19.7.40 Windows Installer accepted
This section contains recommendations related to Windows Installer.
This Group Policy section is provided by the Group Policy template `MSI.adm

19.7.41 Windows Logon Op accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `WinLog

19.7.42 Windows Mail accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Window

19.7.43 Windows Media C accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `MediaC

19.7.44 Windows Media Pl accepted
This section contains recommendations related to Windows Media Player.
This Group Policy section is provided by the Group Policy template `Window

19.7.44.1 Networking accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Window

19.7.44.2 Playback accepted
This section contains recommendations related to Windows Media Player pl
This Group Policy section is provided by the Group Policy template `Window

19.7.44. 19.7.44.2 (L2) Ensure 'Preve accepted full
This setting controls whether Windows Media Player is allowed to download
This has some poten
To establish the recommended configu
```
User Configuration\Policies\Administra
```
The recommended state for this setting is: `Enabled`.
**Note:** This Group Policy path is pro

audit procedure impact statement notes CIS controls CCE-ID references

This section contains recommendations for account policies.

This section contains recommendations for password policy.

This section contains recommendations for account lockout policy.

This section contains recommendations for local policies.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This section contains recommendations for user rights assignments.

This section contains recommendations for security options.

This section contains recommendations related to default accounts.

This section contains recommendations related to auditing controls.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This section contains recommendations related to managing devices.

This section contains recommendations related to Domain Controllers.

This section contains recommendations related to domain membership.

This section contains recommendations related to interactive logons.


Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the fo
```
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon:CachedLogonsCount
```
Users will be unable to log on to any TITLE:Account Mo CCE-37439-7

This section contains recommendations related to configuring the Microsoft network client.

This section contains recommendations related to configuring the Microsoft network server.

This section contains recommendations related to network access.

Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the fo
```
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa:DisableDomainCreds
```
Credential Manager will not store pa TITLE:Encrypt/Hash CCE-38119-4

This section contains recommendations related to network security.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This section contains recommendations related to the Windows shutdown functionality.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This section contains recommendations related to system objects.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This section contains recommendations related to User Account Control.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This section contains recommendations for configuring the Windows Firewall.

This section contains recommendations for the Domain Profile of the Windows Firewall.

This section contains recommendations for the Private Profile of the Windows Firewall.

This section contains recommendations for the Public Profile of the Windows Firewall.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This section contains recommendations for configuring the Windows audit facilities.

This section contains recommendations for configuring the Account Logon audit policy.

This section contains recommendations for configuring the Account Management audit policy.

This section contains recommendations for configuring the Detailed Tracking audit policy.

This section contains recommendations for configuring the Directory Services Access audit policy.

This section contains recommendations for configuring the Logon/Logoff audit policy.

This section contains recommendations for configuring the Object Access audit policy.

This section contains recommendations for configuring the Policy Change audit policy.

This section contains recommendations for configuring the Privilege Use audit policy.

This section contains recommendations for configuring the System audit policy.

This section contains recommendations from Group Policy Administrative Templates (ADMX).


This section contains recommendations for Control Panel settings.

This section contains recommendations for Control Panel personalization settings.
This Group Policy section is provided by the Group Policy template `Windows.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section contains recommendations for configuring Microsoft Local Administrator Password Solution (LAPS).
This Group Policy section is provided by the Group Policy template `ControlPanelDisplay.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templa

This section contains recommendations for configuring additional settings from the MS Security Guide.
This Group Policy section is provided by the Group Policy template `AdmPwd.admx/adml` that is included with LAPS.

This section contains recommendations for the Microsoft Solutions for Security (MSS) settings.
This Group Policy section is provided by the Group Policy template `SecGuide.admx/adml` that is available from Microsoft at [this link](https://blogs.technet.microsoft.com/secguide/2017/08/30/secu
**Note:** This Group Policy path is provided by the Group Policy template `MSS-legacy.admx/adml` that is available from this TechNet blog post: [The MSS settings – Microsoft Security Guidance blog](ht

Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the fo
```
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters:KeepAliveTime
```
Keep-alive packets are not sent by d TITLE:Limitation CCE-36868-8

Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the fo
```
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters:PerformRouterDiscovery
```
Windows will not automatically dete TITLE:Limitation CCE-38065-9

Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the fo
```
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters:TcpMaxDataRetransmissions
```
TCP starts a retransmission timer wh TITLE:Limitation CCE-37846-3

Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the fo
```
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters:TcpMaxDataRetransmissions
```
TCP starts a retransmission timer wh TITLE:Limitation CCE-36051-1

This section contains recommendations for network settings.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Windows.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Bits.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `PeerToPeerCaching.admx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or n

This section contains recommendations related to DNS Client.
This Group Policy section is provided by the Group Policy template `nca.admx/adml` that is included with the Microsoft 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `DnsClient.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `GroupPolicy.admx/adml` that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `hotspotauth.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or ne

This Group Policy section is provided by the Group Policy template `LanmanServer.admx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer)
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This section contains recommendations for Link-Layer Topology Discovery settings.
This Group Policy section is provided by the Group Policy template `LanmanWorkstation.admx/adml` that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (
This Group Policy section is provided by the Group Policy template `LinkLayerTopologyDiscovery.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the fo
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD:AllowLLTDIOOnDomain
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD:AllowLLTDIOOnPublicNet
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD:EnableLLTDIO
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD:ProhibitLLTDIOOnPrivateNet
```
None - this is the default behavior. TITLE:Limitation CCE-38170-7

Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the fo
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD:AllowRspndrOnDomain
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD:AllowRspndrOnPublicNet
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD:EnableRspndr
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD:ProhibitRspndrOnPrivateNet
```
None - this is the default behavior. TITLE:Limitation CCE-37959-4

This section contains recommendations for Microsoft Peer-to-Peer Networking Services settings.
This Group Policy section is provided by the Group Policy template `P2P-pnrp.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the fo
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Peernet:Disabled
```
Microsoft Peer-to-Peer Networking Ser TITLE:Limit Open CCE-37699-6

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This section contains recommendations for Network Connections settings.
This Group Policy section is provided by the Group Policy template `P2P-pnrp.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `NetworkConnections.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
This Group Policy section is provided by the Group Policy template `WindowsFirewall.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
**Note:** This section was initially named _Windows Firewall_ but was renamed by Microsoft to _Windows Defender Firewall_ starting with the Microsoft Windows 10 Release 1709 Administrative T
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `NCSI.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section contains recommendations for Network Provider settings.
This Group Policy section is provided by the Group Policy template `NetworkIsolation.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `NetworkProvider.admx/adml` that is included with the [MS15-011](https://technet.microsoft.com/library/security/MS15-011) / [MS

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `OfflineFiles.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `QOS.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Snmp.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

n settings.
This Group Policy section is provided by the Group Policy template `CipherSuiteOrder.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `tcpip.admx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).

onfiguration settings.
This Group Policy section is provided by the Group Policy template `tcpip.admx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).

Connectivity to other systems using IPv6 will no longer operate, and software that depends on IPv6 will cease to function. E
**Note:** This Group Policy path is provided by the Group Policy template `tcpip.admx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the fo
This registry change is documented in Microsoft Knowledge Base article 929852: [How to disable IPv6 or its components in
**Note:** This registry change does not take effect until the next reboot.
TITLE:Limitation and Control of Network Ports, Protocols, and Services CONTROL:9

This section contains recommendations for Windows Connect Now settings.
This Group Policy section is provided by the Group Policy template `WindowsConnectNow.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the fo
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars:EnableRegistrars
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars:DisableUPnPRegistrar
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars:DisableInBand802DOT11Registrar
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars:DisableFlashConfigRegistrar
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars:DisableWPDRegistrar
```
WCN operations are disabled over al TITLE:Configure On CCE-37481-9

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\UI:DisableWcnUi
```
The WCN wizards are turned off and TITLE:Configure us On CCE-36109-7
This section contains recommendations for Windows Connection Manager settings.
This Group Policy section is provided by the Group Policy template `WCM.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).

Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the fo
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy:fBlockNonDomain
```
The computer responds to automatic and manual network connection attempts based on the following circumstances:
_Automatic connection attempts_ - When the computer is already connected to a domain based network, all automatic con
_Manual connection attempts_ - When the computer is already connected to either a non-domain based network or a doma
TITLE:Boundary CCE-37627-7

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Windows.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section contains recommendations for System settings.
This Group Policy section is provided by the Group Policy template `Windows.admx/adml` that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer).

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Windows.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `srm-fci.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)

This section contains recommendations related to auditing of process creation events.
This Group Policy section is provided by the Group Policy template `appv.admx/adml` that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or new

This section contains recommendations related to Credential Delegation.
This Group Policy section is provided by the Group Policy template `AuditSettings.admx/adml` that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `CredSsp.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `DeviceGuard.admx/adml` that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or new

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `TPM.admx/adml` that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer).

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `DeviceInstallation.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `DeviceRedirection.admx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or new

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `DiskNVCache.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `DiskQuota.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Display.admx/adml` that is included with the Microsoft Windows 10 Release 1703 Administrative Templates (or newer).

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `DCOM.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section contains recommendations for configuring boot-start driver initialization settings.
This Group Policy section is provided by the Group Policy template `DeviceInstallation.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `EarlyLaunchAM.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `EnhancedStorage.admx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or new

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `srm-fci.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `FileServerVSSAgent.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templa

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `FileServerVSSProvider.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Tem

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `FileSys.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
**Note:** This section was initially named _NTFS Filesystem_ but was renamed by Microsoft to _Filesystem_ starting with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates.

This section contains recommendations for configuring group policy-related settings.
This Group Policy section is provided by the Group Policy template `FolderRedirection.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `GroupPolicy.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section contains recommendations related to Internet Communication Management.
This Group Policy section is provided by the Group Policy template `GroupPolicyPreferences.admx/adml` that is included with the Microsoft Windows Server 2008 (non-R2) Administrative Template

This section contains recommendations related to Internet Communication settings.
This Group Policy section is provided by the Group Policy template `Windows.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the fo
**Note:** This Group Policy path is provided by the Group Policy template `Windows.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC:PreventHandwritingDataSharing
```
Tablet PC users cannot choose to sha TITLE:Data Prote CCE-37911-5

Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the fo
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports:PreventHandwritingErrorReports
```
Users cannot start handwriting rec TITLE:Data Prote CCE-36203-8

Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the fo
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard:ExitOnMSICW
```
The "Choose a list of Internet Servic TITLE:Data Prote CCE-37163-3

Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the fo
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Registration Wizard Control:NoRegistration
```
Users are blocked from connecting to Microsoft.com for CCE-36352-3

Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the fo
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion:DisableContentFileUpdates
```
Search Companion does not download content updates during searches. TITLE:Data Prote CCE-36884-5
**Note:** Internet searches will still send the search text and information about the search to Microsoft and the chosen sear

Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the fo
```
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer:NoOnlinePrintsWizard
```
The task "Order Prints Online" is rem TITLE:Data Prote CCE-38275-4

Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the fo
```
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer:NoPublishingWizard
```
The "Publish to Web" task is removed TITLE:Data Prote CCE-37090-8

Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the fo
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client:CEIP
```
Windows Messenger will not collect us TITLE:Data Prote CCE-36628-6

Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the fo
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows:CEIPEnable
```
All users are opted out of the Win TITLE:Data Prote CCE-36174-1

Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the fo
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting:Disabled
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting:DoReport
```
Users are not given the option to repo TITLE:Data Prote CCE-35964-6

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `iSCSI.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `KDC.admx/adml` that is included with the Microsoft Windows Server 2008 (non-R2) Administrative Templates (or newer).

This section contains recommendations for Locale Services settings.
This Group Policy section is provided by the Group Policy template `Kerberos.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the fo
**Note:** This Group Policy path is provided by the Group Policy template `Globalization.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Control Panel\International:BlockUserInputMethodsForSignIn
```
Users will have input methods enable TITLE:Ensure Work CCE-36343-2

This section contains recommendations related to the logon process and lock screen.
This Group Policy section is provided by the Group Policy template `Logon.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `GroupPolicy.admx/adml` that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newe

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Netlogon.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `OSPolicy.admx/adml` that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer).

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `PerfCenterCPL.admx/adml` that is only included with the Microsoft Windows Vista through the Windows 8.0 & Server 2012 (non

This section contains recommendations for Power Management settings.
This Group Policy section is provided by the Group Policy template `Passport.admx/adml` that is included with the Microsoft Windows 10 Release 1703 Administrative Templates (or newer).

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Power.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Power.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Power.admx/adml` that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or ne

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Power.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Power.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section contains recommendations related to Power Management Sleep mode.
This Group Policy section is provided by the Group Policy template `Power.admx/adml` that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer).

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Power.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section contains recommendations related to Remote Assistance.
This Group Policy section is provided by the Group Policy template `ReAgent.admx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).

This section contains recommendations related to Remote Procedure Call.
This Group Policy section is provided by the Group Policy template `RemoteAssistance.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the fo
**Note:** This Group Policy path is provided by the Group Policy template `RPC.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc:RestrictRemoteClients
```
Only authenticated RPC Clients will TITLE:Limit Open CCE-36559-3

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `RemovableStorage.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Scripts.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `ServerManager.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `WinInit.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Winsrv.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `StorageHealth.admx/adml` that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer).

This section contains recommendations related to Troubleshooting and Diagnostics.
This Group Policy section is provided by the Group Policy template `SystemRestore.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Windows.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `pca.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `FileRecovery.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `DiskDiagnostic.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section contains recommendations related to the Microsoft Support Diagnostic Tool.
This Group Policy section is provided by the Group Policy template `fthsvc.admx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the fo
**Note:** This Group Policy path is provided by the Group Policy template `MSDT.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy:DisableQueryRemoteServer
```
MSDT cannot run in support mode, and TITLE:Data Prote CCE-38161-6

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Msi-FileRecovery.admx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or new

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `sdiagschd.admx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `sdiageng.admx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `PerformanceDiagnostics.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section contains recommendations related to Windows Performance PerfTrack.
This Group Policy section is provided by the Group Policy template `LeakDiagnostic.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the fo
**Note:** This Group Policy path is provided by the Group Policy template `PerformancePerftrack.admx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d}:ScenarioExecutionEna
```
Responsiveness events are not proc TITLE:Data Prote CCE-36648-4

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
elated
he Groupto User
Policy
Profiles.
template `TPM.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the fo
he Group Policy template `UserProfiles.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
``` The advertising ID is turned off. App TITLE:Data Prote CCE-36931-4
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\AdvertisingInfo:DisabledByGroupPolicy
ts to ensure the structure of Windows benchmarks is consistent.
```
he Group Policy template `WindowsFileProtection.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
ts to ensure the structure of Windows benchmarks is consistent.

he Group Policy template `HotStart.admx/adml` that is only included with the Microsoft Windows Vista through the Windows 8.0 & Server 2012 (non-R2) Ad
elated to the Windows Time Service.

he Group Policy template `W32Time.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
elated to Time Providers.
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the fo
he Group Policy template `W32Time.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the fo
You can set the local computer clock TITLE:Use At Leas CCE-37843-0
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpClient:Enabled
```
None - this is the default behavior. TITLE:Limit Open CCE-37319-1
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpServer:Enabled
```
r Windows Component settings.
he Group Policy template `Windows.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
ts to ensure the structure of Windows benchmarks is consistent.

he Group Policy template `adfs.admx/adml` that is only included with the Microsoft Windows Vista through the Windows 8.0 & Server 2012 (non-R2) Admin
ts to ensure the structure of Windows benchmarks is consistent.
ts to ensure the structure of Windows benchmarks is consistent.
he Group Policy template `ActiveXInstallService.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
he Group Policy template `WindowsAnytimeUpgrade.admx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates
ts to ensure the structure of Windows benchmarks is consistent.
_Windows Anytime Upgrade_ but was renamed by Microsoft to _Add features to Windows x_ starting with the Microsoft Windows 8.0 & Server 2012 (non-R
he Group Policy template `AppxPackageManager.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Temp
ts to ensure the structure of Windows benchmarks is consistent.

he Group Policy template `AppPrivacy.admx/adml` that is included with the Microsoft Windows 10 Release 1511 Administrative Templates (or newer).
r App runtime settings.

he Group Policy template `AppXRuntime.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or
ts to ensure the structure of Windows benchmarks is consistent.

he Group Policy template `AppCompat.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
r AutoPlay policies.

he Group Policy template `AutoPlay.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
ts to ensure the structure of Windows benchmarks is consistent.

he Group Policy template `UserDataBackup.admx/adml` that is only included with the Microsoft Windows Vista through the Windows 10 Release 1511 Adm
ts to ensure the structure of Windows benchmarks is consistent.

he Group Policy template `Biometrics.admx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).
ts to ensure the structure of Windows benchmarks is consistent.

he Group Policy template `VolumeEncryption.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
ts to ensure the structure of Windows benchmarks is consistent.

he Group Policy template `Camera.admx/adml` that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or n
ts to ensure the structure of Windows benchmarks is consistent.

he Group Policy template `CloudContent.admx/adml` that is included with the Microsoft Windows 10 Release 1511 Administrative Templates (or newer).
ts to ensure the structure of Windows benchmarks is consistent.

he Group Policy template `WirelessDisplay.admx/adml` that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templa
elated to the Credential User Interface.

he Group Policy template `CredUI.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
ts to ensure the structure of Windows benchmarks is consistent.

he Group Policy template `Windows.admx/adml` that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer).
ts to ensure the structure of Windows benchmarks is consistent.

he Group Policy template `DeliveryOptimization.admx/adml` that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates
ts to ensure the structure of Windows benchmarks is consistent.

he Group Policy template `Sidebar.admx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).
ts to ensure the structure of Windows benchmarks is consistent.

he Group Policy template `DWM.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
ts to ensure the structure of Windows benchmarks is consistent.
ts to ensure the structure of Windows benchmarks is consistent.
he Group Policy template `DeviceCompat.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (o
he Group Policy template `WorkplaceJoin.admx/adml` that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newe

_Workplace Join_ but was renamed by Microsoft to _Device Registration_ starting with the Microsoft Windows 10 RTM (Release 1507) Administrative Tem
ts to ensure the structure of Windows benchmarks is consistent.
r configuring Microsoft Enhanced Mitigation Experience Toolkit (EMET).

ts to ensure the structure of Windows benchmarks is consistent.
he Group Policy template `EMET.admx/adml` that is included with Microsoft EMET.
`DigitalLocker.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

ware developed by Microsoft that allows an enterprise to apply exploit mitigations to applications that run on Windows. Many of these mitigations were later
he Group Policy template `EdgeUI.admx/adml` that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer).
ts to ensure the structure of Windows benchmarks is consistent.
at enhancing exploit protection on Windows server OSes prior to Server 2016, it is highly recommended that compatibility testing is done on typical server

be very problematic on 32-bit OSes - we only recommend using it with 64-bit OSes.
he Group Policy template `EventForwarding.admx/adml` that is included with the Microsoft Windows Server 2008 (non-R2) Administrative Templates (or ne
r configuring the Event Log Service.

EMET will be End-Of-Life (EOL) on July 31, 2018. This does not mean the software will stop working, only that Microsoft will not update it any further past
he Group Policy template `EventLog.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
r configuring the Application Event Log.

he Group Policy template `EventLog.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
r configuring the Security Event Log.

he Group Policy template `EventLog.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
r configuring the Setup Event Log.

he Group Policy template `EventLog.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
r configuring the System Event Log.

he Group Policy template `EventLog.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
ts to ensure the structure of Windows benchmarks is consistent.

he Group Policy template `EventLogging.admx/adml` that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or new
ts to ensure the structure of Windows benchmarks is consistent.
ts to ensure the structure of Windows benchmarks is consistent.
he Group Policy template `EventViewer.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
he Group Policy template `ParentalControls.admx/adml` that is only included with the Microsoft Windows Vista through the Windows 10 RTM (Release 150
control the availability of options such as menu items and tabs in dialog boxes.

_Parental Controls_ but was renamed by Microsoft to _Family Safety_ starting with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Tem
he Group Policy template `WindowsExplorer.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
ts to ensure the structure of Windows benchmarks is consistent.
_Windows Explorer_ but was renamed by Microsoft to _File Explorer_ starting with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Tem
he Group Policy template `PreviousVersions.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
ts to ensure the structure of Windows benchmarks is consistent.

he Group Policy template `FileHistory.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or ne
ts to ensure the structure of Windows benchmarks is consistent.

he Group Policy template `FindMy.admx/adml` that is included with the Microsoft Windows 10 Release 1703 Administrative Templates (or newer).
ts to ensure the structure of Windows benchmarks is consistent.

he Group Policy template `GameExplorer.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
ts to ensure the structure of Windows benchmarks is consistent.

he Group Policy template `Handwriting.admx/adml` that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer).
ts to ensure the structure of Windows benchmarks is consistent.

he Group Policy template `Sharing.admx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).
ts to ensure the structure of Windows benchmarks is consistent.

he Group Policy template `CaptureWizard.admx/adml` that is only included with the Microsoft Windows Vista and Windows Server 2008 (non-R2) Administr
ts to ensure the structure of Windows benchmarks is consistent.

he Group Policy template `InetRes.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
ts to ensure the structure of Windows benchmarks is consistent.

he Group Policy template `IIS.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
s and Sensors.
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the fo
he Group Policy template `Sensors.admx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).
The location feature is turned off, a TITLE:Data Prote CCE-36886-0
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors:DisableLocation
```
s Location Provider.
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the fo
he Group Policy template `LocationProviderAdm.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templ
The Windows Location Provider feature is turned off, a CCE-38225-9
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors:DisableWindowsLocationProvider
```
ts to ensure the structure of Windows benchmarks is consistent.
he Group Policy template `msched.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newe
ts to ensure the structure of Windows benchmarks is consistent.

he Group Policy template `WinMaps.admx/adml` that is included with the Microsoft Windows 10 Release 1511 Administrative Templates (or newer).
ts to ensure the structure of Windows benchmarks is consistent.

he Group Policy template `MDM.admx/adml` that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or new
ts to ensure the structure of Windows benchmarks is consistent.

he Group Policy template `Messaging.admx/adml` that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer).
ts to ensure the structure of Windows benchmarks is consistent.

he Group Policy template `MSAPolicy.admx/adml` that is included with the Microsoft Windows 10 Release 1703 Administrative Templates (or newer).
ts to ensure the structure of Windows benchmarks is consistent.

he Group Policy template `MicrosoftEdge.admx/adml` that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or ne
ts to ensure the structure of Windows benchmarks is consistent.

he Group Policy template `FidoAuth.admx/adml` that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer).
ts to ensure the structure of Windows benchmarks is consistent.

he Group Policy template `DeviceCredential.admx/adml` that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templ
ts to ensure the structure of Windows benchmarks is consistent.

he Group Policy template `UserExperienceVirtualization.admx/adml` that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administr
ts to ensure the structure of Windows benchmarks is consistent.

he Group Policy template `Conf.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
ts to ensure the structure of Windows benchmarks is consistent.

he Group Policy template `NAPXPQec.admx/adml` that is only included with the Microsoft Windows Server 2008 (non-R2) through the Windows 8.1 Update
ts to ensure the structure of Windows benchmarks is consistent.
elated to OneDrive.
he Group Policy template `NetworkProjection.admx/adml` that is only included with the Microsoft Windows Vista through the Windows 8.1 Update & Server
n this section are provided by the Group Policy template `SkyDrive.admx/adml` that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administr
ts to ensure the structure of Windows benchmarks is consistent.
_SkyDrive_ but was renamed by Microsoft to _OneDrive_ starting with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates.
he Group Policy template `HelpAndSupport.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
ts to ensure the structure of Windows benchmarks is consistent.

he Group Policy template `PswdSync.admx/adml` that is only included with the Microsoft Windows Vista through the Windows 8.1 Update & Server 2012 R
ts to ensure the structure of Windows benchmarks is consistent.

he Group Policy template `ExternalBoot.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or n
ts to ensure the structure of Windows benchmarks is consistent.

he Group Policy template `MobilePCPresentationSettings.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
ts to ensure the structure of Windows benchmarks is consistent.
elated to Remote Desktop Services.
he Group Policy template `PushToInstall.admx/adml` that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer).
he Group Policy template `TerminalServer.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
ts to ensure the structure of Windows benchmarks is consistent.

_Terminal Services_ but was renamed by Microsoft to _Remote Desktop Services_ starting with the Microsoft Windows 7 & Server 2008 R2 Administrative
he Group Policy template `TerminalServer.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
r the Remote Desktop Connection Client.
_TS Licensing_ but was renamed by Microsoft to _RD Licensing_ starting with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates.
he Group Policy template `TerminalServer.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
ts to ensure the structure of Windows benchmarks is consistent.
r the Remote Desktop Session Host.
he Group Policy template `TerminalServer.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (o
he Group Policy template `TerminalServer.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
ts to ensure the structure of Windows benchmarks is consistent.
_Terminal Server_ but was renamed by Microsoft to _Remote Desktop Session Host_ starting with the Microsoft Windows 7 & Server 2008 R2 Administrat
he Group Policy template `TerminalServer-Server.admx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (o
r Connections to the Remote Desktop Session Host.
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the fo
he Group Policy template `TerminalServer.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
None - this is the default behavior. CCE-37708-5
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services:fSingleSessionPerUser
```
elated to Remote Desktop Session Host Device and Resource Redirection.
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the fo
he Group Policy template `TerminalServer.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the fo
Users in a Remote Desktop Services se TITLE:Limit Open CCE-37696-2
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services:fDisableCcm
```
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the fo
Users in a Remote Desktop Services se TITLE:Limit Open CCE-37778-8
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services:fDisableLPT
```
Users in a Remote Desktop Services se TITLE:Limit Open CCE-37477-7
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services:fDisablePNPRedir
```
ts to ensure the structure of Windows benchmarks is consistent.
he Group Policy template `TerminalServer.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
ts to ensure the structure of Windows benchmarks is consistent.

he Group Policy template `TerminalServer.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
ts to ensure the structure of Windows benchmarks is consistent.
ts to ensure the structure of Windows benchmarks is consistent.
he Group Policy template `TerminalServer.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
he Group Policy template `TerminalServer.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
ts to ensure the structure of Windows benchmarks is consistent.
_TS Connection Broker_ but was renamed by Microsoft to _RD Connection Broker_ starting with the Microsoft Windows 7 & Server 2008 R2 Administrative
he Group Policy template `TerminalServer.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
elated to Remote Desktop Session Host Security.

he Group Policy template `TerminalServer.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
elated to Remote Desktop Session Host Session Time Limits.
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the fo
he Group Policy template `TerminalServer.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the fo
Remote Desktop Services will automat TITLE:Ensure Work CCE-37562-6
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services:MaxIdleTime
```
Disconnected Remote Desktop sessions TITLE:Ensure Work CCE-37949-5
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services:MaxDisconnectionTime
```
elated to Remote Desktop Session Host Session Temporary folders.
he Group Policy template `TerminalServer.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
elated to RSS feeds.

he Group Policy template `InetRes.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
r Search settings.

he Group Policy template `Search.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the fo

Usage information from Search is shar TITLE:Data Prote CCE-36937-1
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search:ConnectedSearchPrivacy
```
ts to ensure the structure of Windows benchmarks is consistent.
he Group Policy template `SearchOCR.admx/adml` that is only included with the Microsoft Windows 7 & Server 2008 R2 through the Windows 10 Release
ts to ensure the structure of Windows benchmarks is consistent.

he Group Policy template `SecurityCenter.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
ts to ensure the structure of Windows benchmarks is consistent.

he Group Policy template `Snis.admx/adml` that is only included with the Microsoft Windows Vista through the Windows 8.1 Update & Server 2012 R2 Upd
ts to ensure the structure of Windows benchmarks is consistent.

he Group Policy template `WinInit.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
ts to ensure the structure of Windows benchmarks is consistent.

he Group Policy template `SmartCard.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
elated to the Software Protection Platform.
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the fo
he Group Policy template `AVSValidationGP.admx/adml` that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or
The computer is prevented from sending data to Microsoft regarding its KMS client activation state.
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform:NoGenTicket
```
ts to ensure the structure of Windows benchmarks is consistent.
he Group Policy template `SoundRec.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
ts to ensure the structure of Windows benchmarks is consistent.

he Group Policy template `Speech.admx/adml` that is included with the Microsoft Windows 10 Release 1703 Administrative Templates (or newer).
ts to ensure the structure of Windows benchmarks is consistent.

he Group Policy template `WinStoreUI.admx/adml` that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates, or by the G
ts to ensure the structure of Windows benchmarks is consistent.

he Group Policy template `SettingSync.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or n
ts to ensure the structure of Windows benchmarks is consistent.

he Group Policy template `Windows.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
ts to ensure the structure of Windows benchmarks is consistent.

he Group Policy template `TaskScheduler.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
ts to ensure the structure of Windows benchmarks is consistent.

he Group Policy template `TextInput.admx/adml` that is only included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates and M
ts to ensure the structure of Windows benchmarks is consistent.

he Group Policy template `WinCal.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
ts to ensure the structure of Windows benchmarks is consistent.

he Group Policy template `WindowsColorSystem.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
ts to ensure the structure of Windows benchmarks is consistent.
elated to Windows Defender Antivirus.
he Group Policy template `CEIPEnable.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
he Group Policy template `WindowsDefender.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
ts to ensure the structure of Windows benchmarks is consistent.
d _Windows Defender_ but was renamed by Microsoft to _Windows Defender Antivirus_ starting with the Microsoft Windows 10 Release 1703 Administrat
he Group Policy template `WindowsDefender.admx/adml` that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or n
ts to ensure the structure of Windows benchmarks is consistent.

he Group Policy template `WindowsDefender.admx/adml` that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or n
elated to Microsoft Active Protection Service (MAPS).
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is in effect when th
he Group Policy template `WindowsDefender.admx/adml` that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or n
None - this is the default behavior.
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet:SpynetReporting
```
ts to ensure the structure of Windows benchmarks is consistent.
he Group Policy template `WindowsDefender.admx/adml` that is included with the Microsoft Windows 10 Release 1703 Administrative Templates (or newe
ts to ensure the structure of Windows benchmarks is consistent.

he Group Policy template `WindowsDefender.admx/adml` that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or n
ts to ensure the structure of Windows benchmarks is consistent.

he Group Policy template `WindowsDefender.admx/adml` that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or n
eal-time Protection.

he Group Policy template `WindowsDefender.admx/adml` that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or n
ts to ensure the structure of Windows benchmarks is consistent.

he Group Policy template `WindowsDefender.admx/adml` that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or n
Windows Defender Reporting.
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the fo
he Group Policy template `WindowsDefender.admx/adml` that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or n
Watson events will not be sent to Mic TITLE:Data Prote CCE-36950-4
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting:DisableGenericRePorts
```
Windows Defender scanning.
he Group Policy template `WindowsDefender.admx/adml` that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or n
ts to ensure the structure of Windows benchmarks is consistent.

he Group Policy template `WindowsDefender.admx/adml` that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or n
ts to ensure the structure of Windows benchmarks is consistent.

he Group Policy template `WindowsDefender.admx/adml` that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or n
ts to ensure the structure of Windows benchmarks is consistent.

he Group Policy template `WindowsDefender.admx/adml` that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newe
ts to ensure the structure of Windows benchmarks is consistent.

he Group Policy template `AppHVSI.admx/adml` that is included with the Microsoft Windows 10 Release 1703 Administrative Templates (or newer).
ts to ensure the structure of Windows benchmarks is consistent.

he Group Policy template `ExploitGuard.admx/adml` that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer).
ts to ensure the structure of Windows benchmarks is consistent.

he Group Policy template `WindowsDefenderSecurityCenter.admx/adml` that is included with the Microsoft Windows 10 Release 1709 Administrative Temp
SmartScreen settings.

he Group Policy template `SmartScreen.admx/adml` that is included with the Microsoft Windows 10 Release 1703 Administrative Templates (or newer).
r Explorer-related Windows Defender SmartScreen settings.

n this section are provided by the Group Policy template `WindowsExplorer.admx/adml` that is included with the Microsoft Windows 10 Release 1703 Admi
elated to Windows Error Reporting.

he Group Policy template `ErrorReporting.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
ts to ensure the structure of Windows benchmarks is consistent.

he Group Policy template `ErrorReporting.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
elated to Windows Error Reporting consent.

he Group Policy template `ErrorReporting.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
ts to ensure the structure of Windows benchmarks is consistent.
ts to ensure the structure of Windows benchmarks is consistent.
he Group Policy template `GameDVR.admx/adml` that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer
he Group Policy template `Passport.admx/adml` that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer).
ts to ensure the structure of Windows benchmarks is consistent.
_Microsoft Passport for Work_ but was renamed by Microsoft to _Windows Hello for Business_ starting with the Microsoft Windows 10 Release 1607 & Se
he Group Policy template `WindowsInkWorkspace.admx/adml` that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative
elated to Windows Installer.
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the fo
he Group Policy template `MSI.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
None - this is the default behavior. TITLE:Email and CCE-37524-6
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer:SafeForScripting
```
elated to Windows Logon Options.
The Group Policy template `WinLogon.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

The Group Policy template `WindowsMail.admx/adml` that is only included with the Microsoft Windows Vista through the Windows 10 Release 1703 Administrative Templates.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

The Group Policy template `MediaCenter.admx/adml` that is only included with the Microsoft Windows Vista through Windows 10 Release 1511 Administrative Templates.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

The Group Policy template `WindowsMediaDRM.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

The Group Policy template `WindowsMediaPlayer.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

The Group Policy template `WindowsCollaboration.admx/adml` that is only included with the Microsoft Windows Vista and Server 2008 (non-R2) Administrative Templates.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

The Group Policy template `WindowsMessenger.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

The Group Policy template `MobilePCMobilityCenter.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

The Group Policy template `MovieMaker.admx/adml` that is only included with the Microsoft Windows Vista and Server 2008 (non-R2) Administrative Templates.
This section contains recommendations related to Windows PowerShell.

The Group Policy template `PowerShellExecutionPolicy.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

The Group Policy template `RacWmiProv.admx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).
This section contains recommendations related to Windows Remote Management (WinRM).

The Group Policy template `WindowsRemoteManagement.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
This section contains recommendations related to the Windows Remote Management (WinRM) client.

The Group Policy template `WindowsRemoteManagement.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
This section contains recommendations related to the Windows Remote Management (WinRM) service.
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service:AllowAutoConfig
```
Impact: None - this is the default behavior.
CCE: CCE-37927-1
CIS Controls: TITLE:Use Only Se…
The Group Policy template `WindowsRemoteManagement.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
This section contains recommendations related to Windows Remote Shell (WinRS).

Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\WinRS:AllowRemoteShellAccess
```
Impact: New Remote Shell connections are not allowed and are rejected by the server.
**Note:** On Server 2012 (non-R2) and higher, due to design changes in the OS after Server 2008 R2, configuring this set…
CCE: CCE-36499-2
CIS Controls: TITLE:Use Only Se…
The Group Policy template `WindowsRemoteShell.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
The Group Policy template `SideShow.admx/adml` that is only included with the Microsoft Windows Vista Administrative Templates through Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

The Group Policy template `SystemResourceManager.admx/adml` that is only included with the Microsoft Windows Vista through Windows 8.0 & Server 2012 (non-R2) Administrative Templates.
This section contains recommendations related to Windows Update.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

The Group Policy template `WindowsUpdate.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
The Group Policy template `WindowsUpdate.admx/adml` that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer).

This section was initially named _Defer Windows Updates_ but was renamed by Microsoft to _Windows Update for Business_ starting with the Microsoft Windows 10 Release 1709 Administrative Templates.
This section contains recommendations from Group Policy Administrative Templates (ADMX).
This section contains recommendations for Control Panel settings.

The Group Policy template `Windows.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

The Group Policy template `AddRemovePrograms.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This section contains recommendations for personalization settings.
The Group Policy template `ControlPanelDisplay.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
The Group Policy template `ControlPanelDisplay.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This section was initially named _Desktop Themes_ but was renamed by Microsoft to _Personalization_ starting with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates.

The Group Policy template `Windows.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

The Group Policy template `Windows.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

The Group Policy template `SharedFolders.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
This section contains recommendations for Start Menu and Taskbar settings.

The Group Policy template `Windows.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
This section contains recommendations for Notification settings.

The Group Policy template `WPN.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
This section contains recommendations for System settings.

The Group Policy template `Windows.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

The Group Policy template `CtrlAltDel.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

The Group Policy template `DeviceInstallation.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

The Group Policy template `FolderRedirection.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

The Group Policy template `GroupPolicy.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
This section contains recommendations related to Internet Communication Management.

The Group Policy template `Windows.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
This section contains recommendations related to Internet Communication settings.
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location:
```
HKEY_USERS\[USER SID]\SOFTWARE\Policies\Microsoft\Assistance\Client\1.0:NoImplicitFeedback
```
Impact: Users cannot participate in the Hel…
CCE: CCE-37542-8
CIS Controls: TITLE:Data Prote…
The Group Policy template `Windows.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
This section contains recommendations for Windows Component settings.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
The Group Policy template `Windows.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
The Group Policy template `WindowsAnytimeUpgrade.admx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This section was initially named _Windows Anytime Upgrade_ but was renamed by Microsoft to _Add features to Windows x_ starting with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates.

The Group Policy template `AppXRuntime.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

The Group Policy template `AppCompat.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
This section contains recommendations related to Attachment Manager.

The Group Policy template `AttachmentManager.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

The Group Policy template `AutoPlay.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

The Group Policy template `UserDataBackup.admx/adml` that is included only with the Microsoft Windows Vista through Windows 8.0 & Server 2012 (non-R2) Administrative Templates, as well as the Microsoft Windows 10 RTM (Release 1507) and Windows 10 Release 1511 Administrative Templates.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

The Group Policy template `CloudContent.admx/adml` that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer).
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

The Group Policy template `CredUI.admx/adml` that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer).
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

The Group Policy template `DataCollection.admx/adml` that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer).
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

The Group Policy template `Sidebar.admx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

The Group Policy template `DWM.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

The Group Policy template `DigitalLocker.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
The Group Policy template `EdgeUI.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
The Group Policy template `Windows.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This section was initially named _Windows Explorer_ but was renamed by Microsoft to _File Explorer_ starting with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates.
The Group Policy template `FileRevocation.admx/adml` that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer).
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

The Group Policy template `EAIME.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

The Group Policy template `CaptureWizard.admx/adml` that is only included with the Microsoft Windows Vista and Windows Server 2008 (non-R2) Administrative Templates.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

The Group Policy template `WordWheel.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

The Group Policy template `InetRes.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

The Group Policy template `Sensors.admx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

The Group Policy template `MicrosoftEdge.admx/adml` that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer).
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

The Group Policy template `MMC.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

The Group Policy template `UserExperienceVirtualization.admx/adml` that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer).
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

The Group Policy template `Conf.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

The Group Policy template `NetworkProjection.admx/adml` that is only included with the Microsoft Windows Vista through the Windows 8.1 Update & Server 2012 R2 Update Administrative Templates.
This section contains recommendations related to Network Sharing.

The Group Policy template `Sharing.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
The Group Policy template `MobilePCPresentationSettings.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
The Group Policy template `TerminalServer.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This section was initially named _Terminal Services_ but was renamed by Microsoft to _Remote Desktop Services_ starting with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates.

The Group Policy template `InetRes.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

The Group Policy template `Search.admx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

The Group Policy template `SoundRec.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

The Group Policy template `WinStoreUI.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates and Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates, or by the Group Policy template `WindowsStore.admx/adml` that is included with the Microsoft Windows 10 Release 1511 Administrative Templates (or newer).
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

The Group Policy template `Windows.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

The Group Policy template `TaskScheduler.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

The Group Policy template `WinCal.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

The Group Policy template `WindowsColorSystem.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

The Group Policy template `SmartScreen.admx/adml` that is included with the Microsoft Windows 10 Release 1703 Administrative Templates (or newer).
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
The Group Policy template `ErrorReporting.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
The Group Policy template `Passport.admx/adml` that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer).
This section contains recommendations related to Windows Installer.
This section was initially named _Microsoft Passport for Work_ but was renamed by Microsoft to _Windows Hello for Business_ starting with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates.

The Group Policy template `MSI.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

The Group Policy template `WinLogon.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

The Group Policy template `WindowsMail.admx/adml` that is only included with the Microsoft Windows Vista through the Windows 10 Release 1703 Administrative Templates.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

The Group Policy template `MediaCenter.admx/adml` that is only included with the Microsoft Windows Vista through Windows 10 Release 1511 Administrative Templates.
This section contains recommendations related to Windows Media Player.

The Group Policy template `WindowsMediaPlayer.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

The Group Policy template `WindowsMediaPlayer.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
This section contains recommendations related to Windows Media Player playback.
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location:
```
HKEY_USERS\[USER SID]\SOFTWARE\Policies\Microsoft\WindowsMediaPlayer:PreventCodecDownload
```
Impact: Windows Media Player is prevented fr…
CCE: CCE-37445-4
CIS Controls: TITLE:Inventory…
The Group Policy template `WindowsMediaPlayer.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
…et.microsoft.com/secguide/2017/08/30/security-baseline-for-windows-10-creators-update-v1703-final/).

[MSS Settings – Microsoft Security Guidance blog](https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/)

…rosoft.com/library/security/MS15-011) / [MSKB 3000483](https://support.microsoft.com/en-us/kb/3000483) security update and the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer).

CIS Controls: …Ports, Protocols, and Services CONTROL:9 DESCRIPTION:Limitation and Control of Network Ports, Protocols, and Services;

…Many of these mitigations were later coded directly into Windows 10 and Server 2016.

…compatibility testing is done on typical server configurations (including all CIS-recommended EMET settings) before widespread deployment to your environment.

…Microsoft will not update it any further past that date, nor troubleshoot new problems with it. They are instead recommending that servers be upgraded to Server 2016.
6.1 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled' x

Description: This setting controls whether local accounts can be used for remote administration via network logon authentication (for example, NET USE, connecting to C$, etc.). Local accounts are at high risk of credential theft when the same account and password are configured on multiple systems. Enabling this policy significantly reduces that risk. The recommended state for this setting is: Enabled.

Remediation: To establish the recommended configuration via GPO, set the following to the value prescribed above: Computer Configuration\Policies\Administrative Templates\SCM: Pass the Hash Mitigations\Apply UAC restrictions to local accounts on network logons

Notes: Entry does not appear on the server.

6.2 'WDigest Authentication' is set to 'Disabled' x

Description: When WDigest authentication is enabled, Lsass.exe retains a copy of the user's plaintext password in memory, where it may be at risk of theft. The recommended state for this setting is: Disabled.

Remediation: To establish the recommended configuration via GPO, set the following to the value prescribed above: Computer Configuration\Policies\Administrative Templates\SCM: Pass the Hash Mitigations\WDigest Authentication (disabling may require KB2871997)

Notes: Entry does not appear on the server.
