Create a mono baseline file for PowerShell DSC
import csv | |
from pytablewriter import MarkdownTableWriter | |
# Name of the generated DSC configuration script, written next to this file.
DSC_FILE_NAME: str = "w2019MonoLayerZero.ps1"
# Name of the input CSV of resource definitions; its first row is a header.
CSV_FILE_NAME: str = "DSCResources.csv"
def mdtable(value_matrix):
    """
    Build a Markdown table writer for one resource's parameter defaults.

    Args:
        value_matrix: rows of ``[variable_name, default_value]`` pairs.

    Returns:
        A ``MarkdownTableWriter`` with fixed column headers and margin 1;
        the caller dumps it into the reference file.
    """
    table_spec = {
        "headers": ["Variable Name", "Default Value"],
        "value_matrix": value_matrix,
        "margin": 1,
    }
    return MarkdownTableWriter(**table_spec)
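# Read every resource definition from the CSV, write a Markdown reference entry
# for each, then collect the DSC parameters and resource blocks for the .ps1.
#
# NOTE: the CSV is authored content and is copied into the generated PowerShell
# verbatim (no quoting or escaping is applied), so it must be reviewed as code;
# every parameter default also lands in plaintext in both output files.
HEADER = """
Configuration w2019MonoLayerZero {
[CmdletBinding()]
param (
"""
IMPORTS = """
Import-DscResource -ModuleName 'PSDesiredStateConfiguration'
Import-DscResource -ModuleName 'AuditPolicyDsc'
Import-DscResource -ModuleName 'SecurityPolicyDsc'
"""


def _parse_resource(cell):
    """
    Split one CSV cell into its title, comment lines, header and parameters.

    Args:
        cell: cell text holding ``#`` comment lines followed by a
            ``<Type> <Name> { key = value ... }`` DSC resource body.

    Returns:
        tuple ``(title, code_comments, resource_header, param_pairs)`` where
        ``title`` is the text before the first ``(`` with spaces removed,
        ``.`` turned into ``_`` and ``#`` dropped; ``code_comments`` are the
        ``#`` lines with the marker stripped; ``resource_header`` is the text
        before the first ``{`` (untrimmed); ``param_pairs`` is a list of
        ``(name, value)`` strings, whitespace trimmed.

    Raises:
        ValueError: when the cell has no ``{`` or a parameter line has no ``=``.
    """
    title = cell.split('(')[0].strip().replace(' ', '').replace('.', '_').replace('#', '')
    code_comments = [
        line.replace("#", '').strip()
        for line in cell.strip().split('\n')
        if line.startswith('#')
    ]
    if '{' not in cell:
        raise ValueError(f'resource body missing for {title!r}')
    resource_header, body = cell.split('{', 1)
    param_pairs = []
    # Only the text up to the first '}' belongs to the resource body.
    for line in body.split('}')[0].split('\n'):
        if not line.strip():
            continue  # blank or whitespace-only line
        # partition() keeps any '=' inside the value intact.
        name, sep, value = line.partition('=')
        if not sep:
            raise ValueError(f'parameter line without "=" in {title!r}: {line.strip()!r}')
        param_pairs.append((name.strip(), value.strip()))
    return title, code_comments, resource_header, param_pairs


params = []      # '$<Title>_<Param> = <default>' lines for the param() block
resources = []   # one 'if ($<Title>_Include) { ... }' block per resource

with open(f'./{CSV_FILE_NAME}', mode='r', newline='', encoding='utf-8') as csv_handle, \
        open("./reference.md", mode='w', encoding='utf-8') as MD_FILE:
    CSV_DATA = csv.reader(csv_handle)
    next(CSV_DATA, None)  # header row; an empty file simply yields no resources
    for row in CSV_DATA:
        if not row or not row[0].strip():
            continue  # blank CSV line
        TITLE, CODE_COMMENTS, resource_header, param_pairs = _parse_resource(row[0])
        md_title = TITLE.replace("_", ".")
        MD_FILE.write(f'# {md_title} \n')
        MD_FILE.write('\n'.join(CODE_COMMENTS))
        MD_FILE.write('\n')
        MD_FILE.write("### API Documentation \n")
        # The *_Include switch comes first so the whole resource can be toggled off.
        params.append(f'${TITLE}_Include = $true')
        md_matrix = [[f'{TITLE}_Include', '$true']]
        resource_obj_params = []
        for param_name, param_value in param_pairs:
            param_name_var = f'${TITLE}_{param_name}'
            if ',' in param_value:
                # Comma-separated defaults become a PowerShell array literal.
                param_value = f'@({param_value})'
            params.append(f'{param_name_var} = {param_value}')
            resource_obj_params.append(f'{param_name} = {param_name_var}')
            md_matrix.append([f'{TITLE}_{param_name}', param_value])
        resource_obj_params = '\n'.join(resource_obj_params)
        CODE_BLOCK = f"""
if (${TITLE}_Include) {{
{resource_header} {{
{resource_obj_params}
}}
}}
"""
        resources.append(CODE_BLOCK)
        mdtable(md_matrix).dump(MD_FILE, False)
        MD_FILE.write(
            f'> Find more detail about this control by searching the CIS control number: {md_title} [here](https://learn.cisecurity.org/l/799323/2020-07-10/zx22).\n')

# utf-8-sig writes a BOM so Windows PowerShell 5.1 reads the script as UTF-8
# rather than the ANSI code page; newline='' keeps the '\n' endings as written.
with open(f'./{DSC_FILE_NAME}', mode='w', newline='', encoding='utf-8-sig') as f:
    f.write(HEADER)
    f.write(',\n'.join(params))
    f.write('\n)\n')
    f.write(f'{IMPORTS}\n')
    f.write(''.join(resources))
    f.write('\n\n}')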
code | |
---|---|
# 1.1.1 (L1) Ensure 'Enforce password history' is set to '24 or more password(s)' AccountPolicy Enforce_password_history { name = "Enforce_password_history" Enforce_password_history = 24 } | |
# 1.1.2 (L1) Ensure 'Maximum password age' is set to '60 or fewer days, but not 0' AccountPolicy Maximum_Password_Age { name = "Maximum_Password_Age" Enforce_password_history = 60 } | |
# 1.1.3 (L1) Ensure 'Minimum password age' is set to '1 or more day(s)' AccountPolicy Minimum_Password_Age { name = "Minimum_Password_Age" Minimum_Password_Age = 1 } | |
# 1.1.4 (L1) Ensure 'Minimum password length' is set to '14 or more character(s)' AccountPolicy Minimum_Password_Length { name = "Minimum_Password_Length" Minimum_Password_Length = 14 } | |
# 1.1.5 (L1) Ensure 'Password must meet complexity requirements' is set to 'Enabled' AccountPolicy Password_must_meet_complexity_requirements { name = "Password_must_meet_complexity_requirements" Password_must_meet_complexity_requirements = 'Enabled' } | |
# 1.1.6 (L1) Ensure 'Store passwords using reversible encryption' is set to 'Disabled' AccountPolicy Store_passwords_using_reversible_encryption { name = "Store_passwords_using_reversible_encryption" Store_passwords_using_reversible_encryption = 'Disabled' } | |
# 1.2.1 (L1) Ensure 'Account lockout duration' is set to '15 or more minute(s)' AccountPolicy Account_lockout_duration { name = "Account_lockout_duration" Account_lockout_duration = 15 } | |
# 1.2.2 (L1) Ensure 'Account lockout threshold' is set to '10 or fewer invalid logon attempt(s), but not 0' AccountPolicy Account_lockout_threshold { name = "Account_lockout_threshold" Account_lockout_threshold = 10 } | |
# 1.2.3 (L1) Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)' AccountPolicy Reset_account_lockout_counter_after { name = "Reset_account_lockout_counter_after" Reset_account_lockout_counter_after = 15 } | |
# 2.2.1 (L1) Ensure 'Access Credential Manager as a trusted caller' is set to 'No One' UserRightsAssignment AccessCredentialManagerasatrustedcaller { Policy = 'Access_Credential_Manager_as_a_trusted_caller' Identity = '' Ensure = 'Present' } | |
# 2.2.3 (L1) Ensure 'Access this computer from the network' is set to 'Administrators, Authenticated Users' (MS only) UserRightsAssignment Accessthiscomputerfromthenetwork { Policy = 'Access_this_computer_from_the_network' Identity = 'Administrators', 'Authenticated Users' Ensure = 'Present' } | |
# 2.2.4 (L1) Ensure 'Act as part of the operating system' is set to 'No One' UserRightsAssignment Actaspartoftheoperatingsystem { Policy = 'Act_as_part_of_the_operating_system' Identity = '' Ensure = 'Present' } | |
# 2.2.6 (L1) Ensure 'Adjust memory quotas for a process' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE' UserRightsAssignment Adjustmemoryquotasforaprocess { Policy = 'Adjust_memory_quotas_for_a_process' Identity = 'Administrators', 'LOCAL SERVICE', 'NETWORK SERVICE' Ensure = 'Present' } | |
# 2.2.7 (L1) Ensure 'Allow log on locally' is set to 'Administrators' UserRightsAssignment Allowlogonlocally { Policy = 'Allow_log_on_locally' Identity = 'Administrators' Ensure = 'Present' } | |
# 2.2.9 (L1) Ensure 'Allow log on through Remote Desktop Services' is set to 'Administrators, Remote Desktop Users' (MS only) UserRightsAssignment AllowlogonthroughRemoteDesktopServices { Policy = 'Allow_log_on_through_Remote_Desktop_Services' Identity = 'Administrators', 'Remote Desktop Users' Ensure = 'Present' } | |
# 2.2.10 (L1) Ensure 'Back up files and directories' is set to 'Administrators' UserRightsAssignment Backupfilesanddirectories { Policy = 'Back_up_files_and_directories' Identity = 'Administrators' Ensure = 'Present' } | |
# 2.2.11 (L1) Ensure 'Change the system time' is set to 'Administrators, LOCAL SERVICE' UserRightsAssignment Changethesystemtime { Policy = 'Change_the_system_time' Identity = 'Administrators', 'LOCAL SERVICE' Ensure = 'Present' } | |
# 2.2.12 (L1) Ensure 'Change the time zone' is set to 'Administrators, LOCAL SERVICE' UserRightsAssignment Changethetimezone { Policy = 'Change_the_time_zone' Identity = 'Administrators', 'LOCAL SERVICE' Ensure = 'Present' } | |
# 2.2.13 (L1) Ensure 'Create a pagefile' is set to 'Administrators' UserRightsAssignment Createapagefile { Policy = 'Create_a_pagefile' Identity = 'Administrators' Ensure = 'Present' } | |
# 2.2.14 (L1) Ensure 'Create a token object' is set to 'No One' UserRightsAssignment Createatokenobject { Policy = 'Create_a_token_object' Identity = '' Ensure = 'Present' } | |
# 2.2.15 (L1) Ensure 'Create global objects' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE' UserRightsAssignment Createglobalobjects { Policy = 'Create_global_objects' Identity = 'Administrators', 'LOCAL SERVICE', 'NETWORK SERVICE', 'SERVICE' Ensure = 'Present' } | |
# 2.2.16 (L1) Ensure 'Create permanent shared objects' is set to 'No One' UserRightsAssignment Createpermanentsharedobjects { Policy = 'Create_permanent_shared_objects' Identity = '' Ensure = 'Present' } | |
# 2.2.18 (L1) Ensure 'Create symbolic links' is set to 'Administrators, NT VIRTUAL MACHINE\Virtual Machines' (MS only) UserRightsAssignment Createsymboliclinks { Policy = 'Create_symbolic_links' Identity = 'Administrators', 'NT VIRTUAL MACHINE\Virtual Machines' Ensure = 'Present' } | |
# 2.2.19 (L1) Ensure 'Debug programs' is set to 'Administrators' UserRightsAssignment Debugprograms { Policy = 'Debug_programs' Identity = 'Administrators' Ensure = 'Present' } | |
# 2.2.21 (L1) Ensure 'Deny access to this computer from the network' is set to 'Guests, Local account and member of Administrators group' (MS only) UserRightsAssignment Denyaccesstothiscomputerfromthenetwork { Policy = 'Deny_access_to_this_computer_from_the_network' Identity = 'Guests' Ensure = 'Present' } | |
# 2.2.22 (L1) Ensure 'Deny log on as a batch job' to include 'Guests' UserRightsAssignment Denylogonasabatchjob { Policy = 'Deny_log_on_as_a_batch_job' Identity = 'Guests' Ensure = 'Present' } | |
# 2.2.23 (L1) Ensure 'Deny log on as a service' to include 'Guests' UserRightsAssignment Denylogonasaservice { Policy = 'Deny_log_on_as_a_service' Identity = 'Guests' Ensure = 'Present' } | |
# 2.2.24 (L1) Ensure 'Deny log on locally' to include 'Guests' UserRightsAssignment Denylogonlocally { Policy = 'Deny_log_on_locally' Identity = 'Guests' Ensure = 'Present' } | |
# 2.2.26 (L1) Ensure 'Deny log on through Remote Desktop Services' is set to 'Guests, Local account' (MS only) UserRightsAssignment DenylogonthroughRemoteDesktopServices { Policy = 'Deny_log_on_through_Remote_Desktop_Services' Identity = 'Guests' Ensure = 'Present' } | |
# 2.2.28 (L1) Ensure 'Enable computer and user accounts to be trusted for delegation' is set to 'No One' (MS only) UserRightsAssignment Enablecomputeranduseraccountstobetrustedfordelegation { Policy = 'Enable_computer_and_user_accounts_to_be_trusted_for_delegation' Identity = '' Ensure = 'Present' } | |
# 2.2.29 (L1) Ensure 'Force shutdown from a remote system' is set to 'Administrators' UserRightsAssignment Forceshutdownfromaremotesystem { Policy = 'Force_shutdown_from_a_remote_system' Identity = 'Administrators' Ensure = 'Present' } | |
# 2.2.30 (L1) Ensure 'Generate security audits' is set to 'LOCAL SERVICE, NETWORK SERVICE' UserRightsAssignment Generatesecurityaudits { Policy = 'Generate_security_audits' Identity = 'LOCAL SERVICE', 'NETWORK SERVICE' Ensure = 'Present' } | |
# 2.2.32 (L1) Ensure 'Impersonate a client after authentication' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE' and (when the Web Server (IIS) Role with Web Services Role Service is installed) 'IIS_IUSRS' (MS only) UserRightsAssignment Impersonateaclientafterauthentication { Policy = 'Impersonate_a_client_after_authentication' Identity = 'Administrators', 'LOCAL SERVICE', 'NETWORK SERVICE', 'SERVICE' Ensure = 'Present' } | |
# 2.2.33 (L1) Ensure 'Increase scheduling priority' is set to 'Administrators' UserRightsAssignment Increaseschedulingpriority { Policy = 'Increase_scheduling_priority' Identity = 'Administrators' Ensure = 'Present' } | |
# 2.2.34 (L1) Ensure 'Load and unload device drivers' is set to 'Administrators' UserRightsAssignment Loadandunloaddevicedrivers { Policy = 'Load_and_unload_device_drivers' Identity = 'Administrators' Ensure = 'Present' } | |
# 2.2.35 (L1) Ensure 'Lock pages in memory' is set to 'No One' UserRightsAssignment Lockpagesinmemory { Policy = 'Lock_pages_in_memory' Identity = '' Ensure = 'Present' } | |
# 2.2.38 (L1) Ensure 'Manage auditing and security log' is set to 'Administrators' (MS only) UserRightsAssignment Manageauditingandsecuritylog { Policy = 'Manage_auditing_and_security_log' Identity = 'Administrators' Ensure = 'Present' } | |
# 2.2.39 (L1) Ensure 'Modify an object label' is set to 'No One' UserRightsAssignment Modifyanobjectlabel { Policy = 'Modify_an_object_label' Identity = '' Ensure = 'Present' } | |
# 2.2.40 (L1) Ensure 'Modify firmware environment values' is set to 'Administrators' UserRightsAssignment Modifyfirmwareenvironmentvalues { Policy = 'Modify_firmware_environment_values' Identity = 'Administrators' Ensure = 'Present' } | |
# 2.2.41 (L1) Ensure 'Perform volume maintenance tasks' is set to 'Administrators' UserRightsAssignment Performvolumemaintenancetasks { Policy = 'Perform_volume_maintenance_tasks' Identity = 'Administrators' Ensure = 'Present' } | |
# 2.2.42 (L1) Ensure 'Profile single process' is set to 'Administrators' UserRightsAssignment Profilesingleprocess { Policy = 'Profile_single_process' Identity = 'Administrators' Ensure = 'Present' } | |
# 2.2.43 (L1) Ensure 'Profile system performance' is set to 'Administrators, NT SERVICE\WdiServiceHost' UserRightsAssignment Profilesystemperformance { Policy = 'Profile_system_performance' Identity = 'Administrators', 'NT SERVICE\WdiServiceHost' Ensure = 'Present' } | |
# 2.2.44 (L1) Ensure 'Replace a process level token' is set to 'LOCAL SERVICE, NETWORK SERVICE' UserRightsAssignment Replaceaprocessleveltoken { Policy = 'Replace_a_process_level_token' Identity = 'LOCAL SERVICE', 'NETWORK SERVICE' Ensure = 'Present' } | |
# 2.2.45 (L1) Ensure 'Restore files and directories' is set to 'Administrators' UserRightsAssignment Restorefilesanddirectories { Policy = 'Restore_files_and_directories' Identity = 'Administrators' Ensure = 'Present' } | |
# 2.2.46 (L1) Ensure 'Shut down the system' is set to 'Administrators' UserRightsAssignment Shutdownthesystem { Policy = 'Shut_down_the_system' Identity = 'Administrators' Ensure = 'Present' } | |
# 2.2.48 (L1) Ensure 'Take ownership of files or other objects' is set to 'Administrators' UserRightsAssignment Takeownershipoffilesorotherobjects { Policy = 'Take_ownership_of_files_or_other_objects' Identity = 'Administrators' Ensure = 'Present' } | |
# 2.3.1.2 (L1) Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts' SecurityOption Accounts_Block_Microsoft_accounts { Name = 'Accounts_Block_Microsoft_accounts' Accounts_Block_Microsoft_accounts = 'Users cant add or log on with Microsoft accounts' } | |
# 2.3.1.3 (L1) Ensure 'Accounts: Guest account status' is set to 'Disabled' (MS only) SecurityOption Accounts_Guest_account_status { Name = 'Accounts_Guest_account_status' Accounts_Guest_account_status = 'Disabled' } | |
# 2.3.1.4 (L1) Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled' SecurityOption Accounts_Limit_local_account_use_of_blank_passwords_to_console_logon_only { Name = 'Accounts_Limit_local_account_use_of_blank_passwords_to_console_logon_only' Accounts_Limit_local_account_use_of_blank_passwords_to_console_logon_only = 'Enabled' } | |
# 2.3.1.5 (L1) Configure 'Accounts: Rename administrator account' SecurityOption Accounts_Rename_administrator_account { Name = 'Accounts_Rename_administrator_account' Accounts_Rename_administrator_account = 'Ast.9768' } | |
# 2.3.1.6 (L1) Configure 'Accounts: Rename guest account' SecurityOption Accounts_Rename_guest_account { Name = 'Accounts_Rename_guest_account' Accounts_Rename_guest_account = 'ba!!00ns' } | |
# 2.3.2.2 (L1) Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled' SecurityOption Audit_Shut_down_system_immediately_if_unable_to_log_security_audits { Name = 'Audit_Shut_down_system_immediately_if_unable_to_log_security_audits' Audit_Shut_down_system_immediately_if_unable_to_log_security_audits = 'Disabled' } | |
# 2.3.4.1 (L1) Ensure 'Devices: Allowed to format and eject removable media' is set to 'Administrators' SecurityOption Devices_Allowed_to_format_and_eject_removable_media { Name = 'Devices_Allowed_to_format_and_eject_removable_media' Devices_Allowed_to_format_and_eject_removable_media = 'Administrators' } | |
# 2.3.4.2 (L1) Ensure 'Devices: Prevent users from installing printer drivers' is set to 'Enabled' SecurityOption Devices_Prevent_users_from_installing_printer_drivers { Name = 'Devices_Prevent_users_from_installing_printer_drivers' Devices_Prevent_users_from_installing_printer_drivers = 'Enabled' } | |
# 2.3.6.1 (L1) Ensure 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'Enabled' SecurityOption Domain_member_Digitally_encrypt_or_sign_secure_channel_data_always { Name = 'Domain_member_Digitally_encrypt_or_sign_secure_channel_data_always' Domain_member_Digitally_encrypt_or_sign_secure_channel_data_always = 'Enabled' } | |
# 2.3.6.2 (L1) Ensure 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'Enabled' SecurityOption Domain_member_Digitally_encrypt_secure_channel_data_when_possible { Name = 'Domain_member_Digitally_encrypt_secure_channel_data_when_possible' Domain_member_Digitally_encrypt_secure_channel_data_when_possible = 'Enabled' } | |
# 2.3.6.3 (L1) Ensure 'Domain member: Digitally sign secure channel data (when possible)' is set to 'Enabled' SecurityOption Domain_member_Digitally_sign_secure_channel_data_when_possible { Name = 'Domain_member_Digitally_sign_secure_channel_data_when_possible' Domain_member_Digitally_sign_secure_channel_data_when_possible = 'Enabled' } | |
# 2.3.6.4 (L1) Ensure 'Domain member: Disable machine account password changes' is set to 'Disabled' SecurityOption Domain_member_Disable_machine_account_password_changes { Name = 'Domain_member_Disable_machine_account_password_changes' Domain_member_Disable_machine_account_password_changes = 'Disabled' } | |
# 2.3.6.5 (L1) Ensure 'Domain member: Maximum machine account password age' is set to '30 or fewer days, but not 0' SecurityOption Domain_member_Maximum_machine_account_password_age { Name = 'Domain_member_Maximum_machine_account_password_age' Domain_member_Maximum_machine_account_password_age = '30' } | |
# 2.3.6.6 (L1) Ensure 'Domain member: Require strong (Windows 2000 or later) session key' is set to 'Enabled' SecurityOption Domain_member_Require_strong_Windows_2000_or_later_session_key { Name = 'Domain_member_Require_strong_Windows_2000_or_later_session_key' Domain_member_Require_strong_Windows_2000_or_later_session_key = 'Enabled' } | |
# 2.3.7.1 (L1) Ensure 'Interactive logon: Do not display last user name' is set to 'Enabled' SecurityOption Interactive_logon_Do_not_display_last_user_name { Name = 'Interactive_logon_Do_not_display_last_user_name' Interactive_logon_Do_not_display_last_user_name = 'Enabled' } | |
# 2.3.7.2 (L1) Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled' SecurityOption Interactive_logon_Do_not_require_CTRL_ALT_DEL { Name = 'Interactive_logon_Do_not_require_CTRL_ALT_DEL' Interactive_logon_Do_not_require_CTRL_ALT_DEL = 'Disabled' } | |
# 2.3.7.3 (L1) Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0' SecurityOption Interactive_logon_Machine_inactivity_limit { Name = 'Interactive_logon_Machine_inactivity_limit' Interactive_logon_Machine_inactivity_limit = '900' } | |
# 2.3.7.6 (L2) Ensure 'Interactive logon: Number of previous logons to cache (in case domain controller is not available)' is set to '4 or fewer logon(s)' (MS only) SecurityOption Interactive_logon_Number_of_previous_logons_to_cache_in_case_domain_controller_is_not_available { Name = 'Interactive_logon_Number_of_previous_logons_to_cache_in_case_domain_controller_is_not_available' Interactive_logon_Number_of_previous_logons_to_cache_in_case_domain_controller_is_not_available = '4' } | |
# 2.3.7.7 (L1) Ensure 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days' SecurityOption Interactive_logon_Prompt_user_to_change_password_before_expiration { Name = 'Interactive_logon_Prompt_user_to_change_password_before_expiration' Interactive_logon_Prompt_user_to_change_password_before_expiration = '14' } | |
# 2.3.7.8 (L1) Ensure 'Interactive logon: Require Domain Controller Authentication to unlock workstation' is set to 'Enabled' (MS only) SecurityOption Interactive_logon_Require_Domain_Controller_authentication_to_unlock_workstation { Name = 'Interactive_logon_Require_Domain_Controller_authentication_to_unlock_workstation' Interactive_logon_Require_Domain_Controller_authentication_to_unlock_workstation = 'Enabled' } | |
# 2.3.7.9 (L1) Ensure 'Interactive logon: Smart card removal behavior' is set to 'Lock Workstation' or higher SecurityOption Interactive_logon_Smart_card_removal_behavior { Name = 'Interactive_logon_Smart_card_removal_behavior' Interactive_logon_Smart_card_removal_behavior = 'Lock Workstation' } | |
# 2.3.8.1 (L1) Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled' SecurityOption Microsoft_network_client_Digitally_sign_communications_always { Name = 'Microsoft_network_client_Digitally_sign_communications_always' Microsoft_network_client_Digitally_sign_communications_always = 'Enabled' } | |
# 2.3.8.2 (L1) Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled' SecurityOption Microsoft_network_client_Digitally_sign_communications_if_server_agrees { Name = 'Microsoft_network_client_Digitally_sign_communications_if_server_agrees' Microsoft_network_client_Digitally_sign_communications_if_server_agrees = 'Enabled' } | |
# 2.3.8.3 (L1) Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled' SecurityOption Microsoft_network_client_Send_unencrypted_password_to_third_party_SMB_servers { Name = 'Microsoft_network_client_Send_unencrypted_password_to_third_party_SMB_servers' Microsoft_network_client_Send_unencrypted_password_to_third_party_SMB_servers = 'Disabled' } | |
# 2.3.9.1 (L1) Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s), but not 0' SecurityOption Microsoft_network_server_Amount_of_idle_time_required_before_suspending_session { Name = 'Microsoft_network_server_Amount_of_idle_time_required_before_suspending_session' Microsoft_network_server_Amount_of_idle_time_required_before_suspending_session = '15' } | |
# 2.3.9.2 (L1) Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled' SecurityOption Microsoft_network_server_Digitally_sign_communications_always { Name = 'Microsoft_network_server_Digitally_sign_communications_always' Microsoft_network_server_Digitally_sign_communications_always = 'Enabled' } | |
# 2.3.9.3 (L1) Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled' SecurityOption Microsoft_network_server_Digitally_sign_communications_if_client_agrees { Name = 'Microsoft_network_server_Digitally_sign_communications_if_client_agrees' Microsoft_network_server_Digitally_sign_communications_if_client_agrees = 'Enabled' } | |
# 2.3.9.4 (L1) Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled' SecurityOption Microsoft_network_server_Disconnect_clients_when_logon_hours_expire { Name = 'Microsoft_network_server_Disconnect_clients_when_logon_hours_expire' Microsoft_network_server_Disconnect_clients_when_logon_hours_expire = 'Enabled' } | |
# 2.3.10.1 (L1) Ensure 'Network access: Allow anonymous SID/Name translation' is set to 'Disabled' SecurityOption Network_access_Allow_anonymous_SID_Name_translation { Name = 'Network_access_Allow_anonymous_SID_Name_translation' Network_access_Allow_anonymous_SID_Name_translation = 'Disabled' } | |
# 2.3.10.2 (L1) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled' (MS only) SecurityOption Network_access_Do_not_allow_anonymous_enumeration_of_SAM_accounts { Name = 'Network_access_Do_not_allow_anonymous_enumeration_of_SAM_accounts' Network_access_Do_not_allow_anonymous_enumeration_of_SAM_accounts = 'Enabled' } | |
# 2.3.10.3 (L1) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is set to 'Enabled' (MS only) SecurityOption Network_access_Do_not_allow_anonymous_enumeration_of_SAM_accounts_and_shares { Name = 'Network_access_Do_not_allow_anonymous_enumeration_of_SAM_accounts_and_shares' Network_access_Do_not_allow_anonymous_enumeration_of_SAM_accounts_and_shares = 'Enabled' } | |
# 2.3.10.4 (L2) Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled' SecurityOption Network_access_Do_not_allow_storage_of_passwords_and_credentials_for_network_authentication { Name = 'Network_access_Do_not_allow_storage_of_passwords_and_credentials_for_network_authentication' Network_access_Do_not_allow_storage_of_passwords_and_credentials_for_network_authentication = 'Enabled' } | |
# 2.3.10.5 (L1) Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled' SecurityOption Network_access_Let_Everyone_permissions_apply_to_anonymous_users { Name = 'Network_access_Let_Everyone_permissions_apply_to_anonymous_users' Network_access_Let_Everyone_permissions_apply_to_anonymous_users = 'Disabled' } | |
# 2.3.10.10 (L1) Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled' SecurityOption Network_access_Restrict_anonymous_access_to_Named_Pipes_and_Shares { Name = 'Network_access_Restrict_anonymous_access_to_Named_Pipes_and_Shares' Network_access_Restrict_anonymous_access_to_Named_Pipes_and_Shares = 'Enabled' } | |
# 2.3.10.12 (L1) Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None' SecurityOption Network_access_Shares_that_can_be_accessed_anonymously { Name = 'Network_access_Shares_that_can_be_accessed_anonymously' Network_access_Shares_that_can_be_accessed_anonymously = '' } | |
# 2.3.10.13 (L1) Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves' SecurityOption Network_access_Sharing_and_security_model_for_local_accounts { Name = 'Network_access_Sharing_and_security_model_for_local_accounts' Network_access_Sharing_and_security_model_for_local_accounts = 'Classic - local users authenticate as themselves' } | |
# 2.3.11.1 (L1) Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled' SecurityOption Network_security_Allow_Local_System_to_use_computer_identity_for_NTLM { Name = 'Network_security_Allow_Local_System_to_use_computer_identity_for_NTLM' Network_security_Allow_Local_System_to_use_computer_identity_for_NTLM = 'Enabled' } | |
# 2.3.11.2 (L1) Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled' SecurityOption Network_security_Allow_LocalSystem_NULL_session_fallback { Name = 'Network_security_Allow_LocalSystem_NULL_session_fallback' Network_security_Allow_LocalSystem_NULL_session_fallback = 'Disabled' } | |
# 2.3.11.3 (L1) Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled' SecurityOption Network_security_Allow_PKU2U_authentication_requests_to_this_computer_to_use_online_identities { Name = 'Network_security_Allow_PKU2U_authentication_requests_to_this_computer_to_use_online_identities' Network_security_Allow_PKU2U_authentication_requests_to_this_computer_to_use_online_identities = 'Disabled' } | |
# 2.3.11.4 (L1) Ensure 'Network security: Configure encryption types allowed for Kerberos' is set to 'AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types' SecurityOption Network_security_Configure_encryption_types_allowed_for_Kerberos { Name = 'Network_security_Configure_encryption_types_allowed_for_Kerberos' Network_security_Configure_encryption_types_allowed_for_Kerberos = 'AES128_HMAC_SHA1','AES256_HMAC_SHA1' } | |
# 2.3.11.5 (L1) Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled' SecurityOption Network_security_Do_not_store_LAN_Manager_hash_value_on_next_password_change { Name = 'Network_security_Do_not_store_LAN_Manager_hash_value_on_next_password_change' Network_security_Do_not_store_LAN_Manager_hash_value_on_next_password_change = 'Enabled' } | |
# 2.3.11.6 (L1) Ensure 'Network security: Force logoff when logon hours expire' is set to 'Enabled' SecurityOption Network_security_Force_logoff_when_logon_hours_expire { Name = 'Network_security_Force_logoff_when_logon_hours_expire' Network_security_Force_logoff_when_logon_hours_expire = 'Enabled' } | |
# 2.3.11.8 (L1) Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signing' or higher SecurityOption Network_security_LDAP_client_signing_requirements { Name = 'Network_security_LDAP_client_signing_requirements' Network_security_LDAP_client_signing_requirements = 'Negotiate signing' } | |
# 2.3.11.9 (L1) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to 'Require NTLMv2 session security, Require 128-bit encryption' SecurityOption Network_security_Minimum_session_security_for_NTLM_SSP_based_including_secure_RPC_clients { Name = 'Network_security_Minimum_session_security_for_NTLM_SSP_based_including_secure_RPC_clients' Network_security_Minimum_session_security_for_NTLM_SSP_based_including_secure_RPC_clients = 'Both options checked' } | |
# 2.3.11.10 (L1) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to 'Require NTLMv2 session security, Require 128-bit encryption' SecurityOption Network_security_Minimum_session_security_for_NTLM_SSP_based_including_secure_RPC_servers { Name = 'Network_security_Minimum_session_security_for_NTLM_SSP_based_including_secure_RPC_servers' Network_security_Minimum_session_security_for_NTLM_SSP_based_including_secure_RPC_servers = 'Both options checked' } | |
# --- Security Options (SecurityPolicyDsc) -------------------------------------
# Each block maps one CIS control to the matching SecurityOption property.

# 2.3.13.1 (L1) Ensure 'Shutdown: Allow system to be shut down without having to log on' is set to 'Disabled'
SecurityOption Shutdown_Allow_system_to_be_shut_down_without_having_to_log_on {
    Name = 'Shutdown_Allow_system_to_be_shut_down_without_having_to_log_on'
    Shutdown_Allow_system_to_be_shut_down_without_having_to_log_on = 'Disabled'
}

# 2.3.15.1 (L1) Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled'
SecurityOption System_objects_Require_case_insensitivity_for_non_Windows_subsystems {
    Name = 'System_objects_Require_case_insensitivity_for_non_Windows_subsystems'
    System_objects_Require_case_insensitivity_for_non_Windows_subsystems = 'Enabled'
}

# 2.3.15.2 (L1) Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled'
SecurityOption System_objects_Strengthen_default_permissions_of_internal_system_objects_eg_Symbolic_Links {
    Name = 'System_objects_Strengthen_default_permissions_of_internal_system_objects_eg_Symbolic_Links'
    System_objects_Strengthen_default_permissions_of_internal_system_objects_eg_Symbolic_Links = 'Enabled'
}

# 2.3.17.1 (L1) Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled'
SecurityOption User_Account_Control_Admin_Approval_Mode_for_the_Built_in_Administrator_account {
    Name = 'User_Account_Control_Admin_Approval_Mode_for_the_Built_in_Administrator_account'
    User_Account_Control_Admin_Approval_Mode_for_the_Built_in_Administrator_account = 'Enabled'
}

# 2.3.17.2 (L1) Ensure 'User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop' is set to 'Disabled'
SecurityOption User_Account_Control_Allow_UIAccess_applications_to_prompt_for_elevation_without_using_the_secure_desktop {
    Name = 'User_Account_Control_Allow_UIAccess_applications_to_prompt_for_elevation_without_using_the_secure_desktop'
    User_Account_Control_Allow_UIAccess_applications_to_prompt_for_elevation_without_using_the_secure_desktop = 'Disabled'
}

# 2.3.17.3 (L1) Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure desktop'
SecurityOption User_Account_Control_Behavior_of_the_elevation_prompt_for_administrators_in_Admin_Approval_Mode {
    Name = 'User_Account_Control_Behavior_of_the_elevation_prompt_for_administrators_in_Admin_Approval_Mode'
    User_Account_Control_Behavior_of_the_elevation_prompt_for_administrators_in_Admin_Approval_Mode = 'Prompt for consent on the secure desktop'
}

# 2.3.17.4 (L1) Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Automatically deny elevation requests'
# (the DSC module spells the option value in the singular; keep it as written)
SecurityOption User_Account_Control_Behavior_of_the_elevation_prompt_for_standard_users {
    Name = 'User_Account_Control_Behavior_of_the_elevation_prompt_for_standard_users'
    User_Account_Control_Behavior_of_the_elevation_prompt_for_standard_users = 'Automatically deny elevation request'
}

# 2.3.17.5 (L1) Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled'
SecurityOption User_Account_Control_Detect_application_installations_and_prompt_for_elevation {
    Name = 'User_Account_Control_Detect_application_installations_and_prompt_for_elevation'
    User_Account_Control_Detect_application_installations_and_prompt_for_elevation = 'Enabled'
}

# 2.3.17.6 (L1) Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled'
SecurityOption User_Account_Control_Only_elevate_UIAccess_applications_that_are_installed_in_secure_locations {
    Name = 'User_Account_Control_Only_elevate_UIAccess_applications_that_are_installed_in_secure_locations'
    User_Account_Control_Only_elevate_UIAccess_applications_that_are_installed_in_secure_locations = 'Enabled'
}

# 2.3.17.7 (L1) Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled'
SecurityOption User_Account_Control_Run_all_administrators_in_Admin_Approval_Mode {
    Name = 'User_Account_Control_Run_all_administrators_in_Admin_Approval_Mode'
    User_Account_Control_Run_all_administrators_in_Admin_Approval_Mode = 'Enabled'
}

# 2.3.17.8 (L1) Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled'
SecurityOption User_Account_Control_Switch_to_the_secure_desktop_when_prompting_for_elevation {
    Name = 'User_Account_Control_Switch_to_the_secure_desktop_when_prompting_for_elevation'
    User_Account_Control_Switch_to_the_secure_desktop_when_prompting_for_elevation = 'Enabled'
}
# --- Advanced Audit Policy (AuditPolicyDsc) -----------------------------------
# One AuditPolicySubcategory per (subcategory, flag) pair; Success and Failure
# are managed as separate resources so each can be Present or Absent on its own.

# 17.1.1 (L1) Ensure 'Audit Credential Validation' is set to 'Success'
AuditPolicySubcategory "Audit Credential Validation (Success)" {
    Name      = 'Credential Validation'
    Ensure    = 'Present'
    AuditFlag = 'Success'
}

# 17.1.1.v2 (L1) Ensure 'Audit Credential Validation' is set to 'Failure'
AuditPolicySubcategory 'Audit Credential Validation (Failure)' {
    Name      = 'Credential Validation'
    Ensure    = 'Present'
    AuditFlag = 'Failure'
}

# 17.2.1 (L1) Ensure 'Audit Application Group Management' is set to 'Success'
AuditPolicySubcategory 'Audit Application Group Management (Success)' {
    Name      = 'Application Group Management'
    Ensure    = 'Present'
    AuditFlag = 'Success'
}

# 17.2.1.v2 (L1) Ensure 'Audit Application Group Management' is set to 'Failure'
AuditPolicySubcategory 'Audit Application Group Management (Failure)' {
    Name      = 'Application Group Management'
    Ensure    = 'Present'
    AuditFlag = 'Failure'
}

# 17.2.2 (L1) Ensure 'Audit Computer Account Management' is set to 'Failure'
AuditPolicySubcategory 'Audit Computer Account Management (Failure)' {
    Name      = 'Computer Account Management'
    Ensure    = 'Present'
    AuditFlag = 'Failure'
}

# 17.2.2.v2 (L1) Ensure 'Audit Computer Account Management' is set to 'Success'
AuditPolicySubcategory 'Audit Computer Account Management (Success)' {
    Name      = 'Computer Account Management'
    Ensure    = 'Present'
    AuditFlag = 'Success'
}

# 17.2.4 (L1) Ensure 'Audit Other Account Management Events' is set to 'Failure'
AuditPolicySubcategory 'Audit Other Account Management Events (Failure)' {
    Name      = 'Other Account Management Events'
    Ensure    = 'Present'
    AuditFlag = 'Failure'
}

# 17.2.4.v2 (L1) Ensure 'Audit Other Account Management Events' is set to 'Success'
AuditPolicySubcategory 'Audit Other Account Management Events (Success)' {
    Name      = 'Other Account Management Events'
    Ensure    = 'Present'
    AuditFlag = 'Success'
}

# 17.2.5 (L1) Ensure 'Audit Security Group Management' is set to 'Failure'
AuditPolicySubcategory 'Audit Security Group Management (Failure)' {
    Name      = 'Security Group Management'
    Ensure    = 'Present'
    AuditFlag = 'Failure'
}

# 17.2.5.v2 (L1) Ensure 'Audit Security Group Management' is set to 'Success'
AuditPolicySubcategory 'Audit Security Group Management (Success)' {
    Name      = 'Security Group Management'
    Ensure    = 'Present'
    AuditFlag = 'Success'
}

# 17.2.6 (L1) Ensure 'Audit User Account Management' is set to 'Failure'
AuditPolicySubcategory 'Audit User Account Management (Failure)' {
    Name      = 'User Account Management'
    Ensure    = 'Present'
    AuditFlag = 'Failure'
}

# 17.2.6.v2 (L1) Ensure 'Audit User Account Management' is set to 'Success'
AuditPolicySubcategory 'Audit User Account Management (Success)' {
    Name      = 'User Account Management'
    Ensure    = 'Present'
    AuditFlag = 'Success'
}

# 17.5.1 (L1) Ensure 'Audit Account Lockout' is set to 'Success'
AuditPolicySubcategory 'Audit Account Lockout (Success)' {
    Name      = 'Account Lockout'
    Ensure    = 'Present'
    AuditFlag = 'Success'
}

# 17.5.1.v2 (L1) Ensure 'Audit Account Lockout' is set to 'Failure'
AuditPolicySubcategory 'Audit Account Lockout (Failure)' {
    Name      = 'Account Lockout'
    Ensure    = 'Present'
    AuditFlag = 'Failure'
}

# 17.5.3 (L1) Ensure 'Audit Logoff' is set to 'Success'
AuditPolicySubcategory 'Audit Logoff (Success)' {
    Name      = 'Logoff'
    Ensure    = 'Present'
    AuditFlag = 'Success'
}
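# 17.5.3.v2 (L1) 'Audit Logoff' — the 'Failure' flag is explicitly REMOVED here
# (Ensure = 'Absent'); only 'Success' (17.5.3) is enforced for this subcategory.
# The previous comment claimed the flag was being set, which contradicted the code.
AuditPolicySubcategory 'Audit Logoff (Failure)' {
    Name      = 'Logoff'
    Ensure    = 'Absent'
    AuditFlag = 'Failure'
}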
# 17.5.4 (L1) Ensure 'Audit Logon' is set to 'Success'
AuditPolicySubcategory 'Audit Logon (Success)' {
    Name      = 'Logon'
    Ensure    = 'Present'
    AuditFlag = 'Success'
}

# 17.5.4.v2 (L1) Ensure 'Audit Logon' is set to 'Failure'
AuditPolicySubcategory 'Audit Logon (Failure)' {
    Name      = 'Logon'
    Ensure    = 'Present'
    AuditFlag = 'Failure'
}

# 17.5.5 (L1) Ensure 'Audit Other Logon/Logoff Events' is set to 'Failure'
AuditPolicySubcategory 'Audit Other Logon/Logoff Events (Failure)' {
    Name      = 'Other Logon/Logoff Events'
    Ensure    = 'Present'
    AuditFlag = 'Failure'
}

# 17.5.5.v2 (L1) Ensure 'Audit Other Logon/Logoff Events' is set to 'Success'
AuditPolicySubcategory 'Audit Other Logon/Logoff Events (Success)' {
    Name      = 'Other Logon/Logoff Events'
    Ensure    = 'Present'
    AuditFlag = 'Success'
}

# 17.5.6 (L1) Ensure 'Audit Special Logon' is set to 'Success'
AuditPolicySubcategory 'Audit Special Logon (Success)' {
    Name      = 'Special Logon'
    Ensure    = 'Present'
    AuditFlag = 'Success'
}
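# 17.5.6.v2 (L1) 'Audit Special Logon' — the 'Failure' flag is explicitly REMOVED here
# (Ensure = 'Absent'); only 'Success' (17.5.6) is enforced for this subcategory.
# The previous comment claimed the flag was being set, which contradicted the code.
AuditPolicySubcategory 'Audit Special Logon (Failure)' {
    Name      = 'Special Logon'
    Ensure    = 'Absent'
    AuditFlag = 'Failure'
}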
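# 17.6.1 (L1) 'Audit Detailed File Share' — the 'Success' flag is explicitly REMOVED here
# (Ensure = 'Absent'); only 'Failure' (17.6.1.v2) is enforced for this subcategory.
# The previous comment said "set to include 'Success'", which contradicted the code.
AuditPolicySubcategory 'Audit Detailed File Share (Success)' {
    Name      = 'Detailed File Share'
    Ensure    = 'Absent'
    AuditFlag = 'Success'
}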
# 17.6.1.v2 (L1) Ensure 'Audit Detailed File Share' is set to include 'Failure'
AuditPolicySubcategory 'Audit Detailed File Share (Failure)' {
    Name      = 'Detailed File Share'
    Ensure    = 'Present'
    AuditFlag = 'Failure'
}

# 17.6.2 (L1) Ensure 'Audit File Share' is set to 'Success'
AuditPolicySubcategory 'Audit File Share (Success)' {
    Name      = 'File Share'
    Ensure    = 'Present'
    AuditFlag = 'Success'
}

# 17.6.2.v2 (L1) Ensure 'Audit File Share' is set to 'Failure'
AuditPolicySubcategory 'Audit File Share (Failure)' {
    Name      = 'File Share'
    Ensure    = 'Present'
    AuditFlag = 'Failure'
}

# 17.6.4 (L1) Ensure 'Audit Removable Storage' is set to 'Success'
AuditPolicySubcategory 'Audit Removable Storage (Success)' {
    Name      = 'Removable Storage'
    Ensure    = 'Present'
    AuditFlag = 'Success'
}

# 17.6.4.v2 (L1) Ensure 'Audit Removable Storage' is set to 'Failure'
AuditPolicySubcategory 'Audit Removable Storage (Failure)' {
    Name      = 'Removable Storage'
    Ensure    = 'Present'
    AuditFlag = 'Failure'
}

# 17.7.1 (L1) Ensure 'Audit Policy Change' is set to 'Success'
AuditPolicySubcategory 'Audit Policy Change (Success)' {
    Name      = 'Audit Policy Change'
    Ensure    = 'Present'
    AuditFlag = 'Success'
}

# 17.7.1.v2 (L1) Ensure 'Audit Policy Change' is set to 'Failure'
AuditPolicySubcategory 'Audit Policy Change (Failure)' {
    Name      = 'Audit Policy Change'
    Ensure    = 'Present'
    AuditFlag = 'Failure'
}

# 17.7.2 (L1) Ensure 'Audit Authentication Policy Change' is set to 'Success'
AuditPolicySubcategory 'Audit Authentication Policy Change (Success)' {
    Name      = 'Authentication Policy Change'
    Ensure    = 'Present'
    AuditFlag = 'Success'
}
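# 17.7.2.v2 (L1) 'Audit Authentication Policy Change' — the 'Failure' flag is explicitly
# REMOVED here (Ensure = 'Absent'); only 'Success' (17.7.2) is enforced for this subcategory.
# The previous comment claimed the flag was being set, which contradicted the code.
AuditPolicySubcategory 'Audit Authentication Policy Change (Failure)' {
    Name      = 'Authentication Policy Change'
    Ensure    = 'Absent'
    AuditFlag = 'Failure'
}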
# 17.7.3 (L1) Ensure 'Audit Authorization Policy Change' is set to 'Success'
AuditPolicySubcategory 'Audit Authorization Policy Change (Success)' {
    Name      = 'Authorization Policy Change'
    Ensure    = 'Present'
    AuditFlag = 'Success'
}
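# 17.7.3.v2 (L1) 'Audit Authorization Policy Change' — the 'Failure' flag is explicitly
# REMOVED here (Ensure = 'Absent'); only 'Success' (17.7.3) is enforced for this subcategory.
# The previous comment claimed the flag was being set, which contradicted the code.
AuditPolicySubcategory 'Audit Authorization Policy Change (Failure)' {
    Name      = 'Authorization Policy Change'
    Ensure    = 'Absent'
    AuditFlag = 'Failure'
}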
# 17.8.1 (L1) Ensure 'Audit Sensitive Privilege Use' is set to 'Failure'
AuditPolicySubcategory 'Audit Sensitive Privilege Use (Failure)' {
    Name      = 'Sensitive Privilege Use'
    Ensure    = 'Present'
    AuditFlag = 'Failure'
}

# 17.8.1.v2 (L1) Ensure 'Audit Sensitive Privilege Use' is set to 'Success'
AuditPolicySubcategory 'Audit Sensitive Privilege Use (Success)' {
    Name      = 'Sensitive Privilege Use'
    Ensure    = 'Present'
    AuditFlag = 'Success'
}

# 17.9.1 (L1) Ensure 'Audit IPsec Driver' is set to 'Failure'
AuditPolicySubcategory 'Audit IPsec Driver (Failure)' {
    Name      = 'IPsec Driver'
    Ensure    = 'Present'
    AuditFlag = 'Failure'
}

# 17.9.1.v2 (L1) Ensure 'Audit IPsec Driver' is set to 'Success'
AuditPolicySubcategory 'Audit IPsec Driver (Success)' {
    Name      = 'IPsec Driver'
    Ensure    = 'Present'
    AuditFlag = 'Success'
}

# 17.9.2 (L1) Ensure 'Audit Other System Events' is set to 'Failure'
AuditPolicySubcategory 'Audit Other System Events (Failure)' {
    Name      = 'Other System Events'
    Ensure    = 'Present'
    AuditFlag = 'Failure'
}

# 17.9.2.v2 (L1) Ensure 'Audit Other System Events' is set to 'Success'
AuditPolicySubcategory 'Audit Other System Events (Success)' {
    Name      = 'Other System Events'
    Ensure    = 'Present'
    AuditFlag = 'Success'
}

# 17.9.3 (L1) Ensure 'Audit Security State Change' is set to 'Success'
AuditPolicySubcategory 'Audit Security State Change (Success)' {
    Name      = 'Security State Change'
    Ensure    = 'Present'
    AuditFlag = 'Success'
}
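# 17.9.3.v2 (L1) 'Audit Security State Change' — the 'Failure' flag is explicitly REMOVED
# here (Ensure = 'Absent'); only 'Success' (17.9.3) is enforced for this subcategory.
# The previous comment claimed the flag was being set, which contradicted the code.
AuditPolicySubcategory 'Audit Security State Change (Failure)' {
    Name      = 'Security State Change'
    Ensure    = 'Absent'
    AuditFlag = 'Failure'
}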
# 17.9.4 (L1) Ensure 'Audit Security System Extension' is set to 'Failure'
AuditPolicySubcategory 'Audit Security System Extension (Failure)' {
    Name      = 'Security System Extension'
    Ensure    = 'Present'
    AuditFlag = 'Failure'
}

# 17.9.4.v2 (L1) Ensure 'Audit Security System Extension' is set to 'Success'
AuditPolicySubcategory 'Audit Security System Extension (Success)' {
    Name      = 'Security System Extension'
    Ensure    = 'Present'
    AuditFlag = 'Success'
}

# 17.9.5 (L1) Ensure 'Audit System Integrity' is set to 'Failure'
AuditPolicySubcategory 'Audit System Integrity (Failure)' {
    Name      = 'System Integrity'
    Ensure    = 'Present'
    AuditFlag = 'Failure'
}

# 17.9.5.v2 (L1) Ensure 'Audit System Integrity' is set to 'Success'
AuditPolicySubcategory 'Audit System Integrity (Success)' {
    Name      = 'System Integrity'
    Ensure    = 'Present'
    AuditFlag = 'Success'
}

# --- Administrative Templates (Registry) --------------------------------------
# Every Registry resource below pins one policy value; Ensure = 'Present' means
# the key/value is created if missing and corrected if it drifts.

# 18.1.1.1 (L1) Ensure 'Prevent enabling lock screen camera' is set to 'Enabled'
Registry 'NoLockScreenCamera' {
    Ensure    = 'Present'
    Key       = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization'
    ValueName = 'NoLockScreenCamera'
    ValueType = 'DWord'
    ValueData = '1'
}

# 18.1.1.2 (L1) Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled'
Registry 'NoLockScreenSlideshow' {
    Ensure    = 'Present'
    Key       = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization'
    ValueName = 'NoLockScreenSlideshow'
    ValueType = 'DWord'
    ValueData = '1'
}

# 18.1.2.2 (L1) Ensure 'Allow input personalization' is set to 'Disabled'
Registry 'AllowInputPersonalization' {
    Ensure    = 'Present'
    Key       = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\InputPersonalization'
    ValueName = 'AllowInputPersonalization'
    ValueType = 'DWord'
    ValueData = '0'
}

# 18.1.3 (L2) Ensure 'Allow Online Tips' is set to 'Disabled'
Registry 'AllowOnlineTips' {
    Ensure    = 'Present'
    Key       = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    ValueName = 'AllowOnlineTips'
    ValueType = 'DWord'
    ValueData = '0'
}

# 18.3.2 (L1) Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver'
# Start = 4 is SERVICE_DISABLED for the mrxsmb10 driver.
Registry 'Start' {
    Ensure    = 'Present'
    Key       = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mrxsmb10'
    ValueName = 'Start'
    ValueType = 'DWord'
    ValueData = '4'
}

# 18.3.3 (L1) Ensure 'Configure SMB v1 server' is set to 'Disabled'
Registry 'SMB1' {
    Ensure    = 'Present'
    Key       = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    ValueName = 'SMB1'
    ValueType = 'DWord'
    ValueData = '0'
}
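# 18.3.4 (L1) Ensure 'Enable Structured Exception Handling Overwrite Protection (SEHOP)' is set to 'Enabled'
# Key path fixed: the real key is 'Session Manager' (with a space). Without the space
# DSC would create an unrelated 'SessionManager' key and SEHOP would silently stay
# unconfigured while the configuration still reported success.
Registry 'DisableExceptionChainValidation' {
    Ensure    = 'Present'
    Key       = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel'
    ValueName = 'DisableExceptionChainValidation'
    ValueType = 'DWord'
    ValueData = '0'
}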
# 18.3.6 (L1) Ensure 'NetBT NodeType configuration' is set to 'Enabled: P-node (recommended)'
# NodeType = 2 is P-node (WINS/point-to-point only, no broadcast name resolution).
Registry 'NetBTNodeType' {
    Ensure    = 'Present'
    Key       = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters'
    ValueName = 'NodeType'
    ValueType = 'DWord'
    ValueData = '2'
}

# 18.3.7 (L1) Ensure 'WDigest Authentication' is set to 'Disabled'
Registry 'UseLogonCredential' {
    Ensure    = 'Present'
    Key       = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
    ValueName = 'UseLogonCredential'
    ValueType = 'DWord'
    ValueData = '0'
}
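# 18.4.1 (L1) Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled'
# Key path fixed: the real key is 'Windows NT' (with a space). The previous
# 'WindowsNT' path would have created an unrelated key and left automatic logon
# unmanaged while DSC reported the resource as compliant.
Registry 'AutoAdminLogon' {
    Ensure    = 'Present'
    Key       = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    ValueName = 'AutoAdminLogon'
    ValueType = 'String'
    ValueData = '0'
}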
# 18.4.2 (L1) Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'
Registry 'DisableIPSourceRouting' {
    Ensure    = 'Present'
    Key       = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
    ValueName = 'DisableIPSourceRouting'
    ValueType = 'DWord'
    ValueData = '2'
}

# 18.4.3 (L1) Ensure 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'
# Same value as 18.4.2, applied to the IPv4 stack; the resource name carries a
# '2' suffix only because DSC resource names must be unique within the configuration.
Registry 'DisableIPSourceRouting2' {
    Ensure    = 'Present'
    Key       = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
    ValueName = 'DisableIPSourceRouting'
    ValueType = 'DWord'
    ValueData = '2'
}

# 18.4.4 (L1) Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled'
Registry 'EnableICMPRedirect' {
    Ensure    = 'Present'
    Key       = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
    ValueName = 'EnableICMPRedirect'
    ValueType = 'DWord'
    ValueData = '0'
}

# 18.4.5 (L2) Ensure 'MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds' is set to 'Enabled: 300,000 or 5 minutes (recommended)'
Registry 'KeepAliveTime' {
    Ensure    = 'Present'
    Key       = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
    ValueName = 'KeepAliveTime'
    ValueType = 'DWord'
    ValueData = '300000'
}

# 18.4.6 (L1) Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled'
Registry 'NoNameReleaseOnDemand' {
    Ensure    = 'Present'
    Key       = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters'
    ValueName = 'NoNameReleaseOnDemand'
    ValueType = 'DWord'
    ValueData = '1'
}
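# 18.4.7 (L2) Ensure 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)' is set to 'Disabled'
# ValueData fixed to '0': 'Disabled' means router discovery is OFF. The previous
# value '1' enabled IRDP — the opposite of what the control (and its comment) intends.
Registry 'PerformRouterDiscovery' {
    Ensure    = 'Present'
    Key       = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
    ValueName = 'PerformRouterDiscovery'
    ValueType = 'DWord'
    ValueData = '0'
}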
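# 18.4.8 (L1) Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' is set to 'Enabled'
# Key path fixed: the real key is 'Session Manager' (with a space). The previous
# 'SessionManager' path would have written the value to an unrelated key, so the
# DLL search order would not actually have been hardened.
Registry 'SafeDllSearchMode' {
    Ensure    = 'Present'
    Key       = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager'
    ValueName = 'SafeDllSearchMode'
    ValueType = 'DWord'
    ValueData = '1'
}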
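# 18.4.9 (L1) Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' is set to 'Enabled: 5 or fewer seconds'
# Key path fixed: the real key is 'Windows NT' (with a space); 'WindowsNT' would have
# created an unrelated key and left the grace period at its default.
# ValueType is String (REG_SZ) because Winlogon reads this value as text.
Registry 'ScreenSaverGracePeriod' {
    Ensure    = 'Present'
    Key       = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    ValueName = 'ScreenSaverGracePeriod'
    ValueType = 'String'
    ValueData = '5'
}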
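# 18.4.10 (L2) Ensure 'MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'
# ValueData fixed to '3' to match the control; the previous '5' allowed more
# retransmissions than the benchmark permits and contradicted the comment.
Registry 'TcpMaxDataRetransmissions' {
    Ensure    = 'Present'
    Key       = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters'
    ValueName = 'TcpMaxDataRetransmissions'
    ValueType = 'DWord'
    ValueData = '3'
}

# 18.4.11 (L2) Ensure 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'
# Same fix as 18.4.10, for the IPv4 stack ('5' -> '3').
Registry 'TcpMaxDataRetransmissions2' {
    Ensure    = 'Present'
    Key       = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
    ValueName = 'TcpMaxDataRetransmissions'
    ValueType = 'DWord'
    ValueData = '3'
}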
# 18.4.12 (L1) Ensure 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' is set to 'Enabled: 90% or less'
Registry 'WarningLevel' {
    Ensure    = 'Present'
    Key       = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security'
    ValueName = 'WarningLevel'
    ValueType = 'DWord'
    ValueData = '90'
}

# 18.5.5.1 (L2) Ensure 'Enable Font Providers' is set to 'Disabled'
Registry 'EnableFontProviders' {
    Ensure    = 'Present'
    Key       = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'
    ValueName = 'EnableFontProviders'
    ValueType = 'DWord'
    ValueData = '0'
}

# 18.5.8.1 (L1) Ensure 'Enable insecure guest logons' is set to 'Disabled'
Registry 'AllowInsecureGuestAuth' {
    Ensure    = 'Present'
    Key       = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation'
    ValueName = 'AllowInsecureGuestAuth'
    ValueType = 'DWord'
    ValueData = '0'
}

# 18.5.9.1 (L2) Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled'
# The policy is expressed through four values under the LLTD key (v1-v4 below);
# all four are 0 when the policy is Disabled.
Registry 'AllowLLTDIOOnDomain' {
    Ensure    = 'Present'
    Key       = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD'
    ValueName = 'AllowLLTDIOOnDomain'
    ValueType = 'DWord'
    ValueData = '0'
}

# 18.5.9.1.v2 (L2) Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled'
Registry 'AllowLLTDIOOnPublicNet' {
    Ensure    = 'Present'
    Key       = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD'
    ValueName = 'AllowLLTDIOOnPublicNet'
    ValueType = 'DWord'
    ValueData = '0'
}

# 18.5.9.1.v3 (L2) Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled'
Registry 'EnableLLTDIO' {
    Ensure    = 'Present'
    Key       = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD'
    ValueName = 'EnableLLTDIO'
    ValueType = 'DWord'
    ValueData = '0'
}

# 18.5.9.1.v4 (L2) Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled'
Registry 'ProhibitLLTDIOOnPrivateNet' {
    Ensure    = 'Present'
    Key       = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD'
    ValueName = 'ProhibitLLTDIOOnPrivateNet'
    ValueType = 'DWord'
    ValueData = '0'
}

# 18.5.9.2 (L2) Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled'
# Same four-value pattern as 18.5.9.1, for the Responder driver.
Registry 'AllowRspndrOnDomain' {
    Ensure    = 'Present'
    Key       = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD'
    ValueName = 'AllowRspndrOnDomain'
    ValueType = 'DWord'
    ValueData = '0'
}

# 18.5.9.2.v2 (L2) Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled'
Registry 'AllowRspndrOnPublicNet' {
    Ensure    = 'Present'
    Key       = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD'
    ValueName = 'AllowRspndrOnPublicNet'
    ValueType = 'DWord'
    ValueData = '0'
}

# 18.5.9.2.v3 (L2) Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled'
Registry 'EnableRspndr' {
    Ensure    = 'Present'
    Key       = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD'
    ValueName = 'EnableRspndr'
    ValueType = 'DWord'
    ValueData = '0'
}

# 18.5.9.2.v4 (L2) Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled'
Registry 'ProhibitRspndrOnPrivateNet' {
    Ensure    = 'Present'
    Key       = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD'
    ValueName = 'ProhibitRspndrOnPrivateNet'
    ValueType = 'DWord'
    ValueData = '0'
}
# 18.5.10.2 (L2) Ensure 'Turn off Microsoft Peer-to-Peer Networking Services' is set to 'Enabled'
Registry 'Disabled' {
    Ensure    = 'Present'
    Key       = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Peernet'
    ValueName = 'Disabled'
    ValueType = 'DWord'
    ValueData = '1'
}

# 18.5.11.2 (L1) Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled'
Registry 'NC_AllowNetBridge_NLA' {
    Ensure    = 'Present'
    Key       = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkConnections'
    ValueName = 'NC_AllowNetBridge_NLA'
    ValueType = 'DWord'
    ValueData = '0'
}

# 18.5.11.3 (L1) Ensure 'Prohibit use of Internet Connection Sharing on your DNS domain network' is set to 'Enabled'
Registry 'NC_ShowSharedAccessUI' {
    Ensure    = 'Present'
    Key       = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkConnections'
    ValueName = 'NC_ShowSharedAccessUI'
    ValueType = 'DWord'
    ValueData = '0'
}

# 18.5.11.4 (L1) Ensure 'Require domain users to elevate when setting a network's location' is set to 'Enabled'
Registry 'NC_StdDomainUserSetLocation' {
    Ensure    = 'Present'
    Key       = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkConnections'
    ValueName = 'NC_StdDomainUserSetLocation'
    ValueType = 'DWord'
    ValueData = '1'
}

# 18.5.20.1 (L2) Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled'
# The policy is expressed through five values under WCN\Registrars (v1-v5 below);
# all five are 0 when the policy is Disabled.
Registry 'EnableRegistrars' {
    Ensure    = 'Present'
    Key       = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars'
    ValueName = 'EnableRegistrars'
    ValueType = 'DWord'
    ValueData = '0'
}

# 18.5.20.1.v2 (L2) Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled'
Registry 'DisableUPnPRegistrar' {
    Ensure    = 'Present'
    Key       = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars'
    ValueName = 'DisableUPnPRegistrar'
    ValueType = 'DWord'
    ValueData = '0'
}

# 18.5.20.1.v3 (L2) Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled'
Registry 'DisableInBand802DOT11Registrar' {
    Ensure    = 'Present'
    Key       = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars'
    ValueName = 'DisableInBand802DOT11Registrar'
    ValueType = 'DWord'
    ValueData = '0'
}

# 18.5.20.1.v4 (L2) Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled'
Registry 'DisableFlashConfigRegistrar' {
    Ensure    = 'Present'
    Key       = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars'
    ValueName = 'DisableFlashConfigRegistrar'
    ValueType = 'DWord'
    ValueData = '0'
}

# 18.5.20.1.v5 (L2) Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled'
Registry 'DisableWPDRegistrar' {
    Ensure    = 'Present'
    Key       = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars'
    ValueName = 'DisableWPDRegistrar'
    ValueType = 'DWord'
    ValueData = '0'
}

# 18.5.20.2 (L2) Ensure 'Prohibit access of the Windows Connect Now wizards' is set to 'Enabled'
Registry 'DisableWcnUi' {
    Ensure    = 'Present'
    Key       = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\UI'
    ValueName = 'DisableWcnUi'
    ValueType = 'DWord'
    ValueData = '1'
}

# 18.5.21.1 (L1) Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to 'Enabled'
Registry 'fMinimizeConnections' {
    Ensure    = 'Present'
    Key       = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy'
    ValueName = 'fMinimizeConnections'
    ValueType = 'DWord'
    ValueData = '1'
}

# 18.7.1.1 (L2) Ensure 'Turn off notifications network usage' is set to 'Enabled'
# Resource name and ValueName differ deliberately; the registry value is
# NoCloudApplicationNotification.
Registry 'notificationsnetworkusage' {
    Ensure    = 'Present'
    Key       = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications'
    ValueName = 'NoCloudApplicationNotification'
    ValueType = 'DWord'
    ValueData = '1'
}
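# 18.8.3.1 (L1) Ensure 'Include command line in process creation events' is set to 'Disabled'
# NOTE(review): ValueData = '0' follows the benchmark text above, but it turns OFF
# command-line capture in process-creation audit events. Many detection pipelines
# depend on that field; confirm this trade-off is intended for the target
# environment before rolling the baseline out.
Registry 'ProcessCreationIncludeCmdLine_Enabled' {
    Ensure    = 'Present'
    Key       = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
    ValueName = 'ProcessCreationIncludeCmdLine_Enabled'
    ValueType = 'DWord'
    ValueData = '0'
}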
# 18.8.4.1 (L1) Ensure 'Encryption Oracle Remediation' is set to 'Enabled: Force Updated Clients'
# AllowEncryptionOracle = 0 is the 'Force Updated Clients' setting for CredSSP.
Registry 'AllowEncryptionOracle' {
    Ensure    = 'Present'
    Key       = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'
    ValueName = 'AllowEncryptionOracle'
    ValueType = 'DWord'
    ValueData = '0'
}

# 18.8.4.2 (L1) Ensure 'Remote host allows delegation of non-exportable credentials' is set to 'Enabled'
Registry 'AllowProtectedCreds' {
    Ensure    = 'Present'
    Key       = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'
    ValueName = 'AllowProtectedCreds'
    ValueType = 'DWord'
    ValueData = '1'
}

# 18.8.14.1 (L1) Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical'
Registry 'DriverLoadPolicy' {
    Ensure    = 'Present'
    Key       = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\EarlyLaunch'
    ValueName = 'DriverLoadPolicy'
    ValueType = 'DWord'
    ValueData = '3'
}

# 18.8.21.4 (L1) Ensure 'Continue experiences on this device' is set to 'Disabled'
Registry 'EnableCdp' {
    Ensure    = 'Present'
    Key       = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'
    ValueName = 'EnableCdp'
    ValueType = 'DWord'
    ValueData = '0'
}

# 18.8.21.5 (L1) Ensure 'Turn off background refresh of Group Policy' is set to 'Disabled'
# 0 keeps background refresh ON, so the configuration above keeps being re-applied.
Registry 'DisableBkGndGroupPolicy' {
    Ensure    = 'Present'
    Key       = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    ValueName = 'DisableBkGndGroupPolicy'
    ValueType = 'DWord'
    ValueData = '0'
}
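# 18.8.22.1.1 (L1) Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'
# Two fixes: ValueData is '1' ('Enabled' for this policy means downloading is OFF;
# the previous '0' left it allowed), and the key path uses 'Windows NT' with a space
# ('WindowsNT' would have created an unrelated key and the control would not apply).
Registry 'DisableWebPnPDownload' {
    Ensure    = 'Present'
    Key       = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
    ValueName = 'DisableWebPnPDownload'
    ValueType = 'DWord'
    ValueData = '1'
}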
# 18.8.22.1.2 (L2) Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled'
Registry 'PreventHandwritingDataSharing' {
    Ensure    = 'Present'
    Key       = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC'
    ValueName = 'PreventHandwritingDataSharing'
    ValueType = 'DWord'
    ValueData = '1'
}

# 18.8.22.1.3 (L2) Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'
Registry 'PreventHandwritingErrorReports' {
    Ensure    = 'Present'
    Key       = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports'
    ValueName = 'PreventHandwritingErrorReports'
    ValueType = 'DWord'
    ValueData = '1'
}

# 18.8.22.1.4 (L2) Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'
Registry 'ExitOnMSICW' {
    Ensure    = 'Present'
    Key       = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard'
    ValueName = 'ExitOnMSICW'
    ValueType = 'DWord'
    ValueData = '1'
}

# 18.8.22.1.5 (L1) Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'
Registry 'NoWebServices' {
    Ensure    = 'Present'
    Key       = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    ValueName = 'NoWebServices'
    ValueType = 'DWord'
    ValueData = '1'
}
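# 18.8.22.1.6 (L1) Ensure 'Turn off printing over HTTP' is set to 'Enabled'
# Key path fixed: 'Windows NT' has a space. The previous 'WindowsNT' path would have
# written to an unrelated key and left HTTP printing enabled.
Registry 'DisableHTTPPrinting' {
    Ensure    = 'Present'
    Key       = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
    ValueName = 'DisableHTTPPrinting'
    ValueType = 'DWord'
    ValueData = '1'
}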
# 18.8.22.1.7 (L2) Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'
Registry 'NoRegistration' {
    Ensure    = 'Present'
    Key       = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Registration Wizard Control'
    ValueName = 'NoRegistration'
    ValueType = 'DWord'
    ValueData = '1'
}

# 18.8.22.1.8 (L2) Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'
Registry 'DisableContentFileUpdates' {
    Ensure    = 'Present'
    Key       = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion'
    ValueName = 'DisableContentFileUpdates'
    ValueType = 'DWord'
    ValueData = '1'
}

# 18.8.22.1.9 (L2) Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled'
Registry 'NoOnlinePrintsWizard' {
    Ensure    = 'Present'
    Key       = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    ValueName = 'NoOnlinePrintsWizard'
    ValueType = 'DWord'
    ValueData = '1'
}

# 18.8.22.1.10 (L2) Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled'
Registry 'NoPublishingWizard' {
    Ensure    = 'Present'
    Key       = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    ValueName = 'NoPublishingWizard'
    ValueType = 'DWord'
    ValueData = '1'
}

# 18.8.22.1.11 (L2) Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'
Registry 'CEIP' {
    Ensure    = 'Present'
    Key       = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client'
    ValueName = 'CEIP'
    ValueType = 'DWord'
    ValueData = '2'
}

# 18.8.22.1.12 (L2) Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'
Registry 'CEIPEnable' {
    Ensure    = 'Present'
    Key       = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows'
    ValueName = 'CEIPEnable'
    ValueType = 'DWord'
    ValueData = '0'
}

# 18.8.22.1.13 (L2) Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'
# Resource name carries a '2' suffix because 'Disabled' is already used by 18.5.10.2.
Registry 'Disabled2' {
    Ensure    = 'Present'
    Key       = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting'
    ValueName = 'Disabled'
    ValueType = 'DWord'
    ValueData = '1'
}

# 18.8.22.1.13.v2 (L2) Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'
Registry 'DoReport' {
    Ensure    = 'Present'
    Key       = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting'
    ValueName = 'DoReport'
    ValueType = 'DWord'
    ValueData = '0'
}

# 18.8.25.1 (L2) Ensure 'Support device authentication using certificate' is set to 'Enabled: Automatic'
Registry 'DevicePKInitBehavior' {
    Ensure    = 'Present'
    Key       = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters'
    ValueName = 'DevicePKInitBehavior'
    ValueType = 'DWord'
    ValueData = '0'
}

# 18.8.26.1 (L1) Ensure 'Enumeration policy for external devices incompatible with Kernel DMA Protection' is set to 'Enabled: Block All'
Registry 'DeviceEnumerationPolicy' {
    Ensure    = 'Present'
    Key       = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Kernel DMA Protection'
    ValueName = 'DeviceEnumerationPolicy'
    ValueType = 'DWord'
    ValueData = '0'
}
# 18.8.27.1 (L2) Ensure 'Disallow copying of user input methods to the system account for sign-in' is set to 'Enabled' Registry 'BlockUserInputMethodsForSignIn' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\ControlPanel\International' ValueName = 'BlockUserInputMethodsForSignIn' ValueType = 'DWord' ValueData = '1' } | |
# 18.8.28.1 (L1) Ensure 'Block user from showing account details on sign-in' is set to 'Enabled' Registry 'BlockUserFromShowingAccountDetailsOnSignin' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System' ValueName = 'BlockUserFromShowingAccountDetailsOnSignin' ValueType = 'DWord' ValueData = '1' } | |
# 18.8.28.2 (L1) Ensure 'Do not display network selection UI' is set to 'Enabled' Registry 'DontDisplayNetworkSelectionUI' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System' ValueName = 'DontDisplayNetworkSelectionUI' ValueType = 'DWord' ValueData = '1' } | |
# 18.8.28.3 (L1) Ensure 'Do not enumerate connected users on domain-joined computers' is set to 'Enabled' Registry 'DontEnumerateConnectedUsers' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System' ValueName = 'DontEnumerateConnectedUsers' ValueType = 'DWord' ValueData = '1' } | |
# 18.8.28.4 (L1) Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled' (MS only) Registry 'EnumerateLocalUsers' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System' ValueName = 'EnumerateLocalUsers' ValueType = 'DWord' ValueData = '0' } | |
# 18.8.28.5 (L1) Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled' Registry 'DisableLockScreenAppNotifications' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System' ValueName = 'DisableLockScreenAppNotifications' ValueType = 'DWord' ValueData = '1' } | |
# 18.8.28.6 (L1) Ensure 'Turn off picture password sign-in' is set to 'Enabled' Registry 'BlockDomainPicturePassword' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System' ValueName = 'BlockDomainPicturePassword' ValueType = 'DWord' ValueData = '1' } | |
# 18.8.28.7 (L1) Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled' Registry 'AllowDomainPINLogon' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System' ValueName = 'AllowDomainPINLogon' ValueType = 'DWord' ValueData = '0' } | |
# 18.8.34.6.1 (L2) Ensure 'Allow network connectivity during connected standby (on battery)' is set to 'Disabled' Registry 'DCSettingIndex' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9' ValueName = 'DCSettingIndex' ValueType = 'DWord' ValueData = '0' } | |
# 18.8.34.6.2 (L2) Ensure 'Allow network connectivity during connected standby (plugged in)' is set to 'Disabled' Registry 'ACSettingIndex' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9' ValueName = 'ACSettingIndex' ValueType = 'DWord' ValueData = '0' } | |
# 18.8.34.6.3 (L1) Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled' Registry 'DCSettingIndex2' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb100d-47d6-a2d5-f7d2daa51f51' ValueName = 'DCSettingIndex' ValueType = 'DWord' ValueData = '1' } | |
# 18.8.34.6.4 (L1) Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled' Registry 'ACSettingIndex2' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb100d-47d6-a2d5-f7d2daa51f51' ValueName = 'ACSettingIndex' ValueType = 'DWord' ValueData = '1' } | |
# 18.8.36.1 (L1) Ensure 'Configure Offer Remote Assistance' is set to 'Disabled' Registry 'fAllowUnsolicited' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' ValueName = 'fAllowUnsolicited' ValueType = 'DWord' ValueData = '0' } | |
# 18.8.36.2 (L1) Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled' Registry 'fAllowToGetHelp' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' ValueName = 'fAllowToGetHelp' ValueType = 'DWord' ValueData = '0' } | |
# 18.8.47.5.1 (L2) Ensure 'Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider' is set to 'Disabled' Registry 'DisableQueryRemoteServer' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy' ValueName = 'DisableQueryRemoteServer' ValueType = 'DWord' ValueData = '0' } | |
# 18.8.49.1 (L2) Ensure 'Turn off the advertising ID' is set to 'Enabled' Registry 'DisabledByGroupPolicy' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\AdvertisingInfo' ValueName = 'DisabledByGroupPolicy' ValueType = 'DWord' ValueData = '1' } | |
# 18.8.52.1.1 (L2) Ensure 'Enable Windows NTP Client' is set to 'Enabled' Registry 'EnableNTPClient' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpClient' ValueName = 'Enabled' ValueType = 'DWord' ValueData = '1' } | |
# 18.9.4.1 (L2) Ensure 'Allow a Windows app to share application data between users' is set to 'Disabled' Registry 'AllowSharedLocalAppData' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\AppModel\StateManager' ValueName = 'AllowSharedLocalAppData' ValueType = 'DWord' ValueData = '0' } | |
# 18.9.6.1 (L1) Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled' Registry 'MSAOptional' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' ValueName = 'MSAOptional' ValueType = 'DWord' ValueData = '1' } | |
# 18.9.8.1 (L1) Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled' Registry 'NoAutoplayfornonVolume' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer' ValueName = 'NoAutoplayfornonVolume' ValueType = 'DWord' ValueData = '1' } | |
# 18.9.8.2 (L1) Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands' Registry 'NoAutorun' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' ValueName = 'NoAutorun' ValueType = 'DWord' ValueData = '1' } | |
# 18.9.8.3 (L1) Ensure 'Turn off Autoplay' is set to 'Enabled: All drives' Registry 'NoDriveTypeAutoRun' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' ValueName = 'NoDriveTypeAutoRun' ValueType = 'DWord' ValueData = '255' } | |
# 18.9.10.1.1 (L1) Ensure 'Configure enhanced anti-spoofing' is set to 'Enabled' Registry 'EnhancedAntiSpoofing' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Biometrics\FacialFeatures' ValueName = 'EnhancedAntiSpoofing' ValueType = 'DWord' ValueData = '1' } | |
# 18.9.12.1 (L2) Ensure 'Allow Use of Camera' is set to 'Disabled' Registry 'AllowCamera' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Camera' ValueName = 'AllowCamera' ValueType = 'DWord' ValueData = '0' } | |
# 18.9.13.1 (L1) Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled' Registry 'DisableWindowsConsumerFeatures' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CloudContent' ValueName = 'DisableWindowsConsumerFeatures' ValueType = 'DWord' ValueData = '1' } | |
# 18.9.14.1 (L1) Ensure 'Require pin for pairing' is set to 'Enabled' Registry 'RequirePinForPairing' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Connect' ValueName = 'RequirePinForPairing' ValueType = 'DWord' ValueData = '1' } | |
# 18.9.15.1 (L1) Ensure 'Do not display the password reveal button' is set to 'Enabled' Registry 'DisablePasswordReveal' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CredUI' ValueName = 'DisablePasswordReveal' ValueType = 'DWord' ValueData = '1' } | |
# 18.9.15.2 (L1) Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled' Registry 'EnumerateAdministrators' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI' ValueName = 'EnumerateAdministrators' ValueType = 'DWord' ValueData = '0' } | |
# 18.9.16.1 (L1) Ensure 'Allow Telemetry' is set to 'Enabled: 0 - Security [Enterprise Only]' or 'Enabled: 1 - Basic' Registry 'AllowTelemetry' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection' ValueName = 'AllowTelemetry' ValueType = 'DWord' ValueData = '0' } | |
# 18.9.16.2 (L2) Ensure 'Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service' is set to 'Enabled: Disable Authenticated Proxy usage' Registry 'DisableEnterpriseAuthProxy' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection' ValueName = 'DisableEnterpriseAuthProxy' ValueType = 'DWord' ValueData = '0' } | |
# 18.9.16.3 (L1) Ensure 'Do not show feedback notifications' is set to 'Enabled' Registry 'DoNotShowFeedbackNotifications' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection' ValueName = 'DoNotShowFeedbackNotifications' ValueType = 'DWord' ValueData = '1' } | |
# 18.9.16.4 (L1) Ensure 'Toggle user control over Insider builds' is set to 'Disabled' Registry 'AllowBuildPreview' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds' ValueName = 'AllowBuildPreview' ValueType = 'DWord' ValueData = '0' } | |
# 18.9.26.1.1 (L1) Ensure 'Application: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' Registry 'RetentionApplicationLog' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application' ValueName = 'Retention' ValueType = 'String' ValueData = '0' } | |
# 18.9.26.1.2 (L1) Ensure 'Application: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater' Registry 'MaxSizeApplicationLog' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application' ValueName = 'MaxSize' ValueType = 'DWord' ValueData = '32768' } | |
# 18.9.26.2.1 (L1) Ensure 'Security: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' Registry 'RetentionSecurityLog' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security' ValueName = 'Retention' ValueType = 'String' ValueData = '0' } | |
# 18.9.26.2.2 (L1) Ensure 'Security: Specify the maximum log file size (KB)' is set to 'Enabled: 196,608 or greater' Registry 'MaxSizeSecurityLog' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security' ValueName = 'MaxSize' ValueType = 'DWord' ValueData = '196608' } | |
# 18.9.26.3.1 (L1) Ensure 'Setup: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' Registry 'RetentionSetupLog' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup' ValueName = 'Retention' ValueType = 'String' ValueData = '0' } | |
# 18.9.26.3.2 (L1) Ensure 'Setup: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater' Registry 'MaxSizeSetupLog' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup' ValueName = 'MaxSize' ValueType = 'DWord' ValueData = '32768' } | |
# 18.9.26.4.1 (L1) Ensure 'System: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' Registry 'RetentionSystemLog' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System' ValueName = 'Retention' ValueType = 'String' ValueData = '0' } | |
# 18.9.26.4.2 (L1) Ensure 'System: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater' Registry 'MaxSizeSystemLog' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System' ValueName = 'MaxSize' ValueType = 'DWord' ValueData = '32768' } | |
# 18.9.30.2 (L1) Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled' Registry 'NoDataExecutionPrevention' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer' ValueName = 'NoDataExecutionPrevention' ValueType = 'DWord' ValueData = '0' } | |
# 18.9.30.3 (L1) Ensure 'Turn off heap termination on corruption' is set to 'Disabled' Registry 'NoHeapTerminationOnCorruption' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer' ValueName = 'NoHeapTerminationOnCorruption' ValueType = 'DWord' ValueData = '0' } | |
# 18.9.30.4 (L1) Ensure 'Turn off shell protocol protected mode' is set to 'Disabled' Registry 'PreXPSP2ShellProtocolBehavior' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' ValueName = 'PreXPSP2ShellProtocolBehavior' ValueType = 'DWord' ValueData = '0' } | |
# 18.9.39.2 (L2) Ensure 'Turn off location' is set to 'Enabled' Registry 'DisableLocation' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors' ValueName = 'DisableLocation' ValueType = 'DWord' ValueData = '1' } | |
# 18.9.43.1 (L2) Ensure 'Allow Message Service Cloud Sync' is set to 'Disabled' Registry 'AllowMessageSync' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Messaging' ValueName = 'AllowMessageSync' ValueType = 'DWord' ValueData = '0' } | |
# 18.9.44.1 (L1) Ensure 'Block all consumer Microsoft account user authentication' is set to 'Enabled' Registry 'DisableUserAuth' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftAccount' ValueName = 'DisableUserAuth' ValueType = 'DWord' ValueData = '1' } | |
# 18.9.52.1 (L1) Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled' Registry 'DisableFileSyncNGSC' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\OneDrive' ValueName = 'DisableFileSyncNGSC' ValueType = 'DWord' ValueData = '1' } | |
# 18.9.59.2.2 (L1) Ensure 'Do not allow passwords to be saved' is set to 'Enabled' Registry 'DisablePasswordSaving' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' ValueName = 'DisablePasswordSaving' ValueType = 'DWord' ValueData = '1' } | |
# 18.9.59.3.2.1 (L2) Ensure 'Restrict Remote Desktop Services users to a single Remote Desktop Services session' is set to 'Enabled' Registry 'fSingleSessionPerUser' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' ValueName = 'fSingleSessionPerUser' ValueType = 'DWord' ValueData = '1' } | |
# 18.9.59.3.3.1 (L2) Ensure 'Do not allow COM port redirection' is set to 'Enabled' Registry 'fDisableCcm' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' ValueName = 'fDisableCcm' ValueType = 'DWord' ValueData = '1' } | |
# 18.9.59.3.3.2 (L1) Ensure 'Do not allow drive redirection' is set to 'Enabled' Registry 'fDisableCdm' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' ValueName = 'fDisableCdm' ValueType = 'DWord' ValueData = '1' } | |
# 18.9.59.3.3.3 (L2) Ensure 'Do not allow LPT port redirection' is set to 'Enabled' Registry 'fDisableLPT' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' ValueName = 'fDisableLPT' ValueType = 'DWord' ValueData = '1' } | |
# 18.9.59.3.3.4 (L2) Ensure 'Do not allow supported Plug and Play device redirection' is set to 'Enabled' Registry 'fDisablePNPRedir' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' ValueName = 'fDisablePNPRedir' ValueType = 'DWord' ValueData = '1' } | |
# 18.9.59.3.9.2 (L1) Ensure 'Require secure RPC communication' is set to 'Enabled' Registry 'fEncryptRPCTraffic' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' ValueName = 'fEncryptRPCTraffic' ValueType = 'DWord' ValueData = '1' } | |
# 18.9.59.3.9.3 (L1) Ensure 'Require use of specific security layer for remote (RDP) connections' is set to 'Enabled: SSL' Registry 'SecurityLayer' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' ValueName = 'SecurityLayer' ValueType = 'DWord' ValueData = '2' } | |
# 18.9.59.3.9.4 (L1) Ensure 'Require user authentication for remote connections by using Network Level Authentication' is set to 'Enabled' # Commented out for testing Registry 'UserAuthentication' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' ValueName = 'UserAuthentication' ValueType = 'DWord' ValueData = '1' } | |
# 18.9.59.3.9.5 (L1) Ensure 'Set client connection encryption level' is set to 'Enabled: High Level' Registry 'MinEncryptionLevel' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' ValueName = 'MinEncryptionLevel' ValueType = 'DWord' ValueData = '3' } | |
# 18.9.59.3.11.1 (L1) Ensure 'Do not delete temp folders upon exit' is set to 'Disabled' Registry 'DeleteTempDirsOnExit' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' ValueName = 'DeleteTempDirsOnExit' ValueType = 'DWord' ValueData = '1' } | |
# 18.9.59.3.11.2 (L1) Ensure 'Do not use temporary folders per session' is set to 'Disabled' Registry 'PerSessionTempDir' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' ValueName = 'PerSessionTempDir' ValueType = 'DWord' ValueData = '1' } | |
# 18.9.60.1 (L1) Ensure 'Prevent downloading of enclosures' is set to 'Enabled' Registry 'DisableEnclosureDownload' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\InternetExplorer\Feeds' ValueName = 'DisableEnclosureDownload' ValueType = 'DWord' ValueData = '1' } | |
# 18.9.61.2 (L2) Ensure 'Allow Cloud Search' is set to 'Enabled: Disable Cloud Search' Registry 'AllowCloudSearch' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsSearch' ValueName = 'AllowCloudSearch' ValueType = 'DWord' ValueData = '1' } | |
# 18.9.61.3 (L1) Ensure 'Allow indexing of encrypted files' is set to 'Disabled' Registry 'AllowIndexingEncryptedStoresOrItems' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsSearch' ValueName = 'AllowIndexingEncryptedStoresOrItems' ValueType = 'DWord' ValueData = '0' } | |
# 18.9.66.1 (L2) Ensure 'Turn off KMS Client Online AVS Validation' is set to 'Enabled' Registry 'NoGenTicket' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform' ValueName = 'NoGenTicket' ValueType = 'DWord' ValueData = '1' } | |
# 18.9.80.1.1 (L1) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent bypass' Registry 'EnableSmartScreen' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System' ValueName = 'EnableSmartScreen' ValueType = 'DWord' ValueData = '1' } | |
# 18.9.80.1.1.1 (L1) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent bypass' Registry 'ShellSmartScreenLevel' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System' ValueName = 'ShellSmartScreenLevel' ValueType = 'String' ValueData = 'Block' } | |
# 18.9.84.1 (L2) Ensure 'Allow suggested apps in Windows Ink Workspace' is set to 'Disabled' Registry 'AllowSuggestedAppsInWindowsInkWorkspace' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace' ValueName = 'AllowSuggestedAppsInWindowsInkWorkspace' ValueType = 'DWord' ValueData = '0' } | |
# 18.9.84.2 (L1) Ensure 'Allow Windows Ink Workspace' is set to 'Enabled: On, but disallow access above lock' OR 'Disabled' but not 'Enabled: On' Registry 'AllowWindowsInkWorkspace' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace' ValueName = 'AllowWindowsInkWorkspace' ValueType = 'DWord' ValueData = '1' } | |
# 18.9.85.1 (L1) Ensure 'Allow user control over installs' is set to 'Disabled' Registry 'EnableUserControl' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer' ValueName = 'EnableUserControl' ValueType = 'DWord' ValueData = '0' } | |
# 18.9.85.2 (L1) Ensure 'Always install with elevated privileges' is set to 'Disabled' Registry 'AlwaysInstallElevated' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer' ValueName = 'AlwaysInstallElevated' ValueType = 'DWord' ValueData = '0' } | |
# 18.9.85.3 (L2) Ensure 'Prevent Internet Explorer security prompt for Windows Installer scripts' is set to 'Disabled' Registry 'SafeForScripting' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer' ValueName = 'SafeForScripting' ValueType = 'DWord' ValueData = '0' } | |
# 18.9.86.1 (L1) Ensure 'Sign-in last interactive user automatically after a system-initiated restart' is set to 'Disabled' Registry 'DisableAutomaticRestartSignOn' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' ValueName = 'DisableAutomaticRestartSignOn' ValueType = 'DWord' ValueData = '1' } | |
# 18.9.95.1 (L1) Ensure 'Turn on PowerShell Script Block Logging' is set to 'Disabled' Registry 'EnableScriptBlockLogging' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' ValueName = 'EnableScriptBlockLogging' ValueType = 'DWord' ValueData = '0' } | |
# 18.9.95.2 (L1) Ensure 'Turn on PowerShell Transcription' is set to 'Disabled' Registry 'EnableTranscripting' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription' ValueName = 'EnableTranscripting' ValueType = 'DWord' ValueData = '0' } | |
# 18.9.97.1.1 (L1) Ensure 'Allow Basic authentication' is set to 'Disabled' Registry 'AllowBasic' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client' ValueName = 'AllowBasic' ValueType = 'DWord' ValueData = '0' } | |
# 18.9.97.1.2 (L1) Ensure 'Allow unencrypted traffic' is set to 'Disabled' Registry 'AllowUnencryptedTraffic' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client' ValueName = 'AllowUnencryptedTraffic' ValueType = 'DWord' ValueData = '0' } | |
# 18.9.97.1.3 (L1) Ensure 'Disallow Digest authentication' is set to 'Enabled' Registry 'AllowDigest' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client' ValueName = 'AllowDigest' ValueType = 'DWord' ValueData = '0' } | |
# 18.9.97.2.2 (L2) Ensure 'Allow remote server management through WinRM' is set to 'Disabled' Registry 'AllowAutoConfig' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service' ValueName = 'AllowAutoConfig' ValueType = 'DWord' ValueData = '0' } | |
# 18.9.97.2.4 (L1) Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled' Registry 'DisableRunAs' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service' ValueName = 'DisableRunAs' ValueType = 'DWord' ValueData = '0' } | |
# 18.9.102.1.1 (L1) Ensure 'Manage preview builds' is set to 'Enabled: Disable preview builds' Registry 'ManagePreviewBuilds' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate' ValueName = 'ManagePreviewBuilds' ValueType = 'DWord' ValueData = '1' } | |
# 18.9.102.1.1.v2 (L1) Ensure 'Manage preview builds' is set to 'Enabled: Disable preview builds' Registry 'ManagePreviewBuildsPolicyValue' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate' ValueName = 'ManagePreviewBuildsPolicyValue' ValueType = 'DWord' ValueData = '0' } | |
# 18.9.102.4 (L1) Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled' Registry 'NoAutoRebootWithLoggedOnUsers' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' ValueName = 'NoAutoRebootWithLoggedOnUsers' ValueType = 'DWord' ValueData = '0' } | |
# 19.1.3.1 (L1) Ensure 'Enable screen saver' is set to 'Enabled' Registry 'ScreenSaveActive' { Ensure = 'Present' Key = 'HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Control Panel\Desktop' ValueName = 'ScreenSaveActive' ValueType = 'String' ValueData = '1' } | |
# 19.1.3.2 (L1) Ensure 'Force specific screen saver: Screen saver executable name' is set to 'Enabled: scrnsave.scr' Registry 'SCRNSAVE.EXE' { Ensure = 'Present' Key = 'HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Control Panel\Desktop' ValueName = 'SCRNSAVE.EXE' ValueType = 'String' ValueData = 'scrnsave.scr' } | |
# 19.1.3.3 (L1) Ensure 'Password protect the screen saver' is set to 'Enabled' Registry 'ScreenSaverIsSecure' { Ensure = 'Present' Key = 'HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Control Panel\Desktop' ValueName = 'ScreenSaverIsSecure' ValueType = 'String' ValueData = '1' } | |
# 19.1.3.4 (L1) Ensure 'Screen saver timeout' is set to 'Enabled: 900 seconds or fewer, but not 0' Registry 'ScreenSaveTimeOut' { Ensure = 'Present' Key = 'HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Control Panel\Desktop' ValueName = 'ScreenSaveTimeOut' ValueType = 'DWord' ValueData = '900' } | |
# 19.5.1.1 (L1) Ensure 'Turn off toast notifications on the lock screen' is set to 'Enabled' Registry 'NoToastApplicationNotificationOnLockScreen' { Ensure = 'Present' Key = 'HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications' ValueName = 'NoToastApplicationNotificationOnLockScreen' ValueType = 'DWord' ValueData = '1' } | |
# 19.6.6.1.1 (L2) Ensure 'Turn off Help Experience Improvement Program' is set to 'Enabled' Registry 'NoImplicitFeedback' { Ensure = 'Present' Key = 'HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Assistance\Client\1.0' ValueName = 'NoImplicitFeedback' ValueType = 'DWord' ValueData = '1' } | |
# 19.7.4.1 (L1) Ensure 'Do not preserve zone information in file attachments' is set to 'Disabled' Registry 'SaveZoneInformation' { Ensure = 'Present' Key = 'HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments' ValueName = 'SaveZoneInformation' ValueType = 'DWord' ValueData = '2' } | |
# 19.7.4.2 (L1) Ensure 'Notify antivirus programs when opening attachments' is set to 'Enabled' Registry 'ScanWithAntiVirus' { Ensure = 'Present' Key = 'HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments' ValueName = 'ScanWithAntiVirus' ValueType = 'DWord' ValueData = '3' } | |
# 19.7.7.2 (L1) Ensure 'Do not suggest third-party content in Windows spotlight' is set to 'Enabled' Registry 'DisableThirdPartySuggestions' { Ensure = 'Present' Key = 'HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CloudContent' ValueName = 'DisableThirdPartySuggestions' ValueType = 'DWord' ValueData = '1' } | |
# 19.7.26.1 (L1) Ensure 'Prevent users from sharing files within their profile.' is set to 'Enabled' Registry 'NoInplaceSharing' { Ensure = 'Present' Key = 'HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' ValueName = 'NoInplaceSharing' ValueType = 'DWord' ValueData = '1' } | |
# 19.7.45.2.1 (L2) Ensure 'Prevent Codec Download' is set to 'Enabled' Registry 'PreventCodecDownload' { Ensure = 'Present' Key = 'HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\WindowsMediaPlayer' ValueName = 'PreventCodecDownload' ValueType = 'DWord' ValueData = '1' } |