File and Registry Auditing and Permissions Configuration

CCE
Outline CCE Id CCE Description

Parameters
File & Registry

Permissions &
Auditing
File & Registry

Auditing
The required auditing for (1) set of accounts

%SystemDrive% directory (2) events to audit
CCE-25 should be enabled. (3) applicability
The required auditing for
the registry key
HKEY_LOCAL_MACHINE (1) set of accounts
\SOFTWARE should be (2) events to audit
CCE-899 enabled. (3) applicability
The required auditing for
the registry key
\SYSTEM should be (2) events to audit
CCE-727 enabled. (3) applicability
File
Permissions
(1) set of accounts

The required permissions (2) list of
for the directory %ALL% permissions (3)
CCE-211 should be assigned. applicability
The required permissions (1) set of accounts

for the directory (2) list of
%AllUsersProfile% should permissions (3)
CCE-39 be assigned. applicability
The required permissions

for the directory (1) set of accounts
%AllUsersProfile (2) list of
%\Application Data should permissions (3)
for the directory
%AllUsersProfile (1) set of accounts
%\Application (2) list of
Data\Microsoft should be permissions (3)
CCE-854 assigned. applicability

for the directory
%AllUsersProfile
%\Application (1) set of accounts
Data\Microsoft\Crypto\DS (2) list of
SHKLMKeys should be permissions (3)

for the directory
%AllUsersProfile
Data\Microsoft\Crypto\RS (2) list of
AHKLMKeys should be permissions (3)

for the directory
Data\Microsoft\Dr Watson permissions (3)

for the directory
%AllUsersProfile
Data\Microsoft\Dr (2) list of
Watson\drwtsn32.log permissions (3)

for the directory
Data\Microsoft\HTML Help permissions (3)

for the directory
Data\Microsoft\MediaInde permissions (3)
CCE-3 x should be assigned. applicability
%AllUsersProfile (2) list of
%\Documents\desktop.ini permissions (3)

%AllUsersProfile%\DRM permissions (3)

%ProgramFiles% should permissions (3)

%ProgramFiles (2) list of
%\Resource Kit should be permissions (3)

%ProgramFiles (2) list of
%\Resource Pro Kit permissions (3)

%SystemDrive% should permissions (3)

for the file %SystemDrive (2) list of
%\AUTOEXEC.BAT permissions (3)
%\BOOT.INI should be permissions (3)

%\CONFIG.SYS should permissions (3)
for the file %SystemDrive (1) set of accounts
%\Documents and (2) list of
Settings should be permissions (3)

for the directory
%SystemDrive (1) set of accounts
Settings\Administrator permissions (3)

for the directory
Settings\All Users should permissions (3)

for the directory
%SystemDrive
%\Documents and (1) set of accounts
Settings\All (2) list of
Users\Documents\DrWats permissions (3)
CCE-868 on should be assigned. applicability

for the file %SystemDrive
%\Documents and
Settings\All (1) set of accounts
Users\Documents\DrWats (2) list of
on\drwtsn32.log should be permissions (3)
for the directory
Settings\Default User permissions (3)
%\IO.SYS should be permissions (3)

%\MSDOS.SYS should be permissions (3)

%\NTBOOTDD.SYS permissions (3)

%\NTDETECT.COM permissions (3)
%\NTLDR should be permissions (3)

%SystemDrive%\Temp permissions (3)

%SystemDrive%\My (2) list of
Download Files should be permissions (3)

for the file %SystemDrive (1) set of accounts
%\System Volume (2) list of
Information should be permissions (3)
%SystemRoot% should permissions (3)

%SystemRoot%\Driver (2) list of
Cache\I386\Driver.cab permissions (3)

%SystemRoot%\ (2) list of
$NtServicePackUninstall$ permissions (3)

$NtServicePackUninstall$ permissions (3)

for any of the (1) set of accounts
$NtUninstall* directories permissions (3)

%SystemRoot%\CSC permissions (3)

%SystemRoot%\Debug permissions (3)
%SystemRoot (2) list of
%\Debug\UserMode permissions (3)

for the directory
%SystemRoot (1) set of accounts
%\Debug\UserMode\user (2) list of
env.log should be permissions (3)
for the file %SystemRoot (2) list of
%\Installer should be permissions (3)

%\Offline Web Pages permissions (3)
%\Prefetch should be permissions (3)

%\regedit.exe should be permissions (3)

%SystemDrive%\NTDS permissions (3)

%SystemRoot%\Offline (2) list of
Web Pages should be permissions (3)
%\Registration should be permissions (3)

%\Registration\CRMLog permissions (3)

%SystemRoot%\repair permissions (3)

%SystemRoot%\security permissions (3)

%SystemRoot%\SYSVOL permissions (3)

%\SYSVOL\domain\Polici permissions (3)
CCE-701 es should be assigned. applicability

%SystemRoot%\Temp permissions (3)

%\System32 should be permissions (3)
%\System32\arp.exe permissions (3)
%\System32\at.exe permissions (3)
CCE-393 should
The be assigned.
required permissions applicability
(1) set of accounts
%\System32\attrib.exe permissions (3)

%\System32\cacls.exe permissions (3)

%\System32\ciadv.msc permissions (3)
for the file %SystemRoot (1) set of accounts
%\System32\Com\comex (2) list of
p.msc should be permissions (3)

%\System32\compmgmt. permissions (3)
CCE-170 msc should be assigned. applicability

%\System32\CONFIG permissions (3)
for the file %SystemRoot (1) set of accounts
%\System32\CONFIG\Ap (2) list of
pEvent.evt should be permissions (3)

%\System32\CONFIG\*.e permissions (3)
CCE-334 vt should be assigned. applicability

%\System32\debug.exe permissions (3)
%\System32\devmgmt.ms permissions (3)
CCE-386 c should be assigned. applicability

%\System32\dfrg.msc permissions (3)

%\System32\diskmgmt.ms permissions (3)

%\System32\dllcache permissions (3)

%\System32\drwatson.ex permissions (3)
CCE-403 e should be assigned. applicability

%\System32\drwtsn32.ex permissions (3)

%\System32\edlin.exe permissions (3)

%\System32\eventcreate. permissions (3)
CCE-489 exe should be assigned. applicability

%\System32\eventtriggers permissions (3)
CCE-917 .exe should be assigned. applicability

%\System32\eventvwr.ms permissions (3)
%\System32\fsmgmt.msc permissions (3)

%\System32\ftp.exe permissions (3)

%\System32\gpedit.msc permissions (3)

%\System32\DTCLog permissions (3)

%\System32\GroupPolicy permissions (3)

%\System32\ias should permissions (3)

%\System32\lusrmgr.msg permissions (3)

%\System32\MSDTC permissions (3)
%\System32\nbstat.exe permissions (3)

%\System32\net.exe permissions (3)

%\System32\net1.exe permissions (3)

%\System32\netsh.exe permissions (3)

%\System32\netstat.exe permissions (3)

%\System32\nslookup.ex permissions (3)

%\System32\Ntbackup.ex permissions (3)

%\System32\NTMSData permissions (3)

%\System32\ntmsoprq.ms permissions (3)
%\System32\ntmsmgr.ms permissions (3)

%\System32\perfmon.msc permissions (3)

%\System32\Rcp.exe permissions (3)

%\System32\reg.exe permissions (3)

%\System32\Regedt32.ex permissions (3)

%\System32\regini.exe permissions (3)

%\System32\regsvr32.exe permissions (3)

%\system32\ReinstallBac permissions (3)
CCE-89 kups should be assigned. applicability

%\System32\Rexec.exe permissions (3)
%\System32\route.exe permissions (3)

%\System32\Rsh.exe permissions (3)

%\System32\RSoP.msc permissions (3)

%\System32\runas.exe permissions (3)

%\System32\sc.exe permissions (3)

%\System32\Secedit.exe permissions (3)

%\System32\secpol.msc permissions (3)

%\System32\services.msc permissions (3)

%\System32\Setup should permissions (3)
%\System32\repl should permissions (3)

%\System32\repl\export permissions (3)

%\System32\repl\import permissions (3)

%\System32\spool\Printer permissions (3)
CCE-692 s should be assigned. applicability

%\System32\subst.exe permissions (3)

%\System32\systeminfo.e permissions (3)
CCE-225 xe should be assigned. applicability

%\System32\telnet.exe permissions (3)

%\System32\tftp.exe permissions (3)
%\System32\tlntsvr.exe permissions (3)

%\System32\wmimgmt.ms permissions (3)

%SystemRoot%\Tasks permissions (3)

for the directory %ALL (1) set of accounts
%\Program (2) list of
Files\MQSeries should be permissions (3)

for the directory %ALL (1) set of accounts
%\Program (2) list of
Files\MQSeries\qmggr permissions (3)

for the directory
%SystemDrive
%\Documents and
Settings\All (1) set of accounts
Users\Application (2) list of
Data\Microsoft\HTML Help permissions (3)
CCE-46 ACL should be assigned. applicability

for the directory
%\WINNT\SECURITY\Dat (2) list of
abase\SECEDIT.SDB ACL permissions (3)
Registry
Permissions

for the registry key (2) list of
HKEY_CLASSES_ROOT permissions (3)
HKEY_LOCAL_MACHINE permissions (3)

for the registry key (1) set of accounts
HKEY_LOCAL_MACHINE (2) list of
\SOFTWARE should be permissions (3)

\SOFTWARE\Classes permissions (3)

for the registry key
\SOFTWARE\Classes\Re (2) list of
gfile\Shell\Open\Comman permissions (3)
CCE-253 d should be assigned. applicability

\SOFTWARE\Microsoft\Cr (2) list of
yptography/Calais should permissions (3)

\SOFTWARE\Microsoft\M (2) list of
SDTC should be permissions (3)

\SOFTWARE\Microsoft\M (2) list of
SDTC\Security\XAKey permissions (3)
\SOFTWARE\Microsoft\N (2) list of
etDDE should be permissions (3)

\SOFTWARE\Microsoft\U (2) list of
PnP Device Host should permissions (3)

\SOFTWARE\Microsoft\O (2) list of
S/2 Subsystem for NT permissions (3)

HKEY_LOCAL_MACHINE
\SOFTWARE\Microsoft\Wi
ndows (1) set of accounts
NT\CurrentVersion\Asr\Co (2) list of
mmands should be permissions (3)

HKEY_LOCAL_MACHINE
\SOFTWARE\Microsoft\Wi (1) set of accounts
ndows (2) list of
NT\CurrentVersion\Perflib permissions (3)
HKEY_LOCAL_MACHINE
ndows (2) list of
NT\CurrentVersion\SeCEd permissions (3)
CCE-363 it should be assigned. applicability

HKEY_LOCAL_MACHINE
ndows\CurrentVersion\Gr (2) list of
oup Policy should be permissions (3)

\SOFTWARE\Microsoft\Wi (2) list of
ndows\CurrentVersion\Inst permissions (3)
CCE-268 aller should be assigned. applicability

\SOFTWARE\Microsoft\Wi (2) list of
ndows\CurrentVersion\Pol permissions (3)
CCE-321 icies should be assigned. applicability

HKEY_LOCAL_MACHINE
ndows\CurrentVersion\Pol (2) list of
icies\Ratings should be permissions (3)

HKEY_LOCAL_MACHINE
ndows\CurrentVersion\Tel (2) list of
ephony should be permissions (3)
\SYSTEM should be permissions (3)

\SYSTEM\clone should be permissions (3)

\SYSTEM\controlset001 permissions (3)









\SYSTEM\CurrentControl (2) list of
Set\Control\Class should permissions (3)

Set\Control\Network permissions (3)
HKEY_LOCAL_MACHINE
\SYSTEM\CurrentControl (1) set of accounts
Set\Control\SecurePipeSe (2) list of
rvers\winreg should be permissions (3)

HKEY_LOCAL_MACHINE
Set\Control\Session (2) list of
Manager\Subsystems permissions (3)

Set\Control\Wmi\Security permissions (3)

Set\Enum should be permissions (3)

Set\Hardware Profiles permissions (3)

HKEY_LOCAL_MACHINE
Set\Services\AppMgmt\Se (2) list of
curity should be assigned. permissions (3)
CCE-613 applicability
Set\Services\ClipSrv\Secu permissions (3)
CCE-930 rity should be assigned. applicability

HKEY_LOCAL_MACHINE
Set\Services\CryptSvc\Se (2) list of

Set\Services\DNSCache permissions (3)

Set\Services\Ersvc\Securi permissions (3)
CCE-877 ty should be assigned. applicability

HKEY_LOCAL_MACHINE
Set\Services\Eventlog\Se (2) list of

HKEY_LOCAL_MACHINE
Set\Services\IRENUM\Se (2) list of
Set\Services\Netbt should permissions (3)

Set\Services\Netdd\Securi permissions (3)

HKEY_LOCAL_MACHINE
Set\Services\Netddedsdm (2) list of
\Security should be permissions (3)

Set\Services\RemoteAcce permissions (3)
CCE-246 ss should be assigned. applicability

Set\Services\Rpcss\Secur permissions (3)
CCE-902 ity should be assigned. applicability

Set\Services\Samss\Secu permissions (3)
HKEY_LOCAL_MACHINE
Set\Services\Scarddrv\Se (2) list of

HKEY_LOCAL_MACHINE
Set\Services\Scardsvr\Se (2) list of

HKEY_LOCAL_MACHINE
Set\Services\SNMP\Para (2) list of
meters\PermittedManager permissions (3)
CCE-330 s should be assigned. applicability

HKEY_LOCAL_MACHINE
Set\Services\SNMP\Para (2) list of
meters\ValidCommunities permissions (3)

Set\Services\Stisvc\Securi permissions (3)

HKEY_LOCAL_MACHINE
Set\Services\SysmonLog\ (2) list of
Log Queries should be permissions (3)
Set\Services\Tapisrv\Secu permissions (3)

Set\Services\Tcpip should permissions (3)

HKEY_LOCAL_MACHINE
Set\Services\W32time\Se (2) list of

Set\Services\Wmi\Security permissions (3)

HKEY_USERS\.DEFAULT permissions (3)

HKEY_USERS\.DEFAULT (2) list of
\Software\Microsoft\NetD permissions (3)
CCE-483 DE should be assigned. applicability

HKEY_USERS\.DEFAULT
\Software\Microsoft\Protec (1) set of accounts
ted Storage System (2) list of
Provider should be permissions (3)
HKEY_CLASSES_ROOT permissions (3)

HKEY_USERS\.DEFAULT
\Software\Microsoft\Syste (1) set of accounts
mCertificates\Root\Protect (2) list of
edRoots should be permissions (3)
User Rights
The "deny access to this

computer from the
network" user right should
be assigned to the correct
CCE-898 accounts. (1) set of accounts
The "access this computer

from the network" user
right should be assigned
CCE-532 to the correct accounts. (1) set of accounts
The "act as part of the

operating system" user
The "back up files and
directories" user right
should be assigned to the
CCE-931 correct accounts. (1) set of accounts
The "bypass traverse
checking" user right
The "change the system
time" user right should be
assigned to the correct
The "create a pagefile"
user right should be
The "Create a token
object" user right should
The "create permanent
shared objects" user right
The "debug programs"

The "force shutdown from

a remote system" user
The "generate security

audits" user right should
The "adjust memory

quotas for a process" user
The "increase scheduling
priority" user right should
The "load and unload

device drivers" user right
The "lock pages in

memory" user right should
The "log on as a batch

job" user right should be
The "log on as a service"
The "log on locally" user

The "manage auditing and

security log" user right
The "modify firmware

environment values" user
The "profile single
process" user right should
The "profile system

performance" user right
The "remove computer

from docking station" user
The "replace a process-

level token" user right
The "restore files and

directories" user right
The "shut down the

system" user right should
The "take ownership of

files or other objects" user
The "synchronize
directory service data"
The "deny logon locally"

The "enable computer

and user accounts to be
trusted for delegation"
The "add workstations to

domain" user right should
The "allow logon through

Terminal Services" user
The "deny logon as a

batch job" user right
The "deny logon as a
service" user right should
The "deny logon through
Terminal Services" user
The "perform volume

maintenance tasks" user
Auditing and
Account
Policies
Account
Lockout Policy
The "reset account

lockout counter after"
policy should meet (1) number of
CCE-733 minimum requirements. minutes
The "account lockout

duration" policy should
meet minimum (1) number of
CCE-980 requirements. minutes
The "account lockout

threshold" policy should
meet minimum (1) number of
CCE-658 requirements. attempts
Audit Policy
DEPRECATED in favor
CCE-315 of CCE-2628, CCE-2543.
Auditing of "account
logon" events on success
should be enabled or
CCE-2628 disabled as appropriate.. enabled/disabled
logon" events on failure
DEPRECATED in favor
CCE-596 of CCE-2000, CCE-1646.
management" events on
success should be
enabled or disabled as
CCE-2000 appropriate.. enabled/disabled
management" events on
failure should be enabled
or disabled as
DEPRECATED in favor
CCE-10 of CCE-2118, CCE-2390.
Auditing of "directory
service access" events on
success should be
Auditing of "directory
service access" events on
or disabled as
DEPRECATED in favor
CCE-429 of CCE-1686, CCE-1744.
Auditing of "logon" events

on success should be
Auditing of "logon" events

on failure should be
DEPRECATED in favor
CCE-812 of CCE-2640, CCE-1991.
Auditing of "object
access" events on
success should be
Auditing of "object
access" events on failure
DEPRECATED in favor
CCE-966 of CCE-2412, CCE-2347.
Auditing of "policy
change" events on
success should be
Auditing of "policy
change" events on failure
DEPRECATED in favor
CCE-874 of CCE-2431, CCE-2584.
Auditing of "privilege use"

events on success should
be enabled or disabled as
Auditing of "privilege use"

events on failure should
CCE-169 DEPRECATED.
DEPRECATED in favor
CCE-8 of CCE-2529, CCE-2617.
Auditing of "process
tracking" events on
success should be
Auditing of "process
tracking" events on failure
DEPRECATED in favor
CCE-149 of CCE-2420, CCE-1680.
Auditing of "system"
Auditing of "system"
The "Allow System to be

Shut Down Without
Having to Log On" policy (1)
CCE-396 should be set correctly. enabled/disabled
The "Decoy Admin
Account Not Disabled"
policy should be set (1)
CCE-916 correctly. enabled/disabled
The "Confirm open after
download" option should
be properly set for all file (1) file type (2)
CCE-475 types. enabled/disabled
The Microsoft Script

Runtime library, scrrun.dll, (1)
should be registered or registered/unregiste
CCE-141 not as appropriate. red
Event Log
Settings
The "restrict guest access

to application log" policy (1)
The application log

maximum size should be
CCE-185 configured correctly.. (1) size of file
The "when maximum log

size is reached" property
should be set correctly for
CCE-285 the Application log. type of retention
If the Application log's
retention method is set to
"Overwrite events by
days," an appropriate
value should be set for the
number of days' logs to
CCE-951 keep. (1) number of days

to security log" policy (1)
The security log maximum

size should be configured
CCE-757 correctly.. (1) size of file

CCE-523 the Security log. type of retention
If the Security log's


to system log" policy (1)
The system log maximum

CCE-735 correctly.. (1) size of file

CCE-664 the System log. type of retention
If the System log's
Password
Policy
The "maximum password

age" policy should meet
CCE-871 minimum requirements. (1) number of days
The "minimum password

age" policy should meet
The "minimum password

length" policy should meet
The correct password (1) file name (2)
filtering DLL should be version (3) file size
CCE-514 installed. (4) file hash
The "password must meet

complexity requirments"
The "enforce password

history" policy should (1) number of
meet minimum passwords
CCE-60 requirements. remembered
The "store password

using reversible
encryption for all users in
the domain" policy should (1)
CCE-479 be set correctly. enabled/disabled
Available
Network
Services
Services
Running
The startup type of the (1)
Alerter service should be disabled/manual/aut
CCE-487 correct. omatic

Automatic Update service disabled/manual/aut
CCE-496 should be correct. omatic
The startup type of the

Background Intelligent (1)
Transfer Service (BITS) disabled/manual/aut
CCE-148 service should be correct. omatic

ClipBook service should disabled/manual/aut
CCE-954 be correct. omatic
DEPRECATED in favor
CCE-637 of CCE-232.

Computer Browser service disabled/manual/aut

Fast User Switching disabled/manual/aut

Fax service should be disabled/manual/aut

FTP Publishing service disabled/manual/aut
The startup type of the IIS (1)

Admin service should be disabled/manual/aut
Indexing service should disabled/manual/aut

Messenger service should disabled/manual/aut

.NET Framework service disabled/manual/aut

Net Logon service should disabled/manual/aut

NetMeeting Remote (1)
Desktop Sharing service disabled/manual/aut

Print Services for Unix disabled/manual/aut

Remote Access Auto (1)
connection Manager disabled/manual/aut

Remote Desktop Help (1)
Session Manager service disabled/manual/aut
Internet Connection (1)
Sharing service should be disabled/manual/aut

Remote Registry service disabled/manual/aut

Routing and Remote (1)
Access service should be disabled/manual/aut

Remote Shell service disabled/manual/aut

Simple TCP/IP service disabled/manual/aut

Simple Mail Transport (1)
Protocol (SMTP) service disabled/manual/aut

SNMP Service service disabled/manual/aut

SNMP Trap Service disabled/manual/aut
SSDP Discovery service disabled/manual/aut

Task Scheduler service disabled/manual/aut

Telnet service should be disabled/manual/aut

Terminal Services service disabled/manual/aut

Universal Plug and Play (1)
Device Host (UPnP) disabled/manual/aut

World Wide Web (1)
Publishing service should disabled/manual/aut

Automatic Update service disabled/manual/aut

Background Intelligent (1)
Transfer Service (BITS) disabled/manual/aut

Print Services for Unix disabled/manual/aut
Service
Permissions
The correct service
permissions for the Alerter (1) set of accounts
service should be (2) list of
CCE-669 assigned. permissions
The correct service
permissions for the
Automatic Updates (1) set of accounts
The correct service
permissions for the
Background Intelligent (1) set of accounts
Transfer service should be (2) list of
The correct service

permissions for the (1) set of accounts
ClipBook service should (2) list of
CCE-476 be assigned. permissions
The correct service

Computer Browser service (2) list of
CCE-643 should be assigned. permissions
The correct service

permissions for the Fax (1) set of accounts
The correct service
permissions for the File (1) set of accounts
Shares service should be (2) list of
The correct service

permissions for the FTP (1) set of accounts
Publishing service should (2) list of
The correct service

permissions for the IIS (1) set of accounts
Admin service should be (2) list of
The correct service

Indexing service should (2) list of
The correct service
Messenger service should (2) list of
The correct service

permissions for the Net (1) set of accounts
Logon service should be (2) list of
The correct service

NetMeeting service (2) list of
The correct service
permissions for the Printer (1) set of accounts

Remote Access Auto (1)
connection Manager disabled/manual/aut
The correct service

permissions for the
Remote Desktop Help (1) set of accounts
Session Manager service (2) list of
The correct service

Remote Registry service (2) list of
The correct service
permissions for the
Routing and Remote (1) set of accounts
Access service should be (2) list of
The correct service

permissions for the SMTP (1) set of accounts
The correct service

permissions for the SNMP (1) set of accounts
The correct service
permissions for the SNMP (1) set of accounts
Trap service should be (2) list of
The correct service

permissions for the Task (1) set of accounts
Scheduler service should (2) list of
The correct service

permissions for the Telnet (1) set of accounts
The correct service

Terminal Services service (2) list of
The correct service
permissions for the
Universal Plug and Play (1) set of accounts
The correct service

permissions for the WWW (1) set of accounts
Publishing service should (2) list of
Security
Settings
Major Security
Settings
The "Additional
restrictions for anonymous
connections" policy should (1)
The behavior surrounding

Anonymous users' abiliity
to display lists of SAM (1)
accounts and shares restricted/unrestricte
CCE-195 should be correct. d
Anonymous users' abiliity
to display lists of SAM (1)
accounts should be restricted/unrestricte
CCE-318 correct. d

Anonymous SID/Name
translation should be (1)
CCE-953 correct. enabled/disabled
Minor Security
Settings
Additional
Registry
Settings
The "Anonymous access

to the application event
log" policy should be set (1) exist/not exist
CCE-983 correctly. (2) enabled/disabled
to the system event log"
policy should be set (1) exist/not exist
to the security event log"
policy should be set (1) exist/not exist

to the registry" policy (1)
Use of the built-in Guest
account should be
enabled or disabled as (1)
CCE-332 appropriate. enabled/disabled
Use of the built-in
Administrator account
should be enabled or (1)
CCE-499 disabled as appropriate. enabled/disabled
The "Message title for
users attempting to log
on" policy should be set
CCE-23 correctly. (1) text caption
The "Message text for

users attempting to log
on" policy should be set
CCE-829 correctly. (1) text statement
Administrative Shares
should be properly (1)
CCE-512 configured. allowed/removed
Automatic Execution of
the System Debugger
CCE-243 configured. enabled/disabled
Automatic Logon should (1)

CCE-283 be properly configured. enabled/disabled
Automatic Reboot After
System Crash should be (1)
CCE-137 properly configured. enabled/disabled
Autoplay on all Drive

Types should be properly (1)
Autoplay for Current User

Autoplay for Default User

CD-ROM Autorun should (1)

Computer Browser
ResetBrowser Frames
should be properly
CCE-282 configured. (1) enabled/ignored
ICMP Redirects should be

CCE-150 properly configured. (1) enabled/ignored
IP Source Routing should (1)
IRDP should be properly (1)

Kerberos and RSVP

Traffic Protected by IPSec
Dr. Watson Crash Dumps

Display Last User Name

in Logon Screen should (1)
File System Checker and

Popups should be (1)
System File Checker

System File Checker
Progress Meter should be
CCE-236 properly configured. (1) visible/invisible
System availability to
Master Browser should be
CCE-139 properly configured. (1) available/hidden
TCP/IP Dead Gateway

Detection should be (1)
The TCP/IP KeepAlive

Time should be set (1) number of
CCE-188 correctly . milliseconds
The permitted number of

TCP/IP Maximum Half-
open Sockets should be (1) number of
CCE-333 set correctly . sockets
The permitted number of

TCP/IP Maximum Retried
Half-open Sockets should (1) number of
CCE-751 be set correctly . sockets
TCP/IP NetBIOS Name
Release on Request
Prevented should be (1)
TCP/IP PMTU Discovery

TCP/IP SYN Flood Attack

Protection should be (1)
Protect Kernel object
attributes should be
CCE-112 properly configured. (1) security level
Security Audit log warning

level should be properly
CCE-125 configured. (1) warning level
Disable saving of dial-up

passwords should be (1)
The "Secure Channel:

Digitally Encrypt Secure
Channel Data (When
Possible)" policy should (1)
Digitally Sign Secure
Channel Data (When
DEPRECATED in favor
CCE-130 of CCE-92.
Safe DLL Search Mode

Always Wait for the

Network at Computer
Startup and Logon should (1)
Delete Roaming Cached
Profiles should be (1)
Use Classic Logon should

CCE-231 be properly configured. (1) logon type
Background Refresh of
Group Policy should be (1)
Show Shared Internet
Connection Access UI
Installation and
Configuration of Network
Bridge on the DNS
Domain Network should (1)
Disallow Installation of
Printers Using Kernel-
mode Drivers should be (1)
DEPRECATED in favor
CCE-358 of CCE-156.
Security
Options
The "Allow Server

Operators to Schedule
Tasks" policy should be (1)
CCE-257 set correctly. enabled/disabled
The built-in Administrator

account should be
CCE-438 correctly named. (1) valid names
The built-in Guest account

should be correctly
CCE-834 named. (1) valid names
The amount of idle time

required before
disconnecting a session (1) number of
CCE-222 should be set correctly. minutes
The "Audit the access of

global system objects"
The "Audit the use of

backup and restore
privilege" policy should be (1)
The "Disable
CTRL+ALT+Delete
Requirement for Logon"
The "LAN Manager

Authentication Level"
policy should be set (1) authentication
CCE-719 correctly. level
The "Send LanMan

compatible password"
setting should be
CCE-275 configured correctly.
The "Prevent Users from

Installing Printer Drivers"
The "Recovery Console:

Allow Automatic
Administrative Logon"
The "Recovery Console:

Allow Floppy Copy and
Access to All Drives and
All Folders" policy should (1)
The "Restrict CD-ROM
Access to Locally Logged-
On User Only" policy (1)
The "Restrict Floppy

Access to Locally Logged-
On User Only" policy (1)
The "Strengthen Default

Permissions of Global
System Objects" policy (1)

Require Strong (Windows
2000 or later) Session
Key" policy should be set (1)
The "Send Unencrypted

Password to Connect to
Third-Party SMB Servers"
The "Unsigned Driver

Installation Behavior"
policy should be set
CCE-413 correctly. (1) behavior
The "Unsigned Non-Driver

Installation Behavior"
CCE-307 correctly. (1) behavior
The "Users Prompted to

Change Password Before
Expiration" policy should (1) number of days
CCE-814 be set correctly. prior to expiration
The "Shut Down system
immediately if unable to
log security audits" policy (1)
The "Allow System to be

Shut Down Without
Having to Log On" policy (1)
The "Automatically Log
Off Users When Logon
Time Expires (local)"
The "Clear Virtual Memory

Pagefile at shutdown"
The "Digitally Sign Client

Communication (Always)"
The "Digitally Sign Client

Communication (When
The "Digitally Sign Server

Communication (Always)"
The "Digitally Sign Server

Communication (When
The "Number of Previous
Logons to Cache" policy (1) number of
CCE-773 should be set correctly. logons
The "Allowed to Format

and Eject Removable
NTFS Media" policy
CCE-919 should be set correctly. (1) Group(s)

Digitally Encrypt or Sign
Secure Channel Data
(Always)" policy should be (1)

Digitally Encrypt Secure
Channel Data (When

Digitally Sign Secure
Channel Data (When
The "Smart Card Removal

Behavior" policy should be
CCE-443 set correctly. (1) behavior
The "Prevent System

Maintenance of Computer
Account Password" policy (1)
The "System boot
timeout" policy should be (1) number of
CCE-368 set correctly. seconds to wait
The "Use FIPS compliant
algorithms for encryption,
hashing, and signing"
The "Default owner for

objects created by
members of the
Administrators group"
The "Require Case

Insensitivity for Non-
Windows Sybsystems"
The "Limit local account

user of blank passwords
to console logon only"
The "Allow undock without

having to logon" policy (1)
The "LDAP server signing

requirements" policy (1)
The "LDAP client signing
requirements" policy (1)
The "Refuse machine

account password
change" policy should be (1)
The "Maximum machine

account password age"
The "Require Domain

Controller authentication
to unlock workstation"
The "Disconnect clients

when logon hours expire"
The "Do not allow storage

of credentials or .NET
Passports" policy should (1)
The "Let Everyone
permissions apply to
anonymous users" policy (1)
The "Named Pipes that

can be accessed
anonymously" policy (1)
The "Remotely accessible

registry paths" policy
CCE-189 should be set correctly. (1) set of paths
The "Shares that can be

accessed anonymously"
CCE-942 correctly. (1) set of shares
The "Sharing and security

model for local accounts"
policy should be set (1) Classic/Guest
CCE-343 correctly. only
The "Do not store LAN
Manager hash value on
next password change"
The "Force logoff when

logon hours expire" policy (1)
The "Minimum session

security for NTLM SSP
based clients" policy (1)
The "Minimum session

security for NTLM SSP
based servers" policy (1)
System
Requirements
Other
Local volumes should be (1) type of

CCE-621 formatted correctly. formatting
Unused USB Ports should
be enabled or disabled as (1)
Application
Registry
Settings
Screensaver
The "Current user
screensaver" policy (1)
The "Current user

screensaver timeout"
CCE-830 correctly. (1) time in seconds
The "Current user

screensaver secure"
The "Current user

screensaver active" policy (1)
The "Default user
The "Default user

The "Default user

screensaver secure"
The "Default user

The "Current user

The "Current user
The "Current user

screensaver secure"
The "Current user

The "Hide Screen Saver
tab" setting should be
CCE-688 configured correctly. (1) enabled/disabled
The "password protect the

screen saver" setting
should be configured
CCE-442 correctly (1) enabled/disabled
The "Screen Saver"
CCE-468 disabled as appropriate. (1) enabled/disabled
The "Screen Saver (1) enabled/disabled

executable name" setting (2) path to
should be configured screensaver
CCE-631 correctly. executable
The "Screen Saver (1) enabled/disabled

timeout" should be set (2) number of
CCE-481 correctly. seconds
Installer
The "Always Install with

Elevated Privileges" policy (1)
The "Set Safe for
Scripting" policy should be (1)
The "Enable User Control

Over Installs" policy (1)
The "Enable User to

Browser for Source While
Elevated" policy should be (1)
The "Enable User to Use

Media Source While
Elevated" policy should be (1)
The "Allow Administrator

to Install from Terminal
Services Session" policy (1)
The "Enable User to
Patch Elevated Products"
The "Cache Transforms in

Secure Location" policy (1)
Windows
MediaPlayer
The "Disable Media

Player for automatic
updates" policy should be (1)
The "Prevent Codec

Download" policy should
be set correctly for (1)
CCE-124 Windows MediaPlayer. enabled/disabled
Windows
Messenger
Internet access for
Windows Messenger
should be configured (1)
The "Do Not Allow
Windows Messenger to
be Run" policy should be (1)
The "Do Not Automatically

Start Windows
Messenger" policy should (1)
Task Scheduler
The "Hide Property

Pages" policy should be
set correctly for the Task (1)
CCE-785 Scheduler. enabled/disabled
The "Prohibit New Task

Creation" policy should be
set correctly for the Task (1)
CCE-578 Scheduler. enabled/disabled
Terminal
Services
The "Limit Users to One
Remote Session" policy
should be set correctly for (1)
CCE-507 Terminal Services. enabled/disabled
The "Limit Number of
Connections" policy (1) Maximum
should be set correctly for number of
CCE-80 Terminal Services. connections allowed
The "Do Not Allow New

Client Connections" policy
The "Do Not Allow Local

Administrators to
Customize Permissions"
correctly for Terminal (1)
CCE-824 Services. enabled/disabled
The "Remote Control
Settings" policy should be
set correctly for Terminal (1)
The "Always Prompt
Client for Password upon
Connection" policy should
The "Set Client
connection Encryption
Level" policy should be
set correctly for Terminal
CCE-397 Services. (1) encryption level
The "Do not Use Temp

folders per Session" policy
The "Do not Delete Temp

folder on exit" policy
The "Set time limit for

disconnected sessions"
correctly for Terminal (1) Time Limit
CCE-920 Services. (minutes)
The "Set time limit for idle

sessions" policy should be
set correctly for Terminal (1) Time limit
CCE-123 Services. (minutes)
The "Allow Reconnection
from Original Client Only"
correctly for Terminal (1)
The "Terminate session
when time limits are
reached" policy should be
set correctly for Terminal (1)
The "Enable Keep-Alive
Messages" policy should
The "Allow Solicited

Remote Assistance" policy
The "Allow Unsolicited

Remote Assistance" policy
PCHealth
The "Enable Error

Reporting" policy should (1)
Kerberos
The "Enforce user logon

restrictions" policy should
CCE-227 be set correctly. -1
The "Maximum Service

Ticket Litfetime" policy
CCE-6 should be set correctly. -1
The "Maximum User

Ticket Lifetime" policy
The "Maximum User
Renewal Lifetime" policy
The "Maximum tolerance

for computer clock
synchronization" policy
Public Key The "Enroll certificates
Policies automatically" policy
CCE-888 should be set correctly
The "Renew expired
certificates, update
pending certificates, and
remove revoked
certificates" policy should
CCE-627 be set correctly
The "Update certificates
that use certificate
templates" policy should
CCE-513 be set correctly
The "Allow users to
encrypt files using
Encrypting File System
(EFS)" policy should be
CCE-676 set correctly.
The "Allow users to select
new root certification
authorities (CAs) to trust"
CCE-63 correctly.
The "Client computers can
trust the following
certificate stores" policy
CCE-628 should be set correctly.
The "To perform

certificate-based
authentication of users
and computers, CAs must
meet the following criteria"
CCE-777 correctly.
Printers The "Pre-populate printer
search location text"
setting should be
Removable
Storage
Removable storage
should have correct
CCE-420 permissions set
Removable storage
should have correct
CCE-526 auditing set
Loopback The "User Group Policy
loopback processing
mode" should be set
CCE-319 correctly
XP Service The delivery of XP Service
Pack 2 Pack 2 should be set
CCE-191 correctly.
SUS Client The "Allow automatic
updates immediate
installation" should be set
CCE-861 correctly
The "Automatic Updates
detection frequency"
The "Configure Automatic
Updates" should be set
CCE-306 correctly
The "Delay Restart for
scheduled installations"
The "Do not adjust default

option to 'Install Updates
and Shut Down' in Shut
Down Windows dialog
box" should be set
CCE-989 correctly
The "Do not display

'Install Updates and Shut
Down' option in Shut
Down Windows dialog
box" should be set
CCE-1 correctly
The "Enable client-side
targeting" should be set
CCE-456 correctly
The "No auto-restart for
scheduled Automatic
CCE-641 Updates installations
The "Re-prompt for restart
with scheduled
installations" should be
CCE-778 set correctly
The "Reschedule
Automatic Updates
scheduled installations"
The "Specify intranet

Microsoft update service
location" should be set
CCE-932 correctly
Client The "Custom Setup"
Installation option should be set
Wizard Options
correctly for the Client
CCE-82 Installation Wizard.
The "Restart Setup"
option should be set
correctly for the Client
CCE-866 Installation Wizard.
The "Tools" option should

be set correctly for the
CCE-551 Client Installation Wizard.
The "Maximum size of

Desktop/Active Active Directory searches"
Directory CCE-454 should be set correctly
MS Security The "Run logon scripts
Bulletin Login visible" setting should be
Script CCE-106 set correctly.
New for NIST
The "Create global
objects" user right should
CCE-383 accounts.
The "Impersonate a client

after authentication" user
CCE-304 to the correct accounts.
The "DCOM: Machine

access Restrictions in
Security Descriptor
Definition Language
(SDDL) syntax" setting
CCE-458 correctly.
The "DCOM: Machine

Launch Restrictions in the
Security Descriptor
Definition Language
(SDDL) syntax" security
option should be set
CCE-740 correctly.
The "Display user

information when the
session is locked" setting
CCE-22 correctly.
The "Interactive logon:
Requre smart card"
setting should be
The "Network access:
Restrict anonymous
access to named pipes
and shares" setting
CCE-638 correctly.
The "System
cryptography: Force
strong key protection for
user keys stored on the
computer" setting should
CCE-647 be configured correctly.
The "System settings:
optional subsystems"
setting should be
the "System settings: Use

Certificate Rules on
Windows Executables for
Software Restriction
Polices" setting should be
MSS:
(TCPMaxConnectRespon
seRetransmission) SYN-
ACK retansmissions when
a connection request is (1) number of
CCE-577 not acknowledged seconds
MSS:
(TCPMaxDataRetransmis
sions) How many times
unacknowledged data is (1) number of
CCE-872 retransmitted seconds
CCE-506 Backup Operators
CCE-990 Power Users
CCE-250 Remote Desktop Users
Application Layer
CCE-43 Gateway Service
CCE-167 Application Management
CCE-585 Cryptographic Services
CCE-484 DHCP Client
Distributed Link Tracking

CCE-651 Client
Distributed Transaction
CCE-303 Coordinator
CCE-436 DNS Client
CCE-774 Error Reporting Service
CCE-435 Event Log
CCE-950 Help and Support
Human Interface Device

CCE-118 Access
IMAPI CD-Burning COM

CCE-624 Service
CCE-453 Infrared Monitor
CCE-72 IPSEC Services
CCE-988 Logical Disk Manager
Logical Disk Manager

CCE-891 Administrative Service
MS Software Shadow
CCE-900 Copy Provider
CCE-671 Network Connections
Network Dynamic Data

CCE-217 Exchange (DDE)
Network DDE DDE Share

Database Manager
CCE-768 (DSDM)
Network Location
CCE-825 Awareness (NLA)
NT LM Security Support
CCE-472 Provider
Performance Logs and

CCE-265 Alerts
Portable Media Serial

CCE-759 Number Service
CCE-697 Protected Storage
CCE-706 QoS RSVP
Remote Access
CCE-750 Connection Manager
Remote Procedure Call

CCE-993 (RPC)

CCE-164 (RPC) Locator
CCE-741 Removable Storage

CCE-172 Secondary Logon
Security Accounts
CCE-679 Manager
CCE-102 Server
CCE-98 Smart Card
CCE-1001 Smart Card Helper
CCE-772 System Event Notification
CCE-450 System Restore Service
CCE-665 TCP/IP NetBIOS Helper
CCE-428 Telephony
CCE-956 Themes
Uninterruptable Power
CCE-366 Supply
CCE-652 Upload Manager
CCE-538 Volume Shadow Copy
CCE-305 WebClient
CCE-851 Windows Audio
Windows Image
CCE-234 Acquisition (WIA)
CCE-890 Windows Installer

Windows Management
CCE-912 Instrumentation
Windows Management
Instrumentation Driver
CCE-815 Extensions
CCE-560 Windows Time
Wireless Zero
CCE-604 Configuration
CCE-745 WMI Performance Adapter
CCE-296 Workstation
MSS:
(NtfsDisable8dot3NameCr
eation) Enable the
computer to stop
generating 8.3 style
CCE-511 filenames. (1) reg_dword
RPC Endpiont Mapper

Client Authentication (SP2
New For CIS CCE-145 only) (1) enabled/disabled
Restrictions for
Unauthenticated RPC
CCE-423 clients (SP2 only) (1) enabled/disabled
Domain Profile: Protect all

New For CIS network connections (SP2
(SP2 firewall) CCE-806 only) (1) enabled/disabled
Domain Profile: Do not
allow exceptions (SP2
CCE-969 only) (1) enabled/disabled
Domain Profile: Allow local

CCE-502 program exceptions (1) enabled/disabled
(1) enabled/disabled
Domain Profile: Allow (2) subnets for
CCE-771 remote administration internal support only
Domain Profile: Allow file

and printer sharing
CCE-555 exception (SP2 only) (1) enabled/disabled
Domain Profile: Allow
ICMP exceptions (SP2
Domain Profile: Allow (1) enabled/disabled

Remote Desktop (2) subnets for
CCE-832 exception (SP2 only) internal support only
Domain Profile: Allow

UPnP framework
The "Windows Firewall:
Prohibit notifications"
setting should be
configured correctly for
CCE-762 the Domain Profile. (1) enabled/disabled
The "Log Dropped

Packets" option for the
Windows Firewall should
be configured correctly for
CCE-251 the Domain Profile. (1) enabled/disabled
The log file path and

name for the Windows
Firewall should be
CCE-793 the Domain Profile. (1) File path
The log file size limit for
the Windows Firewall
correctly for the Domain
CCE-57 Profile. (1) Size limit (KB)
The "Log Successful

Connections" option for
correctly for the Domain
CCE-617 Profile. (1) enabled/disabled
Unicast response to
multicast or broadcast
requests should be
appropriate for the
CCE-696 Domain Profile. (1) enabled/disabled
Domain Profile: Define

CCE-114 port exceptions (SP2 only) (1) enabled/disabled
Domain Profile: Allow local

Standard Profile: Protect

all network connections
CCE-273 (SP2 only) (1) enabled/disabled
Standard Profile: Do not
allow exceptions (SP2
Standard Profile: Allow

local program exceptions
CCE-352 (SP2 only) (1) enabled/disabled

remote administration
Standard Profile: Allow file

and printer sharing
(1) enabled/ Allow
outboud source
quench, Allow
inbound echo
Standard Profile: Allow request, Allow
ICMP exceptions (SP2 outbound packet
CCE-797 only) too big

Remote Desktop

UPnP framework
The "Windows Firewall:
Prohibit notifications"
setting should be
CCE-901 the Standard Profile. (1) enabled/disabled
The "Log Dropped

CCE-945 the Standard Profile. (1) enabled/disabled
Firewall should be
CCE-609 the Standard Profile. (1) file path
correctly for the Standard
The "Log Successful

correctly for the Standard
CCE-962 Profile. (1) enabled/disabled
Unicast response to
requests should be
appropriate for the
CCE-632 Standard Profile. (1) enabled/disabled
Standard Profile: Define

local port exceptions (SP2
Internet Connection
Firewall service should be
CCE-530 correct. (1) enabled/disabled
Restricted Groups have (1) Group
CCE-301 been set on the system enumeration
MSS:
TCPMaxPortsExhausted,
How many dropped
connect requests to
initiate SYN attack
CCE-418 protection.
CCE-2188 POSIX Subsystem File
Components
CCE-2258 Distributed Link Tracking
Server Service Disabled
CCE-1298 License LoggingService
Disabled
CCE-2166 Network News Transport
Protocol Service Disabled
CCE-1786 Resultant Set of Policy

Provider Service Disabled
CCE-831 Resetting Computer

Account Password
Requirements
CCE-146 IE - Security Zones: Do
Not Allow Users to
Add/Delete Sites
Requirements
CCE-2065 OS/2 Subsystem Registry
Keys Installed
Requirements
CCE-1988 POSIX Subsystem

Registry Keys Installed
Requirements
CCE-1984 Recycle Bin Configured to
Delete Files (Servers)
Requirements
CCE-2253 CAC logon required
(NIPRNet only)
Requirement
Vista
Domain Profile - Inbound

CCE-249 Connections
Domain Profile -
CCE-485 Outbound Connections
Domain Profile - Apply

CCE-400 Local Firewall Rules
Domain Profile - Apply

Local Connection Security
CCE-584 Rules
Private Profile- Firewall

CCE-7 State
Private Profile - Inbound

CCE-29 Connections
Private Profile - Outbound

CCE-32 Connections
User notifications when
a program is blocked
from receiving inbound
connections by
Windows Firewall
disabled as appropriate yes/no/not
CCE-38 for the Private Profile. configured
Unicast response to
requests should be
appropriate for the Private
CCE-70 Profile. enabled/disabled
Private Profile - Apply

Private Profile - Apply

CCE-199 Rules
Public Profile- Firewall

CCE-295 State
Public Profile - Inbound

CCE-338 Connections
Public Profile - Outbound

CCE-342 Connections
User notifications when a
program is blocked from
receiving inbound
connections by Windows
Firewall should be
appropriate for the Public yes/no/not
CCE-390 Profile. configured
Unicast response to
requests should be
appropriate for the Public
CCE-414 Profile. enabled/disabled
Public Profile - Apply

Public Profile - Apply

CCE-437 Rules
Logon - Do not process

CCE-503 the legacy run list
Logon - Do not process

CCE-583 the run once list
Group Policy - Registry

CCE-584 policy processing
Turn off Internet download

for Web publishing and
CCE-691 online ordering wizards
Turn off the Windows
Messenger Customer
Experience Improvement
CCE-722 Program
Turn off Search

Companion content file
CCE-818 updates
Turn off printing over

CCE-852 HTTP
Turn off downloading of

CCE-887 print drivers over HTTP
Turn off Windows Update

CCE-927 device driver searching
Enumerate administrator
CCE-935 accounts on elevation
Require trusted path for

CCE-255 credential entry
Deny all add-ons unless

specifically allowed in the
CCE-466 Add-on List
CCE-11 Add-on List

The "Do not allow
passwords to be saved"
setting should be
CCE-976 Terminal Services.
The "Do not allow drive

redirection" setting should
CCE-648 Terminal Services.
Access to registry editing

CCE-405 tools is set correctly.
Prompt for password on
resume from
hibernate/suspend is set
CCE-509 correctly.
Do not preserve zone
information in file
attachments is set
CCE-12 correcly.
Hide mechanisms to
remove zone information
CCE-58 is set correcly.
Notify antivirus programs
when opening
attachments is set
CCE-372 correcly.
Outlook Express
attachment blocking is set
CCE-886 correctly.
Audit: Force audit policy

subcategory settings are
CCE-111 set correcly.
The "Log Access For

Setup Log" setting should
CCE-1044 be configured correctly. enabled/disabled
Windows Search service
The startup type of
Microsoft Peer-to-Peer
Networking Services
The "Prohibit Access of
the Windows Connect
Now Wizards" setting
The "Allow remote access
to the PnP interface"
setting should be
CCE-593 configured correctly. enabled/disabled
The "Do not create
system restore point when
new device driver
installed" setting should
The "Do not send a

Windows Error Report
when a generic driver is
installed on a device"
setting should be
The "Turn Off Access to
All Windows Update
Feature" setting should be
The "Turn Off Automatic
Root Certificates Update"
setting should be
The "Turn Off Event Views
'Events.asp' Links" setting
The "Turn Off Handwriting

Reconition Error
Reporting" setting should
The "Turn Off Help and
Support Center "Did You
Know?" Content" setting
The "Turn Off Help and
Support Center Microsoft
Knowledge Base Search"
setting should be
The "Turn Off Internet

Connection Wizard if URL
Connection is Referring to
Microsoft.com" setting
The "Turn Off Internet File
Association Service"
setting should be
The "Turn Off Registration
if URL Connection is
Referring to
Microsoft.com" setting
The "Turn Off the 'Order
Prints' Picture Task"
setting should be
The "Turn off the 'Publish
to Web' task for files and
folders" setting should be
The "Turn Off Windows
Movies Maker Automatic
Codec Downloads" setting

Movie Maker Online Web
Links" setting should be
Movie Maker Saving to
Online Video Hosting
Provider" setting should
The "Don't Display the
Getting Started Welcome
Screen at Logon" setting
The "Turn off Windows
Startup Sound" setting
The "Require a Password
when a Computer Wakes
(On Battery)" setting
The "Require a Password

when a Computer Wakes
(Plugged)" setting should
The "Allow only Vista or
later connections" setting
The "Customization
Warning Messages"
setting should be
The "Turn on bandwidth
optimization" setting
The "Turn on session
logging" setting should be
The "Prevent IIS

Installation" setting should
The "Turn off Active Help"
setting should be
The "Turn off Untrusted
Content" setting should be
The "Turn off downloading

of enclosures" setting
The "Allow indexing of
encrypted files" setting
The "Prevent indexing
uncached Exchange
Calendar" setting should
The "Allow Corporate
redirection of Customer
uploads" setting should be
Defender" setting should
The "Turn off Heap
termination on corruption"
setting should be
The "Turn off shell
protocol protected mode"
setting should be
The "Prohibit non-
administrators from
applying vendor signed
updates" setting should
The "Report Logon Server

Not Available During User
logon" setting should be
The "Turn off the
communitication features"
setting should be
Mail application" setting
The "Prevent Windows
Media DRM Internet
Access" setting should be
Meeting Space" setting
The "Turn on Windows
Meeting Space audting"
setting should be
The "Disable unpacking

and installation of gadgets
that are not digitally
signed" setting should be
The "Override the More
Gadgets Link" setting
The "Turn Off User
Installed Windows
Sidebar Gadgets" setting
The "Do not allow Digital
Locker to run" setting
The "Turn Off
Downloading of Game
Information" setting
The "IPv6 Block of
Protocols 41" setting
The "IPv6 Block of UDP

3544" setting should be
Office 2007
The "Disable VBA for

Office applications" setting
2003/2007 CCE-116 correctly. enabled/disabled
1 = Do not prompt |
The "ActiveX Control 4 = Prompt user to
Initialization:" setting use control defaults
should be configured | 6 = Prompt user to
2003/2007 CCE-908 correctly. use persisted data
The "Enable Customer
Program" setting should
2007 CCE-184 be configured correctly. enabled/disabled
The "Enable Customer

0 = Never show
online content or
entry points | 1 =
Search only offline
content whenever
available | 2 =
The "Online content Search online
options" setting should be content whenever
2007 CCE-967 configured correctly. available
1 = No Security
checks for macros |
2 = Trust Bar
warning for all
macros | 3 = Trust
Bar warning for
digitally signed
The "VBA Macro Warning macros only | 4 =
Settings" setting should No Warnings for all
be configured correctly for macros but disable
2007 CCE-427 Access 2007. all macros
1 = No Security
checks for macros |
2 = Trust Bar
warning for all
macros | 3 = Trust
Bar warning for
digitally signed
2007 CCE-649 Excel 2007. all macros
The "Trust access to
Visual Basic Project"
setting should be
2003/2007 CCE-862 Excel 2007 and 2003. enabled/disabled
1 = No Security
checks for macros |
2 = Trust Bar
warning for all
macros | 3 = Trust
Bar warning for
digitally signed
2007 CCE-567 PowerPoint 2007. all macros

setting should be
2007 CCE-68 PowerPoint 2007. enabled/disabled
The "Disable Remember

Password" setting should
0 = Trust all or use

Exchange settings if
present | 1 = Trust
all loaded and
installed COM
addins | 2 = Do
The "Configure Add-In NOT trust loaded
Trust Level" setting should and installed COM
2003/2007 CCE-786 be configured correctly. addins
The "Disable 'Remember
password' for Internet e-
mail accounts" setting
2007 CCE-937 correctly. enabled/disabled
The "Minimum encryption

settings" setting should be
2007 CCE-13 configured correctly. enabled/disabled
The "Do not check e-mail

address against address
of certificates being using"
setting should be
2007 CCE-316 configured correctly. enabled/disabled
The "Send all signed

messages as clear signed
messages" setting should
2003/2007 CCE-14 be configured correctly. enabled/disabled
The "Request an S/MIME

receipt for all S/MIME
signed messages" setting
The "Do not display

'Publish to GAL' button"
setting should be
2003/2007 CCE-345 configured correctly. enabled/disabled
0 = Let user decide
if they want to be
warned | 1 = Always
warn about invalid
The "Signature Warning" signatures | 2 =
setting should be Never warn about
2003/2007 CCE-700 configured correctly. invalid signatures
The "Enable Cryptography

Icons" setting should be
0 = Use system
Default | 1 = When
The "Retrieving CRLs online always
(Certificate Revocation retreive the CRL | 2
Lists)" setting should be = Never retreive the
2007 CCE-395 configured correctly. CRL
1 = No Security
checks for macros |
2 = Trust Bar
warning for all
macros | 3 = Trust
Bar warning for
digitally signed
2007 CCE-659 Word 2007. all macros
setting should be
2003/2007 CCE-703 Word 2007 and 2003. enabled/disabled
The "Warn before printing,

saving or sending a file
that contains tracked
changes or comments"
setting should be
The "Block updates from
the Office Update Site
from applying" setting
ms user
config
The "Underline enabled/disabled
hyperlinks" setting should
Access 2007.
2007 CCE-1395
The "Number of enabled/disabled
documents in the Recent
Documents list (0-9)"
setting should be
Access 2007.
2007 CCE-1137
The "Disable Trust Bar enabled/disabled
Notification for unsigned
application add-ins"
setting should be
Access 2007.
2007 CCE-1423
The "Disable all enabled/disabled
setting should be
2007 CCE-1238 Access 2007.
The "Require that enabled/disabled
application add-ins are
signed by Trusted
Publisher" setting should
Access 2007.
2007 CCE-1476
The "Disable all trusted enabled/disabled
locations" setting should
Access 2007.
2007 CCE-1520
The "Allow Trusted enabled/disabled
Locations not on the
Access 2007.
2007 CCE-780
The "Modal Trust Decision enabled/disabled
Only" setting should be
Access 2007.
2007 CCE-1214
The "Disable commands" enabled/disabled
setting should be
Access 2007.
2007 CCE-1370
The "Disable commands - enabled/disabled
Office Button | E-Mail"
setting should be
Access 2007.
2007 CCE-1268
Office Button | Access
Options | Customize | All
Commands | Insert
Hyperlink" setting should
Access 2007.
2007 CCE-1400
Database Tools |
Database Tools | Encrypt
with Password" setting
correctly for Access 2007.
2007 CCE-1440
Database Tools |
Administer | Users and
Permission | User and
Group Permissions"
setting should be
Access 2007.
2007 CCE-581
Database Tools |
Permissions | User and
Group Accounts" setting
2007 CCE-1480
Database Tools |
Permission | User-Level
Security Wizard..." setting
2007 CCE-1489
Database Tools |
Database Tools |
Encode/Decode
Database" setting should
Access 2007.
2007 CCE-1392
Database Tools | Macro |
Visual Basic" setting
2007 CCE-1414
Database Tools | Macro |
Run Macro" setting should
Access 2007.
2007 CCE-1418
The "Database Tools | enabled/disabled
Macro | Convert Macros to
Visual Basic" setting
2007 CCE-1405
The "Database Tools | enabled/disabled
Macro | Create Shortcut
Menu from Macro" setting
2007 CCE-1550
The "Disable shortcut enabled/disabled
keys" setting should be
Access 2007.
2007 CCE-1075
Ctrl+K (Office Button |
Access Options |
Customize | All
Commands | Insert
Hyperlinks)" setting
2007 CCE-709
Alt+F11 (Database Tools |
Macro | Visual Basic)"
setting should be
Access 2007.
2007 CCE-1502
The "Default file format enabled/disabled
(Access 2007 | Access
2002-2003)" setting
2007 CCE-1260
The "Do not prompt to enabled/disabled
convert older databases"
setting should be
2007 CCE-1510 Access 2007.
The "Internet and network enabled/disabled
paths as hyperlinks"
setting should be
Excel 2007.
2007 CCE-1532
The "Save Excel files as enabled/disabled
(Excel Workbook (*.xlsx) |
Excel Macro-Enabled
Workbook (*.xlsm) | Excel
Binary Workbook (*.xlsb) |
Web Page (*.htm; *.html) |
Excel 97-2003 Workbook
(*.xls) | Excel 5.0/95
Workbook (*.xls))" setting
correctly for Excel 2007.
2007 CCE-1039
The "Disable enabled/disabled
AutoRepublish" setting
2007 CCE-1295 correctly for Excel 2007.
The "AutoRepublish enabled/disabled
Warning Alert (Always
show the alert before
publishing | Never show
the alert before
publishing)
" setting should be
Excel 2007.
2007 CCE-1334
The "Determine whether enabled/disabled
to force encrypted macros
to be scanned in Microsoft
Excel Open XML
workbooks" setting should
be configured correctly
2007 CCE-1308
The "Force file extension enabled/disabled
to match file type (Allow
different | Allow different,
but warn | Always match
file type)" setting should
Excel 2007.
2007 CCE-616
The "Store macro in enabled/disabled
Personal Macro Workbook
by default" setting should
2007 CCE-1246
setting should be
2007 CCE-1251 Excel 2007.
signed by Trusted
Excel 2007.
2007 CCE-1524
setting should be
Excel 2007.
2007 CCE-1422
Excel 2007.
2007 CCE-1444
Excel 2007.
2007 CCE-1449
The "Ignore other enabled/disabled
applications " setting
2007 CCE-1471
The "Ask to update enabled/disabled
automatic links" setting
2007 CCE-1119 correctly for Excel 2007.
setting should be
Excel 2007.
2007 CCE-1378
The "Save any additional enabled/disabled
data necessary to
maintain formulas" setting
2007 CCE-1277
The "Load pictures from enabled/disabled
Web pages not created in
Excel" setting should be
2007 CCE-1464 Excel 2007.
The "Do not show data enabled/disabled
extraction options when
opening corrupt
workbooks" setting should
Excel 2007.
2007 CCE-1094
The "Assume structured enabled/disabled
storage format of
workbook is intact when
recovering data" setting
2007 CCE-1129
The "Corrupt formula enabled/disabled
conversion (Convert
unrecoverable references
to: values | #REF or
#NAME)" setting should
Excel 2007.
2007 CCE-1389
The "Connection File enabled/disabled
Locations" setting should
Excel 2007.
2007 CCE-1433
The "Automatic Query enabled/disabled
Refresh (Prompt for all
workbooks | Do not
prompt; do not allow auto
refresh | Do not prompt;
allow auto refresh)"
setting should be
Excel 2007.
2007 CCE-1323
setting should be
Excel 2007.
2007 CCE-1469
Office Button | Excel
Commands | Save as
Web Page" setting should
Excel 2007.
2007 CCE-1473
Commands | Web Page
Preview" setting should be
Excel 2007.
2007 CCE-1499
Office Button | Send |
Email" setting should be
Excel 2007.
2007 CCE-1024
Insert | Links | Hyperlink"
setting should be
Excel 2007.
2007 CCE-1530
Review | Changes |
Protect Sheet" setting
2007 CCE-1120
Review | Changes |
Protect Workbook" setting
2007 CCE-1252
Review | Changes |
Protect and Share
Workbook" setting should
Excel 2007.
2007 CCE-1151
View | Macros | Macros"
setting should be
Excel 2007.
2007 CCE-1301
Developer | Code |
Macros" setting should be
Excel 2007.
2007 CCE-1310
Developer | Code |
Record Macro" setting
2007 CCE-1213
Developer | Code | Macro
Security" setting should
Excel 2007.
2007 CCE-1362
Developer | Code | Visual
Basic" setting should be
Excel 2007.
2007 CCE-1156
Commands | Document
Location" setting should
Excel 2007.
2007 CCE-1429
Excel 2007.
2007 CCE-1182
keys - Ctrl+K (Insert |
Links | Hyperlink)" setting
2007 CCE-1525
keys - Alt+F8 (Developer |
Code | Macros)" setting
2007 CCE-1547
keys - Alt+F11 (Developer
| Code | Visual Basic)"
setting should be
Excel 2007.
2007 CCE-1300
The "Block opening of enabled/disabled
pre-release versions of file
formats new to Excel
Excel 2007.
2007 CCE-1331
Open XML file types"
setting should be
2007 CCE-1468 Excel 2007.
Binary 12 file types"
setting should be
2007 CCE-1490 Excel 2007.
Binary file types" setting
2007 CCE-1512
Html and Xmlss files
types" setting should be
2007 CCE-1543 Excel 2007.
The "Block opening of Xml enabled/disabled
file types" setting should
Excel 2007.
2007 CCE-1195
The "Block opening of DIF enabled/disabled
and SYLK file types"
setting should be
2007 CCE-554 Excel 2007.
Text file types" setting
2007 CCE-1415
The "Block opening of Xll enabled/disabled
file type" setting should be
Excel 2007.
2007 CCE-1437
The "Block saving of enabled/disabled
Open Xml file types"
setting should be
2007 CCE-1446 Excel 2007.
Binary12 file types" setting
2007 CCE-1098
2007 CCE-562
The "Block saving of Html enabled/disabled
and Xmlss file types"
setting should be
2007 CCE-1507 Excel 2007.
The "Block saving Xml file enabled/disabled
types" setting should be
Excel 2007.
2007 CCE-1406
The "Block saving DIF enabled/disabled
and SYLK file types"
setting should be
2007 CCE-573 Excel 2007.
The "Block saving of Text enabled/disabled
Excel 2007.
2007 CCE-1336
The "Locally cache enabled/disabled
network file storages"
setting should be
2007 CCE-1230 Excel 2007.
The "Locally cache enabled/disabled
PivotTable reports" setting
2007 CCE-1375
The "OLAP PivotTable enabled/disabled
User Defined Function
(UDF) security setting
(Allow ALL UDFs | Allow
safe UDFs only | Allow NO
UDFs)" setting should be
Excel 2007.
2007 CCE-1380
The "Recognize enabled/disabled
SmartTags" setting should
2007 CCE-1376 Excel 2007.
Documents list (0 - 9)"
setting should be
InfoPath 2007.
2007 CCE-1398
The "Offline Mode status enabled/disabled
(Disabled | Enabled,
InfoPath in Offline Mode |
Enabled, InfoPath not in
Offline Mode)" setting
correctly for InfoPath
2007.
2007 CCE-569
setting should be
InfoPath 2007.
2007 CCE-1065
File | Print" setting should
InfoPath 2007.
2007 CCE-1361
File | Send to Mail
Recipient" setting should
InfoPath 2007.
2007 CCE-1096
File | Open from
SharePoint Site" setting
2007.
2007 CCE-1391
File | Print Preview"
setting should be
InfoPath 2007.
2007 CCE-1519
File | Page Setup" setting
2007.
2007 CCE-1523
Insert | Hyperlinks..."
setting should be
InfoPath 2007.
2007 CCE-1171
Tools | Set Language"
setting should be
InfoPath 2007.
2007 CCE-1457
Tools | Customize..."
setting should be
InfoPath 2007.
2007 CCE-1426
Tools | Options..." setting
2007.
2007 CCE-805
Help | Microsoft Office
Online" setting should be
InfoPath 2007.
2007 CCE-1453
Office Diagnostics" setting
2007.
2007 CCE-1351
Help | Activate Product..."
setting should be
InfoPath 2007.
2007 CCE-620
Print Default" setting
2007 CCE-1017 2007.
InfoPath 2007.
2007 CCE-1021
keys - Print Shortcut
(Ctrl+P)" setting should be
InfoPath 2007.
2007 CCE-1299
keys - Insert Hyperlink
Shortcut (Ctrl+K)" setting
2007.
2007 CCE-1197
The "Control behavior for enabled/disabled
Windows SharePoint
Services gradual upgrade
(Allow redirections to any
location | Allow
redirections to Intranet
only | Block all
redirections)" setting
2007.
2007 CCE-704
The "Disable opening of enabled/disabled
solutions from the Internet
security zone" setting
2007.
2007 CCE-1105
The "Disable fully trusted enabled/disabled
solutions full access to
2007 CCE-1114 InfoPath 2007.
The "Allow the use of enabled/disabled
ActiveX Custom Controls
in InfoPath forms" setting
2007.
2007 CCE-761
The "Run forms in enabled/disabled
restricted mode if they do
not specify a publish
location and use only
features introduced before
InfoPath 2003 SP1"
setting should be
InfoPath 2007.
2007 CCE-739
The "Allow file types as enabled/disabled
attachments to forms"
setting should be
2007 CCE-1259 InfoPath 2007.
The "Block specific file enabled/disabled
types as attachments to
forms" setting should be
2007 CCE-1267 InfoPath 2007.
The "Prevent users from enabled/disabled
allowing unsafe file types
to be attached to forms"
setting should be
InfoPath 2007.
2007 CCE-1060
The "Display a warning enabled/disabled
that a form is digitally
signed" setting should be
2007 CCE-955 InfoPath 2007.
The "Control behavior enabled/disabled
when opening forms in the
Internet security zone
(Block | Prompt | Allow)"
setting should be
InfoPath 2007.
2007 CCE-1479
Intranet security zone
setting should be
InfoPath 2007.
2007 CCE-1360
Local Machine security
zone (Block | Prompt |
Allow)" setting should be
InfoPath 2007.
2007 CCE-1386
Trusted Site security zone
setting should be
InfoPath 2007.
2007 CCE-893
The "Beaconing UI for enabled/disabled
forms opened in InfoPath
(Never show beaconing
UI | Always show
beaconing UI | Show UI if
Form Template is from
Internet Zone)" setting
2007.
2007 CCE-1290
The "Beaconing UI for enabled/disabled
forms opened in InfoPath
Editor ActiveX (Never
show beaconing UI |
Always show beaconing
UI | Show UI if Form
Template is from Internet
Zone)" setting should be
InfoPath 2007.
2007 CCE-1381
setting should be
2007 CCE-1135 InfoPath 2007.
signed by Trusted
InfoPath 2007.
2007 CCE-1157
setting should be
InfoPath 2007.
2007 CCE-1434
when opening InfoPath e-
mail forms containing
code or script (Run
without prompting |
Prompt before running |
Never run)" setting should
InfoPath 2007.
2007 CCE-1315
The "Disable sending form enabled/disabled
template with e-mail
forms" setting should be
InfoPath 2007.
2007 CCE-1210
The "Disable dynamic enabled/disabled
caching of the form
template in InfoPath e-
mail forms" setting should
InfoPath 2007.
2007 CCE-1236
The "Disable sending enabled/disabled
InfoPath 2003 Forms as
e-mail forms" setting
2007.
2007 CCE-884
The "Disable e-mail forms enabled/disabled
running in restricted
security level" setting
2007.
2007 CCE-1518
from the Internet security
zone" setting should be
InfoPath 2007.
2007 CCE-1170
from the Intranet security
InfoPath 2007.
2007 CCE-1316
from the Full Trust security
InfoPath 2007.
2007 CCE-1567
The "Disable InfoPath e- enabled/disabled
mail forms in Outlook"
setting should be
2007 CCE-1265 InfoPath 2007.
The "Information Rights enabled/disabled
Management" setting
2007 CCE-1538 2007.
The "Custom code" enabled/disabled
setting should be
2007 CCE-1564 InfoPath 2007.
The "Email Forms enabled/disabled
Beaconing UI (Never
show UI | Always show UI
| Show UI if XSN is in
2007.
2007 CCE-1212
The "Disable user enabled/disabled
customization of Quick
Access Toolbar via UI"
setting should be
configured correctly
2007 CCE-1344
Access Toolbar via UI -
Disallow in Word" setting
correctly
2007 CCE-723
Disallow in Excel" setting
correctly
2007 CCE-1384
Disallow in PowerPoint"
setting should be
2007 CCE-1159
Disallow in Access"
setting should be
2007 CCE-1146
Disallow in Outlook"
setting should be
2007 CCE-1542
The "Disable all user enabled/disabled
Access Toolbar" setting
correctly
2007 CCE-582
Access Toolbar - Disallow
in Word" setting should be
2007 CCE-1291
in Excel" setting should be
2007 CCE-1326
in PowerPoint" setting
correctly
2007 CCE-1330
in Access" setting should
2007 CCE-1335
in Outlook" setting should
2007 CCE-1229
The "Disable UI extending enabled/disabled
from documents and
templates" setting should
2007 CCE-630
from documents and
templates - Disallow in
Word" setting should be
2007 CCE-1154
from documents and
2007 CCE-1410
from documents and
PowerPoint" setting
correctly
2007 CCE-1432
from documents and
Access" setting should be
2007 CCE-1198
from documents and
Outlook" setting should be
2007 CCE-929
The "Recognize smart enabled/disabled
tags in Excel" setting
correctly
2007 CCE-1074
The "Disable Clip Art and enabled/disabled
Media downloads from the
client and from Office
Online website" setting
correctly
2007 CCE-1458
The "Disable template enabled/disabled
downloads from the client
and from Office Online
website" setting should be
2007 CCE-1233
The "Disable access to enabled/disabled
updates, add-ins, and
patches on the Office
Online website" setting
correctly
2007 CCE-1379
The "Prevents users from enabled/disabled
uploading document
templates to the Office
Online community."
setting should be
2007 CCE-1401
The "Disable training enabled/disabled
practice downloads from
the Office Online website"
setting should be
2007 CCE-1528
The "Disable customer- enabled/disabled
submitted templates
downloads from Office
2007 CCE-1533
The "Open Office enabled/disabled
documents as read/write
while browsing" setting
correctly
2007 CCE-646
The "Rely on VML for enabled/disabled
displaying graphics in
browsers" setting should
2007 CCE-1438
The "Allow PNG as an enabled/disabled
output format" setting
correctly
2007 CCE-711
The "Improve Proofing enabled/disabled
Tools" setting should be
2007 CCE-1292
The "Disable Opt-in
Wizard on first run" setting
correctly.
2007 CCE-1615 enabled/disabled
The "Microsoft Office enabled/disabled
2007 CCE-1191 configured correctly
The "Disable Password enabled/disabled
Caching" setting should
2007 CCE-1587
The "Disable all Trust Bar enabled/disabled
notifications for security
issues" setting should be
2007 CCE-1486
The "Protect document enabled/disabled
metadata for rights
managed Office Open
XML Files" setting should
2007 CCE-1508
The "Protect document enabled/disabled
metadata for password
protected files." setting
2007 CCE-1640 correctly
The "Encryption type for enabled/disabled
password protected Office
Open XML files" setting
The "Encryption type for enabled/disabled
password protected Office
97-2003 files" setting
The "Load Controls in enabled/disabled
Forms3 (1 | 2 | 3 | 4)"
setting should be
The "Automation Security enabled/disabled
(Disable macros by
default | Use application
macro security level |
Macros enabled)" setting
correctly
2003/2007 CCE-1574
The "Prevent Word and enabled/disabled
Excel from loading
managed code
extensions" setting should
2007 CCE-1239
The "Disable hyperlink enabled/disabled
warnings" setting should
2007 CCE-1623
The "Disable password to enabled/disabled
open UI" setting should be
2007 CCE-1083
The "Download Office enabled/disabled
Controls" setting should
2007 CCE-1343
The "Disable All ActiveX" enabled/disabled
setting should be
2007 CCE-1242
The "Allow mix of policy enabled/disabled
and user locations" setting
correctly
2007 CCE-770
The "Disable Smart enabled/disabled
Document's use of
manifests" setting should
2007 CCE-903
The "Completely disable enabled/disabled
the Smart Documents
feature in Word and
2007 CCE-1555
The "Disable Internet Fax enabled/disabled
feature" setting should be
2007 CCE-1061
The "Prevent users from enabled/disabled
changing permissions on
rights managed content"
setting should be
2007 CCE-1603
The "Allow users with enabled/disabled
earlier versions of Office
to read with browsers..."
setting should be
2007 CCE-1612
The "Always require users enabled/disabled
to connect to verify
permission" setting should
2007 CCE-1493
The "Always expand enabled/disabled
groups in Office when
restricting permission for
documents" setting should
2007 CCE-1409
The "Never allow users to enabled/disabled
specify groups when
restricting permission for
2007 CCE-1589
The "Disable Microsoft enabled/disabled
Passport service for
content with restricted
permission" setting should
2007 CCE-1237
The "Do not allow users to enabled/disabled
upgrade Information
Rights Management
configuration" setting
correctly
2007 CCE-1404
The "Key Usage Filtering" enabled/disabled
setting should be
The "EKU filtering" setting enabled/disabled
correctly
2007 CCE-1167
The "Legacy format enabled/disabled
signatures" setting should
2007 CCE-1585
The "Suppress Office enabled/disabled
Signing Providers (Enable
Western and East Asian |
Suppress default Western
| Suppress default East
Asian | Suppress both
Western and East Asian)"
setting should be
2007 CCE-1572
The "Suppress external enabled/disabled
signature services menu
item" setting should be
2007 CCE-1220
The "Disable Check For enabled/disabled
Solutions" setting should
2007 CCE-1634
The "Disable inclusion of enabled/disabled
document properties in
PDF and XPS output"
setting should be
2007 CCE-1643
The "Disable Document enabled/disabled
Information Panel" setting
correctly
2007 CCE-1546
The "Document enabled/disabled
Information Panel
Beaconing UI (Never
show UI | Always show UI
| Show UI if XSN is in
correctly
2007 CCE-1505
The "Disable the Office enabled/disabled
client from polling the
Office server for published
links" setting should be
2007 CCE-1545
formats new to Word 2007
through the Compatibility
Pack for the 2007 Office
system and Word 2007
Open XML/Word 97-2003
Format Converter" setting
correctly
2007 CCE-1549
formats new to Excel
2007 through the
Compatibility Pack for the
2007 Office system and
Excel 2007 Converter"
setting should be
2007 CCE-1431
formats new to
PowerPoint 2007 through
the Compatibility Pack for
the 2007 Office system
and PowerPoint 2007
Converter" setting should
2007 CCE-1594
The "Control Blogging enabled/disabled
(Enabled | Only
SharePoint blogs allowed
| All blogging disabled)"
setting should be
2007 CCE-1241
The "Enable Smart enabled/disabled
Resume" setting should
2007 CCE-1607
The "Do not upload media enabled/disabled
files" setting should be
2007 CCE-752
The "Disable hyperlinks to enabled/disabled
web templates in File |
New and task panes"
setting should be
The "Prevent access to enabled/disabled
Web-based file storage"
setting should be
2007 CCE-654
The "Do not allow enabled/disabled
attachment previewing in
Outlook" setting should be
2007 CCE-1192 Outlook 2007.
The "Read e-mail as plain enabled/disabled
text" setting should be
Outlook 2007.
2007 CCE-791
The "Read signed e-mail enabled/disabled
as plain text" setting
correctly for Outlook 2007.
2007 CCE-1456
The "Prevent publishing to enabled/disabled
Office Online" setting
2007 CCE-1478
The "Prevent publishing to enabled/disabled
a DAV server" setting
2007 CCE-1368
The "Restrict level of enabled/disabled
calendar details users can
publish (All options are
available | Disables 'Full
details' | Disables 'Full
details' and 'Limited
details')" setting should be
Outlook 2007.
2007 CCE-1641
The "Access to published enabled/disabled
calendars" setting should
Outlook 2007.
2007 CCE-1266
The "Restrict upload enabled/disabled
method" setting should be
Outlook 2007.
2007 CCE-1399
The "Hide Junk Mail UI" enabled/disabled
setting should be
Outlook 2007.
2007 CCE-1187
The "Junk E-mail enabled/disabled
protection level (No
Protection, Low, High,
Trusted Lists Only)"
setting should be
Outlook 2007.
2007 CCE-1588
The "Trust E-mail from enabled/disabled
Contacts" setting should
Outlook 2007.
2007 CCE-1117
The "Add e-mail recipients enabled/disabled
to users' Safe Senders
Lists" setting should be
Outlook 2007.
2007 CCE-1130
The "Dial-up options" enabled/disabled
setting should be
Outlook 2007.
2007 CCE-1093
The "Dial-up options - enabled/disabled
Warn before switching
dial-up connection" setting
2007 CCE-1599
Hang up when finished
sending, receiving, or
updating" setting should
Outlook 2007.
2007 CCE-1621
Automatically dial during a
background
Send/Receive" setting
2007 CCE-1269
The "Do not allow enabled/disabled
creating, replying, or
forwarding signatures for
e-mail messages" setting
2007 CCE-1419
The "Send copy of enabled/disabled
pictures with HTML
messages instead of
reference to Internet
location" setting should be
Outlook 2007.
2007 CCE-1551
The "Outlook Rich Text enabled/disabled
options (Convert to HTML
| Convert to Plain Text
format | Send Using
Outlook Rich Text format)"
setting should be
Outlook 2007.
2007 CCE-655
The "Plain text options" enabled/disabled
setting should be
Outlook 2007.
2007 CCE-1592
The "Plain text options - enabled/disabled
Encode attachments in
UUENCODE format when
sending a plain text
message" setting should
Outlook 2007.
2007 CCE-1614
The "Set message format enabled/disabled
(HTML | Rich Text | Plain
Text)" setting should be
Outlook 2007.
2007 CCE-1526
The "Make Outlook the enabled/disabled
default program for E-
mail, Contacts, and
Calendar" setting should
Outlook 2007.
2007 CCE-1111
The "Do not allow folders enabled/disabled
in non-default stores to be
set as folder home pages"
setting should be
Outlook 2007.
2007 CCE-1494
The "Use Unicode format enabled/disabled
when dragging e-mail
message to file system"
setting should be
Outlook 2007.
2007 CCE-1287
The "Do not allow Outlook enabled/disabled
object model scripts to run
for shared folders" setting
2007 CCE-1529
The "Do not allow Outlook enabled/disabled
object model scripts to run
for public folders" setting
2007 CCE-1560
The "Set maximum level enabled/disabled
of online status on a
person name (Do not
allow | Allow everywhere
except To and CC field |
Allow everywhere)" setting
2007 CCE-1596
The "Display online status enabled/disabled
on a person name (Never
| Everywhere except To
and CC field |
Everywhere)" setting
2007 CCE-1604
The "Turn off Enable the enabled/disabled
Person Names Smart Tag
option" setting should be
Outlook 2007.
2007 CCE-1648
The "Outlook Security enabled/disabled
Mode (Outlook Default
Security | Use Security
Form from 'Outlook
Security Settings' Public
Folder | Use Security
Form from 'Outlook 10
Security Settings' Public
Folder | Use Outlook
Security Group Policy)"
setting should be
Outlook 2007.
2007 CCE-1516
The "Display Level 1 enabled/disabled
attachments" setting
2007 CCE-1296
The "Allow users to enabled/disabled
demote attachments to
Level 2" setting should be
Outlook 2007.
2007 CCE-1388
The "Do not prompt about enabled/disabled
Level 1 attachments when
sending an item" setting
2007 CCE-1652
The "Do not prompt about enabled/disabled
Level 1 attachments when
closing an item" setting
2007 CCE-1569
The "Allow in-place enabled/disabled
activation of embedded
OLE objects" setting
2007 CCE-1459
The "Display OLE enabled/disabled
package objects" setting
2007 CCE-1608
The "Add file extensions enabled/disabled
to block as Level 1"
setting should be
2007 CCE-1617 Outlook 2007.
The "Remove file enabled/disabled
extensions blocked as
Outlook 2007.
2007 CCE-1631
The "Add file extensions enabled/disabled
to block as Level 2"
setting should be
2007 CCE-1155 Outlook 2007.
The "Remove file enabled/disabled
extensions blocked as
Outlook 2007.
2007 CCE-1556
The "Allow scripts in one- enabled/disabled
off Outlook forms" setting
2007 CCE-1595
The "Set Outlook object enabled/disabled
model Custom Actions
execution prompt (Prompt
User | Automatically
Approve | Automatically
Deny | Prompt user based
on computer security)"
setting should be
Outlook 2007.
2007 CCE-1436
The "Set control enabled/disabled
ItemProperty prompt
(Prompt User |
Automatically Approve |
Automatically Deny |
Prompt user based on
computer security)"
setting should be
2007 CCE-1586
The "Configure Outlook enabled/disabled
object model prompt when
sending mail (Prompt
setting should be
Outlook 2007.
2007 CCE-1590
accessing an address
book (Prompt User |
computer security)"
setting should be
Outlook 2007.
2007 CCE-1004
reading address
information (Prompt User |
computer security)"
setting should be
Outlook 2007.
2007 CCE-1273
responding to meeting
and task requests (Prompt
setting should be
Outlook 2007.
2007 CCE-1172
executing Save As
(Prompt User |
computer security)"
setting should be
Outlook 2007.
2007 CCE-1568
object model prompt
When accessing the
Formula property of a
UserProperty object
(Prompt User |
computer security)"
setting should be
Outlook 2007.
2007 CCE-1573
accessing address
information via
UserProperties.Find
(Prompt User |
computer security)"
setting should be
Outlook 2007.
2007 CCE-1454
The "Required Certificate enabled/disabled
Authority" setting should
2007 CCE-1498 Outlook 2007.
The "S/MIME enabled/disabled
interoperability with
external clients: (Handle
internally | Handle
externally | Handle if
possible)" setting should
Outlook 2007.
2007 CCE-1630
The "Always use Rich enabled/disabled
Text formatting in S/MIME
Outlook 2007.
2007 CCE-1626
The "S/MIME password enabled/disabled
Outlook 2007.
2007 CCE-1163
settings - Default S/MIME
password time (minutes):
(0 - 2147483647)" setting
2007 CCE-1445
settings - Maximum
S/MIME password time
(minutes): (0 -
2147483647)" setting
2007 CCE-1582
The "Message Formats" enabled/disabled
setting should be
2007 CCE-1357 Outlook 2007.
The "Message Formats - enabled/disabled
Support the following
message formats:
(S/MIME | Exchange |
Fortezza | S/MIME and
Exchange | S/MIME and
Fortezza | Exchange and
Fortezza | S/MIME,
Exchange, and Fortezza)"
setting should be
Outlook 2007.
2007 CCE-1132
2007: The "Do not provide enabled/disabled
Continue option on
Encryption warning dialog
boxes" setting should be
Outlook 2007. 2003: The
"Disable Continue button
on all Encryption warning
dialogs" setting should be
configured correctly.
2003/2007 CCE-1511
The "Run in FIPS enabled/disabled
compliant mode" setting
2007 CCE-1018
The "Encrypt all e-mail enabled/disabled
Outlook 2007 and 2003.
2003/2007 CCE-1181
The "Sign all e-mail enabled/disabled
Outlook 2007.
2007 CCE-1639
The "URL for S/MIME enabled/disabled
certificates" setting should
Outlook 2007.
2007 CCE-677
The "Ensure all S/MIME enabled/disabled
signed messages have a
label" setting should be
2007 CCE-687 Outlook 2007.
The "S/MIME receipt enabled/disabled
requests (Open message
if receipt can't be sent |
Don't open message if
receipt can't be sent |
Always prompt before
sending receipt | Never
send S/MIME )" setting
2007 CCE-1613
The "Fortezza certificate enabled/disabled
policies" setting should be
2007 CCE-1402 Outlook 2007.
The "Require SuiteB enabled/disabled
algorithms for S/MIME
operations" setting should
Outlook 2007.
2007 CCE-1658
The "Missing CRLs" enabled/disabled
setting should be
2007 CCE-1662 Outlook 2007.
The "Missing CRLs - enabled/disabled
Indicate a missing CRL as
a(n): (warning | error)"
setting should be
Outlook 2007.
2007 CCE-1080
The "Missing root enabled/disabled
certificates" setting should
Outlook 2007.
2007 CCE-1076
The "Missing root enabled/disabled
certificates - Indicate a
missing root certificate as
a(n): (neither error nor
warning | warning | error)"
setting should be
Outlook 2007.
2007 CCE-1636
The "Promote Level 2 enabled/disabled
errors as errors, not
warnings" setting should
2007 CCE-943 Outlook 2007.
The "Attachment Secure enabled/disabled
Temporary Folder" setting
2007 CCE-1591
The "Display pictures and enabled/disabled
external content in HTML
e-mail" setting should be
Outlook 2007.
2007 CCE-1133
The "Automatically enabled/disabled
download content for e-
mail from people in Safe
Senders and Safe
Recipients Lists" setting
2007 CCE-725
The "Do not permit enabled/disabled
download of content from
safe zones" setting should
Outlook 2007.
2007 CCE-1347
The "Block Trusted enabled/disabled
Zones" setting should be
Outlook 2007.
2007 CCE-1475
The "Include Internet in enabled/disabled
Safe Zones for Automatic
Picture Download" setting
2007 CCE-1497
The "Include Intranet in enabled/disabled
Safe Zones for Automatic
Picture Download" setting
2007 CCE-1501
The "Security setting for enabled/disabled
macros (Always warn |
Never warn, disable all |
Warn for signed, disable
unsigned | No security
check)" setting should be
Outlook 2007.
2007 CCE-1030
The "Enable links in e- enabled/disabled
mail messages" setting
2007 CCE-1052
The "Apply macro security enabled/disabled
settings to macros, add-
ins, and SmartTags"
setting should be
Outlook 2007.
2007 CCE-1462
configure profile based on
Active Directory Primary
SMTP address" setting
2007 CCE-1281
The "Do not allow users to enabled/disabled
change permissions on
Outlook 2007.
2007 CCE-1303
The "Enable RPC enabled/disabled
encryption" setting should
Outlook 2007.
2007 CCE-1082
The "Authentication with enabled/disabled
Exchange Server
(Kerberos/NTLM
Password Authentication |
Kerberos Password
Authentication | NTLM
Password Authentication)"
setting should be
Outlook 2007.
2007 CCE-1712
The "Synchronize Outlook enabled/disabled
RSS Feeds with Common
Feed List" setting should
Outlook 2007.
2007 CCE-1131
The "Turn off RSS enabled/disabled
feature" setting should be
Outlook 2007.
2007 CCE-1620
download enclosures"
setting should be
2007 CCE-1541 Outlook 2007.
The "Download full text of enabled/disabled
articles as HTML
attachments" setting
2007 CCE-1311
download attachments"
setting should be
Outlook 2007.
2007 CCE-1682
The "Do not include enabled/disabled
Internet Calendar
integration in Outlook"
setting should be
Outlook 2007.
2007 CCE-1461
The "Disable user entries enabled/disabled
to server list (Publish
default, allow others |
Publish default, disallow
others)" setting should be
Outlook 2007.
2007 CCE-1041
The "Do not expand enabled/disabled
distribution lists" setting
2007 CCE-1565
The "Save files in this enabled/disabled
format (PowerPoint
Presentation (*.pptx) |
PowerPoint Macro-
Enabled Presentation
(*.pptm) | PowerPoint 97-
2003 Presentation
(*.ppt))" setting should be
PowerPoint 2007.
2007 CCE-1719
Documents list (0 - 50)"
setting should be
PowerPoint 2007.
2007 CCE-1477
PowerPoint Open XML
presentations" setting
correctly for PowerPoint
2007.
2007 CCE-1142
The "Run Programs enabled/disabled
(disable (don't run any
programs) | enable
(prompt user before
running) | enable all (run
without prompting))"
setting should be
PowerPoint 2007.
2007 CCE-1649
The "Make hidden markup enabled/disabled
visible" setting should be
PowerPoint 2007.
2007 CCE-1279
The "Unblock automatic enabled/disabled
download of linked
images" setting should be
PowerPoint 2007.
2007 CCE-1451
setting should be
2007 CCE-1204 PowerPoint 2007.
signed by Trusted
PowerPoint 2007.
2007 CCE-1107
setting should be
PowerPoint 2007.
2007 CCE-743
PowerPoint 2007.
2007 CCE-747
PowerPoint 2007.
2007 CCE-782
setting should be
PowerPoint 2007.
2007 CCE-1327
Office Button | PowerPoint
Commands | Web Page
PowerPoint 2007.
2007 CCE-1723
PowerPoint 2007.
2007 CCE-1366
setting should be
PowerPoint 2007.
2007 CCE-1679
Review | Proofing |
Language" setting should
PowerPoint 2007.
2007 CCE-1173
setting should be
PowerPoint 2007.
2007 CCE-1714
Developer | Code |
PowerPoint 2007.
2007 CCE-1485
PowerPoint 2007.
2007 CCE-1687
PowerPoint 2007.
2007 CCE-1709
Office Button | PowerPoint
Commands | Document
Location" setting should
PowerPoint 2007.
2007 CCE-1463
Disable shortcut keys"
setting should be
PowerPoint 2007.
2007 CCE-1467
Ctrl+K (Insert | Links |
Hyperlink)" setting should
PowerPoint 2007.
2007 CCE-1740
Alt+F8 (Developer | Code
| Macros)" setting should
PowerPoint 2007.
2007 CCE-1780
Alt+F11 (Developer | Code
| Visual Basic)" setting
2007.
2007 CCE-1661
formats new to
PowerPoint 2007" setting
2007.
2007 CCE-1688
Open Xml files types"
setting should be
2007 CCE-1348 2007.
Html file types" setting
2007 CCE-1644 2007.
Outlines" setting should
PowerPoint 2007.
2007 CCE-1194
Converters" setting should
PowerPoint 2007.
2007 CCE-1216
Open Xml file types"
setting should be
2007 CCE-1136 2007.
The "Block saving of Html enabled/disabled
PowerPoint 2007.
2007 CCE-1766
Outlines" setting should
PowerPoint 2007.
2007 CCE-1180
GraphicFilters" setting
2007 CCE-1722 2007.
The "Disable Slide enabled/disabled
Update" setting should be
PowerPoint 2007.
2007 CCE-1731
The "Hidden text" setting enabled/disabled
correctly for Word 2007.
2007 CCE-885
The "Save files in this enabled/disabled
format (Word document
(*.docx) | Single Files Web
Page (*.mht) | Web Page
(*.htm; *.html) | Web
Page, Filtered (*.htm,
*.html) | Rich Text Format
(*.rtf) | Plain Text (*.txt) |
Word 6.0/95 (*.doc) |
Word 6.0/95 - Chinese
(Simplified) (*.doc) | Word
6.0/95 - Chinese
(Traditional) (*.doc) | Word
6.0/95 - Japanese (*.doc)
| Word 6.0/95 - Korean
(*.doc) | Word 97-2002 &
6.0/95 - RTF | Word 5.1
for Macintosh (*.mcw) |
Word 5.0 for Macintosh
(*.mcw) | Word 2.x for
Windows (*.doc) | Works
4.0 for Windows (*.wps) |
WordPerfect 5.x for
Windows (*.doc) |
WordPerfect 5.1 for DOS
(*.doc) | Word 2007 Macro
Enabled Document
(*.docm) | Word 2007
Macro Free Template
(*.dotx) | Word 2007
Macro Enabled Template
(*.dotm) | Word 97 - 2003
Document (*.doc) | Word
97 - 2003 Template (*.dot)
| Flat XML Document
2007 CCE-1656 (*.xml))" setting should be
setting should be
Word 2007.
2007 CCE-1537
The "Update automatic enabled/disabled
links at Open" setting
2007 CCE-1249 correctly for Word 2007.
The "Save smart tags in enabled/disabled
e-mail" setting should be
2007 CCE-1509 Word 2007.
Word Open XML
Word 2007.
2007 CCE-1280
setting should be
2007 CCE-1681 Word 2007.
signed by Trusted
Word 2007.
2007 CCE-1562
setting should be
Word 2007.
2007 CCE-1333
Word 2007.
2007 CCE-1355
Word 2007.
2007 CCE-1637
setting should be
Word 2007.
2007 CCE-1659
Office Button | Word
Commands | Save As
Web Page" setting should
Word 2007.
2007 CCE-1329
Office Button | Word
Commands | Web Page
Word 2007.
2007 CCE-1632
Word 2007.
2007 CCE-1425
setting should be
Word 2007.
2007 CCE-1196
Review | Protect | Protect
Document" setting should
Word 2007.
2007 CCE-936
setting should be
Word 2007.
2007 CCE-1354
Developer | Code |
Word 2007.
2007 CCE-1125
Developer | Code |
Record Macro" setting
2007 CCE-1742
Word 2007.
2007 CCE-1782
Word 2007.
2007 CCE-1306
Developer | Templates |
Document Template"
setting should be
Word 2007.
2007 CCE-1548
Word 2007.
2007 CCE-1716
keys - Ctrl+F (Home |
Editing | Find)" setting
2007 CCE-1597
keys - Ctrl+K (Insert |
Links | Hyperlink)" setting
2007 CCE-1689
keys - Alt+F8 (Developer |
Code | Macros)" setting
2007 CCE-1570
keys - Alt+F11 (Developer
| Code | Visual Basic)"
setting should be
Word 2007.
2007 CCE-1720
formats new to Word
Word 2007.
2007 CCE-1746
setting should be
2007 CCE-1504 Word 2007.
2007 CCE-1654
HTML file types" setting
2007 CCE-1160
Word 2003 XML file types"
setting should be
2007 CCE-958 Word 2007.
RTF file types" setting
2007 CCE-1579
The "Block open enabled/disabled
Word 2007.
2007 CCE-984
Text file types" setting
2007 CCE-1072
Internal file types" setting
2007 CCE-1503
files before version"
setting should be
2007 CCE-1371 Word 2007.
setting should be
2007 CCE-1019 Word 2007.
2007 CCE-1684
HTML file types" setting
2007 CCE-1675
The "Block saving of Word enabled/disabled
2003 XML file types"
setting should be
2007 CCE-1200 Word 2007.
The "Block saving of RTF enabled/disabled
Word 2007.
2007 CCE-1741
Word 2007.
2007 CCE-1231
The "Block saving of Text enabled/disabled
Word 2007.
2007 CCE-1755
ms computer
config
The InfoPath APTCA enabled/disabled
Assembly Whitelist setting
correctly.
2007 CCE-1169
The Windows Internet enabled/disabled
Explorer Feature Control
Opt-In (None |
InfoPath.exe, Document
Information Panel and
Workflow forms |
InfoPath.exe, Document
Information Panel,
Workflow forms and 3rd
Party Hosting) setting
correctly.
2007 CCE-1735
The InfoPath APTCA enabled/disabled
Assembly Whitelist
Enforcement setting
correctly.
2007 CCE-1739
The Disable Package enabled/disabled
Repair setting should be
2007 CCE-933
The Disable user name enabled/disabled
and password setting
correctly.
2007 CCE-1563
and password - excel.exe
setting should be
2007 CCE-1215
and password -
powerpnt.exe setting
correctly.
2007 CCE-1484
and password -
pptview.exe setting should
be configured correctly.
2007 CCE-1629
and password -
winword.exe setting
correctly.
2007 CCE-1762
and password -
outlook.exe setting should
2007 CCE-1660
and password -
spDesign.exe setting
correctly.
2007 CCE-1057
and password -
msaccess.exe setting
correctly.
2007 CCE-1285
The Bind to object setting enabled/disabled
correctly.
2007 CCE-1669
The Bind to object - enabled/disabled
excel.exe setting should
2007 CCE-1691
correctly.
2007 CCE-1338
2007 CCE-1717
winword.exe setting
correctly.
2007 CCE-1488
2007 CCE-1638
correctly.
2007 CCE-1647
correctly.
2007 CCE-1294
The Saved from URL enabled/disabled
setting should be
2007 CCE-1193
The Saved from URL - enabled/disabled
2007 CCE-1352
correctly.
2007 CCE-928
2007 CCE-1576
2007 CCE-1100
2007 CCE-1232
correctly.
2007 CCE-1774
correctly.
2007 CCE-906
The Navigate URL setting enabled/disabled
correctly.
2007 CCE-1034
The Navigate URL - enabled/disabled
2007 CCE-1435
correctly.
2007 CCE-1708
2007 CCE-808
winword.exe setting
correctly.
2007 CCE-1650
2007 CCE-1223
correctly.
2007 CCE-1764
correctly.
2007 CCE-1769
The Block popups setting enabled/disabled
correctly.
2007 CCE-1152
The Block popups - enabled/disabled
2007 CCE-1566
correctly.
2007 CCE-1077
2007 CCE-1606
winword.exe setting
correctly.
2007 CCE-1738
2007 CCE-1262
correctly.
2007 CCE-1663
correctly.
2007 CCE-1544
new NIST
The "Prevent users from
customizing attachment
security settings" setting
2007 CCE-1443 correctly. 1 = Enabled
The "Access: Macro 1 = Enabled - Low |

Security Level" setting 2 = Enabled -
should be configured Medium | 3 =
2003 CCE-1161 correctly. Enabled - High
The "Access: Trust all

installed add ins and
templates" setting should 0 = Enabled | 1 =
2003 CCE-1421 be configured correctly. Disabled
The "Excel: Macro 1 = Enabled - Low |
The "Excel: Trust all

The "Outlook: Macro 1 = Enabled - Low |

The "Outlook: Trust all

installed add-ins and
0 = Uses default
administrative
settings | 1 = Look
in the Outlook
Security Settings
The "Outlook virus folder | 2 = Look in
security settings" setting the Outlook 10
should be configured Security Settings
2003 CCE-1522 correctly. folder
0 = Open message
if receipt can't be
sent | 1 = Always
prompt before
sending receipt | 2 =
Never send S/MIME
The "S/MIME receipt receipts | 3 = Don't
requests" setting should open message if
2003 CCE-1183 be configured correctly. receipt can't be sent
The "PowerPoint: Macro 1 = Enabled - Low |

The "PowerPoint: Trust all

The "Publisher: Macro 1 = Enabled - Low |

The "Publisher: Trust all

installed addins and
The "Word: Macro 1 = Enabled - Low |

The "Word: Trust all
installed addins and
The "Store random

number to improve merge
accuracy" setting should 0 = Enabled | 1 =
The "Prevent Users from
Changing Office
Encryption Settings"
setting should be 0 = Disabled | 1 =
2003 CCE-1307 configured correctly. Enabled
Internet
Explorer
The "Security Zones: Use

Only Machine Settings"
setting should be (1)
Internet Explorer
Processes (Restrict (1)
CCE-119 ActiveX Install) enabled/disabled
The "Security Zones: Do
Not Allow Users to
Add/Delete Sites" setting
The "Disable Periodic

Check For Internet
Explorer Software
Updates" setting should (1)
DEPRECATED in favor
CCE-270 of CCE-684.
Internet Explorer
Processes (Zone
CCE-347 Elevation Protection) enabled/disabled
The "Internet Explorer
Processes (Consistent
MIME Handling)" setting
The "Allow Software to

Run or Install Even if the
Signature is Invalid"
setting should be
DEPRECATED in favor
CCE-498 of CCE-212.

Processes (MK Protocol)"
The "Disable Software
Update Shell Notifications
on Program Launch"

Processes (Restrict File
Download)" setting should
The "Disable Automatic

Install of Internet Explorer
Components" setting
The "Make Proxy Settings

Per-Machine (Rather
Then Per-User)" setting
should be configured (1) number of proxy
CCE-693 correctly. settings
The "Do Not Allow Users
to enable or Disable Add-
Ons" setting should be
The "Turn Off Crash

Detection" setting should

Processes (Scripted
Window Security
Restrictions)" setting
The "Security Zones: Do

Not Allow Users to
Change Policies" setting
Processes (MIME
Sniffing)" setting should
The "Check for Signature

on Downloaded
Programs" setting should
The "Do Not Allow
Resetting Internet
Explorer Settings" setting
The "Allow cut, copy, or

paste operations from the
clipboard via script"
setting should be
CCE-49 the Internet Zone. enabled/disabled
The "Turn Off First- Run

Opt-In" setting should be
The "Web Browser

Applications" setting
correctly for the Internet
CCE-286 Zone. enabled/disabled
The "Allow cut, copy, or
paste operations from the
clipboard via script"
setting should be
CCE-1031 the Restricted Sites Zone. enabled/disabled
The "Turn Off First- Run

Opt-In" setting should be
The "Web Browser

Applications" setting
correctly for the Restricted
CCE-51 Sites Zone. enabled/disabled
The "Intranet Sites:

Include all network paths
(UNCs)" setting should be
The "Disable the

Advanced Page" setting
The "Disable the Privacy

Page" setting should be
The "Disable the Security

Page" setting should be
The "Prevent Ignoing

Certificate Errors" setting
The "Turn Off changing
the URL to be displayed
for checking updates to
Internet Explorer and
Internet Tools" setting
The "Turn Off Configuring

the Update Check Interval
(In Days)" setting should
The "Add-on List" setting

The "Deny all add-ons

unless specifically allowed
in the Add-on List" setting
The "Disable "Configuring

History"" setting should be
The "Disable Changing

Automatic Configuration
Settings" setting should

Connection Settings"
setting should be
Proxy Settings" setting
The "Disable Showing the

Splash Screen" setting
The "Prevent "Fix

settings" Functionality"
setting should be
The "Prevent participation

in the Customer
Programs" setting should
The "Prevent performance

of First Run Customize
The "Prevent the

deletation of temporary
internet files and cookies"
setting should be
The "Turn off "Delete

Browsing History"
functionality" setting
The "Turn off Managing

Phishing Filter" setting
The "Turn off the Security

Settings Check feature"
setting should be
The "Allow Active Content
from CD's to Run on User
Machine" setting should
The "Enable third-party

browser extensions"
setting should be
The "Automatically Check

for Internet Explorer
Updates" setting should
The "Check for Server

Certificate Revocation"
setting should be
The "Access data sources

across domains" setting
correctly for the Internet enabled/disabled/pr
CCE-47 Zone. ompt
The "Drag and drop or

copy and paste files"
setting should be
configured correctly for enabled/disabled/pr
CCE-685 the Internet Zone. ompt
The "Font download"

setting should be
The "Installation of
desktop items" setting
CCE-355 Zone. ompt
The "Allow script-initiated
windows without size or
position constraints"
setting should be
The "Allow Scriptlets"

setting should be
The "Allow status bar

updates via script" setting
The "Automatic prompting

for file downloads" setting
The "Download signed

ActiveX controls" setting
CCE-1013 Zone. ompt
The "Download unsigned

CCE-176 Zone. ompt
The "Initialize and script
ActiveX controls not
marked as safe for
scripting" setting should
be configured correctly for enabled/disabled/pr
Custom/Disable
The "Java permissions" Java/High
setting should be safety/Low
configured correctly for safety/Medium
CCE-132 the Internet Zone. safety
The "Launching programs

and files in an IFRAME"
setting should be
Anonymous
logon/Automatic
logon only in
Intranet
zone/Automatic
logon with current
The "Logon" setting user name and
should be configured password/Prompt
correctly for the Internet for user name and
CCE-720 Zone. password
The "Loose XAML" setting

CCE-126 Zone. ompt
The "Navigate sub-frames
across different domains"
setting should be
The "Open files based on

content, not file extension"
setting should be
The "Software channel

permissions" setting
should be configured High safety/low
correctly for the Internet safety/medium
CCE-359 Zone. safety
The "Use Pop-up Blocker"

setting should be
The "Userdata
persistence" setting
The "Web sites in less

privileged Web content
zones can navigate into
this zone" setting should
The "XPS documents"

setting should be
The "Display mixed
content" setting should be
The "Display mixed

CCE-288 the Intranet Zone. ompt
The "Display mixed

the Locked Down Intranet enabled/disabled/pr
CCE-552 Zone. ompt
The "Display mixed

CCE-473 the Local Machine Zone. ompt
The "Display mixed

the Locked Down Local enabled/disabled/pr
CCE-239 Machine Zone. ompt
The "Access data sources

across domains" setting
correctly for the Restricted enabled/disabled/pr
CCE-636 Sites Zone. ompt
The "Active scripting"

setting should be
CCE-292 the Restricted Sites Zone. ompt
The "Binary and script
behaviors" setting should Administrator
be configured correctly for approved/enabled/di
CCE-178 the Restricted Sites Zone. sabled
The "Drag and drop or

copy and paste files"
setting should be
The "File download"

setting should be
The "Font download"

setting should be
The "Installation of
desktop items" setting
The "Allow META

REFRESH" setting should
The "Allow script-initiated
windows without size or
position constraints"
setting should be
The "Allow Scriptlets"

setting should be

The "Automatic prompting

for file downloads" setting

The "Download unsigned

The "Initialize and script
ActiveX controls not
marked as safe for
Custom/Disable
CCE-925 the Restricted Sites Zone. safety
The "Launching programs

and files in an IFRAME"
setting should be
Anonymous
logon/Automatic
logon only in
Intranet
zone/Automatic
logon with current
The "Logon" setting user name and
should be configured password/Prompt
correctly for the Restricted for user name and
CCE-128 Sites Zone. password
The "Loose XAML" setting

The "Navigate sub-frames

across different domains"
setting should be
The "Open files based on
content, not file extension"
setting should be
The "Run components not

signed with Authenticode"
setting should be
The "Run components

signed with Authenticode"
setting should be
The "Run ActiveX controls

and plugins" setting
should be configured Administrator
correctly for the Restricted approved/enabled/di
CCE-841 Sites Zone. sabled/prompt
The "Script ActiveX

controls marked safe for
The "Scripting of Java
applets" setting should be
The "Software channel

permissions" setting
should be configured High safety/low
correctly for the Restricted safety/medium
CCE-520 Sites Zone. safety
The "Use Pop-up Blocker"

setting should be
The "Userdata
persistence" setting
The "Web sites in less

privileged Web content
zones can navigate into
this zone" setting should
The "XPS documents"

setting should be
The "Display mixed
The "Display mixed

CCE-31 the Trusted Sites Zone. ompt
The "Display mixed

the Locked Down Trusted enabled/disabled/pr
The "Enable Native

XMLHttp Support" setting
The "Turn on the auto-
complete feature for user
names and passwords on
form" setting should be
The "Allow Install On
Demand (Internet
Explorer)" setting should
The "Turn off page

transitions" setting should
The "Disable
AutoComplete for forms"
setting should be
The "Disable Save this
program to disk option"
setting should be
The "Disable changing
certificate settings" setting
The "Disable external
branding of Internet
Explorer" setting should
The "Configure Outlook
Express" setting should
CCE-963 be configured correctly enabled/disabled
The "Turn on the Internet
Connection Wizard Auto
Detect" setting should be
The "Disable Internet
Connection wizard"
setting should be
The "Disable the Reset
Web Settings feature"
The "Disable Downloading

Of Site Subscription
Content" setting should be
The "Disable Adding
Schedules For Offline
Pages" setting should be
The "Disable Adding
Channels" setting should
The "Disable Editing And
Creating Of Schedule
Groups" setting should be
The "Disable All
Scheduled Offline Pages"
setting should be
The "Disable Editing
The "Disable Channel
User Interface
Completely" setting
The "Disable Removing
Channels" setting should
The "Disable Removing
The "Disable Offline Page
Hit Logging" setting
The "Increase a Process

Working Set" setting
should be configured Set of users or
CCE-1027 correctly. groups
The "Behavior of the
elevation prompt for
standard users" setting Prompt for
should be configured credentials/Automati
CCE-1067 correctly. cally deny
The "Behavior of the

elevation prompt for
administrators in Admin Prompt for
Approval Mode" setting consent/Prompt for
should be configured credentials/Automati
CCE-1063 correctly. cally deny
The "Remove CD Burning

features" setting should
The "Remove Security
tab" setting should be
The "Empty Temporary
Internet Files folder when
browser is closed" setting
The "Disable changing
Temporary Internet files

Maintenance Policy
Processing - Allow
processing across a slow
network connection"
setting should be
Maintenance Policy
Processing - Do not apply
during periodic
background processing"
setting should be

Maintenance Policy
Processing - Process
even if the Group Policy
objects have not
changed" setting should
The "Turn on Mapper I/O
(LLTDIO) driver" setting
correctly for the domain
CCE-947 profile. enabled/disabled
correctly for the public
correctly for the private
The "Turn on Responder
(RSPNDR) driver" setting
correctly for the domain
correctly for the public
correctly for the private
The "Java permissions" Custom/Disable

setting should be Java/High
configured correctly for safety/Low
the Locked Down Intranet safety/Medium
CCE-320 Zone. safety
Custom/Disable
CCE-138 the Local Machine Zone. safety

the Locked Down Local safety/Medium
CCE-1045 Machine Zone. safety

the Locked Down safety/Medium
CCE-1088 Restricted Sites Zone. safety
Custom/Disable
CCE-675 the Trusted Sites Zone. safety

the Locked Down Trusted safety/Medium
CCE-140 Sites Zone. safety
The "Configuration of
wireless settings using
Windows Connect Now"
setting should be
Wireless Connect Now
CCE-734 over Ethernet (UPnP). enabled/disabled
setting should be
CCE-469 USB flash drives. enabled/disabled
setting should be
the Windows Portable
CCE-302 Device API. enabled/disabled
The 'Approved Installation

Sites for ActiveX Controls'
security mechanism
The "Disable Logging"
setting should be
The "Disable Windows
Error Reporting" setting
The "Do not send
additional data" setting
The "Configure Corporate

Windows Error Reporting"
setting should be
The "Remove Default

Programs link from the
Start menu" setting should
The "Turn off Help
The "Turn off Help

Ratings" setting should be

The "Prevent users from
sharing files within their
profile" setting should be
The "Access Credential
Manager as a trusted
caller" user right should
be assigned to the
CCE-389 appropriate accounts. list of accounts
The "Change the time
zone" user right should be
assigned to the
The "Create Symbolic
Links" user right should be
assigned to the
The "Modify an object
label" user right should be
assigned to the
The "Remotely accessible

registry paths and
subpaths" policy should
CCE-1185 be set correctly. set of paths
The "User Account

Control: Admin Approval
Mode for the Built-in
Administrator account"
setting should be
The "User Account

Control: Detect application
installations and prompt
for elevation" setting
The "User Account

Control: Only elevate
executables that are
signed and validated"
setting should be
The "User Account

Control: Only elevate
UIAccess applications that
are installed in secure
The "User Account
Control: Run all
administrators in Admin
Approval Mode" setting
The "User Account

Control: Switch to the
secure desktop when
prompting for elevation"
setting should be
The "User Account

Control: Virtualize file and
registry write failures to
per-user locations" setting

%\System32\mshta.exe permissions (3)

for the WLAN AutoConfig (2) list of
service should be permissions (3)
The "Prohibit use of

Internet Connection
Firewall on your DNS
domain network" setting
The "Display Error

Notification" setting should
The setup log maximum
CCE-262 correctly. (1) Size limit (KB)
Computer-wide, rather
than per-user, assignment
of sites to zones for
Internet Explorer should
be enabled or disabled as enabled, disabled,
CCE-1005 appropriate. or not configured
The "Turn on Protected
Mode" setting should be
correctly for the Locked- enabled/disabled/pr
CCE-308 Down Internet Zone. ompt

correctly for the Locked-
CCE-1147 Down Trusted Sites Zone. enabled/disabled
The "Turn on Protected

Mode" setting should be
Computer-wide, rather
than per-user, use of
Microsoft Spynet
Reporting for Windows
Defender should be
enabled or disabled as enabled, disabled,
CCE-312 appropriate. or not configured
The "Do Not Show First
Use Dialog Boxes" setting
for Windows Media Player
The "Prevent Desktop
Shortcut Creation" setting
for Windows Media Player
User notifications when a

program is blocked from
receiving inbound
connections by Windows
Firewall should be
appropriate for the yes/no/not
CCE-1047 Domain Profile. configured
The "Log Dropped
CCE-325 the Private Profile. (1) enabled/disabled
The "Log Successful

correctly for the Private
CCE-327 Profile. enable/disabled

Firewall should be
CCE-999 the Private Profile. (1) File path

correctly for the Private
The "Log Dropped

CCE-1165 the Public Profile. (1) enabled/disabled
The "Log Successful
correctly for the Public
CCE-534 Profile. enable/disabled

Firewall should be
CCE-1263 the Public Profile. (1) File path

correctly for the Public
The ISATAP tunneling
protocol for IPv6 should
The 6to4 tunneling
The Teredo tunneling
Auditing of "System:
Security System
Extension" events on
success should be
Security System
Extension" events on
or disabled as
System Integrity" events
System Integrity" events
Auditing of "System: Ipsec

Driver" events on success
Auditing of "System: Ipsec

Driver" events on failure
Auditing of "System: Other
System Events" events on
success should be
Auditing of "System: Other
System Events" events on
or disabled as
Security State Change"
Security State Change"
Auditing of "Logon/Logoff:
Logon" events on success
Logon" events on failure
Logoff" events on success
Logoff" events on failure
Account Lockout" events
Account Lockout" events
IPsec Main Mode" events
IPsec Main Mode" events
IPsec Quick Mode" events
IPsec Quick Mode" events
IPsec Extended Mode"
IPsec Extended Mode"
Special Logon" events on
success should be
Special Logon" events on
or disabled as
Other Logon/Logoff
Events" events on
success should be
Other Logon/Logoff
Events" events on failure
Auditing of "Object
Access: File System"
Auditing of "Object
Access: File System"
Auditing of "Object
Access: Registry" events
Auditing of "Object
Access: Registry" events
Auditing of "Object
Access: Kernel Object"
Auditing of "Object
Access: Kernel Object"
Auditing of "Object
Access: SAM" events on
success should be
Auditing of "Object
Access: SAM" events on
or disabled as
Auditing of "Object
Access: Certification
Services" events on
success should be
Auditing of "Object
Access: Certification
Services" events on
or disabled as
Auditing of "Object
Access: Application
Generated" events on
success should be
Auditing of "Object
Access: Application
Generated" events on
or disabled as
Auditing of "Object
Access: Handle
Manipulation" events on
success should be
Auditing of "Object
Access: Handle
Manipulation" events on
or disabled as
Auditing of "Object
Access: File Share"
Auditing of "Object
Access: File Share"
Auditing of "Object
Access: Filtering Platform
Packet Drop" events on
success should be
Auditing of "Object
Packet Drop" events on
or disabled as
Auditing of "Object
Connection" events on
success should be
Auditing of "Object
Connection" events on
or disabled as
Auditing of "Object
Access: Other Object
Access Events" events on
success should be
Auditing of "Object
Access: Other Object
Access Events" events on
or disabled as
Auditing of "Privilege Use:
Sensitive Privilege Use"
Sensitive Privilege Use"

Non Sensitive Privilege
Use" events on success

Non Sensitive Privilege
Use" events on failure

Other Privilege Use
Events" events on
success should be

Privilege Use: Other
Privilege Use Events"
Auditing of "Detailed
Tracking: Process
Termination" events on
success should be
Tracking: Process
Termination" events on
or disabled as
Tracking: DPAPI Activity"
Tracking: DPAPI Activity"
Tracking: RPC Events"
Tracking: RPC Events"
Tracking: Process
Creation" events on
success should be
Tracking: Process
Creation" events on failure
Auditing of "Policy
Change: Audit Policy
Change" events on
success should be
Auditing of "Policy
Change: Audit Policy
Change" events on failure
Auditing of "Policy
Change: Authentication
Policy Change" events on
success should be
Auditing of "Policy
Change: Authentication
or disabled as
Auditing of "Policy
Change: Authorization
success should be
Auditing of "Policy
Change: Authorization
or disabled as
Auditing of "Policy
Change: MPSSVC Rule-
Level Policy Change"
Auditing of "Policy
Change: MPSSVC Rule-
Level Policy Change"
Auditing of "Policy
Change: Filtering Platform
success should be
Auditing of "Policy
Change: Filtering Platform
or disabled as
Auditing of "Policy
Change: Other Policy
Change Events" events
Auditing of "Policy
Change: Other Policy
Change Events" events
Auditing of "Account
Management: User
Account Management"
Management: User
Account Management"
Management: Computer
Account Management"
Management: Computer
Account Management"
Management: Security
Group Management"
Management: Security
Group Management"
Management: Distribution
Group Management"
Management: Distribution
Group Management"
Management: Application
Group Management"
Management: Application
Group Management"
Management: Other
Account Management
Events" events on
success should be
Management: Other
Account Management
Auditing of "DS Access:
Directory Service
Changes" events on
success should be

Directory Service
Changes" events on
or disabled as

Directory Service
Replication" events on
success should be

Directory Service
or disabled as

Detailed Directory Service
success should be

Detailed Directory Service
or disabled as

Directory Service Access"

Directory Service Access"
Logon: Kerberos Ticket
Events" events on
success should be
Logon: Kerberos Ticket
Logon: Other Account
Logon Events" events on
success should be
Logon: Other Account
Logon Events" events on
or disabled as
Logon: Credential
Validation" events on
success should be
Logon: Credential
Validation" events on
or disabled as
DISA Gold
Disk Check
CIS W2K Server
Name for
CCE Technical Mechanisms Level 2
W2K
Benchmark v2.2.1
(golddisk.win
2k.ecve.txt)
4.4.3.1 %System Drive% - ?

Everyone: Failures (this
folder, propagate
inheritable permissions to
all subfolders and files)
(1) defined by the object's SACL
4.4.3.2 HKLM\Software
key, propagate inheritable Reg Auditing Local
(1) defined by the object's SACL permission to all subkeys) Machine
4.4.3.3 HKLM\System
key, propagate inheritable Reg Auditing Local
(1) defined by the object's SACL permission to all subkeys) Machine
(1) defined by the object's DACL



4.4.1.15 %ProgramFiles%
- Administrators: Full;
System: Full; Creator
Owner: Full; Users: Read
and Execute, List
Program Files
(1) defined by the object's DACL ACL
4.4.1.16 %Program
Files%\Resource Kit
Administrators: Full; Resource Kit ACL
(1) defined by the object's DACL System: Full Servers and DCs
4.4.1.17 %Program
Files%\Resource Pro
Kit Administrators: Resource Kit ACL
(1) defined by the object's DACL Full; System: Full Workstation
4.4.1.1 %SystemDrive%\ - SystemDrive ACL
Administrators: Full;
Owner: Full; Users: Read
and Execute, List
4.4.1.2 %SystemDrive Autoexec.bat ACL
%\autoexec.bat -
Administrator: Full;
System: Full

4.4.1.3 %SystemDrive
%\boot.ini
(1) defined by the object's DACL System: Full BOOT.INI ACL
4.4.1.4 %SystemDrive CONFIG.SYS ACL
%\config.sys -
System: Full

4.4.1.10 %SystemDrive Documents and
%\Documents and Settings ACL
Settings - Administrators:
Full; System: Full; Users:
Read and Execute, List
%\Documents and
Settings\Administrator -
System: Full
Documents and
Settings\Administr
(1) defined by the object's DACL ator ACL
%\Documents and
Settings\All Users
Administrators: Full; Documents and
System: Full; Users: Settings\All Users
(1) defined by the object's DACL Read and Execute, List ACL
%\Documents and
Settings\All
Users\Documents\DrWa
tson Administrators:
Full; System:
Full;Creator Owner:
Full; Users: Traverse
Folder/Execute File, List
Folder/Read Data,
Read Attributes, Read
Extended Attributes,
Read Permissions (This
folder, subfolders, and
files); Users: Traverse
Folder/Execute Files,
CreateFiles/Write Data,
Create Folder/Append
Data (Subfolders and
(1) defined by the object's DACL files only) DrWatson ACL
?
DrWatson Log
4.4.1.14 %SystemDrive Default User ACL
%\Documents and
Settings\Default User -
System: Full; Users: Read
and Execute, List

4.4.1.5 %SystemDrive IO.SYS ACL
%\io.sys - Administrators:
Full; System: Full
4.4.1.6 %SystemDrive MSDOS.SYS ACL
%\msdos.sys -
System: Full

4.4.1.7 %SystemDrive NTBOOTDD.SYS
%\ntbootdd.sys - ACL
System: Full
%\ntdetect.com
Administrators: Full; NTDETECT.COM
(1) defined by the object's DACL System: Full ACL
%\ntldr - Administrators:
(1) defined by the object's DACL Full; System: Full NTLDR ACL
?
(1) defined by the object's DACL Temp ACL

?
My Download
%\System Volume
Information (Do not
allow permissions on
this folder to be
(1) defined by the object's DACL replaced)
4.4.1.18 %SystemRoot
% Administrators:
Full; System: Full;
Creator Onwer: Full;
Users: Read and
(1) defined by the object's DACL Execute, List System Root ACL
(1) defined by the object's DACL Driver.cab ACL
% Administrators:
Full; System: Full;
Creator Onwer: Full;
Users: Read and
(1) defined by the object's DACL Execute, List System Root ACL
%\
$NtServicePackUninstal %SystemRoot%\
l$ Administrators: Full; $NtServicePackU
(1) defined by the object's DACL System: Full ninstall$
NT SP Uninstall
(1) defined by the object's DACL ? ACL
%\CSC
(1) defined by the object's DACL System: Full CSC ACL
%\Debug -
Owner: Full; Users:
(1) defined by the object's DACL Read and Execute, List Debug ACL
%\Debug\UserMode -
System: Full; Users:
Traverse
Folder/Execute File,
Listfolder/Read data,
Create files/Write data
(This folder, only);
Create files/Write data,
Create folders/Append UserMode
(1) defined by the object's DACL data(Files only) Directory ACL
%\regedit.exe
(1) defined by the object's DACL System: Full regedit.exe ACL
?
(1) defined by the object's DACL NTDS ACL
%\Offline Web Pages
Ignore Parent
(1) defined by the object's DACL Permission Changes
%\Registration -
(1) defined by the object's DACL Read Registration ACL
%\repair -
(1) defined by the object's DACL System: Full Repair ACL
%\security -
(1) defined by the object's DACL Owner: Full Security ACL
?
(1) defined by the object's DACL SYSVOL ACL

?
%SystemRoot
%\SYSVOL\doma
(1) defined by the object's DACL in\Policies
?
(1) defined by the object's DACL Temp ACL
%\system32 -
Owner: Full; Users:
(1) defined by the object's DACL Read and Execute, List System32 ACL
%\system32\appmgmt
(1) defined by the object's DACL Read and Execute, List appmgmt ACL
%\system32\at.exe
(1) defined by the object's DACL System: Full at.exe ACL
%\system32\config
(1) defined by the object's DACL System: Full CONFIG ACL
?
%SystemRoot
%\System32\CO
NFIG\AppEvent.e
(1) defined by the object's DACL vt
?
%SystemRoot
%\System32\CO
NFIG\SecEvent.e
(1) defined by the object's DACL vt

%\system32\dllcache
(1) defined by the object's DACL Owner: Full dllcache ACL

%\system32\DTCLog -
Owner: Full; Users:
(1) defined by the object's DACL Read andExecute, List
%\system32\Group
Policy - Administrators:
Full; System: Full;
Authenticated Users:
(1) defined by the object's DACL Read andExecute, List GroupPolicy ACL
%\system32\ias -
(1) defined by the object's DACL Owner: Full ias ACL

%\system32\Ntbackup.
exe Administrators: NTbackup.exe
(1) defined by the object's DACL Full; System: Full ACL
%\system32\NTMSData
(1) defined by the object's DACL System: Full NTMSData ACL

%\system32\rcp.exe
(1) defined by the object's DACL System: Full Rcp.exe ACL
%\system32\regedt32.e
xe Administrators: Regedt32.exe
(1) defined by the object's DACL Full; System: Full ACL
%\system32\reinstallbacku
ps Administrators: Full;
Owner: Full; PowerUsers:
(1) defined by the object's DACL Read and Execute, List
%\system32\rexec.exe
(1) defined by the object's DACL System: Full Rexec.exe ACL
%\system32\rsh.exe
(1) defined by the object's DACL System: Full Rsh.exe ACL

?
%\system32\secedit.ex
e Administrators: Full;
(1) defined by the object's DACL System: Full
%\system32\Setup
(1) defined by the object's DACL Read and Execute, List Setup ACL
?
(1) defined by the object's DACL repl ACL

?
(1) defined by the object's DACL Export ACL

?
(1) defined by the object's DACL Import ACL
%\system32\spool\print
ers Administrators:
Full; System: Full;
Creator Owner: Full;
Users:Traverse Folder,
Execute File, Read,
Read Extended
Attributes, Create Spool\Printers
(1) defined by the object's DACL folders, Append Data ACL


?
%\Tasks - (Do not allow
permissions on this folder
(1) defined by the object's DACL to be replaced)
?
(1) defined by the object's DACL MQSeries ACL

?
MQSeries Queue
(1) defined by the object's DACL 269
(1) defined by the object's DACL SECEDIT.SDB ACL
Registry ACL
Check
(1) defined by the object's DACL CLASSES_ROOT
? ?
4.4.2.2 HKLM\Software
Administrators Full;
Owner: Full; Users: Registry ACL
(1) defined by the object's DACL Read Check Software
?
4.4.2.1
HKLM\Software\Classes -
(1) defined by the object's DACL Owner: Full; Users: Read
?
\
SOFTWARE\Clas
ses\Regfile\Shell\
(1) defined by the object's DACL Open\Command

4.4.2.3
HKLM\Software\Micros
oft\Net DDE
Administrators: Full; Reg ACL NetDDE
(1) defined by the object's DACL System: Full Check test
4.4.2.4
oft\OS/2 Subsystem for
NT Administrators:
Full; System: Full; Reg ACL OS2
(1) defined by the object's DACL Creator Owner: Full Check test
4.4.2.5
oft\Windows
NT\CurrentVersion\Asr
Commands
System: Full;Creator
Owner: Full; Users:
Read; Backup
Operators: Query
Value, Set Value,
Create Subkey,
EnumerateSubkeys,
Notify, Delete, Read Reg ACL Check
(1) defined by the object's DACL (this key and subkeys) AsrCommands
4.4.2.6
oft\Windows
NT\CurrentVersion\Perfl
ib Administrators: Full;
System: Full;
CreatorOwner: Full;
Interactive: Read (this Registry ACL
(1) defined by the object's DACL key and subkeys) Check Perflib
4.4.2.7
oft\Windows\CurrentVer
sion\Group Policy -
System:
Full;Authenticated Reg ACL Check
(1) defined by the object's DACL Users: Read Group Policy
4.4.2.8
sion\Installer -
System: Full; Users: Reg ACL Check
(1) defined by the object's DACL Read Installer
4.4.2.9
sion\Policies -
System: Full;
AuthenticatedUsers: Reg ACL Check
(1) defined by the object's DACL Read Policies

4.4.2.10 HKLM\System
- Administrators Full;
(1) defined by the object's DACL Read Check SYSTEM
4.4.2.11
HKLM\System\Clone
Allow inheritable
permissions to
(1) defined by the object's DACL propagate to this object
4.4.2.12
HKLM\System\ControlS
et001 - Administrators
Full; System: Full; Registry ACL
Creator Owner: Full; Check
(1) defined by the object's DACL Users: Read controlset001
4.4.2.13
et00x - Administrators
4.4.2.13
4.4.2.13
4.4.2.13
4.4.2.13
4.4.2.13
4.4.2.13
4.4.2.13
4.4.2.13

4.4.2.14
HKLM\System\CurrentC
ontrolSet\Control\Secur
ePipeServers\WinReg
(1) defined by the object's DACL Administrators: Full Winreg ACL
? ?
4.4.2.15
ontrolSet\Control\WMI\
Security
Owner: Full(this key Registry ACL
(1) defined by the object's DACL and subkeys) Check Security
4.4.2.16
ontrolSet\Enum - (Do
not allow permissions
on this key to be
(1) defined by the object's DACL replaced)
4.4.2.17
HKLM\System\CurrentCon
trolSet\Hardware Profiles
Administrators Full; Registry ACL
System: Full; Creator Check Hardware
(1) defined by the object's DACL Owner: Full;Users: Read Profiles



4.4.2.18
ontrolSet\Services\SNM
P\Parameters\Permitted
Managers -
System: Full;Creator Check Permitted
(1) defined by the object's DACL Owner: Full Managers
4.4.2.19
ontrolSet\Services\SNM
P\Parameters\ValidCom
munities -
System: Full;Creator Check
(1) defined by the object's DACL Owner: Full ValidCommunities


4.4.2.20 HKU\.Default -
(1) defined by the object's DACL Read Check Default
4.4.2.21
HKU\.Default\Software\
Microsoft\NetDDE -
(1) defined by the object's DACL System: Full Check NetDDE
4.4.2.22
HKU\.Default\Software\
Microsoft\Protected
Storage System
(1) defined by the object's DACL Provider No entries
?
Registry ACL
Check
(1) defined by the object's DACL CLASSES_ROOT
4.2.11 Deny access to this User Right Check

(1) defined by the SeDenyNetworkLogonRight setting computer from the deny access from
in Local or Group Policy network: Guests network
4.2.1 Access this computer

(1) defined by the SeNetworkLogonRight setting in from the network: Users, User Right Check
Local or Group Policy Administrators (or none) Network Logon
(1) defined the SeTcbPrivilege setting in by Local or 4.2.2 Act as part of the User Right Check
Group Policy operating system: None Act as OS
(1) defined the SeBackupPrivilege setting in by Local 4.2.4 Back up files and User Right Check
or Group Policy directories: Administrators Backup
User Right Check

(1) defined the SeChangeNotifyPrivilege setting in by 4.2.5 Bypass traverse Bypass Traverse
Local or Group Policy checking: Users checking
(1) defined the SeSystemTimePrivilege setting in by 4.2.6 Change the system User Right Check
Local or Group Policy time: Administrators change system time
(1) defined the SeCreatePagefilePrivilege setting in by 4.2.7 Create a pagefile: User Right Check
Local or Group Policy Administrators create pagefile
(1) defined the SeCreateTokenPrivilege setting in by 4.2.8 Create a token User Right Check
Local or Group Policy object: None create token object
User Right Check

(1) defined the SeCreatePermanentPrivilege setting in 4.2.9 Create permanent create permanent
by Local or Group Policy shared objects: None shared objects
(1) defined the SeDebugPrivilege setting in by Local or 4.2.10 Debug Programs: User Right Check
Group Policy None debug programs
4.2.16 Force shutdown

(1) defined the SeRemoteShutdownPrivilege setting in from a remote system: User Right Check
by Local or Group Policy Administrators remote shutdown
User Right Check

(1) defined the SeAuditPrivilege setting in by Local or 4.2.17 Generate security generate security
Group Policy audits: None audits
(1) defined the SeIncreaseQuotaPrivilege setting in by 4.2.18 Increase quotas: User Right Check
Local or Group Policy Administrators increase quotas
User Right Check
(1) defined the SeIncreaseBasePriorityPrivilege setting 4.2.19 Increase scheduling increase scheduling
in by Local or Group Policy priority: Administrators priority
4.2.20 Load and unload User Right Check

(1) defined the SeLoadDriverPrivilege setting in by device drivers: load and unload
Local or Group Policy Administrators device drivers
User Right Check

(1) defined the SeLockMemoryPrivilege setting in by 4.2.21 Lock pages in lock pages in
Local or Group Policy memory: None memory
User Right Check

(1) defined the SeBatchLogonRight setting in by Local 4.2.22 Log on as a batch log on as a batch
or Group Policy job: None job
User Right Check

(1) defined the SeServiceLogonRight setting in by 4.2.23 Log on as a log on as a service
Local or Group Policy service: None job
4.2.24 Log on locally:

Users, Administrators
(1) defined the SeInteractiveLogonRight setting in by (further restriction User Right Check
Local or Group Policy allowable) log on locally
Manage
Auditing and
4.2.25 Manage auditing Security Logs
(1) defined the SeSecurityPrivilege setting in by Local and security log: on a Member
or Group Policy Administrators Server
4.2.26 Modify firmware

(1) defined the SeSystemEnvironmentPrivilege setting environment values: User Right Check
in by Local or Group Policy Administrators modify firmware
User Right Check
(1) defined the SeProfileSingleProcessPrivilege setting 4.2.27 Profile single Profile single
in by Local or Group Policy process: Administrators process
4.2.28 Profile system User Right Check

(1) defined the SeSystemProfilePrivilege setting in by performance: Profile system
Local or Group Policy Administrators performance
4.2.29 Remove computer

(1) defined the SeUndockPrivilege setting in by Local from docking station: User Right Check
or Group Policy Users, Administrators undock
(1) defined the SeAssignPrimaryTokenPrivilege setting 4.2.30 Replace a process User Right replace
in by Local or Group Policy level token: None process token
(1) defined the SeRestorePrivilege setting in by Local 4.2.31 Restore files and
or Group Policy directories: Administrators User Right restore
4.2.32 Shut down the

(1) defined the SeShutdownPrivilege setting in by system: Users, User Right shut
Local or Group Policy Administrators down
4.2.34 Take ownership of

(1) defined the SeTakeOwnershipPrivilege setting in by file or other objects: User Right take
Local or Group Policy Administrators ownership
4.2.33 Synchronize
(1) defined the SeSynchAgentPrivilege setting in by directory service data: Not User Right synch
Local or Group Policy Applicable directory
4.2.14 Deny logon locally:

(1) defined the SeDenyInteractiveLogonRight setting in None by default (others User Right Check
by Local or Group Policy allowable as appropriate) deny logon locally
4.2.15 Enable computer

and user accounts to be User Right Check
(1) defined the SeEnableDelegationPrivilege setting in trusted for delegation: Not allow trust for
by Local or Group Policy Applicable delegation
User Right Check

(1) defined the SeMachineAccountPrivilege setting in 4.2.3 Add workstations to Add wkstn to
by Local or Group Policy domain: Not applicable domain
(1) defined the SeRemoteInteractiveLogonRight setting

in by Local or Group Policy
(1) defined the SeDenyBatchLogonRight setting in by

Local or Group Policy
(1) defined the SeDenyServiceLogonRight setting in by

(1) defined the SeDenyRemoteInteractiveLogonRight
setting in by Local or Group Policy
(1) defined the SeManageVolumePrivilege setting in by

Reset Account Lockout

After: 15 Minutes Lockout Reset
(1) defined by Local or Group Policy (minimum) (15)
Account Lockout Duration: Lockout

(1) defined by Local or Group Policy 15 Minutes (minimum) Duration (15)
Account Lockout
Threshold: 3 Bad Login Lockout Count
(1) defined by Local or Group Policy Attempts (maximum) (3)
Audit Account Logon

Events: Success and Account logon
(1) defined by Local or Group Policy Failure auditing
Audit Account Logon
Events: Success and Account logon
(1) defined by Local or Group Policy Failure auditing
Audit Account Account

Management: Success management
(1) defined by Local or Group Policy and Failure auditing
Audit Account Account

Management: Success management
(1) defined by Local or Group Policy and Failure auditing
? ?
(1) defined by Local or Group Policy

? ?
Audit Logon Events:

(1) defined by Local or Group Policy Success and Failure logon auditing
Audit Logon Events:

(1) defined by Local or Group Policy Success and Failure logon auditing
Audit Object Access: object access
(1) defined by Local or Group Policy Failure (minimum) auditing
Audit Object Access: object access

Audit Policy Change: policy change

Audit Policy Change: policy change

Audit Privilege Use:

(1) defined by Local or Group Policy Failure (minimum) priv use auditing
Audit Privilege Use:

(1) defined by Local or Group Policy Failure (minimum) priv use auditing
Audit Process Tracking:

(1) defined by Local or Group Policy Not Defined
?
Audit Process Tracking:

(1) defined by Local or Group Policy Not Defined
Audit System Events: System Event
(1) defined by Local or Group Policy Success and Failure auditing
Audit System Events: System Event

(1) defined by Local or Group Policy Success and Failure auditing
?
Allow System to be
Shut Down Without
(1) defined by Local or Group Policy Having to Log On
?
Decoy Admin,
Account
(1) defined by Local or Group Policy Exists
? ?
(1) In Windows Explorer: Tools->Folder Options->File

Types->[file type]->Advanced
? ?
(1) `REGSVR32 "C:\Windows\System\Scrrun.dll"` (2)

`UNREGSVR32 "C:\Windows\System\Scrrun.dll"`
(1) Anonymous
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servi Application Log: Restrict
Access to the
ces\EventLog\Application\RestrictGuestAccess (2) Guest Access to Logs: Application
defined by Group Policy Enabled Event Log value
(1) defined by the Windows Event Log (2) defined by

Group Policy (3) Application Log: Maximum
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servi Event Log Size: 80 Mb Application Event
ces\EventLog\Application\MaxSize (minimum) Log size key value
(1)
Application Log: Log
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servi Retention Method: Application Event
ces\EventLog\Application\Retention (2) defined by Overwrite Events As Log retention key
Group Policy Needed value
Application Event
Log retention key
value
(1) Anonymous
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servi Security Log: Restrict
Access to the
ces\EventLog\Security\RestrictGuestAccess (2) defined Guest Access to Logs: Security Event
by Group Policy Enabled Log value

Group Policy (3) Security Log: Maximum
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servi Event Log Size: 80 Mb Security Event Log
ces\EventLog\Security\MaxSize (minimum) size key value
(1)
Security Log: Log
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servi Retention Method:
ces\EventLog\Application\Retention (2) defined by Overwrite Events As Security Event Log
Group Policy Needed retention key value
Security Event Log

retention key value
(1) Anonymous
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servi System Log: Restrict Access to the
ces\EventLog\System\RestrictGuestAccess (2) defined Guest Access to Logs: System Event
by Group Policy Enabled Log value

Group Policy (3) System Log: Maximum
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servi Event Log Size: 80 Mb System Event Log
ces\EventLog\System\MaxSize (minimum) size key value
(1)
System Log: Log
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servi Retention Method:
ces\EventLog\Application\Retention (2) defined by Overwrite Events As System Event Log
Group Policy Needed retention key value
System Event Log
retention key value
All passwords are no more

Maximum
than 90 days old Password Age
(1) defined by Local or Group Policy (maximum). (90)
Minimum Password Age: 1 Minimum

(1) defined by Local or Group Policy day Password Age
All passwords are at least

8 characters long Password
(1) defined by Local or Group Policy (minimum). Length (8)
?
Check for
(1) determined by the local filesystem Enpasflt.dll
Password Complexity:
(1) defined by Local or Group Policy Enabled EnPasFlt Check
Password History: 24 Password

(1) defined by Local or Group Policy Passwords Remembered History (24)
Store Passwords using

Reversible Encryption: Reversible Pwd
(1) defined by Local or Group Policy Disabled Encryption
?
(1)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servi
ces\Alerter\Start (2) defined by the Services
Administrative Tool (3) definied by Group Policy 4.1.1 Alerter Disabled
(1)
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Wind
ows\WindowsUpdate\AU\NoAutoUpdate (2) defined by
the Services Administrative Tool (3) definied by Group
Policy
(1)
ces\BITS\Start (2) defined by the Services
Administrative Tool (3) definied by Group Policy
?
(1)
ces\ClipSrv\Start (2) defined by the Services
Administrative Tool (3) definied by Group Policy 4.1.2 Clipbook Disabled
(1)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servi Computer
ces\Browser\Start (2) defined by the Services 4.1.3 Computer Browser Browser
Administrative Tool (3) definied by Group Policy Disabled Disabled
(1)
ces\FastUserSwitchingCompatibility\Start (2) defined by
the Services Administrative Tool (3) definied by Group
Policy
?
(1)
ces\Fax\Start (2) defined by the Services Administrative 4.1.4 Fax Service
Tool (3) definied by Group Policy s Disabled
?
(1)
ces\MSFTPSVC\Start (2) defined by the Services 4.1.5 FTP Publishing
Administrative Tool (3) definied by Group Policy Service Disabled
?
(1)
ces\IISADMIN\Start (2) defined by the Services 4.1.6 IIS Admin Service
Administrative Tool (3) definied by Group Policy Disabled
(1)
ces\CiSvc\Start (2) defined by the Services
?
(1)
ces\Messenger\Start (2) defined by the Services 4.1.8 Messenger
(1) defined by the Services Administrative Tool (2)

definied by Group Policy
(1)
ces\Netlogon\Start (2) defined by the Services
NetMeeting
(1) Remote
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servi 4.1.9 NetMeeting Remote
Desktop
ces\mnmsrvc\Start (2) defined by the Services Desktop Sharing Sharing
Administrative Tool (3) definied by Group Policy Disabled Disabled


(1)
ces\RDSessMgr\Start (2) defined by the Services
(1)
ces\SharedAccess\Start (2) defined by the Services 4.1.7 Internet Connection
Administrative Tool (3) definied by Group Policy Sharing Disabled
?
(1)
ces\RemoteRegistry\Start (2) defined by the Services 4.1.10 Remote Registry
Administrative Tool (3) definied by Group Policy Service Disabled
Remote Access
(1) Auto
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servi Connection
ces\RemoteAccess\Start (2) defined by the Services 4.1.11 Routing and Manager
Administrative Tool (3) definied by Group Policy Remote Access Disabled Disabled
?
(1)
ces\RshSvc\Start (2) defined by the Services Remote Shell
Administrative Tool (3) definied by Group Policy Service
?
(1)
ces\SIMPTCP\Start (2) defined by the Services Simple TCP/IP
Administrative Tool (3) definied by Group Policy Service
?
(1)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servi 4.1.12 Simple Mail
ces\SMTPSVC\Start (2) defined by the Services Transfer Protocol (SMTP)
?
(1)
4.1.13 Simple Network
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servi Management Protocol
ces\SNMP\Start (2) defined by the Services (SNMP) Service
?
(1)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servi 4.1.14 Simple Network
ces\SNMPTRAP\Start (2) defined by the Services Management Protocol
Administrative Tool (3) definied by Group Policy (SNMP) Trap Disabled
(1)
ces\Schedule\Start (2) defined by the Services
(1)
ces\TlntSvr\Start (2) defined by the Services
Administrative Tool (3) definied by Group Policy 4.1.15 Telnet Disabled Telnet Disabled
(1)
ces\TermService\Start (2) defined by the Services
(1)
ces\upnphost\Start (2) defined by the Services
?
(1)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servi 4.1.16 World Wide Web
ces\W3SVC\Start (2) defined by the Services Publishing Services
Administrative
(1) Tool (3) definied by Group Policy Disabled
ows\WindowsUpdate\AU\NoAutoUpdate (2) defined by
the Services Administrative Tool (3) definied by Group 4.1.17 Automatic Updates
Policy Not Defined
(1)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servi 4.1.18 Background
ces\BITS\Start (2) defined by the Services Intelligent Transfer Service
Administrative Tool (3) definied by Group Policy Not Defined
Print Services for
UNIX
? ?
(1) set via Security Templates (2) definied by Group

Policy

Policy

Policy
? ?

Policy
? ?

Policy
? ?

Policy

Policy
? ?

Policy
? ?

Policy

Policy
? ?

Policy

Policy
? ?

Policy

Policy Printer Permissions


Policy
? ?

Policy
? ?

Policy
? ?

Policy
? ?

Policy
? ?

Policy
?
"Schedule" service
(1) set via Security Templates (2) definied by Group is run as the system
Policy account.
? ?

Policy

Policy

Policy
? ?

Policy
Additional Restrictions for

Anonymous Connections:
No Access Without
Explicit Anonymous
(1) defined by Local or Group Policy Permissions
?
(1)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Cont Restrict
rol\Lsa\RestrictAnonymous (2) defined by Local or Anonymous
Group Policy value
(1)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Cont
rol\Lsa\RestrictAnonymousSAM (2) defined by Local or
Group Policy
(1)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Cont
rol\Lsa\AnonymousNameLookup (2) defined by Local or
Group
(1)
ces\EventLog\Application
(1)
ces\EventLog\System
?
(1) Anonymous access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servi to the event logs is
ces\EventLog\Security not restricted.
(1) Anonymous access

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Cont to the Registry is
rol\SecurePipeServers\Winreg not restricted.
?
Guest Account
(1) Local Users and Groups MMC Disabled
(1) Local Users and Groups MMC

(1)
Legal notice is not
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Cur Message Title for Users configured to
rentVersion\Policies\System\LegalNoticeCaption (2) Attempting to Log On: display before
defined by Local or Group Policy Warning: or custom title. console logon.
?
(1)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Cur Message Text for Users
rentVersion\Policies\System\LegalNoticeText (2) defined Attempting to Log On:
by Local or Group Policy Custom
RemoveMessage or This
administrative
shares on workstation ?
(Professional):
(1) trolSet\Services\LanmanS
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servi erver\Parameters\AutoSha
ces\LanmanServer\Parameters\AutoShareWks reWks (REG_DWORD) 0
Disable Automatic
Execution of the System
Debugger: HKLM\ CIS: Automatic
Software\Microsoft\Windo
(1) ws Execution of
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AEDeb the System
NT\CurrentVersion\AEDebug\Auto ug\Auto (REG_DWORD) 0 Debugger value
Disable Automatic Logon:

HKLM\
ws
(1) NT\CurrentVersion\Winlog
Admin
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows on\AutoAdminLogon(REG Autologon
NT\CurrentVersion\Winlogon\AutoAdminLogon _DWORD) 0 Value
Disable automatic reboots
after a Blue Screen of
Death:
(1) trolSet\Control\CrashContr
CIS: Disable
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Cont ol\AutoReboot Reboot After
rol\CrashControl\AutoReboot (REG_DWORD) 0 Crash value
Disable autoplay from any

disk type, regardless of
application:
HKLM\Software\Microsoft\
Windows\CurrentVersion\P
(1) olicies\Explorer\NoDriveTy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\ peAutoRun
CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun (REG_DWORD) 255 Autoplay value
?
Disable autoplay for
current user:
HKCU\Software\Microsoft\
Windows\CurrentVersion\P
(1) olicies\Explorer\NoDriveTy
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\C peAutoRun
urrentVersion\Policies\Explorer\NoDriveTypeAutoRun (REG_DWORD) 255
Disable autoplay for new

users by default:
HKU\.DEFAULT\Software\
Microsoft\Windows\Curren CIS: Disable
tVersion\Policies\Explorer\
(1) NoDriveTypeAutoRun
Media Autoplay
HKEY_USER\.DEFAULT\SOFTWARE\Microsoft\Windows\Cu (REG_DWORD) Not (HKU-.Default
rrentVersion\Policies\Explorer\NoDriveTypeAutoRun Defined hive)
?
Disable CD Autorun:
(1) HKLM\System\CurrentCon
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servi trolSet\Services\CDrom\Au
ces\CDrom\Autorun torun (REG_DWORD) 0
Protect against Computer

Browser Spoofing Attacks:
(1) trolSet\Services\MrxSmb\P
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servi arameters\RefuseReset Computer Browser
ces\MrxSmb\Parameters\RefuseReset (REG_DWORD) 1 Spoofing Attacks
Ensure ICMP Routing via

shortest path first:
(1) trolSet\Services\Tcpip\Par
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servi ameters\EnableICMPRedir Disable ICMP
cesTcpip\Parameters\EnableICMPRedirect ect (REG_DWORD) 0 Redirect
Protect against source-
routing spoofing:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servi ameters\DisableIPSource Disable IP Source
ces\Tcpip\Parameters\DisableIPSourceRouting Routing (REG_DWORD) 2 Routing
Ensure Router Discovery

is Disabled:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servi ameters\PerformRouterDis Disable Router
ces\Tcpip\Parameters\PerformRouterDiscovery covery (REG_DWORD) 0 Discovery
Enable IPSec to protect CIS: Enable
Kerberos RSVP Traffic: IPSec security
(1) trolSet\Services\IPSEC\No
for Kerberos
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servi DefaultExempt RSVP Traffic
ces\IPSEC\NoDefaultExempt (REG_DWORD) 1 value
Suppress Dr. Watson
Crash Dumps:
(1) HKLM\Software\Microsoft\ CIS: Allow Dr.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DrWatson\ DrWatson\CreateCrashDu Watson Crash
CreateCrashDump mp (REG_DWORD) 0 Dumps value
?
Dont display username of
last successful logon at
the logon screen:
Windows
NT\CurrentVersion\Winlog
(1) on\DontDisplayLastUserN
ame (REG_SZ) Not
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defined; 3.2.1.15 Do Not
NT\CurrentVersion\Winlogon\DontDisplayLastUserName Display Last User Name in
Logon Screen: Enabled
Enable the File System

Checker and Disable
Popups: HKLM\
ws
(1) on\SFCDisable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows (REG_DWORD)
Enable the System NotFile
NT\CurrentVersion\Winlogon\SFCDisable Defined to verify all
Checker
operating system files at
boot time:
Windows
on\SFCScan
(REG_DWORD) Not
DefinedNote: Due to the
processor-intensive nature
(1) of the System File
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Checker, it is no longer
NT\CurrentVersion\Winlogon\SFCScan required on startup.
Do not show the System
File Checker progress
meter:
Windows
(1) on\SFCShowProgress
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows (REG_DWORD) Not
NT\CurrentVersion\Winlogon\SFCShowProgress Defined
3.2.2.24 Do not announce CIS: Hide
this computer to domain computer Name
master browsers: from other
(1) trolSet\Services\Lanmanse domain
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servi rver\Parameters\Hidden controllers
ces\Lanmanserver\Parameters\Hidden (REG_DWORD) 1 value
Protect the Default

Gateway network setting:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servi ameters\EnableDeadGWD Disable Dead
ces\Tcpip\Parameters\EnableDeadGWDetect etect (REG_DWORD) 0 Gateway Detection
Manage Keep-alive times:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servi ameters\KeepAliveTime(R TCP Connection
ces\Tcpip\Parameters\KeepAliveTime EG_DWORD) 300000 Keep-Alive Time
SYN Attack protection

Manage TCP Maximum
half-open sockets:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servi ameters\TcpMaxHalfOpen Half-open TCP
ces\Tcpip\Parameters\TcpMaxHalfOpen (REG_DWORD) 100 Sockets
SYN Attack protection

Manage TCP Maximum
half-open retired sockets:
trolSet\Services\Tcpip\Par
(1) ameters\TcpMaxHalfOpen
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servi Retired (REG_DWORD) Half-open retired
ces\Tcpip\Parameters\TcpMaxHalfOpenRetried 80 TCP Sockets
Protect Against Malicious
Name-Release Attacks:
trolSet\Services\Netbt\Par
(1) ameters\NoNameRelease
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servi OnDemand Name-Release
ces\Netbt\Parameters\NoNameReleaseOnDemand (REG_DWORD) 1 Attacks
?
Help protect against

packet fragmentation:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servi ameters\EnablePMTUDisc
ces\Tcpip\Parameters\EnablePMTUDiscovery overy (REG_DWORD) 0
Protect against SYN Flood

attacks:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servi ameters\SynAttackProtect SYN Attack
ces\Tcpip\Parameters\SynAttackProtect (REG_DWORD) 2 Protection
(1)
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Contr Protect Kernel
ol\Session Manager\EnhancedSecurityLevel object attributes
(1)
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servi Audit Log Warning
ces\Eventlog\Security\WarningLevel Level
(1) Disable saving

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servi of dial up
ces\Rasman\Parameters\DisableSavePassword password
(1)
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servi Encrypt Secure
ces\Netlogon\Parameters\SealSecureChannel (2) Channel Traffic
defined by Local or Group Policy Value
(1)
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servi Sign Secure
ces\Netlogon\Parameters\SignSecureChannel (2) Channel Traffic
defined by Local or Group Policy Value
(1)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Sess
ion Manager\SafeDllSearchMode
(1)
ows NT\CurrentVersion\Winlogon\SyncForegroundPolicy
(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
NT\DeleteRoamingCache
(1)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Cur
rentVersion\Policies\system\LogonType
(1)
ows\CurrentVersion\Policies\system\DisableBkGndGroup
Policy
(1)
ows\Network Connections\NC_ShowSharedAccessUI
(1)
ows\Network Connections\NC_AllowNetBridge_NLA
(1)
ows NT\Printers\KMPrintersAreBlocked
Allow Server Operators to

Schedule Tasks: Not
(1) defined by Local or Group Policy Applicable
Rename Administrator Administrator

Account: Any value other Account
(1) defined by Local or Group Policy than Administrator Renamed
Rename Guest Account:

Any value other than Guest Account
(1) defined by Local or Group Policy Guest Renamed
(1) Amount of idle

Amount of Idle Time
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servi Required Before
time before
ces\LanManServer\Parameters\AutoDisconnect (2) Disconnecting Session: 30 disconnecting
defined by Local or Group Policy Minutes (minimum) value (<= 15)
?
(1)
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Contr Audit the access of global
ol\Lsa\AuditBaseObjects (2) defined by Local or Group system objects: Not
Policy Defined
?
(1)
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Contr Audit the use of backup
ol\Lsa\FullPrivilegeAuditing (2) defined by Local or and restore privilege: Not
Group Policy Defined
(1)
Disable Ctrl+Alt+Del
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Cur CTRL+ALT+Delete security attention
rentVersion\Policies\System\DisableCAD (2) defined by Requirement for Logon: sequence is
Local or Group Policy Disabled Disabled.
(1)
LAN Manager
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Contr Authentication Level:
ol\Lsa\LMCompatibilityLevel (2) defined by Local or Send NTLMv2 response LMCompatibility
Group Policy only (minimum) Value
The Send download

LanMan compatible
password option is
not set to "Send LM
(1) and NTLM - Use
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Cont NTLMv2 if
rol\Lsa\LMCompatibilityLevel Paramenters: (1) level Negotiated."
(1)
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Contr
ol\Print\Providers\LanMan Print Prevent Users from
Print Driver
Services\Servers\AddPrinterDrivers (2) defined by Local Installing Printer Drivers: Installation
or Group Policy Enabled value
Recovery
(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Recovery Console: Allow Console
NT\CurrentVersion\Setup\RecoveryConsole\SecurityLev Automatic Administrative Autologon
el (2) defined by Local or Group Policy Logon: Disabled value
Recovery Console: Allow

(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Floppy Copy and Access
Recovery
NT\CurrentVersion\Setup\RecoveryConsole\SetComman to All Drives and All Console Full
d (2) defined by Local or Group Policy Folders: Disabled Access Value
?
(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Restrict CD-ROM Access

NT\CurrentVersion\Winlogon\AllocateCDRoms (2) to Locally Logged-On User
defined by Local or Group Policy Only: Enabled
(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Restrict Floppy Access to

NT\CurrentVersion\Winlogon\AllocateFloppies (2) Locally Logged-On User Floppy
defined by Local or Group Policy Only: Enabled Allocation
(1)
Strengthen Default
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Contr Permissions of Global
Strength
ol\Session Manager\ProtectionMode (2) defined by System Objects (e.g. permissions on
Local or Group Policy Symbolic Links): Enabled GSO value
?
(1)
Secure Channel: Require
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servi Strong (Windows 2000 or
ces\Netlogon\Parameters\RequireStrongKey (2) defined later) Session Key: Not
by Local or Group Policy Defined
Send
(1) unencrypted
Send Unencrypted
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servi Password to Connect to
password to
ces\LanmanWorkstation\Parameters\EnablePlainTextPas Third-Party SMB Servers: 3rd party SMB
sword (2) defined by Local or Group Policy Disabled value
Unsigned Driver
Installation Behavior:
Warn, but allow
(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Driver installation (minimum) or Unsigned Driver
Signing\Policy (2) defined by Local or Group Policy Do Not Allow Installation. Behavior Value
Unsigned Non-Driver
Installation Behavior:
Warn, but allow
Unsigned Non-
installation (minimum) or Driver Behavior
(1) defined by Local or Group Policy Do Not Allow Installation Value
Prompt User to Change

(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Password Before
NT\CurrentVersion\Winlogon\PasswordExpiryWarning (2) Expiration: 14 Days Password
defined by Local or Group Policy (minimum) Expiration value
(1)
Shut Down system
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Contr immediately if unable to
ol\Lsa\CrashOnAuditFail (2) defined by Local or Group log security audits: Not Crash on audit
Policy Defined fail Value
(1)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Cur Allow System to be Shut The system allows
rentVersion\Policies\System\ShutdownWithoutLogon (2) Down Without Having to shutdown from the
defined by Local or Group Policy Log On: Disabled logon dialog box
Automatically Log Off

Logon Time
Users When Logon Time Enforcement
(1) defined by Local or Group Policy Expires (local): Enabled (0)
(1)
ol\Session Manager\Memory Clear Virtual Memory
Management\ClearPageFileAtShutdown (2) defined by Pagefile When System Clear Pagefile
Local or Group Policy Shuts Down: Enabled value
?
(1)
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servi Digitally Sign Client
ces\LanmanWorkstation\Parameters\RequireSecuritySig Communication (Always):
nature (2) defined by Local or Group Policy Not Defined
(1)
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servi Digitally Sign Client
ces\LanmanWorkstation\Parameters\EnableSecuritySign Communication (When Enable Security
ature (2) defined by Local or Group Policy Possible): Enabled Signature Value
?
(1)
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servi Digitally Sign Server
ces\LanManServer\Parameters\RequireSecuritySignatur Communication (Always):
e (2) defined by Local or Group Policy Not Defined
(1)
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servi Digitally Sign Server SMB Server
ces\LanManServer\Parameters\EnableSecuritySignature Communication (When Packet Signing
(2) defined by Local or Group Policy Possible): Enabled Value
(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Number of Previous
NT\CurrentVersion\Winlogon\CachedLogonsCount (2) Logons to Cache: 1 Logon Caching
defined by Local or Group Policy (maximum) value (<= 2)
(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Allowed to Eject

NT\CurrentVersion\Winlogon\AllocateDASD (2) defined Removable NTFS Media: NTFS Media
by Local or Group Policy Administrators Ejection value
?
(1)
Secure Channel: Digitally
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servi Encrypt or Sign Secure
ces\Netlogon\Parameters\RequireSignOrSeal (2) Channel Data (Always):
defined by Local or Group Policy Not Defined
?
(1)
Secure Channel: Digitally
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servi Encrypt Secure Channel
ces\Netlogon\Parameters\SealSecureChannel (2) Data (When Possible):
defined by Local or Group Policy Enabled
?
(1)
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servi Secure Channel: Digitally
ces\Netlogon\Parameters\SignSecureChannel (2) Sign Secure Channel Data
defined by Local or Group Policy (When Possible): Enabled
(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Smart Card Removal

Smart Card
NT\CurrentVersion\Winlogon\ScRemoveOption (2) Behavior: Lock Removal
defined by Local or Group Policy Workstation (minimum) Behavior Value
(1)
Prevent System
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servi Maintenance of Computer Disable
ces\Netlogon\Parameters\DisablePasswordChange (2) Account Password: password
defined by Local or Group Policy Disabled change Value
(1) defined in %Systemroot%\boot.ini ? ?

(1)
ol\Lsa\FIPSAlgorithmPolicy (2) defined by Local or
Group Policy
(1)
ol\Lsa\NoDefaultAdminOwner (2) defined by Local or
Group Policy
(1)
ol\Session Manager\Kernel\ObCaseInsensitive (2)
defined by Local or Group Policy
(1)
ol\Lsa\LimitBlankPasswordUse (2) defined by Local or
Group Policy
(1)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Cur
rentVersion\Policies\System\UndockWithoutLogon (2)

(1)
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servi
ces\LDAP\LDAPClientIntegrity (2) defined by Local or
Group Policy
(1)
ces\Netlogon\Parameters\MaximumPasswordAge (2)
(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
NT\CurrentVersion\Winlogon\ForceUnlockLogon (2)
(1)
ces\LanManServer\Parameters\EnableForcedLogoff (2)
(1)
ol\Lsa\DisableDomainCreds (2) defined by Local or
Group Policy
(1)
ol\Lsa\EveryoneIncludesAnonymous (2) defined by
(1)
ces\LanManServer\Parameters\NullSessionPipes (2)
(1)
ol\SecurePipeServers\Winreg\AllowedPathsHKLM (2)
(1)
ces\LanManServer\Parameters\NullSessionShares (2)
(1)
ol\Lsa\ForceGuest (2) defined by Local or Group Policy
(1)
ol\Lsa\NoLMHash (2) defined by Local or Group Policy
(1)
ol\Lsa\MSV1_0\NTLMMinClientSec (2) defined by Local
or Group Policy
(1)
ol\Lsa\MSV1_0\NTLMMinServerSec (2) defined by Local
or Group Policy
4.3.1 Ensure all disk

volumes are using the Non-NTFS
(1) Disk Management MMC NTFS file system Partition
Unused USB ports

(1) ? ? are not disabled.
?
(1) HKEY_CURRENT_USER\Control current user

Panel\Desktop\SCRNSAVE.EXE scrnsave.exe
?
Current user
(1) HKEY_CURRENT_USER\Control screensaver
Panel\Desktop\ScreenSaveTimeOut timeout
?
(1) HKEY_CURRENT_USER\Control Current user

Panel\Desktop\ScreenSaverIsSecure screensaver secure
?
(1) HKEY_CURRENT_USER\Control Current user

Panel\Desktop\ScreenSaveActive screensaver active
(1) HKEY_USER\.DEFAULT\Control
Panel\Desktop\SCRNSAVE.EXE
Panel\Desktop\ScreenSaveTimeOut
Panel\Desktop\ScreenSaverIsSecure
Panel\Desktop\ScreenSaveActive
(1) HKEY_CURRENT_USER\Control
Panel\Desktop\SCRNSAVE.EXE
Panel\Desktop\ScreenSaveTimeOut
Panel\Desktop\ScreenSaverIsSecure
Panel\Desktop\ScreenSaveActive
GPO path: User Configuration\Administrative

Templates\Control Panel\Display\Hide Screen Saver tab

Templates\Control Panel\Display\Password protect the screen
saver

Templates\Control Panel\Display\Screen saver

Templates\Control Panel\Display\Screen Saver executable
name

Templates\Control Panel\Display\Screen Saver timeout
(1) Always Install

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Wind with Elevated
ows\Installer\AlwaysInstallElevated Privileges
Disable IE
Security
Prompt for
(1) Windows
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Wind Installer
ows\Installer\SafeForScripting\ Scripts
(1) Enable User

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Wind Control Over
ows\Installer\EnableUserControl Installs
Enable User
(1) to Browse for
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Wind Source While
ows\Installer\AllowLockDownBrowse Elevated
Enable User
(1) to Use Media
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Wind Source While
ows\Installer\AllowLockDownMedia Elevated
Allow Admin
to Install
(1) from Terminal
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Wind Services
ows\Installer\EnableAdminTSRemote Session
Enable User
(1) to Patch
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Wind Elevated
ows\Installer\AllowLockDownPatch Products
Cache
Transforms in
(1) Secure
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Wind Location on
ows\Installer\TransformSecure Workstation
(1)
owsMediaPlayer\DisableAutoupdate
(1)
HKEY_CURRENT_USER\Software\Policies\Microsoft\Wind
owsMediaPlayer\PreventCodecDownload
(1) ?
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Mess
enger\Client\{9b017612-c9f1-11d2-8d9f- Windows
0000f875c541}\Disabled (2) Messenger
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Mess Internet
engerService Access
(1)
enger\Client\PreventRun
(1)
enger\Client\PreventAutoRun
(1)
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Window Hide Property
s\Task Scheduler5.0\Property Pages Pages
(1)
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Window Prohibit New
s\Task Scheduler5.0\Task Creation Task Creation
(1)
ows NT\Terminal Services\fSingleSessionPerUser
(1)
ows NT\Terminal Services\MaxInstanceCount
(1)
ows NT\Terminal Services\fDenyTSConnections
(1)
ows NT\Terminal Services\fWritableTSCCPermTab
(1)
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Window
s NT\Terminal Services\Shadow
(1)
ows NT\Terminal Services\fPromptForPassword
(1)
ows NT\Terminal Services\MinEncryptionLevel
(1)
ows NT\Terminal Services\PerSessionTempDir
(1)
ows NT\Terminal Services\DeleteTempDirsOnExit
(1)
ows NT\Terminal Services\MaxDisconnectionTime
(1)
ows NT\Terminal Services\MaxIdleTime
(1)
ows NT\Terminal Services\fReconnectSame
(1)
ows NT\Terminal Services\fResetBroken
(1)
ows NT\Terminal Services\KeepAliveEnable
(1)
ows NT\Terminal Services\fAllowToGetHelp
(1)
ows NT\Terminal Services\fAllowUnsolicited
(1)
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\PCH
ealth\ErrorReporting\DoReport
-1
-1
-1
-1
-1
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services
\Tcpip\Parameters\TcpMaxConnectResponseRetransmissions
\Tcpip\Parameters\TcpMaxDataRetransmissions
`
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\
FileSystem\NtfsDisable8dot3NameCreation
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Win
dows NT\RPC\EnableAuthEpResolution
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Win
dows NT\RPC\RestrictRemoteClients
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic
es\SharedAccess\Parameters\FirewallPolicy\DomainProfile\En
ableFirewall
es\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Do
NotAllowExceptions
es\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Aut
horizedApplications\AllowUserPrefMerge
es\SharedAccess\Parameters\FirewallPolicy\DomainProfile\En
abled
es\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Se
rvices\FileAndPrint\Enabled
rvices\RemoteDesktop\Enabled
rvices\UPnPFramework\Enabled
es\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Dis
ableNotifications
(1)
es\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Lo
gging\LogDroppedPackets (2) Computer
Configuration\Administrative Templates\Network\Network
Connections\Windows Firewall\Domain Profile\Windows
Firewall: Allow Logging - Log Dropped Packets
(1)
gging\LogFilePath (2) Computer Configuration\Administrative
Templates\Network\Network Connections\Windows
Firewall\Domain Profile\Windows Firewall: Allow Logging - Log
file path and name (3) Computer Configuration\Windows
Settings\Security Settings\Windows Firewall with Advanced
Security\Windows Firewall with Advanced Security\Windows
Firewall Properties\Domain Profile Tab\Logging\Name
(1)
gging\LogFileSize (2) Computer Configuration\Administrative
Firewall\Domain Profile\Windows Firewall: Allow Logging - Size
limit (KB)
(1)
gging\LogSuccessfulConnections (2) Computer
Connections\Windows Firewall\Domain Profile\Windows
Firewall: Allow Logging - Log successful connections
es\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Dis
ableUnicastResponsesToMulticastBroadcast
es\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Gl
oballyOpenPorts
es\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Gl
oballyOpenPorts\AllowUserPrefMerge
es\SharedAccess\Parameters\FirewallPolicy\StandardProfile\E
nableFirewall
es\SharedAccess\Parameters\FirewallPolicy\StandardProfile\D
oNotAllowExceptions
es\SharedAccess\Parameters\FirewallPolicy\StandardProfile\A
uthorizedApplications\AllowUserPrefMerge
es\SharedAccess\Parameters\FirewallPolicy\StandardProfile\S
ervices\RemoteDesktop
ervices\RemoteDesktop\Enabled
es\SharedAccess\Parameters\FirewallPolicy\StandardProfile\I
CMPSettings\*
ervices\RemoteDesktop\Enabled
ervices\UPnPFramework\Enabled
isableNotifications
(1)
es\SharedAccess\Parameters\FirewallPolicy\StandardProfile\L
ogging\LogDroppedPackets (2) Computer
Connections\Windows Firewall\Standard Profile\Windows
ogging\LogFilePath
ogging\LogFileSize
ogging\LogSuccessfulConnections
isableUnicastResponsesToMulticastBroadcast
es\SharedAccess\Parameters\FirewallPolicy\StandardProfile\G
loballyOpenPorts
es\SharedAccess\Parameters\FirewallPolicy\StandardProfile\G
loballyOpenPorts\AllowUserPrefMerge
es\SharedAccess\Parameters\FirewallPolicy
\Tcpip\Parameters\TCPMaxPortsExhausted
POSIX.EXE, "PSXSS.EXE" or "PSXDLL.DLL" exist
HKLM\SYSTEM\CurrentControlSet\Control\Session
Manager\Subsystems\Optional,
Manager\Subsystems\Os2,
Manager\Environment\Os2LibPath
Manager\Subsystems\posix
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Bi
tBucket\NukeOnDelete
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Sy
stem\SCForceOption
(1)Computer Configuration\Windows Settings\Security

Settings\Windows Firewall with Advanced Security\Windows
Firewall Properties\Domain Profile\Inbound Connections Tab\
(2)HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\
WindowsFirewall\DomainProfile\DefaultInboundAction
Firewall Properties\Domain Profile
WindowsFirewall\DomainProfile\DefaultOutboundAction

Firewall Properties\Domain Profile\Customized Settings
WindowsFirewall\DomainProfile\AllowLocalPolicyMerge

Firewall Properties\Domain Profile\Customized Settings
WindowsFirewall\DomainProfile\AllowLocalIPsecPolicyMerge
Firewall Properties\Private Profile
WindowsFirewall\PrivateProfile\EnableFirewall
WindowsFirewall\PrivateProfile\DefaultInboundAction
WindowsFirewall\PrivateProfile\DefaultOutboundAction
Firewall Properties\Private Profile\Customized Settings
WindowsFirewall\PrivateProfile\DisableNotifications

WindowsFirewall\PrivateProfile\DisableUnicastResponsesToM
ulticastBroadcast

WindowsFirewall\PrivateProfile\AllowLocalPolicyMerge

WindowsFirewall\PrivateProfile\AllowLocalIPsecPolicyMerge
Firewall Properties\Public Profile
WindowsFirewall\PublicProfile\EnableFirewall
Firewall Properties\Public Profile
WindowsFirewall\PublicProfile\DefaultInboundAction

Firewall Properties\Public Profile\Customized Settings
WindowsFirewall\PublicProfile\DefaultOutboundAction
WindowsFirewall\PublicProfile\DisableNotifications

WindowsFirewall\PublicProfile\DisableUnicastResponsesToMul
ticastBroadcast

WindowsFirewall\PublicProfile\AllowLocalPolicyMerge

WindowsFirewall\PublicProfile\AllowLocalIPsecPolicyMerge
(1) Computer Configuration\Administrative

Templates\System\Logon
(2)HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Policies\Explorer\DisableLocalMachineRun
Templates\System\Logon
(2)HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Policies\Explorer\DisableLocalMachineRunOnc
e

Templates\System\Group Policy
(2)HKLM\Software\Policies\Microsoft\Windows\Group Policy\
{35378EAC-683F-11D2-A89A-00C04FBBCFA2}!
NoBackgroundPolicy,
HKLM\Software\Policies\Microsoft\Windows\Group Policy\
{35378EAC-683F-11D2-A89A-00C04FBBCFA2}!
NoGPOListChanges
Templates\System\Internet Communication Settings
(2)HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\
Explorer!NoWebServices
(2)HKLM\Software\Policies\Microsoft\Messenger\Client!CEIP
(2)HKLM\Software\Policies\Microsoft\SearchCompanion!
DisableContentFileUpdates
(2)HKLM\Software\Policies\Microsoft\Windows NT\Printers!
DisableHTTPPrinting
(2)HKLM\Software\Policies\Microsoft\Windows NT\Printers!
DisableWebPnPDownload
(2)HKLM\Software\Policies\Microsoft\Windows\DriverSearchin
g!DontSearchWindowsUpdate
Templates\System\Credential User Interface
(2)HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\
CredUI\EnumerateAdministrators
Templates\System\Credential User Interface
(2)HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\
CredUI\EnableSecureCredentialPrompting
(1) Computer Configuration\Administrative Templates\Windows
Components\Internet Explorer\Security Features\Add-on
Management
Ext!RestrictToList
Components\Internet Explorer\Security Features\Add-on
Management
Ext!ListBox_Support_CLSID

Components\Terminal Services\Remote Desktop Connection
(2)HKLM\SOFTWARE\Policies\Microsoft\Windows
NT\DisablePasswordSaving
Components\Terminal Services\Terminal Server\Device and
Resource Redirection
(2)HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal
Services!fDisableCdm
(1) User Configuration\Administrative Templates\System
(2)HKEY_CURRENT_USER\Software\Microsoft\Windows\Curr
entVersion\Policies\System\DisableRegistryTools
(1) User Configuration\Administrative Templates\System\Power
Mangement
(2)HKEY_CURRENT_USER\Software\Policies\Microsoft\Wind
ows\System\Power\PromptPasswordOnResume
(1) User Configuration\Administrative
Templates\System\Attachment Manager
entVersion\Policies\Attachments\SaveZoneInformation

entVersion\Policies\Attachments\HideZoneInfoOnProperties
entVersion\Policies\Attachments\ScanWithAntiVirus
(1) User Configuration\Administrative Templates\Windows
Components\Internet Explorer
(2)HKEY_CURRENT_USER\Software\Microsoft\Outlook
Express\BlockExeAttachments
(1) Computer Configuration\Windows Settings\Security
Settings\Local Policies\Security Options
(2)HKEY_LOCAL_MACHINE\System\Currentcontrolset\Contro
l\Lsa\SCENoApplyLegacyAuditPolicy
(2)HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Wind
ows\EventLog\Setup\ChannelAccess
(2)HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Ser
vices\Eventlog\Application\Windows Search Service\Start
(2)HKEY_LOCAL_MACHINE\Software\policies\Microsoft\Peer
net\Disabled
ows\WCN\UI\DisableWcnUi
ows\DeviceInstall\Settings\AllowRemoteRPC
s\DeviceInstall\Settings\DisableSystemRestore
ows\DeviceInstall\Settings\DisableSendGenericDriverNotFoun
dToWER
ows\WindowsUpdate\DisableWindowsUpdateAccess
(2)HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Syst
emCertificates\AuthRoot\DisableRootAutoUpdate
(2)HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Even
tViewer\MicrosoftEventVwrDisableLinks
ows\HandwritingErrorReports\PreventHandwritingErrorReports
(2)HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\PCH
ealth\HelpSvc\Headlines
(2)HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\PCH
ealth\HelpSvc\MicrosoftKBSearchs
ows\Internet Connection Wizard\ExitOnMSICW
(2)HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Cur
rentVersion\Policies\Explorer\NoInternetOpenWith
ows\Registration Wizard Control\NoRegistration
rentVersion\Policies\Explorer\NoOnlinePrintsWizard
(2)[HKEY_LOCAL_MACHINE | HKEY_CURRENT_USER]
\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Expl
orer\NoPublishingWizard
owsMovieMaker\CodecDownload
owsMovieMaker\WebHelp
owsMovieMaker\WebPublish
rentVersion\Policies\Explorer\NoWelcomeScreen
rentVersion\Policies\System\DisableStartupSound
(2)HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Pow
er\PowerSettings\0e796bdb-100d-47d6-a2d5-
f7d2daa51f51\DCSettingIndex
(2)HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Pow
er\PowerSettings\0e796bdb-100d-47d6-a2d5-
f7d2daa51f51\ACSettingIndex
(2)HKEY_LOCAL_MACHINE\Software\policies\Microsoft\Wind
ows NT\Terminal Services\CreateEncryptedOnlyTickets
ows NT\Terminal Services\UseCustomMessages
ows NT\Terminal Services\UseBandwidthOptimization
ows NT\Terminal Services\LoggingEnabled
ows NT\IIS\PreventIISInstall
(2)HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Assis
tance\Client\1.0\NoActiveHelp
(2)HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Assis
tance\Client\1.0\NoUntrustedContent
(2)HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Inter
net Explorer\Feeds\DisableEnclosureDownload
Windows\Windows
Search\AllowIndexingEncryptedStoresOrItems
Windows\Windows
Search\PreventIndexingUncachedExchangeFolders
rentVersion\Policies\Windows\TurnOffWinCal
(2)HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SQM
Client\CorporateSQMURL
ows Defender\DisableAntiSpyware
ows\Explorer\NoHeapTerminationOnCorruption
rentVersion\Policies\Explorer\PreXPSP2ShellProtocolBehavior
ows\Installer\DisableLUAPatching
rentVersion\Policies\System\ReportControllerMissing
Windows Mail\DisableCommunities
Windows Mail\ManualLaunchAllowed
(2)HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WMD
RM\DisableOnline
ows\Windows Collaboration\TurnOffWindowsCollaboration
ows\Windows
Collaboration\TurnOnWindowsCollaborationAuditing
rentVersion\Policies\Windows\Sidebar\TurnOffUnsignedGadget
s
rentVersion\Policies\Windows\Sidebar\OverrideMoreGadgetsLi
nk
rentVersion\Policies\Windows\Sidebar\TurnOffUserInstalledGa
dgets
Computer Configuration\Administrative Templates\Windows

Components\Digital Locker
Computer Configuration\Windows Settings\Security

Components\Game Explorer

Firewall with Advanced Security\Outbound Rules

Firewall with Advanced Security\Outbound Rules
2007: GPO Settings:Computer Configuration / Administrative

Templates / Classic Administrative Templates / Microsoft Office
2007 System / Security Settings , Registry Keys:
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Office\1
2.0\Common\VbaOff 2003: (1) Computer
Configuration\Administrative Templates\Microsoft Office
2003\Security Settings\Disable VBA for Office applications (2)
HKLM\Software\Policies\Microsoft\Office\11.0\Common -
VbaOff (3) User Configuration\Administrative
Templates\Microsoft Office 2003\Security Settings\Disable VBA
for Office applications (4)
HKCU\Software\Policies\Microsoft\Office\11.0\Common -
VbaOff
2007: GPO Settings:User Configuration / Administrative

2007 system / Security /ActiveX Control InitializationSettings ,
Registry Keys:
HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\C
ommon\Security\UFIControls 2003: (1) User
2003\Security Settings\ActiveX Control Initialization (2)
HKCU\Software\Policies\Microsoft\Office\Common\Security -
UFIControls
GPO Settings:User Configuration / Administrative Templates /
Classic Administrative Templates / Microsoft Office 2007 /
Privacy / Trust Center , Registry Keys:
HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\1
2.0\Common\QMEnable
Privacy / Trust Center , Registry Keys:
2.0\Common\UpdateReliabilityData

Classic Administrative Templates / Microsoft Office 2007
system / Tools / Options / General / Service Options / Online
Content , Registry Keys:
HKEY_CURRENT_USER\Softtware\Polices\Microsoft\Office\1
2.0\Common\Internet\UseOnlineContent

Classic Administrative Templates / Microsoft Office Access
2007 / Application Settings / Security / Trust Center , Registry
Keys:
2.0\Access\Security\VBAWarnings

Excel 2007 / Excel Options / Security / Trust Center , Registry
Keys:
2.0\Excel\Security\VBAWarnings
2007GPO Settings:User Configuration / Administrative
Excel 2007 / Excel Options / Security / Trust Center , Registry
Keys:
2.0\Excel\Security\AccessVBOM 2003: (1) Computer
2003\Security Settings\Excel: Trust access to Visual Basic
Project (2)
HKLM\Software\Policies\Microsoft\Office\11.0\Excel\Security -
AccessVBOM (3) User Configuration\Administrative
Templates\Microsoft Office Excel
2003\Tools\Macros\Security\Trust access to Visual Basic
Project (4)
HKCU\Software\Policies\Microsoft\Office\11.0\Excel\Security -
AccessVBOM

Classic Administrative Templates / Microsoft Office PowerPoint
2007 / PowerPoint Options / Security / Trust Center , Registry
Keys:
2.0\PowerPoint\Security\VBAWarnings

Classic Administrative Templates / Microsoft Office PowerPoint
2007 / PowerPoint Options / Security / Trust Center , Registry
Keys:
2.0\PowerPoint\Security\AccessVBOM
Classic Administrative Templates / Microsoft Office Outlook
2007 / Security , Registry Keys:
2.0\Outlook\Security\EnableRememberPwd

Outlook 2007 / Security , Registry Keys:
2.0\Outlook\Security\AddinTrust 2003: (1) User
Outlook 2003\Tools\Options\Security\Configure Add-In Trust
Level (2)
HKCU\Software\Policies\Microsoft\Office\11.0\Outlook\Security
- AddinTrust
2007 / Security , Registry Keys:
2.0\Outlook\Security\EnableRememberPwd

2007 / Security / Cryptography , Registry Keys:
2.0\Outlook\Security\MinEncKey

2.0\Outlook\Security\SupressNameChecks

Outlook 2007 / Security / Cryptography , Registry Keys:
2.0\Outlook\Security\ClearSign 2003: (1) User
Outlook 2003\Tools\Options\Security\Cryptography\Send all
signed messages as clear signed messages (2)
- ClearSign

2.0\Outlook\Security\RequestSecureReceipt

2.0\Outlook\Security\PublishToGalDisabled 2003: (1) User
Outlook 2003\Tools\Options\Security\Cryptography\Disable
'Publish to GAL' button (2)
HKCU\Software\Policies\Microsoft\office\11.0\outlook\Security -
PublishToGalDisabled
2.0\Outlook\Security\WarnAboutInvalid 2003: (1) User
Outlook 2003\Tools\Options\Security\Cryptography\Signature
Warning (2)
- WarnAboutInvalid

2.0\Outlook\Security\ConvertSMIMEBlobSignedIcons 2003: (1)
User Configuration\Administrative Templates\Microsoft Office
Outlook 2003\Tools\Options\Security\Cryptography\Enable
cryptography icons (2)
- ConvertSMIMEBlobSignedIcons

2007 / Security / Cryptography / Signature Status Dialog Box ,
Registry Keys:
2.0\Outlook\Security\UseCRLChasing

Classic Administrative Templates / Microsoft Office Word 2007 /
Word Options / Security / Trust Center , Registry Keys:
2.0\Word\Security\VBAWarnings
Word 2007 / Word Options / Security / Trust Center , Registry
Keys:
HKEY_CURRENT_USER\Software\Policies\Policies\Microsoft\
Office\12.0\Word\Security\AccessVBOM 2003: (1) Computer
2003\Security Settings\Word: Trust access to Visual Basic
Project (2)
HKLM\Software\Policies\Microsoft\Office\11.0\Word\Security -
AccessVBOM (3) User Configuration\Administrative
Templates\Microsoft Office Word
2003\Tools\Macro\Security\Trust access to Visual Basic Project
(4)
HKCU\Software\Policies\Microsoft\Office\11.0\Word\Security -
AccessVBOM

Word 2007 / Word Options / Security , Registry Keys:
2.0\Word\Options\vpref\fWarnRevisions_1805_1 2003: (1)
User Configuration\Administrative Templates\Microsoft Office
Word 2003\Tools\Options\Security\Warn before printing or
saving or sending a file that contains tracked changes or
comments (2)
HKCU\Software\Policies\Microsoft\Office\11.0\Word\Options\vp
re
Miscellaneous , Registry Keys:
HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\C
ommon\OfficeUpdate\BlockUpdates
(1) User Configuration\Administrative Templates\Microsoft

Office Access 2007\Application Settings\Web
Options\General\Underline hyperlinks (2)
Software\Policies\Microsoft\Office\12.0\Access\Internet

Office Access 2007\Application
Settings\General\General\Number of documents in the Recent
Documents list (0-9) (2)
Software\Policies\Microsoft\Office\12.0\Access\Settings
Office Access 2007\Application Settings\Security\Trust
Center\Disable Trust Bar Notification for unsigned application
add-ins (2)
Software\Policies\Microsoft\Office\12.0\Access\Security

Center\Disable all application add-ins (2)

Center\Require that application add-ins are signed by Trusted
Publisher (2)

Center\Trusted LocationsDisable all trusted locations (2)
Software\Policies\Microsoft\Office\12.0\Access\Security\Truste
d Locations

Center\Trusted Locations\Allow Trusted Locations not on the
computer (2)
d Locations

Center\Trusted Locations\Modal Trust Decision Only (2)
d Locations

Office Access 2007\Disable items in user
interface\Predefined\Disable commands (2)
Software\Policies\Microsoft\Office\12.0\Access\DisabledCmdB
arItemsCheckBoxes
interface\Predefined\Disable commands - Office Button | E-
Mail (2)
arItemsCheckBoxes
interface\Predefined\Disable commands - Office Button |
Access Options | Customize | All Commands | Insert Hyperlink
(2)
arItemsCheckBoxes

interface\Predefined\Disable commands - Database Tools |
Database Tools | Encrypt with Password (2)
arItemsCheckBoxes

Administer | Users and Permission | User and Group
Permissions (2)
arItemsCheckBoxes

Administer | Users and Permissions | User and Group
Accounts (2)
arItemsCheckBoxes

Administer | Users and Permission | User-Level Security
Wizard... (2)
arItemsCheckBoxes

Database Tools | Encode/Decode Database (2)
arItemsCheckBoxes
Macro | Visual Basic (2)
arItemsCheckBoxes

Macro | Run Macro (2)
arItemsCheckBoxes

interface\Predefined\Database Tools | Macro | Convert Macros
to Visual Basic (2)
arItemsCheckBoxes

interface\Predefined\Database Tools | Macro | Create Shortcut
Menu from Macro (2)
arItemsCheckBoxes

interface\Predefined\Disable shortcut keys (2)
Software\Policies\Microsoft\Office\12.0\Access\DisabledShortc
utKeysCheckBoxes
interface\Predefined\Disable commands - Ctrl+K (Office Button
| Access Options | Customize | All Commands | Insert
Hyperlinks) (2)
utKeysCheckBoxes

interface\Predefined\Disable commands - Alt+F11 (Database
Tools | Macro | Visual Basic) (2)
utKeysCheckBoxes

Office Access 2007\Miscellaneous\Default file format (Access
2007 | Access 2002-2003) (2)
Office Access 2007\Miscellaneous\Do not prompt to convert
older databases (2)

Office Excel 2007\Excel Options\Proofing\Autocorrect
Options\Internet and network paths as hyperlinks (2)
Software\Policies\Microsoft\Office\12.0\Excel\Options

Office Excel 2007\Excel Options\Save\Save Excel files as
(Excel Workbook (*.xlsx) | Excel Macro-Enabled Workbook
(*.xlsm) | Excel Binary Workbook (*.xlsb) | Web Page (*.htm;
*.html) | Excel 97-2003 Workbook (*.xls) | Excel 5.0/95
Workbook (*.xls)) (2)

Office Excel 2007\Excel Options\Save\Disable AutoRepublish
(2) Software\Policies\Microsoft\Office\12.0\Excel\Options

Office Excel 2007\Excel Options\Save\AutoRepublish Warning
Alert (Always show the alert before publishing | Never show
the alert before publishing)

Office Excel 2007\Excel Options\Security\Determine whether
to force encrypted macros to be scanned in Microsoft Excel
Open XML workbooks (2)
Software\Policies\Microsoft\Office\12.0\Excel\Security

Office Excel 2007\Excel Options\Security\Force file extension
to match file type (Allow different | Allow different, but warn |
Always match file type) (2)
Office Excel 2007\Excel Options\Security\Trust Center\Store
macro in Personal Macro Workbook by default (2)

Office Excel 2007\Excel Options\Security\Trust Center\Disable
all application add-ins (2)

Office Excel 2007\Excel Options\Security\Trust Center\Require
that application add-ins are signed by Trusted Publisher (2)

Office Excel 2007\Excel Options\Security\Trust Center\Disable
Trust Bar Notification for unsigned application add-ins (2)

Office Excel 2007\Excel Options\Security\Trust Center\Trusted
LocationsAllow Trusted Locations not on the computer (2)
Software\Policies\Microsoft\Office\12.0\Excel\Security\Trusted
Locations

Office Excel 2007\Excel Options\Security\Trust Center\Trusted
LocationsDisable all trusted locations (2)
Software\Policies\Microsoft\Office\12.0\Excel\Security\Trusted
Locations
Office Excel 2007\Excel Options\Advanced\Ignore other
applications (2)
Software\Policies\Microsoft\Office\12.0\Excel\Options\BinaryO
ptions
Office Excel 2007\Excel Options\Advanced\Ask to update
automatic links (2)
Office Excel 2007\Excel Options\Advanced\Number of
documents in the Recent Documents list (0-17) (2)
Software\Policies\Microsoft\Office\12.0\Excel\File MRU
Office Excel 2007\Excel Options\Advanced\Web
Options\GeneralSave any additional data necessary to
maintain formulas (2)
Software\Policies\Microsoft\Office\12.0\Excel\Internet

Office Excel 2007\Excel Options\Advanced\Web
Options\GeneralLoad pictures from Web pages not created
in Excel (2)
Software\Policies\Microsoft\Office\12.0\Excel\Internet
Office Excel 2007\Data Recovery\Do not show data extraction
options when opening corrupt workbooks (2)

Office Excel 2007\Data Recovery\Assume structured storage
format of workbook is intact when recovering data (2)

Office Excel 2007\Data Recovery\Corrupt formula conversion
(Convert unrecoverable references to: values | #REF or
#NAME) (2)

Office Excel 2007\Data Access Security\Connection File
Locations (2)
Software\Policies\Microsoft\Office\Common\Server
Links\Published
Office Excel 2007\Data Access Security\Automatic Query
Refresh (Prompt for all workbooks | Do not prompt; do not
allow auto refresh | Do not prompt; allow auto refresh) (2)
Software\Policies\Microsoft\Office\Common\Server
Links\Published

Office Excel 2007\Disable items in user
Software\Policies\Microsoft\Office\12.0\Excel\DisabledCmdBarI
temsCheckBoxes
interface\Predefined\Disable commands - Office Button | Excel
Options | Customize | All Commands | Save as Web Page (2)
temsCheckBoxes

Options | Customize | All Commands | Web Page Preview (2)
temsCheckBoxes

interface\Predefined\Disable commands - Office Button | Send
| Email (2)
temsCheckBoxes

interface\Predefined\Disable commands - Insert | Links |
Hyperlink (2)
temsCheckBoxes

interface\Predefined\Disable commands - Review | Changes |
Protect Sheet (2)
temsCheckBoxes

Protect Workbook (2)
temsCheckBoxes

Protect and Share Workbook (2)
temsCheckBoxes

interface\Predefined\Disable commands - View | Macros |
Macros (2)
temsCheckBoxes
interface\Predefined\Disable commands - Developer | Code |
Macros (2)
temsCheckBoxes

Record Macro (2)
temsCheckBoxes

Macro Security (2)
temsCheckBoxes

Visual Basic (2)
temsCheckBoxes

Options | Customize | All Commands | Document Location (2)
temsCheckBoxes

Software\Policies\Microsoft\Office\12.0\Excel\DisabledShortcut
KeysCheckBoxes
interface\Predefined\Disable shortcut keys - Ctrl+K (Insert |
Links | Hyperlink) (2)
KeysCheckBoxes

interface\Predefined\Disable shortcut keys - Alt+F8 (Developer
| Code | Macros) (2)
KeysCheckBoxes
interface\Predefined\Disable shortcut keys - Alt+F11
(Developer | Code | Visual Basic) (2)
KeysCheckBoxes

Office Excel 2007\Block file formats\Open\Block opening of
pre-release versions of file formats new to Excel 2007 (2)
Software\Policies\Microsoft\Office\12.0\Excel\Security\FileOpe
nBlock

Open XML file types (2)
nBlock
Binary 12 file types (2)
nBlock
Binary file types (2)
nBlock
Html and Xmlss files types (2)
nBlock
Xml file types (2)
nBlock
DIF and SYLK file types (2)
nBlock
Text file types (2)
nBlock
Office Excel 2007\Block file formats\Open\Block opening of Xll
file type (2)
nBlock
Office Excel 2007\Block file formats\Save\Block saving of
Open Xml file types (2)
Software\Policies\Microsoft\Office\12.0\Excel\Security\FileSave
Block
Binary12 file types (2)
Block
Block
Office Excel 2007\Block file formats\Save\Block saving of Html
and Xmlss file types (2)
Block
Office Excel 2007\Block file formats\Save\Block saving Xml file
types (2)
Block
Office Excel 2007\Block file formats\Save\Block saving DIF
and SYLK file types (2)
Block
Office Excel 2007\Block file formats\Save\Block saving of Text
file types (2)
Block
Office Excel 2007\Miscellaneous\Locally cache network file
storages (2)

Office Excel 2007\Miscellaneous\Locally cache PivotTable
reports (2)
Office Excel 2007\Miscellaneous\OLAP PivotTable User
Defined Function (UDF) security setting (Allow ALL UDFs |
Allow safe UDFs only | Allow NO UDFs) (2)

Office Excel 2007\Miscellaneous\Recognize SmartTags (2)

Office InfoPath 2007\Tools | Options\General\Number of
documents in the Recent Documents list (0 - 9) (2)
Software\Policies\Microsoft\Office\12.0\InfoPath

Office InfoPath 2007\Tools | Options\Advanced\Offline\Offline
Mode status (Disabled | Enabled, InfoPath in Offline Mode |
Enabled, InfoPath not in Offline Mode) (2)
Software\Policies\Microsoft\Office\12.0\InfoPath\Editor\Offline

Office InfoPath 2007\Disable items in user
Software\Policies\Microsoft\Office\12.0\InfoPath\DisabledCmd
BarItemsCheckBoxes
interface\Predefined\Disable commands - File | Print (2)
BarItemsCheckBoxes
interface\Predefined\Disable commands - File | Send to Mail
Recipient (2)
BarItemsCheckBoxes

interface\Predefined\Disable commands - File | Open from
SharePoint Site (2)
BarItemsCheckBoxes
interface\Predefined\Disable commands - File | Print Preview
(2)
BarItemsCheckBoxes

interface\Predefined\Disable commands - File | Page Setup (2)
BarItemsCheckBoxes

interface\Predefined\Disable commands - Insert | Hyperlinks...
(2)
BarItemsCheckBoxes

interface\Predefined\Disable commands - Tools | Set
Language (2)
BarItemsCheckBoxes

interface\Predefined\Disable commands - Tools | Customize...
(2)
BarItemsCheckBoxes

interface\Predefined\Disable commands - Tools | Options... (2)
BarItemsCheckBoxes

interface\Predefined\Disable commands - Help | Microsoft
Office Online (2)
BarItemsCheckBoxes

interface\Predefined\Disable commands - Office Diagnostics
(2)
BarItemsCheckBoxes
interface\Predefined\Disable commands - Help | Activate
Product... (2)
BarItemsCheckBoxes

interface\Predefined\Disable commands - Print Default (2)
BarItemsCheckBoxes
Software\Policies\Microsoft\Office\12.0\InfoPath\DisabledShort
cutKeysCheckBoxes
interface\Predefined\Disable shortcut keys - Print Shortcut
(Ctrl+P) (2)
cutKeysCheckBoxes

interface\Predefined\Disable shortcut keys - Insert Hyperlink
Shortcut (Ctrl+K) (2)
cutKeysCheckBoxes

Office InfoPath 2007\Security\Control behavior for Windows
SharePoint Services gradual upgrade (Allow redirections to
any location | Allow redirections to Intranet only | Block all
redirections) (2)
Software\Policies\Microsoft\Office\12.0\InfoPath\Security

Office InfoPath 2007\Security\Disable opening of solutions
from the Internet security zone (2)

Office InfoPath 2007\Security\Disable fully trusted solutions full
access to computer (2)
Office InfoPath 2007\Security\Allow the use of ActiveX Custom
Controls in InfoPath forms (2)

Office InfoPath 2007\Security\Run forms in restricted mode if
they do not specify a publish location and use only features
introduced before InfoPath 2003 SP1 (2)

Office InfoPath 2007\Security\Allow file types as attachments
to forms (2)

Office InfoPath 2007\Security\Block specific file types as
attachments to forms (2)

Office InfoPath 2007\Security\Prevent users from allowing
unsafe file types to be attached to forms (2)

Office InfoPath 2007\Security\Display a warning that a form is
digitally signed (2)

Office InfoPath 2007\Security\Control behavior when opening
forms in the Internet security zone (Block | Prompt | Allow) (2)
Software\Policies\Microsoft\Office\12.0\InfoPath\Open
Behaviors

forms in the Intranet security zone (Block | Prompt | Allow) (2)
Behaviors
forms in the Local Machine security zone (Block | Prompt |
Allow) (2)
Behaviors

forms in the Trusted Site security zone (Block | Prompt | Allow)
(2) Software\Policies\Microsoft\Office\12.0\InfoPath\Open
Behaviors

Office InfoPath 2007\Security\Beaconing UI for forms opened
in InfoPath (Never show beaconing UI | Always show
beaconing UI | Show UI if Form Template is from Internet
Zone) (2)

Office InfoPath 2007\Security\Beaconing UI for forms opened
in InfoPath Editor ActiveX (Never show beaconing UI | Always
show beaconing UI | Show UI if Form Template is from Internet
Zone) (2)

Office InfoPath 2007\Security\Trust Center\Disable all
application add-ins (2)

Office InfoPath 2007\Security\Trust Center\Require that
application add-ins are signed by Trusted Publisher (2)
Office InfoPath 2007\Security\Trust Center\Disable Trust Bar
Notification for unsigned application add-ins (2)

Office InfoPath 2007\Disable items in user interface\Control
behavior when opening InfoPath e-mail forms containing code
or script (Run without prompting | Prompt before running |
Never run) (2)

Office InfoPath 2007\Disable items in user interface\Disable
sending form template with e-mail forms (2)
Software\Policies\Microsoft\Office\12.0\InfoPath\Deployment

dynamic caching of the form template in InfoPath e-mail forms
(2)
Software\Policies\Microsoft\Office\12.0\InfoPath\Deployment

sending InfoPath 2003 Forms as e-mail forms (2)

Office InfoPath 2007\Disable items in user interface\Disable e-
mail forms running in restricted security level (2)

mail forms from the Internet security zone (2)
mail forms from the Intranet security zone (2)

mail forms from the Full Trust security zone (2)

InfoPath e-mail forms in Outlook (2)
Software\Policies\Microsoft\Office\12.0\Outlook\Options\Mail

Office InfoPath 2007\Restricted Features\Information Rights
Management (2)
Software\Policies\Microsoft\Office\12.0\InfoPath\Designer\Rest
rictedFeatures
Office InfoPath 2007\Restricted Features\Custom code (2)
Software\Policies\Microsoft\Office\12.0\InfoPath\Designer\Rest
rictedFeatures
Office InfoPath 2007\Miscellaneous\Email Forms Beaconing UI
(Never show UI | Always show UI | Show UI if XSN is in
Internet Zone) (2)

Office 2007 system\Global Options\Customize\Disable user
customization of Quick Access Toolbar via UI (2)
Software\Policies\Microsoft\Office\12.0\Common\Toolbars

customization of Quick Access Toolbar via UI - Disallow in
Word (2)
Excel (2)

PowerPoint (2)

Access (2)

Outlook (2)

Office 2007 system\Global Options\Customize\Disable all user
customization of Quick Access Toolbar (2)

customization of Quick Access Toolbar - Disallow in Word (2)

customization of Quick Access Toolbar - Disallow in Excel (2)

customization of Quick Access Toolbar - Disallow in
PowerPoint (2)
customization of Quick Access Toolbar - Disallow in Access (2)

customization of Quick Access Toolbar - Disallow in Outlook (2)

Office 2007 system\Global Options\Customize\Disable UI
extending from documents and templates (2)

extending from documents and templates - Disallow in Word
(2) Software\Policies\Microsoft\Office\12.0\Common\Toolbars

extending from documents and templates - Disallow in Excel

extending from documents and templates - Disallow in
PowerPoint (2)

extending from documents and templates - Disallow in Access

extending from documents and templates - Disallow in Outlook
Office 2007 system\Tools | AutoCorrect Options... (Excel,
Word, PowerPoint and Access)\Recognize smart tags in Excel

Office 2007 system\Tools | Options | General | Web
Options...\Disable Clip Art and Media downloads from the client
and from Office Online website (2)
Software\Policies\Microsoft\Office\12.0\Common\Internet

Options...\Disable template downloads from the client and from
Office Online website (2)

Options...\Disable access to updates, add-ins, and patches on
the Office Online website (2)

Options...\Prevents users from uploading document templates
to the Office Online community. (2)

Options...\Disable training practice downloads from the Office
Online website (2)

Options...\Disable customer-submitted templates downloads
from Office Online (2)

Options...\Files\Open Office documents as read/write while
browsing (2)
Options...\Browsers\Rely on VML for displaying graphics in
browsers (2)

Options...\Browsers\Allow PNG as an output format (2)

Office 2007 system\Tools | Options | Spelling\Proofing Data
Collection\Improve Proofing Tools (2)
Software\Policies\Microsoft\Office\12.0\Common\PTWatson
(1) User Configuration\Administrative Templates\Classic

Administrative Templates\Microsoft Office 2007\Privacy \Trust
Center\Disable Opt-in Wizard on first run (2)
2.0\Common\QMEnable
Office 2007 system\Help\Microsoft Office Online (2)
Office 2007 system\Security Settings\Disable Password
Caching (2)
Software\Policies\Microsoft\Office\12.0\Common\Security
Office 2007 system\Security Settings\Disable all Trust Bar
notifications for security issues (2)
Software\Policies\Microsoft\Office\12.0\Common\TrustCenter

Office 2007 system\Security Settings\Protect document
metadata for rights managed Office Open XML Files (2)

Office 2007 system\Security Settings\Protect document
metadata for password protected files. (2)

Office 2007 system\Security Settings\Encryption type for
password protected Office Open XML files (2)
Office 2007 system\Security Settings\Encryption type for
password protected Office 97-2003 files (2)

Office 2007 system\Security Settings\Load Controls in Forms3
(1 | 2 | 3 | 4) (2) Software\Policies\Microsoft\VBA\Security
2007: (1) User Configuration\Administrative

Templates\Microsoft Office 2007 system\Security
Settings\Automation Security (Disable macros by default | Use
application macro security level | Macros enabled) (2)
Software\Policies\Microsoft\Office\Common\Security 2003: (1)
Computer Configuration\Administrative Templates\Microsoft
Office 2003\Security Settings\Automation Security (2)
HKLM\Software\Policies\Microsoft\Office\11.0\Common\Securit
y - AutomationSecurity

Office 2007 system\Security Settings\Prevent Word and Excel
from loading managed code extensions (2)
Software\Policies\Microsoft\Office\Common\Smart Tag

Office 2007 system\Security Settings\Disable hyperlink
warnings (2)
Office 2007 system\Security Settings\Disable password to
open UI (2)
Office 2007 system\Security Settings\Download Office Controls
(2) Software\Policies\Microsoft\Office\12.0\Common\Internet

Office 2007 system\Security Settings\Disable All ActiveX (2)
Software\Policies\Microsoft\Office\Common\Security

Office 2007 system\Security Settings\Trust Center\Allow mix of
policy and user locations (2)
Software\Policies\Microsoft\Office\12.0\Common\Security\Trust
ed Locations
Office 2007 system\Smart Documents (Word, Excel)\Disable
Smart Document's use of manifests (2)
Office 2007 system\Smart Documents (Word,
Excel)\Completely disable the Smart Documents feature in
Word and Excel (2)

Office 2007 system\Services\Fax\Disable Internet Fax feature
(2)
Software\Policies\Microsoft\Office\12.0\Common\Services\Fax

Office 2007 system\Manage Restricted Permissions\Prevent
users from changing permissions on rights managed content
(2) Software\Policies\Microsoft\Office\12.0\Common\DRM

Office 2007 system\Manage Restricted Permissions\Allow
users with earlier versions of Office to read with browsers... (2)
Software\Policies\Microsoft\Office\12.0\Common\DRM

Office 2007 system\Manage Restricted Permissions\Always
require users to connect to verify permission (2)

Office 2007 system\Manage Restricted Permissions\Always
expand groups in Office when restricting permission for
documents (2)
Software\Policies\Microsoft\Office\12.0\Common\DRM\AutoEx
pandDls

Office 2007 system\Manage Restricted Permissions\Never
allow users to specify groups when restricting permission for
documents (2)

Office 2007 system\Manage Restricted Permissions\Disable
Microsoft Passport service for content with restricted
permission (2)
Office 2007 system\Manage Restricted Permissions\Do not
allow users to upgrade Information Rights Management
configuration (2)

Office 2007 system\Signing\Key Usage Filtering (2)
Software\Policies\Microsoft\Office\12.0\Common\General
Office 2007 system\Signing\EKU filtering (2)
Software\Policies\Microsoft\Office\12.0\Common\Signatures

Office 2007 system\Signing\Legacy format signatures (2)

Office 2007 system\Signing\Suppress Office Signing Providers
(Enable Western and East Asian | Suppress default Western |
Suppress default East Asian | Suppress both Western and
East Asian) (2)

Office 2007 system\Signing\Suppress external signature
services menu item (2)

Office 2007 system\Office Diagnostics\Disable Check For
Solutions (2)
Software\Policies\Microsoft\Office\Common\OffDiag
Office 2007 system\Microsoft Save As PDF and XPS add-
ins\Disable inclusion of document properties in PDF and XPS
output (2)
Software\Policies\Microsoft\Office\12.0\Common\FixedFormat

Office 2007 system\Document Information Panel\Disable
Document Information Panel (2)
Software\Policies\Microsoft\Office\12.0\Common\DocumentInfo
rmationPanel
Office 2007 system\Document Information Panel\Document
Information Panel Beaconing UI (Never show UI | Always show
UI | Show UI if XSN is in Internet Zone) (2)
Software\Policies\Microsoft\Office\12.0\Common\DocumentInfo
rmationPanel

Office 2007 system\Server Settings\Disable the Office client
from polling the Office server for published links (2)
Software\Policies\Microsoft\Office\12.0\Common\Portal

Office 2007 system\Office 2007 Converters\Block opening of
pre-release versions of file formats new to Word 2007 through
the Compatibility Pack for the 2007 Office system and Word
2007 Open XML/Word 97-2003 Format Converter (2)
Software\Policies\Microsoft\Office\12.0\Word\Security\FileOpen
Block

pre-release versions of file formats new to Excel 2007 through
the Compatibility Pack for the 2007 Office system and Excel
2007 Converter (2)
nBlock

pre-release versions of file formats new to PowerPoint 2007
through the Compatibility Pack for the 2007 Office system and
PowerPoint 2007 Converter (2)
Software\Policies\Microsoft\Office\12.0\PowerPoint\Security\Fil
eOpenBlock

Office 2007 system\Miscellaneous\Control Blogging (Enabled |
Only SharePoint blogs allowed | All blogging disabled) (2)
Software\Policies\Microsoft\Office\12.0\Common\Blog
Office 2007 system\Miscellaneous\Enable Smart Resume (2)
Software\Policies\Microsoft\Office\12.0\Common\Restore
Workspace

Office 2007 system\Miscellaneous\Do not upload media files
(2) Software\Policies\Microsoft\Office\12.0\Common\Internet

Office 2007 system\Miscellaneous\Disable hyperlinks to web
templates in File | New and task panes (2)

Office 2007 system\Miscellaneous\Prevent access to Web-
based file storage (2)
Software\Policies\Microsoft\Office\12.0\Common\WebServices

Office Outlook 2007\Tools | Options...\Preferences\E-mail
Options\Do not allow attachment previewing in Outlook (2)
Software\Policies\Microsoft\Office\12.0\Outlook\Preferences

Options\Read e-mail as plain text (2)

Options\Read signed e-mail as plain text (2)

Office Outlook 2007\Tools | Options...\Preferences\Calendar
Options\Microsoft Office Online Sharing ServicePrevent
publishing to Office Online (2)
Software\Policies\Microsoft\Office\12.0\Outlook\Options\PubCa
l

Options\Microsoft Office Online Sharing ServicePrevent
publishing to a DAV server (2)
l
Options\Microsoft Office Online Sharing ServiceRestrict level
of calendar details users can publish (All options are available |
Disables 'Full details' | Disables 'Full details' and 'Limited
details') (2)
l

Options\Microsoft Office Online Sharing ServiceAccess to
published calendars (2)
l

Options\Microsoft Office Online Sharing ServiceRestrict upload
method (2)
l

Office Outlook 2007\Tools | Options...\Preferences\Junk E-
mail\Hide Junk Mail UI (2)
Software\Policies\Microsoft\Office\12.0\Outlook

mail\Junk E-mail protection level (No Protection, Low, High,
Trusted Lists Only) (2)

mail\Trust E-mail from Contacts (2)

mail\Add e-mail recipients to users' Safe Senders Lists (2)
Office Outlook 2007\Tools | Options...\Mail Setup\Dial-up
options (2)

options - Warn before switching dial-up connection (2)

options - Hang up when finished sending, receiving, or
updating (2)

options - Automatically dial during a background Send/Receive
(2)

Office Outlook 2007\Tools | Options...\Mail Format\Do not allow
creating, replying, or forwarding signatures for e-mail
messages (2)
Software\Policies\Microsoft\Office\12.0\Common\MailSettings

Office Outlook 2007\Tools | Options...\Mail Format\Internet
Formatting\Send copy of pictures with HTML messages
instead of reference to Internet location (2)

Formatting\Outlook Rich Text options (Convert to HTML |
Convert to Plain Text format | Send Using Outlook Rich Text
format) (2)

Formatting\Plain text options (2)
Formatting\Plain text options - Encode attachments in
UUENCODE format when sending a plain text message (2)

Formatting\Message FormatSet message format (HTML | Rich
Text | Plain Text) (2)

Office Outlook 2007\Tools | Options...\Other\Make Outlook the
default program for E-mail, Contacts, and Calendar (2)
software\policies\microsoft\office\12.0\outlook\options\general

Office Outlook 2007\Tools | Options...\Other\Advanced\Do not
allow folders in non-default stores to be set as folder home
pages (2)
Software\Policies\Microsoft\Office\12.0\Outlook\Security

Office Outlook 2007\Tools | Options...\Other\Advanced\Use
Unicode format when dragging e-mail message to file system
(2)
Software\Policies\Microsoft\Office\12.0\Outlook\Options\Gener
al

allow Outlook object model scripts to run for shared folders (2)

allow Outlook object model scripts to run for public folders (2)
Office Outlook 2007\Tools | Options...\Other\Person
Names\Set maximum level of online status on a person name
(Do not allow | Allow everywhere except To and CC field | Allow
everywhere) (2)
Software\Policies\Microsoft\Office\12.0\Outlook\IM

Names\Display online status on a person name (Never |
Everywhere except To and CC field | Everywhere) (2)
Software\Policies\Microsoft\Office\12.0\Outlook\IM

Names\Turn off Enable the Person Names Smart Tag option
(2) Software\Policies\Microsoft\Office\12.0\Outlook\IM

Office Outlook 2007\Security\Security Form Settings\Outlook
Security Mode (Outlook Default Security | Use Security Form
from 'Outlook Security Settings' Public Folder | Use Security
Form from 'Outlook 10 Security Settings' Public Folder | Use
Outlook Security Group Policy) (2)

Office Outlook 2007\Security\Security Form
Settings\Attachment Security\Display Level 1 attachments (2)

Settings\Attachment Security\Allow users to demote
attachments to Level 2 (2)
Settings\Attachment Security\Do not prompt about Level 1
attachments when sending an item (2)

Settings\Attachment Security\Do not prompt about Level 1
attachments when closing an item (2)

Settings\Attachment Security\Allow in-place activation of
embedded OLE objects (2)

Settings\Attachment Security\Display OLE package objects (2)

Settings\Attachment Security\Add file extensions to block as
Level 1 (2)
Settings\Attachment Security\Remove file extensions blocked
as Level 1 (2)

Settings\Attachment Security\Add file extensions to block as
Level 2 (2)
Settings\Attachment Security\Remove file extensions blocked
as Level 2 (2)
Office Outlook 2007\Security\Security Form Settings\Custom
Form Security\Allow scripts in one-off Outlook forms (2)

Form Security\Set Outlook object model Custom Actions
execution prompt (Prompt User | Automatically Approve |
Automatically Deny | Prompt user based on computer security)
(2) Software\Policies\Microsoft\Office\12.0\Outlook\Security

Form Security\Set control ItemProperty prompt (Prompt User |
Automatically Approve | Automatically Deny | Prompt user
based on computer security) (2)

Settings\Programmatic Security\Configure Outlook object
model prompt when sending mail (Prompt User | Automatically
Approve | Automatically Deny | Prompt user based on
computer security) (2)

model prompt when accessing an address book (Prompt User |
model prompt when reading address information (Prompt User
| Automatically Approve | Automatically Deny | Prompt user

model prompt when responding to meeting and task requests
(Prompt User | Automatically Approve | Automatically Deny |
Prompt user based on computer security) (2)

model prompt when executing Save As (Prompt User |

model prompt When accessing the Formula property of a
UserProperty object (Prompt User | Automatically Approve |
model prompt when accessing address information via
UserProperties.Find (Prompt User | Automatically Approve |

Office Outlook 2007\Security\Cryptography\Required
Certificate Authority (2)
Office Outlook 2007\Security\Cryptography\S/MIME
interoperability with external clients: (Handle internally | Handle
externally | Handle if possible) (2)

Office Outlook 2007\Security\Cryptography\Always use Rich
Text formatting in S/MIME messages (2)

Office Outlook 2007\Security\Cryptography\S/MIME password
settings (2)
Software\Policies\Microsoft\Cryptography\Defaults\Provider\Mi
crosoft Exchange Cryptographic Provider v1.0
settings - Default S/MIME password time (minutes): (0 -
2147483647) (2)
settings - Maximum S/MIME password time (minutes): (0 -
2147483647) (2)

Office Outlook 2007\Security\Cryptography\Message Formats

Office Outlook 2007\Security\Cryptography\Message Formats -
Support the following message formats: (S/MIME | Exchange |
Fortezza | S/MIME and Exchange | S/MIME and Fortezza |
Exchange and Fortezza | S/MIME, Exchange, and Fortezza)

Templates\Microsoft Office Outlook
2007\Security\Cryptography\Do not provide Continue option on
Encryption warning dialog boxes (2)
Software\Policies\Microsoft\Office\12.0\Outlook\Security 2003:
Office Outlook
2003\Tools\Options\Security\Cryptography\Disable Continue
button on all Encryption warning dialogs (2)
HKCU\Software\Policies\Microsoft\office\11.0\outlook\Security -
DisableContinue

Office Outlook 2007\Security\Cryptography\Run in FIPS
compliant mode (2)
2007\Security\Cryptography\Encrypt all e-mail messages (2)
Software\Policies\Microsoft\Office\12.0\Outlook\Security 2003:
Office Outlook
2003\Tools\Options\Security\Cryptography\Encrypt all e-mail
messages (2)
- AlwaysEncrypt

Office Outlook 2007\Security\Cryptography\Sign all e-mail
messages (2)

Office Outlook 2007\Security\Cryptography\URL for S/MIME
certificates (2)

Office Outlook 2007\Security\Cryptography\Ensure all S/MIME
signed messages have a label (2)

Office Outlook 2007\Security\Cryptography\S/MIME receipt
requests (Open message if receipt can't be sent | Don't open
message if receipt can't be sent | Always prompt before
sending receipt | Never send S/MIME ) (2)

Office Outlook 2007\Security\Cryptography\Fortezza certificate
policies (2)
Office Outlook 2007\Security\Cryptography\Require SuiteB
algorithms for S/MIME operations (2)

Office Outlook 2007\Security\Cryptography\Signature Status
dialog box\Missing CRLs (2)
dialog box\Missing CRLs - Indicate a missing CRL as a(n):
(warning | error) (2)

dialog box\Missing root certificates (2)

dialog box\Missing root certificates - Indicate a missing root
certificate as a(n): (neither error nor warning | warning | error)

dialog box\Promote Level 2 errors as errors, not warnings (2)

dialog box\Attachment Secure Temporary Folder (2)

Office Outlook 2007\Security\Automatic Picture Download
Settings\Display pictures and external content in HTML e-mail
(2)

Settings\Automatically download content for e-mail from people
in Safe Senders and Safe Recipients Lists (2)

Settings\Do not permit download of content from safe zones
(2)
Settings\Block Trusted Zones (2)

Settings\Include Internet in Safe Zones for Automatic Picture
Download (2)

Settings\Include Intranet in Safe Zones for Automatic Picture
Download (2)

Office Outlook 2007\Security\Trust Center\Security setting for
macros (Always warn | Never warn, disable all | Warn for
signed, disable unsigned | No security check) (2)

Office Outlook 2007\Security\Trust Center\Enable links in e-
mail messages (2)

Office Outlook 2007\Security\Trust Center\Apply macro
security settings to macros, add-ins, and SmartTags (2)

Office Outlook 2007\Tools | Account
Settings\Exchange\Automatically configure profile based on
Active Directory Primary SMTP address (2)
Software\Policies\Microsoft\Office\12.0\Outlook\AutoDiscover
Office Outlook 2007\Tools | Account Settings\Exchange\Do not
allow users to change permissions on folders (2)
Software\Policies\Microsoft\Office\12.0\Outlook\Options\Folder
s

Office Outlook 2007\Tools | Account Settings\Exchange\Enable
RPC encryption (2)
Software\Policies\Microsoft\Office\12.0\Outlook\RPC

Office Outlook 2007\Tools | Account
Settings\Exchange\Authentication with Exchange Server
(Kerberos/NTLM Password Authentication | Kerberos
Password Authentication | NTLM Password Authentication) (2)

Office Outlook 2007\Tools | Account Settings\RSS
Feeds\Synchronize Outlook RSS Feeds with Common Feed
List (2)
Software\Policies\Microsoft\Office\12.0\Outlook\Options\RSS

Office Outlook 2007\Tools | Account Settings\RSS Feeds\Turn
off RSS feature (2)

Feeds\Automatically download enclosures (2)

Feeds\Download full text of articles as HTML attachments (2)

Office Outlook 2007\Tools | Account Settings\Internet
Calendars\Automatically download attachments (2)
Software\Policies\Microsoft\Office\12.0\Outlook\Options\WebC
al
Office Outlook 2007\Tools | Account Settings\Internet
Calendars\Do not include Internet Calendar integration in
Outlook (2)
Software\Policies\Microsoft\Office\12.0\Outlook\Options\WebC
al

Office Outlook 2007\Meeting Workspace\Disable user entries
to server list (Publish default, allow others | Publish default,
disallow others) (2)
Software\Policies\Microsoft\Office\12.0\Meetings\Profile

Office Outlook 2007\Miscellaneous\Do not expand distribution
lists (2)

Office PowerPoint 2007\PowerPoint Options\Save\Save files in
this format (PowerPoint Presentation (*.pptx) | PowerPoint
Macro-Enabled Presentation (*.pptm) | PowerPoint 97-2003
Presentation (*.ppt)) (2)
Software\Policies\Microsoft\Office\12.0\PowerPoint\Options

Office PowerPoint 2007\PowerPoint
Options\Advanced\Number of documents in the Recent
Documents list (0 - 50) (2)
Software\Policies\Microsoft\Office\12.0\PowerPoint\File MRU

Office PowerPoint 2007\PowerPoint
Options\Security\Determine whether to force encrypted macros
to be scanned in Microsoft PowerPoint Open XML
presentations (2)
Software\Policies\Microsoft\Office\12.0\PowerPoint\Security
Office PowerPoint 2007\PowerPoint Options\Security\Run
Programs (disable (don't run any programs) | enable (prompt
user before running) | enable all (run without prompting)) (2)

Office PowerPoint 2007\PowerPoint Options\Security\Make
hidden markup visible (2)

Office PowerPoint 2007\PowerPoint Options\Security\Unblock
automatic download of linked images (2)

Office PowerPoint 2007\PowerPoint Options\Security\Trust
Center\Disable all application add-ins (2)

Center\Require that application add-ins are signed by Trusted
Publisher (2)

Center\Disable Trust Bar Notification for unsigned application
add-ins (2)

Center\Trusted LocationsAllow Trusted Locations not on the
computer (2)
Software\Policies\Microsoft\Office\12.0\PowerPoint\Security\Tr
usted Locations

Center\Trusted LocationsDisable all trusted locations (2)
Software\Policies\Microsoft\Office\12.0\PowerPoint\Security\Tr
usted Locations
Office PowerPoint 2007\Disable items in user
Software\Policies\Microsoft\Office\12.0\PowerPoint\DisabledC
mdBarItemsCheckBoxes
PowerPoint Options | Customize | All Commands | Web Page
Preview (2)

| Email (2)

Hyperlink (2)

interface\Predefined\Disable commands - Review | Proofing |
Language (2)

Macros (2)

Macros (2)

Macro Security (2)
Visual Basic (2)

PowerPoint Options | Customize | All Commands | Document
Location (2)

interface\Predefined\Disable commands - Disable shortcut
keys (2)
Software\Policies\Microsoft\Office\12.0\PowerPoint\DisabledSh
ortcutKeysCheckBoxes

interface\Predefined\Disable commands - Ctrl+K (Insert | Links
| Hyperlink) (2)

interface\Predefined\Disable commands - Alt+F8 (Developer |
Code | Macros) (2)

interface\Predefined\Disable commands - Alt+F11 (Developer |
Code | Visual Basic) (2)

Office PowerPoint 2007\Block file formats\Open\Block opening
of pre-release versions of file formats new to PowerPoint 2007
(2)
eOpenBlock

of Open Xml files types (2)
eOpenBlock
of Binary file types (2)
eOpenBlock
of Html file types (2)
eOpenBlock
of Outlines (2)
eOpenBlock
of Converters (2)
eOpenBlock
Office PowerPoint 2007\Block file formats\Save\Block saving of
Open Xml file types (2)
eSaveBlock
eSaveBlock
Html file types (2)
eSaveBlock
Outlines (2)
eSaveBlock
GraphicFilters (2)
eSaveBlock
Office PowerPoint 2007\Block file
formats\Miscellaneous\Disable Slide Update (2)
Software\Policies\Microsoft\Office\12.0\PowerPoint\slide
libraries
Office Word 2007\Word Options\Display\Hidden text (2)
Software\Policies\Microsoft\Office\12.0\Word\Options\vpref

Office Word 2007\Word Options\Save\Save files in this format
(Word document (*.docx) | Single Files Web Page (*.mht) |
Web Page (*.htm; *.html) | Web Page, Filtered (*.htm, *.html) |
Rich Text Format (*.rtf) | Plain Text (*.txt) | Word 6.0/95 (*.doc)
| Word 6.0/95 - Chinese (Simplified) (*.doc) | Word 6.0/95 -
Chinese (Traditional) (*.doc) | Word 6.0/95 - Japanese (*.doc) |
Word 6.0/95 - Korean (*.doc) | Word 97-2002 & 6.0/95 - RTF |
Word 5.1 for Macintosh (*.mcw) | Word 5.0 for Macintosh
(*.mcw) | Word 2.x for Windows (*.doc) | Works 4.0 for
Windows (*.wps) | WordPerfect 5.x for Windows (*.doc) |
WordPerfect 5.1 for DOS (*.doc) | Word 2007 Macro Enabled
Document (*.docm) | Word 2007 Macro Free Template (*.dotx)
| Word 2007 Macro Enabled Template (*.dotm) | Word 97 -
2003 Document (*.doc) | Word 97 - 2003 Template (*.dot) | Flat
XML Document (*.xml)) (2)
Software\Policies\Microsoft\Office\12.0\Word\Options

Office Word 2007\Word Options\Advanced\Number of
documents in the Recent Documents list (0-50) (2)
Software\Policies\Microsoft\Office\12.0\Word\File MRU

Office Word 2007\Word Options\Advanced\Update automatic
links at Open (2)
Software\Policies\Microsoft\Office\12.0\Word\Options
Office Word 2007\Word Options\Advanced\E-mail
Options\Save smart tags in e-mail (2)
Software\Policies\Microsoft\Office\12.0\Word\Options\vpref
Office Word 2007\Word Options\Security\Trust
Center\Determine whether to force encrypted macros to be
scanned in Microsoft Word Open XML documents (2)
Software\Policies\Microsoft\Office\12.0\Word\Security

Office Word 2007\Word Options\Security\Trust Center\Disable
all application add-ins (2)

Office Word 2007\Word Options\Security\Trust Center\Require
that application add-ins are signed by Trusted Publisher (2)

Office Word 2007\Word Options\Security\Trust Center\Disable
Trust Bar Notification for unsigned application add-ins (2)

Office Word 2007\Word Options\Security\Trust Center\Trusted
LocationsAllow Trusted Locations not on the computer (2)
Software\Policies\Microsoft\Office\12.0\Word\Security\Trusted
Locations

Office Word 2007\Word Options\Security\Trust Center\Trusted
LocationsDisable all trusted locations (2)
Software\Policies\Microsoft\Office\12.0\Word\Security\Trusted
Locations
Office Word 2007\Disable items in user
Software\Policies\Microsoft\Office\12.0\Word\DisabledCmdBarI
temsCheckBoxes
interface\Predefined\Disable commands - Office Button | Word
Options | Customize | All Commands | Save As Web Page (2)
temsCheckBoxes
interface\Predefined\Disable commands - Office Button | Word
Options | Customize | All Commands | Web Page Preview (2)
temsCheckBoxes

| Email (2)
temsCheckBoxes

Hyperlink (2)
temsCheckBoxes

interface\Predefined\Disable commands - Review | Protect |
Protect Document (2)
temsCheckBoxes

Macros (2)
temsCheckBoxes

Macros (2)
temsCheckBoxes

Record Macro (2)
temsCheckBoxes

Macro Security (2)
temsCheckBoxes
Visual Basic (2)
temsCheckBoxes

interface\Predefined\Disable commands - Developer |
Templates | Document Template (2)
temsCheckBoxes

Software\Policies\Microsoft\Office\12.0\Word\DisabledShortcut
KeysCheckBoxes
interface\Predefined\Disable shortcut keys - Ctrl+F (Home |
Editing | Find) (2)
KeysCheckBoxes

interface\Predefined\Disable shortcut keys - Ctrl+K (Insert |
Links | Hyperlink) (2)
KeysCheckBoxes

interface\Predefined\Disable shortcut keys - Alt+F8 (Developer
| Code | Macros) (2)
KeysCheckBoxes

interface\Predefined\Disable shortcut keys - Alt+F11
(Developer | Code | Visual Basic) (2)
KeysCheckBoxes

Office Word 2007\Block file formats\Open\Block opening of
pre-release versions of file formats new to Word 2007 (2)
Block
Open XML file types (2)
Block
Block
HTML file types (2)
Block
Word 2003 XML file types (2)
Block
RTF file types (2)
Block
Office Word 2007\Block file formats\Open\Block open
Converters (2)
Block
Text file types (2)
Block
Internal file types (2)
Block
files before version (2)
Block
Office Word 2007\Block file formats\Save\Block saving of Open
XML file types (2)
Software\Policies\Microsoft\Office\12.0\Word\Security\FileSave
Block
Office Word 2007\Block file formats\Save\Block saving of
Block
HTML file types (2)
Block
Office Word 2007\Block file formats\Save\Block saving of Word
2003 XML file types (2)
Block
Office Word 2007\Block file formats\Save\Block saving of RTF
file types (2)
Block
Converters (2)
Block
Office Word 2007\Block file formats\Save\Block saving of Text
file types (2)
Block
(1) Computer Configuration\Administrative Templates\Microsoft

Office InfoPath 2007 (Machine)\Security\InfoPath APTCA
Assembly Whitelist (2)
Software\Policies\Microsoft\Office\12.0\InfoPath\Security\APTC
A

Office InfoPath 2007 (Machine)\Security\Windows Internet
Explorer Feature Control Opt-In (None | InfoPath.exe,
Document Information Panel and Workflow forms |
InfoPath.exe, Document Information Panel, Workflow forms
and 3rd Party Hosting) (2)
Office InfoPath 2007 (Machine)\Security\InfoPath APTCA
Assembly Whitelist Enforcement (2)

Office 2007 system (Machine)\Security Settings\Disable
Package Repair (2)
Software\Policies\Microsoft\Office\12.0\Common\OpenXMLFor
mat
Office 2007 system (Machine)\Security Settings\IE
Security\Disable user name and password (2)
Software\Policies\Microsoft\Internet
Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_
PASSWORD_DISABLE

Security\Disable user name and password - excel.exe (2)
PASSWORD_DISABLE

Security\Disable user name and password - powerpnt.exe (2)
PASSWORD_DISABLE

Security\Disable user name and password - pptview.exe (2)
PASSWORD_DISABLE

Security\Disable user name and password - winword.exe (2)
PASSWORD_DISABLE
Security\Disable user name and password - outlook.exe (2)
PASSWORD_DISABLE

Security\Disable user name and password - spDesign.exe (2)
PASSWORD_DISABLE

Security\Disable user name and password - msaccess.exe (2)
PASSWORD_DISABLE

Security\Bind to object (2) Software\Policies\Microsoft\Internet
Explorer\Main\FeatureControl\FEATURE_SAFE_BINDTOOBJ
ECT

Security\Bind to object - excel.exe (2)
ECT

Security\Bind to object - powerpnt.exe (2)
ECT

Security\Bind to object - pptview.exe (2)
ECT

Security\Bind to object - winword.exe (2)
ECT
Security\Bind to object - outlook.exe (2)
ECT

Security\Bind to object - spDesign.exe (2)
ECT

Security\Bind to object - msaccess.exe (2)
ECT

Security\Saved from URL (2)
Explorer\Main\FeatureControl\FEATURE_UNC_SAVEDFILEC
HECK

Security\Saved from URL - excel.exe (2)
HECK

Security\Saved from URL - powerpnt.exe (2)
HECK

Security\Saved from URL - pptview.exe (2)
HECK

Security\Saved from URL - winword.exe (2)
HECK
Security\Saved from URL - outlook.exe (2)
HECK

Security\Saved from URL - spDesign.exe (2)
HECK

Security\Saved from URL - msaccess.exe (2)
HECK

Security\Navigate URL (2) Software\Policies\Microsoft\Internet
Explorer\Main\FeatureControl\FEATURE_VALIDATE_NAVIGA
TE_URL

Security\Navigate URL - excel.exe (2)
TE_URL

Security\Navigate URL - powerpnt.exe (2)
TE_URL

Security\Navigate URL - pptview.exe (2)
TE_URL

Security\Navigate URL - winword.exe (2)
TE_URL
Security\Navigate URL - outlook.exe (2)
TE_URL

Security\Navigate URL - spDesign.exe (2)
TE_URL

Security\Navigate URL - msaccess.exe (2)
TE_URL

Security\Block popups (2) Software\Policies\Microsoft\Internet
Explorer\Main\FeatureControl\FEATURE_WEBOC_POPUPMA
NAGEMENT

Security\Block popups - excel.exe (2)
NAGEMENT

Security\Block popups - powerpnt.exe (2)
NAGEMENT

Security\Block popups - pptview.exe (2)
NAGEMENT

Security\Block popups - winword.exe (2)
NAGEMENT
Security\Block popups - outlook.exe (2)
NAGEMENT

Security\Block popups - spDesign.exe (2)
NAGEMENT

Security\Block popups - msaccess.exe (2)
NAGEMENT

Office Outlook 2007\Security\Prevent users from customizing
attachment security settings (2)
HKCU\Software\Policies\Microsoft\Office\12.0\Outlook -
DisallowAttachmentCustomization

Office 2003\Security Settings\Access: Macro Security Leve (2)
HKLM\Software\Policies\Microsoft\Office\11.0\Access\Security
- Level (3) User Configuration\Administrative
Templates\Microsoft Office Access
2003\Tools\Macros\Security\Security level (4)
HKCU\Software\Policies\Microsoft\Office\11.0\Access\Security
- Level

Office 2003\Security Settings\Access: Trust all installed add
ins and templates (2)
HKLM\Software\Policies\Microsoft\Office\11.0\Access\Security
- DontTrustInstalledFiles (3) User Configuration\Administrative
2003\Tools\Macros\Security\Trust all installed add-ins and
templates (4)
HKCU\Software\Policies\Microsoft\Office\11.0\Access\Security
- DontTrustInstalledFiles
Office 2003\Security Settings\Excel: Macro Security Level (2)
Level(3) User Configuration\Administrative Templates\Microsoft
Office Excel 2003\Tools\Macros\Security\Security level (4)
Level

Office 2003\Security Settings\Excel: Trust all installed add ins
and templates (2)
DontTrustInstalledFiles (3) User Configuration\Administrative
2003\Tools\Macros\Security\Trust all installed add-ins and
templates (4)
DontTrustInstalledFiles

Office 2003\Security Settings\Outlook: Macro Security Level
(2)
HKLM\Software\Policies\Microsoft\Office\11.0\Outlook\Security
- Level (3) User Configuration\Administrative
2003\Tools\Macros\Security\Security Level (4)
HKCU\Software\Policies\Microsoft\Office\11.0\Outlook -
Security\Level
Office Outlook 2003\Tools\Macros\Security\Outlook: Trust all
installed add-ins and templates (2)
- DontTrustInstalledFiles

Office Outlook 2003\Tools\Options\Security\Outlook virus
security settings (2) HKCU\Software\Policies\Microsoft\Security
- CheckAdminSettings
Office Outlook
2003\Tools\Options\Security\Cryptography\S/MIME receipt
requests (2)
- RespondToReceiptRequests

Office 2003\Security Settings\PowerPoint: Macro Security
Level (2)
HKLM\Software\Policies\Microsoft\Office\11.0\PowerPoint\Sec
urity - Level (3) User Configuration\Administrative
Templates\Microsoft Office PowerPoint
2003\Tools\Macro\Security\Security Level (4)
HKCU\Software\Policies\Microsoft\Office\11.0\PowerPoint -
Security\Level

Office 2003\Security Settings\PowerPoint: Trust all installed
add ins and templates (2)
HKLM\Software\Policies\Microsoft\Office\11.0\PowerPoint\Sec
urity - DontTrustInstalledFiles (3) User
PowerPoint 2003\Tools\Macro\Security\Trust all installed add
HKCU\Software\Policies\Microsoft\Office\11.0\PowerPoint\Sec
urity - DontTrustInstalledFiles
Office 2003\Security Settings\Publisher: Macro Security Level
(2)
HKLM\Software\Policies\Microsoft\Office\11.0\Publisher\Securit
y - Level

Office 2003\Security Settings\Publisher: Trust all installed add
HKLM\Software\Policies\Microsoft\Office\11.0\Publisher\Securit
y - DontTrustInstalledFiles

Office 2003\Security Settings\Word: Macro Security Level (2)
Level (3) User Configuration\Administrative
2003\Tools\Macro\Security\Security Level (4)
HKCU\Software\Policies\Microsoft\Office\11.0\Word -
Security\Level
Office 2003\Security Settings\Word: Trust all installed addins
and templates (2)
DontTrustInstalledFiles (3) User Configuration\Administrative
2003\Tools\Macro\Security\Trust all installed add ins and
templates (4)
HKCU\Software\Policies\Microsoft\Office\11.0\Word\Security -
DontTrustInstalledFiles
Office Word 2003\Tools\Options\Security\Store random number
to improve merge accuracy (2)
HKCU\Software\Policies\Microsoft\Office\11.0\Word\Options\vp
ref - fDontSaveRSID_1804_1
Office 2003\Security Settings\Prevent Users from Changing
Office Encryption Settings (2)
HKCU\Software\Policies\Microsoft\Office\11.0\Common\Securit
y - DisableCustomEncryption
(1)
ows\CurrentVersion\Internet Settings\Use_HKLM_only
Local Internet Options: GPO Settings:[Computer
Configuration | User Configuration]/Network/Internet Security
Explorer, Registry Keys:[HKLM | Zones: Use
HKCU]\Software\Policies\Microsoft\Windows\CurrentVers Only Machine
ion\Internet Settings\Security_HKLM_only Settings
HKLM\Software\Policies\Microsoft\Internet
Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVE
XINSTALL!(Reserved),
XINSTALL!explorer.exe, HKLM\Software\Policies\Local
Internet Options: GPO Settings:[Computer Configuration | User
Configuration]/Network/Internet Explorer/Internet Control
Panel/Security Features/Restrict ActiveX Install, Registry Keys:
[HKLM | HKCU]\Software\Policies\Microsoft\Internet
XINSTALL\(Reserved), [HKLM |
HKCU]\Software\Policies\Microsoft\Internet
XINSTALL\explorer.exe, [HKLM |
XINSTALL\iexplore.exe
(1)
ows\CurrentVersion\Internet
Settings\Security_Zones_Map_Edit Local Internet
Options: GPO Settings:[Computer Configuration | User Security
Configuration]/Network/Internet Explorer, Registry Zones: Do Not
Keys:[HKLM | Allow Users
HKCU]\Software\Policies\Microsoft\Windows\CurrentVers to Add/Delete
ion\Internet Settings\Security_zones_map_edit Sites
(1)
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Inter Disable
net Explorer\InfoDelivery\Restrictions\NoUpdateCheck Periodic
Local Internet Options: GPO Settings:[Computer Check for
Configuration | User Configuration]/Network/Internet Internet
Explorer, Registry Keys:[HKLM | Explorer
HKCU]\Software\Policies\Microsoft\Internet Software
Explorer\Infodelivery\Restrictions\NoUpdateCheck Updates
Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION!
(Reserved), HKLM\Software\Policies\Microsoft\Internet
Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION!
explorer.exe, HKLM\Software\Policies\Microsoft\Internet,Local
Panel/Security Features/Protection From Zone Elevation,
Registry Keys:[HKLM |
Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION\
(Reserved), [HKLM |
Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION\
explorer.exe, [HKLM |
Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION\i
explore.exe
Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING!
Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING!
explorer.exe, HKLM\Software\Policies\Microsoft\Internet
E,Local Internet Options: GPO Settings:[Computer
Configuration | User Configuration]/Network/Internet
Explorer/Internet Control Panel/Security Features/Binary
Behavior Security Restriction, Registry Keys:[HKLM |
Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING\
(Reserved), [HKLM |
Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING\e
xplorer.exe, [HKLM |
Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING\ie
xplore.exe
HKLM\Software\Policies\Microsoft\Internet Explorer\Download!
RunInvalidSignatures,Local Internet Options: GPO Settings:
[Computer Configuration | User Configuration]/Network/Internet
Explorer/Internet Control Panel/Advanced Page , Registry
Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet
Explorer\Download\RunInvalidSignatures
Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PRO
TOCOL!(Reserved), HKLM\Software\Policies\Microsoft\Internet
TOCOL!explorer.exe, HKLM\Software\Policies\Microsoft,Local
Panel/Security Features/MK Protocol Security Restriction,
TOCOL\(Reserved), [HKLM |
TOCOL\explorer.exe, [HKLM |
TOCOL\iexplore.exe
(1)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curren
tVersion\Policies\Explorer\NoMSAppLogo5ChannelNotify,Local
Panel/Security Features/Restrict File Download, Registry Keys:
Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDO
WNLOAD\(Reserved), [HKLM |
Disable
Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDO Software
WNLOAD\explorer.exe, [HKLM | Update Shell
HKCU]\Software\Policies\Microsoft\Internet Notifications
Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDO on Program
WNLOAD\iexplore.exe Launch
WNLOAD!(Reserved),
WNLOAD!explorer.exe, Local Internet Options: GPO Settings:
Explorer/Internet Control Panel/Security Features/Restrict File
Download, Registry Keys:[HKLM |
WNLOAD\(Reserved), [HKLM |
WNLOAD\explorer.exe, [HKLM |
WNLOAD\iexplore.exe
(1)
Disable
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet
Explorer\InfoDelivery\Restrictions\NoJITSetup,Local Internet Automatic
Options: GPO Settings:[Computer Configuration | User Install of
Configuration]/Network/Internet Explorer, Registry Keys:[HKLM Internet
| HKCU]\Software\Policies\Microsoft\Internet Explorer
Explorer\Infodelivery\Restrictions\NoJITSetup Components
(1)
s\CurrentVersion\Internet Settings\ProxySettingsPerUser,Local
Configuration]/Network/Internet Explorer, Registry Keys:[HKLM
| Make Proxy
HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\In Settings Per
ternet Settings\ProxySettingsPerUser Machine
Local Internet Options: GPO Settings:[Computer Configuration
| User Configuration]/Network/Internet Explorer, Registry Keys:
Explorer\Restrictions\NoExtensionManagement
Explorer\Restrictions!NoCrashDetection,Local Internet
Options: GPO Settings:[Computer Configuration | User
Configuration]/Network/Internet Explorer, Registry Keys:[HKLM
| HKCU]\Software\Policies\Microsoft\Internet
Explorer\Restrictions\NoCrashDetection
Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRIC
TIONS!(Reserved), HKLM\Software\Policies\Microsoft\Internet
TIONS!explorer.exe, Local Internet Options: GPO Settings:
Explorer/Internet Control Panel/Security Features/Scripted
Window Security Restrictions, Registry Keys:[HKLM |
TIONS\(Reserved), [HKLM |
TIONS\explorer.exe, [HKLM |
TIONS\iexplore.exe
(1)
s\CurrentVersion\Internet Settings\Security_options_edit,Local
Configuration]/Network/Internet Explorer, Registry Keys:[HKLM Security Zones:
| Do Not Allow
HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\In Users to
ternet Settings\Security_options_edit Change Policies
Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING!
Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING!
explorer.exe, Local Internet Options: GPO Settings:[Computer
Configuration | User Configuration]/Network/Internet
Explorer/Internet Control Panel/Security Features/Mime
Sniffing Safety Feature, Registry Keys:[HKLM |
Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING\
(Reserved), [HKLM |
Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING\ex
plorer.exe, [HKLM | HKCU]\Software\Policies\Microsoft\Internet
Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING\iex
plore.exe
| User Configuration]/Network/Internet Explorer/Internet Control
Panel/Advanced Page , Registry Keys:[HKLM |
Explorer\Download\CheckExeSignatures
HKCU]\Software\Policies\Microsoft\Internet Explorer\Control
Panel\DisableRIED

Panel/Security Page/Internet Zone, Registry Keys:[HKLM |
HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\In
ternet Settings\Zones\3\1407


Panel/Security Page/Restricted Sites Zone, Registry Keys:
[HKLM |

[HKLM |

[HKLM |

Panel/Security Page, Registry Keys:[HKLM |
ternet Settings\ZoneMap\UNCAsIntranet
Panel, Registry Keys:[HKLM |
Panel\AdvancedTab
Panel\PrivacyTab
Panel\SecurityTab
ternet Settings\PreventIgnoreCertErrors
Panel/Internet Settings/Component Updates/Periodic Check
for Updates to Internet Explorer and Internet Tools, Registry
Explorer\Main\Update_Check_Page

Panel/Internet Settings/Component Updates/Periodic Check
for Updates to Internet Explorer and Internet Tools, Registry
Explorer\Main\Update_Check_Interval

Panel/Security Features/Add-on Management, Registry Keys:
[HKLM |
HKCU]\Software\Microsoft\Windows\CurrentVersion\Policies\E
xt\ListBox_Support_CLSID

Panel/Security Features/Add-on Management, Registry Keys:
[HKLM |
HKCU]\Software\Microsoft\Windows\CurrentVersion\Policies\E
xt\RestrictToList

Explorer\Control Panel\History, [HKLM |
ternet Settings\Url History\DaysToKeep

Explorer\Control Panel\Autoconfig

Explorer\Control Panel\Connection Settings, [HKLM |
Panel\Connwiz Admin Lock
Explorer\Control Panel\Proxy

Explorer\Infodelivery\Restrictions\NoSplash

Explorer\Security\DisableFixSecuritySettings

Explorer\SQM\DisableCustomerImprovementProgram

Explorer\Main\DisableFirstRunCustomize

Explorer\Control Panel\Settings

Explorer\Control Panel\DisableDeleteBrowsingHistory

Explorer\PhishingFilter\Enabled

Explorer\Security\DisableSecuritySettingsCheck
Explorer\Main\FeatureControl\FEATURE_LOCAL
Explorer\Main\Enable Browser Extensions
Explorer\Main\NoUpdateCheck

ternet Settings\CertificateRevocation










| User Configuration]/Administrative Templates/Windows
Components/Internet Explorer/Internet Control Panel/Security
Page/Internet Zone, Registry Keys:[HKLM |
ternet Settings\Zones\3\1C00


ternet Settings\Zones\3\1A00



ternet Settings\Zones\3\1E05




Panel/Security Page/Locked-Down Internet Zone, Registry
Keys:[HKLM |

Panel/Security Page/Intranet Zone, Registry Keys:[HKLM |

Panel/Security Page/Locked-Down Intranet Zone, Registry
Keys:[HKLM |
ternet Settings\Lockdown_Zones\1\1609

Panel/Security Page/Local Machine Zone, Registry Keys:
[HKLM |

Panel/Security Page/Locked-Down Local Machine Zone,

[HKLM |

[HKLM |
[HKLM |

[HKLM |

[HKLM |

[HKLM |

[HKLM |

[HKLM |
[HKLM |

[HKLM |

[HKLM |

[HKLM |

[HKLM |

[HKLM |
[HKLM |

Page/Restricted Sites Zone, Registry Keys:[HKLM |

[HKLM |

[HKLM |
ternet Settings\Zones\4\1A00

[HKLM |

[HKLM |
[HKLM |

[HKLM |

[HKLM |

[HKLM |

[HKLM |
[HKLM |

[HKLM |
ternet Settings\Zones\4\1E05

[HKLM |

[HKLM |

[HKLM |

[HKLM |
Panel/Security Page/Locked-Down Restricted Sites Zone,

Panel/Security Page/Trusted Sites Zone, Registry Keys:[HKLM
|

Panel/Security Page/Locked-Down Trusted Sites Zone,
Panel/Security Features, Registry Keys:[HKLM |
Explorer\Main\XMLHTTP
HKCU\Software\Policies\Microsoft\Internet Explorer\Main!
FormSuggest Passwords,
HKCU\Software\Policies\Microsoft\Internet Explorer\Control
Panel\FormSuggest Passwords
NoJITSetup
Page_Transitions
HKCU\Software\Policies\Microsoft\Internet Explorer\Main!Use
FormSuggest, HKCU\Software\Policies\Microsoft\Internet
Explorer\Control Panel!FormSuggest
HKCU\Software\Policies\Microsoft\Internet
Explorer\Restrictions!NoSelectDownloadDir
Panel!Certificates
Explorer\Restrictions!NoExternalBranding
HKCU\Software\Microsoft\Outlook Express!
BlockExeAttachments
HKCU\Software\Policies\Microsoft\Internet Connection Wizard!

DisableICW
Panel!Connwiz Admin Lock
Panel!ResetWebSettings
Explorer\Infodelivery\Restrictions\NoSubscriptionContent
Explorer\Infodelivery\Restrictions\NoAddingSubscriptions
Explorer\Infodelivery\Restrictions\NoAddingChannels
Explorer\Infodelivery\Restrictions\NoEditingScheduleGroups
Explorer\Infodelivery\Restrictions\NoScheduledUpdates
Explorer\Infodelivery\Restrictions\NoEditingSubscriptions
Explorer\Infodelivery\Restrictions\NoChannelUI
Explorer\Infodelivery\Restrictions\NoRemovingChannels
Explorer\Infodelivery\Restrictions\NoRemovingSubscriptions
Explorer\Infodelivery\Restrictions\NoChannelLogging
GPO Setting: Computer Configuration\Windows

Settings\Security Settings\Local Policies\User Rights
Assignment\Increase a process working set

Settings\Security Settings\Local Policies\Security Options\User
Account Control: Behavior of the elevation prompt for standard
users

Account Control: Behavior of the elevation prompt for
administrators in Admin Approval Mode
GPO Setting: User Configuration\Administrative

Templates\Windows Components\Windows Explorer\Remove
CD Burning features
Templates\Windows Components\Windows Explorer\Remove
Security tab
GPO Setting: Computer Configuration\Administrative

Templates\Windows Components\Internet Explorer\Internet
Control Panel\Advanced Page\Empty Temporary Internet Files
folder when browser is closed

Templates\Windows Components\Internet Explorer\Disable
changing Temporary Internet files settings

Templates\System\Group Policy\Internet Explorer Maintenance
Policy Processing
Policy Processing

Policy Processing

Templates\Network\Link-Layer Topology Discovery\Turn on
Mapper I/O (LLTDIO) driver



Responder (RSPNDR) driver



Page/Locked-Down Intranet Zone/Java permissions, Registry
Keys:[HKLM |
ternet Settings\Lockdown_Zones\1\1C00
Page/Local Machine Zone/Java permissions, Registry Keys:
[HKLM |

Page/Locked-Down Local Machine Zone/Java permissions,

Page/Locked-Down Restricted Sites Zone/Java permissions,

Page/Trusted Sites Zone/Java permissions, Registry Keys:
[HKLM |

Page/Locked-Down Trusted Sites Zone/Java permissions,

Templates\Network\Windows Connect Now\Configuration of
wireless settings using Windows Connect Now


Templates\Windows Components\ActiveX Installer
Service\Approved Installation Sites for ActiveX Controls
Templates\Windows Components\Windows Error
Reporting\Disable Logging

Reporting\Disable Windows Error Reporting

Templates\Windows Components\Windows Error Reporting\Do
not send additional data

Reporting\Advanced Error Reporting Settings\Configure
Corporate Windows Error Reporting
Templates\Start Menu and Taskbar\Remove Default Programs
link from the Start menu; Registry Key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Ex
plorer\NoSMConfigurePrograms
Templates\System\Internet Communication
Management\Internet Communication settings\Turn off Help
Experience Improvement Program
Management\Internet Communication settings\Turn off Help
Ratings
Management\Internet Communication settings\Turn off
Windows Online

Templates\Windows Components\Network Sharing\Prevent
users from sharing files within their profiles
Assignment\Access Credential Manager as a trusted caller

Assignment\Change the time zone

Assignment\Create Symbolic Links

Assignment\Modify an object label

Settings\Security Settings\Local Policies\Security
Options\Network access: Remotely accessible registry paths
and subpaths

Account Control: Admin Approval Mode for the Built-in
Administrator account

Account Control: Detect application installations and prompt for
elevation

Account Control: Only elevate executables that are signed and
validated

Account Control: Only elevate UIAccess applications that are
installed in secure locations
Account Control: Run all administrators in Admin Approval
Mode

Account Control: Switch to the secure desktop when prompting
for elevation

Account Control: Virtualize file and registry write failures to per-
user locations
(1) defined by the object's DACL (2) defined through group

policy

Templates\Network\Network Connections\Prohibit use of
Internet Connection Firewall on your DNS domain network
GPO Settings: Computer Configuration\Administrative
Templates\System\Error Reporting\Display Error Notification,
Computer Configuration\Administrative Templates\Windows
Components\Windows Error Reporting\Display Error
Notification
Templates\Windows Components\Event Log
Service\Setup\Maximum Log Size (KB)

Control Panel\Security Page\Site to Zone Assignment List
Control Panel\Security Page\Internet Zone\Turn on Protected
Mode
GPO Settings:[Computer Configuration | User

Panel/Security Page/Locked-Down Internet Zone\Download
signed ActiveX controls
GPO Settings:[Computer Configuration | User

Panel/Security Page/Locked-Down Trusted Sites Zone\Allow
status bar updates via script
(1) GPO Setting: Computer Configuration\Administrative

Control Panel\Security Page\Restricted Sites Zone\Turn on
Protected Mode (2) Registry Keys:[HKLM|

Templates\Windows Components\Windows
Defender\Configure Microsoft Spynet Reporting

Templates\Windows Components\Windows Media Player\Do
Not Show First Use Dialog Boxes

Templates\Windows Components\Windows Media
Player\Prevent Desktop Shortcut Creation
Firewall Properties\Domain Profile Tab\Settings\Firewall
settings\Display a notification
(1)
es\SharedAccess\Parameters\FirewallPolicy\PrivateProfile\Log
ging\LogDroppedPackets (2) Computer
Connections\Windows Firewall\Private Profile\Windows
(1)
ging\LogSuccessfulConnections (2) Computer
Connections\Windows Firewall\Private Profile\Windows
Firewall: Allow Logging - Log successful connections (3)
Firewall with Advanced Security\Windows Firewall
Properties\Private Profile Tab\Logging\Logged successful
connections
(1)
ging\LogFilePath (2) Computer Configuration\Administrative
Firewall\Private Profile\Windows Firewall: Allow Logging - Log
Firewall Properties\Private Profile Tab\Logging\Name
(1)
ging\LogFileSize (2) Computer Configuration\Windows
Firewall Properties\Private Profile Tab\Logging\Size limit (KB)
(1)
es\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logg
ing\LogDroppedPackets (2) Computer
Connections\Windows Firewall\Public Profile\Windows
(1)
ing\LogSuccessfulConnections (2) Computer
Connections\Windows Firewall\Public Profile\Windows
Firewall: Allow Logging - Log successful connections (3)
Firewall with Advanced Security\Windows Firewall
Properties\Public Profile Tab\Logging\Logged successful
connections
(1)
ing\LogFilePath (2) Computer Configuration\Administrative
Firewall\Public Profile\Windows Firewall: Allow Logging - Log
Firewall Properties\Public Profile Tab\Logging\Name
(1)
ing\LogFileSize (2) Computer Configuration\Windows
Firewall Properties\Public Profile Tab\Logging\Size limit (KB)
(1)
es\tcpip6\Parameters\DisableComponents
(1)
(1)
(1) via auditpol

(1) via auditpol
(1) via auditpol
(1) via auditpol
(1) via auditpol
(1) via auditpol
(1) via auditpol
(1) via auditpol
(1) via auditpol
(1) via auditpol
(1) via auditpol

(1) via auditpol
(1) via auditpol
(1) via auditpol
(1) via auditpol
(1) via auditpol
(1) via auditpol
(1) via auditpol
(1) via auditpol
(1) via auditpol

(1) via auditpol
(1) via auditpol
(1) via auditpol
(1) via auditpol
(1) via auditpol
(1) via auditpol
(1) via auditpol
(1) via auditpol
(1) via auditpol

(1) via auditpol
(1) via auditpol
(1) via auditpol
(1) via auditpol
(1) via auditpol
(1) via auditpol
(1) via auditpol
(1) via auditpol
(1) via auditpol

(1) via auditpol
(1) via auditpol
(1) via auditpol
(1) via auditpol
(1) via auditpol
(1) via auditpol
(1) via auditpol
(1) via auditpol

(1) via auditpol
(1) via auditpol
(1) via auditpol
(1) via auditpol
(1) via auditpol
(1) via auditpol
(1) via auditpol
(1) via auditpol

(1) via auditpol
(1) via auditpol
(1) via auditpol
(1) via auditpol
(1) via auditpol
(1) via auditpol
(1) via auditpol
(1) via auditpol
(1) via auditpol

(1) via auditpol
(1) via auditpol
(1) via auditpol
(1) via auditpol
(1) via auditpol
(1) via auditpol
(1) via auditpol
(1) via auditpol

(1) via auditpol
(1) via auditpol
(1) via auditpol
(1) via auditpol
(1) via auditpol
(1) via auditpol
(1) via auditpol
(1) via auditpol

(1) via auditpol
(1) via auditpol
(1) via auditpol
(1) via auditpol
(1) via auditpol
(1) via auditpol
(1) via auditpol

(1) via auditpol
(1) via auditpol
(1) via auditpol
(1) via auditpol
(1) via auditpol
(1) via auditpol
(1) via auditpol
(1) via auditpol

(1) via auditpol
(1) via auditpol
(1) via auditpol
(1) via auditpol
(1) via auditpol
(1) via auditpol

CIS WXP Pro
NSA Security Benchmark
DISA Gold Disk for Guide for WXP CIS WXP Pro Benchmark v2.01
WXP (NSA-XP-C44- v1.3 (CIS_WindowsX
026-02.pdf) P_Benchmark_
v2.01.pdf)
? ?
4.4.3.1 %SystemDrive%
? ?
4.4.3.2
HKEY_LOCAL_MACHINE\Softw
are
? ?
4.4.3.3
HKEY_LOCAL_MACHINE\Syste
m
File Auditing - Must Have

ACE (CID:269)
?
%AllUsersProfile%
?
%AllUsersProfile
%\Application Data
?
%AllUsersProfile
%\Application
Data\Microsoft
?
%AllUsersProfile
%\Application
Data\Microsoft\Crypt
o\DSSHKLMKeys
?
%AllUsersProfile
%\Application
Data\Microsoft\Crypt
o\RSAHKLMKeys
?
%AllUsersProfile
%\Application
Data\Microsoft\Dr
Watson
?
%AllUsersProfile
%\Application
Data\Microsoft\Dr
Watson\drwtsn32.lo
g
?
%AllUsersProfile
%\Application
Data\Microsoft\HTM
L Help
?
%AllUsersProfile
%\Application
Data\Microsoft\Medi
a Index
?
%AllUsersProfile
%\Documents\deskt
op.ini
?
%AllUsersProfile
%\DRM
?
%ProgramFiles%
System Drive ACL

(CID:2000) %SystemDrive% 4.4.1.1 %SystemDrive%
?
%SystemDrive
%\autoexec.bat
%SystemDrive
%\config.sys
?
%SystemDrive
%\Documents and
Settings
?
%SystemDrive
%\Documents and
Settings\Administrat
or
?
%SystemDrive
%\Documents and
Settings\Default
User
?
%SystemDrive
%\io.sys
?
%SystemDrive
%\msdos.sys
?
%SystemDrive
%\ntbootdd.sys
?
%SystemDrive
%\ntdetect.com
?
%SystemDrive
%\ntldr
%SystemDrive
%\System Volume
Information
?
%SystemRoot%
?
Driver.cab ACL (CID:4083)

?
%SystemRoot%\
$NtServicePackUnin
stall$
%SystemRoot
%\CSC
?
%SystemRoot
%\Debug
?
%SystemRoot
%\Debug\UserMode
? ?
%SystemRoot
%\Debug\UserMode
\userenv.log
?
%SystemRoot
%\Installer
?
%SystemRoot
%\Offline Web
Pages
?
%SystemRoot
%\Prefetch
regedit.exe ACL %SystemRoot 4.4.1.17 %SystemRoot

(CID:2001) %\regedit.exe %\regedit.exe
?
%SystemRoot
%\Registration
?
%SystemRoot
%\Registration\CRM
Log
?
%SystemRoot
%\repair
?
%SystemRoot
%\security
%SystemRoot
%\Temp
?
%SystemRoot
%\system32
%SystemRoot
arp.exe ACL (CID:2002) %\system32\arp.exe
%SystemRoot 4.4.1.2 %SystemRoot
at.exe ACL (CID:2003) %\system32\at.exe %\system32\at.exe
?
4.4.1.3 %SystemRoot
attrib.exe ACL (CID:2004) %\system32\attrib.exe
?
4.4.1.4 %SystemRoot
cacls.exe ACL (CID:2005) %\system32\cacls.exe
?
%SystemRoot
%\system32\ciadv.m
sc
?
%SystemRoot
%\system32\Com\co
mexp.msc
?
%SystemRoot
%\system32\compm
gmt.msc
?
%SystemRoot
%\system32\config
?
Eventlog ACL (CID:225)

?
4.4.1.5 %SystemRoot
debug.exe ACL (CID:2006) %\system32\debug.exe
?
%SystemRoot
%\system32\devmg
mt.msc
?
%SystemRoot
%\system32\dfrg.ms
c
?
%SystemRoot
%\system32\diskmg
mt.msc
?
%SystemRoot
%\system32\dllcach
e
? ?
4.4.1.6 %SystemRoot
%\system32\drwatson.exe
? ?
4.4.1.7 %SystemRoot
%\system32\drwtsn32.exe
?
4.4.1.8 %SystemRoot
edlin.exe ACL (CID:2007) %\system32\edlin.exe
?
eventcreate.exe ACL 4.4.1.9 %SystemRoot

(CID:2008) %\system32\eventcreate.exe
?
eventtriggers.exe ACL 4.4.1.10 %SystemRoot

(CID:2009) %\system32\eventtriggers.exe
?
%SystemRoot
%\system32\eventv
wr.msc
?
%SystemRoot
%\system32\fsmgmt
.msc
?
ftp.exe ACL (CID:2010) %\system32\ftp.exe
?
%SystemRoot
%\system32\gpedit.
msc
?
%SystemRoot
%\system32\Group
Policy
%SystemRoot
%\system32\ias
?
%SystemRoot
%\system32\lusrmgr
.msg
?
%SystemRoot
%\system32\MSDT
C
?
%SystemRoot
%\system32\nbstat.
exe
?
nbtstat.exe ACL (CID:2011)

?
net.exe ACL (CID:2012) %\system32\net.exe
?
net1.exe ACL (CID:2013) %\system32\net1.exe
%SystemRoot
%\system32\netsh.e 4.4.1.14 %SystemRoot
netsh.exe ACL (CID:2014) xe %\system32\netsh.exe
%SystemRoot
netstat.exe ACL %\system32\netstat.
(CID:2015) exe
%SystemRoot
nslookup.exe ACL %\system32\nslook
(CID:2016) up.exe
%SystemRoot
ntbackup.exe ACL %\system32\Ntback
(CID:2017) up.exe
?
%SystemRoot
%\system32\NTMS
Data
?
%SystemRoot
%\system32\ntmsop
rq.msc
?
%SystemRoot
%\system32\ntmsm
gr.msc
?
%SystemRoot
%\system32\perfmo
n.msc

rcp.exe ACL (CID:2018) %\system32\rcp.exe %\system32\rcp.exe

reg.exe ACL (CID:2019) %\system32\reg.exe %\system32\reg.exe
%SystemRoot
regedt32.exe ACL %\system32\regedt3 4.4.1.18 %SystemRoot
(CID:2020) 2.exe %\system32\regedt32.exe
%SystemRoot
%\system32\regini.e
regini.exe ACL (CID:2021) xe
?
regsvr32.exe ACL 4.4.1.19 %SystemRoot

(CID:2022) %\system32\regsvr32.exe
%SystemRoot
%\system32\rexec.e 4.4.1.20 %SystemRoot
rexec.exe ACL (CID:2023) xe %\system32\rexec.exe
%SystemRoot
%\system32\route.e
route.exe ACL (CID:2024) xe

rsh.exe ACL (CID:2025) %\system32\rsh.exe %\system32\rsh.exe
?
%SystemRoot
%\system32\RSoP.
msc
? ?
%\system32\runas.exe
?
sc.exe ACL (CID:2026) %\system32\sc.exe
%SystemRoot
secedit.exe ACL %\system32\secedit
(CID:2027) .exe
?
%SystemRoot
%\system32\secpol.
msc
?
%SystemRoot
%\system32\service
s.msc
?
%SystemRoot
%\system32\Setup
?
%SystemRoot
%\system32\spool\P
rinters
?
subst.exe ACL (CID:2028) %\system32\subst.exe
%SystemRoot
systeminfo.exe ACL %\system32\systemi
(CID:2029) nfo.exe
?
telnet.exe ACL (CID:2030) %\system32\telnet.exe

tftp.exe ACL (CID:2031) %\system32\tftp.exe %\system32\tftp.exe
?
tlntsvr.exe ACL (CID:2032) %\system32\tlntsvr.exe
?
%SystemRoot
%\system32\wmimg
mt.msc
?
%SystemRoot
%\Tasks
? ?
?
HKEY_LOCAL_MA
CHINE\SOFTWARE 4.4.2.1 HKLM\Software
HKEY_LOCAL_MA
CHINE\SOFTWARE
\Microsoft\Cryptogra
phy\Calais
?
HKEY_LOCAL_MA 4.4.2.9
CHINE\SOFTWARE HKLM\Software\Microsoft\MSDT
\Microsoft\MSDTC C
?
HKEY_LOCAL_MA
CHINE\SOFTWARE
\Microsoft\MSDTC\S
ecurity\XAKey
?
HKEY_LOCAL_MA
CHINE\SOFTWARE
\Microsoft\NetDDE
?
HKEY_LOCAL_MA
CHINE\SOFTWARE
\Microsoft\UPnP
Device Host
HKEY_LOCAL_MA
CHINE\SOFTWARE
\Microsoft\Windows
NT\CurrentVersion\
Asr\Commands
?
HKEY_LOCAL_MA
CHINE\SOFTWARE
\Microsoft\Windows
NT\CurrentVersion\
Perflib
?
HKEY_LOCAL_MA
CHINE\SOFTWARE 4.4.2.11
\Microsoft\Windows HKLM\SOFTWARE\Microsoft\Wi
NT\CurrentVersion\ ndows
SeCEdit NT\CurrentVersion\SeCEdit
?
HKEY_LOCAL_MA
CHINE\SOFTWARE
\Microsoft\Windows\
CurrentVersion\Grou
p Policy
?
HKEY_LOCAL_MA
CHINE\SOFTWARE
\Microsoft\Windows\ 4.4.2.2
CurrentVersion\Insta HKLM\Software\Microsoft\Windo
ller ws\CurrentVersion\Installer
?
HKEY_LOCAL_MA
CHINE\SOFTWARE
\Microsoft\Windows\ 4.4.2.3
CurrentVersion\Polic HKLM\Software\Microsoft\Windo
ies ws\CurrentVersion\Policies
?
HKEY_LOCAL_MA
CHINE\SOFTWARE 4.4.2.8
\Microsoft\Windows\ HKLM\SOFTWARE\Microsoft\Wi
CurrentVersion\Polic ndows\CurrentVersion\Policies\
ies\Ratings Ratings
?
HKEY_LOCAL_MA
CHINE\SOFTWARE
\Microsoft\Windows\
CurrentVersion\Tele
phony
?
HKEY_LOCAL_MA
CHINE\SYSTEM 4.4.2.4 HKLM\System
?
HKEY_LOCAL_MA
CHINE\SYSTEM\clo
ne
?
HKEY_LOCAL_MA
CHINE\SYSTEM\Cu
rrentControlSet\Con
trol\Class
?
HKEY_LOCAL_MA
CHINE\SYSTEM\Cu
rrentControlSet\Con
trol\Network
HKEY_LOCAL_MA
CHINE\SYSTEM\Cu
rrentControlSet\Con
trol\SecurePipeServ
Winreg ACL (CID:237) ers\winreg
? ?
?
HKEY_LOCAL_MA
CHINE\SYSTEM\Cu
rrentControlSet\Con
trol\Wmi\Security
?
HKEY_LOCAL_MA
CHINE\SYSTEM\Cu 4.4.2.5
rrentControlSet\Enu HKLM\System\CurrentControlSe
m t\Enum
?
HKEY_LOCAL_MA
CHINE\SYSTEM\Cu
rrentControlSet\Har
dware Profiles
?
HKEY_LOCAL_MA
CHINE\SYSTEM\Cu
rrentControlSet\Serv
ices\AppMgmt\Secu
rity
?
HKEY_LOCAL_MA
CHINE\SYSTEM\Cu
ices\ClipSrv\Security
?
HKEY_LOCAL_MA
CHINE\SYSTEM\Cu
ices\CryptSvc\Secur
ity
?
HKEY_LOCAL_MA
CHINE\SYSTEM\Cu
ices\DNSCache
?
HKEY_LOCAL_MA
CHINE\SYSTEM\Cu
ices\Ersvc\Security
?
HKEY_LOCAL_MA
CHINE\SYSTEM\Cu
ices\Eventlog\Securi
ty
?
HKEY_LOCAL_MA
CHINE\SYSTEM\Cu
ices\IRENUM\Securi
ty
?
HKEY_LOCAL_MA
CHINE\SYSTEM\Cu
ices\Netbt
?
HKEY_LOCAL_MA
CHINE\SYSTEM\Cu
ices\Netdde\Securit
y
?
HKEY_LOCAL_MA
CHINE\SYSTEM\Cu
ices\Netddedsdm\S
ecurity
?
HKEY_LOCAL_MA
CHINE\SYSTEM\Cu
ices\RemoteAccess
?
HKEY_LOCAL_MA
CHINE\SYSTEM\Cu
ices\Rpcss\Security
?
HKEY_LOCAL_MA
CHINE\SYSTEM\Cu
ices\Samss\Security
?
HKEY_LOCAL_MA
CHINE\SYSTEM\Cu
ices\Scarddrv\Securi
ty
?
HKEY_LOCAL_MA
CHINE\SYSTEM\Cu
ices\Scardsvr\Securi
ty
HKEY_LOCAL_MA
rrentControlSet\Serv HKLM\System\CurrentControlSe
ices\SNMP\Paramet t\Services\CurrentControlSet\Se
SNMP - Permitted ers\PermittedManag rvices\SNMP\Parameters\Permit
Managers (CID:1033) ers tedManagers
HKEY_LOCAL_MA
rrentControlSet\Serv HKLM\System\CurrentControlSe
ices\SNMP\Paramet t\Services\CurrentControlSet\Se
SNMP Communities ers\ValidCommunitie rvices\SNMP\Parameters\ValidC
(CID:4046) s ommunities
?
HKEY_LOCAL_MA
CHINE\SYSTEM\Cu
ices\Stisvc\Security
?
HKEY_LOCAL_MA
CHINE\SYSTEM\Cu
ices\SysmonLog\Lo
g Queries
?
HKEY_LOCAL_MA
CHINE\SYSTEM\Cu
ices\Tapisrv\Security
?
HKEY_LOCAL_MA
CHINE\SYSTEM\Cu
ices\Tcpip
?
HKEY_LOCAL_MA
CHINE\SYSTEM\Cu
ices\W32time\Securi
ty
?
HKEY_LOCAL_MA
CHINE\SYSTEM\Cu
ices\Wmi\Security
?
HKEY_USER\.DEF
AULT
?
HKEY_USER\.DEF
AULT\Software\Micr
osoft\NetDDE
?
?
? ?
?
HKEY_USER\.DEF
AULT\Software\Micr 4.4.2.10
osoft\SystemCertific HKEY_USER\.Default\Software\
ates\Root\Protected Microsoft\SystemCertificates\Ro
Roots ot\ProtectedRoots
Deny access to this

User Right Check deny computer from the
access from network network: Not 4.2.13 Deny access to this
(CID:162) Defined computer from the network
Access this
computer from a
network:
User Right Check Logon Administrators, 4.2.1 Access this computer from
on network (CID:152) Users the network
User Right Check act as Act as part of the 4.2.2 Act as part of the operating
OS (CID:153) operating system system
Back up files and

User Right Check Backup directories: 4.2.6 Back up files and
(CID:155) Administrators directories
User Right Check Bypass

Traverse Checking Bypass traverse
(CID:156) checking: Users 4.2.7 Bypass traverse checking
User Right Check change Change the system
system time (CID:157) time: Administrators 4.2.8 Change the system time
User Right Check create Create a pagefile:

pagefile (CID:158) Administrators 4.2.9 Create a pagefile
User Right Check create Create a token

token object (CID:159) object: No One 4.2.10 Create a token object
User Right Check create Create permanent

permanent shared objects shared objects: No 4.2.11 Create permanent shared
(CID:160) One objects
User Right Check debug Debug programs:

programs (CID:161) No One 4.2.12 Debug Programs
Force shutdown
from a remote
User Right Check remote system: 4.2.19 Force shutdown from a
shutdown (CID:165) Administrators remote system
Generate security
audits: LOCAL
SERVICE,
User Right Check generate NETWORK
security audits (CID:173) SERVICE 4.2.20 Generate security audits
Adjust memory
quotas for a
process:
Administrators,NET
User Right Check increase WORK SERVICE, 4.2.4 Adjust memory quotas for
quotas (CID:166) LOCAL SERVICE a process
User Right Check increase Increase scheduling
scheduling priority priority: 4.2.21 Increase scheduling
(CID:167) Administrators priority
User Right Check load and Load and unload

unload device drivers device drivers: 4.2.22 Load and unload device
(CID:168) Administrators drivers
User Right Check lock

pages in memory Lock pages in
(CID:169) memory: No One 4.2.23 Lock pages in memory
User Right Check log on Log on as a batch

as a batch job (CID:170) job: No One 4.2.24 Log on as a batch job
User Right Check log on Log on as a service:

as a service job (CID:171) Network Service 4.2.25 Log on as a service
Log on locally:
User Right Check log on Administrators,
locally (CID:172) Users 4.2.26 Log on locally
?
Manage auditing
and security log: 4.2.27 Manage auditing and
Administrators security log
Modify firmware
environment
User Right Check modify variables: 4.2.28 Modify firmware
firmware (CID:174) Administrators environment values
Profile single
User Right Check Profile process:
single process (CID:175) Administrators 4.2.30 Profile single process
User Right Check Profile Profile system

system performance performance: 4.2.31 Profile system
(CID:176) Administrators performance
Remove computer
from docking
station:
User Right Check undock Administrators, 4.2.32 Remove computer from
(CID:177) Users docking station
Replace a process
level token: LOCAL
User Right replace process SERVICE, NETWORK 4.2.33 Replace a process level
token (CID:178) SERVICE token
Restore files and

User Right restore directories: 4.2.34 Restore files and
(CID:179) Administrators directories
Shut down the

system:
User Right shut down Administrators,
(CID:180) Users 4.2.35 Shut down the system
Take ownership of
files or other
User Right take ownership objects: 4.2.37 Take ownership of file or
(CID:182) Administrators other objects
Synchronize
User Right synch directory directory service 4.2.36 Synchronize directory
(CID:181) data: No One service data
User Right Check deny Deny logon locally:

logon locally (CID:163) Not Defined 4.2.16 Deny logon locally
Enable computer
User Right Check allow and user accounts 4.2.18 Enable computer and
trust for delegation to be trusted for user accounts to be trusted for
(CID:164) delegation: No One delegation
User Right Check Add Add workstations to 4.2.3 Add workstations to

wkstn to domain (CID:154) domain domain
Allow logon through

User Right allow logon Terminal Services: 4.2.5 Allow logon through
terminal service (CID:737) No One terminal services
?
Deny logon as a 4.2.14 Deny logon as a batch

batch job: No One job
?
Deny logon as a
service: No One 4.2.15 Deny logon as a service
Deny logon through
User Right deny logon Terminal Services: 4.2.17 Deny logon through
terminal service (CID:738) Everyone Terminal Service
Perform volume
User Right perform volume maintenance tasks: 4.2.29 Perform volume
maintenance (CID:739) Administrators maintenance tasks
Reset account
lockout counter after 2.2.3.3 Reset Account Lockout
Lockout Reset (CID:45) (15 min.) After
Account lockout
duration (15 2.2.3.1 Account Lockout
Lockout Duration (CID:44) minutes) Duration
Account lockout
threshold (3 invalid 2.2.3.2 Account Lockout
Lockout Count (CID:43) attempts) Threshold
Audit account logon

Account logon auditing events (Success, 2.2.1.1 Audit Account Logon
(CID:49) Failure) Events
Audit account logon
Account logon auditing events (Success, 2.2.1.1 Audit Account Logon
(CID:49) Failure) Events
Audit account
Account management management 2.2.1.2 Audit Account
auditing (CID:51) (Success, Failure) Management
Audit account
Account management management 2.2.1.2 Audit Account
auditing (CID:51) (Success, Failure) Management
Audit directory
service access (No 2.2.1.3 Audit Directory Service
auditing) Access
?
Audit directory
service access (No 2.2.1.3 Audit Directory Service
auditing) Access
Audit logon events

logon auditing (CID:53) (Success, Failure) 2.2.1.4 Audit Logon Events
Audit logon events

logon auditing (CID:53) (Success, Failure) 2.2.1.4 Audit Logon Events
object access auditing Audit object access
(CID:55) (Failure) 2.2.1.5 Audit Object Access
object access auditing Audit object access

(CID:55) (Failure) 2.2.1.5 Audit Object Access
policy change auditing Audit policy change

(CID:56) (Success, Failure) 2.2.1.6 Audit Policy Change
policy change auditing Audit policy change

(CID:56) (Success, Failure) 2.2.1.6 Audit Policy Change
Audit privilege use

priv use auditing (CID:58) (Failure) 2.2.1.7 Audit Privilege Use
Audit privilege use

priv use auditing (CID:58) (Failure) 2.2.1.7 Audit Privilege Use
Audit process
tracking (No
Auditing) 2.2.1.8 Audit Process Tracking
?
Audit process
tracking (No
Auditing) 2.2.1.8 Audit Process Tracking
system event auditing Audit system events
(CID:59) (Success, Failure) 2.2.1.9 Audit System Events
system event auditing Audit system events

(CID:59) (Success, Failure) 2.2.1.9 Audit System Events
Anonymous Access to Restrict guest

the Security Event Log access to
value (CID:479) application Log 2.2.4.1.2 Restrict Guest Access
Application log size Maximum 2.2.4.1.1 Maximum Event Log

(CID:82) application log size Size
Application log retention Retention method

(CID:85) for application Log 2.2.4.1.3 Log Retention Method
Retain application
log 2.2.4.1.4 Log Retention

the Security Event Log access to security
value (CID:477) Log 2.2.4.2.2 Restrict Guest Access
Maximum security 2.2.4.2.1 Maximum Event Log

Security log size (CID:80) log size Size
Security log retention Retention method

(CID:83) for security log 2.2.4.2.3 Log Retention Method
Retain security log 2.2.4.2.4 Log Retention

the Security Event Log access to system
value (CID:482) Log 2.2.4.3.2 Restrict Guest Access
Maximum system 2.2.4.3.1 Maximum Event Log

System log size (CID:81) log size Size
System log retention Retention method

(CID:84) for system log 2.2.4.3.3 Log Retention Method
Retain system log 2.2.4.3.4 Log Retention
Maximum Password Age Maximum Password 2.1.2 Maximum Password Age,

(CID:40) Age (90) 2.2.2.2 Maximum Password Age
Minimum Password Age Minimum Password

(CID:41) Age (1) 2.2.2.1 Minimum Password Age
2.1.1 Minimum Password

Minimum Password Length, 2.2.2.3 Minimum
Password Length (CID:39) Length (12) Password Length
Passwords must
meet complexity
requirements
(Enabled) 2.2.2.4 Password Complexity
Enforce password
history (24
Password History (CID:42) passwords) 2.2.2.5 Password History
Store password
using reversible
encryption for all
Reversible Pwd Encryption users in the domain 2.2.2.6 Store Passwords using
(CID:232) (Disabled) Reversible Encryption
? ?
4.1.1 Alerter
? ?
4.1.2 Automatic Updates

? ?
4.1.3 Background Intelligent

Transfer Service
? ?
4.1.4 Clipbook
Computer Browser
Disabled (CID:22) 4.1.5 Computer Browser
?
Fast User Swithcing

Compatibility Disabled
(CID:729) 4.1.6 Fax Service
? ?
? ?
4.1.7 FTP Publishing Service

?
Internet Information
System Installed - IIS
Admin (CIS:4066) 4.1.8 IIS Admin Service
? ?
4.1.9 Indexing Service

?
Windows Messenger
Internet Access (CIS:4036) 4.1.10 Messenger
?
.NET Framework service

(CIS:4035)
? ?
4.1.11 Net Logon

?
NetMeeting Romote
Desktop Sharing Disabled 4.1.12 NetMeeting Remote
(CIS:730) Desktop Sharing
?
Print Services for Unix

Service (CIS:4031)
?
Remote Access Auto

Connection Manager
Disabled (CIS:731)
?
Remote Desktop Help

Session Manager Disabled 4.1.13 Remote Desktop Help
(CIS:732) Session Manager
? ?
4.1.14 Remote Registry Service

?
Routing and Remote 4.1.15 Routing and Remote

Access Disabled (CIS:733) Access
?
Remote Shell Service

(CIS:24)
?
Simple TCP/IP Service

(CIS:25)
? ?
4.1.16 Simple Mail Transfer

Protocol (SMTP)
?
Management and 4.1.17 Simple Network

Monitoring Tools Installed - Management Protocol (SNMP)
SNMP Service (CIS:4071) Service
?
Management and 4.1.18 Simple Network

Monitoring Tools Installed - Management Protocol (SNMP)
SNMP Trap (CIS:4072) Trap
?
SSDP Discovery Service

Disabled (CIS:734)
?
Task Scheduler Check

(CIS:28) 4.1.19 Task Scheduler
?
23 - Telnet Disabled
(CIS:23) 4.1.20 Telnet
?
Terminal Services Disabled

(CIS:735) 4.1.21 Terminal Services
? ?
4.1.22 Universal Plug and Play

Device Host
?
Internet Information Sytem

Installed - World Wide Web 4.1.23 World Wide Web
Publishing (CIS:4067) Publishing Services
? ? 4.1 Available Services
(Permissions on services listed
here: Administrators: Full
Control; System: Read, Start,
Stop, and Pause)
Stop, and Pause)
Stop, and Pause)
Stop, and Pause)
Stop, and Pause)
Stop, and Pause)
?
File Shares (CIS:230)

Stop, and Pause)
Stop, and Pause)
Stop, and Pause)
Stop, and Pause)
Stop, and Pause)
Stop, and Pause)
?
Printer ACL (CIS:229)

? ?
? ?
4.1 Available Services
Stop, and Pause)
Stop, and Pause)
Stop, and Pause)
Stop, and Pause)
Stop, and Pause)
Stop, and Pause)
Stop, and Pause)
Stop, and Pause)
Stop, and Pause)
Stop, and Pause)
Stop, and Pause)
Network access: Do
not allow
anonymous
enumeration of SAM 3.1.3 Network Access: Do not
Restrict Anonymous value accounts and allow Anonymous Enumeration
(CIS:97) shares: Enabled of SAM Accounts and Shares
?
Network access: Do
not allow
anonymous 3.1.2 Network Access: Do not
enumeration of SAM allow Anonymous Enumeration
accounts: Enabled of SAM Accounts
?
Network access:
Allow anonymous 3.1.1 Network Access: Allow
SID/Name Anonymous SID/Name
translation: Disabled Translation
Anon Access to Application

log (CIS:78)
?
Anon Access to Security

log (CIS:79)
?
Anon Access to System log

(CIS:77)
Accounts: Guest
Guest Account Disabled account status: 3.2.1.2 Accounts: Guest Account
(CIS:29) Disabled Status
? Accounts:
Administrator
account status: 3.2.1.1 Accounts: Administrator
Enabled Account Status
?
Interactive logon:
Message title for 3.2.1.27 Interactive Logon:
users attempting to Message Title for Users
log on Attempting to Log On
?
Interactive logon:
Message test for
users attempting to 3.2.1.26 Interactive Logon:
log on: <Configure Message Text for Users
Locally> Attempting to Log On
? ?
3.2.2.9 Remove administrative

shares on workstation
(Professional)
?
CIS: Automatic Execution 3.2.2.2 Disable Automatic

of the System Debugger Execution of the System
value (CIS:749) Debugger
Admin Autologon password
values not exist: Interactive logon:
HKEY_LOCAL_MACHINE\ Allow Automatic
Software\Microsoft\Window Administator Logon
s -
NT\CurrentVersion\Winlogo HKEY_LOCAL_MA
n\DefaultPassword; Admin CHINE\Software\Mic
Autologon Value: rosoft\Windows
HKEY_LOCAL_MACHINE\ NT\CurrentVersion\
*\AutoAdminLogon Winlogon\AutoAdmi
(CIS:188, 189) nLogon = 0 3.2.2.6 Disable Automatic Logon
?
3.2.2.7 Disable automatic

CIS: Disable Reboot After reboots after a Blue Screen of
Crash value (CID:755) Death
?
3.2.2.3 Disable autoplay from

any disk type, regardless of
Autoplay value (CID:103) application
? ?
3.2.2.4 Disable autoplay for

current user
?
Disable Media Autoplay

(HKEY_USER-.Default 3.2.2.5 Disable autoplay for the
hive) Value (CID:752) default profile
? ? 3.2.2.8 Disable CD Autorun:
HKLM\System\CurrentControlSe
t\Services\Cdrom\Autorun
(REG_DWORD)
? ?
3.2.2.10 Protect against

Computer Browser Spoofing
Attacks
? ?
3.2.2.13 Ensure ICMP Routing

via shortest path first
? ?
3.2.2.11 Protect against source-

routing spoofing
? ?
3.2.2.17 Ensure Router

Discovery is Disabled
?
CIS: Enable IPSec secuiryt

for Kerberos RSVP Traffic 3.2.2.21 Enable IPSec to protect
value (CID:758) Kerberos RSVP Traffic
?
CIS: Allow Dr. Watson
Crash Dumps value 3.2.2.1 Suppress Dr. Watson
(CID:746) Crash Dumps
?
Interactive logon:
Do no display last
user name - 3.2.1.24 Interactive Logon: Do
Enabled Not Display Last User Name
3.2.2.22 Hide workstation from
? Network Browser listing:
CIS: Hide computer Name m\CurrentControlSet\Services\L
from other domain anmanserver\Parameters\Hidde
controllers value (CID:761) n
? ?
3.2.2.12 Protect the Default
Gateway network setting:
m\CurrentControlSet\Services\Tc
pip\Parameters\EnableDeadGW
Detect
? ?
3.2.2.15 Manage Keep-alive

times:
m\CurrentControlSEt\Services\T
cpip\Parameters\KeepAliveTime
? ?
3.2.2.19 SYN Attack protection
Manage TCP Maximum half-
open sockets:
pip\Parameters\TcpMaxHalfOpe
n
? ?
3.2.2.20 SYN Attack protection

Manage TCP Maximum half-
open retired sockets:
pip\Parameters\TcpMaxHalfOpe
nRetried
? ?
3.2.2.16 Protect Against

Malicious Name-Release
Attacks:
m\CurrentControlSet\Services\N
etbt\Parameters\NoNameReleas
eOnDemand
? ?
3.2.2.14 Help protect against
packet fragmentation:
pip\Parameters\EnablePMTUDis
covery
? ?
3.2.2.18 Protect against SYN
Flood attacks:
pip\Parameters\SynAttackProtec
t
Disable saving of dial up

password (CID:105)
3.2.2.23 Enable Safe DLL
Search Mode:
System objects: Set m\CurrentControlSet\Control\Se
Safe DLL Search Mode safe search path for ssion
value (CID:774) DLLs Manager\SafeDllSearchMode
?
Always Wait for the
Network at Computer
Startup and Logon
(CID:927)
?
Cached Profiles value
(CID:93)
?
Always Use Classic Logon
(CID:924)
?
Turn Off Background

Refresh of Group Policy
(CID:930)
?
Internet Connection
Sharing (CID:942)
?
Prohibit Installation and

Configuration of Network
Bridge on the DNS Domain
Network (CID:945)
?
Disallow Installation of
mode Drivers (CID:948)
Domain controller:
Allow server
operators to 3.2.1.15 Domain Controller:
schedule tasks: Not Allow Server Operators to
Defined Schedule Tasks
Accounts: Rename
administrator
Administrator Account account: 3.2.1.4 Accounts: Rename
Renamed (CID:30) Administrator Administrator Account
Accounts: Rename
Guest Account Renamed guest account: 3.2.1.5 Accounts: Rename
(CID:31) <Configure locally> Guest Account
Microsoft network
server: Amount of 3.2.1.35 Microsoft Network
Amount of idle time before idle time required Server: Amount of Idle Time
disconnecting value before suspending Required Before Disconnecting
(CID:213) session Session
?
Audit: Audit the

access of global
system objects: Not 3.2.1.6 Audit: Audit the access of
Defined global system objects
?
Audit: Audit the use

of Backup and
Restore privilege: 3.2.1.7 Audit: Audit the use of
Not Defined backup and restore privilege
?
Interactive logon:
Do not require
CTRL+ALT+DEL: 3.2.1.25 Interactive Logon: Do
Disabled not require CTRL+ALT+DEL
Network security:
LAN Manager
authentication level:
Send LM & NTLM -
use NTLMv2
LMCompatibility Value session security if 3.2.1.47 Network Security: LAN
(CID:123) negotiated Manager Authentication Level
Devices: Prevent
users from installing
Print Driver Installation printer drivers: 3.2.1.11 Devices: Prevent users
value (CID:99) Enabled from installing printer drivers
Recovery console:
Allow automatic 3.2.1.51 Recovery Console:
Recovery Console administrative Allow Automatic Administrative
Autologon value (CID:117) logon: Disabled Logon
Recovery console:
Allow floppy copy
and access to all 3.2.1.52 Recovery Console:
Recovery Console Full drives and all Allow Floppy Copy and Access
Access Value (CID:119) folders: Disabled to All Drives and All Folders
?
Devices: Restrict
CD-ROM access to 3.2.1.12 Devices: Restrict CD-
locally logged-on ROM Access to Locally Logged-
user only: Enabled On User Only
Devices: Restrict
floppy access to 3.2.1.13 Devices: Restrict
locally logged-on Floppy Access to Locally
Floppy Allocation (CID:89) user only: Enabled Logged-On User Only
System objects:
Strengthen default
permissions of
internal system
objects (e.g. 3.2.1.58 System objects:
Strength permissions on Symbolic Links): Strengthen default permissions
GSO value (CID:204) Enabled of internal system objects
Domain member:
Domain member: Require Require strong
strong (Windows 2000 or (Windows 2000 or 3.2.1.23 Domain Member:
later) session key value later) session key: Require Strong (Windows 2000
(CID:770) Enabled or later) Session Key
Microsoft network
client: Send 3.2.1.34 Microsoft Network
Send unencrypted unencrypted Client: Send Unencrypted
password to 3rd party SMB password to third- Password to Connect to Third-
value (CID:207) party SMB servers Party SMB Server
Devices: Unsigned
driver installation
Unsigned Driver Behavior behavior: Warn but 3.2.1.14 Devices: Unsigned
Value (CID:127) allow installation Driver Installation Behavior
Interactive logon:
Prompt user to
change password 3.2.1.29 Interactive Logon:
Password Expiration value before expiration: 14 Prompt User to Change
(CID:199) days Password Before Expiration
Audit: Shut down
system immediately
if unable to log 3.2.1.8 Audit: Shut Down system
Crash on audit fail Value security audits: immediately if unable to log
(CID:121) Disabled security alerts
Shutdown: Allow
system to be shut 3.2.1.53 Shutdown: Allow
Shutdown before logon down without having System to be Shut Down
Check (CID:217) to log on: Enabled Without Having to Log On
? ?
Shutdown: Clear
Clear Pagefile value virtual memory 3.2.1.54 Shutdown: Clear Virtual
(CID:101) pagefile: Disabled Memory Pagefile
?
Microsoft network
client: Digitally sign 3.2.1.32 Microsoft Network
communications Client: Digitally sign
(always) communications (always)
Microsoft network 3.2.1.33 Microsoft Network

client: Digitally sign Client: Digitally sign
Enable Security Signature communications (if communications (if server
Value (CID:113) server agrees) agrees)
?
Microsoft network
server: Digitally sign 3.2.1.36 Microsoft Network
communications Server: Digitally sign
(always) communications (always)
?
Microsoft network
server: Digitally sign 3.2.1.37 Microsoft Network
communications (if Server: Digitally sign
client agrees): communications (if client
Enabled agrees)
Interactive logon:
Number of previous
logons to cache (in
case domain 3.2.1.28 Interactive Logon:
Logon Caching value controller is not Number of Previous Logons to
(CID:91) available): 0 logons Cache
Devices: Allowed to
format and eject 3.2.1.10 Devices: Allowed to
NTFS Media Ejection value removable media: format and eject removable
(CID:2010) Administrators media
Domain member:
Digitally encrypt or
Digitally encrypt or sign sign secure channel 3.2.1.18 Domain Member:
secure channel data data (always): Not Digitally Encrypt or Sign Secure
(always) value (CID:743) Defined Channel Data (Always)
Domain member:
Digitally encrypt
secure channel data 3.2.1.19 Domain Member:
Sign Secure Channel (when possible): Digitally Encrypt Secure
Traffic Value (CID:109) Enabled Channel Data (When Possible)
Domain member:
Digitally sign secure 3.2.1.20 Domain Member:
Sign Secure Channel channel data (when Digitally Sign Secure Channel
Traffic Value (CID:107) possible): Enabled Data (When Possible)
Interactive logon:
Smart card removal
Smart Card Removal behavior: Lock 3.2.1.31 Interactive Logon:
Behavior Value (CID:125) Workstation Smart Card Removal Behavior
Domain member:
Disable machine 3.2.1.21 Domain Member:
Disable password change account password Disable Machine Account
Value (CID:111) changes:Disabled Password Changes
System
cryptography: Use
FIPS compliant
Use FIPS compliant algorithms for 3.2.1.55 System Cryptography:
algorithms for encryption, encryption, hashing, Use FIPS compliant algorithms
hashing, and signing and signing: for encryption, hashing, and
(CID:804) Enabled signing
System objects:
Default owner for
objects created by
Default owner for objects members of the 3.2.1.56 System objects: Default
created by members of the Administrators owner for objects created by
Administrators group group: Object members of the Administrators
(CID:807) Creator group
System objects:
Require case
System Object: Require insensitivity for non-
Case Insensitivity for Non- Windows 3.2.1.57 System objects:
Windows Subsystems subsystems: Require case insensitivity for
(CID:810) Enabled non-Windows subsystems
Accounts: Limit local

account user of
blank passwords to 3.2.1.3 Accounts: Limit local
Limit Blank Passwords console logon only: account use of blank passwords
value (CID:764) Enabled to console logon only
?
Devices: Allow
undock without
having to log on: 3.2.1.9 Devices: Allow undock
Disabled without having to log on
?
Domain controller:
LDAP server signing 3.2.1.16 Domain Controller:
requirements: Not LDAP Server Signing
Defined Requirements
Network security: 3.2.1.48 Network Security:
LDAP client signing LDAP client signing LDAP client signing
requirements (CID:795) requirements requirements
?
Domain controller:
Refuse machine 3.2.1.19(note: different
account password enumeration) Domain Controller:
changes: Not Refuse machine account
Defined password changes
Domain member:
Accounts: Maximum Maximum machine 3.2.1.22 Domain Member:
machine account password account password Maximum Machine Account
age value (CID:767) age: 7 Days Password Age
Interactive logon:
Require Domain
Domain Controller Controller 3.2.1.30 Interactive Logon:
Authentication to Unlock authentication to Require Domain Controller
Workstation Value unlock workstation: authentication to unlock
(CID:777) Enabled workstation
Microsoft network
server: Disconnect
Automatically log off user clients when logon 3.2.1.38 Microsoft Network
when logon time expires hours expire: Server: Disconnect clients when
value (CID:210) Enabled logon hours expire
Do not allow storage of

credentials or .NET Network access: Do 3.2.1.39 Network Access: Do not
Passports for network not allow storage of allow storage of credentials
authentication value credentials or .NET or .NET passports for network
(CID:780) Passports: Enabled authentication
Network access: Let
Everyone
Let Everyone permissions permissions apply to 3.2.1.40 Network Access: Let
apply to anonymous users anonymous users: Everyone permissions apply to
Value (CID:783) Disabled anonymous users
?
Network access:
Named Pipes that
can be accessed 3.2.1.41 Network Access:
anonymously: Not Named pipes that can be
Defined accessed anonymously
?
Network access:
Remotely accessible
registry paths:
Classic - local users 3.2.1.42 Network Access:
authenticate as Remotely accessible registry
themselves paths
?
Network access:
Shares that can be
accessed 3.2.1.43 Network Access:
anonymously: Not Shares that can be accessed
Defined anonymously
Network access:
Sharing and security
model for local
accounts: Classic -
Sharing and security model local users 3.2.1.44 Network Access:
for local accounts Value authenticate as Sharing and security model for
(CID:786) themselves local accounts
Network security:
Do not store LAN Manager Do not store LAN 3.2.1.45 Network Security: Do
hash value on next Manager hash value not store LAN Manager
password change on next password password hash value on next
(CID:789) change: Enabled password change
Network security:
Force logoff when 3.2.1.46 Network Security:
Logon Time Enforcement logon hours expire: Force logoff when logon hours
(CID:46) Enabled expire
Network security:
Minimum session
security for NTLM
SSP based
(including secure
RPC) clients:
Require NTLMv2 3.2.1.49 Network Security:
Minimum session security session security, Minimum session security for
for NTLM SSP based Require 128-bit NTLM SSP based (including
clients (CID:798) encryption secure RPC) clients
Network security:
Minimum session
security for NTLM
SSP based
(including secure
RPC) servers:
Require NTLMv2 3.2.1.50 Network Security:
Minimum session security session security, Minimum session security for
for NTLM SSP based Require 128-bit NTLM SSP based (including
servers (CID:801) encryption secure RPC) servers
Chapter 10:
Modifying File
System Security
Non-NTFS Partition Settings with 4.3.1 Ensure volumes are using
(CID:10) Security Templates the NTFS file system
?
Default user scrnsave.exe
(CID:67)
?
Default user screensaver

timeout (CID:68, 71)
?

secure (CID:69)
?

active (CID:70)
?
Current user scrnsave.exe

(CID:76)
?
Current user screensaver

timeout (CID:74)
?

secure (CID:72)
?

active (CID:73)
Always Install with

Elevated Privileges
(CID:888)
Disable IE Security Prompt
for Windows Installer
Scripts (CID:891)
Enable User Control Over

Installs (CID:894)
Enable User to Use Media

Source While Elevated
(CID:900)
Allow Admin to Install from

Terminal Services Session
(CID:906)
Enable User to Patch

Elevated Products
(CID:903)
Cache Transforms in
Secure Location on
Workstation (CID:908)
Disable Media Player for

XP automatic Updates
(CID:912)
?
951 - Prevent Codec

Download
?
Do Not Allow Windows
Messenger to be Run
(CID:915)
?
918 - Do Not Automatically

Start Windows Messenger
Initially
Prohibit New Task Creation

(CID:843) ?
Limit Users to One Remote Limit users to one

Session (CID:849) remote session
Limit Number of Limit number of

Connections (CID:852) connections
Do Not Allow New Client Do not allow new

Connections (CID:855) client connections
Do not allow local

Do Not Allow Local administrator to
Administrators to customize
Customize (CID:858) permissions
Remote Control Settings Remote control
(CID:861) settings
Always Prompt Client for Always prompt client

Password upon for password upon
Connection (CID:864) connection
Set client
Set Client Connection connection
Encryption (CID:867) encryption level
Do Not Use Temp Folders Do not use temp

per Session (CID:870) folders per session
Do Not Delete Temp Folder Do not delete temp

upon Exit (CID:873) folder upon exit
Set Time Limit for Set time limit for

Disconnected Sessions disconnected
(CID:876) sessions
Set Time Limit for Idle Set time limit for idle
Sessions (CID:879) sessions
Allow Reconnection from Allow reconnection

Original Client Only from original client
(CID:882) only
Terminate Session When Terminate session

Time Limits are Reached when time limits are
(CID:885) reached
?
Keep-Alive Messages
(CID:846)
?
Solicited Remote
Assistance (CID:933)
?
Unsolicited Remote
Assistance (CID:936)
Report Errors (CID:939)
?
Enforce user logon
restrictions
(Enabled)
?
Maximum lifetime
for service ticket
(600 minutes)
?
Maximum lifetime
for user ticket (10
hours)
? Maximum lifetime
for user ticket
renewal (7 days)
?
Maximum tolerance
for computer clock
synchronization (5
minutes)
5.1.1.1 RPC
Endpiont Mapper
Client Authentication
(SP2 only)
5.1.1.2 Restrictions
for Unauthenticated
RPC clients (SP2
only)
5.2.1.1.1.1 Protect
all network
connections (SP2
only)
5.2.1.1.1.2 Do not
allow exceptions
(SP2 only)
5.2.1.1.1.3 Allow
local program
exceptions
5.2.1.1.1.4 Allow
remote
administration
5.2.1.1.1.5 Allow file

and printer sharing
exception (SP2 only)
5.2.1.1.1.6 Allow
ICMP exceptions
(SP2 only)
5.2.1.1.1.7 Allow
Remote Desktop
5.2.1.1.1.8 Allow
UPnP framework
5.2.1.1.1.9 Prohibit
notifications
5.2.1.1.1.10 Log
dropped packets
(SP2 only)
5.2.1.1.1.11 Log file

path and name (SP2
only)
5.2.1.1.1.12 Log file
size limit (SP2 only)
5.2.1.1.1.13 Log
successful
connections (SP2
only)
5.2.1.1.1.14 Prohibit
unicast response to
multicast or
broadcast (SP2
only)
5.2.1.1.1.15 Define
port exceptions (SP2
only)
5.2.1.1.16 Allow
local port exceptions
(SP2 only)
5.2.1.1.2.1 Protect
all network
connections (SP2
only)
5.2.1.1.2.2 Do not
allow exceptions
(SP2 only)
5.2.1.1.2.3 Allow
local program
exceptions (SP2
only)
5.2.1.1.2.4 Allow
remote
administration
5.2.1.1.2.4 Allow file

and printer sharing
5.2.1.1.2.6 Allow
ICMP exceptions
(SP2 only)
5.2.1.1.2.7 Allow
Remote Desktop
5.2.1.1.2.8 Allow
UPnP framework
5.2.1.1.2.9 Prohibit
notifications (SP2
only)
5.2.1.1.2.10 Log
Dropped Packets
(SP2 only)
5.2.1.1.2.11 Log file

path and name (SP2
only)
5.2.1.1.2.12 Log file

size limit (SP2 only)
5.2.1.1.2.13 Log
Successful
Connections (SP2
only)
5.2.1.1.2.14 Prohibit
unicast response to
multicast or
broadcast (SP2
only)
5.2.1.1.2.15 Define
port exceptions (SP2
only)
5.2.1.1.2.16 Allow
local port exceptions
(SP2 only)
5.2.1.1. Windows
Firewall
Disable Periodic Check for
Internet Explorer Software
Updates (CID:834)
Disable Automatic Install of
Internet Explorer
Components (CID:831)
NIST 800-68
CIS WXP Pro NIST 800-68
NIST 800-68 Windows XP
Benchmark Windows XP OVAL
Windows XPPDF XCCDF (NIST-800-
v2.01 OVAL (NIST-800-68-53-
(SP800-68- 68-53-
(cis-winxp- WinXPPro_OVAL_
20051102.pdf) WinXPPro_XCCDF
oval.xml) 10102006.xml)
_10102006.xml)
%SystemRoot
%\system32\regedit.exe
Table: 9.19 Value:
Administrators: Full
System: Full regedit.exePermissions oval:gov.nist.1:def:146
%SystemRoot
%\system32\arp.exe
Table: 9.1 Value:
System: Full arp.exePermissions oval:gov.nist.1:def:128
%SystemRoot
%\system32\at.exe Table:
9.2 Value: Administrators:
%SystemRoot
Full System: Full at.exePermissions oval:gov.nist.1:def:129
%\system32\attrib.exe
Table: 9.3 Value:
System: Full attrib.exePermissions oval:gov.nist.1:def:130
%SystemRoot
%\System32\cacls.exe
Table: 9.4 Value:
System: Full cacls.exePermissions oval:gov.nist.1:def:131
%SystemRoot
%\System32\debug.exe
Table: 9.5 Value:
System: Full oval:gov.nist.1:def:132 debug.exePermissions
%SystemRoot
%\system32\edlin.exe
Table: 9.6 Value:
System: Full edlin.exePermissions oval:gov.nist.1:def:133
%SystemRoot
%\system32\eventcreate.
exe Table: 9.7 Value:
Administrators: Full eventcreate.exePermission
System: Full s oval:gov.nist.1:def:134
%SystemRoot
%\System32\eventtriggers eventtriggers.exePermissio
.exe Table: 9.8 Value: 9.8 ns oval:gov.nist.1:def:135
%SystemRoot
%\system32\ftp.exe
Table: 9.9 Value:
System: Full ftp.exePermissions oval:gov.nist.1:def:136
%SystemRoot
%\system32\nbtstat.ex
e Table: 9.10 Value:
System: Full nbtstat.exePermissions oval:gov.nist.1:def:137
%SystemRoot
%\system32\net.exe
Table: 9.11 Value:
System: Full net.exePermissions oval:gov.nist.1:def:138
%SystemRoot
%\system32\net1.exe
Table: 9.12 Value:
System: Full net1.exePermissions oval:gov.nist.1:def:139
%SystemRoot
%\system32\netsh.exe
Table: 9.13 Value:
System: Full netsh.exePermissions oval:gov.nist.1:def:140
%SystemRoot
%\system32\netstat.ex
System: Full netstat.exePermissions oval:gov.nist.1:def:141
%SystemRoot
%\system32\nslookup.
System: Full nslookup.exePermissions oval:gov.nist.1:def:142
%SystemRoot
%\system32\Ntbackup.
System: Full ntbackup.exePermissions oval:gov.nist.1:def:143
%SystemRoot
%\system32\rcp.exe
Table: 9.17 Value:
System: Full rcp.exePermissions oval:gov.nist.1:def:144
%SystemRoot
%\system32\reg.exe
Table: 9.18 Value:
System: Full reg.exePermissions oval:gov.nist.1:def:145
%SystemRoot
%\system32\Regedt32.ex
System: Full regedt32.exePermissions oval:gov.nist.1:def:147
%SystemRoot
%\system32\regini.exe
Table: 9.21 Value:
System: Full regini.exePermissions oval:gov.nist.1:def:148
%SystemRoot
%\system32\regsvr32.exe
Table: 9.22 Value:
System: Full regsvr32.exePermissions oval:gov.nist.1:def:149
%SystemRoot
%\system32\rexec.exe
Table: 9.23 Value:
System: Full rexec.exePermissions oval:gov.nist.1:def:150
%SystemRoot
%\system32\route.exe
Table: 9.24 Value:
System: Full route.exePermissions oval:gov.nist.1:def:151
%SystemRoot
%\system32\rsh.exe
Table: 9.25 Value:
System: Full rsh.exePermissions oval:gov.nist.1:def:152
%SystemRoot
%\system32\sc.exe Table:
9.26 Value:
System: Full sc.exePermissions oval:gov.nist.1:def:153
%SystemRoot
%\system32\secedit.exe
Table: 9.27 Value:
System: Full secedit.exePermissions oval:gov.nist.1:def:154
%SystemRoot
%\system32\subst.exe
Table: 9.28 Value:
System: Full subst.exePermissions oval:gov.nist.1:def:155
%SystemRoot
%\system32\systeminfo.e
xe Table: 9.29 Value:
System: Full systeminfo.exePermissions oval:gov.nist.1:def:156
%SystemRoot
%\system32\telnet.exe
Table: 9.30 Value:
System: Full telnet.exePermissions oval:gov.nist.1:def:157
%SystemRoot
%\system32\tftp.exe
Table: 9.31 Value:
System: Full tftp.exePermissions oval:gov.nist.1:def:158
%SystemRoot
%\system32\tlntsvr.exe
Table: 9.32 Value:
System: Full tlntsvr.exePermissions oval:gov.nist.1:def:159
Deny access to this
computer from the
network Table: 4.15 Value:
Guests, SUPPORT DenyAccessFromNetwork oval:gov.nist.1:def:175
Access this computer AccessComputerFromNet

from the network Table: work,
4.1 Value: Administrators, AccessComputerFromNet oval:gov.nist.1:def:161,
not defined workUsers oval:gov.nist.1:def:231
Act as part of the

operating system Table: ActAsPartOfOperatingSyst
4.2 Value: none em oval:gov.nist.1:def:162
Back up files and BackUpFilesAndDirectorie

directories Table: 4.7 s,
Value: Administrators, not BackUpFilesAndDirectorie oval:gov.nist.1:def:167,
defined sOperators oval:gov.nist.1:def:234
Bypass traverse checking

Table: 4.8 Value:
Administrators, Users, not
defined BypassTraverseChecking oval:gov.nist.1:def:168
Change the system time
Table: 4.9 Value:
Administrators ChangeSystemTime oval:gov.nist.1:def:169
Create pagefile Table:

4.10 Value: Administrators CreatePagefile oval:gov.nist.1:def:170
Create a token object

Table: 4.11 Value: None,
not defined CreateTokenObject oval:gov.nist.1:def:171
Create permanent share

objects Table: 4.13 Value: CreatePermanentSharedO
None, not defined bjects oval:gov.nist.1:def:172
Debug programs Table:

4.14 value: None,
Administrators DebugPrograms oval:gov.nist.1:def:173
Force shutdown from a

remote system Table: 4.21 ShutdownFromRemoteSys
Value: Administrators tem oval:gov.nist.1:def:180
Generate security audits

Table: 4.22 Value: LOCAL
SERVICE, NETWORK
SERVICE GenerateSecurityAudits oval:gov.nist.1:def:181
Adjust memory quotas for

a process Table: 4.4
Value: Administrators,
LOCAL SERVICE,
NETWORK SERVICE AdjustMemoryQuotas oval:gov.nist.1:def:164
Increase scheduling
priority Table: 4.24 Value:
Administrators IncreaseSchedulingPriority oval:gov.nist.1:def:182
Load and unload device

drivers Table: 4.25 Value: LoadAndUnloadDeviceDriv
Administrators ers oval:gov.nist.1:def:183
Lock pages in memory

Table: 4.26 Value: none LockPagesInMemory oval:gov.nist.1:def:184
Log on as a batch job

Table: 4.27 Value: none,
not defined LogOnAsBatchJob oval:gov.nist.1:def:185
Log on as a service Table:

4.28 Value: LOCAL
SERVICE, NETWORK
SERVICE LogOnAsService oval:gov.nist.1:def:186
Allow log on locally Table: AllowLogOnLocally,

4.5 Value: Users, AllowLogOnLocallyAuthent oval:gov.nist.1:def:165,
Administrators icatedUsers oval:gov.nist.1:def:233
ManageAuditingAndSecurit
Manage auditing and yLog,
security log Table: 4.29 ManageAuditingAndSecurit oval:gov.nist.1:def:187,
Value: Administrators yLogNone oval:gov.nist.1:def:235
Modify firmware
environment values Table: ModifyFirmwareEnvironme
4.30 Value: Administrators ntValues oval:gov.nist.1:def:188
Profile single process
Table: 4.32 Value:
Administrators ProfileSingleProcess oval:gov.nist.1:def:190
Profile system
performance Table: 4.33
Value: Administrators ProfileSystemPerformance oval:gov.nist.1:def:191
Remove computer from RemoveComputerFromDo

docking station Table: ckingStation,
4.34 Value: Users, RemoveComputerFromDo oval:gov.nist.1:def:192,
Administrators ckingStationNone oval:gov.nist.1:def:236
Replace a process-level
token Table: 4.35 Value:
LOCAL SERVICE, ReplaceProcessLevelToke
NETWORK SERVICE n oval:gov.nist.1:def:193
Restore files and

directories Table: 4.36 RestoreFilesAndDirectorie
Value: Administrators s oval:gov.nist.1:def:194
Shut down the system

Table: 4.37 Value: Users,
Administrators ShutDownSystem oval:gov.nist.1:def:195
Take ownership of files

and other objects Table:
4.39 Value: Administrators TakeOwnershipOfFiles oval:gov.nist.1:def:196
Syncronize directory
service data Table: 4.38 SynchronizeDirectoryServi
Value: not defined ceData oval:gov.nist.1:def:238
Deny logon locally Table:

4.18 Value: Guests,
SUPPORT_388945a0,
any service accounts DenyLogonLocally oval:gov.nist.1:def:177
Enable computer and

user accounts to be
trusted for delegation
Table: 4.20 Value: none, AccountsTrustedForDelega
not defined tion oval:gov.nist.1:def:179
AddWorkstationsToDomain
Add workstations to ,
domain Table: 4.3 Value: AddWorkstationsToDomain oval:gov.nist.1:def:163,
Administrators None oval:gov.nist.1:def:232
Allow logon through

Terminal Services Table:
4.6 Value: none, not AllowLogOnThroughTermin
defined alServices oval:gov.nist.1:def:166
Deny logon as a batch job

Table: 4.16 Value: Guests,
SUPPORT_388945a0 DenyLogonAsBatchJob oval:gov.nist.1:def:176
Deny logon as a service

Table: 4.17 Value: not
defined *** ***
Deny logon through
Terminal Services Table:
4.19 Value: Everyone, not DenyLogonThroughTermin
defined alServices oval:gov.nist.1:def:178
Profile volume
maintenance tasks Table: PerformVolumeMaintenanc
4.31 Value: Administrators eTasks oval:gov.nist.1:def:189
Reset account lockout

counter after Table: 2.3
value: 15 AccountLockoutReset oval:gov.nist.1:def:26
Account lockout duration

Table: 2.1 Value: 15 AccountLockoutDuration oval:gov.nist.1:def:23
Account lockout threshold

Table: 2.2 Value: 10, 50 AccountLockoutThreshold oval:gov.nist.1:def:24
Audit account logon

events Table: 3.1 Value:
success, success and
failure AuditAccountLogin oval:gov.nist.1:def:27
Audit account logon
events Table: 3.1 Value:
success, success and
failure AuditAccountLogin oval:gov.nist.1:def:27
Audit account
management Table: 3.2
Value success, failure AuditAccountManagement oval:gov.nist.1:def:29
Audit account
management Table: 3.2
Value success, failure AuditAccountManagement oval:gov.nist.1:def:29
Audit directory service

acces Table: 3.3 Value:
not defined Not applicable Not applicable
Audit directory service

acces Table: 3.3 Value:
not defined Not applicable Not applicable
Audit logon events Table:

3.4 Value: success,
success and failure AuditLogonEvents oval:gov.nist.1:def:32
Audit logon events Table:

3.4 Value: success,
success and failure AuditLogonEvents oval:gov.nist.1:def:32
Audit object access Table:
3.5 Value: failure, no
auditing AuditObjectAccess oval:gov.nist.1:def:34
Audit object access Table:

auditing AuditObjectAccess oval:gov.nist.1:def:34
Audit policy change Table: AuditPolicyChangesSucce

3.6 Value: success ssOnly oval:gov.nist.1:def:35
Audit policy change Table: AuditPolicyChangesSucce

3.6 Value: success ssOnly oval:gov.nist.1:def:35
Audit privilege use Table:

auditing AuditPrivilegeUse oval:gov.nist.1:def:36
Audit privilege use Table:

auditing AuditPrivilegeUse oval:gov.nist.1:def:36
Audit process tracking

Table: 3.8 Value: no
auditing AuditProcessTracking oval:gov.nist.1:def:40
Audit process tracking

Table: 3.8 Value: no
auditing AuditProcessTracking oval:gov.nist.1:def:40
Audit system events AuditSystemEventsSucces
Table: 3.9 Value: success sOnly oval:gov.nist.1:def:37
Audit system events AuditSystemEventsSucces

Table: 3.9 Value: success sOnly oval:gov.nist.1:def:37
Prevent local guestsgroup

from accessingapplication
log Table: 6.4 Value: PreventGuestApplicationLo
enabled gAccess oval:gov.nist.1:def:200
Maximum Application log

size Table: 6.1 Value: MaximumApplicationLogSi
16384 kilobytes ze oval:gov.nist.1:def:197
Retain application log

defined
Retention method for
application log Table: 6.10 ApplicationLogRetentionM
Value: as needed ethod oval:gov.nist.1:def:203

from accessingsecurity
log Table: 6.5 Value: PreventGuestSecurityLogA
enabled ccess oval:gov.nist.1:def:201
Maxium security log size

Table: 6.2 Value: 81920
kilobytes MaximumSecurityLogSize oval:gov.nist.1:def:198
Retain security log

defined
Retention method
forsystem log Table: 6.11 SecurityLogRetentionMeth
Value: as needed od oval:gov.nist.1:def:204

from accessingsystem log PreventGuestSystemLogA
Table: 6.6 Value: enabled ccess oval:gov.nist.1:def:202
Maximum system log size

kilobytes MaximumSystemLogSize oval:gov.nist.1:def:199
Retain system log

defined
Retention method for
system log Table: 6.12 SystemLogRetentionMe
Value: not defined thod oval:gov.nist.1:def:205
Maximum password age

Table: 1.2 Value: 90 MaximumPasswordAge oval:gov.nist.1:def:17
Minimum password age

Table: 1.3 Value: 1 MinimumPasswordAge oval:gov.nist.1:def:18
Minimum password length

Table: 1.4 Value: 12, 8 MinimumPasswordLength oval:gov.nist.1:def:19
Password must meet

complexity requirements
Table: 1.5 Value: enabled PasswordComplexity oval:gov.nist.1:def:21
Enforce password history PasswordHistoryEnforcem

Table: 1.1 Value: 24 ent oval:gov.nist.1:def:16
Store passwrd using

reversible encryptin for all
users in the domain Table: PasswordStorageReversibl
1.6 Value: disabled eEncryption oval:gov.nist.1:def:22
Alerter Service Table: 8.1
Value: disabled AlerterService oval:gov.nist.1:def:209
Automatic update service

defined *** ***
Background Intelligent
Transfer Service Table:
8.5 Value: not defined *** ***
ClipBook service Table:

8.6 Value: disabled ClipBookService oval:gov.nist.1:def:210
Computer Browswer
Service Table: 8.9 Value:
disabled BrowserService oval:gov.nist.1:def:211
Fast User
SwitchingCompatibility
defined
Fax Servce Table: 8.18

Value: disabled FaxService oval:gov.nist.1:def:212
FTP Publishing Service

Table: 8.19 Value:
disabled FTPPublishingService oval:gov.nist.1:def:213
IIS Admin service Table:

8.22 Value: disabled IISAdminService oval:gov.nist.1:def:214
Indexing Service Table:
8.24 Value: disabled IndexingService oval:gov.nist.1:def:215
Messenger service Table:

8.30 Value: disabled MessengerService oval:gov.nist.1:def:216
Net Logon service Table:

8.32 Value: not defined
Net meeting Remote

Desktop Sharing Table: NetMeetingRemoteDeskto
8.33 Value: disabled pSharingService oval:gov.nist.1:def:217
Remote Access Auto

Connection Manager
defined
Remote Desktop Help

Session Manager Table: RemoteDesktopHelpSessi
8.47 Value: disabled onManagerService oval:gov.nist.1:def:218
Internet
ConnectionFirewall
(ICF)/InternetConnection
Sharing(ICS) Table: 8.26
Value: not defined
Remote Registery service

defined
Routing and Remote

Access service Table: RoutingAndRemoteAccess
8.52 Value: disabled Service oval:gov.nist.1:def:219
Simple Mail
TransferProtocol
(SMTP) Table: 8.59
Value: disabled SMTPService oval:gov.nist.1:def:220
Simple
NetworkManagement
Protocol(SNMP) Service
Table: 8.60 Value:
disabled SNMPService oval:gov.nist.1:def:221
Simple
NetworkManagement
Protocol(SNMP) Trap
Table: 8.61 Value:
disabled SNMPTrap oval:gov.nist.1:def:222
Simple ServiceDiscovery
Protocol(SSDP)
DiscoveryService Table:
8.62 Value: disabled SSDPService oval:gov.nist.1:def:223
Task Scheduler service

Table: 8.65 Value:
disabled TaskSchedulerService oval:gov.nist.1:def:224
Telnet service Table: 8.68

Value: disabled TelnetService oval:gov.nist.1:def:225
Terminal Services service

Table: 8.69 Value:
disabled TerminalServicesService oval:gov.nist.1:def:226
Universal Plug and Play

Device Host Disabled
Table: 8.73 Value: Not UniversalPlugAndPlayDevi
defined ceHostService oval:gov.nist.1:def:227
World Wide Web

Publishing Services Table: WWWPublishingServicesS
8.85 Value: Disabled ervice oval:gov.nist.1:def:228
Print Spooler service
defined
Plug and Play service
defined
Network access: Do
notallow
anonymousenumeration
of SAMaccounts and
shares Table: 5.45 Value: AnonymousEnumerationOf
enabled AccountsAndShares oval:gov.nist.1:def:88
Network access: Do
notallow
anonymousenumeration
of SAMaccounts Table: AnonymousEnumerationOf
5.44 Value: enabled Accounts oval:gov.nist.1:def:87
Network access:
Allowanonymous
SID/Nametranslation
Table: 5.43 Value:
disabled
Accounts: Guestaccount
status Table: 5.2 Value:
disabled GuestAccountStatus oval:gov.nist.1:def:243
Accounts:
Administratoraccount
status Table: 5.1 Value: AdministratorAccountStatu
enabled s oval:gov.nist.1:def:242
Interactive logon:
Messagetitle for users
attempting tolog on
Table: 5.30 Value:
<DoJ Approved> LogonMessageTitle oval:gov.nist.1:def:71
Interactive logon:
Messagetext for users
attempting tolog on Table:
5.29 Value: <DoJ
approved> LogonMessageText oval:gov.nist.1:def:70
MSS:
(AutoShareWks)Enable
AdministrativeShares
defined
MSS:
(AutoAdminLogon)Enable
Automatic Logon Table:
5.70 Value: disabled AutomaticLogonDisabled oval:gov.nist.1:def:110
MSS: (AutoReboot)
AllowWindows to
automaticallyrestart after
a system crash Table:
MSS:
(NoDriveTypeAutoRun)Di
sable Autorun for alldrives DisableAutorunForAllDrive
Table: 5.80 Value: 255 s
MSS:
(EnableICMPRedirect)Allo
w ICMP redirects
tooverride OSPF
generatedroutes Table: AllowICMPRedirectsDisabl
5.76 Value: disabled ed oval:gov.nist.1:def:113
MSS:
(DisableIPSourceRouting)
IP source routing
protectionlevel Table: 5.73
Value:
Highestprotection,source
routingis IPSourceRoutingProtection
completelydisabled Level oval:gov.nist.1:def:111
MSS:
(PerformRouterDiscovery)
Allow IRDP to detect
andconfigure
DefaultGatewayaddresse
s Table: 5.83 Value:
enabled
MSS: RouterDiscovery oval:gov.nist.1:def:121
(NoDefaultExempt)Enable
NoDefaultExemptfor
IPSec Filtering Table: 5.79
Value: Multicast,
broadcast, and ISAKMP NoDefaultExemptForIPSec
are exempt Filtering oval:gov.nist.1:def:116
oval:gov.nist.1:def:117
Interactive logon: Do
notdisplay last user name
Table: 5.27 Value: LastUserNameNotDisplaye
enabled dForLogon oval:gov.nist.1:def:68
MSS: (Hidden)
HideComputer From the
BrowseList Table: 5.77
Value: enabled HideFromBrowseList oval:gov.nist.1:def:114
MSS:
(EnableDeadGWDetect)Al
low automatic detectionof
dead network gateways
Table: 5.75 Value: AutomaticDetectionOfDead
disabled GWs oval:gov.nist.1:def:112
MSS:
(KeepAliveTime)How
often keep-alivepackets
are sent inmilliseconds
Table: 5.78 Value:
300,000ms (5 minutes) KeepAliveTime oval:gov.nist.1:def:115
MSS:
(NoNameReleaseOnDem
and) Allow the computer
toignore NetBIOS
namerelease requests
exceptfrom WINS servers
Table: 5.81 Value:
enabled NameReleaseRequests oval:gov.nist.1:def:118
MSS: (SynAttackProtect)
Syn attact protection level
Table: 5.86 Value:
Connections time out
sooner if attack is
detected (1) SynAttackProtectionLevel oval:gov.nist.1:def:124
MSS: (WarningLevel)
Percentage threshold for
the security event log at
which the system will
generate a warning Table: EventLogThresholdWarnin
5.89 Value: 90 g oval:gov.nist.1:def:127
MSS:
(DisableSavePassword)Pr
event the dial-uppassword
from being saved Table:
MSS:
(SafeDllSearchMode)Ena
ble Safe DLL searchmode
Table: 5.84 value: enabled SafeDLLSearchMode oval:gov.nist.1:def:122
Domain controller: Allow
server operators to
schedule tasks Table:
Accounts: Rename
administrator account
defined
Accounts: Rename guest

account Table: 5.5 Value:
not defined
Microsoft network
server:Amount of idle
timerequired before
suspendingsession Table:
5.39 Value: 15 minutes SessionTimeout oval:gov.nist.1:def:83
Audit: Audit the access of

global system objects AuditAccessToGlobalObjec
Table: 5.6 Value: disabled ts oval:gov.nist.1:def:45
Audit: Audit the use of

backup and restore
privilege Table: 5.7 Value: AuditBackupAndRestorePri
disabled vilegeDisabled oval:gov.nist.1:def:52
Interactive logon: Do
notrequire
CTRL+ALT+DEL Table:
5.28 Value: diabled RequireCTRL_ALT_DEL oval:gov.nist.1:def:69
Network security:
LANManager
authenticationlevel Table:
5.55 Value: Send
NTLMv2responseonly\ref LANManagerAuthenticatio
use LM& NTLM or Send nRefuseLM,
NTLMv2 response LANManagerAuthenticatio oval:gov.nist.1:def:97,
only\refuse LM nRefuseLM_NTLM oval:gov.nist.1:def:96
Devices: Prevent users

from installing priter
drivers Table: 5.13 Value: PreventUsersFromInstallin
enabled or disabled gPrinterDrivers oval:gov.nist.1:def:56
Recovery console:
Allowautomatic
administrativelogon Table: RecoveryConsoleAutoLog
5.59 Value: disabled on oval:gov.nist.1:def:101
Recovery console:
Allowfloppy copy and
access toall drives and all
folders Table: 5.60 Value: RecoveryConsoleFullSyste
disabled mAccess oval:gov.nist.1:def:102
Devices: Restrict CD-
ROM access to locally
logged-on user only Table: RecoveryConsoleFullSyste
5.14 Value: disabled mAccess oval:gov.nist.1:def:102
Devices: Restrict floppy

access to locally logged-
on user only Table: 5.15 RestrictFloppyAccessDisa
Value: disabled bled oval:gov.nist.1:def:59
System objects:
Strengthendefault
permissions ofinternal
system objects(e.g.
Symbolic Links) Table: InternalSystemObjectsPer
5.67 Value: enabled missions oval:gov.nist.1:def:109
Domain member:
Requirestrong (Windows
2000 orlater) session key
Table: 5.25 Value:
enabled RequireStrongSessionKey oval:gov.nist.1:def:66
Microsoft network
client:Send
unencryptedpassword to
third-partySMB servers
Table: 5.38 Value: UnencryptedSMBPasswor
disabled ds oval:gov.nist.1:def:82
Devices: Unsigned driver

installation behavior
Table: 5.16 Value: warn UnsignedDriverInstallation
but allow isntallation Warning oval:gov.nist.1:def:60
Interactive logon:
Promptuser to change
passwordbefore
expiration Table: 5.32
Value: 14 days PasswordExpirationPrompt oval:gov.nist.1:def:74
Audit: Shut down system
immediately if unable to
log security audits Table:
Shutdown: Allow system

tobe shut down
withouthaving to log on
Table: 5.61 Value:
disabled ShutdownWithoutLogon oval:gov.nist.1:def:103
Shutdown: Clear
virtualmemory pagefile
Table: 5.62 Value:
enabled ClearPagefileOnShutdown oval:gov.nist.1:def:104
Microsoft network
client:Digitally
signcommunications
(always) Table: 5.36 ClientAlwaysSignCommuni
Value: enabled cations oval:gov.nist.1:def:79
Microsoft network
client:Digitally
signcommunications (if
serveragrees) Table: 5.37 SignCommunicationsIfServ
Value: enabled erAgrees oval:gov.nist.1:def:81
Microsoft network
server:Digitally
signcommunications
(always) Table: 5.40 ServerAlwaysSignCommu
Value: enabled nications oval:gov.nist.1:def:84
Microsoft network
server:Digitally
signcommunications (if
clientagrees) Table: 5.41 SignCommunicationsIfClie
Value: enabled ntAgrees oval:gov.nist.1:def:85
Interactive logon:
Numberof previous logons
to cache(in case domain
controlleris not available)
logons or 2 logons PreviousLogonsCached oval:gov.nist.1:def:72
Devices: Allowed to
format and eject RestrictAccessToFormatAn
removeable media Table: dEjectRemovableMediaAd
5.12 Value: Administrators ministrators,
or Administrators and RestrictAccessToFormatAn oval:gov.nist.1:def:43,
interactive users dEjectRemovableMedia oval:gov.nist.1:def:44
Domain member:
Digitallyencrypt or sign
securechannel data
(always) Table: 5.20 AlwaysDigitallyEncryptSec
Value: enabled ureChannelData oval:gov.nist.1:def:61
Domain member:
Digitallyencrypt secure
channeldata (when
possible) Table: 5.21 WhenPossibleDigitallyEncr
Value: enabled yptSecureChannelData oval:gov.nist.1:def:62
Domain member:
Digitallysign secure
channel data(when
possible) Table: 5.22 WhenPossibleDigitallySign
Value: enabled SecureChannelData oval:gov.nist.1:def:63
Interactive logon: Smart

card removal behavior
Table: 5.35 Value: lock
workstation SmartCardRemoval oval:gov.nist.1:def:78
Domain member:
Disablemachine account
passwordchanges Table: MachineAccountPassword
5.23 Value: disabled Changes oval:gov.nist.1:def:64
System cryptography:
UseFIPS compliant
algorithmsfor encryption,
hashing,and signing
Table: 5.64 Value enabled FIPSCompliantEncryption oval:gov.nist.1:def:105
System objects:
Defaultowner for objects
createdby members of
theAdministrators group
Table: 5.65 Value: Object AdministratorsGroupObject
creator CreatorOwner oval:gov.nist.1:def:106
System objects:
Requirecase insensitivity
for non-Windows
subsystems Table: 5.66
Value: enabled RequireCaseInsensitivity oval:gov.nist.1:def:107
Accounts: Limit local

account use of blank
passwords to console
logon only Table: 5.3
Value: enabled LimitBlankPasswordUse oval:gov.nist.1:def:42
Devices: Allow undock

without having to logon
Table: 5.11 Value: AllowUndockWithoutLogin
disabled Disabled oval:gov.nist.1:def:53
Domain controller: LDAP

server signin
requirements Table: 5.18
Value: not defined
Network security:
LDAPclient signing
requirements Table: 5.56 LDAPClientSigningRequire
Value: Negotiate signing ments oval:gov.nist.1:def:98
Domain controller: Refuse

machine account
password changes Table:
Domain member:
Maximummachine
account passwordage MaximumMachineAccount
Table: 5.24 Value:30 days PasswordAge oval:gov.nist.1:def:65
Interactive logon:
RequireDomain
Controllerauthentication to
unlockworkstation Table:
5.33 Value: enabled or DomainControllerAuthentic
disabled ationRequired oval:gov.nist.1:def:75
Microsoft network
server:Disconnect clients
whenlogon hours expire
Table: 5.42 Value:
enabled LogonTimeExpiration oval:gov.nist.1:def:86
Network access: Do
notallow storage of
credentialsor .NET
Passports fornetwork
authentication Table: 5.46
Value: enabled CredentialsStorage oval:gov.nist.1:def:89
Network access:
LetEveryone
permissionsapply to
anonymous users Table: AnonymousUsersPermissi
5.47 Value: disabled ons oval:gov.nist.1:def:90
Network access:
Remotelyaccessible
registry
Networkpaths Table: 5.49
access:
Value:
NamedPipes that can be
System\CurrentControlSet
accessedanonymously
\Control\ProductOptions,
Table: 5.48 Value:
COMNAPCOMNODESQL
\Control\Print\Printers,Sys
\QUERYSPOOLSSLLSR AnonymouslyAccessedNa
tem\CurrentControlSet\Co
PCbrowser medPipes oval:gov.nist.1:def:91
ntrol\Server Applications,
\Services\Eventlog,Softwa
re\Microsoft\OLAP Server,
ws
NT\CurrentVersion,Syste
m\CurrentControlSet\Cont
rol\ContentIndex,
\Control\Terminal
Server,System\CurrentCo
ntrolSet\Control\Terminal
Server\UserConfig,
\Control\TerminalServer\D RemotelyAccessibleRegist
efaultUserConfiguration ryPaths oval:gov.nist.1:def:92
Network access:
Sharesthat can be
accessedanonymously
Table: 5.51 Value: AnonymouslyAccessedSha
COMCFGDFS$ res oval:gov.nist.1:def:93
Network access:
Sharingand security
model for localaccounts
Table: 5.52 Value: Classic
- local users authenticate LocalAccountsSecurityMod
as themselves el oval:gov.nist.1:def:94
Network security: Do
notstore LAN Manager
hashvalue on next
passwordchange Table:
5.53 Value: enabled` LANManagerHashStorage oval:gov.nist.1:def:95
Network security:
Forcelogoff when logon
hoursexpire Table: 5.54
Value: enabled ForceLogoff oval:gov.nist.1:def:244
Network security:
Minimumsession security
for NTLMSSP based
(includingsecure RPC)
clients Table: 5.57 Value:
Require message
integrityRequire message
confidentialityRequire
NTLMv2 session
securityRequire 128-bit NTLM_SSP_BasedClients
encryption SessionSecurity oval:gov.nist.1:def:99
Network security:
Minimumsession security
for NTLMSSP based
(includingsecure RPC)
servers Table: 5.58 Value:
Require message
integrityRequire message
confidentialityRequire
NTLMv2 session
securityRequire 128-bit NTLM_SSP_BasedServers
encryption SessionSecurity oval:gov.nist.1:def:100
MSS:
(ScreenSaverGracePer
iod)The time in
seconds beforethe
screen saver
graceperiod expires ScreenSaverGracePerio
Table: 5.85 Value: 0 d oval:gov.nist.1:def:123
Create global objects
defined
Impersonate a client
after authentication
defined
DCOM: Machine
access of the global
system objects Table:
5.9 Value: disabled
DCOM: Machine
Launch Restrictions in
the Security Descriptor
Definition Language
(SDDL) syntax Table:
Interactive logon:
Display user
information when the
session is locked Table:
Interactive logon:
Requre smart card
defined
Network access:
Restrict anonymous
access to named pipes
and shares Table: 5.50
Value: not defined
System cryptography:
Force strong key
protection for user keys
stored on the computer
defined
System settings:
optional subsystems
defined
System settings: Use

Certificate Rules on
Windows Executables
for Software Restriction
Polices Table: 5.69
Value: not defined
MSS:
(TCPMaxConnectResp
onseRetransmission)
SYN-ACK
retansmissions when a
connection request is
not acknowledged
and 6 sec, half open
connections dropped TCPConnectionRespon
after 21 sec ses oval:gov.nist.1:def:125
MSS:
(TCPMaxDataRetrans
missions) How many
times unacknowledged
data is retransmitted TCPMaxDataRetransmi
Table: 5.88 Value: 3 ssions oval:gov.nist.1:def:126
Backup Operators
Table: 7.1 Value: none BackupOperators oval:gov.nist.1:def:206
Power Users Table: 7.2
Value: none PowerUsers oval:gov.nist.1:def:207
Remote Desktop Users

Table: 7.3 Value: none RemoteDesktopUsers oval:gov.nist.1:def:208
Application Layer
Gateway Service Table:
Application
Management Table: 8.3
Value: not defined
Cryptographic Services
defined
DHCP Client Table:

Distributed Link
Tracking Client Table:
Distributed Transaction
Coordinator Table: 8.13
Value: not defined
DNS Client Table: 8.14

Value: not defined
Error Reporting Service
defined
Event Log Table: 8.16
Value: not defined
Help and Support
defined
Human Interface
Device Access Table:
IMAPI CD-Burning
COM Service Table:
Infrared Monitor Table:

IPSEC Services Table:

defined
Administrative Service
defined
MS Software Shadow
Copy Provider Table:
Network Connections
defined
Network Dynamic Data

Exchange (DDE) Table:
8.35 Value: not defined DDEService oval:gov.nist.1:def:245
Network DDE DDE
Share Database
Manager (DSDM)
defined DDEdsdmService oval:gov.nist.1:def:246
Network Location
Awareness (NLA)
defined
NT LM Security
Support Provider Table:
Performance Logs and
Alerts Table: 8.39
Value: not defined
Portable Media Serial

Number Service Table:
Protected Storage
defined
QoS RSVP Table: 8.44

Value: not defined
Remote Access
Connection Manager
defined RasManService oval:gov.nist.1:def:247
(RPC) Table: 8.48
Value: not defined

(RPC) Locator Table:
Removable Storage
defined
Secondary Logon
defined
Security Accounts
Manager Table: 8.54
Value: not defined
Server Table: 8.55
Value: not defined
Smart Card Table: 8.57

Value: not defined
Smart Card Helper
defined
System Event
Notification Table: 8.63
Value: not defined
System Restore
Service Table: 8.64
Value: not defined
TCP/IP NetBIOS
Helper Table: 8.66
Value: not defined
Telephony Table: 8.67
Value: not defined
Themes Table: 8.70
Value: not defined
Uninterruptable Power
Supply Table: 8.71
Value: not defined
Upload Manager Table:

Volume Shadow Copy
defined
Webclient Table: 8.75
Value: not defined
Windows Audio Table:

Windows Image
Acquisition (WIA)
defined
Windows Installer
defined
Windows Management
Instrumentation Table:
Windows Management
Instrumentation Driver
Extensions Table: 8.80
Value: not defined
Windows Time Table:

Wireless Zero
Configuration Table:
WMI Performance
Adapter Table: 8.83
Value: not defined
Workstation Table: 8.84

Value: not defined
MSS:
(NtfsDisable8dot3Nam
eCreation) Enable the
computer to stop
generating 8.3 style
filenames. Table: 5.82 Disable8Dot3NameCrea
Value: enabled tion oval:gov.nist.1:def:119
5.2.1.1.2.4 Allow
remote
administration
5.2.1.1.2.7 Allow
Remote Desktop
OVAL10088
OVAL10219
Microsoft Security NIST SCAP Windows
Center for Internet
Guide for DISA Stig for Vista XCCDF (SCAP-
Security Windows
Windows Server Windows 2003 WinVista-XCCDF.xml rev
Server 2003
2003 2007-02-06)
Table 3.28 Deny access to
this computer from the
network: ANONYMOUS
LOGON; Built-in
Administrator, Guests;
Support_388945a0; Guest;
all NON-Operating System 4.2.15 Deny access to
service accounts (Legacy this computer from the
Client, Enterprise Client, network (minimum): Not
and High Security) Defined .
Table 4.2 Access this 5.1 User Rights: (4.015:

computer from the 4.2.1 Access this CAT I) Built-in Guest
network: Administrators, computer from the account, Everyone
Authenticated Users, network: Not Defined; group, guests group,
Enterprise Domain Administrators, and Domain Guests
Controllers (High Security); Authenticated Users, group DO NOT have the
Legacy Client and Enterprise Domain right to "access this
Enterprise Client are not Controllers (Specialized computer from the
defined Security) network"
Table 3.21 Act as part of 5.1 User Rights: (4.009:

the operating system: Not CAT I) Individual and
defined (Legacy Client and group accounts DO NOT
Enterprise Client); revoke have the right to "act as
all security groups and 4.2.2 Act as part of the part of the operating
accounts (High Security) operating system: none system"
4.2.36 Backup files and

directories: Administrators
. (Specialized Security) .
4.2.8 Bypass traverse

. checking: Not Defined .
Table 3.26 Change the
system time:
Administrators and Power
Users (default);
Administrators (High
Security); Legacy client
and Enterprise Client are 4.2.9 Change the system
not defined time: Administrators .
4.2.10 Create a pagefile:

Administrators
4.2.11 Create a token

. object: None .
4.2.13 Create permanent

. shared objects: None .
Table 3.27 Debug

programs: Administrators
(default); Revoke all
security groups and
accounts (Legacy Client,
Enterprise client and High 4.2.14 Debug Programs:
Security) None .
Table 3.32 Force shutdown

from a remote system:
Administrators (High 4.2.21 Force shutdown
Security): Legacy client from a remote system:
and Enterprise Client are Administrators
not defined (Specialized Security) .
Table 3.33 Generate

security audits: Network
Service, Local Service 4.2.22 Generate security
(High Security): Legacy audits: Local Service,
Client and Enterprise Network Service
Client are not defined (Specialized Security) .
Table 3.23 Adjust memory

quotas for a process:
Administrators, Network 4.2.4 Adjust memory
Service, Local Service quotas for a process:
(High Security); Legacy Network Service, Local
client and Enterprise Client Service, Administrators
are not defined (Specialized Security) .
Table 3.35 Increase
scheduling priority:
Administrators (High 4.2.24 Increase
Security): Legacy Client scheduling priority:
Table 3.36 Load and

unload device drivers:
Security): Legacy Client 4.2.25 Load and unload
and Enterprise Client are device drivers:
not defined Administrators .
Table 3.37 Lock pages in

memory: Administrators
(High Security): Legacy 4.2.26 Lock pages in
Client and Enterprise memory: Administrators
Table 3.38 Log on as a

batch job:
Support_388945a0, Local
Service (Default); Revoke
all security groups and
accounts (High Security);
Legacy Client and
Enterprise Client are not 4.2.27 Log on as a batch
defined job: None .
4.2.28 Log on as a
. service: Not Defined .
5.1 User rights: (4.026:

CAT II) Built-in Guest
account, guests group,
and Domain guests
Table 4.4 Allow log on group, HelpAssistant,
locally: Administrators and Suppor_388945a0
(Legacy client, Enterprise 4.2.5 Allow log on locally: are assigned the right to
Client, and High Security) Administrators DENY log on locally
Table 3.39 Manage

auditing and security log:
Administrators (High 4.2.29 Manage auditing
Security); Legacy Client and security log:
Table 3.40 Modify firmware

environment values:
Administrators (High 4.2.30 Modify firmware
Security); Legacy client environment values:
Table 3.42 Profile single
process: Administrators
(High Security); Legacy 4.2.32 Profile single
Client and Enterprise process: Administrators
Table 3.43 Profile system

performance:
Administrators (High 4.2.33 Profile system
Security); Legacy client performance:
Table 3.44 Remove

computer from docking
station: Administrators,
Power Users
(Default)/Administrators 4.2.34 Remove computer
(High Security); Legacy from docking station:
client and Enterprise Client Administrators
are not defined (Specialized Security) .
Table 3.45 Replace a

process level token: Local
Service, Network Service
(High Security); Legacy 4.2.35 Replace a process
Client and Enterprise level token: Network
Client are not defined Service, Local Service .
Table 3.46 Restore files

and directories:
Administrators and Backup
Operators
(Default)/Administrators
(High Security); Legacy 4.2.36 Restore files and
Client and Enterprise directories: Administrators
Table 3.47 Shut down the

system: Backup Operators,
Power Users and
Administrators
(Default)/Administrators 4.2.37 Shut down the
(High Security); Legacy system: Administrators
Client and Enterprise (Enterprise, Specialized
Client are not defined Security) .
Table 3.49 Take ownership

of files or other objects:
Security); Legacy Client 4.2.39 Take ownership of
and Enterprise Client are file or other objects:
not defined Administrators .
Table 3.48 Synchronize
directory service data:
Revoke all security groups
and accounts (High
Security); legacy client and 4.2.38 Synchronize
Enterprise Client are not directory service data:
defined None .
5.1 User rights: (4.026:

CAT II) Built-in Guest
account, guests group,
and Domain guests
group, HelpAssistant,
and Suppor_388945a0
4.2.18 Deny logon locally: are assigned the right to
. Not Defined DENY log on locally
Table 4.7 Enable computer

and user accounts to be
trusted for delegation:
Administrators (High 4.2.20 enable computer
Security); Legacy client and user accounts to be
and Enterprise Client are trusted for delegation:
not defined None .
Table 3.22 Add

workstations to domain:
Administrators (High 4.2.3 Add workstations to
Security); Legacy Client domain: Not Defined;
and Enterprise Client are None (Specialized
not defined Security) .
Table 3.25 Allow log on 5.1 User Rights:

through Terminal (4.040: CAT I) No one
Services: Administrators has the right to allow
(High Security); logn through Terminal
Administrators and 4.2.6 Allow logon Services unless the
Remote Desktop Users through terminal machine is performing
(Legacy Client and services: the role of a Terminal
Enterprise Client) Administrators Server
Table 4.18 Deny log on as

a batch job:
Support_388945a0 and
Guest (Legacy Client,
Enterprise Client, and High 4.2.16 Deny logon as a
Security) batch job: Not Defined .
4.2.17 Deny logon as a

. service: Not Defined .
5.1 User Rights: (4.041:
CAT II) The Everyone
group is assigned the
Table 4.18 Deny log on right to deny logon
through Terminal Services: through Terminal
Built-in Administrator; all Services unless the
NON-operating system machine is performing
service accounts (Legacy 4.2.19 Deny logon the roale of a Terminal
Client, Enterprise Client, through Terminal Server, then the Guests
and High Security) Services: Not Defined group is assigned
Table 3.41 Perform volume

maintenance tasks:
Administrators (High 4.2.31 Perform volume 5.4.5.1 [AP] User Rights
Security); Legacy client maintenance tasks: Assignments: Perform
and Enterprise Client are Administrators Volume Maintenance
not defined (Specialized Security) Tasks: Administrators
Table 2.11 Reset account

lockout counter after: 30
minutes; 15 minutes (High
Security); 30 minutes 5.4.2.2 [A] Bad Logon
(Legacy Client and 2.2.3.3 Reset Account Counter Reset: 15
Enterprise Client) Lockout After: 15 minutes minutes reset-account-lockout-counter
Table 2.9 Account lockout 4.5.3 Password Policy

duration: 15 minutes (High (4.004: CAT II) The
Security); 30 minutes Account Lockout
(Legacy Client and 2.2.3.1 Account Lockout duration set to 15
Enterprise Client) Duration: 15 minutes minutes or more account-lockout-duration
Table 2.10 Account lockout

threshold: 50 invalid login 4.5.3 Password Policy
attempts (Legacy Client 2.2.3.2 Account Lockout (4.002: CAT II) The
and Enterprise Client); 10 Threshold: 15 attempts; Account Lockout
invalid login attempts (High 10 attempts (Specialized Threshold will be set to
Security) Security) 3 or less account-lockout-threshold
Table 3.2 Audit account

logon events:
Success/Failure (Legacy 2.2.1.1 Audit Account
Client, Enterprise Client, Logon Events:
and High Security) Success/Failure . audit-account-logon-events
logon events:
Client, Enterprise Client, Logon Events:
and High Security) Success/Failure . audit-account-logon-events

management:
Client, Enterprise Client, Management:
and High Security) Success/Failure . audit-account-management

management:
Client, Enterprise Client, Management:
and High Security) Success/Failure . audit-account-management
Table 3.6 Audit directory

service access: 6.4 System Audit
Success/Failure (Legacy 2.2.1.3 Audit Directory Settings: Audit directory
Client, Enterprise Client, Service Access: Not service access: Not
and High Security) Defined Defined audit-directory-services-access
Table 3.6 Audit directory

service access: 6.4 System Audit
Success/Failure (Legacy 2.2.1.3 Audit Directory Settings: Audit directory
Client, Enterprise Client, Service Access: Not service access: Not
and High Security) Defined Defined audit-directory-services-access
Table 3.8 Audit logon

events: Success/Failure 2.2.1.4 Audit Logon 6.4 System Audit
(Legacy Client, Enterprise Events: Success and Settings: Audit logon
Client, and High Security) Failure events: Success, Failure audit-logon-events
Table 3.8 Audit logon

events: Success/Failure 2.2.1.4 Audit Logon 6.4 System Audit
(Legacy Client, Enterprise Events: Success and Settings: Audit logon
Client, and High Security) Failure events: Success, Failure audit-logon-events
Table 3.10 Audit object
access: Success/Failure
(Legacy Client, Enterprise 2.2.1.5 Audit Object
Client, and High Security) Access: Success/Failure . audit-object-access
Table 3.10 Audit object

access: Success/Failure
(Legacy Client, Enterprise 2.2.1.5 Audit Object
Client, and High Security) Access: Success/Failure . audit-object-access
Table 3.12 Audit policy 6.4 System Audit

change: Success (legacy Settings: Audit policy
client, Enterprise Client, 2.2.1.6 Audit Policy change: Success,
and High Security) Change: Success Failure audit-policy-change
Table 3.12 Audit policy 6.4 System Audit

change: Success (legacy Settings: Audit policy
client, Enterprise Client, 2.2.1.6 Audit Policy change: Success,
and High Security) Change: Success Failure audit-policy-change
Table 3.14 Audit privilege

use: Success/Failure (High
Security); No Auditing 6.4 System Audit
(Legacy Client); Failure 2.2.1.7 Audit Privilege Settings: Audit privilege
(Enterprise Client) Use: Not Defined use: Failure audit-privilege-use
Table 3.14 Audit privilege

use: Success/Failure (High
Security); No Auditing 6.4 System Audit
(Legacy Client); Failure 2.2.1.7 Audit Privilege Settings: Audit privilege
(Enterprise Client) Use: Not Defined use: Failure audit-privilege-use
.
6.4 System Audit

Settings: Audit process
. . tracking: Not Defined audit-process-tracking
6.4 System Audit

Settings: Audit process
. . tracking: Not Defined audit-process-tracking
Table 3.18 Audit system
events: Success (Legacy 6.4 System Audit
Client, Enterprise Client, 2.2.1.9 Audit System Settings: Audit system
and High Security) Events: Success events: Success, Failure audit-system-events
Table 3.18 Audit system

events: Success (Legacy 6.4 System Audit
Client, Enterprise Client, 2.2.1.9 Audit System Settings: Audit system
and High Security) Events: Success events: Success, Failure audit-system-events
Table 3.102 Shutdown:

Allow system to be shut
down without having to log
on: Disabled (Legacy
Client, Enterprise Client,
and High Security) . .
. . .
. . .
. . .
2.2.4.1.2 Restrict Guest Prevent-Guest-Application-Log-

. Access: Enabled . Access
Table 3.110 Maximum

application log size: 16,384 5.4.7.1 [A] Event Log
KB (Legacy Client, Sizes: Maximum
Enterprise Client, and High 2.2.4.1.1 Maximum Event application log size:
Security) Log Size: 16MB 16384 kilobytes Maximum-Application-Log-Size
Retention-Method-For-Application-
. . Log
5.4.7.3 [AP] Preserving
Table 3.116 Retention Security Events:
method for application log: Retention method for
As needed (Legacy Client, application log: Do not
Enterprise Client, and High 2.2.4.1.3 Log Retention overwrite events (clear
Security) Method: Not Defined log manually)
3.5 [M] Access to

2.2.4.2.2 Restrict Guest Security Event Log:
. Access: Enabled Auditors Prevent-Guest-Security-Log-Access
Table 3.111 Maximum

security log size: 81,920 5.4.7.1 [A] Event Log
KB (Legacy Client, Sizes: Maximum
Enterprise Client, and High security log size: 16384
Security) kilobytes Maximum-Security-Log-Size
6.2 Audit Log

Requirements: (5.002:
CAT II) minimum of
. 81920KB Retention-Method-For-Security-Log
Table 3.117 Retention

method for security log: As
needed (Legacy Client,
Enterprise Client, and High 2.2.4.2.3 Log Retention
Security) Method: Not Defined .
5.4.7.2 [A] Restrict

Event Log Access Over
Network: Prevent local
guests group from
2.2.4.3.2 Restrict Guest accessing security log:
Access: Enabled Enabled Prevent-Guest-System-Log-Access
Table 3.112 Maximum

system log size: 16,384 KB 5.4.7.1 [A] Even Log
(Legacy Client, Enterprise 2.2.4.3.1 Maximum Event Sizes: Maximum system
Client, and High Security) Log Size: 16MB log size: 16384 kilobytes Maximum-System-Log-Size
6.2 Audit Log

Requirements: (5.002:
CAT II) minimum of
. 81920KB Retention-Method-For-System-Log
3.118 Retention method
for system log: As
needed (Legacy Client,
Enterprise Client, and
High Security) . .
Table 2.4 Maximum 4.5.3 Password Policy:

password age: 42 days (4.011: CAT II) Maximum
(Legacy Client, Enterprise 2.1.2 Maximum Password password age is set to
Client, and High Security) Age: 90 Days 90 days or less maximum-password-age
Table 2.5 Minimum 4.5.3 Password Policy:

password age: 2 days (4.012: CAT II) Minimum
(Legacy Client, Enterprise 2.2.2.1 Minimum password age is set to 1
Client, and High Security) Password Age: 1 day day or more minimum-password-age
Table 2.6 Minimum

password length: 12
characters (High Security); 2.2.2.3 Minimum
8 characters (Legacy Password Length: 8 5.4.1.3 [AP] Minimum
Client and Enterprise characters; 12 characters Password Length: 8
Client) (Specialized Security) characters minimum-password-length
. . .
Table 2.7 Password must 5.4.1.5 [M] Enable

meet complexity strong Password
requirements: Enabled Filtering: Password must
(Legacy Client, Enterprise 2.2.2.4 Password meet complexity
Client, and High Security) Complexity: Enabled requirements: Enabled password-complexity
Table 2.3 Enforce

password history: 24 5.4.1.4 [A] Password
passwords remembered 2.2.2.5 Password History: Uniqueness: Enforce
(Legacy Client, Enterprise 24 passwords password history: 24
Client, and High Security) remembered passwords enforce-password-history
Table 2.8 Store password

using reversible
encryption: Disabled 2.2.2.6 Store Passwords 5.4.1.6 [M] Disable
(Legacy Client, Enterprise Using Reversible Reversible Password
Client, and High Security) Encryption: Disabled Encryption: Disabled reversible-password-encryption
Table 3.119 Alerter
Service: Disabled (Legacy
and High Security) 4.1.1 Alerter: Disabled .
Table 3.123 Automatic

updates service: Automatic 7.6.1 Automatic Updates
(Legacy Client, Enterprise Service: Disable if not
Client, and High Security) . needed
Table 3.124 Background

Intelligent Transfer 7.6.2 Background
Service: Manual (Legacy Intelligent Transfer
Client, Enterprise Client, Service (BITs): Disable if
and High Security) . not needed
Table 3.127 Clipbook

service: Disabled (Legacy
and High Security) 4.1.3 Clipbook: Disabled .
Table 10.5 Computer

Browser service: Automatic
(default); Disabled
(Enterprise) . .
. . .
Table 3.143 Fax Service:

Not installed (default);
Disabled (Legacy Client,
Enterprise Client, and High 4.1.4 Fax Service:
Security) Disabled .
Table 3.146 FTP

Publishing Service: Not
installed (default); Disabled
(Legacy Client, Enterprise 4.1.7 FTP Publishing 7.6.3 FTP Service:
Client, and High Security) Service: Disabled Disabled
Table 3.151 IIS Admin

Service: Not installed
(default); Disabled (Legacy
Client, Enterprise Client, 4.1.10 IIS Admin Service:
and High Security) Disabled .
Table 3.153 Indexing
Client, Enterprise Client, 4.1.11 Indexing Service:
Table 3.167 Messenger

Client, Enterprise Client, 4.1.13 Messenger: 8.3.4 Windows Do-not-allow-Windows-Messenger-
and High Security) Disabled Messenger: Disabled to-be-run
8.4.3 .NET Framework:

Table 3.172 .NET (5.069: CAT II) the .NET
Framework Support Framwork is not active
Service: Not installed on the system unless it
(default); Disabled (Legacy only supports locally
Client, Enterprise Client, developed .NET
and High Security) . applications
. . .
Table 3.174 NetMeeting

Remote Desktop Sharing: 7.6.4 NetMeeting
Disabled (Legacy Client, 4.1.15 NetMeeting Remote Desktop
Enterprise Client, and High Remote Desktop Sharing: Sharing Service: (5.063:
Security) Disabled CAT II) Disabled Disable-remote-Desktop-Sharing
7.6.5 Print Services for

Unix: (5.026: CAT II)
. . Remove if not required
Table 3.187 Remote

Access Auto Connection
Manager: Manual (default); 7.6.7 Remote Access
Disabled (Legacy Client, 4.1.20 Remote Access Auto Connection
Enterprise Client, and High Auto Connection Manager Service:
Security) Manager: Disabled (5.064: CAT II) Disabled
Table 3.190 Remote

Desktop Help Session
Manager: Manual (default);
Disabled (Legacy Client, 4.1.23 Remote Desktop 7.6.8 Remote Desktop
Enterprise Client, and High Help Session Manager: Help Session Manager:
Security) Disabled (5.065: CAT II) Disabled
8.3.9.1 Internet
Connection Sharing:
(3.085: CAT II) Prohibit
use of Internet
Connection Sharing on
your DNS domain
. . networks is Enabled
Table 3.194 Remote

Registry Service:
Automatic (Legacy Client, 4.1.26 Remote Registry
Enterprise Client, and High Service: Disabled 7.6.9 Remote Registry
Security) (Specialized Security) Service: Disabled
Table 3.201 Routing and

Remote Access Service: 7.6.11 Routing and
Disabled (Legacy Client, Remote Access Service:
Enterprise Client, and High (5.067: CAT II) Disabled
Security) . if not required
7.6.10 Remote Shell

Service: (5.008: CAT II)
Service is removed by
typing instsrv rshsvc
remove at the command
. . prompt
Table 3.208 Simple TCP/IP

Services: Not installed 7.6.16 Telnet Servers:
(default); Disabled (Legacy (5.010: CAT II) Simple
Client, Enterprise Client, TCP/IP services are
and High Security) . disabled
Table 3.207 Simple Mail

Transport Protocol
(SMTP): Not installed
(default); Disabled (Legacy 4.1.31 Simple Mail
Client, Enterprise Client, Transfer Protocol:
Table 3.211 SNMP

(default); Disabled (Legacy 4.1.32 Simple Network 7.6.13 SNMP Service:
Client, Enterprise Client, Management Protocol (5.026: CAT II) SNMP is
and High Security) Service: Disabled disabled if not required
Table 3.212 SNMP Trap

(default); Disabled (Legacy 4.1.33 Simple Network
Client, Enterprise Client, Management Protocol
and High Security) Trap: Disabled .
7.6.14 Simple Service
Discovery Protocol
(SSDP) Service: 5.019:
. . CAT I) Disabled
Table 3.216 Task

Scheduler: Automatic
(default); Disabled (Legacy 7.6.15 Task Scheduler
Client, Enterprise Client, Service: (5.009: CAT II)
and High Security) . Disabled
Table 3.220 Telnet Service:

Disabled (Legacy Client,
Enterprise Client, and High
Security) 4.1.35 Telnet: Disabled .
Table 3.221 Terminal 7.6.17 Terminal

Services: Manual (default); Services: (5.020: CAT I)
Automatic (Legacy Client, 4.1.36 Terminal Services: Disabled on machines
Enterprise Client, and High Disabled (Specialized that are not performing
Security) Security) as Terminal Servers
Table 3.182 Plug and Play:

Automatic (Legacy Client,
Security) . .
Table 3.245 World Wide

Web Publishing Service:
Not installed (default);
Disabled (Legacy Client, 4.1.39 World Wide Web
Enterprise Client, and High Publishing Services:
Security) Disabled .
7.6.1 Automatic Updates

Table 11.3 Automatic Service: Disable if not
Update Service: Disabled . needed
7.6.2 Background
Table 11.4 Background Intelligent Transfer
Intelligent Transfer Service (BITs): Disable if
Service: Disabled . not needed
7.6.5 Print Services for

Unix: (5.026: CAT II)
. . Remove if not required
Table 3.119 Alerter
and High Security) 4.1.1. Alerter: Disabled .

Updates Service:
Automatic (Legacy Client,
Security) . .
. . .
. 4.1.3 Clipbook: Disabled .
. . .
4.1.4 Fax Service:

. Disabled .
. . .
4.1.7 FTP Publishing

. Service: Disabled .
4.1.10 IIS Admin Service:

. Disabled .
4.1.11 Indexing Service:

. Disabled .
4.1.13 Messenger:
. Disabled .
. . .
4.1.15 NetMeeting
Remote Desktop Sharing:
. Disabled .
4.1.19 Print Spooler:

Disabled (Specialized
. Security) .
7.6.7 Remote Access

4.1.20 Remote Access Auto Connection
Auto Connection Manager Service:
. Manager: Disabled (5.064: CAT II) Disabled
4.1.23 Remote Desktop

Help Session Manager:
. Disabled .
4.1.26 Remote Registry

Service: Disabled
. . .
4.1.31 Simple Mail

Transfer Protocol:
. Disabled .

Management Protocol
. Service: Disabled .
Management Protocol
. Trap: Disabled .
. . .
. 4.1.35 Telnet: Disabled .
4.1.36 Terminal Services:

Disabled (Specialized
. Security) .
. . .
4.1.39 World Wide Web

Publishing Services:
. Disabled .
. . .
3.1.3 Network Access:

Do not allow 5.4.6.53 [AP] Restrict
3.86 Network Access: Do anonymous Anonymous Network
not allow anonymous
enumeration of SAM
enumeration of SAM Shares: Network
accounts and shares: accounts and shares: Access: Do not allow
Enabled (Legacy Client, Enabled (Enterprise anonymous
Enterprise Client, and High and Specialized enumeration of SAM do-not-allow-anonymous-
Security) Security) accounts: Enabled enumeration-sam-accounts-shares
3.85 Network Access: Do
not allow anonymous
enumeration of SAM
accounts: Enabled (Legacy
Client, Enterprise Client, do-not-allow-anonymous-
and High Security) . . enumeration-sam
3.1.1 Network Access:

Table 2.13 Network Allow Anonymous 5/4/6/52 Network
Access: Allow anonymous SID/Name Translation: Access: Allow
SID/NAME translation: Disabled (Specialized anonymous SID/Name
Disabled Security) translation: Disabled Anonymous-SID-Name-Translation
. . .
. . .
3.5 [M] Access to

Security Event Log:
. . Auditors
. . .
5.2 Windows Server

2003 Built-in Accounts:
. . (4.048: CAT II) Disabled guest-account-status
. . . administrator-account-status
Table 3.73 Interactive
logon: Message title for 5.4.6.22 [AP] Display
users attempting to log on: Legal Notice: Interactive
"It is an offense to continue 3.2.1.27 Interactive Logon: Message title for
without proper Logon: Message Title for users attempting to log
authorization" (Legacy Users Attmpting to Log on: US Deparment of
Client, Enterprise Client, On: <Custom or DoJ Defense Warning
and High Security) Approved> Statement message-title-users-attempting-logon

logon: Message text for
users attempting to log on:
"This system is restricted
to authorized users.
Individuals attempting
unauthorized access will
be prosecuted. If
unauthorized, terminate
access now! Clicking on
OK indicates your
acceptance of the 3.2.1.26 Interactive
information in the Logon: Message Text for 5.4.6.22 Interactive
background. (Legacy Users Attempting to Log Logon: Message text for
Client, Enterprise Client, On: <Custom or DoJ users attempting to log
and High Security) Approved> on message-text-users-attempting-logon
. . .
. . .
5.4.6.38 [A] Disable

Administrator Automatic
. . Logon: Disabled enable-automatic-logon
. . .
5.4.6.47 [A] Disable

Media Autoplay: MSS:
Disable Autorun on all
drives: 255, disable Turn-off-Autoplay, no-drive-type-auto-
. . Autorun for all drives run
. . .
. .
. . .
. . .
5.4.6.41 [A] ICMP
Redirects: MSS:
(EnablEICMPRedirect)
Allow ICMP redirects to
override OSPF
generated routes:
. . Disabled enable-icmp-redirect
5.4.6.39 MISS:
DisableIPSourceRouting
3.2.1.69 MSS: IP Source , IP source routing
Routing protection level: packet spoofing: Highest
Highest Protection, protection, source
source routing is routing is completely
. automatically disabled disabled disable-ip-source-routing
3.2.1.74 MSS: Allow IRDP

to detect and configure
DefaultGateway
. addresses: Disabled . perform-router-discovery
. . .
. . .

logon: Do not display last
user name: Disabled
(default); Enabled (Legacy 3.2.1.24 Interactive
Client, Enterprise Client, Logon: Do Not Display
and High Security) Last User Name: Enabled . do-not-display-last-user-name
. . .
. . .
. . .
. . . hide-system-from-browse-list
5.4.6.40 [A] Detection of

Table. 3.246 Security Dead Gateways: MSS:
Consideration for Network (EnableDeadGWDetect)
Attack: 3.2.1.70 MSS: Allow Allow automatic
EnableDeadGWDetect = 0 automatic detection of detection of dead
(Legacy Client, Enterprise dead network gateways: network gateways:
Client, and High Security) Disabled Disabled enable-dead-gw-detect
Table 3.246 Security

Consideration for Network
Attacks: KeepAliveTime = 3.2.1.82 MSS: How often 5.4.6.49 MSS: How
300,000 (Legacy Client, keepalive packets are often keepalive packets
Enterprise Client, and High sent in milliseconds: are sent in milliseconds:
Security) 300000 300000 keep-alive-time
. . .
. . .
Table 3.248 Configure
NetBIOS Name Release
Security: Allow the
computer to ignore 5.4.6.42 [A] NetBIOS
NetBIOS name release Name Release: MSS:
requests except from (NoNameReleaseOnDe
WINS server: 3.2.1.73 MSS: Allow the mand) Allow computer to
NoNameReleaseOnDema computer to ignore ignore NetBIOS name
nd = 1 (Legacy Client, NetBIOS name release release requests except
Enterprise Client, and High requestions except from from WINS Servers:
Security) WINS servers: Enabled Enabled no-name-release-on-demand
Table 3.246 Security

Consideration for Network 3.2.1.72 MSS:
Attacks: EnablePMTUDiscovery,
EnablePMTUDiscovery = 0 Allow automatic detection
(Legacy Client, Enterprise of MTU size: Enabled
Client, and High Security) (Specialized Security) .
Table 3.246 Security 5.4.6.44 MSS

Consideration for Network (SynAttackProtect) Syn
Attacks: SynAttackProtect attack protection level:
= 1 (Legacy Client, Connections time out
Enterprise Client, and High sooner if a SYN attack is
Security) detected syn-attack-protect
. . .
. . . warning-level
5.4.6.6 ConGp: Prevent

the dial-up password
from being saved:
. . Enabled
Table 3.64 Domain

member: Digitally encrypt 5.4.6.16 [A] Encryption
or sign secure channel of Secure Channel
data (always): Enabled 3.2.1.19 Domain Member: Traffic: Domain Member:
(High Security); Disabled Digitally Encrypt Secure Digitally encrypt secure
(Legacy Client and Channel Data (When channel data (when
Enterprise Client) Possible): Enabled possible): Enabled
Table 3.65 Domain
member: Digitally encrypt 5.4.6.17: [A] Signing of
or sign secure channel Secure Channel Traffic:
data (when possible): 3.2.1.20 Domain Member: Domain Membore:
Enabled (Legacy Client, Digitally Sign Secure Digitally sign secure
Enterprise Client, and High Channel Data (When channel data (when
Security) Possible): Enabled possible): Enabled
Table 3.253 Enable Safe

DLL Search Order: Enable
Safe DLL search mode
(recommended): 5.4.6.48 [A] Safe DLL
SafeDllSearchMode = 1 3.2.1.80 MSS: Enable Search Mode: MSS:
(Legacy Client, Enterprise Safe DLL search mode: Enable Safe DLL search
Client, and High Security) Enabled mode: Enabled safe-dll-search-mode
8.3.5 Always wait for the

network at computer
. . startup: Enabled
. . .
. . .
8.3.6 Group Policy:

(3.080: CAT II) Turn off
backroung refresh of
Group Policy is set to
. . Disabled
. . .
8.3.9.2 Network Bridge:

(3.086: CAT II) The
setting Prohibit
installation and
configuration of network
Bridge on your DNS
doman network is set to
. . Enabled
8.3.10 Installation of
mode Drivers: (3.087:
CAT II) the setting
Disallow installation of
printers using kernel-
mode drivers is set to
. . Enabled
. .
Table 3.61 Domain

controller: Allow server 5.4.6.12 [A] Server
operators to schedule Operators Scheduling
tasks: Not Defined 3.2.1.15 Domain Tasks: Domain
(default); Disabled (Legacy Controller: Allow Server Controller: Allo server
Client, Enterprise Client, Operators to Schedule operators to schedule
and High Security) Tasks: Disabled tasks: Disabled
5.4.6.3 Accounts:
Rename administrator
account: Should not be
. . Administrator rename-administrator
5.4.6.4 Account:
Rename guest account:
Any value other than
. . Guest rename-guest
Table 3.81 Microsoft 5.4.6.30[A] Idle Time

network server: Amount of Before Suspending a
idle time required before Session: Microsoft
suspending session: 15 Network Server: Amount
minutes (Legacy Client, of idle time required
Enterprise Client, and High before suspending a amount-of-idle-time-required-before-
Security) ` session: 15 minutes suspending-session
5.4.7.76 [A] Global

System Object
Table 3.52 Audit: Audit the Permission Strength:
access of global system System objects:
objects: Disabled (Legacy 3.2.1.6 Audit: Audit the Strengthen default
Client, Enterprise Client, access of global system permissions of internal
and High Security) objects: Not Defined system objects: Enabled audit-access-global-system-objects
Table 3.53 Audit: Audit the

use of backup and restore
privilege: Disabled (Legacy 3.2.1.7 Audit: Audit the
Client, Enterprise Client, use of backup and restore
and High Security) privilege: Not Defined . audit-use-backup-restore-privilege
5.4.6.21 [A]
CTRL+ALT+DEL
Table 3.71 Interactive Security Attention
logon: Do not require Sequence: Interactive
CRTL+ALT+DEL: Disabled Logon: Do not require
(Legacy Client, Enterprise CTRL+ALT+DEL:
Client, and High Security) . Disabled do-not-require-ctrlaltdel
Table 3.96 Network

security: LAN Manager 3.2.1.50 Network
authentication level: Send Security: LAN Manager 5.4.6.64 [AP] LanMan
NTLM response only Authentication Level: Compatible Password
(default); Send NTLMv2 Send NTLMv2 (Legacy), Option Not Properly Set:
response only\refuse LM & Send NTLMv2, refuse LM Network Security: LAN
NTLM (High Security); (Enterprise), Send Manager authentication
Send NTLMv2 responses NTLMv2, refuse LM and level: Send NTLMv2
only (Legacy Client and NTLM (Specialized response only/refuse LM
Enterprise Client) Security) & NTLM
. . .
Table 3.57 Devices:

Prevent users from 5.4.6.9 [A] Secure Print
installing printer drivers: Driver Installation:
Enabled (Legacy Client, 3.2.1.11 Devices: Prevent Devices: Prevent users
Enterprise Client, and High users from installing from installing printer
Security) printer drivers: Enabled drivers: Enabled prevent-users-installing-printers
Table 3.100 Recovery

console: Allow automatic 5.4.6.68 [A] Recovery
administrative logon: 3.2.1.54 Recovery Console - Automatic
Disabled (Legacy Client, Console: Allow Automatic Logon: Allow automatic
Enterprise Client, and High Administrative Logon: administrative logon:
Security) Disabled Disabled
Table 3.101 Recovery 5.4.6.69 [A] Recovery

console: Allow floppy copy Console - Set
and access to all drives 3.2.1.55 Recovery Command: Recovery
and all folders: Disabled Console: Allow Floppy console: Allow floppy
(High Security); Enabled Copy and Access to All copy and access to all
(Legacy Client and Drives and All Folders: drives and folders:
Enterprise Client) Not Defined Disabled
3.2.1.12 Devices: Restrict
CD-ROM Access to
Locally Logged-On User restrict-cdrom-access-local-users-
. Only: Not Defined . only
Table 10.2 Devices: 5.4.6.10 [A] Secure

Restrict floppy access to 3.2.1.13 Devices: Restrict Removable Media:
locally logged-on user Floppy Access to Locally Devices: Restrict floppy
only: Enabled (Enterprise Logged-On User only: Not access to locally logged- restrict-floppy-access-local-users-
Client) Defined on user only: Enabled only
5.4.6.76 [A] Global

Table 3.108 System ojects: System Object
Strengthen default Permission Strength:
permissions of internal 3.2.1.62 System Objects: System Objects:
system objects: Enabled Strengthen default Strengthen default
(Legacy Client, Enterprise permissions of internal permissions of internal
Client, and High Security) system objects: Enabled system objects: Enabled
5.4.6.20 [AP] Strong

Table 3.69 Domain Session Key
member: Require strong (WIN2K/W2K3 Native
(W2K or later) session key: 3.2.1.23 Domain Member: Domains): Domain
Disabled (default); Enabled Require Strong (Windows Member: Require Strong
(Legacy Client, Enterprise 2000 or later) Session (Windows 2000 or later)
Client, and High Security) Key: Not Defined Session Key: Enabled require-strong-session-key
Table 3.80 Microsoft

network client: Send
unencrypted password to 3.2.1.35 Microsoft
third-party SMB servers: Network Client: Send 5.4.6.29 [A]
Disabled (Legacy Client, Unencrypted Password to Unencrypted Passwords
Enterprise Client, and High Connect to Third-Party to 3rd party SMB send-unencrypted-password-to-third-
Security) SMB Server: Disabled Servers: Disabled party-smb-servers
3.2.1.14 Devices: 5.4.6.11 [AP] Unsigned

Unsigned driver Driver installation
installation behavior: Behavior: Warn but
. "Warn, but allow . . . " allow installation
. . .
Table 3.75 Interactive 5.4.6.24 [A] Password

logon: Prompt user to Expiration Warning:
change password before 3.2.1.29 Interactive Interactive Logon:
expiration: 14 days Logon: Prompt User to Prompt user to change
(Legacy Client, Enterprise Change Password Before password before prompt-user-to-change-password-
Client, and High Security) Expiration: 14 days expiration: 14 days before-expiration
Table 3.54 Audit: Shut
down system immediately 5.4.6.5 [AP] Halt on
if unable to log security 3.2.1.8 Audit: Shut down Audit Failure: Audit: Shut
audits: Disabled (Legacy system immediately if down system
Client and Enterprise unable to log security immediately if unable to
Client); Enabled (High alerts: Enabled log security audits:
Security) (Specialized Security) Enabled shutdown-system-unable-log-audits
Table 3.102 Shutdown:

Allow system to be shut
down without having to log 3.2.1.56 Shutdown: Allow
on: Disabled (Legacy system to be shut down
Client, Enterprise Client, without having to log on:
. . .
Table 3.103 Shutdown: 5.4.6.71 [AP] Clear

Clear virtual memory page System Page File
file: Disabled (Legacy During Shutdown:
Client and Enterprise 3.2.1.57 Shutdown: Clear Shutdown: Clear virtual
Client); Enabled (High virtual memory pagefule: memory pagefile:
Security) Not Defined Enabled
5.4.6.27 [A] SMB Client

3.2.1.33 Microsoft Packet Signing
Network Client: Digitally (Always): Microsoft
sign communications Network Client: Digitally
(always): Enabled sign communications digitally-sign-communications-client-
. (Specialized Security) (always): Enabled always
digitally-sign-communications-client-
. . . server-agrees
5.4.6.31 [A] SMB Server

Packet Signing
3.2.1.37 Microsoft (Always): Microsoft
Network Server: Digitally Network Server: Digitally
sign communications sign communications digitally-sign-communications-server-
. (always): Not Defined (always): Enabled always
5.4.6.32 Microsoft
Microsoft network server: Network Server: digitally
Digitally sign sign server
communications (if client communications (if client digitally-sign-communications-server-
. agrees): Disabled agrees): Enabled client-agrees
5.4.6.23 Interactive
Logon: Number of
Table 3.74 Interactive previous logons to
logon: Number of previous 3.2.1.28 Interactive cache (in case Domain
logons to cache: 1 (Legacy Logon: Number of Controller is
Client); 0 (Enterprise Client Previous Logons to unavailable): 0 logons or
and High Security) Cache: Not Defined 1 logon number-of-previous-logons-to-cache
Table 3.56 Devices: 5.4.6.8 [A] Format and

Allowed to format and eject Eject Removable Media:
removable media: 3.2.1.10 Devices: Allowed Devices: Allowed to
Administrators (Legacy to format and eject Format and Eject
Client, Enterprise Client, removable media: Removable Media:
and High Security) Administrators Administrators allow-format-eject-removable-media
Table 3.64 Domain 5.4.6.15 [A] Encrypting

member: Digitally encrypt and Signing of Secure
or sign secure channel Channel Traffic: Domain
data: Enabled (High 3.2.1.18 Domain Member: Member: Digitally
Security); disabled (Legacy Digitally Encrypt or Sign encrypt or sign secure
Client and Enterprise Secure Channel Data channel data (always): digitally-encrypt-or-sign-secure-
Client) (Always): Not Defined Enabled channel-data-always
Table 3.65 Domain 5.4.6.16 [A] Encryption

member: Digitally encrypt of Secure Channel
secure channel data (when 3.2.1.19 Domain Member: Traffic: Domain Member:
possible): Enabled (Legacy Digitally Encrypt Secure Digitally encrypt secure
Client, Enterprise Client, Channel Data (When channel data (when digitally-encrypt-secure-channel-
and High Security) Possible): Enabled possible): Enabled data-when-possible
Table 3.66 Domain 5.4.6.17 [A] Signing of

member: Digitally sign Secure Channel Traffic:
secure channel data (when 3.2.1.20 Domain Member: Domain Member:
possible): Enabled (Legacy Digitally Sign Secure Digitally sign secure
Client, Enterprise Client, Channel Data (When channel data (when digitally-sign-secure-channel-data-
and High Security) Possible): Enabled possible): Enabled when-possible
Table 3.77 Interactive 5.4.6.26 [A] Smart Card

logon: Smart card removal Removal Option:
behavior: Lock Workstation 3.2.1.32 Interactive interactive Logon: Smart
(Enterprise Client and High Logon: Smart Card card removal behavior:
Security); Legacy Client is Removale Behavior: Lock Lock Workstation or
not defined Workstation Force Logoff smart-card-removal-behaviour
disable-machine-account-password-
. . . changes
. . .
Table 3.105 System 5.4.6.73 [A] FIPS
cryptography: Use FIPS compliant algorithms:
compliant algorithms for 3.2.1.59 System System cryptography:
encryption, hashing, and Cryptography: Use FIPS Use FIPS compliant
signing: Disabled (Legacy compliant algorithms for algorithms for
Client, Enterprise Client, encryption, hashing, and encryption, hashing, and
and High Security) signing: Not Defined signing: Enabled
Table 3.106 System

objects: Default owner for 5.4.6.74 [A] Object
objects created by Created by members of
members of the the Administrators
Administrators group: 3.2.1.60 System Objects: Group: System ojects:
Administrators group Default owner for objects Default owner for object
(default); Object creator created by members of created by members of
(Legacy Client, Enterprise the Administrators group: the Administrators
Client, and High Security) Object Creator groups: Object creator
Table 3.107 System 5.4.6.75 [A] Case

objects: Require case Insensitivity for Non-
insensitivity for non- Windows Subsystems:
Windows subsystems: 3.2.1.61 System objects: System object: Require
Enabled (Legacy Client, Require case insensitivity Case Insensitivity for
Enterprise Client, and High for non-Windows non-Windows
Security) subsystems: Not Defined Subsystems: Enabled
Table 3.51 Accounts: Limit 5.4.6.2 [A] Limit Blank

local account use of blank Passwords: Accounts:
passwords to console 3.2.1.3 Accounts: Limit Limit local account use
logon only: Enabled local account use of blank of blank passwords to
(Legacy Client, Enterprise passwords to console console logon only:
Client, and High Security) logon only: Enabled Enabled limit-blank-password-use
Table 3.55 Devices: Allow

undock without having to 5.4.6.7 [A] Undock
log on: Enabled (default); 3.2.1.9 Devices: Allow Without Loggon On:
Disabled (Legacy Client, undock without having to Devices: Allow Undock
Enterprise Client, and High log on: Enabled Without Having to Log
Security) (Specialized Security) On: Disabled allow-undock-no-logon
Table 3.62 Domain 5.4.6.13 [A] LDA Signing

controller: LDAP server 3.2.1.16 Domain Requirements (Domain
signing requirements: Not Controller: LDAP Server Controller): Domain
Defined (Legacy Client and Signing Requirements: controller: LDAP Server
Enterprise Client); Require Require Signing signing requirements:
signing (High Security) (Specialized Security) Require signing
Table 3.97 Network
security: LDAP client 3.2.1.51 Network 5.4.6.65 [A] LDAP Client
signing requirements: Security: LDAP client Signing: Network
Negotiate signing (Legacy signing requirements: security: LDAP client
Client, Enterprise Client, Negotiate Signing or signing requirements:
and High Security) Require Signing Negotiate signing
Table 3.63 Domain 5.4.6.14 [A] computer

controller: Refuse machine Account Password
account password 3.2.1.17 Domain change Requests:
changes: Not Defined Controller: Refuse Domain Controller:
(default); Disabled (Legacy machine account Refuse machine account
Client, Enterprise Client, password changes: password changes:
and High Security) Disabled Disabled
Table 3.68 Domain 5.4.6.19 [A] Maximum

member: Maximum Machine Account
machine account 3.2.1.22 Domain Member: Password Age: Domain
password age: 30 days Maximum Machine Member: Maximum
(Legacy Client, Enterprise Account Password Age: Machine Account maximum-machine-account-
Client, and High Security) 30 days Password Age: 30 password-age
5.4.6.25 [A] Domain

Table 3.76 Interactive Controller Authentication
logon: Require domain to Unlock Workstation:
controller authentication to 3.2.1.30 Interactive Interactive logon:
unlock workstation: Logon: Require Domain Require domain
Disabled (default); Enabled Controller authentication controller authentication
(Legacy Client, Enterprise to unlock workstation: Not to unlock workstation: require-domain-controller-
Client, and High Security) Applicable Enabled authentication-to-unlock
5.4.6.33 [A] forcibly

Table 3.84 Microsoft disconnect when logon
network server: Disconnect 3.2.1.30 Microsoft hours expire: Microsoft
clients when logon hours Network Server: network Server:
expire: Enabled (Legacy Disconnect clients when Disconnect clients when
Client, Enterprise Client, logon hours expire: logon hours expire: disconnect-client-when-logon-hours-
and High Security) Enabled Enabled expire
Table 3.87 Network 5.4.6.54 [A] Storage of

access: Do not allow credentials or .NET
storage of credentials or 3.2.1.40 Network Access: passports: Network
.NET Passports for Do not allow storage of Access: Do not allow
network authentications: credentials or .NET storage of credentials
Disabled (default); Enabled passports for network or .NET passports for
(Legacy Client, Enterprise authentication: Enabled network authentication: do-not-allow-storage-credentials-net-
Client, and High Security) (Specialized Security) Enabled passports-network-authn
Table 3.88 Network 5.4.6.55 [AP] Everyone
access: Let Everyone Permissions Apply to
permissions apply to Anonymous Users:
anonymous users: 3.2.1.41 Network Access: Network Access: Let
Disabled (Legacy Client, Let Everyone permissions everyone permissions
Enterprise Client, and High apply to anonymous apply to anonymous let-everyone-permissions-apply-to-
Security) users: Disabled users: Disabled anonymous-users
5.4.6.56 [MA]
Anonymous Access to
Named Pipes: Network
Access: Named pipes
that can be accessed
anonymously: COMNAP,
Table 3.89 Network COMNODE,
access: Named Pipes that SQL\QUERY,
can be accessed 3.2.1.42 Network Access: SPOOLSS,
anonymously: None Named pipes that can be EPMAPPER,
(Legacy Client, Enterprise accessed anonymously: LOCATOR, TrkWks, and
Client, and High Security) None TrkSvr named-pipes-accessed-anonymously
5.4.6.57 [MA] Remotely

Table 3.90 Network Accessible Registry
access: Remotely Paths: Network Access:
accessible registry paths: 3.2.1.43 Network Access: Remotely accessible
System\currentControlSet\ Remotely accessible registry paths:
Control\Products Options; registry paths: System\currentControlS
System\CurrentControlSet\ System\CurrentControlSet et\Control\ProductOption
Control\server \Control\Product Options, s,
Applications; System\CurrentControlSet System\CurrentControlS
Software\Microsoft\Windo \Control\Server et\Control\Server
ws NT\CurrentVersion Applications, Applications, Remotely-accessible-registry-paths,
(Legacy Client, Enterprise Software\Microsoft\Windo Software\Microsoft\Wind Remotely-accessible-registry-paths-
Client, and High Security) wsNT\CurrentVersion ows NT\CurrentVersion and-sub-paths
5.4.6.60 [MA]
Table 3.93 Network Anonymous Access to
Access: Shares that can Network Shares:
be accessed anonymously: 3.2.1.46 Network Access: Network Access: Shares
None (Legacy Client, Shares that can be that can be accessed Shares-that-can-be-accessed-
Enterprise Client, and High accessed anonymously: anonymously: <should anonymously -- NOTE:
Security) None be blank> COMMENTED OUT
Table 3.94 Network 5.4.6.61 [A] Sharing and

Access: Sharing and Security Model for Local
security model for local Accounts: Network
accounts: Classic - local Access: Sharing and
users authenticate as 3.2.1.47 Network Access: security model for local
themselves (Legacy Client, Sharing and security accounts: "Classis -
Enterprise Client, and High model for local accounts: local users authenticate Sharing-and-security-model-for-local-
Security) Classic as themselves" accounts
Table 3.95 Network 5.4.6.62 [AP] LAN
Security: Do not store LAN 3.2.1.48 Network Manager Hash Value:
Manager hash value on Security:Do not store LAN network security: Do not
next password change: Manager password hash store LAN Manager
Enabled (Legacy Client, value on next password hash value on next
Enterprise Client, and High change: Enabled password change: Do-not-store-LAN-Manager-hash-
Security) (Specialized Security) Enabled value-on-next-password-change
Table 2.14 Network

Security: Force Logoff
when logon hours expire: 3.2.1.49 Network
Disabled (default); Enabled Security: Force logoff 5.4.6.63 [A] force Logoff
(Legacy Client, Enterprise when logon hours expire: when Logon Hours Force-logoff-when-logon-hours-
Client, and High Security) Not Defined Expire: Enabled expire
3.2.1.52 Network 5.4.6.66 [A] Minimum

Security: Minimum Session Security for
session security for NTLM NTLM SSP-based
Table 3.98 Network SSP based clients: Clients: "Require
Security: Minimum session Require Message NTLMv2 session
security for NTLM SSP Integrity, Message security", "Require 128-
based clients: No minimum Confidentiality, NTLMv2 bit encryption", "Require
(Legacy Client); Enabled Session Security, 128-bit Message Integrity", and
all settings (Enterprise Encryption (Specialized "Require Message
Client and High Security) Security) Confidentiality"
3.2.1.52 Network 5.4.6.67 [A] Minimum

Security: Minimum Session Security for
Table 3.99 Network session security for NTLM NTLM SSP-based
Security: Minimum session SSP based clients: servers: "Require
security for NTLM SSP Require Message NTLMv2 session
based servers: No Integrity, Message security", Require 128-
minimum (Legacy Client); Confidentiality, NTLMv2 bit encryption", Require
Enabled all settings Session Security, 128-bit Message Integrity", and
(Enterprise Client and High Encryption (Specialized "Require Message
Security) Security) Confidentiality"
. . .
. . .
5.5.1 [AP] Password
Protected Screen
Savers: Passwords are
. . required
7.5.1 Configuring
Default User
3.2.1.84 MSS: The time Screensaver Options:
in seconds before the ScreenSaveTimeout:
screen saver grace 900 Seconds (15
. period expires: 0 minutes) screen-saver-grace-period
7.5.1 Configuring
Default User
Screensaver Options:
ScreenSaverIsSecure
. . :1
7.5.1 Configuring
Default User
. . ScreenSaveActive: 1
. . .
7.5.1 Configuring
Default User
ScreenSaveTimeout:
900 Seconds (15
. . minutes)
7.5.1 Configuring
Default User
ScreenSaverIsSecure
. . :1
7.5.1 Configuring
Default User
5.5.1 [AP] Password
Protected Screen
Savers: Passwords are
. . required
7.5.1 Configuring
Default User
. period expires: 0 minutes)
7.5.1 Configuring
Default User
ScreenSaverIsSecure
. . :1
7.5.1 Configuring
Default User
. . .
Table 3.251 Make

screensaver password
protection immediate: the
time in seconds before the
screen saver grace period 5.5.1 [AP] Password
expires: 0 (Legacy Client, Protected Screen
Enterprise Client, and High Savers: Passwords are
Security) . required
. . .
. . .
7.5.1 Configuring
Default User
. period expires: 0 minutes)
8.3.3.1 Always Install

with Elevated Privileges:
. . (4.037: CAT II) Disabled
. . .
8.3.3.3 Enable User

Control Over Installs:
8.3.3.4 Enable User to

Browse for Source While
Elevated: (5.052: CAT II)
. . Disabled

Use Media Source While
Elevated: (5.053: CAT II)
. . Disabled
8.3.3.7 Allow Admin to

Install from Terminal
Services Session:

Patch Elevated
Products: (5.054: CAT II)
. . Disabled
8.3.3.8 Cache
Transforms in Secure
Location on Workstation:
. . (5.056: CAT II) Enabled
5.6.4.1 [A] Media Player

- Disabling Media Player
for Automatic Updates:
. . Enabled
8.3.11 Media Player -

Automatic Downloads:
(5.061: CAT II) Prevent
Codec Download is set
. . to Enabled
5.6.5.3 [A] Windows
Messenger - internet
. . Access Blocked: 1
Table 3.167 Messenger: 8.3.4.1 Do Not Allow

Disabled (Legacy Client, Windows Messenger to
Enterprise Client, and High 4.1.13 Messenger: be Run: (5.017: CAT I)
Security) Disabled Enabled
8.3.4.2 Do Not
Automatically Start
Windows Messenger
Intially: (5.029: CAT I)
. . Enabled
7.6.15 Task
Scheduler Service:
(5.035: CAT III) Hide
Property Page is
. . Enabled
7.6.15 Task
Scheduler Service:
(5.036: CAT III)
Prohibit New Task
. Creation is Enabled
8.3.2.2 Limit User to

One Remote Session:
8.3.2.3 Limit Number of

Connections: (5.039:
. . CAT II) Enabled
8.3.2.4 Do Not Allow

New Client Connections: Allow-users-to-connect-remotely-
. . (5.040: CAT II) Enabled using-Terminal-Services
5.6.3.3 [A] Terminal

Services - Do Not Allow
Local Administrators to
Customize Permissions:
. . Enabled
Services - Remote
Control Settings: "Set
rules for remote control
of Terminal Services
. . user settings: Enabled

Services - Always
prompt client for
password upon Always-prompt-client-for-password-
. . connections: Enabled upon-connection
Table 3.255 Set client

connection encryption 5.6.3.6 [A] Terminal
level: High (Legacy Client, Services - Set Client
Enterprise Client, and High Connection Encryption Set-client-connection-encryption-
Security) . Level: Enabled level
8.3.2.5 Do Not Use

Temp Folders per
Session: (5.044: CAT II)
. . Disabled
8.3.2.6 Do Not Delete

Temp Folder upon Exit:

Services - Set time Limit
for Disconnected
Sessions: Enabled
("End a disconnected
. . session" is set to "1")
8.3.2.7 Set Time Limit

for Idle Sessions:
(5.047: CAT II) Enabled
and set to no more than
. . 15 minutes

Services - Allow
Reconnection from
Original Client Only:
. .. Enabled
8.3.2.8 Terminate
Session When Time
Limits are Reached:
8.3.2.1 Keep-Alive
Messages: (5.037: CAT
. . III) Enabled
5.6.8.1 [A] Remote

Assistance - Solicited
Remote Assistance:
. . Disabled Solicited-Remote-Assistance
5.6.8.2 [A] Remote

Assistance - Offer
Remote Assistance:
. . Disabled Offer-Remote-Assistance
Table 3.257 Error

Reporting: Disabled
(Legacy Client, Enterprise 5.6.9.1 Report Errors:
Client, and High Security) . Disabled
5.4.3.1 [M] User Logon

Restrictions: Enforce
user logon restrictions:
. . Enabled
5.4.3.2 [M] Service

Ticket Lifetime:
Maximum lifetime for
service ticket: 600
. . minutes
5.4.3.3 [M] User Ticket

Lifetime: Maximum
lifetime for user ticket:
. . 10 hours
. . .
5.4.3.5 [M] Computer

Clock Synchronization:
Maximum tolerance for
computer clock
synchronizations: 5
. . minutes
. . .
. . .
. . .
. . .
. . .
. . .
. . .
. .
Table 3.199 Removale
Storage: Disabled
(Legacy Client,
Enterprise Client, and
High Security) . .
. . .
. . .
. . .
Updates: Disabled . .

Updates: Disabled . .

Updates: Disabled . . Configure-Automatic-Updates
. . .
Do-not-adjust-default-option-to-
. . . Install-Updates-and-Shut-Down
Do-not-display-Install-Updates-and-
. . . Shut-Down
. . .
Table 11.3 Automatic No-auto-restart-for-scheduled-

Updates: Disabled . . Automatic-Updates-installations
. . .
Table 11.3 Automatic Reschedule-Automatic-Updates-

Updates: Disabled . . scheduled-installations
2.2.2 Microsoft
Software Updates
Services: Specify
intranet Microsoft
update service
. . location: enabled
. . .
. . .
. . .
. . .
. . .
MachineAccessRestrictions
MachineLaunchRestrictions
Require-Smart-Card
Restrict-anonymous-access-to-
Named-Pipes-and-Shares
tcp-max-connect-response-
retransmissions
tcp-max-data-retransmissions
ntfs-disable-8dot3-name-creation
RPC-Endpoint-Mapper-Client-
Authentication
Restrictions-for-Unauthenticated-
RPC-clients
Domain-Profile-Firewall-Protect-All-
Network-Connections, Domain-
Profile-Firewall-State
Domain-Profile-Firewall-Do-Not-
Allow-Exceptions
Domain-Profile-Firewall-Allow-Local-
Program-Exceptions
Domain-Profile-Firewall-Allow-
Inbound-Remote-Administration-
Exception
Inbound-File-And-Printer-Sharing-
Exception
Inbound-Remote-Desktop-
Exceptions
Inbound-UPnP-Framework-
Exceptions
Domain-Profile-Firewall-Prohibit-
Notifications, Domain-Profile-Display-
Notification
Domain-Profile-Firewall-Prohibit-
Unicast-Response, Domain-Profile-
Allow-Unicast-Response
Domain-Profile-Firewall-Define-
Inbound-Port-Exceptions
Domain-Profile-Firewall-Allow-Local-
Port-Exceptions
Standard-Profile-Firewall-Protect-All-
Network-Connections
Standard-Profile-Firewall-Do-Not-
Allow-Exceptions
Standard-Profile-Firewall-Define-
Inbound-Program-Exceptions
Standard-Profile-Firewall-Allow-
Inbound-Remote-Administration-
Exception
Inbound-File-And-Printer-Sharing-
Exception,Standard-Profile-Firewall-
Allow-Inbound-File-And-Printer-
Sharing-Exceptions
Inbound-Remote-Desktop-
Exceptions
Inbound-UPnP-Framework-
Exceptions
Standard-Profile-Firewall-Prohibit-
Notifications
Standard-Profile-Firewall-Prohibit-
Unicast-Response
Standard-Profile-Firewall-Define-
Inbound-Port-Exceptions
Local-Port-Exceptions
3.2.1.78 MSS:
TCPMaxPortsExhausted,
How many dropped
connect requests to
initiate SYN attack
protection: 5
Domain-Profile-Inbound-
Connections
Domain-Profile-Outbound-
Connections
Domain-Profile-Apply-Local-
Firewall-Rules
Domain-Profile-Apply-Local-
Connection-Security-Rules
Private-Profile-Firewall-State
Private-Profile-Inbound-
Connections
Private-Profile-Outbound-
Connections
Private-Profile-Display-
Notification
Private-Profile-Allow-Unicast-
Response
Private-Profile-Apply-Local-
Firewall-Rules
Private-Profile-Apply-Local-
Public-Profile-Firewall-State
Public-Profile-Inbound-
Connections
Public-Profile-Outbound-
Connections
Public-Profile-Display-Notification
Public-Profile-Allow-Unicast-
Response
Public-Profile-Apply-Local-
Firewall-Rules
Public-Profile-Apply-Local-
Do-Not-Process-Legacy-Run-List
Do-Not-Process-Run-Once-List
Registry-Policy-Processing
Turn-off-Internet-download-for-
Web-publishing-and-online-
ordering-wizards
Turn-off-the-Windows-
Messenger-Customer-
Experience-Improvement-
Program
Turn-off-Search-Companion-
content-file-updates
Turn-off-printing-over-HTTP
Turn-off-downloading-of-print-
drivers-over-HTTP
Turn-off-Windows-Update-device-
driver-searching
Enumerate-administrator-
accounts-on-elevation
Require-trusted-path-for-
credential-entry
Deny-all-add-ons-unless-
specifically-allowed-in-the-Add-
on-List
Do-not-allow-passwords-to-be-
saved
Do-not-allow-drive-redirection
Prompt-for-password-on-resume-
from-hibernate-suspend
Do-not-preserve-zone-information-in-
file-attachments
Hide-mechanisms-to-remove-zone-
information
Notify-antivirus-programs-when-
opening-attachments
override-audit-policy-settings
Log-Access-For-Setup-Log
Windows-Search
Turn-Off-Microsoft-Peer-to-
Peer-Networking-Services
Prohibit-Access-of-the-
Windows-Connect-Now-
Wizards
Allow-remote-access-to-the-
PnP-interface
Do-not-create-system-
restore-point-when-new-
device-driver-installed
Do-not-send-Windows-Error-
Report-when-generic-driver-
is-installed-on-device
Turn-Off-Access-to-All-
Windows-Update-Feature
Turn-Off-Automatic-Root-
Certificates-Update
Turn-Off-Event-Views-
Events.asp-Links
Turn-Off-Handwriting-
Reconition-Error-Reporting
Turn-Off-Help-and-Support-
Center-Did-you-Know-
Content
Turn-Off-Help-and-Support-
Center-Microsoft-Knowledge-
Base-Search
Turn-Off-Internet-
Connection-Wizard-if-URL-
Connection-is-Referring-to-
Microsoft.com
Turn-Off-Internet-File-
Association-Service
Turn-Off-Registration-if-URL-
Connection-is-Referring-to-
Microsoft.com
Turn-Off-the-Order-Prints-
Picture-Task
Turn-off-the-Publish-to-Web-
task-for-files-and-folders
Turn-Off-Windows-Movies-
Maker-Automatic-Codec-
Downloads
Turn-Off-Windows-Movie-
Maker-Online-Web-Links
Turn-Off-Windows-Movie-
Maker-Saving-to-Online-
Video-Hosting-Provider
Do-Not-Display-the-Getting-
Started-Welcome-Screen-at-
Logon
Turn-off-Windows-Startup-
Sound
Require-a-Password-when-a-
Computer-Wakes-On-Battery
Require-a-Password-when-a-
Computer-Wakes-Plugged
Allow-only-Vista-or-later-
connections
Customization-Warning-
Messages
Turn-on-bandwidth-
optimization
Turn-on-session-logging
Prevent-IIS-Installation
Turn-Off-Active-Help
Turn-Off-Untrusted-Content
Turn-off-downloading-
enclosures
Allow-indexing-of-encrypted-
files
Prevent-indexing-uncached-
Exchange-folders
Turn-off-Windows-Calendar
Allow-Corporate-Redirection-
Customer-Experience-
Improvement-Program-
Uploads
Turn-off-Windows-Defender
Turn-off-heap-termination-
corruption
Turn-off-shell-protocol-
protected-mode
Prohibit-Non-Administrators-
applying-vendorpatches
Report-logon-server-not-
available-during-user-logon
Turn-off-communication-
features
Turn-off-windows-mail-app
Prevent-Windows-Media-
DRM-Internet-Access
Turn-off-windows-meeting-
space
Turn-on-windows-meeting-
space-auditing
Disable-unpacking-
installation-gadgets-not-
digitally-signed
Override-more-gadgets-Lnk
Turn-off-user-installed-
windows-sidebar-gidgets
do_not_allow_digital_locker_
to_run_var
turn_off_downloading_of_ga
me_information
ipv6_block_protocols_41
ipv6_block_udp_3544
8.3.1.1 Security
Zones: Use Only
Machine Settings:
(5.028: CAT II) Security-Zones-Use-only-machine-
. . Enabled settings
Internet-Explorer-Processes-
Restrict-ActiveX-Install
8.3.1.3 Security
Zones: Do Not Allow
Users to Add/Delete
Sites: (5.030: CAT II) Security-Zones-Do-not-allow-users-
. . Enabled to-add-delete-sites
8.3.1.6 Disable
Peridoic Check for
Internet Explorer
Software Updates:
(5.033: CAT II) Disable-Periodic-Check-for-Internet-
. . Enabled Explorer-software-updates
Zone-Elevation-Protection
Consistent-MIME-Handling
Allow-software-to-run-or-install-
even-if-the-signature-is-invalid
Internet-Explorer-Processes-MK-
Protocol
8.3.1.7 Disable
Software Update
Shell Notificiations on
Program Launch:
(5.034: CAT II) Disable-software-update-shell-
. . Disabled notifications-on-program-launch
Restrict-File-Download
8.3.1.5 Disable
Automatic Install of
Internet Explorer
Components: (5.032: Disable-Automatic-Install-of-Internet-
. . CAT II) Enabled Explorer-components
8.3.1.4 Make Proxy

Settings Per Machine:
(5.031: CAT II)
. . Enabled Make-proxy-settings-per-machine
Do-not-allow-users-to-enable-or-
disable-add-ons
Turn-off-Crash-Detection
Scripted-Window-Security-
Restrictions
8.3.1.2 Security
Zones: Do Not Allow
Users to Change
Policies: (5.029: CAT Security-Zones-Do-not-allow-users-
. . II) Enabled to-change-policies
MIME-Sniffing
Remove-CD-Burning-features
Remove-Security-tab
Internet-Explorer-
Maintenance-Policy-
Processing-Enabled
Internet-Explorer-
Maintenance-Policy-
Processing-Enabled
Internet-Explorer-
Maintenance-Policy-
Processing-Enabled
Turn-on-Mapper-IO-LLTDIO-
driver
driver
driver
Turn-on-Responder-RSPNDR-
driver
driver
driver
Configuration-of-Wireless-
Settings-Using-Windows-
Connect-Now
Connect-Now
Connect-Now
Approved-Installation-Sites-
for-ActiveX-Controls
Disable-Logging
Disable-Windows-Error-
Reporting
Do-Not-Send-Additional-Data
Configure-Corporate-
Windows-Error-Reporting
Remove-Default-Programs-
Link-from-the-Start-Menu
Turn-off-Help-Experience-
Improvement-Program
Turn-off-Help-Ratings
Turn-off-Windows-Online
Prevent-users-from-sharing-
files-within-their-profile
NIST SCAP Windows Vista
NIST Office 2007
OVAL (SCAP-WinVista-
Recommendations placeholder
OVAL.xml rev 2007-02-06)
oval:com.secure-
elements.oval:def:6009
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-elements.oval:def:6017
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-elements.oval:def:6574,
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
elements.oval:def:6075oval:com.secure
-elements.oval:def:6076
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
elements.oval:def:6547,
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
elements.oval:def:6548,oval:com.secur
e-elements.oval:def:6553
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:gov.nist.fdcc.vista:def:6698
oval:gov.nist.fdcc.vista:def:6703
oval:gov.nist.fdcc.vistafirewall:def:
6491
oval:gov.nist.fdcc.vistafirewall:def:
6492
placeholder
placeholder
placeholder
placeholder
placeholder
placeholder
placeholder
placeholder
placeholder
placeholder
placeholder
placeholder
placeholder
placeholder
placeholder
placeholder
placeholder
placeholder
placeholder
placeholder
placeholder
placeholder
placeholder
placeholder
placeholder
placeholder
placeholder
placeholder
placeholder
placeholder
placeholder
placeholder
placeholder
placeholder
placeholder
placeholder
placeholder
placeholder
placeholder
placeholder
placeholder
placeholder
placeholder
placeholder
placeholder
placeholder
placeholder
placeholder
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
oval:com.secure-
NIST SCAP
Microsoft Office 2007 NIST SCAP Microsoft Microsoft Office
Recommendations (Security Office 2007 OVAL (SCAP- 2007 XCCDF
Settings for Office 2007 Office2007-OVAL-Beta- (SCAP-Office2007-
Applications.xlsx) v1.xml) XCCDF-Beta-v1.xml
)
User Configuration\Administrative
Templates\Microsoft Office 2007
system\Security Settings\Disable VBA
for Office applications, Computer
Configuration\Administrative
Templates\Microsoft Office 2007 system
(Machine)\Security Settings\Disable
VBA for Office applications
DisableVBAForOfficeAppl
oval:org.mitre.oval:def:771 ications
system\Security Settings\ActiveX
Control Initialization (1 | 2 | 3 | 4 | 5 | 6)
ActiveXControlInitializatio
oval:org.mitre.oval:def:814 n
system\Privacy\Trust Center\Enable
Customer Experience Improvement EnableCustomerExperien
Program oval:org.mitre.oval:def:829 ceImprovementProgram
system\Privacy\Trust AutomaticallyReceiveSm
Center\Automatically receive small allUpdatesToImproveReli
updates to improve reliability oval:org.mitre.oval:def:1473 ability
system\Tools | Options | General |
Service Options...\Online
Content\Online content options (Never
show online content or entry points |
Search only offline content whenever
available | Search online content
whenever available)
oval:org.mitre.oval:def:1302 OnlineContentOptions
2007\Application Settings\Security\Trust
Center\VBA Macro Warning Settings
(Trust Bar warning for all macros | Trust
Bar warning for digitally signed macros
only (unsigned macros will be disabled)
| No Warnings for all macros but disable
all macros | No Security checks for
macros (Not recommended, code in all
documents can run))
VBAMacroWarningSettin
oval:org.mitre.oval:def:1403 gs-Access
2007\Excel Options\Security\Trust
documents can run))
oval:org.mitre.oval:def:649 gs-Excel
Center\Trust access to Visual Basic
Project
TrustAccessToVisualBasi
oval:org.mitre.oval:def:1560 cProject-Excel
2007\PowerPoint Options\Security\Trust
documents can run))
oval:org.mitre.oval:def:654 gs-PowerPoint
Project
oval:org.mitre.oval:def:665 cProject-PowerPoint
DisableRememberPassw
oval:org.mitre.oval:def:1298 ord
2007\Security\Security Form
Settings\Programmatic Security\Trusted
Add-insConfigure trusted add-ins
ConfigureAddInTrustLeve
oval:org.mitre.oval:def:1390 l
DisableRememberPassw
ordForInternetEmailAcco
oval:org.mitre.oval:def:1232 unts
2007\Security\Cryptography\Minimum
encryption settings
MinimumEncryptionSettin
oval:org.mitre.oval:def:661 gs
2007\Security\Cryptography\Do not
check e-mail address against address
DoNotCheckEmailAddres
of certificates being used
sAgainstAddressOfCertifi
oval:org.mitre.oval:def:1399 catesBeingUsed
2007\Security\Cryptography\Send all
signed messages as clear signed
messages
SendAllSignedMessages
oval:org.mitre.oval:def:1388 AsClearSignedMessages
2007\Security\Cryptography\Request an
S/MIME receipt for all S/MIME signed
RequestAnSMIMEReceip
messages
tForAllSMIMESignedMes
oval:org.mitre.oval:def:705 sages
display 'Publish to GAL' button
DoNotDisplayPublishToG
oval:org.mitre.oval:def:741 ALButton
2007\Security\Cryptography\Signature
Warning (Let user decide if they want to
be warned | Always warn about invalid
signatures | Never warn about invalid
signatures)
oval:org.mitre.oval:def:756 SignatureWarning
2007\Security\Cryptography\Enable
Cryptography Icons
oval:org.mitre.oval:def:1716 EnableCryptographyIcons
Status dialog box\Retrieving CRLs
(Certificate Revocation Lists) (Use
system Default | When online always
retreive the CRL | Never retreive the
CRL)
oval:org.mitre.oval:def:1700 RetrievingCRLs
2007\Word Options\Security\Trust
all macros | No )
VBMacroWarningSettings
oval:org.mitre.oval:def:1350 -Word
Project
oval:org.mitre.oval:def:1713 cProject-Word
WarnBeforePrintingSavin
gOrSendingAFileThatCon
tainsTrackedChangesOrC
oval:org.mitre.oval:def:788 omments
system\Miscellaneous\Block updates BlockUpdatesFromTheOf
from the Office Update Site from ficeUpdateSiteFromApply
applying oval:org.mitre.oval:def:1755 ing
2007\Application Settings\Web
Options\General\Underline hyperlinks
2007\Application
Settings\General\General\Number of
documents in the Recent Documents
list (0-9)
Center\Disable Trust Bar Notification for
unsigned application add-ins
Center\Disable all application add-ins
Center\Require that application add-ins
are signed by Trusted Publisher
Center\Trusted Locations\Disable all
trusted locations
Center\Trusted Locations\Allow Trusted
Locations not on the computer
Center\Trusted Locations\Modal Trust
Decision Only
2007\Disable items in user
interface\Predefined\Disable commands
- Office Button | E-Mail
- Office Button | Access Options |
Customize | All Commands | Insert
Hyperlink
- Database Tools | Database Tools |
Encrypt with Password
- Database Tools | Administer | Users
and Permission | User and Group
Permissions
and Permissions | User and Group
Accounts
and Permission | User-Level Security
Wizard...
- Database Tools | Database Tools |
Encode/Decode Database
- Database Tools | Macro | Visual Basic
- Database Tools | Macro | Run Macro
interface\Predefined\Database Tools |
Macro | Convert Macros to Visual Basic
interface\Predefined\Database Tools |
Macro | Create Shortcut Menu from
Macro
interface\Predefined\Disable shortcut
keys
- Ctrl+K (Office Button | Access Options
| Customize | All Commands | Insert
Hyperlinks)
- Alt+F11 (Database Tools | Macro |
Visual Basic)
2007\Miscellaneous\Default file format
(Access 2007 | Access 2002-2003)
2007\Miscellaneous\Do not prompt to
convert older databases
2007\Excel
Options\Proofing\Autocorrect
Options\Internet and network paths as
hyperlinks
2007\Excel Options\Save\Save Excel
files as (Excel Workbook (*.xlsx) | Excel
Macro-Enabled Workbook (*.xlsm) |
Excel Binary Workbook (*.xlsb) | Web
Page (*.htm; *.html) | Excel 97-2003
Workbook (*.xls) | Excel 5.0/95
Workbook (*.xls))
2007\Excel Options\Save\Disable
AutoRepublish
2007\Excel
Options\Save\AutoRepublish Warning
Alert (Always show the alert before
publishing | Never show the alert before
publishing)
2007\Excel Options\Security\Determine
whether to force encrypted macros to
be scanned in Microsoft Excel Open
XML workbooks
2007\Excel Options\Security\Force file
extension to match file type (Allow
different | Allow different, but warn |
Always match file type)
Center\Store macro in Personal Macro
Workbook by default
Center\Trusted LocationsAllow Trusted
Center\Trusted LocationsDisable all
trusted locations
2007\Excel Options\Advanced\Ignore
other applications
2007\Excel Options\Advanced\Ask to
update automatic links
2007\Excel Options\Advanced\Number
of documents in the Recent Documents
list (0-17)
2007\Excel Options\Advanced\Web
Options\GeneralSave any additional
data necessary to maintain formulas
2007\Excel Options\Advanced\Web
Options\GeneralLoad pictures from
Web pages not created in Excel
2007\Data Recovery\Do not show data
extraction options when opening corrupt
workbooks
2007\Data Recovery\Assume structured
storage format of workbook is intact
when recovering data
2007\Data Recovery\Corrupt formula
conversion (Convert unrecoverable
references to: values | #REF or
#NAME)
2007\Data Access Security\Connection
File Locations
2007\Data Access Security\Automatic
Query Refresh (Prompt for all
workbooks | Do not prompt; do not allow
auto refresh | Do not prompt; allow auto
refresh)
- Office Button | Excel Options |
Customize | All Commands | Save as
Web Page
Customize | All Commands | Web Page
Preview
- Office Button | Send | Email
- Insert | Links | Hyperlink
- Review | Changes | Protect Sheet
- Review | Changes | Protect Workbook
- Review | Changes | Protect and Share
Workbook
- View | Macros | Macros
- Developer | Code | Macros
- Developer | Code | Record Macro
- Developer | Code | Macro Security
- Developer | Code | Visual Basic
Customize | All Commands | Document
Location
keys
keys - Ctrl+K (Insert | Links | Hyperlink)
keys - Alt+F8 (Developer | Code |
Macros)
Visual Basic)
2007\Block file formats\Open\Block
opening of pre-release versions of file
formats new to Excel 2007
opening of Open XML file types
opening of Binary 12 file types
opening of Binary file types
opening of Html and Xmlss files types
opening of Xml file types
opening of DIF and SYLK file types
opening of Text file types
opening of Xll file type
2007\Block file formats\Save\Block
saving of Open Xml file types
saving of Binary12 file types
saving of Binary file types
saving of Html and Xmlss file types
saving Xml file types
saving DIF and SYLK file types
saving of Text file types
2007\Miscellaneous\Locally cache
network file storages
2007\Miscellaneous\Locally cache
PivotTable reports
2007\Miscellaneous\OLAP PivotTable
User Defined Function (UDF) security
setting (Allow ALL UDFs | Allow safe
UDFs only | Allow NO UDFs)
2007\Miscellaneous\Recognize
SmartTags
Templates\Microsoft Office InfoPath
2007\Tools | Options\General\Number
list (0 - 9)
2007\Tools |
Options\Advanced\Offline\Offline Mode
status (Disabled | Enabled, InfoPath in
Offline Mode | Enabled, InfoPath not in
Offline Mode)
- File | Print
- File | Send to Mail Recipient
- File | Open from SharePoint Site
- File | Print Preview
- File | Page Setup
- Insert | Hyperlinks...
- Tools | Set Language
- Tools | Customize...
- Tools | Options...
- Help | Microsoft Office Online
- Office Diagnostics
- Help | Activate Product...
- Print Default
keys
keys - Print Shortcut (Ctrl+P)
keys - Insert Hyperlink Shortcut (Ctrl+K)
2007\Security\Control behavior for
Windows SharePoint Services gradual
upgrade (Allow redirections to any
location | Allow redirections to Intranet
only | Block all redirections)
2007\Security\Disable opening of
solutions from the Internet security zone
2007\Security\Disable fully trusted
solutions full access to computer
2007\Security\Allow the use of ActiveX
Custom Controls in InfoPath forms
2007\Security\Run forms in restricted
mode if they do not specify a publish
location and use only features
introduced before InfoPath 2003 SP1
2007\Security\Allow file types as
attachments to forms
2007\Security\Block specific file types
as attachments to forms
2007\Security\Prevent users from
allowing unsafe file types to be attached
to forms
2007\Security\Display a warning that a
form is digitally signed
2007\Security\Control behavior when
opening forms in the Internet security
zone (Block | Prompt | Allow)
opening forms in the Intranet security
zone (Block | Prompt | Allow)
opening forms in the Local Machine
security zone (Block | Prompt | Allow)
opening forms in the Trusted Site
security zone (Block | Prompt | Allow)
2007\Security\Beaconing UI for forms
opened in InfoPath (Never show
beaconing UI | Always show beaconing
UI | Show UI if Form Template is from
Internet Zone)
2007\Security\Beaconing UI for forms
opened in InfoPath Editor ActiveX
(Never show beaconing UI | Always
show beaconing UI | Show UI if Form
Template is from Internet Zone)
2007\Security\Trust Center\Disable all
application add-ins
2007\Security\Trust Center\Require that
application add-ins are signed by
Trusted Publisher
2007\Security\Trust Center\Disable
Trust Bar Notification for unsigned
application add-ins
interface\Control behavior when
opening InfoPath e-mail forms
containing code or script (Run without
prompting | Prompt before running |
Never run)
interface\Disable sending form template
with e-mail forms
interface\Disable dynamic caching of
the form template in InfoPath e-mail
forms
interface\Disable sending InfoPath 2003
Forms as e-mail forms
interface\Disable e-mail forms running
in restricted security level
interface\Disable e-mail forms from the
Internet security zone
Intranet security zone
Full Trust security zone
interface\Disable InfoPath e-mail forms
in Outlook
2007\Restricted Features\Information
Rights Management
2007\Restricted Features\Custom code
2007\Miscellaneous\Email Forms
Beaconing UI (Never show UI | Always
show UI | Show UI if XSN is in Internet
Zone)
system\Global
Options\Customize\Disable user
customization of Quick Access Toolbar
via UI
system\Global
via UI - Disallow in Word
system\Global
via UI - Disallow in Excel
system\Global
via UI - Disallow in PowerPoint
system\Global
via UI - Disallow in Access
system\Global
via UI - Disallow in Outlook
system\Global
Options\Customize\Disable all user
system\Global
customization of Quick Access Toolbar -
Disallow in Word
system\Global
Disallow in Excel
system\Global
Disallow in PowerPoint
system\Global
Disallow in Access
system\Global
Disallow in Outlook
system\Global
Options\Customize\Disable UI
extending from documents and
templates
system\Global
templates - Disallow in Word
system\Global
templates - Disallow in Excel
system\Global
templates - Disallow in PowerPoint
system\Global
templates - Disallow in Access
system\Global
templates - Disallow in Outlook
system\Tools | AutoCorrect Options...
(Excel, Word, PowerPoint and
Access)\Recognize smart tags in Excel
system\Tools | Options | General | Web
Options...\Disable Clip Art and Media
downloads from the client and from
Office Online website
Options...\Disable template downloads
from the client and from Office Online
website
Options...\Disable access to updates,
add-ins, and patches on the Office
Online website
Options...\Prevents users from
uploading document templates to the
Office Online community.
Options...\Disable training practice
downloads from the Office Online
website
Options...\Disable customer-submitted
templates downloads from Office Online
Options...\Files\Open Office documents
as read/write while browsing
Options...\Browsers\Rely on VML for
displaying graphics in browsers
Options...\Browsers\Allow PNG as an
output format
system\Tools | Options |
Spelling\Proofing Data
Collection\Improve Proofing Tools
system\Privacy\Trust Center\Disable
Opt-in Wizard on first run
system\Help\Microsoft Office Online
system\Security Settings\Disable
Password Caching
system\Security Settings\Disable all
Trust Bar notifications for security
issues
system\Security Settings\Protect
document metadata for rights managed
Office Open XML Files
system\Security Settings\Protect
document metadata for password
protected files.
system\Security Settings\Encryption
type for password protected Office
Open XML files
system\Security Settings\Encryption
type for password protected Office 97-
2003 files
system\Security Settings\Load Controls
in Forms3 (1 | 2 | 3 | 4)
system\Security Settings\Automation
Security (Disable macros by default |
Use application macro security level |
Macros enabled)
system\Security Settings\Prevent Word
and Excel from loading managed code
extensions
hyperlink warnings
password to open UI
system\Security Settings\Download
Office Controls
system\Security Settings\Disable All
ActiveX
system\Security Settings\Trust
Center\Allow mix of policy and user
locations
system\Smart Documents (Word,
Excel)\Disable Smart Document's use of
manifests
system\Smart Documents (Word,
Excel)\Completely disable the Smart
Documents feature in Word and Excel
system\Services\Fax\Disable Internet
Fax feature
system\Manage Restricted
Permissions\Prevent users from
changing permissions on rights
managed content
Permissions\Allow users with earlier
versions of Office to read with
browsers...
Permissions\Always require users to
connect to verify permission
Permissions\Always expand groups in
Office when restricting permission for
documents
Permissions\Never allow users to
specify groups when restricting
permission for documents
Permissions\Disable Microsoft Passport
service for content with restricted
permission
Permissions\Do not allow users to
upgrade Information Rights
Management configuration
system\Signing\Key Usage Filtering
system\Signing\EKU filtering
system\Signing\Legacy format
signatures
system\Signing\Suppress Office Signing
Providers (Enable Western and East
Asian | Suppress default Western |
Suppress default East Asian | Suppress
both Western and East Asian)
system\Signing\Suppress external
signature services menu item
system\Office Diagnostics\Disable
Check For Solutions
system\Microsoft Save As PDF and
XPS add-ins\Disable inclusion of
document properties in PDF and XPS
output
system\Document Information
Panel\Disable Document Information
Panel
system\Document Information
Panel\Document Information Panel
Beaconing UI (Never show UI | Always
show UI | Show UI if XSN is in Internet
Zone)
system\Server Settings\Disable the
Office client from polling the Office
server for published links
system\Office 2007 Converters\Block
formats new to Word 2007 through the
Compatibility Pack for the 2007 Office
system and Word 2007 Open
XML/Word 97-2003 Format Converter
formats new to Excel 2007 through the
Compatibility Pack for the 2007 Office
system and Excel 2007 Converter
formats new to PowerPoint 2007
through the Compatibility Pack for the
2007 Office system and PowerPoint
2007 Converter
system\Miscellaneous\Control Blogging
(Enabled | Only SharePoint blogs
allowed | All blogging disabled)
system\Miscellaneous\Enable Smart
Resume
system\Miscellaneous\Do not upload
media files
system\Miscellaneous\Disable
hyperlinks to web templates in File |
New and task panes
system\Miscellaneous\Prevent access
to Web-based file storage
2007\Tools | Options...\Preferences\E-
mail Options\Do not allow attachment
previewing in Outlook
mail Options\Read e-mail as plain text
mail Options\Read signed e-mail as
plain text
2007\Tools |
Options...\Preferences\Calendar
Options\Microsoft Office Online Sharing
ServicePrevent publishing to Office
Online
2007\Tools |
ServicePrevent publishing to a DAV
server
2007\Tools |
ServiceRestrict level of calendar details
users can publish (All options are
available | Disables 'Full details' |
Disables 'Full details' and 'Limited
details')
2007\Tools |
ServiceAccess to published calendars
2007\Tools |
ServiceRestrict upload method
2007\Tools |
Options...\Preferences\Junk E-mail\Hide
Junk Mail UI
2007\Tools |
Options...\Preferences\Junk E-mail\Junk
E-mail protection level (No Protection,
Low, High, Trusted Lists Only)
2007\Tools |
Options...\Preferences\Junk E-
mail\Trust E-mail from Contacts
2007\Tools |
Options...\Preferences\Junk E-mail\Add
e-mail recipients to users' Safe Senders
Lists
2007\Tools | Options...\Mail Setup\Dial-
up options
up options - Warn before switching dial-
up connection
up options - Hang up when finished
sending, receiving, or updating
up options - Automatically dial during a
background Send/Receive
2007\Tools | Options...\Mail Format\Do
not allow creating, replying, or
forwarding signatures for e-mail
messages
2007\Tools | Options...\Mail
Format\Internet Formatting\Send copy
of pictures with HTML messages
instead of reference to Internet location
Format\Internet Formatting\Outlook
Rich Text options (Convert to HTML |
Convert to Plain Text format | Send
Using Outlook Rich Text format)
Format\Internet Formatting\Plain text
options
Format\Internet Formatting\Plain text
options - Encode attachments in
UUENCODE format when sending a
plain text message
Format\Internet Formatting\Message
FormatSet message format (HTML |
Rich Text | Plain Text)
2007\Tools | Options...\Other\Make
Outlook the default program for E-mail,
Contacts, and Calendar
2007\Tools |
Options...\Other\Advanced\Do not allow
folders in non-default stores to be set as
folder home pages
2007\Tools |
Options...\Other\Advanced\Use Unicode
format when dragging e-mail message
to file system
2007\Tools |
Outlook object model scripts to run for
shared folders
2007\Tools |
Outlook object model scripts to run for
public folders
2007\Tools | Options...\Other\Person
Names\Set maximum level of online
status on a person name (Do not allow |
Allow everywhere except To and CC
field | Allow everywhere)
Names\Display online status on a
person name (Never | Everywhere
except To and CC field | Everywhere)
Names\Turn off Enable the Person
Names Smart Tag option
Settings\Outlook Security Mode
(Outlook Default Security | Use Security
Form from 'Outlook Security Settings'
Public Folder | Use Security Form from
'Outlook 10 Security Settings' Public
Folder | Use Outlook Security Group
Policy)
Settings\Attachment Security\Display
Level 1 attachments
Settings\Attachment Security\Allow
users to demote attachments to Level 2
Settings\Attachment Security\Do not
prompt about Level 1 attachments when
sending an item
Settings\Attachment Security\Do not
prompt about Level 1 attachments when
closing an item
Settings\Attachment Security\Allow in-
place activation of embedded OLE
objects
Settings\Attachment Security\Display
OLE package objects
Settings\Attachment Security\Add file
extensions to block as Level 1
Settings\Attachment Security\Remove
file extensions blocked as Level 1
Settings\Attachment Security\Add file
extensions to block as Level 2
Settings\Attachment Security\Remove
file extensions blocked as Level 2
Settings\Custom Form Security\Allow
scripts in one-off Outlook forms
Settings\Custom Form Security\Set
Outlook object model Custom Actions
execution prompt (Prompt User |
Automatically Approve | Automatically
Deny | Prompt user based on computer
security)
Settings\Custom Form Security\Set
control ItemProperty prompt (Prompt
User | Automatically Approve |
Automatically Deny | Prompt user based
on computer security)
Settings\Programmatic
Security\Configure Outlook object
model prompt when sending mail
(Prompt User | Automatically Approve |
model prompt when accessing an
address book (Prompt User |
Automatically Approve | Automatically
Deny | Prompt user based on computer
security)
model prompt when reading address
information (Prompt User | Automatically
Approve | Automatically Deny | Prompt
user based on computer security)
model prompt when responding to
meeting and task requests (Prompt
User | Automatically Approve |
model prompt when executing Save As
model prompt When accessing the
Formula property of a UserProperty
object (Prompt User | Automatically
Approve | Automatically Deny | Prompt
user based on computer security)
model prompt when accessing address
information via UserProperties.Find
2007\Security\Cryptography\Required
Certificate Authority
2007\Security\Cryptography\S/MIME
interoperability with external clients:
(Handle internally | Handle externally |
Handle if possible)
2007\Security\Cryptography\Always use
Rich Text formatting in S/MIME
messages
password settings
password settings - Default S/MIME
password time (minutes): (0 -
2147483647)
password settings - Maximum S/MIME
password time (minutes): (0 -
2147483647)
2007\Security\Cryptography\Message
Formats
2007\Security\Cryptography\Message
Formats - Support the following
message formats: (S/MIME | Exchange
| Fortezza | S/MIME and Exchange |
S/MIME and Fortezza | Exchange and
Fortezza | S/MIME, Exchange, and
Fortezza)
provide Continue option on Encryption
warning dialog boxes
2007\Security\Cryptography\Run in
FIPS compliant mode
2007\Security\Cryptography\Encrypt all
e-mail messages
2007\Security\Cryptography\Sign all e-
mail messages
2007\Security\Cryptography\URL for
S/MIME certificates
2007\Security\Cryptography\Ensure all
S/MIME signed messages have a label
receipt requests (Open message if
receipt can't be sent | Don't open
message if receipt can't be sent |
Always prompt before sending receipt |
Never send S/MIME )
2007\Security\Cryptography\Fortezza
certificate policies
2007\Security\Cryptography\Require
SuiteB algorithms for S/MIME
operations
Status dialog box\Missing CRLs
Status dialog box\Missing CRLs -
Indicate a missing CRL as a(n):
(warning | error)
Status dialog box\Missing root
certificates
Status dialog box\Missing root
certificates - Indicate a missing root
certificate as a(n): (neither error nor
warning | warning | error)
Status dialog box\Promote Level 2
errors as errors, not warnings
Status dialog box\Attachment Secure
Temporary Folder
2007\Security\Automatic Picture
Download Settings\Display pictures and
external content in HTML e-mail
Download Settings\Automatically
download content for e-mail from people
in Safe Senders and Safe Recipients
Lists
Download Settings\Do not permit
download of content from safe zones
Download Settings\Block Trusted Zones
Download Settings\Include Internet in
Safe Zones for Automatic Picture
Download
Download Settings\Include Intranet in
Safe Zones for Automatic Picture
Download
2007\Security\Trust Center\Security
setting for macros (Always warn | Never
warn, disable all | Warn for signed,
disable unsigned | No security check)
2007\Security\Trust Center\Enable links
in e-mail messages
2007\Security\Trust Center\Apply macro
security settings to macros, add-ins,
and SmartTags
2007\Tools | Account
Settings\Exchange\Automatically
configure profile based on Active
Directory Primary SMTP address
Settings\Exchange\Do not allow users
to change permissions on folders
Settings\Exchange\Enable RPC
encryption
Settings\Exchange\Authentication with
Exchange Server (Kerberos/NTLM
Password Authentication | Kerberos
Password Authentication | NTLM
Password Authentication)
2007\Tools | Account Settings\RSS
Feeds\Synchronize Outlook RSS Feeds
with Common Feed List
Feeds\Turn off RSS feature
Feeds\Automatically download
enclosures
Feeds\Download full text of articles as
HTML attachments
2007\Tools | Account Settings\Internet
Calendars\Automatically download
attachments
2007\Tools | Account Settings\Internet
Calendars\Do not include Internet
Calendar integration in Outlook
2007\Meeting Workspace\Disable user
entries to server list (Publish default,
allow others | Publish default, disallow
others)
2007\Miscellaneous\Do not expand
distribution lists
2007\PowerPoint Options\Save\Save
files in this format (PowerPoint
Presentation (*.pptx) | PowerPoint
Macro-Enabled Presentation (*.pptm) |
PowerPoint 97-2003 Presentation
(*.ppt))
2007\PowerPoint
Options\Advanced\Number of
documents in the Recent Documents
list (0 - 50)
2007\PowerPoint
Options\Security\Determine whether to
force encrypted macros to be scanned
in Microsoft PowerPoint Open XML
presentations
2007\PowerPoint Options\Security\Run
Programs (disable (don't run any
programs) | enable (prompt user before
running) | enable all (run without
prompting))
2007\PowerPoint
Options\Security\Make hidden markup
visible
2007\PowerPoint
Options\Security\Unblock automatic
download of linked images
trusted locations
- Office Button | PowerPoint Options |
Preview
- Review | Proofing | Language
- Office Button | PowerPoint Options |
Customize | All Commands | Document
Location
- Disable shortcut keys
- Ctrl+K (Insert | Links | Hyperlink)
- Alt+F8 (Developer | Code | Macros)
- Alt+F11 (Developer | Code | Visual
Basic)
formats new to PowerPoint 2007
opening of Open Xml files types
opening of Html file types
opening of Outlines
opening of Converters
saving of Open Xml file types
saving of Html file types
saving of Outlines
saving of GraphicFilters
2007\Block file
formats\Miscellaneous\Disable Slide
Update
2007\Word Options\Display\Hidden text
2007\Word Options\Save\Save files in
this format (Word document (*.docx) |
Single Files Web Page (*.mht) | Web
Page (*.htm; *.html) | Web Page,
Filtered (*.htm, *.html) | Rich Text
Format (*.rtf) | Plain Text (*.txt) | Word
6.0/95 (*.doc) | Word 6.0/95 - Chinese
(Simplified) (*.doc) | Word 6.0/95 -
Chinese (Traditional) (*.doc) | Word
6.0/95 - Japanese (*.doc) | Word 6.0/95
- Korean (*.doc) | Word 97-2002 &
6.0/95 - RTF | Word 5.1 for Macintosh
(*.mcw) | Word 5.0 for Macintosh
(*.mcw) | Word 2.x for Windows (*.doc) |
Works 4.0 for Windows (*.wps) |
WordPerfect 5.x for Windows (*.doc) |
WordPerfect 5.1 for DOS (*.doc) | Word
2007 Macro Enabled Document
(*.docm) | Word 2007 Macro Free
Template (*.dotx) | Word 2007 Macro
Enabled Template (*.dotm) | Word 97 -
2003 Document (*.doc) | Word 97 -
2003 Template (*.dot) | Flat XML
Document (*.xml))
2007\Word Options\Advanced\Number
list (0-50)
2007\Word Options\Advanced\Update
automatic links at Open
2007\Word Options\Advanced\E-mail
Options\Save smart tags in e-mail
Center\Determine whether to force
encrypted macros to be scanned in
Microsoft Word Open XML documents
trusted locations
- Office Button | Word Options |
Customize | All Commands | Save As
Web Page
- Office Button | Word Options |
Preview
- Review | Protect | Protect Document
- Developer | Code | Record Macro
- Developer | Templates | Document
Template
keys
keys - Ctrl+F (Home | Editing | Find)
keys - Ctrl+K (Insert | Links | Hyperlink)
Macros)
Visual Basic)
formats new to Word 2007
opening of Open XML file types
opening of HTML file types
opening of Word 2003 XML file types
opening of RTF file types
open Converters
opening of Text file types
opening of Internal file types
opening of files before version
saving of Open XML file types
saving of HTML file types
saving of Word 2003 XML file types
saving of RTF file types
saving of Converters
saving of Text file types
Computer Configuration\Administrative
2007 (Machine)\Security\InfoPath
APTCA Assembly Whitelist
2007 (Machine)\Security\Windows
Internet Explorer Feature Control Opt-In
(None | InfoPath.exe, Document
Information Panel and Workflow forms |
InfoPath.exe, Document Information
Panel, Workflow forms and 3rd Party
Hosting)
2007 (Machine)\Security\InfoPath
APTCA Assembly Whitelist Enforcement
(Machine)\Security Settings\Disable
Package Repair
(Machine)\Security Settings\IE
Security\Disable user name and
password
password - excel.exe
password - powerpnt.exe
password - pptview.exe
password - winword.exe
password - outlook.exe
password - spDesign.exe
password - msaccess.exe
Security\Bind to object
Security\Bind to object - excel.exe
Security\Bind to object - powerpnt.exe
Security\Bind to object - pptview.exe
Security\Bind to object - winword.exe
Security\Bind to object - outlook.exe
Security\Bind to object - spDesign.exe
Security\Bind to object - msaccess.exe
Security\Saved from URL
Security\Saved from URL - excel.exe
Security\Saved from URL -
powerpnt.exe
Security\Saved from URL - pptview.exe
Security\Saved from URL - winword.exe
Security\Saved from URL - outlook.exe
spDesign.exe
msaccess.exe
Security\Navigate URL
Security\Navigate URL - excel.exe
Security\Navigate URL - powerpnt.exe
Security\Navigate URL - pptview.exe
Security\Navigate URL - winword.exe
Security\Navigate URL - outlook.exe
Security\Navigate URL - spDesign.exe
Security\Navigate URL - msaccess.exe
Security\Block popups
Security\Block popups - excel.exe
Security\Block popups - powerpnt.exe
Security\Block popups - pptview.exe
Security\Block popups - winword.exe
Security\Block popups - outlook.exe
Security\Block popups - spDesign.exe
Security\Block popups - msaccess.exe
NIST SCAP
NIST SCAP
Microsoft Internet
Microsoft Internet
Explorer Version
Explorer Version 7.0
7.0 OVAL(SCAP-
XCCDF (SCAP-IE7-
IE7-OVAL-Beta-
XCCDF-Beta-v3.xml
v3.xml)
oval:org.mitre.oval:def:1 UseOnlyMachineSettings-
277, LocalComputer,
oval:org.mitre.oval:def:2 UseOnlyMachineSettings-
050 LocalComputer-Disabled
IEProcesses-
oval:org.mitre.oval:def:6 RestrictActiveXInstall-
58 LocalComputer
oval:org.mitre.oval:def:1 DoNotAllowUsersAddDele
400 teSites-LocalComputer
DisablePeriodicCheckForI
oval:org.mitre.oval:def:1 ESoftwareUpdates-
357 LocalComputer
oval:org.mitre.oval:def:6
20
IEProcesses-
oval:org.mitre.oval:d ConsistentMimeHandlin
ef:884 g-LocalComputer
AllowSoftwareRunInsta
llSignatureInvalid-
oval:org.mitre.oval:d LocalComputer,
ef:680, AllowSoftwareToRunun
oval:org.mitre.oval:d OrInstallEvenIfSignatur
ef:1392 eInvalid-LocalUser
IEProcesses-
oval:org.mitre.oval:d MKProtocolSecurityRes
ef:617 triction-LocalComputer
DisableSoftwareUpdate
oval:org.mitre.oval:d ShellNotifications-
ef:1188 LocalComputer
IEProcesses-
oval:org.mitre.oval:d RestrictFileDownload-
DisableAutomaticInstall
oval:org.mitre.oval:d OfIEComponents-
MakeProxySettingsPer
oval:org.mitre.oval:d Machine-
oval:org.mitre.oval:d DoNotAllowUsersEnabl
ef:1380, eDisableAddOns-
ef:1358, DoNotAllowUsersEnabl
oval:org.mitre.oval:d eDisableAddOns-
ef:1694 LocalUser
oval:org.mitre.oval:d TurnOffCrashDetection
ef:487 -LocalComputer
IEProcesses-
ScriptedWindowSecurit
oval:org.mitre.oval:d yRestrictions-
DoNotAllowUsersChang
oval:org.mitre.oval:d ePolicies-
IEProcesses-
oval:org.mitre.oval:d MimeSniffingSafetyFeat
ef:317 ure-LocalComputer
CheckSignatureDownlo
oval:org.mitre.oval:d adedPrograms-
DoNotAllowResettingIE
oval:org.mitre.oval:d Settings-
AllowCutCopyPasteOpe
rationsFromClipboardVi
aScript-InternetZone-
LocalComputer,
oval:org.mitre.oval:d AllowCutCopyPasteOpe
ef:506, rationsFromClipboardVi
oval:org.mitre.oval:d aScript-InternetZone-
ef:533 LocalUser
TurnOffFirst-RunOpt-
oval:org.mitre.oval:d In-InternetZone-
WebBrowserApplication
oval:org.mitre.oval:d s-InternetZone-
rationsFromClipboardVi
aScript-
RestrictedSitesZone-
LocalComputer,
oval:org.mitre.oval:d rationsFromClipboardVi
ef:249, aScript-
oval:org.mitre.oval:d RestrictedSitesZone-
ef:1393 LocalUser
TurnOffFirst-RunOpt-
In-
WebBrowserApplication
oval:org.mitre.oval:d s-RestrictedSitesZone-
oval:org.mitre.oval:d IncludeAllNetworkPaths
ef:559, -LocalComputer,
oval:org.mitre.oval:d IncludeAllNetworkPaths
ef:1370 -LocalUser
oval:org.mitre.oval:d DisableTheAdvancedPa
ef:934, ge-LocalComputer,
oval:org.mitre.oval:d DisableTheAdvancedPa
ef:660 ge-LocalUser
oval:org.mitre.oval:d DisableThePrivacyPage
ef:1111 -LocalComputer
oval:org.mitre.oval:d DisableTheSecurityPag
ef:672, e-LocalComputer,
oval:org.mitre.oval:d DisableTheSecurityPag
ef:601 e-LocalUser
PreventIgnoingCertifica
oval:org.mitre.oval:d teErrors-
ef:655, LocalComputer,
oval:org.mitre.oval:d PreventIgnoingCertifica
ef:1129 teErrors-LocalUser
oval:org.mitre.oval:d TurnOffChangingURLDi
ef:715 splay-LocalComputer
TurnOffConfiguringUpd
oval:org.mitre.oval:d ateCheckInterval-
oval:org.mitre.oval:d AddOnList-
oval:org.mitre.oval:d DenyAllAddOns-
oval:org.mitre.oval:d DisableConfiguringHist
ef:757, ory-LocalComputer,
oval:org.mitre.oval:d DisableConfiguringHist
ef:1365 ory-LocalUser
DisableChangingAutom
aticConfigurationSettin
oval:org.mitre.oval:d gs-LocalComputer,
ef:1285, DisableChangingAutom
oval:org.mitre.oval:d aticConfigurationSettin
ef:613 gs-LocalUser
DisableChangingConne
oval:org.mitre.oval:d ctionSettings-
oval:org.mitre.oval:d DisableChangingConne
ef:1128 ctionSettings-LocalUser
oval:org.mitre.oval:d DisableChangingProxyS
ef:398, ettings-LocalComputer,
oval:org.mitre.oval:d DisableChangingProxyS
ef:635 ettings-LocalUser
oval:org.mitre.oval:d DisableShowingSplash
ef:1164 Screen-LocalComputer
PreventFixSettingsFunc
oval:org.mitre.oval:d tionality-
oval:org.mitre.oval:d PreventFixSettingsFunc
ef:640 tionality-LocalUser
PreventParticipationInC
ustomerExperienceImp
rovementPrograms-
LocalComputer,
oval:org.mitre.oval:d PreventParticipationInC
ef:1171, ustomerExperienceImp
oval:org.mitre.oval:d rovementPrograms-
ef:1391 LocalUser
PreventPerformanceOf
oval:org.mitre.oval:d FirstRunCustomizeSetti
ef:1322 ngs-LocalComputer
PerventDeletationOfTe
mpInternetFiles-
ef:1382, PerventDeletationOfTe
oval:org.mitre.oval:d mpInternetFiles-
ef:703 LocalUser
TurnOffDeleteBrowsing
HistoryFunctionality-
ef:458, TurnOffDeleteBrowsing
oval:org.mitre.oval:d HistoryFunctionality-
ef:1474 LocalUser
oval:org.mitre.oval:d TurnOffManagingPhishi
ef:501 ngFilter-LocalComputer
TurnOffSecuritySetting
sCheckFeature-
ef:916, TurnOffSecuritySetting
oval:org.mitre.oval:d sCheckFeature-
ef:1034 LocalUser
oval:org.mitre.oval:d AllowActiveContentFro
ef:400 mCD-LocalComputer
AllowThird-
oval:org.mitre.oval:d PartyBrowserExtension
ef:110 s-LocalComputer
oval:org.mitre.oval:d AutomaticallyCheckIEU
ef:656, pdates-LocalComputer,
oval:org.mitre.oval:d AutomaticallyCheckForI
ef:1360 EUpdates-LocalUser
CheckServerCertificate
Revocation-
ef:172, CheckForServerCertific
oval:org.mitre.oval:d ateRevocation-
ef:1502 LocalUser
AccessDataSourcesAcr
ossDomains-
InternetZone-
LocalComputer,
oval:org.mitre.oval:d AccessDataSourcesAcr
ef:674, ossDomains-
oval:org.mitre.oval:d InternetZone-
ef:650 LocalUser
AllowDragDropOrCopyP
asteFiles-InternetZone-
ef:1083, AllowDragDropOrCopyP
oval:org.mitre.oval:d asteFiles-InternetZone-
ef:547 LocalUser
AllowFontDownloads-
InternetZone-
ef:524, AllowFontDownloads-
ef:659 LocalUser
AllowInstallationOfDesk
topItems-
InternetZone-
LocalComputer,
oval:org.mitre.oval:d AllowInstallationOfDesk
ef:223, topItems-
ef:541 LocalUser
AllowScriptInitiatedWin
dowsWithoutSizeOrPosi
tionConstraints-
InternetZone-
LocalComputer,
oval:org.mitre.oval:d dowsWithoutSizeOrPosi
ef:589, tionConstraints-
ef:1476 LocalUser
AllowScriptlets-
AllowStatusBarUpdates
ViaScript-
InternetZone-
LocalComputer,
oval:org.mitre.oval:d AllowStatusBarUpdates
ef:226, ViaScript-
ef:1208 LocalUser
AutomaticPromptingFil
eDownloads-
InternetZone-
LocalComputer,
oval:org.mitre.oval:d AutomaticPromptingFil
ef:1113, eDownloads-
ef:562 LocalUser
DownloadSignedActive
XControls-
InternetZone-
LocalComputer,
oval:org.mitre.oval:d DownloadSignedActive
ef:1199, XControls-
ef:546 LocalUser
DownloadUnsignedActi
veXControls-
InternetZone-
LocalComputer,
oval:org.mitre.oval:d DownloadUnsignedActi
ef:391, veXControls-
ef:1200 LocalUser
InitializeScriptActiveXC
ontrolsNotMarkedAsSaf
e-InternetZone-
LocalComputer,
JavaPermissions-
InternetZone-
LocalComputer,
oval:org.mitre.oval:d InitializeScriptActiveXC
ef:1040, ontrolsNotMarkedAsSaf
oval:org.mitre.oval:d e-InternetZone-
ef:739 LocalUser
oval:org.mitre.oval:d
ef:1174, JavaPermissions-
ef:725 LocalUser
LaunchingApplicationsA
ndFilesInIFRAME-
InternetZone-
LocalComputer,
oval:org.mitre.oval:d LaunchingApplicationsA
ef:611, ndFilesInIFRAME-
ef:1487 LocalUser
LogonOptions-
InternetZone-
ef:691, LogonOptions-
ef:1123 LocalUser
LooseXAMLFiles-
NavigateSub-
framesAcrossDifferent
Domains-
InternetZone-
LocalComputer,
NavigateSub-
oval:org.mitre.oval:d framesAcrossDifferent
ef:612, Domains-
ef:1394 LocalUser
OpenFilesBasedOnCont
ent-InternetZone-
ef:953, OpenFilesBasedOnCont
oval:org.mitre.oval:d ent-InternetZone-
ef:1300 LocalUser
SoftwareChannelPermi
ssions-InternetZone-
ef:302, SoftwareChannelPermi
oval:org.mitre.oval:d ssions-InternetZone-
ef:1398 LocalUser
UsePop-upBlocker-
InternetZone-
ef:1179, UsePop-upBlocker-
ef:558 LocalUser
UserdataPersistence-
WebSitesInLessPrivileg
edWebContentZonesCa
nNavigateIntoThisZone
-InternetZone-
LocalComputer,
oval:org.mitre.oval:d edWebContentZonesCa
ef:265, nNavigateIntoThisZone
oval:org.mitre.oval:d -InternetZone-
ef:1432 LocalUser
oval:org.mitre.oval:d XPSFiles-InternetZone-
DisplayMixedContent-
oval:org.mitre.oval:d LockedDownInternetZo
ef:245 ne-LocalComputer
oval:org.mitre.oval:d IntranetZone-
oval:org.mitre.oval:d LockedDownIntranetZo
oval:org.mitre.oval:d LocalMachineZone-
oval:org.mitre.oval:d LockedDownLocalMachi
ef:418 neZone-LocalComputer
AccessDataSourcesAcr
ossDomains-
LocalComputer,
oval:org.mitre.oval:d AccessDataSourcesAcr
ef:652, ossDomains-
ef:750 LocalUser
AllowActiveScripting-
ef:293, AllowActiveScripting-
ef:561 LocalUser
AllowBinaryAndScriptB
ehaviors-
LocalComputer,
oval:org.mitre.oval:d AllowBinaryAndScriptB
ef:365, ehaviors-
ef:1314 LocalUser
AllowDragDropOrCopyP
asteFiles-
LocalComputer,
oval:org.mitre.oval:d AllowDragDropOrCopyP
ef:498, asteFiles-
ef:1465 LocalUser
AllowFileDownloads-
ef:1184, AllowFileDownloads-
ef:1318 LocalUser
AllowFontDownloads-
ef:1109, AllowFontDownloads-
ef:1410 LocalUser
AllowInstallationOfDesk
topItems-
LocalComputer,
oval:org.mitre.oval:d AllowInstallationOfDesk
ef:251, topItems-
ef:1257 LocalUser
AllowMETAREFRESH-
ef:1218, AllowMETAREFRESH-
ef:1270 LocalUser
dowsWithoutSizeOrPosi
tionConstraints-
LocalComputer,
oval:org.mitre.oval:d dowsWithoutSizeOrPosi
ef:1234, tionConstraints-
ef:574 LocalUser
AllowScriptlets-
AllowStatusBarUpdates
ViaScript-
LocalComputer,
oval:org.mitre.oval:d AllowStatusBarUpdates
ef:378, ViaScript-
ef:1320 LocalUser
AutomaticPromptingFil
eDownloads-
LocalComputer,
oval:org.mitre.oval:d AutomaticPromptingFil
ef:252, eDownloads-
ef:1312 LocalUser
DownloadSignedActive
XControls-
LocalComputer,
oval:org.mitre.oval:d DownloadSignedActive
ef:1019, XControls-
ef:1389 LocalUser
DownloadUnsignedActi
veXControls-
LocalComputer,
oval:org.mitre.oval:d DownloadUnsignedActi
ef:949, veXControls-
ef:579 LocalUser
InitializeScriptActiveXC
ontrolsNotMarkedAsSaf
e-RestrictedSitesZone-
LocalComputer,
oval:org.mitre.oval:d InitializeScriptActiveXC
ef:273, ontrolsNotMarkedAsSaf
oval:org.mitre.oval:d e-RestrictedSitesZone-
ef:1342 LocalUser
JavaPermissions-
ef:824, JavaPermissions-
ef:732 LocalUser
LaunchingApplicationsA
ndFilesInIFRAME-
LocalComputer,
oval:org.mitre.oval:d LaunchingApplicationsA
ef:274, ndFilesInIFRAME-
ef:1223 LocalUser
LogonOptions-
ef:326, LogonOptions-
ef:1378 LocalUser
LooseXAMLFiles-
NavigateSub-
framesAcrossDifferent
Domains-
LocalComputer,
NavigateSub-
oval:org.mitre.oval:d framesAcrossDifferent
ef:1229, Domains-
ef:1292 LocalUser
OpenFilesBasedOnCont
ent-
LocalComputer,
oval:org.mitre.oval:d OpenFilesBasedOnCont
ef:706, ent-
ef:1421 LocalUser
RunNETFrameworkReli
antComponentsNotSign
edWithAuthenticode-
LocalComputer,
RunNETFrameworkReli
oval:org.mitre.oval:d antComponentsNotSign
ef:329, edWithAuthenticode-
ef:599 LocalUser
RunNETFrameworkReli
antComponentsSigned
WithAuthenticode-
LocalComputer,
RunNETFrameworkReli
oval:org.mitre.oval:d antComponentsSigned
ef:276, WithAuthenticode-
ef:1428 LocalUser
RunActiveXControlsAnd
Plugins-
LocalComputer,
oval:org.mitre.oval:d RunActiveXControlsAnd
ef:571, Plugins-
ef:1594 LocalUser
ScriptActiveXControlsM
arkedSafeForScripting-
LocalComputer,
oval:org.mitre.oval:d ScriptActiveXControlsM
ef:602, arkedSafeForScripting-
ef:1274 LocalUser
ScriptingOfJavaApplets
-RestrictedSitesZone-
ef:280, ScriptingOfJavaApplets
oval:org.mitre.oval:d -RestrictedSitesZone-
ef:641 LocalUser
SoftwareChannelPermi
ssions-
LocalComputer,
oval:org.mitre.oval:d SoftwareChannelPermi
ef:290, ssions-
ef:1214 LocalUser
UsePop-upBlocker-
ef:1100, UsePop-upBlocker-
ef:1286 LocalUser
UserdataPersistence-
edWebContentZonesCa
nNavigateIntoThisZone
-RestrictedSitesZone-
LocalComputer,
oval:org.mitre.oval:d edWebContentZonesCa
ef:1219, nNavigateIntoThisZone
oval:org.mitre.oval:d -RestrictedSitesZone-
ef:1243 LocalUser
XPSFiles-
LockedDownRestricted
oval:org.mitre.oval:d SitesZone-
oval:org.mitre.oval:d TrustedSitesZone-
oval:org.mitre.oval:d LockedDownTrustedSit
ef:1183 esZone-LocalComputer
oval:org.mitre.oval:d EnableNativeXMLHttpS
ef:338 upport-LocalComputer
DisableSaveThisProgra
oval:org.mitre.oval:d mToDiskOption-
ef:645 LocalUser
oval:org.mitre.oval:d AllowInstallOnDemandI
ef:523 E-LocalUser
oval:org.mitre.oval:d TurnOffPageTransitions
ef:1206 -LocalUser
oval:org.mitre.oval:d DisableAutoCompleteF
ef:1516 orForms-LocalUser
oval:org.mitre.oval:d AllowInstallOnDemandI
ef:505 E-LocalUser
oval:org.mitre.oval:d DisableChangingCertific
ef:1362 ateSettings-LocalUser
oval:org.mitre.oval:d DisableExternalBrandin
ef:1384 gOfIE-LocalUser
oval:org.mitre.oval:d ConfigureOutlookExpre
ef:1238 ss-LocalUser
oval:org.mitre.oval:d InternetConnectionWiz
ef:604 ardSettings-LocalUser
oval:org.mitre.oval:d DisableInternetConnect
ef:1355 ionWizard-LocalUser
oval:org.mitre.oval:d DisableResetWebSettin
ef:1437 gsFeature-LocalUser
DisableDownloadingOf
oval:org.mitre.oval:d SiteSubscriptionConten
ef:1080 t-LocalUser
DisableAddingSchedule
oval:org.mitre.oval:d sForOfflinePages-
ef:1293 LocalUser
oval:org.mitre.oval:d DisableAddingChannels
ef:1383 -LocalUser
DisableEditingAndCreat
oval:org.mitre.oval:d ingOfScheduleGroups-
ef:1397 LocalUser
oval:org.mitre.oval:d DisableAllScheduledOffl
ef:1501 inePages-LocalUser
DisableEditingSchedule
oval:org.mitre.oval:d sForOfflinePages-
ef:1565 LocalUser
DisableChannelUserInt
oval:org.mitre.oval:d erfaceCompletely-
ef:1782 LocalUser
oval:org.mitre.oval:d DisableRemovingChann
ef:1801 els-LocalUser
DisableRemovingSched
oval:org.mitre.oval:d ulesForOfflinePages-
ef:1954 LocalUser
oval:org.mitre.oval:d DisableOfflinePageHitL
ef:2026 ogging-LocalUser
JavaPermissions-
oval:org.mitre.oval:d LockedDownIntranetZo
JavaPermissions-
oval:org.mitre.oval:d LocalMachineZone-
JavaPermissions-
oval:org.mitre.oval:d LockedDownLocalMachi
ef:1986 neZone-LocalComputer
JavaPermissions-
LockedDownRestricted
oval:org.mitre.oval:d SitesZone-
JavaPermissions-
oval:org.mitre.oval:d TrustedSitesZone-
JavaPermissions-
oval:org.mitre.oval:d LockedDownTrustedSit
ef:1699 esZone-LocalComputer

File and Registry Auditing and Permissions Configuration

Загружено:

Сведения о документе

Оригинальное название

Авторское право

Доступные форматы

Поделиться этим документом

Поделиться или встроить документ

Параметры публикации

Этот документ был вам полезен?

Это неприемлемый материал?

Авторское право:

Доступные форматы

File and Registry Auditing and Permissions Configuration

Загружено:

Авторское право:

Доступные форматы

CCE

Outline CCE Id CCE Description

File & Registry

File & Registry

The required auditing for (1) set of accounts

(1) set of accounts

The required permissions (1) set of accounts

The required permissions

The required permissions

The required permissions

The required permissions

The required permissions

The required permissions

The required permissions

The required permissions (1) set of accounts

The required permissions (1) set of accounts

The required permissions

The required permissions

The required permissions (1) set of accounts

The required permissions (1) set of accounts

The required permissions (1) set of accounts

The required permissions

The required permissions

The required permissions

The required permissions

The required permissions (1) set of accounts

The required permissions (1) set of accounts

The required permissions (1) set of accounts

The required permissions (1) set of accounts

The required permissions

The required permissions

The required permissions

The required permissions

The required permissions

The required permissions

The required permissions (1) set of accounts

The required permissions (1) set of accounts

The required permissions

The required permissions (1) set of accounts

The required permissions (1) set of accounts

The required permissions (1) set of accounts

The required permissions

The required permissions

The required permissions (1) set of accounts

The required permissions (1) set of accounts

The required permissions (1) set of accounts

The required permissions

The required permissions (1) set of accounts

The required permissions

The required permissions (1) set of accounts

The required permissions (1) set of accounts

The required permissions (1) set of accounts

The required permissions (1) set of accounts

The required permissions (1) set of accounts

The required permissions (1) set of accounts

The required permissions (1) set of accounts

The required permissions (1) set of accounts

The required permissions

The required permissions (1) set of accounts

The required permissions (1) set of accounts

The required permissions (1) set of accounts

The required permissions (1) set of accounts

The required permissions (1) set of accounts