File
Permissions
Registry
Permissions
CCE-2628: Auditing of "account logon" events on success should be enabled or disabled as appropriate. [enabled/disabled]
CCE-2543: Auditing of "account logon" events on failure should be enabled or disabled as appropriate. [enabled/disabled]
CCE-596: DEPRECATED in favor of CCE-2000, CCE-1646.
CCE-2000: Auditing of "account management" events on success should be enabled or disabled as appropriate. [enabled/disabled]
CCE-1646: Auditing of "account management" events on failure should be enabled or disabled as appropriate. [enabled/disabled]
CCE-10: DEPRECATED in favor of CCE-2118, CCE-2390.
CCE-2118: Auditing of "directory service access" events on success should be enabled or disabled as appropriate. [enabled/disabled]
CCE-2390: Auditing of "directory service access" events on failure should be enabled or disabled as appropriate. [enabled/disabled]
CCE-429: DEPRECATED in favor of CCE-1686, CCE-1744.
CCE-1991: Auditing of "object access" events on failure should be enabled or disabled as appropriate. [enabled/disabled]
CCE-966: DEPRECATED in favor of CCE-2412, CCE-2347.
CCE-2412: Auditing of "policy change" events on success should be enabled or disabled as appropriate. [enabled/disabled]
CCE-2347: Auditing of "policy change" events on failure should be enabled or disabled as appropriate. [enabled/disabled]
CCE-874: DEPRECATED in favor of CCE-2431, CCE-2584.
CCE-2617: Auditing of "process tracking" events on failure should be enabled or disabled as appropriate. [enabled/disabled]
CCE-149: DEPRECATED in favor of CCE-2420, CCE-1680.
CCE-2420: Auditing of "system" events on success should be enabled or disabled as appropriate. [enabled/disabled]
CCE-1680: Auditing of "system" events on failure should be enabled or disabled as appropriate. [enabled/disabled]
Service
Permissions
CCE-669: The correct service permissions for the Alerter service should be assigned. [(1) set of accounts (2) list of permissions]
CCE-889: The correct service permissions for the Automatic Updates service should be assigned. [(1) set of accounts (2) list of permissions]
CCE-61: The correct service permissions for the Background Intelligent Transfer service should be assigned. [(1) set of accounts (2) list of permissions]
CCE-310: The "Additional restrictions for anonymous connections" policy should be set correctly. [(1) enabled/disabled]
Additional
Registry
Settings
CCE-512: Administrative Shares should be properly configured. [(1) allowed/removed]
CCE-243: Automatic Execution of the System Debugger should be properly configured. [(1) enabled/disabled]
CCE-282: Computer Browser ResetBrowser Frames should be properly configured. [(1) enabled/ignored]
CCE-139: System availability to Master Browser should be properly configured. [(1) available/hidden]
CCE-50: Background Refresh of Group Policy should be properly configured. [(1) enabled/disabled]
CCE-81: Show Shared Internet Connection Access UI should be properly configured. [(1) enabled/disabled]
CCE-896: Installation and Configuration of Network Bridge on the DNS Domain Network should be properly configured. [(1) enabled/disabled]
CCE-574: Disallow Installation of Printers Using Kernel-mode Drivers should be properly configured. [(1) enabled/disabled]
CCE-358: DEPRECATED in favor of CCE-156.
Security
Options
Screensaver
CCE-764: The "Current user screensaver" policy should be set correctly. [(1) enabled/disabled]
CCE-647: The "System cryptography: Force strong key protection for user keys stored on the computer" setting should be configured correctly.
CCE-48: The "System settings: optional subsystems" setting should be configured correctly.
CCE-577: MSS: (TCPMaxConnectResponseRetransmission) SYN-ACK retransmissions when a connection request is not acknowledged [(1) number of seconds]
CCE-872: MSS: (TCPMaxDataRetransmissions) How many times unacknowledged data is retransmitted [(1) number of seconds]
CCE-43: Application Layer Gateway Service
CCE-167: Application Management
CCE-303: Distributed Transaction Coordinator
CCE-825: Network Location Awareness (NLA)
CCE-472: NT LM Security Support Provider
CCE-750: Remote Access Connection Manager
CCE-679: Security Accounts Manager
CCE-102: Server
CCE-428: Telephony
CCE-956: Themes
CCE-366: Uninterruptable Power Supply
CCE-305: WebClient
CCE-234: Windows Image Acquisition (WIA)
CCE-815: Windows Management Instrumentation Driver Extensions
CCE-604: Wireless Zero Configuration
CCE-296: Workstation
CCE-511: MSS: (NtfsDisable8dot3NameCreation) Enable the computer to stop generating 8.3 style filenames. [(1) reg_dword]
CCE-423: Restrictions for Unauthenticated RPC clients (SP2 only) [(1) enabled/disabled]
CCE-696: Unicast response to multicast or broadcast requests should be enabled or disabled as appropriate for the Domain Profile. [(1) enabled/disabled]
CCE-632: Unicast response to multicast or broadcast requests should be enabled or disabled as appropriate for the Standard Profile. [(1) enabled/disabled]
CCE-196: Standard Profile: Define port exceptions (SP2 only) [(1) enabled/disabled]
CCE-418: MSS: TCPMaxPortsExhausted, How many dropped connect requests to initiate SYN attack protection.
CCE-2188: POSIX Subsystem File Components
CCE-2258: Distributed Link Tracking Server Service Disabled
CCE-1298: License Logging Service Disabled
CCE-2166: Network News Transport Protocol Service Disabled
CCE-485: Domain Profile - Outbound Connections
CCE-70: Unicast response to multicast or broadcast requests should be enabled or disabled as appropriate for the Private Profile. [enabled/disabled]
CCE-414: Unicast response to multicast or broadcast requests should be enabled or disabled as appropriate for the Public Profile. [enabled/disabled]
CCE-935: Enumerate administrator accounts on elevation
CCE-58: Hide mechanisms to remove zone information is set correctly.
CCE-372: Notify antivirus programs when opening attachments is set correctly.
CCE-886: Outlook Express attachment blocking is set correctly.
2003/2007 CCE-908: The "ActiveX Control Initialization:" setting should be configured correctly. [1 = Do not prompt | 4 = Prompt user to use control defaults | 6 = Prompt user to use persisted data]
2007 CCE-184: The "Enable Customer Experience Improvement Program" setting should be configured correctly. [enabled/disabled]
2007 CCE-967: The "Online content options" setting should be configured correctly. [0 = Never show online content or entry points | 1 = Search only offline content whenever available | 2 = Search online content whenever available]
2007 CCE-427: The "VBA Macro Warning Settings" setting should be configured correctly for Access 2007. [1 = No Security checks for macros | 2 = Trust Bar warning for all macros | 3 = Trust Bar warning for digitally signed macros only | 4 = No Warnings for all macros but disable all macros]
2007 CCE-649: The "VBA Macro Warning Settings" setting should be configured correctly for Excel 2007. [1 = No Security checks for macros | 2 = Trust Bar warning for all macros | 3 = Trust Bar warning for digitally signed macros only | 4 = No Warnings for all macros but disable all macros]
2003/2007 CCE-862: The "Trust access to Visual Basic Project" setting should be configured correctly for Excel 2007 and 2003. [enabled/disabled]
2007 CCE-567: The "VBA Macro Warning Settings" setting should be configured correctly for PowerPoint 2007. [1 = No Security checks for macros | 2 = Trust Bar warning for all macros | 3 = Trust Bar warning for digitally signed macros only | 4 = No Warnings for all macros but disable all macros]
2007 CCE-395: The "Retrieving CRLs (Certificate Revocation Lists)" setting should be configured correctly. [0 = Use system Default | 1 = When online always retrieve the CRL | 2 = Never retrieve the CRL]
2007 CCE-659: The "VBA Macro Warning Settings" setting should be configured correctly for Word 2007. [1 = No Security checks for macros | 2 = Trust Bar warning for all macros | 3 = Trust Bar warning for digitally signed macros only | 4 = No Warnings for all macros but disable all macros]
2003/2007 CCE-703: The "Trust access to Visual Basic Project" setting should be configured correctly for Word 2007 and 2003. [enabled/disabled]
2007 CCE-1520
The "Allow Trusted enabled/disabled
Locations not on the
computer" setting should
be configured correctly for
Access 2007.
2007 CCE-780
The "Modal Trust Decision enabled/disabled
Only" setting should be
configured correctly for
Access 2007.
2007 CCE-1214
The "Disable commands" enabled/disabled
setting should be
configured correctly for
Access 2007.
2007 CCE-1370
The "Disable commands - enabled/disabled
Office Button | E-Mail"
setting should be
configured correctly for
Access 2007.
2007 CCE-1268
The "Disable commands - enabled/disabled
Office Button | Access
Options | Customize | All
Commands | Insert
Hyperlink" setting should
be configured correctly for
Access 2007.
2007 CCE-1400
The "Disable commands - enabled/disabled
Database Tools |
Database Tools | Encrypt
with Password" setting
should be configured
correctly for Access 2007.
2007 CCE-1440
The "Disable commands - enabled/disabled
Database Tools |
Administer | Users and
Permission | User and
Group Permissions"
setting should be
configured correctly for
Access 2007.
2007 CCE-581
The "Disable commands - enabled/disabled
Database Tools |
Administer | Users and
Permissions | User and
Group Accounts" setting
should be configured
correctly for Access 2007.
2007 CCE-1480
The "Disable commands - enabled/disabled
Database Tools |
Administer | Users and
Permission | User-Level
Security Wizard..." setting
should be configured
correctly for Access 2007.
2007 CCE-1489
The "Disable commands - enabled/disabled
Database Tools |
Database Tools |
Encode/Decode
Database" setting should
be configured correctly for
Access 2007.
2007 CCE-1392
The "Disable commands - enabled/disabled
Database Tools | Macro |
Visual Basic" setting
should be configured
correctly for Access 2007.
2007 CCE-1414
The "Disable commands - enabled/disabled
Database Tools | Macro |
Run Macro" setting should
be configured correctly for
Access 2007.
2007 CCE-1418
The "Database Tools | enabled/disabled
Macro | Convert Macros to
Visual Basic" setting
should be configured
correctly for Access 2007.
2007 CCE-1405
The "Database Tools | enabled/disabled
Macro | Create Shortcut
Menu from Macro" setting
should be configured
correctly for Access 2007.
2007 CCE-1550
The "Disable shortcut enabled/disabled
keys" setting should be
configured correctly for
Access 2007.
2007 CCE-1075
The "Disable commands - enabled/disabled
Ctrl+K (Office Button |
Access Options |
Customize | All
Commands | Insert
Hyperlinks)" setting
should be configured
correctly for Access 2007.
2007 CCE-709
The "Disable commands - enabled/disabled
Alt+F11 (Database Tools |
Macro | Visual Basic)"
setting should be
configured correctly for
Access 2007.
2007 CCE-1502
The "Default file format enabled/disabled
(Access 2007 | Access
2002-2003)" setting
should be configured
correctly for Access 2007.
2007 CCE-1260
The "Do not prompt to enabled/disabled
convert older databases"
setting should be
configured correctly for
2007 CCE-1510 Access 2007.
The "Internet and network enabled/disabled
paths as hyperlinks"
setting should be
configured correctly for
Excel 2007.
2007 CCE-1532
The "Save Excel files as enabled/disabled
(Excel Workbook (*.xlsx) |
Excel Macro-Enabled
Workbook (*.xlsm) | Excel
Binary Workbook (*.xlsb) |
Web Page (*.htm; *.html) |
Excel 97-2003 Workbook
(*.xls) | Excel 5.0/95
Workbook (*.xls))" setting
should be configured
correctly for Excel 2007.
2007 CCE-1039
The "Disable enabled/disabled
AutoRepublish" setting
should be configured
2007 CCE-1295 correctly for Excel 2007.
The "AutoRepublish enabled/disabled
Warning Alert (Always
show the alert before
publishing | Never show
the alert before
publishing)
" setting should be
configured correctly for
Excel 2007.
2007 CCE-1334
The "Determine whether enabled/disabled
to force encrypted macros
to be scanned in Microsoft
Excel Open XML
workbooks" setting should
be configured correctly
2007 CCE-1308
The "Force file extension enabled/disabled
to match file type (Allow
different | Allow different,
but warn | Always match
file type)" setting should
be configured correctly for
Excel 2007.
2007 CCE-616
The "Store macro in enabled/disabled
Personal Macro Workbook
by default" setting should
be configured correctly
2007 CCE-1246
The "Disable all enabled/disabled
application add-ins"
setting should be
configured correctly for
2007 CCE-1251 Excel 2007.
The "Require that enabled/disabled
application add-ins are
signed by Trusted
Publisher" setting should
be configured correctly for
Excel 2007.
2007 CCE-1524
The "Disable Trust Bar enabled/disabled
Notification for unsigned
application add-ins"
setting should be
configured correctly for
Excel 2007.
2007 CCE-1422
The "Allow Trusted enabled/disabled
Locations not on the
computer" setting should
be configured correctly for
Excel 2007.
2007 CCE-1444
The "Disable all trusted enabled/disabled
locations" setting should
be configured correctly for
Excel 2007.
2007 CCE-1449
The "Ignore other enabled/disabled
applications " setting
should be configured
correctly for Excel 2007.
2007 CCE-1471
The "Ask to update enabled/disabled
automatic links" setting
should be configured
2007 CCE-1119 correctly for Excel 2007.
The "Number of enabled/disabled
documents in the Recent
Documents list (0-17)"
setting should be
configured correctly for
Excel 2007.
2007 CCE-1378
The "Save any additional enabled/disabled
data necessary to
maintain formulas" setting
should be configured
correctly for Excel 2007.
2007 CCE-1277
The "Load pictures from enabled/disabled
Web pages not created in
Excel" setting should be
configured correctly for
2007 CCE-1464 Excel 2007.
The "Do not show data enabled/disabled
extraction options when
opening corrupt
workbooks" setting should
be configured correctly for
Excel 2007.
2007 CCE-1094
The "Assume structured enabled/disabled
storage format of
workbook is intact when
recovering data" setting
should be configured
correctly for Excel 2007.
2007 CCE-1129
The "Corrupt formula enabled/disabled
conversion (Convert
unrecoverable references
to: values | #REF or
#NAME)" setting should
be configured correctly for
Excel 2007.
2007 CCE-1389
The "Connection File enabled/disabled
Locations" setting should
be configured correctly for
Excel 2007.
2007 CCE-1433
The "Automatic Query enabled/disabled
Refresh (Prompt for all
workbooks | Do not
prompt; do not allow auto
refresh | Do not prompt;
allow auto refresh)"
setting should be
configured correctly for
Excel 2007.
2007 CCE-1323
The "Disable commands" enabled/disabled
setting should be
configured correctly for
Excel 2007.
2007 CCE-1469
The "Disable commands - enabled/disabled
Office Button | Excel
Options | Customize | All
Commands | Save as
Web Page" setting should
be configured correctly for
Excel 2007.
2007 CCE-1473
The "Disable commands - enabled/disabled
Office Button | Excel
Options | Customize | All
Commands | Web Page
Preview" setting should be
configured correctly for
Excel 2007.
2007 CCE-1499
The "Disable commands - enabled/disabled
Office Button | Send |
Email" setting should be
configured correctly for
Excel 2007.
2007 CCE-1024
The "Disable commands - enabled/disabled
Insert | Links | Hyperlink"
setting should be
configured correctly for
Excel 2007.
2007 CCE-1530
The "Disable commands - enabled/disabled
Review | Changes |
Protect Sheet" setting
should be configured
correctly for Excel 2007.
2007 CCE-1120
The "Disable commands - enabled/disabled
Review | Changes |
Protect Workbook" setting
should be configured
correctly for Excel 2007.
2007 CCE-1252
The "Disable commands - enabled/disabled
Review | Changes |
Protect and Share
Workbook" setting should
be configured correctly for
Excel 2007.
2007 CCE-1151
The "Disable commands - enabled/disabled
View | Macros | Macros"
setting should be
configured correctly for
Excel 2007.
2007 CCE-1301
The "Disable commands - enabled/disabled
Developer | Code |
Macros" setting should be
configured correctly for
Excel 2007.
2007 CCE-1310
The "Disable commands - enabled/disabled
Developer | Code |
Record Macro" setting
should be configured
correctly for Excel 2007.
2007 CCE-1213
The "Disable commands - enabled/disabled
Developer | Code | Macro
Security" setting should
be configured correctly for
Excel 2007.
2007 CCE-1362
The "Disable commands - enabled/disabled
Developer | Code | Visual
Basic" setting should be
configured correctly for
Excel 2007.
2007 CCE-1156
The "Disable commands - enabled/disabled
Office Button | Excel
Options | Customize | All
Commands | Document
Location" setting should
be configured correctly for
Excel 2007.
2007 CCE-1429
The "Disable shortcut enabled/disabled
keys" setting should be
configured correctly for
Excel 2007.
2007 CCE-1182
The "Disable shortcut enabled/disabled
keys - Ctrl+K (Insert |
Links | Hyperlink)" setting
should be configured
correctly for Excel 2007.
2007 CCE-1525
The "Disable shortcut enabled/disabled
keys - Alt+F8 (Developer |
Code | Macros)" setting
should be configured
correctly for Excel 2007.
2007 CCE-1547
The "Disable shortcut enabled/disabled
keys - Alt+F11 (Developer
| Code | Visual Basic)"
setting should be
configured correctly for
Excel 2007.
2007 CCE-1300
The "Block opening of enabled/disabled
pre-release versions of file
formats new to Excel
2007" setting should be
configured correctly for
Excel 2007.
2007 CCE-1331
The "Block opening of enabled/disabled
Open XML file types"
setting should be
configured correctly for
2007 CCE-1468 Excel 2007.
The "Block opening of enabled/disabled
Binary 12 file types"
setting should be
configured correctly for
2007 CCE-1490 Excel 2007.
The "Block opening of enabled/disabled
Binary file types" setting
should be configured
correctly for Excel 2007.
2007 CCE-1512
The "Block opening of enabled/disabled
Html and Xmlss files
types" setting should be
configured correctly for
2007 CCE-1543 Excel 2007.
The "Block opening of Xml enabled/disabled
file types" setting should
be configured correctly for
Excel 2007.
2007 CCE-1195
The "Block opening of DIF enabled/disabled
and SYLK file types"
setting should be
configured correctly for
2007 CCE-554 Excel 2007.
The "Block opening of enabled/disabled
Text file types" setting
should be configured
correctly for Excel 2007.
2007 CCE-1415
The "Block opening of Xll enabled/disabled
file type" setting should be
configured correctly for
Excel 2007.
2007 CCE-1437
The "Block saving of enabled/disabled
Open Xml file types"
setting should be
configured correctly for
2007 CCE-1446 Excel 2007.
The "Block saving of enabled/disabled
Binary12 file types" setting
should be configured
correctly for Excel 2007.
2007 CCE-1098
The "Block saving of enabled/disabled
Binary file types" setting
should be configured
correctly for Excel 2007.
2007 CCE-562
The "Block saving of Html enabled/disabled
and Xmlss file types"
setting should be
configured correctly for
2007 CCE-1507 Excel 2007.
The "Block saving Xml file enabled/disabled
types" setting should be
configured correctly for
Excel 2007.
2007 CCE-1406
The "Block saving DIF enabled/disabled
and SYLK file types"
setting should be
configured correctly for
2007 CCE-573 Excel 2007.
The "Block saving of Text enabled/disabled
file types" setting should
be configured correctly for
Excel 2007.
2007 CCE-1336
The "Locally cache enabled/disabled
network file storages"
setting should be
configured correctly for
2007 CCE-1230 Excel 2007.
The "Locally cache enabled/disabled
PivotTable reports" setting
should be configured
correctly for Excel 2007.
2007 CCE-1375
The "OLAP PivotTable enabled/disabled
User Defined Function
(UDF) security setting
(Allow ALL UDFs | Allow
safe UDFs only | Allow NO
UDFs)" setting should be
configured correctly for
Excel 2007.
2007 CCE-1380
The "Recognize enabled/disabled
SmartTags" setting should
be configured correctly for
2007 CCE-1376 Excel 2007.
The "Number of enabled/disabled
documents in the Recent
Documents list (0 - 9)"
setting should be
configured correctly for
InfoPath 2007.
2007 CCE-1398
The "Offline Mode status enabled/disabled
(Disabled | Enabled,
InfoPath in Offline Mode |
Enabled, InfoPath not in
Offline Mode)" setting
should be configured
correctly for InfoPath
2007.
2007 CCE-569
The "Disable commands" enabled/disabled
setting should be
configured correctly for
InfoPath 2007.
2007 CCE-1065
The "Disable commands - enabled/disabled
File | Print" setting should
be configured correctly for
InfoPath 2007.
2007 CCE-1361
The "Disable commands - enabled/disabled
File | Send to Mail
Recipient" setting should
be configured correctly for
InfoPath 2007.
2007 CCE-1096
The "Disable commands - enabled/disabled
File | Open from
SharePoint Site" setting
should be configured
correctly for InfoPath
2007.
2007 CCE-1391
The "Disable commands - enabled/disabled
File | Print Preview"
setting should be
configured correctly for
InfoPath 2007.
2007 CCE-1519
The "Disable commands - enabled/disabled
File | Page Setup" setting
should be configured
correctly for InfoPath
2007.
2007 CCE-1523
The "Disable commands - enabled/disabled
Insert | Hyperlinks..."
setting should be
configured correctly for
InfoPath 2007.
2007 CCE-1171
The "Disable commands - enabled/disabled
Tools | Set Language"
setting should be
configured correctly for
InfoPath 2007.
2007 CCE-1457
The "Disable commands - enabled/disabled
Tools | Customize..."
setting should be
configured correctly for
InfoPath 2007.
2007 CCE-1426
The "Disable commands - enabled/disabled
Tools | Options..." setting
should be configured
correctly for InfoPath
2007.
2007 CCE-805
The "Disable commands - enabled/disabled
Help | Microsoft Office
Online" setting should be
configured correctly for
InfoPath 2007.
2007 CCE-1453
The "Disable commands - enabled/disabled
Office Diagnostics" setting
should be configured
correctly for InfoPath
2007.
2007 CCE-1351
The "Disable commands - enabled/disabled
Help | Activate Product..."
setting should be
configured correctly for
InfoPath 2007.
2007 CCE-620
The "Disable commands - enabled/disabled
Print Default" setting
should be configured
correctly for InfoPath
2007 CCE-1017 2007.
The "Disable shortcut enabled/disabled
keys" setting should be
configured correctly for
InfoPath 2007.
2007 CCE-1021
The "Disable shortcut enabled/disabled
keys - Print Shortcut
(Ctrl+P)" setting should be
configured correctly for
InfoPath 2007.
2007 CCE-1299
The "Disable shortcut enabled/disabled
keys - Insert Hyperlink
Shortcut (Ctrl+K)" setting
should be configured
correctly for InfoPath
2007.
2007 CCE-1197
The "Control behavior for enabled/disabled
Windows SharePoint
Services gradual upgrade
(Allow redirections to any
location | Allow
redirections to Intranet
only | Block all
redirections)" setting
should be configured
correctly for InfoPath
2007.
2007 CCE-704
The "Disable opening of enabled/disabled
solutions from the Internet
security zone" setting
should be configured
correctly for InfoPath
2007.
2007 CCE-1105
The "Disable fully trusted enabled/disabled
solutions full access to
computer" setting should
be configured correctly for
2007 CCE-1114 InfoPath 2007.
The "Allow the use of enabled/disabled
ActiveX Custom Controls
in InfoPath forms" setting
should be configured
correctly for InfoPath
2007.
2007 CCE-761
The "Run forms in enabled/disabled
restricted mode if they do
not specify a publish
location and use only
features introduced before
InfoPath 2003 SP1"
setting should be
configured correctly for
InfoPath 2007.
2007 CCE-739
The "Allow file types as enabled/disabled
attachments to forms"
setting should be
configured correctly for
2007 CCE-1259 InfoPath 2007.
The "Block specific file enabled/disabled
types as attachments to
forms" setting should be
configured correctly for
2007 CCE-1267 InfoPath 2007.
The "Prevent users from enabled/disabled
allowing unsafe file types
to be attached to forms"
setting should be
configured correctly for
InfoPath 2007.
2007 CCE-1060
The "Display a warning enabled/disabled
that a form is digitally
signed" setting should be
configured correctly for
2007 CCE-955 InfoPath 2007.
The "Control behavior enabled/disabled
when opening forms in the
Internet security zone
(Block | Prompt | Allow)"
setting should be
configured correctly for
InfoPath 2007.
2007 CCE-1479
The "Control behavior enabled/disabled
when opening forms in the
Intranet security zone
(Block | Prompt | Allow)"
setting should be
configured correctly for
InfoPath 2007.
2007 CCE-1360
The "Control behavior enabled/disabled
when opening forms in the
Local Machine security
zone (Block | Prompt |
Allow)" setting should be
configured correctly for
InfoPath 2007.
2007 CCE-1386
The "Control behavior enabled/disabled
when opening forms in the
Trusted Site security zone
(Block | Prompt | Allow)"
setting should be
configured correctly for
InfoPath 2007.
2007 CCE-893
The "Beaconing UI for enabled/disabled
forms opened in InfoPath
(Never show beaconing
UI | Always show
beaconing UI | Show UI if
Form Template is from
Internet Zone)" setting
should be configured
correctly for InfoPath
2007.
2007 CCE-1290
The "Beaconing UI for enabled/disabled
forms opened in InfoPath
Editor ActiveX (Never
show beaconing UI |
Always show beaconing
UI | Show UI if Form
Template is from Internet
Zone)" setting should be
configured correctly for
InfoPath 2007.
2007 CCE-1381
The "Disable all enabled/disabled
application add-ins"
setting should be
configured correctly for
2007 CCE-1135 InfoPath 2007.
The "Require that enabled/disabled
application add-ins are
signed by Trusted
Publisher" setting should
be configured correctly for
InfoPath 2007.
2007 CCE-1157
The "Disable Trust Bar enabled/disabled
Notification for unsigned
application add-ins"
setting should be
configured correctly for
InfoPath 2007.
2007 CCE-1434
The "Control behavior enabled/disabled
when opening InfoPath e-
mail forms containing
code or script (Run
without prompting |
Prompt before running |
Never run)" setting should
be configured correctly for
InfoPath 2007.
2007 CCE-1315
The "Disable sending form enabled/disabled
template with e-mail
forms" setting should be
configured correctly for
InfoPath 2007.
2007 CCE-1210
The "Disable dynamic enabled/disabled
caching of the form
template in InfoPath e-
mail forms" setting should
be configured correctly for
InfoPath 2007.
2007 CCE-1236
The "Disable sending enabled/disabled
InfoPath 2003 Forms as
e-mail forms" setting
should be configured
correctly for InfoPath
2007.
2007 CCE-884
The "Disable e-mail forms enabled/disabled
running in restricted
security level" setting
should be configured
correctly for InfoPath
2007.
2007 CCE-1518
The "Disable e-mail forms enabled/disabled
from the Internet security
zone" setting should be
configured correctly for
InfoPath 2007.
2007 CCE-1170
The "Disable e-mail forms enabled/disabled
from the Intranet security
zone" setting should be
configured correctly for
InfoPath 2007.
2007 CCE-1316
The "Disable e-mail forms enabled/disabled
from the Full Trust security
zone" setting should be
configured correctly for
InfoPath 2007.
2007 CCE-1567
The "Disable InfoPath e- enabled/disabled
mail forms in Outlook"
setting should be
configured correctly for
2007 CCE-1265 InfoPath 2007.
The "Information Rights enabled/disabled
Management" setting
should be configured
correctly for InfoPath
2007 CCE-1538 2007.
The "Custom code" enabled/disabled
setting should be
configured correctly for
2007 CCE-1564 InfoPath 2007.
The "Email Forms enabled/disabled
Beaconing UI (Never
show UI | Always show UI
| Show UI if XSN is in
Internet Zone)" setting
should be configured
correctly for InfoPath
2007.
2007 CCE-1212
The "Disable user enabled/disabled
customization of Quick
Access Toolbar via UI"
setting should be
configured correctly
2007 CCE-1344
The "Disable user enabled/disabled
customization of Quick
Access Toolbar via UI -
Disallow in Word" setting
should be configured
correctly
2007 CCE-723
The "Disable user enabled/disabled
customization of Quick
Access Toolbar via UI -
Disallow in Excel" setting
should be configured
correctly
2007 CCE-1384
The "Disable user enabled/disabled
customization of Quick
Access Toolbar via UI -
Disallow in PowerPoint"
setting should be
configured correctly
2007 CCE-1159
The "Disable user enabled/disabled
customization of Quick
Access Toolbar via UI -
Disallow in Access"
setting should be
configured correctly
2007 CCE-1146
The "Disable user enabled/disabled
customization of Quick
Access Toolbar via UI -
Disallow in Outlook"
setting should be
configured correctly
2007 CCE-1542
The "Disable all user enabled/disabled
customization of Quick
Access Toolbar" setting
should be configured
correctly
2007 CCE-582
The "Disable all user enabled/disabled
customization of Quick
Access Toolbar - Disallow
in Word" setting should be
configured correctly
2007 CCE-1291
The "Disable all user enabled/disabled
customization of Quick
Access Toolbar - Disallow
in Excel" setting should be
configured correctly
2007 CCE-1326
The "Disable all user enabled/disabled
customization of Quick
Access Toolbar - Disallow
in PowerPoint" setting
should be configured
correctly
2007 CCE-1330
The "Disable all user enabled/disabled
customization of Quick
Access Toolbar - Disallow
in Access" setting should
be configured correctly
2007 CCE-1335
The "Disable all user enabled/disabled
customization of Quick
Access Toolbar - Disallow
in Outlook" setting should
be configured correctly
2007 CCE-1229
The "Disable UI extending enabled/disabled
from documents and
templates" setting should
be configured correctly
2007 CCE-630
The "Disable UI extending enabled/disabled
from documents and
templates - Disallow in
Word" setting should be
configured correctly
2007 CCE-1154
The "Disable UI extending enabled/disabled
from documents and
templates - Disallow in
Excel" setting should be
configured correctly
2007 CCE-1410
The "Disable UI extending enabled/disabled
from documents and
templates - Disallow in
PowerPoint" setting
should be configured
correctly
2007 CCE-1432
The "Disable UI extending enabled/disabled
from documents and
templates - Disallow in
Access" setting should be
configured correctly
2007 CCE-1198
The "Disable UI extending enabled/disabled
from documents and
templates - Disallow in
Outlook" setting should be
configured correctly
2007 CCE-929
The "Recognize smart enabled/disabled
tags in Excel" setting
should be configured
correctly
2007 CCE-1074
The "Disable Clip Art and enabled/disabled
Media downloads from the
client and from Office
Online website" setting
should be configured
correctly
2007 CCE-1458
The "Disable template enabled/disabled
downloads from the client
and from Office Online
website" setting should be
configured correctly
2007 CCE-1233
The "Disable access to enabled/disabled
updates, add-ins, and
patches on the Office
Online website" setting
should be configured
correctly
2007 CCE-1379
The "Prevents users from enabled/disabled
uploading document
templates to the Office
Online community."
setting should be
configured correctly
2007 CCE-1401
The "Disable training enabled/disabled
practice downloads from
the Office Online website"
setting should be
configured correctly
2007 CCE-1528
The "Disable customer- enabled/disabled
submitted templates
downloads from Office
Online" setting should be
configured correctly
2007 CCE-1533
The "Open Office enabled/disabled
documents as read/write
while browsing" setting
should be configured
correctly
2007 CCE-646
The "Rely on VML for enabled/disabled
displaying graphics in
browsers" setting should
be configured correctly
2007 CCE-1438
The "Allow PNG as an enabled/disabled
output format" setting
should be configured
correctly
2007 CCE-711
The "Improve Proofing enabled/disabled
Tools" setting should be
configured correctly
2007 CCE-1292
The "Disable Opt-in
Wizard on first run" setting
should be configured
correctly.
2007 CCE-1615 enabled/disabled
The "Microsoft Office enabled/disabled
Online" setting should be
2007 CCE-1191 configured correctly
The "Disable Password enabled/disabled
Caching" setting should
be configured correctly
2007 CCE-1587
The "Disable all Trust Bar enabled/disabled
notifications for security
issues" setting should be
configured correctly
2007 CCE-1486
The "Protect document enabled/disabled
metadata for rights
managed Office Open
XML Files" setting should
be configured correctly
2007 CCE-1508
The "Protect document enabled/disabled
metadata for password
protected files." setting
should be configured
correctly
2007 CCE-1640
The "Encryption type for enabled/disabled
password protected Office
Open XML files" setting
should be configured
correctly
2007 CCE-1539
The "Encryption type for enabled/disabled
password protected Office
97-2003 files" setting
should be configured
correctly
2007 CCE-1561
The "Load Controls in enabled/disabled
Forms3 (1 | 2 | 3 | 4)"
setting should be
configured correctly
2007 CCE-1068
The "Automation Security enabled/disabled
(Disable macros by
default | Use application
macro security level |
Macros enabled)" setting
should be configured
correctly
2003/2007 CCE-1574
The "Prevent Word and enabled/disabled
Excel from loading
managed code
extensions" setting should
be configured correctly
2007 CCE-1239
The "Disable hyperlink enabled/disabled
warnings" setting should
be configured correctly
2007 CCE-1623
The "Disable password to enabled/disabled
open UI" setting should be
configured correctly
2007 CCE-1083
The "Download Office enabled/disabled
Controls" setting should
be configured correctly
2007 CCE-1343
The "Disable All ActiveX" enabled/disabled
setting should be
configured correctly
2007 CCE-1242
The "Allow mix of policy enabled/disabled
and user locations" setting
should be configured
correctly
2007 CCE-770
The "Disable Smart enabled/disabled
Document's use of
manifests" setting should
be configured correctly
2007 CCE-903
The "Completely disable enabled/disabled
the Smart Documents
feature in Word and
Excel" setting should be
configured correctly
2007 CCE-1555
The "Disable Internet Fax enabled/disabled
feature" setting should be
configured correctly
2007 CCE-1061
The "Prevent users from enabled/disabled
changing permissions on
rights managed content"
setting should be
configured correctly
2007 CCE-1603
The "Allow users with enabled/disabled
earlier versions of Office
to read with browsers..."
setting should be
configured correctly
2007 CCE-1612
The "Always require users enabled/disabled
to connect to verify
permission" setting should
be configured correctly
2007 CCE-1493
The "Always expand enabled/disabled
groups in Office when
restricting permission for
documents" setting should
be configured correctly
2007 CCE-1409
The "Never allow users to enabled/disabled
specify groups when
restricting permission for
documents" setting should
be configured correctly
2007 CCE-1589
The "Disable Microsoft enabled/disabled
Passport service for
content with restricted
permission" setting should
be configured correctly
2007 CCE-1237
The "Do not allow users to enabled/disabled
upgrade Information
Rights Management
configuration" setting
should be configured
correctly
2007 CCE-1404
The "Key Usage Filtering" enabled/disabled
setting should be
configured correctly
2007 CCE-1396
The "EKU filtering" setting enabled/disabled
should be configured
correctly
2007 CCE-1167
The "Legacy format enabled/disabled
signatures" setting should
be configured correctly
2007 CCE-1585
The "Suppress Office enabled/disabled
Signing Providers (Enable
Western and East Asian |
Suppress default Western
| Suppress default East
Asian | Suppress both
Western and East Asian)"
setting should be
configured correctly
2007 CCE-1572
The "Suppress external enabled/disabled
signature services menu
item" setting should be
configured correctly
2007 CCE-1220
The "Disable Check For enabled/disabled
Solutions" setting should
be configured correctly
2007 CCE-1634
The "Disable inclusion of enabled/disabled
document properties in
PDF and XPS output"
setting should be
configured correctly
2007 CCE-1643
The "Disable Document enabled/disabled
Information Panel" setting
should be configured
correctly
2007 CCE-1546
The "Document enabled/disabled
Information Panel
Beaconing UI (Never
show UI | Always show UI
| Show UI if XSN is in
Internet Zone)" setting
should be configured
correctly
2007 CCE-1505
The "Disable the Office enabled/disabled
client from polling the
Office server for published
links" setting should be
configured correctly
2007 CCE-1545
The "Block opening of enabled/disabled
pre-release versions of file
formats new to Word 2007
through the Compatibility
Pack for the 2007 Office
system and Word 2007
Open XML/Word 97-2003
Format Converter" setting
should be configured
correctly
2007 CCE-1549
The "Block opening of enabled/disabled
pre-release versions of file
formats new to Excel
2007 through the
Compatibility Pack for the
2007 Office system and
Excel 2007 Converter"
setting should be
configured correctly
2007 CCE-1431
The "Block opening of enabled/disabled
pre-release versions of file
formats new to
PowerPoint 2007 through
the Compatibility Pack for
the 2007 Office system
and PowerPoint 2007
Converter" setting should
be configured correctly
2007 CCE-1594
The "Control Blogging enabled/disabled
(Enabled | Only
SharePoint blogs allowed
| All blogging disabled)"
setting should be
configured correctly
2007 CCE-1241
The "Enable Smart enabled/disabled
Resume" setting should
be configured correctly
2007 CCE-1607
The "Do not upload media enabled/disabled
files" setting should be
configured correctly
2007 CCE-752
The "Disable hyperlinks to enabled/disabled
web templates in File |
New and task panes"
setting should be
configured correctly
2007 CCE-1166
The "Prevent access to enabled/disabled
Web-based file storage"
setting should be
configured correctly
2007 CCE-654
The "Do not allow enabled/disabled
attachment previewing in
Outlook" setting should be
configured correctly for
Outlook 2007.
2007 CCE-1192
The "Read e-mail as plain enabled/disabled
text" setting should be
configured correctly for
Outlook 2007.
2007 CCE-791
The "Read signed e-mail enabled/disabled
as plain text" setting
should be configured
correctly for Outlook 2007.
2007 CCE-1456
The "Prevent publishing to enabled/disabled
Office Online" setting
should be configured
correctly for Outlook 2007.
2007 CCE-1478
The "Prevent publishing to enabled/disabled
a DAV server" setting
should be configured
correctly for Outlook 2007.
2007 CCE-1368
The "Restrict level of enabled/disabled
calendar details users can
publish (All options are
available | Disables 'Full
details' | Disables 'Full
details' and 'Limited
details')" setting should be
configured correctly for
Outlook 2007.
2007 CCE-1641
The "Access to published enabled/disabled
calendars" setting should
be configured correctly for
Outlook 2007.
2007 CCE-1266
The "Restrict upload enabled/disabled
method" setting should be
configured correctly for
Outlook 2007.
2007 CCE-1399
The "Hide Junk Mail UI" enabled/disabled
setting should be
configured correctly for
Outlook 2007.
2007 CCE-1187
The "Junk E-mail enabled/disabled
protection level (No
Protection, Low, High,
Trusted Lists Only)"
setting should be
configured correctly for
Outlook 2007.
2007 CCE-1588
The "Trust E-mail from enabled/disabled
Contacts" setting should
be configured correctly for
Outlook 2007.
2007 CCE-1117
The "Add e-mail recipients enabled/disabled
to users' Safe Senders
Lists" setting should be
configured correctly for
Outlook 2007.
2007 CCE-1130
The "Dial-up options" enabled/disabled
setting should be
configured correctly for
Outlook 2007.
2007 CCE-1093
The "Dial-up options - enabled/disabled
Warn before switching
dial-up connection" setting
should be configured
correctly for Outlook 2007.
2007 CCE-1599
The "Dial-up options - enabled/disabled
Hang up when finished
sending, receiving, or
updating" setting should
be configured correctly for
Outlook 2007.
2007 CCE-1621
The "Dial-up options - enabled/disabled
Automatically dial during a
background
Send/Receive" setting
should be configured
correctly for Outlook 2007.
2007 CCE-1269
The "Do not allow enabled/disabled
creating, replying, or
forwarding signatures for
e-mail messages" setting
should be configured
correctly for Outlook 2007.
2007 CCE-1419
The "Send copy of enabled/disabled
pictures with HTML
messages instead of
reference to Internet
location" setting should be
configured correctly for
Outlook 2007.
2007 CCE-1551
The "Outlook Rich Text enabled/disabled
options (Convert to HTML
| Convert to Plain Text
format | Send Using
Outlook Rich Text format)"
setting should be
configured correctly for
Outlook 2007.
2007 CCE-655
The "Plain text options" enabled/disabled
setting should be
configured correctly for
Outlook 2007.
2007 CCE-1592
The "Plain text options - enabled/disabled
Encode attachments in
UUENCODE format when
sending a plain text
message" setting should
be configured correctly for
Outlook 2007.
2007 CCE-1614
The "Set message format enabled/disabled
(HTML | Rich Text | Plain
Text)" setting should be
configured correctly for
Outlook 2007.
2007 CCE-1526
The "Make Outlook the enabled/disabled
default program for E-
mail, Contacts, and
Calendar" setting should
be configured correctly for
Outlook 2007.
2007 CCE-1111
The "Do not allow folders enabled/disabled
in non-default stores to be
set as folder home pages"
setting should be
configured correctly for
Outlook 2007.
2007 CCE-1494
The "Use Unicode format enabled/disabled
when dragging e-mail
message to file system"
setting should be
configured correctly for
Outlook 2007.
2007 CCE-1287
The "Do not allow Outlook enabled/disabled
object model scripts to run
for shared folders" setting
should be configured
correctly for Outlook 2007.
2007 CCE-1529
The "Do not allow Outlook enabled/disabled
object model scripts to run
for public folders" setting
should be configured
correctly for Outlook 2007.
2007 CCE-1560
The "Set maximum level enabled/disabled
of online status on a
person name (Do not
allow | Allow everywhere
except To and CC field |
Allow everywhere)" setting
should be configured
correctly for Outlook 2007.
2007 CCE-1596
The "Display online status enabled/disabled
on a person name (Never
| Everywhere except To
and CC field |
Everywhere)" setting
should be configured
correctly for Outlook 2007.
2007 CCE-1604
The "Turn off Enable the enabled/disabled
Person Names Smart Tag
option" setting should be
configured correctly for
Outlook 2007.
2007 CCE-1648
The "Outlook Security enabled/disabled
Mode (Outlook Default
Security | Use Security
Form from 'Outlook
Security Settings' Public
Folder | Use Security
Form from 'Outlook 10
Security Settings' Public
Folder | Use Outlook
Security Group Policy)"
setting should be
configured correctly for
Outlook 2007.
2007 CCE-1516
The "Display Level 1 enabled/disabled
attachments" setting
should be configured
correctly for Outlook 2007.
2007 CCE-1296
The "Allow users to enabled/disabled
demote attachments to
Level 2" setting should be
configured correctly for
Outlook 2007.
2007 CCE-1388
The "Do not prompt about enabled/disabled
Level 1 attachments when
sending an item" setting
should be configured
correctly for Outlook 2007.
2007 CCE-1652
The "Do not prompt about enabled/disabled
Level 1 attachments when
closing an item" setting
should be configured
correctly for Outlook 2007.
2007 CCE-1569
The "Allow in-place enabled/disabled
activation of embedded
OLE objects" setting
should be configured
correctly for Outlook 2007.
2007 CCE-1459
The "Display OLE enabled/disabled
package objects" setting
should be configured
correctly for Outlook 2007.
2007 CCE-1608
The "Add file extensions enabled/disabled
to block as Level 1"
setting should be
configured correctly for
Outlook 2007.
2007 CCE-1617
The "Remove file enabled/disabled
extensions blocked as
Level 1" setting should be
configured correctly for
Outlook 2007.
2007 CCE-1631
The "Add file extensions enabled/disabled
to block as Level 2"
setting should be
configured correctly for
Outlook 2007.
2007 CCE-1155
The "Remove file enabled/disabled
extensions blocked as
Level 2" setting should be
configured correctly for
Outlook 2007.
2007 CCE-1556
The "Allow scripts in one- enabled/disabled
off Outlook forms" setting
should be configured
correctly for Outlook 2007.
2007 CCE-1595
The "Set Outlook object enabled/disabled
model Custom Actions
execution prompt (Prompt
User | Automatically
Approve | Automatically
Deny | Prompt user based
on computer security)"
setting should be
configured correctly for
Outlook 2007.
2007 CCE-1436
The "Set control enabled/disabled
ItemProperty prompt
(Prompt User |
Automatically Approve |
Automatically Deny |
Prompt user based on
computer security)"
setting should be
configured correctly
2007 CCE-1586
The "Configure Outlook enabled/disabled
object model prompt when
sending mail (Prompt
User | Automatically
Approve | Automatically
Deny | Prompt user based
on computer security)"
setting should be
configured correctly for
Outlook 2007.
2007 CCE-1590
The "Configure Outlook enabled/disabled
object model prompt when
accessing an address
book (Prompt User |
Automatically Approve |
Automatically Deny |
Prompt user based on
computer security)"
setting should be
configured correctly for
Outlook 2007.
2007 CCE-1004
The "Configure Outlook enabled/disabled
object model prompt when
reading address
information (Prompt User |
Automatically Approve |
Automatically Deny |
Prompt user based on
computer security)"
setting should be
configured correctly for
Outlook 2007.
2007 CCE-1273
The "Configure Outlook enabled/disabled
object model prompt when
responding to meeting
and task requests (Prompt
User | Automatically
Approve | Automatically
Deny | Prompt user based
on computer security)"
setting should be
configured correctly for
Outlook 2007.
2007 CCE-1172
The "Configure Outlook enabled/disabled
object model prompt when
executing Save As
(Prompt User |
Automatically Approve |
Automatically Deny |
Prompt user based on
computer security)"
setting should be
configured correctly for
Outlook 2007.
2007 CCE-1568
The "Configure Outlook enabled/disabled
object model prompt
When accessing the
Formula property of a
UserProperty object
(Prompt User |
Automatically Approve |
Automatically Deny |
Prompt user based on
computer security)"
setting should be
configured correctly for
Outlook 2007.
2007 CCE-1573
The "Configure Outlook enabled/disabled
object model prompt when
accessing address
information via
UserProperties.Find
(Prompt User |
Automatically Approve |
Automatically Deny |
Prompt user based on
computer security)"
setting should be
configured correctly for
Outlook 2007.
2007 CCE-1454
The "Required Certificate enabled/disabled
Authority" setting should
be configured correctly for
Outlook 2007.
2007 CCE-1498
The "S/MIME enabled/disabled
interoperability with
external clients: (Handle
internally | Handle
externally | Handle if
possible)" setting should
be configured correctly for
Outlook 2007.
2007 CCE-1630
The "Always use Rich enabled/disabled
Text formatting in S/MIME
messages" setting should
be configured correctly for
Outlook 2007.
2007 CCE-1626
The "S/MIME password enabled/disabled
settings" setting should be
configured correctly for
Outlook 2007.
2007 CCE-1163
The "S/MIME password enabled/disabled
settings - Default S/MIME
password time (minutes):
(0 - 2147483647)" setting
should be configured
correctly for Outlook 2007.
2007 CCE-1445
The "S/MIME password enabled/disabled
settings - Maximum
S/MIME password time
(minutes): (0 -
2147483647)" setting
should be configured
correctly for Outlook 2007.
2007 CCE-1582
The "Message Formats" enabled/disabled
setting should be
configured correctly for
Outlook 2007.
2007 CCE-1357
The "Message Formats - enabled/disabled
Support the following
message formats:
(S/MIME | Exchange |
Fortezza | S/MIME and
Exchange | S/MIME and
Fortezza | Exchange and
Fortezza | S/MIME,
Exchange, and Fortezza)"
setting should be
configured correctly for
Outlook 2007.
2007 CCE-1132
2007: The "Do not provide enabled/disabled
Continue option on
Encryption warning dialog
boxes" setting should be
configured correctly for
Outlook 2007. 2003: The
"Disable Continue button
on all Encryption warning
dialogs" setting should be
configured correctly.
2003/2007 CCE-1511
The "Run in FIPS enabled/disabled
compliant mode" setting
should be configured
correctly for Outlook 2007.
2007 CCE-1018
The "Encrypt all e-mail enabled/disabled
messages" setting should
be configured correctly for
Outlook 2007 and 2003.
2003/2007 CCE-1181
The "Sign all e-mail enabled/disabled
messages" setting should
be configured correctly for
Outlook 2007.
2007 CCE-1639
The "URL for S/MIME enabled/disabled
certificates" setting should
be configured correctly for
Outlook 2007.
2007 CCE-677
The "Ensure all S/MIME enabled/disabled
signed messages have a
label" setting should be
configured correctly for
Outlook 2007.
2007 CCE-687
The "S/MIME receipt enabled/disabled
requests (Open message
if receipt can't be sent |
Don't open message if
receipt can't be sent |
Always prompt before
sending receipt | Never
send S/MIME )" setting
should be configured
correctly for Outlook 2007.
2007 CCE-1613
The "Fortezza certificate enabled/disabled
policies" setting should be
configured correctly for
Outlook 2007.
2007 CCE-1402
The "Require SuiteB enabled/disabled
algorithms for S/MIME
operations" setting should
be configured correctly for
Outlook 2007.
2007 CCE-1658
The "Missing CRLs" enabled/disabled
setting should be
configured correctly for
Outlook 2007.
2007 CCE-1662
The "Missing CRLs - enabled/disabled
Indicate a missing CRL as
a(n): (warning | error)"
setting should be
configured correctly for
Outlook 2007.
2007 CCE-1080
The "Missing root enabled/disabled
certificates" setting should
be configured correctly for
Outlook 2007.
2007 CCE-1076
The "Missing root enabled/disabled
certificates - Indicate a
missing root certificate as
a(n): (neither error nor
warning | warning | error)"
setting should be
configured correctly for
Outlook 2007.
2007 CCE-1636
The "Promote Level 2 enabled/disabled
errors as errors, not
warnings" setting should
be configured correctly for
Outlook 2007.
2007 CCE-943
The "Attachment Secure enabled/disabled
Temporary Folder" setting
should be configured
correctly for Outlook 2007.
2007 CCE-1591
The "Display pictures and enabled/disabled
external content in HTML
e-mail" setting should be
configured correctly for
Outlook 2007.
2007 CCE-1133
The "Automatically enabled/disabled
download content for e-
mail from people in Safe
Senders and Safe
Recipients Lists" setting
should be configured
correctly for Outlook 2007.
2007 CCE-725
The "Do not permit enabled/disabled
download of content from
safe zones" setting should
be configured correctly for
Outlook 2007.
2007 CCE-1347
The "Block Trusted enabled/disabled
Zones" setting should be
configured correctly for
Outlook 2007.
2007 CCE-1475
The "Include Internet in enabled/disabled
Safe Zones for Automatic
Picture Download" setting
should be configured
correctly for Outlook 2007.
2007 CCE-1497
The "Include Intranet in enabled/disabled
Safe Zones for Automatic
Picture Download" setting
should be configured
correctly for Outlook 2007.
2007 CCE-1501
The "Security setting for enabled/disabled
macros (Always warn |
Never warn, disable all |
Warn for signed, disable
unsigned | No security
check)" setting should be
configured correctly for
Outlook 2007.
2007 CCE-1030
The "Enable links in e- enabled/disabled
mail messages" setting
should be configured
correctly for Outlook 2007.
2007 CCE-1052
The "Apply macro security enabled/disabled
settings to macros, add-
ins, and SmartTags"
setting should be
configured correctly for
Outlook 2007.
2007 CCE-1462
The "Automatically enabled/disabled
configure profile based on
Active Directory Primary
SMTP address" setting
should be configured
correctly for Outlook 2007.
2007 CCE-1281
The "Do not allow users to enabled/disabled
change permissions on
folders" setting should be
configured correctly for
Outlook 2007.
2007 CCE-1303
The "Enable RPC enabled/disabled
encryption" setting should
be configured correctly for
Outlook 2007.
2007 CCE-1082
The "Authentication with enabled/disabled
Exchange Server
(Kerberos/NTLM
Password Authentication |
Kerberos Password
Authentication | NTLM
Password Authentication)"
setting should be
configured correctly for
Outlook 2007.
2007 CCE-1712
The "Synchronize Outlook enabled/disabled
RSS Feeds with Common
Feed List" setting should
be configured correctly for
Outlook 2007.
2007 CCE-1131
The "Turn off RSS enabled/disabled
feature" setting should be
configured correctly for
Outlook 2007.
2007 CCE-1620
The "Automatically enabled/disabled
download enclosures"
setting should be
configured correctly for
Outlook 2007.
2007 CCE-1541
The "Download full text of enabled/disabled
articles as HTML
attachments" setting
should be configured
correctly for Outlook 2007.
2007 CCE-1311
The "Automatically enabled/disabled
download attachments"
setting should be
configured correctly for
Outlook 2007.
2007 CCE-1682
The "Do not include enabled/disabled
Internet Calendar
integration in Outlook"
setting should be
configured correctly for
Outlook 2007.
2007 CCE-1461
The "Disable user entries enabled/disabled
to server list (Publish
default, allow others |
Publish default, disallow
others)" setting should be
configured correctly for
Outlook 2007.
2007 CCE-1041
The "Do not expand enabled/disabled
distribution lists" setting
should be configured
correctly for Outlook 2007.
2007 CCE-1565
The "Save files in this enabled/disabled
format (PowerPoint
Presentation (*.pptx) |
PowerPoint Macro-
Enabled Presentation
(*.pptm) | PowerPoint 97-
2003 Presentation
(*.ppt))" setting should be
configured correctly for
PowerPoint 2007.
2007 CCE-1719
The "Number of enabled/disabled
documents in the Recent
Documents list (0 - 50)"
setting should be
configured correctly for
PowerPoint 2007.
2007 CCE-1477
The "Determine whether enabled/disabled
to force encrypted macros
to be scanned in Microsoft
PowerPoint Open XML
presentations" setting
should be configured
correctly for PowerPoint
2007.
2007 CCE-1142
The "Run Programs enabled/disabled
(disable (don't run any
programs) | enable
(prompt user before
running) | enable all (run
without prompting))"
setting should be
configured correctly for
PowerPoint 2007.
2007 CCE-1649
The "Make hidden markup enabled/disabled
visible" setting should be
configured correctly for
PowerPoint 2007.
2007 CCE-1279
The "Unblock automatic enabled/disabled
download of linked
images" setting should be
configured correctly for
PowerPoint 2007.
2007 CCE-1451
The "Disable all enabled/disabled
application add-ins"
setting should be
configured correctly for
PowerPoint 2007.
2007 CCE-1204
The "Require that enabled/disabled
application add-ins are
signed by Trusted
Publisher" setting should
be configured correctly for
PowerPoint 2007.
2007 CCE-1107
The "Disable Trust Bar enabled/disabled
Notification for unsigned
application add-ins"
setting should be
configured correctly for
PowerPoint 2007.
2007 CCE-743
The "Allow Trusted enabled/disabled
Locations not on the
computer" setting should
be configured correctly for
PowerPoint 2007.
2007 CCE-747
The "Disable all trusted enabled/disabled
locations" setting should
be configured correctly for
PowerPoint 2007.
2007 CCE-782
The "Disable commands" enabled/disabled
setting should be
configured correctly for
PowerPoint 2007.
2007 CCE-1327
The "Disable commands - enabled/disabled
Office Button | PowerPoint
Options | Customize | All
Commands | Web Page
Preview" setting should be
configured correctly for
PowerPoint 2007.
2007 CCE-1723
The "Disable commands - enabled/disabled
Office Button | Send |
Email" setting should be
configured correctly for
PowerPoint 2007.
2007 CCE-1366
The "Disable commands - enabled/disabled
Insert | Links | Hyperlink"
setting should be
configured correctly for
PowerPoint 2007.
2007 CCE-1679
The "Disable commands - enabled/disabled
Review | Proofing |
Language" setting should
be configured correctly for
PowerPoint 2007.
2007 CCE-1173
The "Disable commands - enabled/disabled
View | Macros | Macros"
setting should be
configured correctly for
PowerPoint 2007.
2007 CCE-1714
The "Disable commands - enabled/disabled
Developer | Code |
Macros" setting should be
configured correctly for
PowerPoint 2007.
2007 CCE-1485
The "Disable commands - enabled/disabled
Developer | Code | Macro
Security" setting should
be configured correctly for
PowerPoint 2007.
2007 CCE-1687
The "Disable commands - enabled/disabled
Developer | Code | Visual
Basic" setting should be
configured correctly for
PowerPoint 2007.
2007 CCE-1709
The "Disable commands - enabled/disabled
Office Button | PowerPoint
Options | Customize | All
Commands | Document
Location" setting should
be configured correctly for
PowerPoint 2007.
2007 CCE-1463
The "Disable commands - enabled/disabled
Disable shortcut keys"
setting should be
configured correctly for
PowerPoint 2007.
2007 CCE-1467
The "Disable commands - enabled/disabled
Ctrl+K (Insert | Links |
Hyperlink)" setting should
be configured correctly for
PowerPoint 2007.
2007 CCE-1740
The "Disable commands - enabled/disabled
Alt+F8 (Developer | Code
| Macros)" setting should
be configured correctly for
PowerPoint 2007.
2007 CCE-1780
The "Disable commands - enabled/disabled
Alt+F11 (Developer | Code
| Visual Basic)" setting
should be configured
correctly for PowerPoint
2007.
2007 CCE-1661
The "Block opening of enabled/disabled
pre-release versions of file
formats new to
PowerPoint 2007" setting
should be configured
correctly for PowerPoint
2007.
2007 CCE-1688
The "Block opening of enabled/disabled
Open Xml files types"
setting should be
configured correctly for
PowerPoint 2007.
2007 CCE-1701
The "Block opening of enabled/disabled
Binary file types" setting
should be configured
correctly for PowerPoint
2007.
2007 CCE-1348
The "Block opening of enabled/disabled
Html file types" setting
should be configured
correctly for PowerPoint
2007.
2007 CCE-1644
The "Block opening of enabled/disabled
Outlines" setting should
be configured correctly for
PowerPoint 2007.
2007 CCE-1194
The "Block opening of enabled/disabled
Converters" setting should
be configured correctly for
PowerPoint 2007.
2007 CCE-1216
The "Block saving of enabled/disabled
Open Xml file types"
setting should be
configured correctly for
PowerPoint 2007.
2007 CCE-1506
The "Block saving of enabled/disabled
Binary file types" setting
should be configured
correctly for PowerPoint
2007.
2007 CCE-1136
The "Block saving of Html enabled/disabled
file types" setting should
be configured correctly for
PowerPoint 2007.
2007 CCE-1766
The "Block saving of enabled/disabled
Outlines" setting should
be configured correctly for
PowerPoint 2007.
2007 CCE-1180
The "Block saving of enabled/disabled
GraphicFilters" setting
should be configured
correctly for PowerPoint
2007.
2007 CCE-1722
The "Disable Slide enabled/disabled
Update" setting should be
configured correctly for
PowerPoint 2007.
2007 CCE-1731
The "Hidden text" setting enabled/disabled
should be configured
correctly for Word 2007.
2007 CCE-885
The "Save files in this enabled/disabled
format (Word document
(*.docx) | Single Files Web
Page (*.mht) | Web Page
(*.htm; *.html) | Web
Page, Filtered (*.htm,
*.html) | Rich Text Format
(*.rtf) | Plain Text (*.txt) |
Word 6.0/95 (*.doc) |
Word 6.0/95 - Chinese
(Simplified) (*.doc) | Word
6.0/95 - Chinese
(Traditional) (*.doc) | Word
6.0/95 - Japanese (*.doc)
| Word 6.0/95 - Korean
(*.doc) | Word 97-2002 &
6.0/95 - RTF | Word 5.1
for Macintosh (*.mcw) |
Word 5.0 for Macintosh
(*.mcw) | Word 2.x for
Windows (*.doc) | Works
4.0 for Windows (*.wps) |
WordPerfect 5.x for
Windows (*.doc) |
WordPerfect 5.1 for DOS
(*.doc) | Word 2007 Macro
Enabled Document
(*.docm) | Word 2007
Macro Free Template
(*.dotx) | Word 2007
Macro Enabled Template
(*.dotm) | Word 97 - 2003
Document (*.doc) | Word
97 - 2003 Template (*.dot)
| Flat XML Document
(*.xml))" setting should be
configured correctly for
2007 CCE-1656
The "Number of enabled/disabled
documents in the Recent
Documents list (0-50)"
setting should be
configured correctly for
Word 2007.
2007 CCE-1537
The "Update automatic enabled/disabled
links at Open" setting
should be configured
correctly for Word 2007.
2007 CCE-1249
The "Save smart tags in enabled/disabled
e-mail" setting should be
configured correctly for
Word 2007.
2007 CCE-1509
The "Determine whether enabled/disabled
to force encrypted macros
to be scanned in Microsoft
Word Open XML
documents" setting should
be configured correctly for
Word 2007.
2007 CCE-1280
The "Disable all enabled/disabled
application add-ins"
setting should be
configured correctly for
Word 2007.
2007 CCE-1681
The "Require that enabled/disabled
application add-ins are
signed by Trusted
Publisher" setting should
be configured correctly for
Word 2007.
2007 CCE-1562
The "Disable Trust Bar enabled/disabled
Notification for unsigned
application add-ins"
setting should be
configured correctly for
Word 2007.
2007 CCE-1333
The "Allow Trusted enabled/disabled
Locations not on the
computer" setting should
be configured correctly for
Word 2007.
2007 CCE-1355
The "Disable all trusted enabled/disabled
locations" setting should
be configured correctly for
Word 2007.
2007 CCE-1637
The "Disable commands" enabled/disabled
setting should be
configured correctly for
Word 2007.
2007 CCE-1659
The "Disable commands - enabled/disabled
Office Button | Word
Options | Customize | All
Commands | Save As
Web Page" setting should
be configured correctly for
Word 2007.
2007 CCE-1329
The "Disable commands - enabled/disabled
Office Button | Word
Options | Customize | All
Commands | Web Page
Preview" setting should be
configured correctly for
Word 2007.
2007 CCE-1632
The "Disable commands - enabled/disabled
Office Button | Send |
Email" setting should be
configured correctly for
Word 2007.
2007 CCE-1425
The "Disable commands - enabled/disabled
Insert | Links | Hyperlink"
setting should be
configured correctly for
Word 2007.
2007 CCE-1196
The "Disable commands - enabled/disabled
Review | Protect | Protect
Document" setting should
be configured correctly for
Word 2007.
2007 CCE-936
The "Disable commands - enabled/disabled
View | Macros | Macros"
setting should be
configured correctly for
Word 2007.
2007 CCE-1354
The "Disable commands - enabled/disabled
Developer | Code |
Macros" setting should be
configured correctly for
Word 2007.
2007 CCE-1125
The "Disable commands - enabled/disabled
Developer | Code |
Record Macro" setting
should be configured
correctly for Word 2007.
2007 CCE-1742
The "Disable commands - enabled/disabled
Developer | Code | Macro
Security" setting should
be configured correctly for
Word 2007.
2007 CCE-1782
The "Disable commands - enabled/disabled
Developer | Code | Visual
Basic" setting should be
configured correctly for
Word 2007.
2007 CCE-1306
The "Disable commands - enabled/disabled
Developer | Templates |
Document Template"
setting should be
configured correctly for
Word 2007.
2007 CCE-1548
The "Disable shortcut enabled/disabled
keys" setting should be
configured correctly for
Word 2007.
2007 CCE-1716
The "Disable shortcut enabled/disabled
keys - Ctrl+F (Home |
Editing | Find)" setting
should be configured
correctly for Word 2007.
2007 CCE-1597
The "Disable shortcut enabled/disabled
keys - Ctrl+K (Insert |
Links | Hyperlink)" setting
should be configured
correctly for Word 2007.
2007 CCE-1689
The "Disable shortcut enabled/disabled
keys - Alt+F8 (Developer |
Code | Macros)" setting
should be configured
correctly for Word 2007.
2007 CCE-1570
The "Disable shortcut enabled/disabled
keys - Alt+F11 (Developer
| Code | Visual Basic)"
setting should be
configured correctly for
Word 2007.
2007 CCE-1720
The "Block opening of enabled/disabled
pre-release versions of file
formats new to Word
2007" setting should be
configured correctly for
Word 2007.
2007 CCE-1746
The "Block opening of enabled/disabled
Open XML file types"
setting should be
configured correctly for
Word 2007.
2007 CCE-1504
The "Block opening of enabled/disabled
Binary file types" setting
should be configured
correctly for Word 2007.
2007 CCE-1654
The "Block opening of enabled/disabled
HTML file types" setting
should be configured
correctly for Word 2007.
2007 CCE-1160
The "Block opening of enabled/disabled
Word 2003 XML file types"
setting should be
configured correctly for
Word 2007.
2007 CCE-958
The "Block opening of enabled/disabled
RTF file types" setting
should be configured
correctly for Word 2007.
2007 CCE-1579
The "Block open enabled/disabled
Converters" setting should
be configured correctly for
Word 2007.
2007 CCE-984
The "Block opening of enabled/disabled
Text file types" setting
should be configured
correctly for Word 2007.
2007 CCE-1072
The "Block opening of enabled/disabled
Internal file types" setting
should be configured
correctly for Word 2007.
2007 CCE-1503
The "Block opening of enabled/disabled
files before version"
setting should be
configured correctly for
Word 2007.
2007 CCE-1371
The "Block saving of enabled/disabled
Open XML file types"
setting should be
configured correctly for
Word 2007.
2007 CCE-1019
The "Block saving of enabled/disabled
Binary file types" setting
should be configured
correctly for Word 2007.
2007 CCE-1684
The "Block saving of enabled/disabled
HTML file types" setting
should be configured
correctly for Word 2007.
2007 CCE-1675
The "Block saving of Word enabled/disabled
2003 XML file types"
setting should be
configured correctly for
Word 2007.
2007 CCE-1200
The "Block saving of RTF enabled/disabled
file types" setting should
be configured correctly for
Word 2007.
2007 CCE-1741
The "Block saving of enabled/disabled
Converters" setting should
be configured correctly for
Word 2007.
2007 CCE-1231
The "Block saving of Text enabled/disabled
file types" setting should
be configured correctly for
Word 2007.
2007 CCE-1755
ms computer
config
The InfoPath APTCA enabled/disabled
Assembly Whitelist setting
should be configured
correctly.
2007 CCE-1169
The Windows Internet enabled/disabled
Explorer Feature Control
Opt-In (None |
InfoPath.exe, Document
Information Panel and
Workflow forms |
InfoPath.exe, Document
Information Panel,
Workflow forms and 3rd
Party Hosting) setting
should be configured
correctly.
2007 CCE-1735
The InfoPath APTCA enabled/disabled
Assembly Whitelist
Enforcement setting
should be configured
correctly.
2007 CCE-1739
The Disable Package enabled/disabled
Repair setting should be
configured correctly.
2007 CCE-933
The Disable user name enabled/disabled
and password setting
should be configured
correctly.
2007 CCE-1563
The Disable user name enabled/disabled
and password - excel.exe
setting should be
configured correctly.
2007 CCE-1215
The Disable user name enabled/disabled
and password -
powerpnt.exe setting
should be configured
correctly.
2007 CCE-1484
The Disable user name enabled/disabled
and password -
pptview.exe setting should
be configured correctly.
2007 CCE-1629
The Disable user name enabled/disabled
and password -
winword.exe setting
should be configured
correctly.
2007 CCE-1762
The Disable user name enabled/disabled
and password -
outlook.exe setting should
be configured correctly.
2007 CCE-1660
The Disable user name enabled/disabled
and password -
spDesign.exe setting
should be configured
correctly.
2007 CCE-1057
The Disable user name enabled/disabled
and password -
msaccess.exe setting
should be configured
correctly.
2007 CCE-1285
The Bind to object setting enabled/disabled
should be configured
correctly.
2007 CCE-1669
The Bind to object - enabled/disabled
excel.exe setting should
be configured correctly.
2007 CCE-1691
The Bind to object - enabled/disabled
powerpnt.exe setting
should be configured
correctly.
2007 CCE-1338
The Bind to object - enabled/disabled
pptview.exe setting should
be configured correctly.
2007 CCE-1717
The Bind to object - enabled/disabled
winword.exe setting
should be configured
correctly.
2007 CCE-1488
The Bind to object - enabled/disabled
outlook.exe setting should
be configured correctly.
2007 CCE-1638
The Bind to object - enabled/disabled
spDesign.exe setting
should be configured
correctly.
2007 CCE-1647
The Bind to object - enabled/disabled
msaccess.exe setting
should be configured
correctly.
2007 CCE-1294
The Saved from URL enabled/disabled
setting should be
configured correctly.
2007 CCE-1193
The Saved from URL - enabled/disabled
excel.exe setting should
be configured correctly.
2007 CCE-1352
The Saved from URL - enabled/disabled
powerpnt.exe setting
should be configured
correctly.
2007 CCE-928
The Saved from URL - enabled/disabled
pptview.exe setting should
be configured correctly.
2007 CCE-1576
The Saved from URL - enabled/disabled
pptview.exe setting should
be configured correctly.
2007 CCE-1100
The Saved from URL - enabled/disabled
outlook.exe setting should
be configured correctly.
2007 CCE-1232
The Saved from URL - enabled/disabled
spDesign.exe setting
should be configured
correctly.
2007 CCE-1774
The Saved from URL - enabled/disabled
msaccess.exe setting
should be configured
correctly.
2007 CCE-906
The Navigate URL setting enabled/disabled
should be configured
correctly.
2007 CCE-1034
The Navigate URL - enabled/disabled
excel.exe setting should
be configured correctly.
2007 CCE-1435
The Navigate URL - enabled/disabled
powerpnt.exe setting
should be configured
correctly.
2007 CCE-1708
The Navigate URL - enabled/disabled
pptview.exe setting should
be configured correctly.
2007 CCE-808
The Navigate URL - enabled/disabled
winword.exe setting
should be configured
correctly.
2007 CCE-1650
The Navigate URL - enabled/disabled
outlook.exe setting should
be configured correctly.
2007 CCE-1223
The Navigate URL - enabled/disabled
spDesign.exe setting
should be configured
correctly.
2007 CCE-1764
The Navigate URL - enabled/disabled
msaccess.exe setting
should be configured
correctly.
2007 CCE-1769
The Block popups setting enabled/disabled
should be configured
correctly.
2007 CCE-1152
The Block popups - enabled/disabled
excel.exe setting should
be configured correctly.
2007 CCE-1566
The Block popups - enabled/disabled
powerpnt.exe setting
should be configured
correctly.
2007 CCE-1077
The Block popups - enabled/disabled
pptview.exe setting should
be configured correctly.
2007 CCE-1606
The Block popups - enabled/disabled
winword.exe setting
should be configured
correctly.
2007 CCE-1738
The Block popups - enabled/disabled
outlook.exe setting should
be configured correctly.
2007 CCE-1262
The Block popups - enabled/disabled
spDesign.exe setting
should be configured
correctly.
2007 CCE-1663
The Block popups - enabled/disabled
msaccess.exe setting
should be configured
correctly.
2007 CCE-1544
new NIST
The "Prevent users from
customizing attachment
security settings" setting
should be configured
2007 CCE-1443 correctly. 1 = Enabled
The "Outlook virus
security settings" setting
should be configured
2003 CCE-1522 correctly. 0 = Uses default administrative settings | 1 = Look in the Outlook Security Settings folder | 2 = Look in the Outlook 10 Security Settings folder
The "S/MIME receipt
requests" setting should
2003 CCE-1183 be configured correctly. 0 = Open message if receipt can't be sent | 1 = Always prompt before sending receipt | 2 = Never send S/MIME receipts | 3 = Don't open message if receipt can't be sent
Internet Explorer
Processes (Restrict (1)
CCE-119 ActiveX Install) enabled/disabled
The "Security Zones: Do
Not Allow Users to
Add/Delete Sites" setting
should be configured (1)
CCE-146 correctly. enabled/disabled
Internet Explorer
Processes (Zone
CCE-347 Elevation Protection) enabled/disabled
The "Internet Explorer
Processes (Consistent
MIME Handling)" setting
should be configured
CCE-382 correctly. enabled/disabled
The "Installation of
desktop items" setting
should be configured
correctly for the Internet
CCE-355 Zone. enabled/disabled/prompt
The "Allow script-initiated
windows without size or
position constraints"
setting should be
configured correctly for
CCE-280 the Internet Zone. enabled/disabled
The "Java permissions"
setting should be
configured correctly for
CCE-132 the Internet Zone. Custom/Disable Java/High safety/Low safety/Medium safety
The "Logon" setting
should be configured
correctly for the Internet
CCE-720 Zone. Anonymous logon/Automatic logon only in Intranet zone/Automatic logon with current user name and password/Prompt for user name and password
The "Userdata
persistence" setting
should be configured
correctly for the Internet
CCE-425 Zone. enabled/disabled
The "Installation of
desktop items" setting
should be configured
correctly for the Restricted
CCE-763 Sites Zone. enabled/disabled/prompt
The "Java permissions"
setting should be
configured correctly for
CCE-925 the Restricted Sites Zone. Custom/Disable Java/High safety/Low safety/Medium safety
The "Logon" setting
should be configured
correctly for the Restricted
CCE-128 Sites Zone. Anonymous logon/Automatic logon only in Intranet zone/Automatic logon with current user name and password/Prompt for user name and password
The "Userdata
persistence" setting
should be configured
correctly for the Restricted
CCE-28 Sites Zone. enabled/disabled
The "Java permissions"
setting should be
configured correctly for
CCE-675 the Trusted Sites Zone. Custom/Disable Java/High safety/Low safety/Medium safety
The "Configuration of
wireless settings using
Windows Connect Now"
setting should be
configured correctly for
Wireless Connect Now
CCE-734 over Ethernet (UPnP). enabled/disabled
The "Configuration of
wireless settings using
Windows Connect Now"
setting should be
configured correctly for
CCE-469 USB flash drives. enabled/disabled
The "Configuration of
wireless settings using
Windows Connect Now"
setting should be
configured correctly for
the Windows Portable
CCE-302 Device API. enabled/disabled
Computer-wide, rather
than per-user, assignment
of sites to zones for
Internet Explorer should
be enabled or disabled as
CCE-1005 appropriate. enabled, disabled, or not configured
The "Turn on Protected
Mode" setting should be
configured correctly for
CCE-281 the Internet Zone. enabled/disabled
The "Download signed
ActiveX controls" setting
should be configured
correctly for the
CCE-308 Locked-Down Internet Zone. enabled/disabled/prompt
Computer-wide, rather
than per-user, use of
Microsoft Spynet
Reporting for Windows
Defender should be
enabled or disabled as
CCE-312 appropriate. enabled, disabled, or not configured
The "Do Not Show First
Use Dialog Boxes" setting
for Windows Media Player
should be configured
CCE-1140 correctly. enabled/disabled
The "Prevent Desktop
Shortcut Creation" setting
for Windows Media Player
should be configured
CCE-313 correctly. enabled/disabled
Auditing of "System:
Security System
Extension" events on
success should be
enabled or disabled as
CCE-1270 appropriate. enabled/disabled
Auditing of "System:
Security System
Extension" events on
failure should be enabled
or disabled as
CCE-1102 appropriate. enabled/disabled
Auditing of "System:
System Integrity" events
on success should be
enabled or disabled as
CCE-856 appropriate. enabled/disabled
Auditing of "System:
System Integrity" events
on failure should be
enabled or disabled as
CCE-336 appropriate. enabled/disabled
Auditing of "Logon/Logoff:
Logon" events on success
should be enabled or
CCE-1284 disabled as appropriate. enabled/disabled
Auditing of "Logon/Logoff:
Logon" events on failure
should be enabled or
CCE-1097 disabled as appropriate. enabled/disabled
Auditing of "Logon/Logoff:
Logoff" events on success
should be enabled or
CCE-493 disabled as appropriate. enabled/disabled
Auditing of "Logon/Logoff:
Logoff" events on failure
should be enabled or
CCE-996 disabled as appropriate. enabled/disabled
Auditing of "Logon/Logoff:
Account Lockout" events
on success should be
enabled or disabled as
CCE-1264 appropriate. enabled/disabled
Auditing of "Logon/Logoff:
Account Lockout" events
on failure should be
enabled or disabled as
CCE-1282 appropriate. enabled/disabled
Auditing of "Logon/Logoff:
IPsec Main Mode" events
on success should be
enabled or disabled as
CCE-1207 appropriate. enabled/disabled
Auditing of "Logon/Logoff:
IPsec Main Mode" events
on failure should be
enabled or disabled as
CCE-351 appropriate. enabled/disabled
Auditing of "Logon/Logoff:
IPsec Quick Mode" events
on success should be
enabled or disabled as
CCE-1257 appropriate. enabled/disabled
Auditing of "Logon/Logoff:
IPsec Quick Mode" events
on failure should be
enabled or disabled as
CCE-1274 appropriate. enabled/disabled
Auditing of "Logon/Logoff:
IPsec Extended Mode"
events on success should
be enabled or disabled as
CCE-1028 appropriate. enabled/disabled
Auditing of "Logon/Logoff:
IPsec Extended Mode"
events on failure should
be enabled or disabled as
CCE-362 appropriate. enabled/disabled
Auditing of "Logon/Logoff:
Special Logon" events on
success should be
enabled or disabled as
CCE-371 appropriate. enabled/disabled
Auditing of "Logon/Logoff:
Special Logon" events on
failure should be enabled
or disabled as
CCE-1038 appropriate. enabled/disabled
Auditing of "Logon/Logoff:
Other Logon/Logoff
Events" events on
success should be
enabled or disabled as
CCE-378 appropriate. enabled/disabled
Auditing of "Logon/Logoff:
Other Logon/Logoff
Events" events on failure
should be enabled or
CCE-1208 disabled as appropriate. enabled/disabled
Auditing of "Object
Access: File System"
events on success should
be enabled or disabled as
CCE-1085 appropriate. enabled/disabled
Auditing of "Object
Access: File System"
events on failure should
be enabled or disabled as
CCE-1340 appropriate. enabled/disabled
Auditing of "Object
Access: Registry" events
on success should be
enabled or disabled as
CCE-1138 appropriate. enabled/disabled
Auditing of "Object
Access: Registry" events
on failure should be
enabled or disabled as
CCE-1283 appropriate. enabled/disabled
Auditing of "Object
Access: Kernel Object"
events on success should
be enabled or disabled as
CCE-1288 appropriate. enabled/disabled
Auditing of "Object
Access: Kernel Object"
events on failure should
be enabled or disabled as
CCE-1305 appropriate. enabled/disabled
Auditing of "Object
Access: SAM" events on
success should be
enabled or disabled as
CCE-446 appropriate. enabled/disabled
Auditing of "Object
Access: SAM" events on
failure should be enabled
or disabled as
CCE-451 appropriate. enabled/disabled
Auditing of "Object
Access: Certification
Services" events on
success should be
enabled or disabled as
CCE-1345 appropriate. enabled/disabled
Auditing of "Object
Access: Certification
Services" events on
failure should be enabled
or disabled as
CCE-1261 appropriate. enabled/disabled
Auditing of "Object
Access: Application
Generated" events on
success should be
enabled or disabled as
CCE-1322 appropriate. enabled/disabled
Auditing of "Object
Access: Application
Generated" events on
failure should be enabled
or disabled as
CCE-379 appropriate. enabled/disabled
Auditing of "Object
Access: Handle
Manipulation" events on
success should be
enabled or disabled as
CCE-1363 appropriate. enabled/disabled
Auditing of "Object
Access: Handle
Manipulation" events on
failure should be enabled
or disabled as
CCE-1244 appropriate. enabled/disabled
Auditing of "Object
Access: File Share"
events on success should
be enabled or disabled as
CCE-1372 appropriate. enabled/disabled
Auditing of "Object
Access: File Share"
events on failure should
be enabled or disabled as
CCE-1033 appropriate. enabled/disabled
Auditing of "Object
Access: Filtering Platform
Packet Drop" events on
success should be
enabled or disabled as
CCE-385 appropriate. enabled/disabled
Auditing of "Object
Access: Filtering Platform
Packet Drop" events on
failure should be enabled
or disabled as
CCE-589 appropriate. enabled/disabled
Auditing of "Object
Access: Filtering Platform
Connection" events on
success should be
enabled or disabled as
CCE-717 appropriate. enabled/disabled
Auditing of "Object
Access: Filtering Platform
Connection" events on
failure should be enabled
or disabled as
CCE-744 appropriate. enabled/disabled
Auditing of "Object
Access: Other Object
Access Events" events on
success should be
enabled or disabled as
CCE-642 appropriate. enabled/disabled
Auditing of "Object
Access: Other Object
Access Events" events on
failure should be enabled
or disabled as
CCE-1026 appropriate. enabled/disabled
Auditing of "Privilege Use:
Sensitive Privilege Use"
events on success should
be enabled or disabled as
CCE-488 appropriate. enabled/disabled
Auditing of "Privilege Use:
Sensitive Privilege Use"
events on failure should
be enabled or disabled as
CCE-1258 appropriate. enabled/disabled
Auditing of "Detailed
Tracking: Process
Termination" events on
failure should be enabled
or disabled as
CCE-1250 appropriate. enabled/disabled
Auditing of "Detailed
Tracking: DPAPI Activity"
events on success should
be enabled or disabled as
CCE-1413 appropriate. enabled/disabled
Auditing of "Detailed
Tracking: DPAPI Activity"
events on failure should
be enabled or disabled as
CCE-699 appropriate. enabled/disabled
Auditing of "Detailed
Tracking: RPC Events"
events on success should
be enabled or disabled as
CCE-1219 appropriate. enabled/disabled
Auditing of "Detailed
Tracking: RPC Events"
events on failure should
be enabled or disabled as
CCE-1365 appropriate. enabled/disabled
Auditing of "Detailed
Tracking: Process
Creation" events on
success should be
enabled or disabled as
CCE-913 appropriate. enabled/disabled
Auditing of "Detailed
Tracking: Process
Creation" events on failure
should be enabled or
CCE-1079 disabled as appropriate. enabled/disabled
Auditing of "Policy
Change: Audit Policy
Change" events on
success should be
enabled or disabled as
CCE-1110 appropriate. enabled/disabled
Auditing of "Policy
Change: Audit Policy
Change" events on failure
should be enabled or
CCE-991 disabled as appropriate. enabled/disabled
Auditing of "Policy
Change: Authentication
Policy Change" events on
success should be
enabled or disabled as
CCE-388 appropriate. enabled/disabled
Auditing of "Policy
Change: Authentication
Policy Change" events on
failure should be enabled
or disabled as
CCE-180 appropriate. enabled/disabled
Auditing of "Policy
Change: Authorization
Policy Change" events on
success should be
enabled or disabled as
CCE-187 appropriate. enabled/disabled
Auditing of "Policy
Change: Authorization
Policy Change" events on
failure should be enabled
or disabled as
CCE-448 appropriate. enabled/disabled
Auditing of "Policy
Change: MPSSVC Rule-
Level Policy Change"
events on success should
be enabled or disabled as
CCE-203 appropriate. enabled/disabled
Auditing of "Policy
Change: MPSSVC Rule-
Level Policy Change"
events on failure should
be enabled or disabled as
CCE-879 appropriate. enabled/disabled
Auditing of "Policy
Change: Filtering Platform
Policy Change" events on
success should be
enabled or disabled as
CCE-1042 appropriate. enabled/disabled
Auditing of "Policy
Change: Filtering Platform
Policy Change" events on
failure should be enabled
or disabled as
CCE-1112 appropriate. enabled/disabled
Auditing of "Policy
Change: Other Policy
Change Events" events
on success should be
enabled or disabled as
CCE-205 appropriate. enabled/disabled
Auditing of "Policy
Change: Other Policy
Change Events" events
on failure should be
enabled or disabled as
CCE-787 appropriate. enabled/disabled
Auditing of "Account
Management: User
Account Management"
events on success should
be enabled or disabled as
CCE-1043 appropriate. enabled/disabled
Auditing of "Account
Management: User
Account Management"
events on failure should
be enabled or disabled as
CCE-924 appropriate. enabled/disabled
Auditing of "Account
Management: Computer
Account Management"
events on success should
be enabled or disabled as
CCE-1070 appropriate. enabled/disabled
Auditing of "Account
Management: Computer
Account Management"
events on failure should
be enabled or disabled as
CCE-840 appropriate. enabled/disabled
Auditing of "Account
Management: Security
Group Management"
events on success should
be enabled or disabled as
CCE-1118 appropriate. enabled/disabled
Auditing of "Account
Management: Security
Group Management"
events on failure should
be enabled or disabled as
CCE-369 appropriate. enabled/disabled
Auditing of "Account
Management: Distribution
Group Management"
events on success should
be enabled or disabled as
CCE-515 appropriate. enabled/disabled
Auditing of "Account
Management: Distribution
Group Management"
events on failure should
be enabled or disabled as
CCE-1048 appropriate. enabled/disabled
Auditing of "Account
Management: Application
Group Management"
events on success should
be enabled or disabled as
CCE-801 appropriate. enabled/disabled
Auditing of "Account
Management: Application
Group Management"
events on failure should
be enabled or disabled as
CCE-1016 appropriate. enabled/disabled
Auditing of "Account
Management: Other
Account Management
Events" events on
success should be
enabled or disabled as
CCE-206 appropriate. enabled/disabled
Auditing of "Account
Management: Other
Account Management
Events" events on failure
should be enabled or
CCE-1202 disabled as appropriate. enabled/disabled
Auditing of "DS Access:
Directory Service
Changes" events on
success should be
enabled or disabled as
CCE-317 appropriate. enabled/disabled
Auditing of "Account
Logon: Other Account
Logon Events" events on
success should be
enabled or disabled as
CCE-214 appropriate. enabled/disabled
Auditing of "Account
Logon: Other Account
Logon Events" events on
failure should be enabled
or disabled as
CCE-226 appropriate. enabled/disabled
Auditing of "Account
Logon: Credential
Validation" events on
success should be
enabled or disabled as
CCE-1141 appropriate. enabled/disabled
Auditing of "Account
Logon: Credential
Validation" events on
failure should be enabled
or disabled as
CCE-229 appropriate. enabled/disabled
CCE Technical Mechanisms
CIS W2K Server Level 2 Benchmark v2.2.1
DISA Gold Disk Check Name for W2K (golddisk.win2k.ecve.txt)
(1) defined by the object's SACL
4.4.3.2 HKLM\Software Everyone: Failures (this key, propagate inheritable permission to all subkeys)
Reg Auditing Local Machine
(1) defined by the object's SACL
4.4.3.3 HKLM\System Everyone: Failures (this key, propagate inheritable permission to all subkeys)
Reg Auditing Local Machine
4.4.1.16 %Program
Files%\Resource Kit
Administrators: Full; Resource Kit ACL
(1) defined by the object's DACL System: Full Servers and DCs
4.4.1.17 %Program
Files%\Resource Pro
Kit Administrators: Resource Kit ACL
(1) defined by the object's DACL Full; System: Full Workstation
4.4.1.1 %SystemDrive%\ - SystemDrive ACL
Administrators: Full;
System: Full; Creator
Owner: Full; Users: Read
and Execute, List
(1) defined by the object's DACL
4.4.1.2 %SystemDrive Autoexec.bat ACL
%\autoexec.bat -
Administrator: Full;
System: Full
4.4.1.12 %SystemDrive
%\Documents and
Settings\All Users
Administrators: Full; Documents and
System: Full; Users: Settings\All Users
(1) defined by the object's DACL Read and Execute, List ACL
4.4.1.13 %SystemDrive
%\Documents and
Settings\All
Users\Documents\DrWa
tson Administrators:
Full; System:
Full; Creator Owner:
Full; Users: Traverse
Folder/Execute File, List
Folder/Read Data,
Read Attributes, Read
Extended Attributes,
Read Permissions (This
folder, subfolders, and
files); Users: Traverse
Folder/Execute Files,
Create Files/Write Data,
Create Folder/Append
Data (Subfolders and
(1) defined by the object's DACL files only) DrWatson ACL
?
DrWatson Log
(1) defined by the object's DACL ACL
4.4.1.14 %SystemDrive Default User ACL
%\Documents and
Settings\Default User -
Administrators: Full;
System: Full; Users: Read
and Execute, List
4.4.1.8 %SystemDrive
%\ntdetect.com
Administrators: Full; NTDETECT.COM
(1) defined by the object's DACL System: Full ACL
4.4.1.9 %SystemDrive
%\ntldr - Administrators:
(1) defined by the object's DACL Full; System: Full NTLDR ACL
?
My Download
(1) defined by the object's DACL ACL
4.4.1.47 %SystemDrive
%\System Volume
Information (Do not
allow permissions on
this folder to be
(1) defined by the object's DACL replaced)
4.4.1.18 %SystemRoot
% Administrators:
Full; System: Full;
Creator Owner: Full;
Users: Read and
(1) defined by the object's DACL Execute, List System Root ACL
4.4.1.18 %SystemRoot
% Administrators:
Full; System: Full;
Creator Owner: Full;
Users: Read and
(1) defined by the object's DACL Execute, List System Root ACL
4.4.1.19 %SystemRoot
%\
$NtServicePackUninstal %SystemRoot%\
l$ Administrators: Full; $NtServicePackU
(1) defined by the object's DACL System: Full ninstall$
NT SP Uninstall
(1) defined by the object's DACL ? ACL
4.4.1.20 %SystemRoot
%\CSC
Administrators: Full;
(1) defined by the object's DACL System: Full CSC ACL
4.4.1.21 %SystemRoot
%\Debug -
Administrators: Full;
System: Full; Creator
Owner: Full; Users:
(1) defined by the object's DACL Read and Execute, List Debug ACL
4.4.1.22 %SystemRoot
%\Debug\UserMode -
Administrators: Full;
System: Full; Users:
Traverse
Folder/Execute File,
List folder/Read data,
Create files/Write data
(This folder, only);
Create files/Write data,
Create folders/Append UserMode
(1) defined by the object's DACL data(Files only) Directory ACL
4.4.1.31 %SystemRoot
%\regedit.exe
Administrators: Full;
(1) defined by the object's DACL System: Full regedit.exe ACL
?
4.4.1.23 %SystemRoot
%\Offline Web Pages
Ignore Parent
(1) defined by the object's DACL Permission Changes
4.4.1.24 %SystemRoot
%\Registration -
Administrators: Full;
System: Full; Users:
(1) defined by the object's DACL Read Registration ACL
4.4.1.25 %SystemRoot
%\repair -
Administrators: Full;
(1) defined by the object's DACL System: Full Repair ACL
4.4.1.26 %SystemRoot
%\security -
Administrators: Full;
System: Full; Creator
(1) defined by the object's DACL Owner: Full Security ACL
?
%SystemRoot
%\SYSVOL\doma
(1) defined by the object's DACL in\Policies
?
4.4.1.27 %SystemRoot
%\system32 -
Administrators: Full;
System: Full; Creator
Owner: Full; Users:
(1) defined by the object's DACL Read and Execute, List System32 ACL
4.4.1.36 %SystemRoot
%\system32\appmgmt
Administrators: Full;
System: Full; Users:
(1) defined by the object's DACL Read and Execute, List appmgmt ACL
4.4.1.28 %SystemRoot
%\system32\at.exe
Administrators: Full;
(1) defined by the object's DACL System: Full at.exe ACL
4.4.1.37 %SystemRoot
%\system32\config
Administrators: Full;
(1) defined by the object's DACL System: Full CONFIG ACL
?
%SystemRoot
%\System32\CO
NFIG\AppEvent.e
(1) defined by the object's DACL vt
?
%SystemRoot
%\System32\CO
NFIG\SecEvent.e
(1) defined by the object's DACL vt
4.4.1.38 %SystemRoot
%\system32\dllcache
Administrators: Full;
System: Full; Creator
(1) defined by the object's DACL Owner: Full dllcache ACL
4.4.1.39 %SystemRoot
%\system32\DTCLog -
Administrators: Full;
System: Full; Creator
Owner: Full; Users:
(1) defined by the object's DACL Read and Execute, List
4.4.1.40 %SystemRoot
%\system32\Group
Policy - Administrators:
Full; System: Full;
Authenticated Users:
(1) defined by the object's DACL Read and Execute, List GroupPolicy ACL
4.4.1.41 %SystemRoot
%\system32\ias -
Administrators: Full;
System: Full; Creator
(1) defined by the object's DACL Owner: Full ias ACL
4.4.1.29 %SystemRoot
%\system32\Ntbackup.
exe Administrators: NTbackup.exe
(1) defined by the object's DACL Full; System: Full ACL
4.4.1.42 %SystemRoot
%\system32\NTMSData
Administrators: Full;
(1) defined by the object's DACL System: Full NTMSData ACL
4.4.1.30 %SystemRoot
%\system32\rcp.exe
Administrators: Full;
(1) defined by the object's DACL System: Full Rcp.exe ACL
4.4.1.32 %SystemRoot
%\system32\regedt32.e
xe Administrators: Regedt32.exe
(1) defined by the object's DACL Full; System: Full ACL
4.4.1.43 %SystemRoot
%\system32\reinstallbacku
ps Administrators: Full;
System: Full; Creator
Owner: Full; Power Users:
(1) defined by the object's DACL Read and Execute, List
4.4.1.33 %SystemRoot
%\system32\rexec.exe
Administrators: Full;
(1) defined by the object's DACL System: Full Rexec.exe ACL
(1) defined by the object's DACL
4.4.1.34 %SystemRoot
%\system32\rsh.exe
Administrators: Full;
(1) defined by the object's DACL System: Full Rsh.exe ACL
4.4.1.44 %SystemRoot
%\system32\Setup
Administrators: Full;
System: Full; Users:
(1) defined by the object's DACL Read and Execute, List Setup ACL
?
4.4.1.45 %SystemRoot
%\system32\spool\print
ers Administrators:
Full; System: Full;
Creator Owner: Full;
Users: Traverse Folder,
Execute File, Read,
Read Extended
Attributes, Create Spool\Printers
(1) defined by the object's DACL folders, Append Data ACL
4.4.1.46 %SystemRoot
%\Tasks - (Do not allow
permissions on this folder
(1) defined by the object's DACL to be replaced)
?
MQSeries Queue
(1) defined by the object's DACL ACL
Registry ACL
Check
(1) defined by the object's DACL CLASSES_ROOT
? ?
4.4.2.2 HKLM\Software
Administrators Full;
System: Full; Creator
Owner: Full; Users: Registry ACL
(1) defined by the object's DACL Read Check Software
?
4.4.2.1
HKLM\Software\Classes -
Administrators: Full;
System: Full; Creator
(1) defined by the object's DACL Owner: Full; Users: Read
?
\
SOFTWARE\Clas
ses\Regfile\Shell\
(1) defined by the object's DACL Open\Command
4.4.2.4
HKLM\Software\Micros
oft\OS/2 Subsystem for
NT Administrators:
Full; System: Full; Reg ACL OS2
(1) defined by the object's DACL Creator Owner: Full Check test
4.4.2.5
HKLM\Software\Micros
oft\Windows
NT\CurrentVersion\Asr
Commands
Administrators: Full;
System: Full; Creator
Owner: Full; Users:
Read; Backup
Operators: Query
Value, Set Value,
Create Subkey,
Enumerate Subkeys,
Notify, Delete, Read Reg ACL Check
(1) defined by the object's DACL (this key and subkeys) AsrCommands
4.4.2.6
HKLM\Software\Micros
oft\Windows
NT\CurrentVersion\Perfl
ib Administrators: Full;
System: Full;
Creator Owner: Full;
Interactive: Read (this Registry ACL
(1) defined by the object's DACL key and subkeys) Check Perflib
(1) defined by the object's DACL
4.4.2.7
HKLM\Software\Micros
oft\Windows\CurrentVer
sion\Group Policy -
Administrators: Full;
System:
Full; Authenticated Reg ACL Check
(1) defined by the object's DACL Users: Read Group Policy
4.4.2.8
HKLM\Software\Micros
oft\Windows\CurrentVer
sion\Installer -
Administrators Full;
System: Full; Users: Reg ACL Check
(1) defined by the object's DACL Read Installer
4.4.2.9
HKLM\Software\Micros
oft\Windows\CurrentVer
sion\Policies -
Administrators: Full;
System: Full;
Authenticated Users: Reg ACL Check
(1) defined by the object's DACL Read Policies
4.4.2.11
HKLM\System\Clone
Allow inheritable
permissions to
(1) defined by the object's DACL propagate to this object
4.4.2.12
HKLM\System\ControlS
et001 - Administrators
Full; System: Full; Registry ACL
Creator Owner: Full; Check
(1) defined by the object's DACL Users: Read controlset001
(1) defined by the object's DACL
4.4.2.13 HKLM\System\ControlSet00x - Administrators Full; System: Full; Creator Owner: Full; Users: Read
Registry ACL Check controlset002
(1) defined by the object's DACL
4.4.2.13 HKLM\System\ControlSet00x - Administrators Full; System: Full; Creator Owner: Full; Users: Read
Registry ACL Check controlset003
(1) defined by the object's DACL
4.4.2.13 HKLM\System\ControlSet00x - Administrators Full; System: Full; Creator Owner: Full; Users: Read
Registry ACL Check controlset004
(1) defined by the object's DACL
4.4.2.13 HKLM\System\ControlSet00x - Administrators Full; System: Full; Creator Owner: Full; Users: Read
Registry ACL Check controlset005
(1) defined by the object's DACL
4.4.2.13 HKLM\System\ControlSet00x - Administrators Full; System: Full; Creator Owner: Full; Users: Read
Registry ACL Check controlset006
(1) defined by the object's DACL
4.4.2.13 HKLM\System\ControlSet00x - Administrators Full; System: Full; Creator Owner: Full; Users: Read
Registry ACL Check controlset007
(1) defined by the object's DACL
4.4.2.13 HKLM\System\ControlSet00x - Administrators Full; System: Full; Creator Owner: Full; Users: Read
Registry ACL Check controlset008
(1) defined by the object's DACL
4.4.2.13 HKLM\System\ControlSet00x - Administrators Full; System: Full; Creator Owner: Full; Users: Read
Registry ACL Check controlset009
(1) defined by the object's DACL
4.4.2.13 HKLM\System\ControlSet00x - Administrators Full; System: Full; Creator Owner: Full; Users: Read
Registry ACL Check controlset010
(1) defined by the object's DACL
4.4.2.15 HKLM\System\CurrentControlSet\Control\WMI\Security Administrators: Full; System: Full; Creator Owner: Full (this key and subkeys)
Registry ACL Check Security
(1) defined by the object's DACL
4.4.2.16 HKLM\System\CurrentControlSet\Enum - (Do not allow permissions on this key to be replaced)
(1) defined by the object's DACL
4.4.2.17 HKLM\System\CurrentControlSet\Hardware Profiles Administrators Full; System: Full; Creator Owner: Full; Users: Read
Registry ACL Check Hardware Profiles
(1) defined by the object's DACL
4.4.2.18 HKLM\System\CurrentControlSet\Services\SNMP\Parameters\PermittedManagers - Administrators Full; System: Full; Creator Owner: Full
Registry ACL Check Permitted Managers
(1) defined by the object's DACL
4.4.2.19 HKLM\System\CurrentControlSet\Services\SNMP\Parameters\ValidCommunities - Administrators Full; System: Full; Creator Owner: Full
Registry ACL Check ValidCommunities
(1) defined by the object's DACL
4.4.2.21 HKU\.Default\Software\Microsoft\NetDDE - Administrators Full; System: Full
Registry ACL Check NetDDE
(1) defined by the object's DACL
4.4.2.22 HKU\.Default\Software\Microsoft\Protected Storage System Provider No entries
?
(1) defined by the object's DACL
Registry ACL Check CLASSES_ROOT
(1) defined by the SeTcbPrivilege setting in Local or Group Policy
4.2.2 Act as part of the operating system: None
User Right Check Act as OS
(1) defined by the SeBackupPrivilege setting in Local or Group Policy
4.2.4 Back up files and directories: Administrators
User Right Check Backup
(1) defined by the SeCreatePagefilePrivilege setting in Local or Group Policy
4.2.7 Create a pagefile: Administrators
User Right Check create pagefile
(1) defined by the SeCreateTokenPrivilege setting in Local or Group Policy
4.2.8 Create a token object: None
User Right Check create token object
(1) defined by the SeDebugPrivilege setting in Local or Group Policy
4.2.10 Debug Programs: None
User Right Check debug programs
(1) defined by the SeIncreaseQuotaPrivilege setting in Local or Group Policy
4.2.18 Increase quotas: Administrators
User Right Check increase quotas
(1) defined by the SeIncreaseBasePriorityPrivilege setting in Local or Group Policy
4.2.19 Increase scheduling priority: Administrators
User Right Check increase scheduling priority
(1) defined by the SeSecurityPrivilege setting in Local or Group Policy
4.2.25 Manage auditing and security log: Administrators
Manage Auditing and Security Logs on a Member Server
(1) defined by the SeAssignPrimaryTokenPrivilege setting in Local or Group Policy
4.2.30 Replace a process level token: None
User Right replace process token
(1) defined by the SeRestorePrivilege setting in Local or Group Policy
4.2.31 Restore files and directories: Administrators
User Right restore
(1) defined by Local or Group Policy
Account Lockout Threshold: 3 Bad Login Attempts (maximum)
Lockout Count (3)
? ?
(1) defined by Local or Group Policy
Allow System to be Shut Down Without Having to Log On
?
(1) defined by Local or Group Policy
Decoy Admin, Account Exists
? ?
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\RestrictGuestAccess (2) defined by Group Policy
Application Log: Restrict Guest Access to Logs: Enabled
Anonymous Access to the Application Event Log value
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\Retention (2) defined by Group Policy
Application Log: Log Retention Method: Overwrite Events As Needed
Application Event Log retention key value
Application Event Log retention key value
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security\RestrictGuestAccess (2) defined by Group Policy
Security Log: Restrict Guest Access to Logs: Enabled
Anonymous Access to the Security Event Log value
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\Retention (2) defined by Group Policy
Security Log: Log Retention Method: Overwrite Events As Needed
Security Event Log retention key value
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\RestrictGuestAccess (2) defined by Group Policy
System Log: Restrict Guest Access to Logs: Enabled
Anonymous Access to the System Event Log value
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\Retention (2) defined by Group Policy
System Log: Log Retention Method: Overwrite Events As Needed
System Event Log retention key value
System Event Log retention key value
(1) defined by Local or Group Policy
Password Complexity: Enabled
EnPasFlt Check
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy
?
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ClipSrv\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy
4.1.2 Clipbook Disabled
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy
4.1.3 Computer Browser Disabled
Computer Browser Disabled
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FastUserSwitchingCompatibility\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy
?
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Fax\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy
4.1.4 Fax Services Disabled
?
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSFTPSVC\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy
4.1.5 FTP Publishing Service Disabled
?
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IISADMIN\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy
4.1.6 IIS Admin Service Disabled
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CiSvc\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy
?
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy
4.1.8 Messenger Disabled
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mnmsrvc\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy
4.1.9 NetMeeting Remote Desktop Sharing Disabled
NetMeeting Remote Desktop Sharing Disabled
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RDSessMgr\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy
4.1.7 Internet Connection Sharing Disabled
?
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy
4.1.10 Remote Registry Service Disabled
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy
4.1.11 Routing and Remote Access Disabled
Remote Access Auto Connection Manager Disabled
?
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RshSvc\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy
Remote Shell Service
?
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SIMPTCP\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy
Simple TCP/IP Service
?
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SMTPSVC\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy
4.1.12 Simple Mail Transfer Protocol (SMTP) Disabled
?
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy
4.1.13 Simple Network Management Protocol (SNMP) Service Disabled
?
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMPTRAP\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy
4.1.14 Simple Network Management Protocol (SNMP) Trap Disabled
(1) defined by the Services Administrative Tool (2) defined by Group Policy
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy
4.1.15 Telnet Disabled
Telnet Disabled
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\upnphost\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy
?
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy
4.1.16 World Wide Web Publishing Services Disabled
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate (2) defined by the Services Administrative Tool (3) defined by Group Policy
4.1.17 Automatic Updates Not Defined
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy
4.1.18 Background Intelligent Transfer Service Not Defined
(1) defined by the Services Administrative Tool (2) defined by Group Policy
Print Services for UNIX
? ?
(1) set via Security Templates (2) defined by Group Policy
"Schedule" service is run as the system account.
? ?
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymous (2) defined by Local or Group Policy
Restrict Anonymous value
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM (2) defined by Local or Group Policy
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AnonymousNameLookup (2) defined by Local or Group
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System
?
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security
Anonymous access to the event logs is not restricted.
(1) Local Users and Groups MMC
Guest Account Disabled
(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText (2) defined by Local or Group Policy
Message Text for Users Attempting to Log On: Custom Message or This
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\AutoShareWks
Remove administrative shares on workstation (Professional): HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters\AutoShareWks (REG_DWORD) 0
?
(1) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AEDebug\Auto
Disable Automatic Execution of the System Debugger: HKLM\Software\Microsoft\Windows NT\CurrentVersion\AEDebug\Auto (REG_DWORD) 0
CIS: Automatic Execution of the System Debugger value
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog\Security\WarningLevel
Audit Log Warning Level
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SealSecureChannel (2) defined by Local or Group Policy
Encrypt Secure Channel Traffic Value
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SignSecureChannel (2) defined by Local or Group Policy
Sign Secure Channel Traffic Value
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Session Manager\SafeDllSearchMode
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon\SyncForegroundPolicy
(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\DeleteRoamingCache
(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\system\LogonType
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Policies\system\DisableBkGndGroupPolicy
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Network Connections\NC_ShowSharedAccessUI
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Network Connections\NC_AllowNetBridge_NLA
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\KMPrintersAreBlocked
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\AuditBaseObjects (2) defined by Local or Group Policy
Audit the access of global system objects: Not Defined
?
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\FullPrivilegeAuditing (2) defined by Local or Group Policy
Audit the use of backup and restore privilege: Not Defined
(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD (2) defined by Local or Group Policy
CTRL+ALT+Delete Requirement for Logon: Disabled
Disable Ctrl+Alt+Del security attention sequence is Disabled.
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\LMCompatibilityLevel (2) defined by Local or Group Policy
LAN Manager Authentication Level: Send NTLMv2 response only (minimum)
LMCompatibility Value
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers\AddPrinterDrivers (2) defined by Local or Group Policy
Prevent Users from Installing Printer Drivers: Enabled
Print Driver Installation value
(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SecurityLevel (2) defined by Local or Group Policy
Recovery Console: Allow Automatic Administrative Logon: Disabled
Recovery Console Autologon value
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\ProtectionMode (2) defined by Local or Group Policy
Strengthen Default Permissions of Global System Objects (e.g. Symbolic Links): Enabled
Strength permissions on GSO value
?
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireStrongKey (2) defined by Local or Group Policy
Secure Channel: Require Strong (Windows 2000 or later) Session Key: Not Defined
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnablePlainTextPassword (2) defined by Local or Group Policy
Send Unencrypted Password to Connect to Third-Party SMB Servers: Disabled
Send unencrypted password to 3rd party SMB value
(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Driver Signing\Policy (2) defined by Local or Group Policy
Unsigned Driver Installation Behavior: Warn, but allow installation (minimum) or Do Not Allow Installation.
Unsigned Driver Behavior Value
(1) defined by Local or Group Policy
Unsigned Non-Driver Installation Behavior: Warn, but allow installation (minimum) or Do Not Allow Installation
Unsigned Non-Driver Behavior Value
(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ShutdownWithoutLogon (2) defined by Local or Group Policy
Allow System to be Shut Down Without Having to Log On: Disabled
The system allows shutdown from the logon dialog box
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown (2) defined by Local or Group Policy
Clear Virtual Memory Pagefile When System Shuts Down: Enabled
Clear Pagefile value
?
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\RequireSecuritySignature (2) defined by Local or Group Policy
Digitally Sign Client Communication (Always): Not Defined
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnableSecuritySignature (2) defined by Local or Group Policy
Digitally Sign Client Communication (When Possible): Enabled
Enable Security Signature Value
?
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature (2) defined by Local or Group Policy
Digitally Sign Server Communication (Always): Not Defined
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature (2) defined by Local or Group Policy
Digitally Sign Server Communication (When Possible): Enabled
SMB Server Packet Signing Value
(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount (2) defined by Local or Group Policy
Number of Previous Logons to Cache: 1 (maximum)
Logon Caching value (<= 2)
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal (2) defined by Local or Group Policy
Secure Channel: Digitally Encrypt or Sign Secure Channel Data (Always): Not Defined
?
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SealSecureChannel (2) defined by Local or Group Policy
Secure Channel: Digitally Encrypt Secure Channel Data (When Possible): Enabled
?
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SignSecureChannel (2) defined by Local or Group Policy
Secure Channel: Digitally Sign Secure Channel Data (When Possible): Enabled
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange (2) defined by Local or Group Policy
Prevent System Maintenance of Computer Account Password: Disabled
Disable password change Value
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\NoDefaultAdminOwner (2) defined by Local or Group Policy
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel\ObCaseInsensitive (2) defined by Local or Group Policy
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse (2) defined by Local or Group Policy
(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\UndockWithoutLogon (2) defined by Local or Group Policy
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\MaximumPasswordAge (2) defined by Local or Group Policy
(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ForceUnlockLogon (2) defined by Local or Group Policy
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableForcedLogoff (2) defined by Local or Group Policy
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\DisableDomainCreds (2) defined by Local or Group Policy
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous (2) defined by Local or Group Policy
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionPipes (2) defined by Local or Group Policy
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPathsHKLM (2) defined by Local or Group Policy
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionShares (2) defined by Local or Group Policy
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\ForceGuest (2) defined by Local or Group Policy
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash (2) defined by Local or Group Policy
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinClientSec (2) defined by Local or Group Policy
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinServerSec (2) defined by Local or Group Policy
(1) HKEY_CURRENT_USER\Control Panel\Desktop\ScreenSaveTimeOut
Current user screensaver timeout
?
(1) HKEY_USER\.DEFAULT\Control Panel\Desktop\SCRNSAVE.EXE
(1) HKEY_USER\.DEFAULT\Control Panel\Desktop\ScreenSaveTimeOut
(1) HKEY_USER\.DEFAULT\Control Panel\Desktop\ScreenSaverIsSecure
(1) HKEY_USER\.DEFAULT\Control Panel\Desktop\ScreenSaveActive
(1) HKEY_CURRENT_USER\Control Panel\Desktop\SCRNSAVE.EXE
(1) HKEY_CURRENT_USER\Control Panel\Desktop\ScreenSaveTimeOut
(1) HKEY_CURRENT_USER\Control Panel\Desktop\ScreenSaverIsSecure
(1) HKEY_CURRENT_USER\Control Panel\Desktop\ScreenSaveActive
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer\AllowLockDownBrowse
Enable User to Browse for Source While Elevated
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer\AllowLockDownMedia
Enable User to Use Media Source While Elevated
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer\EnableAdminTSRemote
Allow Admin to Install from Terminal Services Session
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer\AllowLockDownPatch
Enable User to Patch Elevated Products
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer\TransformSecure
Cache Transforms in Secure Location on Workstation
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsMediaPlayer\DisableAutoupdate
(1) HKEY_CURRENT_USER\Software\Policies\Microsoft\WindowsMediaPlayer\PreventCodecDownload
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Messenger\Client\{9b017612-c9f1-11d2-8d9f-0000f875c541}\Disabled (2) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\MessengerService
?
Windows Messenger Internet Access
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Messenger\Client\PreventRun
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Messenger\Client\PreventAutoRun
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Task Scheduler5.0\Property Pages
Hide Property Pages
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Task Scheduler5.0\Task Creation
Prohibit New Task Creation
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\fSingleSessionPerUser
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\MaxInstanceCount
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\fDenyTSConnections
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\fWritableTSCCPermTab
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\Shadow
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\fPromptForPassword
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\MinEncryptionLevel
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\PerSessionTempDir
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\DeleteTempDirsOnExit
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\MaxDisconnectionTime
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\MaxIdleTime
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\fReconnectSame
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\fResetBroken
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\KeepAliveEnable
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\fAllowToGetHelp
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\fAllowUnsolicited
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\PCHealth\ErrorReporting\DoReport
-1
-1
-1
-1
-1
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxConnectResponseRetransmissions
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxDataRetransmissions
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\FileSystem\NtfsDisable8dot3NameCreation
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\RPC\EnableAuthEpResolution
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\RPC\RestrictRemoteClients
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DoNotAllowExceptions
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\AllowUserPrefMerge
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Enabled
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Services\FileAndPrint\Enabled
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Services\RemoteDesktop\Enabled
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Services\UPnPFramework\Enabled
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DisableNotifications
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging\LogDroppedPackets (2) Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile\Windows Firewall: Allow Logging - Log Dropped Packets
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging\LogFilePath (2) Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile\Windows Firewall: Allow Logging - Log file path and name (3) Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Domain Profile Tab\Logging\Name
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging\LogFileSize (2) Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile\Windows Firewall: Allow Logging - Size limit (KB)
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging\LogSuccessfulConnections (2) Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile\Windows Firewall: Allow Logging - Log successful connections
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DisableUnicastResponsesToMulticastBroadcast
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\AllowUserPrefMerge
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\AllowUserPrefMerge
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Services\RemoteDesktop
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Services\RemoteDesktop\Enabled
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\ICMPSettings\*
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Services\RemoteDesktop\Enabled
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Services\UPnPFramework\Enabled
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging\LogDroppedPackets (2) Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile\Windows Firewall: Allow Logging - Log Dropped Packets
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging\LogFilePath
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging\LogFileSize
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging\LogSuccessfulConnections
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableUnicastResponsesToMulticastBroadcast
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\AllowUserPrefMerge
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\TCPMaxPortsExhausted
"POSIX.EXE", "PSXSS.EXE" or "PSXDLL.DLL" exist
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Subsystems\Optional,
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Subsystems\Os2,
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment\Os2LibPath
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Subsystems\posix
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\NukeOnDelete
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\SCForceOption
(2) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Setup\ChannelAccess
(2) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\Windows Search Service\Start
(2) HKEY_LOCAL_MACHINE\Software\policies\Microsoft\Peernet\Disabled
(2) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WCN\UI\DisableWcnUi
(2) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceInstall\Settings\AllowRemoteRPC
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceInstall\Settings\DisableSystemRestore
(2) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceInstall\Settings\DisableSendGenericDriverNotFoundToWER
(2) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\DisableWindowsUpdateAccess
(2) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\AuthRoot\DisableRootAutoUpdate
(2) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\EventViewer\MicrosoftEventVwrDisableLinks
(2) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\HandwritingErrorReports\PreventHandwritingErrorReports
(2) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\PCHealth\HelpSvc\Headlines
(2) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\PCHealth\HelpSvc\MicrosoftKBSearchs
(2) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Internet Connection Wizard\ExitOnMSICW
(2) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoInternetOpenWith
(2) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Registration Wizard Control\NoRegistration
(2) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoOnlinePrintsWizard
(2) [HKEY_LOCAL_MACHINE | HKEY_CURRENT_USER]\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPublishingWizard
(2) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsMovieMaker\CodecDownload
(2) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsMovieMaker\WebHelp
(2) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsMovieMaker\WebPublish
(2) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoWelcomeScreen
(2) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableStartupSound
(2) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51\DCSettingIndex
(2) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51\ACSettingIndex
(2) HKEY_LOCAL_MACHINE\Software\policies\Microsoft\Windows NT\Terminal Services\CreateEncryptedOnlyTickets
(2) HKEY_LOCAL_MACHINE\Software\policies\Microsoft\Windows NT\Terminal Services\UseCustomMessages
(2) HKEY_LOCAL_MACHINE\Software\policies\Microsoft\Windows NT\Terminal Services\UseBandwidthOptimization
(2) HKEY_LOCAL_MACHINE\Software\policies\Microsoft\Windows NT\Terminal Services\LoggingEnabled
(2) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\IIS\PreventIISInstall
(2) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Assistance\Client\1.0\NoActiveHelp
(2) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Assistance\Client\1.0\NoUntrustedContent
(2) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Feeds\DisableEnclosureDownload
(2) HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search\AllowIndexingEncryptedStoresOrItems
(2) HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search\PreventIndexingUncachedExchangeFolders
(2) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Windows\TurnOffWinCal
(2) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SQMClient\CorporateSQMURL
(2) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\DisableAntiSpyware
(2) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Explorer\NoHeapTerminationOnCorruption
(2) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\PreXPSP2ShellProtocolBehavior
(2) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer\DisableLUAPatching
(2) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ReportControllerMissing
(2) HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Mail\DisableCommunities
(2) HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Mail\ManualLaunchAllowed
(2)HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WMD
RM\DisableOnline
(2)HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Wind
ows\Windows Collaboration\TurnOffWindowsCollaboration
(2)HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Wind
ows\Windows
Collaboration\TurnOnWindowsCollaborationAuditing
(2)HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Cur
rentVersion\Policies\Windows\Sidebar\TurnOffUnsignedGadget
s
(2)HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Cur
rentVersion\Policies\Windows\Sidebar\OverrideMoreGadgetsLi
nk
(2)HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Cur
rentVersion\Policies\Windows\Sidebar\TurnOffUserInstalledGa
dgets
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Use_HKLM_only Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Security_HKLM_only
Security Zones: Use Only Machine Settings
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL!(Reserved), HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL!explorer.exe, HKLM\Software\Policies\Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Features/Restrict ActiveX Install, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL\(Reserved), [HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL\explorer.exe, [HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL\iexplore.exe
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Security_Zones_Map_Edit Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Security_zones_map_edit
Security Zones: Do Not Allow Users to Add/Delete Sites
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\InfoDelivery\Restrictions\NoUpdateCheck Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\NoUpdateCheck
Disable Periodic Check for Internet Explorer Software Updates
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION!(Reserved), HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION!explorer.exe, HKLM\Software\Policies\Microsoft\Internet,Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Features/Protection From Zone Elevation, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION\(Reserved), [HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION\explorer.exe, [HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION\iexplore.exe
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING!(Reserved), HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING!explorer.exe, HKLM\Software\Policies\Microsoft\Internet E,Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Features/Binary Behavior Security Restriction, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING\(Reserved), [HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING\explorer.exe, [HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING\iexplore.exe
HKLM\Software\Policies\Microsoft\Internet Explorer\Download!RunInvalidSignatures,Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Advanced Page, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Download\RunInvalidSignatures
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL!(Reserved), HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL!explorer.exe, HKLM\Software\Policies\Microsoft,Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Features/MK Protocol Security Restriction, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL\(Reserved), [HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL\explorer.exe, [HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL\iexplore.exe
(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoMSAppLogo5ChannelNotify,Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Features/Restrict File Download, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD\(Reserved), [HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD\explorer.exe, [HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD\iexplore.exe
Disable Software Update Shell Notifications on Program Launch
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD!(Reserved), HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD!explorer.exe, Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Features/Restrict File Download, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD\(Reserved), [HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD\explorer.exe, [HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD\iexplore.exe
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\InfoDelivery\Restrictions\NoJITSetup,Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\NoJITSetup
Disable Automatic Install of Internet Explorer Components
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ProxySettingsPerUser,Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ProxySettingsPerUser
Make Proxy Settings Per Machine
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Restrictions\NoExtensionManagement
HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions!NoCrashDetection,Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Restrictions\NoCrashDetection
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS!(Reserved), HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS!explorer.exe, Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Features/Scripted Window Security Restrictions, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS\(Reserved), [HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS\explorer.exe, [HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS\iexplore.exe
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Security_options_edit,Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Security_options_edit
Security Zones: Do Not Allow Users to Change Policies
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING!(Reserved), HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING!explorer.exe, Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Features/Mime Sniffing Safety Feature, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING\(Reserved), [HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING\explorer.exe, [HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING\iexplore.exe
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Advanced Page, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Download\CheckExeSignatures
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Advanced Page, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Control Panel\DisableRIED
HKCU\Software\Policies\Microsoft\Internet Explorer\Main!FormSuggest Passwords, HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\FormSuggest Passwords
HKCU\Software\Policies\Microsoft\Internet Explorer\Main!NoJITSetup
HKCU\Software\Policies\Microsoft\Internet Explorer\Main!Page_Transitions
HKCU\Software\Policies\Microsoft\Internet Explorer\Main!Use FormSuggest, HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel!FormSuggest
HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions!NoSelectDownloadDir
HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel!Certificates
HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions!NoExternalBranding
HKCU\Software\Microsoft\Outlook Express!BlockExeAttachments
HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel!Connwiz Admin Lock
HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel!ResetWebSettings
HKCU\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\NoSubscriptionContent
HKCU\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\NoAddingSubscriptions
HKCU\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\NoAddingChannels
HKCU\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\NoEditingScheduleGroups
HKCU\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\NoScheduledUpdates
HKCU\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\NoEditingSubscriptions
HKCU\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\NoChannelUI
HKCU\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\NoRemovingChannels
HKCU\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\NoRemovingSubscriptions
HKCU\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\NoChannelLogging
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PrivateProfile\Logging\LogSuccessfulConnections
(2) Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Private Profile\Windows Firewall: Allow Logging - Log successful connections
(3) Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Private Profile Tab\Logging\Logged successful connections
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PrivateProfile\Logging\LogFilePath
(2) Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Private Profile\Windows Firewall: Allow Logging - Log file path and name
(3) Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Private Profile Tab\Logging\Name
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PrivateProfile\Logging\LogFileSize
(2) Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Private Profile Tab\Logging\Size limit (KB)
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging\LogDroppedPackets
(2) Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Public Profile\Windows Firewall: Allow Logging - Log Dropped Packets
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging\LogSuccessfulConnections
(2) Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Public Profile\Windows Firewall: Allow Logging - Log successful connections
(3) Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Public Profile Tab\Logging\Logged successful connections
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging\LogFilePath
(2) Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Public Profile\Windows Firewall: Allow Logging - Log file path and name
(3) Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Public Profile Tab\Logging\Name
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging\LogFileSize
(2) Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Public Profile Tab\Logging\Size limit (KB)
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tcpip6\Parameters\DisableComponents
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tcpip6\Parameters\DisableComponents
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tcpip6\Parameters\DisableComponents
? ?
4.4.3.1 %SystemDrive%
? ?
4.4.3.2 HKEY_LOCAL_MACHINE\Software
? ?
4.4.3.3 HKEY_LOCAL_MACHINE\System
%AllUsersProfile%
?
%AllUsersProfile%\Application Data
?
%AllUsersProfile%\Application Data\Microsoft
?
%AllUsersProfile%\Application Data\Microsoft\Crypto\DSSHKLMKeys
?
%AllUsersProfile%\Application Data\Microsoft\Crypto\RSAHKLMKeys
?
%AllUsersProfile%\Application Data\Microsoft\Dr Watson
?
%AllUsersProfile%\Application Data\Microsoft\Dr Watson\drwtsn32.log
?
%AllUsersProfile%\Application Data\Microsoft\HTML Help
?
%AllUsersProfile%\Application Data\Microsoft\Media Index
?
%AllUsersProfile%\Documents\desktop.ini
?
%AllUsersProfile%\DRM
?
%ProgramFiles%
%SystemDrive%\autoexec.bat
%SystemDrive%\config.sys
?
%SystemDrive%\Documents and Settings
?
%SystemDrive%\Documents and Settings\Administrator
?
%SystemDrive%\Documents and Settings\Default User
?
%SystemDrive%\io.sys
?
%SystemDrive%\msdos.sys
?
%SystemDrive%\ntbootdd.sys
?
%SystemDrive%\ntdetect.com
?
%SystemDrive%\ntldr
%SystemDrive%\System Volume Information
?
%SystemRoot%
?
%SystemRoot%\$NtServicePackUninstall$
%SystemRoot%\CSC
?
%SystemRoot%\Debug
?
%SystemRoot%\Debug\UserMode
? ?
%SystemRoot%\Debug\UserMode\userenv.log
?
%SystemRoot%\Installer
?
%SystemRoot%\Offline Web Pages
?
%SystemRoot%\Prefetch
%SystemRoot%\Registration
?
%SystemRoot%\Registration\CRMLog
?
%SystemRoot%\repair
?
%SystemRoot%\security
%SystemRoot%\Temp
?
%SystemRoot%\system32
arp.exe ACL (CID:2002)
%SystemRoot%\system32\arp.exe
at.exe ACL (CID:2003)
%SystemRoot%\system32\at.exe
4.4.1.2 %SystemRoot%\system32\at.exe
?
attrib.exe ACL (CID:2004)
4.4.1.3 %SystemRoot%\system32\attrib.exe
?
cacls.exe ACL (CID:2005)
4.4.1.4 %SystemRoot%\system32\cacls.exe
?
%SystemRoot%\system32\ciadv.msc
?
%SystemRoot%\system32\Com\comexp.msc
?
%SystemRoot%\system32\compmgmt.msc
?
%SystemRoot%\system32\config
?
debug.exe ACL (CID:2006)
4.4.1.5 %SystemRoot%\system32\debug.exe
?
%SystemRoot%\system32\devmgmt.msc
?
%SystemRoot%\system32\dfrg.msc
?
%SystemRoot%\system32\diskmgmt.msc
?
%SystemRoot%\system32\dllcache
? ?
4.4.1.6 %SystemRoot%\system32\drwatson.exe
? ?
4.4.1.7 %SystemRoot%\system32\drwtsn32.exe
?
edlin.exe ACL (CID:2007)
4.4.1.8 %SystemRoot%\system32\edlin.exe
?
%SystemRoot%\system32\eventvwr.msc
?
%SystemRoot%\system32\fsmgmt.msc
?
ftp.exe ACL (CID:2010)
4.4.1.11 %SystemRoot%\system32\ftp.exe
?
%SystemRoot%\system32\gpedit.msc
?
%SystemRoot%\system32\GroupPolicy
%SystemRoot%\system32\ias
?
%SystemRoot%\system32\lusrmgr.msg
?
%SystemRoot%\system32\MSDTC
?
%SystemRoot%\system32\nbstat.exe
?
net.exe ACL (CID:2012)
4.4.1.12 %SystemRoot%\system32\net.exe
?
net1.exe ACL (CID:2013)
4.4.1.13 %SystemRoot%\system32\net1.exe
netsh.exe ACL (CID:2014)
%SystemRoot%\system32\netsh.exe
4.4.1.14 %SystemRoot%\system32\netsh.exe
netstat.exe ACL (CID:2015)
%SystemRoot%\system32\netstat.exe
nslookup.exe ACL (CID:2016)
%SystemRoot%\system32\nslookup.exe
ntbackup.exe ACL (CID:2017)
%SystemRoot%\system32\Ntbackup.exe
?
%SystemRoot%\system32\NTMSData
?
%SystemRoot%\system32\ntmsoprq.msc
?
%SystemRoot%\system32\ntmsmgr.msc
?
%SystemRoot%\system32\perfmon.msc
regedt32.exe ACL (CID:2020)
%SystemRoot%\system32\regedt32.exe
4.4.1.18 %SystemRoot%\system32\regedt32.exe
regini.exe ACL (CID:2021)
%SystemRoot%\system32\regini.exe
?
rexec.exe ACL (CID:2023)
%SystemRoot%\system32\rexec.exe
4.4.1.20 %SystemRoot%\system32\rexec.exe
route.exe ACL (CID:2024)
%SystemRoot%\system32\route.exe
%SystemRoot%\system32\RSoP.msc
? ?
4.4.1.22 %SystemRoot%\system32\runas.exe
?
sc.exe ACL (CID:2026)
4.4.1.23 %SystemRoot%\system32\sc.exe
secedit.exe ACL (CID:2027)
%SystemRoot%\system32\secedit.exe
?
%SystemRoot%\system32\secpol.msc
?
%SystemRoot%\system32\services.msc
?
%SystemRoot%\system32\Setup
?
%SystemRoot%\system32\spool\Printers
?
subst.exe ACL (CID:2028)
4.4.1.24 %SystemRoot%\system32\subst.exe
systeminfo.exe ACL (CID:2029)
%SystemRoot%\system32\systeminfo.exe
?
telnet.exe ACL (CID:2030)
4.4.1.25 %SystemRoot%\system32\telnet.exe
tlntsvr.exe ACL (CID:2032)
4.4.1.27 %SystemRoot%\system32\tlntsvr.exe
?
%SystemRoot%\system32\wmimgmt.msc
?
%SystemRoot%\Tasks
? ?
?
HKEY_LOCAL_MACHINE\SOFTWARE
4.4.2.1 HKLM\Software
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais
?
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSDTC
4.4.2.9 HKLM\Software\Microsoft\MSDTC
?
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSDTC\Security\XAKey
?
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetDDE
?
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\UPnP Device Host
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Asr\Commands
?
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib
?
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SeCEdit
4.4.2.11 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SeCEdit
?
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy
?
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer
4.4.2.2 HKLM\Software\Microsoft\Windows\CurrentVersion\Installer
?
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies
4.4.2.3 HKLM\Software\Microsoft\Windows\CurrentVersion\Policies
?
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ratings
4.4.2.8 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ratings
?
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Telephony
?
HKEY_LOCAL_MACHINE\SYSTEM
4.4.2.4 HKLM\System
?
HKEY_LOCAL_MACHINE\SYSTEM\clone
?
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class
?
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network
Winreg ACL (CID:237)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg
? ?
?
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Wmi\Security
?
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum
4.4.2.5 HKLM\System\CurrentControlSet\Enum
?
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles
?
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AppMgmt\Security
?
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ClipSrv\Security
?
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CryptSvc\Security
?
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNSCache
?
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Ersvc\Security
?
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security
?
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IRENUM\Security
?
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netbt
?
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netdde\Security
?
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netddedsdm\Security
?
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess
?
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Rpcss\Security
?
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Samss\Security
?
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Scarddrv\Security
?
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Scardsvr\Security
SNMP - Permitted Managers (CID:1033)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\PermittedManagers
4.4.2.6 HKLM\System\CurrentControlSet\Services\CurrentControlSet\Services\SNMP\Parameters\PermittedManagers
SNMP Communities (CID:4046)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\ValidCommunities
4.4.2.7 HKLM\System\CurrentControlSet\Services\CurrentControlSet\Services\SNMP\Parameters\ValidCommunities
?
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Stisvc\Security
?
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SysmonLog\Log Queries
?
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tapisrv\Security
?
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip
?
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32time\Security
?
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Wmi\Security
?
HKEY_USER\.DEFAULT
?
HKEY_USER\.DEFAULT\Software\Microsoft\NetDDE
?
?
? ?
?
HKEY_USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\ProtectedRoots
4.4.2.10 HKEY_USER\.Default\Software\Microsoft\SystemCertificates\Root\ProtectedRoots
User Right Check Logon on network (CID:152)
Access this computer from a network: Administrators, Users
4.2.1 Access this computer from the network
User Right Check act as OS (CID:153)
Act as part of the operating system
4.2.2 Act as part of the operating system
User Right Check remote shutdown (CID:165)
Force shutdown from a remote system: Administrators
4.2.19 Force shutdown from a remote system
User Right Check generate security audits (CID:173)
Generate security audits: LOCAL SERVICE, NETWORK SERVICE
4.2.20 Generate security audits
User Right Check increase quotas (CID:166)
Adjust memory quotas for a process: Administrators, NETWORK SERVICE, LOCAL SERVICE
4.2.4 Adjust memory quotas for a process
User Right Check increase scheduling priority (CID:167)
Increase scheduling priority: Administrators
4.2.21 Increase scheduling priority
User Right Check log on locally (CID:172)
Log on locally: Administrators, Users
4.2.26 Log on locally
?
Manage auditing and security log: Administrators
4.2.27 Manage auditing and security log
User Right Check modify firmware (CID:174)
Modify firmware environment variables: Administrators
4.2.28 Modify firmware environment values
User Right Check Profile single process (CID:175)
Profile single process: Administrators
4.2.30 Profile single process
User Right Check undock (CID:177)
Remove computer from docking station: Administrators, Users
4.2.32 Remove computer from docking station
User Right replace process token (CID:178)
Replace a process level token: LOCAL SERVICE, NETWORK SERVICE
4.2.33 Replace a process level token
User Right take ownership (CID:182)
Take ownership of files or other objects: Administrators
4.2.37 Take ownership of file or other objects
User Right synch directory (CID:181)
Synchronize directory service data: No One
4.2.36 Synchronize directory service data
User Right Check allow trust for delegation (CID:164)
Enable computer and user accounts to be trusted for delegation: No One
4.2.18 Enable computer and user accounts to be trusted for delegation
Deny logon as a service: No One
4.2.15 Deny logon as a service
User Right deny logon terminal service (CID:738)
Deny logon through Terminal Services: Everyone
4.2.17 Deny logon through Terminal Service
User Right perform volume maintenance (CID:739)
Perform volume maintenance tasks: Administrators
4.2.29 Perform volume maintenance tasks
Lockout Reset (CID:45)
Reset account lockout counter after (15 min.)
2.2.3.3 Reset Account Lockout After
Lockout Duration (CID:44)
Account lockout duration (15 minutes)
2.2.3.1 Account Lockout Duration
Lockout Count (CID:43)
Account lockout threshold (3 invalid attempts)
2.2.3.2 Account Lockout Threshold
Account management auditing (CID:51)
Audit account management (Success, Failure)
2.2.1.2 Audit Account Management
Account management auditing (CID:51)
Audit account management (Success, Failure)
2.2.1.2 Audit Account Management
Audit directory service access (No auditing)
2.2.1.3 Audit Directory Service Access
?
Audit directory service access (No auditing)
2.2.1.3 Audit Directory Service Access
Audit process tracking (No Auditing)
2.2.1.8 Audit Process Tracking
?
Audit process tracking (No Auditing)
2.2.1.8 Audit Process Tracking
system event auditing (CID:59)
Audit system events (Success, Failure)
2.2.1.9 Audit System Events
Passwords must meet complexity requirements (Enabled)
2.2.2.4 Password Complexity
Password History (CID:42)
Enforce password history (24 passwords)
2.2.2.5 Password History
Reversible Pwd Encryption (CID:232)
Store password using reversible encryption for all users in the domain (Disabled)
2.2.2.6 Store Passwords using Reversible Encryption
? ?
4.1.1 Alerter
? ?
4.1.4 Clipbook
Computer Browser Disabled (CID:22)
4.1.5 Computer Browser
?
? ?
Internet Information System Installed - IIS Admin (CIS:4066)
4.1.8 IIS Admin Service
? ?
Windows Messenger Internet Access (CIS:4036)
4.1.10 Messenger
?
NetMeeting Romote Desktop Sharing Disabled (CIS:730)
4.1.12 NetMeeting Remote Desktop Sharing
?
23 - Telnet Disabled (CIS:23)
4.1.20 Telnet
?
? ?
4.1 Available Services (Permissions on services listed here: Administrators: Full Control; System: Read, Start, Stop, and Pause)
? ? 4.1 Available Services (Permissions on services listed here: Administrators: Full Control; System: Read, Start, Stop, and Pause)
? ? 4.1 Available Services (Permissions on services listed here: Administrators: Full Control; System: Read, Start, Stop, and Pause)
? ? 4.1 Available Services (Permissions on services listed here: Administrators: Full Control; System: Read, Start, Stop, and Pause)
? ? 4.1 Available Services (Permissions on services listed here: Administrators: Full Control; System: Read, Start, Stop, and Pause)
? ? 4.1 Available Services (Permissions on services listed here: Administrators: Full Control; System: Read, Start, Stop, and Pause)
? ? 4.1 Available Services (Permissions on services listed here: Administrators: Full Control; System: Read, Start, Stop, and Pause)
? ? 4.1 Available Services (Permissions on services listed here: Administrators: Full Control; System: Read, Start, Stop, and Pause)
? ? 4.1 Available Services (Permissions on services listed here: Administrators: Full Control; System: Read, Start, Stop, and Pause)
? ? 4.1 Available Services (Permissions on services listed here: Administrators: Full Control; System: Read, Start, Stop, and Pause)
? ? 4.1 Available Services (Permissions on services listed here: Administrators: Full Control; System: Read, Start, Stop, and Pause)
Network access: Do
not allow
anonymous
enumeration of SAM 3.1.3 Network Access: Do not
Restrict Anonymous value accounts and allow Anonymous Enumeration
(CIS:97) shares: Enabled of SAM Accounts and Shares
?
Network access: Do
not allow
anonymous 3.1.2 Network Access: Do not
enumeration of SAM allow Anonymous Enumeration
accounts: Enabled of SAM Accounts
?
Network access:
Allow anonymous 3.1.1 Network Access: Allow
SID/Name Anonymous SID/Name
translation: Disabled Translation
Accounts: Guest
Guest Account Disabled account status: 3.2.1.2 Accounts: Guest Account
(CIS:29) Disabled Status
? Accounts:
Administrator
account status: 3.2.1.1 Accounts: Administrator
Enabled Account Status
?
Interactive logon:
Message title for 3.2.1.27 Interactive Logon:
users attempting to Message Title for Users
log on Attempting to Log On
?
Interactive logon:
Message text for
users attempting to 3.2.1.26 Interactive Logon:
log on: <Configure Message Text for Users
Locally> Attempting to Log On
? ?
? ?
Interactive logon:
Do not display last
user name - 3.2.1.24 Interactive Logon: Do
Enabled Not Display Last User Name
CIS: Hide computer Name from other domain controllers value (CID:761)
?
3.2.2.22 Hide workstation from Network Browser listing: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Lanmanserver\Parameters\Hidden
? ?
3.2.2.12 Protect the Default Gateway network setting: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\EnableDeadGWDetect
? ?
Internet Connection
Sharing (CID:942)
?
Disallow Installation of
Printers Using Kernel-
mode Drivers (CID:948)
Domain controller:
Allow server
operators to 3.2.1.15 Domain Controller:
schedule tasks: Not Allow Server Operators to
Defined Schedule Tasks
Accounts: Rename
administrator
Administrator Account account: 3.2.1.4 Accounts: Rename
Renamed (CID:30) Administrator Administrator Account
Accounts: Rename
Guest Account Renamed guest account: 3.2.1.5 Accounts: Rename
(CID:31) <Configure locally> Guest Account
Microsoft network
server: Amount of 3.2.1.35 Microsoft Network
Amount of idle time before idle time required Server: Amount of Idle Time
disconnecting value before suspending Required Before Disconnecting
(CID:213) session Session
?
Interactive logon:
Do not require
CTRL+ALT+DEL: 3.2.1.25 Interactive Logon: Do
Disabled not require CTRL+ALT+DEL
Network security:
LAN Manager
authentication level:
Send LM & NTLM -
use NTLMv2
LMCompatibility Value session security if 3.2.1.47 Network Security: LAN
(CID:123) negotiated Manager Authentication Level
Devices: Prevent
users from installing
Print Driver Installation printer drivers: 3.2.1.11 Devices: Prevent users
value (CID:99) Enabled from installing printer drivers
Recovery console:
Allow automatic 3.2.1.51 Recovery Console:
Recovery Console administrative Allow Automatic Administrative
Autologon value (CID:117) logon: Disabled Logon
Recovery console:
Allow floppy copy
and access to all 3.2.1.52 Recovery Console:
Recovery Console Full drives and all Allow Floppy Copy and Access
Access Value (CID:119) folders: Disabled to All Drives and All Folders
?
Devices: Restrict
CD-ROM access to 3.2.1.12 Devices: Restrict CD-
locally logged-on ROM Access to Locally Logged-
user only: Enabled On User Only
Devices: Restrict
floppy access to 3.2.1.13 Devices: Restrict
locally logged-on Floppy Access to Locally
Floppy Allocation (CID:89) user only: Enabled Logged-On User Only
System objects:
Strengthen default
permissions of
internal system
objects (e.g. 3.2.1.58 System objects:
Strength permissions on Symbolic Links): Strengthen default permissions
GSO value (CID:204) Enabled of internal system objects
Domain member:
Domain member: Require Require strong
strong (Windows 2000 or (Windows 2000 or 3.2.1.23 Domain Member:
later) session key value later) session key: Require Strong (Windows 2000
(CID:770) Enabled or later) Session Key
Microsoft network
client: Send 3.2.1.34 Microsoft Network
Send unencrypted unencrypted Client: Send Unencrypted
password to 3rd party SMB password to third- Password to Connect to Third-
value (CID:207) party SMB servers Party SMB Server
Devices: Unsigned
driver installation
Unsigned Driver Behavior behavior: Warn but 3.2.1.14 Devices: Unsigned
Value (CID:127) allow installation Driver Installation Behavior
Interactive logon:
Prompt user to
change password 3.2.1.29 Interactive Logon:
Password Expiration value before expiration: 14 Prompt User to Change
(CID:199) days Password Before Expiration
Audit: Shut down
system immediately
if unable to log 3.2.1.8 Audit: Shut Down system
Crash on audit fail Value security audits: immediately if unable to log
(CID:121) Disabled security alerts
Shutdown: Allow
system to be shut 3.2.1.53 Shutdown: Allow
Shutdown before logon down without having System to be Shut Down
Check (CID:217) to log on: Enabled Without Having to Log On
? ?
Shutdown: Clear
Clear Pagefile value virtual memory 3.2.1.54 Shutdown: Clear Virtual
(CID:101) pagefile: Disabled Memory Pagefile
?
Microsoft network
client: Digitally sign 3.2.1.32 Microsoft Network
communications Client: Digitally sign
(always) communications (always)
Microsoft network
server: Digitally sign 3.2.1.36 Microsoft Network
communications Server: Digitally sign
(always) communications (always)
?
Microsoft network
server: Digitally sign 3.2.1.37 Microsoft Network
communications (if Server: Digitally sign
client agrees): communications (if client
Enabled agrees)
Interactive logon:
Number of previous
logons to cache (in
case domain 3.2.1.28 Interactive Logon:
Logon Caching value controller is not Number of Previous Logons to
(CID:91) available): 0 logons Cache
Devices: Allowed to
format and eject 3.2.1.10 Devices: Allowed to
NTFS Media Ejection value removable media: format and eject removable
(CID:2010) Administrators media
Domain member:
Digitally encrypt or
Digitally encrypt or sign sign secure channel 3.2.1.18 Domain Member:
secure channel data data (always): Not Digitally Encrypt or Sign Secure
(always) value (CID:743) Defined Channel Data (Always)
Domain member:
Digitally encrypt
secure channel data 3.2.1.19 Domain Member:
Sign Secure Channel (when possible): Digitally Encrypt Secure
Traffic Value (CID:109) Enabled Channel Data (When Possible)
Domain member:
Digitally sign secure 3.2.1.20 Domain Member:
Sign Secure Channel channel data (when Digitally Sign Secure Channel
Traffic Value (CID:107) possible): Enabled Data (When Possible)
Interactive logon:
Smart card removal
Smart Card Removal behavior: Lock 3.2.1.31 Interactive Logon:
Behavior Value (CID:125) Workstation Smart Card Removal Behavior
Domain member:
Disable machine 3.2.1.21 Domain Member:
Disable password change account password Disable Machine Account
Value (CID:111) changes:Disabled Password Changes
System
cryptography: Use
FIPS compliant
Use FIPS compliant algorithms for 3.2.1.55 System Cryptography:
algorithms for encryption, encryption, hashing, Use FIPS compliant algorithms
hashing, and signing and signing: for encryption, hashing, and
(CID:804) Enabled signing
System objects:
Default owner for
objects created by
Default owner for objects members of the 3.2.1.56 System objects: Default
created by members of the Administrators owner for objects created by
Administrators group group: Object members of the Administrators
(CID:807) Creator group
System objects:
Require case
System Object: Require insensitivity for non-
Case Insensitivity for Non- Windows 3.2.1.57 System objects:
Windows Subsystems subsystems: Require case insensitivity for
(CID:810) Enabled non-Windows subsystems
Devices: Allow
undock without
having to log on: 3.2.1.9 Devices: Allow undock
Disabled without having to log on
?
Domain controller:
LDAP server signing 3.2.1.16 Domain Controller:
requirements: Not LDAP Server Signing
Defined Requirements
Network security: 3.2.1.48 Network Security:
LDAP client signing LDAP client signing LDAP client signing
requirements (CID:795) requirements requirements
?
Domain controller:
Refuse machine 3.2.1.19(note: different
account password enumeration) Domain Controller:
changes: Not Refuse machine account
Defined password changes
Domain member:
Accounts: Maximum Maximum machine 3.2.1.22 Domain Member:
machine account password account password Maximum Machine Account
age value (CID:767) age: 7 Days Password Age
Interactive logon:
Require Domain
Domain Controller Controller 3.2.1.30 Interactive Logon:
Authentication to Unlock authentication to Require Domain Controller
Workstation Value unlock workstation: authentication to unlock
(CID:777) Enabled workstation
Microsoft network
server: Disconnect
Automatically log off user clients when logon 3.2.1.38 Microsoft Network
when logon time expires hours expire: Server: Disconnect clients when
value (CID:210) Enabled logon hours expire
Network access:
Named Pipes that
can be accessed 3.2.1.41 Network Access:
anonymously: Not Named pipes that can be
Defined accessed anonymously
?
Network access:
Remotely accessible
registry paths:
Classic - local users 3.2.1.42 Network Access:
authenticate as Remotely accessible registry
themselves paths
?
Network access:
Shares that can be
accessed 3.2.1.43 Network Access:
anonymously: Not Shares that can be accessed
Defined anonymously
Network access:
Sharing and security
model for local
accounts: Classic -
Sharing and security model local users 3.2.1.44 Network Access:
for local accounts Value authenticate as Sharing and security model for
(CID:786) themselves local accounts
Network security:
Do not store LAN Manager Do not store LAN 3.2.1.45 Network Security: Do
hash value on next Manager hash value not store LAN Manager
password change on next password password hash value on next
(CID:789) change: Enabled password change
Network security:
Force logoff when 3.2.1.46 Network Security:
Logon Time Enforcement logon hours expire: Force logoff when logon hours
(CID:46) Enabled expire
Network security:
Minimum session
security for NTLM
SSP based
(including secure
RPC) clients:
Require NTLMv2 3.2.1.49 Network Security:
Minimum session security session security, Minimum session security for
for NTLM SSP based Require 128-bit NTLM SSP based (including
clients (CID:798) encryption secure RPC) clients
Network security:
Minimum session
security for NTLM
SSP based
(including secure
RPC) servers:
Require NTLMv2 3.2.1.50 Network Security:
Minimum session security session security, Minimum session security for
for NTLM SSP based Require 128-bit NTLM SSP based (including
servers (CID:801) encryption secure RPC) servers
Chapter 10:
Modifying File
System Security
Non-NTFS Partition Settings with 4.3.1 Ensure volumes are using
(CID:10) Security Templates the NTFS file system
?
Default user scrnsave.exe
(CID:67)
?
Cache Transforms in
Secure Location on
Workstation (CID:908)
Set client
Set Client Connection connection
Encryption (CID:867) encryption level
Set Time Limit for Idle Set time limit for idle
Sessions (CID:879) sessions
Keep-Alive Messages
(CID:846)
?
Solicited Remote
Assistance (CID:933)
?
Unsolicited Remote
Assistance (CID:936)
?
Enforce user logon
restrictions
(Enabled)
?
Maximum lifetime
for service ticket
(600 minutes)
?
Maximum lifetime
for user ticket (10
hours)
? Maximum lifetime
for user ticket
renewal (7 days)
?
Maximum tolerance
for computer clock
synchronization (5
minutes)
5.1.1.1 RPC
Endpoint Mapper
Client Authentication
(SP2 only)
5.1.1.2 Restrictions
for Unauthenticated
RPC clients (SP2
only)
5.2.1.1.1.1 Protect
all network
connections (SP2
only)
5.2.1.1.1.2 Do not
allow exceptions
(SP2 only)
5.2.1.1.1.3 Allow
local program
exceptions
5.2.1.1.1.4 Allow
remote
administration
5.2.1.1.1.6 Allow
ICMP exceptions
(SP2 only)
5.2.1.1.1.7 Allow
Remote Desktop
exception (SP2 only)
5.2.1.1.1.8 Allow
UPnP framework
exception (SP2 only)
5.2.1.1.1.9 Prohibit
notifications
5.2.1.1.1.10 Log
dropped packets
(SP2 only)
5.2.1.1.1.13 Log
successful
connections (SP2
only)
5.2.1.1.1.14 Prohibit
unicast response to
multicast or
broadcast (SP2
only)
5.2.1.1.1.15 Define
port exceptions (SP2
only)
5.2.1.1.16 Allow
local port exceptions
(SP2 only)
5.2.1.1.2.1 Protect
all network
connections (SP2
only)
5.2.1.1.2.2 Do not
allow exceptions
(SP2 only)
5.2.1.1.2.3 Allow
local program
exceptions (SP2
only)
5.2.1.1.2.4 Allow
remote
administration
exception (SP2 only)
5.2.1.1.2.7 Allow
Remote Desktop
exception (SP2 only)
5.2.1.1.2.8 Allow
UPnP framework
exception (SP2 only)
5.2.1.1.2.9 Prohibit
notifications (SP2
only)
5.2.1.1.2.10 Log
Dropped Packets
(SP2 only)
5.2.1.1.2.13 Log
Successful
Connections (SP2
only)
5.2.1.1.2.14 Prohibit
unicast response to
multicast or
broadcast (SP2
only)
5.2.1.1.2.15 Define
port exceptions (SP2
only)
5.2.1.1.2.16 Allow
local port exceptions
(SP2 only)
5.2.1.1. Windows
Firewall
Disable Periodic Check for
Internet Explorer Software
Updates (CID:834)
Disable Automatic Install of
Internet Explorer
Components (CID:831)
CIS WXP Pro Benchmark v2.01 OVAL (cis-winxp-oval.xml)
NIST 800-68 Windows XP PDF (SP800-68-20051102.pdf)
NIST 800-68 Windows XP XCCDF (NIST-800-68-53-WinXPPro_XCCDF_10102006.xml)
NIST 800-68 Windows XP OVAL (NIST-800-68-53-WinXPPro_OVAL_10102006.xml)
%SystemRoot%\system32\regedit.exe Table: 9.19 Value: Administrators: Full System: Full | regedit.exePermissions | oval:gov.nist.1:def:146
%SystemRoot%\system32\arp.exe Table: 9.1 Value: Administrators: Full System: Full | arp.exePermissions | oval:gov.nist.1:def:128
%SystemRoot%\system32\at.exe Table: 9.2 Value: Administrators: Full System: Full | at.exePermissions | oval:gov.nist.1:def:129
%SystemRoot%\system32\attrib.exe Table: 9.3 Value: Administrators: Full System: Full | attrib.exePermissions | oval:gov.nist.1:def:130
%SystemRoot%\System32\cacls.exe Table: 9.4 Value: Administrators: Full System: Full | cacls.exePermissions | oval:gov.nist.1:def:131
%SystemRoot%\System32\debug.exe Table: 9.5 Value: Administrators: Full System: Full | debug.exePermissions | oval:gov.nist.1:def:132
%SystemRoot%\system32\edlin.exe Table: 9.6 Value: Administrators: Full System: Full | edlin.exePermissions | oval:gov.nist.1:def:133
%SystemRoot%\system32\eventcreate.exe Table: 9.7 Value: Administrators: Full System: Full | eventcreate.exePermissions | oval:gov.nist.1:def:134
%SystemRoot%\System32\eventtriggers.exe Table: 9.8 Value: 9.8 | eventtriggers.exePermissions | oval:gov.nist.1:def:135
%SystemRoot%\system32\ftp.exe Table: 9.9 Value: Administrators: Full System: Full | ftp.exePermissions | oval:gov.nist.1:def:136
%SystemRoot%\system32\nbtstat.exe Table: 9.10 Value: Administrators: Full System: Full | nbtstat.exePermissions | oval:gov.nist.1:def:137
%SystemRoot%\system32\net.exe Table: 9.11 Value: Administrators: Full System: Full | net.exePermissions | oval:gov.nist.1:def:138
%SystemRoot%\system32\net1.exe Table: 9.12 Value: Administrators: Full System: Full | net1.exePermissions | oval:gov.nist.1:def:139
%SystemRoot%\system32\netsh.exe Table: 9.13 Value: Administrators: Full System: Full | netsh.exePermissions | oval:gov.nist.1:def:140
%SystemRoot%\system32\netstat.exe Table: 9.14 Value: Administrators: Full System: Full | netstat.exePermissions | oval:gov.nist.1:def:141
%SystemRoot%\system32\nslookup.exe Table: 9.15 Value: Administrators: Full System: Full | nslookup.exePermissions | oval:gov.nist.1:def:142
%SystemRoot%\system32\Ntbackup.exe Table: 9.16 Value: Administrators: Full System: Full | ntbackup.exePermissions | oval:gov.nist.1:def:143
%SystemRoot%\system32\rcp.exe Table: 9.17 Value: Administrators: Full System: Full | rcp.exePermissions | oval:gov.nist.1:def:144
%SystemRoot%\system32\reg.exe Table: 9.18 Value: Administrators: Full System: Full | reg.exePermissions | oval:gov.nist.1:def:145
%SystemRoot%\system32\Regedt32.exe Table: 9.20 Value: Administrators: Full System: Full | regedt32.exePermissions | oval:gov.nist.1:def:147
%SystemRoot%\system32\regini.exe Table: 9.21 Value: Administrators: Full System: Full | regini.exePermissions | oval:gov.nist.1:def:148
%SystemRoot%\system32\regsvr32.exe Table: 9.22 Value: Administrators: Full System: Full | regsvr32.exePermissions | oval:gov.nist.1:def:149
%SystemRoot%\system32\rexec.exe Table: 9.23 Value: Administrators: Full System: Full | rexec.exePermissions | oval:gov.nist.1:def:150
%SystemRoot%\system32\route.exe Table: 9.24 Value: Administrators: Full System: Full | route.exePermissions | oval:gov.nist.1:def:151
%SystemRoot%\system32\rsh.exe Table: 9.25 Value: Administrators: Full System: Full | rsh.exePermissions | oval:gov.nist.1:def:152
%SystemRoot%\system32\sc.exe Table: 9.26 Value: Administrators: Full System: Full | sc.exePermissions | oval:gov.nist.1:def:153
%SystemRoot%\system32\secedit.exe Table: 9.27 Value: Administrators: Full System: Full | secedit.exePermissions | oval:gov.nist.1:def:154
%SystemRoot%\system32\subst.exe Table: 9.28 Value: Administrators: Full System: Full | subst.exePermissions | oval:gov.nist.1:def:155
%SystemRoot%\system32\systeminfo.exe Table: 9.29 Value: Administrators: Full System: Full | systeminfo.exePermissions | oval:gov.nist.1:def:156
%SystemRoot%\system32\telnet.exe Table: 9.30 Value: Administrators: Full System: Full | telnet.exePermissions | oval:gov.nist.1:def:157
%SystemRoot%\system32\tftp.exe Table: 9.31 Value: Administrators: Full System: Full | tftp.exePermissions | oval:gov.nist.1:def:158
%SystemRoot%\system32\tlntsvr.exe Table: 9.32 Value: Administrators: Full System: Full | tlntsvr.exePermissions | oval:gov.nist.1:def:159
Deny access to this computer from the network Table: 4.15 Value: Guests, SUPPORT | DenyAccessFromNetwork | oval:gov.nist.1:def:175
Manage auditing and security log Table: 4.29 Value: Administrators | ManageAuditingAndSecurityLog, ManageAuditingAndSecurityLogNone | oval:gov.nist.1:def:187, oval:gov.nist.1:def:235
Modify firmware environment values Table: 4.30 Value: Administrators | ModifyFirmwareEnvironmentValues | oval:gov.nist.1:def:188
Profile single process Table: 4.32 Value: Administrators | ProfileSingleProcess | oval:gov.nist.1:def:190
Profile system performance Table: 4.33 Value: Administrators | ProfileSystemPerformance | oval:gov.nist.1:def:191
Replace a process-level token Table: 4.35 Value: LOCAL SERVICE, NETWORK SERVICE | ReplaceProcessLevelToken | oval:gov.nist.1:def:193
Add workstations to domain Table: 4.3 Value: Administrators | AddWorkstationsToDomain, AddWorkstationsToDomainNone | oval:gov.nist.1:def:163, oval:gov.nist.1:def:232
Profile volume maintenance tasks Table: 4.31 Value: Administrators | PerformVolumeMaintenanceTasks | oval:gov.nist.1:def:189
Audit account management Table: 3.2 Value success, failure | AuditAccountManagement | oval:gov.nist.1:def:29
Audit account management Table: 3.2 Value success, failure | AuditAccountManagement | oval:gov.nist.1:def:29
Retention method for system log Table: 6.11 Value: as needed | SecurityLogRetentionMethod | oval:gov.nist.1:def:204
Background Intelligent Transfer Service Table: 8.5 Value: not defined | *** | ***
Computer Browser Service Table: 8.9 Value: disabled | BrowserService | oval:gov.nist.1:def:211
Fast User Switching Compatibility Table: 8.17 Value: not defined
Simple Mail Transfer Protocol (SMTP) Table: 8.59 Value: disabled | SMTPService | oval:gov.nist.1:def:220
Simple Network Management Protocol (SNMP) Service Table: 8.60 Value: disabled | SNMPService | oval:gov.nist.1:def:221
Simple Network Management Protocol (SNMP) Trap Table: 8.61 Value: disabled | SNMPTrap | oval:gov.nist.1:def:222
Simple Service Discovery Protocol (SSDP) Discovery Service Table: 8.62 Value: disabled | SSDPService | oval:gov.nist.1:def:223
Network access: Do not allow anonymous enumeration of SAM accounts and shares Table: 5.45 Value: enabled | AnonymousEnumerationOfAccountsAndShares | oval:gov.nist.1:def:88
Network access: Do not allow anonymous enumeration of SAM accounts Table: 5.44 Value: enabled | AnonymousEnumerationOfAccounts | oval:gov.nist.1:def:87
Network access: Allow anonymous SID/Name translation Table: 5.43 Value: disabled
Accounts: Guest account status Table: 5.2 Value: disabled | GuestAccountStatus | oval:gov.nist.1:def:243
Accounts: Administrator account status Table: 5.1 Value: enabled | AdministratorAccountStatus | oval:gov.nist.1:def:242
Interactive logon: Message title for users attempting to log on Table: 5.30 Value: <DoJ Approved> | LogonMessageTitle | oval:gov.nist.1:def:71
Interactive logon: Message text for users attempting to log on Table: 5.29 Value: <DoJ approved> | LogonMessageText | oval:gov.nist.1:def:70
MSS: (AutoShareWks) Enable Administrative Shares Table: 5.72 Value: not defined
MSS: (AutoAdminLogon) Enable Automatic Logon Table: 5.70 Value: disabled | AutomaticLogonDisabled | oval:gov.nist.1:def:110
MSS: (AutoReboot) Allow Windows to automatically restart after a system crash Table: 5.71 Value: not defined
MSS: (NoDriveTypeAutoRun) Disable Autorun for all drives Table: 5.80 Value: 255 | DisableAutorunForAllDrives
MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes Table: 5.76 Value: disabled | AllowICMPRedirectsDisabled | oval:gov.nist.1:def:113
MSS: (DisableIPSourceRouting) IP source routing protection level Table: 5.73 Value: Highest protection, source routing is completely disabled | IPSourceRoutingProtectionLevel | oval:gov.nist.1:def:111
MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses Table: 5.83 Value: enabled | RouterDiscovery | oval:gov.nist.1:def:121
MSS: (NoDefaultExempt) Enable NoDefaultExempt for IPSec Filtering Table: 5.79 Value: Multicast, broadcast, and ISAKMP are exempt | NoDefaultExemptForIPSecFiltering | oval:gov.nist.1:def:116
oval:gov.nist.1:def:117
Interactive logon: Do not display last user name Table: 5.27 Value: enabled | LastUserNameNotDisplayedForLogon | oval:gov.nist.1:def:68
MSS: (Hidden) Hide Computer From the Browse List Table: 5.77 Value: enabled | HideFromBrowseList | oval:gov.nist.1:def:114
MSS: (EnableDeadGWDetect) Allow automatic detection of dead network gateways Table: 5.75 Value: disabled | AutomaticDetectionOfDeadGWs | oval:gov.nist.1:def:112
MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds Table: 5.78 Value: 300,000ms (5 minutes) | KeepAliveTime | oval:gov.nist.1:def:115
MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers Table: 5.81 Value: enabled | NameReleaseRequests | oval:gov.nist.1:def:118
MSS: (SynAttackProtect) Syn attack protection level Table: 5.86 Value: Connections time out sooner if attack is detected (1) | SynAttackProtectionLevel | oval:gov.nist.1:def:124
MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning Table: 5.89 Value: 90 | EventLogThresholdWarning | oval:gov.nist.1:def:127
MSS: (DisableSavePassword) Prevent the dial-up password from being saved Table: 5.74 Value: not defined
MSS: (SafeDllSearchMode) Enable Safe DLL search mode Table: 5.84 value: enabled | SafeDLLSearchMode | oval:gov.nist.1:def:122
Domain controller: Allow server operators to schedule tasks Table: 5.17 Value: not defined
Accounts: Rename administrator account Table: 5.4 Value: not defined
Microsoft network server: Amount of idle time required before suspending session Table: 5.39 Value: 15 minutes | SessionTimeout | oval:gov.nist.1:def:83
Network security: LAN Manager authentication level Table: 5.55 Value: Send NTLMv2 response only\refuse LM & NTLM or Send NTLMv2 response only\refuse LM | LANManagerAuthenticationRefuseLM, LANManagerAuthenticationRefuseLM_NTLM | oval:gov.nist.1:def:97, oval:gov.nist.1:def:96
Recovery console: Allow automatic administrative logon Table: 5.59 Value: disabled | RecoveryConsoleAutoLogon | oval:gov.nist.1:def:101
Recovery console: Allow floppy copy and access to all drives and all folders Table: 5.60 Value: disabled | RecoveryConsoleFullSystemAccess | oval:gov.nist.1:def:102
Devices: Restrict CD-ROM access to locally logged-on user only Table: 5.14 Value: disabled | RecoveryConsoleFullSystemAccess | oval:gov.nist.1:def:102
System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links) Table: 5.67 Value: enabled | InternalSystemObjectsPermissions | oval:gov.nist.1:def:109
Domain member: Require strong (Windows 2000 or later) session key Table: 5.25 Value: enabled | RequireStrongSessionKey | oval:gov.nist.1:def:66
Microsoft network client: Send unencrypted password to third-party SMB servers Table: 5.38 Value: disabled | UnencryptedSMBPasswords | oval:gov.nist.1:def:82
Interactive logon: Prompt user to change password before expiration Table: 5.32 Value: 14 days | PasswordExpirationPrompt | oval:gov.nist.1:def:74
Audit: Shut down system immediately if unable to log security audits Table: 5.8 Value: not defined
Shutdown: Clear virtual memory pagefile Table: 5.62 Value: enabled | ClearPagefileOnShutdown | oval:gov.nist.1:def:104
Microsoft network client: Digitally sign communications (always) Table: 5.36 Value: enabled | ClientAlwaysSignCommunications | oval:gov.nist.1:def:79
Microsoft network client: Digitally sign communications (if server agrees) Table: 5.37 Value: enabled | SignCommunicationsIfServerAgrees | oval:gov.nist.1:def:81
Microsoft network server: Digitally sign communications (always) Table: 5.40 Value: enabled | ServerAlwaysSignCommunications | oval:gov.nist.1:def:84
Microsoft network server: Digitally sign communications (if client agrees) Table: 5.41 Value: enabled | SignCommunicationsIfClientAgrees | oval:gov.nist.1:def:85
Interactive logon: Number of previous logons to cache (in case domain controller is not available) Table: 5.31 Value: 0 logons or 2 logons | PreviousLogonsCached | oval:gov.nist.1:def:72
Devices: Allowed to format and eject removable media Table: 5.12 Value: Administrators or Administrators and interactive users | RestrictAccessToFormatAndEjectRemovableMediaAdministrators, RestrictAccessToFormatAndEjectRemovableMedia | oval:gov.nist.1:def:43, oval:gov.nist.1:def:44
Domain member: Digitally encrypt or sign secure channel data (always) Table: 5.20 Value: enabled | AlwaysDigitallyEncryptSecureChannelData | oval:gov.nist.1:def:61
Domain member: Digitally encrypt secure channel data (when possible) Table: 5.21 Value: enabled | WhenPossibleDigitallyEncryptSecureChannelData | oval:gov.nist.1:def:62
Domain member: Digitally sign secure channel data (when possible) Table: 5.22 Value: enabled | WhenPossibleDigitallySignSecureChannelData | oval:gov.nist.1:def:63
Domain member: Disable machine account password changes Table: 5.23 Value: disabled | MachineAccountPasswordChanges | oval:gov.nist.1:def:64
System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing Table: 5.64 Value enabled | FIPSCompliantEncryption | oval:gov.nist.1:def:105
System objects: Default owner for objects created by members of the Administrators group Table: 5.65 Value: Object creator | AdministratorsGroupObjectCreatorOwner | oval:gov.nist.1:def:106
System objects: Require case insensitivity for non-Windows subsystems Table: 5.66 Value: enabled | RequireCaseInsensitivity | oval:gov.nist.1:def:107
Domain member: Maximum machine account password age Table: 5.24 Value: 30 days | MaximumMachineAccountPasswordAge | oval:gov.nist.1:def:65
Interactive logon: Require Domain Controller authentication to unlock workstation Table: 5.33 Value: enabled or disabled | DomainControllerAuthenticationRequired | oval:gov.nist.1:def:75
Microsoft network server: Disconnect clients when logon hours expire Table: 5.42 Value: enabled | LogonTimeExpiration | oval:gov.nist.1:def:86
Network access: Do not allow storage of credentials or .NET Passports for network authentication Table: 5.46 Value: enabled | CredentialsStorage | oval:gov.nist.1:def:89
Network access: Let Everyone permissions apply to anonymous users Table: 5.47 Value: disabled | AnonymousUsersPermissions | oval:gov.nist.1:def:90
Network access: Named Pipes that can be accessed anonymously Table: 5.48 Value: COMNAP, COMNODE, SQL\QUERY, SPOOLSS, LLSRPC, browser | AnonymouslyAccessedNamedPipes | oval:gov.nist.1:def:91
Network access: Remotely accessible registry paths Table: 5.49 Value: System\CurrentControlSet\Control\ProductOptions, System\CurrentControlSet\Control\Print\Printers, System\CurrentControlSet\Control\Server Applications, System\CurrentControlSet\Services\Eventlog, Software\Microsoft\OLAP Server, Software\Microsoft\Windows NT\CurrentVersion, System\CurrentControlSet\Control\ContentIndex, System\CurrentControlSet\Control\Terminal Server, System\CurrentControlSet\Control\Terminal Server\UserConfig, System\CurrentControlSet\Control\TerminalServer\DefaultUserConfiguration | RemotelyAccessibleRegistryPaths | oval:gov.nist.1:def:92
Network access: Shares that can be accessed anonymously Table: 5.51 Value: COMCFG, DFS$ | AnonymouslyAccessedShares | oval:gov.nist.1:def:93
Network access: Sharing and security model for local accounts Table: 5.52 Value: Classic - local users authenticate as themselves | LocalAccountsSecurityModel | oval:gov.nist.1:def:94
Network security: Do not store LAN Manager hash value on next password change Table: 5.53 Value: enabled | LANManagerHashStorage | oval:gov.nist.1:def:95
Network security: Force logoff when logon hours expire Table: 5.54 Value: enabled | ForceLogoff | oval:gov.nist.1:def:244
Network security: Minimum session security for NTLM SSP based (including secure RPC) clients Table: 5.57 Value: Require message integrity, Require message confidentiality, Require NTLMv2 session security, Require 128-bit encryption | NTLM_SSP_BasedClientsSessionSecurity | oval:gov.nist.1:def:99
Network security: Minimum session security for NTLM SSP based (including secure RPC) servers Table: 5.58 Value: Require message integrity, Require message confidentiality, Require NTLMv2 session security, Require 128-bit encryption | NTLM_SSP_BasedServersSessionSecurity | oval:gov.nist.1:def:100
MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires Table: 5.85 Value: 0 | ScreenSaverGracePeriod | oval:gov.nist.1:def:123
Create global objects
Table: 4.12 Value: not
defined
Impersonate a client
after authentication
Table: 4.23 Value: not
defined
DCOM: Machine
access of the global
system objects Table:
5.9 Value: disabled
DCOM: Machine
Launch Restrictions in
the Security Descriptor
Definition Language
(SDDL) syntax Table:
5.10 Value: not defined
Interactive logon:
Display user
information when the
session is locked Table:
5.26 Value: not defined
Interactive logon:
Require smart card
Table: 5.34 Value: not
defined
Network access:
Restrict anonymous
access to named pipes
and shares Table: 5.50
Value: not defined
System cryptography:
Force strong key
protection for user keys
stored on the computer
Table: 5.63 Value: not
defined
System settings:
optional subsystems
Table: 5.68 Value: not
defined
MSS: (TCPMaxDataRetransmissions) How many times unacknowledged data is retransmitted Table: 5.88 Value: 3 | TCPMaxDataRetransmissions | oval:gov.nist.1:def:126
Backup Operators
Table: 7.1 Value: none BackupOperators oval:gov.nist.1:def:206
Power Users Table: 7.2
Value: none PowerUsers oval:gov.nist.1:def:207
Application Layer
Gateway Service Table:
8.2 Value: not defined
Application
Management Table: 8.3
Value: not defined
Cryptographic Services
Table: 8.10 Value: not
defined
Distributed Link
Tracking Client Table:
8.12 Value: not defined
Distributed Transaction
Coordinator Table: 8.13
Value: not defined
Human Interface
Device Access Table:
8.21 Value: not defined
IMAPI CD-Burning
COM Service Table:
8.23 Value: not defined
NT LM Security
Support Provider Table:
8.38 Value: not defined
Performance Logs and
Alerts Table: 8.39
Value: not defined
System Event
Notification Table: 8.63
Value: not defined
System Restore
Service Table: 8.64
Value: not defined
TCP/IP NetBIOS
Helper Table: 8.66
Value: not defined
Telephony Table: 8.67
Value: not defined
Themes Table: 8.70
Value: not defined
Uninterruptible Power
Supply Table: 8.71
Value: not defined
Windows Management
Instrumentation Driver
Extensions Table: 8.80
Value: not defined
Wireless Zero
Configuration Table:
8.82 Value: not defined
WMI Performance
Adapter Table: 8.83
Value: not defined
MSS: (NtfsDisable8dot3NameCreation) Enable the computer to stop generating 8.3 style filenames. Table: 5.82 Value: enabled | Disable8Dot3NameCreation | oval:gov.nist.1:def:119
OVAL10088
OVAL10219
Microsoft Security Guide for Windows Server 2003
Center for Internet Security Windows Server 2003
DISA Stig for Windows 2003
NIST SCAP Windows Vista XCCDF (SCAP-WinVista-XCCDF.xml rev 2007-02-06)
Table 3.28 Deny access to this computer from the network: ANONYMOUS LOGON; Built-in Administrator, Guests; Support_388945a0; Guest; all NON-Operating System service accounts (Legacy Client, Enterprise Client, and High Security) 4.2.15 Deny access to this computer from the network (minimum): Not Defined .
. 4.2.28 Log on as a service: Not Defined .
. . Retention-Method-For-Application-Log
Table 3.116 Retention method for application log: As needed (Legacy Client, Enterprise Client, and High Security) 2.2.4.1.3 Log Retention Method: Not Defined 5.4.7.3 [AP] Preserving Security Events: Retention method for application log: Do not overwrite events (clear log manually)
Table 11.4 Background Intelligent Transfer Service: Disabled . 7.6.2 Background Intelligent Transfer Service (BITs): Disable if not needed
. 4.1.15 NetMeeting Remote Desktop Sharing: Disabled .
. . . administrator-account-status
Table 3.73 Interactive logon: Message title for users attempting to log on: "It is an offense to continue without proper authorization" (Legacy Client, Enterprise Client, and High Security) 3.2.1.27 Interactive Logon: Message Title for Users Attempting to Log On: <Custom or DoJ Approved> 5.4.6.22 [AP] Display Legal Notice: Interactive Logon: Message title for users attempting to log on: US Department of Defense Warning Statement message-title-users-attempting-logon
. . 5.4.6.41 [A] ICMP Redirects: MSS: (EnablEICMPRedirect) Allow ICMP redirects to override OSPF generated routes: Disabled enable-icmp-redirect
. 3.2.1.69 MSS: IP Source Routing protection level: Highest Protection, source routing is automatically disabled 5.4.6.39 MSS: DisableIPSourceRouting, IP source routing packet spoofing: Highest protection, source routing is completely disabled disable-ip-source-routing
. . . hide-system-from-browse-list
Table 3.248 Configure NetBIOS Name Release Security: Allow the computer to ignore NetBIOS name release requests except from WINS server: NoNameReleaseOnDemand = 1 (Legacy Client, Enterprise Client, and High Security) 3.2.1.73 MSS: Allow the computer to ignore NetBIOS name release requests except from WINS servers: Enabled 5.4.6.42 [A] NetBIOS Name Release: MSS: (NoNameReleaseOnDemand) Allow computer to ignore NetBIOS name release requests except from WINS Servers: Enabled no-name-release-on-demand
. . . warning-level
. . 5.4.6.3 Accounts: Rename administrator account: Should not be Administrator rename-administrator
. . 5.4.6.4 Account: Rename guest account: Any value other than Guest rename-guest
. . . digitally-sign-communications-client-server-agrees
. Microsoft network server: Digitally sign communications (if client agrees): Disabled 5.4.6.32 Microsoft Network Server: digitally sign server communications (if client agrees): Enabled digitally-sign-communications-server-client-agrees
Table 3.74 Interactive logon: Number of previous logons to cache: 1 (Legacy Client); 0 (Enterprise Client and High Security) 3.2.1.28 Interactive Logon: Number of Previous Logons to Cache: Not Defined 5.4.6.23 Interactive Logon: Number of previous logons to cache (in case Domain Controller is unavailable): 0 logons or 1 logon number-of-previous-logons-to-cache
. . . disable-machine-account-password-changes
Table 3.105 System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing: Disabled (Legacy Client, Enterprise Client, and High Security) 3.2.1.59 System Cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing: Not Defined 5.4.6.73 [A] FIPS compliant algorithms: System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing: Enabled
Table 3.89 Network access: Named Pipes that can be accessed anonymously: None (Legacy Client, Enterprise Client, and High Security) 3.2.1.42 Network Access: Named pipes that can be accessed anonymously: None 5.4.6.56 [MA] Anonymous Access to Named Pipes: Network Access: Named pipes that can be accessed anonymously: COMNAP, COMNODE, SQL\QUERY, SPOOLSS, EPMAPPER, LOCATOR, TrkWks, and TrkSvr named-pipes-accessed-anonymously
Table 3.93 Network Access: Shares that can be accessed anonymously: None (Legacy Client, Enterprise Client, and High Security) 3.2.1.46 Network Access: Shares that can be accessed anonymously: None 5.4.6.60 [MA] Anonymous Access to Network Shares: Network Access: Shares that can be accessed anonymously: <should be blank> Shares-that-can-be-accessed-anonymously -- NOTE: COMMENTED OUT
. . 5.5.1 [AP] Password Protected Screen Savers: Passwords are required
. 3.2.1.84 MSS: The time in seconds before the screen saver grace period expires: 0 7.5.1 Configuring Default User Screensaver Options: ScreenSaveTimeout: 900 Seconds (15 minutes) screen-saver-grace-period
. . 7.5.1 Configuring Default User Screensaver Options: ScreenSaverIsSecure: 1
. . 7.5.1 Configuring Default User Screensaver Options: ScreenSaveActive: 1
. . 7.5.1 Configuring Default User Screensaver Options: ScreenSaveTimeout: 900 Seconds (15 minutes)
. . 7.5.1 Configuring Default User Screensaver Options: ScreenSaverIsSecure: 1
. . 7.5.1 Configuring Default User Screensaver Options: ScreenSaveActive: 1
. . 5.5.1 [AP] Password Protected Screen Savers: Passwords are required
. 3.2.1.84 MSS: The time in seconds before the screen saver grace period expires: 0 7.5.1 Configuring Default User Screensaver Options: ScreenSaveTimeout: 900 Seconds (15 minutes)
. . 7.5.1 Configuring Default User Screensaver Options: ScreenSaverIsSecure: 1
. . 7.5.1 Configuring Default User Screensaver Options: ScreenSaveActive: 1
. 3.2.1.84 MSS: The time in seconds before the screen saver grace period expires: 0 7.5.1 Configuring Default User Screensaver Options: ScreenSaveTimeout: 900 Seconds (15 minutes)
. . 8.3.3.8 Cache Transforms in Secure Location on Workstation: (5.056: CAT II) Enabled
. . 8.3.4.2 Do Not Automatically Start Windows Messenger Initially: (5.029: CAT I) Enabled
. . 7.6.15 Task Scheduler Service: (5.035: CAT III) Hide Property Page is Enabled
. 7.6.15 Task Scheduler Service: (5.036: CAT III) Prohibit New Task Creation is Enabled
. . 8.3.2.8 Terminate Session When Time Limits are Reached: (5.049: CAT II) Enabled
. . 8.3.2.1 Keep-Alive Messages: (5.037: CAT III) Enabled
Table 3.199 Removable Storage: Disabled (Legacy Client, Enterprise Client, and High Security) . .
Table 11.3 Automatic Updates: Disabled . .
. . . Do-not-adjust-default-option-to-Install-Updates-and-Shut-Down
. . . Do-not-display-Install-Updates-and-Shut-Down
. . 2.2.2 Microsoft Software Updates Services: Specify intranet Microsoft update service location: enabled
MachineAccessRestrictions
MachineLaunchRestrictions
Require-Smart-Card
Restrict-anonymous-access-to-Named-Pipes-and-Shares
tcp-max-connect-response-retransmissions
tcp-max-data-retransmissions
ntfs-disable-8dot3-name-creation
RPC-Endpoint-Mapper-Client-Authentication
Restrictions-for-Unauthenticated-RPC-clients
Domain-Profile-Firewall-Protect-All-Network-Connections, Domain-Profile-Firewall-State
Domain-Profile-Firewall-Do-Not-Allow-Exceptions
Domain-Profile-Firewall-Allow-Local-Program-Exceptions
Domain-Profile-Firewall-Allow-Inbound-Remote-Administration-Exception
Domain-Profile-Firewall-Allow-Inbound-File-And-Printer-Sharing-Exception
Domain-Profile-Firewall-Allow-Inbound-Remote-Desktop-Exceptions
Domain-Profile-Firewall-Allow-Inbound-UPnP-Framework-Exceptions
Domain-Profile-Firewall-Prohibit-Notifications, Domain-Profile-Display-Notification
Domain-Profile-Firewall-Prohibit-Unicast-Response, Domain-Profile-Allow-Unicast-Response
Domain-Profile-Firewall-Define-Inbound-Port-Exceptions
Domain-Profile-Firewall-Allow-Local-Port-Exceptions
Standard-Profile-Firewall-Protect-All-Network-Connections
Standard-Profile-Firewall-Do-Not-Allow-Exceptions
Standard-Profile-Firewall-Define-Inbound-Program-Exceptions
Standard-Profile-Firewall-Allow-Inbound-Remote-Administration-Exception
Standard-Profile-Firewall-Allow-Inbound-File-And-Printer-Sharing-Exception,Standard-Profile-Firewall-Allow-Inbound-File-And-Printer-Sharing-Exceptions
Standard-Profile-Firewall-Allow-Inbound-Remote-Desktop-Exceptions
Standard-Profile-Firewall-Allow-Inbound-UPnP-Framework-Exceptions
Standard-Profile-Firewall-Prohibit-Notifications
Standard-Profile-Firewall-Prohibit-Unicast-Response
Standard-Profile-Firewall-Define-Inbound-Port-Exceptions
Standard-Profile-Firewall-Allow-Local-Port-Exceptions
3.2.1.78 MSS: TCPMaxPortsExhausted, How many dropped connect requests to initiate SYN attack protection: 5
Domain-Profile-Inbound-Connections
Domain-Profile-Outbound-Connections
Domain-Profile-Apply-Local-Firewall-Rules
Domain-Profile-Apply-Local-Connection-Security-Rules
Private-Profile-Firewall-State
Private-Profile-Inbound-Connections
Private-Profile-Outbound-Connections
Private-Profile-Display-Notification
Private-Profile-Allow-Unicast-Response
Private-Profile-Apply-Local-Firewall-Rules
Private-Profile-Apply-Local-Connection-Security-Rules
Public-Profile-Firewall-State
Public-Profile-Inbound-Connections
Public-Profile-Outbound-Connections
Public-Profile-Display-Notification
Public-Profile-Allow-Unicast-Response
Public-Profile-Apply-Local-Firewall-Rules
Public-Profile-Apply-Local-Connection-Security-Rules
Do-Not-Process-Legacy-Run-List
Do-Not-Process-Run-Once-List
Registry-Policy-Processing
Turn-off-Internet-download-for-Web-publishing-and-online-ordering-wizards
Turn-off-the-Windows-Messenger-Customer-Experience-Improvement-Program
Turn-off-Search-Companion-content-file-updates
Turn-off-printing-over-HTTP
Turn-off-downloading-of-print-drivers-over-HTTP
Turn-off-Windows-Update-device-driver-searching
Enumerate-administrator-accounts-on-elevation
Require-trusted-path-for-credential-entry
Deny-all-add-ons-unless-specifically-allowed-in-the-Add-on-List
Do-not-allow-passwords-to-be-saved
Do-not-allow-drive-redirection
Prompt-for-password-on-resume-from-hibernate-suspend
Do-not-preserve-zone-information-in-file-attachments
Hide-mechanisms-to-remove-zone-information
Notify-antivirus-programs-when-opening-attachments
override-audit-policy-settings
Log-Access-For-Setup-Log
Windows-Search
Turn-Off-Microsoft-Peer-to-Peer-Networking-Services
Prohibit-Access-of-the-Windows-Connect-Now-Wizards
Allow-remote-access-to-the-PnP-interface
Do-not-create-system-restore-point-when-new-device-driver-installed
Do-not-send-Windows-Error-Report-when-generic-driver-is-installed-on-device
Turn-Off-Access-to-All-Windows-Update-Feature
Turn-Off-Automatic-Root-Certificates-Update
Turn-Off-Event-Views-Events.asp-Links
Turn-Off-Handwriting-Reconition-Error-Reporting
Turn-Off-Help-and-Support-Center-Did-you-Know-Content
Turn-Off-Help-and-Support-Center-Microsoft-Knowledge-Base-Search
Turn-Off-Internet-Connection-Wizard-if-URL-Connection-is-Referring-to-Microsoft.com
Turn-Off-Internet-File-Association-Service
Turn-Off-Registration-if-URL-Connection-is-Referring-to-Microsoft.com
Turn-Off-the-Order-Prints-Picture-Task
Turn-off-the-Publish-to-Web-task-for-files-and-folders
Turn-Off-Windows-Movies-Maker-Automatic-Codec-Downloads
Turn-Off-Windows-Movie-Maker-Online-Web-Links
Turn-Off-Windows-Movie-Maker-Saving-to-Online-Video-Hosting-Provider
Do-Not-Display-the-Getting-Started-Welcome-Screen-at-Logon
Turn-off-Windows-Startup-Sound
Require-a-Password-when-a-Computer-Wakes-On-Battery
Require-a-Password-when-a-Computer-Wakes-Plugged
Allow-only-Vista-or-later-connections
Customization-Warning-Messages
Turn-on-bandwidth-optimization
Turn-on-session-logging
Prevent-IIS-Installation
Turn-Off-Active-Help
Turn-Off-Untrusted-Content
Turn-off-downloading-enclosures
Allow-indexing-of-encrypted-files
Prevent-indexing-uncached-Exchange-folders
Turn-off-Windows-Calendar
Allow-Corporate-Redirection-Customer-Experience-Improvement-Program-Uploads
Turn-off-Windows-Defender
Turn-off-heap-termination-corruption
Turn-off-shell-protocol-protected-mode
Prohibit-Non-Administrators-applying-vendorpatches
Report-logon-server-not-available-during-user-logon
Turn-off-communication-features
Turn-off-windows-mail-app
Prevent-Windows-Media-DRM-Internet-Access
Turn-off-windows-meeting-space
Turn-on-windows-meeting-space-auditing
Disable-unpacking-installation-gadgets-not-digitally-signed
Override-more-gadgets-Lnk
Turn-off-user-installed-windows-sidebar-gidgets
do_not_allow_digital_locker_to_run_var
turn_off_downloading_of_game_information
ipv6_block_protocols_41
ipv6_block_udp_3544
. . 8.3.1.1 Security Zones: Use Only Machine Settings: (5.028: CAT II) Enabled Security-Zones-Use-only-machine-settings
Internet-Explorer-Processes-Restrict-ActiveX-Install
. . 8.3.1.3 Security Zones: Do Not Allow Users to Add/Delete Sites: (5.030: CAT II) Enabled Security-Zones-Do-not-allow-users-to-add-delete-sites
. . 8.3.1.6 Disable Periodic Check for Internet Explorer Software Updates: (5.033: CAT II) Enabled Disable-Periodic-Check-for-Internet-Explorer-software-updates
Internet-Explorer-Processes-Zone-Elevation-Protection
Internet-Explorer-Processes-Consistent-MIME-Handling
Allow-software-to-run-or-install-even-if-the-signature-is-invalid
Internet-Explorer-Processes-MK-Protocol
. . 8.3.1.7 Disable Software Update Shell Notifications on Program Launch: (5.034: CAT II) Disabled Disable-software-update-shell-notifications-on-program-launch
Internet-Explorer-Processes-Restrict-File-Download
. . 8.3.1.5 Disable Automatic Install of Internet Explorer Components: (5.032: CAT II) Enabled Disable-Automatic-Install-of-Internet-Explorer-components
Turn-off-Crash-Detection
Internet-Explorer-Processes-Scripted-Window-Security-Restrictions
. . 8.3.1.2 Security Zones: Do Not Allow Users to Change Policies: (5.029: CAT II) Enabled Security-Zones-Do-not-allow-users-to-change-policies
Internet-Explorer-Processes-MIME-Sniffing
Remove-CD-Burning-features
Remove-Security-tab
Internet-Explorer-Maintenance-Policy-Processing-Enabled
Internet-Explorer-Maintenance-Policy-Processing-Enabled
Internet-Explorer-Maintenance-Policy-Processing-Enabled
Turn-on-Mapper-IO-LLTDIO-driver
Turn-on-Mapper-IO-LLTDIO-driver
Turn-on-Mapper-IO-LLTDIO-driver
Turn-on-Responder-RSPNDR-driver
Turn-on-Responder-RSPNDR-driver
Turn-on-Responder-RSPNDR-driver
Configuration-of-Wireless-Settings-Using-Windows-Connect-Now
Configuration-of-Wireless-Settings-Using-Windows-Connect-Now
Configuration-of-Wireless-Settings-Using-Windows-Connect-Now
Approved-Installation-Sites-for-ActiveX-Controls
Disable-Logging
Disable-Windows-Error-Reporting
Do-Not-Send-Additional-Data
Configure-Corporate-Windows-Error-Reporting
Remove-Default-Programs-Link-from-the-Start-Menu
Turn-off-Help-Experience-Improvement-Program
Turn-off-Help-Ratings
Turn-off-Windows-Online
Prevent-users-from-sharing-files-within-their-profile
NIST SCAP Windows Vista OVAL (SCAP-WinVista-OVAL.xml rev 2007-02-06)
NIST Office 2007 Recommendations placeholder
Microsoft Office 2007 Recommendations (Security Settings for Office 2007 Applications.xlsx)
NIST SCAP Microsoft Office 2007 OVAL (SCAP-Office2007-OVAL-Beta-v1.xml)
NIST SCAP Microsoft Office 2007 XCCDF (SCAP-Office2007-XCCDF-Beta-v1.xml)
User Configuration\Administrative Templates\Microsoft Office 2007 system\Security Settings\Disable VBA for Office applications, Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\Disable VBA for Office applications oval:org.mitre.oval:def:771 DisableVBAForOfficeApplications
User Configuration\Administrative Templates\Microsoft Office 2007 system\Security Settings\ActiveX Control Initialization (1 | 2 | 3 | 4 | 5 | 6) oval:org.mitre.oval:def:814 ActiveXControlInitialization
User Configuration\Administrative Templates\Microsoft Office 2007 system\Privacy\Trust Center\Enable Customer Experience Improvement Program oval:org.mitre.oval:def:829 EnableCustomerExperienceImprovementProgram
User Configuration\Administrative Templates\Microsoft Office 2007 system\Privacy\Trust Center\Automatically receive small updates to improve reliability oval:org.mitre.oval:def:1473 AutomaticallyReceiveSmallUpdatesToImproveReliability
User Configuration\Administrative Templates\Microsoft Office 2007 system\Tools | Options | General | Service Options...\Online Content\Online content options (Never show online content or entry points | Search only offline content whenever available | Search online content whenever available) oval:org.mitre.oval:def:1302 OnlineContentOptions
User Configuration\Administrative Templates\Microsoft Office Access 2007\Application Settings\Security\Trust Center\VBA Macro Warning Settings (Trust Bar warning for all macros | Trust Bar warning for digitally signed macros only (unsigned macros will be disabled) | No Warnings for all macros but disable all macros | No Security checks for macros (Not recommended, code in all documents can run)) oval:org.mitre.oval:def:1403 VBAMacroWarningSettings-Access
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Security\Trust Center\VBA Macro Warning Settings (Trust Bar warning for all macros | Trust Bar warning for digitally signed macros only (unsigned macros will be disabled) | No Warnings for all macros but disable all macros | No Security checks for macros (Not recommended, code in all documents can run)) oval:org.mitre.oval:def:649 VBAMacroWarningSettings-Excel
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Security\Trust Center\Trust access to Visual Basic Project oval:org.mitre.oval:def:1560 TrustAccessToVisualBasicProject-Excel
User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\PowerPoint Options\Security\Trust Center\VBA Macro Warning Settings (Trust Bar warning for all macros | Trust Bar warning for digitally signed macros only (unsigned macros will be disabled) | No Warnings for all macros but disable all macros | No Security checks for macros (Not recommended, code in all documents can run)) oval:org.mitre.oval:def:654 VBAMacroWarningSettings-PowerPoint
User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\PowerPoint Options\Security\Trust Center\Trust access to Visual Basic Project oval:org.mitre.oval:def:665 TrustAccessToVisualBasicProject-PowerPoint
oval:org.mitre.oval:def:1298 DisableRememberPassword
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Programmatic Security\Trusted Add-insConfigure trusted add-ins oval:org.mitre.oval:def:1390 ConfigureAddInTrustLevel
oval:org.mitre.oval:def:1232 DisableRememberPasswordForInternetEmailAccounts
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Minimum encryption settings oval:org.mitre.oval:def:661 MinimumEncryptionSettings
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Do not check e-mail address against address of certificates being used oval:org.mitre.oval:def:1399 DoNotCheckEmailAddressAgainstAddressOfCertificatesBeingUsed
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Send all signed messages as clear signed messages oval:org.mitre.oval:def:1388 SendAllSignedMessagesAsClearSignedMessages
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Request an S/MIME receipt for all S/MIME signed messages oval:org.mitre.oval:def:705 RequestAnSMIMEReceiptForAllSMIMESignedMessages
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Do not display 'Publish to GAL' button oval:org.mitre.oval:def:741 DoNotDisplayPublishToGALButton
User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Security\Cryptography\Signature
Warning (Let user decide if they want to
be warned | Always warn about invalid
signatures | Never warn about invalid
signatures)
oval:org.mitre.oval:def:756 SignatureWarning
User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Security\Cryptography\Enable
Cryptography Icons
oval:org.mitre.oval:def:1716 EnableCryptographyIcons
User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Security\Cryptography\Signature
Status dialog box\Retrieving CRLs
(Certificate Revocation Lists) (Use
system Default | When online always
retreive the CRL | Never retreive the
CRL)
oval:org.mitre.oval:def:1700 RetrievingCRLs
User Configuration\Administrative
Templates\Microsoft Office Word
2007\Word Options\Security\Trust
Center\VBA Macro Warning Settings
(Trust Bar warning for all macros | Trust
Bar warning for digitally signed macros
only (unsigned macros will be disabled)
| No Warnings for all macros but disable
all macros | No )
oval:org.mitre.oval:def:1350 VBMacroWarningSettings-Word
User Configuration\Administrative
Templates\Microsoft Office Word
2007\Word Options\Security\Trust
Center\Trust access to Visual Basic
Project
oval:org.mitre.oval:def:1713 TrustAccessToVisualBasicProject-Word
oval:org.mitre.oval:def:788 WarnBeforePrintingSavingOrSendingAFileThatContainsTrackedChangesOrComments
User Configuration\Administrative
Templates\Microsoft Office 2007
system\Miscellaneous\Block updates
from the Office Update Site from
applying
oval:org.mitre.oval:def:1755 BlockUpdatesFromTheOfficeUpdateSiteFromApplying
User Configuration\Administrative
Templates\Microsoft Office Access
2007\Application Settings\Web
Options\General\Underline hyperlinks
User Configuration\Administrative
Templates\Microsoft Office Access
2007\Application
Settings\General\General\Number of
documents in the Recent Documents
list (0-9)
User Configuration\Administrative
Templates\Microsoft Office Access
2007\Application Settings\Security\Trust
Center\Disable Trust Bar Notification for
unsigned application add-ins
User Configuration\Administrative
Templates\Microsoft Office Access
2007\Application Settings\Security\Trust
Center\Disable all application add-ins
User Configuration\Administrative
Templates\Microsoft Office Access
2007\Application Settings\Security\Trust
Center\Require that application add-ins
are signed by Trusted Publisher
User Configuration\Administrative
Templates\Microsoft Office Access
2007\Application Settings\Security\Trust
Center\Trusted Locations\Disable all
trusted locations
User Configuration\Administrative
Templates\Microsoft Office Access
2007\Application Settings\Security\Trust
Center\Trusted Locations\Allow Trusted
Locations not on the computer
User Configuration\Administrative
Templates\Microsoft Office Access
2007\Application Settings\Security\Trust
Center\Trusted Locations\Modal Trust
Decision Only
User Configuration\Administrative
Templates\Microsoft Office Access
2007\Disable items in user
interface\Predefined\Disable commands
User Configuration\Administrative
Templates\Microsoft Office Access
2007\Disable items in user
interface\Predefined\Disable commands
- Office Button | E-Mail
User Configuration\Administrative
Templates\Microsoft Office Access
2007\Disable items in user
interface\Predefined\Disable commands
- Office Button | Access Options |
Customize | All Commands | Insert
Hyperlink
User Configuration\Administrative
Templates\Microsoft Office Access
2007\Disable items in user
interface\Predefined\Disable commands
- Database Tools | Database Tools |
Encrypt with Password
User Configuration\Administrative
Templates\Microsoft Office Access
2007\Disable items in user
interface\Predefined\Disable commands
- Database Tools | Administer | Users
and Permission | User and Group
Permissions
User Configuration\Administrative
Templates\Microsoft Office Access
2007\Disable items in user
interface\Predefined\Disable commands
- Database Tools | Administer | Users
and Permissions | User and Group
Accounts
User Configuration\Administrative
Templates\Microsoft Office Access
2007\Disable items in user
interface\Predefined\Disable commands
- Database Tools | Administer | Users
and Permission | User-Level Security
Wizard...
User Configuration\Administrative
Templates\Microsoft Office Access
2007\Disable items in user
interface\Predefined\Disable commands
- Database Tools | Database Tools |
Encode/Decode Database
User Configuration\Administrative
Templates\Microsoft Office Access
2007\Disable items in user
interface\Predefined\Disable commands
- Database Tools | Macro | Visual Basic
User Configuration\Administrative
Templates\Microsoft Office Access
2007\Disable items in user
interface\Predefined\Disable commands
- Database Tools | Macro | Run Macro
User Configuration\Administrative
Templates\Microsoft Office Access
2007\Disable items in user
interface\Predefined\Database Tools |
Macro | Convert Macros to Visual Basic
User Configuration\Administrative
Templates\Microsoft Office Access
2007\Disable items in user
interface\Predefined\Database Tools |
Macro | Create Shortcut Menu from
Macro
User Configuration\Administrative
Templates\Microsoft Office Access
2007\Disable items in user
interface\Predefined\Disable shortcut
keys
User Configuration\Administrative
Templates\Microsoft Office Access
2007\Disable items in user
interface\Predefined\Disable commands
- Ctrl+K (Office Button | Access Options
| Customize | All Commands | Insert
Hyperlinks)
User Configuration\Administrative
Templates\Microsoft Office Access
2007\Disable items in user
interface\Predefined\Disable commands
- Alt+F11 (Database Tools | Macro |
Visual Basic)
User Configuration\Administrative
Templates\Microsoft Office Access
2007\Miscellaneous\Default file format
(Access 2007 | Access 2002-2003)
User Configuration\Administrative
Templates\Microsoft Office Access
2007\Miscellaneous\Do not prompt to
convert older databases
User Configuration\Administrative
Templates\Microsoft Office Excel
2007\Excel
Options\Proofing\Autocorrect
Options\Internet and network paths as
hyperlinks
User Configuration\Administrative
Templates\Microsoft Office Excel
2007\Excel Options\Save\Save Excel
files as (Excel Workbook (*.xlsx) | Excel
Macro-Enabled Workbook (*.xlsm) |
Excel Binary Workbook (*.xlsb) | Web
Page (*.htm; *.html) | Excel 97-2003
Workbook (*.xls) | Excel 5.0/95
Workbook (*.xls))
User Configuration\Administrative
Templates\Microsoft Office Excel
2007\Excel Options\Save\Disable
AutoRepublish
User Configuration\Administrative
Templates\Microsoft Office Excel
2007\Excel
Options\Save\AutoRepublish Warning
Alert (Always show the alert before
publishing | Never show the alert before
publishing)
User Configuration\Administrative
Templates\Microsoft Office Excel
2007\Excel Options\Security\Determine
whether to force encrypted macros to
be scanned in Microsoft Excel Open
XML workbooks
User Configuration\Administrative
Templates\Microsoft Office Excel
2007\Excel Options\Security\Force file
extension to match file type (Allow
different | Allow different, but warn |
Always match file type)
User Configuration\Administrative
Templates\Microsoft Office Excel
2007\Excel Options\Security\Trust
Center\Store macro in Personal Macro
Workbook by default
User Configuration\Administrative
Templates\Microsoft Office Excel
2007\Excel Options\Security\Trust
Center\Disable all application add-ins
User Configuration\Administrative
Templates\Microsoft Office Excel
2007\Excel Options\Security\Trust
Center\Require that application add-ins
are signed by Trusted Publisher
User Configuration\Administrative
Templates\Microsoft Office Excel
2007\Excel Options\Security\Trust
Center\Disable Trust Bar Notification for
unsigned application add-ins
User Configuration\Administrative
Templates\Microsoft Office Excel
2007\Excel Options\Security\Trust
Center\Trusted Locations\Allow Trusted
Locations not on the computer
User Configuration\Administrative
Templates\Microsoft Office Excel
2007\Excel Options\Security\Trust
Center\Trusted Locations\Disable all
trusted locations
User Configuration\Administrative
Templates\Microsoft Office Excel
2007\Excel Options\Advanced\Ignore
other applications
User Configuration\Administrative
Templates\Microsoft Office Excel
2007\Excel Options\Advanced\Ask to
update automatic links
User Configuration\Administrative
Templates\Microsoft Office Excel
2007\Excel Options\Advanced\Number
of documents in the Recent Documents
list (0-17)
User Configuration\Administrative
Templates\Microsoft Office Excel
2007\Excel Options\Advanced\Web
Options\General\Save any additional
data necessary to maintain formulas
User Configuration\Administrative
Templates\Microsoft Office Excel
2007\Excel Options\Advanced\Web
Options\General\Load pictures from
Web pages not created in Excel
User Configuration\Administrative
Templates\Microsoft Office Excel
2007\Data Recovery\Do not show data
extraction options when opening corrupt
workbooks
User Configuration\Administrative
Templates\Microsoft Office Excel
2007\Data Recovery\Assume structured
storage format of workbook is intact
when recovering data
User Configuration\Administrative
Templates\Microsoft Office Excel
2007\Data Recovery\Corrupt formula
conversion (Convert unrecoverable
references to: values | #REF or
#NAME)
User Configuration\Administrative
Templates\Microsoft Office Excel
2007\Data Access Security\Connection
File Locations
User Configuration\Administrative
Templates\Microsoft Office Excel
2007\Data Access Security\Automatic
Query Refresh (Prompt for all
workbooks | Do not prompt; do not allow
auto refresh | Do not prompt; allow auto
refresh)
User Configuration\Administrative
Templates\Microsoft Office Excel
2007\Disable items in user
interface\Predefined\Disable commands
User Configuration\Administrative
Templates\Microsoft Office Excel
2007\Disable items in user
interface\Predefined\Disable commands
- Office Button | Excel Options |
Customize | All Commands | Save as
Web Page
User Configuration\Administrative
Templates\Microsoft Office Excel
2007\Disable items in user
interface\Predefined\Disable commands
- Office Button | Excel Options |
Customize | All Commands | Web Page
Preview
User Configuration\Administrative
Templates\Microsoft Office Excel
2007\Disable items in user
interface\Predefined\Disable commands
- Office Button | Send | Email
User Configuration\Administrative
Templates\Microsoft Office Excel
2007\Disable items in user
interface\Predefined\Disable commands
- Insert | Links | Hyperlink
User Configuration\Administrative
Templates\Microsoft Office Excel
2007\Disable items in user
interface\Predefined\Disable commands
- Review | Changes | Protect Sheet
User Configuration\Administrative
Templates\Microsoft Office Excel
2007\Disable items in user
interface\Predefined\Disable commands
- Review | Changes | Protect Workbook
User Configuration\Administrative
Templates\Microsoft Office Excel
2007\Disable items in user
interface\Predefined\Disable commands
- Review | Changes | Protect and Share
Workbook
User Configuration\Administrative
Templates\Microsoft Office Excel
2007\Disable items in user
interface\Predefined\Disable commands
- View | Macros | Macros
User Configuration\Administrative
Templates\Microsoft Office Excel
2007\Disable items in user
interface\Predefined\Disable commands
- Developer | Code | Macros
User Configuration\Administrative
Templates\Microsoft Office Excel
2007\Disable items in user
interface\Predefined\Disable commands
- Developer | Code | Record Macro
User Configuration\Administrative
Templates\Microsoft Office Excel
2007\Disable items in user
interface\Predefined\Disable commands
- Developer | Code | Macro Security
User Configuration\Administrative
Templates\Microsoft Office Excel
2007\Disable items in user
interface\Predefined\Disable commands
- Developer | Code | Visual Basic
User Configuration\Administrative
Templates\Microsoft Office Excel
2007\Disable items in user
interface\Predefined\Disable commands
- Office Button | Excel Options |
Customize | All Commands | Document
Location
User Configuration\Administrative
Templates\Microsoft Office Excel
2007\Disable items in user
interface\Predefined\Disable shortcut
keys
User Configuration\Administrative
Templates\Microsoft Office Excel
2007\Disable items in user
interface\Predefined\Disable shortcut
keys - Ctrl+K (Insert | Links | Hyperlink)
User Configuration\Administrative
Templates\Microsoft Office Excel
2007\Disable items in user
interface\Predefined\Disable shortcut
keys - Alt+F8 (Developer | Code |
Macros)
User Configuration\Administrative
Templates\Microsoft Office Excel
2007\Disable items in user
interface\Predefined\Disable shortcut
keys - Alt+F11 (Developer | Code |
Visual Basic)
User Configuration\Administrative
Templates\Microsoft Office Excel
2007\Block file formats\Open\Block
opening of pre-release versions of file
formats new to Excel 2007
User Configuration\Administrative
Templates\Microsoft Office Excel
2007\Block file formats\Open\Block
opening of Open XML file types
User Configuration\Administrative
Templates\Microsoft Office Excel
2007\Block file formats\Open\Block
opening of Binary 12 file types
User Configuration\Administrative
Templates\Microsoft Office Excel
2007\Block file formats\Open\Block
opening of Binary file types
User Configuration\Administrative
Templates\Microsoft Office Excel
2007\Block file formats\Open\Block
opening of Html and Xmlss files types
User Configuration\Administrative
Templates\Microsoft Office Excel
2007\Block file formats\Open\Block
opening of Xml file types
User Configuration\Administrative
Templates\Microsoft Office Excel
2007\Block file formats\Open\Block
opening of DIF and SYLK file types
User Configuration\Administrative
Templates\Microsoft Office Excel
2007\Block file formats\Open\Block
opening of Text file types
User Configuration\Administrative
Templates\Microsoft Office Excel
2007\Block file formats\Open\Block
opening of Xll file type
User Configuration\Administrative
Templates\Microsoft Office Excel
2007\Block file formats\Save\Block
saving of Open Xml file types
User Configuration\Administrative
Templates\Microsoft Office Excel
2007\Block file formats\Save\Block
saving of Binary12 file types
User Configuration\Administrative
Templates\Microsoft Office Excel
2007\Block file formats\Save\Block
saving of Binary file types
User Configuration\Administrative
Templates\Microsoft Office Excel
2007\Block file formats\Save\Block
saving of Html and Xmlss file types
User Configuration\Administrative
Templates\Microsoft Office Excel
2007\Block file formats\Save\Block
saving Xml file types
User Configuration\Administrative
Templates\Microsoft Office Excel
2007\Block file formats\Save\Block
saving DIF and SYLK file types
User Configuration\Administrative
Templates\Microsoft Office Excel
2007\Block file formats\Save\Block
saving of Text file types
User Configuration\Administrative
Templates\Microsoft Office Excel
2007\Miscellaneous\Locally cache
network file storages
User Configuration\Administrative
Templates\Microsoft Office Excel
2007\Miscellaneous\Locally cache
PivotTable reports
User Configuration\Administrative
Templates\Microsoft Office Excel
2007\Miscellaneous\OLAP PivotTable
User Defined Function (UDF) security
setting (Allow ALL UDFs | Allow safe
UDFs only | Allow NO UDFs)
User Configuration\Administrative
Templates\Microsoft Office Excel
2007\Miscellaneous\Recognize
SmartTags
User Configuration\Administrative
Templates\Microsoft Office InfoPath
2007\Tools | Options\General\Number
of documents in the Recent Documents
list (0 - 9)
User Configuration\Administrative
Templates\Microsoft Office InfoPath
2007\Tools |
Options\Advanced\Offline\Offline Mode
status (Disabled | Enabled, InfoPath in
Offline Mode | Enabled, InfoPath not in
Offline Mode)
User Configuration\Administrative
Templates\Microsoft Office InfoPath
2007\Disable items in user
interface\Predefined\Disable commands
User Configuration\Administrative
Templates\Microsoft Office InfoPath
2007\Disable items in user
interface\Predefined\Disable commands
- File | Print
User Configuration\Administrative
Templates\Microsoft Office InfoPath
2007\Disable items in user
interface\Predefined\Disable commands
- File | Send to Mail Recipient
User Configuration\Administrative
Templates\Microsoft Office InfoPath
2007\Disable items in user
interface\Predefined\Disable commands
- File | Open from SharePoint Site
User Configuration\Administrative
Templates\Microsoft Office InfoPath
2007\Disable items in user
interface\Predefined\Disable commands
- File | Print Preview
User Configuration\Administrative
Templates\Microsoft Office InfoPath
2007\Disable items in user
interface\Predefined\Disable commands
- File | Page Setup
User Configuration\Administrative
Templates\Microsoft Office InfoPath
2007\Disable items in user
interface\Predefined\Disable commands
- Insert | Hyperlinks...
User Configuration\Administrative
Templates\Microsoft Office InfoPath
2007\Disable items in user
interface\Predefined\Disable commands
- Tools | Set Language
User Configuration\Administrative
Templates\Microsoft Office InfoPath
2007\Disable items in user
interface\Predefined\Disable commands
- Tools | Customize...
User Configuration\Administrative
Templates\Microsoft Office InfoPath
2007\Disable items in user
interface\Predefined\Disable commands
- Tools | Options...
User Configuration\Administrative
Templates\Microsoft Office InfoPath
2007\Disable items in user
interface\Predefined\Disable commands
- Help | Microsoft Office Online
User Configuration\Administrative
Templates\Microsoft Office InfoPath
2007\Disable items in user
interface\Predefined\Disable commands
- Office Diagnostics
User Configuration\Administrative
Templates\Microsoft Office InfoPath
2007\Disable items in user
interface\Predefined\Disable commands
- Help | Activate Product...
User Configuration\Administrative
Templates\Microsoft Office InfoPath
2007\Disable items in user
interface\Predefined\Disable commands
- Print Default
User Configuration\Administrative
Templates\Microsoft Office InfoPath
2007\Disable items in user
interface\Predefined\Disable shortcut
keys
User Configuration\Administrative
Templates\Microsoft Office InfoPath
2007\Disable items in user
interface\Predefined\Disable shortcut
keys - Print Shortcut (Ctrl+P)
User Configuration\Administrative
Templates\Microsoft Office InfoPath
2007\Disable items in user
interface\Predefined\Disable shortcut
keys - Insert Hyperlink Shortcut (Ctrl+K)
User Configuration\Administrative
Templates\Microsoft Office InfoPath
2007\Security\Control behavior for
Windows SharePoint Services gradual
upgrade (Allow redirections to any
location | Allow redirections to Intranet
only | Block all redirections)
User Configuration\Administrative
Templates\Microsoft Office InfoPath
2007\Security\Disable opening of
solutions from the Internet security zone
User Configuration\Administrative
Templates\Microsoft Office InfoPath
2007\Security\Disable fully trusted
solutions full access to computer
User Configuration\Administrative
Templates\Microsoft Office InfoPath
2007\Security\Allow the use of ActiveX
Custom Controls in InfoPath forms
User Configuration\Administrative
Templates\Microsoft Office InfoPath
2007\Security\Run forms in restricted
mode if they do not specify a publish
location and use only features
introduced before InfoPath 2003 SP1
User Configuration\Administrative
Templates\Microsoft Office InfoPath
2007\Security\Allow file types as
attachments to forms
User Configuration\Administrative
Templates\Microsoft Office InfoPath
2007\Security\Block specific file types
as attachments to forms
User Configuration\Administrative
Templates\Microsoft Office InfoPath
2007\Security\Prevent users from
allowing unsafe file types to be attached
to forms
User Configuration\Administrative
Templates\Microsoft Office InfoPath
2007\Security\Display a warning that a
form is digitally signed
User Configuration\Administrative
Templates\Microsoft Office InfoPath
2007\Security\Control behavior when
opening forms in the Internet security
zone (Block | Prompt | Allow)
User Configuration\Administrative
Templates\Microsoft Office InfoPath
2007\Security\Control behavior when
opening forms in the Intranet security
zone (Block | Prompt | Allow)
User Configuration\Administrative
Templates\Microsoft Office InfoPath
2007\Security\Control behavior when
opening forms in the Local Machine
security zone (Block | Prompt | Allow)
User Configuration\Administrative
Templates\Microsoft Office InfoPath
2007\Security\Control behavior when
opening forms in the Trusted Site
security zone (Block | Prompt | Allow)
User Configuration\Administrative
Templates\Microsoft Office InfoPath
2007\Security\Beaconing UI for forms
opened in InfoPath (Never show
beaconing UI | Always show beaconing
UI | Show UI if Form Template is from
Internet Zone)
User Configuration\Administrative
Templates\Microsoft Office InfoPath
2007\Security\Beaconing UI for forms
opened in InfoPath Editor ActiveX
(Never show beaconing UI | Always
show beaconing UI | Show UI if Form
Template is from Internet Zone)
User Configuration\Administrative
Templates\Microsoft Office InfoPath
2007\Security\Trust Center\Disable all
application add-ins
User Configuration\Administrative
Templates\Microsoft Office InfoPath
2007\Security\Trust Center\Require that
application add-ins are signed by
Trusted Publisher
User Configuration\Administrative
Templates\Microsoft Office InfoPath
2007\Security\Trust Center\Disable
Trust Bar Notification for unsigned
application add-ins
User Configuration\Administrative
Templates\Microsoft Office InfoPath
2007\Disable items in user
interface\Control behavior when
opening InfoPath e-mail forms
containing code or script (Run without
prompting | Prompt before running |
Never run)
User Configuration\Administrative
Templates\Microsoft Office InfoPath
2007\Disable items in user
interface\Disable sending form template
with e-mail forms
User Configuration\Administrative
Templates\Microsoft Office InfoPath
2007\Disable items in user
interface\Disable dynamic caching of
the form template in InfoPath e-mail
forms
User Configuration\Administrative
Templates\Microsoft Office InfoPath
2007\Disable items in user
interface\Disable sending InfoPath 2003
Forms as e-mail forms
User Configuration\Administrative
Templates\Microsoft Office InfoPath
2007\Disable items in user
interface\Disable e-mail forms running
in restricted security level
User Configuration\Administrative
Templates\Microsoft Office InfoPath
2007\Disable items in user
interface\Disable e-mail forms from the
Internet security zone
User Configuration\Administrative
Templates\Microsoft Office InfoPath
2007\Disable items in user
interface\Disable e-mail forms from the
Intranet security zone
User Configuration\Administrative
Templates\Microsoft Office InfoPath
2007\Disable items in user
interface\Disable e-mail forms from the
Full Trust security zone
User Configuration\Administrative
Templates\Microsoft Office InfoPath
2007\Disable items in user
interface\Disable InfoPath e-mail forms
in Outlook
User Configuration\Administrative
Templates\Microsoft Office InfoPath
2007\Restricted Features\Information
Rights Management
User Configuration\Administrative
Templates\Microsoft Office InfoPath
2007\Restricted Features\Custom code
User Configuration\Administrative
Templates\Microsoft Office InfoPath
2007\Miscellaneous\Email Forms
Beaconing UI (Never show UI | Always
show UI | Show UI if XSN is in Internet
Zone)
User Configuration\Administrative
Templates\Microsoft Office 2007
system\Global
Options\Customize\Disable user
customization of Quick Access Toolbar
via UI
User Configuration\Administrative
Templates\Microsoft Office 2007
system\Global
Options\Customize\Disable user
customization of Quick Access Toolbar
via UI - Disallow in Word
User Configuration\Administrative
Templates\Microsoft Office 2007
system\Global
Options\Customize\Disable user
customization of Quick Access Toolbar
via UI - Disallow in Excel
User Configuration\Administrative
Templates\Microsoft Office 2007
system\Global
Options\Customize\Disable user
customization of Quick Access Toolbar
via UI - Disallow in PowerPoint
User Configuration\Administrative
Templates\Microsoft Office 2007
system\Global
Options\Customize\Disable user
customization of Quick Access Toolbar
via UI - Disallow in Access
User Configuration\Administrative
Templates\Microsoft Office 2007
system\Global
Options\Customize\Disable user
customization of Quick Access Toolbar
via UI - Disallow in Outlook
User Configuration\Administrative
Templates\Microsoft Office 2007
system\Global
Options\Customize\Disable all user
customization of Quick Access Toolbar
User Configuration\Administrative
Templates\Microsoft Office 2007
system\Global
Options\Customize\Disable all user
customization of Quick Access Toolbar -
Disallow in Word
User Configuration\Administrative
Templates\Microsoft Office 2007
system\Global
Options\Customize\Disable all user
customization of Quick Access Toolbar -
Disallow in Excel
User Configuration\Administrative
Templates\Microsoft Office 2007
system\Global
Options\Customize\Disable all user
customization of Quick Access Toolbar -
Disallow in PowerPoint
User Configuration\Administrative
Templates\Microsoft Office 2007
system\Global
Options\Customize\Disable all user
customization of Quick Access Toolbar -
Disallow in Access
User Configuration\Administrative
Templates\Microsoft Office 2007
system\Global
Options\Customize\Disable all user
customization of Quick Access Toolbar -
Disallow in Outlook
User Configuration\Administrative
Templates\Microsoft Office 2007
system\Global
Options\Customize\Disable UI
extending from documents and
templates
User Configuration\Administrative
Templates\Microsoft Office 2007
system\Global
Options\Customize\Disable UI
extending from documents and
templates - Disallow in Word
User Configuration\Administrative
Templates\Microsoft Office 2007
system\Global
Options\Customize\Disable UI
extending from documents and
templates - Disallow in Excel
User Configuration\Administrative
Templates\Microsoft Office 2007
system\Global
Options\Customize\Disable UI
extending from documents and
templates - Disallow in PowerPoint
User Configuration\Administrative
Templates\Microsoft Office 2007
system\Global
Options\Customize\Disable UI
extending from documents and
templates - Disallow in Access
User Configuration\Administrative
Templates\Microsoft Office 2007
system\Global
Options\Customize\Disable UI
extending from documents and
templates - Disallow in Outlook
User Configuration\Administrative
Templates\Microsoft Office 2007
system\Tools | AutoCorrect Options...
(Excel, Word, PowerPoint and
Access)\Recognize smart tags in Excel
User Configuration\Administrative
Templates\Microsoft Office 2007
system\Tools | Options | General | Web
Options...\Disable Clip Art and Media
downloads from the client and from
Office Online website
User Configuration\Administrative
Templates\Microsoft Office 2007
system\Tools | Options | General | Web
Options...\Disable template downloads
from the client and from Office Online
website
User Configuration\Administrative
Templates\Microsoft Office 2007
system\Tools | Options | General | Web
Options...\Disable access to updates,
add-ins, and patches on the Office
Online website
User Configuration\Administrative
Templates\Microsoft Office 2007
system\Tools | Options | General | Web
Options...\Prevents users from
uploading document templates to the
Office Online community.
User Configuration\Administrative
Templates\Microsoft Office 2007
system\Tools | Options | General | Web
Options...\Disable training practice
downloads from the Office Online
website
User Configuration\Administrative
Templates\Microsoft Office 2007
system\Tools | Options | General | Web
Options...\Disable customer-submitted
templates downloads from Office Online
User Configuration\Administrative
Templates\Microsoft Office 2007
system\Tools | Options | General | Web
Options...\Files\Open Office documents
as read/write while browsing
User Configuration\Administrative
Templates\Microsoft Office 2007
system\Tools | Options | General | Web
Options...\Browsers\Rely on VML for
displaying graphics in browsers
User Configuration\Administrative
Templates\Microsoft Office 2007
system\Tools | Options | General | Web
Options...\Browsers\Allow PNG as an
output format
User Configuration\Administrative
Templates\Microsoft Office 2007
system\Tools | Options |
Spelling\Proofing Data
Collection\Improve Proofing Tools
User Configuration\Administrative
Templates\Microsoft Office 2007
system\Privacy\Trust Center\Disable
Opt-in Wizard on first run
User Configuration\Administrative
Templates\Microsoft Office 2007
system\Help\Microsoft Office Online
User Configuration\Administrative
Templates\Microsoft Office 2007
system\Security Settings\Disable
Password Caching
User Configuration\Administrative
Templates\Microsoft Office 2007
system\Security Settings\Disable all
Trust Bar notifications for security
issues
User Configuration\Administrative
Templates\Microsoft Office 2007
system\Security Settings\Protect
document metadata for rights managed
Office Open XML Files
User Configuration\Administrative
Templates\Microsoft Office 2007
system\Security Settings\Protect
document metadata for password
protected files.
User Configuration\Administrative
Templates\Microsoft Office 2007
system\Security Settings\Encryption
type for password protected Office
Open XML files
User Configuration\Administrative
Templates\Microsoft Office 2007
system\Security Settings\Encryption
type for password protected Office 97-
2003 files
User Configuration\Administrative
Templates\Microsoft Office 2007
system\Security Settings\Load Controls
in Forms3 (1 | 2 | 3 | 4)
User Configuration\Administrative
Templates\Microsoft Office 2007
system\Security Settings\Automation
Security (Disable macros by default |
Use application macro security level |
Macros enabled)
User Configuration\Administrative
Templates\Microsoft Office 2007
system\Security Settings\Prevent Word
and Excel from loading managed code
extensions
User Configuration\Administrative
Templates\Microsoft Office 2007
system\Security Settings\Disable
hyperlink warnings
User Configuration\Administrative
Templates\Microsoft Office 2007
system\Security Settings\Disable
password to open UI
User Configuration\Administrative
Templates\Microsoft Office 2007
system\Security Settings\Download
Office Controls
User Configuration\Administrative
Templates\Microsoft Office 2007
system\Security Settings\Disable All
ActiveX
User Configuration\Administrative
Templates\Microsoft Office 2007
system\Security Settings\Trust
Center\Allow mix of policy and user
locations
User Configuration\Administrative
Templates\Microsoft Office 2007
system\Smart Documents (Word,
Excel)\Disable Smart Document's use of
manifests
User Configuration\Administrative
Templates\Microsoft Office 2007
system\Smart Documents (Word,
Excel)\Completely disable the Smart
Documents feature in Word and Excel
User Configuration\Administrative
Templates\Microsoft Office 2007
system\Services\Fax\Disable Internet
Fax feature
User Configuration\Administrative
Templates\Microsoft Office 2007
system\Manage Restricted
Permissions\Prevent users from
changing permissions on rights
managed content
User Configuration\Administrative
Templates\Microsoft Office 2007
system\Manage Restricted
Permissions\Allow users with earlier
versions of Office to read with
browsers...
User Configuration\Administrative
Templates\Microsoft Office 2007
system\Manage Restricted
Permissions\Always require users to
connect to verify permission
User Configuration\Administrative
Templates\Microsoft Office 2007
system\Manage Restricted
Permissions\Always expand groups in
Office when restricting permission for
documents
User Configuration\Administrative
Templates\Microsoft Office 2007
system\Manage Restricted
Permissions\Never allow users to
specify groups when restricting
permission for documents
User Configuration\Administrative
Templates\Microsoft Office 2007
system\Manage Restricted
Permissions\Disable Microsoft Passport
service for content with restricted
permission
User Configuration\Administrative
Templates\Microsoft Office 2007
system\Manage Restricted
Permissions\Do not allow users to
upgrade Information Rights
Management configuration
User Configuration\Administrative
Templates\Microsoft Office 2007
system\Signing\Key Usage Filtering
User Configuration\Administrative
Templates\Microsoft Office 2007
system\Signing\EKU filtering
User Configuration\Administrative
Templates\Microsoft Office 2007
system\Signing\Legacy format
signatures
User Configuration\Administrative
Templates\Microsoft Office 2007
system\Signing\Suppress Office Signing
Providers (Enable Western and East
Asian | Suppress default Western |
Suppress default East Asian | Suppress
both Western and East Asian)
User Configuration\Administrative
Templates\Microsoft Office 2007
system\Signing\Suppress external
signature services menu item
User Configuration\Administrative
Templates\Microsoft Office 2007
system\Office Diagnostics\Disable
Check For Solutions
User Configuration\Administrative
Templates\Microsoft Office 2007
system\Microsoft Save As PDF and
XPS add-ins\Disable inclusion of
document properties in PDF and XPS
output
User Configuration\Administrative
Templates\Microsoft Office 2007
system\Document Information
Panel\Disable Document Information
Panel
User Configuration\Administrative
Templates\Microsoft Office 2007
system\Document Information
Panel\Document Information Panel
Beaconing UI (Never show UI | Always
show UI | Show UI if XSN is in Internet
Zone)
User Configuration\Administrative
Templates\Microsoft Office 2007
system\Server Settings\Disable the
Office client from polling the Office
server for published links
User Configuration\Administrative
Templates\Microsoft Office 2007
system\Office 2007 Converters\Block
opening of pre-release versions of file
formats new to Word 2007 through the
Compatibility Pack for the 2007 Office
system and Word 2007 Open
XML/Word 97-2003 Format Converter
User Configuration\Administrative
Templates\Microsoft Office 2007
system\Office 2007 Converters\Block
opening of pre-release versions of file
formats new to Excel 2007 through the
Compatibility Pack for the 2007 Office
system and Excel 2007 Converter
User Configuration\Administrative
Templates\Microsoft Office 2007
system\Office 2007 Converters\Block
opening of pre-release versions of file
formats new to PowerPoint 2007
through the Compatibility Pack for the
2007 Office system and PowerPoint
2007 Converter
User Configuration\Administrative
Templates\Microsoft Office 2007
system\Miscellaneous\Control Blogging
(Enabled | Only SharePoint blogs
allowed | All blogging disabled)
User Configuration\Administrative
Templates\Microsoft Office 2007
system\Miscellaneous\Enable Smart
Resume
User Configuration\Administrative
Templates\Microsoft Office 2007
system\Miscellaneous\Do not upload
media files
User Configuration\Administrative
Templates\Microsoft Office 2007
system\Miscellaneous\Disable
hyperlinks to web templates in File |
New and task panes
User Configuration\Administrative
Templates\Microsoft Office 2007
system\Miscellaneous\Prevent access
to Web-based file storage
User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Tools | Options...\Preferences\E-
mail Options\Do not allow attachment
previewing in Outlook
User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Tools | Options...\Preferences\E-
mail Options\Read e-mail as plain text
User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Tools | Options...\Preferences\E-
mail Options\Read signed e-mail as
plain text
User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Tools |
Options...\Preferences\Calendar
Options\Microsoft Office Online Sharing
Service\Prevent publishing to Office
Online
User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Tools |
Options...\Preferences\Calendar
Options\Microsoft Office Online Sharing
Service\Prevent publishing to a DAV
server
User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Tools |
Options...\Preferences\Calendar
Options\Microsoft Office Online Sharing
Service\Restrict level of calendar details
users can publish (All options are
available | Disables 'Full details' |
Disables 'Full details' and 'Limited
details')
User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Tools |
Options...\Preferences\Calendar
Options\Microsoft Office Online Sharing
Service\Access to published calendars
User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Tools |
Options...\Preferences\Calendar
Options\Microsoft Office Online Sharing
Service\Restrict upload method
User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Tools |
Options...\Preferences\Junk E-mail\Hide
Junk Mail UI
User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Tools |
Options...\Preferences\Junk E-mail\Junk
E-mail protection level (No Protection,
Low, High, Trusted Lists Only)
User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Tools |
Options...\Preferences\Junk E-
mail\Trust E-mail from Contacts
User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Tools |
Options...\Preferences\Junk E-mail\Add
e-mail recipients to users' Safe Senders
Lists
User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Tools | Options...\Mail Setup\Dial-
up options
User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Tools | Options...\Mail Setup\Dial-
up options - Warn before switching dial-
up connection
User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Tools | Options...\Mail Setup\Dial-
up options - Hang up when finished
sending, receiving, or updating
User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Tools | Options...\Mail Setup\Dial-
up options - Automatically dial during a
background Send/Receive
User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Tools | Options...\Mail Format\Do
not allow creating, replying, or
forwarding signatures for e-mail
messages
User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Tools | Options...\Mail
Format\Internet Formatting\Send copy
of pictures with HTML messages
instead of reference to Internet location
User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Tools | Options...\Mail
Format\Internet Formatting\Outlook
Rich Text options (Convert to HTML |
Convert to Plain Text format | Send
Using Outlook Rich Text format)
User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Tools | Options...\Mail
Format\Internet Formatting\Plain text
options
User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Tools | Options...\Mail
Format\Internet Formatting\Plain text
options - Encode attachments in
UUENCODE format when sending a
plain text message
User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Tools | Options...\Mail
Format\Internet Formatting\Message
Format\Set message format (HTML |
Rich Text | Plain Text)
User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Tools | Options...\Other\Make
Outlook the default program for E-mail,
Contacts, and Calendar
User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Tools |
Options...\Other\Advanced\Do not allow
folders in non-default stores to be set as
folder home pages
User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Tools |
Options...\Other\Advanced\Use Unicode
format when dragging e-mail message
to file system
User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Tools |
Options...\Other\Advanced\Do not allow
Outlook object model scripts to run for
shared folders
User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Tools |
Options...\Other\Advanced\Do not allow
Outlook object model scripts to run for
public folders
User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Tools | Options...\Other\Person
Names\Set maximum level of online
status on a person name (Do not allow |
Allow everywhere except To and CC
field | Allow everywhere)
User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Tools | Options...\Other\Person
Names\Display online status on a
person name (Never | Everywhere
except To and CC field | Everywhere)
User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Tools | Options...\Other\Person
Names\Turn off Enable the Person
Names Smart Tag option
User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Security\Security Form
Settings\Outlook Security Mode
(Outlook Default Security | Use Security
Form from 'Outlook Security Settings'
Public Folder | Use Security Form from
'Outlook 10 Security Settings' Public
Folder | Use Outlook Security Group
Policy)
User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Security\Security Form
Settings\Attachment Security\Display
Level 1 attachments
User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Security\Security Form
Settings\Attachment Security\Allow
users to demote attachments to Level 2
User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Security\Security Form
Settings\Attachment Security\Do not
prompt about Level 1 attachments when
sending an item
User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Security\Security Form
Settings\Attachment Security\Do not
prompt about Level 1 attachments when
closing an item
User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Security\Security Form
Settings\Attachment Security\Allow in-
place activation of embedded OLE
objects
User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Security\Security Form
Settings\Attachment Security\Display
OLE package objects
User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Security\Security Form
Settings\Attachment Security\Add file
extensions to block as Level 1
User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Security\Security Form
Settings\Attachment Security\Remove
file extensions blocked as Level 1
User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Security\Security Form
Settings\Attachment Security\Add file
extensions to block as Level 2
User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Security\Security Form
Settings\Attachment Security\Remove
file extensions blocked as Level 2
User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Security\Security Form
Settings\Custom Form Security\Allow
scripts in one-off Outlook forms
User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Security\Security Form
Settings\Custom Form Security\Set
Outlook object model Custom Actions
execution prompt (Prompt User |
Automatically Approve | Automatically
Deny | Prompt user based on computer
security)
User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Security\Security Form
Settings\Custom Form Security\Set
control ItemProperty prompt (Prompt
User | Automatically Approve |
Automatically Deny | Prompt user based
on computer security)
User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Security\Security Form
Settings\Programmatic
Security\Configure Outlook object
model prompt when sending mail
(Prompt User | Automatically Approve |
Automatically Deny | Prompt user based
on computer security)
User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Security\Security Form
Settings\Programmatic
Security\Configure Outlook object
model prompt when accessing an
address book (Prompt User |
Automatically Approve | Automatically
Deny | Prompt user based on computer
security)
User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Security\Security Form
Settings\Programmatic
Security\Configure Outlook object
model prompt when reading address
information (Prompt User | Automatically
Approve | Automatically Deny | Prompt
user based on computer security)
User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Security\Security Form
Settings\Programmatic
Security\Configure Outlook object
model prompt when responding to
meeting and task requests (Prompt
User | Automatically Approve |
Automatically Deny | Prompt user based
on computer security)
User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Security\Security Form
Settings\Programmatic
Security\Configure Outlook object
model prompt when executing Save As
(Prompt User | Automatically Approve |
Automatically Deny | Prompt user based
on computer security)
User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Security\Security Form
Settings\Programmatic
Security\Configure Outlook object
model prompt When accessing the
Formula property of a UserProperty
object (Prompt User | Automatically
Approve | Automatically Deny | Prompt
user based on computer security)
User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Security\Security Form
Settings\Programmatic
Security\Configure Outlook object
model prompt when accessing address
information via UserProperties.Find
(Prompt User | Automatically Approve |
Automatically Deny | Prompt user based
on computer security)
User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Security\Cryptography\Required
Certificate Authority
User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Security\Cryptography\S/MIME
interoperability with external clients:
(Handle internally | Handle externally |
Handle if possible)
User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Security\Cryptography\Always use
Rich Text formatting in S/MIME
messages
User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Security\Cryptography\S/MIME
password settings
User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Security\Cryptography\S/MIME
password settings - Default S/MIME
password time (minutes): (0 -
2147483647)
User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Security\Cryptography\S/MIME
password settings - Maximum S/MIME
password time (minutes): (0 -
2147483647)
User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Security\Cryptography\Message
Formats
User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Security\Cryptography\Message
Formats - Support the following
message formats: (S/MIME | Exchange
| Fortezza | S/MIME and Exchange |
S/MIME and Fortezza | Exchange and
Fortezza | S/MIME, Exchange, and
Fortezza)
User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Security\Cryptography\Do not
provide Continue option on Encryption
warning dialog boxes
User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Security\Cryptography\Run in
FIPS compliant mode
User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Security\Cryptography\Encrypt all
e-mail messages
User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Security\Cryptography\Sign all e-
mail messages
User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Security\Cryptography\URL for
S/MIME certificates
User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Security\Cryptography\Ensure all
S/MIME signed messages have a label
User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Security\Cryptography\S/MIME
receipt requests (Open message if
receipt can't be sent | Don't open
message if receipt can't be sent |
Always prompt before sending receipt |
Never send S/MIME )
User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Security\Cryptography\Fortezza
certificate policies
User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Security\Cryptography\Require
SuiteB algorithms for S/MIME
operations
User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Security\Cryptography\Signature
Status dialog box\Missing CRLs
User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Security\Cryptography\Signature
Status dialog box\Missing CRLs -
Indicate a missing CRL as a(n):
(warning | error)
User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Security\Cryptography\Signature
Status dialog box\Missing root
certificates
User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Security\Cryptography\Signature
Status dialog box\Missing root
certificates - Indicate a missing root
certificate as a(n): (neither error nor
warning | warning | error)
User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Security\Cryptography\Signature
Status dialog box\Promote Level 2
errors as errors, not warnings
User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Security\Cryptography\Signature
Status dialog box\Attachment Secure
Temporary Folder
User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Security\Automatic Picture
Download Settings\Display pictures and
external content in HTML e-mail
User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Security\Automatic Picture
Download Settings\Automatically
download content for e-mail from people
in Safe Senders and Safe Recipients
Lists
User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Security\Automatic Picture
Download Settings\Do not permit
download of content from safe zones
User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Security\Automatic Picture
Download Settings\Block Trusted Zones
User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Security\Automatic Picture
Download Settings\Include Internet in
Safe Zones for Automatic Picture
Download
User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Security\Automatic Picture
Download Settings\Include Intranet in
Safe Zones for Automatic Picture
Download
User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Security\Trust Center\Security
setting for macros (Always warn | Never
warn, disable all | Warn for signed,
disable unsigned | No security check)
User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Security\Trust Center\Enable links
in e-mail messages
User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Security\Trust Center\Apply macro
security settings to macros, add-ins,
and SmartTags
User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Tools | Account
Settings\Exchange\Automatically
configure profile based on Active
Directory Primary SMTP address
User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Tools | Account
Settings\Exchange\Do not allow users
to change permissions on folders
User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Tools | Account
Settings\Exchange\Enable RPC
encryption
User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Tools | Account
Settings\Exchange\Authentication with
Exchange Server (Kerberos/NTLM
Password Authentication | Kerberos
Password Authentication | NTLM
Password Authentication)
User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Tools | Account Settings\RSS
Feeds\Synchronize Outlook RSS Feeds
with Common Feed List
User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Tools | Account Settings\RSS
Feeds\Turn off RSS feature
User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Tools | Account Settings\RSS
Feeds\Automatically download
enclosures
User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Tools | Account Settings\RSS
Feeds\Download full text of articles as
HTML attachments
User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Tools | Account Settings\Internet
Calendars\Automatically download
attachments
User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Tools | Account Settings\Internet
Calendars\Do not include Internet
Calendar integration in Outlook
User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Meeting Workspace\Disable user
entries to server list (Publish default,
allow others | Publish default, disallow
others)
User Configuration\Administrative
Templates\Microsoft Office Outlook
2007\Miscellaneous\Do not expand
distribution lists
User Configuration\Administrative
Templates\Microsoft Office PowerPoint
2007\PowerPoint Options\Save\Save
files in this format (PowerPoint
Presentation (*.pptx) | PowerPoint
Macro-Enabled Presentation (*.pptm) |
PowerPoint 97-2003 Presentation
(*.ppt))
User Configuration\Administrative
Templates\Microsoft Office PowerPoint
2007\PowerPoint
Options\Advanced\Number of
documents in the Recent Documents
list (0 - 50)
User Configuration\Administrative
Templates\Microsoft Office PowerPoint
2007\PowerPoint
Options\Security\Determine whether to
force encrypted macros to be scanned
in Microsoft PowerPoint Open XML
presentations
User Configuration\Administrative
Templates\Microsoft Office PowerPoint
2007\PowerPoint Options\Security\Run
Programs (disable (don't run any
programs) | enable (prompt user before
running) | enable all (run without
prompting))
User Configuration\Administrative
Templates\Microsoft Office PowerPoint
2007\PowerPoint
Options\Security\Make hidden markup
visible
User Configuration\Administrative
Templates\Microsoft Office PowerPoint
2007\PowerPoint
Options\Security\Unblock automatic
download of linked images
User Configuration\Administrative
Templates\Microsoft Office PowerPoint
2007\PowerPoint Options\Security\Trust
Center\Disable all application add-ins
User Configuration\Administrative
Templates\Microsoft Office PowerPoint
2007\PowerPoint Options\Security\Trust
Center\Require that application add-ins
are signed by Trusted Publisher
User Configuration\Administrative
Templates\Microsoft Office PowerPoint
2007\PowerPoint Options\Security\Trust
Center\Disable Trust Bar Notification for
unsigned application add-ins
User Configuration\Administrative
Templates\Microsoft Office PowerPoint
2007\PowerPoint Options\Security\Trust
Center\Trusted Locations\Allow Trusted
Locations not on the computer
User Configuration\Administrative
Templates\Microsoft Office PowerPoint
2007\PowerPoint Options\Security\Trust
Center\Trusted Locations\Disable all
trusted locations
User Configuration\Administrative
Templates\Microsoft Office PowerPoint
2007\Disable items in user
interface\Predefined\Disable commands
User Configuration\Administrative
Templates\Microsoft Office PowerPoint
2007\Disable items in user
interface\Predefined\Disable commands
- Office Button | PowerPoint Options |
Customize | All Commands | Web Page
Preview
User Configuration\Administrative
Templates\Microsoft Office PowerPoint
2007\Disable items in user
interface\Predefined\Disable commands
- Office Button | Send | Email
User Configuration\Administrative
Templates\Microsoft Office PowerPoint
2007\Disable items in user
interface\Predefined\Disable commands
- Insert | Links | Hyperlink
User Configuration\Administrative
Templates\Microsoft Office PowerPoint
2007\Disable items in user
interface\Predefined\Disable commands
- Review | Proofing | Language
User Configuration\Administrative
Templates\Microsoft Office PowerPoint
2007\Disable items in user
interface\Predefined\Disable commands
- View | Macros | Macros
User Configuration\Administrative
Templates\Microsoft Office PowerPoint
2007\Disable items in user
interface\Predefined\Disable commands
- Developer | Code | Macros
User Configuration\Administrative
Templates\Microsoft Office PowerPoint
2007\Disable items in user
interface\Predefined\Disable commands
- Developer | Code | Macro Security
User Configuration\Administrative
Templates\Microsoft Office PowerPoint
2007\Disable items in user
interface\Predefined\Disable commands
- Developer | Code | Visual Basic
User Configuration\Administrative
Templates\Microsoft Office PowerPoint
2007\Disable items in user
interface\Predefined\Disable commands
- Office Button | PowerPoint Options |
Customize | All Commands | Document
Location
User Configuration\Administrative
Templates\Microsoft Office PowerPoint
2007\Disable items in user
interface\Predefined\Disable commands
- Disable shortcut keys
User Configuration\Administrative
Templates\Microsoft Office PowerPoint
2007\Disable items in user
interface\Predefined\Disable commands
- Ctrl+K (Insert | Links | Hyperlink)
User Configuration\Administrative
Templates\Microsoft Office PowerPoint
2007\Disable items in user
interface\Predefined\Disable commands
- Alt+F8 (Developer | Code | Macros)
User Configuration\Administrative
Templates\Microsoft Office PowerPoint
2007\Disable items in user
interface\Predefined\Disable commands
- Alt+F11 (Developer | Code | Visual
Basic)
User Configuration\Administrative
Templates\Microsoft Office PowerPoint
2007\Block file formats\Open\Block
opening of pre-release versions of file
formats new to PowerPoint 2007
User Configuration\Administrative
Templates\Microsoft Office PowerPoint
2007\Block file formats\Open\Block
opening of Open Xml files types
User Configuration\Administrative
Templates\Microsoft Office PowerPoint
2007\Block file formats\Open\Block
opening of Binary file types
User Configuration\Administrative
Templates\Microsoft Office PowerPoint
2007\Block file formats\Open\Block
opening of Html file types
User Configuration\Administrative
Templates\Microsoft Office PowerPoint
2007\Block file formats\Open\Block
opening of Outlines
User Configuration\Administrative
Templates\Microsoft Office PowerPoint
2007\Block file formats\Open\Block
opening of Converters
User Configuration\Administrative
Templates\Microsoft Office PowerPoint
2007\Block file formats\Save\Block
saving of Open Xml file types
User Configuration\Administrative
Templates\Microsoft Office PowerPoint
2007\Block file formats\Save\Block
saving of Binary file types
User Configuration\Administrative
Templates\Microsoft Office PowerPoint
2007\Block file formats\Save\Block
saving of Html file types
User Configuration\Administrative
Templates\Microsoft Office PowerPoint
2007\Block file formats\Save\Block
saving of Outlines
User Configuration\Administrative
Templates\Microsoft Office PowerPoint
2007\Block file formats\Save\Block
saving of GraphicFilters
User Configuration\Administrative
Templates\Microsoft Office PowerPoint
2007\Block file
formats\Miscellaneous\Disable Slide
Update
User Configuration\Administrative
Templates\Microsoft Office Word
2007\Word Options\Display\Hidden text
User Configuration\Administrative
Templates\Microsoft Office Word
2007\Word Options\Save\Save files in
this format (Word document (*.docx) |
Single Files Web Page (*.mht) | Web
Page (*.htm; *.html) | Web Page,
Filtered (*.htm, *.html) | Rich Text
Format (*.rtf) | Plain Text (*.txt) | Word
6.0/95 (*.doc) | Word 6.0/95 - Chinese
(Simplified) (*.doc) | Word 6.0/95 -
Chinese (Traditional) (*.doc) | Word
6.0/95 - Japanese (*.doc) | Word 6.0/95
- Korean (*.doc) | Word 97-2002 &
6.0/95 - RTF | Word 5.1 for Macintosh
(*.mcw) | Word 5.0 for Macintosh
(*.mcw) | Word 2.x for Windows (*.doc) |
Works 4.0 for Windows (*.wps) |
WordPerfect 5.x for Windows (*.doc) |
WordPerfect 5.1 for DOS (*.doc) | Word
2007 Macro Enabled Document
(*.docm) | Word 2007 Macro Free
Template (*.dotx) | Word 2007 Macro
Enabled Template (*.dotm) | Word 97 -
2003 Document (*.doc) | Word 97 -
2003 Template (*.dot) | Flat XML
Document (*.xml))
User Configuration\Administrative
Templates\Microsoft Office Word
2007\Word Options\Advanced\Number
of documents in the Recent Documents
list (0-50)
User Configuration\Administrative
Templates\Microsoft Office Word
2007\Word Options\Advanced\Update
automatic links at Open
User Configuration\Administrative
Templates\Microsoft Office Word
2007\Word Options\Advanced\E-mail
Options\Save smart tags in e-mail
User Configuration\Administrative
Templates\Microsoft Office Word
2007\Word Options\Security\Trust
Center\Determine whether to force
encrypted macros to be scanned in
Microsoft Word Open XML documents
User Configuration\Administrative
Templates\Microsoft Office Word
2007\Word Options\Security\Trust
Center\Disable all application add-ins
User Configuration\Administrative
Templates\Microsoft Office Word
2007\Word Options\Security\Trust
Center\Require that application add-ins
are signed by Trusted Publisher
User Configuration\Administrative
Templates\Microsoft Office Word
2007\Word Options\Security\Trust
Center\Disable Trust Bar Notification for
unsigned application add-ins
User Configuration\Administrative
Templates\Microsoft Office Word
2007\Word Options\Security\Trust
Center\Trusted Locations\Allow Trusted
Locations not on the computer
User Configuration\Administrative
Templates\Microsoft Office Word
2007\Word Options\Security\Trust
Center\Trusted Locations\Disable all
trusted locations
User Configuration\Administrative
Templates\Microsoft Office Word
2007\Disable items in user
interface\Predefined\Disable commands
User Configuration\Administrative
Templates\Microsoft Office Word
2007\Disable items in user
interface\Predefined\Disable commands
- Office Button | Word Options |
Customize | All Commands | Save As
Web Page
User Configuration\Administrative
Templates\Microsoft Office Word
2007\Disable items in user
interface\Predefined\Disable commands
- Office Button | Word Options |
Customize | All Commands | Web Page
Preview
User Configuration\Administrative
Templates\Microsoft Office Word
2007\Disable items in user
interface\Predefined\Disable commands
- Office Button | Send | Email
User Configuration\Administrative
Templates\Microsoft Office Word
2007\Disable items in user
interface\Predefined\Disable commands
- Insert | Links | Hyperlink
User Configuration\Administrative
Templates\Microsoft Office Word
2007\Disable items in user
interface\Predefined\Disable commands
- Review | Protect | Protect Document
User Configuration\Administrative
Templates\Microsoft Office Word
2007\Disable items in user
interface\Predefined\Disable commands
- View | Macros | Macros
User Configuration\Administrative
Templates\Microsoft Office Word
2007\Disable items in user
interface\Predefined\Disable commands
- Developer | Code | Macros
User Configuration\Administrative
Templates\Microsoft Office Word
2007\Disable items in user
interface\Predefined\Disable commands
- Developer | Code | Record Macro
User Configuration\Administrative
Templates\Microsoft Office Word
2007\Disable items in user
interface\Predefined\Disable commands
- Developer | Code | Macro Security
User Configuration\Administrative
Templates\Microsoft Office Word
2007\Disable items in user
interface\Predefined\Disable commands
- Developer | Code | Visual Basic
User Configuration\Administrative
Templates\Microsoft Office Word
2007\Disable items in user
interface\Predefined\Disable commands
- Developer | Templates | Document
Template
User Configuration\Administrative
Templates\Microsoft Office Word
2007\Disable items in user
interface\Predefined\Disable shortcut
keys
User Configuration\Administrative
Templates\Microsoft Office Word
2007\Disable items in user
interface\Predefined\Disable shortcut
keys - Ctrl+F (Home | Editing | Find)
User Configuration\Administrative
Templates\Microsoft Office Word
2007\Disable items in user
interface\Predefined\Disable shortcut
keys - Ctrl+K (Insert | Links | Hyperlink)
User Configuration\Administrative
Templates\Microsoft Office Word
2007\Disable items in user
interface\Predefined\Disable shortcut
keys - Alt+F8 (Developer | Code |
Macros)
User Configuration\Administrative
Templates\Microsoft Office Word
2007\Disable items in user
interface\Predefined\Disable shortcut
keys - Alt+F11 (Developer | Code |
Visual Basic)
User Configuration\Administrative Templates\Microsoft Office Word 2007\Block file formats\Open\Block opening of pre-release versions of file formats new to Word 2007
User Configuration\Administrative Templates\Microsoft Office Word 2007\Block file formats\Open\Block opening of Open XML file types
User Configuration\Administrative Templates\Microsoft Office Word 2007\Block file formats\Open\Block opening of Binary file types
User Configuration\Administrative Templates\Microsoft Office Word 2007\Block file formats\Open\Block opening of HTML file types
User Configuration\Administrative Templates\Microsoft Office Word 2007\Block file formats\Open\Block opening of Word 2003 XML file types
User Configuration\Administrative Templates\Microsoft Office Word 2007\Block file formats\Open\Block opening of RTF file types
User Configuration\Administrative Templates\Microsoft Office Word 2007\Block file formats\Open\Block open Converters
User Configuration\Administrative Templates\Microsoft Office Word 2007\Block file formats\Open\Block opening of Text file types
User Configuration\Administrative Templates\Microsoft Office Word 2007\Block file formats\Open\Block opening of Internal file types
User Configuration\Administrative Templates\Microsoft Office Word 2007\Block file formats\Open\Block opening of files before version
User Configuration\Administrative Templates\Microsoft Office Word 2007\Block file formats\Save\Block saving of Open XML file types
User Configuration\Administrative Templates\Microsoft Office Word 2007\Block file formats\Save\Block saving of Binary file types
User Configuration\Administrative Templates\Microsoft Office Word 2007\Block file formats\Save\Block saving of HTML file types
User Configuration\Administrative Templates\Microsoft Office Word 2007\Block file formats\Save\Block saving of Word 2003 XML file types
User Configuration\Administrative Templates\Microsoft Office Word 2007\Block file formats\Save\Block saving of RTF file types
User Configuration\Administrative Templates\Microsoft Office Word 2007\Block file formats\Save\Block saving of Converters
User Configuration\Administrative Templates\Microsoft Office Word 2007\Block file formats\Save\Block saving of Text file types
Computer Configuration\Administrative Templates\Microsoft Office InfoPath 2007 (Machine)\Security\InfoPath APTCA Assembly Whitelist
Computer Configuration\Administrative Templates\Microsoft Office InfoPath 2007 (Machine)\Security\Windows Internet Explorer Feature Control Opt-In (None | InfoPath.exe, Document Information Panel and Workflow forms | InfoPath.exe, Document Information Panel, Workflow forms and 3rd Party Hosting)
Computer Configuration\Administrative Templates\Microsoft Office InfoPath 2007 (Machine)\Security\InfoPath APTCA Assembly Whitelist Enforcement
Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\Disable Package Repair
Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Disable user name and password
Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Disable user name and password - excel.exe
Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Disable user name and password - powerpnt.exe
Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Disable user name and password - pptview.exe
Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Disable user name and password - winword.exe
Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Disable user name and password - outlook.exe
Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Disable user name and password - spDesign.exe
Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Disable user name and password - msaccess.exe
Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Bind to object
Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Bind to object - excel.exe
Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Bind to object - powerpnt.exe
Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Bind to object - pptview.exe
Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Bind to object - winword.exe
Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Bind to object - outlook.exe
Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Bind to object - spDesign.exe
Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Bind to object - msaccess.exe
Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Saved from URL
Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Saved from URL - excel.exe
Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Saved from URL - powerpnt.exe
Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Saved from URL - pptview.exe
Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Saved from URL - winword.exe
Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Saved from URL - outlook.exe
Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Saved from URL - spDesign.exe
Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Saved from URL - msaccess.exe
Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Navigate URL
Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Navigate URL - excel.exe
Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Navigate URL - powerpnt.exe
Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Navigate URL - pptview.exe
Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Navigate URL - winword.exe
Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Navigate URL - outlook.exe
Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Navigate URL - spDesign.exe
Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Navigate URL - msaccess.exe
Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Block popups
Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Block popups - excel.exe
Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Block popups - powerpnt.exe
Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Block popups - pptview.exe
Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Block popups - winword.exe
Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Block popups - outlook.exe
Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Block popups - spDesign.exe
Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Block popups - msaccess.exe
NIST SCAP Microsoft Internet Explorer Version 7.0 OVAL (SCAP-IE7-OVAL-Beta-v3.xml)
NIST SCAP Microsoft Internet Explorer Version 7.0 XCCDF (SCAP-IE7-XCCDF-Beta-v3.xml)
oval:org.mitre.oval:def:1277, oval:org.mitre.oval:def:2050  UseOnlyMachineSettings-LocalComputer, UseOnlyMachineSettings-LocalComputer-Disabled
oval:org.mitre.oval:def:658  IEProcesses-RestrictActiveXInstall-LocalComputer
oval:org.mitre.oval:def:1400  DoNotAllowUsersAddDeleteSites-LocalComputer
oval:org.mitre.oval:def:1357  DisablePeriodicCheckForIESoftwareUpdates-LocalComputer
oval:org.mitre.oval:def:620
oval:org.mitre.oval:def:884  IEProcesses-ConsistentMimeHandling-LocalComputer
oval:org.mitre.oval:def:680, oval:org.mitre.oval:def:1392  AllowSoftwareRunInstallSignatureInvalid-LocalComputer, AllowSoftwareToRununOrInstallEvenIfSignatureInvalid-LocalUser
oval:org.mitre.oval:def:617  IEProcesses-MKProtocolSecurityRestriction-LocalComputer
oval:org.mitre.oval:def:1188  DisableSoftwareUpdateShellNotifications-LocalComputer
oval:org.mitre.oval:def:320  IEProcesses-RestrictFileDownload-LocalComputer
oval:org.mitre.oval:def:1198  DisableAutomaticInstallOfIEComponents-LocalComputer
oval:org.mitre.oval:def:1181  MakeProxySettingsPerMachine-LocalComputer
oval:org.mitre.oval:def:1380, oval:org.mitre.oval:def:1358, oval:org.mitre.oval:def:1694  DoNotAllowUsersEnableDisableAddOns-LocalComputer, DoNotAllowUsersEnableDisableAddOns-LocalUser
oval:org.mitre.oval:def:487  TurnOffCrashDetection-LocalComputer
oval:org.mitre.oval:def:465  IEProcesses-ScriptedWindowSecurityRestrictions-LocalComputer
oval:org.mitre.oval:def:1404  DoNotAllowUsersChangePolicies-LocalComputer
oval:org.mitre.oval:def:317  IEProcesses-MimeSniffingSafetyFeature-LocalComputer
oval:org.mitre.oval:def:395  CheckSignatureDownloadedPrograms-LocalComputer
oval:org.mitre.oval:def:583  DoNotAllowResettingIESettings-LocalComputer
oval:org.mitre.oval:def:506, oval:org.mitre.oval:def:533  AllowCutCopyPasteOperationsFromClipboardViaScript-InternetZone-LocalComputer, AllowCutCopyPasteOperationsFromClipboardViaScript-InternetZone-LocalUser
oval:org.mitre.oval:def:1119  TurnOffFirst-RunOpt-In-InternetZone-LocalComputer
oval:org.mitre.oval:def:242  WebBrowserApplications-InternetZone-LocalComputer
oval:org.mitre.oval:def:249, oval:org.mitre.oval:def:1393  AllowCutCopyPasteOperationsFromClipboardViaScript-RestrictedSitesZone-LocalComputer, AllowCutCopyPasteOperationsFromClipboardViaScript-RestrictedSitesZone-LocalUser
oval:org.mitre.oval:def:621  TurnOffFirst-RunOpt-In-RestrictedSitesZone-LocalComputer
oval:org.mitre.oval:def:580  WebBrowserApplications-RestrictedSitesZone-LocalComputer
oval:org.mitre.oval:def:559, oval:org.mitre.oval:def:1370  IncludeAllNetworkPaths-LocalComputer, IncludeAllNetworkPaths-LocalUser
oval:org.mitre.oval:def:934, oval:org.mitre.oval:def:660  DisableTheAdvancedPage-LocalComputer, DisableTheAdvancedPage-LocalUser
oval:org.mitre.oval:def:1111  DisableThePrivacyPage-LocalComputer
oval:org.mitre.oval:def:672, oval:org.mitre.oval:def:601  DisableTheSecurityPage-LocalComputer, DisableTheSecurityPage-LocalUser
oval:org.mitre.oval:def:655, oval:org.mitre.oval:def:1129  PreventIgnoingCertificateErrors-LocalComputer, PreventIgnoingCertificateErrors-LocalUser
oval:org.mitre.oval:def:715  TurnOffChangingURLDisplay-LocalComputer
oval:org.mitre.oval:def:1187  TurnOffConfiguringUpdateCheckInterval-LocalComputer
oval:org.mitre.oval:def:626  AddOnList-LocalComputer
oval:org.mitre.oval:def:1278  DenyAllAddOns-LocalComputer
oval:org.mitre.oval:def:757, oval:org.mitre.oval:def:1365  DisableConfiguringHistory-LocalComputer, DisableConfiguringHistory-LocalUser
oval:org.mitre.oval:def:1285, oval:org.mitre.oval:def:613  DisableChangingAutomaticConfigurationSettings-LocalComputer, DisableChangingAutomaticConfigurationSettings-LocalUser
oval:org.mitre.oval:def:355, oval:org.mitre.oval:def:1128  DisableChangingConnectionSettings-LocalComputer, DisableChangingConnectionSettings-LocalUser
oval:org.mitre.oval:def:398, oval:org.mitre.oval:def:635  DisableChangingProxySettings-LocalComputer, DisableChangingProxySettings-LocalUser
oval:org.mitre.oval:def:1164  DisableShowingSplashScreen-LocalComputer
oval:org.mitre.oval:def:448, oval:org.mitre.oval:def:640  PreventFixSettingsFunctionality-LocalComputer, PreventFixSettingsFunctionality-LocalUser
oval:org.mitre.oval:def:1171, oval:org.mitre.oval:def:1391  PreventParticipationInCustomerExperienceImprovementPrograms-LocalComputer, PreventParticipationInCustomerExperienceImprovementPrograms-LocalUser
oval:org.mitre.oval:def:1322  PreventPerformanceOfFirstRunCustomizeSettings-LocalComputer
oval:org.mitre.oval:def:1382, oval:org.mitre.oval:def:703  PerventDeletationOfTempInternetFiles-LocalComputer, PerventDeletationOfTempInternetFiles-LocalUser
oval:org.mitre.oval:def:458, oval:org.mitre.oval:def:1474  TurnOffDeleteBrowsingHistoryFunctionality-LocalComputer, TurnOffDeleteBrowsingHistoryFunctionality-LocalUser
oval:org.mitre.oval:def:501  TurnOffManagingPhishingFilter-LocalComputer
oval:org.mitre.oval:def:916, oval:org.mitre.oval:def:1034  TurnOffSecuritySettingsCheckFeature-LocalComputer, TurnOffSecuritySettingsCheckFeature-LocalUser
oval:org.mitre.oval:def:400  AllowActiveContentFromCD-LocalComputer
oval:org.mitre.oval:def:110  AllowThird-PartyBrowserExtensions-LocalComputer
oval:org.mitre.oval:def:656, oval:org.mitre.oval:def:1360  AutomaticallyCheckIEUpdates-LocalComputer, AutomaticallyCheckForIEUpdates-LocalUser
oval:org.mitre.oval:def:172, oval:org.mitre.oval:def:1502  CheckServerCertificateRevocation-LocalComputer, CheckForServerCertificateRevocation-LocalUser
oval:org.mitre.oval:def:674, oval:org.mitre.oval:def:650  AccessDataSourcesAcrossDomains-InternetZone-LocalComputer, AccessDataSourcesAcrossDomains-InternetZone-LocalUser
oval:org.mitre.oval:def:1083, oval:org.mitre.oval:def:547  AllowDragDropOrCopyPasteFiles-InternetZone-LocalComputer, AllowDragDropOrCopyPasteFiles-InternetZone-LocalUser
oval:org.mitre.oval:def:524, oval:org.mitre.oval:def:659  AllowFontDownloads-InternetZone-LocalComputer, AllowFontDownloads-InternetZone-LocalUser
oval:org.mitre.oval:def:223, oval:org.mitre.oval:def:541  AllowInstallationOfDesktopItems-InternetZone-LocalComputer, AllowInstallationOfDesktopItems-InternetZone-LocalUser
oval:org.mitre.oval:def:589, oval:org.mitre.oval:def:1476  AllowScriptInitiatedWindowsWithoutSizeOrPositionConstraints-InternetZone-LocalComputer, AllowScriptInitiatedWindowsWithoutSizeOrPositionConstraints-InternetZone-LocalUser
oval:org.mitre.oval:def:1043  AllowScriptlets-InternetZone-LocalComputer
oval:org.mitre.oval:def:226, oval:org.mitre.oval:def:1208  AllowStatusBarUpdatesViaScript-InternetZone-LocalComputer, AllowStatusBarUpdatesViaScript-InternetZone-LocalUser
oval:org.mitre.oval:def:1113, oval:org.mitre.oval:def:562  AutomaticPromptingFileDownloads-InternetZone-LocalComputer, AutomaticPromptingFileDownloads-InternetZone-LocalUser
oval:org.mitre.oval:def:1199, oval:org.mitre.oval:def:546  DownloadSignedActiveXControls-InternetZone-LocalComputer, DownloadSignedActiveXControls-InternetZone-LocalUser
oval:org.mitre.oval:def:391, oval:org.mitre.oval:def:1200  DownloadUnsignedActiveXControls-InternetZone-LocalComputer, DownloadUnsignedActiveXControls-InternetZone-LocalUser
oval:org.mitre.oval:def:1040, oval:org.mitre.oval:def:739  InitializeScriptActiveXControlsNotMarkedAsSafe-InternetZone-LocalComputer, JavaPermissions-InternetZone-LocalComputer, InitializeScriptActiveXControlsNotMarkedAsSafe-InternetZone-LocalUser
oval:org.mitre.oval:def:1174, oval:org.mitre.oval:def:725  JavaPermissions-InternetZone-LocalUser
oval:org.mitre.oval:def:611, oval:org.mitre.oval:def:1487  LaunchingApplicationsAndFilesInIFRAME-InternetZone-LocalComputer, LaunchingApplicationsAndFilesInIFRAME-InternetZone-LocalUser
oval:org.mitre.oval:def:691, oval:org.mitre.oval:def:1123  LogonOptions-InternetZone-LocalComputer, LogonOptions-InternetZone-LocalUser
oval:org.mitre.oval:def:240  LooseXAMLFiles-InternetZone-LocalComputer
oval:org.mitre.oval:def:612, oval:org.mitre.oval:def:1394  NavigateSub-framesAcrossDifferentDomains-InternetZone-LocalComputer, NavigateSub-framesAcrossDifferentDomains-InternetZone-LocalUser
oval:org.mitre.oval:def:953, oval:org.mitre.oval:def:1300  OpenFilesBasedOnContent-InternetZone-LocalComputer, OpenFilesBasedOnContent-InternetZone-LocalUser
oval:org.mitre.oval:def:302, oval:org.mitre.oval:def:1398  SoftwareChannelPermissions-InternetZone-LocalComputer, SoftwareChannelPermissions-InternetZone-LocalUser
oval:org.mitre.oval:def:1179, oval:org.mitre.oval:def:558  UsePop-upBlocker-InternetZone-LocalComputer, UsePop-upBlocker-InternetZone-LocalUser
oval:org.mitre.oval:def:1108  UserdataPersistence-InternetZone-LocalComputer
oval:org.mitre.oval:def:265, oval:org.mitre.oval:def:1432  WebSitesInLessPrivilegedWebContentZonesCanNavigateIntoThisZone-InternetZone-LocalComputer, WebSitesInLessPrivilegedWebContentZonesCanNavigateIntoThisZone-InternetZone-LocalUser
oval:org.mitre.oval:def:628  XPSFiles-InternetZone-LocalComputer
oval:org.mitre.oval:def:245  DisplayMixedContent-LockedDownInternetZone-LocalComputer
oval:org.mitre.oval:def:1166  DisplayMixedContent-IntranetZone-LocalComputer
oval:org.mitre.oval:def:247  DisplayMixedContent-LockedDownIntranetZone-LocalComputer
oval:org.mitre.oval:def:383  DisplayMixedContent-LocalMachineZone-LocalComputer
oval:org.mitre.oval:def:418  DisplayMixedContent-LockedDownLocalMachineZone-LocalComputer
oval:org.mitre.oval:def:652, oval:org.mitre.oval:def:750  AccessDataSourcesAcrossDomains-RestrictedSitesZone-LocalComputer, AccessDataSourcesAcrossDomains-RestrictedSitesZone-LocalUser
oval:org.mitre.oval:def:293, oval:org.mitre.oval:def:561  AllowActiveScripting-RestrictedSitesZone-LocalComputer, AllowActiveScripting-RestrictedSitesZone-LocalUser
oval:org.mitre.oval:def:365, oval:org.mitre.oval:def:1314  AllowBinaryAndScriptBehaviors-RestrictedSitesZone-LocalComputer, AllowBinaryAndScriptBehaviors-RestrictedSitesZone-LocalUser
oval:org.mitre.oval:def:498, oval:org.mitre.oval:def:1465  AllowDragDropOrCopyPasteFiles-RestrictedSitesZone-LocalComputer, AllowDragDropOrCopyPasteFiles-RestrictedSitesZone-LocalUser
oval:org.mitre.oval:def:1184, oval:org.mitre.oval:def:1318  AllowFileDownloads-RestrictedSitesZone-LocalComputer, AllowFileDownloads-RestrictedSitesZone-LocalUser
oval:org.mitre.oval:def:1109, oval:org.mitre.oval:def:1410  AllowFontDownloads-RestrictedSitesZone-LocalComputer, AllowFontDownloads-RestrictedSitesZone-LocalUser
oval:org.mitre.oval:def:251, oval:org.mitre.oval:def:1257  AllowInstallationOfDesktopItems-RestrictedSitesZone-LocalComputer, AllowInstallationOfDesktopItems-RestrictedSitesZone-LocalUser
oval:org.mitre.oval:def:1218, oval:org.mitre.oval:def:1270  AllowMETAREFRESH-RestrictedSitesZone-LocalComputer, AllowMETAREFRESH-RestrictedSitesZone-LocalUser
oval:org.mitre.oval:def:1234, oval:org.mitre.oval:def:574  AllowScriptInitiatedWindowsWithoutSizeOrPositionConstraints-RestrictedSitesZone-LocalComputer, AllowScriptInitiatedWindowsWithoutSizeOrPositionConstraints-RestrictedSitesZone-LocalUser
oval:org.mitre.oval:def:1217  AllowScriptlets-RestrictedSitesZone-LocalComputer
oval:org.mitre.oval:def:378, oval:org.mitre.oval:def:1320  AllowStatusBarUpdatesViaScript-RestrictedSitesZone-LocalComputer, AllowStatusBarUpdatesViaScript-RestrictedSitesZone-LocalUser
oval:org.mitre.oval:def:252, oval:org.mitre.oval:def:1312  AutomaticPromptingFileDownloads-RestrictedSitesZone-LocalComputer, AutomaticPromptingFileDownloads-RestrictedSitesZone-LocalUser
oval:org.mitre.oval:def:1019, oval:org.mitre.oval:def:1389  DownloadSignedActiveXControls-RestrictedSitesZone-LocalComputer, DownloadSignedActiveXControls-RestrictedSitesZone-LocalUser
oval:org.mitre.oval:def:949, oval:org.mitre.oval:def:579  DownloadUnsignedActiveXControls-RestrictedSitesZone-LocalComputer, DownloadUnsignedActiveXControls-RestrictedSitesZone-LocalUser
oval:org.mitre.oval:def:273, oval:org.mitre.oval:def:1342  InitializeScriptActiveXControlsNotMarkedAsSafe-RestrictedSitesZone-LocalComputer, InitializeScriptActiveXControlsNotMarkedAsSafe-RestrictedSitesZone-LocalUser
oval:org.mitre.oval:def:824, oval:org.mitre.oval:def:732  JavaPermissions-RestrictedSitesZone-LocalComputer, JavaPermissions-RestrictedSitesZone-LocalUser
oval:org.mitre.oval:def:274, oval:org.mitre.oval:def:1223  LaunchingApplicationsAndFilesInIFRAME-RestrictedSitesZone-LocalComputer, LaunchingApplicationsAndFilesInIFRAME-RestrictedSitesZone-LocalUser
oval:org.mitre.oval:def:326, oval:org.mitre.oval:def:1378  LogonOptions-RestrictedSitesZone-LocalComputer, LogonOptions-RestrictedSitesZone-LocalUser
oval:org.mitre.oval:def:275  LooseXAMLFiles-RestrictedSitesZone-LocalComputer
oval:org.mitre.oval:def:1229, oval:org.mitre.oval:def:1292  NavigateSub-framesAcrossDifferentDomains-RestrictedSitesZone-LocalComputer, NavigateSub-framesAcrossDifferentDomains-RestrictedSitesZone-LocalUser
oval:org.mitre.oval:def:706, oval:org.mitre.oval:def:1421  OpenFilesBasedOnContent-RestrictedSitesZone-LocalComputer, OpenFilesBasedOnContent-RestrictedSitesZone-LocalUser
oval:org.mitre.oval:def:329, oval:org.mitre.oval:def:599  RunNETFrameworkReliantComponentsNotSignedWithAuthenticode-RestrictedSitesZone-LocalComputer, RunNETFrameworkReliantComponentsNotSignedWithAuthenticode-RestrictedSitesZone-LocalUser
oval:org.mitre.oval:def:276, oval:org.mitre.oval:def:1428  RunNETFrameworkReliantComponentsSignedWithAuthenticode-RestrictedSitesZone-LocalComputer, RunNETFrameworkReliantComponentsSignedWithAuthenticode-RestrictedSitesZone-LocalUser
oval:org.mitre.oval:def:571, oval:org.mitre.oval:def:1594  RunActiveXControlsAndPlugins-RestrictedSitesZone-LocalComputer, RunActiveXControlsAndPlugins-RestrictedSitesZone-LocalUser
oval:org.mitre.oval:def:602, oval:org.mitre.oval:def:1274  ScriptActiveXControlsMarkedSafeForScripting-RestrictedSitesZone-LocalComputer, ScriptActiveXControlsMarkedSafeForScripting-RestrictedSitesZone-LocalUser
oval:org.mitre.oval:def:280, oval:org.mitre.oval:def:641  ScriptingOfJavaApplets-RestrictedSitesZone-LocalComputer, ScriptingOfJavaApplets-RestrictedSitesZone-LocalUser
oval:org.mitre.oval:def:290, oval:org.mitre.oval:def:1214  SoftwareChannelPermissions-RestrictedSitesZone-LocalComputer, SoftwareChannelPermissions-RestrictedSitesZone-LocalUser
oval:org.mitre.oval:def:1100, oval:org.mitre.oval:def:1286  UsePop-upBlocker-RestrictedSitesZone-LocalComputer, UsePop-upBlocker-RestrictedSitesZone-LocalUser
oval:org.mitre.oval:def:300  UserdataPersistence-RestrictedSitesZone-LocalComputer
oval:org.mitre.oval:def:1219, oval:org.mitre.oval:def:1243  WebSitesInLessPrivilegedWebContentZonesCanNavigateIntoThisZone-RestrictedSitesZone-LocalComputer, WebSitesInLessPrivilegedWebContentZonesCanNavigateIntoThisZone-RestrictedSitesZone-LocalUser
oval:org.mitre.oval:def:1176  XPSFiles-RestrictedSitesZone-LocalComputer
oval:org.mitre.oval:def:314  DisplayMixedContent-LockedDownRestrictedSitesZone-LocalComputer
oval:org.mitre.oval:def:1153  DisplayMixedContent-TrustedSitesZone-LocalComputer
oval:org.mitre.oval:def:1183  DisplayMixedContent-LockedDownTrustedSitesZone-LocalComputer
oval:org.mitre.oval:def:338  EnableNativeXMLHttpSupport-LocalComputer
oval:org.mitre.oval:def:645  DisableSaveThisProgramToDiskOption-LocalUser
oval:org.mitre.oval:def:523  AllowInstallOnDemandIE-LocalUser
oval:org.mitre.oval:def:1206  TurnOffPageTransitions-LocalUser
oval:org.mitre.oval:def:1516  DisableAutoCompleteForForms-LocalUser
oval:org.mitre.oval:def:505  AllowInstallOnDemandIE-LocalUser
oval:org.mitre.oval:def:1362  DisableChangingCertificateSettings-LocalUser
oval:org.mitre.oval:def:1384  DisableExternalBrandingOfIE-LocalUser
oval:org.mitre.oval:def:1238  ConfigureOutlookExpress-LocalUser
oval:org.mitre.oval:def:604  InternetConnectionWizardSettings-LocalUser
oval:org.mitre.oval:def:1355  DisableInternetConnectionWizard-LocalUser
oval:org.mitre.oval:def:1437  DisableResetWebSettingsFeature-LocalUser
oval:org.mitre.oval:def:1080  DisableDownloadingOfSiteSubscriptionContent-LocalUser
oval:org.mitre.oval:def:1293  DisableAddingSchedulesForOfflinePages-LocalUser
oval:org.mitre.oval:def:1383  DisableAddingChannels-LocalUser
oval:org.mitre.oval:def:1397  DisableEditingAndCreatingOfScheduleGroups-LocalUser
oval:org.mitre.oval:def:1501  DisableAllScheduledOfflinePages-LocalUser
oval:org.mitre.oval:def:1565  DisableEditingSchedulesForOfflinePages-LocalUser
oval:org.mitre.oval:def:1782  DisableChannelUserInterfaceCompletely-LocalUser
oval:org.mitre.oval:def:1801  DisableRemovingChannels-LocalUser
oval:org.mitre.oval:def:1954  DisableRemovingSchedulesForOfflinePages-LocalUser
oval:org.mitre.oval:def:2026  DisableOfflinePageHitLogging-LocalUser
oval:org.mitre.oval:def:2039  JavaPermissions-LockedDownIntranetZone-LocalComputer
oval:org.mitre.oval:def:1422  JavaPermissions-LocalMachineZone-LocalComputer
oval:org.mitre.oval:def:1986  JavaPermissions-LockedDownLocalMachineZone-LocalComputer
oval:org.mitre.oval:def:1753  JavaPermissions-LockedDownRestrictedSitesZone-LocalComputer
oval:org.mitre.oval:def:1379  JavaPermissions-TrustedSitesZone-LocalComputer
oval:org.mitre.oval:def:1699  JavaPermissions-LockedDownTrustedSitesZone-LocalComputer