Cis Win2019.yml

The document discusses security configuration assessments for Windows Server 2016 RTM. It outlines policies, requirements, and checks for account policies, local policies, and security options. Specific policies addressed include password policy settings, blocking Microsoft accounts, limiting blank passwords, and enabling audit settings.

Uploaded by

Lucas garcia

# Security Configuration Assessment

# CIS Checks for Windows 2016 RTM


# Copyright (C) 2015-2020, Wazuh Inc.
#
# This program is free software; you can redistribute it
# and/or modify it under the terms of the GNU General Public
# License (version 2) as published by the FSF - Free Software
# Foundation
#
# Based on:
# Center for Internet Security Benchmark for Microsoft Windows Server 2019 RTM (Release 1809) v1.0.1 - 11-22-2019

policy:
  id: "cis_win2019"
  file: "cis_win2019.yml"
  name: "CIS Benchmark for Windows Server 2019 RTM"
  description: "This document provides prescriptive guidance for establishing a secure configuration posture for Microsoft Windows Server 2019."
  references:
    - https://www.cisecurity.org/cis-benchmarks/

requirements:
  title: "Check that the Windows platform is Windows Server 2019 RTM"
  description: "Requirements for running the CIS benchmark under Windows Server 2019 RTM"
  condition: all
  rules:
    - 'r:HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion -> ProductName -> r:^Windows Server 2019'

checks:

  ###############################################
  # 1 Account Policies
  ###############################################
  ###############################################
  # 1.1 Password Policy
  ###############################################

  # 1.1.2 Maximum password age (Scored)
  - id: 16500
    title: "Ensure 'Maximum password age' is set to '60 or fewer days, but not 0'"
    description: "This policy setting defines how long a user can use their password before it expires. Values for this policy setting range from 0 to 999 days. If you set the value to 0, the password will never expire. Because attackers can crack passwords, the more frequently you change the password the less opportunity an attacker has to use a cracked password. However, the lower this value is set, the higher the potential for an increase in calls to help desk support due to users having to change their password or forgetting which password is current. The recommended state for this setting is 60 or fewer days, but not 0."
    rationale: "The longer a password exists the higher the likelihood that it will be compromised by a brute force attack, by an attacker gaining general knowledge about the user, or by the user sharing the password. Configuring the Maximum password age setting to 0 so that users are never required to change their passwords is a major security risk because that allows a compromised password to be used by the malicious user for as long as the valid user is authorized access."
    remediation: "To establish the recommended configuration via GP, set the following UI path to 60 or fewer days, but not 0: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Account Policies\\Password Policy\\Maximum password age."
    compliance:
      - cis: ["1.1.2"]
      - cis_csc: ["16.5"]
      - pci_dss: ["8.2.4"]
      - tsc: ["CC6.1"]
    references:
      - 'CCE-37167-4'
    condition: all
    rules:
      - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> 0'
      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> n:^(\d+) compare <= 60'

  ###############################################
  # 2 Local Policies
  ###############################################
  ###############################################
  # 2.3 Security Options
  ###############################################

  # 2.3.1.2 Accounts: Block Microsoft accounts (Scored)
  - id: 16501
    title: "Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts'"
    description: "This policy setting prevents users from adding new Microsoft accounts on this computer. The recommended state for this setting is: Users can't add or log on with Microsoft accounts."
    rationale: "Organizations that want to effectively implement identity management policies and maintain firm control of what accounts are used to log onto their computers will probably want to block Microsoft accounts. Organizations may also need to block Microsoft accounts in order to meet the requirements of compliance standards that apply to their information systems."
    remediation: "To establish the recommended configuration via GP, set the following UI path to Users can't add or log on with Microsoft accounts: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Accounts: Block Microsoft accounts."
    compliance:
      - cis: ["2.3.1.2"]
      - cis_csc: ["16"]
      - pci_dss: ["8.1"]
      - tsc: ["CC6.1"]
    references:
      - 'CCE-36147-7'
    condition: all
    rules:
      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> NoConnectedUser -> 3'

  # 2.3.1.4 Accounts: Limit local account use of blank passwords to console logon only (Scored)
  - id: 16502
    title: "Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled'"
    description: "This policy setting determines whether local accounts that are not password protected can be used to log on from locations other than the physical computer console. If you enable this policy setting, local accounts that have blank passwords will not be able to log on to the network from remote client computers. Such accounts will only be able to log on at the keyboard of the computer. The recommended state for this setting is: Enabled."
    rationale: "Blank passwords are a serious threat to computer security and should be forbidden through both organizational policy and suitable technical measures. In fact, the default settings for Active Directory domains require complex passwords of at least seven characters. However, if users with the ability to create new accounts bypass your domain-based password policies, they could create accounts with blank passwords. For example, a user could build a stand-alone computer, create one or more accounts with blank passwords, and then join the computer to the domain. The local accounts with blank passwords would still function. Anyone who knows the name of one of these unprotected accounts could then use it to log on."
    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Accounts: Limit local account use of blank passwords to console logon only."
    compliance:
      - cis: ["2.3.1.4"]
      - cis_csc: ["16"]
      - pci_dss: ["8.2"]
      - tsc: ["CC6.1"]
    references:
      - 'CCE-37615-2'
    condition: all
    rules:
      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LimitBlankPasswordUse -> 1'

  # 2.3.2.1 Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings (Scored)
  - id: 16503
    title: "Ensure 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' is set to 'Enabled'"
    description: "This policy setting allows administrators to enable the more precise auditing capabilities present in Windows Vista. The Audit Policy settings available in Windows Server 2003 Active Directory do not yet contain settings for managing the new auditing subcategories. To properly apply the auditing policies prescribed in this baseline, the Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings setting needs to be configured to Enabled. The recommended state for this setting is: Enabled. *Important*: Be very cautious about audit settings that can generate a large volume of traffic. For example, if you enable either success or failure auditing for all of the Privilege Use subcategories, the high volume of audit events generated can make it difficult to find other types of entries in the Security log. Such a configuration could also have a significant impact on system performance."
    rationale: "Prior to the introduction of auditing subcategories in Windows Vista, it was difficult to track events at a per-system or per-user level. The larger event categories created too many events and the key information that needed to be audited was difficult to find."
    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings."
    compliance:
      - cis: ["2.3.2.1"]
      - cis_csc: ["6.2"]
      - pci_dss: ["2.2.3"]
      - nist_800_53: ["CM.1"]
      - gpg_13: ["4.3"]
      - gdpr_IV: ["35.7.d"]
      - hipaa: ["164.312.b"]
      - tsc: ["CC5.2"]
    references:
      - 'CCE-37850-5'
    condition: all
    rules:
      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> SCENoApplyLegacyAuditPolicy -> 1'

  # 2.3.2.2 Audit: Shut down system immediately if unable to log security audits (Scored)
  - id: 16504
    title: "Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled'"
    description: "This policy setting determines whether the system shuts down if it is unable to log Security events. It is a requirement for Trusted Computer System Evaluation Criteria (TCSEC)-C2 and Common Criteria certification to prevent auditable events from occurring if the audit system is unable to log them. Microsoft has chosen to meet this requirement by halting the system and displaying a stop message if the auditing system experiences a failure. When this policy setting is enabled, the system will be shut down if a security audit cannot be logged for any reason. The recommended state for this setting is: Disabled."
    rationale: "If the computer is unable to record events to the Security log, critical evidence or important troubleshooting information may not be available for review after a security incident. Also, an attacker could potentially generate a large volume of Security log events to purposely force a computer shutdown."
    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Audit: Shut down system immediately if unable to log security audits."
    compliance:
      - cis: ["2.3.2.2"]
      - cis_csc: ["6"]
      - pci_dss: ["10.7"]
    references:
      - 'CCE-35907-5'
    condition: all
    rules:
      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> CrashOnAuditFail -> 0'

  # 2.3.4.1 Devices: Allowed to format and eject removable media (Scored)
  - id: 16505
    title: "Ensure 'Devices: Allowed to format and eject removable media' is set to 'Administrators'"
    description: "This policy setting determines who is allowed to format and eject removable NTFS media. You can use this policy setting to prevent unauthorized users from removing data on one computer to access it on another computer on which they have local administrator privileges. The recommended state for this setting is: Administrators."
    rationale: "Users may be able to move data on removable disks to a different computer where they have administrative privileges. The user could then take ownership of any file, grant themselves full control, and view or modify any file. The fact that most removable storage devices will eject media by pressing a mechanical button diminishes the advantage of this policy setting."
    remediation: "To establish the recommended configuration via GP, set the following UI path to Administrators and Interactive Users: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Devices: Allowed to format and eject removable media."
    compliance:
      - cis: ["2.3.4.1"]
      - cis_csc: ["5.1"]
      - pci_dss: ["7.2"]
      - tsc: ["CC6.4"]
    references:
      - 'CCE-37701-0'
    condition: all
    rules:
      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> AllocateDASD -> 0'

  # 2.3.4.2 Devices: Prevent users from installing printer drivers (Scored)
  - id: 16506
    title: "Ensure 'Devices: Prevent users from installing printer drivers' is set to 'Enabled'"
    description: "For a computer to print to a shared printer, the driver for that shared printer must be installed on the local computer. This security setting determines who is allowed to install a printer driver as part of connecting to a shared printer. The recommended state for this setting is: Enabled. Note: This setting does not affect the ability to add a local printer. This setting does not affect Administrators."
    rationale: "It may be appropriate in some organizations to allow users to install printer drivers on their own workstations. However, you should allow only Administrators, not users, to do so on servers, because printer driver installation on a server may unintentionally cause the computer to become less stable. A malicious user could install inappropriate printer drivers in a deliberate attempt to damage the computer, or a user might accidentally install malicious software that masquerades as a printer driver. It is feasible for an attacker to disguise a Trojan horse program as a printer driver. The program may appear to users as if they must use it to print, but such a program could unleash malicious code on your computer network."
    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Devices: Prevent users from installing printer drivers."
    compliance:
      - cis: ["2.3.4.2"]
      - cis_csc: ["5.1"]
      - pci_dss: ["2.2.4","2.2.5"]
      - nist_800_53: ["CM.1"]
      - tsc: ["CC6.3","CC5.2"]
    references:
      - 'CCE-37942-0'
    condition: all
    rules:
      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers -> AddPrinterDrivers -> 1'

  # 2.3.5.1 Domain controller: Allow server operators to schedule tasks (Scored)
  - id: 16507
    title: "Ensure 'Domain controller: Allow server operators to schedule tasks' is set to 'Disabled' (DC only)"
    description: "This policy setting determines whether members of the Server Operators group are allowed to submit jobs by means of the AT schedule facility. The impact of this policy setting configuration should be small for most organizations. Users, including those in the Server Operators group, will still be able to create jobs by means of the Task Scheduler Wizard, but those jobs will run in the context of the account with which the user authenticates when they set up the job. Note: An AT Service Account can be modified to select a different account rather than the LOCAL SYSTEM account. To change the account, open System Tools, click Scheduled Tasks, and then click Accessories folder. Then click AT Service Account on the Advanced menu. The recommended state for this setting is: Disabled."
    rationale: "If you enable this policy setting, jobs that are created by server operators by means of the AT service will execute in the context of the account that runs that service. By default, that is the local SYSTEM account. If you enable this policy setting, server operators could perform tasks that SYSTEM is able to do but that they would typically not be able to do, such as add their account to the local Administrators group."
    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain controller: Allow server operators to schedule tasks."
    compliance:
      - cis: ["2.3.5.1"]
      - cis_csc: ["5.1"]
      - pci_dss: ["7.1"]
      - tsc: ["CC6.4"]
    references:
      - 'CCE-37848-9'
    condition: all
    rules:
      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> SubmitControl -> 0'

  # 2.3.5.2 Domain controller: LDAP server signing requirements (Scored)
  - id: 16508
    title: "Ensure 'Domain controller: LDAP server signing requirements' is set to 'Require signing' (DC only)"
    description: "This policy setting determines whether the Lightweight Directory Access Protocol (LDAP) server requires LDAP clients to negotiate data signing. The recommended state for this setting is: Require signing. Note: Domain member computers must have Network security: LDAP signing requirements (Rule 2.3.11.8) set to Negotiate signing or higher. If not, they will fail to authenticate once the above Require signing value is configured on the Domain Controllers. Fortunately, Negotiate signing is the default in the client configuration. Note #2: This policy setting does not have any impact on LDAP simple bind (ldap_simple_bind) or LDAP simple bind through SSL (ldap_simple_bind_s). No Microsoft LDAP clients that are shipped with Windows XP Professional use LDAP simple bind or LDAP simple bind through SSL to talk to a Domain Controller. Note #3: Before enabling this setting, you should first ensure that there are no clients (including server-based applications) that are configured to authenticate with Active Directory via unsigned LDAP, because changing this setting will break those applications. Such applications should first be reconfigured to use signed LDAP, Secure LDAP (LDAPS), or IPsec-protected connections."
    rationale: "Unsigned network traffic is susceptible to man-in-the-middle attacks. In such attacks, an intruder captures packets between the server and the client, modifies them, and then forwards them to the client. Where LDAP servers are concerned, an attacker could cause a client to make decisions that are based on false records from the LDAP directory. To lower the risk of such an intrusion in an organization's network, you can implement strong physical security measures to protect the network infrastructure. Also, you could implement Internet Protocol security (IPsec) authentication header mode (AH), which performs mutual authentication and packet integrity for IP traffic to make all types of man-in-the-middle attacks extremely difficult. Additionally, allowing the use of regular, unsigned LDAP permits credentials to be received over the network in clear text, which could very easily result in the interception of account passwords by other systems on the network."
    remediation: "To establish the recommended configuration via GP, set the following UI path to Require signing: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain controller: LDAP server signing requirements."
    compliance:
      - cis: ["2.3.5.2"]
      - cis_csc: ["3"]
      - pci_dss: ["4.1"]
      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
      - nist_800_53: ["SC.8"]
      - tsc: ["CC6.1","CC6.7","CC7.2"]
    references:
      - https://blogs.technet.microsoft.com/russellt/2016/01/13/identifying-clear-text-ldap-binds-to-your-dcs/
      - 'CCE-35904-2'
    condition: all
    rules:
      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters -> LDAPServerIntegrity -> 2'

  # 2.3.5.3 Domain controller: Refuse machine account password changes (Scored)
  - id: 16509
    title: "Ensure 'Domain controller: Refuse machine account password changes' is set to 'Disabled' (DC only)"
    description: "This security setting determines whether Domain Controllers will refuse requests from member computers to change computer account passwords. The recommended state for this setting is: Disabled."
    rationale: "If you enable this policy setting on all Domain Controllers in a domain, domain members will not be able to change their computer account passwords, and those passwords will be more susceptible to attack."
    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain controller: Refuse machine account password changes."
    compliance:
      - cis: ["2.3.5.3"]
      - cis_csc: ["16"]
      - pci_dss: ["8.2.4"]
      - tsc: ["CC6.1"]
    references:
      - 'CCE-36921-5'
    condition: all
    rules:
      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RefusePasswordChange -> 0'

  # 2.3.6.1 Domain member: Digitally encrypt or sign secure channel data (always) (Scored)
  - id: 16510
    title: "Ensure 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'Enabled'"
    description: "This policy setting determines whether all secure channel traffic that is initiated by the domain member must be signed or encrypted. The recommended state for this setting is: Enabled."
    rationale: "When a computer joins a domain, a computer account is created. After it joins the domain, the computer uses the password for that account to create a secure channel with the Domain Controller for its domain every time that it restarts. Requests that are sent on the secure channel are authenticated, and sensitive information such as passwords is encrypted, but the channel is not integrity-checked, and not all information is encrypted. Digital encryption and signing of the secure channel is a good idea where it is supported. The secure channel protects domain credentials as they are sent to the Domain Controller."
    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Digitally encrypt or sign secure channel data (always)."
    compliance:
      - cis: ["2.3.6.1"]
      - cis_csc: ["13"]
      - pci_dss: ["4.1"]
      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
      - nist_800_53: ["SC.8"]
      - tsc: ["CC6.1","CC6.7","CC7.2"]
    references:
      - 'CCE-36142-8'
    condition: all
    rules:
      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RequireSignOrSeal -> 1'

  # 2.3.6.2 Domain member: Digitally encrypt secure channel data (when possible) (Scored)
  - id: 16511
    title: "Ensure 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'Enabled'"
    description: "This policy setting determines whether a domain member should attempt to negotiate encryption for all secure channel traffic that it initiates. The recommended state for this setting is: Enabled."
    rationale: "When a computer joins a domain, a computer account is created. After it joins the domain, the computer uses the password for that account to create a secure channel with the Domain Controller for its domain every time that it restarts. Requests that are sent on the secure channel are authenticated, and sensitive information such as passwords is encrypted, but the channel is not integrity-checked, and not all information is encrypted. Digital encryption and signing of the secure channel is a good idea where it is supported. The secure channel protects domain credentials as they are sent to the Domain Controller."
    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Digitally encrypt secure channel data (when possible)."
    compliance:
      - cis: ["2.3.6.2"]
      - cis_csc: ["13"]
      - pci_dss: ["4.1"]
      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
      - nist_800_53: ["SC.8"]
      - tsc: ["CC6.1","CC6.7","CC7.2"]
    references:
      - 'CCE-37130-2'
    condition: all
    rules:
      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> SealSecureChannel -> 1'

  # 2.3.6.3 Domain member: Digitally sign secure channel data (when possible) (Scored)
  - id: 16512
    title: "Ensure 'Domain member: Digitally sign secure channel data (when possible)' is set to 'Enabled'"
    description: "This policy setting determines whether a domain member should attempt to negotiate whether all secure channel traffic that it initiates must be digitally signed. Digital signatures protect the traffic from being modified by anyone who captures the data as it traverses the network. The recommended state for this setting is: Enabled."
    rationale: "When a computer joins a domain, a computer account is created. After it joins the domain, the computer uses the password for that account to create a secure channel with the Domain Controller for its domain every time that it restarts. Requests that are sent on the secure channel are authenticated, and sensitive information such as passwords is encrypted, but the channel is not integrity-checked, and not all information is encrypted. Digital encryption and signing of the secure channel is a good idea where it is supported. The secure channel protects domain credentials as they are sent to the Domain Controller."
    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Digitally sign secure channel data (when possible)."
    compliance:
      - cis: ["2.3.6.3"]
      - cis_csc: ["13"]
      - pci_dss: ["4.1"]
      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
      - nist_800_53: ["SC.8"]
      - tsc: ["CC6.1","CC6.7","CC7.2"]
    references:
      - 'CCE-37222-7'
    condition: all
    rules:
      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> SignSecureChannel -> 1'

  # 2.3.6.4 Domain member: Disable machine account password changes (Scored)
  - id: 16513
    title: "Ensure 'Domain member: Disable machine account password changes' is set to 'Disabled'"
    description: "This policy setting determines whether a domain member can periodically change its computer account password. Computers that cannot automatically change their account passwords are potentially vulnerable, because an attacker might be able to determine the password for the system's domain account. The recommended state for this setting is: Disabled."
    rationale: "The default configuration for Windows Server 2003-based computers that belong to a domain is that they are automatically required to change the passwords for their accounts every 30 days. If you disable this policy setting, computers that run Windows Server 2003 will retain the same passwords as their computer accounts. Computers that are no longer able to automatically change their account password are at risk from an attacker who could determine the password for the computer's domain account."
    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Disable machine account password changes."
    compliance:
      - cis: ["2.3.6.4"]
      - cis_csc: ["16"]
      - pci_dss: ["8.2.4"]
      - tsc: ["CC6.1"]
    references:
      - 'CCE-37508-9'
    condition: all
    rules:
      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> DisablePasswordChange -> 0'

  # 2.3.6.6 Domain member: Require strong (Windows 2000 or later) session key (Scored)
  - id: 16514
    title: "Ensure 'Domain member: Require strong (Windows 2000 or later) session key' is set to 'Enabled'"
    description: "When this policy setting is enabled, a secure channel can only be established with Domain Controllers that are capable of encrypting secure channel data with a strong (128-bit) session key. To enable this policy setting, all Domain Controllers in the domain must be able to encrypt secure channel data with a strong key, which means all Domain Controllers must be running Microsoft Windows 2000 or newer. The recommended state for this setting is: Enabled."
    rationale: "Session keys that are used to establish secure channel communications between Domain Controllers and member computers are much stronger in Windows 2000 than they were in previous Microsoft operating systems. Whenever possible, you should take advantage of these stronger session keys to help protect secure channel communications from attacks that attempt to hijack network sessions and eavesdropping. (Eavesdropping is a form of hacking in which network data is read or altered in transit. The data can be modified to hide or change the sender, or be redirected.)"
    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Require strong (Windows 2000 or later) session key."
    compliance:
      - cis: ["2.3.6.6"]
      - cis_csc: ["13"]
      - pci_dss: ["4.1"]
      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
      - nist_800_53: ["SC.8"]
      - tsc: ["CC6.1","CC6.7","CC7.2"]
    references:
      - 'CCE-37614-5'
    condition: all
    rules:
      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RequireStrongKey -> 1'

  # 2.3.7.1 Interactive logon: Do not require CTRL+ALT+DEL (Scored)
  - id: 16515
    title: "Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled'"
    description: "This policy setting determines whether users must press CTRL+ALT+DEL before they log on. The recommended state for this setting is: Disabled."
    rationale: "Microsoft developed this feature to make it easier for users with certain types of physical impairments to log on to computers that run Windows. If users are not required to press CTRL+ALT+DEL, they are susceptible to attacks that attempt to intercept their passwords. If CTRL+ALT+DEL is required before logon, user passwords are communicated by means of a trusted path. An attacker could install a Trojan horse program that looks like the standard Windows logon dialog box and capture the user's password. The attacker would then be able to log on to the compromised account with whatever level of privilege that user has."
    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Do not require CTRL+ALT+DEL."
    compliance:
      - cis: ["2.3.7.1"]
      - cis_csc: ["8"]
      - pci_dss: ["2.2.3"]
      - nist_800_53: ["CM.1"]
      - gpg_13: ["4.3"]
      - gdpr_IV: ["35.7.d"]
      - hipaa: ["164.312.b"]
      - tsc: ["CC5.2"]
    references:
      - 'CCE-37637-6'
    condition: all
    rules:
      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DisableCAD -> 0'

  # 2.3.7.2 Interactive logon: Do not display last user name (Scored)
  - id: 16516
    title: "Ensure 'Interactive logon: Don't display last signed-in' is set to 'Enabled'"
    description: "This policy setting determines whether the account name of the last user to log on to the client computers in your organization will be displayed in each computer's respective Windows logon screen. Enable this policy setting to prevent intruders from collecting account names visually from the screens of desktop or laptop computers in your organization. The recommended state for this setting is: Enabled."
    rationale: "An attacker with access to the console (for example, someone with physical access or someone who is able to connect to the server through Remote Desktop Services) could view the name of the last user who logged on to the server. The attacker could then try to guess the password, use a dictionary, or use a brute-force attack to try and log on."
    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Don't display last signed-in."
    compliance:
      - cis: ["2.3.7.2"]
      - cis_csc: ["13"]
      - pci_dss: ["2.2.3"]
      - nist_800_53: ["CM.1"]
      - gpg_13: ["4.3"]
      - gdpr_IV: ["35.7.d"]
      - hipaa: ["164.312.b"]
      - tsc: ["CC5.2"]
    references:
      - 'CCE-36056-0'
    condition: all
    rules:
      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DontDisplayLastUserName -> 1'

# 2.3.7.3 Interactive logon: Machine inactivity limit (Scored)


- id: 16517
title: "Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or
fewer second(s), but not 0'"
description: "Windows notices inactivity of a logon session, and if the amount
of inactive time exceeds the inactivity limit, then the screen saver will run,
locking the session. The recommended state for this setting is: 900 or fewer
second(s), but not 0. Note: A value of 0 does not conform to the benchmark as it
disables the machine inactivity limit."
rationale: "If a user forgets to lock their computer when they walk away it's
possible that a passerby will hijack it."
remediation: "To establish the recommended configuration via GP, set the
following UI path to 900 or fewer seconds, but not 0: Computer Configuration\\
Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\
Interactive logon: Machine inactivity limit."
compliance:
- cis: ["2.3.7.3"]
- cis_csc: ["16.5"]
- pci_dss: ["8.1.8"]
- tsc: ["CC6.1"]
references:
- 'CCE-38235-8'
condition: all
rules:
- 'not r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
Policies\System -> InactivityTimeoutSecs -> 0'
- 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\
System -> InactivityTimeoutSecs -> n:^(\d+) compare <= 900'

# 2.3.7.6 Interactive logon: Number of previous logons to cache (in case domain controller is not available)' is set to '4 or fewer logon(s)'
- id: 16518
title: "Ensure 'Interactive logon: Number of previous logons to cache (in case
domain controller is not available)' is set to '4 or fewer logon(s)'"
description: "This policy setting determines whether a user can log on to a
Windows domain using cached account information."
rationale: "The number that is assigned to this policy setting indicates the
number of users whose logon information the computer will cache locally."
remediation: "To establish the recommended configuration via GP, set the
following UI path to 4 or fewer logon(s): Computer Configuration\\Policies\\Windows
Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon:
Number of previous logons to cache (in case domain controller is not available)."
compliance:
- cis: ["2.3.7.6"]
- cis_csc: ["16"]
- pci_dss: ["8.2"]
- tsc: ["CC6.1"]
references:
- 'CCE-38240-8'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
-> CachedLogonsCount -> r:^0$|^1$|^2$|^3$|^4$'

# 2.3.7.7 Interactive logon: Prompt user to change password before expiration (Scored)


- id: 16519
title: "Ensure 'Interactive logon: Prompt user to change password before
expiration' is set to 'between 5 and 14 days'"
description: "This policy setting determines how far in advance users are
warned that their password will expire. It is recommended that you configure this
policy setting to at least 5 days but no more than 14 days to sufficiently warn
users when their passwords will expire. The recommended state for this setting is:
between 5 and 14 days."
rationale: "It is recommended that user passwords be configured to expire
periodically. Users will need to be warned that their passwords are going to
expire, or they may inadvertently be locked out of the computer when their
passwords expire. This condition could lead to confusion for users who access the
network locally, or make it impossible for users to access your organization's
network through dial-up or virtual private network (VPN) connections."
remediation: "To establish the recommended configuration via GP, set the
following UI path to a value between 5 and 14 days: Computer Configuration\\
Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\
Interactive logon: Prompt user to change password before expiration."
compliance:
- cis: ["2.3.7.7"]
- cis_csc: ["16"]
- pci_dss: ["8.2.4"]
- tsc: ["CC6.1"]
references:
- 'CCE-37622-8'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
-> PasswordExpiryWarning -> n:^(\d+) compare >= 5 && n:^(\d+) compare <= 14'

# 2.3.7.8 (L1) Ensure 'Interactive logon: Require Domain Controller Authentication to unlock workstation' is set to 'Enabled' (MS only) (Scored)


- id: 16520
title: "Ensure 'Interactive logon: Require Domain Controller Authentication to
unlock workstation' is set to 'Enabled'"
description: "Logon information is required to unlock a locked computer. For
domain accounts, this security setting determines whether it is necessary to
contact a Domain Controller to unlock a computer. The recommended state for this
setting is: Enabled."
rationale: "By default, the computer caches in memory the credentials of any
users who are authenticated locally. The computer uses these cached credentials to
authenticate anyone who attempts to unlock the console. When cached credentials are
used, any changes that have recently been made to the account - such as user rights
assignments, account lockout, or the account being disabled - are not considered or
applied after the account is authenticated. User privileges are not updated, and
(more importantly) disabled accounts are still able to unlock the console of the
computer."
remediation: "To implement the recommended configuration via GP, set the
following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\
Security Settings\\Local Policies\\Security Options\\Interactive logon: Require
Domain Controller Authentication to unlock workstation"
compliance:
- cis: ["2.3.7.8"]
- cis_csc: ["16.9"]
- pci_dss: ["8.6"]
- tsc: ["CC6.1"]
references:
- 'CCE-38240-8'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
-> ForceUnlockLogon -> 1'

# 2.3.7.9 Interactive logon: Smart card removal behavior (Scored)


- id: 16521
title: "Ensure 'Interactive logon: Smart card removal behavior' is set to 'Lock
Workstation' or higher"
description: "This policy setting determines what happens when the smart card
for a logged-on user is removed from the smart card reader. The recommended state
for this setting is: Lock Workstation. Configuring this setting to Force Logoff or
Disconnect if a Remote Desktop Services session also conforms to the benchmark."
rationale: "Users sometimes forget to lock their workstations when they are
away from them, allowing the possibility for malicious users to access their
computers. If smart cards are used for authentication, the computer should
automatically lock itself when the card is removed to ensure that only the user
with the smart card is accessing resources using those credentials."
remediation: "To establish the recommended configuration via GP, set the
following UI path to Lock Workstation (or, if applicable for your environment,
Force Logoff or Disconnect if a Remote Desktop Services session): Computer
Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\
Security Options\\Interactive logon: Smart card removal behavior."
compliance:
- cis: ["2.3.7.9"]
- cis_csc: ["16.5"]
- pci_dss: ["8.6"]
- tsc: ["CC6.1"]
references:
- 'CCE-38333-1'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
-> ScRemoveOption -> r:^1$|^2$|^3$'

# 2.3.8.1 Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled'


- id: 16522
title: "Ensure 'Microsoft network client: Digitally sign communications
(always)' is set to 'Enabled'"
description: "This policy setting determines whether packet signing is required
by the SMB client component. Note: When Windows Vista-based computers have this
policy setting enabled and they connect to file or print shares on remote servers,
it is important that the setting is synchronized with its companion setting,
Microsoft network server: Digitally sign communications (always), on those servers.
For more information about these settings, see the 'Microsoft network client and
server: Digitally sign communications (four related settings)' section in Chapter 5
of the Threats and Countermeasures guide. The recommended state for this setting
is: Enabled."
rationale: "Session hijacking uses tools that allow attackers who have access
to the same network as the client or server to interrupt, end, or steal a session
in progress. Attackers can potentially intercept and modify unsigned SMB packets
and then modify the traffic and forward it so that the server might perform
undesirable actions. Alternatively, the attacker could pose as the server or client
after legitimate authentication and gain unauthorized access to data. SMB is the
resource sharing protocol that is supported by many Windows operating systems. It
is the basis of NetBIOS and many other protocols. SMB signatures authenticate both
users and the servers that host the data. If either side fails the authentication
process, data transmission will not take place."
remediation: "To establish the recommended configuration via GP, set the
following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\
Security Settings\\Local Policies\\Security Options\\Microsoft network client:
Digitally sign communications (always)."
compliance:
- cis: ["2.3.8.1"]
- cis_csc: ["13"]
- pci_dss: ["4.1"]
- hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
- nist_800_53: ["SC.8"]
- tsc: ["CC6.1","CC6.7","CC7.2"]
references:
- 'CCE-36325-9'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\
Parameters -> RequireSecuritySignature -> 1'

# 2.3.8.2 Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled'


- id: 16523
title: "Ensure 'Microsoft network client: Digitally sign communications (if
server agrees)' is set to 'Enabled'"
description: "This policy setting determines whether the SMB client will
attempt to negotiate SMB packet signing. Note: Enabling this policy setting on SMB
clients on your network makes them fully effective for packet signing with all
clients and servers in your environment. The recommended state for this setting is:
Enabled."
rationale: "Session hijacking uses tools that allow attackers who have access
to the same network as the client or server to interrupt, end, or steal a session
in progress. Attackers can potentially intercept and modify unsigned SMB packets
and then modify the traffic and forward it so that the server might perform
undesirable actions. Alternatively, the attacker could pose as the server or client
after legitimate authentication and gain unauthorized access to data. SMB is the
resource sharing protocol that is supported by many Windows operating systems. It
is the basis of NetBIOS and many other protocols. SMB signatures authenticate both
users and the servers that host the data. If either side fails the authentication
process, data transmission will not take place."
remediation: "To establish the recommended configuration via GP, set the
following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\
Security Settings\\Local Policies\\Security Options\\Microsoft network client:
Digitally sign communications (if server agrees)."
compliance:
- cis: ["2.3.8.2"]
- cis_csc: ["13"]
- pci_dss: ["4.1"]
- hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
- nist_800_53: ["SC.8"]
- tsc: ["CC6.1","CC6.7","CC7.2"]
references:
- 'CCE-36269-9'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\
Parameters -> EnableSecuritySignature -> 1'

# 2.3.8.3 Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled'


- id: 16524
title: "Ensure 'Microsoft network client: Send unencrypted password to third-
party SMB servers' is set to 'Disabled'"
description: "This policy setting determines whether the SMB redirector will
send plaintext passwords during authentication to third-party SMB servers that do
not support password encryption. It is recommended that you disable this policy
setting unless there is a strong business case to enable it. If this policy setting
is enabled, unencrypted passwords will be allowed across the network. The
recommended state for this setting is: Disabled."
rationale: "If you enable this policy setting, the server can transmit
passwords in plaintext across the network to other computers that offer SMB
services, which is a significant security risk. These other computers may not use
any of the SMB security mechanisms that are included with Windows Server 2003."
remediation: "To establish the recommended configuration via GP, set the
following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\
Security Settings\\Local Policies\\Security Options\\Microsoft network client: Send
unencrypted password to third-party SMB servers."
compliance:
- cis: ["2.3.8.3"]
- cis_csc: ["13"]
- pci_dss: ["4.1"]
- hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
- nist_800_53: ["SC.8"]
- tsc: ["CC6.1","CC6.7","CC7.2"]
references:
- 'CCE-37863-8'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\
Parameters -> EnablePlainTextPassword -> 0'

# 2.3.9.1 Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s), but not 0'
- id: 16525
title: "Ensure 'Microsoft network server: Amount of idle time required before
suspending session' is set to '15 or fewer minute(s), but not 0'"
description: "This policy setting allows you to specify the amount of
continuous idle time that must pass in an SMB session before the session is
suspended because of inactivity. Administrators can use this policy setting to
control when a computer suspends an inactive SMB session. If client activity
resumes, the session is automatically reestablished. A value of 0 appears to allow
sessions to persist indefinitely. The maximum value is 99999, which is over 69
days; in effect, this value disables the setting. The recommended state for this
setting is: 15 or fewer minute(s), but not 0."
rationale: "Each SMB session consumes server resources, and numerous null
sessions will slow the server or possibly cause it to fail. An attacker could
repeatedly establish SMB sessions until the server's SMB services become slow or
unresponsive."
remediation: "To establish the recommended configuration via GP, set the
following UI path to 15 or fewer minute(s), but not 0: Computer Configuration\\
Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\
Microsoft network server: Amount of idle time required before suspending session."
compliance:
- cis: ["2.3.9.1"]
- cis_csc: ["3"]
- pci_dss: ["8.1.8"]
- tsc: ["CC6.1"]
references:
- 'CCE-38046-9'
condition: all
rules:
- 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\
Parameters -> AutoDisconnect -> 0'
- 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\
Parameters -> AutoDisconnect -> n:^(\d+) compare <= 15'
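# The two-rule pattern used by 2.3.7.3 (InactivityTimeoutSecs) and 2.3.9.1 (AutoDisconnect)
# above, a 'not ... -> 0' rule paired with a 'n:^(\d+) compare <= N' rule under
# 'condition: all', is easy to misread. The Python below is an added example, not part of
# this policy file and not Wazuh's own SCA engine: it is a deliberately small evaluator
# for the rule forms that appear on this page (r: registry key -> value name -> expression,
# an optional 'not' prefix, literal equality, 'r:' regex terms, 'n:' numeric compare terms
# joined with '&&'), run against a constructed registry snapshot rather than a live host.
# The SNAPSHOT contents and the CHECK_* dictionaries are assumptions built from the page's
# rule strings (joined back onto one line each) so that the edge cases are visible: a value
# of 0 fails both checks, a missing value makes the 'not' rule pass but the '<=' rule fail,
# and CachedLogonsCount = 10 does not match the '^0$|^1$|...|^4$' alternation of 2.3.7.6.

```python
import re
from typing import Callable, Dict, List

# Constructed registry snapshot standing in for a real host (not captured data):
# registry key path -> {value name: data rendered as a string}.
SNAPSHOT: Dict[str, Dict[str, str]] = {
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System": {
        "DisableCAD": "0",
        "InactivityTimeoutSecs": "900",
    },
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon": {
        "CachedLogonsCount": "10",
        "PasswordExpiryWarning": "14",
    },
    r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters": {
        "AutoDisconnect": "0",
    },
}

# Checks taken from the page, each wrapped rule string joined back onto one line.
CHECK_2_3_7_3 = {"condition": "all", "rules": [
    r"not r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> 0",
    r"r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> n:^(\d+) compare <= 900",
]}
CHECK_2_3_7_6 = {"condition": "all", "rules": [
    r"r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> CachedLogonsCount -> r:^0$|^1$|^2$|^3$|^4$",
]}
CHECK_2_3_7_7 = {"condition": "all", "rules": [
    r"r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> n:^(\d+) compare >= 5 && n:^(\d+) compare <= 14",
]}
CHECK_2_3_9_1 = {"condition": "all", "rules": [
    r"not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> 0",
    r"r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> n:^(\d+) compare <= 15",
]}

_OPS: Dict[str, Callable[[int, int], bool]] = {
    "<=": lambda a, b: a <= b, ">=": lambda a, b: a >= b,
    "<": lambda a, b: a < b, ">": lambda a, b: a > b,
    "==": lambda a, b: a == b, "!=": lambda a, b: a != b,
}
# 'n:<regex> compare <op> <int>': capture group 1 of <regex> is the number compared.
_NUMERIC = re.compile(r"n:(.+?)\s+compare\s+(<=|>=|==|!=|<|>)\s+(-?\d+)$")


def _check_one(data: str, term: str) -> bool:
    """Evaluate one '&&'-separated term of the value expression against the data."""
    term = term.strip()
    if term.startswith("n:"):
        m = _NUMERIC.match(term)
        if m is None:
            raise ValueError(f"unsupported numeric term: {term}")
        pattern, op, bound = m.group(1), m.group(2), int(m.group(3))
        found = re.search(pattern, data)
        return found is not None and _OPS[op](int(found.group(1)), bound)
    if term.startswith("r:"):
        return re.search(term[2:], data) is not None
    return data == term  # bare literal: exact string match


def evaluate_rule(rule: str, snapshot: Dict[str, Dict[str, str]]) -> bool:
    """Evaluate a single registry rule of the form 'r:<key> -> <value> -> <expr>'."""
    negate = rule.startswith("not ")
    body = rule[4:] if negate else rule
    if not body.startswith("r:"):
        raise ValueError(f"only registry (r:) rules are handled here: {rule}")
    parts = [p.strip() for p in body[2:].split("->")]
    if len(parts) != 3:
        raise ValueError(f"expected 'key -> value -> expression': {rule}")
    key, name, expression = parts
    # Registry key paths are case-insensitive on Windows, and the page itself mixes
    # \Software\ and \SOFTWARE\, so the key is looked up without regard to case.
    values = next((v for k, v in snapshot.items() if k.lower() == key.lower()), None)
    matched = False
    if values is not None and name in values:
        matched = all(_check_one(values[name], t) for t in expression.split("&&"))
    # A missing key or value never matches, so a 'not' rule over a missing value
    # passes; the paired positive rule is what then fails the check as a whole.
    return (not matched) if negate else matched


def run_check(check: dict, snapshot: Dict[str, Dict[str, str]]) -> bool:
    """Combine the rule results under the check's 'condition' (all/any)."""
    results: List[bool] = [evaluate_rule(r, snapshot) for r in check["rules"]]
    if check["condition"] == "all":
        return all(results)
    if check["condition"] == "any":
        return any(results)
    raise ValueError(f"unsupported condition: {check['condition']}")


if __name__ == "__main__":
    for label, check in [("2.3.7.3", CHECK_2_3_7_3), ("2.3.7.6", CHECK_2_3_7_6),
                         ("2.3.7.7", CHECK_2_3_7_7), ("2.3.9.1", CHECK_2_3_9_1)]:
        print(label, "PASS" if run_check(check, SNAPSHOT) else "FAIL")
    print("2.3.7.3 with value absent:", run_check(CHECK_2_3_7_3, {}))
```

# With the constructed snapshot, 2.3.7.3 and 2.3.7.7 pass, while 2.3.9.1 fails because
# AutoDisconnect is 0 (the 'not ... -> 0' rule turns a literal match into a failure) and
# 2.3.7.6 fails because 10 is outside the 0-4 alternation. Removing InactivityTimeoutSecs
# from the snapshot shows why the second rule matters: the negated rule alone would pass.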

# 2.3.9.2 Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled'


- id: 16526
title: "Ensure 'Microsoft network server: Digitally sign communications
(always)' is set to 'Enabled'"
description: "This policy setting determines whether packet signing is required
by the SMB server component. Enable this policy setting in a mixed environment to
prevent downstream clients from using the workstation as a network server. The
recommended state for this setting is: Enabled."
rationale: "Session hijacking uses tools that allow attackers who have access
to the same network as the client or server to interrupt, end, or steal a session
in progress. Attackers can potentially intercept and modify unsigned SMB packets
and then modify the traffic and forward it so that the server might perform
undesirable actions. Alternatively, the attacker could pose as the server or client
after legitimate authentication and gain unauthorized access to data. SMB is the
resource sharing protocol that is supported by many Windows operating systems. It
is the basis of NetBIOS and many other protocols. SMB signatures authenticate both
users and the servers that host the data. If either side fails the authentication
process, data transmission will not take place."
remediation: "To establish the recommended configuration via GP, set the
following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\
Security Settings\\Local Policies\\Security Options\\Microsoft network server:
Digitally sign communications (always)."
compliance:
- cis: ["2.3.9.2"]
- cis_csc: ["13"]
- pci_dss: ["4.1"]
- hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
- nist_800_53: ["SC.8"]
- tsc: ["CC6.1","CC6.7","CC7.2"]
references:
- 'CCE-37864-6'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\
Parameters -> RequireSecuritySignature -> 1'

# 2.3.9.3 Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled'


- id: 16527
title: "Ensure 'Microsoft network server: Digitally sign communications (if
client agrees)' is set to 'Enabled'"
description: "This policy setting determines whether the SMB server will
negotiate SMB packet signing with clients that request it. If no signing request
comes from the client, a connection will be allowed without a signature if the
Microsoft network server: Digitally sign communications (always) setting is not
enabled. Note: Enable this policy setting on SMB clients on your network to make
them fully effective for packet signing with all clients and servers in your
environment. The recommended state for this setting is: Enabled."
rationale: "Session hijacking uses tools that allow attackers who have access
to the same network as the client or server to interrupt, end, or steal a session
in progress. Attackers can potentially intercept and modify unsigned SMB packets
and then modify the traffic and forward it so that the server might perform
undesirable actions. Alternatively, the attacker could pose as the server or client
after legitimate authentication and gain unauthorized access to data. SMB is the
resource sharing protocol that is supported by many Windows operating systems. It
is the basis of NetBIOS and many other protocols. SMB signatures authenticate both
users and the servers that host the data. If either side fails the authentication
process, data transmission will not take place."
remediation: "To establish the recommended configuration via GP, set the
following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\
Security Settings\\Local Policies\\Security Options\\Microsoft network server:
Digitally sign communications (if client agrees)."
compliance:
- cis: ["2.3.9.3"]
- cis_csc: ["13"]
- pci_dss: ["4.1"]
- hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
- nist_800_53: ["SC.8"]
- tsc: ["CC6.1","CC6.7","CC7.2"]
references:
- 'CCE-35988-5'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\
Parameters -> EnableSecuritySignature -> 1'

# 2.3.9.4 Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled'
- id: 16528
title: "Ensure 'Microsoft network server: Disconnect clients when logon hours
expire' is set to 'Enabled'"
description: "This security setting determines whether to disconnect users who
are connected to the local computer outside their user account's valid logon hours.
This setting affects the Server Message Block (SMB) component. If you enable this
policy setting you should also enable Network security: Force logoff when logon
hours expire (Rule 2.3.11.6). If your organization configures logon hours for
users, this policy setting is necessary to ensure they are effective. The
recommended state for this setting is: Enabled."
rationale: "If your organization configures logon hours for users, then it
makes sense to enable this policy setting. Otherwise, users who should not have
access to network resources outside of their logon hours may actually be able to
continue to use those resources with sessions that were established during allowed
hours."
remediation: "To establish the recommended configuration via GP, set the
following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\
Security Settings\\Local Policies\\Security Options\\Microsoft network server:
Disconnect clients when logon hours expire."
compliance:
- cis: ["2.3.9.4"]
- cis_csc: ["16"]
- pci_dss: ["7.1"]
- tsc: ["CC6.4"]
references:
- 'CCE-37972-7'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\
Parameters -> EnableForcedLogOff -> 1'

# 2.3.9.5 Ensure 'Microsoft network server: Server SPN target name validation level' is set to 'Accept if provided by client' or higher
- id: 16529
title: "Ensure 'Microsoft network server: Server SPN target name validation
level' is set to 'Accept if provided by client' or higher"
description: "This policy setting controls the level of validation a computer
with shared folders or printers (the server) performs on the service principal name
(SPN) that is provided by the client computer when it establishes a session using
the server message block (SMB) protocol. The server message block (SMB) protocol
provides the basis for file and print sharing and other networking operations, such
as remote Windows administration. The SMB protocol supports validating the SMB
server service principal name (SPN) within the authentication blob provided by a
an SMB client to prevent a class of attacks against SMB servers referred to as SMB
relay attacks. This setting will affect both SMB1 and SMB2. The recommended state
for this setting is: Accept if provided by client. Configuring this setting to
Required from client also conforms to the benchmark. Note: Since the release of the
MS KB3161561 security patch, this setting can cause significant issues (such as
replication problems, group policy editing issues and blue screen crashes) on
Domain Controllers when used simultaneously with UNC path hardening (i.e. Rule
18.5.14.1). CIS therefore recommends against deploying this setting on Domain
Controllers."
rationale: "The identity of a computer can be spoofed to gain unauthorized
access to network resources."
remediation: "To establish the recommended configuration via GP, set the
following UI path to Accept if provided by client (configuring to Required from
client also conforms to the benchmark): Computer Configuration\\Policies\\Windows
Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network
server: Server SPN target name validation level."
compliance:
- cis: ["2.3.9.5"]
- cis_csc: ["14"]
- pci_dss: ["7.1"]
- tsc: ["CC6.4"]
references:
- https://support.microsoft.com/en-us/help/3161561/ms16-075-and-ms16-076-description-of-the-security-update-for-windows-n
- 'CCE-36170-9'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\
Parameters -> SMBServerNameHardeningLevel -> n:^(\d+) compare >= 1'

# 2.3.10.2 Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled'


- id: 16530
title: "Ensure 'Network access: Do not allow anonymous enumeration of SAM
accounts' is set to 'Enabled'"
description: "This policy setting controls the ability of anonymous users to
enumerate the accounts in the Security Accounts Manager (SAM). If you enable this
policy setting, users with anonymous connections will not be able to enumerate
domain account user names on the systems in your environment. This policy setting
also allows additional restrictions on anonymous connections. The recommended state
for this setting is: Enabled. Note: This policy has no effect on Domain
Controllers."
rationale: "An unauthorized user could anonymously list account names and use
the information to attempt to guess passwords or perform social engineering
attacks. (Social engineering attacks try to deceive users in some way to obtain
passwords or some form of security information)"
remediation: "To establish the recommended configuration via GP, set the
following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\
Security Settings\\Local Policies\\Security Options\\Network access: Do not allow
anonymous enumeration of SAM accounts."
compliance:
- cis: ["2.3.10.2"]
- cis_csc: ["16"]
- pci_dss: ["7.1"]
- tsc: ["CC6.4"]
references:
- 'CCE-36316-8'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa ->
RestrictAnonymousSAM -> 1'

# 2.3.10.3 Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is set to 'Enabled'


- id: 16531
title: "Ensure 'Network access: Do not allow anonymous enumeration of SAM
accounts and shares' is set to 'Enabled'"
description: "This policy setting controls the ability of anonymous users to
enumerate SAM accounts as well as shares. If you enable this policy setting,
anonymous users will not be able to enumerate domain account user names and network
share names on the systems in your environment. The recommended state for this
setting is: Enabled. Note: This policy has no effect on Domain Controllers."
rationale: "An unauthorized user could anonymously list account names and
shared resources and use the information to attempt to guess passwords or perform
social engineering attacks. (Social engineering attacks try to deceive users in
some way to obtain passwords or some form of security information)"
remediation: "To establish the recommended configuration via GP, set the
following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\
Security Settings\\Local Policies\\Security Options\\Network access: Do not allow
anonymous enumeration of SAM accounts and shares."
compliance:
- cis: ["2.3.10.3"]
- cis_csc: ["16"]
- pci_dss: ["7.1"]
- tsc: ["CC6.4"]
references:
- 'CCE-36316-8'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa ->
RestrictAnonymous -> 1'

# 2.3.10.4 (L2) Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled' (Scored)
- id: 16532
title: "Ensure 'Network access: Do not allow storage of passwords and
credentials for network authentication' is set to 'Enabled'"
description: "This policy setting determines whether Credential Manager
(formerly called Stored User Names and Passwords) saves passwords or credentials
for later use when it gains domain authentication. The recommended state for this
setting is: Enabled. Note: Changes to this setting will not take effect until
Windows is restarted."
rationale: "Passwords that are cached can be accessed by the user when logged
on to the computer. Although this information may sound obvious, a problem can
arise if the user unknowingly executes hostile code that reads the passwords and
forwards them to another, unauthorized user."
remediation: "To establish the recommended configuration via GP, set the
following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\
Security Settings\\Local Policies\\Security Options\\Network access: Do not allow
storage of passwords and credentials for network authentication."
compliance:
- cis: ["2.3.10.4"]
- cis_csc: ["16.14"]
- pci_dss: ["7.1"]
- tsc: ["CC6.4"]
references:
- 'CCE-38119-4'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa ->
DisableDomainCreds -> 1'

# 2.3.10.5 Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled'


- id: 16533
title: "Ensure 'Network access: Let Everyone permissions apply to anonymous
users' is set to 'Disabled'"
description: "This policy setting determines what additional permissions are
assigned for anonymous connections to the computer. The recommended state for this
setting is: Disabled."
rationale: "An unauthorized user could anonymously list account names and
shared resources and use the information to attempt to guess passwords, perform
social engineering attacks, or launch DoS attacks."
remediation: "To establish the recommended configuration via GP, set the
following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\
Security Settings\\Local Policies\\Security Options\\Network access: Let Everyone
permissions apply to anonymous users."
compliance:
- cis: ["2.3.10.5"]
- cis_csc: ["14", "16"]
- pci_dss: ["7.1"]
- tsc: ["CC6.4"]
references:
- 'CCE-36148-5'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa ->
EveryoneIncludesAnonymous -> 0'

# 2.3.10.6 Configure 'Network access: Named Pipes that can be accessed anonymously'
- id: 16534
title: "Configure 'Network access: Named Pipes that can be accessed
anonymously'"
description: "This policy setting determines which communication sessions, or
pipes, will have attributes and permissions that allow anonymous access. The
recommended state for this setting is: (Domain Controller) LSARPC, NETLOGON, SAMR
(Member Server) <blank> (i.e. None), or (when the legacy Computer Browser service
is enabled) BROWSER. Note: A Member Server that holds the Remote Desktop Services
Role with Remote Desktop Licensing Role Service will require a special exception to
this recommendation, to allow the HydraLSPipe and TermServLicensing Named Pipes to
be accessed anonymously."
rationale: "Limiting named pipes that can be accessed anonymously will reduce
the attack surface of the system."
remediation: "To establish the recommended configuration via GP, configure the
following UI path: Computer Configuration\\Policies\\Windows Settings\\Security
Settings\\Local Policies\\Security Options\\Network access: Named Pipes that can be
accessed anonymously."
compliance:
- cis: ["2.3.10.6"]
- cis_csc: ["14.1", "16"]
- pci_dss: ["7.1"]
- tsc: ["CC6.4"]
references:
- 'CCE-38258-0'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\
Parameters -> NullSessionPipes -> r:LSARPC && r:NETLOGON && r:SAMR'

# 2.3.10.8 Configure 'Network access: Remotely accessible registry paths'


- id: 16535
title: "Configure 'Network access: Remotely accessible registry paths'"
description: "This policy setting determines which registry paths will be
accessible over the network, regardless of the users or groups listed in the access
control list (ACL) of the winreg registry key. Note: This setting does not exist in
Windows XP. There was a setting with that name in Windows XP, but it is called
'Network access: Remotely accessible registry paths and sub-paths' in Windows
Server 2003, Windows Vista, and Windows Server 2008 (non-R2). Note #2: When you
configure this setting you specify a list of one or more objects. The delimiter
used when entering the list is a line feed or carriage return, that is, type the
first object on the list, press the Enter button, type the next object, press Enter
again, etc. The setting value is stored as a comma-delimited list in group policy
security templates. It is also rendered as a comma-delimited list in Group Policy
Editor's display pane and the Resultant Set of Policy console. It is recorded in
the registry as a line-feed delimited list in a REG_MULTI_SZ value."
rationale: "The registry is a database that contains computer configuration
information, and much of the information is sensitive. An attacker could use this
information to facilitate unauthorized activities. To reduce the risk of such an
attack, suitable ACLs are assigned throughout the registry to help protect it from
access by unauthorized users."
remediation: "To establish the recommended configuration via GP, set the
following UI path to: System\\CurrentControlSet\\Control\\ProductOptions | System\\
CurrentControlSet\\Control\\Server Applications | Software\\Microsoft\\Windows NT\\
CurrentVersion. Computer Configuration\\Policies\\Windows Settings\\Security
Settings\\Local Policies\\Security Options\\Network access: Remotely accessible
registry paths."
compliance:
- cis: ["2.3.10.8"]
- cis_csc: ["14", "16"]
- pci_dss: ["7.1"]
- tsc: ["CC6.4"]
references:
- 'CCE-37194-8'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\
Winreg\AllowedExactPaths -> Machine -> r:System\\CurrentControlSet\\Control\\
ProductOptions|System\\CurrentControlSet\\Control\\Server Applications|Software\\
Microsoft\\Windows NT\\CurrentVersion'

  # 2.3.10.9 Configure 'Network access: Remotely accessible registry paths and sub-paths'
  - id: 16536
    title: "Configure 'Network access: Remotely accessible registry paths and sub-paths'"
    description: "This policy setting determines which registry paths and sub-paths will be accessible over the network, regardless of the users or groups listed in the access control list (ACL) of the winreg registry key. Note: In Windows XP this setting is called 'Network access: Remotely accessible registry paths'; the setting with that same name in Windows Vista, Windows Server 2008 (non-R2), and Windows Server 2003 does not exist in Windows XP. Note #2: When you configure this setting you specify a list of one or more objects. The delimiter used when entering the list is a line feed or carriage return, that is, type the first object on the list, press the Enter button, type the next object, press Enter again, etc. The setting value is stored as a comma-delimited list in group policy security templates. It is also rendered as a comma-delimited list in Group Policy Editor's display pane and the Resultant Set of Policy console. It is recorded in the registry as a line-feed delimited list in a REG_MULTI_SZ value."
    rationale: "The registry contains sensitive computer configuration information that could be used by an attacker to facilitate unauthorized activities. The fact that the default ACLs assigned throughout the registry are fairly restrictive and help to protect the registry from access by unauthorized users reduces the risk of such an attack."
    remediation: "To establish the recommended configuration via GP, set the following UI path to System\\CurrentControlSet\\Control\\Print\\Printers | System\\CurrentControlSet\\Services\\Eventlog | Software\\Microsoft\\OLAP Server | Software\\Microsoft\\Windows NT\\CurrentVersion\\Print | Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows | System\\CurrentControlSet\\Control\\ContentIndex | System\\CurrentControlSet\\Control\\Terminal Server | System\\CurrentControlSet\\Control\\Terminal Server\\UserConfig | System\\CurrentControlSet\\Control\\Terminal Server\\DefaultUserConfiguration | Software\\Microsoft\\Windows NT\\CurrentVersion\\Perflib | System\\CurrentControlSet\\Services\\SysmonLog: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Remotely accessible registry paths and sub-paths. When a server holds the Active Directory Certificate Services Role with Certification Authority Role Service, the above list should also include: System\\CurrentControlSet\\Services\\CertSvc. When a server has the WINS Server Feature installed, the above list should also include: System\\CurrentControlSet\\Services\\WINS."
    compliance:
      - cis: ["2.3.10.9"]
      - cis_csc: ["14", "16"]
      - pci_dss: ["7.1"]
      - tsc: ["CC6.4"]
    references:
      - 'CCE-36347-3'
    condition: all
    rules:
      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths -> Machine -> r:Software\\Microsoft\\Windows NT\\CurrentVersion\\Print|Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows|System\\CurrentControlSet\\Control\\Print\\Printers|System\\CurrentControlSet\\Services\\Eventlog|Software\\Microsoft\\OLAP Server|System\\CurrentControlSet\\Control\\ContentIndex|System\\CurrentControlSet\\Control\\Terminal Server|System\\CurrentControlSet\\Control\\Terminal Server\\UserConfig|System\\CurrentControlSet\\Control\\Terminal Server\\DefaultUserConfiguration|Software\\Microsoft\\Windows NT\\CurrentVersion\\Perflib|System\\CurrentControlSet\\Services\\SysmonLog|System\\CurrentControlSet\\Services\\CertSvc|System\\CurrentControlSet\\Services\\WINS'

  # 2.3.10.10 Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled'
  - id: 16537
    title: "Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled'"
    description: "When enabled, this policy setting restricts anonymous access to only those shares and pipes that are named in the Network access: Named pipes that can be accessed anonymously and Network access: Shares that can be accessed anonymously settings. This policy setting controls null session access to shares on your computers by adding RestrictNullSessAccess with the value 1 in the HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\LanManServer\\Parameters registry key. This registry value toggles null session shares on or off to control whether the server service restricts unauthenticated clients' access to named resources. The recommended state for this setting is: Enabled."
    rationale: "Null sessions are a weakness that can be exploited through shares (including the default shares) on computers in your environment."
    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Restrict anonymous access to Named Pipes and Shares."
    compliance:
      - cis: ["2.3.10.10"]
      - cis_csc: ["14", "16"]
      - pci_dss: ["7.1"]
      - tsc: ["CC6.4"]
    references:
      - 'CCE-36021-4'
    condition: all
    rules:
      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> RestrictNullSessAccess -> 1'

  # 2.3.10.11 Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow' (MS only)
  - id: 16538
    title: "Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow'"
    description: "This policy setting allows you to restrict remote RPC connections to SAM. The recommended state for this setting is: Administrators: Remote Access: Allow. Note: A Windows 10 R1607, Server 2016 or newer OS is required to access and set this value in Group Policy."
    rationale: "To ensure that an unauthorized user cannot anonymously list local account names or groups and use the information to attempt to guess passwords or perform social engineering attacks. (Social engineering attacks try to deceive users in some way to obtain passwords or some form of security information.)"
    remediation: "To establish the recommended configuration via GP, set the following UI path to Administrators: Remote Access: Allow: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Restrict clients allowed to make remote calls to SAM."
    compliance:
      - cis: ["2.3.10.11"]
      - cis_csc: ["5.1", "9.1"]
      - pci_dss: ["7.1"]
      - tsc: ["CC6.4"]
    condition: all
    rules:
      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> restrictremotesam -> O:BAG:BAD:(A;;RC;;;BA)'

  # 2.3.10.12 Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None'
  - id: 16539
    title: "Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None'"
    description: "This policy setting determines which network shares can be accessed by anonymous users. The default configuration for this policy setting has little effect because all users have to be authenticated before they can access shared resources on the server. The recommended state for this setting is: <blank> (i.e. None)."
    rationale: "It is very dangerous to allow any values in this setting. Any shares that are listed can be accessed by any network user, which could lead to the exposure or corruption of sensitive data."
    remediation: "To establish the recommended configuration via GP, set the following UI path to <blank> (i.e. None): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Shares that can be accessed anonymously."
    compliance:
      - cis: ["2.3.10.12"]
      - cis_csc: ["14", "16"]
      - pci_dss: ["7.1"]
      - tsc: ["CC6.4"]
    references:
      - 'CCE-38095-6'
    condition: any
    rules:
      - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionShares'
      - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionShares -> r:\.'

  # 2.3.10.13 Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves'
  - id: 16540
    title: "Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves'"
    description: "This policy setting determines how network logons that use local accounts are authenticated. The Classic option allows precise control over access to resources, including the ability to assign different types of access to different users for the same resource. The Guest only option allows you to treat all users equally. In this context, all users authenticate as Guest only to receive the same access level to a given resource. The recommended state for this setting is: Classic - local users authenticate as themselves. Note: This setting does not affect interactive logons that are performed remotely by using such services as Telnet or Remote Desktop Services (formerly called Terminal Services)."
    rationale: "With the Guest only model, any user who can authenticate to your computer over the network does so with guest privileges, which probably means that they will not have write access to shared resources on that computer. Although this restriction does increase security, it makes it more difficult for authorized users to access shared resources on those computers because ACLs on those resources must include access control entries (ACEs) for the Guest account. With the Classic model, local accounts should be password protected. Otherwise, if Guest access is enabled, anyone can use those user accounts to access shared system resources."
    remediation: "To establish the recommended configuration via GP, set the following UI path to Classic - local users authenticate as themselves: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Sharing and security model for local accounts."
    compliance:
      - cis: ["2.3.10.13"]
      - cis_csc: ["14", "16"]
      - pci_dss: ["7.1.3"]
      - tsc: ["CC6.4"]
    references:
      - 'CCE-37623-6'
    condition: all
    rules:
      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> ForceGuest -> 0'

  # 2.3.11.1 Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled'
  - id: 16541
    title: "Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled'"
    description: "This policy setting determines whether Local System services that use Negotiate when reverting to NTLM authentication can use the computer identity. This policy is supported on at least Windows 7 or Windows Server 2008 R2. The recommended state for this setting is: Enabled."
    rationale: "When connecting to computers running versions of Windows earlier than Windows Vista or Windows Server 2008 (non-R2), services running as Local System and using SPNEGO (Negotiate) that revert to NTLM use the computer identity. In Windows 7, if you are connecting to a computer running Windows Server 2008 or Windows Vista, then a system service uses either the computer identity or a NULL session. When connecting with a NULL session, a system-generated session key is created, which provides no protection but allows applications to sign and encrypt data without errors. When connecting with the computer identity, both signing and encryption are supported in order to provide data protection."
    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Allow Local System to use computer identity for NTLM."
    compliance:
      - cis: ["2.3.11.1"]
      - cis_csc: ["14", "16"]
      - pci_dss: ["4.1"]
      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
      - nist_800_53: ["SC.8"]
      - tsc: ["CC6.1","CC6.7","CC7.2"]
    references:
      - 'CCE-38341-4'
    condition: all
    rules:
      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> UseMachineId -> 1'

  # 2.3.11.2 Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled'
  - id: 16542
    title: "Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled'"
    description: "This policy setting determines whether NTLM is allowed to fall back to a NULL session when used with LocalSystem. The recommended state for this setting is: Disabled."
    rationale: "NULL sessions are less secure because by definition they are unauthenticated."
    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Allow LocalSystem NULL session fallback."
    compliance:
      - cis: ["2.3.11.2"]
      - cis_csc: ["14"]
      - pci_dss: ["4.1"]
      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
      - nist_800_53: ["SC.8"]
      - tsc: ["CC6.1","CC6.7","CC7.2"]
    references:
      - 'CCE-37035-3'
    condition: all
    rules:
      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> allownullsessionfallback -> 0'

  # 2.3.11.3 Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'
  - id: 16543
    title: "Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'"
    description: "This setting determines if online identities are able to authenticate to this computer. The Public Key Cryptography Based User-to-User (PKU2U) protocol introduced in Windows 7 and Windows Server 2008 R2 is implemented as a security support provider (SSP). The SSP enables peer-to-peer authentication, particularly through the Windows 7 media and file sharing feature called Homegroup, which permits sharing between computers that are not members of a domain. With PKU2U, a new extension was introduced to the Negotiate authentication package, Spnego.dll. In previous versions of Windows, Negotiate decided whether to use Kerberos or NTLM for authentication. The extension SSP for Negotiate, Negoexts.dll, which is treated as an authentication protocol by Windows, supports Microsoft SSPs including PKU2U. When computers are configured to accept authentication requests by using online IDs, Negoexts.dll calls the PKU2U SSP on the computer that is used to log on. The PKU2U SSP obtains a local certificate and exchanges the policy between the peer computers. When validated on the peer computer, the certificate within the metadata is sent to the logon peer for validation and associates the user's certificate to a security token and the logon process completes. The recommended state for this setting is: Disabled."
    rationale: "The PKU2U protocol is a peer-to-peer authentication protocol - authentication should be managed centrally in most managed networks."
    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network Security: Allow PKU2U authentication requests to this computer to use online identities."
    compliance:
      - cis: ["2.3.11.3"]
      - cis_csc: ["16.9"]
      - pci_dss: ["4.1"]
      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
      - nist_800_53: ["SC.8"]
      - tsc: ["CC6.1","CC6.7","CC7.2"]
    references:
      - 'CCE-38047-7'
    condition: all
    rules:
      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\pku2u -> AllowOnlineID -> 0'

  # 2.3.11.4 Ensure 'Network Security: Configure encryption types allowed for Kerberos' is set to 'RC4_HMAC_MD5, AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types'
  - id: 16544
    title: "Ensure 'Network Security: Configure encryption types allowed for Kerberos' is set to 'RC4_HMAC_MD5, AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types'"
    description: "This policy setting allows you to set the encryption types that Kerberos is allowed to use. The recommended state for this setting is: AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types. Note: Some legacy applications and OSes may require RC4_HMAC_MD5 - we recommend you test in your environment and verify whether you can safely remove it. For the purposes of scoring we have allowed the use of RC4_HMAC_MD5 as an optional setting."
    rationale: "The strength of each encryption algorithm varies from one to the next; choosing stronger algorithms will reduce the risk of compromise, but doing so may cause issues when the computer attempts to authenticate with systems that do not support them."
    remediation: "To establish the recommended configuration via GP, set the following UI path to AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Configure encryption types allowed for Kerberos."
    compliance:
      - cis: ["2.3.11.4"]
      - cis_csc: ["16.14"]
      - pci_dss: ["4.1"]
      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
      - nist_800_53: ["SC.8"]
    references:
      - 'CCE-37755-6'
    condition: all
    rules:
      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters -> SupportedEncryptionTypes -> r:2147483644|2147483640'

  # 2.3.11.5 Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled'
  - id: 16545
    title: "Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled'"
    description: "This policy setting determines whether the LAN Manager (LM) hash value for the new password is stored when the password is changed. The LM hash is relatively weak and prone to attack compared to the cryptographically stronger Microsoft Windows NT hash. Since LM hashes are stored on the local computer in the security database, passwords can then be easily compromised if the database is attacked. Note: Older operating systems and some third-party applications may fail when this policy setting is enabled. Also, note that the password will need to be changed on all accounts after you enable this setting to gain the proper benefit. The recommended state for this setting is: Enabled."
    rationale: "The SAM file can be targeted by attackers who seek access to username and password hashes. Such attacks use special tools to crack passwords, which can then be used to impersonate users and gain access to resources on your network. These types of attacks will not be prevented if you enable this policy setting, but it will be much more difficult for these types of attacks to succeed."
    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Do not store LAN Manager hash value on next password change."
    compliance:
      - cis: ["2.3.11.5"]
      - cis_csc: ["16.14"]
      - pci_dss: ["8.2.1"]
      - tsc: ["CC6.1"]
    references:
      - 'CCE-36326-7'
    condition: all
    rules:
      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> NoLMHash -> 1'

  # 2.3.11.6 Ensure 'Network security: Force logoff when logon hours expire' is set to 'Enabled'
  - id: 16546
    title: "Ensure 'Network security: Force logoff when logon hours expire' is set to 'Enabled'"
    description: "This policy setting determines whether to disconnect users who are connected to the local computer outside their user account's valid logon hours. This setting affects the Server Message Block (SMB) component. If you enable this policy setting you should also enable Microsoft network server: Disconnect clients when logon hours expire (Rule 2.3.9.4). The recommended state for this setting is: Enabled. Note: This recommendation is unscored because there is not a documented registry value that corresponds to it. We still strongly encourage that it be configured as Enabled, to ensure that logon hours (when configured) are properly enforced."
    rationale: "If this setting is disabled, a user could remain connected to the computer outside of their allotted logon hours."
    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Force logoff when logon hours expire."
    compliance:
      - cis: ["2.3.11.6"]
      - cis_csc: ["16"]
      - pci_dss: ["7.1"]
      - tsc: ["CC6.4"]
    references:
      - 'CCE-36270-7'
    condition: all
    rules:
      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters -> EnableForcedLogOff -> 1'

  # 2.3.11.7 Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only. Refuse LM & NTLM'
  - id: 16547
    title: "Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only. Refuse LM & NTLM'"
    description: "LAN Manager (LM) was a family of early Microsoft client/server software (predating Windows NT) that allowed users to link personal computers together on a single network. LM network capabilities included transparent file and print sharing, user security features, and network administration tools. In Active Directory domains, the Kerberos protocol is the default authentication protocol. However, if the Kerberos protocol is not negotiated for some reason, Active Directory will use LM, NTLM, or NTLMv2. LAN Manager authentication includes the LM, NTLM, and NTLM version 2 (NTLMv2) variants, and is the protocol that is used to authenticate all Windows clients when they perform the following operations: join a domain, authenticate between Active Directory forests, authenticate to down-level domains, authenticate to computers that do not run Windows 2000, Windows Server 2003, or Windows XP, and authenticate to computers that are not in the domain. The Network security: LAN Manager authentication level setting determines which challenge/response authentication protocol is used for network logons. This choice affects the level of authentication protocol used by clients, the level of session security negotiated, and the level of authentication accepted by servers. The recommended state for this setting is: Send NTLMv2 response only. Refuse LM & NTLM."
    rationale: "Windows 2000 and Windows XP clients were configured by default to send LM and NTLM authentication responses (Windows 95-based and Windows 98-based clients only send LM). The default settings in OSes predating Windows Vista / Windows Server 2008 (non-R2) allowed all clients to authenticate with servers and use their resources. However, this meant that LM responses - the weakest form of authentication response - were sent over the network, and it was potentially possible for attackers to sniff that traffic to more easily reproduce the user's password. The Windows 95, Windows 98, and Windows NT operating systems cannot use the Kerberos version 5 protocol for authentication. For this reason, in a Windows Server 2003 domain, these computers authenticate by default with both the LM and NTLM protocols for network authentication. You can enforce a more secure authentication protocol for Windows 95, Windows 98, and Windows NT by using NTLMv2. For the logon process, NTLMv2 uses a secure channel to protect the authentication process. Even if you use NTLMv2 for older clients and servers, Windows-based clients and servers that are members of the domain will use the Kerberos authentication protocol to authenticate with Windows Server 2003 or newer Domain Controllers. For these reasons, it is strongly preferred to restrict the use of LM & NTLM (non-v2) as much as possible."
    remediation: "To establish the recommended configuration via GP, set the following UI path to Send NTLMv2 response only. Refuse LM & NTLM: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: LAN Manager authentication level."
    compliance:
      - cis: ["2.3.11.7"]
      - cis_csc: ["13"]
      - pci_dss: ["4.1"]
      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
      - nist_800_53: ["SC.8"]
      - tsc: ["CC6.1","CC6.7","CC7.2"]
    references:
      - 'CCE-36173-3'
    condition: all
    rules:
      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LmCompatibilityLevel -> 5'

  # 2.3.11.8 Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signing' or higher
  - id: 16548
    title: "Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signing' or higher"
    description: "This policy setting determines the level of data signing that is requested on behalf of clients that issue LDAP BIND requests. Note: This policy setting does not have any impact on LDAP simple bind (ldap_simple_bind) or LDAP simple bind through SSL (ldap_simple_bind_s). No Microsoft LDAP clients that are included with Windows XP Professional use ldap_simple_bind or ldap_simple_bind_s to communicate with a Domain Controller. The recommended state for this setting is: Negotiate signing. Configuring this setting to Require signing also conforms to the benchmark."
    rationale: "Unsigned network traffic is susceptible to man-in-the-middle attacks in which an intruder captures the packets between the client and server, modifies them, and then forwards them to the server. For an LDAP server, this susceptibility means that an attacker could cause a server to make decisions that are based on false or altered data from the LDAP queries. To lower this risk in your network, you can implement strong physical security measures to protect the network infrastructure. Also, you can make all types of man-in-the-middle attacks extremely difficult if you require digital signatures on all network packets by means of IPsec authentication headers."
    remediation: "To establish the recommended configuration via GP, set the following UI path to Negotiate signing (configuring to Require signing also conforms to the benchmark): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: LDAP client signing requirements."
    compliance:
      - cis: ["2.3.11.8"]
      - cis_csc: ["13"]
      - pci_dss: ["4.1"]
      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
      - nist_800_53: ["SC.8"]
      - tsc: ["CC6.1","CC6.7","CC7.2"]
    references:
      - 'CCE-36858-9'
    condition: all
    rules:
      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP -> LDAPClientIntegrity -> n:(\d+) compare >= 1'

  # 2.3.11.9 Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to 'Require NTLMv2 session security, Require 128-bit encryption'
  - id: 16549
    title: "Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to 'Require NTLMv2 session security, Require 128-bit encryption'"
    description: "This policy setting determines which behaviors are allowed by clients for applications using the NTLM Security Support Provider (SSP). The SSP Interface (SSPI) is used by applications that need authentication services. The setting does not modify how the authentication sequence works but instead requires certain behaviors in applications that use the SSPI. The recommended state for this setting is: Require NTLMv2 session security, Require 128-bit encryption. Note: These values are dependent on the Network security: LAN Manager Authentication Level (Rule 2.3.11.7) security setting value."
    rationale: "You can enable both options for this policy setting to help protect network traffic that uses the NTLM Security Support Provider (NTLM SSP) from being exposed or tampered with by an attacker who has gained access to the same network. In other words, these options help protect against man-in-the-middle attacks."
    remediation: "To establish the recommended configuration via GP, set the following UI path to Require NTLMv2 session security, Require 128-bit encryption: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Minimum session security for NTLM SSP based (including secure RPC) clients."
    compliance:
      - cis: ["2.3.11.9"]
      - cis_csc: ["13"]
      - pci_dss: ["4.1"]
      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
      - nist_800_53: ["SC.8"]
      - tsc: ["CC6.1","CC6.7","CC7.2"]
    references:
      - 'CCE-37553-5'
    condition: all
    rules:
      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> NTLMMinClientSec -> 537395200'

# 2.3.11.10 Ensure 'Network security: Minimum session security for NTLM SSP based
(including secure RPC) servers' is set to 'Require NTLMv2 session security, Require
128-bit encryption'
- id: 16550
title: "Ensure 'Network security: Minimum session security for NTLM SSP based
(including secure RPC) servers' is set to 'Require NTLMv2 session security, Require
128-bit encryption'"
description: "This policy setting determines which behaviors are allowed by
servers for applications using the NTLM Security Support Provider (SSP). The SSP
Interface (SSPI) is used by applications that need authentication services. The
setting does not modify how the authentication sequence works but instead require
certain behaviors in applications that use the SSPI. The recommended state for this
setting is: Require NTLMv2 session security, Require 128-bit encryption. Note:
These values are dependent on the Network security: LAN Manager Authentication
Level (Rule 2.3.11.7) security setting value."
rationale: "You can enable all of the options for this policy setting to help
protect network traffic that uses the NTLM Security Support Provider (NTLM SSP)
from being exposed or tampered with by an attacker who has gained access to the
same network. That is, these options help protect against man-in-the-middle
attacks."
remediation: "To establish the recommended configuration via GP, set the
following UI path to Require NTLMv2 session security, Require 128-bit encryption:
Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local
Policies\\Security Options\\Network security: Minimum session security for NTLM SSP
based (including secure RPC) servers."
compliance:
- cis: ["2.3.11.10"]
- cis_csc: ["13"]
- pci_dss: ["4.1"]
- hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
- nist_800_53: ["SC.8"]
- tsc: ["CC6.1","CC6.7","CC7.2"]
references:
- https://workbench.cisecurity.org/benchmarks/288
- 'CCE-37835-6'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 ->
NTLMMinServerSec -> 537395200'
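
# The values compared above (NTLMMinClientSec and NTLMMinServerSec, 537395200) are
# bitmasks of NTLMSSP negotiate flags. Added example, not part of the Wazuh policy:
# a Python decoder showing which policy options the DWORD carries and why 537395200
# is exactly 'Require NTLMv2 session security' plus 'Require 128-bit encryption';
# the flag constants are taken from MS-NLMP.

```python
"""Added example (not part of the Wazuh policy): decode the NTLMMinServerSec /
NTLMMinClientSec DWORD that the rules above compare against 537395200."""

# MS-NLMP NegotiateFlags. EXTENDED_SESSIONSECURITY is the flag older docs call NTLM2.
NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY = 0x00080000  # Require NTLMv2 session security
NTLMSSP_NEGOTIATE_128 = 0x20000000                       # Require 128-bit encryption

POLICY_OPTIONS = {
    NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY: "Require NTLMv2 session security",
    NTLMSSP_NEGOTIATE_128: "Require 128-bit encryption",
}

# Both options set: 0x20080000 == 537395200, the value the SCA rules above look for.
CIS_REQUIRED = NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY | NTLMSSP_NEGOTIATE_128


def decode_min_sec(value: int) -> list[str]:
    """Policy options present in the DWORD, plus any bits outside the two known ones."""
    names = [name for bit, name in POLICY_OPTIONS.items() if value & bit]
    leftover = value & ~CIS_REQUIRED & 0xFFFFFFFF
    if leftover:
        names.append(f"other bits 0x{leftover:08x}")
    return names


def meets_cis_minimum(value: int) -> bool:
    """True when both required options are set. This is a bit test, so a value with
    extra bits still passes; the SCA rule on this page is stricter and matches the
    exact value 537395200."""
    return value & CIS_REQUIRED == CIS_REQUIRED


def rule_value_passes(raw: str) -> bool:
    """What the literal SCA rule above does: an exact string comparison, no decoding."""
    return raw == str(CIS_REQUIRED)
```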

# 2.3.13.1 Ensure 'Shutdown: Allow system to be shut down without having to log on'
# is set to 'Disabled'
- id: 16551
title: "Ensure 'Shutdown: Allow system to be shut down without having to log
on' is set to 'Disabled'"
description: "This policy setting determines whether a computer can be shut
down when a user is not logged on. If this policy setting is enabled, the shutdown
command is available on the Windows logon screen. It is recommended to disable this
policy setting to restrict the ability to shut down the computer to users with
credentials on the system. The recommended state for this setting is: Disabled.
Note: In Server 2008 R2 and older versions, this setting had no impact on Remote
Desktop (RDP) / Terminal Services sessions - it only affected the local console.
However, Microsoft changed the behavior in Windows Server 2012 (non-R2) and above,
where if set to Enabled, RDP sessions are also allowed to shut down or restart the
server."
rationale: "Users who can access the console locally could shut down the
computer. Attackers could also walk to the local console and restart the server,
which would cause a temporary DoS condition. Attackers could also shut down the
server and leave all of its applications and services unavailable. As noted in the
Description above, the Denial of Service (DoS) risk of enabling this setting
dramatically increases in Windows Server 2012 (non-R2) and above, as even remote
users could then shut down or restart the server from the logon screen of an RDP
session."
remediation: "To establish the recommended configuration via GP, set the
following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\
Security Settings\\Local Policies\\Security Options\\Shutdown: Allow system to be
shut down without having to log on."
compliance:
- cis: ["2.3.13.1"]
- cis_csc: ["5.1"]
- pci_dss: ["2.2.4"]
- nist_800_53: ["CM.1"]
- tsc: ["CC5.2"]
references:
- 'CCE-36788-8'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\
System -> ShutdownWithoutLogon -> 0'

# 2.3.15.1 Ensure 'System objects: Require case insensitivity for non-Windows
# subsystems' is set to 'Enabled'
- id: 16552
title: "Ensure 'System objects: Require case insensitivity for non-Windows
subsystems' is set to 'Enabled'"
description: "This policy setting determines whether case insensitivity is
enforced for all subsystems. The Microsoft Win32 subsystem is case insensitive.
However, the kernel supports case sensitivity for other subsystems, such as the
Portable Operating System Interface for UNIX (POSIX). Because Windows is case
insensitive (but the POSIX subsystem will support case sensitivity), failure to
enforce this policy setting makes it possible for a user of the POSIX subsystem to
create a file with the same name as another file by using mixed case to label it.
Such a situation can block access to these files by another user who uses typical
Win32 tools, because only one of the files will be available. The recommended state
for this setting is: Enabled."
rationale: "Because Windows is case-insensitive but the POSIX subsystem will
support case sensitivity, failure to enable this policy setting would make it
possible for a user of that subsystem to create a file with the same name as
another file but with a different mix of upper and lower case letters. Such a
situation could potentially confuse users when they try to access such files from
normal Win32 tools because only one of the files will be available."
remediation: "To establish the recommended configuration via GP, set the
following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\
Security Settings\\Local Policies\\Security Options\\System objects: Require case
insensitivity for non-Windows subsystems."
compliance:
- cis: ["2.3.15.1"]
- pci_dss: ["2.2.4"]
- nist_800_53: ["CM.1"]
- tsc: ["CC5.2"]
references:
- 'CCE-37885-1'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\
Kernel -> ObCaseInsensitive -> 1'

# 2.3.15.2 Ensure 'System objects: Strengthen default permissions of internal
# system objects (e.g. Symbolic Links)' is set to 'Enabled'
- id: 16553
title: "Ensure 'System objects: Strengthen default permissions of internal
system objects (e.g. Symbolic Links)' is set to 'Enabled'"
description: "This policy setting determines the strength of the default
discretionary access control list (DACL) for objects. Active Directory maintains a
global list of shared system resources, such as DOS device names, mutexes, and
semaphores. In this way, objects can be located and shared among processes. Each
type of object is created with a default DACL that specifies who can access the
objects and what permissions are granted. The recommended state for this setting
is: Enabled."
rationale: "This setting determines the strength of the default DACL for
objects. Windows maintains a global list of shared computer resources so that
objects can be located and shared among processes. Each type of object is created
with a default DACL that specifies who can access the objects and with what
permissions."
remediation: "To establish the recommended configuration via GP, set the
following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\
Security Settings\\Local Policies\\Security Options\\System objects: Strengthen
default permissions of internal system objects (e.g. Symbolic Links)"
compliance:
- cis: ["2.3.15.2"]
- cis_csc: ["14.4"]
- pci_dss: ["7.1"]
- tsc: ["CC6.4"]
references:
- 'CCE-37644-2'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager ->
ProtectionMode -> 1'

# 2.3.17.1 Ensure 'User Account Control: Admin Approval Mode for the Built-in
# Administrator account' is set to 'Enabled'
- id: 16554
title: "Ensure 'User Account Control: Admin Approval Mode for the Built-in
Administrator account' is set to 'Enabled'"
description: "This policy setting controls the behavior of Admin Approval Mode
for the built-in Administrator account. The recommended state for this setting is:
Enabled."
rationale: "One of the risks that the User Account Control feature introduced
with Windows Vista is trying to mitigate is that of malicious software running
under elevated credentials without the user or administrator being aware of its
activity. An attack vector for these programs was to discover the password of the
account named 'Administrator' because that user account was created for all
installations of Windows. To address this risk, in Windows Vista and newer, the
built-in Administrator account is now disabled by default. In a default
installation of a new computer, accounts with administrative control over the
computer are initially set up in one of two ways: - If the computer is not joined
to a domain, the first user account you create has the equivalent permissions as a
local administrator. - If the computer is joined to a domain, no local
administrator accounts are created. The Enterprise or Domain Administrator must log
on to the computer and create one if a local administrator account is warranted.
Once Windows is installed, the built-in Administrator account may be manually
enabled, but we strongly recommend that this account remain disabled."
remediation: "To establish the recommended configuration via GP, set the
following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\
Security Settings\\Local Policies\\Security Options\\User Account Control: Admin
Approval Mode for the Built-in Administrator account."
compliance:
- cis: ["2.3.17.1"]
- cis_csc: ["5.1"]
- pci_dss: ["7.1"]
- tsc: ["CC6.4"]
references:
- 'CCE-36494-3'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\
System -> FilterAdministratorToken -> 1'

# 2.3.17.2 Ensure 'User Account Control: Behavior of the elevation prompt for
# administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure
# desktop'
- id: 16555
title: "Ensure 'User Account Control: Behavior of the elevation prompt for
administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure
desktop'"
description: "This policy setting controls the behavior of the elevation prompt
for administrators. The recommended state for this setting is: Prompt for consent
on the secure desktop."
rationale: "One of the risks that the UAC feature introduced with Windows Vista
is trying to mitigate is that of malicious software running under elevated
credentials without the user or administrator being aware of its activity. This
setting raises awareness to the administrator of elevated privilege operations and
permits the administrator to prevent a malicious program from elevating its
privilege when the program attempts to do so."
remediation: "To establish the recommended configuration via GP, set the
following UI path to Prompt for consent on the secure desktop: Computer
Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\
Security Options\\User Account Control: Behavior of the elevation prompt for
administrators in Admin Approval Mode."
compliance:
- cis: ["2.3.17.2"]
- cis_csc: ["5.1"]
- pci_dss: ["7.1"]
- tsc: ["CC6.4"]
references:
- 'CCE-37029-6'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\
System -> ConsentPromptBehaviorAdmin -> r:^2$'

# 2.3.17.3 Ensure 'User Account Control: Behavior of the elevation prompt for
# standard users' is set to 'Automatically deny elevation requests'
- id: 16556
title: "Ensure 'User Account Control: Behavior of the elevation prompt for
standard users' is set to 'Automatically deny elevation requests'"
description: "This policy setting controls the behavior of the elevation prompt
for standard users. The recommended state for this setting is: Automatically deny
elevation requests."
rationale: "One of the risks that the User Account Control feature introduced
with Windows Vista is trying to mitigate is that of malicious programs running
under elevated credentials without the user or administrator being aware of their
activity. This setting raises awareness to the user that a program requires the use
of elevated privilege operations and requires that the user be able to supply
administrative credentials in order for the program to run."
remediation: "To establish the recommended configuration via GP, set the
following UI path to Automatically deny elevation requests: Computer
Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\
Security Options\\User Account Control: Behavior of the elevation prompt for
standard users."
compliance:
- cis: ["2.3.17.3"]
- cis_csc: ["5.1"]
- pci_dss: ["7.1.2"]
- tsc: ["CC6.4"]
references:
- 'CCE-36864-7'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\
System -> ConsentPromptBehaviorUser -> 0'

# 2.3.17.4 Ensure 'User Account Control: Detect application installations and
# prompt for elevation' is set to 'Enabled'
- id: 16557
title: "Ensure 'User Account Control: Detect application installations and
prompt for elevation' is set to 'Enabled'"
description: "This policy setting controls the behavior of application
installation detection for the computer. The recommended state for this setting is:
Enabled."
rationale: "Some malicious software will attempt to install itself after being
given permission to run. For example, malicious software with a trusted application
shell. The user may have given permission for the program to run because the
program is trusted, but if they are then prompted for installation of an unknown
component this provides another way of trapping the software before it can do
damage."
remediation: "To establish the recommended configuration via GP, set the
following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\
Security Settings\\Local Policies\\Security Options\\User Account Control: Detect
application installations and prompt for elevation."
compliance:
- cis: ["2.3.17.4"]
- cis_csc: ["5.1"]
- pci_dss: ["7.1"]
- tsc: ["CC6.4"]
references:
- 'CCE-36533-8'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\
System -> EnableInstallerDetection -> 1'

# 2.3.17.5 Ensure 'User Account Control: Only elevate UIAccess applications that
# are installed in secure locations' is set to 'Enabled'
- id: 16558
title: "Ensure 'User Account Control: Only elevate UIAccess applications that
are installed in secure locations' is set to 'Enabled'"
description: "This policy setting controls whether applications that request to
run with a User Interface Accessibility (UIAccess) integrity level must reside in a
secure location in the file system. Secure locations are limited to the
following: ...\\Program Files\\, including subfolders; ...\\Windows\\
system32\\; ...\\Program Files (x86)\\, including subfolders (for 64-bit versions
of Windows). Note: Windows enforces a public key infrastructure (PKI) signature
check on any interactive application that requests to run with a UIAccess integrity
level regardless of the state of this security setting. The recommended state for
this setting is: Enabled."
rationale: "UIAccess Integrity allows an application to bypass User Interface
Privilege Isolation (UIPI) restrictions when an application is elevated in
privilege from a standard user to an administrator. This is required to support
accessibility features such as screen readers that are transmitting user interfaces
to alternative forms. A process that is started with UIAccess rights has the
following abilities: - To set the foreground window. - To drive any application
window using the SendInput function. - To read input for all integrity levels using
low-level hooks, raw input, GetKeyState, GetAsyncKeyState, and GetKeyboardInput. -
To set journal hooks. - To use AttachThreadInput to attach a thread to a higher
integrity input queue."
remediation: "To establish the recommended configuration via GP, set the
following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\
Security Settings\\Local Policies\\Security Options\\User Account Control: Only
elevate UIAccess applications that are installed in secure locations."
compliance:
- cis: ["2.3.17.5"]
- cis_csc: ["5.1"]
- pci_dss: ["2.2.4"]
- nist_800_53: ["CM.1"]
- tsc: ["CC5.2"]
references:
- 'CCE-37057-7'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\
System -> EnableSecureUIAPaths -> 1'

# 2.3.17.6 Ensure 'User Account Control: Run all administrators in Admin Approval
# Mode' is set to 'Enabled'
- id: 16559
title: "Ensure 'User Account Control: Run all administrators in Admin Approval
Mode' is set to 'Enabled'"
description: "This policy setting controls the behavior of all User Account
Control (UAC) policy settings for the computer. If you change this policy setting,
you must restart your computer. The recommended state for this setting is: Enabled.
Note: If this policy setting is disabled, the Security Center notifies you that the
overall security of the operating system has been reduced."
rationale: "This is the setting that turns on or off UAC. If this setting is
disabled, UAC will not be used and any security benefits and risk mitigations that
are dependent on UAC will not be present on the system."
remediation: "To establish the recommended configuration via GP, set the
following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\
Security Settings\\Local Policies\\Security Options\\User Account Control: Run all
administrators in Admin Approval Mode."
compliance:
- cis: ["2.3.17.6"]
- cis_csc: ["5.1"]
- pci_dss: ["7.1"]
- tsc: ["CC6.4"]
references:
- 'CCE-36869-6'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\
System -> EnableLUA -> 1'

# 2.3.17.7 Ensure 'User Account Control: Switch to the secure desktop when
# prompting for elevation' is set to 'Enabled'
- id: 16560
title: "Ensure 'User Account Control: Switch to the secure desktop when
prompting for elevation' is set to 'Enabled'"
description: "This policy setting controls whether the elevation request prompt
is displayed on the interactive user's desktop or the secure desktop. The
recommended state for this setting is: Enabled."
rationale: "Standard elevation prompt dialog boxes can be spoofed, which may
cause users to disclose their passwords to malicious software. The secure desktop
presents a very distinct appearance when prompting for elevation, where the user
desktop dims, and the elevation prompt UI is more prominent. This increases the
likelihood that users who become accustomed to the secure desktop will recognize a
spoofed elevation prompt dialog box and not fall for the trick."
remediation: "To establish the recommended configuration via GP, set the
following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\
Security Settings\\Local Policies\\Security Options\\User Account Control: Switch
to the secure desktop when prompting for elevation."
compliance:
- cis: ["2.3.17.7"]
- cis_csc: ["5.1"]
- pci_dss: ["2.2.4"]
- nist_800_53: ["CM.1"]
- tsc: ["CC5.2"]
references:
- 'CCE-36866-2'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\
System -> PromptOnSecureDesktop -> 1'

# 2.3.17.8 Ensure 'User Account Control: Virtualize file and registry write
# failures to per-user locations' is set to 'Enabled'
- id: 16561
title: "Ensure 'User Account Control: Virtualize file and registry write
failures to per-user locations' is set to 'Enabled'"
description: "This policy setting controls whether application write failures
are redirected to defined registry and file system locations. This policy setting
mitigates applications that run as administrator and write run-time application
data to: - %ProgramFiles% - %Windir% - %Windir%\\system32 - HKEY_LOCAL_MACHINE\\
Software. The recommended state for this setting is: Enabled."
rationale: "This setting reduces vulnerabilities by ensuring that legacy
applications only write data to permitted locations."
remediation: "To establish the recommended configuration via GP, set the
following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\
Security Settings\\Local Policies\\Security Options\\User Account Control:
Virtualize file and registry write failures to per-user locations."
compliance:
- cis: ["2.3.17.8"]
- pci_dss: ["6.5.8"]
- tsc: ["CC6.1"]
references:
- 'CCE-37064-3'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\
System -> EnableVirtualization -> 1'

###############################################
# 9 Windows Firewall with Advanced Security
###############################################
###############################################
# 9.1 Domain Profile
###############################################

# 9.1.1 Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On
# (recommended)'
- id: 16562
title: "Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On
(recommended)'"
description: "Select On (recommended) to have Windows Firewall with Advanced
Security use the settings for this profile to filter network traffic. If you select
Off, Windows Firewall with Advanced Security will not use any of the firewall rules
or connection security rules for this profile. The recommended state for this
setting is: On (recommended)."
rationale: "If the firewall is turned off, all traffic will be able to access
the system and an attacker may be more easily able to remotely exploit a weakness
in a network service."
remediation: "To establish the recommended configuration via GP, set the
following UI path to On (recommended): Computer Configuration\\Policies\\Windows
Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows
Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\
Firewall state."
compliance:
- cis: ["9.1.1"]
- cis_csc: ["9.2"]
- pci_dss: ["1.2.3"]
- tsc: ["CC6.1"]
references:
- 'CCE-36062-8'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\
DomainProfile -> EnableFirewall -> 1'

# 9.1.2 Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block
# (default)'
- id: 16563
title: "Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block
(default)'"
description: "This setting determines the behavior for inbound connections that
do not match an inbound firewall rule. The recommended state for this setting is:
Block (default)."
rationale: "If the firewall allows all traffic to access the system then an
attacker may be more easily able to remotely exploit a weakness in a network
service."
remediation: "To establish the recommended configuration via GP, set the
following UI path to Block (default): Computer Configuration\\Policies\\Windows
Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows
Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\
Inbound connections."
compliance:
- cis: ["9.1.2"]
- cis_csc: ["9.2"]
- pci_dss: ["1.2.3"]
- tsc: ["CC6.1"]
references:
- 'CCE-38117-8'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\
DomainProfile -> DefaultInboundAction -> 1'

# 9.1.3 Ensure 'Windows Firewall: Domain: Outbound connections' is set to 'Allow
# (default)'
- id: 16564
title: "Ensure 'Windows Firewall: Domain: Outbound connections' is set to
'Allow (default)'"
description: "This setting determines the behavior for outbound connections
that do not match an outbound firewall rule. The recommended state for this setting
is: Allow (default)."
rationale: "Some people believe that it is prudent to block all outbound
connections except those specifically approved by the user or administrator.
Microsoft disagrees with this opinion; blocking outbound connections by default
will force users to deal with a large number of dialog boxes prompting them to
authorize or block applications such as their web browser or instant messaging
software. Additionally, blocking outbound traffic has little value because if an
attacker has compromised the system they can reconfigure the firewall anyway."
remediation: "To establish the recommended configuration via GP, set the
following UI path to Allow (default): Computer Configuration\\Policies\\Windows
Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows
Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\
Outbound connections."
compliance:
- cis: ["9.1.3"]
- cis_csc: ["9.2"]
- pci_dss: ["1.2.3"]
- tsc: ["CC6.1"]
references:
- 'CCE-36146-9'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\
DomainProfile -> DefaultOutboundAction -> 0'

# 9.1.4 Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set
# to 'No'
- id: 16565
title: "Ensure 'Windows Firewall: Domain: Settings: Display a notification' is
set to 'No'"
description: "Select this option to have Windows Firewall with Advanced
Security display notifications to the user when a program is blocked from receiving
inbound connections. The recommended state for this setting is: No. Note: When the
Apply local firewall rules setting is configured to No, it's recommended to also
configure the Display a notification setting to No. Otherwise, users will continue
to receive messages that ask if they want to unblock a restricted inbound
connection, but the user's response will be ignored."
rationale: "Firewall notifications can be complex and may confuse the end
users, who would not be able to address the alert."
remediation: "To establish the recommended configuration via GP, set the
following UI path to No: Computer Configuration\\Policies\\Windows Settings\\
Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with
Advanced Security\\Windows Firewall Properties\\Domain Profile\\Settings
Customize\\Display a notification."
compliance:
- cis: ["9.1.4"]
- pci_dss: ["7.2"]
- tsc: ["CC6.4"]
references:
- 'CCE-38041-0'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\
DomainProfile -> DisableNotifications -> 1'

# 9.1.5 Ensure 'Windows Firewall: Domain: Logging: Name' is set to '%SYSTEMROOT%\System32\logfiles\firewall\domainfw.log'
- id: 16566
title: "Ensure 'Windows Firewall: Domain: Logging: Name' is set to '%SYSTEMROOT%\\System32\\logfiles\\firewall\\domainfw.log'"
description: "Use this option to specify the path and name of the file in which
Windows Firewall will write its log information. The recommended state for this
setting is: %SYSTEMROOT%\\System32\\logfiles\\firewall\\domainfw.log."
rationale: "If events are not recorded it may be difficult or impossible to
determine the root cause of system problems or the unauthorized activities of
malicious users."
remediation: "To establish the recommended configuration via GP, set the
following UI path to %SYSTEMROOT%\\System32\\logfiles\\firewall\\domainfw.log:
Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows
Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows
Firewall Properties\\Domain Profile\\Logging Customize\\Name"
compliance:
- cis: ["9.1.5"]
- cis_csc: ["6.2"]
- pci_dss: ["10.6.1"]
- nist_800_53: ["AU.6"]
- gpg13: ["4.12"]
- gdpr_IV: [35.7.d]
- hipaa: ["164.312.b"]
- tsc: ["CC6.1","CC6.8","CC7.2","CC7.3"]
references:
- 'CCE-37482-7'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\
DomainProfile\Logging -> LogFilePath -> r:System32\\logfiles\\firewall\\
domainfw.log'

# 9.1.6 Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to
# '16384 KB or greater'
- id: 16567
title: "Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to
'16384 KB or greater'"
description: "Use this option to specify the size limit of the file in which
Windows Firewall will write its log information. The recommended state for this
setting is: 16,384 KB or greater."
rationale: "If events are not recorded it may be difficult or impossible to
determine the root cause of system problems or the unauthorized activities of
malicious users."
remediation: "To establish the recommended configuration via GP, set the
following UI path to 16,384 KB or greater: Computer Configuration\\Policies\\
Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\
Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain
Profile\\Logging Customize\\Size limit (KB)."
compliance:
- cis: ["9.1.6"]
- cis_csc: ["6.3"]
- pci_dss: ["10.6.1"]
- nist_800_53: ["AU.6"]
- gpg13: ["4.12"]
- gdpr_IV: [35.7.d]
- hipaa: ["164.312.b"]
- tsc: ["CC6.1","CC6.8","CC7.2","CC7.3"]
references:
- 'CCE-36088-3'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\
DomainProfile\Logging -> LogFileSize -> n:^(\d+) compare >= 16384'
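
# The rules on this page use three expectation forms: a plain literal (EnableLUA -> 1),
# an 'r:' regex (2.3.17.2's r:^2$) and an 'n:' numeric compare (9.1.6's
# n:^(\d+) compare >= 16384). Added example, not Wazuh's SCA engine: a simplified
# Python evaluator for my reading of that syntax, run against a constructed HKLM
# snapshot; case-insensitive key and value-name matching is my assumption.

```python
"""Added example (not Wazuh's SCA engine): evaluate this policy's registry rule
forms, 'r:<key path> -> <value name> -> <literal | r:regex | n:regex compare op N>',
against a constructed registry snapshot."""
import operator
import re

# Constructed HKLM snapshot, not data from a real host. Values are kept as strings,
# which is the form the rules above compare. Two settings comply, two do not.
SNAPSHOT = {
    r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0": {
        "NTLMMinServerSec": "537395200",
    },
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System": {
        "ConsentPromptBehaviorAdmin": "5",  # CIS wants 2 (consent on the secure desktop)
        "EnableLUA": "1",
    },
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging": {
        "LogFilePath": r"%SYSTEMROOT%\System32\logfiles\firewall\domainfw.log",
        "LogFileSize": "4096",  # below the 16384 KB minimum
    },
}

OPS = {"==": operator.eq, "!=": operator.ne, "<": operator.lt,
       "<=": operator.le, ">": operator.gt, ">=": operator.ge}
NUM_RE = re.compile(r"^n:(?P<pat>.+?)\s+compare\s+(?P<op>==|!=|<=|>=|<|>)\s+(?P<rhs>-?\d+)$")


def parse_rule(rule):
    """Split 'r:<key path> -> <value name> -> <expectation>' into its three parts."""
    parts = [p.strip() for p in rule.split(" -> ")]
    if len(parts) != 3 or not parts[0].startswith("r:"):
        raise ValueError(f"unsupported rule: {rule!r}")
    return parts[0][2:], parts[1], parts[2]


def expectation_holds(actual, expect):
    """Apply one expectation to a registry value read as a string."""
    if expect.startswith("n:"):
        m = NUM_RE.match(expect)
        if m is None:
            raise ValueError(f"bad numeric expectation: {expect!r}")
        found = re.search(m["pat"], actual)
        if found is None:
            return False  # value does not even have the expected numeric shape
        number = found.group(1) if found.groups() else found.group(0)
        return OPS[m["op"]](int(number), int(m["rhs"]))
    if expect.startswith("r:"):
        return re.search(expect[2:], actual) is not None
    return actual == expect  # plain literal, e.g. '-> EnableLUA -> 1'


def lookup(snapshot, key_path, name):
    """Registry key paths and value names are case-insensitive (assumption: the
    engine matches them that way too), so compare lower-cased."""
    for path, values in snapshot.items():
        if path.lower() == key_path.lower():
            for value_name, value in values.items():
                if value_name.lower() == name.lower():
                    return value
    return None


def evaluate_rule(rule, snapshot):
    key_path, name, expect = parse_rule(rule)
    actual = lookup(snapshot, key_path, name)
    if actual is None:
        return False  # an absent policy value never satisfies a rule
    return expectation_holds(actual, expect)


def evaluate_check(check, snapshot):
    """Combine the rule results under the check's condition (all / any / none)."""
    results = [evaluate_rule(r, snapshot) for r in check["rules"]]
    condition = check.get("condition", "all")
    if condition == "all":
        return all(results)
    if condition == "any":
        return any(results)
    if condition == "none":
        return not any(results)
    raise ValueError(f"unknown condition: {condition!r}")


def audit(checks, snapshot):
    return {c["cis"]: evaluate_check(c, snapshot) for c in checks}


UAC_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System"
FW_LOG_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging"

# Four checks copied from this policy file, covering each expectation form it uses.
CHECKS = [
    {"cis": "2.3.11.10", "condition": "all", "rules": [
        r"r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> NTLMMinServerSec -> 537395200"]},
    {"cis": "2.3.17.2", "condition": "all", "rules": [
        rf"r:{UAC_KEY} -> ConsentPromptBehaviorAdmin -> r:^2$"]},
    {"cis": "9.1.5", "condition": "all", "rules": [
        rf"r:{FW_LOG_KEY} -> LogFilePath -> r:System32\\logfiles\\firewall\\domainfw.log"]},
    {"cis": "9.1.6", "condition": "all", "rules": [
        rf"r:{FW_LOG_KEY} -> LogFileSize -> n:^(\d+) compare >= 16384"]},
]
```

Against this snapshot, audit(CHECKS, SNAPSHOT) reports 2.3.11.10 and 9.1.5 as passing and 2.3.17.2 and 9.1.6 as failing.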

# 9.1.7 Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to
# 'Yes'
- id: 16568
title: "Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set
to 'Yes'"
description: "Use this option to log when Windows Firewall with Advanced
Security discards an inbound packet for any reason. The log records why and when
the packet was dropped. Look for entries with the word DROP in the action column of
the log. The recommended state for this setting is: Yes."
rationale: "If events are not recorded it may be difficult or impossible to
determine the root cause of system problems or the unauthorized activities of
malicious users."
remediation: "To establish the recommended configuration via GP, set the
following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\
Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with
Advanced Security\\Windows Firewall Properties\\Domain Profile\\Logging Customize\\
Log dropped packets."
compliance:
- cis: ["9.1.7"]
- cis_csc: ["6.2"]
- pci_dss: ["10.6.1"]
- nist_800_53: ["AU.6"]
- gpg13: ["4.12"]
- gdpr_IV: [35.7.d]
- hipaa: ["164.312.b"]
- tsc: ["CC6.1","CC6.8","CC7.2","CC7.3"]
references:
- 'CCE-37523-8'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\
DomainProfile\Logging -> LogDroppedPackets -> 1'

# 9.1.8 Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is
# set to 'Yes'
- id: 16569
title: "Ensure 'Windows Firewall: Domain: Logging: Log successful connections'
is set to 'Yes'"
description: "Use this option to log when Windows Firewall with Advanced
Security allows an inbound connection. The log records why and when the connection
was formed. Look for entries with the word ALLOW in the action column of the log.
The recommended state for this setting is: Yes."
rationale: "If events are not recorded it may be difficult or impossible to
determine the root cause of system problems or the unauthorized activities of
malicious users."
remediation: "To establish the recommended configuration via GP, set the
following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\
Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with
Advanced Security\\Windows Firewall Properties\\Domain Profile\\Logging Customize\\
Log successful connections."
compliance:
- cis: ["9.1.8"]
- cis_csc: ["6.2"]
- pci_dss: ["10.6.1"]
- nist_800_53: ["AU.6"]
- gpg13: ["4.12"]
- gdpr_IV: [35.7.d]
- hipaa: ["164.312.b"]
- tsc: ["CC6.1","CC6.8","CC7.2","CC7.3"]
references:
- 'CCE-36393-7'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\
DomainProfile\Logging -> LogSuccessfulConnections -> 1'

###############################################
# 9.2 Private Profile
###############################################

# 9.2.1 Ensure 'Windows Firewall: Private: Firewall state' is set to 'On
# (recommended)'
- id: 16570
title: "Ensure 'Windows Firewall: Private: Firewall state' is set to 'On
(recommended)'"
description: "Select On (recommended) to have Windows Firewall with Advanced
Security use the settings for this profile to filter network traffic. If you select
Off, Windows Firewall with Advanced Security will not use any of the firewall rules
or connection security rules for this profile. The recommended state for this
setting is: On (recommended)."
rationale: "If the firewall is turned off, all traffic will be able to access
the system and an attacker may be more easily able to remotely exploit a weakness
in a network service."
remediation: "To establish the recommended configuration via GP, set the
following UI path to On (recommended): Computer Configuration\\Policies\\Windows
Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows
Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\
Firewall state."
compliance:
- cis: ["9.2.1"]
- cis_csc: ["9.2"]
- pci_dss: ["1.2.3"]
- tsc: ["CC6.1"]
references:
- 'CCE-38239-0'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\
PrivateProfile -> EnableFirewall -> 1'

# 9.2.2 Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block
# (default)'
- id: 16571
title: "Ensure 'Windows Firewall: Private: Inbound connections' is set to
'Block (default)'"
description: "This setting determines the behavior for inbound connections that
do not match an inbound firewall rule. The recommended state for this setting is:
Block (default)."
rationale: "If the firewall allows all traffic to access the system then an
attacker may be more easily able to remotely exploit a weakness in a network
service."
remediation: "To establish the recommended configuration via GP, set the
following UI path to Block (default): Computer Configuration\\Policies\\Windows
Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows
Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\
Inbound connections."
compliance:
- cis: ["9.2.2"]
- cis_csc: ["9.2"]
- pci_dss: ["1.2.3"]
- tsc: ["CC6.1"]
references:
- 'CCE-38042-8'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DefaultInboundAction -> 1'

# 9.2.3 Ensure 'Windows Firewall: Private: Outbound connections' is set to 'Allow (default)'
- id: 16572
title: "Ensure 'Windows Firewall: Private: Outbound connections' is set to
'Allow (default)'"
description: "This setting determines the behavior for outbound connections
that do not match an outbound firewall rule. The recommended state for this setting
is: Allow (default). Note: If you set Outbound connections to Block and then deploy
the firewall policy by using a GPO, computers that receive the GPO settings cannot
receive subsequent Group Policy updates unless you create and deploy an outbound
rule that enables Group Policy to work. Predefined rules for Core Networking
include outbound rules that enable Group Policy to work. Ensure that these outbound
rules are active, and thoroughly test firewall profiles before deploying."
rationale: "Some people believe that it is prudent to block all outbound
connections except those specifically approved by the user or administrator.
Microsoft disagrees with this opinion, blocking outbound connections by default
will force users to deal with a large number of dialog boxes prompting them to
authorize or block applications such as their web browser or instant messaging
software. Additionally, blocking outbound traffic has little value because if an
attacker has compromised the system they can reconfigure the firewall anyway."
remediation: "To establish the recommended configuration via GP, set the
following UI path to Allow (default): Computer Configuration\\Policies\\Windows
Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows
Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\
Outbound connections."
compliance:
- cis: ["9.2.3"]
- cis_csc: ["9.2"]
- pci_dss: ["1.2.3"]
- tsc: ["CC6.1"]
references:
- 'CCE-38332-3'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DefaultOutboundAction -> 0'

# 9.2.4 Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No'
- id: 16573
title: "Ensure 'Windows Firewall: Private: Settings: Display a notification' is
set to 'No'"
description: "Select this option to have Windows Firewall with Advanced
Security display notifications to the user when a program is blocked from receiving
inbound connections. The recommended state for this setting is: No. Note: When the
Apply local firewall rules setting is configured to No, it's recommended to also
configure the Display a notification setting to No. Otherwise, users will continue
to receive messages that ask if they want to unblock a restricted inbound
connection, but the user's response will be ignored."
rationale: "Firewall notifications can be complex and may confuse the end
users, who would not be able to address the alert."
remediation: "To establish the recommended configuration via GP, set the
following UI path to No: Computer Configuration\\Policies\\Windows Settings\\
Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with
Advanced Security\\Windows Firewall Properties\\Private Profile\\Settings
Customize\\Display a notification."
compliance:
- cis: ["9.2.4"]
- pci_dss: ["7.2"]
- tsc: ["CC6.4"]
references:
- 'CCE-37621-0'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DisableNotifications -> 1'

# 9.2.5 Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SYSTEMROOT%\System32\logfiles\firewall\privatefw.log'
- id: 16574
title: "Ensure 'Windows Firewall: Private: Logging: Name' is set to
'%SYSTEMROOT%\\System32\\logfiles\\firewall\\privatefw.log'"
description: "Use this option to specify the path and name of the file in which
Windows Firewall will write its log information. The recommended state for this
setting is: %SYSTEMROOT%\\System32\\logfiles\\firewall\\privatefw.log."
rationale: "If events are not recorded it may be difficult or impossible to
determine the root cause of system problems or the unauthorized activities of
malicious users."
remediation: "To establish the recommended configuration via GP, set the
following UI path to %SYSTEMROOT%\\System32\\logfiles\\firewall\\privatefw.log:
Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows
Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows
Firewall Properties\\Private Profile\\Logging Customize\\Name"
compliance:
- cis: ["9.2.5"]
- cis_csc: ["6.2"]
- pci_dss: ["10.6.1"]
- nist_800_53: ["AU.6"]
- gpg13: ["4.12"]
- gdpr_IV: [35.7.d]
- hipaa: ["164.312.b"]
- tsc: ["CC6.1","CC6.8","CC7.2","CC7.3"]
references:
- 'CCE-37569-1'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFilePath -> r:System32\\logfiles\\firewall\\privatefw.log'

# 9.2.6 Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16384 KB or greater'
- id: 16575
title: "Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to
'16384 KB or greater'"
description: "Use this option to specify the size limit of the file in which
Windows Firewall will write its log information. The recommended state for this
setting is: 16,384 KB or greater."
rationale: "If events are not recorded it may be difficult or impossible to
determine the root cause of system problems or the unauthorized activities of
malicious users."
remediation: "To establish the recommended configuration via GP, set the
following UI path to 16,384 KB or greater: Computer Configuration\\Policies\\
Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\
Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private
Profile\\Logging Customize\\Size limit (KB)."
compliance:
- cis: ["9.2.6"]
- cis_csc: ["6.3"]
- pci_dss: ["10.6.1"]
- nist_800_53: ["AU.6"]
- gpg13: ["4.12"]
- gdpr_IV: [35.7.d]
- hipaa: ["164.312.b"]
- tsc: ["CC6.1","CC6.8","CC7.2","CC7.3"]
references:
- 'CCE-38178-0'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize -> n:^(\d+) compare >= 16384'

# 9.2.7 Ensure 'Windows Firewall: Private: Logging: Log dropped packets' is set to 'Yes'
- id: 16576
title: "Ensure 'Windows Firewall: Private: Logging: Log dropped packets' is set
to 'Yes'"
description: "Use this option to log when Windows Firewall with Advanced
Security discards an inbound packet for any reason. The log records why and when
the packet was dropped. Look for entries with the word DROP in the action column of
the log. The recommended state for this setting is: Yes."
rationale: "If events are not recorded it may be difficult or impossible to
determine the root cause of system problems or the unauthorized activities of
malicious users."
remediation: "To establish the recommended configuration via GP, set the
following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\
Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with
Advanced Security\\Windows Firewall Properties\\Private Profile\\Logging
Customize\\Log dropped packets."
compliance:
- cis: ["9.2.7"]
- cis_csc: ["6.2"]
- pci_dss: ["10.6.1"]
- nist_800_53: ["AU.6"]
- gpg13: ["4.12"]
- gdpr_IV: [35.7.d]
- hipaa: ["164.312.b"]
- tsc: ["CC6.1","CC6.8","CC7.2","CC7.3"]
references:
- 'CCE-35972-9'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogDroppedPackets -> 1'

# 9.2.8 Ensure 'Windows Firewall: Private: Logging: Log successful connections' is set to 'Yes'
- id: 16577
title: "Ensure 'Windows Firewall: Private: Logging: Log successful connections'
is set to 'Yes'"
description: "Use this option to log when Windows Firewall with Advanced
Security allows an inbound connection. The log records why and when the connection
was formed. Look for entries with the word ALLOW in the action column of the log.
The recommended state for this setting is: Yes."
rationale: "If events are not recorded it may be difficult or impossible to
determine the root cause of system problems or the unauthorized activities of
malicious users."
remediation: "To establish the recommended configuration via GP, set the
following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\
Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with
Advanced Security\\Windows Firewall Properties\\Private Profile\\Logging
Customize\\Log successful connections."
compliance:
- cis: ["9.2.8"]
- cis_csc: ["6.2"]
- pci_dss: ["10.6.1"]
- nist_800_53: ["AU.6"]
- gpg13: ["4.12"]
- gdpr_IV: [35.7.d]
- hipaa: ["164.312.b"]
- tsc: ["CC6.1","CC6.8","CC7.2","CC7.3"]
references:
- 'CCE-37387-8'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogSuccessfulConnections -> 1'

###############################################
# 9.3 Public Profile
###############################################

# 9.3.1 Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)'
- id: 16578
title: "Ensure 'Windows Firewall: Public: Firewall state' is set to 'On
(recommended)'"
description: "Select On (recommended) to have Windows Firewall with Advanced
Security use the settings for this profile to filter network traffic. If you select
Off, Windows Firewall with Advanced Security will not use any of the firewall rules
or connection security rules for this profile. The recommended state for this
setting is: On (recommended)."
rationale: "If the firewall is turned off all traffic will be able to access
the system and an attacker may be more easily able to remotely exploit a weakness
in a network service."
remediation: "To establish the recommended configuration via GP, set the
following UI path to On (recommended): Computer Configuration\\Policies\\Windows
Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows
Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\
Firewall state."
compliance:
- cis: ["9.3.1"]
- cis_csc: ["9.2"]
- pci_dss: ["1.2.3"]
- tsc: ["CC6.1"]
references:
- 'CCE-37862-0'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> EnableFirewall -> 1'

# 9.3.2 Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)'
- id: 16579
title: "Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block
(default)'"
description: "This setting determines the behavior for inbound connections that
do not match an inbound firewall rule. The recommended state for this setting is:
Block (default)."
rationale: "If the firewall allows all traffic to access the system then an
attacker may be more easily able to remotely exploit a weakness in a network
service."
remediation: "To establish the recommended configuration via GP, set the
following UI path to Block (default): Computer Configuration\\Policies\\Windows
Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows
Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\
Inbound connections."
compliance:
- cis: ["9.3.2"]
- cis_csc: ["9.2"]
- pci_dss: ["1.2.3"]
- tsc: ["CC6.1"]
references:
- 'CCE-36057-8'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DefaultInboundAction -> 1'

# 9.3.3 Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow (default)'
- id: 16580
title: "Ensure 'Windows Firewall: Public: Outbound connections' is set to
'Allow (default)'"
description: "This setting determines the behavior for outbound connections
that do not match an outbound firewall rule. The recommended state for this setting
is: Allow (default). Note: If you set Outbound connections to Block and then deploy
the firewall policy by using a GPO, computers that receive the GPO settings cannot
receive subsequent Group Policy updates unless you create and deploy an outbound
rule that enables Group Policy to work. Predefined rules for Core Networking
include outbound rules that enable Group Policy to work. Ensure that these outbound
rules are active, and thoroughly test firewall profiles before deploying."
rationale: "Some people believe that it is prudent to block all outbound
connections except those specifically approved by the user or administrator.
Microsoft disagrees with this opinion, blocking outbound connections by default
will force users to deal with a large number of dialog boxes prompting them to
authorize or block applications such as their web browser or instant messaging
software. Additionally, blocking outbound traffic has little value because if an
attacker has compromised the system they can reconfigure the firewall anyway."
remediation: "To establish the recommended configuration via GP, set the
following UI path to Allow (default): Computer Configuration\\Policies\\Windows
Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows
Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\
Outbound connections."
compliance:
- cis: ["9.3.3"]
- cis_csc: ["9.2"]
- pci_dss: ["1.2.3"]
- tsc: ["CC6.1"]
references:
- 'CCE-37434-8'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DefaultOutboundAction -> 0'

# 9.3.4 Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'No'
- id: 16581
title: "Ensure 'Windows Firewall: Public: Settings: Display a notification' is
set to 'No'"
description: "Select this option to have Windows Firewall with Advanced
Security display notifications to the user when a program is blocked from receiving
inbound connections. The recommended state for this setting is: No."
rationale: "Some organizations may prefer to avoid alarming users when firewall
rules block certain types of network activity. However, notifications can be
helpful when troubleshooting network issues involving the firewall."
remediation: "To establish the recommended configuration via GP, set the
following UI path to 'No': Computer Configuration\\Policies\\Windows Settings\\
Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with
Advanced Security\\Windows Firewall Properties\\Public Profile\\Settings
Customize\\Display a notification."
compliance:
- cis: ["9.3.4"]
- pci_dss: ["7.2"]
- tsc: ["CC6.4"]
references:
- 'CCE-38043-6'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DisableNotifications -> 1'

# 9.3.5 Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No'
- id: 16582
title: "Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules'
is set to 'No'"
description: "This setting controls whether local administrators are allowed to
create local firewall rules that apply together with firewall rules configured by
Group Policy. The recommended state for this setting is: No. Note: When the Apply
local firewall rules setting is configured to No, it's recommended to also
configure the Display a notification setting to No. Otherwise, users will continue
to receive messages that ask if they want to unblock a restricted inbound
connection, but the user's response will be ignored."
rationale: "When in the Public profile, there should be no special local
firewall exceptions per computer. These settings should be managed by a centralized
policy."
remediation: "To establish the recommended configuration via GP, set the
following UI path to No: Computer Configuration\\Policies\\Windows Settings\\
Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with
Advanced Security\\Windows Firewall Properties\\Public Profile\\Settings
Customize\\Apply local firewall rules."
compliance:
- cis: ["9.3.5"]
- cis_csc: ["5.1"]
- pci_dss: ["7.2"]
- tsc: ["CC6.4"]
references:
- 'CCE-37861-2'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> AllowLocalPolicyMerge -> 0'

# 9.3.6 Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No'
- id: 16583
title: "Ensure 'Windows Firewall: Public: Settings: Apply local connection
security rules' is set to 'No'"
description: "This setting controls whether local administrators are allowed to
create connection security rules that apply together with connection security rules
configured by Group Policy. The recommended state for this setting is: No."
rationale: "Users with administrative privileges might create firewall rules
that expose the system to remote attack."
remediation: "To establish the recommended configuration via GP, set the
following UI path to No: Computer Configuration\\Policies\\Windows Settings\\
Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with
Advanced Security\\Windows Firewall Properties\\Public Profile\\Settings
Customize\\Apply local connection security rules."
compliance:
- cis: ["9.3.6"]
- cis_csc: ["5.1"]
- pci_dss: ["7.2"]
- tsc: ["CC6.4"]
references:
- 'CCE-36268-1'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> AllowLocalIPsecPolicyMerge -> 0'

# 9.3.7 Ensure 'Windows Firewall: Public: Logging: Name' is set to '%SYSTEMROOT%\System32\logfiles\firewall\publicfw.log'
- id: 16584
title: "Ensure 'Windows Firewall: Public: Logging: Name' is set to '%SYSTEMROOT%\\System32\\logfiles\\firewall\\publicfw.log'"
description: "Use this option to specify the path and name of the file in which
Windows Firewall will write its log information. The recommended state for this
setting is: %SYSTEMROOT%\\System32\\logfiles\\firewall\\publicfw.log."
rationale: "If events are not recorded it may be difficult or impossible to
determine the root cause of system problems or the unauthorized activities of
malicious users."
remediation: "To establish the recommended configuration via GP, set the
following UI path to %SYSTEMROOT%\\System32\\logfiles\\firewall\\publicfw.log:
Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows
Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows
Firewall Properties\\Public Profile\\Logging Customize\\Name"
compliance:
- cis: ["9.3.7"]
- cis_csc: ["6.2"]
- pci_dss: ["10.6.1"]
- nist_800_53: ["AU.6"]
- gpg13: ["4.12"]
- gdpr_IV: [35.7.d]
- hipaa: ["164.312.b"]
- tsc: ["CC6.1","CC6.8","CC7.2","CC7.3"]
references:
- 'CCE-37266-4'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFilePath -> r:System32\\logfiles\\firewall\\publicfw.log'

# 9.3.8 Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16384 KB or greater'
- id: 16585
title: "Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to
'16384 KB or greater'"
description: "Use this option to specify the size limit of the file in which
Windows Firewall will write its log information. The recommended state for this
setting is: 16,384 KB or greater."
rationale: "If events are not recorded it may be difficult or impossible to
determine the root cause of system problems or the unauthorized activities of
malicious users."
remediation: "To establish the recommended configuration via GP, set the
following UI path to 16,384 KB or greater: Computer Configuration\\Policies\\
Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\
Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public
Profile\\Logging Customize\\Size limit (KB)."
compliance:
- cis: ["9.3.8"]
- cis_csc: ["6.3"]
- pci_dss: ["10.6.1"]
- nist_800_53: ["AU.6"]
- gpg13: ["4.12"]
- gdpr_IV: [35.7.d]
- hipaa: ["164.312.b"]
- tsc: ["CC6.1","CC6.8","CC7.2","CC7.3"]
references:
- 'CCE-36395-2'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize -> n:^(\d+) compare >= 16384'

# 9.3.9 Ensure 'Windows Firewall: Public: Logging: Log dropped packets' is set to 'Yes'
- id: 16586
title: "Ensure 'Windows Firewall: Public: Logging: Log dropped packets' is set
to 'Yes'"
description: "Use this option to log when Windows Firewall with Advanced
Security discards an inbound packet for any reason. The log records why and when
the packet was dropped. Look for entries with the word DROP in the action column of
the log. The recommended state for this setting is: Yes."
rationale: "If events are not recorded it may be difficult or impossible to
determine the root cause of system problems or the unauthorized activities of
malicious users."
remediation: "To establish the recommended configuration via GP, set the
following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\
Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with
Advanced Security\\Windows Firewall Properties\\Public Profile\\Logging Customize\\
Log dropped packets."
compliance:
- cis: ["9.3.9"]
- cis_csc: ["6.2"]
- pci_dss: ["10.6.1"]
- nist_800_53: ["AU.6"]
- gpg13: ["4.12"]
- gdpr_IV: [35.7.d]
- hipaa: ["164.312.b"]
- tsc: ["CC6.1","CC6.8","CC7.2","CC7.3"]
references:
- 'CCE-37265-6'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogDroppedPackets -> 1'

# 9.3.10 Ensure 'Windows Firewall: Public: Logging: Log successful connections' is set to 'Yes'
- id: 16587
title: "Ensure 'Windows Firewall: Public: Logging: Log successful connections'
is set to 'Yes'"
description: "Use this option to log when Windows Firewall with Advanced
Security allows an inbound connection. The log records why and when the connection
was formed. Look for entries with the word ALLOW in the action column of the log.
The recommended state for this setting is: Yes."
rationale: "If events are not recorded it may be difficult or impossible to
determine the root cause of system problems or the unauthorized activities of
malicious users."
remediation: "To establish the recommended configuration via GP, set the
following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\
Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with
Advanced Security\\Windows Firewall Properties\\Public Profile\\Logging Customize\\
Log successful connections."
compliance:
- cis: ["9.3.10"]
- cis_csc: ["6.2"]
- pci_dss: ["10.6.1"]
- nist_800_53: ["AU.6"]
- gpg13: ["4.12"]
- gdpr_IV: [35.7.d]
- hipaa: ["164.312.b"]
- tsc: ["CC6.1","CC6.8","CC7.2","CC7.3"]
references:
- 'CCE-36394-5'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogSuccessfulConnections -> 1'
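
# The logging checks in 9.2.7, 9.2.8, 9.3.9 and 9.3.10 only verify that DROP and
# ALLOW entries get written; the value comes from reading them. The following
# Python script is an added example, not part of this Wazuh policy or of the CIS
# benchmark: it parses a constructed sample in the format Windows Firewall writes
# to the file named by the 'Logging: Name' settings, counts DROP/ALLOW entries,
# breaks inbound drops down by target port and source, and flags sources whose
# drops hit several distinct ports. The sample lines and the two-port threshold
# are constructed assumptions; the column layout is taken from the '#Fields:'
# header the firewall writes at the top of its log.

```python
"""Summarize a Windows Firewall log (the file named by 'Logging: Name').

Added example, not part of the Wazuh SCA policy or the CIS benchmark. The log
text below is constructed for illustration; the column layout follows the
'#Fields:' header that Windows Firewall writes at the top of its log file.
"""
from collections import Counter, defaultdict
from typing import Dict, List

# Column names used when a log has no '#Fields:' header (same order Windows uses).
DEFAULT_FIELDS = (
    "date time action protocol src-ip dst-ip src-port dst-port size tcpflags "
    "tcpsyn tcpack tcpwin icmptype icmpcode info path"
).split()

# Constructed sample: three inbound DROPs from two probing sources, one allowed
# inbound RDP session, one outbound DNS query, one dropped ICMP echo request,
# and one truncated line of the kind a rotation mid-write can leave behind.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2024-01-15 10:23:45 DROP TCP 192.0.2.10 198.51.100.5 51234 445 52 S 1234567 0 64240 - - - RECEIVE
2024-01-15 10:23:46 DROP TCP 192.0.2.10 198.51.100.5 51235 3389 52 S 1234568 0 64240 - - - RECEIVE
2024-01-15 10:23:47 DROP TCP 192.0.2.11 198.51.100.5 40001 445 52 S 1234569 0 64240 - - - RECEIVE
2024-01-15 10:23:50 ALLOW TCP 192.0.2.20 198.51.100.5 50022 3389 0 - 0 0 0 - - - RECEIVE
2024-01-15 10:24:01 ALLOW UDP 198.51.100.5 198.51.100.1 53812 53 0 - - - - - - - SEND
2024-01-15 10:24:05 DROP ICMP 192.0.2.30 198.51.100.5 - - 60 - - - - 8 0 - RECEIVE
2024-01-15 10:24:10 DROP TCP
"""


def parse_firewall_log(text: str) -> List[Dict[str, str]]:
    """Return one dict per record, keyed by the column names from '#Fields:'.

    Comment lines ('#...') and blank lines are skipped; a record whose field
    count does not match the header is treated as truncated and skipped too.
    """
    fields = list(DEFAULT_FIELDS)
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split()[1:]
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # truncated or malformed record
        records.append(dict(zip(fields, parts)))
    return records


def summarize(records: List[Dict[str, str]]) -> Dict[str, object]:
    """Count actions and break inbound DROPs down by target port and source."""
    inbound_drops = [r for r in records if r["action"] == "DROP" and r["path"] == "RECEIVE"]
    allowed_inbound = [r for r in records if r["action"] == "ALLOW" and r["path"] == "RECEIVE"]
    return {
        "by_action": dict(Counter(r["action"] for r in records)),
        "inbound_drops_by_port": dict(Counter(f'{r["protocol"]}/{r["dst-port"]}' for r in inbound_drops)),
        "inbound_drops_by_source": dict(Counter(r["src-ip"] for r in inbound_drops)),
        "allowed_inbound": [(r["src-ip"], r["protocol"], r["dst-port"]) for r in allowed_inbound],
    }


def scan_candidates(records: List[Dict[str, str]], min_ports: int = 2) -> Dict[str, set]:
    """Sources whose inbound DROPs hit at least `min_ports` distinct ports.

    One source probing several closed ports in a short window is the pattern a
    reviewer of the DROP lines would want surfaced; the threshold is a tunable
    assumption, not a benchmark value.
    """
    ports_by_src: Dict[str, set] = defaultdict(set)
    for r in records:
        if r["action"] == "DROP" and r["path"] == "RECEIVE":
            ports_by_src[r["src-ip"]].add(f'{r["protocol"]}/{r["dst-port"]}')
    return {src: ports for src, ports in ports_by_src.items() if len(ports) >= min_ports}


if __name__ == "__main__":
    recs = parse_firewall_log(SAMPLE_LOG)
    for key, value in summarize(recs).items():
        print(f"{key}: {value}")
    print("scan candidates:", scan_candidates(recs))
```

# Run it directly to print the summary of the constructed sample; to use it on a
# real host, read the contents of privatefw.log or publicfw.log into
# parse_firewall_log instead of SAMPLE_LOG. Because the parser takes its column
# names from the '#Fields:' header, it still works if a future log version adds
# or reorders columns, as long as the action, path, src-ip, protocol and
# dst-port columns keep their names.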

###############################################
# 17 Advanced Audit Policy Configuration
###############################################

###############################################
# 18 Administrative Templates (Computer)
###############################################
###############################################
# 18.1 Control Panel
###############################################
# 18.1.1.1 (L1) Ensure 'Prevent enabling lock screen camera' is set to 'Enabled'
- id: 16588
title: "Ensure 'Prevent enabling lock screen camera' is set to 'Enabled'"
description: "Disables the lock screen camera toggle switch in PC Settings and
prevents a camera from being invoked on the lock screen. The recommended state for
this setting is: Enabled."
rationale: "Disabling the lock screen camera extends the protection afforded by
the lock screen to camera features."
remediation: "To establish the recommended configuration via GP, set the
following UI path to Enabled: Computer Configuration\\Policies\\Administrative
Templates\\Control Panel\\Personalization\\Prevent enabling lock screen camera.
Note: This Group Policy path may not exist by default. It is provided by the Group
Policy template ControlPanelDisplay.admx/adml that is included with the Microsoft
Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
compliance:
- cis: ["18.1.1.1"]
- pci_dss: ["2.2.5"]
- tsc: ["CC6.3"]
references:
- 'CCE-38347-1'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> NoLockScreenCamera -> 1'

# 18.1.1.2 Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled'
- id: 16589
title: "Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled'"
description: "Disables the lock screen slide show settings in PC Settings and
prevents a slide show from playing on the lock screen. The recommended state for
this setting is: Enabled."
rationale: "Disabling the lock screen slide show extends the protection
afforded by the lock screen to slide show contents."
remediation: "To establish the recommended configuration via GP, set the
following UI path to Enabled: Computer Configuration\\Policies\\Administrative
Templates\\Control Panel\\Personalization\\Prevent enabling lock screen slide show.
Note: This Group Policy path may not exist by default. It is provided by the Group
Policy template ControlPanelDisplay.admx/adml that is included with the Microsoft
Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
compliance:
- cis: ["18.1.1.2"]
- pci_dss: ["2.2.5"]
- tsc: ["CC6.3"]
references:
- 'CCE-38348-9'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> NoLockScreenSlideshow -> 1'

# 18.1.2.2 Ensure 'Allow input personalization' is set to 'Disabled'
- id: 16590
title: "Ensure 'Allow input personalization' is set to 'Disabled'"
description: "This policy enables the automatic learning component of input
personalization that includes speech, inking, and typing. Automatic learning
enables the collection of speech and handwriting patterns, typing history,
contacts, and recent calendar information. It is required for the use of Cortana.
Some of this collected information may be stored on the user's OneDrive, in the
case of inking and typing; some of the information will be uploaded to Microsoft to
personalize speech. The recommended state for this setting is: Disabled."
rationale: "If this setting is Enabled sensitive information could be stored in
the cloud or sent to Microsoft."
remediation: "To establish the recommended configuration via GP, set the
following UI path to Disabled: Computer Configuration\\Policies\\Administrative
Templates\\Control Panel\\Regional and Language Options\\Allow input
personalization Note: This Group Policy path may not exist by default. It is
provided by the Group Policy template Globalization.admx/adml that is included with
the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer)."
compliance:
- cis: ["18.1.2.2"]
- cis_csc: ["13"]
- pci_dss: ["2.2.5"]
- tsc: ["CC6.3"]
references:
- 'CCE-38347-1'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\InputPersonalization -> AllowInputPersonalization -> 0'

# 18.1.3 Ensure 'Allow Online Tips' is set to 'Disabled' (Scored)
- id: 16591
title: "Ensure 'Allow Online Tips' is set to 'Disabled'"
description: "This policy setting configures the retrieval of online tips and
help for the Settings app. The recommended state for this setting is: Disabled."
rationale: "Due to privacy concerns, data should never be sent to any 3rd party
since this data could contain sensitive information."
remediation: "To establish the recommended configuration via GP, set the
following UI path to Disabled: Computer Configuration\\Policies\\Administrative
Templates\\Control Panel\\Allow Online Tips Note: This Group Policy path may not
exist by default. It is provided by the Group Policy template
ControlPanel.admx/adml that is included with the Microsoft Windows 10 Release 1709
Administrative Templates (or newer)."
compliance:
- cis: ["18.1.3"]
- cis_csc: ["9.1"]
- pci_dss: ["1.3.4"]
- tsc: ["CC6.6"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> AllowOnlineTips -> 0'

###############################################
# Section 18.2 - LAPS
###############################################
# 18.2.1 Ensure LAPS AdmPwd GPO Extension / CSE is installed
- id: 16592
title: "Ensure LAPS AdmPwd GPO Extension / CSE is installed"
description: "In May 2015, Microsoft released the Local Administrator Password
Solution (LAPS) tool, which is free and supported software that allows an
organization to automatically set randomized and unique local Administrator account
passwords on domain-attached workstations and Member Servers. The passwords are
stored in a confidential attribute of the domain computer account and can be
retrieved from Active Directory by approved Sysadmins when needed. The LAPS tool
requires a small Active Directory Schema update in order to implement, as well as
installation of a Group Policy Client Side Extension (CSE) on targeted computers.
Please see the LAPS documentation for details. LAPS supports Windows Vista or newer
workstation OSes, and Server 2003 or newer server OSes. LAPS does not support
standalone computers - they must be joined to a domain. Note: Organizations that
utilize 3rd-party commercial software to manage unique & complex local
Administrator passwords on domain members may opt to disregard these LAPS
recommendations. Note #2: LAPS is only designed to manage local Administrator
passwords, and is therefore not recommended (or supported) for use directly on
Domain Controllers, which do not have a traditional local Administrator account. We
strongly encourage you to only deploy the LAPS CSE and LAPS GPO settings to member
servers and workstations."
rationale: "Due to the difficulty in managing local Administrator passwords,
many organizations choose to use the same password on all workstations and/or
Member Servers when deploying them. This creates a serious attack surface security
risk because if an attacker manages to compromise one system and learn the password
to its local Administrator account, then they can leverage that account to
instantly gain access to all other computers that also use that password for their
local Administrator account."
remediation: "In order to utilize LAPS, a minor Active Directory Schema update
is required, and a Group Policy Client Side Extension (CSE) must be installed on
each managed computer. When LAPS is installed, the file AdmPwd.dll must be present
in the following location and registered in Windows (the LAPS AdmPwd GPO
Extension / CSE installation does this for you): C:\\Program Files\\LAPS\\CSE\\
AdmPwd.dll"
compliance:
- cis: ["18.2.1"]
- cis_csc: ["16.9"]
- pci_dss: ["8.2"]
- tsc: ["CC6.1"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA}'
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA} -> DllName'

# 18.2.2 Ensure 'Do not allow password expiration time longer than required by policy' is set to 'Enabled'
- id: 16593
title: "Ensure 'Do not allow password expiration time longer than required by
policy' is set to 'Enabled'"
description: "In May 2015, Microsoft released the Local Administrator Password
Solution (LAPS) tool, which is free and supported software that allows an
organization to automatically set randomized and unique local Administrator account
passwords on domain-attached workstations and Member Servers. The passwords are
stored in a confidential attribute of the domain computer account and can be
retrieved from Active Directory by approved Sysadmins when needed. The LAPS tool
requires a small Active Directory Schema update in order to implement, as well as
installation of a Group Policy Client Side Extension (CSE) on targeted computers.
Please see the LAPS documentation for details. LAPS supports Windows Vista or newer
workstation OSes, and Server 2003 or newer server OSes. LAPS does not support
standalone computers - they must be joined to a domain. The recommended state for
this setting is: Enabled. Note: Organizations that utilize 3rd-party commercial
software to manage unique & complex local Administrator passwords on domain members
may opt to disregard these LAPS recommendations. Note #2: LAPS is only designed to
manage local Administrator passwords, and is therefore not recommended (or
supported) for use directly on Domain Controllers, which do not have a traditional
local Administrator account. We strongly encourage you to only deploy the LAPS CSE
and LAPS GPO settings to member servers and workstations."
rationale: "Due to the difficulty in managing local Administrator passwords,
many organizations choose to use the same password on all workstations and/or
Member Servers when deploying them. This creates a serious attack surface security
risk because if an attacker manages to compromise one system and learn the password
to its local Administrator account, then they can leverage that account to
instantly gain access to all other computers that also use that password for their
local Administrator account."
remediation: "To establish the recommended configuration via GP, set the
following UI path to Enabled: Computer Configuration\\Policies\\Administrative
Templates\\LAPS\\Do not allow password expiration time longer than required by
policy Note: This Group Policy path does not exist by default. An additional Group
Policy template (AdmPwd.admx/adml) is required - it is included with Microsoft
Local Administrator Password Solution (LAPS)."
compliance:
- cis: ["18.2.2"]
- cis_csc: ["16.2"]
- pci_dss: ["8.2.4"]
- tsc: ["CC6.1"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PwdExpirationProtectionEnabled -> 1'

# 18.2.3 Ensure 'Enable Local Admin Password Management' is set to 'Enabled'
- id: 16594
title: "Ensure 'Enable Local Admin Password Management' is set to 'Enabled'"
description: "In May 2015, Microsoft released the Local Administrator Password
Solution (LAPS) tool, which is free and supported software that allows an
organization to automatically set randomized and unique local Administrator account
passwords on domain-attached workstations and Member Servers. The passwords are
stored in a confidential attribute of the domain computer account and can be
retrieved from Active Directory by approved Sysadmins when needed. The LAPS tool
requires a small Active Directory Schema update in order to implement, as well as
installation of a Group Policy Client Side Extension (CSE) on targeted computers.
Please see the LAPS documentation for details. LAPS supports Windows Vista or newer
workstation OSes, and Server 2003 or newer server OSes. LAPS does not support
standalone computers - they must be joined to a domain. The recommended state for
this setting is: Enabled. Note: Organizations that utilize 3rd-party commercial
software to manage unique & complex local Administrator passwords on domain members
may opt to disregard these LAPS recommendations. Note #2: LAPS is only designed to
manage local Administrator passwords, and is therefore not recommended (or
supported) for use directly on Domain Controllers, which do not have a traditional
local Administrator account. We strongly encourage you to only deploy the LAPS CSE
and LAPS GPO settings to member servers and workstations."
rationale: "Due to the difficulty in managing local Administrator passwords,
many organizations choose to use the same password on all workstations and/or
Member Servers when deploying them. This creates a serious attack surface security
risk because if an attacker manages to compromise one system and learn the password
to its local Administrator account, then they can leverage that account to
instantly gain access to all other computers that also use that password for their
local Administrator account."
remediation: "To establish the recommended configuration via GP, set the
following UI path to Enabled: Computer Configuration\\Policies\\Administrative
Templates\\LAPS\\Enable Local Admin Password Management Note: This Group Policy
path does not exist by default. An additional Group Policy template
(AdmPwd.admx/adml) is required - it is included with Microsoft Local Administrator
Password Solution (LAPS)."
compliance:
- cis: ["18.2.3"]
- cis_csc: ["16.9"]
- pci_dss: ["8.2"]
- tsc: ["CC6.1"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> AdmPwdEnabled -> 1'

# 18.2.4 Ensure 'Password Settings: Password Complexity' is set to 'Enabled: Large letters + small letters + numbers + special characters'
- id: 16595
title: "Ensure 'Password Settings: Password Complexity' is set to 'Enabled:
Large letters + small letters + numbers + special characters'"
description: "In May 2015, Microsoft released the Local Administrator Password
Solution (LAPS) tool, which is free and supported software that allows an
organization to automatically set randomized and unique local Administrator account
passwords on domain-attached workstations and Member Servers. The passwords are
stored in a confidential attribute of the domain computer account and can be
retrieved from Active Directory by approved Sysadmins when needed. The LAPS tool
requires a small Active Directory Schema update in order to implement, as well as
installation of a Group Policy Client Side Extension (CSE) on targeted computers.
Please see the LAPS documentation for details. LAPS supports Windows Vista or newer
workstation OSes, and Server 2003 or newer server OSes. LAPS does not support
standalone computers - they must be joined to a domain. The recommended state for
this setting is: Enabled: Large letters + small letters + numbers + special
characters. Note: Organizations that utilize 3rd-party commercial software to
manage unique & complex local Administrator passwords on domain members may opt to
disregard these LAPS recommendations. Note #2: LAPS is only designed to manage
local Administrator passwords, and is therefore not recommended (or supported) for
use directly on Domain Controllers, which do not have a traditional local
Administrator account. We strongly encourage you to only deploy the LAPS CSE and
LAPS GPO settings to member servers and workstations."
rationale: "Due to the difficulty in managing local Administrator passwords,
many organizations choose to use the same password on all workstations and/or
Member Servers when deploying them. This creates a serious attack surface security
risk because if an attacker manages to compromise one system and learn the password
to its local Administrator account, then they can leverage that account to
instantly gain access to all other computers that also use that password for their
local Administrator account."
remediation: "To establish the recommended configuration via GP, set the
following UI path to Enabled, and configure the Password Complexity option to Large
letters + small letters + numbers + special characters: Computer Configuration\\
Policies\\Administrative Templates\\LAPS\\Password Settings Note: This Group Policy
path does not exist by default. An additional Group Policy template
(AdmPwd.admx/adml) is required - it is included with Microsoft Local Administrator
Password Solution (LAPS)."
compliance:
- cis: ["18.2.4"]
- cis_csc: ["5.7"]
- pci_dss: ["8.2.3"]
- tsc: ["CC6.1"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordComplexity -> 4'

# 18.2.5 Ensure 'Password Settings: Password Length' is set to 'Enabled: 15 or more'
- id: 16596
title: "Ensure 'Password Settings: Password Length' is set to 'Enabled: 15 or
more'"
description: "In May 2015, Microsoft released the Local Administrator Password
Solution (LAPS) tool, which is free and supported software that allows an
organization to automatically set randomized and unique local Administrator account
passwords on domain-attached workstations and Member Servers. The passwords are
stored in a confidential attribute of the domain computer account and can be
retrieved from Active Directory by approved Sysadmins when needed. The LAPS tool
requires a small Active Directory Schema update in order to implement, as well as
installation of a Group Policy Client Side Extension (CSE) on targeted computers.
Please see the LAPS documentation for details. LAPS supports Windows Vista or newer
workstation OSes, and Server 2003 or newer server OSes. LAPS does not support
standalone computers - they must be joined to a domain. The recommended state for
this setting is: Enabled: 15 or more. Note: Organizations that utilize 3rd-party
commercial software to manage unique & complex local Administrator passwords on
domain members may opt to disregard these LAPS recommendations. Note #2: LAPS is
only designed to manage local Administrator passwords, and is therefore not
recommended (or supported) for use directly on Domain Controllers, which do not
have a traditional local Administrator account. We strongly encourage you to only
deploy the LAPS CSE and LAPS GPO settings to member servers and workstations."
rationale: "Due to the difficulty in managing local Administrator passwords,
many organizations choose to use the same password on all workstations and/or
Member Servers when deploying them. This creates a serious attack surface security
risk because if an attacker manages to compromise one system and learn the password
to its local Administrator account, then they can leverage that account to
instantly gain access to all other computers that also use that password for their
local Administrator account."
remediation: "To establish the recommended configuration via GP, set the
following UI path to Enabled, and configure the Password Length option to 15 or
more: Computer Configuration\\Policies\\Administrative Templates\\LAPS\\Password
Settings Note: This Group Policy path does not exist by default. An additional
Group Policy template (AdmPwd.admx/adml) is required - it is included with
Microsoft Local Administrator Password Solution (LAPS)."
compliance:
- cis: ["18.2.5"]
- cis_csc: ["5.7"]
- pci_dss: ["8.2.3"]
- tsc: ["CC6.1"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordLength -> n:^(\d+) compare >= 15'

# 18.2.6 Ensure 'Password Settings: Password Age (Days)' is set to 'Enabled: 30 or fewer'
- id: 16597
title: "Ensure 'Password Settings: Password Age (Days)' is set to 'Enabled: 30
or fewer'"
description: "In May 2015, Microsoft released the Local Administrator Password
Solution (LAPS) tool, which is free and supported software that allows an
organization to automatically set randomized and unique local Administrator account
passwords on domain-attached workstations and Member Servers. The passwords are
stored in a confidential attribute of the domain computer account and can be
retrieved from Active Directory by approved Sysadmins when needed. The LAPS tool
requires a small Active Directory Schema update in order to implement, as well as
installation of a Group Policy Client Side Extension (CSE) on targeted computers.
Please see the LAPS documentation for details. LAPS supports Windows Vista or newer
workstation OSes, and Server 2003 or newer server OSes. LAPS does not support
standalone computers - they must be joined to a domain. The recommended state for
this setting is: Enabled: 30 or fewer. Note: Organizations that utilize 3rd-party
commercial software to manage unique & complex local Administrator passwords on
domain members may opt to disregard these LAPS recommendations. Note #2: LAPS is
only designed to manage local Administrator passwords, and is therefore not
recommended (or supported) for use directly on Domain Controllers, which do not
have a traditional local Administrator account. We strongly encourage you to only
deploy the LAPS CSE and LAPS GPO settings to member servers and workstations."
rationale: "Due to the difficulty in managing local Administrator passwords,
many organizations choose to use the same password on all workstations and/or
Member Servers when deploying them. This creates a serious attack surface security
risk because if an attacker manages to compromise one system and learn the password
to its local Administrator account, then they can leverage that account to
instantly gain access to all other computers that also use that password for their
local Administrator account."
remediation: "To establish the recommended configuration via GP, set the
following UI path to Enabled, and configure the Password Age (Days) option to 30 or
fewer: Computer Configuration\\Policies\\Administrative Templates\\LAPS\\Password
Settings Note: This Group Policy path does not exist by default. An additional
Group Policy template (AdmPwd.admx/adml) is required - it is included with
Microsoft Local Administrator Password Solution (LAPS)."
compliance:
- cis: ["18.2.6"]
- cis_csc: ["16.5"]
- pci_dss: ["8.2.4"]
- tsc: ["CC6.1"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> n:^(\d+) compare <= 30'
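# Added example, not part of the Wazuh policy or its SCA engine: an offline evaluator
# for the registry rule strings of checks 18.2.1 to 18.2.6 above, run against a
# constructed registry snapshot. The rule grammar it implements (r:<key>, '->'
# separators, 'n:<regex> compare <op> <int>') is an assumption modelled on the
# strings in this file, and every value in the snapshot is made up.

```python
"""Offline evaluator for the Wazuh-SCA-style registry rules used in this policy.
Assumed grammar (modelled on the rule strings in this file, not Wazuh's parser):
  r:<key>                          the key must exist
  r:<key> -> <name>                the value <name> must exist under the key
  r:<key> -> <name> -> <expect>    its data must match <expect>: a literal, or
                                   'n:<regex> compare <op> <int>' on group 1
"""
import re
from typing import Callable, Dict, List

# A registry snapshot is a mapping: key path -> {value name: data}.
Registry = Dict[str, Dict[str, object]]

ADMPWD = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd"
LAPS_CSE = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
            r"\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA}")

# Constructed snapshot of a member server (made-up data, not a real host):
# LAPS is installed and enabled, but the password length was left at 14.
SAMPLE_REGISTRY: Registry = {
    LAPS_CSE: {"DllName": r"C:\Program Files\LAPS\CSE\AdmPwd.dll"},
    ADMPWD: {
        "AdmPwdEnabled": 1,
        "PwdExpirationProtectionEnabled": 1,
        "PasswordComplexity": 4,
        "PasswordLength": 14,
        "PasswordAgeDays": 30,
    },
}

# Rule strings copied from checks 18.2.1 to 18.2.6 of this policy.
LAPS_CHECKS: Dict[str, List[str]] = {
    "18.2.1": [f"r:{LAPS_CSE}", f"r:{LAPS_CSE} -> DllName"],
    "18.2.2": [f"r:{ADMPWD} -> PwdExpirationProtectionEnabled -> 1"],
    "18.2.3": [f"r:{ADMPWD} -> AdmPwdEnabled -> 1"],
    "18.2.4": [f"r:{ADMPWD} -> PasswordComplexity -> 4"],
    "18.2.5": [rf"r:{ADMPWD} -> PasswordLength -> n:^(\d+) compare >= 15"],
    "18.2.6": [rf"r:{ADMPWD} -> PasswordAgeDays -> n:^(\d+) compare <= 30"],
}

_NUMERIC = re.compile(
    r"^n:(?P<regex>.+?)\s+compare\s+(?P<op>==|!=|<=|>=|<|>)\s+(?P<num>-?\d+)$")
_OPS: Dict[str, Callable[[int, int], bool]] = {
    "==": lambda a, b: a == b, "!=": lambda a, b: a != b,
    "<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
}


def expected_matches(actual: object, expected: str) -> bool:
    """Compare one registry value with the rule's <expect> part."""
    m = _NUMERIC.match(expected)
    if m is None:
        # Literal match; DWORD data is compared as its decimal text.
        return str(actual) == expected
    captured = re.match(m.group("regex"), str(actual))
    if captured is None or captured.lastindex is None:
        return False  # regex did not match, or captured nothing to compare
    return _OPS[m.group("op")](int(captured.group(1)), int(m.group("num")))


def evaluate_rule(rule: str, registry: Registry) -> bool:
    """Evaluate one 'r:' rule; an absent key or value name is a failure."""
    if not rule.startswith("r:"):
        raise ValueError(f"only registry (r:) rules are supported: {rule!r}")
    parts = [p.strip() for p in rule[2:].split("->")]
    values = registry.get(parts[0])
    if values is None:
        return False
    if len(parts) == 1:
        return True
    if parts[1] not in values:
        return False
    if len(parts) == 2:
        return True
    return expected_matches(values[parts[1]], parts[2])


def evaluate_check(rules: List[str], condition: str, registry: Registry) -> bool:
    """Combine rule results the way the policy's 'condition' field does."""
    results = [evaluate_rule(r, registry) for r in rules]
    if condition == "all":
        return all(results)
    if condition == "any":
        return any(results)
    if condition == "none":
        return not any(results)
    raise ValueError(f"unknown condition {condition!r}")


def assess_laps(registry: Registry) -> Dict[str, bool]:
    """Return pass/fail per LAPS check; every check in this file uses 'all'."""
    return {cid: evaluate_check(rules, "all", registry)
            for cid, rules in LAPS_CHECKS.items()}
```

# Against the constructed snapshot only 18.2.5 fails, because 14 does not satisfy
# 'n:^(\d+) compare >= 15'; the same evaluator applies to every 'r:' rule below.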

###############################################
# Section 18.3 - MS Security Guide
###############################################
# 18.3.1 Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled'
- id: 16598
title: "Ensure 'Apply UAC restrictions to local accounts on network logons' is
set to 'Enabled'"
description: "This setting controls whether local accounts can be used for
remote administration via network logon (e.g., NET USE, connecting to C$, etc.).
Local accounts are at high risk for credential theft when the same account and
password is configured on multiple systems. Enabling this policy significantly
reduces that risk. Enabled: Applies UAC token-filtering to local accounts on
network logons. Membership in powerful groups such as Administrators is disabled and
powerful privileges are removed from the resulting access token. This configures
the LocalAccountTokenFilterPolicy registry value to 0. This is the default behavior
for Windows. Disabled: Allows local accounts to have full administrative rights
when authenticating via network logon, by configuring the
LocalAccountTokenFilterPolicy registry value to 1. For more information about local
accounts and credential theft, review the 'Mitigating Pass-the-Hash (PtH) Attacks
and Other Credential Theft Techniques' documents. For more information about
LocalAccountTokenFilterPolicy, see Microsoft Knowledge Base article 951016:
Description of User Account Control and remote restrictions in Windows Vista. The
recommended state for this setting is: Enabled."
rationale: "Local accounts are at high risk for credential theft when the same
account and password is configured on multiple systems. Ensuring this policy is
Enabled significantly reduces that risk."
remediation: "To establish the recommended configuration via GP, set the
following UI path to Enabled: Computer Configuration\\Policies\\Administrative
Templates\\MS Security Guide\\Apply UAC restrictions to local accounts on network
logons Note: This Group Policy path does not exist by default. An additional Group
Policy template (SecGuide.admx/adml) is required - it is available from Microsoft."
compliance:
- cis: ["18.3.1"]
- cis_csc: ["5.8"]
- pci_dss: ["7.1"]
- tsc: ["CC6.4"]
references:
- https://www.microsoft.com/en-us/download/details.aspx?id=36036
- https://support.microsoft.com/en-us/help/951016/description-of-user-account-control-and-remote-restrictions-in-windows
- https://blogs.technet.microsoft.com/secguide/2017/08/30/security-baseline-for-windows-10-creators-update-v1703-final/
- 'CCE-37069-2'
condition: all
rules:
# Enabled applies token filtering, which the description above maps to LocalAccountTokenFilterPolicy = 0; the value 1 is the Disabled (insecure) state
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> LocalAccountTokenFilterPolicy -> 0'

# 18.3.2 (L1) Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver'
- id: 16599
title: "Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable
driver'"
description: "This setting configures the start type for the Server Message
Block version 1 (SMBv1) client driver service (MRxSmb10), which is recommended to
be disabled. The recommended state for this setting is: Enabled: Disable driver.
Note: Do not, under any circumstances, configure this overall setting as Disabled,
as doing so will delete the underlying registry entry altogether, which will cause
serious problems."
rationale: "Since September 2016, Microsoft has strongly encouraged that SMBv1
be disabled and no longer used on modern networks, as it is a 30 year old design
that is much more vulnerable to attacks than much newer designs such as SMBv2 and
SMBv3."
remediation: "To establish the recommended configuration via GP, set the
following UI path to Enabled: Disable driver: Computer Configuration\\Policies\\
Administrative Templates\\MS Security Guide\\Configure SMB v1 client driver Note:
This Group Policy path does not exist by default. An additional Group Policy
template (SecGuide.admx/adml) is required."
compliance:
- cis: ["18.3.2"]
- cis_csc: ["9.1"]
- pci_dss: ["2.2.5"]
- tsc: ["CC6.3"]
references:
- 'https://techcommunity.microsoft.com/t5/storage-at-microsoft/stop-using-smb1/ba-p/425858'
- 'https://docs.microsoft.com/en-us/archive/blogs/staysafe/disable-smb-v1-in-managed-environments-with-ad-group-policy'
- 'https://docs.microsoft.com/en-us/archive/blogs/secguide/disabling-smbv1-through-group-policy'
- 'https://docs.microsoft.com/en-us/archive/blogs/secguide/security-baseline-for-windows-10-creators-update-v1703-final'
condition: all
rules:
# Service start type 4 is Disabled, which is what 'Enabled: Disable driver' sets; 1 (System start) would load the SMBv1 driver at boot
- 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mrxsmb10 -> Start -> 4'

# 18.3.3 Ensure 'Configure SMB v1 server' is set to 'Disabled' (Scored)
- id: 16600
title: "Ensure 'Configure SMB v1 server' is set to 'Disabled'"
description: "This setting configures the server-side processing of the Server
Message Block version 1 (SMBv1) protocol. The recommended state for this setting
is: Disabled."
rationale: "Since September 2016, Microsoft has strongly encouraged that SMBv1
be disabled and no longer used on modern networks, as it is a 30 year old design
that is much more vulnerable to attacks than much newer designs such as SMBv2 and
SMBv3."
remediation: "To establish the recommended configuration via GP, set the
following UI path to Disabled: Computer Configuration\\Policies\\Administrative
Templates\\MS Security Guide\\Configure SMB v1 server Note: This Group Policy path
does not exist by default. An additional Group Policy template (SecGuide.admx/adml)
is required."
compliance:
- cis: ["18.3.3"]
- cis_csc: ["9.1"]
- pci_dss: ["2.2.5"]
- tsc: ["CC6.3"]
references:
- 'https://techcommunity.microsoft.com/t5/storage-at-microsoft/stop-using-smb1/ba-p/425858'
- 'https://docs.microsoft.com/en-us/archive/blogs/staysafe/disable-smb-v1-in-managed-environments-with-ad-group-policy'
- 'https://docs.microsoft.com/en-us/archive/blogs/secguide/disabling-smbv1-through-group-policy'
- 'https://docs.microsoft.com/en-us/archive/blogs/secguide/security-baseline-for-windows-10-creators-update-v1703-final'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters -> SMB1 -> 0'

# 18.3.4 Ensure 'Enable Structured Exception Handling Overwrite Protection (SEHOP)' is set to 'Enabled'
- id: 16601
title: "Ensure 'Enable Structured Exception Handling Overwrite Protection
(SEHOP)' is set to 'Enabled'"
description: "Windows includes support for Structured Exception Handling
Overwrite Protection (SEHOP). We recommend enabling this feature to improve the
security profile of the computer. The recommended state for this setting is:
Enabled."
rationale: "This feature is designed to block exploits that use the Structured
Exception Handler (SEH) overwrite technique. This protection mechanism is provided
at run-time. Therefore, it helps protect applications regardless of whether they
have been compiled with the latest improvements, such as the /SAFESEH option."
remediation: "To establish the recommended configuration via GP, set the
following UI path to Enabled: Computer Configuration\\Policies\\Administrative
Templates\\MS Security Guide\\Enable Structured Exception Handling Overwrite
Protection (SEHOP) Note: This Group Policy path does not exist by default. An
additional Group Policy template (SecGuide.admx/adml) is required."
compliance:
- cis: ["18.3.4"]
- cis_csc: ["8.4"]
- pci_dss: ["6.2"]
- nist_800_53: ["SI.2","SA.11","SI.4"]
- gpg_13: ["4.3"]
- gdpr_IV: ["35.7.d"]
- hipaa: ["164.312.b"]
- tsc: ["A1.2","CC6.8"]
references:
- 'https://blogs.technet.microsoft.com/secguide/2017/08/30/security-baseline-for-windows-10-creators-update-v1703-final/'
- 'https://support.microsoft.com/en-us/help/956607/how-to-enable-structured-exception-handling-overwrite-protection-sehop'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel -> DisableExceptionChainValidation -> 0'

# 18.3.5 (L1) Ensure 'Extended Protection for LDAP Authentication (Domain Controllers only)' is set to 'Enabled: Enabled, always (recommended)' (DC Only) (Scored)
- id: 16602
title: "Ensure 'Extended Protection for LDAP Authentication (Domain Controllers
only)' is set to 'Enabled: Enabled, always (recommended)'"
description: "This setting controls LDAP authentication over SSL/TLS to help
make it more secure. The recommended state for this setting is: Enabled: Enabled,
always (recommended). Note: All LDAP clients must have the CVE-2017-8563 security
update to be compatible with Domain Controllers that have this setting enabled."
rationale: "Configuring the LdapEnforceChannelBinding registry value can help
to increase protection against 'man-in-the-middle attacks'."
remediation: "To establish the recommended configuration via GP, set the
following UI path to Enabled: Enabled, always (recommended): Computer
Configuration\\Policies\\Administrative Templates\\MS Security Guide\\Extended
Protection for LDAP Authentication (Domain Controllers only) Note: This Group
Policy path does not exist by default. An additional Group Policy template
(SecGuide.admx/adml) is required."
compliance:
- cis: ["18.3.5"]
- cis_csc: ["16.5"]
- pci_dss: ["8.2.1"]
- tsc: ["CC6.1"]
references:
- 'CVE-2017-8563'
- 'https://support.microsoft.com/en-us/help/4034879/how-to-add-the-ldapenforcechannelbinding-registry-entry'
- 'https://blogs.technet.microsoft.com/secguide/2018/11/20/security-baseline-final-for-windows-10-v1809-and-windows-server-2019/'
- 'https://technet.microsoft.com/library/security/973811'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters -> LdapEnforceChannelBinding -> 2'

# 18.3.6 Ensure 'WDigest Authentication' is set to 'Disabled'
- id: 16603
title: "Ensure 'WDigest Authentication' is set to 'Disabled'"
description: "When WDigest authentication is enabled, Lsass.exe retains a copy
of the user's plaintext password in memory, where it can be at risk of theft. If
this setting is not configured, WDigest authentication is disabled in Windows 8.1
and in Windows Server 2012 R2; it is enabled by default in earlier versions of
Windows and Windows Server."
rationale: "Preventing the plaintext storage of credentials in memory may
reduce opportunity for credential theft."
remediation: "To establish the recommended configuration via GP, set the
following UI path to Disabled: Computer Configuration\\Policies\\Administrative
Templates\\MS Security Guide\\WDigest Authentication (disabling may require
KB2871997) Note: This Group Policy path does not exist by default. An additional
Group Policy template (SecGuide.admx/adml) is required."
compliance:
- cis: ["18.3.6"]
- cis_csc: ["16.14"]
- pci_dss: ["8.2.1"]
- tsc: ["CC6.1"]
references:
- 'http://www.microsoft.com/en-us/download/details.aspx?id=36036'
- 'https://support.microsoft.com/en-us/kb/2871997'
- 'https://blogs.technet.microsoft.com/secguide/2017/08/30/security-baseline-for-windows-10-creators-update-v1703-final/'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest -> UseLogonCredential -> 0'

###############################################
# 18.4 MSS (Legacy)
###############################################
# 18.4.1 Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled'
- id: 16604
title: "Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)'
is set to 'Disabled'"
description: "This setting is separate from the Welcome screen feature in
Windows XP and Windows Vista; if that feature is disabled, this setting is not
disabled. If you configure a computer for automatic logon, anyone who can
physically gain access to the computer can also gain access to everything that is
on the computer, including any network or networks to which the computer is
connected. Also, if you enable automatic logon, the password is stored in the
registry in plaintext, and the specific registry key that stores this value is
remotely readable by the Authenticated Users group. The recommended state for this
setting is: Disabled."
rationale: "If you configure a computer for automatic logon, anyone who can
physically gain access to the computer can also gain access to everything that is
on the computer, including any network or networks that the computer is connected
to. Also, if you enable automatic logon, the password is stored in the registry in
plaintext. The specific registry key that stores this setting is remotely readable
by the Authenticated Users group. As a result, this entry is appropriate only if
the computer is physically secured and if you ensure that untrusted users cannot
remotely see the registry."
remediation: "To establish the recommended configuration via GP, set the
following UI path to Disabled: Computer Configuration\\Policies\\Administrative
Templates\\MSS (Legacy)\\MSS: (AutoAdminLogon) Enable Automatic Logon (not
recommended) Note: This Group Policy path does not exist by default. An additional
Group Policy template (MSS-legacy.admx/adml) is required - it is available from
this TechNet blog post: The MSS settings - Microsoft Security Guidance blog."
compliance:
- cis: ["18.4.1"]
- cis_csc: ["16"]
- pci_dss: ["8.2.1"]
- tsc: ["CC6.1"]
references:
- https://support.microsoft.com/en-us/help/324737/how-to-turn-on-automatic-logon-in-windows
- https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
- 'CCE-37067-6'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> AutoAdminLogon -> 0'

# 18.4.2 Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'
- id: 16605
title: "Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection
level (protects against packet spoofing)' is set to 'Enabled: Highest protection,
source routing is completely disabled'"
description: "IP source routing is a mechanism that allows the sender to
determine the IP route that a datagram should follow through the network. The
recommended state for this setting is: Enabled: Highest protection, source routing
is completely disabled."
rationale: "An attacker could use source routed packets to obscure their
identity and location. Source routing allows a computer that sends a packet to
specify the route that the packet takes."
remediation: "To establish the recommended configuration via GP, set the
following UI path to Enabled: Highest protection, source routing is completely
disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS
(Legacy)\\MSS: (DisableIPSourceRouting IPv6) IP source routing protection level
(protects against packet spoofing) Note: This Group Policy path does not exist by
default. An additional Group Policy template (MSS-legacy.admx/adml) is required -
it is available from this TechNet blog post: The MSS settings - Microsoft Security
Guidance blog."
compliance:
- cis: ["18.4.2"]
- cis_csc: ["9"]
- pci_dss: ["1.3.3"]
- hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
- nist_800_53: ["SC.8"]
- tsc: ["CC6.6"]
references:
- https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
- 'CCE-36871-2'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters -> DisableIPSourceRouting -> 2'

# 18.4.3 Ensure 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'
- id: 16606
title: "Ensure 'MSS: (DisableIPSourceRouting) IP source routing protection
level (protects against packet spoofing)' is set to 'Enabled: Highest protection,
source routing is completely disabled'"
description: "IP source routing is a mechanism that allows the sender to
determine the IP route that a datagram should take through the network. It is
recommended to configure this setting to Not Defined for enterprise environments
and to Highest Protection for high security environments to completely disable
source routing. The recommended state for this setting is: Enabled: Highest
protection, source routing is completely disabled."
rationale: "An attacker could use source routed packets to obscure their
identity and location. Source routing allows a computer that sends a packet to
specify the route that the packet takes."
remediation: "To establish the recommended configuration via GP, set the
following UI path to Enabled: Highest protection, source routing is completely
disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS
(Legacy)\\MSS: (DisableIPSourceRouting) IP source routing protection level
(protects against packet spoofing) Note: This Group Policy path does not exist by
default. An additional Group Policy template (MSS-legacy.admx/adml) is required -
it is available from this TechNet blog post: The MSS settings - Microsoft Security
Guidance blog."
compliance:
- cis: ["18.4.3"]
- cis_csc: ["9"]
- pci_dss: ["1.3.3"]
- hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
- nist_800_53: ["SC.8"]
- tsc: ["CC6.6"]
references:
- https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
- 'CCE-36535-3'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> DisableIPSourceRouting -> 2'

# 18.4.4 Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled'
- id: 16607
title: "Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF
generated routes' is set to 'Disabled'"
description: "Internet Control Message Protocol (ICMP) redirects cause the IPv4
stack to plumb host routes. These routes override the Open Shortest Path First
(OSPF) generated routes. The recommended state for this setting is: Disabled."
rationale: "This behavior is expected. The problem is that the 10 minute time-
out period for the ICMP redirect-plumbed routes temporarily creates a network
situation in which traffic will no longer be routed properly for the affected host.
Ignoring such ICMP redirects will limit the system's exposure to attacks that will
impact its ability to participate on the network."
remediation: "To establish the recommended configuration via GP, set the
following UI path to Disabled: Computer Configuration\\Policies\\Administrative
Templates\\MSS (Legacy)\\MSS: (EnableICMPRedirect) Allow ICMP redirects to override
OSPF generated routes Note: This Group Policy path does not exist by default. An
additional Group Policy template (MSS-legacy.admx/adml) is required - it is
available from this TechNet blog post: The MSS settings - Microsoft Security
Guidance blog."
compliance:
- cis: ["18.4.4"]
- cis_csc: ["9"]
- nist_800_53: ["SC.5"]
- pci_dss: ["1.3.3"]
- tsc: ["A1.1","CC6.1","CC7.2"]
references:
- https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
- 'CCE-37988-3'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> EnableICMPRedirect -> 0'

# 18.4.5 Ensure 'MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds' is set to 'Enabled: 300,000 or 5 minutes'
- id: 16608
title: "Ensure 'MSS: (KeepAliveTime) How often keep-alive packets are sent in
milliseconds' is set to 'Enabled: 300,000 or 5 minutes (recommended)'"
description: "This value controls how often TCP attempts to verify that an idle
connection is still intact by sending a keep-alive packet."
rationale: "An attacker who is able to connect to network applications could
establish numerous connections to cause a DoS condition."
remediation: "To establish the recommended configuration via GP, set the
following UI path to Enabled: 300,000 or 5 minutes (recommended): Computer
Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS:
(KeepAliveTime) How often keep-alive packets are sent in milliseconds."
compliance:
- cis: ["18.4.5"]
- cis_csc: ["9"]
- pci_dss: ["1.3.3"]
- tsc: ["A1.1","CC6.1","CC7.2"]
- nist_800_53: ["SC.5"]
references:
- 'CCE-36868-8'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> KeepAliveTime -> 300000'

# 18.4.6 Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled'
- id: 16609
title: "Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore
NetBIOS name release requests except from WINS servers' is set to 'Enabled'"
description: "NetBIOS over TCP/IP is a network protocol that among other things
provides a way to easily resolve NetBIOS names that are registered on Windows-based
systems to the IP addresses that are configured on those systems. This setting
determines whether the computer releases its NetBIOS name when it receives a name-
release request. The recommended state for this setting is: Enabled."
rationale: "The NetBT protocol is designed not to use authentication, and is
therefore vulnerable to spoofing. Spoofing makes a transmission appear to come from
a user other than the user who performed the action. A malicious user could exploit
the unauthenticated nature of the protocol to send a name-conflict datagram to a
target computer, which would cause the computer to relinquish its name and not
respond to queries. An attacker could send a request over the network and query a
computer to release its NetBIOS name. As with any change that could affect
applications, it is recommended that you test this change in a non-production
environment before you change the production environment. The result of such an
attack could be to cause intermittent connectivity issues on the target computer,
or even to prevent the use of Network Neighborhood, domain logons, the NET SEND
command, or additional NetBIOS name resolution."
remediation: "To establish the recommended configuration via GP, set the
following UI path to Enabled: Computer Configuration\\Policies\\Administrative
Templates\\MSS (Legacy)\\MSS: (NoNameReleaseOnDemand) Allow the computer to ignore
NetBIOS name release requests except from WINS servers Note: This Group Policy path
does not exist by default. An additional Group Policy template
(MSS-legacy.admx/adml) is required - it is available from this TechNet blog post:
The MSS settings - Microsoft Security Guidance blog."
compliance:
- cis: ["18.4.6"]
- cis_csc: ["9"]
- pci_dss: ["1.3.3"]
- hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
- nist_800_53: ["SC.8"]
- tsc: ["CC6.6"]
references:
- https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
- 'CCE-36879-5'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters -> NoNameReleaseOnDemand -> 1'

# 18.4.7 Ensure 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)' is set to 'Disabled'
- id: 16610
title: "Ensure 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and
configure Default Gateway addresses (could lead to DoS)' is set to 'Disabled'"
description: "This setting is used to enable or disable the Internet Router
Discovery Protocol (IRDP), which allows the system to detect and configure default
gateway addresses automatically as described in RFC 1256 on a per-interface basis."
rationale: "An attacker who has gained control of a computer on the same
network segment could configure a computer on the network to impersonate a router."
remediation: "To establish the recommended configuration via GP, set the
following UI path to Disabled: Computer Configuration\\Policies\\Administrative
Templates\\MSS (Legacy)\\MSS: (PerformRouterDiscovery) Allow IRDP to detect and
configure Default Gateway addresses (could lead to DoS)."
compliance:
- cis: ["18.4.7"]
- cis_csc: ["9"]
- pci_dss: ["1.3.3"]
- tsc: ["A1.1","CC6.1","CC7.2"]
- nist_800_53: ["SC.5"]
references:
- 'CCE-38065-9'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> PerformRouterDiscovery -> 0'

# 18.4.8 Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' is set to 'Enabled'
- id: 16611
title: "Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode
(recommended)' is set to 'Enabled'"
description: "The DLL search order can be configured to search for DLLs that
are requested by running processes in one of two ways: -Search folders specified in
the system path first, and then search the current working folder. -Search current
working folder first, and then search the folders specified in the system path.
When enabled, the registry value is set to 1. With a setting of 1, the system first
searches the folders that are specified in the system path and then searches the
current working folder. When disabled the registry value is set to 0 and the system
first searches the current working folder and then searches the folders that are
specified in the system path. Applications will be forced to search for DLLs in the
system path first. For applications that require unique versions of these DLLs that
are included with the application, this entry could cause performance or stability
problems. The recommended state for this setting is: Enabled."
rationale: "If a user unknowingly executes hostile code that was packaged with
additional files that include modified versions of system DLLs, the hostile code
could load its own versions of those DLLs and potentially increase the type and
degree of damage the code can render."
remediation: "To establish the recommended configuration via GP, set the
following UI path to Enabled: Computer Configuration\\Policies\\Administrative
Templates\\MSS (Legacy)\\MSS: (SafeDllSearchMode) Enable Safe DLL search mode
(recommended) Note: This Group Policy path does not exist by default. An additional
Group Policy template (MSS-legacy.admx/adml) is required - it is available from
this TechNet blog post: The MSS settings - Microsoft Security Guidance blog."
compliance:
- cis: ["18.4.8"]
- cis_csc: ["8"]
- pci_dss: ["2.2.3"]
- nist_800_53: ["CM.1"]
- gpg_13: ["4.3"]
- gdpr_IV: ["35.7.d"]
- hipaa: ["164.312.b"]
- tsc: ["CC5.2"]
references:
- https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
- 'CCE-36351-5'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager -> SafeDllSearchMode -> 1'

# 18.4.9 Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' is set to 'Enabled: 5 or fewer seconds'
- id: 16612
title: "Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the
screen saver grace period expires (0 recommended)' is set to 'Enabled: 5 or fewer
seconds'"
description: "Windows includes a grace period between when the screen saver is
launched and when the console is actually locked automatically when screen saver
locking is enabled. The recommended state for this setting is: Enabled: 5 or fewer
seconds."
rationale: "The default grace period that is allowed for user movement before
the screen saver lock takes effect is five seconds. If you leave the default grace
period configuration, your computer is vulnerable to a potential attack from
someone who could approach the console and attempt to log on to the computer before
the lock takes effect. An entry to the registry can be made to adjust the length of
the grace period."
remediation: "To establish the recommended configuration via GP, set the
following UI path to Enabled: 5 or fewer seconds: Computer Configuration\\
Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (ScreenSaverGracePeriod) The
time in seconds before the screen saver grace period expires (0 recommended) Note:
This Group Policy path does not exist by default. An additional Group Policy
template (MSS-legacy.admx/adml) is required - it is available from this TechNet
blog post: The MSS settings - Microsoft Security Guidance blog."
compliance:
- cis: ["18.4.9"]
- cis_csc: ["16.5"]
- pci_dss: ["8.1.8"]
- tsc: ["CC6.1"]
references:
- https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
- 'CCE-37993-3'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScreenSaverGracePeriod -> n:^(\d+) compare <= 5'

# 18.4.10 Ensure 'MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'
- id: 16613
title: "Ensure 'MSS: (TcpMaxDataRetransmissions IPv6) How many times
unacknowledged data is retransmitted' is set to 'Enabled: 3'"
description: "This setting controls the number of times that TCP retransmits an
individual data segment (non-connect segment) before the connection is aborted."
rationale: "A malicious user could exhaust a target computer's resources if it
never sent any acknowledgment messages for data that was transmitted by the target
computer."
remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 3: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted."
compliance:
- cis: ["18.4.10"]
- cis_csc: ["9"]
- pci_dss: ["1.3.3"]
- tsc: ["A1.1","CC6.1","CC7.2"]
- nist_800_53: ["SC.5"]
references:
- 'CCE-37846-3'
- 'https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> TcpMaxDataRetransmissions -> 3'

# 18.4.11 Ensure 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'
- id: 16614
title: "Ensure 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged
data is retransmitted' is set to 'Enabled: 3'"
description: "This setting controls the number of times that TCP retransmits an
individual data segment (non-connect segment) before the connection is aborted."
rationale: "A malicious user could exhaust a target computer's resources if it
never sent any acknowledgment messages for data that was transmitted by the target
computer."
remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 3: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted."
compliance:
- cis: ["18.4.11"]
- cis_csc: ["9"]
- pci_dss: ["1.3.3"]
- tsc: ["A1.1","CC6.1","CC7.2"]
- nist_800_53: ["SC.5"]
references:
- 'CCE-36051-1'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> TcpMaxDataRetransmissions -> 3'

# 18.4.12 Ensure 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' is set to 'Enabled: 90% or less'
- id: 16615
title: "Ensure 'MSS: (WarningLevel) Percentage threshold for the security event
log at which the system will generate a warning' is set to 'Enabled: 90% or less'"
description: "This setting can generate a security audit in the Security event
log when the log reaches a user-defined threshold. The recommended state for this
setting is: Enabled: 90% or less. Note: If log settings are configured to Overwrite
events as needed or Overwrite events older than x days, this event will not be
generated."
rationale: "If the Security log reaches 90 percent of its capacity and the
computer has not been configured to overwrite events as needed, more recent events
will not be written to the log. If the log reaches its capacity and the computer
has been configured to shut down when it can no longer record events to the
Security log, the computer will shut down and will no longer be available to
provide network services."
remediation: "To establish the recommended configuration via GP, set the
following UI path to Enabled: 90% or less: Computer Configuration\\Policies\\
Administrative Templates\\MSS (Legacy)\\MSS: (WarningLevel) Percentage threshold
for the security event log at which the system will generate a warning Note: This
Group Policy path does not exist by default. An additional Group Policy template
(MSS-legacy.admx/adml) is required - it is available from this TechNet blog post:
The MSS settings - Microsoft Security Guidance blog."
compliance:
- cis: ["18.4.12"]
- cis_csc: ["6.3"]
- pci_dss: ["10.7"]
references:
- https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
- 'CCE-36880-3'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> n:^(\d+) compare <= 90'
###############################################
# 18.5 Network
###############################################
# 18.5.4.1 Set 'NetBIOS node type' to 'P-node' (Ensure NetBT Parameter 'NodeType' is set to '0x2 (2)')
- id: 16616
title: "Set 'NetBIOS node type' to 'P-node' (Ensure NetBT Parameter 'NodeType'
is set to '0x2 (2)')"
description: "This parameter determines which method NetBIOS over TCP/IP
(NetBT) will use to register and resolve names. A B-node (broadcast) system only
uses broadcasts. A P-node (point-to-point) system uses only name queries to a name
server (WINS). An M-node (mixed) system broadcasts first, then queries the name
server (WINS). An H-node (hybrid) system queries the name server (WINS) first, then
broadcasts. The recommended state for this setting is: NodeType - 0x2 (2) (P-node /
point-to-point)."
rationale: "In order to help mitigate the risk of NetBIOS Name Service (NBT-NS)
poisoning attacks, setting the node type to P-node will prevent the system from
sending out NetBIOS broadcasts."
remediation: "To establish the recommended configuration, set the following
Registry value to 0x2 (2) (DWORD) : HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\
Services\\NetBT\\Parameters:NodeType"
compliance:
- cis: ["18.5.4.1"]
- cis_csc: ["9"]
- pci_dss: ["2.2.3"]
- nist_800_53: ["CM.1"]
- gpg_13: ["4.3"]
- gdpr_IV: ["35.7.d"]
- hipaa: ["164.312.b"]
- tsc: ["CC5.2"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetBT\Parameters -> NodeType -> 2'

# 18.5.4.2 Ensure 'Turn off multicast name resolution' is set to 'Enabled'
- id: 16617
title: "Ensure 'Turn off multicast name resolution' is set to 'Enabled'"
description: "LLMNR is a secondary name resolution protocol. With LLMNR, queries are sent using multicast over a local network link on a single subnet from a client computer to another client computer on the same subnet that also has LLMNR enabled. LLMNR does not require a DNS server or DNS client configuration, and provides name resolution in scenarios in which conventional DNS name resolution is not possible. The recommended state for this setting is: Enabled."
rationale: "An attacker can listen on a network for these LLMNR (UDP/5355) or
NBT-NS (UDP/137) broadcasts and respond to them, tricking the host into thinking
that it knows the location of the requested system. Note: To completely mitigate
local name resolution poisoning, in addition to this setting, the properties of
each installed NIC should also be set to Disable NetBIOS over TCP/IP (on the WINS
tab in the NIC properties). Unfortunately, there is no global setting to achieve
this that automatically applies to all NICs - it is a per-NIC setting that varies
with different NIC hardware installations."
remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\DNS Client\\Turn off multicast name resolution Note: This Group Policy path may not exist by default. It is provided by the Group Policy template DnsClient.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
compliance:
- cis: ["18.5.4.2"]
- cis_csc: ["9"]
- pci_dss: ["2.2.5"]
- tsc: ["CC6.3"]
references:
- 'CCE-37450-4'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient -> EnableMulticast -> 0'
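
# Added example, not from the benchmark or from this policy: the rationale of 18.5.4.2 says that
# closing off local name-resolution poisoning needs, besides the two policy values checked above,
# NetBIOS over TCP/IP disabled on every NIC, and that there is no global setting for it. The
# script below audits all three pieces and, with -Disable, applies the per-interface part. The
# assumption it relies on, which the page does not state, is that the per-interface switch is the
# DWORD NetbiosOptions under ...\NetBT\Parameters\Interfaces\Tcpip_{GUID} (0 = use the DHCP
# setting, 1 = enabled, 2 = disabled). Run it from an elevated PowerShell session.

```powershell
# Audit (and with -Disable, remediate) the settings that together stop NBT-NS and LLMNR
# poisoning: the LLMNR policy (18.5.4.2), NetBT NodeType (18.5.4.1) and NetBIOS over TCP/IP on
# every interface. Registry location of the per-interface switch is an assumption (see lead-in).
param([switch]$Disable)

$NetBT  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters'
$DnsPol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'

function Get-RegValueOrNull {
    param([string]$Path, [string]$Name)
    $key = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($null -eq $key) { return $null }          # key absent: the policy was never applied
    return $key.GetValue($Name, $null)
}

function Get-NameResolutionState {
    # One Tcpip_{GUID} subkey per adapter; each carries its own NetbiosOptions.
    $interfaces = Get-ChildItem -LiteralPath "$NetBT\Interfaces" -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -like 'Tcpip_*' }
    $perNic = foreach ($iface in $interfaces) {
        $opt = $iface.GetValue('NetbiosOptions', $null)
        [pscustomobject]@{
            Interface       = $iface.PSChildName
            NetbiosOptions  = $opt
            NetBiosDisabled = ($opt -eq 2)
        }
    }
    [pscustomobject]@{
        # $null -eq 0 is False in PowerShell, so a missing policy value reads as non-compliant.
        LlmnrDisabled   = ((Get-RegValueOrNull $DnsPol 'EnableMulticast') -eq 0)
        NodeTypeIsPNode = ((Get-RegValueOrNull $NetBT 'NodeType') -eq 2)
        Interfaces      = @($perNic)
    }
}

$state = Get-NameResolutionState
"LLMNR disabled by policy : $($state.LlmnrDisabled)"
"NetBT NodeType is P-node : $($state.NodeTypeIsPNode)"
$state.Interfaces | Format-Table -AutoSize

if ($Disable) {
    foreach ($nic in $state.Interfaces | Where-Object { -not $_.NetBiosDisabled }) {
        Set-ItemProperty -LiteralPath "$NetBT\Interfaces\$($nic.Interface)" `
            -Name NetbiosOptions -Value 2 -Type DWord
        "NetBIOS over TCP/IP disabled on $($nic.Interface)"
    }
}
```

# Two operational points follow from this. A newly added adapter gets a fresh Tcpip_{GUID} key
# with the default value, so the per-interface step has to be re-run (a startup script or Group
# Policy Preferences item is the usual way to keep it applied). And with NodeType 2 the stack
# no longer broadcasts, so NetBIOS names resolve only through a configured WINS server; anything
# that still depends on NetBIOS name resolution needs WINS or a DNS entry before the change.
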

###############################################
# 18.5.5 Fonts
###############################################
# 18.5.5.1 Ensure 'Enable Font Providers' is set to 'Disabled' (Scored)
- id: 16618
title: "Ensure 'Enable Font Providers' is set to 'Disabled'"
description: "This policy setting determines whether Windows is allowed to download fonts and font catalog data from an online font provider. The recommended state for this setting is: Disabled."
rationale: "In an enterprise managed environment the IT department should be
managing the changes to the system configuration, to ensure all changes are tested
and approved."
remediation: "To establish the recommended configuration via GP, set the
following UI path to Disabled : Computer Configuration\\Policies\\Administrative
Templates\\Network\\Fonts\\Enable Font Providers Note: This Group Policy path may
not exist by default. It is provided by the Group Policy template
GroupPolicy.admx/adml that is included with the Microsoft Windows 10 Release 1607 &
Server 2016 Administrative Templates (or newer)."
compliance:
- cis: ["18.5.5.1"]
- cis_csc: ["3", "13"]
- pci_dss: ["6.4.5"]
- tsc: ["CC6.6","CC7.1"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnableFontProviders -> 0'

# 18.5.8.1 Ensure 'Enable insecure guest logons' is set to 'Disabled'
- id: 16619
title: "Ensure 'Enable insecure guest logons' is set to 'Disabled'"
description: "This policy setting determines if the SMB client will allow insecure guest logons to an SMB server. The recommended state for this setting is: Disabled."
rationale: "Insecure guest logons are used by file servers to allow
unauthenticated access to shared folders."
remediation: "To establish the recommended configuration via GP, set the
following UI path to Disabled: Computer Configuration\\Policies\\Administrative
Templates\\Network\\LanmanWorkstation\\Enable insecure guest logons Note: This
Group Policy path may not exist by default. It is provided by the Group Policy
template LanmanWorkstation.admx/adml that is included with the Microsoft Windows 10
Release 1511 Administrative Templates (or newer)."
compliance:
- cis: ["18.5.8.1"]
- cis_csc: ["9.1"]
- pci_dss: ["4.1"]
- hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
- nist_800_53: ["SC.8"]
- tsc: ["CC6.1","CC6.7","CC7.2"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation -> AllowInsecureGuestAuth -> 0'

# Section 18.5.9 - Link-Layer Topology Discovery
# 18.5.9.1 Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled'
- id: 16620
title: "Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled'"
description: "This policy setting changes the operational behavior of the
Mapper I/O network protocol driver."
rationale: "To help protect from potentially discovering and connecting to
unauthorized devices, this setting should be disabled to prevent responding to
network traffic for network topology discovery."
remediation: "To establish the recommended configuration via GP, set the
following UI path to Disabled: Computer Configuration\\Policies\\Administrative
Templates\\Network\\Link-Layer Topology Discovery\\Turn on Mapper I/O (LLTDIO)
driver."
compliance:
- cis: ["18.5.9.1"]
- cis_csc: ["9"]
- pci_dss: ["2.2.5"]
- tsc: ["CC6.3"]
references:
- 'CCE-38170-7'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowLLTDIOOnDomain -> 0'
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowLLTDIOOnPublicNet -> 0'
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> EnableLLTDIO -> 0'
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> ProhibitLLTDIOOnPrivateNet -> 0'

# 18.5.9.2 (L2) Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled'
- id: 16621
title: "Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled'"
description: "This policy setting changes the operational behavior of the
Responder network protocol driver."
rationale: "To help protect from potentially discovering and connecting to
unauthorized devices, this setting should be disabled to prevent responding to
network traffic for network topology discovery."
remediation: "To establish the recommended configuration via GP, set the
following UI path to Disabled: Computer Configuration\\Policies\\Administrative
Templates\\Network\\Link-Layer Topology Discovery\\Turn on Responder (RSPNDR)
driver."
compliance:
- cis: ["18.5.9.2"]
- cis_csc: ["9"]
- pci_dss: ["2.2.5"]
- tsc: ["CC6.3"]
references:
- 'CCE-37959-4'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowRspndrOnDomain -> 0'
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowRspndrOnPublicNet -> 0'
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> EnableRspndr -> 0'
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> ProhibitRspndrOnPrivateNet -> 0'

# Section 18.5.10 - Microsoft Peer-to-Peer Networking Services
# 18.5.10.2 Ensure 'Turn off Microsoft Peer-to-Peer Networking Services' is set to 'Enabled'
- id: 16622
title: "Ensure 'Turn off Microsoft Peer-to-Peer Networking Services' is set to
'Enabled'"
description: "The Peer Name Resolution Protocol (PNRP) allows for distributed
resolution of a name to an IPv6 address and port number."
rationale: "This setting enhances the security of the environment and reduces
the overall risk exposure related to peer-to-peer networking."
remediation: "To establish the recommended configuration via GP, set the
following UI path to Enabled: Computer Configuration\\Policies\\Administrative
Templates\\Network\\Microsoft Peer-to-Peer Networking Services\\Turn off Microsoft
Peer-to-Peer Networking Services."
compliance:
- cis: ["18.5.10.2"]
- cis_csc: ["9.1"]
- pci_dss: ["2.2.5"]
- tsc: ["CC6.3"]
references:
- 'CCE-37699-6'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Peernet -> Disabled -> 1'

# 18.5.11.2 (L1) Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled' (Scored)
- id: 16623
title: "Ensure 'Prohibit installation and configuration of Network Bridge on
your DNS domain network' is set to 'Enabled'"
description: "This policy setting controls users' ability to install and configure a Network Bridge. The recommended state for this setting is: Enabled."
rationale: "The Network Bridge setting, if enabled, allows users to create a
Layer 2 Media Access Control (MAC) bridge, enabling them to connect two or more
physical network segments together. A Network Bridge thus allows a computer that
has connections to two different networks to share data between those networks. In
an enterprise managed environment, where there is a need to control network traffic
to only authorized paths, allowing users to create a Network Bridge increases the
risk and attack surface from the bridged network."
remediation: "To establish the recommended configuration via GP, set the
following UI path to Enabled: Computer Configuration\\Policies\\Administrative
Templates\\Network\\Network Connections\\Prohibit installation and configuration of
Network Bridge on your DNS domain network Note: This Group Policy path is provided
by the Group Policy template NetworkConnections.admx/adml that is included with all
versions of the Microsoft Windows Administrative Templates."
compliance:
- cis: ["18.5.11.2"]
- cis_csc: ["5.1"]
- pci_dss: ["1.3.5"]
- tsc: ["CC6.6"]
references:
- 'CCE-38002-2'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_AllowNetBridge_NLA -> 0'

# 18.5.11.3 (L1) Ensure 'Prohibit use of Internet Connection Sharing on your DNS domain network' is set to 'Enabled' (Scored)
- id: 16624
title: "Ensure 'Prohibit use of Internet Connection Sharing on your DNS domain
network' is set to 'Enabled'"
description: "Although this \"legacy\" setting traditionally applied to the use of Internet Connection Sharing (ICS) in Windows 2000, Windows XP & Server 2003, this setting now freshly applies to the Mobile Hotspot feature in Windows 10 & Server 2016. The recommended state for this setting is: Enabled."
rationale: "Non-administrators should not be able to turn on the Mobile Hotspot
feature and open their Internet connectivity up to nearby mobile devices."
remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Network Connections\\Prohibit use of Internet Connection Sharing on your DNS domain network Note: This Group Policy path is provided by the Group Policy template NetworkConnections.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
compliance:
- cis: ["18.5.11.3"]
- cis_csc: ["9.1"]
- pci_dss: ["1.3.5"]
- tsc: ["CC6.6"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_ShowSharedAccessUI -> 0'

# 18.5.11.4 (L1) Ensure 'Require domain users to elevate when setting a network's location' is set to 'Enabled' (Scored)
- id: 16625
title: "Ensure 'Require domain users to elevate when setting a network's
location' is set to 'Enabled'"
description: "This policy setting determines whether to require domain users to elevate when setting a network's location. The recommended state for this setting is: Enabled."
rationale: "Allowing regular users to set a network location increases the risk
and attack surface."
remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Network Connections\\Require domain users to elevate when setting a network's location Note: This Group Policy path may not exist by default. It is provided by the Group Policy template NetworkConnections.admx/adml that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer)."
compliance:
- cis: ["18.5.11.4"]
- cis_csc: ["5.1"]
- pci_dss: ["7.1"]
- tsc: ["CC6.4"]
references:
- 'CCE-38188-9'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_StdDomainUserSetLocation -> 1'

# 18.5.14.1 Ensure 'Hardened UNC Paths' is set to 'Enabled, with "Require Mutual Authentication" and "Require Integrity" set for all NETLOGON and SYSVOL shares'
- id: 16626
title: "Ensure 'Hardened UNC Paths' is set to 'Enabled, with \"Require Mutual
Authentication\" and \"Require Integrity\" set for all NETLOGON and SYSVOL shares'"
description: "This policy setting configures secure access to UNC paths. The recommended state for this setting is: Enabled, with \"Require Mutual Authentication\" and \"Require Integrity\" set for all NETLOGON and SYSVOL shares."
rationale: "In February 2015, Microsoft released a new control mechanism to mitigate a security risk in Group Policy as part of the MS15-011 / MSKB 3000483 security update. This mechanism requires both the installation of the new security update and also the deployment of specific group policy settings to all computers on the domain from Windows Vista / Server 2008 (non-R2) or newer (the associated security patch to enable this feature was not released for Server 2003). A new group policy template (NetworkProvider.admx/adml) was also provided with the security update. Once the new GPO template is in place, the following are the minimum requirements to remediate the Group Policy security risk: \\\\*\\NETLOGON RequireMutualAuthentication=1, RequireIntegrity=1 \\\\*\\SYSVOL RequireMutualAuthentication=1, RequireIntegrity=1"
remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled with the following paths configured, at a minimum: \\\\*\\NETLOGON RequireMutualAuthentication=1, RequireIntegrity=1 \\\\*\\SYSVOL RequireMutualAuthentication=1, RequireIntegrity=1 Computer Configuration\\Policies\\Administrative Templates\\Network\\Network Provider\\Hardened UNC Paths Note: This Group Policy path does not exist by default. An additional Group Policy template (NetworkProvider.admx/adml) is required."
compliance:
- cis: ["18.5.14.1"]
- cis_csc: ["3"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths -> \\*\NETLOGON -> r:RequireMutualAuthentication=1 && r:RequireIntegrity=1'
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths -> \\*\SYSVOL -> r:RequireMutualAuthentication=1 && r:RequireIntegrity=1'

  # Section 18.5.19.2 - Parameters

  # 18.5.19.2.1 (L2) Disable IPv6 (Ensure TCPIP6 Parameter 'DisabledComponents' is set to '0xff (255)') (Scored)
  - id: 16627
    title: "Disable IPv6 (Ensure TCPIP6 Parameter 'DisabledComponents' is set to '0xff (255)')"
    rationale: "Since the vast majority of private enterprise managed networks have no need to utilize IPv6 (because they have access to private IPv4 addressing), disabling IPv6 components reduces a possible attack surface that is also harder to monitor the traffic on."
    remediation: "To establish the recommended configuration, set the following Registry value to 0xff (255) (DWORD): HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\TCPIP6\\Parameters:DisabledComponents."
    compliance:
      - cis: ["18.5.19.2.1"]
      - cis_csc: ["9"]
      - pci_dss: ["2.2.2"]
      - nist_800_53: ["CM.1"]
      - tsc: ["CC5.2"]
    condition: all
    rules:
      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> DisabledComponents -> 255'

  # Section 18.5.20 - Windows Connect Now

  # 18.5.20.1 (L2) Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled' (Scored)
  - id: 16628
    title: "Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled'"
    description: "This policy setting allows the configuration of wireless settings using Windows Connect Now (WCN)."
    rationale: "This setting enhances the security of the environment and reduces the overall risk exposure related to user configuration of wireless settings."
    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Windows Connect Now\\Configuration of wireless settings using Windows Connect Now."
    compliance:
      - cis: ["18.5.20.1"]
      - cis_csc: ["15.4"]
      - pci_dss: ["2.2.5"]
      - tsc: ["CC6.3"]
    references:
      - 'CCE-37481-9'
    condition: all
    rules:
      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> EnableRegistrars -> 0'
      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableUPnPRegistrar -> 0'
      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableInBand802DOT11Registrar -> 0'
      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableFlashConfigRegistrar -> 0'
      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableWPDRegistrar -> 0'

  # 18.5.20.2 (L2) Ensure 'Prohibit access of the Windows Connect Now wizards' is set to 'Enabled' (Scored)
  - id: 16629
    title: "Ensure 'Prohibit access of the Windows Connect Now wizards' is set to 'Enabled'"
    description: "This policy setting prohibits access to Windows Connect Now (WCN) wizards."
    rationale: "Allowing standard users to access the Windows Connect Now wizard increases the risk and attack surface."
    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Windows Connect Now\\Prohibit access of the Windows Connect Now wizards."
    compliance:
      - cis: ["18.5.20.2"]
      - cis_csc: ["15.4"]
      - pci_dss: ["2.2.5"]
      - tsc: ["CC6.3"]
    references:
      - 'CCE-36109-7'
    condition: all
    rules:
      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\UI -> DisableWcnUi -> 1'

  # Section 18.5.21 - Windows Connection Manager

  # 18.5.21.1 (L1) Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to 'Enabled' (Scored)
  - id: 16630
    title: "Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to 'Enabled'"
    description: "This policy setting prevents computers from connecting to both a domain based network and a non-domain based network at the same time. The recommended state for this setting is: Enabled."
    rationale: "Blocking simultaneous connections can help prevent a user unknowingly allowing network traffic to flow between the Internet and the enterprise managed network."
    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Windows Connection Manager\\Minimize the number of simultaneous connections to the Internet or a Windows Domain Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WCM.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
    compliance:
      - cis: ["18.5.21.1"]
      - cis_csc: ["12"]
      - pci_dss: ["2.2.4"]
      - nist_800_53: ["CM.1"]
      - tsc: ["CC5.2"]
    references:
      - 'CCE-38338-0'
    condition: all
    rules:
      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy -> fMinimizeConnections'
      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy -> fMinimizeConnections -> n:(\d+) compare != 0'

  # 18.5.21.2 (L2) Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled' (MS only) (Scored)
  - id: 16631
    title: "Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled'"
    description: "This policy setting prevents computers from connecting to both a domain based network and a non-domain based network at the same time."
    rationale: "The potential concern is that a user would unknowingly allow network traffic to flow between the insecure public network and the enterprise managed network."
    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Windows Connection Manager\\Prohibit connection to non-domain networks when connected to domain authenticated network."
    compliance:
      - cis: ["18.5.21.2"]
      - cis_csc: ["12"]
      - pci_dss: ["1.3.4"]
      - tsc: ["CC6.6"]
    references:
      - 'CCE-37627-7'
    condition: all
    rules:
      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy -> fBlockNonDomain -> 1'

  ###############################################
  # 18.7 Start Menu and Taskbar
  ###############################################

  # 18.7.1.1 (L2) Ensure 'Turn off notifications network usage' is set to 'Enabled' (Scored)
  - id: 16632
    title: "Ensure 'Turn off notifications network usage' is set to 'Enabled'"
    description: "This policy setting blocks applications from using the network to send notifications to update tiles, tile badges, toast, or raw notifications. This policy setting turns off the connection between Windows and the Windows Push Notification Service (WNS). This policy setting also stops applications from being able to poll application services to update tiles. The recommended state for this setting is: Enabled."
    rationale: "Windows Push Notification Services (WNS) is a mechanism to receive 3rd-party notifications and updates from the cloud/Internet. In a high security environment, external systems, especially those hosted outside the organization, should be prevented from having an impact on the secure workstations."
    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Start Menu and Taskbar\\Turn off notifications network usage Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WPN.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
    compliance:
      - cis: ["18.7.1.1"]
      - cis_csc: ["13"]
      - pci_dss: ["2.2.5"]
      - tsc: ["CC6.3"]
    condition: all
    rules:
      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications -> NoCloudApplicationNotification -> 1'

  ###############################################
  # 18.8 System
  ###############################################
  ######################################
  # 18.8.3 Audit Process Creation
  ######################################
  - id: 16633
    title: "Ensure 'Include command line in process creation events' is set to 'Disabled'"
    description: "This policy setting determines what information is logged in security audit events when a new process has been created. The recommended state for this setting is: Disabled."
    rationale: "When this policy setting is enabled, any user who has read access to the security events can read the command-line arguments for any successfully created process. Command-line arguments may contain sensitive or private information such as passwords or user data."
    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Audit Process Creation\\Include command line in process creation events Note: This Group Policy path may not exist by default. It is provided by the Group Policy template AuditSettings.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
    compliance:
      - cis: ["18.8.3.1"]
      - cis_csc: ["16.14"]
      - pci_dss: ["8.2.1"]
      - tsc: ["CC6.1"]
    references:
      - 'CCE-36925-6'
    condition: all
    rules:
      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit -> ProcessCreationIncludeCmdLine_Enabled -> 0'

  ######################################
  # 18.8.4 Credentials Delegation
  ######################################
  # 18.8.4.1 (L1) Ensure 'Encryption Oracle Remediation' is set to 'Enabled: Force Updated Clients' (Scored)
  - id: 16634
    title: "Ensure 'Encryption Oracle Remediation' is set to 'Enabled: Force Updated Clients'"
    description: "Some versions of the CredSSP protocol that is used by some applications (such as Remote Desktop Connection) are vulnerable to an encryption oracle attack against the client. This policy controls compatibility with vulnerable clients and servers and allows you to set the level of protection desired for the encryption oracle vulnerability. The recommended state for this setting is: Enabled: Force Updated Clients."
    rationale: "This setting is important to mitigate the CredSSP encryption oracle vulnerability, for which information was published by Microsoft on 03/13/2018 in CVE-2018-0886 | CredSSP Remote Code Execution Vulnerability. All versions of Windows Server from Server 2008 (non-R2) onwards are affected by this vulnerability, and will be compatible with this recommendation provided that they have been patched up through May 2018 (or later)."
    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Force Updated Clients: Computer Configuration\\Policies\\Administrative Templates\\System\\Credentials Delegation\\Encryption Oracle Remediation Note: This Group Policy path may not exist by default. It is provided by the Group Policy template CredSsp.admx/adml that is included with the Microsoft Windows 10 Release 1803 Administrative Templates (or newer)."
    compliance:
      - cis: ["18.8.4.1"]
      - cis_csc: ["16"]
      - pci_dss: ["8.2.1"]
      - tsc: ["CC6.1"]
    condition: all
    rules:
      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters -> AllowEncryptionOracle -> 0'

  # 18.8.4.2 (L1) Ensure 'Remote host allows delegation of non-exportable credentials' is set to 'Enabled' (Scored)
  - id: 16635
    title: "Ensure 'Remote host allows delegation of non-exportable credentials' is set to 'Enabled'"
    description: "Remote host allows delegation of non-exportable credentials. When using credential delegation, devices provide an exportable version of credentials to the remote host. This exposes users to the risk of credential theft from attackers on the remote host. The Restricted Admin Mode and Windows Defender Remote Credential Guard features are two options to help protect against this risk. The recommended state for this setting is: Enabled."
    rationale: "Restricted Admin Mode was designed to help protect administrator accounts by ensuring that reusable credentials are not stored in memory on remote devices that could potentially be compromised. Windows Defender Remote Credential Guard helps you protect your credentials over a Remote Desktop connection by redirecting Kerberos requests back to the device that is requesting the connection. Both features should be enabled and supported, as they reduce the chance of credential theft."
    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Credentials Delegation\\Remote host allows delegation of non-exportable credentials Note: This Group Policy path may not exist by default. It is provided by the Group Policy template CredSsp.admx/adml that is included with the Microsoft Windows 10 Release 1703 Administrative Templates (or newer)."
    compliance:
      - cis: ["18.8.4.2"]
      - cis_csc: ["16"]
      - pci_dss: ["8.2.1"]
      - tsc: ["CC6.1"]
    references:
      - 'https://docs.microsoft.com/en-us/windows/access-protection/remote-credential-guard'
    condition: all
    rules:
      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation -> AllowProtectedCreds -> 1'

  ##########################################
  # 18.8.14 Early Launch Antimalware
  ##########################################
  # 18.8.14.1 (L1) Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical' (Scored)
  - id: 16636
    title: "Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical'"
    description: "This policy setting allows you to specify which boot-start drivers are initialized based on a classification determined by an Early Launch Antimalware boot-start driver. The Early Launch Antimalware boot-start driver can return the following classifications for each boot-start driver: - Good: The driver has been signed and has not been tampered with. - Bad: The driver has been identified as malware. It is recommended that you do not allow known bad drivers to be initialized. - Bad, but required for boot: The driver has been identified as malware, but the computer cannot successfully boot without loading this driver. - Unknown: This driver has not been attested to by your malware detection application and has not been classified by the Early Launch Antimalware boot-start driver. If you enable this policy setting you will be able to choose which boot-start drivers to initialize the next time the computer is started. If your malware detection application does not include an Early Launch Antimalware boot-start driver or if your Early Launch Antimalware boot-start driver has been disabled, this setting has no effect and all boot-start drivers are initialized. The recommended state for this setting is: Enabled: Good, unknown and bad but critical."
    rationale: "This policy setting helps reduce the impact of malware that has already infected your system."
    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Good, unknown and bad but critical: Computer Configuration\\Policies\\Administrative Templates\\System\\Early Launch Antimalware\\Boot-Start Driver Initialization Policy Note: This Group Policy path may not exist by default. It is provided by the Group Policy template EarlyLaunchAM.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
    compliance:
      - cis: ["18.8.14.1"]
      - cis_csc: ["8"]
      - pci_dss: ["5.1.1"]
      - nist_800_53: ["SI.3"]
      - tsc: ["CC6.8"]
    references:
      - 'CCE-37912-3'
    condition: all
    rules:
      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\EarlyLaunch -> DriverLoadPolicy -> 3'

  # 18.8.21.2 (L1) Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE' (Scored)
  - id: 16637
    title: "Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE'"
    description: "The 'Do not apply during periodic background processing' option prevents the system from updating affected policies in the background while the computer is in use. When background updates are disabled, policy changes will not take effect until the next user logon or system restart. The recommended state for this setting is: Enabled: FALSE (unchecked)."
    rationale: "Setting this option to false (unchecked) will ensure that domain policy changes take effect more quickly, as compared to waiting until the next user logon or system restart."
    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled, then set the Do not apply during periodic background processing option to FALSE (unchecked): Computer Configuration\\Policies\\Administrative Templates\\System\\Group Policy\\Configure registry policy processing Note: This Group Policy path may not exist by default. It is provided by the Group Policy template GroupPolicy.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
    compliance:
      - cis: ["18.8.21.2"]
      - cis_csc: ["3.7"]
      - pci_dss: ["2.2.4"]
      - nist_800_53: ["CM.1"]
      - tsc: ["CC5.2"]
    references:
      - 'CCE-36169-1'
    condition: all
    rules:
      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> NoBackgroundPolicy -> 0'

  # 18.8.21.3 (L1) Ensure 'Configure registry policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE' (Scored)
  - id: 16638
    title: "Ensure 'Configure registry policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE'"
    description: "The 'Process even if the Group Policy objects have not changed' option updates and reapplies policies even if the policies have not changed. The recommended state for this setting is: Enabled: TRUE (checked)."
    rationale: "Setting this option to true (checked) will ensure unauthorized changes that might have been configured locally are forced to match the domain-based Group Policy settings again."
    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled, then set the Process even if the Group Policy objects have not changed option to TRUE (checked): Computer Configuration\\Policies\\Administrative Templates\\System\\Group Policy\\Configure registry policy processing Note: This Group Policy path may not exist by default. It is provided by the Group Policy template GroupPolicy.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
    compliance:
      - cis: ["18.8.21.3"]
      - cis_csc: ["3.7"]
      - pci_dss: ["11.5.1"]
      - tsc: ["PI1.4","PI1.5","CC6.1","CC6.8","CC7.2","CC7.3","CC7.4"]
    references:
      - 'CCE-36169-1'
    condition: all
    rules:
      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> NoGPOListChanges -> 0'

  # 18.8.21.4 (L1) Ensure 'Continue experiences on this device' is set to 'Disabled' (Scored)
  - id: 16639
    title: "Ensure 'Continue experiences on this device' is set to 'Disabled'"
    description: "This policy setting determines whether the Windows device is allowed to participate in cross-device experiences (continue experiences). The recommended state for this setting is: Disabled."
    rationale: "A cross-device experience is when a system can access apps on and send messages to other devices. In an enterprise managed environment only trusted systems should be communicating within the network. Access to any other system should be prohibited."
    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Group Policy\\Continue experiences on this device Note: This Group Policy path may not exist by default. It is provided by the Group Policy template GroupPolicy.admx/adml that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer)."
    compliance:
      - cis: ["18.8.21.4"]
      - cis_csc: ["9.1"]
      - pci_dss: ["6.5.8"]
      - nist_800_53: ["SA.11","AU.14","AC.7"]
      - gdpr_IV: ["35.7.d"]
      - hipaa: ["164.312.b"]
      - tsc: ["CC6.1"]
    condition: all
    rules:
      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnableCdp -> 0'

  # 18.8.21.5 (L1) Ensure 'Turn off background refresh of Group Policy' is set to 'Disabled' (Scored)
  - id: 16640
    title: "Ensure 'Turn off background refresh of Group Policy' is set to 'Disabled'"
    description: "This policy setting prevents Group Policy from being updated while the computer is in use. This policy setting applies to Group Policy for computers, users and Domain Controllers. The recommended state for this setting is: Disabled."
    rationale: "This setting ensures that group policy changes take effect more quickly, as compared to waiting until the next user logon or system restart."
    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Group Policy\\Turn off background refresh of Group Policy Note: This Group Policy path is provided by the Group Policy template GroupPolicy.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
    compliance:
      - cis: ["18.8.21.5"]
      - cis_csc: ["3.7"]
      - pci_dss: ["2.2.4"]
      - nist_800_53: ["CM.1"]
      - tsc: ["CC5.2"]
    references:
      - 'CCE-37712-7'
    condition: all
    rules:
      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableBkGndGroupPolicy'

  # 18.8.22.1.1 (L1) Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled' (Scored)
  - id: 16641
    title: "Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'"
    description: "This policy setting controls whether the computer can download print driver packages over HTTP. To set up HTTP printing, printer drivers that are not available in the standard operating system installation might need to be downloaded over HTTP. The recommended state for this setting is: Enabled."
    rationale: "Users might download drivers that include malicious code."
    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off downloading of print drivers over HTTP Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
    compliance:
      - cis: ["18.8.22.1.1"]
      - cis_csc: ["2"]
      - pci_dss: ["2.2.4"]
      - nist_800_53: ["CM.1"]
      - tsc: ["CC5.2"]
    references:
      - 'CCE-36625-2'
    condition: all
    rules:
      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableWebPnPDownload -> 1'

  # 18.8.22.1.2 (L2) Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled' (Scored)
  - id: 16642
    title: "Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled'"
    description: "This setting turns off data sharing from the handwriting recognition personalization tool. The handwriting recognition personalization tool enables Tablet PC users to adapt handwriting recognition to their own writing style by providing writing samples. The tool can optionally share user writing samples with Microsoft to improve handwriting recognition in future versions of Windows. The tool generates reports and transmits them to Microsoft over a secure connection. The recommended state for this setting is: Enabled."
    rationale: "A person's handwriting is Personally Identifiable Information (PII), especially when it comes to your signature. As such, it is unacceptable in many environments to automatically upload PII to a website without explicit approval by the user."
    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off handwriting personalization data sharing. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template ShapeCollector.admx/adml that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer)."
    compliance:
      - cis: ["18.8.22.1.2"]
      - cis_csc: ["13"]
      - pci_dss: ["2.2.5"]
      - tsc: ["CC6.3"]
    references:
      - 'CCE-37911-5'
    condition: all
    rules:
      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> PreventHandwritingDataSharing -> 1'

  # 18.8.22.1.3 (L2) Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled' (Scored)
  - id: 16643
    title: "Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'"
    description: "Turns off the handwriting recognition error reporting tool. The handwriting recognition error reporting tool enables users to report errors encountered in Tablet PC Input Panel. The tool generates error reports and transmits them to Microsoft over a secure connection. Microsoft uses these error reports to improve handwriting recognition in future versions of Windows. The recommended state for this setting is: Enabled."
    rationale: "A person's handwriting is Personally Identifiable Information (PII), especially when it comes to your signature. As such, it is unacceptable in many environments to automatically upload PII to a website without explicit approval by the user."
    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off handwriting recognition error reporting. Note: This Group Policy path is provided by the Group Policy template InkWatson.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
    compliance:
      - cis: ["18.8.22.1.3"]
      - cis_csc: ["13"]
      - pci_dss: ["2.2.5"]
      - tsc: ["CC6.3"]
    references:
      - 'CCE-36203-8'
    condition: all
    rules:
      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> PreventHandwritingErrorReports -> 1'

  # 18.8.22.1.4 (L2) Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled' (Scored)
  - id: 16644
    title: "Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'"
    description: "This policy setting specifies whether the Internet Connection Wizard can connect to Microsoft to download a list of Internet Service Providers (ISPs). The recommended state for this setting is: Enabled."
    rationale: "In an enterprise managed environment we want to lower the risk of a user unknowingly exposing sensitive data."
    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com. Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
    compliance:
      - cis: ["18.8.22.1.4"]
      - cis_csc: ["13"]
      - pci_dss: ["2.2.5"]
      - tsc: ["CC6.3"]
    references:
      - 'CCE-37163-3'
    condition: all
    rules:
      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> ExitOnMSICW -> 1'

  # 18.8.22.1.5 (L1) Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled' (Scored)
  - id: 16645
    title: "Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'"
    description: "This policy setting controls whether Windows will download a list of providers for the Web publishing and online ordering wizards. The recommended state for this setting is: Enabled."
    rationale: "Although the risk is minimal, enabling this setting will reduce the possibility of a user unknowingly downloading malicious content through this feature."
    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Internet download for Web publishing and online ordering wizards Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
    compliance:
      - cis: ["18.8.22.1.5"]
      - cis_csc: ["7"]
      - pci_dss: ["2.2.5"]
      - tsc: ["CC6.3"]
    references:
      - 'CCE-36096-6'
    condition: all
    rules:
      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoWebServices -> 1'

  # 18.8.22.1.6 (L1) Ensure 'Turn off printing over HTTP' is set to 'Enabled' (Scored)
  - id: 16646
    title: "Ensure 'Turn off printing over HTTP' is set to 'Enabled'"
    description: "This policy setting allows you to disable the client computer's ability to print over HTTP, which allows the computer to print to printers on the intranet as well as the Internet. The recommended state for this setting is: Enabled."
    rationale: "Information that is transmitted over HTTP through this capability is not protected and can be intercepted by malicious users. For this reason, it is not often used in enterprise managed environments."
    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off printing over HTTP Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
    compliance:
      - cis: ["18.8.22.1.6"]
      - cis_csc: ["13.1"]
      - pci_dss: ["2.2.5"]
      - tsc: ["CC6.3"]
    references:
      - 'CCE-36920-7'
    condition: all
    rules:
      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableHTTPPrinting -> 1'

  # 18.8.22.1.7 (L2) Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled' (Scored)
  - id: 16647
    title: "Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'"
    description: "This policy setting specifies whether the Windows Registration Wizard connects to Microsoft.com for online registration. The recommended state for this setting is: Enabled."
    rationale: "Users in an enterprise managed environment should not be registering their own copies of Windows, providing their own PII in the process."
    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Registration if URL connection is referring to Microsoft.com. Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
    compliance:
      - cis: ["18.8.22.1.7"]
      - pci_dss: ["2.2.5"]
      - tsc: ["CC6.3"]
    references:
      - 'CCE-36352-3'
    condition: all
    rules:
      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Registration Wizard Control -> NoRegistration -> 1'

# 18.8.22.1.8 (L2) Ensure 'Turn off Search Companion content file updates' is set to 'Enabled' (Scored)
- id: 16648
title: "Ensure 'Turn off Search Companion content file updates' is set to
'Enabled'"
description: "This policy setting specifies whether Search Companion should
automatically download content updates during local and Internet searches. The
recommended state for this setting is: Enabled."
rationale: "There is a small risk that users will unknowingly reveal sensitive
information because of the topics they are searching for. This risk is very low
because even if this setting is enabled users still must submit search queries to
the desired search engine in order to perform searches."
remediation: "To establish the recommended configuration via GP, set the
following UI path to Enabled: Computer Configuration\\Policies\\Administrative
Templates\\System\\Internet Communication Management\\Internet Communication
settings\\Turn off Search Companion content file updates. Note: This Group Policy
path is provided by the Group Policy template ICM.admx/adml that is included with
all versions of the Microsoft Windows Administrative Templates."
compliance:
- cis: ["18.8.22.1.8"]
- cis_csc: ["13"]
- pci_dss: ["2.2.5"]
- tsc: ["CC6.3"]
references:
- 'CCE-36884-5'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion ->
DisableContentFileUpdates -> 1'

# 18.8.22.1.9 (L2) Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled' (Scored)
- id: 16649
title: "Ensure 'Turn off the \"Order Prints\" picture task' is set to
'Enabled'"
description: "This policy setting specifies whether the \"Order Prints Online\"
task is available from Picture Tasks in Windows folders. The Order Prints Online
Wizard is used to download a list of providers and allow users to order prints
online. The recommended state for this setting is: Enabled."
rationale: "In an enterprise managed environment we want to lower the risk of a
user unknowingly exposing sensitive data."
remediation: "To establish the recommended configuration via GP, set the
following UI path to Enabled: Computer Configuration\\Policies\\Administrative
Templates\\System\\Internet Communication Management\\Internet Communication
settings\\Turn off the \"Order Prints\" picture task. Note: This Group Policy path
is provided by the Group Policy template ICM.admx/adml that is included with all
versions of the Microsoft Windows Administrative Templates."
compliance:
- cis: ["18.8.22.1.9"]
- cis_csc: ["13"]
- pci_dss: ["2.2.5"]
- tsc: ["CC6.3"]
references:
- 'CCE-38275-4'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\
Explorer -> NoOnlinePrintsWizard -> 1'

# 18.8.22.1.10 (L2) Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled' (Scored)
- id: 16650
title: "Ensure 'Turn off the \"Publish to Web\" task for files and folders' is
set to 'Enabled'"
description: "This policy setting specifies whether the tasks Publish this file
to the Web, Publish this folder to the Web, and Publish the selected items to the
Web are available from File and Folder Tasks in Windows folders. The Web Publishing
wizard is used to download a list of providers and allow users to publish content
to the Web. The recommended state for this setting is: Enabled."
rationale: "Users may publish confidential or sensitive information to a public
service outside of the control of the organization."
remediation: "To establish the recommended configuration via GP, set the
following UI path to Enabled: Computer Configuration\\Policies\\Administrative
Templates\\System\\Internet Communication Management\\Internet Communication
settings\\Turn off the \"Publish to Web\" task for files and folders Note: This
Group Policy path is provided by the Group Policy template ICM.admx/adml that is
included with all versions of the Microsoft Windows Administrative Templates."
compliance:
- cis: ["18.8.22.1.10"]
- cis_csc: ["13"]
- pci_dss: ["2.2.5"]
- tsc: ["CC6.3"]
references:
- 'CCE-37090-8'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\
Explorer -> NoPublishingWizard -> 1'

# 18.8.22.1.11 (L2) Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled' (Scored)
- id: 16651
title: "Ensure 'Turn off the Windows Messenger Customer Experience Improvement
Program' is set to 'Enabled'"
description: "This policy setting specifies whether Windows Messenger can
collect anonymous information about how the Windows Messenger software and service
is used. Microsoft uses information collected through the Customer Experience
Improvement Program to detect software flaws so that they can be corrected more
quickly, enabling this setting will reduce the amount of data Microsoft is able to
gather for this purpose. The recommended state for this setting is: Enabled."
rationale: "Large enterprise managed environments may not want to have
information collected by Microsoft from managed client computers."
remediation: "To establish the recommended configuration via GP, set the
following UI path to Enabled: Computer Configuration\\Policies\\Administrative
Templates\\System\\Internet Communication Management\\Internet Communication
settings\\Turn off the Windows Messenger Customer Experience Improvement Program.
Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml
that is included with all versions of the Microsoft Windows Administrative
Templates."
compliance:
- cis: ["18.8.22.1.11"]
- cis_csc: ["13"]
- pci_dss: ["2.2.5"]
- tsc: ["CC6.3"]
references:
- 'CCE-36628-6'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> CEIP
-> 2'

# 18.8.22.1.12 (L2) Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled' (Scored)
- id: 16652
title: "Ensure 'Turn off Windows Customer Experience Improvement Program' is
set to 'Enabled'"
description: "This policy setting specifies whether Windows Messenger can
collect anonymous information about how the Windows Messenger software and service
is used. Microsoft uses information collected through the Windows Customer
Experience Improvement Program to detect software flaws so that they can be
corrected more quickly, enabling this setting will reduce the amount of data
Microsoft is able to gather for this purpose. The recommended state for this
setting is: Enabled."
rationale: "Large enterprise managed environments may not want to have
information collected by Microsoft from managed client computers."
remediation: "To establish the recommended configuration via GP, set the
following UI path to Enabled: Computer Configuration\\Policies\\Administrative
Templates\\System\\Internet Communication Management\\Internet Communication
settings\\Turn off Windows Customer Experience Improvement Program. Note: This
Group Policy path is provided by the Group Policy template ICM.admx/adml that is
included with all versions of the Microsoft Windows Administrative Templates."
compliance:
- cis: ["18.8.22.1.12"]
- cis_csc: ["13"]
- pci_dss: ["2.2.5"]
- tsc: ["CC6.3"]
references:
- 'CCE-36174-1'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows ->
CEIPEnable -> 0'

# 18.8.22.1.13 (L2) Ensure 'Turn off Windows Error Reporting' is set to 'Enabled' (Scored)
- id: 16653
title: "Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'"
description: "This policy setting controls whether or not errors are reported
to Microsoft. Error Reporting is used to report information about a system or
application that has failed or has stopped responding and is used to improve the
quality of the product. The recommended state for this setting is: Enabled."
rationale: "If a Windows Error occurs in a secure, enterprise managed
environment, the error should be reported directly to IT staff for troubleshooting
and remediation. There is no benefit to the corporation to report these errors
directly to Microsoft, and there is some risk of unknowingly exposing sensitive
data as part of the error."
remediation: "To establish the recommended configuration via GP, set the
following UI path to Enabled: Computer Configuration\\Policies\\Administrative
Templates\\System\\Internet Communication Management\\Internet Communication
settings\\Turn off Windows Error Reporting. Note: This Group Policy path is
provided by the Group Policy template ICM.admx/adml that is included with all
versions of the Microsoft Windows Administrative Templates."
compliance:
- cis: ["18.8.22.1.13"]
- cis_csc: ["13"]
- pci_dss: ["2.2.5"]
- tsc: ["CC6.3"]
references:
- 'CCE-35964-6'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error
Reporting -> Disabled -> 1'

######################################
# 18.8.25 Kerberos
######################################
# 18.8.25.1 (L2) Ensure 'Support device authentication using certificate' is set to 'Enabled: Automatic' (Scored)
- id: 16654
title: "Ensure 'Support device authentication using certificate' is set to
'Enabled: Automatic'"
description: "This policy setting allows you to set support for Kerberos to
attempt authentication using the certificate for the device to the domain. Support
for device authentication using certificate will require connectivity to a DC in
the device account domain which supports certificate authentication for computer
accounts. The recommended state for this setting is: Enabled: Automatic ."
rationale: "Having stronger device authentication with the use of certificates
is strongly encouraged over standard username and password authentication. Having
this set to Automatic will allow certificate based authentication to be used
whenever possible."
remediation: "To establish the recommended configuration via GP, set the
following UI path to Enabled: Automatic : Computer Configuration\\Policies\\
Administrative Templates\\System\\Kerberos\\Support device authentication using
certificate Note: This Group Policy path may not exist by default. It is provided
by the Group Policy template Kerberos.admx/adml that is included with the Microsoft
Windows 10 RTM (Release 1507) Administrative Templates (or newer)."
compliance:
- cis: ["18.8.25.1"]
- cis_csc: ["1.6"]
- pci_dss: ["4.1"]
- hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
- nist_800_53: ["SC.8"]
- tsc: ["CC6.1","CC6.7","CC7.2"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\
System\kerberos\parameters -> DevicePKInitBehavior -> 0'
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\
System\kerberos\parameters -> DevicePKInitEnabled -> 1'

# 18.8.26.1 (L1) Ensure 'Enumeration policy for external devices incompatible with Kernel DMA Protection' is set to 'Enabled: Block All' (Scored)
- id: 16655
title: "Ensure 'Enumeration policy for external devices incompatible with
Kernel DMA Protection' is set to 'Enabled: Block All'"
description: "This policy is intended to provide additional security against
external DMA-capable devices. It allows for more control over the enumeration of
external DMA-capable devices that are not compatible with DMA Remapping/device
memory isolation and sandboxing. The recommended state for this setting is:
Enabled: Block All . Note: This policy does not apply to 1394, PCMCIA or
ExpressCard devices. The protection also only applies to Windows 10 R1803 or
higher, and also requires a UEFI BIOS to function."
rationale: "Device memory sandboxing allows the OS to leverage the I/O Memory
Management Unit (IOMMU) of a device to block unpermitted I/O, or memory access, by
the peripheral."
remediation: "To establish the recommended configuration via GP, set the
following UI path to Enabled: Block All : Computer Configuration\\Policies\\
Administrative Templates\\System\\Kernel DMA Protection\\Enumeration policy for
external devices incompatible with Kernel DMA Protection Note: This Group Policy
path may not exist by default. It is provided by the Group Policy template
DmaGuard.admx/adml that is included with the Microsoft Windows 10 Release 1809 &
Server 2019 Administrative Templates (or newer)."
compliance:
- cis: ["18.8.26.1"]
- cis_csc: ["13.1"]
- pci_dss: ["2.2.5"]
- tsc: ["CC6.3"]
references:
- 'CCE-36920-7'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Kernel DMA
Protection -> DeviceEnumerationPolicy -> 0'

#######################################
# 18.8.27 Locale Services
#######################################
# 18.8.27.1 (L2) Ensure 'Disallow copying of user input methods to the system account for sign-in' is set to 'Enabled' (Scored)
- id: 16656
title: "Ensure 'Disallow copying of user input methods to the system account
for sign-in' is set to 'Enabled'"
description: "This policy prevents automatic copying of user input methods to
the system account for use on the sign-in screen. The user is restricted to the set
of input methods that are enabled in the system account. The recommended state for
this setting is: Enabled."
rationale: "This is a way to increase the security of the system account."
remediation: "To establish the recommended configuration via GP, set the
following UI path to Enabled: Computer Configuration\\Policies\\Administrative
Templates\\System\\Locale Services\\Disallow copying of user input methods to the
system account for sign-in. Note: This Group Policy path may not exist by default.
It is provided by the Group Policy template Globalization.admx/adml that is
included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative
Templates (or newer)."
compliance:
- cis: ["18.8.27.1"]
- cis_csc: ["16.5"]
- pci_dss: ["2.2.5"]
- tsc: ["CC6.3"]
references:
- 'CCE-36343-2'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Control Panel\
International -> BlockUserInputMethodsForSignIn -> 1'

################################################
# 18.8.28 Logon
################################################
# 18.8.28.1 (L1) Ensure 'Block user from showing account details on sign-in' is set to 'Enabled' (Scored)
- id: 16657
title: "Ensure 'Block user from showing account details on sign-in' is set to
'Enabled'"
description: "This policy prevents the user from showing account details (email
address or user name) on the sign-in screen. The recommended state for this setting
is: Enabled ."
rationale: "An attacker with access to the console (for example, someone with
physical access or someone who is able to connect to the server through Remote
Desktop Services) could view the name of the last user who logged on to the server.
The attacker could then try to guess the password, use a dictionary, or use a
brute-force attack to try and log on."
remediation: "To establish the recommended configuration via GP, set the
following UI path to Enabled : Computer Configuration\\Policies\\Administrative
Templates\\System\\Logon\\Block user from showing account details on sign-in Note:
This Group Policy path may not exist by default. It is provided by the Group Policy
template Logon.admx/adml that is included with the Microsoft Windows 10 Release
1607 & Server 2016 Administrative Templates (or newer)."
compliance:
- cis: ["18.8.28.1"]
- cis_csc: ["16.5"]
- pci_dss: ["2.2.5"]
- tsc: ["CC6.3"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System ->
BlockUserFromShowingAccountDetailsOnSignin -> 1'

# 18.8.28.2 (L1) Ensure 'Do not display network selection UI' is set to 'Enabled' (Scored)
- id: 16658
title: "Ensure 'Do not display network selection UI' is set to 'Enabled'"
description: "This policy setting allows you to control whether anyone can
interact with available networks UI on the logon screen. The recommended state for
this setting is: Enabled."
rationale: "An unauthorized user could disconnect the PC from the network or
can connect the PC to other available networks without signing into Windows."
remediation: "To establish the recommended configuration via GP, set the
following UI path to Enabled: Computer Configuration\\Policies\\Administrative
Templates\\System\\Logon\\Do not display network selection UI Note: This Group
Policy path may not exist by default. It is provided by the Group Policy template
Logon.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2
Administrative Templates (or newer)."
compliance:
- cis: ["18.8.28.2"]
- cis_csc: ["5"]
- pci_dss: ["2.2.5"]
- tsc: ["CC6.3"]
references:
- 'CCE-38353-9'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System ->
DontDisplayNetworkSelectionUI -> 1'

# 18.8.28.3 (L1) Ensure 'Do not enumerate connected users on domain-joined computers' is set to 'Enabled' (Scored)
- id: 16659
title: "Ensure 'Do not enumerate connected users on domain-joined computers' is
set to 'Enabled'"
description: "This policy setting prevents connected users from being
enumerated on domain-joined computers. The recommended state for this setting is:
Enabled."
rationale: "A malicious user could use this feature to gather account names of
other users, that information could then be used in conjunction with other types of
attacks such as guessing passwords or social engineering. The value of this
countermeasure is small because a user with domain credentials could gather the
same account information using other methods."
remediation: "To establish the recommended configuration via GP, set the
following UI path to Enabled: Computer Configuration\\Policies\\Administrative
Templates\\System\\Logon\\Do not enumerate connected users on domain-joined
computers Note: This Group Policy path may not exist by default. It is provided by
the Group Policy template Logon.admx/adml that is included with the Microsoft
Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
compliance:
- cis: ["18.8.28.3"]
- cis_csc: ["16.9"]
- pci_dss: ["2.2.5"]
references:
- 'CCE-37838-0'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System ->
DontEnumerateConnectedUsers -> 1'

# 18.8.28.4 (L1) Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled' (MS only) (Scored)
- id: 16660
title: "Ensure 'Enumerate local users on domain-joined computers' is set to
'Disabled'"
description: "This policy setting allows local users to be enumerated on
domain-joined computers. The recommended state for this setting is: Disabled."
rationale: "A malicious user could use this feature to gather account names of
other users, that information could then be used in conjunction with other types of
attacks such as guessing passwords or social engineering. The value of this
countermeasure is small because a user with domain credentials could gather the
same account information using other methods."
remediation: "To establish the recommended configuration via GP, set the
following UI path to Disabled: Computer Configuration\\Policies\\Administrative
Templates\\System\\Logon\\Enumerate local users on domain-joined computers Note:
This Group Policy path may not exist by default. It is provided by the Group Policy
template Logon.admx/adml that is included with the Microsoft Windows 8.0 & Server
2012 (non-R2) Administrative Templates (or newer)."
compliance:
- cis: ["18.8.28.4"]
- cis_csc: ["16.9"]
- pci_dss: ["2.2.5"]
- tsc: ["CC6.3"]
references:
- 'CCE-35894-5'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System ->
EnumerateLocalUsers -> 0'

# 18.8.28.5 (L1) Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled' (Scored)
- id: 16661
title: "Ensure 'Turn off app notifications on the lock screen' is set to
'Enabled'"
description: "This policy setting allows you to prevent app notifications from
appearing on the lock screen. The recommended state for this setting is: Enabled."
rationale: "App notifications might display sensitive business or personal
data."
remediation: "To establish the recommended configuration via GP, set the
following UI path to Enabled: Computer Configuration\\Policies\\Administrative
Templates\\System\\Logon\\Turn off app notifications on the lock screen Note: This
Group Policy path may not exist by default. It is provided by the Group Policy
template Logon.admx/adml that is included with the Microsoft Windows 8.0 & Server
2012 (non-R2) Administrative Templates (or newer)."
compliance:
- cis: ["18.8.28.5"]
- cis_csc: ["16.5"]
- pci_dss: ["2.2.5"]
- tsc: ["CC6.3"]
references:
- 'CCE-35893-7'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System ->
DisableLockScreenAppNotifications -> 1'

# 18.8.28.6 (L1) Ensure 'Turn off picture password sign-in' is set to 'Enabled' (Scored)
- id: 16662
title: "Ensure 'Turn off picture password sign-in' is set to 'Enabled'"
description: "This policy setting allows you to control whether a domain user
can sign in using a picture password. The recommended state for this setting is:
Enabled . Note: If the picture password feature is permitted, the user's domain
password is cached in the system vault when using it."
rationale: "Picture passwords bypass the requirement for a typed complex
password. In a shared work environment, a simple shoulder surf where someone
observed the on-screen gestures would allow that person to gain access to the
system without the need to know the complex password. Vertical monitor screens with
an image are much more visible at a distance than horizontal key strokes,
increasing the likelihood of a successful observation of the mouse gestures."
remediation: "To establish the recommended configuration via GP, set the
following UI path to Enabled : Computer Configuration\\Policies\\Administrative
Templates\\System\\Logon\\Turn off picture password sign-in Note: This Group Policy
path may not exist by default. It is provided by the Group Policy template
CredentialProviders.admx/adml that is included with the Microsoft Windows 8.0 &
Server 2012 (non-R2) Administrative Templates (or newer)."
compliance:
- cis: ["18.8.28.6"]
- cis_csc: ["16.5"]
- pci_dss: ["8.2"]
- tsc: ["CC6.1"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System ->
BlockDomainPicturePassword -> 1'

# 18.8.28.7 (L1) Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled' (Scored)
- id: 16663
title: "Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled'"
description: "This policy setting allows you to control whether a domain user
can sign in using a convenience PIN. In Windows 10, convenience PIN was replaced
with Passport, which has stronger security properties. To configure Passport for
domain users, use the policies under Computer Configuration\\Administrative
Templates\\Windows Components\\Microsoft Passport for Work. Note: The user's domain
password will be cached in the system vault when using this feature. The
recommended state for this setting is: Disabled."
rationale: "A PIN is created from a much smaller selection of characters than a
password, so in most cases a PIN will be much less robust than a password."
remediation: "To establish the recommended configuration via GP, set the
following UI path to Disabled: Computer Configuration\\Policies\\Administrative
Templates\\System\\Logon\\Turn on convenience PIN sign-in Note: This Group Policy
path may not exist by default. It is provided by the Group Policy template
CredentialProviders.admx/adml that is included with the Microsoft Windows 8.0 &
Server 2012 (non-R2) Administrative Templates (or newer). Note #2: In older
Microsoft Windows Administrative Templates, this setting was initially named Turn
on PIN sign-in, but it was renamed starting with the Windows 10 Release 1511
Administrative Templates."
compliance:
- cis: ["18.8.28.7"]
- cis_csc: ["16.5"]
- pci_dss: ["8.2"]
- tsc: ["CC6.1"]
references:
- 'CCE-37528-7'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System ->
AllowDomainPINLogon -> 0'
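# Added example (not from the Wazuh policy file or the CIS benchmark): a small Python
# evaluator for the 'r:<key> -> <value name> -> <data>' rule syntax used by the Kerberos
# and Logon checks above, applying each check's condition across its rules against a
# constructed registry snapshot; the snapshot contents and helper names are assumptions.

```python
"""Evaluate Wazuh-SCA-style registry rules against a constructed registry snapshot.

The rule strings and check ids are copied from the policy above; the snapshot
values are made up for illustration and do not describe any real machine.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Snapshot shape: {key path: {value name: data}}. Keys and value names are
# casefolded because the Windows registry is case-insensitive (the policy itself
# writes 'kerberos\parameters' in lower case).
RegistrySnapshot = Dict[str, Dict[str, object]]


def make_snapshot(entries: Dict[str, Dict[str, object]]) -> RegistrySnapshot:
    return {k.casefold(): {n.casefold(): d for n, d in v.items()}
            for k, v in entries.items()}


@dataclass(frozen=True)
class RegistryRule:
    key: str         # e.g. HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System
    value_name: str  # e.g. DontDisplayNetworkSelectionUI
    expected: str    # data the benchmark expects, exactly as written in the rule


def parse_rule(rule: str) -> RegistryRule:
    """Split one 'r:<key> -> <value name> -> <data>' rule into its three fields."""
    if not rule.startswith("r:"):
        raise ValueError(f"not a registry rule: {rule!r}")
    parts = [p.strip() for p in rule[2:].split(" -> ")]
    if len(parts) != 3:
        raise ValueError(f"expected 'key -> value name -> data': {rule!r}")
    return RegistryRule(*parts)


def evaluate_rule(rule: RegistryRule, snapshot: RegistrySnapshot) -> Tuple[bool, str]:
    """A missing key or value fails: 'Not Configured' is never the recommended state."""
    values = snapshot.get(rule.key.casefold())
    if values is None:
        return False, f"key missing: {rule.key}"
    name = rule.value_name.casefold()
    if name not in values:
        return False, f"value not configured: {rule.value_name}"
    actual = values[name]
    if str(actual) != rule.expected:
        return False, f"{rule.value_name} is {actual!r}, expected {rule.expected}"
    return True, f"{rule.value_name} = {rule.expected}"


def evaluate_check(check: dict, snapshot: RegistrySnapshot) -> dict:
    """Combine rule results with the check's condition (all / any / none)."""
    results = [evaluate_rule(parse_rule(r), snapshot) for r in check["rules"]]
    outcomes = [ok for ok, _ in results]
    condition = check.get("condition", "all")
    if condition == "all":
        passed = all(outcomes)
    elif condition == "any":
        passed = any(outcomes)
    elif condition == "none":
        passed = not any(outcomes)
    else:
        raise ValueError(f"unknown condition {condition!r}")
    return {"id": check["id"], "title": check["title"], "passed": passed,
            "reasons": [msg for _, msg in results]}


def run_checks(checks: List[dict], snapshot: RegistrySnapshot) -> List[dict]:
    return [evaluate_check(c, snapshot) for c in checks]


LOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System"
KERB_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
            r"\Policies\System\kerberos\parameters")

# Checks taken from the policy above; 16654 needs both values (condition: all).
CHECKS = [
    {"id": 16654, "title": "Support device authentication using certificate",
     "condition": "all",
     "rules": [f"r:{KERB_KEY} -> DevicePKInitBehavior -> 0",
               f"r:{KERB_KEY} -> DevicePKInitEnabled -> 1"]},
    {"id": 16657, "title": "Block user from showing account details on sign-in",
     "condition": "all",
     "rules": [f"r:{LOGON_KEY} -> BlockUserFromShowingAccountDetailsOnSignin -> 1"]},
    {"id": 16658, "title": "Do not display network selection UI",
     "condition": "all",
     "rules": [f"r:{LOGON_KEY} -> DontDisplayNetworkSelectionUI -> 1"]},
    {"id": 16660, "title": "Enumerate local users on domain-joined computers",
     "condition": "all",
     "rules": [f"r:{LOGON_KEY} -> EnumerateLocalUsers -> 0"]},
]

# Constructed snapshot: one compliant value, one wrong value, one value absent,
# and a Kerberos key with only one of its two required values.
SNAPSHOT = make_snapshot({
    LOGON_KEY: {"DontDisplayNetworkSelectionUI": 1,   # compliant
                "EnumerateLocalUsers": 1},            # benchmark wants 0
    KERB_KEY: {"DevicePKInitBehavior": 0},            # DevicePKInitEnabled missing
})

if __name__ == "__main__":
    for r in run_checks(CHECKS, SNAPSHOT):
        print(r["id"], "PASS" if r["passed"] else "FAIL", "; ".join(r["reasons"]))
```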

#######################################
# 18.8.31 OS Policies
#######################################
# 18.8.31.1 (L2) Ensure 'Allow Clipboard synchronization across devices' is set to 'Disabled' (Scored)
- id: 16664
title: "Ensure 'Allow Clipboard synchronization across devices' is set to
'Disabled'"
description: "This policy setting determines whether Clipboard contents can be
synchronized across devices. The recommended state for this setting is: Disabled ."
rationale: "Due to privacy concerns, clipboard data should stay local to the
system and not synced across devices."
remediation: "To establish the recommended configuration via GP, set the
following UI path to Disabled: Computer Configuration\\Policies\\Administrative
Templates\\System\\OS Policies\\Allow Clipboard synchronization across devices"
compliance:
- cis: ["18.8.31.1"]
- cis_csc: ["13"]
- pci_dss: ["2.2.5"]
- tsc: ["CC6.3"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System ->
AllowCrossDeviceClipboard -> 0'

# 18.8.31.2 (L2) Ensure 'Allow upload of User Activities' is set to 'Disabled' (Scored)
- id: 16665
title: "Ensure 'Allow upload of User Activities' is set to 'Disabled'"
description: "This policy setting determines whether published User Activities
can be uploaded to the cloud. The recommended state for this setting is:
Disabled ."
rationale: "Due to privacy concerns, data should never be sent to any 3rd party
since this data could contain sensitive information."
remediation: "To establish the recommended configuration via GP, set the
following UI path to Disabled : Computer Configuration\\Policies\\Administrative
Templates\\System\\OS Policies\\Allow upload of User Activities"
compliance:
- cis: ["18.8.31.2"]
- cis_csc: ["13"]
- pci_dss: ["2.2.5"]
- tsc: ["CC6.3"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System ->
UploadUserActivities -> 0'

#######################################
# 18.8.34 Power Management
#######################################
#######################################
# 18.8.34.6 Sleep Settings
#######################################
# 18.8.34.6.1 (L2) Ensure 'Allow network connectivity during connected-standby (on battery)' is set to 'Disabled' (Scored)
- id: 16666
title: "Ensure 'Allow network connectivity during connected-standby (on
battery)' is set to 'Disabled'"
description: "This policy setting allows you to control the network
connectivity state in standby on modern standby-capable systems. The recommended
state for this setting is: Disabled ."
rationale: "Disabling this setting ensures that the computer will not be
accessible to attackers over a WLAN network while left unattended, on battery and
in a sleep state."
remediation: "To establish the recommended configuration via GP, set the
following UI path to Disabled : Computer Configuration\\Policies\\Administrative
Templates\\System\\Power Management\\Sleep Settings\\Allow network connectivity
during connected-standby (on battery) Note: This Group Policy path may not exist by
default. It is provided by the Group Policy template Power.admx/adml that is
included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative
Templates (or newer)."
compliance:
- cis: ["18.8.34.6.1"]
- cis_csc: ["9"]
- pci_dss: ["2.2.4"]
- nist_800_53: ["CM.1"]
- tsc: ["CC5.2"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\
f15576e8-98b7-4186-b944-eafa664402d9 -> DCSettingIndex -> 0'

# 18.8.34.6.2 (L2) Ensure 'Allow network connectivity during connected-standby (plugged in)' is set to 'Disabled' (Scored)
- id: 16667
title: "Ensure 'Allow network connectivity during connected-standby (plugged
in)' is set to 'Disabled'"
description: "This policy setting allows you to control the network
connectivity state in standby on modern standby-capable systems. The recommended
state for this setting is: Disabled ."
rationale: "Disabling this setting ensures that the computer will not be
accessible to attackers over a WLAN network while left unattended, plugged in and
in a sleep state."
remediation: "To establish the recommended configuration via GP, set the
following UI path to Disabled : Computer Configuration\\Policies\\Administrative
Templates\\System\\Power Management\\Sleep Settings\\Allow network connectivity
during connected-standby (plugged in) Note: This Group Policy path may not exist by
default. It is provided by the Group Policy template Power.admx/adml that is
included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative
Templates (or newer)."
compliance:
- cis: ["18.8.34.6.2"]
- cis_csc: ["9"]
- pci_dss: ["2.2.4"]
- nist_800_53: ["CM.1"]
- tsc: ["CC5.2"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\
f15576e8-98b7-4186-b944-eafa664402d9 -> ACSettingIndex -> 0'

# 18.8.34.6.3 (L1) Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled' (Scored)
- id: 16668
title: "Ensure 'Require a password when a computer wakes (on battery)' is set
to 'Enabled'"
description: "Specifies whether or not the user is prompted for a password when
the system resumes from sleep. The recommended state for this setting is: Enabled."
rationale: "Enabling this setting ensures that anyone who wakes an unattended
computer from sleep state will have to provide logon credentials before they can
access the system."
remediation: "To establish the recommended configuration via GP, set the
following UI path to Enabled: Computer Configuration\\Policies\\Administrative
Templates\\System\\Power Management\\Sleep Settings\\Require a password when a
computer wakes (on battery) Note: This Group Policy path may not exist by default.
It is provided by the Group Policy template Power.admx/adml that is included with
the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or
newer)."
compliance:
- cis: ["18.8.34.6.3"]
- cis_csc: ["16.5"]
- pci_dss: ["8.2"]
- tsc: ["CC6.1"]
references:
- 'CCE-36881-1'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\
0e796bdb-100d-47d6-a2d5-f7d2daa51f51 -> DCSettingIndex -> 1'

# 18.8.34.6.4 (L1) Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled' (Scored)
- id: 16669
title: "Ensure 'Require a password when a computer wakes (plugged in)' is set
to 'Enabled'"
description: "Specifies whether or not the user is prompted for a password when
the system resumes from sleep. The recommended state for this setting is: Enabled."
rationale: "Enabling this setting ensures that anyone who wakes an unattended
computer from sleep state will have to provide logon credentials before they can
access the system."
remediation: "To establish the recommended configuration via GP, set the
following UI path to Enabled: Computer Configuration\\Policies\\Administrative
Templates\\System\\Power Management\\Sleep Settings\\Require a password when a
computer wakes (plugged in) Note: This Group Policy path may not exist by default.
It is provided by the Group Policy template Power.admx/adml that is included with
the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or
newer)."
compliance:
- cis: ["18.8.34.6.4"]
- cis_csc: ["16.5"]
- pci_dss: ["8.2"]
- tsc: ["CC6.1"]
references:
- 'CCE-37066-8'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\
0e796bdb-100d-47d6-a2d5-f7d2daa51f51 -> ACSettingIndex -> 1'

# 18.8.36.1 (L1) Ensure 'Configure Offer Remote Assistance' is set to 'Disabled' (Scored)
- id: 16670
title: "Ensure 'Configure Offer Remote Assistance' is set to 'Disabled'"
description: "This policy setting allows you to turn on or turn off Offer
(Unsolicited) Remote Assistance on this computer. Help desk and support personnel
will not be able to proactively offer assistance, although they can still respond
to user assistance requests. The recommended state for this setting is: Disabled."
rationale: "A user might be tricked and accept an unsolicited Remote Assistance
offer from a malicious user."
remediation: "To establish the recommended configuration via GP, set the
following UI path to Disabled: Computer Configuration\\Policies\\Administrative
Templates\\System\\Remote Assistance\\Configure Offer Remote Assistance Note: This
Group Policy path may not exist by default. It is provided by the Group Policy
template RemoteAssistance.admx/adml that is included with the Microsoft Windows 8.0
& Server 2012 (non-R2) Administrative Templates (or newer)."
compliance:
- cis: ["18.8.35.1"]
- cis_csc: ["9.1"]
- pci_dss: ["2.2.5"]
- tsc: ["CC6.3"]
references:
- 'CCE-36388-7'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal
Services -> fAllowUnsolicited -> 0'

  # 18.8.36.2 (L1) Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled' (Scored)
  - id: 16671
    title: "Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled'"
    description: "This policy setting allows you to turn on or turn off Solicited (Ask for) Remote Assistance on this computer. The recommended state for this setting is: Disabled."
    rationale: "There is slight risk that a rogue administrator will gain access to another user's desktop session, however, they cannot connect to a user's computer unannounced or control it without permission from the user. When an expert tries to connect, the user can still choose to deny the connection or give the expert view-only privileges. The user must explicitly click the Yes button to allow the expert to remotely control the workstation."
    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Remote Assistance\\Configure Solicited Remote Assistance Note: This Group Policy path may not exist by default. It is provided by the Group Policy template RemoteAssistance.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
    compliance:
      - cis: ["18.8.36.2"]
      - cis_csc: ["5.1"]
      - pci_dss: ["2.2.5"]
      - tsc: ["CC6.3"]
    references:
      - 'CCE-37281-3'
    condition: all
    rules:
      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowToGetHelp -> 0'

  # 18.8.37.1 (L1) Ensure 'Enable RPC Endpoint Mapper Client Authentication' is set to 'Enabled' (MS only) (Scored)
  - id: 16672
    title: "Ensure 'Enable RPC Endpoint Mapper Client Authentication' is set to 'Enabled'"
    description: "This policy setting controls whether RPC clients authenticate with the Endpoint Mapper Service when the call they are making contains authentication information. The Endpoint Mapper Service on computers running Windows NT4 (all service packs) cannot process authentication information supplied in this manner. This policy setting can cause a specific issue with 1-way forest trusts if it is applied to the trusting domain DCs (see Microsoft KB3073942), so we do not recommend applying it to Domain Controllers. Note: This policy will not be in effect until the system is rebooted. The recommended state for this setting is: Enabled."
    rationale: "Anonymous access to RPC services could result in accidental disclosure of information to unauthenticated users."
    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Remote Procedure Call\\Enable RPC Endpoint Mapper Client Authentication Note: This Group Policy path may not exist by default. It is provided by the Group Policy template RPC.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
    compliance:
      - cis: ["18.8.37.1"]
      - cis_csc: ["9.1"]
      - pci_dss: ["2.2.3"]
      - nist_800_53: ["CM.1"]
      - gpg_13: ["4.3"]
      - gdpr_IV: ["35.7.d"]
      - hipaa: ["164.312.b"]
      - tsc: ["CC5.2"]
    references:
      - https://support.microsoft.com/en-us/help/3073942/rpc-endpoint-mapper-client-authentication-prevents-users-and-groups-fr
      - 'CCE-37346-4'
    condition: all
    rules:
      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc -> EnableAuthEpResolution -> 1'

  # 18.8.37.2 (L2) Ensure 'Restrict Unauthenticated RPC clients' is set to 'Enabled: Authenticated' (MS only) (Scored)
  - id: 16673
    title: "Ensure 'Restrict Unauthenticated RPC clients' is set to 'Enabled: Authenticated'"
    description: "This policy setting controls how the RPC server runtime handles unauthenticated RPC clients connecting to RPC servers."
    rationale: "Unauthenticated RPC communication can create a security vulnerability."
    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Authenticated: Computer Configuration\\Policies\\Administrative Templates\\System\\Remote Procedure Call\\Restrict Unauthenticated RPC clients."
    compliance:
      - cis: ["18.8.37.2"]
      - cis_csc: ["9.1"]
      - pci_dss: ["2.2.3"]
      - nist_800_53: ["CM.1"]
      - gpg_13: ["4.3"]
      - gdpr_IV: ["35.7.d"]
      - hipaa: ["164.312.b"]
      - tsc: ["CC5.2"]
    references:
      - 'CCE-36559-3'
    condition: all
    rules:
      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc -> RestrictRemoteClients -> 1'

  # Section 18.8.45.5 - Microsoft Support Diagnostic Tool

  # 18.8.45.5.1 (L2) Ensure 'Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider' is set to 'Disabled' (Scored)
  - id: 16674
    title: "Ensure 'Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider' is set to 'Disabled'"
    description: "This policy setting configures Microsoft Support Diagnostic Tool (MSDT) interactive communication with the support provider."
    rationale: "Due to privacy concerns, data should never be sent to any 3rd party since this data could contain sensitive information."
    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Troubleshooting and Diagnostics\\Microsoft Support Diagnostic Tool\\Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider."
    compliance:
      - cis: ["18.8.45.5.1"]
      - cis_csc: ["13"]
      - pci_dss: ["2.2.5"]
      - tsc: ["CC6.3"]
    references:
      - 'CCE-38161-6'
    condition: all
    rules:
      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy -> DisableQueryRemoteServer -> 0'

  # Section 18.8.45.11 - Windows Performance PerfTrack

  # 18.8.45.11.1 (L2) Ensure 'Enable/Disable PerfTrack' is set to 'Disabled' (Scored)
  - id: 16675
    title: "Ensure 'Enable/Disable PerfTrack' is set to 'Disabled'"
    description: "This policy setting specifies whether to enable or disable tracking of responsiveness events."
    rationale: "When enabled the aggregated data of a given event will be transmitted to Microsoft."
    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Troubleshooting and Diagnostics\\Windows Performance PerfTrack\\Enable/Disable PerfTrack."
    compliance:
      - cis: ["18.8.45.11.1"]
      - cis_csc: ["13"]
      - pci_dss: ["2.2.5"]
      - tsc: ["CC6.3"]
    references:
      - 'CCE-36648-4'
    condition: all
    rules:
      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d} -> ScenarioExecutionEnabled -> 0'

  # Section 18.8.47 User Profiles

  # 18.8.47.1 (L2) Ensure 'Turn off the advertising ID' is set to 'Enabled' (Scored)
  - id: 16676
    title: "Ensure 'Turn off the advertising ID' is set to 'Enabled'"
    description: "This policy setting turns off the advertising ID, preventing apps from using the ID for experiences across apps."
    rationale: "Tracking user activity for advertising purposes, even anonymously, may be a privacy concern."
    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\User Profiles\\Turn off the advertising ID."
    compliance:
      - cis: ["18.8.47.1"]
      - cis_csc: ["13"]
      - pci_dss: ["2.2.5"]
      - tsc: ["CC6.3"]
    references:
      - 'CCE-36931-4'
    condition: all
    rules:
      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo -> DisabledByGroupPolicy -> 1'

  # Section 18.8.50.1 - Time Providers

  # 18.8.50.1.1 (L2) Ensure 'Enable Windows NTP Client' is set to 'Enabled' (Scored)
  - id: 16677
    title: "Ensure 'Enable Windows NTP Client' is set to 'Enabled'"
    description: "This policy setting specifies whether the Windows NTP Client is enabled."
    rationale: "A reliable and accurate account of time is important for a number of services and security requirements, including but not limited to distributed applications, authentication services, multi-user databases and logging services."
    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Windows Time Service\\Time Providers\\Enable Windows NTP Client."
    compliance:
      - cis: ["18.8.50.1.1"]
      - cis_csc: ["6.1"]
      - pci_dss: ["10.4"]
      - nist_800_53: ["AU.8"]
      - tsc: ["CC7.2"]
    references:
      - 'CCE-37843-0'
    condition: all
    rules:
      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpClient -> Enabled -> 1'

  # 18.8.50.1.2 (L2) Ensure 'Enable Windows NTP Server' is set to 'Disabled' (MS only) (Scored)
  - id: 16678
    title: "Ensure 'Enable Windows NTP Server' is set to 'Disabled'"
    description: "This policy setting allows you to specify whether the Windows NTP Server is enabled."
    rationale: "The configuration of proper time synchronization is critically important in an enterprise managed environment both due to the sensitivity of Kerberos authentication timestamps and also to ensure accurate security logging."
    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Windows Time Service\\Time Providers\\Enable Windows NTP Server."
    compliance:
      - cis: ["18.8.50.1.2"]
      - cis_csc: ["9.1"]
      - pci_dss: ["2.2.5"]
      - nist_800_53: ["AU.8"]
      - tsc: ["CC6.3"]
    references:
      - 'CCE-37319-1'
    condition: all
    rules:
      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpServer -> Enabled -> 0'

  ################################################
  # 18.9 Windows Components
  ################################################

  # 18.9.4.1 (L2) Ensure 'Allow a Windows app to share application data between users' is set to 'Disabled' (Scored)
  - id: 16679
    title: "Ensure 'Allow a Windows app to share application data between users' is set to 'Disabled'"
    description: "Manages a Windows app's ability to share data between users who have installed the app. Data is shared through the SharedLocal folder. This folder is available through the Windows.Storage API. The recommended state for this setting is: Disabled."
    rationale: "Users of a system could accidentally share sensitive data with other users on the same system."
    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\App Package Deployment\\Allow a Windows app to share application data between users Note: This Group Policy path may not exist by default. It is provided by the Group Policy template AppxPackageManager.admx/adml that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer)."
    compliance:
      - cis: ["18.9.4.1"]
      - cis_csc: ["14.4"]
      - pci_dss: ["4.1"]
      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
      - nist_800_53: ["SC.8"]
      - tsc: ["CC6.1","CC6.7","CC7.2"]
    condition: all
    rules:
      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\AppModel\StateManager -> AllowSharedLocalAppData -> 0'

  # 18.9.6.1 (L1) Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled' (Scored)
  - id: 16680
    title: "Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled'"
    description: "This policy setting lets you control whether Microsoft accounts are optional for Windows Store apps that require an account to sign in. This policy only affects Windows Store apps that support it. The recommended state for this setting is: Enabled."
    rationale: "Enabling this setting allows an organization to use their enterprise user accounts instead of using their Microsoft accounts when accessing Windows store apps. This provides the organization with greater control over relevant credentials. Microsoft accounts cannot be centrally managed and as such enterprise credential security policies cannot be applied to them, which could put any information accessed by using Microsoft accounts at risk."
    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\App runtime\\Allow Microsoft accounts to be optional Note: This Group Policy path may not exist by default. It is provided by the Group Policy template AppXRuntime.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
    compliance:
      - cis: ["18.9.6.1"]
      - cis_csc: ["16.9"]
      - pci_dss: ["8.1"]
      - tsc: ["CC6.1"]
    references:
      - 'CCE-38354-7'
    condition: all
    rules:
      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> MSAOptional -> 1'

  # 18.9.8.1 (L1) Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled' (Scored)
  - id: 16681
    title: "Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled'"
    description: "This policy setting disallows AutoPlay for MTP devices like cameras or phones. The recommended state for this setting is: Enabled."
    rationale: "An attacker could use this feature to launch a program to damage a client computer or data on the computer."
    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\AutoPlay Policies\\Disallow Autoplay for non-volume devices Note: This Group Policy path may not exist by default. It is provided by the Group Policy template AutoPlay.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
    compliance:
      - cis: ["18.9.8.1"]
      - cis_csc: ["8.3"]
      - pci_dss: ["2.2.4"]
      - tsc: ["CC5.2"]
    references:
      - 'CCE-37636-8'
    condition: all
    rules:
      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoAutoplayfornonVolume -> 1'

  # 18.9.8.2 (L1) Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands' (Scored)
  - id: 16682
    title: "Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands'"
    description: "This policy setting sets the default behavior for Autorun commands. Autorun commands are generally stored in autorun.inf files. They often launch the installation program or other routines. The recommended state for this setting is: Enabled: Do not execute any autorun commands."
    rationale: "Prior to Windows Vista, when media containing an autorun command is inserted, the system will automatically execute the program without user intervention. This creates a major security concern as code may be executed without user's knowledge. The default behavior starting with Windows Vista is to prompt the user whether autorun command is to be run. The autorun command is represented as a handler in the Autoplay dialog."
    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Do not execute any autorun commands: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\AutoPlay Policies\\Set the default behavior for AutoRun Note: This Group Policy path may not exist by default. It is provided by the Group Policy template AutoPlay.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
    compliance:
      - cis: ["18.9.8.2"]
      - cis_csc: ["8.3"]
      - pci_dss: ["2.2.4"]
      - nist_800_53: ["CM.1"]
      - tsc: ["CC5.2"]
    references:
      - 'CCE-38217-6'
    condition: all
    rules:
      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoAutorun -> 1'

  # 18.9.8.3 (L1) Ensure 'Turn off Autoplay' is set to 'Enabled: All drives' (Scored)
  - id: 16683
    title: "Ensure 'Turn off Autoplay' is set to 'Enabled: All drives'"
    description: "Autoplay starts to read from a drive as soon as you insert media in the drive, which causes the setup file for programs or audio media to start immediately. An attacker could use this feature to launch a program to damage the computer or data on the computer. Autoplay is disabled by default on some removable drive types, such as floppy disk and network drives, but not on CD-ROM drives. Note: You cannot use this policy setting to enable Autoplay on computer drives in which it is disabled by default, such as floppy disk and network drives. The recommended state for this setting is: Enabled: All drives."
    rationale: "An attacker could use this feature to launch a program to damage a client computer or data on the computer."
    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: All drives: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\AutoPlay Policies\\Turn off Autoplay Note: This Group Policy path is provided by the Group Policy template AutoPlay.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
    compliance:
      - cis: ["18.9.8.3"]
      - cis_csc: ["8.3"]
      - pci_dss: ["2.2.4"]
      - nist_800_53: ["CM.1"]
      - tsc: ["CC5.2"]
    references:
      - 'CCE-36875-3'
    condition: all
    rules:
      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoDriveTypeAutoRun -> 255'

  # 18.9.10.1.1 (L1) Ensure 'Configure enhanced anti-spoofing' is set to 'Enabled' (Scored)
  - id: 16684
    title: "Ensure 'Configure enhanced anti-spoofing' is set to 'Enabled'"
    description: "This policy setting determines whether enhanced anti-spoofing is configured for devices which support it. The recommended state for this setting is: Enabled."
    rationale: "Enterprise managed environments are now supporting a wider range of mobile devices, increasing the security on these devices will help protect against unauthorized access on your network."
    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Biometrics\\Facial Features\\Configure enhanced anti-spoofing Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Biometrics.admx/adml that is included with the Microsoft Windows 10 Release 1511 Administrative Templates (or newer). Note #2: In the Windows 10 Release 1511 and Windows 10 Release 1607 & Server 2016 Administrative Templates, this setting was named Use enhanced anti-spoofing when available. It was renamed to Configure enhanced anti-spoofing starting with the Windows 10 Release 1703 Administrative Templates."
    compliance:
      - cis: ["18.9.10.1.1"]
      - cis_csc: ["16"]
      - pci_dss: ["8.1"]
      - tsc: ["CC6.1"]
    condition: all
    rules:
      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures -> EnhancedAntiSpoofing -> 1'

  # 18.9.12.1 (L2) Ensure 'Allow Use of Camera' is set to 'Disabled' (Scored)
  - id: 16685
    title: "Ensure 'Allow Use of Camera' is set to 'Disabled'"
    description: "This policy setting controls whether the use of Camera devices on the machine are permitted. The recommended state for this setting is: Disabled."
    rationale: "Cameras in a high security environment can pose serious privacy and data exfiltration risks - they should be disabled to help mitigate that risk."
    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Camera\\Allow Use of Camera Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Camera.admx/adml that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer)."
    compliance:
      - cis: ["18.9.12.1"]
      - cis_csc: ["13"]
      - pci_dss: ["2.2.5"]
      - tsc: ["CC6.3"]
    condition: all
    rules:
      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Camera -> AllowCamera -> 0'

  # 18.9.13.1 (L1) Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled' (Scored)
  - id: 16686
    title: "Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled'"
    description: "This policy setting turns off experiences that help consumers make the most of their devices and Microsoft account. The recommended state for this setting is: Enabled. Note: Per Microsoft TechNet, this policy setting only applies to Windows 10 Enterprise and Windows 10 Education editions."
    rationale: "Having apps silently install in an enterprise managed environment is not good security practice - especially if the apps send data back to a 3rd party."
    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Cloud Content\\Turn off Microsoft consumer experiences Note: This Group Policy path may not exist by default. It is provided by the Group Policy template CloudContent.admx/adml that is included with the Microsoft Windows 10 Release 1511 Administrative Templates (or newer)."
    compliance:
      - cis: ["18.9.13.1"]
      - cis_csc: ["13"]
      - pci_dss: ["4.1"]
      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
      - nist_800_53: ["SC.8"]
      - tsc: ["CC6.1","CC6.7","CC7.2"]
    references:
      - 'https://technet.microsoft.com/en-us/itpro/windows/manage/group-policies-for-enterprise-and-education-editions'
    condition: all
    rules:
      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CloudContent -> DisableWindowsConsumerFeatures -> 1'

  # 18.9.14.1 (L1) Ensure 'Require pin for pairing' is set to 'Enabled: First Time' OR 'Enabled: Always' (Scored)
  - id: 16687
    title: "Ensure 'Require pin for pairing' is set to 'Enabled: First Time' OR 'Enabled: Always'"
    description: "This policy setting controls whether or not a PIN is required for pairing to a wireless display device. The recommended state for this setting is: 'Enabled: First Time' OR 'Enabled: Always'."
    rationale: "If this setting is not configured or disabled then a PIN would not be required when pairing wireless display devices to the system, increasing the risk of unauthorized use."
    remediation: "To establish the recommended configuration via GP, set the following UI path to 'Enabled: First Time' OR 'Enabled: Always': Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Connect\\Require pin for pairing Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WirelessDisplay.admx/adml that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer)."
    compliance:
      - cis: ["18.9.14.1"]
      - cis_csc: ["15.8"]
      - pci_dss: ["4.1"]
      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
      - nist_800_53: ["SC.8"]
      - tsc: ["CC6.1","CC6.7","CC7.2"]
    condition: any
    rules:
      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Connect -> RequirePinForPairing -> 1'
      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Connect -> RequirePinForPairing -> 2'

  # 18.9.15.1 (L1) Ensure 'Do not display the password reveal button' is set to 'Enabled' (Scored)
  - id: 16688
    title: "Ensure 'Do not display the password reveal button' is set to 'Enabled'"
    description: "This policy setting allows you to configure the display of the password reveal button in password entry user experiences. The recommended state for this setting is: Enabled."
    rationale: "This is a useful feature when entering a long and complex password, especially when using a touchscreen. The potential risk is that someone else may see your password while surreptitiously observing your screen."
    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Credential User Interface\\Do not display the password reveal button Note: This Group Policy path may not exist by default. It is provided by the Group Policy template CredUI.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
    compliance:
      - cis: ["18.9.15.1"]
      - cis_csc: ["16"]
      - pci_dss: ["8.2.1"]
      - tsc: ["CC6.1"]
    references:
      - 'CCE-37534-5'
    condition: all
    rules:
      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredUI -> DisablePasswordReveal -> 1'

  # 18.9.15.2 (L1) Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled' (Scored)
  - id: 16689
    title: "Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled'"
    description: "This policy setting controls whether administrator accounts are displayed when a user attempts to elevate a running application. The recommended state for this setting is: Disabled."
    rationale: "Users could see the list of administrator accounts, making it slightly easier for a malicious user who has logged onto a console session to try to crack the passwords of those accounts."
    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Credential User Interface\\Enumerate administrator accounts on elevation Note: This Group Policy path is provided by the Group Policy template CredUI.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
    compliance:
      - cis: ["18.9.15.2"]
      - cis_csc: ["16"]
      - pci_dss: ["8.2.1"]
      - tsc: ["CC6.1"]
    references:
      - 'CCE-36512-2'
    condition: all
    rules:
      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI -> EnumerateAdministrators -> 0'

  # 18.9.16.1 (L1) Ensure 'Allow Telemetry' is set to 'Enabled: 0 - Security [Enterprise Only]' or 'Enabled: 1 - Basic' (Scored)
  - id: 16690
    title: "Ensure 'Allow Telemetry' is set to 'Enabled: 0 - Security [Enterprise Only]' or 'Enabled: 1 - Basic'"
    description: "This policy setting determines the amount of diagnostic and usage data reported to Microsoft: A value of 0 - Security [Enterprise Only] will send minimal data to Microsoft. This data includes Malicious Software Removal Tool (MSRT) & Windows Defender data, if enabled, and telemetry client settings. Setting a value of 0 applies to enterprise, EDU, IoT and server devices only. Setting a value of 0 for other devices is equivalent to choosing a value of 1. A value of 1 - Basic sends only a basic amount of diagnostic and usage data. Note that setting values of 0 or 1 will degrade certain experiences on the device. A value of 2 - Enhanced sends enhanced diagnostic and usage data. A value of 3 - Full sends the same data as a value of 2, plus additional diagnostics data, including the files and content that may have caused the problem. Windows 10 telemetry settings apply to the Windows operating system and some first party apps. This setting does not apply to third party apps running on Windows 10. The recommended state for this setting is: Enabled: 0 - Security [Enterprise Only] or Enabled: 1 - Basic. Note: If the Allow Telemetry setting is configured to 0 - Security [Enterprise Only], then the options in Windows Update to defer upgrades and updates will have no effect. Note #2: In the Microsoft Windows 10 RTM (Release 1507) Administrative Templates, the zero value was named 0 - Off [Enterprise Only], but it was renamed to 0 - Security [Enterprise Only] starting with the Windows 10 Release 1511 Administrative Templates."
    rationale: "Sending any data to a 3rd party vendor is a security concern and should only be done on an as needed basis."
    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 0 - Security [Enterprise Only] or Enabled: 1 - Basic: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Data Collection and Preview Builds\\Allow Telemetry Note: This Group Policy path may not exist by default. It is provided by the Group Policy template DataCollection.admx/adml that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer)."
    compliance:
      - cis: ["18.9.16.1"]
      - cis_csc: ["13"]
      - pci_dss: ["4.1"]
      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
      - nist_800_53: ["SC.8"]
      - tsc: ["CC6.1","CC6.7","CC7.2"]
    condition: any
    rules:
      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> AllowTelemetry -> 0'
      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> AllowTelemetry -> 1'

  # 18.9.16.2 (L2) Ensure 'Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service' is set to 'Enabled: Disable Authenticated Proxy usage' (Scored)
  - id: 16691
    title: "Ensure 'Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service' is set to 'Enabled: Disable Authenticated Proxy usage'"
    description: "This policy setting controls whether the Connected User Experience and Telemetry service can automatically use an authenticated proxy to send data back to Microsoft. The recommended state for this setting is: Enabled: Disable Authenticated Proxy usage."
    rationale: "Sending any data to a 3rd party vendor is a security concern and should only be done on an as needed basis."
    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Disable Authenticated Proxy usage: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Data Collection and Preview Builds\\Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service Note: This Group Policy path may not exist by default. It is provided by the Group Policy template DataCollection.admx/adml that is included with the Microsoft Windows 10 Release 1703 Administrative Templates (or newer)."
    compliance:
      - cis: ["18.9.16.2"]
      - cis_csc: ["13"]
      - pci_dss: ["4.1"]
      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
      - nist_800_53: ["SC.8"]
      - tsc: ["CC6.1","CC6.7","CC7.2"]
    condition: all
    rules:
      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> DisableEnterpriseAuthProxy -> 1'

  # 18.9.16.3 (L1) Ensure 'Do not show feedback notifications' is set to 'Enabled' (Scored)
  - id: 16692
    title: "Ensure 'Do not show feedback notifications' is set to 'Enabled'"
    description: "This policy setting allows an organization to prevent its devices from showing feedback questions from Microsoft. The recommended state for this setting is: Enabled."
    rationale: "Users should not be sending any feedback to 3rd party vendors in an enterprise managed environment."
    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Data Collection and Preview Builds\\Do not show feedback notifications Note: This Group Policy path may not exist by default. It is provided by the Group Policy template FeedbackNotifications.admx/adml that is included with the Microsoft Windows 10 Release 1511 Administrative Templates (or newer)."
    compliance:
      - cis: ["18.9.16.3"]
      - cis_csc: ["13"]
      - pci_dss: ["4.1"]
      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
      - nist_800_53: ["SC.8"]
      - tsc: ["CC6.1","CC6.7","CC7.2"]
    condition: all
    rules:
      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> DoNotShowFeedbackNotifications -> 1'

# 18.9.16.4 (L1) Ensure 'Toggle user control over Insider builds' is set to 'Disabled' (Scored)
- id: 16693
title: "Ensure 'Toggle user control over Insider builds' is set to 'Disabled'"
description: "This policy setting determines whether users can access the
Insider build controls in the Advanced Options for Windows Update. These controls
are located under \"Get Insider builds,\" and enable users to make their devices
available for downloading and installing Windows preview software. The recommended
state for this setting is: Disabled . Note: This policy setting applies only to
devices running Windows Server 2016, up until Release 1703. For Release 1709 or
newer, Microsoft encourages using the Manage preview builds setting (Rule
18.9.102.1.1). We have kept this setting in the benchmark to ensure that any older
builds of Windows Server 2016 in the environment are still enforced."
rationale: "It can be risky for experimental features to be allowed in an
enterprise managed environment because this can introduce bugs and security holes
into systems, making it easier for an attacker to gain access. It is generally
preferred to only use production-ready builds."
remediation: "To establish the recommended configuration via GP, set the
following UI path to Disabled : Computer Configuration\\Policies\\Administrative
Templates\\Windows Components\\Data Collection and Preview Builds\\Toggle user
control over Insider builds Note: This Group Policy path may not exist by default.
It is provided by the Group Policy template AllowBuildPreview.admx/adml that is
included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates
(or newer)."
compliance:
- cis: ["18.9.16.4"]
- cis_csc: ["3"]
- pci_dss: ["4.1"]
- hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
- nist_800_53: ["SC.8"]
- tsc: ["CC6.1","CC6.7","CC7.2"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds ->
AllowBuildPreview -> 0'

# 18.9.26.1.1 (L1) Ensure 'Application: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' (Scored)
- id: 16694
title: "Ensure 'Application: Control Event Log behavior when the log file
reaches its maximum size' is set to 'Disabled'"
description: "This policy setting controls Event Log behavior when the log file
reaches its maximum size. The recommended state for this setting is: Disabled.
Note: Old events may or may not be retained according to the Backup log
automatically when full policy setting."
rationale: "If new events are not recorded it may be difficult or impossible to
determine the root cause of system problems or the unauthorized activities of
malicious users."
remediation: "To establish the recommended configuration via GP, set the
following UI path to Disabled: Computer Configuration\\Policies\\Administrative
Templates\\Windows Components\\Event Log Service\\Application\\Control Event Log
behavior when the log file reaches its maximum size Note: This Group Policy path is
provided by the Group Policy template EventLog.admx/adml that is included with all
versions of the Microsoft Windows Administrative Templates. Note #2: In older
Microsoft Windows Administrative Templates, this setting was initially named Retain
old events, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2)
Administrative Templates."
compliance:
- cis: ["18.9.26.1.1"]
- cis_csc: ["6.3"]
- pci_dss: ["10.6.1"]
- nist_800_53: ["AU.6"]
- gpg13: ["4.12"]
- gdpr_IV: [35.7.d]
- hipaa: ["164.312.b"]
- tsc: ["CC6.1","CC6.8","CC7.2","CC7.3"]
references:
- 'CCE-37775-4'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> Retention -> 0'

# 18.9.26.1.2 (L1) Ensure 'Application: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater' (Scored)
- id: 16695
title: "Ensure 'Application: Specify the maximum log file size (KB)' is set to
'Enabled: 32,768 or greater'"
description: "This policy setting specifies the maximum size of the log file in
kilobytes. The maximum log file size can be configured between 1 megabyte (1,024
kilobytes) and 4 terabytes (4,194,240 kilobytes) in kilobyte increments. The
recommended state for this setting is: Enabled: 32,768 or greater."
rationale: "If events are not recorded it may be difficult or impossible to
determine the root cause of system problems or the unauthorized activities of
malicious users."
remediation: "To establish the recommended configuration via GP, set the
following UI path to Enabled: 32,768 or greater: Computer
Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log
Service\\Application\\Specify the maximum log file size (KB) Note: This Group Policy path is provided by
the Group Policy template EventLog.admx/adml that is included with all versions of
the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows
Administrative Templates, this setting was initially named Maximum Log Size (KB),
but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2)
Administrative Templates."
compliance:
- cis: ["18.9.26.1.2"]
- cis_csc: ["6.3"]
- pci_dss: ["10.6.1"]
- nist_800_53: ["AU.6"]
- gpg13: ["4.12"]
- gdpr_IV: [35.7.d]
- hipaa: ["164.312.b"]
- tsc: ["CC6.1","CC6.8","CC7.2","CC7.3"]
references:
- 'CCE-37948-7'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> n:^(\d+) compare >= 32768'

# 18.9.26.2.1 (L1) Ensure 'Security: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' (Scored)
- id: 16696
title: "Ensure 'Security: Control Event Log behavior when the log file reaches
its maximum size' is set to 'Disabled'"
description: "This policy setting controls Event Log behavior when the log file
reaches its maximum size. The recommended state for this setting is: Disabled.
Note: Old events may or may not be retained according to the Backup log
automatically when full policy setting."
rationale: "If new events are not recorded it may be difficult or impossible to
determine the root cause of system problems or the unauthorized activities of
malicious users."
remediation: "To establish the recommended configuration via GP, set the
following UI path to Disabled: Computer Configuration\\Policies\\Administrative
Templates\\Windows Components\\Event Log Service\\Security\\Control Event Log
behavior when the log file reaches its maximum size Note: This Group Policy path is
provided by the Group Policy template EventLog.admx/adml that is included with all
versions of the Microsoft Windows Administrative Templates. Note #2: In older
Microsoft Windows Administrative Templates, this setting was initially named Retain
old events, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2)
Administrative Templates."
compliance:
- cis: ["18.9.26.2.1"]
- cis_csc: ["6.3"]
- pci_dss: ["10.6.1"]
- nist_800_53: ["AU.6"]
- gpg13: ["4.12"]
- gdpr_IV: [35.7.d]
- hipaa: ["164.312.b"]
- tsc: ["CC6.1","CC6.8","CC7.2","CC7.3"]
references:
- 'CCE-37145-0'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security
-> Retention -> 0'

# 18.9.26.2.2 (L1) Ensure 'Security: Specify the maximum log file size (KB)' is set to 'Enabled: 196,608 or greater' (Scored)
- id: 16697
title: "Ensure 'Security: Specify the maximum log file size (KB)' is set to
'Enabled: 196,608 or greater'"
description: "This policy setting specifies the maximum size of the log file in
kilobytes. The maximum log file size can be configured between 1 megabyte (1,024
kilobytes) and 4 terabytes (4,194,240 kilobytes) in kilobyte increments. The
recommended state for this setting is: Enabled: 196,608 or greater."
rationale: "If events are not recorded it may be difficult or impossible to
determine the root cause of system problems or the unauthorized activities of
malicious users."
remediation: "To establish the recommended configuration via GP, set the
following UI path to Enabled: 196,608 or greater: Computer
Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log
Service\\Security\\Specify the maximum log file size (KB) Note: This Group Policy path is
provided by the Group Policy template EventLog.admx/adml that is included with all
versions of the Microsoft Windows Administrative Templates. Note #2: In older
Microsoft Windows Administrative Templates, this setting was initially named
Maximum Log Size (KB), but it was renamed starting with the Windows 8.0 & Server
2012 (non-R2) Administrative Templates."
compliance:
- cis: ["18.9.26.2.2"]
- cis_csc: ["6.3"]
- pci_dss: ["10.6.1"]
- nist_800_53: ["AU.6"]
- gpg13: ["4.12"]
- gdpr_IV: [35.7.d]
- hipaa: ["164.312.b"]
- tsc: ["CC6.1","CC6.8","CC7.2","CC7.3"]
references:
- 'CCE-37695-4'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security
-> MaxSize -> n:^(\d+) compare >= 196608'

# 18.9.26.3.1 (L1) Ensure 'Setup: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' (Scored)
- id: 16698
title: "Ensure 'Setup: Control Event Log behavior when the log file reaches its
maximum size' is set to 'Disabled'"
description: "This policy setting controls Event Log behavior when the log file
reaches its maximum size. The recommended state for this setting is: Disabled.
Note: Old events may or may not be retained according to the Backup log
automatically when full policy setting."
rationale: "If new events are not recorded it may be difficult or impossible to
determine the root cause of system problems or the unauthorized activities of
malicious users."
remediation: "To establish the recommended configuration via GP, set the
following UI path to Disabled: Computer Configuration\\Policies\\Administrative
Templates\\Windows Components\\Event Log Service\\Setup\\Control Event Log behavior
when the log file reaches its maximum size Note: This Group Policy path is provided
by the Group Policy template EventLog.admx/adml that is included with all versions
of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft
Windows Administrative Templates, this setting was initially named Retain old
events, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2)
Administrative Templates."
compliance:
- cis: ["18.9.26.3.1"]
- cis_csc: ["6.3"]
- pci_dss: ["10.6.1"]
- nist_800_53: ["AU.6"]
- gpg13: ["4.12"]
- gdpr_IV: [35.7.d]
- hipaa: ["164.312.b"]
- tsc: ["CC6.1","CC6.8","CC7.2","CC7.3"]
references:
- 'CCE-38276-2'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup ->
Retention -> 0'

# 18.9.26.3.2 (L1) Ensure 'Setup: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater' (Scored)
- id: 16699
title: "Ensure 'Setup: Specify the maximum log file size (KB)' is set to
'Enabled: 32,768 or greater'"
description: "This policy setting specifies the maximum size of the log file in
kilobytes. The maximum log file size can be configured between 1 megabyte (1,024
kilobytes) and 4 terabytes (4,194,240 kilobytes) in kilobyte increments. The
recommended state for this setting is: Enabled: 32,768 or greater."
rationale: "If events are not recorded it may be difficult or impossible to
determine the root cause of system problems or the unauthorized activities of
malicious users."
remediation: "To establish the recommended configuration via GP, set the
following UI path to Enabled: 32,768 or greater: Computer
Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\Setup\\Specify the
maximum log file size (KB) Note: This Group Policy path is provided by the Group
Policy template EventLog.admx/adml that is included with all versions of the
Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows
Administrative Templates, this setting was initially named Maximum Log Size (KB),
but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2)
Administrative Templates."
compliance:
- cis: ["18.9.26.3.2"]
- cis_csc: ["6.3"]
- pci_dss: ["10.6.1"]
- nist_800_53: ["AU.6"]
- gpg13: ["4.12"]
- gdpr_IV: [35.7.d]
- hipaa: ["164.312.b"]
- tsc: ["CC6.1","CC6.8","CC7.2","CC7.3"]
references:
- 'CCE-37526-1'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup ->
MaxSize -> n:^(\d+) compare >= 32768'

# 18.9.26.4.1 (L1) Ensure 'System: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' (Scored)
- id: 16700
title: "Ensure 'System: Control Event Log behavior when the log file reaches
its maximum size' is set to 'Disabled'"
description: "This policy setting controls Event Log behavior when the log file
reaches its maximum size. The recommended state for this setting is: Disabled.
Note: Old events may or may not be retained according to the Backup log
automatically when full policy setting."
rationale: "If new events are not recorded it may be difficult or impossible to
determine the root cause of system problems or the unauthorized activities of
malicious users."
remediation: "To establish the recommended configuration via GP, set the
following UI path to Disabled: Computer Configuration\\Policies\\Administrative
Templates\\Windows Components\\Event Log Service\\System\\Control Event Log
behavior when the log file reaches its maximum size Note: This Group Policy path is
provided by the Group Policy template EventLog.admx/adml that is included with all
versions of the Microsoft Windows Administrative Templates. Note #2: In older
Microsoft Windows Administrative Templates, this setting was initially named Retain
old events, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2)
Administrative Templates."
compliance:
- cis: ["18.9.26.4.1"]
- cis_csc: ["6.3"]
- pci_dss: ["10.6.1"]
- nist_800_53: ["AU.6"]
- gpg13: ["4.12"]
- gdpr_IV: [35.7.d]
- hipaa: ["164.312.b"]
- tsc: ["CC6.1","CC6.8","CC7.2","CC7.3"]
references:
- 'CCE-36160-0'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> Retention -> 0'

# 18.9.26.4.2 (L1) Ensure 'System: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater' (Scored)
- id: 16701
title: "Ensure 'System: Specify the maximum log file size (KB)' is set to
'Enabled: 32,768 or greater'"
description: "This policy setting specifies the maximum size of the log file in
kilobytes. The maximum log file size can be configured between 1 megabyte (1,024
kilobytes) and 4 terabytes (4,194,240 kilobytes) in kilobyte increments. The
recommended state for this setting is: Enabled: 32,768 or greater."
rationale: "If events are not recorded it may be difficult or impossible to
determine the root cause of system problems or the unauthorized activities of
malicious users."
remediation: "To establish the recommended configuration via GP, set the
following UI path to Enabled: 32,768 or greater: Computer
Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\System\\Specify
the maximum log file size (KB) Note: This Group Policy path is provided by the
Group Policy template EventLog.admx/adml that is included with all versions of the
Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows
Administrative Templates, this setting was initially named Maximum Log Size (KB),
but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2)
Administrative Templates."
compliance:
- cis: ["18.9.26.4.2"]
- cis_csc: ["6.3"]
- pci_dss: ["10.6.1"]
- nist_800_53: ["AU.6"]
- gpg13: ["4.12"]
- gdpr_IV: [35.7.d]
- hipaa: ["164.312.b"]
- tsc: ["CC6.1","CC6.8","CC7.2","CC7.3"]
references:
- 'CCE-36092-5'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> n:^(\d+) compare >= 32768'

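The Data Collection checks above use the literal rule form `r:<key> -> <value name> -> <data>`, and the Event Log size checks use the numeric form `-> n:^(\d+) compare >= N`. The following is an added example, not code from the Wazuh project or from this policy file: a small offline evaluator for those two rule shapes, run over a constructed registry snapshot that mixes compliant, non-compliant and absent policy keys. `REGISTRY`, `CHECKS` and the function names are assumptions of the example, not Wazuh API. It makes two things visible that the rule text alone does not: a policy key that is absent (Not Configured) fails the check outright, and the comparison is `>=`, so a log set to exactly 32,768 KB passes.

```python
"""Offline evaluator for the Wazuh SCA registry-rule syntax used in cis_win2019.yml.

Added example, not code from the Wazuh project. It reproduces the two rule
shapes that appear in this policy:

    r:<key> -> <value name> -> <literal data>
    r:<key> -> <value name> -> n:<regex> compare <op> <number>

REGISTRY is a constructed snapshot standing in for HKLM; on a Windows host the
same rules could be fed values read with winreg.QueryValueEx instead.
"""
import operator
import re
from typing import Dict, List

# Constructed snapshot of a partially hardened host (assumption, not real data).
REGISTRY: Dict[str, Dict[str, object]] = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection": {
        "DisableEnterpriseAuthProxy": 1,        # 18.9.16.2 compliant
        "DoNotShowFeedbackNotifications": 0,    # 18.9.16.3 wrong data -> fail
    },
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application": {
        "Retention": 0,
        "MaxSize": 32768,                       # exactly the 32,768 KB floor -> pass
    },
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security": {
        "Retention": 0,
        "MaxSize": 65536,                       # below the 196,608 KB floor -> fail
    },
    # EventLog\System policy key absent: "Not Configured", so both checks fail
}

_OPS = {">=": operator.ge, ">": operator.gt, "<=": operator.le,
        "<": operator.lt, "==": operator.eq, "!=": operator.ne}
_NUMERIC = re.compile(r"^n:(?P<regex>.+?)\s+compare\s+(?P<op>[<>=!]+)\s+(?P<num>-?\d+)$")


def evaluate_rule(rule: str, registry: Dict[str, Dict[str, object]] = REGISTRY) -> bool:
    """Evaluate one 'r:' rule; a missing key or value name is a failure."""
    if not rule.startswith("r:"):
        raise ValueError("only registry ('r:') rules are handled here")
    key, name, expected = (part.strip() for part in rule[2:].split("->", 2))
    values = registry.get(key)
    if values is None or name not in values:
        return False
    actual = str(values[name])
    m = _NUMERIC.match(expected)
    if m is None:
        return actual == expected                       # literal comparison
    captured = re.match(m.group("regex"), actual)
    if captured is None:
        return False                                    # data is not numeric
    number = captured.group(1) if captured.groups() else captured.group(0)
    return _OPS[m.group("op")](int(number), int(m.group("num")))


def evaluate_check(rules: List[str], condition: str = "all",
                   registry: Dict[str, Dict[str, object]] = REGISTRY) -> bool:
    """Combine a check's rules the way the policy's 'condition:' key does."""
    results = [evaluate_rule(r, registry) for r in rules]
    return all(results) if condition == "all" else any(results)


# Rules copied from the checks above, keyed by CIS id (all use condition: all).
CHECKS: Dict[str, List[str]] = {
    "18.9.16.2": [r"r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> DisableEnterpriseAuthProxy -> 1"],
    "18.9.16.3": [r"r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> DoNotShowFeedbackNotifications -> 1"],
    "18.9.26.1.1": [r"r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> Retention -> 0"],
    "18.9.26.1.2": [r"r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> n:^(\d+) compare >= 32768"],
    "18.9.26.2.1": [r"r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> Retention -> 0"],
    "18.9.26.2.2": [r"r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> n:^(\d+) compare >= 196608"],
    "18.9.26.4.1": [r"r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> Retention -> 0"],
    "18.9.26.4.2": [r"r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> n:^(\d+) compare >= 32768"],
}


def run_checks(registry: Dict[str, Dict[str, object]] = REGISTRY) -> Dict[str, bool]:
    """Return {cis_id: passed} for every check in CHECKS."""
    return {cis_id: evaluate_check(rules, "all", registry) for cis_id, rules in CHECKS.items()}


if __name__ == "__main__":
    for cis_id, passed in run_checks().items():
        print(f"{cis_id:<12} {'PASS' if passed else 'FAIL'}")
```

Run as a script it prints PASS/FAIL per check. Note that these rules read only the Group Policy key under HKLM\SOFTWARE\Policies; a log whose size was raised in Event Viewer or with wevtutil is recorded under HKLM\SYSTEM\CurrentControlSet\Services\EventLog instead and never satisfies them, which is why the System log entries fail in the snapshot even though nothing says the live log is small.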
# 18.9.30.2 (L1) Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled' (Scored)
- id: 16702
title: "Ensure 'Turn off Data Execution Prevention for Explorer' is set to
'Disabled'"
description: "Disabling Data Execution Prevention can allow certain legacy
plug-in applications to function without terminating Explorer. The recommended
state for this setting is: Disabled."
rationale: "Data Execution Prevention is an important security feature
supported by Explorer that helps to limit the impact of certain types of malware."
remediation: "To establish the recommended configuration via GP, set the
following UI path to Disabled: Computer Configuration\\Policies\\Administrative
Templates\\Windows Components\\File Explorer\\Turn off Data Execution Prevention
for Explorer Note: This Group Policy path may not exist by default. It is provided
by the Group Policy template Explorer.admx/adml that is included with the Microsoft
Windows 7 & Server 2008 R2 Administrative Templates (or newer)."
compliance:
- cis: ["18.9.30.2"]
- cis_csc: ["8.4"]
- pci_dss: ["2.2.4"]
- nist_800_53: ["CM.1"]
- tsc: ["CC5.2"]
references:
- 'CCE-37809-1'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer ->
NoDataExecutionPrevention -> 0'

# 18.9.30.3 (L1) Ensure 'Turn off heap termination on corruption' is set to 'Disabled' (Scored)
- id: 16703
title: "Ensure 'Turn off heap termination on corruption' is set to 'Disabled'"
description: "Disabling heap termination on corruption can allow certain legacy
plug-in applications to function without terminating Explorer immediately,
although Explorer may still terminate unexpectedly later. The recommended state
for this setting is: Disabled."
rationale: "Allowing an application to function after its session has become
corrupt increases the risk posture to the system."
remediation: "To establish the recommended configuration via GP, set the
following UI path to Disabled: Computer Configuration\\Policies\\Administrative
Templates\\Windows Components\\File Explorer\\Turn off heap termination on
corruption Note: This Group Policy path is provided by the Group Policy template
Explorer.admx/adml that is included with all versions of the Microsoft Windows
Administrative Templates."
compliance:
- cis: ["18.9.30.3"]
- cis_csc: ["8.4"]
- pci_dss: ["2.2.4"]
- nist_800_53: ["CM.1"]
- tsc: ["CC5.2"]
references:
- 'CCE-36660-9'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer ->
NoHeapTerminationOnCorruption -> 0'

# 18.9.30.4 (L1) Ensure 'Turn off shell protocol protected mode' is set to 'Disabled' (Scored)
- id: 16704
title: "Ensure 'Turn off shell protocol protected mode' is set to 'Disabled'"
description: "This policy setting allows you to configure the amount of
functionality that the shell protocol can have. When using the full functionality
of this protocol, applications can open folders and launch files. The protected
mode reduces the functionality of this protocol allowing applications to only open
a limited set of folders. Applications are not able to open files with this
protocol when it is in the protected mode. It is recommended to leave this protocol
in the protected mode to increase the security of Windows. The recommended state
for this setting is: Disabled."
rationale: "Limiting the opening of files and folders to a limited set reduces
the attack surface of the system."
remediation: "To establish the recommended configuration via GP, set the
following UI path to Disabled: Computer Configuration\\Policies\\Administrative
Templates\\Windows Components\\File Explorer\\Turn off shell protocol protected
mode Note: This Group Policy path is provided by the Group Policy template
WindowsExplorer.admx/adml that is included with all versions of the Microsoft
Windows Administrative Templates."
compliance:
- cis: ["18.9.30.4"]
- cis_csc: ["8.4"]
- pci_dss: ["2.2.4"]
- nist_800_53: ["CM.1"]
- tsc: ["CC5.2"]
references:
- 'CCE-36809-2'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> PreXPSP2ShellProtocolBehavior -> 0'

# 18.9.39.2 Ensure 'Turn off location' is set to 'Enabled'
- id: 16705
title: "Ensure 'Turn off location' is set to 'Enabled'"
description: "This policy setting turns off the location feature for the
computer. The recommended state for this setting is: Enabled."
rationale: "This setting affects the location feature (e.g. GPS or other
location tracking). From a security perspective, it's not a good idea to reveal
your location to software in most cases, but there are legitimate uses, such as
mapping software. However, they should not be used in high security environments."
remediation: "To establish the recommended configuration via GP, set the
following UI path to Enabled: Computer Configuration\\Policies\\Administrative
Templates\\Windows Components\\Location and Sensors\\Turn off location. Note: This
Group Policy path may not exist by default. It is provided by the Group Policy
template Sensors.admx/adml that is included with the Microsoft Windows 7 & Server
2008 R2 Administrative Templates (or newer)."
compliance:
- cis: ["18.9.39.2"]
- cis_csc: ["13"]
- pci_dss: ["2.2.5"]
- tsc: ["CC6.3"]
references:
- 'CCE-36886-0'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors -> DisableLocation -> 1'

# 18.9.43.1 (L2) Ensure 'Allow Message Service Cloud Sync' is set to 'Disabled' (Scored)
- id: 16706
title: "Ensure 'Allow Message Service Cloud Sync' is set to 'Disabled'"
description: "This policy setting allows backup and restore of cellular text
messages to Microsoft's cloud services. The recommended state for this setting is:
Disabled ."
rationale: "In a high security environment, data should never be sent to any
3rd party since this data could contain sensitive information."
remediation: "To establish the recommended configuration via GP, set the
following UI path to Disabled: Computer Configuration\\Policies\\Administrative
Templates\\Windows Components\\Messaging\\Allow Message Service Cloud Sync Note:
This Group Policy path may not exist by default. It is provided by the Group Policy
template Messaging.admx/adml that is included with the Microsoft Windows 10 Release
1709 Administrative Templates (or newer)."
compliance:
- cis: ["18.9.43.1"]
- cis_csc: ["9.1", "13"]
- pci_dss: ["4.1"]
- hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
- nist_800_53: ["SC.8"]
- tsc: ["CC6.1","CC6.7","CC7.2"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Messaging ->
AllowMessageSync -> 0'

# 18.9.44.1 (L1) Ensure 'Block all consumer Microsoft account user authentication' is set to 'Enabled' (Scored)
- id: 16707
title: "Ensure 'Block all consumer Microsoft account user authentication' is
set to 'Enabled'"
description: "This setting determines whether applications and services on the
device can utilize new consumer Microsoft account authentication via the Windows
OnlineID and WebAccountManager APIs. The recommended state for this setting is:
Enabled ."
rationale: "Organizations that want to effectively implement identity
management policies and maintain firm control of what accounts are used on their
computers will probably want to block Microsoft accounts. Organizations may also
need to block Microsoft accounts in order to meet the requirements of compliance
standards that apply to their information systems."
remediation: "To establish the recommended configuration via GP, set the
following UI path to Enabled: Computer Configuration\\Policies\\Administrative
Templates\\Windows Components\\Microsoft accounts\\Block all consumer Microsoft
account user authentication Note: This Group Policy path may not exist by default.
It is provided by the Group Policy template MSAPolicy.admx/adml that is included
with the Microsoft Windows 10 Release 1703 Administrative Templates (or newer)."
compliance:
- cis: ["18.9.44.1"]
- cis_csc: ["16"]
- pci_dss: ["8.1"]
- tsc: ["CC6.1"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftAccount ->
DisableUserAuth -> 1'

# 18.9.52.1 (L1) Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled' (Scored)
- id: 16708
title: "Ensure 'Prevent the usage of OneDrive for file storage' is set to
'Enabled'"
description: "This policy setting lets you prevent apps and features from
working with files on OneDrive using the Next Generation Sync Client. The
recommended state for this setting is: Enabled."
rationale: "Enabling this setting prevents users from accidentally uploading
confidential or sensitive corporate information to the OneDrive cloud service using
the Next Generation Sync Client."
remediation: "To establish the recommended configuration via GP, set the
following UI path to Enabled: Computer Configuration\\Policies\\Administrative
Templates\\Windows Components\\OneDrive\\Prevent the usage of OneDrive for file
storage Note: This Group Policy path may not exist by default. It is provided by
the Group Policy template SkyDrive.admx/adml that is included with the Microsoft
Windows 8.1 & Server 2012 R2 Administrative Templates (or newer). However, we
strongly recommend you only use the version included with the Microsoft Windows 10
Release 1607 & Server 2016 Administrative Templates (or newer). Older versions of
the templates had conflicting settings in different template files for both
OneDrive & SkyDrive, until it was cleaned up properly in the above version. Note
#2: In older Microsoft Windows Administrative Templates, this setting was named
Prevent the usage of SkyDrive for file storage, but it was renamed starting with
the Windows 10 RTM (Release 1507) Administrative Templates."
compliance:
- cis: ["18.9.52.1"]
- cis_csc: ["13"]
- pci_dss: ["4.1"]
- hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
- nist_800_53: ["SC.8"]
- tsc: ["CC6.1","CC6.7","CC7.2"]
references:
- 'CCE-36939-7'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\OneDrive ->
DisableFileSyncNGSC -> 1'

# 18.9.59.2.2 (L1) Ensure 'Do not allow passwords to be saved' is set to 'Enabled' (Scored)
- id: 16709
title: "Ensure 'Do not allow passwords to be saved' is set to 'Enabled'"
description: "This policy setting helps prevent Remote Desktop clients from
saving passwords on a computer. The recommended state for this setting is: Enabled.
Note: If this policy setting was previously configured as Disabled or Not
configured, any previously saved passwords will be deleted the first time a Remote
Desktop client disconnects from any server."
rationale: "An attacker with physical access to the computer may be able to
break the protection guarding saved passwords. An attacker who compromises a user's
account and connects to their computer could use saved passwords to gain access to
additional hosts."
remediation: "To establish the recommended configuration via GP, set the
following UI path to Enabled: Computer Configuration\\Policies\\Administrative
Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Connection
Client\\Do not allow passwords to be saved Note: This Group Policy path is provided
by the Group Policy template TerminalServer.admx/adml that is included with all
versions of the Microsoft Windows Administrative Templates."
compliance:
- cis: ["18.9.59.2.2"]
- cis_csc: ["16.4"]
- pci_dss: ["12.3.8"]
references:
- 'CCE-36223-6'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal
Services -> DisablePasswordSaving -> 1'

# 18.9.59.3.2.1 Ensure 'Restrict Remote Desktop Services users to a single Remote Desktop Services session' is set to 'Enabled'
- id: 16710
title: "Ensure 'Restrict Remote Desktop Services users to a single Remote
Desktop Services session' is set to 'Enabled'"
description: "This policy setting allows you to restrict users to a single
Remote Desktop Services session. The recommended state for this setting is:
Enabled."
rationale: "This setting ensures that users & administrators who Remote Desktop
to a server will continue to use the same session - if they disconnect and
reconnect, they will go back to the same session they were using before, preventing
the creation of a second simultaneous session. This both prevents unnecessary
resource usage by having the server host unnecessary additional sessions (which
would put extra load on the server) and also ensures a consistency of experience
for the user."
remediation: "To establish the recommended configuration via GP, set the
following UI path to Enabled: Computer Configuration\\Policies\\Administrative
Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session
Host\\Connections\\Restrict Remote Desktop Services users to a single Remote
Desktop Services session. Note: This Group Policy path is provided by the Group
Policy template TerminalServer.admx/adml that is included with all versions of the
Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows
Administrative Templates, this setting was named Restrict Terminal Services users
to a single remote session, but it was renamed starting with the Windows 7 & Server
2008 R2 Administrative Templates."
compliance:
- cis: ["18.9.59.3.2.1"]
- pci_dss: ["7.2"]
- tsc: ["CC6.4"]
references:
- 'CCE-37708-5'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal
Services -> fSingleSessionPerUser -> 1'

# 18.9.59.3.3.1 Ensure 'Do not allow COM port redirection' is set to 'Enabled'
- id: 16711
title: "Ensure 'Do not allow COM port redirection' is set to 'Enabled'"
description: "This policy setting specifies whether to prevent the redirection
of data to client COM ports from the remote computer in a Remote Desktop Services
session. The recommended state for this setting is: Enabled."
rationale: "In a more security-sensitive environment, it is desirable to reduce
the possible attack surface. The need for COM port redirection within a Remote
Desktop session is very rare, so it makes sense to reduce the number of unexpected
avenues for data exfiltration and/or malicious code transfer."
remediation: "To establish the recommended configuration via GP, set the
following UI path to Enabled: Computer Configuration\\Policies\\Administrative
Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session
Host\\Device and Resource Redirection\\Do not allow COM port redirection. Note:
This Group Policy path is provided by the Group Policy template
TerminalServer.admx/adml that is included with all versions of the Microsoft
Windows Administrative Templates."
compliance:
- cis: ["18.9.59.3.3.1"]
- cis_csc: ["9.1"]
- pci_dss: ["2.2.5"]
- tsc: ["CC6.3"]
references:
- 'CCE-37696-2'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal
Services -> fDisableCcm -> 1'

# 18.9.59.3.3.2 (L1) Ensure 'Do not allow drive redirection' is set to 'Enabled' (Scored)
- id: 16712
title: "Ensure 'Do not allow drive redirection' is set to 'Enabled'"
description: "This policy setting prevents users from sharing the local drives
on their client computers to Remote Desktop Servers that they access. Mapped drives
appear in the session folder tree in Windows Explorer in the following format:
\\\\TSClient\\<driveletter>$. If local drives are shared they are left vulnerable to
intruders who want to exploit the data that is stored on them. The recommended
state for this setting is: Enabled."
rationale: "Data could be forwarded from the user's Remote Desktop Services
session to the user's local computer without any direct user interaction. Malicious
software already present on a compromised server would have direct and stealthy
disk access to the user's local computer during the Remote Desktop session."
remediation: "To establish the recommended configuration via GP, set the
following UI path to Enabled: Computer Configuration\\Policies\\Administrative
Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session
Host\\Device and Resource Redirection\\Do not allow drive redirection. Note: This
Group Policy path is provided by the Group Policy template TerminalServer.admx/adml
that is included with all versions of the Microsoft Windows Administrative
Templates."
compliance:
- cis: ["18.9.59.3.3.2"]
- cis_csc: ["13"]
- pci_dss: ["4.1"]
- hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
- nist_800_53: ["SC.8"]
- tsc: ["CC6.1","CC6.7","CC7.2"]
references:
- 'CCE-36509-8'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal
Services -> fDisableCdm -> 1'

# 18.9.59.3.3.3 Ensure 'Do not allow LPT port redirection' is set to 'Enabled'
- id: 16713
title: "Ensure 'Do not allow LPT port redirection' is set to 'Enabled'"
description: "This policy setting specifies whether to prevent the redirection
of data to client LPT ports during a Remote Desktop Services session. The
recommended state for this setting is: Enabled."
rationale: "In a more security-sensitive environment, it is desirable to reduce
the possible attack surface. The need for LPT port redirection within a Remote
Desktop session is very rare, so it makes sense to reduce the number of unexpected
avenues for data exfiltration and/or malicious code transfer."
remediation: "To establish the recommended configuration via GP, set the
following UI path to Enabled: Computer Configuration\\Policies\\Administrative
Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session
Host\\Device and Resource Redirection\\Do not allow LPT port redirection. Note:
This Group Policy path is provided by the Group Policy template
TerminalServer.admx/adml that is included with all versions of the Microsoft
Windows Administrative Templates."
compliance:
- cis: ["18.9.59.3.3.3"]
- cis_csc: ["9.1"]
- pci_dss: ["2.2.5"]
- tsc: ["CC6.3"]
references:
- 'CCE-37778-8'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal
Services -> fDisableLPT -> 1'

# 18.9.59.3.3.4 Ensure 'Do not allow supported Plug and Play device redirection' is set to 'Enabled'
- id: 16714
title: "Ensure 'Do not allow supported Plug and Play device redirection' is set
to 'Enabled'"
description: "This policy setting allows you to control the redirection of
supported Plug and Play devices, such as Windows Portable Devices, to the remote
computer in a Remote Desktop Services session. The recommended state for this
setting is: Enabled."
rationale: "In a more security-sensitive environment, it is desirable to reduce
the possible attack surface. The need for Plug and Play device redirection within a
Remote Desktop session is very rare, so it makes sense to reduce the number of
unexpected avenues for data exfiltration and/or malicious code transfer."
remediation: "To establish the recommended configuration via GP, set the
following UI path to Enabled: Computer Configuration\\Policies\\Administrative
Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session
Host\\Device and Resource Redirection\\Do not allow supported Plug and Play device
redirection. Note: This Group Policy path is provided by the Group Policy template
TerminalServer.admx/adml that is included with all versions of the Microsoft
Windows Administrative Templates."
compliance:
- cis: ["18.9.59.3.3.4"]
- cis_csc: ["9.1"]
- pci_dss: ["2.2.5"]
- tsc: ["CC6.3"]
references:
- 'CCE-37477-7'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal
Services -> fDisablePNPRedir -> 1'

# 18.9.59.3.9.1 (L1) Ensure 'Always prompt for password upon connection' is set to 'Enabled' (Scored)
- id: 16715
title: "Ensure 'Always prompt for password upon connection' is set to
'Enabled'"
description: "This policy setting specifies whether Remote Desktop Services
always prompts the client computer for a password upon connection. You can use this
policy setting to enforce a password prompt for users who log on to Remote Desktop
Services, even if they already provided the password in the Remote Desktop
Connection client. The recommended state for this setting is: Enabled."
rationale: "Users have the option to store both their username and password
when they create a new Remote Desktop Connection shortcut. If the server that runs
Remote Desktop Services allows users who have used this feature to log on to the
server but not enter their password, then it is possible that an attacker who has
gained physical access to the user's computer could connect to a Remote Desktop
Server through the Remote Desktop Connection shortcut, even though they may not
know the user's password."
remediation: "To establish the recommended configuration via GP, set the
following UI path to Enabled: Computer Configuration\\Policies\\Administrative
Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session
Host\\Security\\Always prompt for password upon connection. Note: This Group Policy
path is provided by the Group Policy template TerminalServer.admx/adml that is
included with all versions of the Microsoft Windows Administrative Templates. Note
#2: In the Microsoft Windows Vista Administrative Templates, this setting was named
Always prompt client for password upon connection, but it was renamed starting with
the Windows Server 2008 (non-R2) Administrative Templates."
compliance:
- cis: ["18.9.59.3.9.1"]
- cis_csc: ["16.14"]
- pci_dss: ["8.2.1"]
- tsc: ["CC6.1"]
references:
- 'CCE-37929-7'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal
Services -> fPromptForPassword -> 1'

# 18.9.59.3.9.2 (L1) Ensure 'Require secure RPC communication' is set to 'Enabled' (Scored)
- id: 16716
title: "Ensure 'Require secure RPC communication' is set to 'Enabled'"
description: "This policy setting allows you to specify whether Remote Desktop
Services requires secure Remote Procedure Call (RPC) communication with all clients
or allows unsecured communication. You can use this policy setting to strengthen
the security of RPC communication with clients by allowing only authenticated and
encrypted requests. The recommended state for this setting is: Enabled."
rationale: "Allowing unsecured RPC communication can expose the server to
man-in-the-middle attacks and data disclosure attacks."
remediation: "To establish the recommended configuration via GP, set the
following UI path to Enabled: Computer Configuration\\Policies\\Administrative
Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session
Host\\Security\\Require secure RPC communication. Note: This Group Policy path is
provided by the Group Policy template TerminalServer.admx/adml that is included
with all versions of the Microsoft Windows Administrative Templates."
compliance:
- cis: ["18.9.59.3.9.2"]
- cis_csc: ["3.4"]
- pci_dss: ["8.2.1"]
- tsc: ["CC6.1"]
references:
- 'CCE-37567-5'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal
Services -> fEncryptRPCTraffic -> 1'

# 18.9.59.3.9.3 (L1) Ensure 'Require use of specific security layer for remote (RDP) connections' is set to 'Enabled: SSL' (Scored)
- id: 16717
title: "Ensure 'Require use of specific security layer for remote (RDP)
connections' is set to 'Enabled: SSL'"
description: "This policy setting specifies whether to require the use of a
specific security layer to secure communications between clients and RD Session
Host servers during Remote Desktop Protocol (RDP) connections. The recommended
state for this setting is: Enabled: SSL. Note: In spite of this setting being
labeled SSL, it is actually enforcing Transport Layer Security (TLS) version 1.0,
not the older (and less secure) SSL protocol."
rationale: "The native Remote Desktop Protocol (RDP) encryption is now
considered a weak protocol, so enforcing the use of stronger Transport Layer
Security (TLS) encryption for all RDP communications between clients and RD Session
Host servers is preferred."
remediation: "To establish the recommended configuration via GP, set the
following UI path to Enabled: SSL: Computer Configuration\\Policies\\
Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote
Desktop Session Host\\Security\\Require use of specific security layer for remote
(RDP) connections. Note: This Group Policy path is provided by the Group Policy
template TerminalServer.admx/adml that is included with all versions of the
Microsoft Windows Administrative Templates."
compliance:
- cis: ["18.9.59.3.9.3"]
- cis_csc: ["3.4"]
- pci_dss: ["8.2.1"]
- tsc: ["CC6.1"]
references:
- 'CCE-36598-1'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal
Services -> SecurityLayer -> 2'

# 18.9.59.3.9.4 (L1) Ensure 'Require user authentication for remote connections by using Network Level Authentication' is set to 'Enabled' (Scored)
- id: 16718
title: "Ensure 'Require user authentication for remote connections by using
Network Level Authentication' is set to 'Enabled'"
description: "This policy setting allows you to specify whether to require user
authentication for remote connections to the RD Session Host server by using
Network Level Authentication. The recommended state for this setting is: Enabled."
rationale: "Requiring that user authentication occur earlier in the remote
connection process enhances security."
remediation: "To establish the recommended configuration via GP, set the
following UI path to Enabled: Computer Configuration\\Policies\\Administrative
Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session
Host\\Security\\Require user authentication for remote connections by using Network
Level Authentication. Note: This Group Policy path is provided by the Group Policy
template TerminalServer.admx/adml that is included with all versions of the
Microsoft Windows Administrative Templates."
compliance:
- cis: ["18.9.59.3.9.4"]
- cis_csc: ["3.4"]
- pci_dss: ["8.2.1"]
- tsc: ["CC6.1"]
references:
- 'CCE-36598-1'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal
Services -> UserAuthentication -> 1'

# 18.9.59.3.9.5 (L1) Ensure 'Set client connection encryption level' is set to 'Enabled: High Level' (Scored)
- id: 16719
title: "Ensure 'Set client connection encryption level' is set to 'Enabled:
High Level'"
description: "This policy setting specifies whether to require the use of a
specific encryption level to secure communications between client computers and RD
Session Host servers during Remote Desktop Protocol (RDP) connections. This policy
only applies when you are using native RDP encryption. However, native RDP
encryption (as opposed to SSL encryption) is not recommended. This policy does not
apply to SSL encryption. The recommended state for this setting is: Enabled: High
Level."
rationale: "If Remote Desktop client connections that use low level encryption
are allowed, it is more likely that an attacker will be able to decrypt any
captured Remote Desktop Services network traffic."
remediation: "To establish the recommended configuration via GP, set the
following UI path to Enabled: High Level: Computer Configuration\\Policies\\
Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote
Desktop Session Host\\Security\\Set client connection encryption level. Note: This
Group Policy path is provided by the Group Policy template TerminalServer.admx/adml
that is included with all versions of the Microsoft Windows Administrative
Templates."
compliance:
- cis: ["18.9.59.3.9.5"]
- cis_csc: ["3.4"]
- pci_dss: ["8.2.1"]
- tsc: ["CC6.1"]
references:
- 'CCE-36627-8'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal
Services -> MinEncryptionLevel -> 3'

# 18.9.59.3.10.1 Ensure 'Set time limit for active but idle Remote Desktop Services sessions' is set to 'Enabled: 15 minutes or less'
- id: 16720
title: "Ensure 'Set time limit for active but idle Remote Desktop Services
sessions' is set to 'Enabled: 15 minutes or less'"
description: "This policy setting allows you to specify the maximum amount of
time that an active Remote Desktop Services session can be idle (without user
input) before it is automatically disconnected. The recommended state for this
setting is: Enabled: 15 minutes or less."
rationale: "This setting helps to prevent active Remote Desktop sessions from
tying up the computer for long periods of time while not in use, preventing
computing resources from being consumed by large numbers of inactive sessions. In
addition, old, forgotten Remote Desktop sessions that are still active can cause
password lockouts if the user's password has changed but the old session is still
running. For systems that limit the number of connected users (e.g. servers in the
default Administrative mode - 2 sessions only), other users' old but still active
sessions can prevent another user from connecting, resulting in an effective denial
of service."
remediation: "To establish the recommended configuration via GP, set the
following UI path to Enabled: 15 minutes or less: Computer Configuration\\
Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\
Remote Desktop Session Host\\Session Time Limits\\Set time limit for active but
idle Remote Desktop Services sessions. Note: This Group Policy path is provided by
the Group Policy template TerminalServer.admx/adml that is included with all
versions of the Microsoft Windows Administrative Templates. Note #2: In older
Microsoft Windows Administrative Templates, this setting was named Set time limit
for active but idle Terminal Services sessions, but it was renamed starting with
the Windows 7 & Server 2008 R2 Administrative Templates."
compliance:
- cis: ["18.9.59.3.10.1"]
- cis_csc: ["16.5"]
- pci_dss: ["8.1.8"]
- tsc: ["CC6.1"]
references:
- 'CCE-37562-6'
- https://workbench.cisecurity.org/benchmarks/766
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal
Services -> MaxIdleTime -> n:^(\d+) compare <= 900000'
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal
Services -> MaxIdleTime -> n:^(\d+) compare != 0'

# 18.9.59.3.10.2 Ensure 'Set time limit for disconnected sessions' is set to 'Enabled: 1 minute'
- id: 16721
title: "Ensure 'Set time limit for disconnected sessions' is set to 'Enabled: 1
minute'"
description: "This policy setting allows you to configure a time limit for
disconnected Remote Desktop Services sessions. The recommended state for this
setting is: Enabled: 1 minute."
rationale: "This setting helps to prevent active Remote Desktop sessions from
tying up the computer for long periods of time while not in use, preventing
computing resources from being consumed by large numbers of disconnected but still
active sessions. In addition, old, forgotten Remote Desktop sessions that are still
active can cause password lockouts if the user's password has changed but the old
session is still running. For systems that limit the number of connected users
(e.g. servers in the default Administrative mode - 2 sessions only), other users'
old but still active sessions can prevent another user from connecting, resulting
in an effective denial of service. This setting is important to ensure a
disconnected session is properly terminated."
remediation: "To establish the recommended configuration via GP, set the
following UI path to Enabled: 1 minute: Computer Configuration\\Policies\\
Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote
Desktop Session Host\\Session Time Limits\\Set time limit for disconnected
sessions. Note: This Group Policy path is provided by the Group Policy template
TerminalServer.admx/adml that is included with all versions of the Microsoft
Windows Administrative Templates."
compliance:
- cis: ["18.9.59.3.10.2"]
- cis_csc: ["16.5"]
- pci_dss: ["8.1"]
- tsc: ["CC6.1"]
references:
- 'CCE-37949-5'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal
Services -> MaxDisconnectionTime -> 60000'

# 18.9.59.3.11.1 (L1) Ensure 'Do not delete temp folders upon exit' is set to 'Disabled' (Scored)
- id: 16722
title: "Ensure 'Do not delete temp folders upon exit' is set to 'Disabled'"
description: "This policy setting specifies whether Remote Desktop Services
retains a user's per-session temporary folders at logoff. The recommended state for
this setting is: Disabled."
rationale: "Sensitive information could be contained inside the temporary
folders and visible to other administrators that log into the system."
remediation: "To establish the recommended configuration via GP, set the
following UI path to Disabled: Computer Configuration\\Policies\\Administrative
Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session
Host\\Temporary Folders\\Do not delete temp folders upon exit. Note: This Group
Policy path is provided by the Group Policy template TerminalServer.admx/adml that
is included with all versions of the Microsoft Windows Administrative Templates.
Note #2: In older Microsoft Windows Administrative Templates, this setting was
named Do not delete temp folder upon exit, but it was renamed starting with the
Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
compliance:
- cis: ["18.9.59.3.11.1"]
- cis_csc: ["14.4"]
- pci_dss: ["7.1"]
- tsc: ["CC6.4"]
references:
- 'CCE-37946-1'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal
Services -> DeleteTempDirsOnExit -> 1'

# 18.9.59.3.11.2 (L1) Ensure 'Do not use temporary folders per session' is set to 'Disabled' (Scored)
- id: 16723
title: "Ensure 'Do not use temporary folders per session' is set to 'Disabled'"
description: "By default, Remote Desktop Services creates a separate temporary
folder on the RD Session Host server for each active session that a user maintains
on the RD Session Host server. The temporary folder is created on the RD Session
Host server in a Temp folder under the user's profile folder and is named with the
sessionid. This temporary folder is used to store individual temporary files. To
reclaim disk space, the temporary folder is deleted when the user logs off from a
session. The recommended state for this setting is: Disabled."
rationale: "Disabling this setting keeps the cached data independent for each
session, both reducing the chance of problems from shared cached data between
sessions, and keeping possibly sensitive data separate to each user session."
remediation: "To establish the recommended configuration via GP, set the
following UI path to Disabled: Computer Configuration\\Policies\\Administrative
Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session
Host\\Temporary Folders\\Do not use temporary folders per session. Note: This Group
Policy path is provided by the Group Policy template TerminalServer.admx/adml that
is included with all versions of the Microsoft Windows Administrative Templates."
compliance:
- cis: ["18.9.59.3.11.2"]
- cis_csc: ["14.4"]
- pci_dss: ["7.1"]
- tsc: ["CC6.4"]
references:
- 'CCE-38180-6'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal
Services -> PerSessionTempDir -> 1'

# 18.9.60.1 Ensure 'Prevent downloading of enclosures' is set to 'Enabled'
- id: 16724
title: "Ensure 'Prevent downloading of enclosures' is set to 'Enabled'"
description: "This policy setting prevents the user from having enclosures
(file attachments) downloaded from an RSS feed to the user's computer. The
recommended state for this setting is: Enabled."
rationale: "Allowing attachments to be downloaded through the RSS feed can
introduce files that could have malicious intent."
remediation: "To establish the recommended configuration via GP, set the
following UI path to Enabled: Computer Configuration\\Policies\\Administrative
Templates\\Windows Components\\RSS Feeds\\Prevent downloading of enclosures. Note:
This Group Policy path is provided by the Group Policy template InetRes.admx/adml
that is included with all versions of the Microsoft Windows Administrative
Templates. Note #2: In older Microsoft Windows Administrative Templates, this
setting was named Turn off downloading of enclosures, but it was renamed starting
with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
compliance:
- cis: ["18.9.60.1"]
- cis_csc: ["7.2"]
- pci_dss: ["2.2.4"]
- nist_800_53: ["CM.1"]
- tsc: ["CC5.2"]
references:
- 'CCE-37126-0'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds -> DisableEnclosureDownload -> 1'

# 18.9.61.2 (L2) Ensure 'Allow Cloud Search' is set to 'Enabled: Disable Cloud Search' (Scored)
- id: 16725
title: "Ensure 'Allow Cloud Search' is set to 'Enabled: Disable Cloud Search'"
description: "This policy setting allows search and Cortana to search cloud
sources like OneDrive and SharePoint. The recommended state for this setting is:
Enabled: Disable Cloud Search."
rationale: "Due to privacy concerns, data should never be sent to any 3rd party
since this data could contain sensitive information."
remediation: "To establish the recommended configuration via GP, set the
following UI path to Enabled: Disable Cloud Search: Computer Configuration\\
Policies\\Administrative Templates\\Windows Components\\Search\\Allow Cloud Search.
Note: This Group Policy path may not exist by default. It is provided by the Group
Policy template Search.admx/adml that is included with the Microsoft Windows 10
Release 1709 Administrative Templates (or newer)."
compliance:
- cis: ["18.9.61.2"]
- cis_csc: ["9.1"]
- pci_dss: ["2.2.5"]
- tsc: ["CC6.3"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search ->
AllowCloudSearch -> 0'

# 18.9.61.3 Ensure 'Allow indexing of encrypted files' is set to 'Disabled'
- id: 16726
title: "Ensure 'Allow indexing of encrypted files' is set to 'Disabled'"
description: "This policy setting controls whether encrypted items are allowed
to be indexed. When this setting is changed, the index is rebuilt completely. Full
volume encryption (such as BitLocker Drive Encryption or a non-Microsoft solution)
must be used for the location of the index to maintain security for encrypted
files. The recommended state for this setting is: Disabled."
rationale: "Indexing and allowing users to search encrypted files could
potentially reveal confidential data stored within the encrypted files."
remediation: "To establish the recommended configuration via GP, set the
following UI path to Disabled: Computer Configuration\\Policies\\Administrative
Templates\\Windows Components\\Search\\Allow indexing of encrypted files. Note: This
Group Policy path is provided by the Group Policy template Search.admx/adml that is
included with all versions of the Microsoft Windows Administrative Templates."
compliance:
- cis: ["18.9.61.3"]
- cis_csc: ["13.1"]
- pci_dss: ["2.2.5"]
- tsc: ["CC6.3"]
references:
- 'CCE-38277-0'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search ->
AllowIndexingEncryptedStoresOrItems -> 0'

# 18.9.66.1 Ensure 'Turn off KMS Client Online AVS Validation' is set to 'Enabled'
- id: 16727
title: "Ensure 'Turn off KMS Client Online AVS Validation' is set to 'Enabled'"
description: "The Key Management Service (KMS) is a Microsoft license
activation method that entails setting up a local server to store the software
licenses. The KMS server itself needs to connect to Microsoft to activate the KMS
service, but subsequent on-network clients can activate Microsoft Windows OS and/or
their Microsoft Office via the KMS server instead of connecting directly to
Microsoft. This policy setting lets you opt-out of sending KMS client activation
data to Microsoft automatically. The recommended state for this setting is:
Enabled."
rationale: "Even though the KMS licensing method does not require KMS clients
to connect to Microsoft, they still send KMS client activation state data to
Microsoft automatically. Preventing this information from being sent can help
reduce privacy concerns in high security environments."
remediation: "To establish the recommended configuration via GP, set the
following UI path to Enabled: Computer Configuration\\Policies\\Administrative
Templates\\Windows Components\\Software Protection Platform\\Turn off KMS Client
Online AVS Validation. Note: This Group Policy path may not exist by default. It is
provided by the Group Policy template AVSValidationGP.admx/adml that is included
with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or
newer)."
compliance:
- cis: ["18.9.66.1"]
- pci_dss: ["2.2.5"]
- tsc: ["CC6.3"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform -> NoGenTicket -> 1'

# 18.9.77.3.1 (L1) Ensure 'Configure local setting override for reporting to Microsoft MAPS' is set to 'Disabled' (Scored)
- id: 16728
title: "Ensure 'Configure local setting override for reporting to Microsoft
MAPS' is set to 'Disabled'"
description: "This policy setting configures a local override for the
configuration to join Microsoft Active Protection Service (MAPS), which Microsoft
has now renamed to \"Windows Defender Antivirus Cloud Protection Service\". This
setting can only be set by Group Policy. The recommended state for this setting is:
Disabled."
rationale: "The decision on whether or not to participate in Microsoft MAPS /
Windows Defender Antivirus Cloud Protection Service for malicious software
reporting should be made centrally in an enterprise managed environment, so that
all computers within it behave consistently in that regard. Configuring this
setting to Disabled ensures that the decision remains centrally managed."
remediation: "To establish the recommended configuration via GP, set the
following UI path to Disabled: Computer Configuration\\Policies\\Administrative
Templates\\Windows Components\\Windows Defender Antivirus\\MAPS\\Configure local
setting override for reporting to Microsoft MAPS. Note: This Group Policy path may
not exist by default. It is provided by the Group Policy template
WindowsDefender.admx/adml that is included with the Microsoft Windows 8.1 & Server
2012 R2 Administrative Templates (or newer)."
compliance:
- cis: ["18.9.77.3.1"]
- cis_csc: ["8"]
- pci_dss: ["2.2.3"]
- nist_800_53: ["CM.1"]
- gpg_13: ["4.3"]
- gdpr_IV: ["35.7.d"]
- hipaa: ["164.312.b"]
- tsc: ["CC5.2"]
references:
- 'CCE-36940-5'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet -> LocalSettingOverrideSpynetReporting -> 0'

# 18.9.77.3.2 Ensure 'Join Microsoft MAPS' is set to 'Disabled'
- id: 16729
title: "Ensure 'Join Microsoft MAPS' is set to 'Disabled'"
description: "This policy setting allows you to join Microsoft Active
Protection Service (MAPS), which Microsoft has now renamed to 'Windows Defender
Antivirus Cloud Protection Service'. Microsoft MAPS / Windows Defender Antivirus
Cloud Protection Service is the online community that helps you choose how to
respond to potential threats. The community also helps stop the spread of new
malicious software infections. You can choose to send basic or additional
information about detected software. Additional information helps Microsoft create
new definitions and helps it to protect your computer. Possible options are: (0x0)
Disabled (default), (0x1) Basic membership, (0x2) Advanced membership. Basic
membership will send basic information to Microsoft about software that has been
detected, including where the software came from, the actions that you apply or
that are applied automatically, and whether the actions were successful. Advanced
membership, in addition to basic information, will send more information to
Microsoft about malicious software, spyware, and potentially unwanted software,
including the location of the software, file names, how the software operates, and
how it has impacted your computer. The recommended state for this setting is:
Disabled."
rationale: "The information that would be sent can include things like location
of detected items on your computer if harmful software was removed. The information
would be automatically collected and sent. In some instances personal information
might unintentionally be sent to Microsoft. However, Microsoft states that it will
not use this information to identify you or contact you. For privacy reasons in
high security environments, it is best to prevent these data submissions
altogether."
remediation: "To establish the recommended configuration via GP, set the
following UI path to Disabled: Computer Configuration\\Policies\\Administrative
Templates\\Windows Components\\Windows Defender Antivirus\\MAPS\\Join Microsoft
MAPS. Note: This Group Policy path may not exist by default. It is provided by the
Group Policy template WindowsDefender.admx/adml that is included with the Microsoft
Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
compliance:
- cis: ["18.9.77.3.2"]
- pci_dss: ["2.2.5"]
- tsc: ["CC6.3"]
condition: all
rules:
- 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet -> SpynetReporting'

# 18.9.77.7.1 (L1) Ensure 'Turn on behavior monitoring' is set to 'Enabled' (Scored)
- id: 16730
title: "Ensure 'Turn on behavior monitoring' is set to 'Enabled'"
description: "This policy setting allows you to configure behavior monitoring
for Windows Defender Antivirus. The recommended state for this setting is:
Enabled."
rationale: "When running an antivirus solution such as Windows Defender
Antivirus, it is important to ensure that it is configured to heuristically monitor
in real-time for suspicious and known malicious activity."
remediation: "To establish the recommended configuration via GP, set the
following UI path to Enabled: Computer Configuration\\Policies\\Administrative
Templates\\Windows Components\\Windows Defender Antivirus\\Real-Time Protection\\
Turn on behavior monitoring. Note: This Group Policy path may not exist by default.
It is provided by the Group Policy template WindowsDefender.admx/adml that is
included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates
(or newer)."
compliance:
- cis: ["18.9.77.7.1"]
- cis_csc: ["8.1"]
- pci_dss: ["5.2"]
references:
- 'CCE-38389-3'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection -> DisableBehaviorMonitoring -> 0'

# Section - 18.9.77.9 - Reporting

# 18.9.77.9.1 Ensure 'Configure Watson events' is set to 'Disabled'
- id: 16731
title: "Ensure 'Configure Watson events' is set to 'Disabled'"
description: "This policy setting allows you to configure whether or not Watson
events are sent."
rationale: "Watson events are the reports that get sent to Microsoft when a
program or service crashes or fails, including the possibility of automatic
submission."
remediation: "To establish the recommended configuration via GP, set the
following UI path to Disabled: Computer Configuration\\Policies\\Administrative
Templates\\Windows Components\\Windows Defender Antivirus\\Reporting\\Configure
Watson events."
compliance:
- cis: ["18.9.77.9.1"]
- cis_csc: ["13"]
- pci_dss: ["2.2.5"]
- tsc: ["CC6.3"]
references:
- 'CCE-36950-4'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting -> DisableGenericRePorts -> 1'

# 18.9.77.10.1 (L1) Ensure 'Scan removable drives' is set to 'Enabled' (Scored)
- id: 16732
title: "Ensure 'Scan removable drives' is set to 'Enabled'"
description: "This policy setting allows you to manage whether or not to scan
for malicious software and unwanted software in the contents of removable drives,
such as USB flash drives, when running a full scan. The recommended state for this
setting is: Enabled."
rationale: "It is important to ensure that any present removable drives are
always included in any type of scan, as removable drives are more likely to contain
malicious software brought in to the enterprise managed environment from an
external, unmanaged computer."
remediation: "To establish the recommended configuration via GP, set the
following UI path to Enabled: Computer Configuration\\Policies\\Administrative
Templates\\Windows Components\\Windows Defender Antivirus\\Scan\\Scan removable
drives Note: This Group Policy path may not exist by default. It is provided by the
Group Policy template WindowsDefender.admx/adml that is included with the Microsoft
Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
compliance:
- cis: ["18.9.77.10.1"]
- cis_csc: ["13"]
- pci_dss: ["2.2.3"]
- nist_800_53: ["CM.1"]
- gpg_13: ["4.3"]
- gdpr_IV: ["35.7.d"]
- hipaa: ["164.312.b"]
- tsc: ["CC5.2"]
references:
- 'CCE-38409-9'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan -> DisableRemovableDriveScanning -> 0'

# 18.9.77.10.2 (L1) Ensure 'Turn on e-mail scanning' is set to 'Enabled' (Scored)
- id: 16733
title: "Ensure 'Turn on e-mail scanning' is set to 'Enabled'"
description: "This policy setting allows you to configure e-mail scanning. When
e-mail scanning is enabled, the engine will parse the mailbox and mail files,
according to their specific format, in order to analyze the mail bodies and
attachments. Several e-mail formats are currently supported, for example: pst
(Outlook), dbx, mbx, mime (Outlook Express), binhex (Mac). The recommended state
for this setting is: Enabled."
rationale: "Incoming e-mails should be scanned by an antivirus solution such as
Windows Defender Antivirus, as email attachments are a commonly used attack vector
to infiltrate computers with malicious software."
remediation: "To establish the recommended configuration via GP, set the
following UI path to Enabled: Computer Configuration\\Policies\\Administrative
Templates\\Windows Components\\Windows Defender Antivirus\\Scan\\Turn on e-mail
scanning Note: This Group Policy path may not exist by default. It is provided by
the Group Policy template WindowsDefender.admx/adml that is included with the
Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
compliance:
- cis: ["18.9.77.10.2"]
- cis_csc: ["13"]
- pci_dss: ["2.2.3"]
- nist_800_53: ["CM.1"]
- gpg_13: ["4.3"]
- gdpr_IV: ["35.7.d"]
- hipaa: ["164.312.b"]
- tsc: ["CC5.2"]
references:
- 'CCE-36958-7'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan -> DisableEmailScanning -> 0'

# 18.9.77.13.3.1 (L1) Ensure 'Prevent users and apps from accessing dangerous websites' is set to 'Enabled: Block' (Scored)
- id: 16734
title: "Ensure 'Prevent users and apps from accessing dangerous websites' is
set to 'Enabled: Block'"
description: "This policy setting controls Windows Defender Exploit Guard
network protection. The recommended state for this setting is: Enabled: Block."
rationale: "This setting can help prevent employees from using any application
to access dangerous domains that may host phishing scams, exploit-hosting sites,
and other malicious content on the Internet."
remediation: "To establish the recommended configuration via GP, set the
following UI path to Enabled: Block: Computer Configuration\\Policies\\
Administrative Templates\\Windows Components\\Windows Defender Antivirus\\Windows
Defender Exploit Guard\\Network Protection\\Prevent users and apps from accessing
dangerous websites Note: This Group Policy path may not exist by default. It is
provided by the Group Policy template WindowsDefender.admx/adml that is included
with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer)."
compliance:
- cis: ["18.9.77.13.3.1"]
- cis_csc: ["7"]
- pci_dss: ["2.2.3"]
- nist_800_53: ["CM.1"]
- gpg_13: ["4.3"]
- gdpr_IV: ["35.7.d"]
- hipaa: ["164.312.b"]
- tsc: ["CC5.2"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection -> EnableNetworkProtection -> 1'

# 18.9.77.14 (L1) Ensure 'Configure detection for potentially unwanted applications' is set to 'Enabled: Block' (Scored)
- id: 16735
title: "Ensure 'Configure detection for potentially unwanted applications' is
set to 'Enabled: Block'"
description: "This policy setting controls detection and action for Potentially
Unwanted Applications (PUA), which are sneaky unwanted application bundlers or
their bundled applications, that can deliver adware or malware. The recommended
state for this setting is: Enabled: Block. For more information, see this link:
Block potentially unwanted applications with Windows Defender Antivirus | Microsoft
Docs"
rationale: "Potentially unwanted applications can increase the risk of your
network being infected with malware, cause malware infections to be harder to
identify, and can waste IT resources in cleaning up the applications. They should
be blocked from installation."
remediation: "To establish the recommended configuration via GP, set the
following UI path to Enabled: Block: Computer Configuration\\Policies\\
Administrative Templates\\Windows Components\\Windows Defender Antivirus\\Configure
detection for potentially unwanted applications Note: This Group Policy path is
provided by the Group Policy template WindowsDefender.admx/adml that is included
with the Microsoft Windows 10 Release 1809 & Server 2019 Administrative Templates
(or newer)."
compliance:
- cis: ["18.9.77.14"]
- cis_csc: ["8"]
- pci_dss: ["2.2.3"]
- nist_800_53: ["CM.1"]
- gpg_13: ["4.3"]
- gdpr_IV: ["35.7.d"]
- hipaa: ["164.312.b"]
- tsc: ["CC5.2"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender -> PUAProtection -> 1'

# 18.9.77.15 (L1) Ensure 'Turn off Windows Defender AntiVirus' is set to 'Disabled' (Scored)
- id: 16736
title: "Ensure 'Turn off Windows Defender AntiVirus' is set to 'Disabled'"
description: "This policy setting turns off Windows Defender Antivirus. If the
setting is configured to Disabled, Windows Defender Antivirus runs and computers
are scanned for malware and other potentially unwanted software. The recommended
state for this setting is: Disabled."
rationale: "It is important to ensure a current, updated antivirus product is
scanning each computer for malicious file activity. Microsoft provides a competent
solution out of the box in Windows Defender Antivirus. Organizations that choose to
purchase a reputable 3rd-party antivirus solution may choose to exempt themselves
from this recommendation in lieu of the commercial alternative."
remediation: "To establish the recommended configuration via GP, set the
following UI path to Disabled: Computer Configuration\\Policies\\Administrative
Templates\\Windows Components\\Windows Defender Antivirus\\Turn off Windows
Defender AntiVirus Note: This Group Policy path is provided by the Group Policy
template WindowsDefender.admx/adml that is included with all versions of the
Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows
Administrative Templates, this setting was initially named Turn off Windows
Defender, but it was renamed starting with the Windows 10 Release 1703
Administrative Templates."
compliance:
- cis: ["18.9.77.15"]
- cis_csc: ["8.1"]
- pci_dss: ["5.2"]
- tsc: ["CC6.8"]
references:
- 'CCE-36082-6'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender -> DisableAntiSpyware -> 0'
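# Added example (not part of the Wazuh policy file or the CIS benchmark): a
# PowerShell audit that replays the registry checks from 18.9.77.7.1 through
# 18.9.77.15 above and sets each policy value beside the effective Defender state
# from Get-MpPreference. An SCA rule of the form 'r:<key> -> <value> -> <data>'
# only passes when the value exists with that data, so an absent (Not Configured)
# value is reported as a failure here as well. The $checks table, the column
# names and the pass/fail wording are this example's own; it assumes an elevated
# session on a host where the Defender PowerShell module is present.

```powershell
# Audit the Windows Defender Antivirus policy values tested by the SCA rules
# for CIS 18.9.77.7.1 - 18.9.77.15 and compare them with the running state.
# Run in an elevated PowerShell session on the server being assessed.

$defenderPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'

# One row per SCA rule: key, value name, expected data, and (where one exists)
# the Get-MpPreference property that reflects the effective setting.
$checks = @(
    @{ Cis = '18.9.77.7.1';    Key = "$defenderPolicy\Real-Time Protection"; Name = 'DisableBehaviorMonitoring';     Expected = 0; MpProperty = 'DisableBehaviorMonitoring' }
    @{ Cis = '18.9.77.9.1';    Key = "$defenderPolicy\Reporting";            Name = 'DisableGenericRePorts';         Expected = 1; MpProperty = $null }
    @{ Cis = '18.9.77.10.1';   Key = "$defenderPolicy\Scan";                 Name = 'DisableRemovableDriveScanning'; Expected = 0; MpProperty = 'DisableRemovableDriveScanning' }
    @{ Cis = '18.9.77.10.2';   Key = "$defenderPolicy\Scan";                 Name = 'DisableEmailScanning';          Expected = 0; MpProperty = 'DisableEmailScanning' }
    @{ Cis = '18.9.77.13.3.1'; Key = "$defenderPolicy\Windows Defender Exploit Guard\Network Protection"; Name = 'EnableNetworkProtection'; Expected = 1; MpProperty = 'EnableNetworkProtection' }
    @{ Cis = '18.9.77.14';     Key = $defenderPolicy;                        Name = 'PUAProtection';                 Expected = 1; MpProperty = 'PUAProtection' }
    @{ Cis = '18.9.77.15';     Key = $defenderPolicy;                        Name = 'DisableAntiSpyware';            Expected = 0; MpProperty = $null }
)

function Get-PolicyData {
    # Returns the registry data, or $null when the key or value is absent.
    # The SCA rule 'r:<key> -> <name> -> <data>' only passes when the value
    # exists with exactly that data, so Not Configured counts as a failure.
    param([string]$Key, [string]$Name)
    try { (Get-ItemProperty -Path $Key -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

# Effective preferences; $null when the Defender module is unavailable
# (for example when a third-party AV product has taken over).
$mp = try { Get-MpPreference -ErrorAction Stop } catch { $null }

foreach ($c in $checks) {
    $data = Get-PolicyData -Key $c.Key -Name $c.Name

    if ($null -eq $data)                { $status = 'FAIL (not configured)' }
    elseif ([int]$data -eq $c.Expected) { $status = 'PASS' }
    else                                { $status = "FAIL (is $data)" }

    # A policy under HKLM\SOFTWARE\Policies overrides the local preference. An
    # absent policy with a "good" effective value means the host relies on a
    # local preference that any administrator can change with Set-MpPreference;
    # that is exactly the state the SCA rule is designed to flag.
    $effective = 'n/a'
    if ($mp -and $c.MpProperty) { $effective = [int]$mp.($c.MpProperty) }

    $policyShown = '<absent>'
    if ($null -ne $data) { $policyShown = [int]$data }

    [pscustomobject]@{
        Cis       = $c.Cis
        Value     = $c.Name
        Expected  = $c.Expected
        Policy    = $policyShown
        Effective = $effective
        Status    = $status
    }
}
```

# Reporting (DisableGenericRePorts) and DisableAntiSpyware have no
# Get-MpPreference counterpart, so those rows show only the policy value.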

# 18.9.80.1.1 Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent bypass'
- id: 16737
title: "Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled:
Warn and prevent bypass'"
description: "This policy setting allows you to manage the behavior of Windows
SmartScreen. Windows SmartScreen helps keep PCs safer by warning users before
running unrecognized programs downloaded from the Internet. Some information is
sent to Microsoft about files and programs run on PCs with this feature enabled.
The recommended state for this setting is: Enabled: Warn and prevent bypass."
rationale: "Windows SmartScreen helps keep PCs safer by warning users before
running unrecognized programs downloaded from the Internet. However, due to the
fact that some information is sent to Microsoft about files and programs run on PCs
some organizations may prefer to disable it."
remediation: "To establish the recommended configuration via GP, set the
following UI path to Enabled: Warn and prevent bypass: Computer Configuration\\
Policies\\Administrative Templates\\Windows Components\\Windows Defender
SmartScreen\\Explorer\\Configure Windows Defender SmartScreen Note: This Group
Policy path may not exist by default. It is provided by the Group Policy template
WindowsExplorer.admx/adml that is included with the Microsoft Windows 8.0 & Server
2012 (non-R2) Administrative Templates (or newer). Note #2: In older Microsoft
Windows Administrative Templates, this setting was initially named Configure
Windows SmartScreen, but it was renamed starting with the Windows 10 Release 1703
Administrative Templates."
compliance:
- cis: ["18.9.80.1.1"]
- cis_csc: ["2"]
- pci_dss: ["2.2.4"]
- nist_800_53: ["CM.1"]
- tsc: ["CC5.2"]
references:
- 'CCE-35859-8'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnableSmartScreen -> 1'
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> ShellSmartScreenLevel -> Block'

# 18.9.84.1 (L2) Ensure 'Allow suggested apps in Windows Ink Workspace' is set to 'Disabled' (Scored)
- id: 16738
title: "Ensure 'Allow suggested apps in Windows Ink Workspace' is set to
'Disabled'"
description: "This policy setting determines whether suggested apps in Windows
Ink Workspace are allowed. The recommended state for this setting is: Disabled."
rationale: "This Microsoft feature is designed to collect data and suggest apps
based on that data collected. Disabling this setting will help ensure your data is
not shared with any third party."
remediation: "To establish the recommended configuration via GP, set the
following UI path to Disabled: Computer Configuration\\Policies\\Administrative
Templates\\Windows Components\\Windows Ink Workspace\\Allow suggested apps in
Windows Ink Workspace Note: This Group Policy path may not exist by default. It is
provided by the Group Policy template WindowsInkWorkspace.admx/adml that is
included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative
Templates (or newer)."
compliance:
- cis: ["18.9.84.1"]
- cis_csc: ["13"]
- pci_dss: ["2.2.5"]
- tsc: ["CC6.3"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace -> AllowSuggestedAppsInWindowsInkWorkspace -> 0'

# 18.9.84.2 (L1) Ensure 'Allow Windows Ink Workspace' is set to 'Enabled: On, but disallow access above lock' OR 'Disabled' but not 'Enabled: On' (Scored)
- id: 16739
title: "Ensure 'Allow Windows Ink Workspace' is set to 'Enabled: On, but
disallow access above lock' OR 'Disabled' but not 'Enabled: On'"
description: "This policy setting determines whether Windows Ink items are
allowed above the lock screen. The recommended state for this setting is: Enabled:
On, but disallow access above lock OR Disabled."
rationale: "Allowing any apps to be accessed while system is locked is not
recommended. If this feature is permitted, it should only be accessible once a user
authenticates with the proper credentials."
remediation: "To establish the recommended configuration via GP, set the
following UI path to Enabled: On, but disallow access above lock OR Disabled:
Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\
Windows Ink Workspace\\Allow Windows Ink Workspace Note: This Group Policy path may
not exist by default. It is provided by the Group Policy template
WindowsInkWorkspace.admx/adml that is included with the Microsoft Windows 10
Release 1607 & Server 2016 Administrative Templates (or newer)."
compliance:
- cis: ["18.9.84.2"]
- cis_csc: ["16.5"]
- pci_dss: ["8.6"]
- tsc: ["CC6.1"]
condition: any
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace -> AllowWindowsInkWorkspace -> 0'
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace -> AllowWindowsInkWorkspace -> 1'

# 18.9.85.1 Ensure 'Allow user control over installs' is set to 'Disabled'
- id: 16740
title: "Ensure 'Allow user control over installs' is set to 'Disabled'"
description: "This setting controls whether users are permitted to change
installation options that typically are available only to system administrators.
The security features of Windows Installer normally prevent users from changing
installation options that are typically reserved for system administrators, such as
specifying the directory to which files are installed. If Windows Installer detects
that an installation package has permitted the user to change a protected option,
it stops the installation and displays a message. These security features operate
only when the installation program is running in a privileged security context in
which it has access to directories denied to the user. The recommended state for
this setting is: Disabled."
rationale: "In an enterprise managed environment, only IT staff with
administrative rights should be installing or changing software on a system.
Allowing users the ability to have any control over installs can risk unapproved
software from being installed or removed from a system, which could cause the
system to become vulnerable to compromise."
remediation: "To establish the recommended configuration via GP, set the
following UI path to Disabled: Computer Configuration\\Policies\\Administrative
Templates\\Windows Components\\Windows Installer\\Allow user control over installs
Note: This Group Policy path is provided by the Group Policy template MSI.admx/adml
that is included with all versions of the Microsoft Windows Administrative
Templates. Note #2: In older Microsoft Windows Administrative Templates, this
setting was named Enable user control over installs, but it was renamed starting
with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
compliance:
- cis: ["18.9.85.1"]
- cis_csc: ["5.1"]
- pci_dss: ["7.1"]
- tsc: ["CC6.4"]
references:
- 'CCE-36400-0'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> EnableUserControl -> 0'

# 18.9.85.2 Ensure 'Always install with elevated privileges' is set to 'Disabled'
- id: 16741
title: "Ensure 'Always install with elevated privileges' is set to 'Disabled'"
description: "This setting controls whether or not Windows Installer should use
system permissions when it installs any program on the system. Note: This setting
appears both in the Computer Configuration and User Configuration folders. To make
this setting effective, you must enable the setting in both folders. Caution: If
enabled, skilled users can take advantage of the permissions this setting grants to
change their privileges and gain permanent access to restricted files and folders.
Note that the User Configuration version of this setting is not guaranteed to be
secure. The recommended state for this setting is: Disabled."
rationale: "Users with limited privileges can exploit this feature by creating
a Windows Installer installation package that creates a new local account that
belongs to the local built-in Administrators group, adds their current account to
the local built-in Administrators group, installs malicious software, or performs
other unauthorized activities."
remediation: "To establish the recommended configuration via GP, set the
following UI path to Disabled: Computer Configuration\\Policies\\Administrative
Templates\\Windows Components\\Windows Installer\\Always install with elevated
privileges Note: This Group Policy path is provided by the Group Policy template
MSI.admx/adml that is included with all versions of the Microsoft Windows
Administrative Templates."
compliance:
- cis: ["18.9.85.2"]
- cis_csc: ["5.1"]
- pci_dss: ["7.1"]
- tsc: ["CC6.4"]
references:
- 'CCE-36919-9'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> AlwaysInstallElevated -> 0'
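# Added example (not part of the Wazuh policy file or the CIS benchmark). The
# description above notes that the setting only takes effect when enabled in both
# Computer Configuration and User Configuration, but the SCA rule reads HKLM only.
# This PowerShell check reads the machine hive and every loaded user hive under
# HKEY_USERS and reports, per user, what the SCA rule would say next to whether
# the combination the rationale warns about (1 in both hives) actually exists.
# The function names, the SID filter and the output columns are this example's
# own; it assumes an elevated session so that all user hives are readable.

```powershell
# Check AlwaysInstallElevated in the machine hive and in every loaded user
# hive. The SCA rule for 18.9.85.2 only reads HKLM; the privilege escalation
# the rationale describes needs the value to be 1 in both HKLM and the
# user's HKCU, so a host can pass the rule and still carry a per-user policy
# that becomes dangerous the moment the machine value changes.
# Run elevated so that all user hives under HKEY_USERS are readable.

$valueName = 'AlwaysInstallElevated'
$policyKey = 'SOFTWARE\Policies\Microsoft\Windows\Installer'

function Get-InstallerPolicy {
    # Returns the DWORD data, or $null when the key or value does not exist
    # (Not Configured, which Windows Installer treats as disabled).
    param([string]$HiveRoot)
    try { (Get-ItemProperty -Path "$HiveRoot\$policyKey" -Name $valueName -ErrorAction Stop).$valueName }
    catch { $null }
}

function Convert-SidToName {
    # Best-effort SID to account name; falls back to the SID for unresolvable
    # (e.g. deleted or foreign-domain) accounts.
    param([string]$Sid)
    try { ([System.Security.Principal.SecurityIdentifier]$Sid).Translate([System.Security.Principal.NTAccount]).Value }
    catch { $Sid }
}

if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

$machine = Get-InstallerPolicy -HiveRoot 'HKLM:'

# Only real user hives (local/domain SIDs S-1-5-21-...), not the *_Classes
# aliases or the well-known service account hives.
$userHives = Get-ChildItem -Path 'HKU:\' |
    Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' }

foreach ($hive in $userHives) {
    $user = Get-InstallerPolicy -HiveRoot "HKU:\$($hive.PSChildName)"
    [pscustomobject]@{
        User          = Convert-SidToName -Sid $hive.PSChildName
        HKLM          = $machine
        HKCU          = $user
        SCARulePasses = ($machine -eq 0)                   # what 18.9.85.2 tests
        Exploitable   = ($machine -eq 1 -and $user -eq 1)  # both hives required
    }
}

if (-not $userHives) {
    "No user hives loaded; HKLM $valueName = $machine (SCA rule passes: $($machine -eq 0))"
}
```

# Users who are not logged on have no hive loaded and therefore do not appear;
# for a complete picture their NTUSER.DAT hives would have to be loaded with
# reg.exe load first.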

# 18.9.85.3 Ensure 'Prevent Internet Explorer security prompt for Windows Installer scripts' is set to 'Disabled'
- id: 16742
title: "Ensure 'Prevent Internet Explorer security prompt for Windows Installer
scripts' is set to 'Disabled'"
description: "This policy setting controls whether Web-based programs are
allowed to install software on the computer without notifying the user. The
recommended state for this setting is: Disabled."
rationale: "Suppressing the system warning can pose a security risk and
increase the attack surface on the system."
remediation: "To establish the recommended configuration via GP, set the
following UI path to Disabled: Computer Configuration\\Policies\\Administrative
Templates\\Windows Components\\Windows Installer\\Prevent Internet Explorer
security prompt for Windows Installer scripts. Note: This Group Policy path is
provided by the Group Policy template MSI.admx/adml that is included with all
versions of the Microsoft Windows Administrative Templates. Note #2: In older
Microsoft Windows Administrative Templates, this setting was initially named
Disable IE security prompt for Windows Installer scripts, but it was renamed
starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
compliance:
- cis: ["18.9.85.3"]
- cis_csc: ["7"]
- pci_dss: ["2.2.5"]
- tsc: ["CC6.3"]
references:
- 'CCE-37524-6'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> SafeForScripting -> 0'

# 18.9.86.1 Ensure 'Sign-in last interactive user automatically after a system-initiated restart' is set to 'Disabled'
- id: 16743
title: "Ensure 'Sign-in last interactive user automatically after a system-
initiated restart' is set to 'Disabled'"
description: "This policy setting controls whether a device will automatically
sign in the last interactive user after Windows Update restarts the system. The
recommended state for this setting is: Disabled."
rationale: "Disabling this feature prevents the caching of a user's credentials
for the automatic sign-in, prevents unauthorized use of the device after the
restart, and ensures the user is aware that the system was restarted."
remediation: "To establish the recommended configuration via GP, set the
following UI path to Disabled: Computer Configuration\\Policies\\Administrative
Templates\\Windows Components\\Windows Logon Options\\Sign-in last interactive user
automatically after a system-initiated restart Note: This Group Policy path may not
exist by default. It is provided by the Group Policy template WinLogon.admx/adml
that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative
Templates (or newer)."
compliance:
- cis: ["18.9.86.1"]
- cis_csc: ["16.5"]
- pci_dss: ["8.6"]
- tsc: ["CC6.1"]
references:
- 'CCE-36977-7'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableAutomaticRestartSignOn -> 1'

# 18.9.95.1 Ensure 'Turn on PowerShell Script Block Logging' is set to 'Disabled'
- id: 16744
title: "Ensure 'Turn on PowerShell Script Block Logging' is set to 'Disabled'"
description: "This policy setting enables logging of all PowerShell script
input to the Microsoft-Windows-PowerShell/Operational event log. The recommended
state for this setting is: Disabled. Note: In Microsoft's own hardening guidance,
they recommend the opposite value, Enabled, because having this data logged
improves investigations of PowerShell attack incidents. However, the default ACL on
the PowerShell Operational log allows Interactive User (i.e. any logged on user) to
read it, and therefore possibly expose passwords or other sensitive information to
unauthorized users. If Microsoft locks down the default ACL on that log in the
future (e.g. to restrict it only to Administrators), then we will revisit this
recommendation in a future release."
rationale: "There are potential risks of capturing passwords in the PowerShell
logs. Because this setting should only be needed for debugging purposes, and not in
normal operation, it is important to ensure it is set to Disabled."
remediation: "To establish the recommended configuration via GP, set the
following UI path to Disabled: Computer Configuration\\Policies\\Administrative
Templates\\Windows Components\\Windows PowerShell\\Turn on PowerShell Script Block
Logging Note: This Group Policy path may not exist by default. It is provided by
the Group Policy template PowerShellExecutionPolicy.admx/adml that is included with
the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer)."
compliance:
- cis: ["18.9.95.1"]
- cis_csc: ["16.4"]
- pci_dss: ["12.3.8"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging -> EnableScriptBlockLogging -> 0'

# 18.9.95.2 Ensure 'Turn on PowerShell Transcription' is set to 'Disabled'
- id: 16745
title: "Ensure 'Turn on PowerShell Transcription' is set to 'Disabled'"
description: "This Policy setting lets you capture the input and output of
Windows PowerShell commands into text-based transcripts. The recommended state for
this setting is: Disabled."
rationale: "If this setting is enabled there is a risk that passwords could get
stored in plain text in the PowerShell_transcript output file."
remediation: "To establish the recommended configuration via GP, set the
following UI path to Disabled: Computer Configuration\\Policies\\Administrative
Templates\\Windows Components\\Windows PowerShell\\Turn on PowerShell Transcription
Note: This Group Policy path may not exist by default. It is provided by the Group
Policy template PowerShellExecutionPolicy.admx/adml that is included with the
Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer)."
compliance:
- cis: ["18.9.95.2"]
- cis_csc: ["16.4"]
- pci_dss: ["12.3.8"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription -> EnableTranscripting -> 0'
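# Added example (not part of the Wazuh policy file or the CIS benchmark). The
# description of 18.9.95.1 rests on one fact: the default ACL of the
# Microsoft-Windows-PowerShell/Operational channel lets Interactive Users read it.
# This PowerShell check first replays the two registry rules above, then reads the
# channel's security descriptor (SDDL) and lists every trustee with the read bit,
# so an operator can see whether that premise still holds on the host before
# deciding between the benchmark's value and Microsoft's. The regex, the status
# wording and the warning text are this example's own; it assumes the ACEs use
# the hexadecimal mask form that wevtutil and Get-WinEvent report.

```powershell
# Check CIS 18.9.95.1 / 18.9.95.2 and the premise behind them: the benchmark
# asks for script block logging and transcription to be Disabled because the
# Microsoft-Windows-PowerShell/Operational channel is readable by Interactive
# Users (SDDL trustee 'IU') by default. The second half reads that channel's
# security descriptor and lists who can read the log.

$psPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
$checks = @(
    @{ Cis = '18.9.95.1'; Key = "$psPolicy\ScriptBlockLogging"; Name = 'EnableScriptBlockLogging'; Expected = 0 }
    @{ Cis = '18.9.95.2'; Key = "$psPolicy\Transcription";      Name = 'EnableTranscripting';      Expected = 0 }
)

foreach ($c in $checks) {
    $data = try { (Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction Stop).($c.Name) } catch { $null }
    # As in the SCA rules, an absent value is not "Disabled"; it is Not Configured.
    if ($null -eq $data)                { $status = 'FAIL (not configured)' }
    elseif ([int]$data -eq $c.Expected) { $status = 'PASS' }
    else                                { $status = "FAIL (is $data)" }
    '{0}: {1} -> {2}' -f $c.Cis, $c.Name, $status
}

# Who can read the log that script block logging writes to?
# EventLogConfiguration.SecurityDescriptor is the channel ACL in SDDL form.
$channel = Get-WinEvent -ListLog 'Microsoft-Windows-PowerShell/Operational'
$sddl    = $channel.SecurityDescriptor

# Event log channel ACEs are written as (A;;<mask>;;;<trustee>) with a hex
# mask; bit 0x1 is read, 0x2 write, 0x4 clear. Collect trustees with read.
$readers = [regex]::Matches($sddl, '\(A;;(0x[0-9A-Fa-f]+);;;([^)]+)\)') |
    Where-Object { (([int]$_.Groups[1].Value) -band 1) -ne 0 } |
    ForEach-Object { $_.Groups[2].Value }

"Channel SDDL: $sddl"
"Trustees with read access: $($readers -join ', ')"
if ($readers -contains 'IU') {
    'WARNING: Interactive Users can read this channel; with script block logging enabled, any logged-on user could read secrets from logged scripts.'
}
```

# If the channel ACL has been tightened (IU no longer listed), the objection in
# the description no longer applies to that host and the Microsoft guidance of
# Enabled can be weighed on its merits.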

# 18.9.97.1.1 Ensure 'Allow Basic authentication' is set to 'Disabled'
- id: 16746
title: "Ensure 'Allow Basic authentication' is set to 'Disabled'"
description: "This policy setting allows you to manage whether the Windows
Remote Management (WinRM) client uses Basic authentication. The recommended state
for this setting is: Disabled."
rationale: "Basic authentication is less robust than other authentication
methods available in WinRM because credentials including passwords are transmitted
in plain text. An attacker who is able to capture packets on the network where
WinRM is running may be able to determine the credentials used for accessing remote
hosts via WinRM."
remediation: "To establish the recommended configuration via GP, set the
following UI path to Disabled: Computer Configuration\\Policies\\Administrative
Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Client\\
Allow Basic authentication Note: This Group Policy path is provided by the Group
Policy template WindowsRemoteManagement.admx/adml that is included with all
versions of the Microsoft Windows Administrative Templates."
compliance:
- cis: ["18.9.97.1.1"]
- cis_csc: ["16.13"]
- pci_dss: ["4.1"]
- hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
- nist_800_53: ["SC.8"]
- tsc: ["CC6.1","CC6.7","CC7.2"]
references:
- 'CCE-36310-1'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowBasic -> 0'

# 18.9.97.1.2 Ensure 'Allow unencrypted traffic' is set to 'Disabled'
- id: 16747
title: "Ensure 'Allow unencrypted traffic' is set to 'Disabled'"
description: "This policy setting allows you to manage whether the Windows
Remote Management (WinRM) client sends and receives unencrypted messages over the
network. The recommended state for this setting is: Disabled."
rationale: "Encrypting WinRM network traffic reduces the risk of an attacker
viewing or modifying WinRM messages as they transit the network."
remediation: "To establish the recommended configuration via GP, set the
following UI path to Disabled: Computer Configuration\\Policies\\Administrative
Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Client\\
Allow unencrypted traffic Note: This Group Policy path is provided by the Group
Policy template WindowsRemoteManagement.admx/adml that is included with all
versions of the Microsoft Windows Administrative Templates."
compliance:
- cis: ["18.9.97.1.2"]
- cis_csc: ["16.13"]
- pci_dss: ["4.1"]
- hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
- nist_800_53: ["SC.8"]
- tsc: ["CC6.1","CC6.7","CC7.2"]
references:
- 'CCE-37726-7'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowUnencryptedTraffic -> 0'

# 18.9.97.1.3 Ensure 'Disallow Digest authentication' is set to 'Enabled'
- id: 16748
title: "Ensure 'Disallow Digest authentication' is set to 'Enabled'"
description: "This policy setting allows you to manage whether the Windows
Remote Management (WinRM) client is prevented from using Digest authentication.
The recommended state for this setting is: Enabled."
rationale: "Digest authentication is less robust than other authentication
methods available in WinRM, an attacker who is able to capture packets on the
network where WinRM is running may be able to determine the credentials used for
accessing remote hosts via WinRM."
remediation: "To establish the recommended configuration via GP, set the
following UI path to Enabled: Computer Configuration\\Policies\\Administrative
Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Client\\
Disallow Digest authentication Note: This Group Policy path is provided by the
Group Policy template WindowsRemoteManagement.admx/adml that is included with all
versions of the Microsoft Windows Administrative Templates."
compliance:
- cis: ["18.9.97.1.3"]
- cis_csc: ["16.13"]
- pci_dss: ["4.1"]
- hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
- nist_800_53: ["SC.8"]
- tsc: ["CC6.1","CC6.7","CC7.2"]
references:
- 'CCE-38318-2'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowDigest -> 0'

# 18.9.97.2.1 Ensure 'Allow Basic authentication' is set to 'Disabled'
- id: 16749
title: "Ensure 'Allow Basic authentication' is set to 'Disabled'"
description: "This policy setting allows you to manage whether the Windows
Remote Management (WinRM) service accepts Basic authentication from a remote
client. The recommended state for this setting is: Disabled."
rationale: "Basic authentication is less robust than other authentication
methods available in WinRM because credentials including passwords are transmitted
in plain text. An attacker who is able to capture packets on the network where
WinRM is running may be able to determine the credentials used for accessing remote
hosts via WinRM."
remediation: "To establish the recommended configuration via GP, set the
following UI path to Disabled: Computer Configuration\\Policies\\Administrative
Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Service\\
Allow Basic authentication Note: This Group Policy path is provided by the Group
Policy template WindowsRemoteManagement.admx/adml that is included with all
versions of the Microsoft Windows Administrative Templates."
compliance:
- cis: ["18.9.97.2.1"]
- cis_csc: ["16.13"]
- pci_dss: ["4.1"]
- hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
- nist_800_53: ["SC.8"]
- tsc: ["CC6.1","CC6.7","CC7.2"]
references:
- 'CCE-36254-1'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowBasic -> 0'

# 18.9.97.2.2 Ensure 'Allow remote server management through WinRM' is set to 'Disabled'
- id: 16750
title: "Ensure 'Allow remote server management through WinRM' is set to
'Disabled'"
description: "This policy setting allows you to manage whether the Windows
Remote Management (WinRM) service automatically listens on the network for requests
on the HTTP transport over the default HTTP port. The recommended state for this
setting is: Disabled."
rationale: "Any feature is a potential avenue of attack, and those that enable
inbound network connections are particularly risky. Only enable the Windows Remote
Management (WinRM) service on trusted networks and, when feasible, employ
additional controls such as IPsec."
remediation: "To establish the recommended configuration via GP, set the
following UI path to Disabled: Computer Configuration\\Administrative Templates\\
Windows Components\\Windows Remote Management (WinRM)\\WinRM Service\\Allow remote
server management through WinRM. Note: This Group Policy path is provided by the
Group Policy template WindowsRemoteManagement.admx/adml that is included with all
versions of the Microsoft Windows Administrative Templates. Note #2: In older
Microsoft Windows Administrative Templates, this setting was initially named Allow
automatic configuration of listeners, but it was renamed starting with the Windows
8.0 & Server 2012 (non-R2) Administrative Templates."
compliance:
- cis: ["18.9.97.2.2"]
- cis_csc: ["3.4"]
- pci_dss: ["4.1"]
- hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
- nist_800_53: ["SC.8"]
- tsc: ["CC6.1","CC6.7","CC7.2"]
references:
- 'CCE-37927-1'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowAutoConfig -> 0'

# 18.9.97.2.3 Ensure 'Allow unencrypted traffic' is set to 'Disabled'
- id: 16751
title: "Ensure 'Allow unencrypted traffic' is set to 'Disabled'"
description: "This policy setting allows you to manage whether the Windows
Remote Management (WinRM) service sends and receives unencrypted messages over the
network. The recommended state for this setting is: Disabled."
rationale: "Encrypting WinRM network traffic reduces the risk of an attacker
viewing or modifying WinRM messages as they transit the network."
remediation: "To establish the recommended configuration via GP, set the
following UI path to Disabled: Computer Configuration\\Policies\\Administrative
Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Service\\
Allow unencrypted traffic Note: This Group Policy path is provided by the Group
Policy template WindowsRemoteManagement.admx/adml that is included with all
versions of the Microsoft Windows Administrative Templates."
compliance:
- cis: ["18.9.97.2.3"]
- cis_csc: ["16.13"]
- pci_dss: ["4.1"]
- hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
- nist_800_53: ["SC.8"]
- tsc: ["CC6.1","CC6.7","CC7.2"]
references:
- 'CCE-38223-4'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowUnencryptedTraffic -> 0'

# 18.9.97.2.4 Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled'
- id: 16752
title: "Ensure 'Disallow WinRM from storing RunAs credentials' is set to
'Enabled'"
description: "This policy setting allows you to manage whether the Windows
Remote Management (WinRM) service will allow RunAs credentials to be stored for any
plug-ins. The recommended state for this setting is: Enabled. Note: If you enable
and then disable this policy setting, any values that were previously configured
for RunAsPassword will need to be reset."
rationale: "Although the ability to store RunAs credentials is a convenient
feature, it increases the risk of account compromise slightly. For example, if you
forget to lock your desktop before leaving it unattended for a few minutes, another
person could access not only the desktop of your computer but also any hosts you
manage via WinRM with cached RunAs credentials."
remediation: "To establish the recommended configuration via GP, set the
following UI path to Enabled: Computer Configuration\\Policies\\Administrative
Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Service\\
Disallow WinRM from storing RunAs credentials Note: This Group Policy path may not
exist by default. It is provided by the Group Policy template
WindowsRemoteManagement.admx/adml that is included with the Microsoft Windows 8.0 &
Server 2012 (non-R2) Administrative Templates (or newer)."
compliance:
- cis: ["18.9.97.2.4"]
- cis_csc: ["16.4"]
- pci_dss: ["12.3.8"]
references:
- 'CCE-36000-8'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> DisableRunAs -> 1'

# 18.9.98.1 Ensure 'Allow Remote Shell Access' is set to 'Disabled'
- id: 16753
title: "Ensure 'Allow Remote Shell Access' is set to 'Disabled'"
description: "This policy setting allows you to manage configuration of remote
access to all supported shells to execute scripts and commands. The recommended
state for this setting is: Disabled. Note: The GPME help text for this setting is
incorrectly worded, implying that configuring it to Enabled will reject new Remote
Shell connections, and setting it to Disabled will allow Remote Shell connections.
The opposite is true (and is consistent with the title of the setting). This is a
wording mistake by Microsoft in the Administrative Template."
rationale: "Any feature is a potential avenue of attack; those that enable
inbound network connections are particularly risky. Only enable the use of the
Windows Remote Shell on trusted networks and, when feasible, employ additional
controls such as IPsec."
remediation: "To establish the recommended configuration via GP, set the
following UI path to Disabled: Computer Configuration\\Administrative Templates\\
Windows Components\\Windows Remote Shell\\Allow Remote Shell Access. Note: This
Group Policy path is provided by the Group Policy template
WindowsRemoteShell.admx/adml that is included with all versions of the Microsoft
Windows Administrative Templates."
compliance:
- cis: ["18.9.98.1"]
- cis_csc: ["3.4"]
- pci_dss: ["4.1"]
- hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
- nist_800_53: ["SC.8"]
- tsc: ["CC6.1","CC6.7","CC7.2"]
references:
- 'CCE-36499-2'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\WinRS -> AllowRemoteShellAccess -> 0'

# 18.9.99.2.1 (L1) Ensure 'Prevent users from modifying settings' is set to 'Enabled' (Scored)
- id: 16754
title: "Ensure 'Prevent users from modifying settings' is set to 'Enabled'"
description: "This policy setting prevents users from making changes to the
Exploit protection settings area in the Windows Security settings. The recommended
state for this setting is: Enabled."
rationale: "Only authorized IT staff should be able to make changes to the
exploit protection settings in order to ensure the organization's specific
configuration is not modified."
remediation: "To establish the recommended configuration via GP, set the
following UI path to Enabled: Computer Configuration\\Policies\\Administrative
Templates\\Windows Components\\Windows Security\\App and browser protection\\
Prevent users from modifying settings Note: This Group Policy path may not exist by
default. It is provided by the Group Policy template
WindowsDefenderSecurityCenter.admx/adml that is included with the Microsoft Windows
8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
compliance:
- cis: ["18.9.99.2.1"]
- cis_csc: ["8.4"]
- pci_dss: ["12.3.8"]
references:
- 'CCE-36000-8'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection -> DisallowExploitProtectionOverride -> 1'

# 18.9.102.1.1 (L1) Ensure 'Manage preview builds' is set to 'Enabled: Disable preview builds' (Scored)
- id: 16755
title: "Ensure 'Manage preview builds' is set to 'Enabled: Disable preview
builds'"
description: "This policy setting determines whether users can access the
Windows Insider Program controls in Settings -> Update and Security. These controls
enable users to make their devices available for downloading and installing preview
(beta) builds of Windows software. The recommended state for this setting is:
Enabled: Disable preview builds."
rationale: "It can be risky for experimental features to be allowed in an
enterprise managed environment because this can introduce bugs and security holes
into systems, making it easier for an attacker to gain access. It is generally
preferred to only use production-ready builds."
remediation: "To establish the recommended configuration via GP, set the
following UI path to Enabled: Disable preview builds : Computer Configuration\\
Policies\\Administrative Templates\\Windows Components\\Windows Update\\Windows
Update for Business\\Manage preview builds Note: This Group Policy path may not
exist by default. It is provided by the Group Policy template
WindowsUpdate.admx/adml that is included with the Microsoft Windows 10 Release 1709
Administrative Templates (or newer)."
compliance:
- cis: ["18.9.102.1.1"]
- cis_csc: ["3"]
- pci_dss: ["6.4.2"]
- tsc: ["CC6.6","CC7.1"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> ManagePreviewBuilds -> 1'
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> ManagePreviewBuildsPolicyValue -> 0'

# 18.9.102.1.2 (L1) Ensure 'Select when Preview Builds and Feature Updates are received' is set to 'Enabled: Semi-Annual Channel, 180 or more days' (Scored)
- id: 16756
title: "Ensure 'Select when Preview Builds and Feature Updates are received' is
set to 'Enabled: Semi-Annual Channel, 180 or more days'"
description: "This policy setting determines the level of Preview Build or
Feature Updates to receive, and when. The Windows readiness level for each new
Windows 10 Feature Update is classified in one of 5 categories, depending on your
organization's level of comfort with receiving them: Preview Build - Fast: Devices
set to this level will be the first to receive new builds of Windows with features
not yet available to the general public. Select Fast to participate in identifying
and reporting issues to Microsoft, and provide suggestions on new functionality.
Preview Build - Slow: Devices set to this level receive new builds of Windows
before they are available to the general public, but at a slower cadence than those
set to Fast, and with changes and fixes identified in earlier builds. Release
Preview: Receive builds of Windows just before Microsoft releases them to the
general public. Semi-Annual Channel (Targeted): Receive feature updates when they
are released to the general public. Semi-Annual Channel: Feature updates will
arrive when they are declared Semi-Annual Channel. This usually occurs about 4
months after Semi-Annual Channel (Targeted), indicating that Microsoft, Independent
Software Vendors (ISVs), partners and customers believe that the release is ready
for broad deployment. The recommended state for this setting is: Enabled:
Semi-Annual Channel, 180 or more days. Note: If the \"Allow Telemetry\" policy is
set to 0, this policy will have no effect. Note #2: Starting with Windows Server
2016 RTM (Release 1607), Microsoft introduced a new Windows Update (WU) client
behavior called Dual Scan, with an eye to cloud-based update management. In some
cases, this Dual Scan feature can interfere with Windows Updates from Windows Server
Update Services (WSUS) and/or manual WU updates. If you are using WSUS in your
environment, you may need to set the above setting to Not Configured or configure
the setting Do not allow update deferral policies to cause scans against Windows
Update (added in the Windows 10 Release 1709 Administrative Templates) in order to
prevent the Dual Scan feature from interfering. Note #3: Prior to Windows Server
2016 R1709, values above 180 days are not recognized by the OS. Starting with
Windows Server 2016 R1709, the maximum number of days you can defer is 365 days."
rationale: "Forcing new features without prior testing in your environment
could cause software incompatibilities as well as introducing new bugs into the
operating system. In an enterprise managed environment, it is generally preferred
to delay Feature Updates until thorough testing and a deployment plan is in place.
This recommendation delays the automatic installation of new features as long as
possible."
remediation: "To establish the recommended configuration via GP, set the
following UI path to Enabled: Semi-Annual Channel, 180 or more days: Computer
Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows
Update\\Windows Update for Business\\Select when Preview Builds and Feature Updates
are received Note: This Group Policy path may not exist by default. It is provided
by the Group Policy template WindowsUpdate.admx/adml that is included with the
Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or
newer). Note #2: In older Microsoft Windows Administrative Templates, this setting
was initially named Select when Feature Updates are received, but it was renamed to
Select when Preview Builds and Feature Updates are received starting with the
Windows 10 Release 1709 Administrative Templates."
compliance:
- cis: ["18.9.102.1.2"]
- cis_csc: ["3"]
- pci_dss: ["4.1"]
- hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
- nist_800_53: ["SC.8"]
- tsc: ["CC6.1","CC6.7","CC7.2"]
references:
- 'https://blogs.technet.microsoft.com/wsus/2017/05/05/demystifying-dual-scan/'
- 'https://blogs.technet.microsoft.com/wsus/2017/08/04/improving-dual-scan-on-1607/'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> DeferFeatureUpdates -> 1'
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> DeferFeatureUpdatesPeriodInDays -> n:^(\d+) compare >= 180'

# 18.9.102.1.3 (L1) Ensure 'Select when Quality Updates are received' is set to 'Enabled: 0 days' (Scored)
- id: 16757
title: "Ensure 'Select when Quality Updates are received' is set to 'Enabled: 0
days'"
description: "This setting controls when Quality Updates are received. The
recommended state for this setting is: Enabled: 0 days. Note: If the \"Allow
Telemetry\" policy is set to 0, this policy will have no effect. Note #2: Starting
with Windows Server 2016 RTM (Release 1607), Microsoft introduced a new Windows
Update (WU) client behavior called Dual Scan, with an eye to cloud-based update
management. In some cases, this Dual Scan feature can interfere with Windows
Updates from Windows Server Update Services (WSUS) and/or manual WU updates. If you
are using WSUS in your environment, you may need to set the above setting to Not
Configured or configure the setting Do not allow update deferral policies to cause
scans against Windows Update (added in the Windows 10 Release 1709 Administrative
Templates) in order to prevent the Dual Scan feature from interfering."
rationale: "Quality Updates can contain important bug fixes and/or security
patches, and should be installed as soon as possible."
remediation: "To establish the recommended configuration via GP, set the
following UI path to Enabled: 0 days: Computer Configuration\\Policies\\
Administrative Templates\\Windows Components\\Windows Update\\Windows Update for
Business\\Select when Quality Updates are received Note: This Group Policy path
does not exist by default. An updated Group Policy template
(WindowsUpdate.admx/adml) is required - it is included with the Microsoft Windows
10 Release 1607 & Server 2016 Administrative Templates (or newer)."
compliance:
- cis: ["18.9.102.1.3"]
- cis_csc: ["4.5"]
- pci_dss: ["6.2"]
- nist_800_53: ["SI.2","SA.11","SI.4"]
- gpg_13: ["4.3"]
- gdpr_IV: ["35.7.d"]
- hipaa: ["164.312.b"]
- tsc: ["A1.2","CC6.8"]
references:
- 'https://blogs.technet.microsoft.com/wsus/2017/05/05/demystifying-dual-scan/'
- 'https://blogs.technet.microsoft.com/wsus/2017/08/04/improving-dual-scan-on-1607/'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> DeferQualityUpdates -> 1'
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> DeferQualityUpdatesPeriodInDays -> 0'

# 18.9.102.2 Ensure 'Configure Automatic Updates' is set to 'Enabled'
- id: 16758
title: "Ensure 'Configure Automatic Updates' is set to 'Enabled'"
description: "This policy setting specifies whether computers in your
environment will receive security updates from Windows Update or WSUS. If you
configure this policy setting to Enabled, the operating system will recognize when
a network connection is available and then use the network connection to search
Windows Update or your designated intranet site for updates that apply to them.
After you configure this policy setting to Enabled, select one of the following
options in the Configure Automatic Updates Properties dialog box to specify how the
service will work: 2 - Notify for download and auto install (Notify before
downloading any updates) 3 - Auto download and notify for install (Download the
updates automatically and notify when they are ready to be installed.) (Default
setting) 4 - Auto download and schedule the install (Automatically download updates
and install them on the schedule specified below.) 5 - Allow local admin to choose
setting (Leave decision on above choices up to the local Administrators (Not
Recommended)) The recommended state for this setting is: Enabled. Note: The
sub-setting 'Configure automatic updating:' has 4 possible values - all of them are
valid depending on specific organizational needs, however if feasible we suggest
using a value of 4 - Auto download and schedule the install. This suggestion is not
a scored requirement. Note #2: Organizations that utilize a 3rd-party solution for
patching may choose to exempt themselves from this setting, and instead configure
it to Disabled so that the native Windows Update mechanism does not interfere with
the 3rd-party patching process."
rationale: "Although each version of Windows is thoroughly tested before
release, it is possible that problems will be discovered after the products are
shipped. The Configure Automatic Updates setting can help you ensure that the
computers in your environment will always have the most recent critical operating
system updates and service packs installed."
remediation: "To establish the recommended configuration via GP, set the
following UI path to Enabled: Computer Configuration\\Policies\\Administrative
Templates\\Windows Components\\Windows Update\\Configure Automatic Updates Note:
This Group Policy path is provided by the Group Policy template
WindowsUpdate.admx/adml that is included with all versions of the Microsoft Windows
Administrative Templates."
compliance:
- cis: ["18.9.102.2"]
- cis_csc: ["4.5"]
- pci_dss: ["6.2"]
- nist_800_53: ["SI.2","SA.11","SI.4"]
- gpg_13: ["4.3"]
- gdpr_IV: ["35.7.d"]
- hipaa: ["164.312.b"]
- tsc: ["A1.2","CC6.8"]
references:
- 'CCE-36172-5'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoUpdate -> 0'

# 18.9.102.3 Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day'
- id: 16759
title: "Ensure 'Configure Automatic Updates: Scheduled install day' is set to
'0 - Every day'"
description: "This policy setting specifies when computers in your environment
will receive security updates from Windows Update or WSUS. The recommended state
for this setting is: 0 - Every day. Note: This setting is only applicable if 4 -
Auto download and schedule the install is selected in Rule 18.9.102.2. It will have
no impact if any other option is selected."
rationale: "Although each version of Windows is thoroughly tested before
release, it is possible that problems will be discovered after the products are
shipped. The Configure Automatic Updates setting can help you ensure that the
computers in your environment will always have the most recent critical operating
system updates and service packs installed."
remediation: "To establish the recommended configuration via GP, set the
following UI path to 0 - Every day: Computer Configuration\\Policies\\
Administrative Templates\\Windows Components\\Windows Update\\Configure Automatic
Updates: Scheduled install day Note: This Group Policy path is provided by the
Group Policy template WindowsUpdate.admx/adml that is included with all versions of
the Microsoft Windows Administrative Templates."
compliance:
- cis: ["18.9.102.3"]
- cis_csc: ["4.5"]
- pci_dss: ["6.2"]
- nist_800_53: ["SI.2","SA.11","SI.4"]
- gpg_13: ["4.3"]
- gdpr_IV: ["35.7.d"]
- hipaa: ["164.312.b"]
- tsc: ["A1.2","CC6.8"]
references:
- 'CCE-36172-5'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> ScheduledInstallDay -> 0'

# 18.9.102.4 Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled'
- id: 16760
title: "Ensure 'No auto-restart with logged on users for scheduled automatic
updates installations' is set to 'Disabled'"
description: "This policy setting specifies that Automatic Updates will wait
for computers to be restarted by the users who are logged on to them to complete a
scheduled installation. The recommended state for this setting is: Disabled. Note:
This setting applies only when you configure Automatic Updates to perform scheduled
update installations. If you configure the Configure Automatic Updates setting to
Disabled, this setting has no effect."
rationale: "Some security updates require that the computer be restarted to
complete an installation. If the computer cannot restart automatically, then the
most recent update will not completely install and no new updates will download to
the computer until it is restarted. Without the auto-restart functionality, users
who are not security-conscious may choose to indefinitely delay the restart,
therefore keeping the computer in a less secure state."
remediation: "To establish the recommended configuration via GP, set the
following UI path to Disabled: Computer Configuration\\Policies\\Administrative
Templates\\Windows Components\\Windows Update\\No auto-restart with logged on users
for scheduled automatic updates installations Note: This Group Policy path is
provided by the Group Policy template WindowsUpdate.admx/adml that is included with
all versions of the Microsoft Windows Administrative Templates. Note #2: In older
Microsoft Windows Administrative Templates, this setting was initially named No
auto-restart for scheduled Automatic Updates installations, but it was renamed
starting with the Windows 7 & Server 2008 R2 Administrative Templates."
compliance:
- cis: ["18.9.102.4"]
- cis_csc: ["4.5"]
- pci_dss: ["6.2"]
- nist_800_53: ["SI.2","SA.11","SI.4"]
- gpg_13: ["4.3"]
- gdpr_IV: ["35.7.d"]
- hipaa: ["164.312.b"]
- tsc: ["A1.2","CC6.8"]
references:
- 'CCE-37027-0'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoRebootWithLoggedOnUsers -> 0'
