diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 16e4dc0..5589f97 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -20,7 +20,7 @@ jobs: - name: Setup Go uses: actions/setup-go@v5 with: - go-version: ${{ env.GO_VERSION }} + go-version: 1.24.5 - name: Checkout code uses: actions/checkout@v4 - name: Cached Go dependencies @@ -46,7 +46,7 @@ jobs: - name: Setup Go uses: actions/setup-go@v5 with: - go-version: 1.19.13 + go-version: 1.24.4 - name: Checkout code uses: actions/checkout@v4 - name: Run go mod tidy diff --git a/.github/workflows/release-snapshot.yml b/.github/workflows/release-snapshot.yml index 9e36361..06112aa 100644 --- a/.github/workflows/release-snapshot.yml +++ b/.github/workflows/release-snapshot.yml @@ -11,7 +11,7 @@ jobs: - name: Setup Go uses: actions/setup-go@v5 with: - go-version: 1.19.13 + go-version: 1.24.5 - name: Checkout code uses: actions/checkout@v4 - name: Dry-run release snapshot diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 1f6280c..ebcda54 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -11,7 +11,7 @@ jobs: - name: Setup Go uses: actions/setup-go@v5 with: - go-version: 1.19.13 + go-version: 1.24.5 - name: Checkout code uses: actions/checkout@v4 - name: Run go mod tidy diff --git a/cfg/CIS_Microsoft_Windows_Server_2019_Stand-alone_v2.0.0.yaml b/cfg/CIS_Microsoft_Windows_Server_2019_Stand-alone_v2.0.0.yaml index 0833039..4ec49a9 100644 --- a/cfg/CIS_Microsoft_Windows_Server_2019_Stand-alone_v2.0.0.yaml +++ b/cfg/CIS_Microsoft_Windows_Server_2019_Stand-alone_v2.0.0.yaml @@ -1,5 +1,5 @@ --- -version: 2.0.0 +version: "Windows Server 2019 Stand-Alone v2.0.0" id: 1 description: Account Policies type: server diff --git a/cfg/CIS_Microsoft_Windows_Server_2022_Benchmark_v2.0.0.yaml b/cfg/CIS_Microsoft_Windows_Server_2022_Benchmark_v2.0.0.yaml index ae2c108..fb2348c 100644 
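Review bot: The replacement line `go-version: 1.24.5` in the first build.yml hunk hard-codes the toolchain where the removed line read it from `env.GO_VERSION`, and the second hunk of the same file pins `go-version: 1.24.4`, so the two jobs in build.yml now run on different Go patch releases while release.yml and release-snapshot.yml pin 1.24.5. Patch releases carry standard-library fixes, so a release built on one toolchain and tested on another weakens what CI is attesting to; a single source of truth avoids the drift, either by keeping the `${{ env.GO_VERSION }}` reference in both jobs or by using `go-version-file: go.mod` in every setup-go step. If `env.GO_VERSION` was dropped from the workflow header outside this hunk, the literal should at least be the same value in both jobs. The enclosing job definitions start and end outside the hunk.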
--- a/cfg/CIS_Microsoft_Windows_Server_2022_Benchmark_v2.0.0.yaml +++ b/cfg/CIS_Microsoft_Windows_Server_2022_Benchmark_v2.0.0.yaml @@ -1,5 +1,5 @@ --- -version: 2.0.0 +version: "Windows Server 2022 v2.0.0" id: 1 description: Account Policies type: domain-controller diff --git a/cfg/CIS_Microsoft_Windows_Server_2022_Stand-alone_v1.0.0.yaml b/cfg/CIS_Microsoft_Windows_Server_2022_Stand-alone_v1.0.0.yaml new file mode 100644 index 0000000..7a7b591 --- /dev/null +++ b/cfg/CIS_Microsoft_Windows_Server_2022_Stand-alone_v1.0.0.yaml 
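Review bot: The new value `version: "Windows Server 2022 v2.0.0"` omits the profile qualifier that the sibling files carry (`"Windows Server 2019 Stand-Alone v2.0.0"` in the previous hunk and `"Windows Server 2022 Stand-Alone v1.0.0"` in the file added after this one), so the two 2022 profiles are distinguished in this field only by the absence of a word, with `type: domain-controller` as the sole explicit signal. If the field is meant as a human-readable label, naming the profile explicitly, e.g. `version: "Windows Server 2022 Domain-Controller v2.0.0"`, keeps the three files parallel and makes the two 2022 files tell apart at a glance. The field also no longer holds a bare version number; if anything downstream compares `version` numerically that is worth confirming, though nothing in this diff shows such a consumer.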
@@ -0,0 +1,8533 @@ +--- +version: "Windows Server 2022 Stand-Alone v1.0.0" +id: 1 +description: Account Policies +type: server +groups: + - id: 1.1 + description: Password Policy + checks: + - id: 1.1.1 + description: Ensure 'Enforce password history' is set to '24 or more + password(s)' (Automated) + audittype: powershell + audit: + cmd: + Server: > + SecEdit /export /cfg seccfg /areas SECURITYPOLICY /quiet; + (Get-Content seccfg | Select-String -Pattern 'PasswordHistorySize') -replace '[a-zA-Z:()= ]+', ''; + Remove-Item seccfg + tests: + test_items: + - flag: "" + compare: + op: gte + value: 24 + set: true + remediation: > + To establish the recommended configuration via GP, set the following UI path to 24 or more password(s): + Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy\Enforce password history + scored: true + - id: 1.1.2 + description: Ensure 'Maximum password age' is set to '365 or fewer days, but not 0' (Automated) + audittype: powershell + audit: + cmd: + Server: > + SecEdit /export /cfg seccfg /areas SECURITYPOLICY /quiet; + (Get-Content seccfg | Select-String -Pattern '^MaximumPasswordAge') -replace '[a-zA-Z:()= ]+', ''; + Remove-Item seccfg + tests: + bin_op: and + test_items: + - flag: "" + compare: + op: lte + value: 365 + set: true + - flag: "" + compare: + op: noteq + value: 0 + set: true + remediation: > + To establish the recommended configuration via GP, set the following UI path to 365 or fewer days, but not 0: + Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy\Maximum password age + scored: true + - id: 1.1.3 + description: Ensure 'Minimum password age' is set to '1 or more day(s)' (Automated) + audittype: powershell + audit: + cmd: + Server: > + SecEdit /export /cfg seccfg /areas SECURITYPOLICY /quiet; + (Get-Content seccfg | Select-String -Pattern '^MinimumPasswordAge') -replace '[a-zA-Z:()= ]+', ''; + Remove-Item seccfg + tests: + 
test_items: + - flag: "" + compare: + op: gte + value: 1 + set: true + remediation: > + To establish the recommended configuration via GP, set the following UI path to 1 or more day(s): + Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy\Minimum password age + scored: true + - id: 1.1.4 + description: Ensure 'Minimum password length' is set to '14 or more + character(s)' (Automated) + audittype: powershell + audit: + cmd: + Server: "(net accounts | Select-String -Pattern 'Minimum password length') -replace '[a-zA-Z: ]+', ''" + tests: + test_items: + - flag: "" + compare: + op: gte + value: 14 + set: true + remediation: > + To establish the recommended configuration via GP, set the + following UI path to 14 or more character(s): + Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy\Minimum password length + scored: true + - id: 1.1.5 + description: Ensure 'Password must meet complexity requirements' is set to 'Enabled' (Automated) + audittype: powershell + audit: + cmd: + Server: > + SecEdit /export /cfg seccfg /areas SECURITYPOLICY /quiet; + (Get-Content seccfg | Select-String -Pattern "PasswordComplexity") -replace '[a-zA-Z:()= ]+', ''; + Remove-Item seccfg + tests: + test_items: + - flag: "" + compare: + op: has + value: 1 + set: true + remediation: > + To establish the recommended configuration via GP, set the + following UI path to 14 or more character(s): + Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy\Password must meet complexity requirements + scored: true + - id: 1.1.6 + description: Ensure 'Relax minimum password length limits' is set to 'Enabled' (Automated) + audittype: powershell + audit: + cmd: + Server: > + Get-ItemPropertyValue "HKLM:\System\CurrentControlSet\Control\SAM" RelaxMinimumPasswordLengthLimits + tests: + test_items: + - flag: "" + compare: + op: eq + value: 1 + set: true + remediation: > + 
To establish the recommended configuration via GP, set the following UI path to Enabled: + Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy\Relax minimum password length limits + Note: This setting is only available within the built-in OS security template of Windows 10 Release 2004 and Server 2022 (or newer), and is not available via older versions of the OS, or via downloadable Administrative Templates (ADMX/ADML). Therefore, you must use a Windows 10 Release 2004 or Server 2022 system (or newer) to view or edit this setting with the Group Policy Management Console (GPMC) or Group Policy Management Editor (GPME). + scored: true + - id: 1.1.7 + description: Ensure 'Store passwords using reversible encryption' is set to 'Disabled' (Automated) + audittype: powershell + audit: + cmd: + Server: SecEdit /export /cfg seccfg /areas SECURITYPOLICY /quiet ; (Get-Content seccfg | Select-String -Pattern "ClearTextPassword") -replace '[a-zA-Z:()= ]+', ''; Remove-Item seccfg + tests: + test_items: + - flag: "" + compare: + op: eq + value: 0 + set: true + remediation: > + To establish the recommended configuration via GP, set the following UI path to + Disabled: + Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy\Store passwords using reversible encryption + scored: true + - id: 1.2 + description: Account Lockout Policy + checks: + - id: 1.2.1 + description: Ensure 'Account lockout duration' is set to '15 or more minute(s)' (Automated) + audittype: powershell + audit: + cmd: + Server: "(net accounts | Select-String -Pattern 'Lockout duration') -replace '[a-zA-Z(): ]+', ''" + tests: + test_items: + - flag: "" + compare: + op: gte + value: 15 + set: true + remediation: > + To establish the recommended configuration via GP, set the following UI path to 15 or more minute(s): + Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Account Lockout 
Policy\Account lockout duration + scored: true + - id: 1.2.2 + description: Ensure 'Account lockout threshold' is set to '5 or fewer invalid logon attempt(s), but not 0' (Automated) + audittype: powershell + audit: + cmd: + Server: "(net accounts | Select-String -Pattern 'Lockout threshold') -replace '[a-zA-Z: ]+', ''" + tests: + test_items: + - flag: "" + compare: + op: lte + value: 5 + set: true + - flag: "" + compare: + op: noteq + value: 0 + set: true + remediation: > + To establish the recommended configuration via GP, set the following UI path to 5 or fewer invalid login attempt(s), but not 0: + Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Account Lockout Policy\Account lockout threshold + scored: true + - id: 1.2.3 + description: Ensure 'Allow Administrator account lockout' is set to 'Enabled' (Manual) + audittype: powershell + audit: + cmd: + Server: > + SecEdit /export /cfg seccfg /areas SECURITYPOLICY /quiet ; (Get-Content seccfg | Select-String -Pattern "AllowAdministratorLockout") -replace '[a-zA-Z= ]+' ; Remove-Item seccfg + type: manual + remediation: > + To establish the recommended configuration via GP, set the following UI path to Enabled: + Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Account Lockout Policies\Allow Administrator account lockout + scored: true + + - id: 1.2.4 + description: Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)' (Automated) + audittype: powershell + audit: + cmd: + Server: "(net accounts | Select-String -Pattern 'Lockout observation window') -replace '[^\\d]', ''" + tests: + test_items: + - flag: "" + compare: + op: gte + value: 15 + set: true + remediation: > + To establish the recommended configuration via GP, set the following UI path to 15 or more minute(s): + Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Account Lockout Policy\Reset account lockout counter after + scored: 
true + + - id: 2.1 + description: Audit Policy + - id: 2.2 + description: User Rights Assignment + checks: + - id: 2.2.1 + description: Ensure 'Access Credential Manager as a trusted caller' is set to 'No One' (Automated) + audittype: powershell + audit: + cmd: + Server: SecEdit /export /cfg seccfg /areas USER_RIGHTS /quiet ; Get-Content seccfg | Select-String -Pattern "SeTrustedCredManAccessPrivilege" ; Remove-Item seccfg + tests: + test_items: + - flag: "" + compare: + op: eq + value: "" + set: true + remediation: > + To establish the recommended configuration via GP, set the following UI path to "No One": + Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Access Credential Manager as a trusted caller + scored: true + - id: 2.2.2 + description: Ensure 'Access this computer from the network' is set to 'Administrators, Authenticated Users (Automated) + audittype: powershell + audit: + cmd: + Server: SecEdit /export /cfg seccfg /areas USER_RIGHTS /quiet ; (Get-Content seccfg | Select-String -Pattern "SeNetworkLogonRight") -replace '^.*= |[*]' ; Remove-Item seccfg + tests: + test_items: + - flag: "" + compare: + op: valid_elements + value: "S-1-5-32-544,S-1-5-11" + set: true + remediation: > + To establish the recommended configuration via GP, configure the following UI path: + Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Access this computer from the network + scored: true + - id: 2.2.3 + description: Ensure 'Act as part of the operating system' is set to 'No One' (Automated) + audittype: powershell + audit: + cmd: + Server: SecEdit /export /cfg seccfg /areas USER_RIGHTS /quiet ; Get-Content seccfg | Select-String -Pattern "SeTcbPrivilege" ; Remove-Item seccfg + tests: + test_items: + - flag: "" + compare: + op: eq + value: "" + set: true + remediation: > + To establish the recommended configuration via GP, set the following UI path to "No One": + 
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Act as part of the operating system + scored: true + - id: 2.2.4 + description: Ensure 'Adjust memory quotas for a process' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE' (Automated) + audittype: powershell + audit: + cmd: + Server: SecEdit /export /cfg seccfg /areas USER_RIGHTS /quiet ; (Get-Content seccfg | Select-String -Pattern "SeIncreaseQuotaPrivilege") -replace '^.*= |[*]' ; Remove-Item seccfg + tests: + test_items: + - flag: "" + compare: + op: valid_elements + value: "S-1-5-19,S-1-5-20,S-1-5-32-544" + set: true + remediation: > + To establish the recommended configuration via GP, set the following UI path to + Administrators, LOCAL SERVICE, NETWORK SERVICE: + Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Adjust memory quotas for a process + scored: true + - id: 2.2.5 + description: Ensure 'Allow log on locally' is set to 'Administrators' (Automated) + audittype: powershell + audit: + cmd: + Server: SecEdit /export /cfg seccfg /areas USER_RIGHTS /quiet ; (Get-Content seccfg | Select-String -Pattern "SeInteractiveLogonRight") -replace '^.*= |[*]' ; Remove-Item seccfg + tests: + test_items: + - flag: "" + compare: + op: eq + value: "S-1-5-32-544" + set: true + remediation: > + To establish the recommended configuration via GP, configure the following UI path: + Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Allow log on locally + scored: true + - id: 2.2.6 + description: Ensure 'Allow log on through Remote Desktop Services' is set to 'Administrators, Remote Desktop Users' (Automated) + audittype: powershell + audit: + cmd: + Server: SecEdit /export /cfg seccfg /areas USER_RIGHTS /quiet ; (Get-Content seccfg | Select-String -Pattern "SeRemoteInteractiveLogonRight") -replace '^.*= |[*]' ; Remove-Item seccfg + tests: + test_items: + 
- flag: "" + compare: + op: valid_elements + value: "S-1-5-32-544,S-1-5-32-555" + bin_op: or + remediation: > + To establish the recommended configuration via GP, configure the following UI path: + Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Allow log on through Remote Desktop Services + scored: true + - id: 2.2.7 + description: Ensure 'Back up files and directories' is set to 'Administrators' (Automated) + audittype: powershell + audit: + cmd: + Server: SecEdit /export /cfg seccfg /areas USER_RIGHTS /quiet ; (Get-Content seccfg | Select-String -Pattern "SeBackupPrivilege") -replace '^.*= |[*]' ; Remove-Item seccfg + tests: + test_items: + - flag: "" + compare: + op: eq + value: "S-1-5-32-544" + set: true + remediation: > + To establish the recommended configuration via GP, set the following UI path to Administrators. + Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Back up files and directories + scored: true + - id: 2.2.8 + description: Ensure 'Change the system time' is set to 'Administrators, LOCAL SERVICE' (Automated) + audittype: powershell + audit: + cmd: + Server: SecEdit /export /cfg seccfg /areas USER_RIGHTS /quiet ; (Get-Content seccfg | Select-String -Pattern "SeSystemtimePrivilege") -replace '^.*= |[*]' ; Remove-Item seccfg + tests: + test_items: + - flag: "" + compare: + op: valid_elements + value: "S-1-5-19,S-1-5-32-544" + set: true + remediation: > + To establish the recommended configuration via GP, set the following UI path to Administrators, LOCAL SERVICE: + Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Change the system time + scored: true + - id: 2.2.9 + description: Ensure 'Change the time zone' is set to 'Administrators, LOCAL SERVICE' (Automated) + audittype: powershell + audit: + cmd: + Server: SecEdit /export /cfg seccfg /areas USER_RIGHTS /quiet ; (Get-Content 
seccfg | Select-String -Pattern "SeTimeZonePrivilege") -replace '^.*= |[*]' ; Remove-Item seccfg + tests: + test_items: + - flag: "" + compare: + op: valid_elements + value: "S-1-5-19,S-1-5-32-544" + set: true + remediation: > + To establish the recommended configuration via GP, set the following UI path to + Administrators, LOCAL SERVICE: + Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Change the time zone + scored: true + - id: 2.2.10 + description: Ensure 'Create a pagefile' is set to 'Administrators' (Automated) + audittype: powershell + audit: + cmd: + Server: SecEdit /export /cfg seccfg /areas USER_RIGHTS /quiet ; (Get-Content seccfg | Select-String -Pattern "SeCreatePagefilePrivilege") -replace '^.*= |[*]' ; Remove-Item seccfg + tests: + test_items: + - flag: "" + compare: + op: eq + value: "S-1-5-32-544" + set: true + remediation: > + To establish the recommended configuration via GP, set the following UI path to + Administrators: + Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Create a pagefile + scored: true + - id: 2.2.11 + description: Ensure 'Create a token object' is set to 'No One' (Automated) + audittype: powershell + audit: + cmd: + Server: SecEdit /export /cfg seccfg /areas USER_RIGHTS /quiet ; (Get-Content seccfg | Select-String -Pattern "SeCreateTokenPrivilege") -replace '^.*= |[*]' ; Remove-Item seccfg + tests: + test_items: + - flag: "" + compare: + op: eq + value: "" + set: true + remediation: > + To establish the recommended configuration via GP, set the following UI path to No One: + Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Create a token object + scored: true + - id: 2.2.12 + description: Ensure 'Create global objects' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE' (Automated) + audittype: powershell + audit: + cmd: + MemberServer: SecEdit 
/export /cfg seccfg /areas USER_RIGHTS /quiet ; (Get-Content seccfg | Select-String -Pattern "SeCreateGlobalPrivilege") -replace '^.*= |[*]' ; Remove-Item seccfg + Server: SecEdit /export /cfg seccfg /areas USER_RIGHTS /quiet ; (Get-Content seccfg | Select-String -Pattern "SeCreateGlobalPrivilege") -replace '^.*= |[*]' ; Remove-Item seccfg + tests: + test_items: + - flag: "" + compare: + op: eq + value: "S-1-5-19,S-1-5-20,S-1-5-32-544,S-1-5-6" + set: true + remediation: > + To establish the recommended configuration via GP, set the following UI path to + Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE: + Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Create global objects + scored: true + - id: 2.2.13 + description: Ensure 'Create permanent shared objects' is set to 'No One' (Automated) + audittype: powershell + audit: + cmd: + Server: SecEdit /export /cfg seccfg /areas USER_RIGHTS /quiet ; (Get-Content seccfg | Select-String -Pattern "SeCreatePermanentPrivilege") -replace '^.*= |[*]' ; Remove-Item seccfg + tests: + test_items: + - flag: "" + compare: + op: eq + value: "" + set: true + remediation: > + To establish the recommended configuration via GP, set the following UI path to No One: + Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Create permanent shared objects + scored: true + - id: 2.2.14 + description: Ensure 'Create symbolic links' is set to 'Administrators, NT VIRTUAL MACHINE\Virtual Machines' (Automated) + audittype: powershell + audit: + cmd: + Server: SecEdit /export /cfg seccfg /areas USER_RIGHTS /quiet ; (Get-Content seccfg | Select-String -Pattern "SeCreateSymbolicLinkPrivilege") -replace '^.*= |[*]' ; Remove-Item seccfg + tests: + test_items: + - flag: "" + compare: + op: valid_elements + value: "S-1-5-83-0,S-1-5-32-544" + set: true + remediation: > + To implement the recommended configuration state, configure the following 
UI path: + Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Create symbolic links + scored: true + - id: 2.2.15 + description: Ensure 'Debug programs' is set to 'Administrators' (Automated) + audittype: powershell + audit: + cmd: + Server: SecEdit /export /cfg seccfg /areas USER_RIGHTS /quiet ; (Get-Content seccfg | Select-String -Pattern "SeDebugPrivilege") -replace '^.*= |[*]' ; Remove-Item seccfg + tests: + test_items: + - flag: "" + compare: + op: eq + value: "S-1-5-32-544" + set: true + remediation: > + To establish the recommended configuration via GP, set the following UI path to + Administrators: + Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Debug programs + scored: true + - id: 2.2.16 + description: Ensure 'Deny access to this computer from the network' to include 'Guests' (Automated) + audittype: powershell + audit: + cmd: + Server: SecEdit /export /cfg seccfg /areas USER_RIGHTS /quiet ; (Get-Content seccfg | Select-String -Pattern "SeDenyNetworkLogonRight") -replace '^.*= |[*]' ; Remove-Item seccfg + tests: + test_items: + - flag: "" + compare: + op: has + value: "S-1-5-32-546" + set: true + remediation: > + To establish the recommended configuration via GP, configure the following UI path: + Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny access to this computer from the network + scored: true + - id: 2.2.17 + description: Ensure 'Deny log on as a batch job' to include 'Guests' (Automated) + audittype: powershell + audit: + cmd: + Server: SecEdit /export /cfg seccfg /areas USER_RIGHTS /quiet ; (Get-Content seccfg | Select-String -Pattern "SeDenyBatchLogonRight") -replace '^.*= |[*]' ; Remove-Item seccfg + tests: + test_items: + - flag: "" + compare: + op: has + value: "S-1-5-32-546" + set: true + remediation: > + To establish the recommended configuration via GP, set the 
following UI path to include Guests: + Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny log on as a batch job + scored: true + - id: 2.2.18 + description: Ensure 'Deny log on as a service' to include 'Guests' (Automated) + audittype: powershell + audit: + cmd: + Server: SecEdit /export /cfg seccfg /areas USER_RIGHTS /quiet ; (Get-Content seccfg | Select-String -Pattern "SeDenyServiceLogonRight") -replace '^.*= |[*]' ; Remove-Item seccfg + tests: + test_items: + - flag: "" + compare: + op: has + value: "S-1-5-32-546" + set: true + remediation: > + To establish the recommended configuration via GP, set the following UI path to include Guests: + Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny log on as a service + scored: true + - id: 2.2.19 + description: Ensure 'Deny log on locally' to include 'Guests' (Automated) + audittype: powershell + audit: + cmd: + Server: SecEdit /export /cfg seccfg /areas USER_RIGHTS /quiet ; (Get-Content seccfg | Select-String -Pattern "SeDenyInteractiveLogonRight") -replace '^.*= |[*]' ; Remove-Item seccfg + tests: + test_items: + - flag: "" + compare: + op: has + value: "S-1-5-32-546" + set: true + remediation: > + To establish the recommended configuration via GP, set the following UI path to include Guests: + Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny log on locally + scored: true + - id: 2.2.20 + description: Ensure 'Deny log on through Remote Desktop Services' is set to 'Guests' (Automated) + audittype: powershell + audit: + cmd: + Server: SecEdit /export /cfg seccfg /areas USER_RIGHTS /quiet ; (Get-Content seccfg | Select-String -Pattern "SeDenyRemoteInteractiveLogonRight") -replace '^.*= |[*]' ; Remove-Item seccfg + tests: + test_items: + - flag: "" + compare: + op: has + value: "S-1-5-32-546" + set: true + remediation: > + To establish the 
recommended configuration via GP, configure the following UI path: + Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny log on through Remote Desktop Services + scored: true + - id: 2.2.21 + description: Ensure 'Enable computer and user accounts to be trusted for delegation' is set to 'No One' (Automated) + audittype: powershell + audit: + cmd: + Server: SecEdit /export /cfg seccfg /areas USER_RIGHTS /quiet ; (Get-Content seccfg | Select-String -Pattern "SeEnableDelegationPrivilege") -replace '^.*= |[*]' ; Remove-Item seccfg + tests: + test_items: + - flag: "" + compare: + op: eq + value: "" + set: true + remediation: > + To establish the recommended configuration via GP, configure the following UI path: + Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Enable computer and user accounts to be trusted for delegation + scored: true + - id: 2.2.22 + description: Ensure 'Force shutdown from a remote system' is set to 'Administrators' (Automated) + audittype: powershell + audit: + cmd: + Server: SecEdit /export /cfg seccfg /areas USER_RIGHTS /quiet ; (Get-Content seccfg | Select-String -Pattern "SeRemoteShutdownPrivilege") -replace '^.*= |[*]' ; Remove-Item seccfg + tests: + test_items: + - flag: "" + compare: + op: eq + value: "S-1-5-32-544" + set: true + remediation: > + To establish the recommended configuration via GP, set the following UI path to Administrators: + Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Force shutdown from a remote system + scored: true + - id: 2.2.23 + description: Ensure 'Generate security audits' is set to 'LOCAL SERVICE, NETWORK SERVICE' (Automated) + audittype: powershell + audit: + cmd: + Server: SecEdit /export /cfg seccfg /areas USER_RIGHTS /quiet ; (Get-Content seccfg | Select-String -Pattern "SeAuditPrivilege") -replace '^.*= |[*]' ; Remove-Item seccfg + tests: 
+ test_items: + - flag: "" + compare: + op: eq + value: "S-1-5-19,S-1-5-20" + set: true + remediation: > + To establish the recommended configuration via GP, set the following UI path to LOCAL SERVICE, NETWORK SERVICE: + Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Generate security audits + scored: true + - id: 2.2.24 + description: Ensure 'Impersonate a client after authentication' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE' and (when the Web Server (IIS) Role with Web Services Role Service is installed) 'IIS_IUSRS' (Automated) + audittype: powershell + audit: + cmd: + Server: SecEdit /export /cfg seccfg /areas USER_RIGHTS /quiet ; (Get-Content seccfg | Select-String -Pattern "SeImpersonatePrivilege") -replace '^.*= |[*]' ; Remove-Item seccfg + tests: + test_items: + - flag: "" + compare: + op: valid_elements + value: "S-1-5-19,S-1-5-20,S-1-5-32-544,S-1-5-6,S-1-5-32-568" + set: true + remediation: > + To establish the recommended configuration via GP, configure the following UI path: + Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Impersonate a client after authentication + scored: true + - id: 2.2.25 + description: Ensure 'Increase scheduling priority' is set to 'Administrators, Window Manager\Window Manager Group' (Automated) + audittype: powershell + audit: + cmd: + Server: SecEdit /export /cfg seccfg /areas USER_RIGHTS /quiet ; (Get-Content seccfg | Select-String -Pattern "SeIncreaseBasePriorityPrivilege") -replace '^.*= |[*]' ; Remove-Item seccfg + tests: + test_items: + - flag: "" + compare: + op: eq + value: "S-1-5-32-544,S-1-5-90-0" + set: true + remediation: > + To establish the recommended configuration via GP, set the following UI path to Administrators, Window Manager\Window Manager Group: + Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Increase 
scheduling priority + scored: true + - id: 2.2.26 + description: Ensure 'Load and unload device drivers' is set to 'Administrators' (Automated) + audittype: powershell + audit: + cmd: + Server: SecEdit /export /cfg seccfg /areas USER_RIGHTS /quiet ; (Get-Content seccfg | Select-String -Pattern "SeLoadDriverPrivilege") -replace '^.*= |[*]' ; Remove-Item seccfg + tests: + test_items: + - flag: "" + compare: + op: eq + value: "S-1-5-32-544" + set: true + remediation: > + To establish the recommended configuration via GP, set the following UI path to Administrators: + Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Load and unload device drivers + scored: true + - id: 2.2.27 + description: Ensure 'Lock pages in memory' is set to 'No One' (Automated) + audittype: powershell + audit: + cmd: + Server: SecEdit /export /cfg seccfg /areas USER_RIGHTS /quiet ; (Get-Content seccfg | Select-String -Pattern "SeLockMemoryPrivilege") -replace '^.*= |[*]' ; Remove-Item seccfg + tests: + test_items: + - flag: "" + compare: + op: eq + value: "" + set: true + remediation: > + To establish the recommended configuration via GP, set the following UI path to No One: + Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Lock pages in memory + scored: true + - id: 2.2.28 + description: Ensure 'Manage auditing and security log' is set to 'Administrators' (Automated) + audittype: powershell + audit: + cmd: + Server: SecEdit /export /cfg seccfg /areas USER_RIGHTS /quiet ; (Get-Content seccfg | Select-String -Pattern "SeSecurityPrivilege") -replace '^.*= |[*]' ; Remove-Item seccfg + tests: + test_items: + - flag: "" + compare: + op: valid_elements + value: "S-1-5-32-544" + set: true + remediation: > + To establish the recommended configuration via GP, configure the following UI path: + Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights 
Assignment\Manage auditing and security log + scored: true + - id: 2.2.29 + description: Ensure 'Modify an object label' is set to 'No One' (Automated) + audittype: powershell + audit: + cmd: + Server: SecEdit /export /cfg seccfg /areas USER_RIGHTS /quiet ; (Get-Content seccfg | Select-String -Pattern "SeRelabelPrivilege") -replace '^.*= |[*]' ; Remove-Item seccfg + tests: + test_items: + - flag: "" + compare: + op: eq + value: "" + set: true + remediation: > + To establish the recommended configuration via GP, set the following UI path to No One: + Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Modify an object label + scored: true + - id: 2.2.30 + description: Ensure 'Modify firmware environment values' is set to 'Administrators' (Automated) + audittype: powershell + audit: + cmd: + Server: SecEdit /export /cfg seccfg /areas USER_RIGHTS /quiet ; (Get-Content seccfg | Select-String -Pattern "SeSystemEnvironmentPrivilege") -replace '^.*= |[*]' ; Remove-Item seccfg + tests: + test_items: + - flag: "" + compare: + op: eq + value: "S-1-5-32-544" + set: true + remediation: > + To establish the recommended configuration via GP, set the following UI path to Administrators: + Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Modify firmware environment values + scored: true + - id: 2.2.31 + description: Ensure 'Perform volume maintenance tasks' is set to 'Administrators' (Automated) + audittype: powershell + audit: + cmd: + Server: SecEdit /export /cfg seccfg /areas USER_RIGHTS /quiet ; (Get-Content seccfg | Select-String -Pattern "SeManageVolumePrivilege") -replace '^.*= |[*]' ; Remove-Item seccfg + tests: + test_items: + - flag: "" + compare: + op: eq + value: "S-1-5-32-544" + set: true + remediation: > + To establish the recommended configuration via GP, set the following UI path to Administrators: + Computer Configuration\Policies\Windows Settings\Security 
Settings\Local Policies\User Rights Assignment\Perform volume maintenance tasks
+ scored: true
+ - id: 2.2.32
+ description: Ensure 'Profile single process' is set to 'Administrators' (Automated)
+ audittype: powershell
+ audit:
+ cmd:
+ Server: SecEdit /export /cfg seccfg /areas USER_RIGHTS /quiet ; (Get-Content seccfg | Select-String -Pattern "SeProfileSingleProcessPrivilege") -replace '^.*= |[*]' ; Remove-Item seccfg
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "S-1-5-32-544"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to Administrators:
+ Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Profile single process
+ scored: true
+ - id: 2.2.33
+ description: Ensure 'Profile system performance' is set to 'Administrators, NT SERVICE\WdiServiceHost' (Automated)
+ audittype: powershell
+ audit:
+ cmd:
+ Server: SecEdit /export /cfg seccfg /areas USER_RIGHTS /quiet ; (Get-Content seccfg | Select-String -Pattern "SeSystemProfilePrivilege") -replace '^.*= |[*]' ; Remove-Item seccfg
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "S-1-5-32-544,S-1-5-80-3139157870-2983391045-3678747466-658725712-1809340420"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to Administrators, NT SERVICE\WdiServiceHost:
+ Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Profile system performance
+ scored: true
+ - id: 2.2.34
+ description: Ensure 'Replace a process level token' is set to 'LOCAL SERVICE, NETWORK SERVICE' (Automated)
+ audittype: powershell
+ audit:
+ cmd:
+ Server: SecEdit /export /cfg seccfg /areas USER_RIGHTS /quiet ; (Get-Content seccfg | Select-String -Pattern "SeAssignPrimaryTokenPrivilege") -replace '^.*= |[*]' ; Remove-Item seccfg
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: 
"S-1-5-19,S-1-5-20"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to LOCAL SERVICE, NETWORK SERVICE:
+ Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Replace a process level token
+ scored: true
+ - id: 2.2.35
+ description: Ensure 'Restore files and directories' is set to 'Administrators' (Automated)
+ audittype: powershell
+ audit:
+ cmd:
+ Server: SecEdit /export /cfg seccfg /areas USER_RIGHTS /quiet ; (Get-Content seccfg | Select-String -Pattern "SeRestorePrivilege") -replace '^.*= |[*]' ; Remove-Item seccfg
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "S-1-5-32-544"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to Administrators:
+ Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Restore files and directories
+ scored: true
+ - id: 2.2.36
+ description: Ensure 'Shut down the system' is set to 'Administrators' (Automated)
+ audittype: powershell
+ audit:
+ cmd:
+ Server: SecEdit /export /cfg seccfg /areas USER_RIGHTS /quiet ; (Get-Content seccfg | Select-String -Pattern "SeShutdownPrivilege") -replace '^.*= |[*]' ; Remove-Item seccfg
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "S-1-5-32-544"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to Administrators:
+ Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Shut down the system
+ scored: true
+ - id: 2.2.37
+ description: Ensure 'Take ownership of files or other objects' is set to 'Administrators' (Automated)
+ audittype: powershell
+ audit:
+ cmd:
+ Server: SecEdit /export /cfg seccfg /areas USER_RIGHTS /quiet ; (Get-Content seccfg | Select-String -Pattern "SeTakeOwnershipPrivilege") -replace '^.*= |[*]' ; Remove-Item 
seccfg
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "S-1-5-32-544"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to Administrators:
+ Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Take ownership of files or other objects
+ scored: true
+ - id: 2.3
+ description: Security Options
+ checks:
+ - id: 2.3.1
+ description: "Accounts"
+ type: "skip"
+ checks:
+ - id: 2.3.1.1
+ description: >
+ Ensure 'Accounts: Guest account status' is set to 'Disabled' (Automated)
+ audittype: powershell
+ audit:
+ cmd:
+ Server: SecEdit /export /cfg seccfg /areas SECURITYPOLICY /quiet ; (Get-Content seccfg | Select-String -Pattern "EnableGuestAccount") -replace '^.*= |[*]' ; Remove-Item seccfg
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "0"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to Disabled:
+ Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Accounts: Guest account status
+ scored: true
+ - id: 2.3.1.2
+ description: |
+ Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled' (Automated)
+ audittype: powershell
+ audit:
+ cmd:
+ Server: (Get-ItemProperty -PATH "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa").LimitBlankPasswordUse
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "1"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to Enabled:
+ Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Accounts: Limit local account use of blank passwords to console logon only
+ scored: true
+ - id: 2.3.1.3
+ description: >
+ Configure 'Accounts: Rename administrator account' (Automated)
+ audittype: powershell
+ audit:
+ cmd:
+ Server: SecEdit /export 
/cfg seccfg /areas SecurityPolicy /quiet ; (Get-Content seccfg | Select-String -Pattern "NewAdministratorName") -replace '.*"([^"]+)".*','$1' ; Remove-Item seccfg
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: noteq
+ value: "Administrator"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, configure the following UI path:
+ Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Accounts: Rename administrator account
+ scored: true
+ - id: 2.3.1.4
+ description: >
+ Configure 'Accounts: Rename guest account' (Automated)
+ audittype: powershell
+ audit:
+ cmd:
+ Server: SecEdit /export /cfg seccfg /areas SecurityPolicy /quiet ; (Get-Content seccfg | Select-String -Pattern "NewGuestName") -replace '.*"([^"]+)".*','$1' ; Remove-Item seccfg
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: noteq
+ value: "Guest"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, configure the following UI path:
+ Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Accounts: Rename guest account
+ scored: true
+ - id: 2.3.2
+ description: "Audit"
+ type: "skip"
+ checks:
+ - id: 2.3.2.1
+ description: "Ensure 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' is set to 'Enabled' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: (Get-ItemProperty -PATH "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa").SCENoApplyLegacyAuditPolicy
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "1"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to 'Enabled':
+ Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings
+ scored: true
+ - id: 
2.3.2.2
+ description: "Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: (Get-ItemProperty -PATH "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa").CrashOnAuditFail
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "0"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to 'Disabled':
+ Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Audit: Shut down system immediately if unable to log security audits
+ scored: true
+ - id: 2.3.3
+ description: "DCOM"
+ type: "skip"
+ - id: 2.3.4
+ description: "Devices"
+ type: "skip"
+ checks:
+ - id: 2.3.4.1
+ description: "Ensure 'Devices: Prevent users from installing printer drivers' is set to 'Enabled' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: (Get-ItemProperty -PATH 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers').AddPrinterDrivers
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "1"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to Enabled:
+ Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Devices: Prevent users from installing printer drivers
+ scored: true
+ - id: 2.3.5
+ description: "Domain controller"
+ type: "skip"
+ - id: 2.3.6
+ description: "Domain member"
+ type: "skip"
+ - id: 2.3.7
+ description: "Interactive logon"
+ type: "skip"
+ checks:
+ - id: 2.3.7.1
+ description: "Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: (Get-ItemProperty -PATH 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System').DisableCAD
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "0"
+ set: true
+ 
remediation: >
+ To establish the recommended configuration via GP, set the following UI path to 'Disabled':
+ Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Do not require CTRL+ALT+DEL
+ scored: true
+ - id: 2.3.7.2
+ description: "Ensure 'Interactive logon: Don't display last signed-in' is set to 'Enabled' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: (Get-ItemProperty -PATH 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System').DontDisplayLastUserName
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "1"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to 'Enabled':
+ Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Don't display last signed-in
+ scored: true
+ - id: 2.3.7.3
+ description: "Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: (Get-ItemProperty -PATH 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System').InactivityTimeoutSecs -replace '^$', '0'
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: lte
+ value: 900
+ set: true
+ - flag: ""
+ compare:
+ op: noteq
+ value: 0
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to '900 or fewer seconds, but not 0':
+ Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Machine inactivity limit
+ scored: true
+ - id: 2.3.7.4
+ description: "Configure 'Interactive logon: Message text for users attempting to log on' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: (Get-ItemPropertyValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' LegalNoticeText) -replace '\x00', "NA"
+ tests:
+ test_items:
+ - 
flag: ""
+ compare:
+ op: noteq
+ value: "NA"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, configure the following UI path to a value that is consistent with the security and operational requirements of your organization:
+ Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Message text for users attempting to log on
+ scored: true
+ - id: 2.3.7.5
+ description: "Configure 'Interactive logon: Message title for users attempting to log on' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: (Get-ItemProperty -PATH 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System').LegalNoticeCaption
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: noteq
+ value: ""
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, configure the following UI path to a value that is consistent with the security and operational requirements of your organization:
+ Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Message title for users attempting to log on
+ scored: true
+ - id: 2.3.7.6
+ description: "Ensure 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: (Get-ItemProperty -PATH 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon').PasswordExpiryWarning -replace '^$', '0'
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: lte
+ value: 14
+ set: true
+ - flag: ""
+ compare:
+ op: gte
+ value: 5
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to a value 'between 5 and 14 days':
+ Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Prompt user to change password before expiration
+ scored: true
+ - id: 2.3.7.7
+ 
description: "Ensure 'Interactive logon: Smart card removal behavior' is set to 'Lock Workstation' or higher (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: >
+ (Get-ItemProperty -PATH 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon').ScRemoveOption -replace '^$', '0'
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: gte
+ value: 1
+ set: true
+ - flag: ""
+ compare:
+ op: lte
+ value: 3
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to Lock Workstation (or, if applicable, Force Logoff or Disconnect if a Remote Desktop Services session):
+ Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Smart card removal behavior
+ scored: true
+ - id: 2.3.8
+ description: "Microsoft network client"
+ type: "skip"
+ checks:
+ - id: 2.3.8.1
+ description: "Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled'"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: (Get-ItemProperty -PATH 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters').RequireSecuritySignature
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "1"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to Enabled:
+ Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network client: Digitally sign communications (always)
+ scored: true
+ - id: 2.3.8.2
+ description: "Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: (Get-ItemProperty -PATH 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters').EnableSecuritySignature
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "1"
+ set: true
+ remediation: >
+ To establish the recommended 
configuration via GP, set the following UI path to Enabled:
+ Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network client: Digitally sign communications (if server agrees)
+ scored: true
+ - id: 2.3.8.3
+ description: "Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled'"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: (Get-ItemProperty -PATH 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters').EnablePlainTextPassword
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "0"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to Disabled:
+ Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network client: Send unencrypted password to third-party SMB servers
+ scored: true
+ - id: 2.3.9
+ description: "Microsoft network server"
+ type: "skip"
+ checks:
+ - id: 2.3.9.1
+ description: "Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s)' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: (Get-ItemProperty -PATH 'HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters').AutoDisconnect -replace '^$', '0'
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: lte
+ value: "15"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to 15 or fewer minute(s):
+ Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network server: Amount of idle time required before suspending session
+ scored: true
+ - id: 2.3.9.2
+ description: "Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: (Get-ItemProperty -PATH 
'HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters').RequireSecuritySignature
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "1"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to Enabled:
+ Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network server: Digitally sign communications (always)
+ scored: true
+ - id: 2.3.9.3
+ description: "Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: (Get-ItemProperty -PATH 'HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters').EnableSecuritySignature
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "1"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to Enabled:
+ Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network server: Digitally sign communications (if client agrees)
+ scored: true
+ - id: 2.3.9.4
+ description: "Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: (Get-ItemProperty -PATH 'HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters').enableforcedlogoff
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "1"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to Enabled:
+ Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network server: Disconnect clients when logon hours expire
+ scored: true
+ - id: 2.3.9.5
+ description: "Ensure 'Microsoft network server: Server SPN target name validation level' is set to 'Accept if provided by client' or higher 
(Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: (Get-ItemProperty -PATH 'HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters').SMBServerNameHardeningLevel -replace '^$', '0'
+ tests:
+ bin_op: or
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: 1
+ - flag: ""
+ compare:
+ op: eq
+ value: 2
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to Accept
+ if provided by client (configuring to Required from client also conforms to the benchmark):
+ Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network server: Server SPN target name validation level
+ scored: true
+ - id: 2.3.10
+ description: "Network access"
+ type: "skip"
+ checks:
+ - id: 2.3.10.1
+ description: "Ensure 'Network access: Allow anonymous SID/Name translation' is set to 'Disabled' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: SecEdit /export /cfg seccfg /areas SecurityPolicy /quiet ; (Get-Content seccfg | Select-String -Pattern "LSAAnonymousNameLookup") -replace '^.*= |[*]' ; Remove-Item seccfg
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "0"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to Disabled:
+ Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Allow anonymous SID/Name translation
+ scored: true
+ - id: 2.3.10.2
+ description: "Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: (Get-ItemProperty -PATH 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa').RestrictAnonymousSAM
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "1"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to Enabled:
+ Computer 
Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Do not allow anonymous enumeration of SAM accounts
+ scored: true
+ - id: 2.3.10.3
+ description: "Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is set to 'Enabled' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: (Get-ItemProperty -PATH 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa').RestrictAnonymous
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "1"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to Enabled:
+ Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Do not allow anonymous enumeration of SAM accounts and shares
+ scored: true
+ - id: 2.3.10.4
+ description: "Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: (Get-ItemProperty -PATH 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa').DisableDomainCreds
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "1"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to Enabled:
+ Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Do not allow storage of passwords and credentials for network authentication
+ scored: true
+ - id: 2.3.10.5
+ description: "Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: (Get-ItemProperty -PATH 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa').EveryoneIncludesAnonymous
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "0"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the 
following UI path to Disabled:
+ Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Let Everyone permissions apply to anonymous users
+ scored: true
+ - id: 2.3.10.6
+ description: "Ensure 'Network access: Named Pipes that can be accessed anonymously' is configured (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: (Get-ItemProperty -PATH 'HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters').NullSessionPipes
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: ""
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, configure the following UI path:
+ Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Named Pipes that can be accessed anonymously
+ scored: true
+ - id: 2.3.10.7
+ description: "Configure 'Network access: Remotely accessible registry paths' is configured (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: (Get-ItemProperty -PATH 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths').Machine
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "System\\CurrentControlSet\\Control\\ProductOptions\r\nSystem\\CurrentControlSet\\Control\\Server Applications\r\nSoftware\\Microsoft\\Windows NT\\CurrentVersion"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to:
+ System\CurrentControlSet\Control\ProductOptions
+ System\CurrentControlSet\Control\Server Applications
+ Software\Microsoft\Windows NT\CurrentVersion
+
+ Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Remotely accessible registry paths
+ scored: true
+ - id: 2.3.10.8
+ description: "Configure 'Network access: Remotely accessible registry paths and sub-paths' is configured (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: 
(Get-ItemProperty -PATH 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths').Machine
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "System\\CurrentControlSet\\Control\\Print\\Printers\r\nSystem\\CurrentControlSet\\Services\\Eventlog\r\nSoftware\\Microsoft\\OLAP Server\r\nSoftware\\Microsoft\\Windows NT\\CurrentVersion\\Print\r\nSoftware\\Microsoft\\Windows NT\\CurrentVersion\\Windows\r\nSystem\\CurrentControlSet\\Control\\ContentIndex\r\nSystem\\CurrentControlSet\\Control\\Terminal Server\r\nSystem\\CurrentControlSet\\Control\\Terminal Server\\UserConfig\r\nSystem\\CurrentControlSet\\Control\\Terminal Server\\DefaultUserConfiguration\r\nSoftware\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\r\nSystem\\CurrentControlSet\\Services\\SysmonLog"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to:
+ System\CurrentControlSet\Control\Print\Printers
+ System\CurrentControlSet\Services\Eventlog
+ Software\Microsoft\OLAP Server
+ Software\Microsoft\Windows NT\CurrentVersion\Print
+ Software\Microsoft\Windows NT\CurrentVersion\Windows
+ System\CurrentControlSet\Control\ContentIndex
+ System\CurrentControlSet\Control\Terminal Server
+ System\CurrentControlSet\Control\Terminal Server\UserConfig
+ System\CurrentControlSet\Control\Terminal
+ Server\DefaultUserConfiguration
+ Software\Microsoft\Windows NT\CurrentVersion\Perflib
+ System\CurrentControlSet\Services\SysmonLog
+
+ Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Remotely accessible registry paths and sub-paths When a server holds the Active Directory Certificate Services Role with Certification Authority Role Service, the above list should also include: System\CurrentControlSet\Services\CertSvc. 
+ When a server has the WINS Server Feature installed, the above list should also include: System\CurrentControlSet\Services\WINS
+ scored: true
+ - id: 2.3.10.9
+ description: "Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: (Get-ItemProperty -PATH 'HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters').RestrictNullSessAccess
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "1"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to Enabled:
+ Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Restrict anonymous access to Named Pipes and Shares
+ scored: true
+ - id: 2.3.10.10
+ description: "Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: (Get-ItemProperty -PATH 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa').restrictremotesam
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "O:BAG:BAD:(A;;RC;;;BA)"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to Administrators: Remote Access: Allow:
+ Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Restrict clients allowed to make remote calls to SAM
+ scored: true
+ - id: 2.3.10.11
+ description: "Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: (Get-ItemProperty -PATH 'HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters').NullSessionShares
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: ""
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, 
set the following UI path to blank (i.e. None):
+ Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Shares that can be accessed anonymously
+ scored: true
+ - id: 2.3.10.12
+ description: "Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: (Get-ItemProperty -PATH 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa').ForceGuest
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "0"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to
+ Classic - local users authenticate as themselves:
+ Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Sharing and security model for local accounts
+ scored: true
+ - id: 2.3.11
+ description: "Network security"
+ type: "skip"
+ checks:
+ - id: 2.3.11.1
+ description: "Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: (Get-ItemProperty -PATH 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa').UseMachineId
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "1"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to Enabled:
+ Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Allow Local System to use computer identity for NTLM
+ scored: true
+ - id: 2.3.11.2
+ description: "Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: (Get-ItemProperty -PATH 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0').AllowNullSessionFallback
+ tests:
+ test_items:
+ - flag: ""
+ 
compare:
+ op: eq
+ value: "0"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to Disabled:
+ Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Allow LocalSystem NULL session fallback
+ scored: true
+ - id: 2.3.11.3
+ description: "Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: (Get-ItemProperty -PATH 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\pku2u').AllowOnlineID
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "0"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to Disabled:
+ Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network Security: Allow PKU2U authentication requests to this computer to use online identities
+ scored: true
+ - id: 2.3.11.4
+ description: "Ensure 'Network security: Configure encryption types allowed for Kerberos' is set to 'AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: (Get-ItemProperty -PATH 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters').SupportedEncryptionTypes
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "2147483640"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to
+ AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types:
+ Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Configure encryption type allowed for Kerberos
+ scored: true
+ - id: 2.3.11.5
+ description: "Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled' 
(Automated)" + audittype: powershell + audit: + cmd: + Server: (Get-ItemProperty -PATH 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa').NoLMHash + tests: + test_items: + - flag: "" + compare: + op: eq + value: "1" + set: true + remediation: > + To establish the recommended configuration via GP, set the following UI path to Enabled: + Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Do not store LAN Manager hash value on next password change + scored: true + - id: 2.3.11.6 + description: "Ensure 'Network security: Force logoff when logon hours expire' is set to 'Enabled' (Manual)" + audittype: powershell + audit: + cmd: + Server: SecEdit /export /cfg seccfg /areas SecurityPolicy /quiet ; (Get-Content seccfg | Select-String -Pattern "ForceLogoffWhenHourExpire") -replace '^.*= |[*]' ; Remove-Item seccfg + type: manual + remediation: > + To establish the recommended configuration via GP, set the following UI path to Enabled. + Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Force logoff when logon hours expire + scored: true + - id: 2.3.11.7 + description: "Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only. Refuse LM and NTLM' (Automated)" + audittype: powershell + audit: + cmd: + Server: (Get-ItemProperty -PATH 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa').LmCompatibilityLevel + tests: + test_items: + - flag: "" + compare: + op: eq + value: "5" + set: true + remediation: > + To establish the recommended configuration via GP, set the following UI path to: Send + NTLMv2 response only. 
Refuse LM and NTLM: + Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network security: LAN Manager authentication level + scored: true + - id: 2.3.11.8 + description: "Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signing' or higher (Automated)" + audittype: powershell + audit: + cmd: + Server: (Get-ItemProperty -PATH 'HKLM:\SYSTEM\CurrentControlSet\Services\LDAP').LDAPClientIntegrity + tests: + test_items: + - flag: "" + compare: + op: eq + value: "1" + set: true + remediation: > + To establish the recommended configuration via GP, set the following UI path to + Negotiate signing (configuring to Require signing also conforms to the benchmark): + Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network security: LDAP client signing requirements + scored: true + - id: 2.3.11.9 + description: "Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to 'Require NTLMv2 session security, Require 128-bit encryption' (Automated)" + audittype: powershell + audit: + cmd: + Server: (Get-ItemProperty -PATH 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0').NTLMMinClientSec + tests: + test_items: + - flag: "" + compare: + op: eq + value: "537395200" + set: true + remediation: > + To establish the recommended configuration via GP, set the following UI path to + Require NTLMv2 session security, Require 128-bit encryption: + Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Minimum session security for NTLM SSP based (including secure RPC) clients + scored: true + - id: 2.3.11.10 + description: "Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to 'Require NTLMv2 session security, Require 128-bit encryption' (Automated)" + audittype: powershell + audit: + cmd: + 
Server: (Get-ItemProperty -PATH 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0').NTLMMinServerSec + tests: + test_items: + - flag: "" + compare: + op: eq + value: "537395200" + set: true + remediation: > + To establish the recommended configuration via GP, set the following UI path to + Require NTLMv2 session security, Require 128-bit encryption: + Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Minimum session security for NTLM SSP based (including secure RPC) servers + scored: true + - id: 2.3.11.11 + description: "Ensure 'Network security: Restrict NTLM: Audit Incoming NTLM Traffic' is set to 'Enable auditing for all accounts' (Automated)" + audittype: powershell + audit: + cmd: + Server: (Get-ItemProperty -PATH 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0').AuditReceivingNTLMTraffic + tests: + test_items: + - flag: "" + compare: + op: eq + value: "2" + set: true + remediation: > + To establish the recommended configuration via GP, set the following UI path to Enable + auditing for all accounts: + Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Restrict NTLM: Audit Incoming NTLM Traffic + scored: true + - id: 2.3.11.12 + description: "Ensure 'Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers' is set to 'Audit all' or higher (Automated)" + audittype: powershell + audit: + cmd: + Server: (Get-ItemProperty -PATH 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0').RestrictSendingNTLMTraffic + tests: + test_items: + - flag: "" + compare: + op: gt + value: "0" + set: true + remediation: > + To establish the recommended configuration via GP, set the following UI path to Audit + all or higher: + Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Restrict NTLM: Outgoing NTLM traffic to remote servers + scored: true + - id: 2.3.12 + description: "Recovery 
console" + type: "skip" + - id: 2.3.13 + description: "Shutdown" + type: "skip" + checks: + - id: 2.3.13.1 + description: "Ensure 'Shutdown: Allow system to be shut down without having to log on' is set to 'Disabled' (Automated)" + audittype: powershell + audit: + cmd: + Server: (Get-ItemProperty -PATH 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System').ShutdownWithoutLogon + tests: + test_items: + - flag: "" + compare: + op: eq + value: "0" + set: true + remediation: > + To establish the recommended configuration via GP, set the following UI path to Disabled: + Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Shutdown: Allow system to be shut down without having to log on + scored: true + - id: 2.3.14 + description: "System cryptography" + type: "skip" + - id: 2.3.15 + description: "System objects" + type: "skip" + checks: + - id: 2.3.15.1 + description: "Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled' (Automated)" + audittype: powershell + audit: + cmd: + Server: (Get-ItemProperty -PATH 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel').ObCaseInsensitive + tests: + test_items: + - flag: "" + compare: + op: eq + value: "1" + set: true + remediation: > + To establish the recommended configuration via GP, set the following UI path to Enabled: + Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\System objects: Require case insensitivity for non-Windows subsystems + scored: true + - id: 2.3.15.2 + description: "Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. 
Symbolic Links)' is set to 'Enabled' (Automated)" + audittype: powershell + audit: + cmd: + Server: (Get-ItemProperty -PATH 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager').ProtectionMode + tests: + test_items: + - flag: "" + compare: + op: eq + value: "1" + set: true + remediation: > + To establish the recommended configuration via GP, set the following UI path to Enabled: + Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links) + scored: true + - id: 2.3.16 + description: "System settings" + type: "skip" + - id: 2.3.17 + description: "User Account Control" + type: "skip" + checks: + - id: 2.3.17.1 + description: "Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled' (Automated)" + audittype: powershell + audit: + cmd: + Server: (Get-ItemProperty -PATH 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System)').FilterAdministratorToken + tests: + test_items: + - flag: "" + compare: + op: eq + value: "1" + set: true + remediation: > + To establish the recommended configuration via GP, set the following UI path t Enabled: + Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Admin Approval Mode for the Built-in Administrator account + scored: true + - id: 2.3.17.2 + description: "Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure desktop' or higher (Automated)" + audittype: powershell + audit: + cmd: + Server: (Get-ItemProperty -PATH 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System').ConsentPromptBehaviorAdmin + tests: + bin_op: or + test_items: + - flag: "" + compare: + op: eq + value: "1" + set: true + - flag: "" + compare: + op: eq + value: "2" + set: true + remediation: > 
+ To establish the recommended configuration via GP, set the following UI path to Prompt + for consent on the secure desktop or Prompt for credentials on the secure desktop: + Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode + scored: true + - id: 2.3.17.3 + description: "Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Automatically deny elevation requests' (Automated)" + audittype: powershell + audit: + cmd: + Server: (Get-ItemProperty -PATH 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System').ConsentPromptBehaviorUser + tests: + test_items: + - flag: "" + compare: + op: eq + value: "0" + set: true + remediation: > + To establish the recommended configuration via GP, set the following UI path to + Automatically deny elevation requests: + Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Behavior of the elevation prompt for standard users + scored: true + - id: 2.3.17.4 + description: "Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled' (Automated)" + audittype: powershell + audit: + cmd: + Server: (Get-ItemProperty -PATH 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System').EnableInstallerDetection + tests: + test_items: + - flag: "" + compare: + op: eq + value: "1" + set: true + remediation: > + To establish the recommended configuration via GP, set the following UI path to Enabled: + Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Detect application installations and prompt for elevation + scored: true + - id: 2.3.17.5 + description: "Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 
'Enabled' (Automated)" + audittype: powershell + audit: + cmd: + Server: (Get-ItemProperty -PATH 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System').EnableSecureUIAPaths + tests: + test_items: + - flag: "" + compare: + op: eq + value: "1" + set: true + remediation: > + To establish the recommended configuration via GP, set the following UI path to Enabled: + Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Only elevate UIAccess applications that are installed in secure locations + scored: true + - id: 2.3.17.6 + description: "Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled' (Automated)" + audittype: powershell + audit: + cmd: + Server: (Get-ItemProperty -PATH 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System').EnableLUA + tests: + test_items: + - flag: "" + compare: + op: eq + value: "1" + set: true + remediation: > + To establish the recommended configuration via GP, set the following UI path to Enabled: + Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Run all administrators in Admin Approval Mode + scored: true + - id: 2.3.17.7 + description: "Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled' (Automated)" + audittype: powershell + audit: + cmd: + Server: (Get-ItemProperty -PATH 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System').PromptOnSecureDesktop + tests: + test_items: + - flag: "" + compare: + op: eq + value: "1" + set: true + remediation: > + To establish the recommended configuration via GP, set the following UI path to Enabled: + Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Switch to the secure desktop when prompting for elevation + scored: true + - id: 2.3.17.8 + description: "Ensure 
'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled' (Automated)" + audittype: powershell + audit: + cmd: + Server: (Get-ItemProperty -PATH 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System').EnableVirtualization + tests: + test_items: + - flag: "" + compare: + op: eq + value: "1" + set: true + remediation: > + To establish the recommended configuration via GP, set the following UI path to Enabled: + Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Virtualize file and registry write failures to per-user locations + scored: true + - id: 3 + description: Event Log + - id: 4 + description: Restricted Groups + - id: 5 + description: System Services + checks: + - id: 5.1 + description: "Ensure 'Print Spooler (Spooler)' is set to 'Disabled' (Automated)" + audittype: powershell + audit: + cmd: + Server: (Get-ItemProperty -PATH 'HKLM:\SYSTEM\CurrentControlSet\Services\Spooler').Start + tests: + test_items: + - flag: "" + compare: + op: eq + value: "4" + set: true + remediation: > + To establish the recommended configuration via GP, set the following UI path to 'Disabled': + Computer Configuration\Policies\Windows Settings\Security Settings\System Services\Print Spooler + scored: true + - id: 6 + description: Registry + - id: 7 + description: File System + - id: 8 + description: "Wired Network (IEEE 802.3) Policies" + - id: 9 + description: "Windows Defender Firewall with Advanced Security (formerly Windows Firewall with Advanced Security)" + checks: + - id: 9.1 + description: "Domain Profile" + - id: 9.2 + description: Private Profile + checks: + - id: 9.2.1 + description: "Ensure 'Windows Firewall: Private: Firewall state' is set to 'On (recommended)' (Automated)" + audittype: powershell + audit: + cmd: + Server: (Get-ItemProperty -PATH 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile').EnableFirewall + tests: + 
test_items: + - flag: "" + compare: + op: eq + value: "1" + set: true + remediation: > + To establish the recommended configuration via GP, set the following UI path to 'On (recommended)': + Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Private Profile\Firewall state + scored: true + - id: 9.2.2 + description: "Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)' (Automated)" + audittype: powershell + audit: + cmd: + Server: (Get-ItemProperty -PATH 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile').DefaultInboundAction + tests: + test_items: + - flag: "" + compare: + op: eq + value: "1" + set: true + remediation: > + To establish the recommended configuration via GP, set the following UI path to Block (default): + Computer Configuration\Policies\Windows Settings\Security Settings\Windows Defender Firewall with Advanced Security\Windows Defender Firewall with Advanced Security\Windows Firewall Properties\Private Profile\Inbound connections + scored: true + - id: 9.2.3 + description: "Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No' (Automated)" + audittype: powershell + audit: + cmd: + Server: (Get-ItemProperty -PATH 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile').DisableNotifications + tests: + test_items: + - flag: "" + compare: + op: eq + value: "1" + set: true + remediation: > + To establish the recommended configuration via GP, set the following UI path to No: + Configuration\Policies\Windows Settings\Security Settings\Windows Defender Firewall with Advanced Security\Windows Defender Firewall with Advanced Security\Windows Firewall Properties\Private Profile\Settings Customize\Display a notification + scored: true + - id: 9.2.4 + description: "Ensure 'Windows Firewall: Private: Logging: Name' is set to 
'%SystemRoot%\\System32\\logfiles\\firewall\\privatefw.log' (Automated)" + audittype: powershell + audit: + cmd: + Server: (Get-ItemProperty -PATH 'HKLM:\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging').LogFilePath + tests: + test_items: + - flag: "" + compare: + op: eq + value: '%SystemRoot%\\System32\\logfiles\\firewall\\privatefw.log' + set: true + remediation: > + To establish the recommended configuration via GP, set the following UI path to %SystemRoot%\System32\logfiles\firewall\privatefw.log: + Computer Configuration\Policies\Windows Settings\Security Settings\Windows Defender Firewall with Advanced Security\Windows Defender Firewall with Advanced Security\Windows Firewall Properties\Private Profile\Logging Customize\Name + scored: true + - id: 9.2.5 + description: "Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16,384 KB or greater' (Automated)" + audittype: powershell + audit: + cmd: + Server: (Get-ItemProperty -PATH 'HKLM:\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging').LogFileSize + tests: + test_items: + - flag: "" + compare: + op: gte + value: 16384 + set: true + remediation: > + To establish the recommended configuration via GP, set the following UI path to 16,384 KB or greater: + Computer Configuration\Policies\Windows Settings\Security Settings\Windows Defender Firewall with Advanced Security\Windows Defender Firewall with Advanced Security\Windows Firewall Properties\Private Profile\Logging Customize\Size limit (KB) + scored: true + - id: 9.2.6 + description: "Ensure 'Windows Firewall: Private: Logging: Log dropped packets' is set to 'Yes' (Automated)" + audittype: powershell + audit: + cmd: + Server: (Get-ItemProperty -PATH 'HKLM:\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging').LogDroppedPackets + tests: + test_items: + - flag: "" + compare: + op: eq + value: 1 + set: true + remediation: > + To establish 
the recommended configuration via GP, set the following UI path to Yes: + Computer Configuration\Policies\Windows Settings\Security Settings\Windows Defender Firewall with Advanced Security\Windows Defender Firewall with Advanced Security\Windows Firewall Properties\Private Profile\Logging Customize\Log dropped packets + scored: true + - id: 9.2.7 + description: "Ensure 'Windows Firewall: Private: Logging: Log successful connections' is set to 'Yes' (Automated)" + audittype: powershell + audit: + cmd: + Server: (Get-ItemProperty -PATH 'HKLM:\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging').LogSuccessfulConnections + tests: + test_items: + - flag: "" + compare: + op: eq + value: 1 + set: true + remediation: > + To establish the recommended configuration via GP, set the following UI path to Yes: + Computer Configuration\Policies\Windows Settings\Security Settings\Windows Defender Firewall with Advanced Security\Windows Defender Firewall with Advanced Security\Windows Firewall Properties\Private Profile\Logging Customize\Log successful connections + scored: true + - id: 9.3 + description: Public Profile + checks: + - id: 9.3.1 + description: "Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)' (Automated)" + audittype: powershell + audit: + cmd: + Server: (Get-ItemProperty -PATH 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile').EnableFirewall + tests: + test_items: + - flag: "" + compare: + op: eq + value: "1" + set: true + remediation: > + To establish the recommended configuration via GP, set the following UI path to 'On (recommended)': + Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Public Profile\Firewall state + scored: true + - id: 9.3.2 + description: "Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)' (Automated)" + 
audittype: powershell + audit: + cmd: + Server: (Get-ItemProperty -PATH 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile').DefaultInboundAction + tests: + test_items: + - flag: "" + compare: + op: eq + value: "1" + set: true + remediation: > + To establish the recommended configuration via GP, set the following UI path to Block (default): + Computer Configuration\Policies\Windows Settings\Security Settings\Windows Defender Firewall with Advanced Security\Windows Defender Firewall with Advanced Security\Windows Firewall Properties\Public Profile\Inbound connections + scored: true + - id: 9.3.3 + description: "Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'No' (Automated)" + audittype: powershell + audit: + cmd: + Server: (Get-ItemProperty -PATH 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile').DisableNotifications + tests: + test_items: + - flag: "" + compare: + op: eq + value: "1" + set: true + remediation: > + To establish the recommended configuration via GP, set the following UI path to No: + Configuration\Policies\Windows Settings\Security Settings\Windows Defender Firewall with Advanced Security\Windows Defender Firewall with Advanced Security\Windows Firewall Properties\Public Profile\Settings Customize\Display a notification + scored: true + - id: 9.3.4 + description: | + Ensure 'Windows Firewall: Public: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\publicfw.log' (Automated) + audittype: powershell + audit: + cmd: + Server: (Get-ItemProperty -PATH 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging').LogFilePath + tests: + test_items: + - flag: "" + compare: + op: eq + value: "%SystemRoot%\\System32\\logfiles\\firewall\\publicfw.log" + set: true + remediation: > + To establish the recommended configuration via GP, set the following UI path to No: + Computer Configuration\Policies\Windows Settings\Security Settings\Windows Defender Firewall with Advanced 
Security\Windows Defender Firewall with Advanced Security\Windows Firewall Properties\Public Profile\Settings Customize\Apply local firewall rules + scored: true + - id: 9.3.5 + description: "Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16,384 KB or greater' (Automated)" + audittype: powershell + audit: + cmd: + Server: (Get-ItemProperty -PATH 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging').LogFileSize + tests: + test_items: + - flag: "" + compare: + op: gte + value: 16384 + set: true + remediation: > + To establish the recommended configuration via GP, set the following UI path to No: + Computer Configuration\Policies\Windows Settings\Security Settings\Windows Defender Firewall with Advanced Security\Windows Defender Firewall with Advanced Security\Windows Firewall Properties\Public Profile\Settings Customize\Apply local connection security rules + scored: true + - id: 9.3.6 + description: "Ensure 'Windows Firewall: Public: Logging: Log dropped packets' is set to 'Yes' (Automated)" + audittype: powershell + audit: + cmd: + Server: (Get-ItemProperty -PATH 'HKLM:\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging').LogDroppedPackets + tests: + test_items: + - flag: "" + compare: + op: eq + value: 1 + set: true + remediation: > + To establish the recommended configuration via GP, set the following UI path to Yes: + Computer Configuration\Policies\Windows Settings\Security Settings\Windows Defender Firewall with Advanced Security\Windows Defender Firewall with Advanced Security\Windows Firewall Properties\Public Profile\Logging Customize\Log dropped packets + scored: true + - id: 9.3.7 + description: "Ensure 'Windows Firewall: Public: Logging: Log successful connections' is set to 'Yes' (Automated)" + audittype: powershell + audit: + cmd: + Server: (Get-ItemProperty -PATH 
'HKLM:\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging').LogSuccessfulConnections + tests: + test_items: + - flag: "" + compare: + op: eq + value: 1 + set: true + remediation: > + To establish the recommended configuration via GP, set the following UI path to Yes: + Computer Configuration\Policies\Windows Settings\Security Settings\Windows Defender Firewall with Advanced Security\Windows Defender Firewall with Advanced Security\Windows Firewall Properties\Public Profile\Logging Customize\Log successful connections + scored: true + - id: 10 + description: "Network List Manager Policies" + - id: 11 + description: "Wireless Network (IEEE 802.11) Policies" + - id: 12 + description: "Public Key Policies" + - id: 13 + description: "Software Restriction Policies" + - id: 14 + description: "Network Access Protection NAP Client Configuration" + - id: 15 + description: "Application Control Policies" + - id: 16 + description: "IP Security Policies" + - id: 17 + description: "Advanced Audit Policy Configuration" + - id: 17.1 + description: Account Logon + checks: + - id: 17.1.1 + description: "Ensure 'Audit Credential Validation' is set to 'Success and Failure' (Automated)" + audittype: powershell + audit: + cmd: + Server: (auditpol.exe /get /subcategory:"{0cce923f-69ae-11d9-bed3-505054503030}" | Select-String -Pattern 'Credential Validation' ) -replace ".*Credential Validation\s+", "" + tests: + test_items: + - flag: "" + compare: + op: eq + value: "Success and Failure" + set: true + remediation: > + To establish the recommended configuration via GP, set the following UI path to 'Success' and 'Failure': + Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Account Logon\Audit Credential Validation + scored: true + - id: 17.2 + description: Account Management + checks: + - id: 17.2.1 + description: "Ensure 'Audit Application Group Management' is set to 'Success and Failure' 
(Automated)" + audittype: powershell + audit: + cmd: + Server: (auditpol.exe /get /subcategory:"{0cce9239-69ae-11d9-bed3-505054503030}" | Select-String -Pattern 'Application Group Management' ) -replace ".*Application Group Management\s+", "" + tests: + test_items: + - flag: "" + compare: + op: eq + value: "Success and Failure" + set: true + remediation: > + To establish the recommended configuration via GP, set the following UI path to 'Success' and 'Failure': + Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Account Management\Audit Application Group Management + scored: true + - id: 17.2.2 + description: "Ensure 'Audit Security Group Management' is set to include 'Success' (Automated)" + audittype: powershell + audit: + cmd: + Server: (auditpol.exe /get /subcategory:"{0cce9237-69ae-11d9-bed3-505054503030}" | Select-String -Pattern 'Security Group Management' ) -replace ".*Security Group Management\s+", "" + tests: + test_items: + - flag: "" + compare: + op: has + value: "Success" + set: true + remediation: > + To establish the recommended configuration via GP, set the following UI path to include 'Success': + Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Account Management\Audit Security Group Management + scored: true + - id: 17.2.3 + description: "Ensure 'Audit User Account Management' is set to 'Success and Failure' (Automated)" + audittype: powershell + audit: + cmd: + Server: (auditpol.exe /get /subcategory:"{0cce9235-69ae-11d9-bed3-505054503030}" | Select-String -Pattern 'User Account Management' ) -replace ".*User Account Management\s+", "" + tests: + test_items: + - flag: "" + compare: + op: eq + value: "Success and Failure" + set: true + remediation: > + To establish the recommended configuration via GP, set the following UI path to 'Success' and 'Failure': + Computer Configuration\Policies\Windows 
Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Account Management\Audit User Account Management
+ scored: true
+ - id: 17.3
+ description: Detailed Tracking
+ checks:
+ - id: 17.3.1
+ description: "Ensure 'Audit PNP Activity' is set to include 'Success' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: (auditpol.exe /get /subcategory:"{0cce9248-69ae-11d9-bed3-505054503030}" | Select-String -Pattern 'Plug and Play Events' ) -replace ".*Plug and Play Events\s+", ""
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: has
+ value: "Success"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to include 'Success':
+ Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Detailed Tracking\Audit PNP Activity
+ scored: true
+ - id: 17.3.2
+ description: "Ensure 'Audit Process Creation' is set to include 'Success' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: (auditpol.exe /get /subcategory:"{0cce922b-69ae-11d9-bed3-505054503030}" | Select-String -Pattern 'Process Creation' ) -replace ".*Process Creation\s+", ""
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: has
+ value: "Success"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to include 'Success':
+ Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Detailed Tracking\Audit Process Creation
+ scored: true
+ - id: 17.4
+ description: DS Access
+ - id: 17.5
+ description: Logon/Logoff
+ checks:
+ - id: 17.5.1
+ description: "Ensure 'Audit Account Lockout' is set to include 'Failure' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: (auditpol.exe /get /subcategory:"{0cce9217-69ae-11d9-bed3-505054503030}" | Select-String -Pattern 'Account Lockout' ) -replace ".*Account Lockout\s+", ""
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: has
+ value: "Failure"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to include 'Failure':
+ Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Logon/Logoff\Audit Account Lockout
+ scored: true
+ - id: 17.5.2
+ description: "Ensure 'Audit Group Membership' is set to include 'Success' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: (auditpol.exe /get /subcategory:"{0cce9249-69ae-11d9-bed3-505054503030}" | Select-String -Pattern 'Group Membership' ) -replace ".*Group Membership\s+", ""
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: has
+ value: "Success"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to include 'Success':
+ Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Logon/Logoff\Audit Group Membership
+ scored: true
+ - id: 17.5.3
+ description: "Ensure 'Audit Logoff' is set to include 'Success' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: (auditpol.exe /get /subcategory:"{0cce9216-69ae-11d9-bed3-505054503030}" | Select-String -Pattern ' Logoff' ) -replace ".*Logoff\s+", ""
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: has
+ value: "Success"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to include 'Success':
+ Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Logon/Logoff\Audit Logoff
+ scored: true
+ - id: 17.5.4
+ description: "Ensure 'Audit Logon' is set to 'Success and Failure' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: (auditpol.exe /get /subcategory:"{0cce9215-69ae-11d9-bed3-505054503030}" | Select-String -Pattern 'Logon ' ) -replace ".*Logon\s+", ""
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "Success and Failure"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to 'Success' and 'Failure':
+ Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Logon/Logoff\Audit Logon
+ scored: true
+ - id: 17.5.5
+ description: "Ensure 'Audit Other Logon/Logoff Events' is set to 'Success and Failure' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: (auditpol.exe /get /subcategory:"{0cce921c-69ae-11d9-bed3-505054503030}" | Select-String -Pattern 'Other Logon/Logoff Events' ) -replace ".*Other Logon/Logoff Events\s+", ""
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "Success and Failure"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to 'Success' and 'Failure':
+ Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Logon/Logoff\Audit Other Logon/Logoff Events
+ scored: true
+ - id: 17.5.6
+ description: "Ensure 'Audit Special Logon' is set to include 'Success' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: (auditpol.exe /get /subcategory:"{0cce921b-69ae-11d9-bed3-505054503030}" | Select-String -Pattern 'Special Logon' ) -replace ".*Special Logon\s+", ""
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: has
+ value: "Success"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to include 'Success':
+ Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Logon/Logoff\Audit Special Logon
+ scored: true
+ - id: 17.6
+ description: Object Access
+ checks:
+ - id: 17.6.1
+ description: "Ensure 'Audit Detailed File Share' is set to include 'Failure' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: (auditpol.exe /get /subcategory:"{0cce9244-69ae-11d9-bed3-505054503030}" | Select-String -Pattern 'Detailed File Share' ) -replace ".*Detailed File Share\s+", ""
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "Failure"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to include 'Failure':
+ Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Object Access\Audit Detailed File Share
+ scored: true
+ - id: 17.6.2
+ description: "Ensure 'Audit File Share' is set to 'Success and Failure' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: (auditpol.exe /get /subcategory:"{0cce9224-69ae-11d9-bed3-505054503030}" | Select-String -Pattern 'File Share' ) -replace ".*File Share\s+", ""
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "Success and Failure"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to 'Success' and 'Failure':
+ Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Object Access\Audit File Share
+ scored: true
+ - id: 17.6.3
+ description: "Ensure 'Audit Other Object Access Events' is set to 'Success and Failure' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: (auditpol.exe /get /subcategory:"{0cce9227-69ae-11d9-bed3-505054503030}" | Select-String -Pattern 'Other Object Access Events' ) -replace ".*Other Object Access Events\s+", ""
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "Success and Failure"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to 'Success' and 'Failure':
+ Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Object Access\Audit Other Object Access Events
+ scored: true
+ - id: 17.6.4
+ description: "Ensure 'Audit Removable Storage' is set to 'Success and Failure' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: (auditpol.exe /get /subcategory:"{0cce9245-69ae-11d9-bed3-505054503030}" | Select-String -Pattern 'Removable Storage' ) -replace ".*Removable Storage\s+", ""
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "Success and Failure"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to 'Success' and 'Failure':
+ Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Object Access\Audit Removable Storage
+ scored: true
+ - id: 17.7
+ description: Policy Change
+ checks:
+ - id: 17.7.1
+ description: "Ensure 'Audit Audit Policy Change' is set to include 'Success' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: (auditpol.exe /get /subcategory:"{0cce922f-69ae-11d9-bed3-505054503030}" | Select-String -Pattern 'Audit Policy Change' ) -replace ".*Audit Policy Change\s+", ""
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: has
+ value: "Success"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to include 'Success':
+ Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Policy Change\Audit Audit Policy Change
+ scored: true
+ - id: 17.7.2
+ description: "Ensure 'Audit Authentication Policy Change' is set to include 'Success' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: (auditpol.exe /get /subcategory:"{0cce9230-69ae-11d9-bed3-505054503030}" | Select-String -Pattern 'Authentication Policy Change' ) -replace ".*Authentication Policy Change\s+", ""
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: has
+ value: "Success"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to include 'Success':
+ Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Policy Change\Audit Authentication Policy Change
+ scored: true
+ - id: 17.7.3
+ description: "Ensure 'Audit Authorization Policy Change' is set to include 'Success' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: (auditpol.exe /get /subcategory:"{0cce9231-69ae-11d9-bed3-505054503030}" | Select-String -Pattern 'Authorization Policy Change' ) -replace ".*Authorization Policy Change\s+", ""
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: has
+ value: "Success"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to include 'Success':
+ Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Policy Change\Audit Authorization Policy Change
+ scored: true
+ - id: 17.7.4
+ description: "Ensure 'Audit MPSSVC Rule-Level Policy Change' is set to 'Success and Failure' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: (auditpol.exe /get /subcategory:"{0cce9232-69ae-11d9-bed3-505054503030}" | Select-String -Pattern 'MPSSVC Rule-Level Policy Change' ) -replace ".*MPSSVC Rule-Level Policy Change\s+", ""
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "Success and Failure"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to 'Success' and 'Failure':
+ Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Policy Change\Audit MPSSVC Rule-Level Policy Change
+ scored: true
+ - id: 17.7.5
+ description: "Ensure 'Audit Other Policy Change Events' is set to include 'Failure' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: (auditpol.exe /get /subcategory:"{0cce9234-69ae-11d9-bed3-505054503030}" | Select-String -Pattern 'Other Policy Change Events' ) -replace ".*Other Policy Change Events\s+", ""
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: has
+ value: "Failure"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to include 'Failure':
+ Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Policy Change\Audit Other Policy Change Events
+ scored: true
+ - id: 17.8
+ description: Privilege Use
+ checks:
+ - id: 17.8.1
+ description: "Ensure 'Audit Sensitive Privilege Use' is set to 'Success and Failure' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: (auditpol.exe /get /subcategory:"{0cce9228-69ae-11d9-bed3-505054503030}" | Select-String -Pattern 'Sensitive Privilege Use' ) -replace ".*Sensitive Privilege Use\s+", ""
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "Success and Failure"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to 'Success' and 'Failure':
+ Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Privilege Use\Audit Sensitive Privilege Use
+ scored: true
+ - id: 17.9
+ description: System
+ checks:
+ - id: 17.9.1
+ description: "Ensure 'Audit IPsec Driver' is set to 'Success and Failure' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: (auditpol.exe /get /subcategory:"{0cce9213-69ae-11d9-bed3-505054503030}" | Select-String -Pattern 'IPsec Driver' ) -replace ".*IPsec Driver\s+", ""
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "Success and Failure"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to 'Success' and 'Failure':
+ Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\System\Audit IPsec Driver
+ scored: true
+ - id: 17.9.2
+ description: "Ensure 'Audit Other System Events' is set to 'Success and Failure' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: (auditpol.exe /get /subcategory:"{0cce9214-69ae-11d9-bed3-505054503030}" | Select-String -Pattern 'Other System Events' ) -replace ".*Other System Events\s+", ""
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "Success and Failure"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to 'Success' and 'Failure':
+ Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\System\Audit Other System Events
+ scored: true
+ - id: 17.9.3
+ description: "Ensure 'Audit Security State Change' is set to include 'Success' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: (auditpol.exe /get /subcategory:"{0cce9210-69ae-11d9-bed3-505054503030}" | Select-String -Pattern 'Security State Change' ) -replace ".*Security State Change\s+", ""
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: has
+ value: "Success"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to include 'Success':
+ Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\System\Audit Security State Change
+ scored: true
+ - id: 17.9.4
+ description: "Ensure 'Audit Security System Extension' is set to include 'Success' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: (auditpol.exe /get /subcategory:"{0cce9211-69ae-11d9-bed3-505054503030}" | Select-String -Pattern 'Security System Extension' ) -replace ".*Security System Extension\s+", ""
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: has
+ value: "Success"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to include 'Success':
+ Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\System\Audit Security System Extension
+ scored: true
+ - id: 17.9.5
+ description: "Ensure 'Audit System Integrity' is set to 'Success and Failure' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: (auditpol.exe /get /subcategory:"{0cce9212-69ae-11d9-bed3-505054503030}" | Select-String -Pattern 'System Integrity' ) -replace ".*System Integrity\s+", ""
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "Success and Failure"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to 'Success' and 'Failure':
+ Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\System\Audit System Integrity
+ scored: true
+ - id: 18
+ description: "Administrative Templates"
+ - id: 18.1
+ description: Control Panel
+ checks:
+ - id: 18.1.1
+ description: Personalization
+ type: "skip"
+ checks:
+ - id: 18.1.1.1
+ description: "Ensure 'Prevent enabling lock screen camera' is set to 'Enabled' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: (Get-ItemProperty -PATH 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Personalization').NoLockScreenCamera
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "1"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to 'Enabled':
+ Computer Configuration\Policies\Administrative Templates\Control Panel\Personalization\Prevent enabling lock screen camera
+ scored: true
+ - id: 18.1.1.2
+ description: "Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: (Get-ItemProperty -PATH 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Personalization').NoLockScreenSlideshow
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "1"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to 'Enabled':
+ Computer Configuration\Policies\Administrative Templates\Control Panel\Personalization\Prevent enabling lock screen slide show
+ scored: true
+ - id: 18.1.2
+ description: Regional and Language Options
+ type: "skip"
+ checks:
+ - id: 18.1.2.1
+ description: Handwriting personalization
+ type: "skip"
+ - id: 18.1.2.2
+ description: "Ensure 'Allow users to enable online speech recognition services' is set to 'Disabled' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: (Get-ItemProperty -PATH 'HKLM:\SOFTWARE\Policies\Microsoft\InputPersonalization').AllowInputPersonalization
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "0"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to 'Disabled':
+ Computer Configuration\Policies\Administrative Templates\Control Panel\Regional and Language Options\Allow users to enable online speech recognition services
+ scored: true
+ - id: 18.1.3
+ description: "Ensure 'Allow Online Tips' is set to 'Disabled' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: (Get-ItemProperty -PATH 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer').AllowOnlineTips
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "0"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to 'Disabled':
+ Computer Configuration\Policies\Administrative Templates\Control Panel\Allow Online Tips
+ scored: true
+ - id: 18.2
+ description: Desktop
+ - id: 18.3
+ description: LAPS (legacy)
+ - id: 18.4
+ description: MS Security Guide
+ checks:
+ - id: 18.4.1
+ description: "Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver (recommended)' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: (Get-ItemProperty -PATH 'HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10').Start
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "4"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to Enabled: Disable driver (recommended):
+ Computer Configuration\Policies\Administrative Templates\MS Security Guide\Configure SMB v1 client driver
+ scored: true
+ - id: 18.4.2
+ description: "Ensure 'Configure SMB v1 server' is set to 'Disabled' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: (Get-ItemProperty -PATH 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters').SMB1
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "0"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to Disabled:
+ Computer Configuration\Policies\Administrative Templates\MS Security Guide\Configure SMB v1 server
+ scored: true
+ - id: 18.4.3
+ description: "Ensure 'Enable Certificate Padding' is set to 'Enabled' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: (Get-ItemProperty -PATH 'HKLM:\HKLM\SOFTWARE\Microsoft\Cryptography\Wintrust\Config').EnableCertPaddingCheck
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "1"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to Enabled:
+ Computer Configuration\Policies\Administrative Templates\MS Security Guide\Enable Certificate Padding
+ scored: true
+ - id: 18.4.4
+ description: "Ensure 'Enable Structured Exception Handling Overwrite Protection (SEHOP)' is set to 'Enabled' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: (Get-ItemProperty -PATH 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel').DisableExceptionChainValidation
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "0"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to 'Enabled':
+ Computer Configuration\Policies\Administrative Templates\MS Security Guide\Enable Structured Exception Handling Overwrite Protection (SEHOP)
+ scored: true
+ - id: 18.4.5
+ description: "Ensure 'NetBT NodeType configuration' is set to 'Enabled: P-node (recommended)' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: (Get-ItemProperty -PATH 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters').NodeType
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "2"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to 'Enabled: P-node (recommended)':
+ Computer Configuration\Policies\Administrative Templates\MS Security Guide\NetBT NodeType configuration
+ scored: true
+ - id: 18.4.6
+ description: "Ensure 'WDigest Authentication' is set to 'Disabled' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: (Get-ItemProperty -PATH 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest').UseLogonCredential
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "0"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to 'Disabled':
+ Computer Configuration\Policies\Administrative Templates\MS Security Guide\WDigest Authentication (disabling may require KB2871997)
+ scored: true
+ - id: 18.5
+ description: Microsoft Solutions for Security (MSS) (Legacy)
+ checks:
+ - id: 18.5.1
+ description: "Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: (Get-ItemProperty -PATH 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon').AutoAdminLogon
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "0"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to 'Disabled':
+ Computer Configuration\Policies\Administrative Templates\MSS (Legacy)\MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)
+ scored: true
+ - id: 18.5.2
+ description: "Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level' is set to 'Enabled: Highest protection, source routing is completely disabled' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: (Get-ItemProperty -PATH 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters').DisableIPSourceRouting
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "2"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to 'Enabled: Highest protection, source routing is completely disabled':
+ Computer Configuration\Policies\Administrative Templates\MSS (Legacy)\MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)
+ scored: true
+ - id: 18.5.3
+ description: "Ensure 'MSS: (DisableIPSourceRouting) IP source routing protection level' is set to 'Enabled: Highest protection, source routing is completely disabled' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: (Get-ItemProperty -PATH 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters').DisableIPSourceRouting
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "2"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to 'Enabled: Highest protection, source routing is completely disabled':
+ Computer Configuration\Policies\Administrative Templates\MSS (Legacy)\MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)
+ scored: true
+ - id: 18.5.4
+ description: "Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: (Get-ItemProperty -PATH 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters').EnableICMPRedirect
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "0"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to 'Disabled':
+ Computer Configuration\Policies\Administrative Templates\MSS (Legacy)\MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes
+ scored: true
+ - id: 18.5.5
+ description: "Ensure 'MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds' is set to 'Enabled: 300,000 or 5 minutes (recommended)' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: (Get-ItemProperty -PATH 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters').KeepAliveTime
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "300000"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to 'Enabled: 300,000 or 5 minutes (recommended)':
+ Computer Configuration\Policies\Administrative Templates\MSS (Legacy)\MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds
+ scored: true
+ - id: 18.5.6
+ description: "Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: (Get-ItemProperty -PATH 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters').NoNameReleaseOnDemand
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "1"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to 'Enabled':
+ Computer Configuration\Policies\Administrative Templates\MSS (Legacy)\MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers
+ scored: true
+ - id: 18.5.7
+ description: "Ensure 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)' is set to 'Disabled' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: (Get-ItemProperty -PATH 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters').PerformRouterDiscovery
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "0"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to 'Disabled':
+ Computer Configuration\Policies\Administrative Templates\MSS (Legacy)\MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)
+ scored: true
+ - id: 18.5.8
+ description: "Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' is set to 'Enabled' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: (Get-ItemProperty -PATH 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager').SafeDllSearchMode
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "1"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to 'Enabled':
+ Computer Configuration\Policies\Administrative Templates\MSS (Legacy)\MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)
+ scored: true
+ - id: 18.5.9
+ description: "Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' is set to 'Enabled: 5 or fewer seconds' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: (Get-ItemProperty -PATH 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon').ScreenSaverGracePeriod
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: lte
+ value: "5"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to 'Enabled: 5 or fewer seconds':
+ Computer Configuration\Policies\Administrative Templates\MSS (Legacy)\MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)
+ scored: true
+ - id: 18.5.10
+ description: "Ensure 'MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: (Get-ItemProperty -PATH 'HKLM:\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters').TcpMaxDataRetransmissions
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "3"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to 'Enabled: 3':
+ Computer Configuration\Policies\Administrative Templates\MSS (Legacy)\MSS:(TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted
+ scored: true
+ - id: 18.5.11
+ description: "Ensure 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: (Get-ItemProperty -PATH 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters').TcpMaxDataRetransmissions
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "3"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to 'Enabled: 3':
+ Computer Configuration\Policies\Administrative Templates\MSS (Legacy)\MSS:(TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted
+ scored: true
+ - id: 18.5.12
+ description: "Ensure 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' is set to 'Enabled: 90% or less' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: (Get-ItemProperty -PATH 'HKLM:\SYSTEM\CurrentControlSet\Services\Eventlog\Security').WarningLevel
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: lte
+ value: "90"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to 'Enabled: 90% or less':
+ Computer Configuration\Policies\Administrative Templates\MSS (Legacy)\MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning
+ scored: true
+ - id: 18.6
+ description: Network
+ checks:
+ - id: 18.6.1
+ description: "Background Intelligent Transfer Service (BITS)"
+ type: "skip"
+ - id: 18.6.2
+ description: "BranchCache"
+ type: "skip"
+ - id: 18.6.3
+ description: "DirectAccess Client Experience Settings"
+ type: "skip"
+ - id: 18.6.4
+ description: "DNS Client"
+ type: "skip"
+ checks:
+ - id: 18.6.4.1
+ description: "Ensure 'Configure multicast DNS (mDNS) protocol' is set to 'Disabled' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: (Get-ItemProperty -PATH 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient').EnableMDNS
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "0"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to Disabled:
+ Computer Configuration\Policies\Administrative Templates\Network\DNS Client\Configure multicast DNS (mDNS) protocol
+ scored: true
+ - id: 18.6.4.2
+ description: "Ensure 'Turn off default IPv6 DNS Servers' is set to 'Enabled' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: (Get-ItemProperty -PATH 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient').DisableIPv6DefaultDnsServers
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "1"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to Enabled:
+ Computer Configuration\Policies\Administrative Templates\Network\DNS Client\Turn off default IPv6 DNS Servers
+ scored: true
+ - id: 18.6.5
+ description: "Fonts"
+ type: "skip"
+ checks:
+ - id: 18.6.5.1
+ description: "Ensure 'Enable Font Providers' is set to 'Disabled' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: (Get-ItemProperty -PATH 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System').EnableFontProviders
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "0"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to 'Disabled':
+ Computer Configuration\Policies\Administrative Templates\Network\Fonts\Enable Font Providers
+ scored: true
+ - id: 18.6.6
+ description: "Hotspot Authentication"
+ type: "skip"
+ - id: 18.6.7
+ description: "Lanman Server"
+ type: "skip"
+ - id: 18.6.6
+ description: "Lanman Workstation"
+ type: "skip"
+ checks:
+ - id: 18.6.8.1
+ description: "Ensure 'Enable insecure guest logons' is set to 'Disabled' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: (Get-ItemProperty -PATH 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation').AllowInsecureGuestAuth
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "0"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to 'Disabled':
+ Computer Configuration\Policies\Administrative Templates\Network\Lanman Workstation\Enable insecure guest logons
+ scored: true
+ - id: 18.6.8.2
+ description: "Ensure 'Require Encryption' is set to 'Enabled' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: (Get-ItemProperty -PATH 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation').RequireEncryption
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "1"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to 'Disabled':
+ Computer Configuration\Policies\Administrative Templates\Network\Lanman Workstation\Require Encryption
+ scored: true
+ - id: 18.6.9
+ description: "Link-Layer Topology Discovery"
+ type: "skip"
+ checks:
+ - id: 18.6.9.1
+ description: Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled' (Automated)
+ audittype: powershell
+ audit:
+ cmd:
+ Server: >
+ (Get-ItemProperty -PATH 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\LLTD').AllowLLTDIOOnDomain;(Get-ItemProperty -PATH 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\LLTD').AllowLLTDIOOnPublicNet;(Get-ItemProperty -PATH 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\LLTD').EnableLLTDIO;(Get-ItemProperty -PATH 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\LLTD').ProhibitLLTDIOOnPrivateNet
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "0\r\n0\r\n0\r\n0"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to Disabled:
+ Computer Configuration\Policies\Administrative Templates\Network\Link-Layer Topology Discovery\Turn on Mapper I/O (LLTDIO) driver
+ scored: true
+ - id: 18.6.9.2
+ description: "Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: >
+ (Get-ItemProperty -PATH 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\LLTD').AllowRspndrOnDomain;(Get-ItemProperty -PATH 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\LLTD').AllowRspndrOnPublicNet;(Get-ItemProperty -PATH 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\LLTD').EnableRspndr;(Get-ItemProperty -PATH 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\LLTD').ProhibitRspndrOnPrivateNet
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "0\r\n0\r\n0\r\n0"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to 'Disabled':
+ Computer Configuration\Policies\Administrative Templates\Network\Link-Layer Topology Discovery\Turn on Responder (RSPNDR) driver
+ scored: true
+ - id: 18.6.10
+ description: "Microsoft Peer-to-Peer Networking Services"
+ type: "skip"
+ checks:
+ - id: 18.6.10.1
+ description: "Peer Name Resolution Protocol"
+ type: "skip"
+ - id: 18.6.10.2
+ description: "Ensure 'Turn off Microsoft Peer-to-Peer Networking Services' is set to 'Enabled' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: (Get-ItemProperty -PATH 'HKLM:\SOFTWARE\Policies\Microsoft\Peernet').Disabled
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "1"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to 'Enabled':
+ Computer Configuration\Policies\Administrative Templates\Network\Microsoft Peer-to-Peer Networking Services\Turn off Microsoft Peer-to-Peer Networking Services
+ scored: true
+ - id: 18.6.11
+ description: "Network Connections"
+ type: "skip"
+ checks:
+ - id: 18.6.11.1
+ description: "Windows Defender Firewall (formerly Windows Firewall)"
+ type: "skip"
+ - id: 18.6.11.2
+ description: "Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: (Get-ItemProperty -PATH 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Network Connections').NC_AllowNetBridge_NLA
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "0"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to 'Enabled':
+ Computer Configuration\Policies\Administrative Templates\Network\Network Connections\Prohibit installation and configuration of Network Bridge on your DNS domain network
+ scored: true
+ - id: 18.6.11.3
+ description: "Ensure 'Prohibit use of Internet Connection Sharing on your DNS domain network' is set to 'Enabled' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: (Get-ItemProperty -PATH 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Network Connections').NC_ShowSharedAccessUI
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "0"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to 'Enabled':
+ Computer Configuration\Policies\Administrative Templates\Network\Network Connections\Prohibit use of Internet Connection Sharing on your DNS domain network
+ scored: true
+ - id: 18.6.12
+ description: "Network Connectivity Status Indicator"
+ type: "skip"
+ - id: 18.6.13
+ description: "Network Isolation"
+ type: "skip"
+ - id: 18.6.14
+ description: "Network Provider"
+ type: "skip"
+ checks:
+
- id: 18.6.14.1 + description: "Ensure 'Hardened UNC Paths' is set to 'Enabled, with 'Require Mutual Authentication', 'Require Integrity', and 'Require Privacy' set for all NETLOGON and SYSVOL shares' (Automated)" + audittype: powershell + audit: + cmd: + Server: Get-ItemPropertyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths' '\\*\NETLOGON';Get-ItemPropertyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths' '\\*\SYSVOL' + tests: + test_items: + - flag: "" + compare: + op: eq + value: "RequireMutualAuthentication=1, RequireIntegrity=1, RequirePrivacy=1\r\nRequireMutualAuthentication=1, RequireIntegrity=1, RequirePrivacy=1" + set: true + remediation: > + To establish the recommended configuration via GP, set the following UI path to 'Enabled' with the following paths configured, at a minimum: + '\\*\NETLOGON RequireMutualAuthentication=1, RequireIntegrity=1' + '\\*\SYSVOL RequireMutualAuthentication=1, RequireIntegrity=1' + Computer Configuration\Policies\Administrative Templates\Network\Network Provider\Hardened UNC Paths + scored: true + - id: 18.6.15 + description: "Offline Files" + type: "skip" + - id: 18.6.16 + description: "QoS Packet Scheduler" + type: "skip" + - id: 18.6.17 + description: "SNMP" + type: "skip" + - id: 18.6.18 + description: "SSL Configuration Settings" + type: "skip" + - id: 18.6.19 + description: "TCPIP Settings" + type: "skip" + checks: + - id: 18.6.19.1 + description: "IPv6 Transition Technologies" + type: "skip" + - id: 18.6.19.2 + description: "Parameters" + type: "skip" + checks: + - id: 18.6.19.2.1 + description: "Disable IPv6 (Ensure TCPIP6 Parameter 'DisabledComponents' is set to '0xff (255)') (Automated)" + audittype: powershell + audit: + cmd: + Server: (Get-ItemProperty -PATH 'HKLM:\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters').DisabledComponents + tests: + test_items: + - flag: "" + compare: + op: eq + value: "255" + set: true + remediation: > + To establish the 
recommended configuration, set the following Registry value to '0xff (255) (DWORD)': + HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters:DisabledComponents + scored: true + - id: 18.6.20 + description: "Windows Connect Now" + type: "skip" + checks: + - id: 18.6.20.1 + description: "Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled' (Automated)" + audittype: powershell + audit: + cmd: + Server: Get-ItemPropertyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars' EnableRegistrars; Get-ItemPropertyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars' DisableUPnPRegistrar; Get-ItemPropertyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars' DisableInBand802DOT11Registrar; Get-ItemPropertyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars' DisableFlashConfigRegistrar; Get-ItemPropertyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars' DisableWPDRegistrar + tests: + test_items: + - flag: "" + compare: + op: eq + value: "0\r\n0\r\n0\r\n0\r\n0" + set: true + remediation: > + To establish the recommended configuration via GP, set the following UI path to 'Disabled': + Computer Configuration\Policies\Administrative Templates\Network\Windows Connect Now\Configuration of wireless settings using Windows Connect Now + scored: true + - id: 18.6.20.2 + description: "Ensure 'Prohibit access of the Windows Connect Now wizards' is set to 'Enabled' (Automated)" + audittype: powershell + audit: + cmd: + Server: (Get-ItemProperty -PATH 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WCN\UI').DisableWcnUi + tests: + test_items: + - flag: "" + compare: + op: eq + value: "1" + set: true + remediation: > + To establish the recommended configuration via GP, set the following UI path to 'Enabled': + Computer Configuration\Policies\Administrative Templates\Network\Windows Connect Now\Prohibit access of the Windows Connect Now wizards + scored: true + - id: 18.6.21 + description: 
"Windows Connection Manager" + type: "skip" + checks: + - id: 18.6.21.1 + description: "Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to 'Enabled: 3 = Prevent Wi-Fi when on Ethernet' (Automated)" + audittype: powershell + audit: + cmd: + Server: (Get-ItemProperty -PATH 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy').fMinimizeConnections + tests: + test_items: + - flag: "" + compare: + op: eq + value: "3" + set: true + remediation: > + To establish the recommended configuration via GP, set the following UI path to 'Enabled: 3 = Prevent Wi-Fi when on Ethernet': + Computer Configuration\Policies\Administrative Templates\Network\Windows Connection Manager\Minimize the number of simultaneous connections to the Internet or a Windows Domain + scored: true + - id: 18.7 + description: Printers + checks: + - id: 18.7.1 + description: "Ensure 'Allow Print Spooler to accept client connections' is set to 'Disabled' (Automated)" + audittype: powershell + audit: + cmd: + Server: (Get-ItemProperty -PATH 'HKLM:\Software\Policies\Microsoft\Windows NT\Printers').RegisterSpoolerRemoteRpcEndPoint + tests: + test_items: + - flag: "" + compare: + op: eq + value: "2" + set: true + remediation: > + To establish the recommended configuration via GP, set the following UI path to 'Disabled': + Computer Configuration\Policies\Administrative Templates\Printers:Allow Print Spooler to accept client connections + scored: true + - id: 18.7.2 + description: "Ensure 'Configure Redirection Guard' is set to 'Enabled: Redirection Guard Enabled' (Automated)" + audittype: powershell + audit: + cmd: + Server: (Get-ItemProperty -PATH 'HKLM:\Software\Policies\Microsoft\Windows NT\Printers').RedirectionguardPolicy + tests: + test_items: + - flag: "" + compare: + op: eq + value: "1" + set: true + remediation: > + To establish the recommended configuration via GP, set the following UI path to 'Enabled: Redirection Guard Enabled': + Computer 
Configuration\Policies\Administrative Templates\Printers\Configure Redirection Guard + scored: true + - id: 18.7.3 + description: "Ensure 'Configure RPC connection settings: Protocol to use for outgoing RPC connections' is set to 'Enabled: RPC over TCP' (Automated)" + audittype: powershell + audit: + cmd: + Server: (Get-ItemProperty -PATH 'HKLM:\Software\Policies\Microsoft\Windows NT\Printers\RPC').RpcUseNamedPipeProtocol + tests: + test_items: + - flag: "" + compare: + op: eq + value: "0" + set: true + remediation: > + To establish the recommended configuration via GP, set the following UI path to 'Enabled: RPC over TCP': + Computer Configuration\Policies\Administrative Templates\Printers\Configure RPC connection settings: Protocol to use for outgoing RPC connections + scored: true + - id: 18.7.4 + description: "Ensure 'Configure RPC connection settings: Use authentication for outgoing RPC connections' is set to 'Enabled: Default' (Automated)" + audittype: powershell + audit: + cmd: + Server: (Get-ItemProperty -PATH 'HKLM:\Software\Policies\Microsoft\Windows NT\Printers\RPC').RpcAuthentication + tests: + test_items: + - flag: "" + compare: + op: eq + value: "0" + set: true + remediation: > + To establish the recommended configuration via GP, set the following UI path to 'Enabled: Default': + Computer Configuration\Policies\Administrative Templates\Printers\Configure RPC connection settings: Protocol to use for outgoing RPC connections + scored: true + - id: 18.7.5 + description: "Ensure 'Configure RPC listener settings: Protocols to allow for incoming RPC connections' is set to 'Enabled: RPC over TCP' (Automated)" + audittype: powershell + audit: + cmd: + Server: (Get-ItemProperty -PATH 'HKLM:\Software\Policies\Microsoft\Windows NT\Printers\RPC').RpcProtocols + tests: + test_items: + - flag: "" + compare: + op: eq + value: "5" + set: true + remediation: > + To establish the recommended configuration via GP, set the following UI path to 'Enabled: RCP over TCP': + 
Computer Configuration\Policies\Administrative Templates\Printers\Configure RPC listener settings: Configure protocol options for incoming RPC connections + scored: true + - id: 18.7.6 + description: "Ensure 'Configure RPC listener settings: Authentication protocol to use for incoming RPC connections:' is set to 'Enabled: Negotiate' or higher (Automated)" + audittype: powershell + audit: + cmd: + Server: (Get-ItemProperty -PATH 'HKLM:\Software\Policies\Microsoft\Windows NT\Printers\RPC').ForceKerberosForRpc + tests: + test_items: + - flag: "" + compare: + op: lte + value: "1" + set: true + remediation: > + To establish the recommended configuration via GP, set the following UI path to 'Enabled: Negotiate' or higher: + Computer Configuration\Policies\Administrative Templates\Printers\Configure RPC listener settings: Configure protocol options for incoming RPC connections + scored: true + - id: 18.7.7 + description: "Ensure 'Configure RPC over TCP port' is set to 'Enabled: 0' (Automated)" + audittype: powershell + audit: + cmd: + Server: (Get-ItemProperty -PATH 'HKLM:\Software\Policies\Microsoft\Windows NT\Printers\RPC').RpcTcpPort + tests: + test_items: + - flag: "" + compare: + op: eq + value: "0" + set: true + remediation: > + To establish the recommended configuration via GP, set the following UI path to 'Enabled: 0': + Computer Configuration\Policies\Administrative Templates\Printers\Configure RPC over TCP port + scored: true + - id: 18.7.8 + description: "Ensure 'Configure RPC packet level privacy setting for incoming connections' is set to 'Enabled' (Automated)" + audittype: powershell + audit: + cmd: + Server: (Get-ItemProperty -PATH 'HKLM:\SYSTEM\CurrentControlSet\Control\Print').RpcAuthnLevelPrivacyEnabled + tests: + test_items: + - flag: "" + compare: + op: eq + value: "1" + set: true + remediation: > + To establish the recommended configuration via GP, set the following UI path to Enabled: + Computer Configuration\Policies\Administrative Templates\MS 
Security Guide\Configure RPC packet level privacy setting for incoming connections + scored: true + - id: 18.7.9 + description: "Ensure 'Limits print driver installation to Administrators' is set to 'Enabled' (Automated)" + audittype: powershell + audit: + cmd: + Server: (Get-ItemProperty -PATH 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint').RestrictDriverInstallationToAdministrators + tests: + test_items: + - flag: "" + compare: + op: eq + value: "1" + set: true + remediation: > + To establish the recommended configuration via GP, set the following UI path to 'Enabled: 0': + Computer Configuration\Policies\Administrative Templates\Printers\Limits print driver installation to Administrators + scored: true + - id: 18.7.10 + description: "Ensure 'Manage processing of Queue-specific files' is set to 'Enabled: Limit Queue-specific files to Color profiles' (Automated)" + audittype: powershell + audit: + cmd: + Server: (Get-ItemProperty -PATH 'HKLM:\Software\Policies\Microsoft\Windows NT\Printers').CopyFilesPolicy + tests: + test_items: + - flag: "" + compare: + op: eq + value: "1" + set: true + remediation: > + To establish the recommended configuration via GP, set the following UI path to 'Enabled: Limit Queue-specific files to Color profiles': + Computer Configuration\Policies\Administrative Templates\Printers\Manage processing of Queue-specific files + scored: true + - id: 18.7.11 + description: "Ensure 'Point and Print Restrictions: When installing drivers for a new connection' is set to 'Enabled: Show warning and elevation prompt' (Automated)" + audittype: powershell + audit: + cmd: + Server: (Get-ItemProperty -PATH 'HKLM:\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint').NoWarningNoElevationOnInstall + tests: + test_items: + - flag: "" + compare: + op: eq + value: "0" + set: true + remediation: > + To establish the recommended configuration via GP, set the following UI path to 'Enabled: Show warning and elevation prompt': + 
Computer Configuration\Policies\Administrative Templates\Printers\Point and Print Restrictions: When installing drivers for a new connection + scored: true + - id: 18.7.12 + description: "Ensure 'Point and Print Restrictions: When updating drivers for an existing connection' is set to 'Enabled: Show warning and elevation prompt' (Automated)" + audittype: powershell + audit: + cmd: + Server: (Get-ItemProperty -PATH 'HKLM:\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint').UpdatePromptSettings + tests: + test_items: + - flag: "" + compare: + op: eq + value: "0" + set: true + remediation: > + To establish the recommended configuration via GP, set the following UI path to 'Enabled: Show warning and elevation prompt': + Computer Configuration\Policies\Administrative Templates\Printers\Point and Print Restrictions: When updating drivers for an existing connection + scored: true + - id: 18.8 + description: Start Menu and Taskbar + checks: + - id: 18.8.1 + description: "Notification" + type: "skip" + checks: + - id: 18.8.1.1 + description: "Ensure 'Turn off notifications network usage' is set to 'Enabled' (Automated)" + audittype: powershell + audit: + cmd: + Server: (Get-ItemProperty -PATH 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications').NoCloudApplicationNotification + tests: + test_items: + - flag: "" + compare: + op: eq + value: "1" + set: true + remediation: > + To establish the recommended configuration via GP, set the following UI path to Enabled: + Computer Configuration\Policies\Administrative Templates\Start Menu and Taskbar\Turn off notifications network usage + scored: true + - id: 18.9 + description: System + checks: + - id: 18.9.1 + description: "Access-Denied Assistance" + type: "skip" + - id: 18.9.2 + description: "App-V" + type: "skip" + - id: 18.9.3 + description: "Audit Process Creation" + type: "skip" + checks: + - id: 18.9.3.1 + description: "Ensure 'Include command line in process creation events' is set to 
'Enabled' (Automated)" + audittype: powershell + audit: + cmd: + Server: (Get-ItemProperty -PATH 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit').ProcessCreationIncludeCmdLine_Enabled + tests: + test_items: + - flag: "" + compare: + op: eq + value: "1" + set: true + remediation: > + To establish the recommended configuration via GP, set the following UI path to 'Enabled': + Computer Configuration\Policies\Administrative Templates\System\Audit Process Creation\Include command line in process creation events + scored: true + - id: 18.9.4 + description: Credentials Delegation + type: "skip" + checks: + - id: 18.9.4.1 + description: "Ensure 'Encryption Oracle Remediation' is set to 'Enabled: Force Updated Clients' (Automated)" + audittype: powershell + audit: + cmd: + Server: (Get-ItemProperty -PATH 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters').AllowEncryptionOracle + tests: + test_items: + - flag: "" + compare: + op: eq + value: "0" + set: true + remediation: > + To establish the recommended configuration via GP, set the following UI path to 'Enabled: Force Updated Clients': + Computer Configuration\Policies\Administrative Templates\System\Credentials Delegation\Encryption Oracle Remediation + scored: true + - id: 18.9.4.2 + description: "Ensure 'Remote host allows delegation of non-exportable credentials' is set to 'Enabled' (Automated)" + audittype: powershell + audit: + cmd: + Server: (Get-ItemProperty -PATH 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation').AllowProtectedCreds + tests: + test_items: + - flag: "" + compare: + op: eq + value: "1" + set: true + remediation: > + To establish the recommended configuration via GP, set the following UI path to 'Enabled': + Computer Configuration\Policies\Administrative Templates\System\Credentials Delegation\Remote host allows delegation of non-exportable credentials + scored: true + - id: 18.9.5 + description: Device Guard + type: "skip" + 
checks: + - id: 18.9.5.1 + description: "(NG) Ensure 'Turn On Virtualization Based Security' is set to 'Enabled' (Automated)" + audittype: powershell + audit: + cmd: + Server: (Get-ItemProperty -PATH 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard').EnableVirtualizationBasedSecurity + tests: + test_items: + - flag: "" + compare: + op: eq + value: "1" + set: true + remediation: > + To establish the recommended configuration via GP, set the following UI path to 'Enabled': + Computer Configuration\Policies\Administrative Templates\System\Device Guard\Turn On Virtualization Based Security + scored: true + - id: 18.9.5.2 + description: "(NG) Ensure 'Turn On Virtualization Based Security: Select Platform Security Level' is set to 'Secure Boot' or higher (Automated)" + audittype: powershell + audit: + cmd: + Server: (Get-ItemProperty -PATH 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard').RequirePlatformSecurityFeatures + tests: + bin_op: or + test_items: + - flag: "" + compare: + op: eq + value: "1" + set: true + - flag: "" + compare: + op: eq + value: "3" + set: true + remediation: > + To establish the recommended configuration via GP, set the following UI path to 'Secure Boot' or 'Secure Boot and DMA Protection': + Computer Configuration\Policies\Administrative Templates\System\Device Guard\Turn On Virtualization Based Security: Select Platform Security Level + scored: true + - id: 18.9.5.3 + description: "(NG) Ensure 'Turn On Virtualization Based Security: Virtualization Based Protection of Code Integrity' is set to 'Enabled with UEFI lock' (Automated)" + audittype: powershell + audit: + cmd: + Server: (Get-ItemProperty -PATH 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard').HypervisorEnforcedCodeIntegrity + tests: + test_items: + - flag: "" + compare: + op: eq + value: "1" + set: true + remediation: > + To establish the recommended configuration via GP, set the following UI path to 'Enabled with UEFI lock': + Computer 
Configuration\Policies\Administrative Templates\System\Device Guard\Turn On Virtualization Based Security: Virtualization Based Protection of Code Integrity + scored: true + - id: 18.9.5.4 + description: "(NG) Ensure 'Turn On Virtualization Based Security: Require UEFI Memory Attributes Table' is set to 'True (checked)' (Automated)" + audittype: powershell + audit: + cmd: + Server: (Get-ItemProperty -PATH 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard').HVCIMATRequired + tests: + test_items: + - flag: "" + compare: + op: eq + value: "1" + set: true + remediation: > + To establish the recommended configuration via GP, set the following UI path to 'TRUE': + Computer Configuration\Policies\Administrative Templates\System\Device Guard\Turn On Virtualization Based Security: Require UEFI Memory Attributes Table + scored: true + - id: 18.9.5.5 + description: "(NG) Ensure 'Turn On Virtualization Based Security: Credential Guard Configuration' is set to 'Enabled with UEFI lock' (MS Only) (Automated)" + audittype: powershell + audit: + cmd: + Server: (Get-ItemProperty -PATH 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard').LsaCfgFlags + tests: + test_items: + - flag: "" + compare: + op: eq + value: "1" + set: true + remediation: > + To establish the recommended configuration via GP, set the following UI path to 'Enabled with UEFI lock' (on Member Servers only):': + Computer Configuration\Policies\Administrative Templates\System\Device Guard\Turn On Virtualization Based Security: Credential Guard Configuration + scored: true + - id: 18.9.5.6 + description: "NG) Ensure 'Turn On Virtualization Based Security: Secure Launch Configuration' is set to 'Enabled' (Automated)" + audittype: powershell + audit: + cmd: + Server: (Get-ItemProperty -PATH 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard').ConfigureSystemGuardLaunch + tests: + test_items: + - flag: "" + compare: + op: eq + value: "1" + set: true + remediation: > + To establish the recommended 
configuration via GP, set the following UI path to 'Enabled': + Computer Configuration\Policies\Administrative Templates\System\Device Guard\Turn On Virtualization Based Security: Secure Launch Configuration + Note: This Group Policy path may not exist by default. It is provided by the Group Policy + template DeviceGuard.admx/adml that is included with the Microsoft Windows 10 + Release 1809 and Server 2019 Administrative Templates (or newer). + scored: true + - id: 18.9.6 + description: Device Health Attestation Service + type: "skip" + - id: 18.9.7 + description: Device Installation + type: "skip" + checks: + - id: 18.9.7.1 + description: Device Installation Restrictions + type: "skip" + - id: 18.9.7.2 + description: "Ensure 'Prevent device metadata retrieval from the Internet' is set to 'Enabled' (Automated)" + audittype: powershell + audit: + cmd: + Server: (Get-ItemProperty -PATH 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Device Metadata').PreventDeviceMetadataFromNetwork + tests: + test_items: + - flag: "" + compare: + op: eq + value: "1" + set: true + remediation: > + To establish the recommended configuration via GP, set the following UI path to 'Enabled': + Computer Configuration\Policies\Administrative Templates\System\Device Installation\Prevent device metadata retrieval from the Internet + scored: true + - id: 18.9.8 + description: Disk NV Cache + type: "skip" + - id: 18.9.9 + description: Disk Quotas + type: "skip" + - id: 18.9.10 + description: Display + type: "skip" + - id: 18.9.11 + description: Distributed COM + type: "skip" + - id: 18.9.12 + description: Driver Installation + type: "skip" + - id: 18.9.13 + description: Early Launch Antimalware + type: "skip" + checks: + - id: 18.9.13.1 + description: "Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical' (Automated)" + audittype: powershell + audit: + cmd: + Server: (Get-ItemProperty -PATH 
'HKLM:\SYSTEM\CurrentControlSet\Policies\EarlyLaunch').DriverLoadPolicy + tests: + test_items: + - flag: "" + compare: + op: eq + value: "3" + set: true + remediation: > + To establish the recommended configuration via GP, set the following UI path to 'Enabled: Good, unknown and bad but critical': + Computer Configuration\Policies\Administrative Templates\System\Early Launch Antimalware\Boot-Start Driver Initialization Policy + scored: true + - id: 18.9.14 + description: Enhanced Storage Access + type: "skip" + - id: 18.9.15 + description: File Classification Infrastructure + type: "skip" + - id: 18.9.16 + description: File Share Shadow Copy Provider + type: "skip" + - id: 18.9.17 + description: Filesystem (formerly NTFS Filesystem) + type: "skip" + - id: 18.9.18 + description: Folder Redirection + type: "skip" + - id: 18.9.19 + description: Group Policy + type: "skip" + checks: + - id: 18.9.19.1 + description: Logging and tracing + type: "skip" + - id: 18.9.19.2 + description: "Ensure 'Continue experiences on this device' is set to 'Disabled' (Automated)" + audittype: powershell + audit: + cmd: + Server: (Get-ItemProperty -PATH 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System').EnableCdp + tests: + test_items: + - flag: "" + compare: + op: eq + value: "0" + set: true + remediation: > + To establish the recommended configuration via GP, set the following UI path to 'Disabled': + Computer Configuration\Policies\Administrative Templates\System\Group Policy\Continue experiences on this device + + Note: This Group Policy path may not exist by default. It is provided by the Group Policy + template GroupPolicy.admx/adml that is included with the Microsoft Windows 10 + Release 1607 and Server 2016 Administrative Templates (or newer). 
+ scored: true + - id: 18.9.20 + description: Internet Communication Management + type: "skip" + checks: + - id: 18.9.20.1 + description: Internet Communication settings + type: "skip" + checks: + - id: 18.9.20.1.1 + description: "Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled' (Automated)" + audittype: powershell + audit: + cmd: + Server: (Get-ItemProperty -PATH 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers').DisableWebPnPDownload + tests: + test_items: + - flag: "" + compare: + op: eq + value: "1" + set: true + remediation: > + To establish the recommended configuration via GP, set the following UI path to 'Enabled': + Computer Configuration\Policies\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off downloading of print drivers over HTTP + + Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml + that is included with all versions of the Microsoft Windows Administrative Templates. + scored: true + - id: 18.9.20.1.2 + description: "Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled' (Automated)" + audittype: powershell + audit: + cmd: + Server: (Get-ItemProperty -PATH 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\TabletPC').PreventHandwritingDataSharing + tests: + test_items: + - flag: "" + compare: + op: eq + value: "1" + set: true + remediation: > + To establish the recommended configuration via GP, set the following UI path to 'Enabled': + Computer Configuration\Policies\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off handwriting personalization data sharing + + Note: This Group Policy path may not exist by default. It is provided by the Group Policy + template ShapeCollector.admx/adml that is included with the Microsoft Windows 7 and + Server 2008 R2 Administrative Templates (or newer). 
+ scored: true + - id: 18.9.20.1.3 + description: "Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled' (Automated)" + audittype: powershell + audit: + cmd: + Server: (Get-ItemProperty -PATH 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports').PreventHandwritingErrorReports + tests: + test_items: + - flag: "" + compare: + op: eq + value: "1" + set: true + remediation: > + To establish the recommended configuration via GP, set the following UI path to 'Enabled': + Computer Configuration\Policies\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off handwriting recognition error reporting + Note: This Group Policy path is provided by the Group Policy template + InkWatson.admx/adml that is included with all versions of the Microsoft Windows + Administrative Templates. + scored: true + - id: 18.9.20.1.4 + description: "Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled' (Automated)" + audittype: powershell + audit: + cmd: + Server: (Get-ItemProperty -PATH 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard').ExitOnMSICW + tests: + test_items: + - flag: "" + compare: + op: eq + value: "1" + set: true + remediation: > + To establish the recommended configuration via GP, set the following UI path to 'Enabled': + Computer Configuration\Policies\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com + + Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml + that is included with all versions of the Microsoft Windows Administrative Templates. 
+ scored: true + - id: 18.9.20.1.5 + description: "Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled' (Automated)" + audittype: powershell + audit: + cmd: + Server: (Get-ItemProperty -PATH 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer').NoWebServices + tests: + test_items: + - flag: "" + compare: + op: eq + value: "1" + set: true + remediation: > + To establish the recommended configuration via GP, set the following UI path to 'Enabled': + Computer Configuration\Policies\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off Internet download for Web publishing and online ordering wizards + + Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml + that is included with all versions of the Microsoft Windows Administrative Templates. + scored: true + - id: 18.9.20.1.6 + description: "Ensure 'Turn off printing over HTTP' is set to 'Enabled' (Automated)" + audittype: powershell + audit: + cmd: + Server: (Get-ItemProperty -PATH 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers').DisableHTTPPrinting + tests: + test_items: + - flag: "" + compare: + op: eq + value: "1" + set: true + remediation: > + To establish the recommended configuration via GP, set the following UI path to 'Enabled': + Computer Configuration\Policies\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off printing over HTTP + + Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml + that is included with all versions of the Microsoft Windows Administrative Templates. 
+ scored: true + - id: 18.9.20.1.7 + description: "Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled' (Automated)" + audittype: powershell + audit: + cmd: + Server: (Get-ItemProperty -PATH 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Registration Wizard Control').NoRegistration + tests: + test_items: + - flag: "" + compare: + op: eq + value: "1" + set: true + remediation: > + To establish the recommended configuration via GP, set the following UI path to 'Enabled': + Computer Configuration\Policies\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off Registration if URL connection is referring to Microsoft.com + + Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml + that is included with all versions of the Microsoft Windows Administrative Templates. + scored: true + - id: 18.9.20.1.8 + description: "Ensure 'Turn off Search Companion content file updates' is set to 'Enabled' (Automated)" + audittype: powershell + audit: + cmd: + Server: (Get-ItemProperty -PATH 'HKLM:\SOFTWARE\Policies\Microsoft\SearchCompanion').DisableContentFileUpdates + tests: + test_items: + - flag: "" + compare: + op: eq + value: "1" + set: true + remediation: > + To establish the recommended configuration via GP, set the following UI path to 'Enabled': + Computer Configuration\Policies\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off Search Companion content file updates + + Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml + that is included with all versions of the Microsoft Windows Administrative Templates. 
+ scored: true
+ - id: 18.9.20.1.9
+ description: "Ensure 'Turn off the \"Order Prints\" picture task' is set to 'Enabled' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: (Get-ItemProperty -PATH 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer').NoOnlinePrintsWizard
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "1"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to 'Enabled':
+ Computer Configuration\Policies\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off the "Order Prints" picture task
+
+ Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml
+ that is included with all versions of the Microsoft Windows Administrative Templates.
+ scored: true
+ - id: 18.9.20.1.10
+ description: "Ensure 'Turn off the \"Publish to Web\" task for files and folders' is set to 'Enabled' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: (Get-ItemProperty -PATH 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer').NoPublishingWizard
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "1"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to 'Enabled':
+ Computer Configuration\Policies\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off the "Publish to Web" task for files and folders
+
+ Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml
+ that is included with all versions of the Microsoft Windows Administrative Templates.
+ scored: true
+ - id: 18.9.20.1.11
+ description: "Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: (Get-ItemProperty -PATH 'HKLM:\SOFTWARE\Policies\Microsoft\Messenger\Client').CEIP
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "2"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to 'Enabled':
+ Computer Configuration\Policies\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off the Windows Messenger Customer Experience Improvement Program
+
+ Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml
+ that is included with all versions of the Microsoft Windows Administrative Templates.
+ scored: true
+ - id: 18.9.20.1.12
+ description: "Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: (Get-ItemProperty -PATH 'HKLM:\SOFTWARE\Policies\Microsoft\SQMClient\Windows').CEIPEnable
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "0"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to 'Enabled':
+ Computer Configuration\Policies\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off Windows Customer Experience Improvement Program
+
+ Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml
+ that is included with all versions of the Microsoft Windows Administrative Templates.
+ scored: true
+ - id: 18.9.20.1.13
+ description: "Ensure 'Turn off Windows Error Reporting' is set to 'Enabled' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: Get-ItemPropertyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting' Disabled; Get-ItemPropertyValue 'HKLM:\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting' DoReport
+ tests:
+ bin_op: or
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "1\r\n0"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to 'Enabled':
+ Computer Configuration\Policies\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off Windows Error Reporting
+
+ Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml
+ that is included with all versions of the Microsoft Windows Administrative Templates.
+ scored: true
+ - id: 10.9.21
+ description: iSCSI
+ type: "skip"
+ - id: 18.9.22
+ description: KDC
+ type: "skip"
+ - id: 18.9.23
+ description: Kerberos
+ type: "skip"
+ checks:
+ - id: 18.9.23.1
+ description: "Ensure 'Support device authentication using certificate' is set to 'Enabled: Automatic' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: Get-ItemPropertyValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters' DevicePKInitBehavior; Get-ItemPropertyValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters' DevicePKInitEnabled
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "0\r\n1"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to 'Enabled: Automatic':
+ Computer Configuration\Policies\Administrative Templates\System\Kerberos\Support device authentication using certificate
+
+ Note: This Group Policy path may not exist by default. It is provided by the Group Policy
+ template Kerberos.admx/adml that is included with the Microsoft Windows 10 RTM
+ (Release 1507) Administrative Templates (or newer).
+ scored: true
+ - id: 18.9.24
+ description: Kernel DMA Protection
+ type: "skip"
+ checks:
+ - id: 18.9.24.1
+ description: "Ensure 'Enumeration policy for external devices incompatible with Kernel DMA Protection' is set to 'Enabled: Block All' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: (Get-ItemProperty -PATH 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Kernel DMA Protection').DeviceEnumerationPolicy
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "0"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to 'Enabled: Block All':
+ Computer Configuration\Policies\Administrative Templates\System\Kernel DMA Protection\Enumeration policy for external devices incompatible with Kernel DMA Protection
+
+ Note: This Group Policy path may not exist by default. It is provided by the Group Policy
+ template DmaGuard.admx/adml that is included with the Microsoft Windows 10 Release
+ 1809 and Server 2019 Administrative Templates (or newer).
+ scored: true
+ - id: 18.9.25
+ description: LAPS
+ type: "skip"
+ - id: 18.9.26
+ description: Local Security Authority (LSA)
+ type: "skip"
+ checks:
+ - id: 18.9.26.1
+ description: "Ensure 'Allow Custom SSPs and APs to be loaded into LSASS' is set to 'Disabled' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: (Get-ItemProperty -PATH 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System').AllowCustomSSPsAPs
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "0"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to Disabled:
+ Computer Configuration\Policies\Administrative Templates\System\Local Security Authority\Allow Custom SSPs and APs to be loaded into LSASS
+ scored: true
+ - id: 18.9.26.2
+ description: "Ensure 'Configures LSASS to run as a protected process' is set to 'Enabled: Enabled with UEFI Lock' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: (Get-ItemProperty -PATH 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System').RunAsPPL
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "1"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to Enabled: Enabled with UEFI Lock:
+ Computer Configuration\Policies\Administrative Templates\System\Local Security Authority\Configures LSASS to run as a protected process
+ scored: true
+ - id: 18.9.27
+ description: Locale Services
+ type: "skip"
+ checks:
+ - id: 18.9.27.1
+ description: "Ensure 'Disallow copying of user input methods to the system account for sign-in' is set to 'Enabled' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: (Get-ItemProperty -PATH 'HKLM:\SOFTWARE\Policies\Microsoft\Control Panel\International').BlockUserInputMethodsForSignIn
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "1"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to Enabled:
+ Computer Configuration\Policies\Administrative Templates\System\Locale Services\Disallow copying of user input methods to the system account for sign-in
+
+ Note: This Group Policy path may not exist by default. It is provided by the Group Policy
+ template Globalization.admx/adml that is included with the Microsoft Windows 8.0 and
+ Server 2012 (non-R2) Administrative Templates (or newer).
+ scored: true
+ - id: 18.9.28
+ description: Logon
+ type: "skip"
+ checks:
+ - id: 18.9.28.1
+ description: "Ensure 'Block user from showing account details on sign-in' is set to 'Enabled' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: Get-ItemPropertyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' BlockUserFromShowingAccountDetailsOnSignin
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "1"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to 'Enabled':
+ Computer Configuration\Policies\Administrative Templates\System\Logon\Block user from showing account details on sign-in
+
+ Note: This Group Policy path may not exist by default. It is provided by the Group Policy
+ template Logon.admx/adml that is included with the Microsoft Windows 10 Release
+ 1607 and Server 2016 Administrative Templates (or newer).
+ scored: true
+ - id: 18.9.28.2
+ description: "Ensure 'Do not display network selection UI' is set to 'Enabled' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: Get-ItemPropertyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' DontDisplayNetworkSelectionUI
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "1"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to 'Enabled':
+ Computer Configuration\Policies\Administrative Templates\System\Logon\Do not display network selection UI
+
+ Note: This Group Policy path may not exist by default. It is provided by the Group Policy
+ template Logon.admx/adml that is included with the Microsoft Windows 8.1 and Server
+ 2012 R2 Administrative Templates (or newer).
+ scored: true
+ - id: 18.9.28.3
+ description: "Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: Get-ItemPropertyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' DisableLockScreenAppNotifications
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "1"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to 'Enabled':
+ Computer Configuration\Policies\Administrative Templates\System\Logon\Turn off app notifications on the lock screen
+
+ Note: This Group Policy path may not exist by default. It is provided by the Group Policy
+ template Logon.admx/adml that is included with the Microsoft Windows 8.1 and Server
+ 2012 R2 Administrative Templates (or newer).
+ scored: true
+ - id: 18.9.28.4
+ description: "Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: Get-ItemPropertyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' AllowDomainPINLogon
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "0"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to 'Disabled':
+ Computer Configuration\Policies\Administrative Templates\System\Logon\Turn off picture password sign-in
+
+ Note: This Group Policy path may not exist by default. It is provided by the Group Policy
+ template CredentialProviders.admx/adml that is included with the Microsoft
+ Windows 8.0 and Server 2012 (non-R2) Administrative Templates (or newer).
+
+ Note #2: In older Microsoft Windows Administrative Templates, this setting was initially
+ named Turn on PIN sign-in, but it was renamed starting with the Windows 10 Release
+ 1511 Administrative Templates.
+ scored: true
+ - id: 18.9.29
+ description: Mitigation Options
+ type: "skip"
+ - id: 18.9.30
+ description: Net Logon
+ type: "skip"
+ - id: 18.9.31
+ description: OS Policies
+ type: "skip"
+ checks:
+ - id: 18.9.31.1
+ description: "Ensure 'Allow Clipboard synchronization across devices' is set to 'Disabled' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: Get-ItemPropertyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' AllowCrossDeviceClipboard
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "0"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to 'Disabled':
+ Computer Configuration\Policies\Administrative Templates\System\OS Policies\Allow Clipboard synchronization across devices
+
+ Note: This Group Policy path is provided by the Group Policy template
+ OSPolicy.admx/adml that is included with the Microsoft Windows 10 Release 1809 and
+ Server 2019 Administrative Templates (or newer).
+ scored: true
+ - id: 18.9.31.2
+ description: "Ensure 'Allow upload of User Activities' is set to 'Disabled' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: Get-ItemPropertyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' UploadUserActivities
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "0"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to 'Disabled':
+ Computer Configuration\Policies\Administrative Templates\System\OS Policies\Allow upload of User Activities
+
+ Note: This Group Policy path is provided by the Group Policy template
+ OSPolicy.admx/adml that is included with the Microsoft Windows 10 Release 1809 and
+ Server 2019 Administrative Templates (or newer).
+ scored: true
+ - id: 18.9.32
+ description: PIN Complexity
+ type: "skip"
+ - id: 18.9.33
+ description: Power Management
+ type: "skip"
+ checks:
+ - id: 18.9.33.1
+ description: Button Settings
+ type: "skip"
+ - id: 18.9.33.2
+ description: Energy Saver Settings
+ type: "skip"
+ - id: 18.9.33.3
+ description: Hard Disk Settings
+ type: "skip"
+ - id: 18.9.33.4
+ description: Notification Settings
+ type: "skip"
+ - id: 18.9.33.5
+ description: Power Throttling Settings
+ type: "skip"
+ - id: 18.9.33.6
+ description: Sleep Settings
+ type: "skip"
+ - id: 18.9.33.6.1
+ description: "Ensure 'Allow network connectivity during connected-standby (on battery)' is set to 'Disabled' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: Get-ItemPropertyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9' DCSettingIndex
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "0"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to 'Disabled':
+ Computer Configuration\Policies\Administrative Templates\System\Power Management\Sleep Settings\Allow network connectivity during connected-standby (on battery)
+
+ Note: This Group Policy path may not exist by default. It is provided by the Group Policy
+ template Power.admx/adml that is included with the Microsoft Windows 10 Release
+ 1607 and Server 2016 Administrative Templates (or newer).
+ scored: true
+ - id: 18.9.33.6.2
+ description: "Ensure 'Allow network connectivity during connected-standby (plugged in)' is set to 'Disabled' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: Get-ItemPropertyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9' ACSettingIndex
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "0"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to 'Disabled':
+ Computer Configuration\Policies\Administrative Templates\System\Power Management\Sleep Settings\Allow network connectivity during connected-standby (plugged in)
+
+ Note: This Group Policy path may not exist by default. It is provided by the Group Policy
+ template Power.admx/adml that is included with the Microsoft Windows 10 Release
+ 1607 and Server 2016 Administrative Templates (or newer).
+ scored: true
+ - id: 18.9.33.6.3
+ description: "Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: Get-ItemPropertyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51' DCSettingIndex
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "1"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to 'Enabled':
+ Computer Configuration\Policies\Administrative Templates\System\Power Management\Sleep Settings\Require a password when a computer wakes (on battery)
+
+ Note: This Group Policy path may not exist by default. It is provided by the Group Policy
+ template Power.admx/adml that is included with the Microsoft Windows 8.0 and Server
+ 2012 (non-R2) Administrative Templates (or newer).
+ scored: true
+ - id: 18.9.33.6.4
+ description: "Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: Get-ItemPropertyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51' ACSettingIndex
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "1"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to 'Enabled':
+ Computer Configuration\Policies\Administrative Templates\System\Power Management\Sleep Settings\Require a password when a computer wakes (plugged in)
+
+ Note: This Group Policy path may not exist by default. It is provided by the Group Policy
+ template Power.admx/adml that is included with the Microsoft Windows 8.0 and Server
+ 2012 (non-R2) Administrative Templates (or newer).
+ scored: true
+ - id: 18.9.34
+ description: Recovery
+ type: "skip"
+ - id: 18.9.35
+ description: Remote Assistance
+ type: "skip"
+ checks:
+ - id: 18.9.35.1
+ description: "Ensure 'Configure Offer Remote Assistance' is set to 'Disabled' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: Get-ItemPropertyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' fAllowUnsolicited
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "0"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to 'Disabled':
+ Computer Configuration\Policies\Administrative Templates\System\Remote Assistance\Configure Offer Remote Assistance
+
+ Note: This Group Policy path may not exist by default. It is provided by the Group Policy
+ template RemoteAssistance.admx/adml that is included with the Microsoft Windows
+ 8.0 and Server 2012 (non-R2) Administrative Templates (or newer).
+ scored: true
+ - id: 18.9.35.2
+ description: "Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: Get-ItemPropertyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' fAllowToGetHelp
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "0"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to 'Disabled':
+ Computer Configuration\Policies\Administrative Templates\System\Remote Assistance\Configure Solicited Remote Assistance
+
+ Note: This Group Policy path may not exist by default. It is provided by the Group Policy
+ template RemoteAssistance.admx/adml that is included with the Microsoft Windows
+ 8.0 and Server 2012 (non-R2) Administrative Templates (or newer).
+ scored: true
+ - id: 18.9.36
+ description: Remote Procedure Call (RPC)
+ type: "skip"
+ checks:
+ - id: 18.9.36.1
+ description: "Ensure 'Enable RPC Endpoint Mapper Client Authentication' is set to 'Enabled' (MS only) (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: Get-ItemPropertyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Rpc' EnableAuthEpResolution
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "1"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to 'Enabled':
+ Computer Configuration\Policies\Administrative Templates\System\Remote Procedure Call\Enable RPC Endpoint Mapper Client Authentication
+
+ Note: This Group Policy path may not exist by default. It is provided by the Group Policy
+ template RPC.admx/adml that is included with the Microsoft Windows 8.0 and Server 2012
+ (non-R2) Administrative Templates (or newer).
+ scored: true
+ - id: 18.9.36.2
+ description: "Ensure 'Restrict Unauthenticated RPC clients' is set to 'Enabled: Authenticated' (MS only) (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: Get-ItemPropertyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Rpc' RestrictRemoteClients
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "1"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to 'Enabled: Authenticated':
+ Computer Configuration\Policies\Administrative Templates\System\Remote Procedure Call\Restrict Unauthenticated RPC clients
+
+ Note: This Group Policy path may not exist by default. It is provided by the Group Policy
+ template RPC.admx/adml that is included with the Microsoft Windows 8.0 and Server 2012
+ (non-R2) Administrative Templates (or newer).
+ scored: true
+ - id: 18.9.37
+ description: Removable Storage Access
+ type: "skip"
+ - id: 18.9.38
+ description: Scripts
+ type: "skip"
+ - id: 18.9.39
+ description: Security Account Manager (SAM)
+ type: "skip"
+ - id: 18.9.40
+ description: Server Manager
+ type: "skip"
+ - id: 18.9.41
+ description: Service Control Manager (SCM) Settings
+ type: "skip"
+ - id: 18.9.42
+ description: Shutdown
+ type: "skip"
+ - id: 18.9.43
+ description: Shutdown Options
+ type: "skip"
+ - id: 18.9.44
+ description: Storage Health
+ type: "skip"
+ - id: 18.9.45
+ description: Storage Sense
+ type: "skip"
+ - id: 18.9.46
+ description: System Restore
+ type: "skip"
+ - id: 18.9.47
+ description: Troubleshooting and Diagnostics
+ type: "skip"
+ checks:
+ - id: 18.9.47.1
+ description: Application Compatibility Diagnostics
+ type: "skip"
+ - id: 18.9.47.2
+ description: Corrupted File Recovery
+ type: "skip"
+ - id: 18.9.47.3
+ description: Disk Diagnostics
+ type: "skip"
+ - id: 18.9.47.4
+ description: Fault Tolerant Heap
+ type: "skip"
+ - id: 18.9.47.5
+ description: Microsoft Support Diagnostic Tool (MSDT)
+ type: "skip"
+ checks:
+ - id: 18.9.47.5.1
+ description: "Ensure 'Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider' is set to 'Disabled' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: Get-ItemPropertyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy' DisableQueryRemoteServer
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "0"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to 'Disabled':
+ Computer Configuration\Policies\Administrative Templates\System\Troubleshooting and Diagnostics\Microsoft Support Diagnostic Tool\Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider
+
+ Note: This Group Policy path may not exist by default. It is provided by the Group Policy
+ template MSDT.admx/adml that is included with the Microsoft Windows 8.0 and Server
+ 2012 (non-R2) Administrative Templates (or newer).
+ scored: true
+ - id: 18.9.47.6
+ description: MSI Corrupted File Recovery
+ type: "skip"
+ - id: 18.9.47.7
+ description: Scheduled Maintenance
+ type: "skip"
+ - id: 18.9.47.8
+ description: Scripted Diagnostics
+ type: "skip"
+ - id: 18.9.47.9
+ description: Windows Boot Performance Diagnostics
+ type: "skip"
+ - id: 18.9.47.10
+ description: Windows Memory Leak Diagnosis
+ type: "skip"
+ - id: 18.9.47.11
+ description: Windows Performance PerfTrack
+ type: "skip"
+ checks:
+ - id: 18.9.47.11.1
+ description: "Ensure 'Enable/Disable PerfTrack' is set to 'Disabled' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: Get-ItemPropertyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d}' ScenarioExecutionEnabled
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "0"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to 'Disabled':
+ Computer Configuration\Policies\Administrative Templates\System\Troubleshooting and Diagnostics\Windows Performance PerfTrack\Enable/Disable PerfTrack
+
+ Note: This Group Policy path may not exist by default. It is provided by the Group Policy
+ template PerformancePerftrack.admx/adml that is included with the Microsoft
+ Windows 7 and Server 2008 R2 Administrative Templates (or newer).
+ scored: true
+ - id: 18.9.48
+ description: Trusted Platform Module (TPM) Services
+ type: "skip"
+ - id: 18.9.49
+ description: User Profiles
+ type: "skip"
+ checks:
+ - id: 18.9.49.1
+ description: "Ensure 'Turn off the advertising ID' is set to 'Enabled' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: Get-ItemPropertyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo' DisabledByGroupPolicy
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "1"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to 'Enabled':
+ Computer Configuration\Policies\Administrative Templates\System\User Profiles\Turn off the advertising ID
+
+ Note: This Group Policy path may not exist by default. It is provided by the Group Policy
+ template UserProfiles.admx/adml that is included with the Microsoft Windows 8.1 and
+ Server 2012 R2 Administrative Templates (or newer).
+ scored: true
+ - id: 18.9.50
+ description: Windows File Protection (WFP)
+ type: "skip"
+ - id: 18.9.51
+ description: Windows Time Service
+ type: "skip"
+ checks:
+ - id: 18.9.51.1
+ description: Time Providers
+ type: "skip"
+ checks:
+ - id: 18.9.51.1.1
+ description: "Ensure 'Enable Windows NTP Client' is set to 'Enabled' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: Get-ItemPropertyValue 'HKLM:\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpClient' Enabled
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "1"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to 'Enabled':
+ Computer Configuration\Policies\Administrative Templates\System\Windows Time Service\Time Providers\Enable Windows NTP Client
+
+ Note: This Group Policy path is provided by the Group Policy template
+ W32Time.admx/adml that is included with all versions of the Microsoft Windows
+ Administrative Templates.
+ scored: true
+ - id: 18.10
+ description: Windows Components
+ checks:
+ - id: 18.10.1
+ description: ActiveX Installer Service
+ type: "skip"
+ - id: 18.10.2
+ description: Add features to Windows 10 (formerly Windows Anytime Upgrade)
+ type: "skip"
+ - id: 18.10.3
+ description: App and Device Inventory
+ type: "skip"
+ - id: 18.10.4
+ description: App Package Deployment
+ type: "skip"
+ checks:
+ - id: 18.10.4.1
+ description: "Ensure 'Allow a Windows app to share application data between users' is set to 'Disabled' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: Get-ItemPropertyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\AppModel\StateManager' AllowSharedLocalAppData
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "0"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to 'Disabled':
+ Computer Configuration\Policies\Administrative Templates\Windows Components\App Package Deployment\Allow a Windows app to share application data between users
+
+ Note: This Group Policy path may not exist by default. It is provided by the Group Policy
+ template AppxPackageManager.admx/adml that is included with the Microsoft Windows
+ 10 RTM (Release 1507) Administrative Templates (or newer).
+ scored: true
+ - id: 18.10.5
+ description: App Privacy
+ type: "skip"
+ - id: 18.10.6
+ description: App runtime
+ type: "skip"
+ checks:
+ - id: 18.10.6.1
+ description: "Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: Get-ItemPropertyValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' MSAOptional
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "1"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to 'Enabled':
+ Computer Configuration\Policies\Administrative Templates\Windows Components\App runtime\Allow Microsoft accounts to be optional
+
+ Note: This Group Policy path may not exist by default. It is provided by the Group Policy
+ template AppXRuntime.admx/adml that is included with the Microsoft Windows 8.1 and
+ Server 2012 R2 Administrative Templates (or newer).
+ scored: true
+ - id: 18.10.7
+ description: Application Compatibility
+ type: "skip"
+ - id: 18.10.8
+ description: AutoPlay Policies
+ type: "skip"
+ checks:
+ - id: 18.10.8.1
+ description: "Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: Get-ItemPropertyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer' NoAutoplayfornonVolume
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "1"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to 'Enabled':
+ Computer Configuration\Policies\Administrative Templates\Windows Components\AutoPlay Policies\Disallow Autoplay for non-volume devices
+
+ Note: This Group Policy path may not exist by default. It is provided by the Group Policy
+ template AutoPlay.admx/adml that is included with the Microsoft Windows 8.0 and
+ Server 2012 (non-R2) Administrative Templates (or newer).
+ scored: true
+ - id: 18.10.8.2
+ description: "Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: Get-ItemPropertyValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' NoAutorun
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "1"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to 'Enabled: Do not execute any autorun commands':
+ Computer Configuration\Policies\Administrative Templates\Windows Components\AutoPlay Policies\Set the default behavior for AutoRun
+
+ Note: This Group Policy path may not exist by default. It is provided by the Group Policy
+ template AutoPlay.admx/adml that is included with the Microsoft Windows 8.0 and
+ Server 2012 (non-R2) Administrative Templates (or newer).
+ scored: true
+ - id: 18.10.8.3
+ description: "Ensure 'Turn off Autoplay' is set to 'Enabled: All drives' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: Get-ItemPropertyValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' NoDriveTypeAutoRun
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "255"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to 'Enabled: All drives':
+ Computer Configuration\Policies\Administrative Templates\Windows Components\AutoPlay Policies\Turn off Autoplay
+
+ Note: This Group Policy path is provided by the Group Policy template
+ AutoPlay.admx/adml that is included with all versions of the Microsoft Windows
+ Administrative Templates.
+ scored: true + - id: 18.10.9 + description: Biometrics + type: "skip" + checks: + - id: 18.10.9.1 + description: Facial Features + type: "skip" + checks: + - id: 18.10.9.1.1 + description: "Ensure 'Configure enhanced anti-spoofing' is set to 'Enabled' (Automated)" + audittype: powershell + audit: + cmd: + Server: Get-ItemPropertyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures' EnhancedAntiSpoofing + tests: + test_items: + - flag: "" + compare: + op: eq + value: "1" + set: true + remediation: > + To establish the recommended configuration via GP, set the following UI path to 'Enabled': + Computer Configuration\Policies\Administrative Templates\Windows Components\Biometrics\Facial Features\Configure enhanced anti-spoofing + + Note: This Group Policy path may not exist by default. It is provided by the Group Policy + template Biometrics.admx/adml that is included with the Microsoft Windows 10 + Release 1511 Administrative Templates (or newer). + + Note #2: In the Windows 10 Release 1511 and Windows 10 Release 1607 and Server + 2016 Administrative Templates, this setting was initially named Use enhanced anti- + spoofing when available. It was renamed to Configure enhanced anti-spoofing starting + with the Windows 10 Release 1703 Administrative Templates. 
+ scored: true + - id: 18.10.10 + description: BitLocker Drive Encryption + type: "skip" + - id: 18.10.11 + description: Camera + type: "skip" + checks: + - id: 18.10.11.1 + description: "Ensure 'Allow Use of Camera' is set to 'Disabled' (Automated)" + audittype: powershell + audit: + cmd: + Server: Get-ItemPropertyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Camera' AllowCamera + tests: + test_items: + - flag: "" + compare: + op: eq + value: "0" + set: true + remediation: > + To establish the recommended configuration via GP, set the following UI path to 'Disabled': + Computer Configuration\Policies\Administrative Templates\Windows Components\Camera\Allow Use of Camera + + Note: This Group Policy path may not exist by default. It is provided by the Group Policy + template Camera.admx/adml that is included with the Microsoft Windows 10 Release + 1607 and Server 2016 Administrative Templates (or newer). + scored: true + - id: 18.10.12 + description: Chat + type: "skip" + - id: 18.10.13 + description: Cloud Content + type: "skip" + checks: + - id: 18.10.13.1 + description: "Ensure 'Turn off cloud consumer account state content' is set to 'Enabled' (Automated)" + audittype: powershell + audit: + cmd: + Server: Get-ItemPropertyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CloudContent' DisableConsumerAccountStateContent + tests: + test_items: + - flag: "" + compare: + op: eq + value: "1" + set: true + remediation: > + To establish the recommended configuration via GP, set the following UI path to 'Enabled': + Computer Configuration\Policies\Administrative Templates\Windows Components\Cloud Content\Turn off cloud consumer account state content + + Note: This Group Policy path may not exist by default. It is provided by the Group Policy + template CloudContent.admx/adml that is included with the Microsoft Windows 11 + Release 21H2 Administrative Templates (or newer). 
+ scored: true + - id: 18.10.13.2 + description: "Ensure 'Turn off cloud optimized content' is set to 'Enabled' (Automated)" + audittype: powershell + audit: + cmd: + Server: Get-ItemPropertyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CloudContent' DisableCloudOptimizedContent + tests: + test_items: + - flag: "" + compare: + op: eq + value: "1" + set: true + remediation: > + To establish the recommended configuration via GP, set the following UI path to 'Enabled': + Computer Configuration\Policies\Administrative Templates\Windows Components\Cloud Content\Turn off cloud optimized content. + scored: true + - id: 18.10.13.3 + description: "Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled' (Automated)" + audittype: powershell + audit: + cmd: + Server: Get-ItemPropertyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CloudContent' DisableWindowsConsumerFeatures + tests: + test_items: + - flag: "" + compare: + op: eq + value: "1" + set: true + remediation: > + To establish the recommended configuration via GP, set the following UI path to 'Enabled': + Computer Configuration\Policies\Administrative Templates\Window Components\Cloud Content\Turn off Microsoft consumer experiences + + Note: This Group Policy path may not exist by default. It is provided by the Group Policy + template CloudContent.admx/adml that is included with the Microsoft Windows 10 + Release 1511 Administrative Templates (or newer). 
+ scored: true + - id: 18.10.14 + description: Connect + type: "skip" + checks: + - id: 18.10.14.1 + description: "Ensure 'Require pin for pairing' is set to 'Enabled: First Time' OR 'Enabled: Always' (Automated)" + audittype: powershell + audit: + cmd: + Server: Get-ItemPropertyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Connect' RequirePinForPairing + tests: + bin_op: or + test_items: + - flag: "" + compare: + op: eq + value: "1" + set: true + - flag: "" + compare: + op: eq + value: "2" + set: true + remediation: > + To establish the recommended configuration via GP, set the following UI path to 'Enabled: First Time' OR 'Enabled: Always': + Computer Configuration\Policies\Administrative Templates\Windows Components\Connect\Require pin for pairing + + Note: This Group Policy path may not exist by default. It is provided by the Group Policy + template WirelessDisplay.admx/adml that is included with the Microsoft Windows 10 + Release 1607 and Server 2016 Administrative Templates (or newer). The new Choose + one of the following actions sub-option was later added as of the Windows 10 + Release 1809 Administrative Templates. Choosing Enabled in the older templates is + the equivalent of choosing 'Enabled: First Time' in the newer templates. 
+ scored: true + - id: 18.10.15 + description: Credential User Interface + type: "skip" + checks: + - id: 18.10.15.1 + description: "Ensure 'Do not display the password reveal button' is set to 'Enabled' (Automated)" + audittype: powershell + audit: + cmd: + Server: Get-ItemPropertyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredUI' DisablePasswordReveal + tests: + test_items: + - flag: "" + compare: + op: eq + value: "1" + set: true + remediation: > + To establish the recommended configuration via GP, set the following UI path to 'Enabled': + Computer Configuration\Policies\Administrative Templates\Windows Components\Credential User Interface\Do not display the password reveal button + + Note: This Group Policy path may not exist by default. It is provided by the Group Policy + template CredUI.admx/adml that is included with the Microsoft Windows 8.0 and Server + 2012 (non-R2) Administrative Templates (or newer). + scored: true + - id: 18.10.15.2 + description: "Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled' (Automated)" + audittype: powershell + audit: + cmd: + Server: Get-ItemPropertyValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI' EnumerateAdministrators + tests: + test_items: + - flag: "" + compare: + op: eq + value: "0" + set: true + remediation: > + To establish the recommended configuration via GP, set the following UI path to 'Disabled': + Computer Configuration\Policies\Administrative Templates\Windows Components\Credential User Interface\Enumerate administrator accounts on elevation + + Note: This Group Policy path is provided by the Group Policy template + CredUI.admx/adml that is included with all versions of the Microsoft Windows + Administrative Templates. 
+ scored: true + - id: 18.10.16 + description: Data Collection and Preview Builds + type: "skip" + checks: + - id: 18.10.16.1 + description: "Ensure 'Allow Diagnostic Data' is set to 'Enabled: Diagnostic data off (not recommended)' or 'Enabled: Send required diagnostic data' (Automated)" + audittype: powershell + audit: + cmd: + Server: Get-ItemPropertyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection' AllowTelemetry + tests: + bin_op: or + test_items: + - flag: "" + compare: + op: eq + value: "0" + set: true + - flag: "" + compare: + op: eq + value: "1" + set: true + remediation: > + To establish the recommended configuration via GP, set the following UI path to + 'Enabled: Diagnostic data off (not recommended)'' or 'Enabled: Send required diagnostic data': + Computer Configuration\Policies\Administrative Templates\Windows Components\Data Collection and Preview Builds\Allow Diagnostic Data + Note: This Group Policy path may not exist by default. It is provided by the Group Policy + template DataCollection.admx/adml that is included with the Microsoft Windows 10 + RTM (Release 1507) Administrative Templates (or newer). + Note #2: In older Microsoft Windows Administrative Templates, this setting was initially + named Allow Telemetry, but it was renamed to Allow Diagnostic Data starting with the + Windows 11 Release 21H2 Administrative Templates. 
+ scored: true + - id: 18.10.16.2 + description: "Ensure 'Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service' is set to 'Enabled: Disable Authenticated Proxy usage' (Automated)" + audittype: powershell + audit: + cmd: + Server: Get-ItemPropertyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection' DisableEnterpriseAuthProxy + tests: + test_items: + - flag: "" + compare: + op: eq + value: "1" + set: true + remediation: > + To establish the recommended configuration via GP, set the following UI path to + 'Enabled: Disable Authenticated Proxy usage': + Computer Configuration\Policies\Administrative Templates\Windows Components\Data Collection and Preview Builds\Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service + + Note: This Group Policy path may not exist by default. It is provided by the Group Policy + template DataCollection.admx/adml that is included with the Microsoft Windows 10 + Release 1703 Administrative Templates (or newer). + scored: true + - id: 18.10.16.3 + description: "Ensure 'Disable OneSettings Downloads' is set to 'Enabled' (Automated)" + audittype: powershell + audit: + cmd: + Server: Get-ItemPropertyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection' DisableOneSettingsDownloads + tests: + test_items: + - flag: "" + compare: + op: eq + value: "1" + set: true + remediation: > + To establish the recommended configuration via GP, set the following UI path to 'Enabled': + Computer Configuration\Policies\Administrative Templates\Windows Components\Data Collection and Preview Builds\Disable OneSettings Downloads + + Note: This Group Policy path may not exist by default. It is provided by the Group Policy + template DataCollection.admx/adml that is included with the Microsoft Windows 11 + Release 21H2 Administrative Templates (or newer). 
+ scored: true + - id: 18.10.16.4 + description: "Ensure 'Do not show feedback notifications' is set to 'Enabled' (Automated)" + audittype: powershell + audit: + cmd: + Server: Get-ItemPropertyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection' DoNotShowFeedbackNotifications + tests: + test_items: + - flag: "" + compare: + op: eq + value: "1" + set: true + remediation: > + To establish the recommended configuration via GP, set the following UI path to 'Enabled': + Computer Configuration\Policies\Administrative Templates\Windows Components\Data Collection and Preview Builds\Do not show feedback notifications + + Note: This Group Policy path may not exist by default. It is provided by the Group Policy + template FeedbackNotifications.admx/adml that is included with the Microsoft + Windows 10 Release 1511 Administrative Templates (or newer). + scored: true + - id: 18.10.16.5 + description: "Ensure 'Enable OneSettings Auditing' is set to 'Enabled' (Automated)" + audittype: powershell + audit: + cmd: + Server: Get-ItemPropertyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection' EnableOneSettingsAuditing + tests: + test_items: + - flag: "" + compare: + op: eq + value: "1" + set: true + remediation: > + To establish the recommended configuration via GP, set the following UI path to 'Enabled': + Computer Configuration\Policies\Administrative Templates\Windows Components\Data Collection and Preview Builds\Enable OneSettings Auditing + + Note: This Group Policy path may not exist by default. It is provided by the Group Policy + template DataCollection.admx/adml that is included with the Microsoft Windows 11 + Release 21H2 Administrative Templates (or newer). 
+ scored: true + - id: 18.10.16.6 + description: "Ensure 'Limit Diagnostic Log Collection' is set to 'Enabled' (Automated)" + audittype: powershell + audit: + cmd: + Server: Get-ItemPropertyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection' LimitDiagnosticLogCollection + tests: + test_items: + - flag: "" + compare: + op: eq + value: "1" + set: true + remediation: > + To establish the recommended configuration via GP, set the following UI path to 'Enabled': + Computer Configuration\Policies\Administrative Templates\Windows Components\Data Collection and Preview Builds\Limit Diagnostic Log Collection + + Note: This Group Policy path may not exist by default. It is provided by the Group Policy + template DataCollection.admx/adml that is included with the Microsoft Windows 11 + Release 21H2 Administrative Templates (or newer). + scored: true + - id: 18.10.16.7 + description: "Ensure 'Limit Dump Collection' is set to 'Enabled' (Automated)" + audittype: powershell + audit: + cmd: + Server: Get-ItemPropertyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection' LimitDumpCollection + tests: + test_items: + - flag: "" + compare: + op: eq + value: "1" + set: true + remediation: > + To establish the recommended configuration via GP, set the following UI path to 'Enabled'. + Computer Configuration\Policies\Administrative Templates\Windows Components\Data Collection and Preview Builds\Limit Dump Collection + + Note: This Group Policy path may not exist by default. It is provided by the Group Policy + template DataCollection.admx/adml that is included with the Microsoft Windows 11 + Release 21H2 Administrative Templates (or newer). 
+ scored: true + - id: 18.10.17 + description: Delivery Optimization + type: "skip" + - id: 18.10.18 + description: Desktop App Installer + type: "skip" + checks: + - id: 18.10.18.1 + description: "Ensure 'Enable App Installer' is set to 'Disabled' (Automated)" + audittype: powershell + audit: + cmd: + Server: Get-ItemPropertyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppInstaller' EnableAppInstaller + tests: + test_items: + - flag: "" + compare: + op: eq + value: "0" + set: true + remediation: > + To establish the recommended configuration via GP, set the following UI path to 'Disabled': + Computer Configuration\Policies\Administrative Templates\Windows Components\Desktop App Installer\Enable App Installer + + Note: This Group Policy path may not exist by default. It is provided by the Group Policy + template DesktopAppInstaller.admx/adml that is included with the Microsoft + Windows 11 Release 22H2 Administrative Templates v1.0 (or newer). + scored: true + - id: 18.10.18.2 + description: "Ensure 'Enable App Installer Experimental' is set to 'Disabled' (Automated)" + audittype: powershell + audit: + cmd: + Server: Get-ItemPropertyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppInstaller' EnableExperimentalFeatures + tests: + test_items: + - flag: "" + compare: + op: eq + value: "0" + set: true + remediation: > + To establish the recommended configuration via GP, set the following UI path to 'Disabled': + Computer Configuration\Policies\Administrative Templates\Windows Components\Desktop App Installer\Enable App Installer Experimental Features + + Note: This Group Policy path may not exist by default. It is provided by the Group Policy + template DesktopAppInstaller.admx/adml that is included with the Microsoft + Windows 11 Release 22H2 Administrative Templates v1.0 (or newer). 
+ scored: true + - id: 18.10.18.3 + description: "Ensure 'Enable App Installer Hash Override' is set to 'Disabled' (Automated)" + audittype: powershell + audit: + cmd: + Server: Get-ItemPropertyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppInstaller' EnableHashOverride + tests: + test_items: + - flag: "" + compare: + op: eq + value: "0" + set: true + remediation: > + To establish the recommended configuration via GP, set the following UI path to 'Disabled': + Computer Configuration\Policies\Administrative Templates\Windows Components\Desktop App Installer\Enable App Installer Hash Override + + Note: This Group Policy path may not exist by default. It is provided by the Group Policy + template DesktopAppInstaller.admx/adml that is included with the Microsoft + Windows 11 Release 22H2 Administrative Templates v1.0 (or newer). + scored: true + - id: 18.10.18.4 + description: "Ensure 'Enable App Installer Local Archive Malware Scan Override' is set to 'Disabled' (Automated)" + audittype: powershell + audit: + cmd: + Server: Get-ItemPropertyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppInstaller' EnableLocalArchiveMalwareScanOverride + tests: + test_items: + - flag: "" + compare: + op: eq + value: "0" + set: true + remediation: > + To establish the recommended configuration via GP, set the following UI path to 'Disabled': + Computer Configuration\Policies\Administrative Templates\Windows Components\Desktop App Installer\Enable App Installer Local Archive Malware Scan Override + + Note: This Group Policy path may not exist by default. It is provided by the Group Policy + template DesktopAppInstaller.admx/adml that is included with the Microsoft + Windows 11 Release 22H2 Administrative Templates v1.0 (or newer). 
+ scored: true + - id: 18.10.18.5 + description: "Ensure 'Enable App Installer ms-appinstaller protocol' is set to 'Disabled' (Automated)" + audittype: powershell + audit: + cmd: + Server: Get-ItemPropertyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppInstaller' EnableMSAppInstallerProtocol + tests: + test_items: + - flag: "" + compare: + op: eq + value: "0" + set: true + remediation: > + To establish the recommended configuration via GP, set the following UI path to 'Disabled': + Computer Configuration\Policies\Administrative Templates\Windows Components\Desktop App Installer\Enable App Installer ms-appinstaller protocol + + Note: This Group Policy path may not exist by default. It is provided by the Group Policy + template DesktopAppInstaller.admx/adml that is included with the Microsoft + Windows 11 Release 22H2 Administrative Templates v1.0 (or newer). + scored: true + - id: 18.10.18.6 + description: "Ensure 'Enable App Installer Microsoft Store Source Certificate Validation Bypass' is set to 'Disabled' (Automated)" + audittype: powershell + audit: + cmd: + Server: Get-ItemPropertyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppInstaller' EnableBypassCertificatePinningForMicrosoftStore + tests: + test_items: + - flag: "" + compare: + op: eq + value: "0" + set: true + remediation: > + To establish the recommended configuration via GP, set the following UI path to 'Disabled': + Computer Configuration\Policies\Administrative Templates\Windows Components\Desktop App Installer\Enable App Installer Microsoft Store Source Certificate Validation Bypass + + Note: This Group Policy path may not exist by default. It is provided by the Group Policy + template DesktopAppInstaller.admx/adml that is included with the Microsoft + Windows 11 Release 22H2 Administrative Templates v1.0 (or newer). 
+ scored: true + - id: 18.10.18.7 + description: "Ensure 'Enable Windows Package Manager command line interfaces' is set to 'Disabled' (Automated)" + audittype: powershell + audit: + cmd: + Server: Get-ItemPropertyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppInstaller' EnableWindowsPackageManagerCommandLineInterfaces + tests: + test_items: + - flag: "" + compare: + op: eq + value: "0" + set: true + remediation: > + To establish the recommended configuration via GP, set the following UI path to 'Disabled': + Computer Configuration\Policies\Administrative Templates\Windows Components\Desktop App Installer\Enable App Installer Microsoft Store Source Certificate Validation Bypass + + Note: This Group Policy path may not exist by default. It is provided by the Group Policy + template DesktopAppInstaller.admx/adml that is included with the Microsoft + Windows 11 Release 22H2 Administrative Templates v1.0 (or newer). + scored: true + - id: 18.10.19 + description: Desktop Gadgets + type: "skip" + - id: 18.10.20 + description: Desktop Window Manager + type: "skip" + - id: 18.10.21 + description: Device and Driver Compatibility + type: "skip" + - id: 18.10.22 + description: Device Registration (formerly Workplace Join) + type: "skip" + - id: 18.10.23 + description: Digital Locker + type: "skip" + - id: 18.10.24 + description: Edge UI + type: "skip" + - id: 18.10.25 + description: Event Forwarding + type: "skip" + - id: 18.10.26 + description: Event Log Service + type: "skip" + checks: + - id: 18.10.26.1 + description: Application + type: "skip" + checks: + - id: 18.10.26.1.1 + description: "Ensure 'Application: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' (Automated)" + audittype: powershell + audit: + cmd: + Server: Get-ItemPropertyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application' Retention + tests: + test_items: + - flag: "" + compare: + op: eq + value: "0" + set: true + remediation: > + To 
establish the recommended configuration via GP, set the following UI path to 'Disabled': + Computer Configuration\Policies\Administrative Templates\Windows Components\Event Log Service\Application\Control Event Log behavior when the log file reaches its maximum size + + Note: This Group Policy path is provided by the Group Policy template + EventLog.admx/adml that is included with all versions of the Microsoft Windows + Administrative Templates. + + Note #2: In older Microsoft Windows Administrative Templates, this setting was initially + named Retain old events, but it was renamed starting with the Windows 8.0 and Server + 2012 (non-R2) Administrative Templates. + scored: true + - id: 18.10.26.1.2 + description: "Ensure 'Application: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater' (Automated)" + audittype: powershell + audit: + cmd: + Server: Get-ItemPropertyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application' MaxSize + tests: + test_items: + - flag: "" + compare: + op: gte + value: "32768" + set: true + remediation: > + To establish the recommended configuration via GP, set the following UI path to 'Enabled: 32,768 or greater': + Computer Configuration\Policies\Administrative Templates\Windows Components\Event Log Service\Application\Specify the maximum log file size (KB) + + Note: This Group Policy path is provided by the Group Policy template + EventLog.admx/adml that is included with all versions of the Microsoft Windows + Administrative Templates. + + Note #2: In older Microsoft Windows Administrative Templates, this setting was initially + named Maximum Log Size (KB), but it was renamed starting with the Windows 8.0 and + Server 2012 (non-R2) Administrative Templates. 
+ scored: true + - id: 18.10.26.2 + description: Security + type: "skip" + checks: + - id: 18.10.26.2.1 + description: "Ensure 'Security: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' (Automated)" + audittype: powershell + audit: + cmd: + Server: Get-ItemPropertyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security' Retention + tests: + test_items: + - flag: "" + compare: + op: eq + value: "0" + set: true + remediation: > + To establish the recommended configuration via GP, set the following UI path to 'Disabled': + Computer Configuration\Policies\Administrative Templates\Windows Components\Event Log Service\Security\Control Event Log behavior when the log file reaches its maximum size + + Note: This Group Policy path is provided by the Group Policy template + EventLog.admx/adml that is included with all versions of the Microsoft Windows + Administrative Templates. + + Note #2: In older Microsoft Windows Administrative Templates, this setting was initially + named Retain old events, but it was renamed starting with the Windows 8.0 and Server + 2012 (non-R2) Administrative Templates. 
+ scored: true + - id: 18.10.26.2.2 + description: "Ensure 'Security: Specify the maximum log file size (KB)' is set to 'Enabled: 196,608 or greater' (Automated)" + audittype: powershell + audit: + cmd: + Server: Get-ItemPropertyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security' MaxSize + tests: + test_items: + - flag: "" + compare: + op: gte + value: "196608" + set: true + remediation: > + To establish the recommended configuration via GP, set the following UI path to 'Enabled: 196,608 or greater': + Computer Configuration\Policies\Administrative Templates\Windows Components\Event Log Service\Security\Specify the maximum log file size (KB) + + Note: This Group Policy path is provided by the Group Policy template + EventLog.admx/adml that is included with all versions of the Microsoft Windows + Administrative Templates. + + Note #2: In older Microsoft Windows Administrative Templates, this setting was initially + named Maximum Log Size (KB), but it was renamed starting with the Windows 8.0 and + Server 2012 (non-R2) Administrative Templates. + scored: true + - id: 18.10.26.3 + description: Setup + type: "skip" + checks: + - id: 18.10.26.3.1 + description: "Ensure 'Setup: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' (Automated)" + audittype: powershell + audit: + cmd: + Server: Get-ItemPropertyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup' Retention + tests: + test_items: + - flag: "" + compare: + op: eq + value: "0" + set: true + remediation: > + To establish the recommended configuration via GP, set the following UI path to 'Disabled': + Computer Configuration\Policies\Administrative Templates\Windows Components\Event Log Service\Setup\Control Event Log behavior when the log file reaches its maximum size + + Note: This Group Policy path is provided by the Group Policy template + EventLog.admx/adml that is included with all versions of the Microsoft Windows + Administrative Templates. 
+ + Note #2: In older Microsoft Windows Administrative Templates, this setting was initially + named Retain old events, but it was renamed starting with the Windows 8.0 and Server + 2012 (non-R2) Administrative Templates. + scored: true + - id: 18.10.26.3.2 + description: "Ensure 'Setup: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater' (Automated)" + audittype: powershell + audit: + cmd: + Server: Get-ItemPropertyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup' MaxSize + tests: + test_items: + - flag: "" + compare: + op: gte + value: "32768" + set: true + remediation: > + To establish the recommended configuration via GP, set the following UI path to 'Enabled: 32,768 or greater': + Computer Configuration\Policies\Administrative Templates\Windows Components\Event Log Service\Setup\Specify the maximum log file size (KB) + + Note: This Group Policy path is provided by the Group Policy template + EventLog.admx/adml that is included with all versions of the Microsoft Windows + Administrative Templates. + + Note #2: In older Microsoft Windows Administrative Templates, this setting was initially + named Maximum Log Size (KB), but it was renamed starting with the Windows 8.0 and + Server 2012 (non-R2) Administrative Templates. 
+ scored: true + - id: 18.10.26.4 + description: System + type: "skip" + checks: + - id: 18.10.26.4.1 + description: "Ensure 'System: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' (Automated)" + audittype: powershell + audit: + cmd: + Server: Get-ItemPropertyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\System' Retention + tests: + test_items: + - flag: "" + compare: + op: eq + value: "0" + set: true + remediation: > + To establish the recommended configuration via GP, set the following UI path to 'Disabled': + Computer Configuration\Policies\Administrative Templates\Windows Components\Event Log Service\System\Control Event Log behavior when the log file reaches its maximum size + + Note: This Group Policy path is provided by the Group Policy template + EventLog.admx/adml that is included with all versions of the Microsoft Windows + Administrative Templates. + + Note #2: In older Microsoft Windows Administrative Templates, this setting was initially + named Retain old events, but it was renamed starting with the Windows 8.0 and Server + 2012 (non-R2) Administrative Templates. + scored: true + - id: 18.10.26.4.2 + description: "Ensure 'System: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater' (Automated)" + audittype: powershell + audit: + cmd: + Server: Get-ItemPropertyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\System' MaxSize + tests: + test_items: + - flag: "" + compare: + op: gte + value: "32768" + set: true + remediation: > + To establish the recommended configuration via GP, set the following UI path to 'Enabled: 32,768 or greater': + Computer Configuration\Policies\Administrative Templates\Windows Components\Event Log Service\System\Specify the maximum log file size (KB) + + Note: This Group Policy path is provided by the Group Policy template + EventLog.admx/adml that is included with all versions of the Microsoft Windows + Administrative Templates. 
+ + Note #2: In older Microsoft Windows Administrative Templates, this setting was initially + named Maximum Log Size (KB), but it was renamed starting with the Windows 8.0 and + Server 2012 (non-R2) Administrative Templates. + scored: true + - id: 18.10.27 + description: Event Logging + type: "skip" + - id: 18.10.28 + description: Event Viewer + type: "skip" + - id: 18.10.29 + description: File Explorer(formerly Windows Explorer) + type: "skip" + checks: + - id: 18.10.29.1 + description: Previous Versions + type: "skip" + - id: 18.10.29.2 + description: "Ensure 'Do not apply the Mark of the Web tag to files copied from insecure sources' is set to 'Disabled' (Automated)" + audittype: powershell + audit: + cmd: + Server: Get-ItemPropertyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer' DisableMotWOnInsecurePathCopy + tests: + test_items: + - flag: "" + compare: + op: eq + value: "0" + set: true + remediation: > + To establish the recommended configuration via GP, set the following UI path to 'Disabled': + Computer Configuration\Policies\Administrative Templates\Windows Components\File Explorer\Do not apply the Mark of the Web tag to files copied from insecure sources + + Note: This Group Policy path may not exist by default. It is provided by the Group Policy + template Explorer.admx/adml that is included with the Microsoft Windows 11 Release 24H2 Administrative Templates (or newer). 
+ scored: true + - id: 18.10.29.3 + description: "Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled' (Automated)" + audittype: powershell + audit: + cmd: + Server: Get-ItemPropertyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer' NoDataExecutionPrevention + tests: + test_items: + - flag: "" + compare: + op: eq + value: "0" + set: true + remediation: > + To establish the recommended configuration via GP, set the following UI path to 'Disabled': + Computer Configuration\Policies\Administrative Templates\Windows Components\File Explorer\Turn off Data Execution Prevention for Explorer + + Note: This Group Policy path may not exist by default. It is provided by the Group Policy + template Explorer.admx/adml that is included with the Microsoft Windows 7 and Server + 2008 R2 Administrative Templates (or newer). + scored: true + - id: 18.10.29.4 + description: "Ensure 'Turn off heap termination on corruption' is set to 'Disabled' (Automated)" + audittype: powershell + audit: + cmd: + Server: Get-ItemPropertyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer' NoHeapTerminationOnCorruption + tests: + test_items: + - flag: "" + compare: + op: eq + value: "0" + set: true + remediation: > + To establish the recommended configuration via GP, set the following UI path to 'Disabled': + Computer Configuration\Policies\Administrative Templates\Windows Components\File Explorer\Turn off heap termination on corruption + + Note: This Group Policy path is provided by the Group Policy template + Explorer.admx/adml that is included with all versions of the Microsoft Windows + Administrative Templates. 
+ scored: true
+ - id: 18.10.29.5
+ description: "Ensure 'Turn off shell protocol protected mode' is set to 'Disabled' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: Get-ItemPropertyValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' PreXPSP2ShellProtocolBehavior
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "0"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to 'Disabled':
+ Computer Configuration\Policies\Administrative Templates\Windows Components\File Explorer\Turn off shell protocol protected mode
+
+ Note: This Group Policy path is provided by the Group Policy template
+ WindowsExplorer.admx/adml that is included with all versions of the Microsoft
+ Windows Administrative Templates.
+ scored: true
+ - id: 18.10.30
+ description: File History
+ type: "skip"
+ - id: 18.10.31
+ description: Find My Device
+ type: "skip"
+ - id: 18.10.32
+ description: Handwriting
+ type: "skip"
+ - id: 18.10.33
+ description: HomeGroup
+ type: "skip"
+ - id: 18.10.34
+ description: Human Presence
+ type: "skip"
+ - id: 18.10.35
+ description: Internet Explorer
+ type: "skip"
+ - id: 18.10.36
+ description: Internet Information Services
+ type: "skip"
+ - id: 18.10.37
+ description: Location and Sensors
+ type: "skip"
+ checks:
+ - id: 18.10.37.1
+ description: "Ensure 'Turn off location' is set to 'Enabled' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: Get-ItemPropertyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors' DisableLocation
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "1"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to 'Enabled':
+ Computer Configuration\Policies\Administrative Templates\Windows Components\Location and Sensors\Turn off location
+
+ Note: This Group Policy path may not exist by default.
It is provided by the Group Policy
+ template Sensors.admx/adml that is included with the Microsoft Windows 7 and Server
+ 2008 R2 Administrative Templates (or newer).
+ scored: true
+ - id: 18.10.38
+ description: Maintenance Scheduler
+ type: "skip"
+ - id: 18.10.39
+ description: Maps
+ type: "skip"
+ - id: 18.10.40
+ description: MDM
+ type: "skip"
+ - id: 18.10.41
+ description: Messaging
+ type: "skip"
+ checks:
+ - id: 18.10.41.1
+ description: "Ensure 'Allow Message Service Cloud Sync' is set to 'Disabled' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: Get-ItemPropertyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Messaging' AllowMessageSync
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "0"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to 'Disabled':
+ Computer Configuration\Policies\Administrative Templates\Windows Components\Messaging\Allow Message Service Cloud Sync
+
+ Note: This Group Policy path may not exist by default. It is provided by the Group Policy
+ template Messaging.admx/adml that is included with the Microsoft Windows 10
+ Release 1709 Administrative Templates (or newer).
+ scored: true
+ - id: 18.10.42
+ description: Microsoft account
+ type: "skip"
+ checks:
+ - id: 18.10.42.1
+ description: "Ensure 'Block all consumer Microsoft account user authentication' is set to 'Enabled' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: Get-ItemPropertyValue 'HKLM:\SOFTWARE\Policies\Microsoft\MicrosoftAccount' DisableUserAuth
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "1"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to 'Enabled':
+ Computer Configuration\Policies\Administrative Templates\Windows Components\Microsoft accounts\Block all consumer Microsoft account user authentication
+
+ Note: This Group Policy path may not exist by default.
It is provided by the Group Policy
+ template MSAPolicy.admx/adml that is included with the Microsoft Windows 10
+ Release 1703 Administrative Templates (or newer).
+ scored: true
+ - id: 18.10.43
+ description: Microsoft Defender Antivirus (formerly Windows Defender and Windows Defender Antivirus)
+ type: "skip"
+ checks:
+ - id: 18.10.43.1
+ description: Client Interface
+ type: "skip"
+ - id: 18.10.43.2
+ description: Device Control
+ type: "skip"
+ - id: 18.10.43.3
+ description: Exclusions
+ type: "skip"
+ - id: 18.10.43.4
+ description: Features
+ type: "skip"
+ checks:
+ - id: 18.10.43.4.1
+ description: "Ensure 'Enable EDR in block mode' is set to 'Enabled' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: Get-ItemPropertyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Features' PassiveRemediation
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "1"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to 'Disabled':
+ Computer Configuration\Policies\Administrative Templates\Windows Components\Microsoft Defender Antivirus\Features\Enable EDR in block mode
+
+ Note: This Group Policy path may not exist by default. It is provided by the Group Policy
+ template WindowsDefender.admx/adml that is included with the Microsoft Windows 11 Release 24H2
+ Administrative Templates (or newer).
+ scored: true
+ - id: 18.10.43.5
+ description: MAPS
+ type: "skip"
+ checks:
+ - id: 18.10.43.5.1
+ description: "Ensure 'Configure local setting override for reporting to Microsoft MAPS' is set to 'Disabled' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: Get-ItemPropertyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet' LocalSettingOverrideSpynetReporting
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "0"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to 'Disabled':
+ Computer Configuration\Policies\Administrative Templates\Windows Components\Microsoft Defender Antivirus\MAPS\Configure local setting override for reporting to Microsoft MAPS
+
+ Note: This Group Policy path may not exist by default. It is provided by the Group Policy
+ template WindowsDefender.admx/adml that is included with the Microsoft Windows 8.1
+ and Server 2012 R2 Administrative Templates (or newer).
+ scored: true
+ - id: 18.10.43.5.2
+ description: "Ensure 'Join Microsoft MAPS' is set to 'Disabled' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: Get-ItemPropertyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet' SpynetReporting
+ tests:
+ bin_op: or
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "0"
+ set: true
+ - flag: ""
+ compare:
+ op: eq
+ value: ""
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to 'Disabled':
+ Computer Configuration\Policies\Administrative Templates\Windows Components\Microsoft Defender Antivirus\MAPS\Join Microsoft MAPS
+
+ Note: This Group Policy path may not exist by default. It is provided by the Group Policy
+ template WindowsDefender.admx/adml that is included with the Microsoft Windows 8.1
+ and Server 2012 R2 Administrative Templates (or newer).
+ scored: true
+ - id: 18.10.43.6
+ description: Microsoft Defender Exploit Guard (formerly Windows Defender Exploit Guard)
+ type: "skip"
+ checks:
+ - id: 18.10.43.6.1
+ description: Attack Surface Reduction
+ type: "skip"
+ checks:
+ - id: 18.10.43.6.1.1
+ description: "Ensure 'Configure Attack Surface Reduction rules' is set to 'Enabled' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: Get-ItemPropertyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender ExploitGuard\ASR' ExploitGuard_ASR_Rules
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "1"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to 'Enabled':
+ Computer Configuration\Policies\Administrative Templates\Windows Components\Microsoft Defender Antivirus\Microsoft Defender Exploit Guard\Attack Surface Reduction\Configure Attack Surface Reduction rules
+
+ Note: This Group Policy path may not exist by default. It is provided by the Group Policy
+ template WindowsDefender.admx/adml that is included with the Microsoft Windows 10
+ Release 1709 Administrative Templates (or newer).
+ scored: true
+ - id: 18.10.43.6.1.2
+ description: "Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: >
+ Get-ItemPropertyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules' 26190899-1602-49e8-8b27-eb1d0a1ce869;
+ Get-ItemPropertyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules' 3b576869-a4ec-4529-8536-b80a7769e899;
+ Get-ItemPropertyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules' 56a863a9-875e-4185-98a7-b882c64b5ce5;
+ Get-ItemPropertyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules' 5beb7efe-fd9a-4556-801d-275e5ffc04cc;
+ Get-ItemPropertyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules' 75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84;
+ Get-ItemPropertyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules' 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c;
+ Get-ItemPropertyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules' 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2;
+ Get-ItemPropertyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules' b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4;
+ Get-ItemPropertyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules' be9ba2d9-53ea-4cdc-84e5-9b1eeee46550;
+ Get-ItemPropertyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules' d3e037e1-3eb8-44c8-a917-57927947596d;
+ Get-ItemPropertyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules' d4f940ab-401b-4efc-aadc-ad5f3c50688a;
+ Get-ItemPropertyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows 
Defender\Windows Defender Exploit Guard\ASR\Rules' e6db77e5-3df2-4cf1-b95a-636979351e5b
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "1\r\n1\r\n1\r\n1\r\n1\r\n1\r\n1\r\n1\r\n1\r\n1\r\n1\r\n1"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path so that
+ '26190899-1602-49e8-8b27-eb1d0a1ce869', '3b576869-a4ec-4529-8536-
+ b80a7769e899', '56a863a9-875e-4185-98a7-b882c64b5ce5', '5beb7efe-fd9a-4556-
+ 801d-275e5ffc04cc', '75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84', '7674ba52-37eb-
+ 4a4f-a9a1-f0f9a1619a2c', '9e6c4e1f-
+ 7d60-472f-ba1a-a39ef669e4b2', 'b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4',
+ 'be9ba2d9-53ea-4cdc-84e5-9b1eeee46550', 'd3e037e1-3eb8-44c8-a917-
+ 57927947596d', 'd4f940ab-401b-4efc-aadc-ad5f3c50688a', and 'e6db77e5-3df2-
+ 4cf1-b95a-636979351e5b' are each set to a value of 1: Computer Configuration\Policies\Administrative Templates\Windows Components\Microsoft Defender Antivirus\Microsoft Defender Exploit Guard\Attack Surface Reduction\Configure Attack Surface Reduction rules: Set the state for each ASR rule
+ Note: This Group Policy path may not exist by default. It is provided by the Group Policy
+ template WindowsDefender.admx/adml that is included with the Microsoft Windows 10
+ Release 1709 Administrative Templates (or newer).
+ scored: true
+ - id: 18.10.43.6.2
+ description: Controlled Folder Access
+ type: "skip"
+ - id: 18.10.43.6.3
+ description: Network Protection
+ type: "skip"
+ checks:
+ - id: 18.10.43.6.3.1
+ description: "Ensure 'Prevent users and apps from accessing dangerous websites' is set to 'Enabled: Block' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: Get-ItemPropertyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection' EnableNetworkProtection
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "1"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to 'Enabled: Block':
+ Computer Configuration\Policies\Administrative Templates\Windows Components\Microsoft Defender Antivirus\Microsoft Defender Exploit Guard\Network Protection\Prevent users and apps from accessing dangerous websites
+ Note: This Group Policy path may not exist by default. It is provided by the Group Policy
+ template WindowsDefender.admx/adml that is included with the Microsoft Windows 10
+ Release 1709 Administrative Templates (or newer).
+ scored: true
+ - id: 18.10.43.7
+ description: MpEngine
+ type: "skip"
+ checks:
+ - id: 18.10.43.7.1
+ description: "Ensure 'Enable file hash computation feature' is set to 'Enabled' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: Get-ItemPropertyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine' EnableFileHashComputation
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "1"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to 'Enabled':
+ Computer Configuration\Policies\Administrative Templates\Windows Components\Microsoft Defender Antivirus\MpEngine\Enable file hash computation feature
+
+ Note: This Group Policy path may not exist by default.
It is provided by the Group Policy
+ template WindowsDefender.admx/adml that is included with the Microsoft Windows 10
+ Release 2004 Administrative Templates (or newer).
+ scored: true
+ - id: 18.10.43.8
+ description: Network Inspection System
+ type: "skip"
+ checks:
+ - id: 18.10.43.8.1
+ description: "Ensure 'Convert warn verdict to block' is set to 'Enabled' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: Get-ItemPropertyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\NTS' EnableConvertWarnToBlock
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "1"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to 'Enabled':
+ Computer Configuration\Policies\Administrative Templates\Windows Components\Microsoft Defender Antivirus\Network Inspection System\Convert warn verdict to block
+
+ Note: This Group Policy path may not exist by default. It is provided by the Group Policy
+ template WindowsDefender.admx/adml that is included with the Microsoft Windows 11
+ Release 24H2 Administrative Templates (or newer).
+ scored: true
+ - id: 18.10.43.9
+ description: Quarantine
+ type: "skip"
+ - id: 18.10.43.10
+ description: Real-Time Protection
+ type: "skip"
+ checks:
+ - id: 18.10.43.10.1
+ description: "Ensure 'Configure real-time protection and Security Intelligence Updates during OOBE' is set to 'Enabled' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: Get-ItemPropertyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection' OobeEnableRtpAndSigUpdate
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "1"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to 'Enabled':
+ Computer Configuration\Policies\Administrative Templates\Windows Components\Microsoft Defender Antivirus\Real-Time Protection\Configure real-time protection and Security Intelligence Updates during OOBE
+
+ Note: This Group Policy path may not exist by default. It is provided by the Group Policy
+ template WindowsDefender.admx/adml that is included with the Microsoft Windows 11 Release 24H2 Administrative Templates (or newer).
+ scored: true
+ - id: 18.10.43.10.2
+ description: "Ensure 'Scan all downloaded files and attachments' is set to 'Enabled' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: Get-ItemPropertyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection' DisableIOAVProtection
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "0"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to 'Enabled':
+ Computer Configuration\Policies\Administrative Templates\Windows Components\Microsoft Defender Antivirus\Real-Time Protection\Scan all downloaded files and attachments
+
+ Note: This Group Policy path may not exist by default.
It is provided by the Group Policy
+ template WindowsDefender.admx/adml that is included with the Microsoft Windows 8.1
+ and Server 2012 R2 Administrative Templates (or newer).
+ scored: true
+ - id: 18.10.43.10.3
+ description: "Ensure 'Turn off real-time protection' is set to 'Disabled' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: Get-ItemPropertyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection' DisableRealtimeMonitoring
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "0"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to 'Disabled':
+ Computer Configuration\Policies\Administrative Templates\Windows Components\Microsoft Defender Antivirus\Real-Time Protection\Turn off real- time protection
+
+ Note: This Group Policy path may not exist by default. It is provided by the Group Policy
+ template WindowsDefender.admx/adml that is included with the Microsoft Windows 8.1
+ and Server 2012 R2 Administrative Templates (or newer).
+ scored: true
+ - id: 18.10.43.10.4
+ description: "Ensure 'Turn on behavior monitoring' is set to 'Enabled' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: Get-ItemPropertyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection' DisableBehaviorMonitoring
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "0"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to 'Enabled':
+ Computer Configuration\Policies\Administrative Templates\Windows Components\Microsoft Defender Antivirus\Real-Time Protection\Turn on behavior monitoring
+ Note: This Group Policy path may not exist by default. It is provided by the Group Policy
+ template WindowsDefender.admx/adml that is included with the Microsoft Windows 8.1
+ and Server 2012 R2 Administrative Templates (or newer).
+ scored: true
+ - id: 18.10.43.10.5
+ description: "Ensure 'Turn on script scanning' is set to 'Enabled' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: Get-ItemPropertyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection' DisableScriptScanning
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "0"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to 'Enabled':
+ Computer Configuration\Policies\Administrative Templates\Windows Components\Microsoft Defender Antivirus\Real-Time Protection\Turn on script scanning
+
+ Note: This Group Policy path may not exist by default. It is provided by the Group Policy
+ template WindowsDefender.admx/adml that is included with the Microsoft Windows 11
+ Release 21H2 Administrative Templates (or newer).
+ scored: true
+ - id: 18.10.43.11
+ description: Remediation
+ type: "skip"
+ checks:
+ - id: 18.10.43.11.1
+ description: Behavioral Network Blocks
+ type: "skip"
+ checks:
+ - id: 18.10.43.11.1.1
+ description: Brute-Force Protection
+ type: "skip"
+ checks:
+ - id: 18.10.43.11.1.1.1
+ description: "Ensure 'Configure Brute-Force Protection aggressiveness' is set to 'Enabled: Medium' or higher (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: Get-ItemPropertyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Remediation\Behavioral Network Blocks\Brute Force Protection' BruteForceProtectionAggressiveness
+ tests:
+ bin_op: or
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "1"
+ set: true
+ - flag: ""
+ compare:
+ op: eq
+ value: "2"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to
+ Enabled: Medium or higher:
+ Computer Configuration\Policies\Administrative Templates\Windows Components\Microsoft Defender Antivirus\Remediation\Behavioral Network Blocks\Brute-Force Protection\Configure Brute-Force Protection aggressiveness
+ Note: 
This Group Policy path is provided by the Group Policy template
+ WindowsDefender.admx/adml that is included with the Microsoft Windows 11 Release
+ 24H2 Administrative Templates (or newer).
+ scored: true
+ - id: 18.10.43.11.1.1.2
+ description: "Ensure 'Configure Remote Encryption Protection Mode' is set to 'Enabled: Audit' or higher (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: Get-ItemPropertyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Remediation\Behavioral Network Blocks\Brute Force Protection' BruteForceProtectionConfiguredState
+ tests:
+ bin_op: or
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "1"
+ set: true
+ - flag: ""
+ compare:
+ op: eq
+ value: "2"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to
+ Enabled: Audit or higher:
+ Computer Configuration\Policies\Administrative Templates\Windows Components\Microsoft Defender Antivirus\Remediation\Behavioral Network Blocks\Brute-Force Protection\Configure Remote Encryption Protection Mode
+ Note: This Group Policy path is provided by the Group Policy template
+ WindowsDefender.admx/adml that is included with the Microsoft Windows 11 Release
+ 24H2 Administrative Templates (or newer).
+ scored: true
+ - id: 18.10.43.11.1.2
+ description: Remote Encryption Protection
+ type: "skip"
+ checks:
+ - id: 18.10.43.11.1.2.1
+ description: "Ensure 'Configure how aggressively Remote Encryption Protection blocks threats' is set to 'Enabled: Medium' or higher (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: Get-ItemPropertyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Remediation\Behavioral Network Blocks\Remote Encryption Protection' RemoteEncryptionProtectionAggressiveness
+ tests:
+ bin_op: or
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "1"
+ set: true
+ - flag: ""
+ compare:
+ op: eq
+ value: "2"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to
+ Enabled: Audit or higher:
+ Computer Configuration\Policies\Administrative Templates\Windows Components\Microsoft Defender Antivirus\Remediation\Behavioral Network Blocks\Remote Encryption Protection\Configure how aggressively Remote Encryption Protection blocks threats
+ Note: This Group Policy path is provided by the Group Policy template
+ WindowsDefender.admx/adml that is included with the Microsoft Windows 11 Release
+ 24H2 Administrative Templates (or newer).
+ scored: true
+ - id: 18.10.43.12
+ description: Reporting
+ type: "skip"
+ checks:
+ - id: 18.10.43.12.1
+ description: "Ensure 'Configure Watson events' is set to 'Disabled' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: Get-ItemPropertyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting' DisableGenericRePorts
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "1"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to 'Disabled':
+ Computer Configuration\Policies\Administrative Templates\Windows Components\Microsoft Defender Antivirus\Reporting\Configure Watson events
+ Note: This Group Policy path may not exist by default.
It is provided by the Group Policy
+ template WindowsDefender.admx/adml that is included with the Microsoft Windows 8.1
+ and Server 2012 R2 Administrative Templates (or newer).
+ scored: true
+ - id: 18.10.43.13
+ description: Scan
+ type: "skip"
+ checks:
+ - id: 18.10.43.13.1
+ description: "Ensure 'Scan excluded files and directories during quick scans' is set to 'Enabled: 1' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: Get-ItemPropertyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Scan' QuickScanIncludeExclusions
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "1"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to 'Enabled: 1':
+ Computer Configuration\Policies\Administrative Templates\Windows Components\Microsoft Defender Antivirus\Scan\Scan excluded files and directories during quick scans
+
+ Note: This Group Policy path is provided by the Group Policy template
+ WindowsDefender.admx/adml that is included with the Microsoft Windows 11 Release 24H2 Administrative Templates (or newer).
+ scored: true
+ - id: 18.10.43.13.2
+ description: "Ensure 'Scan packed executables' is set to 'Enabled' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: Get-ItemPropertyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Scan' DisablePackedExeScanning
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "0"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to 'Enabled':
+ Computer Configuration\Policies\Administrative Templates\Windows Components\Microsoft Defender Antivirus\Scan\Scan packed executables
+
+ Note: This Group Policy path is provided by the Group Policy template
+ WindowsDefender.admx/adml that is included with the Microsoft Windows 8.1 and
+ Server 2012 R2 Administrative Templates (or newer).
+ scored: true
+ - id: 18.10.43.13.3
+ description: "Ensure 'Scan removable drives' is set to 'Enabled' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: Get-ItemPropertyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Scan' DisableRemovableDriveScanning
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "0"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to 'Enabled':
+ Computer Configuration\Policies\Administrative Templates\Windows Components\Microsoft Defender Antivirus\Scan\Scan removable drives
+
+ Note: This Group Policy path may not exist by default. It is provided by the Group Policy
+ template WindowsDefender.admx/adml that is included with the Microsoft Windows 8.1
+ and Server 2012 R2 Administrative Templates (or newer).
+ scored: true
+ - id: 18.10.43.13.4
+ description: "Ensure 'Trigger a quick scan after X days without any scans' is set to 'Enabled: 7' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: Get-ItemPropertyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Scan' DaysUntilAggressiveCatchupQuickScan
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "7"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to Enabled: 7 days::
+ Computer Configuration\Policies\Administrative Templates\Windows Components\Microsoft Defender Antivirus\Scan\Trigger a quick scan after X days without any scans
+
+ Note: This Group Policy path may not exist by default. It is provided by the Group Policy
+ template WindowsDefender.admx/adml that is included with the Microsoft Windows 8.1
+ and Server 2012 R2 Administrative Templates (or newer).
+ scored: true
+ - id: 18.10.43.13.5
+ description: "Ensure 'Turn on e-mail scanning' is set to 'Enabled' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: Get-ItemPropertyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Scan' DisableEmailScanning
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "0"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to 'Enabled':
+ Computer Configuration\Policies\Administrative Templates\Windows Components\Microsoft Defender Antivirus\Scan\Turn on e-mail scanning
+
+ Note: This Group Policy path may not exist by default. It is provided by the Group Policy
+ template WindowsDefender.admx/adml that is included with the Microsoft Windows 8.1
+ and Server 2012 R2 Administrative Templates (or newer).
+ scored: true
+ - id: 18.10.43.14
+ description: Security Intelligence Updates (formerly Signature Updates)
+ type: "skip"
+ - id: 18.10.43.15
+ description: Threats
+ type: "skip"
+ - id: 18.10.43.16
+ description: "Ensure 'Configure detection for potentially unwanted applications' is set to 'Enabled: Block' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: Get-ItemPropertyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' PUAProtection
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "1"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to 'Enabled: Block':
+ Computer Configuration\Policies\Administrative Templates\Windows Components\Microsoft Defender Antivirus\Configure detection for potentially unwanted applications
+
+ Note: This Group Policy path is provided by the Group Policy template
+ WindowsDefender.admx/adml that is included with the Microsoft Windows 10 Release
+ 1809 and Server 2019 Administrative Templates (or newer).
+ scored: true
+ - id: 18.10.43.17
+ description: "Ensure 'Control whether exclusions are visible to local users' is set to 'Enabled' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: Get-ItemPropertyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' HideExclusionsFromLocalUsers
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "1"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to 'Enabled':
+ Computer Configuration\Policies\Administrative Templates\Windows Components\Microsoft Defender Antivirus\Control whether exclusions are visible to local users
+
+ Note: This Group Policy path is provided by the Group Policy template
+ WindowsDefender.admx/adml that is included with the Microsoft Windows 11 Release 24H2 Administrative Templates (or newer).
+ scored: true
+ - id: 18.10.44
+ description: Microsoft Defender Application Guard (formerly Windows Defender Application Guard)
+ type: "skip"
+ - id: 18.10.45
+ description: Microsoft Defender Exploit Guard (formerly Windows Defender Exploit Guard)
+ type: "skip"
+ - id: 18.10.46
+ description: Microsoft Edge
+ type: "skip"
+ - id: 18.10.47
+ description: Microsoft Secondary Authentication Factor
+ type: "skip"
+ - id: 18.10.48
+ description: Microsoft User Experience Virtualization (UE-V)
+ type: "skip"
+ - id: 18.10.49
+ description: NetMeeting
+ type: "skip"
+ - id: 18.10.50
+ description: News and interests
+ type: "skip"
+ - id: 18.10.51
+ description: OneDrive (formerly SkyDrive)
+ type: "skip"
+ checks:
+ - id: 18.10.51.1
+ description: "Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: Get-ItemPropertyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\OneDrive' DisableFileSyncNGSC
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "1"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set 
the following UI path to 'Enabled':
+ Computer Configuration\Policies\Administrative Templates\Windows Components\OneDrive\Prevent the usage of OneDrive for file storage
+
+ Note: This Group Policy path may not exist by default. It is provided by the Group Policy
+ template SkyDrive.admx/adml that is included with the Microsoft Windows 8.1 and
+ Server 2012 R2 Administrative Templates (or newer). However, we strongly
+ recommend you only use the version included with the Microsoft Windows 10 Release
+ 1607 and Server 2016 Administrative Templates (or newer). Older versions of the
+ templates had conflicting settings in different template files for both OneDrive and
+ SkyDrive, until it was cleaned up properly in the above version.
+
+ Note #2: In older Microsoft Windows Administrative Templates, this setting was named
+ Prevent the usage of SkyDrive for file storage, but it was renamed starting with the
+ Windows 10 RTM (Release 1507) Administrative Templates.
+ scored: true
+ - id: 18.10.52
+ description: Online Assistance
+ type: "skip"
+ - id: 18.10.53
+ description: OOBE
+ type: "skip"
+ - id: 18.10.54
+ description: Portable Operating System (POS)
+ type: "skip"
+ - id: 18.10.55
+ description: Presentation Settings
+ type: "skip"
+ - id: 18.10.56
+ description: Push To Install
+ type: "skip"
+ - id: 18.10.55.1
+ description: "Ensure 'Turn off Push To Install service' is set to 'Enabled' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: Get-ItemPropertyValue 'HKLM:\SOFTWARE\Policies\Microsoft\PushToInstall' DisablePushToInstall
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "1"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to 'Enabled':
+ Computer Configuration\Policies\Administrative Templates\Windows Components\Push to Install\Turn off Push To Install service
+
+ Note: This Group Policy path may not exist by default.
It is provided by the Group Policy
+ template PushToInstall.admx/adml that is included with the Microsoft Windows 10
+ Release 1709 Administrative Templates (or newer).
+ scored: true
+ - id: 18.10.57
+ description: Remote Desktop Services (formerly Terminal Services)
+ type: "skip"
+ checks:
+ - id: 18.10.57.1
+ description: RD Licensing (formerly TS Licensing)
+ type: "skip"
+ - id: 18.10.57.2
+ description: Remote Desktop Connection Client
+ type: "skip"
+ checks:
+ - id: 18.10.57.2.1
+ description: RemoteFX USB Device Redirection
+ type: "skip"
+ - id: 18.10.57.2.2
+ description: "Ensure 'Do not allow passwords to be saved' is set to 'Enabled' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: Get-ItemPropertyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' DisablePasswordSaving
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "1"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to 'Enabled':
+ Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Connection Client\Do not allow passwords to be saved
+
+ Note: This Group Policy path is provided by the Group Policy template
+ TerminalServer.admx/adml that is included with all versions of the Microsoft Windows
+ Administrative Templates. 
+ scored: true
+ - id: 18.10.57.3
+ description: Remote Desktop Session Host (formerly Terminal Server)
+ type: "skip"
+ checks:
+ - id: 18.10.57.3.1
+ description: Application Compatibility
+ type: "skip"
+ - id: 18.10.57.3.2
+ description: Connections
+ type: "skip"
+ checks:
+ - id: 18.10.57.3.2.1
+ description: "Ensure 'Restrict Remote Desktop Services users to a single Remote Desktop Services session' is set to 'Enabled' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: Get-ItemPropertyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' fSingleSessionPerUser
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "1"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to 'Enabled':
+ Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections\Restrict Remote Desktop Services users to a single Remote Desktop Services session
+
+ Note: This Group Policy path is provided by the Group Policy template
+ TerminalServer.admx/adml that is included with all versions of the Microsoft Windows
+ Administrative Templates.
+
+ Note #2: In older Microsoft Windows Administrative Templates, this setting was named
+ Restrict Terminal Services users to a single remote session, but it was renamed starting
+ with the Windows 7 and Server 2008 R2 Administrative Templates. 
+ scored: true
+ - id: 18.10.57.3.3
+ description: Device and Resource Redirection
+ type: "skip"
+ - id: 18.10.57.3.3.1
+ description: "Ensure 'Allow UI Automation redirection' is set to 'Disabled' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: Get-ItemPropertyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' EnableUiaRedirection
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "0"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to 'Enabled':
+ Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection\Allow UI Automation redirection
+
+ Note: This Group Policy path may not exist by default. It is provided by the Group Policy
+ template TerminalServer.admx/adml that is included with the Microsoft Windows 10
+ Release 21H2 Administrative Templates (or newer).
+ scored: true
+ - id: 18.10.57.3.3.2
+ description: "Ensure 'Do not allow COM port redirection' is set to 'Enabled' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: Get-ItemPropertyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' fDisableCcm
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "1"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to 'Enabled':
+ Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection\Do not allow COM port redirection
+
+ Note: This Group Policy path is provided by the Group Policy template
+ TerminalServer.admx/adml that is included with all versions of the Microsoft Windows
+ Administrative Templates. 
+ scored: true
+ - id: 18.10.57.3.3.3
+ description: "Ensure 'Do not allow drive redirection' is set to 'Enabled' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: Get-ItemPropertyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' fDisableCdm
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "1"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to 'Enabled':
+ Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection\Do not allow drive redirection
+
+ Note: This Group Policy path is provided by the Group Policy template
+ TerminalServer.admx/adml that is included with all versions of the Microsoft Windows
+ Administrative Templates.
+ scored: true
+ - id: 18.10.57.3.3.4
+ description: "Ensure 'Do not allow location redirection' is set to 'Enabled' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: Get-ItemPropertyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' fDisableLocationRedir
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "1"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to 'Enabled':
+ Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection\Do not allow location redirection
+
+ Note: This Group Policy path may not exist by default. It is provided by the Group Policy
+ template TerminalServer.admx/adml that is included with the Microsoft Windows 10
+ Release 21H2 Administrative Templates (or newer). 
+ scored: true
+ - id: 18.10.57.3.3.5
+ description: "Ensure 'Do not allow LPT port redirection' is set to 'Enabled' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: Get-ItemPropertyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' fDisableLPT
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "1"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to 'Enabled':
+ Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection\Do not allow LPT port redirection
+
+ Note: This Group Policy path is provided by the Group Policy template
+ TerminalServer.admx/adml that is included with all versions of the Microsoft Windows
+ Administrative Templates.
+ scored: true
+ - id: 18.10.57.3.3.6
+ description: "Ensure 'Do not allow supported Plug and Play device redirection' is set to 'Enabled' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: Get-ItemPropertyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' fDisablePNPRedir
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "1"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to 'Enabled':
+ Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection\Do not allow supported Plug and Play device redirection
+ Note: This Group Policy path is provided by the Group Policy template
+ TerminalServer.admx/adml that is included with all versions of the Microsoft Windows
+ Administrative Templates. 
+ scored: true
+ - id: 18.10.57.3.3.7
+ description: "Ensure 'Do not allow WebAuthn redirection' is set to 'Enabled' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: Get-ItemPropertyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' fDisableWebAuthn
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "1"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to 'Enabled':
+ Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection\Do not allow WebAuthn redirection
+ Note: This Group Policy path is provided by the Group Policy template
+ TerminalServer.admx/adml that is included with the Microsoft Windows 11 Release
+ 22H2 Administrative Templates v1.0 (or newer).
+ scored: true
+ - id: 18.10.57.3.4
+ description: Licensing
+ type: "skip"
+ - id: 18.10.57.3.5
+ description: Printer Redirection
+ type: "skip"
+ - id: 18.10.57.3.6
+ description: Profiles
+ type: "skip"
+ - id: 18.10.57.3.7
+ description: RD Connection Broker (formerly TS Connection Broker)
+ type: "skip"
+ - id: 18.10.57.3.8
+ description: Remote Session Environment
+ type: "skip"
+ - id: 18.10.57.3.9
+ description: Security
+ type: "skip"
+ checks:
+ - id: 18.10.57.3.9.1
+ description: "Ensure 'Always prompt for password upon connection' is set to 'Enabled' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: Get-ItemPropertyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' fPromptForPassword
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "1"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to 'Enabled':
+ Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security\Always prompt for password upon connection
+
+ Note: 
This Group Policy path is provided by the Group Policy template
+ TerminalServer.admx/adml that is included with all versions of the Microsoft Windows
+ Administrative Templates.
+ scored: true
+ - id: 18.10.57.3.9.2
+ description: "Ensure 'Require secure RPC communication' is set to 'Enabled' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: Get-ItemPropertyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' fEncryptRPCTraffic
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "1"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to 'Enabled':
+ Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security\Require secure RPC communication
+
+ Note: This Group Policy path is provided by the Group Policy template
+ TerminalServer.admx/adml that is included with all versions of the Microsoft Windows
+ Administrative Templates.
+ scored: true
+ - id: 18.10.57.3.9.3
+ description: "Ensure 'Require use of specific security layer for remote (RDP) connections' is set to 'Enabled: SSL' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: Get-ItemPropertyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' SecurityLayer
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "2"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to 'Enabled: SSL':
+ Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security\Require use of specific security layer for remote (RDP) connections
+
+ Note: This Group Policy path is provided by the Group Policy template
+ TerminalServer.admx/adml that is included with all versions of the Microsoft Windows
+ Administrative Templates. 
+ scored: true
+ - id: 18.10.57.3.9.4
+ description: "Ensure 'Require use of specific security layer for remote (RDP) connections' is set to 'Enabled: SSL' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: Get-ItemPropertyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' UserAuthentication
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "1"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to 'Enabled':
+ Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security\Require user authentication for remote connections by using Network Level Authentication
+ Note: This Group Policy path is provided by the Group Policy template
+ TerminalServer.admx/adml that is included with all versions of the Microsoft Windows
+ Administrative Templates.
+ scored: true
+ - id: 18.10.57.3.9.5
+ description: "Ensure 'Set client connection encryption level' is set to 'Enabled: High Level' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: Get-ItemPropertyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' MinEncryptionLevel
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "3"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to 'Enabled: High Level':
+ Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security\Set client connection encryption level
+
+ Note: This Group Policy path is provided by the Group Policy template
+ TerminalServer.admx/adml that is included with all versions of the Microsoft Windows
+ Administrative Templates. 
+ scored: true
+ - id: 18.10.57.3.10
+ description: Session Time Limits
+ type: "skip"
+ checks:
+ - id: 18.10.57.3.10.1
+ description: "Ensure 'Set time limit for active but idle Remote Desktop Services sessions' is set to 'Enabled: 15 minutes or less, but not Never (0)' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: Get-ItemPropertyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' MaxIdleTime
+ tests:
+ bin_op: and
+ test_items:
+ - flag: ""
+ compare:
+ op: lte
+ value: "900000"
+ set: true
+ - flag: ""
+ compare:
+ op: gt
+ value: "0"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to 'Enabled: 15 minutes or less, but not Never (0)':
+ Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits\Set time limit for active but idle Remote Desktop Services sessions
+
+ Note: This Group Policy path is provided by the Group Policy template
+ TerminalServer.admx/adml that is included with all versions of the Microsoft Windows
+ Administrative Templates.
+
+ Note #2: In older Microsoft Windows Administrative Templates, this setting was named
+ Set time limit for active but idle Terminal Services sessions, but it was renamed starting
+ with the Windows 7 and Server 2008 R2 Administrative Templates. 
+ scored: true
+ - id: 18.10.57.3.10.2
+ description: "Ensure 'Set time limit for disconnected sessions' is set to 'Enabled: 1 minute' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: Get-ItemPropertyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' MaxDisconnectionTime
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "60000"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to 'Enabled: 1 minute':
+ Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits\Set time limit for disconnected sessions
+
+ Note: This Group Policy path is provided by the Group Policy template
+ TerminalServer.admx/adml that is included with all versions of the Microsoft Windows
+ Administrative Templates.
+ scored: true
+ - id: 18.10.57.3.11
+ description: Temporary Folders
+ type: "skip"
+ checks:
+ - id: 18.10.57.3.11.1
+ description: "Ensure 'Do not delete temp folders upon exit' is set to 'Disabled' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: Get-ItemPropertyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' DeleteTempDirsOnExit
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "1"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to 'Disabled':
+ Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Temporary Folders\Do not delete temp folders upon exit
+
+ Note: This Group Policy path is provided by the Group Policy template
+ TerminalServer.admx/adml that is included with all versions of the Microsoft Windows
+ Administrative Templates. 
+
+ Note #2: In older Microsoft Windows Administrative Templates, this setting was named
+ Do not delete temp folder upon exit, but it was renamed starting with the Windows 8.0 and
+ Server 2012 (non-R2) Administrative Templates.
+ scored: true
+ - id: 18.10.57.3.11.2
+ description: "Ensure 'Do not use temporary folders per session' is set to 'Disabled' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: Get-ItemPropertyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' PerSessionTempDir
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "1"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to 'Disabled':
+ Computer Configuration\Policies\Administrative Templates\Windows
+ Components\Remote Desktop Services\Remote Desktop Session Host\Temporary Folders\Do not use temporary folders per session
+
+ Note: This Group Policy path is provided by the Group Policy template
+ TerminalServer.admx/adml that is included with all versions of the Microsoft Windows
+ Administrative Templates.
+ scored: true
+ - id: 18.10.58
+ description: RSS Feeds
+ type: "skip"
+ checks:
+ - id: 18.10.58.1
+ description: "Ensure 'Prevent downloading of enclosures' is set to 'Enabled' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: Get-ItemPropertyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds' DisableEnclosureDownload
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "1"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to 'Enabled':
+ Computer Configuration\Policies\Administrative Templates\Windows Components\RSS Feeds\Prevent downloading of enclosures
+
+ Note: This Group Policy path is provided by the Group Policy template
+ InetRes.admx/adml that is included with all versions of the Microsoft Windows
+ Administrative Templates. 
+
+ Note #2: In older Microsoft Windows Administrative Templates, this setting was named
+ Turn off downloading of enclosures, but it was renamed starting with the Windows 8.0 and
+ Server 2012 (non-R2) Administrative Templates.
+ scored: true
+ - id: 18.10.58.2
+ description: "Ensure 'Turn on Basic feed authentication over HTTP' is set to 'Disabled' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: Get-ItemPropertyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds' AllowBasicAuthInClear
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "0"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to 'Enabled':
+ Computer Configuration\Policies\Administrative Templates\Windows Components\RSS Feeds\Turn on Basic feed authentication over HTTP
+
+ Note: This Group Policy path is provided by the Group Policy template
+ InetRes.admx/adml that is included with the Microsoft Windows 7 & Server 2008 R2
+ Administrative Templates (or newer)
+ scored: true
+ - id: 18.10.59
+ description: Search
+ type: "skip"
+ checks:
+ - id: 18.10.59.1
+ description: OCR
+ type: "skip"
+ - id: 18.10.59.2
+ description: "Ensure 'Allow Cloud Search' is set to 'Enabled: Disable Cloud Search' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: Get-ItemPropertyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search' AllowCloudSearch
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "0"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to 'Enabled: Disable Cloud Search':
+ Computer Configuration\Policies\Administrative Templates\Windows Components\Search\Allow Cloud Search
+
+ Note: This Group Policy path may not exist by default. It is provided by the Group Policy
+ template Search.admx/adml that is included with the Microsoft Windows 10 Release
+ 1709 Administrative Templates (or newer). 
+ scored: true
+ - id: 18.10.59.3
+ description: "Ensure 'Allow indexing of encrypted files' is set to 'Disabled' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: Get-ItemPropertyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search' AllowIndexingEncryptedStoresOrItems
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "0"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to 'Disabled':
+ Computer Configuration\Policies\Administrative Templates\Windows Components\Search\Allow indexing of encrypted files
+
+ Note: This Group Policy path is provided by the Group Policy template
+ Search.admx/adml that is included with all versions of the Microsoft Windows
+ Administrative Templates.
+ scored: true
+ - id: 18.10.59.4
+ description: "Ensure 'Allow search highlights' is set to 'Disabled' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: Get-ItemPropertyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search' EnableDynamicContentInWSB
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "0"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to 'Disabled':
+ Computer Configuration\Policies\Administrative Templates\Windows Components\Search\Allow search highlights
+
+ Note: This Group Policy path may not exist by default. It is provided by the Group Policy
+ template Search.admx/adml that is included with the Microsoft Windows 10 Release
+ 21H2 Administrative Templates (or newer). 
+ scored: true
+ - id: 18.10.60
+ description: Security Center
+ type: "skip"
+ - id: 18.10.61
+ description: Shutdown Options
+ type: "skip"
+ - id: 18.10.62
+ description: Smart Card
+ type: "skip"
+ - id: 18.10.63
+ description: Software Protection Platform (SPP)
+ type: "skip"
+ - id: 18.10.63.1
+ description: "Ensure 'Turn off KMS Client Online AVS Validation' is set to 'Enabled' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: Get-ItemPropertyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform' NoGenTicket
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "1"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to 'Enabled':
+ Computer Configuration\Policies\Administrative Templates\Windows Components\Software Protection Platform\Turn off KMS Client Online AVS Validation
+
+ Note: This Group Policy path may not exist by default. It is provided by the Group Policy
+ template AVSValidationGP.admx/adml that is included with the Microsoft Windows 10
+ RTM (Release 1507) Administrative Templates (or newer). 
+ scored: true
+ - id: 18.10.64
+ description: Sound Recorder
+ type: "skip"
+ - id: 18.10.65
+ description: Speech
+ type: "skip"
+ - id: 18.10.66
+ description: Store
+ type: "skip"
+ - id: 18.10.67
+ description: Sync your settings
+ type: "skip"
+ - id: 18.10.68
+ description: Tablet PC
+ type: "skip"
+ - id: 18.10.69
+ description: Task Scheduler
+ type: "skip"
+ - id: 18.10.70
+ description: Tenant Restrictions
+ type: "skip"
+ - id: 18.10.71
+ description: Text Input
+ type: "skip"
+ - id: 18.10.72
+ description: Widgets
+ type: "skip"
+ - id: 18.10.73
+ description: Windows Calendar
+ type: "skip"
+ - id: 18.10.74
+ description: Windows Color System
+ type: "skip"
+ - id: 18.10.75
+ description: Windows Customer Experience Improvement Program
+ type: "skip"
+ - id: 18.10.76
+ description: Windows Defender SmartScreen
+ type: "skip"
+ checks:
+ - id: 18.10.76.1
+ description: Enhance Phishing Protection
+ type: "skip"
+ - id: 18.10.76.2
+ description: Explorer
+ type: "skip"
+ checks:
+ - id: 18.10.76.2.1
+ description: "Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent bypass' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: >-
+ Get-ItemPropertyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' EnableSmartScreen;
+ Get-ItemPropertyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' ShellSmartScreenLevel
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "1\r\nBlock"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to
+ 'Enabled: Warn and prevent bypass':
+ Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure Windows Defender SmartScreen
+
+ Note: This Group Policy path may not exist by default. 
It is provided by the Group Policy
+ template WindowsExplorer.admx/adml that is included with the Microsoft Windows 8.0
+ and Server 2012 (non-R2) Administrative Templates (or newer).
+
+ Note #2: In older Microsoft Windows Administrative Templates, this setting was initially
+ named Configure Windows SmartScreen, but it was renamed starting with the Windows
+ 10 Release 1703 Administrative Templates.
+ scored: true
+ - id: 18.10.77
+ description: Windows Error Reporting
+ type: "skip"
+ - id: 18.10.78
+ description: Windows Game Recording and Broadcasting
+ type: "skip"
+ - id: 18.10.79
+ description: Windows Hello for Business (formerly Microsoft Passport for Work)
+ type: "skip"
+ - id: 18.10.80
+ description: Windows Ink Workspace
+ type: "skip"
+ checks:
+ - id: 18.10.80.1
+ description: "Ensure 'Allow suggested apps in Windows Ink Workspace' is set to 'Disabled' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: Get-ItemPropertyValue 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace' AllowSuggestedAppsInWindowsInkWorkspace
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "0"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to 'Disabled':
+ Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Ink Workspace\Allow suggested apps in Windows Ink Workspace
+
+ Note: This Group Policy path may not exist by default. It is provided by the Group Policy
+ template WindowsInkWorkspace.admx/adml that is included with the Microsoft
+ Windows 10 Release 1607 and Server 2016 Administrative Templates (or newer). 
+ scored: true
+ - id: 18.10.80.2
+ description: "Ensure 'Allow Windows Ink Workspace' is set to 'Enabled: On, but disallow access above lock' OR 'Enabled: Disabled' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: Get-ItemPropertyValue 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace' AllowWindowsInkWorkspace
+ tests:
+ bin_op: or
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "0"
+ set: true
+ - flag: ""
+ compare:
+ op: eq
+ value: "1"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to
+ 'Enabled: On, but disallow access above lock' OR 'Enabled: Disabled':
+ Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Ink Workspace\Allow Windows Ink Workspace
+
+ Note: This Group Policy path may not exist by default. It is provided by the Group Policy
+ template WindowsInkWorkspace.admx/adml that is included with the Microsoft
+ Windows 10 Release 1607 and Server 2016 Administrative Templates (or newer).
+ scored: true
+ - id: 18.10.81
+ description: Windows Installer
+ type: "skip"
+ checks:
+ - id: 18.10.81.1
+ description: "Ensure 'Allow user control over installs' is set to 'Disabled' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: Get-ItemPropertyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer' EnableUserControl
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "0"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to 'Disabled':
+ Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Installer\Allow user control over installs
+
+ Note: This Group Policy path is provided by the Group Policy template MSI.admx/adml
+ that is included with all versions of the Microsoft Windows Administrative Templates. 
+
+ Note #2: In older Microsoft Windows Administrative Templates, this setting was named
+ Enable user control over installs, but it was renamed starting with the Windows 8.0 and
+ Server 2012 (non-R2) Administrative Templates.
+ scored: true
+ - id: 18.10.81.2
+ description: "Ensure 'Always install with elevated privileges' is set to 'Disabled' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: Get-ItemPropertyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer' AlwaysInstallElevated
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "0"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to 'Disabled':
+ Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Installer\Always install with elevated privileges
+
+ Note: This Group Policy path is provided by the Group Policy template MSI.admx/adml
+ that is included with all versions of the Microsoft Windows Administrative Templates.
+ scored: true
+ - id: 18.10.81.3
+ description: "Ensure 'Prevent Internet Explorer security prompt for Windows Installer scripts' is set to 'Disabled' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: Get-ItemPropertyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer' SafeForScripting
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "0"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to 'Disabled':
+ Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Installer\Prevent Internet Explorer security prompt for Windows Installer scripts
+
+ Note: This Group Policy path is provided by the Group Policy template MSI.admx/adml
+ that is included with all versions of the Microsoft Windows Administrative Templates. 
+
+ Note #2: In older Microsoft Windows Administrative Templates, this setting was initially
+ named Disable IE security prompt for Windows Installer scripts, but it was renamed
+ starting with the Windows 8.0 and Server 2012 (non-R2) Administrative Templates.
+ scored: true
+ - id: 18.10.82
+ description: Windows Logon Options
+ type: "skip"
+ - id: 18.10.82.1
+ description: "Ensure 'Configure the transmission of the user's password in the content of MPR notifications sent by winlogon.' is set to 'Disabled' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: Get-ItemPropertyValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' EnableMPR
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "0"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to 'Disabled':
+ Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Logon Options\Configure the transmission of the user's password in the content of MPR notifications sent by winlogon.
+
+ Note: This Group Policy path may not exist by default. It is provided by the Group Policy
+ template WinLogon.admx/adml that is included with the Microsoft Windows 11 Release
+ 22H2 Administrative Templates v1.0 (or newer).
+ Note #2: This setting was initially released with the Windows 11 Release 22H2
+ Administrative Templates, named Enable MPR notifications for the system. It was
+ renamed starting with the Windows 11 Release 24H2 Administrative Templates. 
+ scored: true
+ - id: 18.10.82.2
+ description: "Ensure 'Sign-in and lock last interactive user automatically after a restart' is set to 'Disabled' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: Get-ItemPropertyValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' DisableAutomaticRestartSignOn
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "1"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to 'Disabled':
+ Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Logon Options\Sign-in and lock last interactive user automatically after a restart
+
+ Note: This Group Policy path may not exist by default. It is provided by the Group Policy
+ template WinLogon.admx/adml that is included with the Microsoft Windows 8.1 and
+ Server 2012 R2 Administrative Templates (or newer).
+
+ Note #2: In older Microsoft Windows Administrative Templates, this setting was initially
+ named Sign-in last interactive user automatically after a system-initiated restart, but it
+ was renamed starting with the Windows 10 Release 1903 Administrative Templates.
+ scored: true
+ - id: 18.10.83
+ description: Windows Media Digital Rights Management
+ type: "skip"
+ - id: 18.10.84
+ description: Windows Media Player
+ type: "skip"
+ - id: 18.10.85
+ description: Windows Messenger
+ type: "skip"
+ - id: 18.10.86
+ description: Windows Mobility Center
+ type: "skip"
+ - id: 18.10.87
+ description: Windows PowerShell
+ type: "skip"
+ - id: 18.10.87.1
+ description: "Ensure 'Turn on PowerShell Script Block Logging' is set to 'Enabled' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: Get-ItemPropertyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' EnableScriptBlockLogging
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "1"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to 'Enabled':
+ Computer Configuration\Policies\Administrative Templates\Windows Components\Windows PowerShell\Turn on PowerShell Script Block Logging
+
+ Note: This Group Policy path may not exist by default. It is provided by the Group Policy
+ template PowerShellExecutionPolicy.admx/adml that is included with the Microsoft
+ Windows 10 RTM (Release 1507) Administrative Templates (or newer).
+ scored: true
+ - id: 18.10.87.2
+ description: "Ensure 'Turn on PowerShell Transcription' is set to 'Enabled' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: Get-ItemPropertyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription' EnableTranscripting
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "1"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to 'Enabled':
+ Computer Configuration\Policies\Administrative Templates\Windows Components\Windows PowerShell\Turn on PowerShell Transcription
+ Note: This Group Policy path may not exist by default.
It is provided by the Group Policy
+ template PowerShellExecutionPolicy.admx/adml that is included with the Microsoft
+ Windows 10 RTM (Release 1507) Administrative Templates (or newer).
+ scored: true
+ - id: 18.10.88
+ description: Windows Reliability Analysis
+ type: "skip"
+ - id: 18.10.89
+ description: Windows Remote Management (WinRM)
+ type: "skip"
+ checks:
+ - id: 18.10.89.1
+ description: WinRM Client
+ type: "skip"
+ checks:
+ - id: 18.10.89.1.1
+ description: "Ensure 'Allow Basic authentication' is set to 'Disabled' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: Get-ItemPropertyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client' AllowBasic
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "0"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to 'Disabled':
+ Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Remote Management (WinRM)\WinRM Client\Allow Basic authentication
+
+ Note: This Group Policy path is provided by the Group Policy template
+ WindowsRemoteManagement.admx/adml that is included with all versions of the
+ Microsoft Windows Administrative Templates.
+ scored: true
+ - id: 18.10.89.1.2
+ description: "Ensure 'Allow unencrypted traffic' is set to 'Disabled' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: Get-ItemPropertyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client' AllowUnencryptedTraffic
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "0"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to 'Disabled':
+ Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Remote Management (WinRM)\WinRM Client\Allow unencrypted traffic
+
+ Note: This Group Policy path is provided by the Group Policy template
+ WindowsRemoteManagement.admx/adml that is included with all versions of the
+ Microsoft Windows Administrative Templates.
+ scored: true
+ - id: 18.10.89.1.3
+ description: "Ensure 'Disallow Digest authentication' is set to 'Enabled' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: Get-ItemPropertyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client' AllowDigest
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "0"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to 'Enabled':
+ Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Remote Management (WinRM)\WinRM Client\Disallow Digest authentication
+
+ Note: This Group Policy path is provided by the Group Policy template
+ WindowsRemoteManagement.admx/adml that is included with all versions of the
+ Microsoft Windows Administrative Templates.
+ scored: true
+ - id: 18.10.89.2
+ description: WinRM Service
+ type: "skip"
+ checks:
+ - id: 18.10.89.2.1
+ description: "Ensure 'Allow Basic authentication' is set to 'Disabled' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: Get-ItemPropertyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service' AllowBasic
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "0"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to 'Disabled':
+ Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Remote Management (WinRM)\WinRM Service\Allow Basic authentication
+
+ Note: This Group Policy path is provided by the Group Policy template
+ WindowsRemoteManagement.admx/adml that is included with all versions of the
+ Microsoft Windows Administrative Templates.
+ scored: true
+ - id: 18.10.89.2.2
+ description: "Ensure 'Allow remote server management through WinRM' is set to 'Disabled' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: Get-ItemPropertyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service' AllowAutoConfig
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "0"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to 'Disabled':
+ Computer Configuration\Administrative Templates\Windows Components\Windows Remote Management (WinRM)\WinRM Service\Allow remote server management through WinRM
+
+ Note: This Group Policy path is provided by the Group Policy template
+ WindowsRemoteManagement.admx/adml that is included with all versions of the
+ Microsoft Windows Administrative Templates.
+
+ Note #2: In older Microsoft Windows Administrative Templates, this setting was initially
+ named Allow automatic configuration of listeners, but it was renamed starting with the
+ Windows 8.0 and Server 2012 (non-R2) Administrative Templates.
+ scored: true
+ - id: 18.10.89.2.3
+ description: "Ensure 'Allow unencrypted traffic' is set to 'Disabled' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: Get-ItemPropertyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service' AllowUnencryptedTraffic
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "0"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to 'Disabled':
+ Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Remote Management (WinRM)\WinRM Service\Allow unencrypted traffic
+
+ Note: This Group Policy path is provided by the Group Policy template
+ WindowsRemoteManagement.admx/adml that is included with all versions of the
+ Microsoft Windows Administrative Templates.
+ scored: true
+ - id: 18.10.89.2.4
+ description: "Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: Get-ItemPropertyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service' DisableRunAs
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "1"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to 'Enabled':
+ Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Remote Management (WinRM)\WinRM Service\Disallow WinRM from storing RunAs credentials
+
+ Note: This Group Policy path may not exist by default. It is provided by the Group Policy
+ template WindowsRemoteManagement.admx/adml that is included with the Microsoft
+ Windows 8.0 and Server 2012 (non-R2) Administrative Templates (or newer).
+ scored: true
+ - id: 18.10.90
+ description: Windows Remote Shell (WinRS)
+ type: "skip"
+ checks:
+ - id: 18.10.90.1
+ description: "Ensure 'Allow Remote Shell Access' is set to 'Disabled' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: Get-ItemPropertyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\WinRS' AllowRemoteShellAccess
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "0"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to 'Disabled':
+ Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Remote Shell\Allow Remote Shell Access
+
+ Note: This Group Policy path is provided by the Group Policy template
+ WindowsRemoteShell.admx/adml that is included with all versions of the Microsoft
+ Windows Administrative Templates.
+ scored: true
+ - id: 18.10.91
+ description: Windows Sandbox
+ type: "skip"
+ - id: 18.10.92
+ description: Windows Security (formerly Windows Defender Security Center)
+ type: "skip"
+ checks:
+ - id: 18.10.92.1
+ description: Account protection
+ type: "skip"
+ - id: 18.10.92.2
+ description: App and browser protection
+ type: "skip"
+ checks:
+ - id: 18.10.92.2.1
+ description: "Ensure 'Prevent users from modifying settings' is set to 'Enabled' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: Get-ItemPropertyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection' DisallowExploitProtectionOverride
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "1"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to 'Enabled':
+ Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Security\App and browser protection\Prevent users from modifying settings
+
+ Note: This Group Policy path may not exist by default.
It is provided by the Group Policy
+ template WindowsDefenderSecurityCenter.admx/adml that is included with the
+ Microsoft Windows 10 Release 1709 Administrative Templates (or newer).
+ scored: true
+ - id: 18.10.93
+ description: Windows Update
+ type: "skip"
+ checks:
+ - id: 18.10.93.1
+ description: Legacy Policies
+ type: "skip"
+ checks:
+ - id: 18.10.93.1.1
+ description: "Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: Get-ItemPropertyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' NoAutoRebootWithLoggedOnUsers
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "0"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to 'Disabled':
+ Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Update\Legacy Policies\No auto-restart with logged on users for scheduled automatic updates installations
+
+ Note: This Group Policy path is provided by the Group Policy template
+ WindowsUpdate.admx/adml that is included with all versions of the Microsoft Windows
+ Administrative Templates.
+
+ Note #2: In older Microsoft Windows Administrative Templates, this setting was initially
+ named No auto-restart for scheduled Automatic Updates installations, but it was
+ renamed starting with the Windows 7 and Server 2008 R2 Administrative Templates.
+ scored: true
+ - id: 18.10.93.2
+ description: Manage end user experience
+ type: "skip"
+ checks:
+ - id: 18.10.93.2.1
+ description: "Ensure 'Configure Automatic Updates' is set to 'Enabled' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: Get-ItemPropertyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' NoAutoUpdate
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "0"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to 'Enabled':
+ Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Update\Manage end user experience\Configure Automatic Updates
+
+ Note: This Group Policy path is provided by the Group Policy template
+ WindowsUpdate.admx/adml that is included with all versions of the Microsoft Windows
+ Administrative Templates.
+ scored: true
+ - id: 18.10.93.2.2
+ description: "Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: Get-ItemPropertyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' ScheduledInstallDay
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "0"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to '0 - Every day':
+ Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Update\Manage end user experience\Configure Automatic Updates: Scheduled install day
+
+ Note: This Group Policy path is provided by the Group Policy template
+ WindowsUpdate.admx/adml that is included with all versions of the Microsoft Windows
+ Administrative Templates.
+ scored: true
+ - id: 18.10.93.3
+ description: Manage updates offered from Windows Server Update Services (WSUS)
+ type: "skip"
+ - id: 18.10.93.4
+ description: Manage updates offered from Windows Update (formerly Defer Windows Updates and Windows Update for Business)
+ type: "skip"
+ checks:
+ - id: 18.10.93.4.1
+ description: "Ensure 'Manage preview builds' is set to 'Disabled' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: Get-ItemPropertyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate' ManagePreviewBuildsPolicyValue
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "1"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to 'Disabled':
+ Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Update\Manage updates offered from Windows Update\Manage preview builds
+
+ Note: This Group Policy path may not exist by default. It is provided by the Group Policy
+ template WindowsUpdate.admx/adml that is included with the Microsoft Windows 10
+ Release 1709 Administrative Templates (or newer).
+ scored: true
+ - id: 18.10.93.4.2
+ description: "Ensure 'Select when Preview Builds and Feature Updates are received' is set to 'Enabled: 180 or more days' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: >-
+ Get-ItemPropertyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate' DeferFeatureUpdates;
+ Get-ItemPropertyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate' DeferFeatureUpdatesPeriodInDays
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "1\r\n180"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to
+ 'Enabled: 180 or more days':
+ Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Update\Manage updates offered from Windows Update\Select when Preview Builds and Feature Updates are received
+
+ Note: This Group Policy path may not exist by default. It is provided by the Group Policy
+ template WindowsUpdate.admx/adml that is included with the Microsoft Windows 10
+ Release 1607 and Server 2016 Administrative Templates (or newer).
+
+ Note #2: In older Microsoft Windows Administrative Templates, this setting was initially
+ named Select when Feature Updates are received, but it was renamed to Select when
+ Preview Builds and Feature Updates are received starting with the Windows 10 Release
+ 1709 Administrative Templates.
+ scored: true
+ - id: 18.10.93.4.3
+ description: "Ensure 'Select when Quality Updates are received' is set to 'Enabled: 0 days' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: >-
+ Get-ItemPropertyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate' DeferQualityUpdates;
+ Get-ItemPropertyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate' DeferQualityUpdatesPeriodInDays
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "1\r\n0"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to
+ 'Enabled:0 days':
+ Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Update\Manage updates offered from Windows Update\Select when Quality Updates are received
+
+ Note: This Group Policy path does not exist by default. An updated Group Policy
+ template (WindowsUpdate.admx/adml) is required - it is included with the Microsoft
+ Windows 10 Release 1607 and Server 2016 Administrative Templates (or newer).
+ scored: true
+ - id: 19
+ description: Admininistrative Templates (User)
+ checks:
+ - id: 19.1
+ description: Control Panel
+ - id: 19.2
+ description: Network
+ - id: 19.4
+ description: Shared Folders
+ - id: 19.5
+ description: Start Menu and Taskbar
+ checks:
+ - id: 19.5.1
+ description: Notifications
+ type: "skip"
+ checks:
+ - id: 19.5.1.1
+ description: "Ensure 'Turn off toast notifications on the lock screen' is set to 'Enabled' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: >-
+ $User=New-Object System.Security.Principal.NTAccount($env:UserName);
+ $sid=$User.Translate([System.Security.Principal.SecurityIdentifier]).value;
+ New-PSDrive HKU Registry HKEY_USERS | Out-Null;
+ Get-ItemPropertyValue -PATH "HKU:\${sid}\Software\Policies\Microsoft\Windows\CurrentVersion\PushNotifications" NoToastApplicationNotificationOnLockScreen;
+ Remove-PSDrive -Name HKU
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "1"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to 'Enabled':
+ User Configuration\Policies\Administrative Templates\System\Internet Communication Management\Internet Communication Settings\Turn off Help Experience Improvement Program
+
+ Note: This Group Policy path is provided by the Group Policy template
+ HelpAndSupport.admx/adml that is included with all versions of the Microsoft Windows
+ Administrative Templates.
+ scored: true
+ - id: 19.6
+ description: Systems
+ checks:
+ - id: 19.6.1
+ description: Ctrl+Alt+Del Options
+ type: "skip"
+ - id: 19.6.2
+ description: Display
+ type: "skip"
+ - id: 19.6.3
+ description: Driver Installation
+ type: "skip"
+ - id: 19.6.4
+ description: Folder Redirection
+ type: "skip"
+ - id: 19.6.5
+ description: Group Policy
+ type: "skip"
+ - id: 19.6.6
+ description: Internet Communication Management
+ type: "skip"
+ checks:
+ - id: 19.6.6.1
+ description: Internet Communication Settings
+ type: "skip"
+ checks:
+ - id: 19.6.6.1.1
+ description: "Ensure 'Turn off Help Experience Improvement Program' is set to 'Enabled' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: >-
+ $User=New-Object System.Security.Principal.NTAccount($env:UserName);
+ $sid=$User.Translate([System.Security.Principal.SecurityIdentifier]).value;
+ New-PSDrive HKU Registry HKEY_USERS | Out-Null;
+ Get-ItemPropertyValue -PATH "HKU:\${sid}\Software\Policies\Microsoft\Assistance\Client\1.0" NoImplicitFeedback;
+ Remove-PSDrive -Name HKU
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "1"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to 'Enabled':
+ User Configuration\Policies\Administrative Templates\System\Internet Communication Management\Internet Communication Settings\Turn off Help Experience Improvement Program
+
+ Note: This Group Policy path is provided by the Group Policy template
+ HelpAndSupport.admx/adml that is included with all versions of the Microsoft Windows
+ Administrative Templates.
+ scored: true
+ - id: 19.7
+ description: Windows Components
+ checks:
+ - id: 19.7.1
+ description: Account Notifications
+ type: "skip"
+ - id: 19.7.2
+ description: Add features to Windows 8 / 8.1 / 10 (formerly Windows Anytime Upgrade)
+ type: "skip"
+ - id: 19.7.3
+ description: App runtime
+ type: "skip"
+ - id: 19.7.4
+ description: Application Compatibility
+ type: "skip"
+ - id: 19.7.5
+ description: Attachment Manager
+ type: "skip"
+ checks:
+ - id: 19.7.5.1
+ description: "Ensure 'Do not preserve zone information in file attachments' is set to 'Disabled' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: >-
+ $User=New-Object System.Security.Principal.NTAccount($env:UserName);
+ $sid=$User.Translate([System.Security.Principal.SecurityIdentifier]).value;
+ New-PSDrive HKU Registry HKEY_USERS | Out-Null;
+ Get-ItemPropertyValue -PATH "HKU:\${sid}\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments" SaveZoneInformation;
+ Remove-PSDrive -Name HKU
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "2"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to 'Disabled':
+ User Configuration\Policies\Administrative Templates\Windows Components\Attachment Manager\Do not preserve zone information in file attachments
+
+ Note: This Group Policy path is provided by the Group Policy template
+ AttachmentManager.admx/adml that is included with all versions of the Microsoft
+ Windows Administrative Templates.
+ scored: true
+ - id: 19.7.5.2
+ description: "Ensure 'Notify antivirus programs when opening attachments' is set to 'Enabled' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: >-
+ $User=New-Object System.Security.Principal.NTAccount($env:UserName);
+ $sid=$User.Translate([System.Security.Principal.SecurityIdentifier]).value;
+ New-PSDrive HKU Registry HKEY_USERS | Out-Null;
+ Get-ItemPropertyValue -PATH "HKU:\${sid}\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments" ScanWithAntiVirus;
+ Remove-PSDrive -Name HKU
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "3"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to 'Enabled':
+ User Configuration\Policies\Administrative Templates\Windows Components\Attachment Manager\Notify antivirus programs when opening attachments
+
+ Note: This Group Policy path is provided by the Group Policy template
+ AttachmentManager.admx/adml that is included with all versions of the Microsoft
+ Windows Administrative Templates.
+ scored: true
+ - id: 19.7.6
+ description: Autoplay Policies
+ type: "skip"
+ - id: 19.7.7
+ description: Calculator
+ type: "skip"
+ - id: 19.7.8
+ description: Cloud Content
+ type: "skip"
+ checks:
+ - id: 19.7.8.1
+ description: "Ensure 'Configure Windows spotlight on lock screen' is set to 'Disabled' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: >-
+ $User=New-Object System.Security.Principal.NTAccount($env:UserName);
+ $sid=$User.Translate([System.Security.Principal.SecurityIdentifier]).value;
+ New-PSDrive HKU Registry HKEY_USERS | Out-Null;
+ Get-ItemPropertyValue -PATH "HKU:\${sid}\Software\Policies\Microsoft\Windows\CloudContent" ConfigureWindowsSpotlight;
+ Remove-PSDrive -Name HKU
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "2"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to 'Disabled':
+ User Configuration\Policies\Administrative Templates\Windows Components\Cloud Content\Configure Windows spotlight on lock screen
+
+ Note: This Group Policy path may not exist by default. It is provided by the Group Policy
+ template CloudContent.admx/adml that is included with the Microsoft Windows 10
+ Release 1607 and Server 2016 Administrative Templates (or newer).
+ scored: true
+ - id: 19.7.8.2
+ description: "Ensure 'Do not suggest third-party content in Windows spotlight' is set to 'Enabled' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: >-
+ $User=New-Object System.Security.Principal.NTAccount($env:UserName);
+ $sid=$User.Translate([System.Security.Principal.SecurityIdentifier]).value;
+ New-PSDrive HKU Registry HKEY_USERS | Out-Null;
+ Get-ItemPropertyValue -PATH "HKU:\${sid}\Software\Policies\Microsoft\Windows\CloudContent" DisableThirdPartySuggestions;
+ Remove-PSDrive -Name HKU
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "1"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to 'Enabled':
+ User Configuration\Policies\Administrative Templates\Windows Components\Cloud Content\Do not suggest third-party content in Windows spotlight
+
+ Note: This Group Policy path may not exist by default. It is provided by the Group Policy
+ template CloudContent.admx/adml that is included with the Microsoft Windows 10
+ Release 1607 and Server 2016 Administrative Templates (or newer).
+ scored: true
+ - id: 19.7.8.3
+ description: "Ensure 'Do not use diagnostic data for tailored experiences' is set to 'Enabled' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: >-
+ $User=New-Object System.Security.Principal.NTAccount($env:UserName);
+ $sid=$User.Translate([System.Security.Principal.SecurityIdentifier]).value;
+ New-PSDrive HKU Registry HKEY_USERS | Out-Null;
+ Get-ItemPropertyValue -PATH "HKU:\${sid}\Software\Policies\Microsoft\Windows\CloudContent" DisableTailoredExperiencesWithDiagnosticData;
+ Remove-PSDrive -Name HKU
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "1"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to 'Enabled':
+ User Configuration\Policies\Administrative Templates\Windows Components\Cloud Content\Do not use diagnostic data for tailored experiences
+
+ Note: This Group Policy path may not exist by default. It is provided by the Group Policy
+ template CloudContent.admx/adml that is included with the Microsoft Windows 10
+ Release 1703 Administrative Templates (or newer).
+ scored: true
+ - id: 19.7.8.4
+ description: "Ensure 'Turn off all Windows spotlight features' is set to 'Enabled' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: >-
+ $User=New-Object System.Security.Principal.NTAccount($env:UserName);
+ $sid=$User.Translate([System.Security.Principal.SecurityIdentifier]).value;
+ New-PSDrive HKU Registry HKEY_USERS | Out-Null;
+ Get-ItemPropertyValue -PATH "HKU:\${sid}\Software\Policies\Microsoft\Windows\CloudContent" DisableWindowsSpotlightFeatures;
+ Remove-PSDrive -Name HKU
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "1"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to 'Enabled':
+ User Configuration\Policies\Administrative Templates\Windows Components\Cloud Content\Turn off all Windows spotlight features
+
+ Note: This Group Policy path may not exist by default. It is provided by the Group Policy
+ template CloudContent.admx/adml that is included with the Microsoft Windows 10
+ Release 1607 and Server 2016 Administrative Templates (or newer).
+ scored: true
+ - id: 19.7.8.5
+ description: "Ensure 'Turn off Spotlight collection on Desktop' is set to 'Enabled' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: >-
+ $User=New-Object System.Security.Principal.NTAccount($env:UserName);
+ $sid=$User.Translate([System.Security.Principal.SecurityIdentifier]).value;
+ New-PSDrive HKU Registry HKEY_USERS | Out-Null;
+ Get-ItemPropertyValue -PATH "HKU:\${sid}\SOFTWARE\Policies\Microsoft\Windows\CloudContent" DisableSpotlightCollectionOnDesktop;
+ Remove-PSDrive -Name HKU
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "1"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to 'Enabled':
+ User Configuration\Policies\Administrative Templates\Windows Components\Cloud Content\Turn off Spotlight collection on Desktop
+
+ Note: This Group Policy path may not exist by default. It is provided by the Group Policy
+ template CloudContent.admx/adml that is included with the Microsoft Windows 11
+ Release 21H2 Administrative Templates (or newer).
+ scored: true
+ - id: 19.7.9
+ description: Credential User Interface
+ type: "skip"
+ - id: 19.7.10
+ description: Data Collection and Preview Builds
+ type: "skip"
+ - id: 19.7.11
+ description: Desktop Gadgets
+ type: "skip"
+ - id: 19.7.12
+ description: Desktop Windows Manager
+ type: "skip"
+ - id: 19.7.13
+ description: Digital Locker
+ type: "skip"
+ - id: 19.7.14
+ description: Edge UI
+ type: "skip"
+ - id: 19.7.15
+ description: File Explorer (formerly Windows Explorer)
+ type: "skip"
+ - id: 19.7.16
+ description: File Revocation
+ type: "skip"
+ - id: 19.7.17
+ description: IME
+ type: "skip"
+ - id: 19.7.18
+ description: Instant Search
+ type: "skip"
+ - id: 19.7.19
+ description: Internet Explorer
+ type: "skip"
+ - id: 19.7.20
+ description: Location and Sensors
+ type: "skip"
+ - id: 19.7.21
+ description: Microsoft Edge
+ type: "skip"
+ - id: 19.7.22
+ description: Microsoft Management Console (MMC)
+ type: "skip"
+ - id: 19.7.23
+ description: Microsoft User Experience Virtualization (UE-V)
+ type: "skip"
+ - id: 19.7.24
+ description: Multitasking
+ type: "skip"
+ - id: 19.7.25
+ description: NetMeeting
+ type: "skip"
+ - id: 19.7.26
+ description: Network Sharing
+ type: "skip"
+ checks:
+ - id: 19.7.26.1
+ description: "Ensure 'Prevent users from sharing files within their profile.'
is set to 'Enabled' (Automated)"
+ audittype: powershell
+ audit:
+ cmd:
+ Server: >-
+ $User=New-Object System.Security.Principal.NTAccount($env:UserName);
+ $sid=$User.Translate([System.Security.Principal.SecurityIdentifier]).value;
+ New-PSDrive HKU Registry HKEY_USERS | Out-Null;
+ Get-ItemPropertyValue -PATH "HKU:\${sid}\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" NoInplaceSharing;
+ Remove-PSDrive -Name HKU
+ tests:
+ test_items:
+ - flag: ""
+ compare:
+ op: eq
+ value: "1"
+ set: true
+ remediation: >
+ To establish the recommended configuration via GP, set the following UI path to 'Enabled':
+ User Configuration\Policies\Administrative Templates\Windows Components\Network Sharing\Prevent users from sharing files within their profile.
+
+ Note: This Group Policy path is provided by the Group Policy template
+ Sharing.admx/adml that is included with all versions of the Microsoft Windows
+ Administrative Templates.
+ scored: true
+ - id: 19.7.27
+ description: OOBE
+ type: "skip"
+ - id: 19.7.28
+ description: Presentation Settings
+ type: "skip"
+ - id: 19.7.29
+ description: Remote Desktop Services (formerly Terminal Services)
+ type: "skip"
+ - id: 19.7.30
+ description: RSS Feeds
+ type: "skip"
+ - id: 19.7.31
+ description: Search
+ type: "skip"
+ - id: 19.7.32
+ description: Snipping Tool
+ type: "skip"
+ - id: 19.7.33
+ description: Sound Recorder
+ type: "skip"
+ - id: 19.7.34
+ description: Store
+ type: "skip"
+ - id: 19.7.35
+ description: Tablet PC
+ type: "skip"
+ - id: 19.7.36
+ description: Task Scheduler
+ type: "skip"
+ - id: 19.7.37
+ description: Windows AI
+ type: "skip"
+ - id: 19.7.38
+ description: Windows Calender
+ type: "skip"
+ - id: 19.7.39
+ description: Windows Color System
+ type: "skip"
+ - id: 19.7.40
+ description: Windows Copilot
+ type: "skip"
+ - id: 19.7.41
+ description: Windows Defender SmartScreen
+ type: "skip"
+ - id: 19.7.42
+ description: Windows Error Reporting
+ type: "skip"
+ - id: 19.7.43
+
description: Windows Hello fro Business (formerly Microsoft Passport for Work) + type: "skip" + - id: 19.7.44 + description: Windows Installer + type: "skip" + - id: 19.7.44.1 + description: "Ensure 'Always install with elevated privileges' is set to 'Disabled' (Automated)" + audittype: powershell + audit: + cmd: + Server: >- + $User=New-Object System.Security.Principal.NTAccount($env:UserName); + $sid=$User.Translate([System.Security.Principal.SecurityIdentifier]).value; + New-PSDrive HKU Registry HKEY_USERS | Out-Null; + Get-ItemPropertyValue -PATH "HKU:\${sid}\Software\Policies\Microsoft\Windows\Installer" AlwaysInstallElevated; + Remove-PSDrive -Name HKU + tests: + test_items: + - flag: "" + compare: + op: eq + value: "0" + set: true + remediation: > + To establish the recommended configuration via GP, set the following UI path to 'Disabled': + User Configuration\Policies\Administrative Templates\Windows Components\Windows Installer\Always install with elevated privileges + + Note: This Group Policy path is provided by the Group Policy template MSI.admx/adml + that is included with all versions of the Microsoft Windows Administrative Templates. 
+ scored: true + - id: 19.7.45 + description: Windows Logon Options + type: "skip" + - id: 19.7.46 + description: Windows Media Player + type: "skip" + checks: + - id: 19.7.46.1 + description: Networking + type: "skip" + - id: 19.7.46.2 + description: Playback + type: "skip" + checks: + - id: 19.7.46.2.1 + description: "Ensure 'Prevent Codec Download' is set to 'Enabled' (Automated)" + audittype: powershell + audit: + cmd: + Server: >- + $User=New-Object System.Security.Principal.NTAccount($env:UserName); + $sid=$User.Translate([System.Security.Principal.SecurityIdentifier]).value; + New-PSDrive HKU Registry HKEY_USERS | Out-Null; + Get-ItemPropertyValue -PATH "HKU:\${sid}\Software\Policies\Microsoft\WindowsMediaPlayer" PreventCodecDownload; + Remove-PSDrive -Name HKU + tests: + test_items: + - flag: "" + compare: + op: eq + value: "1" + set: true + remediation: > + To establish the recommended configuration via GP, set the following UI path to 'Enabled': + User Configuration\Policies\Administrative Templates\Windows Components\Windows Media Player\Playback\Prevent Codec Download + Note: This Group Policy path is provided by the Group Policy template + WindowsMediaPlayer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. + scored: true diff --git a/cfg/version_map.yaml b/cfg/version_map.yaml index c08b161..a92556d 100644 --- a/cfg/version_map.yaml +++ b/cfg/version_map.yaml @@ -6,6 +6,7 @@ # serverVesion = 2019|2022|... # serverType = DomainController|MemberServer|Server + # Microsoft Windows Server 2019 Benchmarks 2019_DomainController_2.0.0: 'CIS_Microsoft_Windows_Server_2022_Benchmark_v2.0.0.yaml' 2019_MemberServer_2.0.0: 'CIS_Microsoft_Windows_Server_2022_Benchmark_v2.0.0.yaml' 
@@ -14,3 +15,4 @@
 # Microsoft Windows Server 2022 Benchmarks
 2022_DomainController_2.0.0: 'CIS_Microsoft_Windows_Server_2022_Benchmark_v2.0.0.yaml'
 2022_MemberServer_2.0.0: 'CIS_Microsoft_Windows_Server_2022_Benchmark_v2.0.0.yaml'
+2022_Server_1.0.0: 'CIS_Microsoft_Windows_Server_2022_Stand-alone_v1.0.0.yaml'
diff --git a/cmd/util.go b/cmd/util.go
index 69e23a6..5b8615a 100644
--- a/cmd/util.go
+++ b/cmd/util.go
@@ -44,6 +44,9 @@ func runChecks(b commonCheck.Bench, serverType, serverCaption string) error {
 return fmt.Errorf("Invalid Microsoft Windows Server caption: %s.\nAre you running windows-bench on a Microsoft Windows Server?", serverCaption)
 }
 serverVersion := match[1]
+ if serverVersion == "2022" && serverType == "Server" {
+ cisVersion = "1.0.0"
+ }
 cfgFile, err = loadConfig(cisVersion, serverVersion, serverType)
 if err != nil {
diff --git a/go.mod b/go.mod
index 37d9432..c9589fa 100644
--- a/go.mod
+++ b/go.mod
@@ -1,9 +1,9 @@
 module github.com/aquasecurity/windows-bench
-go 1.19
+go 1.24.5
 require (
- github.com/aquasecurity/bench-common v0.4.8
+ github.com/aquasecurity/bench-common v0.4.9-0.20250714075640-1dbae7d8053a
 github.com/aquasecurity/go-powershell v0.0.0-20190807165005-070591d67847
 github.com/golang/glog v1.2.0
 github.com/pkg/errors v0.9.1
@@ -13,6 +13,9 @@ require (
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
+ github.com/jinzhu/gorm v1.9.16 // indirect
+ github.com/jinzhu/inflection v1.0.0 // indirect
+ github.com/mitchellh/go-homedir v1.1.0 // indirect
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 github.com/sagikazarmark/locafero v0.4.0 // indirect
 github.com/sagikazarmark/slog-shim v0.1.0 // indirect
diff --git a/go.sum b/go.sum
index f243415..d31883c 100644
--- a/go.sum
+++ b/go.sum
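Review bot: The added branch in runChecks overwrites `cisVersion` with the literal `"1.0.0"` whenever a 2022 stand-alone server is detected, so a caller that set a different benchmark version (the variable's origin is outside the hunk; it reads like a flag or package default) is silently redirected to another benchmark with no log line. It also hard-codes in Go a mapping that `cfg/version_map.yaml` already carries as `2022_Server_1.0.0`, so the two places will drift the next time a benchmark revision is added. At minimum make the override conditional and visible, e.g. `if serverVersion == "2022" && serverType == "Server" && cisVersion != "1.0.0" {` and, if this file already imports glog like the rest of the module, `glog.Infof("stand-alone Server 2022 is only published as CIS v1.0.0; overriding requested version %s", cisVersion)` before the assignment; longer term, let loadConfig fall back to a per-server/type default declared in version_map instead. The body of runChecks continues outside the hunk.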
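Review bot: The bench-common bump pins an untagged pseudo-version (`v0.4.9-0.20250714075640-1dbae7d8053a`) instead of a release, and it pulls `github.com/jinzhu/gorm v1.9.16`, `jinzhu/inflection` and `mitchellh/go-homedir` into the module graph as indirect dependencies of a CLI that, from what is visible here, only reads YAML benchmark files and runs PowerShell. The go.sum additions in the same commit (go-mssqldb, go-sql-driver/mysql, lib/pq, go-sqlite3, go-testdb) are consistent with gorm's own requirements, so the effective dependency surface grows well beyond the three lines shown, and `github.com/jinzhu/gorm` is the superseded v1 import path rather than the maintained `gorm.io/gorm`. Please run `go mod why -m github.com/jinzhu/gorm` and `govulncheck ./...` to confirm the dependency is genuinely needed by the bench-common commit being pulled in and not an unpruned leftover, and prefer a tagged bench-common release once one exists. Separately, `go 1.24.5` carries a patch component, so any toolchain older than 1.24.5 will either auto-download it (default `GOTOOLCHAIN=auto`) or fail outright under `GOTOOLCHAIN=local`; make sure every CI job's setup-go version is at least 1.24.5, or relax the directive to `go 1.24`.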
@@ -1,21 +1,29 @@
-github.com/aquasecurity/bench-common v0.4.8 h1:KtZYPZ9G4tooSOdzDxfiZin02Sa3iOYjPQN223+qzHg=
-github.com/aquasecurity/bench-common v0.4.8/go.mod h1:AOo70Re/p5o+07y1ctVZ7uEpj1ATIujXqrU8ak3F+fI=
+github.com/PuerkitoBio/goquery v1.5.1/go.mod h1:GsLWisAFVj4WgDibEWF4pvYnkVQBpKBKeU+7zCJoLcc=
+github.com/andybalholm/cascadia v1.1.0/go.mod h1:GsXiBklL0woXo1j/WYWtSYYC4ouU9PqHO0sqidkEA4Y=
+github.com/aquasecurity/bench-common v0.4.9-0.20250714075640-1dbae7d8053a h1:vfOh1Q/JjBuptiJ3XRTfpyqzBmxbAsrXlCOVUHjcENY=
+github.com/aquasecurity/bench-common v0.4.9-0.20250714075640-1dbae7d8053a/go.mod h1:7UvaeNRS2HLZuDqv8OwWqbZQ7yHjjUZIMCBSXVziqOE=
 github.com/aquasecurity/go-powershell v0.0.0-20190807165005-070591d67847 h1:e1w2q4MqhHsmBDe5WavHKdGqXbmlvd3f6tH8Qrgn5KA=
 github.com/aquasecurity/go-powershell v0.0.0-20190807165005-070591d67847/go.mod h1:uTcLN1HYZA/abvodzFT8Sx0HupFF7sfsYPCFHFSSgF8=
 github.com/benbjohnson/clock v1.1.0 h1:Q92kusRqC1XV2MjkWETPvjJVqKetz1OzxZB7mHJLju8=
+github.com/benbjohnson/clock v1.1.0/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA=
 github.com/cpuguy83/go-md2man/v2 v2.0.3/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/denisenkom/go-mssqldb v0.0.0-20191124224453-732737034ffd/go.mod h1:xbL0rPBG9cCiLr28tMa8zpbdarY27NDyej4t/EjAShU=
+github.com/erikstmartin/go-testdb v0.0.0-20160219214506-8d10e4a1bae5/go.mod h1:a2zkGnVExMxdzMo3M0Hi/3sEU+cWnZpSni0O6/Yb/P0=
 github.com/fatih/color v1.14.1 h1:qfhVLaG5s+nCROl1zJsZRxFeYrHLqWroPOQ8BWiNb4w=
 github.com/fatih/color v1.14.1/go.mod h1:2oHN61fhTpgcxD3TSWCgKDiH1+x4OiDVVGH8WlgGZGg=
 github.com/frankban/quicktest v1.14.6 h1:7Xjx+VpznH+oBnejlPUj8oUpdxnVs4f8XU8WnHkI4W8=
+github.com/frankban/quicktest v1.14.6/go.mod h1:4ptaffx2x8+WTWXmUCuVU6aPUX1/Mz7zb5vbUoiM6w0=
 github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
 github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ=
 github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nosvA=
 github.com/fsnotify/fsnotify v1.7.0/go.mod h1:40Bi/Hjc2AVfZrqy+aj+yEI+/bRxZnMJyTJwOpGvigM=
+github.com/go-sql-driver/mysql v1.5.0/go.mod h1:DCzpHaOWr8IXmIStZouvnhqoel9Qv2LBy8hT2VhHyBg=
 github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0/go.mod h1:fyg7847qk6SyHyPtNmDHnmrv/HOrqktSC+C9fM+CJOE=
+github.com/golang-sql/civil v0.0.0-20190719163853-cb61b32ac6fe/go.mod h1:8vg3r2VgvsThLBIFL93Qb5yWzgyZWhEmBwUJWevAkK0=
 github.com/golang/glog v1.2.0 h1:uCdmnmatrKCgMBlM4rMuJZWOkPDqdbZPnrMXDY4gI68=
 github.com/golang/glog v1.2.0/go.mod h1:6AhwSGph0fcJtXVM/PEHPqZlFeoLxhs7/t5UDAwmO+w=
 github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
@@ -29,16 +37,25 @@ github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMyw
 github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
 github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
+github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/hashicorp/hcl v1.0.0 h1:0Anlzjpi4vEasTeNFn2mLJgTSwt0+6sfsiTG8qcWGx4=
 github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ=
 github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
 github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
+github.com/jinzhu/gorm v1.9.16 h1:+IyIjPEABKRpsu/F8OvDPy9fyQlgsg2luMV2ZIH5i5o=
+github.com/jinzhu/gorm v1.9.16/go.mod h1:G3LB3wezTOWM2ITLzPxEXgSkOXAntiLHS7UdBefADcs=
+github.com/jinzhu/inflection v1.0.0 h1:K317FqzuhWc8YvSVlFMCCUb36O/S9MCKRDI7QkRKD/E=
+github.com/jinzhu/inflection v1.0.0/go.mod h1:h+uFLlag+Qp1Va5pdKtLDYj+kHp5pxUVkryuEj+Srlc=
+github.com/jinzhu/now v1.0.1/go.mod h1:d3SSVoowX0Lcu0IBviAWJpolVfI5UJVZZ7cO71lE/z8=
 github.com/juju/errors v0.0.0-20190806202954-0232dcc7464d/go.mod h1:W54LbzXuIE0boCoNJfwqpmkKJ1O4TCTZMetAt6jGk7Q=
 github.com/juju/errors v1.0.0 h1:yiq7kjCLll1BiaRuNY53MGI0+EQ3rF6GB+wvboZDefM=
 github.com/juju/errors v1.0.0/go.mod h1:B5x9thDqx0wIMH3+aLIMP9HjItInYWObRovoCFM5Qe8=
 github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
+github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
+github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
+github.com/lib/pq v1.1.1/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo=
 github.com/magiconair/properties v1.8.7 h1:IeQXZAiQcpL9mgcAe1Nu6cX9LLw6ExEHKjN0VQdvPDY=
 github.com/magiconair/properties v1.8.7/go.mod h1:Dhd985XPs7jluiymwWYZ0G4Z61jb3vdS329zhj2hYo0=
 github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA=
@@ -46,6 +63,9 @@ github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovk
 github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=
 github.com/mattn/go-isatty v0.0.17 h1:BTarxUcIeDqL27Mc+vyvdWYSL28zpIhv3RoTdsLMPng=
 github.com/mattn/go-isatty v0.0.17/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=
+github.com/mattn/go-sqlite3 v1.14.0/go.mod h1:JIl7NbARA7phWnGvh0LKTyg7S9BA+6gx71ShQilpsus=
+github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y=
+github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
 github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY=
 github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
 github.com/nxadm/tail v1.4.4/go.mod h1:kenIhsEOeOJmVchQTgglprH7qJGnHDVpk1VPCcaMI8A=
@@ -66,6 +86,7 @@ github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZN
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U=
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/rogpeppe/go-internal v1.9.0 h1:73kH8U+JUqXU8lRuOHeVHaa/SZPifC7BkcraZVejAe8=
+github.com/rogpeppe/go-internal v1.9.0/go.mod h1:WtVeX8xhTBvf0smdhujwtBcq4Qrzq/fJaraNFVN+nFs=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
 github.com/sagikazarmark/locafero v0.4.0 h1:HApY1R9zGo4DBgr7dqsTH/JJxLTTsOt7u6keLGt6kNQ=
 github.com/sagikazarmark/locafero v0.4.0/go.mod h1:Pe1W6UlPYUk/+wc/6KFhbORCfqzgYEpgQ3O5fPuL3H4=
@@ -99,22 +120,29 @@ github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9dec
 go.uber.org/atomic v1.9.0 h1:ECmE8Bn/WFTYwEW/bpKD3M8VtR/zQVbavAoalC1PYyE=
 go.uber.org/atomic v1.9.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc=
 go.uber.org/goleak v1.1.11 h1:wy28qYRKZgnJTxGxvye5/wgWr1EKjmUDGYox5mGlRlI=
+go.uber.org/goleak v1.1.11/go.mod h1:cwTWslyiVhfpKIDGSZEM2HlOvcqm+tG4zioyIeLoqMQ=
 go.uber.org/multierr v1.9.0 h1:7fIwc/ZtS0q++VgcfqFDxSBZVv/Xo49/SYnDFupUwlI=
 go.uber.org/multierr v1.9.0/go.mod h1:X2jQV1h+kxSjClGpnseKVIxpmcjrj7MNnI0bnlfKTVQ=
 go.uber.org/zap v1.24.0 h1:FiJd5l1UOLj0wCgbSE0rwwXHzEdAZS6hiiSnxJN/D60=
 go.uber.org/zap v1.24.0/go.mod h1:2kMP+WWQ8aoFoedH3T2sq6iJ2yDWpHbP0f6MQbS9Gkg=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
+golang.org/x/crypto v0.0.0-20190325154230-a5d413f7728c/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
+golang.org/x/crypto v0.0.0-20191205180655-e7c4368fe9dd/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/exp v0.0.0-20230905200255-921286631fa9 h1:GoHiUyI/Tp2nVkLI2mCxVkOjsbSXD66ic0XW0js0R9g=
 golang.org/x/exp v0.0.0-20230905200255-921286631fa9/go.mod h1:S2oDrQGGwySpoQPVqRShND87VCbxmc6bL1Yd2oYrm6k=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
+golang.org/x/net v0.0.0-20180218175443-cbe0f9307d01/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20200202094626-16171245cfb2/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20200324143707-d3edc9973b7e/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
 golang.org/x/net v0.0.0-20200520004742-59133d7f0dd7/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
 golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.19.0 h1:zTwKpTd2XuCqf8huc7Fo2iSy+4RHPd10s4KzeTnVr1c=
+golang.org/x/net v0.19.0/go.mod h1:CfAk/cbD4CthTvqiEl8NpboMuiuOYsAr/7NOjZJtv1U=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -142,6 +170,7 @@ golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8T
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 h1:H2TDz8ibqkAF6YGhCdN3jS9O0/s90v0rJh3X/OLHEUk=
+golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2/go.mod h1:K8+ghG5WaK9qNqU5K3HdILfMLy1f3aNYFI/wnl100a8=
 google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
 google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
 google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM=
@@ -150,6 +179,7 @@ google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzi
 google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
+gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
 gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys=
 gopkg.in/ini.v1 v1.67.0 h1:Dgnx+6+nfE+IfzjUEISNeydPJh9AXNNsWbGP9KzCsOA=
 gopkg.in/ini.v1 v1.67.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=