STEP 7: Configure OS baseline and Vulnerability Assessment Solution
This step is optional.
Enabling auto provisioning of the Azure Security Center monitoring agent and connecting VMs to an OMS workspace allows the Cloudneeti application to collect data for the OS baseline security policies available in CIS, listed here.
Vulnerability Assessment Integrations: Enabling deployment of a 3rd party partner vulnerability assessment solution using Azure Security Center allows Cloudneeti to collect all the VA findings reported by partner solutions and associate them to each of the cloud assets.
Steps | Prerequisite for VM Baseline Policies | Prerequisite for vulnerability assessment |
---|---|---|
7.1 Connect VMs to OMS workspace | Yes | Yes |
7.2 Install vulnerability solution on VMs | NA | Yes |
7.3 Verify instance status | NA | Yes |
7.4 Verify data on Cloudneeti | Yes | Yes |
7.1 Connect VMs to Azure Log Analytics workspace
Installing the Log Analytics VM extension for Windows and Linux allows Azure Monitor to collect data from your Azure VMs.
- Navigate to Log Analytics Workspaces
- Create or use existing log analytics workspace
- Select Windows VMs for connecting the Log Analytics workspace
- Click Connect to add log analytics workspace
- Enable Auto Provisioning of Azure Security Center monitoring agent.
- Verify extension is added
- Check Recommendation, it may take some time.
7.2 Install vulnerability solution on VMs
Vulnerability assessment solutions that are integrated with Azure Security Center are supported, with the initial Cloudneeti integrations for Qualys and Rapid7. Other VA integrations will be rolled out in future releases.
Deploy a partner Vulnerability Assessment Solution on VMs
- Navigate to Compute & apps in Security Center
- Choose recommendation
- Install solution on selected VMs
- Add details for installing agent
  - Qualys
  - Rapid7
- Verify the extension status: the Qualys or Rapid7 agent should show Provisioning succeeded
7.3 Verify instance status is healthy
- Navigate to Compute & apps (2) in Security Center (1)
- Select VMs and Servers (3)
- Select VM to be verified (4)
- Select recommendation Vulnerability assessment solution should be installed on your virtual machines
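The extension checks in steps 7.1 and 7.2 can also be run over exported extension data for many VMs at once, applying the prerequisite table from the top of this step. The script below is an added example, not Cloudneeti or Microsoft code; it reads per-VM JSON in the shape returned by `az vm extension list`. The publisher strings used to recognise each agent and the sample inventory are assumptions and constructed data; confirm them against your own output.

```python
import json

# Assumed publisher strings (lower-cased) used to recognise each agent.
# Confirm them against your own `az vm extension list` output.
LOG_ANALYTICS_PUBLISHERS = {"microsoft.enterprisecloud.monitoring"}
VA_PUBLISHERS = {"qualys", "rapid7"}

# Constructed sample: VM name -> trimmed `az vm extension list` array.
# VM names, extension names and states are made up for illustration.
SAMPLE_INVENTORY = json.loads("""
{
  "web-01": [
    {"name": "MicrosoftMonitoringAgent",
     "publisher": "Microsoft.EnterpriseCloud.Monitoring",
     "provisioningState": "Succeeded"},
    {"name": "QualysAgent", "publisher": "Qualys",
     "provisioningState": "Succeeded"}
  ],
  "db-01": [
    {"name": "MicrosoftMonitoringAgent",
     "publisher": "Microsoft.EnterpriseCloud.Monitoring",
     "provisioningState": "Succeeded"},
    {"name": "QualysAgent", "publisher": "Qualys",
     "provisioningState": "Failed"}
  ],
  "app-01": [
    {"name": "CustomScriptExtension", "publisher": "Microsoft.Compute",
     "provisioningState": "Succeeded"}
  ],
  "lin-01": [
    {"name": "OmsAgentForLinux",
     "publisher": "Microsoft.EnterpriseCloud.Monitoring",
     "provisioningState": "succeeded"},
    {"name": "Rapid7Agent", "publisher": "Rapid7",
     "provisioningState": "Creating"}
  ]
}
""")


def agent_state(extensions, publishers):
    """Return 'ok', 'missing', or the first non-success provisioning state."""
    states = [
        ext.get("provisioningState") or "Unknown"
        for ext in extensions
        if (ext.get("publisher") or "").lower() in publishers
    ]
    if not states:
        return "missing"
    # The portal shows "Provisioning succeeded"; the API value is "Succeeded".
    if any(state.lower() == "succeeded" for state in states):
        return "ok"
    return states[0]


def assess(inventory):
    """Apply the prerequisite table: 7.1 gates baselines, 7.1 + 7.2 gate VA."""
    report = {}
    for vm, extensions in sorted(inventory.items()):
        log_analytics = agent_state(extensions, LOG_ANALYTICS_PUBLISHERS)
        va = agent_state(extensions, VA_PUBLISHERS)
        gaps = []
        if log_analytics != "ok":
            gaps.append(f"7.1 Log Analytics agent: {log_analytics}")
        if va != "ok":
            gaps.append(f"7.2 VA agent: {va}")
        report[vm] = {
            "baseline_ready": log_analytics == "ok",
            "va_ready": log_analytics == "ok" and va == "ok",
            "gaps": gaps,
        }
    return report


if __name__ == "__main__":
    for vm, result in assess(SAMPLE_INVENTORY).items():
        status = "ready" if result["va_ready"] else "; ".join(result["gaps"])
        print(f"{vm}: baseline={result['baseline_ready']} va={status}")
```

The instance health check in step 7.3 is reported by Security Center itself and is not visible in the extension list, so it still has to be confirmed there.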
7.4 Verify data on Cloudneeti (to be done post Cloud Account Onboarding)
After a successful scan, the Azure Windows VM vulnerability assessment will appear on the Vulnerability tab of the Asset Security dashboard.
- Qualys
- Rapid7
Azure OS baseline policies
Windows 12 R2
Category | Policy Title |
---|---|
Win OS-12R2 - Audit Policy | Windows 2012R2 - Audit Policy: Account Logon: Credential Validation |
Win OS-12R2 - Audit Policy | Windows 2012R2 - Ensure 'Audit Application Group Management' is set |
Win OS-12R2 - Audit Policy | Windows 2012R2 - Audit Policy: Account Management: Other Account Management Events |
Win OS-12R2 - Audit Policy | Windows 2012R2 - Audit Policy: Account Management: Security Group Management |
Win OS-12R2 - Audit Policy | Windows 2012R2 - Audit Policy: Account Management: User Account Management |
Win OS-12R2 - Audit Policy | Windows 2012R2 - Audit Policy: Detailed Tracking: Process Creation |
Win OS-12R2 - Audit Policy | Windows 2012R2 - Audit Policy: Logon-Logoff: Account Lockout |
Win OS-12R2 - Audit Policy | Windows 2012R2 - Audit Policy: Logon-Logoff: Logoff |
Win OS-12R2 - Audit Policy | Windows 2012R2 - Audit Policy: Logon-Logoff: Logon |
Win OS-12R2 - Audit Policy | Windows 2012R2 - Ensure 'Audit Other Logon/Logoff Events' is set to 'Success and Failure' |
Win OS-12R2 - Audit Policy | Windows 2012R2 - Audit Policy: Logon-Logoff: Special Logon |
Win OS-12R2 - Audit Policy | Windows 2012R2 - Ensure 'Audit Removable Storage' is set to 'Success and Failure' |
Win OS-12R2 - Audit Policy | Windows 2012R2 - Audit Policy: Policy Change: Audit Policy Change |
Win OS-12R2 - Audit Policy | Windows 2012R2 - Audit Policy: Policy Change: Authentication Policy Change |
Win OS-12R2 - Audit Policy | Windows 2012R2 - Ensure 'Audit Authorization Policy Change' is set to 'Success' |
Win OS-12R2 - Audit Policy | Windows 2012R2 - Audit Policy: Privilege Use: Sensitive Privilege Use |
Win OS-12R2 - Audit Policy | Windows 2012R2 - Audit Policy: System: IPsec Driver |
Win OS-12R2 - Audit Policy | Windows 2012R2 - Audit Policy: System: Other System Events |
Win OS-12R2 - Audit Policy | Windows 2012R2 - Audit Policy: System: Security State Change |
Win OS-12R2 - Audit Policy | Windows 2012R2 - Audit Policy: System: Security System Extension |
Win OS-12R2 - Audit Policy | Windows 2012R2 - Audit Policy: System: System Integrity |
Win OS-12R2 - Audit Policy | Windows 2012R2 - Audit Central Access Policy Staging |
Win OS-12R2 - Audit Policy | Windows 2012R2 - Audit Handle Manipulation |
Win OS-12R2 - Audit Policy | Windows 2012R2 - Audit Kernel Object |
Win OS-12R2 - Audit Policy | Windows 2012R2 - Audit File System |
Win OS-12R2 - Audit Policy | Windows 2012R2 - Audit Detailed File Share |
Win OS-12R2 - Audit Policy | Windows 2012R2 - Audit Filtering Platform Packet Drop |
Win OS-12R2 - Audit Policy | Windows 2012R2 - Audit Non Sensitive Privilege Use |
Win OS-12R2 - Audit Policy | Windows 2012R2 - Audit MPSSVC Rule-Level Policy Change |
Win OS-12R2 - Audit Policy | Windows 2012R2 - Audit Network Policy Server |
Win OS-12R2 - Audit Policy | Windows 2012R2 - Audit File Share |
Win OS-12R2 - Audit Policy | Windows 2012R2 - Audit IPsec Main Mode |
Win OS-12R2 - Audit Policy | Windows 2012R2 - Audit IPsec Quick Mode |
Win OS-12R2 - Audit Policy | Windows 2012R2 - Audit Filtering Platform Policy Change |
Win OS-12R2 - Audit Policy | Windows 2012R2 - Audit Filtering Platform Connection |
Win OS-12R2 - Audit Policy | Windows 2012R2 - Audit Application Generated |
Win OS-12R2 - Audit Policy | Windows 2012R2 - Audit IPsec Extended Mode |
Win OS-12R2 - Audit Policy | Windows 2012R2 - Audit DPAPI Activity |
Win OS-12R2 - Audit Policy | Windows 2012R2 - Audit Other Privilege Use Events |
Win OS-12R2 - Audit Policy | Windows 2012R2 - Audit Other Object Access Events |
Win OS-12R2 - Audit Policy | Windows 2012R2 - Audit Other Account Logon Events |
Win OS-12R2 - Audit Policy | Windows 2012R2 - Audit Policy: Detailed Tracking: Process Termination |
Win OS-12R2 - Audit Policy | Windows 2012R2 - Audit RPC Events |
Win OS-12R2 - Audit Policy | Windows 2012R2 - Audit Registry |
Win OS-12R2 - Audit Policy | Windows 2012R2 - Audit User/Device Claims |
Win OS-12R2 - Audit Policy | Windows 2012R2 - Audit Policy: Logon-Logoff: IPsec Main Mode |
Win OS-12R2 - Audit Policy | Windows 2012R2 - Audit Other Policy Change Events |
Win OS-12R2 - Audit Policy | Windows 2012R2 - Audit Process Termination |
Win OS-12R2 - Audit Policy | Windows 2012R2 - Audit SAM |
Win OS-12R2 - Registry Policy | Windows 2012R2 - Ensure 'Allow Basic authentication' is set to 'Disabled' |
Win OS-12R2 - Registry Policy | Windows 2012R2 - Ensure 'Do not allow passwords to be saved' is set to 'Enabled' |
Win OS-12R2 - Registry Policy | Windows 2012R2 - Network access: Do not allow anonymous enumeration of SAM accounts |
Win OS-12R2 - Registry Policy | Windows 2012R2 - Network access: Do not allow anonymous enumeration of SAM accounts and shares |
Win OS-12R2 - Registry Policy | Windows 2012R2 - Ensure 'Enable RPC Endpoint Mapper Client Authentication' is set to 'Enabled' (MS only) |
Win OS-12R2 - Registry Policy | Windows 2012R2 - Ensure 'System: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater' |
Win OS-12R2 - Registry Policy | Windows 2012R2 - Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled' |
Win OS-12R2 - Registry Policy | Windows 2012R2 - Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled' |
Win OS-12R2 - Registry Policy | Windows 2012R2 - Ensure 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' is set to 'Enabled' |
Win OS-12R2 - Registry Policy | Windows 2012R2 - Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled' |
Win OS-12R2 - Registry Policy | Windows 2012R2 - Ensure 'Devices: Allowed to format and eject removable media' is set to 'Administrators' |
Win OS-12R2 - Registry Policy | Windows 2012R2 - Ensure 'Devices: Prevent users from installing printer drivers' is set to 'Enabled' |
Win OS-12R2 - Registry Policy | Windows 2012R2 - Ensure 'Interactive logon: Do not display last user name' is set to 'Enabled' |
Win OS-12R2 - Registry Policy | Windows 2012R2 - Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled' |
Win OS-12R2 - Registry Policy | Windows 2012R2 - Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled' |
Win OS-12R2 - Registry Policy | Windows 2012R2 - Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled' |
Win OS-12R2 - Registry Policy | Windows 2012R2 - Ensure 'Microsoft network server: Idle time required before suspending session' is set to '15 or fewer minute(s), but not 0' |
Win OS-12R2 - Registry Policy | Windows 2012R2 - Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled' |
Win OS-12R2 - Registry Policy | Windows 2012R2 - Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled' |
Win OS-12R2 - Registry Policy | Windows 2012R2 - Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled' |
Win OS-12R2 - Registry Policy | Windows 2012R2 - Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled' |
Win OS-12R2 - Registry Policy | Windows 2012R2 - Ensure 'Prevent enabling lock screen camera' is set to 'Enabled' |
Win OS-12R2 - Registry Policy | Windows 2012R2 - Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled' |
Win OS-12R2 - Registry Policy | Windows 2012R2 - Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled' |
Win OS-12R2 - Registry Policy | Windows 2012R2 - Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to 'Enabled' |
Win OS-12R2 - Registry Policy | Windows 2012R2 - Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical' |
Win OS-12R2 - Registry Policy | Windows 2012R2 - Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled' |
Win OS-12R2 - Registry Policy | Windows 2012R2 - Ensure 'Do not display network selection UI' is set to 'Enabled' |
Win OS-12R2 - Registry Policy | Windows 2012R2 - Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled' |
Win OS-12R2 - Registry Policy | Windows 2012R2 - Configure 'Network access: Remotely accessible registry paths' |
Win OS-12R2 - Registry Policy | Windows 2012R2 - Ensure 'Always install with elevated privileges' is set to 'Disabled' |
Win OS-12R2 - Registry Policy | Windows 2012R2 - Ensure 'Allow unencrypted traffic' is set to 'Disabled' |
Win OS-12R2 - Registry Policy | Windows 2012R2 - Ensure 'Allow user control over installs' is set to 'Disabled' |
Win OS-12R2 - Registry Policy | Windows 2012R2 - Ensure 'Always prompt for password upon connection' is set to 'Enabled' |
Win OS-12R2 - Registry Policy | Windows 2012R2 - Configure 'Network access: Remotely accessible registry paths and sub-paths' |
Win OS-12R2 - Registry Policy | Windows 2012R2 - Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled' |
Win OS-12R2 - Registry Policy | Windows 2012R2 - Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No' |
Win OS-12R2 - Registry Policy | Windows 2012R2 - Ensure 'Disallow Digest authentication' is set to 'Enabled' |
Win OS-12R2 - Registry Policy | Windows 2012R2 - Ensure 'Security: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' |
Win OS-12R2 - Registry Policy | Windows 2012R2 - Ensure 'Windows Firewall: Private: Settings: Apply local firewall rules' is set to 'Yes (default)' |
Win OS-12R2 - Registry Policy | Windows 2012R2 - Ensure 'Turn off heap termination on corruption' is set to 'Disabled' |
Win OS-12R2 - Registry Policy | Windows 2012R2 - Ensure 'Turn off Autoplay' is set to 'Enabled: All drives' |
Win OS-12R2 - Registry Policy | Windows 2012R2 - Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled' |
Win OS-12R2 - Registry Policy | Windows 2012R2 - Ensure 'Turn off shell protocol protected mode' is set to 'Disabled' |
Win OS-12R2 - Registry Policy | Windows 2012R2 - Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None' |
Win OS-12R2 - Registry Policy | Windows 2012R2 - Ensure 'Do not display the password reveal button' is set to 'Enabled' |
Win OS-12R2 - Registry Policy | Windows 2012R2 - Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled' |
Win OS-12R2 - Registry Policy | Windows 2012R2 - Ensure 'Automatically send memory dumps for OS-generated error reports' is set to 'Disabled' |
Win OS-12R2 - Registry Policy | Windows 2012R2 - Ensure 'Windows Firewall: Private: Firewall state' is set to 'On (recommended)' |
Win OS-12R2 - Registry Policy | Windows 2012R2 - Ensure 'Configure Default consent' is set to 'Enabled: Send all data' |
Win OS-12R2 - Registry Policy | Windows 2012R2 - Ensure 'System: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' |
Win OS-12R2 - Registry Policy | Windows 2012R2 - Ensure 'Include command line in process creation events' is set to 'Disabled' |
Win OS-12R2 - Registry Policy | Windows 2012R2 - Ensure 'Network Security: Configure encryption types allowed for Kerberos' is set to 'RC4_HMAC_MD5, AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types' |
Win OS-12R2 - Registry Policy | Windows 2012R2 - Ensure 'Sign-in last interactive user automatically after a system-initiated restart' is set to 'Disabled' |
Win OS-12R2 - Registry Policy | Windows 2012R2 - Ensure 'Prevent downloading of enclosures' is set to 'Enabled' |
Win OS-12R2 - Registry Policy | Windows 2012R2 - Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands' |
Win OS-12R2 - Registry Policy | Windows 2012R2 - Ensure 'Security: Specify the maximum log file size (KB)' is set to 'Enabled: 196,608 or greater' |
Win OS-12R2 - Registry Policy | Windows 2012R2 - Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled' |
Win OS-12R2 - Registry Policy | Windows 2012R2 - Ensure 'Setup: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater' |
Win OS-12R2 - Registry Policy | Windows 2012R2 - Ensure 'Set client connection encryption level' is set to 'Enabled: High Level' |
Win OS-12R2 - Registry Policy | Windows 2012R2 - Ensure 'Setup: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' |
Win OS-12R2 - Registry Policy | Windows 2012R2 - Ensure 'Application: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' |
Win OS-12R2 - Registry Policy | Windows 2012R2 - Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled' |
Win OS-12R2 - Registry Policy | Windows 2012R2 - Ensure 'Application: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater' |
Win OS-12R2 - Registry Policy | Windows 2012R2 - Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On (recommended)' |
Win OS-12R2 - Registry Policy | Windows 2012R2 - Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only. Refuse LM & NTLM' |
Win OS-12R2 - Registry Policy | Windows 2012R2 - Ensure 'Require secure RPC communication' is set to 'Enabled' |
Win OS-12R2 - Registry Policy | Windows 2012R2 - Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled' |
Win OS-12R2 - Registry Policy | Windows 2012R2 - Ensure 'Do not delete temp folders upon exit' is set to 'Disabled' |
Win OS-12R2 - Registry Policy | Windows 2012R2 - Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled' |
Win OS-12R2 - Registry Policy | Windows 2012R2 - Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No' |
Win OS-12R2 - Registry Policy | Windows 2012R2 - Ensure 'Configure Offer Remote Assistance' is set to 'Disabled' |
Win OS-12R2 - Registry Policy | Windows 2012R2 - Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)' |
Win OS-12R2 - Registry Policy | Windows 2012R2 - Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled' |
Win OS-12R2 - Registry Policy | Windows 2012R2 - Ensure 'Do not use temporary folders per session' is set to 'Disabled' |
Win OS-12R2 - Registry Policy | Windows 2012R2 - Network access: Sharing and security model for local accounts |
Win OS-12R2 - Registry Policy | Windows 2012R2 - Network security: Minimum session security for NTLM SSP based (including secure RPC) clients |
Win OS-12R2 - Registry Policy | Windows 2012R2 - System objects: Require case insensitivity for non-Windows subsystems |
Win OS-12R2 - Registry Policy | Windows 2012R2 - Network access: Let Everyone permissions apply to anonymous users |
Win OS-12R2 - Registry Policy | Windows 2012R2 - Network security: LDAP client signing requirements |
Win OS-12R2 - Registry Policy | Windows 2012R2 - Network access: Restrict anonymous access to Named Pipes and Shares |
Win OS-12R2 - Registry Policy | Windows 2012R2 - User Account Control: Admin Approval Mode for the Built-in Administrator account |
Win OS-12R2 - Registry Policy | Windows 2012R2 - 'Shutdown: Allow system to be shut down without having to log on' is set to 'Disabled' |
Win OS-12R2 - Registry Policy | Windows 2012R2 - Network security: Minimum session security for NTLM SSP based (including secure RPC) servers |
Win OS-12R2 - Registry Policy | Windows 2012R2 - Network security: Do not store LAN Manager hash value on next password change |
Win OS-12R2 - Registry Policy | Windows 2012R2 - System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links) |
Win OS-12R2 - Registry Policy | Windows 2012R2 - Network security: Allow LocalSystem NULL session fallback |
Win OS-12R2 - Registry Policy | Windows 2012R2 - Windows Firewall: Public: Display a notification |
Win OS-12R2 - Registry Policy | Windows 2012R2 - Windows Firewall: Public: Outbound connections |
Win OS-12R2 - Registry Policy | Windows 2012R2 - User Account Control: Run all administrators in Admin Approval Mode |
Win OS-12R2 - Registry Policy | Windows 2012R2 - Windows Firewall: Domain: Display a notification |
Win OS-12R2 - Registry Policy | Windows 2012R2 - User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode |
Win OS-12R2 - Registry Policy | Windows 2012R2 - Windows Firewall: Private: Display a notification |
Win OS-12R2 - Registry Policy | Windows 2012R2 - User Account Control: Behavior of the elevation prompt for standard users |
Win OS-12R2 - Registry Policy | Windows 2012R2 - User Account Control: Only elevate UIAccess applications that are installed in secure locations |
Win OS-12R2 - Registry Policy | Windows 2012R2 - User Account Control: Detect application installations and prompt for elevation |
Win OS-12R2 - Registry Policy | Windows 2012R2 - User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop |
Win OS-12R2 - Registry Policy | Windows 2012R2 - User Account Control: Virtualize file and registry write failures to per-user locations |
Win OS-12R2 - Registry Policy | Windows 2012R2 - User Account Control: Switch to the secure desktop when prompting for elevation |
Win OS-12R2 - Registry Policy | Windows 2012R2 - Windows Firewall: Domain: Outbound connections |
Win OS-12R2 - Registry Policy | Windows 2012R2 - Windows Firewall: Private: Outbound connections |
Win OS-12R2 - Registry Policy | Windows 2012R2 - Devices: Allow undock without having to log on |
Win OS-12R2 - Registry Policy | Windows 2012R2 - Ensure 'Enable Windows NTP Client' is set to 'Enabled' |
Win OS-12R2 - Registry Policy | Windows 2012R2 - Disable SMB v1 server |
Win OS-12R2 - Registry Policy | Windows 2012R2 - Ensure 'Always use classic logon' is set to 'Enabled' |
Win OS-12R2 - Registry Policy | Windows 2012R2 - Detect change from default RDP port |
Win OS-12R2 - Registry Policy | Windows 2012R2 - Disable Windows Search Service |
Win OS-12R2 - Registry Policy | Windows 2012R2 - Require user authentication for remote connections by using Network Level Authentication |
Win OS-12R2 - Registry Policy | Windows 2012R2 - Ensure 'Windows Firewall: Private: Settings: Apply local connection security rules' is set to 'Yes (default)' |
Win OS-12R2 - Registry Policy | Windows 2012R2 - Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled' |
Win OS-12R2 - Registry Policy | Windows 2012R2 - Ensure 'Windows Firewall: Domain: Settings: Apply local firewall rules' is set to 'Yes (default)' |
Win OS-12R2 - Registry Policy | Windows 2012R2 - Ensure 'Windows Firewall: Domain: Settings: Apply local connection security rules' is set to 'Yes (default)' |
Win OS-12R2 - Registry Policy | Windows 2012R2 - System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies |
Win OS-12R2 - Registry Policy | Windows 2012R2 - Recovery console: Allow floppy copy and access to all drives and all folders |
Win OS-12R2 - Registry Policy | Windows 2012R2 - Specify the interval to check for definition updates |
Win OS-12R2 - Registry Policy | Windows 2012R2 - Windows Firewall: Private: Allow unicast response |
Win OS-12R2 - Registry Policy | Windows 2012R2 - Windows Firewall: Domain: Allow unicast response |
Win OS-12R2 - Registry Policy | Windows 2012R2 - Ensure 'Prohibit use of Internet Connection Sharing on your DNS domain network' is set to 'Enabled' |
Win OS-12R2 - Registry Policy | Windows 2012R2 - Shutdown: Clear virtual memory pagefile |
Win OS-12R2 - Registry Policy | Windows 2012R2 - Windows Firewall: Public: Allow unicast response |
Win OS-12R2 - Security Policy | Windows 2012R2 - Ensure 'Enforce password history' is set to '24 or more password(s)' |
Win OS-12R2 - Security Policy | Windows 2012R2 - Ensure 'Maximum password age' is set to '70 or fewer days, but not 0' |
Win OS-12R2 - Security Policy | Windows 2012R2 - Ensure 'Minimum password age' is set to '1 or more day(s)' |
Win OS-12R2 - Security Policy | Windows 2012R2 - Ensure 'Minimum password length' is set to '14 or more character(s)' |
Win OS-12R2 - Security Policy | Windows 2012R2 - Ensure 'Password must meet complexity requirements' is set to 'Enabled' |
Win OS-12R2 - Security Policy | Windows 2012R2 - Ensure 'Store passwords using reversible encryption' is set to 'Disabled' |
Win OS-12R2 - Security Policy | Windows 2012R2 - Ensure 'Access Credential Manager as a trusted caller' is set to 'No One' |
Win OS-12R2 - Security Policy | Windows 2012R2 - Configure 'Access this computer from the network' |
Win OS-12R2 - Security Policy | Windows 2012R2 - Ensure 'Act as part of the operating system' is set to 'No One' |
Win OS-12R2 - Security Policy | Windows 2012R2 - Ensure 'Allow log on locally' is set to 'Administrators' |
Win OS-12R2 - Security Policy | Windows 2012R2 - Configure 'Allow log on through Remote Desktop Services' |
Win OS-12R2 - Security Policy | Windows 2012R2 - Ensure 'Back up files and directories' is set to 'Administrators' |
Win OS-12R2 - Security Policy | Windows 2012R2 - Ensure 'Change the system time' is set to 'Administrators, LOCAL SERVICE' |
Win OS-12R2 - Security Policy | Windows 2012R2 - Ensure 'Change the time zone' is set to 'Administrators, LOCAL SERVICE' |
Win OS-12R2 - Security Policy | Windows 2012R2 - Ensure 'Create a pagefile' is set to 'Administrators' |
Win OS-12R2 - Security Policy | Windows 2012R2 - Ensure 'Create a token object' is set to 'No One' |
Win OS-12R2 - Security Policy | Windows 2012R2 - Ensure 'Create global objects' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE' |
Win OS-12R2 - Security Policy | Windows 2012R2 - Ensure 'Create permanent shared objects' is set to 'No One' |
Win OS-12R2 - Security Policy | Windows 2012R2 - Configure 'Create symbolic links' |
Win OS-12R2 - Security Policy | Windows 2012R2 - Configure 'Deny access to this computer from the network' |
Win OS-12R2 - Security Policy | Windows 2012R2 - Ensure 'Deny log on as a batch job' to include 'Guests' |
Win OS-12R2 - Security Policy | Windows 2012R2 - Ensure 'Deny log on as a service' to include 'Guests' |
Win OS-12R2 - Security Policy | Windows 2012R2 - Ensure 'Deny log on locally' to include 'Guests' |
Win OS-12R2 - Security Policy | Windows 2012R2 - Configure 'Deny log on through Remote Desktop Services' |
Win OS-12R2 - Security Policy | Windows 2012R2 - Configure 'Enable computer and user accounts to be trusted for delegation' |
Win OS-12R2 - Security Policy | Windows 2012R2 - Ensure 'Force shutdown from a remote system' is set to 'Administrators' |
Win OS-12R2 - Security Policy | Windows 2012R2 - Ensure 'Generate security audits' is set to 'LOCAL SERVICE, NETWORK SERVICE' |
Win OS-12R2 - Security Policy | Windows 2012R2 - Ensure 'Increase scheduling priority' is set to 'Administrators' |
Win OS-12R2 - Security Policy | Windows 2012R2 - Ensure 'Load and unload device drivers' is set to 'Administrators' |
Win OS-12R2 - Security Policy | Windows 2012R2 - Ensure 'Lock pages in memory' is set to 'No One' |
Win OS-12R2 - Security Policy | Windows 2012R2 - Configure 'Manage auditing and security log' |
Win OS-12R2 - Security Policy | Windows 2012R2 - Ensure 'Modify an object label' is set to 'No One' |
Win OS-12R2 - Security Policy | Windows 2012R2 - Ensure 'Modify firmware environment values' is set to 'Administrators' |
Win OS-12R2 - Security Policy | Windows 2012R2 - Ensure 'Perform volume maintenance tasks' is set to 'Administrators' |
Win OS-12R2 - Security Policy | Windows 2012R2 - Ensure 'Profile single process' is set to 'Administrators' |
Win OS-12R2 - Security Policy | Windows 2012R2 - Ensure 'Replace a process level token' is set to 'LOCAL SERVICE, NETWORK SERVICE' |
Win OS-12R2 - Security Policy | Windows 2012R2 - Ensure 'Restore files and directories' is set to 'Administrators' |
Win OS-12R2 - Security Policy | Windows 2012R2 - Ensure 'Shut down the system' is set to 'Administrators' |
Win OS-12R2 - Security Policy | Windows 2012R2 - Ensure 'Take ownership of files or other objects' is set to 'Administrators' |
Win OS-12R2 - Security Policy | Windows 2012R2 - Ensure 'Accounts: Guest account status' is set to 'Disabled' (MS only) |
Win OS-12R2 - Security Policy | Windows 2012R2 - Ensure 'Profile system performance' is set to 'Administrators, NT SERVICE-WdiServiceHost' |
Win OS-12R2 - Security Policy | Windows 2012R2 - Increase a process working set |
Win OS-12R2 - Security Policy | Windows 2012R2 - Bypass traverse checking |
Windows 16
Category | Policy Title |
---|---|
Win OS-16 - Audit Policy | Windows 2016 - Ensure 'Audit Application Group Management' is set |
Win OS-16 - Audit Policy | Windows 2016 - Ensure 'Audit Authentication Policy Change' is set to 'Success' |
Win OS-16 - Audit Policy | Windows 2016 - Ensure 'Audit Logoff' is set to 'Success' |
Win OS-16 - Audit Policy | Windows 2016 - Ensure 'Audit Security State Change' is set to 'Success' |
Win OS-16 - Audit Policy | Windows 2016 - Ensure 'Audit Logon' is set to 'Success and Failure' |
Win OS-16 - Audit Policy | Windows 2016 - Ensure 'Audit Security Group Management' is set to 'Success' |
Win OS-16 - Audit Policy | Windows 2016 - Ensure 'Audit Policy Change' is set to 'Success' |
Win OS-16 - Audit Policy | Windows 2016 - Ensure 'Audit User Account Management' is set to 'Success and Failure' |
Win OS-16 - Audit Policy | Windows 2016 - Ensure 'Audit IPsec Driver' is set to 'Success and Failure' |
Win OS-16 - Audit Policy | Windows 2016 - Ensure 'Audit Other System Events' is set to 'Success and Failure' |
Win OS-16 - Audit Policy | Windows 2016 - Ensure 'Audit Other Logon/Logoff Events' is set to 'Success and Failure' |
Win OS-16 - Audit Policy | Windows 2016 - Ensure 'Audit Removable Storage' is set to 'Success and Failure' |
Win OS-16 - Audit Policy | Windows 2016 - Ensure 'Audit Credential Validation' is set to 'Success and Failure' |
Win OS-16 - Audit Policy | Windows 2016 - Ensure 'Audit Security System Extension' is set to 'Success' |
Win OS-16 - Audit Policy | Windows 2016 - Ensure 'Audit Account Lockout' is set to 'Success and Failure' |
Win OS-16 - Audit Policy | Windows 2016 - Ensure 'Audit Authorization Policy Change' is set to 'Success' |
Win OS-16 - Audit Policy | Windows 2016 - Ensure 'Audit System Integrity' is set to 'Success' |
Win OS-16 - Audit Policy | Windows 2016 - Ensure 'Audit Special Logon' is set to 'Success' |
Win OS-16 - Audit Policy | Windows 2016 - Ensure 'Audit Sensitive Privilege Use' is set to 'Success and Failure' |
Win OS-16 - Audit Policy | Windows 2016 - Ensure 'Audit Process Creation' is set to 'Success and Failure' |
Win OS-16 - Audit Policy | Windows 2016 - Audit IPsec Extended Mode |
Win OS-16 - Audit Policy | Windows 2016 - Audit Detailed File Share |
Win OS-16 - Audit Policy | Windows 2016 - Audit Filtering Platform Packet Drop |
Win OS-16 - Audit Policy | Windows 2016 - Audit MPSSVC Rule-Level Policy Change |
Win OS-16 - Audit Policy | Windows 2016 - Audit Kernel Object |
Win OS-16 - Audit Policy | Windows 2016 - Audit IPsec Main Mode |
Win OS-16 - Audit Policy | Windows 2016 - Audit File Share |
Win OS-16 - Audit Policy | Windows 2016 - Audit Other Object Access Events |
Win OS-16 - Audit Policy | Windows 2016 - Audit IPsec Quick Mode |
Win OS-16 - Audit Policy | Windows 2016 - Audit Filtering Platform Policy Change |
Win OS-16 - Audit Policy | Windows 2016 - Audit Handle Manipulation |
Win OS-16 - Audit Policy | Windows 2016 - Audit Network Policy Server |
Win OS-16 - Audit Policy | Windows 2016 - Audit Central Access Policy Staging |
Win OS-16 - Audit Policy | Windows 2016 - Audit Other Account Logon Events |
Win OS-16 - Audit Policy | Windows 2016 - Audit Non Sensitive Privilege Use |
Win OS-16 - Audit Policy | Windows 2016 - Audit Filtering Platform Connection |
Win OS-16 - Audit Policy | Windows 2016 - Audit Application Generated |
Win OS-16 - Audit Policy | Windows 2016 - Audit DPAPI Activity |
Win OS-16 - Audit Policy | Windows 2016 - Audit File System |
Win OS-16 - Audit Policy | Windows 2016 - Audit User/Device Claims |
Win OS-16 - Audit Policy | Windows 2016 - Audit Policy: Detailed Tracking: Process Termination |
Win OS-16 - Audit Policy | Windows 2016 - Audit Policy: Logon-Logoff: IPsec Main Mode |
Win OS-16 - Audit Policy | Windows 2016 - Audit Process Termination |
Win OS-16 - Audit Policy | Windows 2016 - Ensure 'Audit PNP Activity' is set to 'Success' |
Win OS-16 - Audit Policy | Windows 2016 - Audit SAM |
Win OS-16 - Audit Policy | Windows 2016 - Audit Registry |
Win OS-16 - Audit Policy | Windows 2016 - Ensure 'Audit Group Membership' is set to 'Success' |
Win OS-16 - Audit Policy | Windows 2016 - Audit Other Policy Change Events |
Win OS-16 - Audit Policy | Windows 2016 - Audit Other Privilege Use Events |
Win OS-16 - Audit Policy | Windows 2016 - Audit RPC Events |
Win OS-16 - Registry Policy | Windows 2016 - Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled' |
Win OS-16 - Registry Policy | Windows 2016 - Ensure 'Do not display network selection UI' is set to 'Enabled' |
Win OS-16 - Registry Policy | Windows 2016 - Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled' |
Win OS-16 - Registry Policy | Windows 2016 - Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled' |
Win OS-16 - Registry Policy | Windows 2016 - Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to 'Enabled' |
Win OS-16 - Registry Policy | Windows 2016 - Ensure 'Windows Firewall: Private: Outbound connections' is set to 'Allow (default)' |
Win OS-16 - Registry Policy | Windows 2016 - Ensure 'Prevent enabling lock screen camera' is set to 'Enabled' |
Win OS-16 - Registry Policy | Windows 2016 - Ensure 'Shut down the system' is set to 'Administrators' |
Win OS-16 - Registry Policy | Windows 2016 - Ensure 'Disallow Digest authentication' is set to 'Enabled' |
Win OS-16 - Registry Policy | Windows 2016 - Ensure 'Allow indexing of encrypted files' is set to 'Disabled' |
Win OS-16 - Registry Policy | Windows 2016 - Ensure 'Setup: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' |
Win OS-16 - Registry Policy | Windows 2016 - Ensure 'Windows Firewall: Private: Firewall state' is set to 'On (recommended)' |
Win OS-16 - Registry Policy | Windows 2016 - Ensure 'Allow unencrypted traffic' is set to 'Disabled' |
Win OS-16 - Registry Policy | Windows 2016 - Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands' |
Win OS-16 - Registry Policy | Windows 2016 - Ensure 'Do not use temporary folders per session' is set to 'Disabled' |
Win OS-16 - Registry Policy | Windows 2016 - Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None' |
Win OS-16 - Registry Policy | Windows 2016 - Ensure 'Microsoft network server: Idle time required before suspending session' is set to '15 or fewer minute(s), but not 0' |
Win OS-16 - Registry Policy | Windows 2016 - Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'Yes' |
Win OS-16 - Registry Policy | Windows 2016 - Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No' |
Win OS-16 - Registry Policy | Windows 2016 - Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled' |
Win OS-16 - Registry Policy | Windows 2016 - Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled' |
Win OS-16 - Registry Policy | Windows 2016 - Ensure 'Do not delete temp folders upon exit' is set to 'Disabled' |
Win OS-16 - Registry Policy | Windows 2016 - Ensure 'Devices: Prevent users from installing printer drivers' is set to 'Enabled' |
Win OS-16 - Registry Policy | Windows 2016 - Ensure 'Always prompt for password upon connection' is set to 'Enabled' |
Win OS-16 - Registry Policy | Windows 2016 - Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical' |
Win OS-16 - Registry Policy | Windows 2016 - Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled' |
Win OS-16 - Registry Policy | Windows 2016 - Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled' |
Win OS-16 - Registry Policy | Windows 2016 - Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers |
Win OS-16 - Registry Policy | Windows 2016 - Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)' |
Win OS-16 - Registry Policy | Windows 2016 - Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No' |
Win OS-16 - Registry Policy | Windows 2016 - Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled' |
Win OS-16 - Registry Policy | Windows 2016 - Ensure 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' is set to 'Enabled' |
Win OS-16 - Registry Policy | Windows 2016 - Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled' |
Win OS-16 - Registry Policy | Windows 2016 - Ensure 'Network Security: Configure encryption types allowed for Kerberos' is set to 'RC4_HMAC_MD5, AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types' |
Win OS-16 - Registry Policy | Windows 2016 - Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled' |
Win OS-16 - Registry Policy | Windows 2016 - Ensure 'Application: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' |
Win OS-16 - Registry Policy | Windows 2016 - Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signing' or higher |
Win OS-16 - Registry Policy | Windows 2016 - Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled' |
Win OS-16 - Registry Policy | Windows 2016 - Ensure 'Interactive logon: Do not display last user name' is set to 'Enabled' |
Win OS-16 - Registry Policy | Windows 2016 - Ensure 'Include command line in process creation events' is set to 'Disabled' |
Win OS-16 - Registry Policy | Windows 2016 - Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled' |
Win OS-16 - Registry Policy | Windows 2016 - Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled' |
Win OS-16 - Registry Policy | Windows 2016 - Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled' |
Win OS-16 - Registry Policy | Windows 2016 - Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to 'Require NTLMv2 session security, Require 128-bit encryption' |
Win OS-16 - Registry Policy | Windows 2016 - Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled' |
Win OS-16 - Registry Policy | Windows 2016 - Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled' |
Win OS-16 - Registry Policy | Windows 2016 - Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves' |
Win OS-16 - Registry Policy | Windows 2016 - Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled' |
Win OS-16 - Registry Policy | Windows 2016 - Configure 'Network access: Remotely accessible registry paths' |
Win OS-16 - Registry Policy | Windows 2016 - Ensure 'Configure Windows SmartScreen' is set to 'Enabled' |
Win OS-16 - Registry Policy | Windows 2016 - Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to 'Require NTLMv2 session security, Require 128-bit encryption' |
Win OS-16 - Registry Policy | Windows 2016 - Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled' |
Win OS-16 - Registry Policy | Windows 2016 - Ensure 'Allow Basic authentication' is set to 'Disabled' |
Win OS-16 - Registry Policy | Windows 2016 - Ensure 'Prevent downloading of enclosures' is set to 'Enabled' |
Win OS-16 - Registry Policy | Windows 2016 - Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only. Refuse LM & NTLM' |
Win OS-16 - Registry Policy | Windows 2016 - Ensure 'Allow user control over installs' is set to 'Disabled' |
Win OS-16 - Registry Policy | Windows 2016 - Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled' |
Win OS-16 - Registry Policy | Windows 2016 - Ensure 'Do not display the password reveal button' is set to 'Enabled' |
Win OS-16 - Registry Policy | Windows 2016 - Ensure 'Configure Offer Remote Assistance' is set to 'Disabled' |
Win OS-16 - Registry Policy | Windows 2016 - Ensure 'Devices: Allowed to format and eject removable media' is set to 'Administrators' |
Win OS-16 - Registry Policy | Windows 2016 - Configure 'Network access: Remotely accessible registry paths and sub-paths' |
Win OS-16 - Registry Policy | Windows 2016 - Ensure 'Do not allow passwords to be saved' is set to 'Enabled' |
Win OS-16 - Registry Policy | Windows 2016 - Ensure 'Always install with elevated privileges' is set to 'Disabled' |
Win OS-16 - Registry Policy | Windows 2016 - Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled' |
Win OS-16 - Registry Policy | Windows 2016 - Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled' |
Win OS-16 - Registry Policy | Windows 2016 - Ensure 'Require secure RPC communication' is set to 'Enabled' |
Win OS-16 - Registry Policy | Windows 2016 - Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled' |
Win OS-16 - Registry Policy | Windows 2016 - Ensure 'System: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' |
Win OS-16 - Registry Policy | Windows 2016 - Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled' |
Win OS-16 - Registry Policy | Windows 2016 - Ensure 'Set client connection encryption level' is set to 'Enabled: High Level' |
Win OS-16 - Registry Policy | Windows 2016 - Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On (recommended)' |
Win OS-16 - Registry Policy | Windows 2016 - Ensure 'Security: Specify the maximum log file size (KB)' is set to 'Enabled: 196,608 or greater' |
Win OS-16 - Registry Policy | Windows 2016 - Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No' |
Win OS-16 - Registry Policy | Windows 2016 - Ensure 'Sign-in last interactive user automatically after a system-initiated restart' is set to 'Disabled' |
Win OS-16 - Registry Policy | Windows 2016 - Ensure 'Turn off heap termination on corruption' is set to 'Disabled' |
Win OS-16 - Registry Policy | Windows 2016 - Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled' |
Win OS-16 - Registry Policy | Windows 2016 - Ensure 'System: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater' |
Win OS-16 - Registry Policy | Windows 2016 - Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled' |
Win OS-16 - Registry Policy | Windows 2016 - Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled' |
Win OS-16 - Registry Policy | Windows 2016 - Ensure 'Setup: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater' |
Win OS-16 - Registry Policy | Windows 2016 - Ensure 'Windows Firewall: Domain: Outbound connections' is set to 'Allow (default)' |
Win OS-16 - Registry Policy | Windows 2016 - Ensure 'UAC: Elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure desktop' |
Win OS-16 - Registry Policy | Windows 2016 - Ensure 'Security: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' |
Win OS-16 - Registry Policy | Windows 2016 - Ensure 'UAC: Allow UIAccess applications to prompt for elevation without using the secure desktop' is set to 'Disabled' |
Win OS-16 - Registry Policy | Windows 2016 - Ensure 'UAC: Behavior of the elevation prompt for standard users' is set to 'Automatically deny elevation requests' |
Win OS-16 - Registry Policy | Windows 2016 - Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled' |
Win OS-16 - Registry Policy | Windows 2016 - Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled' |
Win OS-16 - Registry Policy | Windows 2016 - Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled' |
Win OS-16 - Registry Policy | Windows 2016 - Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled' |
Win OS-16 - Registry Policy | Windows 2016 - Ensure 'Shutdown: Allow system to be shut down without having to log on' is set to 'Disabled' |
Win OS-16 - Registry Policy | Windows 2016 - Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled' |
Win OS-16 - Registry Policy | Windows 2016 - Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled' |
Win OS-16 - Registry Policy | Windows 2016 - Ensure 'Turn off Autoplay' is set to 'Enabled: All drives' |
Win OS-16 - Registry Policy | Windows 2016 - Ensure 'Turn off shell protocol protected mode' is set to 'Disabled' |
Win OS-16 - Registry Policy | Windows 2016 - Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No' |
Win OS-16 - Registry Policy | Windows 2016 - Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow (default)' |
Win OS-16 - Registry Policy | Windows 2016 - Ensure 'Application: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater' |
Win OS-16 - Registry Policy | Windows 2016 - Ensure 'Enable RPC Endpoint Mapper Client Authentication' is set to 'Enabled' (MS only) |
Win OS-16 - Registry Policy | Windows 2016 - Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled' (MS only) |
Win OS-16 - Registry Policy | Windows 2016 - Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is set to 'Enabled' (MS only) |
Win OS-16 - Registry Policy | Windows 2016 - Ensure 'Allow search and Cortana to use location' is set to 'Disabled' |
Win OS-16 - Registry Policy | Windows 2016 - Disable 'Configure local setting override for reporting to Microsoft MAPS' |
Win OS-16 - Registry Policy | Windows 2016 - Disable SMB v1 server |
Win OS-16 - Registry Policy | Windows 2016 - Ensure 'Allow Cortana above lock screen' is set to 'Disabled' |
Win OS-16 - Registry Policy | Windows 2016 - Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow' |
Win OS-16 - Registry Policy | Windows 2016 - Ensure 'Allow Cortana' is set to 'Disabled' |
Win OS-16 - Registry Policy | Windows 2016 - Ensure 'Allow Input Personalization' is set to 'Disabled' |
Win OS-16 - Registry Policy | Windows 2016 - Ensure 'Do not show feedback notifications' is set to 'Enabled' |
Win OS-16 - Registry Policy | Windows 2016 - Ensure 'Prohibit use of Internet Connection Sharing on your DNS domain network' is set to 'Enabled' |
Win OS-16 - Registry Policy | Windows 2016 - Ensure 'Enable Windows NTP Client' is set to 'Enabled' |
Win OS-16 - Registry Policy | Windows 2016 - Ensure 'Allow Telemetry' is set to 'Enabled: 0 - Security [Enterprise Only]' |
Win OS-16 - Registry Policy | Windows 2016 - Ensure 'Enable insecure guest logons' is set to 'Disabled' |
Win OS-16 - Registry Policy | Windows 2016 - Enable 'Scan removable drives' by setting DisableRemovableDriveScanning (REG_DWORD) to 0 |
Win OS-16 - Registry Policy | Windows 2016 - Ensure 'Continue experiences on this device' is set to 'Disabled' |
Win OS-16 - Registry Policy | Windows 2016 - Enable 'Send file samples when further analysis is required' for 'Send Safe Samples' |
Win OS-16 - Registry Policy | Windows 2016 - Enable 'Turn on behavior monitoring' |
Win OS-16 - Registry Policy | Windows 2016 - Disable Windows Search Service |
Win OS-16 - Registry Policy | Windows 2016 - Ensure 'Block user from showing account details on sign-in' is set to 'Enabled' |
Win OS-16 - Registry Policy | Windows 2016 - Devices: Allow undock without having to log on |
Win OS-16 - Registry Policy | Windows 2016 - Detect change from default RDP port |
Win OS-16 - Registry Policy | Windows 2016 - Windows Firewall: Domain: Allow unicast response |
Win OS-16 - Registry Policy | Windows 2016 - Shutdown: Clear virtual memory pagefile |
Win OS-16 - Registry Policy | Windows 2016 - Ensure 'Windows Firewall: Domain: Settings: Apply local firewall rules' is set to 'Yes (default)' |
Win OS-16 - Registry Policy | Windows 2016 - Ensure 'Windows Firewall: Private: Settings: Apply local firewall rules' is set to 'Yes (default)' |
Win OS-16 - Registry Policy | Windows 2016 - Windows Firewall: Public: Allow unicast response |
Win OS-16 - Registry Policy | Windows 2016 - Ensure 'Turn off multicast name resolution' is set to 'Enabled' (MS Only) |
Win OS-16 - Registry Policy | Windows 2016 - Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled' |
Win OS-16 - Registry Policy | Windows 2016 - Ensure 'Windows Firewall: Private: Settings: Apply local connection security rules' is set to 'Yes (default)' |
Win OS-16 - Registry Policy | Windows 2016 - Recovery console: Allow floppy copy and access to all drives and all folders |
Win OS-16 - Registry Policy | Windows 2016 - Windows Firewall: Private: Allow unicast response |
Win OS-16 - Registry Policy | Windows 2016 - Ensure 'Windows Firewall: Domain: Settings: Apply local connection security rules' is set to 'Yes (default)' |
Win OS-16 - Registry Policy | Windows 2016 - Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled' |
Win OS-16 - Registry Policy | Windows 2016 - Require user authentication for remote connections by using Network Level Authentication |
Win OS-16 - Registry Policy | Windows 2016 - System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies |
Win OS-16 - Security Policy | Windows 2016 - Ensure 'Increase scheduling priority' is set to 'Administrators' |
Win OS-16 - Security Policy | Windows 2016 - Ensure 'Take ownership of files or other objects' is set to 'Administrators' |
Win OS-16 - Security Policy | Windows 2016 - Ensure 'Modify firmware environment values' is set to 'Administrators' |
Win OS-16 - Security Policy | Windows 2016 - Configure 'Deny access to this computer from the network' |
Win OS-16 - Security Policy | Windows 2016 - Ensure 'Force shutdown from a remote system' is set to 'Administrators' |
Win OS-16 - Security Policy | Windows 2016 - Configure 'Allow log on locally' |
Win OS-16 - Security Policy | Windows 2016 - Ensure 'Deny log on locally' is configured |
Win OS-16 - Security Policy | Windows 2016 - Ensure 'Change the time zone' is set to 'Administrators, LOCAL SERVICE' |
Win OS-16 - Security Policy | Windows 2016 - Configure 'Enable computer and user accounts to be trusted for delegation' |
Win OS-16 - Security Policy | Windows 2016 - Ensure 'Load and unload device drivers' is configured |
Win OS-16 - Security Policy | Windows 2016 - Ensure 'Create global objects' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE' |
Win OS-16 - Security Policy | Windows 2016 - Ensure 'Deny log on as a service' is configured |
Win OS-16 - Security Policy | Windows 2016 - Configure 'Access this computer from the network' |
Win OS-16 - Security Policy | Windows 2016 - Ensure 'Minimum password length' is set to '14 or more character(s)' |
Win OS-16 - Security Policy | Windows 2016 - Configure 'Create symbolic links' |
Win OS-16 - Security Policy | Windows 2016 - Ensure 'Deny log on through Remote Desktop Services' is configured |
Win OS-16 - Security Policy | Windows 2016 - Ensure 'Lock pages in memory' is set to 'No One' |
Win OS-16 - Security Policy | Windows 2016 - Ensure 'Restore files and directories' is set to 'Administrators, Backup Operators' |
Win OS-16 - Security Policy | Windows 2016 - Ensure 'Create a token object' is set to 'No One' |
Win OS-16 - Security Policy | Windows 2016 - Ensure 'Create a pagefile' is set to 'Administrators' |
Win OS-16 - Security Policy | Windows 2016 - Ensure 'Store passwords using reversible encryption' is set to 'Disabled' |
Win OS-16 - Security Policy | Windows 2016 - Ensure 'Generate security audits' is set to 'LOCAL SERVICE, NETWORK SERVICE' |
Win OS-16 - Security Policy | Windows 2016 - Ensure 'Password must meet complexity requirements' is set to 'Enabled' |
Win OS-16 - Security Policy | Windows 2016 - Ensure 'Change the system time' is configured |
Win OS-16 - Security Policy | Windows 2016 - Ensure 'Perform volume maintenance tasks' is set to 'Administrators' |
Win OS-16 - Security Policy | Windows 2016 - Ensure 'Deny log on as a batch job' is configured |
Win OS-16 - Security Policy | Windows 2016 - Ensure 'Back up files and directories' is configured |
Win OS-16 - Security Policy | Windows 2016 - Configure 'Allow log on through Remote Desktop Services' |
Win OS-16 - Security Policy | Windows 2016 - Ensure 'Minimum password age' is set to '1 or more day(s)' |
Win OS-16 - Security Policy | Windows 2016 - Ensure 'Profile single process' is set to 'Administrators' |
Win OS-16 - Security Policy | Windows 2016 - Ensure 'Maximum password age' is set to '70 or fewer days, but not 0' |
Win OS-16 - Security Policy | Windows 2016 - Ensure 'Create permanent shared objects' is set to 'No One' |
Win OS-16 - Security Policy | Windows 2016 - Ensure 'Profile system performance' is set to 'Administrators, NT SERVICE\WdiServiceHost' |
Win OS-16 - Security Policy | Windows 2016 - Ensure 'Replace a process level token' is set to 'LOCAL SERVICE, NETWORK SERVICE' |
Win OS-16 - Security Policy | Windows 2016 - Ensure 'Act as part of the operating system' is set to 'No One' |
Win OS-16 - Security Policy | Windows 2016 - Ensure 'Access Credential Manager as a trusted caller' is set to 'No One' |
Win OS-16 - Security Policy | Windows 2016 - Configure 'Manage auditing and security log' |
Win OS-16 - Security Policy | Windows 2016 - Ensure 'Enforce password history' is set to '24 or more password(s)' |
Win OS-16 - Security Policy | Windows 2016 - Ensure 'Modify an object label' is set to 'No One' |
Win OS-16 - Security Policy | Windows 2016 - Ensure 'Accounts: Guest account status' is set to 'Disabled' |
Win OS-16 - Security Policy | Windows 2016 - Specify the interval to check for definition updates |
Win OS-16 - Security Policy | Windows 2016 - Bypass traverse checking |
Win OS-16 - Security Policy | Windows 2016 - Increase a process working set |
Ubuntu 18.04
Category | Policy Title |
---|---|
Ubuntu 18.04 - Initial Setup | Ubuntu 18.04 - Ensure nodev option set on removable media partitions |
Ubuntu 18.04 - Initial Setup | Ubuntu 18.04 - Ensure nosuid option set on removable media partitions |
Ubuntu 18.04 - Initial Setup | Ubuntu 18.04 - Ensure noexec option set on removable media partitions |
Ubuntu 18.04 - Initial Setup | Ubuntu 18.04 - Ensure XD/NX support is enabled |
Ubuntu 18.04 - Initial Setup | Ubuntu 18.04 - Ensure address space layout randomization (ASLR) is enabled |
Ubuntu 18.04 - Services | Ubuntu 18.04 - Ensure xinetd is not enabled |
Ubuntu 18.04 - Services | Ubuntu 18.04 - Ensure rsh server is not enabled |
Ubuntu 18.04 - Services | Ubuntu 18.04 - Ensure telnet server is not enabled |
Ubuntu 18.04 - Services | Ubuntu 18.04 - Ensure tftp server is not enabled |
Ubuntu 18.04 - Services | Ubuntu 18.04 - Ensure IMAP and POP3 server is not enabled |
Ubuntu 18.04 - Services | Ubuntu 18.04 - Ensure Avahi Server is not enabled |
Ubuntu 18.04 - Services | Ubuntu 18.04 - Ensure CUPS is not enabled |
Ubuntu 18.04 - Services | Ubuntu 18.04 - Ensure DHCP Server is not enabled |
Ubuntu 18.04 - Services | Ubuntu 18.04 - Ensure LDAP server is not enabled |
Ubuntu 18.04 - Services | Ubuntu 18.04 - Ensure DNS Server is not enabled |
Ubuntu 18.04 - Services | Ubuntu 18.04 - Ensure NIS Client is not installed |
Ubuntu 18.04 - Services | Ubuntu 18.04 - Ensure rsh client is not installed |
Ubuntu 18.04 - Services | Ubuntu 18.04 - Ensure telnet client is not installed |
Ubuntu 18.04 - Network Configuration | Ubuntu 18.04 - Ensure IP forwarding is disabled |
Ubuntu 18.04 - Network Configuration | Ubuntu 18.04 - Ensure source routed packets are not accepted |
Ubuntu 18.04 - Network Configuration | Ubuntu 18.04 - Ensure broadcast ICMP requests are ignored |
Ubuntu 18.04 - Network Configuration | Ubuntu 18.04 - Ensure bogus ICMP responses are ignored |
Ubuntu 18.04 - Network Configuration | Ubuntu 18.04 - Ensure Reverse Path Filtering is enabled |
Ubuntu 18.04 - Network Configuration | Ubuntu 18.04 - Ensure TCP SYN Cookies is enabled |
Ubuntu 18.04 - Network Configuration | Ubuntu 18.04 - Ensure RDS is disabled |
Ubuntu 18.04 - Network Configuration | Ubuntu 18.04 - Ensure wireless interfaces are disabled |
Ubuntu 18.04 - Logging and Auditing | Ubuntu 18.04 - Ensure rsyslog Service is enabled |
Ubuntu 18.04 - Logging and Auditing | Ubuntu 18.04 - Ensure rsyslog default file permissions configured |
Ubuntu 18.04 - Logging and Auditing | Ubuntu 18.04 - Ensure remote rsyslog messages are only accepted on designated log hosts |
Ubuntu 18.04 - Logging and Auditing | Ubuntu 18.04 - Ensure rsyslog or syslog-ng is installed |
Ubuntu 18.04 - Logging and Auditing | Ubuntu 18.04 - Ensure logrotate is configured |
Ubuntu 18.04 - Access, Authentication and Authorization | Ubuntu 18.04 - Ensure cron daemon is enabled |
Ubuntu 18.04 - Access, Authentication and Authorization | Ubuntu 18.04 - Ensure SSH PermitUserEnvironment is disabled |
Ubuntu 18.04 - Access, Authentication and Authorization | Ubuntu 18.04 - Ensure SSH Protocol is set to 2 |
Ubuntu 18.04 - Access, Authentication and Authorization | Ubuntu 18.04 - Ensure SSH IgnoreRhosts is enabled |
Ubuntu 18.04 - Access, Authentication and Authorization | Ubuntu 18.04 - Ensure SSH HostbasedAuthentication is disabled |
Ubuntu 18.04 - Access, Authentication and Authorization | Ubuntu 18.04 - Ensure SSH PermitEmptyPasswords is disabled |
Ubuntu 18.04 - System Maintenance | Ubuntu 18.04 - Ensure permissions on /etc/passwd are configured |
Ubuntu 18.04 - System Maintenance | Ubuntu 18.04 - Ensure permissions on /etc/group are configured |
Ubuntu 18.04 - System Maintenance | Ubuntu 18.04 - Ensure root is the only UID 0 account |
CentOS
Category | Policy Title |
---|---|
CentOS 7 - Network Configuration | CentOS 7 - Ensure wireless interfaces are disabled |
CentOS 7 - Network Configuration | CentOS 7 - Ensure IP forwarding is disabled |
CentOS 7 - Network Configuration | CentOS 7 - Ensure source routed packets are not accepted |
CentOS 7 - Network Configuration | CentOS 7 - Ensure broadcast ICMP requests are ignored |
CentOS 7 - Network Configuration | CentOS 7 - Ensure bogus ICMP responses are ignored |
CentOS 7 - Network Configuration | CentOS 7 - Ensure Reverse Path Filtering is enabled |
CentOS 7 - Network Configuration | CentOS 7 - Ensure TCP SYN Cookies is enabled |
CentOS 7 - Network Configuration | CentOS 7 - Ensure RDS is disabled |
CentOS 7 - Logging and Auditing | CentOS 7 - Ensure logrotate is configured |
CentOS 7 - Logging and Auditing | CentOS 7 - Ensure rsyslog Service is enabled |
CentOS 7 - Logging and Auditing | CentOS 7 - Ensure rsyslog default file permissions configured |
CentOS 7 - Logging and Auditing | CentOS 7 - Ensure remote rsyslog messages are only accepted on designated log hosts |
CentOS 7 - Logging and Auditing | CentOS 7 - Ensure rsyslog or syslog-ng is installed |
CentOS 7 - Initial Setup | CentOS 7 - Ensure nodev option set on removable media partitions |
CentOS 7 - Initial Setup | CentOS 7 - Ensure nosuid option set on removable media partitions |
CentOS 7 - Initial Setup | CentOS 7 - Ensure noexec option set on removable media partitions |
CentOS 7 - Initial Setup | CentOS 7 - Ensure XD/NX support is enabled |
CentOS 7 - Initial Setup | CentOS 7 - Ensure address space layout randomization (ASLR) is enabled |
CentOS 7 - Services | CentOS 7 - Ensure rsh server is not enabled |
CentOS 7 - Services | CentOS 7 - Ensure telnet server is not enabled |
CentOS 7 - Services | CentOS 7 - Ensure Avahi Server is not enabled |
CentOS 7 - Services | CentOS 7 - Ensure CUPS is not enabled |
CentOS 7 - Services | CentOS 7 - Ensure DHCP Server is not enabled |
CentOS 7 - Services | CentOS 7 - Ensure rsh client is not installed |
CentOS 7 - Services | CentOS 7 - Ensure telnet client is not installed |
CentOS 7 - Access, Authentication and Authorization | CentOS 7 - Ensure cron daemon is enabled |
CentOS 7 - Access, Authentication and Authorization | CentOS 7 - Ensure SSH PermitUserEnvironment is disabled |
CentOS 7 - Access, Authentication and Authorization | CentOS 7 - Ensure SSH Protocol is set to 2 |
CentOS 7 - Access, Authentication and Authorization | CentOS 7 - Ensure SSH IgnoreRhosts is enabled |
CentOS 7 - Access, Authentication and Authorization | CentOS 7 - Ensure SSH HostbasedAuthentication is disabled |
CentOS 7 - Access, Authentication and Authorization | CentOS 7 - Ensure SSH PermitEmptyPasswords is disabled |
CentOS 7 - System Maintenance | CentOS 7 - Ensure permissions on /etc/passwd are configured |
CentOS 7 - System Maintenance | CentOS 7 - Ensure permissions on /etc/group are configured |
CentOS 7 - System Maintenance | CentOS 7 - Ensure root is the only UID 0 account |