
Windows Server 2019 VM Baseline Hardening

A collection of scripts that help harden the operating system baseline configuration supported by Cloudneeti, as defined in the CIS Microsoft Windows Server 2019 benchmark v1.0.0. The scripts remediate policies; compliance status can be validated for the policies listed below.

Note: The scripts are designed to harden the operating system baseline configuration. Test them on a test/staging system before applying them to a production system.

| Hardening script | Number of policies remediated | Cloud Account Type |
|---|---|---|
| Windows Server 2019 VM baseline policies for Cloud Security Best Practices | 198 | Azure |
| Windows Server 2019 VM baseline policies for CIS Benchmark Windows Server 2019 Version 1.0.0 | 198 | Azure, AWS |

Prerequisites

The steps below are required before executing the script that hardens the operating system baseline configuration.

  1. Download and review the PowerShell script used to harden the operating system baseline configuration:

     - Azure - Windows Server 2019 VM baseline policies for CSBP
     - Azure - Windows Server 2016 VM baseline policies for CIS Benchmark Windows Server 2019 Version 1.0.0

  2. Virtual Machine: Ensure you have the latest PowerShell version (v5 and above). Verify the PowerShell version by running the following command on the Virtual Machine where you will run the hardening script:

    $PSVersionTable.PSVersion

     If the PowerShell version is lower than 5, follow this link to install a later version: Download Link.

  3. Virtual Machine: Before executing the script, make sure there are no restrictions on running PowerShell scripts. Use this PowerShell command:

    Set-ExecutionPolicy `
        -Scope Process `
        -ExecutionPolicy Bypass

     PowerShell contains built-in execution policies that limit its use as an attack vector. By default, the execution policy is set to Restricted, which is the primary policy for script execution. The bypass allows for running scripts and keeps the lowered permissions isolated to just the current running process.

  4. Virtual Machine: Install the DSC modules needed to execute the PowerShell commands within the quick wins script. DSC modules to be installed:

     - AuditPolicyDsc
     - SecurityPolicyDsc
     - NetworkingDsc
     - PSDesiredStateConfiguration

     Check whether a module is present:

    Get-InstalledModule -Name <ModuleName>

     Install the required modules by executing the command below:

    Install-Module -Name <ModuleName>

Execute OS Baseline Hardening script

Windows Server 2019 VM baseline policies for Cloud Security Best Practices

The steps below are performed on the Virtual Machine over RDP, as a system administrator.

  1. Download script

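    # In Windows PowerShell, wget is an alias for Invoke-WebRequest, and the short form -O is ambiguous there
    Invoke-WebRequest -Uri https://raw.githubusercontent.com/Cloudneeti/os-harderning-scripts/master/WindowsServer2019/CSBP_WindowsServer2019.ps1 -OutFile CSBP_WindowsServer2019.ps1 -UseBasicParsing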
    
  2. Run PowerShell script to compile DSC

    .\CSBP_WindowsServer2019.ps1
    
  3. Script will generate MOF files in the directory.

  4. Run the command below to apply the baseline configuration

    Start-DscConfiguration -Path .\CSBP_WindowsServer2019  -Force -Verbose -Wait
    
  5. Scan related Cloud Account in Cloudneeti or wait for scheduled scan

  6. Verify policy results in CSBP Benchmark

Windows Server 2019 VM baseline policies for CIS Benchmark Windows Server 2019 Version 1.0.0

The steps below are performed on the Virtual Machine over RDP, as a system administrator.

  1. Download script

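    # In Windows PowerShell, wget is an alias for Invoke-WebRequest, and the short form -O is ambiguous there
    Invoke-WebRequest -Uri https://raw.githubusercontent.com/Cloudneeti/os-harderning-scripts/master/WindowsServer2019/CIS_Benchmark_WindowsServer2019_v100.ps1 -OutFile CIS_Benchmark_WindowsServer2019_v100.ps1 -UseBasicParsing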
    
  2. Run PowerShell script to compile DSC

    .\CIS_Benchmark_WindowsServer2019_v100.ps1
    
  3. Script will generate MOF files in the directory.

  4. Run the command below to apply the baseline configuration

    Start-DscConfiguration -Path .\CIS_Benchmark_WindowsServer2019_v100  -Force -Verbose -Wait
    
  5. Scan related Cloud Account in Cloudneeti or wait for scheduled scan

  6. Verify policy results in CIS Benchmark Windows Server 2019 Version 1.0.0
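
The note at the top of this page asks for a test run before production. The following is an added example, not part of Cloudneeti's scripts, that checks the prerequisites and then compares the compiled MOF files against the machine without changing anything, listing which DSC resources would be modified. It assumes the MOF output directory named in step 4; the variable names and the CSV file name are illustrative.

```powershell
#Requires -Version 5.0
#Requires -RunAsAdministrator

# Added example (not Cloudneeti code): dry-run report for the compiled baseline.
# $MofDir is the output directory used in step 4; change it to
# .\CSBP_WindowsServer2019 when working with the CSBP script.
$MofDir  = '.\CIS_Benchmark_WindowsServer2019_v100'
$Modules = 'AuditPolicyDsc', 'SecurityPolicyDsc', 'NetworkingDsc', 'PSDesiredStateConfiguration'

# 1. Prerequisites. Get-Module -ListAvailable also finds the built-in
#    PSDesiredStateConfiguration module, which Get-InstalledModule does not list.
$missing = @($Modules | Where-Object { -not (Get-Module -ListAvailable -Name $_) })
if ($missing.Count -gt 0) {
    throw "Missing DSC modules: $($missing -join ', '). Install them before continuing."
}

# 2. Locate the compiled configuration documents. Files ending in .meta.mof
#    configure the Local Configuration Manager itself and are skipped.
$mofs = @(Get-ChildItem -Path $MofDir -Filter '*.mof' -File |
          Where-Object { $_.Name -notlike '*.meta.mof' })
if ($mofs.Count -eq 0) {
    throw "No MOF files found in $MofDir. Run the baseline script (step 2) first."
}

# 3. Compare each MOF with the current machine state. With
#    -ReferenceConfiguration, Test-DscConfiguration only runs the Test phase
#    of every resource; nothing is written to the system.
$report = foreach ($mof in $mofs) {
    $result = Test-DscConfiguration -ReferenceConfiguration $mof.FullName

    foreach ($r in $result.ResourcesNotInDesiredState) {
        [pscustomobject]@{
            Mof          = $mof.Name
            WouldChange  = $true
            ResourceName = $r.ResourceName
            ResourceId   = $r.ResourceId
        }
    }
    foreach ($r in $result.ResourcesInDesiredState) {
        [pscustomobject]@{
            Mof          = $mof.Name
            WouldChange  = $false
            ResourceName = $r.ResourceName
            ResourceId   = $r.ResourceId
        }
    }
}

# 4. Summarise per resource type, list the settings that would change, and
#    keep a timestamped record to compare against after the baseline is applied.
$report |
    Group-Object -Property ResourceName |
    Select-Object Name,
        @{ Name = 'Total';       Expression = { $_.Count } },
        @{ Name = 'WouldChange'; Expression = { @($_.Group | Where-Object WouldChange).Count } } |
    Format-Table -AutoSize

$report | Where-Object WouldChange | Sort-Object ResourceId |
    Format-Table Mof, ResourceName, ResourceId -AutoSize

$csv = ".\baseline-dryrun-$(Get-Date -Format 'yyyyMMdd-HHmmss').csv"
$report | Export-Csv -Path $csv -NoTypeInformation
Write-Host "Dry-run report written to $csv"
```

Run it again after step 4: any row still marked `WouldChange = True` is a setting that did not apply and should be investigated before relying on the scan result.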


Remediation policy list

CIS Benchmark Windows Server 2019 Version 1.0.0

Category Name Policy Title
Win OS-19 - Audit Policy Windows 2019 - Ensure 'Audit Authentication Policy Change' is set to 'Success'
Win OS-19 - Audit Policy Windows 2019 - Ensure 'Audit Group Membership' is set to 'Success'
Win OS-19 - Audit Policy Windows 2019 - Ensure 'Audit MPSSVC Rule-Level Policy Change' is set to 'Success and Failure'
Win OS-19 - Audit Policy Windows 2019 - Ensure 'Audit Other Object Access Events' is set to 'Success and Failure'
Win OS-19 - Audit Policy Windows 2019 - Ensure 'Audit Logon' is set to 'Success and Failure'
Win OS-19 - Audit Policy Windows 2019 - Ensure 'Audit Account Lockout' is set to 'Success and Failure'
Win OS-19 - Audit Policy Windows 2019 - Ensure 'Audit System Integrity' is set to 'Success and Failure'
Win OS-19 - Audit Policy Windows 2019 - Ensure 'Audit Credential Validation' is set to 'Success and Failure'
Win OS-19 - Audit Policy Windows 2019 - Ensure 'Audit PNP Activity' is set to 'Success'
Win OS-19 - Audit Policy Windows 2019 - Ensure 'Audit Special Logon' is set to 'Success'
Win OS-19 - Audit Policy Windows 2019 - Ensure 'Audit Logoff' is set to 'Success'
Win OS-19 - Audit Policy Windows 2019 - Ensure 'Audit Other Logon/Logoff Events' is set to 'Success and Failure'
Win OS-19 - Audit Policy Windows 2019 - Ensure 'Audit User Account Management' is set to 'Success and Failure'
Win OS-19 - Audit Policy Windows 2019 - Ensure 'Audit Sensitive Privilege Use' is set to 'Success and Failure'
Win OS-19 - Audit Policy Windows 2019 - Ensure 'Audit Security State Change' is set to 'Success'
Win OS-19 - Audit Policy Windows 2019 - Ensure 'Audit Security System Extension' is set to 'Success and Failure'
Win OS-19 - Audit Policy Windows 2019 - Ensure 'Audit Removable Storage' is set to 'Success and Failure'
Win OS-19 - Audit Policy Windows 2019 - Ensure 'Audit Security Group Management' is set to 'Success and Failure'
Win OS-19 - Audit Policy Windows 2019 - Ensure 'Audit Audit Policy Change' is set to 'Success and Failure'
Win OS-19 - Audit Policy Windows 2019 - Ensure 'Audit Process Creation' is set to 'Success'
Win OS-19 - Registry Policy Windows 2019 - Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s), but not 0'
Win OS-19 - Registry Policy Windows 2019 - Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled'
Win OS-19 - Registry Policy Windows 2019 - Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled'
Win OS-19 - Registry Policy Windows 2019 - Ensure 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' is set to 'Enabled'
Win OS-19 - Registry Policy Windows 2019 - Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled'
Win OS-19 - Registry Policy Windows 2019 - Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled'
Win OS-19 - Registry Policy Windows 2019 - Ensure 'Include command line in process creation events' is set to 'Disabled'
Win OS-19 - Registry Policy Windows 2019 - Ensure 'Interactive logon: Do not display last user name' is set to 'Enabled'
Win OS-19 - Registry Policy Windows 2019 - Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled'
Win OS-19 - Registry Policy Windows 2019 - Ensure 'Disallow Digest authentication' is set to 'Enabled'
Win OS-19 - Registry Policy Windows 2019 - Ensure 'Require secure RPC communication' is set to 'Enabled'
Win OS-19 - Registry Policy Windows 2019 - Ensure 'Prohibit use of Internet Connection Sharing on your DNS domain network' is set to 'Enabled'
Win OS-19 - Registry Policy Windows 2019 - Ensure 'Security: Specify the maximum log file size (KB)' is set to 'Enabled: 196,608 or greater'
Win OS-19 - Registry Policy Windows 2019 - Ensure 'Security: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'
Win OS-19 - Registry Policy Windows 2019 - Ensure 'Always prompt for password upon connection' is set to 'Enabled'
Win OS-19 - Registry Policy Windows 2019 - Ensure 'Set client connection encryption level' is set to 'Enabled: High Level'
Win OS-19 - Registry Policy Windows 2019 - Ensure 'Allow indexing of encrypted files' is set to 'Disabled'
Win OS-19 - Registry Policy Windows 2019 - Ensure 'Allow input personalization' is set to 'Disabled'
Win OS-19 - Registry Policy Windows 2019 - Ensure 'Allow Cortana above lock screen' is set to 'Disabled'
Win OS-19 - Registry Policy Windows 2019 - Ensure 'Allow Cortana' is set to 'Disabled'
Win OS-19 - Registry Policy Windows 2019 - Enable 'Turn on behavior monitoring'
Win OS-19 - Registry Policy Windows 2019 - Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled'
Win OS-19 - Registry Policy Windows 2019 - Ensure 'Do not display the password reveal button' is set to 'Enabled'
Win OS-19 - Registry Policy Windows 2019 - Enable 'Send file samples when further analysis is required' for 'Send Safe Samples'
Win OS-19 - Registry Policy Windows 2019 - Ensure 'Windows Search Service' is configured
Win OS-19 - Registry Policy Windows 2019 - Ensure 'Scan removable drives' is set to 'Enabled'
Win OS-19 - Registry Policy Windows 2019 - Ensure 'Configure local setting override for reporting to Microsoft MAPS' is set to 'Disabled'
Win OS-19 - Registry Policy Windows 2019 - Ensure 'Configure SMB v1 server' is set to 'Disabled'
Win OS-19 - Registry Policy Windows 2019 - Ensure 'Detect change from default RDP port' is configured
Win OS-19 - Registry Policy Windows 2019 - Ensure 'Devices: Allow undock without having to log on' is set to 'Enabled'
Win OS-19 - Registry Policy Windows 2019 - Configure 'Network access: Remotely accessible registry paths'
Win OS-19 - Registry Policy Windows 2019 - Configure 'Network access: Remotely accessible registry paths and sub-paths'
Win OS-19 - Registry Policy Windows 2019 - Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled'
Win OS-19 - Registry Policy Windows 2019 - Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled'
Win OS-19 - Registry Policy Windows 2019 - Ensure 'Enable insecure guest logons' is set to 'Disabled'
Win OS-19 - Registry Policy Windows 2019 - Ensure 'Enable RPC Endpoint Mapper Client Authentication' is set to 'Enabled' (MS only)
Win OS-19 - Registry Policy Windows 2019 - Ensure 'Do not show feedback notifications' is set to 'Enabled'
Win OS-19 - Registry Policy Windows 2019 - Ensure 'Do not use temporary folders per session' is set to 'Disabled'
Win OS-19 - Registry Policy Windows 2019 - Ensure 'Do not delete temp folders upon exit' is set to 'Disabled'
Win OS-19 - Registry Policy Windows 2019 - Ensure 'Do not display network selection UI' is set to 'Enabled'
Win OS-19 - Registry Policy Windows 2019 - Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled'
Win OS-19 - Registry Policy Windows 2019 - Ensure 'Do not allow passwords to be saved' is set to 'Enabled'
Win OS-19 - Registry Policy Windows 2019 - Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled'
Win OS-19 - Registry Policy Windows 2019 - Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled'
Win OS-19 - Registry Policy Windows 2019 - Ensure 'Prevent downloading of enclosures' is set to 'Enabled'
Win OS-19 - Registry Policy Windows 2019 - Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to 'Require NTLMv2 session security, Require 128-bit encryption'
Win OS-19 - Registry Policy Windows 2019 - Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled'
Win OS-19 - Registry Policy Windows 2019 - Ensure 'Prevent enabling lock screen camera' is set to 'Enabled'
Win OS-19 - Registry Policy Windows 2019 - Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to 'Require NTLMv2 session security, Require 128-bit encryption'
Win OS-19 - Registry Policy Windows 2019 - Ensure 'Allow Basic authentication' is set to 'Disabled'
Win OS-19 - Registry Policy Windows 2019 - Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only. Refuse LM & NTLM'
Win OS-19 - Registry Policy Windows 2019 - Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signing' or higher
Win OS-19 - Registry Policy Windows 2019 - Ensure 'Network Security: Configure encryption types allowed for Kerberos' is set to 'RC4_HMAC_MD5, AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types'
Win OS-19 - Registry Policy Windows 2019 - Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled'
Win OS-19 - Registry Policy Windows 2019 - Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled'
Win OS-19 - Registry Policy Windows 2019 - Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'
Win OS-19 - Registry Policy Windows 2019 - Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves'
Win OS-19 - Registry Policy Windows 2019 - Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled'
Win OS-19 - Registry Policy Windows 2019 - Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow' (MS only)
Win OS-19 - Registry Policy Windows 2019 - Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None'
Win OS-19 - Registry Policy Windows 2019 - Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled'
Win OS-19 - Registry Policy Windows 2019 - Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled'
Win OS-19 - Registry Policy Windows 2019 - Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is set to 'Enabled' (MS only)
Win OS-19 - Registry Policy Windows 2019 - Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled' (MS only)
Win OS-19 - Registry Policy Windows 2019 - Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled'
Win OS-19 - Registry Policy Windows 2019 - Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to 'Enabled'
Win OS-19 - Registry Policy Windows 2019 - Ensure 'Devices: Allowed to format and eject removable media' is set to 'Administrators'
Win OS-19 - Registry Policy Windows 2019 - Ensure 'Devices: Prevent users from installing printer drivers' is set to 'Enabled'
Win OS-19 - Registry Policy Windows 2019 - Ensure 'Configure Offer Remote Assistance' is set to 'Disabled'
Win OS-19 - Registry Policy Windows 2019 - Ensure 'Continue experiences on this device' is set to 'Disabled'
Win OS-19 - Registry Policy Windows 2019 - Ensure 'Block user from showing account details on sign-in' is set to 'Enabled'
Win OS-19 - Registry Policy Windows 2019 - Ensure 'Enable Windows NTP Client' is set to 'Enabled'
Win OS-19 - Registry Policy Windows 2019 - Ensure 'Application: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'
Win OS-19 - Registry Policy Windows 2019 - Ensure 'Application: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'
Win OS-19 - Registry Policy Windows 2019 - Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical'
Win OS-19 - Registry Policy Windows 2019 - Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled'
Win OS-19 - Registry Policy Windows 2019 - Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled'
Win OS-19 - Registry Policy Windows 2019 - Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent bypass'
Win OS-19 - Registry Policy Windows 2019 - Ensure 'Allow user control over installs' is set to 'Disabled'
Win OS-19 - Registry Policy Windows 2019 - Ensure 'Always install with elevated privileges' is set to 'Disabled'
Win OS-19 - Registry Policy Windows 2019 - Ensure 'Allow Telemetry' is set to 'Enabled: 0 - Security [Enterprise Only]' or 'Enabled: 1 - Basic'
Win OS-19 - Registry Policy Windows 2019 - Ensure 'Allow unencrypted traffic' is set to 'Disabled'
Win OS-19 - Registry Policy Windows 2019 - Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled'
Win OS-19 - Registry Policy Windows 2019 - Ensure 'Allow search and Cortana to use location' is set to 'Disabled'
Win OS-19 - Registry Policy Windows 2019 - Ensure 'System: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'
Win OS-19 - Registry Policy Windows 2019 - Ensure 'Turn off Autoplay' is set to 'Enabled: All drives'
Win OS-19 - Registry Policy Windows 2019 - Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled'
Win OS-19 - Registry Policy Windows 2019 - Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled'
Win OS-19 - Registry Policy Windows 2019 - Ensure 'Shutdown: Allow system to be shut down without having to log on' is set to 'Disabled'
Win OS-19 - Registry Policy Windows 2019 - Ensure 'Sign-in last interactive user automatically after a system-initiated restart' is set to 'Disabled'
Win OS-19 - Registry Policy Windows 2019 - Ensure 'Setup: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'
Win OS-19 - Registry Policy Windows 2019 - Ensure 'Setup: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'
Win OS-19 - Registry Policy Windows 2019 - Ensure 'Windows Firewall: Domain: Allow unicast response' is set to 'No'
Win OS-19 - Registry Policy Windows 2019 - Ensure 'Windows Firewall: Private: Allow unicast response' is set to 'No'
Win OS-19 - Registry Policy Windows 2019 - Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands'
Win OS-19 - Registry Policy Windows 2019 - Ensure 'Shutdown: Clear virtual memory pagefile' is set to 'Enabled'
Win OS-19 - Registry Policy Windows 2019 - Ensure 'Windows Firewall: Public: Allow unicast response' is set to 'No'
Win OS-19 - Registry Policy Windows 2019 - Ensure 'Require user authentication for remote connections by using Network Level Authentication' is set to 'Enabled'
Win OS-19 - Registry Policy Windows 2019 - Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'No'
Win OS-19 - Registry Policy Windows 2019 - Ensure 'Recovery console: Allow floppy copy and access to all drives and all folders' is set to 'Disabled'
Win OS-19 - Registry Policy Windows 2019 - Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No'
Win OS-19 - Registry Policy Windows 2019 - Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'Yes'
Win OS-19 - Registry Policy Windows 2019 - Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On (recommended)'
Win OS-19 - Registry Policy Windows 2019 - Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow (default)'
Win OS-19 - Registry Policy Windows 2019 - Ensure 'System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies' is set to 'Enabled'
Win OS-19 - Registry Policy Windows 2019 - Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)'
Win OS-19 - Registry Policy Windows 2019 - Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No'
Win OS-19 - Registry Policy Windows 2019 - Ensure 'Windows Firewall: Private: Outbound connections' is set to 'Allow (default)'
Win OS-19 - Registry Policy Windows 2019 - Ensure 'Windows Firewall: Private: Firewall state' is set to 'On (recommended)'
Win OS-19 - Registry Policy Windows 2019 - Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled'
Win OS-19 - Registry Policy Windows 2019 - Ensure 'Windows Firewall: Domain: Outbound connections' is set to 'Allow (default)'
Win OS-19 - Registry Policy Windows 2019 - Ensure 'Specify the interval to check for definition updates' is set to 'Enabled:1'
Win OS-19 - Registry Policy Windows 2019 - Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled'
Win OS-19 - Registry Policy Windows 2019 - Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled'
Win OS-19 - Registry Policy Windows 2019 - Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled'
Win OS-19 - Registry Policy Windows 2019 - Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled'
Win OS-19 - Registry Policy Windows 2019 - Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled'
Win OS-19 - Registry Policy Windows 2019 - Ensure 'Turn off shell protocol protected mode' is set to 'Disabled'
Win OS-19 - Registry Policy Windows 2019 - Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No'
Win OS-19 - Registry Policy Windows 2019 - Ensure 'System: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'
Win OS-19 - Registry Policy Windows 2019 - Ensure 'Turn off multicast name resolution' is set to 'Enabled'
Win OS-19 - Registry Policy Windows 2019 - Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled'
Win OS-19 - Registry Policy Windows 2019 - Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Automatically deny elevation requests'
Win OS-19 - Registry Policy Windows 2019 - Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure desktop'
Win OS-19 - Registry Policy Windows 2019 - Ensure 'User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop' is set to 'Disabled'
Win OS-19 - Registry Policy Windows 2019 - Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled'
Win OS-19 - Registry Policy Windows 2019 - Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled'
Win OS-19 - Registry Policy Windows 2019 - Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled'
Win OS-19 - Registry Policy Windows 2019 - Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'
Win OS-19 - Registry Policy Windows 2019 - Ensure 'Turn off heap termination on corruption' is set to 'Disabled'
Win OS-19 - Registry Policy Windows 2019 - Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'
Win OS-19 - Security Policy Windows 2019 - Ensure 'Password must meet complexity requirements' is set to 'Enabled'
Win OS-19 - Security Policy Windows 2019 - Ensure 'Modify an object label' is set to 'No One'
Win OS-19 - Security Policy Windows 2019 - Ensure 'Create permanent shared objects' is set to 'No One'
Win OS-19 - Security Policy Windows 2019 - Ensure 'Shut down the system' is set to 'Administrators'
Win OS-19 - Security Policy Windows 2019 - Ensure 'Maximum password age' is set to '70 or fewer days, but not 0'
Win OS-19 - Security Policy Windows 2019 - Ensure 'Access Credential Manager as a trusted caller' is set to 'No One'
Win OS-19 - Security Policy Windows 2019 - Ensure 'Deny log on as a batch job' to include 'Guests'
Win OS-19 - Security Policy Windows 2019 - Ensure 'Enable computer and user accounts to be trusted for delegation' is set to 'No One' (MS only)
Win OS-19 - Security Policy Windows 2019 - Ensure 'Manage auditing and security log' is set to 'Administrators' (MS only)
Win OS-19 - Security Policy Windows 2019 - Ensure 'Load and unload device drivers' is set to 'Administrators'
Win OS-19 - Security Policy Windows 2019 - Ensure 'Minimum password length' is set to '14 or more character(s)'
Win OS-19 - Security Policy Windows 2019 - Ensure 'Allow log on through Remote Desktop Services' is set to 'Administrators, Remote Desktop Users' (MS only)
Win OS-19 - Security Policy Windows 2019 - Ensure 'Create symbolic links' is set to 'Administrators, NT VIRTUAL MACHINE\Virtual Machines' (MS only)
Win OS-19 - Security Policy Windows 2019 - Ensure 'Access this computer from the network' is set to 'Administrators, Authenticated Users, ENTERPRISE DOMAIN CONTROLLERS' (DC only)
Win OS-19 - Security Policy Windows 2019 - Ensure 'Allow log on locally' is set to 'Administrators'
Win OS-19 - Security Policy Windows 2019 - Ensure 'Generate security audits' is set to 'LOCAL SERVICE, NETWORK SERVICE'
Win OS-19 - Security Policy Windows 2019 - Ensure 'Increase scheduling priority' is set to 'Administrators, Window Manager\Window Manager Group'
Win OS-19 - Security Policy Windows 2019 - Ensure 'Store passwords using reversible encryption' is set to 'Disabled'
Win OS-19 - Security Policy Windows 2019 - Ensure 'Take ownership of files or other objects' is set to 'Administrators'
Win OS-19 - Security Policy Windows 2019 - Ensure 'Change the system time' is set to 'Administrators, LOCAL SERVICE'
Win OS-19 - Security Policy Windows 2019 - Ensure 'Change the time zone' is set to 'Administrators, LOCAL SERVICE'
Win OS-19 - Security Policy Windows 2019 - Ensure 'Create a pagefile' is set to 'Administrators'
Win OS-19 - Security Policy Windows 2019 - Ensure 'Create a token object' is set to 'No One'
Win OS-19 - Security Policy Windows 2019 - Ensure 'Create global objects' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'
Win OS-19 - Security Policy Windows 2019 - Ensure 'Increase a process working set' is set to 'Users'
Win OS-19 - Security Policy Windows 2019 - Ensure 'Deny log on as a service' to include 'Guests'
Win OS-19 - Security Policy Windows 2019 - Ensure 'Deny log on locally' to include 'Guests'
Win OS-19 - Security Policy Windows 2019 - Ensure 'Enforce password history' is set to '24 or more password(s)'
Win OS-19 - Security Policy Windows 2019 - Ensure 'Force shutdown from a remote system' is set to 'Administrators'
Win OS-19 - Security Policy Windows 2019 - Ensure 'Minimum password age' is set to '1 or more day(s)'
Win OS-19 - Security Policy Windows 2019 - Ensure 'Lock pages in memory' is set to 'No One'
Win OS-19 - Security Policy Windows 2019 - Ensure 'Back up files and directories' is set to 'Administrators'
Win OS-19 - Security Policy Windows 2019 - Ensure 'Accounts: Guest account status' is set to 'Disabled' (MS only)
Win OS-19 - Security Policy Windows 2019 - Ensure 'Replace a process level token' is set to 'LOCAL SERVICE, NETWORK SERVICE'
Win OS-19 - Security Policy Windows 2019 - Ensure 'Perform volume maintenance tasks' is set to 'Administrators'
Win OS-19 - Security Policy Windows 2019 - Ensure 'Profile single process' is set to 'Administrators'
Win OS-19 - Security Policy Windows 2019 - Ensure 'Profile system performance' is set to 'Administrators, NT SERVICE\WdiServiceHost'
Win OS-19 - Security Policy Windows 2019 - Ensure 'Restore files and directories' is set to 'Administrators'
Win OS-19 - Security Policy Windows 2019 - Ensure 'Modify firmware environment values' is set to 'Administrators'
Win OS-19 - Security Policy Windows 2019 - Ensure 'Deny access to this computer from the network' to include 'Guests, Local account and member of Administrators group' (MS only)
Win OS-19 - Security Policy Windows 2019 - Ensure 'Deny log on through Remote Desktop Services' is set to 'Guests, Local account'
Win OS-19 - Security Policy Windows 2019 - Ensure 'Act as part of the operating system' is set to 'No One'
Win OS-19 - Security Policy Windows 2019 - Ensure 'Manage auditing and security log' is set to 'Administrators' and (when Exchange is running in the environment) 'Exchange Servers' (DC only)
Win OS-19 - Registry Policy Windows 2019 - Ensure 'Enable computer and user accounts to be trusted for delegation' is set to 'Administrators' (DC only)
Win OS-19 - Audit Policy Windows 2019 - Ensure 'Allow log on through Remote Desktop Services' is set to 'Administrators' (DC only)
Win OS-19 - Registry Policy Windows 2019 - Ensure 'Deny access to this computer from the network' is set to 'Guests' (DC only)