FINAL

GOVERNMENTAL_AUTHORITY

Microsoft Internet Explorer 7

cpe:/a:microsoft:ie:7.0

Web Browser

The Federal Desktop Core Configuration (FDCC) is an OMB-mandated security configuration. The FDCC currently exists for Microsoft Windows Vista and XP operating system software. While not addressed specifically as the "Federal Desktop Core Configuration," the FDCC was originally called for in a 22 March 2007 memorandum from OMB to all Federal agencies and department heads and a corresponding memorandum from OMB to all Federal agency and department Chief Information Officers (CIO). This checklist represents the FDCC guidance for Microsoft Internet Explorer 7.

Web Browser

FDCC

08/06/2009 - OVAL 5.3 Patch Content Updated 04/08/2009 - Major Version 1.2 released 10/31/2008 - Major Version 1.1.1.0 released 06/20/2008 - Major Version 1.0 released

The link to the FDCC home page.

FDCC FAQ

FDCC primary download page

FDCC individual file listings and download page

true

false

true

OVAL 5.3

9E3C08C585D0B64836FD821AA4D6410C8C9AC011

951C03ABF54ADA35FA25162743AAF02EF519417D4B47CE9D61EC3C277DB3C058

The FDCC IE7 SCAP Content using OVAL version 5.3. SCAP_CONTENT

OVAL 5.4

AE21DA41BAE747F6F21DEB62B341B6035CF46AE5

2FDFEA8C9DFC84CBE7F3B9BE26B4A5C71EC1AE734010FB537B9F2FBE6CA1F848

FDCC Windows IE7 SCAP content using OVAL version 5.3. SCAP_CONTENT

OVAL 5.3

9E3C08C585D0B64836FD821AA4D6410C8C9AC011

951C03ABF54ADA35FA25162743AAF02EF519417D4B47CE9D61EC3C277DB3C058

The FDCC IE7 SCAP Content using OVAL version 5.3. SCAP Content

OVAL 5.4

AE21DA41BAE747F6F21DEB62B341B6035CF46AE5

2FDFEA8C9DFC84CBE7F3B9BE26B4A5C71EC1AE734010FB537B9F2FBE6CA1F848

FDCC Windows IE7 SCAP content using OVAL version 5.3. SCAP Content

7DD0E04CEE71F16BBAA6366C358B740C1041834C

53664841150B753339A32B7C3A3A4EA4F7CB760D77023A6ECC0B147AE4B02F73

FDCC Windows Vista Firewall GPOs GPOs

1C4962660C0CEB4CA530DFFE7A56C81463C78F50

37FC8ECB0A95AB31B56463A5D83E6206DC4964D6A1FA0E4AF710BBD246BEB0F6

This is the human readable version of the FDCC settings. Prose

CCE-3201-1

2009-07-30T19:30:14.640Z

The "Make Proxy Settings Per-Machine (Rather Then Per-User)" setting should be configured correctly.

CCE-3204-5

2009-07-30T19:30:14.797Z

The "Turn Off changing the URL to be displayed for checking updates to Internet Explorer and Internet Tools" setting should be configured correctly.

CCE-3207-8

2009-07-30T19:30:14.890Z

The "Prevent performance of First Run Customize settings" setting should be configured correctly.

CCE-3216-9

2009-07-30T19:30:15.360Z

The "Scripting of Java applets" setting should be configured correctly for the Restricted Sites Zone.

CCE-3249-0

2009-07-30T19:30:15.000Z

The "Allow status bar updates via script" setting should be configured correctly for the Internet Zone.

CCE-3264-9

2009-07-30T19:30:15.407Z

The "Display mixed content" setting should be configured correctly for the Restricted Sites Zone.

AC-3

SC-1

CCE-3275-5

2009-07-30T19:30:15.500Z

The "Configure Outlook Express" setting should be configured correctly

CM-6

CCE-3337-3

2009-07-30T19:30:15.170Z

The "Drag and drop or copy and paste files" setting should be configured correctly for the Restricted Sites Zone.

SI-3

CCE-3338-1

2009-07-30T19:30:14.610Z

The "Internet Explorer Processes (MK Protocol)" setting should be configured correctly.

CM-6

CCE-3378-7

2009-07-30T19:30:14.717Z

The "Turn Off First- Run Opt-In" setting should be configured correctly for the Internet Zone.

CM-6

CCE-3400-9

2009-07-30T19:30:15.327Z

The "Run components not signed with Authenticode" setting should be configured correctly for the Restricted Sites Zone.

CM-5

CM-6

CCE-3477-7

2009-07-30T19:30:55.767Z

The "Turn off downloading of enclosures" setting should be configured correctly.

CM-6

CCE-3518-8

2009-07-30T19:30:14.640Z

The "Disable Automatic Install of Internet Explorer Components" setting should be configured correctly.

CM-5

SI-3

SI-7

SI-8

CCE-3553-5

2009-07-30T19:30:15.077Z

The "Software channel permissions" setting should be configured correctly for the Internet Zone.

CM-5

CCE-3564-2

2009-07-30T19:30:15.250Z

The "Download unsigned ActiveX controls" setting should be configured correctly for the Restricted Sites Zone.

SC-1

SI-3

CCE-3570-9

2009-07-30T19:30:15.110Z

The "Web sites in less privileged Web content zones can navigate into this zone" setting should be configured correctly for the Internet Zone.

CM-6

CM-7

CCE-3576-6

2009-07-30T19:30:14.577Z

The "Disable Periodic Check For Internet Explorer Software Updates" setting should be configured correctly.

CM-6

SC-1

SI-2

CCE-3584-0

2009-07-30T19:30:14.937Z

The "Automatically Check for Internet Explorer Updates" setting should be configured correctly.

CM-2

CM-6

CCE-3590-7

2009-07-30T19:30:15.297Z

The "Loose XAML" setting should be configured correctly for the Restricted Sites Zone.

CM-6

CCE-3601-2

2009-07-30T19:30:14.983Z

The "Allow Scriptlets" setting should be configured correctly for the Internet Zone.

SC-1

SI-3

CCE-3615-2

2009-07-30T19:30:14.907Z

The "Turn off "Delete Browsing History" functionality" setting should be configured correctly.

AU-9

CM-6

CCE-3619-4

2009-07-30T19:30:15.093Z

The "Use Pop-up Blocker" setting should be configured correctly for the Internet Zone.

SI-8

CCE-3623-6

2009-07-30T19:30:15.047Z

The "Logon" setting should be configured correctly for the Internet Zone.

CM-6

IA-2

CCE-3647-5

2009-07-30T19:30:15.437Z

The "Turn on the auto-complete feature for user names and passwords on form" setting should be configured correctly.

CM-6

IA-5

CCE-3677-2

2009-07-30T19:30:15.453Z

The "Allow Install On Demand (Internet Explorer)" setting should be configured correctly.

CM-5

SI-7

CCE-3696-2

2009-07-30T19:30:15.280Z

The "Logon" setting should be configured correctly for the Restricted Sites Zone.

CM-6

IA-2

CCE-3706-9

2009-07-30T19:30:14.860Z

The "Disable Showing the Splash Screen" setting should be configured correctly.

CM-5

CM-6

CCE-3744-0

2009-07-30T19:30:14.657Z

The "Do Not Allow Users to enable or Disable Add-Ons" setting should be configured correctly.

CM-5

CM-7

CCE-3751-5

2009-07-30T19:30:15.063Z

The "Loose XAML" setting should be configured correctly for the Internet Zone.

CM-6

CCE-3754-9

2009-07-30T19:30:15.627Z

The "Java permissions" setting should be configured correctly for the Locked Down Intranet Zone.

SC-1

CCE-3825-7

2009-07-30T19:30:15.517Z

The "Disable Internet Connection wizard" setting should be configured correctly.

CM-6

CCE-3853-9

2009-07-30T19:30:14.953Z

The "Access data sources across domains" setting should be configured correctly for the Internet Zone.

AC-4

CCE-3855-4

2009-07-30T19:30:15.360Z

The "Software channel permissions" setting should be configured correctly for the Restricted Sites Zone.

CM-5

CCE-3866-1

2009-07-30T19:30:14.907Z

The "Turn off Managing Phishing Filter" setting should be configured correctly.

SC-1

SI-3

SI-8

CCE-3875-2

2009-07-30T19:30:14.920Z

The "Turn off the Security Settings Check feature" setting should be configured correctly.

SI-6

CCE-3888-5

2009-07-30T19:30:14.967Z

The "Font download" setting should be configured correctly for the Internet Zone.

SI-3

CCE-3891-9

2009-07-30T19:30:15.627Z

The "Java permissions" setting should be configured correctly for the Local Machine Zone.

SC-1

CCE-3894-3

2009-07-30T19:30:14.670Z

The "Turn Off Crash Detection" setting should be configured correctly.

CM-4

CCE-3902-4

2009-07-30T19:30:15.703Z

The "Java permissions" setting should be configured correctly for the Locked Down Restricted Sites Zone.

SC-1

CCE-3905-7

2009-07-30T19:30:15.157Z

The "Access data sources across domains" setting should be configured correctly for the Restricted Sites Zone.

AC-4

CCE-3906-5

2009-07-30T19:30:14.967Z

The "Installation of desktop items" setting should be configured correctly for the Internet Zone.

SI-3

CCE-3909-9

2009-07-30T19:30:15.733Z

The "Turn on Protected Mode" setting should be configured correctly for the Restricted Sites Zone.

CM-6

CM-7

CCE-3914-9

2009-07-30T19:30:15.093Z

The "Userdata persistence" setting should be configured correctly for the Internet Zone.

SC-4

CCE-3924-8

2009-07-30T19:30:14.563Z

Internet Explorer Processes (Restrict ActiveX Install)

CM-6

CCE-3927-1

2009-07-30T19:30:15.017Z

The "Download signed ActiveX controls" setting should be configured correctly for the Internet Zone.

SC-1

SI-3

CCE-3929-7

2009-07-30T19:30:14.577Z

The "Security Zones: Do Not Allow Users to Add/Delete Sites" setting should be configured correctly.

AC-3

AC-6

CM-5

CCE-3933-9

2009-07-30T19:30:14.687Z

The "Security Zones: Do Not Allow Users to Change Policies" setting should be configured correctly.

AC-3

AC-6

CM-5

CCE-3941-2

2009-07-30T19:30:14.610Z

The "Allow Software to Run or Install Even if the Signature is Invalid" setting should be configured correctly.

CM-5

SI-7

CCE-3945-3

2009-07-30T19:30:15.017Z

The "Download unsigned ActiveX controls" setting should be configured correctly for the Internet Zone.

SC-1

SI-3

CCE-3963-6

2009-07-30T19:30:15.030Z

The "Java permissions" setting should be configured correctly for the Internet Zone.

SC-1

CCE-3976-8

2009-07-30T19:30:14.953Z

The "Check for Server Certificate Revocation" setting should be configured correctly.

IA-5

SC-1

CCE-3984-2

2009-07-30T19:30:15.110Z

The "Display mixed content" setting should be configured correctly for the Internet Zone.

AC-3

SC-1

CCE-3989-1

2009-07-30T19:30:15.127Z

The "Display mixed content" setting should be configured correctly for the Intranet Zone.

AC-3

SC-1

CCE-3993-3

2009-07-30T19:30:14.877Z

The "Prevent participation in the Customer Experience Improvement Programs" setting should be configured correctly.

AC-4

CCE-3996-6

2009-07-30T19:30:15.267Z

The "Java permissions" setting should be configured correctly for the Restricted Sites Zone.

SC-1

CCE-3998-2

2009-07-30T19:30:14.953Z

The "Drag and drop or copy and paste files" setting should be configured correctly for the Internet Zone.

SI-3

CCE-4001-4

2009-07-30T19:30:14.843Z

The "Disable "Configuring History"" setting should be configured correctly.

CM-6

CCE-4013-9

2009-07-30T19:30:14.733Z

The "Allow cut, copy, or paste operations from the clipboard via script" setting should be configured correctly for the Restricted Sites Zone.

SI-3

CCE-4017-0

2009-07-30T19:30:14.563Z

The "Security Zones: Use Only Machine Settings" setting should be configured correctly.

CM-2

CM-6

CCE-4018-8

2009-07-30T19:30:15.377Z

The "Use Pop-up Blocker" setting should be configured correctly for the Restricted Sites Zone.

SI-8

CCE-4026-1

2009-07-30T19:30:14.703Z

The "Check for Signature on Downloaded Programs" setting should be configured correctly.

IA-5

SC-1

CCE-4028-7

2009-07-30T19:30:15.140Z

The "Display mixed content" setting should be configured correctly for the Locked Down Local Machine Zone.

AC-3

SC-1

CCE-4031-1

2009-07-30T19:30:15.233Z

The "Allow status bar updates via script" setting should be configured correctly for the Restricted Sites Zone.

SC-8

SI-3

CCE-4036-0

2009-07-30T19:30:15.517Z

The "Turn on the Internet Connection Wizard Auto Detect" setting should be configured correctly.

CM-6

CCE-4040-2

2009-07-30T19:30:15.377Z

The "Userdata persistence" setting should be configured correctly for the Restricted Sites Zone.

SC-4

CCE-4043-6

2009-07-30T19:30:14.593Z

Internet Explorer Processes (Zone Elevation Protection)

CM-6

CCE-4047-7

2009-07-30T19:30:14.593Z

The "Internet Explorer Processes (Consistent MIME Handling)" setting should be configured correctly.

CM-6

CCE-4050-1

2009-07-30T19:30:15.157Z

The "Active scripting" setting should be configured correctly for the Restricted Sites Zone.

SC-1

SI-3

CCE-4052-7

2009-07-30T19:30:14.750Z

The "Web Browser Applications" setting should be configured correctly for the Restricted Sites Zone.

CM-6

CM-7

CCE-4053-5

2009-07-30T19:30:15.233Z

The "Automatic prompting for file downloads" setting should be configured correctly for the Restricted Sites Zone.

SC-1

SI-3

CCE-4056-8

2009-07-30T19:30:15.453Z

The "Turn off page transitions" setting should be configured correctly.

CM-6

CCE-4057-6

2009-07-30T19:30:15.250Z

The "Download signed ActiveX controls" setting should be configured correctly for the Restricted Sites Zone.

SC-1

SI-3

CCE-4062-6

2009-07-30T19:30:15.187Z

The "Font download" setting should be configured correctly for the Restricted Sites Zone.

SI-3

CCE-4066-7

2009-07-30T19:30:15.280Z

The "Launching programs and files in an IFRAME" setting should be configured correctly for the Restricted Sites Zone.

SC-1

SI-3

CCE-4068-3

2009-07-30T19:30:15.030Z

The "Initialize and script ActiveX controls not marked as safe for scripting" setting should be configured correctly for the Internet Zone.

SC-1

CCE-4079-0

2009-07-30T19:30:15.203Z

The "Installation of desktop items" setting should be configured correctly for the Restricted Sites Zone.

CM-6

CCE-4084-0

2009-07-30T19:30:15.203Z

The "Allow META REFRESH" setting should be configured correctly for the Restricted Sites Zone.

CM-6

CCE-4087-3

2009-07-30T19:30:15.420Z

The "Display mixed content" setting should be configured correctly for the Trusted Sites Zone.

AC-3

SC-1

CCE-4098-0

2009-07-30T19:30:14.813Z

The "Turn Off Configuring the Update Check Interval (In Days)" setting should be configured correctly.

CM-6

SI-2

CCE-4099-8

2009-07-30T19:30:14.983Z

The "Allow script-initiated windows without size or position constraints" setting should be configured correctly for the Internet Zone.

SC-1

SI-3

CCE-4101-2

2009-07-30T19:30:15.267Z

The "Initialize and script ActiveX controls not marked as safe for scripting" setting should be configured correctly for the Restricted Sites Zone.

SC-1

CCE-4104-6

2009-07-30T19:30:15.047Z

The "Launching programs and files in an IFRAME" setting should be configured correctly for the Internet Zone.

SC-1

SI-3

CCE-4109-5

2009-07-30T19:30:14.717Z

The "Allow cut, copy, or paste operations from the clipboard via script" setting should be configured correctly for the Internet Zone.

SI-3

CCE-4110-3

2009-07-30T19:30:15.297Z

The "Navigate sub-frames across different domains" setting should be configured correctly for the Restricted Sites Zone.

CM-6

CCE-4118-6

2009-07-30T19:30:14.627Z

The "Disable Software Update Shell Notifications on Program Launch" setting should be configured correctly.

CM-5

CM-6

CCE-4119-4

2009-07-30T19:30:15.217Z

The "Allow script-initiated windows without size or position constraints" setting should be configured correctly for the Restricted Sites Zone.

SC-1

SI-3

CCE-4121-0

2009-07-30T19:30:15.127Z

The "Display mixed content" setting should be configured correctly for the Locked Down Intranet Zone.

AC-3

SC-1

CCE-4122-8

2009-07-30T19:30:14.627Z

The "Internet Explorer Processes (Restrict File Download)" setting should be configured correctly.

CM-6

CCE-4131-9

2009-07-30T19:30:14.733Z

The "Web Browser Applications" setting should be configured correctly for the Internet Zone.

CM-6

CM-7

CCE-4132-7

2009-07-30T19:30:15.313Z

The "Open files based on content, not file extension" setting should be configured correctly for the Restricted Sites Zone.

CM-6

CCE-4138-4

2009-07-30T19:30:15.140Z

The "Display mixed content" setting should be configured correctly for the Local Machine Zone.

AC-3

SC-1

CCE-4139-2

2009-07-30T19:30:15.000Z

The "Automatic prompting for file downloads" setting should be configured correctly for the Internet Zone.

SC-1

SI-3

CCE-4143-4

2009-07-30T19:30:15.063Z

The "Navigate sub-frames across different domains" setting should be configured correctly for the Internet Zone.

CM-6

CCE-4147-5

2009-07-30T19:30:14.843Z

The "Disable Changing Automatic Configuration Settings" setting should be configured correctly.

CM-5

CCE-4149-1

2009-07-30T19:30:14.687Z

The "Internet Explorer Processes (MIME Sniffing)" setting should be configured correctly.

CM-6

CCE-4150-9

2009-07-30T19:30:15.187Z

The "File download" setting should be configured correctly for the Restricted Sites Zone.

SI-3

CCE-4153-3

2009-07-30T19:30:14.733Z

The "Turn Off First- Run Opt-In" setting should be configured correctly for the Restricted Sites Zone.

CM-6

CCE-4158-2

2009-07-30T19:30:15.327Z

The "Run components signed with Authenticode" setting should be configured correctly for the Restricted Sites Zone.

CM-5

CM-6

CCE-4160-8

2009-07-30T19:30:15.640Z

The "Java permissions" setting should be configured correctly for the Locked Down Local Machine Zone.

SC-1

CCE-4161-6

2009-07-30T19:30:15.077Z

The "Open files based on content, not file extension" setting should be configured correctly for the Internet Zone.

CM-6

CCE-4162-4

2009-07-30T19:30:14.670Z

The "Internet Explorer Processes (Scripted Window Security Restrictions)" setting should be configured correctly.

CM-6

CCE-4163-2

2009-07-30T19:30:15.343Z

The "Run ActiveX controls and plugins" setting should be configured correctly for the Restricted Sites Zone.

SC-1

CCE-4171-5

2009-07-30T19:30:14.703Z

The "Do Not Allow Resetting Internet Explorer Settings" setting should be configured correctly.

CM-5

CCE-4174-9

2009-07-30T19:30:14.920Z

The "Allow Active Content from CD's to Run on User Machine" setting should be configured correctly.

CM-5

SI-7

CCE-4175-6

2009-07-30T19:30:14.767Z

The "Intranet Sites: Include all network paths (UNCs)" setting should be configured correctly.

AC-4

CCE-4192-1

2009-07-30T19:30:14.937Z

The "Enable third-party browser extensions" setting should be configured correctly.

CM-5

SI-3

CCE-4196-2

2009-07-30T19:30:15.170Z

The "Binary and script behaviors" setting should be configured correctly for the Restricted Sites Zone.

SC-1

SI-3

CCE-4199-6

2009-07-30T19:30:14.797Z

The "Prevent Ignoing Certificate Errors" setting should be configured correctly.

SI-6

CCE-4202-8

2009-07-30T19:30:15.343Z

The "Script ActiveX controls marked safe for scripting" setting should be configured correctly for the Restricted Sites Zone.

SC-1

CCE-4215-0

2009-07-30T19:30:15.390Z

The "Web sites in less privileged Web content zones can navigate into this zone" setting should be configured correctly for the Restricted Sites Zone.

CM-6

CM-7

CCE-4226-7

2009-07-30T19:30:15.530Z

The "Disable the Reset Web Settings feature" should be configured correctly.

CM-5

CM-6

CCE-4232-5

2009-07-30T19:30:15.420Z

The "Display mixed content" setting should be configured correctly for the Locked Down Trusted Sites Zone.

AC-3

SC-1

CCE-4237-4

2009-07-30T19:30:15.500Z

The "Disable external branding of Internet Explorer" setting should be configured correctly.

CM-6

CCE-4246-5

2009-07-30T19:30:15.467Z

The "Disable AutoComplete for forms" setting should be configured correctly.

CM-5

CCE-4259-8

2009-07-30T19:30:15.437Z

The "Enable Native XMLHttp Support" setting should be configured correctly.

SC-1

CCE-4546-8

2009-07-30T19:30:15.717Z

The "Allow status bar updates via script" setting should be configured correctly for the Locked-Down Trusted Sites Zone.

SC-1

CCE-4564-1

2009-07-30T19:30:15.717Z

The "Java permissions" setting should be configured correctly for the Locked Down Trusted Sites Zone.

SC-1

CCE-4581-5

2009-07-30T19:31:58.670Z

The "Turn off downloading of enclosures" setting should be configured correctly.

CM-6

CCE-4643-3

2009-07-30T19:30:15.657Z

The "Turn on Protected Mode" setting should be configured correctly for the Internet Zone.

CM-6

CM-7

CCE-4652-4

2009-07-30T19:30:15.670Z

The "Java permissions" setting should be configured correctly for the Intranet Zone.

SC-1

CCE-4692-0

2009-07-30T19:30:15.687Z

The "Java permissions" setting should be configured correctly for the Locked Down Internet Zone.

SC-1

CCE-4763-9

2009-07-30T19:30:15.657Z

Computer-wide, rather than per-user, assignment of sites to zones for Internet Explorer should be enabled or disabled as appropriate.

AC-4

CCE-4793-6

2009-07-30T19:30:15.670Z

The "Download signed ActiveX controls" setting should be configured correctly for the Locked-Down Internet Zone.

SC-1

SI-3

CCE-4845-4

2009-07-30T19:30:15.733Z

The "Java permissions" setting should be configured correctly for the Trusted Sites Zone.

SC-1

FINAL

GOVERNMENTAL_AUTHORITY

Microsoft Windows Vista

cpe:/o:microsoft:windows_vista

Operating System

Desktop Client

US Federal Agencies.

FDCC

The recommendations are consistent with the security control baselines advocated in SP 800-53 (NIST FISMA implementation project publication).

fdcc@nist.gov

09/16/2009 - OVAL 5.3 Patch Content Updated 08/06/2009 - OVAL 5.3 Patch Content Updated 04/08/2009 - Major Version 1.2 released 10/31/2008 - Major Version 1.1.1.0 released 06/20/2008 - Major Version 1.0 released

The link to the FDCC home page.

FDCC FAQ

FDCC primary download page

FDCC individual file listings and download page

true

false

true

OVAL 5.3

FDB0967B3AAF3A2A64A0D0FF8431D3C947CEB405

6F1849BAFCBEA80D0836CA0FF76DACC99212CDB9CAA2B1C81A6C318A705F2D09

FDCC Windows Vista SCAP Content using OVAL version 5.3. SCAP_CONTENT

OVAL 5.4

8429CECC24D77AB508E8C56D82E0677CA09D2ECB

379780A40E39A8AA2590934440DCA4934DDF295032B86C7F1E048F14D55C14F1

FDCC Windows Vista SCAP content using OVAL version 5.4. SCAP_CONTENT

OVAL 5.3

FDB0967B3AAF3A2A64A0D0FF8431D3C947CEB405

6F1849BAFCBEA80D0836CA0FF76DACC99212CDB9CAA2B1C81A6C318A705F2D09

FDCC Windows Vista SCAP Content using OVAL version 5.3. SCAP Content

OVAL 5.4

8429CECC24D77AB508E8C56D82E0677CA09D2ECB

379780A40E39A8AA2590934440DCA4934DDF295032B86C7F1E048F14D55C14F1

FDCC Windows Vista SCAP content using OVAL version 5.4. SCAP Content

7DD0E04CEE71F16BBAA6366C358B740C1041834C

53664841150B753339A32B7C3A3A4EA4F7CB760D77023A6ECC0B147AE4B02F73

FDCC Windows Vista Firewall GPOs GPOs

1C4962660C0CEB4CA530DFFE7A56C81463C78F50

37FC8ECB0A95AB31B56463A5D83E6206DC4964D6A1FA0E4AF710BBD246BEB0F6

This is the human readable version of the FDCC settings. Prose

CCE-2322-6

2009-07-30T19:30:51.077Z

Auditing of "privilege use" events on success should be enabled or disabled as appropriate..

AC-6

AU-2

CCE-2323-4

2009-07-30T19:30:51.500Z

The "enforce password history" policy should meet minimum requirements.

CCE-2339-0

2009-07-30T19:30:51.640Z

The behavior surrounding Anonymous SID/Name translation should be correct.

AC-3

CM-6

CM-7

SC-5

CCE-2359-8

2009-07-30T19:30:52.110Z

The built-in Guest account should be correctly named.

AC-3

CM-6

CM-7

SC-5

CCE-2363-0

2009-07-30T19:30:50.767Z

The "account lockout duration" policy should meet minimum requirements.

AC-7

CM-6

CCE-2376-2

2009-07-30T19:30:52.500Z

The "Number of Previous Logons to Cache" policy should be set correctly.

AC-3

CM-6

CM-7

SC-5

CCE-2380-4

2009-07-30T19:30:52.420Z

The "Digitally Sign Client Communication (When Possible)" policy should be set correctly.

AC-3

CM-6

CM-7

SC-5

CCE-2398-6

2009-07-30T19:30:52.670Z

The "Limit local account user of blank passwords to console logon only" policy should be set correctly.

AC-3

CM-6

CM-7

SC-5

CCE-2457-0

2009-07-30T19:30:52.813Z

The "Let Everyone permissions apply to anonymous users" policy should be set correctly.

AC-3

CM-6

CM-7

SC-5

CCE-2467-9

2009-07-30T19:30:52.577Z

The "Secure Channel: Digitally Encrypt Secure Channel Data (When Possible)" policy should be set correctly.

CCE-2471-1

2009-07-30T19:30:54.717Z

Enumerate administrator accounts on elevation

AC-6

CCE-2477-8

2009-07-30T19:30:55.420Z

The "Turn off the 'Publish to Web' task for files and folders" setting should be configured correctly.

CM-6

CCE-2519-7

2009-07-30T19:30:52.140Z

The amount of idle time required before disconnecting a session should be set correctly.

AC-1

AC-3

CM-6

CM-7

CCE-2521-3

2009-07-30T19:30:56.000Z

The "Turn off the communitication features" setting should be configured correctly.

CM-6

CCE-2525-4

2009-07-30T19:30:56.030Z

The "Turn off Windows Mail application" setting should be configured correctly.

CM-6

CCE-2557-7

2009-07-30T19:30:56.077Z

The "Turn off Windows Meeting Space" setting should be configured correctly.

CM-6

CCE-2653-4

2009-07-30T19:30:51.047Z

Auditing of "policy change" events on failure should be enabled or disabled as appropriate..

AU-2

CCE-2679-9

2009-07-30T19:30:52.030Z

TCP/IP SYN Flood Attack Protection should be properly configured.

AC-3

CM-6

CM-7

SC-5

CCE-2697-1

2009-07-30T19:30:55.343Z

The "Turn Off Internet File Association Service" setting should be configured correctly.

CM-6

CCE-2714-4

2009-07-30T19:30:52.093Z

The built-in Administrator account should be correctly named.

AC-3

CM-6

CM-7

SC-5

CCE-2715-1

2009-07-30T19:30:50.750Z

The "reset account lockout counter after" policy should meet minimum requirements.

AC-7

CM-6

CCE-2719-3

2009-07-30T19:30:51.797Z

Autoplay on all Drive Types should be properly configured.

AC-3

CM-6

CM-7

SC-5

CCE-2724-3

2009-07-30T19:30:50.983Z

Auditing of "object access" events on success should be enabled or disabled as appropriate..

AU-2

CCE-2746-6

2009-07-30T19:30:51.030Z

Auditing of "policy change" events on success should be enabled or disabled as appropriate..

AU-2

CCE-2754-0

2009-07-30T19:30:54.670Z

Turn off downloading of print drivers over HTTP

CM-6

CCE-2755-7

2009-07-30T19:30:56.217Z

The "Turn Off Downloading of Game Information" setting should be configured correctly.

CM-6

CCE-2778-9

2009-07-30T19:30:54.627Z

Turn off Search Companion content file updates

CM-6

CCE-2781-3

2009-07-30T19:30:55.517Z

The "Don't Display the Getting Started Welcome Screen at Logon" setting should be configured correctly.

CM-6

CCE-2785-4

2009-07-30T19:30:52.000Z

TCP/IP NetBIOS Name Release on Request Prevented should be properly configured.

AC-3

CM-6

CM-7

SC-5

CCE-2820-9

2009-07-30T19:30:50.813Z

Auditing of "account logon" events on success should be enabled or disabled as appropriate..

AC-6

AU-2

CCE-2821-7

2009-07-30T19:30:55.563Z

The "Require a Password when a Computer Wakes (On Battery)" setting should be configured correctly.

AC-3

CCE-2825-8

2009-07-30T19:30:52.860Z

The "Remotely accessible registry paths" policy should be set correctly.

AC-3

CM-6

CM-7

SC-5

CCE-2838-1

2009-07-30T19:30:52.327Z

The "Send Unencrypted Password to Connect to Third-Party SMB Servers" policy should be set correctly.

AC-3

CM-6

CM-7

SC-5

CCE-2858-9

2009-07-30T19:30:52.267Z

The "Restrict CD-ROM Access to Locally Logged-On User Only" policy should be set correctly.

AC-3

CM-6

CM-7

SC-5

CCE-2868-8

2009-07-30T19:30:55.267Z

The "Turn Off Handwriting Reconition Error Reporting" setting should be configured correctly.

CM-6

CCE-2883-7

2009-07-30T19:30:51.453Z

The "minimum password length" policy should meet minimum requirements.

CM-6

IA-5

CCE-2927-2

2009-07-30T19:30:51.140Z

Auditing of "process tracking" events on failure should be enabled or disabled as appropriate..

AU-2

CCE-2953-8

2009-07-30T19:30:51.170Z

Auditing of "system" events on success should be enabled or disabled as appropriate..

AU-2

CCE-2962-9

2009-07-30T19:30:55.907Z

The "Turn off Heap termination on corruption" setting should be configured correctly.

CM-6

CCE-2967-8

2009-07-30T19:30:51.407Z

The "maximum password age" policy should meet minimum requirements.

AC-3

CM-6

CM-7

IA-5

SC-5

CCE-2970-2

2009-07-30T19:30:50.967Z

Auditing of "logon" events on failure should be enabled or disabled as appropriate..

AC-7

AU-2

CCE-2975-1

2009-07-30T19:30:54.797Z

The "Do not allow passwords to be saved" setting should be configured correctly for Terminal Services.

IA-2

IA-5

CCE-2979-3

2009-07-30T19:30:54.920Z

Hide mechanisms to remove zone information is set correcly.

CM-6

CCE-3001-5

2009-07-30T19:30:52.377Z

The "Shut Down system immediately if unable to log security audits" policy should be set correctly.

AC-3

AU-5

CM-6

CM-7

SC-5

CCE-3015-5

2009-07-30T19:30:51.233Z

The application log maximum size should be configured correctly..

AU-4

AU-5

CM-6

CCE-3023-9

2009-07-30T19:30:52.453Z

The "Digitally Sign Server Communication (Always)" policy should be set correctly.

AC-3

CM-6

CM-7

SC-5

CCE-3024-7

2009-07-30T19:30:51.127Z

Auditing of "process tracking" events on success should be enabled or disabled as appropriate..

AU-2

CCE-3032-0

2009-07-30T19:30:51.687Z

Use of the built-in Administrator account should be enabled or disabled as appropriate.

AC-3

CM-6

CM-7

SC-5

CCE-3033-8

2009-07-30T19:30:51.483Z

The "password must meet complexity requirments" policy should be set correctly.

CM-6

IA-5

CCE-3041-1

2009-07-30T19:30:50.890Z

Auditing of "directory service access" events on success should be enabled or disabled as appropriate..

CCE-3045-2

2009-07-30T19:30:55.093Z

The "Prohibit Access of the Windows Connect Now Wizards" setting should be configured correctly.

CCE-3046-0

2009-07-30T19:30:55.750Z

The "Turn off Untrusted Content" setting should be configured correctly.

CCE-3050-2

2009-07-30T19:30:52.983Z

The "Screen Saver Timeout" setting should be configured correctly for the current user.

CCE-3072-6

2009-07-30T19:30:51.767Z

Automatic Logon should be properly configured.

CCE-3075-9

2009-07-30T19:30:52.703Z

The "Maximum machine account password age" policy should be set correctly.

CCE-3076-7

2009-07-30T19:30:50.937Z

Auditing of "logon" events on success should be enabled or disabled as appropriate..

CCE-3082-5

2009-07-30T19:30:51.563Z

The startup type of the NetMeeting Remote Desktop Sharing service should be correct.

CCE-3089-0

2009-07-30T19:30:50.827Z

Auditing of "account logon" events on failure should be enabled or disabled as appropriate..

CCE-3093-2

2009-07-30T19:30:55.377Z

The "Turn Off Registration if URL Connection is Referring to Microsoft.com" setting should be configured correctly.

CCE-3115-3

2009-07-30T19:30:55.407Z

The "Turn Off the 'Order Prints' Picture Task" setting should be configured correctly.

CCE-3120-3

2009-07-30T19:30:51.953Z

TCP/IP Dead Gateway Detection should be properly configured.

CCE-3125-2

2009-07-30T19:30:55.937Z

The "Turn off shell protocol protected mode" setting should be configured correctly.

CCE-3138-5

2009-07-30T19:30:52.937Z

The "Do not store LAN Manager hash value on next password change" policy should be set correctly.

CCE-3142-7

2009-07-30T19:30:51.967Z

The TCP/IP KeepAlive Time should be set correctly .

CCE-3143-5

2009-07-30T19:30:55.813Z

The "Prevent indexing uncached Exchange folders" setting should be configured correctly.

CCE-3160-9

2009-07-30T19:30:53.437Z

Restrictions for Unauthenticated RPC clients (SP2 only)

CCE-3164-1

2009-07-30T19:30:52.467Z

The "Digitally Sign Server Communication (When Possible)" policy should be set correctly.

CCE-3165-8

2009-07-30T19:30:51.377Z

The system log maximum size should be configured correctly.

CCE-3168-2

2009-07-30T19:30:52.280Z

The "Restrict Floppy Access to Locally Logged-On User Only" policy should be set correctly.

CCE-3169-0

2009-07-30T19:30:54.877Z

Prompt for password on resume from hibernate/suspend is set correctly.

CCE-3173-2

2009-07-30T19:30:51.890Z

Display Last User Name in Logon Screen should be properly configured.

CCE-3177-3

2009-07-30T19:30:50.797Z

The "account lockout threshold" policy should meet minimum requirements.

CCE-3181-5

2009-07-30T19:30:52.047Z

Security Audit log warning level should be properly configured.

CCE-3199-7

2009-07-30T19:30:52.077Z

Safe DLL Search Mode should be properly configured.

CCE-3212-8

2009-07-30T19:30:52.313Z

The "Secure Channel: Require Strong (Windows 2000 or later) Session Key" policy should be set correctly.

CCE-3214-4

2009-07-30T19:30:56.140Z

The "Override the More Gadgets Link" setting should be configured correctly.

CCE-3217-7

2009-07-30T19:30:53.063Z

The "Allow Unsolicited Remote Assistance" policy should be set correctly for Terminal Services.

CCE-3220-1

2009-07-30T19:30:52.733Z

The "Require Domain Controller authentication to unlock workstation" policy should be set correctly.

CCE-3222-7

2009-07-30T19:30:51.187Z

Auditing of "system" events on failure should be enabled or disabled as appropriate..

CCE-3225-0

2009-07-30T19:30:52.530Z

The "Allowed to Format and Eject Removable NTFS Media" policy should be set correctly.

CCE-3230-0

2009-07-30T19:30:52.360Z

The "Users Prompted to Change Password Before Expiration" policy should be set correctly.

CCE-3232-6

2009-07-30T19:30:51.593Z

The behavior surrounding Anonymous users' abiliity to display lists of SAM accounts and shares should be correct.

CCE-3233-4

2009-07-30T19:30:52.593Z

The "Secure Channel: Digitally Sign Secure Channel Data (When Possible)" policy should be set correctly.

CCE-3234-2

2009-07-30T19:30:50.860Z

Auditing of "account management" events on success should be enabled or disabled as appropriate..

CCE-3239-1

2009-07-30T19:30:51.813Z

ICMP Redirects should be properly configured.

CCE-3240-9

2009-07-30T19:30:51.437Z

The "minimum password age" policy should meet minimum requirements.

CCE-3243-3

2009-07-30T19:30:51.000Z

Auditing of "object access" events on failure should be enabled or disabled as appropriate..

CCE-3244-1

2009-07-30T19:30:53.377Z

The automatic generation of 8.3 file names for NTFS should be enabled or disabled as appropriate.

CCE-3248-2

2009-07-30T19:30:51.670Z

Use of the built-in Guest account should be enabled or disabled as appropriate.

CCE-3251-6

2009-07-30T19:30:52.627Z

The "Smart Card Removal Behavior" policy should be set correctly.

CCE-3252-4

2009-07-30T19:30:52.407Z

The "Digitally Sign Client Communication (Always)" policy should be set correctly.

CCE-3255-7

2009-07-30T19:30:52.640Z

The "Prevent System Maintenance of Computer Account Password" policy should be set correctly.

AC-3

CM-6

CM-7

SC-5

CCE-3257-3

2009-07-30T19:30:51.093Z

Auditing of "privilege use" events on failure should be enabled or disabled as appropriate..

AC-6

AU-2

CCE-3259-9

2009-07-30T19:30:54.610Z

Turn off the Windows Messenger Customer Experience Improvement Program

CM-6

CCE-3261-5

2009-07-30T19:30:51.843Z

IP Source Routing should be properly configured.

AC-3

CM-6

CM-7

SC-5

CCE-3270-6

2009-07-30T19:30:55.063Z

The startup type of Microsoft Peer-to-Peer Networking Services should be configured correctly.

CM-6

CM-7

CCE-3271-4

2009-07-30T19:30:55.670Z

The "Turn on session logging" setting should be configured correctly.

AU-2

CCE-3272-2

2009-07-30T19:30:51.627Z

The behavior surrounding Anonymous users' abiliity to display lists of SAM accounts should be correct.

AC-3

CM-6

CM-7

SC-5

CCE-3278-9

2009-07-30T19:30:54.703Z

Turn off Windows Update device driver searching

CM-6

CCE-3279-7

2009-07-30T19:30:51.860Z

IRDP should be properly configured.

AC-3

CM-6

CM-7

SC-5

CCE-3283-9

2009-07-30T19:30:52.953Z

The "Force logoff when logon hours expire" policy should be set correctly.

AC-3

CM-6

CM-7

SC-5

CCE-3285-4

2009-07-30T19:30:52.157Z

The "Audit the access of global system objects" policy should be set correctly.

AC-3

CM-6

CM-7

SC-5

CCE-3287-0

2009-07-30T19:30:50.877Z

Auditing of "account management" events on failure should be enabled or disabled as appropriate..

AU-2

CCE-3288-8

2009-07-30T19:30:55.703Z

The "Prevent IIS Installation" setting should be configured correctly.

AC-6

CCE-3292-0

2009-07-30T19:30:53.313Z

The "Network access: Restrict anonymous access to named pipes and shares" setting should be configured correctly.

AC-3

CM-6

CCE-3297-9

2009-07-30T19:30:55.467Z

The "Turn Off Windows Movie Maker Online Web Links" setting should be configured correctly.

CM-6

CCE-3300-1

2009-07-30T19:30:54.937Z

Notify antivirus programs when opening attachments is set correcly.

SI-3

CCE-3302-7

2009-07-30T19:30:51.297Z

The security log maximum size should be configured correctly..

AU-4

AU-6

AU-9

CCE-3303-5

2009-07-30T19:30:52.187Z

The "Audit the use of backup and restore privilege" policy should be set correctly.

AC-3

CM-6

CM-7

SC-5

CCE-3307-6

2009-07-30T19:30:52.217Z

The "Disable CTRL+ALT+Delete Requirement for Logon" policy should be set correctly.

AC-3

CM-6

CM-7

SC-5

CCE-3309-2

2009-07-30T19:30:50.920Z

Auditing of "directory service access" events on failure should be enabled or disabled as appropriate..

AU-2

CCE-3311-8

2009-07-30T19:30:51.517Z

The "store password using reversible encryption for all users in the domain" policy should be set correctly.

CM-6

IA-5

CCE-3314-2

2009-07-30T19:30:51.717Z

The "Message title for users attempting to log on" policy should be set correctly.

AC-8

CM-6

CM-7

SC-5

CCE-3316-7

2009-07-30T19:30:51.547Z

The startup type of the Messenger service should be correct.

CM-6

CM-7

CCE-3323-3

2009-07-30T19:30:53.030Z

The "Allow Solicited Remote Assistance" policy should be set correctly for Terminal Services.

CM-6

CCE-3325-8

2009-07-30T19:30:52.233Z

The "Prevent Users from Installing Printer Drivers" policy should be set correctly.

AC-3

CM-6

CM-7

SC-5

CCE-3330-8

2009-07-30T19:30:52.547Z

The "Secure Channel: Digitally Encrypt or Sign Secure Channel Data (Always)" policy should be set correctly.

CM-6

SC-2

CCE-3331-6

2009-07-30T19:30:55.127Z

The "Allow remote access to the PnP interface" setting should be configured correctly.

AC-1

CCE-3336-5

2009-07-30T19:30:51.733Z

The "Message text for users attempting to log on" policy should be set correctly.

AC-8

CM-6

CM-7

SC-5

CCE-3341-5

2009-07-30T19:30:55.983Z

The "Report Logon Server Not Available During User logon" setting should be configured correctly.

CM-6

CCE-3348-0

2009-07-30T19:30:55.233Z

The "Turn Off Event Views 'Events.asp' Links" setting should be configured correctly.

CM-6

CCE-3349-8

2009-07-30T19:30:52.890Z

The "Shares that can be accessed anonymously" policy should be set correctly.

AC-3

CM-6

CM-7

CCE-3361-3

2009-07-30T19:30:52.750Z

The "Disconnect clients when logon hours expire" policy should be set correctly.

AC-3

CM-6

CM-7

SC-5

CCE-3364-7

2009-07-30T19:30:54.577Z

Turn off Internet download for Web publishing and online ordering wizards

CM-6

CCE-3367-0

2009-07-30T19:30:52.907Z

The "Sharing and security model for local accounts" policy should be set correctly.

AC-3

CM-6

CM-7

CCE-3376-1

2009-07-30T19:30:55.797Z

The "Allow indexing of encrypted files" setting should be configured correctly.

CM-6

CCE-3379-5

2009-07-30T19:30:52.780Z

The "Do not allow storage of credentials or .NET Passports" policy should be set correctly.

AC-3

CM-6

CM-7

SC-5

CCE-3380-3

2009-07-30T19:30:52.843Z

The "Named Pipes that can be accessed anonymously" policy should be set correctly.

AC-3

CM-6

CM-7

SC-5

CCE-3385-2

2009-07-30T19:30:55.500Z

The "Turn Off Windows Movie Maker Saving to Online Video Hosting Provider" setting should be configured correctly.

CM-6

CCE-3394-4

2009-07-30T19:30:53.407Z

RPC Endpiont Mapper Client Authentication (SP2 only)

IA-2

CCE-3398-5

2009-07-30T19:30:55.953Z

The "Prohibit non-administrators from applying vendor signed updates" setting should be configured correctly.

AC-6

CM-5

CCE-3403-3

2009-07-30T19:30:55.453Z

The "Turn Off Windows Movies Maker Automatic Codec Downloads" setting should be configured correctly.

CM-6

CCE-3421-5

2009-07-30T19:30:54.657Z

Turn off printing over HTTP

CM-6

CCE-3429-8

2009-07-30T19:30:53.017Z

The "Always Prompt Client for Password upon Connection" policy should be set correctly for Terminal Services.

IA-2

CCE-3432-2

2009-07-30T19:30:55.327Z

The "Turn Off Internet Connection Wizard if URL Connection is Referring to Microsoft.com" setting should be configured correctly.

CM-6

CCE-3437-1

2009-07-30T19:30:54.890Z

Do not preserve zone information in file attachments is set correcly.

CM-6

CCE-3450-4

2009-07-30T19:30:55.000Z

Audit: Force audit policy subcategory settings are set correcly.

AC-3

CM-6

CM-7

SC-5

CCE-3452-0

2009-07-30T19:30:54.563Z

Group Policy - Registry policy processing

CM-6

CCE-3454-6

2009-07-30T19:30:55.217Z

The "Turn Off Automatic Root Certificates Update" setting should be configured correctly.

CM-6

CCE-3456-1

2009-07-30T19:30:56.127Z

The "Disable unpacking and installation of gadgets that are not digitally signed" setting should be configured correctly.

CM-5

CM-6

CCE-3459-5

2009-07-30T19:30:53.327Z

MSS:(TCPMaxConnectResponseRetransmission) SYN-ACK retansmissions when a connection request is not acknowledged

AC-3

CM-6

CM-7

SC-5

CCE-3460-3

2009-07-30T19:30:53.360Z

MSS:(TCPMaxDataRetransmissions) How many times unacknowledged data is retransmitted

AC-3

CM-6

CM-7

SC-5

CCE-3464-5

2009-07-30T19:30:55.140Z

The "Do not create system restore point when new device driver installed" setting should be configured correctly.

CM-6

CCE-3468-6

2009-07-30T19:30:55.170Z

The "Do not send a Windows Error Report when a generic driver is installed on a device" setting should be configured correctly.

SI-1

CCE-3469-4

2009-07-30T19:30:55.577Z

The "Require a Password when a Computer Wakes (Plugged)" setting should be configured correctly.

AC-3

CCE-3482-7

2009-07-30T19:30:56.187Z

The "Do not allow Digital Locker to run" setting should be configured correctly.

CM-6

CCE-3486-8

2009-07-30T19:30:56.047Z

The "Prevent Windows Media DRM Internet Access" setting should be configured correctly.

AC-4

CCE-3500-6

2009-07-30T19:30:56.170Z

The "Turn Off User Installed Windows Sidebar Gadgets" setting should be configured correctly.

CM-6

CCE-3953-7

2009-07-30T19:30:56.627Z

The "Recovery Console: Allow Floppy Copy and Access to All Drives and All Folders" policy should be set correctly.

AC-3

CM-6

CM-7

SC-5

CCE-3954-5

2009-07-30T19:30:56.657Z

The "Allow System to be Shut Down Without Having to Log On" policy should be set correctly.

AC-3

CM-6

CM-7

SC-5

CCE-3969-3

2009-07-30T19:30:56.670Z

The "Clear Virtual Memory Pagefile at shutdown" policy should be set correctly.

AC-3

CM-6

CM-7

SC-5

CCE-4011-3

2009-07-30T19:30:56.750Z

The "Strengthen Default Permissions of Global System Objects" policy should be set correctly.

AC-3

CM-6

CCE-4016-2

2009-07-30T19:30:56.797Z

The "Behavior of the elevation prompt for administrators in Admin Approval Mode" setting should be configured correctly.

AC-3

AC-6

CCE-4020-4

2009-07-30T19:30:56.890Z

The "User Account Control: Only elevate UIAccess applications that are installed in secure locations" setting should be configured correctly.

AC-3

AC-6

CCE-4034-5

2009-07-30T19:30:57.547Z

The "load and unload device drivers" user right should be assigned to the correct accounts.

AC-3

CM-6

CCE-4038-6

2009-07-30T19:30:57.627Z

The "log on as a service" user right should be assigned to the correct accounts.

AC-3

CM-6

CCE-4046-9

2009-07-30T19:30:57.640Z

The "manage auditing and security log" user right should be assigned to the correct accounts.

AC-3

CM-6

CCE-4048-5

2009-07-30T19:30:57.687Z

The "modify firmware environment values" user right should be assigned to the correct accounts.

AC-3

CM-6

CCE-4071-7

2009-07-30T19:30:57.717Z

The "perform volume maintenance tasks" user right should be assigned to the correct accounts.

AC-3

CM-6

CCE-4077-4

2009-07-30T19:30:58.000Z

The "Turn on Responder (RSPNDR) driver" setting should be configured correctly for the domain profile.

CM-6

CCE-4078-2

2009-07-30T19:30:58.063Z

The startup type of the Internet Connection Sharing service should be correct.

SC-7

CCE-4083-2

2009-07-30T19:30:57.593Z

The "log on as a batch job" user right should be assigned to the correct accounts.

AC-3

CM-6

CCE-4086-5

2009-07-30T19:30:58.217Z

The setup log maximum size should be configured correctly.

AU-4

CCE-4088-1

2009-07-30T19:30:57.000Z

The "act as part of the operating system" user right should be assigned to the correct accounts.

AC-3

CM-6

CCE-4089-9

2009-07-30T19:30:58.453Z

The "Do not send additional data" setting should be configured correctly.

CM-6

CCE-4093-1

2009-07-30T19:30:58.733Z

Auditing of "Account Management: Computer Account Management" events on success should be enabled or disabled as appropriate.

AU-2

CCE-4107-9

2009-07-30T19:30:56.610Z

The "Recovery Console: Allow Automatic Administrative Logon" policy should be set correctly.

AC-3

CM-6

CM-7

SC-5

CCE-4115-2

2009-07-30T19:30:58.780Z

Auditing of "Account Management: Distribution Group Management" events on success should be enabled or disabled as appropriate.

AU-2

CCE-4140-0

2009-07-30T19:30:58.797Z

Auditing of "Account Management: Distribution Group Management" events on failure should be enabled or disabled as appropriate.

AU-2

CCE-4142-6

2009-07-30T19:30:58.907Z

Auditing of "Account Management: Security Group Management" events on failure should be enabled or disabled as appropriate.

AU-2

CCE-4152-5

2009-07-30T19:30:58.017Z

Installation and Configuration of Network Bridge on the DNS Domain Network should be properly configured.

CM-7

CCE-4166-5

2009-07-30T19:30:59.017Z

Auditing of "Detailed Tracking: Process Creation" events on success should be enabled or disabled as appropriate.

AU-2

CCE-4176-4

2009-07-30T19:30:59.343Z

Auditing of "DS Access: Directory Service Replication" events on failure should be enabled or disabled as appropriate.

AU-2

CCE-4183-0

2009-07-30T19:30:59.593Z

Auditing of "Logon/Logoff: Logoff" events on failure should be enabled or disabled as appropriate.

AC-7

AU-2

CCE-4184-8

2009-07-30T19:30:57.267Z

The "create permanent shared objects" user right should be assigned to the correct accounts.

AC-3

CM-6

CCE-4194-7

2009-07-30T19:30:56.953Z

The "User Account Control: Virtualize file and registry write failures to per-user locations" setting should be configured correctly.

AC-3

AC-6

CCE-4200-2

2009-07-30T19:30:59.877Z

Auditing of "Object Access: File Share" events on success should be enabled or disabled as appropriate.

AU-2

CCE-4201-0

2009-07-30T19:31:00.313Z

Auditing of "Policy Change: Audit Policy Change" events on success should be enabled or disabled as appropriate.

AU-2

CCE-4204-4

2009-07-30T19:31:00.530Z

Auditing of "Policy Change: MPSSVC Rule-Level Policy Change" events on failure should be enabled or disabled as appropriate.

AU-2

CCE-4205-1

2009-07-30T19:31:00.687Z

Auditing of "Privilege Use: Privilege Use: Other Privilege Use Events" events on failure should be enabled or disabled as appropriate.

AC-6

AU-2

CCE-4213-5

2009-07-30T19:30:56.577Z

The "Minimum session security for NTLM SSP based servers" policy should be set correctly.

AC-3

CM-6

CM-7

SC-5

CCE-4228-3

2009-07-30T19:30:58.750Z

Auditing of "Account Management: Computer Account Management" events on failure should be enabled or disabled as appropriate.

AU-2

CCE-4264-8

2009-07-30T19:30:57.077Z

The "allow logon through Terminal Services" user right should be assigned to the correct accounts.

AC-3

CM-6

CCE-4267-1

2009-07-30T19:30:58.327Z

The "Set time limit for idle sessions" policy should be set correctly for Terminal Services.

AC-1

AC-3

CM-6

CM-7

CCE-4285-3

2009-07-30T19:30:57.670Z

The "Modify an object label" user right should be assigned to the appropriate accounts.

AC-3

CM-6

CCE-4290-3

2009-07-30T19:30:58.627Z

The "Password protect the screen saver" setting should be configured correctly for the current user.

AC-1

CM-6

IA-5

CCE-4300-0

2009-07-30T19:31:00.703Z

Auditing of "Privilege Use: Sensitive Privilege Use" events on success should be enabled or disabled as appropriate.

AC-6

AU-2

CCE-4317-4

2009-07-30T19:30:57.577Z

The "lock pages in memory" user right should be assigned to the correct accounts.

AC-3

CM-6

CCE-4334-9

2009-07-30T19:30:56.983Z

The "access this computer from the network" user right should be assigned to the correct accounts.

AC-3

CM-6

CCE-4335-6

2009-07-30T19:31:00.047Z

Auditing of "Object Access: Filtering Platform Packet Drop" events on failure should be enabled or disabled as appropriate.

AU-2

CCE-4342-2

2009-07-30T19:30:59.377Z

Auditing of "Logon/Logoff: Account Lockout" events on success should be enabled or disabled as appropriate.

AU-2

CCE-4363-8

2009-07-30T19:30:59.093Z

Auditing of "Detailed Tracking: Process Termination" events on failure should be enabled or disabled as appropriate.

AU-2

CCE-4372-9

2009-07-30T19:30:57.813Z

The "replace a process-level token" user right should be assigned to the correct accounts.

AC-3

CM-6

CCE-4382-8

2009-07-30T19:30:57.483Z

The "Impersonate a client after authentication" user right should be assigned to the correct accounts.

AC-3

CM-6

CCE-4405-7

2009-07-30T19:30:58.530Z

The "Do Not Show First Use Dialog Boxes" setting for Windows Media Player should be configured correctly.

CM-6

CCE-4423-0

2009-07-30T19:30:59.657Z

Auditing of "Logon/Logoff: Logon" events on failure should be enabled or disabled as appropriate.

AC-7

AU-2

CCE-4479-2

2009-07-30T19:31:00.563Z

Auditing of "Policy Change: Other Policy Change Events" events on success should be enabled or disabled as appropriate.

AU-2

CCE-4488-3

2009-07-30T19:30:57.453Z

The "generate security audits" user right should be assigned to the correct accounts.

AC-3

AU-9

CM-6

CCE-4493-3

2009-07-30T19:30:59.000Z

Auditing of "Detailed Tracking: DPAPI Activity" events on failure should be enabled or disabled as appropriate.

AU-2

CCE-4501-3

2009-07-30T19:30:58.250Z

The "Do not allow drive redirection" setting should be configured correctly for Terminal Services.

CM-6

CCE-4505-4

2009-07-30T19:30:59.437Z

Auditing of "Logon/Logoff: IPsec Extended Mode" events on failure should be enabled or disabled as appropriate.

AU-2

CCE-4516-1

2009-07-30T19:31:00.390Z

Auditing of "Policy Change: Authentication Policy Change" events on failure should be enabled or disabled as appropriate.

AU-2

CCE-4535-1

2009-07-30T19:31:00.877Z

Auditing of "System: Security State Change" events on success should be enabled or disabled as appropriate.

SI-6

CCE-4568-2

2009-07-30T19:30:59.967Z

Auditing of "Object Access: Filtering Platform Connection" events on success should be enabled or disabled as appropriate.

AU-2

CCE-4569-0

2009-07-30T19:30:57.860Z

The "shut down the system" user right should be assigned to the correct accounts.

AC-3

CM-6

CM-7

CCE-4583-1

2009-07-30T19:30:56.547Z

The "Minimum session security for NTLM SSP based clients" policy should be set correctly.

AC-3

CM-6

CM-7

SC-5

CCE-4594-8

2009-07-30T19:31:00.217Z

Auditing of "Object Access: Registry" events on success should be enabled or disabled as appropriate.

AU-2

CCE-4612-8

2009-07-30T19:30:56.843Z

The "User Account Control: Detect application installations and prompt for elevation" setting should be configured correctly.

AC-3

AC-6

CCE-4616-9

2009-07-30T19:31:00.267Z

Auditing of "Object Access: SAM" events on success should be enabled or disabled as appropriate.

AU-2

CCE-4618-5

2009-07-30T19:30:57.767Z

The "profile system performance" user right should be assigned to the correct accounts.

AC-3

CM-6

CCE-4627-6

2009-07-30T19:30:57.937Z

The required permissions for the WLAN AutoConfig service should be assigned.

AC-1

CCE-4629-2

2009-07-30T19:30:58.500Z

The "Enable User Control Over Installs" policy should be set correctly.

AC-6

CCE-4650-8

2009-07-30T19:30:59.500Z

Auditing of "Logon/Logoff: IPsec Main Mode" events on failure should be enabled or disabled as appropriate.

AU-2

CCE-4651-6

2009-07-30T19:30:57.500Z

The "Increase a Process Working Set" setting should be configured correctly.

AC-3

CM-6

CCE-4656-5

2009-07-30T19:30:57.407Z

The "deny logon through Terminal Services" user right should be assigned to the correct accounts.

AC-3

CM-6

CCE-4658-1

2009-07-30T19:30:59.203Z

Auditing of "DS Access: Detailed Directory Service Replication" events on failure should be enabled or disabled as appropriate.

AU-2

CCE-4673-0

2009-07-30T19:30:57.437Z

The "force shutdown from a remote system" user right should be assigned to the correct accounts.

AC-3

CM-6

CCE-4687-0

2009-07-30T19:30:57.297Z

The "debug programs" user right should be assigned to the correct accounts.

AC-3

CM-6

CCE-4691-2

2009-07-30T19:31:00.187Z

Auditing of "Object Access: Other Object Access Events" events on failure should be enabled or disabled as appropriate.

AU-2

CCE-4694-6

2009-07-30T19:30:58.157Z

The "Enable Error Reporting" policy should be set correctly.

CM-6

CCE-4700-1

2009-07-30T19:30:58.703Z

Auditing of "Account Management: Application Group Management" events on failure should be enabled or disabled as appropriate.

AU-2

CCE-4703-5

2009-07-30T19:30:59.577Z

Auditing of "Logon/Logoff: Logoff" events on success should be enabled or disabled as appropriate.

AC-7

AU-2

CCE-4704-3

2009-07-30T19:30:57.313Z

The "deny access to this computer from the network" user right should be assigned to the correct accounts.

AC-3

CM-6

CCE-4714-2

2009-07-30T19:30:59.827Z

Auditing of "Object Access: Certification Services" events on success should be enabled or disabled as appropriate.

AU-2

CCE-4722-5

2009-07-30T19:30:57.343Z

The "deny logon as a batch job" user right should be assigned to the correct accounts.

AC-3

CM-6

CCE-4734-0

2009-07-30T19:31:00.733Z

Auditing of "Privilege Use: Sensitive Privilege Use" events on failure should be enabled or disabled as appropriate.

AC-6

AU-2

CCE-4757-1

2009-07-30T19:30:57.187Z

The "create a pagefile" user right should be assigned to the correct accounts.

AC-3

CM-6

CCE-4759-7

2009-07-30T19:30:59.157Z

Auditing of "Detailed Tracking: RPC Events" events on failure should be enabled or disabled as appropriate.

AU-2

CCE-4761-3

2009-07-30T19:30:58.360Z

Computer-wide, rather than per-user, use of Microsoft Spynet Reporting for Windows Defender should be enabled or disabled as appropriate.

CM-6

CCE-4774-6

2009-07-30T19:30:56.703Z

The "Use FIPS compliant algorithms for encryption, hashing, and signing" policy should be set correctly.

IA-5

IA-7

SC-2

SC-9

CCE-4781-1

2009-07-30T19:30:56.467Z

The "Remotely accessible registry paths and subpaths" policy should be set correctly.

AC-3

CM-6

CM-7

SC-5

CCE-4783-7

2009-07-30T19:30:58.843Z

Auditing of "Account Management: Other Account Management Events" events on failure should be enabled or disabled as appropriate.

AU-2

CCE-4792-8

2009-07-30T19:30:57.250Z

The "Create global objects" user right should be assigned to the correct accounts.

AC-3

CM-6

CCE-4796-9

2009-07-30T19:30:57.530Z

The "increase scheduling priority" user right should be assigned to the correct accounts.

AC-3

CM-6

CCE-4797-7

2009-07-30T19:30:58.610Z

The "Do Not Automatically Start Windows Messenger" policy should be set correctly.

CM-6

CCE-4808-2

2009-07-30T19:30:59.297Z

Auditing of "DS Access: Directory Service Changes" events on failure should be enabled or disabled as appropriate.

AU-2

CCE-4813-2

2009-07-30T19:30:58.170Z

Use Classic Logon should be properly configured.

CM-6

CCE-4822-3

2009-07-30T19:31:01.000Z

Auditing of "System: System Integrity" events on failure should be enabled or disabled as appropriate.

SI-7

CCE-4824-9

2009-07-30T19:30:59.750Z

Auditing of "Logon/Logoff: Special Logon" events on failure should be enabled or disabled as appropriate.

AC-7

AU-2

CCE-4827-2

2009-07-30T19:30:57.093Z

The "back up files and directories" user right should be assigned to the correct accounts.

AC-3

CM-6

CCE-4828-0

2009-07-30T19:31:00.063Z

Auditing of "Object Access: Handle Manipulation" events on success should be enabled or disabled as appropriate.

AU-2

CCE-4829-8

2009-07-30T19:30:59.797Z

Auditing of "Object Access: Application Generated" events on failure should be enabled or disabled as appropriate.

AU-2

CCE-4833-0

2009-07-30T19:30:58.920Z

Auditing of "Account Management: User Account Management" events on success should be enabled or disabled as appropriate.

AU-2

CCE-4841-3

2009-07-30T19:30:56.717Z

The "Require Case Insensitivity for Non-Windows Sybsystems" policy should be set correctly.

AC-3

CM-6

CM-7

SC-5

CCE-4851-2

2009-07-30T19:31:01.360Z

The "Turn off Help Ratings" setting should be configured correctly.

CM-6

CCE-4854-6

2009-07-30T19:30:57.030Z

The "adjust memory quotas for a process" user right should be assigned to the correct accounts.

AC-3

CM-6

CCE-4857-9

2009-07-30T19:30:59.390Z

Auditing of "Logon/Logoff: Account Lockout" events on failure should be enabled or disabled as appropriate.

AU-2

CCE-4861-1

2009-07-30T19:30:57.797Z

The "remove computer from docking station" user right should be assigned to the correct accounts.

AC-3

CM-6

CCE-4863-7

2009-07-30T19:30:57.140Z

The "change the system time" user right should be assigned to the correct accounts.

AU-8

CM-7

CCE-4866-0

2009-07-30T19:30:58.280Z

The "Set Client connection Encryption Level" policy should be set correctly for Terminal Services.

SC-1

CCE-4867-8

2009-07-30T19:30:57.360Z

The "deny logon as a service" user right should be assigned to the correct accounts.

AC-3

CM-6

CCE-4868-6

2009-07-30T19:30:59.843Z

Auditing of "Object Access: Certification Services" events on failure should be enabled or disabled as appropriate.

AU-2

CCE-4869-4

2009-07-30T19:30:59.077Z

Auditing of "Detailed Tracking: Process Termination" events on success should be enabled or disabled as appropriate.

AU-2

CCE-4872-8

2009-07-30T19:30:57.047Z

The "log on locally" user right should be assigned to the correct accounts.

AC-3

CM-6

CCE-4877-7

2009-07-30T19:31:00.360Z

Auditing of "Policy Change: Authentication Policy Change" events on success should be enabled or disabled as appropriate.

AU-2

CCE-4879-3

2009-07-30T19:31:00.797Z

Auditing of "System: Ipsec Driver" events on failure should be enabled or disabled as appropriate.

SC-8

CCE-4883-5

2009-07-30T19:31:00.843Z

Auditing of "System: Other System Events" events on failure should be enabled or disabled as appropriate.

CM-6

CCE-4885-0

2009-07-30T19:31:00.140Z

Auditing of "Object Access: Kernel Object" events on failure should be enabled or disabled as appropriate.

AU-2

CCE-4889-2

2009-07-30T19:30:57.390Z

The "deny logon locally" user right should be assigned to the correct accounts.

AC-3

CM-6

CCE-4891-8

2009-07-30T19:30:59.127Z

Auditing of "Detailed Tracking: RPC Events" events on success should be enabled or disabled as appropriate.

AU-2

CCE-4898-3

2009-07-30T19:30:58.563Z

The "Disable Media Player for automatic updates" policy should be set correctly.

SI-2

CCE-4902-3

2009-07-30T19:30:57.217Z

The "Create a token object" user right should be assigned to the correct accounts.

AC-3

CM-6

CCE-4904-9

2009-07-30T19:30:56.453Z

Kerberos and RSVP Traffic Protected by IPSec should be properly configured.

AC-3

CM-6

CM-7

SC-5

CCE-4907-2

2009-07-30T19:30:56.907Z

The "User Account Control: Run all administrators in Admin Approval Mode" setting should be configured correctly.

AC-3

AC-6

CCE-4910-6

2009-07-30T19:31:00.953Z

Auditing of "System: Security System Extension" events on failure should be enabled or disabled as appropriate.

SI-6

CCE-4915-5

2009-07-30T19:30:58.377Z

The "Disable Logging" setting should be configured correctly.

AU-2

CCE-4916-3

2009-07-30T19:30:58.827Z

Auditing of "Account Management: Other Account Management Events" events on success should be enabled or disabled as appropriate.

AU-2

CCE-4919-7

2009-07-30T19:30:58.420Z

The "Display Error Notification" setting should be configured correctly.

CM-6

CCE-4921-3

2009-07-30T19:30:59.920Z

Auditing of "Object Access: File System" events on success should be enabled or disabled as appropriate.

AU-2

CCE-4922-1

2009-07-30T19:30:56.500Z

The "LAN Manager Authentication Level" policy should be set correctly.

AC-3

CM-6

CM-7

SC-5

CCE-4925-4

2009-07-30T19:30:56.937Z

The "User Account Control: Switch to the secure desktop when prompting for elevation" setting should be configured correctly.

AC-3

AC-6

CCE-4928-8

2009-07-30T19:30:59.547Z

Auditing of "Logon/Logoff: IPsec Quick Mode" events on failure should be enabled or disabled as appropriate.

AU-2

CCE-4931-2

2009-07-30T19:30:59.250Z

Auditing of "DS Access: Directory Service Access" events on failure should be enabled or disabled as appropriate.

AU-2

CCE-4938-7

2009-07-30T19:30:58.687Z

Auditing of "Account Management: Application Group Management" events on success should be enabled or disabled as appropriate.

AU-2

CCE-4939-5

2009-07-30T19:31:00.483Z

Auditing of "Policy Change: Filtering Platform Policy Change" events on failure should be enabled or disabled as appropriate.

AU-2

CCE-4940-3

2009-07-30T19:30:56.517Z

The "LDAP client signing requirements" policy should be set correctly.

AC-3

CM-6

CM-7

SC-5

CCE-4947-8

2009-07-30T19:31:00.017Z

Auditing of "Object Access: Filtering Platform Packet Drop" events on success should be enabled or disabled as appropriate.

AU-2

CCE-4948-6

2009-07-30T19:30:57.843Z

The "restore files and directories" user right should be assigned to the correct accounts.

AC-3

CM-6

CCE-4955-1

2009-07-30T19:30:56.767Z

The "User Account Control: Admin Approval Mode for the Built-in Administrator account" setting should be configured correctly.

AC-3

AC-6

CCE-4956-9

2009-07-30T19:30:59.717Z

Auditing of "Logon/Logoff: Special Logon" events on success should be enabled or disabled as appropriate.

AC-7

AU-2

CCE-4962-7

2009-07-30T19:30:57.733Z

The "profile single process" user right should be assigned to the correct accounts.

AC-3

CM-6

CCE-4965-0

2009-07-30T19:31:00.093Z

Auditing of "Object Access: Handle Manipulation" events on failure should be enabled or disabled as appropriate.

AU-2

CCE-4969-2

2009-07-30T19:30:56.813Z

The "Behavior of the elevation prompt for standard users" setting should be configured correctly.

AC-3

AC-6

CCE-4970-0

2009-07-30T19:30:57.890Z

The "synchronize directory service data" user right should be assigned to the correct accounts.

AC-3

CM-6

CCE-4973-4

2009-07-30T19:30:57.127Z

The "bypass traverse checking" user right should be assigned to the correct accounts.

AC-3

CM-6

CCE-4976-7

2009-07-30T19:31:00.767Z

Auditing of "System: Ipsec Driver" events on success should be enabled or disabled as appropriate.

SC-8

CCE-4982-5

2009-07-30T19:31:00.297Z

Auditing of "Object Access: SAM" events on failure should be enabled or disabled as appropriate.

AU-2

CCE-4988-2

2009-07-30T19:30:57.920Z

The "take ownership of files or other objects" user right should be assigned to the correct accounts.

AC-3

CM-6

CCE-4990-8

2009-07-30T19:31:00.640Z

Auditing of "Privilege Use: Non Sensitive Privilege Use" events on failure should be enabled or disabled as appropriate.

AC-6

AU-2

CCE-4991-6

2009-07-30T19:30:58.483Z

The "Set Safe for Scripting" policy should be set correctly.

CM-6

CCE-4992-4

2009-07-30T19:30:57.967Z

Internet Explorer Processes (Zone Elevation Protection)

CM-6

CCE-4995-7

2009-07-30T19:31:00.593Z

Auditing of "Policy Change: Other Policy Change Events" events on failure should be enabled or disabled as appropriate.

AU-2

CCE-4996-5

2009-07-30T19:31:00.110Z

Auditing of "Object Access: Kernel Object" events on success should be enabled or disabled as appropriate.

AU-2

CCE-4998-1

2009-07-30T19:31:00.813Z

Auditing of "System: Other System Events" events on success should be enabled or disabled as appropriate.

CM-6

CCE-5000-5

2009-07-30T19:30:58.967Z

Auditing of "Detailed Tracking: DPAPI Activity" events on success should be enabled or disabled as appropriate.

AU-2

CCE-5004-7

2009-07-30T19:30:56.860Z

The "User Account Control: Only elevate executables that are signed and validated" setting should be configured correctly.

AC-3

AC-6

CCE-5007-0

2009-07-30T19:30:58.297Z

The "Set time limit for disconnected sessions" policy should be set correctly for Terminal Services.

AC-1

AC-3

CM-6

CM-7

CCE-5008-8

2009-07-30T19:30:57.170Z

The "Change the time zone" user right should be assigned to the appropriate accounts.

AU-8

CM-7

CCE-5011-2

2009-07-30T19:30:59.420Z

Auditing of "Logon/Logoff: IPsec Extended Mode" events on success should be enabled or disabled as appropriate.

AU-2

CCE-5016-1

2009-07-30T19:30:59.467Z

Auditing of "Logon/Logoff: IPsec Main Mode" events on success should be enabled or disabled as appropriate.

AU-2

CCE-5018-7

2009-07-30T19:30:59.627Z

Auditing of "Logon/Logoff: Logon" events on success should be enabled or disabled as appropriate.

AC-7

AU-2

CCE-5020-3

2009-07-30T19:30:58.047Z

The "Prohibit use of Internet Connection Firewall on your DNS domain network" setting should be configured correctly.

SC-7

CCE-5023-7

2009-07-30T19:30:59.170Z

Auditing of "DS Access: Detailed Directory Service Replication" events on success should be enabled or disabled as appropriate.

AU-2

CCE-5028-6

2009-07-30T19:30:59.217Z

Auditing of "DS Access: Directory Service Access" events on success should be enabled or disabled as appropriate.

AU-2

CCE-5034-4

2009-07-30T19:30:58.407Z

The "Disable Windows Error Reporting" setting should be configured correctly.

SI-2

CCE-5038-5

2009-07-30T19:30:59.517Z

Auditing of "Logon/Logoff: IPsec Quick Mode" events on success should be enabled or disabled as appropriate.

AU-2

CCE-5039-3

2009-07-30T19:30:59.937Z

Auditing of "Object Access: File System" events on failure should be enabled or disabled as appropriate.

AU-2

CCE-5047-6

2009-07-30T19:31:00.967Z

Auditing of "System: System Integrity" events on success should be enabled or disabled as appropriate.

SI-7

CCE-5048-4

2009-07-30T19:30:58.877Z

Auditing of "Account Management: Security Group Management" events on success should be enabled or disabled as appropriate.

AU-2

CCE-5058-3

2009-07-30T19:31:00.437Z

Auditing of "Policy Change: Authorization Policy Change" events on failure should be enabled or disabled as appropriate.

AU-2

CCE-5061-7

2009-07-30T19:30:58.093Z

The "Configuration of wireless settings using Windows Connect Now" setting should be configured correctly for Wireless Connect Now over Ethernet (UPnP).

CM-6

CCE-5066-6

2009-07-30T19:30:59.703Z

Auditing of "Logon/Logoff: Other Logon/Logoff Events" events on failure should be enabled or disabled as appropriate.

AC-7

AU-2

CCE-5067-4

2009-07-30T19:30:59.267Z

Auditing of "DS Access: Directory Service Changes" events on success should be enabled or disabled as appropriate.

AU-2

CCE-5070-8

2009-07-30T19:30:58.657Z

The "Prevent users from sharing files within their profile" setting should be configured correctly.

AC-6

CCE-5079-9

2009-07-30T19:30:59.983Z

Auditing of "Object Access: Filtering Platform Connection" events on failure should be enabled or disabled as appropriate.

AU-2

CCE-5084-9

2009-07-30T19:30:59.780Z

Auditing of "Object Access: Application Generated" events on success should be enabled or disabled as appropriate.

AU-2

CCE-5087-2

2009-07-30T19:31:00.233Z

Auditing of "Object Access: Registry" events on failure should be enabled or disabled as appropriate.

AU-2

CCE-5089-8

2009-07-30T19:30:59.313Z

Auditing of "DS Access: Directory Service Replication" events on success should be enabled or disabled as appropriate.

AU-2

CCE-5094-8

2009-07-30T19:30:59.047Z

Auditing of "Detailed Tracking: Process Creation" events on failure should be enabled or disabled as appropriate.

AU-2

CCE-5097-1

2009-07-30T19:30:58.953Z

Auditing of "Account Management: User Account Management" events on failure should be enabled or disabled as appropriate.

AU-2

CCE-5114-4

2009-07-30T19:31:00.610Z

Auditing of "Privilege Use: Non Sensitive Privilege Use" events on success should be enabled or disabled as appropriate.

AC-6

AU-2

CCE-5131-8

2009-07-30T19:31:00.657Z

Auditing of "Privilege Use: Other Privilege Use Events" events on success should be enabled or disabled as appropriate.

AC-6

AU-2

CCE-5132-6

2009-07-30T19:31:00.170Z

Auditing of "Object Access: Other Object Access Events" events on success should be enabled or disabled as appropriate.

AU-2

CCE-5137-5

2009-07-30T19:31:00.343Z

Auditing of "Policy Change: Audit Policy Change" events on failure should be enabled or disabled as appropriate.

AU-2

CCE-5145-8

2009-07-30T19:30:59.890Z

Auditing of "Object Access: File Share" events on failure should be enabled or disabled as appropriate.

AU-2

CCE-5157-3

2009-07-30T19:31:00.890Z

Auditing of "System: Security State Change" events on failure should be enabled or disabled as appropriate.

SI-6

CCE-5163-1

2009-07-30T19:30:59.670Z

Auditing of "Logon/Logoff: Other Logon/Logoff Events" events on success should be enabled or disabled as appropriate.

AC-7

AU-2

CCE-5170-6

2009-07-30T19:31:00.920Z

Auditing of "System: Security System Extension" events on success should be enabled or disabled as appropriate.

SI-6

CCE-5172-2

2009-07-30T19:31:00.420Z

Auditing of "Policy Change: Authorization Policy Change" events on success should be enabled or disabled as appropriate.

AU-2

CCE-5177-1

2009-07-30T19:31:00.467Z

Auditing of "Policy Change: Filtering Platform Policy Change" events on success should be enabled or disabled as appropriate.

AU-2

CCE-5181-3

2009-07-30T19:31:00.517Z

Auditing of "Policy Change: MPSSVC Rule-Level Policy Change" events on success should be enabled or disabled as appropriate.

AU-2

CCE-5239-9

2009-07-30T19:31:01.343Z

The "Turn off Help Experience Improvement Program" setting should be configured correctly.

CM-6

FINAL

GOVERNMENTAL_AUTHORITY

Microsoft Windows Vista

cpe:/o:microsoft:windows_vista

Operating System

Firewall

FDCC

fdcc@nist.gov

04/08/2009 - Major Version 1.2 released 10/31/2008 - Major Version 1.1.1.0 released 06/20/2008 - Major Version 1.0 released

The link to the FDCC home page.

FDCC FAQ

FDCC primary download page

FDCC individual file listings and download page

true

false

true

OVAL 5.3

634019D5437F986C42BEE250D4A5EE29D92BDA76

03E8A0675C33A50FDD608A0BA2D5884FA857E935 7069E7D356DA02B786021ECB

FDCC Vista Firewall SCAP Content using OVAL version 5.3. SCAP_CONTENT

OVAL 5.4

684FA8F301E71DACF833B93D8C97182A03BE21BE

6601A41E96A00DA92500FD960B4946C86676D1B11A0D7E61E84D8E622F7E8E1A

FDCC Windows Vista Firewall SCAP content using OVAL version 5.4. SCAP_CONTENT

OVAL 5.3

634019D5437F986C42BEE250D4A5EE29D92BDA76

03E8A0675C33A50FDD608A0BA2D5884FA857E935 7069E7D356DA02B786021ECB

FDCC Vista Firewall SCAP Content using OVAL version 5.3. SCAP Content

OVAL 5.4

684FA8F301E71DACF833B93D8C97182A03BE21BE

6601A41E96A00DA92500FD960B4946C86676D1B11A0D7E61E84D8E622F7E8E1A

FDCC Windows Vista Firewall SCAP content using OVAL version 5.4. SCAP Content

7DD0E04CEE71F16BBAA6366C358B740C1041834C

53664841150B753339A32B7C3A3A4EA4F7CB760D77023A6ECC0B147AE4B02F73

FDCC Windows Vista Firewall GPOs GPOs

1C4962660C0CEB4CA530DFFE7A56C81463C78F50

37FC8ECB0A95AB31B56463A5D83E6206DC4964D6A1FA0E4AF710BBD246BEB0F6

This is the human readable version of the FDCC settings. Prose

CCE-2533-8

2009-07-30T19:30:53.670Z

The log file path and name for the Windows Firewall should be configured correctly for the Domain Profile.

AU-2

AU-3

AU-4

AU-8

SC-7

CCE-2641-9

2009-07-30T19:30:54.437Z

Unicast response to multicast or broadcast requests should be enabled or disabled as appropriate for the Public Profile.

CCE-2650-0

2009-07-30T19:30:54.467Z

Public Profile - Apply Local Firewall Rules

CCE-2854-8

2009-07-30T19:30:54.313Z

Private Profile - Apply Local Connection Security Rules

SC-7

CCE-2865-4

2009-07-30T19:30:56.233Z

The "IPv6 Block of Protocols 41" setting should be configured correctly.

SC-7

CCE-2924-9

2009-07-30T19:30:54.267Z

Unicast response to multicast or broadcast requests should be enabled or disabled as appropriate for the Private Profile.

SC-5

SC-7

CCE-2977-7

2009-07-30T19:30:54.157Z

Domain Profile - Apply Local Connection Security Rules

SC-7

CCE-2998-3

2009-07-30T19:30:54.407Z

User notifications when a program is blocked from receiving inbound connections by Windows Firewall should be enabled or disabled as appropriate for the Public Profile.

AC-8

CCE-2999-1

2009-07-30T19:30:54.077Z

Domain Profile - Inbound Connections

CM-6

CCE-3054-4

2009-07-30T19:30:53.453Z

Domain Profile: Protect all network connections (SP2 only)

CCE-3166-6

2009-07-30T19:30:54.217Z

Private Profile - Outbound Connections

CCE-3246-6

2009-07-30T19:30:54.343Z

Public Profile- Firewall State

CCE-3260-7

2009-07-30T19:30:53.657Z

The "Log Dropped Packets" option for the Windows Firewall should be configured correctly for the Domain Profile.

AU-2

SC-7

CCE-3263-1

2009-07-30T19:30:54.360Z

Public Profile - Inbound Connections

SC-7

CCE-3299-5

2009-07-30T19:30:53.703Z

The log file size limit for the Windows Firewall should be configured correctly for the Domain Profile.

AU-2

AU-3

AU-4

AU-8

SC-7

CCE-3351-4

2009-07-30T19:30:54.390Z

Public Profile - Outbound Connections

SC-7

CCE-3360-5

2009-07-30T19:30:54.297Z

Private Profile - Apply Local Firewall Rules

SC-7

CCE-3373-8

2009-07-30T19:30:54.170Z

Private Profile- Firewall State

SC-7

CCE-3395-1

2009-07-30T19:30:54.203Z

Private Profile - Inbound Connections

SC-7

CCE-3414-0

2009-07-30T19:30:53.717Z

The "Log Successful Connections" option for the Windows Firewall should be configured correctly for the Domain Profile.

AU-2

SC-7

CCE-3417-3

2009-07-30T19:30:54.250Z

User notifications when a program is blocked from receiving inbound connections by Windows Firewall should be enabled or disabled as appropriate for the Private Profile.

AC-8

CCE-3426-4

2009-07-30T19:30:54.483Z

Public Profile - Apply Local Connection Security Rules

SC-7

CCE-3436-3

2009-07-30T19:30:53.750Z

Unicast response to multicast or broadcast requests should be enabled or disabled as appropriate for the Domain Profile.

SC-5

SC-7

CCE-3439-7

2009-07-30T19:30:54.110Z

Domain Profile - Outbound Connections

SC-7

CCE-3457-9

2009-07-30T19:30:54.127Z

Domain Profile - Apply Local Firewall Rules

SC-7

CCE-3508-9

2009-07-30T19:30:56.267Z

The "IPv6 Block of UDP 3544" setting should be configured correctly.

SC-7

CCE-4206-9

2009-07-30T19:31:01.110Z

The log file path and name for the Windows Firewall should be configured correctly for the Private Profile.

AU-2

AU-3

AU-4

AU-8

SC-7

CCE-4207-7

2009-07-30T19:31:01.140Z

The log file size limit for the Windows Firewall should be configured correctly for the Private Profile.

AU-2

AU-3

AU-4

AU-8

SC-7

CCE-4278-8

2009-07-30T19:31:01.233Z

The log file size limit for the Windows Firewall should be configured correctly for the Public Profile.

AU-2

AU-3

AU-4

AU-8

SC-7

CCE-4507-0

2009-07-30T19:31:01.170Z

The "Log Dropped Packets" option for the Windows Firewall should be configured correctly for the Public Profile.

AU-2

SC-7

CCE-4597-1

2009-07-30T19:31:01.047Z

The "Log Dropped Packets" option for the Windows Firewall should be configured correctly for the Private Profile.

AU-2

SC-7

CCE-4639-1

2009-07-30T19:31:01.217Z

The log file path and name for the Windows Firewall should be configured correctly for the Public Profile.

AU-2

AU-3

AU-4

AU-8

SC-7

CCE-4941-1

2009-07-30T19:31:01.030Z

User notifications when a program is blocked from receiving inbound connections by Windows Firewall should be enabled or disabled as appropriate for the Domain Profile.

AC-8

SC-7

CCE-4963-5

2009-07-30T19:31:01.077Z

The "Log Successful Connections" option for the Windows Firewall should be configured correctly for the Private Profile.

AU-2

SC-7

CCE-5128-4

2009-07-30T19:31:01.187Z

The "Log Successful Connections" option for the Windows Firewall should be configured correctly for the Public Profile.

AU-2

SC-7

FINAL

GOVERNMENTAL_AUTHORITY

Microsoft Windows XP

cpe:/o:microsoft:windows_xp

Operating System

NIST Special Publication 800-68 has been created to assist IT professionals, in particular Windows XP system administrators and information security personnel, in effectively securing Windows XP Professional SP2 systems. It discusses Windows XP and various application security settings in technical detail. The guide provides insight into the threats and security controls that are relevant for various operational environments, such as for a large enterprise or a home office. It describes the need to document, implement, and test security controls, as well as to monitor and maintain systems on an ongoing basis. It presents an overview of the security components offered by Windows XP and provides guidance on installing, backing up, and patching Windows XP systems. It discusses security policy configuration, provides an overview of the settings in the accompanying NIST security templates, and discusses how to apply additional security settings that are not included in the NIST security templates. It demonstrates securing popular office productivity applications, Web browsers, e-mail clients, personal firewalls, antivirus software, and spyware detection and removal utilities on Windows XP systems to provide protection against viruses, worms, Trojan horses, and other types of malicious code. This list is not intended to be a complete list of applications to install on Windows XP system, nor does it imply NISTs endorsement of particular commercial off-the-shelf (COTS) products.

Client desktop and mobile host

Do not attempt to implement any of the settings in this guide without first testing them in a non-operational environment. These recommendations should be applied only to the Windows XP Professional SP2 Systems and will not work on Windows 9X/ME, Windows NT, Windows 2000 or Windows Server 2003. The security templates have been tested on WinXP Professional SP2 systems and will not work on Windows 9X/ME, Windows NT, Windows 2000 or Windows Server 2003. The Specialized Security-Limited Functionality template should not be used by home users and should be used with caution since it will restrict the functionality and reduce the usability of the system.

This checklist has been created for IT professionals, particularly Windows XP system administrators and information security personnel. The document assumes that the reader has experience installing and administering Windows-based systems in domain or standalone configurations.

STANDALONE

MANAGED

SSLF

LEGACY

The security templates have been tested on Windows XP Professional SP2 systems and will not work on Windows 9X/ME, Windows NT, Windows 2000 or Windows Server 2003.

The recommendations are consistent with the security control baselines advocated in SP 800-53 (NIST FISMA implementation project publication).

Refer to Known Issues.

Do not attempt to implement any of the settings in this guide without first testing them in a non-operational environment. NIST assumes no responsibility whatsoever for its use by other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic. NIST would appreciate acknowledgement if the document and template are used.

Microsoft will provide best efforts support, in line with the customerÃ??????Ã?????Ã????Ã???Ã??Ã?Â¢??s support contract, to assist in removing the worst results of such file permissions, but Microsoft can only guarantee returning to the recommended out-of-the-box settings by reformatting and reinstalling the operating system.

itsec@nist.gov

Chase Carpenter and Kurt Dillard, Microsoft Corporation This document was developed at the National Institute of Standards and Technology, which collaborated with NSA, DISA, USAF, CIS, and Microsoft to produce the Windows XP security templates. Pursuant to title 17 Section 105 of the United States Code this document and template are not subject to copyright protection and is in the public domain.

SCAP Content 2009-08-10 - SCAP content replaced with current FDCC content, the FDCC content implements a subset of 800-68 settings. 2007-07-30 - Draft Release Security Templates (.inf files) 2005-11-02 - Release 1.2.0 2004-08-24 - Draft Update R1.0.2 2004-07-04 - Draft Update R1.0.1 2004-06-24 - Draft Release R1.0 Guidance for Securing Microsoft Windows XP Systems for IT Professionals document 2005-11-02 - Final Release 2004-08-24 - Draft Update 2004-07-04 - Draft Update 2004-06-24 - Draft Release

true

false

true

OVAL 5.3

172D50760C036339C2D839BDF11056FCABCF27E9

9E2AB983D6AB358C369DF8E3B5BD50E7578D194F90191624F3E1D7A21885BFF0

FDCC Windows XP SCAP content using OVAL version 5.3. SCAP_CONTENT

OVAL 5.4

AA756F431B8FF82B4F73E512DE05392A328BC063

CFE1DC3E0B0065B6237DC5BA3544E2135F0DC17C2182B3DAB709C953441AB829

FDCC Windows XP SCAP content using OVAL version 5.4. SCAP_CONTENT

OVAL 5.3

172D50760C036339C2D839BDF11056FCABCF27E9

9E2AB983D6AB358C369DF8E3B5BD50E7578D194F90191624F3E1D7A21885BFF0

FDCC Windows XP SCAP content using OVAL version 5.3. SCAP Content

OVAL 5.4

AA756F431B8FF82B4F73E512DE05392A328BC063

CFE1DC3E0B0065B6237DC5BA3544E2135F0DC17C2182B3DAB709C953441AB829

FDCC Windows XP SCAP content using OVAL version 5.4. SCAP Content

0C4020ADF1B066858F910FB3A627EF8D29F3D989

1F618FD4C63A784C849B467D6402AD2E8D67BF61EC438489EC9A1A336FC427BC

NIST Prose Guidance for Windows XP. Prose

CCE-1909-1

2009-07-30T19:31:40.000Z

The required permissions for the file %SystemRoot%\System32\edlin.exe should be assigned.

AC-3

CM-6

CCE-1916-6

2009-07-30T19:31:40.483Z

The required permissions for the file %SystemRoot%\System32\netsh.exe should be assigned.

AC-3

CM-6

CCE-1937-2

2009-07-30T19:31:41.500Z

The required permissions for the file %SystemRoot%\System32\tlntsvr.exe should be assigned.

AC-3

CM-6

CCE-1969-5

2009-07-30T19:31:43.627Z

The "create permanent shared objects" user right should be assigned to the correct accounts.

AC-3

CM-6

CCE-1978-6

2009-07-30T19:31:43.327Z

The "deny access to this computer from the network" user right should be assigned to the correct accounts.

AC-3

CM-6

CCE-2021-4

2009-07-30T19:31:44.313Z

The "take ownership of files or other objects" user right should be assigned to the correct accounts.

AC-3

CM-6

CCE-2052-9

2009-07-30T19:31:39.420Z

The required permissions for the directory %SystemRoot%\System32\arp.exe should be assigned.

AC-3

CM-6

CCE-2100-6

2009-07-30T19:31:45.000Z

Auditing of "logon" events on success should be enabled or disabled as appropriate..

AC-7

AU-2

CCE-2116-2

2009-07-30T19:31:45.437Z

The "restrict guest access to application log" policy should be set correctly.

CCE-2145-1

2009-07-30T19:31:40.030Z

The required permissions for the file %SystemRoot%\System32\eventcreate.exe should be assigned.

AC-3

CM-6

CCE-2147-7

2009-07-30T19:31:48.250Z

The behavior surrounding Anonymous users' abiliity to display lists of SAM accounts should be correct.

AC-3

CM-6

CM-7

SC-5

CCE-2167-5

2009-07-30T19:31:43.390Z

The "act as part of the operating system" user right should be assigned to the correct accounts.

AC-3

CM-6

CCE-2173-3

2009-07-30T19:31:49.750Z

Installation and Configuration of Network Bridge on the DNS Domain Network should be properly configured.

CCE-2175-8

2009-07-30T19:31:39.157Z

The required permissions for the file %SystemRoot%\regedit.exe should be assigned.

AC-3

CM-6

CCE-2176-6

2009-07-30T19:31:41.127Z

The required permissions for the file %SystemRoot%\System32\sc.exe should be assigned.

AC-3

CM-6

CCE-2178-2

2009-07-30T19:31:40.407Z

The required permissions for the file %SystemRoot%\System32\net.exe should be assigned.

AC-3

CM-6

CCE-2184-0

2009-07-30T19:31:39.453Z

The required permissions for the file %SystemRoot%\System32\at.exe should be assigned.

AC-3

CM-6

CCE-2198-0

2009-07-30T19:31:41.157Z

The required permissions for the file %SystemRoot%\System32\Secedit.exe should be assigned.

AC-3

CM-6

CCE-2206-1

2009-07-30T19:31:44.967Z

Auditing of "directory service access" events on failure should be enabled or disabled as appropriate..

AU-2

CCE-2213-7

2009-07-30T19:31:54.030Z

MSS:(TCPMaxConnectResponseRetransmission) SYN-ACK retansmissions when a connection request is not acknowledged

AC-3

CM-6

CM-7

SC-5

CCE-2220-2

2009-07-30T19:31:40.797Z

The required permissions for the file %SystemRoot%\System32\reg.exe should be assigned.

AC-3

CM-6

CCE-2239-2

2009-07-30T19:31:54.063Z

MSS:(TCPMaxDataRetransmissions) How many times unacknowledged data is retransmitted

AC-3

CM-6

CM-7

SC-5

CCE-2247-5

2009-07-30T19:31:44.030Z

The "manage auditing and security log" user right should be assigned to the correct accounts.

AC-3

CM-6

CCE-2259-0

2009-07-30T19:31:45.063Z

Auditing of "object access" events on success should be enabled or disabled as appropriate..

AU-2

CCE-2299-6

2009-07-30T19:31:43.437Z

The "back up files and directories" user right should be assigned to the correct accounts.

AC-3

CM-6

CCE-2312-7

2009-07-30T19:31:39.483Z

The required permissions for the file %SystemRoot%\System32\attrib.exe should be assigned.

AC-3

CM-6

CCE-2313-5

2009-07-30T19:31:51.000Z

The "Prevent System Maintenance of Computer Account Password" policy should be set correctly.

AC-3

CM-6

CM-7

SC-5

CCE-2326-7

2009-07-30T19:31:47.077Z

The startup type of the Telnet service should be correct.

CCE-2335-8

2009-07-30T19:31:44.170Z

The "remove computer from docking station" user right should be assigned to the correct accounts.

AC-3

CM-6

CCE-2336-6

2009-07-30T19:31:45.657Z

The "when maximum log size is reached" property should be set correctly for the Security log.

CCE-2343-2

2009-07-30T19:31:45.030Z

Auditing of "logon" events on failure should be enabled or disabled as appropriate..

AC-7

AU-2

CCE-2344-0

2009-07-30T19:31:51.157Z

The "Limit local account user of blank passwords to console logon only" policy should be set correctly.