.NET Framework Security Checklist

Version 1, Release 2.3 Not provided. GOVERNMENTAL_AUTHORITY Not provided. .NET Framework Security Checklist

968DDAD914D3811B1EF1CCD76501F593C6D8179D

2A753750D0F81106F27A64FDE75790C27C899A0DF497C25B375ADA22FFBA9929

Prose

Microsoft .NET Framework 1.0

cpe:/a:microsoft:.net_framework:1.0

Application Server

Microsoft .NET Framework 1.1

cpe:/a:microsoft:.net_framework:1.1

Application Server

Microsoft .NET Framework 2.0

cpe:/a:microsoft:.net_framework:2.0

Application Server

Microsoft .NET Framework 3.0

cpe:/a:microsoft:.net_framework:3.0

Application Server

Microsoft .NET Framework 3.5

cpe:/a:microsoft:.net_framework:3.5

Application Server

The .NET Framework Security Readiness Review (SRR) targets conditions that undermine the integrity of security, contribute to inefficient security operations and administration, or may lead to interruption of production operations. Additionally, the review ensures the site has properly installed and implemented the .NET environment and that it is being managed in a way that is secure, efficient, and effective. The items reviewed are based on Department of Defense (DOD) policy and the NSA guide, Guide to Microsoft .NET Framework Security.

Application Server

Not provided.

IAVM alerts, bulletins, and advisories were instituted to provide positive control of vulnerability notification and corresponding corrective action within DOD. All DOD program managers and system administrators, andor other personnel responsible for system networks shall comply with the IAVM process.

MANAGED

The .NET SRR is made of manual check procedures that use the Microsoft .NET Framework Configuration Tool, CASPOL.EXE, SETREG.EXE, and SN.EXE. With the exception of SN.EXE, these tools are provided and installed with the Microsoft .NET Framework or, in the case of SETREG.EXE are installed with the Windows server software. The procedures indicate exact title, selection, or option names with the use of italics. Instructions for use the tools are listed under the Reviewer Interfaces section. The checks reference the results of the tool commands from the Reviewer Interfaces section.

Not provided.

Security patches required that address .NET vulnerabilities are reviewed during an operating system security review and are not included in this checklist.

Not provided.

FSO Support for the STIGs, Checklists, and Tools is only available to DOD Customers.

Not provided.

Not provided. Not provided.

Guide to Microsoft .NET Framework 2.0 Security

2009-02-18T05:00:00.000Z

FINAL

2011-03-18T20:09:20.297Z

false

General Desktop Application STIG

Version 4, Release 3 Not provided. GOVERNMENTAL_AUTHORITY Not provided. Desktop Applications General, Version 4, Release 3

861C75B3396BBD9BB29EE91A3EA377F510F3B0BE

4F8128F2DA49A99EF71FAD0E9D2A0D3D5F504E33CC887917FDCE45C3F6EB16B3

Standalone XCCDF

Microsoft Internet Explorer

cpe:/a:microsoft:ie

Web Browser

Netscape Navigator

cpe:/a:netscape:navigator

Web Browser

Microsoft Office 2000

cpe:/a:microsoft:office:2000

Office Suite

Microsoft Office 2003

cpe:/a:microsoft:office:2003

Office Suite

Microsoft Office XP

cpe:/a:microsoft:office:xp

Office Suite

Microsoft Outlook 2000

cpe:/a:microsoft:outlook:2000

Office Suite

Microsoft Outlook 2002

cpe:/a:microsoft:outlook:2002

Office Suite

Symantec Norton Antivirus 10.0

cpe:/a:symantec:norton_antivirus:10.0

Antivirus Software

Symantec Norton Antivirus 9.0

cpe:/a:symantec:norton_antivirus:9.0

Antivirus Software

Mcafee VirusScan 7.0

cpe:/a:mcafee:virusscan:7.0

Antivirus Software

Microsoft Frontpage 2003

cpe:/a:microsoft:frontpage:2003

Office Suite

Microsoft Frontpage 2002

cpe:/a:microsoft:frontpage:2002

Office Suite

Microsoft Outlook 2007

cpe:/a:microsoft:outlook:2007

Desktop Application

Microsoft Word 2007

cpe:/a:microsoft:word:2007

Desktop Application

Microsoft Office 2007 SP1

cpe:/a:microsoft:office:2007:sp1

Office Suite

Microsoft Office 2007

cpe:/a:microsoft:office:2007

Office Suite

This Desktop Application Security Checklist provides the procedures for conducting a Security Readiness Review (SRR) to determine compliance with the requirements in the Desktop Application Security Technical Implementation Guide (STIG). This Checklist document must be used together with the corresponding version of the STIG document. This SRR guide focuses strictly on Symantec Antivirus Corporate Edition v9.x and v10.x, McAfee VirusScan v7.x and v8.x, Netscape Navigator, Internet Explorer, Outlook 2000, XP, 2003 and MS Office 2000, XP, 2003. Additionally, this checklist ensures the site has properly installed and implemented specific desktop applications and that it is being managed in a way that is secure, efficient, and effective, through procedures outlined in the checklist. The items reviewed are based on standards and requirements published by DISA in the Security Handbook and the Database Security Technical Implementation Guide. The procedures in this document are part of the effort to ensure that the security configuration guidelines required by Department of Defense (DOD) Directive 8500.1, Information Assurance, and other relevant guidance have been properly implemented.

Desktop Client

- The user account from which Desktop Application Gold Disk is run must have Administrator privileges and have the User Right: Manage Auditing and Security Log. - Only the configuration checks that are included in the Desktop Application Gold Disk (Internet Explorer and Microsoft Office) will be evaluated as part of the formal review process. The IAVMs and security patches included on the Desktop Gold Disk are not evaluated as part of the Desktop Application review because they are already covered in either the appropriate Windows Operating System Gold Disk or the appropriate Post Gold Disk Scripts. These will remain in the Desktop Application Gold Disk for the SAs use.

Developped for the DOD. This checklist has been created for IT professionals, particularly Windows system administrators and information security personnel. The document assumes that the reader has experience installing and administering applications on Windows-based systems in domain or standalone configurations.

MANAGED

SSLF

Not provided.

DOD Directive 8500.

Please refer to the Checklist or the README.TXT files provided with the scripts for any comments, warnings, or detailed instructions

Not provided.

It should be noted that FSO Support for the STIGs, Checklists, and Tools is only available to DOD Customers.

Not provided.

Not provided. Not provided.

Desktop Application Memo

2009-12-03T05:00:00.000Z

2012-10-26T04:00:00.000Z

FINAL

2013-05-06T17:23:32.330Z

false

CIS SQL Server 2000 Benchmark

v1.0.0 Not provided. THIRD_PARTY Not provided. CIS SQL Server 2000 Benchmark v1.0.0

9B5A2021137AF3C72E410FF5DFE08FF87C6A85F5

B7E23118FEA2DD2637119A9C1AF71C862B518F48CE456937EECC2003E535D5FC

Prose

Microsoft SQL Server 2000

cpe:/a:microsoft:sql_server:2000

Database Management System

This document is derived from research conducted utilizing the SQL Server 2000 environment on Windows 2000 servers and desktops and Windows 2003 servers. This document provides the necessary settings and procedures for the secure installation, setup, configuration, and operation of an MS SQL Server 2000 system. With the use of the settings and procedures in this document, an SQL Server 2000 database may be secured from conventional Ã?Â¢??out of the boxÃ?Â¢?Ã¯Â¿Â½ threats. Recognizing the nature of security cannot and should not be limited to only the application the scope of this document is not limited to only SQL Server 2000 specific settings or configurations, but also addresses backups, archive logs, Ã?Â¢??best practicesÃ?Â¢?Ã¯Â¿Â½ processes and procedures that are applicable to general software and hardware security.

Database Server

Proper use of the Recommendations requires careful analysis and adaptation to specific user requirements. The Recommendations are not in any way intended to be a quick fix for anyoneÃ?Â¢??s information security needs. It is extremely important to conduct testing of security configurations on non-production systems prior to implementing them on production systems.

Database System Administrators

MANAGED

Not provided.

Refer to Known Issues.

Differs for Public and Private consumers, please read disclaimer information from the CIS web site located at: http://www.cisecurity.org/sub_form.html

Not provided.

windows-feedback@lists.cisecurity.org

Not provided. Differs for Public and Private consumers, please read licensing information from the CIS web site located athttp://www.cisecurity.org/sub_form.html

2005-11-30T05:00:00.000Z

FINAL

2011-05-11T01:39:00.367Z

false

CIS Oracle Database 8i Benchmark

v1.2.0 Not provided. THIRD_PARTY Not provided. CIS Oracle Database 8i Benchmark v1.2.0

3BAC4763A91876046C6E90B2AFA8F6A2C6F84DEA

358F5819FC4FF33D13CAE8959219DA30B0A3F75BDCBECD4EF969D5492790686B

Prose

Oracle Database 8i

cpe:/a:oracle:database_server:8

Database Management System

This guide provides high-level recommendations to secure an Oracle database. By configuring the database to the new benchmark, a secure baseline configuration is introduced to protect the system from the common out of the box vulnerabilities. The guide presents steps that can be adopted to securely install, setup, configure, and operate an Oracle database. The guide also contains many specific security recommendations, which are divided into three categories: Level 1, Level 2, and Appendix. Level 1 recommendations represent a minimum baseline that is suggested for most environments, are easily implemented by someone with minimal background and are not likely to break database or application functionality, and can be scored with a tool provided by the Center for Internet Security. Level 2 recommendations provide greater security but may require an advanced level DBA to implement andor break database or application functionality. Appendix items are suggestions rather than recommendations for further hardening of the database environment. They are likely not applicable to most environments or may not be strictly within the realm of database security.

Database Server

This guide provides high-level recommendations to secure an Oracle database. By configuring the database to the benchmark, a secure baseline configuration is introduced to protect the system from the common out of the box vulnerabilities. It is strongly recommended that these settings be reviewed to comply with local policy and tested on non-production systems before being deployed. The recommendations should be implemented with consideration to the particular database and application environment. Some of the suggested security settings may be overridden by local policy. It is important to note that the parameters and their values need to be spelled correctly to ensure the desired policy has been implemented. Many of the parameters and settings, if misspelled, will not cause an error or warning message to be generated. Level 2 recommendations may require an advanced level DBA to implement andor may break database or application functionality.

This checklist has been created for IT professionals, information security and database personnel. The document assumes that the reader has experience installing and administering Oracle Server databases.

MANAGED

Not provided.

Refer to Known Issues.

Proper use of the recommendations requires careful analysis and adaptation to specific user requirements. The recommendations are not in any way intended to be a quick fix for anyone's information security needs. CIS makes no representations, warranties or covenants whatsoever as to (i) the positive or negative effect of the products or the recommendations on the operation or the security of any particular network, computer system, network device, software, hardware, or any component of any of the foregoing or (ii) the accuracy, reliability, timeliness or completeness of any product or recommendation. CIS is providing the products and the recommendations as is and as available without representations, warranties or covenants of any kind.

Not provided.

oracle-feedback@cisecurity.org

Not provided. Not provided.

www.petefinnigan.com

Oracle Metalink

2003-01-01T05:00:00.000Z

FINAL

2011-05-11T00:43:00.003Z

false

CIS Oracle Database 9i/10g Benchmark

v2.0.1 Not provided. THIRD_PARTY Not provided. CIS Oracle Database 9i/10g Benchmark v2.0.1

3BE8A559630333659DD373E1996A407B2B75D7B5

DFAE98BBEA89087C123B963F42ADAE73EE0B9BCD08913637775B1B3CB54A1ED8

Prose

Oracle Database 10g

cpe:/a:oracle:database_server:10

Database Management System

Oracle Database 9i

cpe:/a:oracle:database_server:9

Database Management System

Database Server

Not provided.

MANAGED

Not provided.

Refer to Known Issues.

Not provided.

oracle-feedback@cisecurity.org

Not provided. Not provided.

2005-04-01T05:00:00.000Z

FINAL

2011-05-11T00:45:37.407Z

false

Guide to Securing Windows 2000 DHCP

v1.3 Not provided. GOVERNMENTAL_AUTHORITY Not provided. Guide to Securing Windows 2000 DHCP

DEA327F48D69D85229B2C4EE00B17CAD108E069F

7E1C3E7EC798A1DFF0F9D8439C49AE4AD7E35FA5939FBE7AC8CCD2036DD80EF0

Prose

Microsoft Windows Server 2000

cpe:/o:microsoft:windows_2000:::server

Operating System

The purpose of this guide is to inform the reader about the available security settings for Windows 2000 DHCP server and clients in order to safeguard the DHCP client and server during normal operations, and how to properly implement these security settings. The DHCP server service automatically allocates IP addresses and related TCPIP configuration settings to DHCP-enabled clients. The DHCP client service automatically queries the DHCP server for an IP address to assign to the client machine. In addition, this guide documents sources for the reader to obtain additional guidance for Windows 2000 DHCP settings.

DHCP Server

This checklist has been created for IT professionals. This document is intended for Windows 2000 network administrators, but should be read by anyone involved or interested in Windows 2000 security. Knowledge of Microsofts DHCP server is assumed this includes installation, configuration, and administration.

MANAGED

The security configuration guide has been extensively tested in a lab and operational environment.

Not provided.

Prior to manipulating DHCP settings, ensure that the latest Windows 2000 service pack and hotfixes have been installed.

Do not attempt to implement any of the settings in this guide without first testing them in a non-operational environment. Security configuration guides are provided for the Department of Defense and other government agencies requiring security configuration guidelines. The guides contain recommended security settings. They are not intended to replace well-structured policy or sound judgment. The guides do not address site-specific configuration issues. Care must be taken when implementing the guides to address local operational and policy concerns. All security changes described in the guides are applicable only to specifically identified operating systems or architecture components and should not be applied to any other operating system or architecture components.

Not provided.

SNAC.Guides@nsa.gov

Not provided. Refer to the legal statement provided at: http://www.nsa.gov/notices/notic00004.cfm?Address= /snac/os/win2k/w2k_dhcp.pdf

2002-07-18T04:00:00.000Z

FINAL

2009-07-23T18:54:57.547Z

false

CIS Novell eDirectory 8.7 Benchmark

v1.0.0 Not provided. THIRD_PARTY Not provided. CIS Novell eDirectory 8.7 Benchmark v1.0.0

4F0BA44890D1636DDE07146C89B04087DA76C5DA

6D4E90F23D10694A7D24B9CB82DD769DC34B05ACEA0C5325C38CE3ECA0A20A08

Prose

Novell eDirectory 8.7

cpe:/a:novell:edirectory:8.7

Directory Service

Not Available

Server

Not provided.

This benchmark is intended for anyone who is utilizing eDirectory and is responsible for the security of the system. It requires a basic understanding of eDirectory as well as organizational authorization and the administrative rights to effect the changes required.

STANDALONE

MANAGED

Not provided.

Differs for Public and Private consumers, please read disclaimer information from the CIS web site located at: http://www.cisecurity.org/sub_form.html

Not provided.

cis-feedback@cisecurity.org

Not provided. Differs for Public and Private consumers, please read licensing information from the CIS web site located at: http://www.cisecurity.org/sub_form.html

2006-05-26T04:00:00.000Z

FINAL

2011-05-11T00:38:50.520Z

false

CIS Novell NetWare Benchmark

v1.0.0 Not provided. THIRD_PARTY Not provided. CIS Novell NetWare Benchmark v1.0.0

B585C85F5159E1A6912F1103620DC45DC8A7289A

244EA30FA4B275B008659C828EA85CF189B88EBADE73380E4229B3B8DF6757C6

Prose

Novell OES

cpe:/a:novell:open_enterprise_server

Directory Service

This document describes recommendations for the secure configuration of Novell OES: NetWare systems.

Client / Server

Please note that there is a separate, but integral, part of this benchmark that is the CIS benchmark for eDirectory. As NetWare uses eDirectory as the core part of its security infrastructure and for user and server configuration manage

This benchmark is intended for anyone who is utilizing NetWare and is responsible for the security of the system.

MANAGED

Not provided.

Differs for Public and Private consumers, please read disclaimer information from the CIS web site located at: http://www.cisecurity.org/sub_form.html

Not provided.

cis-feedback@cisecurity.org

Not provided. Differs for Public and Private consumers, please read licensing information from the CIS web site located at: http://www.cisecurity.org/sub_form.html

2006-08-03T04:00:00.000Z

FINAL

2011-05-11T00:36:48.320Z

false

Guide to Securing Microsoft Windows 2000 Active Directory

v1.0 Not provided. GOVERNMENTAL_AUTHORITY Not provided. Guide to Securing Microsoft Windows 2000 Active Directory

32F58A36F200D6150F462E44423A51C44D1BFA3B

9FA501806A4E7B75D988CB09E42300DE29F4C1CAAAA23A7F0C203DE67ED61D6C

Prose

Microsoft Windows 2000 Active Directory

cpe:/o:microsoft:windows_2000:::server

Directory Service

The purpose of this document is to provide Active Directory security configuration guidance and recommendations. This document gives an overview of Active Directory in relation to Windows 2000 to the reader. This document provides detailed information on the configuration of multiple Active Directory areas. This document provides the methods that the system administrators can use to implement configuration and security settings within Active Directory. In addition, this guide documents procedures in order to backup and restore the Active Directory data. This document is meant to be a starting point for Windows 2000 Active Directory security and does not include numerous Windows 2000 functions and applications associated with Active Directory. This document is a companion to the Guide to Securing Microsoft Windows 2000: Security Configuration Tool Set and other documents that comprise the overall NSA Windows 2000 guidance.

Do not attempt to implement any of the settings in this guide without first testing in a non-operational environment. This document is only a guide containing recommended security configurations. It is not meant to replace well-structured policy or sound judgment. Furthermore, this guide does not address site-specific configuration issues. Care must be taken when implementing this guide while using products such as Microsoft Exchange, IIS, and SMS. The security changes described in this document only apply to Microsoft Windows 2000 Service Pack 1 systems and should not be applied to any other Windows versions or operating systems. You can severely impair or disable a Windows 2000 system with incorrect changes or accidental deletions when using programs (examples: Security Configuration Tool Set, Regedt32.exe, and Regedit.exe) to change the system configuration. Therefore, it is extremely important to test all settings recommended in this guide before installing them on an operational network. Currently, no Undo function exists for deletions made within the Windows 2000 registry. The registry editor (Regedt32.exe or Regedit.exe) prompts you to confirm the deletions if Confirm On Delete is selected from the options menu. When you delete a registry key, the message does not include the name of the key you are deleting. Therefore, check your selection carefully before proceeding with any deletion.

This checklist has been created for IT professionals. It is intended for the reader who is already familiar with Active Directory but needs to understand more on how to make it more secure. The document assumes that the reader has experience administering Windows-based systems in domain or standalone configurations.

MANAGED

The security configuration guide has been extensively tested in a lab and operational environment.

Not provided.

Prior to loading Windows 2000 Active Directory, it is recommended to verify that the current operating system of the system is Windows 2000 Service Pack 1. The security changes described in this document should not be applied to any other Windows 2000 or Windows NT versions or operating systems. In order for Active Directory to properly use DNS, Active Directory requires DNS Service Resource Record (SRV RR) support and BIND 8.1.2 or higher. The Microsoft Management Console is used to customize and apply some of the security settings to Windows systems. A Registry editor (Regedt32.exe or Regedit.exe) can be used for manipulation of registry keys.

Not provided.

SNAC.Guides@nsa.gov

Not provided. Refer to the legal statement provided found in the download package. http://www.nsa.gov/notices/notic00004.cfm? Address=/snac/os/win2k/w2k_active_dir.pdf

2000-11-30T05:00:00.000Z

FINAL

2009-07-24T01:58:56.483Z

false

Guide to Securing Microsoft Windows 2000 Schema

v1.0 Not provided. GOVERNMENTAL_AUTHORITY Not provided. Guide to Securing Microsoft Windows 2000 Schema

2DE61105C8D015E6C91891B1FFA9A23B95E26BC5

75EA74D1B163A3319895B17D523E303C93E066535377987B8D71E269D4C3DBB3

Prose

Microsoft Windows Server 2000

cpe:/o:microsoft:windows_2000:::server

Operating System

The purpose of this guide is to inform the reader about the available security settings for the Windows 2000 Schema. This guide provides information pertaining to the default security settings protecting the Schema in a network environment, but does not contain step-by-step instructions usually found in the Security Configuration Guide Series. The Schema is guarded by a number of different mechanisms that should not be altered or changed in any way. Because most organizations will be able to use the Schema as-is, only those organizations wishing to alter the schema should be concerned. In short, do not touch the Schema unless you must absolutely do so. In addition to recommending security settings for the Windows 2000 Schema, this guide provides a description and overview of the Schema, as well as discusses its importance.

Active Directory Server

Do not attempt to implement any of the settings in this guide without first testing in a non-operational environment. This document is only a guide containing recommended security settings. It is not meant to replace well-structured policy or sound judgment. Furthermore, this guide does not address site-specific configuration issues. Care must be taken when implementing this guide to address local operational and policy concerns. The security changes described in this document only apply to Microsoft Windows 2000 systems and should not be applied to any other Windows versions or operating systems. Any effort to modify the Schema should be heavily weighed and well thought out before being implemented, as schema modifications cannot be reversed. Inconsistencies in the Schema can cause significant problems that will impair or disable Active Directory. In order to recover if failure occurs, perform a complete backup of your system if this is not a new installation. Valid changes to the Active Directory Schema may occur when loading third party applications. This is to be expected, as Microsoft made great efforts to enable independent software vendors' access to the power of Active Directory. However, Administrators should be aware when and how third party applications make changes to the Schema. It is imperative the Schema Update Allowed value located in the registry is set back to 0 (disable write-access) after any changes have been made to the Schema.

This document is intended for Windows 2000 network administrators, but should be read by anyone involved or interested in Windows 2000 or network security.

MANAGED

The security configuration guide has been extensively tested in a lab and operational environment.

Not provided.

Prior to implementing any Windows 2000 Schema changes, administrators should perform a complete backup of the system before implementing any of the recommendations in this guide, because any changes made to the system are irreversible.

Not provided.

SNAC.Guides@nsa.gov

Not provided. Refer to the legal statement provided at: http://www.nsa.gov/notices/notic00004.cfm? Address=/snac/os/win2k/w2k_schema.pdf

2001-03-05T05:00:00.000Z

FINAL

2009-07-24T01:56:18.390Z

false

Domain Name System Security Checklist

Version 4 Release 1.13 Not provided. GOVERNMENTAL_AUTHORITY Not provided. Domain Name System Security Checklist Version 4 Release 1.13

DB283122D2B6927C778F613DF135F8E8338EA2AF

DC5BEEDD11F854AAE965CEDB7C0D3DBCA0F81974342C63BECAA39A9CDCC816C2

Standalone XCCDF

Microsoft Windows Server 2003

cpe:/o:microsoft:windows_2003_server

Operating System

ISC Bind 9.3.1

cpe:/a:isc:bind:9.3.1

DNS Server

ISC Bind 9.3.2

cpe:/a:isc:bind:9.3.2

DNS Server

Microsoft Windows Server 2000

cpe:/o:microsoft:windows_2000:::server

Operating System

Microsoft Windows XP

cpe:/o:microsoft:windows_xp

Operating System

Microsoft Windows 2000

cpe:/o:microsoft:windows_2000

Operating System

Cisco Content Services Switch

cpe:/h:cisco:content_services_switch

Network Switch

This document contains procedures that enable qualified personnel to conduct a Domain Name System (DNS) Security Readiness Review (SRR). The DNS SRR assesses an organization's compliance with the Defense Information Systems Agency (DISA) DNS Security Technical Implementation Guidance (STIG). DISA Field Security Operations (FSO) conducts SRRs to provide DISA, Joint Commands, and other Department of Defense (DOD) organizations with a level of confidence that their DNS is secure and can adequately support their mission. This document provides step by step instructions to verify Domain Name Systems are securely configured. This checklist is arranged by asset posture. The first section is dedicated to the Non-Computing Asset posture of DNS Policy. These checks/requirements need only be performed once for the site as they apply to all DNS servers and the DNS architecture, regardless of platform or function. The finding status should be updated if a change takes place on the system, during a yearly accreditation visit if vulnerabilities are identified, or during a self assessment. The remaining sections focus on the computing asset posture of the type of DNS software running on the platform: All DNS servers, BIND, Windows DNS, or CISCO CSS. - Section 2: Non-Computing DNS Policy - Section 3: All DNS servers - Section 4: BIND servers, both UNIX and Windows operating system platforms - Section 5: Windows DNS Server - Section 6: CISCO CSS DNS

Domain Name Server

The reviewer must examine the IAVM notices carefully when there are potential issues. In future releases of the checklist, additional guidance will be provided on how to check for these scenarios.

Developed for the DOD. This checklist has been created for IT professionals, particularly network system administrators and information security personnel. The document assumes that the reader has experience installing and administering DNS Servers.

MANAGED

SSLF

Not provided.

DOD Directive 8500.

Please refer to the Checklist or the README.txt files provided with the scripts for any comments, warnings, or detailed instructions.

Not provided.

It should be noted that FSO Support for the STIGs, Checklists, and Tools is only available to DOD Customers.

Not provided.

Not provided. Not provided.

2011-04-29T04:00:00.000Z

2013-01-25T05:00:00.000Z

UNDER_REVIEW

2013-04-04T15:11:51.657Z

false

CIS BIND Benchmark

v2.0.0 Not provided. THIRD_PARTY Not provided. CIS BIND Benchmark v2.0.0

4D0EF0568D4F0FFC4E8413E945DD4C96F08D87AF

8C96F5870439D8DE4F900B3D2E24DD1369319AF355ED257B6D6F691FE3E4EF0C

Prose

ISC Bind 9.3.1

cpe:/a:isc:bind:9.3.1

DNS Server

ISC Bind 9.2.4

cpe:/a:isc:bind:9.2.4

DNS Server

This benchmark is intended to assist administrators in securing the BIND (Berkeley Internet Name Domain) an openly redistributable implementation of the Domain Name Service (DNS) protocols. While the majority of the recommendations and steps outlined in this document apply to most Unix systems, it should be noted that specific syntax for some commands will vary for some Unix platforms so the reader is encouraged to be familiar with the differences specific to their individual platforms. The provided excerpts have been tested using BIND 9.3.1 on Red Hat Fedora Core 4 and BIND 9.2.4 on Solaris 10. The configuration and security controls provided have been developed through a consensus effort of best practices recommended by a majority of participating security experts.

Domain Name Server

Not provided.

The audience for the document is at the level of an experienced system administrator, with some specific experience in administering the BIND software.

MANAGED

The provided excerpts have been tested using BIND 9.3.1 on Red Hat Fedora Core 4 and BIND 9.2.4 on Solaris 10 03/2005.

Not provided.

Refer to Known Issues.

Differs for Public and Private consumers, please read disclaimer information from the CIS web site located at: http://www.cisecurity.org/sub_form.html

http://www.cisecurity.org/

Not provided.

Not provided. Differs for Public and Private consumers, please read licensing information from the CIS web site located at http://www.cisecurity.org/sub_form.html

2009-05-04T04:00:00.000Z

FINAL

2011-05-10T23:05:53.357Z

false

Guide to Securing Microsoft Windows 2000 DNS

v1.0 Not provided. GOVERNMENTAL_AUTHORITY Not provided. Guide to Securing Microsoft Windows 2000 DNS

E0DE22CD8513431F990B8CF9C8B1BA4FAFB0D23C

2178AEB4046A39A024E0E40C6FDABB6A78129B7ED2EBD34B4F395F7924119B94

Prose

Microsoft Windows 2000

cpe:/o:microsoft:windows_2000

Operating System

The purpose of this guide is to inform the reader about the available security settings for the Windows 2000 Domain Name System (DNS) Server Service, how to design a secure implementation of the Windows 2000 DNS, and how to properly implement that design. This guide provides step-by-step instructions to perform many of the tasks recommended to secure this service. This document recommends security settings for individual DNS servers and describes how to use the Microsoft Management Console to implement these settings for the DNS service. Because DNS implementations will vary, this document is designed to provide system administrators and network managers the ability to choose appropriate security settings for their environment. This guide presents detailed information on how to secure this service in a network environment by recommending security settings for individual DNS servers and describes how to use the Microsoft Management Console to implement these settings for the DNS service. In addition, this document contains a checklist and flowchart to use when configuring a Windows 2000 DNS Server Service while following the recommendations in this guide. Although this document assumes the reader will be implementing Windows 2000 DNS, the network planning sections of this guide hold true for all domain name servers that have the capability for dynamic updates and server records.

DNS Server

This checklist has been created for IT professionals.

MANAGED

The security configuration guide has been extensively tested in a lab and operational environment.

Not provided.

Prior to loading Windows 2000 DNS, administrators should perform a complete backup of the system before implementing any of the recommendations in this guide. Windows 2000 system administrators should ensure that the latest Windows 2000 service pack and hotfixes have been installed. Administrators should configure routers and firewalls to allow the appropriate traffic for the DNS Server. Also, administrators should install the Microsoft Windows 2000 DNS Server Service, if not already installed.

Not provided.

SNAC.Guides@nsa.gov

Not provided. Refer to the legal statement provided at: http://www.nsa.gov/notices/notic00004.cfm? Address=/snac/os/win2k/w2k_dns.pdf

2001-04-08T04:00:00.000Z

FINAL

2010-10-05T15:12:10.813Z

false

CIS Cisco ASA, FWSM, and PIX Benchmark

v2.0.0 Not provided. THIRD_PARTY Not provided. CIS Cisco ASA, FWSM, and PIX Benchmark v2.0.0

8CB5A2ACDFA79D124F7D943DF6A48608C674C33B

21223A85589384D861E06EB2502514ED457CA175939EFBB77AE9F0E2FB3D9F81

Prose

Cisco PIX Firewall 535

cpe:/h:cisco:pix_firewall_535

Firewall

Cisco Firewall Services Module

cpe:/h:cisco:firewall_services_module

Firewall

Cisco PIX 500 Security Appliance

cpe:/h:cisco:pix_500

Firewall

Cisco PIX ASA

cpe:/h:cisco:pix_asa

Firewall

Cisco PIX Firewall 501

cpe:/h:cisco:pix_firewall_501

Firewall

Cisco PIX Firewall 506

cpe:/h:cisco:pix_firewall_506

Firewall

Cisco PIX 506E Firewall Security Appliance

cpe:/h:cisco:pix_firewall_506

Firewall

Cisco PIX Firewall 515

cpe:/h:cisco:pix_firewall_515

Firewall

Cisco PIX 515E Firewall Security Appliance

cpe:/h:cisco:pix_firewall_515e

Firewall

Cisco PIX Firewall 520

cpe:/h:cisco:pix_firewall_520

Firewall

Cisco PIX Firewall 525

cpe:/h:cisco:pix_firewall_525

Firewall

This document defines a set of benchmarks or standards for securing Cisco PIX firewalls. The benchmark is an industry consensus of current best practices. It lists actions to be taken as well as reasons for those actions. It is intended to provide step-by-step guidance to front line system and network administrators. It may be used manually by itself or in conjunction with automated scoring tools. It contains Level-I and Level-II benchmark settings/actions. Level-I Benchmarks specify the prudent level of minimum due care, and are unlikely to cause an interruption of service to the operating system or the applications that run on it. Level-II Benchmarks provide prudent security beyond the minimum level, and are of the greatest value to system administrators who have sufficient security knowledge to apply them with consideration to the operating systems and applications running in their particular environments.

Enterprise Firewall

Sections 2 and 3 contain warnings and explanations of the possible effects of particular settings. Readers should study this information, as well as completing the Audit Checklist in section D, before implementing any of the actions in sections 2 and 3. Many security actions can disable or otherwise interfere with the function or performance of software on your system, particularly applications. Note also that many of the actions in sections 2 and 3 are conditional. They only apply in certain situations.

This benchmark assumes that the person applying the recommendations o May or may not be an expert in networking or configuring the device. o Is authorized to log in to the device and enable administrative privileges. o Is able to enter basic configuration commands. o Understands the business critical functions of the systems being secured. o Understands local policies. o Is capable of evaluating the potential impact of recommended changes on both function and policy.

MANAGED

Not provided.

Refer to Known Issues.

Not provided.

rat-feedback@cisecurity.org

Not provided. Not provided.

2010-12-30T05:00:00.000Z

FINAL

2011-11-17T18:02:58.183Z

false

Guide to Secure Configuration and Administration of Microsoft ISA Server 2000

v1.5 Not provided. GOVERNMENTAL_AUTHORITY Not provided. Guide to Secure Configuration and Administration of Microsoft ISA Server 2000

7894A1BB2BB289F60F75A86BB4F6351CAFEE8886

45E92029E00619F78D75F5E38B5BA0ACE1B37B3E30ED12C0D1810C9959EE8A8B

Prose

Microsoft ISA Server 2000

cpe:/a:microsoft:isa_server:2000

Firewall

The purpose of this guide is to inform the reader about the available security settings for the Enterprise version of Microsoft ISA Server 2000. The chapters are presented in an order that follows the same sequence of events that an administrator might use in setting up ISA Server. It starts with an important notice about operating system security and then proceeds to ISA Server installation, configuring access controls within ISA Server, setting up the packet filter and intrusion detection features, working with ISA Server extensions, enabling the publishing features to allow information from inside the ISA server to be published on the external network (if desired), and finally monitoring the ISA server. The document also details client setup issues. Each section is formatted to provide a narrative introduction followed by a checklist that summarizes the narrative. This is intended to provide both a level of detail for those who may not be familiar with a certain aspect of ISA Server, while also offering a more concise checklist for those who do not need the background material

Enterprise Firewall

It is also assumed that the reader is a knowledgeable Windows 2000 administrator. A knowledgeable Windows 2000 administrator is defined as someone who can create and manage accounts and groups, understands how Windows 2000 performs access control, understands how to set policies, is familiar with how to set up auditing and read audit logs, etc. This document does not provide step-by-step instructions on how to perform these basic Windows 2000 administrative functions it is assumed that the reader is capable of implementing basic instructions regarding Windows 2000 administration without the need for highly detailed instructions.

MANAGED

The security configuration guide has been extensively tested in a lab and operational environment.

Not provided.

Refer to Known Issues.

Not provided.

SNAC.Guides@nsa.gov

Not provided. Refer to the legal statement provided at: http://www.nsa.gov/notices/notic00004.cfm? Address=/snac/os/win2k/isa_server_2k.pdf

2002-08-07T04:00:00.000Z

FINAL

2009-07-24T02:02:00.827Z

false

CIS Exchange Server 2003 Benchmark

v1.0.0 Not provided. THIRD_PARTY Not provided. CIS Exchange Server 2003 Benchmark v1.0.0

00915E0F58566D7AB20ECEBF1F92423440E68D15

4A57BFCEC8552637440148F310DFA6E771C07CFE396388CD6AAD1D5DB500FC0F

Prose

Microsoft Exchange Server 2003

cpe:/a:microsoft:exchange_server:2003

Email Server

The purpose of this guide is to provide the reader with security configuration guidance for Microsoftâ??s Exchange Server 2003. Furthermore, it is assumed that the underlying operating system is Microsoftâ??s Windows Server 2003. The recommendations contained herein have been tested on a Windows Server 2003-based platform. Although most of the recommendations will apply even if Exchange is loaded over a different Windows OS, no statements regarding security or operability can be made for other platform configurations.

Enterprise Email Server

This document is only a guide containing recommended security settings. It is not meant to replace well-structured policy or sound judgment. Furthermore, this guide does not address site-specific configuration issues. The security changes described in this document only apply to Microsoft Windows NT 4.0 Service Pack 6a systems and should not be applied to any other Windows NT versions or operating systems. You can severely impair or disable a Windows NT system with incorrect changes or accidental deletions when using programs (examples: Security Configuration Manager, Regedt32.exe, and Regedit.exe) to change the system configuration. Therefore, it is extremely important to test all settings recommended in this guide before installing them on an operational network.

This document is intended for system administrators, but should be read by anyone involved with or interested in installing and/or configuring Exchange. We assume that the reader is a knowledgeable system administrator. In the context of this document, a knowledgeable system administrator is defined as someone who can create and manage accounts and groups, understands how operating systems perform access control, understands how to set account policies and user rights, is familiar with how to set up auditing and read audit logs, and can configure other similar system-related functionality. Additionally, it is assumed that the reader is a competent Exchange administrator.

SSLF

Not provided.

Refer to Known Issues.

Differs for Public and Private consumers, please read disclaimer information from the CIS web site located at: http://www.cisecurity.org/sub_form.html

Not provided.

http://www.cisecurity.org/

Not provided. Differs for Public and Private consumers, please read licensing information from the CIS web site located at: http://www.cisecurity.org/sub_form.html

2007-12-01T05:00:00.000Z

FINAL

2011-05-10T23:26:36.513Z

false

Kyocera KM-6030 Security Checklist

1.1 Not provided. SOFTWARE_VENDOR Not provided. Kyocera KM-6030 Security Checklist

B65D72124E9FA7B51CD41A077DE8C8F56938524A

C96B45A3E30ACA52547092DB9B195DB33DA36AADA7EE8DF6E479B5EFA6AE8C77

Prose

Kyocera KM-6030

cpe:/h:kyocera:km-6030

Multi-Functional Peripheral

The KM-6030 Security Checklist provides instructions and configuration recommendations for connectivity in a secure network infrastructure. The checklist relies on the KM-Net Viewer, KM-Net Viewer Web Edition or KM Command Center to implement most of the security settings. The checklist will cover most of the settings that can be made using KM Command Center that is embedded in the KM-6030 print system. Please note only those individuals who are certified or trained in the standard practice of computer network administration should attempt these setting changes.

Multi-Functional Peripherals

The KM-6030 MFP Security Checklist Troubleshooting section covers most of the common issues you may encounter.

This checklist is intended for IT administrators who have a clear understanding of network connectivity and network protocols and know the security measure that are already in place in their network.

MANAGED

Kyocera tested the KM-6030 MFP Security Checklist on the KM-6030 MFP with the firmware and software versions mentioned in the checklist

TBD

The KM-6030 MFP Security Checklist provides instructions to configure KM-6030 MFP on SOHO or Enterprise networks. Administrators should be qualified and trained IT professionals who understand the implications of these settings and configure their networks accordingly

Kyocera does not claim that using the KM-6030 MFP Security Checklist will prevent or inhibit misuse or attacks on the network or on any Kyocera products. Use this checklist at your own risk as a reference toward best practices for security.

Using the KM-6030 MFP Security Checklist will not void the products warranty, however Kyocera will not assume responsible for any network issue that are not a direct result of using the Kyocera product . For any additional support with the KM-6030 MFP please contact your local authorized Kyocera dealer or visit our web-site at www.kyoceramita.com .

Victor Moro: victor_moro@kyoceramita.com

Not provided. The KM-6030 MFP Security Checklist is the property of Kyocera Mita America Incorporated Copyrighted 2007. It is distributed through the NIST checklist program free of charge. No person are authorized to alter, publish or change any part of this checklist without express written permission from Kyocera Mita America Incorporated.

2008-03-31T04:00:00.000Z

FINAL

2009-07-23T18:07:57.170Z

false

Network Other Devices

Version 8, Release 14 Not provided. GOVERNMENTAL_AUTHORITY Not provided. Network Other Devices - Version 8, Release 14

A124E986CF573C4FC66156F5AA949909A2BE25D7

DA90B401037252933996B8B756049144B1CE1A7328296CFAEAA99526215EA94C

Standalone XCCDF

Microsoft Windows Server 2003

cpe:/o:microsoft:windows_2003_server

Operating System

ISC Bind 9.3.1

cpe:/a:isc:bind:9.3.1

DNS Server

ISC Bind 9.3.2

cpe:/a:isc:bind:9.3.2

DNS Server

Microsoft Windows Server 2000

cpe:/o:microsoft:windows_2000:::server

Operating System

Microsoft Windows XP

cpe:/o:microsoft:windows_xp

Operating System

Microsoft Windows 2000

cpe:/o:microsoft:windows_2000

Operating System

Cisco Content Services Switch

cpe:/h:cisco:content_services_switch

Network Switch

This Network Infrastructure Security Checklist provides the procedures for conducting a Security Readiness Review (SRR) to determine compliance with the requirements in the Network Infrastructure Security Technical Implementation Guide (STIG). This Checklist document must be used together with the corresponding version of the STIG document. This guide focuses strictly on perimeter network components and concepts which protect a DoD private LAN. This checklist ensures the site has properly installed and implemented specific network components and that it is being managed in a way that is secure, efficient, and effective, through procedures outlined in the checklist. The items reviewed are based on standards and requirements published by DISA in the Security Handbook and the Network Infrastructure Security Technical Implementation Guide. The procedures in this document are part of the effort to ensure that the security configuration guidelines required by Department of Defense (DOD) Directive 8500.1, Information Assurance, and other relevant guidance have been properly implemented.

Router

Not provided.

This checklist has been created for IT professionals, particularly network system administrators and information security personnel. The document assumes that the reader has experience installing and administering various network security devices.

MANAGED

SSLF

Not provided.

Please refer to the Checklist or the README.txt files provided with the scripts for any comments, warnings, or detailed instructions.

Not provided.

Not provided. Not provided.

2011-04-29T04:00:00.000Z

2013-04-26T04:00:00.000Z

UNDER_REVIEW

2013-05-09T14:41:41.133Z

false

CIS Cisco IOS Benchmark

v2.4.0 Not provided. THIRD_PARTY Not provided. CIS Cisco IOS Benchmark v2.4.0

7B155A7CC33495C09F41FA22933D35CC8FC20EC5

A58CDFBC89843217EAD6BBAD849374ABE95947C6230F17775DE37B1D6BBA7B1A

Prose

Cisco IOS

cpe:/o:cisco:ios

Network Router

This document defines a set of benchmarks or standards for securing Cisco IOS routers. The benchmark is an industry consensus of current best practices. It lists actions to be taken as well as reasons for those actions. It is intended to provide step-by-step guidance to front line system and network administrators. It may be used manually by itself or in conjunction with automated scoring tools. It contains Level-I and Level-II benchmark settings/actions. Level-I benchmarks specify the prudent level of minimum due care, and are unlikely to cause an interruption of service to the operating system or the applications that run on it. Level-II benchmarks provide prudent security beyond the minimum level, and are of the greatest value to system administrators who have sufficient security knowledge to apply them with consideration to the operating systems and applications running in their particular environments.

Router

Sections 3.2 and 4.2 contain warnings and explanations of the possible effects of particular settings. Readers should study this information, as well as completing the Audit Checklist in section 2, before implementing any of the actions in sections 3.1 and 4.1. Many security actions can disable or otherwise interfere with the function or performance of software on your system, particularly applications. Note also that many of the actions in sections 3.1 and 4.1 are conditional. They only apply in certain situations.

This benchmark assumes that the person applying the recommendations: o May or may not be an IOS/network expert. o Is able to log in to the router and enable. o Is able to enter basic IOS commands. o Understands the business critical functions of the routers being secured. o Understands local policies. o Is capable of evaluating the potential impact of recommended changes on both function and policy.

MANAGED

Not provided.

The PDF file for this checklist is included in the Cisco Router Tools zip archive. The specific file name is cisco-ios-router-benchmark.pdf. This is a different checklist than the Cisco IOS Benchmark Version 2.2.

Proper use of the recommendations requires careful analysis and adaptation to specific user requirements. The recommendations are not in any way intended to be a quick fix for anyones information security needs. CIS makes no representations, warranties or covenants whatsoever as to (i) the positive or negative effect of the products or the recommendations on the operation or the security of any particular network, computer system, network device, software, hardware, or any component of any of the foregoing or (ii) the accuracy, reliability, timeliness or completeness of any product or recommendation. CIS is providing the products and the recommendations as is and as available without representations, warranties or covenants of any kind.

Not provided.

rat-feedback@cisecurity.org

Not provided. Not provided.

2010-12-31T05:00:00.000Z

FINAL

2011-05-10T23:10:37.340Z

false

Router Security Configuration Guide

v1.1c Not provided. GOVERNMENTAL_AUTHORITY Not provided. Prose guidance for Router Security Configuration Guide.

16A66F3F249A1E765EF267E47EAC8882C4DC32D1

117E1B7B793FB422C25A2FA3F145514234762389CAA8E4891FAFED7967FDD715

Prose

Cisco IOS 12.0

cpe:/o:cisco:ios:12.0

Network Router

Cisco IOS 11.3

cpe:/o:cisco:ios:11.3

Network Router

Cisco IOS 12.3

cpe:/o:cisco:ios:12.3

Network Router

Cisco IOS 12.1

cpe:/o:cisco:ios:12.1

Network Router

Cisco IOS 12.2

cpe:/o:cisco:ios:12.2

Network Router

This guide provides technical guidance intended to help network administrators and security officers improve the security of their networks. Using the information presented here, administrators can configure their routers to control access, resist attacks, shield other network components, and protect the integrity and confidentiality of network traffic. This guide gives an in-depth view on securing Cisco-based routers. After security has been implemented on the routers itself, a section within this guide gives guidance to administrators on how to test and validate the security measures. This guide is broken into three main sections: 1) a high-level view of router security, 2) detailed instructions for locking down a router, and 3) detailed advice and direction for trying to improve the security posture of a network. This guide was developed in response to numerous questions and requests for assistance received by the NSA Systems and Network Attack Center (SNAC). The topics covered in the guide were selected on the basis of customer interest, community consensus, and the SNAC's background in securing networks. The goal for this guide is a simple one: improve the security provided by routers in U.S. Government operational networks.

Border and Gateway Router

Network administrators and network security officers are the primary audience for this configuration guide throughout the text the familiar pronoun you is used for guidance directed specifically to them. Most network administrators are responsible for managing the connections within their networks, and between their network and various other networks. Network security officers are usually responsible for selecting and deploying the assurance measures applied to their networks. For this audience, this guide provides security goals and guidance, along with specific examples of configuring Cisco routers to meet those goals. Firewall administrators are another intended audience for this guide. Often, firewalls are employed in conjunction with filtering routers the overall perimeter security of an enclave benefits when the configurations of the firewall and router are complementary. While this guide does not discuss general firewall topics in any depth, it does provide information that firewall administrators need to configure their routers to actively support their perimeter security policies. Section 5 includes information on using the firewall features of the Cisco Integrated Security facility. Information System Security Engineers (ISSEs) may also find this guide useful. Using it, an ISSE can gain greater familiarity with security services that routers can provide, and use that knowledge to incorporate routers more effectively into the secure network configurations that they design. Sections 4, 5, and 6 of this guide are designed for use with routers made by Cisco Systems, and running Cisco's IOS software. The descriptions and examples in those sections were written with the assumption that the reader is familiar with basic Cisco router operations and command syntax.

MANAGED

The security configuration guide has been extensively tested in a lab and operational environment.

Not provided.

This document is only a guide to recommended security settings for Internet Protocol (IP) routers, particularly routers running Cisco Systems Internetwork Operating System (IOS) versions 11.3 through 12.3.

Not provided.

SNAC.Guides@nsa.gov

Not provided. Refer to the legal statement provided at: http://www.nsa.gov/notices/notic00004.cfm?Address= /snac/routers/cisco_scg-1.1b.pdf

The Carnegie Mellon University Computer Emergency Response Team (CERT) maintains a web site about network vulnerabilities.

Microsoft Corporation Support homepage

At the web site of Cisco's publishing arm, you can order a wide variety of books about Cisco routers and related networking technologies.

2005-12-14T05:00:00.000Z

FINAL

2011-06-27T15:42:27.283Z

false

Router Security Configuration Guide Supplement - Security for IPv6 Routers

v1.0 Not provided. GOVERNMENTAL_AUTHORITY Not provided. Router Security Configuration Guide Supplement – Security for IPv6 Routers

A50A2F4C2DB9327484E8663DBC678DD37C5C328C

0DD51D9E70E99419199F6F3789E1828B1B09156804846432538595819B09D814

Prose

Cisco IOS 12.4

cpe:/o:cisco:ios:12.4

Network Router

Cisco IOS 12.4t

cpe:/o:cisco:ios:12.4t

Network Router

Cisco IOS 12.3

cpe:/o:cisco:ios:12.3

Network Router

Cisco IOS 12.3t

cpe:/o:cisco:ios:12.3t

Network Router

This document is a supplement to the NSA Router Security Configuration Guide (RSCG) version 1.1c. It provides background information about IP version 6, discusses threats and threat mitigation for IPv6, and provides specific directions and rationale for configuring Cisco IOS routers for secure IPv6 operation. Specific topic areas covered include basic IPv6 configuration, IPv6 packet filtering, IPv6 routing security, protection IPv6 traffic with IPSec, simple IPv6 rate limiting, and basic IPv6 firewall protections.

IPv6 Border or Gateway Router

1. This document should not be applied by itself for best results, apply the full NSA RSCG first, then apply the guidance in this document. 2. This document does not address security for IPv6 multicast. 3. Some of the security features described in this checklist are available only in particular releases of IOS. 4. Community consensus best practices have not yet emerged in some areas of IPv6 security

Network administrators and network security officers are the primary audience for this configuration guide. Throughout the text the familiar pronoun Ã¢??youÃ¢?ï¿½ is used for guidance directed specifically to them. Most network administrators are responsible for managing the connections within their networks, and between their network and various other networks. Network security officers are usually responsible for selecting and deploying the assurance measures applied to their networks. For this audience, this guide provides security goals and guidance, along with specific examples of configuring Cisco IOS routers to meet those goals. In particular, this supplement is designed for managers of networks that support both IPv4 and IPv6.

MANAGED

The guidance in this document has undergone extensive lab testing, but only cursory operational testing. IOS versions used in testing included many releases of IOS 12.3, 12.3T, 12.4, and 12.4T. The most testing was performed on version 12.4. Hardware platforms used in testing: C3620, C3640, and C3725

This document is only a guide to recommended security settings for Internet Protocol version 6 (IPv6) routers, particularly routers running Cisco Systems Internet Operating System (IOS) versions 12.3 through 12.4 and 12.4T. It does not provide comprehensive guidance the directions in this document should be used in conjunction with the NSA Router Security Configuration Guide 1.1c or later. The advice in this document cannot replace well-designed policy or sound judgment. This supplement does not address site-specific configuration issues. Care must be taken when implementing the security steps specified in this document. Ensure that all security steps and procedures chosen from this guide are thoroughly tested and reviewed prior to imposing them on an operational network.

SOFTWARE IS PROVIDED AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE EXPRESSLY DISCLAIMED. IN NO EVENT SHALL THE CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES LOSS OF USE, DATA, OR PROFITS OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Not provided.

SNAC.Guides@nsa.gov

Not provided. Refer to the legal statement posted at: http://www.nsa.gov/notices/notic00004.cfm? Address=/snac/routers/I33-002R-06.pdf

The Carnegie Mellon University Computer Emergency Response Team (CERT) maintains a web site about network vulnerabilities.

Microsoft Corporation Support homepage

At the web site of Cisco's publishing arm, you can order a wide variety of books about Cisco routers and related networking technologies.

2006-05-22T04:00:00.000Z

2011-04-12T04:00:00.000Z

FINAL

2011-06-27T15:42:38.597Z

false

Microsoft Windows 2000 Router Configuration Guide

v1.02 Not provided. GOVERNMENTAL_AUTHORITY Not provided. Microsoft Windows 2000 Router Configuration Guide

C871C4D8B33EA7B25E22C4B422326C88947A7329

2536A15534A678E8323051EEACBBC062851909DE9187F4D60EE4F1000F10949E

Prose

Microsoft Windows Server 2000

cpe:/o:microsoft:windows_2000:::server

Operating System

The purpose of this guide is to provide technical guidance to network administrators of small to medium size networks in the configuration and integration of Microsoft Windows 2000 Server Router features. This guide also informs the reader about additional security features that are available in the Microsoft Windows 2000 Server Router environment. This guide is not intended to provide individual security settings for the network devices. Instead, it is designed to provide the reader an idea of what functionality is recommended in the integration of the Windows 2000 router within a TCP/IP network. The Microsoft Windows 2000 Router Configuration Guide presents a general overview of the routing features, recommended routing protocol, and filtering services. This overview is designed to show the recommended functionality in various locations within a network. The author intends for this guide to be used to help the planning phase of a small to medium sized network with typically less than 50 LAN segments. This guide should not be used on its own as an all-encompassing blueprint for router configuration.

Enterprise Router

This document is intended for Microsoft Windows 2000 network administrators and network designers. However, it should be useful for anyone involved with designing a routable network that includes Microsoft Windows 2000 hosts and/or servers.

MANAGED

The security configuration guide has been extensively tested in a lab and operational environment.

Not provided.

Perform a complete backup of your system before implementing any of the recommendations in this guide.

Not provided.

SNAC.Guides@nsa.gov

Not provided. Refer to the legal statement provided found in the download package. http://www.nsa.gov/notices/notic00004.cfm? Address=/snac/os/win2k/w2k_router.pdf

2001-04-30T04:00:00.000Z

FINAL

2009-07-21T19:47:54.750Z

false

Cisco IOS Switch Security Configuration Guide

v1.0 Not provided. GOVERNMENTAL_AUTHORITY Not provided. Cisco IOS Switch Security Configuration Guide

CC8F70DC3E474A96B582F65D32BC1B38CFD140A5

C18285997E0BCA83D6D44167D725B348E2CBCC81CFC39FF96858B0D31CCF1B44

Prose

Cisco IOS

cpe:/o:cisco:ios

Network Router

Cisco Catalyst

cpe:/h:cisco:catalyst

Network Switch

This guide provides technical recommendations intended to help network administrators improve the security of their networks. Using the information presented here, administrators can configure switches to control access, resist attacks, shield other network systems and protect the integrity and confidentiality of network traffic. Also, this guide can assist information security officers by describing the security issues related to critical systems (e.g., switches) which are part of their computer networks. This guide was developed in response to numerous questions and requests for assistance received by the Systems and Network Attack Center (SNAC). The topics covered in the guide were selected on the basis of customer interest and on the SNAC's background in securing networks. A major goal for this guide is to improve the security of the switches used on Department of Defense operational networks. This guide presents network security at Layer 2 (Data Link) of the Open Systems Interconnection Reference Model (OSI RM). A network hierarchy is introduced that explains the types of switches used in a computer network. Then vulnerabilities and corresponding countermeasures are described for the following topics: operating systems passwords management ports network services port security system availability Virtual Local Area Networks Spanning Tree Protocol access control lists logging and debugging and authentication, authorization and accounting. Advanced topics are identified for future work for this guide. A combined section of acronyms and glossary for terms used throughout this guide and a reference section are provided. Sample configuration files for two different models of Cisco switches are included that combine most of the countermeasures in this guide. Finally, a security checklist for Cisco switches summarizes the countermeasures.

Ethernet LAN Switch

Not provided.

The intended audience for this guide is those individuals who administer these switches in their organization's networks. The guide presumes that these administrators have at least a basic knowledge of these switches. The administrators should be familiar with configuring the switches with the command line interface, including using commands in the User Exec mode and in the Privileged Exec mode. The authors also assume that the administrator provides physical security for each switch and allows only authorized personnel to access the switch.

MANAGED

The security configuration guide has been extensively tested in a lab and operational environment.

Not provided.

Refer to Known Issues.

Not provided.

SNAC.Guides@nsa.gov

Not provided. Refer to the legal statement provided at: switch-guide-version1_01.pdf

2004-06-20T04:00:00.000Z

FINAL

2009-07-24T13:44:51.407Z

false

CIS IBM AIX 4.3.2/4.3.3/5L/5.1 Benchmark

v1.0.1 Not provided. THIRD_PARTY Not provided. CIS IBM AIX 4.3.2/4.3.3/5L/5.1 Benchmark v1.0.1

0EBE4F064F997875163BF22E151CD1DB427EE1C3

753961B0ACD60C3A37926A0D2DAE67EC7D3EECD22D7E267EA0451E7C081F1D92

Prose

IBM AIX 4.3.2

cpe:/o:ibm:aix:4.3.2

Operating System

IBM AIX 4.3.3

cpe:/o:ibm:aix:4.3.3

Operating System

IBM AIX 5.1

cpe:/o:ibm:aix:5.1

Operating System

IBM AIX 5L

cpe:/o:ibm:aix:5l

Operating System

This benchmark described recommendations for the secure configuration of AIX operating systems.

Operating System

Not provided.

MANAGED

Not provided.

Differs for Public and Private consumers, please read disclaimer information from the CIS web site located at: http://www.cisecurity.org/sub_form.html

Not provided.

cis-feedback@cisecurity.org

Not provided. Differs for Public and Private consumers, please read licensing information from the CIS web site located at: http://www.cisecurity.org/sub_form.html

2005-10-19T04:00:00.000Z

FINAL

2013-04-15T14:37:17.767Z

false

CIS FreeBSD 4.10 Benchmark

v1.0.5 Not provided. THIRD_PARTY Not provided. CIS FreeBSD 4.10 Benchmark v1.0.5

7F69347DE51C558182B4E404FF8CBBB0793FC72F

EC44630E83B8468260DC8F7458947CEBA5954B7ED6BD6821313B4E7D5A556AA4

Prose

FreeBSD 4.10

cpe:/o:freebsd:freebsd:4.10

Operating System

This document provides recommendations for securing FreeBSD operating systems. This benchmark document covers FreeBSD version 4.8 and later for both servers and desktops. Desktop systems typically have different security expectations than server-class systems. In an effort to facilitate use of this benchmark on these different classes of machines, shaded text has been used to indicate questions and/or actions that are typically not applicable to desktop systems in a large enterprise environment. These shaded items may be skipped on these desktop platforms.

Desktop and Server Operating System

Unix system and network administrators

MANAGED

Not provided.

Refer to Known Issues.

Not provided.

Freebsd-feedback@lists.cisecurity.org

Not provided. Not provided.

2005-08-30T04:00:00.000Z

FINAL

2011-05-10T23:43:06.330Z

false

CIS HP-UX 11i Benchmark

v1.5.0 Not provided. THIRD_PARTY Not provided. CIS HP-UX 11i Benchmark v1.5.0

5834ED52D29BC7DB3682C114B55EBCC7DDDE70C9

875230F7EF7319B5678D2EAC814BF4AF8C65992E41109881C85E05E96C637841

Prose

HP HP-UX 11

cpe:/o:hp:hp-ux:11

Operating System

This document provides recommendations for securing HP-UX operating systems. This benchmark document covers HP-UX version 11.x for both servers and desktops. It also provides some guidance for earlier versions of HP-UX, but instructs administrators to strongly consider upgrading to HP-UX version 11i. Desktop systems typically have different security expectations than server-class systems. In an effort to facilitate use of this benchmark on these different classes of machines, shaded text has been used to indicate questions and/or actions that are typically not applicable to desktop systems in a large enterprise environment. These shaded items may be skipped on these desktop platforms.

Server Operating System

The actions listed in this document are written with the assumption that they will be executed in the order presented here. Some actions may need to be modified if the order is changed. Actions are written so that they may be copied directly from this document into a root shell window with a cut-and-paste operation. The actions listed in this document are written with the assumption that they will be executed by the root user running the /sbin/sh shell, using a umask of 077 ('umask 077'), and without noclobber set ('set +o noclobber'). Before performing the steps of this benchmark it is strongly recommended that administrators make backup copies of critical configuration files that may get modified by various benchmark items. The script provided in Appendix A of this document will automatically back up all files that may be modified by the actions. If this step is not performed, then the site may have no reasonable back-out strategy for reversing system modifications made as a result of this document.

Unix system and network administrators

MANAGED

Not provided.

Refer to Known Issues.

Not provided.

hpux-bench@cisecurity.org

Not provided. Not provided.

2009-09-17T04:00:00.000Z

FINAL

2011-05-10T23:52:09.103Z

false

CIS Mac OSX 10.5 (Leopard) Benchmark

Version v1.0.0 Not provided. THIRD_PARTY Not provided. CIS Mac OSX 10.5 (Leopard) Benchmark v1.0.0

E84459410BE7791859CB4BAD893DFC857290EA9B

2371C6EB569F30ABEC99033CB8D3B4D7B0D3501587680F9076E077544CE825E4

Prose

Apple Mac OS X 10.5

cpe:/o:apple:mac_os_x:10.5

Operating System

This CIS Benchmark document is designed to provide novice and above level users with clear guidance for securing Mac OS X Panther. The benchmark guides a user or administrator, from the point of installation (after updates), through the process of securing a Mac OS X workstation. This benchmark implements best practices and techniques through a combination of scripting and user interface security steps to achieve the strict end goal of a secure, functional end-user device (rather than a server).

Desktop Operating System

Not provided.

MANAGED

Not provided.

Differs for Public and Private consumers, please read disclaimer information from the CIS web site located at: http://www.cisecurity.org/sub_form.html

Not provided.

cis-feedback@cisecurity.org

Not provided. Differs for Public and Private consumers, please read licensing information from the CIS web site located at: http://www.cisecurity.org/sub_form.html

2008-05-09T04:00:00.000Z

FINAL

2011-05-11T02:15:21.573Z

false

Apple Mac OS X v10.3.x Panther Security Configuration Guide

Version 1.1 Not provided. GOVERNMENTAL_AUTHORITY Not provided. Apple Mac OS X v10.3.x Panther Security Configuration Guide

FF9FB35BD30C0C2E663E0B1463BB953740A1634C

A75C66AC075963A9E3A87E3915DCA6DB36D3939B26DC5C49A53245A87DD80EF1

Prose

Apple Mac OS X 10.3

cpe:/o:apple:mac_os_x:10.3

Operating System

The purpose of this guide is to provide an overview of Mac OS X v10.3.x Ã¢??PantherÃ¢?ï¿½ operating system security and recommendations for configuring the security features. This guide provides recommended settings to secure systems using this operating system, and points out problems that could cause security concerns in systems using this operating system. This document consists of six chapters and two appendices: Chapter 1, Ã¢??Scope of Guidance,Ã¢?ï¿½ contains an overview of the type of system for which this guidance is intended. Chapter 2, Ã¢??Introduction to Mac OS X Security,Ã¢?ï¿½ contains a brief overview of some of the key security features found in the Mac OS X operating system. Chapter 3, Ã¢??Initial InstallationÃ¢?ï¿½ contains step-by-step guidance for installing a new Mac OS X system. Chapter 4, Ã¢??Configuring System Settings,Ã¢?ï¿½ contains information on how to securely configure a Mac OS X system once it has been installed. Chapter 5, Ã¢??Configuring User Accounts,Ã¢?ï¿½ contains guidance on how to create new user accounts, how to give an account administrative access, how to limit account capabilities, how to configure each type of account to make it secure, and information that should be passed on to users about using their accounts securely. Chapter 6, Ã¢??Future Guidance,Ã¢?ï¿½ contains information about topics that were not covered in this guidance, but which are slated for future guidance. Appendix A, Ã¢??Encrypting Files and Folders,Ã¢?ï¿½ gives instructions on two additional ways to encrypt files under Mac OS X that may provide additional security for information that is to be transferred via removable media (e.g. CD) or network. Appendix B, Ã¢??References,Ã¢?ï¿½ contains a list of resources used in creating this guide. Many of these resources are valuable sources of additional information about Mac OS X in general, including many features not discussed in this guidance. Appendix C, Ã¢??Additional Resources,Ã¢?ï¿½ contains a list of references that, though not used in preparation of this guide, may be of interest to the reader.

Desktop or Mobile Client

Guidance in this document is geared towards a locally-administered Mac OS X v10.3.x system. Guidance contained here may not be applicable to Mac OS X Server or to a Mac OS X network. Some instructions within this guidance are complex, and deviation could result in serious adverse effects on the system and its security. Modification of these instructions should only be performed by experienced Mac OS X administrators, and followed by thorough testing.

This document is intended for anyone managing a locally -administered Apple Mac OS X v10.3.x system. It is assumed that anyone using this guidance will have some experience using Mac OS X, and understands the basics of the Mac OS X user interface.

SSLF

The security configuration guide has been extensively tested with Mac OS X v10.3.3 with Mac OS Update 10.3.4 and security updates Security Update 2004-05-24 and Security Update 2004-06-07 in a lab environment and operational environment.

Not provided.

The following list contains suggestions for successfully using the Apple Mac OS X Security Configuration Guide: Read the guide in its entirety. Subsequent sections can build on information and recommendations discussed in prior sections. This guidance should always be tested in a non-operational environment before deployment. This non-operational environment should simulate the architecture where the system will be deployed as much as possible. This guidance is intended primarily for a locally-administered Mac OS X system. Much of the guidance may still be applicable even for a Mac OS X system being managed by another server. If the system being configured will be centrally managed by another system, the guidance given here should be followed as closely as possible within that context, but some guidance may not be applicable. Any deviations from this guidance should be evaluated to determine what security risk that deviation may introduce, and measures should be taken to monitor or mitigate those risks. The organizations responsible for this guide include: Systems and Network Attack Center (SNAC), and National Security Agency (NSA)

Not provided.

SNAC.Guides@nsa.gov

Not provided. Unless expressly stated otherwise to comply with license requirements or copyrights owned by others, information presented on NSA.gov is considered public information and may be distributed or copied. Use of appropriate byline/phone/image credit is requested. In accordance with 50 USC 402, no one may use without permission from NSA/CSS the words 'National Security Agency', the initials, or seal of the National Security Agency in connection with any commercial activity or in a manner intended to convey the impression that such use is approved, endorsed, or authorized by the National Security Agency.

2004-10-14T04:00:00.000Z

CANDIDATE

2009-07-23T17:45:23.627Z

false

zOS RACF STIG

Version 6, Release 15 Not provided. GOVERNMENTAL_AUTHORITY Not provided. zOS RACF STIG - Version 6, Release 15

9145C7795A6F6C968C211FBA5E7A370857690C82

E47C601B87E9242246AF543A624835A8184077CB5E5B054FB132CEA006AABA88

Standalone XCCDF

IBM OS390

cpe:/o:ibm:os_390

Operating System

This SRR Review Procedures, OS/390 Resource Access Control Facility (RACF) document provides the procedures for conducting a Security Readiness Review (SRR) to determine compliance with the requirements in the OS/390 Security Technical Implementation Guides (STIG). This checklist must be used together with the corresponding version of the STIG document. This SRR guide focuses strictly on the IBM OS/390 operating system (OS) and how the RACF security component interacts with the operating system. Additionally, this checklist ensures the site has properly installed and implemented the RACF component for the IBM OS/390 OS and that it is being managed in a way that is secure, efficient, and effective, through procedures outlined in the checklist. The items reviewed are based on standards and requirements published by DISA in the OS/390 Security Technical Implementation Guide.

Mainframe Operating System

Not provided.

Developed for the DOD. This checklist has been created for IT professionals, particularly operating system administrators with a background in the IBM OS/390 OS, as well as information security personnel. The document assumes that the reader has experience installing and administering the IBM OS/390-based systems in domain or standalone configurations.

MANAGED

SSLF

Not provided.

DOD Directive 8500.

Please refer to the Checklist or the README.txt files provided with the scripts for any comments, warnings, or detailed instructions.

Not provided.

It should be noted that FSO Support for the STIGs, Checklists, and Tools is only available to DOD Customers.

Not provided.

Not provided. Not provided.

2012-07-27T04:00:00.000Z

2013-04-26T04:00:00.000Z

UNDER_REVIEW

2013-05-09T20:08:44.707Z

false

CIS Slackware Linux 10.2 Benchmark

v1.1.0 Not provided. THIRD_PARTY Not provided. CIS Slackware Linux 10.2 Benchmark v1.1.0

DFBAB002332C4C8E988A2B074B84819087CB692D

391AF545055470FF594597BD088147B1C350AFE0E65D052C5FC007E363C64A63

Prose

Slackware Linux 10.2

cpe:/o:slackware:slackware_linux:10.2

Operating System

This document contains recommendations for the secure configuration of Slackware Linux distributions.

Desktop and Server Operating System

Not provided.

STANDALONE

MANAGED

Not provided.

Differs for Public and Private consumers, please read disclaimer information from the CIS web site located at: http://www.cisecurity.org/sub_form.html

Not provided.

cis-feedback@cisecurity.org

Not provided. Differs for Public and Private consumers, please read licensing information from the CIS web site located at: http://www.cisecurity.org/sub_form.html

Slackware Book

General Slackware

Partitioning

Primary source for information on NTP

Information on MIT Kerberos

Apache "Security Tips" document

Information on sendmail and DNS

OpenSSH (secure encrypted network logins)

TCP Wrappers source distribution

PortSentry and Logcheck (port and log monitoring tools)

Swatch (log monitoring tool)

Open source sendmail (email server) distributions

CUPS (Common UNIX Printing System)

sudo (provides fine-grained access controls for superuser activity)

Tripwire â€“ file modification utility

LPRng (Open Source replacement printing system for Unix)

Slackware Book

Patches and related documentation

2005-10-24T04:00:00.000Z

FINAL

2011-06-27T14:44:31.053Z

false

CIS Solaris 2.5.1-9 Benchmark

v1.3.0 Not provided. THIRD_PARTY Not provided. CIS Solaris 2.5.1-9 Benchmark v1.3.0

69094FB77040FB4088ED14D3E6420671A25CFF40

D47098B9749D81B00C55BAF88F46B83D754ED5C474962581A490B1A30D5DA198

Prose

Sun Solaris 2.5.1

cpe:/o:sun:solaris:2.5.1

Operating System

This document provides recommendations for securing Solaris operating systems. This benchmark document covers Solaris version 2.5.1 and later for both servers and desktops. Desktop systems typically have different security expectations than server-class systems. In an effort to facilitate use of this benchmark on these different classes of machines, shaded text has been used to indicate questions and/or actions that are typically not applicable to desktop systems in a large enterprise environment. These shaded items may be skipped on these desktop platforms.

Desktop and Server Operating System

The actions listed in this document are written with the assumption that they will be executed in the order presented here. Some actions may need to be modified if the order is changed. Actions are written so that they may be copied directly from this document into a root shell window with a cut-and-paste operation. The actions listed in this document are written with the assumption that they will be executed by the root user running the /sbin/sh shell and without noclobber set. Before performing the steps of this benchmark, it is strongly recommended that administrators make backup copies of critical configuration files that may get modified by various benchmark items. If this step is not performed, then the site may have no reasonable back-out strategy for reversing system modifications made as a result of this document. The script provided in Appendix A of this document will automatically back up all files that may be modified by the actions, except for the boot scripts manipulated by the various items in Section 3 of this document, which are backed up automatically by the individual items in Section 3.

Not provided.

MANAGED

Not provided.

Refer to Known Issues.

Not provided.

sol-bench@cisecurity.org

Not provided. Not provided.

2004-06-17T04:00:00.000Z

FINAL

2011-05-11T00:52:46.760Z

false

CIS Solaris 10,11/06,8/07 Benchmark v4.0.0 and appendix archive

v4.0.0 Not provided. THIRD_PARTY Not provided. CIS Solaris 10,11/06,8/07 Benchmark v4.0.0 and appendix archive v4.0.0

279426DD7D67182EB045CBE54A2908AF4B36FF17

849183EBC70E0D041C45F3D12FCAD1CB6D9FC595D3DA2AFC7729B8DC7FECA83F

Prose

Sun Solaris 10.0

cpe:/o:sun:solaris:10.0

Operating System

This document provides recommendations for securing Solaris operating systems. This benchmark document covers Solaris version 10 for both servers and desktops. Desktop systems typically have different security expectations than server-class systems. In an effort to facilitate use of this benchmark on these different classes of machines, shaded text has been used to indicate questions and/or actions that are typically not applicable to desktop systems in a large enterprise environment. These shaded items may be skipped on these desktop platforms.

Desktop and Server Operating System

Not provided.

This checklist has been created for IT professionals, particularly system administrators and information security personnel.

MANAGED

Not provided.

Refer to Known Issues.

Differs for Public and Private consumers, please read disclaimer information from the CIS web site located at: http://www.cisecurity.org/sub_form.html

Not provided.

sol-bench@cisecurity.org

Not provided. Differs for Public and Private consumers, please read licensing information from the CIS web site located athttp://www.cisecurity.org/sub_form.html

2007-09-27T04:00:00.000Z

FINAL

2011-11-21T16:11:30.737Z

false

Unisys STIG Checklist

Version 7 Release 2 Not provided. GOVERNMENTAL_AUTHORITY Not provided. Unisys STIG - Version 7, Release 2

A2A5864EB01494A85EE59B855E92D48764B92C2B

8E7B96CCAB091FF09419C7A8AF1F465FE9E16D93BF3D399DDB15A9110531A77A

Prose Not provided. Unisys Checklist - Version 7, Release 2.

7956E54B26FD15816F308A2BFD10355493564D0F

E9E41A056747FD1B7B6D2787963CC566ADB871F55627CCBD53195CFBC546A84D

Prose

Unisys 2200 8.1

cpe:/o:unisys:unisys_2200:6.1

Operating System

Unisys 2200 6.1

cpe:/o:unisys:unisys_2200:6.1

Operating System

This Unisys Security Checklist provides the procedures for conducting a review to determine compliance with the requirements in the Unisys Security Technical Implementation Guide and must be used together. This Unisys security checklist covers the Unisys Executive and Standard system software. Additionally, this checklist ensures the site has a properly installed and implemented specific operating system and associated software application configurations and that it is being managed in a way that is secure, efficient, and effective, through procedures outlined in the checklist.

Mainframe Operating System

Not provided.

Developped for the DOD. The requirements set forth in this document are designed to assist Information Assurance Officers (IAOs) and System Administrators (SAs) in support of protecting DOD network infrastructures and resources. It assumes that the reader has knowledge of the Unisys Executive and Standard system software and is familiar with common computer terminology.

MANAGED

SSLF

Not provided.

DOD Directive 8500.

Please refer to the Checklist or the README.txt files provided with the scripts for any comments, warnings, or detailed instructions.

Not provided.

It should be noted that FSO Support for the STIGs, Checklists, and Tools is only available to DOD Customers.

Not provided.

Not provided. Not provided.

2006-11-24T05:00:00.000Z

FINAL

2013-05-09T17:21:53.137Z

false

Microsoft Windows 2000 IPsec Guide

v1.0 Not provided. GOVERNMENTAL_AUTHORITY Not provided. Microsoft Windows 2000 IPsec Guide

A38E8BB6DF85C1D58C4CDAE3B94BCB6B3EE07893

CC73E5F2EA59AB4CC42B1A062B53D3FBE32D629BF9961B0D73EA388A35C7C640

Prose

Microsoft Windows 2000

cpe:/o:microsoft:windows_2000

Operating System

The purpose of this guide is to inform the reader about Internet Protocol security (IPsec) services that are available in Microsoft Windows 2000 and how to configure these services to implement the desired network security policy. This guide does not attempt to provide individual IPsec security settings for all possible network architectures. Instead, this guide is designed to provide the reader an overview of the functionality that is available via IPsec and how it is implemented in Windows 2000, to provide a couple of worked examples, to make recommendations on critical security parameters, and to provide the reader with sufficient understanding to apply this information as necessary to their specific network architecture. Worked examples are used to illustrate the recommended IPsec configuration in a secure Windows 2000 network. The authors intend this guide to be used as a reference to help the planning/design phase of a network development or upgrade process. This guide focuses on a single issue related to network security (i.e., IPsec) and it should not be used on its own as an all-encompassing network design guide. Rather, other reference materials, including other NSA-produced configuration guides, should also be used.

IPsec Client, IPsec Agent

This document is intended for Microsoft Windows 2000 network administrators and network designers. However, it should be useful for anyone involved with designing or maintaining a network that includes Microsoft Windows 2000 hosts and/or servers.

MANAGED

The security configuration guide has been extensively tested in a lab and operational environment.

Not provided.

Prior to loading Windows 2000 IPsec, Windows 2000 system administrators should update their systems with the latest service pack as soon as possible after it is released. If applicable, compare the recommendations in this guide to the existing network architecture.

Not provided.

SNAC.Guides@nsa.gov

Not provided. Refer to the legal statement provided at: http://www.nsa.gov/notices/notic00004.cfm? Address=/snac/os/win2k/w2k_ipsec.pdf

2001-08-12T04:00:00.000Z

FINAL

2011-11-16T16:57:10.893Z

false

NIST SP 800-43

Update R1.2.3 Not provided. GOVERNMENTAL_AUTHORITY Not provided. The landing page for the NIST SP 800-43 checklist.

A8AEA21AF45C1B89A0A470165312E4E1C3CAEFDB

FD1497AA39A9F3F44524767105D6C23EB3CC1F4DF62C8F45FBE06813F46706E4

The Microsoft Windows tools, e.g. Security Templates MMC snap-in, Security Configuration Analysis MMC snap-in, Group Policy MMC snap-in, and Group Policy Management Console MMC snap-in can be used to customize and apply the NIST security templates to Windows 2000 Professional systems

There is no automated way of rolling back the settings unless a full system backup was performed before a security template was applied to the system.

Prose Not provided. The XCCDF representation of the checklist entitled NIST SP 800-43.

1131F96A1E13C0A83CEB2E8306EE3915E7EBDE85

9160FF762717CEC80C2B5A4BE50F436702911CD38D9D769E164533F2DEEC38E8

Standalone XCCDF Not provided. The security template for the checklist entitled NIST 800-43.

F762CFF86280BA2919830E5E7CE144703318C1E9

0E9E1D71B96B6CF489172D13C412CB3BD3707878908CB477E101A5BB0BC63B61

Security Template

Microsoft Windows 2000

cpe:/o:microsoft:windows_2000

Operating System

The Systems Administration Guidance for Windows 2000 Professional publication is intended to assist the users and system administrators of Windows 2000 Professional systems in configuring their hosts by providing configuration templates and security checklists. The guide provides detailed information about the security features of Win2K Pro, security configuration guidelines for popular applications, and security configuration guidelines for the Win2K Pro operating system. The guide documents the methods that the system administrators can use to implement each security setting. The principal goal of the document is to recommend and explain tested secure settings for Win2K Pro workstations with the objective of simplifying the administrative burden of improving the security of Win2K Pro systems. This guidance document also includes recommendations for testing and configuring common Windows applications. The application types include electronic mail (e-mail) clients, Web browsers, productivity applications, and antivirus scanners. This list is not intended to be a complete list of applications to install on Windows 2000 Professional, nor does it imply NISTs endorsement of particular commercial off-the-shelf (COTS) products. Many of the configuration recommendations for the tested Windows applications focus on deterring viruses, worms, Trojan horses, and other types of malicious code. The guide presents recommendations to protect the Windows 2000 Professional system from malicious code when the tested applications are being used.

Client Desktop and Mobile Host

Do not attempt to implement any of the settings in this guide without first testing them in a non-operational environment. These recommendations should be applied only to the Windows 2000 Systems and will not work on Windows 9X/ME, Windows NT, Windows XP, Windows Server 2000 or Windows Server 2003. The security templates have been tested on 2000 Professional systems and will not work on Windows 9X/ME, Windows NT, Windows XP, Windows Server 2000 or Windows Server 2003. The security templates should not be used by home users and should be used with caution since it will restrict the functionality and reduce the usability of the system.

This checklist has been created for IT professionals, particularly Windows 2000 system administrators and information security personnel. The document assumes that the reader has experience installing and administering Windows-based systems in domain or standalone configurations.

MANAGED

SSLF

The security templates have been tested on Windows 2000 Professional systems and will not work on Windows 9X/ME, Windows NT, Windows XP, Windows Server 2000 or Windows Server 2003. The recommended settings have been tested with the suite of applications described in section 10 of the NIST SP 800-43.

Not provided.

Refer to Known Issues.

Do not attempt to implement any of the settings in this guide without first testing them in a non-operational environment. NIST assumes no responsibility whatsoever for its use by other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic. NIST would appreciate acknowledgement if the document and template are used.

Microsoft will provide best efforts support, in line with the customerÃ???Ã??Ã?Â¢??s support contract, to assist in removing the worst results of such file and registry permissions, but Microsoft can only guarantee returning to the recommended out-of-the-box settings by reformatting and reinstalling the operating system.

itsec@nist.gov

Jesper Johansson and Kirk Soluk, Microsoft Corporation This document was developed at the National Institute of Standards and Technology, which collaborated with NSA, DISA, CIS, and Microsoft to produce the Windows XP security templates. Pursuant to title 17 Section 105 of the United States Code this document and template are not subject to copyright protection and is in the public domain.

2002-01-27T05:00:00.000Z

ARCHIVED

2011-03-02T20:17:57.903Z

false

true

false

CIS Windows 2000 Level 1 Benchmark

v1.2.2 Not provided. THIRD_PARTY Not provided. CIS Windows 2000 Level 1 Benchmark v1.2.2

FB7CBF936CD77A3F0AF1EEC22A765C871223A2C3

F7F759A1F9EA89DB4400AE81E75461E88D69ACB2A2C247E0813C30E7E6443753

Prose

Microsoft Windows 2000 Professional

cpe:/o:microsoft:windows_2000:::professional

Operating System

Microsoft Windows Server 2000

cpe:/o:microsoft:windows_2000:::server

Operating System

This document is a first generation Level I Benchmark for the Microsoft Windows 2000 operating system. It is a combination of best practices published by The SANS Institute, the National Security Agency, and the United States Department of Defense, plus advice from members of the Center for Internet Security (CIS). CIS Level I Benchmarks define minimum standards for securing various operating systems including Windows, and variations of Unix. These standards should be used to improve the â??out of the boxâ?? security of common operating system software to a prudent â??due careâ?? minimum level. By definition, the security actions included in CIS Level I Benchmarks satisfy three conditions: (1) they can be safely implemented by a system administrator of any level of technical security skill, (2) they will generally â??do no harmâ?? to functionality commonly required by everyday users, and (3) they can be scored by an associated software tool. This document is an example of a Level I Benchmark.

Desktop and Server Operating System

Not provided.

MANAGED

Not provided.

Differs for Public and Private consumers, please read disclaimer information from the CIS web site located at: http://www.cisecurity.org/sub_form.html

Not provided.

cis-feedback@cisecurity.org

Not provided. Differs for Public and Private consumers, please read licensing information from the CIS web site located at: http://www.cisecurity.org/sub_form.html

2004-07-26T04:00:00.000Z

FINAL

2011-05-11T01:54:15.587Z

false

Windows 2000 Security Checklist

Version 6, Release 1.19 Not provided. GOVERNMENTAL_AUTHORITY Not provided. Windows 2000 Security Checklist

B872B7F16B087BE4F7122DF34D1581840046238F

69035D18DA523FCDCC58ACB15899964F0787F1B18779D089EBC9B1B32721F02E

SCAP_CONTENT Not provided. Windows 2000 Security Checklist

FDAAE64EBC256215EEB0B8C48D49E6D58B99E74B

D6A43001EC90FDDD1D151298C204308C88CD5D318018ABE2C913286CFF6F2AB7

Prose

Microsoft Windows 2000

cpe:/o:microsoft:windows_2000

Operating System

The Microsoft Windows 2000 SRR targets conditions that undermine the integrity of security, contribute to inefficient security operations and administration, or may lead to interruption of production operations. Sites are required to secure the Microsoft Windows 2000 operating system in accordance with DOD Directive 8500.1, Section 4.18. The checks in this document were developed from DISA and NSA guidelines. Additionally, the review ensures the site has properly installed and implemented the Windows 2000 operating system and that it is being managed in a way that is secure, efficient, and effective. The items reviewed are based on standards and requirements published by DISA in the Security Handbook and other DoD Policy and regulations. This document is designed to instruct the reviewer on how to assess both the Professional and Member Server configurations in a mixed Windows NT 4/2000 domain. In addition, the security settings recommended can also be used to configure Group Policy in a Windows 2000 Active Directory environment.

Desktop and Server Operating System

- The vulnerabilities discussed in Sections 3 and 5 of this document are applicable to all versions of Windows 2000. To reduce the complexity of the manual procedures, however, these sections are designed around the Windows 2000 desktop. - The Access Control Lists (ACLs) on a system under review may differ from the recommendations specified in Appendix A. If the reviewed ACL is more restrictive, or if an equivalent user group is identified, there is no problem. If a specific application requires less restrictive settings, these must be documented with the site ISSO.

Developed for the DOD. This document is intended for IAOs, SAs, IAMs, NSOs, and others who are responsible for the configuration, management, or support of information systems. It assumes that the reader has knowledge of the Windows 2000 operating system and is familiar with common computer terminology.

MANAGED

SSLF

Not provided.

DOD Directive 8500.

Not provided.

It should be noted that FSO Support for the STIGs, Checklists, and Tools is only available to DOD Customers.

Not provided.

Not provided. Not provided.

2010-08-27T04:00:00.000Z

UNDER_REVIEW

2011-03-08T21:23:57.317Z

true

false

true

false

true

CCE-3042-9

2009-07-30T19:31:06.577Z

The "password must meet complexity requirments" policy should be set correctly.

CM-6

IA-5

CCE-3059-3

2009-07-30T19:31:06.733Z

2012-05-25T03:56:35.257Z

The startup type of the Fax service should be correct.

CM-6

CCE-3095-7

2009-07-30T19:31:07.890Z

System File Checker should be properly configured.

CM-7

CCE-3096-5

2009-07-30T19:31:06.297Z

2012-05-25T03:56:34.257Z

The security log maximum size should be configured correctly..

AU-4

AU-6

AU-9

CCE-3098-1

2009-07-30T19:31:08.827Z

2012-05-25T03:56:41.180Z

The "Users Prompted to Change Password Before Expiration" policy should be set correctly.

AC-3

CM-6

CM-7

IA-5

CCE-3145-0

2009-07-30T19:31:09.250Z

2012-05-25T03:56:42.227Z

The "Prevent System Maintenance of Computer Account Password" policy should be set correctly.

AC-3

CM-6

CM-7

SC-5

CCE-3224-3

2009-07-30T19:31:06.500Z

The "minimum password age" policy should meet minimum requirements.

CM-6

IA-5

CCE-3228-4

2009-07-30T19:31:06.530Z

The "minimum password length" policy should meet minimum requirements.

CM-6

IA-5

CCE-3229-2

2009-07-30T19:31:05.657Z

The "account lockout threshold" policy should meet minimum requirements.

AC-7

CM-6

CCE-3282-1

2009-07-30T19:31:05.547Z

The "enable computer and user accounts to be trusted for delegation" user right should be assigned to the correct accounts.

AC-3

CM-6

CCE-3296-1

2009-07-30T19:31:04.890Z

The "change the system time" user right should be assigned to the correct accounts.

AU-8

CM-7

CCE-3317-5

2009-07-30T19:31:05.140Z

The "lock pages in memory" user right should be assigned to the correct accounts.

AC-3

CM-6

CCE-3372-0

2009-07-30T19:31:06.657Z

2012-05-25T03:56:35.007Z

The startup type of the Alerter service should be correct.

CM-6

CCE-3392-8

2009-07-30T19:31:08.750Z

2012-05-25T03:56:40.930Z

The "Send Unencrypted Password to Connect to Third-Party SMB Servers" policy should be set correctly.

AC-3

CM-6

CM-7

SC-5

CCE-3393-6

2009-07-30T19:31:04.827Z

The "back up files and directories" user right should be assigned to the correct accounts.

AC-3

CM-6

CCE-3445-4

2009-07-30T19:31:05.327Z

The "profile system performance" user right should be assigned to the correct accounts.

AC-3

CM-6

CCE-3463-7

2009-07-30T19:31:08.610Z

2012-05-25T03:56:40.570Z

The "Recovery Console: Allow Floppy Copy and Access to All Drives and All Folders" policy should be set correctly.

AC-3

CM-6

CM-7

SC-5

CCE-3471-0

2009-07-30T19:31:05.467Z

The "take ownership of files or other objects" user right should be assigned to the correct accounts.

AC-3

CM-6

CCE-3489-2

2009-07-30T19:31:05.517Z

The "deny logon locally" user right should be assigned to the correct accounts.

AC-3

CM-6

CCE-3503-0

2009-07-30T19:31:04.750Z

The "deny access to this computer from the network" user right should be assigned to the correct accounts.

AC-3

CM-6

CCE-3507-1

2009-07-30T19:31:05.250Z

The "manage auditing and security log" user right should be assigned to the correct accounts.

AC-3

CM-6

CCE-3515-4

2009-07-30T19:31:06.967Z

2012-05-25T03:56:36.023Z

The startup type of the Simple TCP/IP service should be correct.

CM-6

CCE-3517-0

2009-07-30T19:31:09.827Z

2012-05-25T03:56:43.367Z

The "Disable Software Update Shell Notifications on Program Launch" setting should be configured correctly.

CM-5

CM-6

CCE-3524-6

2009-07-30T19:31:07.030Z

2012-05-25T03:56:36.180Z

The startup type of the SNMP Service service should be correct.

CM-6

CCE-3542-8

2009-07-30T19:31:05.577Z

The "add workstations to domain" user right should be assigned to the correct accounts.

AC-3

CM-6

CCE-3545-1

2009-07-30T19:31:09.093Z

2012-05-25T03:56:41.790Z

The "Number of Previous Logons to Cache" policy should be set correctly.

AC-3

CM-6

CM-7

SC-5

CCE-3554-3

2009-07-30T19:31:06.877Z

2012-05-25T03:56:35.710Z

The startup type of the Internet Connection Sharing service should be correct.

CM-6

CCE-3559-2

2009-07-30T19:31:07.530Z

Automatic Logon should be properly configured.

AC-3

CM-6

CM-7

IA-2

SC-5

CCE-3588-1

2009-07-30T19:31:06.610Z

The "enforce password history" policy should meet minimum requirements.

CM-6

IA-5

CCE-3589-9

2009-07-30T19:31:06.313Z

2012-05-25T03:56:34.320Z

The "when maximum log size is reached" property should be set correctly for the Security log.

AU-4

AU-5

CM-6

CCE-3596-4

2009-07-30T19:31:09.233Z

2012-05-25T03:56:42.163Z

The "Smart Card Removal Behavior" policy should be set correctly.

CM-6

CM-7

CCE-3600-4

2009-07-30T19:31:08.000Z

The TCP/IP KeepAlive Time should be set correctly .

AC-4

SC-5

SC-7

CCE-3607-9

2009-07-30T19:31:09.140Z

2012-05-25T03:56:41.947Z

The "Secure Channel: Digitally Encrypt or Sign Secure Channel Data (Always)" policy should be set correctly.

CM-6

SC-2

CCE-3630-1

2009-07-30T19:31:05.093Z

The "increase scheduling priority" user right should be assigned to the correct accounts.

AC-3

CM-6

CCE-3643-4

2009-07-30T19:31:07.000Z

2012-05-25T03:56:36.087Z

The startup type of the Simple Mail Transport Protocol (SMTP) service should be correct.

CM-6

CCE-3646-7

2009-07-30T19:31:07.843Z

Display Last User Name in Logon Screen should be properly configured.

AC-3

AC-9

CM-6

CCE-3653-3

2009-07-30T19:31:04.860Z

The "bypass traverse checking" user right should be assigned to the correct accounts.

AC-3

CM-6

CCE-3675-6

2009-07-30T19:31:08.547Z

2012-05-25T03:56:40.430Z

The "Prevent Users from Installing Printer Drivers" policy should be set correctly.

AC-3

CM-6

CM-7

SC-5

CCE-3682-2

2009-07-30T19:31:07.687Z

Computer Browser ResetBrowser Frames should be properly configured.

CM-6

CCE-3687-1

2009-07-30T19:31:05.610Z

The "reset account lockout counter after" policy should meet minimum requirements.

AC-7

CM-6

CCE-3704-4

2009-07-30T19:31:07.703Z

ICMP Redirects should be properly configured.

AC-3

CM-6

CM-7

SC-5

CCE-3722-6

2009-07-30T19:31:07.110Z

2012-05-25T03:56:36.400Z

The startup type of the World Wide Web Publishing service should be correct.

CM-6

CCE-3726-7

2009-07-30T19:31:07.577Z

Autoplay on all Drive Types should be properly configured.

AC-3

CM-6

CM-7

SC-5

CCE-3736-6

2009-07-30T19:31:04.797Z

The "act as part of the operating system" user right should be assigned to the correct accounts.

AC-3

CM-6

CCE-3738-2

2009-07-30T19:31:06.813Z

2012-05-25T03:56:35.493Z

The startup type of the Messenger service should be correct.

CM-6

CCE-3747-3

2009-07-30T19:31:08.967Z

2012-05-25T03:56:41.507Z

The "Digitally Sign Client Communication (Always)" policy should be set correctly.

AC-3

CM-6

CM-7

SC-5

CCE-3748-1

2009-07-30T19:31:02.063Z

2012-05-25T03:56:22.617Z

The required auditing for the registry key HKEY_LOCAL_MACHINE\SOFTWARE should be enabled.

AU-2

CCE-3766-3

2009-07-30T19:31:07.390Z

Use of the built-in Guest account should be enabled or disabled as appropriate.

AC-2

CM-7

IA-4

CCE-3767-1

2009-07-30T19:31:04.953Z

The "create permanent shared objects" user right should be assigned to the correct accounts.

AC-3

CM-6

CCE-3772-1

2009-07-30T19:31:04.983Z

The "debug programs" user right should be assigned to the correct accounts.

AC-3

CM-6

CCE-3775-4

2009-07-30T19:31:06.187Z

2012-05-25T03:56:33.977Z

The application log maximum size should be configured correctly..

AU-4

AU-5

CM-6

CCE-3783-8

2009-07-30T19:31:09.030Z

2012-05-25T03:56:41.650Z

The "Digitally Sign Server Communication (Always)" policy should be set correctly.

AC-3

CM-6

CM-7

SC-5

CCE-3797-8

2009-07-30T19:31:06.217Z

2012-05-25T03:56:34.057Z

The "when maximum log size is reached" property should be set correctly for the Application log.

AU-4

AU-5

CM-6

CCE-3798-6

2009-07-30T19:31:05.110Z

The "load and unload device drivers" user right should be assigned to the correct accounts.

AC-3

CM-6

CCE-3805-9

2009-07-30T19:31:06.420Z

2012-05-25T03:56:34.570Z

The "when maximum log size is reached" property should be set correctly for the System log.

AU-4

AU-5

CM-6

CCE-3807-5

2009-07-30T19:31:02.187Z

2012-05-25T03:56:23.210Z

The required permissions for the directory %SystemDrive% should be assigned.

AC-3

CM-6

CCE-3811-7

2009-07-30T19:31:05.030Z

The "generate security audits" user right should be assigned to the correct accounts.

AC-3

AU-9

CM-6

CCE-3819-0

2009-07-30T19:31:07.063Z

2012-05-25T03:56:36.243Z

The startup type of the SNMP Trap Service service should be correct.

CM-6

CCE-3827-3

2009-07-30T19:31:06.483Z

The "maximum password age" policy should meet minimum requirements.

AC-3

CM-6

CM-7

IA-5

SC-5

CCE-3829-9

2009-07-30T19:31:05.360Z

The "remove computer from docking station" user right should be assigned to the correct accounts.

AC-3

CM-6

CCE-3830-7

2009-07-30T19:31:06.767Z

2012-05-25T03:56:35.337Z

The startup type of the FTP Publishing service should be correct.

CM-6

CCE-3835-6

2009-07-30T19:31:06.797Z

2012-05-25T03:56:35.413Z

The startup type of the IIS Admin service should be correct.

CM-6

CCE-3837-2

2009-07-30T19:31:07.313Z

2012-05-25T03:56:36.977Z

The behavior surrounding Anonymous users' abiliity to display lists of SAM accounts and shares should be correct.

AC-3

CM-6

CM-7

SC-5

CCE-3850-5

2009-07-30T19:31:05.500Z

The "synchronize directory service data" user right should be assigned to the correct accounts.

AC-3

CM-6

CCE-3852-1

2009-07-30T19:31:06.627Z

The "store password using reversible encryption for all users in the domain" policy should be set correctly.

CM-6

IA-5

CCE-3860-4

2009-07-30T19:31:04.937Z

The "Create a token object" user right should be assigned to the correct accounts.

AC-3

CM-6

CCE-3874-5

2009-07-30T19:31:09.797Z

2012-05-25T03:56:43.290Z

The "Disable Periodic Check For Internet Explorer Software Updates" setting should be configured correctly.

CM-6

SC-1

SI-2

CCE-3878-6

2009-07-30T19:31:08.030Z

The permitted number of TCP/IP Maximum Half-open Sockets should be set correctly .

AC-4

SC-5

SC-7

CCE-3880-2

2009-07-30T19:31:06.170Z

2012-05-25T03:56:33.900Z

The "restrict guest access to application log" policy should be set correctly.

AU-4

CM-6

CCE-3884-4

2009-07-30T19:31:07.983Z

TCP/IP Dead Gateway Detection should be properly configured.

AC-3

CM-6

CM-7

SC-5

CCE-3886-9

2009-07-30T19:31:08.467Z

2012-05-25T03:56:40.117Z

The "Disable CTRL+ALT+Delete Requirement for Logon" policy should be set correctly.

AC-3

CM-6

CM-7

SC-5

CCE-3889-3

2009-07-30T19:31:06.407Z

2012-05-25T03:56:34.493Z

The system log maximum size should be configured correctly..

AU-4

AU-6

AU-9

CCE-3892-7

2009-07-30T19:31:06.687Z

2012-05-25T03:56:35.087Z

The startup type of the ClipBook service should be correct.

CM-6

CCE-3898-4

2009-07-30T19:31:07.217Z

2012-05-25T03:56:36.680Z

The correct service permissions for the Printer service should be assigned.

AC-3

CM-6

CCE-3899-2

2009-07-30T19:31:08.327Z

The built-in Administrator account should be correctly named.

AC-3

CM-6

CM-7

SC-5

CCE-3903-2

2009-07-30T19:31:05.267Z

The "modify firmware environment values" user right should be assigned to the correct accounts.

AC-3

CM-6

CCE-3904-0

2009-07-30T19:31:05.017Z

The "force shutdown from a remote system" user right should be assigned to the correct accounts.

AC-3

CM-6

CCE-3912-3

2009-07-30T19:31:05.407Z

The "restore files and directories" user right should be assigned to the correct accounts.

AC-3

CM-6

CCE-3915-6

2009-07-30T19:31:07.733Z

IP Source Routing should be properly configured.

AC-3

CM-6

CM-7

SC-5

CCE-3917-2

2009-07-30T19:31:04.780Z

The "access this computer from the network" user right should be assigned to the correct accounts.

AC-3

CM-6

CCE-3921-4

2009-07-30T19:31:08.377Z

2012-05-25T03:56:39.900Z

The amount of idle time required before disconnecting a session should be set correctly.

AC-1

AC-3

CM-6

CM-7

CCE-3922-2

2009-07-30T19:31:08.093Z

TCP/IP NetBIOS Name Release on Request Prevented should be properly configured.

AC-3

CM-6

CM-7

SC-5

CCE-3926-3

2009-07-30T19:31:05.297Z

The "profile single process" user right should be assigned to the correct accounts.

AC-3

CM-6

CCE-3928-9

2009-07-30T19:31:09.063Z

2012-05-25T03:56:41.727Z

The "Digitally Sign Server Communication (When Possible)" policy should be set correctly.

AC-3

CM-6

CM-7

SC-5

CCE-3934-7

2009-07-30T19:31:05.437Z

The "shut down the system" user right should be assigned to the correct accounts.

AC-3

CM-6

CM-7

CCE-3943-8

2009-07-30T19:31:04.907Z

The "create a pagefile" user right should be assigned to the correct accounts.

AC-3

CM-6

CCE-3947-9

2009-07-30T19:31:09.280Z

Local volumes should be formatted correctly.

CM-7

CCE-3948-7

2009-07-30T19:31:08.170Z

Protect Kernel object attributes should be properly configured.

CM-6

CM-7

CCE-3951-1

2009-07-30T19:31:07.093Z

2012-05-25T03:56:36.320Z

The startup type of the Telnet service should be correct.

CM-6

CCE-3956-0

2009-07-30T19:31:08.687Z

2012-05-25T03:56:40.790Z

The "Strengthen Default Permissions of Global System Objects" policy should be set correctly.

CM-6

CM-7

CCE-3959-4

2009-07-30T19:31:06.110Z

The "Allow System to be Shut Down Without Having to Log On" policy should be set correctly.

AC-3

CM-6

CM-7

SC-5

CCE-3960-2

2009-07-30T19:31:05.627Z

The "account lockout duration" policy should meet minimum requirements.

AC-7

CM-6

CCE-3962-8

2009-07-30T19:31:09.860Z

2012-05-25T03:56:43.447Z

The "Disable Automatic Install of Internet Explorer Components" setting should be configured correctly.

CM-5

SI-3

SI-7

SI-8

CCE-3964-4

2009-07-30T19:31:06.267Z

2012-05-25T03:56:34.150Z

The "restrict guest access to security log" policy should be set correctly.

AU-4

CM-6

CCE-3965-1

2009-07-30T19:31:05.170Z

The "log on as a batch job" user right should be assigned to the correct accounts.

AC-3

CM-6

CCE-3970-1

2009-07-30T19:31:05.377Z

The "replace a process-level token" user right should be assigned to the correct accounts.

AC-3

CM-6

CCE-3971-9

2009-07-30T19:31:09.750Z

2012-05-25T03:56:43.117Z

The "Security Zones: Use Only Machine Settings" setting should be configured correctly.

CM-2

CM-6

CCE-3973-5

2009-07-30T19:31:06.920Z

2012-05-25T03:56:35.853Z

The startup type of the Routing and Remote Access service should be correct.

CM-6

CCE-3978-4

2009-07-30T19:31:08.717Z

2012-05-25T03:56:40.853Z

The "Secure Channel: Require Strong (Windows 2000 or later) Session Key" policy should be set correctly.

CM-6

SC-2

CCE-3990-9

2009-07-30T19:31:06.377Z

2012-05-25T03:56:34.430Z

The "restrict guest access to system log" policy should be set correctly.

AU-4

CM-6

CCE-3994-1

2009-07-30T19:31:09.000Z

2012-05-25T03:56:41.587Z

The "Digitally Sign Client Communication (When Possible)" policy should be set correctly.

AC-3

CM-6

CM-7

SC-5

CCE-4003-0

2009-07-30T19:31:11.030Z

Membership in the Power Users group should be assigned to the appropriate accounts.

AC-2

CM-6

CCE-4008-9

2009-07-30T19:31:09.327Z

The "Screen Saver Executable Name" setting should be configured correctly for the current user.

AC-1

AC-3

CM-6

CM-7

CCE-4010-5

2009-07-30T19:31:08.217Z

Disable saving of dial-up passwords should be properly configured.

AC-1

IA-5

SC-7

CCE-4012-1

2009-07-30T19:31:07.453Z

2012-05-25T03:56:37.540Z

The "Message text for users attempting to log on" policy should be set correctly.

AC-8

CM-6

CM-7

SC-5

CCE-4019-6

2009-07-30T19:31:09.907Z

2012-05-25T03:56:43.603Z

The "Security Zones: Do Not Allow Users to Change Policies" setting should be configured correctly.

AC-3

AC-6

CM-5

CCE-4027-9

2009-07-30T19:31:08.063Z

The permitted number of TCP/IP Maximum Retried Half-open Sockets should be set correctly .

AC-4

SC-5

SC-7

CCE-4035-2

2009-07-30T19:31:06.843Z

2012-05-25T03:56:35.617Z

The startup type of the NetMeeting Remote Desktop Sharing service should be correct.

CM-6

CCE-4045-1

2009-07-30T19:31:08.343Z

The built-in Guest account should be correctly named.

AC-3

CM-6

CM-7

SC-5

CCE-4065-9

2009-07-30T19:31:07.767Z

IRDP should be properly configured.

AC-3

CM-6

CM-7

SC-5

CCE-4067-5

2009-07-30T19:31:08.577Z

2012-05-25T03:56:40.507Z

The "Recovery Console: Allow Automatic Administrative Logon" policy should be set correctly.

AC-3

CM-6

CM-7

SC-5

CCE-4069-1

2009-07-30T19:31:09.127Z

2012-05-25T03:56:41.867Z

The "Allowed to Format and Eject Removable NTFS Media" policy should be set correctly.

AC-3

CM-6

CM-7

SC-5

CCE-4085-7

2009-07-30T19:31:08.140Z

TCP/IP SYN Flood Attack Protection should be properly configured.

AC-3

CM-6

CM-7

SC-5

CCE-4096-4

2009-07-30T19:31:11.000Z

2012-05-25T03:56:46.477Z

The Smart Card service should be enabled or disabled as appropriate.

CM-6

CM-7

CCE-4117-8

2009-07-30T19:31:09.767Z

2012-05-25T03:56:43.197Z

The "Security Zones: Do Not Allow Users to Add/Delete Sites" setting should be configured correctly.

AC-3

AC-6

CM-5

CCE-4125-1

2009-07-30T19:31:09.877Z

2012-05-25T03:56:43.523Z

The "Make Proxy Settings Per-Machine (Rather Then Per-User)" setting should be configured correctly.

CM-5

CCE-4156-6

2009-07-30T19:31:10.077Z

The "deny logon as a batch job" user right should be assigned to the correct accounts.

AC-3

CM-6

CCE-4195-4

2009-07-30T19:31:10.717Z

2012-05-25T03:56:45.617Z

The DHCP Server service should be enabled or disabled as appropriate.

CM-6

CM-7

CCE-4235-8

2009-07-30T19:31:10.750Z

The "deny logon as a service" user right should be assigned to the correct accounts.

AC-3

CM-6

CCE-4244-0

2009-07-30T19:31:10.780Z

2012-05-25T03:56:45.820Z

The Wireless Zero Configuration service should be enabled or disabled as appropriate.

CM-6

CM-7

CCE-4253-1

2009-07-30T19:31:10.280Z

2012-05-25T03:56:44.320Z

The Distributed Link Tracking Server service should be enabled or disabled as appropriate.

CM-6

CM-7

CCE-4332-3

2009-07-30T19:31:10.390Z

2012-05-25T03:56:44.587Z

The "Impersonate a client after authentication" user right should be assigned to the correct accounts.

AC-3

CM-6

CCE-4447-9

2009-07-30T19:31:10.360Z

2012-05-25T03:56:44.523Z

The Distributed Transaction Coordinator service should be enabled or disabled as appropriate.

CM-6

CM-7

CCE-4453-7

2009-07-30T19:31:10.983Z

The Certificate Services service should be enabled or disabled as appropriate.

CM-6

CM-7

CCE-4495-8

2009-07-30T19:31:10.217Z

2012-05-25T03:56:44.210Z

The Network Dynamic Data Exchange (DDE) service should be enabled or disabled as appropriate.

CM-6

CM-7

CCE-4539-3

2009-07-30T19:31:10.313Z

2012-05-25T03:56:44.383Z

The startup type of the Remote Access Auto connection Manager service should be correct.

CM-6

CCE-4645-8

2009-07-30T19:31:10.467Z

The "Enforce user logon restrictions" policy should be set correctly.

AC-3

CM-6

CCE-4667-2

2009-07-30T19:31:10.640Z

2012-05-25T03:56:45.290Z

The startup type of the Task Scheduler service should be correct.

CM-6

CCE-4684-7

2009-07-30T19:31:10.547Z

The "Maximum User Renewal Lifetime" policy should be set correctly.

CM-6

CCE-4689-6

2009-07-30T19:31:10.890Z

The "DCOM: Machine Launch Restrictions in the Security Descriptor Definition Language (SDDL) syntax" security option should be set correctly.

AC-3

CM-6

CM-7

SC-5

CCE-4715-9

2009-07-30T19:31:10.577Z

The "Maximum tolerance for computer clock synchronization" policy should be set correctly.

AU-8

CCE-4720-9

2009-07-30T19:31:10.140Z

2012-05-25T03:56:44.040Z

The Resultant Set of Policy (RSoP) Provider Service should be enabled or disabled as appropriate.

CM-6

CM-7

CCE-4729-0

2009-07-30T19:31:10.203Z

2012-05-25T03:56:44.133Z

The Network News Transport Protocol (NNTP) service should be enabled or disabled as appropriate.

CM-6

CM-7

CCE-4750-6

2009-07-30T19:31:10.500Z

The "Maximum User Ticket Lifetime" policy should be set correctly.

CM-6

CCE-4751-4

2009-07-30T19:31:10.453Z

2012-05-25T03:56:44.757Z

The Uninterruptable Power Supply service should be enabled or disabled as appropriate.

CM-6

CM-7

CCE-4764-7

2009-07-30T19:31:10.813Z

2012-05-25T03:56:45.900Z

The startup type of the .NET Framework service should be correct.

CM-6

CCE-4768-8

2009-07-30T19:31:10.250Z

The "Interactive logon: Requre smart card" setting should be configured correctly.

AC-3

CM-6

CM-7

SC-5

CCE-4777-9

2009-07-30T19:31:10.047Z

2012-05-25T03:56:43.867Z

The License Logging service should be enabled or disabled as appropriate.

CM-6

CM-7

CCE-4779-5

2009-07-30T19:31:10.920Z

2012-05-25T03:56:46.133Z

The Remote Access Connection Manager service should be enabled or disabled as appropriate.

CM-6

CM-7

CCE-4786-0

2009-07-30T19:31:10.327Z

2012-05-25T03:56:44.460Z

The "Disconnect clients when logon hours expire" policy should be set correctly.

AC-3

CM-6

CM-7

SC-5

CCE-4790-2

2009-07-30T19:31:10.610Z

The "Create global objects" user right should be assigned to the correct accounts.

AC-3

CM-6

CCE-4794-4

2009-07-30T19:31:10.877Z

2012-05-25T03:56:46.023Z

The startup type of the Indexing service should be correct.

CM-6

CCE-4799-3

2009-07-30T19:31:10.687Z

The "DCOM: Machine access Restrictions in Security Descriptor Definition Language (SDDL) syntax" setting should be configured correctly.

AC-3

CM-6

CM-7

SC-5

CCE-4801-7

2009-07-30T19:31:10.953Z

2012-05-25T03:56:46.273Z

The Network DDE DDE Share Database Manager (DSDM) service should be enabled or disabled as appropriate.

CM-6

CM-7

CCE-4803-3

2009-07-30T19:31:10.843Z

2012-05-25T03:56:45.960Z

The Distributed Link Tracking Client service should be enabled or disabled as appropriate.

CM-6

CM-7

CCE-4812-4

2009-07-30T19:31:09.937Z

DEPRECATED in favor of CCE-5236-5, CCE-4719-1.

CCE-4825-6

2009-07-30T19:31:10.110Z

2012-05-25T03:56:43.960Z

The Application Management service should be enabled or disabled as appropriate.

CM-6

CM-7

CCE-4830-6

2009-07-30T19:31:10.420Z

2012-05-25T03:56:44.663Z

The required permissions for the file %SystemRoot%\System32\runas.exe should be assigned.

AC-3

CM-6

CCE-4848-8

2009-07-30T19:31:10.170Z

Use of the Recycle Bin on file deletion should be enabled or disabled as appropriate.

CM-7

CCE-4865-2

2009-07-30T19:31:10.530Z

The "Maximum Service Ticket Litfetime" policy should be set correctly.

AC-3

CM-6

CM-7

CCE-4874-4

2009-07-30T19:31:10.030Z

2012-05-25T03:56:43.790Z

The Smart Card Helper service should be enabled or disabled as appropriate.

CM-6

CM-7

CCE-4882-7

2009-07-30T19:31:10.657Z

2012-05-25T03:56:45.430Z

The Telephony service should be enabled or disabled as appropriate.

CM-6

CM-7

CIS Windows 2000 Server Level 2 Benchmark

v2.2.1 Not provided. THIRD_PARTY Not provided. CIS Windows 2000 Server Level 2 Benchmark v2.2.1

159571BCAFFA6F7D5DC55475B56BE8CFB7494A85

F00B7FE1ED9B458C41A34636B396E2599987672D3B55EE483B19F8198CBD4B9D

Prose

Microsoft Windows Server 2000

cpe:/o:microsoft:windows_2000:::server

Operating System

This document is a security benchmark for the Microsoft Windows 2000 operating system for servers. It reflects the content of the Consensus Baseline Security Settings document developed by the National Security Agency (NSA), the Defense Information Systems Agency (DISA), The National Institute of Standards and Technology (NIST), the General Services Administration (GSA), The SANS Institute, and the staff and members of the Center for Internet Security (CIS).

Server Operating System

Not provided.

STANDALONE

MANAGED

Not provided.

Differs for Public and Private consumers, please read disclaimer information from the CIS web site located at: http://www.cisecurity.org/sub_form.html

Not provided.

cis-feedback@cisecurity.org

Not provided. Differs for Public and Private consumers, please read licensing information from the CIS web site located at: http://www.cisecurity.org/sub_form.html

Windows NT Magazine article regarding editing the Registry

Microsoft Windows Security

2004-11-15T05:00:00.000Z

FINAL

2011-05-11T01:52:33.840Z

false

CIS Windows 2000 Professional Level2 Benchmark

v2.2.1 Not provided. THIRD_PARTY Not provided. CIS Windows 2000 Professional Level2 Benchmark v2.2.1

5968041AA9F3ED151763A8CFA75E682A8103AA42

E0DBEC0A190E0FC43BFE67A68E64431FFA75EFDEE1162E3C68B88C53A280F88B

Prose

Microsoft Windows 2000 Professional

cpe:/o:microsoft:windows_2000:::professional

Operating System

This document is a security benchmark for the Microsoft Windows 2000 Professional operating system for workstations. It reflects the content of the Consensus Baseline Security Settings document developed by the National Security Agency (NSA), the Defense Information Systems Agency (DISA), The National Institute of Standards and Technology (NIST), the General Services Administration (GSA), The SANS Institute, and the staff and members of the Center for Internet Security (CIS). Section 1 of this guide is a summary checklist of the configuration settings that constitute a Windows 2000 Professional compliant computer system. Appendix A is a questionnaire that can be used to put the trade-offs into perspective for each of the settings involved. Section 2 of this guide is written to provide contextual descriptions of each requirement for this benchmark. It gives plain-text details of what the setting means, why it is restricted, and what the consequences of restricting that setting may be. It covers the same information as Section 1 in greater detail.

Desktop Operating System

This guide provides CIS Level-2 benchmarks, which provide prudent security beyond the minimum level. The settings should be applied only to Windows 2000 workstation and server operating systems. The guide contains some security configuration recommendations that affect operating system function, and are therefore of greatest value to system administrators who have sufficient security knowledge to apply them with consideration to OS functions and software applications running in their particular environments. Appendix D contains a list of known problematic settings.

Not provided.

MANAGED

Not provided.

Refer to Known Issues.

Proper use of the recommendations requires careful analysis and adaptation to specific user requirements. The recommendations are not in any way intended to be a quick fix for anyones information security needs. CIS makes no representations, warranties or covenants whatsoever as to (i) the positive or negative effect of the products or the recommendations on the operation or the security of any particular network, computer system, network device, software, hardware, or any component of any of the foregoing or (ii) the accuracy, reliability, timeliness or completeness of any product or recommendation. CIS is providing the products and the recommendations as is and as available without representations, warranties or covenants of any kind.

Not provided.

windows-feedback@cisecurity.org

Not provided. Not provided.

2004-11-15T05:00:00.000Z

FINAL

2011-05-11T01:50:27.437Z

false

Windows Server 2003 Security Guide for Member Servers

2.1 Not provided. SOFTWARE_VENDOR Not provided. Microsoft Windows 2003 Server acting as a member server.

1CCF34F91A36B67D5080F366E049C5642AA52535

52E33878BA4EE9A1ED7956E92912A61826967898FDBFA2C404FDA62B8F30CB0C

SCAP_CONTENT

Microsoft Windows Server 2003

cpe:/o:microsoft:windows_2003_server

Operating System

This document is a security guidance document for the Microsoft@ Windows Server 2003 operating system. Windows Server 2003 Security Guide helps quickly configure, test, deploy, and manage security settings in Windows Server 2003 across your organization.

Server

Domain Member Server

None.

IT Professional

MANAGED

N/A

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e - mail addresses, logos, people, places and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e - mail address, logo, person, place or event is intended or should be inferred.

Provided in Supporting the Windows Server 2003 Security Guide.pdf, included with the checklist download.

Secwish@microsoft.com

Not provided. Commercial use license

Windows Server 2003 Reference page

2006-04-25T04:00:00.000Z

UNDER_REVIEW

2011-08-03T19:32:15.960Z

true

false

true

CIS Windows 2003 Server Domain Controller Benchmark

v2.0.0 Not provided. THIRD_PARTY Not provided. CIS Windows 2003 Server Domain Controller Benchmark v2.0.0

13F1106581D9F69E220765349DB0371685A4F410

4659B1ACA73013F31C4D7E30EF1A10CFB3C2AA0E7FF0417D40C190C8276D2DBF

Prose

Microsoft Windows Server 2003

cpe:/o:microsoft:windows_2003_server

Operating System

This document is a security benchmark for the Microsoft Windows Server 2003 operating system for domain controllers. It reflects the content of the Consensus Baseline Security Settings document developed by the National Security Agency (NSA), the Defense Information Systems Agency (DISA), The National Institute of Standards and Technology (NIST), the General Services Administration (GSA), The SANS Institute, and the staff and members of the Center for Internet Security (CIS). Section 1 of this guide is a summary checklist of the configuration settings that constitute a Windows Server compliant computer system. Appendix A is a questionnaire that can be used to put the trade-offs into perspective for each of the settings involved. Section 2 of this guide is written to provide contextual descriptions of each requirement for this benchmark. It gives plain-text details of what the setting means, why it is restricted, and what the consequences of restricting that setting may be. It covers the same information as Section 1 in greater detail. You should still use the questionnaire in Appendix A to explore some of the trafe-offs of implementing these settings.

Domain Controller

This guide imposes changes that are best implemented in a managed environment. They are designed to limit communication between computers to positively identified and authorized personnel. Major systems should still function, but testing this benchmark in a controlled environment is essential. Settings at the Legacy level are designed for domain controllers that need to operate with older systems such as Windows NT, or in environments where older third party applications are required. The settings will not affect the function or performance of the operating system or of applications that are running on the system. Settings at the Enterprise level are designed for domain controllers operating in a managed environment where interoperability with legacy systems is not required. It assumes that all operating systems within the enterprise are Windows 2000 or later, therefore able to use all possible security features available within those systems. In such environments, these Enterprise-level settings are not likely to affect the function or performance of the OS. However, one should carefully consider the possible impact to software applications when applying these recommended technical controls. Settings at the Specialized Security - Limited Functionality level (formerly High Security) are designed for domain controllers in which security and integrity are the highest priorities, even at the expense of functionality, performance, and interoperability. Therefore, each setting should be considered carefully and only applied by an experienced administrator who has a thorough understanding of the potential impact of each setting or action in a particular environment. The information contained in this text applies equally wll to Local Security Policies and Group Policies. In a large domain infrastructure, Group Policy can (and should) be set to override the Local Security Policy. Anyone attempting to make modifications to the Local Security Policy which seem to Ã?Â¢??mysteriously disappearÃ?Â¢?Ã¯Â¿Â½ should contact their system administrator or their management to see if Group Policy may be overriding their changes.

This benchmark is intended for anyone using a Windows Server 2003 operating system who feels at all responsible for the security of that system. A security manager or Information Security Officer should certainly be able to use this guide and the associated tools to gather information about the security status of a network of Windows machines. The owner of a small business or home office can use this guide as a straightforward aid in enhancing his or her own personal network security. A Windows system administrator can use this guide and the associated tools to produce explicit scores that can be given to management to reflect where they currently stand, versus where they should stand with regard to security.

MANAGED

SSLF

Not provided.

Refer to Known Issues.

Proper use of the recommendations requires careful analysis and adaptation to specific user requirements. The recommendations are not in any way intended to be a quick fix for anyones information security needs. CIS makes no representations, warranties or covenants whatsoever as to (i) the positive or negative effect of the products or the recommendations on the operation or the security of any particular network, computer system, network device, software, hardware, or any component of any of the foregoing or (ii) the accuracy, reliability, timeliness or completeness of any of the Product or the Recommendations. CIS is providing the Products and the Recommendations as is and as available without representations, warranties or covenants of any kind.

Not provided.

windows-feedback@cisecurity.org

Not provided. Not provided.

The SANS Institute

Microsoft Windows Security

Windows XP Security Compliance Management Toolkit

Windows Server 2003 Security Compliance Management Toolkit

Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows XP

Windows NT Magazine article regarding editing the Registry

The Center for Internet Security

2007-11-01T04:00:00.000Z

FINAL

2011-05-11T01:46:38.407Z

false

CIS Windows 2003 Server Member Server Benchmark

v2.0.0 Not provided. THIRD_PARTY Not provided. CIS Windows 2003 Server Member Server Benchmark v2.0.0

5C9A22D69B892984F054D1E9BBA956772724BB4A

C34A47632C90FFE98563D262E7CF01A2897EDAC33B45CCA1AEC0D359324FA50D

Prose

Microsoft Windows Server 2003

cpe:/o:microsoft:windows_2003_server

Operating System

This document is a security benchmark for the Microsoft Windows Server 2003 operating system for domain members. It reflects the content of the Consensus Baseline Security Settings document developed by the National Security Agency (NSA), the Defense Information Systems Agency (DISA), The National Institute of Standards and Technology (NIST), the General Services Administration (GSA), The SANS Institute, and the staff and members of the Center for Internet Security (CIS). Section 1 of this guide is a summary checklist of the configuration settings that constitute a Windows Server compliant computer system. Appendix A is a questionnaire that can be used to put the trade-offs into perspective for each of the settings involved. Section 2 of this guide is written to provide contextual descriptions of each requirement for this benchmark. It gives plain-text details of what the setting means, why it is restricted, and what the consequences of restricting that setting may be. It covers the same information as Section 1 in greater detail.You should still use the questionnaire in Appendix A to explore some of the trade-offs of implementing these settings.

Domain Member Server

This guide imposes changes that are best implemented in a managed environment. They are designed to limit communication between computers to positively identified and authorized personnel. Major systems should still function, but testing this benchmark in a controlled environment is essential. Settings at the Legacy level are designed for servers that need to operate with older systems such as Windows NT, or in environments where older third party applications are required. The settings will not affect the function or performance of the operating system or of applications that are running on the system. Settings at the Enterprise level are designed for domain controllers operating in a managed environment where interoperability with legacy systems is not required. It assumes that all operating systems within the enterprise are Windows 2000 or later, therefore able to use all possible security features available within those systems. In such environments, these Enterprise-level settings are not likely to affect the function or performance of the OS. However, one should carefully consider the possible impact to software applications when applying these recommended technical controls. Settings at the Specialized Security - Limited Functionality level (formerly High Security) are designed for domain controllers in which security and integrity are the highest priorities, even at the expense of functionality, performance, and interoperability. Therefore, each setting should be considered carefully and only applied by an experienced administrator who has a thorough understanding of the potential impact of each setting or action in a particular environment.The information contained in this text applies equally wll to Local Security Policies and Group Policies. In a large domain infrastructure, Group Policy can (and should) be set to override the Local Security Policy. Anyone attempting to make modifications to the Local Security Policy which seem to Ã??Ã?Â¢??mysteriously disappearÃ??Ã?Â¢?Ã?Â¯Ã?Â¿Ã?Â½ should contact their system administrator or their management to see if Group Policy may be overriding their changes.

MANAGED

SSLF

Not provided.

Refer to Known Issues.

Proper use of the recommendations requires careful analysis and adaptation to specific user requirements. The recommendations are not in any way intended to be a quick fix for anyones information security needs. CIS makes no representations, warranties or covenants whatsoever as to (i) the positive or negative effect of the products or the recommendations on the operation or the security of any particular network, computer system, network device, software, hardware, or any component of any of the foregoing or (ii) the accuracy, reliability, timeliness or completeness of any of the Product or the Recommendations. CIS is providing the Products and the Recommendations as is and as available without representations, warranties or covenants of any kind.

Not provided.

cis-feedback@cisecurity.org

Not provided. Not provided.

The SANS Institute

Windows XP Security Compliance Management Toolkit

Windows Server 2003 Security Compliance Management Toolkit

Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows XP

Active Directory Client Extensions

Windows NT Magazine article regarding editing the Registry

The Center for Internet Security

2007-11-01T04:00:00.000Z

FINAL

2011-05-11T01:49:05.467Z

false

NIST SP 800-68

R1.2.0 Not provided. GOVERNMENTAL_AUTHORITY Not provided. FDCC Windows XP using OVAL version 5.3.

6441DA6AAC44161647AB4576BEBBF6E7F31270EE

95A655A4889B616082293CA69B2B7867D550EC9E945B53EBFDED4DA94ECC24F3

SCAP_CONTENT Not provided. FDCC Windows XP using OVAL version 5.4.

486125F1C07DE56B12EC570DC28AAEE218A96896

B8E96ADA277E1AA1E6B8EE8875405095FA4061FBBD3A63E5907DFF6E64274E7F

SCAP_CONTENT Not provided. NIST Prose Guidance for Windows XP.

145B8BE2C6E7D430881DC5AAAB34BFE9FEE1A568

3D6810FAA1C984A78DAB0931A09A883C58D2BBE88E369C9E302C6AA9DB723562

Prose

Microsoft Windows XP

cpe:/o:microsoft:windows_xp

Operating System

NIST Special Publication 800-68 has been created to assist IT professionals, in particular Windows XP system administrators and information security personnel, in effectively securing Windows XP Professional SP2 systems. It discusses Windows XP and various application security settings in technical detail. The guide provides insight into the threats and security controls that are relevant for various operational environments, such as for a large enterprise or a home office. It describes the need to document, implement, and test security controls, as well as to monitor and maintain systems on an ongoing basis. It presents an overview of the security components offered by Windows XP and provides guidance on installing, backing up, and patching Windows XP systems. It discusses security policy configuration, provides an overview of the settings in the accompanying NIST security templates, and discusses how to apply additional security settings that are not included in the NIST security templates. It demonstrates securing popular office productivity applications, Web browsers, e-mail clients, personal firewalls, antivirus software, and spyware detection and removal utilities on Windows XP systems to provide protection against viruses, worms, Trojan horses, and other types of malicious code. This list is not intended to be a complete list of applications to install on Windows XP system, nor does it imply NISTs endorsement of particular commercial off-the-shelf (COTS) products.

Client Desktop and Mobile Host

Do not attempt to implement any of the settings in this guide without first testing them in a non-operational environment. These recommendations should be applied only to the Windows XP Professional SP2 Systems and will not work on Windows 9X/ME, Windows NT, Windows 2000 or Windows Server 2003. The security templates have been tested on WinXP Professional SP2 systems and will not work on Windows 9X/ME, Windows NT, Windows 2000 or Windows Server 2003. The Specialized Security-Limited Functionality template should not be used by home users and should be used with caution since it will restrict the functionality and reduce the usability of the system.

This checklist has been created for IT professionals, particularly Windows XP system administrators and information security personnel. The document assumes that the reader has experience installing and administering Windows-based systems in domain or standalone configurations.

STANDALONE

MANAGED

SSLF

LEGACY

The security templates have been tested on Windows XP Professional SP2 systems and will not work on Windows 9X/ME, Windows NT, Windows 2000 or Windows Server 2003.

The recommendations are consistent with the security control baselines advocated in SP 800-53 (NIST FISMA implementation project publication).

Refer to Known Issues.

Microsoft will provide best efforts support, in line with the customerÃ??????Ã?????Ã????Ã???Ã??Ã?Â¢??s support contract, to assist in removing the worst results of such file permissions, but Microsoft can only guarantee returning to the recommended out-of-the-box settings by reformatting and reinstalling the operating system.

itsec@nist.gov

Chase Carpenter and Kurt Dillard, Microsoft Corporation This document was developed at the National Institute of Standards and Technology, which collaborated with NSA, DISA, USAF, CIS, and Microsoft to produce the Windows XP security templates. Pursuant to title 17 Section 105 of the United States Code this document and template are not subject to copyright protection and is in the public domain.

2007-09-30T04:00:00.000Z

2008-10-01T04:00:00.000Z

FINAL

2011-03-08T22:45:01.113Z

true

false

true

CCE-1909-1

2009-07-30T19:31:40.000Z

2012-05-25T03:59:51.023Z

The required permissions for the file %SystemRoot%\System32\edlin.exe should be assigned.

AC-3

CM-6

CCE-1916-6

2009-07-30T19:31:40.483Z

2012-05-25T03:59:52.413Z

The required permissions for the file %SystemRoot%\System32\netsh.exe should be assigned.

AC-3

CM-6

CCE-1937-2

2009-07-30T19:31:41.500Z

2012-05-25T03:59:56.197Z

The required permissions for the file %SystemRoot%\System32\tlntsvr.exe should be assigned.

AC-3

CM-6

CCE-1969-5

2009-07-30T19:31:43.627Z

The "create permanent shared objects" user right should be assigned to the correct accounts.

AC-3

CM-6

CCE-1978-6

2009-07-30T19:31:43.327Z

The "deny access to this computer from the network" user right should be assigned to the correct accounts.

AC-3

CM-6

CCE-2021-4

2009-07-30T19:31:44.313Z

The "take ownership of files or other objects" user right should be assigned to the correct accounts.

AC-3

CCE-2052-9

2009-07-30T19:31:39.420Z

2012-05-25T03:59:49.290Z

The required permissions for the directory %SystemRoot%\System32\arp.exe should be assigned.

AC-3

CM-6

CCE-2100-6

2009-07-30T19:31:45.000Z

Auditing of "logon" events on success should be enabled or disabled as appropriate..

AC-7

AU-2

CCE-2116-2

2009-07-30T19:31:45.437Z

2012-05-25T04:00:05.727Z

The "restrict guest access to application log" policy should be set correctly.

AU-4

CM-6

CCE-2145-1

2009-07-30T19:31:40.030Z

2012-05-25T03:59:51.163Z

The required permissions for the file %SystemRoot%\System32\eventcreate.exe should be assigned.

AC-3

CM-6

CCE-2147-7

2009-07-30T19:31:48.250Z

2012-05-25T04:00:14.743Z

The behavior surrounding Anonymous users' abiliity to display lists of SAM accounts should be correct.

AC-3

CM-6

CM-7

SC-5

CCE-2167-5

2009-07-30T19:31:43.390Z

The "act as part of the operating system" user right should be assigned to the correct accounts.

AC-3

CM-6

CCE-2173-3

2009-07-30T19:31:49.750Z

Installation and Configuration of Network Bridge on the DNS Domain Network should be properly configured.

CM-7

CCE-2175-8

2009-07-30T19:31:39.157Z

2012-05-25T03:59:48.743Z

The required permissions for the file %SystemRoot%\regedit.exe should be assigned.

AC-3

CM-6

CCE-2176-6

2009-07-30T19:31:41.127Z

2012-05-25T03:59:55.057Z

The required permissions for the file %SystemRoot%\System32\sc.exe should be assigned.

AC-3

CM-6

CCE-2178-2

2009-07-30T19:31:40.407Z

2012-05-25T03:59:52.150Z

The required permissions for the file %SystemRoot%\System32\net.exe should be assigned.

AC-3

CM-6

CCE-2184-0

2009-07-30T19:31:39.453Z

2012-05-25T03:59:49.430Z

The required permissions for the file %SystemRoot%\System32\at.exe should be assigned.

AC-3

CM-6

CCE-2198-0

2009-07-30T19:31:41.157Z

2012-05-25T03:59:55.290Z

The required permissions for the file %SystemRoot%\System32\Secedit.exe should be assigned.

AC-3

CM-6

CCE-2206-1

2009-07-30T19:31:44.967Z

Auditing of "directory service access" events on failure should be enabled or disabled as appropriate..

AU-2

CCE-2213-7

2009-07-30T19:31:54.030Z

MSS:(TCPMaxConnectResponseRetransmission) SYN-ACK retansmissions when a connection request is not acknowledged

AC-3

CM-6

CM-7

SC-5

CCE-2220-2

2009-07-30T19:31:40.797Z

2012-05-25T03:59:53.507Z

The required permissions for the file %SystemRoot%\System32\reg.exe should be assigned.

AC-3

CM-6

CCE-2239-2

2009-07-30T19:31:54.063Z

MSS:(TCPMaxDataRetransmissions) How many times unacknowledged data is retransmitted

AC-3

CM-6

CM-7

SC-5

CCE-2247-5

2009-07-30T19:31:44.030Z

The "manage auditing and security log" user right should be assigned to the correct accounts.

AC-3

CM-6

CCE-2259-0

2009-07-30T19:31:45.063Z

Auditing of "object access" events on success should be enabled or disabled as appropriate..

AU-2

CCE-2299-6

2009-07-30T19:31:43.437Z

The "back up files and directories" user right should be assigned to the correct accounts.

AC-3

CM-6

CCE-2312-7

2009-07-30T19:31:39.483Z

2012-05-25T03:59:49.617Z

The required permissions for the file %SystemRoot%\System32\attrib.exe should be assigned.

AC-3

CM-6

CCE-2313-5

2009-07-30T19:31:51.000Z

2012-05-25T04:00:22.773Z

The "Prevent System Maintenance of Computer Account Password" policy should be set correctly.

AC-3

CM-6

CM-7

SC-5

CCE-2326-7

2009-07-30T19:31:47.077Z

2012-05-25T04:00:11.460Z

The startup type of the Telnet service should be correct.

CM-6

CM-7

CCE-2335-8

2009-07-30T19:31:44.170Z

The "remove computer from docking station" user right should be assigned to the correct accounts.

AC-3

CM-6

CCE-2336-6

2009-07-30T19:31:45.657Z

2012-05-25T04:00:06.960Z

The "when maximum log size is reached" property should be set correctly for the Security log.

AU-4

AU-5

CM-6

CCE-2343-2

2009-07-30T19:31:45.030Z

Auditing of "logon" events on failure should be enabled or disabled as appropriate..

AC-7

AU-2

CCE-2344-0

2009-07-30T19:31:51.157Z

2012-05-25T04:00:23.273Z

The "Limit local account user of blank passwords to console logon only" policy should be set correctly.

AC-3

CM-6

CM-7

SC-5

CCE-2345-7

2009-07-30T19:31:45.717Z

2012-05-25T04:00:07.210Z

The "restrict guest access to system log" policy should be set correctly.

AU-4

CM-6

CCE-2366-3

2009-07-30T19:31:44.267Z

The "shut down the system" user right should be assigned to the correct accounts.

AC-3

CM-6

CM-7

CCE-2379-6

2009-07-30T19:31:43.360Z

The "access this computer from the network" user right should be assigned to the correct accounts.

AC-3

CM-6

CCE-2436-4

2009-07-30T19:31:40.063Z

2012-05-25T03:59:51.307Z

The required permissions for the file %SystemRoot%\System32\eventtriggers.exe should be assigned.

AC-3

CM-6

CCE-2439-8

2009-07-30T19:31:45.907Z

The "minimum password age" policy should meet minimum requirements.

CM-6

IA-5

CCE-2446-3

2009-07-30T19:31:43.843Z

The "load and unload device drivers" user right should be assigned to the correct accounts.

AC-3

CM-6

CCE-2455-4

2009-07-30T19:31:52.703Z

The "Do Not Automatically Start Windows Messenger" policy should be set correctly.

CM-6

CCE-2466-1

2009-07-30T19:31:44.670Z

The "reset account lockout counter after" policy should meet minimum requirements.

AC-7

CM-6

CCE-2472-9

2009-07-30T19:31:48.530Z

2012-05-25T04:00:15.757Z

The "Message text for users attempting to log on" policy should be set correctly.

AC-8

CM-6

CM-7

SC-5

CCE-2494-3

2009-07-30T19:31:56.157Z

2012-05-25T04:00:33.633Z

The Wireless Zero Configuration service should be enabled or disabled as appropriate.

CM-6

CM-7

CCE-2546-0

2009-07-30T19:31:40.983Z

2012-05-25T03:59:54.557Z

The required permissions for the file %SystemRoot%\System32\route.exe should be assigned.

AC-3

CM-6

CCE-2547-8

2009-07-30T19:31:43.767Z

The "adjust memory quotas for a process" user right should be assigned to the correct accounts.

AC-3

CM-6

CCE-2551-0

2009-07-30T19:31:51.233Z

2012-05-25T04:00:23.570Z

The "LDAP server signing requirements" policy should be set correctly.

AC-3

CM-6

CM-7

SC-5

CCE-2559-3

2009-07-30T19:31:49.187Z

The TCP/IP KeepAlive Time should be set correctly .

AC-4

SC-5

SC-7

CCE-2573-4

2009-07-30T19:31:48.500Z

2012-05-25T04:00:15.570Z

The "Message title for users attempting to log on" policy should be set correctly.

AC-8

CM-6

CM-7

SC-5

CCE-2609-6

2009-07-30T19:31:43.890Z

The "lock pages in memory" user right should be assigned to the correct accounts.

AC-3

CM-6

CCE-2652-6

2009-07-30T19:31:48.967Z

IRDP should be properly configured.

AC-3

CM-6

CM-7

SC-5

CCE-2657-5

2009-07-30T19:31:44.063Z

The "modify firmware environment values" user right should be assigned to the correct accounts.

AC-3

CM-6

CCE-2661-7

2009-07-30T19:31:47.017Z

2012-05-25T04:00:11.197Z

The startup type of the SSDP Discovery service should be correct.

CM-6

CM-7

CCE-2662-5

2009-07-30T19:31:53.767Z

The "DCOM: Machine Launch Restrictions in the Security Descriptor Definition Language (SDDL) syntax" security option should be set correctly.

AC-3

CM-6

CM-7

SC-5

CCE-2672-4

2009-07-30T19:31:40.437Z

2012-05-25T03:59:52.273Z

The required permissions for the file %SystemRoot%\System32\net1.exe should be assigned.

AC-3

CM-6

CCE-2674-0

2009-07-30T19:31:41.017Z

2012-05-25T03:59:54.710Z

The required permissions for the file %SystemRoot%\System32\Rsh.exe should be assigned.

AC-3

CM-6

CCE-2675-7

2009-07-30T19:31:44.127Z

The "profile system performance" user right should be assigned to the correct accounts.

AC-3

CM-6

CCE-2683-1

2009-07-30T19:31:56.267Z

The automatic generation of 8.3 file names for NTFS should be enabled or disabled as appropriate.

AC-3

CM-6

CM-7

SC-5

CCE-2684-9

2009-07-30T19:31:52.670Z

The "Do Not Allow Windows Messenger to be Run" policy should be set correctly.

CM-6

CCE-2688-0

2009-07-30T19:31:50.717Z

2012-05-25T04:00:21.790Z

The "Digitally Sign Server Communication (When Possible)" policy should be set correctly.

AC-3

CM-6

CM-7

SC-5

CCE-2692-2

2009-07-30T19:31:51.483Z

2012-05-25T04:00:24.383Z

The "Disconnect clients when logon hours expire" policy should be set correctly.

AC-3

CM-6

CM-7

SC-5

CCE-2693-0

2009-07-30T19:31:45.610Z

2012-05-25T04:00:06.837Z

The security log maximum size should be configured correctly..

AU-4

AU-6

AU-9

CCE-2699-7

2009-07-30T19:31:39.767Z

2012-05-25T03:59:50.413Z

The required permissions for the file %SystemRoot%\System32\debug.exe should be assigned.

AC-3

CM-6

CCE-2700-3

2009-07-30T19:31:44.377Z

The "deny logon locally" user right should be assigned to the correct accounts.

AC-3

CM-6

CCE-2701-1

2009-07-30T19:31:50.467Z

2012-05-25T04:00:20.663Z

The "Users Prompted to Change Password Before Expiration" policy should be set correctly.

AC-3

CM-6

CM-7

IA-5

CCE-2708-6

2009-07-30T19:31:53.483Z

The "Maximum Service Ticket Litfetime" policy should be set correctly.

CM-6

CCE-2710-2

2009-07-30T19:31:48.717Z

Autoplay on all Drive Types should be properly configured.

AC-3

CM-6

CM-7

SC-5

CCE-2713-6

2009-07-30T19:31:46.187Z

2012-05-25T04:00:08.710Z

The startup type of the ClipBook service should be correct.

CM-6

CCE-2718-5

2009-07-30T19:31:49.140Z

TCP/IP Dead Gateway Detection should be properly configured.

AC-3

CM-6

CM-7

SC-5

CCE-2726-8

2009-07-30T19:31:39.517Z

2012-05-25T03:59:49.867Z

The required permissions for the file %SystemRoot%\System32\cacls.exe should be assigned.

AC-3

CM-6

CCE-2731-8

2009-07-30T19:31:41.437Z

2012-05-25T03:59:56.070Z

The required permissions for the file %SystemRoot%\System32\tftp.exe should be assigned.

AC-3

CM-6

CCE-2735-9

2009-07-30T19:31:45.983Z

The "password must meet complexity requirments" policy should be set correctly.

CM-6

IA-5

CCE-2737-5

2009-07-30T19:31:53.687Z

2012-05-25T04:00:28.727Z

The "Impersonate a client after authentication" user right should be assigned to the correct accounts.

AC-3

CM-6

CCE-2766-4

2009-07-30T19:31:45.110Z

Auditing of "object access" events on failure should be enabled or disabled as appropriate..

AU-2

CCE-2767-2

2009-07-30T19:31:43.733Z

The "generate security audits" user right should be assigned to the correct accounts.

AC-3

AU-9

CM-6

CCE-2776-3

2009-07-30T19:31:48.640Z

Automatic Logon should be properly configured.

AC-3

CM-6

CM-7

IA-2

SC-5

CCE-2777-1

2009-07-30T19:31:45.797Z

2012-05-25T04:00:07.523Z

The "when maximum log size is reached" property should be set correctly for the System log.

AU-4

AU-5

CM-6

CCE-2784-7

2009-07-30T19:31:40.767Z

2012-05-25T03:59:53.273Z

The required permissions for the file %SystemRoot%\System32\Rcp.exe should be assigned.

AC-3

CM-6

CCE-2786-2

2009-07-30T19:31:43.530Z

The "create a pagefile" user right should be assigned to the correct accounts.

AC-3

CM-6

CCE-2788-8

2009-07-30T19:31:41.343Z

2012-05-25T03:59:55.710Z

The required permissions for the file %SystemRoot%\System32\subst.exe should be assigned.

AC-3

CM-6

CCE-2789-6

2009-07-30T19:31:50.140Z

2012-05-25T04:00:19.320Z

The "Prevent Users from Installing Printer Drivers" policy should be set correctly.

AC-3

CM-6

CM-7

SC-5

CCE-2791-2

2009-07-30T19:31:43.577Z

The "Create a token object" user right should be assigned to the correct accounts.

AC-3

CM-6

CCE-2792-0

2009-07-30T19:31:44.563Z

The "deny logon as a service" user right should be assigned to the correct accounts.

AC-3

CM-6

CCE-2794-6

2009-07-30T19:31:45.577Z

2012-05-25T04:00:06.663Z

The "restrict guest access to security log" policy should be set correctly.

AU-4

CM-6

CCE-2797-9

2009-07-30T19:31:41.377Z

2012-05-25T03:59:55.837Z

The required permissions for the file %SystemRoot%\System32\systeminfo.exe should be assigned.

AC-3

CM-6

CCE-2799-5

2009-07-30T19:31:51.860Z

2012-05-25T04:00:25.913Z

The "Minimum session security for NTLM SSP based servers" policy should be set correctly.

AC-3

CM-6

CM-7

SC-5

CCE-2802-7

2009-07-30T19:31:50.640Z

2012-05-25T04:00:21.460Z

The "Digitally Sign Client Communication (When Possible)" policy should be set correctly.

AC-3

CM-6

CM-7

SC-5

CCE-2803-5

2009-07-30T19:31:53.530Z

The "Maximum User Ticket Lifetime" policy should be set correctly.

CM-6

CCE-2804-3

2009-07-30T19:31:48.203Z

2012-05-25T04:00:14.617Z

The behavior surrounding Anonymous users' abiliity to display lists of SAM accounts and shares should be correct.

AC-3

CM-6

CM-7

SC-5

CCE-2806-8

2009-07-30T19:31:43.467Z

The "bypass traverse checking" user right should be assigned to the correct accounts.

AC-3

CM-6

CCE-2807-6

2009-07-30T19:31:44.093Z

The "profile single process" user right should be assigned to the correct accounts.

AC-3

CM-6

CCE-2810-0

2009-07-30T19:31:44.343Z

The "synchronize directory service data" user right should be assigned to the correct accounts.

AC-3

CM-6

CCE-2814-2

2009-07-30T19:31:44.593Z

The "deny logon through Terminal Services" user right should be assigned to the correct accounts.

AC-3

CM-6

CCE-2816-7

2009-07-30T19:31:45.297Z

Auditing of "process tracking" events on success should be enabled or disabled as appropriate..

AU-2

CCE-2818-3

2009-07-30T19:31:46.157Z

2012-05-25T04:00:08.570Z

The startup type of the Background Intelligent Transfer Service (BITS) service should be correct.

CM-6

CCE-2824-1

2009-07-30T19:31:48.890Z

ICMP Redirects should be properly configured.

AC-3

CM-6

CM-7

SC-5

CCE-2826-6

2009-07-30T19:31:52.593Z

The "Disable Media Player for automatic updates" policy should be set correctly.

SI-2

CCE-2829-0

2009-07-30T19:31:44.000Z

The "log on locally" user right should be assigned to the correct accounts.

AC-3

CM-6

CCE-2830-8

2009-07-30T19:31:52.360Z

The "Set Safe for Scripting" policy should be set correctly.

CM-6

CCE-2833-2

2009-07-30T19:31:40.827Z

2012-05-25T03:59:53.710Z

The required permissions for the file %SystemRoot%\System32\Regedt32.exe should be assigned.

AC-3

CM-6

CCE-2841-5

2009-07-30T19:31:49.500Z

Safe DLL Search Mode should be properly configured.

AC-3

CM-6

CM-7

SC-5

CCE-2842-3

2009-07-30T19:31:51.077Z

2012-05-25T04:00:23.023Z

The "Default owner for objects created by members of the Administrators group" policy should be set correctly.

AC-3

CM-6

CM-7

SC-5

CCE-2843-1

2009-07-30T19:31:45.407Z

Auditing of "system" events on failure should be enabled or disabled as appropriate..

AU-2

CCE-2846-4

2009-07-30T19:31:43.500Z

The "change the system time" user right should be assigned to the correct accounts.

AU-8

CM-7

CCE-2847-2

2009-07-30T19:31:44.233Z

The "restore files and directories" user right should be assigned to the correct accounts.

AC-3

CM-6

CCE-2849-8

2009-07-30T19:31:46.313Z

2012-05-25T04:00:09.070Z

The startup type of the Fax service should be correct.

CM-6

CM-7

CCE-2851-4

2009-07-30T19:31:50.500Z

2012-05-25T04:00:20.807Z

The "Shut Down system immediately if unable to log security audits" policy should be set correctly.

AC-3

AU-5

CM-6

CM-7

SC-5

CCE-2855-5

2009-07-30T19:31:40.877Z

2012-05-25T03:59:53.837Z

The required permissions for the file %SystemRoot%\System32\regini.exe should be assigned.

AC-3

CM-6

CCE-2860-5

2009-07-30T19:31:44.203Z

The "replace a process-level token" user right should be assigned to the correct accounts.

AC-3

CM-6

CCE-2864-7

2009-07-30T19:31:43.657Z

2012-05-25T04:00:01.757Z

The "debug programs" user right should be assigned to the correct accounts.

AC-3

CM-6

CCE-2873-8

2009-07-30T19:31:50.280Z

2012-05-25T04:00:19.867Z

The "Restrict Floppy Access to Locally Logged-On User Only" policy should be set correctly.

AC-3

CM-6

CM-7

SC-5

CCE-2878-7

2009-07-30T19:31:45.377Z

Auditing of "system" events on success should be enabled or disabled as appropriate..

AU-2

CCE-2880-3

2009-07-30T19:31:46.233Z

2012-05-25T04:00:08.837Z

The startup type of the Computer Browser service should be correct.

CM-6

CCE-2882-9

2009-07-30T19:31:43.920Z

The "log on as a batch job" user right should be assigned to the correct accounts.

AC-3

CM-6

CCE-2886-0

2009-07-30T19:31:43.687Z

The "force shutdown from a remote system" user right should be assigned to the correct accounts.

AC-3

CM-6

CCE-2888-6

2009-07-30T19:31:46.343Z

2012-05-25T04:00:09.180Z

The startup type of the FTP Publishing service should be correct.

CM-6

CM-7

CCE-2889-4

2009-07-30T19:31:46.047Z

The "store password using reversible encryption for all users in the domain" policy should be set correctly.

CM-6

IA-5

CCE-2891-0

2009-07-30T19:31:50.063Z

2012-05-25T04:00:19.040Z

The "Disable CTRL+ALT+Delete Requirement for Logon" policy should be set correctly.

AC-3

CM-6

CM-7

SC-5

CCE-2894-4

2009-07-30T19:31:40.907Z

2012-05-25T03:59:53.947Z

The required permissions for the file %SystemRoot%\System32\regsvr32.exe should be assigned.

AC-3

CM-6

CCE-2896-9

2009-07-30T19:31:46.563Z

2012-05-25T04:00:09.930Z

The startup type of the NetMeeting Remote Desktop Sharing service should be correct.

AC-1

CM-6

CM-7

CCE-2898-5

2009-07-30T19:31:44.517Z

The "deny logon as a batch job" user right should be assigned to the correct accounts.

AC-3

CM-6

CCE-2899-3

2009-07-30T19:31:40.937Z

2012-05-25T03:59:54.227Z

The required permissions for the file %SystemRoot%\System32\Rexec.exe should be assigned.

AC-3

CM-6

CCE-2902-5

2009-07-30T19:31:44.860Z

Auditing of "account management" events on success should be enabled or disabled as appropriate..

AU-2

CCE-2904-1

2009-07-30T19:31:45.467Z

2012-05-25T04:00:05.947Z

The application log maximum size should be configured correctly..

AU-4

AU-5

CM-6

CCE-2906-6

2009-07-30T19:31:44.890Z

Auditing of "account management" events on failure should be enabled or disabled as appropriate..

AU-2

CCE-2910-8

2009-07-30T19:31:46.407Z

2012-05-25T04:00:09.447Z

The startup type of the Indexing service should be correct.

CM-6

CM-7

CCE-2913-2

2009-07-30T19:31:45.217Z

Auditing of "privilege use" events on success should be enabled or disabled as appropriate..

AC-6

AU-2

CCE-2915-7

2009-07-30T19:31:46.453Z

2012-05-25T04:00:09.617Z

The startup type of the Messenger service should be correct.

CM-6

CM-7

CCE-2916-5

2009-07-30T19:31:49.377Z

TCP/IP SYN Flood Attack Protection should be properly configured.

AC-3

CM-6

CM-7

SC-5

CCE-2918-1

2009-07-30T19:31:45.267Z

Auditing of "privilege use" events on failure should be enabled or disabled as appropriate..

AC-6

AU-2

CCE-2920-7

2009-07-30T19:31:45.877Z

The "maximum password age" policy should meet minimum requirements.

AC-3

CM-6

CM-7

IA-5

SC-5

CCE-2926-4

2009-07-30T19:31:50.110Z

2012-05-25T04:00:19.197Z

The "LAN Manager Authentication Level" policy should be set correctly.

AC-3

CM-6

CM-7

SC-5

CCE-2928-0

2009-07-30T19:31:44.703Z

The "account lockout duration" policy should meet minimum requirements.

AC-7

CM-6

CCE-2930-6

2009-07-30T19:31:49.077Z

Display Last User Name in Logon Screen should be properly configured.

AC-3

AC-9

CM-6

CCE-2933-0

2009-07-30T19:31:44.920Z

Auditing of "directory service access" events on success should be enabled or disabled as appropriate..

AU-2

CCE-2934-8

2009-07-30T19:31:47.047Z

2012-05-25T04:00:11.337Z

The startup type of the Task Scheduler service should be correct.

CM-6

CM-7

CCE-2935-5

2009-07-30T19:31:50.170Z

2012-05-25T04:00:19.477Z

The "Recovery Console: Allow Automatic Administrative Logon" policy should be set correctly.

AC-3

CM-6

CM-7

SC-5

CCE-2939-7

2009-07-30T19:31:45.327Z

Auditing of "process tracking" events on failure should be enabled or disabled as appropriate..

AU-2

CCE-2942-1

2009-07-30T19:31:47.187Z

2012-05-25T04:00:12.150Z

The startup type of the World Wide Web Publishing service should be correct.

CM-6

CCE-2943-9

2009-07-30T19:31:48.467Z

Use of the built-in Administrator account should be enabled or disabled as appropriate.

AC-3

CM-6

CM-7

SC-5

CCE-2944-7

2009-07-30T19:31:43.797Z

The "increase scheduling priority" user right should be assigned to the correct accounts.

AC-3

CM-6

CCE-2948-8

2009-07-30T19:31:43.953Z

The "log on as a service" user right should be assigned to the correct accounts.

AC-3

CM-6

CCE-2950-4

2009-07-30T19:31:46.267Z

2012-05-25T04:00:08.960Z

The startup type of the Fast User Switching service should be correct.

CM-6

CCE-2952-0

2009-07-30T19:31:49.110Z

System availability to Master Browser should be properly configured.

AC-3

CM-6

CM-7

SC-5

CCE-2955-3

2009-07-30T19:31:50.030Z

2012-05-25T04:00:18.883Z

The "Audit the use of backup and restore privilege" policy should be set correctly.

AC-3

CM-6

CM-7

SC-5

CCE-2956-1

2009-07-30T19:31:56.297Z

2012-05-25T04:00:34.087Z

RPC Endpiont Mapper Client Authentication (SP2 only)

IA-2

CCE-2957-9

2009-07-30T19:31:50.217Z

2012-05-25T04:00:19.617Z

The "Recovery Console: Allow Floppy Copy and Access to All Drives and All Folders" policy should be set correctly.

AC-3

CM-6

CM-7

SC-5

CCE-2960-3

2009-07-30T19:31:44.640Z

The "perform volume maintenance tasks" user right should be assigned to the correct accounts.

AC-3

CM-6

CCE-2961-1

2009-07-30T19:31:53.157Z

The "Set time limit for disconnected sessions" policy should be set correctly for Terminal Services.

AC-1

AC-3

CM-6

CM-7

CCE-2968-6

2009-07-30T19:31:49.827Z

The "Allow Server Operators to Schedule Tasks" policy should be set correctly.

AC-3

CM-6

CM-7

SC-5

CCE-2971-0

2009-07-30T19:31:45.157Z

Auditing of "policy change" events on success should be enabled or disabled as appropriate..

AU-2

CCE-2973-6

2009-07-30T19:31:48.280Z

2012-05-25T04:00:14.993Z

The behavior surrounding Anonymous SID/Name translation should be correct.

AC-3

CM-6

CM-7

SC-5

CCE-2974-4

2009-07-30T19:31:50.250Z

2012-05-25T04:00:19.727Z

The "Restrict CD-ROM Access to Locally Logged-On User Only" policy should be set correctly.

AC-3

CM-6

CM-7

SC-5

CCE-2980-1

2009-07-30T19:31:51.937Z

2012-05-25T04:00:26.057Z

The "Screen Saver Timeout" setting should be configured correctly for the current user.

AC-1

AC-3

CM-6

CM-7

CCE-2981-9

2009-07-30T19:31:45.937Z

The "minimum password length" policy should meet minimum requirements.

CM-6

IA-5

CCE-2983-5

2009-07-30T19:31:50.547Z

2012-05-25T04:00:20.993Z

The "Allow System to be Shut Down Without Having to Log On" policy should be set correctly.

AC-3

CM-6

CM-7

SC-5

CCE-2986-8

2009-07-30T19:31:44.750Z

The "account lockout threshold" policy should meet minimum requirements.

AC-7

CM-6

CCE-2987-6

2009-07-30T19:31:51.110Z

2012-05-25T04:00:23.150Z

The "Require Case Insensitivity for Non-Windows Sybsystems" policy should be set correctly.

AC-3

CM-6

CM-7

SC-5

CCE-2991-8

2009-07-30T19:31:51.280Z

2012-05-25T04:00:23.743Z

The "LDAP client signing requirements" policy should be set correctly.

AC-3

CM-6

CM-7

SC-5

CCE-2993-4

2009-07-30T19:31:51.733Z

2012-05-25T04:00:25.447Z

The "Do not store LAN Manager hash value on next password change" policy should be set correctly.

AC-3

CM-6

CM-7

SC-5

CCE-2994-2

2009-07-30T19:31:46.017Z

The "enforce password history" policy should meet minimum requirements.

CM-6

IA-5

CCE-2996-7

2009-07-30T19:31:50.877Z

2012-05-25T04:00:22.320Z

The "Secure Channel: Digitally Encrypt Secure Channel Data (When Possible)" policy should be set correctly.

CM-6

SC-2

CCE-3000-7

2009-07-30T19:31:50.920Z

2012-05-25T04:00:22.460Z

The "Secure Channel: Digitally Sign Secure Channel Data (When Possible)" policy should be set correctly.

CM-6

SC-2

CCE-3004-9

2009-07-30T19:31:44.483Z

The "allow logon through Terminal Services" user right should be assigned to the correct accounts.

AC-3

CM-6

CCE-3005-6

2009-07-30T19:31:50.327Z

2012-05-25T04:00:20.023Z

The "Strengthen Default Permissions of Global System Objects" policy should be set correctly.

CM-6

CCE-3006-4

2009-07-30T19:31:45.767Z

2012-05-25T04:00:07.353Z

The system log maximum size should be configured correctly..

AU-4

AU-6

AU-9

CCE-3007-2

2009-07-30T19:31:53.343Z

2012-05-25T04:00:28.150Z

The "Allow Solicited Remote Assistance" policy should be set correctly for Terminal Services.

CM-6

CCE-3008-0

2009-07-30T19:31:44.827Z

Auditing of "account logon" events on failure should be enabled or disabled as appropriate..

AC-6

AU-2

CCE-3009-8

2009-07-30T19:31:51.187Z

2012-05-25T04:00:23.400Z

The "Allow undock without having to logon" policy should be set correctly.

AC-3

CM-6

CM-7

SC-5

CCE-3010-6

2009-07-30T19:31:53.717Z

The "DCOM: Machine access Restrictions in Security Descriptor Definition Language (SDDL) syntax" setting should be configured correctly.

AC-3

CM-6

CM-7

SC-5

CCE-3012-2

2009-07-30T19:31:53.377Z

2012-05-25T04:00:28.243Z

The "Allow Unsolicited Remote Assistance" policy should be set correctly for Terminal Services.

AC-1

CM-6

CCE-3014-8

2009-07-30T19:31:45.500Z

2012-05-25T04:00:06.227Z

The "when maximum log size is reached" property should be set correctly for the Application log.

AU-4

AU-5

CM-6

CCE-3017-1

2009-07-30T19:31:49.343Z

TCP/IP PMTU Discovery should be properly configured.

AC-3

CM-6

CM-7

SC-5

CCE-3018-9

2009-07-30T19:31:51.390Z

2012-05-25T04:00:23.977Z

The "Maximum machine account password age" policy should be set correctly.

AC-3

CM-6

CM-7

IA-5

SC-5

CCE-3025-4

2009-07-30T19:31:49.920Z

The built-in Guest account should be correctly named.

AC-3

CM-6

CM-7

SC-5

CCE-3026-2

2009-07-30T19:31:46.717Z

2012-05-25T04:00:10.320Z

The startup type of the Internet Connection Sharing service should be correct.

CM-7

CCE-3027-0

2009-07-30T19:31:50.610Z

2012-05-25T04:00:21.290Z

The "Digitally Sign Client Communication (Always)" policy should be set correctly.

AC-3

CM-6

CM-7

SC-5

CCE-3034-6

2009-07-30T19:31:46.093Z

2012-05-25T04:00:08.273Z

The startup type of the Alerter service should be correct.

CM-6

CCE-3035-3

2009-07-30T19:31:46.797Z

2012-05-25T04:00:10.540Z

The startup type of the Routing and Remote Access service should be correct.

CM-6

CM-7

CCE-3036-1

2009-07-30T19:31:51.670Z

2012-05-25T04:00:25.103Z

The "Shares that can be accessed anonymously" policy should be set correctly.

AC-3

CM-6

CM-7

CCE-3038-7

2009-07-30T19:31:53.420Z

2012-05-25T04:00:28.320Z

The "Enable Error Reporting" policy should be set correctly.

CM-6

CCE-3040-3

2009-07-30T19:31:48.420Z

Use of the built-in Guest account should be enabled or disabled as appropriate.

AC-2

CM-7

IA-4

CCE-3043-7

2009-07-30T19:31:47.110Z

2012-05-25T04:00:11.663Z

The startup type of the Terminal Services service should be correct.

CM-6

CM-7

CCE-3044-5

2009-07-30T19:31:49.000Z

Kerberos and RSVP Traffic Protected by IPSec should be properly configured.

AC-3

CM-6

CM-7

SC-5

CCE-3048-6

2009-07-30T19:31:47.157Z

2012-05-25T04:00:11.900Z

The startup type of the Universal Plug and Play Device Host (UPnP) service should be correct.

CM-6

CM-7

CCE-3049-4

2009-07-30T19:31:50.390Z

2012-05-25T04:00:20.320Z

The "Send Unencrypted Password to Connect to Third-Party SMB Servers" policy should be set correctly.

AC-3

CM-6

CM-7

SC-5

CCE-3053-6

2009-07-30T19:31:50.687Z

2012-05-25T04:00:21.617Z

The "Digitally Sign Server Communication (Always)" policy should be set correctly.

AC-3

CM-6

CM-7

SC-5

CCE-3058-5

2009-07-30T19:31:51.703Z

2012-05-25T04:00:25.227Z

The "Sharing and security model for local accounts" policy should be set correctly.

AC-3

CM-6

CM-7

CCE-3061-9

2009-07-30T19:31:49.420Z

Security Audit log warning level should be properly configured.

AC-3

CM-6

CM-7

SC-5

CCE-3063-5

2009-07-30T19:31:53.563Z

The "Maximum User Renewal Lifetime" policy should be set correctly.

CM-6

CCE-3084-1

2009-07-30T19:31:51.030Z

2012-05-25T04:00:22.900Z

The "Use FIPS compliant algorithms for encryption, hashing, and signing" policy should be set correctly.

IA-5

IA-7

SC-2

SC-9

CCE-3085-8

2009-07-30T19:31:50.437Z

2012-05-25T04:00:20.477Z

The "Unsigned Driver Installation Behavior" policy should be set correctly.

AC-6

CM-5

IA-5

CCE-3088-2

2009-07-30T19:31:51.517Z

2012-05-25T04:00:24.557Z

The "Do not allow storage of credentials or .NET Passports" policy should be set correctly.

AC-3

CM-6

CM-7

SC-5

CCE-3094-0

2009-07-30T19:31:52.390Z

The "Enable User Control Over Installs" policy should be set correctly.

AC-6

CCE-3097-3

2009-07-30T19:31:50.827Z

2012-05-25T04:00:22.180Z

The "Secure Channel: Digitally Encrypt or Sign Secure Channel Data (Always)" policy should be set correctly.

CM-6

SC-2

CCE-3100-5

2009-07-30T19:31:49.610Z

Use Classic Logon should be properly configured.

CM-6

CCE-3104-7

2009-07-30T19:31:55.187Z

2012-05-25T04:00:31.727Z

The Remote Access Connection Manager service should be enabled or disabled as appropriate.

CM-6

CM-7

CCE-3106-2

2009-07-30T19:31:50.750Z

2012-05-25T04:00:21.930Z

The "Number of Previous Logons to Cache" policy should be set correctly.

AC-3

CM-6

CM-7

SC-5

CCE-3107-0

2009-07-30T19:31:53.657Z

The "Create global objects" user right should be assigned to the correct accounts.

AC-3

CM-6

CCE-3110-4

2009-07-30T19:31:51.547Z

2012-05-25T04:00:24.743Z

The "Let Everyone permissions apply to anonymous users" policy should be set correctly.

AC-3

CM-6

CM-7

SC-5

CCE-3111-2

2009-07-30T19:31:50.797Z

2012-05-25T04:00:22.040Z

The "Allowed to Format and Eject Removable NTFS Media" policy should be set correctly.

AC-3

CM-6

CM-7

SC-5

CCE-3116-1

2009-07-30T19:31:53.047Z

The "Set Client connection Encryption Level" policy should be set correctly for Terminal Services.

SC-1

CCE-3118-7

2009-07-30T19:31:49.297Z

TCP/IP NetBIOS Name Release on Request Prevented should be properly configured.

AC-3

CM-6

CM-7

SC-5

CCE-3122-9

2009-07-30T19:31:54.920Z

2012-05-25T04:00:31.163Z

The Network DDE DDE Share Database Manager (DSDM) service should be enabled or disabled as appropriate.

CM-6

CM-7

CCE-3123-7

2009-07-30T19:31:51.327Z

2012-05-25T04:00:23.853Z

The "Refuse machine account password change" policy should be set correctly.

AC-3

CM-6

CM-7

SC-5

CCE-3124-5

2009-07-30T19:31:53.203Z

The "Set time limit for idle sessions" policy should be set correctly for Terminal Services.

AC-1

AC-3

CM-6

CM-7

CCE-3128-6

2009-07-30T19:31:50.577Z

2012-05-25T04:00:21.150Z

The "Clear Virtual Memory Pagefile at shutdown" policy should be set correctly.

AC-3

CM-6

CM-7

SC-5

CCE-3131-0

2009-07-30T19:31:54.890Z

2012-05-25T04:00:31.040Z

The Network Dynamic Data Exchange (DDE) service should be enabled or disabled as appropriate.

CM-6

CM-7

CCE-3132-8

2009-07-30T19:31:48.937Z

IP Source Routing should be properly configured.

AC-3

CM-6

CM-7

SC-5

CCE-3133-6

2009-07-30T19:31:50.953Z

2012-05-25T04:00:22.617Z

The "Smart Card Removal Behavior" policy should be set correctly.

AC-3

CM-6

CM-7

SC-5

CCE-3135-1

2009-07-30T19:31:49.890Z

The built-in Administrator account should be correctly named.

AC-3

CM-6

CM-7

SC-5

CCE-3139-3

2009-07-30T19:31:51.780Z

The "Force logoff when logon hours expire" policy should be set correctly.

AC-3

CM-6

CM-7

SC-5

CCE-3150-0

2009-07-30T19:31:51.593Z

2012-05-25T04:00:24.853Z

The "Named Pipes that can be accessed anonymously" policy should be set correctly.

AC-3

CM-6

CM-7

SC-5

CCE-3151-8

2009-07-30T19:31:50.360Z

2012-05-25T04:00:20.180Z

The "Secure Channel: Require Strong (Windows 2000 or later) Session Key" policy should be set correctly.

CM-6

SC-2

CCE-3155-9

2009-07-30T19:31:51.627Z

2012-05-25T04:00:24.977Z

The "Remotely accessible registry paths" policy should be set correctly.

AC-3

CM-6

CM-7

SC-5

CCE-3156-7

2009-07-30T19:31:51.827Z

2012-05-25T04:00:25.773Z

The "Minimum session security for NTLM SSP based clients" policy should be set correctly.

AC-3

CM-6

CM-7

SC-5

CCE-3157-5

2009-07-30T19:31:49.953Z

2012-05-25T04:00:18.587Z

The amount of idle time required before disconnecting a session should be set correctly.

AC-1

AC-3

CM-6

CM-7

CCE-3162-5

2009-07-30T19:31:50.000Z

2012-05-25T04:00:18.757Z

The "Audit the access of global system objects" policy should be set correctly.

AC-3

CM-6

CM-7

SC-5

CCE-3172-4

2009-07-30T19:31:51.420Z

2012-05-25T04:00:24.257Z

The "Require Domain Controller authentication to unlock workstation" policy should be set correctly.

AC-3

CM-6

CM-7

SC-5

CCE-3186-4

2009-07-30T19:31:53.827Z

The "Interactive logon: Requre smart card" setting should be configured correctly.

AC-3

CM-6

CM-7

SC-5

CCE-3188-0

2009-07-30T19:31:53.453Z

The "Enforce user logon restrictions" policy should be set correctly.

AC-3

CM-6

CCE-3208-6

2009-07-30T19:31:53.610Z

The "Maximum tolerance for computer clock synchronization" policy should be set correctly.

AU-8

CCE-3236-7

2009-07-30T19:31:54.483Z

2012-05-25T04:00:30.040Z

The Error Reporting Service should be enabled or disabled as appropriate.

CM-6

CM-7

CCE-3265-6

2009-07-30T19:31:56.187Z

2012-05-25T04:00:33.773Z

The WMI Performance Adapter service should be enabled or disabled as appropriate.

CM-6

CM-7

CCE-3273-0

2009-07-30T19:31:56.343Z

Restrictions for Unauthenticated RPC clients (SP2 only)

IA-2

CCE-3291-2

2009-07-30T19:31:55.877Z

2012-05-25T04:00:33.023Z

The WebClient service should be enabled or disabled as appropriate.

CM-6

CM-7

CCE-4224-2

2009-07-30T19:31:58.360Z

2012-05-25T04:00:37.947Z

Turn off the Windows Messenger Customer Experience Improvement Program

CM-6

CCE-4242-4

2009-07-30T19:31:58.390Z

The "Turn Off Windows Movies Maker Automatic Codec Downloads" setting should be configured correctly.

CM-6

CCE-4262-2

2009-07-30T19:31:58.627Z

The "Prevent IIS Installation" setting should be configured correctly.

AC-6

CCE-4270-5

2009-07-30T19:31:58.750Z

The "Turn off shell protocol protected mode" setting should be configured correctly.

SC-5

SI-3

CCE-4390-1

2009-07-30T19:31:58.937Z

2012-05-25T04:00:38.900Z

Prompt for password on resume from hibernate/suspend should be set correctly.

AC-1

CCE-4412-3

2009-07-30T19:31:58.983Z

2012-05-25T04:00:38.960Z

Do not preserve zone information in file attachments should be set correcly.

CM-6

CCE-4482-6

2009-07-30T19:31:58.860Z

The "Prevent Desktop Shortcut Creation" setting for Windows Media Player should be configured correctly.

CM-6

CM-7

CCE-4500-5

2009-07-30T19:31:58.907Z

2012-05-25T04:00:38.820Z

The "Password protect the screen saver" setting should be configured correctly for the current user.

AC-1

CM-6

IA-5

CCE-4513-8

2009-07-30T19:31:58.157Z

2012-05-25T04:00:37.663Z

Turn off printing over HTTP

CM-6

CCE-4641-7

2009-07-30T19:31:58.203Z

The "Turn Off Registration if URL Connection is Referring to Microsoft.com" setting should be configured correctly.

CM-6

CCE-4665-6

2009-07-30T19:31:57.860Z

The "Internet Explorer Maintenance Policy Processing - Allow processing across a slow network connection" setting should be configured correctly.

CM-6

CCE-4707-6

2009-07-30T19:31:58.047Z

The "Turn Off Internet Connection Wizard if URL Connection is Referring to Microsoft.com" setting should be configured correctly.

CM-6

CCE-4732-4

2009-07-30T19:31:58.437Z

The "Turn Off Windows Movie Maker Online Web Links" setting should be configured correctly.

CM-6

CCE-4791-0

2009-07-30T19:31:58.827Z

The "Do Not Show First Use Dialog Boxes" setting for Windows Media Player should be configured correctly.

CM-6

CCE-4849-6

2009-07-30T19:31:58.703Z

2012-05-25T04:00:38.493Z

The "Do not allow passwords to be saved" setting should be configured correctly for Terminal Services.

IA-2

IA-5

CCE-4887-6

2009-07-30T19:31:58.313Z

The "Turn off the 'Publish to Web' task for files and folders" setting should be configured correctly.

CM-6

CCE-4952-8

2009-07-30T19:31:57.703Z

2012-05-25T04:00:36.680Z

The required permissions for the file %SystemRoot%\System32\mshta.exe should be assigned.

AC-3

CM-6

CCE-4953-6

2009-07-30T19:31:58.000Z

The "Turn Off Event Views 'Events.asp' Links" setting should be configured correctly.

CM-6

CCE-4997-3

2009-07-30T19:31:58.467Z

The "Turn Off Windows Movie Maker Saving to Online Video Hosting Provider" setting should be configured correctly.

CM-6

CCE-5014-6

2009-07-30T19:31:58.517Z

2012-05-25T04:00:38.163Z

Turn off Windows Update device driver searching

CM-2

CM-6

CCE-5022-9

2009-07-30T19:31:57.780Z

The "Prohibit use of Internet Connection Firewall on your DNS domain network" setting should be configured correctly.

CM-7

CCE-5025-2

2009-07-30T19:31:58.780Z

The "Prohibit non-administrators from applying vendor signed updates" setting should be configured correctly.

AC-6

CM-5

CCE-5032-8

2009-07-30T19:31:58.547Z

2012-05-25T04:00:38.257Z

Logon - Do not process the run once list

AC-2

CM-6

CCE-5042-7

2009-07-30T19:31:59.047Z

2012-05-25T04:00:39.040Z

Hide mechanisms to remove zone information should be set correcly.

CM-6

CCE-5053-4

2009-07-30T19:31:57.890Z

2012-05-25T04:00:37.257Z

Group Policy - Registry policy processing

CM-6

CCE-5054-2

2009-07-30T19:31:57.920Z

The "Turn Off Automatic Root Certificates Update" setting should be configured correctly.

CM-6

CCE-5055-9

2009-07-30T19:31:58.233Z

2012-05-25T04:00:37.773Z

Turn off Search Companion content file updates

CM-5

CM-6

CCE-5059-1

2009-07-30T19:31:59.077Z

2012-05-25T04:00:39.117Z

Notify antivirus programs when opening attachments should be set correcly.

SI-3

CCE-5072-4

2009-07-30T19:31:58.280Z

The "Turn Off the 'Order Prints' Picture Task" setting should be configured correctly.

CM-6

CCE-5099-7

2009-07-30T19:31:58.077Z

2012-05-25T04:00:37.540Z

Turn off Internet download for Web publishing and online ordering wizards

CM-6

CCE-5121-9

2009-07-30T19:31:58.110Z

The "Turn Off Internet File Association Service" setting should be configured correctly.

CM-6

CCE-5136-7

2009-07-30T19:31:57.813Z

The "Display Error Notification" setting should be configured correctly.

CM-6

CCE-5160-7

2009-07-30T19:31:58.593Z

The "Don't Display the Getting Started Welcome Screen at Logon" setting should be configured correctly.

CM-6

CCE-5194-6

2009-07-30T19:31:57.733Z

The startup type of Microsoft Peer-to-Peer Networking Services should be configured correctly.

CM-6

CM-7

CCE-5200-1

2009-07-30T19:31:57.967Z

2012-05-25T04:00:37.383Z

Turn off downloading of print drivers over HTTP

CM-6

CIS Windows XP Professional Benchmark

v2.0.1 Not provided. THIRD_PARTY Not provided. CIS Windows XP Professional Benchmark v2.0.1

59FA39C6C3035C423C96BC7698734B7F25DE9CAB

AA7317BBE58522259CCADB5CA2F09617EE4E972ECE0EA6FE39652D800F0294BE

Prose

Microsoft Windows XP Professional

cpe:/o:microsoft:windows_xp:::professional

Operating System

This document is a security benchmark for the Microsoft Windows XP Professional operating system for workstations. It reflects the content of the Consensus Baseline Security Settings document developed by the National Security Agency (NSA), the Defense Information Systems Agency (DISA), The National Institute of Standards and Technology (NIST), the General Services Administration (GSA), The SANS Institute, and the staff and members of the Center for Internet Security (CIS). Section 1 of this guide is a summary checklist of the configuration settings that constitute a Windows XP Professional compliant computer system. Appendix A is a questionnaire that can be used to put the trade-offs into perspective for each of the settings involved. Section 2 of this guide is written to provide contextual descriptions of each requirement for this benchmark. It gives plain-text details of what the setting means, why it is restricted, and what the consequences of restricting that setting may be. It covers the same information as Section 1 in greater detail.

Desktop Client

Not provided.

MANAGED

Not provided.

Refer to Known Issues.

Proper use of the recommendations requires careful analysis and adaptation to specific user requirements. The recommendations are not in any way intended to be a quick fix for anyones information security needs. CIS makes no representations, warranties or covenants whatsoever as to (i) the positive or negative effect of the products or the recommendations on the operation or the security of any particular network, computer system, network device, software, hardware, or any component of any of the foregoing or (ii) the accuracy, reliability, timeliness or completeness of any product or recommendation. CIS is providing the products and the recommendations as is and as available without representations, warranties or covenants of any kind.

Not provided.

windows-feedback@cisecurity.org

Not provided. Not provided.

The SANS Institute

Microsoft Windows Security

Windows XP Security Compliance Management Toolkit

Windows Server 2003 Security Compliance Management Toolkit

Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows XP

Windows NT Magazine article regarding editing the Registry

The Center for Internet Security

2005-08-01T04:00:00.000Z

FINAL

2011-05-11T02:00:51.973Z

false

Windows XP Security Guide (Microsoft-Developed)

2.2 Not provided. SOFTWARE_VENDOR Not provided. Windows XP Security Guide ZIP Bundle

9C016E2D2D2A4EF1BFE9E93744F170A9B1A7E697

BE88733415DA32AE2E500F9458D8E49E8B01B1ED35A05CDD3DE6E8C28108C0CB

Tools capable of processing the Security Content Automation Program (SCAP), content are capable of assessing and installing this checklist. Please visit http://nvd.nist.gov/scap.cfm for more information.

Prose

Microsoft Windows XP

cpe:/o:microsoft:windows_xp

Operating System

This document is a security guidance document for the Microsoft@ Windows XP client operating system. Windows XP Security Guide helps quickly configure, test, deploy, and manage security settings in Windows XP across your organization.

Client Operating System

None

IT Professional

MANAGED

N/A

Secwish@microsoft.com

N/A Commercial use license

Quickly access resources designed to ease the deployment and management of your Windows client infrastructure.

2006-04-12T04:00:00.000Z

FINAL

2011-08-03T17:28:03.447Z

false

Windows 2000/XP/2003/Vista addendum

Version 6, Release 1 Not provided. GOVERNMENTAL_AUTHORITY Not provided. DISA Windows 2003/XP/2000/Vista Addendum, Version 6.1, May 21, 2007

E499F33C6FAD2E7A042A8B09D7F216D5273CBEF1

6139032DFD75B3B6C46805C7884705FC9FE916C835EF6AEE6BAE1F9D8B9305DA

Currently, no Undo function exists for deletions made within the Windows NT registry. The registry editor (Regedt32.exe or Regedit.exe) prompts you to confirm the deletions if Confirm On Delete is selected from the options menu. When you delete a registry key, the message does not include the name of the key you are deleting. Therefore, check your selection carefully before proceeding with any deletion.

Reference Link

Microsoft Windows Vista

cpe:/o:microsoft:windows_vista

Operating System

Microsoft Windows Server 2003

cpe:/o:microsoft:windows_2003_server

Operating System

Microsoft Windows XP

cpe:/o:microsoft:windows_xp

Operating System

Microsoft Windows 2000

cpe:/o:microsoft:windows_2000

Operating System

This Addendum to MicrosoftÃ¢??s Windows 2003 Security Guide and NSAÃ¢??s Guides to Securing Windows 2000 and XP was developed to enhance the confidentiality, integrity, and availability of sensitive Department of Defense (DOD) Automated Information Systems (AISs) using the Windows 2003, 2000, and XP operating systems (OSs).This Addendum is coordinated with the following documents here after collectively known as the Windows Server 2003/XP/2000 Guides: - Microsoft Ã¢??Solutions for Security, Windows 2003 Security Guide,Ã¢?ï¿½ 2003 - Microsoft Ã¢??Solutions for Security, Threats and Countermeasures: Security Settings in Windows 2003 and Windows XP,Ã¢?ï¿½ 2003 - Microsoft Windows 2003 and XP Specialized Security Ã¢?? Limited Functionality Templates - NSA Guide to Securing Windows 2000 Active Directory, December 2000, Version 1.0 - NSA Guide to Securing Windows 2000 Group Policy, September 2001, Version 1.1 - NSA Guide to Securing Windows 2000 Group Policy: Security Configuration Tool Set, December 2002, Version 1.2 - NSA Guide to Securing Windows 2000 File and Disk Resources, 19 April 2001, Version 1.0 - NSA Guide to Securing Windows XP, December 2003, Version 1.1 The Microsoft Windows 2003 and XP Specialized Security Ã¢?? Limited Functionality Templates were developed through the combined efforts of Microsoft, NSA, NIST, DISA FSO, CIS, and other organizations (hereafter referred to as the Consensus Group). They provide a common set of security settings for organizations requiring a highly secure processing environment, such as found in DOD. Each site network/communications infrastructure must provide secure, available, and reliable data for all customers, especially the warfighter. This Addendum is designed to supplement the security guidance provided by the Windows Server 2003/XP/2000 Guides with DOD-specific requirements. This Addendum will assist sites in meeting the minimum requirements standards, controls, and options that must be in place for secure network operations. These minimum security requirements include compliance with the Windows Server 2003/XP/2000 Guides using the Specialized Security Ã¢?? Limited Functionality Templates and the additional requirements defined in this Addendum. Deviations or exceptions will be documented in the appropriate checklist.

Desktop and Server Operating System

This document is only a guide containing recommended security settings. It is not meant to replace well-structured policy or sound judgment. Furthermore, this guide does not address site-specific configuration issues. The security changes described in this document only apply to Microsoft Windows 2000, 2003 ad XP systems and should not be applied to any other Windows versions or operating systems. You can severely impair or disable a Windows system with incorrect changes or accidental deletions when using programs (examples: Security Configuration Manager, Regedt32.exe, and Regedit.exe) to change the system configuration. Therefore, it is extremely important to test all settings recommended in this guide before installing them on an operational network.

Developped for the DOD. Users of this guide should have a working knowledge of Windows 2000, 2003 and XP installation and basic system administration skills.

MANAGED

SSLF

Not provided.

DOD Directive 8500.

Refer to Known Issues.

Not provided.

It should be noted that FSO Support for the STIGs, Checklists, and Tools is only available to DOD Customers.

Not provided.

Not provided. Not provided.

2007-05-21T04:00:00.000Z

UNDER_REVIEW

2011-08-10T17:50:28.170Z

false

Windows Vista Security Guide (Microsoft-Produced)

3.0 Not provided. SOFTWARE_VENDOR Not provided. Windows Vista Security Guide (Microsoft-Produced)

A2A42E67BD1A0B9B8F982CFAEBBF15C1545815BC

63FCA23A72B798250B0C1C91F87345D03F3A7882ED7B8B9B3311A6FAFEB43BC4

Prose

Microsoft Windows Defender

cpe:/a:microsoft:windows_defender

Malware

Microsoft Internet Explorer 7

cpe:/a:microsoft:internet_explorer:7

Web Browser

BitLocker Drive Encryption

cpe:/a:microsoft:bitlocker

Encryption Software

Microsoft Windows Vista

cpe:/o:microsoft:windows_vista

Operating System

This document is a security guidance document for the Microsoft@ Windows Vista client operating system. Windows Vista Security Guide helps quickly configure, test, deploy, and manage security settings in Windows Vista across your organization.

Desktop Client

None

IT Professional

MANAGED

N/A

Not provided.

N/A

Secwish@microsoft.com

Not provided. Commercial use license

2008-02-26T05:00:00.000Z

FINAL

2009-07-15T18:14:41.813Z

false

Hercules 3.5 Security Configuration Guide

Version 1.0 Not provided. SOFTWARE_VENDOR Not provided. Security Guide Prose

E6EB9E2DEBA85B10F17E3199505D1166F3F54C59

0DD23571569A6632DDDDB87C00AADEE461608B513D97473308CF1F986F3AE028

Prose

Citadel Hercules 3.5

cpe:/a:citadel:hercules:3.5

Configuration Management Software

The Hercules Security Configuration Guide provides procedures for securing the Hercules Server, Hercules Channel Server and Hercules Download Server v3.5, after the initial installation and configuration of the product. This guide contains procedures for the recommended baseline server configuration applicable to any environment and an enhanced configuration for use in higher security environments.

Web Application Server

Not provided.

System Administrators familiar with Windows system configuration, IIS configuration and Hercules functionality.

MANAGED

All recommendations included have been tested and verified on Hercules Server v3.5 running on either Windows 2000 Server or Windows Server 2003.

Not provided.

Citadel Security Software, Inc. has defined and tested this baseline configuration template with Hercules 3.5. Citadel will provide technical support for Hercules 3.5 product operation to customers who have a current support agreement in place and who have implemented or are considering implementing this baseline configuration. Please refer to your support agreement for specific details on how to contact Citadel Security Software, Inc. technical support department.

Citadel Customer Support - support@citadel.com - (888) 924-8233

Not provided. Not provided.

2004-11-30T05:00:00.000Z

CANDIDATE

2011-03-08T22:18:52.523Z

false

Guide to Securing Internet Explorer 5.5 using Group Policy

v1.0 Not provided. GOVERNMENTAL_AUTHORITY Not provided. Guide to Securing Internet Explorer 5.5 using Group Policy

CE9C8C4CA76C3C06435304AB6E4608BA440229EB

BF13140F25EC618F3F759418EB7253C666D5F758CEB0BCE83279259DDC9F964E

Prose

Microsoft Internet Explorer 5.5

cpe:/a:microsoft:ie:5.5

Web Browser

This guide provides recommendations and rationale for security-relevant settings for Internet Explorer v5.5. Although Internet Explorer v6.0 is mentioned in Appendix B, the majority of this guide deals with Internet Explorer 5.5. The mechanism used to implement these recommendations is Group Policy. It is assumed that the administrator is familiar with using Group Policy in general, such as how to edit a group policy, how to link a group policy to an object, how to exclude someone from a group policy, and how to ensure that a group policy interfaces correctly with other group policies. It is recommended that the reader first read the Guide to Securing Microsoft Windows 2000 Group Policy for additional information on these subjects. Worksheets are provided in Appendix D summarizing the configuration options. These worksheets should be completed while reading this document to assist in making appropriate decisions for your network. This will help in configuring all systems on the network to the same settings, as well as being a reference for reconfiguration. All options in this document comply with the DoD mobile code policy. In order to be completely compliant with the DoD mobile code policy, decisions concerning what sites, certificates, and programs to trust must be made in accordance with that policy, as well as with any relevant local implementation guidelines.

Desktop Client

Do not attempt to implement any of the settings in this guide without first testing in a non-operational environment. This is only a guide containing recommended security settings. It is not meant to replace well-structured policy or sound judgment. Furthermore, this guide does not address site-specific configuration issues. Care must be taken when implementing this guide to address local operational and policy concerns. This guide contains possible recommended settings for the system Registry. You can severely impair or disable a Windows system with incorrect changes or accidental deletions when using a Registry editor (Regedt32.exe or Regedit.exe) to change the system configuration. Currently, there is no undo command for deletions within the Registry. The Registry editor prompts you to confirm the deletions if Confirm on Delete is selected from the options menu. When you delete a key, the message does not include the name of the key you are deleting. Therefore, check your selection carefully before proceeding.

This guide is written for administrators of Windows 2000 networks as a configuration guide for Internet Explorer 5.5. The document assumes that the reader has experience administering Windows-based systems in domain or standalone configurations.

MANAGED

The security configuration guide has been extensively tested in a lab and operational environment.

Not provided.

Refer to Known Issues.

Not provided.

SNAC.Guides@nsa.gov

Not provided. Refer to the legal statement provided at http://www.nsa.gov/notices/notic00004.cfm? Address=/snac/webs/ie_5_5.pdf

2002-06-30T04:00:00.000Z

FINAL

2009-07-24T02:00:39.577Z

false

Guide to Securing Netscape v7.02

v1.1 Not provided. GOVERNMENTAL_AUTHORITY Not provided. Guide to Securing Netscape v7.02

7A423BBBAC49E7BA279464666BFDBBCA620A11AF

4318F14FED24ECF3F1E5EE48EB13BD5FE5E795C8B34737E2711421F2A54FED35

Prose

Netscape Navigator 7.02

cpe:/a:netscape:navigator:7.02

Web Browser

This guide provides recommendations and rationale for security-relevant settings for Netscape Navigator v7.02. The simplest way to implement this configuration guidance is to install and configure Netscape as per this document on all the machines and templates that will include Netscape. For cases where Netscape is preinstalled and implementing this guidance is desired without touching every machine or template, and for cases where configuration is to be reapplied periodically, a sample VBS script to modify the users preferences file is provided in Appendix C. The script implements many but not all of the recommendations in Chapters 3 through 5 as well as Appendix A, and can be customized. Those settings that cannot be automatically set via script are so noted throughout the document. The sample script can be used as a logon script through Windows 2000 Group Policy. While it is possible to use this script as part of a Windows NT logon script, such a task requires a knowledgeable NT administrator and is beyond the scope of this document.

Desktop Client

Do not attempt to implement any of the settings in this guide without first testing in a non-operational environment. This guide is only a guide containing recommended security settings. It is not meant to replace well-structured policy or sound judgment. Furthermore, this guide does not address site-specific configuration issues. Care must be taken when implementing this guide to address local operational and policy concerns.

This document is intended for an administrator of a Windows network supporting users running Netscape 7.02. This document can also be used for a standalone machine running Netscape 7.02 on Windows, although the owner of this machine would be responsible for both administrative and user responsibilities mentioned in this document. This document may provide insight for both users of Netscape 7.02 on non-Windows platforms and users of similar versions of Mozilla on any platform however, this guide was not developed with these environments in mind.

MANAGED

The security configuration guide has been extensively tested in a lab and operational environment.

Not provided.

Refer to Known Issues.

Not provided.

SNAC.Guides@nsa.gov

Not provided. Refer to the legal statement provided at: http://www.nsa.gov/notices/notic00004.cfm? Address=/snac/webs/netscape_7_02.pdf

2003-03-31T05:00:00.000Z

FINAL

2009-07-23T18:59:35.877Z

true

false

Guide to Sun Microsystems Java Plug-in Security

v1.0 Not provided. GOVERNMENTAL_AUTHORITY Not provided. Guide to Sun Microsystems Java Plug-in Security

57C6C6BCF273BDE0CD6C501EC1F2491CC558F2E1

93AC76817F634C1A6710FF06032F7C7373FA0B93EA1C465A43035D1B3FAF4B83

Prose

Sun Java Plug-in 1.4.2

cpe:/a:sun:java_plug-in:1.4.2

Web Browser

Web browsers are functionally designed to deliver web pages from a web server. However, through plug-in technology, most web browsers can be enabled to deliver additional features such as Java programs, which are also known as applets. This document provides information about using Java applets in a secure manner. This document focuses on the Sun Microsystems 1.4.2 Java Runtime Environment (JRE) Java Plug-in with Netscape 7.1 and for Internet Explorer 6.0 on Windows platforms. The document introduces the reader to these concepts by explaining Java applets, the JRE Plug-in, and the Administrative and Developer tools. After this introduction, this document explains how the Java applets interact with web browsers, particularly Netscape v7.1 and Internet Explorer 6.0. Additionally, this document allows the reader to understand the Applet Development Lifecycle, and how security is inter-related within this lifecycle

Desktop Client

Do not attempt to implement any of the settings in this guide without first testing in a non-operational environment. This document is only a guide containing recommended security settings. It is not meant to replace well-structured policy or sound judgment. Furthermore, this guide does not address site-specific configuration issues. Care must be taken when implementing this guide to address local operational and policy concerns. The security changes described in this document only apply to Microsoft Windows 2000 systems and should not be applied to any other Windows versions or operating systems. This document may contain recommended settings for the system registry. Java can be severely impaired or disabled with incorrect changes or accidental deletions when using a registry editor to change the system configuration. Currently, no Undo function exists for deletions made within the Windows 2000 registry. The registry editor (Regedt32.exe or Regedit.exe) prompts you to confirm the deletions if Confirm On Delete is selected from the options menu. When you delete a registry key, the message does not include the name of the key you are deleting. Therefore, check your selection carefully before proceeding with any deletion.

This document is developed to provide guidance to an Information Technology administrator. It is vital to client and network security to understand the risks involved with applets in web browsers. This document is not necessarily a how-to guide, but more of an information guide to the existence and usage of settings.

MANAGED

The security configuration guide has been extensively tested in a lab and operational environment.

Not provided.

Refer to Known Issues.

Not provided.

SNAC.Guides@nsa.gov

Not provided. Refer to the legal statement provided at: http://www.nsa.gov/notices/notic00004.cfm?Address =/snac/support/java_plugin_guide_prepub2.pdf

Transitioning from Microsoft Java Virtual Machine, October 2003.

2003-12-07T05:00:00.000Z

2011-03-08T05:00:00.000Z

FINAL

2011-08-31T14:14:47.027Z

false

Apache Benchmark for Unix, Levels I and II

Version 2.1 Not provided. THIRD_PARTY Not provided. Center for Internet Security Benchmark for Apache Web Server v2.1

5F1F6CDFC4F4F20FB83A02857335142DDAC8FFB9

4EE0FBAEA7CA36D42C5DFE6155FF717FD93A5DC8526AE6B967DF03F899354A34

Prose

Apache HTTP Server 2.0

cpe:/a:apache:http_server:2.0

Web Server

Apache HTTP Server 1.3

cpe:/a:apache:http_server:1.3

Web Server

This document provides a security benchmark consensus from The Center for Internet Security (CIS) for securing Apache web servers on Unix operating systems. While much of the information in this benchmark can be applied to Apache servers on Microsoft Windows-based operating systems, emphasis is on Unix installations such as Linux, Sun Solaris, and HP-UX, due to significant differences in directory structure, directory permissions, and source compilation. This benchmark document covers both Apache 1.3.XX and 2.0.XX versions. This benchmark document defines both Level 1 and Level 2 benchmark settings. These settings are designed primarily to enhance the security of the web server itself. Level 1 benchmarks are considered to be minimum and essential requirements. Level 2 benchmarks are more advanced settings and may not apply in all situations. It is left to the discretion of the reader to determine the relevance of each setting as it applies to their web environment. The emphasis for this benchmark is on high security (vs. ease of use or installation) and assumes static vs. dynamic web pages. This document focuses on the security of the Apache web server (which resides in the HTTP Presentation Tier - communication between an http client and the web server) and does not cover secure coding practices (such as Perl/PHP CGI script creation) and/or Web application security issues (such as Java).

Web Server

It is the intent of this benchmark to be applicable for all major Unix operating systems. However, the platform used for the examples in this document is Sun Solaris 8.0 therefore, all of the OS level commands are Solaris specific. If you are using a different Unix OS, you will need to make sure that you use the correct syntax for your OS. Users running the benchmark on Unix systems should verify command syntax, using the Unix man command, before executing commands on their systems.

While experienced Apache/Web administrators will find the Apache benchmark to be a valuable technical resource in their arsenal, the benchmark is especially intended for those organizations that lack the resources to train, or those without technically advanced web security administrators.

MANAGED

Not provided.

Refer to Known Issues.

Proper use of the recommendations requires careful analysis and adaptation to specific user requirements. The recommendations are not in any way intended to be a quick fix for anyones information security needs. CIS makes no representations, warranties or covenants whatsoever as to (i) the positive or negative effect of the products or the recommendations on the operation or the security of any particular network, computer system, network device, software, hardware, or any component of any of the foregoing or (ii) the accuracy, reliability, timeliness or completeness of any product or recommendation. CIS is providing the products and the recommendations as is and as available without representations, warranties or covenants of any kind.

Not provided.

apache-feedback@cisecurity.org

Not provided. Not provided.

Fingerprinting Port 80 Attacks: A look into web server, and web application attack signatures.

The MD5 Message-Digest Algorithm

Not Provided

Detecting and Defending againstWeb-Server Fingerprinting

Mod_Security: Reference Manual

2008-01-01T05:00:00.000Z

FINAL

2012-09-05T17:41:22.797Z

false

Web Apache Checklist

Version 6, Release 1.12 Not provided. GOVERNMENTAL_AUTHORITY Not provided. Web Checklist Apache

3AAB0467A15D4BD184C5013477C719BE6084645B

EFF90C50E834BAC7B82705AA75D99834FFA736AE4BEAC24F02D1B9002D2593B0

Prose

Apache HTTP Server 2.0

cpe:/a:apache:http_server:2.0

Web Server

Apache HTTP Server 1.3

cpe:/a:apache:http_server:1.3

Web Server

This group of checklists covers valuable security-related information for the Apache web server and web site server products. It includes procedures to perform a Security Readiness Review (SRR). Security items covered are based on the Web Server Secure Technology Implementation Guide (STIG) published by DISA. The reviewer will apply Systems Administration knowledge and have familiarity with web server and web site configurations. Apache Server, UNIX, Linux, and/or Windows server experience is beneficial. Users of this checklist will need to be able to navigate the file systems of these operating environments. This web server checklist targets conditions that undermine the integrity of security, contribute to inefficient security operations and administration, or that may lead to the interruption of production operations. The documentation provides procedures for assessing Apache web server and Apache web site server products. The document is broken into the following sections: Section 1: Contains specific product requirements for an Apache web server that were not addressed in the Web Server Secure Technology Implementation Guide (STIG) [http://iase.disa.mil/stigs/stig/index.html]. Section 2: Is not applicable to assessing Apache, but is specific to clients of the DISA VMS database. Section 3: Provides configuration information for Apache 1.3.x web server installations focusing on mitigating denial of dervice attacks, restricting file access, mitigating buffer overflows, account management, OS and DMZ configurations. Section 4: Provides configuration information for Apache web site 1.3.x in the areas of policy configuration, account privileges, and encryption. Section 5: Provides configuration information for Apache 2.x web server installations focusing on mitigating Denial of Service attacks, restricting file access, mitigating buffer overflows, account management, OS and DMZ configurations. Section 6: Provides configuration information for Apache web site 2.x in the areas of policy configuration, account privileges, and encryption. Note: Specific assessment procedures and information for assessing Apache can be found in all other sections of this checklist bundle, some of which is question-answer oriented.

Web Server

Not provided.

Developed by DISA for the DOD. This document is intended for those responsible for the configuration and management of information systems. It assumes that the reader has knowledge of web servers and is familiar with common computer terminology.

MANAGED

SSLF

Not provided.

DOD Directive 8500.2, DOD Directive 8520.2

Please refer to the Checklist.

Not provided.

Only available to DOD customers.

Not provided.

Not provided. Not provided.

2010-04-23T04:00:00.000Z

UNDER_REVIEW

2011-02-25T18:22:27.597Z

false

CIS Wireless Networks Apple Hardware addendum

v1.0.0 Not provided. THIRD_PARTY Not provided. CIS Wireless Networks Apple Hardware addendum v1.0.0

9FCC9CE14B2204C423D857AE0DA17817A4122678

5AD105108AC6ED670783D709721BC766FEE394BB6467F4D02BBA3DCF82B95281

Prose

Apple Airport Extreme 4.0.8

cpe:/h:apple:airport_extreme:4.0.8

Wireless Network

Users of the wireless benchmark should, at a minimum, review the overall recommended architecture for the benchmark that most closely matches the functional requirements, data protection level, and other characteristics of their intended environments. The general policy tables will give general policies that should be implemented regardless of whether the technology used is wired or wirelessÃ¢??these policies are best practices that are accepted in the information protection industry. Finally, use the Wireless Policy Checklist and the Products Capability Matrix to help in your product comparison and selection research. The Center for Internet Security (CIS) document, Assessing the Security of a Wireless Environment, describes methods for conducting wireless site surveys and performing manual and automated monitoring.

Wireless Networking

Not provided.

STANDALONE

MANAGED

Not provided.

Differs for Public and Private consumers, please read disclaimer information from the CIS web site located at: http://www.cisecurity.org/sub_form.html

Not provided.

cis-feedback@cisecurity.org

Not provided. Differs for Public and Private consumers, please read licensing information from the CIS web site located at: http://www.cisecurity.org/sub_form.html

2005-04-13T04:00:00.000Z

FINAL

2011-05-11T02:03:23.223Z

false

CIS Wireless Networks Cisco Hardware addendum

v1.0.0 Not provided. THIRD_PARTY Not provided. CIS Wireless Networks Cisco Hardware addendum v1.0.0

5B09B4536F1D8E461DDDED849701CF7AF6F209DC

D450627184C2E99E9294A5ADF86ED2F8713EE53EA0EE7070BEA2A1CE732F1A13

Prose

Cisco Aironet 1200 Access Point

cpe:/h:cisco:aironet_ap1200

Wireless Network

Users of the wireless benchmark should, at a minimum, review the overall recommended architecture for the benchmark that most closely matches the functional requirements, data protection level, and other characteristics of their intended environments. The general policy tables will give general policies that should be implemented regardless of whether the technology used is wired or wirelessâ??these policies are best practices that are accepted in the information protection industry. Finally, use the Wireless Policy Checklist and the Products Capability Matrix to help in your product comparison and selection research. The Center for Internet Security (CIS) document, Assessing the Security of a Wireless Environment, describes methods for conducting wireless site surveys and performing manual and automated monitoring.

Wireless Networking

Not provided.

STANDALONE

MANAGED

Not provided.

Differs for Public and Private consumers, please read disclaimer information from the CIS web site located at: http://www.cisecurity.org/sub_form.html

Not provided.

Not provided. Differs for Public and Private consumers, please read licensing information from the CIS web site located at: http://www.cisecurity.org/sub_form.html

2005-04-13T04:00:00.000Z

FINAL

2011-05-11T02:05:41.173Z

false

HP LaserJet 4345 MFP Security Checklist

Version 1 Not provided. SOFTWARE_VENDOR Not provided. HP LaserJet 4345 MFP Security Checklist

69DFD672AD64F52364C6E354CDBA5DFEBFDAB18D

3893ECEFFCC7C09BEA3FCB6CBF822B0C7B343A1E7E026085CA5247255F334F79

Prose

HP LaserJet 4345 MFP

cpe:/h:hp:laserjet_4345_mfp

Multi-Functional Peripheral

The HP LaserJet 4345 MFP Security Checklist provides instructions to configure HP LaserJet 4345 MFPs for recommended network security settings. The checklist relies on HP Web Jetadmin Peripheral Management Software for most of the settings, but covers some settings in the MFP Embedded Web Server (a web page that is part of the MFP firmware to provide remote network access to status and settings). The checklist also assumes that readers are trained in standard practices for network administrative practices. HP requires the configuration presented in the checklist to consider HP LaserJet 4345 MFPs as configured for security however, HP does not guarantee or warrant that the HP LaserJet 4345 MFP Security Checklist provides assurance that MFPs are resistant to network security compromises. Administrators should use the checklist as a reference toward best practices to help improve overall security.

Multi-Functional Peripherals

Some settings in the HP LaserJet 4345 MFP Security Checklist do no apply to all networks. The checklist recommends disabling many network services and access points. Administrators should consider the applications and tools that are installed on their networks and configure the MFPs accordingly. The configurations recommended in the HP LaserJet 4345 Security Checklist are compatible as tested in the assumed network environment, but they may cause unexpected problems in other environments. Administrators should test the configuration settings in their network environments to ensure that they are compatible. The settings recommended in the checklist should be configured in the order in which they appear in the checklist. Many of the settings depend on other settings for successful configuration. - While many of the settings that appear in the checklist EWS Settings section are also available in Web Jetadmin, you should configure them only in the EWS. The combination of settings suggested in the checklist requires that these settings are not configured in Web Jetadmin. - SNMPv3 configuration on multiple MFPs: Web Jetadmin can configure SNMPv3 on multiple MFPs, but it is successful only when the SNMPv3 configuration is executed alone. If other configurations are applied with changes to the SNMPv3 configuration, the configuration fails. Follow the checklist instructions to apply the SNMPv3 configuration by itself.

The HP settings in the HP LaserJet 4345 MFP Security CheckliLaserJet 4345 MFP Security Checklist is for administrators who use Web Jetadmin to configure MFPs on enterprise networks. Administrators should be familiar with general standards and practices for using HP printers connected via HP Jetdirect. Administrators should also be familiar with the use of HP Web Jetadmin for managing HP printers (or MFPs) over network connections. Administrators should also have access to MFP and Web Jetadmin user guides. The user guides are available online by searching for them by product at HP.com.

MANAGED

HP tested the HP LaserJet 4345 MFP Security Checklist on systems that meet the descriptions in the checklist Assumptions section. Testing included the following: 1. Start with an HP LaserJet 4345 MFP reset to factory default settings and connected to a TCP/IP network with LDAP, DHCP, DNS, WINS, and standard network hardware. 2. Upgrade MFP firmware and Jetdirect firmware to the latest versions available at hp.com 3. Install the latest version of HP Web Jetadmin available at hp.com onto a network-connected PC. 4. Update Web Jetadmin with the latest plug in for HP LaserJet 4345 MFP and with the latest service pack (service pack 3). If a major upgrade to Web Jetadmin is released, the HP LaserJet 4345 MFP Security Checklist may not reflect the new configuration options. 5. Follow the checklist instructions in the order they appear, and configure all recommended settings. 6. Log in using the MFP control panel, and use the MFP to make a copy. 7. Log in using the MFP control panel, and send a document to email (assuming that you configured the MFP for Send to Email). 8. Send a print job to the MFP from a network PC.

N/A.

The HP LaserJet 4345 MFP Security Checklist provides instructions to configure HP LaserJet MFPs for security on enterprise networks. Although many of the recommended settings are applicable to smaller networks and even to other MFPs or printers, this checklist does not expressly cover them. Administrators should be qualified and trained IT professionals who understand the implications of these settings and configure their networks accordingly. The recommended configurations in this checklist are known to be compatible only on TCP/IP networks with PCs and hardware necessary to have a network. Administrators should test their networks after configuring MFPs for this checklist. Use the test procedure above in the Testing Information section. Many of the settings recommended in this checklist can cause some network applications, management tools, and services to lose access. Consider each setting as it relates to you network. See the Ramifications section of the checklist for known effects on some networks.

HP does not claim that using the HP LaserJet 4345 MFP Security Checklist prevents or inhibits misuse or attacks on networks or on HP products. Use this checklist at your own risk as a reference toward best practices for security.

Use of the HP LaserJet 4345 MFP Security Checklist does not void the product warrantee however, HP does not accept responsibility for networking issues. For help with MFP configurations, contact HP Customer Care. You can find contact information for HP Customer Care by searching for it at hp.com.

Jon Huber - jont.huber@hp.com

Not provided. The HP LaserJet 4345 MFP Security Checklist is property of the Hewlett Packard Company. Copyrighted 2005. It is distributed through the NIST checklist program free of charge however, no person is authorized to alter, publish, or change any part of the checklist without express written permission from the Hewlett Packard Company.

2006-03-28T05:00:00.000Z

FINAL

2009-07-23T18:32:41.157Z

false

CIS Wireless Networks DLink Hardware addendum

V1.0.0 Not provided. THIRD_PARTY Not provided. CIS Wireless Networks DLink Hardware addendum v1.0.0

FC327F36CFA0F26B59AFE975E5E1A42D92781B9E

B1CCA57F03ECD8D6CFDA1FD33AA188B89A090C5825F6D8151EB4FBFCF867AB16

Prose

D-Link DI-624 2.42

cpe:/h:d-link:di-624:2.42

Wireless Network

Wireless Networking

Not provided.

STANDALONE

MANAGED

Not provided.

Differs for Public and Private consumers, please read disclaimer information from the CIS web site located at: http://www.cisecurity.org/sub_form.html

Not provided.

cis-feedback@cisecurity.org

Not provided. Differs for Public and Private consumers, please read licensing information from the CIS web site located at: http://www.cisecurity.org/sub_form.html

2005-03-30T05:00:00.000Z

FINAL

2011-05-11T02:07:40.937Z

false

CIS Wireless Networks Linksys Hardware addendum

v1.0.0 Not provided. THIRD_PARTY Not provided. CIS Wireless Networks Linksys Hardware addendum v1.0.0

87D5DFC08B0899419E962126348E68EB34DD868F

581D1EC706FA9BFB72BA39EF6F5CD9922906462A1A26DD1334DA9B90F1F0FCFC

Prose

Linksys WRT54G 3.0.1.3

cpe:/h:linksys:wrt54g:3.01.3

Wireless Network

Users of the wireless benchmark should, at a minimum, review the overall recommended architecture for the benchmark that most closely matches the functional requirements, data protection level, and other characteristics of their intended environments. The general policy tables will give general policies that should be implemented regardless of whether the technology used is wired or wirelessâ??these policies are best practices that are accepted in the information protection industry. Finally, use the Wireless Policy Checklist and the Products Capability Matrix to help in your product comparison and selection research. The Center for Internet Security (CIS) document, Assessing the Security of a Wireless Environment, describes methods for conducting wireless site surveys and performing manual and automated monitoring.

Wireless Networking

Not provided.

STANDALONE

MANAGED

Not provided.

Differs for Public and Private consumers, please read disclaimer information from the CIS web site located at: http://www.cisecurity.org/sub_form.html

Not provided.

cis-feedback@cisecurity.org

Not provided. Differs for Public and Private consumers, please read licensing information from the CIS web site located at: http://www.cisecurity.org/sub_form.html

2005-10-11T04:00:00.000Z

FINAL

2011-05-11T02:09:25.733Z

false

Tandem Security Checklist

v2 Release 1.2 Not provided. GOVERNMENTAL_AUTHORITY Not provided. Tandem Security Checklist

89A1010A252493E21347637E3CEE998E98740715

1303BFE8C786918D775E0291008338BBB2181D6A3587435346D8F36F74B8BE31

Prose

Tandem Computers Operating System

cpe:/o:tandem_computers:tandem_operating_system

Operating System

This Tandem Security Checklist provides the procedures for conducting a review to determine compliance with the requirements in the Tandem Security Technical Implementation Guide and must be used together. This Tandem security checklist covers the operating system(s) (OS), applications, and security tools as follows: OS - Tandem NonStop Kernel Access Methods - Tandem NonStop SQL (NSSQL) Tandem Enscribe Security Tools - Block Mode Operating System Services (BOSS) Command Interpreter Monitor (CMON) Additionally, this checklist ensures the site has properly installed and implemented specific operating system configurations and that it is being managed in a way that is secure, efficient, and effective, through procedures outlined in the checklist.

Client / Server

Not provided.

Developped for the DOD. This document is intended for IAOs, SAs, IAMs, NSOs, and others who are responsible for the configuration, management, or support of information systems. It assumes that the reader has knowledge of the Tandem operating system and is familiar with common computer terminology.

MANAGED

SSLF

Not provided.

DOD Directive 8500.

Please refer to the Checklist or the README.txt files provided with the scripts for any comments, warnings, or detailed instructions.

Not provided.

It should be noted that FSO Support for the STIGs, Checklists, and Tools is only available to DOD Customers.

Not provided.

Not provided. Not provided.

2004-04-16T04:00:00.000Z

FINAL

2011-05-24T19:58:11.990Z

false

KM-8030 MFP Security Checklist

Version 1 Not provided. SOFTWARE_VENDOR Not provided. KM-8030 MFP Security Checklist

97624D83B4A795C25E1435B7D354725FFBBB1416

B76A1FFAF8F01CABD822022D4189E575B8E6CC0D7B3572B6488E0FAD5DA5A2E4

Prose

Kyocera KM-8030 MFP

cpe:/h:kyocera:km-8030

Multi-Functional Peripheral

The KM-8030 Security Checklist provides instruction and configuration recommendation for connectivity in a secure network infrastructure. The checklist relies on the KM-NET Viewer KM-NET Viewer Web Edition or the print systems MIB â??Command Centerâ?� to implement most of the security settings. The checklist will cover some of the settings that can be changed using Command Center that is embedded in our NIC for the print system. Please note only those individual who certified or trained in the standard practice of computer network administration should attempt these setting changes.

Multi-Functional Peripherals

The KM-8030 MFP Security Checklist Troubleshooting section covers most of the common issue one may encounter.

This checklist is intended for IT administrators who have a clear understanding of how to configure network connectivity, network protocols, and the network equipment being used and clear understanding of the security measure that are in place on their network.

STANDALONE

MANAGED

Kyocera tested the KM-8030 MFP Security Checklist on the KM-8030 MFP with the firmware and software versions mentioned in the checklist.

Not provided.

The KM-8030 MFP Security Checklist provides instructions to configure KM-8030 MFP on SOHO or Enterprise networks. Administrators should be qualified and trained IT professionals who understand the implications of these settings and configure their networks accordingly. The recommended configurations in this checklist are known to be compatible only on TCP/IP networks with PCs and hardware connected, which constitutes a computer network. If possible administrators should first test any configuration made on an isolated network before implementing the changes to a production environment.

Kyocera does not claim that using the KM-8030 MFP Security Checklist will prevent or inhibit misuse or attacks on the network or on any Kyocera products. Use this checklist at your own risk as a reference toward best practices for security.

Using the KM-8030 MFP Security Checklist will not void the products warranty, however Kyocera will not assume responsible for any network issue that are not a direct result of using the Kyocera product . For any additional support with the KM-8030 MFP please contact your local authorized Kyocera dealer or visit our web-site at www.kyoceramita.com

Victor Moro - victor_moro@kyoceramita.com

Not provided. The KM-8030 MFP Security Checklist is the property of Kyocera Mita America Incorporated Copyrighted 2007. It is distributed through the NIST checklist program free of charge no person are authorized to alter, publish or change any part of this checklist without express written permission from Kyocera Mita America Incorporated.

2008-03-31T04:00:00.000Z

FINAL

2009-07-23T18:12:25.297Z

false

Configuring Security for Multiple LaserJet MFPs and Color LaserJet MFPs

Version 4.0 Not provided. SOFTWARE_VENDOR Not provided. Prose guide for multiple HP LaserJet MFP's

8133428146B984A271A986121CF6D83D833F90FB

16FBE9DB8912977258473C2A87F2C7DB9DCD7BEA1B1CF2B8A930347544C8CF9D

Prose

HP LaserJet 4345 MFP

cpe:/h:hp:laserjet_4345_mfp

Multi-Functional Peripheral

HP Color Laserjet 4730 MFP

cpe:/h:hp:color_laserjet_4730_mfp

Multi-Functional Peripheral

HP Color Laserjet 9500 MFP

cpe:/h:hp:color_laserjet_9500_mfp

Multi-Functional Peripheral

HP Laserjet 9040 MFP

cpe:/h:hp:laserjet_9040_mfp

Multi-Functional Peripheral

HP Laserjet 9050 MFP

cpe:/h:hp:laserjet_9050_mfp

Multi-Functional Peripheral

HP Laserjet m3027 MFP

cpe:/h:hp:laserjet_m3027_mfp

Multi-Functional Peripheral

HP Laserjet m3035 MFP

cpe:/h:hp:laserjet_m3035_mfp

Multi-Functional Peripheral

HP Laserjet m4345 MFP

cpe:/h:hp:laserjet_m4345_mfp

Multi-Functional Peripheral

HP Laserjet m5025 MFP

cpe:/h:hp:laserjet_m5025_mfp

Multi-Functional Peripheral

HP Laserjet m5035 MFP

cpe:/h:hp:laserjet_m5035_mfp

Multi-Functional Peripheral

This checklist provides instructions to configure HP LaserJet and Color LaserJet MFPs with all reasonable security related settings. The checklist relies on HP Web Jetadmin Peripheral Management Software for most of the settings. The checklist assumes that readers are trained in standard network administrative practices. This checklist includes an introduction and an explanation of known types of threats that relate to MFPs. It follows with instructions on configuring security-related settings as the main body of the document. Later chapters include a bulleted list of the checklist settings, a table listing the default state of each setting, a chapter explaining the ramifications of the settings, and some notes about physical security. The appendix is a list of terms with explanations. HP requires this configuration to consider HP LaserJet and Color LaserJet MFPs configured for security however, HP does not guarantee or warrant that this checklist provides assurance that MFPs are resistant to network security compromises. Administrators should use the checklist as a reference toward best practices to improve overall security.

Multi-Functional Peripherals

The settings recommended in this checklist do not apply to all HP MFP models. They also do not apply to all networks. Use this checklist as a reference toward best known security practices, but choose settings that work best in your network environment. These settings should be configured in the order in which they appear in the checklist. Many of the settings depend on other settings for proper configuration. These settings should be configured on one MFP model at a time. This checklist covers a large number of settings that become complicated as they go on. Configuring multiple models at the same time increases the complications and can cause failures in some settings. However, HP Web Jetadmin can configure an unlimited number of individual MFPs of the same model.

This checklist is for administrators who use Web Jetadmin to configure MFPs on enterprise networks. Administrators should be familiar with general standards and practices for using HP MFPs or printers connected via HP Jetdirect. Administrators should also have access to MFP and Web Jetadmin user guides and MFP product user guides. These guides are available online by searching for them by product at hp.com.

MANAGED

HP tested these settings on systems that meet the descriptions in the checklist Assumptions section. Testing included the following: 1. Start with a variety of HP MFP reset to factory default settings and connected to a TCP/IP network with LDAP, DHCP, DNS, WINS, and standard network hardware. 2. Install the latest version of HP Web Jetadmin available at hp.com onto a network-connected PC. 3. Update Web Jetadmin with the latest service packs and plug ins found at hp.com. 4. Upgrade MFP firmware and Jetdirect firmware to the latest versions available at hp.com 5. Follow the checklist instructions in the order they appear, and configure all recommended settings. 6. Log into one of each model of MFP on the MFP control panel, and make a copy. 7. Log into one of each model of MFP on the MFP control panel, and send a document to email. 8. Log into one of each model of MFP and send a fax. 9. Send a print job to one of each model of MFP from a network PC.

None noted.

This checklist provides instructions to configure HP LaserJet and Color LaserJet MFPs for security in enterprise networks. Although many of the recommended settings are applicable to smaller networks and even to other MFPs or printers, this checklist does not expressly cover them. Administrators should be qualified and trained IT professionals who understand the implications of these settings and configure their networks accordingly. The recommended configurations in this checklist are known to be compatible only on TCP/IP networks with PCs and hardware necessary to have a network. Administrators should test their networks after configuring. Use the test procedure in the Testing Information section. The configurations recommended in this checklist are known to be compatible only when executed in the order in which they appear in the checklist. Many of these settings can cause some network applications, management tools, and services to lose access. Consider each setting as it relates to your network. See the Ramifications section for more information.

HP makes no claim that using this checklist prevents or inhibits misuse or attacks on networks or on HP products. Use this checklist at your own risk as a reference toward best security practices.

This checklist is provided only as a complimentary guide to known best practices for increasing MFP security. HP does not claim or warrant that these configurations prevent misuse of MFPs or networks or that they prevent malicious attacks on MFPs or networks. As technology improves, malicious people (hackers) continue to find new ways to exploit networks. Hackers are beginning to target MFPs and other network peripherals to misuse resources or to gain access to networks or to the internet. Predicting the actions of a hacker is difficult, but HP is dedicated to research in this area. You should continue to be aware and always remain vigilant. Use other techniques with this checklist to help ensure that your network is resistant to compromise. Use of this checklist does not void the product warrantee however, HP does not accept responsibility for networking issues. If your MFP malfunctions due to configurations recommended in this checklist, contact HP Customer Care. You can find contact information for HP Customer Care by searching for it at hp.com.

Contact Jon Huber with review comments or questions at the following address:jont.huber@hp.com

Not provided. This checklist is property of the Hewlett Packard Company. Copyrighted 2007. It is distributed through the NIST checklist program free of charge however, no person is authorized to alter, publish, or change any part of the checklist without express written permission from HP.

2007-06-19T04:00:00.000Z

UNDER_REVIEW

2011-06-09T18:01:16.317Z

false

Windows NT Security Checklist

Version 4, Release 1.21 Not provided. GOVERNMENTAL_AUTHORITY Not provided. Windows NT Security Checklist, Version 4, Release 1.21

A79C1EBA78864D4F7EEF9B578E705B1F795CE468

043E2E8BBD42C3CE9E5AD0D22377D432E97DB4DD10C9B95E2A27197310DA770C

Prose

Microsoft Windows NT 4.0

cpe:/o:microsoft:windows_nt:4.0

Operating System

The Microsoft Windows NT SRR targets conditions that undermine the integrity of security, contribute to inefficient security operations and administration, or may lead to interruption of production operations. Sites are required to secure the Microsoft Windows NT operating system in accordance with DOD Directive 8500.1, Section 4.18. The checks in this document were developed from DISA and NSA guidelines specified in the above reference. Additionally, the review ensures the site has properly installed and implemented the Windows NT operating system and that it is being managed in a way that is secure, efficient, and effective. The items reviewed are based on standards and requirements published by DISA in the Security Handbook and other DoD Policy and regulations. The results of the SRR scripts will coincide with the Windows NT SRR Checklist with the following: F- Finding, N/F- Not A Finding, N/A- Not Applicable, MR -Manual Review, or NR - Not Reviewed. This document is designed to instruct the reviewer on how to assess both the workstation and server configurations. In addition, the procedures account for the optional domain-controller configuration of devices running Windows NT Server. The Windows NT Security Checklist is composed of five major sections and four appendices: - Section 1: This section contains summary information about the sections and appendices that comprise the Windows NT Security Checklist, and defines its scope. Supporting documents consulted are listed in this section. - Section 2: This section is the matrix that allows the reviewer to document vulnerabilities discovered during the SRR process. Section 2A is used for a review done using the WinBatch SRR scripts. Section 2B is used for manual SRRs. The entries in this table, sorted by Potential Discrepancy Item (PDI), are mapped to procedures - referenced by paragraph number - in Sections 3, 4, and 5. - Section 3: This section contains the administrative issues that are discussed between the reviewer and the System Administrator or the Information Systems Security Officer (ISSO). The interview outlined in this section may be performed independent of the technical review discussed in Sections 4 and 5. - Section 4: This section documents the procedures that instruct the reviewer on how to perform an SRR using the automation scripts, and to interpret the script output for vulnerabilities. Each procedure maps to a PDI tabulated in Section 2. - Section 5: This section documents the procedures that instruct the reviewer on how to perform an SRR manually, and to interpret the program output for vulnerabilities. Each procedure maps to a PDI tabulated in Section 2. - Appendix A: This appendix documents the allowed Access Control Lists (ACLs) for file and registry objects. The tables contained in this section are referenced in Sections 4 and 5. - Appendix B: This appendix documents procedures for checking compliance with specific IAVM notices applicable to Windows NT. - Appendix C: This appendix documents the WinBatch scripts used to perform an SRR. The scripts documented here are referenced in Section 4. - Appendix D: This appendix documents the procedures for using the John the Ripper password integrity utility.

Desktop and Server Operating System

Not provided.

Developped for the DOD. This document is intended for IAOs, SAs, IAMs, NSOs, and others who are responsible for the configuration, management, or support of information systems. It assumes that the reader has knowledge of the Windows NT operating system and is familiar with common computer terminology.

MANAGED

SSLF

Not provided.

DOD Directive 85

Please refer to the Checklist or the README.txt files provided with the scripts for any comments, warnings, or detailed instructions.

Not provided.

It should be noted that FSO Support for the STIGs, Checklists, and Tools is only available to DOD Customers.

Not provided.

Not provided. Not provided.

2006-07-28T04:00:00.000Z

FINAL

2013-04-15T14:11:47.497Z

false

OpenVMS Security Checklist

Version 2 Release 2.3 Not provided. GOVERNMENTAL_AUTHORITY Not provided. OpenVMS SECURITY CHECKLIST

02E274E9947462207ABADEC1E242AC735ECEE677

C38152B5FEE7A5CAC36E5F499BDB7F3BE0BED5FB243EB8046D846D16D33B6217

Prose

Digital OpenVMS Alpha 6.1

cpe:/o:digital:openvms_alpha:6.1

Operating System

Digital OpenVMS Alpha 6.2

cpe:/o:digital:openvms_alpha:6.2

Operating System

Digital OpenVMS Alpha 7.0

cpe:/o:digital:openvms_alpha:7.0

Operating System

Digital OpenVMS Alpha 7.1

cpe:/o:digital:openvms_alpha:7.1

Operating System

Digital OpenVMS Alpha 7.2

cpe:/o:digital:openvms_alpha:7.2

Operating System

Digital OpenVMS Alpha 7.3

cpe:/o:digital:openvms_alpha:7.3

Operating System

Digital OpenVMS VAX 6.1

cpe:/o:digital:openvms_vax:6.1

Operating System

Digital OpenVMS VAX 6.2

cpe:/o:digital:openvms_vax:6.2

Operating System

Digital OpenVMS VAX 7.0

cpe:/o:digital:openvms_vax:7.0

Operating System

Digital OpenVMS VAX 7.1

cpe:/o:digital:openvms_vax:7.1

Operating System

Digital OpenVMS VAX 7.2

cpe:/o:digital:openvms_vax:7.2

Operating System

Digital OpenVMS VAX 7.3

cpe:/o:digital:openvms_vax:7.3

Operating System

Digital OpenVMS VAX 5.3

cpe:/o:digital:openvms_vax:5.3

Operating System

Digital OpenVMS VAX 5.4

cpe:/o:digital:openvms_vax:5.4

Operating System

Digital OpenVMS VAX 5.5

cpe:/o:digital:openvms_vax:5.5

Operating System

Digital OpenVMS VAX 6.0

cpe:/o:digital:openvms_vax:6.0

Operating System

The VMS - OpenVMS SRR targets conditions that undermine the integrity of security, contribute to inefficient security operations and administration, or may lead to interruption of production operations. Additionally, the review ensures the site has properly installed and implemented the VMS/OpenVMS environment and that it is being managed in a way that is secure, efficient, and effective. The items reviewed are based on standards and requirements published by DISA in the Security Handbook and other DoD Policy and regulations. (There is no available VMS Ã¢?? OpenVMS Security Technical Implementation Guide.) The results of the SRR scripts will coincide with the VMS-OpenVMS SRR Checklist with the following: F- Finding, N/F- Not A Finding, N/A- Not Applicable, MR -Manual Review, or NR Ã¢?? Not Reviewed. DISA Field Security Operations has assigned a level of urgency to each finding based on Chief Information Officer (CIO) established criteria for certification and accreditation. All findings are based on regulations and guidelines. All findings require correction by the host organization. Category I findings are any vulnerabilities that provide an attacker immediate access into a machine, superuser access, or access that bypasses a firewall. Category II findings are any vulnerabilities that provide information that has a high potential of giving access to an intruder. Category III findings are any vulnerabilities that provide information that potentially could lead to compromise. Category IV vulnerabilities, when resolved, will prevent the possibility of degraded security. The VMS - OpenVMS Security Checklist is composed of five major sections and two appendices. The major sections within this checklist are sections 2A and 3A. Section 2A, the Ã¢??SRR Results ReportÃ¢?ï¿½, is comprised of a matrix that allows the reviewer to manually document vulnerabilities discovered during the Security Readiness Review (SRR). Section 3A, Ã¢??Checklist ProceduresÃ¢?ï¿½, documents procedures to instruct reviewers about how to manually perform the SRR for each specific PDI.

Operating System

Not provided.

Developped for the DOD. This document is intended for IAOs, SAs, IAMs, NSOs, and others who are responsible for the configuration, management, or support of information systems. It assumes that the reader has knowledge of the OpenVMS operating system and is familiar with common computer terminology.

MANAGED

SSLF

Not provided.

DOD Directive 8500.

Please refer to the Checklist or the README.txt files provided with the scripts for any comments, warnings, or detailed instructions.

Not provided.

It should be noted that FSO Support for the STIGs, Checklists, and Tools is only available to DOD Customers.

Not provided.

Not provided. Not provided.

2006-04-17T04:00:00.000Z

FINAL

2013-05-09T15:03:51.910Z

false

Generic Database Security Checklist

Version 8, Release 1.6 Not provided. GOVERNMENTAL_AUTHORITY Not provided. http://iase.disa.mil/stigs/downloads/zip/unclassified_generic_v8r1.6_checklist_20100827.zip

EDEAD46BF4D219DE8D0E1C32BDC44F08BE04804B

670DF34CBE3BE663E110E669D957955832471C9C9C52D2DD5E51ADAD5D2B2F78

Prose

Microsoft SQL Server 2000

cpe:/a:microsoft:sql_server:2000

Database Management System

Oracle Database 8i

cpe:/a:oracle:database_server:8

Database Management System

Oracle Database 10g

cpe:/a:oracle:database_server:10

Database Management System

Oracle Database 9i

cpe:/a:oracle:database_server:9

Database Management System

IBM DB2 8.1

cpe:/a:ibm:db2:8.1

Database Management System

Microsoft SQL Server 7.0

cpe:/a:microsoft:sql_server:7.0

Database Management System

The Database Security Readiness Review (SRR) targets conditions that undermine the integrity of security, contribute to inefficient security operations and administration, or may lead to interruption of production operations. This SRR guide focuses strictly on Oracle versions 8i, 9i and Microsoft SQL Server versions 7.0, 2000. Additionally, this checklist ensures the site has properly installed and implemented the database environment and that it is being managed in a way that is secure, efficient, and effective, through procedures outlined in the checklist. The items reviewed are based on standards and requirements published by DISA in the Security Handbook and the Database Security Technical Implementation Guide. The results of the SRR scripts will coincide with the Database SRR Checklist with the following: F - Finding, N/F - Not A Finding, N/A - Not Applicable, MR - Manual Review, or NR - Not Reviewed, which can be filled in Section 2A (Oracle SRR Result Report) or Section 2B (MS SQL Server SRR Results Report). DISA Field Security Operations has assigned a level of urgency to each finding based on Chief Information Officer (CIO) established criteria for certification and accreditation. All findings are based on regulations and guidelines. All findings require correction by the host organization. Category I findings are any vulnerabilities that provide an attacker immediate access into a machine, superuser access, or access that bypasses a firewall. Category II findings are any vulnerabilities that provide information that has a high potential of giving access to an intruder. Category III findings are any vulnerabilities that provide information that potentially could lead to compromise. Category IV vulnerabilities, when resolved, will prevent the possibility of degraded security.

Database Server

The vulnerabilities discussed in Sections 2A and 3A of this document are applicable to Oracle versions 8i, 9i, and 10g, vulnerabilities discussed in Sections 2B and 3B are applicable to MS SQL Server versions 7.0 and 2000, and vulnerabilities discussed in Sections 2C and 3C are applicable to DB2 version 8 on Unix and Windows platforms. The checklist does not address database versions earlier than those referenced above. For earlier versions, the reviewer should mark all checks except the check for a supported version, as NA and treat this as a completed database review. The unsupported version check should be marked as Open. The generic checklist should be used to cover databases other than Oracle, SQL Server, and DB2. To perform a successful Security Readiness Review (SRR), this document provides two methods to assess vulnerabilities on an Oracle and MS SQL Server DBMS. DISA FSO scripts and manual procedures. The manual procedures should be performed if the SRR command-scripts are not available, if they are not permitted, or if there is a discrepancy in the tools reporting.

Developped for the DOD. This checklist has been created for IT professionals, information security and database personnel. The document assumes that the reader has experience administering Oracle, SQL Server, DB2, or other databases.

MANAGED

SSLF

Not provided.

DOD Directive 8500.

Please refer to the Checklist or the README.TXT files provided with the scripts for any comments, warnings, or detailed instructions.

Not provided.

It should be noted that FSO Support for the STIGs, Checklists, and Tools is only available to DOD Customers.

Not provided.

Not provided. Not provided.

2010-08-27T04:00:00.000Z

FINAL

2011-02-25T18:48:19.107Z

false

Guide to Securing Microsoft Windows NT Networks

v4.2 Not provided. GOVERNMENTAL_AUTHORITY Not provided. Security Template files for securing Microsoft Windows NT

1ED44993668E1BDAB245970C5863C8EB7AA46AF5

F70971AC188BAE950820FE9E5C26A446374BC8DAC10DFA61E0A9EBE90B61EA21

Security Template

Microsoft Windows NT

cpe:/o:microsoft:windows_nt

Operating System

The purpose of this document is to inform the reader about the Windows NT 4.0 security mechanisms that are available and how these security mechanisms can be implemented in a network environment. It is intended to provide a solid security foundation for any Windows NT 4.0 network by providing step-by-step instructions on how to utilize the operating system's built-in security features, additional add-on service packs and hotfixes to eliminate known security vulnerabilities. While networks will vary in purpose and scope, this document outlines security recommendations and procedures that can be adapted for any Windows NT 4.0 network. The Guide to Securing Microsoft Windows NT Networks presents detailed information on how to secure a network based Windows NT 4.0 operating system in coordination with Microsoft's current service pack (SP6a). Specifically, this document addresses the built-in security features and shortfalls of the default Windows NT 4.0 operating system.

Desktop and Server Operating System

This document is only a guide containing recommended security settings. It is not meant to replace well-structured policy or sound judgment. Furthermore, this guide does not address site-specific configuration issues. Care must be taken when implementing this guide to address these issues, such as the use of products like Microsoft Exchange, IIS, and SMS. The security changes described in this document only apply to Microsoft Windows NT 4.0 Service Pack 6a systems and should not be applied to any other Windows NT versions or operating systems. Microsoft Exchange security is tightly coupled to the operating system. File permissions, registry settings, password usage, user rights and other issues associated with Windows NT security have a direct impact on Exchange security. It is recommended that you implement the recommendations contained in this guide prior to installing Microsoft Exchange Server or the Exchange or Outlook clients. You can severely impair or disable a Windows NT system with incorrect changes or accidental deletions when using programs (examples: Security Configuration Manager, Regedt32.exe, and Regedit.exe) to change the system configuration. Therefore, it is extremely important to test all settings recommended in this guide before installing them on an operational network.

Developped for the DOD. Users of this guide should have a working knowledge of Windows NT installation and basic system administration skills.

MANAGED

SSLF

Not provided.

DOD Directive 8500.

Refer to Known Issues.

Not provided.

It should be noted that FSO Support for the STIGs, Checklists, and Tools is only available to DOD Customers.

Not provided.

Not provided. Not provided.

2001-09-18T04:00:00.000Z

FINAL

2011-03-28T18:48:27.490Z

false

CIS SQL Server 2005 Benchmark

v1.2.0 Not provided. THIRD_PARTY Not provided. CIS SQL Server 2005 Benchmark v1.2.0

14DEEDF53D3652291B74BB70DED1740447BFACE6

0FA74DF4DE9C3C27D724DAA54B89D0D9F0C472965E0F5B90B5F74BDD90ED1C23

Prose

Microsoft SQL Server 2005

cpe:/a:microsoft:sql_server:2005

Database Management System

This document is derived from research conducted utilizing the SQL Server 2005 environment on Windows XP Desktops and Windows 2003 servers. This document provides the necessary settings and procedures for the secure installation, setup, configuration, and operation of an MS SQL Server 2005 system. With the use of the settings and procedures in this document, an SQL Server 2005 database may be secured from conventional out of the box threats. Recognizing the nature of security cannot and should not be limited to only the application the scope of this document is not limited to only SQL Server 2005 specific settings or configurations, but also addresses backups, archive logs, best practices processes and procedures that are applicable to general software and hardware security.

Database Server

Proper use of the Recommendations requires careful analysis and adaptation to specific user requirements. The Recommendations are not in any way intended to be a quick fix for anyone's information security needs. It is extremely important to conduct testing of security configurations on non-production systems prior to implementing them on production systems.

Database System Administrators

MANAGED

Not provided.

Refer to Known Issues.

Differs for Public and Private consumers, please read disclaimer information from the CIS web site located at: http://www.cisecurity.org/sub_form.html

Not provided.

windows-feedback@lists.cisecurity.org

Not provided. Differs for Public and Private consumers, please read licensing information from the CIS web site located at http://www.cisecurity.org/sub_form.html

2010-01-12T05:00:00.000Z

FINAL

2011-05-11T01:40:51.333Z

false

Database Security Checklist for MS SQL Server 2005

Version 8, Release 1.7 Not provided. GOVERNMENTAL_AUTHORITY Not provided. http://iase.disa.mil/stigs/downloads/zip/unclassified_sqlserver9_v8r1.7_checklist_20100827.zip

3596A32101E132852AAF1359730ACAF82D0F6E7F

EB26A56DE4DE3BB6220C57674FDD8D563341D29C5A71832141DB17AE2ED6C6E6

Prose

Microsoft SQL Server 2000

cpe:/a:microsoft:sql_server:2000

Database Management System

Microsoft SQL Server 2005

cpe:/a:microsoft:sql_server:2005

Database Management System

Microsoft SQL Server 7.0

cpe:/a:microsoft:sql_server:7.0

Database Management System

The Database Security Readiness Review (SRR) targets conditions that undermine the integrity of security, contribute to inefficient security operations and administration, or may lead to interruption of production operations. Additionally, the review ensures the site has properly installed and implemented the database environment and that it is being managed in a way that is secure, efficient, and effective. The items reviewed are based on Department of Defense (DOD) policy and the Database Security Technical Implementation Guide. Each security item to review is listed in this document with a procedure for measuring compliance with the security requirement. The result of the procedure is a status of compliance with the requirement. Results are assigned as one of the following: O = Open finding or non-compliance NF = Not a Finding or compliance NA = Not Applicable or the item is not applicable to the database version, database use, or host platform being reviewed and, NR = Not Reviewed or the procedure was not completed so compliance is not determined.

Database Server

The execution of the SQL Server 2005 script and many of the manual procedures require SYSADMIN privileges in the SQL Server instance. Some operating system commands require Administrator privileges to the host operating system. This will vary based on the permissions assigned to the account used. It is recommended the account used for installation of SQL Server be used to process the security review as this account is expected to have access required. Use of this account would be expected to be logged and monitored by an authorized DBA or the IAO.

MANAGED

SSLF

DISA Field Security Operations has assigned a level of urgency to each finding based on Chief Information Officer (CIO) established criteria for certification and accreditation. All findings are based on regulations and guidelines. All findings require correction by the host organization. Category I findings are any vulnerabilities that provide an attacker immediate access into a machine, superuser access, or access that bypasses a firewall. Category II findings are any vulnerabilities that provide information that has a high potential of giving access to an intruder. Category III findings are any vulnerabilities that provide information that potentially could lead to compromise. NOTE: Security patches required by the DOD IAVM process are reviewed during an operating system security review. Information for security patch compliance is available in Appendix A of this Database Security Checklist.

Not provided.

Not provided. Not provided.

2009-12-25T05:00:00.000Z

2010-08-27T04:00:00.000Z

FINAL

2011-02-25T13:28:25.033Z

false

USGCB Windows Vista

2.0.x.0 Not provided. GOVERNMENTAL_AUTHORITY Not provided. USGCB Windows Vista using OVAL version 5.10

369B9234A7D5E32BCDA4C1017BC3C7AB67A948F3

953D763C288B671BE2EE0A7E0321563E0BDED966B142E646CE8C758CE52EE796

SCAP 1.2 Content Not provided. USGCB Windows Vista using OVAL version 5.10

369B9234A7D5E32BCDA4C1017BC3C7AB67A948F3

953D763C288B671BE2EE0A7E0321563E0BDED966B142E646CE8C758CE52EE796

SCAP 1.2 Content Not provided. USGCB Windows Vista using OVAL version 5.3.

39B2E5A63CDAACE785C3C2A8E8E3B55B5CA9B264

135C8BD19702B4AB50CBD43EF5950DF0FBBC05B5BFD52A25CF430193D1E63534

SCAP_CONTENT Not provided. USGCB Windows Vista using OVAL version 5.4.

9BB42E47720E96E8C91418611A1C7D41539C7451

5644F7517D3C5F3669250F01F569C96BE6CC04A136F935C5FF800BAD7808FD48

SCAP_CONTENT Not provided. USGCB Windows Vista GPOs

A6886CC6844676232EFF0EF063F66ACE330D9CFC

6253EE0C5DBE936EFA278458B00FF1F2113CD2C35D587C901E1690CA011FE244

GPOs Not provided. This is the human readable version of the USGCB settings.

E17A5C7A70B025A1220AD3E73F62659B8C76DEE6

E7C412B282054AE094223437810344433A7B6B800A66796A59194B5AEE4178CB

USGCB Windows Settings - 2012.02.10

Prose Not provided. USGCB Windows Vista using OVAL version 5.10

369B9234A7D5E32BCDA4C1017BC3C7AB67A948F3

953D763C288B671BE2EE0A7E0321563E0BDED966B142E646CE8C758CE52EE796

SCAP 1.2 Content

Microsoft Windows Vista

cpe:/o:microsoft:windows_vista

Operating System

The purpose of the United States Government Configuration Baseline (USGCB) initiative is to create security configuration baselines for Information Technology products widely deployed across the federal agencies. The USGCB baseline evolved from the Federal Desktop Core Configuration mandate. The USGCB is a Federal government-wide initiative that provides guidance to agencies on what should be done to improve and maintain an effective configuration settings focusing primarily on security. This checklist represents the USGCB guidance for Microsoft Windows Vista.

Client Operating System

Spreadsheet containing known issues can be found at http://usgcb.nist.gov/usgcb/microsoft_content.html, under the "Documentation" column.

US Federal Agencies.

MANAGED

Not provided.

The recommendations are consistent with the security control baselines advocated in SP 800-53 (NIST FISMA implementation project publication).

Not provided.

Do not attempt to implement any of the settings without first testing them in a non-operational environment. These recommendations have only been tested on Windows 7 Ultimate 32-bit, Windows 7 Ultimate 64-bit, Windows 7 Enterprise x86, and Windows 7 Enterprise x64. These settings may be applicable to other Windows systems and service packs; however, NIST has not tested other Windows based systems with these settings. Please see the National Checklist Program (NCP) website for configuration guides related to other Windows Based systems and applications. The draft download packages contain recommended security settings; they are not meant to replace well-structured policy or sound judgment. Furthermore, these recommendations do not address site-specific configuration issues. Care must be taken when implementing these settings to address local operational and policy concerns. These recommendations were developed at the National Institute of Standards and Technology, which collaborated with DoD and Microsoft to produce the Windows 7, Windows 7 Firewall, Internet Explorer 8 USGCB. Pursuant to title 17 Section 105 of the United States Code, these recommendations are not subject to copyright protection and are in the public domain. NIST assumes no responsibility whatsoever for their use by other parties, and makes no guarantees, expressed or implied, about their quality, reliability, or any other characteristic. We would appreciate acknowledgement if the recommendations are used.

Not provided.

usgcb@nist.gov

Not provided. Not provided.

USGCB Microsoft content download page

The link to the USGCB home page.

USGCB individual file listings and download page

USGCB FAQ

2008-06-19T04:00:00.000Z

FINAL

2013-05-02T12:19:57.983Z

true

false

true

CCE-18129-7

2011-10-18T12:55:48.903Z

2012-03-17T03:35:04.797Z

The Windows Vista 'Telnet Client' feature should be turned on or off as appropriate.

CCE-18220-4

2011-10-18T12:55:48.903Z

2012-05-25T03:56:16.040Z

DEPRECATED. [Was: "The 'Configure Windows NTP Client' setting should be configured correctly." The enabled/disabled/not configured status of this GPO (see CCE Technical Mechanisms) does not itself affect the configuration of aspects of the Windows NTP Client; it only controls whether Group Policy is used to set those options.]

CCE-18279-0

2011-10-18T12:55:48.917Z

2012-03-17T03:35:04.653Z

The Windows Vista 'Internet Information Services' feature should be turned on or off as appropriate.

CCE-18284-0

2011-10-18T12:55:48.917Z

2012-03-17T03:35:04.873Z

The Windows Vista 'Telnet Server' feature should be turned on or off as appropriate.

CCE-18303-8

2011-10-18T12:55:48.903Z

2012-05-25T03:56:16.633Z

The 'Turn off the Display (Plugged In)' setting should be configured correctly.

CCE-18358-2

2011-10-18T12:55:48.903Z

2012-05-25T03:56:16.493Z

The 'Specify the System Hibernate Timeout (Plugged In)' setting should be configured correctly.

CCE-18624-7

2011-10-18T12:55:48.903Z

2012-03-17T03:35:04.733Z

The Windows Vista 'SimpleTCP Services' feature should be turned on or off as appropriate.

CCE-18686-6

2011-10-18T12:55:48.903Z

2012-05-25T03:56:16.570Z

The 'Turn off the Display (On Battery)' setting should be configured correctly.

CCE-18689-0

2011-10-18T12:55:48.903Z

2012-03-17T03:35:04.997Z

The Windows Vista 'Windows Media Center' feature should be turned on or off as appropriate.

CCE-18700-5

2011-10-18T12:55:48.903Z

2012-03-17T03:35:04.937Z

The Windows Vista 'TFTP Client' feature should be turned on or off as appropriate.

CCE-18891-2

2011-10-18T12:55:48.917Z

2012-03-17T03:35:04.593Z

The Windows Vista 'Games' feature should be turned on or off as appropriate.

CCE-18938-1

2011-10-18T12:55:48.903Z

2012-05-25T03:56:16.400Z

The 'Specify the System Hibernate Timeout (On Battery)' setting should be configured correctly.

CCE-2323-4

2009-07-30T19:30:51.500Z

The "enforce password history" policy should meet minimum requirements.

CM-6

IA-5

CCE-2339-0

2009-07-30T19:30:51.640Z

2012-05-25T03:55:46.650Z

The behavior surrounding Anonymous SID/Name translation should be correct.

AC-3

CM-6

CM-7

SC-5

CCE-2359-8

2009-07-30T19:30:52.110Z

The built-in Guest account should be correctly named.

AC-3

CM-6

CM-7

SC-5

CCE-2363-0

2009-07-30T19:30:50.767Z

The "account lockout duration" policy should meet minimum requirements.

AC-7

CM-6

CCE-2376-2

2009-07-30T19:30:52.500Z

2012-05-25T03:55:50.103Z

The "Number of Previous Logons to Cache" policy should be set correctly.

AC-3

CM-6

CM-7

SC-5

CCE-2380-4

2009-07-30T19:30:52.420Z

2012-05-25T03:55:49.807Z

The "Digitally Sign Client Communication (When Possible)" policy should be set correctly.

AC-3

CM-6

CM-7

SC-5

CCE-2398-6

2009-07-30T19:30:52.670Z

2012-05-25T03:55:50.680Z

The "Limit local account user of blank passwords to console logon only" policy should be set correctly.

AC-3

CM-6

CM-7

SC-5

CCE-2457-0

2009-07-30T19:30:52.813Z

2012-05-25T03:55:51.227Z

The "Let Everyone permissions apply to anonymous users" policy should be set correctly.

AC-3

CM-6

CM-7

SC-5

CCE-2462-0

2009-07-30T19:30:53.157Z

The "No auto-restart for scheduled Automatic Updates installations

CM-2

CM-6

SI-2

CCE-2467-9

2009-07-30T19:30:52.577Z

2012-05-25T03:55:50.337Z

The "Secure Channel: Digitally Encrypt Secure Channel Data (When Possible)" policy should be set correctly.

CM-6

SC-2

CCE-2471-1

2009-07-30T19:30:54.717Z

2012-05-25T03:55:58.023Z

Enumerate administrator accounts on elevation

AC-6

CCE-2477-8

2009-07-30T19:30:55.420Z

The "Turn off the 'Publish to Web' task for files and folders" setting should be configured correctly.

CM-6

CCE-2519-7

2009-07-30T19:30:52.140Z

2012-05-25T03:55:48.367Z

The amount of idle time required before disconnecting a session should be set correctly.

AC-1

AC-3

CM-6

CM-7

CCE-2521-3

2009-07-30T19:30:56.000Z

2012-05-25T03:56:01.883Z

The "Turn off the communitication features" setting should be configured correctly.

CM-6

CCE-2525-4

2009-07-30T19:30:56.030Z

2012-05-25T03:56:01.960Z

The "Turn off Windows Mail application" setting should be configured correctly.

CM-6

CCE-2697-1

2009-07-30T19:30:55.343Z

The "Turn Off Internet File Association Service" setting should be configured correctly.

CM-6

CCE-2714-4

2009-07-30T19:30:52.093Z

The built-in Administrator account should be correctly named.

AC-3

CM-6

CM-7

SC-5

CCE-2715-1

2009-07-30T19:30:50.750Z

The "reset account lockout counter after" policy should meet minimum requirements.

AC-7

CM-6

CCE-2719-3

2009-07-30T19:30:51.797Z

Autoplay on all Drive Types should be properly configured.

AC-3

CM-6

CM-7

SC-5

CCE-2754-0

2009-07-30T19:30:54.670Z

2012-05-25T03:55:57.867Z

Turn off downloading of print drivers over HTTP

CM-6

CCE-2755-7

2009-07-30T19:30:56.217Z

The "Turn Off Downloading of Game Information" setting should be configured correctly.

CM-6

CCE-2778-9

2009-07-30T19:30:54.627Z

2012-05-25T03:55:57.680Z

Turn off Search Companion content file updates

CM-5

CM-6

CCE-2785-4

2009-07-30T19:30:52.000Z

TCP/IP NetBIOS Name Release on Request Prevented should be properly configured.

AC-3

CM-6

CM-7

SC-5

CCE-2821-7

2009-07-30T19:30:55.563Z

2012-05-25T03:56:00.180Z

The "Require a Password when a Computer Wakes (On Battery)" setting should be configured correctly.

AC-3

CCE-2825-8

2009-07-30T19:30:52.860Z

2012-05-25T03:55:51.400Z

The "Remotely accessible registry paths" policy should be set correctly.

AC-3

CM-6

CM-7

SC-5

CCE-2838-1

2009-07-30T19:30:52.327Z

2012-05-25T03:55:49.413Z

The "Send Unencrypted Password to Connect to Third-Party SMB Servers" policy should be set correctly.

AC-3

CM-6

CM-7

SC-5

CCE-2852-2

2009-07-30T19:30:53.187Z

The "Reschedule Automatic Updates scheduled installations" should be set correctly

CM-6

SI-2

CCE-2858-9

2009-07-30T19:30:52.267Z

2012-05-25T03:55:49.133Z

The "Restrict CD-ROM Access to Locally Logged-On User Only" policy should be set correctly.

AC-3

CM-6

CM-7

SC-5

CCE-2868-8

2009-07-30T19:30:55.267Z

The "Turn Off Handwriting Reconition Error Reporting" setting should be configured correctly.

CM-6

CCE-2883-7

2009-07-30T19:30:51.453Z

The "minimum password length" policy should meet minimum requirements.

CM-6

IA-5

CCE-2962-9

2009-07-30T19:30:55.907Z

2012-05-25T03:56:01.460Z

The "Turn off Heap termination on corruption" setting should be configured correctly.

CM-6

CCE-2967-8

2009-07-30T19:30:51.407Z

The "maximum password age" policy should meet minimum requirements.

AC-3

CM-6

CM-7

IA-5

SC-5

CCE-2975-1

2009-07-30T19:30:54.797Z

2012-05-25T03:55:58.243Z

The "Do not allow passwords to be saved" setting should be configured correctly for Terminal Services.

IA-2

IA-5

CCE-2979-3

2009-07-30T19:30:54.920Z

2012-05-25T03:55:58.650Z

Hide mechanisms to remove zone information is set correcly.

CM-6

CCE-3001-5

2009-07-30T19:30:52.377Z

2012-05-25T03:55:49.603Z

The "Shut Down system immediately if unable to log security audits" policy should be set correctly.

AC-3

AU-5

CM-6

CM-7

SC-5

CCE-3023-9

2009-07-30T19:30:52.453Z

2012-05-25T03:55:49.913Z

The "Digitally Sign Server Communication (Always)" policy should be set correctly.

AC-3

CM-6

CM-7

SC-5

CCE-3032-0

2009-07-30T19:30:51.687Z

Use of the built-in Administrator account should be enabled or disabled as appropriate.

AC-3

CM-6

CM-7

SC-5

CCE-3033-8

2009-07-30T19:30:51.483Z

The "password must meet complexity requirments" policy should be set correctly.

CM-6

IA-5

CCE-3045-2

2009-07-30T19:30:55.093Z

The "Prohibit Access of the Windows Connect Now Wizards" setting should be configured correctly.

SC-7

CCE-3050-2

2009-07-30T19:30:52.983Z

2012-05-25T03:55:51.807Z

The "Screen Saver Timeout" setting should be configured correctly for the current user.

AC-1

AC-3

CM-6

CM-7

CCE-3072-6

2009-07-30T19:30:51.767Z

Automatic Logon should be properly configured.

AC-3

CM-6

CM-7

IA-2

SC-5

CCE-3075-9

2009-07-30T19:30:52.703Z

2012-05-25T03:55:50.867Z

The "Maximum machine account password age" policy should be set correctly.

AC-3

CM-6

CM-7

IA-5

SC-5

CCE-3082-5

2009-07-30T19:30:51.563Z

2012-05-25T03:55:46.383Z

The startup type of the NetMeeting Remote Desktop Sharing service should be correct.

AC-1

CCE-3086-6

2009-07-30T19:30:54.530Z

2012-05-25T03:55:57.320Z

Logon - Do not process the run once list

AC-2

CM-6

CCE-3093-2

2009-07-30T19:30:55.377Z

The "Turn Off Registration if URL Connection is Referring to Microsoft.com" setting should be configured correctly.

CM-6

CCE-3115-3

2009-07-30T19:30:55.407Z

The "Turn Off the 'Order Prints' Picture Task" setting should be configured correctly.

CM-6

CCE-3120-3

2009-07-30T19:30:51.953Z

TCP/IP Dead Gateway Detection should be properly configured.

AC-3

CM-6

CM-7

SC-5

CCE-3125-2

2009-07-30T19:30:55.937Z

2012-05-25T03:56:01.570Z

The "Turn off shell protocol protected mode" setting should be configured correctly.

SC-5

SI-3

CCE-3138-5

2009-07-30T19:30:52.937Z

2012-05-25T03:55:51.663Z

The "Do not store LAN Manager hash value on next password change" policy should be set correctly.

AC-3

CM-6

CM-7

SC-5

CCE-3142-7

2009-07-30T19:30:51.967Z

The TCP/IP KeepAlive Time should be set correctly .

AC-4

SC-5

SC-7

CCE-3143-5

2009-07-30T19:30:55.813Z

2012-05-25T03:56:01.133Z

The "Prevent indexing uncached Exchange folders" setting should be configured correctly.

CM-6

CCE-3160-9

2009-07-30T19:30:53.437Z

Restrictions for Unauthenticated RPC clients (SP2 only)

IA-2

CCE-3164-1

2009-07-30T19:30:52.467Z

2012-05-25T03:55:50.007Z

The "Digitally Sign Server Communication (When Possible)" policy should be set correctly.

AC-3

CM-6

CM-7

SC-5

CCE-3168-2

2009-07-30T19:30:52.280Z

2012-05-25T03:55:49.210Z

The "Restrict Floppy Access to Locally Logged-On User Only" policy should be set correctly.

AC-3

CM-6

CM-7

SC-5

CCE-3169-0

2009-07-30T19:30:54.877Z

2012-05-25T03:55:58.477Z

Prompt for password on resume from hibernate/suspend is set correctly.

AC-1

CCE-3173-2

2009-07-30T19:30:51.890Z

Display Last User Name in Logon Screen should be properly configured.

AC-3

AC-9

CM-6

CCE-3177-3

2009-07-30T19:30:50.797Z

The "account lockout threshold" policy should meet minimum requirements.

AC-7

CM-6

CCE-3181-5

2009-07-30T19:30:52.047Z

Security Audit log warning level should be properly configured.

AC-3

CM-6

CM-7

SC-5

CCE-3199-7

2009-07-30T19:30:52.077Z

Safe DLL Search Mode should be properly configured.

AC-3

CM-6

CM-7

SC-5

CCE-3212-8

2009-07-30T19:30:52.313Z

2012-05-25T03:55:49.307Z

The "Secure Channel: Require Strong (Windows 2000 or later) Session Key" policy should be set correctly.

CM-6

SC-2

CCE-3214-4

2009-07-30T19:30:56.140Z

2012-05-25T03:56:02.400Z

The "Override the More Gadgets Link" setting should be configured correctly.

CM-6

CCE-3217-7

2009-07-30T19:30:53.063Z

2012-05-25T03:55:52.103Z

The "Allow Unsolicited Remote Assistance" policy should be set correctly for Terminal Services.

AC-1

CM-6

CCE-3220-1

2009-07-30T19:30:52.733Z

2012-05-25T03:55:50.947Z

The "Require Domain Controller authentication to unlock workstation" policy should be set correctly.

AC-3

CM-6

CM-7

SC-5

CCE-3230-0

2009-07-30T19:30:52.360Z

2012-05-25T03:55:49.507Z

The "Users Prompted to Change Password Before Expiration" policy should be set correctly.

AC-3

CM-6

CM-7

IA-5

CCE-3232-6

2009-07-30T19:30:51.593Z

2012-05-25T03:55:46.477Z

The behavior surrounding Anonymous users' abiliity to display lists of SAM accounts and shares should be correct.

AC-3

CM-6

CM-7

SC-5

CCE-3233-4

2009-07-30T19:30:52.593Z

2012-05-25T03:55:50.430Z

The "Secure Channel: Digitally Sign Secure Channel Data (When Possible)" policy should be set correctly.

CM-6

SC-2

CCE-3239-1

2009-07-30T19:30:51.813Z

ICMP Redirects should be properly configured.

AC-3

CM-6

CM-7

SC-5

CCE-3240-9

2009-07-30T19:30:51.437Z

The "minimum password age" policy should meet minimum requirements.

CM-6

IA-5

CCE-3244-1

2009-07-30T19:30:53.377Z

The automatic generation of 8.3 file names for NTFS should be enabled or disabled as appropriate.

AC-3

CM-6

CM-7

SC-5

CCE-3248-2

2009-07-30T19:30:51.670Z

Use of the built-in Guest account should be enabled or disabled as appropriate.

AC-3

CM-6

CM-7

SC-5

CCE-3251-6

2009-07-30T19:30:52.627Z

2012-05-25T03:55:50.507Z

The "Smart Card Removal Behavior" policy should be set correctly.

CM-6

CM-7

SC-5

CCE-3252-4

2009-07-30T19:30:52.407Z

2012-05-25T03:55:49.697Z

The "Digitally Sign Client Communication (Always)" policy should be set correctly.

AC-3

CM-6

CM-7

SC-5

CCE-3255-7

2009-07-30T19:30:52.640Z

2012-05-25T03:55:50.603Z

The "Prevent System Maintenance of Computer Account Password" policy should be set correctly.

AC-3

CM-6

CM-7

SC-5

CCE-3259-9

2009-07-30T19:30:54.610Z

2012-05-25T03:55:57.587Z

Turn off the Windows Messenger Customer Experience Improvement Program

CM-6

CCE-3261-5

2009-07-30T19:30:51.843Z

IP Source Routing should be properly configured.

AC-3

CM-6

CM-7

SC-5

CCE-3270-6

2009-07-30T19:30:55.063Z

The startup type of Microsoft Peer-to-Peer Networking Services should be configured correctly.

CM-6

CM-7

CCE-3271-4

2009-07-30T19:30:55.670Z

2012-05-25T03:56:00.587Z

The "Turn on session logging" setting should be configured correctly.

AU-2

CCE-3272-2

2009-07-30T19:30:51.627Z

2012-05-25T03:55:46.570Z

The behavior surrounding Anonymous users' abiliity to display lists of SAM accounts should be correct.

AC-3

CM-6

CM-7

SC-5

CCE-3279-7

2009-07-30T19:30:51.860Z

IRDP should be properly configured.

AC-3

CM-6

CM-7

SC-5

CCE-3283-9

2009-07-30T19:30:52.953Z

The "Force logoff when logon hours expire" policy should be set correctly.

AC-3

CM-6

CM-7

SC-5

CCE-3285-4

2009-07-30T19:30:52.157Z

2012-05-25T03:55:48.523Z

The "Audit the access of global system objects" policy should be set correctly.

AC-3

CM-6

CM-7

SC-5

CCE-3292-0

2009-07-30T19:30:53.313Z

The "Network access: Restrict anonymous access to named pipes and shares" setting should be configured correctly.

AC-3

CM-6

CCE-3300-1

2009-07-30T19:30:54.937Z

2012-05-25T03:55:58.743Z

Notify antivirus programs when opening attachments is set correcly.

SI-3

CCE-3303-5

2009-07-30T19:30:52.187Z

2012-05-25T03:55:48.743Z

The "Audit the use of backup and restore privilege" policy should be set correctly.

AC-3

CM-6

CM-7

SC-5

CCE-3307-6

2009-07-30T19:30:52.217Z

2012-05-25T03:55:48.930Z

The "Disable CTRL+ALT+Delete Requirement for Logon" policy should be set correctly.

AC-3

CM-6

CM-7

SC-5

CCE-3311-8

2009-07-30T19:30:51.517Z

The "store password using reversible encryption for all users in the domain" policy should be set correctly.

CM-6

IA-5

CCE-3314-2

2009-07-30T19:30:51.717Z

2012-05-25T03:55:46.913Z

The "Message title for users attempting to log on" policy should be set correctly.

AC-8

CM-6

CM-7

SC-5

CCE-3323-3

2009-07-30T19:30:53.030Z

2012-05-25T03:55:52.007Z

The "Allow Solicited Remote Assistance" policy should be set correctly for Terminal Services.

CM-6

CCE-3325-8

2009-07-30T19:30:52.233Z

2012-05-25T03:55:49.023Z

The "Prevent Users from Installing Printer Drivers" policy should be set correctly.

AC-3

CM-6

CM-7

SC-5

CCE-3330-8

2009-07-30T19:30:52.547Z

2012-05-25T03:55:50.257Z

The "Secure Channel: Digitally Encrypt or Sign Secure Channel Data (Always)" policy should be set correctly.

CM-6

SC-2

CCE-3331-6

2009-07-30T19:30:55.127Z

The "Allow remote access to the PnP interface" setting should be configured correctly.

AC-1

CCE-3336-5

2009-07-30T19:30:51.733Z

2012-05-25T03:55:47.070Z

The "Message text for users attempting to log on" policy should be set correctly.

AC-8

CM-6

CM-7

SC-5

CCE-3341-5

2009-07-30T19:30:55.983Z

2012-05-25T03:56:01.773Z

The "Report Logon Server Not Available During User logon" setting should be configured correctly.

CM-6

CCE-3348-0

2009-07-30T19:30:55.233Z

The "Turn Off Event Views 'Events.asp' Links" setting should be configured correctly.

CM-6

CCE-3349-8

2009-07-30T19:30:52.890Z

2012-05-25T03:55:51.477Z

The "Shares that can be accessed anonymously" policy should be set correctly.

AC-3

CM-6

CM-7

CCE-3358-9

2009-07-30T19:30:53.077Z

The "Configure Automatic Updates" should be set correctly

CM-2

CM-6

CCE-3361-3

2009-07-30T19:30:52.750Z

2012-05-25T03:55:51.057Z

The "Disconnect clients when logon hours expire" policy should be set correctly.

AC-3

CM-6

CM-7

SC-5

CCE-3363-9

2009-07-30T19:30:53.127Z

The "Do not display 'Install Updates and Shut Down' option in Shut Down Windows dialog box" should be set correctly

CM-6

CCE-3364-7

2009-07-30T19:30:54.577Z

2012-05-25T03:55:57.477Z

Turn off Internet download for Web publishing and online ordering wizards

CM-6

CCE-3367-0

2009-07-30T19:30:52.907Z

2012-05-25T03:55:51.587Z

The "Sharing and security model for local accounts" policy should be set correctly.

AC-3

CM-6

CM-7

CCE-3376-1

2009-07-30T19:30:55.797Z

2012-05-25T03:56:01.040Z

The "Allow indexing of encrypted files" setting should be configured correctly.

CM-6

CCE-3379-5

2009-07-30T19:30:52.780Z

2012-05-25T03:55:51.133Z

The "Do not allow storage of credentials or .NET Passports" policy should be set correctly.

AC-3

CM-6

CM-7

SC-5

CCE-3380-3

2009-07-30T19:30:52.843Z

2012-05-25T03:55:51.320Z

The "Named Pipes that can be accessed anonymously" policy should be set correctly.

AC-3

CM-6

CM-7

SC-5

CCE-3394-4

2009-07-30T19:30:53.407Z

RPC Endpiont Mapper Client Authentication (SP2 only)

IA-2

CCE-3398-5

2009-07-30T19:30:55.953Z

2012-05-25T03:56:01.663Z

The "Prohibit non-administrators from applying vendor signed updates" setting should be configured correctly.

AC-6

CM-5

CCE-3421-5

2009-07-30T19:30:54.657Z

2012-05-25T03:55:57.757Z

Turn off printing over HTTP

CM-6

CCE-3429-8

2009-07-30T19:30:53.017Z

2012-05-25T03:55:51.900Z

The "Always Prompt Client for Password upon Connection" policy should be set correctly for Terminal Services.

IA-2

CCE-3432-2

2009-07-30T19:30:55.327Z

The "Turn Off Internet Connection Wizard if URL Connection is Referring to Microsoft.com" setting should be configured correctly.

CM-6

CCE-3437-1

2009-07-30T19:30:54.890Z

2012-05-25T03:55:58.587Z

Do not preserve zone information in file attachments is set correcly.

CM-6

CCE-3450-4

2009-07-30T19:30:55.000Z

2012-05-25T03:55:58.867Z

Audit: Force audit policy subcategory settings are set correcly.

AC-3

CM-6

CM-7

SC-5

CCE-3452-0

2009-07-30T19:30:54.563Z

2012-05-25T03:55:57.400Z

Group Policy - Registry policy processing

CM-6

CCE-3456-1

2009-07-30T19:30:56.127Z

2012-05-25T03:56:02.307Z

The "Disable unpacking and installation of gadgets that are not digitally signed" setting should be configured correctly.

CM-5

CM-6

CCE-3460-3

2009-07-30T19:30:53.360Z

MSS:(TCPMaxDataRetransmissions) How many times unacknowledged data is retransmitted

AC-3

CM-6

CM-7

SC-5

CCE-3464-5

2009-07-30T19:30:55.140Z

The "Do not create system restore point when new device driver installed" setting should be configured correctly.

CM-6

CCE-3468-6

2009-07-30T19:30:55.170Z

The "Do not send a Windows Error Report when a generic driver is installed on a device" setting should be configured correctly.

SI-1

CCE-3469-4

2009-07-30T19:30:55.577Z

2012-05-25T03:56:00.273Z

The "Require a Password when a Computer Wakes (Plugged)" setting should be configured correctly.

AC-3

CCE-3482-7

2009-07-30T19:30:56.187Z

The "Do not allow Digital Locker to run" setting should be configured correctly.

CM-6

CCE-3486-8

2009-07-30T19:30:56.047Z

2012-05-25T03:56:02.057Z

The "Prevent Windows Media DRM Internet Access" setting should be configured correctly.

AC-4

CCE-3500-6

2009-07-30T19:30:56.170Z

2012-05-25T03:56:02.477Z

The "Turn Off User Installed Windows Sidebar Gadgets" setting should be configured correctly.

CM-6

CCE-3953-7

2009-07-30T19:30:56.627Z

2012-05-25T03:56:03.727Z

The "Recovery Console: Allow Floppy Copy and Access to All Drives and All Folders" policy should be set correctly.

AC-3

CM-6

CM-7

SC-5

CCE-3954-5

2009-07-30T19:30:56.657Z

2012-05-25T03:56:03.790Z

The "Allow System to be Shut Down Without Having to Log On" policy should be set correctly.

AC-3

CM-6

CM-7

SC-5

CCE-3969-3

2009-07-30T19:30:56.670Z

2012-05-25T03:56:03.867Z

The "Clear Virtual Memory Pagefile at shutdown" policy should be set correctly.

AC-3

CM-6

CM-7

SC-5

CCE-4011-3

2009-07-30T19:30:56.750Z

2012-05-25T03:56:04.070Z

The "Strengthen Default Permissions of Global System Objects" policy should be set correctly.

AC-3

CM-6

CCE-4016-2

2009-07-30T19:30:56.797Z

The "Behavior of the elevation prompt for administrators in Admin Approval Mode" setting should be configured correctly.

AC-3

AC-6

CCE-4020-4

2009-07-30T19:30:56.890Z

The "User Account Control: Only elevate UIAccess applications that are installed in secure locations" setting should be configured correctly.

AC-3

AC-6

CCE-4034-5

2009-07-30T19:30:57.547Z

The "load and unload device drivers" user right should be assigned to the correct accounts.

AC-3

CM-6

CCE-4038-6

2009-07-30T19:30:57.627Z

The "log on as a service" user right should be assigned to the correct accounts.

AC-3

CM-6

CCE-4046-9

2009-07-30T19:30:57.640Z

The "manage auditing and security log" user right should be assigned to the correct accounts.

AC-3

CM-6

CCE-4048-5

2009-07-30T19:30:57.687Z

The "modify firmware environment values" user right should be assigned to the correct accounts.

AC-3

CM-6

CCE-4071-7

2009-07-30T19:30:57.717Z

The "perform volume maintenance tasks" user right should be assigned to the correct accounts.

AC-3

CM-6

CCE-4077-4

2009-07-30T19:30:58.000Z

The "Turn on Responder (RSPNDR) driver" setting should be configured correctly for the domain profile.

CM-6

CCE-4083-2

2009-07-30T19:30:57.593Z

The "log on as a batch job" user right should be assigned to the correct accounts.

AC-3

CM-6

CCE-4088-1

2009-07-30T19:30:57.000Z

The "act as part of the operating system" user right should be assigned to the correct accounts.

AC-3

CM-6

CCE-4089-9

2009-07-30T19:30:58.453Z

The "Do not send additional data" setting should be configured correctly.

CM-6

CCE-4093-1

2009-07-30T19:30:58.733Z

Auditing of "Account Management: Computer Account Management" events on success should be enabled or disabled as appropriate.

AU-2

CCE-4107-9

2009-07-30T19:30:56.610Z

2012-05-25T03:56:03.663Z

The "Recovery Console: Allow Automatic Administrative Logon" policy should be set correctly.

AC-3

CM-6

CM-7

SC-5

CCE-4142-6

2009-07-30T19:30:58.907Z

Auditing of "Account Management: Security Group Management" events on failure should be enabled or disabled as appropriate.

AU-2

CCE-4152-5

2009-07-30T19:30:58.017Z

Installation and Configuration of Network Bridge on the DNS Domain Network should be properly configured.

CM-7

CCE-4166-5

2009-07-30T19:30:59.017Z

Auditing of "Detailed Tracking: Process Creation" events on success should be enabled or disabled as appropriate.

AU-2

CCE-4183-0

2009-07-30T19:30:59.593Z

Auditing of "Logon/Logoff: Logoff" events on failure should be enabled or disabled as appropriate.

AC-7

AU-2

CCE-4184-8

2009-07-30T19:30:57.267Z

The "create permanent shared objects" user right should be assigned to the correct accounts.

AC-3

CM-6

CCE-4194-7

2009-07-30T19:30:56.953Z

The "User Account Control: Virtualize file and registry write failures to per-user locations" setting should be configured correctly.

AC-3

AC-6

CCE-4201-0

2009-07-30T19:31:00.313Z

Auditing of "Policy Change: Audit Policy Change" events on success should be enabled or disabled as appropriate.

AU-2

CCE-4213-5

2009-07-30T19:30:56.577Z

2012-05-25T03:56:03.587Z

The "Minimum session security for NTLM SSP based servers" policy should be set correctly.

AC-3

CM-6

CM-7

SC-5

CCE-4228-3

2009-07-30T19:30:58.750Z

Auditing of "Account Management: Computer Account Management" events on failure should be enabled or disabled as appropriate.

AU-2

CCE-4264-8

2009-07-30T19:30:57.077Z

The "allow logon through Terminal Services" user right should be assigned to the correct accounts.

AC-3

CM-6

CCE-4267-1

2009-07-30T19:30:58.327Z

The "Set time limit for idle sessions" policy should be set correctly for Terminal Services.

AC-1

AC-3

CM-6

CM-7

CCE-4285-3

2009-07-30T19:30:57.670Z

The "Modify an object label" user right should be assigned to the appropriate accounts.

AC-3

CM-6

CCE-4290-3

2009-07-30T19:30:58.627Z

2012-05-25T03:56:08.337Z

The "Password protect the screen saver" setting should be configured correctly for the current user.

AC-1

CM-6

IA-5

CCE-4300-0

2009-07-30T19:31:00.703Z

Auditing of "Privilege Use: Sensitive Privilege Use" events on success should be enabled or disabled as appropriate.

AC-6

AU-2

CCE-4317-4

2009-07-30T19:30:57.577Z

The "lock pages in memory" user right should be assigned to the correct accounts.

AC-3

CM-6

CCE-4334-9

2009-07-30T19:30:56.983Z

The "access this computer from the network" user right should be assigned to the correct accounts.

AC-3

CM-6

CCE-4372-9

2009-07-30T19:30:57.813Z

The "replace a process-level token" user right should be assigned to the correct accounts.

AC-3

CM-6

CCE-4382-8

2009-07-30T19:30:57.483Z

2012-05-25T03:56:05.807Z

The "Impersonate a client after authentication" user right should be assigned to the correct accounts.

AC-3

CM-6

CCE-4405-7

2009-07-30T19:30:58.530Z

The "Do Not Show First Use Dialog Boxes" setting for Windows Media Player should be configured correctly.

CM-6

CCE-4423-0

2009-07-30T19:30:59.657Z

Auditing of "Logon/Logoff: Logon" events on failure should be enabled or disabled as appropriate.

AC-7

AU-2

CCE-4488-3

2009-07-30T19:30:57.453Z

The "generate security audits" user right should be assigned to the correct accounts.

AC-3

AU-9

CM-6

CCE-4516-1

2009-07-30T19:31:00.390Z

Auditing of "Policy Change: Authentication Policy Change" events on failure should be enabled or disabled as appropriate.

AU-2

CCE-4535-1

2009-07-30T19:31:00.877Z

Auditing of "System: Security State Change" events on success should be enabled or disabled as appropriate.

SI-6

CCE-4569-0

2009-07-30T19:30:57.860Z

The "shut down the system" user right should be assigned to the correct accounts.

AC-3

CM-6

CM-7

CCE-4583-1

2009-07-30T19:30:56.547Z

2012-05-25T03:56:03.477Z

The "Minimum session security for NTLM SSP based clients" policy should be set correctly.

AC-3

CM-6

CM-7

SC-5

CCE-4594-8

2009-07-30T19:31:00.217Z

Auditing of "Object Access: Registry" events on success should be enabled or disabled as appropriate.

AU-2

CCE-4612-8

2009-07-30T19:30:56.843Z

The "User Account Control: Detect application installations and prompt for elevation" setting should be configured correctly.

AC-3

AC-6

CCE-4618-5

2009-07-30T19:30:57.767Z

The "profile system performance" user right should be assigned to the correct accounts.

AC-3

CM-6

CCE-4629-2

2009-07-30T19:30:58.500Z

The "Enable User Control Over Installs" policy should be set correctly.

AC-6

CCE-4651-6

2009-07-30T19:30:57.500Z

The "Increase a Process Working Set" setting should be configured correctly.

AC-3

CM-6

CCE-4656-5

2009-07-30T19:30:57.407Z

The "deny logon through Terminal Services" user right should be assigned to the correct accounts.

AC-3

CM-6

CCE-4673-0

2009-07-30T19:30:57.437Z

The "force shutdown from a remote system" user right should be assigned to the correct accounts.

AC-3

CM-6

CCE-4687-0

2009-07-30T19:30:57.297Z

The "debug programs" user right should be assigned to the correct accounts.

AC-3

CM-6

CCE-4694-6

2009-07-30T19:30:58.157Z

2012-05-25T03:56:07.210Z

The "Enable Error Reporting" policy should be set correctly.

CM-6

CCE-4703-5

2009-07-30T19:30:59.577Z

Auditing of "Logon/Logoff: Logoff" events on success should be enabled or disabled as appropriate.

AC-7

AU-2

CCE-4704-3

2009-07-30T19:30:57.313Z

The "deny access to this computer from the network" user right should be assigned to the correct accounts.

AC-3

CM-6

CCE-4722-5

2009-07-30T19:30:57.343Z

The "deny logon as a batch job" user right should be assigned to the correct accounts.

AC-3

CM-6

CCE-4734-0

2009-07-30T19:31:00.733Z

Auditing of "Privilege Use: Sensitive Privilege Use" events on failure should be enabled or disabled as appropriate.

AC-6

AU-2

CCE-4757-1

2009-07-30T19:30:57.187Z

The "create a pagefile" user right should be assigned to the correct accounts.

AC-3

CM-6

CCE-4761-3

2009-07-30T19:30:58.360Z

Computer-wide, rather than per-user, use of Microsoft Spynet Reporting for Windows Defender should be enabled or disabled as appropriate.

CM-6

CCE-4774-6

2009-07-30T19:30:56.703Z

2012-05-25T03:56:03.930Z

The "Use FIPS compliant algorithms for encryption, hashing, and signing" policy should be set correctly.

IA-5

SC-2

SC-9

CCE-4781-1

2009-07-30T19:30:56.467Z

The "Remotely accessible registry paths and subpaths" policy should be set correctly.

AC-3

CM-6

CM-7

SC-5

CCE-4783-7

2009-07-30T19:30:58.843Z

Auditing of "Account Management: Other Account Management Events" events on failure should be enabled or disabled as appropriate.

AU-2

CCE-4792-8

2009-07-30T19:30:57.250Z

The "Create global objects" user right should be assigned to the correct accounts.

AC-3

CM-6

CCE-4796-9

2009-07-30T19:30:57.530Z

The "increase scheduling priority" user right should be assigned to the correct accounts.

AC-3

CM-6

CCE-4811-6

2009-07-30T19:31:01.313Z

The Teredo tunneling protocol for IPv6 should be enabled or disabled as appropriate.

CM-6

CM-7

CCE-4813-2

2009-07-30T19:30:58.170Z

Use Classic Logon should be properly configured.

CM-6

CCE-4822-3

2009-07-30T19:31:01.000Z

Auditing of "System: System Integrity" events on failure should be enabled or disabled as appropriate.

SI-7

CCE-4824-9

2009-07-30T19:30:59.750Z

Auditing of "Logon/Logoff: Special Logon" events on failure should be enabled or disabled as appropriate.

AC-7

AU-2

CCE-4827-2

2009-07-30T19:30:57.093Z

The "back up files and directories" user right should be assigned to the correct accounts.

AC-3

CM-6

CCE-4833-0

2009-07-30T19:30:58.920Z

Auditing of "Account Management: User Account Management" events on success should be enabled or disabled as appropriate.

AU-2

CCE-4841-3

2009-07-30T19:30:56.717Z

2012-05-25T03:56:03.993Z

The "Require Case Insensitivity for Non-Windows Sybsystems" policy should be set correctly.

AC-3

CM-6

CM-7

SC-5

CCE-4851-2

2009-07-30T19:31:01.360Z

The "Turn off Help Ratings" setting should be configured correctly.

CM-6

CCE-4854-6

2009-07-30T19:30:57.030Z

The "adjust memory quotas for a process" user right should be assigned to the correct accounts.

AC-3

CM-6

CCE-4861-1

2009-07-30T19:30:57.797Z

The "remove computer from docking station" user right should be assigned to the correct accounts.

AC-3

CM-6

CCE-4863-7

2009-07-30T19:30:57.140Z

The "change the system time" user right should be assigned to the correct accounts.

AU-8

CM-7

CCE-4866-0

2009-07-30T19:30:58.280Z

The "Set Client connection Encryption Level" policy should be set correctly for Terminal Services.

SC-1

CCE-4867-8

2009-07-30T19:30:57.360Z

The "deny logon as a service" user right should be assigned to the correct accounts.

AC-3

CM-6

CCE-4872-8

2009-07-30T19:30:57.047Z

The "log on locally" user right should be assigned to the correct accounts.

AC-3

CM-6

CCE-4877-7

2009-07-30T19:31:00.360Z

Auditing of "Policy Change: Authentication Policy Change" events on success should be enabled or disabled as appropriate.

AU-2

CCE-4879-3

2009-07-30T19:31:00.797Z

Auditing of "System: Ipsec Driver" events on failure should be enabled or disabled as appropriate.

SC-8

CCE-4889-2

2009-07-30T19:30:57.390Z

The "deny logon locally" user right should be assigned to the correct accounts.

AC-3

CM-6

CCE-4898-3

2009-07-30T19:30:58.563Z

The "Disable Media Player for automatic updates" policy should be set correctly.

SI-2

CCE-4902-3

2009-07-30T19:30:57.217Z

The "Create a token object" user right should be assigned to the correct accounts.

AC-3

CM-6

CCE-4904-9

2009-07-30T19:30:56.453Z

Kerberos and RSVP Traffic Protected by IPSec should be properly configured.

AC-3

CM-6

CM-7

SC-5

CCE-4907-2

2009-07-30T19:30:56.907Z

The "User Account Control: Run all administrators in Admin Approval Mode" setting should be configured correctly.

AC-3

AC-6

CCE-4910-6

2009-07-30T19:31:00.953Z

Auditing of "System: Security System Extension" events on failure should be enabled or disabled as appropriate.

SI-6

CCE-4915-5

2009-07-30T19:30:58.377Z

The "Disable Logging" setting should be configured correctly.

AU-2

CCE-4916-3

2009-07-30T19:30:58.827Z

Auditing of "Account Management: Other Account Management Events" events on success should be enabled or disabled as appropriate.

AU-2

CCE-4919-7

2009-07-30T19:30:58.420Z

The "Display Error Notification" setting should be configured correctly.

CM-6

CCE-4921-3

2009-07-30T19:30:59.920Z

Auditing of "Object Access: File System" events on success should be enabled or disabled as appropriate.

AU-2

CCE-4922-1

2009-07-30T19:30:56.500Z

2012-05-25T03:56:03.243Z

The "LAN Manager Authentication Level" policy should be set correctly.

AC-3

CM-6

CM-7

SC-5

CCE-4925-4

2009-07-30T19:30:56.937Z

The "User Account Control: Switch to the secure desktop when prompting for elevation" setting should be configured correctly.

AC-3

AC-6

CCE-4940-3

2009-07-30T19:30:56.517Z

2012-05-25T03:56:03.367Z

The "LDAP client signing requirements" policy should be set correctly.

AC-3

CM-6

CM-7

SC-5

CCE-4948-6

2009-07-30T19:30:57.843Z

The "restore files and directories" user right should be assigned to the correct accounts.

AC-3

CM-6

CCE-4955-1

2009-07-30T19:30:56.767Z

The "User Account Control: Admin Approval Mode for the Built-in Administrator account" setting should be configured correctly.

AC-3

AC-6

CCE-4956-9

2009-07-30T19:30:59.717Z

Auditing of "Logon/Logoff: Special Logon" events on success should be enabled or disabled as appropriate.

AC-7

AU-2

CCE-4962-7

2009-07-30T19:30:57.733Z

The "profile single process" user right should be assigned to the correct accounts.

AC-3

CM-6

CCE-4969-2

2009-07-30T19:30:56.813Z

The "Behavior of the elevation prompt for standard users" setting should be configured correctly.

AC-3

AC-6

CCE-4970-0

2009-07-30T19:30:57.890Z

The "synchronize directory service data" user right should be assigned to the correct accounts.

AC-3

CM-6

CCE-4973-4

2009-07-30T19:30:57.127Z

The "bypass traverse checking" user right should be assigned to the correct accounts.

AC-3

CM-6

CCE-4976-7

2009-07-30T19:31:00.767Z

Auditing of "System: Ipsec Driver" events on success should be enabled or disabled as appropriate.

SC-8

CCE-4988-2

2009-07-30T19:30:57.920Z

The "take ownership of files or other objects" user right should be assigned to the correct accounts.

AC-3

CM-6

CCE-4991-6

2009-07-30T19:30:58.483Z

The "Set Safe for Scripting" policy should be set correctly.

CM-6

CCE-4992-4

2009-07-30T19:30:57.967Z

2012-05-25T03:56:06.867Z

Internet Explorer Processes (Zone Elevation Protection)

CM-6

CCE-5004-7

2009-07-30T19:30:56.860Z

The "User Account Control: Only elevate executables that are signed and validated" setting should be configured correctly.

AC-3

AC-6

CCE-5007-0

2009-07-30T19:30:58.297Z

The "Set time limit for disconnected sessions" policy should be set correctly for Terminal Services.

AC-1

AC-3

CM-6

CM-7

CCE-5008-8

2009-07-30T19:30:57.170Z

The "Change the time zone" user right should be assigned to the appropriate accounts.

AU-8

CM-7

CCE-5018-7

2009-07-30T19:30:59.627Z

Auditing of "Logon/Logoff: Logon" events on success should be enabled or disabled as appropriate.

AC-7

AU-2

CCE-5034-4

2009-07-30T19:30:58.407Z

The "Disable Windows Error Reporting" setting should be configured correctly.

SI-2

CCE-5036-9

2009-07-30T19:31:01.297Z

The 6to4 tunneling protocol for IPv6 should be enabled or disabled as appropriate.

CM-6

CM-7

CCE-5039-3

2009-07-30T19:30:59.937Z

Auditing of "Object Access: File System" events on failure should be enabled or disabled as appropriate.

AU-2

CCE-5047-6

2009-07-30T19:31:00.967Z

Auditing of "System: System Integrity" events on success should be enabled or disabled as appropriate.

SI-7

CCE-5048-4

2009-07-30T19:30:58.877Z