StigData/Windows-2012R2-MS-2.9.xml

<DISASTIG id="Windows_2012_MS_STIG" version="2.9" created="11/21/2017">
  <AccountPolicyRule dscresourcemodule="SecurityPolicyDsc">
    <Rule id="V-1097" severity="medium" conversionstatus="pass" title="Bad Logon Attempts" dscresource="AccountPolicy">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>True</OrganizationValueRequired>
      <OrganizationValueTestString>'{0}' -le '3' -and '{0}' -ne '0'</OrganizationValueTestString>
      <PolicyName>Account lockout threshold</PolicyName>
      <PolicyValue />
      <rawString>Verify the effective setting in Local Group Policy Editor.
Run "gpedit.msc".
 
Navigate to Local Computer Policy -&gt; Computer Configuration -&gt; Windows Settings -&gt; Security Settings -&gt; Account Policies -&gt; Account Lockout Policy.
 
If the "Account lockout threshold" is "0" or more than "3" attempts, this is a finding.</rawString>
    </Rule>
    <Rule id="V-1098" severity="medium" conversionstatus="pass" title="Bad Logon Counter Reset" dscresource="AccountPolicy">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>True</OrganizationValueRequired>
      <OrganizationValueTestString>'{0}' -ge '15'</OrganizationValueTestString>
      <PolicyName>Reset account lockout counter after</PolicyName>
      <PolicyValue />
      <rawString>Verify the effective setting in Local Group Policy Editor.
Run "gpedit.msc".
 
Navigate to Local Computer Policy &gt;&gt; Computer Configuration &gt;&gt; Windows Settings &gt;&gt; Security Settings &gt;&gt; Account Policies &gt;&gt; Account Lockout Policy.
 
If the "Reset account lockout counter after" value is less than "15" minutes, this is a finding.</rawString>
    </Rule>
    <Rule id="V-1099" severity="medium" conversionstatus="pass" title="Lockout Duration" dscresource="AccountPolicy">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>True</OrganizationValueRequired>
      <OrganizationValueTestString>'{0}' -ge '15' -or '{0}' -eq '0'</OrganizationValueTestString>
      <PolicyName>Account lockout duration</PolicyName>
      <PolicyValue />
      <rawString>Verify the effective setting in Local Group Policy Editor.
Run "gpedit.msc".
 
Navigate to Local Computer Policy &gt;&gt; Computer Configuration &gt;&gt; Windows Settings &gt;&gt; Security Settings &gt;&gt; Account Policies &gt;&gt; Account Lockout Policy.
 
If the "Account lockout duration" is less than "15" minutes (excluding "0"), this is a finding.
 
Configuring this to "0", requiring an administrator to unlock the account, is more restrictive and is not a finding.</rawString>
    </Rule>
    <Rule id="V-1104" severity="medium" conversionstatus="pass" title="Maximum Password Age " dscresource="AccountPolicy">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>True</OrganizationValueRequired>
      <OrganizationValueTestString>'{0}' -le '60' -and '{0}' -ne '0'</OrganizationValueTestString>
      <PolicyName>Maximum password age</PolicyName>
      <PolicyValue />
      <rawString>Verify the effective setting in Local Group Policy Editor.
Run "gpedit.msc".
 
Navigate to Local Computer Policy -&gt; Computer Configuration -&gt; Windows Settings -&gt; Security Settings -&gt; Account Policies -&gt; Password Policy.
 
If the value for the "Maximum password age" is greater than "60" days, this is a finding. If the value is set to "0" (never expires), this is a finding.</rawString>
    </Rule>
    <Rule id="V-1105" severity="medium" conversionstatus="pass" title="Minimum Password Age" dscresource="AccountPolicy">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>True</OrganizationValueRequired>
      <OrganizationValueTestString>'{0}' -ne '0'</OrganizationValueTestString>
      <PolicyName>Minimum password age</PolicyName>
      <PolicyValue />
      <rawString>Verify the effective setting in Local Group Policy Editor.
Run "gpedit.msc".
 
Navigate to Local Computer Policy -&gt; Computer Configuration -&gt; Windows Settings -&gt; Security Settings -&gt; Account Policies -&gt; Password Policy.
 
If the value for the "Minimum password age" is set to "0" days ("Password can be changed immediately."), this is a finding.</rawString>
    </Rule>
    <Rule id="V-1107" severity="medium" conversionstatus="pass" title="Password Uniqueness" dscresource="AccountPolicy">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>True</OrganizationValueRequired>
      <OrganizationValueTestString>'{0}' -ge '24'</OrganizationValueTestString>
      <PolicyName>Enforce password history</PolicyName>
      <PolicyValue />
      <rawString>Verify the effective setting in Local Group Policy Editor.
Run "gpedit.msc".
 
Navigate to Local Computer Policy &gt;&gt; Computer Configuration &gt;&gt; Windows Settings &gt;&gt; Security Settings &gt;&gt; Account Policies &gt;&gt; Password Policy.
 
If the value for "Enforce password history" is less than "24" passwords remembered, this is a finding.</rawString>
    </Rule>
    <Rule id="V-1150" severity="medium" conversionstatus="pass" title="Microsoft Strong Password Filtering" dscresource="AccountPolicy">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <PolicyName>Password must meet complexity requirements</PolicyName>
      <PolicyValue>Enabled</PolicyValue>
      <rawString>Verify the effective setting in Local Group Policy Editor.
Run "gpedit.msc".
 
Navigate to Local Computer Policy &gt;&gt; Computer Configuration &gt;&gt; Windows Settings &gt;&gt; Security Settings &gt;&gt; Account Policies &gt;&gt; Password Policy.
 
If the value for "Password must meet complexity requirements" is not set to "Enabled", this is a finding.
 
Note: If an external password filter is in use that enforces all 4 character types and requires this setting be set to "Disabled", this would not be considered a finding. If this setting does not affect the use of an external password filter, it must be enabled for fallback purposes.</rawString>
    </Rule>
    <Rule id="V-2372" severity="high" conversionstatus="pass" title="Reversible Password Encryption" dscresource="AccountPolicy">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <PolicyName>Store passwords using reversible encryption</PolicyName>
      <PolicyValue>Disabled</PolicyValue>
      <rawString>Verify the effective setting in Local Group Policy Editor.
Run "gpedit.msc".
 
Navigate to Local Computer Policy -&gt; Computer Configuration -&gt; Windows Settings -&gt; Security Settings -&gt; Account Policies -&gt; Password Policy.
 
If the value for "Store password using reversible encryption" is not set to "Disabled", this is a finding.</rawString>
    </Rule>
    <Rule id="V-6836" severity="medium" conversionstatus="pass" title="Minimum Password Length" dscresource="AccountPolicy">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>True</OrganizationValueRequired>
      <OrganizationValueTestString>'{0}' -ge '14'</OrganizationValueTestString>
      <PolicyName>Minimum password length</PolicyName>
      <PolicyValue />
      <rawString>Verify the effective setting in Local Group Policy Editor.
Run "gpedit.msc".
 
Navigate to Local Computer Policy -&gt; Computer Configuration -&gt; Windows Settings -&gt; Security Settings -&gt; Account Policies -&gt; Password Policy.
 
If the value for the "Minimum password length," is less than "14" characters, this is a finding.</rawString>
    </Rule>
  </AccountPolicyRule>
  <AuditPolicyRule dscresourcemodule="AuditPolicyDsc">
    <Rule id="V-26529" severity="medium" conversionstatus="pass" title="Audit - Credential Validation - Success" dscresource="AuditPolicySubcategory">
      <AuditFlag>Success</AuditFlag>
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective.
 
Use the AuditPol tool to review the current Audit Policy configuration:
-Open a Command Prompt with elevated privileges ("Run as Administrator").
-Enter "AuditPol /get /category:*".
 
Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding.
 
Account Logon -&gt; Credential Validation - Success</rawString>
      <Subcategory>Credential Validation</Subcategory>
    </Rule>
    <Rule id="V-26530" severity="medium" conversionstatus="pass" title="Audit - Credential Validation - Failure" dscresource="AuditPolicySubcategory">
      <AuditFlag>Failure</AuditFlag>
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective.
 
Use the AuditPol tool to review the current Audit Policy configuration:
-Open a Command Prompt with elevated privileges ("Run as Administrator").
-Enter "AuditPol /get /category:*".
 
Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding.
 
Account Logon -&gt; Credential Validation - Failure</rawString>
      <Subcategory>Credential Validation</Subcategory>
    </Rule>
    <Rule id="V-26531" severity="medium" conversionstatus="pass" title="Audit - Computer Account Management - Success" dscresource="AuditPolicySubcategory">
      <AuditFlag>Success</AuditFlag>
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective.
 
Use the AuditPol tool to review the current Audit Policy configuration:
-Open a Command Prompt with elevated privileges ("Run as Administrator").
-Enter "AuditPol /get /category:*".
 
Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding.
 
Account Management -&gt; Computer Account Management - Success</rawString>
      <Subcategory>Computer Account Management</Subcategory>
    </Rule>
    <Rule id="V-26532" severity="medium" conversionstatus="pass" title="Audit - Computer Account Management - Failure" dscresource="AuditPolicySubcategory">
      <AuditFlag>Failure</AuditFlag>
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective.
 
Use the AuditPol tool to review the current Audit Policy configuration:
-Open a Command Prompt with elevated privileges ("Run as Administrator").
-Enter "AuditPol /get /category:*".
 
Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding.
 
Account Management -&gt; Computer Account Management - Failure</rawString>
      <Subcategory>Computer Account Management</Subcategory>
    </Rule>
    <Rule id="V-26533" severity="medium" conversionstatus="pass" title="Audit - Other Account Management Events - Success" dscresource="AuditPolicySubcategory">
      <AuditFlag>Success</AuditFlag>
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective.
 
Use the AuditPol tool to review the current Audit Policy configuration:
-Open a Command Prompt with elevated privileges ("Run as Administrator").
-Enter "AuditPol /get /category:*".
 
Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding.
 
Account Management -&gt; Other Account Management Events - Success</rawString>
      <Subcategory>Other Account Management Events</Subcategory>
    </Rule>
    <Rule id="V-26534" severity="medium" conversionstatus="pass" title="Audit - Other Account Management Events - Failure" dscresource="AuditPolicySubcategory">
      <AuditFlag>Failure</AuditFlag>
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective.
 
Use the AuditPol tool to review the current Audit Policy configuration:
-Open a Command Prompt with elevated privileges ("Run as Administrator").
-Enter "AuditPol /get /category:*".
 
Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding.
 
Account Management -&gt; Other Account Management Events - Failure</rawString>
      <Subcategory>Other Account Management Events</Subcategory>
    </Rule>
    <Rule id="V-26535" severity="medium" conversionstatus="pass" title="Audit - Security Group Management - Success" dscresource="AuditPolicySubcategory">
      <AuditFlag>Success</AuditFlag>
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective.
 
Use the AuditPol tool to review the current Audit Policy configuration:
-Open a Command Prompt with elevated privileges ("Run as Administrator").
-Enter "AuditPol /get /category:*".
 
Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding.
 
Account Management -&gt; Security Group Management - Success</rawString>
      <Subcategory>Security Group Management</Subcategory>
    </Rule>
    <Rule id="V-26536" severity="medium" conversionstatus="pass" title="Audit - Security Group Management - Failure" dscresource="AuditPolicySubcategory">
      <AuditFlag>Failure</AuditFlag>
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective.
 
Use the AuditPol tool to review the current Audit Policy configuration:
-Open a Command Prompt with elevated privileges ("Run as Administrator").
-Enter "AuditPol /get /category:*".
 
Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding.
 
Account Management -&gt; Security Group Management - Failure</rawString>
      <Subcategory>Security Group Management</Subcategory>
    </Rule>
    <Rule id="V-26537" severity="medium" conversionstatus="pass" title="Audit - User Account Management - Success" dscresource="AuditPolicySubcategory">
      <AuditFlag>Success</AuditFlag>
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective.
 
Use the AuditPol tool to review the current Audit Policy configuration:
-Open a Command Prompt with elevated privileges ("Run as Administrator").
-Enter "AuditPol /get /category:*".
 
Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding.
 
Account Management -&gt; User Account Management - Success</rawString>
      <Subcategory>User Account Management</Subcategory>
    </Rule>
    <Rule id="V-26538" severity="medium" conversionstatus="pass" title="Audit - User Account Management - Failure" dscresource="AuditPolicySubcategory">
      <AuditFlag>Failure</AuditFlag>
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective.
 
Use the AuditPol tool to review the current Audit Policy configuration:
-Open a Command Prompt with elevated privileges ("Run as Administrator").
-Enter "AuditPol /get /category:*".
 
Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding.
 
Account Management -&gt; User Account Management - Failure</rawString>
      <Subcategory>User Account Management</Subcategory>
    </Rule>
    <Rule id="V-26539" severity="medium" conversionstatus="pass" title="Audit - Process Creation - Success" dscresource="AuditPolicySubcategory">
      <AuditFlag>Success</AuditFlag>
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective.
 
Use the AuditPol tool to review the current Audit Policy configuration:
-Open a Command Prompt with elevated privileges ("Run as Administrator").
-Enter "AuditPol /get /category:*".
 
Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding.
 
Detailed Tracking -&gt; Process Creation - Success</rawString>
      <Subcategory>Process Creation</Subcategory>
    </Rule>
    <Rule id="V-26540" severity="medium" conversionstatus="pass" title="Audit - Logoff - Success" dscresource="AuditPolicySubcategory">
      <AuditFlag>Success</AuditFlag>
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective.
 
Use the AuditPol tool to review the current Audit Policy configuration:
-Open a Command Prompt with elevated privileges ("Run as Administrator").
-Enter "AuditPol /get /category:*".
 
Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding.
 
Logon/Logoff -&gt; Logoff - Success</rawString>
      <Subcategory>Logoff</Subcategory>
    </Rule>
    <Rule id="V-26541" severity="medium" conversionstatus="pass" title="Audit - Logon - Success" dscresource="AuditPolicySubcategory">
      <AuditFlag>Success</AuditFlag>
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective.
 
Use the AuditPol tool to review the current Audit Policy configuration:
-Open a Command Prompt with elevated privileges ("Run as Administrator").
-Enter "AuditPol /get /category:*".
 
Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding.
 
Logon/Logoff -&gt; Logon - Success</rawString>
      <Subcategory>Logon</Subcategory>
    </Rule>
    <Rule id="V-26542" severity="medium" conversionstatus="pass" title="Audit - Logon - Failure" dscresource="AuditPolicySubcategory">
      <AuditFlag>Failure</AuditFlag>
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective.
 
Use the AuditPol tool to review the current Audit Policy configuration:
-Open a Command Prompt with elevated privileges ("Run as Administrator").
-Enter "AuditPol /get /category:*".
 
Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding.
 
Logon/Logoff -&gt; Logon - Failure</rawString>
      <Subcategory>Logon</Subcategory>
    </Rule>
    <Rule id="V-26543" severity="medium" conversionstatus="pass" title="Audit - Special Logon - Success" dscresource="AuditPolicySubcategory">
      <AuditFlag>Success</AuditFlag>
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective.
 
Use the AuditPol tool to review the current Audit Policy configuration:
-Open a Command Prompt with elevated privileges ("Run as Administrator").
-Enter "AuditPol /get /category:*".
 
Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding.
 
Logon/Logoff -&gt; Special Logon - Success</rawString>
      <Subcategory>Special Logon</Subcategory>
    </Rule>
    <Rule id="V-26546" severity="medium" conversionstatus="pass" title="Audit - Audit Policy Change - Success" dscresource="AuditPolicySubcategory">
      <AuditFlag>Success</AuditFlag>
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective.
 
Use the AuditPol tool to review the current Audit Policy configuration:
-Open a Command Prompt with elevated privileges ("Run as Administrator").
-Enter "AuditPol /get /category:*".
 
Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding.
 
Policy Change -&gt; Audit Policy Change - Success</rawString>
      <Subcategory>Audit Policy Change</Subcategory>
    </Rule>
    <Rule id="V-26547" severity="medium" conversionstatus="pass" title="Audit - Audit Policy Change - Failure" dscresource="AuditPolicySubcategory">
      <AuditFlag>Failure</AuditFlag>
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective.
 
Use the AuditPol tool to review the current Audit Policy configuration:
-Open a Command Prompt with elevated privileges ("Run as Administrator").
-Enter "AuditPol /get /category:*".
 
Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding.
 
Policy Change -&gt; Audit Policy Change - Failure</rawString>
      <Subcategory>Audit Policy Change</Subcategory>
    </Rule>
    <Rule id="V-26548" severity="medium" conversionstatus="pass" title="Audit - Authentication Policy Change - Success" dscresource="AuditPolicySubcategory">
      <AuditFlag>Success</AuditFlag>
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective.
 
Use the AuditPol tool to review the current Audit Policy configuration:
-Open a Command Prompt with elevated privileges ("Run as Administrator").
-Enter "AuditPol /get /category:*".
 
Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding.
 
Policy Change -&gt; Authentication Policy Change - Success</rawString>
      <Subcategory>Authentication Policy Change</Subcategory>
    </Rule>
    <Rule id="V-26549" severity="medium" conversionstatus="pass" title="Audit - Sensitive Privilege Use - Success" dscresource="AuditPolicySubcategory">
      <AuditFlag>Success</AuditFlag>
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective.
 
Use the AuditPol tool to review the current Audit Policy configuration:
-Open a Command Prompt with elevated privileges ("Run as Administrator").
-Enter "AuditPol /get /category:*".
 
Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding.
 
Privilege Use -&gt; Sensitive Privilege Use - Success</rawString>
      <Subcategory>Sensitive Privilege Use</Subcategory>
    </Rule>
    <Rule id="V-26550" severity="medium" conversionstatus="pass" title="Audit - Sensitive Privilege Use - Failure" dscresource="AuditPolicySubcategory">
      <AuditFlag>Failure</AuditFlag>
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective.
 
Use the AuditPol tool to review the current Audit Policy configuration:
-Open a Command Prompt with elevated privileges ("Run as Administrator").
-Enter "AuditPol /get /category:*".
 
Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding.
 
Privilege Use -&gt; Sensitive Privilege Use - Failure</rawString>
      <Subcategory>Sensitive Privilege Use</Subcategory>
    </Rule>
    <Rule id="V-26551" severity="medium" conversionstatus="pass" title="Audit - IPSec Driver - Success" dscresource="AuditPolicySubcategory">
      <AuditFlag>Success</AuditFlag>
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective.
 
Use the AuditPol tool to review the current Audit Policy configuration:
-Open a Command Prompt with elevated privileges ("Run as Administrator").
-Enter "AuditPol /get /category:*".
 
Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding.
 
System -&gt; IPsec Driver - Success</rawString>
      <Subcategory>IPsec Driver</Subcategory>
    </Rule>
    <Rule id="V-26552" severity="medium" conversionstatus="pass" title="Audit - IPSec Driver - Failure" dscresource="AuditPolicySubcategory">
      <AuditFlag>Failure</AuditFlag>
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective.
 
Use the AuditPol tool to review the current Audit Policy configuration:
-Open a Command Prompt with elevated privileges ("Run as Administrator").
-Enter "AuditPol /get /category:*".
 
Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding.
 
System -&gt; IPsec Driver - Failure</rawString>
      <Subcategory>IPsec Driver</Subcategory>
    </Rule>
    <Rule id="V-26553" severity="medium" conversionstatus="pass" title="Audit - Security State Change - Success" dscresource="AuditPolicySubcategory">
      <AuditFlag>Success</AuditFlag>
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective.
 
Use the AuditPol tool to review the current Audit Policy configuration:
-Open a Command Prompt with elevated privileges ("Run as Administrator").
-Enter "AuditPol /get /category:*".
 
Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding.
 
System -&gt; Security State Change - Success</rawString>
      <Subcategory>Security State Change</Subcategory>
    </Rule>
    <Rule id="V-26554" severity="medium" conversionstatus="pass" title="Audit - Security State Change - Failure" dscresource="AuditPolicySubcategory">
      <AuditFlag>Failure</AuditFlag>
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective.
 
Use the AuditPol tool to review the current Audit Policy configuration:
-Open a Command Prompt with elevated privileges ("Run as Administrator").
-Enter "AuditPol /get /category:*".
 
Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding.
 
System -&gt; Security State Change - Failure</rawString>
      <Subcategory>Security State Change</Subcategory>
    </Rule>
    <Rule id="V-26555" severity="medium" conversionstatus="pass" title="Audit - Security System Extension - Success" dscresource="AuditPolicySubcategory">
      <AuditFlag>Success</AuditFlag>
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective.
 
Use the AuditPol tool to review the current Audit Policy configuration:
-Open a Command Prompt with elevated privileges ("Run as Administrator").
-Enter "AuditPol /get /category:*".
 
Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding.
 
System -&gt; Security System Extension - Success</rawString>
      <Subcategory>Security System Extension</Subcategory>
    </Rule>
    <Rule id="V-26556" severity="medium" conversionstatus="pass" title="Audit - Security System Extension - Failure" dscresource="AuditPolicySubcategory">
      <AuditFlag>Failure</AuditFlag>
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective.
 
Use the AuditPol tool to review the current Audit Policy configuration:
-Open a Command Prompt with elevated privileges ("Run as Administrator").
-Enter "AuditPol /get /category:*".
 
Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding.
 
System -&gt; Security System Extension - Failure</rawString>
      <Subcategory>Security System Extension</Subcategory>
    </Rule>
    <Rule id="V-26557" severity="medium" conversionstatus="pass" title="Audit - System Integrity - Success" dscresource="AuditPolicySubcategory">
      <AuditFlag>Success</AuditFlag>
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective.
 
Use the AuditPol tool to review the current Audit Policy configuration:
-Open a Command Prompt with elevated privileges ("Run as Administrator").
-Enter "AuditPol /get /category:*".
 
Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding.
 
System -&gt; System Integrity - Success</rawString>
      <Subcategory>System Integrity</Subcategory>
    </Rule>
    <Rule id="V-26558" severity="medium" conversionstatus="pass" title="Audit - System Integrity - Failure" dscresource="AuditPolicySubcategory">
      <AuditFlag>Failure</AuditFlag>
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective.
 
Use the AuditPol tool to review the current Audit Policy configuration:
-Open a Command Prompt with elevated privileges ("Run as Administrator").
-Enter "AuditPol /get /category:*".
 
Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding.
 
System -&gt; System Integrity - Failure</rawString>
      <Subcategory>System Integrity</Subcategory>
    </Rule>
    <Rule id="V-36667" severity="medium" conversionstatus="pass" title="WINAU-000016" dscresource="AuditPolicySubcategory">
      <AuditFlag>Failure</AuditFlag>
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective.
 
Use the AuditPol tool to review the current Audit Policy configuration:
-Open a Command Prompt with elevated privileges ("Run as Administrator").
-Enter "AuditPol /get /category:*"
 
Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding.
 
Object Access &gt;&gt; Removable Storage - Failure
 
Virtual machines or systems that use network attached storage may generate excessive audit events for secondary virtual drives or the network attached storage when this setting is enabled. This may be set to Not Configured in such cases and would not be a finding.</rawString>
      <Subcategory>Removable Storage</Subcategory>
    </Rule>
    <Rule id="V-36668" severity="medium" conversionstatus="pass" title="WINAU-000017" dscresource="AuditPolicySubcategory">
      <AuditFlag>Success</AuditFlag>
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective.
 
Use the AuditPol tool to review the current Audit Policy configuration:
-Open a Command Prompt with elevated privileges ("Run as Administrator").
-Enter "AuditPol /get /category:*"
 
Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding.
 
Object Access &gt;&gt; Removable Storage - Success
 
Virtual machines or systems that use network attached storage may generate excessive audit events for secondary virtual drives or the network attached storage when this setting is enabled. This may be set to Not Configured in such cases and would not be a finding.</rawString>
      <Subcategory>Removable Storage</Subcategory>
    </Rule>
    <Rule id="V-40200" severity="medium" conversionstatus="pass" title="WNAU-000060" dscresource="AuditPolicySubcategory">
      <AuditFlag>Failure</AuditFlag>
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective.
 
Use the AuditPol tool to review the current Audit Policy configuration:
-Open a Command Prompt with elevated privileges ("Run as Administrator").
-Enter "AuditPol /get /category:*".
 
Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding.
 
Object Access -&gt; Central Policy Staging - Failure</rawString>
      <Subcategory>Central Policy Staging</Subcategory>
    </Rule>
    <Rule id="V-40202" severity="medium" conversionstatus="pass" title="WNAU-000059" dscresource="AuditPolicySubcategory">
      <AuditFlag>Success</AuditFlag>
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective.
 
Use the AuditPol tool to review the current Audit Policy configuration:
-Open a Command Prompt with elevated privileges ("Run as Administrator").
-Enter "AuditPol /get /category:*".
 
Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding.
 
Object Access -&gt; Central Policy Staging - Success</rawString>
      <Subcategory>Central Policy Staging</Subcategory>
    </Rule>
    <Rule id="V-57633" severity="medium" conversionstatus="pass" title="WINAU-000089" dscresource="AuditPolicySubcategory">
      <AuditFlag>Success</AuditFlag>
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective.
 
Use the AuditPol tool to review the current Audit Policy configuration:
-Open a Command Prompt with elevated privileges ("Run as Administrator").
-Enter "AuditPol /get /category:*".
 
Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding.
 
Policy Change -&gt; Authorization Policy Change - Success</rawString>
      <Subcategory>Authorization Policy Change</Subcategory>
    </Rule>
    <Rule id="V-57635" severity="medium" conversionstatus="pass" title="WINAU-000090" dscresource="AuditPolicySubcategory">
      <AuditFlag>Failure</AuditFlag>
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective.
 
Use the AuditPol tool to review the current Audit Policy configuration:
-Open a Command Prompt with elevated privileges ("Run as Administrator").
-Enter "AuditPol /get /category:*".
 
Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding.
 
Policy Change -&gt; Authorization Policy Change - Failure</rawString>
      <Subcategory>Authorization Policy Change</Subcategory>
    </Rule>
  </AuditPolicyRule>
  <DocumentRule dscresourcemodule="None">
    <Rule id="V-1112" severity="low" conversionstatus="pass" title="Dormant Accounts" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Run "PowerShell".
 
Member servers and standalone systems:
Copy or enter the lines below to the PowerShell window and enter. (Entering twice may be required. Do not include the quotes at the beginning and end of the query.)
 
"([ADSI]('WinNT://{0}' -f $env:COMPUTERNAME)).Children | Where { $_.SchemaClassName -eq 'user' } | ForEach {
 $user = ([ADSI]$_.Path)
 $lastLogin = $user.Properties.LastLogin.Value
 $enabled = ($user.Properties.UserFlags.Value -band 0x2) -ne 0x2
 if ($lastLogin -eq $null) {
 $lastLogin = 'Never'
 }
 Write-Host $user.Name $lastLogin $enabled
}"
 
This will return a list of local accounts with the account name, last logon, and if the account is enabled (True/False).
For example: User1 10/31/2015 5:49:56 AM True
 
Domain Controllers:
Enter the following command in PowerShell.
"Search-ADAccount -AccountInactive -UsersOnly -TimeSpan 35.00:00:00"
 
This will return accounts that have not been logged on to for 35 days, along with various attributes such as the Enabled status and LastLogonDate.
 
Review the list of accounts returned by the above queries to determine the finding validity for each account reported.
 
Exclude the following accounts:
Built-in administrator account (Renamed, SID ending in 500)
Built-in guest account (Renamed, Disabled, SID ending in 501)
Application accounts
 
If any enabled accounts have not been logged on to within the past 35 days, this is a finding.
 
Inactive accounts that have been reviewed and deemed to be required must be documented with the ISSO.</rawString>
    </Rule>
    <Rule id="V-1120" severity="medium" conversionstatus="pass" title="Prohibited FTP Logins" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If FTP is not installed on the system, this is NA.
 
Determine the IP address and port number assigned to FTP sites from documentation or configuration.
 
If Microsoft FTP is used, open "Internet Information Services (IIS) Manager".
 
Select "Sites" under the server name.
 
For any sites that reference FTP, view the Binding information for IP address and port. The standard port for FTP is 21, however this may be changed.
 
Open a "Command Prompt".
 
Attempt to log on as the user "anonymous" with the following commands:
 
Note: Returned results may vary depending on the FTP server software.
 
C:\&gt; "ftp"
ftp&gt; "Open IP Address Port"
(Substituting [IP Address] and [Port] with the information previously identified. If no IP Address was listed in the Binding, attempt using "localhost".)
(Connected to IP Address
220 Microsoft FTP Service)
 
User (IP Address): "anonymous"
(331 Anonymous access allowed, send identity (e-mail name) as password.)
 
Password: "password"
(230 User logged in.)
ftp&gt;
 
If the response indicates that an anonymous FTP login was permitted, this is a finding.
 
If accounts with administrator privileges are used to access FTP, this is a CAT I finding.</rawString>
    </Rule>
    <Rule id="V-1121" severity="high" conversionstatus="pass" title="FTP System File Access" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If FTP is not installed on the system, this is NA.
 
Determine the IP address and port number assigned to FTP sites from documentation or configuration.
 
If Microsoft FTP is used, open "Internet Information Services (IIS) Manager".
 
Select "Sites" under the server name.
 
For any sites that reference FTP, view the Binding information for IP address and port. The standard port for FTP is 21, however this may be changed.
 
Open a "Command Prompt".
 
Access the FTP site and review accessible directories with the following commands:
 
Note: Returned results may vary depending on the FTP server software.
 
C:\&gt; "ftp"
ftp&gt; "Open IP Address Port"
(Substituting [IP Address] and [Port] with the information previously identified. If no IP Address was listed in the Binding, attempt using "localhost".)
(Connected to IP Address
220 Microsoft FTP Service)
 
User (IP Address): "FTP User"
(Substituting [FTP User] with an account identified that is allowed access. If it was determined that anonymous access was allowed to the site [see V-1120], also review access using "anonymous".)
 (331 Password required)
 
Password: "Password"
(Substituting [Password] with password for the account attempting access.)
(230 User ftpuser logged in.)
 
ftp&gt; "Dir"
 
If the FTP session indicates access to areas of the system other than the specific folder for FTP data, such as the root of the drive, Program Files or Windows directories, this is a finding.</rawString>
    </Rule>
    <Rule id="V-1168" severity="medium" conversionstatus="pass" title="Members of the Backup Operators Group" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If no accounts are members of the Backup Operators group, this is NA.
 
Any accounts that are members of the Backup Operators group, including application accounts, must be documented with the ISSO. If documentation of accounts that are members of the Backup Operators group is not maintained this is a finding.</rawString>
    </Rule>
    <Rule id="V-3289" severity="medium" conversionstatus="pass" title="Intrusion Detection System" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Determine whether there is a host-based Intrusion Detection System on each server.
 
If the HIPS component of HBSS is installed and active on the host and the Alerts of blocked activity are being logged and monitored, this will meet the requirement of this finding.
 
A HID device is not required on a system that has the role as the Network Intrusion Device (NID). However, this exception needs to be documented with the site ISSO.
 
If a host-based Intrusion Detection System is not installed on the system, this is a finding.</rawString>
    </Rule>
    <Rule id="V-3487" severity="medium" conversionstatus="pass" title="Unnecessary Services" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Required services will vary between organizations, and on the role of the individual system. Organizations will develop their own list of services which will be documented and justified with the ISSO. The site's list will be provided for any security review. Services common to multiple systems can be addressed in one document. Exceptions for individual systems should be identified separately by system.
 
Individual services specifically required to be disabled per the STIG are identified in separate requirements.
 
If the site has not documented the services required for their system(s), this is a finding.
 
The following can be used to view the services on a system:
Run "Services.msc".
 
Services for Windows Server 2012 roles are managed automatically, adding those necessary for a particular role. The following lists the default services for a baseline installation as a reference. This can be used as a basis for documenting the services necessary.
 
Default Installation
Name - Startup Type
Application Experience - Manual (Trigger Start)
Application Identity - Manual (Trigger Start)
Application Information - Manual
Application Layer Gateway Service - Manual
Application Management - Manual
Background Intelligent Transfer Service - Automatic (Delayed Start)
Background Tasks Infrastructure Service - Automatic
Base Filtering Engine - Automatic
Certificate Propagation - Manual
CNG Key Isolation - Manual (Trigger Start)
COM+ Event System - Automatic
COM+ System Application - Manual
Computer Browser - Disabled
Credential Manager - Manual
Cryptographic Services - Automatic
DCOM Server Process Launcher - Automatic
Device Association Service - Manual (Trigger Start)
Device Install Service - Manual (Trigger Start)
Device Setup Manager - Manual (Trigger Start)
DHCP Client - Automatic
Diagnostic Policy Service - Automatic (Delayed Start)
Diagnostic Service Host - Manual
Diagnostic System Host - Manual
Distributed Link Tracking Client - Automatic
Distributed Transaction Coordinator - Automatic (Delayed Start)
DNS Client - Automatic (Trigger Start)
Encrypting File System (EFS) - Manual (Trigger Start)
Extensible Authentication Protocol - Manual
Function Discovery Provider Host - Manual
Function Discovery Resource Publication - Manual
Group Policy Client - Automatic (Trigger Start)
Health Key and Certificate Management - Manual
Human Interface Device Access - Manual (Trigger Start)
Hyper-V Data Exchange Service - Manual (Trigger Start)
Hyper-V Guest Shutdown Service - Manual (Trigger Start)
Hyper-V Heartbeat Service - Manual (Trigger Start)
Hyper-V Remote Desktop Virtualization Service - Manual (Trigger Start)
Hyper-V Time Synchronization Service - Manual (Trigger Start)
Hyper-V Volume Shadow Copy Requestor - Manual (Trigger Start)
IKE and AuthIP IPsec Keying Modules - Manual (Trigger Start)
Interactive Services Detection - Manual
Internet Connection Sharing (ICS) - Disabled
IP Helper - Automatic
IPsec Policy Agent - Manual (Trigger Start)
KDC Proxy Server service (KPS) - Manual
KtmRm for Distributed Transaction Coordinator - Manual (Trigger Start)
Link-Layer Topology Discovery Mapper - Manual
Local Session Manager - Automatic
Microsoft iSCSI Initiator Service - Manual
Microsoft Software Shadow Copy Provider - Manual
Multimedia Class Scheduler - Manual
Net.Tcp Port Sharing Service - Disabled
Netlogon - Manual
Network Access Protection Agent - Manual
Network Connections - Manual
Network Connectivity Assistant - Manual (Trigger Start)
Network List Service - Manual
Network Location Awareness - Automatic
Network Store Interface Service - Automatic
Optimize drives - Manual
Performance Counter DLL Host - Manual
Performance Logs &amp; Alerts - Manual
Plug and Play - Manual
Portable Device Enumerator Service - Manual (Trigger Start)
Power - Automatic
Print Spooler - Automatic
Printer Extensions and Notifications - Manual
Problem Reports and Solutions Control Panel Support - Manual
Remote Access Auto Connection Manager - Manual
Remote Access Connection Manager - Manual
Remote Desktop Configuration - Manual
Remote Desktop Services - Manual
Remote Desktop Services UserMode Port Redirector - Manual
Remote Procedure Call (RPC) - Automatic
Remote Procedure Call (RPC) Locator - Manual
Remote Registry - Automatic (Trigger Start)
Resultant Set of Policy Provider - Manual
Routing and Remote Access - Disabled
RPC Endpoint Mapper - Automatic
Secondary Logon - Manual
Secure Socket Tunneling Protocol Service - Manual
Security Accounts Manager - Automatic
Server - Automatic
Shell Hardware Detection - Automatic
Smart Card - Disabled
Smart Card Removal Policy - Manual
SNMP Trap - Manual
Software Protection - Automatic (Delayed Start, Trigger Start)
Special Administration Console Helper - Manual
Spot Verifier - Manual (Trigger Start)
SSDP Discovery - Disabled
Superfetch - Manual
System Event Notification Service - Automatic
Task Scheduler - Automatic
TCP/IP NetBIOS Helper - Automatic (Trigger Start)
Telephony - Manual
Themes - Automatic
Thread Ordering Server - Manual
UPnP Device Host - Disabled
User Access Logging Service - Automatic (Delayed Start)
User Profile Service - Automatic
Virtual Disk - Manual
Volume Shadow Copy - Manual
Windows All-User Install Agent - Manual (Trigger Start)
Windows Audio - Manual
Windows Audio Endpoint Builder - Manual
Windows Color System - Manual
Windows Driver Foundation - User-mode Driver Framework - Manual (Trigger Start)
Windows Error Reporting Service - Manual (Trigger Start)
Windows Event Collector - Manual
Windows Event Log - Automatic
Windows Firewall - Automatic
Windows Font Cache Service - Automatic
Windows Installer - Manual
Windows Licensing Monitoring Service - Automatic
Windows Management Instrumentation - Automatic
Windows Modules Installer - Manual
Windows Remote Management (WS-Management) - Automatic
Windows Store Service (WSService) - Manual (Trigger Start)
Windows Time - Manual (Trigger Start)
Windows Update - Manual
WinHTTP Web Proxy Auto-Discovery Service - Manual
Wired AutoConfig - Manual
WMI Performance Adapter - Manual
Workstation - Automatic</rawString>
    </Rule>
    <Rule id="V-15823" severity="medium" conversionstatus="pass" title="Software Certificate Installation Files" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Search all drives for *.p12 and *.pfx files.
 
If any files with these extensions exist, this is a finding.
 
This does not apply to server-based applications that have a requirement for .p12 certificate files (e.g., Oracle Wallet Manager). Some applications create files with extensions of .p12 that are NOT certificate installation files. Removal of noncertificate installation files from systems is not required. These must be documented with the ISSO.</rawString>
    </Rule>
    <Rule id="V-32272" severity="medium" conversionstatus="pass" title="WINPK-000001" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Verify the DoD Root CA certificates are installed as Trusted Root Certification Authorities.
 
Run "PowerShell" as an administrator.
Execute the following command:
Get-ChildItem -Path Cert:Localmachine\root | Where Subject -Like "*DoD*" | FL Subject, Thumbprint
If the following information is not displayed, this is finding.
 
Subject: CN=DoD Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US
Thumbprint: 8C941B34EA1EA6ED9AE2BC54CF687252B4C9B561
 
Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US
Thumbprint: D73CA91102A2204A36459ED32213B467D7CE97FB
 
Subject: CN=DoD Root CA 4, OU=PKI, OU=DoD, O=U.S. Government, C=US
Thumbprint: B8269F25DBD937ECAFD4C35A9838571723F2D026
 
Alternately use the Certificates MMC snap-in:
Run "MMC".
Select "File", "Add/Remove Snap-in".
Select "Certificates", click "Add".
Select "Computer account", click "Next".
Select "Local computer: (the computer this console is running on)", click "Finish".
Click "OK".
Expand "Certificates" and navigate to "Trusted Root Certification Authorities &gt;&gt; Certificates".
If there are no entries for "DoD Root CA 2", "DoD Root CA 3", and "DoD Root CA 4", this is a finding.
 
For each of the DoD Root CA certificates noted above:
Right click on the certificate and select "Open".
Select the "Details" Tab.
Scroll to the bottom and select "Thumbprint".
 
If the value for the "Thumbprint" field is not as noted below, this is a finding.
DoD Root CA 2 - 8C941B34EA1EA6ED9AE2BC54CF687252B4C9B561
DoD Root CA 3 - D73CA91102A2204A36459ED32213B467D7CE97FB
DoD Root CA 4 - B8269F25DBD937ECAFD4C35A9838571723F2D026
 
The thumbprints referenced apply to unclassified systems; see PKE documentation for other networks.</rawString>
    </Rule>
    <Rule id="V-36656" severity="medium" conversionstatus="pass" title="WINUC-000001" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_CURRENT_USER
Registry Path: \Software\Policies\Microsoft\Windows\Control Panel\Desktop\
 
Value Name: ScreenSaveActive
 
Type: REG_SZ
Value: 1
 
Applications requiring continuous, real-time screen display (e.g., network management products) require the following and must be documented with the ISSO:
  
-The logon session does not have administrator rights.
-The display station (e.g., keyboard, monitor, etc.) is located in a controlled access area.</rawString>
    </Rule>
    <Rule id="V-36658" severity="medium" conversionstatus="pass" title="WIN00-000005-01" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Review the necessary documentation that identifies the members of the Administrators group. If a list of all users belonging to the Administrators group is not maintained with the ISSO, this is a finding.</rawString>
    </Rule>
    <Rule id="V-40173" severity="low" conversionstatus="pass" title="WN00-000017" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Determine whether system-related documentation is backed up in accordance with local recovery time and recovery point objectives. If system-related documentation is not backed up in accordance with local recovery time and recovery point objectives, this is a finding.</rawString>
    </Rule>
  </DocumentRule>
  <ManualRule dscresourcemodule="None">
    <Rule id="V-1070" severity="medium" conversionstatus="pass" title="Physical security" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Verify servers are located in controlled access areas that are accessible only to authorized personnel. If systems are not adequately protected, this is a finding.</rawString>
    </Rule>
    <Rule id="V-1072" severity="medium" conversionstatus="pass" title="Shared User Accounts" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Determine whether any shared accounts exist. If no shared accounts exist, this is NA.
If shared accounts exist, this is a finding.</rawString>
    </Rule>
    <Rule id="V-1074" severity="high" conversionstatus="pass" title="WIN00-000100" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Verify a supported DoD antivirus product has been installed on the system.
 
If McAfee VirusScan Enterprise 8.8 Patch 3 or later is not installed on the system, this is a finding.
 
If another recognized antivirus product is installed, this would still be a finding; however, the severity may be reduced to a CAT III.</rawString>
    </Rule>
    <Rule id="V-1076" severity="low" conversionstatus="pass" title="System Recovery Backups" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Determine whether system-level information is backed up in accordance with local recovery time and recovery point objectives. If system-level information is not backed up in accordance with local recovery time and recovery point objectives, this is a finding.</rawString>
    </Rule>
    <Rule id="V-1119" severity="medium" conversionstatus="pass" title="Booting into Multiple Operating Systems" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Verify the local system boots directly into Windows.
 
Open Control Panel.
Select "System".
Select the "Advanced System Settings" link.
Select the "Advanced" tab.
Click the "Startup and Recovery" Settings button.
 
If the drop-down list box "Default operating system:" shows any operating system other than Windows Server 2012, this is a finding.</rawString>
    </Rule>
    <Rule id="V-1127" severity="high" conversionstatus="pass" title="Restricted Administrator Group Membership" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Review the local Administrators group. Only the appropriate administrator groups or accounts responsible for administration of the system may be members of the group.
 
For domain-joined member servers, the Domain Admins group must be replaced by a domain member server administrator group.
 
Systems dedicated to the management of Active Directory (AD admin platforms, see V-36436 in the Active Directory Domain STIG) are exempt from this. AD admin platforms may use the Domain Admins group or a domain administrative group created specifically for AD admin platforms (see V-43711 in the Active Directory Domain STIG).
 
Standard user accounts must not be members of the local Administrator group.
 
If prohibited accounts are members of the local Administrators group, this is a finding.
 
The built-in Administrator account or other required administrative accounts would not be a finding.</rawString>
    </Rule>
    <Rule id="V-1128" severity="low" conversionstatus="pass" title="Security Configuration Tools" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Verify security configuration tools or equivalent processes are being used to configure Windows systems to meet security requirements. If security configuration tools or equivalent processes are not used, this is a finding.
 
Security configuration tools that are integrated into Windows, such as Group Policies and Security Templates, may be used to configure platforms for security compliance.
 
If an alternate method is used to configure a system (e.g., manually using the DISA Windows Security STIGs, etc.) and the same configured result is achieved, this is acceptable.</rawString>
    </Rule>
    <Rule id="V-1135" severity="low" conversionstatus="pass" title="Printer Share Permissions" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Open "Devices and Printers" in Control Panel or through Search.
If there are no printers configured, this is NA.
 
For each configured printer:
Right click on the printer.
Select "Printer Properties".
Select the "Sharing" tab.
View whether "Share this printer" is checked.
 
For any printers with "Share this printer" selected:
Select the Security tab.
 
If any standard user accounts or groups have permissions other than "Print", this is a finding.
Standard users will typically be given "Print" permission through the Everyone group.
"All APPLICATION PACKAGES" and "CREATOR OWNER" are not considered standard user accounts for this requirement.</rawString>
    </Rule>
    <Rule id="V-2907" severity="medium" conversionstatus="pass" title="System File Changes" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Determine whether the site monitors system files (e.g., *.exe, *.bat, *.com, *.cmd, and *.dll) on servers for unauthorized changes against a baseline on a weekly basis. If system files are not monitored for unauthorized changes, this is a finding.
 
A properly configured HBSS Policy Auditor 5.2 or later File Integrity Monitor (FIM) module will meet the requirement for file integrity checking. The Asset module within HBSS does not meet this requirement.</rawString>
    </Rule>
    <Rule id="V-3245" severity="medium" conversionstatus="pass" title="File share ACLs" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If only system-created shares such as "ADMIN$", "C$", and "IPC$" exist on the system, this is NA.
(System-created shares will display a message that it has been shared for administrative purposes when "Properties" is selected.)
 
Run "Computer Management".
Navigate to System Tools &gt;&gt; Shared Folders &gt;&gt; Shares.
 
Right click any non-system-created shares.
Select "Properties".
Select the "Share Permissions" tab.
 
If the file shares have not been reconfigured to restrict permissions to the specific groups or accounts that require access, this is a finding.
 
Select the "Security" tab.
 
If the NTFS permissions have not been reconfigured to restrict permissions to the specific groups or accounts that require access, this is a finding.</rawString>
    </Rule>
    <Rule id="V-3481" severity="medium" conversionstatus="pass" title="Media Player - Prevent Codec Download" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_CURRENT_USER
Registry Path: \Software\Policies\Microsoft\WindowsMediaPlayer\
 
Value Name: PreventCodecDownload
 
Type: REG_DWORD
Value: 1</rawString>
    </Rule>
    <Rule id="V-6840" severity="medium" conversionstatus="pass" title="Password Expiration" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Run the DUMPSEC utility.
Select "Dump Users as Table" from the "Report" menu.
Select the following fields, and click "Add" for each entry:
 
UserName
SID
PswdExpires
AcctDisabled
Groups
 
If any accounts have "No" in the "PswdExpires" column, this is a finding.
 
The following are exempt from this requirement:
Application Accounts
Domain accounts requiring smart card (CAC/PIV)
 
The following PowerShell command may be used on domain controllers to list accounts with the Password Never Expires flag:
Search-ADAccount -PasswordNeverExpires -UsersOnly</rawString>
    </Rule>
    <Rule id="V-7002" severity="high" conversionstatus="pass" title="Password Requirement" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Verify all accounts require passwords.
 
Run the DUMPSEC utility.
Select "Dump Users as Table" from the "Report" menu.
Select the following fields, and click "Add" for each entry:
 
UserName
SID
PswdRequired
AcctDisabled
Groups
 
If any accounts have "No" in the "PswdRequired" column, this is a finding.
 
Some built-in or application-generated accounts (e.g., Guest, IWAM_, IUSR, etc.) may not have this flag set, even though there are passwords present. It can be set by entering the following on a command line: "Net user &lt;account_name&gt; /passwordreq:yes".</rawString>
    </Rule>
    <Rule id="V-14225" severity="medium" conversionstatus="pass" title="Administrator Account Password Changes" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Determine if any system administrators have left the organization within the last year.
 
Run the DUMPSEC utility.
Select "Dump Users as Table" from the "Report" menu.
Select the following fields, and click "Add" for each entry:
 
UserName
SID
PwsdLastSetTime
 
If the built-in Administrator account has a date older than one year in the "PwsdLastSetTime" column, this is a finding.
If any system administrators has left the organization within the last year and the "PwsdLastSetTime" field reflects the built-in Administrator account password was not changed at that time, this is a finding.</rawString>
    </Rule>
    <Rule id="V-14268" severity="medium" conversionstatus="pass" title="Attachment Mgr - Preserve Zone Info" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_CURRENT_USER
Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\Attachments\
 
Value Name: SaveZoneInformation
 
Type: REG_DWORD
Value: 2</rawString>
    </Rule>
    <Rule id="V-14269" severity="medium" conversionstatus="pass" title="Attachment Mgr - Hide Mech to Remove Zone Info" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_CURRENT_USER
Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\Attachments\
 
Value Name: HideZoneInfoOnProperties
 
Type: REG_DWORD
Value: 1</rawString>
    </Rule>
    <Rule id="V-14270" severity="medium" conversionstatus="pass" title="Attachment Mgr - Scan with Antivirus" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_CURRENT_USER
Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\Attachments\
 
Value Name: ScanWithAntiVirus
 
Type: REG_DWORD
Value: 3</rawString>
    </Rule>
    <Rule id="V-15727" severity="medium" conversionstatus="pass" title="User Network Sharing" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_CURRENT_USER
Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
 
Value Name: NoInPlaceSharing
 
Type: REG_DWORD
Value: 1</rawString>
    </Rule>
    <Rule id="V-16021" severity="medium" conversionstatus="pass" title="Help Experience Improvement Program " dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_CURRENT_USER
Registry Path: \Software\Policies\Microsoft\Assistance\Client\1.0\
 
Value Name: NoImplicitFeedback
 
Type: REG_DWORD
Value: 1</rawString>
    </Rule>
    <Rule id="V-16048" severity="medium" conversionstatus="pass" title="Help Ratings" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_CURRENT_USER
Registry Path: \Software\Policies\Microsoft\Assistance\Client\1.0\
 
Value Name: NoExplicitFeedback
 
Type: REG_DWORD
Value: 1</rawString>
    </Rule>
    <Rule id="V-21954" severity="medium" conversionstatus="pass" title="Kerberos Encryption Types" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Verify whether the registry key below exists. If it does not exist or the value is "0", this is not a finding.
If the registry key exists and contains a value other than "0", continue below.
 
The values are determined by the selection of encryption suites in the policy Computer Configuration &gt;&gt; Windows Settings &gt;&gt; Security Settings &gt;&gt; Local Policies &gt;&gt; Security Options &gt;&gt; "Network Security: Configure encryption types allowed for Kerberos".
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters\
Value Name: SupportedEncryptionTypes
Type: REG_DWORD
 
Due to the number of possible combinations that may include the DES encryption types, it is not possible to include all acceptable values as viewed directly in the registry.
 
If the registry key does exist, the value must be converted to binary to determine configuration of specific bits. This will determine whether this is a finding.
 
Note the value for the registry key.
For example, when all suites, including the DES suites are selected, the value will be "0x7fffffff (2147483647)".
 
Open the Windows calculator (Run/Search for "calc").
Select "View", then "Programmer".
Select "Dword" and either "Hex" or "Dec".
Enter the appropriate form of the value found for the registry key (e.g., Hex - enter 0x7fffffff, Dec - enter 2147483647)
Select "Bin".
The returned value may vary in length, up to 32 characters.
If the either of 2 right most characters are "1", this is a finding.
If the both of 2 right most characters are "0", this is not a finding.</rawString>
    </Rule>
    <Rule id="V-32274" severity="medium" conversionstatus="pass" title="WINPK-000003" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Verify the DoD Interoperability cross-certificates are installed on unclassified systems as Untrusted Certificates.
 
Run "PowerShell" as an administrator.
Execute the following command:
Get-ChildItem -Path Cert:Localmachine\disallowed | Where {$_.Issuer -Like "*DoD Interoperability*" -and $_.Subject -Like "*DoD*"} | FL Subject, Issuer, Thumbprint
If the following information is not displayed, this is finding.
 
Subject: CN=DoD Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US
Issuer: CN=DoD Interoperability Root CA 1, OU=PKI, OU=DoD, O=U.S. Government, C=US
Thumbprint: 22BBE981F0694D246CC1472ED2B021DC8540A22F
 
Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US
Issuer: CN=DoD Interoperability Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US
Thumbprint: FFAD03329B9E527A43EEC66A56F9CBB5393E6E13
 
Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US
Issuer: CN=DoD Interoperability Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US
Thumbprint: FCE1B1E25374DD94F5935BEB86CA643D8C8D1FF4
 
Alternately use the Certificates MMC snap-in:
Run "MMC".
Select "File", "Add/Remove Snap-in".
Select "Certificates", click "Add".
Select "Computer account", click "Next".
Select "Local computer: (the computer this console is running on)", click "Finish".
Click "OK".
Expand "Certificates" and navigate to "Untrusted Certificates &gt;&gt; Certificates".
 
For each certificate with "DoD Root CA…" under "Issued To" and "DoD Interoperability Root CA…" under "Issued By":
Right click on the certificate and select "Open".
Select the "Details" Tab.
Scroll to the bottom and select "Thumbprint".
 
If the certificates below are not listed or the value for the "Thumbprint" field is not as noted, this is a finding.
 
Issued To - Issued By - Thumbprint
DoD Root CA 2 - DoD Interoperability Root CA 1 - 22BBE981F0694D246CC1472ED2B021DC8540A22F
DoD Root CA 3 - DoD Interoperability Root CA 2 - FFAD03329B9E527A43EEC66A56F9CBB5393E6E13
DoD Root CA 3 - DoD Interoperability Root CA 2 - FCE1B1E25374DD94F5935BEB86CA643D8C8D1FF4</rawString>
    </Rule>
    <Rule id="V-36451" severity="high" conversionstatus="pass" title="Accounts with administrative privileges Internet access" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Determine whether administrative accounts are prevented from using applications that access the Internet, such as web browsers, or with potential Internet sources, such as email, except as necessary for local service administration.
 
The organization must have a policy that prohibits administrative accounts from using applications that access the Internet, such as web browsers, or with potential Internet sources, such as email, except as necessary for local service administration. The policy should define specific exceptions for local service administration. These exceptions may include HTTP(S)-based tools that are used for the administration of the local system, services, or attached devices.
 
Technical measures such as the removal of applications or application whitelisting must be used where feasible to prevent the use of applications that access the Internet.
 
If accounts with administrative privileges are not prevented from using applications that access the Internet or with potential Internet sources, this is a finding.</rawString>
    </Rule>
    <Rule id="V-36657" severity="medium" conversionstatus="pass" title="WINUC-000003" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_CURRENT_USER
Registry Path: \Software\Policies\Microsoft\Windows\Control Panel\Desktop\
 
Value Name: ScreenSaverIsSecure
 
Type: REG_SZ
Value: 1</rawString>
    </Rule>
    <Rule id="V-36659" severity="high" conversionstatus="pass" title="WIN00-000005-02" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Verify each user with administrative privileges has been assigned a unique administrative account separate from their standard user account.
 
If users with administrative privileges do not have separate accounts for administrative functions and standard user functions, this is a finding.</rawString>
    </Rule>
    <Rule id="V-36661" severity="medium" conversionstatus="pass" title="WIN00-000010-01" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Verify the site has a policy to ensure passwords for manually managed application/service accounts are at least 15 characters in length. If such a policy does not exist or has not been implemented, this is a finding.</rawString>
    </Rule>
    <Rule id="V-36662" severity="medium" conversionstatus="pass" title="WIN00-000010-02" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Determine if any system administrators with knowledge of application account passwords have left the organization within the last year.
 
Run the DUMPSEC utility.
Select "Dump Users as Table" from the "Report" menu.
Select the following fields, and click "Add" for each entry:
 
UserName
SID
PwsdLastSetTime
 
If any application accounts listed that are manually managed and have a date older than one year in the "PwsdLastSetTime" column, this is a finding.
If any system administrators with knowledge of application account passwords have left the organization within the last year and the "PwsdLastSetTime" field reflects that application account passwords were not changed at that time, this is a finding.</rawString>
    </Rule>
    <Rule id="V-36666" severity="medium" conversionstatus="pass" title="WIN00-000014" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Determine whether the site has a policy that requires SAs be trained for all operating systems running on systems under their control. If the site does not have a policy requiring SAs be trained for all operating systems under their control, this is a finding.</rawString>
    </Rule>
    <Rule id="V-36670" severity="medium" conversionstatus="pass" title="WINAU-000100" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Determine whether audit logs are reviewed on a predetermined schedule. If audit logs are not reviewed on a regular basis, this is a finding.</rawString>
    </Rule>
    <Rule id="V-36671" severity="medium" conversionstatus="pass" title="WINAU-000101" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Determine whether audit data is retained for at least one year. If the audit data is not retained for at least a year, this is a finding.</rawString>
    </Rule>
    <Rule id="V-36672" severity="medium" conversionstatus="pass" title="WINAU-000102" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Determine if a process to back up log data to a different system or media than the system being audited has been implemented. If it has not, this is a finding.</rawString>
    </Rule>
    <Rule id="V-36733" severity="low" conversionstatus="pass" title="WINGE-000027" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Determine whether user-level information is backed up in accordance with local recovery time and recovery point objectives. If user-level information is not backed up in accordance with local recovery time and recovery point objectives, this is a finding.</rawString>
    </Rule>
    <Rule id="V-36734" severity="medium" conversionstatus="pass" title="WINGE-000028" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Verify the operating system employs automated mechanisms to determine the state of system components with regard to flaw remediation using the following frequency: continuously, where HBSS is used; 30 days, for any additional internal network scans not covered by HBSS; and annually, for external scans by Computer Network Defense Service Provider (CNDSP). If it does not, this is a finding.</rawString>
    </Rule>
    <Rule id="V-36735" severity="medium" conversionstatus="pass" title="WINGE-000029" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Verify the organization has an automated process to install security-related software updates. If it does not, this is a finding.</rawString>
    </Rule>
    <Rule id="V-36736" severity="medium" conversionstatus="pass" title="WINGE-000030" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Verify the system has software installed and running that provides certificate validation and revocation checking. If it does not, this is a finding.</rawString>
    </Rule>
    <Rule id="V-36774" severity="low" conversionstatus="pass" title="WINUC-000002" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_CURRENT_USER
Registry Path: \Software\Policies\Microsoft\Windows\Control Panel\Desktop\
 
Value Name: SCRNSAVE.EXE
 
Type: REG_SZ
Value: scrnsave.scr</rawString>
    </Rule>
    <Rule id="V-36775" severity="low" conversionstatus="pass" title="WINUC-000004" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_CURRENT_USER
Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\
 
Value Name: NoDispScrSavPage
 
Type: REG_DWORD
Value: 1</rawString>
    </Rule>
    <Rule id="V-36776" severity="low" conversionstatus="pass" title="WINUC-000005" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_CURRENT_USER
Registry Path: \SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications\
 
Value Name: NoCloudApplicationNotification
 
Type: REG_DWORD
Value: 1</rawString>
    </Rule>
    <Rule id="V-36777" severity="low" conversionstatus="pass" title="WINUC-000006" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_CURRENT_USER
Registry Path: \SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications\
 
Value Name: NoToastApplicationNotificationOnLockScreen
 
Type: REG_DWORD
Value: 1</rawString>
    </Rule>
    <Rule id="V-40172" severity="low" conversionstatus="pass" title="WN00-000016" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Determine if system-level information backups are protected from destruction and stored in a physically secure location. If they are not, this is a finding.</rawString>
    </Rule>
    <Rule id="V-40175" severity="high" conversionstatus="pass" title="WIN00-000110 " dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>This requirement is NA if McAfee VirusScan Enterprise (VSE) is used. It will be addressed with the corresponding McAfee VSE STIG.
 
Configurations will vary depending on the product.
 
Review the antivirus program signature update configuration.
 
If the antivirus program is not configured to update the signature files on a daily basis, this is a finding.
 
It may not be possible for systems to receive updates on a daily basis due to various factors. If the signature file is more than a week old, this is a finding.</rawString>
    </Rule>
    <Rule id="V-40198" severity="medium" conversionstatus="pass" title="WN00-000009-02" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If no accounts are members of the Backup Operators group, this is NA.
 
Verify users with accounts in the Backup Operators group have a separate user account for backup functions and for performing normal user tasks. If users with accounts in the Backup Operators group do not have separate accounts for backup functions and standard user functions, this is a finding.</rawString>
    </Rule>
    <Rule id="V-40237" severity="medium" conversionstatus="pass" title="WINPK-000004" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Verify the US DoD CCEB Interoperability Root CA cross-certificate is installed on unclassified systems as an Untrusted Certificate.
 
Run "PowerShell" as an administrator.
Execute the following command:
Get-ChildItem -Path Cert:Localmachine\disallowed | Where Issuer -Like "*CCEB Interoperability*" | FL Subject, Issuer, Thumbprint
If the following information is not displayed, this is finding.
 
Subject: CN=DoD Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US
Issuer: CN=US DoD CCEB Interoperability Root CA 1, OU=PKI, OU=DoD, O=U.S. Government, C=US
Thumbprint: DA36FAF56B2F6FBA1604F5BE46D864C9FA013BA3
 
Alternately use the Certificates MMC snap-in:
Run "MMC".
Select "File", "Add/Remove Snap-in".
Select "Certificates", click "Add".
Select "Computer account", click "Next".
Select "Local computer: (the computer this console is running on)", click "Finish".
Click "OK".
Expand "Certificates" and navigate to "Untrusted Certificates &gt;&gt; Certificates".
 
For each certificate with "US DoD CCEB Interoperability Root CA …" under "Issued By":
Right click on the certificate and select "Open".
Select the "Details" Tab.
Scroll to the bottom and select "Thumbprint".
 
If the certificate below is not listed or the value for the "Thumbprint" field is not as noted, this is a finding.
 
Issued To - Issued By - Thumbprint
DoD Root CA 2 - US DoD CCEB Interoperability Root CA 1 - DA36FAF56B2F6FBA1604F5BE46D864C9FA013BA3</rawString>
    </Rule>
    <Rule id="V-42420" severity="medium" conversionstatus="pass" title="WINFW-000001" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Determine if a host-based firewall is installed and enabled on the system. If a host-based firewall is not installed and enabled on the system, this is a finding.
 
The configuration requirements will be determined by the applicable firewall STIG.</rawString>
    </Rule>
    <Rule id="V-57637" severity="medium" conversionstatus="pass" title="WIN00-000018" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>This is applicable to unclassified systems, for other systems this is NA.
 
Verify the operating system employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs.
 
If an application whitelisting program is not in use on the system, this is a finding.
 
Configuration of whitelisting applications will vary by the program.
 
AppLocker is a whitelisting application built into Windows Server 2012. A deny-by-default implementation is initiated by enabling any AppLocker rules within a category, only allowing what is specified by defined rules.
 
If AppLocker is used, perform the following to view the configuration of AppLocker:
Open PowerShell.
 
If the AppLocker PowerShell module has not been previously imported, execute the following first:
Import-Module AppLocker
 
Execute the following command, substituting [c:\temp\file.xml] with a location and file name appropriate for the system:
Get-AppLockerPolicy -Effective -XML &gt; c:\temp\file.xml
 
This will produce an xml file with the effective settings that can be viewed in a browser or opened in a program such as Excel for review.
 
Implementation guidance for AppLocker is available in the NSA paper "Application Whitelisting using Microsoft AppLocker" under the Microsoft Windows section of the following link:
 
https://www.nsa.gov/ia/mitigation_guidance/security_configuration_guides/operating_systems.shtml</rawString>
    </Rule>
    <Rule id="V-57641" severity="medium" conversionstatus="pass" title="WIN00-000019" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process, verify protection methods such as TLS, encrypted VPNs, or IPSEC have been implemented. If protection methods have not been implemented, this is a finding.</rawString>
    </Rule>
    <Rule id="V-57645" severity="medium" conversionstatus="pass" title="WIN00-000020" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Verify systems that require additional protections due to factors such as inadequate physical protection or sensitivity of the data employ encryption to protect the confidentiality and integrity of all information at rest. If it does not, this is a finding.</rawString>
    </Rule>
    <Rule id="V-57653" severity="medium" conversionstatus="pass" title="WINGE-000056" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Verify the operating system automatically disables temporary user accounts after 72 hours. If it does not, this is a finding.
 
Determine if temporary user accounts are used and identify any that may be in existence.
For Domain Accounts:
Open PowerShell.
Run the command "Search-ADAccount -AccountExpiring" to determine if account expiration dates have been configured on any temporary accounts.
For any accounts returned, run the command "Get-ADUser -Identity &lt;Name&gt; -Property WhenCreated" to determine when the account was created.
 
Local accounts:
Run "Net user &lt;username&gt;". This will list the account properties, including "Account Expires".</rawString>
    </Rule>
    <Rule id="V-57655" severity="medium" conversionstatus="pass" title="WINGE-000057" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Verify the operating system is configured such that emergency administrator accounts are automatically removed or disabled after the crisis is resolved or within 72 hours. If it is not, this is a finding.
 
Determine if emergency accounts are used and identify any that may be in existence.
For Domain Accounts:
Open PowerShell.
Run the command "Search-ADAccount -AccountExpiring" to determine if account expiration dates have been configured on any emergency accounts.
 
Local accounts:
Run "Net user &lt;username&gt;". This will list the account properties, including "Account Expires".</rawString>
    </Rule>
    <Rule id="V-57719" severity="medium" conversionstatus="pass" title="WINAU-000203" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Verify the operating system, at a minimum, off-loads audit records of interconnected systems in real time and off-loads standalone systems weekly. If it does not, this is a finding.</rawString>
    </Rule>
  </ManualRule>
  <PermissionRule dscresourcemodule="AccessControlDsc">
    <Rule id="V-1152" severity="high" conversionstatus="pass" title="Anonymous Access to the Registry" dscresource="RegistryAccessEntry">
      <AccessControlEntry>
        <Entry>
          <Type>
          </Type>
          <Principal>Administrators</Principal>
          <ForcePrincipal>False</ForcePrincipal>
          <Inheritance>This Key and Subkeys</Inheritance>
          <Rights>FullControl</Rights>
        </Entry>
        <Entry>
          <Type>
          </Type>
          <Principal>Backup Operators</Principal>
          <ForcePrincipal>False</ForcePrincipal>
          <Inheritance>This Key Only</Inheritance>
          <Rights>ReadKey</Rights>
        </Entry>
        <Entry>
          <Type>
          </Type>
          <Principal>LOCAL SERVICE</Principal>
          <ForcePrincipal>False</ForcePrincipal>
          <Inheritance>This Key and Subkeys</Inheritance>
          <Rights>ReadKey</Rights>
        </Entry>
      </AccessControlEntry>
      <Force>True</Force>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <Path>HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\</Path>
      <rawString>Run "Regedit".
Navigate to the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\
 
If the key does not exist, this is a finding.
 
Right-click on "winreg" and select "Permissions…".
Select "Advanced".
 
If the permissions are not as restrictive as the defaults listed below, this is a finding.
 
The following are the same for each permission listed:
Type - Allow
Inherited from - None
 
Columns: Principal - Access - Applies to
Administrators - Full Control - This key and subkeys
Backup Operators - Read - This key only
LOCAL SERVICE - Read - This key and subkeys</rawString>
    </Rule>
    <Rule id="V-26070" severity="high" conversionstatus="pass" title="Winlogon Registry Permissions" dscresource="RegistryAccessEntry">
      <AccessControlEntry>
        <Entry>
          <Type>
          </Type>
          <Principal>TrustedInstaller</Principal>
          <ForcePrincipal>False</ForcePrincipal>
          <Inheritance>This Key and Subkeys</Inheritance>
          <Rights>FullControl</Rights>
        </Entry>
        <Entry>
          <Type>
          </Type>
          <Principal>SYSTEM</Principal>
          <ForcePrincipal>False</ForcePrincipal>
          <Inheritance>This Key and Subkeys</Inheritance>
          <Rights>FullControl</Rights>
        </Entry>
        <Entry>
          <Type>
          </Type>
          <Principal>Administrators</Principal>
          <ForcePrincipal>False</ForcePrincipal>
          <Inheritance>This Key and Subkeys</Inheritance>
          <Rights>FullControl</Rights>
        </Entry>
        <Entry>
          <Type>
          </Type>
          <Principal>Users</Principal>
          <ForcePrincipal>False</ForcePrincipal>
          <Inheritance>This Key and Subkeys</Inheritance>
          <Rights>ReadKey</Rights>
        </Entry>
        <Entry>
          <Type>
          </Type>
          <Principal>ALL APPLICATION PACKAGES</Principal>
          <ForcePrincipal>False</ForcePrincipal>
          <Inheritance>This Key and Subkeys</Inheritance>
          <Rights>ReadKey</Rights>
        </Entry>
      </AccessControlEntry>
      <Force>True</Force>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <Path>HKLM:\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Winlogon\</Path>
      <rawString>Run "Regedit".
Navigate to the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
 
Right-click on "WinLogon" and select "Permissions…".
Select "Advanced".
 
If the permissions are not as restrictive as the defaults listed below, this is a finding.
 
The following are the same for each permission listed:
Type - Allow
Inherited from - MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
Applies to - This key and subkeys
 
Columns: Principal - Access
TrustedInstaller - Full Control
SYSTEM - Full Control
Administrators - Full Control
Users - Read
ALL APPLICATION PACKAGES - Read</rawString>
    </Rule>
    <Rule id="V-26486" severity="medium" conversionstatus="fail" title="Deny log on through Remote Desktop \ Terminal Services" dscresource="">
      <AccessControlEntry />
      <Force>True</Force>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <Path />
      <rawString>Verify the effective setting in Local Group Policy Editor.
Run "gpedit.msc".
 
Navigate to Local Computer Policy &gt;&gt; Computer Configuration &gt;&gt; Windows Settings &gt;&gt; Security Settings &gt;&gt; Local Policies &gt;&gt; User Rights Assignment.
 
If the following accounts or groups are not defined for the "Deny log on through Remote Desktop Services" user right, this is a finding:
 
Domain Systems Only:
Enterprise Admins group
Domain Admins group
Local account (see Note below)
 
All Systems:
Guests group
 
Systems dedicated to the management of Active Directory (AD admin platforms, see V-36436 in the Active Directory Domain STIG) are exempt from denying the Enterprise Admins and Domain Admins groups.
 
Note: Windows Server 2012 R2 added new built-in security groups, including "Local account", for assigning permissions and rights to all local accounts.
Microsoft Security Advisory Patch 2871997 adds the new security groups to Windows Server 2012.</rawString>
    </Rule>
    <Rule id="V-32282" severity="high" conversionstatus="pass" title="WINRG-000001 Active Setup\Installed Components Registry Permissions" dscresource="RegistryAccessEntry">
      <AccessControlEntry>
        <Entry>
          <Type>
          </Type>
          <Principal>Users</Principal>
          <ForcePrincipal>False</ForcePrincipal>
          <Inheritance>
          </Inheritance>
          <Rights>ReadKey</Rights>
        </Entry>
        <Entry>
          <Type>
          </Type>
          <Principal>Administrators</Principal>
          <ForcePrincipal>False</ForcePrincipal>
          <Inheritance>
          </Inheritance>
          <Rights>FullControl</Rights>
        </Entry>
        <Entry>
          <Type>
          </Type>
          <Principal>SYSTEM</Principal>
          <ForcePrincipal>False</ForcePrincipal>
          <Inheritance>
          </Inheritance>
          <Rights>FullControl</Rights>
        </Entry>
        <Entry>
          <Type>
          </Type>
          <Principal>CREATOR OWNER</Principal>
          <ForcePrincipal>False</ForcePrincipal>
          <Inheritance>Subkeys Only</Inheritance>
          <Rights>FullControl</Rights>
        </Entry>
        <Entry>
          <Type>
          </Type>
          <Principal>ALL APPLICATION PACKAGES</Principal>
          <ForcePrincipal>False</ForcePrincipal>
          <Inheritance>
          </Inheritance>
          <Rights>ReadKey</Rights>
        </Entry>
      </AccessControlEntry>
      <Force>True</Force>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <Path>HKLM:\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\</Path>
      <rawString>Run "Regedit".
Navigate to the following registry keys and review the permissions:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\ (64-bit systems)
 
If the default permissions listed below have been changed, this is a finding.
 
Users - Read
Administrators - Full Control
SYSTEM - Full Control
CREATOR OWNER - Full Control (Subkeys only)
ALL APPLICATION PACKAGES - Read</rawString>
    </Rule>
    <Rule id="V-36722" severity="medium" conversionstatus="pass" title="WINAU-000204" dscresource="NTFSAccessEntry">
      <AccessControlEntry>
        <Entry>
          <Type>
          </Type>
          <Principal>Eventlog</Principal>
          <ForcePrincipal>False</ForcePrincipal>
          <Inheritance>
          </Inheritance>
          <Rights>FullControl</Rights>
        </Entry>
        <Entry>
          <Type>
          </Type>
          <Principal>SYSTEM</Principal>
          <ForcePrincipal>False</ForcePrincipal>
          <Inheritance>
          </Inheritance>
          <Rights>FullControl</Rights>
        </Entry>
        <Entry>
          <Type>
          </Type>
          <Principal>Administrators</Principal>
          <ForcePrincipal>False</ForcePrincipal>
          <Inheritance>
          </Inheritance>
          <Rights>FullControl</Rights>
        </Entry>
      </AccessControlEntry>
      <Force>True</Force>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <Path>%windir%\SYSTEM32\WINEVT\LOGS\Application.evtx</Path>
      <rawString>Verify the permissions on the Application event log (Application.evtx). Standard user accounts or groups must not have greater than Read access. The default permissions listed below satisfy this requirement:
 
Eventlog - Full Control
SYSTEM - Full Control
Administrators - Full Control
 
The default location is the "%SystemRoot%\SYSTEM32\WINEVT\LOGS" directory. They may have been moved to another folder.
 
If the permissions for these files are not as restrictive as the ACLs listed, this is a finding.</rawString>
    </Rule>
    <Rule id="V-36723" severity="medium" conversionstatus="pass" title="WINAU-000205" dscresource="NTFSAccessEntry">
      <AccessControlEntry>
        <Entry>
          <Type>
          </Type>
          <Principal>Eventlog</Principal>
          <ForcePrincipal>False</ForcePrincipal>
          <Inheritance>
          </Inheritance>
          <Rights>FullControl</Rights>
        </Entry>
        <Entry>
          <Type>
          </Type>
          <Principal>SYSTEM</Principal>
          <ForcePrincipal>False</ForcePrincipal>
          <Inheritance>
          </Inheritance>
          <Rights>FullControl</Rights>
        </Entry>
        <Entry>
          <Type>
          </Type>
          <Principal>Administrators</Principal>
          <ForcePrincipal>False</ForcePrincipal>
          <Inheritance>
          </Inheritance>
          <Rights>FullControl</Rights>
        </Entry>
      </AccessControlEntry>
      <Force>True</Force>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <Path>%windir%\SYSTEM32\WINEVT\LOGS\Security.evtx</Path>
      <rawString>Verify the permissions on the Security event log (Security.evtx). Standard user accounts or groups must not have access. The default permissions listed below satisfy this requirement:
 
Eventlog - Full Control
SYSTEM - Full Control
Administrators - Full Control
 
The default location is the "%SystemRoot%\SYSTEM32\WINEVT\LOGS" directory. They may have been moved to another folder.
 
If the permissions for these files are not as restrictive as the ACLs listed, this is a finding.</rawString>
    </Rule>
    <Rule id="V-36724" severity="medium" conversionstatus="pass" title="WINAU-000206" dscresource="NTFSAccessEntry">
      <AccessControlEntry>
        <Entry>
          <Type>
          </Type>
          <Principal>Eventlog</Principal>
          <ForcePrincipal>False</ForcePrincipal>
          <Inheritance>
          </Inheritance>
          <Rights>FullControl</Rights>
        </Entry>
        <Entry>
          <Type>
          </Type>
          <Principal>SYSTEM</Principal>
          <ForcePrincipal>False</ForcePrincipal>
          <Inheritance>
          </Inheritance>
          <Rights>FullControl</Rights>
        </Entry>
        <Entry>
          <Type>
          </Type>
          <Principal>Administrators</Principal>
          <ForcePrincipal>False</ForcePrincipal>
          <Inheritance>
          </Inheritance>
          <Rights>FullControl</Rights>
        </Entry>
      </AccessControlEntry>
      <Force>True</Force>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <Path>%windir%\SYSTEM32\WINEVT\LOGS\System.evtx</Path>
      <rawString>Verify the permissions on the System event log (System.evtx). Standard user accounts or groups must not have greater than Read access. The default permissions listed below satisfy this requirement:
 
Eventlog - Full Control
SYSTEM - Full Control
Administrators - Full Control
 
The default location is the "%SystemRoot%\SYSTEM32\WINEVT\LOGS" directory. They may have been moved to another folder.
 
If the permissions for these files are not as restrictive as the ACLs listed, this is a finding.</rawString>
    </Rule>
    <Rule id="V-40177.b" severity="medium" conversionstatus="pass" title="WNGE-000007" dscresource="NTFSAccessEntry">
      <AccessControlEntry>
        <Entry>
          <Type>
          </Type>
          <Principal>TrustedInstaller</Principal>
          <ForcePrincipal>False</ForcePrincipal>
          <Inheritance>This folder and subfolders</Inheritance>
          <Rights>FullControl</Rights>
        </Entry>
        <Entry>
          <Type>
          </Type>
          <Principal>SYSTEM</Principal>
          <ForcePrincipal>False</ForcePrincipal>
          <Inheritance>This folder only</Inheritance>
          <Rights>Modify</Rights>
        </Entry>
        <Entry>
          <Type>
          </Type>
          <Principal>SYSTEM</Principal>
          <ForcePrincipal>False</ForcePrincipal>
          <Inheritance>Subfolders and files only</Inheritance>
          <Rights>FullControl</Rights>
        </Entry>
        <Entry>
          <Type>
          </Type>
          <Principal>Administrators</Principal>
          <ForcePrincipal>False</ForcePrincipal>
          <Inheritance>This folder only</Inheritance>
          <Rights>Modify</Rights>
        </Entry>
        <Entry>
          <Type>
          </Type>
          <Principal>Administrators</Principal>
          <ForcePrincipal>False</ForcePrincipal>
          <Inheritance>Subfolders and files only</Inheritance>
          <Rights>FullControl</Rights>
        </Entry>
        <Entry>
          <Type>
          </Type>
          <Principal>Users</Principal>
          <ForcePrincipal>False</ForcePrincipal>
          <Inheritance>This folder subfolders and files</Inheritance>
          <Rights>ReadAndExecute</Rights>
        </Entry>
        <Entry>
          <Type>
          </Type>
          <Principal>CREATOR OWNER</Principal>
          <ForcePrincipal>False</ForcePrincipal>
          <Inheritance>Subfolders and files only</Inheritance>
          <Rights>FullControl</Rights>
        </Entry>
        <Entry>
          <Type>
          </Type>
          <Principal>ALL APPLICATION PACKAGES</Principal>
          <ForcePrincipal>False</ForcePrincipal>
          <Inheritance>This folder subfolders and files</Inheritance>
          <Rights>ReadAndExecute</Rights>
        </Entry>
      </AccessControlEntry>
      <Force>True</Force>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <Path>%ProgramFiles(x86)%</Path>
      <rawString>The default permissions are adequate when the Security Option "Network access: Let everyone permissions apply to anonymous users" is set to "Disabled" (V-3377). If the default ACLs are maintained and the referenced option is set to "Disabled", this is not a finding.
 
Verify the default permissions for the program file directories (Program Files and Program Files (x86)). Nonprivileged groups such as Users or Authenticated Users must not have greater than Read &amp; execute permissions except where noted as defaults. (Individual accounts must not be used to assign permissions.)
 
Viewing in File Explorer:
For each folder, view the Properties.
Select the "Security" tab, and the "Advanced" button.
 
Default Permissions:
\Program Files and \Program Files (x86)
Type - "Allow" for all
Inherited from - "None" for all
 
Principal - Access - Applies to
 
TrustedInstaller - Full control - This folder and subfolders
SYSTEM - Modify - This folder only
SYSTEM - Full control - Subfolders and files only
Administrators - Modify - This folder only
Administrators - Full control - Subfolders and files only
Users - Read &amp; execute - This folder, subfolders and files
CREATOR OWNER - Full control - Subfolders and files only
ALL APPLICATION PACKAGES - Read &amp; execute - This folder, subfolders and files
 
Alternately, use Icacls:
 
Open a Command prompt (admin).
Enter icacls followed by the directory:
 
icacls "c:\program files"
icacls "c:\program files (x86)"
 
The following results should be displayed as each is entered:
 
c:\program files
NT SERVICE\TrustedInstaller:(F)
NT SERVICE\TrustedInstaller:(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(M)
NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F)
BUILTIN\Administrators:(M)
BUILTIN\Administrators:(OI)(CI)(IO)(F)
BUILTIN\Users:(RX)
BUILTIN\Users:(OI)(CI)(IO)(GR,GE)
CREATOR OWNER:(OI)(CI)(IO)(F)
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(RX)
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE)
Successfully processed 1 files; Failed processing 0 files</rawString>
    </Rule>
    <Rule id="V-40177.a" severity="medium" conversionstatus="pass" title="WNGE-000007" dscresource="NTFSAccessEntry">
      <AccessControlEntry>
        <Entry>
          <Type>
          </Type>
          <Principal>TrustedInstaller</Principal>
          <ForcePrincipal>False</ForcePrincipal>
          <Inheritance>This folder and subfolders</Inheritance>
          <Rights>FullControl</Rights>
        </Entry>
        <Entry>
          <Type>
          </Type>
          <Principal>SYSTEM</Principal>
          <ForcePrincipal>False</ForcePrincipal>
          <Inheritance>This folder only</Inheritance>
          <Rights>Modify</Rights>
        </Entry>
        <Entry>
          <Type>
          </Type>
          <Principal>SYSTEM</Principal>
          <ForcePrincipal>False</ForcePrincipal>
          <Inheritance>Subfolders and files only</Inheritance>
          <Rights>FullControl</Rights>
        </Entry>
        <Entry>
          <Type>
          </Type>
          <Principal>Administrators</Principal>
          <ForcePrincipal>False</ForcePrincipal>
          <Inheritance>This folder only</Inheritance>
          <Rights>Modify</Rights>
        </Entry>
        <Entry>
          <Type>
          </Type>
          <Principal>Administrators</Principal>
          <ForcePrincipal>False</ForcePrincipal>
          <Inheritance>Subfolders and files only</Inheritance>
          <Rights>FullControl</Rights>
        </Entry>
        <Entry>
          <Type>
          </Type>
          <Principal>Users</Principal>
          <ForcePrincipal>False</ForcePrincipal>
          <Inheritance>This folder subfolders and files</Inheritance>
          <Rights>ReadAndExecute</Rights>
        </Entry>
        <Entry>
          <Type>
          </Type>
          <Principal>CREATOR OWNER</Principal>
          <ForcePrincipal>False</ForcePrincipal>
          <Inheritance>Subfolders and files only</Inheritance>
          <Rights>FullControl</Rights>
        </Entry>
        <Entry>
          <Type>
          </Type>
          <Principal>ALL APPLICATION PACKAGES</Principal>
          <ForcePrincipal>False</ForcePrincipal>
          <Inheritance>This folder subfolders and files</Inheritance>
          <Rights>ReadAndExecute</Rights>
        </Entry>
      </AccessControlEntry>
      <Force>True</Force>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <Path>%ProgramFiles%</Path>
      <rawString>The default permissions are adequate when the Security Option "Network access: Let everyone permissions apply to anonymous users" is set to "Disabled" (V-3377). If the default ACLs are maintained and the referenced option is set to "Disabled", this is not a finding.
 
Verify the default permissions for the program file directories (Program Files and Program Files (x86)). Nonprivileged groups such as Users or Authenticated Users must not have greater than Read &amp; execute permissions except where noted as defaults. (Individual accounts must not be used to assign permissions.)
 
Viewing in File Explorer:
For each folder, view the Properties.
Select the "Security" tab, and the "Advanced" button.
 
Default Permissions:
\Program Files and \Program Files (x86)
Type - "Allow" for all
Inherited from - "None" for all
 
Principal - Access - Applies to
 
TrustedInstaller - Full control - This folder and subfolders
SYSTEM - Modify - This folder only
SYSTEM - Full control - Subfolders and files only
Administrators - Modify - This folder only
Administrators - Full control - Subfolders and files only
Users - Read &amp; execute - This folder, subfolders and files
CREATOR OWNER - Full control - Subfolders and files only
ALL APPLICATION PACKAGES - Read &amp; execute - This folder, subfolders and files
 
Alternately, use Icacls:
 
Open a Command prompt (admin).
Enter icacls followed by the directory:
 
icacls "c:\program files"
icacls "c:\program files (x86)"
 
The following results should be displayed as each is entered:
 
c:\program files
NT SERVICE\TrustedInstaller:(F)
NT SERVICE\TrustedInstaller:(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(M)
NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F)
BUILTIN\Administrators:(M)
BUILTIN\Administrators:(OI)(CI)(IO)(F)
BUILTIN\Users:(RX)
BUILTIN\Users:(OI)(CI)(IO)(GR,GE)
CREATOR OWNER:(OI)(CI)(IO)(F)
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(RX)
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE)
Successfully processed 1 files; Failed processing 0 files</rawString>
    </Rule>
    <Rule id="V-40178" severity="medium" conversionstatus="pass" title="WNGE-000006" dscresource="NTFSAccessEntry">
      <AccessControlEntry>
        <Entry>
          <Type>
          </Type>
          <Principal>SYSTEM</Principal>
          <ForcePrincipal>False</ForcePrincipal>
          <Inheritance>This folder subfolders and files</Inheritance>
          <Rights>FullControl</Rights>
        </Entry>
        <Entry>
          <Type>
          </Type>
          <Principal>Administrators</Principal>
          <ForcePrincipal>False</ForcePrincipal>
          <Inheritance>This folder subfolders and files</Inheritance>
          <Rights>FullControl</Rights>
        </Entry>
        <Entry>
          <Type>
          </Type>
          <Principal>Users</Principal>
          <ForcePrincipal>False</ForcePrincipal>
          <Inheritance>This folder subfolders and files</Inheritance>
          <Rights>ReadAndExecute</Rights>
        </Entry>
        <Entry>
          <Type>
          </Type>
          <Principal>Users</Principal>
          <ForcePrincipal>False</ForcePrincipal>
          <Inheritance>This folder and subfolders</Inheritance>
          <Rights>CreateDirectories,AppendData</Rights>
        </Entry>
        <Entry>
          <Type>
          </Type>
          <Principal>Users</Principal>
          <ForcePrincipal>False</ForcePrincipal>
          <Inheritance>Subfolders only</Inheritance>
          <Rights>CreateFiles,WriteData</Rights>
        </Entry>
        <Entry>
          <Type>
          </Type>
          <Principal>CREATOR OWNER</Principal>
          <ForcePrincipal>False</ForcePrincipal>
          <Inheritance>Subfolders and files only</Inheritance>
          <Rights>FullControl</Rights>
        </Entry>
      </AccessControlEntry>
      <Force>True</Force>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <Path>%SystemDrive%\</Path>
      <rawString>The default permissions are adequate when the Security Option "Network access: Let everyone permissions apply to anonymous users" is set to "Disabled" (V-3377). If the default ACLs are maintained and the referenced option is set to "Disabled", this is not a finding.
 
Verify the default permissions for the system drive's root directory (usually C:\). Nonprivileged groups such as Users or Authenticated Users must not have greater than Read &amp; execute permissions except where noted as defaults. (Individual accounts must not be used to assign permissions.)
 
Viewing in File Explorer:
View the Properties of system drive root directory.
Select the "Security" tab, and the "Advanced" button.
 
C:\
Type - "Allow" for all
Inherited from - "None" for all
 
Principal - Access - Applies to
 
SYSTEM - Full control - This folder, subfolders and files
Administrators - Full control - This folder, subfolders and files
Users - Read &amp; execute - This folder, subfolders and files
Users - Create folders / append data - This folder and subfolders
Users - Create files / write data - Subfolders only
CREATOR OWNER - Full Control - Subfolders and files only
 
Alternately, use Icacls:
 
Open a Command prompt (admin).
Enter icacls followed by the directory:
 
icacls c:\
 
The following results should be displayed:
 
c:\
NT AUTHORITY\SYSTEM:(OI)(CI)(F)
BUILTIN\Administrators:(OI)(CI)(F)
BUILTIN\Users:(OI)(CI)(RX)
BUILTIN\Users:(CI)(AD)
BUILTIN\Users:(CI)(IO)(WD)
CREATOR OWNER:(OI)(CI)(IO)(F)
Successfully processed 1 files; Failed processing 0 files</rawString>
    </Rule>
    <Rule id="V-40179" severity="medium" conversionstatus="pass" title="WNGE-000008" dscresource="NTFSAccessEntry">
      <AccessControlEntry>
        <Entry>
          <Type>
          </Type>
          <Principal>TrustedInstaller</Principal>
          <ForcePrincipal>False</ForcePrincipal>
          <Inheritance>This folder and subfolders</Inheritance>
          <Rights>FullControl</Rights>
        </Entry>
        <Entry>
          <Type>
          </Type>
          <Principal>SYSTEM</Principal>
          <ForcePrincipal>False</ForcePrincipal>
          <Inheritance>This folder only</Inheritance>
          <Rights>Modify</Rights>
        </Entry>
        <Entry>
          <Type>
          </Type>
          <Principal>SYSTEM</Principal>
          <ForcePrincipal>False</ForcePrincipal>
          <Inheritance>Subfolders and files only</Inheritance>
          <Rights>FullControl</Rights>
        </Entry>
        <Entry>
          <Type>
          </Type>
          <Principal>Administrators</Principal>
          <ForcePrincipal>False</ForcePrincipal>
          <Inheritance>This folder only</Inheritance>
          <Rights>Modify</Rights>
        </Entry>
        <Entry>
          <Type>
          </Type>
          <Principal>Administrators</Principal>
          <ForcePrincipal>False</ForcePrincipal>
          <Inheritance>Subfolders and files only</Inheritance>
          <Rights>FullControl</Rights>
        </Entry>
        <Entry>
          <Type>
          </Type>
          <Principal>Users</Principal>
          <ForcePrincipal>False</ForcePrincipal>
          <Inheritance>This folder subfolders and files</Inheritance>
          <Rights>ReadAndExecute</Rights>
        </Entry>
        <Entry>
          <Type>
          </Type>
          <Principal>CREATOR OWNER</Principal>
          <ForcePrincipal>False</ForcePrincipal>
          <Inheritance>Subfolders and files only</Inheritance>
          <Rights>FullControl</Rights>
        </Entry>
        <Entry>
          <Type>
          </Type>
          <Principal>ALL APPLICATION PACKAGES</Principal>
          <ForcePrincipal>False</ForcePrincipal>
          <Inheritance>This folder subfolders and files</Inheritance>
          <Rights>ReadAndExecute</Rights>
        </Entry>
      </AccessControlEntry>
      <Force>True</Force>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <Path>%windir%</Path>
      <rawString>The default permissions are adequate when the Security Option "Network access: Let everyone permissions apply to anonymous users" is set to "Disabled" (V-3377). If the default ACLs are maintained and the referenced option is set to "Disabled", this is not a finding.
 
Verify the default permissions for the Windows installation directory (usually C:\Windows). Nonprivileged groups such as Users or Authenticated Users must not have greater than Read &amp; execute permissions except where noted as defaults. (Individual accounts must not be used to assign permissions.)
 
Viewing in File Explorer:
View the Properties of the folder.
Select the "Security" tab, and the "Advanced" button.
 
Default Permissions:
\Windows
Type - "Allow" for all
Inherited from - "None" for all
 
Principal - Access - Applies to
 
TrustedInstaller - Full control - This folder and subfolders
SYSTEM - Modify - This folder only
SYSTEM - Full control - Subfolders and files only
Administrators - Modify - This folder only
Administrators - Full control - Subfolders and files only
Users - Read &amp; execute - This folder, subfolders and files
CREATOR OWNER - Full control - Subfolders and files only
ALL APPLICATION PACKAGES - Read &amp; execute - This folder, subfolders and files
 
Alternately, use Icacls:
 
Open a Command prompt (admin).
Enter icacls followed by the directory:
 
icacls c:\windows
 
The following results should be displayed:
 
c:\windows
NT SERVICE\TrustedInstaller:(F)
NT SERVICE\TrustedInstaller:(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(M)
NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F)
BUILTIN\Administrators:(M)
BUILTIN\Administrators:(OI)(CI)(IO)(F)
BUILTIN\Users:(RX)
BUILTIN\Users:(OI)(CI)(IO)(GR,GE)
CREATOR OWNER:(OI)(CI)(IO)(F)
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(RX)
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE)
Successfully processed 1 files; Failed processing 0 files</rawString>
    </Rule>
    <Rule id="V-57721" severity="medium" conversionstatus="pass" title="WINAU-000213" dscresource="NTFSAccessEntry">
      <AccessControlEntry>
        <Entry>
          <Type>
          </Type>
          <Principal>TrustedInstaller</Principal>
          <ForcePrincipal>False</ForcePrincipal>
          <Inheritance>
          </Inheritance>
          <Rights>FullControl</Rights>
        </Entry>
        <Entry>
          <Type>
          </Type>
          <Principal>Administrators</Principal>
          <ForcePrincipal>False</ForcePrincipal>
          <Inheritance>
          </Inheritance>
          <Rights>ReadAndExecute</Rights>
        </Entry>
        <Entry>
          <Type>
          </Type>
          <Principal>SYSTEM</Principal>
          <ForcePrincipal>False</ForcePrincipal>
          <Inheritance>
          </Inheritance>
          <Rights>ReadAndExecute</Rights>
        </Entry>
        <Entry>
          <Type>
          </Type>
          <Principal>Users</Principal>
          <ForcePrincipal>False</ForcePrincipal>
          <Inheritance>
          </Inheritance>
          <Rights>ReadAndExecute</Rights>
        </Entry>
        <Entry>
          <Type>
          </Type>
          <Principal>ALL APPLICATION PACKAGES</Principal>
          <ForcePrincipal>False</ForcePrincipal>
          <Inheritance>
          </Inheritance>
          <Rights>ReadAndExecute</Rights>
        </Entry>
      </AccessControlEntry>
      <Force>True</Force>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <Path>%windir%\SYSTEM32\eventvwr.exe</Path>
      <rawString>Verify the permissions on Event Viewer only allow TrustedInstaller permissions to change or modify. If any groups or accounts other than TrustedInstaller have Full control or Modify, this is a finding.
 
Navigate to "%SystemRoot%\SYSTEM32".
View the permissions on "Eventvwr.exe".
 
The default permissions below satisfy this requirement.
TrustedInstaller - Full Control
Administrators, SYSTEM, Users, ALL APPLICATION PACKAGES - Read &amp; Execute</rawString>
    </Rule>
  </PermissionRule>
  <RegistryRule dscresourcemodule="PSDesiredStateConfiguration">
    <Rule id="V-1075" severity="low" conversionstatus="pass" title="Display Shutdown Button" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\
 
Value Name: ShutdownWithoutLogon
 
Value Type: REG_DWORD
Value: 0</rawString>
      <ValueData>0</ValueData>
      <ValueName>ShutdownWithoutLogon</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-1089" severity="medium" conversionstatus="pass" title="Legal Notice Display" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\
 
Value Name: LegalNoticeText
 
Value Type: REG_SZ
Value: See message text below
 
You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.
 
By using this IS (which includes any device attached to this IS), you consent to the following conditions:
 
-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
 
-At any time, the USG may inspect and seize data stored on this IS.
 
-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
 
-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
 
-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.
 
Any OS versions that do not support the full text version must state the following:
"I've read &amp; consent to terms in IS user agreem't."
 
Deviations are not permitted except as authorized by the Deputy Assistant Secretary of Defense for Information and Identity Assurance.</rawString>
      <ValueData>You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.
By using this IS (which includes any device attached to this IS), you consent to the following conditions:
-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
-At any time, the USG may inspect and seize data stored on this IS.
-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.</ValueData>
      <ValueName>LegalNoticeText</ValueName>
      <ValueType>String</ValueType>
    </Rule>
    <Rule id="V-1090" severity="low" conversionstatus="pass" title="Caching of logon credentials" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon</Key>
      <OrganizationValueRequired>True</OrganizationValueRequired>
      <OrganizationValueTestString>{0} -le '4'</OrganizationValueTestString>
      <rawString>If the system is not a member of a domain, this is NA.
 
If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
 
Value Name: CachedLogonsCount
 
Value Type: REG_SZ
Value: 4 (or less)</rawString>
      <ValueData />
      <ValueName>CachedLogonsCount</ValueName>
      <ValueType>String</ValueType>
    </Rule>
    <Rule id="V-1093" severity="high" conversionstatus="pass" title="Anonymous shares are not restricted" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \System\CurrentControlSet\Control\Lsa\
 
Value Name: RestrictAnonymous
 
Value Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>RestrictAnonymous</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-1136" severity="low" conversionstatus="pass" title="Forcibly Disconnect when Logon Hours Expire" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \System\CurrentControlSet\Services\LanManServer\Parameters\
 
Value Name: EnableForcedLogoff
 
Value Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>EnableForcedLogoff</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-1141" severity="medium" conversionstatus="pass" title="Unencrypted Password is Sent to SMB Server." dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters\
 
Value Name: EnablePlainTextPassword
 
Value Type: REG_DWORD
Value: 0</rawString>
      <ValueData>0</ValueData>
      <ValueName>EnablePlainTextPassword</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-1145" severity="medium" conversionstatus="pass" title="Disable Automatic Logon" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Microsoft\Windows NT\CurrentVersion\Winlogon\
 
Value Name: AutoAdminLogon
 
Type: REG_SZ
Value: 0</rawString>
      <ValueData>0</ValueData>
      <ValueName>AutoAdminLogon</ValueName>
      <ValueType>String</ValueType>
    </Rule>
    <Rule id="V-1151" severity="low" conversionstatus="pass" title="Secure Print Driver Installation" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers\
 
Value Name: AddPrinterDrivers
 
Value Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>AddPrinterDrivers</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-1153" severity="high" conversionstatus="pass" title="LanMan Authentication Level" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \System\CurrentControlSet\Control\Lsa\
 
Value Name: LmCompatibilityLevel
 
Value Type: REG_DWORD
Value: 5</rawString>
      <ValueData>5</ValueData>
      <ValueName>LmCompatibilityLevel</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-1154" severity="medium" conversionstatus="pass" title="Ctrl+Alt+Del Security Attention Sequence" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\
 
Value Name: DisableCAD
 
Value Type: REG_DWORD
Value: 0</rawString>
      <ValueData>0</ValueData>
      <ValueName>DisableCAD</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-1157" severity="medium" conversionstatus="pass" title="Smart Card Removal Option " dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon</Key>
      <OrganizationValueRequired>True</OrganizationValueRequired>
      <OrganizationValueTestString>{0} -match '1|2'</OrganizationValueTestString>
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Microsoft\Windows NT\CurrentVersion\Winlogon\
  
Value Name: SCRemoveOption
 
Value Type: REG_SZ
Value: 1 (Lock Workstation) or 2 (Force Logoff)
 
If configuring this on servers causes issues such as terminating users' remote sessions and the site has a policy in place that any other sessions on the servers such as administrative console logons, are manually locked or logged off when unattended or not in use, this would be acceptable. This must be documented with the ISSO.</rawString>
      <ValueData />
      <ValueName>SCRemoveOption</ValueName>
      <ValueType>String</ValueType>
    </Rule>
    <Rule id="V-1162" severity="medium" conversionstatus="pass" title="SMB Server Packet Signing (if client agrees)" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \System\CurrentControlSet\Services\LanManServer\Parameters\
 
Value Name: EnableSecuritySignature
 
Value Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>EnableSecuritySignature</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-1163" severity="medium" conversionstatus="pass" title="Encryption of Secure Channel Traffic" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\
 
Value Name: SealSecureChannel
 
Value Type: REG_DWORD
Value: 1
 
If the value for "Domain Member: Digitally encrypt or sign secure channel data (always)" is set to "Enabled", this can be NA (see V-6831).</rawString>
      <ValueData>1</ValueData>
      <ValueName>SealSecureChannel</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-1164" severity="medium" conversionstatus="pass" title="Signing of Secure Channel Traffic" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\
 
Value Name: SignSecureChannel
 
Value Type: REG_DWORD
Value: 1
 
If the value for "Domain Member: Digitally encrypt or sign secure channel data (always)" is set to "Enabled", this can be NA (see V-6831).</rawString>
      <ValueData>1</ValueData>
      <ValueName>SignSecureChannel</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-1165" severity="low" conversionstatus="pass" title="Computer Account Password Reset" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \System\CurrentControlSet\Services\Netlogon\Parameters\
 
Value Name: DisablePasswordChange
 
Value Type: REG_DWORD
Value: 0</rawString>
      <ValueData>0</ValueData>
      <ValueName>DisablePasswordChange</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-1166" severity="medium" conversionstatus="pass" title="SMB Client Packet Signing (if server agrees)" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \System\CurrentControlSet\Services\LanmanWorkstation\Parameters\
 
Value Name: EnableSecuritySignature
 
Value Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>EnableSecuritySignature</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-1171" severity="medium" conversionstatus="pass" title="Format and Eject Removable Media" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Microsoft\Windows NT\CurrentVersion\Winlogon\
 
Value Name: AllocateDASD
 
Value Type: REG_SZ
Value: 0</rawString>
      <ValueData>0</ValueData>
      <ValueName>AllocateDASD</ValueName>
      <ValueType>String</ValueType>
    </Rule>
    <Rule id="V-1172" severity="low" conversionstatus="pass" title="Password Expiration Warning" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon</Key>
      <OrganizationValueRequired>True</OrganizationValueRequired>
      <OrganizationValueTestString>{0} -ge '14'</OrganizationValueTestString>
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Microsoft\Windows NT\CurrentVersion\Winlogon\
 
Value Name: PasswordExpiryWarning
 
Value Type: REG_DWORD
Value: 14 (or greater)</rawString>
      <ValueData />
      <ValueName>PasswordExpiryWarning</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-1173" severity="low" conversionstatus="pass" title="Global System Objects Permission Strength" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \System\CurrentControlSet\Control\Session Manager\
 
Value Name: ProtectionMode
 
Value Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>ProtectionMode</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-1174" severity="low" conversionstatus="pass" title="Idle Time Before Suspending a Session." dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters</Key>
      <OrganizationValueRequired>True</OrganizationValueRequired>
      <OrganizationValueTestString>{0} -le '15'</OrganizationValueTestString>
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \SYSTEM\CurrentControlSet\Services\LanManServer\Parameters\
 
Value Name: autodisconnect
 
Value Type: REG_DWORD
Value: 0x0000000f (15) (or less)</rawString>
      <ValueData />
      <ValueName>autodisconnect</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-2374" severity="high" conversionstatus="pass" title="Disable Media Autoplay" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\
 
Value Name: NoDriveTypeAutoRun
 
Type: REG_DWORD
Value: 0x000000ff (255)</rawString>
      <ValueData>255</ValueData>
      <ValueName>NoDriveTypeAutoRun</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-3338" severity="high" conversionstatus="pass" title="Anonymous Access to Named Pipes" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>True</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \System\CurrentControlSet\Services\LanManServer\Parameters\
 
Value Name: NullSessionPipes
 
Value Type: REG_MULTI_SZ
Value: (blank)
 
Legitimate applications may add entries to this registry value. If an application requires these entries to function properly and is documented with the ISSO, this would not be a finding. Documentation must contain supporting information from the vendor's instructions.</rawString>
      <ValueData></ValueData>
      <ValueName>NullSessionPipes</ValueName>
      <ValueType>MultiString</ValueType>
    </Rule>
    <Rule id="V-3339" severity="high" conversionstatus="pass" title="Remotely Accessible Registry Paths" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths\
 
Value Name: Machine
 
Value Type: REG_MULTI_SZ
Value: see below
 
System\CurrentControlSet\Control\ProductOptions
System\CurrentControlSet\Control\Server Applications
Software\Microsoft\Windows NT\CurrentVersion
 
Legitimate applications may add entries to this registry value. If an application requires these entries to function properly and is documented with the ISSO, this would not be a finding. Documentation must contain supporting information from the vendor's instructions.</rawString>
      <ValueData>System\CurrentControlSet\Control\ProductOptions;System\CurrentControlSet\Control\Server Applications;Software\Microsoft\Windows NT\CurrentVersion</ValueData>
      <ValueName>Machine</ValueName>
      <ValueType>MultiString</ValueType>
    </Rule>
    <Rule id="V-3340" severity="high" conversionstatus="pass" title="Anonymous Access to Network Shares" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>True</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist, this is not a finding:
 
If the following registry value does exist and is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \System\CurrentControlSet\Services\LanManServer\Parameters\
 
Value Name: NullSessionShares
 
Value Type: REG_MULTI_SZ
Value: (Blank)</rawString>
      <ValueData></ValueData>
      <ValueName>NullSessionShares</ValueName>
      <ValueType>MultiString</ValueType>
    </Rule>
    <Rule id="V-3343" severity="high" conversionstatus="pass" title="Remote Assistance - Solicit Remote Assistance" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\
 
Value Name: fAllowToGetHelp
  
Type: REG_DWORD
Value: 0</rawString>
      <ValueData>0</ValueData>
      <ValueName>fAllowToGetHelp</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-3344" severity="high" conversionstatus="pass" title="Limit Blank Passwords" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \System\CurrentControlSet\Control\Lsa\
 
Value Name: LimitBlankPasswordUse
 
Value Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>LimitBlankPasswordUse</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-3373" severity="low" conversionstatus="pass" title="Maximum Machine Account Password Age" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters</Key>
      <OrganizationValueRequired>True</OrganizationValueRequired>
      <OrganizationValueTestString>{0} -le '30' -and {0} -gt '0'</OrganizationValueTestString>
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \System\CurrentControlSet\Services\Netlogon\Parameters\
 
Value Name: MaximumPasswordAge
 
Value Type: REG_DWORD
Value: 30 (or less, but not 0)</rawString>
      <ValueData />
      <ValueName>MaximumPasswordAge</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-3374" severity="medium" conversionstatus="pass" title="Strong Session Key" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \System\CurrentControlSet\Services\Netlogon\Parameters\
 
Value Name: RequireStrongKey
 
Value Type: REG_DWORD
Value: 1
  
This setting may prevent a system from being joined to a domain if not configured consistently between systems.</rawString>
      <ValueData>1</ValueData>
      <ValueName>RequireStrongKey</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-3376" severity="medium" conversionstatus="pass" title="Storage of Passwords and Credentials" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \System\CurrentControlSet\Control\Lsa\
 
Value Name: DisableDomainCreds
 
Value Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>DisableDomainCreds</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-3377" severity="medium" conversionstatus="pass" title="Everyone Anonymous rights" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \System\CurrentControlSet\Control\Lsa\
 
Value Name: EveryoneIncludesAnonymous
 
Value Type: REG_DWORD
Value: 0</rawString>
      <ValueData>0</ValueData>
      <ValueName>EveryoneIncludesAnonymous</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-3378" severity="medium" conversionstatus="pass" title="Sharing and Security Model for Local Accounts" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \System\CurrentControlSet\Control\Lsa\
 
Value Name: ForceGuest
 
Value Type: REG_DWORD
Value: 0</rawString>
      <ValueData>0</ValueData>
      <ValueName>ForceGuest</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-3379" severity="high" conversionstatus="pass" title="LAN Manager Hash stored" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \System\CurrentControlSet\Control\Lsa\
 
Value Name: NoLMHash
 
Value Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>NoLMHash</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-3381" severity="medium" conversionstatus="pass" title="LDAP Client Signing" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \System\CurrentControlSet\Services\LDAP\
 
Value Name: LDAPClientIntegrity
 
Value Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>LDAPClientIntegrity</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-3382" severity="medium" conversionstatus="pass" title="Session Security for NTLM SSP Based Clients" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \System\CurrentControlSet\Control\Lsa\MSV1_0\
 
Value Name: NTLMMinClientSec
 
Value Type: REG_DWORD
Value: 0x20080000 (537395200)</rawString>
      <ValueData>537395200</ValueData>
      <ValueName>NTLMMinClientSec</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-3383" severity="medium" conversionstatus="pass" title="FIPS Compliant Algorithms " dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy\
 
Value Name: Enabled
 
Value Type: REG_DWORD
Value: 1
  
Warning: Clients with this setting enabled will not be able to communicate via digitally encrypted or signed protocols with servers that do not support these algorithms. Both the browser and web server must be configured to use TLS, or the browser will not be able to connect to a secure site.</rawString>
      <ValueData>1</ValueData>
      <ValueName>Enabled</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-3385" severity="medium" conversionstatus="pass" title="Case Insensitivity for Non-Windows" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \System\CurrentControlSet\Control\Session Manager\Kernel\
 
Value Name: ObCaseInsensitive
 
Value Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>ObCaseInsensitive</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-3449" severity="medium" conversionstatus="pass" title="TS/RDS - Session Limit" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\
 
Value Name: fSingleSessionPerUser
 
Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>fSingleSessionPerUser</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-3453" severity="medium" conversionstatus="pass" title="TS/RDS - Password Prompting" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\
 
Value Name: fPromptForPassword
 
Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>fPromptForPassword</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-3454" severity="medium" conversionstatus="pass" title="TS/RDS - Set Encryption Level" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\
 
Value Name: MinEncryptionLevel
 
Type: REG_DWORD
Value: 3</rawString>
      <ValueData>3</ValueData>
      <ValueName>MinEncryptionLevel</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-3455" severity="medium" conversionstatus="pass" title="TS/RDS - Do Not Use Temp Folders" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\
 
Value Name: PerSessionTempDir
 
Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>PerSessionTempDir</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-3456" severity="medium" conversionstatus="pass" title="TS/RDS - Delete Temp Folders" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\
 
Value Name: DeleteTempDirsOnExit
 
Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>DeleteTempDirsOnExit</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-3469" severity="medium" conversionstatus="pass" title="Group Policy - Do Not Turn off Background Refresh" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\system</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Review the registry.
If the following registry value does not exist, this is not a finding (this is the expected result from configuring the policy as outlined in the Fix section.):
If the following registry value exists but is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\system\
 
Value Name: DisableBkGndGroupPolicy
 
Type: REG_DWORD
Value: 0</rawString>
      <ValueData>0</ValueData>
      <ValueName>DisableBkGndGroupPolicy</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-3470" severity="medium" conversionstatus="pass" title="Remote Assistance - Offer Remote Assistance" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\
 
Value Name: fAllowUnsolicited
 
Type: REG_DWORD
Value: 0</rawString>
      <ValueData>0</ValueData>
      <ValueName>fAllowUnsolicited</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-3472.a" severity="low" conversionstatus="pass" title="Windows Time Service - Configure NTP Client" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\W32time\Parameters</Key>
      <OrganizationValueRequired>True</OrganizationValueRequired>
      <OrganizationValueTestString>'{0}' -match '^(NoSync|NTP|NT5DS|AllSync)$'</OrganizationValueTestString>
      <rawString>Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\W32time\Parameters\
Type: REG_SZ
Value Name: Type
Value: Possible values are NoSync, NTP, NT5DS, AllSync</rawString>
      <ValueData />
      <ValueName>Type</ValueName>
      <ValueType>String</ValueType>
    </Rule>
    <Rule id="V-3472.b" severity="low" conversionstatus="pass" title="Windows Time Service - Configure NTP Client" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\W32time\Parameters</Key>
      <OrganizationValueRequired>True</OrganizationValueRequired>
      <OrganizationValueTestString>'{0}' -notmatch 'time.windows.com'</OrganizationValueTestString>
      <rawString>Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\W32time\Parameters\
Type: REG_SZ
Value Name: NTPServer
Value: "address of the time server"</rawString>
      <ValueData />
      <ValueName>NTPServer</ValueName>
      <ValueType>String</ValueType>
    </Rule>
    <Rule id="V-3479" severity="medium" conversionstatus="pass" title="Safe DLL Search Mode" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \System\CurrentControlSet\Control\Session Manager\
 
Value Name: SafeDllSearchMode
 
Value Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>SafeDllSearchMode</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-3480" severity="medium" conversionstatus="pass" title="Media Player - Disable Automatic Updates" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsMediaPlayer</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Windows Media Player is not installed by default. If it is not installed, this is NA.
 
If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\WindowsMediaPlayer\
 
Value Name: DisableAutoupdate
 
Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>DisableAutoupdate</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-3666" severity="medium" conversionstatus="pass" title="Session Security for NTLM SSP based Servers" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \System\CurrentControlSet\Control\Lsa\MSV1_0\
 
Value Name: NTLMMinServerSec
 
Value Type: REG_DWORD
Value: 0x20080000 (537395200)</rawString>
      <ValueData>537395200</ValueData>
      <ValueName>NTLMMinServerSec</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-4108" severity="low" conversionstatus="pass" title="Audit Log Warning Level" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog\Security</Key>
      <OrganizationValueRequired>True</OrganizationValueRequired>
      <OrganizationValueTestString>{0} -le '90'</OrganizationValueTestString>
      <rawString>If the system is configured to write to an audit server, or is configured to automatically archive full logs, this is NA.
 
If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \System\CurrentControlSet\Services\Eventlog\Security\
 
Value Name: WarningLevel
 
Value Type: REG_DWORD
Value: 90 (or less)</rawString>
      <ValueData />
      <ValueName>WarningLevel</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-4110" severity="low" conversionstatus="pass" title="Disable IP Source Routing" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \System\CurrentControlSet\Services\Tcpip\Parameters\
 
Value Name: DisableIPSourceRouting
 
Value Type: REG_DWORD
Value: 2</rawString>
      <ValueData>2</ValueData>
      <ValueName>DisableIPSourceRouting</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-4111" severity="low" conversionstatus="pass" title="Disable ICMP Redirect" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \System\CurrentControlSet\Services\Tcpip\Parameters\
 
Value Name: EnableICMPRedirect
 
Value Type: REG_DWORD
Value: 0</rawString>
      <ValueData>0</ValueData>
      <ValueName>EnableICMPRedirect</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-4112" severity="low" conversionstatus="pass" title="Disable Router Discovery" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \System\CurrentControlSet\Services\Tcpip\Parameters\
 
Value Name: PerformRouterDiscovery
 
Value Type: REG_DWORD
Value: 0</rawString>
      <ValueData>0</ValueData>
      <ValueName>PerformRouterDiscovery</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-4113" severity="low" conversionstatus="pass" title="TCP Connection Keep-Alive Time" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters</Key>
      <OrganizationValueRequired>True</OrganizationValueRequired>
      <OrganizationValueTestString>{0} -le '300000'</OrganizationValueTestString>
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \System\CurrentControlSet\Services\Tcpip\Parameters\
 
Value Name: KeepAliveTime
 
Value Type: REG_DWORD
Value: 300000 (or less)</rawString>
      <ValueData />
      <ValueName>KeepAliveTime</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-4116" severity="low" conversionstatus="pass" title="Name-Release Attacks" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netbt\Parameters</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \SYSTEM\CurrentControlSet\Services\Netbt\Parameters\
 
Value Name: NoNameReleaseOnDemand
 
Value Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>NoNameReleaseOnDemand</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-4438" severity="low" conversionstatus="pass" title="TCP Data Retransmissions" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters</Key>
      <OrganizationValueRequired>True</OrganizationValueRequired>
      <OrganizationValueTestString>{0} -le '3'</OrganizationValueTestString>
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\
 
Value Name: TcpMaxDataRetransmissions
 
Value Type: REG_DWORD
Value: 3 (or less)</rawString>
      <ValueData />
      <ValueName>TcpMaxDataRetransmissions</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-4442" severity="low" conversionstatus="pass" title="Screen Saver Grace Period" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon</Key>
      <OrganizationValueRequired>True</OrganizationValueRequired>
      <OrganizationValueTestString>{0} -le '5'</OrganizationValueTestString>
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Microsoft\Windows NT\CurrentVersion\Winlogon\
 
Value Name: ScreenSaverGracePeriod
 
Value Type: REG_SZ
Value: 5 (or less)</rawString>
      <ValueData />
      <ValueName>ScreenSaverGracePeriod</ValueName>
      <ValueType>String</ValueType>
    </Rule>
    <Rule id="V-4443" severity="high" conversionstatus="pass" title="Remotely Accessible Registry Paths and Sub-Paths" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths\
 
Value Name: Machine
 
Value Type: REG_MULTI_SZ
Value: see below
 
Software\Microsoft\OLAP Server
Software\Microsoft\Windows NT\CurrentVersion\Perflib
Software\Microsoft\Windows NT\CurrentVersion\Print
Software\Microsoft\Windows NT\CurrentVersion\Windows
System\CurrentControlSet\Control\ContentIndex
System\CurrentControlSet\Control\Print\Printers
System\CurrentControlSet\Control\Terminal Server
System\CurrentControlSet\Control\Terminal Server\UserConfig
System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration
System\CurrentControlSet\Services\Eventlog
System\CurrentControlSet\Services\Sysmonlog
 
Legitimate applications may add entries to this registry value. If an application requires these entries to function properly and is documented with the ISSO, this would not be a finding. Documentation must contain supporting information from the vendor's instructions.</rawString>
      <ValueData>Software\Microsoft\OLAP Server;Software\Microsoft\Windows NT\CurrentVersion\Perflib;Software\Microsoft\Windows NT\CurrentVersion\Print;Software\Microsoft\Windows NT\CurrentVersion\Windows;System\CurrentControlSet\Control\ContentIndex;System\CurrentControlSet\Control\Print\Printers;System\CurrentControlSet\Control\Terminal Server;System\CurrentControlSet\Control\Terminal Server\UserConfig;System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration;System\CurrentControlSet\Services\Eventlog;System\CurrentControlSet\Services\Sysmonlog</ValueData>
      <ValueName>Machine</ValueName>
      <ValueType>MultiString</ValueType>
    </Rule>
    <Rule id="V-4445" severity="low" conversionstatus="pass" title="Optional Subsystems" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>True</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Subsystems</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \System\CurrentControlSet\Control\Session Manager\Subsystems\
 
Value Name: Optional
 
Value Type: REG_MULTI_SZ
Value: (Blank)</rawString>
      <ValueData></ValueData>
      <ValueName>Optional</ValueName>
      <ValueType>MultiString</ValueType>
    </Rule>
    <Rule id="V-4447" severity="medium" conversionstatus="pass" title="TS/RDS - Secure RPC Connection." dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\
 
Value Name: fEncryptRPCTraffic
 
Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>fEncryptRPCTraffic</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-4448" severity="medium" conversionstatus="pass" title="Group Policy - Registry Policy Processing" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}\
 
Value Name: NoGPOListChanges
 
Type: REG_DWORD
Value: 0</rawString>
      <ValueData>0</ValueData>
      <ValueName>NoGPOListChanges</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-6831" severity="medium" conversionstatus="pass" title="Encrypting and Signing of Secure Channel Traffic" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \System\CurrentControlSet\Services\Netlogon\Parameters\
 
Value Name: RequireSignOrSeal
 
Value Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>RequireSignOrSeal</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-6832" severity="medium" conversionstatus="pass" title="SMB Client Packet Signing (Always)" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \System\CurrentControlSet\Services\LanmanWorkstation\Parameters\
 
Value Name: RequireSecuritySignature
 
Value Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>RequireSecuritySignature</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-6833" severity="medium" conversionstatus="pass" title="SMB Server Packet Signing (Always)" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \System\CurrentControlSet\Services\LanManServer\Parameters\
 
Value Name: RequireSecuritySignature
 
Value Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>RequireSecuritySignature</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-6834" severity="high" conversionstatus="pass" title="Anonymous Access to Named Pipes and Shares" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \System\CurrentControlSet\Services\LanManServer\Parameters\
 
Value Name: RestrictNullSessAccess
 
Value Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>RestrictNullSessAccess</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-11806" severity="low" conversionstatus="pass" title="Display of Last User Name" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\
 
Value Name: DontDisplayLastUserName
 
Value Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>DontDisplayLastUserName</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-14228" severity="medium" conversionstatus="pass" title="Audit Access of Global System Objects" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \System\CurrentControlSet\Control\Lsa\
 
Value Name: AuditBaseObjects
 
Value Type: REG_DWORD
Value: 0</rawString>
      <ValueData>0</ValueData>
      <ValueName>AuditBaseObjects</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-14229" severity="medium" conversionstatus="pass" title="Audit Backup and Restore Privileges" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \System\CurrentControlSet\Control\Lsa\
 
Value Name: FullPrivilegeAuditing
 
Value Type: REG_BINARY
Value: 0</rawString>
      <ValueData>0</ValueData>
      <ValueName>FullPrivilegeAuditing</ValueName>
      <ValueType>Binary</ValueType>
    </Rule>
    <Rule id="V-14230" severity="medium" conversionstatus="pass" title="Audit Policy Subcategory Setting" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \System\CurrentControlSet\Control\Lsa\
 
Value Name: SCENoApplyLegacyAuditPolicy
 
Value Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>SCENoApplyLegacyAuditPolicy</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-14232" severity="low" conversionstatus="pass" title="IPSec Exemptions" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\IPSEC</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \System\CurrentControlSet\Services\IPSEC\
 
Value Name: NoDefaultExempt
 
Value Type: REG_DWORD
Value: 3</rawString>
      <ValueData>3</ValueData>
      <ValueName>NoDefaultExempt</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-14234" severity="medium" conversionstatus="pass" title="UAC - Admin Approval Mode" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>UAC requirements are NA on Server Core installations.
 
If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\
 
Value Name: FilterAdministratorToken
 
Value Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>FilterAdministratorToken</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-14235" severity="medium" conversionstatus="pass" title="UAC - Admin Elevation Prompt" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System</Key>
      <OrganizationValueRequired>True</OrganizationValueRequired>
      <OrganizationValueTestString>'{0}' -le '4'</OrganizationValueTestString>
      <rawString>UAC requirements are NA on Server Core installations.
 
If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\
 
Value Name: ConsentPromptBehaviorAdmin
 
Value Type: REG_DWORD
Value: 4 (Prompt for consent)
3 (Prompt for credentials)
2 (Prompt for consent on the secure desktop)
1 (Prompt for credentials on the secure desktop)</rawString>
      <ValueData />
      <ValueName>ConsentPromptBehaviorAdmin</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-14236" severity="medium" conversionstatus="pass" title="UAC - User Elevation Prompt" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>UAC requirements are NA on Server Core installations.
 
If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\
 
Value Name: ConsentPromptBehaviorUser
 
Value Type: REG_DWORD
Value: 0</rawString>
      <ValueData>0</ValueData>
      <ValueName>ConsentPromptBehaviorUser</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-14237" severity="medium" conversionstatus="pass" title="UAC - Application Installations" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>UAC requirements are NA on Server Core installations.
 
If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\
 
Value Name: EnableInstallerDetection
 
Value Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>EnableInstallerDetection</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-14239" severity="medium" conversionstatus="pass" title="UAC - UIAccess Application Elevation" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>UAC requirements are NA on Server Core installations.
 
If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\
 
Value Name: EnableSecureUIAPaths
 
Value Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>EnableSecureUIAPaths</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-14240" severity="medium" conversionstatus="pass" title="UAC - All Admin Approval Mode" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>UAC requirements are NA on Server Core installations.
 
If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\
 
Value Name: EnableLUA
 
Value Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>EnableLUA</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-14241" severity="medium" conversionstatus="pass" title="UAC - Secure Desktop Mode" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>UAC requirements are NA on Server Core installations.
 
If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\
 
Value Name: PromptOnSecureDesktop
 
Value Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>PromptOnSecureDesktop</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-14242" severity="medium" conversionstatus="pass" title="UAC - Non UAC Compliant Application Virtualization" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>UAC requirements are NA on Server Core installations.
 
If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\
 
Value Name: EnableVirtualization
 
Value Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>EnableVirtualization</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-14243" severity="medium" conversionstatus="pass" title="Enumerate Administrator Accounts on Elevation" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI\
 
Value Name: EnumerateAdministrators
 
Type: REG_DWORD
Value: 0x00000000 (0)</rawString>
      <ValueData>0</ValueData>
      <ValueName>EnumerateAdministrators</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-14247" severity="medium" conversionstatus="pass" title="TS/RDS - Prevent Password Saving" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\
 
Value Name: DisablePasswordSaving
 
Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>DisablePasswordSaving</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-14249" severity="medium" conversionstatus="pass" title="TS/RDS - Drive Redirection" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\
 
Value Name: fDisableCdm
 
Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>fDisableCdm</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-14253" severity="medium" conversionstatus="pass" title="RPC - Unauthenticated RPC Clients" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \SOFTWARE\Policies\Microsoft\Windows NT\Rpc\
 
Value Name: RestrictRemoteClients
 
Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>RestrictRemoteClients</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-14259" severity="medium" conversionstatus="pass" title="Printing Over HTTP" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Windows NT\Printers\
 
Value Name: DisableHTTPPrinting
 
Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>DisableHTTPPrinting</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-14260" severity="medium" conversionstatus="pass" title="HTTP Printer Drivers" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Windows NT\Printers\
 
Value Name: DisableWebPnPDownload
 
Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>DisableWebPnPDownload</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-14261" severity="medium" conversionstatus="pass" title="Windows Update Device Drive Searching" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DriverSearching</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Windows\DriverSearching\
 
Value Name: DontSearchWindowsUpdate
 
Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>DontSearchWindowsUpdate</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-15666" severity="medium" conversionstatus="pass" title="Windows Peer to Peer Networking " dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Peernet</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Peernet\
 
Value Name: Disabled
 
Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>Disabled</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-15667" severity="medium" conversionstatus="pass" title="Prohibit Network Bridge" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Network Connections</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Windows\Network Connections\
 
Value Name: NC_AllowNetBridge_NLA
 
Type: REG_DWORD
Value: 0</rawString>
      <ValueData>0</ValueData>
      <ValueName>NC_AllowNetBridge_NLA</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-15672" severity="low" conversionstatus="pass" title="Event Viewer Events.asp Links" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\EventViewer</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\EventViewer\
 
Value Name: MicrosoftEventVwrDisableLinks
 
Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>MicrosoftEventVwrDisableLinks</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-15674" severity="medium" conversionstatus="pass" title="Internet File Association Service " dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
 
Value Name: NoInternetOpenWith
 
Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>NoInternetOpenWith</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-15680" severity="low" conversionstatus="pass" title="Classic Logon" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the system is a member of a domain, this is NA.
 
If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\
 
Value Name: LogonType
 
Type: REG_DWORD
Value: 0</rawString>
      <ValueData>0</ValueData>
      <ValueName>LogonType</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-15682" severity="medium" conversionstatus="pass" title="RSS Attachment Downloads" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Feeds</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Internet Explorer\Feeds\
 
Value Name: DisableEnclosureDownload
 
Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>DisableEnclosureDownload</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-15683" severity="medium" conversionstatus="pass" title="Windows Explorer – Shell Protocol Protected Mode " dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
 
Value Name: PreXPSP2ShellProtocolBehavior
 
Type: REG_DWORD
Value: 0</rawString>
      <ValueData>0</ValueData>
      <ValueName>PreXPSP2ShellProtocolBehavior</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-15684" severity="medium" conversionstatus="pass" title="Windows Installer – IE Security Prompt" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Windows\Installer\
 
Value Name: SafeForScripting
 
Type: REG_DWORD
Value: 0</rawString>
      <ValueData>0</ValueData>
      <ValueName>SafeForScripting</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-15685" severity="medium" conversionstatus="pass" title="Windows Installer – User Control " dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Windows\Installer\
 
Value Name: EnableUserControl
 
Type: REG_DWORD
Value: 0</rawString>
      <ValueData>0</ValueData>
      <ValueName>EnableUserControl</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-15686" severity="low" conversionstatus="pass" title="Windows Installer – Vendor Signed Updates" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Windows\Installer\
 
Value Name: DisableLUAPatching
 
Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>DisableLUAPatching</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-15687" severity="low" conversionstatus="pass" title="Media Player – First Use Dialog Boxes " dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsMediaPlayer</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Windows Media Player is not installed by default. If it is not installed, this is NA.
 
If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\WindowsMediaPlayer\
 
Value Name: GroupPrivacyAcceptance
 
Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>GroupPrivacyAcceptance</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-15696.a" severity="medium" conversionstatus="pass" title="Network – Mapper I/O Driver " dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\LLTD</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Windows\LLTD\
Type: REG_DWORD
Value Name: AllowLLTDIOOndomain
Value: 0</rawString>
      <ValueData>0</ValueData>
      <ValueName>AllowLLTDIOOndomain</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-15696.b" severity="medium" conversionstatus="pass" title="Network – Mapper I/O Driver " dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\LLTD</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Windows\LLTD\
Type: REG_DWORD
Value Name: AllowLLTDIOOnPublicNet
Value: 0</rawString>
      <ValueData>0</ValueData>
      <ValueName>AllowLLTDIOOnPublicNet</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-15696.c" severity="medium" conversionstatus="pass" title="Network – Mapper I/O Driver " dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\LLTD</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Windows\LLTD\
Type: REG_DWORD
Value Name: EnableLLTDIO
Value: 0</rawString>
      <ValueData>0</ValueData>
      <ValueName>EnableLLTDIO</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-15696.d" severity="medium" conversionstatus="pass" title="Network – Mapper I/O Driver " dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\LLTD</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Windows\LLTD\
Type: REG_DWORD
Value Name: ProhibitLLTDIOOnPrivateNet
Value: 0</rawString>
      <ValueData>0</ValueData>
      <ValueName>ProhibitLLTDIOOnPrivateNet</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-15697.a" severity="medium" conversionstatus="pass" title="Network – Responder Driver " dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\LLTD</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Windows\LLTD\
Type: REG_DWORD
Value Name: AllowRspndrOndomain
Value: 0</rawString>
      <ValueData>0</ValueData>
      <ValueName>AllowRspndrOndomain</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-15697.b" severity="medium" conversionstatus="pass" title="Network – Responder Driver " dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\LLTD</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Windows\LLTD\
Type: REG_DWORD
Value Name: AllowRspndrOnPublicNet
Value: 0</rawString>
      <ValueData>0</ValueData>
      <ValueName>AllowRspndrOnPublicNet</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-15697.c" severity="medium" conversionstatus="pass" title="Network – Responder Driver " dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\LLTD</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Windows\LLTD\
Type: REG_DWORD
Value Name: EnableRspndr
Value: 0</rawString>
      <ValueData>0</ValueData>
      <ValueName>EnableRspndr</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-15697.d" severity="medium" conversionstatus="pass" title="Network – Responder Driver " dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\LLTD</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Windows\LLTD\
Type: REG_DWORD
Value Name: ProhibitRspndrOnPrivateNet
Value: 0</rawString>
      <ValueData>0</ValueData>
      <ValueName>ProhibitRspndrOnPrivateNet</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-15698.a" severity="medium" conversionstatus="pass" title="Network – WCN Wireless Configuration " dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WCN\Registrars</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Windows\WCN\Registrars\
Type: REG_DWORD
Value Name: DisableFlashConfigRegistrar
Value: 0</rawString>
      <ValueData>0</ValueData>
      <ValueName>DisableFlashConfigRegistrar</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-15698.b" severity="medium" conversionstatus="pass" title="Network – WCN Wireless Configuration " dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WCN\Registrars</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Windows\WCN\Registrars\
Type: REG_DWORD
Value Name: DisableInBand802DOT11Registrar
Value: 0</rawString>
      <ValueData>0</ValueData>
      <ValueName>DisableInBand802DOT11Registrar</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-15698.c" severity="medium" conversionstatus="pass" title="Network – WCN Wireless Configuration " dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WCN\Registrars</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Windows\WCN\Registrars\
Type: REG_DWORD
Value Name: DisableUPnPRegistrar
Value: 0</rawString>
      <ValueData>0</ValueData>
      <ValueName>DisableUPnPRegistrar</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-15698.d" severity="medium" conversionstatus="pass" title="Network – WCN Wireless Configuration " dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WCN\Registrars</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Windows\WCN\Registrars\
Type: REG_DWORD
Value Name: DisableWPDRegistrar
Value: 0</rawString>
      <ValueData>0</ValueData>
      <ValueName>DisableWPDRegistrar</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-15698.e" severity="medium" conversionstatus="pass" title="Network – WCN Wireless Configuration " dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WCN\Registrars</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Windows\WCN\Registrars\
Type: REG_DWORD
Value Name: EnableRegistrars
Value: 0</rawString>
      <ValueData>0</ValueData>
      <ValueName>EnableRegistrars</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-15699" severity="medium" conversionstatus="pass" title="Network – Windows Connect Now Wizards " dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WCN\UI</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Windows\WCN\UI\
 
Value Name: DisableWcnUi
 
Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>DisableWcnUi</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-15700" severity="medium" conversionstatus="pass" title="Device Install – PnP Interface Remote Access " dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceInstall\Settings</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Windows\DeviceInstall\Settings\
 
Value Name: AllowRemoteRPC
 
Type: REG_DWORD
Value: 0</rawString>
      <ValueData>0</ValueData>
      <ValueName>AllowRemoteRPC</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-15701" severity="low" conversionstatus="pass" title="Device Install – Drivers System Restore Point" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceInstall\Settings</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Windows\DeviceInstall\Settings\
 
Value Name: DisableSystemRestore
 
Type: REG_DWORD
Value: 0</rawString>
      <ValueData>0</ValueData>
      <ValueName>DisableSystemRestore</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-15702" severity="low" conversionstatus="pass" title="Device Install – Generic Driver Error Report" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceInstall\Settings</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Windows\DeviceInstall\Settings\
 
Value Name: DisableSendGenericDriverNotFoundToWER
 
Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>DisableSendGenericDriverNotFoundToWER</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-15703" severity="low" conversionstatus="pass" title="Driver Install – Device Driver Search Prompt" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DriverSearching</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Windows\DriverSearching\
 
Value Name: DontPromptForWindowsUpdate
 
Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>DontPromptForWindowsUpdate</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-15704" severity="low" conversionstatus="pass" title="Handwriting Recognition Error Reporting" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\HandwritingErrorReports</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Windows\HandwritingErrorReports\
 
Value Name: PreventHandwritingErrorReports
 
Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>PreventHandwritingErrorReports</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-15705" severity="medium" conversionstatus="pass" title="Power Mgmt – Password Wake on Battery" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51\
 
Value Name: DCSettingIndex
 
Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>DCSettingIndex</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-15706" severity="medium" conversionstatus="pass" title="Power Mgmt – Password Wake When Plugged In" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51\
 
Value Name: ACSettingIndex
 
Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>ACSettingIndex</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-15707" severity="low" conversionstatus="pass" title="Remote Assistance – Session Logging" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\
 
Value Name: LoggingEnabled
 
Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>LoggingEnabled</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-15713" severity="medium" conversionstatus="pass" title="Defender – SpyNet Reporting" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet</Key>
      <OrganizationValueRequired>True</OrganizationValueRequired>
      <OrganizationValueTestString>{0} -notmatch '1|2'</OrganizationValueTestString>
      <rawString>If the following registry value exists and is set to "1" (Basic) or "2" (Advanced), this is a finding:
 
If the registry value does not exist, this is not a finding.
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet\
 
Value Name: SpyNetReporting
 
Type: REG_DWORD
Value: 1 or 2 = a Finding</rawString>
      <ValueData />
      <ValueName>SpyNetReporting</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-15718" severity="low" conversionstatus="pass" title="Windows Explorer – Heap Termination" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Explorer</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Windows\Explorer\
 
Value Name: NoHeapTerminationOnCorruption
 
Type: REG_DWORD
Value: 0</rawString>
      <ValueData>0</ValueData>
      <ValueName>NoHeapTerminationOnCorruption</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-15722" severity="medium" conversionstatus="pass" title="Media DRM – Internet Access" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WMDRM</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\WMDRM\
 
Value Name: DisableOnline
 
Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>DisableOnline</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-15991" severity="medium" conversionstatus="pass" title="UAC - UIAccess Secure Desktop" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>UAC requirements are NA on Server Core installations.
 
If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\
 
Value Name: EnableUIADesktopToggle
 
Value Type: REG_DWORD
Value: 0</rawString>
      <ValueData>0</ValueData>
      <ValueName>EnableUIADesktopToggle</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-15997" severity="medium" conversionstatus="pass" title="TS/RDS – COM Port Redirection" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\
 
Value Name: fDisableCcm
 
Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>fDisableCcm</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-15998" severity="medium" conversionstatus="pass" title="TS/RDS – LPT Port Redirection" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\
 
Value Name: fDisableLPT
 
Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>fDisableLPT</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-15999" severity="medium" conversionstatus="pass" title="TS/RDS - PNP Device Redirection" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\
 
Value Name: fDisablePNPRedir
 
Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>fDisablePNPRedir</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-16000" severity="medium" conversionstatus="pass" title="TS/RDS – Smart Card Device Redirection" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\
 
Value Name: fEnableSmartCard
 
Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>fEnableSmartCard</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-16008" severity="medium" conversionstatus="pass" title="UAC - Application Elevations" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>UAC requirements are NA on Server Core installations.
 
If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\
 
Value Name: ValidateAdminCodeSignatures
 
Value Type: REG_DWORD
Value: 0</rawString>
      <ValueData>0</ValueData>
      <ValueName>ValidateAdminCodeSignatures</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-16020" severity="medium" conversionstatus="pass" title="Windows Customer Experience Improvement Program " dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SQMClient\Windows</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\SQMClient\Windows\
 
Value Name: CEIPEnable
 
Type: REG_DWORD
Value: 0</rawString>
      <ValueData>0</ValueData>
      <ValueName>CEIPEnable</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-21950" severity="medium" conversionstatus="pass" title="SPN Target Name Validation Level" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \System\CurrentControlSet\Services\LanmanServer\Parameters\
 
Value Name: SmbServerNameHardeningLevel
 
Type: REG_DWORD
Value: 0</rawString>
      <ValueData>0</ValueData>
      <ValueName>SmbServerNameHardeningLevel</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-21951" severity="medium" conversionstatus="pass" title="Computer Identity Authentication for NTLM" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \System\CurrentControlSet\Control\LSA\
 
Value Name: UseMachineId
 
Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>UseMachineId</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-21952" severity="medium" conversionstatus="pass" title="NTLM NULL Session Fallback" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\MSV1_0</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \System\CurrentControlSet\Control\LSA\MSV1_0\
 
Value Name: allownullsessionfallback
 
Type: REG_DWORD
Value: 0</rawString>
      <ValueData>0</ValueData>
      <ValueName>allownullsessionfallback</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-21953" severity="medium" conversionstatus="pass" title="PKU2U Online Identities Authentication" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\pku2u</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \System\CurrentControlSet\Control\LSA\pku2u\
 
Value Name: AllowOnlineID
 
Type: REG_DWORD
Value: 0</rawString>
      <ValueData>0</ValueData>
      <ValueName>AllowOnlineID</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-21955" severity="low" conversionstatus="pass" title="IPv6 Source Routing" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\
 
Value Name: DisableIPSourceRouting
 
Type: REG_DWORD
Value: 2</rawString>
      <ValueData>2</ValueData>
      <ValueName>DisableIPSourceRouting</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-21956" severity="low" conversionstatus="pass" title="IPv6 TCP Data Retransmissions" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters</Key>
      <OrganizationValueRequired>True</OrganizationValueRequired>
      <OrganizationValueTestString>{0} -le '3'</OrganizationValueTestString>
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\
 
Value Name: TcpMaxDataRetransmissions
 
Value Type: REG_DWORD
Value: 3 (or less)</rawString>
      <ValueData />
      <ValueName>TcpMaxDataRetransmissions</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-21960" severity="low" conversionstatus="pass" title="Elevate when setting a network’s location" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Network Connections</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Windows\Network Connections\
 
Value Name: NC_StdDomainUserSetLocation
 
Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>NC_StdDomainUserSetLocation</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-21961" severity="low" conversionstatus="pass" title="Direct Access – Route Through Internal Network" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\TCPIP\v6Transition</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Windows\TCPIP\v6Transition\
 
Value Name: Force_Tunneling
 
Type: REG_SZ
Value: Enabled</rawString>
      <ValueData>Enabled</ValueData>
      <ValueName>Force_Tunneling</ValueName>
      <ValueType>String</ValueType>
    </Rule>
    <Rule id="V-21963" severity="low" conversionstatus="pass" title="Windows Update Point and Print Driver Search" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Windows NT\Printers\
 
Value Name: DoNotInstallCompatibleDriverFromWindowsUpdate
 
Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>DoNotInstallCompatibleDriverFromWindowsUpdate</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-21964" severity="low" conversionstatus="pass" title="Prevent device metadata retrieval from Internet" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Device Metadata</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \SOFTWARE\Policies\Microsoft\Windows\Device Metadata\
 
Value Name: PreventDeviceMetadataFromNetwork
 
Value Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>PreventDeviceMetadataFromNetwork</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-21965" severity="low" conversionstatus="pass" title="Prevent Windows Update for device driver search" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DriverSearching</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Windows\DriverSearching\
 
Value Name: SearchOrderConfig
 
Type: REG_DWORD
Value: 0</rawString>
      <ValueData>0</ValueData>
      <ValueName>SearchOrderConfig</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-21967" severity="low" conversionstatus="pass" title="MSDT Interactive Communication" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy\
 
Value Name: DisableQueryRemoteServer
 
Type: REG_DWORD
Value: 0</rawString>
      <ValueData>0</ValueData>
      <ValueName>DisableQueryRemoteServer</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-21969" severity="low" conversionstatus="pass" title="Windows Online Troubleshooting Service" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy\
 
Value Name: EnableQueryRemoteServer
 
Type: REG_DWORD
Value: 0</rawString>
      <ValueData>0</ValueData>
      <ValueName>EnableQueryRemoteServer</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-21970" severity="low" conversionstatus="pass" title="Disable PerfTrack" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d}</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d}\
 
Value Name: ScenarioExecutionEnabled
 
Type: REG_DWORD
Value: 0</rawString>
      <ValueData>0</ValueData>
      <ValueName>ScenarioExecutionEnabled</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-21971" severity="low" conversionstatus="pass" title="Application Compatibility Program Inventory" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\AppCompat</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Windows\AppCompat\
 
Value Name: DisableInventory
 
Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>DisableInventory</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-21973" severity="high" conversionstatus="pass" title="Autoplay for non-volume devices" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Explorer</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Windows\Explorer\
 
Value Name: NoAutoplayfornonVolume
 
Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>NoAutoplayfornonVolume</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-21980" severity="medium" conversionstatus="pass" title="Explorer Data Execution Prevention" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Explorer</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Windows\Explorer\
 
Value Name: NoDataExecutionPrevention
 
Type: REG_DWORD
Value: 0</rawString>
      <ValueData>0</ValueData>
      <ValueName>NoDataExecutionPrevention</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-22692" severity="high" conversionstatus="pass" title="Default Autorun Behavior" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\
 
Value Name: NoAutorun
 
Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>NoAutorun</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-26283" severity="high" conversionstatus="pass" title="Restrict Anonymous SAM Enumeration" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \System\CurrentControlSet\Control\Lsa\
 
Value Name: RestrictAnonymousSAM
 
Value Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>RestrictAnonymousSAM</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-26359" severity="low" conversionstatus="pass" title="Legal Banner Dialog Box Title" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System</Key>
      <OrganizationValueRequired>True</OrganizationValueRequired>
      <OrganizationValueTestString>'{0}' -match '^(DoD Notice and Consent Banner|US Department of Defense Warning Statement)$'</OrganizationValueTestString>
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\
 
Value Name: LegalNoticeCaption
 
Value Type: REG_SZ
Value: See message title options below
 
"DoD Notice and Consent Banner", "US Department of Defense Warning Statement", or a site-defined equivalent.
 
If a site-defined title is used, it can in no case contravene or modify the language of the banner text required in V-1089.
 
Automated tools may only search for the titles defined above. If a site-defined title is used, a manual review will be required.</rawString>
      <ValueData />
      <ValueName>LegalNoticeCaption</ValueName>
      <ValueType>String</ValueType>
    </Rule>
    <Rule id="V-26575" severity="medium" conversionstatus="pass" title="6to4 State" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\TCPIP\v6Transition</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Windows\TCPIP\v6Transition\
 
Value Name: 6to4_State
 
Type: REG_SZ
Value: Disabled</rawString>
      <ValueData>Disabled</ValueData>
      <ValueName>6to4_State</ValueName>
      <ValueType>String</ValueType>
    </Rule>
    <Rule id="V-26576" severity="medium" conversionstatus="pass" title="IP-HTTPS State" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\TCPIP\v6Transition\IPHTTPS\IPHTTPSInterface</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Windows\TCPIP\v6Transition\IPHTTPS\IPHTTPSInterface\
 
Value Name: IPHTTPS_ClientState
 
Type: REG_DWORD
Value: 3</rawString>
      <ValueData>3</ValueData>
      <ValueName>IPHTTPS_ClientState</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-26577" severity="medium" conversionstatus="pass" title="ISATAP State" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\TCPIP\v6Transition</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Windows\TCPIP\v6Transition\
 
Value Name: ISATAP_State
 
Type: REG_SZ
Value: Disabled</rawString>
      <ValueData>Disabled</ValueData>
      <ValueName>ISATAP_State</ValueName>
      <ValueType>String</ValueType>
    </Rule>
    <Rule id="V-26578" severity="medium" conversionstatus="pass" title="Teredo State" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\TCPIP\v6Transition</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Windows\TCPIP\v6Transition\
 
Value Name: Teredo_State
 
Type: REG_SZ
Value: Disabled</rawString>
      <ValueData>Disabled</ValueData>
      <ValueName>Teredo_State</ValueName>
      <ValueType>String</ValueType>
    </Rule>
    <Rule id="V-26579" severity="medium" conversionstatus="pass" title="Maximum Log Size - Application" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application</Key>
      <OrganizationValueRequired>True</OrganizationValueRequired>
      <OrganizationValueTestString>{0} -ge '32768'</OrganizationValueTestString>
      <rawString>If the system is configured to write events directly to an audit server, this is NA.
 
If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \SOFTWARE\Policies\Microsoft\Windows\EventLog\Application\
 
Value Name: MaxSize
 
Type: REG_DWORD
Value: 0x00008000 (32768) (or greater)</rawString>
      <ValueData />
      <ValueName>MaxSize</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-26580" severity="medium" conversionstatus="pass" title="Maximum Log Size - Security" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security</Key>
      <OrganizationValueRequired>True</OrganizationValueRequired>
      <OrganizationValueTestString>{0} -ge '196608'</OrganizationValueTestString>
      <rawString>If the system is configured to write events directly to an audit server, this is NA.
 
If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \SOFTWARE\Policies\Microsoft\Windows\EventLog\Security\
 
Value Name: MaxSize
 
Type: REG_DWORD
Value: 0x00030000 (196608) (or greater)</rawString>
      <ValueData />
      <ValueName>MaxSize</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-26581" severity="medium" conversionstatus="pass" title="Maximum Log Size - Setup" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup</Key>
      <OrganizationValueRequired>True</OrganizationValueRequired>
      <OrganizationValueTestString>{0} -ge '32768'</OrganizationValueTestString>
      <rawString>If the system is configured to write events directly to an audit server, this is NA.
 
If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup\
 
Value Name: MaxSize
 
Type: REG_DWORD
Value: 0x00008000 (32768) (or greater)</rawString>
      <ValueData />
      <ValueName>MaxSize</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-26582" severity="medium" conversionstatus="pass" title="Maximum Log Size - System" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System</Key>
      <OrganizationValueRequired>True</OrganizationValueRequired>
      <OrganizationValueTestString>{0} -ge '32768'</OrganizationValueTestString>
      <rawString>If the system is configured to write events directly to an audit server, this is NA.
 
If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \SOFTWARE\Policies\Microsoft\Windows\EventLog\System\
 
Value Name: MaxSize
 
Type: REG_DWORD
Value: 0x00008000 (32768) (or greater)</rawString>
      <ValueData />
      <ValueName>MaxSize</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-28504" severity="low" conversionstatus="pass" title="Device Install Software Request Error Report" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceInstall\Settings</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Windows\DeviceInstall\Settings\
 
Value Name: DisableSendRequestAdditionalSoftwareToWER
 
Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>DisableSendRequestAdditionalSoftwareToWER</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-34974" severity="high" conversionstatus="pass" title="Always Install with Elevated Privileges Disabled" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Windows\Installer\
 
Value Name: AlwaysInstallElevated
 
Type: REG_DWORD
Value: 0</rawString>
      <ValueData>0</ValueData>
      <ValueName>AlwaysInstallElevated</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-36439" severity="medium" conversionstatus="pass" title="Local admin accounts filtered token policy enabled on domain systems." dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the system is not a member of a domain, this is NA.
If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\
 
Value Name: LocalAccountTokenFilterPolicy
 
Type: REG_DWORD
Value: 0x00000000 (0)
 
This setting may cause issues with some network scanning tools if local administrative accounts are used remotely. Scans should use domain accounts where possible. If a local administrative account must be used, temporarily enabling the privileged token by configuring the registry value to 1 may be required.</rawString>
      <ValueData>0</ValueData>
      <ValueName>LocalAccountTokenFilterPolicy</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-36673" severity="low" conversionstatus="pass" title="WINCC-000011" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \System\CurrentControlSet\Services\Tcpip\Parameters\
 
Value Name: EnableIPAutoConfigurationLimits
 
Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>EnableIPAutoConfigurationLimits</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-36677" severity="low" conversionstatus="pass" title="WINCC-000018" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Servicing</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\Servicing\
 
Value Name: UseWindowsUpdate
 
Type: REG_DWORD
Value: 2</rawString>
      <ValueData>2</ValueData>
      <ValueName>UseWindowsUpdate</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-36678" severity="low" conversionstatus="pass" title="WINCC-000025" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DriverSearching</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Windows\DriverSearching\
 
Value Name: DriverServerSelection
 
Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>DriverServerSelection</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-36679" severity="medium" conversionstatus="pass" title="WINCC-000027" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Policies\EarlyLaunch</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \System\CurrentControlSet\Policies\EarlyLaunch\
 
Value Name: DriverLoadPolicy
 
Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>DriverLoadPolicy</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-36680" severity="medium" conversionstatus="pass" title="WINCC-000030" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>The Windows Store is not installed by default. If the \Windows\WinStore directory does not exist, this is NA.
 
If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \SOFTWARE\Policies\Microsoft\Windows\Explorer\
 
Value Name: NoUseStoreOpenWith
 
Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>NoUseStoreOpenWith</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-36681" severity="medium" conversionstatus="pass" title="WINCC-000048" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Control Panel\International</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Control Panel\International\
 
Value Name: BlockUserInputMethodsForSignIn
 
Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>BlockUserInputMethodsForSignIn</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-36684" severity="medium" conversionstatus="pass" title="WINCC-000051" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Windows\System\
 
Value Name: EnumerateLocalUsers
 
Type: REG_DWORD
Value: 0</rawString>
      <ValueData>0</ValueData>
      <ValueName>EnumerateLocalUsers</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-36687" severity="medium" conversionstatus="pass" title="WINCC-000052" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Windows\System\
 
Value Name: DisableLockScreenAppNotifications
 
Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>DisableLockScreenAppNotifications</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-36696" severity="low" conversionstatus="pass" title="WINCC-000065" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\AppCompat</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Windows\AppCompat\
 
Value Name: DisablePcaUI
 
Type: REG_DWORD
Value: 0</rawString>
      <ValueData>0</ValueData>
      <ValueName>DisablePcaUI</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-36697" severity="low" conversionstatus="pass" title="WINCC-000070" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Appx</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Windows\Appx\
 
Value Name: AllowAllTrustedApps
 
Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>AllowAllTrustedApps</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-36698" severity="medium" conversionstatus="pass" title="WINCC-000075" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Biometrics</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \SOFTWARE\Policies\Microsoft\Biometrics\
 
Value Name: Enabled
 
Type: REG_DWORD
Value: 0</rawString>
      <ValueData>0</ValueData>
      <ValueName>Enabled</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-36700" severity="medium" conversionstatus="pass" title="WINCC-000076" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CredUI</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Windows\CredUI\
 
Value Name: DisablePasswordReveal
 
Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>DisablePasswordReveal</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-36707" severity="low" conversionstatus="pass" title="WINCC-000088" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Windows\System\
 
Value Name: EnableSmartScreen
 
Type: REG_DWORD
Value: 0</rawString>
      <ValueData>0</ValueData>
      <ValueName>EnableSmartScreen</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-36708" severity="medium" conversionstatus="pass" title="WINCC-000095" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\LocationAndSensors</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Windows\LocationAndSensors\
 
Value Name: DisableLocation
 
Type: REG_DWORD
Value: 1 (Enabled)
 
If location services are approved for the system by the organization, this may be set to "Disabled" (0). This must be documented with the ISSO.</rawString>
      <ValueData>1</ValueData>
      <ValueName>DisableLocation</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-36709" severity="medium" conversionstatus="pass" title="WINCC-000106" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Feeds</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Internet Explorer\Feeds\
 
Value Name: AllowBasicAuthInClear
 
Type: REG_DWORD
Value: 0</rawString>
      <ValueData>0</ValueData>
      <ValueName>AllowBasicAuthInClear</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-36710.a" severity="low" conversionstatus="pass" title="WINCC-000109" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \SOFTWARE\Policies\Microsoft\WindowsStore\
Type: REG_DWORD
Value Name: AutoDownload
Value: 0x00000002 (2)</rawString>
      <ValueData>2</ValueData>
      <ValueName>AutoDownload</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-36710.b" severity="low" conversionstatus="pass" title="WINCC-000109" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore\WindowsUpdate</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \SOFTWARE\Policies\Microsoft\WindowsStore\WindowsUpdate\
Type: REG_DWORD
Value Name: AutoDownload
Value: 0x00000002 (2)</rawString>
      <ValueData>2</ValueData>
      <ValueName>AutoDownload</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-36711" severity="medium" conversionstatus="pass" title="WINCC-000110" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>The Windows Store is not installed by default. If the \Windows\WinStore directory does not exist, this is NA.
If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \SOFTWARE\Policies\Microsoft\WindowsStore\
 
Value Name: RemoveWindowsStore
 
Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>RemoveWindowsStore</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-36712" severity="high" conversionstatus="pass" title="WINCC-000123" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Client</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Windows\WinRM\Client\
 
Value Name: AllowBasic
 
Type: REG_DWORD
Value: 0</rawString>
      <ValueData>0</ValueData>
      <ValueName>AllowBasic</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-36713" severity="medium" conversionstatus="pass" title="WINCC-000124" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Client</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Windows\WinRM\Client\
 
Value Name: AllowUnencryptedTraffic
 
Type: REG_DWORD
Value: 0</rawString>
      <ValueData>0</ValueData>
      <ValueName>AllowUnencryptedTraffic</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-36714" severity="medium" conversionstatus="pass" title="WINCC-000125" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Client</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Windows\WinRM\Client\
 
Value Name: AllowDigest
 
Type: REG_DWORD
Value: 0</rawString>
      <ValueData>0</ValueData>
      <ValueName>AllowDigest</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-36718" severity="high" conversionstatus="pass" title="WINCC-000126" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Service</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Windows\WinRM\Service\
 
Value Name: AllowBasic
 
Type: REG_DWORD
Value: 0</rawString>
      <ValueData>0</ValueData>
      <ValueName>AllowBasic</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-36719" severity="medium" conversionstatus="pass" title="WINCC-000127" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Service</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Windows\WinRM\Service\
 
Value Name: AllowUnencryptedTraffic
 
Type: REG_DWORD
Value: 0</rawString>
      <ValueData>0</ValueData>
      <ValueName>AllowUnencryptedTraffic</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-36720" severity="medium" conversionstatus="pass" title="WINCC-000128" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Service</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Windows\WinRM\Service\
 
Value Name: DisableRunAs
 
Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>DisableRunAs</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-36773" severity="medium" conversionstatus="pass" title="WINSO-000021" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System</Key>
      <OrganizationValueRequired>True</OrganizationValueRequired>
      <OrganizationValueTestString>{0} -le '900'</OrganizationValueTestString>
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\
 
Value Name: InactivityTimeoutSecs
 
Value Type: REG_DWORD
Value: 0x00000384 (900) (or less)</rawString>
      <ValueData />
      <ValueName>InactivityTimeoutSecs</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-40204" severity="medium" conversionstatus="pass" title="WNCC-000136" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\
 
Value Name: RedirectOnlyDefaultClientPrinter
 
Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>RedirectOnlyDefaultClientPrinter</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-43238" severity="medium" conversionstatus="pass" title="WINCC-000138" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>This requirement is NA for the initial release of Windows 2012. It is applicable to Windows 2012 R2.
 
Verify the registry value below. If it does not exist or is not configured as specified, this is a finding.
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \SOFTWARE\Policies\Microsoft\Windows\Personalization\
 
Value Name: NoLockScreenSlideshow
 
Value Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>NoLockScreenSlideshow</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-43239" severity="medium" conversionstatus="pass" title="WINCC-000139" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>This requirement is NA for the initial release of Windows 2012. It is applicable to Windows 2012 R2.
 
Verify the registry value below. If it does not exist or is not configured as specified, this is a finding.
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit\
 
Value Name: ProcessCreationIncludeCmdLine_Enabled
 
Value Type: REG_DWORD
Value: 0</rawString>
      <ValueData>0</ValueData>
      <ValueName>ProcessCreationIncludeCmdLine_Enabled</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-43240" severity="medium" conversionstatus="pass" title="WINCC-000140" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>This requirement is NA for the initial release of Windows 2012. It is applicable to Windows 2012 R2.
 
Verify the registry value below. If it does not exist or is not configured as specified, this is a finding.
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \SOFTWARE\Policies\Microsoft\Windows\System\
 
Value Name: DontDisplayNetworkSelectionUI
 
Value Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>DontDisplayNetworkSelectionUI</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-43241" severity="low" conversionstatus="pass" title="WINCC-000141" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>This requirement is NA for the initial release of Windows 2012. It is applicable to Windows 2012 R2.
 
Verify the registry value below. If it does not exist or is not configured as specified, this is a finding.
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
 
Value Name: MSAOptional
 
Value Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>MSAOptional</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-43245" severity="medium" conversionstatus="pass" title="WINCC-000145" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>This requirement is NA for the initial release of Windows 2012. It is applicable to Windows 2012 R2.
 
Verify the registry value below. If it does not exist or is not configured as specified, this is a finding.
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\
 
Value Name: DisableAutomaticRestartSignOn
 
Value Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>DisableAutomaticRestartSignOn</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-57639" severity="medium" conversionstatus="pass" title="WINSO-000092" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \SOFTWARE\Policies\Microsoft\Cryptography\
 
Value Name: ForceKeyProtection
 
Type: REG_DWORD
Value: 2</rawString>
      <ValueData>2</ValueData>
      <ValueName>ForceKeyProtection</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-72753" severity="medium" conversionstatus="pass" title="WINCC-000150" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Wdigest</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding.
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \SYSTEM\CurrentControlSet\Control\SecurityProviders\Wdigest\
 
Value Name: UseLogonCredential
 
Type: REG_DWORD
Value: 0x00000000 (0)
 
Note: Microsoft Security Advisory update 2871997 is required for this setting to be effective on Windows 2012. It is not required for Windows 2012 R2.</rawString>
      <ValueData>0</ValueData>
      <ValueName>UseLogonCredential</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-73519" severity="medium" conversionstatus="pass" title="WIN00-000170" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>This applies to Windows 2012. Windows 2012 R2 uses a different method to disable SMBv1, see WN12-00-000160.
 
If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\
 
Value Name: SMB1
 
Type: REG_DWORD
Value: 0x00000000 (0)</rawString>
      <ValueData>0</ValueData>
      <ValueName>SMB1</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-73523.a" severity="medium" conversionstatus="pass" title="WIN00-000180" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \SYSTEM\CurrentControlSet\Services\LanmanWorkstation\
Type: REG_MULTI_SZ
Value Name: DependOnService
Value: Bowser MRxSmb20 NSI</rawString>
      <ValueData>Bowser;MRxSmb20;NSI</ValueData>
      <ValueName>DependOnService</ValueName>
      <ValueType>MultiString</ValueType>
    </Rule>
    <Rule id="V-73523.b" severity="medium" conversionstatus="pass" title="WIN00-000180" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mrxsmb10</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \SYSTEM\CurrentControlSet\Services\mrxsmb10\
Type: REG_DWORD
Value Name: Start
Value: 0x00000004 (4)</rawString>
      <ValueData>4</ValueData>
      <ValueName>Start</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
  </RegistryRule>
  <SecurityOptionRule dscresourcemodule="SecurityPolicyDsc">
    <Rule id="V-1113" severity="medium" conversionstatus="pass" title="Disable Guest Account" dscresource="SecurityOption">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OptionName>Accounts: Guest account status</OptionName>
      <OptionValue>Disabled</OptionValue>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Verify the effective setting in Local Group Policy Editor.
Run "gpedit.msc".
 
Navigate to Local Computer Policy -&gt; Computer Configuration -&gt; Windows Settings -&gt; Security Settings -&gt; Local Policies -&gt; Security Options.
 
If the value for "Accounts: Guest account status" is not set to "Disabled", this is a finding.</rawString>
    </Rule>
    <Rule id="V-1114" severity="medium" conversionstatus="pass" title="Rename Built-in Guest Account" dscresource="SecurityOption">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OptionName>Accounts: Rename guest account</OptionName>
      <OptionValue />
      <OrganizationValueRequired>True</OrganizationValueRequired>
      <OrganizationValueTestString>'{0}' -ne 'Guest'</OrganizationValueTestString>
      <rawString>Verify the effective setting in Local Group Policy Editor.
Run "gpedit.msc".
 
Navigate to Local Computer Policy -&gt; Computer Configuration -&gt; Windows Settings -&gt; Security Settings -&gt; Local Policies -&gt; Security Options.
 
If the value for "Accounts: Rename guest account" is not set to a value other than "Guest", this is a finding.</rawString>
    </Rule>
    <Rule id="V-1115" severity="medium" conversionstatus="pass" title="Rename Built-in Administrator Account" dscresource="SecurityOption">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OptionName>Accounts: Rename administrator account</OptionName>
      <OptionValue />
      <OrganizationValueRequired>True</OrganizationValueRequired>
      <OrganizationValueTestString>'{0}' -ne 'Administrator'</OrganizationValueTestString>
      <rawString>Verify the effective setting in Local Group Policy Editor.
Run "gpedit.msc".
 
Navigate to Local Computer Policy -&gt; Computer Configuration -&gt; Windows Settings -&gt; Security Settings -&gt; Local Policies -&gt; Security Options.
 
If the value for "Accounts: Rename administrator account" is not set to a value other than "Administrator", this is a finding.</rawString>
    </Rule>
    <Rule id="V-3337" severity="high" conversionstatus="pass" title="Anonymous SID/Name Translation" dscresource="SecurityOption">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OptionName>Network access: Allow anonymous SID/Name translation</OptionName>
      <OptionValue>Disabled</OptionValue>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Verify the effective setting in Local Group Policy Editor.
Run "gpedit.msc".
 
Navigate to Local Computer Policy -&gt; Computer Configuration -&gt; Windows Settings -&gt; Security Settings -&gt; Local Policies -&gt; Security Options.
 
If the value for "Network access: Allow anonymous SID/Name translation" is not set to "Disabled", this is a finding.</rawString>
    </Rule>
    <Rule id="V-3380" severity="medium" conversionstatus="pass" title="Force Logoff When Logon Hours Expire" dscresource="SecurityOption">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OptionName>Network security: Force logoff when logon hours expire</OptionName>
      <OptionValue>Enabled</OptionValue>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Verify the effective setting in Local Group Policy Editor.
Run "gpedit.msc".
 
Navigate to Local Computer Policy -&gt; Computer Configuration -&gt; Windows Settings -&gt; Security Settings -&gt; Local Policies -&gt; Security Options.
 
If the value for "Network security: Force logoff when logon hours expire" is not set to "Enabled", this is a finding.</rawString>
    </Rule>
  </SecurityOptionRule>
  <ServiceRule dscresourcemodule="xPSDesiredStateConfiguration">
    <Rule id="V-15505" severity="medium" conversionstatus="pass" title="HBSS McAfee Agent" dscresource="xService">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Run "Services.msc".
 
Verify the McAfee Agent service is running, depending on the version installed.
 
Version - Service Name
McAfee Agent v5.x - McAfee Agent Service
McAfee Agent v4.x - McAfee Framework Service
 
If the service is not listed or does not have a Status of "Started", this is a finding.</rawString>
      <ServiceName>McAfee</ServiceName>
      <ServiceState>Running</ServiceState>
      <StartupType>Automatic</StartupType>
    </Rule>
    <Rule id="V-26600" severity="medium" conversionstatus="pass" title="Fax Service Disabled " dscresource="xService">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Verify the Fax (fax) service is not installed or is disabled.
 
Run "Services.msc".
 
If the following is installed and not disabled, this is a finding:
 
Fax (fax)</rawString>
      <ServiceName>fax</ServiceName>
      <ServiceState>Stopped</ServiceState>
      <StartupType>Disabled</StartupType>
    </Rule>
    <Rule id="V-26602" severity="medium" conversionstatus="pass" title="Microsoft FTP Service Disabled" dscresource="xService">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the server has the role of an FTP server, this is NA.
 
Run "Services.msc".
 
If the "Microsoft FTP Service" (Service name: FTPSVC) is installed and not disabled, this is a finding.</rawString>
      <ServiceName>FTPSVC</ServiceName>
      <ServiceState>Stopped</ServiceState>
      <StartupType>Disabled</StartupType>
    </Rule>
    <Rule id="V-26604" severity="medium" conversionstatus="pass" title="Peer Networking Identity Manager Service Disabled" dscresource="xService">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Verify the Peer Network Identity Manager (p2pimsvc) service is not installed or is disabled.
 
Run "Services.msc".
 
If the following is installed and not disabled, this is a finding:
 
Peer Networking Identity Manager (p2pimsvc)</rawString>
      <ServiceName>p2pimsvc</ServiceName>
      <ServiceState>Stopped</ServiceState>
      <StartupType>Disabled</StartupType>
    </Rule>
    <Rule id="V-26605" severity="medium" conversionstatus="pass" title="Simple TCP/IP Services Disabled" dscresource="xService">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Verify the Simple TCP/IP (simptcp) service is not installed or is disabled.
 
Run "Services.msc".
 
If the following is installed and not disabled, this is a finding:
 
Simple TCP/IP Services (simptcp)</rawString>
      <ServiceName>simptcp</ServiceName>
      <ServiceState>Stopped</ServiceState>
      <StartupType>Disabled</StartupType>
    </Rule>
    <Rule id="V-26606" severity="medium" conversionstatus="pass" title="Telnet Service Disabled" dscresource="xService">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Verify the Telnet (tlntsvr) service is not installed or is disabled.
 
Run "Services.msc".
 
If the following is installed and not disabled, this is a finding:
 
Telnet (tlntsvr)</rawString>
      <ServiceName>tlntsvr</ServiceName>
      <ServiceState>Stopped</ServiceState>
      <StartupType>Disabled</StartupType>
    </Rule>
    <Rule id="V-40206" severity="medium" conversionstatus="pass" title="WNSV-000106" dscresource="xService">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Verify the Smart Card Removal Policy service is configured to "Automatic".
 
Run "Services.msc".
 
If the Startup Type for Smart Card Removal Policy is not set to Automatic, this is a finding.</rawString>
      <ServiceName>SCPolicySvc</ServiceName>
      <ServiceState>Running</ServiceState>
      <StartupType>Automatic</StartupType>
    </Rule>
  </ServiceRule>
  <UserRightRule dscresourcemodule="SecurityPolicyDsc">
    <Rule id="V-1102" severity="high" conversionstatus="pass" title="User Right - Act as part of OS" dscresource="UserRightsAssignment">
      <Constant>SeTcbPrivilege</Constant>
      <DisplayName>Act as part of the operating system</DisplayName>
      <Force>True</Force>
      <Identity>NULL</Identity>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Verify the effective setting in Local Group Policy Editor.
Run "gpedit.msc".
 
Navigate to Local Computer Policy -&gt; Computer Configuration -&gt; Windows Settings -&gt; Security Settings -&gt; Local Policies -&gt; User Rights Assignment.
 
If any accounts or groups (to include administrators), are granted the "Act as part of the operating system" user right, this is a finding.</rawString>
    </Rule>
    <Rule id="V-1155" severity="medium" conversionstatus="pass" title="Deny Access from the Network" dscresource="UserRightsAssignment">
      <Constant>SeDenyNetworkLogonRight</Constant>
      <DisplayName>Deny access to this computer from the network</DisplayName>
      <Force>False</Force>
      <Identity>Enterprise Admins,Domain Admins,"Local account and member of Administrators group" or "Local account" (see Note below),Guests,Systems dedicated to the management of Active Directory (AD admin platforms, see V-36436 in the Active Directory Domain STIG) are exempt from denying the Enterprise Admins and Domain Admins groups.</Identity>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Verify the effective setting in Local Group Policy Editor.
Run "gpedit.msc".
 
Navigate to Local Computer Policy &gt;&gt; Computer Configuration &gt;&gt; Windows Settings &gt;&gt; Security Settings &gt;&gt; Local Policies &gt;&gt; User Rights Assignment.
 
If the following accounts or groups are not defined for the "Deny access to this computer from the network" user right, this is a finding:
 
Domain Systems Only:
Enterprise Admins group
Domain Admins group
"Local account and member of Administrators group" or "Local account" (see Note below)
 
All Systems:
Guests group
 
Systems dedicated to the management of Active Directory (AD admin platforms, see V-36436 in the Active Directory Domain STIG) are exempt from denying the Enterprise Admins and Domain Admins groups.
 
Note: Windows Server 2012 R2 added new built-in security groups, "Local account" and "Local account and member of Administrators group". "Local account" is more restrictive but may cause issues on servers such as systems that provide Failover Clustering.
Microsoft Security Advisory Patch 2871997 adds the new security groups to Windows Server 2012.</rawString>
    </Rule>
    <Rule id="V-18010" severity="high" conversionstatus="pass" title="User Right - Debug Programs" dscresource="UserRightsAssignment">
      <Constant>SeDebugPrivilege</Constant>
      <DisplayName>Debug programs</DisplayName>
      <Force>True</Force>
      <Identity>Administrators</Identity>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Verify the effective setting in Local Group Policy Editor.
Run "gpedit.msc".
 
Navigate to Local Computer Policy -&gt; Computer Configuration -&gt; Windows Settings -&gt; Security Settings -&gt; Local Policies -&gt; User Rights Assignment.
 
If any accounts or groups other than the following are granted the "Debug programs" user right, this is a finding:
 
Administrators</rawString>
    </Rule>
    <Rule id="V-26469" severity="medium" conversionstatus="pass" title="Access Credential Manager as a trusted caller" dscresource="UserRightsAssignment">
      <Constant>SeTrustedCredManAccessPrivilege</Constant>
      <DisplayName>Access Credential Manager as a trusted caller</DisplayName>
      <Force>True</Force>
      <Identity>NULL</Identity>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Verify the effective setting in Local Group Policy Editor.
Run "gpedit.msc".
 
Navigate to Local Computer Policy -&gt; Computer Configuration -&gt; Windows Settings -&gt; Security Settings -&gt; Local Policies -&gt; User Rights Assignment.
 
If any accounts or groups are granted the "Access Credential Manager as a trusted caller" user right, this is a finding.</rawString>
    </Rule>
    <Rule id="V-26470" severity="medium" conversionstatus="pass" title="Access this computer from the network" dscresource="UserRightsAssignment">
      <Constant>SeNetworkLogonRight</Constant>
      <DisplayName>Access this computer from the network</DisplayName>
      <Force>True</Force>
      <Identity>Administrators,Authenticated Users,Systems dedicated to managing Active Directory (AD admin platforms, see V-36436 in the Active Directory Domain STIG), must only allow Administrators, removing the Authenticated Users group.</Identity>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Verify the effective setting in Local Group Policy Editor.
Run "gpedit.msc".
 
Navigate to Local Computer Policy -&gt; Computer Configuration -&gt; Windows Settings -&gt; Security Settings -&gt; Local Policies -&gt; User Rights Assignment.
 
If any accounts or groups other than the following are granted the "Access this computer from the network" user right, this is a finding:
 
Administrators
Authenticated Users
 
Systems dedicated to managing Active Directory (AD admin platforms, see V-36436 in the Active Directory Domain STIG), must only allow Administrators, removing the Authenticated Users group.</rawString>
    </Rule>
    <Rule id="V-26472" severity="medium" conversionstatus="pass" title="Allow log on locally" dscresource="UserRightsAssignment">
      <Constant>SeInteractiveLogonRight</Constant>
      <DisplayName>Allow log on locally</DisplayName>
      <Force>True</Force>
      <Identity>Administrators</Identity>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Verify the effective setting in Local Group Policy Editor.
Run "gpedit.msc".
 
Navigate to Local Computer Policy -&gt; Computer Configuration -&gt; Windows Settings -&gt; Security Settings -&gt; Local Policies -&gt; User Rights Assignment.
 
If any accounts or groups other than the following are granted the "Allow log on locally" user right, this is a finding:
 
Administrators</rawString>
    </Rule>
    <Rule id="V-26473" severity="medium" conversionstatus="pass" title="Allow log on through Remote Desktop Services" dscresource="UserRightsAssignment">
      <Constant>SeRemoteInteractiveLogonRight</Constant>
      <DisplayName>Allow log on through Remote Desktop Services</DisplayName>
      <Force>True</Force>
      <Identity>Administrators</Identity>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Verify the effective setting in Local Group Policy Editor.
Run "gpedit.msc".
 
Navigate to Local Computer Policy &gt;&gt; Computer Configuration &gt;&gt; Windows Settings &gt;&gt; Security Settings &gt;&gt; Local Policies &gt;&gt; User Rights Assignment.
 
If any accounts or groups other than the following are granted the "Allow log on through Remote Desktop Services" user right, this is a finding:
 
Administrators
 
If the system serves the Remote Desktop Services role, the Remote Desktop Users group or another more restrictive group may be included.
 
Organizations may grant this to other groups, such as more restrictive groups with administrative or management functions, if required. Remote Desktop Services access must be restricted to the accounts that require it. This must be documented with the ISSO.</rawString>
    </Rule>
    <Rule id="V-26474" severity="medium" conversionstatus="pass" title="Back up files and directories" dscresource="UserRightsAssignment">
      <Constant>SeBackupPrivilege</Constant>
      <DisplayName>Back up files and directories</DisplayName>
      <Force>True</Force>
      <Identity>Administrators</Identity>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Verify the effective setting in Local Group Policy Editor.
Run "gpedit.msc".
 
Navigate to Local Computer Policy -&gt; Computer Configuration -&gt; Windows Settings -&gt; Security Settings -&gt; Local Policies -&gt; User Rights Assignment.
 
If any accounts or groups other than the following are granted the "Back up files and directories" user right, this is a finding:
 
Administrators</rawString>
    </Rule>
    <Rule id="V-26475" severity="low" conversionstatus="pass" title="Bypass traverse checking" dscresource="UserRightsAssignment">
      <Constant>SeChangeNotifyPrivilege</Constant>
      <DisplayName>Bypass traverse checking</DisplayName>
      <Force>True</Force>
      <Identity>Administrators,Authenticated Users,Local Service,Network Service,Window Manager\Window Manager Group</Identity>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Verify the effective setting in Local Group Policy Editor.
Run "gpedit.msc".
 
Navigate to Local Computer Policy -&gt; Computer Configuration -&gt; Windows Settings -&gt; Security Settings -&gt; Local Policies -&gt; User Rights Assignment.
 
If any accounts or groups other than the following are granted the "Bypass traverse checking" user right, this is a finding:
 
Administrators
Authenticated Users
Local Service
Network Service
Window Manager\Window Manager Group</rawString>
    </Rule>
    <Rule id="V-26476" severity="medium" conversionstatus="pass" title="Change the system time" dscresource="UserRightsAssignment">
      <Constant>SeSystemtimePrivilege</Constant>
      <DisplayName>Change the system time</DisplayName>
      <Force>True</Force>
      <Identity>Administrators,Local Service</Identity>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Verify the effective setting in Local Group Policy Editor.
Run "gpedit.msc".
 
Navigate to Local Computer Policy -&gt; Computer Configuration -&gt; Windows Settings -&gt; Security Settings -&gt; Local Policies -&gt; User Rights Assignment.
 
If any accounts or groups other than the following are granted the "Change the system time" user right, this is a finding:
 
Administrators
Local Service</rawString>
    </Rule>
    <Rule id="V-26477" severity="low" conversionstatus="pass" title="Change the time zone" dscresource="UserRightsAssignment">
      <Constant>SeTimeZonePrivilege</Constant>
      <DisplayName>Change the time zone</DisplayName>
      <Force>True</Force>
      <Identity>Administrators,Local Service</Identity>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Verify the effective setting in Local Group Policy Editor.
Run "gpedit.msc".
 
Navigate to Local Computer Policy -&gt; Computer Configuration -&gt; Windows Settings -&gt; Security Settings -&gt; Local Policies -&gt; User Rights Assignment.
 
If any accounts or groups other than the following are granted the "Change the time zone" user right, this is a finding:
 
Administrators
Local Service</rawString>
    </Rule>
    <Rule id="V-26478" severity="medium" conversionstatus="pass" title="Create a pagefile" dscresource="UserRightsAssignment">
      <Constant>SeCreatePagefilePrivilege</Constant>
      <DisplayName>Create a pagefile</DisplayName>
      <Force>True</Force>
      <Identity>Administrators</Identity>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Verify the effective setting in Local Group Policy Editor.
Run "gpedit.msc".
 
Navigate to Local Computer Policy -&gt; Computer Configuration -&gt; Windows Settings -&gt; Security Settings -&gt; Local Policies -&gt; User Rights Assignment.
 
If any accounts or groups other than the following are granted the "Create a pagefile" user right, this is a finding:
 
Administrators</rawString>
    </Rule>
    <Rule id="V-26479" severity="high" conversionstatus="pass" title="Create a token object" dscresource="UserRightsAssignment">
      <Constant>SeCreateTokenPrivilege</Constant>
      <DisplayName>Create a token object</DisplayName>
      <Force>True</Force>
      <Identity>NULL</Identity>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Verify the effective setting in Local Group Policy Editor.
Run "gpedit.msc".
 
Navigate to Local Computer Policy -&gt; Computer Configuration -&gt; Windows Settings -&gt; Security Settings -&gt; Local Policies -&gt; User Rights Assignment.
 
If any accounts or groups are granted the "Create a token object" user right, this is a finding.</rawString>
    </Rule>
    <Rule id="V-26480" severity="medium" conversionstatus="pass" title="Create global objects" dscresource="UserRightsAssignment">
      <Constant>SeCreateGlobalPrivilege</Constant>
      <DisplayName>Create global objects</DisplayName>
      <Force>True</Force>
      <Identity>Administrators,Service,Local Service,Network Service</Identity>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Verify the effective setting in Local Group Policy Editor.
Run "gpedit.msc".
 
Navigate to Local Computer Policy -&gt; Computer Configuration -&gt; Windows Settings -&gt; Security Settings -&gt; Local Policies -&gt; User Rights Assignment.
 
If any accounts or groups other than the following are granted the "Create global objects" user right, this is a finding:
 
Administrators
Service
Local Service
Network Service</rawString>
    </Rule>
    <Rule id="V-26481" severity="medium" conversionstatus="pass" title="Create permanent shared objects" dscresource="UserRightsAssignment">
      <Constant>SeCreatePermanentPrivilege</Constant>
      <DisplayName>Create permanent shared objects</DisplayName>
      <Force>True</Force>
      <Identity>NULL</Identity>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Verify the effective setting in Local Group Policy Editor.
Run "gpedit.msc".
 
Navigate to Local Computer Policy -&gt; Computer Configuration -&gt; Windows Settings -&gt; Security Settings -&gt; Local Policies -&gt; User Rights Assignment.
 
If any accounts or groups are granted the "Create permanent shared objects" user right, this is a finding.</rawString>
    </Rule>
    <Rule id="V-26482" severity="medium" conversionstatus="pass" title="Create symbolic links" dscresource="UserRightsAssignment">
      <Constant>SeCreateSymbolicLinkPrivilege</Constant>
      <DisplayName>Create symbolic links</DisplayName>
      <Force>True</Force>
      <Identity>Administrators,{Hyper-V}</Identity>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>True</OrganizationValueRequired>
      <OrganizationValueTestString>'{0}' -match '^(Administrators,NT Virtual Machine\\Virtual Machines|Administrators)$'</OrganizationValueTestString>
      <rawString>Verify the effective setting in Local Group Policy Editor.
Run "gpedit.msc".
 
Navigate to Local Computer Policy &gt;&gt; Computer Configuration &gt;&gt; Windows Settings &gt;&gt; Security Settings &gt;&gt; Local Policies &gt;&gt; User Rights Assignment.
 
If any accounts or groups other than the following are granted the "Create symbolic links" user right, this is a finding:
 
Administrators
 
Systems that have the Hyper-V role will also have "Virtual Machines" given this user right (this may be displayed as "NT Virtual Machine\Virtual Machines"). This is not a finding.</rawString>
    </Rule>
    <Rule id="V-26483" severity="medium" conversionstatus="pass" title="Deny log on as a batch job" dscresource="UserRightsAssignment">
      <Constant>SeDenyBatchLogonRight</Constant>
      <DisplayName>Deny log on as a batch job</DisplayName>
      <Force>False</Force>
      <Identity>Enterprise Admins,Domain Admins,Guests</Identity>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Verify the effective setting in Local Group Policy Editor.
Run "gpedit.msc".
 
Navigate to Local Computer Policy -&gt; Computer Configuration -&gt; Windows Settings -&gt; Security Settings -&gt; Local Policies -&gt; User Rights Assignment.
 
If the following accounts or groups are not defined for the "Deny log on as a batch job" user right, this is a finding:
 
Domain Systems Only:
Enterprise Admins Group
Domain Admins Group
 
All Systems:
Guests Group</rawString>
    </Rule>
    <Rule id="V-26484" severity="medium" conversionstatus="pass" title="Deny log on as service " dscresource="UserRightsAssignment">
      <Constant>SeDenyServiceLogonRight</Constant>
      <DisplayName>Deny log on as a service</DisplayName>
      <Force>True</Force>
      <Identity>Enterprise Admins,Domain Admins</Identity>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Verify the effective setting in Local Group Policy Editor.
Run "gpedit.msc".
 
Navigate to Local Computer Policy -&gt; Computer Configuration -&gt; Windows Settings -&gt; Security Settings -&gt; Local Policies -&gt; User Rights Assignment.
 
If the following accounts or groups are not defined for the "Deny log on as a service" user right on domain-joined systems, this is a finding:
 
Enterprise Admins Group
Domain Admins Group
 
If any accounts or groups are defined for the "Deny log on as a service" user right on non-domain-joined systems, this is a finding.</rawString>
    </Rule>
    <Rule id="V-26485" severity="medium" conversionstatus="pass" title="Deny log on locally" dscresource="UserRightsAssignment">
      <Constant>SeDenyInteractiveLogonRight</Constant>
      <DisplayName>Deny log on locally</DisplayName>
      <Force>False</Force>
      <Identity>Enterprise Admins,Domain Admins,Systems dedicated to the management of Active Directory (AD admin platforms, see V-36436 in the Active Directory Domain STIG) are exempt from this.,Guests</Identity>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Verify the effective setting in Local Group Policy Editor.
Run "gpedit.msc".
 
Navigate to Local Computer Policy -&gt; Computer Configuration -&gt; Windows Settings -&gt; Security Settings -&gt; Local Policies -&gt; User Rights Assignment.
 
If the following accounts or groups are not defined for the "Deny log on locally" user right, this is a finding:
 
Domain Systems Only:
Enterprise Admins Group
Domain Admins Group
 
Systems dedicated to the management of Active Directory (AD admin platforms, see V-36436 in the Active Directory Domain STIG) are exempt from this.
 
All Systems:
Guests Group</rawString>
    </Rule>
    <Rule id="V-26486.a" severity="medium" conversionstatus="pass" title="Deny log on through Remote Desktop \ Terminal Services" dscresource="UserRightsAssignment">
      <Constant>SeDenyRemoteInteractiveLogonRight</Constant>
      <DisplayName>Deny log on through Remote Desktop Services</DisplayName>
      <Force>False</Force>
      <Identity>Enterprise Admins,Domain Admins,Local account (see Note below),Guests,Systems dedicated to the management of Active Directory (AD admin platforms, see V-36436 in the Active Directory Domain STIG) are exempt from denying the Enterprise Admins and Domain Admins groups.</Identity>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Verify the effective setting in Local Group Policy Editor.
Run "gpedit.msc".
 
Navigate to Local Computer Policy &gt;&gt; Computer Configuration &gt;&gt; Windows Settings &gt;&gt; Security Settings &gt;&gt; Local Policies &gt;&gt; User Rights Assignment.
 
If the following accounts or groups are not defined for the "Deny log on through Remote Desktop Services" user right, this is a finding:
 
Domain Systems Only:
Enterprise Admins group
Domain Admins group
Local account (see Note below)
 
All Systems:
Guests group
 
Systems dedicated to the management of Active Directory (AD admin platforms, see V-36436 in the Active Directory Domain STIG) are exempt from denying the Enterprise Admins and Domain Admins groups.
 
Note: Windows Server 2012 R2 added new built-in security groups, including "Local account", for assigning permissions and rights to all local accounts.
Microsoft Security Advisory Patch 2871997 adds the new security groups to Windows Server 2012.</rawString>
    </Rule>
    <Rule id="V-26487" severity="medium" conversionstatus="pass" title="Enable accounts to be trusted for delegation" dscresource="UserRightsAssignment">
      <Constant>SeEnableDelegationPrivilege</Constant>
      <DisplayName>Enable computer and user accounts to be trusted for delegation</DisplayName>
      <Force>True</Force>
      <Identity>NULL</Identity>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Verify the effective setting in Local Group Policy Editor.
Run "gpedit.msc".
 
Navigate to Local Computer Policy -&gt; Computer Configuration -&gt; Windows Settings -&gt; Security Settings -&gt; Local Policies -&gt; User Rights Assignment.
 
If any accounts or groups are granted the "Enable computer and user accounts to be trusted for delegation" user right, this is a finding.</rawString>
    </Rule>
    <Rule id="V-26488" severity="medium" conversionstatus="pass" title="Force shutdown from a remote system" dscresource="UserRightsAssignment">
      <Constant>SeRemoteShutdownPrivilege</Constant>
      <DisplayName>Force shutdown from a remote system</DisplayName>
      <Force>True</Force>
      <Identity>Administrators</Identity>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Verify the effective setting in Local Group Policy Editor.
Run "gpedit.msc".
 
Navigate to Local Computer Policy -&gt; Computer Configuration -&gt; Windows Settings -&gt; Security Settings -&gt; Local Policies -&gt; User Rights Assignment.
 
If any accounts or groups other than the following are granted the "Force shutdown from a remote system" user right, this is a finding:
 
Administrators</rawString>
    </Rule>
    <Rule id="V-26489" severity="medium" conversionstatus="pass" title="Generate security audits" dscresource="UserRightsAssignment">
      <Constant>SeAuditPrivilege</Constant>
      <DisplayName>Generate security audits</DisplayName>
      <Force>True</Force>
      <Identity>Local Service,Network Service</Identity>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Verify the effective setting in Local Group Policy Editor.
Run "gpedit.msc".
 
Navigate to Local Computer Policy -&gt; Computer Configuration -&gt; Windows Settings -&gt; Security Settings -&gt; Local Policies -&gt; User Rights Assignment.
 
If any accounts or groups other than the following are granted the "Generate security audits" user right, this is a finding:
 
Local Service
Network Service</rawString>
    </Rule>
    <Rule id="V-26490" severity="medium" conversionstatus="pass" title="Impersonate a client after authentication" dscresource="UserRightsAssignment">
      <Constant>SeImpersonatePrivilege</Constant>
      <DisplayName>Impersonate a client after authentication</DisplayName>
      <Force>True</Force>
      <Identity>Administrators,Service,Local Service,Network Service</Identity>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Verify the effective setting in Local Group Policy Editor.
Run "gpedit.msc".
 
Navigate to Local Computer Policy -&gt; Computer Configuration -&gt; Windows Settings -&gt; Security Settings -&gt; Local Policies -&gt; User Rights Assignment.
 
If any accounts or groups other than the following are granted the "Impersonate a client after authentication" user right, this is a finding:
 
Administrators
Service
Local Service
Network Service</rawString>
    </Rule>
    <Rule id="V-26492" severity="medium" conversionstatus="pass" title="Increase scheduling priority" dscresource="UserRightsAssignment">
      <Constant>SeIncreaseBasePriorityPrivilege</Constant>
      <DisplayName>Increase scheduling priority</DisplayName>
      <Force>True</Force>
      <Identity>Administrators</Identity>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Verify the effective setting in Local Group Policy Editor.
Run "gpedit.msc".
 
Navigate to Local Computer Policy -&gt; Computer Configuration -&gt; Windows Settings -&gt; Security Settings -&gt; Local Policies -&gt; User Rights Assignment.
 
If any accounts or groups other than the following are granted the "Increase scheduling priority" user right, this is a finding:
 
Administrators</rawString>
    </Rule>
    <Rule id="V-26493" severity="medium" conversionstatus="pass" title="Load and unload device drivers" dscresource="UserRightsAssignment">
      <Constant>SeLoadDriverPrivilege</Constant>
      <DisplayName>Load and unload device drivers</DisplayName>
      <Force>True</Force>
      <Identity>Administrators</Identity>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Verify the effective setting in Local Group Policy Editor.
Run "gpedit.msc".
 
Navigate to Local Computer Policy -&gt; Computer Configuration -&gt; Windows Settings -&gt; Security Settings -&gt; Local Policies -&gt; User Rights Assignment.
 
If any accounts or groups other than the following are granted the "Load and unload device drivers" user right, this is a finding:
 
Administrators</rawString>
    </Rule>
    <Rule id="V-26494" severity="medium" conversionstatus="pass" title="Lock pages in memory" dscresource="UserRightsAssignment">
      <Constant>SeLockMemoryPrivilege</Constant>
      <DisplayName>Lock pages in memory</DisplayName>
      <Force>True</Force>
      <Identity>NULL</Identity>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Verify the effective setting in Local Group Policy Editor.
Run "gpedit.msc".
 
Navigate to Local Computer Policy -&gt; Computer Configuration -&gt; Windows Settings -&gt; Security Settings -&gt; Local Policies -&gt; User Rights Assignment.
 
If any accounts or groups are granted the "Lock pages in memory" user right, this is a finding.</rawString>
    </Rule>
    <Rule id="V-26496" severity="medium" conversionstatus="pass" title="Manage auditing and security log" dscresource="UserRightsAssignment">
      <Constant>SeSecurityPrivilege</Constant>
      <DisplayName>Manage auditing and security log</DisplayName>
      <Force>True</Force>
      <Identity>Administrators</Identity>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Verify the effective setting in Local Group Policy Editor.
Run "gpedit.msc".
 
Navigate to Local Computer Policy &gt;&gt; Computer Configuration &gt;&gt; Windows Settings &gt;&gt; Security Settings &gt;&gt; Local Policies &gt;&gt; User Rights Assignment.
 
If any accounts or groups other than the following are granted the "Manage auditing and security log" user right, this is a finding:
 
Administrators
 
If the organization has an Auditors group, the assignment of this group to the user right would not be a finding.
 
If an application requires this user right, this would not be a finding.
Vendor documentation must support the requirement for having the user right.
The requirement must be documented with the ISSO.
The application account must meet requirements for application account passwords, such as length (V-36661) and required changes frequency (V-36662).</rawString>
    </Rule>
    <Rule id="V-26497" severity="medium" conversionstatus="pass" title="Modify an object label" dscresource="UserRightsAssignment">
      <Constant>SeRelabelPrivilege</Constant>
      <DisplayName>Modify an object label</DisplayName>
      <Force>True</Force>
      <Identity>NULL</Identity>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Verify the effective setting in Local Group Policy Editor.
Run "gpedit.msc".
 
Navigate to Local Computer Policy -&gt; Computer Configuration -&gt; Windows Settings -&gt; Security Settings -&gt; Local Policies -&gt; User Rights Assignment.
 
If any accounts or groups are granted the "Modify an object label" user right, this is a finding.</rawString>
    </Rule>
    <Rule id="V-26498" severity="medium" conversionstatus="pass" title="Modify firmware environment values" dscresource="UserRightsAssignment">
      <Constant>SeSystemEnvironmentPrivilege</Constant>
      <DisplayName>Modify firmware environment values</DisplayName>
      <Force>True</Force>
      <Identity>Administrators</Identity>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Verify the effective setting in Local Group Policy Editor.
Run "gpedit.msc".
 
Navigate to Local Computer Policy -&gt; Computer Configuration -&gt; Windows Settings -&gt; Security Settings -&gt; Local Policies -&gt; User Rights Assignment.
 
If any accounts or groups other than the following are granted the "Modify firmware environment values" user right, this is a finding:
 
Administrators</rawString>
    </Rule>
    <Rule id="V-26499" severity="medium" conversionstatus="pass" title="Perform volume maintenance tasks" dscresource="UserRightsAssignment">
      <Constant>SeManageVolumePrivilege</Constant>
      <DisplayName>Perform volume maintenance tasks</DisplayName>
      <Force>True</Force>
      <Identity>Administrators</Identity>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Verify the effective setting in Local Group Policy Editor.
Run "gpedit.msc".
 
Navigate to Local Computer Policy -&gt; Computer Configuration -&gt; Windows Settings -&gt; Security Settings -&gt; Local Policies -&gt; User Rights Assignment.
 
If any accounts or groups other than the following are granted the "Perform volume maintenance tasks" user right, this is a finding:
 
Administrators</rawString>
    </Rule>
    <Rule id="V-26500" severity="medium" conversionstatus="pass" title="Profile single process" dscresource="UserRightsAssignment">
      <Constant>SeProfileSingleProcessPrivilege</Constant>
      <DisplayName>Profile single process</DisplayName>
      <Force>True</Force>
      <Identity>Administrators</Identity>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Verify the effective setting in Local Group Policy Editor.
Run "gpedit.msc".
 
Navigate to Local Computer Policy -&gt; Computer Configuration -&gt; Windows Settings -&gt; Security Settings -&gt; Local Policies -&gt; User Rights Assignment.
 
If any accounts or groups other than the following are granted the "Profile single process" user right, this is a finding:
 
Administrators</rawString>
    </Rule>
    <Rule id="V-26501" severity="medium" conversionstatus="pass" title="Profile system performance" dscresource="UserRightsAssignment">
      <Constant>SeSystemProfilePrivilege</Constant>
      <DisplayName>Profile system performance</DisplayName>
      <Force>True</Force>
      <Identity>Administrators,NT Service\WdiServiceHost</Identity>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Verify the effective setting in Local Group Policy Editor.
Run "gpedit.msc".
 
Navigate to Local Computer Policy -&gt; Computer Configuration -&gt; Windows Settings -&gt; Security Settings -&gt; Local Policies -&gt; User Rights Assignment.
 
If any accounts or groups other than the following are granted the "Profile system performance" user right, this is a finding:
 
Administrators
NT Service\WdiServiceHost</rawString>
    </Rule>
    <Rule id="V-26503" severity="medium" conversionstatus="pass" title="Replace a process level token" dscresource="UserRightsAssignment">
      <Constant>SeAssignPrimaryTokenPrivilege</Constant>
      <DisplayName>Replace a process level token</DisplayName>
      <Force>True</Force>
      <Identity>Local Service,Network Service</Identity>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Verify the effective setting in Local Group Policy Editor.
Run "gpedit.msc".
 
Navigate to Local Computer Policy -&gt; Computer Configuration -&gt; Windows Settings -&gt; Security Settings -&gt; Local Policies -&gt; User Rights Assignment.
 
If any accounts or groups other than the following are granted the "Replace a process level token" user right, this is a finding:
 
Local Service
Network Service</rawString>
    </Rule>
    <Rule id="V-26504" severity="medium" conversionstatus="pass" title="Restore files and directories" dscresource="UserRightsAssignment">
      <Constant>SeRestorePrivilege</Constant>
      <DisplayName>Restore files and directories</DisplayName>
      <Force>True</Force>
      <Identity>Administrators</Identity>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Verify the effective setting in Local Group Policy Editor.
Run "gpedit.msc".
 
Navigate to Local Computer Policy -&gt; Computer Configuration -&gt; Windows Settings -&gt; Security Settings -&gt; Local Policies -&gt; User Rights Assignment.
 
If any accounts or groups other than the following are granted the "Restore files and directories" user right, this is a finding:
 
Administrators</rawString>
    </Rule>
    <Rule id="V-26505" severity="medium" conversionstatus="pass" title="Shut down the system" dscresource="UserRightsAssignment">
      <Constant>SeShutdownPrivilege</Constant>
      <DisplayName>Shut down the system</DisplayName>
      <Force>True</Force>
      <Identity>Administrators</Identity>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Verify the effective setting in Local Group Policy Editor.
Run "gpedit.msc".
 
Navigate to Local Computer Policy -&gt; Computer Configuration -&gt; Windows Settings -&gt; Security Settings -&gt; Local Policies -&gt; User Rights Assignment.
 
If any accounts or groups other than the following are granted the "Shut down the system" user right, this is a finding:
 
Administrators</rawString>
    </Rule>
    <Rule id="V-26506" severity="medium" conversionstatus="pass" title="Take ownership of files or other objects" dscresource="UserRightsAssignment">
      <Constant>SeTakeOwnershipPrivilege</Constant>
      <DisplayName>Take ownership of files or other objects</DisplayName>
      <Force>True</Force>
      <Identity>Administrators</Identity>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Verify the effective setting in Local Group Policy Editor.
Run "gpedit.msc".
 
Navigate to Local Computer Policy -&gt; Computer Configuration -&gt; Windows Settings -&gt; Security Settings -&gt; Local Policies -&gt; User Rights Assignment.
 
If any accounts or groups other than the following are granted the "Take ownership of files or other objects" user right, this is a finding:
 
Administrators</rawString>
    </Rule>
  </UserRightRule>
  <WindowsFeatureRule dscresourcemodule="PSDesiredStateConfiguration">
    <Rule id="V-73805" severity="medium" conversionstatus="pass" title="WIN00-000160" dscresource="WindowsFeature">
      <FeatureName>FS-SMB1</FeatureName>
      <InstallState>Absent</InstallState>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>This applies to Windows 2012 R2. Windows 2012 uses a different method to disable SMBv1, see WN12-00-000170 and WN12-00-000180.
 
Run "Windows PowerShell" with elevated privileges (run as administrator).
Enter the following:
Get-WindowsOptionalFeature -Online | Where FeatureName -eq SMB1Protocol
 
If "State : Enabled" is returned, this is a finding.
 
Alternately:
Search for "Features".
Select "Turn Windows features on or off".
 
If "SMB 1.0/CIFS File Sharing Support" is selected, this is a finding.</rawString>
    </Rule>
  </WindowsFeatureRule>
  <WmiRule dscresourcemodule="PSDesiredStateConfiguration">
    <Rule id="V-1073" severity="high" conversionstatus="pass" title="Unsupported Service Packs" dscresource="Script">
      <Class>Win32_OperatingSystem</Class>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Operator>-ge</Operator>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <Property>Version</Property>
      <rawString>Run "winver.exe".
 
If the "About Windows" dialog box does not display
"Microsoft Windows Server
Version 6.2 (Build 9200)"
or greater, this is a finding.
       
No preview versions will be used in a production environment.
 
Unsupported Service Packs/Releases:
Windows 2012 - any release candidates or versions prior to the initial release.</rawString>
      <Value>6.2.9200</Value>
    </Rule>
    <Rule id="V-1081" severity="high" conversionstatus="pass" title="NTFS Requirement" dscresource="Script">
      <Class>Win32_LogicalDisk</Class>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Operator>-match</Operator>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <Property>FileSystem</Property>
      <rawString>Open "Computer Management".
 
Select "Disk Management" under "Storage".
 
For each local volume, if the file system does not indicate "NTFS", this is a finding.
 
"ReFS" (Resilient File System) is also acceptable and would not be a finding.
 
This does not apply to system partitions such as the Recovery and EFI System Partition.</rawString>
      <Value>NTFS|ReFS</Value>
    </Rule>
  </WmiRule>
</DISASTIG>